
EXM02

Exam Prep
70-411 Administering Windows Server 2012

Brian Svidergol
What we'll cover today
1. Microsoft Certification Overview
2. Study for Success

Microsoft Certification Overview
Microsoft Certifications (solution/cloud focus)
Master: Microsoft Certified Solutions Master (MCSM)
Expert: Microsoft Certified Solutions Expert (MCSE)
Associate: Microsoft Certified Solutions Associate (MCSA)
MCSE and MCSD certifications
MCSE: Private Cloud, Server Infrastructure, Desktop Infrastructure, SharePoint, Data Platform
MCSD: Web Applications, SharePoint
MCSA: Windows Server 2012
Exam 70-410 (Installing and Configuring Windows Server 2012)
+ Exam 70-411 (Administering Windows Server 2012)
+ Exam 70-412 (Configuring Advanced Windows Server 2012 Services)
= MCSA: Windows Server 2012
Upgrade paths
Any of the following certifications qualify for the upgrade path:
MCSA: Windows Server 2008*
MCITP: Virtualization Administrator on Windows Server 2008 R2
MCITP: Enterprise Messaging Administrator 2010
MCITP: Lync Server Administrator 2010
MCITP: SharePoint Administrator 2010
MCITP: Enterprise Desktop Administrator on Windows 7

Qualifying certification + Exam 70-417 (Upgrading Your Skills to MCSA Windows Server 2012) = MCSA: Windows Server 2012

* Individuals who have earned the MCITP: Enterprise Administrator or MCITP: Server Administrator have also earned the MCSA: Windows Server 2008.
Study for Success
Topics covered on the exam
Replace the Ns with your exam number to find your prep guide:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-NNN

First tab shows the list of available languages.
Second tab shows Skills Measured.
Third tab shows Preparation Materials, including a link to the Learning Plan for the exam.
Know What to Expect
How to interpret the questions
All questions have a consistent anatomy: a business problem, a goal statement, one or more correct answers, and multiple distracters.
Questions are not intended to trick you.
Question types go beyond multiple choice: Extending Matching, Two-Part Analysis items, Code Review, Case Studies, Choose All That Apply, Multi-source Reasoning, Graphics Interpretation, Active Screen, Drag & Drop, Build Lists, Best Answer.
Be sure to view the exam item type demo before you take your first exam!
The Objectives (objective: weight)
Deploy, Manage, and Maintain Servers: 17%
Configure File and Print Services: 15%
Configure Network Services and Access: 17%
Configure a Network Policy Server Infrastructure: 14%
Configure and Manage Active Directory: 19%
Configure and Manage Group Policy: 18%
Deploy, Manage, and Maintain Servers
Deploy and manage server images
Implement patch management
Monitor servers
Deploy and Manage Server Images (1/2)
Install the Windows Deployment Services (WDS) role
Prerequisites: AD DS, DHCP, DNS, an NTFS volume for the image store, and membership in the local Administrators group
Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools
(Servermanagercmd.exe is deprecated)

Boot, capture, install, discover images


Boot image is Windows PE + client (boot.wim on media)
Capture image is used to capture a reference computer to use for your install image
Install image is what you deploy (install.wim on media)
Discover image when computer can’t use PXE (boot to discover image media)

Update images - patches/hotfixes/drivers/features


DISM replaces the deprecated ImageX, Package Manager (pkgmgr.exe) and OCSetup; the DISM PowerShell module adds 22 cmdlets
dism /online /enable-feature /FeatureName:TelnetClient
Deploy and Manage Server Images (2/2)
Update images - patches/hotfixes/drivers/features
Mount the offline image:
DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
Add package or driver to image:
DISM /Image:<temppath> /Add-Package /PackagePath:<path>
DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
Commit the changes and unmount:
DISM /Unmount-Image /MountDir:<temppath> /Commit
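The same mount, add-package, add-driver, commit sequence with the DISM PowerShell module, as an added example that is not from the deck. The image path, image name, update and driver folders are assumptions. The point a practitioner should take from it: service the image inside try/finally so that a failed step discards the mount instead of committing a half-patched image, and never pass -ForceUnsigned to Add-WindowsDriver on a production image.

```powershell
# Added example: offline servicing of an install image with the Dism module.
Import-Module Dism

$imagePath = 'D:\Images\install.wim'                # assumed WIM to service
$mountDir  = 'C:\Mount'                             # assumed, must be empty
$updateDir = 'D:\Updates'                           # assumed folder of .msu/.cab packages
$driverDir = 'D:\Drivers'                           # assumed folder tree of signed .inf drivers
$imageName = 'Windows Server 2012 SERVERSTANDARD'   # assumed image name inside the WIM

# Resolve the image name to an index; a WIM can hold several images.
$index = (Get-WindowsImage -ImagePath $imagePath |
          Where-Object ImageName -eq $imageName).ImageIndex
if (-not $index) { throw "Image '$imageName' not found in $imagePath" }
if (-not (Test-Path $mountDir)) { New-Item -ItemType Directory -Path $mountDir | Out-Null }

$committed = $false
try {
    Mount-WindowsImage -ImagePath $imagePath -Index $index -Path $mountDir | Out-Null

    # Packages (updates/hotfixes) first, then drivers; -Recurse walks the driver tree.
    Get-ChildItem -Path $updateDir -Include *.msu, *.cab -Recurse |
        ForEach-Object { Add-WindowsPackage -Path $mountDir -PackagePath $_.FullName | Out-Null }
    Add-WindowsDriver -Path $mountDir -Driver $driverDir -Recurse | Out-Null

    # Review what is now in the image before writing it back.
    $installed = Get-WindowsPackage -Path $mountDir | Where-Object PackageState -eq 'Installed'
    Write-Host "Image now contains $($installed.Count) installed packages"

    Dismount-WindowsImage -Path $mountDir -Save
    $committed = $true
}
finally {
    # Any failure above: throw the mount away so the WIM is left exactly as it was.
    if (-not $committed) {
        Dismount-WindowsImage -Path $mountDir -Discard -ErrorAction SilentlyContinue
    }
}

# Record the hash of the serviced WIM so the image you deploy can be tied to this run
# (Get-FileHash needs PowerShell 4.0; on Windows Server 2012 use certutil -hashfile instead).
Get-FileHash -Path $imagePath -Algorithm SHA256
```

Run it from an elevated PowerShell session on the WDS server (or any server with the DISM module); re-import the serviced install.wim into WDS afterwards.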
Example question
You have an existing image that you use to deploy to servers. You need to add a package to the
image.

What should you do first?

A. Run the DISM /Image:<temppath> /Add-Package /PackagePath:<path>


B. Run the DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
C. Run the DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
D. Run the DISM /Unmount-Image /MountDir:<temppath> /Commit
Implement Patch Management
Install WSUS role
DISM /Online /Enable-Feature /FeatureName:<name> (look up the exact feature name with dism /online /get-features)
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

GPOs, client side targeting


Server-side targeting (default) – best in smaller deployments, make changes on the fly
Client-side targeting (typically GPO) – best in large deployments, automated membership
Watch for non-domain joined clients or the manual step of creating groups in WSUS

Synchronization and WSUS groups


Synchronization is where WSUS downloads updates from upstream server or Microsoft Update
Watch for proxy server issue (configure in WSUS), firewall issue, or BITS issue
WSUS groups – used for targeting updates to groups of computers
Watch for client computers not showing up in the computer list (configure them for WSUS first)
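A quick client-side check for the "computer not showing up in WSUS" scenario, as an added example that is not from the deck. It reads the policy keys that the WSUS Group Policy settings write (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey) and reports the usual causes: no policy applied, UseWUServer not set, client-side targeting not enabled, and a WSUS URL on plain HTTP, which an on-path attacker can tamper with.

```powershell
# Added example: inspect the WSUS client configuration applied by Group Policy.
function Get-WsusClientConfig {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    if (-not (Test-Path $policy)) {
        return [pscustomobject]@{ Configured = $false
                                  Reason = 'No WSUS policy present (not domain joined, or GPO not applied)' }
    }
    $p = Get-ItemProperty -Path $policy
    $a = if (Test-Path $au) { Get-ItemProperty -Path $au } else { $null }
    [pscustomobject]@{
        Configured         = $true
        WUServer           = $p.WUServer
        WUStatusServer     = $p.WUStatusServer
        UseWUServer        = [bool]$a.UseWUServer
        TargetGroupEnabled = [bool]$p.TargetGroupEnabled
        TargetGroup        = $p.TargetGroup
        PlaintextTransport = ($p.WUServer -match '^http://')   # http:// = tamperable metadata
    }
}

function Test-WsusClientConfig {
    $c = Get-WsusClientConfig
    if (-not $c.Configured) { return @($c.Reason) }
    $issues = @()
    if (-not $c.UseWUServer) {
        $issues += 'UseWUServer is 0: client still talks to Microsoft Update, not WSUS'
    }
    if (-not $c.TargetGroupEnabled -or -not $c.TargetGroup) {
        $issues += 'Client-side targeting is off: computer will land in Unassigned Computers'
    }
    if ($c.PlaintextTransport) {
        $issues += "WUServer $($c.WUServer) uses HTTP; enable SSL on WSUS and switch to https://"
    }
    if ($c.WUServer -ne $c.WUStatusServer) {
        $issues += 'WUServer and WUStatusServer differ; reporting may go to the wrong server'
    }
    if (-not $issues) { $issues += 'OK' }
    return $issues
}

Test-WsusClientConfig
# After fixing targeting, make the client re-register with WSUS (elevated prompt):
#   wuauclt.exe /resetauthorization /detectnow
```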
Monitor Servers (1/2)
Configure Data Collector Sets (DCS)
3 types of collectors – performance counters (system performance), event trace data (activities
and system events), system configuration information (registry)
Built in templates – Active Directory Diagnostics, Basic, System Diagnostics, System
Performance, WDAC Diagnostics

Alerts / Monitor Real-Time Performance


Monitor performance counter then alert when threshold is exceeded
Start a DCS, log event in Event Log, run a task (such as email or script)

Monitor VMs
Prerequisites: Windows Server 2012 Failover Cluster, Windows Server 2012 VMs, the VM Monitoring firewall rule enabled in the guest, and the VM enabled for monitoring
Monitor services, restart service upon failure, reboot and/or move VM thereafter, automate,
manual, or integrate with System Center
Monitor Servers (2/2)
Monitor Events
Centralize event log data to a single collector server (default protocol HTTP over port 5985)
Use winrm quickconfig on source and wecutil qc on collector
Works in non-domain environment but need to set TrustedHosts for WinRM

Configure Event Subscriptions


Use Event Viewer to create a subscription, default location is ForwardedEvents log
Can use existing custom view (useful when trying to minimize administrative overhead)

Configure Network Monitoring


System Center Operations Manager + OS mgmt. packs + network device discovery
Performance Monitor – DCS + performance monitor data + alert or log
Example question
You have a standalone Hyper-V host server running Windows Server 2012. You need to monitor
the VMs that run Windows Server 2012.

What should you do first?

A. Migrate the VMs to a Windows Server 2012 Failover Cluster.


B. Install Windows Server 2012 SP1 on the host server.
C. Install Windows Server 2012 SP1 on the VMs.
D. Join the host server to an Active Directory domain.
Configure File and Print Services
Configure Distributed File System (DFS)
Configure File Server Resource Manager (FSRM)
Configure file and disk encryption
Configure advanced audit policies
Configure DFS (1/2)
Overview
DFS Replication and DFS Namespaces are role services (rolling up to File and Storage Services role)
Know what’s new: PowerShell module, WMI mgmt., site awareness for DirectAccess, dedupe
Know what’s deprecated: dfscmd, FRS

Install and configure DFS Namespaces


Domain-based namespace (can use multiple namespace servers, not Failover Clustering)
For ABE and increased scalability – DFS Windows Server 2008 mode required:
1. The forest functional level must be Windows Server 2003 or higher
2. The domain functional level must be Windows Server 2008 or higher
3. All namespace servers must be running Windows Server 2008 or newer

Stand-alone namespace (can be combined with Failover Clustering)


Useful for non-AD DS environment
Can scale to 50,000 folders (higher than Windows 2000 Server Mode which is ~5,000)
Configure DFS (2/2)
Configure DFS Replication Targets
Keep folders in sync, use the Replicate Folder wizard to configure
Config changes must replicate via AD DS and then each namespace server must poll a DC for the
config change (speed it up by forcing AD DS replication and then running the dfsrdiag.exe
PollAD /Member:Contoso\Server01 command)

Configure Replication Scheduling


Create replication group:
1. Multipurpose or data collection
2. Hub and spoke, full mesh, or no topology
3. Replicate continuously (select bandwidth limits if desired)
4. Replicate during specific days/times (can set bandwidth to use per time slot)
Watch for staging folder size issues (if too small, high CPU or slow replication will result)
Use a different physical disk for staging folder for improved I/O
Configure FSRM (1/2)
Install FSRM
Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Configure Quotas
Configure quotas on specific folder or on a path (which handles newly created folders)
Hard (users cannot exceed) or soft (users can exceed, used for monitoring)
Built-in templates which can be used to create a quota or to create a new customized template
When quota threshold met, option to send email, log event, run command, or generate report
Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)
Configure FSRM (2/2)
Configure File Screens
Active screening (cannot save unauthorized files)
Passive screening (can save unauthorized files, used for monitoring)
Built-in templates (block audio/video files, e-mail files, executable files, images, monitor exe/system)
Be wary of deprecated filescrn.exe
Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate

Configure Reports
Run reports on demand – DHTML, HTML, XML, CSV, or text
Built-in reports – duplicate files, file screen audit, files by file group, files by owner, files by property,
folders by property, large files, least recently accessed files, most recently accessed files, quota usage
Set scheduled reports and have reports emailed to admin(s)
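Quotas, an active file screen with an exception, and a scheduled report done with the FileServerResourceManager cmdlets that replace dirquota.exe and filescrn.exe, as an added example that is not from the deck. The share path, SMTP server and mailbox are assumptions. The bracketed tokens in the action bodies ([Quota Path], [Source Io Owner], ...) are FSRM's own notification variables.

```powershell
# Added example: FSRM quota template + auto quota, active file screen, scheduled report.
Import-Module FileServerResourceManager

$share  = 'D:\Shares\Users'          # assumed root of per-user folders
$admins = 'fsadmins@contoso.com'      # assumed

# FSRM needs mail settings before any Email action can fire.
Set-FsrmSetting -SmtpServer 'smtp.contoso.com' -AdminEmailAddress $admins -FromEmailAddress 'fsrm@contoso.com'

# Actions reused by the quota threshold and the file screen.
$logAction  = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path]'
$mailAction = New-FsrmAction -Type Email -MailTo $admins `
    -Subject 'FSRM alert on [Quota Path]' -Body '[Source Io Owner] on [Source File Path]'

# Hard 5 GB quota per user folder: a template with an 85% warning threshold, applied as an
# auto quota on the path so every new subfolder picks it up automatically.
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $logAction, $mailAction
New-FsrmQuotaTemplate -Name 'Users 5GB Hard' -Size 5GB -Threshold $threshold `
    -Description 'Per-user home folder limit'
New-FsrmAutoQuota -Path $share -Template 'Users 5GB Hard'

# Active screen: block the built-in "Executable Files" group everywhere under the share,
# except in a Tools folder that admins are allowed to use.
New-FsrmFileScreen -Path $share -IncludeGroup 'Executable Files' -Active -Notification $logAction, $mailAction
New-FsrmFileScreenException -Path "$share\Tools" -IncludeGroup 'Executable Files'

# Weekly report of screen violations and large files, mailed to the admins.
$weekly = New-FsrmScheduledTask -Time (Get-Date '07:00') -Weekly Monday
New-FsrmStorageReport -Name 'Users weekly' -Namespace $share `
    -ReportType FileScreenAudit, LargeFiles -Schedule $weekly -MailTo $admins

# Verify what is in force.
Get-FsrmQuota -Path "$share\*" | Select-Object Path, Size, Usage, SoftLimit
Get-FsrmFileScreen -Path $share | Select-Object Path, IncludeGroup, Active
```

Passive screening for monitoring only is the same New-FsrmFileScreen call with -Active:$false; quotas on the template become soft limits with -SoftLimit.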
Configure file and disk encryption (1/3)
New Features
BitLocker provisioning (can enable BitLocker prior to deploying Windows 8 via WinPE)
Encrypt only used disk space (faster overall and takes only seconds for Windows 8 deployments)
Change PIN and password by standard users (no longer require admin rights)
Support for encrypted hard drives (encryption offloaded to the hard drive)

Configure BitLocker encryption


TPM version 1.2 or higher (required for provisioning prior to operating system deployment)
TPM owner authorization – separate object new for Windows 8 – requires AD schema update
Add the BitLocker Drive Encryption feature, then Enable-BitLocker (needs the volume, an encryption method, and a key protector)
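The three pieces Enable-BitLocker needs, plus the recovery-password escrow that a real deployment cannot skip, as an added example that is not from the deck. It assumes the BitLocker feature is installed, a TPM 1.2 or later is present and initialized, and the GPO that allows backing up recovery information to AD DS applies to the server. Keep the recovery password object itself out of scripts and logs; only its KeyProtectorId is used here.

```powershell
# Added example: TPM-protected OS volume, used-space-only, recovery password escrowed to AD DS.
Import-Module BitLocker

$osVolume = $env:SystemDrive    # "C:"

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not initialized; run Initialize-Tpm first'
}

# 1. Encrypt used space only with AES-256 and a TPM key protector.
#    -SkipHardwareTest avoids the reboot-and-test cycle; drop it for desktops you cannot revisit.
Enable-BitLocker -MountPoint $osVolume -EncryptionMethod Aes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest

# 2. Add a numerical recovery password as the second protector.
Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null

# 3. Escrow it: creates an msFVE-RecoveryInformation object under the computer account.
$rp = (Get-BitLockerVolume -MountPoint $osVolume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $rp.KeyProtectorId

# 4. Verify: two protectors, protection on, encryption progressing.
Get-BitLockerVolume -MountPoint $osVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The escrow step is what turns a lost TPM (board swap, firmware reset) from a data-loss event into a help-desk lookup; confirm the object exists in AD DS before considering the server protected.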
Configure file and disk encryption (2/3)
Configure the Network Unlock feature (new)
Install the BitLocker Network Unlock feature, WDS on Windows Server 2012, separate DHCP, UEFI
DHCP drivers, PKI for issuing certificate (or self-signed certificate), Group Policy configured
For TPM+PIN systems, Network Unlock allows a form of two-factor authentication without user
intervention when booting (on untrusted networks, TPM+PIN is used)

Configure BitLocker policies (Win8 or Win2012)


Choose drive encryption method and cipher strength
Configure use of hardware-based encryption for fixed data drives, operating system drives, and removable data drives (one setting per drive type)
Enforce drive encryption type on fixed, operating system, and removable data drives: full or used space only
Allow network unlock at startup
Configure file and disk encryption (3/3)
Configure the EFS recovery agent
Obtain a certificate for File Recovery for a data recovery agent user account
Add data recovery agent (DRA) by editing GPO:
Add from AD DS if certificates are published in AD DS (not published by default)
Add from .cer files if not published in AD DS

Manage EFS and BitLocker certificates including


backup and restore
For certificates, can enable archiving on the certificate templates to allow recovery
DRA can have a self-signed certificate which is backed up with standard backup methods
Windows 7 requires permissions update to ms-TPM-OwnerInformation for TPM owner info backup
Back up BitLocker recovery info to AD DS GPO setting (Pre-2008 requires schema extension)
Example question
You are the system administrator for Contoso, Ltd. You manage an Active Directory Domain
Services (AD DS) domain. All servers run Windows Server 2008 R2. The forest functional level is set
to Windows Server 2003. The domain functional level is set to Windows Server 2008. You are
preparing to deploy DFS. The deployment must meet the following requirements.
• Users must not be able to see folders that they do not have access to
• Users must be able to create 3,000 total folders
• Minimize changes to the environment

You need to deploy DFS to meet the requirements. What should you do?

A. Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone
DFS namespace.
B. Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-
based DFS namespace by deselecting DFS Windows Server 2008 mode.
C. Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
D. Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.
Configure advanced audit policies (1/2)
Implement auditing using Group Policy and
AuditPol.exe
Know difference between basic Audit Policy settings and advanced Audit Policy settings
To manually enable Advanced Audit subcategory auditing (high overhead for widespread use):
auditpol /set /subcategory:"RPC Events" /success:enable
Auditpol has a /backup switch and a /restore switch

Global object access auditing (for file system or registry – automatically applies to all objects)
For Global auditing, watch for situations that don’t also enable Audit File System and Audit
Registry audit policy settings (required)
Advanced Audit Policy settings take precedence over basic Audit Policy settings
Configure advanced audit policies (2/2)
Create expression-based audit policies
Audit anybody not in Payroll that tries to access the sensitive payroll spreadsheets (can be set
directly on a file/folder or in global policy), can be combined with Dynamic Access Control

Create removable device audit policies


Requires Windows 8 or Windows Server 2012
Logs event when users attempt to access a removable storage device (Audit Removable Storage)
Can also log removable storage device events (Audit Handle Manipulation)
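An auditing configuration put together end to end, as an added example that is not from the deck: back up the current advanced policy, enable the subcategories that the file-system and removable-storage scenarios depend on, put a SACL on a sensitive folder, and read the policy back. The folder path is an assumption. The caveat from the slides applies: an Audit File System entry is mandatory for any file SACL (or global object access policy) to produce events, and Handle Manipulation is very noisy, so leave it off unless you need 4656/4658 handle events.

```powershell
# Added example: advanced audit policy + per-object SACL, elevated prompt required.
$backup = Join-Path $env:ProgramData 'auditpol-before.csv'
auditpol.exe /backup /file:$backup      # restore later with: auditpol /restore /file:$backup

# "File System" makes SACLs on files/folders produce 4663 events;
# "Removable Storage" (Windows 8 / Server 2012 and later) logs access to removable devices.
foreach ($sub in 'File System', 'Removable Storage') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable
}

# Per-object SACL: audit Everyone for write/delete/permission changes on the payroll folder.
$folder = 'D:\Shares\Payroll'            # assumed
$acl    = Get-Acl -Path $folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the effective subcategory settings back as CSV (/r) and show only what matters.
auditpol.exe /get /category:'Object Access' /r | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -in 'File System', 'Removable Storage', 'Handle Manipulation' } |
    Select-Object Subcategory, 'Inclusion Setting'

# Confirm the SACL landed.
(Get-Acl -Path $folder -Audit).Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags
```

Because advanced settings take precedence over the basic Audit Policy, also set "Audit: Force audit policy subcategory settings ... to override audit policy category settings" in the GPO so a basic policy elsewhere cannot silently undo this.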
Configure Network Services and Access
Configure DNS zones
Configure DNS records
Configure VPN and routing
Configure DirectAccess
Configure DNS zones (1/2)
Configure primary and secondary zones
Primary zone can be stored in file or in AD DS – authoritative source for the zone
Secondary zone cannot be stored in AD DS and is a read-only copy of a primary zone

Configure stub zones


Stub zone used to identify authoritative DNS servers for a zone – useful in a merger/acquisition
Watch for scenarios that offer stub zone and conditional forwarding as potential solutions
Stub zones best when needing to dynamically maintain authoritative DNS servers for child zone

Configure conditional forwarders


Forwards to specific DNS servers which can then build up a cache for efficient resolution
Often the best solution for merger/acquisition but can also speed up internal name resolution
Configure DNS zones (2/2)
Configure zone and conditional forward storage in
Active Directory
The DNS server must be a domain controller; primary zones, stub zones, and conditional forwarders can be stored in AD DS
Replication scope for integrated zones: all DNS servers in the forest, all DNS servers in the domain, all DCs in the domain (Windows 2000 compatibility), or all DCs in a custom application partition

Configure zone delegation


Key scenarios – delegate management, distribute load/improve perf/fault tolerance

Configure zone transfer settings


All servers, listed name servers, specific list – best security is specific list

Configure notify settings


Can notify name servers which helps secondary servers have more consistent DNS data
Configure DNS records (1/2)
Create configure Resource Records (RR) including A,
AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
Know that AAAA is IPv6 A record
Use dnscmd /recordadd for mass record creation (or PowerShell)
Add-DnsServerResourceRecord -A -Name "test" -ZoneName "woodgrovebank.com" -IPv4Address 172.16.1.200

Configure zone scavenging


Must enable at server level and at zone level (watch for troubleshooting scenarios or choose all)
Must also be enabled at resource record level (by default it is, but watch for troubleshooting)
Cleans up dynamic records only (not static)
Avoid DNScmd.exe /ageallrecords
Configure DNS records (2/2)
Configure record options including TTL and weight
TTL default is 1 hour (the zone's SOA minimum TTL); dynamically registered host records use 20 minutes. Override at zone level or on an individual resource record
Weight default is 100 with a possible range of 0-65535 (higher means usually picked more)

Configure round robin


On and working by default, can disable with registry edit for certain resource record types
HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes
Local subnet priority takes precedence over round-robin for multi-homed names

Configure secure dynamic updates


Secure updates option only available when a zone is AD DS integrated
Run dnscmd /Config woodgrovebank.com /AllowUpdate 2 to force a zone to secure only
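The record, secure-update, zone-transfer and scavenging items from the last few slides done with the DnsServer module, as an added example that is not from the deck. Zone names, addresses and the secondary server list are assumptions. The transfer and update settings are the security-relevant ones: an open zone transfer hands an attacker your network map, and non-secure dynamic updates let any host overwrite any record.

```powershell
# Added example: records, secure dynamic updates, restricted transfers, scavenging.
Import-Module DnsServer

$zone        = 'woodgrovebank.com'
$secondaries = '172.16.1.11', '172.16.1.12'    # assumed secondary DNS servers

# Records: an A record with its PTR created in the matching reverse zone, and an SRV
# record with explicit priority/weight/port (weight 100 is the default the slides mention).
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'test' -IPv4Address '172.16.1.200' `
    -CreatePtr -TimeToLive (New-TimeSpan -Minutes 20)
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp.app' `
    -DomainName 'test.woodgrovebank.com' -Priority 0 -Weight 100 -Port 389

# Dynamic updates: secure only (equivalent of dnscmd /Config <zone> /AllowUpdate 2;
# requires an AD-integrated zone).
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# Zone transfers: only to the explicit list, and notify exactly those servers on change.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries -Notify NotifyServers -NotifyServers $secondaries

# Scavenging has to be on at the server AND on the zone; dynamic records only are aged.
Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -Name $zone -Aging $true

# Verify the three settings in one view.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries, Notify
Get-DnsServerZoneAging -Name $zone | Select-Object ZoneName, AgingEnabled, RefreshInterval, NoRefreshInterval
Resolve-DnsName -Name 'test.woodgrovebank.com' -Type A
Resolve-DnsName -Name '172.16.1.200' -Type PTR
```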
VPN and Routing
Install and configure the Remote Access role
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard

Implement Network Address Translation (NAT)


Need two interfaces prior to enabling via wizard

Configure VPN settings


For SSTP, need to select the proper SSL certificate post install

Configure remote dial-in settings for users


Default in AD is control access through NPS Network Policy
Need to adjust policy or create new policy in order to allow users in

Configure routing
IPv4 and IPv6 static routes, DHCP relay, need to enable router for protocol
DirectAccess (1/2)
Implement server requirements
No longer require PKI (can use Kerberos proxy over HTTPS instead along with port 443)
New simplified deployment but then won’t get force tunneling, Network Access Protection (NAP)
integration, or two-factor authentication
Can use a single NIC behind NAT (Windows Server 2012 required)
Remote access servers and all client computers must be domain members
IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)

Implement client configuration


Need to have security groups in place and then create GPOs
DirectAccess (2/2)
Configure DNS for DirectAccess
Name Resolution Policy Table (NRPT) – used to send specific queries to specific DNS servers
(otherwise, use normal name resolution) – Windows 7 or later required (config via GPO)

Configure certificates for DirectAccess


If using internal CA or self-signed certificate, CRL distribution point must be available externally
Can’t use self-signed cert in a multi-site environment
Internal PKI is required if Kerberos proxy over HTTPS not available/possible
Example question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain
Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS
Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name
resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not
resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to
www2.tailspintoys.com.

What should you do?

A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
Configure a Network Policy Server Infrastructure
Configure Network Policy Server (NPS)
Configure NPS policies
Configure Network Access Protection (NAP)
Configure NPS (1/2)
Configure multiple RADIUS server infrastructures
5 parts:
1. Access clients (laptops)
2. Access servers (VPN/wireless devices)
3. NPS servers (RADIUS server)
4. NPS proxies (RADIUS proxy; fault tolerance by using two with one as backup; domain membership optional; use NETSH to copy config from one proxy to another)
5. User account databases (such as AD DS)

Configure RADIUS clients


Required: shared secret, friendly name, FQDN or IP, optional is vendor info (e.g. Cisco)

Manage RADIUS templates


Watch for questions involving administrative overhead as that may indicate the creation of a
template or use of existing template.
Configure NPS (2/2)
Configure RADIUS accounting
Can log to SQL DB, text file on local computer, both simultaneously, or SQL with text file logging
for failover (if SQL logging fails, continue to log via text file)
If logging stops (out of disk, SQL down), users can’t get in (watch for situations that call out default
install and sudden loss of functionality – could be out of disk space, consider moving logging to
non-system disk)

Configure certificates
Certificate-based auth - NPS servers need a server certificate
Minimize administrative overhead in large environment – autoenrollment
Configure NPS policies (1/2)
Configure connection request policies
Policies have conditions such as connection type, day/time, network, computer
Useful to authenticate untrusted domain (proxy policy first in the policy order) while still
authenticating locally via NPS (to AD DS)
If no local processing by NPS, then server is a proxy (can forward one place or multiple)

Configure network policies for VPN clients (multilink


and bandwidth allocation, IP filters, encryption, IP
addressing)
Watch for default installation on encryption as all encryption options are enabled (40-bit, 56-bit,
128-bit)
Can use IP filters to enhance security, limit traffic type (IPv4 and IPv6)
Configure NPS policies (2/2)
Manage NPS templates
Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filter, health policies, and
remediation server groups (minimize administrative overhead, speed up deployment)
Can export templates to .XML file and import to another server

Import and export NPS policies


Can use NETSH or Export-NpsConfiguration to export entire NPS server config including policies
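Adding a RADIUS client with a randomly generated shared secret and exporting the configuration for the second NPS server, as an added example that is not from the deck. The client name, address and export path are assumptions. The caveat that matters: Export-NpsConfiguration writes every shared secret in clear text into the XML, so treat the file like a password file, and set AuthAttributeRequired so the access server must sign requests with Message-Authenticator.

```powershell
# Added example: register a RADIUS client with a strong secret, export/import NPS config.
Import-Module NPS

# 24 random bytes -> 32-character base64 secret; store it in your secret vault, not in scripts.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

New-NpsRadiusClient -Name 'WLC-01' -Address '10.1.1.10' -SharedSecret $secret `
    -VendorName 'RADIUS Standard' -AuthAttributeRequired $true -NapCompatible $false
Get-NpsRadiusClient | Select-Object Name, Address, AuthAttributeRequired, Enabled

# Export the whole server configuration (policies, clients, templates) for the backup server.
$exportPath = 'C:\Backup\nps-config.xml'      # assumed
if (-not (Test-Path (Split-Path $exportPath))) { New-Item -ItemType Directory -Path (Split-Path $exportPath) | Out-Null }
Export-NpsConfiguration -Path $exportPath

# Lock the export down: it contains every shared secret in the clear.
$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'Allow')))
}
Set-Acl -Path $exportPath -AclObject $acl

# On the second NPS server / proxy, after copying the file over a protected channel:
#   Import-NpsConfiguration -Path 'C:\Backup\nps-config.xml'
# Then delete the XML once both servers hold the configuration.
```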
Configure NAP (1/2)
Configure System Health Validators (SHVs)
One default SHV – Windows Security Health Validator – can require specific firewall settings,
antivirus settings, spyware protection, automatic updates settings
If noncompliant with SHV, can restrict network access or remediate
Windows XP does not have spyware protection settings available

Configure health policies


Policy dictates how many SHV checks must be passed or failed
Health policies are added to network policies (NPS) to ascertain who should gain access

Configure NAP enforcement using DHCP and VPN


Non-compliant devices – full access, full access with limited time, limited access
Limited access usually is tied with remediation servers for updating components for compliance
If full network + limited time and client subsequently becomes compliant, will be disconnected!
Configure NAP (2/2)
Configure isolation and remediation of non-compliant computers using DHCP and VPN
Default network policy has automatic remediation enabled by default
Can add remediation servers and a troubleshooting URL for employees

Configure NAP client settings


Remember that Group Policy overrides NETSH and NAP Client Configuration console
Enable tracing - netsh nap client set tracing state = enable
Use the NAP Client Configuration console to create .xml config file for use in a GPO
By default, NAP enforcement clients are disabled
To enforce health policies, must enable at least one NAP enforcement client
IPsec – need to configure NAP health registration authority settings
Configure and Manage Active Directory
Configure service authentication
Configure Domain Controllers
Maintain Active Directory
Configure account policies
Configure service authentication (1/2)
Create and configure Service Accounts
Used to enhance security but the pain point is the password management and SPN mgmt.

Create/configure Group Managed Service Accounts


Must create/configure on a server running Windows Server 2012 or on a Windows 8 computer
Automated password management and can be used across multiple servers
Minimum of one DC that runs Windows Server 2012
Before you begin, create the KDS root key once per forest: Add-KdsRootKey -EffectiveImmediately (the key still becomes usable only after 10 hours, so every DC has replicated it)
New-ADServiceAccount and Set-ADServiceAccount

Create and configure Managed Service Accounts


Introduced in Windows Server 2008 R2 / Windows 7
New-ADServiceAccount with the –RestrictToSingleComputer parameter
Automated password management and can be used on a single server
Not supported for scheduled tasks, Exchange, SQL
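The full gMSA workflow from the KDS root key to a working account on the hosts, as an added example that is not from the deck. Account, group, host and SPN names are assumptions. Two details worth the exam points and the production points: the password is only retrievable by the principals you list (use a group of computer accounts, not individual computers, so hosts can be added without touching the account), and the host needs a reboot after joining that group before Install-ADServiceAccount succeeds.

```powershell
# Added example: create and deploy a group managed service account for a web farm.
Import-Module ActiveDirectory

# 1. KDS root key (once per forest). The lab-only shortcut backdates the key so you do not
#    wait 10 hours: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. A group of the hosts allowed to retrieve the password.
New-ADGroup -Name 'gMSA-WebFarm-Hosts' -GroupScope Global -Path 'OU=Groups,DC=contoso,DC=com'   # assumed OU
Add-ADGroupMember -Identity 'gMSA-WebFarm-Hosts' `
    -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')                                # assumed hosts

# 3. The account itself: SPNs registered here (no duplicate SPN problems later), AES only,
#    30-day automatic rotation, retrievable only by the host group.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebFarm-Hosts' `
    -ServicePrincipalNames 'HTTP/web.contoso.com', 'HTTP/web' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. Check the SPNs are unique in the forest (setspn -X reports duplicates).
setspn.exe -X

# 5. On each host, after a reboot so the new group membership is in the computer token:
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'     # True = this host can retrieve the password

# The service (or IIS application pool) then runs as CONTOSO\svc-web$ with a blank password;
# Windows fetches and rotates the password, nobody ever knows it.
```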
Configure service authentication (2/2)
Configure Kerberos delegation
IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)


SetSPN (note that it cannot register duplicate names in a domain in Windows Server 2012)
SPN format: <service class>/<host>:<port>/<service name> (port and service name are optional)
Configure Domain Controllers (1/2)
Configure Universal Group Membership Caching
Eliminates dependency on GC during logons
Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" –Replace @{options='32'}

Transfer and seize operations masters


NTDSUTIL can transfer and seize roles
Move-ADDirectoryServerOperationMasterRole for transfer, use –Force for seize

Install and configure an RODC


Cannot upgrade writable DC to RODC
Staged installation – delegate installation to non-Domain Admin at remote site (+IFM for speed)
Configure Domain Controllers (2/2)
Configure Domain Controller cloning
• VM-GenerationID (supported on Hyper-V on 2012 and VMware 5.0 and later)
• Source VM must be 2012, PDC emulator must be 2012

1. Add the source DC to the Cloneable Domain Controllers group


2. Run New-ADDCCloneConfigFile to create DCCloneConfig.xml (computer name, IP info, site info)
3. Export source DC (Hyper-V or Export-VM cmdlet)
4. Import the VM (Hyper-V or Import-VM cmdlet)

DefaultDCCloneAllowList.XML contains a list of services that are supported for cloning (watch out
for unsupported services such as DHCP)
CustomDCCloneAllowList.xml is for custom services that you are sure about

See http://
blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-
domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx
(the entire series is valuable)
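The four cloning steps as a script, as an added example that is not from the deck. Source DC name, site, IP addressing, export path and VM paths are assumptions, and the example assumes a Windows Server 2012 Hyper-V host. One security point the slides do not state: the exported VHD holds a full copy of ntds.dit, including every password hash in the domain, so protect the export directory and delete it once the clone has booted.

```powershell
# Added example: prepare, export and import a cloned virtual domain controller.
Import-Module ActiveDirectory, Hyper-V

$sourceDc  = 'DC02'            # assumed virtualized 2012 DC (not the PDC emulator)
$cloneName = 'DC03'
$exportDir = 'D:\Export'       # assumed; contains ntds.dit after export, protect it
$vmDir     = 'D:\VMs\DC03'     # assumed

# 1. Permit cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# 2. On the source DC: anything not on DefaultDCCloneAllowList.xml blocks cloning
#    (DHCP is the classic case). Review the list before generating CustomDCCloneAllowList.xml.
$blocked = Invoke-Command -ComputerName $sourceDc -ScriptBlock { Get-ADDCCloningExcludedApplicationList }
if ($blocked) {
    $blocked | Format-Table -AutoSize
    throw 'Remove the listed services or whitelist them with Get-ADDCCloningExcludedApplicationList -GenerateXml'
}

# 3. On the source DC: write DCCloneConfig.xml with the clone's identity and static addressing.
Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    New-ADDCCloneConfigFile -CloneComputerName $using:cloneName -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
}

# 4. On the Hyper-V host: export while the source is off, then import a copy with a new VM ID
#    so the hypervisor hands the clone a fresh VM-GenerationID on first boot.
Stop-VM -Name $sourceDc
Export-VM -Name $sourceDc -Path $exportDir
Start-VM -Name $sourceDc

$config = Get-ChildItem -Path "$exportDir\$sourceDc\Virtual Machines" -Filter *.xml | Select-Object -First 1
$clone  = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $vmDir -VhdDestinationPath $vmDir
Rename-VM -VM $clone -NewName $cloneName
Start-VM -Name $cloneName

# Once the clone is promoted, remove the plaintext copy of the directory database.
Remove-Item -Path $exportDir -Recurse -Force
```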
Maintain Active Directory (1/2)
Back up Active Directory and SYSVOL
wbadmin start systemstatebackup -backuptarget:e:
(this includes SYSVOL)

Manage Active Directory offline


Stop the Active Directory Domain Services service (Services console or Stop-Service cmdlet)
Can perform offline defrag (or other maintenance) and then start the service

Optimize an Active Directory database


LDIFDE can be used to manually kick off a garbage collection process (free up space inside)
NTDSUTIL can compact ntds.dit file (need adequate disk space to hold second copy of .dit file)
Maintain Active Directory (2/2)
Clean up metadata
Since 2008, deletion of DC from default OU results in automatic metadata cleanup
Deletion of DC’s NTDS Settings from Sites & Services also results in automatic metadata cleanup
Otherwise – ntdsutil, metadata cleanup, remove selected server <DN of DC>

Configure Active Directory snapshots


ntdsutil "activate instance ntds" snapshot create (mount the snapshot, then expose it with dsamain.exe to browse or export objects)

Perform object- and container-level recovery


Ntdsutil or Restore-ADObject (the Recycle Bin is needed to recover link-valued attributes such as group membership; it requires the Windows Server 2008 R2 forest functional level and cannot be disabled once enabled)
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <domain name> -Server <domain controller>

Perform Active Directory restore


Authoritative vs. non-authoritative (watch for situations where you restore and the objects gets
subsequently deleted after the restore)
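Enabling the Recycle Bin with the functional-level check in front of it, then recovering a deleted OU and its users with their group memberships intact, as an added example that is not from the deck. The OU and user names are assumptions. Restore the container first: children carry a LastKnownParent that must exist again before Restore-ADObject will put them back.

```powershell
# Added example: Recycle Bin prerequisites, enablement, and object/container-level recovery.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($forest.ForestMode); Recycle Bin needs Windows2008R2Forest or higher"
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    # Irreversible. Run against the domain naming master so the change replicates from there.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $forest.DomainNamingMaster -Confirm:$false
}

# What got deleted? Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the prefix.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'Finance*' } `
    -IncludeDeletedObjects -Properties LastKnownParent, whenChanged, ObjectClass     # assumed OU name
$deleted | Select-Object Name, ObjectClass, LastKnownParent, whenChanged | Format-Table -AutoSize

# 1. Container first (the OU), 2. then everything whose LastKnownParent was that OU.
$ou = $deleted | Where-Object ObjectClass -eq 'organizationalUnit'
if ($ou) {
    Restore-ADObject -Identity $ou.ObjectGUID
    $restoredOu = Get-ADOrganizationalUnit -Filter { Name -eq 'Finance' }
    Get-ADObject -Filter { isDeleted -eq $true -and LastKnownParent -eq $restoredOu.DistinguishedName } `
        -IncludeDeletedObjects | Restore-ADObject
}

# Verify memberships came back with the users (this is what a plain authoritative restore loses).
Get-ADUser -Filter * -SearchBase $restoredOu.DistinguishedName -Properties MemberOf |
    Select-Object SamAccountName, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
```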
Configure account policies (1/2)
Configure domain user password policy
Without fine-grained, one password and one lockout policy per domain
Configure via GPO

Configure and apply Password Settings Objects


New-ADFineGrainedPasswordPolicy – apply to user or groups (not OU)
Active Directory Administrative Center

Delegate password settings management


Can delegate ability to apply a PSO to user or group (Write Property permissions on the PSO)
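A PSO for privileged accounts and the resultant-policy check, as an added example that is not from the deck. The PSO name, precedence, values and group names are assumptions. Remember that a PSO applies to users and global security groups only, never to an OU, and that when several apply the lowest precedence number wins.

```powershell
# Added example: fine-grained password policy for admin accounts.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter policy for Tier 0 / Domain Admin accounts'

# Apply to global groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins', 'Tier0-Admins'   # assumed groups

# Who is covered, and what does a given user actually get (lowest Precedence wins)?
Get-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' | Select-Object Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity 'adm-jsmith' |                                                        # assumed user
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy returning nothing means the domain Default Domain Policy applies to that user; that is the quickest check when a PSO "is not working".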
Configure account policies (2/2)
Configure local user password policy
Can use a GPO linked to an OU with the computer objects

Configure account lockout settings


“Account lockout duration” setting set to 0 means an administrator must unlock locked accounts
“Account lockout threshold” setting set to 0 means an account will never get locked out
“Reset account lockout counter after” setting resets the number of failed logon attempts
Watch for requirements such as minimizing calls to the Help Desk, maintaining the highest level of
security, or situations where a Denial of Service (DoS) is occurring
Configure and Manage Group Policy
Configure Group Policy processing
Configure Group Policy settings
Manage Group Policy objects (GPOs)
Configure Group Policy preferences
Configure Group Policy processing (1/3)
Configure processing order and precedence
LSDOU – remember this!
Link order – 1 is highest (also referred to as the “top of the list”)

Configure blocking of inheritance


Nothing above will apply unless a GPO is enforced

Configure enforced policies


Right-click a GPO and click Enforced to ensure that the GPO cannot blocked
Enforced GPOs also ensure that the settings aren’t overwritten by GPOs applied lower in structure
Configure Group Policy processing (2/3)
Configure security filtering and WMI filtering
Read and Apply Group Policy (AGP) permissions are required for GPO to apply
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2012 Datacenter"

Configure loopback processing


Loopback with Replace – ensures that settings from User Configuration of GPOs that apply to the
computer replace the settings that are set in User Configuration of GPOs that apply to the user

Loopback with Merge – ensures that settings from the User Configuration of GPOs that apply to
the computer merge with the settings that are set in User Configuration of GPOs that apply to the
user

Watch for scenarios such as a kiosk or public computer where all users must have the exact same
settings on the computer!
Configure Group Policy processing (3/3)
Configure and manage slow-link processing
Some settings not applied when slow link detected (software installation, folder redirection, etc.)
Default slow link is less than 500Kbps
Computer Configuration\Administrative Templates\System\Group Policy

Configure client-side extension (CSE) behavior


Allow processing across a slow network connection
Do not apply during periodic background processing
Process even if the Group Policy objects have not changed
Settings can be set on extensions such as Scripts, Security, Registry, or other extensions (note that
some only have two options, not all three)
Configure Group Policy settings (1/2)
Configure settings including software installation,
folder redirection, scripts, and administrative
template settings
Assign to user (shortcuts appear on Start menu, not installed yet)
Assign to computer (no shortcut, install typical at startup)
Publish to user (add/remove programs availability)

Import security templates


Import from Group Policy Object Policy/Computer Configuration/Windows Settings/Security
Settings
“Clear this database before importing” option will overwrite, without it you get a merge
Configure Group Policy settings (2/2)
Import custom administrative template file
Add/remove templates while editing GPO
ADM and ADMX (ADMX files are stored once in the Central Store in SYSVOL instead of being copied into every GPO, which keeps SYSVOL small)
ADMX – Central Store (ADM not supported in Central Store)

Convert admin templates using ADMX Migrator


Free download, GUI conversion using “Generate ADMX from ADM”
Command line - faAdmxConv.exe name.adm

Configure property filters for admin templates


Managed – any = all, yes = only, no = only unmanaged
Configured – any = all, yes = only, no = only not configured
Commented – any = all, yes = only, no = only uncommented
(filters to limit what you see in the GUI)
Manage Group Policy objects (GPOs)
Back up, import, copy, and restore GPOs
PowerShell – Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO
C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts (.WSF scripts)

Create and configure Migration Table


Manually open Migration Table Editor, select source, destination
Cross-Domain Copying Wizard
Users, groups, computers, and UNC paths

Reset default GPOs


dcgpofix /target:Domain (can also use DC or Both as target)

Delegate Group Policy management


Group Policy Creator Owners group – create new GPOs and edit/delete GPOs that they created
Linking a GPO requires additional permissions (can be granted via ADUC on OU)
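Backup, creation, loopback, linking with enforcement, security filtering and delegation with the GroupPolicy module, as an added example that is not from the deck. It uses the kiosk scenario from the processing slides; the OU, group and path names are assumptions. One caveat from later experience: after MS16-072 (June 2016) user settings are read in the computer's security context, so keep Authenticated Users (or Domain Computers) with Read on a GPO you security-filter, and only remove the Apply permission.

```powershell
# Added example: kiosk lockdown GPO with loopback Replace, enforced link, filtered to one group.
Import-Module GroupPolicy

$ou        = 'OU=Kiosks,DC=woodgrovebank,DC=com'   # assumed
$backupDir = 'D:\GPO-Backups'                      # assumed
$gpoName   = 'Kiosk-Lockdown'

# 1. Backup everything first; Restore-GPO / Import-GPO read from this folder.
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
Backup-GPO -All -Path $backupDir | Select-Object DisplayName, Id, CreationTime

# 2. Create the GPO and turn on loopback. The registry value behind the
#    "User Group Policy loopback processing mode" setting: 1 = Merge, 2 = Replace.
$gpo = New-GPO -Name $gpoName -Comment 'Same user settings for everyone on shared kiosks'
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Link to the kiosk OU, enforced so a blocked inheritance or a lower link cannot override it.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null

# 4. Security filtering: only the kiosk computers apply it. Authenticated Users keeps Read
#    (never None) so the computer account can still read the user-side settings.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Kiosk-Computers' -TargetType Group -PermissionLevel GpoApply | Out-Null   # assumed group

# 5. Delegate editing (not linking, which is an OU permission) to the desktop team.
Set-GPPermission -Name $gpoName -TargetName 'GPO-Editors' -TargetType Group -PermissionLevel GpoEdit | Out-Null       # assumed group

# 6. Evidence: HTML report and the permissions as applied.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir "$gpoName.html")
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```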
Configure Group Policy preferences
Configure Group Policy Preferences (GPP) settings
including printers, network drive mappings, power
options, custom registry settings, Control Panel
settings, Internet Explorer settings, file and folder
deployment, and shortcut deployment
Beware of tattooing scenarios – use the “Remove this item when it is no longer applied” option
Use the “Apply once and do not reapply” option to allow user customization

Configure item-level targeting


Use single GPO but set different settings for different users or computer
Targets can be specific CPU, battery presence, security group membership, WMI, and many more
Example question
You are the system administrator for Woodgrove Bank. An existing GPO named GPO1 is linked to
an OU named Corp. The Corp OU contains all user objects. You need to ensure that a GPO named
GPO2 applies to all users in the Corp OU while also ensuring that settings in GPO2 take
precedence over the same settings in GPO1.

What should you do?

A. Link GPO2 to the domain.


B. Link GPO2 to the site.
C. Migrate GPO2 to a local GPO.
D. Configure GPO2 to be enforced.

Related content
Breakout Sessions: WCA-B346 - What's New in Windows Server 2012 Active Directory
Hands-on Labs: WCA-H306 - Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control
Related Exams: 70-412 and 70-417
Find me later at the Info Desk (Tues/Thurs 9:15am - 12:15pm)
Also find me later at the Study Hall (Wed 9:15am - 12:15pm)


Resources
Learning: Sessions on Demand - http://channel9.msdn.com/Events/TechEd
Microsoft Certification & Training Resources - www.microsoft.com/learning
TechNet: Resources for IT Professionals - http://microsoft.com/technet
MSDN: Resources for Developers - http://microsoft.com/msdn
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
