Exam Prep
70-411 Administering Windows Server 2012
Brian Svidergol
What we’ll cover today
Microsoft Certification Overview
Study for Success
Microsoft Certification Overview
Microsoft Certifications
Solution/cloud focus
Master: Microsoft Certified Solutions Master (MCSM)
Expert: Microsoft Certified Solutions Expert (MCSE)
Associate: Microsoft Certified Solutions Associate (MCSA)
MCSE and MCSD certifications
MCITP: Enterprise Messaging Administrator 2010
MCITP: Lync Server Administrator 2010
MCITP: SharePoint Administrator 2010
MCITP: Enterprise Desktop Administrator on Windows 7
70-417 Upgrading Your Skills to MCSA Windows Server 2012
Extending Matching
Two Part Analysis items
Choose All That Apply
Code Review
Case Studies
Multi-source Reasoning
Graphics Interpretation
Active Screen
Drag & Drop
Build Lists
Best Answer
Be sure to view the exam item type demo before you take your first exam!
The Objectives
Objective Weight
Deploy, Manage, and Maintain Servers 17%
Configure File and Print Services 15%
Configure Network Services and Access 17%
Configure a Network Policy Server Infrastructure 14%
Configure and Manage Active Directory 19%
Configure and Manage Group Policy 18%
Deploy, Manage, and Maintain Servers
Deploy and manage server images
Implement patch management
Monitor servers
Deploy and Manage Server Images (1/2)
Install the Windows Deployment Services (WDS) role
Prerequisites: AD DS/DHCP/DNS/NTFS, member of Administrators
Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools
(Servermanagercmd.exe deprecated)
Monitor VMs
Prerequisites: Windows Server 2012 Failover Cluster, Windows Server 2012 VMs, FW rule for VM
Monitoring, enabled for monitoring
Monitor services, restart service upon failure, reboot and/or move VM thereafter, automate,
manual, or integrate with System Center
Monitor Servers (2/2)
Monitor Events
Centralize event log data to a single collector server (default protocol HTTP over port 5985)
Use winrm quickconfig on source and wecutil qc on collector
Works in non-domain environment but need to set TrustedHosts for WinRM
Configure Quotas
Configure quotas on specific folder or on a path (which handles newly created folders)
Hard (users cannot exceed) or soft (users can exceed, used for monitoring)
Built-in templates which can be used to create a quota or to create a new customized template
When quota threshold met, option to send email, log event, run command, or generate report
Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)
Configure FSRM (2/2)
Configure File Screens
Active screening (cannot save unauthorized files)
Passive screening (can save unauthorized files, used for monitoring)
Built-in templates (block audio/video files, e-mail files, executable files, images, monitor exe/system)
Be wary of deprecated filescrn.exe
Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate
Configure Reports
Run reports on demand – DHTML, HTML, XML, CSV, or text
Built-in reports – duplicate files, file screen audit, files by file group, files by owner, files by property,
folders by property, large files, least recently accessed files, most recently accessed files, quota usage
Set scheduled reports and have reports emailed to admin(s)
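The quota and file screen options above, as an added PowerShell example (not from the original slides) using the FSRM cmdlets that replace dirquota.exe and filescrn.exe. The folder paths, the 5 GB size and the 85% threshold are constructed values; the template and file group names are FSRM built-ins.

```powershell
# Added example; paths, size and threshold are constructed values.
# Requires the File Server Resource Manager role service.
Import-Module FileServerResourceManager

$Projects = 'D:\Shares\Projects'   # constructed path
$Homes    = 'D:\Shares\Home'       # constructed path

# Soft quota (users can exceed it, used for monitoring):
# write a warning event when usage reaches 85% of 5 GB.
$logEvent  = New-FsrmAction -Type Event -EventType Warning `
                            -Body 'Quota threshold reached on a monitored share.'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $logEvent
New-FsrmQuota -Path $Projects -Size 5GB -SoftLimit -Threshold $threshold

# Auto-apply quota on a path: the built-in hard-limit template is applied
# to every existing subfolder and to subfolders created later.
New-FsrmAutoQuota -Path $Homes -Template '100 MB Limit'

# Active screening: saving files from the built-in group is blocked.
New-FsrmFileScreen -Path $Homes -IncludeGroup 'Executable Files' -Active

# Passive screening: -Active is omitted, so matching files can still be
# saved and the screen only supports monitoring.
New-FsrmFileScreen -Path $Projects -IncludeGroup 'Audio and Video Files'

# Confirm which limits are soft and which screens are active.
Get-FsrmQuota      | Select-Object Path, Size, SoftLimit
Get-FsrmAutoQuota  | Select-Object Path, Template
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup
```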
Configure file and disk encryption (1/3)
New Features
BitLocker provisioning (can enable BitLocker prior to deploying Windows 8 via WinPE)
Encrypt only used disk space (faster overall and takes only seconds for Windows 8 deployments)
Change PIN and password by standard users (no longer require admin rights)
Support for encrypted hard drives (encryption offloaded to the hard drive)
You need to deploy DFS to meet the requirements. What should you do?
A. Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone
DFS namespace.
B. Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-
based DFS namespace by deselecting DFS Windows Server 2008 mode.
C. Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
D. Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.
Configure advanced audit policies (1/2)
Implement auditing using Group Policy and
AuditPol.exe
Know difference between basic Audit Policy settings and advanced Audit Policy settings
To manually enable Advanced Audit subcategory auditing (high overhead for widespread use):
auditpol /set /subcategory:"RPC Events" /success:enable
Auditpol has a /backup switch and a /restore switch
Global object access auditing (for file system or registry – automatically applies to all objects)
For Global auditing, watch for situations that don’t also enable Audit File System and Audit
Registry audit policy settings (required)
Advanced Audit Policy settings take precedence over basic Audit Policy settings
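The audit policy points above, as an added PowerShell example (not from the original slides): it backs up the current policy, enables the File System subcategory that global object access auditing depends on, sets a global file SACL, and reads both back. The backup path and the audited principal are constructed values, and the session must be elevated.

```powershell
# Added example; $BackupFile and $Principal are constructed values.
$BackupFile = 'C:\AuditBackup\auditpol-before.csv'
$Principal  = 'Everyone'

function Invoke-AuditPol {
    # Run auditpol.exe and stop on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & auditpol.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol $($Arguments -join ' ') failed: $output"
    }
    $output
}

# 1. Save the current policy first; undo later with:
#    auditpol /restore /file:C:\AuditBackup\auditpol-before.csv
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
Invoke-AuditPol '/backup', "/file:$BackupFile"

# 2. Enable the subcategory that global file auditing requires.
#    Without it the global SACL in step 3 produces no events.
Invoke-AuditPol '/set', '/subcategory:File System',
                '/success:enable', '/failure:enable'

# 3. Global object access auditing: audit write access (FW) by
#    $Principal on every file, without editing per-folder SACLs.
Invoke-AuditPol '/resourceSACL', '/set', '/type:File',
                "/user:$Principal", '/success', '/failure', '/access:FW'

# 4. Read back both settings to confirm they are in place.
$subcategory = Invoke-AuditPol '/get', '/subcategory:File System'
$globalSacl  = Invoke-AuditPol '/resourceSACL', '/type:File', '/view'
$subcategory
$globalSacl

# The text match assumes an English-language system.
if (-not ($subcategory -match 'Success and Failure')) {
    Write-Warning 'File System subcategory is not auditing success and failure.'
}
```

For registry objects the equivalent pair is the Registry subcategory and `/type:Key`.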
Configure advanced audit policies (2/2)
Create expression-based audit policies
Audit anybody not in Payroll that tries to access the sensitive payroll spreadsheets (can be set
directly on a file/folder or in global policy), can be combined with Dynamic Access Control
Configure routing
IPv4 and IPv6 static routes, DHCP relay, need to enable router for protocol
DirectAccess (1/2)
Implement server requirements
No longer require PKI (can use Kerberos proxy over HTTPS instead along with port 443)
New simplified deployment but then won’t get force tunneling, Network Access Protection (NAP)
integration, or two-factor authentication
Can use a single NIC card behind NAT (Windows Server 2012 required)
Remote access servers and all client computers must be domain members
IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)
A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
Configure a Network Policy Server Infrastructure
Configure Network Policy Server (NPS)
Configure NPS policies
Configure Network Access Protection (NAP)
Configure NPS (1/2)
Configure multiple RADIUS server infrastructures
5 parts – access clients (laptops), access servers (VPN/wireless devices), NPS servers (RADIUS
server), NPS proxies (RADIUS proxy, fault tolerance by using two with one being a backup, domain
membership optional, use NETSH to copy config from one proxy to another), user account DBs
(such as AD DS)
Configure certificates
Certificate-based auth - NPS servers need a server certificate
Minimize administrative overhead in large environment – autoenrollment
Configure NPS policies (1/2)
Configure connection request policies
Policies have conditions such as connection type, day/time, network, computer
Useful to authenticate untrusted domain (proxy policy first in the policy order) while still
authenticating locally via NPS (to AD DS)
If no local processing by NPS, then server is a proxy (can forward one place or multiple)
DefaultDCCloneAllowList.XML contains a list of services that are supported for cloning (watch out
for unsupported services such as DHCP)
CustomDCCloneAllowList.xml is for custom services that you are sure about
See http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx
(the entire series is valuable)
Maintain Active Directory (1/2)
Back up Active Directory and SYSVOL
wbadmin start systemstatebackup -backuptarget:e:
(this includes SYSVOL)
Configure Group Policy preferences
Configure Group Policy processing (1/3)
Configure processing order and precedence
LSDOU – remember this!
Link order – 1 is highest (also referred to as the “top of the list”)
Loopback with Merge – ensures that settings from the User Configuration of GPOs that apply to
the computer merge with the settings that are set in User Configuration of GPOs that apply to the
user
Watch for scenarios such as a kiosk or public computer where all users must have the exact same
settings on the computer!
Configure Group Policy processing (3/3)
Configure and manage slow-link processing
Some settings not applied when slow link detected (software installation, folder redirection, etc.)
Default slow link is less than 500Kbps
Computer Configuration\Administrative Templates\System\Group Policy
Related content
Breakout Sessions (WCA-B346 - What's New in Windows Server 2012 Active Directory)
TechNet: Resources for IT Professionals, http://microsoft.com/technet
msdn: Resources for Developers, http://microsoft.com/msdn