Professional Documents
Culture Documents
70-410 Installing and Configuring Windows Server 2012
70-410 Installing and Configuring Windows Server 2012
20410A
Installing and Configuring Windows Server®
2012
ii 20410A: Installing and Configuring Windows Server® 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Released: 07/2012
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good
standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie
expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre
pays si celles-ci ne le permettent pas.
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Deploying and Managing Windows Server 2012
Lesson 1: Windows Server 2012 Overview 1-2
Lesson 2: Overview of Windows Server 2012 Management 1-14
Lesson 3: Installing Windows Server 2012 1-19
Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24
Lesson 5: Introduction to Windows PowerShell 1-32
Lab: Deploying and Managing Windows Server 2012 1-37
Course Description
Note: This first release (A) Microsoft® Official Curriculum (MOC) version of course 20410A has been
developed on prerelease software (Windows® 8 Release Preview and Windows Server® 2012 Release
Candidate (RC)). Microsoft Learning will release a B version of this course after the release to
manufacturing (RTM) version of the software is available.
This course is part one of a series of three courses, which provide the skills and knowledge necessary to
implement a core Windows Server 2012 infrastructure in an existing enterprise environment.
The three courses in total will collectively cover implementing, managing, maintaining, and provisioning
services and infrastructure in a Windows Server 2012 environment.
While there is some cross-over in skillset and tasks across the courses, this course will primarily cover the
initial implementation and configuration of those core services, such as Active Directory® Domain Services
(AD DS), networking services, and initial Hyper-V® configuration.
Audience
This course is intended for Information Technology (IT) Professionals who have good Windows operating
system knowledge and experience, and want to acquire the skills and knowledge necessary to implement
the core infrastructure services in an existing Windows Server 2012 environment.
The secondary audience consists of those seeking certification in the 70-410, Installing and Configuring
Windows Server 2012 exam.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Good hands-on Windows client operating system experience with Windows Vista®, Windows 7, or
Windows 8.
Students would also benefit from having some previous Windows Server operating system experience.
Course Objectives
After completing this course, students will be able to:
• Describe AD DS.
• Manage AD DS objects.
• Automate AD DS administration.
xviii About This Course
• Implement TCP/IPv4.
• Implement IPv6.
Course Outline
This section provides an outline of the course:
Exam/Course Mapping
This course, 20410A: Installing and Confiruging Windows Server® 2012 , has a direct mapping of its
content to the objective domain for the Microsoft exam 70-410: Installing and Configuring Windows
Server 2012.
The table below is provided as a study aid that will assist you in preparation for taking this exam and to
show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course will also contain content that is not directly
covered in the examination and will utilize the unique experience and skills of your qualified Microsoft
Certified Trainer.
About This Course xix
Note The exam objectives are available online at the following URL
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab2.
Important Attending this course in itself will not successfully prepare you to pass any associated
certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
• Minimum of one years real world, hands-on experience Installing and configuring a Windows Server
Infrastructure
There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to
change at any time and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.
About This Course xxiii
Course Materials
The following materials are included with your kit:
• Course Handbook A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s
needed.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
• Course evaluation At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Important At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine without saving the changes, perform the following
steps:
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course.
20410A-LON-SVR1 A member server running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR3 A blank virtual machine on which students will install Windows Server 2012.
A stand-alone server running Windows Server 2012 that will be used for
20410A-LON-SVR4
joining domains and initial configuration.
20410A-LON-HOST1 A bootable VHD for running Windows Server 2012 as the host for Hyper-V.
20410A-LON-RTR A router that is used for network activities that require a separate subnet.
20410A-LON-CL1 A client computer running Windows 8 and Microsoft Office 2010 Service Pack
1 (SP1) in the Adatum.com domain.
20410A-LON-CL2 A client computer running Windows 8 and Office 2010 SP1 in the
Adatum.com domain that is located in a second subnet.
Software Configuration
The following software is installed on each virtual machine:
Course Files
There are lab files associated with the labs in this course. The lab files are located in the folder
E:\Labfiles\LabXX on NYC-DC1.
About This Course xxv
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Module 1
Deploying and Managing Windows Server 2012
Contents:
Module Overview 1-1
Module Overview
Understanding the capabilities of a new server operating system enables you to leverage that operating
system effectively. If you do not understand the capabilities of your new operating system, you may end
up using it like you used the previous operating system, and you may forego the advantages of the new
system. By understanding how to utilize your new Windows Server® 2012 operating system fully, and by
understanding the tools that are available to manage that functionality you will provide your organization
with more value.
This module introduces the new Windows Server 2012 administrative interface. In this module, you will
learn about the different roles and features that are available with the Windows Server 2012 operating
system. You will also learn about the different installation options from which you can choose when
deploying Windows Server 2012.
This module discusses the configuration steps that you can perform both during installation and after
deployment to ensure that the servers can begin functioning in its assigned role. You will also learn how
to use Windows PowerShell® to perform common administrative tasks in Windows Server 2012.
Objectives
After completing this module, you will be able to:
Lesson 1
Windo
ows Serv
ver 2012 Overv
view
Befoore deploying Windows Servver 2012, you need to underrstand how each of the Wind dows Server 20012
enefit your organization’s serrvers. You also
edittions might be o need to knoww whether a paarticular hardw
ware
configuration is appropriate forr Windows Servver 2012, wheether a virtual ddeployment m might be more
suitable than a ph ment, and which installation source allowss you to deploy Windows Se
hysical deploym erver
2012 in an efficien
nt manner. If you
y do not havve an understaanding of thesse issues, you ccould end up
costting your orga
anization time and money byy making a cho must later correct.
oice that you m
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe the place of a loca
ally deployed server
s on a mo
odern networkk.
On
n Premises Servers
As an
a IT professioonal, you proba ably have hearrd
aboout cloud comp puting. You might have hearrd
howw software and d services are being
b moved to t a
pubblic or private cloud
c because e the cloud is at
a the
heart of the futuree of enterprise
e computing. You Y
could also have heard that Wind dows Server 2012 is
readdy for the clou
ud. As an IT proofessional who o has
worrked with locally deployed se ervers for most of
your career, it would be reasona able to ask, “Iff
everything is movving to the cloud, why do I need
n
to le
earn about deploying Windo ows Server 201 12
loca
ally?”
• Shared files and printers. Servers provide a centralized location that allows users to store and share
documents. Servers also host resources such as shared printers that allow groups of users to leverage
resources more efficiently. Without these centralized locally deployed resources, sharing files and
backing up files centrally would be a more complex and time-intensive process. While it might be
possible to host some of this information in the cloud, it doesn’t always make sense to send a job to a
printer that is in the next room through a server hosted at a remote location.
• Hosted applications. Servers host applications such as Microsoft® Exchange Server, Microsoft SQL
Server®, Microsoft Dynamics®, and Microsoft System Center. Clients access these applications to
accomplish different tasks, such as accessing e-mail or self-service deployment of desktop
applications. In some cases, these resources can be deployed to the cloud. In many cases these
resources must be hosted locally for performance, cost, and regulatory reasons. The choice on
whether to host these resources locally or in the cloud depends on the specifics of the individual
organization.
• Network access. Servers provide authentication and authorization resources to clients on the network.
By authenticating against a server, a user and client can prove their identity. Even when many of an
organization’s servers are located in the cloud, people still need to have some form of local
authentication and authorization infrastructure.
• Application, Update, and Operating System deployment. Servers are often deployed locally to assist
with the deployment of applications, updates, and operating systems to clients on the organizational
network. Because of intensive bandwidth utilization, these servers must be in proximity to the clients
to which they are providing this service.
Each organization will have its own requirements. An organization in an area that has limited Internet
connectivity is going to rely more on servers on the premises than an organization that has access to
high-speed broadband. It is important that, even in a case of Internet connectivity issues, work in an
organization can continue. Productivity will be negatively affected if the failure of the organization’s
Internet connection suddenly means that no one is able to access their shared files and printers.
While Windows Server 2012 is promoted as being ready for the cloud, remember that, for all the cloud-
ready features the product has, the operating system is still eminently suited to the traditional workhorse
tasks that server operating systems have performed for at least the last two decades. If you have been
working as an IT professional for some time, it is likely that you will configure and deploy Windows Server
2012 to perform the same or similar workloads that you configured for servers running Windows Server
2003 and maybe even for Windows NT 4.
Question: What is the difference between a server and a client operating system?
Question: How has the role of the server evolved over time from the Microsoft
Windows NT 4.0 Server operating system to Windows Server 2012?
1-4 Deploying and Managing Windows Server 2012
Wh
hat Is Clou
ud Computting?
Clou
ud computing is a general de
escription thatt
encompasses seve
eral different technologies.
• Software as a Service (Saas)). The cloud hoosting provideer hosts your a pplication and
d all of the
infrastructure
e that supportss that applicatiion. You purch
hase and run a software app plication from a
cloud hostingg provider. Winndows InTune™ ™ and Microso oft Office 365 are examples of SaaS.
Pub
blic and Priv
vate Cloudss
A pu
ublic cloud is a cloud service that is hosted
d by a cloud seervices provideer, and is madee available for
blic use. A public cloud may host a single tenant, or hostt tenants from multiple orgaanizations. As ssuch,
pub
blic cloud security is not as sttrong as privatte cloud secur ity, but public cloud hosting
pub g typically costts less
because costs are absorbed by multiple tenan nts.
In contrast, privatte clouds are cloud infrastruccture that is deedicated to a ssingle organizaation. Private cclouds
mayy be hosted byy the organizattion itself, or may
m be hosted d by a cloud seervices provideer who ensuress that
the cloud servicess are not share ed with any othher organizatio on.
Options
O forr Windowss Server 20
012
Th
here are severaal different editions of Wind
dows
erver 2012 from which to ch
Se hoose. These ed ditions
allow organizations to select a version of Windows
W
Se
erver 2012 thaat best meets their
t needs, ratther
th
han pay for fea
atures that theey do not require.
When
W deployingg a server for a specific role,,
syystems administrators can saave substantially by
se
electing the ap
ppropriate edittion.
Th
he following ta
able lists the Windows
W Serve
er 2012
ed
ditions.
Edition Description
D
Windows Servver 2012 Aimed at small business ow ners, this editi on allows onlyy 15 users, can
nnot be
Foundation edition joined
j to a do
omain, and inc ludes limited sserver roles. Su
upports one
processor core
e and up to 322 GB of RAM.
Microsoft Hyp
per-V Stand-alone Hyper-V
H platfo
orm for virtual machines with h no UI. No licensing
Server 2012 d normally. Supports
cost (free) for host OS, but vvirtual machin es are licensed
64 sockets and d 4 TB of RAMM. Supports domain join. Doe es not supportt other
Windows Servver 2012 roles other than lim mited file servicces features.
Windows Storage Entry-level unified storage aappliance. Limited to 50 users, one processor
Server 2012 core, 32 GB off RAM. Supporrts domain join n.
Workgroup
Ed
dition De
escription
Windows
W MultiPPoint Su
upports multip
ple users accesssing the same host compute er directly usin
ng
Se
erver 2012 Pre
emium separate mouse,, keyboard, annd monitors. Liimited to two sockets, 4 TB o
of
RA
AM, and a maxximum of 22 seessions. Suppo orts some roles including DN NS
an
nd DHCP Serveer roles, but do
oes not support others including AD DS, A AD CS,
an
nd AD FS. Supp
ports domain jjoin.
Note: For mo
ore information
n about the diffferences betw
ween Windowss Server 2012 e
editions,
see the Windows Server Catalog
g at http://ww
ww.windowsserrvercatalog.com
m/svvp.aspx.
Wh
hat Is Serv
ver Core?
Servver Core is a minimal
m installa
ation option fo
or
Winndows Server 2012
2 that you manage from
Winndows PowerSh hell or a comm mand line ratheer
thann by using GUI-based tools. A Windows Se erver
2012 Server Core installation offfers fewer
commponents and administrative e managementt
options than the full
f installation n of Windows
Servver 2012. Serveer Core installa
ation is the default
n when installing Windows Server
installation option S
2012. Server Core e has the followwing advantag ges
over a traditional Windows Servver 2012
depployment:
• Reduced upd date requireme ents. Because Server
S Core insstalls fewer components, its deployment
requires you to
t install fewer software upddates. This red uces the amou unt of time req
quired for an
administratorr to service Serrver Core.
Incrreasing numbeers of Microsofft server appliccations are dessigned to run on computers with Server Core–
installed operating systems. Forr example, youu can install SQ
QL Server 2012 2 on computerrs running the
Servver Core–installed version off Windows Servver 2008 R2.
You can switch from Server Core to the graphical version of Windows Server 2012 by running the
following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that
hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount
Installing the graphical components gives you the option of performing administrative tasks using the
graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command-line
tool. You will learn more about how to perform this task in Lesson 4, “Post-installation Configuration of
Windows Server 2012.”
Once you have performed the necessary administrative tasks, you can return the computer to its original
Server Core configuration. You can switch a computer that has the graphical version of Windows Server
2012 to Server Core by removing the following features:
• Graphical Management Tools and Infrastructure
Note: Be careful when removing graphical features, as some servers will have other
components installed that are dependent upon those features.
When connected locally, you can use the tools that are listed in the following table to manage Server Core
deployments of Windows Server 2012.
Tool Function
PowerShell.exe Launches a Windows PowerShell session on the Server Core deployment. You
can then perform Windows PowerShell tasks normally.
Notepad.exe Allows you to use the Notepad.exe text editor within the Server Core
environment.
Msinfo32.exe Allows you to view system information about the Server Core deployment.
Note: If you accidentally close the command window on a computer that is running Server
Core, you can recover the command window by performing the following steps:
1. Press Ctrl+Alt+DEL, and then select Task Manager.
2. From the File menu, click New Task (Run…), and then type cmd.exe.
Server Core supports most—but not all—Windows Server 2012 roles and features. You cannot install the
following roles on a computer running Server Core:
• AD FS
1-8 Deploying and Managing Windows Server 2012
• Application Server
The Windows Servver 2012 admiinistration para adigm focusess more on man naging many sservers from oone
console than the traditional
t meethod of managing each servver separately.. This means thhat when you want
to perform
p an admministrative task, you are mo
ore likely to m anage multiple computers tthat are runnin
ng the
Servver Core opera
ating system frrom one comp puter, than youu are to conneect to each com
mputer individ
dually.
Youu can enable re
emote manage ement of a com
mputer that is running Serveer Core throug gh sconfig.cmd
d, or
by running
r the following comm mand:
Win
ndows Server 2012
2 supports the server role
es that are listeed in the follow
wing table.
Ro
ole Function
AD DS A centralizzed store of in
nformation aboout network
objects, in
ncluding user aand computer accounts. Useed
for authenntication and aauthorization.
AD FS Provides w
web single sign
n-on (SSO) and
d secured iden
ntify
federation
n support.
Role Function
Active Directory Rights Management Allows you to apply rights management policies to
Services (AD RMS) prevent unauthorized access to sensitive documents.
File and Storage Services Supports the management of shared folders storage,
distributed file system (DFS), and network storage.
Network Policy and Access Services Authorization infrastructure for remote connections,
including Health Registration Authority (HRA) for
Network Access Protection (NAP).
Volume Activation Services Allows you to automate and simplify the management
of volume license keys and volume key activation.
Allows you to manage a Key Management Service
(KMS) host or configure AD DS–based activation for
computers that are members of the domain.
Web Server (IIS) The Windows Server 2012 web server component.
Windows Server Update Services (WSUS) Provides a method of deploying updates for Microsoft
products to network computers.
When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s
configuration (such as firewall settings), to support the role. Windows Server 2012 also automatically
deploys role dependencies simultaneously. For example, when you install the WSUS role, the Web Server
(IIS) role components that are required to support the WSUS role are also installed automatically.
1-10 Deployingg and Managing Winndows Server 2012
Wh
hat Are the
e Featuress of Windo
ows Serverr 2012?
Win
ndows Server 2012
2 features are
a independe ent
com
mponents that often supportt role services or
o
support the server directly.
Fe
eature Descriptio
on
.N
NET Framework 3.5 Features Installs .NEET Frameworkk 3.5 technolog
gies.
.N
NET Framework 4.5 Features Installs .NEET Frameworkk 4.5 technolog
gies. This featu
ure is
installed bby default.
Ba
ackground Intelligent Transffer Service Allows asyynchronous traansfer of files tto ensure that
(B
BITS) other netwwork applicatio
ons are not ad dversely impaccted.
Windows
W BitLoccker® Drive Encryption Supports ffull-disk and fu
ull-volume enccryption, and
startup en
nvironment pro otection.
BiitLocker netwo
ork unlock Provides a network-baseed key protecttor that can
unlock loccked BitLockerr–protected do
omain-joined
operating systems.
Windows
W BrancchCache® Allows thee server to fun ction as eitherr a hosted cach
he
server or a BranchCachee content serve er for
BranchCacche clients.
En
nhanced Stora
age Provides ssupport for additional functionality availab
ble
in Enhanc ed Storage Acccess (IEEE 166 67 protocol)
device, inccluding data aaccess restrictio
ons.
Fa
ailover Clustering A high-avvailability featu
ure that allows Windows Servver
2012 to paarticipate in faailover clustering.
Feature Description
Group Policy across an enterprise.
Ink and Handwriting Services Allows use of Ink Support and Handwriting
Recognition.
Internet SCSI (iSCSI) Target Storage Provides iSCSI target and disk management services to
Provider Windows Server 2012.
Internet Storage name Service (iSNS) Supports discovery services of iSCSI storage area
Server service networks (SANs).
Line Printer Remote (LPR) Port Monitor Allows computer to send print jobs to printers that are
shared using the Line Printer Daemon (LPD) service.
Management Open Data Protocol (OData) Allows you to expose Windows PowerShell cmdlets
IIS Extension through an OData–based web service running on the
IIS platform.
Peer Name Resolution Protocol (PNRP) Name resolution protocol that allows applications to
resolve names on the computer.
Quality Windows Audio Video Experience Supports audio and video streaming applications on IP
home networks.
Remote Access Server (RAS) Connection Allows you to create connection manager profiles that
Manager Administration Kit simplify remote access configuration deployment to
client computers.
Remote Differential Compression (RDC) Transfers the differences between files over a network,
minimizing bandwidth utilization.
Remote Server Administration Tools Collection of consoles and tools for remotely managing
roles and features on other services.
Remote Procedure Call (RPC) over HTTP Relays RPC traffic over HTTP as an alternative to VPN
Proxy connections.
Simple TCP/IP Services Supports basic TCP/IP services, including Quote of the
Day.
1-12 Deploying and Managing Windows Server 2012
Feature Description
Simple Network Management Protocol Includes SNMP agents that are used with the network
(SNMP) Service management services.
Subsystem for UNIX-based Applications Supports Portable Operating System Interface for UNIX
(POSIX)–compliant UNIX-based applications.
Telnet Server Allows clients to connect to the server using the Telnet
protocol.
Trivial File Transfer Protocol (TFTP) Client Allows you to access TFTP servers.
User Interfaces and Infrastructure Contains the components necessary to support the
graphical interface installation option on Windows
Server 2012. On graphical installations, this feature is
installed by default.
Windows Biometric Framework (WBF) Allows use of fingerprint devices for authentication.
Windows Identity Foundation 3.5 Set of .NET Framework classes that support
implementing claims based identity on .NET
applications.
Windows Internal Database Relational data store that can only be used by Windows
roles and features such as WSUS.
Windows Process Activation service (WAS) Allows applications hosting WCF services that to not
use HTTP protocols to use features of IIS.
Windows Search service Allows fast searches of files hosted on a server for
clients compatible with the Windows Search Service.
Windows Server Backup Backup and recovery software for Windows Server
2012.
Windows Server Migration Tools Collection of Windows PowerShell cmdlets that assist in
the migration of server roles, operating system settings,
files, and shares from computers running previous
versions of Windows Server operating systems to
20410A: Installing and Configuring Windows Server® 2012 1-13
Feature Description
Windows Server 2012.
Windows System Resource Manager Allows you to control the allocation of CPU and
(WSRM) memory resources.
Windows Internet Naming Service (WINS) Supports name resolution for NetBIOS names.
Server
Wireless local area network (LAN) Service Allows the server to use a wireless network interface.
Windows on Windows (WoW) 64 Support Supports running 32-bit applications on Server Core
installations. This feature is installed by default.
Features on Demand
Features on Demand is a Windows Server 2012 installation option where features are not available directly
on the deployed server, but can be added if you have access to a remote source, such as a mounted
image of the full operating system. The advantage of a Features on Demand installation is that it requires
less hard disk space than a traditional installation. The disadvantage is that you must have access to a
mounted installation source if you want to add a role or feature, something that is not necessary if you
perform an installation of Windows Server 2012 with the graphical features enabled.
Question: Which feature do you need to install to support NetBIOS name resolution for
client computers running a Microsoft Windows NT 4.0 workstation?
1-14 Deployingg and Managing Winndows Server 2012
Lesson 2
Overviiew of Window
W ws Serve
er 2012 Manag
gement
Initiially configurin
ng a server corrrectly can save
e you from su bstantial probblems later. Windows Server 2012
provvides multiple tools to perfo orm specific ad which is appropriate for a givven
dministrative taasks, each of w
set ofo circumstancces. The Windo ows Server 201 12 managemeent interface allso enhances tthe ability for sserver
admministrators to perform admiinistrative task ks on more thaan one server ssimultaneouslyy.
In th
his lesson you will learn about the differen
nt managemen ou can use to perform
nt tools that yo
admministrative tassks on computers that are running the Win
ndows Server 2 2012 operatingg system.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe Servver Manager.
• Describe how
w to use admin
nistrative tools..
• Describe how
w to use Serverr Manager to perform
p a varieety of tasks.
• Describe how
w to configure services.
Wh
hat Is Serv
ver Manage
er?
Servver Manager iss the primary graphical
g tool that
you will use to maanage computters running
Winndows Server 2012.
2 You can use the Serverr
Man nager console to manage bo oth the local seerver
and remote servers. You can alsso manage servers
as groups.
g By man naging serverss as groups, yo
ou can
perfform the samee administrativve tasks quicklyy
acro
oss multiple se
ervers that eith
her perform the e
sam
me role, or are members of th he same group p.
You
u can use the server manager console to
wing tasks on both local servvers
perfform the follow
and remote servers:
• Perform serve
er configuratio
on tasks
Administra
A tive Tools
When
W you use Server
S Manageer to perform a
sp
pecific role-related or feature e-related
ad
dministrative task,
t the conso
ole launches th
he
ap
ppropriate adm ministrative tool. When you install a
ro
ole or feature using
u Server Manager
M locallyy or
re
emotely, the ap ppropriate adm ministrative to
ool is
also loaded. Forr example, if yo ou use Server
Manager
M to insttall the DHCP role on anothe er
se
erver, the DHC CP console will automaticallyy be
nstalled on the local server. You
in Y can install the
omplete set off administrative tools for Win
co ndows
erver 2012 by installing the Remote Serverr
Se
Administration Tools feature.
Th
he tools that administrators
a most common
nly use, (aside from Window
ws PowerShell, which you will learn
ab
bout in Lessonn 5), include:
• Active Directory Administtrative Center.. With this connsole, you can perform Activve Directory
administrattive tasks such as raising dommain and foresst functional leevels and enab
bling the Activve
Directory Recycle
R Bin. You also use thiss console to maanage Dynam ic Access Conttrol.
• Event Viewer. You can use the Event Viewer to view eevents recordeed in the Wind
dows Server 20
012
event logs.
• Resource Monitor.
M You ca
an use this con
nsole to view rreal-time inforrmation on CPU, memory, diisk and
network utilization.
Yo
ou can access each of these tools from the
e Tools menu in Server Man
nager.
Demonstra
D ation: Using Server Manager
M
In
n this demonsttration, you will see how Servver Manager iss used to perfo
orm the follow
wing tasks:
• Log on to Windows
W Serve
er 2012 and view the Windo
ows Server 201
12 desktop.
• Add a featu
ure by Using th
he Add Roles and
a Features W
Wizard.
1-16 Deploying and Managing Windows Server 2012
Demonstration Steps
Log on to Windows Server 2012 and view the Windows Server 2012 desktop
• Log on to LON-DC1, and then close the Server Manager console.
11. On the Confirmation page, select the Restart the destination server automatically if required
check box, click Yes, click Install and then click Close.
12. Click the flag icon next to Server Manager Dashboard, and review the messages.
2. In the Roles and Server Groups pane, under DNS, click Events.
3. On the DNS - Events Detail View, change the time period to 48 hours, and the Event Sources to
All.
2. Select All on the Severity Levels drop-down menu, and then click OK.
2. Log on to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.
20410A: Installinng and Configuring W
Windows Server® 20012 1-17
Restart
R Wind
dows Serverr 2012
• In a Windows PowerShelll window, type
e the following
g command, and then press Enter:
Shutdown /r /t 60
Configuring
C g Services
Seervices are pro
ograms that run in the backg ground
an
nd provide serrvices to clients and the hostt server.
Yoou can manag ge services throough the Services
co
onsole, which is available thrrough the Too ols
menu
m in Server Manager. When securing a
co
omputer, you should
s disable
e all services exxcept
th
hose that are required by the e roles, feature
es, and
ap
pplications tha at are installed on the serverr.
Sttartup Type
es
Se
ervices use one
e of the follow
wing startup tyypes:
• Automatic (Delayed Startt). The service starts automattically after thee server has bo
ooted.
Service Reco
overy
Re
ecovery option
ns determine what
w a service does in the evvent that it fails. You access the Recovery ttab by
op
pening the DNNS Server Prop
perties windoww. On the Recoovery tab, you have the follow wing recoveryy
op
ptions:
Managed
M Service Accou
unts
Managed
M servicce accounts are
e special doma ain-based acco
ounts that you u can use with services. The
ad
dvantage of a managed servvice account iss that the accoount password is rotated auto omatically acccording
to
o a schedule. These
T passwordd changes are automatic, annd do not requ uire administraator interventioon. This
minimizes
m the chance
c that the
e service accou
unt password wwill be compro omised, sometthing that hap ppens
be
ecause adminiistrators traditionally assign simple passwoords to servicee accounts withh the same serrvice
1-18 Deployingg and Managing Winndows Server 2012
Co
onfiguring Remote Manageme
M ent
You
u rarely performm systems adm ministration fro
om
the server room. Almost
A all task
ks that you perrform
on a daily basis will
w be performe ed using remo ote
mannagement tech hnologies. Witth Windows Re emote
Mannagement, you u can use Rem mote Shell, remote
Winndows PowerSh hell, and remo ote manageme ent
tools to manage a computer remotely.
You emote Management from Server
u can enable Re
Man
nager by perfoorming the following steps:
You
u can enable re
emote manageement from th he command liine by runningg the command WinRM -qcc. You
can disable Remo
ote Manageme ent by using th
he same metho
od that you usse to enable it.. You can disab
ble
rem
mote managem ment on a computer running the Server Co
ore installation
n option using the sconfig.cmmd
tool.
Rem
mote Desktop
Remmote Desktop is the tradition nal method byy which system
ms administrato
ors remotely co
onnect to the
servvers that they manage.
m You can
c configure Remote Deskttop on a comp puter that runn
ning the full ve
ersion
of Windows
W Serve
er 2012 by perrforming the fo
ollowing steps :
2. Next to Remo
ote Desktop, click Disabled
d.
3. In the System
m Properties dialog
d box, on the Remote ttab, select onee of the follow
wing options:
o Allow co
onnections fro
om computerrs running anyy version of R Remote Desktop. Allows
connectio
ons from Remote Desktop clients that do not support N Authentication
Network Level A n
You
u can enable an mote Desktop on computerss that are runn
nd disable Rem ning the Serverr Core installattion
option by using th
he sconfig.cm
md command-line tool.
20410A: Installinng and Configuring W
Windows Server® 20012 1-19
Lesson
n3
Installing Wiindows Server 2012
When
W preparingg to install Win
ndows Server 2012,
2 you neeed to understan
nd whether a particular hard dware
co Y also need to know whetther a Server C
onfiguration iss appropriate. You Core deployment might be m more
su
uitable than a full graphical user
u interface (GUI) deploymment, and whicch installation source allows you to
de
eploy Window ws Server 2012 in an efficientt manner.
In
n this lesson yo
ou will learn ab
bout the proceess of installing
g Windows Server 2012, including the metthods
th
hat you can use to install thee operating sysstem, the diffeerent installatio
on options, the
e minimum sysstem
re
equirements, and
a the decisio ons that you neeed to make w when using thee Installation WWizard.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe th
he different me
ethods that yo
ou can use to in
nstall Window
ws Server 2012..
• Identify the
e different installation types that you can cchoose when installing the W
Windows Serve
er 2012.
• Determine whether a com mputer or virtu
ual machine m
meets the minim
mum hardware requirementts
necessary to install Windo
ows Server 2012.
• Describe th
he decisions that you need to
o make when performing a W
Windows Servver 2012 installation.
In
nstallation
n Methods
Microsoft
M distrib
butes Windowws Server 2012 on
op mage format. ISO
ptical media and in an .iso im
fo
ormat is becom ming more com mmon as
orrganizations acquire softwarre over the Internet
ra
ather than phyysically.
Once
O you have the operating system from
Microsoft,
M you can
c then use your
y own meth hod to
eploy the operating system. You can install
de
Windows
W Server 2012 by usinng a variety of
methods,
m includ
ding the follow
wing:
• Optical Media
o Disadvantages includ
de:
Re
equires that the
e computer ha
as access to a D
DVD-ROM drivve.
Is usually
u slower than USB med
dia.
Yo
ou cannot upda
ate the installa
ation image w ithout replacin
ng the media.
Yo DVD-ROM at a time.
ou can only perform one insttallation per D
• USB Media
o Advanttages include:
The answer file can be stored on a USB drive, minimizing the amount of interaction that the
administrator must perform.
o Disadvantages include:
It requires the administrator to perform special steps to prepare USB media from ISO file.
With virtualization software, you can mount the ISO image directly, and install Windows
Server 2012 on the virtual machine.
• Network Share
o Advantages include:
It is possible to boot a server off a boot device (DVD or USB drive) and install from
installation files hosted on a network share.
o Disadvantages include:
This method is much slower than using Windows Deployment Services. If you already have
access to a DVD or USB media, it is simpler to use those tools for operating system
deployment.
• Windows DS
o Advantages include:
You can deploy Windows Server 2012 from WIM image files or specially prepared VHD files.
You can use the Windows Automated Installation Kit (AIK) to configure lite-touch
deployment.
Clients perform a Pre-Boot eXecution Environment (PXE) boot to contact the WDS server and
the operating system image is transmitted to the server over the network.
WDS allows multiple concurrent installations of Windows Server 2012 using multicast
network transmissions.
o Advantages include:
System Center Configuration Manager allows you to fully automate the deployment of
Windows Server 2012 to new servers that do not have an operating system installed. This
process is called Zero Touch deployment.
o Advantages include:
Windows Server 2012 is usually deployed in private cloud scenarios from preconfigured
virtual machine templates. You can configure multiple components of the System Center
suite to allow self-service deployment of Windows Server 2012 virtual machines.
Question: What is another method that you can use to deploy Windows Server 2012?
20410A: Installinng and Configuring W
Windows Server® 20012 1-21
In
nstallation
n Types
How you deploy Windows Server 2012 on a
sp
pecific server depends
d on the circumstance es of
th
hat deploymen t a server that is
nt. Deploying to
ru
unning Window ws Server 20088 R2 requires
diifferent actions than deployiing to a serverr
ru
unning an x86 edition of Win ndows Server 2003.
2
When
W you are performing
p the
e installation of
o the
Windows
W Server 2012 operatiing system, you can
ch
hoose one of thet options in the following table.
Fresh installattion Allows you to pe erform a fresh install on a neew disk or volu
ume. Fresh
insstallations are the
t most frequ uently used, an nd take the shortest amountt of
tim
me. You can alsso use this opttion to configu ure Windows SServer 2012 to
perform a dual boot
b if you wannt to keep thee existing operating system.
Upgrade Ann upgrade presserves the filess, settings, and applications iinstalled on the
original server. You
Y perform an n upgrade wheen you want to o keep all of th
hese
items and want to t continue to use the same server hardwaare. You can o only
upgrade to Wind dows Server 20012 from x64 vversions of Windows Server 2003,
Windows Server 2003 R2, Wind dows Server 20 008, and Wind dows Server 20 008 R2.
You can only upg grade to an eqquivalent or neewer edition oof Windows Server
2012. You launch h an upgrade b by running settup.exe from w within the origginal
operating system m.
When
W you perfoorm a fresh insstallation, you can deploy WWindows Serverr 2012 to an unpartitioned d disk, or
to
o an existing vo
olume. You ca an also install Windows
W Serveer 2012 to a sp
pecially-prepared VHD file in
na
“b
boot to VHD” scenario.
s Boott to VHD requires special preeparation and is not an optio on that you caan
ch
hoose when pe erforming a tyypical installation using the W
Windows Setup p wizard.
1-22 Deployingg and Managing Winndows Server 2012
Ha
ardware Re
equiremen
nts for Win
ndows Servver 2012
Hardware requirements define the t minimum
harddware that is required
r to run
n the Windowss
Servver 2012 serve
er. Your actual hardware
requuirements migght be greater, and depend on o
the services that the
t server is hoosting, the loadd on
the server, and the responsivene ess of your serrver.
Eachh role service and
a feature places a unique load
on network,
n disk I/O,
I processor,, and memory
reso
ources. For exaample, the file server role pla
aces
diffe
erent stresses on
o server hard dware than the e
DHC CP role.
Win
ndows Server 2012
2 has the fo
ollowing minim
mum hardwaree requirementts:
• Memory (RAM
M): 512 megab
bytes (MB)
• 4 TB of RAM
• 63 failover clu
uster nodes
Question: Why does a servver need more hard disk drivve space if it has more than 16 GB of
RAM?
20410A: Installinng and Configuring W
Windows Server® 20012 1-23
In
nstalling Windows
W Server
S 2012
2
Thhe process of deploying
d a se
erver operatingg
syystem is simple er today than iti has been in the
pa ast. The personn performing thet deployment has
to
o make fewer decisions,
d althoough the decisions
th
hat they do ma ake are critical to the success of the
de eployment. A typical installa ation of Windoows
Se y do not havve an existing answer
erver 2012, if you
fille, involves performing the following
f stepss:
o Langua
age to install
4.. In the Wind dows Setup wizard, on the Select The Ope erating System You Want To Install pag ge,
choose from m the available
e operating syystem installatiion options. Th
he default option is Server C
Core
Installation.
6.. On the Wh
hich Type Of Installation Do
o You Want p
page, you havee the following
g options:
o Custom
m. Select this option
o if you want
w m a new installation.
to perform
Lesson 4
Post-In
nstallatiion Con
nfigurattion of W
Window
ws Serve
er 2012
2
The Windows Servver 2012 installation processs involves answ
wering a minim mal number off questions. On nce
you have completted installation o perform seveeral post-instal lation configuration steps before
n, you need to
you can deploy it in a productio
on environmen nt. These stepss allow you to prepare the seerver for the ro
ole it
will play on your organization’s
o network.
Thiss lesson coverss how to perform a range of post-installatiion configurattion tasks, inclu
uding configuring
netwwork addressin ng informationn, setting a serrver’s name an
nd joining it to
o the domain, aand understan
nding
prodduct activationn options.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe how
w to Server Manager to perfo
orm post-instaallation configu
uration tasks.
• Describe how
w to configure the network.
• Describe how
w to join an Acttive Directory domain.
• Explain how to
t activate Win
ndows Server 2012.
2
• Describe how
w to perform post-installation
n configuratio
on of a Server C
Core compute
er.
Ov
verview of Post-Insta
allation Co
onfiguratio
on
Unliike previous ve
ersions of Windows operatin ng
systems, the Wind dows Server 20012 installationn
proccess minimizess the number of questions th hat
you need to answ wer. For examp ple, you no longer
need to configure e network conn nections, a
com
mputer name, a user accountt, and domain
memmbership inforrmation. The only
o informatio
on
thatt you provide during
d the insttallation proce
ess is
the password for the default loccal Administrator
acco
ount.
u use the Local Server node in the Server
You
nager console to perform th
Man he following tasks:
• Configure the
e IP address
• Set the comp
puter name
• Join an Active
e Directory domain
• Configure the
e time zone
• Enable autom
matic updates
Configuring
C g Server Network
N Se
ettings
To
o communicatte on the netw work, a server needs
n
co
orrect IP addreess informationn. Once you ha ave
co
ompleted insta allation, you ne
eed to either set
s or
ch
heck the server’s IP address configuration.
c By
de
efault, a newlyy-deployed serrver attempts to
t
ob
btain IP address information n from a DHCP P server.
Yo
ou can view a server’s IP add dress configura
ation by
clicking the Loccal Server nodde in Server Ma anager.
Note: If you
u are using only an IPv6 netw
work, then an IPv4 address iin this range iss not
nd IPv6 address information is still configu red automaticcally. You will learn more
problematic, an
bout implementing IPv6 in Module
ab M 8, “Imp
plementing IPvv6.”
Configuratio
C on Using Serrver Manag
ger
Yo
ou can configu
ure IP address information fo
or a server maanually by perfforming the fo
ollowing steps:
1.. In the Serve
er Manager co
onsole, click on next to the nettwork adapterr that you want to
n the address n
configure. This
T will open the Network Connections
C w
window.
2.. Right-click on the networrk adapter for which you waant to configurre an address, and then clickk
Properties.
3.. In the Adap es dialog box, click Internett Protocol Version 4 (TCP//IPv4), and the
pter Propertie en click
Properties.
4.. In the Interrnet Protocol Version 4 (TCCP/IPv4) Prop
perties dialog
g box, enter the following IPvv4
address infoormation, and then click OK
K twice:
o IP addrress
o Subnett Mask
o Defaultt Gateway
o Alterna
ate DNS serverr
Command-L
C ine IPv4 Ad
ddress Confiiguration
Yo
ou can set IPv4
4 address information manu ually from an eelevated commmand prompt b by using the n
netsh.exe
co
ommand from m the interface ipv4 context. For example, tto configure th
he adapter nammed Local Are ea
Connection witth the IPv4 adddress 10.10.10
0.10 and subneet mask 255.25 55.255.0, type the following
co
ommand:
Netsh int
terface ipv4 set address “Local Area
a Connection”
” static 10.1
10.10.10
255.255.2
255.0
1-26 Deployingg and Managing Winndows Server 2012
You
u can use the same context of
o the netsh.exxe command to o configure DNNS configuratiion. For examp ple, to
configure the ada
apter named Local Area Con nnection to u se the DNS server at IP addrress 10.10.10.5
5 as
the primary DNS server, type th
he following co
ommand:
You
u will learn more about confiiguring IPv4 in
n Module 5, “Im
mplementing IIPv4.”
1. Ensure that th
he server has more
m than one
e network adap
pter.
2. In Server Ma
anager, click th
he Local Serve
er node.
3. Next to Netw
work Adapter Teaming, clicck Disabled. TThis will launch
h the NIC Team
ming dialog b
box.
4. In the NIC Te
eaming dialog
g box, hold dow ork adapter that
wn the Ctrl ke y, and then cliick each netwo
you want to add
a to the team.
5. Right-click on
n these selecte
ed network ada
apters, and theen click Add tto New Team..
Ho
ow to Join the Doma
ain
Whe en you install Windows
W Servver 2012, the
commputer is assigned a random name. Prior to o
joining a domain, you should co onfigure the se
erver
with
h the name it will
w use in the domain. As a best b
pracctice, you shouuld use a consistent naming
scheeme when devvising a compu uter name.
Commputers should d be given nam mes that reflecct
theiir function andd location, not names with
perssonal ties, such
h as pet namess, or fictional oro
historical characteers. It is simpleer for everyone
e to
deteermine that a server named MEL-DNS1 is a
DNS S server in Melbourne, than it is to determ mine
thatt a server named Copernicuss holds the DN NS role in the M
Melbourne offfice.
You
u change this name
n using the ager console byy performing tthe following steps:
e Server Mana
1. In Server Ma
anager, click th
he Local Serve
er node.
3. In the System
m Properties dialog
d box, in the Compute r Name tab, cclick Change.
5. Restart the co
omputer to implement the name
n change.
20410A: Installinng and Configuring W
Windows Server® 20012 1-27
• Complete one
o of the follo
owing tasks:
o Create a computer account in the domain that m matches the naame of the com
mputer that yo
ou want
to join to the domain
n. This is often done when laarge numbers of computers need to be joined to
the domain automattically.
• Verify that the security acccount that is used for the d omain operat ion already exxists within the
e
domain.
To
o join the dom
main using Servver Manager, perform
p the fo
ollowing steps::
Performing
P g Offline Domain
D Joiin
Offline
O Domain Join is a featu ure you can use e to
jo
oin a computerr to the domaiin when that
co
omputer does not have an activea network
co
onnection. This feature can be b useful in sittuations
where
w connectivvity is intermitttent, such as when
w
yo
ou are deployiing a server to a remote site
co
onnected via satellite
s uplink.. For example, if you
were
w deploying servers to locations in Outb back
Australia or islands in the Sou uth Pacific.
Use the djoin.exxe command line tool to perrform
an
n offline doma an perform an offline
ain join. You ca
do
omain join by performing th he following stteps:
1.. Log on to the
t domain controller with a user account that has the aappropriate rig
ghts to join oth
her
computers to the domain
n.
4. Restart the co
omputer to complete the do
omain-join opeeration.
Activating Windows
W Se
erver 2012
2
Youu must activate e every copy of Windows Serrver
2012 that you insttall, to ensure that your
orga orrectly licensed and to receive
anization is co
notiices for producct updates. Wiindows Server 2012
requ n after installation. Unlike
uires activation
prevvious versions of the Window ws server operrating
system, there is noo longer an acctivation gracee
periiod. If you do not perform activation, you
cannot perform operating
o syste
em customization.
There are two gen neral strategies that you cann use
for activation:
a
• Manual activa
ation. Suitable
e when you are
e
deploying a small
s number ofo servers.
• Automatic acctivation. Suitable when you are deploying
g larger numbeers of servers.
With manual activvation, you entter the producct key and the server contacts Microsoft or an administrrator
perfforms the activvation over the
e phone or thrrough a speciaal clearinghousse website.
4. If a direct con
nnection cannoot be establish
hed to the Miccrosoft activati on servers, dettails will displaay
about perform ming activation using a website from a deevice that has aan Internet con nnection, or byy
using a local telephone num mber.
Because compute ers running thee Server Core installation opttion do not haave the Server Manager conssole,
you can perform manual activattion using the slmgr.vbs co ommand. Use tthe slmgr.vbss /ipk comman nd to
ente
er the productt key, and slmg
gr.vbs /ato too perform activvation once thhe product keyy is installed.
20410A: Installinng and Configuring W
Windows Server® 20012 1-29
Prrevious version
ns of the Wind dows Server op perating system
m allowed you u to generalizee a Windows im
mage
ussing the sysprrep utility, but limited the nu
umber of timess due to activaation being reaarmed each tim
me you
peerformed this task, and due to an overall limit of three rrearms per insttallation. With Windows Servver
012, you can rearm a deployyment up to 99
20 99 times.
Yo
ou can perform m manual activvation using either the retai l product key, or the multiplle activation key. You
ca o activate onlyy a single com puter. Howeveer, a multiple aactivation key has a
an use a retail product key to
se
et number of activations
a that you can use. Using a multi ple activation key, you can aactivate multip ple
omputers up to a set activation limit.
co
OEM
O keys are a special type of
o activation ke
ey that are proovided to a maanufacturer an nd allow autommatic
acctivation whenn a computer is first poweredd on. This typee of activation key is typicallyy used with
omputers that are running client operating
co g systems such h as Windows 7 and Window ws 8. OEM keyys are
ra
arely used withh computers th hat are running
g server operaating systems.
Automatic
A Activation
A
In
n previous verssions of the Windows Server operating sysstem, you could use KMS to perform centrralized
ultiple clients. The Volume Activation
acctivation of mu A Servvices server rol e in Windows Server 2012 allows
ou to manage a KMS server through a new
yo w interface. Th he process of installing a KM
his simplifies th MS key
onn the KMS servver. When you u install Volum
me Activation SServices, you caan also configure Active Direectory-
ba n. Active Direcctory-based activation allowss automatic acctivation of do
ased activation omain-joined
co
omputers. Whe en you use Vo olume Activatioon Services, eaach computer activated musst periodically ccontact
th
he KMS server to renew its activation statu us.
Configuring
C g a Server Core Insta
allation
Pe
erforming posst installation on
o a computerr
ru
unning the Serrver Core operating system option
o
ca
an be dauntingg to administra ators that havee not
pe
erformed the task
t before. Instead of havinng GUI-
ba
ased tools thatt simplify the post-installatio
p on
co
onfiguration process, IT proffessionals are faced
f
with
w performing g complex con nfiguration tasks from
a command-line e interface.
Th
he good news is that you can perform the e
majority
m of postt-installation configuration
c tasks
t
ussing the sconfig.cmd comma and-line tool. Using
th
his utility minim
mizes the posssibility of the
Administrator making
m syntax errors when using more com
mplicated com
mmand-line utiilities.
Yo
ou can use sco
onfig.cmd to perform
p the folllowing tasks:
• Configure Domain
D and Workgroup
W info
ormation
• Configure the
t computer’ss name
1-30 Deploying and Managing Windows Server 2012
• Log off
4. In the Network Adapter Settings area, choose between one of the following options:
You can change a server’s name using sconfig.cmd by performing the following steps:
You must restart a server for the configuration change to take effect.
Note: Prior to joining the domain, verify that you are able to ping the DNS server by
hostname.
To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:
4. Type the name of the domain to which you want to join the computer.
5. Provide the details in domain\username format, of an account that is authorized to join the domain.
6. Type the password associated with that account.
For example, you can view a list of roles and features that are installed by executing the following
command:
You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to
install the NLB feature, execute the command:
Install-WindowsFeature NLB
Not all features are directly available for installation on a computer running the Server Core operating
system. You can determine which features are not directly available for installation by running the
following command:
You can add a role or feature that is not directly available for installation by using the -Source parameter
of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted
installation image that includes the full version of Windows Server 2012. You can mount an installation
image using the DISM.exe command-line utility.
Note: The process of adding and removing the graphical component of the Windows Server
2012 operating system by using the Install-WindowsFeature cmdlet was covered in Lesson 1.
You can also use the dism.exe command-line tool to add and remove Windows roles and features from a
Server Core deployment, even though this tool is used primarily for managing image files.
1-32 Deployingg and Managing Winndows Server 2012
Lesson 5
Introduction to
t Wind
dows Po
owerShell
Winndows PowerSh hell is a commmand-line shell and task-baseed scripting teechnology built into the Windows
Servver 2012 opera
ating system thhat simplifies the
t automatioon of common systems admiinistration taskks.
With Windows Po owerShell, you can automate e common taskks, leaving you u more time fo
or more difficu
ult
systems administrration tasks.
In th
his lesson, youu will learn abo
out Windows PowerShell,
P an d why Window
ws PowerShell is perhaps the
e
mosst critical piece dministrator’s toolkit.
e of a server ad
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe com
mmon Window
ws PowerShell cmdlets
c used tto manage serrvices, processe
es, roles and
features.
• Describe the functionality of
o Windows Po
owerShell ISE.
Wh
hat Is Wind
dows Pow
werShell?
Winndows PowerSh hell is a scripting language
desiigned to assistt you in performing day-to-d day
admministrative tassks. Windows PowerShell
P is made
m
up of
o cmdlets that you execute at a Windowss
PowwerShell promp pt, or combine e into Window ws
PowwerShell scriptss. Unlike otherr scripting
lang
guages that we ere designed initially for ano other
purpose, but have e been adapted for system
admministration tassks, Windows PowerShell
P is
desiigned with sysstem administrration tasks in mind.
An increasing
i num
mber of Microssoft products—
—
suchh as Microsoft Exchange Server 2010—havve
grapphical interfaces that build Windows
W PoweerShell commaands. These prroducts allow yyou to view the
gennerated Windows PowerShell script, so you u can execute tthe task at a laater time witho
out having to g
go
thro
ough all of thee steps in the GUI.
G Being ablee to automate complex taskss simplifies a sserver
adm
ministrator’s job, and saves time.
Windows
W PowerShell
P l Cmdlet Syntax
S
Windows
W PowerShell cmdlets use a verb-no oun
syyntax. Each noun has a collecction of associiated
veerbs. The available verbs difffer with each cmdlet’s
c
nooun.
• New
• Set
• Restart
• Resume
• Stop
• Suspend
• Clear
• Limit
• Remove
• Add
• Show
• Write
Yo
ou can learn th
he available ve
erbs for a partiicular Window
ws PowerShell n
noun by execu
uting the comm
mand:
Yo
ou can learn th
he available Windows
W PowerShell nouns fo
or a specific veerb by executing the commaand:
Windows
W PowerShell parametters start with a dash. Each W
Windows PoweerShell cmdlett has its own
o parameters. You can learn what the paraameters are fo
asssociated set of or a particular W
Windows Pow werShell
cm
mdlet by execu uting the command:
Help Cmdl
ltName
Co
ommon Cm
mdlets for Server Administratio
on
There are certain cmdlets that youy are more likely
to use
u as a server administrator. These primarrily
relate to services, event logs, prrocesses, and
ServverManager ru unning on the server.
Serrvice Cmdlets
You
u can use the fo
ollowing Winddows PowerShell
cmd ge services on a computer th
dlets to manag hat is
runn
ning Windowss Server 2012:
• e. Creates a new
New-Service w service.
• Start-Service
e. Starts a stop
pped service.
• Stop-Service
e. Stops a runn
ning service.
• Suspend-Serrvice. Suspend
ds a service.
Eve
ent Log Cmd
dlets
You
u can use the fo dows PowerShell cmdlets to manage even t logs on a com
ollowing Wind mputer that is
runn
ning Windowss Server 2012:
• Get-EventLo
og. Displays eve
ents in the spe
ecified event lo
og.
• New-EventLo og. Creates a new event log and a new evvent source on
n a computer rrunning Windo
ows
Server 2012.
• Remove-Eve
entLog. Removves a custom event
e log and unregisters all event sourcess for the log
• Show-EventL
Log. Shows the event logs of
o a computer.
• Write-EventL
Log. Allows yo
ou to write eve
ents to an even
nt log.
Pro
ocess Cmdle
ets
You
u can use the fo dows PowerShell cmdlets to manage proceesses on a com
ollowing Wind mputer that is
runn
ning Windowss Server 2012:
ServerManag
ger Module
e
Th
he ServerMana ager module allows
a you to add
a one of thr ee cmdlets thaat are useful fo
or managing ffeatures
an
nd roles. These
e cmdlets are:
• Install-Win
ndowsFeaturee. Installs a parrticular Windo
ows Server rolee or feature. Th
he Add-
WindowsF Feature cmdlet is aliased to this
t command d and is availab
ble in previouss versions of W
Windows
operating systems.
s
• Remove-W
WindowsFeatu
ure. Removes a particular W
Windows Serverr role or featurre.
What
W Is Windows PowerShell ISE?
Windows
W PowerShell ISE is an n integrated sccripting
en
nvironment that provides yo ou with assistance
when
w using Win ndows PowerShell. It provide es
co
ommand comp onality, and allows
pletion functio
yo
ou to see all avvailable commmands and the
pa
arameters thatt can be used with
w those
co
ommands.
Windows
W PowerShell ISE simpplifies the proccess of
ussing Windows PowerShell be ecause you can n
exxecute cmdlets from the ISE.. You can also use a
sccripting window within Wind dows PowerShell ISE
to
o construct and d save Window ws PowerShell scripts.
Thhe ability to view cmdlet parrameters ensures that you arre aware of th e full functionality of each ccmdlet,
annd can create syntactically-ccorrect Window ws PowerShell commands.
Windows
W PowerShell ISE provvides color-cod
ded cmdlets to oubleshooting
o assist with tro g. The ISE also
provides you with debugging g tools that you
u can use to d ebug simple aand complex W Windows Powe erShell
sccripts.
Yo
ou can use the
e Windows Pow
werShell ISE en
nvironment to
o view availablee cmdlets by m module. You can then
de
etermine whicch Windows Po
owerShell mod dule you need to load to acccess a particulaar cmdlet.
Demonstra
D ation: Using Window
ws PowerSh
hell ISE
In
n this demonsttration, you will see how to complete
c the ffollowing taskss:
• Use Window
ws PowerShelll ISE to importt the ServerMaanager modulee
• View the cm
mdlets made available
a in the
e ServerManag
ger Module
Demonstrati
D ion Steps
Use
U Window
ws PowerShe
ell ISE to import the Se
erverManager module
1.. Ensure thatt you are logge
ed on to LON--DC1 as Admin
nistrator.
Demonstration Steps
Use Windows PowerShell to display the running services and processes on a server
1. On LON-DC1, open a Windows PowerShell session.
3. Right-click on the Windows PowerShell icon on the taskbar and click Run as Administrator.
20410A: Installing and Configuring Windows Server® 2012 1-37
You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
The marketing department has purchased a new web-based application. You need to install and configure
the servers for this application in the data center. One server has a graphic interface and the second server
is configured as Server Core.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
b. Password: Pa$$w0rd
5. Repeat steps 1 to 3 for 20410A-LON-CORE. Do not log on until directed to do so.
1-38 Deploying and Managing Windows Server 2012
3. Start 20410A-LON-SVR3. In the Windows Setup Wizard, on the Windows Server 2012 page, verify
the following settings, click Next, and then click Install Now.
4. Click to install the Windows Server 2012 Release Candidate Datacenter (Server with a GUI)
operating system.
5. Accept the license terms and then click Custom: Install Windows only (advanced).
Note: Depending on the speed of the equipment, the installation will take approximately 20
minutes. The virtual machine will restart several times during this process.
7. Enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click
Finish to complete the installation.
2. In Server Manager, on the Local Server node, click on the randomly-generated name next to
Computer name.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer name box, type LON-SVR3, and then click OK.
2. Click Change Time Zone, and set the time zone to your current time zone.
3. Click Change Date and Time, and verify that the date and time that display in the Date and Time
Settings dialog box match those in your classroom.
2. Press and hold the Ctrl key and then in the Adapters And Interfaces area, click both Local Area
Connection and Local Area Connection 2.
3. Right-click on the selected network adapters, and then click Add to New Team.
4. Enter LON-SVR3 in the Team name, box, click OK, and then close the NIC Teaming dialog box.
Refresh the console pane.
5. Next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
6. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
o IP address: 172.16.0.101
4. Click the Domain option, and in the Domain box, enter adatum.com.
o Username: Administrator
o Password: Pa$$w0rd
Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also
will have configured LON-SVR3 including name change, date and time, networking, and network teaming.
1-40 Deploying and Managing Windows Server 2012
To enable this, you will need to configure a computer that is running Windows Server 2012 with the
Server Core installation option.
6. After the computer restarts, log on to server LON-CORE using the Administrator account.
7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.
2. Click Change time zone, and then set the time zone to the same time zone that your classroom uses.
3. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time
match those in your location. Click OK three times to dismiss the dialog boxes.
4. Exit sconfig.cmd.
3. Type the number of the network adapter that you want to configure.
5. Select static IP address configuration, and then enter the address 172.16.0.111.
6. At the Type the password associated with the domain user prompt, type Pa$$w0rd.
9. Log on to server LON-CORE with the adatum\administrator account using the password
Pa$$w0rd.
Results: After finishing this exercise you will have configured a Windows Server 2012 Server Core
deployment, and verified the server’s name.
You also need to configure the World Wide Web Publishing service on LON-CORE with the following
settings:
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. Click the Active Directory tab, and then click Find Now.
6. Click LAB-1. Press and hold the Ctrl key to select both LON-CORE and LON-SVR3.
7. When both are selected, scroll down and under the Performance section; select both LON-CORE
and LON-SVR3.
2. Click Next, click Role-based or feature-based installation, and then click Next.
6. Add the Windows Authentication role service, and then click Next.
7. Select the Restart the destination server automatically if required check box, and then click
Install.
8. Click Close.
9. Right-click LON-SVR3, click Add Roles and Features, and then click Next.
10. Click Role-based or feature-based installation, and then click Next.
11. Verify that LON-SVR3.Adatum.com is selected, and then click Next twice.
13. Select the Restart the destination server automatically if required check box, click Install, and
then click Close.
14. In Server Manager, click the IIS node, and verify that LON-CORE is listed.
3. In Server Manager, click LAB-1, right-click LON-CORE, and then click Computer Management.
5. Verify that the Startup type of the World Wide Web Publishing service is set to Automatic.
6. Verify that the service is configured to use the Local System account.
20410A: Installing and Configuring Windows Server® 2012 1-43
8. Configure the Restart Computer option to 2 minutes, and close the Service Properties dialog box.
Results: After finishing this exercise you will have created a server group, deployed roles and features, and
configured the properties of a service.
7. Review the IP addresses assigned to the server with the following command:
Get-NetIPAddress | Format-table
8. Review the most recent 10 items in the security log with the following command:
3. Type the following command to verify that the XPS Viewer feature has not been installed on LON-
SVR3
4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:
5. Type the following command to verify that the XPS Viewer feature has now been deployed on LON-
SVR3:
6. From the Tools drop down in the Server Manager console, choose Windows PowerShell ISE.
Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE
Results: After finishing this exercise you will have used Windows PowerShell to perform a remote
installation of features on multiple servers.
Question: What are the advantages to performing a Server Core deployment compared to
the Full GUI deployment?
Question: What tool can you use to determine which cmdlets are contained in a Windows
PowerShell module?
Question: Which role can you use to manage Key Management Services (KMS)?
Module 2
Introduction to Active Directory Domain Services
Contents:
Module Overview 2-1
Module Overview
Active Directory® Domain Services (AD DS) and its related services form the foundation for enterprise
networks that run Windows® operating systems. The AD DS database is the central store of all the domain
objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical
directory, and provides a method for applying configuration and security settings for objects in the
enterprise. In this module, we will study the structure of AD DS, and various components, such as forest,
domain, and organizational units (OUs).
The process of installing AD DS on a server is refined and improved with Windows Server® 2012. This
module also examines some of the choices that are now available for installing AD DS on a server.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of AD
A DS
The AD DS databa ase stores info
ormation on usser identity, co
omputers, grouups, services annd resources. IIt also
hostts the service that
t authenticaates user and computer acco ounts when th
hey log on to tthe domain. AD D DS
form
ms a security boundary,
b in ad
ddition to it be
eing a searchaable database o
of objects in th
he domain. ADD DS
provvides the struccture with whicch you can con nfigure and m
manage objectss in the databaase.
In th
his lesson, you
u will explore how
h OUs work,, and why you would use theem. You will examine why so ome
AD DS domain co ontrollers have additional rolles. You will exxplore various ways that you
u can promote a
Winndows Server 2012
2 server to be a domain controller.
c
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
• Describe AD DS domains.
• Explain how a Schema provvides a set of rules that manaage the objectts and attributtes that are sto
ored
in the AD DS domain datab
base.
Ov
verview of AD DS
AD DS is compose ed of both phyysical and logical
commponents. Und derstanding the e way the
commponents of AD DS work tog gether is an
impportant part of supporting AD DS services. With
the knowledge off how the AD DS D componentts
worrk together, yo ou can efficienttly manage yo our
netwwork, and control what resources your use ers
can access. In add dition, there arre many other
options including installation an nd configuring g of
softtware and updates, managin ng the security
infra mote access, DirectAccess,
astructure, rem
BrannchCache and certificate han ndling to mention a
few. Group Policyy is a very powe erful tool to manage
m all of t hese, and a cleear understand
ding of the AD
D DS
commponents is the e key to successful use of Grroup Policy.
Phy
ysical Comp
ponents
AD DS informatio
on is stored in a single file on
n each domain
n controllers’ h
hard disk. The ffollowing table
e lists
som
me of the physiical componennts and where they are storeed.
Ph
hysical component De
escription
Global catalog servers Host the global catalog, which is a partial, read-only copy of all
the objects in the forest. A global catalog speeds up searches for
objects that might be stored on domain controllers in a different
domain in the forest.
Logical Components
AD DS logical components are structures that are used to implement an appropriate Active Directory
design for an organization. The following table describes some of the types of logical structures that an
Active Directory database might contain.
Schema Defines the list of attributes that all objects in AD DS can have.
Domain tree A collection of domains that share a common root domain and a
Domain Name System (DNS) namespace.
Additional Reading: For more information about domains and forests, please see Domains
and Forests Technical Reference at http://go.microsoft.com/fwlink/?LinkId=104447.
2-4 Introduction to Active Directoryy Domain Services
AD
D DS Doma
ains
An ADA DS domain n is a logical grouping of useer,
com
mputer, and group objects fo or the purpose
e of
man nagement and d security. All of
o these objectts are
storred in the AD DS
D database, and a a copy of this
t
dataabase is stored
d on every dom main controller in
the AD DS domain.
An AD
A DS domain n is an adminisstrative center. It holds an Ad dministrator aaccount and a Domain Admiins
group, which have e full control over
o every obje
ect in the dommain; however, unless they are in the forest root
dommain, their rang he domain. Passsword and acccount rules are
ge of control is limited to th e managed at the
dommain level by default.
d Although a domain constitutes
c a ssecurity bound dary that is larg
gely self-manaaging
and autonomous, the Enterprise e Admins grou up in the foresst root domain n has full contrrol over every oobject
in every domain in the AD DS fo orest.
Wh
hat Are OU
Us?
An Organizationa
O al Unit (OU) is a container ob
bject
with
hin a domain that
t you can use to consolidate
userrs, groups, com
mputers, and other
o objects. There
T
are two reasons to o create OUs:
• To configure objects contaiined within the e OU.
You can assiggn Group Policcy Objects to th he
OU, and the settings
s apply to all objects
within the OU U. Group Policyy Objects (GPO Os)
are policies th
hat administrators create to
manage and configure com mputer and use er
accounts. The e most commo on way to deploy
these policiess is to link them
m to OUs.
• To delegate administrative
a control of objects within thee OU. You can gement permissions
n assign manag
on an OU, theereby delegatiing control of that OU to a u within AD DS other than the
user or group w e
administratorr.
Every AD DS domain contains a standard set of containers and OUs that are created when you install
AD DS, including the following:
• Users container. The default location for new user accounts and groups that you create in the
domain. The users container also holds the administrator and guest accounts for the domain, and
some default groups.
• Computers container. The default location for new computer accounts that you create in the domain.
• Domain controllers OU. The default location for the computer accounts for domain controllers
computer accounts. This is the only OU that is present in a new installation of AD DS.
Note: None of the default containers in the AD DS domain can have Group Policies linked
to them, except for the default domain controllers OU and the domain itself. All the other
containers are just folders. To link Group Policies to apply configurations and restrictions, create a
hierarchy of OUs, and then link Group Policies to them.
Hierarchy Design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design
could be based on geographic, functional, resource, or user classifications. Whatever the order, the
hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility
as possible. For example, if all computers that IT administrators use must be configured in a certain way,
you can group all computers in an OU, and then assign a policy to manage its computers. To simplify
administration, you also can create OUs inside other OUs.
For example, your organization might have multiple offices, and each office might have a set of
administrators who are responsible for managing user and computer accounts in the office. In addition,
each office might have different departments with different computer configuration requirements. In this
situation, you could create an OU for the office that is used to delegate administration, and create a
department OU inside the office OU to assign desktop configurations.
Although there is no technical limit to the number of levels in your OU structure, for the purpose of
manageability limit your OU structure to a depth of no more than 10 levels. Most organizations use five
levels or fewer to simplify administration. Note that Active Directory-enabled applications can have
restrictions on the OU depth within the hierarchy, or the number of characters that can be used in the
distinguished name (the full Lightweight Directory Access Protocol (LDAP) path to the object in the
directory).
2-6 Introduction to Active Directoryy Domain Services
Wh
hat Is an AD
A DS Fore
est?
A fo
orest is a collecction of one orr more domain n
tree
es. A tree is a collection of onne or more
dommains.. The first domain that is created in the t
fore
est is called thee forest root do
omain. The forrest
roott domain holdss a few objectss that do not exist
e
in other
o F example, the
domains in the forest. For
fore
est root domain holds two sp pecial roles, the
scheema master an nd the domain n naming mastter. In
adddition, the Enteerprise Adminss group and th he
Scheema Admins group
g exist onlly in the forestt root
dommain. The Enterprise Admins group has full
control over everyy domain in th he forest.
mples of why more than one
Exam e domain mayy be required i n the forest:
• In certain circcumstances, it might be adva antageous to h have more thaan one domain n in the
organization, and these are e typically strucctured in a treee. For instancee, The A. Datum Corporation n
might be the domain at the e root of a foreest. Another d omain could b be added to th he tree as a child
domain of ad datum.com, an nd have a name that is based d on the DNS sstructure and includes the name
of the parent domain, for example
e atl.adaatum.com.
• There may be e a requiremen nt to have diffeerent namespaaces in the forrest. If A. Datumm Ltd
(adatum.com) and Fabrikam m, Inc. (fabrika
am.com) were to merge, then although the e organization
n
exists in one forest,
f uld add a tree to accommod
you cou date the secon nd namespace. Apart from th he
different nam
mespaces, all obbjects in this fo
orest would fu
unction as if th
he domains we ere both in the
e same
tree.
Wh
hat Is the AD
A DS Sch
hema?
The schema is the e AD DS component that deffines
all objects
o and atttributes that AD
A DS uses to store
s
dataa. It is sometim
mes referred to o as the blueprrint
for AD
A DS.
the directory. If a new type of data needs to be stored, a new object definition for the data must first be
created in the schema.
• Rules that define what types of objects you can create, what attributes must be defined when you
create the object (mandatory), and what attributes are optional
You can use an account that is a member of the Schema Administrators to modify the schema
components in a graphical form. Examples of objects that are defined in the schema include user,
computer, group, and site. Among the many attributes are location, accountExpires, buildingName,
company, manager, and displayName.
The schema master is one of the single master operations domain controllers in AD DS. Because it is a
single master, you must make changes to the schema by targeting the domain controller that holds the
schema master operations role.
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should be made only when necessary,
through a tightly controlled process, and after you have performed testing to ensure that there will be no
adverse effects to the rest of the forest.
Although you might not make any change to the schema directly, some applications make changes to the
schema to support additional features. For example, when you install Microsoft® Exchange Server 2010
into your AD DS forest, the installation program extends the schema to support new object types and
attributes.
Additional Reading
For more information about Windows Server 2012 Release Candidate, see
http://www.microsoft.com/en-us/server-cloud/windows-server/v8-default.aspx.
For more information about Windows Server 2012 Overview, see http://www.microsoft.com/en-
us/server-cloud/windows-server/v8-overview.aspx.
For more information about Windows Server 2012 Capabilities, see
http://www.microsoft.com/en-us/server-cloud/windows-server/2012-capabilities.aspx.
For more information about Windows Server 8 (a one-hour long video), see
http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F.
2-8 Introduction to Active Directoryy Domain Services
Lesson 2
Overviiew of Domain
D n Contro
ollers
Because domain controllers
c are responsible fo
or all authenticcations, domain controller d
deployment is
critical to the corrrect functionin
ng of the netwoork.
Thiss lesson examines domain co ontrollers, the logon processs, and the impo
ortance of the
e DNS in that
on, this lesson discusses the purpose of thee global catalo
proccess. In additio og.
All domain
d contro ntially the same, but there arre certain operrations that caan only be
ollers are essen
perfformed on spe
ecific domain controllers
c callled operations masters, whicch are discusse
ed at the end o
of this
lesson.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Wh
hat Is a Do
omain Con
ntroller?
A doomain controlller (DC) is a server that is
configured to store a copy of th he AD DS direcctory
dataabase (NTDS.DDIT) and a copyy of the System m
Voluume (SYSVOL) folder. All domain controlle ers
exceept read-only domain contro ollers (RODCs)) store
a re
ead/write copyy of both NTDS S.DIT and the
SYSVVOL folder. NTTDS.DIT is the database itself, and
the SYSVOL folder contains all thet template
settings for GPOs..
You
u can use the AD A DS replicatiion service to
syncchronize chang ges and updattes to the AD DS D
dataabase between n the domain controllers
c in the
t
dommain. The SYSV VOL folders are e replicated eitther by the filee replication seervice (FRS), or by the newer
Disttributed File Syystem (DFS) Re eplication. Thee domain contrrollers in each domain repliccate all the chaanges
and updates betw ween each othe er, and unless they are an RO ODC, they all sstore a read/w write copy of thhe
AD DS database. Domain
D contro
ollers host several other Actiive Directory–related service es, including th
he
Kerbberos service, which
w is used by user and co omputer accou unts for logonn authenticatio on. You can
optionally configu ure domain co ontrollers to hoost a copy of th he Active Direectory Global C Catalog, which is
desccribed in the next
n topic. Dommain controlle ers also run somme important services includ ding Kerberos,,
which provides logon and passw word change capabilities,
c an
nd the Key Disttribution cente er (KDC). The KKDC is
the service that issues the Ticket to Get Ticketts (TGT) to an aaccount that logs on to the AD DS domain.
An AD
A DS domain n should alwayys have a minim mum of two d domain controllers. This way,, if one of the
dom
main controllerrs fails, there iss a backup to ensure
e continuuity of the AD DS domain seervices. When yyou
20410A: Installling and Configuringg Windows Server® 2012 2-9
de
ecide to add more
m than two
o domain contrrollers, consideer the size of yyour organizattion and the
pe
erformance requirements; however, two domain
d contro llers should bee considered aan absolute miinimum.
In
n a branch officce where security may be lesss than optimaal, there are so
ome additional measures thaat can
bee deployed to reduce the immpact of a brea ach of defensees. If an RODC is compromised, the potenttial loss
off information is
i much lower than with a fu ull read-write d
domain contro oller. If a hard drive is stolen,, then
BiitLocker ensures that there is a very low ch
hance of an inttruder being aable to gain an ny useful informmation
from it.
Note: An RODC is a domain controlle er that holds a read-only cop py of the AD DDS database.
Yo
ou can deployy an RODC in a remote site where
w users miight have difficculty logging o
on over an
un
nreliable Wide e Area Network (WAN) conn nection. Ratherr than deploy a full read/writte domain
co
ontroller, which might present a security riisk, you could install a RODCC, which can authenticate
ussers locally witthout providing any write ca
apability to thee AD DS databbase.
What
W Is the
e Global Catalog?
Within
W a single domain, the ADA DS database
ontains all the information about every ob
co bject in
th
hat domain. Th his informationn is not replicated
ou
utside the dom main. For exam mple, a query for an
ob
bject in AD DS S is directed to
o one of the do omain
co
ontrollers for that
t domain. Iff there is more
e than
on
ne domain in the t forest, then that query will
w not
provide any results for objects in a differentt
do
omain. For this reason, you can c configure one or
more
m domain co ontrollers to sttore a copy off the
global catalog. The global cattalog is a distributed
da
atabase that contains a searchable represe entation
off every object from all the domains in a multi-domain fo ult, the only global catalog sserver
orest. By defau
hat is created is the first dom
th main controllerr in the forest rroot domain.
In
n a single domain, all domainn controllers shhould be conffigured as hold
ders of the glo
obal catalog; hoowever,
in
n a multi-domaain environme ent, the Infrastrructure masterr should not b
be a global cataalog server. W
Which
doomain controllers are config
gured to hold a copy of the g global catalog
g depends on rreplication trafffic and
2-10 Introduction to Active Directory Domain Services
The AD DS Logon
L Proccess
Whe en you log on to AD DS, you ur system look ks in
DNS S for SRV records to locate the nearest suitable
dom main controllerr. SRV records are records th hat
speccify informatioon on available e services, and are
recoorded in DNS by b all domain controllers. Byy
usinng DNS lookup ps, clients can locate a suitabble
dom main controllerr to service theeir logon requests.
If th
he logon is succcessful, the loccal security
authhority (LSA) buuilds an access token for the user.
The access token contains the security identiffiers
(SIDDs) for the userr and any grou ups of which thhe
userr is a member.. This provides the access
creddentials for anyy process initia
ated by that user. For examp ple, after loggiing on to AD DDS, a user runss
®
Microsoft Office Word
W and attempts to open n a file. Word u
uses the credeentials in the u
user’s access to
oken
to check
c the level of the user’s permissions
p fo
or that file.
Admministrators can define sites in AD DS. Sitess will usually aalign with partss of the netwo
ork that have g
good
connectivity and bandwidth.
b Fo
or example, the ere might be a branch officee that is conne ected to the maain
data
acenter by an unreliable WA AN link. In this case, it would be better to d define the dataacenter and th
he
bran
nch office as se
eparate sites in
n AD DS.
SRV
V records are reegistered in DNS by the Nett Logon servicee that is runnin
ng on each do omain controlle er. If
the SRV records are not entered d in DNS corre
ectly, you can ttrigger the dom
main controlle er to reregisterr
thosse records by restarting
r the Net Logon serrvice on that d
domain contro oller. This proce
ess only reregiisters
the SRV records; if you want to reregister the host record in
nformation in DDNS, you musst run ipconfig g
/reg
gisterdns fromm a command prompt, just as a you would ffor any other ccomputer.
Alth
hough the logo on process app pears to the usser as a single event, it is acttually made upp of two parts.. The
userr provides cred
dentials, usuallly a user accou
unt name and password, which are then checked againsst the
AD DS database. IfI the user acco ount name and the passworrd match the in nformation that is stored in the
AD DS database, the
t user becom mes an authen nticated user, aand is issued a ticket-grantinng ticket (TGT)) by
the domain controller. At this point, the user does not havee access to anyy resources on the network. A
seco
ondary process in the background submitss the TGT to th he domain con equests access to
ntroller, and re
20410A: Installinng and Configuring W
Windows Server® 20012 2-11
th
he local machine. The domaiin controller isssues a ticket to o the user, wh
ho is then able to interact with the
lo
ocal computer.. At this point in the process,, the user is au
uthenticated too AD DS and loogged on to the local
machine.
m
When
W a user subsequently atttempts to connect to anotheer computer o on the networkk, the secondary
process is run again, and the TGT is submittted to the nea rest domain c ontroller. Wheen the domainn
co
ontroller returnns the ticket, the user can acccess the comp
puter on the n h generates a logon
network, which
evvent at that co
omputer.
Note: A domain-joined
d computer also logs on to A AD DS when th hey start—a facct that is
offten overlookeed. You do nott see the transa action when th he computer u uses its compu uter account
na
ame and a passsword to log on o to AD DS. Once
O authenti cated, the com
mputer becom mes a member
off the Authenticcated Users grroup. Although h the computeer logon proceess does not haave any
visual confirmattion in the form
m of a graphicc user interfacee (GUI), there aare event log eevents that
ecord the activvity. Additionally, if auditing is enabled, theere are more eevents that are
re e viewable in
th
he Security Logg of the Event Viewer.
Demonstra
D ation: View
wing the SR
RV Record
ds in DNS
Th
he demonstrattion shows the e various typess of SRV record
ds that the dom
main controlle
ers register in D
DNS.
Th
hese records are
a crucial to thhe operability of AD DS, beccause they are used to find d
domain contro ollers for
lo
ogon, password d changes, andd Group Policyy Object (GPO)) editing. SRV records are also used by do omain
co
ontrollers to find replication partners.
Demonstrati
D ion Steps
View
V the SRV
V records by
y using DNS
S Manager
1.. Open the DNS
D Managerr window, and explore the u nderscore DNS domains.
What
W Are Operations
O s Masters??
Although all do omain controlle ers are essentially
eqqual, there aree some tasks th hat can only be e
pe erformed by ta argeting one particular
p dommain
coontroller. For example,
e if youu need to add an
addditional domain to the fore est, then you must
m be
abble to connectt to the domain naming masster. The
do omain controllers that have these roles are e called
op perations masters, single ma aster roles, or Flexible
F
Siingle Master Operations
O MOs) (pronounced
(FSM
“ffizz-mos”). Theey are distributted as follows:
• Schema master. The domain controller where any schema changes are made. To make changes you
would typically log on the schema master as a member of both the Schema Admins and Enterprise
Admins groups. A user who is a member of both of these groups and who has the appropriate
permissions could also edit the schema by using a script.
• Domain naming master. The domain controller that records additions and removals of domains and
also domain name changes.
• RID master. Whenever an object is created in AD DS, the domain controller where the object is
created assigns the object a unique identifying number known as a SID. To ensure that no two
domain controllers assign the same SID to two different objects, the RID master allocates blocks of
RIDs to each domain controller within the domain.
• Infrastructure master. This role is responsible for maintaining inter-domain object references, such as
when a group in one domain contains a member from another domain. In this situation, the
infrastructure master is responsible for maintaining the integrity of this reference. For example, when
you look at the security tab of an object, the system looks up the SIDs that are listed and translates
them into names. In a multi-domain forest, the infrastructure master looks up SIDs from other
domains. The Infrastructure role should not reside on a global catalog server. The exception is when
you follow best practices and make every domain controller a global catalog. In that case, the
Infrastructure role is disabled because every domain controller knows about every object in the forest.
Note: The Infrastructure role should not reside on a global catalog server. For example, the
security tab on an object (file, folder, printer) has a list of SIDs with a matrix of permissions
assigned. To ease administration, these SIDs are converted into names such as users and groups,
usually before you even see the SIDs appear. If there is more than one domain in the AD DS
forest, then there may be SIDs from remote domains in the security tab, and because they are not
recognized on the local domain, a mechanism is necessary to look up the actual names. The
infrastructure master does this by referring to a GC. If the infrastructure master is also configured
as a GC, then the infrastructure service is disabled.
• PDC emulator. The domain controller that holds the PDC emulator role is the time source for the
domain. The domain controllers that hold the PDC emulator role in the forest sync with the domain
controller that has the PDC emulator role in the forest root domain. You set this domain controller to
synchronize with an external atomic time source. The PDC emulator is the domain controller that
receives urgent password changes. If a user’s password is changed, the information is sent
immediately to the domain controller holding the PDC emulator role. This means that if a user’s
password was changed and they subsequently tried to logon, if they were authenticated by a domain
controller in a different location that hadn’t yet received an update about the new password, it would
contact the domain controller holding the PDC emulator role and check for recent changes. When a
group policy other than a local group policy is opened for editing, the copy that is edited is the one
stored on the PDC emulator.
Note: The global catalog is not one of the Operations Master roles.
Question: Why would you make a domain controller a global catalog server?
20410A: Installinng and Configuring W
Windows Server® 20012 2-13
Lesson
n3
Installing a Domain
D Contro
oller
Soometimes you need to install additional do omain control lers on your WWindows Serve er 2012 operatting
syystem. It mightt be that the existing
e domain controllers aare overworked
d and you nee ed additional
re
esources. Perhaaps you are planning for a new
n remote offfice that requires you to dep ploy one or moore
doomain controllers. You also might be setting up a test laab or a backupp site. The instaallation metho
od that
yoou use varies with
w the circum mstances.
Th
his lesson exam mines several ways
w to install additional do main controlleers. It demonsttrates the proccess of
ussing Server Ma all AD DS on a local machinee and on a rem
anager to insta mote server. Th his lesson also
diiscusses installing AD DS on a Server Core installation, a nd installing A
AD DS on a computer using a
sn
napshot of the e AD DS databa ase that is storred on removaable media. Yo ou will also exaamine the proccess of
up
pgrading a do omain controlleer from an earrlier Windows o operating systtem to Window ws Server 2012 2.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Explain how
w to install a domain controlller on a Serveer Core installaation of Windo
ows Server 201
12.
• Explain how
w to upgrade a domain conttroller.
• Explain how
w to install a domain controlller by using In
nstall from Meedia (IFM).
In
nstalling a Domain Controller
C by Using a GUI
Prrior to Windowws Server 20122, it was comm
mon
t dcpromo..exe tool to install
practice to use the
doomain controllers. If you atte
empt to run
dccpromo on a Windows Servver 2012 server, you
re
eceive the follo
owing error me essage:
e dcpromo.exe
Note: The e tool is a tool that
yo
ou run on a se
erver to make the
t server an AD A DS domain n controller. Un
ntil Windows SServer 2012,
dccpromo.exe haas been the prreferred metho od to install AD
D DS, and it ussually runs in G
GUI mode;
ho
owever, in Win
ndows Server 2012,
2 this tool is replaced wiith Server Mannager. Dcprom mo.exe is still
su
upported for unattended
u insstallations fromm the comman nd–line interfacce.
When
W you run Server
S Manage er, you can chooose whether the operation is performed on the local
co
omputer, on a remote comp puter, or by me embers of a seerver pool. You u then choose to add the Acctive
Directory
D Dommain Services role. At the en nd of the initiaal installation p
process, the AD
D DS binaries aare
in
nstalled, but AD at server. A meessage to that effect displayss in Server Manager.
D DS is not yett set up on tha
2-14 Introduction to Active Directory Domain Services
You can select the link to Promote this server to a domain controller, and then AD DS promotion
wizard runs. You are then asked the following questions about the proposed structure.
Add a new domain to an existing forest Create a new domain in the forest.
Specify the domain information for this Supply information about the existing
operation domain to which the new domain controller
will connect.
Supply the credentials to perform this Enter the name of a user account that has
operation the rights to perform this operation.
Some other information you need to collect before running the promotion is listed in the following table.
Whether the new forest needs to support Will there also be Windows Server 2008
Domain controllers running previous domain controller?
versions of Windows operating systems
(affects choice of functional level)
Whether this domain controller will contain Your DNS must be functioning well to
DNS support AD DS
Location to store the database files (For By default, these files will be stored in
example, NTDS.DIT, edb.log, or edb,chk) C:\windows\NTDS
The wizard continues through several different pages where you can enter prerequisites such as the
NetBIOS domain name, DNS configuration, whether this domain controller should be a global catalog
server, and the Directory Services Restore Mode password. Finally, you must reboot to complete the
installation.
Note: If you need to reinstall the AD DS database from a backup, reboot the domain
controller in Directory Services Restore Mode. When the domain controller boots up, it is not
running the AD DS services; instead, it is running as a member server in the domain. To log on to
that server in the absence of AD DS, log on using the Directory Services Recovery Mode
password.
20410A: Installinng and Configuring W
Windows Server® 20012 2-15
In
nstalling a Domain Controller
C on a Serveer Core Installation of Window
ws
Server 2012 2
In
nstall AD DS byy using Server Manager to re emotely
co
onnect to the server
s core serrver. Once youu install
th
he AD DS binaries and the se erver is rebootted, you
ca
an complete th he installation and configura ation in
onne of three wa
ays:
• In Server Manager,
M click the
t notificationn icon
to complete the post-dep ployment
configuratio
on. This starts the configurattion
and setup of
o the domain controller.
• Create an answer
a file and
d run dcpromo o
/unattend::”D:\answerfiile.txt” where
“D:\answerffile.txt” is the path
p to the answer
file.
• Run dcprom
mo /unattend
d with the app
propriate switcches, for examp
ple:
dcpromo /unattend
/ /In
nstallDns:yes /confirmgl obal catalog
g:yes
/replicaO
OrNewDomain:replica /replicadomaindn
nsname:”mynewwdomain.com”
/database
ePath:"c:\ntd
ds" /logPath:"c:\ntdslog
gs" /sysvolpaath:"c:\sysvool"
/safeMode
eAdminPassword:Pa$$w0rd /rebootOnCom
mpletion:yes
Upgrading
U a Domain
n Controlle
er
Th
here are two ways
w to upgrad de to a Window ws
Se
erver 2012 dom main controlleer: you can eith her
uppgrade the op perating systemm on existing domain
d
co
ontrollers, or in
ntroduce Wind dows Server 20 012
se
ervers as doma ain controllers.. Of the two, th
he
se
econd is the prreferred metho od, because th here are
noo old or disuseed code and files remaining.
In
nstead, you havve a clean insttallation of thee
Windows
W Server 2012 operatiing system and d
AD DS database e.
Upgrading
U to
o Windows Server 2012
Fo
or an organizaation to upgrad de an AD DS domain
d
from one runnin ng at Window ws Server 2008 functional leveel to an AD DSS domain runn
ning at Window
ws
Seerver 2012 fun
nctional level, all
a the domain
n controllers mmust first be up
pgraded from tthe Window Se
erver
20008 operating system to the e Windows Server 2012 operrating system.
To upgrade
u the scchema, log on to the schema a master for th
he forest, and in the supportt\adprep direcctory,
run adprep /foreestprep from an
a elevated cm md.exe window w. You must bee a member off all of the following
groups to have th
he necessary rig
ghts to run this command:
• Enterprise Ad
dmins for the forest
• Domain Adm
mins for the dom
main where th
he schema masster resides
Introduce Win
ndows Serve
er 2012 Dom
main Contro
ollers
There are two wayys to introducee Windows Server 2012 dom main controllerrs into your do
omain. You can n
eith
her upgrade Windows
W Serverr 2008 to Wind
dows Server 20012, or you can have a cleann installation. T
To
upg o a Windows Server 2008 d omain controlller to Window
grade the operrating system of ws Server 2012 2:
To introduce a cle
ean install of Windows
W Serve
er 2012 as a do
omain membeer:
Insstalling a Domain
D Co
ontroller by
b Using IFFM
If yo
ou have an intervening netw work that is slow,
unreeliable, or costtly, you might find it necessa ary to
addd another domain controller at a remote
locaation or branch h office. In thiss scenario, it is
ofteen better to deeploy AD DS to o a server by using
u
the Install from Media
M (IFM) meethod.
For example, if yo
ou connect to a server in the
rem
mote office andd use Server Manager to insttall
AD DS, you will neeed to copy th
he entire AD DS
D
data
abase and the SYSVOL folde er to the new
main controllerr. This process must take place
dom
20410A: Installing and Configuring Windows Server® 2012 2-17
over a potentially unreliable wide area network (WAN) connection. As an alternative, and to significantly
reduce the amount of traffic copied over the WAN link, you can make a backup of AD DS by using the
NTDSUTIL tool. When you run Server Manager to install AD DS, you can then select the option to Install
from Media. Most of the copying is then done locally (perhaps from a USB drive), and the WAN link is
used only for security traffic, and to ensure that the new domain controller receives any changes that are
made after you create the IFM backup.
To install a domain controller by using IFM, browse to a writable domain controller but not an RODC. Use
the NTDSUTIL tool to create a snapshot of the AD DS database, and then copy it to the server that will be
promoted to a domain controller. Use Server Manager to promote the server to a domain controller by
selecting the Install from Media option, and by providing the local path to the IFM directory that you
created previously.
1. On the full domain controller, type the following commands (where C:\IFM is the destination
directory that will contain the snapshot of the AD DS database) at an administrative command
prompt, and press Enter after each line:
Ntdsutil
activate instance ntds
ifm
create SYSVOL full C:\IFM
2. On the server that you are promoting to a domain controller, perform the following steps:
c. In Server Manager, click the notification icon to complete the post-deployment configuration
and a wizard runs.
d. At the appropriate time during the wizard, select the option to install from IFM, and then provide
the local path to the snapshot directory.
AD DS then installs from the snapshot. When the domain controller reboots, it contacts other domain
controllers in the domain and updates AD DS with any changes that were made since the snapshot was
created.
Additional Reading: For more information about the steps necessary to install AD DS, see
http://technet.microsoft.com/en-us/library/hh472162.aspx.
Question: What is the reason to specify the Directory Services Restore Mode password?
2-18 Introduction to Active Directory Domain Services
Objectives
After performing this lab, you will be able to:
Lab Setup
Estimated time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
1. Add an Active Directory® Domain Services (AD DS) role to a member server.
X Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
3. Add the Active Directory Domain Services server role to LON-SVR1. Add all required features as
prompted.
4. Installation will take several minutes, when the installation is succeeded, click Close to close the Add
Roles and Features Wizard.
2. Use Active Directory Sites and Services to make LON-SVR1 a global catalog server.
Results: After completing this exercise, you will have explored Server Manager and promoted a member
server to be a domain controller.
It has been determined that the branch office requires a domain controller to support local logons. To
avoid problems with the slow network connection, you are using IFM to install the domain controller in
the branch office.
X Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
• On LON-DC1, open an administrative command-line interface, and use NTDSUTIL to create an IFM
backup of the AD DS database and of the SYSVOL folder.
2. Use Server Manager on LON-SVR2 to perform the post-deployment configuration of AD DS using the
following options:
Results: After completing this exercise, you will have installed an additional domain controller for the
branch office by using IFM.
Question: Which deployment method would you use if you had to install an additional
domain controller in a remote location that had a limited WAN connection?
Question: If you needed to promote a Server Core installation of Windows Server 2012 to be
a domain controller, which tools could you use?
3-1
Module 3
Managing Active Directory Domain Services Objects
Contents:
Module Overview 3-1
Module Overview
User accounts are fundamental components of network security. Stored in Active Directory® Domain
Services (AD DS), they identify users for the purposes of authentication and authorization. Because of their
importance, an understanding of user accounts and the tasks related to supporting them are critical
aspects of administering a Microsoft Windows® enterprise network.
Although users and computers, and even services, change over time, business roles and rules tend to
remain more stable. Your business probably has a finance role, which requires certain capabilities in the
enterprise. The user or users who perform that role might change over time, but the role will remain
relatively the same. For that reason, it is not sensible to manage an enterprise by assigning rights and
permissions to individual users, computers, or service identities. Instead, you should associate
management tasks with groups. Consequently, it is important that you know how to use groups to
identify administrative and user roles, to filter Group Policy, to assign unique password policies, and to
assign rights and permissions.
• They have an account with a logon name and password that Windows changes automatically on a
periodic basis.
• They can belong to groups, and have access to resources, and you can configure them by using
Group Policy.
Managing computers—both the objects in Active Directory and the physical devices—is one of the day-
to-day tasks of most IT pros. New computers are added to your organization, taken offline for repairs,
exchanged between users or roles, and retired or upgraded. Each of these activities requires managing the
computer’s identity, which is represented by its object, or account, and AD DS. As a result, it is important
that you know how to create and manage computer objects.
In small organizations, one person may be responsible for performing all of these day-to-day
administrative tasks. However, in large enterprise networks, with thousands of users and computers, that is
not feasible. It is important for an enterprise administrator to know how to delegate specific
3-2 Managing Active Directory Domain Services Objects
administrative tasks to designated users or groups to ensure that enterprise administration is efficient and
effective.
Objectives
After completing this module, you will be able to:
Lesson
n1
Mana
aging User Accounts
A user object in n AD DS is far more
m than justt a handful of properties relaated to the use
er’s security identity,
orr account. It is the cornerstone of identity and access in AD DS. Thereffore, consistennt, efficient, an
nd
se
ecure processe es regarding thhe administration of user acccounts are thee cornerstone oof enterprise security
management.
m
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Explain how
w to create use
er accounts tha
at you can usee in an enterprrise network.
• Describe ho
ow to configurre important user-account
u a ttributes.
• Describe ho
ow to create user profiles.
• Explain how
w to use user-a
account templlates to create user accountss.
• Manage user accounts.
AD
A DS Adm
ministration Tools
Be
efore you can begin creating
g and managin ng user,
group, and com
mputer accounts, it is importa
ant that
yo
ou understandd which tools you
y can use to
pe
erform these various
v managgement tasks.
Active
A Directtory Administration Sn
nap-
In
ns
Most
M AD DS administration iss performed with the
ollowing snap--ins and consoles:
fo
Note: To administer AD
D DS from a co omputer that iss not a domain n controller, yoou must
in
nstall Remote Server
S Adminisstration Tools (RSAT). RSAT iis a feature thaat can be instaalled from the
Fe
eatures node of
o Server Manaager on Windo ows Server® 20012.
3-4 Managing Active Directory Domain Services Objects
You also can install RSAT on Windows clients, including Windows Vista® Service Pack 1 (or
newer), Windows® 7, and Windows 8. After you download the RSAT installation files from
Microsoft’s website, run the Setup Wizard, which steps you through the installation. After
installing RSAT, you must turn on the tool or tools that you want to be visible. To do this, use the
Turn Windows Features On or Off command in the Programs And Features application in
Control Panel.
Additional Reading: To download the RSAT installation files, see
http://www.microsoft.com/downloads.
• Connect to, and manage, multiple domains within a single instance of the Active Directory
Administrative Center.
• Search and filter Active Directory data by building queries.
Windows PowerShell
You can use the Active Directory Module for Windows PowerShell to create and manage objects in AD DS.
Windows PowerShell is not just a scripting language. It also enables you to run commands that perform
administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and
similar functions.
Windows PowerShell is installed by default on Windows Server 2012, but the Active Directory Module is
only present when:
• You install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.
• You run Dcpromo.exe to promote a computer to a domain controller.
• Dsquery. Use to query AD DS for objects that match criteria that you supply.
Note: It iss possible to pipe the resultss of the Dsque ry command tto other Directtory Service
ommands. For example, typiing the followiing at a comm
co mand prompt rreturns the offiice telephone
nu
umber of all users that have a name startin ng with John:
dsquery user –name
– John* | dsget user –office
–
Creating
C Usser Accoun
nts
In
n AD DS, all use
ers that requirre access to ne
etwork
re
esources must be configured d with a user account.
W this user account, users can authentica
With ate to
th
he AD DS dom main and receivve access to ne etwork
re
esources.
With
W a user acco
ount, you can::
• Allow or de
eny users perm
mission to log on
o to a compu
uter based on their user acco
ount identity.
To
o maximize security, you sho
ould avoid multiple users shaaring one acco each user that logs on
ount, so that e
to
o the network has a unique user
u account and
a password.
Note: Although AD DS accounts are the t focus of thhis course, youu also can store
e user
acccounts in the local security accounts man nager (SAM) daatabase of eacch computer, e enabling local
lo
ogon and access to local reso ources. Local user
u accounts aare, for the mo
ost part, beyonnd the scope
off this course.
Creating
C Use
er Accounts
A user account includes the user
u name and password, wh hich serve as th
he logon credeentials for a usser. A
usser object also
o includes seve
eral other attrib
butes that des cribe and mannage the user.
Yo
ou can use the
e Active Directtory Users or Computers
C con
nsole, Active D
Directory Administrative Centter,
Windows
W PowerShell, or the dsadd.exe
d com ool to create a user object.
mmand-line to
Too create a userr object by using the Active Directory Userrs or Computeers console, pe
erform the follo
owing
stteps:
1.. Right-click the OU or the
e container in which
w you wan
nt to create the user, point to New, and th
hen click
User.
Note: The Initials property is meant for the initials of a user’s middle name, not the initials
of the user’s first or last name.
5. The Full name box is populated automatically, although you can make modifications to it, if
necessary.
The Full name box is used to create several attributes of a user object, most notably, the common
name (CN) and display name properties. The CN of a user is the name displayed in the details pane of
the snap-in, and it must be unique within the container or OU. If you are creating a user object for a
person with the same name as an existing user in the same OU or container, you need to enter a
unique name in the Full name field.
6. In the User logon name box, type the name with which the user will log on, and from the drop-
down list, select the user principal name (UPN) Suffix that will be appended to the user logon name
following the @ symbol.
User names in AD DS can contain special characters, including periods, hyphens, and apostrophes.
These special characters let you generate accurate user names, such as O’Hare and Smith-Bates.
However, certain applications may have other restrictions, so we recommend that you use only
standard letters and numerals until you fully test the applications in your enterprise for compatibility
with special characters.
The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts
snap-in. Right-click the root of the snap-in, click Properties, and use the UPN Suffixes tab to add or
remove suffixes. The DNS name of your AD DS domain is always available as a suffix, and you cannot
remove it.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often
called the downlevel logon name. In the AD DS database, the name for this attribute is
sAMAccountName.
8. Click Next.
9. Enter a temporary password for the user in the Password and Confirm password boxes.
10. Select the User must change password at next logon check box.
We recommend that you always select this option, so that the user can create a new password
unknown to the IT staff. Appropriate support staff can reset the user’s password, if necessary to log on
as the user or access the user’s resources. Only users should know their own passwords on a day-to-
day basis.
12
2. Review the summary, and
d then click Fin
nish.
15
5. Click OK.
Configuring
C g User Acccount Attrributes
When
W you creatte a user accou
unt in AD DS, you
y
also configure all
a the associatted account
properties, or atttributes.
When
W you use Active
A Directorry Users and Computers
C to ccreate a new u
user object, you are not requ
uired to
deefine many atttributes beyon
nd those requirred to allow th he user to logo
on by using the account. Sinnce you
ca
an associate a user object wiith many attrib
butes, it is impportant that yoou understand what these attributes
arre, and how yo em in your organization.
ou can use the
Attribute
A Cattegories
Th
he attributes of
o a user object fall into seve
eral broad cateegories that ap
ppear on tabs o
of the user pro
operties
diialog box, and include
• Personal information: The e General, Adddress, Telepho nes, and Orgaanization tabs. The General tab
contains the name prope erties that you configure wheen you create a user object, along with the e basic
description and contact information. Th he Address an d Telephones tabs provide d detailed contaact
informationn. The Telepho ones tab also iss where the No
otes field is loccated, which ccorresponds too the
info attribu
ute. It is a very useful general-purpose textt field that man ny enterprises underuse. The e
Organizatioon tab shows the t job title, de epartment, co mpany, and organizational rrelationships.
• User config
guration management: The Profile
P tab. Herre, you can co nfigure the usser’s profile path,
logon script, and home fo
older.
• Group mem mbership: The Member Of ta ab. You can ad
dd the user to, and remove tthe user from, groups.
You also ca
an change the user’s primaryy group.
3-8 Managing Active Directory Domain Services Objects
• Remote Desktop Services: The Remote Desktop Services Profile, Environment, Remote control,
Sessions, and Personal Virtual Desktop tabs. These tabs enable you to configure and manage the
user’s experience when the user connects to a Remote Desktop Services session.
• Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on
the Dial-in tab.
• Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+
partition set. This feature facilitates the management of distributed applications.
Note: The Attribute Editor tab is not visible until you enable Advanced Features from the
View menu of the Microsoft Management Console (MMC).
The Attribute Editor displays all system attributes of the selected object. The Filter button enables you to
choose to see even more attributes, including backlinks and constructed attributes.
Backlinks are attributes that result from references to the object from other objects. The easiest way to
understand backlinks is to look at an example: the memberOf attribute:
• When a user is added to a group, it is the group’s member attribute that is changed. The
distinguished name of the user is added to this multivalued attribute.
• The member attribute of a group is called a forward link attribute.
A constructed attribute is one of the results from a calculation that AD DS performs. An example is the
tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which
the user belongs, including nested groups. To determine the value of tokenGroups, AD DS must calculate
the effective membership of the user, which takes a few processor cycles. Because of this, the attribute is
not stored as part of the user object, nor is it dynamically maintained. Instead, it is calculated when
needed. Because of the processing required to produce constructed attributes, the Attribute Editor tab
does not display them by default. In addition, you cannot use constructed attributes in Lightweight
Directory Access Protocol (LDAP) queries.
The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user
objects simultaneously. To modify attributes of multiple users in the Active Directory Users and Computers
snap-in:
1. Select several user objects by holding the Ctrl key as you click each user, or by using any other
multiple-selection technique. Be certain that you select only objects of one class, such as users.
2. After you select the objects, right-click any one of them, and then click Properties.
When you have selected the user objects, a subset of properties is available for modification:
• General: Description, Office, Telephone Number, Fax, Web page, E-mail
• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options,
and Account expires
• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and Country/region
20410A: Installling and Configuringg Windows Server® 2012 3-9
• Organizatio
on: Job Title, Department,
D Co
ompany, and M
Manager
Creating
C Usser Profile
es
So
ome of the op ptional propertties that you ca
an
co
onfigure for yoour user accou
unts are located on
th
he Profile tab of
o the Accoun nt Property pa age.
Yo
ou can configu perties on this page:
ure three prop
• Profile path
h. This is eitherr a local, or moore
usually, a UNC
U path. The user’s desktop p
settings are
e stored in the profile. Once you
define a useer profile by using a UNC pa ath,
then whichever domain computer
c services a
user’s logon op settings will be
n, their deskto
available. This is known asa a roaming profile.
When
W configuring the profile path and hom me folder locattions, if you usse the variable
e %username% % in the
paath, this is substituted for the actual user name
n during aapplication of tthe propertiess. Additionally, so long
ass the shared pa arent folder exxists, and the administrator
a mmodifying the account prop perties has at le
east
Modify
M File permmissions on thhe shared folde er, then the usser’s subfolder is created auttomatically. In this
in
nstance, the filee permissions are modified on o the newly-ccreated subfollder so that the user has full control
off his or her home folder.
3-10 Managingg Active Directory Doomain Services Objeccts
Cre
eating Use
er Accountts with Use
er Account Templates
Users in a domain n often share many
m similar
properties. For example, all sale es representativves
can belong to the e same securityy groups, log ono to
the network durin ng similar hourrs, and have ho ome
fold
ders and roamiing profiles sto ored on the same
servver. Because off this, to save time
t when creating
a neew user, you caan copy an existing user acccount
rath
her than createe a blank accou unt and popullate
eachh property.
If yo
ou want to creeate multiple users
u with broa
adly
simiilar properties,, you can use a user accountt
temmplate. A user account
a template is a generiic
userr account that you have pop pulated with co
ommon propeerties. For exammple, you can create a tempplate
accoount for sales representativees, which you then
t configuree with group m
memberships, llogon hours, a
hom me folder, and roaming profile path.
To create
c a user account
a templa
ate, perform th
he following stteps:
To create
c a user based
b on the te
emplate, perfo
orm the follow
wing steps:
3. In the Last na
ame box, type
e the user’s lastt name.
4. Modify the Fu
ull name value, if necessary..
5. In the User lo
ogon name bo ox, type the usser logon nam
me, and then seelect the appro
opriate UPN su
uffix
from the dropp-down list.
6. In the User lo
ogon name (p
pre-Windows 2000) box, tyype the user’s u
user name.
7. Click Next.
8. In the Passwo
ord box and the Confirm password box, type the user’’s password.
It is important to understand th
hat not all attributes are copiied. The follow
wing list summ
marizes the
attributes that are
e copied:
• Address tab. P.O. box, city, state or provinnce, ZIP or posstal code, and country or reg
gion are copie
ed.
Note that the
e street addresss itself is not copied.
c
It is not useful to configure any other attributes in the template, because they will not be copied.
To rename a user in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user, and then click Rename.
2. Type the new common name (CN) for the user, and press Enter.
The Rename User dialog box appears and prompts you to enter additional name attributes.
3. Type the Full name (which corresponds to the CN and Name attributes).
Before the user can log on successfully, you must reset the password. You do not need to know the user’s
old password to do so.
To reset a user’s password in the Active Directory Users and Computers snap-in:
2. Enter the new password in both the New Password and Confirm Password boxes.
It is a best practice to assign a temporary, unique, strong password for the user.
3. Select the User Must Change Password at Next Logon check box.
It is a best practice to force the user to change the password at the next logon, so that the user
creates a password known only by the user.
4. Click OK.
3-12 Managing Active Directory Domain Services Objects
Your lockout policy can define a period of time after which a lockout account is unlocked automatically.
But when users try to log on and discover that they are locked out, it is likely they will contact the help
desk for support.
To unlock a user account in the Active Directory Users and Computers snap-in, perform the following
steps:
Windows Server 2012 also provides the option to unlock a user’s account when you choose the Reset
Password command.
To unlock a user account while resetting the user’s password, perform the following step:
• In the Reset Password dialog box, select the Unlock the user’s account check box.
This method is particularly handy when a user’s account is locked out because the user did, in fact, forget
the password. You can now assign a new password, specify that the user must change the password at the
next logon, and unlock the user’s account: all in one dialog box.
Note: Watch for drives mapped with alternate credentials, because this is a common cause
of account lockout. If the password is changed, and the Windows client attempts repeatedly to
connect to the drive, that account is locked out.
If a user account is provisioned before it is needed, or if the employee for whom you have set up an
account is, or will be, absent for an extended period, disable the account.
2. Click the folder to which you want to move the user account, and then click OK.
Alternatively, you can drag the user object to the destination OU.
To delete a user account in Active Directory Users and Computers, perform the following steps:
1. Select the user and press Delete; or right-click the user, and then click Delete.
You are prompted to confirm your choice because of the significant implications of deleting a
security principal.
2. Confirm the prompt by clicking OK.
Demonstration
This demonstration shows how to:
1. Open Active Directory Users and Computers.
Demonstration Steps
2. Create a new user account called _Managers_template. Ensure that the account is created in a
disabled state with a strong password.
3. Modify the properties of the template account so that it has a Home folder located in the new shared
folder.
Lesson
n2
Mana
aging Group Acccountss
While
W it might be
b practical, evven desirable, to assign perm missions and abilities to indivvidual user acccounts
in
n small networks, it becomess impractical an nd inefficient iin large enterpprise networkss. For example,, if many
ussers need the same
s level of access
a to a folder, it is more efficient to crreate a group tthat contains tthe
re
equired user acccounts, and assign
a the grouup the require d permissions . This has the aadded benefit of
en
nabling you to o change a use er’s file permisssions by addin ng or removing g them from ggroups rather tthan
ed
diting the file permissions diirectly.
Be
efore implemeenting groups in your organization, you m
must understannd about the sccope of variou us
Windows
W Server group types, and how bestt to use these tto manage acccess to resourcces or to assign
management
m rights and abilitties.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe grroup types.
• Explain how
w to implemen
nt group mana
agement.
• Describe de
efault groups and
a special ide
entities.
Group
G Type
es
In
n a Windows Server enterprisse, there are tw wo
tyypes of groupss: security and distribution. When
W
yoou create a gro
oup, you choo ose the group type
t in
th
he New Objecct – Group dialog box.
Se
ecurity groupss are security principals
p with SIDs.
Yo
ou can therefoore use these groups
g in perm
mission
en
ntries in accesss control lists (ACLs)
( to contrrol security forr resource acceess. You also ccan use securitty
groups as a mea ans of distribuution for email applications. If you want to o use a group tto manage seccurity, it
must
m be a securrity group.
Beecause you can use security groups for bo oth resource acccess and emaail distribution,, many organizzations
usse only securitty groups. How
wever, we recoommend that i f a group is ussed only for em mail distributio
on, you
sh
hould create th he group as a distribution grroup. Otherwisse, the group iis assigned a SSID, and the SID is
ad
dded to the usser’s security access token, which
w can lead to an unnecesssary size increease of the seccurity
to
oken.
3-16 Managingg Active Directory Doomain Services Objeccts
Gro
oup Scope
es
Winndows Server supports
s the no otion of group
p
scop
ping. The scop
pe of a group determines
d bo
oth
the range of a gro
oup’s abilities or
o permissionss, and
the group membe ership. There are
a four group
scop
pes:
• Domain Local. These are ussed primarily to o manage acc ess to resources or to assignn managementt
responsibilitie main local groups exist on d omain contro llers in an AD DS forest, and
es (rights). Dom d
consequentlyy, the group’s scope
s main in which tthey reside. Th
is localizzed to the dom he important
characteristics of domain lo ocal groups are e:
• Global. These
e are used prim
marily to consoolidate users thhat have similaar characteristiics. For examp
ple,
global groups often are use
ed to consolida ate users that are part of a d
department orr geographic
location. The important cha
aracteristics off global groupss are:
o You can assign abilitiess and permissio
ons anywhere in the forest.
• Universal. These
T groups are
a most usefu ul in multidom ain networks aas they combin ne the charactteristics
of both dommain local gro
oups and globa mportant charaacteristics of universal
al groups. Speccifically, the im
groups are::
o You can assign abilities and permisssions anywhe re in the foresst, as with glob
bal groups
Un
niversal groupss defined in an
ny domain in tthe forest.
o Properrties of universal groups are propagated to o the global caatalog, and maade available aacross
the entterprise on all domain contro ollers that hosst the global caatalog role. Th
his makes unive ersal
groupss’ membership p lists more acccessible, whichh can be usefull in multidomaain scenarios. FFor
example, if a universa al group is use
ed for email diistribution purrposes, the proocess for deterrmining
the meembership list typically is quiicker in distrib uted multidommain networkss.
Im
mplementting Group
p Managem
ment
Adding groups to other groups—a process called
neesting—can crreate a hierarch hy of groups that
su
upport your bu usiness roles and manageme ent
ules. Now that you have learrned the business
ru
puurposes and teechnical characteristics of grroups, it
is time to align the two in a sttrategy for gro
oup
management.
m
• Identities
• Global grou
ups
• Access
Id
dentities (user and computerr accounts) are e members of g global groupss, which repressent business roles.
Th
hose role grou ups (global grooups) are memmbers of doma in local group ps, which repre esent managem ment
ru
ules, for exampple, determininng who has Reead permission n to a specific ccollection of fo
olders. These rrule
groups (domain n local groups)) are granted access
a to resou
urces. In the caase of a shared d folder, access is
granted by adding the domaiin local group to the folder’ss ACL, with a p permission thaat provides the e
ap
ppropriate leve el of access.
3-18 Managing Active Directory Domain Services Objects
Note: This approach of groups nesting was earlier known as AGDLP, which stands for:
accounts, global groups, domain local groups, permissions. The terminology used in this course,
IGDLA, has more general scope of application, and it also aligns with industry-standard
terminology.
In a multidomain forest, there are universal groups also, which fit in between global and domain local
groups. global groups from multiple domains are members of a single universal group. That universal
group is a member of domain local groups in multiple domains. You can remember the nesting as
IGUDLA.
IGDLA Example
This best practice for implementing group nesting translates well even in multi-domain scenarios.
Consider the following, which describes usage of IGDLP scenario.
This figure on the slide represents a group implementation that reflects not only the technical view of
group management best practices (IGDLA), but also the business view of role-based, rule-based
management.
The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a
folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors
from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit.
You would perform the following steps to implement the security required by this scenario:
1. Assign users with common job responsibilities or other business characteristics to role groups
implemented as global security groups. Do this separately in each domain. Salespeople at Contoso
are added to a Sales role group; Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in
the domain containing the resource that is being managed. In this case, the Sales folder resides in the
Contoso domain. The resource access management rule group is created as a domain local group,
ACL_Sales Folders_Read.
3. Add the role groups to the resource access management rule group to represent the management
rule. These groups can come from any domain in the forest or from a trusted domain, such as
Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same
forest, can be members of a domain local group.
4. Assign the permission that implements the required level of access. In this case, grant the Allow Read
permission to the domain local group.
This strategy results in two single points of management, reducing the management burden. There is one
point of management that defines who is in Sales, and one that defines who is an Auditor. Those roles, of
course, are likely to have access to a variety of resources beyond simply the Sales folder. There is another
single point of management to determine who has Read access to the Sales folder. Furthermore, the Sales
folder may not just be a single folder on a single server. It could be a collection of folders across multiple
servers, each of which assigns the Allow Read permission to the single domain local group.
20410A: Installinng and Configuring W
Windows Server® 20012 3-19
Default
D Gro
oups and Special
S Ide
entities
Default
D Grou
ups
Thhere are a nummber of groups that are crea ated
utomatically on a Windows Server
au S 2012 Seerver.
Thhese are called
d default local groups, and th
hey
in
nclude well-kno own groups, such as
Administrators, Backup Opera ators, and Remmote
Desktop Users. There are additional groups that
arre created in a domain, bothh in the Builtin and
Users containerrs, including Doomain Adminss,
En
nterprise Admins, and Schem ma Admins. Th he
fo
ollowing list prrovides a summmary of capabilities of
th
he subset of de efault groups that
t have significant permisssions and userr rights related
d to the manag
gement
off AD DS:
• Enterprise Admins
A (in thee Users contain
ner of the fore st root domain n). This group is a member o of the
Administrattors group in every
e domain in the forest, g
giving it compplete access to the configuration of
all domain controllers. It also owns the Configuration n partition of tthe directory aand has full con
ntrol of
the domainn naming context in all foresst domains.
• Schema Ad dmins (Users Co e Forest Root Domain). This group owns aand has full control of
ontainer of the
the Active Directory
D schema.
• Domain Ad dmins (Users Container of Each Domain). TThis group is ad dded to the AAdministrators group
of its domaain. It therefore
e inherits all off the capabilitiies of the Adm oup. It is also, by
ministrators gro
default, add
ded to the loca al Administrators group of eeach domain m member comp puter, giving Domain
Admins ow wnership of all domain
d computers.
• Server Operators (Built-in n Container of Each Domain)). This group ccan perform m maintenance taasks on
domain con ntrollers. It hass the right to lo
og on locally, start and stop orm backup and
p services, perfo
restore opeerations, forma at disks, create down domain controllers. Byy
e or delete sha res, and shut d
default, thiss group has no o members.
You need to carefully manage the default groups that provide administrative privileges, because they
typically have broader privileges than are necessary for most delegated environments, and because they
often apply protection to their members.
The Account Operators group is a good example of this. If you examine the capabilities of the Account
Operators group in the preceding list, you can see that its rights are very broad—it can even log on locally
to a domain controller. In very small networks, such rights would probably be appropriate for one or two
individuals who typically would be domain administrators anyway. In large enterprises, the rights and
permissions granted to Account Operators usually are far too broad.
Additionally, the Account Operators group is, like the other administrative groups, a protected group.
Protected groups are defined by the operating system and cannot be unprotected. Members of a
protected group become protected. The result of protection is that the permissions (ACLs) of members
are modified so that they no longer inherit permissions from their OU, but rather receive a copy of an ACL
that is quite restrictive. For example, if you add Jeff Ford to the Account Operators group, his account
becomes protected, and the help desk, which can reset all other user passwords in the Employees OU,
cannot reset Jeff Ford’s password.
You should try to avoid adding users to the following groups that do not have members by default:
Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom
groups to which you assign permissions and user rights that achieve your business and administrative
requirements.
For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but
should not be able to perform restore operations that could lead to database rollback or corruption, and
should not be able to shut down a domain controller, do not put Scott in the Backup Operators group.
Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a
member.
Special Identities
Windows and AD DS also support special identities, which are groups for which membership is controlled
by the operating system. You cannot view the groups in any list (in the Active Directory Users and
Computers snap-in, for example), you cannot view or modify the membership of these special identities,
and you cannot add them to other groups. You can, however, use these groups to assign rights and
permissions. The most important special identities, often referred to as groups (for convenience), are
described in the following list:
• Anonymous Logon. This identity represents connections to a computer and its resources that are
made without supplying a user name and password. Prior to Windows Server 2003, this group was a
member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a
default member of the Everyone group.
• Authenticated Users. This represents identities that have been authenticated. This group does not
include Guest, even if the Guest account has a password.
• Everyone. This identity includes Authenticated Users and the Guest account. On computers that are
running versions of Windows that precede Windows Server 2003, this group includes Anonymous
Logon.
• Interactive. This represents users accessing a resource while logged on locally to the computer that is
hosting the resource, as opposed to accessing the resource over the network. When a user accesses
any given resource on a computer to which the user is logged on locally, the user is added to the
Interactive group automatically for that resource. Interactive also includes users logged on through a
Remote Desktop connection.
20410A: Installing and Configuring Windows Server® 2012 3-21
• Network. This represents users accessing a resource over the network, as opposed to users who are
logged on locally at the computer that is hosting the resource. When a user accesses any given
resource over the network, the user is automatically added to the Network group for that resource.
The importance of these special identities is that you can use them to provide access to resources based
on the type of authentication or connection, rather than the user account. For example, you could create
a folder on a system that allows users to view its contents when they are logged on locally to the system,
but that does not allow the same users to view the contents from a mapped drive over the network. You
could achieve this by assigning permissions to the interactive special identity.
Demonstration Steps
Lesson 3
Manag
ging Co
omputerr Accou
unts
A co
omputer accou unt begins its life cycle when
n you create itt and join it to your domain. Thereafter, daay-to-
day administrative
e tasks include
e the followingg:
• Configuring computer
c prop
perties.
• Managing the
e computer itsself.
• Renaming, re
esetting, disabling, enabling, and eventuallly deleting thee computer obj
bject.
It is important tha
at you know ho m these variouss computer-m anagement tasks so you can
ow to perform n
configure and ma aintain the com
mputer objectss within your o
organization.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Explain how to
t control who
o has permissio
on to create co
omputer accou
unts.
• Describe com
mputer accountts and the secu
ure channel.
• Explain how to
t reset the seccure channel.
Wh
hat Is the Computer
C rs Containe
er?
Befo
ore you createe a computer object
o in the
dire
ectory service, you must have
e a place to pu
ut it.
Th
hese specific examples
e aside
e, what is mostt important is tthat your OU sstructure refleccts your
ad
dministrative model
m so that your OUs can provide singlee points of maanagement forr the delegatioon of
ad
dministration.
Controlling
C g Permissio
ons to Create Computer Accounts
Th
hree condition
ns are required
d for you to joiin a
co
omputer to ann Active Directo
ory domain:
• d be created in the
A computer object should
directory se
ervice.
• You must have
h appropriaate permissions on
the computter object. The e permissions allow
a
you to join a physical commputer with a name
that matche es that of the object in AD DS
D to
the domain n.
• You must be
b a member of o the local
Administrattors group on the computerr. This
allows you to change the
e computer’s domain or wor kgroup memb
bership.
3-24 Managing Active Directory Domain Services Objects
Note: It is not mandatory to create a computer object in the directory service, but it is
highly recommended. However, many administrators join computers to a domain without first
creating a computer object. When you do this, Windows attempts to join the domain to an
existing object. When Windows does not find the object, it fails back and creates a computer
object in the default Computer container.
The process of creating a computer account in advance is called prestaging a computer. There are two
major advantages of prestaging a computer:
• The account is in the correct OU and is therefore delegated according to the security policy defined
by the ACL of the OU.
• The computer is within the scope of GPOs linked to the OU, before the computer joins the domain.
After you have been given permission to create computer objects, you can do so by right-clicking the OU
and choosing Computer from the New menu. Enter the computer name, following the naming
convention of your enterprise, and select the user or group that will be allowed to join the computer to
the domain with this account. The two computer names—Computer Name and Computer Name (Pre-
Windows 2000)—should be the same. There, very rarely, is a justification for configuring them separately.
Note: You can use the Redircmp.exe command-line tool to reconfigure the default
computer container. For example, if you want to change the default computer container to an
organizational unit called mycomputers, use the following syntax:
redircmp ou=mycomputers,DC=contoso,dc=com
Delegating Permissions
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have
permission to create computer objects in any new OU. However, as discussed earlier, we recommend that
you tightly restrict membership in the first three groups, and that you do not add Administrators to the
Account Operators group.
Instead, you should delegate the permission to create computer objects (called Create Computer Objects)
to appropriate administrators or support personnel. This permission, assigned to an OU’s group, allows
group members to create computer objects in that OU. For example, you might allow your desktop
support team to create computer objects in the clients OU, and allow your file server administrators to
create computer objects in the file servers OU.
To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose
a custom task to delegate. The next lesson discusses delegation.
20410A: Installinng and Configuring W
Windows Server® 20012 3-25
Computer
C Accounts
A and
a Secure Channells
Evvery member computer
c in an AD DS doma ain
maintains
m a com
mputer accoun nt with a user name
n
(ssAMAccountN Name) and passsword, just lik ke a
usser account do oes. The computer stores its
pa assword in thee form of a local security autthority
(LLSA) secret, and
d changes its password
p with
h the
do omain approximately every 30 days. The
NetLogon servicce uses the cre edentials to logg on to
thhe domain, wh hich establishess the secure chhannel
with
w a domain controller.
c
• A computer’s LSA secret gets out of synnchronization with the passw word that the domain know ws. You
can think of
o this as the co
omputer forgeetting its passw
word. Although h it did not forrget its passwo
ord, it
just disagre
ees with the do
omain over whhat the passwo ord really is. W
When this happ pens, the comp puter
cannot authhenticate, and the secure ch
hannel cannot be created.
Resetting
R the Secure Channel
Th
he most comm omputer-account
mon signs of co
problems are:
When the secure channel fails, you must reset the secure channel. Many administrators do this by
removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This
is not a good practice, because it has the potential to delete the computer account altogether. This loses
the computer’s SID, and more importantly, its group memberships. When you rejoin the domain, even
though the computer has the same name, the account has a new SID, and all the group memberships of
the previous computer object must be recreated. If the trust with the domain has been lost, do not
remove a computer from the domain, and then rejoin it. Instead, reset the secure channel.
To reset the secure channel between a domain member and the domain, use the Active Directory Users
and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the
computer’s SID remains the same, and it maintains its group memberships.
To reset the secure channel by using the Active Directory Users and Computers snap-in:
3. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using DSMod:
2. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using NetDom, at a command prompt, type the following command,
where the credentials belong to the local Administrators group of the computer:
This command resets the secure channel by attempting to reset the password on both the computer and
the domain, so it does not require rejoining or rebooting.
To reset the secure channel by using NLTest, on the computer that has lost its trust, at a command
prompt, type the following command:
You also can use Windows PowerShell with Active Directory Module to reset a computer account. The
following example demonstrates how to reset the secure channel between the local computer and the
domain to which it is joined. You must run this command on the local computer:
Test-ComputerSecureChannel –Repair
Note: You also can reset a remote computer’s password with Windows PowerShell:
invoke-command -computername Workstation1 -scriptblock {reset-computermachinepassword}
20410A: Installinng and Configuring W
Windows Server® 20012 3-27
Lesson
n4
Deleg
gating Adminis
A stration
n
Although a sing gle person can easily manage e a small netwwork with a han ndful of user aand computer
acccounts, as thee network grow ws, so too doees the volume o of work that reelates to netwwork managem ment. At
ome point, it iss necessary forr teams with particular speci alizations to eevolve, each wiith responsibility for
so
so
ome specific asspect of netwo ork manageme ent. In AD DS eenvironments,, it is common practice to crreate
OUs
O to bring de epartmental or geographic structure
s to th e networked o objects, and too enable config
guration
off administrativve delegation. It is importantt that you know w why and ho ow to create OUs, and how to
deelegate admin nistrative tasks to users on obbjects within th
hose OUs.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe AD
D DS permissio
ons.
AD
A DS Perm
missions
All AD DS objeccts, such as use ers, computerss, and
groups, can be secured by using a list of
pe ermissions. The permissions on an object area
caalled access coontrol entries (A
ACEs), and theey are
asssigned to users, groups, or computers,
c wh
hich are
also known as security
s pals. ACEs are saved
princip
in
n the object’s DACL,
D which iss part of the ob
bject’s
ACL. The ACL co ontains the sysstem access coontrol
lisst (SACL) that includes auditing settings.
Ea
ach object in AD
A DS has its own
o ACL. If you have
ufficient permissions, you can modify the
su
peermissions to control
c the levvel of access onna
sp
pecific AD DS object.
o The delegation of ad dministrative coontrol involvess assigning pe
ermissions thatt
manage
m access to objects andd properties in
n AD DS. Just aas you can givee a group the ability to chan
nge files
in
n a folder, you can give a grooup the abilityy, for example, to reset passw
words on user objects.
Thhe DACL of ann object also alllows you to asssign permissio ons to an objeect’s specific prroperties. For
exxample, you ca an allow (or deeny) permissio on to change pphone and emaail options. Th his is, in fact, no
ot just
onne property. Itt is a property set that includ
des multiple, sp
pecific propertties. Using pro
operty sets, you u can
ea
asily manage permissions
p to commonly ussed collectionss of properties. But, you could assign more e
granular permisssions and allo ow or deny perrmission to chaange just som e of the inform mation, such as the
mobile
m telephone number or the street add dress.
Assigning the help desk perm or each individ ual user object is tedious. Evven so,
mission to resett passwords fo
in
n AD DS, it is not a good practice to assign
n permissions tto individual o
objects. Instead
d, you should aassign
peermissions at the
t level of org
ganizational units.
Th
he permissionss you assign to o an OU are inherited by all objects in the OU. So, if you u give the help
p desk
peermission to re eset passwordss for user obje
ects and attachh that permissiion to the OU that contains the
ussers, all user objects within that OU will inh
herit that perm
mission. In justt one step, you
u have delegatted that
ad
dministrative task.
t
3-28 Managingg Active Directory Doomain Services Objeccts
Efffective AD DS Permissions
Effe
ective permissioons are the ressulting permissions
for a security principal, such as a user or group,
baseed on the cum mulative effect of each inherited
and explicit ACE. Your
Y ability to
o reset a user’s
passsword, for example, may be due to your
memmbership in a group that is allowed
a the Reeset
Passsword permisssion on an OU several levels
aboove the user obbject. The inhe erited permissio on
assigned to a group to which yo ou belong resu ults in
an effective
e permission of Allow w: Reset Passwo ord.
Youur effective perrmissions can beb complicated
wheen you conside er Allow and Deny
D permissioons,
explicit and inheriited ACEs, and d the fact that you may belon
ng to multiplee groups, each of which mayy be
assigned differentt permissions.
To calculate
c effective permissions for a specific user or a gro
oup, an AD DSS object, or forr a file or folde
er,
you can perform the
t following procedure:
1. Right-click the object, file or
o folder, click Properties, an
nd then click tthe Security taab.
Note: Use Deny permissions rarely. In fact, it is unnecessary to assign Deny permissions,
because if you do not assign an Allow permission, users cannot perform the task. Before
assigning a Deny permission, check to see if you could achieve your goal by removing an Allow
permission instead. For example, if you want to delegate an Allow permission to a group, but
exempt only one member from that group, you can use a Deny permission on that specific user
account while the group still has an Allow permission.
Each permission is granular. Even if you have been denied the ability to reset passwords, you may still
have the ability, through other Allow permissions, to change the user’s logon name or email address.
In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by
default, and that explicit permissions can override inheritable permissions. This means that an explicit
Allow permission will actually override an inherited Deny permission.
Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can
make evaluating effective permissions tedious. You can use the permissions reported by the DSACLs
command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating
effective permissions, but it is still a manual task.
Demonstration Steps
3. Use the Security tab to verify the assigned permissions. Close all open windows.
3-30 Managing Active Directory Domain Services Objects
You have been working for A. Datum for several years as a desktop-support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.
To begin deployment of the new branch office you are preparing AD DS objects. As part of this
preparation, you need to create an OU for the branch office and delegate permission to manage it. Then
you need to create users and groups for the new branch office. Finally, you need to reset the secure
channel for a computer account that has lost connectivity to the domain in the branch office.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
c. Domain: Adatum
2. Create the following global security groups in the Branch Office 1 organizational unit:
o Branch 1 Help Desk
o Branch 1 Administrators
o Branch 1 Users
3. Move Holly Dickson from the IT organizational unit to the Branch Office 1 organizational unit.
o Development\Duncan Bart
o Managers\Ed Meadows
o Marketing\Connie Vrettos
o Research\Barbara Zighetti
o Sales\Arlene Huff
5. Move the LON-CL1 computer to the Branch Office 1 organizational unit, and then restart the
computer.
6. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to
delegate administration of the Branch Office 1 organizational unit to the Branch 1 Administrators
security group.
X Task 2: Delegate a user administrator for the Branch Office Help Desk
1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate
administration of the Branch Office 1 organizational unit to the Branch 1 Help Desk security group.
3. Log on as Adatum\Holly with a password Pa$$w0rd. You can logon locally at a domain controller
because Holly belongs, indirectly, to the Server Operators domain local group.
4. From Server Manager, open Active Directory Users and Computers. Confirm your current
credentials in the User Account Control dialog box.
5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful as you lack the required permissions.
6. Try to delete Branch Office 1\Ed Meadows. You are successful because you have the required
permissions.
2. Close Active Directory Users and Computers, and then close Server Manager.
3. Open Server Manager, and then open Active Directory Users and Computers. In the User
Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required
credentials. To modify the Server Operators membership list, you must have permissions beyond
those available to the Branch 1 Administrators group.
4. Add the Branch 1 Help Desk global group to the Server Operators domain local group. Log off
LON-DC1.
5. Log on as Adatum\Bart with the password Pa$$w0rd. You can logon locally at a domain controller
because Bart belongs, indirectly, to the Server Operators domain local group.
6. Open Server Manager and then open Active Directory Users and Computers. Confirm your
current credentials in the User Account Control dialog box.
7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful because you lack the required
permissions.
8. Reset Connie’s password to Pa$$w0rd. You are successful. Log off LON-DC1.
9. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
20410A: Installing and Configuring Windows Server® 2012 3-33
Results: After this exercise, you should have successfully created the necessary OU and delegated
administration of it to the appropriate group.
3. Create a new user for the branch office, based on the template.
2. Modify the shared folder permissions so that the Everyone group as Full Control Allow permissions.
3. From Server Manager, open Active Directory Users and Computers and create a new user with the
following properties in the Branch Office 1 organizational unit:
o Password: Pa$$w0rd
o Account is disabled
X Task 3: Create a new user for the branch office, based on the template
1. Copy the _Branch_template user account, and configure the following properties:
o First name: Ed
2. Verify that the following properties have been copied during account creation:
o City: Slough
2. Log on to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to log on successfully.
3. Verify that you have a drive mapping for Z: to Ed’s home folder on LON-DC1, and then log off.
Results: After this exercise, you should have successfully created and tested a user account created from a
template.
2. Open Active Directory Users and Computers. Confirm your credentials in the User Account
Control dialog box.
3. Navigate to Branch Office 1.
2. Open Control Panel. Switch to Large icons view, and then open System.
3. View the Advanced system settings, and then select the Computer Name tab. Use the Network ID
button to rejoin the computer to the domain.
4. Complete the wizard to rejoin the computer to the domain. Use the following to help complete the
wizard:
o Domain: Adatum
6. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer
had been successfully rejoined.
Results: After this exercise, you should have successfully reset the trust relationship.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
Question: You are responsible for managing accounts and access to resources for your
group members. A user in your group transfers into another department within the
company. What should you do with the user’s account?
Question: What is the main difference between the Computers container and an OU?
Question: When should you reset a computer account? Why is it better to reset the
computer account than to disjoin and rejoin it to the domain?
Best Practices
o Use Universal groups only when necessary because they add weight to replication traffic.
o Use Windows PowerShell with Active Directory Module for batch jobs on groups.
2. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server-based
infrastructure. You have to find a method for joining new Windows® 8-based computers to a domain
during the installation process, without intervention of a user or an administrator.
20410A: Installing and Configuring Windows Server® 2012 3-37
Tools
Tool Use Where to find it
Module 4
Automating Active Directory Domain Services
Administration
Contents:
Module Overview 4-1
Module Overview
You can use command-line tools and Windows PowerShell® to automate Active Directory® Domain
Services (AD DS) administration. Automating administration speeds up processes that you might
otherwise perform manually. Windows PowerShell includes cmdlets for performing AD DS administration
and for performing bulk operations. You can use bulk operations to change many AD DS objects in a
single step rather than updating each object manually.
Objectives
After completing this module, you will be able to:
• Use command-line tools for AD DS administration.
Lesson 1
Using Comma
and-line
e Tools for Adm
ministraation
Winndows Server® 2012 includess several comm mand-line tool s that you can
n use to perforrm AD DS
ministration. Many organizations create scrripts that use ccommand-linee tools to automate the creation
adm
and managementt of AD DS objects such as user accounts aand groups. Yo ou must underrstand how to use
thesse command-line tools to en
nsure that if re
equired, you caan modify the scripts that yo
our organizatio
on
usess.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe how
w and when to use csvde.
Benefits of Using
U Com
mmand-Line Tools fo
or Adminisstration
Man ny administrattors prefer to use
u graphical tools,
t
suchh as Active Dirrectory Users and
a Computerss, for
AD DS administration wheneverr possible.
Graphical tools arre intuitive to use
u because th hey
visu
ually represent information and
a provide op ptions
in th
he form of rad
dio buttons and d dialog boxess.
Whe en information n is represente
ed graphically, you
do not
n need to memorize
m synta
ax.
• Faster implem
mentation of bulk
b operationss. For examplee, you can expo ort a list of new
w user accounnts
from a human resources ap pplication. You
u use a commaand-line tool o or script to creaate the new usser
accounts base
ed on the expo orted informattion. This is mu
uch faster than
n manually cre eating each ne
ew
user account individually.
• Customized processes
p for AD
A DS adminisstration. You caan use a custo omized graphiccal program to o
gather inform
mation about a new group, and
a then creat e the new gro oup. When the information iss
gathered, the
e graphical proogram can veriify that the infformation formmat—such as tthe naming
convention——is correct. Theen, the graphiccal program usses a comman nd-line tool to create the new
w
group. This process allows company-spec
c cific rules to bee enforced.
Note: Serve
er core can be administered remotely by u
using graphical tools.
20410A: Installling and Configuringg Windows Server® 2012 4-3
What
W Is Csv
vde?
Csvde
Cs is a commmand-line too ol that exports or
im
mports Active Directory
D ects to or from a
obje
co
omma-separatted values (.csvv) file. Many
ap
pplications aree capable of exxporting or importing
daata from .csv files.
f This make
es csvde usefu ul for
in
nteroperability with other ap pplications, succh as
daatabases or sppreadsheets.
Ex
xport Objeccts by Using
g csvde
To
o export objeccts by using csvde, as a minimum, you neeed to specify the filename off the .csv file to
o which
da ported. With only the filenam
ata will be exp me specified, a ll objects in th
he domain will be exported.
Th
he basic syntaxx to use csvde
e for export is:
Csvde –f filename
Other
O options that you can usse with csvde are listed in th
he following taable.
Option
O Description
-p SearchSco
ope Specifies the
e scope of the search relativee to the contaiiner specified by the
option -d. Thhe SearchSco pe option can n be either base (this object oonly),
onelevel (obbjects within th
his container), or subtree (th
his container aand all
subcontainers). The defaullt is subtree.
Create
C Objeccts by Using
g csvde
Th
he basic syntaxx for using csv
vde to create objects
o is:
Cs
svde –i –f fi
ilename –k
Th
he -i paramete
er specifies import mode. Thhe -f parameteer identifies thee file name fro
om which to im mport.
Th
he -k parametter instructs csvde to ignore error messagees, including t he “Object Alrready Exists” errror
4-4 Automatingg Active Directory Doomain Services Administration
The .csv file that iss being used for an import must
m have a heeader row thatt contains nam
mes of LDAP
attributes for the data in the .cssv file. Each row
w must contain
n exactly the ccorrect numbe
er of items as
speccified in the heeader row.
You
u cannot use cssvde to imporrt passwords, because
b passw
words in a .csv ffile are not pro
otected. As a rresult,
userr accounts crea
ated by csvde
e have a blank password and
d are disabled.
Wh
hat Is Ldifd
de?
Ldiffde is a command-line tool that
t you can use
u to
export, create, mo e AD DS objects.
odify, or delete
Like
e csvde, ldifde e uses data thaat is stored in a file.
The file must be inn LDAP Data Interchange Fo ormat
(LDIIF). Most applications canno ot export or import
dataa in LDIF format. It is more liikely that you can
obta ain data in LDIF format fromm another direcctory
servvice.
An LDIF file is textt-based, with blocks
b of lines
com
mposing a single operation such as creating or
moddifying a user object. Each line within the
ope
eration specifiees something about
a the
ope
eration, such ass an attribute or
o the type of operation. A b
blank line sepaarates multiple
e operations w
within
the LDIF file.
The following is an example of an
a LDIF file that creates a sin
ngle user.
For each operation in an LDIF file, the changetype line defines the operation to be performed. The valid
values are add, modify, or delete.
Ldifde –f filename
Some other options you can use when exporting objects ldifde are listed in the following table.
Option Description
-d RootDN The root of the LDAP search. The default is the root of the
domain.
Ldifde –i –f filename –k
The -i parameter specifies import mode. The -f parameter identifies the file name to import from. The -k
parameter instructs ldifde to ignore errors, including the “Object Already Exists” error. The option
suppress errors is useful when importing objects to ensure that all objects possible are created instead of
stopping when partially complete.
You cannot use ldifde to import passwords, because passwords in an LDIF file would not be secure. As a
result, user accounts created by ldifde have a blank password and are disabled.
4-6 Automatingg Active Directory Doomain Services Administration
Wh
hat Are DS
S Comman
nds?
Winndows Server 2012
2 includes command-line
c e
tools called DS coommands, whicch are suitable
e for
use in scripts. You
u can use DS coommand-line tools
to create,
c view, modify, and remmove AD DS
obje
ects. The followwing table desscribes DS
com
mmand-line tools.
To
ool Description
DSmod Modifies AD
D DS objects.
DSrm Removes AD
D DS objects.
DSmove Moves AD D
DS objects.
Use
er Managem
ment Comm
mand Examp
ples
The following are examples of commands
c tha
at you could tyype at a comm
mand prompt.
To modify
m the dep
partment of a user account, type:
Dsmo
od user “cn=Joe Healy,ou=Managers,dc
c=adatum,dc=c
com” –dept IT
T
To display
d the em
mail of a user acccount, type:
To delete
d a user account,
a type:
Dsrm
m “cn=Joe Healy,ou=Managers,dc=adatu
um,dc=com”
To create
c a new user
u account, tyype:
Lesson
n2
Using
g Windo
ows Pow
werShelll for Ad
dministration
Windows
W PowerShell is the prreferred scriptiing environmeent in Window
ws Server 2012.. It is much eassier to
usse than previous scripting languages such as Microsoft® Visual Basic SScripting Editio
on (VBScript).
Windows
W PowerShell includess an extensive list of cmdletss to manage A
AD DS objects. Cmdlets can b be used
to
o create, modiffy, and remove e user accountts, groups, com
mputer accoun nts, and organizational unitss.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Use Window
ws PowerShelll cmdlets to manage groupss.
• Use Window
ws PowerShelll cmdlets to manage compu
uter accounts.
Using
U Wind
dows Powe
erShell Cm
mdlets to M
Manage Ussers
Yoou can use Windows PowerS Shell cmdlets to
t
crreate, modify, and delete use
er accounts. Th
hese
cm
mdlets can be used for indivvidual operatio
ons or as
pa t perform bulk operations. Some
art of a script to
f managing user accounts are in
off the cmdlets for
th
he following ta able.
Cmdlet
C De
escription
Set-ADUser Modifies
M properrties of user acccounts.
Remove-ADU
User De
eletes user acccounts.
Set-ADAccou
untPassword Re
esets the passw
word of a userr account.
Set-ADAccou
untExpiration
n Modifies
M the exp
piration date o
of a user accou
unt.
Unlock-ADA
Account Unnlocks a user aaccount when it is locked aftter exceeding the
acccepted numb er of incorrectt login attemppts.
Enable-ADAcccount En
nables a user aaccount.
Disable-ADA
Account Diisables a user aaccount.
4-8 Automating Active Directory Domain Services Administration
• If you do not use the –AccountPassword parameter, no password is set and the user account is
disabled. The –Enabled parameter cannot be set as $true when no password is set.
• If you use the –AccountPassword parameter to specify a password, then you must specify a variable
that contains the password as a secure string, or choose to be prompted for the password. A secure
string is encrypted in memory. If you set a password then you can enable the user account by setting
the –Enabled parameter as $true.
Some commonly used parameters for the New-ADUser cmdlet are listed in the following table.
Parameter Description
ChangePasswordAtLogon Requires the user account to change passwords at the next logon.
HomeDirectory Defines the location of the home directory for a user account.
HomeDrive Defines the drive letters that are mapped to the home directory
for a user account.
The following is a command you could use to create a user account with a prompt for a password:
Question: Are the parameters for all cmdlets that you use to manage user accounts the
same?
20410A: Installling and Configuringg Windows Server® 2012 4-9
Using
U Wind
dows Powe
erShell Cm
mdlets to M
Manage Grroups
Yo
ou can use Windows PowerS Shell to create,
modify,
m and dellete groups. Thhese cmdlets can
c be
ussed for individual operationss or as part of a script
to
o perform bulk k operations. Some
S of the cm
mdlets
fo
or managing groups
g are liste
ed in the follow
wing
ta
able.
Cmdlet
C De
escription
New-ADGrou
up Crreates new gro
oups.
Set-ADGroup
p Modifies
M properrties of groupss.
Remove-ADG
Group De
eletes groups.
Add-ADGrou
upMember Ad
dds members to groups.
Remove-ADG
GroupMembe
er Re
emoves memb
bers from grou
ups.
Add- Ad
dds group me mbership to o
objects.
GroupMembe
ADPrincipalG ership
Remove- Re
emoves group
p membership from an objecct.
GroupMembe
ADPrincipalG ership
Create
C New Groups
G
Yo
ou can use thee New-ADGro oup cmdlet to create groupss. However, wh hen you createe groups using
g the
New-ADGroup
N p cmdlet, you must
m use the GroupScope
G p e group name. This is
parameter in aaddition to the
th
he only require
ed parameter. The following table lists com
mmonly used p parameters for New-ADGro oup.
Parameter Description
DisplayName
e Defines the LDAP display name for the object.
GroupCatego
ory Defines whether itt is a security g
group or a disttribution group. If you
do not
n specify eithher, a security group is creatted.
4-10 Automating Active Directory Domain Services Administration
Parameter Description
The following command is an example of what you could type at a Windows PowerShell prompt to create
a new group:
• The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or
remove members of a group.
o You cannot pipe a list of members to these cmdlets.
Note: When you pipe a list of objects to a cmdlet, you pass a list of objects to a cmdlet.
More information about how to pipe a list of objects is covered in Lesson 3: Performing Bulk
Operations with Windows PowerShell.
Using
U Wind
dows Powe
erShell Cm
mdlets to M
Manage Co
omputer A
Accounts
Yoou can use Windows PowerS Shell to create,
modify,
m and dellete computer accounts. These
mdlets can be used for indivvidual operatio
cm ons or as
pa t perform bulk operations. Some
art of a script to
f managing computer acco
off the cmdlets for ounts
arre listed in the following tab
ble.
Cmdlet
C Description
New-ADCom
mputer Creates a neew computer account.
Set-ADComp
puter Modifies prroperties of a ccomputer acco
ount.
Get-ADComp
puter Displays pro
operties of a ccomputer acco
ount.
Remove-ADC
Computer Deletes a co
omputer accou
unt.
Test-ComputterSecureCha
annel Verifies or rrepairs the trusst relationship
p between a
computer aand the domai n.
Reset-Compu
uterMachineP
Password Resets the p
password for a computer acccount.
Create
C New Computer
C Accounts
A
Yoou can use the
e New-ADCom mputer cmdle et to create a n
new computer account before the computter is
jo
oined to the do
omain. You do
o this so you ca
an create the ccomputer acco
ount in the corrrect OU beforre
deeploying the computer.
c
Th
he following ta
able lists comm
monly used pa
arameters for N
New-ADComp
puter.
Parameter Description
Th
he following iss an example that
t you can use to create a computer acccount:
Ne
ew-ADComputer –Name LON-SVR8 –Path “ou=marketing
g,dc=adatum,d
dc=com –Enabl
led $true
Repair
R the Trrust Relatio
onship for a Computer A
Account
Yo
ou can use thee Test-CompuuterSecureCha annel cmdlet w
with the –Reppair parameterr to repair a lost trust
re
elationship bettween a computer and the domain.
d You m mdlet on the ccomputer with the lost
must run the cm
4-12 Automating Active Directory Domain
D Services Adm
ministration
Using Windo
ows PowerrShell Cmd
dlets to Maanage OUs
Youu can use Wind dows PowerShell to create,
mod dify, and delette OUs. These cmdlets
c can be
usedd for individua o as part of a script
al operations or
to perform
p bulk operations.
o Somme of the cmd dlets
for managing OUs are listed in the following table.
Cm
mdlet Deescription
New-ADOrgan
N nizationalUnitt Crreates OUs.
Se
et-ADOrganizzationalUnit M
Modifies properties of OUs.
Remove-ADOrrganizationalU
Unit D eletes OUs.
Cre
eate New OU
Us
You
u can use New w-ADOrganiza ationalUnit cmmdlet to createe a new OU to represent dep
partments or
phyysical locations within in your organization.
The following table shows comm
monly used pa
arameters for tthe New-ADO
Organizationa
alUnit cmdlet.
Pa
arameter Descrip
ption
Name
N Definees the name off the new OU.
Pa
ath Definees the location
n of the new O
OU.
ProtectedFrom
mAccidentalDe
eletion Preven
nts the OU fro om being deletted accidentally.
The deefault value is $true.
Lesson
n3
Perfo
orming Bulk
B Op
peration
ns with Window
ws Pow
werShell
Windows
W PowerShell is a pow
werful scripting
g environmentt that you can use to perform
m bulk operations,
which
w would no ormally be tedious to perform
m manually. Y
You can also peerform some b bulk operation
ns in
graphical tools.
To
o perform bulk k operations using
u Windowss PowerShell, yyou must first understand ho ow to create queries
fo
or a list of AD DS
D objects, and how to workk with .csv filess. Then you can create scriptts that perform
m the
bu
ulk operationss that you requuire.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe bu
ulk operations.
• Query AD DS
D objects by using
u Window
ws PowerShell.
• ws PowerShell .
Modify AD DS objects byy using Window
• Modify and
d execute Wind
dows PowerSh
hell scripts to p
perform bulk o
operations.
What
W Are Bulk
B Opera
ations?
A bulk operation n is a single acction that channges
multiple
m objectss. Performing a bulk operatio on is
much
m faster thaan changing many
m objects
in m also be more accurate, because
ndividually. It may b
peerforming man ny individual actions
a increasses the
lik
kelihood of ma aking a typogrraphical error.
Yo
ou can perform m bulk operatiions with grap
phical
to
ools, at a commmand prompt, or by using sccripts.
Ea
ach method fo or performing bulk operation ns has
diifferent capabilities. For exam
mple:
• Graphical to
ools tend to be limited in th
he
properties that
t they can modify.
m
Th
he general pro
ocess for perfo
orming bulk op
perations is as follows:
1.. Define a qu
uery. You use the
t query to seelect the objeccts that you waant to modify. For example, you
may want to
t modify all user accounts in a specific OU
U.
1. Perform a search or create a filter to display the objects that you want to modify.
When you use graphical tools to modify multiple user accounts simultaneously, you are limited to
modifying the properties that displayed in the user interface.
Note: When you use graphical tools to modify multiple user accounts simultaneously, you
are limited to modifying the properties that display in the user interface.
Demonstration Steps
3. Verify that the criteria that you added is for the type User, and perform the search.
Querying
Q Objects
O witth Window
ws PowerSShell
In
n Windows Pow werShell, you use
u the Get-* cmdlets
to
o obtain lists of objects, such
h as user accou
unts.
Yoou can also use these cmdlets to generate e
quueries for obje
ects on which you
y can perforrm bulk
opperations. Thee following tabble lists commo
only
ussed parameterrs with the Gett-AD* cmdletss.
Parameter Description
D
SearchScope
e Defines at wha
at level below the SearchBa ase a search shhould be perfo
ormed.
You can choose to search o nly in the basee, one level do
own, or the enttire
subtree.
ResultSetSize
e Defines how many
m objects tto return in ressponse to a qu
uery. To ensure
e that
all objects are returned, youu should set thhis to $null.
Create
C a Que
ery
Yo
ou can use the
e Filter parameter or the LD
DAPFilter para meter to creatte queries for objects with th
he Get-
AD*
A cmdlets. Th he Filter param
meter is used for
f queries wriitten in Windoows PowerShelll Expression
La
anguage. The LDAPFilter pa arameter is use
ed for queries written as LDA
AP query strings. Windows
Po
owerShell Exprression Langua
age is preferre
ed because:
Th
he following ta
able lists comm
monly used op
perators you caan use in Wind
dows PowerSh
hell Expression
La
anguage.
Operator
O D
Description
-eq EEqual to
-ne N
Not equal to
-gt G
Greater than
4-16 Automating Active Directory Domain
D Services Adm
ministration
Op
perator Desscription
-g
ge Greeater than or eequal to
Get-ADUser Administrator –P
Properties *
Mo
odifying Objects
O witth Window
ws PowerS hell
To perform
p a bulk
k operation, yoou need to passs the
list of
o objects thatt you have queeried to another
cmd dlet to modify the objects. In
n most cases, you
y
use the Set-AD* cmdlets
c to moodify the objeccts.
To pass
p the list of queried objeccts to another
cmddlet for furtherr processing, you
y use the pip pe ( | )
character. The pip pe character paasses each object
from
m the query to o a second cmd dlet, which the
en
perfforms a specifiied operation on each objecct.
Th
he following iss a command that
t you couldd use to generaate a list of useer accounts th
hat have not lo
ogged
on
n since a speciific date, and then
t disables them:
t
Ge
et-ADUser –Fi
ilter ‘lastlogondate –lt “January 1, 2012”’ | Di
isable-ADAcco
ount
Use
U Objects from a Textt File
In
nstead of using g a list of objeccts from a queery to perform a bulk operattion, you can u use a list of objjects in
a text file. This is useful when you need a lisst of objects to
o modify or rem move, and it iis not possiblee to
geenerate that list by using a query.
q For exam
mple, the humman resources d department m may generate a list of
usser accounts to o be disabled. There is no qu uery that can iidentify a list o
of users that haave left the
orrganization.
When
W you use a text file to sp
pecify a list of objects,
o the teext file needs to
o have the nam
me of each ob
bject on
a single line.
Th
he following example disables the user acccounts that aree listed in a teext file:
Ge
et-Content C:\users.txt | Disable-ADAccount
Working
W with
w CSV Files
A .csv file can co
ontain much more
m information
th
han a simple lisst. Similar to a spreadsheet, a .csv
fille can have muultiple rows annd columns of
in
nformation. Eacch row in the .csv
. file represents a
single object, annd each colum mn in the .csv file
re
epresents a pro operty of the object.
o This is useful
u
fo
or bulk operatiions such as crreating user acccounts
where
w multiple pieces of information aboutt each
ob bject are required.
Yo
ou can use the e Import-Csv cmdlet to read d the
co
ontents of a .cssv file into a va
ariable, and th
hen
work
w with the data.
d After the data is importted into
he variable, you can then reffer to each individual row off data and each
th h individual coolumn of data.. Each
co
olumn of data has a name th hat is based on
n the header ro
ow (the first ro
ow) of the .csvv file. You can rrefer to
ea
ach column byy name.
Th
he following iss an example a .csv file with a header row:
Fi
irstName,Last
tName,Department
Gr
reg,Guzik,IT
Ro
obin,Young,Re
esearch
Qi
iong,Wu,Marke
eting
Use
U Foreach to Process CSV Data
In
n many cases, you
y are creatin ng script that will
w be reused for multiple .ccsv files, and yo
ou do not kno ow how
many
m rows therre are in each .csv
. file. You ca
an use a foreaach loop to process each row w in a .csv file. This
tyype of loop do
oes not requiree that you know w how many rrows there are.
4-18 Automating Active Directory Domain Services Administration
The following is a command that you could use to import a .csv file into a variable, and use a foreach
loop to display the first name from each row in a .csv file:
$users=Import-CSV C:\users.csv
Foreach ($i in $users) {
Write-Host “The first name is: $i.FirstName”
}
The execution policy on a server determines whether scripts are able to run. The default execution policy
on Windows Server 2012 is RemoteSigned. This means that local scripts can run without being digitally
signed. You can control the execution policy on by using the Set-ExecutionPolicy cmdlet.
Demonstration Steps
Configure the department for users in the Research OU
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, search for user accounts in the Research OU using the following
command:
3. Set the department attribute of all users in the Research OU using the following command:
4. Display a table-formatted list of users in the Research department. Display the distinguished name
and department by using the following command:
5. Use the Properties parameter to allow the previous command to display the department correctly.
Use the following command:
Create a LondonBranch OU
• At the Windows PowerShell prompt, create a new OU named LondonBranch using the following
command:
2. Edit DemoUsers.ps1, and review the contents of the script. Note that the script:
3. At the Windows PowerShell prompt, change to the E:\Labfiles\Mod04 directory and run the following
command:
.\DemoUsers.ps1
2. In Active Directory Administrative Center, browse to Adatum (local)>LondonBranch, and verify that
the user accounts were created. Note that the passwords are disabled because no password was set
during creation.
4-20 Automating Active Directory Domain Services Administration
You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.
As part of configuring a new branch office, you need to create user and group accounts. Creating multiple
users with graphical tools is inefficient, so, you will be using Windows PowerShell.
Objectives
After completing this lab, you will be able to:
• Create user accounts and group accounts by using Windows PowerShell.
Lab Setup
Lab Setup
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.
20410A: Installing and Configuring Windows Server® 2012 4-21
New-ADOrganizationalUnit LondonBranch
3. Create a new user account for Ty Carlson in the LondonBranch OU using the following command:
4. Set the password for the new account as Pa$$w0rd, using the following command:
Set-ADAccountPassword Ty
Enable-ADAccount Ty
2. At the Windows PowerShell prompt, add Ty as a member of LondonBranchUsers, using the following
command:
3. At the Windows PowerShell prompt, confirm that Ty has been added as a member of
LondonBranchUsers, using the following command:
Get-ADGroupMember LondonBranchUsers
4-22 Automating Active Directory Domain Services Administration
Results: After completing this exercise, you will have created user accounts and groups by using Windows
PowerShell.
o $csvfile: E:\Labfiles\Mod04\labUsers.csv
o $OU: “ou=LondonBranch,dc=adatum,dc=com”
2. At the Windows PowerShell prompt, verify that the users were created by using the following
command:
Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in
bulk.
to run a script to force all user accounts in the London branch to change their password the next time that
they log on.
X Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, create a query for user accounts in the LondonBranch OU using
the following command:
3. At the Windows PowerShell prompt, modify the previous command to force all user accounts to
change their password at the next logon.
Results: After completing this exercise, you will have modified user accounts in bulk.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
Question: You are an administrator for a school district that creates 20,000 new user
accounts for students each year. The administration system for students can generate a list of
the new students and then export it as a .csv file. After the data has been exported to a .csv
file, what information do you need to work with the data in a script?
Question: The Research department in your organization has been renamed to Research and
Development. You need to update the Department property of users in the Research
department to reflect this change.
Question: You have created a query for user accounts with the department property set to
Research by using the Get-ADUser cmdlet and the –Filter parameter. What is the next step
to update the department property to Research and Development?
5-1
Module 5
Implementing IPv4
Contents:
Module Overview 5-1
Module Overview
Internet Protocol Version 4 (IPv4) is the network protocol used on the Internet and local area networks. To
ensure that you can you understand and troubleshoot network communication, it is essential that you
understand how IPv4 is implemented.. In this module, you will see how to implement anIPv4 addressing
scheme, and determine and troubleshoot network-related problems.
Objectives
At the end of this module, you will be able to:
Lesson 1
Overviiew of TCP/IP
T
Trannsmission Control Protocol/ Internet Protoocol (TCP/IP) iss an industry standard suite of protocols th
hat
provvides commun nication in a heeterogeneous network. This lesson providees an overview w of IPv4 and hhow it
relates to other prrotocols to enaable network communicatio
c on. It also coveers the conceptt of sockets wh
hich
are used by appliccation to accept network communicationss. Combined to ogether this ovverview providdes a
founndation for un
nderstanding anda troublesho ooting networkk communicattion.
Lessson Objectiives
At the end of this lesson, you will
w be able to:
• Describe a so
ocket and identtify port numb
bers for specifiied protocols.
• Internet laye
er. The interne
et layer protoco
ols
control packe
et movement between
b netwo
orks.
Ben
nefits of Arcchitecture Layers
L
Rath
her than creating a single prrotocol, dividin
ng the networkk functions intto a stack of se
eparate protoccols
provvides several benefits:
b
• Creating or modifying
m ort new standaards does not require modiffication of the entire
protocols to suppo
protocol stack.
Protocols
P in
n the TCP//IP Suite
Th
he Open Syste ems Interconne ection (OSI) model
efines distinct layers related to packaging,,
de
ending, and receiving data trransmissions over
se o a
ne
etwork. The layered suite of protocols thatt form
th
he TCP/IP stackk carry out theese functions.
Application
A Layer
L
Thhe application layer of the TCP/IP
T model
co
orresponds to the applicatio on, presentation, and
ession layers of the OSI model. This layer provides
se p
ervices and utilities that enab
se ble application
ns to
acccess network resources.
Transport La
ayer
Th
he transport la
ayer correspon
nds to the transport layer of the OSI modeel and is responnsible for end--to-end
co
ommunication n using TCP or User Datagram m Protocol (UD DP). The TCP/ IP protocol suite offers application
programmers th he choice of TC
CP or UDP as a transport layyer protocol:
• TCP. Providdes connectionn-oriented reliable commun ications for ap pplications. Coonnection-oriented
communica ends the data. To
ation confirms that the destination is readyy to receive daata before it se
make comm munication reliable, TCP con packets are recceived. Reliablle communication is
nfirms that all p
desired in most
m cases and
d is used by most applicationns. Web serverrs, File Transfeer Protocol (FTP)
clients, and
d other applica
ations that movve large amouunts of data usse TCP.
• UDP. Provides connectionless and unre eliable commuunication. Wheen using UDP, reliable delive ery is the
responsibiliity of the application. Appliccations use UD
DP for faster co
ommunication with less overrhead
than TCP. Applications
A su
uch as streamin ng audio and vvideo use UDP P so that a sing
gle missing paacket will
not delay playback.
p UDP is also used byy applications that send smaall amounts off data, such as Domain
Name Syste em (DNS) nam me lookups.
Th
he transport la
ayer protocol that
t ation uses is deetermined by tthe developerr of an applicattion,
an applica
an
nd is based on
n the communication require ements of the application.
In
nternet Laye
er
Thhe Internet layyer correspondds to the netwo ork layer of th e OSI model aand consists off several separaate
protocols, including: IP; Addre ess Resolution Protocol (ARP P); Internet Gro
oup Managem ment Protocol (IGMP);
annd Internet Coontrol Message e Protocol (ICMMP). The proto ocols at the Intternet layer en
ncapsulate tran
nsport
la
ayer data into units
u called pa
ackets, addresss them, and rou ute them to th heir destinations.
Th
he Internet layyer protocols are:
a
• IP. IP is resp
ponsible for ro
outing and add
dressing. The W
Windows 8 op perating system m and the Win ndows
®
Server 201 12 operating system implemment a dual-layyer IP protocoll stack, including support forr both
IPv4 and IP Pv6.
• IGMP. IGM
MP provides sup outers in IPv4 networks.
pport for multtitasking appliccations over ro
TCP/IP Appliications
Appplications use application
a layyer protocols too
com
mmunicate ove er the network k. A client and
servver must be using the same application
a layyer
prottocol to commmunicate. The following
f tablee lists
som
me common ap pplication layer protocols.
Prrotocol Description
D
HTTP
H Used
U for comm
munication bettween the web
b browsers and
d web servers.
HTTP/Secure
H (H
HTTPS) A version of HT
TTP that encryypts communiccation betwee
en web browse
ers
and
a web servers.
FT
TP Used
U to transfe
er files betweeen FTP clients aand servers.
Se
erver Message
e Block Used
U by serverrs and client co
omputers for ffile and printerr sharing.
(S
SMB)
What
W Is a Socket?
S
When
W an appliccation wants to
o establish
co
ommunication n with an application on a remote
ost, it creates a TCP or a UDP socket, as
ho
ap
ppropriate. A socket
s identifie
es the followin
ng as
pa
art of the commmunication prrocess:
• The transpo
ort protocol th
hat the applica
ation
uses, which
h could be TCPP or UDP
Th
his combinatio
on of transportt protocol, IP address,
a and p
port creates a ssocket.
Well-Known
W Ports
Applications aree assigned a port number be etween 0 and 65,535. The firrst 1,024 portss are known ass well-
kn
nown ports and d have been assigned to spe ecific applicatioons. Applicatio
ons listening fo
or connectionss use
onsistent port numbers to make
co m it easier fo
or client appliccations to con plication listens on a
nnect. If an app
no
on-standard port
p number, th hen you need to specify the port number when connectting to it. Clien nt
ap
pplications typpically use a random source port number aabove 1,024. TThe following ttable identifiess some
off these well-kn
nown ports.
Port Protocol Ap
pplication
80 TCP HT
TTP used by a web server
443 TCP HT
TTPS for a sec ure web serveer
110 TCP PO
OP3 used for eemail retrieval
25 TCP SM
MTP that is useed for sending
g email messag
ges
20, 21 TCP FT
TP used for filee transfers
Yo
ou need to be aware of the port numbers that applicatio
ons use, so yo u can configure firewalls to allow
co
ommunicationn. Most applica
ations have a default
d umber for this purpose, but it can be chan
port nu nged
when
w required. For example, some web-bassed applicationns run on a poort other than port 80 or porrt 443.
Question: Are
A there othe
er well-known ports that you
u can think of??
5-6 Implementing IPv4
Lesson 2
Understandin
ng IPv4 Addressing
Und
derstanding IPvv4 network coommunication is critical to en
nsuring that yo ou can implem
ment, troubleshhoot,
and maintain IPv4
4 networks. On ne of the core components o of IPv4 is addrressing. Undersstanding
add
dressing, subne
et masks, and default
d gatewa u to identify the proper communication
ays allows you
betw
ween hosts. To
o identify IPv4 communicatio on errors you need to underrstand how the e process is
supposed to workk. .
Lessson Objectiives
At the end of this lesson, you will
w be able to:
• Understand how
h dotted de
ecimal notation
n relates to bin
nary numbers.
• Describe a sim
mple IPv4 netw
work with classsfull addressin g.
• Describe a co
omplex IPv4 ne
etwork with cla
assless addresssing.
IPv
v4 Addresssing
To configure
c netw
work connectivvity, you must be
fam
miliar with IPv4 addresses and d how they woork.
Network commun nication for a computer
c is
ected to the IPvv4 address of that computerr.
dire
Eachh networked computer
c mustt be assigned a
uniq
que IPv4 addre ess.
Sub
bnet Mask
Each
h IPv4 addresss is composed of a network IDI and a host ID. The networrk IDi identifie
es the networkk on
which the computter is located. The host ID unniquely identiffies the compu
uter on that sp
pecific networkk. A
subn
net mask identifies which paart of an IPv4 address
a is the network ID, an
nd which part is the host ID.
In th
he simplest sce
enarios, each octet
o in a subn
net mask is eith
her 255 or 0. A 255 represen nts an octet that is
ost ID. For example, a compu
partt of the network ID, while a 0 represents an octet that is part of the ho uter
withh an IP addresss of 192.168.23
3.45 and a subbnet mask of 2255.255.255.0 has a networkk ID of 192.168 8.23.0
and a host ID of 0.0.0.45.
0
Default
D Gate
eway
A default gatew
way is a device,, usually a routter, on a TCP/ IP network thaat forwards IP packets to oth
her
ne
etworks. The multiple
m internal networks inn an organizatiion can be refeerred to as an intranet.
Beefore a host se
ends an IPv4 packet,
p it uses its
i own subnett mask to deteermine whethe er the destination host
is on the same network,
n or onn a remote nettwork. If the deestination hostt is on the sam
me network, th he
se
ending host traansmits the pa acket directly to
t the destinattion host. If thee destination h
host is on a diffferent
neetwork, the hoost transmits th
he packet to a router for del ivery.
When
W a host tra
ansmits a pack ket to a remote 4 consults thee internal routing table to de
e network, IPv4 etermine
th
he appropriatee router for the
e packet to rea
ach the destinaation subnet. IIf the routing ttable does nott
co
ontain any rou
uting informatiion about the destination su ubnet, IPv4 forrwards the paccket to the default
ga
ateway. The ho ost assumes thhat the defaultt gateway conttains the requiired routing in
nformation. Th he
de
efault gatewayy is used in moost cases.
Public
P and Private IPv4 Addressses
Devices and hosts that connect directly to the
t
In
nternet require
e a public IPv4 address. Hostts and
deevices that do not connect directly
d to the
In
nternet do not require a pubblic IPv4 address.
Public
P IPv4 Addresses
A
Puublic IPv4 addresses must bee unique. Interrnet
Assigned Numb bers Authority (IANA) assigns public
IP
Pv4 addresses to
t regional Intternet registrie
es (RIRs).
RIRs then assignn IPv4 addresses to Internet service
providers (ISPs). Usually, your ISP allocates you
y one
orr more public addresses fromm its address pool.
p
Th
he number of addresses thatt your ISP alloccates to
yo
ou depends up pon how manyy devices and hosts that youu have to conn
nect to the Inte
ernet.
Private
P IPv4 Addresses
Th
he pool of IPv4 4 addresses is becoming smaller, so RIRs aare reluctant to
o allocate supeerfluous IPv4
ad
ddresses. Techhnologies such as network ad ddress translattion (NAT) enaable administraators to use a
elatively small number of public IPv4 addre
re esses, and at t he same time,, enable local h
hosts to conne ect to
re
emote hosts an nd services on the Internet.
5-8 Implementing IPv4
Ne
etwork Range
10.0.0.0/8 10.0.0.0-1
10.255.255.2555
172.16.0.0/12 172.16.0.0
0-172.31.255.2255
192.168.0.0/16 192.168.0.0-192.168.2555.255
Ho
ow Dotted Decimal Notation
N Relates
R to Binary Nu
umbers
Whe en you assign IP addresses, you
y use dotted d
decimal notation. Dotted decimmal notation is
baseed on the deciimal number system.
s Howevver, in
the background, computers
c e IP addresses in
use
binaary. To understtand how to choose a subneet
massk for complexx networks, youu must undersstand
IP addresses in bin
nary.
10000011 0110
01011 0000001
11 00011000 1131.107.3.24
20410A: Installling and Configuringg Windows Server® 2012 5-9
Simple IPv4
4 Impleme
entations
IP
Pv4 Addresss Classes
Thhe IANA organ nizes IPv4 addresses into classes.
Eaach class of ad
ddress has a diffferent defaultt subnet
mask
m that defines the number of valid hosts on the
neetwork. IANA has named the e IPv4 addresss classes
from Class A through Class E..
Number oof Nu
umber of hostts
Class First octet Defaultt subnet maskk
networks pe
er network
A 1-127 255.0.0
0.0 126 16,777,214
Note: Thee IPv4 address 127.0.0.1 is ussed as a loopbback address; yyou can use this address to
te
est the local co
onfiguration off the IPv4 prottocol stack. Co
onsequently, thhe network address 127 is
no
ot permitted for configuring g IPv4 hosts.
5-10 Implemennting IPv4
Mo
ore Compllex IPv4 Im
mplementa
ations
In complex netwo orks, subnet masks might not be
simple combinatio ons of 255 andd 0. Rather, yo
ou
migght subdivide one
o octet with some bits tha at are
for the
t network ID D, and some thhat are for the host
ID. This
T allows you u to have the specific
s numbe er of
subnets and hostss that you requuire. The follow
wing
exammple shows a subnet mask that
t can be use ed to
divide a class B ne
etwork into 16
6 subnets:
17
72.16.0.0/255
5.255.240.0
In many
m cases, ratther than using
g a dotted deccimal
reprresentation of the subnet ma ask, the numbber of
bits in the networrk ID is specifie
ed instead. This is called classsless interdom
main routing (CIDR). The follo
owing
is an
n example of CIDR:
C
172.16.0.0/20
Question: Do
oes your organ
nization use sim
mple or comp
plex networking
g?
20410A: Installinng and Configuring W
Windows Server® 20012 5-11
Lesson
n3
Subne
etting and
a Sup
pernetting
In
n most organizzations, you ne eed perform su ubnetting to ddivide your nettwork into smaaller subnets and
allocate those subnets for spe ecific purposess or locations. TTo do this you
u need to unde
erstand how to o select
th
he correct num
mber of bits to include in the e subnet maskss. In some casees, you may also need to com mbine
multiple
m networrks into a single larger netwoork through su upernetting.
Le
esson Objecctives
At the end of th
his lesson, you will be able to
o:
• Identify an appropriate su
ubnet mask fo
or a scenario.
• Describe su
upernetting.
How
H Bits Are
A Used in
n a Subnett Mask
In
n simple netwo orks, subnet masks are comp posed of
fo
our octets, and d each octet haas a value of 255 or 0.
If the octet is 25
55, that octet is
i part of the network
n
ID
D. If the octet is 0, that octet is part of the host ID.
In
n complex netw works, you cann convert the subnet
s
mask
m to binary, and evaluate each bit in the
e
ubnet mask. A subnet mask is composed of
su o
co
ontiguous 1s and
a 0s. The 1s start at the lefftmost
biit and continue uninterrupteed until the bitts
ch
hange to all 0ss.
Th
he mathematiccal process use
ed to compare
e an IP addresss and a subnett mask is called
d ANDing.
When
W you use more
m bits for the
t subnet mask, you can haave more subn nets, but fewer hosts on each h
su
ubnet. Using more
m bits than you need allows for subnet growth, but li mits growth foor hosts. Using
g fewer
biits than you ne
eed allows for growth in the
e number of hoosts you can h ave, but limitss growth in sub
bnets.
5-12 Implemennting IPv4
• Overcome lim ogies, such as eexceeding thee maximum number of hostss that
mitations of current technolo
each segment can have.
Calculating Subnet
S Addresses
Befo
ore you definee a subnet massk, estimate ho
ow
manny subnets andd hosts for eacch subnet you may
requ
uire. This enab
bles you to use
e the appropria
ate
num
mber of bits for the subnet mask.
m
You
u can calculate the number ofo subnet bits that
t
n
you need in the network.
n Use thhe formula 2 ,
whe
ere n is the num
mber of bits. The
T result is the
num
mber of subnetts that your neetwork requirees.
Nu
umber of bits (n) Num
mber of subnets (2n)
1 2
2 4
3 8
4 16
5 32
6 64
To determine
d ou can use thee lowest value bit in the subnet mask. For
the subnet addresses quickly, yo
exam
mple, if you ch
hoose to subne
et the network k 172.16.0.0 byy using 3 bits, this mean the
e subnet mask is
20410A: Installinng and Configuring W
Windows Server® 20012 5-13
2555.255.224.0. The
T decimal 22
24 is 11100000
0 in binary, an
nd the lowest b
bit has a value of 32, so that is the
in
ncrement betwween each subn
net address.
Th
he following ta
able shows exa
amples of calculating subnett addresses.
172.16.00000
0000.00000000
0 172.16.0.0
172.16.00100
0000.00000000
0 172.16.32.0
172.16.01000
0000.00000000
0 172.16.64.0
172.16.01100
0000.00000000
0 172.16.96.0
172.16.10000
0000.00000000
0 172.16.128.00
172.16.10100
0000.00000000
0 172.16.160.00
172.16.11000
0000.00000000
0 172.16.192.00
172.16.11100
0000.00000000
0 172.16.224.00
Calculating
C g Host Add
dresses
To
o determine host bits in the mask, determine the
re
equired numbe he supporting hosts
er of bits for th
n a subnet. Calculate the number of host bits
on b
re
equired by usinng the formula a 2n-2, where n is the
nu
umber of bits. This result mu ust be at least the
nu
umber of hostts that you nee ed for your nettwork,
an
nd is also the maximum
m nummber of hosts that
t you
ca
an configure on
o that subnet..
On
O each subnett, two host IDss are allocated
utomatically and cannot be used by comp
au puters.
An address with
h the host ID as
a all 0s represeents the
ne
etwork. An adddress with the host ID as all 1s is
he broadcast address for that network.
th
5-14 Implemennting IPv4
The following table shows how many hosts a class C netwo rk has availablle based on th
he number of h
host
bits.
Nu
umber of bits (n) Num
mber of hosts (2n-2)
1 0
2 2
3 6
4 14
5 30
6 62
You
u can calculate each subnet’ss range of hostt addresses byy using the foll owing processs:
Ne
etwork Host range
172.16.128.0/19
9 172.16.128.1
1 – 172.16.159..254
To create
c an apprropriate addressing scheme for your organ
nization, you m
must know howw many subne ets
you need, and how many hosts you need on each subnet. O Once you havee that information, you can
calcculate an appro
opriate subnett mask.
Disscussion: Creating
C a Subnettin
ng Schemee for a New
w Office
Read the following scenario and
d answer the
que
estions on the slide.
You
u also need to allocate a subnet for the serrver data centeer that will hold up to 100 se
ervers.
20410A: Installinng and Configuring W
Windows Server® 20012 5-15
What
W Is Sup
pernetting
g?
Su
upernetting co ombines multiple small netw works
in
nto a single large network. This may be
ppropriate when you have a small network
ap k that
haas grown and the address sp pace needs to be
exxpanded. For example,
e a bra
anch office thaat is
ussing the netwo ork 192.168.166.0/24 might exhaust
all of its IP addrresses and be allocated
a the
ad
dditional netw work 192.168.17.0/24. If the default
d
ubnet mask of 255.255.255.0
su 0 is used for th
hese
neetworks then youy must perfo orm routing between
th
hem. You can use u supernetting to combine e them
in
nto a single network.
To
o perform supernetting, the networks thatt you are combbining must bee contiguous. For example,
19
92.168.16.0/24
4 and 192.168..17.0/24 can be
b supernetted d, but you cann
not supernet 1
192.168.16.0/24 and
19
92.168.54.0/24
4.
Number of bits Nu
umber of netw
works combineed
1 2
2 4
3 8
4 16
6
Th
he following ta
able shows an example of su
upernetting tw
wo class C netw
works.
Network Range
192.168.0001
10000.0000000
00/24 192.1688.16.0-192.168
8.16.255
192.168.0001
10001.0000000
00/24 192.1688.17.0-192.168
8.17.255
192.168.0001
10000.0000000
00/23 192.1688.16.0-192.168
8.17.255
5-16 Implemennting IPv4
Lesson 4
Config
guring and
a Troublesho
ooting IIPv4
If IP
Pv4 is configureed incorrectly, then it affectss the availabili ty of services tthat are runnin
ng on a serverr. To
ensu ure the availabbility of network services, you need to und derstand how tto configure and troublesho oot
IPv44. Windows Server 2012 intro oduces the ability to configu ure IPv4 by usiing Windows P PowerShell. Th
his is
usefful for scripting
g.
The troubleshootiing tools in Windows Server 2012 are simiilar to previouss versions of W
Windows operaating
systems. Howeverr, you may nott be familiar with Network M
Monitor which can be used to o perform veryy
deta
ailed analysis of
o network commmunication.
Lessson Objectiives
At the end of this lesson, you will
w be able to:
• Configure a server
s so that it obtains an IP
Pv4 configurattion automaticcally.
• Use IPv4 trou
ubleshooting to
ools.
Co
onfiguring IPv4 Manually
You
u typically conffigure servers with
w a static IP P
add
dress. This is do
one to ensure that
t you know
w and
can document the e IP addresses that are used for
various services on your networrk. For example e, a
DNSS server is acce
essed at a speccific IP addresss that
should not change.
IPv4
4 configuration
n includes:
• IPv4 address
• Subnet mask
• Default gatew
way
• DNS servers
Stattic configuratio
on requires tha
at you visit eacch computer aand input the IIPv4 configuraation manuallyy. This
metthod of compu uter managem ment is reasona able for serverss, but it is veryy time consuming for client
com
mputers. Manually entering a static configu uration also in creases the rissk of configuraation mistakes..
You
u can configuree a static IP ad
ddress either in
n the propertiees of the netwo
ork connection n or by using tthe
netssh command-lline tool. For example,
e the fo
ollowing comm mand configurres the interfacce named Locaal
Areaa Connection with
w the staticc IP address 10 0.10.0.10, the s ubnet mask off 255.255.0.0, and a default
gateeway of 10.10..0.1.
Netsh interfac
ce ipv4 set address
a name=
="Local Area Connection" source=static
addr=10.10.0.1
10 mask=255.2
255.0.0 gatew
way=10.10.0.1
1
20410A: Installinng and Configuring W
Windows Server® 20012 5-17
Windows
W Server 2012 also has Windows PoowerShell® cmd dlets that you can use to maanage networkk
co
onfiguration. The
T following table
t describess some of the available Wind
dows PowerSh hell cmdlets th
hat are
avvailable for configuring IPv4
4.
Cmdlet Description
D off IPv4 configu
uration uses
Set-NetIPAd
ddress Modifies an exxisting IP addrress and sets th
he subnet
mask
Thhe following code is an exammple of the Wiindows Power Shell cmdlets tthat you can u use to configure the
in
nterface named d Local Area Connection
C 0.0.10, the subnet mask of
witth the static IP address 10.10
2555.255.0.0, and
d a default gatteway of 10.10
0.0.1.
Set-NetIPAddress –Interf
faceAlias “Lo
ocal Area Con
nnection” –IP
Pv4Address 10
0.10.0.10
PrefixLength 16
New-NetRoute
N –InterfaceA
Alias “Local Area Connect
tion” –Destin
nationPrefix 0.0.0.0/0
NextHop
N 10.10.0.1
Configuring
C g IPv4 Auttomatically
y
DHCP for IPv4 enables
e you to
o assign autommatic
IP
Pv4 configurations for large numbers of
coomputers with hout having to assign each one
in
ndividually. Thee DHCP servicee receives requ
uests
fo
or IPv4 configuuration from coomputers thatt you
coonfigure to obbtain an IPv4 address automa atically.
It also assigns additional IPv4 settings from scopes
hat you define for each of yo
th our network’s subnets.
s
Thhe DHCP service identifies thhe subnet fromm which
th
he request origginated and asssigns IP
coonfiguration frrom the releva
ant scope.
• Configure the
e scopes on the DHCP server carefully. If yyou make a mistake, it can afffect the entire
e
network and prevent comm munication.
If yo
ou use a laptop to connect to h network might
t multiple nettworks, such ass at work and at home, each
requuire a differentt IP configurattion. Windows operations syystem support the use of Auttomatic Private IP
Add dressing (APIPAA) or an altern ddress for this situation.
nate static IP ad
Wheen you configu ure Windows-based computters to obtain an IPv4 address from DHCP P, use the Alterrnate
nfiguration tab to control th
Con he behavior if a DHCP serve r is not availab
ble. By default,, Windows use
es
APIP
PA to assign ittself an IP addrress automaticcally from the 169.254.0.0 to
o 169.254.255.2255 address raange,
but with no defauult gateway or DNS server; th his enables lim
mited functionaality.
APIP
PA is useful for troubleshootting DHCP; if the
t computer has an address from the APIPA range, it iss an
indication that the
e computer caannot commun nicate with a D
DHCP server.
IPv
v4 Trouble
eshooting Tools
Mosst IPv4 connecctivity troublesshooting is
perfformed at a coommand-line. Windows Servver
2008 includes a number of com mmand-line toools
thatt help you diag
gnose network k problems.
IPC
Config
Ipco
onfig is a comm mand-line toool that displays the
currrent TCP/IP neetwork configuuration.
Addditionally, you can use the ip
pconfig comm mand
to refresh DHCP and
a DNS settin ngs.
Co
ommand Descriptio
on
ip
pconfig /all View deta
ailed configuraation informattion
ip
pconfig /relea
ase Release the leased conffiguration bacck to
the DHCP P server
ip
pconfig /renew Renew th
he leased confiiguration
ip
pconfig /displlaydns View the DNS resolver cache entries
ip
pconfig /flush
hdns Purge the
e DNS resolve cache
Pin
ng
Ping
g is a commannd-line tool tha
at verifies IP-le
evel connectiv ity to another TCP/IP compu uter. It sends ICMP
echo request messsages and dispplays the receiipt of correspo
onding echo reeply messagess. Ping is the
prim
mary TCP/IP co
ommand that youy use to troubleshoot con nnectivity; howwever, firewallss might block tthe
ICM
MP messages.
Tra
acert
Traccert is a comm
mand-line tool that identifies the path takeen to a destination computerr by sending a
serie
es of ICMP ech ho requests. Trracert then dissplays the list o n a source and a
of router interffaces between
desttination. This tool
t also deterrmines which router
r has faileed, and what t he latency (or speed) is. The
ese
20410A: Installing and Configuring Windows Server® 2012 5-19
results might not be accurate if the router is busy, because the ICMP packets are assigned a low priority
by the router.
Pathping
Pathping is a command-line tool that traces a route through the network in a manner similar to Tracert.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the network.
Pathping can provide greater detail, because it sends 100 packets for each router, which enables it to
establish trends.
Route
Route is a command-line tool that allows to view and modify the local routing table. You can use this to
verify the default gateway which is listed as the route 0.0.0.0. In Windows Server 2012 you can also use
PowerShell cmdlets to view and modify the routing table. The cmdlets for viewing and modifying the local
routing table include Get-NetRoute, New-NetRoute, and Remove-NetRoute.
Telnet
You can use the Telnet Client feature to verify whether a server port is listening. For example, the
command telnet 10.10.0.10 25 attempts to open a connection with the destination server, 10.10.0.10, on
port 25, SMTP. If the port is active and listening, it returns a message to the Telnet client.
Netstat
Netstat is a command-line tool that enables you to view network connections and statistics. For example,
the command netstat –ab returns all listening ports and the executable that is listening.
Resource Monitor
Resource Monitor is a graphical utility that allows you to monitor system resource utilization. You can use
Resource Monitor to view TCP and UDP ports that are in use. You can also verify which applications are
using specific ports and the amount of data they are transferring on those ports.
Network Diagnostics
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows Server networking problem, the Diagnose Connection Problems option helps you diagnose
and repair the problem. Windows Network Diagnostics returns a possible description of the problem and
a potential remedy. However, the solution might require manual intervention from the user.
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. When these events occur, the Windows operating system records the event in an appropriate event
log. You can use Event Viewer to read the event log. IP conflicts are listed in the System event log and
might prevent services from starting.
5-20 Implemennting IPv4
Som
me of the stepss that you can use to identifyy that cause off network com
mmunication p
problems are:
Question: Arre there any otther steps thatt you use to tro
oubleshoot neetwork connecctivity
problems?
20410A: Installinng and Configuring W
Windows Server® 20012 5-21
What
W Is Ne
etwork Mo
onitor?
Network Monito or is a packet analyzer that enables
e
yoou to capture and examine network
n packeets on
th
he network to which your co omputer is connnected.
Capturing packets is an advan nced troublesh hooting
te
echnique that helps you to id dentify unusua al
ne etwork problems and work towards
t a reso
olution.
Foor example, byy examining th he packets
trransmitted on a network you u may be able to see
errrors that are not
n reported by b an applicatioon.
Yo
ou can install Network
N Moniitor on either
en
ndpoint in thee communication process, orr on a
hird computer.. If you install Network Monitor on
th
a third compute er, then you must
m configure port mirroringg on the netwoork switches. EEnsure that you
co
onfigure port mirroring
m to coopy the netwoork packets thaat are destined
d for endpointts in the
co
ommunication n process, to thhe switch port where the com mputer with NNetwork Monittor is connecte ed.
Network Monito or can monito or the packets sent
s to other ccomputers, beecause it operaates in promisccuous
mode.
m
Using
U Netwo
ork Monitorr
Once
O you have captured netw work packets, you
y must be a ble to interpreet what you seee, and whethe
er the
beehavior is expe T help you, Network Monit or displays thee packets in a summarized liist in the
ected or not. To
Frrame Summaryy pane.
Th
he Frame Sum
mmary pane dissplays all captu
ured packets, aand provides tthe following iinformation:
• Protocol na
ame: the higheest-level protocol that Netwoork Monitor caan identify is listed. For exam
mple,
ARP, (ICMPP, TCP, SMB, an
nd others. Knoowing the highh-level protoco
ol enables you to pinpoint w which
services mig
ght be experie
encing or causing the probleem that you arre troubleshoo oting.
When
W you selecct a frame in th
he Frame Summary pane, th
he Frame Detaiils pane updattes with the coontents
off that particula
ar frame. You can
c step throu
ugh the frame’’s details, exam
mining the con
ntent of each e
element
ass you proceed.
Ea
ach layer in the network archhitecture—from the applicattion on down— —encapsulates its data in thhe
co
ontainer of thee layer below. In other words, an HTTP req
quest is encapssulated in an IPv4 packet, wh
hich in
tu
urn, is encapsu
ulated in an Eth
hernet frame.
When
W you have e gathered a laarge amount of
o data, it can b
be difficult to d
determine which frames are e
re
elevant to yourr specific prob
blem. You can use
u filtering too show only th hose frames of interest. For e
example,
yo
ou can select to
t show only DNS–related
D paackets.
5-22 Implementing IPv4
Demonstration Steps
• ipconfig /flushdns
2. Expand the Icmp portion of the packet to view that it is an Echo Request. This is a ping request.
3. Expand the Ipv4 portion of the packet to view the source and destination IP addresses.
4. Expand the Ethernet portion of the packet to view the source and destination MAC addresses.
2. Edit the filter to apply for DNS queries for LON-DC1.adatum.com, and apply the filter.
3. Verify that the packets have been filtered to show only packets that match the filter.
20410A: Installing and Configuring Windows Server® 2012 5-23
After a security review, your manager has asked you to calculate new subnets for the branch office to
support segmenting network traffic. You also need to troubleshoot a connectivity problem on a server in
the branch office.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 45 minutes
Logon Information
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
X Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?
2. How many bits are required to support 10 hosts on the server subnet?
3. How many bits are required to support 40 hosts on the future expansion subnet?
5. Which feature allows a single network to be divided into subnets of varying sizes?
6. How many host bits will you use for each subnet? Use the simplest allocation possible.
• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet
mask.
Binary Decimal
2. Given the number of host bits allocated, what is the subnet mask that you will use for the server
subnet?
• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet
mask
Binary Decimal
3. Given the number of host bits allocated, what is the subnet mask that you will use for the future
expansion subnet?
• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the
subnet mask
Binary Decimal
20410A: Installing and Configuring Windows Server® 2012 5-25
4. For the client subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the client subnet is the first subnet allocated from the available address pool.
Network ID
First host
Last host
Broadcast
5. For the server subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the server subnet is the second subnet allocated from the available address
pool.
Network ID
First host
Last host
Broadcast
6. For the future allocation subnet, define the network ID, first available host, last available host, and
broadcast address. Assume that the future allocation subnet is the third subnet allocated from the
available address pool.
Network ID
First host
Last host
Broadcast
Results: After completing this exercise, you will have identified the subnets required to meet the
requirements of the lab scenario.
2. Run the Break.ps1 script that is located in E:\Labfiles\Mod05. This script creates the problem that
you will troubleshoot and repair in the next task.
• IPConfig
• Ping
• Tracert
• Route
• Network Monitor
2. When you have repaired the problem, ping LON-DC1 from LON-SVR2 to confirm that the problem is
resolved.
Note: If you have additional time, run an additional break script from \\LON-
DC1\E$\Labfiles\Mod05 and troubleshoot that problem.
Results: After completing this lab, you will have resolved an IPv4 connectivity problem.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Question: You are working for an organization that provides web hosting services to other
organizations. You have a single /24 network from your ISP for the web hosts. You are almost out
of IPv4 addresses and have asked ISP for an additional range of addresses. Ideally, you would like
to supernet the existing network with the new network. Are there any specific requirements for
supernetting?
Question: You have installed a new web-based application that runs on a non-standard port
number. A colleague is testing access to the new web-based application, and indicates that he
cannot connect to it. What are the most likely causes of his problem?
Best Practices
When implementing IPv4, use the following best practices:
• Allow for growth when planning IPv4 subnets. This ensures that you do not need to change you IPv4
configuration scheme.
• Define purposes for specific address ranges and subnets. This allows you to easily identify hosts based
on their IP address and use firewalls to increase security.
• Use dynamic IPv4 addresses for clients. It is much easier to manage the IPv4 configuration for client
computers by using DHCP than with manual configuration.
• Use static IPv4 addresses for servers. When servers have a static IPv4 address, it is easier to identify
where services are located on the network.
IP conflicts
Tools
Tool Use for Where to find it
Network Capture and analyze network traffic Download from Microsoft web site
Monitor
Event Viewer View network related system events Tools in Server Manager
6-1
Module 6
Implementing DHCP
Contents:
Module Overview 6-1
Module Overview
Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server® 2012
infrastructure. It is the primary means of distributing important network configuration information to
network clients, and it provides configuration information to other network-enabled services, including
Windows Deployment Services (Windows DS) and network access protection (NAP). To support and
troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to
deploy, configure, and troubleshoot the DHCP server role.
Objectives
After completing this module, you will be able to:
Lesson 1
Installiing a DH
HCP Server Role
Usin
ng DHCP can help
h simplify client
c compute
er configuratio
on. This lesson describes the benefits of DH
HCP,
explains how the DHCP protoco ol works, and discusses
d how to control DHHCP in a Windo ows Server 20112
®
netw
work with Active Directory Domain Servicces (AD DS).
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe the benefits of usiing DHCP.
Benefits of Using
U DHC
CP
The DHCP protocol simplifies co onfiguration of
o
Inte
ernet Protocol (IP) clients in a network
environment. Without using DH HCP, each time e you
addd a client to a network,
n you have
h to configu
ure it
with
h information about
a the netwwork on which h you
installed it, including the IP add
dress, the netw
work’s
subnet mask, and the default ga ateway for acccess
to other
o networkss.
How
H DHCP
P Allocatess IP Addressses
DHCP allocates IP addresses on o a dynamic basis,
ottherwise knowwn as a lease. Although
A you can
c set
th
he lease duration to unlimite ed, you typically set
th
he duration forr not more tha an a few hourss or
daays. The defau
ult lease time foor wired clientts is
eiight days, and for wireless clients it is three
e days.
How
H DHCP
P Lease Generation Works
W
Yo ou use the fou
ur step DHCP lease-generatio on
process to assiggn an IP addresss to clients..
Understanding how each step p works helps youy
trroubleshoot prroblems when clients cannott obtain
ann IP address. The
T four steps are:
2. A DHCP Serve
er responds with a DHCPOFFER packet. Th
his packet conttains a potential address forr the
client..
3. The client recceives the DHC CPOFFER packe et. It might recceive packets ffrom multiple servers; in thaat
case, it usually selects the se
erver that mad
de the fastest rresponse to itss DHCPDISCOV VER. This typiccally is
the DHCP serrver closest to the client. Thee client then brroadcasts a DHHCPREQUEST that contains a
server identifier. This inform
ms the DHCP servers that recceive the broa dcast which se erver’s DHCPO OFFER
the client hass chosen to acccept.
4. The DHCP servers receive the DHCPREQU UEST. Those seervers that the client has nott accepted use e the
message as notification tha at the client de
eclines that serrver’s offer. The chosen serve er stores the IP
P
address clientt information in
i the DHCP database
d and r esponds with a DHCPACK m message. If for some
reason, the DHCP
D server cannot provide the
t address th hat was offered d in the initial DHCPOFFER, tthe
DHCP server sends a DHCP PNAK message e.
Ho
ow DHCP Lease
L Rene
ewal Work
ks
Whe en the DHCP lease reaches 50 5 percent of the
t
leasse time, the clie
ent attempts to
t renew the le ease.
Thiss is an automatic process tha at occurs in the
e
background. Com mputers might have the same e IP
adddress for a longg time if they operate
o continnually
on a network with hout being shu ut down.
To renew
r the IP address lease, the
t client
broaadcasts a DHC CPREQUEST me essage. The server
thatt leased the IP address originnally sends a
DHCCPACK messag ge back to the client; this
messsage containss any new para ameters that have
changed since the e original lease
e was created.
The DHCP role on n Windows Serrver 2012 supp ports a new feaature, DHCP S erver Failover protocol. Thiss
prottocol enables synchronizatio on of lease info
ormation betw ween DHCP serrvers and incre eases DHCP se ervice
avaiilability. If one DHCP server is not available
e, the other D HCP servers co
ontinues to service clients in
n the
sam
me subnet.
20410A: Installling and Configuringg Windows Server® 2012 6-5
What
W Is a DHCP
D Relay Agent
DHCP uses IP broadcasts to in nitiate
coommunication ns. Therefore, DHCP
D servers are
a
lim
mited to comm munication witthin their IP suubnet.
Thhis means thatt in many netw works, there is a DHCP
se here are a large
erver for each IP subnet. If th
nuumber of subn nets, it might be
b expensive to o
deeploy servers for
f every subnet. A single DH HCP
seerver might service collection ns of smaller subnets.
Foor the DHCP se erver to respond to a DHCP client
equest, it mustt be able to recceive DHCP requests.
re
Yoou can enable this by config guring a DHCP P relay
aggent on each subnet.
s A DHC CP relay agent is a
coomputer or router that listen ns for DHCP brroadcasts from
m DHCP clientss and then relaays them to DH
HCP
seervers in different subnets
DHCP
D Server Authoriization
DHCP allows a client
c compute er to acquire
co
onfiguration in nformation aboout the netwo ork in
which
w it starts. DHCP
D communication typica ally
occcurs before any authenticattion of the use er or
co
omputer; and because the DHCP D protocol is
baased on IP bro oadcasts, an incorrectly confiigured
DHCP server in a network can n provide invallid
in
nformation to clients.
c To avooid this, the serrver
must
m be authorized. DHCP au uthorization is the
process of regisstering the DHCP Server servvice in
th
he Active Direcctory domain to t support DHCP
clients.
Active
A Directtory Requirements
Yoou must autho orize the Windows Server 20 012 DHCP servver role in AD DDS before it caan begin leasin
ng
IP
P addresses. It is possible to have
h a single DHCP
D server p
providing IP ad
ddresses for subnets that conntain
multiple
m AD DS domains. The erprise Admin istrator accou nt must autho
erefore, an Ente orize the DHCP P server.
Sttandalone DHCP
D Serve
er Considera
ations
A standalone DHCP server is a computer th
hat is running W Windows Serveer 2012, that is not part of aan AD
DS domain, andd that has the DHCP server role installed a nd configured
d. If the standaalone DHCP seerver
6-6 Implementing DHCP
detects an authorized DHCP server in the domain, it does not lease IP addresses and shuts down
automatically.
Additional Reading:
For more information about DHCP Resources see:
http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409.
Lesson
n2
Configuring DHCP Scopes
S
Yoou must configgure the DHCP P scopes after you install thee DHCP role on a server. A D
DHCP scope is the
primary method d by which youu can configurre options for a group of IP addresses. A DDHCP scope is based
on e settings speccific to hardwaare or custom groups of clients. This lesson
n an IP subnett, and can have n
exxplains DHCP scopes,
s and ho
ow to manage e them.
Le
esson Objecctives
After completin y will be able to:
ng this lesson, you
• Describe th
he DHCP Class--Level Optionss.
• Explain how
w DHCP Optio
ons are applied
d.
• Create and configure a DHCP
D scope
What
W Are DHCP
D Scop
pes?
A DHCP scope is a range of IP P addresses thaat are
avvailable for lea
ase, and that are managed byb a
DHCP server. A DHCP scope typically
t is con
nfined
to
o the IP addressses in a given subnet.
To
o configure a scope,
s you mu
ust define the following
f prop
perties:
• Exclusions: This propertyy lists single ad ocks of addressses that fall within the IP address
ddresses or blo
range, but that
t will not be offered for lease.
o option 00
03 – Router (th
he default gate
eway for the s ubnet)
o option 00
06 – Domain Name
N System (DNS) Servers
o option 01
15 – DNS suffix
IPv
v6 scopes
You
u can configure e the IPv6 scop
pe options as a separate sco
ope, in the DHC Pv6 node. There are
CP console’s IP
seve
eral different options
o to moddify, and an en
nhanced lease mechanism.
Whe
en configuring
g a DHCPv6 sccope, you mustt define the fo
ollowing propeerties:
• Exclusions: This
T property lists single addresses or blockks of addressees that fall with
hin the IPv6 prrefix
b offered for lease.
but will not be
• Preferred life
e times: This property
p defin
nes how long leeased address es are valid.
Wh
hat Is a DH
HCP Reserv
vation?
It offten is desirable to provide network
n device
es—
suchh as network printers—with
p a predetermin
ned IP
adddress.
Con
nfiguring DHC
CP Reservatio
ons
To configure
c a resservation, you must know th he device’s nettwork interfacee media accesss control (MAC C)
adddress or physicaal address. This address indiccates to the D HCP server thaat the device sshould have a
rese
ervation. You can
c acquire a network
n interfa
ace’s MAC add dress by using the ipconfig//all command.
Typically, MAC adddresses for ne etwork printerss and other neetwork devicess are printed on the device. M Most
lapttop computerss also note thiss information on
o the bottom m of their chasssis.
The process for co
onfiguring a DHCP
D reservatio
on includes th
he following steeps:
What
W Are DHCP
D Optiions?
DHCP servers ca an configure more
m than just an IP
ad
ddress; they also provide information abou ut
ne
etwork resourcces, such as DN NS servers andd the
de
efault gatewayy. DHCP option ns are values for
co
ommon config guration data that
t applies to
o the
se
erver, scopes, reservations,
r and class options. You
ca
an apply DHCP he server, scope, user,
P options at th
an
nd vendor leve els. An option code identifies the
a most option codes com
DHCP options, and me from
th
he RFC documentation found d on the Internnet
En
ngineering Tassk Force (IETF) website.
Common
C DH
HCP Optionss
Th
he following ta
able lists the common option codes that W
Windows-baseed DHCP clientts request.
Option
O
Name
code
c
1 Subnet massk
3 Router
6 DNS serverss
47 NetBIOS sco
ope ID
51 Lease time
58 Renewal (T1
1) time value
59 Rebinding (T2)
( time value
e
31 Perform rou
uter discovery
33 Static route
43 Vendor-spe
ecific information
Ho
ow Are DH
HCP Option
ns Applied
d?
DHC CP applies opttions to client computers
c in the
t
follo
owing order:
If th
he DHCP optio on settings that are applied at
a each level co he options that are applied last
onflict, then th
override previously applied setttings. For exammple, if the deffault gateway is configured aat the scope le evel,
and a different deefault gatewayy is applied for a reserved clieent, then the rreserved clientt setting becom
mes
the effective settin
ng.
Youu can also conffigure addresss assignment policies at thee server level o or scope level.. Address
assignment policyy contains a se et of conditions that you def ine in order to
o lease differen
nt DHCP IP
adddresses and setttings to differe
ent types of DHCP
D clients, su
uch as computters, laptops, n
network printe
ers, or
IP phones.
p The co
onditions defined in these po olicies include multiple criterria, such as MA
AC address or
vendor informatio on, in order to differentiate various
v types oof clients.
De
emonstration: Creating and Co
onfiguring a DHCP SScope
Youu can create scopes using either the Microssoft Managem ment Console (MMC) for the DHCP server rrole,
or the Netsh netwwork configuraation comman nd-line tool. Thhe Netsh comm mand-line tool allows you too
mannage scopes reemotely if the DHCP server is running on a Server Core iinstallation of Windows Servver
2012. The Netsh command-line e tool is also useful for scriptting and autom
mating server provisioning.
Dem
monstration
n Steps
3. Authorize the
e lon-svr1.ada
atum.com server in AD DS.
20410A: Installing and Configuring Windows Server® 2012 6-11
o Length: 16
o Exclusions: 172.16.0.190-172.16.0.200
3. Use default settings for all other pages, and then activate the scope.
6-12 Implemennting DHCP
Lesson 3
Manag
ging a DHCP
D Database
D e
The DHCP databa ase stores inforrmation aboutt the IP addresss leases. If theere is a problem
m, it is importaant
thatt you understa
and how to bacck up the dataabase and reso olve database issues. This lessson explains h how to
mannage the databbase and its daata.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe the DHCP databasse.
• Explain how to
t back up and
d restore a DH
HCP database.
• Explain how to
t reconcile a DHCP databasse.
• Explain how to
t move a DHC
CP database.
Wh
hat Is a DH
HCP Datab
base?
The DHCP databa ase is a dynamic database
containing data th hat relates to scopes,
s addresss
leasses, and reservations. The database also
contains the data file that stores both the DHCP
configuration info ormation and the
t lease data for
cliennts that have leased an IP adddress from the
DHC CP server. By default,
d the DH
HCP database files
f
are stored in the %systemroot%
% %\System32\Dh hcp
fold
der.
DH
HCP Service Database Files
The following table describes so
ome of the DH
HCP
servvice database files.
f
Fille Descriptiion
Dhcp.mdb
D Dhcp.md
db is the DHCP
P server datab
base file.
Dhcp.tmp
D Dhcp.tm
mp is a tempora
ary file that th e DHCP datab
base uses as a swap file durin
ng
database
e index mainte
enance operattions. Followingg a system faillure, Dhcp.tmp
p
sometim
mes remains in the Systemrooot\System32\D Dhcp directoryy.
J5
50.log and J50.log and
a J50##### #.log are logs o
of all database transactions. The DHCP
J5
50#####.log databasee uses this log to recover da ta when necesssary.
J5
50.chk This is a checkpoint file
e.
Th
he DHCP serveer database is dynamic. It up
pdates as DHC P clients are assigned, or as they release their
TC t DHCP dataabase is not a distributed daatabase like the
CP/IP configurration parametters. Because the e
Windows
W net Name Servvice (WINS) serrver database, maintaining the DHCP serve
Intern er database is less
co
omplex.
HK
KEY_LOCAL_MAC
CHINE\SYSTEM\
\CurrentControlSet\Servi ces\DHCPServ
ver\Parameter
rs
Yo
ou can also ba
ack up a DHCP
P database manually at any ttime.
Backing
B Up
p and Restoring a DH
HCP Datab
base
Yo
ou can back up a DHCP data abase manuallly, or
yo ure it to backup automatically. An
ou can configu
au
utomatic backkup is called a synchronous
s backup.
b
A manual backu up is called an asynchronouss
ba
ackup.
Automatic
A (S
Synchronou
us) Backup
Thhe default bacckup path for the
t DHCP back k is
syystemroot\Systtem32\Dhcp\B Backup. As a best
an modify this path in the server
practice, you ca
properties to pooint to another volume.
Manual
M (Asy
ynchronous)) Backup
If you have an immediate nee ed to create a backup, you ccan run the maanual backup o option in the D
DHCP
coonsole. This acction requires either
e administrative-level p ermissions, or that the user account be a member
off the DHCP ad dministrators group.
g
What
W Is Back
ked Up?
When
W a synchro
onous or asyncchronous back
kup occurs, thee entire DHCP database is saaved, including
g the
fo
ollowing:
• All scopes
• Reservation
ns
• Leases
HKEY_LOCA
AL_MACHINE\SY
YSTEM\CurrentControlSet\
\Services\DHC
CPServer\Para
ameters
Resstoring a Da
atabase
If yo
ou need to restore the datab base, use the Restore
R functio
on in the DHCPP server conso
ole. You will be
e
prompted for the backup’s loca ation. Once you have selecteed the location
n, DHCP servicee stops, and th
he
dataabase is restorred. To restore the database,, the user acco
ount must either have adminnistrative-level
permmissions, or bee a member off the DHCP administrators g roup.
Bacckup Security
Wheen the DHCP database
d file iss backed up, itt should be in a protected lo
ocation that on
nly the DHCP
adm
ministrators can
n access. This ensures
e that any network infformation in t he backup filees remains
prottected.
Usiing Netsh
You
u also can use commands
c in the Netsh DHC CP context to back up the d
database; this is useful for baacking
up the
t database tot a remote loccation using a script file.
expo
ort "c:\My Folder\Dhcp Configuration
C n" all
To restore
r the DH
HCP database, use the follow
wing command
d:
impo
ort "c:\My Folder\Dhcp Configuration
C n" all
• Detailed IP ad
ddress lease in
nformation, wh
hich
the DHCP dattabase stores
• Summary IP address
a lease information, which
w
the server’s Registry stores
Wheen you are recconciling scope
es, the detail and
a
sum
mmary entries are
a compared to find
inco
onsistencies.
To correct
c and rep
pair these inco
onsistencies, yo
ou must reconncile any scopee inconsistencies. After you sselect
and reconcile scope inconsisten ncies, the DHCP service eitheer restores those IP addresse es to the originnal
ownner, or creates a temporary reservation
r forr those addressses. These reseervations are vvalid for the leaase
time
e that is assign
ned to the scoppe. When the lease time exp pires, the addreesses are then recovered forr
futu
ure use.
20410A: Installinng and Configuring Windows Server® 20012 6-15
Moving
M a DHCP
D Data
abase
In
n the event tha
at you must move the DHCP P server
ole to another server, it is alsso advisable th
ro hat you
move
m the DHCP P database to the t same serve er. This
en ent leases are retained, and reduces
nsures that clie
th
he likelihood of
o client-config guration issuess.
Yo
ou move the database
d initially by backing it up
n to the old DHCP server. Th
on hen, shut down n the
DHCP service on the old DHC CP server. Nextt, copy
th
he DHCP datab base to the new server, wherre you
ca
an restore it ussing the norma al database restore
procedure.
6-16 Implemennting DHCP
Lesson 4
Securin
ng and Monito
oring DHCP
DHCCP protocol ha as no built-in method
m for au
uthenticating u
users. This meaans that if you do not take
preccautions, IP lea
ases could be granted to devvices and userrs who are unaauthorized.
DHCCP is a core service in many organization’ss network enviironments. If the DHCP serviice is not workking
properly, or if there is a situation that is causin
ng problems w with the DHCP P server, it is im
mportant that yyou
can identify the problem and de etermine pote ential causes to
o resolve the p
problem.
Thiss lesson explain
ns how to prevvent unauthorrized users from
m obtaining a lease, how to manage rogu
ue
DHC CP servers, andd how to confiigure DHCP se
ervers so that a specific grou
up can manage e them.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Explain how to
t prevent an unauthorized computer from
m obtaining a lease.
• Explain how to
t restrict unau
uthorized, non
n–Microsoft DH
HCP servers fro
om leasing IP addresses.
• Explain how to
t delegate ad
dministration of
o the DHCP seerver role.
• Describe DHC
CP statistics.
• Describe DHC
CP audit loggin
ng.
• Identify comm
mon issues tha
at are possible with DHCP.
Pre
eventing an
a Unautho
orized Com
mputer fro
om Obtain
ning a Leasse
DHC CP by itself can
n be difficult to secure—it iss
desiigned to work before the ne ecessary
info
ormation is in place
p for a clieent computer to t
authhenticate with a domain con ntroller. This is why
you should take precautions
p to prevent
unauthorized com mputers from obtaining
o a lea
ase
with
h DHCP.
• Enabling aud dit logging on n all DHCP seervers: This can n provide an hhistorical view of activity, in
addition to alllowing you to
o trace when an unauthorizeed user obtaineed an IP addre ess in the netw work.
Make sure to schedule time e at regular inttervals to revieew the audit lo
ogs.
• Implementting NAP: NA AP allows administrators to vvalidate that a client computter is complian nt with
system health requirements, such as running all the l atest Window ws operating syystem updates or
running an up-to-date an ntivirus client. If users who d
do not meet seecurity requirements try to aaccess
the network, they receive
e an IP addresss configuration n to access a reemediation neetwork where tthey can
receive the necessary upddates. The adm ministrator cann restrict access to the netwo
ork by allowing
g only
healthy commputers accesss to the internal local area n etwork (LAN).
Restricting
R Unauthorrized, Non–Microsofft DHCP Se
ervers from
m Leasing IP
Addresses
A
Many
M devices and network op perating systemms have
multiple
m DHCP server implem mentations. Nettworks
arre almost neve er homogeneo ous in nature;
th
herefore, it is possible
p that att some point a DHCP
se
erver that doess not check for Active Directtory–
uthenticated servers will be enabled
au e on the
neetwork. In this case, clients might
m obtain in
ncorrect
co
onfiguration data.
o eliminate an unauthorized
To d DHCP server, you
must
m first locate
e it, and then prevent
p it from
m
co
ommunicating g on the netwo ork by disabling it
physically, or byy disabling the
e DHCP service e.
Yo e DHCP Serverr Locator utilityy (Dhcploc.exee) to locate thee DHCP servers that are activve on a
ou can use the
su
ubnet.
Delegating
D DHCP Ad
dministration
En
nsure that onlyy authorized persons
p can
ad
dminister the DHCP
D server ro
ole. You can do this
byy performing either
e of the fo
ollowing tasks::
Permissions
P Required to
o Authorize
e and Admin
nister DHCP
P
Authorization of
o a DHCP servvice is only available to Enterrprise administtrators. If the n
need exists forr a
do
own-level admministrator to authorize
a the domain,
d use Acctive Directoryy delegation.
6-18 Implemennting DHCP
• DHCP Admin
nistrators. Any user in the DHCP
D Adminisstrators group can manage tthe server’s DH
HCP
service.
• he DHCP Users group can haave read-only access to the DHCP console
DHCP Users.. Any user in th e.
Wh
hat Are DH
HCP Statisttics?
DHC CP statistics prrovide informaation about DH HCP
activvity and use. You
Y can use this console to
deteermine quicklyy whether therre is a problem m with
the DHCP service or with the ne etwork’s DHCP P
clien
nts. An example in which sta atistics might be
b
usefful is if the adm
ministrator nottices an excesssive
amo ount of negative acknowledg gement (NAK))
packets, which miight indicate th hat the server is not
provviding the correct data to clients.
DH
HCP Server Statistics
S
DHC a overview of DHCP server usage. You can use this dataa to understan
CP server statisstics provide an nd
quicckly the state of
o the DHCP se erver. Information such as n umber of offeers, number of requests, total in-
use addresses, and d total availabble addresses can
c help to pro ovide a picturee of the server’’s health.
DH
HCP Scope Statistics
S
DHC CP scope statisstics provide much
m fewer details—such as total addressees in the scope e, how many
adddresses are in use,
u and how many m addresse es are availablee. If you noticee that there are
e a low numbe er of
adddresses available in the server statistics, it might
m be that oonly one scopee is near its deepletion point. By
ng scope statistics, an administrator can qu
usin uickly determin ne the status o of the particulaar scope with
resp
pect to the adddresses availabble.
Wh
hat Is DHC
CP Audit Lo
ogging?
The DHCP audit lo og provides a traceable log of
DHC CP server activvity. You can use this log to track
t
leasse requests, gra
ants, and denials. This
info
ormation allow ws you to troub bleshoot DHCP P
servver performancce. The log filees are stored inn the
%syystemroot%\system32\dhcp folder by default.
Youu can configure e the log file se
ettings in the
servver’s Propertiees window.
Field Description
ID A DHCP se
erver event ID code.
Common
C Eve
ent ID Code
es
Common eventt ID codes inclu
ude:
• ID,Date,Tim
me,Description,,IP Address,Ho
ost Name,MAC
C Address
• 00,06/22/99,22:35:10,Started,,,,
• 99,22:35:10,Authorization faiilure, stopped servicing,,dom
56, 06/22/9 main1.local,,
• 55, 06/22/9
99,22:45:38,Authorized(serviccing),,domain11.local
Discussion:
D Common
n DHCP Issues
Th
he following ta
able describes some commo on
DHCP issues. En
nter the possib
ble solutions in
n the
So
olution columnn, and then disscuss them witth the
class.
6-20 Implementing DHCP
You have recently accepted a promotion to the server support team. One of your first assignments is to
configure the infrastructure service for a new branch office. As part of this assignment, you need to
configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are
configured with static IP addresses and do not use DHCP.
Objectives
After performing this lab you will be able to:
Lab Setup
Estimated Time: 75 minutes
Logon Information
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
6. For the optional Exercise 2, you should repeat steps 2 to 4 for 20410A-LON-RTR, 20410A-LON-
SVR2, and 20410A-LON-CL2.
One of the client computers in the branch office needs to access an accounting application in the head
office. The network team uses firewalls based on IP addresses to restrict access to this application. The
network team has requested that you assign a static IP address to this client computer. Rather than
configuring a static IP address on the client computer manually, you decide to create a reservation in
DHCP for the client computer.
4. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and
then click New Scope.
5. Create a new scope with the following properties:
o Length: 16
o Exclusions: 172.16.0.190-172.16.0.200
X Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to LON-CL1.
20410A: Installing and Configuring Windows Server® 2012 6-23
3. Open a command prompt, and initiate the DHCP process using the ipconfig /renew command.
4. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by
typing in the command prompt: ipconfig /all.
This command will return information, such as IP address, subnet mask and DHCP enabled status, which
should be Yes
2. In a command prompt, type ipconfig/all to display the physical address of the network adapter.
3. Switch to LON-SVR1.
5. In the DHCP console, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, expand
Branch Office scope, right-click Reservations, and then click New Reservation.
6. Create a new reservation for LON-CL1 using the physical address of the LON-CL1 network adapter,
and the IP address 172.16.0.55.
7. On LON-CL1, use the ipconfig command to renew and then verify the IP address.
Results: After completing these tasks, you will have implemented DHCP, configured DHCP scope and
options, and configured a DHCP reservation
3. Use the following steps to add the DHCP Relay agent to the router:
6-24 Implementing DHCP
o In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.
o In the Routing protocols list, click DHCP Relay Agent and then click OK.
o In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
o In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and
then click OK.
o In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.
o Right-click DHCP Relay Agent and then click Properties.
o In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21,
click Add, and then click OK.
Note: In order to test how a client receives an IP address from DHCP Relay in another
subnet, we need to create another DHCP scope.
1. Switch to LON-SVR1.
3. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and
then click New Scope.
o Length: 16
o Exclusions: 10.10.0.190-10.10.0.200
o Configure options Router 10.10.0.1 and other setting use default values
7. Open the Network and Sharing Center window and configure Local Area Connection, Internet
Protocol Version 4 (TCP/IPv4) properties with following settings:
ipconfig /renew
10. Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope
installed on LON-SVR1.
Results: After completing these tasks, you will have implemented DHCP relay agent.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Question: Your organization has grown, and your IPv4 scope is almost out of addresses. What
should you do?
Question: Can you configure option 003 – Router as a Server-level DHCP scope option?
Best Practices
• Spend time designing your IP addressing scheme so that it will accommodate both your current and
IT infrastructure and any potential future IT infrastructure needs.
• Determine which devices need DHCP reservations, such as network printers, network scanners, or IP
based cameras.
• Configure the DHCP database on highly available disk drive configurations, such as redundant array
of independent disks (RAID)–5 or RAID–1, to provide DHCP service availability in case of single disk
failure.
• Back up the DHCP database regularly, and test the restore procedure in isolated, non-production
environment.
• Monitor the system utilization of DHCP servers, and upgrade the hardware of DHCP server if needed,
in order to provide better service performance.
Tools
Tool Use for Where to find it
Regedit.exe Editing and fine-tuning settings, including those for Windows interface or
the DHCP server role Command line
Network Monitor Capture and analyze DHCP traffic on a subnet Download from the
Microsoft website
7-1
Module 7
Implementing DNS
Contents:
Module Overview 7-1
Module Overview
Name resolution, one of the most important concepts of every network infrastructure, is the process of
software translating between names that users can read and understand, and numerical IP addresses,
which are necessary for TCP/IP communications. Client computers use the name resolution process when
locating hosts on the Internet, and when locating other hosts and services in an internal network. Doman
Name System (DNS) is one of the most common technologies for name resolution. Active Directory®
Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some
basic name resolution concepts as well as installing and configuring DNS service and its components.
Objectives
After completing this module, you will be able to:
• Describe name resolution for Windows® operating system clients and Windows Server® servers
Lesson 1
Name Resoluttion forr Windo
ows Clie
ents and
d Servers
You
u can configuree a computer to
t communica ate over a netwwork by using a name in place of an IP adddress.
The computer use es name resolu
ution to find ann IP address th
hat correspond
ds to a name, such as a hostt
nam o computer n ames, the metthods used to resolve them, and
me. This lesson focuses on different types of
how
w to troubleshooot problems with
w name ressolution.
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
• Describe com
mputer names.
• Describe DNS
S.
• Describe DNS
S zones and re
ecords.
• Describe how
w Internet DNS
S names are resolved.
• Describe Link
k Local Multica
ast Name Reso
olution.
• Describe how
w a client resolvves a name.
Wh
hat Are Co
omputer Names?
N
The TCP/IP set of protocols iden ntifies source and
a
desttination computers by their IP addresses.
Howwever, computter users are much
m better at using
and remembering g names than numbers.
n Because
of this, administra
ators usually asssign names to o
commputers. Admin nistrators then
n link these nam mes
to computer
c IP ad
ddresses in a name
n resolution
system such as DN NS. These nam mes are in eithe er
hostt name formatt (which is recoognized by DN NS) or
in NetBIOS
N name format (which h is recognizedd by
Winndows Internett Name Service e (WINS)).
Name Type
The type of name e (host name or
o NetBIOS nam me) that an ap pplication uses is determinedd by the appliccation
developer. If the application
a devveloper design
ns an applicatiion to request network services through
Winndows sockets,, then host nam mes are used. If, on the otheer hand, the ap
pplication deve
eloper designss an
appplication to req
quest services through
t NetBIOS, a NetBIOSS name is used d. Most current applications,
including Internett applications, use Windows sockets—and thus use hostt names—to acccess network
servvices. NetBIOS is used by maany earlier Win
ndows operatin ng system app plications.
Host
H Names
A host name is a user-friendlyy name that is associated witth a computerr’s IP address tto identify it ass a
TC
CP/IP host. Thee host name can be up to 25 55 characters llong, and can contain alphabetic and num meric
ch
haracters, perio
ods, and hyphens.
Yoou can use host names in va arious forms. The two most ccommon forms are as an aliaas, and as a fully
quualified domaiin name (FQDN). An alias is a single namee associated wiith an IP addre
ess, such as payyroll.
Yoou can combin ne an alias with a domain naame to create an FQDN. An FQDN is structured for use o on the
nternet, and includes periodss as separatorss. An example of an FQDN iss payroll.conto
In oso.com.
NetBIOS
N Nam
mes
A NetBIOS nam me is a 16-charaacter name that identifies a NetBIOS resou urce on the neetwork. A NetBBIOS
naame can repreesent a single computer
c or a group of commputers. The firrst 15 characteers are used fo
or the
naame; the final character iden
ntifies the reso
ource or servicee that is being
g referred to on
n the compute er. The
155-character na
ame may include the computer name, the domain namee, and the nam me of the user who is
ogged on. The sixteenth charracter is a 1-byyte hexadecim
lo mal identifier.
Th
he NetBIOS na amespace is fla
at, meaning th
hat names can be used only o once within a network. You cannot
orrganize NetBIO
OS names intoo a hierarchical structure, as yyou can with FFQDNs.
What
W Is DN
NS?
DNS is a service
e that uses a diistributed data
abase to
re
esolve FQDNs and other hosst names to IP
ad
ddresses. All Windows
W server operating sysstems
in
nclude a DNS service.
s
When
W you use DNS,
D users on your network can
ocate network resources by typing
lo t in user--friendly
naames (for exam mple, microsofft.com), which the
omputer then resolves to an IP address. Th
co he
beenefit is that IP
Pv4 addresses may be difficu ult to
re
emember (for example,
e 131.1107.0.32), whille a
doomain name tyypically is easier to remember. In
ad
ddition, you ca an use host names that do not
n
ch
hange while th he underlying IP addresses can be changed
d to suit your organizational needs.
DNS uses a data abase of name es and IP addreesses to provid oftware performs
de this service.. DNS client so
quueries on and updates to the e DNS databasse. For examplle, within an o organization, a user who is trrying to
lo
ocate a print se
erver can use the
t DNS name ontoso.com, aand the DNS cllient software will
e printserver.co
re
esolve the namme to a printer’s IP address, such
s as 172.166.23.55. Even iff the printer’s IIP address changes,
th
he user-friendly name can re emain the same.
Originally,
O one file
f on the Inte ernet containe domain namess and their corresponding IP
ed a list of all d
ad
ddresses. This list quickly beccame too longg to manage a nd distribute. DNS was deve eloped to solve
e the
problems associated with usin ng a single inte
ernet file. With n of IPv6, DNS becomes even more
h the adoption
im
mportant, becaause IPv6 addrresses are more e complex thaan IPv4 addresses (for examp ple,
20
001:db8:4136:e38c:384f:3764 4:b59c:3d97).
7-4 Implementing DNS
DNS S groups information about network resou urces into a hieerarchical structure of domaains. The
hierrarchical structture of domain ed tree structu re beginning w
ns is an inverte with a root do
omain at its apex,
and descending in nto separate branches
b with common
c level s of parent doomains, and de escending
dowwnward even further into ind dividual child domains.
d The rrepresentation n of the entire hierarchical do
omain
structure is known n as a DNS nammespace.
In addition to reso
olving host names to IP addresses, DNS caan be used to:
• Locate domain controllers and
a global cattalog servers. TThis is used wh
hen logging on
n to AD DS.
• Resolve IP addresses to hosst names. This is useful when ntains only the IP address of a
n a log file con
host.
• Locate mail se
erver for email delivery. Thiss is used for th
he delivery of aall Internet em
mail.
DN
NS Zones and
a Record
ds
A DNS zone is a specific portionn of DNS
nammespace that contains
c DNS records.
r A DNSS
zone is hosted onn a DNS server that is responnsible
for responding too queries for re
ecords in a spe
ecific
dommain. For exammple, the DNS server that is
ponsible for resolving www.ccontoso.com to
resp o an
IP address would contain the co ontoso.com zo one.
Zon
ne content can be stored in a file or in the
AD DS database. WhenW the DNS S server storess the
zone in a file, thatt file is located
d in a local fold
der on
the server. When the zone is no ot stored in ADD DS,
onlyy one copy of the zone can be b writable copy,
while all others arre read-only.
Forrward Looku
up Zones
Forw
ward lookup zones resolve hosth names to IP addresses, aand hosts com mmon resource e records inclu
uding
NAME), service (SRV), mail exchange (MX), start of authority (SOA), and
hostt (A), alias (CN d name server (NS)
ource records. Although forw
reso ward lookup zones
z are capaable of hosting g a number of different record
type
es, the most co ommon record d type is the hoost (A) record.. This record iss used when re
esolving a hostt
namme to an IP add dress.
Rev
verse Looku
up Zones
Reverse lookup zoones resolve IP
P addresses to domain namees. A reverse zo one functions in the same
man ard zone, but the IP addresss is the part of the query whiile the host naame is the retu
nner as a forwa urned
20410A: Installling and Configuringg Windows Server® 2012 7-5
in
nformation. Reverse lookup zones
z host SOAA, NS, and poiinter (PTR) resource records. Reverse zone
es are
noot always conffigured, but yo
ou should conffigure them to
o reduce warniing and error mmessages.
Many
M standard Internet protoocols rely on re
everse zone loookup data to vvalidate forwaard zone inform
mation.
Fo
or example, if the forward lo
ookup indicatees that training
g.contoso.com is resolved to 192.168.2.45, you
ca
an use a reversse lookup to co
onfirm that 19 h training.conttoso.com.
92.168.2.45 is aassociated with
Many
M email servvers use a reveerse lookup as one way of reeducing spam.. By performing a reverse loo
okup,
mail servers tryy to detect open Simple Mail Transfer Prottocol (SMTP) sservers (open rrelays).
em
Having a reverse zone is impo ortant if you have applicatioons that rely onn looking up h hosts by their IP
adddresses. Manyy applications record this infformation in s ecurity or eve nt logs. If you see suspiciouss activity
from a particula
ar IP address, you
y can look up u the host nam me using the reverse zone information.
Resource
R Reccords
Th
he DNS zone file
f stores resource records. Resource
R reco rds specify a reesource type, and the IP add dress to
lo
ocate the resouurce. The mostt common resoource record iss an A resourcce record. This is a simple reccord
th
hat resolves a host
h name to an
a IP address. The host can bbe a workstation, server, or aanother netwo ork
deevice, such as a router.
Re
esource record ds also can con ntain custom attributes.
a MX records, for in
nstance, have a preference attribute,
which
w is useful if
i an organizattion has multip ple mail serverrs. The MX rec ord tells the se
ending server which
mail
m server the receiving orga anization prefe
ers. SRV record
ds also contain
n information rregarding on w which
po
ort the servicee is listening, an
nd the protocool that you sho ommunicate with the service.
ould use to co
How
H Intern
net DNS Names Are Resolved
When
W resolving
g DNS names on o the Internett, an
enntire system off computers is used rather thhan just
a single server. There are hundreds of serve ers on
th
he Internet, callled root serverrs, which mana
age the
ovverall practice of DNS resoluution. These se
ervers
arre representedd by 13 FQDNss; a list of these
e 13
se
ervers are prelooaded on each h DNS server. When
W
yo
ou register a domain
d name ono the Interneet, you
arre paying to become part off this system.
• Caching. Afte
er a local DNS server resolve
es a DNS namee, it caches thee results for ap
pproximately 2
24
hours. Subseq
quent resolutio
on requests for the DNS nam
me are given th he cached info ormation.
• Forwarding. A DNS server can be configured to forwa rd DNS requessts to another DNS server in nstead
of querying root servers. Foor example, reqquests for all I nternet namess can be forwaarded to a DNSS
server at an In
nternet service
e provider (ISP
P).
Wh
hat Is Link-Local Mu
ulticast Nam
me Resolu
ution?
In Windows
W Serve er 2012, a new method for
reso
olving names to t IP addressess is Link-local
Mullticast Name Resolution
R (LLM
MNR). Because e of
various limitationss (which are be eyond the scope of
this lesson) it is ussually used only on localized d
netwworks. Althoug gh LLMNR is able to resolve IPv4
adddresses, it has been
b designedd specifically fo
or
IPv6
6; so if you want to use it, yo ou must have IPv6
supported and en nabled on yourr hosts.
LLM
MNR is commo
only used in ne
etworks where::
• Implementatiion of these se
ervices is not practical
p for an
ny reason.
LLMMNR is supportted on Window ws Vista®, Windows Server 22008 and all neewer Windowss operating sysstems.
It usses a simple syystem of reque
est and reply messages
m to reesolve computeer names to IP
Pv6 or IPv4
adddresses.
To use
u LLMNR, yo ou need to turn on the Netw work Discoveryy feature for all nodes on the
e local subnet. This
featture is available in the Netwo ork and Sharin
ng Center. Be aaware that Nettwork Discoveery is usually
disa
abled for any network
n that you designate as
a Public.
If yo
ou want to con
ntrol the use of
o LLMNR on youry gure it via Group Policy. To
network, yyou can config
disaable LLMNR via
a Group Policyy, set the follow
wing Group Po olicy value:
How
H a Client Resolve
es a Name
Windows
W opera
ating systems support
s a nummber of
diifferent metho
ods for resolvin
ng computer names,
n
su
uch as DNS, WINS,
W and the host
h name reso olution
process. DNS is the Microsoft standard for
re
esolving host names
n to IP Ad
ddresses and iss
de
escribed in detail in the seco
ond topic of th
his
Le
esson, What is DNS.
WINS
W
WINS
W provides a centralized database
d for
re
egistering dynaamic mapping gs of a networkk’s
NetBIOS namess. Support is reetained for WINNS to
provide backwa ard compatibility.
Yo
ou can resolve
e NetBIOS nam
mes by using:
• Broadcast messages. Broadcast messa ages, however,, do not work well on large networks becaause
routers do not propagate
e broadcasts.
• Lmhosts file on all computers. Using an Lmhosts fi le for NetBIOSS name resoluttion is a high
maintenancce solution, be
ecause you mu he file manuall y on all computers.
ust maintain th
Note: Thee DNS server role in Window ws Server 20088 R2 and Windows Server 2012 also
provides a new zone type, the
e GlobalName es zone, which you can use too contain sing
gle-label
na
ames that are unique across an entire foreest. This elimin
nates the need to use the Ne
etBIOS-based
WINS
W to provide support for single-label naames.
Host
H Name Resolution
R Process
P
When
W an appliccation specifiess a host name and uses Winddows sockets, TCP/IP uses th he DNS resolve er cache
annd DNS when attempting to o resolve the host name. Thee hosts file is lo
oaded into the
e DNS resolverr cache.
If NetBIOS overr TCP/IP is enabled, TCP/IP also uses NetBIIOS name reso olution methodds when resolvving
hoost names.
Windows
W opera
ating systems resolve
r host na
ames by:
6.. Broadcastin
ng as many as three NetBIOS
S name query request messaages on the su
ubnet that is directly
attached.
Tro
oubleshoo
oting Name Resolution
Like
e most of other technologiess, name resolution
som
metimes requires troubleshoo oting. Issues caan
occuur when the DNS
D server—an nd its zones annd
reso
ource records——are not confiigured properly.
Whe en resource re
ecords are caussing issues, it can
c
som
metimes be mo ore difficult to identify the isssue
because configura ation problems are not always
obvvious.
Too
ols and Com
mmands
The command-lin ne tools and co
ommands thatt you
use to troubleshoot these and other
o configuration
issues are as follow
ws:
• Nslookup: Use this tool to query DNS infformation. Thee tool is flexiblle and can pro ovide a lot of
valuable inforrmation aboutt DNS server sttatus. You also
o can use it to look up resource records an nd
n. Additionally, you can test zzone transfers,, security optio
validate their configuration ons, and MX reecord
resolution.
• IPconfig: Use e this commannd to view and d modify IP connfiguration deetails that the ccomputer usess. This
tool includes additional commmand-line options that yo ou can use to t roubleshoot and support DN NS
clients. You can view the cliient local DNS cache using tthe command ipconfig/disp playdns, and yyou
can clear the local cache ussing ipconfig//flushdns. If yoou want to re--register a hosst in DNS, you can
use ipconfig /registerdns..
• Monitoring ono DNS serve er: To test if the server can co with upstream servers you caan
ommunicate w
perform simpple local queriees and recursivve queries fromm the DNS servver Monitorin ng tab. You alsso can
schedule thesse tests for reg
gular intervals. The DNS servver Monitoring g tab is availab
ble only in
Windows Servver 2008 and Windows
W Server 2012 in thee DNS Server N
Name Propertie es window.
Tro
oubleshooting Process
Wheen you troubleeshoot name resolution,
r you
u must understtand what nam me resolution m
methods the
com
mputer is using
g, and in what order the com o clear the DNSS resolver cach
mputer uses theem. Be sure to he
betw
ween resolutio
on attempts. If you cannot co
onnect to a re mote host and
d suspect a name resolution
me resolution as follows:
problem, troublesshoot the nam
1. Open an elevvated comman
nd prompt, and
d then clear th
he DNS resolveer cache by typ
ping IPConfig
g
/flushdns.
3. Attempt to ping the remote e host by its host name. For accuracy, use the FQDN witth a trailing pe
eriod.
For example, if you are worrking at Contooso, Ltd, you w
would enter thee following command at the e
command pro ompt: Ping LO ON-dc1.conto oso.com.
20410A: Installing and Configuring Windows Server® 2012 7-9
4. If the ping is successful, then the problem is most likely not related to name resolution. If the ping is
unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry
to the end of the file. In the previous Contoso, Ltd example, you would add the following line and
save the file:
10.10.0.10 LON-dc1.contoso.com
5. Perform the Ping-by-host-name test once more. Name resolution should now be successful. Verify
that the name resolved correctly by examining the DNS resolver cache. To display the DNS resolver
cache, at a command prompt type IPConfig /displaydns.
6. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
7. At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
Note: You also should know how to interpret the DNS resolver cache output so that you
can identify whether the name resolution problem lies with the client computer’s configuration,
the name server, or the configuration of records within the name server zone database.
Unfortunately interpreting the DNS resolver cache output is beyond the scope of this lesson.
7-10 Implemennting DNS
Lesson 2
Installiing and
d Manag
ging a DNS
D Serrver
To use
u a DNS servvice, you must first install it. Installing the D
DNS service on a DNS server is a simple
proccedure. To ma
anage your DN NS service, it is important thaat you understtand the DNS sserver componnents
and their purpose
e. In this lesson
n, you will learn about DNS ccomponents, aand about how w to install and
d
mannage the DNS Server role.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe DNS
S queries.
• Describe forw
warding.
Wh
hat Are the
e Compon
nents of a DNS Soluttion?
The components of a DNS soluttion include DNS
servvers, DNS serve
ers on the Inte
ernet, and DNS
S
reso
olvers, or DNS clients.
DN
NS Server
A DNS server answ wers recursive and iterative DNS
queeries. DNS servers also can ho
ost one or more
zones of a particu
ular domain. Zoones contain
diffe e records. DNS servers also can
erent resource
cachhe lookups to save time for common
c querries.
DN
NS Servers on
o the Intern
net
DNSS servers on th e accessible publicly.
he Internet are
These servers hostt information about public domains,
d such as common to
op level domaains (TLDs) (forr
exam
mple .COM, .N NET, and .EDU)).
DN
NS Resolver
The DNS resolver generates and d sends iterativve or recursivee queries to the DNS Server. A DNS resolveer can
be any
a computer that is perform ming a DNS lookup that req uires interactio on with the DN
NS server. DNSS
servvers also can isssue DNS requests to other DNS
D servers.
20410A: Installinng and Configuring W
Windows Server® 20012 7-11
What
W Are Root
R Hintss?
As previously diiscussed in lessson one, topicc four,
ro
oot hints are a list of the 13 FQDNs
F on thee
In
nternet that yoour DNS serverr uses if it cann
not
re
esolve a DNS query
q by using a DNS forwarrder or
T root hints list the highest
itss own cache. The
ervers in the DNS hierarchy, and can provide the
se
neecessary inform
mation for a DNS
D server to perform
p
ann iterative que
ery to the next lowest layer of
o the
DNS namespace e.
When
W a DNS seerver communiicates with a ro oot hint serverr, it uses only aan iterative qu
uery. If you sele
ect the
Do
D Not Use Re ecursion For ThisT Domain option
o (on thee DNS server properties wind dow), the serve er will
noot be able to perform
p queriees on the root hints. If you cconfigure the sserver using a forwarder, it w will
atttempt to sendd a recursive query to its forw
warding serve r; then if the fo orwarding servver does not aanswer
th
his query, the first
f server resp
ponds that the
e host could no ot be found.
It is important to
t understand that recursion n on a DNS serrver and recurssive queries arre not the same thing.
Reecursion on a DNS server me eans that the server
s uses its root hints to ttry to resolve a DNS query, wwhereas
a recursive querry is a query th
hat is made to a DNS server in which the rrequester asks the server to aassume
th ng a complete answer to thee query. The neext topics discu
he responsibilitty for providin uss recursive q
queries
in
n more detail.
What
W Are DNS
D Queries?
A DNS query is a name resolu ution query thaat is
se
ent to a DNS Server.
S The DNS server then
provides either an authoritativve or a non-
au
uthoritative response to the client query.
Authoritative
A e or Non-Authoritative
e
Responses
R
Th
he two types of
o responses arre:
• Non-autho oritative. A noon-authoritativve response is one where thee DNS server tthat contains the
requested domain
d in its cache
c answers a query by ussing forwarders or root hintss. Because the answer
7-12 Implementing DNS
provided might not be accurate (because only the authoritative DNS server for the given domain can
issue that information), it is called non-authoritative response.
If the DNS server is authoritative for the query’s namespace, the DNS server checks the zone and then
does one of the following:
Note: An authoritative answer can be given only by the server with direct authority for the
queried name.
If the local DNS server is non-authoritative for the query’s namespace, then the DNS server does one of
the following:
• Uses well-known addresses of multiple root servers to find an authoritative DNS server to resolve the
query. This process uses root hints.
Recursive Queries
In a recursive query the requester asks the DNS server to provide a fully resolved name before returning
the answer. The DNS server may have to perform several queries to other DNS servers before it finds the
answer.
For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so,
the DNS server in question will not attempt to forward its DNS requests to another server. This is useful
when you do not want a particular DNS server to communicate outside its local network.
Iterative Queries
Iterative queries access domain name information that resides across the DNS system; by using them, you
can resolve names across many servers quickly and efficiently. When a DNS server receives a request that
it cannot answer using its local information or its cached lookups, it makes the same request to another
DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer
with either the IP address for the domain name (if known), or with a referral to the DNS servers that are
responsible for the domain being queried.
20410A: Installinng and Configuring W
Windows Server® 20012 7-13
What
W Is Forrwarding?
A forwarder is a network DNS S server that fo
orwards
quueries for exte
ernal names to DNS servers outside
o
th
hat network. Yo ou also can cre
eate and use
co
onditional forwwarders to forwward queries
acccording to sppecific domain names.
Once
O you desiggnate a networrk DNS server asa a
fo
orwarder, then other DNS servers in the ne etwork
fo
orward to it thee queries that they cannot reesolve
lo
ocally. By using
g a forwarder, you can mana age
naame resolution n for names ouutside of your
neetwork, such as
a names on th he Internet. This
im
mproves the effficiency of namme resolution for
yo
our network’s computers.
Th
he forwarder must
m be able to o communicatte with the DNNS server that is located on tthe Internet. This
means
m either yo equests to anotther DNS serv er, or configurre it to use roo
ou configure itt to forward re ot hints
to
o communicate e.
Conditional
C Forwarder
A conditional fo
orwarder is a DNS
D server on a network thatt forwards DN S queries acco ording to the qquery’s
DNS domain na ame. For example, you can configure a DN NS server to forward all querries that it rece
eives for
na
ames ending with
w corp.conto e IP address off a specific DNS server, or to the IP addresses of
oso.com to the
multiple
m DNS seervers. This can
n be useful wh
hen you have m multiple DNS n namespaces in n a forest.
Conditional Fo
orwarding in Windows
W Serv
ver 2008 R2 aand 2012
n Windows Serrver 2008 R2 and Windows Server
In S 2012, thhe conditional forwarder con nfiguration hass been
moved
m to a nod c replicate t his informatio n to other DN
de in the DNS console. You can NS servers through
Active Directoryy integration.
Ho
ow DNS Se
erver Caching Workss
DNS S caching incre
eases the perfo
ormance of the
orga anization’s DN
NS system by decreasing
d the time
it ta
akes to providee DNS lookupss.
Whe en a DNS server resolves a DNS
D name
succcessfully, it add
ds the name too its cache. Ovver
timee, this builds a cache of dommain names and
theiir associated IPP addresses forr most of the
dommains that the organization uses
u or accessees.
The default time to t keep a nam me in the cache e is
onee hour. The zon ne owner can change
c this byy
mod difying the SO OA record for th
he appropriate e
DNS S zone.
A ca
aching-only seerver is the ideal type of DNS
S server to usee as a forwardeer. It will not host any DNS zzone
a; it only answers lookup req
data quests for DNSS clients.
In Windows
W Serve
er 2012, you caan access the content
c of DN S server cachee by selecting tthe Advanced view
in th
he DNS Manag ger console. When
W you enab ble this view, ccached contentt displays as a node in DNS
Man nager. You can
n also delete siingle entries (o
or the entire caache) from DN NS server cache.
You
u can prevent DNS
D client caches from being overwritten with the DNS Cache Locking feature whicch is
avaiilable in Windo
ows Server 20008 R2 and Win ndows Server 22012. When en nabled the cacched records w
will
not be overwritten for the durattion of the tim
me to live (TTL)) value. Cache locking provid
des improved
secu
urity against ca
ache poisoningg attacks.
Ho
ow to Insta
all the DNS
S Server Ro
ole
The DNS server ro ole is not installed on Windoows
Servver 2012 by de efault. Instead, you must addd it in
ole-based manner when you configure the
a ro e
servver to perform the role. You install the DNS
servver role by usin
ng the Add Ro oles and Featurres
Wizzard in Server Manager.
M
To administer a remote DNS server, add the Remote Server Administrative tools to your administrative
workstation, which must be running a Windows Vista SP1 or newer Windows operating system.
Demonstration Steps
Configure Forwarding
• Configure the DNS Server with a forwarder on IP address 172.16.0.10.
7-16 Implemennting DNS
Lesson 3
Manag
ging DN
NS Zone
es
DNS S service is a key
k service for AD DS. Servers and clients aalike use DNS tto locate domain controllerss and
otheer services within the network. You usuallyy install a DNSS server with a domain contrroller during do omain
controller promottion. The DNS server can the en host zone ddata in an Activve Directory database. In thiis
lesson, you will leaarn about Actiive Directory–iintegrated DN
NS zones.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe DNS
S zone types.
• Describe dyna
amic updates.
• Describe Active Directory-in
ntegrated zones.
• Describe how
w to create an Active
A Directory-integrated zone.
Wh
hat Are DN
NS Zone Ty
ypes?
The four DNS zon
ne types are:
• Primary
• Secondary
• Stub
• Active Directo
ory–integrated
d
Primary zone
Whe en a zone thatt a DNS server hosts is a primmary
mary source for
zone, the DNS serrver is the prim
info
ormation about this zone, an nd it stores the e
masster copy of zoone data eitherr in a local file or in
AD DS. When the DNS server sttores the zone in a file, the p primary zone fiile by default iis named
zone_name.dns, and is located on o the server in the %windirr%\System32\D Dns folder. Wh hen the zone is not
storred in AD DS, this
t is the onlyy DNS server th hat has a writaable copy of th
he database.
Seccondary zon
ne
Whe ondary zone, tthe DNS serve r is a secondarry source for th
en a zone thatt a DNS server hosts is a seco he
zone information.. The zone at this
t server musst be obtained d from anotherr remote DNS server that alsso
hostts the zone. Th
his DNS server must have neetwork access tto the remote DNS server to o receive updated
zone information.. Because a seccondary zone is a copy of a primary zone that another sserver hosts, thhe
seco
ondary zone ca ed in AD DS. Secondary zonees can be usefful if you are re
annot be store eplicating dataa from
non
n-Windows DN NS zones.
Stu
ub zone
A sttub zone is a re
eplicated copyy of a zone tha
at contains onlly those resource records thaat are necessary to
idenntify that zone
e’s authoritative DNS servers. A stub zone rresolves namees between sep parate DNS
nam
mespaces, whicch might be ne ecessary when a corporate mmerger requirees that the DNS servers for twwo
sepa arate DNS nammespaces resolve names for clients in both h namespaces.
20410A: Installinng and Configuring W
Windows Server® 20012 7-17
Th
he master servvers for a stub zone are one or more DNS servers that arre authoritative for the child zone.
he DNS server that is hosting
Usually this is th g the primary zzone for the d
delegated dom
main name.
Active
A Directtory–Integrated zone
If AD DS stores the zone, then
n DNS can use e the multimasster replication
n model to rep
plicate the prim
mary
zoone. This enab
bles you to editt zone data on
n more than on ne DNS serverr simultaneoussly.
What
W Are Dynamic
D Updates?
U
A dynamic upda ate is an update to DNS in real
time. Dynamic updates
u mportant for DNS
are im
clients that chan
nge locations - they can
dyynamically reg
gister and upda ate their resou
urce
re
ecords withoutt manual intervvention.
Th
he Dynamic Host Configurattion Protocol (DHCP)
(
client service pe
erforms the reggistration, regaardless
off whether the client’s IP address is obtaine
ed from
a DHCP server, or is fixed. Thee registration occurs
o
duuring the follo
owing events:
• When an IP
P address is configured, adde
ed, or changed
d on any netw
work connectio
on.
• When an ad
dministrator ru
uns the command-line comm
mand ipconfig
g /registerdn
ns.
Th
he process of dynamic
d updates is as follow
ws:
2.. Eventually, if the zone supports dynamic updates, thee client reachees a DNS serve
er that can writte to
the zone. This is the prim
mary server for a standard, filee-based zone or any domain
n controller th
hat is a
name serveer for an Activee Directory–inttegrated zone .
In
n some configu urations, you may
m not want clients
c to updaate their recorrds even in a d
dynamic updatte zone.
In
n this case you can configure e the DHCP server to registe r the records o on the clients’ behalf. By deffault, a
client registers that
t it is a (hosst/address) reccord, and the D
DHCP server reegisters the PTTR (pointer/revverse
lo
ookup) record.
Wh
hat Are Acctive Directory-Integ
grated Zon
nes?
In Lesson 1, you le
earned that DN NS server can store
zone data in the AD
A DS databasse provided th hat
the DNS server is an AD DS dom main controller.
Whe en this happenns, this createss an Active
Direectory–integratted zone.
The benefits of an
n Active Directtory–integrated
d
zone are significant:
• Replication of
o DNS zone data d by using g AD DS repliccation. One o f the characteristics of Active
Directory replication is attriibute-level repplication in wh ich only changged attributes are replicated d. An
Active Directo
ory–integrated d zone can leve erage these beenefits of Activve Directory re
eplication, rath
her
than replicating the entire zone
z file as in traditional DN
NS zone transfeer models.
Question: Ca
an you think off any disadvan
ntages to storin
ng DNS inform
mation in AD D
DS?
De
emonstration: Creating an Actiive Directo
ory–Integrrated Zone
e
To create
c an Activve Directory in
ntegrated zone
e, you must insstall DNS serveer on a Domain Controller. A
All
changes in an Acttive Directory integrated
i zon
ne are replicateed to all otherr DNS servers o
on domain
controllers throug
gh AD DS repliication mechanism.
Dem
monstration
n Steps
Cre
eate an Active Directory–integrate
ed zone
1. On LON-DC1
1, open the DN
NS Manager co
onsole.
2. Start the New
w Zone Wizard.
6. Review record
ds in the new zone.
z
Create a record
Your manager has asked you to configure the domain controller in the branch office as a DNS server. You
have also been asked to create some new host records to support a new application that is being
installed. Finally, you need to configure forwarding on the DNS server in the branch office to support
Internet name resolution.
Objectives
After completing this lab you will be able to:
Lab Setup
Estimated Time: 40 minutes
Logon Information
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
domain controller. The Active Directory-integrated zones required to support logons will be replicated
automatically to the branch office.
1. Configure LON-SVR1 as a domain controller without installing the DNS server role.
2. Review configuration settings on the existing DNS server to confirm root hints.
3. Add the DNS server role for the branch office on the domain controller.
X Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server
role
1. Use Add roles and features task in Server Manager to add the Active Directory Domain Services
role to LON-SVR1.
X Task 2: Review configuration settings on the existing DNS server to confirm root
hints
1. On LON-DC1, open the DNS Manager console.
X Task 3: Add the DNS server role for the branch office on the domain controller
• Use Server Manager to add the DNS Server role to LON-SVR1.
2. Expand Forward Lookup Zones, and verify that the Adatum.com and _msdcs.Adatum.com zones
are replicated.
If you do not see these zones, open Active Directory Sites and Services, and force replication between
LON-DC1 and LON-SVR1, and then try again.
Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
2. Create several host records in the Adatum.com domain for web apps.
3. Verify replication of new records to LON-SVR1.
3. Open the Properties window for the Local Area Network Connection adapter.
X Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, open DNS Manager.
X Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, open a command prompt window.
3. Ping ftp.adatum.com. Make sure that ping resolves this name to 172.16.0.200.
Results: After completing this exercise, you will have configured DNS records.
2. Update Internet record to point to the LON-DC1 IP address, retry the location using ping.
3. Examine the content of the DNS cache.
X Task 1: Use the ping command to locate Internet record from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Use ping to locate www.nwtraders.msft.
X Task 2: Update Internet record to point to the LON-DC1 IP address, retry the
location using ping
1. On LON-DC1, open the DNS Manager console.
2. Navigate to the nwtraders.msft forward lookup zone.
2. Retry the ping to www.nwtraders.msft on LON-CL1 (The result will still return the old IP address.)
3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns in a command prompt
window.
Results: After completing this exercise, you will have DNS Server cache examined.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Question: You are deploying DNS servers into an Active Directory domain, and your customer
requires that the infrastructure is resistant to single points of failure. What must you consider
when planning the DNS configuration?
Best Practices:
When implementing DNS, use the following best practices:
Tools
Name of tool Used for Where to find it
Module 8
Implementing IPv6
Contents:
Module Overview 8-1
Module Overview
IPv6 is a technology that helps the Internet support a growing user base and an increasingly large number
of IP-enabled devices. The current IPv4 has been the underlying Internet protocol for almost thirty years.
Its robustness, scalability, and limited feature set is now challenged by the growing need for new IP
addresses. This is due in large part to the rapid growth of new network-aware devices.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of IPv6
IPv6
6 has been included with Windows clients and servers sttarting with W
Windows Serverr 2008 and Win ndows
Vista. The use of IPv6 is becoming more comm
mon on corpo orate networkss and parts of tthe Internet.
It is important forr you to understand how thiss technology aaffects current networks, and d how to integ
grate
IPv66 into those neetworks. This le es the benefits of IPv6, and h
esson discusse how it differs frrom IPv4.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
Benefits of IP
Pv6
IPv6
6 support is inccluded in Winddows Server 20012
and Windows 8. TheT following list of benefits
desccribes why IPvv6 is being imp
plemented.
Hie
erarchical ad
ddressing and routing infrastructu
ure
The IPv6 address space is design
ned to be morre efficient for routers, which
h means that e even though there
are many more adddresses, routeers can process data much m more efficientlyy because of aaddress
optimization.
Sta
ateless and stateful
s add
dress config
guration
IPv66 has auto-connfigure capability without Dyynamic Host C Configuration P Protocol (DHC CP), and it can
disccover router information so that
t hosts can access the Intternet; this is reeferred to as a stateless address
configuration. A stateful
s address configuration is when you use the DHCP Pv6 protocol.
Req
quired supp
port for Inte
ernet Protoccol security
y (IPsec)
The IPv6 standardds require suppport for the Auuthentication H Header (AH) and encapsulatting security
payload (ESP) heaaders that are defined
d by IPssec. Although ssupport for sp pecific IPsec authentication
metthods and crypptographic alggorithms are no ot specified, IP
Psec is defined
d from the starrt as the way to
o
prottect IPv6 packets. This guara
antees the availability of IPseec on all IPv6 h
hosts.
20410A: Installling and Configuringg Windows Server® 2012 8-3
End-to-end communica
c tion
One
O of the design goals for IP Pv6 is to provid
de sufficient a ddress space sso that you doo not have to uuse
trranslation mechanisms such as network ad ddress translatiion (NAT). Thiss simplifies com
mmunication b because
IP
Pv6 hosts can communicate
c directly
d with each
e other oveer the Internet.. This also simpplifies support for
appplications succh as video con
nferencing and d other peer-tto-peer applicaations. Howevver, many
orrganizations may
m choose to continue using translation m mechanisms ass a security me easure.
Prioritized
P delivery
An IPv6 packet contains a field that specifiees how fast thee packet shoul d be processed; so traffic caan be
asssigned a priorrity. For examp
ple, when you are streaming g video traffic, it is critical thaat the packets arrive
in
n a timely manner. You can sets this field to network devicees determine that the packett
o ensure that n
deelivery is time--sensitive.
Im
mproved su
upport for siingle-subne
et environm
ments
IP
Pv6 has much better
b supportt of automatic configuration n and operation on single subnet networkss. You
ca
an use the automatic configu es in IPv6 to crreate temporaary ad-hoc nettworks through
uration feature h which
yo
ou can connecct and share information.
Ex
xtensibility
IP
Pv6 has been designed
d so that developers can extend it with much few
wer constraintss than IPv4.
Differences
D s Between IPv4 and IPv6
When
W the IPv4 address space was designed d, it was
unnimaginable th hat it could evver be exhausteed.
However, due to o changes in technology
t andd an
allocation practtice that did no ot anticipate th
he
i was clear by 1992
exxplosion of Intternet hosts, , it
th
hat a replacemment would be necessary.
IP
Pv6 addresses were
w made 1228 bits long so that
he address space can be subdivided into
th
hiierarchical routing domains that reflect mo odern-
daay Internet toppology. With 128
1 bits there area
en
nough bits to create multiple levels of hierrarchy,
an
nd flexibility fo
or designing hierarchical adddressing
nd routing. These are feature
an es that are currrently lacking on the IPv4-b
based Internet..
IP
Pv4 and IPv
v6 Comparisson
Th
he following ta
able highlightss the differencces between IP
Pv4 and IPv6.
IPv4 IPv6
IPv4 IPv6
The IPv4 header contains no identification Packet-flow identification for QoS handling by
of packet flow for Quality of Service (QoS) routers is included in the IPv6 header using
handling by routers. the Flow Label field.
Fragmentation is done by both routers and Fragmentation is not done by routers, only by
the sending host. the sending host.
Address Resolution Protocol (ARP) uses ARP Request frames are replaced with
broadcast ARP Request frames to resolve multicast Neighbor Solicitation messages.
an IPv4 address to a link-layer address.
Internet Control Message Protocol (ICMP) ICMP Router Discovery is replaced with
Router Discovery—which is optional—is required ICMPv6 Router Solicitation and
used to determine the IPv4 address of the Router Advertisement messages.
best default gateway.
Broadcast addresses are used to send There are no IPv6 broadcast addresses.
traffic to all nodes on a subnet. Instead, a link-local scope all-nodes multicast
address is used.
Must be configured either manually or Does not require either manual configuration
through DHCP. or DHCP.
Uses host (A) resource records in the Uses IPv6 host (AAAA) resource records in
Domain Name System (DNS) to map host DNS to map host names to IPv6 addresses.
names to IPv4 addresses.
Uses pointer (PTR) resource records in the Uses pointer (PTR) resource records in the
IN-ADDR.ARPA DNS domain to map IPv4 IP6.ARPA DNS domain to map IPv6 addresses
addresses to host names. to host names.
Must support a 576-byte packet size Must support a 1280-byte packet size (without
(possibly fragmented). fragmentation).
Broadcast add
dresses Not ap
pplicable in IPvv6
Multicast add
dresses (224.0.0
0.0/4) IPv6 m ulticast addressses (FF00::/8)
IP
Pv6 Addre
ess Space
Thhe most distinguishing featu ure of IPv6 is itts use of
much
m larger add
dresses. IPv4 addresses
a are
exxpressed in fouur groups of decimal numbe ers, such
ass 192.168.1.1. Each grouping g of numbers
re
epresents a bin nary octet. In binary,
b 192.168 8.1.1 is
ass follows:
11
1000000.10101
1000.00000001.00000001 (4
oc
ctets = 32 Bi
its)
20
001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Th
his might seemm complex for end users, butt the assumptiion is that use rs will rely on DNS names to o resolve
ho
osts and will ra
arely type IPv6
6 addresses ma Pv6 address in hex is also eassier to convertt
anually. The IP
be
etween binaryy and hexadeciimal than it is to
t convert bettween binary aand decimal. T This simplifies w
working
with
w subnets, an nd calculating hosts and nettworks.
Hexadecima
H l Numberin
ng System (B
Base 16)
In
n the hexadecimal numbering system, som me letters repreesent numberss because, therre must be 16 unique
syymbols for eacch position. Because 10 symb bols (0 throughh 9) already exxist, there musst be six new syymbols
fo
or the hex systeem; hence, thee letters A thro
ough F are useed. The hexadeecimal numberr 10 is equal to o the
deecimal numbe er 16.
To
o convert an IP Pv6 binary add dress that is 12
28 bits long, yo
ou break it int o eight blockss of 16 bits. Yo
ou then
co
onvert each off these eight blocks of 16 bitts into four hexx characters. FFor each of thee blocks, you e evaluate
fo
our bits at a tim
me. You should d number each h section of fo
our binary num mbers 1, 2, 4, and 8, starting from
th
he right and moving
m left. Tha
at is:
To e hexadecimal value for this section of fou r bits, add up the value of each bit that is set to
o calculate the
1.. In the examp e only bit that is set to 1 is th
ple of 0010, the he bit assigned
d the value 2. T
The rest are se
et to
ze
ero. Therefore,, the hex value
e of this section of four bits iis 2.
8-6 Implementing IPv6
[0010][1111]
The following example is a single IPv6 address in binary form. Note that the binary representation of the
IP address is quite long. The following two lines of binary numbers represents one IP address:
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is now divided along 16-bit boundaries (eight blocks of 16 bits):
Each block is further broken into sections of four bits. The following table shows the binary and
corresponding hexadecimal values for each section of four bits:
Binary Hexadecimal
[0010][0000][0000][0001] [2][0][0][1]
[0000][1101][1011][1000] [0][D][B][8]
[0000][0000][0000][0000] [0][0][0][0]
[0010][1111][0011][1011] [2][F][3][B]
[0000][0010][1010][1010] [0][2][A][A]
[0000][0000][1111][1111] [0][0][F][F]
[1111][1110][0010][1000] [F][E][2][8]
[1001][1100][0101][1010] [9][C][5][A]
Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as
follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block.
However, each block must have at least a single digit. With leading zero suppression, the address
representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
20410A: Installing and Configuring Windows Server® 2012 8-7
Compressing Zeros
When multiple contiguous zero blocks occur, you can compress these and represent them in the address
as a double-colon (::); this further simplifies the IPV6 notation. The computer recognizes “::” and
substitutes it with the number of blocks necessary to make the appropriate IPv6 address.
2001:DB8::2F3B:2AA:FF:FE28:9C5A
To determine how many 0 bits are represented by the “::”, you can count the number of blocks in the
compressed address, subtract this number from eight, and then multiply the result by 16. Using the
previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by
16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located.
You can use zero compression only once in a given address. If you use it twice or more, then there is no
way to show how many 0 bits are represented by each instance of the double-colon (::).
To convert an address into binary, use the reverse of the method described previously:
Lesson 2
IPv6 Addressi
A ng
An essential
e part of
o working witth IPv6 is unde
erstanding thee different address types and d when they arre
usedd. This allows you
y to understtand the overa all communicaation process b between IPv6 h hosts and perfform
trou
ubleshooting. YouY also need to understand d the processees available forr configuring a host with an IPv6
adddress to ensure e that hosts are
e properly configured.
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
• Describe IPv6
6 prefixes.
IPv
v6 Prefixess
Likee the IPv4 addrress space, the e IPv6 address space
is diivided by alloccating portionss of the availabble
adddress space for various IP fun nctions. The higgh-
orde er bits (bits tha
at are at the beginning of th he
128-bit IPv6 address) define are eas statically in
n the
IP sppace. The high h-order bits an
nd their fixed values
v
are known as a format prefix.
Inte
ernet Assigned Numbers Autthority (IANA)
mannages IPv6, and has defined how the IPv6
add nitially. IANA has
dress space willl be divided in
also
o specified the format prefixe es.
IPv
v6 Format Prefixes
The following table shows the IPv6 address-sp
pace allocation
n by format prrefixes.
Re
eserved 0000 0000 - 1/2
256
Link-local unica
ast addresses 1111 1110 1000
1 FFE8 1/1
1024
Unique local un
nicast 1111 1100 FFD 1/2
256
ddresses
ad
Multicast
M addre
esses 1111 1111 FFF 1/2
256
IP
Pv6 Prefixess
Th
he prefix is thee part of the adddress that ind
dicates the bitss that have fixxed values, or tthat are the subnet
prefix’s bits. Pre
efixes for IPv6 subnets,
s routees, and addresss ranges are exxpressed in the e same way ass IPv4
Classless Interdo omain Routing g (CIDR) notations. An IPv6 p prefix is written in address/pprefix-length n notation.
Fo
or example, 20 001:DB8::/48 and 2001:DB8:0 0:2F3B::/64 aree IPv6 address prefixes.
Unicast
U IPv
v6 Addresss Types
A unicast IPv6 address
a is an IP
Pv6 address thhat is
asssigned to a single interface in a single commputer.
Thhis is equivalen
nt to unicast addresses in IPvv4. IPv6
haas several type ddresses, and unlike
es of unicast ad
IP
Pv4, computerss typically have e multiple IPv6
6
ad
ddresses. Diffeerent address types
t are used for
diifferent purposes.
Th
he bits in unicaast IPv4 addreesses are split evenly
e
be
etween netwo ork ID and interface ID: the first 64
work ID, and the second 64 bits are
biits are the netw
th
he host ID. By default,
d the intterface ID porttion of
an
n IPv6 addresss is randomly generated.
g
Note: The
e interface ID in
i IPv6 is equivvalent to the I Pv4 host ID ass discussed in M
Module 5.
Global
G Unica
ast Addresse
es
Global unicast addresses
a are equivalent
e to public
p om an Internet
IPv4 ad dresses that are available fro
Seervice Provider (ISP). They arre routable and
d reachable gllobally on the IPv6 portion o of the Internett. The
fie
elds in the global unicast address are:
• Fixed portion set to 0011. The three hiigh-order bits are set to 0011. The address prefix for currrently
assigned global addresse
es is 2000::/3. Therefore,
T global unicast aaddresses beg
all g gin with either 2 or 3.
• Global rou uting prefix. This
T field identifies the globaal routing prefiix for a specificc organizationn’s site.
The combin nation of the three
t fixed bitss and the 45-b
bit global routiing prefix is ussed to create a 48-bit
site prefix, which
w is assign
ned to an orga anization’s ind ividual site. On
nce the assignment occurs, rrouters
on the IPv6 6 Internet then n forward IPv6 traffic that maatches the 48--bit prefix to thhe routers of the
organizatio on’s site.
• Subnet ID. The Subnet ID D is used within an organiza tion’s site to id dentify subnetts. This field’s ssize is
16 bits. The
e organization’s site can use these 16 bits w within its site tto create 65,53
36 subnets, or
multiple levvels of addresssing hierarchy, and an efficieent routing inffrastructure.
• Interface ID. The Interfacce ID identifiess the interfacee on a specific subnet within the site. This ffield’s
size is 64 biits. This is eithe
er randomly generated, or aassigned by DH HCPv6. In the past, the Interfface ID
was based on o the Media Access Contro ol (MAC) addreess of the netw work interface card to which the
address was bound.
IPv4
4 Automatic Prrivate IP Addre
essing (APIPA) addresses. Ho
owever, a link--local address is an essential part
of IP
Pv6 communiccation.
Link
k-local addressses are used foor communicattion in many sscenarios wherre IPv4 would have used
broa ocal addresses are used when
adcasts. For exxample, link-lo n communicatting with a DH HCPv6 server. In
add al addresses arre used for neighbor discoveery which is thee IPv6 equivalent of ARP in IPv4.
dition, link-loca
The prefix for link
k-local addressses is always FE
E80::/64. The fiinal 64-bits aree the interface
e identifier.
To avoid
a the dupllication probleems experienceed with IPv4 p private addressses, the IPv6 un
nique local address
n organization identifier. Thee 40-bit organization identifier is randomlyy
structure allocatess 40-bits to an
gen kelihood of two randomly ge
nerated. The lik enerated 40-b bit identifies beeing the same are very smalll. This
ensuures that each organization has a unique address
a space..
Zone IDs
Eachh IPv6 host has a single link--local address. If
the host has multiple network in nterfaces, the same
link-local address is reused on each
e network
inte
erface. To allow
w hosts to idenntify link-local
commmunication on o each unique e network interface,
a zo
one ID is added d to the link-lo
ocal address. A
zone ID is used in the following format:
Address%zone_ID
Eachh interface in a Windows-ba ased host is asssigned a uniquue interface inddex, which is aan integer. In
adddition to physiccal network cards, interfaces also include lo
oopback and ttunnel interfacces. Windows--based
IPv6
6 hosts use thee interface inde
ex of an interface as the zonne ID for that interface. In th
he following
exammple, the interface ID for the network card d is 3.
fe80
0::2b0:d0ff:fee9:4143%3
20410A: Installinng and Configuring W
Windows Server® 20012 8-11
Address
A Au
utoconfigu
uration forr IPv6
In
n most cases, you
y will use autoconfiguratio on to
provide IPv6 hoosts with an IPvv6 address. There are
se
everal ways autoconfiguratio on can be
im
mplemented. You
Y control ho ow autoconfigu uration
is performed byy using a type of autoconfigu uration.
Autoconfigu
A ured Addresss States
During autocon nfiguration the
e IPv6 address of a
ho ost goes throuugh several sta
ates that definee the
liffecycle of the IPv6 address. Autoconfigure
A ed
ad n one or more of the following
ddresses are in
sttates:
• Valid. In th
he valid state, the
t address ha d as unique, a nd can send and receive uniicast
as been verified
traffic.
• ed state, the address enable s a node to seend and receive unicast traffiic to
Preferred. In the preferre
and from itt.
• Deprecated. In a depreca
ated state, the
e address is vallid, but its use is discouraged
d for new
communicaation.
Types of Auttoconfigura
ation
Tyypes of autoco
onfiguration in
nclude:
• Stateless. Address
A configguration is onlyy based on thee receipt of Ro
outer Advertise
ement messagges. This
includes a router
r prefix but
b does not in nclude addition nal configuration options su
uch as DNS serrvers.
• Stateful. Configuration iss based on the
e use of a stateeful address co
onfiguration protocol such aas
DHCPv6 to obtain addressses and otherr configuration n options. A hoost uses statefu
ul address
configuratio
on when:
o It receives instruction
ns to do so in Router
R Advert isement messaages.
o There are
a no routers present on the local link.
Sttateful Configuration
With
W stateful co onfiguration, organizations
o can
c control howw IPv6 addres ses are assigne
ed using DHCPPv6. If
th
here are any sp
pecific scope options
o that yo
ou need to con
nfigure—such as the IPv6 ad ddresses of DN
NS
se
ervers—then a DHCPv6 serve er is necessaryy.
When
W IPv6 attempts to comm
municate with a DHCPv6 servver, it uses mu
ulticast IPv6 ad
ddresses. This iss
diifferent than with
w IPv4, which uses broadcast IPv4 addreesses.
8-12 Implementing IPv6
Demonstration Steps
2. Use ipconfig to view the link-local IPv6 address on Local Area Connection.
2. Open the properties of Internet Protocol Version 6 (TCP/IPv6), and enter the following
information:
2. Open the properties window of Internet Protocol Version 6 (TCP/IPv6), and enter the following:
2. Use ipconfig to view the IPv6 address for Local Area Connection.
3. Use ping -6 to test IPv6 communication with LON-DC1.
Lesson
n3
Coexiistence with IP
Pv4
Frrom its inception, IPv6 was designed
d for lo
ong-term coexxistence with IP
Pv4; in most caases your netw
work will
usse both IPv4 and IPv6 for maany years. Connsequently, yo u need to und
derstand how tthey coexist.
Thhis lesson provvides an overview of the tech
hnologies thatt support the ttwo IP protoco ols’ coexistencee. This
le
esson also desccribes the diffe
erent node typ
pes and IP stacck implementa tions of IPv6. Finally, this lessson
exxplains how DNS resolves na ames to IPv6 addresses and tthe various typpes of IPv6 traansition techno ologies.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe IP
P node types.
• Describe methods
m to provide coexisten
nce for IPv4 an
nd IPv6.
• Configure DNS
D to supporrt IPv6.
• Explain IPv6
6 over IPv6 tun
nneling.
What
W Are Node
N Type
es?
When
W planning an IPv6 netwo ork, you should know
what
w types of nodes or hosts are on the nettwork.
Describing the nodes
n ollowing ways helps
in the fo
to
o define their capabilities
c on the network. This is
im
mportant if you u use tunneling, because cerrtain
kiinds of tunnelss require specific node typess,
in
ncluding the fo
ollowing:
• IPv6/IPv4 node. A node that impleme ents both IPv4 and IPv6. Win
ndows Server 2
2008 and Wind
dows
Vista or late
er use IPv4 and
d IPv6 by defa
ault.
IPv
v4 and IPv
v6 Coexiste
ence
Rathher than replacing IPv4, mosst organizationns
addd IPv6 to their existing
e IPv4 network.
n Starting
withh Windows Serrver 2008 and Windows Vista,
Winndows operatin ng systems suppport the
simuultaneous use of IPv4 and IP Pv6 through a dual
IP la
ayer architectu
ure. The Windo ows XP and
Winndows Server 2003
2 operating
g systems usedda
less efficient dual stack architecture.
DN
NS Infrastruccture Requirements
Justt as DNS is use
ed as a supportting service on
n an IPv4 netw
work, it is also rrequired on an
n IPv6 networkk.
Whe en IPv6 is adde
ed to the netw
work, you need d to ensure thaat the records that are necesssary to suppo
ort
IPv6
6 name-to-add dress and addrress-to-name resolution
r are added. The DNS records thaat are required d for
coexxistence are:
Each o it. In most caases, IPv6 is prreferred over IPv4. For example,
h prefix has a precedence level assigned to
wheen you ping a host, the ping command willl use the IPv6 address insteaad of the IPv4 address.
20410A: Installing and Configuring Windows Server® 2012 8-15
The following table displays the typical prefix policies for Windows Server 2012.
2002::/16 7 14 6to4
2001::/32 5 5 Teredo
Demonstration Steps
Configure an IPv6 host (AAAA) resource record
1. On LON-DC1, in Server Manager, open the DNS tool and browse to the Adatum.com forward lookup
zone.
2. In DNS Manager, verify that IPv6 addresses have been registered dynamically for LON-DC1 and LON-
SVR1.
o IP address: FD00:AAAA:BBBB:CCCC::A
Wh
hat Is IPv6
6 Over IPv4
4 Tunnelin
ng?
IPv6
6 over IPv4 tun
nneling is the encapsulation
e of
IPv6
6 packets with an IPv4 heade er so that IPv6
packets can be sent over an IPvv4-only
infra
astructure. Witthin the IPv4 header:
h
Lesson
n4
IPv6 Transiti
T on Tech
hnologiies
Trransitioning froom IPv4 to IPvv6 requires coeexistence betw
ween the two p protocols. Too many applicaations
annd services relyy on IPv4 for itt to be remove
ed quickly. Ho
owever, there aare several technologies thatt aid
trransition by allowing commu unication betwween IPv4-onlyy and IPv6-onl y hosts. There are also techn
nologies
th
hat allow IPv6 communicatio on over IPv4 neetworks.
his lesson provvides information about Intra-Site Automaatic Tunnel Addressing Proto
Th ocol (ISATAP), 6to4,
an
nd Teredo, wh hich help provide connectivitty between IPvv4 and IPv6 tecchnology. Thiss lesson also
ad
ddresses PortPProxy, which provides compa atibility for app
plications.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe ISATAP.
• Describe 6tto4.
• Describe Te
eredo.
• Describe Po
ortProxy.
• Describe th
he transition prrocess from IPv4 to IPv6.
What
W Is ISA
ATAP?
IS
SATAP is an address-assignm ment technolog gy that
yo
ou can use to provide unicasst IPv6 connecctivity
beetween IPv6/IPPv4 hosts acro oss an IPv4 intrranet.
IS
SATAP hosts do o not require anya manual
co
onfiguration, and
a can create e ISATAP addre esses
ussing standard address autoconfiguration
mechanisms.
m Yoou mainly use ISATAP within an
orrganizations’ site,
s and althou ugh the ISATAAP
co
omponent is enabled
e by deffault, it only asssigns
IS
SATAP-based addresses
a if it can
c resolve the e name
IS
SATAP on yourr network.
An ISATAP addrress that is bassed on a publicc IPv4 addresss is formatted like the follow
wing example:
What
W Is an IS
SATAP Routter?
IS
SATAP allows IPv6 clients on an IPv4-only intranet
i mmunicate without addition
to com nal manual
co A ISATAP router advertises an IPv6 prefix,, and allows th
onfiguration. An he clients to co
ommunicate w
with
otther IPv6 clients on other IPvv6 subnets.
8-18 Implemennting IPv6
Oth
her ways you ca
an configure hosts
h with an ISATAP router are:
• Configure the
e ISATAP Rou
uter Name Gro
oup Policy settting.
Wh
hat Is 6to4
4?
6to4 ogy that you use to provide
4 is a technolo
uniccast IPv6 connectivity betwe een IPv6 sites and
a
hostts across the IP
Pv4 Internet. 6to4
6 treats the
et as a single link. In the
entiire IPv4 Interne
follo
owing 6to4 ad ddress, WWXX:YYZZ is the co olon-
hexadecimal repre esentation of w.x.y.z,
w a publiic
IPv44 address:
2002:WWXX:Y
YYZZ:Subnet_IID:Interface_ID
D,
Ena
abling 6to4 Router Fun
nctionality in
Win
ndows Operating Systeems
To enable
e Window ws Server 2012
2 as a 6to4 rouuter,
you enable Intern
net Connectionn Sharing (ICS). When you en
nable ICS on a computer thaat is running a
Win
ndows operatinng system, thee following occcurs:
• The private in
nterface conne
ects to a single
e subnet, and u
uses private IP
Pv4 addresses ffrom the
192.168.0.0/224 prefix.
• Router advertisement me
essages are sen
nt on the privaate interface.
Th
he router adve
ertisement messages advertise the ICS com
mputer as a deefault router an
nd contain the
e
erived 6to4 subnet prefix.
de
How
H 6to4 Tu
unneling Wo
orks
Within
W a site, local IPv6 routers advertise 20 002:WWXX:YYZ ZZ:Subnet_ID:::/64 subnet prrefixes so that hosts
au
utoconfigure 6to4 6 addressess. IPv6 routers within the sitee deliver trafficc between 6to4 hosts. Hosts on
in
ndividual subne ets are configuured automatically with a 644-bit subnet ro oute for direct delivery to neeighbors
an
nd a default ro oute with the next-hop
n addrress of the advvertising routerr. IPv6 traffic that does not m
match
an
ny of the subn net prefixes thaat the site usess is forwarded to a 6to4 routter on the site border. The 6to4
ro
outer on the site border has a 2002::/16 ro oute that forwaards traffic to oother 6to4 sitees and a defau
ult route
off ::/0 that forw wards traffic to a 6to4 relay on
o the IPv4 Inteernet.
Ex
xample
n the example network show
In wn in the slide, Host A and H ost B can com mmunicate with h each other bbecause
off a default route using the next-hop addre ess of the 6to44 router in Sitee 1. When Hostt A communiccates
with
w Host C in another
a site, Host A sends thhe traffic to thee 6to4 router iin Site 1 as IPvv6 packets. Thee 6to4
outer in Site 1, using the 200
ro 02::/16 route in
n its routing taable and the 6tto4 tunnel inte erface, encapsulates
th
he traffic with an
a IPv4 heade er and tunnels it to the 6to4 router in Site 2. The 6to4 ro outer in Site 2 rreceives
th
he tunneled tra affic, removes the IPv4 header, and using tthe subnet preefix route in itss routing table e,
fo
orwards the IPvv6 packet to Host
H C.
Fo
or example, Hoost A resides ono subnet 1 within Site 1 and d uses the pubblic IPv4 addre
ess of 157.60.91 1.123.
Host C resides on
o subnet 2 wiithin Site 2 and d uses the pubblic IPv4 addreess of 131.107.210.49. The taable that
ap
ppears in the slide,
s lists the addresses
a in th
he IPv4 and IPvv6 headers wh outer in Site 1 sends
hen the 6to4 ro
th
he IPv4-encapssulated IPv6 packet to the 6tto4 router in SSite 2.
What
W Is Terredo?
Teeredo tunnelinng enables you u to tunnel acrross the
IP
Pv4-only Internnet when the clients
c are behind an
IP
Pv4 NAT. Tered do was created d because man ny
In
nternet connecctions use priva ate IPv4 addre esses
beehind a NAT. Teredo
T is a lastt-resort transittion
te
echnology for IPv6 connectivvity. If native IP Pv6,
IS
SATAP, or 6to4 4 connectivity is i present betw ween
coommunicating g nodes, Teredo is not used. As
more
m IPv4 NATss are upgraded d to support 6to4,
6
annd as IPv6 connnectivity beco omes ubiquitou us,
Teeredo will be used
u less frequuently, until eventually
it is not used at all.
Teredo Components
Th
he Teredo com
mponents are as
a follows:
Wh
hat Is PorttProxy?
Youu can use the PortProxy
P serviice as an
appplication-layer gateway for nodes or
appplications that do
d not supporrt IPv6. PortPro oxy
facilitates the com
mmunication between
b nodess or
appplications that cannot
c connecct using a commmon
add ernet layer prottocol (IPv4 or IPv6),
dress type, Inte
and TCP port. This service’s primmary purpose is i to
allow IPv6 nodes to communica ate with IPv4-oonly
TCPP applications.
• An IPv6 node
e can access an
n IPv4-only serrvice that is run
nning on a Po
ortProxy computer.
Additional Reading: For more informa ation about IPvv6 transition teechnologies se
ee
http
p://go.Microso
oft.com/fwlink//?LinkID=1120
079&clcid=0x4409.
20410A: Installinng and Configuring W
Windows Server® 20012 8-21
Process
P forr Transition
ning to IPv
v6–Only
Thhe industry-wide migration from
f IPv4 to IP
Pv6 is
exxpected to takke considerable e time. This waas taken
in
nto consideration when desig gning IPv6 and d as a
re
esult, the transition plan for IPv6 is a multistep
process that alloows for extendded coexistencce.
To
o achieve the goal
g of a pure IPv6 environm
ment,
usse the followin
ng general guidelines:
• Upgrade hoosts to IPv6/IPv4 nodes. You u must upgrad e hosts to use both IPv4 and d IPv6. You alsso must
add DNS re
esolver supporrt to process DNS
D query resu ults that contaiin both IPv4 and IPv6 addresses.
You can de
eploy ISATAP in n a limited cap
pacity to test IP
Pv6 and DNS ffunctionality.
Most
M organizatiions will most likely add IPv66 to an existingg IPv4 environ nment and con ntinue to have
oexistence for an extended period
co p of time. There are stilll in existence many legacy aapplications annd
deevices that do not support IPPv6, and coexiistence is muc h simpler than n using transitiion technologiies such
ass ISATAP.
IP
Pv6 is enabled by default for Windows Vistta or newer cli ents and Wind dows Server 20 008 or newer sservers.
As a best practice, you should
d not disable IP
Pv6 unless theere is a techniccal reason to do so. Some feaatures in
Windows
W operaating systems rely
r on IPv6.
8-22 Implementing IPv6
The IT manager at A. Datum has been briefed by several application vendors about newly added support
for IPv6 in their products. A. Datum does not have IPv6 support in place at this time. The IT manager
would like you to configure a test lab that uses IPv6. As part of the test lab configuration, you also need to
configure ISATAP to allow communication between an IPv4 network and an IPv6 network.
Objectives
After completing this lab, you will be able to:
• Configure IPv6.
Lab Setup
Estimated Time: 40 minutes
Logon Information
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
3. Use ipconfig to verify that LON-SVR2 has only a link-local IPv6 address.
2. Use the following New-NetRoute cmdlet to add an IPv6 network on Local Area Connection 2 to the
local routing table:
3. Use the following Set-NetIPInterface cmdlet to enable router advertisements on Local Area
Connection 2:
4. Use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64
network.
Results: After completing the exercise, students will have configured an IPv6–only network.
8-24 Implementing IPv6
5. Test connectivity.
2. Use the following Get-NetIPAddress cmdlet to identify the interface index of the ISATAP interface
with 172.16.0.1 in the link-local address.
Interface index:
3. Use the Get-NetIPAddress cmdlet to verify the following on the ISATAP interface:
o Forwarding is enabled
o Advertising is disabled
4. Use the following Set-NetIPAddress cmdlet to enable router advertisements on the ISATAP
interface:
5. Use the following New-NetRoute cmdlet to configure a network route for the ISATAP interface:
6. Use the following Get-NetIPAddress cmdlet to verify that the ISATAP interface has an IPv6 address
on the 2001:db8:0:2::/64 network:
X Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, open Regedit and browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
4. Ping isatap to verify it can be resolved. The name should resolve and you should receive four request
timed out messages from 172.16.0.1.
2. Use ipconfig to verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2/64
network.
ping 2001:db8:0:2:0:5efe:172.16.0.10
2. User Server Manager to modify the properties of TCP/IPv6 on the Local Area Connection 2, and add
2001:db8:0:2:0:5efe:172.16.0.10 as the preferred DNS server.
Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to
allow communication between an IPv6–only network and an IPv4–only network.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Question: How can you provide a DNS server dynamically to an IPv6 host?
Question: Your organization is planning to implement IPv6 internally. After some research,
you have identified unique local IPv6 addresses as the correct type of IPv6 addresses to use
for private networking. To use unique local IPv6 addresses, you must select a 40-bit identifier
that is part of the network. A colleague suggests using all zeros for the 40 bits. Why is this
not a good idea?
Question: How many IPv6 addresses should an IPv6 node be configured with?
Best Practice:
Use the following best practices when implementing IPv6:
Module 9
Implementing Local Storage
Contents:
Module Overview 9-1
Module Overview
Storage is one of the key components that you must consider when planning and deploying Windows
Server® 2012 operating systems. Most organizations require a great deal of storage because users work
regularly with applications that create new files that need to be stored in a central location. Storage
demands increase when users keep their files for longer periods of time. Every time a user logs on to a
server, an audit trail is created in an event log, which also uses storage. Even as files are created, copied,
and moved, storage is required.
This module introduces you to different storage technologies. It discusses how to implement the storage
solutions in Windows Server 2012, and how to use Storage Spaces, a new feature that you can use to
combine disks into pools that are then managed automatically.
Objectives
After completing this module you will be able to:
• Explain the various storage technologies.
Lesson 1
Overviiew of Storage
S
Wheen you plan a server deployment, one of the t key compo onents that yoou will require is storage. The
ere
are various types of storage tha orage, to storage that is remotely
at you can utilize, from locallly attached sto
acce
essed via Etherrnet, or even connected
c withh optical fiber.. You should bbe aware of each solution’s
ben
nefits as well ass its limitationss.
As you
y prepare to o deploy storag ge for your environment, yo
ou will need too make some im
mportant decisions.
Thiss lesson addressses questions you might consider, such ass the following
g:
Lessson Objectiives
Afte ou will be able to:
er completing this lesson, yo
• Describe disk
k types and perrformance.
• Describe direct-attached storage.
• Describe netw
work-attached storage.
• Describe RAID
D levels.
• Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel, for
connecting the motherboard or device adapters to mass storage devices such as hard disk drives and
optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but
SATA host adapters and devices communicate via a high-speed serial cable over two pairs of
conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0, and 6.0 GB per
second, depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than
other drive options, but also provide less performance. Organizations may choose to deploy SATA
drives when they require large amounts of storage, but not high performance. SATA disks are
generally low-cost disks that provide mass storage. However, for the lower cost they are also less
reliable compared to serial attached SCSI (SAS) disks.
A variation on the SATA interface is eSATA, which is designed to enable high-speed access to
externally-attached SATA drives.
• Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and
transferring data between computers and peripheral devices. SCSI was originally introduced in 1978
and was designed as an interface on a lower-level communication, subsequently allowing it to take
less processing power and perform transactions at higher speeds. SCSI became a standard in 1986.
Similar to EIDE, SCSI was designed to run over parallel cables; however, recently the usage has been
expanded to run over other mediums. The 1986 parallel specification of SCSI had initial speed
transfers of 40 MB per second. The more recent 2003 implementation, Ultra 640 SCSI, also known as
Ultra 5, can transfer data at speeds of 5,120 MB per second. SCSI disks provide higher performance
than SATA disks, but are also more expensive.
• SAS. SAS is a further implementation of the SCSI standard. SAS depends on a point-to-point serial
protocol that replaces the parallel SCSI bus technology, and uses the standard SCSI command set. SAS
offers backwards-compatibility with second generation SATA drives. SAS drives provide are reliable
and made for 24 hours a day, seven days a week (24/7) operations in data centers. With up to 15,000
rotations per minute (RPM), these disks are also the fastest traditional hard disks.
• Solid State Drives (SSDs). SSDs are data storage devices that use solid-state memory to store data
rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs
use microchips to store the data and do not contain any moving parts. SSDs provide fast disk access,
use less power, and are less susceptible to failure from being dropped than traditional hard disks
(such as SAS drives), but are also much more expensive per GB of storage. SSDs typically use a SATA
interface so you can usually replace hard disk drives with SSDs without any modifications.
Note: Fibre Channel, fire-wire, or USB-attached disks are also available storage options.
They define either the transport bus or the disk type. For example, USB-attached disks use mostly
with SATA or SSD drives to store data.
9-4 Implementing Local Storage
Wh
hat Is Direct Attache
ed Storage
e?
Alm
most all servers provide some e built-in storage.
Thiss type of storag
ge is referred tot as direct
atta
ached storage (DAS).
( DAS can n include diskss that
are physically locaated inside the e server, conneected
dire
ectly with an exxternal array, or
o disks that arre
connected to the server with a USB U cable or an a
alternative communications me ethodology.
Prim
marily, DAS stoorage is physically connected d to
the server. Becausse of this, if the
e server sufferss a
powwer failure, the
e storage is una available. DAS
commes in various disk
d types such h as SATA, SAS S or
SSDD, which affect the speed and d the performa ance
of the storage, and has both advantages and disadvantagess.
Adv
vantages off Using DAS
S
A tyypical DAS systtem is made up of a data sto orage device th hat includes a number of haard disk drives that
are connected dirrectly to a com
mputer through h a host bus addapter (HBA). Between the D DAS and the
com
mputer, there are
a no network k devices such as hubs, switcches, or routerrs. Instead, the storage is
connected directlyy to the serverr that utilizes itt, making DASS the easiest sttorage system to deploy and
d
maintain.
DAS S also has drawwbacks in its acccess methodoologies. Due too the way read ds and writes aare handled byy the
servver operating system,
s DAS ca an be slower th
han other storrage technolog gies. Another d
drawback is th
hat
DAS S shares the prrocessing power and server memory
m to whhich it is conneected. This me
eans that on ve
ery
busyy servers, disk access may sloow when the operating
o systeem is overloadded.
20410A: Installling and Configuringg Windows Server® 2012 9-5
What
W Is Ne
etwork Attached Storage?
Network
N attached storage (NAAS) is storage that
t is
co
onnected to a dedicated storage device an nd then
acccessed over the network. NAS is differentt than
DAS in that the storage is nott directly attached to
eaach individual server, but ratther is accessib
ble
accross the netwwork to many servers. NAS ha as two
diistinct solution
ns: a low-end appliance
a (NAS S only),
an
nd an enterprise-class NAS that
t integratess with
SA
AN.
Ea
ach NAS devicce has a dedica ated operating g system
th
hat solely controls the accesss to the data on
o the
deevice, which re
educes the oveerhead associa ated
with
w sharing the e storage devicce with other server
s servicess. An example of NAS softwaare is Windowss®
Sttorage Server, a feature of Windows
W Serve
er 2012.
Advantages
A of Using NA
AS
NAS is an ideal choice for org ganizations tha at are looking for a simple a nd cost-effective way to achhieve
fa
ast data accesss for multiple clients
c at the file level. Users of NAS beneffit from perform
mance and
productivity gaiins because the processing power
p of the N
NAS device is d
dedicated soleely to the distriibution
off the files.
• NAS storag
ge is usually mu
uch larger than DAS.
• NAS offers a single location for all criticcal files, ratherr than inter-disspersing them on various servers or
devices with DAS.
NAS can also be e considered a Plug and Playy solution thatt is easy to insttall, deploy, an
nd manage, wiith or
without
w IT staff at hand.
Disadvantag
D es of Using NAS
NAS is slower thhan SAN techn nologies. NAS is frequently aaccessed via Etthernet protoccols. Because oof this, it
re n the network supporting the NAS solution
elies heavily on n. For this reasson, NAS is commonly used as a file
sh
haring/storage e solution and cannot (and should not) be used with datta-intensive ap pplications succh as
Microsoft
M Exchaange Server an QL Server®.
nd Microsoft SQ
9-6 Implementing Local Storage
NAS S is also slowerr than SAN tecchnologies. NA AS is frequentlyy accessed viaa Ethernet prottocols. Because
e of
this,, it relies heaviily on the netw
work that is suppporting the N
NAS solution. FFor this reasonn, NAS is commmonly
usedd as a file sharring and storag ge solution; it cannot and shhould not be u used with data intensive
appplications such as Microsoft® Exchange Server and Micro osoft SQL Serveer®.
Wh
hat Is a SA
AN?
The third type of storage is a sto orage area nettwork
(SANN). A SAN is a specialized hig gh speed netwwork
thatt connects com mputer systems or host serve ers to
highh-performance e storage subssystems. A SANN
usua ally includes various compon nents such as host
bus-adapters (HBA witches to help route
As), special sw
w logical unit
trafffic, and storage disk arrays with
nummbers (LUNs) for storage.
Unliike DAS or NA
AS, a SAN is controlled by a hardware
h devicce and offers tthe fastest acccess to the storrage
and offers methodds to minimizee overhead (su
uch as using raaw disks).
Adv
vantages off Using SAN
N
SANN technologiess read and writte at block leve els, making daata access mucch faster. For e example, with most
DASS and NAS soluutions, if you write
w a file of 8 GB, the entiree file will havee to be read/written and its
checksum calculatted. With SAN N, the file is written to the dissk based on th he block size fo
or which the SAAN is
set up. This speed
d is accomplishhed by fiber acccess methodo ologies and blo ock level writin
ng, instead of
having to read/wrrite an entire file
f by using a checksum.
SAN
Ns also provide
e:
• Centralization
n of storage in
nto a single pool, which enab
bles storage reesources and server resource
es to
grow indepen ndently. They also
a enable sto orage to be dyynamically assiigned from the pool when itt is
required. Storrage on a give
en server can be
b increased o r decreased ass needed witho out complex
reconfiguringg or re-cabling
g of devices.
• A high leve
el of redundancy. Most SANss are deployed d with multiplee network deviices and pathss
through thee network. As well, the stora ntains redundaant components such as pow
age device con wer
supplies and hard disks.
Disadvantag
D es of Using SAN
Th
he main drawb back to SAN teechnology is th
hat due to thee complexities in the configu uration, SAN offten
re
equires managgement tools and expert skillls. It is also con
nsiderably mo re expensive than DAS or NA AS; an
ntry level SAN can often cosst as much as a fully loaded sserver with a D
en DAS or an NASS device, and tthat is
without
w any SAN disks or con
nfiguration.
To
o manage a SA AN, you often use command d-line tools. Yo
ou must have a firm understanding of the
unnderlying techhnology, includ
ding the LUN setup,
s the Fibrre Channel bacck end, the blo
ock sizing, and
d so on.
In
n addition, each storage vend dor often implements SANs using differen nt tools and features. Becausse of
th
his, organizatio
ons often havee dedicated pe o manage the SAN deployment.
ersonnel whosee only job is to
What
W Is RA
AID?
RA AID is a techno
ology that youu can use to coonfigure
sttorage systemss that provide high reliabilityy and
(p
potentially) higgh performancce. RAID implements
sttorage systemss by combining g multiple diskks into a
single logical unnit called a RAID array, which,
de epending on the
t configuratiion, can withsttand
th
he failure of onne or more of the physical hard
diisks, or provide
e higher perfoormance than is i
avvailable by using a single dissk.
RA
AID provides an a important component—
c
re
edundancy—th hat you can usse when planning and
de
eploying Wind dows Server 20 012 servers. In most
orrganizations, itt is important that the servers are availablee all of the tim ers provide highly-
me. Most serve
edundant components such as redundant power suppliees, and redund
re dant network aadapters. The g
goal of
th
his redundancyy is to ensure that
t the serverr remains avail able even wheen a single com mponent on th he
se
erver fails. By implementing RAID, you can n provide the ssame level of rredundancy for the storage ssystem.
How
H RAID Works
W
RA
AID enables fa
ault tolerance by
b using addittional disks to ensure that th
he disk subsysttem can continnue to
fu
unction even iff one or more disks in the su
ubsystem fail. R
RAID uses two options for en
nabling fault
to
olerance:
• Disk mirrorring. With disk mirroring, all of the informaation that is w written to one d
disk is also writtten to
another dissk. If one of the
e disks fails, th
he other disk iss still available.
• Parity information. Parityy information iss used in the eevent of a diskk failure to calcculate the information
that was stoored on a disk k. If you use thiis option, the sserver or RAIDD controller callculates the paarity
information n for each blocck of data thatt is written to tthe disks, and then stores th his information
n on
another dissk or across mu ultiple disks. Iff one of the dissks in the RAID
D array fails, th
he server can u
use the
data that iss still available on the functio onal disks alonng with the parrity informatio on to recreate the
data that was
w stored on the t failed disk.
9-8 Implementing Local Storage
RAID subsystems can also provide potentially better performance than single disks by distributing disk
reads and writes across multiple disks. For example, when implementing disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.
Note: Although RAID can provide a greater level of tolerance for disk failure, you should
not use RAID to replace traditional backups. If a server has a power surge or catastrophic failure
and all of the disks fail, then you would still need to rely on standard backups.
• Hardware RAID requires disk controllers that are RAID-capable. Most disk controllers shipped with
new servers have this functionality.
• To configure hardware RAID, you need to access the disk controller management program. Normally,
you can access this during the server boot process or by using a web page that runs management
software.
• Implementing disk mirroring for the disk containing the system and boot volume with software RAID
can require additional configuration when a disk fails. Because the RAID configuration is managed by
the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk
fails, you may need to modify the boot configuration for the server to start the server. This is not an
issue with hardware RAID, because the disk controller will access the available disk and expose it to
the operating system.
• In older servers, you may get better performance with software RAID when using parity because the
server processor can calculate parity more quickly than the disk controller can. This is no longer an
issue with newer servers, where you may get better performance on the server because you can
offload the parity calculations to the disk controller.
Question: Should all disks be configured with the same amount of fault tolerance?
20410A: Installling and Configuringg Windows Server® 2012 9-9
RAID
R Levels
When
W implementing RAID, yo ou need to deccide
what
w level of RA
AID to implement. The most
co
ommon Raid le evels are RAID D 1 (also knownn as
mirroring),
m RAIDD 5 (also know wn as striped se
et with
diistributed parity) and RAID 1+0 1 (also know wn as
mirrored
m set in a stripe set). The table beloww lists
he features for each differentt RAID level.
th
Space
Level Desscription Performan
nce Red undancy Comments
utilizatiion
RAID 0 Strriped set High read All spacce on A siingle disk Use only in
witthout parity orr and write the dis ks is failu
ure results here
situations wh
mirroring performannce availab
ble in t he loss of you require h
high
Daata is written all d
data performance e
seqquentially to and can tolerate
each disk data loss
RAID 1 Miirrored set Good Can on nly use Cann tolerate a Frequently u
used
witthout parity orr performan
nce the ammount singgle disk for system an
nd
strriping of spacce that failu
ure boot volume es
Daata is written is availaable with hardware
to both disks on the RAID
sim
multaneously smallesst disk
RAID 2 Daata is written Extremely One orr more Cann tolerate a Requires that all
in bits to each high disks u sed for singgle disk disks be
dissk with parity performannce parity failu
ure synchronizedd
written to Not currentlyy
sepparate disk or used
dissks
RAID 3 Daata is written Very high One di sk Cann tolerate a Requires that all
in bytes to each performannce used foor singgle disk disks be
dissk with parity parity failu
ure synchronizedd
written to Rarely used
sepparate disk or
dissks
RAID 4 Daata is written Good readd One di sk Cann tolerate a Rarely used
in blocks to performannce, used foor singgle disk
each disk with poor write
e parity failu
ure
parity written to performannce
a dedicated
d disk
k
9-10 Implementing Local Storage
Space
Level Description Performance Redundancy Comments
utilization
RAID 5 Striped set with Good read The Can tolerate a Commonly used
distributed performance, equivalent of single disk for data storage
parity poor write one disk used failure where
Data is written performance for parity performance is
in blocks to not critical, but
each disk with maximizing disk
parity spread usage is
across all disks important
RAID 6 Striped set with Good read The Can tolerate Commonly used
dual distributed performance, equivalent of two disk for data storage
parity poor write two disks failures where
Data is written performance used for performance is
in blocks to parity not critical but
each disk with maximizing disk
double parity usage and
written across all availability are
disks important
RAID Striped sets in a Very good Only half the Can tolerate Not commonly
0+1 mirrored set read and disk space is the failure of used
A set of drives is write available due two or more
striped, and performance to mirroring disks as long
then the strip as all failed
set is mirrored disks are in the
same striped
set
RAID Mirrored set in a Very good Only half the Can tolerate Frequently used
1+0 stripe set read and disk space is the failure of in scenarios
Several drives write available due two or more where
are mirrored to performance to mirroring disks as long performance
a second set of as both disks and redundancy
drives, and then in a mirror do are critical, and
one drive from not fail the cost of the
each mirror is required
striped additional disks
is acceptable
20410A: Installinng and Configuring W
Windows Server® 20012 9-11
Lesson
n2
Mana
aging Disks
D and
d Volum
mes
Id
dentifying whicch storage technology that you
y will want tto deploy is th he first critical sstep in making
g sure
th
hat your enviro
onment is prep pared for data storage requi rements. This, however, is only the first ste ep.
Th u will need to take to preparre for data sto
here are otherr steps that you orage requirem ments.
Fo
or example, onnce you have identified the best
b olution, or havve chosen a mix of storage
storage so
so
olutions, you need
n to figure out the best way
w to managee that storage.. Ask yourself tthe following
qu
uestions:
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe se
electing a partiition table form
mat.
• Describe th
he difference between
b basic and dynamic d
disk types.
• Explain a re
esilient file systtem.
• Describe th
he process of extending
e and shrinking volu
umes.
MBR
M
Thhe MBR partitiion table forma at is the standard
pa heme that has been used on hard
artitioning sch
diisks since the first
f personal computers
c cam
me out
in
n the 1980s. Thhe MBR partitio on table forma at has
th
he following ch haracteristics:
• If you initia
alize a disk larg
ger than 2 TB using
u MBR, thee disks are only able to store
e volumes up tto 2 TB
and the resst of the storag ge will not be used.
u You musst convert the disk to GPT if you want to u
use all of
its space.
9-12 Implemennting Local Storage
GPT
T
The GPT was introoduced with Windows
W Server 2003 and Wiindows® XP 64 4-bit Edition too overcome th
he
limitations of MBR
R, and to addrress larger disk
ks. GPT has thee following chaaracteristics:
• GPT is the succcessor of MBR
R partition tab
ble format
• Supports a maximum
m of 128 partitions pe
er drive
• A partition ca
an have up to 8 zettabytes (Z
ZB)
• A hard disk ca
an have up to 18 exabytes (E
EB), with 512 kkilobytes (KB) logical block aaddressing (LB
BA)
Note: If you
ur hard disk is larger than 2 TB,
T you should
d use the GPT partition table
e format.
Additional Reading: For frequently ask ked questions about the GU ID partitioning
g table disk
arch
hitecture, see http://support
h .microsoft.com
m/kb/302873.
Sellecting a Disk
D Type
Whe en selecting a type of disk fo
or use in Wind
dows
Servver 2012, you can
c choose be etween basic disks
d
and dynamic disk ks.
Bassic Disk
Basiic storage usess normal partittion tables tha at are
usedd by all versionns of the Wind dows operating g
system. A disk tha at is initialized for basic stora
age is
calle
ed a basic diskk. A basic disk contains
c basic
parttitions, such ass primary partiitions and exte ended
parttitions. You can subdivide exxtended partitiions
into
o logical drivess.
By default,
d when youy initialize a disk in Windoows, the disk iss configured aas a basic disk. You can easilyy
convert basic disk ks to dynamic disks
d without any
a loss of datta; however, w when convertin ng a dynamic d disk to
basiic disk, all data
a on the disk will
w be lost.
Somme applications cannot addre ess data that iss stored on dyynamic disks. TThere is also no
o performance e gain
by converting
c bassic disks to dyn
namic disks. Foor these reason ns, most admin nistrators do n
not convert baasic
disk
ks to dynamic disks
d hey need to use some of the additional volume configurration options that
unless th
are available with dynamic diskss.
Dyn
namic Disk
Dynnamic storage is supported in n all Windows operating sysstems includingg the Window ws XP operating g
systems and the Microsoft
M Wind dows NT® Servver 4.0 operati ng system. A d
disk that is inittialized for dyn
namic
storrage is called a dynamic diskk. A dynamic disk contains dyynamic volumes. With dynam mic storage, yoou
can perform disk and volume management
m without
w the neeed to restart W
Windows operaating systems.
Whe en you configu ure dynamic disks,
d me is a storage unit
you creatte volumes ratther than partitions. A volum
thatt is made from
m free space onn one or more disks. You can n format the voolume with a ffile system, and can
assign a drive letter or configure it with a mount point.
20410A: Installing and Configuring Windows Server® 2012 9-13
• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a
disk, or consist of multiple, concatenated regions. A simple volume can be extended within the same
disk or on to additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume
cannot be mirrored, and is not fault-tolerant; therefore, if you lose one disk, you will lose the entire
spanned volume.
• Striped volumes. A striped volume has data that is spread across two or more physical disks. The data
on this type of volume is allocated alternately and evenly to each of the physical disks. A striped
volume cannot be mirrored or extended, and is not fault-tolerant. This means that the loss of one disk
causes the immediate loss of all the data. Striping is also known as RAID-0.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume that has all data duplicated onto two
physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume that has data striped across a minimum
of three or more disks. Parity is also striped across the disk array. If a physical disk fails, the portion of
the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the
parity. A RAID-5 volume cannot be mirrored or extended.
• System volumes. The system volume contains the hardware-specific files that are needed to load
Windows operating system (for example, Bootmgr and BOOTSECT.bak). The system volume can—but
does not have to—be the same as the boot volume.
• Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%’System32 folders. The boot volume can—but does not have to—
be the same as the system volume.
Note: When you install the Windows 8 operating system or the Windows Server 2012
operating system in a clean installation, a separate system volume is created to enable encrypting
the boot volume by using Windows BitLocker® drive encryption.
Additional Reading: For more information about how basic disks and volumes work, see
http://go.microsoft.com/fwlink/?LinkID=199648.
Sellecting a File
F System
m
Wheen you configu ure your disks in Windows Server
2012, you can chooose between FAT, NTFS, and
ReFS file systems.
File
e Allocation
n Table (FAT
T)
The file allocation table (FAT) is the most simpplistic
of the file systemss that Window ws operating
systems support. TheT FAT file syystem is
characterized by a table that ressides at the ve
ery
top of the volume he volume, two
e. To protect th
copies of the FAT file system are e maintained in
i
casee one becomes damaged. In n addition, the file
a the root directory must be
allocation tables and
ocation so that the system’s boot files can
storred in a fixed lo n be correctly located.
NTFS
NTFFS is the standa
ard file system
m for all Windoows operating systems begin nning with Win ndows NT Servver
4.0. Unlike FAT, th
here are no speecial objects on
o the disk, and d there is no d
dependence on n the underlying
harddware, such ass 512-byte secttors. In additio
on, in NTFS theere are no speecial locations o
on the disk, su
uch as
the tables.
NTFFS is an improvvement over FA AT in several ways,
w such as b better supportt for metadata, and the use oof
advanced data strructures to imp prove performmance, reliabilitty, and disk sp
pace utilization
n. NTFS also haas
addditional extensiions such as se
ecurity access control
c lists (A
ACLs), which yo
ou can use for auditing, file
system journaling, and encryption.
Re
eFS uses features from NTFSS, and is designned to maintaiin backward co ompatibility w
with its older W
Windows
op
perating system versions. Windows 8 clien nts or older Wiindows client o operating systems can read and
write
w ard-drive partiitions and to shares on a serrver, just as theey can with tho
to ReFS ha ose running N NTFS.
Yoou should use ReFS with verry large volumes and very larrge file shares to overcome the NTFS limittation of
errror checking and
a correction n. Because ReFS was not ava ilable prior to Windows Servver 2012 (the o only
ch
hoice was NTFS), it makes se ense to use ReFFS with Windoows Server 201 12 instead of N
NTFS to achievve better
errror checking, better reliabiliity, and less co
orruption.
What
W Is a Resilient
R File System??
Thhe Resilient File System (ReFFS) is a new fea
ature in
Windows
W Server 2012. ReFS iss based on thee NTFS
fille system, and provides the following
f adva
antages:
• Metadata in
ntegrity with checksums
c
• Expanded protection
p aga
ainst data corru
uption
• Large volum
me, file, and diirectory sizes
• ualization, which makes creaating and man
Storage pooling and virtu naging file systems easier
• Data stripin
ng for perform
mance (bandwid
dth can be maanaged) and reedundancy forr fault tolerancce
• Disk scrubb
bing for protecction against la
atent disk erro
ors
• Resiliency to
t corruptions with recovery for maximum
m volume availaability
Re
eFS inherits so
ome features frrom NTFS, inclluding the follo
owing:
• Update seq
quence numbe
er (USN) journa
al
• Change nottifications
• Symbolic lin
nks, junction points,
p mount points and rep
parse points
• Volume sna
apshots
• File IDs
9-16 Implemennting Local Storage
Because ReFS uses a subset of features from NTFS, N it is desi gned to mainttain backward compatibility with
NTFFS. Therefore, Windows
W 8 clie
ents or older Windows
W clientt operating syystems can read and write to o ReFS
hardd-drive partitio
ons and sharess on a server, just as they can n with those ruunning NTFS. However, as
imp
plied in its nam
me, the new file e system offerss greater resilieency, meaning g better data vverification, errror
corrrection, and sccalability.
Beyond its greater resiliency, Re
eFS also surpassses NTFS by ooffering larger maximum size
es for individu
ual
filess, directories, disk
d volumes, and
a other item ms, as listed in tthe following ttable.
Atttribute Limit
Maximum
M size of
o a single file ~16 exabytees (EB) (18.446
6.744.073.709.5
551.616 bytes))
Maximum
M size of
o a single volu
ume 2^78 bytes wwith 16 KB clu
uster size
(2^64 * 16 * 2^10)
Windows sttack addressingg allows 2^64
4 bytes
Maximum
M number of files in a directory 2^64
Maximum
M number of directorries in a 2^64
vo
olume
Maximum
M file name
n length 32,000 Unico
ode characterss
Maximum
M path length 32,000
Maximum
M size of
o any storage
e pool 4 petabytes (PB)
Maximum
M number of storage
e pools in a No limit
syystem
Maximum
M number of spaces in a storage No limit
po
ool
Wh
hat Are Mo
ount Pointts and Link
ks?
With the NTFS and ReFS file sysstems, you can n
crea
ate mount points and links to refer to files,
dire
ectories, and vo
olumes.
Mo
ount Points
Mou unt points are used in Windo ows operatingg
systems to make a portion of a disk or the entire
disk
k useable by thhe operating syystem. Most
commmonly, moun nt points are asssociated with drive
lette
er mappings so o that the opeerating system can
gain e disk through the drive lette
n access to the er.
• If you are running out of drive space on a server and you want to add disk space without modifying
the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
• If you are running out of available letters to assign to partitions or volumes. If you have several hard
disks that are attached to the server, you may run out of available letters in the alphabet to which to
assign drive letters. By using a volume mount point, you can add additional partitions or volumes
without using more drive letters.
• If you need to separate disk input/output (I/O) within a folder structure. For example, if you are using
an application that requires a specific file structure, but which uses the hard disks extensively, you can
separate the disk I/O by creating a volume mount point within the folder structure.
Note: You can assign volume mount points only to empty folders on an NTFS partition.
This means that if you want to use an existing folder name, you must first rename the folder,
create and mount the hard disk using the required folder name, and then copy the data to the
mounted folder.
Links
A link is a special type of file that contains a reference to another file or directory in the form of an
absolute or relative path. Windows supports the following two types of links:
A link which is stored on a server share could refer back to a directory on a client that is not actually
accessible from the server where the link is stored. Because the link processing is done from the client, the
link would work correctly to access the client, even though the server cannot access the client.
Links operate transparently: applications that read or write to files that are named by a link behave as if
they are operating directly on the target file. For example, you can use a symbolic link to link to a Hyper-
V® parent virtual hard disk file from another location. Hyper-V uses the link to work with the parent virtual
hard drive (VHD) as it would use the original file. The benefit of using symbolic links is that you do not
need to modify the properties of your differencing VHD.
Note: In Hyper-V, you can use a differencing virtual hard disk (VHD) to save space by
making changes only to the child VHD, when the child VHD is part of a parent/child VHD
relationship.
Links are sometimes easier to manage than mount points. Mount points force you to place the files on the
root of the volumes, whereas with links you can be more flexible with where you save files.
You can create links in a Windows Explorer window, or by using the mklink.exe tool in a command-line
interface window.
9-18 Implementing Local Storage
Demonstration Steps
o Size: 4000 MB
7. On the taskbar, open a Windows Explorer window, and then click Local Disk (C:). You should now
see the MountPointFolder with a size of 4,095,996 KB assigned to it. Notice the icon that is assigned
to the mount point.
2. In Windows Explorer, in the right pane, double-click System32 Shortcut. Notice how the shortcut
path changes automatically to the correct path in the Address bar.
2. In Windows Explorer, in the right pane, double-click Paint Shortcut. Note how the link opens Paint.
Using links can be very useful if you want to refer to a file such as a virtual hard disk that is located on
another drive.
20410A: Installinng and Configuring W
Windows Server® 20012 9-19
Extending and
a Shrink
king Volum
mes
In
n versions of Windows
W prior to Windows Seerver
20
003 or Window ws Vista®, you required additional
oftware to shrink or extend a volume on your
so
diisk. Since Winddows Server 20 003 and Windows
uded in the Windows
Vista, this functionality is inclu
opperating system so you can use the Disk
Management
M sn
nap-in to resizze NTFS volummes.
When
W you wantt to resize a vo
olume, you mu
ust be
aw
ware of the following:
• ave the ability to shrink or extend
You only ha
NTFS volum
mes. FAT, FAT3 32 or exFAT vo olumes
cannot be resized.
r
• You can on
nly extend ReFS
S volumes, nott shrink them.
• To extend a volume, the available disk space must bee adjacent to tthe volume thaat is extended. If free
space is nott adjacent to the
t volume, yoou will not be aable to extend
d the disk.
• You can exttend a volume e using free space on the sam me disk as welll as other diskks. When you eextend a
volume with other disks, you create a dynamic
d disk wwith a striped vvolume. In a sttriped volume,, if one
disk fails, alll data on the volume
v is lost.. Also, a striped
d volume cann not contain booot or system
partitions, thus
t you cannoot extend your boot partitio ons by using an nother disk.
o modify a vollume, you can use Disk Management, the Diskpart.exe tool, or the Ressize-Partition
To n
cm
mdlet.
Fo
or more inform
mation about how
h to shrink a basic volumee, see http://teechnet.microso
oft.com/de-
de
e/library/cc731894.
9-20 Implemennting Local Storage
Lesson 3
Implem
menting
g Storag
ge Spacces
Man naging physica al disks that arre attached dirrectly to a servver has proven
n to be a tedious task for
adm
ministrators. Too overcome this problem, ma any organizatiions used SAN Ns that essentiaally grouped
phyysical disks together.
SAN
Ns require speccial configuration, however, and sometimees special hard dware, which m makes them
expensive. To ove ercome these isssues, you can
n use Storage SSpaces, which iis a Windows SServer 2012 fe
eature
thatt pools disks to
ogether and presents them tot the operatin This lesson explains
ng system as a single disk. T
w to configure and implemen
how nt the Storagee Spaces featurre.
Man naging physica al disks that arre attached dirrectly to a servver has proven
n to be a tedious task for
adm
ministrators. Too overcome this problem, ma any organizatiions used SAN Ns that essentiaally grouped
phyysical disks together.
SAN
Ns require speccial configuration, however, and sometimees special hard dware, which m makes them
expensive. To ove ercome these isssues, you can
n use Storage SSpaces, which iis a Windows SServer 2012 fe
eature
thatt pools disks to
ogether and presents them tot the operatin This lesson explains
ng system as a single disk. T
w to configure and implemen
how nt the Storagee Spaces featurre.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe adva
anced manage
ement optionss for Storage S paces.
• Configure Sto
orage Spaces.
Wh
hat Is the Storage
S Sp
paces Feature?
Storrage Spaces is a storage virtu ualization capa ability
thatt is built into Windows
W Serve
er 2012 and
Winndows 8. It is a feature that iss available for both
NTFFS and ReFS vo olumes, that prrovides redund dancy
and pooled storag ge for numeroous internal and
exte
ernal drives of differing sizess and interface es.
Youu can use Stora age Spaces to add
a physical disks
d
of any
a type and siize to a storage pool, and th hen
crea
ate highly available virtual disks from it. Th he
prim
mary advantag ge of Storage Spaces
S is that you
y
do not
n manage single disks, butt can manage
mulltiple disks as one
o unit.
To create
c a highlyy-available virttual disk, you need
n the follow
wing:
• Disk drive. Th
his is a volume that you can access
a from yo
our Windows o
operating syste
em, for examp
ple, by
using a drive letter.
• Virtual disk (o
or storage spacce). This is veryy similar to a p
physical disk froom the perspe ective of users and
applications. However, virtu ual disks are more
m flexible beecause they innclude thin pro ovisioning or ju
ust-
in-time (JIT) allocations,
a and
d they include e resiliency to pphysical disk faailures with bu
uilt-in function
nality
such as mirrooring.
20410A: Installinng and Configuring W
Windows Server® 20012 9-21
o A minimum of three physical disks are required tto create a virttual disk with resiliency thro
ough
parity.
o Three-w
way mirroring requires at lea
ast five physic al disks.
o Disks must
m be blank and unformatted; no volum
me must exist o
on them.
o Disks can
c be attached using a varie ety of bus inte rfaces includin
ng iSCSI, SAS, SSATA, SCSI, an
nd USB.
If you want
w to use failover clusterin
ng with storag e pools, you ccannot use SAT TA, USB or SCSSI disks.
Virtual
V Disk
k Configurration Opttions
Yo
ou can create virtual disks frrom storage po ools. If
yo
our storage poool contains more
m than one disk,
yo
ou can also cre
eate redundan nt virtual disks.. To
co al disks or Storrage Spaces in Server
onfigure virtua
Manager
M or Win
ndows PowerS Shell, you need d to
co
onsider the red
dundancy funcctionality show wn in
th
he following ta
able.
Feature Desccription
Storage layou
ut Thiss feature defin
nes the numbeer of disks from m the storage p pool that are
allo
ocated. Valid options
o includee:
• Simple.
S A simplle space has daata striping buut no redundancy. In data sttriping,
lo
ogically sequential data is seegmented acro oss all disks in a way that acccess to
th
hese sequentia al segments caan be made to o different phyysical storage ddrives.
Striping
S makes it possible to access multiple segments of data concurrrently.
Do
D not host im mportant data o on a simple vo olume, because e it provides n
no
fa
ailover capabilities when thee disk that is sttoring the dataa fails.
• Two-way
T and three-way
t mirrrors. Mirror spaaces maintain two or three ccopies
of
o the data that they host (tw wo data copiess for two-way mirrors and th hree
data
d copies forr three-way miirrors). Duplicaation happens with every write to
ensure
e that all data copies arre always curreent. Mirror spaaces also stripe
e the
data
d across muultiple physical drives. Mirrorr spaces providde the benefit of
greater
g data th
hroughput and d lower access latency. They also do not introduce
a risk of corrup
pting at-rest daata, and do noot require the eextra journalinng stage
when
w writing data.
d
• Parity.
P A parity space is very similar to a simmple space. Daata, along with
h parity
nformation, is striped across multiple physsical drives. Parity enables Sttorage
in
Spaces
S to contiinue to servicee read and writte requests even when a drivve has
fa
ailed. Parity is always rotatedd across availaable disks to en
nable I/O
9-22 Implementing Local Storage
Feature Description
optimization. Storage spaces require a minimum of three physical drives for
parity spaces. Parity spaces have increased resiliency through journaling.
Disk sector size A storage pool’s sector size is set when it is created. If the list of drives being
used contains only 512 and/or 512e drives, then the pool is defaulted to 512e.
If, however, the list contains at least one 4-KB drive, then the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector
size that all contained spaces in the pool will inherit. After an administrator
defines this, the Windows operating system will only permit you to add drives
that have a compliant sector size, that is: 512 or 512e for a 512e storage pool,
and 512, 512e, or 4 KB for a 4-KB pool.
Drive allocation • This defines how the drive is allocated to the pool. Options are:
• Data Store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store
drives for both storage space creation and JIT allocation.
• Manual. Administrators can choose to specify manual as the usage type for
drives that are added to a pool. A manual drive is not used automatically as
part of a storage space unless it is specifically selected at the creation of that
storage space. This usage property makes it possible for administrators to
specify particular types of drives for use by only certain Storage Spaces.
• Hot Spare. Drives added as Hot-Spares to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that
is hosting columns of a storage space, a reserve drive is called upon to replace
the failed drive.
Provisioning • You can provision a virtual disk by using two different schemes:
schemes
• Thin provisioning space. Thin provisioning is a mechanism that allows storage
to be easily allocated on a just-enough and JIT basis. Storage capacity in the
pool is organized into provisioning slabs that are not allocated until the point
in time when datasets grow to require the storage. As opposed to the
traditional fixed storage allocation method—where large pools of storage
capacity are allocated but may remain unused—thin provisioning optimizes
utilization of available storage. Organizations are also able to save on
operating costs such as electricity and floor space that are associated with
keeping unused drives operating. The downside of using thin provisioning is
lower performance of your disks.
• Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also
employ the flexible provisioning slabs. The difference between thin
provisioning and a fixed provisioning space is that the storage capacity in the
fixed provisioning space is allocated at the same time that the space is
created.
Cluster disk Failover clustering prevents interruption to workloads or data in the event of a
requirement machine failure. For a pool to support failover, clustering all assigned drives
must support a multi-initiator protocol, such as SAS.
Note: You can use Storage Spaces to create both thin and fixed provisioning virtual disks
within the same storage pool. Having both provisioned types in the same storage pool is
convenient, particularly when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.
20410A: Installinng and Configuring W
Windows Server® 20012 9-23
Advanced
A Managem
M ent Options for Storrage Space
es
Seerver Managerr provides you with basic
management
m of virtual disks and
a storage po ools. In
Seerver Managerr, you can crea ate storage pools, add
o and remove physical disks from pools, an
to nd
crreate, manage, and delete viirtual disks. For
y can view the
exxample, in Servver Manager you
physical disks th
hat are attache ed to a virtual disk,
annd Server Man nager will displlay if any of th
hese
diisks are unhealthy.
Fa
ailed disks in a virtual disk or storage pool are
orrected by removing the disk that is causing the
co
problem. Tools such as defrag gmenting, scan n disk.
orr chkdsk do not apply for re epairing a storage pool. To rreplace a failed
d disk, you add
d a new disk too the
po
ool. The new disk
d will autom matically resyncchronize whenn disk mainten nance occurs. TThis will occur during
da
aily maintenan nce, or you can n trigger it manually.
Windows
W PowerShell® provide
es advanced management
m o
options for virttual disks and storage pools.. Some
exxamples of the
e command-linne interfaces are listed in thee following tab
ble.
Windows
W Pow
werShell cmdle
et Description
n
Get-StorageP
Pool Lists storag
ge pools
Get-VirtualD
Disk Lists virtuall disks
Repair-VirtualDisk Repairs a V
Virtual Disk
Get-PhysicalDisk | Where{$_.HealthSta
atus –ne Lists unheaalthy physical d
disks
“Healthy”}
Get-VirtualD
Disk | Get-Phy
ysicalDisk Lists physiccal disks that are used for a vvirtual
disk
Demonstra
D ation: Conffiguring Sttorage Spaaces
In
n this demonsttration, you will see how to create
c a storag
ge pool, a simp
ple virtual diskk, and a volume.
Demonstrati
D ion Steps
Create
C a storrage pool
1.. On LON-SV
VR1, in Server Manager, acce
ess File and Sttorage Service
es and Storag
ge Pools.
9-24 Implementing Local Storage
2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and add all of the
available disks.
o Size: 2 GB
2. On the View results page, wait until the creation is completed, make sure the Create a volume
when this wizard closes check box is selected.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. One of your first assignments is configuring the infrastructure
service for a new branch office.
Your manager has asked to add disk space to a file server. After creating volumes, your manager has also
asked you to resize those volumes based on updated information he has been given. Finally, you need to
make data storage redundant by creating a 3-way mirrored virtual disk.
Objectives
After completing this lab, you will be able to:
• Resize volumes.
Lab Setup
Estimated time: 30 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. In Server Manager, open Computer Management, and then access Disk Management.
3. Initialize Disk 2 and configure it to use GPT (GUID Partition Table).
o Drive Letter: F
2. In the Computer Management console, on Disk 2, create a Simple Volume with the following
attributes:
o Volume size: 5000 MB
o Drive Letter: G
o Volume1 (F:)
o Volume2 (G:),
Results: After you complete this lab, you should have initialized a new disk, created two simple volumes,
and formatted them. You should also have verified that the drive letters are available in Windows
Explorer.
20410A: Installing and Configuring Windows Server® 2012 9-27
1. Shrink Volume1.
2. Extend Volume2.
2. Use Windows Explorer to verify that the folder Folder1 is still on drive G.
Results: After this lab, you should have made one volume smaller, and extended another.
After creating the storage pool, you will also need to create a redundant virtual disk. As the data is critical,
the request for redundant storage specifies that you need to use a three-way mirrored volume. Shortly
after the volume is in use, a disk fails and you have to add another disk to the storage pool to replace it.
The main tasks for this exercise are as follows:
1. Create a storage pool from five disks that are attached to the server.
X Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, open Server Manager.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
o Name: StoragePool1
o PhysicalDisk3
o PhysicalDisk4
9-28 Implementing Local Storage
o PhysicalDisk5
o PhysicalDisk6
o PhysicalDisk7
2. In the New Volume Wizard, create a volume with the following settings:
o Drive letter: H
o File system: ReFS
X Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. On the Start screen, type command prompt, and then press Enter.
2. Type the following command:
3. Open Windows Explorer from the taskbar, and access Mirrored Volume (H:). You should now see
mspaint.exe in the file list.
2. Use Windows Explorer and browse to H:\mspaint.exe to ensure access to the file is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that displays next to Mirrored Disk.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, click Add Physical Disk, and then click
PhysicalDisk8 (LON-SVR1).
Results: After completing this lab, you should have created a storage pool and added five disks to it. Then
you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You
should have also copied a file to the new volume and verified that it is accessible. Next, you should have
verified that the virtual disk was still available and could be accessed after removing a physical drive.
Finally, you should have added another physical disk to the storage pool.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Question: What are the two different types of disks in Disk Management?
Question: You attach five 2 TB disks to your Windows Server 2012 computer. You want to
manage them almost automatically, and if one disk fails, you want to make sure the data is
not lost. What feature can you implement to accomplish this?
Best Practices
The following are recommended best practices:
• If you want to shrink a volume, defragment the volume first so you can reclaim more space from the
volume.
• Use the GPT partition table format for disks larger than 2 TB.
Tools
Tool Use Where to find it
Module 10
Implementing File and Print Services
Contents:
Module Overview 10-1
Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15
Module Overview
Accessing files and printers on the network is one of the most common activities in the Windows Server®
environment. Reliable, secure access to files and folders and print resources is often the first requirement
of a Windows Server 2012-based network. To provide access to file and print resources on your network,
you must understand how to configure these resources within Windows Server 2012 server, and how to
configure appropriate access to the resources for users in your environment.
This module discusses how to provide these important file and print resources from Windows Server 2012.
You will learn how to enable and configure file and print services in Windows Server 2012, and you will
learn important considerations and best practices for working with file and print services.
Objectives
After completing this module, you will be able to:
Lesson 1
Securin
ng Filess and Fo
olders
The files and foldeers that your servers
s store tyypically contain
n your organizzation’s busine
ess and functio
onal
data
a. Providing ap ppropriate acccess to these files and folderss, usually over the network, is an importan
nt part
of managing
m a print services in Window
file and ws Server 20122.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Create and co
onfigure a shared folder.
Wh
hat Are NT
TFS Permisssions?
t files or folders
NTFFS permissions are assigned to
e that is formatted with NTFS.
on a storage drive
The permissions that you assignn to NTFS files and
fold
ders govern use
er access to th
hese files and
fold
ders.
• NTFS permisssions are contrrolled by denying or grantin g specific typees of NTFS file and folder access,
such as read or
o write.
Standard Permiissions
Stan
ndard permissions provide thhe most comm
monly used pe rmission settin
ngs for files an
nd folders. You
u
assign standard permissions in the
t main NTFSS Permissions A
Assignment window.
20410A: Installing and Configuring Windows Server® 2012 10-3
The following table details the standard permissions options for NTFS files and folders.
Full Control Grants the user complete control of the file or folder, including control of
permissions.
Modify Grants the user permission to read, write, or delete a file or folder,
including creating a file or folder.
Read and Execute Grants the user permission to read a file and start programs.
Read Grants the user permission to see file or folder content and start programs.
List folder contents Grants the user permission to view a list of the folder’s contents.
(folders only)
Note: Granting users Full Control permissions on a file or a folder gives them the ability to
perform any file system operation on the object, and the ability to change permissions on the
object. They can also remove permissions on the resource for any or all users, including you.
Advanced Permissions
Advanced permissions can provide a much greater level of control over NTFS files and folders. Advanced
permissions are accessible by clicking the Advanced button, and then accessing the Security tab of a file
or folder’s Properties sheet.
The following table details the Advanced permissions for NTFS files and folders.
Traverse The Traverse Folder permission applies only to folders. This permission
Folder/Execute File grants or denies the user’s ability to browse through folders to reach other
files or folders, even if the user has no permissions for the traversed folders.
The Traverse Folder permission takes effect only when the group or user is
not granted the Bypass Traverse Checking user right.
The Bypass Traverse Checking user right checks user rights in the Group
Policy snap-in. By default, the Everyone group is given the Bypass Traverse
Checking user right.
The Execute File permission grants or denies access to program files that are
running.
If you set the Traverse Folder permission on a folder, the Execute File
permission is not automatically set on all files in that folder.
List Folder/Read The List Folder permission grants the user permission to view file names and
Data subfolder names. The List Folder permission applies only to folders and
affects only the contents of that folder. This permission is not affected if the
folder on which you are setting the permission is listed in the folder list. In
addition, this setting has no effect on viewing the file structure from a
command-line interface.
The Read Data permission grants or denies the user permission to view data
in files. The Read Data permission applies only to files,
10-4 Implementing File and Print Services
Read Attributes The Read Attributes permission grants the user permission to view the basic
attributes of a file or a folder such as read-only and hidden attributes.
Attributes are defined by NTFS.
Read Extended The Read Extended Attributes permission grants the user permission to view
Attributes the extended attributes of a file or folder. Extended attributes are defined by
applications, and can vary by application.
Create Files/Write The Create Files permission applies only to folders, and grants the user
Data permission to create files in the folder.
The Write Data permission grants the user permission to make changes to
the file and overwrite existing content by NTFS. The Write Data permission
applies only to files.
Create The Create Folders permission grants the user permission to create folders in
Folders/Append the folder. The Create Folders permission applies only to folders.
Data The Append Data permission grants the user permission to make changes to
the end of the file, but not to delete or overwrite existing data. The Append
Data permission applies only to files.
Write Attributes The Write Attributes permission grants the user permission to change the
basic attributes of a file or folder, such as read-only or hidden. Attributes are
defined by NTFS.
The Write Attributes permission does not imply that you can create or
delete files or folders; it includes only the permission to make changes to the
attributes of a file or folder. To grant Create or Delete permissions, see the
Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and
Files, and Delete entries in this table.
Write Extended The Write Extended Attributes permission grants the user permission to
Attributes change the extended attributes of a file or folder. Extended attributes are
defined by programs, and can vary by program.
The Write Extended Attributes permission does not imply that the user can
create or delete files or folders; it includes only the permission to make
changes to the attributes of a file or folder. To grant Create or Delete
permissions, see the Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete entries in this table.
Delete Subfolders The Delete Subfolders and Files permission grants the user permission to
and Files delete subfolders and files, even if the Delete permission is not granted on
the subfolder or file. The Delete Subfolders and Files permission applies only
to folders.
Delete The Delete permission grants the user permission to delete the file or folder.
If you have not been assigned Delete permission on a file or folder, you can
still delete the file or folder if you are granted Delete Subfolders and Files
permissions on the parent folder.
Read Permissions Read Permissions grants the user permission to read permissions about the
file or folder, such as Full Control, Read, and Write.
Change Permissions Change Permissions grants the user permission to change permissions on
the file or folder, such as Full Control, Read, and Write.
20410A: Installing and Configuring Windows Server® 2012 10-5
Take Ownership The Take Ownership permission grants the user permission to take
ownership of the file or folder. The owner of a file or folder can change
permissions on it, regardless of any existing permissions that protect the file
or folder.
Synchronize The Synchronize permission assigns different threads to wait on the handle
for the file or folder, and then synchronize with another thread that may
signal it. This permission applies only to multiple-threaded, multiple-process
programs.
Example 1
For the Marketing Pictures folder, an administrator has chosen to assign Adam Carter Allow permissions
for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have Read
access to the files and folders that are contained in the Marketing Pictures folder.
Example 2
When applying NTFS permissions, the results are cumulative. For example, let us carry on with the given
example and say that Adam Carter is also a part of the Marketing group. The Marketing group has been
given Write permissions on the Marketing Pictures folder. When we combine the permissions assigned to
Adam Carter’s user account with the permissions assigned to the Marketing group, Adam would have
both Read and Write permissions for the Marketing Pictures folder.
• Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a
file or a folder take precedence over those that are inherited from a parent folder.
• Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any
Deny permissions that exist override conflicting Allow permissions within the group.
Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow
It is important to remember that NTFS permissions are cumulative, and these rules apply only when two
NTFS permission settings conflict with each other.
How to Config
gure NTFS Permissions
P
You
u can view and configure NTFS permissions by following these steps:
1. Right-click the file or folderr for which you
u want to assig
gn permissionss, and then click Properties.
Wh
hat Are Sh
hared Folde
ers?
Shared folders aree a key compo onent to grantiing
acce
ess to files on your
y server froom the networrk.
Wheen you share a folder, the fo older and all off its
contents are made available to multiple userss
simu
ultaneously ovver the networrk. Shared folders
maintain a separa ate set of permmissions from the
NTFFS permissions, which apply to the folder’ss
contents. These permissions are e used to proviide
an extra
e level of security for files and folders that
t
are made available on the netw work.
Mosst organization
ns deploy dedicated file servvers
to host
h shared folders. You can store files in shared
ders according to categories or functions. For
fold F example, yyou can put sh
hared files for tthe Sales
deppartment in one shared foldeer, and shared files for the M
Marketing depaartment in ano other.
Acccessing a Sh
hared Folder
Users typically acccess a shared folder
f over the
e network by u using its Univeersal Naming C
Convention (UN NC)
add
dress. The UNC C address conta ains the name of the server on which the ffolder is hosteed, and the acttual
sharred folder nam
me, separated byb a backward d slash (\) and preceded by ttwo backward slashes (\\). Fo
or
exammple, the UNC C path for the Sales shared foolder on the LLON-SVR1 servver would be \\\LON-SVR1\Saales.
Sha
aring a Fold
der on the Network
N
Win
ndows Server 2012
2 provides different wayss to share a follder:
Note: When sharing a folder, you will be asked to give the shared folder a name. This name
does not have to be the same name as the actual folder. It can be a descriptive name that better
describes the folder contents to network users.
Administrative Shares
You can create administrative (or hidden) shared folders that need to be available from the network, but
should be hidden from users browsing the network. You can access an administrative shared folder by
typing in its UNC path, but the folder will not display if you browse the server by using a Windows®
Explorer window. Administrative shared folders also typically have a more restrictive set of permissions
assigned to the shared folder to reflect the administrative nature of the folder’s contents.
To hide a shared folder, append the dollar symbol ($) to the folder’s name. For example, a shared folder
on LON-SVR1 named Sales can be made into a hidden shared folder by naming it Sales$. The shared
folder is accessible over the network by using the UNC path \\LON-SVR1\Sales$.
Note: Shared folder permissions apply only to users who access the folder over the
network. They do not affect users who access the folder locally on the computer where the folder
is stored.
When you create a shared folder, the default assigned shared permission for the Everyone group is set to
Read.
The following table lists the permissions that you can grant to a shared folder.
Shared folder
Description
permission
Read Users can view folder and file names, view file data and attributes, run program files
and scripts, and navigate the folder structure within the shared folder.
Change Users can create folders, add files to folders, change data in files, append data to
files, change file attributes, delete folders and files, and perform all tasks permitted
by the Read permission.
Full Control Users can change file permissions, take ownership of files, and perform all tasks
permitted by the Change permission.
Note: When you assign Full Control permissions on a shared folder to a user, that user can
modify permissions on the shared folder, which includes removing all users, including you, from
the shared folders permissions list. In most cases, you should grant Change Permission instead of
Full Control permission.
10-8 Implemennting File and Print Services
Permissions Inheritancce
By default,
d NTFS and
a shared folders use
inheeritance to proopagate permissions through hout
a fo
older structure.. When you cre eate a file or a
der, it is automatically assigned the permissions
fold
thatt are set on any folders that exist above it
(parrent folders) in
n the hierarchyy of the folder
structure.
How Inheritan
nce Is Applie
ed
Con
nsider the follo
owing example
e structure:
Ad
dam Carter
Marketing group
ew York Editorrs group
Ne
In th
his example, Adam
A is a mem
mber of two gro
oups that are assigned perm
missions for file
es or folders w
within
the folder structure. They are ass follows:
Perrmission Co
onflicts
Sommetimes, expliccitly set permisssions on a file permissions inherited from a
e or folder will conflict with p
pareent folder. In these
t cases, the
e explicitly asssigned permisssions always ovverride the inhherited permissions.
In th
he given exam mple, if Adam Carter
C was den nied Write acceess to the pareent Marketing folder, but theen
explicitly granted Write access tot the New Yo granted Writee access permisssions would take
ork folder, the g
preccedence over thet inherited deny
d Write acccess permissio n.
20410A: Installinng and Configuring W
Windows Server® 20012 10-9
Blocking
B Inh
heritance
Yoou can also dissable the inheritance behavior for a file orr a folder (and its contents) o
on an NTFS drive to
exxplicitly define f a set of objjects without i ncluding any o
e permissions for ed permissions from
of the inherite
ny parent folders. Windows Server 2012 provides an opttion for blocking inheritance
an e on a file or a folder
Too block inherittance on a file or folder, com
mplete the follo
owing steps:
• der where you want to blockk inheritance, aand then click Properties.
Right-click the file or fold
• In the Prop w, click the Security tab, and then click thee Advanced button.
perties window
• In the Adva
anced Securityy Settings wind
dow, click the C
Change Perm
missions button
n.
• In the next Advanced Seccurity Settings window, click the Disable inheritance bu
utton.
At this point, yo
ou are prompted to either co
onvert the inheerited permisssions into explicit permission
ns or
re
emove all inherited permissio
ons from the object
o to start with a blank ppermissions slaate.
Resetting
R De
efault Inheriitance Beha
avior
After you block inheritance, changes
c made to permission ns on the paren nt folder structture no longerr have
an
n effect on thee permissions forf the child object (and its ccontents) that has blocked innheritance, un nless you
eset that behavvior from one of the parent folders by seleecting the Rep
re place all child objects with
in
nheritable perrmissions from m this object check box. WWhen you select this check bo ox, the existing
g set of
pe
ermissions on the current fo older are propa
agated down tto all child objects in the tree e structure, an
nd
ovverride all explicitly assigned
d permissions for
f those files and folders. T his check box is located dire ectly
un
nder the Inclu ude inheritablle permissions from this ob bject’s parentt check box.
Effective Pe
ermissionss
Access to a file or folder in Windows
W Serverr 2012 is
granted based on o a combinattion of permisssions.
When
W a user atttempts to acceess a file or folder, the
pe pendent on various
ermission thatt applies is dep
fa
actors, includin
ng:
• Explicitly de
efined and inh
herited permisssions
that apply to
t the user.
• Explicitly de
efined and inh
herited permisssions
that apply to
t the groups to which the user
u
belongs.
• You can apply permissions to a user or to a group. Assigning permissions to groups is preferred
because they are more efficient than managing permissions that are set for many individuals.
• NTFS file permissions take priority over folder permissions. For example, if a user has Read permission
to a folder, but has been granted Modify permission to certain files in that folder, the effective
permission for those files will be set to Modify.
• Every object in an NTFS drive or in Active Directory® Domain Services (AD DS) is owned. The owner
controls how permissions are set on the object and to whom permissions are granted. For example, a
user who creates a file in a folder where they have Modify permissions can change the permissions on
the file to Full Control.
1. Right-click the file or folder for which you want to analyze permissions, and then click Properties.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
• Likewise, if you set the shared folder permission to Full Control, and you set the NTFS permissions to
Write, then the user will have no restrictions at the shared folder level, but the NTFS permissions on
the folder will grant only Write permissions to that folder.
The user must have appropriate permissions on both the NTFS file or folder and the shared folder. If no
permissions exist for the user (either as an individual or as the member of a group) on either resource,
access is denied.
• Grant permissions to groups instead of users. Groups can always have individuals added or deleted,
while permissions on a case-by-case basis are difficult to track and cumbersome to manage.
• Use Deny permissions only when necessary. Because Deny permissions are inherited, assigning deny
permissions to a folder can result in users not being able to access files further down in the folder
structure tree. You should assign Deny permissions only in the following situations:
20410A: Installingg and Configuring W
Windows Server® 20112 10-11
o To excllude a subset of
o a group tha
at has Allow peermissions
• Never denyy the Everyone e group accesss to an object. If you deny evveryone accesss to an object, you
deny Administrators acce ess—including yourself. Insteead, remove thhe Everyone group from the e
permissionss list, as long as
a you grant pe ermissions for the object to other users, groups, or computers.
What
W Is Acccess-Based
d Enumera
ation?
With
W access-bassed enumeration, users see only o the
filles and folderss which they have permission n to
acccess. Access-b based enumeration providess a
be etter user expe erience becausse it displays a less
coomplex view of o the contentss of a shared fo older,
making
m it easierr for users to find the files th
hat they
ne eed. Windows Server 2012 allowsa access-b based
ennumeration off folders that a server shares over
th
he network.
When
W the Enab
ble access-bassed enumerattion check boxx is selected, access-based enumeration is
en
nabled on the shared folder.. This setting iss unique to eaach shared fold
der on the servver.
Wh
hat Are Offfline Files??
An offline
o file is a copy of a netw
work file that is
storred on a client computer. Byy using offline files
f
userrs can access network-based
n d files when their
clien
nt computer iss disconnected d from the netw work.
• Windows 7
• Windows Servver 2008 R2
• Windows Vistta®
• Windows Servver 2003
• Windows XP
• Only the filees and programs that userss specify are aavailable offliine. This is the
e default optio
on
when you sett up a shared folder.
f When youy use this op
ption, no files o
or programs are available offfline
by default, an
nd users controol which files and
a programs they want to aaccess when th hey are not
connected to o the network.
• No files or programs
p m the shared folder are avaailable offline
from e. This option blocks client
computers froom making co
opies of the file
es and program
ms on the sharred folder.
• All files and programs tha at users open n from the shaared folder arre automatica ally available
offline. Whenever a user accesses the shared folder orr drive and opeens a file or prrogram in it, th hat file
or program iss automaticallyy made availab ble offline to t hat user. Files and programss that are
automaticallyy made availabble offline remain in the offli ne files cache and synchronize with the ve ersion
on the server until the cach
he is full or the
e user deletes tthe files. Files aand programs that are not
opened are not
n available offfline.
Note: The Offline Files feature must be enabled on the client computer for files and
programs to be cached automatically. In addition, the Optimized for performance option does
not have any effect on client computers that use Windows Vista or older, as these operating
systems perform the program-level caching automatically, as specified by this option.
This configuration typically results in faster access to files for client computers, especially when
connectivity or speed of a network connection is intermittent. Synchronization with the files on the server
occurs according to the offline files configuration of the client computer.
4. In the Group Policy Management Editor, in the console tree, under Computer Configuration,
expand Policies, expand Administrative Templates, expand Network, and then expand Offline
Files.
8. In the Show Contents window, in the Value name box, specify the shared folder path for which you
want to enable Always Offline mode.
Note: To enable Always Offline mode on all file shares, type a wildcard character (*).
9. In the Value box, type 1 to set the latency threshold to one millisecond, and then click OK.
Demonstration Steps
2. Navigate to the Share pane in the File and Storage Services management console.
3. Open the Data Properties window for the \\LON-SVR1\Data, and enable access-based enumeration.
2. Navigate to the Sharing tab and open the advanced sharing settings.
3. Open the caching settings, and then disable offline files.
20410A: Installingg and Configuring W
Windows Server® 20112 10-15
Lesson
n2
Prote
ecting Shared Files
F and
d Folde
ers using
g Shado
ow Copies
Sh
hadow copies are used to re estore previouss versions of fi les and folderss. It is much faaster to restore
ea
previous version m a shadow copy than from a traditional b
n of a file from backup copy, w which might be e stored
offfsite. Files and
d folders can be
b recovered byb administrato ors, or directlyy by end users.
Th
his lesson intro
oduces you to shadow copie
es, and shows yyou how to co
onfigure a sche
edule of drive
sn
napshots in Wiindows Server 2012.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe sh
hadow copies.
• Describe co f scheduling shadow copiees.
onsiderations for
What
W Are Shadow
S Co
opies?
A shadow copy is a static imag ge (or a snapsh hot) of
a set of data, su
uch as a file or folder. Shadow w
coopies provide the
t capability to recover file es and
olders based on snapshots th
fo hat are taken of
o
sttorage drives. After
A a snapshhot is taken, yoou can
view and potentially restore previous
p versio
ons of
filles and folderss that existed at
a the time tha at the
sn
napshot was ta aken.
Co
onsideratio
ons for Sch
heduling Shadow Co
opies
The default sched dule for creatin
ng shadow cop pies is
Mon nday through Friday at 07:00 0 A.M., and ag
gain
at noon.
n You can modify the de efault schedule
e as
desiired for your organization.
o
Restoring Da
ata from a Shadow Copy
C
Prevvious versions of files can be
e restored by either
e
userrs or administrrators. Most ussers are unawa
are
thatt they can do this
t and they will
w need
instructions on hoow to restore a previous verssion
of a file.
Demonstration Steps
4. Open TestFile.txt to open the document and verify that the previous version is restored.
10-18 Implementing File and Print Services
Lesson 3
Config
guring Network
N k Printing
By using
u the Printt and Document Services role in Windows Server 2012, yyou can share printers on a
netw
work and centtralize print serrver and netwo
ork printer maanagement. Byy using the Prinnt Management
console, you can monitor
m print queues, and re
eceive importaant notificatio ns regarding p
print server acttivity.
Lessson Objectiives
Afte
er completing the lesson, you will be able to:
• Describe Enha
anced Point an
nd Print.
• Identify securrity options forr network prin
nting.
• Create multip
ple configurations for a printt device.
• Identify meth
hods for deployying printers to
t clients.
Benefits of Network
N Printing
Youu can configure e network prin nting by using
Winndows Server 2012
2 as a printt server for use
ers. In
this configurationn, client compu uters submit prrint
jobss to the printer server for delivery to a prinnter
thatt is connected to the networrk.
By centralizing
c printing on a serrver, you also simplify
s troub leshooting. It is relatively easy to determin
ne
wheether printing problems are caused by the printer, serve r, or client com mputer.
A ne
etwork printerr is more expen nsive than thoose typically ussed for local prrinting but it aalso has significcantly
lower consumable es costs and beetter quality printing. Thereffore, the cost oof printing is sstill minimized,,
because the initial cost of the printer is spread
d over all the ccomputers thaat connect to tthat printer. Fo or
exam
mple, a single network printter could servicce 100 users o or more.
What
W Is Enh
hanced Po
oint and Prrint?
En
nhanced Pointt and Print is a new function in
Windows
W Server 2012 that ma akes it easier to install
drivers for netwwork printers. Enhanced
E Poinnt and
Prrint uses the new version 4 (v4)
( driver typee that is
in
ntroduced in Windows
W Serve er 2012 and Windows
8..
Understandi
U ng V3 Drive
ers and V4
Drivers
D
Thhe Windows printer
p driver sttandard that iss used
in
n previous verssions of Windo ows Server has existed
in
n relatively the same form sin nce the introduction
off version 3 (v3) drivers in Windows 2000
opperating systems. With v3 drrivers, printer manufacturers
m s created custo
omized print ddrivers for each h
sp
pecific device that
t they prodduced, to ensure that Window ws application
ns could use alll of their printter’s
eatures. Under the v3 model, printer infrastructure manaagement requiires administraators to maintaain
fe
drivers for each print device in the environm ment, and sepaarate 32 and 6
64-bit drivers ffor a single priint
deevice, to suppoort both platfoorms.
In
ntroducing the V4 Printer Driver
Windows
W Server 2012 and Wiindows 8 include support fo r v4 print driveers, and enables improved p print
deevice driver management an nd installation.. Under the v44 model, print devices manuffacturers can ccreate
Prrint Class Drive
ers that support similar printting features aand printing la nguage that m
may be commo on to a
la
arge set of devvices. Common n printing langguages may in nclude Printer CControl Languuage (PCL), .ps or XML
Paaper Specificattion (XPS).
Th
he V4 driver model
m providess the following
g benefits:
• Sharing a printer
p does no
ot require provvisioning driveers that match the client arch
hitecture.
• Driver files are isolated on a per-driver basis, preventting driver file naming confliicts.
• Driver pack
kages are smaller and more streamlined
s han v3 drivers, resulting in faaster driver installation
th
times.
Using
U Enhanced Point and
a Print forr Driver Insttallation
Under the v4 model,
m printer sharing
s and drriver installatio
on operates automatically un nder Enhancedd Point
annd Print. When ed on a client computer, thee server and client work toge
n a network prrinter is installe ether to
id nt device. The driver then insstalls directly ffrom the driver store on the client machine, or
dentify the prin
from Windows Update or Win ndows Softwarre Update Servvices.
With
W Enhanced Point and Prin nt, the print de d to be maintained on the prrint
evice drivers n o longer need
se
erver. Driver in
nstallation for network
n print devices becom mes faster becaause printer drrivers no longe
er need
to
o be transferreed over the nettwork from serrver to client.
• Print: This pe
ermission allow
ws users to prin
nt
documents on the printer. By default, the e
Everyone gro oup is assigned
d this permissio
on.
• Manage thiss printer: This permission allows users to m modify printer settings, incluuding updatingg
drivers. By de mission is given to Administrrators, Server O
efault, this perm Operators, and
d Print Operattors.
• Manage doccuments: This permission allows users to m modify and deelete print jobss in the queue.. This
permission is assigned to CREATOR OWN NER, which meeans that the u
user who create es a print job
manages thatt job. Administtrators, Server Operators, an
nd Print Operators also have this permissio on for
all print jobs.
De
emonstration: Creating Multip
ple Configu
urations fo
or a Print D
Device
Creaating multiple configurationns for a print device enables you to assign print queues tto specific users or
groups to print high priority job
bs to a printer that is being u
used by other users. When a print job is seent to
the high priority print
p queue, th he job before any jobs coming from the normal
he print server will process th
prio
ority queue.
Dem
monstration
n Steps
Cre
eate a share
ed printer
1. Open the Devvices and Printter window.
Cre
eate a secon
nd shared printer that uses
u the sam
me port
1. Open the Devvices and Printter window.
In
ncrease prin
nting prioritty for a high
h priority prrint queue
1.. Open the Executives
E Printer properties window.
2.. Increase the
e Priority to 10
0.
What
W Is Printer Pooling?
Prrinter pooling is a way to com
mbine multiple e
physical printers into a single logical unit. To
T client
co
omputers, the printer pool appears to be a single
printer. When jo obs are submittted to the printer
po
ool, they can be
b processed by b any available
printer in the prrinter pool.
o a server by specifying mu
A printer pool iss configured on ultiple ports forr a printer. Eacch port is the location
off one physical printer. In mo
ost cases, the ports
p are an IP address on th e network, insstead of a local LPT or
USB connection n.
Th
he requiremen
nts for a printe
er pool are as follows:
f
• Printers mu
ust use the sam
me driver: Cliennts use a singlee printer driveer for generatin
ng print jobs. A
All
printers mu
ust accept prin
nt jobs in the sa
ame format. In n many cases, this means thaat a single prin nter
model is ussed.
• Printers sho
ould be in the same location n: The printers in a printer po
ool should be located physiccally
close together. When use eir print jobs, tthey must checck all printers in the printer pool to
ers retrieve the
find their document. There is no way fo or users to kno ow which printter has printed d their docume ent.
What
W Is Bra
anch Office
e Direct Printing?
Brranch Office Direct
D Printing reduces netwo ork
osts for organizations that have centralized
co d their
Windows
W Server roles. When Branch Office Direct
bled, Windows clients obtain printer
Prrinting is enab
nformation from the print server, but send the
in
print jobs directtly to the printter. The print data
d no
lo
onger travels too the central server and then n back
to
o the branch office
o printer. This
T configurattion
re
educes traffic between
b the cllient computer, the
print server, andd the branch office
o printer, and
a
re
esults in increa
ased network efficiency.
e
Brranch Office Direct
D Printing is transparent to the
10-22 Implementing File and Print Services
Con
nfiguring Branch Office Direct Printing
Bran
nch Office Dire
ect Printing is configured byy an administraator using the Print Manage
ement console or a
Win
ndows PowerSh hell® command d-line interface.
To configure
c Bran
nch Office Dire
ect Printing fro
om the Print M
Management co
onsole, use the
e following ste
eps:
1. In Server Man
nager, open th
he Print Manag
gement conso le.
To configure
c Bran
nch Office Dire e interface, type the
ect Printing usiing a Windowss PowerShell ccommand-line
follo
owing command at a Windo ows PowerShelll window com mmand promptt:
Set
t-Printer -na
ame "<Printer Name Here>" -ComputerN
Name <Print S
Server Name H
Here> -
Ren
nderingMode BranchOffice
B
De
eploying Printers to Clients
Depploying printerrs to clients is a critical part of
o
mannaging printing services on the t network. A
welll-designed system for deploying printers is
b used to manage hundred
scalable and can be ds or
thou
usands of commputers.
• GPO created by Print Mana agement. The Print Managem n add printers to a
ment administtrative tool can
GPO for distribution to client computers based on eitheer a user account or a comp puter account.
Windows XP computers mu ust be configured to run Pusshprinterconneections.exe.
• Manual installlation. Each usser can add prrinters manual ly by either brrowsing the ne etwork or using the
Add Printer Wizard;
W It is important to notte that networrk printers thatt are installed manually are
available onlyy to the user thhat installed th
hem. If multipl e users share a computer, thhey must eachh
install the printer manually..
20410A: Installing and Configuring Windows Server® 2012 10-23
Objectives
After performing this Lab you will be able to:
Lab Setup
Estimated Time: 40 minutes
Logon Information
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1 and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
6. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.
There have been problems in other branch offices with conflicts when offline files are used for shared data
structures. To avoid conflicts, you need to disable Offline Files for this share.
o E:\Data
o E:\Data\Development
o E:\Data\Marketing
o E:\Data\Research
o E:\Data\Sales
Folder Permissions
E:\Data No change
3. Navigate to \\LON-SVR1\Data.
Note: Bernard should have access to the Development folder. However, although
Bernard can still see the other folders, he does not have access to their contents.
4. Select Shares.
5. Open the Properties window for the Data share, and from the Settings page, enable Access-based
enumeration.
2. Click the Desktop tile and then open a Windows Explorer window, and navigate to \\LON-
SVR1\Data.
Note: Bernard can now view only the Development folder, the folder for which he has
been assigned permissions.
3. Navigate to E:\
4. Open the Properties window for the Data folder, and disable Offline file caching.
Results: After finishing this exercise, you will have created a new shared folder for use by multiple
departments.
10-26 Implementing File and Print Services
Your manager has asked you to ensure that shadow copies are enabled on the file server so you can
restore recently modified or deleted files without using a backup tape. Because the data in this branch
office changes frequently, you have been asked to configure a shadow copy to be created once per hour.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
3. Open the Properties window for E:\Data\Development, and then click the Previous Versions tab.
4. Open the most recent version of the Development folder, and then copy the Report.txt file.
Results: After finishing this exercise, you will have enabled shadow copies on the file server.
To ensure high availability of this printer, you need to format it as a pooled printer. Two physical print
devices of the same model have been installed in the branch office for this purpose.
2. Install a printer.
3. Configure printer pooling.
2. Install the Print and Document Services role, and accept the default settings.
a. IP Address: 172.16.0.200
b. Driver: Microsoft XPS Class Driver
2. Open the Branch Office Printer Properties page, and on the Ports tab, enable printer pooling.
3. Select port 172.16.0.201 as the second port.
Results: After finishing this exercise, you will have Installed the Print and Document Services server role
and installed a printer with printer pooling.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
Question: Why should you not use shadow copies as a means for data backup?
Tools
Name of tool Used for Where to find it
Print Management Managing the print environment The Tools menu in Server Manager.
administrative in Windows Server 2012.
11-1
Module 11
Implementing Group Policy
Contents:
Module Overview 11-1
Module Overview
Maintaining a consistent environment across an organization is challenging. Administrators need a
mechanism to configure and enforce user and computer settings and restrictions. Group Policy can
provide that consistency by enabling administrators to centrally manage and apply configuration settings.
This module provides an overview of Group Policy and provides details about how to implement group
policies.
Objectives
After completing this module, you will be able to:
Lesson 1
Overviiew of Group
G Policy
P
Group Policy allowws you to conttrol the compuuting environm ment. It is impoortant to undeerstand how GGroup
Policy functions, so
s you can app ply Group Policy correctly. T his lesson provvides an overvview of Group Policy
structure, and deffines local and domain group policies. It allso describes tthe types of se
ettings availablle for
usess and groups.
Group Policy allowws you to conttrol the compuuting environm ment. It is impoortant to undeerstand how GGroup
Policy functions, so
s you can app ply Group Policy correctly. T his lesson provvides an overvview of Group Policy
structure, and deffines local and domain group policies. It allso describes tthe types of se
ettings availablle for
usess and groups.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe GPO
O policies and preferences.
• Describe startter GPOs.
Co
omponentss of Group
p Policy
Group Policies are e configurationn settings thatt
allow administrato ors to enforce settings by
mod difying the commputer-specific and user-specific
regiistry settings on
o domain-bassed computerss. You
can group Group Policies together, to make GPOs, G
which you can the en apply to seccurity principle
es
(use
ers, groups or computers).
c
GPOs
A GPO
G is an objecct that contain
ns one or moree
policy settings tha at apply config
guration settin
ng for
userrs, computers, or both. GPOs are stored in
SYSVVOL, and can be managed by b using the Group
Policy Manageme ent Console (GGPMC). Within the GPMC, yo ou can open an nd edit a GPO by using the GGroup
®
Policy Manageme ent Editor. GPO o apply settings to
Os are logicallyy linked to Acttive Directory containers to
the objects in those containers.
Gro
oup Policy Settings
S
A Group Policy se
etting is the mo
ost granular co
omponent of G Group Policy. It defines a specific configurration
change to apply to
t an object (a computer or a user, or both h) within Activve Directory Do omain Servicess
(AD
D DS). Group Poolicy has thoussands of config
gurable setting
gs. These settings can affectt nearly every aarea
of the computing environment.. Not all settinggs can be app lied to all oldeer versions of W
Windows Serve er®
®
and Windows op perating systemms. Each new version
v introduuces new settings and capab bilities that only
20410A: Installing and Configuring Windows Server® 2012 11-3
apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it
simply ignores it.
• Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.
Note: Some settings are multi-valued or have text string values. These are typically used to
provide specific configuration details to applications or operating system components. For
example, a setting may provide the URL of the home page for Windows Internet Explorer® or
blocked applications.
The effect of the change depends on the policy setting. For example, if you enable the Prohibit Access to
Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting,
you ensure that users can open Control Panel. Notice the double negative in this policy setting: You
disable a policy that prevents an action, so you allow the action.
• User settings. These are settings that modify the HKey Current User hive of the registry.
• Computer settings. These are settings that modify the HKEY Local Machine hive of the registry.
User and computer settings each have three areas of configuration, as described in the following table.
Section Description
Software settings Contain software settings that can be deployed to either the user or the
computer. Software that is deployed to a user is specific to that user.
Software that is deployed to the computer is available to all users of that
computer.
Windows operating system Contain script settings and security settings for both user and computer,
settings and Internet Explorer maintenance for the user configuration.
Administrative templates Contain hundreds of settings that modify the registry to control various
aspects of the user and computer environment. New administrative
templates may be created by Microsoft or other vendors. You can add
these new templates to the GPMC. For example, Microsoft has Office
2010 templates that are available for download, and that you can add to
the GPMC.
Gro
oup Policy Preferences
P
In addition to the Group Policy sections show
wn in the previo
ous table, a Prreferences nod
de is present under
both the Computer Configuration and User Configuration
C n
nodes in the GGroup Policy MManagement Editor.
Prefferences provid
de even more capabilities with
w which to co onfigure the eenvironment, aand are discusssed
later in this modu
ule.
Wh
hat Are Mu
ultiple Loccal GPOs?
In Windows
W operaating systems prior to Windo ows
Vista®, there was only
o one available user
configuration in the local Group p Policy. That
configuration wass applied to alll users who log gged
on from
f that local computer. Th his is still true, but
Winndows Vista® and
a newer clien nt operating
systems, and Wind dows Server 2008 and newe er
Winndows Server operating
o ems have an added
syste
featture–multiple local
l GPOs. In Windows 8 an nd
Winndows Server 2012,
2 it is now possible to ha ave
diffe
erent user setttings for differeent local userss; this
is on
nly available fo
or the users’ co onfigurations in
Group Policy. The ere is only one set of computter configuratiions available that affects alll users of the
commputer.
Win
ndows 8 and Windows
W Serve
er 2012 provide
e this ability w
with the followiing three layerrs of Local Gro
oup
Policy Objects:
Group
G Policy
y Template
Group Policy templates are th he actual collecction of
se
ettings that you can change. Group Policy
te
emplates are sttored in the
%SystemRoot%
% %\PolicyDefinitions folder. Windows
Seerver 2012 conntains Group Policy
P templatees with
th
housands of co onfigurable setttings. When you
y
crreate a new Grroup Policy, thhe Group Policyy
Management
M Edditor presents the templatess in a new GPO
O. When you eedit and save the GPO, a new
w Group
Poolicy containerr is created.
Group
G Policy
y Container
Thhe Group Policcy container iss an Active Dire
ectory object tthat is stored iin the Active DDirectory datab base.
Ea
ach Group Policy container includes
i a glob
bally unique id dentifier (GUID D) attribute thaat uniquely ide
entifies
th
he object withiin AD DS. The Group Policy container
c defi nes basic attributes of the G
GPO such as lin nks and
ve
ersion numberrs, but it does not contain an ny of the settinngs. Instead, thhe settings aree contained in the
Group Policy template, which h is a collectionn of files stored
d in the SYSVO OL of each dom main controlle er.
SY
YSVOL is located in the %SysstemRoot% \SYSVOL\Doma in\Policies\GPOGUID path, w where GPOGU UID is
th
he GUID of the e Group Policyy container. Wh hen you makee changes to th he settings of a GPO, the chaanges
arre saved to the
e Group Policyy template of the
t server from m which the GP PO was opene ed.
Byy default, when Group Policyy refresh occurs, the Group Policy client-s ide extensionss (CSEs) apply ssettings
n a GPO only iff the GPO has been updated
in d.
Th
he Group Policcy Client can iddentify an upddated GPO by its version num mber. Each GP PO has a versio on
nu
umber that is incremented eache time a change is made.. The version n number is store ed as an attrib
bute of
he Group Policcy container, and in a text file
th e, GPT.ini, in th
he Group Policcy Template fo older. The Group
olicy Client knows the versio
Po on number of each
e GPO thatt it has previouusly applied. Iff, during Group Policy
re
efresh, the Gro
oup Policy Client discovers thhat the version n number of th
he Group Policcy container haas been
ch
hanged, the CS SEs will be info
ormed that thee GPO is upda ted.
When
W editing a Group Policy,, the version on the computeer that has thee primary dom main controller (PDC)
em
mulator Flexib ble Single Mastter Operations (FSMO) role i s the version b being edited. IIt does not maatter
what
w computer you are using g to perform th
he editing, thee GPMC is focu used on the PDDC emulator by
de
efault. It is posssible to chang
ge the focus off the GPMC to o edit a version
n on a differen
nt domain conttroller.
11-6 Implemennting Group Policy
Wh
hat Are Grroup Policiies and Pre
eferences??
Group Policy Prefferences are a feature in the
Winndows Server 2012
2 operating
g system.
Prefferences includ
de more than 20 Group Policcy
exte ge of configurable
ensions that exxpand the rang
settings within a GPO.
G Preferencces help to red
duce
the need for logon scripts.
Cha
aracteristicss of Preferences
Prefferences have the following characteristicss:
• Preferences exist
e for both computers
c and
d users.
• Preferences can
c be manage
ed through the
e Remote Servver Administration Tools (RSA
AT).
• Preferences can
c be applied only once at startup
s or logo
on, or refresheed at intervals.
• Unlike Group
p Policy setting
gs, preferencess are not remo
oved when the GPO is no lon
nger applied, b
but
you can chan
nge this behaviior.
• Preferences can
c easily be ta
argeted to certtain users or co ough a variety of ways, such as
omputers thro
security group membershipp or operating system versio on.
• Preferences are
a not available for local gro
oup policies.
• Unlike Group
p Policy, the user interface off the setting is not disabled.
Com
mmon Usess for Group Policy Prefe
erences
Alth
hough you can n configure ma hrough Group Policy preferences, some of the more com
any settings th mmon
usess are as follows:
• Drive mappin
ngs for users
• Configuring desktop
d shortccuts for users or
o computers
• Setting enviro
onment variab
bles
• Mapping prin
nters
• Configuring Start
S menus
• Configuring data
d sources
• Scheduling ta
asks
20410A: Installinng and Configuring W
Windows Server® 20012 11-7
What
W Are Starter
S GPO
Os?
Sttarter GPOs are templates th hat assist in the
e
crreation of GPO Os. When creatting new GPOss, you
ca
an choose to use u a starter GP PO as the sourrce. This
makes
m it easier and faster to create
c multiple e GPOs
with
w the same baseline
b configguration.
Available
A Setttings
Sttarter GPOs ca an only contain
n settings from
m the
Administrative Templates
T nodde of either thee User
Configuration section or the Computer
C
Configuration section. The So oftware Settinggs and
Windows
W Settin
ngs nodes of Group Policy arre not
avvailable, becauuse these nodees involve interraction
off services and are more commplex and dom main-dependen
nt.
Ex
xporting Sttarter GPOs
Yo
ou can export starter GPOs to t a Cabinet file (.cab) and t hen load that .cab file into aanother enviroonment
th
hat is complete ely independent of the sourcce domain/forrest. Exporting a starter GPO O allows you to
o send
th
he .cab file to other
o administtrators, who caan then use it iin other areas.. For example, you may create a
GPO that define es Internet Exp
plorer security settings. If youu want all sitess and domainss to employ thhe same
se
ettings, then yoou could expo ort the starter GPO
G to a .cab file, and then distribute it.
When
W to Use
e Starter GP
POs
Th
he most comm mon situation in which you would
w use a staarter GPO is w
when you want a group of se ettings
or a type of computer role. For
fo F example, yo ou may want aall corporate laaptops to have
e the same deesktop
re
estrictions, or all
a file servers to Group Policy seettings, but enable variationss for
t have the same baseline G
diifferent departtments.
In
ncluded Starter GPOs
Th
he GPMC inclu udes a link to create
c a Starte
er GPO folder, which contain ns a number off predefined sttarter
GPOs. These poolicies provide preconfigured d security-orie nted settings ffor enterprise clients (EC) an
nd
Sp
pecialized Secu d Functionality (SSLF) clients for both user and computerr settings on W
urity – Limited Windows
Vista and Windoows XP SP2 op perating system
ms. You can usse these polici es as starting points when yyou
de
esign security policies.
Delegating
D Managem
ment of GP
POs
Administrators can delegate somes of the Group
Po
olicy administrrative tasks to other users. These
ussers do not have to be doma ain administrators;
th
hey can be use ers that are gra
anted certain rights
r to
GPOs. For exam mple, a user wh ho manages a
paarticular Organ nizational Unitt (OU) could be
b
ta
asked with performing reporrting and analyysis
duuties, while thee help desk grroup is allowedd to edit
GPOs for that OU.
O A third gro oup of develop pers
might
m be put in
n charge of cre eating Window ws
Management
M In
nstrumentation n (WMI) filters.
11-8 Implementing Group Policy
• Creating GPOs
• Editing GPOs
The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that
they have created.
• Enterprise Admins
• Creator Owner
• Local System
The Authenticated User group has Read and Apply Group Policy permissions only.
Demonstration Steps
Lesson 2
Group Policy Processsing
Undderstanding ho ow Group Policcy is applied iss the key to beeing able to deevelop a Group p Policy strate
egy.
Thiss lesson shows you how Grou up Policy is asssociated with AActive Directo
ory objects, how w it is processe
ed,
and how to contro ol the applicattion of Group Policy. After crreating the GPPOs and config guring the setttings
you want to applyy, they must be e linked to conntainers. GPOss are applied inn a specific ordder. This orderr may
deteermine what settings are app plied to objectts. There are tw
wo default pollicies that are aautomatically
crea
ated. These po d to deliver passsword and seccurity settingss for the domain and for dom
olicies are used main
controllers. The ap
pplication of policies
p can alsso be controlleed through seccurity filtering..
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe a GP
PO link.
• Describe how
w GPOs are app
plied to contaiiners and objeects.
• Describe the Group Policy processing
p ord
der.
• Describe GPO
O security filterring.
GP
PO Links
Oncce you have created a GPO and a defined all the
settings that you want
w it to delivver, the next step is
to liink the policy to
t an Active Directory
D contaainer.
A GPO link is the logical connecction of the po olicy
to a container. Yo ou can link a single GPO to
mulltiple containers by using the e GPMC. You can c
link GPOs to the following
f types of containerss:
• Sites
• Domains
• OUs
Oncce a GPO is linked to a conta ainer, by defauult the
policy is applied to all the objeccts in the conta
ainer, and sub sequently all tthe child contaainers under th
hat
pare
ent object. This is because th he default permmissions of thee GPO are suc h that Authenticated Users h have
Read and Apply Group
G Policy permission. You u can modify tthis behavior bby managing p permissions on n the
GPO
O.
You
u can disable links to contain
ners, which rem
moves the conffiguration setttings. You can also delete lin
nks.
Dele
eting links doe
es not delete the actual GPOO, only the logiical connection to the contaainer.
GPOOs cannot be linked directly to users, groups or computeers. In additionn, GPOs cannoot be linked to the
system containerss of AD DS, inccluding Builtin,, Computers, U
Users, or Manaaged Service A
Accounts. The AAD DS
system containerss receive Group Policy settings from GPOs linked to the domain level o only.
20410A: Installingg and Configuring W
Windows Server® 20112 11-11
Applying
A GPOs
G
Computer confiiguration settings are applie ed at
sttartup, and the
en are refresheed at regular in
ntervals.
Any startup scripts are run at computer starrtup.
Thhe default inte
erval is every 90
9 minutes, butt this is
coonfigurable. Th
he exception to the set interrval is
do omain controllers, which havve their settinggs
re
efreshed everyy five minutes.
Note: A number
n of user settings requ
uire two
ogons before the user sees th
lo he effect of the
e GPO. This is because userss logging on to o the same
co
omputer use cached credenttials to speed up u logons. Thiis means that, although the policy
se
ettings are being delivered to the compute er, the user is aalready loggedd on and thus the settings
will
w not take efffect until the next
n logon. Thee folder redire ction setting iss an example o
of this.
Yoou can change e the refresh innterval by conffiguring a Gro up Policy settiing. For compu uter settings, tthe
re
efresh interval setting is foun nd in the Computer Configu uration\Policcies\Administtrative
Teemplates\Sysstem\Group Policy P node. Foor user setting
gs, the refresh interval is foun
nd at the
co
orresponding settings
s underr User Configuration. An excception to the refresh intervaal is security se ettings.
Thhe security setttings section of
o the Group Policy
P will be reefreshed at leaast every 16 ho
ours, regardlesss of the
in
nterval that you u set for the re
efresh interval..
Yo
ou can also reffresh Group Po
olicy manuallyy. The comman nd line utility G
Gpupdate refrreshes and dellivers
an
ny new Group Policy configu urations. The Gpupdate
G /fo
orce command d refreshes all tthe Group Policy
se
ettings. There is
i also a new Windows
W PoweerShell Invoke
e-Gpupdate cm mdlet, which p performs the ssame
fu
unction.
A new feature in Windows Server 2012 is Re emote Policy R Refresh. This feeature allows aadministratorss to use
th
he GPMC to target an OU an nd force Group
p Policy refresh
h on all of its ccomputers andd their currenttly
lo
ogged-on userrs. To do this, you
y right-click any OU, and tthen click Gro oup Policy Update. The upd date
occcurs within 10
0 minutes.
Group
G Policcy Processsing Orderr
GPOs are not ap pplied simultaneously; rathe er, they
arre applied in a logical order. GPOs that aree
pplied later in the process off applying GPO
ap Os
ovverwrite any coonflicting policy settings tha
at were
ap
pplied earlier.
• Site group po
olicies: Policies that are linked to sites are p
processed nexxt.
• OU group po olicies: Policies linked to OUss are processed policies contain settings thatt are
d next. These p
unique to thee objects in thaat OU. For example, the Salees users may have special reqquired settingss. You
can link a pollicy to the Sale
es OU to delive
er those setting
gs.
Objects in the con ntainers receivve the cumulative effect of alll polices in theeir processing order. In the ccase
of a conflict between settings, the last policy applied
a takes effect. For exaample, a domaain-level policyy may
restrict access to registry
r editingg tools, but yo
ou could configgure an OU-leevel policy and link it to the IIT OU
to reverse that poolicy. Because the OU-level policy
p is applieed later in the process, accesss to registry tools
wouuld be available.
If multiple
m policies are applied at
a the same levvel, the admin istrator can asssign a prefere
ence value to
control the order of processing.. The default preference
p ord er is the orderr in which the policies were
linked.
Wh
hat Are the
e Default GPOs?
G
Durring the installa
ation of the AD
D DS role, two
o
defa
ault GPOs are created: Defau ult Domain Poolicy,
and Default Doma ain Controller Policy.
GPO
G Securiity Filtering
Byy nature, a GPO applies to all the security
principles in the
e container, annd all child con
ntainers
be
elow the paren w to change that
nt. You may wish
be
ehavior and ha ave certain GPPOs apply onlyy to
pa
articular security principles. For example, you
y
m want to exempt certain users
may u in an OUU from a
re u can accomplish this
estrictive deskttop policy. You
th
hrough security filtering.
Ea
ach GPO has an a Access Conttrol List (ACL) that
t
de
efines permissions to that GPO. The defau ult
pe
ermission is fo
or Authenticateed Users to havve the
Re
ead and Applyy Group Policyy permission ap pplied.
e permissions in the ACL, you can control which securityy principles recceive permissio
Byy adjusting the on to
ave the GPO settings applied
ha d. There are tw
wo approachess you might taake to do this: deny access to o the
Group Policy, or limit permisssions to Group
p Policy.
Deny
D Access to Group Policy
P
If most security principles in the
t container should
s receivee the policy setttings but som
me should not, then
yoou can exemptt particular seccurity principle
es by denying them access tto the Group P Policy. For exam
mple, if
t Sales OU should receive a policy excep
all the users in the pt the Sales Maanagers group p. Then you caan
exxempt that gro oup (or user) by
b adding thatt group to the ACL of the GP PO, and then ssetting the perrmission
to
o Deny.
he ACL of a GP
Th d in the GPMC by selecting t he GPO in thee Group Policy Object folder and
PO is accessed
hen clicking the Delegation>Advanced ta
th ab.
11-14 Implementing Group Policy
Disscussion: Identifying
g Group Po
olicy Appliication
Sce
enario
The slide illustrate
es a portion off the A. Datum
m
Corporation’s AD DS structure, which contains the
Sale
es OU with its child
c OUs and the Servers OU.
O
• GPO4 configu
ures a differen nsure that the servers never go into powerr save
nt set of powerr options to en
mode.
Somme users in thee Sales OU havve administrativve rights on th
heir computerss, and have cre
eated local po
olicies
to specifically grant access to Co
ontrol Panel.
Question: What power opttions will the servers in the SServers OU recceive?
Question: What power opttions will the la
aptops in the SSales Laptops OU receive?
Question: What power opttions will all otther computerrs in the domain receive?
Question: Will users in the Sales Users OU who have crreated local po
olicies to grant access to
Control Panel be able to acccess Control Panel?
P
Question: If you
y needed to nel to some ussers, how would you do
o grant access to Control Pan
it?
Question: Ca
an GPO2 be ap
pplied to otherr department O
OUs?
De
emonstration: Using Group Po
olicy Diagn
nostic Toolls
In th
his demonstration you will see how to use e Gpupdate to refresh Group p Policy, displaay Resultant Se
et of
Policy (RSoP), and
d output the reesults to an HT
TML file. You w
will also see ho
ow to use the G Group Policy
Mod deling Wizard to test policie
es.
Dem
monstration
n Steps
Use
e Gpupdate
e to refresh Group Policcy, display R
RSOP, and o
output the rresults to an
n
HTML file
1. On LON-DC1
1, use Gpupdate to refresh the GPOs.
Use
e the Group
p Policy Mod
deling Wiza
ard to test tthe policy
• Use the Group Policy Mode
eling Wizard to
o simulate a po
olicy applicatio n the Managerrs OU
on for users in
who log onto
o any computeer.
20410A: Installingg and Configuring W
Windows Server® 20112 11-15
Lesson
n3
Imple
ementinng a Cen
ntral Sto
ore for Administrative
e
Tempplates
In
n a large organ
nization, there may be manyy GPOs and mu ultiple adminisstrators managging them. Wh hen an
ad
dministrator eddits a GPO, thee template file
es are pulled frrom the local wworkstation. The central storre
provides a singlle folder in SYS
SVOL that contains all of thee templates req quired to create and edit GPPOs.
Th
his lesson discusses the files that make up the templatess, and discussees how to creatte a central stoore
lo
ocation to provvide consistenccy in the tempplates that adm
ministrators usee.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe th
he central store
e.
• dministrative templates.
Describe ad
• Describe ho
ow administrattive templates work.
• Describe managed
m and unmanaged po
olicy settings.
What
W Is the
e Central Store?
S
If your organiza ation has multiiple administra ation
workstations,
w th
here could be potential
p issuees when
edditing GPOs. Iff you do not have a Central Store in
which
w to hold thhe template files, then the
workstation
w youu are editing frrom will use thhe
.admx (ADMX) and a .adml (AD DML) files that are
sttored in the loccal PolicyDefinnitons folder. If
diifferent administration work kstations have
diifferent operatting systems or are at differe ent
se
ervice pack levvels, there mayy be difference es in the
ADMX and ADM ML files. For exxample, the AD DMX
annd ADML files that are stored on a Window ws 7
workstation
w with no service pack installed maym not be thee same as the files that are stored on a Windows
Seerver 2012 dom main controlle er.
Yo
ou must createe and provision the Central Store
S manuallyy. First you mu ust create a folder on a dommain
co
ontroller, name
e the folder PoolicyDefinitioons, and store the folder at
C:\Windows\SYSVOL\sysvol\{D Domain Name e}\Policies\. Th
his folder will n
now be your Central Store. Y You
must
m then copyy all the contennts of the C:\W
Windows\PolicyyDefinitions fo older to the Ce
entral Store. Th
he
ADML files in th
his folder are also
a in a langua age-specific fo
older (such as en-US).
11-16 Implementing Group Policy
Wh
hat Are Ad
dministratiive Templa
ates?
An administrative
a template is made
m up of two
o XML
filess types: ADMX and ADML.
• ADMX files sp
pecify the registry setting to
change. AMDDX files are language-neutral.
Adm
ministrative Templates have the following characteristicss:
AD
DM Files
Prio
or to Windows Vista, adminisstrative templa ates had an .ad
dm (ADM) file extension. AD DM files were
langguage-specificc, and were difficult to custom
mize. ADM filees are stored in n SYSVOL as ppart of the Gro oup
Policy template. Iff an ADM file is
i used in multtiple GPOs, theen the file is sttored multiple times. This
incrreases the size of SYSVOL, an
nd therefore in ncreases the sizze of Active Directory replicaation traffic.
Ho
ow Adminiistrative Te
emplates Work
W
Admministrative Templates have settings for alm most
every aspect of th
he computing environment. Each
setting in the tem
mplate correspo onds to a regisstry
setting that controls an aspect ofo the computting
environment. For example, whe en you enable the
setting that preve
ents access to Control
C Panel, this
changes the value e in the registrry key that con
ntrols
thatt aspect.
20410A: Installing and Configuring Windows Server® 2012 11-17
Section Nodes
Most of those nodes contain multiple subfolders to further organize settings into logical groupings. Even
with this organization, finding the setting you need can be a daunting task. To help you locate settings,
the All Settings folder allows you to filter the entire list of settings by either the computer or the user
section. The following filter options are available:
• Managed or unmanaged
• Commented
• By keyword
• By platform
You can also combine multiple criteria. For example, you could filter to find all the configured settings
that apply to Internet Explorer 10 by using the keyword ActiveX.
11-18 Implementing Group Policy
Ma
anaged an
nd Unmana
aged Policcy Settingss
There are two typ pes of policy se
ettings: manag ged,
and unmanaged. All policy settiings in a GPO’s
Adm ministrative Templates are managed
m policies.
The Group Policy service contro ols the manage ed
policy settings and removes a policy
p setting when
w
it is no longer within scope of thhe user or
com mputer. The Grroup Policy serrvice does not
control unmanage ed policy settings. These policy
settings are persisstent. The Grouup Policy service
doe es not remove unmanaged policy
p settings.
Ma
anaged Policcy Settings
A managed
m policyy setting has th
he following
characteristics:
• The user interface (UI) is loccked, so that a user cannot cchange the settting. Managed policy settin ngs
result in the appropriate
a UI being disable ed. For examplle, if you config
gure the deskttop wallpaper
through a Gro oup Policy setting, then the user will see t hose settings ggreyed out in his or her locaal user
interface.
o HKLM\So
oftware\Policie
es (computer settings)
s
o HKCU\So
oftware\Policie
es (user setting
gs)
o HKLM\So
oftware\Microssoft\Windows\\Current Versio
on\Policies (co
omputer settin
ngs)
o HKCU\So
oftware\Microssoft\Windows\\Current Versio
on\Policies (usser settings)
• Changes mad de by a Group Policy setting and the UI locckout are releaased if the use er or computerr falls
out of scope of the GPO. Fo or example, if you delete a GGPO, managed d policy settinggs that had be een
applied to a user
u will be released. This me eans that, gen erally, the settting resets to its previous staate.
Additionally, the UI interfacce for the setting is enabled..
In your role as a member of the server support team, you help to deploy and configure new servers and
services into the existing infrastructure based on the instructions given to you by your IT manager.
Your manager has asked you to create a central store for ADMX files to ensure that everyone can edit
GPOs that have been created with customized ADMX files. You also need to create a starter GPO that
includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing
department and the IT department.
Objectives
After completing this lab, you will be able to:
• Create GPOs.
Lab Setup
Estimated time: 40 minutes
Password Pa$$w0rd
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on until directed to do so.
11-20 Implementing Group Policy
After implementation, you noticed that you are unable to modify the application settings in the Group
Policy Object from any location other than the workstation that was originally used by your colleague. To
resolve this issue, your manager has asked you to create a Central Store for administrative templates. After
you create the Central Store, your colleague will copy the vendor ADMX template from the workstation
into the Central Store.
The main tasks for this exercise are as follows:
X Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Start the Group Policy Management Console (GPMC).
3. Open the Default Domain Policy and view the location of the administrative templates.
Results: After completing this exercise, you will have configured a Central Store
Your manager has asked you to create a starter GPO that can be used for all departments with default
restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for
members of all departments except for the IT department.
20410A: Installing and Configuring Windows Server® 2012 11-21
3. Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter
GPO
4. Test Application of the GPO for Domain Users
5. Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
X Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet
Explorer Restrictions starter GPO
• Create a new GPO named IE Restrictions that is based on the Internet Explorer Restrictions starter
GPO, and link it to the Adatum.com domain.
4. Open Internet Options to verify that the General tab has been restricted.
X Task 5: Use security filtering to exempt the IT Department from the Internet Explorer
Restrictions policy
• On LON-DC1, open Group Policy Management, and configure security filtering on the IE Restrictions
policy to deny access to the IT department.
3. Attempt to change your homepage. Verify that the Internet Properties dialog opens to the General
page, and all settings are available.
4. Open Internet Options to verify that the General tab has been restricted.
Results: After completing this lab, you will have created a GPO.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Question: You have a number of logon scripts that map network drives for users. Not all
users need these drive mappings, so you must ensure that only the desired users receiving
the mappings. You want to move away from using scripts. What is the best way to map
network drives without using scripts for selected users?
Best Practices
The following are recommended best practices:
• Do not use the Default Domain and Default Domain Controllers policies for other uses. Instead, create
new policies.
• Limit the use of security filtering and other mechanisms that make diagnostics more complex.
• Disable the User or Computer sections of policies, if they have no settings configured.
• Add comments to your GPOs to explain what the policies are doing.
Tools
Tool Use Where to find it
Group Policy Management Controls all aspects of Group In Server Manager, on the Tools
Console (GPMC) Policy menu
Group Policy Object Editor Use to configure settings in Accessed by editing any GPO
GPOs
Group Policy Modeling Use to test what would occur if In the GPMC
Wizard settings were applied to users
or computers, prior to actually
applying the settings
Local Group Policy Editor Use to configure Group Policy Accessed by creating a new
settings that apply only to the Microsoft Management Console
local computer (MMC) on the local computer, and
adding the Group Policy Object
Editor snap-in
12-1
Module 12
Securing Windows Servers Using Group Policy Objects
Contents:
Module Overview 12-1
Module Overview
Protecting IT infrastructure has always been a priority to organizations. Many security risks are threatening
companies and their critical data. Failure to have adequate security policies can lead to data loss, server
unavailability, and companies losing credibility.
To protect from security threats, companies must have well-designed security policies that include many
components, from organizational to IT-related. Security policies must be evaluated on a regular basis,
because as security threats evolve, so IT must also evolve.
Before you start designing security policies to help protect your organization’s data, services, and IT
infrastructure, you must learn how to identify security threats, how to plan your strategy to mitigate
security threats, and how to secure your Windows Server® 2012 infrastructure.
Objectives
After completing this module, you will be able to:
Lesson 1
Windo
ows Security Ov
verview
w
As organizations
o expand
e their availability
a of network
n data, aapplications, aand systems, ensuring netwo ork
infra
astructure secuurity becomes more challeng ging. Security technologies in the Window ws Server 20122
opeerating system enable organizations to pro ovide better prrotection for th heir network rresources and
orgaanizational asssets in increasingly complex environmentss and business scenarios. This lesson review ws the
tools and conceptts that are available for implementing secu urity within a WWindows 8 and Windows Se erver
2012 infrastructurre.
Lessson Objectiives
Afte
er this lesson, you
y will be ablle to:
• Describe secu
urity risks for Windows
W Serve
er 2012, and th
he costs associiated with them
m.
• Describe how
w the defense-iin-depth model addresses seecurity.
• Describe bestt practices for increasing Win
ndows Server 22012 security.
Disscussion: Identifying
g Security Risks and Costs
The first step in de
efending yourr systems is
iden
ntifying the pootential securitty risks and the
eir
asso
ociated costs. Once
O you do that,
t you can make
m
inte
elligent decisio
ons about how to allocate
reso
ources to mitiggate those risks.
Appplying Deefense-In-D
Depth to
Inccrease Secu
urity
Youu can mitigate risks to your organization’s
o
commputer network by providing g security at va
arious
infra
astructure laye
ers. The term defense-in-dep
d pth is
ofte
en used to describe the use of
o multiple seccurity
techhnologies at different points throughout your
y
orgaanization.
Defense-in-depth h technologies include layerss of
secu
urity that exten
nd from user policies
p all the way
dowwn to the appliication and the
e data itself.
20410A: Installing and Configuring Windows Server® 2012 12-3
Physical Security
If any unauthorized person can gain physical access to a computer on your network, then most other
security measures are not useful. You must ensure that computers containing the most sensitive data,
such as servers, are physically secure, and that access is granted to authorized personnel only.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within the Internet, and many
organization network resources are available from the Internet. This might include building a website to
describe your organization’s services, or making internal services such as web conferencing and email
accessible externally, so that users can work from home or from branch offices.
Perimeter networks mark the boundary between public and private networks. Providing reverse proxy
servers in the perimeter network enables you to provide more secure corporate services across the public
network.
Many organizations implement so-called network access quarantine control, where computers that
connect to the corporate network are checked for different security criteria, such as whether the computer
has the latest security updates, antivirus updates, and other company-recommended security settings. If
these conditions are true, the computer is allowed to connect to corporate network. If not, the computer
is placed in isolated network, called quarantine, with no access to corporate resources. Once the computer
has its security settings remediated, it is removed from the quarantine network and is allowed to connect
to corporate resources.
Note: A reverse proxy, such as Microsoft® Forefront® Threat Management Gateway 2010,
enables you to publish services, such as email or web services, from the corporate intranet
without placing the email or web servers in the perimeter, or exposing them to external users.
Microsoft Forefront Threat Management acts as both reverse proxy and as a firewall solution.
Networks
Once you connect computers to a network, either internal or public, they are susceptible to a number of
threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is
especially relevant when communication takes place over public networks by employees who are working
from home, or from remote offices. You should deploy a firewall solution, such as Microsoft Forefront
Threat Management Gateway 2010, to protect from different types of network threats.
Host
The next layer of defense is the layer that is used for the host computer. You must keep computers secure
with the latest security updates. You also have to configure security policies, such as password complexity,
and configure host firewall and install antivirus software. Steps mentioned above contain a process that is
called security hardening.
12-4 Securing Windows Servers Using Group Policy Objjects
Application
Appplications are only
o as secure as your latest security updatte. You should
d consistently u
use the Windo ows
Upddate feature in Windows ope erating systemms to keep you r applications up-to-date. MMoreover,
app
plications mustt be tested by IT security admministrators, w
whether they haave any securiity vulnerabilities
thatt might allow an
a external atttacker to comppromise appliccations or otheer network commponents. Steps
menntioned above e contain a pro
ocess that is called applicatio
on hardening.
Datta
The final layer of security
s is data
a security. To help
h ensure th
he protection o of your networrk, ensure the
proper use of file user permissio ons by using Access
A mplement the encryption off
Control Lists (ACLs), im
confidential data with Encryptio on File System (EFS), and perrform backupss of data regularly.
Additional Reading: For the latest Miccrosoft securityy bulletin and advisory information, see
http
p://technet.miccrosoft.com/en
n-us/security/d
default.aspx.
Best Practice
es for Incre
easing Security
Connsider the follo
owing best practices for
incrreasing securityy:
• Apply all avaiilable security updates as qu uickly
as possible fo
ollowing their release.
r You shhould
strive to implement securityy updates as so oon
as possible to
o ensure that your
y systems are
protected froom known vuln nerabilities.
Microsoft pub blicly releases the details of
known vulnerrabilities after an update hass
been released d, which can leead to an increeased
volume of ma alware attemp pting to exploitt the
vulnerability. However, you u must still ensure
that you adeq quately test uppdates before they are appli ed widely with
hin your organ
nization.
• ole logon. Logging on locallyy at a console is a greater rissk to a server tthan accessing
Restrict conso g data
remotely. This is because so
ome malware can c only infectt a computer b by using a use er session at the
desktop. If yo
ou allow adminnistrators to usse Remote Dessktop Connecttion for server administration,
ensure that enhanced security features su uch as user acccount control are enabled.
Additional Reading: For more information about best practices for enterprise security, see
http://technet.microsoft.com/en-us/library/cc750076.aspx.
12-6 Securing Windows Servers Using Group Policy Objjects
Lesson 2
Config
guring Security
S y Setting
gs
Oncce you have learned about security threatss and risks, and d about best ppractices for increasing securrity,
you can start conffiguring securiity for your Wiindows® 8 and d Windows Serrver 2012 environment. In th his
lesson, you will lea
arn how to configure securitty settings. To apply those seecurity setting
gs to multiple u
users
and computers in your organiza ation, you will use Group Po olicy. For example, you can u use Group Policcy to
configure password policy settin ngs and then deploy
d them oon multiple useers.
Group Policy has a large securitty component that you can u use to configu
ure security forr both users an
nd
com
mputers. You ca an apply securrity consistentlly across the o n Active Directory® Domain
organization in
Servvices (AD DS) by
b defining seccurity settings in a Group Po olicy Object (G
GPO) that is asssociated with a site,
dom
main, or Organ nizational Unit (OU).
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe how
w to configure Security temp
plates.
• Describe wha
at user rights are and how to
o configure theem.
• Describe how
w to configure Security Optio
ons.
• w to configure User Account Control.
Describe how
• w to configure Auditing.
Describe how
Co
onfiguring Security Templates
T
Secuurity templates are files that you can use to
t
mannage and conffigure security settings on
Winndows-based computers.
c Depending on th he
various categoriess of security se
ettings, securityy
tem
mplates are diviided into logiccal sections. Yo
ou
can configure eacch of the followwing sections
acco
ording to a company’s needs and requestss:
• Registry: perm
missions for registry keys
• File system: permissions
p forr folders and fiiles
20410A: Installinng and Configuring W
Windows Server® 20012 12-7
When
W you configure a securitty template, yo
ou can use it to
o configure a ssingle computter or to config
gure
multiple
m compu uters on the ne
etwork. The following are a ffew ways that you can config gure and distrribute
th
he security tem
mplates:
• Group Policcy
• Security Co
ompliance Man
nager
Configuring
C g User Rig
ghts
User
U rights assig
gnment refers to the ability to
t
peerform actionss on the operaating system. Each
E
co
omputer has itts own set of user
u rights, succh as the
rig
ght to change e the system tim
me. Most rightts are
granted either tot the Local Syystem or to the e
Administrator.
Th
here are two tyypes of user rights:
• Privileges define
d access to
o computer annd
domain ressources. For exxample, rights to
t back
up files and
d directories.
ou can configu
Yo ure rights thro
ough Group Po
olicy. The defau
ult domain po
olicy has no rig
ghts defined byy
de
efault.
Yo
ou can configu
ure settings for User Rights by
b accessing: C
Computer Co nfiguration\PPolicies
\W
Windows Setttings\Security y Settings\Local Policies\U
User Rights Asssignment fro
om the Group
p Policy
Management
M Console
C (GPMMC).
So
ome exampless of commonlyy used user rights (and policiies configured by them) are::
• Allow log on
o locally. Dete
ermines which users can log on the compu
uter.
• Allow log on
o through Remmote Desktop Services. Deteermines which
h users or grou
ups have permission to
log on as Remote Deskto
op Services Clie
ent.
• Back up file
es and directorries. Determine
es which userss have permisssions to back u
up files and follders on
a computerr.
• Change the e system time. Determines which
w users or g
groups have right to change
e the time and
d date
on the internal clock of th
he computer.
• Force shutd
down from a reemote system. Determines w
which users aree allowed to sh
hut down a co
omputer
from a remote location on
o the networkk.
• Shut down the system. Determines which of the userrs who are logg
ged on locallyy to a compute
er are
allowed to shut down the
e computer.
12-8 Securing Windows Servers Using Group Policy Objjects
Co
onfiguring Security Options
O
Youu can use Group Policy to configure securitty
options. The computer security settings that you
y
can configure in security
s option
ns include the
follo
owing:
• Access to disk
k and CD/DVD
D drives
• Digital data signatures
• Driver installa
ation behavior
• Logon promp
pts
• User account control
You
u can also conffigure settings for security op
ptions by acceessing Computter Configuration\Policies
\Windows Settinggs\Security Setttings\Local Poolicies\Securityy Options from
m the GPMC.
The following are examples of commonly
c use
ed security opttions:
• Interactive lo
ogon: Do nott display last user
u name. Deetermines wheether the name
e of the last usser to
log on to the computer displays in the Windows
W logon window.
• Accounts: Reename admin nistrator accou unt. Determin nes whether a d
different account name is
associated with the securityy identifier (SID
D) for the acco
ount Administrrator.
Co
onfiguring User Acco
ount Contrrol
Admministrative acccounts carry with
w them a hig gher
deggree of securityy risk. When an n administrativve
accoount is loggedd on, its privilegges allow acceess to
the entire Window ws operating system,
s including
the registry, system files, and coonfiguration
settings. As long as
a an administrative accountt is
loggged on, the system is vulnera able to attack and
has the potential to be compromised.
By default,
d both standard users and administrrators access reesources and rrun applications in the securrity
context of a stand
dard user. The UAC prompt provides
p a wayy for a user to elevate his orr her status from a
stan
ndard user account to an administrator acccount withoutt logging off, sswitching userss, or using Run n As.
UACC creates a moore secure enviironment in which to run annd install appliccations.
20410A: Installing and Configuring Windows Server® 2012 12-9
When an application requires administrator-level permission, UAC notifies the user as follows:
• If the user is an administrator, the user confirms to elevate his or her permission level and continue.
This process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2012, the built-in Administrator account does not run in Admin
Approval Mode. The result is that no UAC prompts display when using the local Administrator
account.
• If the user is not an administrator, then a username and password for an account that has
administrative permissions needs to be entered. Providing administrative credentials temporarily
gives the user administrative privileges, but only to complete the current task. After the task is
complete, permissions change back to those of a standard user.
When using this process of notification and elevation to administrator account privileges, changes cannot
be made to the computer without the user knowing. This can help prevent malicious software (malware)
and spyware from being installed on or making changes to a computer.
UAC allows the following system-level changes to occur without prompting, even when a user is logged
on as a local user:
• Install updates from Windows Update
• Install drivers from Windows Update or those that are packaged with the operating system
• Reset the network adapter, and perform other network diagnostic and repair tasks
The following are examples of some GPO settings that you can configure for UAC:
• User Account Control: Run all administrators in Admin Approval Mode. Controls the behavior of
all UAC policy settings for the computer. If this setting is disabled, UAC will not run on this computer.
• User Account Control: Administrator Approval Mode for the built-in Administrator account.
When you enable this setting, the built-in Administrator account uses Admin Approval Mode.
• User Account Control: Detect application installations and prompt for elevation. This setting
controls the behavior of application installation detection for the computer.
• User Account Control: Only elevate executables that are signed and validated. When you enable
this setting, a Public Key Infrastructure (PKI) check is performed on the executable file to verify that it
originates from a trusted source. If the file is verified, then the file is permitted to run.
Note: By default, UAC is not configured or enabled in Server Core installations of Windows
Server 2012.
12-10 Securingg Windows Servers Using
U Group Policy Objects
Co
onfiguring Auditing
Typically, one of the
t componen nts of an
orga anization’s seccurity strategy is recording user
u
activvities behaviorr, such as successful or
unsuccessful attem mpts to accesss business-critical
dataa that is stored
d in different fo
olders, or succcessful
or unsuccessful
u lo
ogon attempts on different
servvers.
Afte
er configuring auditing, information in seccurity
event logs can help your organization audit their compliancce with importtant business-related and
secu
urity-related data by tracking
g precisely deffined activitiess such as:
• A group adm
ministrator who
o has modified settings or daata on servers that contain fiinance informaation.
• An employee e within a defin
ned group thatt has accessed
d an importantt folder contain
ning data from
m
different departments.
u can configure
You e security audiiting settings by
b accessing frrom the GPMCC: Computer C
Configuration
n
\Po
olicies\Windowws Settings\S Security Settin ngs\Local Pollicies\Audit P
Policy.
• Audit accoun
nt logon even nts. Determinees whether thee operating sysstem audits eaach time the
computer validates an acco
ount’s credentiials.
• Audit accoun nting manage ement. Determ mines whetherr to audit each h event of acco
ount managemment,
word, or enabling
such as creatiing, changing, renaming, or deleting a useer account, chaanging a passw
or disabling a user account.
• Audit objectt access. Deterrmines whethe er operating syystem audits h have access to non-Active
Directory objects, such as fo
olders or files. Before config uring audit seettings with Gro oup Policy, yo
ou
must configure system acce ess control listss (SACLs) on fo
olders or files tto allow auditing for a speciific
type of action
n, such as write
e, read, or mod dify.
• Audit systemm events. Dete ermines whethher the operatiing system aud
dits system-related events, ssuch
as attemptingg to change th
he system timee, attempting a system startu
up or shutdowwn, or the security
log size excee
eding a configurable thresho
old warning.
Configuring
C g Restricte
ed Groupss
In
n some cases, you
y may want to control the e
membership
m of certain group
ps in a domain——such
ass the local adm
ministrators gro
oup—to preve ent the
ad
ddition of othe nts to those groups.
er user accoun
Yo
ou can use thee Restricted Grroups policy too
co
ontrol group membership
m byy specifying what
w
members
m are pllaced in a grou
up. If you defin
ne a
Re
estricted Groups policy and then refresh Group
G
Po
olicy, any curre
ent member of o a group thatt is not
on ed Groups policy members list is
n the Restricte
re
emoved, includ ding default members
m such as
a
do
omain adminisstrators.
Although you can control dom main groups byb assigning Reestricted Grouups policies to domain contro ollers,
yo
ou should use this setting prrimarily to con h as Enterprise Admins
nfigure membeership of criticaal groups such
an
nd Schema Ad dmins. You can n also use this setting to conttrol the membbership of built-in local grou
ups on
workstations
w an
nd member serrvers. For exam mple, you can place the Help pdesk group innto the local
Administrators group on all workstations.
w
Yo
ou cannot speecify local userss in a domain GPO. Local us ers who curren ntly are in the local group th
hat the
Re
estricted Groups policy conttrols will be rem
moved. The on nly exception tto this is that tthe local
Administrators account is alwways in the locaal Administrato
ors group.
Yo
ou can configu
ure the setting
gs for Restricted Groups by aaccessing from
m the GPMC:
Computer Con nfiguration\Po olicies\Windo ows Settings\\Security Settings\Restricte
ed Groups.
Configuring
C g Accountt Policy Settings
Account policie es protect yourr organization’’s
acccounts and da ata by mitigating the threat of
acccount passwo e attacks. Securing
ord brute force
yo
our network en nvironment re equires that all users
uttilize strong pa
asswords. Passsword policy seettings
co
ontrol the com mplexity and liffetime of user
paasswords. You can configure e password policy
se
ettings through Group Policyy.
Im
mplementin
ng Account Policies
Th
he policy settin
ngs under Acccount policies are
a
im
mplemented att the domain level. A Windo ows
Se
erver 2012 dom main can have e multiple passsword
an
nd account locckout policies, which are callled fine-graineed password p
policies. You caan apply these
multiple
m policies to a user or to
t a global seccurity group in
n a domain, bu
ut not to an orrganizational u
unit
(O
OU).
Note: If you
y need to ap pply a fine-grained password d policy to useers of an OU, yyou can use a
sh
hadow group, which
w is a glob
bal security gro
oup that is log
gically mapped d to an OU.
12-12 Securing Windows Servers Using Group Policy Objects
You can configure Account policy settings by accessing from the GPMC: Computer Configuration
\Policies\Windows Settings\Security Settings\Account Policies.
Password Policy
Password policies that you can configure are listed in the following table.
Password must meet Requires passwords to: Enable this setting. These
complexity • Be at least six characters long. complexity requirements can
requirements help ensure a strong password.
• Contain a combination of at least Strong passwords are more
three of the following types of difficult to decrypt than those
characters: uppercase letters, containing simple letters or
lowercase letters, numbers, and numbers.
symbols (punctuation marks).
• Must not contain the user’s user
name or screen name.
Enforce password Prevents users from creating a new The greater number ensures
history password that is the same as their better security. The default value
current password or a recently is 24. Enforcing password history
used password. To specify how ensures that passwords that have
many passwords are remembered, been compromised are not used
provide a value. For example, a repeatedly.
value of 1 means that only the last
password will be remembered, and
a value of 5 means that the
previous five passwords will be
remembered.
20410A: Installing and Configuring Windows Server® 2012 12-13
Minimum password Sets the minimum number of days Set the minimum password age
age that must pass before a password to at least 1 day. By doing so,
can be changed. you require that the user can
only change their password once
a day. This will help enforce
other settings.
For example, if the past five
passwords are remembered, this
will ensure that at least five days
must pass before the user can
reuse the original password. If
the minimum password age is
set to 0, the user can change
their password six times on the
same day and begin reusing the
original password on the same
day.
Minimum password Specifies the fewest number of Set the length to between 8 and
length characters that a password can 12 characters (provided that they
have. also meet complexity
requirements). A longer
password is more difficult to
crack than a shorter password,
assuming the password is not a
word or a common phrase.
Store passwords by Provides support for applications Do not use this setting unless
using reversible that require knowledge of a user you use a program that requires
encryption password for authentication it. Enabling this setting decreases
purposes. the security of stored passwords.
12-14 Securing Windows Servers Using Group Policy Objects
Account lockout Specifies the number of failed login A setting of 50 allows for
threshold attempts that are allowed before reasonable user error, and limits
the account is locked. repeated login attempts for
For example, if the threshold is set malicious purposes.
to 3, the account will be locked out
after a user enters incorrect login
information three times.
Account lockout Allows you to specify a timeframe, After the threshold has been
duration in minutes, after which the account reached and the account is
automatically unlocks and resumes locked out, the account should
normal operation. If you specify 0, remain locked long enough to
then the account will be locked block or deter any potential
indefinitely until an administrator attacks, but short enough not to
manually unlocks it. interfere with productivity of
legitimate users. A duration of
30 to 90 minutes should work
well in most situations.
Kerberos Policy
This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes
and enforcement. Kerberos policies do not exist in Local Computer Policy.
20410A: Installing and Configuring Windows Server® 2012 12-15
You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
Your manager has given you some security-related settings that need to be implemented on all member
servers. You also need to implement file system auditing for a file share used by the Marketing
department. Finally, you need to implement auditing for domain logons.
Objectives
After completing this lab, you will be able to:
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-SVR1 and steps 2-3 for 20410A-LON-CL1. Do not log on to
LON-CL1 until directed to do so.
To ensure that the Computer Administrators group is always given permission to manage member servers,
your manager has asked you to create a GPO that sets the membership of the local Administrators group
on member servers to include Computer Server Administrators. . This GPO also needs to enable Admin
Approval Mode for UAC.
12-16 Securing Windows Servers Using Group Policy Objects
1. Create a Member Servers Organizational Unit (OU) and move servers into it.
3. Create a Member Server Security Settings GPO and link it to the Member Servers OU.
4. Configure group membership for local administrators to include Server Administrators and Domain
Admins.
5. Verify that Computer Administrators has been added to the local Administrators group.
6. Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow
log on locally.
7. Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval
Mode for the Build-in Administrator Account.
X Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it
1. On LON-DC1, open Active Directory Users and Computers.
X Task 3: Create a Member Server Security Settings GPO and link it to the Member
Servers OU
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new GPO with a name Member Server Security Settings.
3. In the Group Policy Management Console, link the Member Server Security Settings to Member
Servers OU.
3. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security
Settings, and then click Restricted Groups.
4. Add the Server Administrators and Domain Admins groups to the Administrators group.
X Task 5: Verify that Computer Administrators has been added to the local
Administrators group
1. Switch to LON-SVR1, and log on as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows PowerShell® window, and from a Windows PowerShell command prompt, type
following command:
gpupdate/force
3. Open Server Manager, open the Computer Management console, and then expand Local Users and
Groups.
4. Confirm that the Administrators group contains both ADATUM\Domain Admins and
ADATUM\Server Administrators as members.
X Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to
remove Users from Allow log on locally
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings
GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and configure
Allow log on locally for Domain Admins and Administrators security groups.
4. Close the Group Policy Management Editor.
X Task 7: Modify the Member Server Security Settings GPO to enable User Account
Control: Admin Approval Mode for the Build-in Administrator Account
1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings
GPO.
2. Open Windows PowerShell, and from a Windows PowerShell command prompt, type following
command:
gpupdate/force
Results: After completing this exercise, you should have used Group Policy to secure Member servers.
12-18 Securing Windows Servers Using Group Policy Objects
Your manager has asked you to enable auditing for the file system that is on the Marketing department
file share, and to review the results with the manager of the Marketing department.
1. Modify the Member Server Security Settings GPO to enable object access auditing.
X Task 1: Modify the Member Server Security Settings GPO to enable object access
auditing
1. On LON-DC1, in the Group Policy Management console, edit the Member Server Security Settings
GPO.
2. Configure the HR folder with Read/Write sharing permissions for user Adam.
o Type: All
2. Open a command prompt window and refresh Group Policy using the gpupdate /force command.
gpupdate/force
5. Log off LON-CL1 and then log on again, as Adatum\Adam with a password of Pa$$w0rd.
6. Open the HR folder on LON-SVR1, by using following Universal Naming Convention (UNC) path:
\\LON-SVR1\HR.
X Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1, and start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then open Security.
Results: After completing this exercise, you should have enabled file system access auditing.
2. Run GPUpdate.
3. Open the a command prompt window, and type the following command:
gpupdate/force
Note: This password is intentionally incorrect to generate a security log which shows that
that an unsuccessful login attempt has been made.
3. Review the event logs for the following message: “Logon failure. A logon attempt was made with
an unknown user name or a known user name with a bad password.”
Note: This password is correct, and you should be able to log on successfully as Adam.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: “A user successfully logged on to a computer.”
Results: After completing this exercise, you should have enabled domain logon auditing.
Lesson
n3
Restriicting Software
S e
Users need acce ess to the appllications that help
h them do ttheir jobs. How wever, unnecessary or unwanted
ap
pplications oftten get installe
ed on client computers, whetther unintentio onally or for m
malicious or no
on-
buusiness purposses. Unsupportted or unused software is no ot maintained or secured byy the administrrators;
th
herefore, that software
s couldd be attacked and
a used as an n entry point ffor attackers to
o gain unautho orized
acccess or spread
d computer virruses. Consequ mportance for yyou to ensure that
uently, it is of tthe utmost im
onnly necessary software
s gets installed on all the computeers in your orgaanization. It is also vital thatt you
prevent softwarre from runnin ng that is not allowed
a or is no o longer used or supported..
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
What
W Are Software
S Restriction
R Policies?
In
ntroduced in thhe Windows XP operating syystem
an
nd the Window ws Server 2003 3 operating system,
so
oftware restricttion policies (SRP) give
ad
dministrators tools
t that theyy can use to ideentify
an
nd specify which application ns are permitteed to
ru
un on client co
omputers. SRP settings are
onfigured and deployed to clients
co c by using
g
Group Policy.
So
oftware Restricction Policies policies
p are use
ed in
Windows
W Server 2012 to provvide Windows XP and
Windows
W Vista® compatibilityy. An SRP set iss made
up
p of the follow
wing rules and security levelss.
Rules
R
Ru
ules govern hoow SRP respon nds to an appliication that is being run or i nstalled. Ruless are the key
co
onstructs withiin an SRP, and a group of ru
ules together d determine howw an SRP respo onds to applicaations
be
eing run. Ruless can be based
d on one of the following criiteria that app
ply to the primary executable e file for
th
he application in question:
• Certificate. A software pu
ublisher certificcate that is useed to digitally sign a file.
• Path. The lo
ocal or UNC pa
ath to where the
t file is storeed.
Seccurity Levelss
Each
h applied SRP is assigned a security
s level that
t governs thhe way that thhe operating syystem reacts w when
the application th
hat is defined in the rule is ru
un. The three aavailable securrity level settin
ngs are as follo
ows:
• Disallowed. The
T software identified in th
he rule will nott run, regardlesss of the accesss rights of the
e user.
Usin
ng these three settings, there
e are two prim
mary ways to u se SRPs:
• If an administtrator has a co
omprehensive list of all the sooftware that s hould be allow
wed to run on
clients, the De
efault Securityy Level can be set to Disallow
wed. All appliccations that sh
hould be allow
wed to
run can be identified in SRP P rules that wo
ould apply eithher the Basic U
User or Unrestricted securitty
level to each individual app plication, depe
ending on the security requirrements.
• If an administtrator does noot have a comp prehensive list of the softwarre that should be allowed too run
on clients, the
e Default Secuurity Level can be set to Unre estricted or B
Basic User, deppending on security
requirementss. Any applications that shou uld not be allow wed to run cann then be idenntified by using
g SRP
rules, which would
w use a security level settting of Disallo
owed.
Additional Reading: For more informa ation about usiing software reestriction Policcies to
prottect against un
nauthorized so
oftware, see htttp://go.microssoft.com/fwlin
nk/?LinkId=203 3296.
Wh
hat Is AppLocker?
ApppLocker, which h was introduce ed in the
Win
ndows 7 operating system an nd Windows
Servver 2008 R2, is a security settting that contrrols
which applications users are allo owed to run.
ApppLocker provid des administrattors a variety of
o
metthods for determining quickly and concise ely the
iden
ntity of applicaations that the
ey may want to o
restrict, or to whicch they may want
w to permit
acceess. AppLocker is applied thrrough Group Policy
P
to computer
c objects within an OU.
O Individual
ApppLocker rules can
c also be app plied to individ
dual
AD DS users or grroups.
App
pLocker also co ontains option
ns for monitoring or auditing g the applicatioon of rules. Ap
ppLocker can hhelp
orgaanizations prevent unlicense
ed or maliciouss software from m executing, aand can selectiively restrict
ActiiveX® controls from being in
nstalled. It can also reduce thhe total cost off ownership byy ensuring thaat
worrkstations are standardized
s across
a the ente erprise, and thaat users are ru
unning only the software and d
app
plications that are
a approved by the enterprrise.
Yo
ou can use Ap
ppLocker to resstrict software that:
• Is not allow
wed to be used
d in the compa
any.
• Is no longer supported in
n the companyy.
• Should be used
u only by specific
s departments.
Yo ure AppLockerr settings by browsing in GP
ou can configu PMC to: Computer Configuration\Policie
es
\W
Windows Setttings\Security
y Settings\Ap pplication Conntrol Policies..
• Windows 7 Enterprise op
perating system
m
• Windows 8
AppLocker
A Rules
AppLocker defin nes rules based on file attrib butes
th
hat are derived d from the digital signature of o the
fille. File attributtes in the digittal signature in
nclude:
• Publisher name
• Product name
• File name
• File version
Default
D Conffiguration
Th
he default connfiguration for AppLocker co ontains
a set of default rules for each rule collectionn. This
se
et of rules ensu
ures that the fiiles that are ne
ecessary for W
Windows operatting systems to run and ope
erate
no
ormally are allowed to run.
Allow
A and De
eny Rule Acctions
Allow
A and Denny are rule actions that allow
w or deny execu ution of appliccations based on a list of
ap pplications thaat you configure. The Allow action on rulees limits execution of applicaations to an allowed
ons, and blockss everything else. The Deny action on rulees takes the op
lisst of applicatio pposite approaach and
allows the execu ution of any application except those on a list of denied
d applications. These actionss also
provide a mean ns to identify exceptions to those actions.
12-24 Securing Windows Servers Using Group Policy Objects
You should use AppLocker when software is being used that is:
• Not allowed for use in the company. Give an example of software that can disrupt employees’
business productivity, such as social networking software, or software that streams video files or
pictures that can use a large amount of network bandwidth.
• No longer used. Software that is not needed in the company is no longer maintained.
• No longer supported. Software that is not updated with security updates might pose a security risk.
Demonstration Steps
Create a GPO to enforce the default AppLocker Executable rules
1. On LON-DC1, open the Group Policy Management console.
4. Set the permission of the new rule to Deny, the condition to Publisher, and then select
wordpad.exe. If prompted, click OK to create default rules.
2. Start and then log on to 20410A-LON-SVR1 as Adatum\Alan, with the password, Pa$$w0rd.
3. In the command prompt window, type gpupdate /force, and then press Enter. Wait for the policy to
update.
Lesson
n4
Configuring Windows Firew
wall witth Advaanced Security
Windows
W Firewa all with Advanced Security iss an importantt tool for enhaancing the secu urity of Windo
ows
Se
erver 2012. This snap-in helpps to prevent several
s differen
nt security issu
ues such as port scanning orr
malware.
m Windo ows Firewall with
w Advanced Security has m multiple firewall profiles, each of which appplies
un
nique settings to different tyypes of networrks. You can mmanually config gure Windowss Firewall rules on
ea
ach server, or configure
c them
m centrally by using Group P Policy.
Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:
• Describe th
he features of Windows
W Firew
wall with Adva nced Security..
• Describe Firewall Profiles.
• Describe Co
onnection Security Rules.
• Describe ho
ow to deploy Windows
W Firew
wall rules.
What
W Is Windows Firewall with
h Advanced
d Securityy?
Windows
W Firewaall with Advanced Security iss a
hoost-based firew
wall that is included in Wind dows
Seerver 2012. This snap-in runss on the local
co
omputer and restricts
r netwoork access to annd from
th
hat computer. Unlike a perim meter firewall, which
w
provides protecction only from m threats on thhe
In
nternet, a host--based firewall provides protection
from threats wh herever they originate. For exxample,
fo
or a host that is not behind a firewall, it pro
otects
from LAN or Intternet.
In
nbound and
d Outbound
d Rules
In
nbound rules control
c commuunication that is
in other device orr computer on the network, with the host computer. By default, all inb
nitiated by ano bound
co
ommunication n is blocked except the trafficc that is expliccitly allowed byy an inbound rule.
Outbound
O ruless control comm munication tha at is initiated b
by the host commputer, and iss destined for a device
orr computer on n the network. By default, all outbound co mmunication is allowed except the traffic that is
exxplicitly blockeed by an outbo ound rule. If yo
ou choose to b block all outbo
ound commun nication except the
trraffic that is explicitly allowed
d, you must ca arefully catalogg the softwaree that is allowe
ed to run on th
hat
coomputer and the t network co ommunication required by t hat software.
Connection
C Security
S Rulles
Yo
ou use Connecction Security Rules to config Protocol Securrity (IPsec) for Windows Servver
gure Internet P
20
012. When the ese rules are co
onfigured, youu can authenticcate communiication betwee en computers, and
th
hen use that in
nformation to create
c firewall rules based o n specific userr and compute er accounts.
12-26 Securingg Windows Servers Using
U Group Policy Objects
Additional Enh
hancementss
Win
ndows Firewall with Advance
ed Security is a Microsoft Maanagement Co
onsoles (MMC)) snap-in that aallows
you to perform ad
dvanced config
guration of Windows Firewaall.
Win
ndows Firewall in Windows Vista,
V ndows Server 2008
Windowss 7, Windows 88, Windows Seerver 2008, Win
R2, and Windows Server 2012 has
h the following enhancemeents:
• Supports filte
ering for both incoming and outgoing trafffic.
• Integrates fire
ewall filtering and IPsec prottection setting
gs.
• Enables you to
t configure ru
ules to control network traffiic.
• Enables you to
t import or exxport policies.
You
u can configure ewall settings on each comp
e Windows Fire puter individuaally, or with Grroup Policy at::
Com
mputer Configuration\Policie
es\Windows Se ettings\Securitty Settings\Windows Firewalll with Advanced
Secu
urity.
Disscussion: Why
W Is a Host-Based
d Firewall Important??
Win
ndows Firewall with Advance
ed Security is
enabled by default on Windowss Server 2012.
Review the discussion question and participatte in a
disccussion to idenntify the benefits of using a host-
h
base ed firewall succh as Windowss Firewall with
Advvanced Securityy.
Firewall Proffiles
Winndows Firewall with Advance ed Security is a
netwwork-aware ap pplication thatt uses firewall
e a consistent configuration for
proffiles to provide
netwworks of a speecific type. Win
ndows Server 20122
allows you to defiine a network as either a dom main
netwwork, a public network, or a private netwo ork.
Windows
W Firewa
all with Advanced security in
ncludes the folllowing profilees:
Profile De
escription
Windows
W Server 2012 allows multiple firewa all profiles to b
be active on a server simultaaneously. This means
th
hat a multi-hom
med server tha at is connected d to both the internal netwo ork and the peerimeter netwo ork can
ap
pply the doma ain firewall pro
ofile to the inte
ernal network, and the publiic or private firrewall profile tto the
pe
erimeter network.
Connection
C n Security Rules
A connection se ecurity rule forrces authentica ation
beetween two pe eer computerss before they can c
esstablish a conn
nection and tra ansmit secure
in
nformation. They also secure e that traffic byy
en
ncrypting the data that is traansmitted betw ween
co
omputers. Win ndows Firewall with Advance ed
ecurity uses IPsec to enforce
Se e these rules.
De
eploying Fiirewall Rulles
Howw you deploy Windows
W Firew
wall rules is an
imp
portant conside
eration. Choossing the
app
propriate meth
hod ensures that rules are
dep
ployed accurate
ely and with minimum
m effort. You
can deploy Windoows Firewall ru
ules in the follo
owing
wayys:
You have been working for A. Datum for several years as a desktop support specialist. In this role, you
visited desktop computers to troubleshoot application and network problems. You have recently accepted
a promotion to the server support team. As a new member of the team, you help to deploy and configure
new servers and services into the existing infrastructure based on the instructions given to you by your IT
manager.
Your manager has asked you to implement AppLocker to restrict non-standard applications from running.
He also has asked you to create new Windows Firewall rules for any member servers running web-based
applications.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 60 minutes
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
You also need to add an exception to run a custom-developed application that resides in a non-standard
location. The first stage of the implementation will log compliance with rules. The second stage of
implementation will prevent unauthorized programs from running.
3. Create a Software Control GPO and link it to the Client Computers OU.
10. Verify that an application cannot be run from the Documents folder.
X Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new Group Policy Object (GPO) with a name Software Control GPO.
4. In the Group Policy Management Editor window, browse to Computer Configuration/ Policies/
Windows Settings/ Security Settings/ Application Control Policies/ AppLocker.
5. Create default rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged
app Rules.
6. Configure the rule enforcement for Executable rules, Windows Installer Rules, Script Rules, and
Packaged app Rules with Audit only option.
20410A: Installing and Configuring Windows Server® 2012 12-31
7. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, and then expand Security Settings, click System Services and then double-click
Application Identity.
8. In the Application Identity Properties dialog box, select the Define this policy setting and under
Select service startup mode, select Automatic, and then click OK.
10. In the Group Policy Management Console, link the Software Control GPO to Member Servers OU.
gpupdate/force
C:\CustomApp\app1.bat
2. In the Event Viewer window, browse to Application and Services Logs/ Microsoft/AppLocker, and
review the events.
3. Click MSI and Scripts, and review the event logs for App1.bat.
o Permissions: Allow
o Conditions: Path
o Path: %OSDRIVE%\CustomApp\app1.bat
gpupdate/force
5. Open a command prompt and verify that you can run the app1.bat application, which is located in
the C:\CustomApp folder.
X Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, from CustomApp folder, copy app1.bat to the Documents folder.
2. Verify that application cannot be run from Documents folder, and that the following message
appears: “This program is blocked by Group Policy. For more information, contact your system
administrator.”
Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall
with Advanced Security to create rules to allow inbound network communication through TCP port 8080.
5. Use security filtering to limit the Application Server GPO to members of Application Server group.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a
new Group Policy Object (GPO) with a name Application Servers GPO.
3. In the Group Policy Management Editor, under In the Group Policy Management Editor window,
browse to Computer Configuration/ Policies/ Windows Settings/ Security Settings
/ Application Control Policies/ Windows Firewall with Advanced Security.
o Profile: Domain
X Task 5: Use security filtering to limit the Application Server GPO to members of
Application Server group
1. On LON-DC1, open Group Policy Management Console, expand the Member Servers OU, and then
click Application Servers GPO.
2. In the right-hand pane, under Security Filtering, remove Authenticated Users, and configure
Application Servers GPO to apply only to the Application Servers security group.
gpupdate/force
4. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of
Pa$$w0rd.
3. In Windows Firewall with Advanced Security window, in Inbound rules, verify that Application
Server Department Firewall Rule you created using Group Policy earlier, is configured.
4. Verify that you cannot edit Application Server Department Firewall Rule, because it is configured
through Group Policy.
12-34 Securing Windows Servers Using Group Policy Objects
Results: After completing this exercise, you should have configured AppLocker policies for all users whose
computer accounts are located in the Client Computers OU organizational unit. The policies you
configured should allow these users to run applications that are located in the folders C:\Windows and
C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.
20410A: Installing and Configuring Windows Server® 2012 12-35
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Question: What setting must you configure to ensure that users are allowed only three
invalid logon attempts?
Question: You want to place an application control policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
Question: You are creating a GPO with standardized firewall rules for the servers in your
organization. You tested the rules on a stand-alone server in your test lab. The rules appear
on the servers after the GPO is applied, but they are not taking effect. What is the most likely
cause of this problem?
Question: Last year, your organization developed a security strategy that included all aspects
of a defense-in-depth model. Based on that strategy, your organization implemented
security settings and policies on the entire IT infrastructure environment. Yesterday, you read
in an article that new security threats were detected on the Internet, but now you realize that
your company strategy does not include a risk analysis and mitigation plan for those new
threats. What should you do?
Best Practices
The following are best practices:
• Always make a detailed security risk assessment before planning which security features your
organization should deploy.
• Create a separate GPO for security settings that applies to different type of users in your organization,
because each department might have different security needs.
• Make sure that the security settings that you configure are reasonably easy to use so that they are
accepted by employees. Frequently, very strong security policies are too complex or difficult for
employees to adopt.
• Always test security configurations that you plan to implement with a GPO in an isolated, non-
production environment. Only deploy policies in your production environment after this testing is
completed successfully.
Tools
Tool Use for Where to find it
Module 13
Implementing Server Virtualization with Hyper-V
Contents:
Module Overview 13-1
Module Overview
Server virtualization has only been a part of the Windows Server operating system since the release of
Windows Server 2008 and the introduction of the Hyper-V role. Server virtualization allows organizations
to save money through server consolidation. Because of these efficiencies, server administrators need to
be able to distinguish which server workloads might run effectively in virtual machines, and which server
workloads must remain deployed in a more traditional server environment.
This module introduces you to the Hyper-V® role, the components of the role, how best to deploy the
role, and the new features of the Hyper-V role that are introduced with Windows Server 2012.
Objectives
After completing this module, you will be able to:
• Implement Hyper-V.
Lesson 1
Overviiew of Virtualiz
V zation Technol
T ogies
Youu can deploy many
m different types of virtua
alization on neetworks wheree Windows ope erating systemms are
marily deployed. The type off virtualization that you choo
prim ose depends oon what you ne eed to accomp plish.
hough this module is primarily concerned with server virrtualization, in this lesson yo
Alth ou will learn ab
bout
otheer types of virttualization andd the situations in which it iss appropriate tto deploy them
m.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Explain the be
enefits of Micrrosoft Applicattion Virtualizattion (App-V) o
over traditionaal application
deployment
Serrver Virtua
alization with
w Hyperr-V
With server virtua
alization, you can
c create sepa arate
virtu
ual machines, and run them concurrently using
u
the resources of a single server operating systtem.
These virtual machines are know wn as guests. The
T
commputer runningg Hyper-V is known as the host.
Virtual Machin
nes and Harrdware Usag
ge
By implementing virtual machin nes, you use ha ardware more efficiently. In most cases, a service or
appplication does not
n consume morem than a frraction of the rresources that are available on the host
commputer. When deployed as virtual machine es, you can org ganize multiplee services and applications ffrom
sepaarate virtual machines
m on to
o the same hosst server so thaat the resourcees of that host server are use ed
morre effectively. For
F example, iff you have fou ur separate serrvices and app plications that eeach consume e from
10 to
t 15 percent ofo a host serveer's hardware resources,
r you can install theese services an
nd applicationss in
virtu
ual machines, and then place e them on the e same hardwaare where on aaverage, they w will consume a total
of 40
4 to 60 percen nt of the host server's hardw
ware.
Thiss is a simplified
d example. In real
r world environments, youu must make aadequate prep parations before co-
loca
ating virtual machines; you have
h e that the hard ware resourcee needs of all the virtual macchines
to ensure
thatt are hosted on n the host hyp hypervisor’s hardware resourrces.
pervisor do nott exceed the h
20410A: Installinng and Configuring W
Windows Server® 20012 13-3
Server Conso
olidation
With
W server virtualization, you u can consolida ate onto a sing
gle host, serveers that would otherwise nee ed to
ru
un on separatee hardware. Be ecause each virrtual machine on a host is iso olated from th
he other virtuaal
machines
m on the same host, itt is possible to
o deploy servicces and applicaations—such aas Exchange Se erver
20010, SQL Serveer 2012, and Active
A Directoryy® domain co ontrollers—on the same phyysical compute er, but
hoosted within virtual machine es. This means that an organ nization only needs to deployy one physicall server
in
n place of the three
t servers that they wouldd have needed d in the past.
Best Pracctice: Microsofft recommends that you nott deploy a Miccrosoft Exchang ge mailbox
se
erver on the saame computerr that holds a domain
d contro
oller role. Micro
osoft also reco
ommends
th
hat you not de eploy a SQL Server 2012 data abase engine iinstance on th e same compu uter that
ho
osts the domain controller ro ole. Instead, deploy each of these workloaads on separatte virtual
machines
m and then run those virtual machin nes as guests o
on the same seerver virtualizaation host;
th
his is a supportted configurattion.
Simplifying Server
S Deployment
Yo
ou can also use virtualization
n to simplify th
he process of sserver deploym
ment:
• There are virtual
v machine e templates for common serrver configurattions included with productss such as
Microsoft System
S Center 2012 - Virtual Machine Man nager (VMM). You can configure these temmplates
rather conffiguring virtuall machines from the very be ginning.
What
W Is Windows Azure?
Windows
W Azuree is cloud-base ed platform wh here
ou can purchase capacity, either for virtual
yo
machines
m or forr applications, such as SQL Server
da
atabases on SQ QL Azure. As a cloud-based hosting
so
olution, you pa ay for capacityy you use, rather than
pa
aying a fixed rate.
r For examp ple, rather than
pa
aying a month hly flat rate to rent a server on
o a
ra
ack at a hosting provider, the e cloud hosting
provider charge es you based on o use. You pay less
when
w the serverr is experiencin ng minimal use and.
yo
ou pay more as a use increase es.
class of server harrdware, which would require e you to migra te from the firrst physical host. All of this taakes
timee and planning g. Similarly if your
y need for capacity
c decreeases, you wou
uld need to decide whether
mig wer class of hardware is wortth the cost, or if your organiization should continue to p
grating to a low pay for
a cla
ass of hardwarre that you do not need righ ht now—and m may or may no ot need in the future. By usin ng a
hostting provider, capacity is sca aled automaticcally and your organization iis charged for only what you u use,
all without
w the complexity of migration.
De
esktop Virttualization
n
Clie
ent Hyper-V
V
Youu can install the
e Hyper-V rolee on computerrs
thatt are running Windows
W 8 Pro
o and Window ws 8
Ente his allows you to
erprise operatiing systems. Th
run virtual machin ne guests on client compute ers.
Client Hyper-V, th he Hyper-V feaature in Windo ows 8
Pro and Windowss 8 Enterprise, has the same
proccessor requirements as Hype er-V on Windo ows
Servver 2012: the computer
c must have an x64
plattform that supports second-level address
nslation (SLAT), and have a minimum
tran m of 4
gigaabytes (GB) of random accesss memory (RA AM).
Clie
ent Hyper-V on Windows 8
The Client Hyper--V role on Winndows 8 suppo orts many of th he features thaat are availablee with Hyper-VV on
Winndows Server 2012,
2 but doess not support enterprise
e feattures such as vvirtual machine e migration. Client
Hypper-V also does not support publishing applications thatt are installed o on the virtual machine guesst to
the host operatingg system’s Start menu. This was
w a feature tthat was preseent in Window ws XP Mode on n
Winndows 7, whichh used Virtual PC (Virtual PC is the client vvirtualization feeature availablle to some
com
mputers runninng specific edittions of the Windows 7 operrating system).
Clie
ent Hyper-V in enterprise
e environme
ents
In enterprise
e ent Hyper-V is often used fo r developmen
environments, Clie nt purposes, orr to allow specific
userrs to run previous versions of
o the Windowws operating syystem so that tthey can accesss applications that
20410A: Installinng and Configuring W
Windows Server® 20012 13-5
MED-V
M
MED-V
M is a centtrally managed
d form of cliennt-hosted virtuualization. MED
D-V allows admministrators to
o
ce
entrally deployy and manage virtual machin nes running on n clients. MED
D-V allows applications that aare
co
ompatible with h previous verssions of the Windows
W client operating systtem, such as W
Windows XP, too be
puublished in succh a way so that they are acccessible throug gh the Window ws 8 Start men
nu. MED-V is aavailable
ass part of the Microsoft
M Deskttop Optimization Pack.
Virtual
V Deskttop Infrastrructure
Virtual Desktop Infrastructure e (VDI) is a form
m of desktop vvirtualization wwhere client operating systems are
hoosted centrallyy as virtual machines. Clientss connect to thhese virtual maachines using client softwaree such
ass RDC. Using the Add Roles anda Features Wizard,
W you caan configure a server to supp port VDI by ch
hoosing
a Remote Deskttop Services in nstallation. Youu can also instaall the Remotee Desktop Virtuualization Hosst role
fe
eature in addition to the Hyp per-V role, whe en configuring g a host serverr to function as a VDI server..
• In the event that a client computer breaks, users are still able to acccess their virtu
ual machine ussing
other RDC methods.
VDI is also one method of alloowing organizzations to impllement “Bring Your Own Devvice” (BYOD) p policies.
In g their own computer to thee office and usee RDC softwarre to connect tto the
n this scenario, workers bring
virtual machine that has been n assigned to them.
Presentatio
P on Virtualizzation
Prresentation virrtualization difffers from desk
ktop
virtualization in the following ways:
• RemoteApp applications. Rather than use u a full deskttop client like RDC, RemoteA App allows
applications that
t run on the
e host Window ws Server 20122 server to be ddisplayed on tthe client computer.
RemoteApp applications
a ca
an be deployedd as Windows Installer (.msi)) files using traaditional softw
ware
deployment methods.
m This allows you to associate file ttypes with Rem
moteApp applications.
• Remote Deskktop Web Access. Clients can access a weeb site on a sp ured server and
pecially configu
launch RemoteApp applications and Rem
mote Desktop ssessions from ttheir browser.
Rem
mote Desktop Gateway
y
Remmote Desktop GatewayG allow
ws external clie
ents to access R Remote Deskto op and RemotteApp withoutt
usin
ng virtual priva ate network (V VPN), or the Windows 7 and Windows 8 op perating systemms DirectAccess
featture. Remote Desktop
D Gatew ervice that you can install on a computer running Windo
way is a role se ows
Servver 2012. Remote Desktop Gateway G serverrs are deployed d on perimeteer networks. Yo ou can configu
ure
the RDC client witth the address of Remote De esktop Gatewaay servers. When you do thiss, the client checks
to see if it is on thhe organization nal network. Iff it is, it makes a direct conneection to the R
Remote Desktoop
servver. If it is not, it routes the connection
c to the
t Remote Deesktop server through the R Remote Deskto op
Gateway.
Ap
pplication Virtualizat
V tion
App plication Virtuaalization, also known
k as Appp-V,
usess special clientt software, knoown as the App p-V
Client, that is insta
alled on the client to allow
appplications to eitther run on or be streamed to t
nt computers. App-V, like Med-V,
clien M is availa
able
as part
p of the Miccrosoft Desktop p Optimization n
Pack, and is not a native Windo ows Server 2012 role
or fe
eature.
Application iso
olation
Appp-V isolates the
e application from
f the operaating
system and runs itt in a special separate virtual
environment. Thiss means that applications tha at
you cannot installl and run direcctly on a host operating
o systeem, because oof compatibilitty problems, arre
able
e to run as Appp-V applications. For example, application ns written for W
Windows XP th hat cannot run
n on
the Windows 8 op perating system m can be run on
o Windows 8 if deployed th hrough App-V V. With App-V,, you
can also run appliications that might
m be comp patible with thee host operating system, butt may be
problematic when n run togetherr. For example,, you can use AApp-V to deplloy and run diffferent versionns of
Microsoft Office Word
W simultanneously.
Application streaming
Ano
other useful fea ature of App-VV is application
n streaming. WWhen an appliccation is stream
med only thosse
partts of the appliccation that are
e being used are transmitted d to the client computer. This speeds up
app
plication deployment becausse only part—n not all—of thee application m
must be transmmitted across th
he
netw
work to the client computer.
20410A: Installing and Configuring Windows Server® 2012 13-7
Application portability
When deployed with Microsoft System Center 2012 Configuration Manager, App-V allows applications to
follow users across multiple computers, without requiring a traditional installation on those client
computers. For example, a user can log on to a colleague's computer and have App-V stream that
application to them so that they can use it on that computer. The application is not installed locally, and
when the user logs off, the application is no longer available to other users of the computer.
13-8 Implemennting Server Virtualizzation with Hyper-V
Lesson 2
Implem
menting
g Hyperr-V
Undderstanding ho ow Hyper-V woorks and how virtual machin nes function is critical to effe
ectively deployying
servver virtualizatio
on in a Window
ws Server 2012
2 network envvironment. Wh hen you plan a server
virtu
ualization strattegy using Win
ndows Server 2012
2 as a virtu
ual machine ho ost, you need to know what you
can and cannot do.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
• Describe virtu
ual machine co
omponents.
Ab
bout Hyperr-V
Hypper-V is the hardware virtualization role
avaiilable in Windoows Server 201 12. Hardware
virtu
ualization provvides virtual machines
m with direct
d
acceess to the hostt's hardware. This
T is in contra ast to
softtware virtualiza
ation productss, such as Virtu
ual
Servver 2005 R2, thhat provide access indirectly
usin
ng the operatin ng system.
Hardware
H Requireme
R ents for Hy
yper-V
When
W deciding on the hardwware to use withha
se
erver on which
h you will install the Hyper-V
V role,
yo
ou need to enssure the follow
wing:
• The server must have an x64 platform that
t
supports SLLAT and Data Execution
E Prevvention.
• The server must have enoough memory to support th e memory req quirements of aall of the virtual
machines thhat must run concurrently,
c plus
p enough m memory to run the host Wind
dows Server 20 012
operating system.
s The server must havee at least 4 GB
B of RAM.
• The storagee subsystem pe erformance must meet the iinput/output ((I/O) needs of the guest virtu ual
machines. Whether
W deplooyed locally orr on SANs, it m
may be necessaary to place diffferent virtual
machines on
o separate ph hysical disks, to h performancee redundant array of indepe
o deploy a high endent
disks (RAID
D), solid-state drives
d (SSD), hyybrid-SSD, or a combination
n of all three.
• The host se
erver's network
k adapters must be able to ssupport the neetwork through hput requiremments of
the guest virtual
v machine
es. This may re g multiple nettwork adapterss and using multiple
equire installing
Network Interface Card (NIC) teams forr virtual machiines that have high networkk use requirements.
Virtual
V Macchine Hard
dware
Virtual machinees use virtual (oor, simulated)
ha
ardware. The host
h operating g system, Wind dows
Se
erver 2012 with the Hyper-V V role installed, uses
th
he virtual hardware to media ate access to actual
ha
ardware. For example,
e a virtu
ual network ad dapter
ca
an be mapped d to a virtual neetwork that is in turn
mapped
m to an actual
a network k interface.
o From which
w device itt will boot (for example, from
m a DVD drive , Integrated D
Drive Electroniccs (IDE),
legacy network adap
pter, or floppy disk)
o Num Lock
13-10 Implementing Server Virtualization with Hyper-V
• Memory. Allows you to allocate memory resources to the virtual machine. An individual virtual
machine can be allocated up to 1 TB of memory. You will learn about configuring memory later in
this lesson.
• Processor. Allows you to allocate processor resources to the virtual machine. You can allocate up to
32 virtual processors to a single virtual machine.
• IDE Controller 0. A virtual machine can only support two IDE controllers and, by default, two are
allocated to each virtual machine. Each IDE controller can support two devices. You can connect
virtual hard disks or virtual DVD drives to an IDE controller. If booting from a hard disk drive or DVD-
ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual
hard disks and DVD-ROMs to virtual machines that use any operating systems that do not support
integration services.
• IDE Controller 1. Allows additional virtual hard drives and DVD-ROMs to be deployed to the virtual
machine.
• SCSI Controller. A small computer system interface (SCSI) controller can only be used on virtual
machines that you deploy with any operating systems that support integration services.
• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual machine guest operating systems.
• COM 1. Allows you to configure a connection through a named pipe.
• Diskette Drive. Allows you to map a VHD floppy disk image to a virtual diskette drive.
You can add the following hardware to a virtual machine by editing the virtual machine's properties and
clicking on Add Hardware:
• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.
• Network Adapter. A single virtual machine can have a maximum of eight synthetic network
adapters. You will learn more about synthetic network adapters in Lesson 4.
• Legacy Network Adapter. Legacy network adapters allow you to use network adapters with any
operating systems that do not support integration services. You can also use legacy network adapters
to allow network deployment of operating system images. A single virtual machine can have up to
four legacy network adapters. You will learn more about legacy network adapters in Lesson 4.
• Fibre Channel adapter. Allows a virtual machine to connect directly to a Fibre Channel storage area
network (SAN). A Fibre Channel adapter requires that the Hyper-V host have a Fibre Channel host bus
adapter (HBA) that also has a Windows Server 2012 driver that supports Virtual Fibre Channel.
• RemoteFX 3D video adapter. The RemoteFX 3D video adapter allows virtual machines to display
high performance graphics by leveraging DirectX and graphics processing power on the host
Windows Server 2012 serve.
Additional Reading: For more information about Virtual Fibre Channel adapters see:
http://technet.microsoft.com/en-us/library/hh831413.aspx.
20410A: Installingg and Configuring W
Windows Server® 20112 13-11
Configuring
C g Dynamicc Memory
y
In
n the first relea
ase of Hyper-VV with Window ws
Se
erver 2008, you could only assign
a a static amount
a
off memory to virtual
v machinees. Unless you took
pecial precautions to measurre the precise amount
sp
off memory thatt a virtual machine required, you
were
w likely to eiither under allocate or over allocate
memory.
m
Smart Paging
g
Another new memory feature e that is availab
ble in Window ws Server 2012 is Smart Pagin ng. Smart Paging
provides a soluttion to the pro
oblem of minim mum memory allocation relaated to virtual machine starttup.
Virtual machine es can require more memoryy during startu up than they reequire during normal operattion. In
th
he past, it was necessary to allocate
a the miinimum memo ory required fo ensure that startup
or startup, to e
occcurred—this meant that the e amount of memory
m more than the virtual machin
allocatted could be m ne
ne
eeded during normal operattion. Smart Paging uses diskk paging to asssign additional temporary m memory
o a virtual macchine when it is starting up. This
to T allows you u to allocate m
memory based on what the vvirtual
machine
m needs when it is opeerating normallly, rather thann the amount tthat it needs d during startup.
Unfortunately, Smart
S Paging results in lowe er performancee because it usses disk resourrces that are used by
th
he host server and other virtual machines.
Co
onfiguring Virtual Ma
achine Integration SServices
Oncce you have installed guests onto the host
servver you can usee install Virtua
al Machine
egration Servicces to improve the performance
Inte
of both
b the host and
a the guestss—the guest iss said
to be
b integrated in nto the host seerver.
Sup
pported operatting systems caan use integration
servvices componeents, and adapter functionaliity
suchh as SCSI adap
pters and synth
hetic network
adapters. Hyper-VV supported virtual machine
gueest operating systems include
e:
• Windows Hom
me Server 201
11
• Windows MultiPoint Serverr 2011
• Windows Sma
all Business Se
erver 2011
• CentOS 5.5-5
5.7
• SUSE Linux En
nterprise Serve
er 10 with Servvice Pack 4 (SP
P4)
• Windows 7 with
w SP1
Note: Support for the Windows XP opeerating system ends in April 2014. Supportt for
Win
ndows Server 2003
2 and Wind
dows Server 20
003 R2 expiress in July 2015.
20410A: Installingg and Configuring W
Windows Server® 20112 13-13
Yo
ou can install the
t Hyper-V inntegration servvices componeents on an opeerating system m by accessing the
Virtual Machinee Connection window,
w and thhen in the Acttion menu, cliccking the Inserrt Integration
n
Se
ervices Setup Disk item. Yo
ou can then insstall the relevaant operating ssystem drivers either manuaally or
au
utomatically. You
Y can also ennable the follo
owing virtual mmachine integrration compon nents:
• Heartbeat.. Allows Hyperr-V to determine if the virtuaal machine hass become unre
esponsive.
• Backup (vo olume snapsh hot). Allows thhe Volume Shaadow Copy Serrvice (VSS) proovider to create
e
snapshots of
o the virtual machine
m for the purposes of backup operaation, without interrupting th
he
virtual machines' normal operations.
Configuring
C g Virtual Machine
M Sttart and Sttop Action
ns
Virtual Machine e start and stopp actions allow
w you to
co
onfigure what steps the Hyp per-V host perfforms
with
w specific virtual machines when the Hyp per-V
hoost is started or
o shut down. YouY can use viirtual
machine
m start and stop actionns to ensure thhat
crritical virtual machines
m alwayys start automa atically
whenever
w a Hypper-V host is re
estarted, and that
t
th
hey are shut do own gracefullyy if the server receives
r
a shutdown com mmand.
Yo
ou can configu
ure the followiing options in the Automaticc Start Actionss window:
• Nothing. The
T virtual macchine is not sta
arted automattically when the Hyper-V hosst starts, even if the
virtual machine was in a running
r state when
w the Hyp
per-V host was shut down.
• Always staart this virtuall machine auttomatically. TThe virtual macchine always sttarts when the
e Hyper-
V host startts. You can con
nfigure a startu
up delay to en
nsure that multiple virtual machines do noot
attempt staartup at the same time.
ou can configu
Yo ure the followiing options in the Automaticc Stop Actionss window:
• Save the virtual machin ne state. Savess the active staate of the virtu
ual machine, in
ncluding memo
ory to
disk. Allowss the virtual machine to be resumed
r when n the Hyper-V host restarts.
• he virtual macchine. The virttual machine iss powered off with the possibility of data loss.
Turn off th
• Shut down n the guest op perating syste hut down in a graceful manner.
em. The virtuaal machine is sh
This option
n is only availab on services co mponents aree installed on the virtual macchine.
ble if integratio
13-14 Implementing Server Virtualization with Hyper-V
V
Hy
yper-V Ressource Mettering
Resoource metering allows you to track the
reso on of virtual machines hosted
ource utilizatio d on
Winndows Server 2012
2 computers with the Hyper-V
role
e installed.
With resource me
etering, you can measure thee
follo
owing parame
eters on individ
dual Hyper-V virtual
v
macchines:
o Minimum
m memory use
e
o Maximum
m memory use
e
By measuring
m howw much of these resources each
e virtual maachine uses, ann organization can bill
deppartments or cuustomers baseed on their hossted virtual maachines use, raather than charrging a flat fee
e per
virtu
ual machine. An
A organization with only intternal customeers can also usse these measu urements to se ee
pattterns of use an
nd plan future expansions.
• Enable-VMR
ResourceMete
ering. Starts co
ollecting data o
on a per virtuaal machine bassis.
• Disable-VMR
ResourceMete
ering. Disables resource mettering on a peer virtual mach
hine basis.
• Reset-VMRe
esourceMeteriing. Resets virttual machine rresource meteering counters..
• Measure-VM
M. Displays reso
ource metering statistics for a specific virtu
ual machine.
Lesson
n3
Mana
aging Virtual Machine
M e Storag
ge
Hyper-V provides many differrent virtual ma achine storagee options. If yo
ou know whichh option is app
propriate
fo
or a given situa
ation, then youu can ensure that a virtual m
machine perforrms well. Howeever, if you do
o not
un
nderstand the different virtuual machine stoorage options,, you may end d up deploying
g virtual hard d
disks
th
hat consume unnecessary
u sp
pace or that pla
ace an unneceessary perform mance burden oon the host Hyyper-V
se
erver.
In
n this lesson, yo
ou will learn about different virtual hard d
disk types, diffeerent virtual haard disk formaats, and
th
he benefits and d limitations of using virtual machine snappshots.
Le
esson Objecctives
After completin
ng this lesson you
y will be able to:
What
W Is a Virtual
V Harrd Disk?
A virtual hard disk is a special file format that
re
epresents a traditional hard disk
d drive. You u can
co w partitions and
onfigure a virtual hard disk with
ann operating syystem. Virtual hard
h disks can be
ussed with virtua
al machines, annd you can alsso
mount
m virtual hard disks using
g the Window ws
Seerver 2008, Wiindows Server 2008 R2, Wind dows
Seerver 2012, and Windows 8, and Windowss 7
opperating systems. Windows Server 2012
su
upports boot tot virtual hard disk; this allowws you
to
o configure the e computer to boot into a
Windows
W Server 2012 operatiing system tha at is
deeployed on a virtual
v hard dissk, or into certtain
edditions of the Windows
W 8 op
perating system m that
is deployed on a virtual hard disk. You can create
a virtual hard disk using:
• VHDX virtual hard disks can a 64 TB. VHD vvirtual hard diisks were limited to 2 TB.
n be as large as
SM
MB Share Sup
pport
Winndows Server 2012
2 now supp ports virtual haard disks that aare stored on SMB 3 file shaares. This is an
n internet SCSI (iSCSI) or Fibrre Channel SAN
alternative to storring virtual harrd disk files on N devices. Whhen
creaating a virtual machine in Hyyper-V on Win ndows Server 22012, you can specify a netw work share. You u
speccify this when choosing the virtual hard diisk location or attaching an eexisting virtual hard disk. Th he file
sharre must suppo ort SMB 3. Thiss limits you to placing virtuall hard disks on n file shares that are hosted on file
servvers with Winddows Server 20 012. Older verssions of Windo ows Server do not support SMB 3.
Cre
eating Virttual Disk Types
T
Whe en you configuure a virtual haard disk, you can
c
choose between several
s differen
nt disk types,
including fixed, dyynamic, and pass through.
Differencing diskss will be discusssed later in in this
lesson.
Cre
eating Fixed
d Virtual Hard Disks
Whe en you create a fixed virtual hard disk, all of
o the
hardd disk space is allocated during the creatioon
proccess. This has the
t advantage e of minimizing g
frag
gmentation, wh hich improves virtual hard disk
perfformance whe en hosted on trraditional storaage
devices. This has the
t disadvanta age of requirinng
you to allocate alll space used by the fixed virttual hard disk at the time that the disk is ccreated.. In maany
situations. you willl not know precisely how much disk spacee a virtual macchine needs. Iff you use fixed hard
disk
ks, you may en nd up allocating space to stoorage that is noot actually required.
20410A: Installing and Configuring Windows Server® 2012 13-17
2. On the Actions pane, click New, and then click Hard Disk.
3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
4. In the New Virtual Hard Disk Wizard, on the Choose Disk Format page, click either VHD or VHDX,
and then click Next.
5. On the Choose Disk Type page, click Fixed size, and then click Next.
6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a
folder in which to host the virtual hard disk file.
o Copy the contents of a specified physical disk. Allows you to replicate an existing physical disk
on the server as a virtual hard disk. The fixed hard disk will be the same size as the disk that you
have replicated. Replicating an existing physical hard disk does not alter data on the existing disk.
o Copy the contents of a specified virtual hard disk. Allows you to create a new fixed hard disk
based on the contents of an existing virtual hard disk.
Note: You can create a new fixed hard disk using the New-VHD Windows PowerShell
cmdlet with the -Fixed parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes, or on SSDs. Improvements in Hyper-V (since it was first introduced with Windows Server
2008) also minimize the performance differences between dynamic and fixed virtual hard disks.
Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and will grow as necessary. For example, if you
create a new virtual machine and specify a dynamic disk, only a small amount of disk space will be
allocated to the new disk. For a VHD format virtual hard disk, approximately 260 kilobytes (KB) are
allocated. For a VHDX format virtual hard disk, approximately 4,096 KB are allocated.
As storage is allocated, the dynamic virtual hard disk will grow. If you delete files from a dynamically
expanding virtual hard disk, the virtual hard disk file will not shrink. You can only shrink a dynamically
expanding virtual hard disk file by performing a shrink operation. You will learn how to shrink virtual hard
disks later in this lesson.
You perform similar steps when creating a dynamically expanding virtual hard disk to when you create a
fixed virtual hard disk. The difference is that on the Choose Disk Type page, you choose the Dynamically
Expanding type.
Note: You can create a new dynamic hard disk using the New-VHD Windows PowerShell
cmdlet with the -Dynamic parameter.
Pass-Through Disks
Pass-through disks allow the virtual machine to access a physical disk drive, rather than to use a virtual
hard disk. You can use pass-through disks to connect a virtual machine directly to an iSCSI logical unit
13-18 Implementing Server Virtualization with Hyper-V
V
1. Ensure that th
he target hard disk is offline.
Ma
anaging Virtual Hard
d Disks
Fromm time to timee, you will need to perform
maintenance operations on virtual hard disks. For
exammple you might want to com mpact a virtual hard
disk
k to free up spaace, or converrt a virtual hard
d disk
to another
a formatt as your needs change. You can
perfform the follow
wing maintena ance operation ns on
virtu
ual hard disks:
Whe en you converrt a virtual hardd disk, the conntents of the exxisting virtual hard disk are copied to a ne ewly
creaated virtual hard disk that ha
as the settings that you havee chosen. For eexample, when n converting frrom a
fixed virtual hard disk to a dynaamic virtual hard disk, a new dynamic virtu ual hard disk iss created, the
contents of the exxisting fixed virtual hard diskk are copied to
o the new dynaamic virtual haard disk, and tthen
the existing fixed virtual hard diisk is deleted, with
w the new d dynamic virtuaal hard disk taking its place.
To convert
c a virtual hard disk, perform
p the following steps:
3. On the Local Virtual Hard Disk page, click Browse. Seelect the virtuaal hard disk that you want to
o
convert.
20410A: Installingg and Configuring W
Windows Server® 20112 13-19
Yo
ou can use thee resize-partittion and the resize-vhd Win
ndows PowerSShell cmdlets tto compact a
dyynamically exp
panding virtua
al hard disk.
Yoou can also use the Edit Virtual Hard Disk Wizard to exp ou can expand both dynamiccally
pand a disk. Yo
exxpanding and fixed virtual hard disks.
Reducing
R Storage
S Ne
eeds with Differenci ng Disks
Differencing dissks are separatte virtual hard disks
th
hat record the changes made e to a parent disk.
d
Differencing dissks allow you to
t reduce the amount
a
off hard disk spaace consumed by virtual hard disks
att the cost of diisk performancce. Differencinng disks
work
w well with SSD,
S and wherre there is a lim
mited
am
mount of spacce available on n the host volume and
th
he disk perform mance compen nsates for the
peerformance drrawbacks of ussing a differenccing
diisk.
Yo
ou can link mu ultiple differen
ncing disks to a single
pa
arent disk. How wever, if you modify
m the parrent
diisk, the links to
o all of the diffferencing diskss will fail.
Yo
ou can reconn nect a differenccing disk to the parent using Disk tool, which is available in the
g the Inspect D
Actions pane off the Hyper-V Manager conssole. You can aalso use the Inspect Disk too ol to locate thee parent
diisk of a differe
encing disk.
To
o create a diffe
erencing disk, perform the fo
ollowing stepss:
New-VHD c:\diff-disk.vhd -P
ParentPath C:\parent.vhd
Using Snapsh
hots
Snapshots represe ent the state ofo a virtual macchine
at a particular poiint in time. The ey are a static
image of the set ofo data on the virtual machin ne at
the moment the snapshot
s is tak
ken. Snapshotss are
storred in either .avhd or .avhdx format depen nding
on the
t virtual hard d disk format. You can take a
snappshot of a virtual machine frrom the Action n
men nu of the Virtuual Machine Co onnection window,
or from the Hyper-V console. Ea ach virtual machine
can have a maxim mum of 50 snap pshots.
Sna
apshots vs. Backups
Snapshots are nott a replacemen nt for backups. Snapshot datta is stored onn the same volu ume as the virrtual
hardd disks. If the volume
v hosting these files fa
ails, both the s napshot and tthe virtual hard
d disk files willl be
lost.
Exp
porting Snapshots
Youu can perform a virtual mach hine export of a snapshot. W
When you perfo orm an export of the snapshot,
Hypper-V will creatte full virtual hard
h e at the time the
disks that represent thee state of the vvirtual machine
snappshot was takeen. If you choo ose to export an
a entire virtuaal machine, alll snapshots asssociated with tthe
virtu
ual machine will
w also be exported.
Diffferencing Disk
D Files
Whe en you create a snapshot, Hyyper-V writes differencing d disk (.avhd, or ..avhdx) files, w
which store the
e data
thatt differentiatess the snapshot from the prevvious snapshott, or from the parent virtual hard disk. Wh hen
you delete snapsh hots, this data is either discarded, or mergeed back into the previous sn napshot or parrent
virtu
ual hard disk. For
F example:
• he data is disc arded. With H
If you delete the most recent snapshot, th Hyper-V in Winndows Server 2
2012,
this space is reclaimed
r imm
mediately rathe
er than when t he virtual macchine is shut down.
20410A: Installing and Configuring Windows Server® 2012 13-21
• If you delete the second most recent snapshot, the data is merged so that the earlier and latter
snapshot states of the virtual machine retain their integrity.
Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time the
snapshot was taken. Reverting to a snapshot does not delete existing snapshots. If you revert to a
snapshot after making a configuration change, you will be prompted to take a snapshot. It is only
necessary to create a new snapshot if you want to return to that current configuration.
It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of
a virtual machine on Monday, Tuesday and then on Wednesday, and if on Thursday you apply the
Tuesday snapshot and then made changes to the configuration of the virtual machine, you will have
created a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as
long as you do not exceed the 50 snapshots per virtual machine limit.
13-22 Implementing Server Virtualization with Hyper-V
V
Lesson 4
Manag
ging Virrtual Ne
etworkss
Hypper-V provides several differe ent options for network com mmunication b between virtual machines. Hyyper-
V allows you to co onfigure virtua
al machines that communicaate with an extternal networkk in a manner
simiilar to tradition
nally deployedd physical hostts. It also allow
ws you to confiigure virtual m
machines so thaat
theyy are only able e to communiccate with a lim
mited number o of other virtual machines thaat are hosted o
on the
sam
me Hyper-V host in Windowss Server 2012. Knowing the o options availab V virtual networks
ble for Hyper-V
ensu c leverage those options to
ures that you can t best meet yyour organizat ion's needs.
Lessson Objectiives
Afte
er completing this lesson you
u will be able to:
t
• ual switches.
Describe virtu
Wh
hat Is a Virrtual Switcch?
on of a network
A virtual switch is a virtual versio
swittch. The term virtual
v networkk, which was used
in Windows
W Serveer 2008, has beeen replaced byb the
term
m virtual switchh in Windows Server 2012. Virtual
V
swittches control how
h network traffic flows
betwween virtual machines
m that are
a hosted on the
Hypper-V server, and between virtual machines and
the rest of the orgganizational ne etwork. You
man nage virtual swwitches through the virtual sw witch
man nager which is accessible thrrough the Actions
panne of the Hyper-V Manager console.
c Hyperr-V
on Windows
W Serveer 2012 suppo orts three different
typees of virtual sw
witches:
• Internal. Use
e internal virtua
al switches to communicate
c between the vvirtual machin
nes on the Hyp
per-V
host, and to communicate
c between the virtual
v machinees and the Hyp
per-V host itse
elf.
Whe en configuring
g a virtual netw N (VLAN) ID to be associated with
work, you can also configuree a virtual LAN
the network. This allows you to extend existinng VLANs on thhe external neetwork to VLAN Ns within the
Hypper-V host's ne
etwork switch. VLANs allow you on network trafffic, and function as separate
y to partitio e
logical networks. Traffic
T can onlly pass from one VLAN to annother if it passses through a router.
20410A: Installingg and Configuring W
Windows Server® 20112 13-23
Yo
ou can configu
ure the followiing extensionss for each virtu
ual switch typee:
• Microsoft Windows Filttering Platforrm. This extenssion allows datta travelling accross the virtual
switch to be filtered.
Hyper-V
H Ne
etwork Virrtualization
Hyper-V Netwo ork Virtualizatio
on allows you to
isolate virtual machines
m that share
s the samee
Hyper-V host, butb are from different organiizations.
Foor example, if you provide an Infrastructurre as a
Seervice (IaaS) to
o differing businesses, you will
w want
to
o isolate their virtual
v machines from each other.
o
Network Virtualization allows you to go beyyond
baasic traffic partitioning by asssigning these virtual
machines
m parate VLANs as a way of iso
to sep olating
neetwork traffic. You would primarily deployy
Network Virtualization in scen narios where you
y
were
w using Hyp per-V to host virtual
v machinees for
annother organizzation.
When
W you configure Network n, each guest vvirtual machinee has two IP addresses that function
k Virtualization
in
n the following
g manner:
Ma
anaging Virtual Macchine MAC
C Addressees
Unle
ess you specifyy a static mediia access contrrol
(MA
AC) address, Hyyper-V dynam mically allocates a
MAC address to each
e achine network
virtual ma
adapter from a poool of MAC ad ddresses. You can
c
configure the add
dress range of this pool from m
MAC Address Ran t Virtual Switch
nge setting of the
Mannager console.. By default, a Hyper-V host has a
ol of 255 MAC addresses.
poo
Whe en virtual macchines are alloccated IP addreesses through a Dynamic Ho ost Configuratio
on Protocol (DDHCP)
rese
ervation, you should conside er using static MAC
M addressees. A DHCP resservation ensures that a partticular
IP address is alwayys allocated to
o a specific MAAC address.
You
u can configure
e the MAC add
dress range byy performing t he following ssteps:
3. On the Action
ns pane, selectt Virtual Switcch Manager.
4. Under Globall Network Setttings, click MA
AC Address Raange.
5. Specify a min
nimum and a maximum
m rang
ge for the MAC
C address.
Hy
yper-V Host MAC
C Address Ran
nge
Host 1 Min
nimum: 00-15-5D-0F-AB-00
Maxximum: 00-15--5D-0F-AB-FF
Host 2 Min
nimum: 00-15-5D-0F-AC-00
Maxximum: 00-15--5D-0F-AC-FF
Host 3 Min
nimum: 00-15-5D-0F-AD-00
Maxximum: 00-15--5D-0F-AD-FF
20410A: Installingg and Configuring W
Windows Server® 20112 13-25
Configuring
C g Virtual Network
N Adapters
A
Virtual networkk adapters alloww the virtual machine
m
gu
uest operatingg system to communicate ussing the
virtual switches that you conffigure using the
Virtual Switch Manager
M consoole. You can ed dit the
properties of a virtual
v machin
ne to modify th he
properties of a network adaptter. From the
Network Adapter pane on the e virtual machine's
se
ettings dialog box, you can configure
c the
fo
ollowing:
• Virtual Switch. Determin
nes which virtuual
switch the network
n adaptter connects to
o.
Bo
oth synthetic network
n adaptters and legacyy network adaapters support the following advanced features:
• Router Guard. Drops rou uter advertisemment and redirrection messag ges from virtual machines th
hat are
configured as unauthorizzed routers. Th his may be neccessary in scenaarios where yo
ou do not have
e direct
control ove
er the configurration of virtua
al machines.
Syynthetic netwoork adapters re equire the gue est operating ssystem to suppport integratio
on services. In aaddition
to
o the Advanced d features liste
ed earlier, syntthetic networkk adapters supp
port the follow
wing hardware e
accceleration fea
atures:
• IPsec task offloading. This feature allows calculation-intensive security association tasks to be
performed by the host's network adapter. In the event that sufficient hardware resources are not
available, the guest operating system performs these tasks. You can configure a maximum number of
offloaded security associations between a range of 1 and 4,096. IPsec task offloading requires guest
operating system and network adapter support.
• SR-IOV. Single-root I/O virtualization (SR-IOV) allows multiple virtual machines to share the same
Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources
are not available, then network connectivity falls back to be provided through the virtual switch.
Single-root I/O virtualization (SR-IOV) requires specific hardware and special drivers to be installed on
the guest operating system.
Legacy network adapters emulate common network adapter hardware. You use legacy network adapters
in the following situations:
• You want to support network boot installation scenarios for virtual machines. For example, you want
to deploy an operating system image from a Windows Deployment Services (Windows DS) server or
through Configuration Manager.
• You need to support operating systems that do not support integration services and do not have
drivers for the synthetic network adapter.
Legacy network adapters do not support the hardware acceleration features that synthetic network
adapters support. You cannot configure virtual machine queue, IPsec task offloading, or Single-root I/O
virtualization for legacy network adapters.
20410A: Installing and Configuring Windows Server® 2012 13-27
To more effectively use the server hardware that is currently available at branch offices, your manager has
decided that all branch office servers will run as virtual machines. You must now configure a virtual
network and a new virtual machine for these branch offices.
Objectives
After performing this lab you will be able to:
Lab Setup
Estimated Time: 60 minutes
Logon Information
Password Pa$$w0rd
1. Reboot the classroom computer and choose 20410A-LON-HOST1 from the Windows Boot
Manager
2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.
2. Log onto the computer with the Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server and then configure the following network settings:
13-28 Implementing Server Virtualization with Hyper-V
o IP Address: 172.16.0.31
4. Use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 with the following
options:
5. After a few minutes, the server will automatically restart. Ensure that you restart the machine from the
boot menu as 20410A-LON-HOST1. The computer will restart several times
4. Edit the Hyper-V settings of LON-HOST1, and configure the following settings:
Results: After this exercise, you will have deployed the Hyper-V role to a physical server.
2. Use the Virtual Switch Manager to create a new External virtual network switch with the following
properties:
o External Network: Mapped to the host computer's physical network adapter. (This will vary
depending on the host computer.)
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.
o Minimum: 00-15-5D-0F-AB-A0
o Maximum: 00-15-5D-0F-AB-EF
Results: After this exercise, you will have configured virtual switch options on a physically deployed
Windows Server 2012 server running the Hyper-V role.
To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You will then use these differencing files as the virtual hard disk files for
the new virtual machines.
Note: The drive letter may depend upon the number of drives on the physical host
machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Name: LON-GUEST1.vhd
o Name: LON-GUEST1
o Memory: 1024 MB
4. Use the Hyper-V Manager console, edit the settings of LON-GUEST2. Configure the following:
Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2
20410A: Installing and Configuring Windows Server® 2012 13-31
Results: After this exercise, you will have deployed two separate virtual machines using a sysprepped
virtual hard disk file as a parent disk for two differencing disks.
In this exercise, you will deploy Windows Server 2012 in a virtual machine. You will create a stable
configuration for that virtual machine, and then take a virtual machine snapshot. You will then modify the
configuration, and then roll back to the snapshot.
The main tasks for this exercise are as follows:
2. Open the Virtual Machine Connection Window and perform the following steps to deploy Windows
Server 2012 on the virtual machine:
o On the Settings page, click Skip.
o On the Settings page, select I accept the license terms for using Windows and click Accept.
o On the Settings page, click Next to accept the Region and Language settings.
o On the Settings page enter the password Pa$$w0rd twice and click Finish.
3. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.
4. Reset the name of the virtual machine to LON-GUEST1, and then restart the virtual machine.
3. Log on to the LON-GUEST1 virtual machine, and verify that the server name is set to
LON-Computer1.
13-32 Implementing Server Virtualization with Hyper-V
2. Verify that the Computer Name of the virtual machine is set to LON-GUEST1.
Measure-VM LON-GUEST1
2. Note the average CPU, average RAM, and total disk use figures and then close the PowerShell
window.
Results: After this exercise, you will have used virtual machine snapshots to recover from a virtual
machine misconfiguration.
2. In the Windows PowerShell window, enter the following command and press enter:
Shutdown /r /t 5
Question: In which situations must you use VHDX format virtual hard disks as opposed to VHD
format virtual hard disks?
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?
Best Practices
When implementing server virtualization with Hyper-V, use the following best practices:
• Ensure that the processor on the computer that will host Hyper-V supports SLAT. Servers that support
the Hyper-V role on Windows Server 2008 and Windows Server 2008 R2 may not support Hyper-V on
Windows Server 2012.
• Ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual
machines paging the hard disk drive because they are provisioned with inadequate memory will
decrease performance for all virtual machines on the Hyper-V host.
• Monitor virtual machine performance carefully. A virtual machine that uses a disproportionate
amount of server resources can adversely impact the performance of all other virtual machines that
are hosted on the same Hyper-V server.
Tools
You can use the following tools with Hyper-V to deploy and manage virtual machines.
Sysinternals Use to convert physical You can download this tool from the
disk2vhd tool hard disks to VHD format. Microsoft TechNet website.
13-34 Implementing Server Virtualization with Hyper-V
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
L1-1
7. In the Hyper-V Manager console, double-click 20410A-LON-SVR3 to open the Virtual Machine
Connection Window.
8. In the Virtual Machine Connection Window, In the Action menu, click Start.
9. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, and
then click Next.
o Language to install: English (United States)
11. On the Select the operating system you want to install page, select Windows Server 2012
Release Candidate Datacenter (Server with a GUI), and then click Next.
12. On the License terms page, review the operating system license terms. Select the I accept the
license terms check box, and then click Next.
13. On the Which type of installation do you want?, click Custom: Install Windows only (advanced).
14. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has
enough space for the Windows Server 2012 operating system, and then click Next.
Note: Depending on the speed of the equipment, the installation will take approximately
20 minutes. The virtual machine will restart several times during this process.
15. On the Settings page, enter the password Pa$$w0rd in both the Password and Reenter password
boxes, and then click Finish.
3. Click on the randomly-generated name next to Computer name. This will launch the System
Properties dialog box.
4. In the System Properties dialog box, on the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the
name LON-SVR3, and then click OK.
2. On the taskbar, click the time display. A pop-up window with a calendar and a clock displays.
5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click
OK.
6. In the Date and Time dialog box, click Change Date and Time.
7. Verify that the date and time that display in the Date and Time Settings dialog box match those in
your classroom, and then click OK.
4. Right-click the selected network adapters, and then click Add to New Team.
5. In the New Teaming dialog box, in the Team name field. type LON-SVR3, and then click OK.
6. Close the NIC Teaming dialog box. Refresh the Server Manager console.
7. In the Server Manager console, next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6
Enabled.
8. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
9. In the LON-SVR3 Properties dialog, select Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IP address
information, and then click OK.
o IP address: 172.16.0.101
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain
option.
o Username: Administrator
o Password: Pa$$w0rd
7. In the Computer Name/Domain Changes dialog box, click OK.
8. When informed that you must restart the computer to apply changes, click OK.
11. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.
Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also
will have configured LON-SVR3 including name change, date and time, networking, and network teaming.
7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.
3. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone
that your classroom uses, and then click OK.
L1-4 20410A: Installing and Configuring Windows Server® 2012
4. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time
match those in your location. Click OK two times to dismiss the dialog boxes.
5. In the command prompt window, type 15, and then press Enter to exit Server Configuration.
4. Type the index number of the network adapter that you want to configure, and then press Enter.
5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter
Address.
7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.
8. At the Enter subnet mask prompt, Type 255.255.0.0, and then press Enter.
9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.
10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS
server address.
11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.
12. In the Network Settings dialog box, click OK.
14. Type 4, and then press Enter to return to the main menu.
15. Type 15, and then press Enter to exit sconfig.cmd.
16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain
controller from LON-CORE.
6. At the Specify an authorized domain\user prompt, type adatum\administrator, and then press
Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then
press Enter.
12. Log on to server LON-CORE with the adatum\administrator account and the password Pa$$w0rd.
Results: After finishing this exercise, you will have configured a Windows Server 2012 Server Core
deployment, and verified the server’s name.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
5. Use the arrow to add LON-CORE and LON-SVR3 to the server group. Click OK to close the Create
Server Group dialog box.
6. Click LAB-1. Press and hold the Ctrl key, and then select both LON-CORE and LON-SVR3.
7. When both are selected, scroll down and under the Performance section; select both LON-CORE
and LON-SVR3.
4. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
5. On the Select destination server page, verify that LON-CORE.Adatum.com is selected, and then
click Next.
6. On the Select server roles page, select Web Server (IIS), and then click Next.
7. On the Features page, select Windows Server Backup, and then click Next.
9. On the Select Role Services page, add the Windows Authentication role service, and then click
Next.
10. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install.
11. Click Close to close the Add Roles and Features Wizard.
12. In Server Manager, right-click LON-SVR3, and then click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation.
L1-6 20410A: Installing and Configuring Windows Server® 2012
15. On the Select destination server page, verify that LON-SVR3.Adatum.com is selected, and then
click Next.
17. On the Select features page, click Windows Server Backup, and then click Next.
18. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install.
20. In Server Manager, click the IIS node, and verify that LON-CORE is listed.
2. At a command prompt, type netsh.exe firewall set service remoteadmin enable ALL, and then
press Enter.
3. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.
7. Right-click the World Wide Web Publishing service, and then click Properties. Verify that the
Startup type is set to Automatic.
8. In the World Wide Web Publishing Service dialog box, on the Log On tab, verify that the service is
configured to use the Local System account.
9. In the World Wide Web Publishing Service dialog box, on the Recovery tab, configure the
following settings:
10. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, click the
Restart Computer Options button.
11. In the Restart Computer Options dialog box, in the Restart Computer After box, type 2, and then
click OK.
12. Click OK to close the World Wide Web Publishing Services Properties dialog box.
Results: After finishing this exercise, you will have created a server group, deployed roles and features,
and configured the properties of a service.
Module 1: Deploying and Managing Windows Server 2012 L1-7
7. Type get-process, and then press Enter to view a list of processes on LON-CORE.
8. Type the following command to review the IP addresses assigned to the server:
Get-NetIPAddress | Format-table
9. Type the following command to review the most recent 10 items in the security log:
2. At the Windows PowerShell command prompt, type import-module ServerManager, and then
press Enter.
3. To verify that the XPS Viewer feature has not been installed on LON-SVR3, type the following
command, and then press Enter:
4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:
5. To verify that the XPS Viewer feature has now been deployed on LON-SVR3, type the following
command and then press Enter:
6. In the Server Manager console, from the Tools drop-down menu, click Windows PowerShell ISE.
7. In the Windows PowerShell ISE window, in the Untitled1.ps1 script pane, type the following, pressing
Enter after each line:
Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE
L1-8 20410A: Installing and Configuring Windows Server® 2012
8. Click the Save icon. Select the root of Local Disk (C:). Create a new folder named Scripts, and then
save the script in that folder as InstallWins.ps1.
Results: After finishing this exercise, you will have used Windows PowerShell to perform a remote
installation of features on multiple servers.
2. In the Virtual Machines list, right click 20410A-LON-DC1, and the click Revert.
4. In the Add Servers dialog box, in the Name (CN) box, type LON-SVR1 and then click Find Now.
5. Under Name, click LON-SVR1 and then click the arrow to add the server to the Selected column.
7. In Server Manager, in the Servers window, right-click LON-SVR1, and select Add Roles and Features.
10. On the Select destination server page, ensure that Select a server from the server pool is
selected. In the Server Pool window, verify that LON-SVR1.Adatum.com is highlighted, and then
click Next.
11. On the Select server roles page, select the Active Directory Domain Services check box, click Add
Features, and then click Next.
15. Installation will take several minutes, when the installation is succeeded, click Close to close the Add
Roles and Features Wizard.
2. In the Post-deployment Configuration window that appears, click Promote this server to a domain
controller. The wizard continues.
3. In the Deployment Configuration page, ensure that the radio button next to Add a domain
controller to an existing domain is selected, and then, beside the Domain line, click Select.
4. In the Windows Security dialog box that opens, enter Adatum\Administrator in the Username box
and in the Password box, type Pa$$w0rd, and then click OK.
5. In the Select a domain from the forest window, click adatum.com, and then click OK.
7. On the Domain Controller Options page, ensure that Domain Name System (DNS) server is
selected, and then deselect the check box next to Global Catalog (GC).
L2-10 20410A: Installing and Configuring Windows Server® 2012
Note: You would usually want to enable the global catalog as well, but for the purpose of
this lab, this is done in the next section.
8. In the Type the Directory Services Restore Mode (DSRM) password section, type Pa$$w0rd in
both text boxes, and then click Next.
11. On the Paths page, accept the default folders, and then click Next.
12. On the Review Options page, click View Script, examine the Windows PowerShell® script that the
wizard generates, close the Notepad window, and then click Next.
13. On the Prerequisites Check page, read any warning messages, and then click Install.
2. In Server Manager, click Tools and then click Active Directory Sites and Services.
3. When the Active Directory Sites and Services window opens, expand Sites, expand Default-First-
Site-Name, expand Servers, and then expand LON-SVR1.
5. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog.
Results: After completing this exercise, you will have explored Server Manager and promoted a member
server to be a domain controller.
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
4. In the Command Prompt window, type the following, pressing Enter after each line:
Ntdsutil
Activate instance ntds
Ifm
Create sysvol full c:\ifm
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
7. In the toolbar, click Manage, and then click Add Roles and Features.
9. On the Select installation type page, ensure that Role-based or feature-based installation is
selected, and then click Next.
10. On the Select destination server page, verify that LON-SVR2.Adatum.com is highlighted, and then
click Next.
11. On the Select server roles page, click Active Directory Domain Services, in the Add Roles and
Features Wizard window, click Add Features, and then click Next.
12. In the Select Features window, click Next.
14. On the Confirm installation selections page, click Restart the destination server automatically if
required. Click Yes at the message box.
3. In the Server Manager toolbar, to the left of the Manage button, click the yellow Alert button.
4. In the Post-deployment Configuration window, click Promote this server to a domain controller.
5. On the Deployment Configuration page, ensure that Add a domain controller to an existing
domain is selected, and confirm that adatum.com is entered as the target domain. Click Next.
6. On the Domain Controller Options page, ensure that both Domain Name System (DNS) server
and global catalog are selected. For the DSRM password, enter Pa$$w0rd in both boxes, and then
click Next.
7. On the DNS Options page, click Next.
8. On the Additional Options page, select the check box next to Install from media, in the text box,
type C:\ifm and then click verify.
11. On the Review Options page, click Next, and then observe the wizard as it performs a check for
prerequisites.
12. Click Install and wait while AD DS is configured. While this task is running, read the information
messages that display on the screen.
L2-12 20410A: Installing and Configuring Windows Server® 2012
Results: After completing this exercise, you will have installed an additional domain controller for the
branch office by using IFM.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
6. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and
then click OK.
8. In the New Object – Group dialog box, in the Group name box, type Branch 1 Help Desk, and then
click OK.
10. In the New Object – Group dialog box, in the Group name box, type Branch 1 Administrators, and
then click OK.
11. Right-click Branch Office 1, point to New, and then click Group.
12. In the New Object – Group dialog box, in the Group name box, type Branch 1 Users, and then click
OK.
14. In the details pane, right-click Holly Dickson, and then click Move.
15. In the Move dialog box, click Branch Office 1, and then click OK.
17. In the details pane, right-click Bart Duncan, and then click Move.
18. In the Move dialog box, click Branch Office 1, and then click OK.
20. In the details pane, right-click Ed Meadows, and then click Move.
21. In the Move dialog box, click Branch Office 1, and then click OK.
22. In the navigation pane, click the Marketing organizational unit.
23. In the details pane, right-click Connie Vrettos, and then click Move.
24. In the Move dialog box, click Branch Office 1, and then click OK.
25. In the navigation pane, click the Research organizational unit.
L3-14 20410A: Installing and Configuring Windows Server® 2012
26. In the details pane, right-click Barbara Zighetti, and then click Move.
27. In the Move dialog box, click Branch Office 1, and then click OK.
29. In the details pane, right-click Arlene Huff, and then click Move.
30. In the Move dialog box, click Branch Office 1, and then click OK.
33. In the details pane, right-click LON-CL1, and then click Move.
34. In the Move dialog box, click Branch Office 1, and then click OK.
36. Pause your mouse pointer in the lower-right corner of the display, and then click Settings.
38. When the computer has restarted, log on as Adatum\Administrator with the password of
Pa$$w0rd.
41. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
43. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Branch 1 Administrators, and then click OK.
44. On the Users or Groups page, click Next.
45. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the
following check boxes, and then click Next:
o Create, delete, and manage user accounts
47. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
51. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
Module 3: Managing Active Directory Domain Services Objects L3-15
52. On the Active Directory Object Type page, select Only the following objects in the folder, select
the following check boxes, and then click Next:
o Computer objects
54. On the Completing the Delegation of Control Wizard page, click Finish.
X Task 2: Delegate a user administrator for the Branch Office Help Desk
1. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
3. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Branch 1 Help Desk and then click OK.
5. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the
following check boxes, and then click Next:
3. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Branch 1 Administrators, and then click OK.
5. In the details pane, right-click Branch 1 Administrators, and then click Add to a group.
6. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Server Operators, and then click OK.
8. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
10. Log on to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. You can logon locally at a
domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
11. On the desktop, in the task bar click Server Manager.
12. In the User Account Control dialog box, in the User name box, type Holly. In the Password box,
type Pa$$w0rd, and then click Yes.
17. In the details pane, right-click Aaren Ekelund, and then click Delete.
19. Click OK to acknowledge that you do not have permissions to perform this task.
21. In the details pane, right-click Ed Meadows, and then click Delete.
22. Click Yes to confirm. You are successful because you have the required permissions.
2. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Branch 1 Help Desk, and then click OK.
5. Close Server Manager. To modify the Server Operators membership list, you must have permissions
beyond those available to the Branch 1 Administrators group.
12. In the details pane, right-click Branch 1 Help Desk, and then click Add to a group.
13. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type
Server Operators, and then click OK.
14. In the Active Directory Domain Services dialog box, click OK.
15. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
17. Log on as Adatum\Bart with the password Pa$$w0rd. You can logon locally at a domain controller
because Bart belongs, indirectly, to the Server Operators domain local group.
19. In the User Account Control dialog box, in the User name box, type Bart. In the Password box,
type Pa$$w0rd, and then click Yes.
24. In the details pane, right-click Connie Vrettos, and then click Delete.
25. Click Yes to confirm. You are unsuccessful because you lack the required permissions. Click OK.
27. In the Reset Password dialog box, in the New password and Confirm password boxes, type
Pa$$w0rd, and then click OK.
29. On your host computer, in the 20410A-LON-DC1 windows, on the Action menu, click
Ctrl+Alt+Delete.
Results: After this exercise, you should have successfully created the necessary OU and delegated
administration of it to the appropriate group.
7. In the branch1-userdata Properties dialog box, on the Sharing tab, click Advanced Sharing.
8. Select the Share this folder check box, and then click Permissions.
9. In the Permissions for branch1-userdata dialog box, select the Full Control Allow check box, and
then click OK.
10. In the Advanced Sharing dialog box, click OK, and then in the branch1-userdata Properties dialog
box, click Close.
12. Click Active Directory Users and Computers, and then expand Adatum.com.
13. Right-click Branch Office1, point to New, and then click User.
14. In the New Object – User dialog box, in the Full name box, type _Branch_template.
15. In the User logon name box, type _Branch_template, and click Next.
16. In the Password and Confirm password boxes, type Pa$$w0rd.
17. Select the Account is disabled check box, and then click Next.
2. In the _Branch_template Properties dialog box, on the Address tab, in the City box, type Slough.
4. Click Add. In the Select Groups dialog box, in the Enter the object names to select (examples):
box, type Branch 1 Users, and then click OK.
5. Click the Profile tab.
6. Under Home folder, click Connect, and in the To: box, type \\lon-dc1\branch1-userdata
\%username%.
7. Click Apply, and then click OK.
X Task 3: Create a new user for the branch office, based on the template
1. Right-click _Branch_template, and then click Copy.
2. In the New Object – User dialog box, in the First name box, type Ed.
3. In the Last name box, type Meadows.
4. In the User logon name box, type Ed, and then click Next.
7. Clear the Account is disabled check box, and then click Next.
8. Click Finish.
9. Right-click Ed Meadows, and then click Properties.
10. In the Ed Meadows Properties dialog box, click the Address tab. Notice that the City is configured.
11. Click the Profile tab. Notice that the home folder location is configured
12. Click the Member Of tab. Notice that Ed belongs to the Branch 1 Users group. Click OK.
13. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
2. On your host computer, in the 20410A-LON-CL1 window, on the menu, click Ctrl+Alt+Delete.
7. In the navigation pane, click Desktop, and then in details, double-click Computer.
11. On your host computer, in the 20410A-LON-CL1 window, on the Action menu, click Ctrl+Alt+Delete.
Results: After this exercise, you should have successfully created and tested a user account created from a
template.
3. In the User Account Control dialog box, in the User name box, type Holly. In the Password box,
type Pa$$w0rd, and then click Yes.
8. In the details pane, right-click LON-CL1, and then click Reset Account.
10. In the Active Directory Domain Services dialog box, click OK.
3. A message is displayed that explains that The trust relationship between this workstation and the
primary domain failed.
4. Click OK.
2. On the Start screen, right-click the display, click All apps, and in the Apps list, click Control Panel.
4. Click System.
8. On the Select the option that describes your network page, click Next.
10. On the You will need the following information page, click Next.
L3-20 20410A: Installing and Configuring Windows Server® 2012
11. On the Type your user name, password, and domain name for your domain account page, in
the Password box, type Pa$$w0rd. The other fields are completed. Click Next.
12. In the User Account and Domain Information dialog box, click Yes.
13. On the Do you want to enable a domain user account on this computer? page, click Do not add
a domain user account, and then click Next.
16. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer
had been successfully rejoined.
Results: After this exercise, you should have successfully reset the trust relationship.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
2. At the Windows PowerShell® prompt, type the following command, and then press Enter:
New-ADOrganizationalUnit LondonBranch
Set-ADAccountPassword Ty
6. When prompted for the desired password, type Pa$$w0rd, and then press Enter.
7. When prompted to repeat the password, type Pa$$w0rd, and then press Enter.
8. At the Windows PowerShell prompt, type Enable-ADAccount Ty, and then press Enter.
10. Verify that logon is successful and then sign out of LON-CL1.
Get-ADGroupMember LondonBranchUsers
Results: After completing this exercise, you will have created user accounts and groups by using Windows
PowerShell.
L4-22 20410A: Installing and Configuring Windows Server® 2012
2. In the Windows® Explorer window, expand E:, expand Labfiles, and then click Mod04.
4. In Windows PowerShell ISE, read the comments at the top of the script, and then identify the
requirements for the header in the .csv file.
7. In the How do you want to open this type of file (.csv) window, click Notepad.
2. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.
Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in
bulk.
Module 4: Automating Active Directory Domain Services Administration L4-23
2. At the Windows PowerShell Prompt, type the following command, and then press Enter:
3. Verify that only users from the LondonBranch organizational unit are listed.
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
2. In Active Directory Administrative Center, in the Navigation pane, browse to Adatum (local) >
LondonBranch.
3. Click the Type column header to sort based on the object type.
4. Select all user accounts, right-click the user accounts, and then click Properties.
5. In the Multiple Users window, under Organization, select the Address check box.
8. In the Country/Region box, select United Kingdom, and then click OK.
Results: After completing this exercise, you will have modified user accounts in bulk.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
Seven bits are required to support 100 hosts on the client subnet (27-2=126, 26-2=62).
2. How many bits are required to support 10 hosts on the server subnet?
Four bits are required to support 10 hosts on the server subnet (24-2=14,23-2=6).
3. How many bits are required to support 40 hosts on the future expansion subnet?
Six bits are required to support 40 hosts on the future expansion subnet (26-2=62, 25-2=30).
No. If all subnets are the same size, then all subnets must use 7 bits to support 126 hosts. Only a
single class C–sized address with 254 hosts has been allocated. Three subnets of 126 hosts would not
fit.
5. Which feature allows a single network to be divided into subnets of varying sizes?
Variable length subnet masking allows you to define different subnet masks when subnetting.
Therefore, variable length subnet masking allows you to have subnets of varying sizes.
6. How many host bits will you use for each subnet? Use the simplest allocation possible.
The client subnet is 7 host bits. This allows for up to 126 hosts and uses half of the allocated address
pool.
The server and future expansion subnets are 6 host bits. This allows for up to 62 hosts on each subnet
and uses the other half of the address pool.
• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet
mask.
Binary Decimal
11111111.11111111.11111111.10000000 255.255.255.128
L5-26 20410A: Installing and Configuring Windows Server® 2012
2. Given the number of host bits allocated, what is the subnet mask that you will use for the server
subnet?
• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet
mask.
Binary Decimal
11111111.11111111.11111111.11000000 255.255.255.192
3. Given the number of host bits allocated, what is the subnet mask that you will use for the future
expansion subnet?
• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the
subnet mask.
Binary Decimal
11111111.11111111.11111111.11000000 255.255.255.192
4. For the client subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the client subnet is the first subnet allocated from the available address pool.
5. For the server subnet, define the network ID, first available host, last available host, and broadcast
address. Assume that the server subnet is the second subnet allocated from the available address
pool.
6. For the future allocation subnet, define the network ID, first available host, last available host, and
broadcast address. Assume that the future allocation subnet is the third subnet allocated from the
available address pool.
Results: After completing this exercise, you will have identified the subnets required to meet the
requirements of the lab scenario.
2. Type tracert LON-DC1, and then press Enter. Notice that the host is unable to find the default
gateway, and that it is not the default gateway that is responding back.
3. Type ipconfig, and then press Enter. Notice that the default gateway is configured correctly.
4. Type ping 10.10.0.1, and then press Enter. Notice that the default gateway is responding, but that
packets are not being routed there.
5. Type Get-NetRoute, and then press Enter. Notice that the entry for the default gateway (0.0.0.0) is
correct, but there is an unnecessary entry for the 172.16.0.0 network.
6. Type Remove-NetRoute –DestinationPrefix 172.16.0.0/16, and then press Enter. This removes the
unnecessary route to the 172.16.0.0 network. The default gateway will be used for routing instead.
7. Press Y, and then press Enter to confirm removed of the route from active routes.
8. Type ping LON-DC1, and then press Enter. Notice that the ping is now successful.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Results: After completing this lab, you will have resolved an IPv4 connectivity problem.
L6-29
6. On the Select server roles page, select the DHCP Server check box.
7. In the Add Roles and Features Wizard window click Add Features, and then click Next.
11. On the Installation progress page, wait until the following information appears – Installation
succeeded on lon-svr1.adatum.com, and then click Close.
4. In the DHCP console, right-click lon-svr1.adatum.com, and then click Refresh. Notice that the icons
next to IPv4 IPv6 changes color from red to green, which means that DHCP server has been
authorized in Active Directory® Domain Services (AD DS).
5. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click
IPv4, and then click New Scope.
6. In the New Scope Wizard, click Next.
7. On the Scope Name page, in the Name box, type Branch Office, and then click Next.
8. On the IP Address Range page, complete the page using the following information:
o Length: 16
9. On the Add Exclusions and Delay page, complete the page using the following information:
12. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then
click Next.
13. On the Domain Name and DNS Servers page, click Next.
16. On the Completing the New Scope Wizard page, click Finish.
X Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to the LON-CL1 computer.
2. Move the mouse on the lower right corner of the screen, click on Search icon, and then in the Search
box, type Control Panel. Press Enter.
3. In Control Panel, under Network and Internet, click View Network Status and Tasks.
4. In the Network and Sharing Center window, click Change Adapter Settings.
5. In the Network Connections window, right click Local Area Connection, and then click Properties.
6. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Obtain an IP address
automatically radio button, then select Obtain DNS server address automatically radio button,
click OK, and then click Close.
8. Move the mouse on the lower right corner of the screen, click on Search icon, and then in Search
box, type Command Prompt. Press Enter.
9. Type ipconfig /renew, and then press Enter.
10. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by
typing in the command prompt: ipconfig /all.
This command will return information, such as IP address, subnet mask and DHCP enabled status,
which should be Yes.
2. In the command prompt, type ipconfig /all, and then press Enter.
4. Switch to LON-SVR1.
5. In the Server Manager dashboard, click Tools, and then click DHCP.
6. In the DHCP console, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office, right-click
Reservations, and then click New Reservation.
o in the MAC address field, type the physical address you wrote down in step 3
Module 6: Implementing DHCP L6-31
8. Switch to LON-CL1.
9. In a command prompt, type ipconfig /release, and then press Enter. This causes LON-CL1 to release
any currently leased IP addresses.
10. In a command prompt, type ipconfig /renew, and then press Enter. This causes LON-CL1 to lease
any reserved IP addresses.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing these tasks, you will have implemented DHCP, configured DHCP scope and
options, and configured a DHCP reservation
2. In Server Manager, click on Tools, and then click Routing and Remote Access.
3. In the navigation pane, expand LON-RTR (local), expand IPv4, right-click General, and then click
New Routing Protocol.
4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.
2. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then
click OK.
3. In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.
5. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click
Add, and then click OK.
Note: In order to test how a client receives an IP address from DHCP Relay in another
subnet, we need to create another DHCP scope.
L6-32 20410A: Installing and Configuring Windows Server® 2012
1. Switch to LON-SVR1.
2. In the Server Manager Dashboard, click Tools, and then click DHCP.
4. In the DHCP console, in the navigation pane, click lon-svr1.consoto.com, expand IPv4, right-click
IPv4, and then click New Scope.
5. In the New Scope Wizard, click Next.
6. On the Scope Name page, in the Name box, type Branch Office 2, and then click Next.
7. On the IP Address Range page, complete the page using the following information, and then click
Next:
o Length: 16
8. On the Add Exclusions and Delay page, complete the page using the following information, click
Add, and then click Next:
11. On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then
click Next.
12. On the Domain Name and DNS Servers page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
18. Under Network and Internet, click View network status and tasks.
19. In the Network and Sharing Center window, click Change Adapter Settings, right-click Local Area
Connection, and then click Properties.
20. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4) and
then click Properties.
21. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click on Obtain IP address
automatically, then click on Obtain DNS server address automatically, click OK and then click
Close.
22. Navigate to the lower right corner, choose search from the right menu and then type cmd and press
Enter to start Command Prompt.
24. Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope
Branch Office 2 installed on LON-SVR1.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing these tasks, you will have implemented DHCP relay agent.
L7-35
5. On the Select destination server page, make sure that LON-SVR1.Adatum.com is selected, and
then click Next.
6. On the Select server roles page, select Active Directory Domain Services.
7. When Add Roles and Features Wizard window displays, click Add Features, and then click Next.
12. In the Server Manager console, on the navigation page, click AD DS.
13. At the title bar where Configuration required for Active Directory Domain Services at LON-SVR1
displays, click More.
14. On the All Server Task Details and Notifications page, click Promote this server to a domain
controller.
15. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration
page, ensure that Add a domain controller to an existing domain is selected, and then click Next.
16. On the Domain Controller Options page, clear the Domain Name System (DNS) server check box,
and leave only Global Catalog (GC) selected. Type Pa$$w0rd in both text fields, and then click
Next.
X Task 2: Review configuration settings on the existing DNS server to confirm root
hints
1. Log on to LON-DC1 as Adatum\Administrator using the password Pa$$w0rd.
3. Click DNS.
4. In the DNS Manager console, click and then right-click LON-DC1, and then select Properties.
5. Click the Root hints tab. Ensure that root hints servers display.
6. Click the Forwarders tab. Ensure that the list displays no entries, and that the Use root hints if no
forwarders are available option is selected.
7. Click Cancel.
X Task 3: Add the DNS server role for the branch office on the domain controller
1. On LON-SVR1, in the Server Manager console, click Add roles and features.
4. On the Select destination server page, ensure that LON-SVR1.Adatum.com is selected, and then
click Next.
5. On the Select server roles page, select DNS Server.
6. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
10. On the Installation progress page, when the message Installation succeeded displays, click Close.
2. Select DNS.
3. In the DNS Manager console, expand LON-SVR1, and then expand Forward Lookup Zones. This
container will most likely be empty.
4. Switch back to Server Manager, click Tools, and then select Active Directory Sites and Services.
5. In the Active Directory Sites and Services console, expand Sites, expand Default-First-Site-Name,
expand Servers, expand LON-DC1, and then click NTDS Settings.
6. In the right pane, right-click the LON-SVR1 replication connection, and select Replicate Now.
Note: If you receive an error message, proceed to the next step and then retry this step
after 3-4 minutes.
7. In the navigation pane, expand LON-SVR1, and then click NTDS Settings.
Module 7: Implementing DNS L7-37
8. In the right pane, right-click the LON-DC1 replication connection, and then select Replicate Now.
Click OK.
9. Switch back to the DNS Manager console, right-click Forward Lookup Zones, and then select
Refresh.
10. Ensure that both the _msdcs.Adatum.com and Adatum.com containers display.
9. Click the File menu, and then click Run new task.
10. In the Create new task window, type cmd, and then press Enter.
11. In the command prompt window, type nslookup, and press Enter.
12. At the nslookup prompt, type www.nwtraders.msft, and then press Enter. You will not receive any
reply, because that zone does not exist on the DNS server on LON-SVR1.
13. In the command prompt window type quit, and press Enter.
2. In the DNS Manager console, right-click LON-SVR1, and then click Properties.
4. In the Edit Forwarders window, type 172.16.0.10, and then click OK two times.
2. In the command prompt window, type nslookup, and then press Enter.
Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
L7-38 20410A: Installing and Configuring Windows Server® 2012
7. Delete the IP address for preferred DNS server. In the preferred DNS server box, type 172.16.0.21,
click OK, and then click Close.
X Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click on
Adatum.com.
a. Name: www
b. IP address: 172.16.0.100
o Name: ftp
o IP address: 172.16.0.200
2. In the DNS Manager console, expand LON-SVR1, expand Forward Lookup Zones, and then click
Adatum.com.
3. Ensure that both www and ftp resource records display. (If they do not display, right-click
Adatum.com, and then select Refresh). It may take a couple of minutes for the records to appear.
X Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.
4. In the Create new task window, type cmd, and then press Enter.
5. In the Command prompt window, type ping www.adatum.com, and then press Enter.
6. Make sure that name resolves to 172.16.0.100. ( You will not receive replies.)
8. Ensure that name resolves to 172.16.0.200 (You will not receive replies.)
Results: After completing this exercise, you will have configured DNS records.
5. In the command prompt window, type ping www.nwtraders.msft, and then press Enter.
6. Ping will not work, but ensure that the name resolves to an IP address.
7. Leave the command prompt window open.
X Task 2: Update Internet record to point to the LON-DC1 IP address, retry the
location using ping
1. On LON-DC1, open DNS Manager.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click
nwtraders.msft.
6. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. Ping will
not work, and the old IP address will still be displayed in command prompt window.
2. Select LON-SVR1, click the View menu, and then select Advanced.
3. Expand LON-SVR1, expand the Cached Lookups node, expand .(root), expand msft, and then click
nwtraders.
5. Switch to LON-CL1.
6. In the command prompt window, type ipconfig /displaydns, and then press Enter.
2. Switch to LON-CL1.
L7-40 20410A: Installing and Configuring Windows Server® 2012
3. In a command prompt window, at a command prompt, type ping www.nwtraders.msft, and then
press Enter. The return will still be the old IP address.
4. In a command prompt window, type ipconfig /flushdns, and then press Enter.
5. In the command prompt window, type ping www.nwtraders.msft, and press Enter.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing this exercise, you will have DNS Server cache examined.
L8-41
2. At the Windows PowerShell prompt, type ping lon-dc1, and then press Enter. Notice that there are
four replies from 172.16.0.10.
2. In the Properties window, beside Local Area Connection, click 172.16.0.10, IPv6 enabled.
3. In the Network Connections window, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties window, clear the Internet Protocol Version 6 (TCP/IPv6)
check box, and then click OK.
6. In Server Manager, verify that Local Area Connection lists only 172.16.0.10. You may need to
refresh the view.
3. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
4. In the Local Area Connection 2 Properties window, clear the Internet Protocol Version 4 (TCP/IPv4)
check box, and then click OK.
6. In Server Manager, verify that Local Area Connection now lists only IPv6 enabled. You may need to
refresh the view.
2. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
3. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
4. Type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on
the 2001:db8:0:1::/64 network.
Results: After completing the exercise, students will have configured an IPv6–only network.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Record the InterfaceIndex of isatap interface that has an IPv6 address that includes 172.16.0.1.
Interface index:
5. Verify that Forwarding is enabled for the interface and that Advertising is disabled.
X Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, at the Windows PowerShell prompt, type regedit, and then press Enter.
3. In the Edit Multi-String window, delete isatap, and then click OK.
4. If an error appears indicating that there was an empty string, click OK to continue.
7. Type ping isatap, and then press Enter. The name should resolve and you should receive four request
timed out messages from 172.16.0.1.
ping 2001:db8:0:2:0:5efe:172.16.0.10
3. In the Properties window, next to Local Area Connection 2, click IPv6 enabled.
4. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
5. In the Local Area Connection 2 Properties window, click Internet Protocol Version 6 (TCP/IPv6),
and then click Properties.
6. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click Use the following DNS server
addresses.
7. In the Preferred DNS server box, type 2001:db8:0:2:0:5efe:172.16.0.10, and then click OK.
8. In the Local Area Connection 2 Properties window, click Close.
10. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that four
replies are received from LON-DC1.
L8-44 20410A: Installing and Configuring Windows Server® 2012
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to
allow communication between an IPv6–only network and an IPv4–only network.
L9-45
2. In Server Manager, click the Tools menu, in the Tools drop-down list, click Computer Management.
3. In the Computer Management console, under the Storage node, click Disk Management.
4. In the Disks pane, right-click Disk2, and then from drop-down list, click Online.
6. In the Initialize Disk dialog box, select the Disk 2 check box, ensure that all other Disk check boxes
are cleared, click GPT (GUID Partition Table), and then click OK.
2. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click
Next.
3. On the Specify Volume Size page, in the Simple volume size MB field, type 4000, and then click
Next.
4. On Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box
is selected, and that F is selected in from the drop-down menu, and then click Next.
5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume
label text box, type Volume1, and then click Next.
7. in the Disk Management window, right-click the black marked box right of Disk 2, and then click New
Simple Volume.
8. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click
Next.
9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click
Next.
10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check
box is selected, and that G is selected in from the drop-down list, and then click Next.
11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume
label text box, type Volume2, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
2. In Windows Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click
Folder.
L9-46 20410A: Installing and Configuring Windows Server® 2012
3. In the New folder field, type Folder1, and then press Enter.
Results: After you complete this lab, you should have initialized a new disk, created two simple volumes,
and formatted them. You should also have verified that the drive letters are available in Windows
Explorer.
3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and
then click Shrink.
2. In Extend Volume Wizard, on the Welcome to the Extended Volume Wizard page, click Next.
3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click
Next.
Results: After this lab, you should have made one volume smaller, and extended another.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New
Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
and then click Next.
6. On the Select physical disks for the storage pool page, click the following Physical disks, and then
click Next:
o PhysicalDisk3
o PhysicalDisk4
o PhysicalDisk5
Module 9: Implementing Local Storage L9-47
o PhysicalDisk6
o PhysicalDisk7
8. On the View results page, wait until the creation completes, then click Close.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New
Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click
Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click
Next.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and
then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, ensure that H is selected in the Drive letter drop-
down menu, and then click Next.
16. On the Select file system settings page, in the File system drop-down menu, select ReFS, in the
Volume label box, type Mirrored Volume, and then click Next.
18. On the Completion page, wait until the creation completes, and then click Close.
X Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. Click to the Start screen, type command prompt, and then press Enter.
2. In the command prompt window, type the following command, and then press Enter:
4. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored
Volume (H:).
2. In Settings for 20410A-LON-SVR1, in the Hardware pane, click Hard Drive 20410A-LON-SVR1-
Disk5.vhdx.
3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.
2. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored
Volume (H:).
5. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button. Notice the warning that displays next to Mirrored Disk.
6. In the VIRTUAL DISK pane, right-click Mirrored Disk, and then click Properties.
7. In the Mirrored Disk Properties window, in the left pane, click Health.
Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete
or Degraded.
8. Click OK to close the Mirrored Disk Properties window.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage
Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK..
Results: After completing this lab, you should have created a storage pool and added five disks to it. Then
you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You
should have also copied a file to the new volume and verified that it is accessible. Next, you should have
verified that the virtual disk was still available and could be accessed after removing a physical drive.
Finally, you should have added another physical disk to the storage pool.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In a Windows® Explorer window, in the navigation pane, expand Computer, and then click Allfiles
(E:).
4. On the menu toolbar, click Home, click New folder, type Data, and then press Enter.
6. On the menu toolbar, click Home, click New folder, type Development, and then press Enter.
o Research
o Sales
2. In the Data Properties window, click Security, and then click Advanced.
3. In the Advanced Security Settings for Data window, click Disable Inheritance.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on
this object.
9. In the Development Properties window, click Security, and then click Advanced.
10. In the Advanced Security Settings for Development window, click Disable Inheritance.
11. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on
this object.
12. Remove the two permissions entries for Users (LON-SVR1\Users), and then click OK.
15. Type Development, click Check names, and then click OK.
16. Select the check box for Allow Modify in the Permissions for Development section.
19. Repeat steps 8 through 18 for the Marketing, Research, and Sales folders, assigning Modify
permissions to the Marketing, Research, and Sales groups for their respective folders.
2. On the Data Properties window, click the Sharing tab, and then click Advanced Sharing.
3. In the Advanced Sharing Window, select the Share this folder check box, and then click
Permissions.
6. In the Permissions for Data window, click Authenticated Users, and then select the Allow checkbox
for the Change permission.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.
6. Attempt to access the Marketing, Research, and Sales folders. NTFS permissions on these folders will
prevent you from doing this.
Note: Bernard can still see the other folders, even though he does not have access to
their contents.
3. In Server Manager, in the navigation pane, click File and Storage Services.
4. On the File and Storage Services page, in the navigation pane, click Shares.
Module 10: Implementing File and Print Services L10-51
6. Click Settings, and then select the Enable access-based enumeration check box.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.
Note: Bernard can now view only the Development folder, the folder for which he has
been assigned permissions.
3. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
4. On the Data Properties window, click the Sharing tab, click Advanced Sharing, and then click
Caching.
5. In the Offline Settings window, select No files or programs from the shared folder are available
offline, and then click OK.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
4. In the Shadow Copies window, click the E:\ drive, and then click Enable.
8. In the E:\ window, change Schedule Task to Daily, change Start time to 12:00 AM, and then click
Advanced.
9. In the Advanced Schedule Options window, select Repeat task, and then set the frequency to every
1 hours.
2. On the menu toolbar, click Home, click New item, and then click Text Document.
5. Click the most recent folder version for Development , and then click Open.
6. Confirm that the Report .txt is in the folder, right-click Report.txt, and then click Copy.
8. In the other Windows Explorer window, right-click on the Development folder, and then click Paste.
9. Close Windows Explorer.
2. In Server Manager, on the menu toolbar, click Manage, and then click Add Roles and Features.
3. Click Next, select Role-based or feature-based Installation, and then select Next again.
4. On the Select destination server page, select the server on which you want to install the Print and
Document Services. The default server is the local server. Click Next.
5. On the Select Server Roles page, select the Print and Document Services check box. In the Add
Roles and Features Wizard window, click Add Features, and then click Next in the Select server roles
window
6. On the Select Features page, click Next.
7. On the Print and Document Services page, review the Notes for the administrator, and then click
Next.
Module 10: Implementing File and Print Services L10-53
8. On the Select Role Services page, click Next until the Confirm Installation Selections page
displays. Click Install to install the required role services.
9. Click Close.
2. Expand Printer Servers, expand LON-SVR1, right-click Printers, and then click Add Printer.
3. Click Add a TCP/IP or Web Services Printer by IP address or hostname, and then click Next.
5. In the Host name box, type 172.16.0.200 clear the Auto detect printer driver to use check box,
and then click Next.
6. Under Device Type, click Generic Network Card, and then click Next.
8. Click Microsoft as the Manufacturer, under Printers, click Microsoft XPS Class Driver, and then
click Next.
9. Change the Printer Name to Branch Office Printer, and then click Next.
10. Click Next two times to accept the default printer name and share name, and to install the printer.
12. In the Print Management console, right-click the Branch Office Printer, and then click Enable
Branch Office Direct Printing.
13. In the Print Management console, right-click the Branch Office Printer, and then select Properties.
14. Click the Sharing tab, select the List in the directory check box, and then click OK.
2. In the Printer Ports window, select Standard TCP/IP Port, and then click New Port.
4. In the Printer Name or IP Address field, type 172.16.0.201, and then click Next.
6. Click Finish to close the Add Standard TCP/IP Printer Port Wizard.
8. In the Print Management console, click Printers, right-click Branch Office Printer, and then click
Properties.
9. On the Branch Office Printer Properties page, click the Ports tab, select the Enable printer
pooling check box, and then click the 172.16.0.201 port to select it as the second port.
4. In the Add a device window, click on Branch Office Printer on LON-SVR1. Click Next. The device
installs automatically.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console (GPMC), expand Forest: Adatum.com, expand Domains,
expand Adatum.com and then expand the Group Policy Objects folder.
6. Point your mouse over the Administrative Templates folder, and note that the location is
Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.
3. In the details pane, right-click on a blank area, click New, and then click Folder.
4. Name the folder PolicyDefinitions.
2. Select the entire contents of the PolicyDefinitions folder. (Hint: click in the details pane, and then
use the Ctrl+A keys to select all of the content.)
4. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com,
Browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies and open the PolicyDefinitions
folder.
2. Expand Polices, point your mouse over the Administrative Templates folder, and view the local
information text. Note that it now says Administrative Templates: Policy definitions (ADMX files)
retrieved from the Central Store.
Results: After completing this exercise, you will have configured a Central Store
L11-56 20410A: Installing and Configuring Windows Server® 2012
2. In the New Starter GPO dialog box, in the Name field, type Internet Explorer Restrictions, and in
the Comment field, type This GPO disables the General page in Internet Options, and then click
OK.
2. Expand User Configuration, Administrative Templates, and then click All Settings.
4. In the Filter Options dialog box, select the Enable Keyword Filters check box.
5. In the Filter for word(s): field, type General page.
7. Double-click the Disable the General page setting, click Enabled, and then click OK.
X Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet
Explorer Restrictions starter GPO
1. In the GPMC, right-click the Adatum.com domain, and then click Create a GPO in this domain, and
link it here.
2. In the New GPO dialog box, in the Name field, type IE Restrictions.
3. Under Source Starter GPO, click the drop down box, select Internet Explorer Restrictions, and then
click OK.
2. Move your mouse to the bottom, right of the desktop and in the flyout, click the Search charm.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears
informing you that this feature has been disabled.
8. Click Internet Options. Notice that in the Internet Properties dialog box the General page does
not appear.
X Task 5: Use security filtering to exempt the IT Department from the Internet Explorer
Restrictions policy
1. Switch to LON-DC1.
2. In the GPMC expand the Group Policy Objects folder, and then in the left pane, click the IE
Restrictions policy.
6. In the Select Users, Computers, Service Accounts, or Groups field, type IT, and then click OK.
7. In the IE Restrictions Security Settings dialog box, click the IT (Adatum\IT) group, next to the
Apply group policy permission, select the Deny check box, and then click OK.
6. In the Network and Internet dialog box, click Change your homepage. The Internet Properties
dialog opens to the General page, and all settings are available.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears
informing you that this feature has been disabled.
8. Click Internet Options. In the Internet Properties dialog box, notice that the General page does
not display.
Results: After completing this lab, you will have created a GPO.
L11-58 20410A: Installing and Configuring Windows Server® 2012
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click
Adatum.com, click New, and then click Organizational Unit.
3. In the New Object - Organizational Unit window, type Member Servers OU, and then click OK.
4. In the Active Directory Users and Computers console, in the navigation pane, click Computers
container.
5. Press and hold the Ctrl key. In the details pane, click LON-SVR1 and LON-SVR2, right-click the
selection and then click Move.
6. In the Move window, click Member Servers OU, and then click OK.
3. In the New Object – Group window, in the Group Name field, type Server Administrators, and then
click OK.
X Task 3: Create a Member Server Security Settings GPO and link it to the Member
Servers OU
1. On LON-DC1, in the Server Manager window, click Tools, and then click Group Policy
Management.
2. In the Group Policy Management window, expand Forests: Adatum.com, expand Domains, expand
Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Member Server Security Settings, and then click
OK.
4. In the Group Policy Management Console window, right-click Member Servers OU, and then click
Link an Existing GPO.
5. In the Select GPO window, in Group Policy Objects window, click Member Server Security Settings,
and then click OK.
L12-60 20410A: Installing and Configuring Windows Server® 2012
2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click Restricted Groups.
4. In the Add Group dialog box, in the Group name field, type Administrators, and then click OK.
5. In the Administrators Properties dialog box, next to Members of this group, click Add.
6. In the Add Member dialog box, type Adatum\Server Administrators, and then click OK.
7. Next to Members of this group, click Add.
8. In the Add Member dialog box, type Adatum\Domain Admins, and then click OK twice.
X Task 5: Verify that Computer Administrators has been added to the local
Administrators group
1. Switch to LON-SVR1.
gpupdate/force
5. In the Server Manager window, click Tools, and then click Computer Management.
6. In the Computer Management console, expand Local Users and Groups, click Groups, and then in
the right pane, double-click Administrators.
7. Confirm that the Administrators group contains both ADATUM\Domain Admins and
ADATUM\Server Administrators as members. Click Cancel.
X Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to
remove users from Allow log on locally
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click User
Rights Assignment.
5. In the right pane, right-click Allow log on locally, and then click Properties.
6. In the Allow log on locally Properties window, select the Define these policy settings check box, and
then click Add User or Group.
Module 12: Securing Windows Servers Using Group Policy Objects L12-61
7. In the Add User or Group window, type Domain Admins, and then click OK.
9. In the Add User or Group window, type Administrators, and then click OK twice.
X Task 7: Modify the Member Server Security Settings GPO to enable User Account
Control: Admin Approval Mode for the Build-in Administrator Account
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.
2. In the right pane, right-click Member Server Security Settings, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click
Security Options.
4. In the right pane, right-click User Account Control: Admin Approval Mode for the Built-in
Administrator account, and then click Properties.
5. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties
window, select the Define this policy settings check box, ensure that Enabled radio button is
selected, and then click OK.
gpupdate/force
5. Verify that you cannot log on to LON-SVR1, and that a logon error message displays.
Results: After completing this exercise, you should have used Group Policy to secure Member servers.
2. On LON-DC1, in the Group Policy Management console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and
then in the right pane, right-click Audit object access, and then click Properties.
L12-62 20410A: Installing and Configuring Windows Server® 2012
5. In the Audit object access Properties window, select the Define these policy settings check box,
select both the Success and Failure check boxes, and then click OK.
2. In the Computer window, double-click Local Disk (C) click Home, click New folder, and then type
HR.
3. In the Computer window, right-click the HR folder, click Share with, and then click Specific people.
2. In the HR Properties window, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for HR window, click the Auditing tab, and then click Add.
5. In the Select User, Computer, Service Account or Group window, in the Enter the object name to
select field, type Domain Users, and then click OK.
6. In the Auditing Entry for HR window, from the Type drop-down menu, select All.
7. In the Auditing Entry for HR window, under Permission list, select the Write check box, and then
click OK three times.
8. Switch to the Start screen, type cmd, and then press Enter.
gpupdate /force
gpupdate /force
6. Log off LON-CL1, and then log on again as Adatum\Adam with a password of Pa$$w0rd.
8. In HR window, click Home, click New item, click Text Document, in the file name field, type
Employees, and then press Enter.
X Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1.
2. In the Server Manager window, click Tools, and then click Event Viewer.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
Results: After completing this exercise, you should have enabled file system access auditing.
2. In the right pane, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit
Policy. In the right pane, right-click Audit account logon events, and then click Properties.
4. In Audit account logon events Properties window, select the Define these policy settings check box,
select both the Success and Failure check boxes, and then click OK.
gpupdate/force
Note: This password is intentionally incorrect to generate a security log which shows that
that an unsuccessful login attempt has been made.
L12-64 20410A: Installing and Configuring Windows Server® 2012
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for following message: “Logon failure. A logon attempt was made with an
unknown user name or a known user name with a bad password.”
Note: This password is correct, and you should be able to log on successfully as Adam.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
4. Review the event logs for the following message: “A user successfully logged on to a computer.”
Results: After completing this exercise, you should have enabled domain logon auditing.
Module 12: Securing Windows Servers Using Group Policy Objects L12-65
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click
Adatum.com, click New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, type Client Computers OU, and then click OK.
3. In the Move window, click Client Computers OU, and then click OK.
X Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console window, expand Forests: Adatum.com, expand Domains,
expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In New GPO window, in the Name: text box, type Software Control GPO, and then click OK.
4. In the right pane, right-click Software Control GPO, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Application Control Policies, and
then expand AppLocker.
6. Under AppLocker, right-click Executable Rules, and then click Create Default Rules.
7. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules.
8. In the navigation pane, click AppLocker, and then in the right pane, click Configure rule
enforcement.
9. In the AppLocker Properties window, under Executable rules, select the Configured check box, and
then from the drop-down menu, select Audit only.
10. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and
then click OK.
11. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, and then expand Security Settings, click System Services and then double-click
Application Identity.
12. In the Application Identity Properties dialog box, select the Define this policy setting and under
Select service startup mode, select Automatic, and then click OK.
14. In the Group Policy Management Console, right-click Member Servers OU, and then click Link an
Existing GPO.
15. In the Select GPO window, in Group Policy Objects list, click Software Control GPO, and then click
OK.
2. Move the mouse pointer in the lower right corner, and then click Search.
gpupdate/force
6. Move the mouse pointer in the lower right corner, click Settings, click Power, and then click Restart.
C:\CustomApp\app1.bat
2. In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand
Windows, and then expand AppLocker.
3. Click MSI and Scripts, and review the event logs for App1.bat.
2. In the Group Policy Management window, in the Group Policy Objects node, edit the Software
Control GPO.
3. In the console tree, double-click Application Control Policies, double-click AppLocker, right-click
Script rules, and then click Create New Rule.
5. On the Permissions page, select the Allow radio button, and then click Next.
6. On the Conditions page, click Path radio button, and then click Next.
7. On Path page, in the Path field, type the following path: %OSDRIVE%\CustomApp\app1.bat to
enter the targeted folder for the applications, and then click Next.
8. On Exception page, click Next, on the Name and Description page, in the Name field, type
Custom App Rule, and then click Create.
Module 12: Securing Windows Servers Using Group Policy Objects L12-67
2. In AppLocker Properties window, under Executable rules, select the Configured check box, and then
from drop-down menu, select Enforce rules.
3. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and
then click OK.
2. Move the mouse pointer in the lower right corner, and then click Search.
gpupdate/force
6. Point the mouse pointer over the lower-right corner, click Settings, click Power, and then click
Restart.
7. Log on to LON-SVR1 as Adatum\Tony with a password of Pa$$w0rd.
X Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, on the taskbar, click on Windows Explorer, and then in navigation pane click on
Computer. In the Computer window, double-click Local Disk (C:), double-click the CustomApp
folder, right-click app1.bat, and then click Copy.
2. In CustomApp window, on the navigation pane, right-click the Documents folder, and then click
Paste.
4. Verify that application cannot be run from Documents folder, and that the following message
displays: “This program is blocked by Group Policy. For more information, contact your system
administrator.”
Results: After completing this exercise, you will have configured AppLocker policies for all users whose
computer accounts are located in the Client Computers OU organizational unit. The policies you
configured should allow these users to run applications that are located in the folders C:\Windows and
C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.
L12-68 20410A: Installing and Configuring Windows Server® 2012
2. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member
Servers OU, click New, and then click Group.
4. In the New Object – Group window, in the Group Name field, type Application Servers, and then
click OK.
2. In the Application Server Properties window, click Members tab, and then click Add.
3. In Select Users, Computers, Service Accounts or Groups, click Object Types, click Computers, and
then click OK.
4. In Enter the object names to select, type LON-SVR1, and then click OK.
2. In the Group Policy Management Console, expand Forests: Adatum.com, expand Domains, expand
Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Application Servers GPO, and then click OK.
4. In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit.
5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security,
and then click Windows Firewall with Advanced Security - LDAP://CN={GUID}.
8. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.
11. In the Local port list, click Specific Ports, in the text box, type 8080, and then click Next.
14. On the Profile page, clear the Private and Public check boxes, and then click Next.
15. On the Name page, in the Name box, type Application Server Department Firewall Rule, and then
click Finish.
2. In the Select GPO window, in Group Policy objects list, click Application Servers GPO, and then
click OK.
X Task 5: Use security filtering to limit the Application Server GPO to members of
Application Server group
1. On LON-DC1, in the Group Policy Management Console, click Member Servers OU.
2. Expand the Member Servers OU, and then click the Application Servers GPO link.
4. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.
7. In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK.
2. Move the mouse pointer in the lower right corner, and then click Search.
4. In the command prompt window, type following command, and then press Enter:
gpupdate/force
6. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of
Pa$$w0rd.
2. In Server Manager, click Tools, and then click Windows Firewall with Advanced Security.
3. In the Windows Firewall with Advanced Security window, click Inbound rules.
4. In the right pane, verify that Application Server Department Firewall Rule that you created earlier
using Group Policy is configured.
5. Verify that you cannot edit the Application Server Department Firewall Rule, because it is
configured through Group Policy.
L12-70 20410A: Installing and Configuring Windows Server® 2012
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall
with Advanced Security to create rules to allow inbound network communication through TCP port 8080.
L13-71
2. Log onto LON-HOST1 with the Administrator account and the password Pa$$w0rd.
4. In the Properties pane, click the IPv4 address assigned by DHCP link.
5. In the Network Connections dialog box, right-click the network object and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click
Properties.
7. On the General tab, click Use the following IP address and configure the following:
o IP Address: 172.16.0.31
8. On the General tab, click Use the following DNS server addresses and then configure the
following:
o Preferred DNS server: 172.16.0.10
12. In the Server Manager console, from the Manage menu, click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
15. On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next.
17. In the Add Roles and Features Wizard dialog box, click Add Features.
21. On the Virtual Switches page, verify that no selections have been made, and then click Next.
22. On the Virtual Machine Migration page, click Next.
L13-72 20410A: Installing and Configuring Windows Server® 2012
23. On the Default Stores page, review the location of the Default Stores, and then click Next.
24. On the Confirm installation selections page, select Restart the destination server automatically
if required.
25. In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then
click Yes.
27. After a few minutes, the server will restart automatically. Ensure that you restart the machine from the
boot menu as 20410A-LON-HOST1. The computer will restart several times.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and
Features Wizard.
3. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.
5. In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V
Settings.
6. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Keyboard item. Verify that the
Keyboard is set to the Use on the virtual machine option.
7. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Virtual Hard Disks item. Verify
that the location of the default folder to store Virtual Hard Disk files is
C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK.
Results: After this exercise, you should have deployed the Hyper-V role to a physical server.
3. In the Virtual Switch Manager for LON-HOST1 dialog box, select New virtual network switch.
Ensure that External is selected, and then click Create Virtual Switch.
4. In the Virtual Switch Properties area, enter the following information, and then click OK:
o External Network: Mapped to the host computer's physical network adapter. (This will vary
depending on the host computer.)
5. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
4. Under Create virtual switch, select Private, and then click Create Virtual Switch.
5. In the Virtual Switch Properties section of the Virtual Switch Manager dialog box, configure the
following settings, and then click OK:
5. In the Virtual Switch Properties section, configure the following settings, and then click OK:
4. On MAC Address Range settings, configure the following values, and then click OK:
o Minimum: 00-15-5D-0F-AB-A0
o Maximum: 00-15-5D-0F-AB-EF
Results: After this exercise, you should have configured virtual switch options on a physically deployed
Windows Server 2012 server running the Hyper-V role.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click
each folder and rename each folders to each name listed below:
o LON-GUEST1
o LON-GUEST2
6. In the Server Manager console, click the Tools menu and click Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
o Name: LON-GUEST1.vhd
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2 and then press Enter:
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base
\Base12A-WS2012-RC.vhd as a parent, and then click Close.
2. In the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.
3. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Specify Name and Location page, select Store the virtual machine in a different location,
enter the following values, and then click Next:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
5. On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this
virtual machine option, and then click Next.
6. On the Configure Networking page, for the connection, choose Private Network, and then click
Next.
Module 13: Implementing Server Virtualization with Hyper-V L13-75
7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open and then click Finish.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
10. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
14. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set
the Automatic Start Action to Nothing.
15. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set
the Automatic Stop Action to Shut down the guest operating system.
16. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box.
2. At the Windows PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
3. At the Windows PowerShell prompt, enter the following commands to enable resource metering on
the virtual machines:
Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2
Results: After this exercise, you should have deployed two separate virtual machines using a sysprepped
virtual hard disk file as a parent disk for two differencing disks.
5. On the Settings page, select the I accept the license terms for using Windows check box, and
then click Accept.
6. On the Settings page, click Next to accept the Region and Language settings.
7. On the Settings page, enter the password Pa$$w0rd twice, and then click Finish.
8. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu,
click Ctrl+Alt+Delete. Log on to the virtual machine using the account Administrator and the
password Pa$$w0rd.
9. On the virtual machine, in the Server Manager console click Local Server, and then click the
randomly assigned name next to the computer name.
10. In the System Properties dialog box, on the Computer Name tab, click Change.
11. Set the Computer Name to LON-GUEST1, and then click OK.
12. In the Computer Name/Domain Changes dialog box, click OK.
2. In the Server Manager console, click the Local Server node, and verify that the name of the computer
is set to LON-GUEST1.
3. In the Virtual Machine Connection window, from the Action menu, click Snapshot.
4. In the Snapshot Name dialog box, enter the name Before Change, and then click Yes.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. Set the Computer Name to LON-Computer1, and then click OK.
7. Log back on to the LON-GUEST1 virtual machine using the Administrator account and the
password Pa$$w0rd.
8. In the Server Manager console, click Local Server, and verify that the server name is set to
LON-Computer1.
3. In the Server Manager console, in the Local Server node in the Virtual Machines list, verify that the
Computer Name is set to LON-GUEST1.
Module 13: Implementing Server Virtualization with Hyper-V L13-77
2. At the Windows PowerShell command-line prompt, enter the following command to import the
Hyper-V module:
Import-Module Hyper-V
3. At the Windows PowerShell command-line prompt, enter the following command to retrieve
resource metering information:
Measure-VM LON-GUEST1
4. Note the average CPU, average random access memory (RAM), and total disk usage figures.
Shutdown /r /t 5
Results: After this exercise, you should have used virtual machine snapshots to recover from a virtual
machine misconfiguration.