20410a enu trainerhandbook new

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

20410A Installing and Configuring Windows Server® 2012

ii 20410A: Installing and Configuring Windows Server® 2012

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners

Product Number: 20410A

Part Number: X18-48636

Released: 07/2012

MICROSOFT LICENSE TERMSMICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of itsaffiliates) and you. Please read them. They apply to your use of the content accompanying this agreement whichincludes the media on which you received it, if any. These license terms also apply to Trainer Content and anyupdates and supplements for the Licensed Content unless other terms accompany those items. If so, those termsapply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft LearningCompetency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-LedCourseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center ownsor controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds thehardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Sessionor Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the MicrosoftInstructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training sessionto End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as aMicrosoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course thateducates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-LedCourseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT AcademyProgram.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Networkprogram in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as MicrosoftOfficial Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in goodstanding.

l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic devicethat you personally own or control that meets or exceeds the hardware level specified for the particularMicrosoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members forcorporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.These classes are not advertised or promoted to the general public and class attendance is restricted toindividuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy ProgramMember to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additionalsupplemental content designated solely for Trainers’ use to teach a training session using the MicrosoftInstructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainerpreparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual harddisks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copyper user basis, such that you must acquire a license for each individual that accesses or uses the LicensedContent.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft

Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware isin digital format, you may install one (1) copy on up to three (3) Personal Devices. You may notinstall the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End

User who is enrolled in the Authorized Training Session, and only immediately prior to thecommencement of the Authorized Training Session that is the subject matter of the MicrosoftInstructor-Led Courseware being provided, or

2. provide one (1) End User with the unique redemption code and instructions on how they canaccess one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. provide one (1) Trainer with the unique redemption code and instructions on how they canaccess one (1) Trainer Content,

provided you comply with the following:iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid

license to the Licensed Content,iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed

copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized TrainingSession,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree thattheir use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreementprior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be requiredto denote their acceptance of this agreement in a manner that is enforceable under local law prior totheir accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own validlicensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with theMicrosoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught forall your Authorized Training Sessions,

viii. you will only deliver a maximum of 10 hours of training per week for each Authorized TrainingSession that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resourcesfor the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft



User attending the Authorized Training Session and only immediately prior to thecommencement of the Authorized Training Session that is the subject matter of the MicrosoftInstructor-Led Courseware provided, or

2. provide one (1) End User attending the Authorized Training Session with the unique redemptioncode and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer with the unique redemption code and instructions on how theycan access one (1) Trainer Content,


license to the Licensed Content,iv. you will ensure that each End User attending an Authorized Training Session has their own valid

licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the AuthorizedTraining Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-LedCourseware will be presented with a copy of this agreement and each End User will agree that theiruse of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior toproviding them with the Microsoft Instructor-Led Courseware. Each individual will be required todenote their acceptance of this agreement in a manner that is enforceable under local law prior totheir accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own validlicensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that isthe subject of the Microsoft Instructor-Led Courseware being taught for your Authorized TrainingSessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that isthe subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, andx. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft



User attending the Private Training Session, and only immediately prior to the commencementof the Private Training Session that is the subject matter of the Microsoft Instructor-LedCourseware being provided, or

2. provide one (1) End User who is attending the Private Training Session with the uniqueredemption code and instructions on how they can access one (1) digital version of theMicrosoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer who is teaching the Private Training Session with the uniqueredemption code and instructions on how they can access one (1) Trainer Content,


license to the Licensed Content,iv. you will ensure that each End User attending an Private Training Session has their own valid licensed

copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led

Courseware will be presented with a copy of this agreement and each End User will agree that theiruse of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior toproviding them with the Microsoft Instructor-Led Courseware. Each individual will be required todenote their acceptance of this agreement in a manner that is enforceable under local law prior totheir accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensedcopy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that isthe subject of the Microsoft Instructor-Led Courseware being taught for all your Private TrainingSessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is thesubject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, andx. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for yourpersonal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access theMicrosoft Instructor-Led Courseware online using the unique redemption code provided to you by thetraining provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up tothree (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the

form provided to you on one (1) Personal Device solely to prepare and deliver an AuthorizedTraining Session or Private Training Session, and install one (1) additional copy on another PersonalDevice as a backup copy, which may be used only to reinstall the Trainer Content. You may notinstall or use a copy of the Trainer Content on a device you do not own or control.

ii. You may customize the written portions of the Trainer Content that are logically associated withinstruction of a training session in accordance with the most recent version of the MCT agreement.If you elect to exercise the foregoing rights, you agree to comply with the following: (i)customizations may only be used for teaching Authorized Training Sessions and Private TrainingSessions, and (ii) all customizations will comply with this agreement. For clarity, any use of“customize” refers only to changing the order of slides and content, and/or not using all the slides orcontent, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may notseparate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you maynot distribute any Licensed Content or any portion thereof (including any permitted modifications) to anythird parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs orservices. These license terms will apply to your use of those third party programs or services, unless otherterms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses alsoapply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subjectmatter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to theother provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version ofthe Microsoft technology. The technology may not work the way a final version of the technology willand we may change the technology for the final version. We also may not release a final version.Licensed Content based on the final version of the technology may not contain the same information asthe Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide youwith any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly orthrough its third party designee, you give to Microsoft without charge, the right to use, share andcommercialize your feedback in any way and for any purpose. You also give to third parties, withoutcharge, any patent rights needed for their products, technologies and services to use or interface withany specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. Youwill not give feedback that is subject to a license that requires Microsoft to license its software,technologies, or products to third parties because we include your feedback in them. These rightssurvive this agreement.

c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft LearningCompetency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content onthe Pre-release technology upon (i) the date which Microsoft informs you is the end date for using theLicensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of thetechnology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copiesof the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you somerights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you morerights despite this limitation, you may use the Licensed Content only as expressly permitted in thisagreement. In doing so, you must comply with any technical limitations in the Licensed Content that onlyallows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:• access or allow any individual to access the Licensed Content if they have not acquired a valid license

for the Licensed Content,• alter, remove or obscure any copyright or other protective notices (including watermarks), branding

or identifications contained in the Licensed Content,• modify or create a derivative work of any Licensed Content,• publicly display, or make the Licensed Content available for others to access or use,• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or

distribute the Licensed Content to any third party,• work around any technical limitations in the Licensed Content, or• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the

Licensed Content except and only to the extent that applicable law expressly permits, despite thislimitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted toyou in this agreement. The Licensed Content is protected by copyright and other intellectual property lawsand treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in theLicensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.You must comply with all domestic and international export laws and regulations that apply to the LicensedContent. These laws include restrictions on destinations, end users and end use. For additional information,see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you failto comply with the terms and conditions of this agreement. Upon termination of this agreement for anyreason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content inyour possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the LicensedContent. The third party sites are not under the control of Microsoft, and Microsoft is not responsible forthe contents of any third party sites, any links contained in third party sites, or any changes or updates tothird party sites. Microsoft is not responsible for webcasting or any other form of transmission receivedfrom any third party sites. Microsoft is providing these links to third party sites to you only as aconvenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third partysite.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates andsupplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.a. United States. If you acquired the Licensed Content in the United States, Washington state law governs

the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of lawsprinciples. The laws of the state where you live govern all other claims, including claims under stateconsumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of thatcountry apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the lawsof your country. You may also have rights with respect to the party from whom you acquired the LicensedContent. This agreement does not change your rights under the laws of your country if the laws of yourcountry do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "ASAVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVEAFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAYHAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENTCANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT ANDITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROMMICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UPTO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies too anything related to the Licensed Content, services, content (including code) on third party Internet

sites or third-party programs; ando claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,

or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. Theabove limitation or exclusion may not apply to you because your country may not allow the exclusion orlimitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in thisagreement are provided below in French.

Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clausesdans ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Touteutilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantieexpresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection duesconsommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garantiesimplicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LESDOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommagesdirects uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autresdommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.Cette limitation concerne:

• tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code)figurant sur des sites Internet tiers ou dans des programmes tiers; et.

• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilitéstricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.

Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Sivotre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoiresou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votreégard.

EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droitsprévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votrepays si celles-ci ne le permettent pas.

Revised June 2012

20410A: Installing and Configuring Windows Server® 2012 xi

xii 20410A: Installing and Configuring Windows Server® 2012

Acknowledgments Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Stan Reimer - Content Developer and Lead Subject Matter Expert Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory® Domain Services (AD DS) and Microsoft Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press®. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12 years.

Damir Dizdarevic - Content Developer and Subject Matter Expert Damir Dizdarevic, an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and Microsoft Certified IT Professional (MCITP), is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server®, Exchange Server, security and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft® Official Curriculum (MOC) courses, and has published more than 400 articles in various Information Technology (IT) magazines, such as Windows ITPro and INFO Magazine. Damir is also a frequent and highly rated speaker on most of Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable Professional (MVP) for Windows Server Infrastructure Management.

Gary Dunlop - Subject Matter Expert Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. He has authored a number of Microsoft Learning titles, and has been an MCT since 1997.

Siegfried Jagott - Content Developer Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at Atos Germany. He is an award winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press) and has authored and technically reviewed several MOC courses on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 SP1. Siegfried has coauthored various other Windows® operating system, System Center Virtual Machine Manager (SC VMM) and Exchange books, and is a frequent presenter on these topics at international conferences such as the IT & Dev Connections conference, held in spring 2012, in Las Vegas. Siegfried has planned, designed, and implemented some of the world’s largest Windows and Exchange Server infrastructures for international customers. He received an MBA from Open University in England, and is an MCSE since 1997.

Jason Kellington - Subject Matter Expert Jason Kellington (MCT, MCITP, and MCSE) is a consultant, trainer, and author. He has experience working with a wide range of Microsoft technologies, and focuses on enterprise network infrastructure. Jason works in several capacities with Microsoft. He is a content developer for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.

20410A: Installing and Configuring Windows Server® 2012 xiii

Vladimir Meloski - Content Developer Vladimir is a MCT, an MVP on Exchange Server, and consultant, providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync® Server, and Microsoft System Center. Vladimir has devoted 16 years of professional experience in information technology. Vladimir has been involved in Microsoft conferences in Europe and in the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has been also involved as a subject matter expert and technical reviewer for several MOC courses.

Nick Portlock - Subject Matter Expert Nick has been an MCT for 15 years. He is a self-employed IT trainer, consultant, and author. Last year, Nick taught in over 20 countries. He specializes in AD DS, Group Policy, and Domain Name System (DNS), and has consulted with a variety of companies over the last decade. He has reviewed more than 100 Microsoft courses. Nick is a member of the Windows 7 Springboard Series Technical Expert Panel (STEP) program.

Brian Svidergol - Technical Reviewer Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions based around Windows operating systems, AD DS, Exchange Server, System Center, virtualization, and Microsoft Desktop Optimization Package (MDOP). He holds the MCT, MCITP (Enterprise Administrator (EA)), MCITP (Virtualization Administrator (VA)), MCITP (Exchange 2010), and several other Microsoft and industry certifications. Brian authored Microsoft Official Curriculum (MOC) course 6426C: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory. He has also worked for several years on Microsoft certification exam development and related training content.

Orin Thomas - Subject Matter Expert Orin Thomas is an MVP, an MCT, and has a variety of MCSE and MCITP certifications. He has written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. He has been working in IT since the early 1990's. He regularly speaks at events such as TechED in Australia, and around the world on Windows Server, Windows Client, System Center, and security topics. Orin founded and runs the Melbourne System Center Users Group.

Byron Wright - Content Developer and Subject Matter Expert Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems implementation, and technical training. Byron is also a sessional instructor for the Asper School of Business at the University of Manitoba, teaching management information systems and networking. Byron has authored and co-authored a number of books on Windows Server operating systems, Windows Vista, and Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.

xiv 20410A: Installing and Configuring Windows Server® 2012

Contents

Module 1: Deploying and Managing Windows Server 2012

Lesson 1: Windows Server 2012 Overview 1-2 Lesson 2: Overview of Windows Server 2012 Management 1-14 Lesson 3: Installing Windows Server 2012 1-19 Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24 Lesson 5: Introduction to Windows PowerShell 1-32 Lab: Deploying and Managing Windows Server 2012 1-37

Module 2: Introduction to Active Directory Domain Services Lesson 1: Overview of AD DS 2-2 Lesson 2: Overview of Domain Controllers 2-8 Lesson 3: Installing a Domain Controller 2-13 Lab: Installing Domain Controllers 2-18

Module 3: Managing Active Directory Domain Services Objects Lesson 1: Managing User Accounts 3-3 Lesson 2: Managing Group Accounts 3-15 Lesson 3: Managing Computer Accounts 3-22 Lesson 4: Delegating Administration 3-27 Lab: Managing Active Directory Domain Services Objects 3-30

Module 4: Automating Active Directory Domain Services Administration Lesson 1: Using Command-line Tools for Administration 4-2 Lesson 2: Using Windows PowerShell for Administration 4-7 Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13 Lab: Automating AD DS Administration by Using Windows PowerShell 4-20

Module 5: Implementing IPv4 Lesson 1: Overview of TCP/IP 5-2 Lesson 2: Understanding IPv4 Addressing 5-6 Lesson 3: Subnetting and Supernetting 5-11 Lesson 4: Configuring and Troubleshooting IPv4 5-16 Lab: Implementing IPv4 5-23

20410A: Installing and Configuring Windows Server® 2012 xv

Module 6: Implementing DHCP Lesson 1: Installing a DHCP Server Role 6-2 Lesson 2: Configuring DHCP Scopes 6-7 Lesson 3: Managing a DHCP Database 6-12 Lesson 4: Securing and Monitoring DHCP 6-16 Lab: Implementing DHCP 6-21

Module 7: Implementing DNS Lesson 1: Name Resolution for Windows Clients and Servers 7-2 Lesson 2: Installing and Managing a DNS Server 7-10 Lesson 3: Managing DNS Zones 7-16 Lab: Implementing DNS 7-20

Module 8: Implementing IPv6

Lesson 1: Overview of IPv6 8-2 Lesson 2: IPv6 Addressing 8-8 Lesson 3: Coexistence with IPv6 8-13 Lesson 4: IPv6 Transition Technologies 8-17 Lab: Implementing IPv6 8-22

Module 9: Implementing Local Storage

Lesson 1: Overview of Storage 9-2 Lesson 2: Managing Disks and Volumes 9-11 Lesson 3: Implementing Storage Spaces 9-20 Lab: Implementing Local Storage 9-25

Module 10: Implementing File and Print Services

Lesson 1: Securing Files and Folders 10-2 Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15 Lesson 3: Configuring Network Printing 10-18 Lab: Implementing File and Print Services 10-23

Module 11: Implementing Group Policy

Lesson 1: Overview of Group Policy 11-2 Lesson 2: Group Policy Processing 11-10 Lesson 3: Implementing a Central Store for Administrative Templates 11-15 Lab: Implementing Group Policy 11-19

xvi 20410A: Installing and Configuring Windows Server® 2012

Module 12: Securing Windows Servers Using Group Policy Objects

Lesson 1: Windows Security Overview 12-2 Lesson 2: Configuring Security Settings 12-6 Lab A: Increasing Security for Server Resources 12-15 Lesson 3: Restricting Software 12-21 Lesson 4: Configuring Windows Firewall with Advanced Security 12-25 Lab B: Configuring AppLocker and Windows Firewall 12-29

Module 13: Implementing Server Virtualization with Hyper-V

Lesson 1: Overview of Virtualization Technologies 13-2 Lesson 2: Implementing Hyper-V 13-8 Lesson 3: Managing Virtual Machine Storage 13-15 Lesson 4: Managing Virtual Networks 13-22 Lab: Implementing Server Virtualization with Hyper-V 13-27

Lab Answer Keys Module 1 Lab: Deploying and Managing Windows Server 2012 L1-1 Module 2 Lab: Installing Domain Controllers L2-9 Module 3 Lab: Managing Active Directory Domain Services Objects L3-13 Module 4 Lab: Automating AD DS Administration by Using Windows PowerShell L4-21 Module 5 Lab: Implementing IPv4 L5-25 Module 6 Lab: Implementing DHCP L6-29 Module 7 Lab: Implementing DNS L7-35 Module 8 Lab: Implementing IPv6 L8-41 Module 9 Lab: Implementing Local Storage L9-45 Module 10 Lab: Implementing File and Print Services L10-49 Module 11 Lab: Implementing Group Policy L11-55 Module 12 Lab A: Increasing Security for Server Resources L12-59 Module 12 Lab B: Configuring AppLocker and Windows Firewall L12-65 Module 13 Lab: Implementing Server Virtualization with Hyper-V L13-71

About This Course xvii

About This Course This section provides you with a brief description of the course—20410A: Installing and Configuring Windows Server® 2012— audience, suggested prerequisites, and course objectives.

Course Description Note: This first release (A) Microsoft® Official Curriculum (MOC) version of course 20410A has been developed on prerelease software (Windows® 8 Release Preview and Windows Server® 2012 Release Candidate (RC)). Microsoft Learning will release a B version of this course after the release to manufacturing (RTM) version of the software is available.

This course is part one of a series of three courses, which provide the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment.

The three courses in total will collectively cover implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.

While there is some cross-over in skillset and tasks across the courses, this course will primarily cover the initial implementation and configuration of those core services, such as Active Directory® Domain Services (AD DS), networking services, and initial Hyper-V® configuration.

Audience This course is intended for Information Technology (IT) Professionals who have good Windows operating system knowledge and experience, and want to acquire the skills and knowledge necessary to implement the core infrastructure services in an existing Windows Server 2012 environment.

The secondary audience consists of those seeking certification in the 70-410, Installing and Configuring Windows Server 2012 exam.

Student Prerequisites This course requires that you meet the following prerequisites:

• A good understanding of networking fundamentals

• An understanding and experience configuring security and administration tasks in an enterprise environment

• Experience supporting or configuring Windows operating system clients

• Good hands-on Windows client operating system experience with Windows Vista®, Windows 7, or Windows 8.

Students would also benefit from having some previous Windows Server operating system experience.

Course Objectives After completing this course, students will be able to:

• Install and Configure Windows Server 2012.

• Describe AD DS.

• Manage AD DS objects.

• Automate AD DS administration.

xviii About This Course

• Implement TCP/IPv4.

• Implement Dynamic Host Configuration Protocol (DHCP).

• Implement Domain Name System (DNS).

• Implement IPv6.

• Implement local storage.

• Share files and printers.

• Implement Group Policy.

• Use Group Policy Objects to secure Windows Servers.

• Implement server virtualization using Hyper-V.

Course Outline This section provides an outline of the course:

Module 1, Deploying and Managing Windows Server 2012

Module 2, Introduction to Active Directory Domain Services

Module 3, Managing Active Directory Domain Services Objects

Module 4, Automating Active Directory Domain Services Administration

Module 5, Implementing IPv4

Module 6, Implementing DHCP

Module 7, Implementing DNS

Module 8, Implementing IPv6

Module 9, Implementing Local Storage

Module 10, Implementing File and Print Services

Module 11, Implementing Group Policy

Module 12, Securing Windows Servers Using Group Policy Objects

Module 13, Implementing Server Virtualization with Hyper-V

Exam/Course Mapping This course, 20410A: Installing and Confiruging Windows Server® 2012 , has a direct mapping of its content to the objective domain for the Microsoft exam 70-410: Installing and Configuring Windows Server 2012.

The table below is provided as a study aid that will assist you in preparation for taking this exam and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

About This Course xix

Note The exam objectives are available online at the following URL http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab2.

Exam Objective Domain: Exam 70-410: Installing and Configuring Windows Server 2012 Course Content

Install and Configure Servers Module Lesson Lab

Install servers.

This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server

Mod 1 Lesson 1 Mod 1 Ex 1

Configure servers.

This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming

Mod 1 Lesson 1/2 Mod 1 Ex 1/2/3


Configure local storage.

This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools

Mod 9 Lesson 2/3 Mod 9 Ex 3/4

Configure Server Roles and Features

Configure file and share access.

This objective may include but is not limited to: Create and configure shares; configure share permissions; configure offline files; configure NTFS permissions; configure access-based enumeration (ABE); configure Volume Shadow Copy Service (VSS); configure NTFS quotas


Configure print and document services.

This objective may include but is not limited to: Configure the Easy Print print driver; configure Enterprise Print Management; configure drivers; configure printer pooling; configure print priorities; configure printer permissions


Configure servers for remote management.

This objective may include but is not limited to: Configure WinRM; configure down-level server management; configure servers for day-to-day management tasks; configure multi-server management; configure Server Core; configure Windows Firewall

Mod 1 Lesson 1/2/4


xx About This Course


Configure Hyper-V Create and configure virtual machine settings.

This objective may include but is not limited to: Configure dynamic memory; configure smart paging; configure Resource Metering; configure guest integration services


Create and configure virtual machine storage.

This objective may include but is not limited to: Create VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre Channel adapter

Mod 9 Lesson 1


Create and configure virtual networks.

This objective may include but is not limited to: Implement Hyper-V Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC addresses; configure network isolation; configure synthetic and legacy virtual network adapters


Deploy and Configure Core Network Services

Configure IPv4 and IPv6 addressing.

This objective may include but is not limited to: Configure IP address options; configure subnetting; configure supernetting; configure interoperability between IPv4 and IPv6; configure ISATAP; configure Teredo

Mod 1 Lesson 4 Mod 1 Ex 1/2

Mod 5 Lesson 2/3/4 Mod 5 Ex 1/2 Mod 8 Lesson 3/4 Mod 8 Ex 2

Deploy and configure Dynamic Host Configuration Protocol (DHCP) service.

This objective may include but is not limited to: Create and configure scopes; configure a DHCP reservation; configure DHCP options; configure client and server for PXE boot; configure DHCP relay agent; authorize DHCP server

Mod 6 Lesson 1/2/3/4 Mod 6 Ex 1/2

Deploy and configure DNS service.

This objective may include but is not limited to: Configure Active Directory integration of primary zones; configure forwarders; configure Root Hints; manage DNS cache; create A and PTR resource records

Mod 7 Lesson 1/2/3 Mod 7 Ex 1/2/3

About This Course xxi


Install and Administer Active Directory

Install domain controllers.

This objective may include but is not limited to: Add or remove a domain controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV record registration issues; configure a global catalog server

Mod 2 Lesson 3 Mod 2 Ex 1/2

Create and manage Active Directory users and computers.

This objective may include but is not limited to: Automate the creation of Active Directory accounts; create, copy, configure, and delete users and computers; configure templates; perform bulk Active Directory operations; configure user rights; offline domain join; manage inactive and disabled accounts

Mod 1 Lesson 4

Mod 3 Lesson 1 Mod 3 Ex 2 Mod 4 Lesson 1/2/3 Mod 4 Ex 1/2/3

Create and manage Active Directory groups and organizational units (OUs).

This objective may include but is not limited to: Configure group nesting; convert groups including security, distribution, universal, domain local, and domain global; manage group membership using Group Policy; enumerate group membership; delegate the creation and management of Active Directory objects; manage default Active Directory containers; create, copy, configure, and delete groups and OUs

Mod 3 Lesson 2/4 Mod 3 Ex 1/2/3


Create and Manage Group Policy

Create Group Policy objects (GPOs).

This objective may include but is not limited to: Configure a Central Store; manage starter GPOs; configure GPO links; configure multiple local group policies; configure security filtering

Mod 11 Lesson 1/2/3 Mod 11 Ex 1/2

Configure security policies.

his objective may include but is not limited to: Configure User Rights Assignment; configure Security Options settings; configure Security templates; configure Audit Policy; configure Local Users and Groups; configure User Account Control (UAC)

Mod 12 Lesson 2 Mod 12 Lab A Ex 1/2/3

xxii About This Course


Create and Manage Group Policy Configure application restriction policies.

This objective may include but is not limited to: Configure rule enforcement; configure Applocker rules; configure Software Restriction Policies

Mod 12 Lesson 3 Mod 12 Lab B Ex 1

Configure Windows Firewall.

This objective may include but is not limited to: Configure rules for multiple profiles using Group Policy; configure connection security rules; configure Windows Firewall to allow or deny applications, scopes, ports, and users; configure authenticated firewall exceptions; import and export settings

Mod 12 Lesson 4 Mod 12 Lab B Ex 2

Important Attending this course in itself will not successfully prepare you to pass any associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:

• Minimum of one years real world, hands-on experience Installing and configuring a Windows Server Infrastructure

• Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to change at any time and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.

About This Course xxiii

Course Materials The following materials are included with your kit:

• Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.

• Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.

• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.

Student Course files on the http://www.microsoft.com/learning/companionmoc Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

• Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].

Virtual Machine Environment This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration In this course, you will use Microsoft® Hyper-V to perform the labs.

xxiv About This Course

Important At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:

1. On the virtual machine, on the Action menu, click Close.

2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course.

Virtual machine Role

20410A-LON-DC1 A domain controller running Windows Server 2012 in the Adatum.com domain.

20410A-LON-SVR1 A member server running Windows Server 2012 in the Adatum.com domain.

20410A-LON-SVR2 A member server running Windows Server 2012 in the Adatum.com domain. This server will be located on a second subnet.

20410A-LON-SVR3 A blank virtual machine on which students will install Windows Server 2012.

20410A-LON-SVR4 A stand-alone server running Windows Server 2012 that will be used for joining domains and initial configuration.

20410A-LON-HOST1 A bootable VHD for running Windows Server 2012 as the host for Hyper-V.

20410A-LON-CORE A standalone server running Windows Server 2012 Server Core.

20410A-LON-RTR A router that is used for network activities that require a separate subnet.

20410A-LON-CL1 A client computer running Windows 8 and Microsoft Office 2010 Service Pack 1 (SP1) in the Adatum.com domain.

20410A-LON-CL2 A client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain that is located in a second subnet.

Software Configuration The following software is installed on each virtual machine:

• Microsoft Network Monitor 3.4 is installed on LON-SVR2.

Course Files There are lab files associated with the labs in this course. The lab files are located in the folder E:\Labfiles\LabXX on NYC-DC1.

About This Course xxv

Classroom Setup Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught.

• Hardware level 6 with 8 gigabytes (GB) of random access memory (RAM)

1-1

Module 1 Deploying and Managing Windows Server 2012

Contents: Module Overview 1-1

Lesson 1: Windows Server 2012 Overview 1-2

Lesson 2: Overview of Windows Server 2012 Management 1-14

Lesson 3: Installing Windows Server 2012 1-19

Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24

Lesson 5: Introduction to Windows PowerShell 1-32

Lab: Deploying and Managing Windows Server 2012 1-37

Module Review and Takeaways 1-45

Module Overview

Understanding the capabilities of a new server operating system enables you to leverage that operating system effectively. If you do not understand the capabilities of your new operating system, you may end up using it like you used the previous operating system, and you may forego the advantages of the new system. By understanding how to utilize your new Windows Server® 2012 operating system fully, and by understanding the tools that are available to manage that functionality you will provide your organization with more value.

This module introduces the new Windows Server 2012 administrative interface. In this module, you will learn about the different roles and features that are available with the Windows Server 2012 operating system. You will also learn about the different installation options from which you can choose when deploying Windows Server 2012.

This module discusses the configuration steps that you can perform both during installation and after deployment to ensure that the servers can begin functioning in its assigned role. You will also learn how to use Windows PowerShell® to perform common administrative tasks in Windows Server 2012.

Objectives

After completing this module, you will be able to:

• Describe Windows Server 2012.

• Describe the management tools available in Windows Server 2012.

• Install Windows Server 2012.

• Perform post-installation configuration of Windows Server 2012.

• Perform basic administrative tasks using Windows PowerShell.

1-2 Deploying

Lesson Windo

Befoeditconsuit201cost

Thisandand

Les

Afte

•

•

•

•

•

•

On

As aabohowpubheacoureadworyoueveto leloca

TheLocaprov

•

and Managing Wind

1 ows Serv

ore deploying tions might befiguration is aable than a ph2 in an efficienting your orga

s lesson provid features. Usin installation o

sson Objecti

er completing

Describe the

Explain the d

List the differ

Describe the installation of

Explain the fu2012.

Explain the p

n Premises

an IT professioout cloud compw software andblic or private crt of the futureld also have hdy for the clourked with localr career, it worything is movearn about deally?”

reality is, not ally-deployed vide the follow

InfrastructureSystem (DNS)to connect anto connect ei

ows Server 2012

ver 201Windows Serv

enefit your orgppropriate for

hysical deploymnt manner. If yanization time

des an overviewng this informaptions are righ

ives

this lesson, yo

place of a loca

ifference betw

ent editions o

difference betf Windows Ser

unction of the

urpose of vario

Servers

onal, you probaputing. You md services are bcloud becausee of enterpriseeard that Wind

ud. As an IT proly deployed seuld be reasona

ving to the cloploying Windo

every service aservers form t

wing resources

e services. Serv) and Dynamicnd communicather to each o

2 Overvver 2012, you anization’s ser

r Windows Servment, and whiyou do not havand money by

w of the variouation, you will ht for your org

ou will be able

ally deployed s

ween the privat

f Windows Ser

tween a Serverrver 2012.

server roles th

ous Windows

ably have hearight have hear

being moved te the cloud is ae computing. Ydows Server 2ofessional whoervers for mosable to ask, “Ifud, why do I nows Server 201

and applicatiothe backbone s to clients:

vers provide clic Host Configuate with other other or to rem

view need to underrvers. You alsover 2012, whech installationve an understay making a cho

us Windows Sebe able to det

ganization.

to:

server on a mo

te and public c

rver 2012.

r Core installat

hat are availab

Server 2012 fe

rd rd to a at the You 012 is

o has t of

f need 12

on used on a dof an organiza

ients with infrauration Protocoresources. Wit

mote resources

rstand how eao need to knowether a virtual d source allowsanding of thesoice that you m

erver 2012 editermine which

odern network

clouds.

tion of Window

le on compute

eatures.

aily basis shouational networ

astructure resool (DHCP) servthout these ses, including res

ch of the Windw whether a padeployment ms you to deplose issues, you cmust later cor

itions, installath Windows Serv

k.

ws Server 2012

ers running W

uld be hosted rk. Locally-dep

ources, includivices. These seervices, clients wsources hosted

dows Server 20articular hardw

might be more y Windows Secould end up rect.

tion options, rover 2012 editio

2 and tradition

Windows Server

in the cloud. ployed servers

ng Domain Narvices allow clwould not be

d in the cloud.

012 ware

erver

oles, on

nal

r

ame ients able

20410A: Installing and Configuring Windows Server® 2012 1-3

• Shared files and printers. Servers provide a centralized location that allows users to store and share documents. Servers also host resources such as shared printers that allow groups of users to leverage resources more efficiently. Without these centralized locally deployed resources, sharing files and backing up files centrally would be a more complex and time-intensive process. While it might be possible to host some of this information in the cloud, it doesn’t always make sense to send a job to a printer that is in the next room through a server hosted at a remote location.

• Hosted applications. Servers host applications such as Microsoft® Exchange Server, Microsoft SQL Server®, Microsoft Dynamics®, and Microsoft System Center. Clients access these applications to accomplish different tasks, such as accessing e-mail or self-service deployment of desktop applications. In some cases, these resources can be deployed to the cloud. In many cases these resources must be hosted locally for performance, cost, and regulatory reasons. The choice on whether to host these resources locally or in the cloud depends on the specifics of the individual organization.

• Network access. Servers provide authentication and authorization resources to clients on the network. By authenticating against a server, a user and client can prove their identity. Even when many of an organization’s servers are located in the cloud, people still need to have some form of local authentication and authorization infrastructure.

• Application, Update, and Operating System deployment. Servers are often deployed locally to assist with the deployment of applications, updates, and operating systems to clients on the organizational network. Because of intensive bandwidth utilization, these servers must be in proximity to the clients to which they are providing this service.

Each organization will have its own requirements. An organization in an area that has limited Internet connectivity is going to rely more on servers on the premises than an organization that has access to high-speed broadband. It is important that, even in a case of Internet connectivity issues, work in an organization can continue. Productivity will be negatively affected if the failure of the organization’s Internet connection suddenly means that no one is able to access their shared files and printers.

While Windows Server 2012 is promoted as being ready for the cloud, remember that, for all the cloud-ready features the product has, the operating system is still eminently suited to the traditional workhorse tasks that server operating systems have performed for at least the last two decades. If you have been working as an IT professional for some time, it is likely that you will configure and deploy Windows Server 2012 to perform the same or similar workloads that you configured for servers running Windows Server 2003 and maybe even for Windows NT 4.

Question: What is the difference between a server and a client operating system?

Question: How has the role of the server evolved over time from the Microsoft Windows NT 4.0 Server operating system to Windows Server 2012?

1-4 Deploying

Wh

Clouenc

The

•

•

•

PubA pupubpubbec

In cmaythe

Priv201appto ustorconman

and Managing Wind

hat Is Clou

ud computing ompasses seve

most commo

Infrastructureform of cloudvirtual machinhosting proviplatform, andthat runs on tinfrastructurean example oServer 2012 acloud, but in

Platform as aplatform. For and the cloudService.

Software as ainfrastructurecloud hosting

blic and Privublic cloud is a

blic use. A pubblic cloud secuause costs are

ontrast, privaty be hosted bycloud services

vate clouds are2 managemen

plications. For euse a self-servicrage componefigured in sucnual deployme

Question: WWindows Serv

ows Server 2012

ud Comput

is a general deeral different t

n forms of clo

e as a Service (Id computing, yne in the cloudder manages t

d you manage the cloud prove. Windows Azof IaaS. You caas a virtual masome cases th

Service (PaaS)example, a pr

d hosting prov

a Service (Saas)e that supportsg provider. Win

vate Cloudsa cloud servicelic cloud may rity is not as stabsorbed by

te clouds are cly the organizats are not share

e more than simnt suite, which example, in ance portal to re

ents. Windows h a way that thent of virtual m

hich type of clver 2012?

ting?

escription thatechnologies.

oud computing

(IaaS). With thiyou can run a d. The cloud the hypervisorthe virtual ma

vider’s ure™ Computn run Windowchine in an Iaa

he operating sy

). With PaaS, trovider may alvider hosts the

). The cloud hos that applicatindows InTune™

s that is hostedhost a single ttrong as privatmultiple tenan

oud infrastruction itself, or m

ed with any oth

mply large scamakes it poss

n organization equest multi-tieServer 2012 ahis service req

machines and d

loud would yo

t

g are:

s full

r achine

e is ws aS ystem will host

he cloud hostilow you to ho database serv

osting provideion. You purch™ and Microso

d by a cloud seenant, or hostte cloud securnts.

cture that is demay be hostedher organizatio

le hypervisor dsible to providethat has its ower applicationsnd the compouest can be prdatabase serve

ou use to deplo

t the virtual m

ing provider pst databases. Yver. SQL Azure

er hosts your ahase and run aoft Office 365

ervices providet tenants from ity, but public

edicated to a sd by a cloud seon.

deployments; e self-service dwn private clous including we

onents of the Srocessed automer software.

oy a custom vi

achines in an

provisions you You manage te™ is an examp

pplication anda software appare examples

er, and is mademultiple orgacloud hosting

single organizaervices provide

they can use tdelivery of servud, it would beeb-server, dataSystem Center matically, with

irtual machine

IaaS cloud.

with a particuhe database itple of Platform

d all of the plication from a

of SaaS.

e available for anizations. As sg typically cost

ation. Private cer who ensures

the System Cevices and e possible for abase-server, a

2012 suite arehout requiring

e running

ular tself,

m as a

a

such, ts less

clouds s that

nter

users and e the

O

ThSealSeth

Wsyse

Thed

Options for

here are severaerver 2012 frolow organizaterver 2012 thahan pay for fea

When deployingystems adminielecting the ap

he following taditions.

Edition

Windows ServStandard edit

Windows ServDatacenter ed

Windows ServFoundation e

Windows ServEssentials

Microsoft HypServer 2012

Windows StoServer 2012 Workgroup

Windows StoServer 2012 S

Windows MuServer 2012 S

r Windows

al different edm which to chions to select a

at best meets tatures that the

g a server for astrators can sa

ppropriate edit

able lists the W

D

ver 2012 tion

ver 2012 dition

ver 2012 dition j

ver 2012

per-V

rage

rage Standard

ltiPoint Standard

s Server 20

itions of Windhoose. These eda version of Wtheir needs, ratey do not requ

a specific role,ave substantialtion.

Windows Serve

Description

Provides all roplatform. SuppIncludes two v

Provides all ro2012 platformmachines run processor core

Aimed at smajoined to a doprocessor core

Next edition ocannot functioDesktop Servitwo processor

Stand-alone Hcost (free) for 64 sockets andWindows Serv

Entry-level uncore, 32 GB of

Supports 64 soSupports 4 TBdomain join. Sdoes not supp(AD DS), ActivFederation Se

Supports multseparate mouRAM, and a mand DHCP Serand AD FS. Do

012

dows ditions

Windows ther ire.

, ly by

er 2012

oles and featurports up to 64virtual machine

oles and featurm. Includes unli

on the same hes, and up to 4

ll business owomain, and ince and up to 32

of Small Busineon as a Hyper-ces server. It hr cores and 64

Hyper-V platfohost OS, but vd 4 TB of RAMver 2012 roles

ified storage af RAM. Suppor

ockets, but is lB of RAM. IncluSupports someport others incve Directory Cervices (AD FS).

tiple users accese, keyboard, a

maximum of 12rver roles, but oes not suppor

20410A: Instal

res available o4 sockets and ue licenses.

res that are avaimited virtual hardware. Sup4 TB of RAM.

ners, this editiludes limited s2 GB of RAM.

ess Server. Mu-V®, Failover Chas limits for 2

GB of RAM.

orm for virtual virtual machin

M. Supports doother than lim

appliance. Limrts domain join

licensed on a tudes two virtuae roles includincluding Active ertificate Servic.

essing the samand monitors.

2 sessions. Supdoes not supprt domain join

lling and Configuring

n the Windowup to 4 terabyt

ailable on the machine licenports 64 socke

on allows onlyserver roles. Su

st be root servClustering, Serv5 users and 50

machines withes are licensedmain join. Doe

mited file servic

ited to 50 usen.

two-socket incal machine liceng DNS and DDirectory® Doces (AD CS), an

me host compu Limited to on

pports some roport others incn.

g Windows Server®

ws Server 2012 tes (TB) of RAM

Windows Servses for virtual ets, up to 640

y 15 users, canupports one

ver in domain.ver Core, or Re0 devices. Supp

h no UI. No licd normally. Sues not supportces features.

rs, one proces

crementing baenses. SupportHCP Server ro

omain Servicesnd Active Dire

uter directly usne socket, 32 Goles including Dcluding AD DS

2012 1-5

M.

ver

nnot be

It emote ports

ensing pports t other

sor

sis. ts

oles, but

ectory

sing GB of DNS , AD CS,

1-6 Deploying

Ed

WSe

see

Wh

ServWinWinthan201comoptServinst201ovedep

•

•

IncrinstServ

The

•

•

and Managing Wind

dition

Windows MultiPerver 2012 Pre

Note: For mothe Windows

hat Is Serv

ver Core is a mndows Server 2ndows PowerShn by using GU2 Server Core

mponents and ions than the fver 2012. Serveallation option2. Server Corer a traditional

ployment:

Reduced updrequires you tadministrator

Reduced hardvirtualized, th

reasing numbealled operatinver Core–insta

re are two way

Server Core. TWindows Servinstallation so

Server Core wdeployment ocomponents and Windowsneeding to sp

ows Server 2012

De

Point emium

SuseRAanan

ore informationServer Catalog

ver Core?

minimal installa2012 that you hell or a commI-based tools. installation ofadministrativefull installationer Core installan when installie has the follow

Windows Serv

date requiremeto install fewer to service Ser

dware footprinhis means that

ers of Microsofg systems. Forlled version of

ys of installing

The standard dver 2012 with ource with all s

with Managemof Windows Seare not installes Server 2012 wpecify an insta

escription

upports multipparate mouse,

AM, and a maxnd DHCP Servend AD FS. Supp

n about the difg at http://ww

ation option fomanage from

mand line ratheA Windows Se

ffers fewer e managementn of Windows ation is the deng Windows Swing advantagver 2012

ents. Because Sr software updrver Core.

nt. Server Coreyou can deplo

ft server applicr example, youf Windows Serv

g Windows Ser

deployment ofthe graphical server files, suc

ment. Also knowerver 2012 wited nor removewith a graphicllation source.

ple users access, keyboard, anximum of 22 seer roles, but doports domain j

fferences betwww.windowsser

or

er erver

t

fault Server ges

Server Core insdates. This red

e computers reoy more serve

cations are desu can install SQver 2008 R2.

rver 2012 in a S

f Server Core. administrationch as a mounte

wn as Server Ch the graphicaed. You can cocal interface by

sing the same nd monitors. Liessions. Suppooes not suppojoin.

ween Windowsrvercatalog.com

stalls fewer couces the amou

equire less RAMrs on the same

signed to run QL Server 2012

Server Core co

It is possible ton componentsed Windows im

Core-Full Serveal component,onvert betweeny installing the

host computeimited to two orts some rolert others inclu

s Server 2012 em/svvp.aspx.

mponents, its unt of time req

M and less hare host.

on computers2 on computer

onfiguration:

o convert to ths only if you hamage file (.wim

er. This works t, except that thn Server Core

e graphical fea

er directly usinsockets, 4 TB os including DNding AD DS, A

editions,

deployment quired for an

rd disk space. W

with Server Crs running the

he full version ave access to am) image.

the same as a he graphical with Managemtures, but with

ng of NS AD CS,

When

ore–

of an

ment hout


You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:

Import-Module ServerManager Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

Installing the graphical components gives you the option of performing administrative tasks using the graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command-line tool. You will learn more about how to perform this task in Lesson 4, “Post-installation Configuration of Windows Server 2012.”

Once you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:

• Graphical Management Tools and Infrastructure

• Server Graphical Shell

Note: Be careful when removing graphical features, as some servers will have other components installed that are dependent upon those features.

When connected locally, you can use the tools that are listed in the following table to manage Server Core deployments of Windows Server 2012.

Tool Function

Cmd.exe Allows you to run traditional command-line tools such as ping.exe, ipconfig.exe, and netsh.exe.

PowerShell.exe Launches a Windows PowerShell session on the Server Core deployment. You can then perform Windows PowerShell tasks normally.

Sconfig.cmd A command-line menu-driven administrative tool that allows you to perform most common server administrative tasks.

Notepad.exe Allows you to use the Notepad.exe text editor within the Server Core environment.

Regedt32.exe Provides registry access within the Server Core environment.

Msinfo32.exe Allows you to view system information about the Server Core deployment.

Taskmgr.exe Launches the Task Manager.

Note: If you accidentally close the command window on a computer that is running Server Core, you can recover the command window by performing the following steps: 1. Press Ctrl+Alt+DEL, and then select Task Manager. 2. From the File menu, click New Task (Run…), and then type cmd.exe.

Server Core supports most—but not all—Windows Server 2012 roles and features. You cannot install the following roles on a computer running Server Core:

• AD FS

1-8 Deploying

•

•

•

Eveserv

the

Theconto pServYouby r

Net

Wi

To pWinorgaawaopeshipof Wenhpart201manServ

Win

Ro

A(A

A

A

ASe

and Managing Wind

Application S

Network Polic

Windows Dep

n if a role is avvice that is asso

Note: You caquery Get-Wi

Windows Servsole than the t

perform an admver Core operau can enable rerunning the fo

sh.exe firew

indows Se

properly plan hndows Server 2anization’s req

are of what rolerating system.ps with a differWindows Serveanced and otht, the roles tha2 are familiar naged Windowver 2003.

ndows Server 2

ole

ctive DirectoryAD CS)

D DS

D FS

ctive Directoryervices (AD LD

ows Server 2012

erver

cy and Access

ployment Serv

vailable to a coociated with th

n check whichindowsFeatur

ver 2012 admitraditional meministrative taating system fremote managellowing comm

all set serv

rver 2012

how you are g2012 to suppoquirements, yoes are availabl. Each version rent set of roleer are releasedhers are depreat are availableto IT professio

ws Server 2008

2012 supports

y Certificate Se

y Lightweight DS)

Services (NPA

vices (Windows

omputer that ihat role may n

roles on Servere | where-ob

inistration paraethod of manask, you are morom one compement of a com

mand:

vice remotead

Roles

going to use rt your

ou need to be fle as part of thof Windows S

es. As new vers, some roles a

ecated. For thee in Windows Sonals that have8 and Window

the server role

ervices

Directory

AS)

s DS)

s running the not be available

er Core are avbject {$_.Insta

adigm focusesging each servore likely to mputer, than youmputer that is

dmin enable A

fully he erver

sions re most Server e s

es that are liste

Function

Allows yourelated ro

A centralizobjects, infor authen

Provides wfederation

Supports sdirectory-infrastruct

Server Core ine.

vailable and whllState -eq “R

s more on manver separately.anage multiplu are to connerunning Serve

ALL

ed in the follow

u to deploy cele services.

zed store of inncluding user antication and a

web single signn support.

storage of appaware applicature of AD DS.

nstallation opti

hich are not byRemoved”}.

naging many s. This means the computers t

ect to each comer Core throug

wing table.

ertification aut

nformation aboand computer authorization.

n-on (SSO) and

plication-specitions that do n.

ion, a specific

y running

servers from ohat when you that are runninmputer individgh sconfig.cmd

thorities and

out network accounts. Use

d secured iden

fic data for not require the

role

one want

ng the dually. d, or

ed

ntify

e full


Role Function

Active Directory Rights Management Services (AD RMS)

Allows you to apply rights management policies to prevent unauthorized access to sensitive documents.

Application Server Supports centralized management and hosting of high-performance distributed business applications, such as those built with Microsoft .NET Framework 4.5, and .NET Enterprise Services.

DHCP Server Provisions client computers on the network with temporary IP addresses.

DNS Server Provides name resolution for TCP/IP networks.

Fax Server Supports sending and receiving of faxes. Also allows you to manage fax resource on the network.

File and Storage Services Supports the management of shared folders storage, distributed file system (DFS), and network storage.

Hyper-V® Enables you to host Virtual Machines on computers that are running Windows Server 2012.

Network Policy and Access Services Authorization infrastructure for remote connections, including Health Registration Authority (HRA) for Network Access Protection (NAP).

Print and Document Services Supports centralized management of document tasks, including network scanners and networked printers.

Remote Access Supports Seamless Connectivity, Always On, and Always Managed features based on DirectAccess. Also supports Remote Access through virtual private network (VPN) and dial-up connections.

Remote Desktop Services (RDS) Supports access to virtual desktops, session-based desktops, and RemoteApp programs.

Volume Activation Services Allows you to automate and simplify the management of volume license keys and volume key activation. Allows you to manage a Key Management Service (KMS) host or configure AD DS–based activation for computers that are members of the domain.

Web Server (IIS) The Windows Server 2012 web server component.

Windows DS Allows you to deploy server operating systems to clients over the network.

Windows Server Update Services (WSUS) Provides a method of deploying updates for Microsoft products to network computers.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s configuration (such as firewall settings), to support the role. Windows Server 2012 also automatically deploys role dependencies simultaneously. For example, when you install the WSUS role, the Web Server (IIS) role components that are required to support the WSUS role are also installed automatically.

1-10 Deploying

YouServrole

Wh

Wincomsup

For as itservothe

Winare

Fe

.N

.N

Ba(B

W

Bi

W

C

D

En

Fa

G

g and Managing Win

u add and remver 2012 Servees using the In

Question: W

hat Are the

ndows Server 2mponents that port the serve

example, Wint only providesver. It is not a rer servers on t

ndows Server 2listed in the fo

eature

NET Framewor

NET Framewor

ackground IntBITS)

Windows BitLoc

itLocker netwo

Windows Branc

lient for NFS

ata Center Bri

nhanced Stora

ailover Cluster

roup Policy M

ndows Server 2012

ove roles usinger Manager costall-Window

hich roles are

e Features

2012 features aoften supportr directly.

dows Server Bs backup suppresource that che network.

2012 includes tollowing table.

k 3.5 Features

k 4.5 Features

elligent Transf

cker® Drive En

ork unlock

chCache®

dging

age

ing

anagement

g the Add Rolensole. If you a

wsFeature and

often co-locat

s of Windo

are independet role services o

Backup is a featport for the loccan be used by

the features th.

fer Service

cryption

es and Featurere using Serve

d Remove-Win

ted on the sam

ows Server

ent or

ture cal y

hat

Descriptio

Installs .NE

Installs .NEinstalled b

Allows asyother netw

Supports fstartup en

Provides aunlock locoperating

Allows theserver or aBranchCac

Provides a(NFS) serv

Allows youConverged

Provides sin Enhancdevice, inc

A high-av2012 to pa

An admin

es Wizard, whier Core, then yndowsFeature

me server?

r 2012?

on

ET Framework

ET Frameworkby default.

ynchronous trawork applicatio

full-disk and funvironment pro

a network-basecked BitLocker systems.

e server to funa BranchCacheche clients.

access to files svers.

u to enforce bd Network Ad

support for aded Storage Accluding data a

vailability featuarticipate in fa

istrative mana

ch is availableyou can also ade Windows Po

k 3.5 technolog

k 4.5 technolog

ansfer of files tons are not ad

ull-volume encotection.

ed key protectr–protected do

ction as eithere content serve

stored on netw

bandwidth allodapters.

ditional functiccess (IEEE 166access restrictio

ure that allows ailover clusteri

agement tool f

e from the Windd and removeowerShell cmd

gies.

gies. This featu

to ensure that dversely impac

cryption, and

tor that can omain-joined

r a hosted cacher for

work file system

cation on

onality availab67 protocol) ons.

Windows Servng.

for administeri

ndows e lets.

ure is

cted.

he

m

ble

ver

ing


Feature Description

Group Policy across an enterprise.

Ink and Handwriting Services Allows use of Ink Support and Handwriting Recognition.

Internet Printing Client Supports use of Internet Printing Protocol.

IP Address Management (IPAM) Server Centralized management of IP address and namespace infrastructure.

Internet SCSI (iSCSI) Target Storage Provider

Provides iSCSI target and disk management services to Windows Server 2012.

Internet Storage name Service (iSNS) Server service

Supports discovery services of iSCSI storage area networks (SANs).

Line Printer Remote (LPR) Port Monitor Allows computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD) service.

Management Open Data Protocol (OData) IIS Extension

Allows you to expose Windows PowerShell cmdlets through an OData–based web service running on the IIS platform.

Media Foundation Supports media file infrastructure.

Message Queuing Supports message delivery between applications.

Multipath input/output (I/O) Supports multiple data paths to storage devices.

Network Load Balancing (NLB Allows traffic to be distributed in a load balanced manner across multiple servers that host the same stateless application.

Peer Name Resolution Protocol (PNRP) Name resolution protocol that allows applications to resolve names on the computer.

Quality Windows Audio Video Experience Supports audio and video streaming applications on IP home networks.

Remote Access Server (RAS) Connection Manager Administration Kit

Allows you to create connection manager profiles that simplify remote access configuration deployment to client computers.

Remote Assistance Allows remote support through invitations.

Remote Differential Compression (RDC) Transfers the differences between files over a network, minimizing bandwidth utilization.

Remote Server Administration Tools Collection of consoles and tools for remotely managing roles and features on other services.

Remote Procedure Call (RPC) over HTTP Proxy

Relays RPC traffic over HTTP as an alternative to VPN connections.

Simple TCP/IP Services Supports basic TCP/IP services, including Quote of the Day.

1-12 Deploying and Managing Windows Server 2012

Feature Description

Simple Mail Transfer Protocol (SMTP) Server

Supports transfer of email messages.

Simple Network Management Protocol (SNMP) Service

Includes SNMP agents that are used with the network management services.

Subsystem for UNIX-based Applications Supports Portable Operating System Interface for UNIX (POSIX)–compliant UNIX-based applications.

Telnet Client Allows outbound connections to Telnet servers and other Transmission Control Protocol (TCP)-based services.

Telnet Server Allows clients to connect to the server using the Telnet protocol.

Trivial File Transfer Protocol (TFTP) Client Allows you to access TFTP servers.

User Interfaces and Infrastructure Contains the components necessary to support the graphical interface installation option on Windows Server 2012. On graphical installations, this feature is installed by default.

Windows Biometric Framework (WBF) Allows use of fingerprint devices for authentication.

Windows Feedback Forwarder Supports sending of feedback to Microsoft when joining a Customer Experience Improvement Program (CEIP).

Windows Identity Foundation 3.5 Set of .NET Framework classes that support implementing claims based identity on .NET applications.

Windows Internal Database Relational data store that can only be used by Windows roles and features such as WSUS.

Windows PowerShell Task-based command-line shell and scripting language used to administer computers running Windows operating systems. This feature is installed by default.

Windows PowerShell Web Access Allows remote management of computers by running Windows PowerShell sessions in a web browser.

Windows Process Activation service (WAS) Allows applications hosting WCF services that to not use HTTP protocols to use features of IIS.

Windows Search service Allows fast searches of files hosted on a server for clients compatible with the Windows Search Service.

Windows Server Backup Backup and recovery software for Windows Server 2012.

Windows Server Migration Tools Collection of Windows PowerShell cmdlets that assist in the migration of server roles, operating system settings, files, and shares from computers running previous versions of Windows Server operating systems to


Feature Description

Windows Server 2012.

Windows Standards-Based Storage Management

Set of Application Programming Interfaces (APIs) that allow the discovery, management, and monitoring of storage devices that use standards such as Storage Management Initiative Specification (SMI-S).

Windows System Resource Manager (WSRM)

Allows you to control the allocation of CPU and memory resources.

Windows TIFF IFilter Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.

WinRM IIS Extension Windows Remote Management for IIS.

Windows Internet Naming Service (WINS) Server

Supports name resolution for NetBIOS names.

Wireless local area network (LAN) Service Allows the server to use a wireless network interface.

Windows on Windows (WoW) 64 Support Supports running 32-bit applications on Server Core installations. This feature is installed by default.

XPS Viewer Supports the viewing and singing of documents in XPS formats

Features on Demand Features on Demand is a Windows Server 2012 installation option where features are not available directly on the deployed server, but can be added if you have access to a remote source, such as a mounted image of the full operating system. The advantage of a Features on Demand installation is that it requires less hard disk space than a traditional installation. The disadvantage is that you must have access to a mounted installation source if you want to add a role or feature, something that is not necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.

Question: Which feature do you need to install to support NetBIOS name resolution for client computers running a Microsoft Windows NT 4.0 workstation?

1-14 Deploying

Lesson 2Overvi

Initiprovset oadm

In thadm

Les

Afte

•

•

•

•

•

Wh

ServyouWinManandas gperfacrosam

Youperfand

•

•

•

•

BesServPracare inclissufunc

g and Managing Win

2 iew of Wially configurinvides multiple of circumstanc

ministrators to

his lesson you ministrative tas

sson Objecti

er completing

Describe Serv

Describe how

Describe how

Describe how

Describe how

hat Is Serv

ver Manager is will use to ma

ndows Server 2nager console remote serve

groups. By manform the sameoss multiple se

me role, or are

u can use the sform the follow remote serve

Add roles and

Launch Wind

View events

Perform serve

st Practice Aver Manager inctices Analyzerproblems thatuding queryines associated wctionality.

ndows Server 2012

Windowng a server cor

tools to perfoces. The Windoperform admi

will learn abosks on comput

ives

this lesson, yo

ver Manager.

w to use admin

w to use Server

w to configure

w to configure

ver Manage

s the primary ganage comput2012. You can to manage bors. You can alsnaging serverse administrativervers that eithmembers of th

erver managewing tasks on rs:

d features

ows PowerShe

er configuratio

Analyzers ncludes a Best r, you can detet you need to g associated ewith specific ro

ws Serverrectly can saveorm specific adows Server 201inistrative task

ut the differeners that are ru

ou will be able

nistrative tools.

r Manager to p

services.

remote manag

er?

graphical tool ters running use the Server

oth the local seso manage sers as groups, yove tasks quicklyher perform thehe same group

r console to both local serv

ell sessions

on tasks

Practices Anaermine whetheremediate. Bes

event logs for woles before tho

er 2012 e you from su

dministrative ta12 manageme

ks on more tha

nt managemennning the Win

to:

.

perform a varie

gement.

that

r erver vers

ou can y e p.

vers

lyzer tool for aer roles on youst Practices Anwarning and eose health issu

Managbstantial probasks, each of went interface alan one server s

nt tools that yondows Server 2

ety of tasks.

all Windows Seur network arenalyzer examinerror events—sues cause a fai

gement blems later. Wiwhich is approlso enhances tsimultaneously

ou can use to 2012 operating

erver 2012 role functioning enes how a role so you can be lure that impa

ndows Server priate for a givthe ability for sy.

perform g system.

es. With Best efficiently or iffunctions—aware of heal

acts the server

2012 ven server

f there

th

A

WspadaprorealMseincoSeA

Thab

•

•

•

•

•

•

•

•

•

Yo

St

D

In

•

•

Administra

When you use Specific role-reldministrative tppropriate admole or feature uemotely, the apso loaded. For

Manager to insterver, the DHCnstalled on theomplete set oferver 2012 by dministration

he tools that about in Lesson

Active DireadministratDirectory R

Active Direusers, comp

DNS Consoincludes cre

Event Viewevent logs.

Group Policmanage the

IIS Manage

Performanccounters as

Resource Mnetwork ut

Task Sched

ou can access

Note: You ctart menu.

Demonstra

n this demonst

Log on to W

Add a featu

tive Tools

Server Manageated or featuretask, the consoministrative tousing Server Mppropriate admr example, if yotall the DHCP

CP console will local server. Yf administrativinstalling the Tools feature.

administrators n 5), include:

ctory Administtive tasks such

Recycle Bin. Yo

ctory Users anputers, and gro

ole. With the Deating forward

er. You can us

cy Managemeeir application

er Tool. You ca

ce Monitor. Yossociated with

Monitor. You cailization.

uler. You can u

each of these

can also pin fre

ation: Usin

tration, you wi

Windows Serve

ure by Using th

er to perform ae-related

ole launches thol. When you

Manager locallyministrative toou use Server role on anotheautomatically

You can install e tools for WinRemote Server

most common

trative Center.as raising domu also use this

nd Computers. oups. You can

DNS console, yod and reverse l

e the Event Vi

nt Tool. With tn in AD DS.

n use this tool

ou can use thisspecific resou

an use this con

use this conso

tools from the

equently used

g Server M

ll see how Serv

er 2012 and vi

he Add Roles a

a

he install a y or

ool is

er y be

the ndows r

nly use, (aside

. With this conmain and foress console to ma

With this toolalso use this t

ou can configuookup zones a

ewer to view e

this tool, you c

l to manage w

s console to vierces that you w

nsole to view r

le to manage

e Tools menu

tools to the W

Manager

ver Manager is

ew the Windo

and Features W

20410A: Installin

from Window

nsole, you can st functional leanage Dynam

l, you can creatool to create O

ure and managand managing

events recorde

can edit Group

websites.

ew record perfwant to monit

real-time infor

the execution

in Server Man

Windows Serve

s used to perfo

ows Server 201

Wizard.

ng and Configuring W

ws PowerShell,

perform Activevels and enabic Access Cont

ate and managOrganizationa

ge the DNS Seg DNS records

ed in the Wind

p Policy Objec

formance datator.

rmation on CP

of scheduled

nager.

er 2012 taskba

orm the follow

12 desktop.

Windows Server® 20

which you wil

ve Directory bling the Activtrol.

ge Active Direcal Units (OUs).

erver role. This.

dows Server 20

cts (GPOs) and

a by selecting

U, memory, di

tasks.

ar, or to the

wing tasks:

012 1-15

l learn

ve

ctory

s

012

isk and


• View role-related events.

• Run the Best Practice Analyzer for a role.

• List the tools available from Server Manager

• Restart Windows Server 2012.

Demonstration Steps

Log on to Windows Server 2012 and view the Windows Server 2012 desktop

• Log on to LON-DC1, and then close the Server Manager console.

Add a feature by Using the Add Roles and Features Wizard 1. Open Server Manager from the taskbar.

2. Start the Add Roles and Features Wizard.

3. Select Role-based or featured-based installation.

4. Select Select a server from the server pool, verify that LON-DC1.Adatum.com is selected, and then click Next.

5. On the Select server roles page, select Fax Server.

6. In the Add Roles and Features Wizard dialog box, click Add Features.

7. On the Select features page, click BranchCache.

8. On the Fax Server page, click Next.

9. On the Print and Document Services page, click Next.

10. On the Select role services page, click Next.

11. On the Confirmation page, select the Restart the destination server automatically if required check box, click Yes, click Install and then click Close.

12. Click the flag icon next to Server Manager Dashboard, and review the messages.

View role-related events 1. Click the Dashboard node.

2. In the Roles and Server Groups pane, under DNS, click Events.

3. On the DNS - Events Detail View, change the time period to 48 hours, and the Event Sources to All.

Run the Best Practice Analyzer for a role

1. Under DNS, click BPA results.

2. Select All on the Severity Levels drop-down menu, and then click OK.

List the tools available from Server Manager

• Click on the Tools menu, and review the tools that are installed on LON-DC1.

Log off the currently logged-on user

1. On the Start menu, click Administrator, and then click Sign Out.

2. Log on to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.

R

•

C

SeanYocomcothap

St

Se

•

•

•

•

anru

S

Reopop

•

•

•

•

Yofa

MMadtombe

Restart Wind

In a Windo

Shutdown

Configuring

ervices are prond provide serou can managonsole, which

menu in Server omputer, you shose that are rpplications tha

tartup Type

ervices use one

Automatic. when the se

Automatic

Manual. Th

Disabled. T

Note: If a send then locateunning state.

ervice Reco

ecovery optionpening the DNptions:

Take no act

Restart the

Run a Prog

Restart the

ou can configuailures. You can

Managed SeManaged servicdvantage of a o a schedule. T

minimizes the cecause admini

dows Server

ws PowerShell

/r /t 60

g Services

ograms that rurvices to clientge services throis available thrManager. Whshould disableequired by theat are installed

es

e of the follow

The service sterver boots.

(Delayed Start

e service must

he service is d

erver is behavie those service

overy

ns determine wNS Server Prop

tion. The servic

Service. The s

ram. Allows yo

Computer. Th

ure different ren also configu

rvice Accouce accounts aremanaged serv

These passwordchance that theistrators tradit

r 2012

l window, type

n in the backgs and the hostough the Servirough the Tooen securing a

e all services exe roles, feature on the server

wing startup ty

arts automatic

t). The service

t be started m

isabled and ca

ing problemats that are conf

what a service perties window

ce remains in a

ervice restarts

ou to run a pro

he computer re

ecovery optionre a period of

unts e special domavice account isd changes are e service accouionally assign

e the following

ground t server. ces

ols

xcept es, and r.

ypes:

cally

starts automat

anually, either

annot be starte

tically, open thfigured to star

does in the evw. On the Reco

a failed state u

automatically

ogram or a scr

estarts after a

ns for the first time after whi

ain-based accos that the acco

automatic, anunt password wsimple passwo

20410A: Installin

g command, a

tically after the

r by a program

ed.

he Services conrt automaticall

vent that it faiovery tab, you

until attended

y.

ript.

preconfigured

failure, the secich the service

ounts that youount password nd do not requwill be compro

ords to service


nd then press

e server has bo

m or by an adm

nsole, sort by sly, and which a

ls. You access have the follow

to by an adm

d number of m

cond failure, ae failure clock r

u can use with is rotated auto

uire administraomised, somet

e accounts with

Windows Server® 20

Enter:

ooted.

ministrator.

startup type, are not in a

the Recovery twing recovery

inistrator.

minutes.

and subsequenresets.

services. The omatically accator interventiothing that haph the same ser

012 1-17

tab by y

nt

cording on. This

ppens rvice

1-18 Deploying

acroservrota

Co

Youthe on amanManWintoo

YouMan

1.

2.

3.

Youcan remtoo

Rem

Remservof W

1.

2.

3.

Youopt

g and Managing Win

oss a large numvice-specific acated and mana

Question: Wdomain-base

onfiguring

u rarely performserver room. Aa daily basis wnagement technagement, youndows PowerShls to manage a

u can enable Renager by perfo

In the Server Server node.

In the Properopens the Co

In the ConfigThis Server F

u can enable redisable Remo

mote manageml.

mote Deskt

mote Desktop vers that they mWindows Serve

In the Server

Next to Remo

In the System

o Don’t all

o Allow coconnectio

o Allow CoAuthentsupport n

u can enable anion by using th

ndows Server 2012

mber of serverccounts that araged by the op

hat is the advad service acco

Remote M

m systems admAlmost all task

will be performehnologies. Witu can use Remhell, and remoa computer re

emote Managorming the fol

Manager cons

rties dialog boonfigure Remo

gure Remote MFrom Other C

emote manageote Managemement on a com

op

is the traditionmanage. You cer 2012 by per

Manager cons

ote Desktop,

m Properties d

low connectio

onnections froons from Rem

onnections onication. Allownetwork-level

nd disable Remhe sconfig.cm

rs, and never bre local rather perating system

antage of a maount?

Manageme

ministration froks that you pered using remoth Windows Re

mote Shell, remote managememotely.

ement from Slowing steps:

sole, click the L

ox for the locaote Managem

Managementomputers che

ement from thent by using thputer running

nal method bycan configure rforming the fo

sole, click the L

click Disabled

dialog box, on

ons to this co

om computerote Desktop c

nly from Comws secure conn

authentication

mote Desktop md command-

bother to updathan domain-

m.

anaged service

ent

om rform ote emote ote

ent

erver

Local

l server, next tment dialog bo

t dialog box, seeck box, and th

he command lihe same metho the Server Co

y which systemRemote Desktollowing steps

Local Server n

d.

the Remote t

omputer. The d

rs running anylients that do

mputers runniections from cn.

on computersline tool.

ate those passw-based. The pa

e account com

to Remote Maox.

elect the Enabhen click OK.

ine by runningod that you usore installation

ms administratotop on a comp:

node.

tab, select one

default state o

y version of Rnot support N

ng Remote Dcomputers run

s that are runn

words. Virtual assword for vir

mpared with a

anagement, c

ble Remote M

g the commanse to enable it.n option using

ors remotely coputer that runn

e of the follow

of remote desk

Remote DeskNetwork Level A

Desktop with Nnning Remote

ning the Server

accounts are rtual accounts

traditional

click Disabled.

Management O

d WinRM -qc. You can disabthe sconfig.cm

onnect to the ning the full ve

wing options:

ktop is disable

top. Allows Authentication

Network LeveDesktop client

r Core installat

is

. This

Of

c. You ble md

ersion

d.

n

el ts that

tion

LessonInstal

Wcosude

Inthre

LeA

•

•

•

•

In

Mopfoorra

OMdeWm

•

•

n 3 ling Wi

When preparingonfiguration isuitable than a eploy Window

n this lesson yohat you can usequirements, a

esson Objecfter completin

Describe th

Identify the

Determine necessary t

Describe th

nstallation

Microsoft distribptical media aormat is becomrganizations aather than phy

Once you have Microsoft, you c

eploy the opeWindows Servemethods, includ

Optical Me

o Disadv

Re

Is u

Yo

Yo

USB Media

o Advant

All

Th

indows g to install Wins appropriate. Yfull graphical u

ws Server 2012

ou will learn abe to install the

and the decisio

ctives ng this lesson, y

he different me

e different inst

whether a como install Windo

he decisions th

n Methods

butes Windownd in an .iso im

ming more comcquire softwar

ysically.

the operatingcan then use yrating system. r 2012 by usinding the follow

dia

antages includ

equires that the

usually slower

ou cannot upda

ou can only pe

tages include:

l computers al

he image can b

Server ndows Server 2You also needuser interface in an efficient

bout the procee operating sysons that you ne

you will be ab

ethods that yo

allation types

mputer or virtuows Server 20

at you need to

ws Server 2012 mage format. mmon as re over the Int

system from your own meth

You can instang a variety of wing:

de:

e computer ha

than USB med

ate the installa

rform one inst

low boot from

be updated as

2012 2012, you nee to know whet(GUI) deploymt manner.

ess of installingstem, the diffeeed to make w

le to:

ou can use to in

that you can c

ual machine m12.

o make when

on ISO

ernet

hod to ll

as access to a D

dia.

ation image w

tallation per D

m USB media.

new software

20410A: Installin

ed to understanther a Server C

ment, and whic

g Windows Seerent installatiowhen using the

nstall Window

choose when i

meets the minim

performing a W

DVD-ROM driv

ithout replacin

DVD-ROM at a

updates and d


nd whether a Core deploymch installation

rver 2012, inclon options, thee Installation W

ws Server 2012.

nstalling the W

mum hardwar

Windows Serv

ve.

ng the media.

time.

drivers becom

Windows Server® 20

particular hardent might be msource allows

uding the mete minimum sysWizard.

.

Windows Serve

e requirement

ver 2012 instal

e available.

012 1-19

dware more you to

thods stem

er 2012.

ts

lation.


The answer file can be stored on a USB drive, minimizing the amount of interaction that the administrator must perform.

o Disadvantages include:

It requires the administrator to perform special steps to prepare USB media from ISO file.

• Mounted ISO image

o Advantages include:

With virtualization software, you can mount the ISO image directly, and install Windows Server 2012 on the virtual machine.

• Network Share


It is possible to boot a server off a boot device (DVD or USB drive) and install from installation files hosted on a network share.

o Disadvantages include:

This method is much slower than using Windows Deployment Services. If you already have access to a DVD or USB media, it is simpler to use those tools for operating system deployment.

• Windows DS


You can deploy Windows Server 2012 from WIM image files or specially prepared VHD files.

You can use the Windows Automated Installation Kit (AIK) to configure lite-touch deployment.

Clients perform a Pre-Boot eXecution Environment (PXE) boot to contact the WDS server and the operating system image is transmitted to the server over the network.

WDS allows multiple concurrent installations of Windows Server 2012 using multicast network transmissions.

• System Center Configuration Manager


System Center Configuration Manager allows you to fully automate the deployment of Windows Server 2012 to new servers that do not have an operating system installed. This process is called Zero Touch deployment.

• Virtual Machine Manager Templates


Windows Server 2012 is usually deployed in private cloud scenarios from preconfigured virtual machine templates. You can configure multiple components of the System Center suite to allow self-service deployment of Windows Server 2012 virtual machines.

Question: What is another method that you can use to deploy Windows Server 2012?

In

HspthrudiruWWch

Wto“bch

nstallation

ow you deplopecific server dhat deploymenunning Windowifferent actionunning an x86

When you are pWindows Servehoose one of t

Installation O

Fresh installat

Upgrade

Migration

When you perfoo an existing voboot to VHD” shoose when pe

n Types

y Windows Sedepends on thnt. Deploying tws Server 2008s than deployiedition of Win

performing ther 2012 operatithe options in

ption Des

tion Allinstimpe

AnoriiteupWiYo20op

UseWiSerset

orm a fresh insolume. You cascenario. Booterforming a ty

rver 2012 on ae circumstanceto a server tha8 R2 requires ing to a serverndows Server 2e installation oing system, yothe following

scription

ows you to pestallations are tme. You can alsrform a dual b

n upgrade presginal server. Yms and want tgrade to Windndows Server u can only upg12. You launcherating system

e migration wndows Server rver Migrationttings.

stallation, you an also install Wt to VHD requiypical installati

a es of t is

r 2003.

of the u can table.

erform a fresh the most frequso use this optboot if you wan

serves the filesYou perform anto continue to dows Server 202003 R2, Windgrade to an eqh an upgrade b

m.

hen migrating2003 R2, or W

n Tools feature

can deploy WWindows Serveres special preon using the W

20410A: Installin

install on a neuently used, antion to configunt to keep the

s, settings, andn upgrade whe use the same 012 from x64 vdows Server 20quivalent or neby running set

g from an x86 vWindows Servee in Windows S

Windows Serverer 2012 to a speparation and Windows Setup


ew disk or volund take the shure Windows Se existing oper

applications ien you want to server hardwaversions of Wi008, and Windewer edition otup.exe from w

version of Winr 2008. You caServer 2012 to

r 2012 to an upecially-prepais not an optiop wizard.

Windows Server® 20

ume. Fresh ortest amount

Server 2012 toating system.

installed on tho keep all of thare. You can ondows Server dows Server 20of Windows Sewithin the orig

ndows Server 2an use the Wino transfer files a

npartitioned dred VHD file inon that you ca

012 1-21

t of

e hese

only 2003,

008 R2. rver

ginal

2003, ndows and

disk, or n a an

1-22 Deploying

Ha

HarhardServrequthe the

Eachon nresodiffeDHC

Winandneevirtuwith

Win

•

•

•

•

The

•

•

•

Vali

g and Managing Win

ardware Re

dware requiredware that is rver 2012 serveuirements migservices that tserver, and th

h role service anetwork, disk Iources. For exaerent stresses oCP role.

ndows Server 2 certain other d to match theual machine toh enough mem

ndows Server 2

Processor arc

Processor spe

Memory (RAM

Hard disk driv

Datacenter ed

640 logical pr

4 TB of RAM

63 failover clu

Additional Redation Progra

Question: WRAM?

ndows Server 2012

equiremen

ments define trequired to runer. Your actual ght be greater,the server is hoe responsivene

and feature plI/O, processor,ample, the file on server hard

2012 is suppornon-Microsofe same hardwo host Windowmory and hard

2012 has the fo

hitecture: x86-

eed: 1.4 gigahe

M): 512 megab

ve space: 32 G

dition of Wind

rocessors

uster nodes

eading: For mm, see http://w

hy does a serv

nts for Win

the minimum n the Windowshardware and depend o

osting, the loadess of your ser

aces a unique , and memory server role pla

dware than the

rted on Hyper-ft virtualizationare specificatio

ws Server 2012 disk space.

ollowing minim

-64

ertz (GHz)

bytes (MB)

GB, more if the

dows Server 20

more informatiowww.windows

ver need more

ndows Serv

s

on d on rver.

load

aces e

-V® n platforms. Wons as physica

2, you need to

mum hardware

server has mo

012 supports th

on about the Wservercatalog.

hard disk driv

ver 2012

Windows Serveral deploymentsensure that yo

e requirement

ore than 16 GB

he following h

Windows Serv.com/svvp.aspx

ve space if it h

r 2012 virtualizs. For exampleou configure t

ts:

B of RAM

hardware maxi

ver Virtualizatiox.

as more than

zed deploymee, when creatinhe virtual mac

mums:

on

16 GB of

ents ng a chine

In

ThsypatothdeSefil

1.

2.

3.

4.

5.

6.

7.

8.

nstalling W

he process of dystem is simpleast. The persono make fewer dhat they do maeployment. A erver 2012, if yle, involves pe

. Connect tothis include

o Insert aWindoand bo

o Connec

o Perform

. On the first

o Langua

o Time a

o Keyboa

. On the secoselect Repaand you are

. In the Windchoose fromInstallation

. On the Liceaccept the

. On the Wh

o Upgrato upgversion

o Custom

. On the WhWindows Syou click N

. On the Sett

Windows S

deploying a seer today than in performing tdecisions, althoake are criticaltypical installayou do not havrforming the f

the installatioe:

a DVD-ROM cows Server 2012

oot from the D

ct a specially p

m a PXE boot,

t page of the W

age to install

nd currency fo

ard or input m

ond page of thair Your Compe no longer ab

dows Setup wim the available.

ense Terms palicense terms

hich Type Of I

de. Select this rade to Windo

n of Windows S

m. Select this o

here do you werver 2012. Yoext, the instal

tings page, pr

Server 2012

erver operatingit has been in the deploymeough the deci to the succes

ation of Windove an existing following steps

on source. Opt

ontaining the 2 installation f

DVD-ROM.

prepared USB

and connect t

Windows Setup

ormat

method

he Windows Seputer. Use thisble to boot into

zard, on the Se operating sy

age, review thebefore you can

nstallation Do

option if you ows Server 201Server rather t

option if you w

want to installou can also cholation process

rovide a passw

2

g the nt has sions s of the

ows answer s:

ions for

files,

drive that host

to a Windows

p wizard, selec

etup wizard, cs option in theo Windows Se

elect The Opeystem installati

e terms of then proceed with

o You Want p

have an existi12. You shouldthan booting f

want to perform

Windows paoose to repartwill copy files

word for the loc

20410A: Installin

ts the Window

DS server.

ct the followin

lick Install noe event that anerver 2012.

erating Systeion options. Th

e operating sysh the installati

page, you have

ng installationd launch upgrafrom the instal

m a new insta

ge, choose anition and refo

s and reboot th

cal Administra


ws Server 2012

g:

ow. You can alsn installation h

m You Want he default opt

stem license. Yon process.

e the following

n of Windows Sades from withllation source.

llation.

n available diskrmat disks fromhe computer s

ator account.

Windows Server® 20

2 installation fi

so use this paghas become co

To Install pagion is Server C

You must choo

g options:

Server that yohin the previou

k on which to im this page. Wseveral times.

012 1-23

les.

ge to orrupted,

ge, Core

ose to

u want us

install When

1-24 Deploying

Lesson 4Post-In

Theyouyouwill

Thisnetwprod

LesAfte

•

•

•

•

•

Ov

Unlisystprocyouneecommemthatthe acco

YouMan

•

•

•

•

•

•

•

•

g and Managing Win

4 nstallati Windows Serv have complet can deploy it play on your o

s lesson coverswork addressinduct activation

sson Objectier completing

Describe how

Describe how

Describe how

Explain how t

Describe how

verview of

ike previous veems, the Windcess minimizes need to answd to configure

mputer name, ambership infort you provide dpassword for

ount.

u use the Locanager console

Configure the

Set the comp

Join an Active

Configure the

Enable autom

Add roles and

Enable remot

Configure Wi

ndows Server 2012

ion Conver 2012 instated installationin a productio

organization’s

s how to perfong informationn options.

ives this lesson, yo

w to Server Ma

w to configure

w to join an Act

to activate Win

w to perform p

Post-Insta

ersions of Windows Server 20s the number

wer. For exampe network conna user accountrmation. The oduring the instthe default loc

l Server node to perform th

e IP address

puter name

e Directory do

e time zone

matic updates

d features

te desktop

ndows Firewa

nfiguratllation processn, you need toon environmennetwork.

rm a range of n, setting a ser

ou will be able

nager to perfo

the network.

tive Directory

ndows Server 2

ost-installation

allation Co

dows operatin012 installationof questions th

ple, you no lonnections, a t, and domain only informatiotallation procecal Administra

in the Server he following ta

main

ll settings

tion of Ws involves answ

o perform sevent. These steps

post-installatirver’s name an

to:

orm post-insta

domain.

2012.

n configuratio

onfiguratio

ng n hat ger

on ess is tor

sks:

Windowwering a minimeral post-instals allow you to

ion configuratnd joining it to

allation configu

on of a Server C

on

ws Servemal number oflation configuprepare the se

tion tasks, incluo the domain, a

uration tasks.

Core compute

er 2012f questions. Onration steps berver for the ro

uding configuand understan

er.

2 nce efore ole it

ring nding

C

TococochdeobYocl

If rasefrsew

pab

C

Yo

1.

2.

3.

4.

C

YocoCco

Configuring

o communicatorrect IP addreompleted instaheck the serveefault, a newlybtain IP addreou can view a icking the Loc

the server hasange of 169.25erver has not bom a DHCP seerver has not b

with the networ

Note: If youroblematic, anbout impleme

Configuratio

ou can configu

. In the Serveconfigure. T

. Right-click Properties

. In the AdapProperties

. In the Interaddress info

o IP addr

o Subnet

o Default

o Preferr

o Alterna

Command-L

ou can set IPv4ommand fromonnection witommand:

Netsh int255.255.2

g Server N

te on the netwess informationallation, you ner’s IP address c

y-deployed serss informationserver’s IP add

cal Server nod

s an IPv4 addre54.0.1 to 169.2been configureerver. This maybeen configurerk infrastructu

u are using onnd IPv6 addresnting IPv6 in M

on Using Ser

ure IP address

er Manager coThis will open

on the networ.

pter Propertie.

rnet Protocolormation, and

ress

t Mask

t Gateway

red DNS server

ate DNS server

ine IPv4 Ad

4 address infom the interface

th the IPv4 add

terface ipv4 255.0

Network Se

work, a server nn. Once you haeed to either sconfiguration.rver attempts tn from a DHCPdress configurade in Server Ma

ess in the APIP54.255.254, th

ed with an IP ay be because aed on the netwre that blocks

ly an IPv6 netws information

Module 8, “Imp

rver Manag

information fo

onsole, click onthe Network C

rk adapter for

es dialog box,

Version 4 (TC then click OK

r

r

ddress Confi

rmation manuipv4 context. dress 10.10.10

set address

ettings

needs ave set or By

to P server. ation by anager.

PA hen the address a DHCP work, or, if therthe adapter fr

work, then an is still configuplementing IPv

ger

or a server ma

n the address nConnections w

which you wa

click Internet

CP/IPv4) PropK twice:

iguration

ually from an eFor example, t

0.10 and subne

“Local Area

20410A: Installin

re is a DHCP srom receiving

IPv4 address ired automaticv6.”

anually by perf

next to the netwindow.

ant to configur

t Protocol Ve

perties dialog

elevated commto configure thet mask 255.25

a Connection”


erver, becausean address.

in this range iscally. You will l

forming the fo

twork adapter

re an address,

rsion 4 (TCP/

g box, enter th

mand prompt bhe adapter nam55.255.0, type

” static 10.1

Windows Server® 20

e there is a pro

s not earn more

ollowing steps:

r that you wan

and then click

/IPv4), and the

e following IPv

by using the nmed Local Arethe following

10.10.10

012 1-25

oblem

t to

k

en click

v4

netsh.exe ea

1-26 Deploying

Youconthe

You

NetWitNetthe usinmod

1.

2.

3.

4.

5.

6.

Ho

WhecomjoinwithpracscheComtheipershistdeteDNSthat

You

1.

2.

3.

4.

5.

g and Managing Win

u can use the sfigure the adaprimary DNS

Netsh inte

u will learn mo

twork Card h Network Carwork Card Teacards fails, the

ng that shared del or use the

Ensure that th

In Server Ma

Next to Netw

In the NIC Teyou want to a

Right-click on

In the New T

ow to Join

en you install Wmputer is assig

ing a domain,h the name it wctice, you shoueme when devmputers shouldir function andsonal ties, suchorical characteermine that a S server in Met a server nam

u change this n

In Server Ma

In the ProperProperties d

In the System

In the Computo the compu

Restart the co

ndows Server 2012

ame context oapter named Lserver, type th

rface ipv4 s

re about confi

Teaming rd Teaming, yoaming, a compe computer is aaddress. Netwsame driver. T

he server has m

anager, click th

work Adapter

eaming dialogadd to the tea

n these selecte

Team dialog bo

the Doma

Windows Servned a random you should cowill use in the uld use a consvising a compud be given namd location, not h as pet namesers. It is simpleserver named lbourne, than ed Copernicus

name using the

anager, click th

rties window, cialog box.

m Properties d

uter Name/Duter.

omputer to im

of the netsh.exocal Area Con

he following co

et dnsserver

iguring IPv4 in

ou can increasputer uses oneable to mainta

work card teamTo team netwo

more than one

he Local Serve

Teaming, clic

g box, hold dowm.

ed network ada

ox, provide a n

ain

ver 2012, the name. Prior toonfigure the sedomain. As a bistent naming uter name. mes that reflecnames with

s, or fictional oer for everyoneMEL-DNS1 is it is to determ

s holds the DN

e Server Mana

he Local Serve

click the active

dialog box, in

omain Chang

plement the n

xe command tonnection to uommand:

rs “Local Are

n Module 5, “Im

se the availabile network addrain communicaming does not ork cards, perfo

e network adap

er node.

ck Disabled. T

wn the Ctrl ke

apters, and the

name for the t

o erver best

ct

or e to a

mine NS role in the M

ager console by

er node.

e text next to C

the Compute

ges dialog box

name change.

o configure DNse the DNS se

ea Connection

mplementing I

lity of a networess for multipation with othrequire that th

orm the follow

pter.

This will launch

y, and then cli

en click Add t

team, and then

Melbourne off

y performing t

Computer Nam

r Name tab, c

x, enter the new

NS configuratirver at IP addr

n” static 10

IPv4.”

ork resource. Wple cards. In theer hosts on thhe network ca

wing steps:

h the NIC Team

ick each netwo

to New Team.

n click OK.

fice.

the following

me. This will la

click Change.

w name that y

ion. For exampress 10.10.10.5

.10.10.5 prim

When you confe event that oe network tha

ards be the sam

ming dialog b

ork adapter th

.

steps:

aunch the Syst

you want to as

ple, to 5 as

mary

figure ne of t are

me

box.

at

tem

sign

Prto

•

•

•

Ndo

To

1.

2.

3.

4.

5.

6.

P

OjococowyocowA

Uando

1.

2.

rior to joining o be domain-jo

Ensure thatcontroller. Ugoals.

Complete o

o Create to join the do

o Join thjoin op

Verify that domain.

ow that you homain-joined,

o join the dom

. In Server M

. In the Prop

. In the Syste

. In the Comoption. Ent

. In the Windthe domain

. Restart the

Performing

Offline Domain oin a computeromputer does onnection. Thi

where connectivou are deployionnected via s

were deployingustralia or isla

se the djoin.exn offline domaomain join by

. Log on to tcomputers

. Open an elYou also ne

the domain, boined:

t you are able Using the Ping

one of the follo

a computer ato the domainmain automat

e computer toperations.

the security ac

have renamed you can join t

main using Serv

Manager, click

perties window

em Propertie

mputer Name/er the new do

dows Securityn.

computer.

g Offline D

Join is a featur to the domainot have an as feature can bvity is intermiting a server tosatellite uplink. servers to locnds in the Sou

xe command lain join. You caperforming th

the domain coto the domain

evated commaeed to specify

be sure to com

to resolve the g tool to ping t

owing tasks:

ccount in the n. This is oftentically.

o the domain u

ccount that is

your Windowsthe server to th

ver Manager, p

k the Local Ser

w, next to Work

s dialog box, o

/Domain Chanmain name, an

y dialog box, e

Domain Joi

ure you can usein when that

active network be useful in sitttent, such as w a remote site . For example, ations in Outb

uth Pacific.

ine tool to peran perform anhe following st

ntroller with an.

and prompt anthe domain to

mplete the follo

IP address of the domain co

domain that m done when la

using a securit

used for the d

s Server 2012 she domain.

perform the fo

rver node.

kgroup, click W

on the Compu

nges dialog bond then click O

enter domain c

in

e to

tuations when

if you back

rform offline

teps:

a user account

nd use the djoo which you wa

20410A: Installin

owing steps to

the domain coontroller by ho

matches the naarge numbers

ty account that

omain operat

server and hav

ollowing steps:

WORKGROUP

uter Name tab

ox, in the MemOK.

credentials tha

that has the a

oin.exe commaant to join the


o verify that the

ontroller and costname accom

ame of the comof computers

t has the right

ion already ex

ve verified tha

:

P.

b, click Chang

mber Of area,

at allow you to

appropriate rig

and with the /pe computer, th

Windows Server® 20

e new server is

contact that domplishes both

mputer that yoneed to be jo

t to perform do

xists within the

t it is ready to

e.

click the Dom

o join the com

ghts to join oth

provision opthe name of the

012 1-27

s ready

omain of these

ou want ined to

omain-

e

be

main

puter to

her

tion. e

1-28 Deploying

3.

4.

Ac

You201organotirequprevsystpericanThefor a

•

•

Witperf

You

1.

2.

3.

4.

Becyouente

g and Managing Win

computer youtarget of the adatum.com

djoin.exe join.txt

Transfer the g/requestODJCanberra-joincommand pro

djoin.exe

Restart the co

Question: In traditional do

tivating W

u must activate2 that you instanization is coices for producuires activationvious versions em, there is noiod. If you do not perform ore are two genactivation:

Manual activadeploying a s

Automatic ac

h manual activforms the activ

u can perform

Click the Loca

In the Proper

In the Windo

If a direct conabout performusing a local

ause compute can perform er the product

ndows Server 2012

u will be joininoffline domainusing the save

/provision /

generated saveJ option. For en.txt to compuompt on Canb

/requestODJ

omputer to co

what situationomain join?

Windows Se

e every copy otall, to ensure

orrectly licensect updates. Win after installaof the Windowo longer an acnot perform a

operating systeneral strategie

ation. Suitablesmall number o

ctivation. Suita

vation, you entvation over the

manual activa

al Server node

rties window, n

ows Activation

nnection cannoming activatiotelephone num

ers running themanual activatt key, and slmg

ng to the doman join. For exaefile Canberra-

domain adatu

efile to the newxample, to pe

uter Canberra, berra:

/loadfile ca

mplete the do

n would you p

erver 2012

f Windows Serthat your d and to receiindows Server tion. Unlike ws server operctivation gracectivation, you

em customizats that you can

e when you areof servers.

ble when you

ter the produce phone or thr

tion from the

e.

next to Produc

n dialog box, e

ot be establishn using a webmber.

e Server Core ition using thegr.vbs /ato to

ain, and the nample, to join t-join.txt, type t

um.com /machi

w computer, arform the offliyou would run

anberra-join.

omain-join ope

erform an offl

2

rver

ve 2012

rating e

ion. n use

e

are deploying

ct key and the rough a specia

Server Manag

ct ID, click No

enter the prod

hed to the Micsite from a de

nstallation optslmgr.vbs co

o perform activ

ame of the savthe computer Cthe following c

ine canberra

and then run thine domain join the following

txt /windows

eration.

ine domain jo

g larger numbe

server contacal clearinghous

ger console by

ot Activated.

duct key, and t

crosoft activatievice that has a

tion do not haommand. Use tvation once th

vefile that youCanberra to thcommand:

/savefile c

he djoin.exe coin, after transfeg command fr

spath %system

oin rather than

ers of servers.

ts Microsoft ose website.

performing th

then click Acti

on servers, detan Internet con

ave the Server the slmgr.vbshe product key

u will transfer the domain

:\canberra-

ommand witherring the saverom an elevate

mroot% /local

a

r an administr

he following st

ivate.

tails will displannection, or by

Manager conss /ipk commany is installed.

o the

the efile ed

los

rator

teps:

ay y

sole, nd to

Pruspe20

Yocaseco

Oaccora

Pea on

A

Inacyoonbacoth

YoSeInen

C

Perucapebacowa

ThmusthA

Yo

•

•

revious versionsing the sysprerformed this 012, you can r

ou can performan use a retail et number of aomputers up t

OEM keys are activation whenomputers that arely used with

erforming actimethod of actn each system

Automatic A

n previous versctivation of muou to manage n the KMS servased activationomputers. Whehe KMS server

ou use the Volervices to perfnternet. You canterprise netw

Configuring

erforming posunning the Seran be dauntingerformed the tased tools thatonfiguration p

with performingcommand-line

he good news majority of post

sing the sconfhis utility minimdministrator m

ou can use sco

Configure D

Configure t

ns of the Windrep utility, but task, and due earm a deploy

m manual activproduct key to

activations thao a set activat

special type on a computer i

are running ch computers th

vation manuativating large manually.

Activation

sions of the Wultiple clients. a KMS server

ver. When youn. Active Direcen you use Voto renew its a

lume Activatioorm activation

an use VAMT tworks.

g a Server

st installation orver Core operg to administratask before. Int simplify the process, IT profg complex cone interface.

is that you cat-installation cig.cmd commamizes the possmaking syntax

onfig.cmd to p

Domain and W

the computer’s

dows Server oplimited the nuto an overall l

yment up to 99

vation using eo activate onlyt you can use. ion limit.

of activation kes first poweredlient operating

hat are running

lly in large-scanumbers of co

indows Server The Volume Athrough a new

u install Volumctory-based acolume Activatioctivation statu

on Managemen of multiple cto generate lic

Core Insta

on a computerating system oators that havestead of havinpost-installatiofessionals are fnfiguration tas

n perform theconfiguration tand-line tool. sibility of the errors when u

perform the fol

Workgroup info

s name

perating systemumber of timesimit of three r99 times.

ither the retaiy a single comUsing a multi

ey that are prod on. This typeg systems suchg server opera

ale server deplomputers auto

operating sysActivation Servw interface. Th

me Activation Stivation allowson Services, eaus.

nt Tool (VAMTomputers on nense reports a

allation

r option e not

ng GUI-on faced ks from

e tasks Using

sing more com

llowing tasks:

ormation

20410A: Installin

m allowed yous due to activarearms per inst

l product key, puter. Howeveple activation

ovided to a mae of activation h as Windows ating systems.

oyments can bomatically with

stem, you coulvices server rolhis simplifies thServices, you cas automatic acach computer

T) 3.0 in conjunetworks that and manage cl

mplicated com


u to generalizeation being reatallation. With

or the multipler, a multiple akey, you can a

anufacturer ankey is typically7 and Window

be cumbersomhout having to

d use KMS to e in Windows

he process of ian also configctivation of doactivated mus

nction with Voare not conneient and serve

mmand-line uti

Windows Server® 20

e a Windows imarmed each tim Windows Serv

le activation kactivation key activate multip

nd allow automy used with ws 8. OEM key

me. Microsoft penter product

perform centrServer 2012 anstalling a KMure Active Dire

omain-joined st periodically c

olume Activatiected directly ter activation on

ilities.

012 1-29

mage me you ver

ey. You has a

ple

matic

ys are

provides t keys

ralized llows

MS key ectory-

contact

on to the n


• Add local Administrator accounts

• Configure Remote Management

• Enable Windows Update

• Download and install updates

• Enable Remote Desktop

• Configure Network Address information

• Set the date and time

• Perform Windows Activation

• Enable the Windows Server GUI

• Log off

• Restart the server

• Shut down the server

Configure IP Address Information

You can configure the IP address and DNS information using sconfig.cmd or netsh.exe. To configure IP address information using sconfig.cmd, perform the following steps:

1. From a command-line command, run sconfig.cmd.

2. Choose option 8 to configure Network Settings.

3. Choose the index number of the network adapter to which you want to assign an IP address.

4. In the Network Adapter Settings area, choose between one of the following options:

o Set Network Adapter Address

o Set DNS Servers

o Clear DNS Server Settings

o Return to Main Menu

Change Server Name

You can change a server’s name using the netdom command with the renamecomputer option. For example, to rename a computer to Melbourne, type the following command:

Netdom renamecomputer %computername% /newname:Melbourne

You can change a server’s name using sconfig.cmd by performing the following steps:


2. Choose option 2 to configure the new computer name.

3. Type the new computer name, and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain You can join a Server Core computer to a domain using the netdom command with the join option. For example, to join the adatum.com domain using the Administrator account, and to be prompted for a password, issue the command:

Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*


Note: Prior to joining the domain, verify that you are able to ping the DNS server by hostname.

To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:


2. Choose option 1 to configure Domain/Workgroup.

3. To choose the Domain option, type D and then press Enter.

4. Type the name of the domain to which you want to join the computer.

5. Provide the details in domain\username format, of an account that is authorized to join the domain.

6. Type the password associated with that account.

To restart the computer, complete a domain join operation it is necessary.

Adding Roles and Features You can add and remove roles and features on a computer that is running the Server Core installation option by using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows PowerShell cmdlets. These cmdlets are available after you load the ServerManager Windows PowerShell module.

For example, you can view a list of roles and features that are installed by executing the following command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq “Installed”}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the NLB feature, execute the command:

Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating system. You can determine which features are not directly available for installation by running the following command:

Get-WindowsFeature | Where-Object {$_.InstallState -eq “Removed”}

You can add a role or feature that is not directly available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command-line utility.

Add the GUI

You can configure a Server Core computer with the GUI using the sconfig.cmd command-line utility. To do this, choose option 12 from within the sconfig.cmd Server Configuration menu.

Note: The process of adding and removing the graphical component of the Windows Server 2012 operating system by using the Install-WindowsFeature cmdlet was covered in Lesson 1.

You can also use the dism.exe command-line tool to add and remove Windows roles and features from a Server Core deployment, even though this tool is used primarily for managing image files.

1-32 Deploying

Lesson Introd

WinServWitsyst

In thmos

ThisspecPowscrip

LesAfte

•

•

•

•

Wh

Windesiadmup oPowPowlangpuradmdesi

An isuchgrapgenthroadm

Youmodrelaspec

g and Managing Win

5 uction t

ndows PowerShver 2012 operah Windows Poems administr

his lesson, youst critical piece

s lesson describcific cmdlets a

werShell Integrpts.


Describe the

Describe Winwith a particu

Describe comfeatures.

Describe the

hat Is Wind

ndows PowerShigned to assist

ministrative tasof cmdlets tha

werShell prompwerShell scriptsguages that wepose, but have

ministration tasigned with sys

increasing numh as Microsoft phical interfac

nerated Windoough all of theministrator’s jo

u can extend Wdule includes Wted managemcifically useful

ndows Server 2012

to Windhell is a commating system thowerShell, you ration tasks.

u will learn aboe of a server ad

bes how to usend to find rela

rated Scripting


purpose of Wi

dows PowerShular cmdlet.

mmon Window

functionality o

dows Pow

hell is a scriptit you in perforsks. Windows Pt you execute pt, or combines. Unlike otherere designed ie been adaptesks, Windows Pstem administr

mber of MicrosExchange Seres that build Wws PowerShel

e steps in the Gb, and saves ti

Windows PoweWindows Pow

ment tasks. Thefor performin

dows Pomand-line shell

hat simplifies tcan automate

out Windows Pdministrator’s

e the Windowated cmdlets. Tg Environment

ou will be able

indows Power

hell cmdlet syn

ws PowerShell c

of Windows Po

werShell?

ng language ming day-to-d

PowerShell is mat a Windows

e into Windowr scripting nitially for anod for system PowerShell is ration tasks in

soft products—ver 2010—hav

Windows Powel script, so you

GUI. Being ableme.

erShell functionerShell cmdlet DNS Server mg DNS server-

owerShand task-base

the automatioe common task

PowerShell, antoolkit.

s PowerShell’sThis lesson also(ISE) to assist

to:

Shell.

ntax, and expla

cmdlets used t

owerShell ISE.

day made s

ws

other

mind.

—ve erShell commau can execute te to automate

nality by addints that are spec

module include-related manag

ell ed scripting te

on of common ks, leaving you

d why Window

s built-in discoo discusses hoyou in creatin

ain how to det

to manage ser

ands. These prthe task at a lacomplex tasks

ng modules. Focifically usefules Windows Pogement tasks.

echnology builsystems admi

u more time fo

ws PowerShell

overability to leow to leverage

g effective Wi

termine comm

rvices, processe

roducts allow yater time withos simplifies a s

or example, th for performinowerShell cmd

t into the Wininistration taskor more difficu

is perhaps the

earn how to usthe Windows ndows PowerS

mands associat

es, roles and

you to view thout having to gserver

he Active Direcng Active Direcdlets that are

dows ks. ult

e

se

Shell

ed

e go

ctory ctory-

W

Wsyveno

Cin

•

•

•

•

•

•

•

•

•

•

•

•

•

Yo

Yo

Wascm

Yocmlo

Windows P

Windows Poweyntax. Each noerbs. The availoun.

ommon Windnclude:

Get

New

Set

Restart

Resume

Stop

Suspend

Clear

Limit

Remove

Add

Show

Write

ou can learn th

Get-Help

ou can learn th

Get-Help

Windows Powessociated set omdlet by execu

Help Cmdl

ou can determmdlet. Which Woad a module u

PowerShell

rShell cmdletsun has a collecable verbs diff

ows PowerShe

he available ve

-Noun NounNa

he available W

-Verb VerbNa

rShell parametof parameters. uting the com

ltName

mine which WinWindows Powusing the Imp

l Cmdlet S

use a verb-noction of associfer with each c

ell cmdlet verb

erbs for a parti

ame

Windows Powe

ame

ters start with You can learnmand:

ndows PowerSerShell cmdletort-Module c

Syntax

oun iated cmdlet’s

bs

icular Window

rShell nouns fo

a dash. Each W what the para

Shell cmdlets ats are availablecmdlet.

20410A: Installin

ws PowerShell n

or a specific ve

Windows Poweameters are fo

are available bye depends on w


noun by execu

erb by executi

erShell cmdletor a particular W

y executing thwhich module

Windows Server® 20

uting the comm

ng the comma

t has its own Windows Pow

he Get-Commes are loaded. Y

012 1-33

mand:

and:

werShell

and You can

1-34 Deploying

Co

Theto urelaServ

Ser

Youcmdrunn

•

•

•

•

•

•

•

•

Eve

Yourunn

•

•

•

•

•

•

•

Pro

Yourunn

•

•

•

•

•

g and Managing Win

ommon Cm

re are certain use as a server te to services, verManager ru

rvice Cmdle

u can use the fodlets to managning Windows

Get-Service.

New-Service

Restart-Serv

Resume-Serv

Set-Service.

Start-Service

Stop-Service

Suspend-Ser

ent Log Cmd

u can use the foning Windows

Get-EventLo

Clear-EventL

Limit-EventL

New-EventLoServer 2012.

Remove-Eve

Show-EventL

Write-EventL

ocess Cmdle

u can use the foning Windows

Get-Process.

Start-Proces

Stop-Process

Wait-Proces

Debug-Proce

ndows Server 2012

mdlets for

cmdlets that yadministratorevent logs, pr

unning on the

ts

ollowing Windge services on s Server 2012:

View the prop

e. Creates a new

vice. Restarts a

vice. Resumes

Configures the

e. Starts a stop

e. Stops a runn

rvice. Suspend

dlets

ollowing Winds Server 2012:

og. Displays eve

Log. Deletes al

Log. Sets event

og. Creates a

entLog. Remov

Log. Shows th

Log. Allows yo

ets

ollowing Winds Server 2012:

. Provides info

s. Starts a proc

s. Stops a proc

s. Waits for th

ess. Attaches a

Server Ad

you are more l. These primar

rocesses, and server.

dows PowerSha computer th

perties of a ser

w service.

n existing serv

a suspended

e properties of

pped service.

ning service.

ds a service.

dows PowerSh

ents in the spe

ll entries from

t log age and

new event log

ves a custom e

e event logs o

ou to write eve

dows PowerSh

rmation on a p

cess.

cess.

e process to st

a debugger to

ministratio

ikely rily

ell hat is

rvice.

vice.

service.

f a service.

ell cmdlets to

ecified event lo

the specified

size limits.

and a new ev

event log and

of a computer.

ents to an even

ell cmdlets to

process.

top before acc

o one or more

on

manage even

og.

event log.

vent source on

unregisters all

nt log.

manage proce

cepting input.

running proce

t logs on a com

n a computer r

event sources

esses on a com

esses.

mputer that is

running Windo

s for the log

mputer that is

ows

S

Than

•

•

•

W

Wenwcoyopaco

WusexsctoThan

Wpsc

Yode

D

In

•

•

•

D

U

1.

2.

erverManag

he ServerManand roles. These

Get-Windoinstalled, anaccess to an

Install-WinWindowsFoperating s

Remove-W

What Is Wi

Windows Powenvironment th

when using Winommand compou to see all avarameters thatommands.

Windows Powesing Windows xecute cmdletcripting windoo construct andhe ability to vind can create

Windows Powerovides you wcripts.

ou can use theetermine whic

Demonstra

n this demonst

Use Window

View the cm

Use the Get

Demonstrati

Use Window

. Ensure that

. In Server M

ger Module

ager module ae cmdlets are:

owsFeature. Vnd whether thn installation s

ndowsFeatureFeature cmdlesystems.

WindowsFeatu

ndows Po

rShell ISE is anat provides yo

ndows PowerSpletion functiovailable commt can be used w

rShell ISE simpPowerShell bes from the ISE.w within Windd save Windowew cmdlet parsyntactically-c

rShell ISE provith debugging

e Windows Powch Windows Po

ation: Usin

tration, you wi

ws PowerShell

mdlets made a

t-WindowsFea

ion Steps

ws PowerShe

t you are logge

Manager, click

e

allows you to a

View a list of ave feature is avsource.

e. Installs a part is aliased to t

ure. Removes a

werShell I

n integrated scou with assistahell. It provide

onality, and allmands and the

with those

plifies the procecause you can. You can also dows PowerShws PowerShell rameters ensucorrect Window

vides color-codg tools that you

werShell ISE enowerShell mod

g Window

ll see how to c

l ISE to import

available in the

ature cmdlet fr

ell ISE to im

ed on to LON-

k Tools, and th

add one of thr

vailable roles aailable. An una

rticular Windothis command

a particular W

SE?

cripting nce es ows

cess of n use a ell ISE scripts. res that you arws PowerShell

ded cmdlets tou can use to d

nvironment todule you need

ws PowerSh

complete the f

t the ServerMa

e ServerManag

rom Windows

port the Se

-DC1 as Admin

hen click Wind

20410A: Installin

ee cmdlets tha

and features. Aavailable featu

ows Server roled and is availab

Windows Server

re aware of thcommands.

o assist with troebug simple a

o view availableto load to acc

hell ISE

following tasks

anager module

ger Module

PowerShell IS

erverManag

nistrator.

dows PowerSh


at are useful fo

Also displays wure can only be

e or feature. Thble in previous

r role or featur

e full function

oubleshootingand complex W

e cmdlets by mcess a particula

s:

e

E

er module

hell ISE.

Windows Server® 20

or managing f

whether the feae installed if yo

he Add-s versions of W

re.

ality of each c

g. The ISE also Windows Powe

module. You car cmdlet.

012 1-35

features

ature is ou have

Windows

cmdlet,

erShell

an then


3. At the prompt, type Import-Module ServerManager.

View the cmdlets made available in the ServerManager Module • In the Commands pane, use the Modules drop-down menu to select the Server Manager module.

Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE

1. Click Get-WindowsFeature, and then click Show Details.

2. In the ComputerName field, type LON-DC1, and then click Run.

Demonstration: Using Windows PowerShell

In this demonstration, you will see how to use Windows PowerShell to display the running services and processes on a server.

Demonstration Steps

Use Windows PowerShell to display the running services and processes on a server

1. On LON-DC1, open a Windows PowerShell session.

2. Execute the following commands, and then press Enter:

Get-Service | where-object {$_.status -eq “Running”} Get-Command -Noun Service Get-Process Get-Help Process

3. Right-click on the Windows PowerShell icon on the taskbar and click Run as Administrator.


Lab: Deploying and Managing Windows Server 2012 Scenario

A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.

The marketing department has purchased a new web-based application. You need to install and configure the servers for this application in the data center. One server has a graphic interface and the second server is configured as Server Core.

Objectives

After completing this lab, you will be able to:

• Deploy Windows Server 2012.

• Configure Windows Server 2012 Server Core.

• Manage servers by using Server Manager.

• Manage servers with Windows PowerShell.

Lab Setup

Estimated time: 60 minutes

Virtual Machines 20410A-LON-DC1

20410A-LON-CORE

User Name Administrator

Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Adatum\Administrator

b. Password: Pa$$w0rd

5. Repeat steps 1 to 3 for 20410A-LON-CORE. Do not log on until directed to do so.


Exercise 1: Deploying Windows Server 2012

Scenario

The first Windows Server® 2012 server that you are installing for the Marketing department will host an SQL Server 2012 database engine instance. You want to configure the server so that it will have the full GUI, as this will allow the application vendor to run support tools directly on the server, rather than requiring a remote connection.

The main tasks for this exercise are as follows:

1. Install the Windows Server 2012 server.

2. Change the server name.

3. Change the date and time.

4. Configure the network and network teaming.

5. Add the server to the domain.

Task 1: Install the Windows Server 2012 server 1. In the Hyper-V Manager console, open the settings of 20410A-LON-SVR3

2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This file is located at C:\Program Files\Microsoft Learning\20410\Drives.

3. Start 20410A-LON-SVR3. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, click Next, and then click Install Now.

o Language to install: English (United States)

o Time and currency format: English (United States)

o Keyboard or input method: US

4. Click to install the Windows Server 2012 Release Candidate Datacenter (Server with a GUI) operating system.

5. Accept the license terms and then click Custom: Install Windows only (advanced).

6. Install Windows Server 2012 on Drive 0.

Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.

7. Enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish to complete the installation.

Task 2: Change the server name 1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.

2. In Server Manager, on the Local Server node, click on the randomly-generated name next to Computer name.

3. In the System Properties dialog box, on the Computer Name tab, click Change.

4. In the Computer name box, type LON-SVR3, and then click OK.

5. Click OK again, and then click Close.

6. Restart the computer.


Task 3: Change the date and time 1. On LON-SVR3, on the taskbar, click the time display, and then click Change date and time settings.

2. Click Change Time Zone, and set the time zone to your current time zone.

3. Click Change Date and Time, and verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom.

4. Close the Date and Time dialog box.

Task 4: Configure the network and network teaming 1. On LON-SVR3, click Local Server, and then next to NIC Teaming, click Disabled.

2. Press and hold the Ctrl key and then in the Adapters And Interfaces area, click both Local Area Connection and Local Area Connection 2.

3. Right-click on the selected network adapters, and then click Add to New Team.

4. Enter LON-SVR3 in the Team name, box, click OK, and then close the NIC Teaming dialog box. Refresh the console pane.

5. Next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.

6. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.

7. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

8. Enter the following IP address information, then and click OK.

o IP address: 172.16.0.101

o Subnet Mask: 255.255.0.0

o Default Gateway: 172.16.0.1

o Preferred DNS server: 172.16.0.10

9. Close all dialog boxes.

Task 5: Add the server to the domain 1. On LON-SVR3, in the Server Manager console, click Local Server.

2. Next to Workgroup, click WORKGROUP.

3. On the Computer Name tab, click Change.

4. Click the Domain option, and in the Domain box, enter adatum.com.

5. Enter the following account details

o Username: Administrator

o Password: Pa$$w0rd

6. In the Computer Name/Domain Changes dialog box, click OK.

7. Restart the computer to apply changes.

8. In the System Properties dialog box, click Close.

9. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.


Exercise 2: Configuring Windows Server 2012 Server Core

Scenario

The web-based tier of the marketing application is a .NET application. To minimize the operating system footprint and reduce the need to apply software updates, you have chosen to host the IIS component on a computer running the Server Core installation option of the Windows Server 2012 operating system.

To enable this, you will need to configure a computer that is running Windows Server 2012 with the Server Core installation option.


1. Change the server name.

2. Change the computer’s date and time.

3. Configure the network.

4. Add the server to the domain.

Task 1: Change the server name 1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.

2. On LON-CORE, type sconfig.cmd.

3. Click option 2 to select Computer Name.

4. Set the computer name as LON-CORE.

5. In the Restart dialog box, click Yes to restart the computer.

6. After the computer restarts, log on to server LON-CORE using the Administrator account.

7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.

Task 2: Change the computer’s date and time 1. On LON-CORE, in the sconfig.cmd main menu, type 9 to select Date and Time:

2. Click Change time zone, and then set the time zone to the same time zone that your classroom uses.

3. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. Click OK three times to dismiss the dialog boxes.

4. Exit sconfig.cmd.

Task 3: Configure the network 1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.

2. Type 8 to configure Network Settings.

3. Type the number of the network adapter that you want to configure.

4. Type 1 to set the Network Adapter Address.

5. Select static IP address configuration, and then enter the address 172.16.0.111.

6. At the Enter subnet mask prompt, type 255.255.0.0.

7. At the Enter default gateway prompt, type 172.16.0.1.

8. Type 2 to configure the DNS server address.

9. Set the preferred DNS server to 172.16.0.10.

10. Do not configure an alternate DNS server address.


11. Exit sconfig.cmd.

12. Verify network connectivity to lon-dc1.adatum.com using the Ping tool.

Task 4: Add the server to the domain 1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.

2. Type 1 to switch to configure Domain/Workgroup.

3. Type D to join a domain.

4. At the Name of domain to join prompt, type adatum.com.

5. At the Specify an authorized domain\user prompt, type adatum\administrator.

6. At the Type the password associated with the domain user prompt, type Pa$$w0rd.

7. At the prompt, click Yes.

8. Restart the server.

9. Log on to server LON-CORE with the adatum\administrator account using the password Pa$$w0rd.

Results: After finishing this exercise you will have configured a Windows Server 2012 Server Core deployment, and verified the server’s name.

Exercise 3: Managing Servers

Scenario After deploying the servers LON-SVR3 and LON-CORE for hosting the Marketing application, you need to install appropriate server roles and features to support the application. With this in mind, you will install the Windows Server Backup feature on both LON-SVR3 and LON-CORE. You will install the Web Server role on LON-CORE.

You also need to configure the World Wide Web Publishing service on LON-CORE with the following settings:

• Startup type: Automatic

• Log on as: Local System Account

• First failure: Restart the Service

• Second failure: Restart the Service

• Subsequent failures: Restart the server

• Reset fail count after: 1 days

• Restart service after: 1 minute

• Restart computer after: 1 minute


1. Create a server group.

2. Deploy features and roles to both servers.

3. Review services, and change a service setting.


Task 1: Create a server group 1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click Dashboard, and then click Create a server group.

3. Click the Active Directory tab, and then click Find Now.

4. In the Server group name box, type LAB-1.

5. Add LON-CORE and LON-SVR3 to the server group.

6. Click LAB-1. Press and hold the Ctrl key to select both LON-CORE and LON-SVR3.

7. When both are selected, scroll down and under the Performance section; select both LON-CORE and LON-SVR3.

8. Right-click LON-CORE, and then click Start Performance Counters.

Task 2: Deploy features and roles to both servers 1. In Server Manager on LON-DC1, click the LAB-1 server group, right-click LON-CORE, and then click

Add Roles and Features.

2. Click Next, click Role-based or feature-based installation, and then click Next.

3. Verify that LON-CORE.Adatum.com is selected, and then click Next.

4. Select the Web Server (IIS) Server role.

5. Select the Windows Server Backup feature.

6. Add the Windows Authentication role service, and then click Next.

7. Select the Restart the destination server automatically if required check box, and then click Install.

8. Click Close.

9. Right-click LON-SVR3, click Add Roles and Features, and then click Next.

10. Click Role-based or feature-based installation, and then click Next.

11. Verify that LON-SVR3.Adatum.com is selected, and then click Next twice.

12. Click Windows Server Backup, and then click Next.

13. Select the Restart the destination server automatically if required check box, click Install, and then click Close.

14. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

Task 3: Review services, and change a service setting 1. On LON-CORE, in a command prompt window, enter the command netsh.exe firewall set service

remoteadmin enable ALL

2. Log on to LON-DC1 with the adatum\Administrator account.

3. In Server Manager, click LAB-1, right-click LON-CORE, and then click Computer Management.

4. Expand Services and Applications, and then click Services.

5. Verify that the Startup type of the World Wide Web Publishing service is set to Automatic.

6. Verify that the service is configured to use the Local System account.


7. Configure the following service recovery settings:

o First failure: Restart the Service

o Second failure: Restart the Service

o Subsequent failures: Restart the Computer.

o Reset fail count after: 1 days

o Reset service after: 1 minute

8. Configure the Restart Computer option to 2 minutes, and close the Service Properties dialog box.

9. Close the Computer Management console.

Results: After finishing this exercise you will have created a server group, deployed roles and features, and configured the properties of a service.

Exercise 4: Using Windows PowerShell to Manage Servers

Scenario

The Marketing application vendor has indicated that they can provide some Windows PowerShell scripts to configure the web server that is hosting the application. You need to verify that remote administration is functional before running the scripts.


1. Use Windows PowerShell® to connect remotely to servers and view information.

2. Use Windows PowerShell to install new features remotely.

Task 1: Use Windows PowerShell® to connect remotely to servers and view information 1. On LON-DC1, in Server Manager, click the LAB-1 server group.

2. Right-click LON-CORE, and then click Windows PowerShell.

3. Type Import-Module ServerManager.

4. Type Get-WindowsFeature, and review roles and features.

5. Use the following command to review the running services on LON-CORE:

Get-service | where-object {$_.status -eq “Running”}

6. Type get-process to view a list of processes on LON-CORE.

7. Review the IP addresses assigned to the server with the following command:

Get-NetIPAddress | Format-table

8. Review the most recent 10 items in the security log with the following command:

Get-EventLog Security -Newest 10

9. Close Windows PowerShell.

Task 2: Use Windows PowerShell to install new features remotely 1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.


2. Type import-module ServerManager.

3. Type the following command to verify that the XPS Viewer feature has not been installed on LON-SVR3

Get-WindowsFeature -ComputerName LON-SVR3

4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. Type the following command to verify that the XPS Viewer feature has now been deployed on LON-SVR3:


6. From the Tools drop down in the Server Manager console, choose Windows PowerShell ISE.

7. In the Untitled1.ps1 script pane, type the following:

Import-Module ServerManager Install-WindowsFeature WINS -ComputerName LON-SVR3 Install-WindowsFeature WINS -ComputerName LON-CORE

8. Save the script as InstallWins.ps1 in a new folder named Scripts.

9. Press F5 to execute InstallWins.ps1.

Results: After finishing this exercise you will have used Windows PowerShell to perform a remote installation of features on multiple servers.

To prepare for the next module When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, switch to the Hyper-V Manager console.

2. In the Virtual Machines list, right click 20410A-LON-DC1, and the click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.


Module Review and Takeaways Review Questions

Question: What is the benefit of using Windows PowerShell to automate common tasks?

Question: What are the advantages to performing a Server Core deployment compared to the Full GUI deployment?

Question: What tool can you use to determine which cmdlets are contained in a Windows PowerShell module?

Question: Which role can you use to manage Key Management Services (KMS)?

Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip

Remote management connections fail.

Windows PowerShell cmdlets not available.

Cannot install the GUI features on Server Core deployments.

Unable to restart a computer running Server Core.

Unable to join the domain.

2-1

Module 2 Introduction to Active Directory Domain Services


Lesson 1: Overview of AD DS 2-2

Lesson 2: Overview of Domain Controllers 2-8

Lesson 3: Installing a Domain Controller 2-13

Lab: Installing Domain Controllers 2-18


Module Overview

Active Directory® Domain Services (AD DS) and its related services form the foundation for enterprise networks that run Windows® operating systems. The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. In this module, we will study the structure of AD DS, and various components, such as forest, domain, and organizational units (OUs).

The process of installing AD DS on a server is refined and improved with Windows Server® 2012. This module also examines some of the choices that are now available for installing AD DS on a server.

Objectives


• Describe the structure of Active Directory® Domain Services (AD DS).

• Describe the purpose of domain controllers.

• Install a domain controller.

2-2 Introductio

Lesson Overvi

Thehostformprov

In thAD Win

LesAfte

•

•

•

•

•

Ov

AD comcomimpthe wornetwcan optsoftinfraBranfewcom

PhyAD som

Ph

D

D

n to Active Directory

1 iew of A AD DS databats the service t

ms a security bvides the struc

his lesson, youDS domain co

ndows Server 2


Describe the

Describe AD

Describe OUs

Describe AD

Explain how ain the AD DS

verview of

DS is composemponents. Undmponents of Aportant part of

knowledge ofrk together, yowork, and conaccess. In add

ions including tware and updastructure, remnchCache and. Group Policy

mponents is the

ysical CompDS informatio

me of the physi

hysical compo

omain control

ata store

y Domain Services

AD DS ase stores infothat authentica

boundary, in adcture with whic

u will explore hontrollers have2012 server to


components o

DS domains.

s and their pur

DS forests and

a Schema provdomain datab

AD DS

ed of both phyderstanding theD DS work togsupporting A

f how the AD Dou can efficienttrol what reso

dition, there arinstallation anates, managin

mote access, Dcertificate han

y is a very powee key to succe

ponents on is stored in aical componen

nent De

llers C

Thin

ormation on usates user and ddition to it bech you can con

how OUs work, additional rolbe a domain c

ou will be able

of AD DS.

rpose.

d trees, and ex

vides a set of rbase.

ysical and logie way the

gether is an D DS services. DS componenttly manage yources your use

re many other nd configuringng the security irectAccess, ndling to menerful tool to mssful use of Gr

a single file onnts and where

escription

ontain copies

he file on eachnformation.

ser identity, cocomputer accoeing a searchanfigure and m

, and why youles. You will excontroller.

to:

plain how you

ules that mana

cal

With ts

our ers

g of

tion a manage all of troup Policy.

n each domainthey are store

of the AD DS

h domain cont

omputers, grouounts when th

able database omanage objects

would use thexplore various

u can deploy th

age the object

hese, and a cle

n controllers’ hed.

database.

troller that sto

ups, services anhey log on to tof objects in ths in the databa

em. You will eways that you

hem in a netw

ts and attribut

ear understand

hard disk. The f

res the AD DS

nd resources. Ithe domain. ADhe domain. ADase.

xamine why sou can promote

work.

tes that are sto

ding of the AD

following table

It also D DS D DS

ome a

ored

D DS

e lists


Physical component Description

Global catalog servers Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.

Read-only domain controller (RODC)

A special install of AD DS in a read-only form. This is often used in Branch Offices where security and IT support are often less advanced than in the main corporate centers.

Logical Components

AD DS logical components are structures that are used to implement an appropriate Active Directory design for an organization. The following table describes some of the types of logical structures that an Active Directory database might contain.

Logical component Description

Partition A section of the AD DS database. Although the database is one file: NTDS.DIT, it is viewed, managed and replicated as if it consisted of distinct sections or instances, and these are the partitions, also referred to as naming contexts.

Schema Defines the list of attributes that all objects in AD DS can have.

Domain A logical, administrative boundary for users and computers.

Domain tree A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.

Forest A collection of domains that share a common AD DS.

Site A collection of users, groups, and computers as defined by their physical locations. Sites are useful in planning administrative tasks such as replication of the AD DS.

OU These are containers in AD DS, which provide a framework for delegating administrative rights and also for linking Group Policy.

Additional Reading: For more information about domains and forests, please see Domains and Forests Technical Reference at http://go.microsoft.com/fwlink/?LinkId=104447.

2-4 Introductio

AD

An Acommanstordatathe

Thestoraccowhiaccewana cohavtoge

An Agrodomdomandin e

Wh

An Owithuserare

•

•

Youyouwithregiyou


D DS Doma

AD DS domainmputer, and grnagement andred in the AD Dabase is storedAD DS domai

re are several red in the AD Dounts. User accch to authentiess resources onts to log on toomputer that ie an account iether objects f

AD DS domainup, which have

main, their rangmain level by d autonomous,very domain i

hat Are OU

Organizationahin a domain trs, groups, comtwo reasons to

To configure You can assigOU, and the swithin the OUare policies thmanage and accounts. Thethese policies

To delegate aon an OU, theadministrator

u can use OUs can create OU

hin your organions. You can tr organization

y Domain Services

ains

n is a logical goup objects fo

d security. All oDS database, ad on every domn.

types of objecDS database, icounts providecate and then

on the networko the domain, s a member ofn AD DS. The for administrat

n is an adminise full control oge of control i

default. Althou the Enterprisen the AD DS fo

Us?

al Unit (OU) is athat you can umputers, and oo create OUs:

objects contaign Group Policsettings apply U. Group Policyhat administraconfigure com

e most commos is to link them

administrative ereby delegatir.

to represent thUs that represenization, or crethen manage t

nal model.

rouping of useor the purposeof these objectand a copy of tmain controlle

cts that can bencluding user e a mechanism authorize usek. When a usethey must do f the AD DS dodomain also stive or security

strative centerover every objes limited to thgh a domain ce Admins grouorest.

a container obse to consolid

other objects. T

ined within thecy Objects to thto all objects

y Objects (GPOtors create to

mputer and useon way to depm to OUs.

control of objing control of

he hierarchicaent the depart

eate OUs that athe configurat

er, e of ts are this r in

e

m by ers to r so at

omain. For thistores groups, wy reasons, for i

. It holds an Adect in the dom

he domain. Pasconstitutes a sup in the fores

bject ate There

e OU. he

Os)

er loy

ects within thethat OU to a u

l, logical structtments within yare a combination and use o

s reason, eachwhich are the instance user a

dministrator amain; however,ssword and accsecurity boundst root domain

e OU. You canuser or group w

tures within yoyour organization of both df user, group,

domain-joinemechanism fo

accounts and c

account and a unless they acount rules are

dary that is largn has full contr

n assign managwithin AD DS

our organizatiotion, the geog

departmental aand computer

ed computer mor grouping computer acco

Domain Admire in the forese managed at gely self-manarol over every o

gement permiother than the

on. For exampgraphic regionand geographir accounts bas

must

ounts.

ins t root the

aging object

ssions e

ple, s ic sed on


Every AD DS domain contains a standard set of containers and OUs that are created when you install AD DS, including the following:

• Domain container. Serves as the root container to the hierarchy.

• Builtin container. Stores a number of default groups.

• Users container. The default location for new user accounts and groups that you create in the domain. The users container also holds the administrator and guest accounts for the domain, and some default groups.

• Computers container. The default location for new computer accounts that you create in the domain.

• Domain controllers OU. The default location for the computer accounts for domain controllers computer accounts. This is the only OU that is present in a new installation of AD DS.

Note: None of the default containers in the AD DS domain can have Group Policies linked to them, except for the default domain controllers OU and the domain itself. All the other containers are just folders. To link Group Policies to apply configurations and restrictions, create a hierarchy of OUs, and then link Group Policies to them.

Hierarchy Design

The design of an OU hierarchy is dictated by the administrative needs of the organization. The design could be based on geographic, functional, resource, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility as possible. For example, if all computers that IT administrators use must be configured in a certain way, you can group all computers in an OU, and then assign a policy to manage its computers. To simplify administration, you also can create OUs inside other OUs.

For example, your organization might have multiple offices, and each office might have a set of administrators who are responsible for managing user and computer accounts in the office. In addition, each office might have different departments with different computer configuration requirements. In this situation, you could create an OU for the office that is used to delegate administration, and create a department OU inside the office OU to assign desktop configurations.

Although there is no technical limit to the number of levels in your OU structure, for the purpose of manageability limit your OU structure to a depth of no more than 10 levels. Most organizations use five levels or fewer to simplify administration. Note that Active Directory-enabled applications can have restrictions on the OU depth within the hierarchy, or the number of characters that can be used in the distinguished name (the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory).

2-6 Introductio

Wh

A fotreedomforerootin oforescheaddSchedomcon

Exam

•

•

Wh

Theall odatafor A

AD widstanthatvaristordatais m

AD handefi

Objthis AD orig


hat Is an A

orest is a colleces. A tree is a cmains.. The firsest is called thet domain holds

other domains est root domaiema master an

dition, the Enteema Admins g

main. The Entetrol over every

mples of why

In certain circorganization,might be the domain of adof the parent

There may be(adatum.comexists in one fdifferent namtree.

hat Is the A

schema is theobjects and atta. It is sometimAD DS.

DS stores and e variety of ap

ndardizes how t it can store aous sources. Bred, AD DS cana, while ensuri

maintained.

DS uses objecdles data, the inition in the s

ect definitionsinformation, tDS can store,

ginal source of

y Domain Services

AD DS Fore

ction of one orollection of ont domain that e forest root dos a few objectsin the forest. Fn holds two sp

nd the domainerprise Adminsgroup exist onlrprise Admins y domain in th

more than one

cumstances, it and these aredomain at the

datum.com, andomain, for e

e a requiremen) and Fabrikamforest, you cou

mespaces, all ob

AD DS Sch

e AD DS comptributes that A

mes referred to

retrieves inforpplications and

data is storednd replicate d

By standardizinn retrieve, updng that the int

ts as units of sdirectory quechema, the dir

s control the tythe schema enretrieve, and vthe data. Only

est?

r more domainne or more is created in t

omain. The fors that do not eFor example, tpecial roles, thn naming masts group and thly in the forestgroup has ful

he forest.

e domain may

might be advae typically struce root of a fore

nd have a namexample atl.ada

nt to have diffem, Inc. (fabrikauld add a tree bjects in this fo

hema?

onent that defAD DS uses to so as the bluepr

rmation from ad services. AD in the directoata from these

ng how data is ate, and replictegrity of the d

storage. All objries the schemrectory creates

ypes of data thnsures that all ovalidate the day data that ha

n

the rest exist he e

ter. In he t root l

y be required i

antageous to hctured in a treest. Another de that is basedatum.com.

erent namespaam.com) were to accommod

orest would fu

fines store rint

a DS

ory so e

cate data

jects are definma for an appro

s the object an

hat the objectsobjects confor

ata that it mans an existing o

n the forest:

have more thaee. For instanceomain could b

d on the DNS s

aces in the forto merge, the

date the seconunction as if th

ned in the scheopriate object nd stores the d

s can store, anrm to their staages, regardle

object definitio

an one domaine, The A. Datube added to thstructure and

rest. If A. Datumn although the

nd namespace.he domains we

ema. Each timedefinition. Ba

data.

d the syntax ondard definitio

ess of the applon in the schem

n in the m Corporationhe tree as a chincludes the n

m Ltd e organization Apart from th

ere both in the

e that the direcsed on the obj

of the data. Usons. As a resulication that is ma can be stor

n ild ame

n he e same

ctory ject

ing t, the red in


the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.

In AD DS, the schema defines the following:

• Objects that are used to store data in the directory

• Rules that define what types of objects you can create, what attributes must be defined when you create the object (mandatory), and what attributes are optional

• Structure and the content of the directory itself

You can use an account that is a member of the Schema Administrators to modify the schema components in a graphical form. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many attributes are location, accountExpires, buildingName, company, manager, and displayName.

The schema master is one of the single master operations domain controllers in AD DS. Because it is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master operations role.

The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest.

Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary, through a tightly controlled process, and after you have performed testing to ensure that there will be no adverse effects to the rest of the forest.

Although you might not make any change to the schema directly, some applications make changes to the schema to support additional features. For example, when you install Microsoft® Exchange Server 2010 into your AD DS forest, the installation program extends the schema to support new object types and attributes.

Additional Reading

For more information about Windows Server 2012 Release Candidate, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-default.aspx.

For more information about Windows Server 2012 Overview, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-overview.aspx.

For more information about Windows Server 2012 Capabilities, see http://www.microsoft.com/en-us/server-cloud/windows-server/2012-capabilities.aspx.

For more information about Windows Server 8 (a one-hour long video), see http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F.

2-8 Introductio

Lesson 2Overvi

Beccriti

Thisproc

All dperfless

LesAfte

•

•

•

•

•

Wh

A docondataVoluexcea reSYSVthe sett

YousyncdatadomDistandAD Kerboptdescwhithe

An Adom


2 iew of Dause domain ccal to the corr

s lesson examicess. In additio

domain controformed on speon.


Describe the

Describe the

Describe the the logon pro

Describe the

Explain the fu

hat Is a Do

omain controllfigured to stoabase (NTDS.Dume (SYSVOL)ept read-only

ead/write copyVOL folder. NTSYSVOL foldeings for GPOs.

u can use the Achronize changabase betweenmain. The SYSVtributed File Sy updates betwDS database. Dberos service, wionally configucribed in the nch provides loservice that is

AD DS domainmain controller

y Domain Services

Domaincontrollers arerect functionin

nes domain coon, this lesson

ollers are essenecific domain c


purpose of do

purpose of the

AD DS logon pocess.

functionality o

unctions of ope

omain Con

ler (DC) is a sere a copy of th

DIT) and a copy folder. All dodomain contro

y of both NTDSTDS.DIT is the r contains all t.

AD DS replicatiges and updatn the domain cVOL folders areystem (DFS) Reween each otheDomain controwhich is used ure domain conext topic. Domgon and passwsues the Ticke

n should alwayrs fails, there is

n Contro responsible fo

ng of the netwo

ontrollers, the discusses the

ntially the samcontrollers call

ou will be able

omain controlle

e global catalo

process, and th

of SRV records

erations maste

ntroller?

rver that is he AD DS direcy of the Systemmain controlleollers (RODCs)S.DIT and the database itsel

the template

ion service to tes to the AD Dcontrollers in te replicated eiteplication. Theer, and unless ollers host sevby user and co

ontrollers to homain controlleword change ct to Get Ticket

ys have a minims a backup to e

ollers or all authenticork.

logon processpurpose of the

e, but there arled operations

to:

ers.

og.

he importance

.

ers.

ctory m ers ) store

f, and

DS the ther by the file

e domain contrthey are an ROeral other Actiomputer accouost a copy of thers also run somcapabilities, ants (TGT) to an a

mum of two densure continu

cations, doma

s, and the impoe global catalo

re certain opermasters, whic

e of DNS and s

e replication serollers in each ODC, they all sive Directory–unts for logonhe Active Direme important nd the Key Distaccount that l

domain controuity of the AD

in controller d

ortance of theog.

rations that cach are discusse

service (SRV) r

ervice (FRS), odomain replic

store a read/wrelated service

n authenticatioectory Global C

services includtribution centeogs on to the

llers. This way,DS domain se

deployment is

e DNS in that

an only be ed at the end o

esource record

r by the newecate all the cha

write copy of thes, including thon. You can Catalog, whichding Kerberos,er (KDC). The KAD DS domai

, if one of the ervices. When y

of this

ds in

r anges he he

is , KDC is n.

you

depe

InbeofBifr

Youncous

openseit

W

Wcothouobcoonpdomgdaofth

ThthinpeexacExthca

Inindo

ecide to add merformance re

n a branch office deployed to f information iitLocker ensurom it.

Note: An ou can deploynreliable Wideontroller, whicsers locally wit

Note: Winperating systencrypts the enecret key and (to another co

What Is the

Within a single ontains all the hat domain. Thutside the dombject in AD DSontrollers for tne domain in trovide any resomain. For thi

more domain colobal catalog. atabase that cf every object hat is created i

he global catahe subset of atnclude firstnamerform a searcxample, when ccount so thatxchange serveheir Active Direatalog to chec

n a single domn a multi-domaomain control

more than twoquirements; h

ce where secureduce the im

is much lower es that there i

RODC is a doy an RODC in ae Area Networh might presethout providin

ndows BitLockms, and for cetire operating (optionally) pa

omputer.

e Global C

domain, the Ainformation a

his informationmain. For examS is directed tothat domain. Ifthe forest, theults for objects reason, you controllers to stThe global catontains a searfrom all the ds the first dom

log does not cttributes that ame, displaynach against a gloan Exchange s

t it can decide r is able to locectory accountk for universal

ain, all domainain environmelers are config

o domain controwever, two d

rity may be lesmpact of a brea

than with a fus a very low ch

main controllea remote site wk (WAN) connnt a security rig any write ca

ker® is a drive eertain Window

system so thaassing an integ

atalog?

AD DS databasbout every ob

n is not replicample, a query fo one of the dof there is moren that query ws in a differentcan configure tore a copy oftalog is a districhable represeomains in a m

main controller

contain all attrare most likely ame, and locatobal catalog raserver receiveshow to route

cate the recipiet, the domain l group memb

n controllers shent, the Infrastrgured to hold a

rollers, considedomain contro

ss than optimaach of defenseull read-write dhance of an int

er that holds a where users minection. Ratherisk, you could

apability to the

encryption syss client operat

at the computegrity check. A d

e bject in ted or an omain e than will not t one or

f the buted entation ulti-domain fo

r in the forest r

ributes for eacto be useful intion. There coather than a ds an incoming the message.

ent in a multi-dcontroller perf

berships before

hould be confructure mastera copy of the g

20410A: Instal

er the size of yllers should be

al, there are soes. If an RODC domain controtruder being a

read-only copight have difficr than deploy ainstall a RODC

e AD DS datab

stem that is avting system veer cannot startdisk stays encr

orest. By defauroot domain.

h object. Insten cross-domai

ould be a variedomain contro

email, it needBy automaticadomain enviroforming the ae the user is au

figured as holdr should not bglobal catalog


your organizate considered a

ome additionais compromis

oller. If a hard able to gain an

py of the AD Dculty logging oa full read/writC, which can abase.

vailable for Winersions. BitLockt without beinrypted even if y

ult, the only gl

ead, the globalin searches. Thty of reasons wller that is nots to search for

ally querying aonment. Whenuthentication uthenticated.

ders of the globe a global catag depends on r

g Windows Server®

tion and the an absolute mi

l measures thaed, the potentdrive is stolen,

ny useful inform

DS database. on over an te domain uthenticate

ndows Server ker securely g supplied a you transfer

obal catalog s

l catalog mainhese attributeswhy you wouldt a global catalr the recipienta global catalon a user logs omust contact

obal catalog; hoalog server. Wreplication traf

2012 2-9

inimum.

at can tial loss , then mation

server

tains might d log. For ’s g, the n to a global

owever, Which

ffic and

2-10 Introduct

netwserv

Th

WheDNSdomspecrecousindomIf thauthThe(SIDusercredMicto c

Siterecotryin

Admcondatabran

SRVthe thosthe /reg

271(413storpartaccoby vacco

AlthuserAD AD the seco

ion to Active Directo

work bandwidver.

Question: Sh

e AD DS L

en you log on S for SRV reco

main controllercify informatioorded in DNS bng DNS lookupmain controllerhe logon is suchority (LSA) bu access token

Ds) for the userr is a member.dentials for anyrosoft Office W

check the level

s are used by ords in DNS. Tng elsewhere.

ministrators canectivity and bacenter by an nch office as se

V records are reSRV records ase records by rSRV records; i

gisterdns from

Note: A SID587809-500, w30086281-375red (usually thet of the SID thaount and everyvirtue of the uount because

hough the logor provides credDS database. IDS database, tdomain contr

ondary proces

ry Domain Services

th. Many orga

hould a domain

Logon Proc

to AD DS, yourds to locate tr. SRV records on on availableby all domain ps, clients can r to service theccessful, the locuilds an accesscontains the sr and any grou. This providesy process initia

Word® and att of the user’s p

a client systemhen the client

n define sites bandwidth. Founreliable WAeparate sites in

egistered in Dre not enteredrestarting the f you want to

m a command

D is a unique nwhere S-1-5-252200129-2715e AD DS domaat uniquely idey group that ynique RID. Youit ends with th

on process appdentials, usuallIf the user accothe user becomoller. At this ps in the backg

anizations are o

n controller be

cess

ur system lookhe nearest suiare records th

e services, andcontrollers. Bylocate a suitabeir logon requcal security token for the ecurity identif

ups of which th the access ated by that uempts to openpermissions fo

m when it needsystem attem

in AD DS. Sitesor example, theAN link. In this n AD DS.

NS by the Netd in DNS correNet Logon serreregister the prompt, just a

umber in the f1 represents th587809) are thain), and the laentifies that ac

you create havu can tell that he “well-known

pears to the usly a user accouount name anmes an authenoint, the user round submits

opting to mak

e a global cata

ks in table

hat are

y ble ests.

user. fiers he

ser. For exampn a file. Word u

or that file.

ds to contact apt to connect

s will usually aere might be acase, it would

t Logon serviceectly, you can trvice on that dhost record in

as you would f

form of S-1-5-he type of ID, he number of tast section (500ccount in the de a unique SIDthis particular

n” RID 500.

ser as a single unt name and d the passwor

nticated user, adoes not haves the TGT to th

ke every doma

alog?

ple, after loggiuses the crede

a domain contto a domain c

align with partsa branch office be better to d

e that is runnintrigger the domdomain contronformation in Dfor any other c

-21-41300862the next threethe database w0) is the relativdatabase. EverD but they onlyr SID is the SID

event, it is actpassword, wh

rd match the inand is issued ae access to anyhe domain con

ain controller a

ing on to AD Dentials in the u

roller. It starts controller in th

s of the netwoe that is connedefine the data

ng on each domain controlle

oller. This proceDNS, you muscomputer.

81-375220012e blocks of numwhere the accove ID (RID), whry user and comy differ from e

D for the admin

tually made upich are then cnformation th

a ticket-grantiny resources on ntroller, and re

a global catalo

DS, a user runsuser’s access to

by looking uphe same site be

ork that have gected to the maacenter and th

omain controlleer to reregisteress only reregist run ipconfig

29-mbers ount is hich is the mputer each other nistrator

p of two parts.hecked againsat is stored in ng ticket (TGT)the network.

equests access

g

s oken

p SRV efore

good ain he

er. If r isters g

. The st the the ) by A to

thlom

Wpcoev

ofnaofvireth

D

ThThloco

D

V1.

2.

W

AeqpecoadabdoopSi“f

•

•

he local machiocal computer.machine.

When a user surocess is run aontroller returnvent at that co

Note: A dften overlookeame and a pasf the Authenticsual confirmat

ecord the activhe Security Log

Demonstra

he demonstrathese records a

ogon, passwordontrollers to fi

Demonstrati

View the SRV. Open the D

. View the dithat clients

What Are O

lthough all doqual, there areerformed by taontroller. For edditional domble to connectomain controlperations masingle Master Ofizz-mos”). The

Each forest domain nam

Each AD DScontroller (

ne. The domai. At this point

bsequently attgain, and the ns the ticket, t

omputer.

domain-joineded. You do notssword to log ocated Users grtion in the formvity. Additionag of the Event

ation: View

tion shows theare crucial to thd changes, andnd replication

ion Steps

V records byDNS Manager

ifferent SRV recan discover t

Operations

omain controllee some tasks thargeting one pexample, if youain to the foret to the domailers that have ters, single ma

Operations (FSMey are distribut

has one schemming master.

S domain has oPDC} emulato

in controller isin the process,

tempts to conTGT is submitthe user can ac

computer alst see the transaon to AD DS. Oroup. Althoughm of a graphiclly, if auditing Viewer.

wing the SR

e various typeshe operability d Group Policypartners.

y using DNSr window, and

ecords that arethem.

s Masters?

ers are essentihat can only beparticular domu need to add est, then you mn naming masthese roles are

aster roles, or FMOs) (pronouted as follows:

ma master and

one RID master.

ssues a ticket to, the user is au

nect to anotheted to the neaccess the comp

o logs on to Aaction when thOnce authentih the computec user interfaceis enabled, the

RV Record

s of SRV recordof AD DS, bec

y Object (GPO)

S Managerexplore the u

e registered by

?

ally e

main an

must be ster. The e called Flexible nced

d one

er, one infrastr

20410A: Installin

o the user, whuthenticated to

er computer orest domain cputer on the n

AD DS when thhe computer ucated, the com

er logon procee (GUI), there aere are more e

ds in DNS

ds that the domcause they are ) editing. SRV

nderscore DN

y domain contr

ructure master


ho is then able o AD DS and lo

on the networkontroller. Whe

network, which

hey start—a facuses its compumputer becomess does not haare event log eevents that are

main controlleused to find drecords are al

S domains.

rollers to prov

r, and one prim

Windows Server® 20

to interact wiogged on to t

k, the secondaen the domainh generates a l

ct that is uter account

mes a member ave any events that e viewable in

ers register in Ddomain controso used by do

vide alternate p

mary domain

012 2-11

th the he local

ry n ogon

DNS. ollers for omain

paths so

2-12 Introduction to Active Directory Domain Services

The following is a list of Single Master Roles:

• Schema master. The domain controller where any schema changes are made. To make changes you would typically log on the schema master as a member of both the Schema Admins and Enterprise Admins groups. A user who is a member of both of these groups and who has the appropriate permissions could also edit the schema by using a script.

• Domain naming master. The domain controller that records additions and removals of domains and also domain name changes.

• RID master. Whenever an object is created in AD DS, the domain controller where the object is created assigns the object a unique identifying number known as a SID. To ensure that no two domain controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain controller within the domain.

• Infrastructure master. This role is responsible for maintaining inter-domain object references, such as when a group in one domain contains a member from another domain. In this situation, the infrastructure master is responsible for maintaining the integrity of this reference. For example, when you look at the security tab of an object, the system looks up the SIDs that are listed and translates them into names. In a multi-domain forest, the infrastructure master looks up SIDs from other domains. The Infrastructure role should not reside on a global catalog server. The exception is when you follow best practices and make every domain controller a global catalog. In that case, the Infrastructure role is disabled because every domain controller knows about every object in the forest.

Note: The Infrastructure role should not reside on a global catalog server. For example, the security tab on an object (file, folder, printer) has a list of SIDs with a matrix of permissions assigned. To ease administration, these SIDs are converted into names such as users and groups, usually before you even see the SIDs appear. If there is more than one domain in the AD DS forest, then there may be SIDs from remote domains in the security tab, and because they are not recognized on the local domain, a mechanism is necessary to look up the actual names. The infrastructure master does this by referring to a GC. If the infrastructure master is also configured as a GC, then the infrastructure service is disabled.

• PDC emulator. The domain controller that holds the PDC emulator role is the time source for the domain. The domain controllers that hold the PDC emulator role in the forest sync with the domain controller that has the PDC emulator role in the forest root domain. You set this domain controller to synchronize with an external atomic time source. The PDC emulator is the domain controller that receives urgent password changes. If a user’s password is changed, the information is sent immediately to the domain controller holding the PDC emulator role. This means that if a user’s password was changed and they subsequently tried to logon, if they were authenticated by a domain controller in a different location that hadn’t yet received an update about the new password, it would contact the domain controller holding the PDC emulator role and check for recent changes. When a group policy other than a local group policy is opened for editing, the copy that is edited is the one stored on the PDC emulator.

Note: The global catalog is not one of the Operations Master roles.

Question: Why would you make a domain controller a global catalog server?

LessonInstal

Sosyredoyo

Thusdisnup

LeA

•

•

•

•

In

Prpdodcre

“TInMht1”

yodchosu

WcoDin

n 3 ling a D

ometimes youystem. It mightesources. Perhaomain controlou use varies w

his lesson examsing Server Maiscusses installnapshot of thepgrading a do


Explain how

Explain how

Explain how

Explain how

nstalling a

rior to Windowractice to use tomain controlcpromo on a eceive the follo

The Active nstallation W

Manager. Fottp://go.micr”

Note: Theou run on a secpromo.exe haowever, in Winupported for u

When you run Somputer, on a

Directory Domnstalled, but AD

Domainneed to insta

t be that the eaps you are pllers. You also

with the circum

mines several wanager to instaing AD DS on

e AD DS databaomain controlle


w to install a d

w to install a d

w to upgrade a

w to install a d

Domain C

ws Server 2012the dcpromo.lers. If you atteWindows Serv

owing error me

Directory Wizard is reor more rosoft.com/fw

e dcpromo.exeerver to make tas been the prndows Server 2unattended ins

Server Manageremote comp

main Services D DS is not yet

Controll additional do

existing domaianning for a nmight be setti

mstances.

ways to install all AD DS on aa Server Core ase that is storer from an ear

you will be ab

omain control

omain control

a domain cont

omain control

Controller

2, it was comm.exe tool to inempt to run ver 2012 serveessage:

Domain Selocated in

informationwlink/?LinkId=

e tool is a tool the server an Areferred metho2012, this toolstallations from

er, you can choputer, or by merole. At the ent set up on tha

oller omain controln controllers a

new remote offng up a test la

additional do local machineinstallation, a

red on removarlier Windows o

le to:

ller by using th

ller on a Serve

troller.

ller by using In

by Using

mon stall

r, you

Services Server

n, see =22092

that AD DS domainod to install AD is replaced wi

m the comman

oose whether embers of a send of the initiaat server. A me

20410A: Installin

lers on your Ware overworkedfice that requiab or a backup

main controllee and on a remnd installing Aable media. Yooperating syst

he GUI.

er Core installa

nstall from Me

a GUI

n controller. UnD DS, and it usith Server Man

nd–line interfac

the operationerver pool. Youal installation pessage to that


Windows Served and you neeres you to dep

p site. The insta

ers. It demonstmote server. ThAD DS on a coou will also exatem to Window

ation of Windo

edia (IFM).

ntil Windows Ssually runs in Gnager. Dcpromce.

is performed u then choose process, the ADeffect displays

Windows Server® 20

er 2012 operated additional ploy one or moallation metho

trates the prochis lesson also mputer using amine the procws Server 2012

ows Server 201

Server 2012, GUI mode;

mo.exe is still

on the local to add the Ac

D DS binaries as in Server Ma

012 2-13

ting

ore od that

cess of

a cess of 2.

12.

ctive are nager.


You can select the link to Promote this server to a domain controller, and then AD DS promotion wizard runs. You are then asked the following questions about the proposed structure.

Required information Description

Add a domain controller to an existing domain

Choose whether an additional domain controller is added to a domain.

Add a new domain to an existing forest Create a new domain in the forest.

Add a new forest Create a new forest.

Specify the domain information for this operation

Supply information about the existing domain to which the new domain controller will connect.

Supply the credentials to perform this operation

Enter the name of a user account that has the rights to perform this operation.

Some other information you need to collect before running the promotion is listed in the following table.

Required information Description

DNS name for the AD DS domain For example, adatum.com

NetBIOS name for the AD DS domain For example, adatum

Whether the new forest needs to support Domain controllers running previous versions of Windows operating systems (affects choice of functional level)

Will there also be Windows Server 2008 domain controller?

Whether this domain controller will contain DNS

Your DNS must be functioning well to support AD DS

Location to store the database files (For example, NTDS.DIT, edb.log, or edb,chk)

By default, these files will be stored in C:\windows\NTDS

The wizard continues through several different pages where you can enter prerequisites such as the NetBIOS domain name, DNS configuration, whether this domain controller should be a global catalog server, and the Directory Services Restore Mode password. Finally, you must reboot to complete the installation.

Note: If you need to reinstall the AD DS database from a backup, reboot the domain controller in Directory Services Restore Mode. When the domain controller boots up, it is not running the AD DS services; instead, it is running as a member server in the domain. To log on to that server in the absence of AD DS, log on using the Directory Services Recovery Mode password.

InS

Incothcaon

•

•

•

U

ThSeupcosesenoInWA

U

FofrSe20

Yoindo

A20upW

nstalling aerver 2012

nstall AD DS byonnect to the she AD DS binaan complete thne of three wa

In Server Mto completconfiguratioand setup o

Create an a/unattend:“D:\answerffile.

Run dcprom

dcpromo //replicaO/database/safeMode

Upgrading

here are two werver 2012 dompgrade the opontrollers, or inervers as domaecond is the pro old or disuse

nstead, you havWindows Serve

D DS database

Upgrading to

or an organizaom one runninerver 2012 fun008 operating

ou can achieventroducing newomain control

lthough there 008 domain, wpgrade the sch

Windows Serve

Domain C2

y using Server server core serries and the sehe installation ays:

Manager, click te the post-depon. This starts of the domain

answer file and:”D:\answerfifile.txt” is the p

mo /unattend

/unattend /InOrNewDomain:ePath:"c:\ntdeAdminPasswo

a Domain

ways to upgradmain controlle

perating systemntroduce Windain controllers.referred methoed code and five a clean instr 2012 operatie.

o Windows

ation to upgradng at Window

nctional level, asystem to the

e this by upgraw domain contlers.

is no reason twhen the time hema. To upgrr 2012 installa

Controller

Manager to rerver. Once youerver is rebootand configura

the notificationployment the configuratcontroller.

d run dcpromoile.txt” where path to the an

d with the app

nstallDns:yereplica /repds" /logPathrd:Pa$$w0rd

n Controlle

de to a Windower: you can eithm on existing ddows Server 20. Of the two, thod, because thles remaining.

tallation of theing system and

Server 201

de an AD DS dws Server 2008 all the domaine Windows Ser

ading all of thetrollers runnin

to prevent Wincomes to have

rade the schemtion media.

on a Serve

emotely u install ted, you ation in

n icon

tion

o

swer

propriate switc

s /confirmgllicadomaindn:"c:\ntdslog/rebootOnCom

er

ws her domain 012 he here are

e d

2

domain functional leve

n controllers mver 2012 oper

e existing domg Windows Se

ndows Server 2e domain contma, you must r

20410A: Installin

er Core In

ches, for examp

obal catalognsname:”mynewgs" /sysvolpampletion:yes

el to an AD DSmust first be uprating system.

main controllererver 2012, and

2012 servers frtrollers runninrun the adpre


stallation

ple:

g:yes wdomain.com” ath:"c:\sysvo

S domain runnpgraded from t

rs to Windows d then phasing

rom being parg Windows Se

ep tool that is i

Windows Server® 20

of Window

ol"

ning at Windowthe Window Se

Server 2012, og out the exist

rt of a Windowerver 2012, youincluded in the

012 2-15

ws

ws erver

or by ting

ws Server u must e

2-16 Introduct

To urun gro

•

•

•

In aWindom

Int

Theeithupg

1.

2.

3.

Witevedoin

To i

1.

2.

to WServ200

Ins

If younreaddlocaoftethe

For remAD datadom

ion to Active Directo

upgrade the scadprep /foreups to have th

Schema Adm

Enterprise Ad

Domain Adm

ddition, you mndows Server 2main, in an elev

roduce Win

re are two wayher upgrade Wgrade the oper

Insert the inst

After the lang

After the opeinstallation dand apps.

h this type of urything is upgng an upgrade

ntroduce a cle

Deploy and c

Promote the the other me

Note: You cWindows Servever, you must e8 R2, or perfo

stalling a D

ou have an inteliable, or cost

d another domation or branchen better to deInstall from M

example, if yomote office and

DS, you will neabase and the main controller

ry Domain Services

chema, log onestprep from ahe necessary rig

ins for the fore

dmins for the f

mins for the dom

must run the ad2012 servers asvated cmd.exe

ndows Serve

ys to introduceWindows Server

rating system o

tallation disk f

guage selectio

erating system do you want?

upgrade, thereraded in placee.

ean install of W

configure a new

new server to thods describe

can upgrade der 2012. To upeither performrm a clean inst

Domain Co

ervening netwtly, you might ain controller h office. In thiseploy AD DS to

Media (IFM) me

ou connect to ad use Server Meed to copy thSYSVOL folde

r. This process

to the schemaan elevated cmghts to run th

est

orest

main where th

dprep commas domain conte window, run

er 2012 Dom

e Windows Ser 2008 to Windof a Windows

or Windows Se

n page, select

selection wind? window, choo

e is no need toe. Remember t

Windows Serve

w installation o

be a domain ced previously.

directly from Wgrade servers

m an interim uptall.

ontroller b

work that is slofind it necessaat a remote

s scenario, it iso a server by uethod.

a server in theanager to inst

he entire AD Der to the new

must take pla

a master for thmd.exe windowis command:

he schema mas

and again in earollers. To do tadprep /dom

main Contro

rver 2012 domdows Server 20Server 2008 d

erver 2012, an

Install now.

dow and the liose Upgrade:

o preserve useo check for ha

er 2012 as a do

of Windows Se

controller in th

Windows Servethat are runnipgrade to Win

by Using IF

w, ary to

using

tall

DS

ce

he forest, and w. You must be

ster resides

ach domain wthis, on the Inf

mainprep /gpp

ollers

main controller012, or you caomain control

nd run Setup.

icense acceptaInstall Windo

rs’ settings andardware and so

omain membe

erver 2012 and

he domain by

r 2008 and Wing an earlier v

ndows Server 2

FM

in the supporte a member of

where you planfrastructure mprep.

rs into your don have a cleanller to Window

ance page, on ows and keep

d reinstall appoftware compa

er:

d join it to the

using Server M

indows Server version of Win2008 or Windo

t\adprep direcf all of the foll

n to introduce master for the

omain. You cann installation. Tws Server 2012

the Which typp files, setting

plications; atibility before

e domain.

Manager or on

2008 R2 dows

ows Server

ctory, owing

n To 2:

pe of gs,

e

ne of


over a potentially unreliable wide area network (WAN) connection. As an alternative, and to significantly reduce the amount of traffic copied over the WAN link, you can make a backup of AD DS by using the NTDSUTIL tool. When you run Server Manager to install AD DS, you can then select the option to Install from Media. Most of the copying is then done locally (perhaps from a USB drive), and the WAN link is used only for security traffic, and to ensure that the new domain controller receives any changes that are made after you create the IFM backup.

To install a domain controller by using IFM, browse to a writable domain controller but not an RODC. Use the NTDSUTIL tool to create a snapshot of the AD DS database, and then copy it to the server that will be promoted to a domain controller. Use Server Manager to promote the server to a domain controller by selecting the Install from Media option, and by providing the local path to the IFM directory that you created previously.

The full procedure is as follows:

1. On the full domain controller, type the following commands (where C:\IFM is the destination directory that will contain the snapshot of the AD DS database) at an administrative command prompt, and press Enter after each line:

Ntdsutil activate instance ntds ifm create SYSVOL full C:\IFM

2. On the server that you are promoting to a domain controller, perform the following steps:

a. Use Server Manager to add the AD DS Role.

b. Wait while the AD DS binaries are installed.

c. In Server Manager, click the notification icon to complete the post-deployment configuration and a wizard runs.

d. At the appropriate time during the wizard, select the option to install from IFM, and then provide the local path to the snapshot directory.

AD DS then installs from the snapshot. When the domain controller reboots, it contacts other domain controllers in the domain and updates AD DS with any changes that were made since the snapshot was created.

Additional Reading: For more information about the steps necessary to install AD DS, see http://technet.microsoft.com/en-us/library/hh472162.aspx.

Question: What is the reason to specify the Directory Services Restore Mode password?


Lab: Installing Domain Controllers Scenario

A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have been asked also to create a new domain controller for a branch office by using IFM.

Objectives

After performing this lab, you will be able to:

• Install a domain controller.

• Install a domain controller by using IFM.

Lab Setup Estimated time: 60 minutes

Virtual Machines 20410A-LON-DC1 (start first)

20410A-LON-SVR1

20410A-LON-RTR

20410A-LON-SVR2


Password Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.



o User name: Administrator


o Domain: Adatum

4. Repeat steps 1 to 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Installing a Domain Controller

Scenario

Users have been experiencing slow logon in London during peak usage times. The server team has determined that the domain controllers are overwhelmed when many users are authenticating simultaneously. To improve logon performance, you are adding a new domain controller in the London data center.



1. Add an Active Directory® Domain Services (AD DS) role to a member server.

2. Configure a server as a domain controller.

3. Configure a server as a global catalog server.

Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server 1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. From Server Manager, add LON-SVR1 to the server list.

3. Add the Active Directory Domain Services server role to LON-SVR1. Add all required features as prompted.

4. Installation will take several minutes, when the installation is succeeded, click Close to close the Add Roles and Features Wizard.

Task 2: Configure a server as a domain controller 1. Use Server Manager on LON-DC1 perform post-deployment configuration to promote LON-SVR1 to

a domain controller with the following options:

a. Add a domain controller to the existing adatum.com domain

b. Use the credentials Adatum\Administrator with the password Pa$$w0rd.

c. For Domain Controller Options, install the Domain Name System but remove the selection to install the Global Catalog.

d. DSRM password: Pa$$w0rd.

e. All other options: default.

Task 3: Configure a server as a global catalog server 1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. Use Active Directory Sites and Services to make LON-SVR1 a global catalog server.

Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM

Scenario

You have now been assigned by management to manage one of the new branch offices that are being configured. A faster network connection is scheduled to be installed in a few weeks. Until that time, network connectivity is very slow.

It has been determined that the branch office requires a domain controller to support local logons. To avoid problems with the slow network connection, you are using IFM to install the domain controller in the branch office.


1. Use the NTDSUTIL tool to generate Install from Media (IFM).

2. Add the AD DS role to the member server.

3. Use IFM to configure a member server as a new domain controller.


Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM) • On LON-DC1, open an administrative command-line interface, and use NTDSUTIL to create an IFM

backup of the AD DS database and of the SYSVOL folder.

Task 2: Add the AD DS role to the member server 1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.

2. Open a command prompt and map K: to \\LON-DC1\C$\IFM.

3. Add the AD DS server role to LON-SVR2.

Task 3: Use IFM to configure a member server as a new domain controller 1. Open a command prompt and use Robocopy to copy the IFM backup from K: to c:\ifm on

LON-SVR2.

2. Use Server Manager on LON-SVR2 to perform the post-deployment configuration of AD DS using the following options:

a. Add a domain controller to the existing adatum.com domain

b. Use Adatum\Administrator with the password Pa$$w0rd for credentials.

c. DSRM password: Pa$$w0rd

d. Use the IFM media to configure and install AD DS.

e. Accept all other defaults.

3. Restart LON-SVR2 to complete the AD DS installation.

Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.


1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.



Question: What are the two main purposes of organizational units?

Question: Why would an organization need to deploy an additional tree in the AD DS forest?

Question: Which deployment method would you use if you had to install an additional domain controller in a remote location that had a limited WAN connection?

Question: If you needed to promote a Server Core installation of Windows Server 2012 to be a domain controller, which tools could you use?

3-1

Module 3 Managing Active Directory Domain Services Objects


Lesson 1: Managing User Accounts 3-3

Lesson 2: Managing Group Accounts 3-15

Lesson 3: Managing Computer Accounts 3-22

Lesson 4: Delegating Administration 3-27

Lab: Managing Active Directory Domain Services Objects 3-30


Module Overview

User accounts are fundamental components of network security. Stored in Active Directory® Domain Services (AD DS), they identify users for the purposes of authentication and authorization. Because of their importance, an understanding of user accounts and the tasks related to supporting them are critical aspects of administering a Microsoft Windows® enterprise network.

Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role might change over time, but the role will remain relatively the same. For that reason, it is not sensible to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Instead, you should associate management tasks with groups. Consequently, it is important that you know how to use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, and to assign rights and permissions.

Computers, like users, are security principals:

• They have an account with a logon name and password that Windows changes automatically on a periodic basis.

• They authenticate with the domain.

• They can belong to groups, and have access to resources, and you can configure them by using Group Policy.

Managing computers—both the objects in Active Directory and the physical devices—is one of the day-to-day tasks of most IT pros. New computers are added to your organization, taken offline for repairs, exchanged between users or roles, and retired or upgraded. Each of these activities requires managing the computer’s identity, which is represented by its object, or account, and AD DS. As a result, it is important that you know how to create and manage computer objects.

In small organizations, one person may be responsible for performing all of these day-to-day administrative tasks. However, in large enterprise networks, with thousands of users and computers, that is not feasible. It is important for an enterprise administrator to know how to delegate specific

3-2 Managing Active Directory Domain Services Objects

administrative tasks to designated users or groups to ensure that enterprise administration is efficient and effective.

Objectives


• Manage user accounts with graphical tools.

• Manage groups with graphical tools.

• Manage computer accounts.

• Delegate permissions to perform AD DS administration.

LessonMana

A orsem

LeA

•

•

•

•

•

•

A

Begyope

AInMfo

•

•

•

•

inFe

n 1 aging U

user object inr account. It is ecure processe

management.


View AD DS

Explain how

Describe ho

Describe ho

Explain how

Manage us

AD DS Adm

efore you can roup, and comou understanderform these v

Active Directns

Most AD DS adollowing snap-

Active Diresnap-in maresources, iand organizadministrat

Active Direservices.

Active Direthe forest f

Active Direattributes achanged. T

Note: To nstall Remote Seatures node o

ser Accn AD DS is far m

the cornerstoes regarding th


S objects by us

w to create use

ow to configur

ow to create u

w to use user-a

er accounts.

ministratio

begin creatingmputer accound which tools yvarious manag

tory Admin

ministration is-ins and conso

ctory Users ananages most concluding userszational units. tor.

ctory Sites and

ctory Domainsunctional leve

ctory Schema.and object clasherefore, the A

administer ADServer Adminisof Server Mana

ounts more than justne of identity

he administrat

you will be ab

sing various A

er accounts tha

re important u

ser profiles.

account templ

n Tools

g and managints, it is importa

you can use to gement tasks.

istration Sn

s performed wles:

nd Computers. ommon day-tos, groups, comThis is likely to

d Services. This

s and Trusts. Tl.

This schema esses. It is the bActive Directo

D DS from a costration Tools ager on Windo

t a handful of and access in ion of user acc

le to:

D DS manage

at you can use

user-account a

lates to create

ng user, ant that

nap-

ith the

This o-day

mputers, o be the most

s snap-in mana

his snap-in co

examines and lueprint for ADry Schema sna

omputer that is(RSAT). RSAT iows Server® 20

20410A: Instal

properties relaAD DS. Theref

counts are the

ment tools.

e in an enterpr

ttributes.

user accounts

heavily used s

ages replicatio

onfigures and m

modifies the dD DS. It is rareap-in is not ins

s not a domainis a feature tha012.


ated to the usefore, consisten

e cornerstone o

rise network.

s.

snap-in for an

on, network to

maintains trust

definition of Aly viewed, andstalled, by defa

n controller, yoat can be insta

g Windows Server®

er’s security idnt, efficient, anof enterprise s

Active Directo

opology, and re

t relationships

Active Directoryd even more raault.

ou must alled from the

2012 3-3

entity, nd ecurity

ory

elated

and

y arely


You also can install RSAT on Windows clients, including Windows Vista® Service Pack 1 (or newer), Windows® 7, and Windows 8. After you download the RSAT installation files from Microsoft’s website, run the Setup Wizard, which steps you through the installation. After installing RSAT, you must turn on the tool or tools that you want to be visible. To do this, use the Turn Windows Features On or Off command in the Programs And Features application in Control Panel.

Additional Reading: To download the RSAT installation files, see http://www.microsoft.com/downloads.

Active Directory Administrative Center

Windows Server 2012 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built upon Windows PowerShell®. This enhanced interface allows you to perform AD DS object management by using task-oriented navigation. Tasks that you can perform by using the Active Directory Administrative Center include:

• Create and manage user, computer, and group accounts.

• Create and manage organizational units (OUs).

• Connect to, and manage, multiple domains within a single instance of the Active Directory Administrative Center.

• Search and filter Active Directory data by building queries.

Windows PowerShell

You can use the Active Directory Module for Windows PowerShell to create and manage objects in AD DS. Windows PowerShell is not just a scripting language. It also enables you to run commands that perform administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and similar functions.

Windows PowerShell is installed by default on Windows Server 2012, but the Active Directory Module is only present when:

• You install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.

• You run Dcpromo.exe to promote a computer to a domain controller.

• You install RSAT.

Directory Service Command-Line Tools You also can use the Directory Service command-line tools, in addition to Windows PowerShell. These tools enable you to create, modify, manage, and delete AD DS objects, such as users, groups, and computers. You can use the following commands:

• Dsadd. Use to create new objects.

• Dsget. Use to display objects and their properties.

• Dsmod. Use to edit objects and their properties.

• Dsmove. Use to move objects.

• Dsquery. Use to query AD DS for objects that match criteria that you supply.

• Dsrm. Use to delete objects.

conud

C

InreWthre

A in20paacyore

W

•

•

•

A auin

Toto

acloof

CA us

YoW

Tost

1.

2.

Note: It isommands. Forumber of all usquery user –

Creating Us

n AD DS, all useesources must

With this user ahe AD DS domesources.

user account nformation tha012. A user accassword, as weccount also coou can configuequirements.

With a user acco

Allow or de

Grant users

Manage usdirectories,

user account uthenticate. Wn the domain/f

o maximize seo the network

Note: Altccounts in the ogon and accef this course.

Creating Useuser account

ser object also

ou can use theWindows Powe

o create a userteps:

. Right-click User.

. In the First

s possible to p example, typisers that have

–name John*

ser Accoun

ers that requirbe configuredccount, users

main and receiv

is an object that defines a usecount includesell as group m

ontains many oure based upo

ount, you can:

eny users perm

s access to pro

ers’ access to rand printer q

enables a userWhen creating a

forest in which

curity, you shohas a unique u

hough AD DS local security ss to local reso

er Accounts includes the u

o includes seve

e Active DirectrShell, or the d

r object by usi

the OU or the

name box, ty

ipe the resultsing the followia name startin

| dsget user –

nts

re access to ned with a user acan authentica

ve access to ne

at contains aller in Windowss the user namemberships. A

other settings tn your organiz

:

mission to log o

ocesses and ser

resources suchueues.

r to log on to ca user account

h the user acco

ould avoid muuser account a

accounts are taccounts man

ources. Local u

user name anderal other attrib

tory Users or Cdsadd.exe com

ng the Active

e container in w

ype the user’s f

s of the Dsqueing at a commng with John: –office

etwork ccount. ate to etwork

of the s Server

me and A user that zational

on to a compu

rvices for a spe

h as AD DS obj

computers andt, you must proount is created

ltiple users shaand password.

the focus of thnager (SAM) dauser accounts a

password, whbutes that des

Computers conmmand-line to

Directory User

which you wan

first name.

20410A: Instal

ry command tmand prompt r

uter based on

ecific security c

jects and their

d domains witovide a user lo

d.

aring one acco

his course, youatabase of eacare, for the mo

hich serve as thcribe and man

nsole, Active Dool to create a

rs or Compute

nt to create th


to other Directreturns the offi

their user acco

context.

r properties, sh

th an identity togon name, w

ount, so that e

u also can storech computer, eost part, beyon

he logon credenage the user.

Directory Admi user object.

ers console, pe

e user, point t

g Windows Server®

tory Service ice telephone

ount identity.

hared folders, f

that the domawhich must be u

each user that

e user enabling local nd the scope

entials for a us

nistrative Cent

erform the follo

o New, and th

2012 3-5

files,

ain can unique

logs on

ser. A

ter,

owing

hen click


3. In the Initials box, type the user’s middle initial(s).

Note: The Initials property is meant for the initials of a user’s middle name, not the initials of the user’s first or last name.

4. In the Last name box, type the user’s last name.

5. The Full name box is populated automatically, although you can make modifications to it, if necessary.

The Full name box is used to create several attributes of a user object, most notably, the common name (CN) and display name properties. The CN of a user is the name displayed in the details pane of the snap-in, and it must be unique within the container or OU. If you are creating a user object for a person with the same name as an existing user in the same OU or container, you need to enter a unique name in the Full name field.

6. In the User logon name box, type the name with which the user will log on, and from the drop-down list, select the user principal name (UPN) Suffix that will be appended to the user logon name following the @ symbol.

User names in AD DS can contain special characters, including periods, hyphens, and apostrophes. These special characters let you generate accurate user names, such as O’Hare and Smith-Bates. However, certain applications may have other restrictions, so we recommend that you use only standard letters and numerals until you fully test the applications in your enterprise for compatibility with special characters. The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts snap-in. Right-click the root of the snap-in, click Properties, and use the UPN Suffixes tab to add or remove suffixes. The DNS name of your AD DS domain is always available as a suffix, and you cannot remove it.

7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often called the downlevel logon name. In the AD DS database, the name for this attribute is sAMAccountName.

Note: It is important to implement a user-account naming strategy, especially in large networks where users may share the same name full name. A combination of last name and first name, and where necessary, additional characters, should yield a unique user account name. Strictly speaking, it is only the UPN name that must be unique within your AD DS forest. The Full name needs to be unique only within the organizational unit where it resides, while the downlevel name must be unique within that domain.

8. Click Next.

9. Enter a temporary password for the user in the Password and Confirm password boxes.

10. Select the User must change password at next logon check box.

We recommend that you always select this option, so that the user can create a new password unknown to the IT staff. Appropriate support staff can reset the user’s password, if necessary to log on as the user or access the user’s resources. Only users should know their own passwords on a day-to-day basis.

11. Click Next.

12

13

14

15

C

Walp

a scsedoenExchob

Wdecaar

A

Thdi

•

•

•

•

2. Review the

The New Oproperties, additional p

3. Right-click

4. Configure t

5. Click OK.

Configuring

When you creatso configure aroperties, or at

Note: Theuser account a

chema, which ecurity group coes not changnterprise-levelxchange Servehanges are reqbjects, includin

When you use Aefine many attan associate a re, and how yo

Attribute Cat

he attributes oialog box, and

Account attflags. You cDirectory U

Personal incontains thdescriptioninformationinfo attribuOrganizatio

User configlogon scrip

Group memYou also ca

summary, and

Object – User insuch as name properties, wh

the user objec

the user prope

g User Acc

te a user accouall the associatttributes.

e attributes thaare defined asmembers of thcan modify. Gee frequently. H application, s

er 2010, is introquired. These cng user object

Active Directortributes beyonuser object wi

ou can use the

tegories

of a user objec include

tributes: The Acan configure mUsers and Com

formation: Thee name prope and contact i

n. The Telephoute. It is a very on tab shows t

guration manat, and home fo

mbership: The an change the

d then click Fin

nterface allowsand passwordich you can co

ct that you cre

erties.

count Attr

unt in AD DS, yted account

at are associat part of the AD

he Schema Adenerally, the scHowever, wheuch as Microso

oduced, many changes enabls, to have add

ry Users and Cnd those requirith many attrib

em in your org

t fall into seve

Account tab. Thmany of theseputers snap-in

e General, Adderties that you nformation. Th

ones tab also isuseful genera

the job title, de

gement: The Polder.

Member Of tauser’s primary

nish.

s you to configd settings. Howonfigure after y

ated, and then

ributes

you

ted with D DS mins chema n an oft schema e itional attribut

Computers to cred to allow thbutes, it is impanization.

eral broad cate

hese propertiee attributes whn. The Account

dress, Telephoconfigure whehe Address ans where the Nol-purpose textepartment, co

Profile tab. Her

ab. You can ady group.

20410A: Instal

gure a limited wever, a user oyou create the

n click Proper

tes.

create a new uhe user to logoportant that yo

egories that ap

es include logohen you createt Properties se

nes, and Orgaen you create d Telephones otes field is loct field that manmpany, and o

re, you can co

dd the user to,


number of accobject in AD De object.

rties.

user object, yoon by using thou understand

ppear on tabs o

on names, pass a new user w

ection details t

anization tabs. a user object, tabs provide dcated, which cny enterprises rganizational r

nfigure the us

and remove t

g Windows Server®

count-related S supports do

u are not reque account. Sinwhat these at

of the user pro

swords, and acith the Active the account att

The General talong with the

detailed contacorresponds to

underuse. Therelationships.

ser’s profile pa

the user from,

2012 3-7

zens of

uired to nce you tributes

operties

ccount

tributes.

ab e basic

act o the e

th,

groups.


• Remote Desktop Services: The Remote Desktop Services Profile, Environment, Remote control, Sessions, and Personal Virtual Desktop tabs. These tabs enable you to configure and manage the user’s experience when the user connects to a Remote Desktop Services session.

• Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.

• Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.

Viewing All Attributes The Attribute Editor tab allows you to view and edit all attributes of a user object.

Note: The Attribute Editor tab is not visible until you enable Advanced Features from the View menu of the Microsoft Management Console (MMC).

The Attribute Editor displays all system attributes of the selected object. The Filter button enables you to choose to see even more attributes, including backlinks and constructed attributes.

Backlinks are attributes that result from references to the object from other objects. The easiest way to understand backlinks is to look at an example: the memberOf attribute:

• When a user is added to a group, it is the group’s member attribute that is changed. The distinguished name of the user is added to this multivalued attribute.

• The member attribute of a group is called a forward link attribute.

• A user’s memberOf attribute is updated automatically by AD DS when the user is referred to by a group’s member attribute. In other words, you do not ever write directly to the user’s memberOf attribute. AD DS maintains it dynamically.

A constructed attribute is one of the results from a calculation that AD DS performs. An example is the tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which the user belongs, including nested groups. To determine the value of tokenGroups, AD DS must calculate the effective membership of the user, which takes a few processor cycles. Because of this, the attribute is not stored as part of the user object, nor is it dynamically maintained. Instead, it is calculated when needed. Because of the processing required to produce constructed attributes, the Attribute Editor tab does not display them by default. In addition, you cannot use constructed attributes in Lightweight Directory Access Protocol (LDAP) queries.

Modifying Attributes for Multiple Users

The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user objects simultaneously. To modify attributes of multiple users in the Active Directory Users and Computers snap-in:

1. Select several user objects by holding the Ctrl key as you click each user, or by using any other multiple-selection technique. Be certain that you select only objects of one class, such as users.

2. After you select the objects, right-click any one of them, and then click Properties.

When you have selected the user objects, a subset of properties is available for modification:

• General: Description, Office, Telephone Number, Fax, Web page, E-mail

• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, and Account expires

• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and Country/region

•

•

C

Socoth

Yo

•

pa

•

•

WpaasMinof

Profile: Pro

Organizatio

Creating Us

ome of the oponfigure for yohe Profile tab o

ou can configu

Profile pathusually, a Usettings aredefine a usethen whichuser’s logonavailable. T

Note: It isath.

Logon scripon. Typicallfile, it is mo(GPOs) or Gfilename (wfolder on a

Home foldepersonal dofolder. You path.

When configuriath, this is subs the shared pa

Modify File permnstance, the filef his or her ho

file path, Logo

on: Job Title, D

ser Profile

ptional propertour user accouof the Accoun

ure three prop

h. This is eitherUNC path. The e stored in the er profile by uever domain cn, their desktohis is known a

s good practic

pt. This is the nly, you use theore usual for adGroup Policy Pwith extension)ll domain cont

er. This value eocuments. Youalso must spe

ng the profile stituted for tharent folder exmissions on the permissions me folder.

on script, and H

Department, Co

es

ties that you caunts are locatent Property pa

perties on this

r a local, or mouser’s desktopprofile. Once sing a UNC pa

computer servop settings willas a roaming p

e to use a sub

name of a batcese commandsdministrators t

Preferences. If y) only. Scripts strollers.

enables you tou can specify eecify a drive let

path and home actual user nxists, and the ahe shared foldeare modified o

Home folder

ompany, and M

an d on age.

page:

ore p you

ath, ices a be rofile.

folder of the u

ch file that cons to create drivto implement you use a logishould be stor

o create a perseither a local ptter that is use

me folder locatname during aadministrator mer, then the uson the newly-c

20410A: Instal

Manager

user’s home fo

ntains commanve mappings. Rlogon scripts bn script, this vared in the C:\W

onal storage aath, or more u

ed to map a ne

tions, if you usapplication of tmodifying the ser’s subfolder created subfol


older for the us

nds that execuRather than usby using Groualue should be

Windows\SYSV

area in which uusually, a UNC etwork drive to

se the variablethe properties account propis created aut

lder so that th

g Windows Server®

ser’s profile

ute when the use a logon scripp Policy Objece in the form o

VOL\domain\sc

users can save path to the u

o the specified

e %username%s. Additionally,perties has at letomatically. In e user has full

2012 3-9

user logs pt batch cts of a cripts

their ser’s

d UNC

% in the so long east this control

3-10 Managing

Cre

Useprocan the foldserva neratheach

If yosimitemuseraccohom

To c

1.

2.

To c

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

It is attr

•

•

•

•

•

g Active Directory Do

eating Use

rs in a domainperties. For exbelong to thenetwork durin

ders and roamiver. Because ofew user, you caher than createh property.

ou want to creilar properties,

mplate. A user ar account that ount for sales

me folder, and

create a user a

Create a user

Disable the unetwork.

create a user b

Right-click th

In the First n

In the Last na

Modify the Fu

In the User lofrom the drop

In the User lo

Click Next.

In the Passwo

Select the app

If you createddisabled che

important to ibutes that are

General tab. N

Address tab. Note that the

Account tab.

Profile tab. Pr

Organization

omain Services Objec

er Account

n often share mample, all sale

e same securityng similar houring profiles stof this, to save tan copy an exe a blank accou

eate multiple u, you can use aaccount templyou have pop

representativeroaming prof

account templa

account, and

ser account te

based on the te

e user accoun

ame box, type

ame box, type

ull name valu

ogon name bop-down list.

ogon name (p

ord box and t

propriate pass

d the new usereck box to enab

understand the copied:

No properties

P.O. box, city, e street addres

Logon hours,

rofile path, log

tab. Departm

cts

ts with Use

many similar es representativy groups, log ors, and have hoored on the satime when creisting user accunt and popul

users with broaa user accountate is a generi

pulated with coes, which you tile path.

ate, perform th

prepopulate i

emplate so tha

emplate, perfo

t template, an

e the user’s firs

e the user’s last

e, if necessary.

ox, type the us

pre-Windows

he Confirm p

sword options.

r account by coble the new ac

hat not all attri

are copied fro

state or provinss itself is not c

logon worksta

gon script, hom

ent, company,

er Accoun

ves on to ome me ating

count late

adly t ic ommon propethen configure

he following st

t with the app

t the template

orm the follow

nd then click C

st name.

t name.

.

ser logon nam

2000) box, ty

assword box,

opying a disabccount.

butes are copi

om the Genera

nce, ZIP or poscopied.

ations, account

me drive, and h

, and manager

t Templat

erties. For exame with group m

teps:

propriate attrib

e account cann

wing steps:

opy. The Copy

me, and then se

ype the user’s u

type the user’

bled user acco

ied. The follow

al tab.

stal code, and

t options, and

home folder p

r are copied.

es

mple, you can memberships, l

butes.

not be used to

y Object – Use

elect the appro

user name.

’s password.

ount, clear the

wing list summ

country or reg

account expir

path are copied

create a templogon hours, a

o log on to the

er Wizard appe

opriate UPN su

Account is

marizes the

gion are copie

ration are copi

d.

plate a

e

ears.

uffix

ed.

ied.


• Member Of tab. Group membership and primary group are copied.

It is not useful to configure any other attributes in the template, because they will not be copied.

Demonstration: Managing User Accounts by Using Active Directory Users and Computers

After you have created a user account, there are a number of tasks that you perform that are considered Account Management tasks, and may include:

• Renaming a user account.

• Resetting a user password.

• Unlocking a user account.

• Disabling or enabling a user account.

• Moving a user account.

• Deleting a user account.

Renaming a User Account

When you need to rename a user account, there can be one or more attributes that you must change.

To rename a user in the Active Directory Users and Computers snap-in, perform the following steps:

1. Right-click the user, and then click Rename.

2. Type the new common name (CN) for the user, and press Enter.

The Rename User dialog box appears and prompts you to enter additional name attributes.

3. Type the Full name (which corresponds to the CN and Name attributes).

4. Type the First name and Last name.

5. Type the Display name.

6. Type the User logon name and User logon name (pre-Windows 2000).

Reset a User Password

When attempting to log on, a user who forgets the logon password will see a logon error message.

Before the user can log on successfully, you must reset the password. You do not need to know the user’s old password to do so.

To reset a user’s password in the Active Directory Users and Computers snap-in:

1. Right-click the user object, and then click Reset Password.

The Reset Password dialog box appears.

2. Enter the new password in both the New Password and Confirm Password boxes.

It is a best practice to assign a temporary, unique, strong password for the user.

3. Select the User Must Change Password at Next Logon check box.

It is a best practice to force the user to change the password at the next logon, so that the user creates a password known only by the user.

4. Click OK.


5. Communicate the temporary password to the user in a secure manner.

Unlocking a User Account An Active Directory domain supports account lockout policies. A lockout policy is designed to prevent intruders from penetrating the enterprise network by attempting to log on repeatedly with various passwords until they find the correct password. When users attempt to log on with an incorrect password, a logon failure is generated. When too many logon failures occur within a specified period of time, which you define in the lockout policy, the account is locked out. The next time that users attempt to log on, a notification clearly states the account lockout.

Your lockout policy can define a period of time after which a lockout account is unlocked automatically. But when users try to log on and discover that they are locked out, it is likely they will contact the help desk for support.

To unlock a user account in the Active Directory Users and Computers snap-in, perform the following steps:

1. Right-click the user object, and then click Properties.

2. Click the Account tab.

3. Select the Unlock Account check box.

Windows Server 2012 also provides the option to unlock a user’s account when you choose the Reset Password command.

To unlock a user account while resetting the user’s password, perform the following step:

• In the Reset Password dialog box, select the Unlock the user’s account check box.

This method is particularly handy when a user’s account is locked out because the user did, in fact, forget the password. You can now assign a new password, specify that the user must change the password at the next logon, and unlock the user’s account: all in one dialog box.

Note: Watch for drives mapped with alternate credentials, because this is a common cause of account lockout. If the password is changed, and the Windows client attempts repeatedly to connect to the drive, that account is locked out.

Disabling and Enabling User Accounts User accounts are security principals that can be given access to network resources. Each user is a member of Domain Users and of the Authenticated Users special identity. By default, each user account has at least Read access to the information stored in Active Directory. For this reason, it is important not to leave user accounts open. This also means that you should configure password policies, auditing, and procedures to ensure that accounts are being used appropriately.

If a user account is provisioned before it is needed, or if the employee for whom you have set up an account is, or will be, absent for an extended period, disable the account.

To disable an account in the Active Directory Users and Computers snap-in:

• Right-click a user, and then click Disable Account.

If an account is disabled already, the Enable Account command appears when you right-click the user.

Moving a User Account

To move a user object in the Active Directory Users and Computers snap-in, perform the following steps:

1. Right-click the user, and then click Move.


2. Click the folder to which you want to move the user account, and then click OK.

Alternatively, you can drag the user object to the destination OU.

Deleting a User Account

When an account is no longer necessary, you can delete it from your directory.

To delete a user account in Active Directory Users and Computers, perform the following steps:

1. Select the user and press Delete; or right-click the user, and then click Delete.

You are prompted to confirm your choice because of the significant implications of deleting a security principal.

2. Confirm the prompt by clicking OK.

Demonstration

This demonstration shows how to:

1. Open Active Directory Users and Computers.

2. Delete a user account.

3. Create a template account.

4. Create a new user account from a template.

5. Modify the user account properties.

6. Rename the user account.

7. Move the user account.

Demonstration Steps

Open Active Directory Users and Computers 1. Log on as Administrator.


Delete a user account • Locate Ed Meadows in the Managers OU, and delete the account.

Create a template account

1. Create a folder called C:\userdata, and share it. Grant Everyone Full Control shared permissions on the folder. Note that the NTFS permissions remain unaffected.

2. Create a new user account called _Managers_template. Ensure that the account is created in a disabled state with a strong password.

3. Modify the properties of the template account so that it has a Home folder located in the new shared folder.

Create a new user account from a template 1. Copy the template account, and then configure the new user account with the Full name Ed

Meadows, and the logon name of Ed.

2. Configure a strong password, and then enable the account.

Modify the user account properties

1. Open the Ed Meadows account, and then verify that the Home folder has been automatically defined as part of the copy process.


2. View additional properties.

Rename the user account • Rename the account Ed Meadows2, but cancel the operation after viewing the options for renaming

the various account names.

Move the user account • Move the Ed Meadows account to the IT OU.

LessonMana

Winusreened

BeWm

Le

A

•

•

•

•

•

G

Intyyoth

DenThcaa m

SeYoengm

Beusshadto

n 2 aging GWhile it might bn small networsers need the sequired user acnabling you toditing the file

efore implemeWindows Servemanagement ri

esson Objec

fter completin

Describe gr

Describe gr

Explain how

Describe de

Manage gr

Group Type

n a Windows Sypes of groupsou create a grohe New Objec

istribution gronabled, are usehis means thatannot be givenmessage to a

message to all g

ecurity groupsou can therefontries in accessroups as a mea

must be a secur

Note: The

ecause you case only securithould create thdded to the usoken.

roup Acbe practical, evks, it becomessame level of accounts, and ao change a usepermissions di

enting groups r group types,ghts and abilit

ctives

ng this lesson, y

roup types.

roup scopes.

w to implemen

efault groups a

oups in Windo

es

erver enterpriss: security and oup, you chooct – Group dia

oups, which areed primarily byt they do not hn permission todistribution g

group membe

s are security pore use these gs control lists (ans of distriburity group.

e default grou

n use security ty groups. Howhe group as a ser’s security a

ccountsven desirable, s impractical anaccess to a folassign the grouer’s file permissirectly.

in your organ and how bestties.

you will be ab

nt group mana

and special ide

ows Server.

se, there are twdistribution. W

ose the group tlog box.

e not security-y email applicahave SIDs, so to resources. Seroup sends thers.

principals with groups in perm(ACLs) to contrution for email

p type is Secu

groups for bowever, we recodistribution grccess token, w

s to assign permnd inefficient ider, it is more up the requiresions by addin

ization, you mt to use these t

le to:

agement.

entities.

wo When

type in

-ations. hey ending e

SIDs. mission rol security forapplications.

rity.

oth resource acommend that iroup. Otherwis

which can lead

20410A: Installin

missions and ain large enterpefficient to crd permissions

ng or removing

must understanto manage acc

r resource acceIf you want to

ccess and emaf a group is usse, the group ito an unneces


bilities to indivprise networksreate a group t. This has the ag them from g

nd about the sccess to resourc

ess. You also co use a group t

ail distribution,sed only for emis assigned a Sssary size incre

Windows Server® 20

vidual user accs. For example,that contains tadded benefit groups rather t

cope of variouces or to assig

can use securitto manage sec

, many organizmail distributioSID, and the SIease of the sec

012 3-15

counts , if many the of

than

us n

ty curity, it

zations on, you D is curity

3-16 Managing

Exchacro

Gro

Winscopthe the scop

•

•

•


Note: The bhange Server doss the enterpr

oup Scope

ndows Server sping. The scoprange of a grogroup membepes:

Local. These eworkstations,are not domamember worklocal, which mon the compuimportant cha

o You can

o Members

Any grou

User

User

Univ

Domain Locaresponsibilitieconsequentlycharacteristic

o You can compute

o Members

Any grou

User

User

Univ

Global. Theseglobal grouplocation. The

o You can

o Members


benefit of usingdeployments, erise.

es

supports the nope of a group doup’s abilities oership. There a

exist on stand-on domain-m

ain controllers,kstations. Locameans that theuter where thearacteristics of

assign abilities

s can be from

security princiups.

rs, computers,

rs, computers,

versal groups d

l. These are uses (rights). Domy, the group’s ss of domain lo

assign abilitiesers in the local

s can be from

security princiups.

rs, computers,

rs, computers,

versal groups d

e are used prims often are useimportant cha

assign abilities

s can be only f

cts

g distribution especially whe

otion of groupdetermines boor permissionsare four group

-alone servers member servers, or on domainal groups are tey are availableey exist. The f a local group

s and permissio

anywhere in t

ipals from the

and global gro

and global gro

defined in any

sed primarily tomain local groscope is localizocal groups are

s and permissiodomain.

anywhere in t

ipals from the

and global gro

and global gro

defined in any

marily to consoed to consolidaaracteristics of

s and permissio

from the local

groups becomere there is a n

p oth s, and

or s that n-ruly e only

p are:

ons only on lo

he AD DS fore

domain: users

oups from any

oups from any

domain in the

o manage accups exist on dzed to the dome:

ons only on do

he AD DS fore

domain: users

oups from any

oups from any

domain in the

olidate users thate users that f global groups

ons anywhere

domain, and c

mes more evideneed to nest th

ocal resources,

est, and can inc

s, computers, g

y domain in th

y trusted doma

e forest.

ess to resourcomain contro

main in which t

omain local re

est, and can inc

s, computers, g

y domain in th

y trusted doma

e forest.

hat have similaare part of a ds are:

in the forest.

can include:

ent in large-schese distributio

meaning on t

clude:

global groups,

e forest.

ain.

es or to assignllers in an AD they reside. Th

esources, mean

clude:

global groups,

e forest.

ain.

ar characteristidepartment or

cale on groups

the local comp

, or domain loc

n managementDS forest, andhe important

ning on all

, or domain loc

ics. For exampr geographic

puter.

cal

t d

cal

ple,

•

Im

Anesurupuis m

EaobNshlekn

•

•

•

•

IdThruggap

Us

Universal. Tof both domgroups are:

o You ca

o Membe

Us

Un

o Properthe entgroupsexampthe me

mplement

dding groups esting—can crupport your buules. Now that urposes and tetime to align

management.

arlier in this lesbjects can be mow is time to

hould be memeads to the besnown as IGDLA

Identities

Global grou

Domain loc

Access

dentities (user hose role grouules, for examproups (domainranted by addppropriate leve

sers, computer

These groups amain local gro:

n assign abilit

ers can be from

sers, computer

niversal groups

rties of universterprise on all s’ membershiple, if a universa

embership list

ting Group

to other groureate a hierarchusiness roles ayou have lear

echnical charathe two in a st

sson, you learnmembers of eaidentify what t

mbers of each gst practice for A, which is:

ups

cal groups

and computerups (global grople, determininn local groups)ing the domaiel of access.

rs, and global g

are most usefuoups and globa

ies and permis

m anywhere in

rs, and global g

s defined in an

al groups are domain contro

p lists more accal group is usetypically is qui

p Managem

ps—a process hy of groups tnd manageme

rned the busincteristics of grtrategy for gro

ned what typeach group scotypes of objecgroup scope. Tgroup nesting

r accounts) areoups) are memng who has Re) are granted ain local group

groups from th

ul in multidomal groups. Spec

ssions anywhe

n the AD DS fo

groups from a

ny domain in t

propagated toollers that hoscessible, whiched for email diicker in distrib

ment

called hat ent ess roups, it oup

es of pe. ts

This g,

e members of gmbers of domaead permissionaccess to resouto the folder’s

20410A: Installin

hen local dom

ain networks acifically, the im

re in the fores

orest, and can

ny domain in

the forest.

o the global cast the global cah can be usefulistribution puruted multidom

global groupsin local group

n to a specific curces. In the cas ACL, with a p


main.

as they combinmportant chara

st, as with glob

include:

the forest.

atalog, and maatalog role. Thl in multidomarposes, the promain networks

s, which represps, which reprecollection of foase of a sharedpermission tha

Windows Server® 20

ne the charactacteristics of u

bal groups

ade available ahis makes univeain scenarios. Focess for deters.

sent business resent managemolders. These rd folder, accesat provides the

012 3-17

teristics niversal

across ersal For rmining

oles. ment rule s is

e


Note: This approach of groups nesting was earlier known as AGDLP, which stands for: accounts, global groups, domain local groups, permissions. The terminology used in this course, IGDLA, has more general scope of application, and it also aligns with industry-standard terminology.

In a multidomain forest, there are universal groups also, which fit in between global and domain local groups. global groups from multiple domains are members of a single universal group. That universal group is a member of domain local groups in multiple domains. You can remember the nesting as IGUDLA.

IGDLA Example

This best practice for implementing group nesting translates well even in multi-domain scenarios. Consider the following, which describes usage of IGDLP scenario.

This figure on the slide represents a group implementation that reflects not only the technical view of group management best practices (IGDLA), but also the business view of role-based, rule-based management.

Consider the following scenario:

The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit. You would perform the following steps to implement the security required by this scenario:

1. Assign users with common job responsibilities or other business characteristics to role groups implemented as global security groups. Do this separately in each domain. Salespeople at Contoso are added to a Sales role group; Auditors at Woodgrove Bank are added to an Auditors role group.

2. Create a group to manage access to the Sales folders with Read permission. This is implemented in the domain containing the resource that is being managed. In this case, the Sales folder resides in the Contoso domain. The resource access management rule group is created as a domain local group, ACL_Sales Folders_Read.

3. Add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain, such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group.

4. Assign the permission that implements the required level of access. In this case, grant the Allow Read permission to the domain local group.

This strategy results in two single points of management, reducing the management burden. There is one point of management that defines who is in Sales, and one that defines who is an Auditor. Those roles, of course, are likely to have access to a variety of resources beyond simply the Sales folder. There is another single point of management to determine who has Read access to the Sales folder. Furthermore, the Sales folder may not just be a single folder on a single server. It could be a collection of folders across multiple servers, each of which assigns the Allow Read permission to the single domain local group.

D

D

ThauThinADarUEnfothof

•

•

•

•

•

•

•

•

Default Gro

Default Grou

here are a numutomatically ohese are called

nclude well-knodministrators, esktop Users. re created in asers containernterprise Admollowing list prhe subset of def AD DS:

Enterprise AAdministratall domain the domain

Schema Adthe Active D

Administratcontrollers administratchange theAdministratgroup in th

Domain Adof its domadefault, addAdmins ow

Server Opedomain conrestore opedefault, this

Account Opaccounts foControllers accounts ththose grouhas no mem

Backup Opoperations this group

Print Operacontrollers.

oups and S

ups

mber of groupn a Windows S

d default local own groups, sBackup OperaThere are add domain, both

rs, including Doins, and Schem

rovides a summefault groups t

Admins (in thetors group in econtrollers. It

n naming cont

dmins (Users CoDirectory sche

tors (Built-in Cand data in th

tive groups in e membership tors group in t

he forest.

dmins (Users Cain. It thereforeded to the loca

wnership of all d

rators (Built-inntrollers. It haserations, formas group has no

perators (Builtor users, group

OU), and in thhat are membeps. Account Ombers.

erators (Built-ion domain cohas no membe

ators (Built-in C It also can log

Special Ide

s that are creaServer 2012 Segroups, and thuch as ators, and Remitional groups

h in the Builtinomain Adminsma Admins. Thmary of capabthat have sign

e Users containevery domain also owns the ext in all fores

ontainer of thema.

Container of Eahe domain namthe domain, aof Enterprise Athe forest root

ontainer of Eae inherits all ofal Administratdomain comp

n Container of s the right to loat disks, createo members.

-in Container ops, and compuhe Users and Cers of the Admperators also c

in Container oontrollers, and ers.

Container of Eg on locally an

entities

ated erver. hey

mote that and s, he ilities of ificant permiss

ner of the forein the forest, gConfiguration

st domains.

e Forest Root

ach Domain). Tming context. Ind the AdminAdmins, Schemt domain is arg

ch Domain). Tf the capabilitiors group of euters.

Each Domain)og on locally,

e or delete sha

of Each Domaters located in

Computers conministrators or can log on loc

of Each Domainlog on locally

Each Domain). nd shut down d

20410A: Installin

sions and user

st root domaingiving it compn partition of t

Domain). This

This group hasIt can change istrators group

ma Admins, anguably the mo

This group is adies of the Admeach domain m

). This group cstart and stopres, and shut d

ain). This groupn any OU in thntainer. AccouDomain Admi

cally to domain

n). This group and shut dow

This group cadomain contro


r rights related

n). This group plete access to the directory a

group owns a

s complete conthe membershp in the forest nd Domain Adost powerful se

dded to the Aministrators gromember comp

can perform mp services, perfodown domain

p can create, me domain (excnt Operators cins groups, non controllers. B

can perform bwn domain con

n maintain priollers.

Windows Server® 20

d to the manag

is a member othe configura

and has full con

and has full co

ntrol over all dhip of all otherroot domain c

mins. The ervice administ

Administrators oup. It is also,

puter, giving D

maintenance taorm backup acontrollers. By

modify, and decept the Domacannot modifyr can they mo

By default, this

backup and rentrollers. By de

int queues on

012 3-19

gement

of the tion of ntrol of

ntrol of

domain r can

tration

group by omain

asks on nd y

elete ain y dify

s group

estore efault,

domain


You need to carefully manage the default groups that provide administrative privileges, because they typically have broader privileges than are necessary for most delegated environments, and because they often apply protection to their members.

The Account Operators group is a good example of this. If you examine the capabilities of the Account Operators group in the preceding list, you can see that its rights are very broad—it can even log on locally to a domain controller. In very small networks, such rights would probably be appropriate for one or two individuals who typically would be domain administrators anyway. In large enterprises, the rights and permissions granted to Account Operators usually are far too broad.

Additionally, the Account Operators group is, like the other administrative groups, a protected group.

Protected groups are defined by the operating system and cannot be unprotected. Members of a protected group become protected. The result of protection is that the permissions (ACLs) of members are modified so that they no longer inherit permissions from their OU, but rather receive a copy of an ACL that is quite restrictive. For example, if you add Jeff Ford to the Account Operators group, his account becomes protected, and the help desk, which can reset all other user passwords in the Employees OU, cannot reset Jeff Ford’s password.

You should try to avoid adding users to the following groups that do not have members by default: Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom groups to which you assign permissions and user rights that achieve your business and administrative requirements.

For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations that could lead to database rollback or corruption, and should not be able to shut down a domain controller, do not put Scott in the Backup Operators group. Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a member.

Special Identities

Windows and AD DS also support special identities, which are groups for which membership is controlled by the operating system. You cannot view the groups in any list (in the Active Directory Users and Computers snap-in, for example), you cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions. The most important special identities, often referred to as groups (for convenience), are described in the following list:

• Anonymous Logon. This identity represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a default member of the Everyone group.

• Authenticated Users. This represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.

• Everyone. This identity includes Authenticated Users and the Guest account. On computers that are running versions of Windows that precede Windows Server 2003, this group includes Anonymous Logon.

• Interactive. This represents users accessing a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is added to the Interactive group automatically for that resource. Interactive also includes users logged on through a Remote Desktop connection.


• Network. This represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.

The importance of these special identities is that you can use them to provide access to resources based on the type of authentication or connection, rather than the user account. For example, you could create a folder on a system that allows users to view its contents when they are logged on locally to the system, but that does not allow the same users to view the contents from a mapped drive over the network. You could achieve this by assigning permissions to the interactive special identity.

Demonstration: Managing Groups

This demonstration shows how to:

1. Create a new group.

2. Add members to the group.

3. Add a user to the group.

4. Change the group type and scope.

Demonstration Steps

Create a new group 1. Open Active Directory Users and Computers.

2. Create a new Global Security group in the IT OU called IT Managers.

Add members to the group • Select multiple users, and then add them to the new group.

Add a user to the group

• Open the properties of Ed Meadows, and from the Member Of tab, add him to the IT Managers group.

Change the group type and scope

• Open the properties of the IT Managers group, and on the General tab, change the group scope to Universal and the type to Distribution.

3-22 Managing

Lesson 3Manag

A coday

•

•

•

•

It is con

Les

Afte

•

•

•

•

•

Wh

Befodire

WheconThisCon

Thebetwcreasuba GPthatobje


3 ging Coomputer accouadministrative

Configuring c

Moving the c

Managing the

Renaming, re

important thafigure and ma

sson Objecti

er completing

Explain the p

Describe how

Explain how t

Describe com

Explain how t

hat Is the C

ore you createectory service,

en you create tainer is creates container is nntainer class.

re are subtle bween a containate an OU withdivide the ComPO to a contait you create cuects, instead o


omputerunt begins its e tasks include

computer prop

computer betw

e computer its

esetting, disabl

at you know hoaintain the com

ives

this lesson, yo

urpose of the

w to configure

to control who

mputer account

to reset the sec

Computer

e a computer oyou must have

a domain, theed by default (not an OU. It is

but important ner and an OUhin a containermputers OU. Yiner. Thereforeustom OUs to f using the Co

cts

r Accoulife cycle whene the following

perties.

ween OUs.

self.

ing, enabling,

ow to performmputer objects

ou will be able

AD DS Compu

the location o

o has permissio

ts and the secu

cure channel.

rs Containe

object in the e a place to pu

e Computers (CN=Computes an object of t

differences U. You cannot r, so you canno

You also cannoe, we recommehost compute

omputers conta

unts n you create itg:

and eventuall

m these variouss within your o

to:

uters container

of computer ac

on to create co

ure channel.

er?

ut it.

ers). the

ot ot link end r ainer.

t and join it to

ly deleting the

s computer-morganization.

r.

ccounts.

omputer accou

your domain.

e computer obj

anagement ta

unts.

Thereafter, da

bject.

sks so you can

ay-to-

n

S

McofoanThCth

Cis obseobOm

Yoorexyoaddeenco

Thadad

AGfofode

C

Thco

•

•

•

pecifying

Most organizatiomputer objecor client compnd other user shese two OUs ontrollers OU

he AD DS insta

omputer objecno technical d

bject in a clienerver’s or dombjects are com

OUs typically armanagement o

our administrarganizations cxample, you mou can delegatdministrators fesktop-suppornables each sitomputers to th

hese specific edministrative mdministration.

dditionally, byPOs that are li

or collections oor organizationesktop or lapto

Controlling

hree conditionomputer to an

A computedirectory se

You must hthe computyou to join that matchethe domain

You must bAdministratallows you

the Locati

ions create at cts: one to hosuters, such as systems, and aare in additionthat is created

allation.

cts are createddifference betwnt’s OU and a cain controller’

mputer objects.re created to pf client objects

ative model mreate sub-OUs

might create ante permissionsfor each type ort teams oftente’s support tehe domain by

examples asidemodel so that

y using separatinked to the clof computers bns to separate op configurati

g Permissio

ns are requiredn Active Directo

r object shouldervice.

have appropriater object. Thea physical comes that of the

n.

be a member otors group on to change the

ion of Com

least two OUs st computer acdesktops, laptanother for sern to the Domad by default du

d in both OUs. ween a compucomputer objes OU; comput. However, sep

provide uniques to one team

ight necessitats beneath a sen OU for file ans to manage coof server. Simil divide a pare

eam to create cusing those co

e, what is mostyour OUs can

te OUs, you calient and the sby linking GPOclients into de

ion to the app

ons to Cre

d for you to joiory domain:

d be created i

ate permissione permissions amputer with a object in AD D

of the local the computer

e computer’s d

mputer Acc

for ccounts ops, rvers. ain uring

There uter ect in a er

parate e scopes of maand managem

te further dividrver OU, to cond print serveromputer objeclarly, geographnt OU for cliencomputer objeomputer objec

t important is tprovide single

an create varioerver OUs. Wi

Os that containesktop and lapropriate OUs.

ate Comp

in a

n the

s on allow name

DS to

r. This omain or wor

20410A: Installin

counts

anagement, soment of server

ding your clienollect and manrs, and an OU cts in the apprhically-distribunts into sub-Oects in the site cts.

that your OU se points of ma

ous baseline coth Group Polic

n configurationptop OUs. You

uter Acco

kgroup memb


o that you can objects to ano

nt and server Oage specific tyfor database s

ropriate OU touted organizat

OUs for each sit for client com

structure reflecanagement for

onfigurations bcy, you can spn instructions tthen can link

unts

bership.

Windows Server® 20

delegate other.

OUs. Many ypes of serversservers. By doio the team of tions with locate. This approa

mputers, and to

cts your r the delegatio

by using differeecify configurato OUs. It is coGPOs that spe

012 3-23

s. For ng so,

al ach o join

on of

ent ation ommon ecify


Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. However, many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain to an existing object. When Windows does not find the object, it fails back and creates a computer object in the default Computer container.

The process of creating a computer account in advance is called prestaging a computer. There are two major advantages of prestaging a computer:

• The account is in the correct OU and is therefore delegated according to the security policy defined by the ACL of the OU.

• The computer is within the scope of GPOs linked to the OU, before the computer joins the domain.

After you have been given permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu. Enter the computer name, following the naming convention of your enterprise, and select the user or group that will be allowed to join the computer to the domain with this account. The two computer names—Computer Name and Computer Name (Pre-Windows 2000)—should be the same. There, very rarely, is a justification for configuring them separately.

Note: You can use the Redircmp.exe command-line tool to reconfigure the default computer container. For example, if you want to change the default computer container to an organizational unit called mycomputers, use the following syntax: redircmp ou=mycomputers,DC=contoso,dc=com

Delegating Permissions

By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, as discussed earlier, we recommend that you tightly restrict membership in the first three groups, and that you do not add Administrators to the Account Operators group.

Instead, you should delegate the permission to create computer objects (called Create Computer Objects) to appropriate administrators or support personnel. This permission, assigned to an OU’s group, allows group members to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU, and allow your file server administrators to create computer objects in the file servers OU. To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose a custom task to delegate. The next lesson discusses delegation.

C

Evm(suspa(LdoNthw

CbeNdo

•

•

•

R

Thp

•

•

•

Computer A

very member cmaintains a comsAMAccountNser account doassword in the

LSA) secret, andomain approxetLogon servic

he domain, whwith a domain c

omputer accoetween compuevertheless, ceomain. Examp

After reinsteven thougBecause theoriginal comauthenticat

A computeworking awremembersauthenticat

A computecan think ojust disagrecannot auth

Resetting t

he most commroblems are:

Messages acontroller ccomputer apassword oincorrect, o(another wabetween thbeen lost.

Error messaindicate simpasswords, failed. One computer’s

A compute

Accounts a

computer in amputer accounName) and pasoes. The compe form of a locd changes its pimately every ce uses the cre

hich establishescontroller.

unts and the suters and theirertain scenarioles of such sce

alling the opegh the technicie new installatmputer accounte to the doma

r has not beenway from the os the current ation can fail.

r’s LSA secret of this as the coees with the dohenticate, and

he Secure

mon signs of co

at logon indicacannot be contaccount mighton the computor that the trusay of saying th

he computer a

ages or eventsmilar problems

trusts, secure such error is N

s event log.

r account is m

and Secur

n AD DS domant with a user nssword, just likuter stores its al security autpassword with30 days. The edentials to logs the secure ch

secure relationr domain are ros might arise enarios include

rating system ian used the sation generatednt password inain.

n used for an eoffice. Computnd previous pa

gets out of synomputer forgeomain over wh the secure ch

Channel

omputer-acco

ate that a domtacted, that th be missing, th

ter account is st relationship he secure relatind the domain

in the event los or suggest thchannels, or re

NETLOGON Ev

missing in AD D

e Channel

ain name ke a

thority h the

g on to hannel

nships obust. in which a come:

on a workstatame computerd a new SID, ann the domain,

extended perioers change theassword. If the

nchronization etting its passwhat the passwohannel cannot

unt

main e

hat the

ionship) n has

og hat elationships wvent ID 3210: F

DS.

20410A: Installin

ls

mputer is no lo

tion, the worksr name as was nd because theit does not be

od, perhaps beeir passwords e computer is

with the passwword. Althoughord really is. Wbe created.

with the domaiFailed To Auth


onger able to a

station is unab used in the pe new comput

elong to the do

ecause the useevery 30 days,unused within

word that the h it did not for

When this happ

n or a domainhenticate, whic

Windows Server® 20

authenticate w

ble to authenticrevious installater does not komain and can

er is on vacatio, and AD DS

n this period,

domain knowrget its passwo

pens, the comp

n controller havch appears in t

012 3-25

with the

cate, ation. now the nnot

on or

ws. You ord, it puter

ve he


When the secure channel fails, you must reset the secure channel. Many administrators do this by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice, because it has the potential to delete the computer account altogether. This loses the computer’s SID, and more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated. If the trust with the domain has been lost, do not remove a computer from the domain, and then rejoin it. Instead, reset the secure channel.

To reset the secure channel between a domain member and the domain, use the Active Directory Users and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the computer’s SID remains the same, and it maintains its group memberships.

To reset the secure channel by using the Active Directory Users and Computers snap-in:

1. Right-click a computer, and then click Reset Account.

2. Click Yes to confirm your choice.

3. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using DSMod:

1. At a command prompt, type the following command:

dsmod computer “ComputerDN” –reset.

2. Rejoin the computer to the domain, and then restart the computer.

To reset the secure channel by using NetDom, at a command prompt, type the following command, where the credentials belong to the local Administrators group of the computer:

netdom reset MachineName /domain DomainName /UserO UserName /PasswordO {Password | *}

This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or rebooting.

To reset the secure channel by using NLTest, on the computer that has lost its trust, at a command prompt, type the following command:

NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER

You also can use Windows PowerShell with Active Directory Module to reset a computer account. The following example demonstrates how to reset the secure channel between the local computer and the domain to which it is joined. You must run this command on the local computer:

Test-ComputerSecureChannel –Repair

Note: You also can reset a remote computer’s password with Windows PowerShell: invoke-command -computername Workstation1 -scriptblock {reset-computermachinepassword}

LessonDeleg

AacsosoOofde

LeA

•

•

•

A

AgpecaasalinAlis

Easupespmin

Thexoneagm

Ainpe

Thpeusad

n 4 gating A

lthough a singccounts, as theome point, it isome specific as

OUs to bring def administrativelegate admin


Describe AD

Determine

Delegate ad

AD DS Perm

ll AD DS objecroups, can be ermissions. Thalled access cossigned to useso known as s

n the object’s DCL. The ACL cost (SACL) that

ach object in Aufficient permiermissions to cpecific AD DS o

manage access n a folder, you

he DACL of anxample, you cane property. Itasily manage pranular permis

mobile telepho

ssigning the hn AD DS, it is nermissions at t

he permissionsermission to resers, all user odministrative t

Adminisgle person cane network grows necessary forspect of netwoepartmental ove delegation. nistrative tasks


D DS permissio

a user’s effect

dministrative c

missions

cts, such as usesecured by use permissions

ontrol entries (Ars, groups, or c

security principDACL, which isontains the sysincludes audit

AD DS has its ossions, you cacontrol the levobject. The deto objects andcan give a gro

n object also alan allow (or det is a property permissions tossions and allone number or

elp desk permot a good prathe level of org

s you assign toeset passwordsbjects within ttask.

stration easily managews, so too doer teams with pork managemer geographic sIt is importantto users on ob

you will be ab

ons.

ive AD DS per

control to a sp

ers, computersing a list of on an object aACEs), and thecomputers, whpals. ACEs are s part of the obstem access coing settings.

own ACL. If yon modify the vel of access onlegation of ad

d properties inoup the ability

llows you to aseny) permissioset that includ commonly us

ow or deny perthe street add

mission to resetctice to assignganizational u

o an OU are ins for user objehat OU will inh

n e a small netw

es the volume oarticular specient. In AD DS estructure to tht that you knowbjects within th

le to:

missions on an

pecified user or

s, and

are ey are hich are saved bject’s ontrol

u have

n a dministrative con AD DS. Just ay, for example,

ssign permissioon to change pdes multiple, spsed collectionsrmission to chadress.

t passwords fon permissions tnits.

herited by all ects and attachherit that perm

20410A: Installin

work with a hanof work that realizations to eenvironments,e networked ow why and hohose OUs.

n AD DS objec

r group of use

ontrol involvesas you can give

to reset passw

ons to an objephone and emapecific properts of propertiesange just som

or each individto individual o

objects in the h that permissimission. In just


ndful of user aelates to netw

evolve, each wi, it is commonobjects, and toow to create O

ct.

ers of an AD DS

s assigning pee a group the words on user

ect’s specific prail options. Thties. Using pro. But, you coue of the inform

ual user objecobjects. Instead

OU. So, if youion to the OU t one step, you

Windows Server® 20

and computer work managem

ith responsibil practice to cr

o enable configUs, and how t

S object.

ermissions thatability to chanobjects.

roperties. For his is, in fact, nooperty sets, yould assign more

mation, such a

t is tedious. Evd, you should a

u give the helpthat contains

u have delegat

012 3-27

ment. At ity for

reate guration o

t nge files

ot just u can e s the

ven so, assign

p desk the ted that

3-28 Managing

Chilits pfromeachena

Eff

Effefor abaseandpassmemPassaboassian eYouwheexpassi

To cyou

1.

2.

3.

permwithdsA

PermThisassipermthan

Allogrotask

Denhas to r


ld objects inhepermissions from the domain h new object ibled.

fective AD

ective permissioa security prined on the cum explicit ACE. Ysword, for exambership in a sword permiss

ove the user obgned to a groeffective permur effective peren you considelicit and inherigned different

calculate effec can perform t

Right-click th

Click Advanc

In the Enter tThe selected

Note: You amissions. For ehin the Help D

Acls "OU=Help

missions, whets means that, igning them tomission that hn a permission

ow permissionsups have beenks assigned to

ny permissionsbeen allowed eset password


erit the permisom its parent citself. The reass created with

DS Permi

ons are the rescipal, such as a

mulative effect Your ability tomple, may be group that is a

sion on an OU bject. The inheup to which yoission of Allowrmissions can ber Allow and Dited ACEs, andt permissions.

tive permissiothe following

e object, file o

ced, click the E

the object nacheck boxes in

also can use thexample, to gra

Desk OU, use thDesk,OU,DC=

ther assigned tn the end, an A

o groups, but ias been assign

n assigned to a

s, which allow n granted permall of those gr

, which deny athe permissios, the Deny pe

cts

sions of the pacontainer OU. son child objec the Include i

ssions

sulting permisa user or grouof each inheri

o reset a user’s due to your

allowed the Reseveral levels

erited permissioou belong resu

w: Reset Passwobe complicate

Deny permissiod the fact that

ns for a specifprocedure:

or folder, click

Effective Perm

me to select fndicate the eff

he DSACLS comant Amy Readhe following sy=Adatum,DC=C

to your user acACE applies tot is also possib

ned directly toa group to whi

access, are cummissions that aroups, and task

access, overridon to reset passermission prev

arent containeIf it is a first-lects inherit permnheritable pe

sions p, ted

eset

on ults in ord. d

ons, you may belon

ic user or a gro

Properties, an

missions tab, a

field, type the fective permiss

mmand-line to and Execute pyntax: Com" /G Dom

ccount or to a o you, the userble to assign A

you, the user,ch you belong

mulative. Wheallow a variety ks assigned dir

e equivalent Aswords, and an

vents you from

er or OU. That evel container missions from ermissions fro

ng to multiple

oup, an AD DS

nd then click t

and then click

name of a usesions of the us

ool to view or permissions on

ain\Amy:GRGE

group to whicr. The best pra

ACEs to individ, is neither mog.

en you belong of tasks, you w

rectly to your u

Allow permissionother group

m resetting pas

container or Oor OU, it inhetheir parents

om this objec

e groups, each

S object, or for

the Security ta

Select.

er or group, anser or group fo

modify AD DSn computer ob

E;computer

ch you belongactice is to manual users or co

ore important n

to several growill be able to user account.

ons. If you arethat has been swords.

OU in turn inhrits the permisis that, by defa

ct’s parent op

of which may

r a file or folde

ab.

nd then click Oor that file or f

S bjects

g, are equivalenage permissioomputers. A nor less impor

oups, and thosperform all of

e in one groupdenied permi

erits ssions ault, tion

y be

er,

OK. folder.

nt. ons by

rtant

se f the

that ssion


Note: Use Deny permissions rarely. In fact, it is unnecessary to assign Deny permissions, because if you do not assign an Allow permission, users cannot perform the task. Before assigning a Deny permission, check to see if you could achieve your goal by removing an Allow permission instead. For example, if you want to delegate an Allow permission to a group, but exempt only one member from that group, you can use a Deny permission on that specific user account while the group still has an Allow permission.

Each permission is granular. Even if you have been denied the ability to reset passwords, you may still have the ability, through other Allow permissions, to change the user’s logon name or email address.

In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by default, and that explicit permissions can override inheritable permissions. This means that an explicit Allow permission will actually override an inherited Deny permission.

Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can make evaluating effective permissions tedious. You can use the permissions reported by the DSACLs command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating effective permissions, but it is still a manual task.

Demonstration: Delegating Administrative Control

In this demonstration, you will see how to:

1. Delegate a standard task.

2. Delegate a custom task.

3. View AD DS permissions resulting from these delegations.

Demonstration Steps

Delegate a standard task


2. Use the Delegate Control Wizard to grant the IT group the following standard management tasks on the IT OU:

o Create, delete, and manage user accounts

o Reset user passwords and force password change at next logon

o Read all user information

Delegate a custom task • Use the Delegate Control Wizard to grant the following permissions on the IT OU to the IT group:

o Full Control on computer objects

o Create computer objects

o Delete computer objects

View AD DS permissions resulting from these delegations

1. Enable the Advanced Features view in Active Directory Users and Computers.

2. View the Properties of the IT OU.

3. Use the Security tab to verify the assigned permissions. Close all open windows.


Lab: Managing Active Directory Domain Services Objects Scenario

A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop-support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

To begin deployment of the new branch office you are preparing AD DS objects. As part of this preparation, you need to create an OU for the branch office and delegate permission to manage it. Then you need to create users and groups for the new branch office. Finally, you need to reset the secure channel for a computer account that has lost connectivity to the domain in the branch office.

Objectives


• Delegate administration for a branch office.

• Create and configure user accounts in AD DS.

• Manage computer objects in AD DS.



20410A-LON-CL1

User name Administrator

Password Pa$$w0rd


1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.




a. User name: Administrator


c. Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-CL1.


Exercise 1: Delegating Administration for a Branch Office

Scenario

A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office organizational unit. There is also a branch office help desk group that is able to manage users in the branch office organizational unit, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups.


1. Delegate administration for Branch Administrators.

2. Delegate a user administrator for the Branch Office Help Desk.

3. Add a member to the Branch Administrators.

4. Add a member to the Branch Help Desk group.

Task 1: Delegate administration for Branch Administrators 1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit in

the Adatum.com domain called Branch Office 1.

2. Create the following global security groups in the Branch Office 1 organizational unit:

o Branch 1 Help Desk

o Branch 1 Administrators

o Branch 1 Users

3. Move Holly Dickson from the IT organizational unit to the Branch Office 1 organizational unit.

4. Move the following users to the Branch Office 1 organizational unit:

o Development\Duncan Bart

o Managers\Ed Meadows

o Marketing\Connie Vrettos

o Research\Barbara Zighetti

o Sales\Arlene Huff

5. Move the LON-CL1 computer to the Branch Office 1 organizational unit, and then restart the computer.

6. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 organizational unit to the Branch 1 Administrators security group.

8. Delegate the following common tasks:




o Create, delete and manage groups

o Modify the membership of a group


o Manage Group Policy links

9. Delegate the following custom tasks:

o Create and delete computer objects in the current OU

o Full control of computer objects in the current OU

Task 2: Delegate a user administrator for the Branch Office Help Desk 1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate

administration of the Branch Office 1 organizational unit to the Branch 1 Help Desk security group.

2. Delegate the following common tasks:




Task 3: Add a member to the Branch Administrators 1. Add Holly Dickson to the Branch 1 Administrators global group.

2. Add the Branch 1 Administrators global group to the Server Operators domain local group. Log off -LON-DC1.

3. Log on as Adatum\Holly with a password Pa$$w0rd. You can logon locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.

4. From Server Manager, open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.

5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful as you lack the required permissions.

6. Try to delete Branch Office 1\Ed Meadows. You are successful because you have the required permissions.

Task 4: Add a member to the Branch Help Desk group 1. Add Bart Duncan to the Branch 1 Help Desk global group.

2. Close Active Directory Users and Computers, and then close Server Manager.

3. Open Server Manager, and then open Active Directory Users and Computers. In the User Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required credentials. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.

4. Add the Branch 1 Help Desk global group to the Server Operators domain local group. Log off LON-DC1.

5. Log on as Adatum\Bart with the password Pa$$w0rd. You can logon locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.

6. Open Server Manager and then open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.

7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful because you lack the required permissions.

8. Reset Connie’s password to Pa$$w0rd. You are successful. Log off LON-DC1.

9. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.


Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.

Exercise 2: Creating and Configuring User Accounts in AD DS

Scenario You have been a given a list of new users for the branch office, and you need to begin creating them.


1. Create a template user for the branch office.

2. Configure the template’s settings.

3. Create a new user for the branch office, based on the template.

4. Log on as a user to test account settings.

Task 1: Create a template user for the branch office 1. On LON-DC1, create a folder called C:\branch1-userdata, and then share it.

2. Modify the shared folder permissions so that the Everyone group as Full Control Allow permissions.

3. From Server Manager, open Active Directory Users and Computers and create a new user with the following properties in the Branch Office 1 organizational unit:

o Full name: _Branch_template

o User logon name: _Branch_template


o Account is disabled

Task 2: Configure the template’s settings • Modify the following properties of the _Branch_template account:

o City: Slough

o Group: Branch 1 Users

o Home folder: \\lon-dc1\branch1-userdata\%username%

Task 3: Create a new user for the branch office, based on the template 1. Copy the _Branch_template user account, and configure the following properties:

o First name: Ed

o Last name: Meadows


o User must change password at next logon is cleared.

o Account is disabled is cleared.

2. Verify that the following properties have been copied during account creation:

o City: Slough

o Home folder path: \\lon-dc1\branch1-userdata\Ed


o Group: Branch 1 Users

3. Log off from LON-DC1.

Task 4: Log on as a user to test account settings 1. Switch to LON-CL1 and log off.

2. Log on to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to log on successfully.

3. Verify that you have a drive mapping for Z: to Ed’s home folder on LON-DC1, and then log off.

Results: After this exercise, you should have successfully created and tested a user account created from a template.

Exercise 3: Managing Computer Objects in AD DS

Scenario

A workstation has lost its connectivity to the domain and cannot properly authenticate users. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.


1. Reset a computer account.

2. Observe the behavior when a client logs on.

3. Rejoin the domain to reconnect the computer account.

Task 1: Reset a computer account 1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.

2. Open Active Directory Users and Computers. Confirm your credentials in the User Account Control dialog box.

3. Navigate to Branch Office 1.

4. Reset the LON-CL1 computer account.

Task 2: Observe the behavior when a client logs on • Switch to LON-CL1 and attempt to log on as Adatum\Ed with the password Pa$$w0rd. A message is

displayed that explains that The trust relationship between this workstation and the primary domain failed. Click OK to acknowledge the message.

Task 3: Rejoin the domain to reconnect the computer account 1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Control Panel. Switch to Large icons view, and then open System.

3. View the Advanced system settings, and then select the Computer Name tab. Use the Network ID button to rejoin the computer to the domain.

4. Complete the wizard to rejoin the computer to the domain. Use the following to help complete the wizard:

o User name: administrator



o Domain: Adatum

o Do you want to enable a domain user account on this computer: No

5. Restart the computer when prompted.

6. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer had been successfully rejoined.

Results: After this exercise, you should have successfully reset the trust relationship.

Prepare for the next module When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:


2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-DC1.



Question: Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How can you provide these members with access to printers on various domains that are managed by using domain local groups?

Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user’s account?

Question: What is the main difference between the Computers container and an OU?

Question: When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?

Best Practices

Best Practices for User Account Management • Do not let users share user accounts. Always create a user account for each individual, even if that

person will not be with your organization for long.

o Educate users about the importance of password security.

o Ensure that you choose a naming strategy for user accounts that enables you to identify the user to whom the account relates. Also ensure that your naming strategy uses unique names within your domain.

Best Practices for Group Management

• When managing access to resources, try to use both domain local group and role groups.

o Use Universal groups only when necessary because they add weight to replication traffic.

o Use Windows PowerShell with Active Directory Module for batch jobs on groups.

o Avoid adding users to built-in and default groups.

Best Practices Related to Computer Account Management • Always provision a computer account before joining computers to a domain, and then place them in

appropriate OUs.

o Redirect the default Computer container to another location.

o Reset the computer account, instead of disjoining and rejoining.

o Integrate the Offline Domain Join functionality with unattended installations.

Real-world Issues and Scenarios 1. A project manager in your department is starting a group project that will continue for the next year.

Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?

2. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server-based infrastructure. You have to find a method for joining new Windows® 8-based computers to a domain during the installation process, without intervention of a user or an administrator.


Tools

Tool Use Where to find it

Active Directory Users and Computers

Manage groups Administrative Tools

Windows Power Shell with Active Directory Module

Manage groups Installed as Windows Feature

DS utilities Manage groups Command line

Windows PowerShell with Active Directory Module

Computer account management

Administrative Tools

Djoin.exe Offline domain join Command line

Redircmp.exe Change default computer container

Command line

DSACLS View and modify AD DS permissions

Command line

4-1

Module 4 Automating Active Directory Domain Services Administration


Lesson 1: Using Command-line Tools for Administration 4-2

Lesson 2: Using Windows PowerShell for Administration 4-7

Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13

Lab: Automating AD DS Administration by Using Windows PowerShell 4-20


Module Overview

You can use command-line tools and Windows PowerShell® to automate Active Directory® Domain Services (AD DS) administration. Automating administration speeds up processes that you might otherwise perform manually. Windows PowerShell includes cmdlets for performing AD DS administration and for performing bulk operations. You can use bulk operations to change many AD DS objects in a single step rather than updating each object manually.

Objectives


• Use command-line tools for AD DS administration.

• Use Windows PowerShell cmdlets for AD DS administration.

• Perform bulk operations by using Windows PowerShell.

4-2 Automating

Lesson Using

Winadmandthesuses

Les

Afte

•

•

•

•

Be

MansuchAD Gravisuin thWhedo n

GratheyadmComcan

Som

•

•

•


1 Comma

ndows Server® ministration. M

managementse command-ls.

sson Objecti

er completing

Describe the

Describe how

Describe how

Describe how

nefits of U

ny administrath as Active DirDS administraphical tools ar

ually represent he form of raden informationnot need to m

phical tools woy cannot be au

ministration, yommand-line to

be used by ot

me benefits of

Faster implemfrom a humaaccounts baseuser account

Customized pgather informgathered, theconvention—group. This p

AD DS adminActive Direct

Note: Serve

omain Services Admi

and-line2012 includesany organizat

t of AD DS objine tools to en

ives

this lesson, yo

benefits of usi

w and when to

w and when to

w and when to

Using Com

tors prefer to urectory Users ation whenever

re intuitive to uinformation a

dio buttons andn is represente

memorize synta

ork well in mautomated. To aou need commools can be usether applicatio

using comman

mentation of bn resources aped on the expoindividually.

processes for Amation about ae graphical pro

—is correct. Therocess allows c

nistration on setory Users an

er core can be

nistration

e Tools s several commions create scrects such as u

nsure that if re

ou will be able

ing command-

use csvde.

use ldifde.

use DS comm

mmand-Lin

use graphical tand Computersr possible. use because thand provide opd dialog boxesed graphically, ax.

ny situations, automate AD

mand-line toolsed in scripts, oons.

nd-line tools a

bulk operationspplication. Youorted informat

AD DS adminisa new group, aogram can verien, the graphiccompany-spec

erver core. Servnd Computers

administered

for Admmand-line toolripts that use cser accounts a

equired, you ca

to:

-line tools for

mands.

e Tools fo

tools, s, for

hey ptions s. you

but DS s. r they

are:

s. For exampleu use a commation. This is mu

stration. You caand then creatify that the infcal program uscific rules to be

ver core cannos. However, yo

remotely by u

ministras that you cancommand-lineand groups. Yoan modify the

AD DS admini

or Adminis

e, you can expoand-line tool ouch faster than

an use a custoe the new groformation formses a commane enforced.

ot run graphicu can use com

using graphica

ation n use to perfore tools to autoou must underscripts that yo

istration.

stration

ort a list of newor script to crean manually cre

omized graphicoup. When the mat—such as tnd-line tool to

cal administratmmand-line to

l tools.

rm AD DS mate the crearstand how to our organizatio

w user accounate the new useating each ne

cal program toinformation is

the naming create the new

ion tools suchols on server c

tion use

on

nts ser ew

o s

w

as core.

W

Csimcoapdainda

Thmoncsyousca

ExToda

Th

O

O

Aex

C

Th

Cs

ThTh

What Is Csv

Csvde is a commmports Active Domma-separatpplications areata from .csv f

nteroperability atabases or sp

he main limitamodify existing

nly create newsvde to createou cannot use ser accounts aan use csvde t

xport Objeco export objecata will be exp

he basic syntax

Csvde –f

Other options t

Option

-d RootDN

-p SearchSco

-r Filter

-l ListOfAtrri

fter the exportxported. The h

Create Objec

he basic syntax

svde –i –f fi

he -i parametehe -k paramet

vde?

mand-line tooDirectory objeted values (.csve capable of exfiles. This makewith other ap

preadsheets.

tion of csvde Active Directo

w objects. For ee a set of new u

it to modify tfter they are c

to export a list

cts by Usingcts by using csported. With o

x to use csvde

filename

hat you can us

ope

ibutes

t completes, thheader row is a

cts by Using

x for using csv

ilename –k

er specifies imter instructs cs

ol that exports ects to or from v) file. Many xporting or imes csvde usefupplications, suc

is that it cannoory objects; it cexample, you cuser accounts,he properties

created. You caof users and t

g csvde vde, as a mininly the filenam

e for export is:

se with csvde

Description

Specifies thewill begin. T

Specifies theoption -d. Thonelevel (obsubcontaine

Limits the obon Lightweig

Specifies theattribute, an

he .csv file willa comma-sepa

g csvde

vde to create o

port mode. Thvde to ignore

or a

porting ul for ch as

ot can can use but

of the an also use csvtheir email add

mum, you neeme specified, a

are listed in th

e distinguishedhe default is th

e scope of the he SearchScobjects within thrs). The defaul

bjects returnedght Directory A

e attributes to d separate the

contain a heaarated list with

objects is:

he -f parameteerror message

20410A: Instal

vde to export dresses.

ed to specify tll objects in th

he following ta

d name of the he domain.

search relativepe option canhis container), lt is subtree.

d to those thatAccess Protoco

be exported. Uem with comm

ader row and o the names of

er identifies thees, including t


object proper

he filename ofhe domain will

able.

container from

e to the contain be either bas or subtree (th

t match the filol (LDAP) quer

Use the LDAP mas.

one row for eaf the attributes

e file name frohe “Object Alr

g Windows Server®

ties. For exam

f the .csv file to be exported.

m which the ex

iner specified e (this object ohis container a

ter. The filter iry syntax.

name for each

ach object thats for each obje

om which to imready Exists” er

2012 4-3

ple, you

o which

xport

by the only), and all

is based

h

t was ect.

mport. rror

4-4 Automating

mespos

Theattrspec

Youuser

csvd

http

http

Wh

LdifexpLikeThe(LDIdataobtaserv

An commodopeopethe

The

dn: chaobjobjobjobjcn: sn: titdesgivdiscomsAMAusemai


ssage. The supsible are creat

.csv file that isibutes for the cified in the he

u cannot use csr accounts crea

Note: For mde /?, and the

Additional p://go.microso


hat Is Ldifd

fde is a commort, create, mo

e csvde, ldifde file must be inIF). Most applia in LDIF formain data in LDvice.

LDIF file is textmposing a singdifying a user eration specifieeration, such asLDIF file.

following is a

CN=Bonnie Kngetype: addectClass: toectClass: peectClass: orectClass: usBonnie KearKearney

le: Operatiocription: OpenName: BonnplayName: Kepany: ContosAccountName:rPrincipalNal: bonnie.ke

omain Services Admi

ppress errors oed, instead of

s being used fdata in the .cseader row.

svde to imporated by csvde

more informatin press Enter.

Reading: For oft.com/fwlink/


de?

and-line tool todify, or deletee uses data than LDAP Data Ications cannoat. It is more liIF format from

t-based, with ble operation sobject. Each li

es something as an attribute o

n example of a

earney,OU=Em p rson ganizationaler ney

ns erations (Loie arney, Bonnio, Ltd. bonnie.kear

me: bonnie.karney@adatum

nistration

option is usefustopping whe

or an import msv file. Each row

rt passwords, be have a blank

on about para

more informa/?LinkId=1687

more informa/?LinkId=1687

that you can ue AD DS objecat is stored in anterchange Fo

ot export or imikely that you

m another direc

blocks of lines uch as creatinne within the about the or the type of

an LDIF file th

mployees,OU=U

Person

ondon)

e

rney [email protected]

ul when imporen partially com

must have a hew must contain

because passwpassword and

ameters for csv

ation about LD52.

ation about LD52

use to ts. a file. ormat port can ctory

g or

operation. A b

at creates a sin

User Accounts

um.com

rting objects tomplete.

eader row thatn exactly the c

words in a .csv fd are disabled.

vde, at a comm

DAP query synt

DAP query synt

blank line sepa

ngle user.

s,DC=adatum,D

o ensure that a

t contains namcorrect numbe

file are not pro

mand prompt,

tax, see

tax, see

arates multiple

DC=com

all of the objec

mes of LDAP er of items as

otected. As a r

, type

e operations w

cts

result,

within


For each operation in an LDIF file, the changetype line defines the operation to be performed. The valid values are add, modify, or delete.

Export Objects by Using ldifde

When using ldifde to export objects, the minimum information you must provide is a filename to hold the data. When no other options are selected, all objects in the domain are exported. The basic syntax for exporting objects by using LDIFE is:

Ldifde –f filename

Some other options you can use when exporting objects ldifde are listed in the following table.

Option Description

-d RootDN The root of the LDAP search. The default is the root of the domain.

-r Filter An LDAP search filter that limits the results returned.

-p SearchScope The scope, or depth, of the search. This can be:

• subtree (the container and all child containers)

• base (the immediate child objects of the container only)

• onelevel (the container and its immediate child containers)

-l ListOfAttributes A comma-separated list of attributes to include in the export.

-o ListOfAttributes A comma-separated list of attributes to exclude in the export.

Import Objects by Using ldifde When you use ldifde to import objects, you must specify the operation to perform on the object. For each operation in an LDIF file, the changetype line defines the operation to be performed.

The basic syntax for using ldifde to import objects is:

Ldifde –i –f filename –k

The -i parameter specifies import mode. The -f parameter identifies the file name to import from. The -k parameter instructs ldifde to ignore errors, including the “Object Already Exists” error. The option suppress errors is useful when importing objects to ensure that all objects possible are created instead of stopping when partially complete.

You cannot use ldifde to import passwords, because passwords in an LDIF file would not be secure. As a result, user accounts created by ldifde have a blank password and are disabled.

4-6 Automating

Wh

Wintoouse to cobjecom

To

D

D

D

D

D

D

Use

The

To m

Dsmo

To d

Dsg

To d

Dsrm

To c

Dsa


hat Are DS

ndows Server 2ls called DS coin scripts. You

create, view, mects. The follow

mmand-line to

ool

Sadd

Sget

Squery

Smod

Srm

Smove

er Managem

following are

modify the dep

od user “cn=

display the em

et user “cn=

delete a user a

m “cn=Joe He

create a new u

dd user “cn=

Question: Wcommands?

omain Services Admi

S Comman

2012 includes commands, whicu can use DS coodify, and remwing table desols.

ment Comm

examples of c

partment of a

Joe Healy,ou

mail of a user ac

Joe Healy,ou

account, type:

aly,ou=Manag

user account, ty

Joe Healy,ou

hat criteria wo

nistration

nds?

command-linech are suitableommand-line

move AD DS scribes DS

mand Examp

commands tha

user account,

=Managers,dc

ccount, type:

=Managers,dc

ers,dc=adatu

ype:

=Managers,dc

ould you use to

e e for tools

Description

Creates AD

Displays pro

Searches for

Modifies AD

Removes AD

Moves AD D

ples

at you could ty

type:

c=adatum,dc=c

c=adatum,dc=c

um,dc=com”

c=adatum,dc=c

o select betwe

DS objects.

operties of AD

r AD DS object

D DS objects.

D DS objects.

DS objects.

ype at a comm

com” –dept IT

com” –email

com”

een using csvd

DS objects.

ts.

mand prompt.

T

de, ldifde, andd the DS

LessonUsing

WusWto

LeA

•

•

•

•

U

Yocrcmpaofth

C

n 2 g WindoWindows Powe

se than previoWindows Poweo create, modif


Use Window

Use Window

Use Window

Use Window

Using Wind

ou can use Wireate, modify, mdlets can be art of a script tf the cmdlets fhe following ta

Cmdlet

New-ADUser

Set-ADUser

Remove-ADU

Set-ADAccou

Set-ADAccou

Unlock-ADA

Enable-ADAc

Disable-ADA

ows PowrShell is the prus scripting larShell includesfy, and remove


ws PowerShell

ws PowerShell

ws PowerShell

ws PowerShell

dows Powe

ndows PowerSand delete useused for indivto perform bufor managing able.

r

User

untPassword

untExpiration

Account

ccount

Account

werShelreferred scriptinguages such s an extensive e user account

you will be ab

l cmdlets to m

l cmdlets to m

l cmdlets to m

l cmdlets to m

erShell Cm

Shell cmdlets ter accounts. Th

vidual operatiolk operations. user accounts

De

Cr

M

De

Re

n M

Unac

En

Di

ll for Ading environmeas Microsoft®

list of cmdletsts, groups, com

le to:

anage user ac

anage groups

anage compu

anage organiz

mdlets to M

to hese

ons or as Some are in

escription

reates user acc

Modifies proper

eletes user acc

esets the passw

Modifies the exp

nlocks a user accepted numb

nables a user a

isables a user a

20410A: Instal

dministent in Window

® Visual Basic Ss to manage Amputer accoun

ccounts.

s.

uter accounts.

zational units (

Manage Us

counts.

rties of user ac

counts.

word of a user

piration date o

account when er of incorrect

account.

account.


ration ws Server 2012.Scripting EditioAD DS objects. nts, and organ

(OUs).

sers

ccounts.

r account.

of a user accou

it is locked aftt login attemp

g Windows Server®

. It is much eason (VBScript). Cmdlets can bizational units

unt.

ter exceedingpts.

2012 4-7

sier to

be used s.

the

4-8 Automating Active Directory Domain Services Administration

Create New User Accounts

When you use the New-ADUser cmdlet to create new user accounts, you can set most user properties including a password. For example:

• If you do not use the –AccountPassword parameter, no password is set and the user account is disabled. The –Enabled parameter cannot be set as $true when no password is set.

• If you use the –AccountPassword parameter to specify a password, then you must specify a variable that contains the password as a secure string, or choose to be prompted for the password. A secure string is encrypted in memory. If you set a password then you can enable the user account by setting the –Enabled parameter as $true.

Some commonly used parameters for the New-ADUser cmdlet are listed in the following table.

Parameter Description

AccountExpirationDate Defines the expiration date for the user account.

AccountPassword Defines the password for the user account.

ChangePasswordAtLogon Requires the user account to change passwords at the next logon.

Department Defines the department for the user account.

Enabled Define whether the user account is enabled or disabled.

HomeDirectory Defines the location of the home directory for a user account.

HomeDrive Defines the drive letters that are mapped to the home directory for a user account.

GivenName Defines the first name for a user account.

Surname Defines the last name for a user account.

Path Defines the OU or container where the user account will be created.

The following is a command you could use to create a user account with a prompt for a password:

New-ADUser “Joe Healy” –AccountPassword (Read-Host –AsSecureString “Enter password”) -Department IT

Question: Are the parameters for all cmdlets that you use to manage user accounts the same?

U

Yomustofota

C

C

YoNth

Using Wind

ou can use Wimodify, and del

sed for individo perform bulkor managing gable.

Cmdlet

New-ADGrou

Set-ADGroup

Get-ADGrou

Remove-ADG

Add-ADGrou

Get-ADGrou

Remove-ADG

Add-ADPrincipalG

Get-ADPrincipalG

Remove-ADPrincipalG

Create New G

ou can use theNew-ADGrouphe only require

Parameter

Name

GroupScope

DisplayName

GroupCatego

dows Powe

ndows PowerSlete groups. Thual operations

k operations. Sgroups are liste

up

p

p

Group

upMember

pMember

GroupMembe

GroupMembe

GroupMembe

GroupMembe

Groups

e New-ADGrop cmdlet, you med parameter.

e

ory

erShell Cm

Shell to createhese cmdlets cs or as part of

Some of the cmed in the follow

De

Cr

M

Di

De

Ad

Di

er Re

ership Ad

ership Di

ership Re

oup cmdlet to must use the GThe following

Desc

Defi

DefiUniv

Defi

Defido n

mdlets to M

, can be a script

mdlets wing

escription

reates new gro

Modifies proper

isplays propert

eletes groups.

dds members

isplays membe

emoves memb

dds group me

isplays group

emoves group

create groupsGroupScope p table lists com

ription

nes the name

nes the scope versal. You mu

nes the LDAP

nes whether itnot specify eith

20410A: Instal

Manage Gr

oups.

rties of groups

ties of groups

to groups.

ership of grou

bers from grou

mbership to o

membership o

p membership

s. However, whparameter in ammonly used p

of the group.

of the group ust provide th

display name

t is a security gher, a security


roups

s.

.

ps.

ups.

objects.

of objects.

from an objec

hen you createaddition to theparameters fo

as DomainLois parameter.

for the object

group or a distgroup is creat

g Windows Server®

ct.

e groups usinge group name. r New-ADGro

cal, Global, or

.

tribution grouted.

2012 4-9

g the This is

oup.

r

p. If you


Parameter Description

ManagedBy Defines a user or group that can manage the group.

Path Defines the OU or container in which the group is created.

SamAccountName Defines a name that is backward compatible with older operating systems.

The following command is an example of what you could type at a Windows PowerShell prompt to create a new group:

New-ADGroup –Name “CustomerManagement” –Path “ou=managers,dc=adatum,dc=com” –GroupScope Global –GroupCategory Security

Manage Group Membership

There are two sets of cmdlets that you can use to manage group membership: *-ADGroupMember and *-ADPrincipalGroupMembership. The distinction between these two sets of cmdlets is the perspective used when modifying group membership. They are:

• The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or remove members of a group.

o You cannot pipe a list of members to these cmdlets.

o You can pass a list of groups to these cmdlets.

• The *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such as a user. For example, you can modify a user account to add it as a member of a group.

o You can pipe a list of members to these cmdlets.

o You cannot provide a list of groups to these cmdlets.

Note: When you pipe a list of objects to a cmdlet, you pass a list of objects to a cmdlet. More information about how to pipe a list of objects is covered in Lesson 3: Performing Bulk Operations with Windows PowerShell.

The following is a command you could use to add a member to a group.

Add-ADGroupMember CustomerManagement –Members “Joe Healy”

U

Yomcmpaofar

C

CYojode

Th

Th

Ne

RYore

Using Wind

ou can use Wimodify, and delmdlets can be art of a script tf the cmdlets fre listed in the

Cmdlet

New-ADCom

Set-ADComp

Get-ADComp

Remove-ADC

Test-Comput

Reset-Compu

Create New Cou can use the

oined to the doeploying the c

he following ta

Parameter

Name

Path

Enabled

he following is

ew-ADCompute

Repair the Trou can use theelationship bet

dows Powe

ndows PowerSlete computerused for indivto perform bufor managing following tab

mputer

puter

puter

Computer

terSecureCha

uterMachineP

Computer Ae New-ADComomain. You docomputer.

able lists comm

s an example t

r –Name LON-

rust Relatioe Test-Computween a comp

erShell Cm

Shell to createaccounts. Th

vidual operatiolk operations. computer acco

ble.

annel

Password

Accounts mputer cmdleo this so you ca

monly used pa

that you can u

SVR8 –Path “

onship for a uterSecureChauter and the d

mdlets to M

, ese

ons or as Some

ounts

Description

Creates a ne

Modifies pr

Displays pro

Deletes a co

Verifies or rcomputer a

Resets the p

et to create a nan create the c

arameters for N

Description

Defines the

Defines thewill be crea

Defines whedisabled. Bya random p

se to create a

ou=marketing

Computer Aannel cmdlet wdomain. You m

20410A: Installin

Manage Co

ew computer

roperties of a c

operties of a c

omputer accou

repairs the trusand the domai

password for a

new computer computer acco

New-ADComp

e name of the c

e OU or containted.

ether the comy default, the cpassword is ge

computer acc

g,dc=adatum,d

Account with the –Rep

must run the cm


omputer A

account.

computer acco

computer acco

unt.

st relationshipn.

a computer acc

account befoount in the cor

puter.

computer acco

ner where the

mputer accountcomputer acconerated.

count:

dc=com –Enabl

pair parametermdlet on the c

Windows Server® 20

Accounts

ount.

ount.

p between a

count.

re the computrrect OU befor

ount.

computer acc

t is enabled orount is enabled

led $true

r to repair a locomputer with

012 4-11

ter is re

count

r d and

st trust the lost

4-12 Automati

truscom

Test

Us

Youmodusedto pfor

Cm

N

Se

G

R

Cre

Youphy

The

Pa

N

Pa

P

The

New“ou=

ng Active Directory D

st relationship. mputer accoun

t-ComputerSe

ing Windo

u can use Winddify, and deletd for individua

perform bulk omanaging OU

mdlet

New-ADOrgan

et-ADOrganiz

et-ADOrgani

emove-ADOr

eate New OU

u can use Newysical locations

following tab

arameter

Name

ath

rotectedFrom

following is a

-ADOrganizat=marketing,d

Question: In required?

Domain Services Adm

The followingt:

cureChannel -

ows Power

dows PowerShte OUs. These cal operations ooperations. Soms are listed in

nizationalUnit

zationalUnit

zationalUnit

rganizationalU

Us

w-ADOrganiza within in you

le shows comm

mAccidentalDe

n example you

ionalUnit –Nc=adatum,dc=

the slide exam

ministration

g is a command

-Repair

rShell Cmd

ell to create, cmdlets can b

or as part of a me of the cmdthe following

t

Unit

ationalUnit cmr organization

monly used pa

eletion

u can use whe

ame Sales –P=com” -Protec

mple, is the Pro

d that you cou

dlets to Ma

e script

dlets table.

De

Cr

M

D

D

mdlet to create.

arameters for t

Descrip

Define

Define

PrevenThe de

n you want to

Path ctedFromAccid

otectedFromA

uld use to repa

anage OU

escription

reates OUs.

Modifies prope

isplays proper

eletes OUs.

e a new OU to

the New-ADO

ption

es the name of

es the location

nts the OU froefault value is

o create a new

dentalDeletio

AccidentalDe

air the trust re

s

rties of OUs.

rties of OUs.

represent dep

Organizationa

f the new OU.

n of the new O

om being delet$true.

organizationa

on $true

eletion parame

lationship for

partments or

alUnit cmdlet.

OU.

ted accidental

al unit:

eter

a

ly.

LessonPerfo

Wwg

Tofobu

Le

A

•

•

•

•

•

•

W

A mminpelik

YotoEadi

•

•

•

Th

1.

2.

n 3 orming BWindows Powewhich would no

raphical tools.

o perform bulkor a list of AD Dulk operations

esson Objec

fter completin

Describe bu

Use graphic

Query AD D

Modify AD

Use .csv file

Modify and

What Are B

bulk operationmultiple objectsmuch faster thandividually. It merforming mankelihood of ma

ou can performools, at a commach method foifferent capab

Graphical toproperties t

Command-have more

Scripts can

he general pro

. Define a qumay want t

. Modify the that you watools, you m

Bulk OprShell is a pow

ormally be ted

k operations uDS objects, ans that you requ

ctives

ng this lesson, y

ulk operations

cal tools to pe

DS objects by u

DS objects by

es.

d execute Wind

Bulk Opera

n is a single acs. Performing aan changing mmay also be mny individual aaking a typogr

m bulk operatimand prompt, or performing ilities. For exam

ools tend to bthat they can m

-line tools tendoptions for m

combine mult

ocess for perfo

uery. You use tto modify all u

objects defineant to modify, may use a list o

perationwerful scriptingious to perform

using Windowsd how to workuire.

you will be ab

.

rform bulk op

using Window

y using Window

dows PowerSh

ations?

ction that chana bulk operatio

many objects ore accurate, bactions increasraphical error.

ions with grapor by using scbulk operationmple:

e limited in thmodify.

d to be more fodifying objec

tiple command

orming bulk op

the query to seser accounts i

ed by the querand then edit

of objects or v

ns with g environmentm manually. Y

s PowerShell, yk with .csv files

le to:

perations.

ws PowerShell.

ws PowerShell

hell scripts to p

nges on is

because ses the

phical cripts. ns has

he

flexible than gct properties.

d-line actions

perations is as

elect the objecn a specific OU

ry. When usingt the propertievariables to ide

20410A: Installin

Windowt that you can You can also pe

you must first s. Then you ca

.

perform bulk o

raphical tools

for the most c

follows:

cts that you waU.

g graphical tooes of those objentify the obje


ws Powuse to performerform some b

understand hon create script

operations.

when defining

complexity and

ant to modify.

ols, you typicaects. When uscts that you w

Windows Server® 20

werShellm bulk operatibulk operation

ow to create qts that perform

g queries, and

d flexibility.

For example,

ally select the oing command

want to modify

012 4-13

ons,

ns in

ueries m the

they

you

objects d-line y.


Demonstration: Using Graphical Tools to Perform Bulk Operations

You can use Active Directory Administrative Center and Active Directory Users and Computers to modify the properties of multiple objects at the simultaneously. To perform a bulk operation with using graphical tools, perform the following steps:

1. Perform a search or create a filter to display the objects that you want to modify.

2. Select the objects.

3. Examine the properties of the objects.

4. Modify the properties that you want to change.

When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that displayed in the user interface.


• Create a query for all users.

• Configure the company attribute for all users.

• Verify that the company attribute has been modified.

Note: When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that display in the user interface.

Demonstration Steps

Create a query for all users

1. On LON-DC1, open Active Directory Administrative Center.

2. Browse to Global Search, and add the criteria Object type is user/inetOrgPerson/computer/group/organization unit.

3. Verify that the criteria that you added is for the type User, and perform the search.

Configure the Company attribute for all users

1. Select all the user Accounts and modify their properties.

2. Type the Company as A. Datum.

Verify that the Company attribute has been modified

• Open the properties of Adam Barr, and verify that the company is A. Datum.

Q

IntoYoquopus

C

YoALaPo

•

•

•

ThLa

O

Querying O

n Windows Powo obtain lists oou can also usueries for objeperations. Thesed parameter

Parameter

SearchBase

SearchScope

ResultSetSize

Properties

Create a Que

ou can use theAD* cmdlets. Thanguage. The owerShell Expr

It is easier t

You can use

There is aut

he following taanguage.

Operator

-eq

-ne

-lt

-le

-gt

Objects wit

werShell, you uf objects, suche these cmdle

ects on which ye following tabrs with the Get

D

e

e

ery

e Filter paramhe Filter paramLDAPFilter paression Langua

to write querie

e variables ins

tomatic conve

able lists comm

th Window

use the Get-*h as user accouts to generateyou can perfor

ble lists commot-AD* cmdlets

Description

Defines the ADOU.

Defines at whaYou can choosubtree.

Defines how mall objects are

Defines whichproperties, typuse a property

eter or the LDmeter is used farameter is useage is preferre

es in Windows

ide the querie

ersion of variab

monly used op

ws PowerS

cmdlets unts. e rm bulk only s.

D DS path to b

at level below se to search o

many objects t returned, you

h object propepe an asterisk y for filtering.

DAPFilter parafor queries wried for queries ed because:

PowerShell Ex

s.

ble types, when

perators you ca

D

E

N

L

L

G

20410A: Installin

Shell

begin searchin

the SearchBanly in the base

to return in resu should set th

rties to return (*). You do no

meter to creatitten in Windowritten as LDA

xpression Lang

n required.

an use in Wind

Description

Equal to

Not equal to

Less than

Less than or eq

Greater than


ng, for example

ase a search she, one level do

sponse to a quhis to $null.

and display. Tot need to use

te queries for ows PowerShelAP query strin

guage.

dows PowerSh

qual to

Windows Server® 20

e, the domain

hould be perfoown, or the ent

uery. To ensure

To return all this paramete

objects with thll Expression gs. Windows

hell Expression

012 4-15

or an

ormed. tire

e that

er to

he Get-

4-16 Automati

Op

-g

-l

The

Get

Theall it

Get

Theolde

Get

Thedep

Get

http

Mo

To plist ocmduse

To pcmdchafromperf

Thethosattruser

Get

ng Active Directory D

perator

ge

ike

following is a

-ADUser Admi

following is ats child OUs:

-ADUser –Sea

following is aer than a speci

-ADUser –Fil

following is apartment that h

-ADUser –Fil

Note: For mp://technet.mic

Question: W

odifying O

perform a bulkof objects thatdlet to modify the Set-AD* c

pass the list of dlet for furtherracter. The pip

m the query toforms a specifi

following is ase accounts thibute set. This r accounts and

-ADUser –Fil

Domain Services Adm

command tha

nistrator –P

command tha

rchBase “ou=

command thaific date:

ter ‘lastlog

command thahave a last log

ter ‘lastlog

more informaticrosoft.com/en

hat is the diffe

Objects wit

k operation, yot you have quethe objects. In

cmdlets to mo

queried objecr processing, ype character pao a second cmdied operation

command thahat do not have

code would gd set the comp

ter ‘company

ministration

at you could u

Properties *

at you could u

=Marketing,dc

at you could u

ondate –lt “

at you could ugon date older

ondate –lt “

on about filten-us/library/hh

erence betwee

th Window

ou need to paseried to anothn most cases, yodify the objec

cts to another you use the pipasses each objdlet, which theon each objec

at you could ue the company

generate a list opany attribute

y –eq “$null”

Des

Gre

Use

use to show all

use to return a

c=adatum,dc=c

use to show all

“January 1, 2

use to show all than a specifi

“January 1, 2

ring with Get-h531527(v=ws

en using –eq a

ws PowerS

ss the er

you cts.

pe ( | ) ect

en ct.

use for y of to A. Datum.

”’ | Set-ADUs

scription

eater than or e

es wildcards fo

of the proper

ll the user acco

com” –SearchS

of the user ac

2012”’

of the user acc date:

2012” –and de

-AD* cmdlets, s.10) .

nd –like when

hell

ser –Company

equal to

or pattern mat

rties for a user

ounts in the M

Scope subtree

ccounts with a

ccounts in the

epartment –eq

see

n comparing st

“A. Datum”

ching

account:

Marketing OU,

e

last logon dat

Marketing

q “Marketing

trings?

and

te

”’

Thon

Ge

U

Ina geusor

Wa

Th

Ge

W

A thfilinsirefowob

Yocowthcoea

Th

FiGrRoQi

UInmty

he following isn since a speci

et-ADUser –Fi

Use Objects

nstead of usingtext file. This ienerate that liser accounts torganization.

When you use asingle line.

he following e

et-Content C

Question: the Filter p

Working w

.csv file can cohan a simple lisle can have mu

nformation. Eacngle object, an

epresents a proor bulk operati

where multiple bject are requ

ou can use theontents of a .cs

work with the dhe variable, yoolumn of data ach column by

he following is

irstName,Lastreg,Guzik,IT obin,Young,Reiong,Wu,Marke

Use Foreach n many cases, ymany rows therype of loop do

s a command tific date, and t

ilter ‘lastl

from a Text

g a list of objecs useful when st by using a qo be disabled.

a text file to sp

xample disabl

:\users.txt

Which attributparameter?

with CSV Fi

ontain much mst. Similar to aultiple rows anch row in the .nd each columoperty of the oions such as crpieces of infoired.

e Import-Csv sv file into a va

data. After the u can then refhas a name th

y name.

s an example a

tName,Depart

esearch eting

to Process you are creatinre are in each .oes not require

that you couldthen disables t

ogondate –lt

t File

cts from a queyou need a lis

query. For examThere is no qu

pecify a list of o

es the user acc

| Disable-AD

tes of a user ac

les

more informat spreadsheet,

nd columns of .csv file repres

mn in the .csv fobject. This is ureating user acrmation about

cmdlet to readariable, and thdata is import

fer to each indhat is based on

a .csv file with

ment

CSV Data ng script that w.csv file. You ca

e that you know

d use to generathem:

“January 1,

ery to perform st of objects tomple, the humuery that can i

objects, the te

counts that are

Account

ccount can yo

ion a .csv

ents a ile useful ccounts t each

d the hen ted into ividual row of n the header ro

a header row:

will be reused an use a foreaw how many r

20410A: Installin

ate a list of use

2012”’ | Di

a bulk operato modify or rem

man resources didentify a list o

ext file needs to

e listed in a te

ou use when cr

f data and eachow (the first ro

for multiple .cach loop to prrows there are


er accounts th

isable-ADAcco

tion, you can umove, and it idepartment mof users that ha

o have the nam

ext file:

reating a query

h individual coow) of the .csv

csv files, and yoocess each row.

Windows Server® 20

hat have not lo

ount

use a list of objis not possible

may generate aave left the

me of each ob

y by using

olumn of data.v file. You can r

ou do not know in a .csv file.

012 4-17

ogged

jects in e to a list of

bject on

. Each refer to

ow how This


The following is a command that you could use to import a .csv file into a variable, and use a foreach loop to display the first name from each row in a .csv file:

$users=Import-CSV C:\users.csv Foreach ($i in $users) { Write-Host “The first name is: $i.FirstName” }

Question: In the foreach loop, how does $i change?

Demonstration: Performing Bulk Operations with Windows PowerShell

You can use a script to combine multiple Windows PowerShell commands to perform more complex tasks. Within a script, you often use variables and loops to process data. Windows PowerShell scripts have a .ps1 extension.

The execution policy on a server determines whether scripts are able to run. The default execution policy on Windows Server 2012 is RemoteSigned. This means that local scripts can run without being digitally signed. You can control the execution policy on by using the Set-ExecutionPolicy cmdlet.


• Configure the department for users in the Research OU.

• Create a LondonBranch OU.

• Run the script to create new user accounts in LondonBranch.

• Verify that the new user accounts were created in LondonBranch.

Demonstration Steps

Configure the department for users in the Research OU

1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, search for user accounts in the Research OU using the following command:

Get-ADUser –Filter * –SearchBase “ou=Research,dc=adatum,dc=com”

3. Set the department attribute of all users in the Research OU using the following command:

Get-ADUser –Filter * –SearchBase “ou=Research,dc=adatum,dc=com” | Set-ADUser –Department Research

4. Display a table-formatted list of users in the Research department. Display the distinguished name and department by using the following command:

Get-ADUser –Filter ‘department –eq “Research”’ | Format-Table DistinguishedName,Department

5. Use the Properties parameter to allow the previous command to display the department correctly. Use the following command:

Get-ADUser –Filter ‘department –eq “Research”’ –Properties Department | Format-Table DistinguishedName,Department


Create a LondonBranch OU

• At the Windows PowerShell prompt, create a new OU named LondonBranch using the following command:

New-ADOrganizationalUnit LondonBranch –Path “dc=adatum,dc=com”

Run the script to create new user accounts in LondonBranch

1. Open E:\Labfiles\Mod04\DemoUsers.csv, and read the header row.

2. Edit DemoUsers.ps1, and review the contents of the script. Note that the script:

o Refers to the location of the .csv file.

o Uses a foreach loop to process the .csv file contents.

o Refers to the columns defined by the header in the .csv file.

3. At the Windows PowerShell prompt, change to the E:\Labfiles\Mod04 directory and run the following command:

.\DemoUsers.ps1

Verify that the new user accounts were created in LondonBranch

1. In Server Manager, open Active Directory Administrative Center tool.

2. In Active Directory Administrative Center, browse to Adatum (local)>LondonBranch, and verify that the user accounts were created. Note that the passwords are disabled because no password was set during creation.


Lab: Automating AD DS Administration by Using Windows PowerShell

Scenario A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so, you will be using Windows PowerShell.

Objectives


• Create user accounts and group accounts by using Windows PowerShell.

• Use Windows PowerShell to create user accounts in bulk.

• Modify user accounts in bulk.

Lab Setup

Lab Setup



20410A-LON-CL1


Password Pa$$w0rd








5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.


Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell

Scenario A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command-line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell.


1. Create a user account by using Windows PowerShell.

2. Create a group by using Windows PowerShell.

Task 1: Create a user account by using Windows PowerShell 1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, create a new OU named LondonBranch.

New-ADOrganizationalUnit LondonBranch

3. Create a new user account for Ty Carlson in the LondonBranch OU using the following command:

New-ADUser –Name Ty –DisplayName “Ty Carlson” –GivenName Ty –Surname Carlson –Path “ou=LondonBranch,dc=adatum,dc=com”

4. Set the password for the new account as Pa$$w0rd, using the following command:

Set-ADAccountPassword Ty

5. Enable the new user account using the following command:

Enable-ADAccount Ty

6. On LON-CL1, log on as Ty using a password of Pa$$w0rd.

7. Verify that logon is successful and then sign out of LON-CL1.

Task 2: Create a group by using Windows PowerShell 1. On LON-DC1, at the Windows PowerShell prompt, create a new global security group for users in the

London branch office, using the following command:

New-ADGroup LondonBranchUsers –Path “ou=LondonBranch,dc=adatum,dc=com” –GroupScope Global –GroupCategory Security

2. At the Windows PowerShell prompt, add Ty as a member of LondonBranchUsers, using the following command:

Add-ADGroupMember LondonBranchUsers –Members Ty

3. At the Windows PowerShell prompt, confirm that Ty has been added as a member of LondonBranchUsers, using the following command:

Get-ADGroupMember LondonBranchUsers


Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.

Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk

Scenario

You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague that is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your CSV file.


1. Prepare the .csv file.

2. Prepare the script.

3. Run the script.

Task 1: Prepare the .csv file 1. On LON-DC1, read the contents in E:\Labfiles\Mod04\LabUsers.ps1 to identify the header

requirements for the .csv file

2. Edit the contents in C:\Labfiles\Mod04\LabUsers.csv and add the appropriate header.

Task 2: Prepare the script 1. On LON-DC1, use Windows PowerShell ISE to modify the variables in LabUsers.ps1.

o $csvfile: E:\Labfiles\Mod04\labUsers.csv

o $OU: “ou=LondonBranch,dc=adatum,dc=com”

2. Save the modified LabUsers.ps1.

3. Review the contents of the script.

Task 3: Run the script 1. On LON-DC1, open a Windows PowerShell prompt, and run E:\Labfiles\Mod04\LabUsers.ps1.

2. At the Windows PowerShell prompt, verify that the users were created by using the following command:

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com”

3. On LON-CL1, log on as Luka using a password of Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.

Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk

Scenario You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force the users to change their passwords at their next logon. You decide


to run a script to force all user accounts in the London branch to change their password the next time that they log on.


1. Force all user accounts in LondonBranch to change password at next logon.

2. Configure the address for user accounts in LondonBranch.

3. To prepare for the next module.

Task 1: Force all user accounts in LondonBranch to change password at next logon 1. On LON-DC1, open a Windows PowerShell prompt.

2. At the Windows PowerShell prompt, create a query for user accounts in the LondonBranch OU using the following command:

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Format-Wide DistinguishedName

3. At the Windows PowerShell prompt, modify the previous command to force all user accounts to change their password at the next logon.

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Set-ADUser –ChangePasswordAtLogon $true

Task 2: Configure the address for user accounts in LondonBranch 1. On LON-DC1, open Active Directory Administrative Center tool.

2. Open the properties for all user accounts in LondonBranch.

3. Set the address for multiple users as follows:

o Street: Branch Office

o City: London

o Country/Region: United Kingdom

Results: After completing this exercise, you will have modified user accounts in bulk.

To prepare for the next module When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:




4. Repeat steps 2 to 3 for 20410A-LON-DC1.


Module Review and Takeaways Question: A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file, but is experiencing errors when attempting to set a default password. Why might this be happening?

Question: You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script?

Question: The Research department in your organization has been renamed to Research and Development. You need to update the Department property of users in the Research department to reflect this change.

Question: You have created a query for user accounts with the department property set to Research by using the Get-ADUser cmdlet and the –Filter parameter. What is the next step to update the department property to Research and Development?

5-1

Module 5 Implementing IPv4


Lesson 1: Overview of TCP/IP 5-2

Lesson 2: Understanding IPv4 Addressing 5-6

Lesson 3: Subnetting and Supernetting 5-11

Lesson 4: Configuring and Troubleshooting IPv4 5-16

Lab: Implementing IPv4 5-23


Module Overview

Internet Protocol Version 4 (IPv4) is the network protocol used on the Internet and local area networks. To ensure that you can you understand and troubleshoot network communication, it is essential that you understand how IPv4 is implemented.. In this module, you will see how to implement anIPv4 addressing scheme, and determine and troubleshoot network-related problems.

Objectives

At the end of this module, you will be able to:

• Describe the TCP/IP protocol suite.

• Describe IPv4 addressing.

• Determine a subnet mask necessary for supernetting or subnetting.

• Configure IPv4 and troubleshoot IPv4 communication.

5-2 Implement

Lesson Overvi

Tranprovrelaare foun

Les

At t

•

•

•

•

Th

Thecomprotdist

•

•

•

•

Ben

Rathprov

•

•

•

•

ing IPv4

1 iew of Tnsmission Convides communtes to other prused by applicndation for un

sson Objecti

he end of this

Describe the

Describe the

Describe TCP

Describe a so

e TCP/IP P

tasks performmmunication ptocols. These pinct layers of t

Application application laresources.

Transport laycontrol data tnetwork.

Internet layecontrol packe

Network inteInternet layer

nefits of Arc

her than creatvides several b

Separate prot

Creating or mprotocol stac

Having multipprotocols tha

Because the spersonnel wh

TCP/IP trol Protocol/

nication in a herotocols to enacation to acce

nderstanding a

ives

lesson, you w

elements of th

individual pro

/IP application

ocket and ident

Protocol Su

med by TCP/IP process are distprotocols are othe TCP/IP stac

layer. Applicaayer protocols

yer. The transtransfer reliabi

er. The interneet movement b

erface layer. Tr are transmitte

chitecture L

ing a single prbenefits:

tocols make it

modifying protk.

ple protocols ot provide only

stack is split inho are uniquely

Internet Protoeterogeneous able network cpt network co

and troublesho

will be able to:

he TCP/IP suite

tocols that ma

n layer protoco

tify port numb

uite

in the tributed betweorganized intock:

tions use the to access netw

port layer protility on the

et layer protocobetween netwo

The network ined on the med

Layers

rotocol, dividin

easier to supp

ocols to suppo

operating at thy the level of se

to layers, the dy qualified in t

ocol (TCP/IP) isnetwork. This communicatiommunications

ooting network

e of protocols.

ake up the TCP

ols.

bers for specifi

een o four

work

tocols

ols orks.

nterface layer dia.

ng the network

port a variety o

ort new standa

he same layer ervice required

development othe operations

s an industry slesson provide

on. It also coves. Combined tok communicat

P/IP suite.

ied protocols.

protocols defi

k functions int

of computing

ards does not

makes it possid.

of the protocos of the particu

tandard suite es an overview

ers the conceptogether this ovtion.

ne how datag

to a stack of se

platforms.

require modif

ible for applica

ols can proceedular layers.

of protocols thw of IPv4 and ht of sockets whverview provid

rams from the

eparate protoc

fication of the

ations to selec

d simultaneou

hat how it hich des a

e

cols

entire

ct the

usly by

P

Thdeseneth

AThcoseseac

TThcop

•

•

Than

In

Thpanla

Th

•

•

•

•

Protocols in

he Open Systeefines distinct ending, and reetwork. The lahe TCP/IP stack

Application Lhe applicationorresponds to ession layers oervices and uticcess network

ransport Lahe transport laommunicationrogrammers th

TCP. Providcommunicamake commdesired in mclients, and

UDP. Proviresponsibilithan TCP. Anot delay pName Syste

he transport land is based on

nternet Laye

he Internet layrotocols, inclund Internet Coayer data into u

he Internet lay

IP. IP is respServer® 201IPv4 and IP

ARP. ARP isadapters—tlocal host. Alocalized. Saddress of a

IGMP. IGM

ICMP. ICM

n the TCP/

ems Interconnelayers related ceiving data tryered suite of k carry out the

Layer layer of the Tthe applicatiof the OSI modlities that enabresources.

ayer ayer corresponn using TCP or he choice of TC

des connectionation confirmsmunication relmost cases andd other applica

des connectioity of the applApplications suplayback. UDP em (DNS) nam

ayer protocol tn the commun

er

yer correspondding: IP; Addre

ontrol Messageunits called pa

yer protocols a

ponsible for ro12 operating sPv6.

s used by IP tothat is, adapteARP is broadcaome implemea network ada

MP provides sup

P sends error

/IP Suite

ection (OSI) mto packaging,ransmissions oprotocols that

ese functions.

TCP/IP model on, presentatio

el. This layer pble application

nds to the tranUser DatagramCP or UDP as

n-oriented reli that the destiiable, TCP cond is used by mations that mov

nless and unreication. Applic

uch as streaminis also used by

me lookups.

that an applicaication require

ds to the netwoess Resolutione Protocol (ICMackets, address

are:

outing and addystem implem

o determine thers installed onast-based, meantations of TC

apter is used to

pport for mult

messages in an

odel , over a t form

n, and provides ns to

sport layer of m Protocol (UDa transport lay

able communnation is ready

nfirms that all post applicationve large amou

eliable commucations use UDng audio and vy applications

ation uses is deements of the

ork layer of th Protocol (ARP

MP). The protos them, and rou

dressing. The Wment a dual-lay

he media accesn computers onaning that ARP

CP/IP provide so determine th

titasking applic

n IP-based net

20410A: Instal

the OSI modeDP). The TCP/yer protocol:

ications for apy to receive dapackets are recns. Web server

unts of data us

unication. WheDP for faster covideo use UDPthat send sma

etermined by tapplication.

e OSI model aP); Internet Groocols at the Intute them to th

Windows 8 opyer IP protocol

ss control (MAn the local netP frames cannsupport for Rehe correspond

cations over ro

twork.


el and is responIP protocol su

pplications. Coata before it seceived. Reliablrs, File Transfese TCP.

en using UDP, ommunication P so that a singall amounts of

the developer

and consists ofoup Managemternet layer enheir destinatio

perating systeml stack, includi

AC) address of twork—from tot transit a rou

everse ARP (RAing IP address

outers in IPv4

g Windows Server®

nsible for end-ite offers appl

onnection-orieends the data.le communica

er Protocol (FT

reliable delive with less overgle missing paf data, such as

r of an applicat

f several separament Protocol ncapsulate tranns.

m and the Winng support for

local network the IP address uter and are th

ARP) in which ts.

networks.

2012 5-3

-to-end ication

nted To tion is P)

ery is the rhead acket will Domain

tion,

ate (IGMP); nsport

ndows r both

of a herefore the MAC

5-4 Implement

Net

Thedatasendthe driv

TC

Appcomservprotsom

Pr

H

H

FT

RP

Se(S

SiP

Pve

ing IPv4

twork Inter

network intera link and phyding and receiTCP/IP protoc

ver and the net

P/IP Appli

plications use ammunicate ovever must be ustocol to comm

me common ap

rotocol

HTTP

HTTP/Secure (H

TP

emote Desktorotocol (RDP)

erver MessageSMB)

imple Mail Trarotocol (SMTP

ost Office Protersion 3 (POP3

rface Layer

rface layer (somsical layers of iving packets ocol suite becautwork adapter

ications

application layer the networking the same a

municate. The fpplication laye

D

U

HTTPS) Aa

U

op Uo

e Block U

ansfer P)

U

tocol 3)

U

metimes referrthe OSI modeon the networuse the tasks a.

yer protocols tok. A client and application layfollowing tabler protocols.

Description

Used for comm

A version of HTand web serve

Used to transfe

Used to remotover a network

Used by server

Used to transfe

Used to retriev

red to as the lil. The networkk media. This lre performed

o

yer e lists

munication bet

TTP that encryrs.

er files betwee

ely control a ck.

rs and client co

er email messa

ve messages fr

ink layer or dak interface layelayer is often nby the combin

tween the web

ypts communic

en FTP clients a

computer runn

omputers for f

ages over the I

rom some ema

ata link layer) cer specifies thenot formally conation of the n

b browsers and

cation betwee

and servers.

ning Windows

file and printer

Internet.

ail servers.

corresponds toe requirementsonsidered partnetwork adapt

d web servers.

en web browse

operating syst

r sharing.

o the s for t of ter

ers

tems

W

Wcohoappa

•

•

•

Th

W

Aknconoapof

Yocow

What Is a S

When an applicommunicationost, it creates appropriate. A sart of the com

The transpouses, which

The TCP or application

The IPv4 ordestination

his combinatio

Well-Known

pplications arenown ports andonsistent port on-standard ppplications typf these well-kn

Port

80

443

110

25

53

53

20, 21

ou need to beommunication

when required.

Question: A

Socket?

cation wants ton with an applia TCP or a UDsocket identifie

mmunication pr

ort protocol thh could be TCP

UDP port nums are using

r IPv6 address hosts

on of transport

Ports

e assigned a pd have been anumbers to m

port number, thpically use a ranown ports.

Protocol

TCP

TCP

TCP

TCP

UDP

TCP

TCP

aware of the n. Most applica

For example,

Are there othe

o establish cation on a reP socket, as es the followinrocess:

hat the applicaP or UDP

mbers that the

of the source

t protocol, IP a

ort number bessigned to spe

make it easier fohen you need ndom source

Ap

HT

HT

PO

SM

D

D

FT

port numbers ations have a dsome web-bas

er well-known

mote

ng as

ation

e

and

address, and p

etween 0 and ecific applicatioor client applicto specify the port number a

pplication

TTP used by a

TTPS for a sec

OP3 used for e

MTP that is use

NS used for m

NS used for zo

TP used for file

that applicatiodefault port nused application

ports that you

20410A: Instal

port creates a s

65,535. The firons. Applicatiocations to con port number above 1,024. T

web server

ure web serve

email retrieval

ed for sending

most name reso

one transfers

e transfers

ons use, so youmber for this ns run on a po

u can think of?


socket.

rst 1,024 portsons listening fo

nnect. If an appwhen connect

The following t

er

g email messag

olution reques

u can configupurpose, but

ort other than

?

g Windows Server®

s are known asor connectionsplication listenting to it. Clientable identifies

ges

sts

re firewalls to it can be chanport 80 or por

2012 5-5

s well-s use s on a nt s some

allow nged rt 443.

5-6 Implement

Lesson 2Under

Undandaddbetwsup

Les

At t

•

•

•

•

•

IPv

To cfamNetdireEachuniq

Eachadddottdivibits betwsepa

Sub

Eachwhisubn

In thpartwithand

inteswit

ing IPv4

2 standinderstanding IPv maintain IPv4

dressing, subneween hosts. Toposed to work

sson Objecti

he end of this

Describe the

Identify publi

Understand h

Describe a sim

Describe a co

v4 Address

configure netwmiliar with IPv4

work communected to the IPvh networked cque IPv4 addre

h IPv4 addressdresses more reted decimal nodes a 32-bit IPwhich are con

ween zero andarated by a pe

bnet Mask

h IPv4 addressch the computnet mask iden

he simplest scet of the netwoh an IP address a host ID of 0

Note: The terchangeably. Atches to repres

ng IPv4 v4 network co4 networks. Onet masks, and do identify IPv4 k. .

ives

lesson, you w

information re

ic and private

how dotted de

mple IPv4 netw

omplex IPv4 ne

sing

work connectivaddresses and

nication for a cv4 address of

computer mustess.

s is 32 bits longeadable, they aotation. DottedPv4 address intnverted to a ded 255. The deceriod (dot). Eac

s is composed ter is located. tifies which pa

enarios, each ork ID, while a 0s of 192.168.230.0.0.45.

erms network,A large netwosent subnets.

Addresommunication ne of the core default gatewacommunicatio

will be able to:

equired to con

IPv4 addresses

ecimal notation

work with class

etwork with cla

vity, you must d how they wocomputer is that computert be assigned

g. To make IP are shown in d decimal notato four groupsecimal numbeimal numbers ch decimal num

of a network IThe host ID un

art of an IPv4 a

octet in a subn0 represents a3.45 and a sub

, subnet, and Vrk is often sub

sing is critical to encomponents oays allows youon errors you

nfigure an IPv4

s.

n relates to bin

sfull addressin

assless address

be ork.

r. a

ation s of 8 r are

mber is called

ID and a host niquely identifaddress is the

net mask is eithn octet that is

bnet mask of 2

VLAN (Virtual bdivided into s

nsuring that yoof IPv4 is addru to identify thneed to under

4 host.

nary numbers.

g.

sing.

an octet.

ID. The networfies the compunetwork ID, an

her 255 or 0. A part of the ho

255.255.255.0

Local Area Neubnets, and V

ou can implemressing. Underse proper comrstand how the

rk IDi identifieuter on that spnd which part

A 255 represenost ID. For exahas a network

etwork) are oftVLANs are conf

ment, troubleshstanding munication e process is

es the networkpecific networkis the host ID.

nts an octet thmple, a compu

k ID of 192.168

en used figured on

hoot,

k on k. A

at is uter 8.23.0

D

A ne

Oanlo

Beis sene

Wthcogade

CPrho

P

DIndeIn

P

PuAIPRporThyo

P

Thadrere

Default Gate

default gatewetworks. The m

On an intranet, nd remote. Yoocal hosts to co

efore a host seon the same n

ending host traetwork, the ho

When a host trahe appropriateontain any rouateway. The hoefault gateway

lient computerotocol (DHCPost. Most serve

Question: incorrectly?

Public and

evices and honternet requireevices that do

nternet do not

Public IPv4 A

ublic IPv4 addssigned Numb

Pv4 addresses tIRs then assignroviders (ISPs)r more public he number of ou depends up

Private IPv4

he pool of IPv4ddresses. Techelatively small emote hosts an

eway

way is a device,multiple intern

any given netu must configommunicate w

ends an IPv4 pnetwork, or onansmits the paost transmits th

ansmits a packe router for theuting informatiost assumes thy is used in mo

rs usually obtaP) server. This iers have a stat

How is networ?

Private IP

sts that connee a public IPv4

not connect drequire a pub

Addresses

resses must bebers Authority to regional Intn IPv4 address. Usually, youraddresses fromaddresses thatpon how many

Addresses

4 addresses is hnologies suchnumber of pund services on

, usually a routal networks in

twork might haure one of the

with hosts on re

packet, it uses in a remote netacket directly the packet to a

ket to a remotee packet to reaion about the hat the defaultost cases.

ain their IP adds more straigh

tic IP configura

rk communica

v4 Addres

ct directly to taddress. Host

directly to the blic IPv4 addre

e unique. Inter(IANA) assign

ternet registriees to Internet ISP allocates ym its address pt your ISP allocy devices and

becoming smas network adblic IPv4 addrethe Internet.

ter, on a TCP/n an organizati

ave several roue routers as theemote networ

its own subnettwork. If the deto the destinatrouter for del

e network, IPv4ach the destinadestination su

t gateway cont

dressing informhtforward thanation that is as

tion affected i

sses

the ts and

ss.

rnet s public

es (RIRs). service you one pool. cates to hosts that you

aller, so RIRs address translatesses, and at t

20410A: Instal

IP network thaion can be refe

uters that conne default gatewrks.

t mask to deteestination hosttion host. If theivery.

4 consults theation subnet. I

ubnet, IPv4 fortains the requi

mation from a n manually assssigned manua

if a default gat

u have to conn

are reluctant totion (NAT) enahe same time,


at forwards IP erred to as an

nect it to otheway for local h

ermine whethet is on the same destination h

e internal routiIf the routing trwards the pacired routing in

Dynamic Hosigning a defaually.

teway is config

nect to the Inte

o allocate supeable administra, enable local h

g Windows Server®

packets to othintranet.

er networks, bohosts. This ena

er the destinatme network, thhost is on a dif

ng table to detable does notcket to the defnformation. Th

t Configuratioult gateway on

gured

ernet.

erfluous IPv4 ators to use a hosts to conne

2012 5-7

her

oth local ables the

ion host he fferent

etermine t ault

he

on n each

ect to

5-8 Implement

IANpac

Ne

1

1

1

Ho

Whedecbasethe binamasIP a

Witdeczeroto arighvaluin ais th

MosCalccon

Bi

1

ing IPv4

A defines the kets originatin

etwork

0.0.0.0/8

72.16.0.0/12

92.168.0.0/16

ow Dotted

en you assign imal notation.ed on the decibackground, c

ary. To understsk for complexddresses in bin

hin an 8-bit ocimal value. A bo value. A bit ta decimal valuehtmost bit in thue of 1. The hign octet are set

he highest pos

st of the time, culator applicaversions, as sh

nary

0000011 0110

address rangeng from, or des

Decimal N

IP addresses, y Dotted decimimal number scomputers usetand how to c

x networks, younary.

ctet, each bit pbit that is set tthat is set to 1 e. The low-ordhe octet—reprgh-order bit—t to 1 the octesible value of

you can use aation included hown in the fol

01011 0000001

es in the followstined to, thes

Range

10.0.0.0-1

172.16.0.0

192.168.0

Notation R

you use dottedmal notation is system. Howeve IP addresses hoose a subneu must unders

position has ao 0 always hascan be conver

der bit—the resents a decim

—the leftmost bet’s decimal vaan octet.

a calculator to in Windows o

llowing examp

11 00011000

wing table as pe ranges.

10.255.255.255

0-172.31.255.2

.0-192.168.255

Relates to

d

ver, in in

et stand

s a rted

mal bit in the octetlue is 255 (tha

convert decimoperating systeple.

D

1

private. Interne

5

255

5.255

Binary Nu

t—represents at is: 128 + 64

mal numbers toems can perfor

otted decima

131.107.3.24

et-based route

umbers

a decimal valu+ 32 + 16 + 8

o binary and vrm decimal-to

l notation

ers do not forw

ue of 128. If all8 + 4 + 2 + 1).

vice versa. The o-binary

ward

l bits That

S

IP

ThEamnefr

Casadfoexch

ad

S

Yothpath

teno

imple IPv4

Pv4 Address

he IANA organach class of ad

mask that definetwork. IANA om Class A th

lasses A, B, andssign to IP addddresses are uor multicastingxperimental usharacteristics o

Class

A

B

C

Note: Theddress classes.

imple IPv4

ou can use subhe subnet masart of the netwhe 10.0.0.0 net

Note: Theest the local coot permitted f

4 Impleme

s Classes

nizes IPv4 addddress has a difes the numbehas named therough Class E.

d C are IP netwdresses on hostsed by compu

g. The IANA resse. The followiof each IP addr

First octet

1-127

128-191

192-223

e Internet no lo

Networks

bnetting to divk defines full o

work ID, and a twork with a su

e IPv4 address onfiguration ofor configuring

entations

resses into clafferent defaultr of valid hoste IPv4 address.

works that yout computers. C

uters and appliserves Class E ng table lists tress class.

Default

255.0.0

255.25

255.25

onger uses rou

vide a large neoctets as part o0 represents a

ubnet mask of

127.0.0.1 is usf the IPv4 protg IPv4 hosts.

sses. t subnet s on the

s classes

u can Class D cations for

the

t subnet mask

0.0

5.0.0

5.255.0

uting based on

etwork into muof the networkan octet that is255.255.0.0 to

sed as a loopbtocol stack. Co

20410A: Instal

k Number onetworks

126

16,384

2,097,152

n the default s

ultiple smaller k ID and host Is part of the ho create 256 sm

back address; yonsequently, th


of Nupe

1

6

2 2

subnet mask o

networks. In sID. A 255 repreost ID. For examaller networ

you can use thhe network ad

g Windows Server®

umber of hoster network

6,777,214

5,534

54

of IPv4

simple IPv4 neesents an octeample, you canks.

is address to dress 127 is

2012 5-9

ts

tworks, et that is n use

5-10 Implemen

Mo

In csimmigfor tID. Tsubexamdivi

17

In mreprbits is an

17

Var

ModsubnetwThis

nting IPv4

ore Compl

omplex netwople combinatio

ght subdivide othe network IDThis allows younets and hostsmple shows a de a class B ne

72.16.0.0/255

many cases, ratresentation of in the networ

n example of C

2.16.0.0/20

riable Lengt

dern routers sunets of differework with 256 s allows you to

Question: Do

lex IPv4 Im

orks, subnet mons of 255 andone octet withD, and some thu to have the ss that you requsubnet mask t

etwork into 16

5.255.240.0

ther than usingthe subnet ma

rk ID is specifieCIDR:

th Subnet M

upport the usent sizes when addresses into

o use IP addres

oes your organ

mplementa

asks might nod 0. Rather, yosome bits tha

hat are for the specific numbeuire. The followthat can be use6 subnets:

g a dotted decask, the numbed instead. Thi

Masks

e of variable leyou subdivideo 3 smaller netsses in a netwo

nization use sim

ations

t be ou at are

host er of wing ed to

cimal ber of s is called clas

ength subnet me a larger netwtworks with 12ork more effici

mple or comp

ssless interdom

masks (VLSMs)work. For exam28 addresses, 6iently.

plex networking

main routing (C

). VLSMs allowmple, you could

64 addresses, a

g?

IDR). The follo

w you to created subdivide a sand 64 addres

owing

e small sses.

LessonSubne

Inalthm

LeA

•

•

•

•

•

•

H

InfoIf ID

Inmsucobich

ThbyAne

•

•

Th

Wsubi

n 3 etting an most organizlocate those s

he correct nummultiple networ

esson Object the end of th

Describe ho

Identify wh

Calculate a

Calculate a

Identify an

Describe su

How Bits A

n simple netwoour octets, andthe octet is 25

D. If the octet i

n complex netwmask to binary, ubnet mask. A ontiguous 1s ait and continuhange to all 0s

he network ID y the 1s. The hny bits taken fetwork ID.

Each bit tha

Each bit tha

he mathematic

When you use mubnet. Using mits than you ne

and Supzations, you neubnets for spe

mber of bits to rks into a sing

ctives his lesson, you

ow bits are use

en to use subn

subnet mask t

subnet mask t

appropriate su

upernetting.

Are Used in

orks, subnet md each octet ha55, that octet is 0, that octet

works, you canand evaluate subnet mask

and 0s. The 1s e uninterruptes.

of a subnet mhost ID can be from the host

at is 1 is part o

at is 0 is part o

cal process use

more bits for tmore bits than eed allows for

pernettieed perform suecific purposesinclude in thele larger netwo

will be able to

ed in a subnet

netting.

that supports

that supports

ubnet mask fo

n a Subnet

asks are compas a value of 2is part of the nis part of the

n convert the seach bit in theis composed ostart at the lef

ed until the bit

mask can be ideidentified by tID and allocat

of the network

of the host ID.

ed to compare

the subnet mayou need allogrowth in the

ng ubnetting to ds or locations. Te subnet masksork through su

o:

mask.

a specific num

a specific num

or a scenario.

t Mask

posed of 55 or 0.

network host ID.

subnet e of ftmost ts

entified the 0s. ed to the netw

k ID.

e an IP address

sk, you can haws for subnet

e number of ho

20410A: Installin

divide your netTo do this yous. In some caseupernetting.

mber of subnet

mber of hosts.

work ID must b

s and a subnet

ave more subngrowth, but li

osts you can h


twork into smau need to undees, you may al

ts.

be contiguous

t mask is called

nets, but fewer mits growth foave, but limits

Windows Server® 20

aller subnets aerstand how toso need to com

with the origi

d ANDing.

hosts on eachor hosts. Usings growth in sub

012 5-11

nd o select mbine

inal

h g fewer bnets.

5-12 Implemen

Th

WhemusuniqID—the netw

By u

•

•

•

•

Ca

Befomanrequnum

Youyouwhenum

Thesubnum

Nu

1

2

3

4

5

6

To dexam

nting IPv4

e Benefits

en you subdivst create a uniqque IDs are de

—you allocate snetwork ID. Th

works.

using subnets,

Use a single, physical locat

Reduce netwotraffic and redsegment.

Increase secu

Overcome limeach segmen

lculating S

ore you defineny subnets anduire. This enab

mber of bits fo

u can calculate need in the n

ere n is the nummber of subnet

following tabnets that you c

mber of bits.

umber of bits

determine the mple, if you ch

of Using S

ide a network que ID for eac

erived from thesome of the bhis enables yo

you can:

large network tions.

ork congestionducing broadc

rity by dividin

mitations of cut can have.

Subnet Ad

e a subnet masd hosts for eacbles you to user the subnet m

the number onetwork. Use thmber of bits. Tts that your ne

le indicates thcan create by

(n) Num

2

4

8

16

32

64

subnet addrehoose to subne

Subnetting

into subnets, ch subnet. These main networits in the host u to create mo

across multip

n by segmenticasts on each

g the network

rrent technolo

dresses

sk, estimate hoch subnet you e the appropriamask.

of subnet bits the formula 2n, The result is thetwork require

e number of using a specifi

mber of subne

sses quickly, yoet the network

g

you se rk ID to ore

le

ng

k and using fire

ogies, such as e

ow may ate

that

e es.

ic

ts (2n)

ou can use thek 172.16.0.0 by

ewalls to contr

exceeding the

e lowest value y using 3 bits,

rol communica

e maximum nu

bit in the subthis mean the

ation.

mber of hosts

net mask. For e subnet mask

s that

is

25in

Th

neIn

C

Toreonrenunuanca

OauAneth

55.255.224.0. Tncrement betw

he following ta

Binary netwo

172.16.00000

172.16.00100

172.16.01000

172.16.01100

172.16.10000

172.16.10100

172.16.11000

172.16.11100

Note: Youetwork, rather

nternet.

Calculating

o determine hequired numben a subnet. Caequired by usinumber of bits. umber of hostnd is also the man configure o

On each subnetutomatically an address withetwork. An addhe broadcast a

The decimal 22ween each subn

able shows exa

rk number

0000.00000000

0000.00000000

0000.00000000

0000.00000000

0000.00000000

0000.00000000

0000.00000000

0000.00000000

u can use a suthan calculati

g Host Add

ost bits in the er of bits for thlculate the nung the formulaThis result mu

ts that you neemaximum numon that subnet.

t, two host IDsnd cannot be h the host ID adress with the ddress for tha

24 is 11100000net address.

amples of calc

0

0

0

0

0

0

0

0

bnet calculatong them manu

dresses

mask, determhe supporting mber of host ba 2n-2, where nust be at least ed for your netmber of hosts t.

s are allocated used by comp

as all 0s represehost ID as all t network.

0 in binary, an

ulating subnet

Decimal netw

172.16.0.0

172.16.32.0

172.16.64.0

172.16.96.0

172.16.128.0

172.16.160.0

172.16.192.0

172.16.224.0

or to determineually. Subnet c

ine the hosts

bits n is the the twork, that you

puters. ents the 1s is

20410A: Installin

nd the lowest b

t addresses.

work number

0

0

0

0

e the appropricalculators are


bit has a value

iate subnets foe widely availab

Windows Server® 20

of 32, so that

or your ble on the

012 5-13

is the

5-14 Implemen

Thebits

Nu

1

2

3

4

5

6

You

1.

2.

The

Ne

1

1

1

To cyoucalc

Dis

Reaque

Youconallosub

Theeachrouthavprinto 1

You

nting IPv4

following tab.

umber of bits

u can calculate

The first host

The last host

following tab

etwork

72.16.64.0/19

72.16.96.0/19

72.16.128.0/19

create an appr need, and ho

culate an appro

scussion: C

d the followinestions on the

u are identifyinfiguration for cated the 10.3net as required

re are four buh should have ting between te up to 700 us

nters. The typic1.

u also need to

le shows how

(n) Num

0

2

6

14

30

62

each subnet’s

is one binary

is two binary d

le shows exam

9

ropriate addrew many hosts opriate subnet

Creating a

g scenario andslide.

ng an appropria new campus

34.0.0/16 netwd.

ildings on the its own subne

the buildings. sers. Each buildcal ratio of use

allocate a sub

many hosts a

mber of hosts

s range of host

digit higher th

digits lower th

mples of calcula

Host range

172.16.64.1 –

172.16.96.1 –

172.16.128.1

ssing scheme you need on

t mask.

Subnettin

d answer the

ate network s. You have be

work that you c

new campus, et to allow for Each building ding will also hers to printers i

net for the ser

class C netwo

(2n-2)

t addresses by

han the curren

han the next su

ating host add

– 172.16.95.25

– 172.16.127.2

1 – 172.16.159.

for your organeach subnet. O

ng Scheme

een can

and

will have is 50

rver data cente

rk has availabl

y using the foll

nt subnet ID.

ubnet ID.

dresses.

54

254

.254

nization, you mOnce you have

e for a New

er that will hol

le based on th

owing process

must know howe that informa

w Office

d up to 100 se

he number of h

s:

w many subnetion, you can

ervers.

host

ets

W

Suinaphaexusaladsunethin

To1919

Sunea

Th

What Is Sup

upernetting conto a single larppropriate whas grown and xpanded. For esing the netwol of its IP addrdditional netwubnet mask of etworks then yhem. You can unto a single ne

o perform sup92.168.16.0/2492.168.54.0/24

upernetting is etwork ID to tspecific numb

Number of bi

1

2

3

4

he following ta

Network

192.168.0001

192.168.0001

192.168.0001

pernetting

ombines multige network. Ten you have athe address spexample, a braork 192.168.16resses and be a

work 192.168.1255.255.255.0

you must perfouse supernettitwork.

ernetting, the 4 and 192.168.4.

the opposite ohe host ID. The

ber of bits.

ts Nu

2

4

8

16

able shows an

10000.0000000

10001.0000000

10000.0000000

g?

ple small netwhis may be small network

pace needs to anch office tha6.0/24 might eallocated the 7.0/24. If the d

0 is used for thorm routing bng to combine

networks that.17.0/24 can b

of subnetting. e following tab

umber of netw

6

example of su

00/24

00/24

00/23

works

k that be

at is xhaust

default hese etween e them

t you are combbe supernetted

When you peble shows how

works combine

upernetting tw

Range

192.168

192.168

192.168

20410A: Installin

bining must bed, but you cann

erform supernew many netwo

ed

wo class C netw

8.16.0-192.168

8.17.0-192.168

8.16.0-192.168


e contiguous. not supernet 1

etting, you allorks that you ca

works.

8.16.255

8.17.255

8.17.255

Windows Server® 20

For example, 192.168.16.0/2

ocate bits froman combine by

012 5-15

4 and

m the y using

5-16 Implemen

Lesson 4Config

If IPensuIPv4usef

Thesystdeta

LesAt t

•

•

•

•

•

•

Co

Youaddcan variDNSsho

IPv4

•

•

•

•

Statmetcom

YounetsAreagate

Ne

ad

nting IPv4

4 guring aPv4 is configureure the availab4. Windows Seful for scripting

troubleshootiems. Howeverailed analysis o

sson Objectihe end of this

Configure IPv

Configure a s

Use IPv4 trou

Describe the

Describe the

Use Network

onfiguring

u typically confdress. This is do

document theous services oS server is acceuld not chang

4 configuration

IPv4 address

Subnet mask

Default gatew

DNS servers

tic configuratiothod of compu

mputers. Manu

u can configuresh command-la Connection weway of 10.10.

tsh interfac

dr=10.10.0.1

and Troed incorrectly,bility of networver 2012 introg.

ing tools in Wr, you may notof network com

ives lesson, you w

v4 manually to

server so that i

ubleshooting to

troubleshootin

function of Ne

Monitor to ca

IPv4 Man

figure servers wone to ensure te IP addresses n your networessed at a spece.

n includes:

way

on requires thauter managemally entering a

e a static IP adline tool. For ewith the static.0.1.

ce ipv4 set a

10 mask=255.2

ublesho then it affectsrk services, yooduces the ab

indows Server t be familiar wmmunication.

will be able to:

o provide a sta

t obtains an IP

ools.

ng process use

etwork Monito

apture and ana

ually

with a static IPthat you knowthat are used

rk. For examplecific IP address

at you visit eacment is reasonaa static configu

ddress either inexample, the foc IP address 10

address name=

255.0.0 gatew

ooting Is the availabiliu need to undility to configu

2012 are simiith Network M

tic configurati

Pv4 configurat

ed to resolve f

or.

alyze network

P w and

for e, a s that

ch computer aable for serversuration also in

n the propertieollowing comm0.10.0.10, the s

="Local Area

way=10.10.0.1

IPv4 ty of services t

derstand how ture IPv4 by usi

ilar to previousMonitor which

ion for a serve

tion automatic

undamental IP

traffic.

and input the Is, but it is verycreases the ris

es of the netwomand configurubnet mask of

Connection"

1

that are runninto configure aing Windows P

s versions of Wcan be used to

er.

cally.

Pv4 problems.

IPv4 configuray time consumsk of configura

ork connectionres the interfacf 255.255.0.0,

source=stat

ng on a servernd troubleshoPowerShell. Th

Windows operao perform very

ation manuallying for client

ation mistakes.

n or by using tce named Locaand a default

ic

r. To oot his is

ating y

y. This

.

the al

Wcoav

Thin25

N

N

Po

C

DIPcoinfocoIt thThthco

Dbuyo

•

Windows Serveonfiguration. Tvailable for co

Cmdlet

Set-NetIPAd

Set-NetIPInt

Set-NetRout

Set-DNSClie

he following cnterface named55.255.0.0, and

Set-NetIPAddPrefixLength New-NetRoute

NextHop 10.1

AdditionaowerShell see:

Question:

Configuring

HCP for IPv4 ePv4 configuratomputers withndividually. Theor IPv4 configuonfigure to obalso assigns a

hat you define he DHCP servihe request origonfiguration fr

HCP helps simut you must bou must do th

Include resithe service

r 2012 also haThe following tnfiguring IPv4

ddress

terface

te

ntServerAddr

ode is an examd Local Area Cd a default gat

ress –Interf16 –InterfaceA

0.0.1

al Reading: Fohttp://technet

Do any compu

g IPv4 Aut

enables you toions for large

hout having to e DHCP serviceuration from cobtain an IPv4 additional IPv4 for each of yoce identifies th

ginated and asrom the releva

mplify the IP coe aware that ife following:

ilience in yourfrom function

s Windows Potable describes

4.

D

resses

mple of the WiConnection witteway of 10.10

faceAlias “Lo

Alias “Local

or more informt.microsoft.com

uters or device

tomatically

o assign automnumbers of assign each o

e receives requomputers thatddress automasettings from

our network’s she subnet fromssigns IP ant scope.

onfiguration prf you use DHC

DHCP servicening.

owerShell® cmds some of the

Description of

Modifies an exmask

Enables or dis

Modifies routidefault gatew

Configures theinterface

indows Powerth the static IP 0.0.1.

ocal Area Con

Area Connect

mation about Nm/en-us/librar

es in your orga

y

matic

ne uests t you atically. scopes

subnets. m which

rocess, CP to assign IPv

e design so tha

20410A: Installin

dlets that you available Wind

f IPv4 configu

xisting IP addr

abled DHCP fo

ing table entriway (0.0.0.0)

e DNS server t

Shell cmdlets taddress 10.10

nnection” –IP

tion” –Destin

et TCP/IP Cmdry/hh826123.

anization have

v4 information

at the failure o


can use to madows PowerSh

uration uses

ress and sets th

or an interface

es, including t

that is used fo

that you can u0.0.10, the sub

Pv4Address 10

nationPrefix

dlets in Windo

e static IP addr

n and the serv

of a single serve

Windows Server® 20

anage networkhell cmdlets th

he subnet

e

the

r an

use to configunet mask of

0.10.0.10

0.0.0.0/0

ows

esses?

ice is business

er does not pr

012 5-17

k hat are

re the

-critical,

revent

5-18 Implemen

•

If yorequAdd

WheConAPIPbut

APIPindi

IPv

Mosperf200that

IPC

IpcocurrAddto r

Theopt

Co

ip

ip

ip

ip

ip

PinPingechprimICM

Tra

Tracseriedest

nting IPv4

Configure thenetwork and

ou use a laptouire a differentdressing (APIPA

en you configunfiguration taPA to assign itwith no defau

PA is useful focation that the

v4 Trouble

st IPv4 connecformed at a co8 includes a nt help you diag

Config

onfig is a commrent TCP/IP neditionally, you efresh DHCP a

following tabions for ipcon

ommand

pconfig /all

pconfig /relea

pconfig /rene

pconfig /displ

pconfig /flush

ng g is a commano request mes

mary TCP/IP coMP messages.

acert

cert is a commes of ICMP echtination. This t

e scopes on thprevent comm

p to connect tt IP configuratA) or an altern

ure Windows-b to control th

tself an IP addrult gateway or

r troubleshoote computer ca

eshooting

ctivity troublesommand-line. umber of comgnose network

mand-line tooetwork configucan use the ip

and DNS settin

le describes thfig.

ase

w

laydns

hdns

nd-line tool thassages and dispommand that y

mand-line tool ho requests. Trtool also deter

e DHCP servemunication.

to multiple nettion. Windowsnate static IP ad

based computhe behavior if ress automaticDNS server; th

ting DHCP; if tannot commun

Tools

shooting is Windows Serv

mmand-line took problems.

ol that displays uration. pconfig commngs.

he command-l

Descriptio

View deta

Release tthe DHCP

Renew th

View the

Purge the

at verifies IP-leplays the receiyou use to tro

that identifiesracert then disrmines which r

r carefully. If y

tworks, such as operations syddress for this

ters to obtain a DHCP serve

cally from the his enables lim

the computer nicate with a D

ver ols

the

mand

ine

on

ailed configura

he leased confP server

he leased confi

DNS resolver

e DNS resolve

evel connectivipt of correspoubleshoot con

the path takesplays the list orouter has faile

you make a mi

s at work andystem support situation.

an IPv4 addrer is not availab169.254.0.0 to

mited functiona

has an addresDHCP server.

ation informat

figuration bac

iguration

cache entries

cache

ity to another onding echo rennectivity; how

en to a destinaof router interfed, and what t

stake, it can af

at home, eachthe use of Aut

ss from DHCPble. By default,o 169.254.255.2ality.

s from the AP

tion

ck to

TCP/IP compueply messages

wever, firewalls

tion computerfaces betweenhe latency (or

ffect the entire

h network migtomatic Privat

P, use the Alter, Windows use255 address ra

IPA range, it is

uter. It sends Is. Ping is the s might block t

r by sending an a source and

speed) is. The

e

ht e IP

rnate es ange,

s an

CMP

the

a a

ese


results might not be accurate if the router is busy, because the ICMP packets are assigned a low priority by the router.

Pathping

Pathping is a command-line tool that traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail, because it sends 100 packets for each router, which enables it to establish trends.

Route Route is a command-line tool that allows to view and modify the local routing table. You can use this to verify the default gateway which is listed as the route 0.0.0.0. In Windows Server 2012 you can also use PowerShell cmdlets to view and modify the routing table. The cmdlets for viewing and modifying the local routing table include Get-NetRoute, New-NetRoute, and Remove-NetRoute.

Telnet

You can use the Telnet Client feature to verify whether a server port is listening. For example, the command telnet 10.10.0.10 25 attempts to open a connection with the destination server, 10.10.0.10, on port 25, SMTP. If the port is active and listening, it returns a message to the Telnet client.

Netstat Netstat is a command-line tool that enables you to view network connections and statistics. For example, the command netstat –ab returns all listening ports and the executable that is listening.

Resource Monitor Resource Monitor is a graphical utility that allows you to monitor system resource utilization. You can use Resource Monitor to view TCP and UDP ports that are in use. You can also verify which applications are using specific ports and the amount of data they are transferring on those ports.

Network Diagnostics

Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a Windows Server networking problem, the Diagnose Connection Problems option helps you diagnose and repair the problem. Windows Network Diagnostics returns a possible description of the problem and a potential remedy. However, the solution might require manual intervention from the user.

Event Viewer Event logs are files that record significant events on a computer, such as when a process encounters an error. When these events occur, the Windows operating system records the event in an appropriate event log. You can use Event Viewer to read the event log. IP conflicts are listed in the System event log and might prevent services from starting.

5-20 Implemen

Th

TheproThewill all uthenconaffeservcongrocom

To tprocundprocthe

Som

1.

2.

3.

4.

nting IPv4

e Troubles

first step in trblem is identif causes of a prmost likely dif

users. If a probn the problemfiguration of t

ects all users, thver configuratifiguration issuup of users, th

mmon denomin

troubleshoot ncess. You can i

derstand how tcess, you needrouting path t

me of the steps

If you know wverify that it iindicates that

Use ping to shost, you veriFirewall on mping responsehosts on the s

You can use ause Windowsconnect to th

Use ping to sget a responsclient computrouter is expe

Note: You c

Question: Arproblems?

shooting P

roubleshootingfying the scoperoblem that afffer from a pro

blem affects on is likely relate

that one comphen it is likely ton issue or a n

ue. If a problemhen you need tnator among t

network commidentify wherethe overall comd to understanthrough your n

s that you can

what the corres configured tt the host faile

see if the remoify both name

member serverse may not indsame network

an application s Internet Explohe port of the r

see if the defause when you pter, such as theriencing error

can force ping

re there any ot

Process

g a network e of the probleffects a single oblem that affenly a single useed to the puter. If a probthat it is eithernetwork m affects only to determine tthat group of

munication proe the process ismmunication pd the routing network, you c

use to identify

ct network cothat way. If ipced to obtain an

ote host responresolution and

s and client coicate that the

k it often indica

to test the serorer® to test coremote applica

ult gateway reing the defaule default gaters.

g to use IPv4 in

ther steps that

em. user ects er,

blem r a

a the users.

oblems, you nes breaking dowprocess works. and firewall cocan use Tracer

y that cause of

nfiguration forconfig returnsn IP address fro

nds. If you used whether the

omputers oftenremote host isates that the p

rvice you are connectivity to ation.

esponds. Most lt gateway, theway being con

nstead of IPv6

t you use to tro

eed to understwn and prevenTo understan

onfiguration ort.

f network com

r the host sho an address onom DHCP.

e ping to reture host respondn blocks ping as not functionaproblem is on t

connecting to a web server.

routers responen there is likenfigured incor

by using the -

oubleshoot ne

and the overanting commund the overall c

on your netwo

mmunication p

uld be, then un the 169.254.

rn the DNS nas. Be aware thattempts. In sual. If you can pthe remote ho

on the remoteYou can also u

nd to ping reqely a configurarectly. It is also

-4 option.

etwork connec

ll communicatnication only ifcommunicatiork. To help ide

problems are:

se ipconfig to0.0/16 networ

me of the remat Windows

uch a case, lackping other remost.

e host. For exause Telnet to

quests. If you dtion error on to possible that

ctivity

tion f you n

entify

o rk, it

mote

k of a mote

ample,

do not the t the

W

NyothCteneFotrer

Yoentha cocoNm

Yothlone

U

ObeFr

Th

•

•

•

Wofas

Eacotu

Wreyo

What Is Ne

etwork Monitoou to capture he network to apturing pack

echnique that etwork probleor example, byransmitted on rrors that are n

ou can install Nndpoint in thehird computer.third compute

onfigure port mommunicationetwork Monito

mode.

ou can downlohat is running eocal network adew capture.

Using Netwo

Once you have ehavior is experame Summary

he Frame Sum

Time and d

Source anddetermine w

Protocol naARP, (ICMPservices mig

When you selecf that particulas you proceed

ach layer in thontainer of theurn, is encapsu

When you haveelevant to yourou can select t

etwork Mo

or is a packet and examine nwhich your coets is an advanhelps you to idms and work ty examining tha network younot reported b

Network Monie communicati. If you install er, then you mmirroring to co

n process, to thor can monito

oad Network Meither Windowdapters. When

ork Monitor

captured netwected or not. Ty pane.

mmary pane dis

date: this enab

d destination: twhich comput

ame: the higheP, TCP, SMB, anght be experie

ct a frame in thar frame. You c.

e network arche layer below. ulated in an Eth

e gathered a lar specific probto show only D

onitor?

analyzer that enetwork packe

omputer is connced troubleshdentify unusuatowards a resohe packets u may be able by an applicatio

itor on either on process, orNetwork Mon

must configure opy the netwohe switch port or the packets s

Monitor from tws 8 or Windown you launch N

r

work packets, yTo help you, N

splays all captu

les you to dete

his provides thters are involve

est-level protond others. Knoencing or caus

he Frame Sumcan step throu

hitecture—froIn other wordhernet frame.

arge amount oblem. You can uDNS–related pa

enables ets on nnected. hooting al olution.

to see on.

r on a itor on port mirroring

ork packets thawhere the comsent to other c

the Microsoft ws Server 2012

Network Monit

you must be aetwork Monit

ured packets, a

ermine in whic

he source and ed in the dialo

col that Netwoowing the highing the proble

mary pane, thugh the frame’

m the applicats, an HTTP req

of data, it can buse filtering toackets.

20410A: Installin

g on the netwoat are destinedmputer with Ncomputers, be

download web2. Once installtor, you can vi

ble to interpreor displays the

and provides t

ch order the p

destination IPog.

ork Monitor cah-level protocoem that you ar

he Frame Detai’s details, exam

tion on down—quest is encaps

be difficult to do show only th


ork switches. Ed for endpoint

Network Monitecause it opera

bsite and instaed, Network Miew existing ca

et what you see packets in a

the following i

ackets were tr

P addresses so

an identify is lol enables you re troubleshoo

ils pane updatmining the con

—encapsulatesulated in an I

determine whhose frames of

Windows Server® 20

Ensure that yots in the tor is connecteates in promisc

all it on a workMonitor binds aptures, or beg

ee, and whethesummarized li

information:

ransmitted.

that you can

isted. For exam to pinpoint w

oting.

tes with the content of each e

s its data in thPv4 packet, wh

ich frames areinterest. For e

012 5-21

u

ed. cuous

kstation to the

gin a

er the ist in the

mple, which

ontents element

he hich in

e example,

5-22 Implementing IPv4

Demonstration: How to Capture and Analyze Network Traffic by Using Network Monitor

You can use Network Monitor to capture and view packets that are transmitted on the network. This allows you to view detailed information that would not normally be possible to see. This type of information can be useful for troubleshooting.

Demonstration Steps

Prepare to perform a packet capture

1. Log on to LON-SVR2 as Adatum\Administrator with a password of Pa$$w0rd.

2. Open a Windows PowerShell prompt and run the following command:

• ipconfig /flushdns

3. Open Network Monitor 3.4, and create a new capture tab.

Capture packets from a ping request 1. In Network Monitor, start a packet capture.

2. At the Windows PowerShell prompt, ping LON-DC1.adatum.com.

3. In Network Monitor, stop the packet capture.

View ICMP echo request and echo response packets

1. In Network Monitor, scroll down and select the first ICMP packet.

2. Expand the Icmp portion of the packet to view that it is an Echo Request. This is a ping request.

3. Expand the Ipv4 portion of the packet to view the source and destination IP addresses.

4. Expand the Ethernet portion of the packet to view the source and destination MAC addresses.

5. Select the second ICMP packet.

6. In the Icmp portion of the packet, verify that it is an Echo Reply. This is the response to the ping request.

Filter the display of packets for the DNSQueryName of LON-DC1.adatum.com 1. In Network Monitor, in the Display Filter pane, load the standard DNS filter DNSQueryName.

2. Edit the filter to apply for DNS queries for LON-DC1.adatum.com, and apply the filter.

3. Verify that the packets have been filtered to show only packets that match the filter.


Lab: Implementing IPv4 Scenario

A. Datum has an IT office and data center in London which supports the London location and other locations. They have recently deployed a Windows 2012 Server infrastructure with Windows 8 clients. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

After a security review, your manager has asked you to calculate new subnets for the branch office to support segmenting network traffic. You also need to troubleshoot a connectivity problem on a server in the branch office.

Objectives After completing this lab, you will be able to:

• Calculate subnets for a given set of requirements.

• Troubleshoot IPv4 connectivity issues.

Lab Setup

Estimated Time: 45 minutes

Logon Information


20410A-LON-RTR

20410A-LON-SVR2

User Name Adatum\Administrator

Password Pa$$w0rd






o User name: Adatum\Administrator


5. Repeat steps 2-4 for 20410A-LON-RTR, and 20410A-LON-SVR2.

Exercise 1: Identifying Appropriate Subnets

Scenario The new branch office is configured with a single subnet. After a security review, all branch office network configurations are being modified to place servers on a separate subnet from the client computers. You need to calculate the new subnet mask and the default gateways for the subnets in your branch.

The current network for your branch office is 192.168.98.0/24. This network needs to be subdivided into three subnets as follows:


• One subnet with at least 100 IP addresses for clients

• One subnet with at least 10 IP addresses for servers

• One subnet with at least 40 IP addresses for future expansion


1. Calculate the bits required to support the hosts on each subnet.

2. Calculate subnet masks and network IDs.

Task 1: Calculate the bits required to support the hosts on each subnet 1. How many bits are required to support 100 hosts on the client subnet?

2. How many bits are required to support 10 hosts on the server subnet?

3. How many bits are required to support 40 hosts on the future expansion subnet?

4. If all subnets are the same size can they be accommodated?

5. Which feature allows a single network to be divided into subnets of varying sizes?

6. How many host bits will you use for each subnet? Use the simplest allocation possible.

Task 2: Calculate subnet masks and network IDs 1. Given the number of host bits allocated, what is the subnet mask that you will use for the client

subnet?

• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.

Binary Decimal

2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet?

• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask

Binary Decimal

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet?

• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask

Binary Decimal


4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.

Description Binary Decimal

Network ID

First host

Last host

Broadcast

5. For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool.


Network ID

First host

Last host

Broadcast

6. For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool.


Network ID

First host

Last host

Broadcast

Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.

Exercise 2: Troubleshooting IPv4

Scenario

A server in the branch office is unable to communicate with the domain controller in the head office. You need to resolve the network connectivity problem.



1. Prepare for troubleshooting.

2. Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1.

Task 1: Prepare for troubleshooting 1. On LON-SVR2, open Windows PowerShell and ping LON-DC1 and verify that it is functional.

2. Run the Break.ps1 script that is located in E:\Labfiles\Mod05. This script creates the problem that you will troubleshoot and repair in the next task.

Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1 1. Use your knowledge of IPv4 to troubleshoot and repair the connectivity problem between

LON-SVR2 and LON-DC1. Consider using the following tools:

• IPConfig

• Ping

• Tracert

• Route

• Network Monitor

2. When you have repaired the problem, ping LON-DC1 from LON-SVR2 to confirm that the problem is resolved.

Note: If you have additional time, run an additional break script from \\LON-DC1\E$\Labfiles\Mod05 and troubleshoot that problem.

Results: After completing this lab, you will have resolved an IPv4 connectivity problem.

To prepare for the next module When you are finished the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.




4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.



Question: You have just started as a server administrator for a small organization with a single location. The organization is using the 131.107.88.0/24 address range for the internal network. Is this a concern?

Question: You are working for an organization that provides web hosting services to other organizations. You have a single /24 network from your ISP for the web hosts. You are almost out of IPv4 addresses and have asked ISP for an additional range of addresses. Ideally, you would like to supernet the existing network with the new network. Are there any specific requirements for supernetting?

Question: You have installed a new web-based application that runs on a non-standard port number. A colleague is testing access to the new web-based application, and indicates that he cannot connect to it. What are the most likely causes of his problem?

Best Practices

When implementing IPv4, use the following best practices:

• Allow for growth when planning IPv4 subnets. This ensures that you do not need to change you IPv4 configuration scheme.

• Define purposes for specific address ranges and subnets. This allows you to easily identify hosts based on their IP address and use firewalls to increase security.

• Use dynamic IPv4 addresses for clients. It is much easier to manage the IPv4 configuration for client computers by using DHCP than with manual configuration.

• Use static IPv4 addresses for servers. When servers have a static IPv4 address, it is easier to identify where services are located on the network.



IP conflicts

Multiple default gateways defined

Incorrect IPv4 configuration


Tools

Tool Use for Where to find it

Network Monitor

Capture and analyze network traffic Download from Microsoft web site

IPConfig View network configuration Command prompt

Ping Verify network connectivity Command prompt

Tracert Verify network path between hosts Command prompt

Pathping Verify network path and reliability between hosts

Command prompt

Route View and configure the local routing table

Command prompt

Telnet Test connectivity to a specific port Command prompt

Netstat View network connectivity information

Command Prompt

Resource monitor

View network connectivity information

Tools in Server Manager

Windows Network Diagnostics

Diagnose problem with a network connection

Properties of the network connection

Event Viewer View network related system events Tools in Server Manager

6-1

Module 6 Implementing DHCP


Lesson 1: Installing a DHCP Server Role 6-2

Lesson 2: Configuring DHCP Scopes 6-7

Lesson 3: Managing a DHCP Database 6-12

Lesson 4: Securing and Monitoring DHCP 6-16

Lab: Implementing DHCP 6-21


Module Overview

Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server® 2012 infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (Windows DS) and network access protection (NAP). To support and troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to deploy, configure, and troubleshoot the DHCP server role.

Objectives After completing this module, you will be able to:

• Install the DHCP server role.

• Configure DHCP scopes.

• Manage a DHCP database.

• Secure and monitor the DHCP server role.

6-2 Implement

Lesson Installi

Usinexpnetw

Les

Afte

•

•

•

•

•

•

•

Be

TheInteenvaddwithinstsubto o

Whenetwtimemanhancon

Witinfoinfocha

DHCadmhav

DHCenvalonadd

ing DHCP

1 ing a DHng DHCP can hlains how the work with Acti

sson Objecti

er completing

Describe the

Explain how D

Explain how t

Explain how t

Describe the

Explain how a

Explain how t

nefits of U

DHCP protocernet Protocol ironment. Wit

d a client to a nh information aalled it, includnet mask, and

other networks

en you need towork, managine-consuming pnage thousanddhelds, desktofigurations for

h the DHCP seormation; this hormation changnge the inform

CP is also a keyministrators to ing to deal wit

CP version 6 (vironment. Statng with additiodress automatic

HCP Sehelp simplify cDHCP protocove Directory®

ives

this lesson, yo

benefits of usi

DHCP allocate

the DHCP leas

the DHCP leas

purpose of a D

a DHCP server

to add and aut

Using DHC

ol simplifies co(IP) clients in ahout using DHnetwork, you habout the netwing the IP add the default gas.

o manage mang them manuprocess. Manyds of computeop computers,r organizations

erver role, you helps to eliminges in the netw

mation directly

y service for moffer complexth their netwo

v6) stateful andteful configuraonal DHCP datcally, and the

rver Roclient computeol works, and dDomain Servic

ou will be able

ing DHCP.

s IP addresses

e generation p

e renewal proc

DHCP relay ag

role is author

thorize the DH

CP

onfiguration oa network HCP, each timehave to configuwork on which

dress, the netwateway for acc

ny computers ually can becomy corporations r devices, incluand laptops. I

s of this size.

can help to ennate human erwork, you can y on each com

mobile users whx network-confrk-configurati

d stateless conation occurs wta. Stateless coDHCPv6 serve

le er configuratiodiscusses howces (AD DS).

to:

to network cl

process works.

cess works.

ent.

rized.

HCP server role

of

e you ure it h you

work’s cess

in a me a

uding It is not feasib

nsure that all crror during conupdate it usinputer.

ho change netfiguration infoon details.

nfigurations arhen the DHCP

onfiguration ocer only assigns

on. This lesson to control DH

ients.

.

e.

le to manually

clients have apnfiguration. Wng the DHCP se

tworks often. Dormation to no

re supported foPv6 server assigccurs when thother IPv6 co

describes the HCP in a Windo

y manage the

ppropriate conWhen key config

erver role with

DHCP enables ontechnical use

or configuringgns the IPv6 ae subnet routenfiguration set

benefits of DHows Server 201

network IP

nfiguration guration hout having to

network ers, without us

g clients in an Iddress to the cer assigns the ttings.

HCP, 12

o

sers

IPv6 client, IPv6

Nwfrwtoth

YoinseCal

H

Dotththdaei

DcolimThse

Fohaobre

If ad

H

YopUtran

1.

AP is part of awith system hea

om the corpowith internal seco-date antiviruhe intranet.

ou can install Dnstallation allowerver, you musore DHCP roleready.

How DHCP

HCP allocates therwise knowhe lease duratihe duration forays. The defauight days, and

HCP uses IP bommunicationmited to commhis means thaterver for each

or a computeras to be configbtain an IP addespond to a DH

a computer isddress and is c

How DHCP

ou use the fourocess to assignderstanding

roubleshoot prn IP address. T

. The DHCP cpacket to ea computera computerrelay agentDHCP relaythe DHCP s

a new toolset talth requiremerate network. curity policies.

us program ins

DHCP as a rolews you to creast install and coe from a graph

P Allocates

IP addresses own as a lease. A

on to unlimiter not more tha

ult lease time fofor wireless cl

roadcasts to inns. Therefore, Dmunication witt in many netwIP subnet.

r to be considegured to obtaidress automatHCP broadcast

s configured wconsidered a n

P Lease Ge

ur step DHCP lgn an IP addreshow each steproblems when The four steps

client broadcaevery computer that has the r or router that responds. In ty agent forwarserver with wh

that can preveents. NAP withDHCP NAP en. For example, talled before t

e on a Windowate a server witonfigure the ro

hical user inter

s IP Addres

on a dynamic Although you ced, you typicalan a few hoursor wired clientients it is three

nitiate DHCP servers athin their IP suworks, there is

ered a DHCP cn an IP addres

tically. In a nett.

with an IP addrenon-DHCP clie

neration W

ease-generatioss to clients.. p works helps yclients cannotare:

asts a DHCPDISer in the subneDHCP server rt is running a the latter case,ds the messagich it is config

nt full access t DHCP helps i

nables administall network cl

they are assign

ws Server 2012th a reduced aole from the cface (GUI)–bas

sses

basis, can set ly set

s or ts is e days.

are ubnet. a DHCP

lient, it ss automaticaltwork where a

ess by an admnt, and will no

Works

on

you t obtain

SCOVER t. Only ole, or DHCP , the

ge to ured.

20410A: Instal

to the intranetsolate potentitrators to ensuients must be ned an IP conf

2 Server Core iattack surface. ommand-line sed console w

ly. By default, DHCP server i

ministrator, thaot communicat


t for computerally malware-iure that DHCPup-to-date an

figuration that

nstallation. A To manage Dinterface. Youhere the DHCP

every computis installed, a D

n that computte with a DHC

g Windows Server®

rs that do not infected comp

P clients are cond have a validt allows full acc

Server Core DHCP from theu also can manP role is install

ter is configureDHCP client w

ter has a staticP server.

2012 6-3

comply puters ompliant d, up-cess to

e core nage the led

ed to ill

c IP

6-4 Implement

2.

3.

4.

http

Ho

WheleasThisbacaddon a

To rbroathatDHCmescha

Cliehavsubcomassucon

Theprotavaisam

ing DHCP

A DHCP Serveclient..

The client reccase, it usuallthe DHCP serserver identifthe client has

The DHCP semessage as naddress clientreason, the DDHCP server


ow DHCP L

en the DHCP lse time, the clies is an automakground. Com

dress for a longa network with

renew the IP aadcasts a DHCt leased the IP CPACK messagssage containsnged since the

nt computers e been movednet. If renewal

mputer attempumes that it is figuration from

DHCP role ontocol enables ilability. If one

me subnet.

er responds w

ceives the DHCy selects the server closest to ier. This informs chosen to acc

rvers receive totification that information i

DHCP server casends a DHCP


Lease Rene

ease reaches 5ent attempts ttic process tha

mputers might g time if they ohout being shu

ddress lease, tCPREQUEST me

address originge back to thes any new parae original lease

also attempt rd while they wel is successful,

pts to contact ton a new subn

m any DHCP s

n Windows Sersynchronizatio DHCP server

ith a DHCPOF

CPOFFER packeerver that madthe client. The

ms the DHCP scept.

he DHCPREQUat the client dein the DHCP dnnot provide t

PNAK message

more informa/?LinkID=1120

ewal Work

50 percent of tto renew the leat occurs in thehave the same

operate continut down.

the client essage. The senally sends a client; this

ameters that he was created.

renewal duringere offline; forthe lease perio

the configurednet and enterserver.

rver 2012 suppon of lease infois not available

FER packet. Th

et. It might recde the fastest re client then brervers that rec

UEST. Those seeclines that serdatabase and rthe address th

e.

ation about ho075&clcid=0x4

ks

the ease. e e IP

nually

rver

ave

g the startup pr example, a laod is reset. If td default gatews the Discovery

ports a new feaormation betwe, the other D

his packet cont

ceive packets fresponse to itsroadcasts a DHceive the broa

ervers that the rver’s offer. Thesponds with

hat was offered

ow DHCP techn409.

process. This isptop computehe renewal is uway. If the gatey phase, where

ature, DHCP Sween DHCP serHCP servers co

tains a potent

from multiple s DHCPDISCOVHCPREQUEST dcast which se

client has note chosen servea DHCPACK m

d in the initial

nology works

s because cliener might be plunsuccessful, teway does note it attempts to

erver Failover rvers and increontinues to se

ial address for

servers; in thaVER. This typicthat contains aerver’s DHCPO

t accepted useer stores the IP

message. If for DHCPOFFER, t

see:

nt computers mugged into a nthen the clientt respond, the o obtain an IP

protocol. Thiseases DHCP service clients in

r the

at cally is a

OFFER

e the P some the

might new t client

s ervice n the

W

DcolimThsenudeseForeYoagcose

Wrocobot

D

DcowoccobaDinmpthcl

A

YoIPm

doA

St

A D

What Is a D

HCP uses IP bommunicationmited to commhis means thaterver for each umber of subneploy servers ferver might seor the DHCP seequest, it mustou can enablegent on each somputer or roervers in differ

With the DHCP outer. Then, yoonfigure the agroadcasts and ther subnets u

DHCP Serv

HCP allows a configuration in

which it starts. Dccurs before aomputer; and ased on IP broHCP server in

nformation to cmust be author

rocess of regishe Active Direcients.

Active Direct

ou must authoP addresses. It multiple AD DS

Note: Foromains with thdmins group h

tandalone D

standalone DS domain, and

DHCP Rela

roadcasts to inns. Therefore, Dmunication witt in many netwIP subnet. If th

nets, it might bfor every subnrvice collectionerver to respot be able to recthis by config

subnet. A DHCuter that listenent subnets

relay agent, thou can configugent with the forward them

using a router t

er Authori

client computenformation aboDHCP communy authenticatbecause the D

oadcasts, an ina network canclients. To avoized. DHCP au

stering the DHctory domain t

tory Requir

orize the Windis possible to hdomains. The

r authorizationhe exception ohave adequate

DHCP Serve

HCP server is ad that has the

y Agent

nitiate DHCP servers athin their IP suworks, there is here are a largbe expensive toet. A single DHns of smaller snd to a DHCP ceive DHCP re

guring a DHCPCP relay agentns for DHCP br

he DHCP broaure the agent iIP address of t

m to the DHCP that is compat

ization

er to acquire out the netwonication typication of the use

DHCP protocol correctly confi

n provide invaloid this, the seruthorization is CP Server servto support DH

ements

ows Server 20have a single D

erefore, an Ente

n purposes, yoof the forest roe privilege to a

er Considera

a computer thDHCP server r

are ubnet. a DHCP e o HCP ubnets. client quests.

P relay is a roadcasts from

adcast packets n the subnet tthe DHCP servserver in anot

tible with Requ

ork in ally er or

is igured lid rver the

vice in CP

012 DHCP servDHCP server perprise Admin

u must have aoot domain; in authorize a DH

ations

hat is running Wole installed a

20410A: Instal

m DHCP clients

can be relayethat requires IPver. The agent ther subnet. Youest for Comm

ver role in AD Dproviding IP adistrator accou

an Enterprise A this instance,

HCP server.

Windows Servend configured


s and then rela

d into anotherP addresses. Acan then capt

ou can also relment (RFC) 154

DS before it caddresses for sunt must autho

Administrator imembers of t

er 2012, that id. If the standa

g Windows Server®

ays them to DH

r IP subnet acrdditionally, yoture the client ay DHCP pack

42.

an begin leasinbnets that con

orize the DHCP

n all he Domain

s not part of aalone DHCP se

2012 6-5

HCP

ross a ou can

kets into

ng ntain P server.

an AD erver

6-6 Implementing DHCP

detects an authorized DHCP server in the domain, it does not lease IP addresses and shuts down automatically.

Rogue DHCP Servers

Many network devices have built-in DHCP server software. Many routers can act as a DHCP server, but it is often the case that these servers do not recognize DHCP-authorized servers and might lease IP addresses to clients.

Additional Reading:

For more information about DHCP Resources see: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409.

For more information about Networking Collection see: http://go.microsoft.com/fwlink/?LinkId=99883&clcid=0x409.

Demonstration: Adding the DHCP Server Role

Demonstration Steps

Install and authorize the DHCP server role

1. Switch to LON-SVR1.

2. Open Server Manager and install the DHCP Server role.

3. In the Add Role Wizard, accept all default settings.

4. Close Server Manager.

LessonConfi

Yoponex

LeA

•

•

•

•

•

•

W

A avDto

Fo19su1919scal19

ad

To

•

•

•

•

•

n 2 guring ou must configrimary methodn an IP subnetxplains DHCP s


Describe th

Describe a

Describe th

Describe th

Explain how

Create and

What Are D

DHCP scope ivailable for leaHCP server. A

o the IP addres

or example, a s92.168.1.0/24 upports a rang92.168.1.254. W92.168.1.0/24 cope that definlocates an add92.168.1.254.

Note: Remddress. This ad

o configure a s

Name and

IP addresslists the ent

Subnet maorganizatio

Exclusionsrange, but t

Delay: This

DHCP Sgure the DHCPd by which yout, and can havescopes, and ho


he purpose of a

DHCP reservat

he DHCP Optio

he DHCP Class-

w DHCP Optio

configure a D

DHCP Scop

s a range of IPase, and that aDHCP scope t

sses in a given

scope for the (subnet mask

ge from 192.16When a compsubnet requesned the range dress between

member that tddress should b

scope, you mu

description:

range: This ptire range of a

ask: This propeon’s network in

: This propertythat will not b

s property is th

ScopesP scopes after u can configure settings specow to manage

you will be ab

a DHCP scope

tion.

ons.

-Level Options

ons are applied

DHCP scope

pes?

P addresses thare managed btypically is con subnet.

network of 255.255.25

68.1.1 throughuter or device sts an IP addrein this examp 192.168.1.1 a

the DHCP servbe excluded fr

ust define the f

This property

property lists thddresses for a

erty is used bynfrastructure.

y lists single ade offered for l

he amount of t

you install there options for cific to hardwae them.

le to:

.

s.

d.

at are by a nfined

5.0), in the

ess, the le nd

ver, if deployedrom the IPv4 a

following prop

identifies the

he range of adgiven subnet.

y client compu

ddresses or bloease.

time to delay b

20410A: Instal

e DHCP role oa group of IP

are or custom

d to the same address range.

perties:

scope.

ddresses that c.

ters to determ

ocks of addres

before making


n a server. A Daddresses. A Dgroups of clie

subnet, consu

can be offered

mine their locat

sses that fall w

g DHCPOFFER.

g Windows Server®

DHCP scope is DHCP scope is nts. This lesson

mes an IPv4

for lease, and

tion in the

ithin the IP ad

.

2012 6-7

the based

n

usually

dress

6-8 Implement

•

•

IPv

Youseve

Whe

•

•

•

•

•

Wh

It ofsuchadd

UsinIP ascopresethatDHCdevan Iaddcent

Con

To caddreseTyplapt

The

1.

2.

ing DHCP

Lease duratiaddresses, an

Options: You

o option 00

o option 00

o option 01

v6 scopes

u can configureeral different o

en configuring

Name and d

Prefix: The IPnetwork addr

Exclusions: Tbut will not b

Preferred life

Options: As w

hat Is a DH

ften is desirabh as network p

dress.

ng a DHCP resddresses that pe are not assiervation is a spt is reserved peCP client. A DHices with reserP address eve

dresses. Configtralize manage

nfiguring DHC

configure a resdress or physicaervation. You cically, MAC adtop computers

process for co

Open the DH

Expand the D

on: This proped longer dura

u can configure

03 – Router (th

06 – Domain N

15 – DNS suffi

e the IPv6 scopoptions to mod

g a DHCPv6 sc

escription: Th

Pv6 address prress.

This property lbe offered for l

e times: This p

with IPv4, you

HCP Reserv

le to provide nprinters—with

ervation, you you set aside figned to anoth

pecific IP addreermanently foHCP reservatiorvations are gun if a scope is uring reservatement of fixed

CP Reservatio

servation, you al address. Thican acquire a nddresses for nes also note this

onfiguring a D

CP server role

DHCP scope, an

erty lists the leations for more

e many option

he default gate

Name System

x

pe options as adify, and an en

cope, you must

his property id

refix is analogo

ists single addease.

property defin

can configure

vation?

network devicea predetermin

can ensure thafrom a configuher device. A Dess, within a scr lease to a spe

on also ensuresuaranteed depleted of ions enables y

d IP addresses.

ons

must know ths address indic

network interfaetwork printerss information o

DHCP reservatio

e.

nd then click R

ase duration. Ue static networ

nal properties

eway for the s

(DNS) Servers

a separate sconhanced lease

t define the fo

entifies the sco

ous to the IPv4

resses or block

nes how long le

e many option

es—ned IP

at the ured DHCP ope, ecific s that

you to

he device’s netcates to the Dace’s MAC adds and other neon the bottom

on includes th

Reservations.

Use shorter durks.

on a scope, bu

ubnet)

ope, in the DHCmechanism.

ollowing prope

ope.

4 address rang

ks of addresse

eased address

s.

twork interfaceHCP server thadress by using etwork devicesm of their chass

he following ste

rations for sco

ut typically you

CP console’s IP

erties:

ge; in essence,

es that fall with

es are valid.

e media accessat the device sthe ipconfig/

s are printed osis.

eps:

opes with limit

u will configur

Pv6 node. The

it defines the

hin the IPv6 pr

s control (MACshould have a /all commandn the device. M

ted IP

re:

re are

refix

C)

. Most

3.

W

DadnedecosecaanDthEn

C

Th

Oc

. Click More

What Are D

HCP servers caddress; they aletwork resourcefault gatewayommon configerver, scopes, ran apply DHCPnd vendor leveHCP options, a

he RFC documngineering Tas

Common DH

he following ta

Option code

1

3

6

15

44

46

47

51

58

59

31

33

43

249

e Actions, and

DHCP Opti

an configure mso provide infces, such as DNy. DHCP optionguration data treservations, aP options at thels. An option and most optientation foundsk Force (IETF)

HCP Options

able lists the c

Name

Subnet mas

Router

DNS servers

DNS domai

WINS/NBNSService)

WINS/NetB

NetBIOS sco

Lease time

Renewal (T1

Rebinding (

Perform rou

Static route

Vendor-spe

Classless sta

then click New

ions?

more than just ormation abouNS servers andns are values fthat applies tond class optio

he server, scopcode identifieon codes comd on the Intern website.

s

ommon optio

sk

s

n name

S servers (Win

T node type (W

ope ID

1) time value

(T2) time value

uter discovery

ecific informati

atic routes

w Reservation

an IP ut d the or

o the ns. You e, user, s the

me from net

n codes that W

dows Internet

WINS / NetBIO

e

on

20410A: Instal

n.

Windows-base

Naming Servi

OS over TCP/IP


ed DHCP client

ice / NetBIOS

P)

g Windows Server®

ts request.

Name

2012 6-9

6-10 Implemen

Ho

DHCfollo

1.

2.

3.

4.

Youprio

If thoveandthe

YouassiaddIP pven

De

Youor tman201

Dem

Aut1.

2.

3.

nting DHCP

ow Are DH

CP applies optowing order:

Server level. to all DHCP c

Scope level. to all clients o

Class level. Aall clients thaof a class.

Reserved clieoption is assig

u need to undeority, when you

he DHCP optiorride previous a different deeffective settin

u can also confgnment policy

dresses and setphones. The codor informatio

emonstrati

u can create sche Netsh netwnage scopes re2. The Netsh

monstration

thorize the Switch to LON

Open the DH

Authorize the

HCP Option

tions to client c

A server-levelclients of the D

A scope-level of a scope.

A class-level opt identify them

ent level. A regned to one D

erstand these ou are configuri

on settings thaly applied sett

efault gatewayng.

figure addressy contains a settings to differeonditions definon, in order to

on: Creati

opes using eitwork configuraemotely if the command-line

n Steps

DHCP ServeN-SVR1.

CP console.

e lon-svr1.ada

ns Applied

computers in t

option is assigDHCP server.

option is assig

ption is assignemselves as mem

eservation-leveDHCP client.

options when ing different se

t are applied atings. For examy is applied for

s assignment et of conditionent types of Ded in these podifferentiate v

ng and Co

her the Microsation commanDHCP server ie tool is also u

er

atum.com ser

d?

the

gned

gned

ed to mbers

el

configuring Dettings on mu

at each level comple, if the def

a reserved clie

policies at thes that you def

DHCP clients, suolicies include various types o

onfiguring

soft Managemnd-line tool. Ths running on aseful for script

ver in AD DS.

HCP, so you wltiple levels.

onflict, then thfault gateway ent, then the r

e server level oine in order touch as computmultiple criterof clients.

a DHCP S

ment Console (he Netsh comma Server Core iting and autom

will know which

he options thais configured areserved client

or scope level.o lease differenters, laptops, nria, such as MA

Scope

MMC) for the mand-line tooinstallation of mating server

h level setting

t are applied lat the scope let setting becom

. Address nt DHCP IP network printeAC address or

DHCP server rl allows you toWindows Servprovisioning.

s has

ast evel, mes

ers, or

role, o ver


Configure scope and scope options in DHCP

1. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand and right-click IPv4, and then click New Scope.

2. Create a new scope with the following properties:

o Name: Branch Office

o IP Address Range: 172.16.0.100–172.16.0.200

o Length: 16


o Exclusions: 172.16.0.190-172.16.0.200

o Other settings: use default values

o Configure options Router 172.16.0.1

3. Use default settings for all other pages, and then activate the scope.

6-12 Implemen

Lesson 3Manag

Thethatman

Les

Afte

•

•

•

•

Wh

TheconleasconconclienDHCare fold

DH

Theserv

Fil

D

D

J5J5

J5

nting DHCP

3 ging a D

DHCP databat you understanage the datab

sson Objecti

er completing

Describe the

Explain how t

Explain how t

Explain how t

hat Is a DH

DHCP databataining data th

ses, and reservtains the data figuration infonts that have lCP server. By dstored in the %

der.

HCP Service

following tabvice database f

le

Dhcp.mdb

Dhcp.tmp

50.log and 50#####.log

50.chk

Note: You s

DHCP Dase stores inforand how to bacbase and its da

ives

this lesson, yo

DHCP databas

to back up and

to reconcile a

to move a DHC

HCP Datab

ase is a dynamhat relates to sations. The dafile that store

ormation and teased an IP ad

default, the DH%systemroot%

Database F

le describes sofiles.

Descripti

Dhcp.md

Dhcp.tmdatabasesometim

J50.log adatabase

This is a

should not rem

Databasermation aboutck up the dataata.

ou will be able

se.

d restore a DH

DHCP databas

CP database.

base?

ic database scopes, addrestabase also s both the DHthe lease data ddress from thHCP database f%\System32\Dh

iles

ome of the DH

ion

db is the DHCP

mp is a temporae index mainte

mes remains in

and J50#####e uses this log

checkpoint file

move or alter a

e t the IP addresabase and reso

to:

HCP database.

se.

ss

CP for e files hcp

HCP

P server datab

ary file that thenance operatthe Systemroo

#.log are logs oto recover da

e.

any of the DHC

ss leases. If theolve database

base file.

e DHCP databtions. Followingot\System32\D

of all database ta when neces

CP service data

ere is a problemissues. This les

base uses as a g a system fail

Dhcp directory

transactions. ssary.

abase files.

m, it is importasson explains h

swap file durinlure, Dhcp.tmp

y.

The DHCP

ant how to

ng p

ThTCWco

Byinre

HK

Yo

B

YoyoauA ba

A

Thsypp

M

If coof

W

Wfo

•

•

•

•

•

Dba

he DHCP serveCP/IP configur

Windows Internomplex.

y default, the Dntervals. You caegistry key:

KEY_LOCAL_MAC

ou can also ba

Backing Up

ou can back uou can configuutomatic backmanual backu

ackup.

Automatic (S

he default bacystemroot\Systractice, you caroperties to po

Manual (Asy

you have an ionsole. This acf the DHCP ad

What Is Back

When a synchroollowing:

All scopes

Reservation

Leases

All options,

All registry settings) th

HKEY_LOCA

To back up

Note: TheHCP server usackup method

er database is ration parametnet Name Serv

DHCP databasan change this

CHINE\SYSTEM\

ack up a DHCP

p and Rest

p a DHCP dataure it to backukup is called a sup is called an

Synchronou

ckup path for ttem32\Dhcp\B

an modify this oint to anothe

ynchronous)

mmediate neection requires edministrators g

ked Up?

onous or async

ns

, including serv

keys and otheat are set in D

AL_MACHINE\SY

this key, open

e DNS dynamies when regist

d.

dynamic. It upters. Because t

vice (WINS) ser

se and related s default interv

\CurrentCont

P database ma

oring a DH

abase manuallp automaticalsynchronous basynchronous

us) Backup

the DHCP backBackup. As a bpath in the ser volume.

) Backup

ed to create a either adminis

group.

chronous back

ver options, sc

er configuratioDHCP server pr

YSTEM\Curren

n Registry Edit

c update credtering DHCP c

pdates as DHCthe DHCP datarver database,

registry entrieval by changin

rolSet\Servi

nually at any t

HCP Datab

ly, or ly. An

backup. s

k is est rver

backup, you ctrative-level p

kup occurs, the

cope options, r

on settings (foroperties. Thes

tControlSet\

or and save th

entials (user nlient compute

20410A: Installin

P clients are aabase is not a maintaining t

es are backed ung the value of

ces\DHCPServ

time.

base

can run the maermissions, or

e entire DHCP

reservation op

r example, aude settings are

\Services\DHC

he specified ke

ame, domain, ers in DNS are


ssigned, or as distributed dahe DHCP serve

up automaticaf BackupInter

ver\Parameter

anual backup othat the user

database is sa

ptions, and clas

dit log settingsstored in the f

CPServer\Para

ey to a text file

and passwordnot backed up

Windows Server® 20

they release tatabase like theer database is

ally at 60-minurval in the follo

rs

option in the Daccount be a

aved, including

ss options

s and folder lofollowing regis

ameters

e.

d) that the p with any

012 6-13

heir e less

ute owing

DHCP member

g the

cation stry key:

6-14 Implemen

Res

If yoprodataperm

Bac

Wheadmprot

Usi

Youup t

Thedata

expo

To r

impo

serv

http

Re

Recaffe

Theleas

•

•

Whesuminco

To candowntimefutu

nting DHCP

storing a Da

ou need to resmpted for the abase is restormissions, or be

ckup Securi

en the DHCP dministrators cantected.

ing Netsh

u also can use cthe database t

following coma for all scopes

ort "c:\My F

restore the DH

ort "c:\My F

Note: The Nver role installe


conciling a

onciling scopeect client comp

DHCP Server se information

Detailed IP adthe DHCP dat

Summary IP athe server’s R

en you are recmmary entries aonsistencies.

correct and rep reconcile sco

ner, or creates e that is assignure use.

atabase

tore the databbackup’s loca

red. To restore e a member of

ty

database file isn access. This e

commands in to a remote loc

mmand is a scrs:

older\Dhcp C

HCP database,

older\Dhcp C

Netsh DHCP coed.


a DHCP D

es can fix inconputers.

service stores in two forms:

ddress lease intabase stores

address lease iegistry stores

conciling scopeare compared

pair these incope inconsistena temporary r

ned to the scop

base, use the Ration. Once yo

the database,f the DHCP ad

s backed up, itensures that a

the Netsh DHCcation using a

ript that you ca

Configuration

use the follow

Configuration

ontext does no

more informat/?LinkId=9988

atabase

nsistencies tha

scope IP addr

nformation, wh

nformation, w

es, the detail ato find

onsistencies, yoncies, the DHCreservation forpe. When the

Restore functiou have selecte, the user accoministrators g

t should be in ny network inf

CP context to script file.

an use from th

n" all

wing command

n" all

ot exist on serv

tion about back9&clcid=0x40

t can

ress-

hich

which

and

ou must reconP service either those addresslease time exp

on in the DHCPed the locationount must eithroup.

a protected loformation in t

back up the d

he Netsh DHC

d:

ver computers

king up the DH09.

ncile any scopeer restores thoses. These resepires, the addre

P server conson, DHCP serviceer have admin

ocation that onhe backup file

database; this i

P prompt to b

s without the D

HCP database

e inconsistencise IP addresseervations are vesses are then

ole. You will bee stops, and th

nistrative-level

nly the DHCP es remains

s useful for ba

back up the DH

DHCP

see:

es. After you ses to the originvalid for the lea recovered for

e he

acking

HCP

select nal ase r

M

Inromenth

YoonDthcap

Moving a D

n the event thaole to another

move the DHCPnsures that cliehe likelihood o

ou move the dn to the old DHCP service o

he DHCP databan restore it usrocedure.

DHCP Data

at you must mserver, it is als

P database to tent leases are of client-config

database initiaHCP server. Thn the old DHCbase to the nesing the norma

abase

ove the DHCPso advisable ththe same serveretained, and

guration issues

lly by backinghen, shut downCP server. Nextw server, wheral database re

P server hat you er. This reduces

s.

it up n the t, copy re you store

20410A: Installinng and Configuring WWindows Server® 20012 6-15

6-16 Implemen

Lesson 4Securin

DHCprec

DHCprocan

ThisDHC

LesAfte

•

•

•

•

•

•

Pre

DHCdesiinfoauthyouunawith

Basiuna

•

•

•

nting DHCP

4 ng and CP protocol hacautions, IP lea

CP is a core seperly, or if theidentify the p

s lesson explainCP servers, and


Explain how t

Explain how t

Explain how t

Describe DHC

Describe DHC

Identify comm

eventing a

CP by itself canigned to work

ormation is in phenticate with should take puthorized com

h DHCP.

ic precautions uthorized acce

Ensuring thausers can accto the networbe able to obphysically fro

Enabling audaddition to alMake sure to

Requiring aunow support allows for por(WPA) Enterp

Monitoas no built-in mases could be

rvice in many re is a situatioroblem and de

ns how to prevd how to confi


to prevent an

to restrict unau

to delegate ad

CP statistics.

CP audit loggin

mon issues tha

an Unautho

n be difficult tbefore the ne

place for a cliea domain con

precautions to mputers from o

that you shouess include:

at you reduceess an active nrk, their comp

btain an IP addm the switchin

dit logging onllowing you toschedule time

uthenticated Institute of Elert-level user au

prise and WPA

oring Dmethod for augranted to dev

organization’sn that is causinetermine pote

vent unauthorigure DHCP se

ou will be able

unauthorized

uthorized, non

dministration o

ng.

at are possible

orized Com

o secure—it isecessary ent computer tntroller. This is prevent

obtaining a lea

uld take to lim

e physical accenetwork conneuters are likely

dress. If a netwng infrastructu

n all DHCP seo trace when ae at regular int

Layer 2 conneectrical and Eleuthentication. 2 Enterprise, a

HCP uthenticating uvices and user

s network enving problems w

ential causes to

rized users fromervers so that a

to:

computer from

n–Microsoft DH

of the DHCP se

with DHCP.

mputer fro

s

to why

ase

it

ess: If ection y to

work port is noture.

ervers: This cann unauthorizetervals to revie

ections to theectronics EnginSecure wireles

also use 802.1X

users. This mears who are una

ironments. If twith the DHCPo resolve the p

m obtaining a a specific grou

m obtaining a

HCP servers fro

erver role.

om Obtain

t being used, y

n provide an hed user obtaineew the audit lo

e network: Moneers, Inc. (IEEss standards, sX authenticatio

ans that if you authorized.

he DHCP serviP server, it is improblem.

lease, how to up can manage

lease.

om leasing IP

ning a Leas

you should dis

historical view ed an IP addreogs.

ost enterprise EE) 802.1X authsuch as Wi-Fi Pon.

do not take

ice is not workmportant that y

manage rogue them.

addresses.

se

sconnect it

of activity, in ess in the netw

hardware swithentication. ThProtected Acce

king you

ue

work.

tches his ess

•

RA

Mmarthseauneco

Tomcop

If seis

Yosu

D

Enadby

•

•

Threseis is

P

Ado

Implementsystem hearunning an the networreceive the healthy com

Restricting Addresses

Many devices amultiple DHCP re almost neveherefore, it is perver that doesuthenticated setwork. In thisonfiguration d

o eliminate anmust first locateommunicatinghysically, or by

users complaierver. Use the not the IP add

ou can use theubnet.

Delegating

nsure that onlydminister the Dy performing e

Limit the mAdministrat

Assign userDHCP mem

he DHCP Admestrict and graervers. Therefoin the built-inon local serve

Permissions

uthorization oown-level adm

ting NAP: NAlth requiremeup-to-date an

k, they receivenecessary upd

mputers access

Unauthor

nd network opserver implem

er homogeneopossible that ats not check foervers will be e case, clients mata.

unauthorizede it, and then pg on the netwoy disabling the

in that they doipconfig /all cdress of an aut

e DHCP Server

DHCP Ad

y authorized pDHCP server roeither of the fo

membership of tors group.

rs that require mbership of the

ministrators locant access to ad

ore, the DHCP n groups on doers

Required to

of a DHCP servministrator to a

AP allows admints, such as runtivirus client. e an IP addressdates. The adms to the intern

rized, Non

perating systemmentations. Netous in nature; t some point ar Active Directenabled on th

might obtain in

d DHCP server,prevent it fromork by disabline DHCP service

o not have concommand to cthorized DHCP

r Locator utility

dministrati

persons can ole. You can dollowing tasks:

the DHCP

read-only acce DHCP Users

al group is usedminister DHCAdministrator

omain controll

o Authorize

vice is only avaauthorize the d

nistrators to vnning all the lIf users who d

s configurationministrator canal local area n

–Microsof

ms have tworks

a DHCP tory–e ncorrect

you m g it

e.

nnectivity to thcheck the IP adP server, then t

y (Dhcploc.exe

on

o this :

cess to group.

ed to CP s group lers, or

e and Admin

ilable to Enterdomain, use Ac

20410A: Installin

validate that a atest Window

do not meet sen to access a ren restrict accesetwork (LAN).

ft DHCP Se

he network, chddress of the Dthere is proba

e) to locate the

nister DHCP

rprise administctive Directory


client computws operating syecurity requireemediation nes to the netwo

ervers from

heck the IP addDHCP Server fibly a rogue se

e DHCP server

P

trators. If the ny delegation.

Windows Server® 20

ter is complianystem updates ments try to a

etwork where tork by allowing

m Leasing

dress of their Dield. If the IP aerver in the ne

s that are activ

need exists for

012 6-17

nt with or

access they can g only

IP

DHCP address twork.

ve on a

r a

6-18 Implemen

•

•

Wh

DHCactivdetethe clienusefamopacprov

Youin th

DHDHCquicuse

DH

DHCaddaddusinresp

Wh

TheDHCleasinfoserv%syYouserv

Theweeaudnam

nting DHCP

DHCP Adminservice.

DHCP Users.

hat Are DH

CP statistics prvity and use. Yermine quicklyDHCP service nts. An exampful is if the admount of negatikets, which mividing the cor

u can configurehe General tab

HCP Server SCP server statisckly the state oaddresses, and

HCP Scope S

CP scope statisdresses are in udresses availabng scope statispect to the add

hat Is DHC

DHCP audit loCP server activse requests, graormation allowver performancystemroot%\syu can configurever’s Propertie

DHCP audit loekday that the it logging is e

me is DhcpSrvL

nistrators. An

. Any user in th

HCP Statist

rovide informaYou can use thy whether theror with the nele in which staministrator notve acknowledgight indicate threct data to cl

e the refresh rab of server’s P

Statistics stics provide aof the DHCP sed total availab

Statistics

stics provide muse, and how mle in the servetics, an admindresses availab

CP Audit Lo

og provides a vity. You can uants, and deni

ws you to troubce. The log filestem32\dhcp e the log file sees window.

og files are nafile was createnabled on a M

Log-Mon.log.

y user in the D

he DHCP User

tics?

ation about DHis console to

re is a problemetwork’s DHCPatistics might btices an excessgement (NAK)hat the server ients.

ate for the statroperties wind

an overview of erver. Informa

ble addresses c

much fewer demany addresser statistics, it mistrator can qu

ble.

ogging?

traceable log se this log to tals. This

bleshoot DHCPes are stored infolder by defaettings in the

med based oned. For examp

Monday, the fil

DHCP Adminis

s group can ha

HCP

m with P be sive ) is not

tistics dow.

DHCP server tion such as n

can help to pro

tails—such as es are availablemight be that ouickly determin

of track

P n the ult.

n the le, if e

strators group

ave read-only

usage. You caumber of offe

ovide a picture

total addressee. If you noticeonly one scopene the status o

can manage t

access to the

n use this dataers, number of e of the server’

es in the scopee that there aree is near its deof the particula

the server’s DH

DHCP console

a to understanrequests, tota’s health.

e, how many e a low numbeepletion point.ar scope with

HCP

e.

nd l in-

er of By

F

Th

CC

•

•

•

•

D

ThDSocl

ields That M

he following ta

Field

ID

Date

Time

Description

IP Address

Host Name

MAC Address

Common Eveommon event

ID,Date,Tim

00,06/22/9

56, 06/22/9

55, 06/22/9

Discussion:

he following taHCP issues. Enolution columnass.

Make Up a D

able describes

Descriptio

A DHCP se

The date o

The time a

A descript

The IP add

The host n

The MAC

ent ID Codet ID codes inclu

me,Description,

9,22:35:10,Sta

99,22:35:10,Au

99,22:45:38,Au

Common

able describes nter the possibn, and then dis

DHCP Audit

the fields in a

n

erver event ID

on which this e

at which this e

tion of the DH

dress of the DH

name of the D

address used

es ude:

,IP Address,Ho

rted,,,,

thorization fai

thorized(servic

n DHCP Iss

some commoble solutions inscuss them wit

t Log

DHCP audit lo

code.

entry was logg

entry was logg

CP server even

HCP client.

HCP client.

by the client’s

ost Name,MAC

ilure, stopped

cing),,domain1

ues

on n the th the

20410A: Installin

og.

ged on the DH

ed on the DHC

nt.

network adap

C Address

servicing,,dom

1.local


HCP server.

CP server.

pter hardware.

main1.local,,

Windows Server® 20

.

012 6-19


Issue Description Example Solution

Address conflicts

The same IP address is offered to two different clients.

An administrator deletes a lease. However, the client that had the lease is still operating as if the lease is valid. If the DHCP server does not verify the IP address, it might lease the IP to another machine, causing an address conflict. This can also occur if two DHCP servers have overlapping scopes.

Failure to obtain a DHCP address

The client does not receive a DHCP address and instead receives an Automatic Private IP Addressing (APIPA) self-assigned address.

If a client’s network card driver is configured incorrectly, it might cause a failure to obtain a DHCP address. Additionally, the DHCP server or relay agent on the client’s subnet.

Address obtained from an incorrect scope

The client is obtaining an IP address from the wrong scope, causing it to experience communication problems.

If the client is connected to the wrong network or the DHCP relay agent is incorrectly configured this error could occur.

DHCP database suffers data corruption or loss

The DHCP database become unreadable or is lost due to a hardware failure.

A hardware failure can cause the database to become corrupted.

DHCP server exhausts its IP address pool

The DHCP server’s IP scopes have been depleted. Any new clients requesting an IP address are refused.

For example, if all the IPs assigned to a scope are leased this error occurs.


Lab: Implementing DHCP Scenario

A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations as well. A. Datum have recently deployed a Windows 2012 Server infrastructure with Windows 8 clients.

You have recently accepted a promotion to the server support team. One of your first assignments is to configure the infrastructure service for a new branch office. As part of this assignment, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and do not use DHCP.

Objectives After performing this lab you will be able to:

• Install and configure the DHCP server role.

• Configure the DHCP scope and options.

• Configure a client computer to use DHCP, and then test the configuration.

• Configure a lease as a reservation.

• Install and configure a DHCP relay.

• Test DHCP relay with client.

Lab Setup


Logon Information

Virtual Machines 20410A-LON-DC1 20410A-LON-SVR1 20410A-LON-RTR 20410A-LON-CL1 20410A-LON-CL2


Password Pa$$w0rd



2. In Microsoft Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.





o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.


6. For the optional Exercise 2, you should repeat steps 2 to 4 for 20410A-LON-RTR, 20410A-LON-SVR2, and 20410A-LON-CL2.

Exercise 1: Implementing DHCP

Scenario As part of configuring the infrastructure for the new branch office, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and usually do not use DHCP for obtaining IP addresses.

One of the client computers in the branch office needs to access an accounting application in the head office. The network team uses firewalls based on IP addresses to restrict access to this application. The network team has requested that you assign a static IP address to this client computer. Rather than configuring a static IP address on the client computer manually, you decide to create a reservation in DHCP for the client computer.


1. Install DHCP server role.

2. Configure the DHCP scope and options.

3. Configure client to use DHCP and then test the configuration.

4. Configure a lease as a reservation.

Task 1: Install DHCP server role 1. Switch to LON-SVR1.

2. Open Server Manager, and install the DHCP Server role.

3. In the Add Roles and Features Wizard, accept all defaults.

Task 2: Configure the DHCP scope and options 1. Switch to LON-SVR1.

2. In Server Manager, open the DHCP console.

3. Authorize the lon-svr1.adatum.com server in AD DS.

4. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.


o Name: Branch Office


o Length: 16


o Exclusions: 172.16.0.190-172.16.0.200

o Configure options Router 172.16.0.1

o For all other settings use default values

6. Activate the scope.

Task 3: Configure client to use DHCP and then test the configuration 1. To configure a client, switch to LON-CL1.


2. Reconfigure the Local Area Connection using the following information:

o Configure Internet Protocol Version 4 (TCP/IPv4)

o Obtain an IP address automatically

o Obtain DNS server address automatically

3. Open a command prompt, and initiate the DHCP process using the ipconfig /renew command.

4. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing in the command prompt: ipconfig /all.

This command will return information, such as IP address, subnet mask and DHCP enabled status, which should be Yes

Task 4: Configure a lease as a reservation 1. Switch to LON-CL1.

2. In a command prompt, type ipconfig/all to display the physical address of the network adapter.


4. Open the DHCP console.

5. In the DHCP console, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office scope, right-click Reservations, and then click New Reservation.

6. Create a new reservation for LON-CL1 using the physical address of the LON-CL1 network adapter, and the IP address 172.16.0.55.

7. On LON-CL1, use the ipconfig command to renew and then verify the IP address.

Task 5: To prepare for the optional exercise If you are going to complete the optional lab, revert the following virtual machines: 20410A-LON-CL1 and 20410-LON-SVR1.

Results: After completing these tasks, you will have implemented DHCP, configured DHCP scope and options, and configured a DHCP reservation

Exercise 2: Implementing a DHCP Relay (Optional Exercise)

Scenario

Your manager has asked you to configure a DHCP relay for another subnet in your branch office. This avoids the need to configure an addition DHCP server on the subnet.


1. Install DHCP relay.

2. Configure DHCP relay.

3. Test DHCP relay with client.

Task 1: Install DHCP relay 1. Switch to LON-RTR.

2. In Server Manager, open Routing and Remote Access.

3. Use the following steps to add the DHCP Relay agent to the router:


o In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.

o In the Routing protocols list, click DHCP Relay Agent and then click OK.

Task 2: Configure DHCP relay 1. Open Routing and Remote Access.

2. Use the following steps to configure the DHCP Relay agent:

o In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

o In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.

o In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

o Right-click DHCP Relay Agent and then click Properties.

o In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.

3. Close Routing and Remote Access.

Task 3: Test DHCP relay with client

Note: In order to test how a client receives an IP address from DHCP Relay in another subnet, we need to create another DHCP scope.


2. Open the DHCP console.

3. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.


o Name: Branch Office 2


o Length: 16


o Exclusions: 10.10.0.190-10.10.0.200

o Other settings use default value

o Configure options Router 10.10.0.1 and other setting use default values

5. Activate the scope.

6. To test the client, switch to LON-CL2.

7. Open the Network and Sharing Center window and configure Local Area Connection, Internet Protocol Version 4 (TCP/IPv4) properties with following settings:

o Obtain IP address automatically

o Obtain DNS server address automatically

8. Open the command prompt.


9. In the command prompt, type following command:

ipconfig /renew

10. Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope installed on LON-SVR1.

Note: IP address should be from following range: 10.10.0.100/16 to 10.10.0.200/16.

Results: After completing these tasks, you will have implemented DHCP relay agent.

To prepare for the next module When you are finished the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.




4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.


Module Review and Takeaways Module Review Questions

Question: You have two subnets in your organization and want to use DHCP to allocate addresses to client computers in both subnets. You do not want to deploy two DHCP servers. What factors must you consider?

Question: Your organization has grown, and your IPv4 scope is almost out of addresses. What should you do?

Question: What information do you require to configure a DHCP reservation?

Question: Can you configure option 003 – Router as a Server-level DHCP scope option?

Best Practices • Spend time designing your IP addressing scheme so that it will accommodate both your current and

IT infrastructure and any potential future IT infrastructure needs.

• Determine which devices need DHCP reservations, such as network printers, network scanners, or IP based cameras.

• Secure your network from non-authorized, rogue DHCP servers.

• Configure the DHCP database on highly available disk drive configurations, such as redundant array of independent disks (RAID)–5 or RAID–1, to provide DHCP service availability in case of single disk failure.

• Back up the DHCP database regularly, and test the restore procedure in isolated, non-production environment.

• Monitor the system utilization of DHCP servers, and upgrade the hardware of DHCP server if needed, in order to provide better service performance.

Tools


IPConfig.exe Managing and troubleshooting client IP settings Command-line

Netsh.exe Configuring both client and server-side IP settings, including those for DHCP server role

Command-line

Regedit.exe Editing and fine-tuning settings, including those for the DHCP server role

Windows interface or Command line

Network Monitor Capture and analyze DHCP traffic on a subnet Download from the Microsoft website

7-1

Module 7 Implementing DNS


Lesson 1: Name Resolution for Windows Clients and Servers 7-2

Lesson 2: Installing and Managing a DNS Server 7-10

Lesson 3: Managing DNS Zones 7-16

Lab: Implementing DNS 7-20


Module Overview

Name resolution, one of the most important concepts of every network infrastructure, is the process of software translating between names that users can read and understand, and numerical IP addresses, which are necessary for TCP/IP communications. Client computers use the name resolution process when locating hosts on the Internet, and when locating other hosts and services in an internal network. Doman Name System (DNS) is one of the most common technologies for name resolution. Active Directory® Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some basic name resolution concepts as well as installing and configuring DNS service and its components.

Objectives After completing this module, you will be able to:

• Describe name resolution for Windows® operating system clients and Windows Server® servers

• Install and manage DNS service

• Manage DNS zones

7-2 Implement

Lesson Name

YouThenamhow

LesAfte

•

•

•

•

•

•

•

Wh

ThedestHowandof tcomto csysthostin NWin

Na

ThedevWinappinclserv

EarlrequWinWin

add

ing DNS

1 Resolut

u can configure computer use

me. This lessonw to troublesho


Describe com

Describe DNS

Describe DNS

Describe how

Describe Link

Describe how

Troubleshoot

hat Are Co

TCP/IP set of tination compwever, comput rememberinghis, administra

mputers. Admincomputer IP adem such as DNt name format

NetBIOS name ndows Internet

me Type

type of nameeloper. If the a

ndows sockets,plication to requding Internetvices. NetBIOS

ier versions ofuire NetBIOS tndows 2000, alndows, but do

Note: You cdress or by hos

tion fore a computer tes name resolu focuses on dioot problems w

ives this lesson you

mputer names.

S.

S zones and re

w Internet DNS

k Local Multica

w a client resolv

t name resolut

omputer N

protocols idenuters by their ter users are mg names than nators usually asnistrators thenddresses in a nNS. These namt (which is recoformat (which

t Name Service

e (host name oapplication dev, then host nam

quest services tt applications, is used by ma

f Microsoft® Wto support netl operating synot require N

can use Windost name. NetBI

r Windoto communicaution to find anfferent types owith name res

u will be able t

ecords.

S names are re

ast Name Reso

ves a name.

tion.

Names?

ntifies source aIP addresses.

much better at numbers. Becssign names ton link these namname resolutiomes are in eitheognized by DNh is recognizede (WINS)).

or NetBIOS namveloper designmes are used. through NetBIuse Windows

any earlier Win

Windows®, suchworking capabstems supportetBIOS themse

ows sockets apOS application

ows Clieate over a netwn IP address thof computer nsolution.

to:

solved.

olution.

and

using ause o mes n

er NS) or d by

me) that an apns an applicatiIf, on the otheOS, a NetBIOSsockets—and

ndows operatin

h as Microsoft bilities such ast NetBIOS for belves.

pplications to sns require the

ents andwork by using hat correspondames, the met

pplication usesion to request er hand, the apS name is usedthus use host

ng system app

Windows 98 as file sharing. Hbackward com

specify the desuse of a NetB

d Servea name in plads to a name, thods used to

is determinednetwork servi

pplication deved. Most current names—to acplications.

and Windows However, sincempatibility with

stination host eIOS name.

rs ce of an IP addsuch as a hostresolve them,

d by the applicces through eloper designst applications,ccess network

Millennium Ede Microsoft h earlier versio

either by IP

dress. t and

cation

s an

dition,

ns of

H

A TCch

YoquYoIn

N

A nana15lo

Thor

ht

W

Dreadin

Wlonacoberedoadch

Dquloreth

Oadpim20

Host Names

host name is CP/IP host. Theharacters, perio

ou can use houalified domaiou can combin

nternet, and in

NetBIOS Nam

NetBIOS namame can repreame; the final 5-character na

ogged on. The

he NetBIOS narganize NetBIO

Additionattp://technet.m

What Is DN

NS is a serviceesolve FQDNs ddresses. All Wnclude a DNS s

When you use Docate network ames (for examomputer then enefit is that IPemember (for eomain name tyddition, you cahange while th

NS uses a dataueries on and

ocate a print seesolve the namhe user-friendl

Originally, one fddresses. This roblems assoc

mportant, beca001:db8:4136:

a user-friendlye host name cods, and hyph

st names in vain name (FQDne an alias witcludes periods

mes

me is a 16-charaesent a single ccharacter iden

ame may inclusixteenth char

amespace is flaOS names into

al Reading: Fomicrosoft.com/

NS?

e that uses a diand other hos

Windows serveservice.

DNS, users on resources by t

mple, microsofresolves to anPv4 addresses example, 131.1ypically is easian use host nahe underlying

abase of nameupdates to the

erver can use tme to a printer

y name can re

file on the Intelist quickly beciated with usin

ause IPv6 addre38c:384f:3764

y name that is an be up to 25ens.

arious forms. TN). An alias is h a domain nas as separators

acter name thcomputer or a ntifies the resode the compuracter is a 1-by

at, meaning tho a hierarchica

or more inform/en-us/library/

istributed datast names to IP r operating sys

your network typing in user-ft.com), which IP address. Thmay be difficu107.0.32), whiler to remembmes that do nIP addresses c

es and IP addree DNS databasthe DNS name’s IP address, s

emain the sam

ernet containecame too longng a single interesses are more4:b59c:3d97).

associated wit55 characters l

he two most ca single name

ame to create s. An example

at identifies a group of com

ource or serviceter name, the yte hexadecim

hat names can l structure, as y

mation about Ne/cc738412(WS

abase to

stems

can -friendly the

he ult to le a er. In

not an be changed

esses to providse. For exampl

e printserver.cosuch as 172.16e.

ed a list of all dg to manage aernet file. Withe complex tha

20410A: Instal

th a computerlong, and can

common forme associated wian FQDN. An of an FQDN is

NetBIOS resoumputers. The fire that is beingdomain name

mal identifier.

be used only oyou can with F

etBIOS name reS.10).aspx

d to suit your

de this service.le, within an oontoso.com, a6.23.55. Even if

domain namesnd distribute. h the adoptionan IPv4 addres


r’s IP address tcontain alpha

s are as an aliaith an IP addreFQDN is strucs payroll.conto

urce on the nerst 15 characte

g referred to one, and the nam

once within a FQDNs.

esolution see:

organizationa

. DNS client soorganization, a and the DNS clf the printer’s I

s and their corDNS was deve

n of IPv6, DNSses (for examp

g Windows Server®

to identify it asbetic and num

as, and as a fuess, such as paytured for use o

oso.com.

etwork. A NetBers are used fon the compute

me of the user

network. You

l needs.

oftware perforuser who is tr

lient software IP address cha

responding IPeloped to solve becomes eve

ple,

2012 7-3

s a meric

lly yroll. on the

BIOS or the er. The who is

cannot

ms rying to will nges,

e the n more

7-4 Implement

DNShieranddowstru

Thenamorga

If hodomfromensuinte

In a

•

•

•

DN

A Dnamzonfor domrespIP a

ZonAD zonthe onlywhi

Thelook

For

Forwhostresotypenam

Rev

Revman

ing DNS

S groups inforrarchical struct descending in

wnward even fcture is known

Internet uses mespace, a domanizations atte

osts that are lomain internallym Internet domure uniquenes

ernal use in mu

ddition to reso

Locate doma

Resolve IP adhost.

Locate mail se

NS Zones a

NS zone is a smespace that ce is hosted onresponding to

main. For examponsible for reddress would

ne content canDS database. We in a file, thatserver. When

y one copy of le all others ar

most commokup zones.

rward Looku

ward lookup zt (A), alias (CN

ource records. es, the most co

me to an IP add

verse Looku

erse lookup zonner as a forwa

mation about ture of domainnto separate burther into indn as a DNS nam

a single DNS nmain name muempt to use th

ocated on the y, without regismain names, oss is to create auch the same w

olving host na

in controllers a

dresses to hos

erver for emai

and Record

pecific portioncontains DNS rn a DNS server o queries for remple, the DNS

solving www.ccontain the co

be stored in aWhen the DNSt file is locatedthe zone is nothe zone can bre read-only.

nly used types

up Zones

ones resolve hNAME), service

Although forwommon recorddress.

up Zones

ones resolve IPard zone, but

network resouns is an invertebranches with cdividual child dmespace.

namespace wiust be registerehe same doma

Internet do nostering it. Howr connectivity an internal domway that privat

mes to IP add

and global cat

st names. This

l delivery. This

ds

n of DNS records. A DNSthat is respon

ecords in a speserver that is contoso.com toontoso.com zo

a file or in the S server stores

d in a local foldot stored in ADbe writable co

s of zones in W

host names to (SRV), mail exward lookup zd type is the ho

P addresses tothe IP address

urces into a hieed tree structucommon leveldomains. The r

th multiple roed with a DNSin name.

ot need to resowever, you mus

to Internet resmain in the .lote IP addresses

resses, DNS ca

talog servers. T

is useful when

s is used for th

S nsible ecific

o an one.

s the der on D DS,

py,

Windows Serve

IP addresses, achange (MX),

zones are capaost (A) record.

domain names is the part of

erarchical strure beginning ws of parent dorepresentation

ot servers. To S registrar. This

olve names in st still ensure tsources might

ocal domain. Ts are reserved

an be used to:

This is used wh

n a log file con

he delivery of a

er DNS are forw

and hosts comstart of autho

able of hosting. This record is

es. A reverse zothe query whi

cture of domawith a root do

omains, and den of the entire

participate in s ensures that

your domain, that the domat be affected. Ahe .local domafor internal us

hen logging on

ntains only the

all Internet em

ward lookup z

mmon resourcerity (SOA), and

g a number of s used when re

one functions ile the host na

ains. The omain at its apescending hierarchical do

the Internet Dno two

you can host in name is uni

A common waain is reservedse.

n to AD DS.

IP address of

mail.

zones and reve

e records includ name server different reco

esolving a host

in the same ame is the retu

ex,

omain

DNS

a que y to for

a

erse

uding (NS) rd t

urned

inno

MFoca

Mem

Hadfr

RThlothde

ReExreth

Rewmpo

H

Wena thovarseyoar

Toa p

1.

2.

3.

4.

5.

nformation. Reot always conf

Many standard or example, if an use a revers

Many email servmail servers try

aving a reversddresses. Manyom a particula

Resource Reche DNS zone f

ocate the resouhat resolves a hevice, such as

esource recordxchange serveequests the mahe host that is

esource recordwhich is useful imail server the

ort the service

How Intern

When resolvingntire system ofsingle server.

he Internet, calverall practice re representedervers are preloou register a dre paying to b

o see how thesDNS name letrocess for the

. A workstati

. If the local location of

. The local D

. The local D

. The IP addr

verse lookup zfigured, but yo

Internet protothe forward lose lookup to co

vers use a revey to detect op

e zone is impoy applications ar IP address, y

cords file stores resource. The mosthost name to aa router.

ds also help finr needs to findail exchanger (running the S

ds also can conif an organizatreceiving orga

e is listening, an

net DNS N

g DNS names of computers isThere are hunlled root serverof DNS resolu

d by 13 FQDNsoaded on each

domain name oecome part of

se servers wort us look at thename www.m

ion queries the

DNS server dothe .com DNS

DNS server que

DNS server que

ress of www.m

zones host SOAou should conf

ocols rely on reookup indicateonfirm that 19

erse lookup asen Simple Ma

ortant if you hrecord this inf

you can look u

urce records. Rt common resoan IP address.

nd resources fod the server th(MX) resource MTP mail serv

ntain custom ation has multipanization prefend the protoco

ames Are

on the Internet used rather thdreds of servers, which mana

ution. These ses; a list of theseh DNS server. Won the Internef this system.

k together to e name resoluticrosoft.com:

e local DNS se

oes not have thS servers.

eries a .com DN

eries the micro

microsoft.com i

A, NS, and poifigure them to

everse zone loes that training92.168.2.45 is a

one way of reil Transfer Prot

ave applicatioformation in s

up the host nam

Resource recoource record isThe host can b

or a particular at is responsibrecord for tha

vice.

attributes. MX ple mail serverers. SRV recordol that you sho

Resolved

t, an han just ers on age the

ervers e 13 When

et, you

resolve tion

rver for the IP

he information

NS server for t

soft.com DNS

s returned to t

20410A: Instal

inter (PTR) reso reduce warni

ookup data to vg.contoso.comassociated with

educing spam.tocol (SMTP) s

ons that rely onecurity or eveme using the

rds specify a res an A resourcbe a workstati

domain. For ible for deliveriat domain. This

records, for inrs. The MX recds also containould use to co

address www

n, then it quer

he location of

server for the

the workstatio


ource recordsing and error m

validate forwa is resolved to h training.cont

. By performinservers (open r

n looking up hnt logs. If you reverse zone

esource type, ce record. This on, server, or a

nstance, whenng mail for ans record point

nstance, have aord tells the se

n information rommunicate w

w.microsoft.com

ies a root DNS

f the microsoft

e IP address of

on.

g Windows Server®

. Reverse zonemessages.

ard zone inform 192.168.2.45, toso.com.

g a reverse loorelays).

hosts by their Isee suspiciousinformation.

and the IP addis a simple recanother netwo

n a Microsoft nother domains to the “A” re

a preference aending server regarding on with the service

m.

S server for the

t.com DNS serv

www.microso

2012 7-5

es are

mation. you

okup,

P s activity

dress to cord ork

, it ecord of

ttribute, which which .

e

vers.

ft.com.

7-6 Implement

The

•

•

Wh

In WresoMulvarithis netwaddIPv6sup

LLM

•

•

•

For infra

LLMIt usadd

To ufeatdisa

If yodisa

ing DNS

name resolut

Caching. Aftehours. Subseq

Forwarding. of querying rserver at an In

hat Is Link

Windows Serveolving names tlticast Name Rous limitationslesson) it is us

works. Althougdresses, it has b6; so if you waported and en

MNR is commo

There are no name resolut

Implementati

These service

example, you astructure.

MNR is supportses a simple sy

dresses.

use LLMNR, yoture is availablabled for any n

ou want to conable LLMNR via

Group Policy Multicast NamSet this value

ion process ca

er a local DNS quent resolutio

A DNS server oot servers. Fonternet service

-Local Mu

er 2012, a new to IP addressesResolution (LLMs (which are besually used ongh LLMNR is abeen designednt to use it, yo

nabled on your

only used in ne

DNS or NetBIOion.

ion of these se

s are not avail

might want to

ted on Windowystem of reque

ou need to ture in the Netwo

network that y

ntrol the use oa Group Policy

= Computer Cme Resolution to Enabled if

an be modified

server resolveon requests fo

can be configor example, reqe provider (ISP

ulticast Nam

method for s is Link-local MNR). Becauseeyond the scoly on localizedble to resolve

d specifically foou must have Ir hosts.

etworks where:

OS services fo

ervices is not p

able.

o set up a tem

ws Vista®, Winest and reply m

n on the Network and Sharinou designate a

of LLMNR on yy, set the follow

Configuration\. you do not wa

d by caching o

es a DNS namer the DNS nam

ured to forwaquests for all I

P).

me Resolu

e of pe of

d IPv4

or Pv6

:

r

practical for an

porary networ

dows Server 2messages to re

work Discoveryng Center. Be aas Public.

your network, ywing Group Po

\Administrative

ant to use LLM

or forwarding:

e, it caches theme are given th

rd DNS requesnternet names

ution?

ny reason.

rk for testing p

2008 and all neesolve compute

y feature for alaware that Net

you can configolicy value:

e Templates\N

MNR or to Disa

e results for aphe cached info

sts to another s can be forwa

purposes witho

ewer Windowser names to IP

l nodes on thetwork Discove

gure it via Gro

Network\DNS C

abled if you wa

pproximately 2ormation.

DNS server inarded to a DNS

out server

s operating sysPv6 or IPv4

e local subnet. ery is usually

up Policy. To

Client\Turn of

ant to use LLM

24

nstead S

stems.

This

ff

MNR.

H

WdisupredeLe

W

WreNp

Yo

•

•

pnaW

H

WanIf ho

W

1.

2.

3.

4.

5.

6.

7.

NAN

How a Clie

Windows operaifferent methouch as DNS, Wrocess. DNS is esolving host nescribed in deesson, What is

WINS

WINS provides egistering dynaetBIOS namesrovide backwa

ou can resolve

Broadcast routers do

Lmhosts fimaintenanc

Note: Therovides a new ames that are

WINS to provid

Host Name R

When an applicnd DNS when NetBIOS over

ost names.

Windows opera

. Checking w

. Searching t

. Sending a D

. Converting

. Contacting

. Broadcastinattached.

. Searching t

Note: YouetBIOS over Tlternatively, yoetBIOS name

nt Resolve

ating systems sods for resolvin

WINS, and the hthe Microsoft

names to IP Adtail in the secoDNS.

a centralized damic mappings. Support is reard compatibil

e NetBIOS nam

messages. Brnot propagate

le on all comce solution, be

e DNS server rzone type, theunique acrosse support for

Resolution P

cation specifiesattempting to

r TCP/IP is ena

ating systems r

whether the ho

the DNS resolv

DNS request to

the host nam

the host’s con

ng as many as

the Lmhosts fil

u can control tCP/IP, none ofou can modifyresolution me

es a Name

support a numng computer nhost name reso

standard for ddresses and isond topic of th

database for gs of a networketained for WINity.

mes by using:

oadcast messae broadcasts.

puters. Using ecause you mu

ole in Windowe GlobalName an entire foresingle-label na

Process

s a host name o resolve the hbled, TCP/IP a

resolve host na

ost name is the

ver cache. In D

o its configure

e to a NetBIO

nfigured WINS

three NetBIOS

le.

the order usedf the NetBIOS the NetBIOS n

thods are atte

mber of names, olution

s his

k’s NS to

ages, however,

an Lmhosts fiust maintain th

ws Server 2008es zone, which est. This eliminames.

and uses Windost name. Thelso uses NetBI

ames by:

e same as the l

DNS client reso

ed DNS servers

S name and ch

S servers.

S name query

d to resolve naname resolutinode type, whmpted.

20410A: Instal

, do not work

le for NetBIOShe file manuall

8 R2 and Windyou can use to

nates the need

dows sockets, e hosts file is loIOS name reso

local host nam

olver cache, en

s.

hecking the lo

request messa

ames. For examion methods a

hich changes th


well on large

S name resoluty on all comp

ows Server 20o contain singto use the Ne

TCP/IP uses thoaded into theolution method

me.

tries from hos

ocal NetBIOS n

ages on the su

mple, if you disare attempted.he order in wh

g Windows Server®

networks beca

tion is a high uters.

12 also gle-label etBIOS-based

he DNS resolvee DNS resolverds when resolv

ts file are pre-

name cache.

ubnet that is d

sable . hich the

2012 7-7

ause

er cache r cache. ving

-loaded.

irectly

7-8 Implement

Tro

LikesomoccuresoWhesombecobv

TooTheuse issu

•

•

•

•

•

Tro

Whecombetwpro

1.

2.

3.

ing DNS

oubleshoo

e most of othemetimes requirur when the Dource records—en resource re

metimes be moause configura

vious.

ols and Com command-linto troubleshoes are as follow

Nslookup: Uvaluable inforvalidate their resolution.

Dnscmd: Usebatch files to and configura

Dnslint: Use DNS quickly, are testing.

IPconfig: Usetool includes clients. You ccan clear the use ipconfig

Monitoring operform simpschedule thesWindows Serv

oubleshooti

en you troublemputer is usingween resolutioblem, troubles

Open an elev/flushdns.

Attempt to pname resolutis related to n

Attempt to pFor example, command pro

oting Nam

r technologieses troubleshoo

DNS server—an—are not confiecords are causore difficult to ation problem

mmands ne tools and coot these and ows:

se this tool to rmation aboutconfiguration

e this commanhelp automat

ation of new D

this tool to diaand can gene

e this commanadditional coman view the clilocal cache us/registerdns.

on DNS serveple local queriese tests for regver 2008 and W

ng Process

eshoot name rg, and in what on attempts. If shoot the nam

vated comman

ing the remoteion. If the ping

name resolutio

ing the remoteif you are worompt: Ping LO

e Resoluti

s, name resoluoting. Issues cand its zones anigured propersing issues, it cidentify the isss are not alwa

ommands thatother configur

query DNS inft DNS server stn. Additionally,

d-line tool to e routine DNS

DNS servers on

agnose commorate a report i

nd to view andmmand-line oient local DNSsing ipconfig/.

er: To test if thes and recursivgular intervals. Windows Serv

resolution, youorder the comyou cannot co

me resolution a

nd prompt, and

e host by its IPg succeeds witon.

e host by its hrking at ContoON-dc1.conto

on

tion an nd ly. can sue ys

t you ation

formation. Thetatus. You also you can test z

manage the DS managementn your network

on DNS issuesn HTML forma

d modify IP conptions that yo cache using t

/flushdns. If yo

e server can cove queries fromThe DNS server 2012 in the

u must understmputer uses theonnect to a res follows:

d then clear th

P address. Thisth the IP addre

ost name. For oso, Ltd, you woso.com.

e tool is flexiblo can use it to zone transfers,

DNS server rolet tasks or to pek.

s. This tool diagat regarding th

nfiguration deou can use to tthe command ou want to re-

ommunicate wm the DNS servver Monitoringe DNS Server N

tand what namem. Be sure tomote host and

he DNS resolve

s helps identifyess but fails by

accuracy, use would enter the

le and can prolook up resou, security optio

e. This tool is uerform simple

gnoses confighe status of th

etails that the croubleshoot aipconfig/disp

-register a hos

with upstream ver Monitoring tab is availab

Name Propertie

me resolution mo clear the DNSd suspect a na

er cache by typ

y whether the y its host name

the FQDN wite following co

ovide a lot of rce records anons, and MX re

useful in scriptunattended s

uration issues e domain that

computer usesnd support DNplaydns, and yst in DNS, you

servers you cang tab. You alsble only in es window.

methods the S resolver cachme resolution

ping IPConfig

issue is relatede, then the pro

th a trailing pemmand at the

nd ecord

ting etup

in t you

s. This NS you can

an so can

he

g

d to oblem

eriod. e


4. If the ping is successful, then the problem is most likely not related to name resolution. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry to the end of the file. In the previous Contoso, Ltd example, you would add the following line and save the file:

10.10.0.10 LON-dc1.contoso.com

5. Perform the Ping-by-host-name test once more. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache. To display the DNS resolver cache, at a command prompt type IPConfig /displaydns.

6. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.

7. At the command prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution:

Nslookup.exe –d2 LON-dc1.contoso.com. > filename.txt

Note: You also should know how to interpret the DNS resolver cache output so that you can identify whether the name resolution problem lies with the client computer’s configuration, the name server, or the configuration of records within the name server zone database. Unfortunately interpreting the DNS resolver cache output is beyond the scope of this lesson.

7-10 Implemen

Lesson 2Installi

To uprocandman

LesAfte

•

•

•

•

•

•

Wh

Theservreso

DN

A Dquezondiffecach

DN

DNSTheexam

DN

Thebe aserv

nting DNS

2 ing anduse a DNS servcedure. To ma their purpose

nage the DNS


Describe the

Describe root

Describe DNS

Describe forw

Explain how D

Describe how

hat Are the

components vers, DNS serveolvers, or DNS

NS Server

NS server answeries. DNS serves of a particuerent resourcehe lookups to

NS Servers o

S servers on thse servers hostmple .COM, .N

NS Resolver

DNS resolver any computer vers also can is

d Managvice, you must anage your DNe. In this lessonServer role.


components o

t hints.

S queries.

warding.

DNS server cac

w to install the

e Compon

of a DNS soluters on the Inteclients.

wers recursive ers also can ho

ular domain. Zoe records. DNSsave time for c

on the Intern

he Internet aret information

NET, and .EDU)

generates andthat is perform

ssue DNS requ

ging a Dfirst install it.

NS service, it is n, you will lear

ou will be able

of a DNS solut

ching works.

DNS server ro

nents of a

tion include Dernet, and DNS

and iterative ost one or moones contain servers also ccommon quer

net

e accessible puabout public d).

d sends iterativming a DNS loests to other D

DNS SerInstalling the Dimportant than about DNS c

to:

ion.

ole.

DNS Solut

NS S

DNS re

an ries.

blicly. domains, such

ve or recursiveokup that req

DNS servers.

rver DNS service oat you understcomponents, a

tion?

as common to

e queries to thuires interactio

n a DNS servetand the DNS sand about how

op level doma

e DNS Server. on with the DN

r is a simple server componw to install and

ains (TLDs) (for

A DNS resolveNS server. DNS

nents d

r

er can S

W

AroInreitsseneanD

Roincasew

WDnoatth

It Rea thin

W

A sepau

seD

AR

Th

•

•

What Are R

s previously dioot hints are a nternet that yoesolve a DNS qs own cache. Tervers in the Decessary informn iterative queNS namespace

oot Servers arenstall the DNS ache.dns file thetup files. You

within a forest.

When a DNS seDo Not Use Re

ot be able to pttempt to sendhis query, the f

is important tecursion on a recursive quer

he responsibilitn more detail.

What Are D

DNS query is ent to a DNS Srovides either uthoritative re

Note: It iservers also canNS queries to

AuthoritativeResponses

he two types o

Authoritatcorrect, becserver is au

Non-authorequested d

Root Hints

iscussed in lesslist of the 13 F

our DNS serverquery by usingThe root hints NS hierarchy, mation for a Dery to the next e.

e installed autorole. They are hat is includedalso can add r

erver communiecursion For Tperform queried a recursive qfirst server resp

to understand DNS server mery is a query thty for providin

DNS Queri

a name resoluServer. The DNan authoritativsponse to the

s important ton act as DNS re

other DNS ser

e or Non-A

of responses ar

tive. An authocause the requthoritative wh

oritative. A nodomain in its c

s?

son one, topicFQDNs on ther uses if it cann a DNS forwarlist the highesand can provi

DNS server to plowest layer o

omatically whecopied from t in the DNS roroot hints to a

icates with a roThis Domain oes on the root uery to its forwponds that the

that recursioneans that the shat is made to ng a complete

es?

ution query thaS server then ve or a non-client query.

note that DNesolvers and servers.

uthoritative

re:

ritative responuest is directeden it hosts a p

on-authoritativcache answers

c four, e not rder or t de the

perform of the

en you the ole DNS server to

oot hint serveroption (on thehints. If you c

warding servee host could no

n on a DNS serserver uses its a DNS server answer to the

at is

S end

e

nse is one in wd to the authorprimary or seco

ve response is a query by us

20410A: Installin

o support look

r, it uses only ae DNS server pconfigure the sr; then if the foot be found.

rver and recursroot hints to tin which the r

e query. The ne

which the serveritative server ondary copy o

one where thesing forwarder


kups for non-c

an iterative quroperties windserver using a orwarding serv

sive queries artry to resolve arequester asks ext topics discu

er returns an anthat manages

of a DNS zone.

e DNS server ts or root hints

Windows Server® 20

ontiguous dom

uery. If you seledow), the serve

forwarder, it wver does not a

re not the sama DNS query, wthe server to a

uss recursive q

nswer that it k the domain. A

that contains ts. Because the

012 7-11

mains

ect the er will will answer

e thing. whereas assume

queries

knows is A DNS

he answer

7-12 Implementing DNS

provided might not be accurate (because only the authoritative DNS server for the given domain can issue that information), it is called non-authoritative response.

If the DNS server is authoritative for the query’s namespace, the DNS server checks the zone and then does one of the following:

• Returns the requested address.

• Returns an authoritative “No, that name does not exist.”

Note: An authoritative answer can be given only by the server with direct authority for the queried name.

If the local DNS server is non-authoritative for the query’s namespace, then the DNS server does one of the following:

• Checks its cache and return a cached response.

• Forwards the unresolvable query to a specific server, called a forwarder.

• Uses well-known addresses of multiple root servers to find an authoritative DNS server to resolve the query. This process uses root hints.

Recursive Queries

In a recursive query the requester asks the DNS server to provide a fully resolved name before returning the answer. The DNS server may have to perform several queries to other DNS servers before it finds the answer.

A recursive query has two possible results:

• The DNS server returns the IP address of the host requested.

• The DNS server cannot resolve an IP address.

For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so, the DNS server in question will not attempt to forward its DNS requests to another server. This is useful when you do not want a particular DNS server to communicate outside its local network.

Iterative Queries

Iterative queries access domain name information that resides across the DNS system; by using them, you can resolve names across many servers quickly and efficiently. When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer with either the IP address for the domain name (if known), or with a referral to the DNS servers that are responsible for the domain being queried.

W

A quthcoac

Ofofolonaneimyo

Thmto

imw

C

A Dnam

C

InmA

p

What Is For

forwarder is aueries for extehat network. Yoonditional forwccording to sp

Once you desigorwarder, thenorward to it theocally. By usingame resolutionetwork, such a

mproves the efour network’s

he forwarder mmeans either yoo communicate

Best Pracmprove securitwhich ensures t

Conditional

conditional foNS domain naames ending w

multiple DNS se

onditional Fo

n Windows Sermoved to a nod

ctive Directory

Best Pracrovides for fas

rwarding?

a network DNSernal names toou also can crewarders to forwpecific domain

gnate a networ other DNS see queries that

g a forwarder, n for names ouas names on thfficiency of namcomputers.

must be able toou configure ite.

ctice: Use a cety because youthat no server w

Forwarder

orwarder is a Dame. For examwith corp.contoervers. This can

orwarding in W

rver 2008 R2 ade in the DNS y integration.

ctice: Use condter name reso

S server that fo DNS servers oeate and use ward queries names.

rk DNS server arvers in the nethey cannot reyou can manautside of your he Internet. Thme resolution

o communicatt to forward re

ntral forwardinu can isolate thwithin the net

DNS server on aple, you can coso.com to then be useful wh

Windows Serv

nd Windows Sconsole. You c

ditional forwarlution.

orwards outside

as a etwork esolve

age

is for

te with the DNequests to anot

ng DNS serverhe forwarding work is comm

a network thatonfigure a DN

e IP address ofhen you have m

ver 2008 R2 a

Server 2012, thcan replicate t

rders if you ha

20410A: Installin

NS server that ther DNS serv

r for Internet nDNS server in

municating dire

t forwards DNNS server to fof a specific DNmultiple DNS n

and 2012

he conditional his informatio

ave multiple in


is located on ter, or configur

name resolutio a perimeter n

ectly to the Int

S queries accorward all querS server, or to namespaces in

forwarder conn to other DN

nternal namesp

Windows Server® 20

the Internet. Tre it to use roo

on. This can network, ernet.

ording to the qries that it rece

the IP addresn a forest.

nfiguration hasNS servers thro

paces. This

012 7-13

his ot hints

query’s eives for ses of

s been ugh

7-14 Implemen

Ho

DNSorgait ta

WhesucctimetheidomTheonemodDNS

A cadata

In Win thMan

Theclienthe

Youavainot secu

Ho

TheServa roservservWiz

YoudomDiredurdom

OncManautoMan

WheDNStype

nting DNS

ow DNS Se

S caching increanization’s DN

akes to provide

en a DNS servcessfully, it adde, this builds air associated IPmains that the default time t

e hour. The zondifying the SOS zone.

aching-only sea; it only answ

Windows Servehe DNS Managnager. You can

DNS client cant-side cachinlocal DNS clie

u can prevent Dilable in Windobe overwritte

urity against ca

ow to Insta

DNS server rover 2012 by deole-based manver to performver role by usinzard in Server M

u can also add main controllerectory Domaining which you

main controller

ce you install tnager snap-in omatically to tnager from the

en you install tSCmd tool to se: dnscmd.exe

erver Cach

eases the perfoNS system by de DNS lookups

er resolves a Dds the name to cache of dom

P addresses fororganization uto keep a namne owner can c

OA record for th

erver is the ideers lookup req

er 2012, you cager console. Wn also delete si

ache is a DNS cg, at a comma

ent cache. If yo

DNS client cacows Server 200n for the duratache poisoning

all the DNS

ole is not instaefault. Instead,ner when you the role. You

ng the Add RoManager.

the DNS server Options pag

n Services Insta promote your.

he DNS serverbecomes avai

the Server Mane run window

the DNS servescript and autoe /?

ing Works

ormance of thdecreasing the s.

DNS name o its cache. Ov

main names anr most of the uses or accesse

me in the cachechange this byhe appropriate

al type of DNSquests for DNS

an access the cWhen you enabingle entries (o

cache that the and-line prompou need to clea

hes from bein08 R2 and Wintion of the timg attacks.

S Server Ro

lled on Windo you must addconfigure theinstall the DN

oles and Featur

er role from thge of the Activeallation Wizardr server to a

r role, the DNSlable to add tonager console by typing dns

er role, the dnsomate DNS co

s

e time

ver d

es. e is y e

S server to useS clients.

content of DNble this view, cor the entire ca

DNS client sept run the ipcoar the local cac

g overwritten ndows Server 2

me to live (TTL)

ole

ows d it in e S res

he e

d,

S o your adminisand to the DN

smgmt.msc.

scmd.exe comonfiguration. Fo

e as a forwarde

S server cachecached contentache) from DN

rvice stores ononfig /displayche, you can u

with the DNS 2012. When en) value. Cache

strative consolNS Manager co

mmand-line toor help with th

er. It will not h

e by selecting tt displays as a

NS server cach

n the local comydns comman

use ipconfig /f

Cache Lockinnabled the caclocking provid

les. The snap-ionsole. You ca

ol is also addehis tool, at the

ost any DNS z

the Advanced node in DNS e.

mputer. To viewnd. This will disflushdns.

g feature whicched records wdes improved

in is added an run the DNS

ed. You can usee command pro

zone

view

w splay

ch is will

S

e the ompt,


To administer a remote DNS server, add the Remote Server Administrative tools to your administrative workstation, which must be running a Windows Vista SP1 or newer Windows operating system.

Demonstration: Installing the DNS Server Role

In many scenarios you will want to have more than one DNS server on your network. You can install additional DNS servers by using Server Manager console. If you want to enable your DNS server to resolve Internet names, you will probably want to enable forwarding.

Demonstration Steps

Install a second DNS server

1. On LON-SVR1, open Server Manager.

2. Start the Add Roles and Features Wizard.

3. Add the DNS Server role.

Configure Forwarding

• Configure the DNS Server with a forwarder on IP address 172.16.0.10.

7-16 Implemen

Lesson 3Manag

DNSotheconless

LesAfte

•

•

•

•

Wh

The

•

•

•

•

Pri

WhezoninfomasAD zonstor

SecWhezonhostzonseconon

Stu

A stidennamsepa

nting DNS

3 ging DNS service is a ker services wittroller promoton, you will lea


Describe DNS

Describe dyna

Describe Acti

Describe how

hat Are DN

four DNS zon

Primary

Secondary

Stub

Active Directo

mary zone

en a zone thate, the DNS ser

ormation abouster copy of zoDS. When the e_name.dns, ared in AD DS, t

condary zonen a zone thate information.ts the zone. The information.ondary zone can-Windows DN

ub zone

tub zone is a rentify that zonemespaces, whicarate DNS nam

NS Zonekey service for hin the netwotion. The DNS arn about Acti


S zone types.

amic updates.

ve Directory-in

w to create an A

NS Zone Ty

ne types are:

ory–integrated

t a DNS serverrver is the primt this zone, an

one data eitherDNS server stnd is located othis is the only

ne t a DNS server. The zone at this DNS server. Because a secannot be store

NS zones.

eplicated copye’s authoritativch might be nemespaces reso

es AD DS. Serverrk. You usuallyserver can theive Directory–i

ou will be able

ntegrated zon

Active Directo

ypes?

d

hosts is a primmary source fond it stores ther in a local file tores the zone on the server iy DNS server th

hosts is a secothis server mus must have necondary zone ed in AD DS. S

y of a zone thae DNS serversecessary whenlve names for

s and clients ay install a DNSen host zone dintegrated DN

to:

es.

ry-integrated

mary r

e or in in a file, the pn the %windir

hat has a writa

ondary zone, tst be obtainedetwork access tis a copy of a econdary zone

at contains onl. A stub zone ra corporate mclients in both

alike use DNS tS server with a data in an ActivNS zones.

zone.

primary zone fir%\System32\Dable copy of th

the DNS served from anotherto the remote primary zone es can be usef

ly those resouresolves name

merger requireh namespaces.

to locate domdomain contrve Directory d

ile by default iDns folder. Whhe database.

r is a secondarr remote DNS DNS server tothat another s

ful if you are re

rce records thaes between sepes that the DN

ain controllersroller during doatabase. In thi

is named hen the zone i

ry source for thserver that als

o receive updaserver hosts, theplicating data

at are necessaparate DNS S servers for tw

s and omain is

s not

he so ted

he a from

ry to

wo

A

•

•

ThU

A

If zo

W

A ticldyre

Thclofa du

•

•

•

Th

1.

2.

3.

InIncllo

Bym

stub zone con

The delega

The IP addr

he master servsually this is th

Active Direct

AD DS stores one. This enab

What Are D

dynamic updame. Dynamic uients that chanynamically regecords without

he Dynamic Hient service pef whether the DHCP server, uring the follo

When the cservice is st

When an IP

When an ad

he process of d

. The client izone then tintegrated

. Eventually, the zone. Tname serve

. If the zone then authe

n some configun this case you ient registers t

ookup) record.

y default, Windmodify this beh

nsists of the fo

ted zone’s SOA

ress of one or

vers for a stub he DNS server

tory–Integr

the zone, thenbles you to edit

Dynamic U

ate is an updaupdates are imnge locations gister and updat manual interv

ost Configuraterforms the regclient’s IP addor is fixed. The

owing events:

client starts antarted.

P address is co

dministrator ru

dynamic upda

dentifies a nathe name servzone, the clien

if the zone suhis is the prim

er for an Active

is configured nticates and re

urations, you mcan configure

that it is a (hos

dows operatinhavior in the cl

ollowing:

A resource rec

more master s

zone are one that is hosting

ated zone

n DNS can uset zone data on

Updates?

te to DNS in rmportant for D- they can ate their resouvention.

tion Protocol (gistration, regaress is obtainee registration o

d the DHCP cl

nfigured, adde

uns the comm

tes is as follow

me server ander refuses thent may have to

pports dynammary server for

e Directory–int

for secure dyne-sends the up

may not want ce the DHCP sest/address) rec

ng systems atteient IP configu

cord, NS resou

servers that yo

or more DNS g the primary z

e the multimasn more than on

eal NS

urce

(DHCP) ardless

ed from occurs

lient

ed, or changed

and-line comm

ws:

d sends an upde client’s updato do this sever

ic updates, thea standard, filetegrated zone

namic updatespdate.

clients to updarver to registecord, and the D

empt to registeuration, or thro

20410A: Installin

urce records, an

ou can use to u

servers that arzone for the d

ster replicationne DNS server

d on any netw

mand ipconfig

date. If the namte. If the zone ral times.

e client reachee-based zone .

s, the DNS serv

ate their recorr the records oDHCP server re

er their recordough Group P


nd A resource

update the stu

re authoritativdelegated dom

n model to repr simultaneous

work connectio

g /registerdn

me server hostis not an Activ

es a DNS serveor any domain

ver refuses the

rds even in a don the clients’ egisters the PT

ds with their Dolicy.

Windows Server® 20

records.

ub zone.

e for the childmain name.

plicate the primsly.

on.

ns.

ts only a seconve Directory–

er that can writn controller th

e change. The c

dynamic updatbehalf. By def

TR (pointer/rev

NS server. You

012 7-17

zone.

mary

ndary

te to hat is a

client

te zone. fault, a verse

u can

7-18 Implemen

Wh

In Lzonthe WheDire

Thezon

•

•

•

•

De

To cchacon

Dem

Cre

1.

2.

3.

4.

5.

6.

Cre

•

nting DNS

hat Are Ac

esson 1, you lee data in the ADNS server is en this happenectory–integrat

benefits of ane are significa

Multimasterprimary zoneby a single printegrated zowritable DC tThis builds reimportant in can update thprimary serve

Replication oDirectory repActive Directothan replicati

Secure dyna

Granular secyou to delegacontrol list (A

Question: Ca

emonstrati

create an Activnges in an Acttrollers throug

monstration

eate an Acti

On LON-DC1

Start the New

Create new A

Name the zon

Allow only se

Review record

ate a record

Create a New

ctive Direc

earned that DNAD DS databasan AD DS domns, this creatested zone.

n Active Directnt:

r updates. Unls —which canrimary server—ones can be wro which the zodundancy intogeographicallyheir DNS recorer.

of DNS zone dlication is attriory–integratedng the entire z

mic updates.

curity. As with ate administra

ACL) on the zon

an you think of

on: Creati

ve Directory intive Directory igh AD DS repli

n Steps

ve Director

1, open the DN

w Zone Wizard

Active Directory

ne Contoso.co

cure dynamic

ds in the new z

w Host record

tory-Integ

NS server canse provided thmain controlles an Active

tory–integrated

ike standard only be modi

—Active Directritten to by anyone is replicateo the DNS infray distributed ords without ha

data by usingibute-level repd zone can levezone file as in

An Active Dire

other Active Dtion of zones, ne.

f any disadvan

ng an Acti

ntegrated zoneintegrated zonication mecha

y–integrate

NS Manager co

.

y–integrated f

om.

updates.

zone.

in Adatum.co

grated Zon

store hat r.

d

fied ory–y ed. astructure. In aorganizations taving to conne

g AD DS replicplication in wherage these betraditional DN

ectory–integra

Directory objedomains, and

ntages to storin

ive Directo

e, you must insne are replicatenism.

ed zone

onsole.

forward lookup

m zone named

nes?

addition, Multthat use dynamect to a potent

cation. One oich only changenefits of Activ

NS zone transfe

ated zone can

cts, an Active resource reco

ng DNS inform

ory–Integr

stall DNS serveed to all other

p zone.

d www which

timaster updatmic update zotially geograph

f the characteged attributes ve Directory reer models.

enforce secure

Directory-inteords by modify

mation in AD D

rated Zone

er on a Domair DNS servers o

points to 172

tes are particunes, because chically distant

ristics of Activare replicated

eplication, rath

e dynamic upd

egrated zone aying the access

DS?

e

n Controller. Aon domain

2.16.0.100.

larly clients

e d. An her

dates.

llows s

All


Verify replication to a second DNS server

• Verify that new record is replicating to the LON-SVR1 DNS server.


Lab: Implementing DNS Scenario

A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows 2012 Server infrastructure with Windows 8 clients. You need to configure the infrastructure service for a new branch office.

Your manager has asked you to configure the domain controller in the branch office as a DNS server. You have also been asked to create some new host records to support a new application that is being installed. Finally, you need to configure forwarding on the DNS server in the branch office to support Internet name resolution.

Objectives After completing this lab you will be able to:

• Install and configure DNS.

• Create host records in DNS.

• Manage the DNS server cache.

Lab Setup


Logon Information

Virtual Machines 20410A-LON-DC1 20410A-LON-SVR1 20410A-LON-CL1


Password Pa$$w0rd








o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.

Exercise 1: Installing and Configuring DNS

Scenario

As part of configuring the infrastructure for the new branch office, you need to configure a DNS server that will provide name resolution for the branch office. The DNS server in the branch office will also be a


domain controller. The Active Directory-integrated zones required to support logons will be replicated automatically to the branch office.


1. Configure LON-SVR1 as a domain controller without installing the DNS server role.

2. Review configuration settings on the existing DNS server to confirm root hints.

3. Add the DNS server role for the branch office on the domain controller.

4. Verify replication of the Adatum.com Active Directory–integrated zone.

5. Use NSLookup to test non-local resolution.

6. Configure Internet name resolution to forward to the head office.

7. Use NSLookup to confirm name resolution.

Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role 1. Use Add roles and features task in Server Manager to add the Active Directory Domain Services

role to LON-SVR1.

2. Start the wizard to promote LON-SVR1 to domain controller.

3. Choose to add LON-SVR1 as additional domain controller in Adatum.com domain.

4. Do not install DNS Server.

Task 2: Review configuration settings on the existing DNS server to confirm root hints 1. On LON-DC1, open the DNS Manager console.

2. In DNS Manager, open the Properties window of LON-DC1.

3. Review root hints and forwarder configuration.

Task 3: Add the DNS server role for the branch office on the domain controller • Use Server Manager to add the DNS Server role to LON-SVR1.

Task 4: Verify replication of the Adatum.com Active Directory–integrated zone 1. On LON-SVR1, open the DNS Manager console.

2. Expand Forward Lookup Zones, and verify that the Adatum.com and _msdcs.Adatum.com zones are replicated.

If you do not see these zones, open Active Directory Sites and Services, and force replication between LON-DC1 and LON-SVR1, and then try again.

Task 5: Use NSLookup to test non-local resolution 1. On LON-SVR1, on Local Area Connection Network Adapter, in the preferred DNS server field,

remove the IP address 172.16.0.10.

2. Make 127.0.0.1 the preferred DNS server for LON-SVR1.

3. Open a command prompt window on LON-SVR1, and start nslookup.

4. Try to resolve www.nwtraders.msft with nslookup.

5. You will receive negative reply (this is expected).


Task 6: Configure Internet name resolution to forward to the head office 1. On LON-SVR1, open the DNS Manager console.

2. Configure a forwarder for LON-SVR1 to be 172.16.0.10.

Task 7: Use NSLookup to confirm name resolution • On LON-SVR1, in a command prompt window, start nslookup and try to resolve

www.nwraders.msft. You should get reply and IP address.

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.

Exercise 2: Creating Host Records in DNS

Scenario Several new web-based applications are being implemented in the head office. Each application requires that you configure a host record in DNS. You have been asked to create the new host records for these applications.


1. Configure a client to use LON-SVR1 as a DNS server.

2. Create several host records in the Adatum.com domain for web apps.

3. Verify replication of new records to LON-SVR1.

4. Use the ping command to locate new records from LON-CL1.

Task 1: Configure a client to use LON-SVR1 as a DNS server 1. Log on to LON-CL1 as Adatum\Administrator using the password Pa$$w0rd.

2. Open Control Panel.

3. Open the Properties window for the Local Area Network Connection adapter.

4. Configure preferred DNS server to be 172.16.0.21.

Task 2: Create several host records in the Adatum.com domain for web apps 1. On LON-DC1, open DNS Manager.

2. Navigate to the Adatum.com forward lookup zone.

3. Create new record named www with IP address 17.16.0.100.

4. Create new record named ftp with IP address 172.16.0.200.

Task 3: Verify replication of new records to LON-SVR1 1. On LON-SVR1, open DNS Manager.

2. Navigate to the Adatum.com forward lookup zone.

3. Ensure that records www and ftp display. (You might have to refresh the Adatum.com zone for these records to appear.)

Task 4: Use the ping command to locate new records from LON-CL1 1. On LON-CL1, open a command prompt window.

2. Ping www.adatum.com. Ensure that ping resolves this name to 172.16.0.100.


3. Ping ftp.adatum.com. Make sure that ping resolves this name to 172.16.0.200.

Results: After completing this exercise, you will have configured DNS records.

Exercise 3: Managing the DNS Server Cache

Scenario After you changed some host records in zones configured on LON-DC1, you noticed that clients that use LON-SVR1 as their DNS server, still get old IP addresses during name resolving process. You want to make sure which component is caching this data.


1. Use the ping command to locate Internet record from LON-CL1.

2. Update Internet record to point to the LON-DC1 IP address, retry the location using ping.

3. Examine the content of the DNS cache.

4. Clear the cache, and retry ping.

Task 1: Use the ping command to locate Internet record from LON-CL1 1. On LON-CL1, open a command prompt window.

2. Use ping to locate www.nwtraders.msft.

3. Ensure that name resolves to an IP address. Document the IP address.

Task 2: Update Internet record to point to the LON-DC1 IP address, retry the location using ping 1. On LON-DC1, open the DNS Manager console.

2. Navigate to the nwtraders.msft forward lookup zone.

3. Change the IP address for the record www to be 172.16.0.10.

4. From LON-CL1, ping www.nwtraders.msft

5. Note that you will still have this record resolved with old IP.

Task 3: Examine the content of the DNS cache 1. On LON-SVR1, in the DNS Manager console, enable Advanced View.

2. Browse the content of the Cached Lookups container.

3. On LON-CL1, in a command prompt window, type ipconfig /displaydns.

4. Examine the cached content.

Task 4: Clear the cache, and retry ping 1. Clear the cache on the LON-SVR1 DNS Server.

2. Retry the ping to www.nwtraders.msft on LON-CL1 (The result will still return the old IP address.)

3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns in a command prompt window.

4. On LON-CL1, retry ping to www.nwtraders.msft. (The result should work.)


Results: After completing this exercise, you will have DNS Server cache examined.

To prepare for next module After you finish the lab, revert the virtual machines to their initial state.




4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.



Question: You are troubleshooting DNS name resolution from a client computer. What must you remember to do before each test?

Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider when planning the DNS configuration?

Question: What benefits do you realize by using forwarders?

Best Practices:

When implementing DNS, use the following best practices:

• Always use host names instead of NetBIOS names.

• Use forwarders rather than root hints.

• Be sure to be aware of potential caching issues when troubleshooting name resolution.

• Use Active Directory-integrated zones instead of primary and secondary zones.



Client can sometimes cache invalid DNS records.

DNS Server performs slowly.

Tools

Name of tool Used for Where to find it

DNS Manager console Manage DNS server role Administrative Tools

NSLookup command line tool Troubleshoot DNS Command line utility

Ipconfig command line tool Troubleshoot DNS Command line utility

8-1

Module 8 Implementing IPv6


Lesson 1: Overview of IPv6 8-2

Lesson 2: IPv6 Addressing 8-8

Lesson 3: Coexistence with IPv4 8-13

Lesson 4: IPv6 Transition Technologies 8-17

Lab: Implementing IPv6 8-22


Module Overview

IPv6 is a technology that helps the Internet support a growing user base and an increasingly large number of IP-enabled devices. The current IPv4 has been the underlying Internet protocol for almost thirty years. Its robustness, scalability, and limited feature set is now challenged by the growing need for new IP addresses. This is due in large part to the rapid growth of new network-aware devices.

Objectives


• Describe the features and benefits of IPv6.

• Describe IPv6 addressing.

• Describe IPv6 coexistence with IPv4.

• Describe IPv6 transition technologies.

8-2 Implement

Lesson Overvi

IPv6Vist

It is IPv6

LesAfte

•

•

•

Be

IPv6anddesc

Lar

ThemucA 32pos2128 340456addprov

Hie

Theare opt

StaIPv6disccon

Req

Thepaymetprot

ing IPv6

1 iew of I6 has been inca. The use of I

important for6 into those ne


Describe the

Describe the

Describe the

nefits of IP

6 support is inc Windows 8. Tcribes why IPv

rger address

IPv6 address ch larger than 2-bit address ssible addresseor ,282,366,920,9 (or 3.4x1038 o

dresses. As the vides for the re

erarchical ad

IPv6 address many more adimization.

ateless and s6 has auto-concover router infiguration. A s

quired supp

IPv6 standardload (ESP) heathods and cryptect IPv6 pack

Pv6 luded with WiPv6 is becomi

r you to underetworks. This le


benefits of IPv

differences be

IPv6 address s

Pv6

cluded in WindThe following lv6 is being imp

s space

space is 128-bthe 32-bit add

space has 232 os; a 128-bit ad

938,463,463,37or 340 undecill

Internet contiequired larger

ddressing a

space is designddresses, route

stateful addnfigure capabiformation so t

stateful addres

port for Inte

ds require suppaders that are dptographic algets. This guara

ndows clients ng more comm

stand how thisesson discusse

ou will be able

v6.

etween IPv4 an

space.

dows Server 20ist of benefits

plemented.

bit, of which is dress space in or 4,294,967,29ddress space h

74,607,431,768ion) possible nues to grow, r address space

nd routing

ned to be morers can proces

dress configlity without Dythat hosts can s configuratio

ernet Protoc

port for the Audefined by IPs

gorithms are noantees the ava

and servers stmon on corpo

s technology aes the benefits

to:

nd IPv6.

012

IPv4. 96 as

8,211,

IPv6 e.

infrastructu

re efficient for s data much m

guration ynamic Host Caccess the Intn is when you

col security

uthentication Hsec. Although sot specified, IPilability of IPse

tarting with Worate networks

affects current of IPv6, and h

ure

routers, whichmore efficiently

Configuration Pternet; this is re use the DHCP

y (IPsec)

Header (AH) asupport for spPsec is definedec on all IPv6 h

Windows Servers and parts of t

networks, andhow it differs fr

h means that ey because of a

Protocol (DHCeferred to as aPv6 protocol.

nd encapsulatpecific IPsec aud from the starhosts.

r 2008 and Winthe Internet.

d how to integrom IPv4.

even though taddress

CP), and it can a stateless add

ting security thentication

rt as the way to

ndows

grate

here

ress

o

E

OtrIPapor

P

Aasinde

Im

IPcayo

Ex

IP

D

WunHalexth

IPthhidaenanan

IP

Th

nd-to-end c

One of the desiranslation mecPv6 hosts can cpplications sucrganizations m

Prioritized d

n IPv6 packet ssigned a priorn a timely manelivery is time-

mproved su

Pv6 has much ban use the autou can connec

xtensibility

Pv6 has been d

Differences

When the IPv4 nimaginable thowever, due tolocation practxplosion of Inthat a replacem

Pv6 addresses whe address spaierarchical rouay Internet topnough bits to nd flexibility fond routing. Th

Pv4 and IPv

he following ta

IPv4

Source and dbits (4 bytes)

IPsec supportincludes suppWindows 200systems, but ivendors.

communica

gn goals for IPhanisms such communicate dch as video con

may choose to

elivery

contains a fielrity. For exampner. You can s-sensitive.

upport for si

better supportomatic configuct and share in

designed so th

s Between

address space hat it could evo changes in ttice that did noternet hosts, , i

ment would be

were made 12ce can be subting domains pology. With 1create multiplor designing hese are feature

v6 Comparis

able highlights

estination addlong.

t is optional. Mport for IPsec i00 and newer oit is not implem

tion

Pv6 is to providas network addirectly with enferencing andcontinue usin

d that specifieple, when you set this field to

ingle-subne

t of automatic uration featureformation.

at developers

IPv4 and

was designedver be exhaustetechnology andot anticipate thit was clear by necessary.

28 bits long so divided into that reflect mo

128 bits there ae levels of hierierarchical addes that are cur

son

s the differenc

dresses are 32

Microsoft n the Microsooperating mented by all

de sufficient address translatieach other oved other peer-tg translation m

es how fast theare streaming

o ensure that n

et environm

configurationes in IPv6 to cr

can extend it

IPv6

d, it was ed. d an he 1992

that

odern-are rarchy, dressing rrently lacking

ces between IP

IPv6

Source (16 byte

ft® IPsec suoperatinsupport

20410A: Instal

ddress space sion (NAT). This

er the Internet.to-peer applicamechanisms as

e packet shoulg video traffic, network device

ments

n and operatioreate tempora

with much few

on the IPv4-b

Pv4 and IPv6.

and destinatioes) long.

upport is requing system impt IPsec.


so that you dos simplifies com. This also simpations. Howevs a security me

d be processeit is critical tha

es determine t

n on single suary ad-hoc net

wer constraints

based Internet.

on addresses a

red. Any devicplementing IPv

g Windows Server®

o not have to ummunication bplifies support ver, many easure.

d; so traffic caat the packets hat the packet

bnet networkstworks through

s than IPv4.

.

re 128 bits

ce or v6 must

2012 8-3

use because for

an be arrive

t

s. You h which


IPv4 IPv6

The IPv4 header contains no identification of packet flow for Quality of Service (QoS) handling by routers.

Packet-flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field.

Fragmentation is done by both routers and the sending host.

Fragmentation is not done by routers, only by the sending host.

Header includes a checksum. Header does not include a checksum.

Header includes options. All optional data is moved to IPv6 extension headers.

Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.

ARP Request frames are replaced with multicast Neighbor Solicitation messages.

Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.

IGMP is replaced with Multicast Listener Discovery (MLD) messages.

Internet Control Message Protocol (ICMP) Router Discovery—which is optional—is used to determine the IPv4 address of the best default gateway.

ICMP Router Discovery is replaced with required ICMPv6 Router Solicitation and Router Advertisement messages.

Broadcast addresses are used to send traffic to all nodes on a subnet.

There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.

Must be configured either manually or through DHCP.

Does not require either manual configuration or DHCP.

Uses host (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses.

Uses IPv6 host (AAAA) resource records in DNS to map host names to IPv6 addresses.

Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.

Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.

Must support a 576-byte packet size (possibly fragmented).

Must support a 1280-byte packet size (without fragmentation).

IPv6 Equivalents to IPv4

The following table shows IPv6 equivalents to some common IPv4 addresses.

IPv4 Address IPv6 Address

Unspecified address 0.0.0.0 Unspecified address is ::

Loopback address is 127.0.0.1 Loopback address is ::1

Autoconfigured addresses (169.264.0.0/16) Link-local addresses (FE80::/64)

IP

Thmexasreas

11oc

Hanar

20

Thhobew

H

Insyfode

co

Tocofoth

•

•

•

•

To1.ze

IPv4 Address

Broadcast add

Multicast add

Pv6 Addre

he most distinmuch larger addxpressed in fous 192.168.1.1. epresents a bins follows:

1000000.10101ctets = 32 Bi

owever, an IPvn IPv4 addressre expressed in

001:DB8:0:2F

his might seemosts and will raetween binary

with subnets, an

Hexadecima

n the hexadeciymbols for eacor the hex systeecimal numbe

Note: Youonvert betwee

o convert an IPonvert each ofour bits at a timhe right and m

the first bit

the second

the third bi

the fourth b

o calculate the. In the exampero. Therefore,

dresses

dresses (224.0.0

ess Space

guishing featudresses. IPv4 aur groups of dEach groupingnary octet. In b

1000.0000000its)

v6 address is fos. Because of thn hexadecimal

3B:2AA:FF:FE

m complex for arely type IPv6y and hexadecind calculating

l Numberin

mal numberinch position. Beem; hence, the

er 16.

u can use the Cen binary, decim

Pv6 binary addf these eight bme. You should

moving left. Tha

[0010] is assig

bit [0010] is a

t [0010] is assi

bit [0010] bit i

e hexadecimal ple of 0010, the, the hex value

0.0/4)

ure of IPv6 is itaddresses are ecimal numbe

g of numbers binary, 192.168

1.00000001 (

our times largehis, IPv6 addre (hex).

28:9C5A

end users, but6 addresses maimal than it is thosts and net

ng System (B

g system, somcause 10 symbe letters A thro

Calculator appmal, and hexad

dress that is 12locks of 16 bitd number eachat is:

gned the value

assigned the va

igned the valu

s assigned the

value for this e only bit that e of this sectio

IPv6 Ad

Not ap

IPv6 m

ts use of

ers, such

8.1.1 is

4

er than esses

t the assumptianually. The IPto convert bettworks.

Base 16)

me letters reprebols (0 throughough F are use

plication includdecimal numb

28 bits long, yots into four hexh section of fo

e of 1.

alue of 2.

ued of 4.

e value of 8

section of fouis set to 1 is thn of four bits i

20410A: Instal

ddress

pplicable in IPv

ulticast addres

ion is that usePv6 address in tween binary a

esent numbersh 9) already ex

ed. The hexade

ded with Windbers.

ou break it intx characters. F

our binary num

r bits, add up he bit assignedis 2.


v6

sses (FF00::/8)

rs will rely on hex is also eas

and decimal. T

s because, therxist, there musecimal number

dows Server 20

o eight blocksFor each of thembers 1, 2, 4, a

the value of ed the value 2. T

g Windows Server®

DNS names tosier to convertThis simplifies w

re must be 16 st be six new syr 10 is equal to

012 to

s of 16 bits. Yoe blocks, you end 8, starting

ach bit that is The rest are se

2012 8-5

o resolve t working

unique ymbols o the

ou then evaluate from

set to et to


Converting From Binary to Hexadecimal

The following table describes converting 8-bits of binary into hexadecimal:

[0010][1111]

Binary 0010 1111

Values of each binary position 8421 8421

Adding values where the bit is 1 0+0+2+0=2 8+4+2+1=15 or hexadecimal F

The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary numbers represents one IP address:

0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010

The 128-bit address is now divided along 16-bit boundaries (eight blocks of 16 bits):

0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010

Each block is further broken into sections of four bits. The following table shows the binary and corresponding hexadecimal values for each section of four bits:

Binary Hexadecimal

[0010][0000][0000][0001] [2][0][0][1]

[0000][1101][1011][1000] [0][D][B][8]

[0000][0000][0000][0000] [0][0][0][0]

[0010][1111][0011][1011] [2][F][3][B]

[0000][0010][1010][1010] [0][2][A][A]

[0000][0000][1111][1111] [0][0][F][F]

[1111][1110][0010][1000] [F][E][2][8]

[1001][1100][0101][1010] [9][C][5][A]

Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as follows:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A


Compressing Zeros

When multiple contiguous zero blocks occur, you can compress these and represent them in the address as a double-colon (::); this further simplifies the IPV6 notation. The computer recognizes “::” and substitutes it with the number of blocks necessary to make the appropriate IPv6 address.

In the following example, the address is expressed using zero compression:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 0 bits are represented by the “::”, you can count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located.

You can use zero compression only once in a given address. If you use it twice or more, then there is no way to show how many 0 bits are represented by each instance of the double-colon (::).

To convert an address into binary, use the reverse of the method described previously:

1. Add in zeros using zero compression.

2. Add leading zeros.

3. Convert each hex number into its binary equivalent.

8-8 Implement

Lesson 2IPv6 A

An eusedtrouadd

LesAfte

•

•

•

•

•

IPv

Likeis diaddorde128IP spare

Intemanaddalso

IPv

The

Al

Re

G

Li

Uad

M

The

ing IPv6

2 Addressi

essential part od. This allows yubleshooting. Ydress to ensure


Describe IPv6

Describe Unic

Describe zone

Describe add

Configure IPv

v6 Prefixes

e the IPv4 addrivided by alloc

dress space for er bits (bits tha-bit IPv6 addrpace. The highknown as a fo

ernet Assignednages IPv6, an

dress space willo specified the

v6 Format P

following tab

location

eserved

lobal unicast a

nk-local unica

nique local unddresses

Multicast addre

remaining IPv

ng of working wityou to understYou also need

e that hosts are


6 prefixes.

cast IPv6 addre

e IDs.

ress autoconfi

v6 client settin

s

ress space, thecating portionsvarious IP fun

at are at the bess) define are

h-order bits anrmat prefix.

Numbers Autd has defined l be divided informat prefixe

refixes

le shows the I

addresses

ast addresses

nicast

esses

v6 address spa

th IPv6 is undetand the overa to understande properly con

ou will be able

ess types.

guration for IP

gs on a netwo

e IPv6 address s of the availab

nctions. The higeginning of th

eas statically innd their fixed v

thority (IANA) how the IPv6

nitially. IANA hes.

Pv6 address-sp

Prefix binary

0000 0000

001

1111 1110 1

1111 1100

1111 1111

ace is unassign

erstanding theall communicad the processefigured.

to:

Pv6.

ork host.

space ble gh-he n the values

as

pace allocation

y value Pva

-

2

1000 F

F

F

ed.

e different addation process bes available for

n by format pr

refix hexadecalue

-

2 or 3

FE8

FD

FF

ress types andbetween IPv6 hr configuring a

refixes.

imal Fracspac

1/2

1/8

1/1

1/2

1/2

d when they arhosts and perfa host with an

ction of the adce

256

8

1024

256

256

re form IPv6

ddress

IP

ThpCFo

U

A asThhaIPaddi

Thbebithan

G

GSefie

•

•

•

•

Li

Alo

Pv6 Prefixes

he prefix is therefix’s bits. Prelassless Interdoor example, 20

Note: IPv

Unicast IPv

unicast IPv6 assigned to a sihis is equivalenas several type

Pv4, computersddresses. Diffeifferent purpo

he bits in unicaetween netwoits are the netwhe host ID. By dn IPv6 address

Note: The

Global Unica

lobal unicast aervice Provideelds in the glo

Fixed portassigned gl

Global rouThe combinsite prefix, won the IPv6organizatio

Subnet ID.16 bits. Themultiple lev

Interface Isize is 64 biwas based oaddress wa

ink-Local U

ll IPv6 hosts haocal address is

s

e part of the adefixes for IPv6 somain Routing001:DB8::/48 a

6 does not use

v6 Address

address is an IPngle interface nt to unicast aes of unicast ads typically have

erent address tses.

ast IPv4 addreork ID and intework ID, and tdefault, the ints is randomly g

e interface ID i

ast Addresse

addresses are er (ISP). They arbal unicast ad

ion set to 001obal addresse

uting prefix. Tnation of the twhich is assign

6 Internet thenon’s site.

The Subnet IDe organizationvels of address

D. The Interfacits. This is eitheon the Media s bound.

nicast Addr

ave a link-locaautomatically

ddress that indsubnets, routeg (CIDR) notatnd 2001:DB8:0

e subnet mask

s Types

Pv6 address thin a single comddresses in IPvddresses, and e multiple IPv6types are used

esses are split erface ID: the fihe second 64 terface ID port

generated.

in IPv6 is equiv

es

equivalent to pre routable anddress are:

1. The three hies is 2000::/3. T

This field identthree fixed bitsned to an organ forward IPv6

D is used withi’s site can use sing hierarchy,

ce ID identifieser randomly gAccess Contro

resses

al address thatgenerated an

dicates the bitses, and addressions. An IPv6 p0:2F3B::/64 are

ks.

hat is mputer. v4. IPv6 unlike 6 for

evenly rst 64 bits are tion of

valent to the I

public IPv4 add reachable gl

igh-order bits Therefore, all g

ifies the globas and the 45-banization’s indtraffic that ma

n an organizathese 16 bits w and an efficie

s the interfaceenerated, or a

ol (MAC) addre

is used for cod non-routabl

20410A: Instal

s that have fixs ranges are exprefix is writtee IPv6 address

Pv4 host ID as

dresses that alobally on the

are set to 001global unicast a

al routing prefibit global routiividual site. Onatches the 48-

tion’s site to idwithin its site tent routing inf

e on a specific assigned by DHess of the netw

ommunication le. In this way,


xed values, or txpressed in then in address/pprefixes.

s discussed in M

re available froIPv6 portion o

1. The address addresses beg

ix for a specificing prefix is usnce the assign-bit prefix to th

dentify subnetto create 65,53frastructure.

subnet within HCPv6. In the work interface

only on the lo link-local add

g Windows Server®

that are the sue same way as

prefix-length n

Module 5.

om an Interneof the Internet

prefix for currgin with either

c organizationsed to create ament occurs, rhe routers of t

ts. This field’s s36 subnets, or

the site. This fpast, the Interfcard to which

ocal subnet. Thdresses are sim

2012 8-9

bnet s IPv4 notation.

t t. The

rently 2 or 3.

n’s site. a 48-bit routers he

size is

field’s face ID the

he link-milar to

8-10 Implemen

IPv4of IP

Linkbroaadd

The

Un

Uniqwith

IPv4comcoma m

To astrugenensu

Theaddflagthe

Zo

Eachthe linkintecoma zozon

Add

Eachwill negexamfor t

EachaddIPv6exam

fe80

nting IPv6

4 Automatic PrPv6 communic

k-local addressadcasts. For ex

dition, link-loca

prefix for link

ique Local U

que local addrhin an organiz

4 private IP admpanies used tmmunicate dire

erger or a buy

avoid the duplcture allocates

nerated. The likures that each

first seven bitdresses have th

value set to 0address prefix

ne IDs

h IPv6 host hahost has mult-local address

erface. To allowmmunication oone ID is addede ID is used in

ress%zone_ID

h sending hostassociate with

gotiation of zomple, on the sthe zone ID on

h interface in adition to physic6 hosts use themple, the inte

0::2b0:d0ff:

rivate IP Addrecation.

ses are used foxample, link-loal addresses ar

k-local address

Unicast Add

resses are the ation, but not

dresses were ahe same addreectly. It also cayout.

lication probles 40-bits to ankelihood of tw organization

ts of the organhe address pref0 has not yet bx of FD::/8.

s a single link-iple network inis reused on e

w hosts to idenon each uniqued to the link-lo the following

t determines th each interfacne ID betweensame network, n its interface.

a Windows-bacal network cae interface inderface ID for th

fee9:4143%3

essing (APIPA)

or communicatocal addresses re used for nei

ses is always FE

dresses

IPv6 equivalenon the Interne

a relatively smaess space. This

aused problem

ems experiencen organization o randomly gehas a unique a

nization identiffix of FC00::/7.

been defined. T

-local address.nterfaces, the each network ntify link-local e network inteocal address. A format:

the zone ID thae. There is no

n hosts. For host A might

ased host is assrds, interfacesex of an interfe network card

addresses. Ho

tion in many sare used whenghbor discove

E80::/64. The fi

nt of IPv4 privaet.

all part of the s caused probl

ms when mergi

ed with IPv4 pidentifier. The

enerated 40-baddress space.

fier have the fi. The Local (L) Therefore, uniq

If same

rface, A

at it

use 3 for the z

signed a uniqu also include loace as the zond is 3.

owever, a link-

scenarios whern communicatery which is the

inal 64-bits are

ate addresses.

overall IPv4 adems when sepng the networ

private addresse 40-bit organbit identifies be.

ixed binary valflag is set 1 to

que local addr

zone ID on its

ue interface indoopback and t

ne ID for that i

-local address

re IPv4 would ting with a DHe IPv6 equival

e the interface

These address

ddress space, aparate organizrks of two orga

ses, the IPv6 unization identifeing the same

lue of 1111110o indicate a locresses with the

interface, and

dex, which is atunnel interfacnterface. In th

is an essential

have used HCPv6 server. Ient of ARP in

e identifier.

ses are routab

and many ations tried toanizations foll

nique local adier is randomlyare very small

0. All unique local address. Ane L flag set to 1

d host B might

an integer. In ces. Windows-

he following

part

n IPv4.

le

o owing

dress y l. This

ocal n L 1 have

use 6

-based

p

A

Inpseimis

A

Dholifadst

•

•

•

•

•

TTy

•

•

•

St

Wthse

Wdi

Note: Yourompt. This wi

Address Au

n most cases, yrovide IPv6 hoeveral ways aumplemented. Y

performed by

Autoconfigu

uring autoconost goes throufecycle of the ddresses are intates:

Tentative. Duplicate acannot rece

Valid. In thtraffic.

Preferred. and from it

Deprecatecommunica

Invalid. In

ypes of Autypes of autoco

Stateless. Aincludes a r

Stateful. CDHCPv6 to configuratio

o It recei

o There a

Both. Conf

tateful Con

With stateful cohere are any spervers—then a

When IPv6 atteifferent than w

u can view thell display the l

utoconfigu

you will use auosts with an IPvtoconfiguratio

You control hoy using a type

ured Addres

nfiguration theugh several staIPv6 address. An one or more

In the tentativaddress detecteive unicast tra

he valid state, t

In the preferret.

d. In a deprecaation.

the invalid sta

toconfiguraonfiguration in

Address configrouter prefix b

onfiguration isobtain addres

on when:

ves instruction

are no routers

figuration is ba

figuration

onfiguration, opecific scope o DHCPv6 serve

mpts to commwith IPv4, whic

e zone ID of a ocal IP configu

uration for

toconfiguratiov6 address. Thon can be ow autoconfiguof autoconfigu

ss States

e IPv6 address ates that defineAutoconfigureof the followi

ve state, verificion performs vaffic.

the address ha

ed state, the a

ated state, the

te, the addres

ation nclude:

guration is onlybut does not in

s based on thesses and other

ns to do so in R

present on th

ased on receip

organizations coptions that yoer is necessary

municate with ah uses broadc

link-local addruration.

r IPv6

on to ere are

uration uration.

of a e the ed ng

cation is occurverification. W

as been verified

ddress enable

e address is val

s no longer all

y based on thenclude addition

e use of a stater configuration

Router Advert

e local link.

t of Router Ad

can control howou need to cony.

a DHCPv6 servast IPv4 addre

20410A: Installin

resses by typin

ring to determWhen an addres

d as unique, a

s a node to se

lid, but its use

lows a node to

e receipt of Ronal configurat

eful address con options. A ho

isement messa

dvertisement m

w IPv6 addresnfigure—such

ver, it uses muesses.


ng IPconfig at

mine if the addss is in the ten

nd can send a

end and receiv

is discouraged

o send or rece

outer Advertiseion options su

onfiguration post uses statefu

ages.

messages and

ses are assigneas the IPv6 ad

ulticast IPv6 ad

Windows Server® 20

t a command

dress is uniquetative state, a

nd receive uni

e unicast traffi

d for new

ive unicast tra

ement messaguch as DNS ser

rotocol such aul address

on DHCPv6.

ed using DHCPddresses of DN

ddresses. This is

012 8-11

. node

icast

ic to

ffic.

ges. This rvers.

as

Pv6. If NS

s


Demonstration: Configuring IPv6 Client Settings

In most cases, IPv6 is configured dynamically by using DHCPv6 or router advertisements. However, you can also configure IPv6 manually with a static IPv6 address. The process for configuring IPv6 is similar to the process for configuring IPv4.

Demonstration Steps

View IPv6 configuration by using IPconfig.

1. On LON-DC1, open a Windows PowerShell® prompt.

2. Use ipconfig to view the link-local IPv6 address on Local Area Connection.

3. Use the Get-NetIPAddress cmdlet to view network configuration.

Configure IPv6 on LON-DC1 1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the

Local Server.

2. Open the properties of Internet Protocol Version 6 (TCP/IPv6), and enter the following information:

o Use the following IPv6 address

o IPv6 address: FD00:AAAA:BBBB:CCCC::A

o Subnet prefix length: 64

o Use the following DNS server addresses

o Preferred DNS server: ::1

Configure IPv6 on LON-SVR1

1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the Local Server.

2. Open the properties window of Internet Protocol Version 6 (TCP/IPv6), and enter the following:

o Use the following IPv6 address

o IPv6 address: FD00:AAAA:BBBB:CCCC::15

o Subnet prefix length: 64

o Use the following DNS server addresses

o Preferred DNS server: FD00:AAAA:BBBB:CCCC::A

Verify IPv6 communication is functional

1. On LON-SVR1, open a Windows PowerShell prompt.

2. Use ipconfig to view the IPv6 address for Local Area Connection.

3. Use ping -6 to test IPv6 communication with LON-DC1.

4. Use ping -4 to test IPv4 communication with LON-DC1

LessonCoexi

Frus

Thleex

Le

A

•

•

•

•

W

WwDtoimkiin

•

•

•

•

•

CIPwfocous

n 3 istence rom its inceptise both IPv4 a

his lesson provesson also descxplains how D

esson Objec

fter completin

Describe IP

Describe m

Configure D

Explain IPv6

What Are N

When planningwhat types of n

escribing the no define their cmportant if youinds of tunnelsncluding the fo

IPv4-only only IPv4 (adoes not su

IPv6-only only IPv6 (adoes not suis not commphones and

IPv6/IPv4 Vista or late

IPv4 node.

IPv6 node.

oexistence occPv4 infrastructuwill achieve trueoreseeable futuonverted to IPvsing an IPv4-to

with IPon, IPv6 was dnd IPv6 for ma

vides an overvcribes the diffeNS resolves na

ctives

ng this lesson, y

P node types.

methods to pro

DNS to suppor

6 over IPv6 tun

Node Type

an IPv6 netwoodes or hosts nodes in the focapabilities onu use tunnelins require speciollowing:

node. A node and has only IPupport IPv6.

node. A node and has only IPupport IPv4. Thmon today. Hod handheld co

node. A nodeer use IPv4 and

. A node that i

. A node that i

curs when the ure, an IPv6 ine migration whure, you can acv6/IPv4 nodeso-IPv6 proxy o

Pv4 designed for loany years. Con

iew of the techerent node typames to IPv6 a

you will be ab

vide coexisten

rt IPv6.

nneling.

es?

ork, you shoulare on the netollowing ways the network. g, because cerfic node types

that implemePv4 addresses)

that implemePv6 addresses)his node is ablowever, it mighmputers, use t

that implemed IPv6 by defa

mplements IP

mplements IP

largest numbefrastructure, ohen all IPv4 nochieve practicas. IPv4-only noor translation g

ong-term coexnsequently, yo

hnologies thatpes and IP stacddresses and t

le to:

nce for IPv4 an

d know twork. helps This is rtain s,

ents ) and

ents ) and e to communiht become mothe IPv6 proto

ents both IPv4 ault.

v4. It can be a

v6. It can be a

er of nodes (IPor an infrastrucodes are conveal migration w

odes can commgateway.

20410A: Installin

xistence with IPu need to und

t support the tck implementathe various typ

nd IPv6.

icate only withore prevalent aocol exclusively

and IPv6. Win

an IPv4-only no

an IPv6-only no

Pv4 or IPv6 nocture that is a certed to IPv6-o

when as many municate with


Pv4; in most caderstand how t

two IP protocotions of IPv6. pes of IPv6 tra

h IPv6 nodes aas smaller deviy.

ndows Server 2

ode or an IPv6

ode or an IPv6

des) can commcombination oonly nodes. HoIPv4-only nodIPv6-only nod

Windows Server® 20

ases your netwthey coexist.

ols’ coexistenceFinally, this les

ansition techno

nd applicationices, such as ce

2008 and Wind

6/IPv4 node.

6/IPv4 node.

municate usingof IPv4 and IPvowever, for thees as possible

des only when

012 8-13

work will

e. This sson ologies.

ns, and ellular

dows

g an v6. You e are you are

8-14 Implemen

IPv

RathaddwithWinsimuIP laWinless

DuA dbegthroThislayeIPv6add

Du

DuaconprotUDP

DN

JustWheIPv6coex

•

•

•

regi

WheTheWin

Eachwhe

nting IPv6

v4 and IPv

her than replad IPv6 to their eh Windows Serndows operatinultaneous use ayer architectundows Server 2

efficient dual

al IP Layer Aual IP layer arc

ginning with Wough Windowss architecture cer protocols su6, and there arding any new p

al Stack Arc

al stack architetain separate itocol driver in P.

NS Infrastruc

t as DNS is useen IPv6 is adde6 name-to-addxistence are:

Host (A) reso

IPv6 host (AA

Reverse looku

Note: In moistered in DNS

en a name can client then se

ndows Server 2

h prefix has a en you ping a

v6 Coexiste

cing IPv4, mosexisting IPv4 nrver 2008 and ng systems supof IPv4 and IP

ure. The Windo2003 operatingstack architec

Architecturechitecture, was

Windows Vista, s Server 2012 acontains both ch as TCP and

re fewer files toprotocols in th

chitecture

ecture containsimplementatioWindows Serv

cture Requi

ed as a supported to the netwdress and addr

urce records fo

AAA) resource

up pointer (PT

ost cases, the IS dynamically.

n be resolved telects which ad2012 by using

precedence lehost, the ping

ence

st organizationnetwork. StartiWindows Vist

pport the Pv6 through a ows XP and g systems usedture.

e s implementedand continuinand WindowsIPv4 and IPv6

d User Datagrao maintain to e network-car

s both IPv4 anons of transpover 2003 and W

rements

ting service onwork, you needress-to-name r

or IPv4 nodes

records

R) resource re

Pv6 host (AAA

to both an IPv4ddress to use bthe Get-NetP

vel assigned tocommand wil

ns ng a,

dual

d a

d ng 8. Internet layer

am Protocol (Uprovide IPv6 crd configuratio

d IPv6 Internert layer protocWindows XP, c

n an IPv4 netwd to ensure tharesolution are

cords for IPv4

AA) resource re

4 and IPv6 addbased on prefixPrefixPolicy cm

o it. In most call use the IPv6

rs with a singleUDP). Dual stacconnectivity. IPon.

et layers, and hcols, such as TCcontains a sepa

work, it is also rat the records added. The D

and IPv6 nod

ecords that IPv

dress, both adx polices. You mdlet.

ases, IPv6 is praddress instea

e implementatck allows for ePv6 is also ava

has separate prCP and UDP. Tarate impleme

required on anthat are necesNS records tha

es

v6 nodes requ

ddresses are recan view the p

referred over Iad of the IPv4

tion of transpoasier migratioilable without

rotocol stacks Tcpip6.sys, the entation of TC

n IPv6 networkssary to suppoat are required

ire are

turned to the prefix policies

Pv4. For examaddress.

ort n to

that IPv6 P and

k. ort d for

client. in

ple,


The following table displays the typical prefix policies for Windows Server 2012.

Prefix Precedence Label Description

::1/128 50 0 IPv6 loopback

fc00::/7 45 13 Unique local

::/0 40 1 Default gateway

::ffff:0:0/96 10 4 IPv4 compatible address

2002::/16 7 14 6to4

2001::/32 5 5 Teredo

::/96 1 10 IPv4 compatible address (depreciated)

fec0::/10 1 11 Site local (depreciated)

3ffe::/16 1 12 6Bone (depreciated)

Additional Reading: For more information about prefix policies see http://technet.Microsoft.com/library/bb877985.

Demonstration: Configuring DNS to Support IPv6

Similar to IPv4 nodes, IPv6 nodes use dynamic DNS automatically-created host records. You can also manually create host records for IPv6 addresses. An IPv6 host (AAAA) resource record is a unique record type and different that IPv4 host (A) resource record.

Demonstration Steps

Configure an IPv6 host (AAAA) resource record

1. On LON-DC1, in Server Manager, open the DNS tool and browse to the Adatum.com forward lookup zone.

2. In DNS Manager, verify that IPv6 addresses have been registered dynamically for LON-DC1 and LON-SVR1.

3. Create a new host record in Adatum.com with the following settings:

o Name: WebApp

o IP address: FD00:AAAA:BBBB:CCCC::A

Verify name resolution for an IPv6 host (AAAA) resource record 1. On LON-SVR1, if necessary, open a Windows PowerShell prompt.

2. Use ping to test communication with WebApp.adatum.com.

8-16 Implemen

Wh

IPv6IPv6pacinfra

•

•

Unli(L2ToveIPv6

nting IPv6

hat Is IPv6

6 over IPv4 tun6 packets with kets can be seastructure. Wit

The IPv4 Proan encapsulat

The Source aIPv4 addressecan configurepart of the tuderived autom

ike tunneling fTP), there is nor IPv4 tunnelin6 tunneling, it

6 Over IPv4

nneling is the ean IPv4 headent over an IPvthin the IPv4 h

otocol field is sted IPv6 packe

and Destinatioes of the tunnee tunnel endpounnel interfacematically.

for the Point-to exchange of ng does not prdoes not need

4 Tunnelin

encapsulation er so that IPv6v4-only header:

set to 41 to indet.

on fields are seel endpoints. Yoints manually, or they can b

to-Point Tunnemessages for trovide securityd to establish a

ng?

of

dicate

et to You y as be

eling Protocol tunnel setup, m

y for tunneled a protected co

(PPTP) and Lamaintenance, IPv6 packets.

onnection first.

ayer Two Tunnor terminationThis means th.

neling Protocon. Additionallyat when you u

l y, IPv6 use

LessonIPv6 T

Trantrth

Thanad

LeA

•

•

•

•

•

W

ISyobeIScousmorcoISIS

Aad

A

Fo20

WIScoot

n 4 Transitiransitioning frond services relyransition by allhat allow IPv6

his lesson provnd Teredo, whddresses PortP


Describe IS

Describe 6t

Describe Te

Describe Po

Describe th

What Is ISA

SATAP is an adou can use to etween IPv6/IP

SATAP hosts doonfiguration, asing standard

mechanisms. Yorganizations’ somponent is eSATAP-based aSATAP on your

n ISATAP addrddress is forma

[64-bit unic

n ISATAP addr

[64-bit unic

or example, FD001:db8::200:5

What Is an ISSATAP allows Ionfiguration. Ather IPv6 clien

on Techom IPv4 to IPvy on IPv4 for itowing commucommunicatio

vides informathich help proviProxy, which p


ATAP.

to4.

eredo.

ortProxy.

he transition pr

ATAP?

dress-assignmprovide unicasPv4 hosts acroo not require aand can createaddress autoc

ou mainly use site, and althouenabled by defaddresses if it cr network.

ress that is basatted like the f

cast prefix]:0:5

ress that is bas

cast prefix]:200

D00::5EFE:192.5EFE:131.107.1

SATAP RoutPv6 clients on An ISATAP routs on other IPv

hnologiv6 requires coet to be removeunication betwon over IPv4 ne

ion about Intrde connectivitrovides compa

you will be ab

rocess from IP

ment technologst IPv6 connec

oss an IPv4 intrany manual e ISATAP addreonfiguration ISATAP withinugh the ISATAfault, it only ascan resolve the

sed on a privatfollowing exam

EFE:w.x.y.z

sed on a public

0:5EFE:w.x.y.z.

168.137.133 is137.133 is an e

ter? an IPv4-only iter advertises v6 subnets.

ies existence betwed quickly. Ho

ween IPv4-onlyetworks.

a-Site Automaty between IPvatibility for app

le to:

v4 to IPv6.

gy that ctivity ranet.

esses

an AP ssigns e name

te IPv4 mple:

c IPv4 address

s an example oxample of a p

intranet to coman IPv6 prefix,

20410A: Installin

ween the two powever, there ay and IPv6-onl

atic Tunnel Adv4 and IPv6 tecplications.

s is formatted

of a private IPvublic IPv4 add

mmunicate wi, and allows th


protocols. Tooare several tecy hosts. There

dressing Protochnology. This

like the follow

v4 address, anddress.

thout additionhe clients to co

Windows Server® 20

many applicahnologies thatare also techn

ocol (ISATAP),s lesson also

wing example:

d

nal manual ommunicate w

012 8-17

ations t aid nologies

6to4,

with

8-18 Implemen

Ho

YoureconamISAT

Youdiffi

List Youhost

Oth

•

•

•

nodAs ssho

Wh

6to4unichostentifollohexIPv4

EnaWin

To eyouWin

•

•

•

nting IPv6

w ISATAP T

u can initiate ISord in DNS thame automaticaTAP for severa

u can also definicult to manag

Note: By dethat prevents

u need to remot record to con

her ways you ca

Use the Wind

Use Netsh In

Configure the

Note: All ISAdes are part of such, you shouuld instead de

hat Is 6to4

4 is a technolocast IPv6 connts across the IPire IPv4 Interneowing 6to4 adadecimal repre4 address:

2002:WWXX:Y

abling 6to4 ndows Ope

enable Window enable Intern

ndows operatin

IPv6 forwardi

The private in192.168.0.0/2

A 64-bit IPv6 derives the inis the private

Tunneling W

SATAP tunnelinat resolves to tlly begin usingl computers si

ne ISATAP namge.

efault, WindowISATAP resolu

ove ISATAP fronfigure ISATAP

an configure h

dows PowerShe

nterface IPv6

e ISATAP Rou

ATAP nodes athe same AD

uld use ISATAPeploy native IPv

4?

ogy that you uectivity betwePv4 Internet. 6et as a single l

ddress, WWXX:esentation of w

YYZZ:Subnet_I

Router Funrating Syste

ws Server 2012net Connectionng system, the

ng is enabled

nterface conne24 prefix.

subnet prefix ntranet subnet

interface’s ind

Works

ng in many wathe IPv4 addreg the specifiedimultaneously.

me resolution i

ws Server 2008ution, even if thom the Global P clients.

hosts with an I

ell cmdlet Set-

ISATAP Set R

uter Name Gro

re connected tDS site which

P only for limitv6 support.

se to provide een IPv6 sites a6to4 treats the ink. In the YYZZ is the cow.x.y.z, a publi

ID:Interface_ID

nctionality iems

2 as a 6to4 roun Sharing (ICS)e following occ

on the 6to4 tu

ects to a single

is selected forprefix from 20

dex.

ays, but the simess of the ISATAd ISATAP route.

in a hosts file,

8 or newer DNShe host recordQuery Block L

SATAP router

-NetIsatapCo

Router x.x.x.x.

oup Policy sett

to a single IPvmay not be deed testing. For

and

olon-ic

D,

n

uter, . When you en

curs:

unneling and p

e subnet, and u

r advertisemen002:WWXX:YY

mplest way is tAP router. Winer. By using thi

but this is not

S servers haved is created anList in DNS if y

are:

onfiguration –

.

ting.

v6 subnet. Thisesirable. r intranet-wide

nable ICS on a

private interfa

uses private IP

nt on the privaYZZ:InterfaceIn

to configure andows hosts this method, you

t recommende

a Global Qued properly con

you are using a

–Router x.x.x.

s means that a

e deployment,

a computer tha

ces.

Pv4 addresses f

ate intranet. Thndex::/64, in wh

n ISATAP hosthat can resolveu can configur

ed because it is

ry Block nfigured. an ISATAP

.x.

ll ISATAP

, you

at is running a

from the

he 6to4 compohich InterfaceIn

t e this re

s

onent ndex

•

Thde

H

Wauinananroof

Ex

Inofwroththfo

FoHapth

W

TeIPIPInbeteIScomanTeit

TTh

•

•

Router adv

he router adveerived 6to4 su

How 6to4 Tu

Within a site, loutoconfigure 6ndividual subnend a default rony of the subnouter on the sif ::/0 that forw

xample

n the example f a default rou

with Host C in aouter in Site 1, he traffic with ahe tunneled traorwards the IPv

or example, Hoost C resides oppears in the she IPv4-encaps

What Is Ter

eredo tunnelinPv4-only InternPv4 NAT. Terednternet connecehind a NAT. Technology for SATAP, or 6to4ommunicating

more IPv4 NATsnd as IPv6 coneredo will be uis not used at

eredo Comhe Teredo com

Teredo clieTeredo clie

Teredo serin the initiaclients in di

ertisement me

ertisement mebnet prefix.

unneling Wo

cal IPv6 route6to4 addressesets are configuoute with the nnet prefixes thate border has

wards traffic to

network showte using the n

another site, Husing the 200

an IPv4 headeaffic, removes v6 packet to H

ost A resides oon subnet 2 wislide, lists the asulated IPv6 p

redo?

ng enables younet when the cdo was createdctions use privaTeredo is a lastIPv6 connectiv

4 connectivity ig nodes, Tereds are upgraded

nnectivity becoused less frequall.

ponents mponents are a

ent. Supports nts or nodes o

rver. Connectsal Teredo clientifferent sites o

essages are sen

ssages adverti

orks

rs advertise 20s. IPv6 routers ured automatinext-hop addrat the site usesa 2002::/16 roa 6to4 relay o

wn in the slide, ext-hop addreost A sends th

02::/16 route iner and tunnels

the IPv4 headHost C.

on subnet 1 wiithin Site 2 andaddresses in thacket to the 6t

u to tunnel acrclients are behd because manate IPv4 addret-resort transitvity. If native IPis present betwo is not used. d to support 6

omes ubiquitouuently, until ev

as follows:

a Teredo tunnon the IPv6 Int

s to both the IPt configurationr between Ter

nt on the priva

se the ICS com

002:WWXX:YYZwithin the sitecally with a 64

ress of the advs is forwarded oute that forwaon the IPv4 Inte

Host A and Hess of the 6to4he traffic to then its routing tait to the 6to4 er, and using t

thin Site 1 andd uses the pubhe IPv4 and IPvto4 router in S

ross the ind an

ny esses tion Pv6, ween As

6to4, us, entually

neling interfaceernet through

Pv4 and IPv6 In, and to faciliredo clients an

20410A: Installin

ate interface.

mputer as a de

ZZ:Subnet_ID::e deliver traffic4-bit subnet rovertising routerto a 6to4 rout

ards traffic to oernet.

ost B can com4 router in Sitee 6to4 router iable and the 6trouter in Site the subnet pre

d uses the pubblic IPv4 addrev6 headers whSite 2.

e through which a Teredo rela

nternet. The rotate the initial

nd IPv6-only ho


efault router an

:/64 subnet prc between 6tooute for direct r. IPv6 traffic tter on the site other 6to4 site

mmunicate withe 1. When Hostin Site 1 as IPvto4 tunnel inte2. The 6to4 roefix route in its

blic IPv4 addreess of 131.107.hen the 6to4 ro

ch packets areay.

ole of the Terel communicatiosts on the IPv

Windows Server® 20

nd contain the

refixes so that 4 hosts. Hosts delivery to nehat does not mborder. The 6

es and a defau

h each other bt A communic

v6 packets. Theerface, encaps

outer in Site 2 rs routing table

ess of 157.60.91210.49. The taouter in Site 1

e tunneled to o

edo server is toon between Tv6 Internet.

012 8-19

e

hosts on

eighbors match to4

ult route

because cates e 6to4 ulates receives e,

1.123. able that

sends

other

o assist eredo

8-20 Implemen

•

•

Wh

YouappappfaciappaddandalloTCP

Portonlyembappflexthat

Som

•

•

•

http

nting IPv6

Teredo relaythe IPv6 Inter

Teredo host-Additionally, Internet withothrough a puconnectivity tan IPv6 transi

hat Is Port

u can use the Pplication-layer plications that dlitates the com

plications that cdress type, Inte

TCP port. Thiw IPv6 nodes

P applications.

tProxy can proy application-lbed address or

plication-layer ible. Additionat you typically

me areas where

An IPv4-only

An IPv6-only

An IPv6 node

Additional p://go.Microso

y. Forwards pacrnet.

-specific relaya Teredo hostout needing ablic IPv4 addreto the IPv6 Intition technolog

tProxy?

PortProxy servigateway for ndo not suppor

mmunication bcannot connec

ernet layer prots service’s primto communica

oxy only TCP dayer protocolsr port informadata. PortProxally, you will fawould addres

e PortProxy ca

node can acce

node can acce

e can access an


ckets between

y. Has interfac-specific relayn intermediateess or throughernet can be tgy, such as 6to

ice as an odes or rt IPv6. PortPro

between nodesct using a comtocol (IPv4 or

mary purpose iate with IPv4-o

data, and it sups that do not tion inside the

xy cannot chanare better usings by using Por

n be helpful a

ess an IPv6-on

ess an IPv4-on

n IPv4-only ser


n Teredo client

es on, and concan communi

e Teredo relayh a private IPv4hrough a direco4.

oxy s or

mmon IPv6), is to only

pports

e nge address ing other tunnertProxy.

nd provide so

nly node.

nly node.

rvice that is run

ation about IPv079&clcid=0x4

ts on the IPv4

nnects to, the icate directly w

y. The connecti4 address and ct connection

nformation at tling technolog

olutions during

nning on a Po

v6 transition te409.

Internet and I

IPv4 and IPv6 with Teredo cliivity to the IPva neighboringto the IPv6 In

the applicationgies to address

g a transition p

ortProxy comp

echnologies se

Pv6-only hosts

Internet. ients over the v4 Internet cang NAT. The ternet, or thro

n level, and is ns many of the

phase include w

uter.

ee

s on

IPv4 n be

ough

not issues

when:

P

Thexinrep

Tous

•

•

•

•

•

Mcodeas

IPAW

Process for

he industry-wixpected to taknto consideratiesult, the transrocess that allo

o achieve the gse the followin

Upgrade yoof either IPvchange appSockets app(APIs) so thcreation, an

Upgrade ronative IPv6

Upgrade demany otherprinters and

Update thehave to upgrecords (reqoptional. Aupdate for IPv6 addres

Upgrade hoadd DNS reYou can de

Most organizatioexistence for evices that do s ISATAP.

Pv6 is enabled s a best practi

Windows opera

r Transition

de migration fke considerableon when desigition plan for ows for extend

goal of a pureng general gui

our applicationv6 or IPv4. Forplications to usplication prog

hat name resolnd other funct

outing infrastrurouting and IP

evices to suppr types of devid scanners—a

e DNS infrastrugrade the DNSquired) and podditionally, enIPv6 host addsses automatic

osts to IPv6/IPesolver supporeploy ISATAP in

ions will most an extended pnot support IP

by default force, you should

ating systems r

ning to IPv

from IPv4 to IPe time. This wagning IPv6 andIPv6 is a multided coexistenc

IPv6 environmdelines:

ns to be indepr example, youse new Windoramming interution, socket ions are indep

ucture for natiPv6 routing pr

ort IPv6. The mces do not. Yolso support IPv

ucture to suppS infrastructureointer (PTR) rensure that the Dress (AAAA) recally.

v4 nodes. Yourt to process Dn a limited cap

likely add IPv6period of timePv6, and coexi

Windows Vistd not disable IPrely on IPv6.

v6–Only

Pv6 is as taken d as a step ce.

ment,

endent u can ws rfaces

pendent regard

ve IPv6 routinrotocols.

majority of curou need to verv6.

ort IPv6 addree to support thsource recordsDNS servers suesource record

u must upgradDNS query resupacity to test IP

6 to an existing. There are stilistence is muc

ta or newer cliPv6 unless the

20410A: Installin

dless of wheth

g. You must u

rrent networkirify that all net

ess and pointehe new IPv6 hs in the IP6.ARupport DNS trads so that IPv6

e hosts to use ults that contaiPv6 and DNS f

g IPv4 environll in existence h simpler than

ents and Windere is a technic


her you are usi

upgrade router

ng hardware stwork attached

r (PTR) resourcost address (A

RPA reverse doaffic over IPv6hosts can reg

both IPv4 andin both IPv4 afunctionality.

nment and conmany legacy a

n using transiti

dows Server 20cal reason to d

Windows Server® 20

ng IPv4 or IPv

rs to support b

supports IPv6, d devices—suc

ce records. YoAAAA) resourceomain, but this6 and DNS dynister their nam

d IPv6. You alsnd IPv6 addre

ntinue to haveapplications anion technologi

008 or newer so so. Some fea

012 8-21

6.

both

but ch as

u might e s is namic mes and

so must sses.

nd ies such

servers. atures in


Lab: Implementing IPv6 Scenario

A. Datum Corporation has an IT office and data center in London, which support the London location and other locations. They have recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You now need to configure the infrastructure service for a new branch office.

The IT manager at A. Datum has been briefed by several application vendors about newly added support for IPv6 in their products. A. Datum does not have IPv6 support in place at this time. The IT manager would like you to configure a test lab that uses IPv6. As part of the test lab configuration, you also need to configure ISATAP to allow communication between an IPv4 network and an IPv6 network.


• Configure IPv6.

• Configure an ISATAP router.

Lab Setup


Logon Information

Virtual Machines 20410A-LON-DC1 20410A-LON-RTR 20410A-LON-SVR2


Password Pa$$w0rd








o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-RTR and 20410A-LON- SVR2.

Exercise 1: Configuring an IPv6 Network

Scenario

As the first step in configuring the test lab, you need to configure LON-DC1 as an IPv4–only node, and LON-SVR2 as an IPv6–only node. You also need to configure LON-RTR to support IPv6 routing.



1. Verify IPv4 routing.

2. Disable IPv6 on LON-DC1.

3. Disable IPv4 on LON-SVR2.

4. Configure an IPv6 network on LON-RTR.

5. Verify IPv6 on LON-SVR2.

Task 1: Verify IPv4 routing 1. On LON-SVR2, open a Windows PowerShell prompt.

2. Ping LON-DC1 to verify that IPv4 is routing through LON-RTR.

3. Use ipconfig to verify that LON-SVR2 has only a link-local IPv6 address.

Task 2: Disable IPv6 on LON-DC1 1. On LON-DC1, in Server Manager, on the Local Server, open the Local Area Connection properties.

2. Disable IPv6 for Local Area Connection.

Task 3: Disable IPv4 on LON-SVR2 1. On LON-SVR2, in Server Manager, open the properties of Local Area Connection on the Local

Server.

2. Disable IPv4 for Local Area Connection.

Task 4: Configure an IPv6 network on LON-RTR 1. On LON-RTR, open Windows PowerShell.

2. Use the following New-NetRoute cmdlet to add an IPv6 network on Local Area Connection 2 to the local routing table:

New-NetRoute –InterfaceAlias “Local Area Connection 2” –DestinationPrefix 2001:db8:0:1::/64 –Publish Yes

3. Use the following Set-NetIPInterface cmdlet to enable router advertisements on Local Area Connection 2:

Set-NetIPInterface –InterfaceAlias “Local Area Connection 2” –AddressFamily IPv6 –Advertising Enabled

4. Use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64 network.

Task 5: Verify IPv6 on LON-SVR2 • On LON-SVR2, use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the

2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6–only network.


Exercise 2: Configuring an ISATAP Router

Scenario

After configuring the infrastructure for an IPv4–only network and an IPv6–only network, you need to configure ISATAP to support communication between the IPv4–only nodes and the IPv6–only nodes.


1. Add an ISATAP host record to DNS.

2. Enable the ISATAP router on LON-RTR.

3. Remove ISATAP from the DNS Global Query Block List.

4. Enable ISATAP on LON-DC1.

5. Test connectivity.

Task 1: Add an ISATAP host record to DNS 1. On LON-DC1, in Server Manager, open the DNS tool.

2. Add an ISATAP host record that resolves to 172.16.0.1.

Task 2: Enable the ISATAP router on LON-RTR 1. On LON-RTR, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:

Set-NetIsatapConfiguration –Router 172.16.0.1

2. Use the following Get-NetIPAddress cmdlet to identify the interface index of the ISATAP interface with 172.16.0.1 in the link-local address. Interface index:

Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address

3. Use the Get-NetIPAddress cmdlet to verify the following on the ISATAP interface:

o Forwarding is enabled

o Advertising is disabled

Get-NetIPInterface –InterfaceIndex IndexYouRecorded –PolicyStore ActiveStore | Format-List

4. Use the following Set-NetIPAddress cmdlet to enable router advertisements on the ISATAP interface:

Set-NetIPInterface –InterfaceIndex IndexYouRecorded –Advertising Enabled

5. Use the following New-NetRoute cmdlet to configure a network route for the ISATAP interface:

New-NetRoute –InterfaceIndex IndexYouRecorded –DestinationPrefix 2001:db8:0:2::/64 –Publish Yes

6. Use the following Get-NetIPAddress cmdlet to verify that the ISATAP interface has an IPv6 address on the 2001:db8:0:2::/64 network:

Get-NetIPAddress –InterfaceIndex IndexYouRecorded


Task 3: Remove ISATAP from the DNS Global Query Block List 1. On LON-DC1, open Regedit and browse to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

2. Modify GlobalQueryBlockList to remove isatap.

3. Restart the DNS service.

4. Ping isatap to verify it can be resolved. The name should resolve and you should receive four request timed out messages from 172.16.0.1.

Task 4: Enable ISATAP on LON-DC1 1. On LON-DC1, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:

Set-NetIsatapConfiguration –State Enabled

2. Use ipconfig to verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2/64 network.

Task 5: Test connectivity 1. On LON-SVR2, use the following ping command to test connectivity to the ISATAP address for LON-

DC1:

ping 2001:db8:0:2:0:5efe:172.16.0.10

2. User Server Manager to modify the properties of TCP/IPv6 on the Local Area Connection 2, and add 2001:db8:0:2:0:5efe:172.16.0.10 as the preferred DNS server.

3. Use the ping command to test connectivity to LON-DC1.

Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6–only network and an IPv4–only network.

To prepare for the next module After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.







Question: What is the main difference between 6to4 and Teredo?

Question: How can you provide a DNS server dynamically to an IPv6 host?

Question: Your organization is planning to implement IPv6 internally. After some research, you have identified unique local IPv6 addresses as the correct type of IPv6 addresses to use for private networking. To use unique local IPv6 addresses, you must select a 40-bit identifier that is part of the network. A colleague suggests using all zeros for the 40 bits. Why is this not a good idea?

Question: How many IPv6 addresses should an IPv6 node be configured with?

Best Practice:

Use the following best practices when implementing IPv6:

• Do not disable IPv6 on Windows 8 or Windows Server 2012.

• Enable coexistence of IPv4 and IPv6 in your organization rather than using transition technologies.

• Use unique local IPv6 addresses on your internal network.

• Use Teredo to implement IPv6 connectivity over the IPv4 Internet.

9-1

Module 9 Implementing Local Storage


Lesson 1: Overview of Storage 9-2

Lesson 2: Managing Disks and Volumes 9-11

Lesson 3: Implementing Storage Spaces 9-20

Lab: Implementing Local Storage 9-25


Module Overview

Storage is one of the key components that you must consider when planning and deploying Windows Server® 2012 operating systems. Most organizations require a great deal of storage because users work regularly with applications that create new files that need to be stored in a central location. Storage demands increase when users keep their files for longer periods of time. Every time a user logs on to a server, an audit trail is created in an event log, which also uses storage. Even as files are created, copied, and moved, storage is required.

This module introduces you to different storage technologies. It discusses how to implement the storage solutions in Windows Server 2012, and how to use Storage Spaces, a new feature that you can use to combine disks into pools that are then managed automatically.

Objectives

After completing this module you will be able to:

• Explain the various storage technologies.

• Manage disks and volumes.

• Implement Storage Spaces.

9-2 Implement

Lesson Overvi

Wheare acceben

As yThis

•

•

•

•

Les

Afte

•

•

•

•

•

•

Dis

Thecan systOuttype

•

ing Local Storage

1 iew of Sen you plan a various types essed via Ether

nefits as well as

you prepare tos lesson addres

Does the stor

Does the stor

How much st

How much reinvestment re

sson Objecti

er completing

Describe disk

Describe dire

Describe netw

Describe stor

Describe Red

Describe RAID

sk Types a

re are various use to provideems. The spee

tputs per secones of disks are:

Enhanced InteEIDE is basedin 1986. The Iinterface suppTechnology AAdvanced TecInterface (ATAto the ATA-2 channels, eacThese drives ahave two dev128 gigabytemaximum of

Storage server deployof storage tharnet, or even cs its limitations

o deploy storagsses questions

rage need to b

rage need to b

orage does yo

esilience do yoemains secure

ives

this lesson, yo

k types and per

ct-attached st

work-attached

age area netw

undant Array

D levels.

nd Perform

types of disks e storage to se

ed of disks is mnd (IPOS).The :

egrated Drive E on standards Integrated Driports both theAttachment 2 (chnology AttaAPI) standards(Fast ATA) sta

ch connecting are commonlyvices chained a (GB) limitatio133 megabyte

ment, one of tat you can utiliconnected withs.

ge for your enyou might co

be fast?

be highly availa

our deploymen

ou need to addin the future?

ou will be able

rformance.

orage.

storage.

work (SAN).

of Independen

mance

available thaterver and clien

measured in Inpmost common

Electronics (EIDthat were creave Electronics

e Advanced (ATA-2) and chment Packe

s. Enhanced refandard, which two devices. In

y found conneat any time. Dun on storage ues (MB) per sec

the key compoze, from locallh optical fiber.

vironment, yonsider, such as

able?

nt actually req

d to the initial

to:

nt Disks (RAID)

t you nt put n

DE). ated (IDE)

et fers provides fasten practice, thected using a 4ue to the addrusing EIDE. Furcond. EIDE dri

onents that yoly attached sto. You should b

ou will need tos the following

uire?

storage requir

).

er transfer ratese terms EIDE, ID40-wire cable oressing standarrther, the speeives are almost

ou will require orage, to storabe aware of ea

o make some img:

rement to ensu

s and allows foDE, and ATA aor 80-wire cabrds of this techeds of EIDE aret never used o

is storage. Thege that is remch solution’s

mportant deci

ure that your

or multiple re synonymoule, and can onhnology, theree limited to a on servers toda

ere otely

sions.

us. nly e is a

ay.


• Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel, for connecting the motherboard or device adapters to mass storage devices such as hard disk drives and optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but SATA host adapters and devices communicate via a high-speed serial cable over two pairs of conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0, and 6.0 GB per second, depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than other drive options, but also provide less performance. Organizations may choose to deploy SATA drives when they require large amounts of storage, but not high performance. SATA disks are generally low-cost disks that provide mass storage. However, for the lower cost they are also less reliable compared to serial attached SCSI (SAS) disks.

A variation on the SATA interface is eSATA, which is designed to enable high-speed access to externally-attached SATA drives.

• Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and transferring data between computers and peripheral devices. SCSI was originally introduced in 1978 and was designed as an interface on a lower-level communication, subsequently allowing it to take less processing power and perform transactions at higher speeds. SCSI became a standard in 1986. Similar to EIDE, SCSI was designed to run over parallel cables; however, recently the usage has been expanded to run over other mediums. The 1986 parallel specification of SCSI had initial speed transfers of 40 MB per second. The more recent 2003 implementation, Ultra 640 SCSI, also known as Ultra 5, can transfer data at speeds of 5,120 MB per second. SCSI disks provide higher performance than SATA disks, but are also more expensive.

• SAS. SAS is a further implementation of the SCSI standard. SAS depends on a point-to-point serial protocol that replaces the parallel SCSI bus technology, and uses the standard SCSI command set. SAS offers backwards-compatibility with second generation SATA drives. SAS drives provide are reliable and made for 24 hours a day, seven days a week (24/7) operations in data centers. With up to 15,000 rotations per minute (RPM), these disks are also the fastest traditional hard disks.

• Solid State Drives (SSDs). SSDs are data storage devices that use solid-state memory to store data rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips to store the data and do not contain any moving parts. SSDs provide fast disk access, use less power, and are less susceptible to failure from being dropped than traditional hard disks (such as SAS drives), but are also much more expensive per GB of storage. SSDs typically use a SATA interface so you can usually replace hard disk drives with SSDs without any modifications.

Note: Fibre Channel, fire-wire, or USB-attached disks are also available storage options. They define either the transport bus or the disk type. For example, USB-attached disks use mostly with SATA or SSD drives to store data.

9-4 Implement

Wh

AlmThisattaare direconaltePrimthe powcomSSDof t

Adv

A tyare comconmai

DASandconope

DisStormulare stor

DASservDASbusy

ing Local Storage

hat Is Dire

most all servers s type of storagached storage (physically loca

ectly with an exnected to the rnative comm

marily, DAS stoserver. Becaus

wer failure, themes in various dD, which affect he storage, an

vantages of

ypical DAS systconnected dir

mputer, there anected directlyntain.

S is also usually sizes to accomfigure. In mos

erating system

sadvantagesring data localltiple servers. Tlooking for. Fu

rage on that co

S also has drawver operating sS shares the pry servers, disk

ct Attache

provide somege is referred t(DAS). DAS canated inside thexternal array, oserver with a Uunications me

orage is physicse of this, if thee storage is unadisk types suchthe speed andd has both ad

f Using DAS

tem is made urectly to a comare no networky to the server

y the least expmmodate variot instances, yorecognizes it,

s of Using Dly on DAS ma

This can make urthermore, if omputer is una

wbacks in its acsystem, DAS carocessing powaccess may slo

ed Storage

e built-in storato as direct n include diskse server, conneor disks that arUSB cable or a

ethodology. ally connectede server suffersavailable. DASh as SATA, SASd the performavantages and

S

p of a data stomputer throughk devices such r that utilizes it

pensive storageous installation

ou would simpand then use

DAS kes data centrit more company one devicavailable.

ccess methodoan be slower ther and server mow when the o

e?

ge.

s that ected re an

d to s a S or ance disadvantages

orage device thh a host bus adas hubs, switc

t, making DAS

e available todns. In addition ly plug in the dDisk Managem

alization morelex to back up

ce that has DA

ologies. Due tohan other stormemory to whoperating syste

s.

hat includes a dapter (HBA). ches, or routerS the easiest st

day, and is wid to being inexdevice, ensurement to config

e difficult becap the data andS connected t

o the way readrage technologhich it is conneem is overload

number of haBetween the D

rs. Instead, the torage system

dely available ixpensive, DAS ie that the runngure the disks.

ause the data i for users, to loo it suffers a p

ds and writes agies. Another dected. This meded.

ard disk drives DAS and the storage is to deploy and

n various speeis very easy to

ning Windows

s located on ocate the data

power outage,

are handled bydrawback is th

eans that on ve

that

d

eds

a they the

y the hat ery

W

NcoacDeaacdianSA

EathdewSt

Tohapneac

Toarthdire

A

Nfapof

Nth

•

•

•

•

Nw

D

NreshM

What Is Ne

Network attachonnected to a ccessed over tAS in that the ach individual cross the netwistinct solutionnd an enterpriAN.

ach NAS devichat solely contevice, which re

with sharing thetorage Server,

o enable NAS ave any serverrovide a netwoetwork shares ccessible to us

oday, most SAre identical; thhe SAN to the isk drives (aggeliability are th

Advantages

AS is an ideal ast data accessroductivity gaif the files.

AS also fits nichan DAS in the

NAS storag

NAS offers devices wit

NAS offers

NAS units aserve up da

AS can also bewithout IT staff

Disadvantag

AS is slower thelies heavily onharing/storage

Microsoft Excha

etwork Att

ed storage (NAdedicated stohe network. Nstorage is notserver, but rat

work to many sns: a low-end ase-class NAS t

ce has a dedicarols the accesseduces the ovee storage devica feature of W

storage, you nr interfaces sucork configuraton the deviceers on the net

AN solutions ofe access methservers using F

gregates) are thhe same.

of Using NA

choice for orgs for multiple cins because th

cely into the me following wa

ge is usually mu

a single locatih DAS.

centralized sto

are accessible fata via CIFS an

e considered aat hand.

es of Using

han SAN technn the network e solution and ange Server an

ached Sto

AS) is storage trage device anAS is different

t directly attacther is accessibervers. NAS haappliance (NASthat integrates

ated operatings to the data oerhead associace with other s

Windows Serve

need a storagech as keyboardion and then a by using the

twork.

ffer SAN and Nod is the only FCOE or iSCSI,he same, the m

AS

ganizations thaclients at the fie processing p

market as a midys:

uch larger tha

on for all critic

orage at an aff

from any operd NFS at the s

a Plug and Play

NAS

nologies. NAS supporting thcannot (and s

nd Microsoft SQ

rage?

that is nd then t than hed to

ble as two S only), s with

g system on the ated server services

er 2012.

e device. Frequds, mice and maccess the devname of the N

NAS together. thing that cha while NAS se

methods for w

at are looking le level. Users

power of the N

d-priced soluti

n DAS.

cal files, rather

fordable price

rating system. same time thus

y solution that

is frequently ae NAS solutionhould not) be QL Server®.

20410A: Instal

s. An example

uently, these dmonitors. Insteavice across the NAS and the sh

The backend anges. Enterprrvices are madriting are the s

for a simple aof NAS benef

NAS device is d

ion. It is not ex

r than inter-dis

.

They often has Windows and

t is easy to inst

accessed via Etn. For this reasused with dat


of NAS softwa

evices are appad, to configunetwork. You

hare created. T

head units, disrises often prode available viasame, and the

nd cost-effectfit from performdedicated sole

xpensive, but i

spersing them

ave multi-protod Linux hosts a

tall, deploy, an

thernet protocson, NAS is cota-intensive ap

g Windows Server®

are is Windows

pliances that dre the device, can then crea

These shares ar

sks, and technovision storagea CIFS and NFS overhead and

ive way to achmance and

ely to the distri

it suits more n

on various se

ocol support aat the same tim

nd manage, wi

cols. Because ommonly used pplications suc

2012 9-5

s®

o not you

ate re then

ologies from S; the d

hieve

ibution

eeds

rvers or

and can me.

ith or

of this, it as a file

ch as

9-6 Implement

NASsystpro

NASthis,usedapp

http

Wh

The(SANthathighusuabustraffnum

A SAstorany otheYoufrom

Unliand

Adv

SANDAScheset hav

SAN

•

•

•

•

ing Local Storage

S is affordable em that readsne to the poss

S is also slower, it relies heavid as a file shar

plications such


hat Is a SA

third type of N). A SAN is a t connects comh-performanceally includes v-adapters (HBAfic, and storag

mbers (LUNs) f

AN enables mrage in which astorage unit. A

er network, suu can, thereforem anywhere.

ike DAS or NA offers method

vantages of

N technologiesS and NAS solucksum calculatup. This speeding to read/wr

Ns also provide

Centralizationgrow indepenrequired. Storreconfiguring

Common infrfor configurat

Storage devic

Data transfer

for small to m and writes da

sibility of data

r than SAN tecily on the netwring and storagas Microsoft®


AN?

storage is a stospecialized hig

mputer systeme storage subsarious componAs), special swe disk arrays wor storage.

ultiple servers any server canA SAN uses a ch as a local ae, use a SAN to

AS, a SAN is cods to minimize

f Using SAN

s read and writutions, if you wted. With SAN

d is accomplishrite an entire f

e:

n of storage inndently. They arage on a give

g or re-cabling

rastructure for tion and deplo

ces that are inh

directly from

mid-size busineata in differentloss dependin

chnologies. NAwork that is supge solution; it Exchange Ser


orage area netgh speed netws or host serve

systems. A SANnents such as

witches to help with logical un

to access a po potentially acnetwork like area network (Lo connect man

ntrolled by a he overhead (su

N

te at block levewrite a file of 8

N, the file is wrihed by fiber acfile by using a

nto a single poalso enable sto

en server can bg of devices.

attaching storoyment.

herently share

device to devi

esses and, simi ways than a S

ng on the size o

AS is frequentlypporting the Ncannot and shver and Micro

ation about Wi647.

twork work ers to N host route it

ool of ccess ny LAN). ny different de

hardware devicuch as using ra

els, making da8 GB, the entiretten to the dis

ccess methodochecksum.

ol, which enaborage to be dybe increased o

rage, which en

d by multiple

ice without ser

ilar to DAS, haSAN solution. Nof the data be

y accessed viaNAS solution. Fhould not be uosoft SQL Serve

indows Storag

evices and hos

ce and offers taw disks).

ata access muce file will havesk based on thologies and blo

bles storage reynamically assir decreased as

nables a single

systems.

rver interventi

s overheads oNAS systems aeing copied.

a Ethernet protFor this reason

used with data er®.

ge Server, see

sts to provide a

the fastest acc

ch faster. For ee to be read/whe block size foock level writin

esources and signed from ths needed witho

e common man

on.

f an operatingare more frequ

tocols. Becausen, NAS is commintensive

access to any d

cess to the stor

example, with ritten and its or which the SAng, instead of

erver resourcee pool when itout complex

nagement mo

g uently

e of monly

device

rage

most

AN is

es to t is

del

•

D

Threenw

TounInth

op

W

RAst(pstsidethdiav

RAredeorrethse

H

RAfuto

•

•

A high levethrough thesupplies an

Disadvantag

he main drawbequires managntry level SAN

without any SA

o manage a SAnderlying tech

n addition, eachis, organizatio

Note: SANptions are Fibr

What Is RA

AID is a technotorage systemspotentially) higtorage systemsngle logical unepending on the failure of onisks, or providevailable by usi

AID provides aedundancy—theploying Windrganizations, itedundant comhis redundancyerver fails. By i

How RAID W

AID enables faunction even ifolerance:

Disk mirroranother dis

Parity inforthat was stoinformationanother disdata that isdata that w

el of redundane network. As d hard disks.

es of Using

back to SAN tegement tools a

can often cosN disks or con

AN, you often hnology, includh storage vend

ons often have

Ns can be impre Channel and

AID?

ology that yous that provide gh performancs by combiningnit called a RAthe configuratine or more of e higher perfong a single dis

an important chat you can usdows Server 20t is important ponents such y is to ensure tmplementing

Works

ault tolerance bf one or more

ring. With disk sk. If one of the

mation. Parityored on a diskn for each blocsk or across mus still available was stored on t

cy. Most SANswell, the stora

SAN

echnology is thnd expert skill

st as much as anfiguration.

use commandding the LUN sdor often imp

e dedicated pe

plemented usind Internet SCS

u can use to cohigh reliability

ce. RAID impleg multiple diskID array, whicion, can withstthe physical h

ormance than isk.

component—se when plann012 servers. In that the serveas redundant

that the serverRAID, you can

by using additdisks in the su

mirroring, all e disks fails, th

y information isk. If you use thick of data thatultiple disks. Ifon the functio

the failed disk.

s are deployedage device con

hat due to thels. It is also cona fully loaded s

d-line tools. Yosetup, the Fibrlements SANs

ersonnel whose

ng a variety of I (iSCSI).

onfigure y and ments ks into a h, tand ard is

ing and most rs are availablepower supplie

r remains availn provide the s

tional disks to ubsystem fail. R

of the informahe other disk is

s used in the eis option, the st is written to tf one of the disonal disks alon

20410A: Instal

d with multiplentains redunda

e complexities nsiderably moserver with a D

ou must have are Channel bacusing differen

e only job is to

technologies.

e all of the times, and redundable even whe

same level of r

ensure that thRAID uses two

ation that is ws still available

event of a diskserver or RAIDthe disks, and sks in the RAID

ng with the par


e network deviant componen

in the configure expensive t

DAS or an NAS

a firm understck end, the blont tools and feo manage the

The most com

me. Most servedant network aen a single comredundancy fo

he disk subsyst options for en

written to one d.

k failure to calcD controller cal

then stores thD array fails, thrity informatio

g Windows Server®

ices and pathsts such as pow

uration, SAN ofhan DAS or NAS device, and t

anding of the ock sizing, andatures. BecausSAN deploym

mmon

ers provide higadapters. The gmponent on thr the storage s

tem can continnabling fault

disk is also writ

culate the infolculates the pa

his informationhe server can uon to recreate

2012 9-7

s wer

ften AS; an that is

d so on. se of ent.

hly-goal of he system.

nue to

tten to

rmation arity n on use the the

9-8 Implementing Local Storage

RAID subsystems can also provide potentially better performance than single disks by distributing disk reads and writes across multiple disks. For example, when implementing disk striping, the server can read information from all hard disks in the stripe set. When combined with multiple disk controllers, this can provide significant improvements in disk performance.

Note: Although RAID can provide a greater level of tolerance for disk failure, you should not use RAID to replace traditional backups. If a server has a power surge or catastrophic failure and all of the disks fail, then you would still need to rely on standard backups.

Hardware RAID vs. Software RAID

You implement hardware RAID by installing a RAID controller in the server, and then configuring RAID by using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden from the operating system while the RAID arrays are exposed to the operating system as single disks. The only configuration you need to perform in the operating system is to create volumes on the disks.

Software RAID is implemented by exposing all of the disks available on the server to the operating system and then configuring RAID from within the operating system. Windows Server 2012 supports the use of software RAID, and you can use Disk Management to configure several different levels of RAID.

When choosing to implement hardware or software RAID, consider the following:

• Hardware RAID requires disk controllers that are RAID-capable. Most disk controllers shipped with new servers have this functionality.

• To configure hardware RAID, you need to access the disk controller management program. Normally, you can access this during the server boot process or by using a web page that runs management software.

• Implementing disk mirroring for the disk containing the system and boot volume with software RAID can require additional configuration when a disk fails. Because the RAID configuration is managed by the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk fails, you may need to modify the boot configuration for the server to start the server. This is not an issue with hardware RAID, because the disk controller will access the available disk and expose it to the operating system.

• In older servers, you may get better performance with software RAID when using parity because the server processor can calculate parity more quickly than the disk controller can. This is no longer an issue with newer servers, where you may get better performance on the server because you can offload the parity calculations to the disk controller.

Question: Should all disks be configured with the same amount of fault tolerance?

R

Wwcomdimth

RAID Level

When implemewhat level of RAommon Raid le

mirroring), RAIDistributed pari

mirrored set in he features for

Level Des

RAID 0 Strwitmi

Daseqea

RAID 1 Miwitstr

Dato sim

RAID 2 Dain diswrsepdis

RAID 3 Dain diswrsepdis

RAID 4 Dain eapaa d

s

nting RAID, yoAID to implemevels are RAIDD 5 (also knowty) and RAID 1a stripe set). Teach different

scription

riped set thout parity orrroring

ata is written quentially to ch disk

irrored set thout parity orriping

ata is written both disks

multaneously

ata is written bits to each sk with parity itten to parate disk or sks

ata is written bytes to each sk with parity itten to parate disk or sks

ata is written blocks to ch disk with rity written to

dedicated disk

ou need to decent. The most

D 1 (also knownwn as striped se1+0 (also knowhe table belowt RAID level.

Performan

r High readand write performan

r Good performan

Extremelyhigh performan

Very high performan

k

Good readperformanpoor writeperforman

cide

n as et with wn as w lists

nce Space utilizati

nce

All spacthe disavailab

nce Can onthe amof spacis availaon the smalles

nce

One ordisks uparity

nce One diused foparity

d nce, e nce

One diused foparity

20410A: Instal

ion Red

ce on ks is

ble

A sifailuin tall d

nly use mount ce that able

st disk

Cansingfailu

r more sed for

Cansingfailu

sk or

Cansingfailu

sk or

Cansingfailu


undancy

ingle disk ure results he loss of data

n tolerate a gle disk ure




g Windows Server®

Comments

Use only in situations whyou require hperformanceand can toledata loss

Frequently ufor system anboot volumewith hardwaRAID

Requires thadisks be synchronized

Not currentlyused

Requires thadisks be synchronized

Rarely used

Rarely used

2012 9-9

here high e rate

used nd es re

t all

d

y

t all

d


Level Description Performance Space utilization Redundancy Comments

RAID 5 Striped set with distributed parity

Data is written in blocks to each disk with parity spread across all disks

Good read performance, poor write performance

The equivalent of one disk used for parity

Can tolerate a single disk failure

Commonly used for data storage where performance is not critical, but maximizing disk usage is important

RAID 6 Striped set with dual distributed parity

Data is written in blocks to each disk with double parity written across all disks

Good read performance, poor write performance

The equivalent of two disks used for parity

Can tolerate two disk failures

Commonly used for data storage where performance is not critical but maximizing disk usage and availability are important

RAID 0+1

Striped sets in a mirrored set

A set of drives is striped, and then the strip set is mirrored

Very good read and write performance

Only half the disk space is available due to mirroring

Can tolerate the failure of two or more disks as long as all failed disks are in the same striped set

Not commonly used

RAID 1+0

Mirrored set in a stripe set

Several drives are mirrored to a second set of drives, and then one drive from each mirror is striped

Very good read and write performance

Only half the disk space is available due to mirroring

Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail

Frequently used in scenarios where performance and redundancy are critical, and the cost of the required additional disks is acceptable

LessonMana

IdthTh

Fosoqu

•

•

Thto

LeA

•

•

•

•

•

•

•

S

A thWorsyre

M

Thpadiinth

•

•

•

n 2 aging Ddentifying whichat your envirohere are other

or example, onolutions, you nuestions:

What disks

Will the typ

his lesson addools you need


Describe se

Describe th

Explain a re

Describe ho

Explain mo

Create mou

Describe th

electing a

partition tablehe method tha

Windows Server volumes on aystems, you caecord (MBR) an

MBR

he MBR partitiartitioning schisks since the f

n the 1980s. Thhe following ch

Supports a

A partition

If you initiaand the resits space.

Disks andch storage teconment is prepr steps that you

nce you have ineed to figure

will you alloca

pe of file system

resses these anto manage dis


electing a parti

he difference b

esilient file syst

ow to select a

unt points and

unt points and

he process of e

Partition

e format, or paat an operatingr 2012 uses toa disk. For Winn decide betwnd GUID partit

ion table formaheme that has first personal che MBR partitioharacteristics:

maximum of f

can have max

alize a disk largst of the storag

d Volumhnology that ypared for data u will need to

dentified the bout the best w

ate to a storag

ms be the sam

nd similar quescs.

you will be ab

ition table form

between basic

tem.

file system.

d links.

d links.

extending and

Table Form

artition style, rg system such organize part

ndows operatinween master botion table (GPT

at is the standbeen used on

computers camon table forma

four primary p

ximum of 2 ter

ger than 2 TB uge will not be u

mes you will want tstorage requitake to prepar

best storage soway to manage

ge pool?

me for all disks?

stions, includin

le to:

mat.

and dynamic d

shrinking volu

mat

efers to as

titions ng oot T).

ard hard

me out at has

partitions per d

rabytes (TB) (2.

using MBR, theused. You mus

20410A: Installin

to deploy is threments. This,re for data sto

olution, or have that storage.

?

ng why it is im

disk types.

umes.

drive

.19 x 10^12 by

e disks are onlst convert the


he first critical s however, is o

orage requirem

ve chosen a m. Ask yourself t

mportant to ma

ytes)

y able to storedisk to GPT if

Windows Server® 20

step in makingnly the first ste

ments.

ix of storage the following

anage disks, an

e volumes up tyou want to u

012 9-11

g sure ep.

nd what

to 2 TB use all of

9-12 Implemen

in si

GPT

Thelimi

•

•

•

•

arch

Sel

WheServand

Bas

Basiusedsystcallepartpartinto

By dconbasi

Somby cdiskare

Dyn

Dynsyststorcan

Whethatassi

nting Local Storage

Note: You size. This provid

T

GPT was introtations of MBR

GPT is the suc

Supports a m

A partition ca

A hard disk ca

Note: If you

Additional hitecture, see h

lecting a D

en selecting a ver 2012, you c dynamic disk

sic Disk

ic storage usesd by all versionem. A disk thaed a basic disktitions, such astitions. You ca

o logical drives

default, when yvert basic diskic disk, all data

me applicationconverting basks to dynamic davailable with

namic Disk

namic storage ems and the M

rage is called aperform disk

en you configut is made fromgn a drive lett

should use thedes you with a

oduced with WR, and to addr

ccessor of MBR

maximum of 12

an have up to

an have up to

ur hard disk is

Reading: For http://support

Disk Type

type of disk focan choose be

ks.

s normal partitns of the Windat is initialized k. A basic disk cs primary partin subdivide exs.

you initialize aks to dynamic da on the disk w

s cannot addresic disks to dyndisks unless thdynamic disks

is supported inMicrosoft Winda dynamic diskand volume m

ure dynamic dm free space on

er or configur

e MBR partitiona bit more spac

Windows Serveress larger disk

R partition tab

8 partitions pe

8 zettabytes (Z

18 exabytes (E

larger than 2 T

frequently ask.microsoft.com

or use in Windetween basic d

tion tables thadows operatingfor basic storacontains basic itions and extextended partiti

a disk in Windodisks without a

will be lost.

ess data that isnamic disks. Fohey need to uss.

n all Windowsdows NT® Servk. A dynamic dmanagement w

disks, you creatn one or more e it with a mo

n table formatce because GP

r 2003 and Wiks. GPT has the

ble format

er drive

ZB)

EB), with 512 k

TB, you should

ked questions m/kb/302873.

dows disks

at are g age is

ended ions

ows, the disk isany loss of dat

s stored on dyor these reasone some of the

operating sysver 4.0 operatiisk contains dy

without the nee

te volumes ratdisks. You canunt point.

t for disk drivePT requires mo

indows® XP 64e following cha

kilobytes (KB)

d use the GPT

about the GU

s configured ata; however, w

ynamic disks. Tns, most adminadditional vo

stems includingng system. A dynamic volumed to restart W

ther than partin format the vo

es that never suore disk space

4-bit Edition toaracteristics:

logical block a

partition table

ID partitioning

as a basic disk. when convertin

There is also nonistrators do nlume configur

g the Windowdisk that is inites. With dynam

Windows opera

tions. A volumolume with a f

urpass 2 TB than MBR.

o overcome th

addressing (LB

e format.

g table disk

You can easilyng a dynamic d

o performancenot convert baration options

ws XP operatingtialized for dynmic storage, yoating systems.

me is a storage file system, an

he

BA)

y disk to

e gain asic

that

g namic ou

unit d can


The following is a list of the dynamic volumes that are available:

• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk, or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or on to additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

• Spanned volumes. A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored, and is not fault-tolerant; therefore, if you lose one disk, you will lose the entire spanned volume.

• Striped volumes. A striped volume has data that is spread across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended, and is not fault-tolerant. This means that the loss of one disk causes the immediate loss of all the data. Striping is also known as RAID-0.

• Mirrored volumes. A mirrored volume is a fault-tolerant volume that has all data duplicated onto two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume that has data striped across a minimum of three or more disks. Parity is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.

Required Disk Volumes

Regardless of which type of disk you use, you must configure both a system volume and a boot volume on one of the hard disks in the server:

• System volumes. The system volume contains the hardware-specific files that are needed to load Windows operating system (for example, Bootmgr and BOOTSECT.bak). The system volume can—but does not have to—be the same as the boot volume.

• Boot volumes. The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%’System32 folders. The boot volume can—but does not have to—be the same as the system volume.

Note: When you install the Windows 8 operating system or the Windows Server 2012 operating system in a clean installation, a separate system volume is created to enable encrypting the boot volume by using Windows BitLocker® drive encryption.

Additional Reading: For more information about how basic disks and volumes work, see http://go.microsoft.com/fwlink/?LinkID=199648.

For more information about dynamic disks and volumes, see http://go.microsoft.com/fwlink/?LinkID=199649.

9-14 Implemen

Sel

Whe201ReF

File

The of tsystchatop copcaseallostor

A dWheestanextloca

Becpartsup

FATsystform

exFAsuitlargcent

NT

NTF4.0. hardthe

NTFadvaddsyst

NTFDomRep

Res

TheNTFdireveri

nting Local Storage

lecting a F

en you configu2, you can choS file systems.

e Allocation

file allocation he file systemsems support. Tracterized by aof the volumeies of the FAT e one becomecation tables ared in a fixed lo

isk formatted wen a file is creaablished. This et cluster. Thereation on the dr

ause of the siztitions that weports partition

T does not provem for disks a

mat external m

AT (Extended Fable, such as w

ger than 2 TB. eters, and porta

FS

FS is the standaUnlike FAT, th

dware, such astables.

FS is an improvanced data str

ditional extensiem journaling

FS is required fmain Services (plication Servic

ilient File Sys

Resilient File SFS. ReFS was dectories, disk vofication, error

File System

ure your disks oose between

n Table (FAT

table (FAT) is s that WindowThe FAT file sya table that rese. To protect thfile system ares damaged. Inand the root docation so tha

with FAT is alloated, an entry entry in the tabe is no organizrive.

ze limitation were less than 2 ns of up to 2 T

vide any securttached to Wi

media such as U

FAT) is a file sywhen you needexFAT is suppoable media pla

ard file systemhere are no spes 512-byte sect

vement over FAructures to impions such as se, and encrypti

for a number o(AD DS), Volumces (FRS). NTFS

stem (ReFS)

System (ReFS) eveloped to imolumes, and ocorrection, an

m

in Windows SFAT, NTFS, an

T)

the most simpws operating ystem is sides at the vehe volume, twe maintained i

n addition, the irectory must t the system’s

ocated in clustis created in tble either indiczation to the F

with the file alloGB in size. To B.

rity for files onndows Server USB flash med

ystem designedd a disc formatorted in a numayers.

m for all Windoecial objects otors. In additio

AT in several wprove performecurity access con.

of Windows Seme Shadow SeS also provides

was introducemprove upon Nther items. Ad

nd scalability.

erver d

plistic

ery o in file be boot files can

ters, whose sizhe directory, acates that this

FAT directory s

ocation table, tenable larger

the partition. 2012 servers. Yia.

d especially fot that works w

mber of media

ows operating on the disk, andon, in NTFS the

ways, such as bmance, reliabilit

control lists (A

erver 2008 R2 ervices (VSS), Ds a much highe

ed with WindoNTFS by offeri

dditionally, ReF

n be correctly l

zes are determand the first cluis the last clus

structure, and f

the original redisks, Microso

You should nYou might con

r flash drives. with a television

devices, such

systems begind there is no dere are no spe

better supportty, and disk sp

ACLs), which yo

roles and featDistributed Fileer level of secu

ows Server 201ng larger max

FS offers great

ocated.

mined by the sizuster number ster of the file,files are given

elease of FAT coft developed

ever use FAT onsider using FA

It can be usedn, which requias modern fla

nning with Windependence onecial locations o

t for metadatapace utilizationou can use for

ures such as Ae System (DFS)urity than FAT

2 to enhance ximum sizes foer resiliency, m

ze of the volumcontaining da, or points to tthe first open

could only acceFAT32. FAT32

or FAT32 as thAT or FAT32 to

d where FAT32res a disc thatt panel TVs, m

ndows NT Servn the underlyion the disk, su

, and the use on. NTFS also ha

auditing, file

Active Directory and File or FAT 32.

the capabilitieor individual filmeaning bette

me. ata is the n

ess

he file o

is not is

media

ver ng

uch as

of as

y®

es of es, r data

Reopw

Yoercher

htFo

W

ThWfil

•

•

•

•

•

•

•

•

•

Re

•

•

•

•

•

•

•

eFS uses featuperating syste

write to ReFS ha

ou should use rror checking ahoice was NTFrror checking,

Additionattp://go.microor more inform

Question: it?

What Is a R

he Resilient FilWindows Serve

le system, and

Metadata in

Expanded p

Maximizes of power (wexperience circumstanc

Large volum

Storage po

Data stripin

Disk scrubb

Resiliency t

Shared stor

eFS inherits so

BitLocker d

Access-con

Update seq

Change not

Symbolic lin

Volume sna

File IDs

res from NTFSm versions. Ward-drive parti

ReFS with verand correctionS), it makes sebetter reliabili

al Reading: Fosoft.com/fwlin

mation on how

What file syste

Resilient Fi

e System (ReFr 2012. ReFS is provides the f

ntegrity with c

protection aga

reliability, espwhile NTFS hascorruption in ces)

me, file, and di

oling and virtu

ng for perform

bing for protec

to corruptions

rage pools acro

ome features fr

rive encryptio

trol lists for se

quence numbe

tifications

nks, junction p

apshots

S, and is designindows 8 clienitions and to s

ry large volumn. Because ReFense to use ReFity, and less co

or more informnk/?LinkID=19w NTFS works,

em do you cur

le System?

FS) is a new feas based on thefollowing adva

checksums

ainst data corru

ecially during s been known similar

irectory sizes

ualization, whi

mance (bandwid

ction against la

with recovery

oss machines f

rom NTFS, incl

n

ecurity

er (USN) journa

points, mount

ned to maintaints or older Wihares on a ser

es and very larS was not avaFS with Windoorruption.

mation on how9652. see http://go.m

rrently use on

?

ature in e NTFS antages:

uption

a loss to

ch makes crea

dth can be ma

atent disk erro

for maximum

for additional

luding the follo

al

points and rep

20410A: Installin

in backward coindows client orver, just as the

rge file shares ilable prior to

ows Server 201

w FAT works, s

microsoft.com

your file serve

ating and man

anaged) and re

ors

m volume availa

failure toleran

owing:

parse points


ompatibility woperating systey can with tho

to overcome Windows Serv

12 instead of N

ee

m/fwlink/?LinkI

er? Will you co

naging file syst

edundancy for

ability

nce and load b

Windows Server® 20

with its older Wems can read ose running N

the NTFS limitver 2012 (the oNTFS to achiev

D=199654.

ontinue to use

ems easier

r fault toleranc

balancing

012 9-15

Windows and

NTFS.

tation of only

ve better

ce

9-16 Implemen

BecNTFhardimpcorr

Beyfiles

At

M

M

M

Mvo

M

M

M

Msy

Mpo

Wh

Witcreadire

Mo

Mousystdiskcomlettegain

Sincopethena nenamyou

nting Local Storage

ause ReFS useFS. Therefore, Wd-drive partitio

plied in its namrection, and sc

ond its greates, directories, d

ttribute

Maximum size o

Maximum size o

Maximum num

Maximum numolume

Maximum file n

Maximum path

Maximum size o

Maximum numystem

Maximum numool

hat Are Mo

h the NTFS anate mount poiectories, and vo

ount Points

unt points are ems to make a

k useable by thmmonly, mouner mappings son access to the

ce the Microsoerating system n use to mounew hard disk tome such as C:\d

are actually a

s a subset of fWindows 8 clieons and shares

me, the new filecalability.

r resiliency, Redisk volumes, a

of a single file

of a single volu

ber of files in a

ber of director

name length

length

of any storage

ber of storage

ber of spaces

ount Point

d ReFS file sysnts and links tolumes.

used in Windoa portion of a he operating synt points are aso that the ope

e disk through

oft Windows 20was first intro

nt a hard disk to a server, rathdatadrive to thccessing the n

eatures from Nents or older Ws on a server, je system offers

eFS also surpasand other item

ume

a directory

ries in a

e pool

e pools in a

in a storage

ts and Link

stems, you cano refer to files

ows operatingdisk or the enystem. Most ssociated with erating system

the drive lette

000 Server duced, you hato an empty foher than mounhe drive. Whennew hard disk.

NTFS, it is desiWindows clientust as they cans greater resilie

sses NTFS by oms, as listed in t

Limit

~16 exabyte

2^78 bytes w(2^64 * 16 *

Windows st

2^64

2^64

32,000 Unico

32,000

4 petabytes

No limit

No limit

ks?

n ,

g tire

drive can

er.

ave been able older that is locnting the driven you do this, a

gned to maintt operating syn with those ruency, meaning

offering larger the following t

es (EB) (18.446

with 16 KB clu* 2^10)

tack addressing

ode characters

(PB)

to enable volucated on anot

e using a drive any time you a

tain backwardystems can reaunning NTFS. g better data v

maximum sizetable.

6.744.073.709.5

uster size

g allows 2^64

s

ume mount pother drive. For letter, you can

access the C:\d

compatibility d and write toHowever, as

verification, err

es for individu

551.616 bytes)

4 bytes

oints, which yoexample, if yon assign a folddatadrive folde

with o ReFS

ror

ual

)

ou can ou add der er,


Volume mount points can be useful in the following scenarios:

• If you are running out of drive space on a server and you want to add disk space without modifying the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.

• If you are running out of available letters to assign to partitions or volumes. If you have several hard disks that are attached to the server, you may run out of available letters in the alphabet to which to assign drive letters. By using a volume mount point, you can add additional partitions or volumes without using more drive letters.

• If you need to separate disk input/output (I/O) within a folder structure. For example, if you are using an application that requires a specific file structure, but which uses the hard disks extensively, you can separate the disk I/O by creating a volume mount point within the folder structure.

Note: You can assign volume mount points only to empty folders on an NTFS partition. This means that if you want to use an existing folder name, you must first rename the folder, create and mount the hard disk using the required folder name, and then copy the data to the mounted folder.

Links

A link is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path. Windows supports the following two types of links:

• A symbolic file link (also known as a soft link)

• A symbolic directory link (also known as a directory junction)

A link which is stored on a server share could refer back to a directory on a client that is not actually accessible from the server where the link is stored. Because the link processing is done from the client, the link would work correctly to access the client, even though the server cannot access the client.

Links operate transparently: applications that read or write to files that are named by a link behave as if they are operating directly on the target file. For example, you can use a symbolic link to link to a Hyper-V® parent virtual hard disk file from another location. Hyper-V uses the link to work with the parent virtual hard drive (VHD) as it would use the original file. The benefit of using symbolic links is that you do not need to modify the properties of your differencing VHD.

Note: In Hyper-V, you can use a differencing virtual hard disk (VHD) to save space by making changes only to the child VHD, when the child VHD is part of a parent/child VHD relationship.

Links are sometimes easier to manage than mount points. Mount points force you to place the files on the root of the volumes, whereas with links you can be more flexible with where you save files.

You can create links in a Windows Explorer window, or by using the mklink.exe tool in a command-line interface window.


Demonstration: Creating Mount Points and Links

In this demonstration, you will see how to create a mount point and then assign it to a folder. Then you will see the process of creating a link between folders and a link for a file, and see how to use both links.

Demonstration Steps

Create a mount point

1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.

2. Open Computer Management, and then expand Disk Management.

3. In Disk Management, initialize Disk2 with GPT (GUID Partition Table).

4. On Disk 2, create a Simple Volume with the following parameters:

o Size: 4000 MB

o Do not assign a drive letter or drive path

o File system: NTFS

o Volume label: MountPoint

5. Wait until the volume is created, right-click MountPoint, and then click Change Drive Letter and Paths.

6. Change the drive letter as follows:

o Mount in the following empty NTFS folder

o Create new Folder C:\MountPointFolder and use it as mount point.

7. On the taskbar, open a Windows Explorer window, and then click Local Disk (C:). You should now see the MountPointFolder with a size of 4,095,996 KB assigned to it. Notice the icon that is assigned to the mount point.

Create a link between folders 1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32 with the name

System32 Shortcut.

2. In Windows Explorer, in the right pane, double-click System32 Shortcut. Notice how the shortcut path changes automatically to the correct path in the Address bar.

Create a link for a file

1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32\mspaint.exe and name it Paint Shortcut.

2. In Windows Explorer, in the right pane, double-click Paint Shortcut. Note how the link opens Paint. Using links can be very useful if you want to refer to a file such as a virtual hard disk that is located on another drive.

E

In20sodiVopM

Waw

•

•

•

•

•

voD

•

Tocm

ht

Fode

xtending a

n versions of W003 or Windowoftware to shriisk. Since Windista, this functperating syste

Management sn

When you wantware of the fo

You only haNTFS volumcannot be r

You can on

To extend aspace is not

You can extvolume witdisk fails, alpartitions, t

When you wthat you cathe requireexample, yo

Note: As olume before yuring the defr

If bad clust

o modify a volmdlet.


or more informe/library/cc73

and Shrink

Windows prior ws Vista®, you nk or extend adows Server 20ionality is inclum so you can nap-in to resiz

t to resize a vollowing:

ave the ability mes. FAT, FAT3resized.

nly extend ReFS

a volume, the t adjacent to t

tend a volumeh other disks, ll data on the vthus you canno

want to shrinkannot reclaim sment to shrinkou can remove

a best practiceyou shrink it. Tragment proce

ers are found

lume, you can


mation about h1894.

king Volum

to Windows Serequired addi

a volume on y003 and Winduded in the Wuse the Disk

ze NTFS volum

olume, you mu

to shrink or e32 or exFAT vo

S volumes, not

available disk the volume, yo

e using free spyou create a dvolume is lost.ot extend you

k a partition, imspace beyond k a partition me the page file

e for shrinkingThis method reess, you can ide

on the partitio

use Disk Man

or more inform/de-de/library/

how to shrink

mes

erver tional our ows indows

mes.

ust be

xtend olumes

t shrink them.

space must beou will not be a

ace on the samdynamic disk w. Also, a stripedr boot partitio

mmovable filesthe location w

more, you neede, shrink the vo

g volumes, youeturns the maxentify any imm

on, you will no

agement, the

mation about h/cc771473.

a basic volume

20410A: Installin

e adjacent to table to extend

me disk as welwith a striped vd volume cann

ons by using an

s such as pagewhere these filed to delete or molume, and the

u should defragximum amoun

moveable files.

ot be able to sh

Diskpart.exe t

how to extend

e, see http://te


the volume thad the disk.

ll as other diskvolume. In a stnot contain bonother disk.

e files are not res are on the vmove the immen add the pag

gment the filent of free disk s.

hrink it.

ool, or the Res

d a basic volum

echnet.microso

Windows Server® 20

at is extended

ks. When you etriped volume,oot or system

relocated. Thisvolume. If you

movable files. Fge file back ag

s on the space.

size-Partition

me, see

oft.com/de-

012 9-19

. If free

extend a , if one

s means have

For gain.

n

9-20 Implemen

Lesson 3Implem

Manadmphy

SANexpthathow

Manadmphy

SANexpthathow

Les

Afte

•

•

•

•

Wh

StorthatWinNTFandexteYouof acreaprimdo nmul

To c

•

•

nting Local Storage

3 mentingnaging physica

ministrators. Toysical disks tog

Ns require specensive. To ovet pools disks tow to configure

naging physicaministrators. Toysical disks tog

Ns require specensive. To ovet pools disks tow to configure

sson Objecti

er completing

Describe the

Describe vario

Describe adva

Configure Sto

hat Is the S

rage Spaces is t is built into Wndows 8. It is aFS and ReFS vo pooled storag

ernal drives of u can use Storaany type and siate highly avaimary advantagnot manage siltiple disks as o

create a highly

Disk drive. Thusing a drive

Virtual disk (oapplications. in-time (JIT) asuch as mirro

g Storagal disks that aro overcome thether.

cial configuratercome these isogether and pand implemen

al disks that aro overcome thether.

cial configuratercome these isogether and pand implemen

ives

this lesson, yo

use of Storage

ous options fo

anced manage

orage Spaces.

Storage Sp

a storage virtuWindows Serve feature that is

olumes, that prge for numerodiffering sizes

age Spaces to aize to a storaglable virtual d

ge of Storage Sngle disks, butone unit.

y-available virt

his is a volume letter.

or storage spacHowever, virtuallocations, andoring.

ge Spacre attached diris problem, ma

ion, however, ssues, you canresents them tnt the Storage

re attached diris problem, ma

ion, however, ssues, you canresents them tnt the Storage

ou will be able

e Spaces.

or configuring

ement options

paces Feat

ualization capaer 2012 and s available for rovides redund

ous internal ans and interfaceadd physical de pool, and thisks from it. Th

Spaces is that yt can manage

tual disk, you n

that you can a

ce). This is veryual disks are md they include

ces rectly to a servany organizati

and sometimen use Storage Sto the operatine Spaces featur

rectly to a servany organizati

and sometimen use Storage Sto the operatine Spaces featur

to:

virtual disks.

s for Storage S

ure?

ability

both dancy d

es. disks hen he you

need the follow

access from yo

y similar to a pmore flexible bee resiliency to p

ver has provenions used SAN

es special hardSpaces, which ing system as are.

ver has provenions used SAN

es special hardSpaces, which ing system as are.

paces.

wing:

our Windows o

physical disk froecause they inphysical disk fa

n to be a tedioNs that essentia

dware, which mis a Windows Sa single disk. T

n to be a tedioNs that essentia

dware, which mis a Windows Sa single disk. T

operating syste

om the perspenclude thin proailures with bu

us task for ally grouped

makes them Server 2012 fe

This lesson exp

us task for ally grouped

makes them Server 2012 fe

This lesson exp

em, for examp

ective of users ovisioning or juuilt-in function

eature lains

eature lains

ple, by

and ust-nality

•

•

V

YoyoyocoMcoth

Storage poovirtual disksattached to

Physical disstorage poo

o One phrequire

o A miniparity.

o Three-w

o Disks m

o Disks cIf you w

Virtual Disk

ou can create our storage poou can also creonfigure virtua

Manager or Winonsider the redhe following ta

Feature

Storage layou

ol. A storage ps. You can add

o another stora

sk. Physical disol, the disks ne

hysical disk is red to create a

mum of three

way mirroring

must be blank

can be attachewant to use fa

k Configur

virtual disks frool contains meate redundanal disks or Storndows PowerSdundancy funcable.

Desc

ut Thisallo

• SlothSDfa

• Todedgaw

• PinSfa

pool is a collectd to a storage age pool.

ks are disks sueed to satisfy t

required to creresilient mirro

physical disks

requires at lea

and unformat

d using a varieilover clusterin

ration Opt

rom storage pomore than one nt virtual disks.rage Spaces in Shell, you needctionality show

cription

s feature definocated. Valid o

Simple. A simplogically sequehese sequentia

Striping makes Do not host imailover capabi

Two-way and tof the data thadata copies forensure that all data across mugreater data tha risk of corrupwhen writing d

Parity. A parity nformation, is Spaces to contiailed. Parity is

tion of one or pool any avail

uch as SATA orthe following r

eate a storage r virtual disk.

are required t

ast five physic

ted; no volum

ety of bus inteng with storag

tions

ools. If disk, . To Server

d to wn in

nes the numbeoptions include

le space has dantial data is seal segments cait possible to

mportant data olities when the

three-way mirrt they host (tw

r three-way midata copies ar

ultiple physicalhroughput andpting at-rest dadata.

space is very striped acrossinue to servicealways rotated

20410A: Installin

more physicaable physical d

r SAS disks. If yrequirements:

pool; a minim

to create a virt

al disks.

me must exist o

rfaces includine pools, you c

er of disks frome:

ata striping buegmented acroan be made toaccess multipon a simple voe disk that is st

rors. Mirror spawo data copiesirrors). Duplicare always curre drives. Mirror

d lower access ata, and do no

similar to a sim multiple phys

e read and writd across availa


l disks that yodisk that is not

you want to ad

mum of two ph

tual disk with

on them.

ng iSCSI, SAS, Scannot use SAT

m the storage p

ut no redundaoss all disks in o different phyle segments o

olume, becausetoring the data

aces maintain s for two-way ation happens ent. Mirror spar spaces providlatency. They

ot require the e

mple space. Dasical drives. Pate requests ev

able disks to en

Windows Server® 20

u can use to ct formatted or

dd physical dis

hysical disks is

resiliency thro

SATA, SCSI, anTA, USB or SCS

pool that are

ncy. In data sta way that acc

ysical storage df data concurre it provides na fails.

two or three cmirrors and thwith every wr

aces also stripede the benefit also do not inextra journalin

ata, along withrity enables Sten when a drivnable I/O

012 9-21

reate r

sks to a

ough

nd USB. SI disks.

triping, cess to drives. rently. no

copies hree ite to

e the of troduce

ng stage

h parity torage ve has


Feature Description

optimization. Storage spaces require a minimum of three physical drives for parity spaces. Parity spaces have increased resiliency through journaling.

Disk sector size A storage pool’s sector size is set when it is created. If the list of drives being used contains only 512 and/or 512e drives, then the pool is defaulted to 512e. If, however, the list contains at least one 4-KB drive, then the pool sector size is defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size that all contained spaces in the pool will inherit. After an administrator defines this, the Windows operating system will only permit you to add drives that have a compliant sector size, that is: 512 or 512e for a 512e storage pool, and 512, 512e, or 4 KB for a 4-KB pool.

Drive allocation • This defines how the drive is allocated to the pool. Options are:

• Data Store. This is the default allocation when any drive is added to a pool. Storage spaces can automatically select available capacity on data-store drives for both storage space creation and JIT allocation.

• Manual. Administrators can choose to specify manual as the usage type for drives that are added to a pool. A manual drive is not used automatically as part of a storage space unless it is specifically selected at the creation of that storage space. This usage property makes it possible for administrators to specify particular types of drives for use by only certain Storage Spaces.

• Hot Spare. Drives added as Hot-Spares to a pool are reserve drives that are not used in the creation of a storage space. If a failure occurs on a drive that is hosting columns of a storage space, a reserve drive is called upon to replace the failed drive.

Provisioning schemes

• You can provision a virtual disk by using two different schemes:

• Thin provisioning space. Thin provisioning is a mechanism that allows storage to be easily allocated on a just-enough and JIT basis. Storage capacity in the pool is organized into provisioning slabs that are not allocated until the point in time when datasets grow to require the storage. As opposed to the traditional fixed storage allocation method—where large pools of storage capacity are allocated but may remain unused—thin provisioning optimizes utilization of available storage. Organizations are also able to save on operating costs such as electricity and floor space that are associated with keeping unused drives operating. The downside of using thin provisioning is lower performance of your disks.

• Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also employ the flexible provisioning slabs. The difference between thin provisioning and a fixed provisioning space is that the storage capacity in the fixed provisioning space is allocated at the same time that the space is created.

Cluster disk requirement

Failover clustering prevents interruption to workloads or data in the event of a machine failure. For a pool to support failover, clustering all assigned drives must support a multi-initiator protocol, such as SAS.

Note: You can use Storage Spaces to create both thin and fixed provisioning virtual disks within the same storage pool. Having both provisioned types in the same storage pool is convenient, particularly when they are related to the same workload. For example, you can choose to have a thin provisioning space to host a database and a fixed provisioning space to host its log.

A

SemSetocrexpandi

Facoporpoda

Wex

W

ht

D

In

D

C

1.

Question: available on

Advanced M

erver Managermanagement oerver Managero and remove reate, managexample, in Servhysical disks thnd Server Manisks are unhea

ailed disks in aorrected by reroblem. Tools r chkdsk do nool. The new daily maintenan

Windows Powexamples of the

Windows Pow

Get-StorageP

Get-VirtualD

Repair-Virtu

Get-Physical“Healthy”}

Reset-Physic

Get-VirtualD


Demonstra

n this demonst

Demonstrati

Create a stor

. On LON-SV

What do you cn the physical

Managem

r provides youf virtual disks ar, you can creaphysical disks , and delete viver Manager yhat are attachenager will displlthy.

a virtual disk omoving the disuch as defragot apply for re

disk will automnce, or you can

rShell® providee command-lin

werShell cmdle

Pool

Disk

alDisk

Disk | Where

calDisk

Disk | Get-Phy

al Reading: Tomicrosoft.com/

ation: Conf

tration, you wi

ion Steps

rage pool

VR1, in Server

call a virtual ddisks portion

ent Optio

with basic and storage poate storage pofrom pools, anirtual disks. Foyou can view ted to a virtual lay if any of th

r storage poolsk that is causgmenting, scanepairing a stor

matically resyncn trigger it ma

es advanced mne interfaces a

et

{$_.HealthSta

ysicalDisk

o learn more a/en-us/library/

figuring St

ll see how to c

Manager, acce

isk that is largeof the storage

ns for Stor

ools. In ols, add nd r he disk,

hese

are ing the n disk. age pool. To rchronize whennually.

management ore listed in the

atus –ne

about storage /hh848705.asp

torage Spa

create a storag

ess File and St

20410A: Installin

er than the ame pool?

rage Space

replace a failedn disk mainten

options for virte following tab

Description

Lists storag

Lists virtual

Repairs a V

Lists unhea

Removes a

Lists physicdisk

cmdlets in Wipx.

aces

ge pool, a simp

torage Service


mount of disk s

es

d disk, you addnance occurs. T

tual disks and ble.

n

ge pools

l disks

Virtual Disk

althy physical d

physical disk f

cal disks that a

indows PowerS

ple virtual disk

es and Storag

Windows Server® 20

space

d a new disk toThis will occur

storage pools.

disks

from a storage

re used for a v

Shell, see

k, and a volum

ge Pools.

012 9-23

o the during

. Some

e pool

virtual

e.


2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and add all of the available disks.

Create a simple virtual disk and a volume

1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:

o Storage pool: StoragePool1

o Disk name: Simple vDisk

o Storage layout: Simple

o Provisioning type: Thin

o Size: 2 GB

2. On the View results page, wait until the creation is completed, make sure the Create a volume when this wizard closes check box is selected.

3. In the New Volume Wizard, create a volume with these settings:

o Virtual disk: Simple vDisk

o File system: ReFS

o Volume label: Simple Volume


Lab: Implementing Local Storage Scenario


You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.

Your manager has asked to add disk space to a file server. After creating volumes, your manager has also asked you to resize those volumes based on updated information he has been given. Finally, you need to make data storage redundant by creating a 3-way mirrored virtual disk.


• Install and configure a new disk.

• Resize volumes.

• Configure a storage pool.

• Configure a redundant storage space.



20410A-LON-SVR1


Password Pa$$w0rd


On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.






o Domain: Adatum

4. Repeat steps 1 to 3 for 20410A-LON-SVR1.


Exercise 1: Installing and Configuring a New Disk

Scenario

The file server in your branch office is low on disk space. You need to add a new disk to the server and create volumes based on specifications provided by your manager.


1. Initialize a new disk.

2. Create and format two simple volumes on the disk.

3. Verify the drive letter in a Windows® Explorer window.

Task 1: Initialize a new disk 1. Log on to LON-SVR1 with username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, open Computer Management, and then access Disk Management.

3. Initialize Disk 2 and configure it to use GPT (GUID Partition Table).

Task 2: Create and format two simple volumes on the disk 1. In the Computer Management console, on Disk 2, create a Simple Volume with the following

attributes:

o Volume size: 4000 MB

o Drive Letter: F

o File system: NTFS

o Volume label: Volume1

2. In the Computer Management console, on Disk 2, create a Simple Volume with the following attributes:

o Volume size: 5000 MB

o Drive Letter: G

o File system: ReFS

o Volume label: Volume2

Task 3: Verify the drive letter in a Windows® Explorer window 1. Use Windows Explorer to make sure you can access the following volumes:

o Volume1 (F:)

o Volume2 (G:),

2. On Volume2 (G:), create a folder named Folder1.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.


Exercise 2: Resizing Volumes

Scenario

After installing the new disk in your file server, you are contacted by your manager who indicates that the information he gave you was incorrect. He now needs you to resize the volumes without losing any data.


1. Shrink Volume1.

2. Extend Volume2.

Task 1: Shrink Volume1 • Use Disk Management to shrink Volume1 (F:) by 1000 MB.

Task 2: Extend Volume2 1. Use Disk Management to extend Volume2 (G:) by 1000 MB.

2. Use Windows Explorer to verify that the folder Folder1 is still on drive G.

Results: After this lab, you should have made one volume smaller, and extended another.

Exercise 3: Configuring a Redundant Storage Space

Scenario

Your server does not have a hardware-based RAID card, but you have been asked to configure redundant storage. To support this feature, you need to create a storage pool.

After creating the storage pool, you will also need to create a redundant virtual disk. As the data is critical, the request for redundant storage specifies that you need to use a three-way mirrored volume. Shortly after the volume is in use, a disk fails and you have to add another disk to the storage pool to replace it.


1. Create a storage pool from five disks that are attached to the server.

2. Create a three-way mirrored virtual disk.

3. Copy a file to the volume, and verify that it is visible in Windows Explorer.

4. Remove a physical drive.

5. Verify that the mspaint.exe file is still accessible.

6. Add a new disk to the storage pool.

7. To prepare for the next module.

Task 1: Create a storage pool from five disks that are attached to the server 1. On LON-SVR1, open Server Manager.

2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.

3. Create a storage pool with the following settings:

o Name: StoragePool1

o PhysicalDisk3

o PhysicalDisk4


o PhysicalDisk5

o PhysicalDisk6

o PhysicalDisk7

Task 2: Create a three-way mirrored virtual disk 1. On LON-SVR1, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with the following

settings:

o Storage pool: StoragePool1

o Name: Mirrored Disk

o Storage Layout: Mirror

o Resiliency settings: Three-way mirror

o Provisioning type: Thin

o Virtual disk size: 10 GB

2. In the New Volume Wizard, create a volume with the following settings:

o Virtual disk: Mirrored Disk

o Drive letter: H

o File system: ReFS

o Volume label: Mirrored Volume

Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer 1. On the Start screen, type command prompt, and then press Enter.

2. Type the following command:

Copy C:\windows\system32\mspaint.exe H:\

3. Open Windows Explorer from the taskbar, and access Mirrored Volume (H:). You should now see mspaint.exe in the file list.

Task 4: Remove a physical drive • On Host machine, in Hyper-V Manager, in the Virtual Machines pane, change 20410A-LON-SVR1

settings to the following:

o Remove Hard Drive 20410A-LON-SVR1-Disk5.vhdx.

Task 5: Verify that the mspaint.exe file is still accessible 1. Switch to LON-SVR1.

2. Use Windows Explorer and browse to H:\mspaint.exe to ensure access to the file is still available.

3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button. Notice the warning that displays next to Mirrored Disk.

4. Open Mirrored Disk Properties, and access the Health pane. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.


Task 6: Add a new disk to the storage pool 1. Switch to LON-SVR1.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button.

3. In the STORAGE POOLS pane, right-click StoragePool1, click Add Physical Disk, and then click PhysicalDisk8 (LON-SVR1).

Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.

To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.




4. Repeat steps 2 and 3 for 20410A-LON-SVR1.



Question: Your current volume runs out of disk space. You have another disk available in the same server. What actions in Windows can you perform to help you add disk space?

Question: What are the two different types of disks in Disk Management?

Question: What are the most important implementations of RAID?

Question: You attach five 2 TB disks to your Windows Server 2012 computer. You want to manage them almost automatically, and if one disk fails, you want to make sure the data is not lost. What feature can you implement to accomplish this?

Best Practices The following are recommended best practices:

• If you want to shrink a volume, defragment the volume first so you can reclaim more space from the volume.

• Use the GPT partition table format for disks larger than 2 TB.

• For very large volumes, use ReFS.

• Do not use FAT or FAT32 on Windows Server disks.

• Use the Storage Spaces feature to let the Windows operating system manage your disks.

Tools


Disk Management • Initialize disks.

• Create and modify volumes.

In Server Manager on the Tools menu (part of Computer Management)

Diskpart.exe • Initialize disks.

• Create and modify volumes from a command prompt.

Command prompt

Mklink.exe • Create a symbolic link to a file or folder. Command prompt

Chkdsk.exe • Check a disk for a NTFS–formatted volume. Cannot be used for ReFS or Virtual Disks.

Command prompt

Defrag.exe • Disk defragmentation tool for NTFS–formatted volumes. Cannot be used for ReFS or Virtual Disks.

Command prompt

10-1

Module 10 Implementing File and Print Services


Lesson 1: Securing Files and Folders 10-2

Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15

Lesson 3: Configuring Network Printing 10-18

Lab: Implementing File and Print Services 10-23


Module Overview

Accessing files and printers on the network is one of the most common activities in the Windows Server® environment. Reliable, secure access to files and folders and print resources is often the first requirement of a Windows Server 2012-based network. To provide access to file and print resources on your network, you must understand how to configure these resources within Windows Server 2012 server, and how to configure appropriate access to the resources for users in your environment.

This module discusses how to provide these important file and print resources from Windows Server 2012. You will learn how to enable and configure file and print services in Windows Server 2012, and you will learn important considerations and best practices for working with file and print services.

Objectives


• Secure shared files and folders.

• Protect shared files and folders by using shadow copies.

• Configure network printing.

10-2 Implemen

Lesson Securin

Thedataof m

Thisserv

Les

Afte

•

•

•

•

•

•

•

Wh

NTFon aThefoldfold

TheNTF

•

•

•

•

NT

The

StaStanassi

nting File and Print S

1 ng Files files and foldea. Providing apmanaging file a

s lesson gives yvers, so that yo

sson Objecti

er completing

Explain NTFS

Describe a sh

Explain perm

Explain how e

Explain acces

Describe Offl

Create and co

hat Are NT

FS permissionsa storage drive permissions t

ders govern useders.

following poiFS permissions

NTFS permissindividual filefolders.

NTFS permissto objects tha

NTFS permisssuch as read o

NTFS permissassigned to a

FS Permissi

re are two ass

ndard Permindard permissgn standard p

ervices

s and Foers that your sppropriate accand print servi

you informatioour organizatio

ives

this lesson, yo

file system pe

ared folder.

issions inherita

effective perm

s-based enum

ine files.

onfigure a sha

TFS Permis

are assigned te that is formahat you assigner access to th

nts describe th:

sions can be ase or folder, or s

sions can be asat include user

sions are contror write.

sions can be in folder are also

ion Types

ignable NTFS

issions ions provide thermissions in t

olders servers store tycess to these fices in Window

on necessary toon’s data is ava

ou will be able

ermissions.

ance.

issions work w

meration.

red folder.

ssions?

to files or foldtted with NTF

n to NTFS files hese files and

he key aspects

ssigned to an sets of files or

ssigned individrs, groups, and

rolled by deny

nherited from po assigned to

permissions ca

he most commthe main NTFS

ypically containles and folders

ws Server 2012

o secure files aailable and pro

to:

when you acce

ers S. and

s of

dually d computers.

ing or grantin

parent foldersnewly created

ategories: stan

monly used peS Permissions A

n your organizs, usually over 2.

and folders onotected.

ss shared folde

g specific type

. By default, th folders or file

ndard, and adv

rmission settinAssignment w

zation’s businethe network,

n your Window

ers.

es of NTFS file

he NTFS permies within that p

vanced.

ngs for files anindow.

ess and functiois an importan

ws Server 2012

and folder ac

issions that areparent folder.

nd folders. You

onal nt part

cess,

e

u


The following table details the standard permissions options for NTFS files and folders.

File permissions Description

Full Control Grants the user complete control of the file or folder, including control of permissions.

Modify Grants the user permission to read, write, or delete a file or folder, including creating a file or folder.

Read and Execute Grants the user permission to read a file and start programs.

Read Grants the user permission to see file or folder content and start programs.

Write Grants the user permission to write to a file.

List folder contents (folders only)

Grants the user permission to view a list of the folder’s contents.

Note: Granting users Full Control permissions on a file or a folder gives them the ability to perform any file system operation on the object, and the ability to change permissions on the object. They can also remove permissions on the resource for any or all users, including you.

Advanced Permissions

Advanced permissions can provide a much greater level of control over NTFS files and folders. Advanced permissions are accessible by clicking the Advanced button, and then accessing the Security tab of a file or folder’s Properties sheet.

The following table details the Advanced permissions for NTFS files and folders.


Traverse Folder/Execute File

The Traverse Folder permission applies only to folders. This permission grants or denies the user’s ability to browse through folders to reach other files or folders, even if the user has no permissions for the traversed folders. The Traverse Folder permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right.

The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

The Execute File permission grants or denies access to program files that are running.

If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data

The List Folder permission grants the user permission to view file names and subfolder names. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder on which you are setting the permission is listed in the folder list. In addition, this setting has no effect on viewing the file structure from a command-line interface.

The Read Data permission grants or denies the user permission to view data in files. The Read Data permission applies only to files,

10-4 Implementing File and Print Services


Read Attributes The Read Attributes permission grants the user permission to view the basic attributes of a file or a folder such as read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes

The Read Extended Attributes permission grants the user permission to view the extended attributes of a file or folder. Extended attributes are defined by applications, and can vary by application.

Create Files/Write Data

The Create Files permission applies only to folders, and grants the user permission to create files in the folder.

The Write Data permission grants the user permission to make changes to the file and overwrite existing content by NTFS. The Write Data permission applies only to files.

Create Folders/Append Data

The Create Folders permission grants the user permission to create folders in the folder. The Create Folders permission applies only to folders.

The Append Data permission grants the user permission to make changes to the end of the file, but not to delete or overwrite existing data. The Append Data permission applies only to files.

Write Attributes The Write Attributes permission grants the user permission to change the basic attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.

The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Write Extended Attributes

The Write Extended Attributes permission grants the user permission to change the extended attributes of a file or folder. Extended attributes are defined by programs, and can vary by program.

The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.

Delete Subfolders and Files

The Delete Subfolders and Files permission grants the user permission to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file. The Delete Subfolders and Files permission applies only to folders.

Delete The Delete permission grants the user permission to delete the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.

Read Permissions Read Permissions grants the user permission to read permissions about the file or folder, such as Full Control, Read, and Write.

Change Permissions Change Permissions grants the user permission to change permissions on the file or folder, such as Full Control, Read, and Write.



Take Ownership The Take Ownership permission grants the user permission to take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize The Synchronize permission assigns different threads to wait on the handle for the file or folder, and then synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.

Note: Standard permissions are combinations of several individual Advanced permissions that are grouped into commonly file and folder usage scenarios.

NTFS Permissions Examples The following are basic examples of assigning NTFS permissions.

Example 1

For the Marketing Pictures folder, an administrator has chosen to assign Adam Carter Allow permissions for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have Read access to the files and folders that are contained in the Marketing Pictures folder.

Example 2 When applying NTFS permissions, the results are cumulative. For example, let us carry on with the given example and say that Adam Carter is also a part of the Marketing group. The Marketing group has been given Write permissions on the Marketing Pictures folder. When we combine the permissions assigned to Adam Carter’s user account with the permissions assigned to the Marketing group, Adam would have both Read and Write permissions for the Marketing Pictures folder.

Important Rules for NTFS Permissions There are two groupings of NTFS permissions:

• Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a file or a folder take precedence over those that are inherited from a parent folder.

• Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any Deny permissions that exist override conflicting Allow permissions within the group.

Therefore, taking these rules into account, NTFS permissions apply in the following order:

1. Explicit Deny

2. Explicit Allow

3. Inherited Deny

4. Inherited Allow

It is important to remember that NTFS permissions are cumulative, and these rules apply only when two NTFS permission settings conflict with each other.

Note: Permissions inheritance is discussed in more detail later in this lesson.

10-6 Implemen

Ho

You

1.

2.

3.

Wh

ShaacceWheconsimumaiNTFconan eare

Mosto hfolddep

file

AccUseaddsharexam

Sha

Win

•

•

•

•


w to Config

u can view and

Right-click th

In the Properthat have bee

To open an eusers or grou

hat Are Sh

red folders areess to files on yen you share atents are madultaneously ovntain a separa

FS permissionstents. These pextra level of smade availabl

st organizationhost shared folders according partment in on

Note: The sor a group of

cessing a Shrs typically acc

dress. The UNCred folder nammple, the UNC

aring a Fold

ndows Server 2

Select the appselect the New

Use the File Son the Sharin

Use AdvancedProperties wi

Use the Netsh

ervices

gure NTFS P

configure NT

e file or folder

rties window, cen assigned pe

ditable permisps, click the Ed

hared Folde

e a key compoyour server froa folder, the foe available to

ver the networate set of perm, which apply ermissions areecurity for filee on the netw

ns deploy dedders. You can to categories e shared folde

sharing procesfiles.

hared Foldecess a shared f

C address contame, separated bC path for the

der on the N

2012 provides

propriate drivew Share task.

Sharing Wizardng tab of the f

d Sharing by cndow.

h command-li

Permissions

FS permission

r for which you

click the Securermissions to v

ssions dialog bdit button.

ers?

onent to grantiom the networolder and all ofmultiple users

rk. Shared foldmissions from t

to the folder’se used to provis and folders t

work.

icated file servstore files in sor functions. F

er, and shared

s applies only

r folder over theains the nameby a backwardSales shared fo

Network

different ways

e, and then in

d, either from tfolder’s Proper

clicking the Ad

ne tool from a

s by following

u want to assig

rity tab. In thisview the specif

box so that you

ing rk. f its s ers he

s ide that

vers hared For example, yfiles for the M

to the folder l

e network by u of the server

d slash (\) and older on the L

s to share a fol

the Files and S

the folder’s rigrties window.

dvanced Shari

a command–lin

these steps:

gn permissions

s tab, you can fic permissions

u can modify e

you can put shMarketing depa

level. You cann

using its Univeon which the fpreceded by t

LON-SVR1 serv

lder:

Storage Servic

ght-click menu

ing button on

ne window.

s, and then cli

select the currs assigned to e

existing permi

hared files for tartment in ano

not share an in

ersal Naming Cfolder is hostetwo backward ver would be \

ces section in S

u, or by clicking

n the Sharing t

ck Properties

rent users or geach principal.

ssions or add

the Sales other.

ndividual

Convention (UNed, and the act

slashes (\\). Fo\\LON-SVR1\Sa

Server Manage

g the Share b

tab of the fold

.

groups

new

NC) tual or ales.

er,

utton

der’s


Note: When sharing a folder, you will be asked to give the shared folder a name. This name does not have to be the same name as the actual folder. It can be a descriptive name that better describes the folder contents to network users.

Administrative Shares

You can create administrative (or hidden) shared folders that need to be available from the network, but should be hidden from users browsing the network. You can access an administrative shared folder by typing in its UNC path, but the folder will not display if you browse the server by using a Windows® Explorer window. Administrative shared folders also typically have a more restrictive set of permissions assigned to the shared folder to reflect the administrative nature of the folder’s contents.

To hide a shared folder, append the dollar symbol ($) to the folder’s name. For example, a shared folder on LON-SVR1 named Sales can be made into a hidden shared folder by naming it Sales$. The shared folder is accessible over the network by using the UNC path \\LON-SVR1\Sales$.

Note: Shared folder permissions apply only to users who access the folder over the network. They do not affect users who access the folder locally on the computer where the folder is stored.

Shared Folder Permissions Just like NTFS permissions, you can assign shared folder permissions to users, groups, or computers. However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or folders within the shared folder. Shared folder permissions are set once for the shared folder, itself and apply universally to the entire contents of the shared folder for users who access the folder over the network.

When you create a shared folder, the default assigned shared permission for the Everyone group is set to Read.

The following table lists the permissions that you can grant to a shared folder.

Shared folder permission Description

Read Users can view folder and file names, view file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.

Change Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.

Full Control Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

Note: When you assign Full Control permissions on a shared folder to a user, that user can modify permissions on the shared folder, which includes removing all users, including you, from the shared folders permissions list. In most cases, you should grant Change Permission instead of Full Control permission.

10-8 Implemen

Pe

By dinhea fofoldthat(parstru

Ho

Con

Ad

M

Ne

Fo

M

M

Ne

Fa

In ththe

•

•

•

•

Per

SompareIn thexpprec


rmissions

default, NTFS aeritance to pro

older structure.der, it is automt are set on anrent folders) incture.

w Inheritan

nsider the follo

dam Carter

arketing grou

ew York Editor

lder or File

arketing (folde

arketing Pictu

ew York (folde

all_Composite.j

his example, Afolder structu

The top-levelRead access.

In the next lepermissions inthat are set o

In the third leYork Editors. the Read permobjects, cumu

The fourth anset for this filefrom both the

rmission Co

metimes, explicent folder. In the given examlicitly granted cedence over t

ervices

Inheritanc

and shared folopagate permi. When you creatically assigny folders that

n the hierarchy

nce Is Applie

owing example

p

rs group

er)

res (folder)

er)

jpg (file)

Adam is a memre. They are as

folder, Marke

vel, the Markenheritance, Adn the Marketin

evel, the New YIn addition to mission from tulating with an

nd last level is te, Adam has be Marketing fo

onflicts

citly set permisthese cases, the

mple, if Adam CWrite access tthe inherited d

ce

ders use ssions througheate a file or aed the permisexist above it

y of the folder

ed

e structure:

Assigned

Read – M

None set

Write – N

None set

mber of two gros follows:

eting, has an as

eting Pictures fdam has Read ng folder.

York folder hathis explicitly

the Marketing ny explicit Rea

the Fall_Compboth Read and older and the N

ssions on a filee explicitly assCarter was dento the New Yodeny Write acc

hout a sions

Permissions

Marketing

New York Edito

oups that are

ssigned permi

folder has no eaccess to this

s Write permisassigned Writefolder. These d and Write pe

posite.jpg file. Write access t

New York fold

e or folder will signed permissnied Write acceork folder, the gcess permissio

A

ors

R

R

R

R

assigned perm

ssion for the M

explicit permisfolder and its

ssions assignede permission, tpermissions permissions set

Even though nto the file due

der.

conflict with psions always ovess to the paregranted Writen.

Adam’s Permis

Read

Read (inherited

Read(i) + Write

Read(i) + Write

missions for file

Marketing Gro

ssions set, but contents from

d to one of Adthe New York

pass down to fit on those files

no explicit per to the inherit

permissions inverride the inhent Marketing e access permis

ssions

d)

e

e(i)

es or folders w

oup giving them

because of m the permissio

dam’s groups—folder also inhle and folder

s.

missions have ed permission

herited from aherited permisfolder, but the

ssions would t

within

m

ons

—New herits

been s

a sions. en ake

B

YoexanTo

•

•

•

•

Are

R

Aanreinpeovun

E

AgWpefa

•

•

•

Efba

•

•

Blocking Inh

ou can also disxplicitly defineny parent foldo block inherit

Right-click

In the Prop

In the Adva

In the next

t this point, yoemove all inhe

Resetting De

fter you blockn effect on theeset that behavnheritable perermissions on verride all expnder the Inclu

ffective Pe

ccess to a file ranted based o

When a user attermission thatactors, includin

Explicitly dethat apply t

Explicitly dethat apply tbelongs.

How the uslocally, or o

ffective NTFS pased on the fa

Cumulativeto all the ghas Read pcumulative

Deny permoverride aninherited Dexplicit Allo

heritance

sable the inhee permissions fers. Windows tance on a file

the file or fold

perties window

anced Security

Advanced Sec

ou are promptrited permissio

efault Inheri

inheritance, ce permissions fvior from one rmissions fromthe current folicitly assigned

ude inheritabl

ermissions

or folder in Won a combinattempts to accet applies is depng:

efined and inhto the user.

efined and inhto the groups

ser is accessingover the netwo

permissions areactors listed ab

e permissions aroups of whichermission and Modify permi

issions overridn inherited DenDeny permissioow overrides th

ritance behavifor a set of objServer 2012 por folder, com

der where you

w, click the Sec

y Settings wind

curity Settings

ed to either coons from the o

itance Beha

changes made for the child oof the parent m this object

older are propad permissions fle permission

s

Windows Servertion of permissess a file or folpendent on va

herited permiss

herited permissto which the u

g the file or folork.

e the cumulativbove. The follow

are the combinh the user is a is a member o

issions.

de equivalent Any permission.n, but is expliche inherited D

or for a file orjects without irovides an opt

mplete the follo

want to block

urity tab, and

dow, click the C

window, click

onvert the inheobject to start

avior

to permissionbject (and its cfolders by selecheck box. W

agated down tfor those files s from this ob

r 2012 is sions. der, the rious

sions

sions user

lders—

ve permissionswing principle

nation of the hmember. For eof a group tha

Allow permissi For example, citly granted W

Deny for the pa

20410A: Installin

r a folder (and ncluding any otion for blockiowing steps:

k inheritance, a

then click the

Change Perm

the Disable i

erited permisswith a blank p

ns on the parencontents) thatecting the Rep

When you selecto all child objand folders. Tbject’s parent

s that are assiges determine e

highest NTFS pexample, if a u

at has Modify p

ions. However,if a user is den

Write access toarticular subfo


its contents) oof the inheriteng inheritance

and then click

e Advanced b

missions button

nheritance bu

sions into explpermissions sla

nt folder structhas blocked in

place all childt this check boects in the treehis check box t check box.

gned to a usereffective NTFS

permissions gruser is a membpermission, th

, an explicit Alnied Write acc

o a subfolder older or file.

Windows Server® 20

on an NTFS dred permissionse on a file or a

Properties.

utton.

n.

utton.

icit permissionate.

ture no longernheritance, un objects with ox, the existinge structure, anis located dire

r for a file of fopermissions:

ranted to the uber of a groupe user is assign

low permissiocess to a folderor a particular f

012 10-9

ive to from folder

ns or

r have nless you g set of nd ectly

older

user and p that ned

n can r via an file, the


• You can apply permissions to a user or to a group. Assigning permissions to groups is preferred because they are more efficient than managing permissions that are set for many individuals.

• NTFS file permissions take priority over folder permissions. For example, if a user has Read permission to a folder, but has been granted Modify permission to certain files in that folder, the effective permission for those files will be set to Modify.

• Every object in an NTFS drive or in Active Directory® Domain Services (AD DS) is owned. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user who creates a file in a folder where they have Modify permissions can change the permissions on the file to Full Control.

Effective Permissions Tool

Windows Server 2012 provides an Effective Permissions tool that shows the effective NTFS permissions on a file or folder for a user, based on permissions assigned to the user account and groups that the user account belongs to. You can access Effective Permissions tool by using the following steps:

1. Right-click the file or folder for which you want to analyze permissions, and then click Properties.

2. In the Properties window, click the Advanced button.

3. In the Advanced Security Settings window, click the Effective Permissions tab.

4. Choose a user or group to evaluate by using the Select button.

Combining NTFS Permissions and Shared Folder Permissions

NTFS permissions and shared folder permissions work together to control access to file and folder resources that are accessed from a network. When you configure access to network resources on an NTFS drive, use the most restrictive NTFS permissions to control access to folders and files, and combine them with the most restrictive shared folder permissions to control access to the network.

How Combining NTFS and Shared Folder Permissions Works When you apply both NTFS and shared folder permissions, remember that the more restrictive of the two permissions dictates the access that a user will have to a file or folder. . The following two examples explain this further:

• If you set the NTFS permissions on a folder to Full Control, but you set the shared folder permissions to Read, then that user has only Read permission when accessing the folder over the network. Access is restricted at the shared folder level, and any greater access at the NTFS permissions level does not apply.

• Likewise, if you set the shared folder permission to Full Control, and you set the NTFS permissions to Write, then the user will have no restrictions at the shared folder level, but the NTFS permissions on the folder will grant only Write permissions to that folder.

The user must have appropriate permissions on both the NTFS file or folder and the shared folder. If no permissions exist for the user (either as an individual or as the member of a group) on either resource, access is denied.

Considerations for Combined NTFS and Shared Folder Permissions

The following are several considerations that make administering permissions more manageable:

• Grant permissions to groups instead of users. Groups can always have individuals added or deleted, while permissions on a case-by-case basis are difficult to track and cumbersome to manage.

• Use Deny permissions only when necessary. Because Deny permissions are inherited, assigning deny permissions to a folder can result in users not being able to access files further down in the folder structure tree. You should assign Deny permissions only in the following situations:

•

•

•

W

Wfilacbecomneenth

E

Tofo

1.

2.

3.

4.

5.

Wen

inenth

o To excl

o To exclgroup

Never denydeny Admipermissions

Grant permsettings aredepartmengroup for aupdate dep

Use NTFS pand shareda group thapermissions

What Is Acc

With access-basles and foldersccess. Access-better user expeomplex view o

making it easiereed. Windows numeration ofhe network.

nabling Acc

o enable accesolder:

. Open Serve

. In the navig

. In the navig

. In the Shareenumeratio

. In the Propcheck box.

When the Enabnabled on the

Note: Thenterface wherenumeration is he shared folde

lude a subset o

lude one spec

y the Everyonenistrators acces list, as long a

missions to an oe propagated tts of the comp

all user accounpartment grou

permissions ins folder permisat contains mas that are mor

cess-Based

sed enumeratis which they hbased enumererience becaus

of the contentsr for users to fServer 2012 a

f folders that a

cess-Based

ss-based enum

er Manager.

gation pane, c

gation pane, c

es pane, right-on, and then cl

perties window

ble access-basshared folder.

e File and Store you can confi

not available ier in Windows

of a group tha

ific permission

e group accessess—including as you grant pe

object that is athroughout thpany together nts on the domps before new

stead of sharedssions can be dany users at the specific.

d Enumera

on, users see oave permissionation providesse it displays as of a shared foind the files th

allows access-ba server shares

Enumeratio

meration for a

lick File and S

lick Shares.

-click the sharelick Propertie

w, click Setting

sed enumerat. This setting is

age Services cigure access-bin any of the ps Explorer.

at has Allow pe

n when you ha

s to an object. yourself. Inste

ermissions for

as high in the fe tree. For exainto a Read fo

main) to the shaw users receive

d permissions difficult. Conside shared folde

ation?

only the n to s a a less older, hat they based over

on

shared

Storage Servic

ed folder for ws.

gs, and then se

tion check boxs unique to ea

console is the obased enumeraproperties wind

20410A: Installing

ermissions

ve granted Fu

If you deny evead, remove ththe object to

folder structurample, insteadolder, assign Dare. In this ma

e the shared fo

for fine-graineder assigning ter level, and th

ces.

which you wan

elect the Enabl

x is selected, aach shared fold

only place in tation for a shadows that are

g and Configuring W

ull Control perm

veryone accesshe Everyone gother users, g

re as possible, of bringing g

Domain Users (anner, you elimolder.

ed access. Conthe most restr

hen use NTFS p

nt to enable ac

le access-base

ccess-based eder on the serv

he Windows Sred folder. Accaccessible by

Windows Server® 201

missions to a u

s to an object, roup from theroups, or com

so that the secroups represe

(which is a defminate the nee

nfiguring both ictive permissipermissions to

ccess-based

ed enumerati

numeration is ver.

Server 2012 cess-based right-clicking

12 10-11

user or a

you e puters.

curity nting all

fault ed to

NTFS ions for

o assign

ion

10-12 Implem

Wh

An ostoruserclien

Offlthe the cliensyncfiles

Offlope

•

•

•

•

•

•

•

•

On the Offl

•

•

•

•

enting File and Print

hat Are Of

offline file is a red on a client rs can access nnt computer is

ine files and foclient, and thenetwork copynt is reconnectchronization scs is controlled

ine files are averating systems

Windows 8

Windows Serv

Windows 7

Windows Serv

Windows Serv

Windows Vist

Windows Serv

Windows XP

a Windows SeCaching buttoine Settings w

Only the filewhen you setby default, anconnected to

No files or pcomputers fro

All files and offline. Wheor program isautomaticallyon the server opened are n

Optimized fofiles (.exe, .dllthat client cocache instead

Services

ffline Files?

copy of a netwcomputer. By

network-baseds disconnected

olders are edite changes are y of the files thted to the netwchedule and bby the client o

vailable to the s:

ver 2012 clien

ver 2008 R2

ver 2008

ta®

ver 2003

erver 2012 comon in the Adva

window:

es and prograt up a shared fnd users controo the network.

programs fromom making co

programs thanever a user as automaticallyy made availab

until the cachnot available of

or performan) that are run mputer. The n

d of the shared

?

work file that iy using offline fd files when thd from the netw

ted or modifiedsynchronized e next time thwork. The

behavior of offoperating syste

following

ts

mputer, you vieanced Sharing

ms that usersfolder. When yol which files a

m the shared opies of the file

at users openccesses the shy made availabble offline remhe is full or theffline.

nce. If you selefrom the share

next time the cd folder on the

s files eir work.

d by with e

fline em.

ew the Offline window . The

s specify are ayou use this opand programs

folder are avaes and program

n from the shaared folder or ble offline to tain in the offli

e user deletes t

ect the Optimied folder by a client computee server.

Settings winde following opt

available offliption, no files othey want to a

ailable offlinems on the shar

ared folder arr drive and opehat user. Files ne files cache the files. Files a

ized for perfoclient comput

er runs the exe

dow for a sharetions are availa

ine. This is theor programs aaccess when th

e. This option red folder.

re automaticaens a file or prand programsand synchron

and programs

ormance checter are automa

ecutable files, i

ed folder by clable within the

e default optiore available ofhey are not

blocks client

ally available rogram in it, ths that are ize with the vethat are not

k box, executaatically cachedt will access its

icking e

on ffline

hat file

ersion

able d on s local


Note: The Offline Files feature must be enabled on the client computer for files and programs to be cached automatically. In addition, the Optimized for performance option does not have any effect on client computers that use Windows Vista or older, as these operating systems perform the program-level caching automatically, as specified by this option.

Configuring the Always Work Offline Setting

You can configure Windows Server 2012 and Windows 8 computers to use the Always available offline mode when accessing shared folders. When you configure this option, client computers always use the locally cached version of the files from a network share, even if they are connected to the file server by a high-speed network connection.

This configuration typically results in faster access to files for client computers, especially when connectivity or speed of a network connection is intermittent. Synchronization with the files on the server occurs according to the offline files configuration of the client computer.

How to Enable the Always Work Offline Mode To enable Always work offline mode, you use Group Policy to enable the Configure slow-link mode setting, and you set the latency value to 1:

1. On an AD DS domain controller, open Group Policy Management Console.

2. To optionally create a new Group Policy Object (GPO) for Offline Files settings, right-click the appropriate domain or Organizational Unit (OU), and then click Create a GPO in this domain, and Link it here.

3. In the console tree, right-click the GPO for which you want to configure the Offline Files settings, and then click Edit.

4. In the Group Policy Management Editor, in the console tree, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then expand Offline Files.

5. Right-click Configure slow-link mode, and then click Edit.

6. In the Configure slow-link mode window, click Enabled.

7. In the Options box, click Show.

8. In the Show Contents window, in the Value name box, specify the shared folder path for which you want to enable Always Offline mode.

Note: To enable Always Offline mode on all file shares, type a wildcard character (*).

9. In the Value box, type 1 to set the latency threshold to one millisecond, and then click OK.

Demonstration: Creating and Configuring a Shared Folder

Creating and configuring a shared folder is typically done within Windows Explorer, from the Sharing tab on the Properties window of the file or folder. When creating a shared folder, always ensure that you set permissions that are appropriate for all of the files and folders within the shared folder location.

Demonstration Steps

Create a shared folder



2. Create a folder named Data on drive E.

3. Share the Data folder.

Assign permissions for the shared folder

• Grant the Authenticated Users Change permissions for \\LON-SVR1\Data.

Configure access-based enumeration 1. Open Server Manager.

2. Navigate to the Share pane in the File and Storage Services management console.

3. Open the Data Properties window for the \\LON-SVR1\Data, and enable access-based enumeration.

Configure offline files

1. Open the Data Properties window for E:\Data.

2. Navigate to the Sharing tab and open the advanced sharing settings.

3. Open the caching settings, and then disable offline files.

LessonProte

Shpof

Thsn

Le

A

•

•

•

•

W

A a cofostvifilsn

A alis thalco

Bybearfoch

Betral

Shthp

n 2 ecting S

hadow copies revious versionffsite. Files and

his lesson intronapshots in Wi

esson Objec

fter completin

Describe sh

Describe co

Identify me

Restore dat

What Are S

shadow copy set of data, su

opies provide tolders based otorage drives. Aew and potenles and foldersnapshot was ta

shadow copy l files for eachtaken, Windo

he drive. A spelocated for tra

ontent might b

y default, the ce modified. Yore retained untor new snapshohanges betwee

ecause a snapsraditional backso lost.

hadow copies hat need to berevious version

hared Fare used to ren of a file fromd folders can b

oduces you to indows Server

ctives

ng this lesson, y

hadow copies.

onsiderations f

ethods for rest

ta from a shad

Shadow Co

is a static imaguch as a file or the capability n snapshots thAfter a snapshtially restore ps that existed aaken.

does not makh snapshot. Insws Server 201

ecific amount oacking the chabe in the curre

changed disk bou can also deftil the allocateots. The amouen snapshots.

shot is not a cokups. If the disk

are suitable foe logically consns is likely to b

Files andestore previousm a shadow cobe recovered b

shadow copie2012.

you will be ab

for scheduling

oring data fro

dow copy.

opies?

ge (or a snapshfolder. Shadowto recover file

hat are taken ohot is taken, yoprevious versioat the time tha

ke a complete tead, after a sn2 tracks changof disk space isnged disk bloc

ent version of t

blocks are storfine how much

ed disk space isnt of disk spac

omplete copy k containing a

or recovering dsistent before abe corrupt and

d Foldes versions of fipy than from a

by administrato

es, and shows y

le to:

shadow copie

m shadow cop

hot) of w

es and of ou can ons of at the

copy of napshot ges to s cks. When youthe file, and so

red on the samh disk space is s full, after whce that is used

of files, shado drive is lost o

data files, but na backup is pe

d require datab

20410A: Installing

ers usingles and foldersa traditional bors, or directly

you how to co

es.

pies.

u access a prevome might be

me drive as the allocated for ich, older snap

d by a snapsho

ow copies cannor damaged, th

not for more cerformed. A dabase repairs.

g and Configuring W

g Shados. It is much fa

backup copy, wy by end users.

onfigure a sche

vious version oin the snapsho

e original file, bshadow copie

pshots are remot is based on t

not be used ashen the snapsh

complex data—atabase that is


ow Copaster to restorewhich might be

edule of drive

of a file, some ot.

but this behaves. Multiple snamoved to makethe size of disk

s a replacemenhots of that dr

—such as data restored from

12 10-15

ies e a e stored

of the

vior can apshots e room k

nt for ive are

bases—m

10-16 Implem

Co

TheMonat ndesi

Whe

•

•

•

Re

Prevuserthatinstof a

Admdirecan netwversof t

Whecan avaiprevprev

Winaccerunn


onsideratio

default schednday through

noon. You can ired for your o

en scheduling

Consider thatshadow copieserver. You shcopies more t

Increase the ffrequently chlikelihood tha

Increase the ffile changes a

storing Da

vious versions rs or administrt they can do tructions on ho

a file.

ministrators caectly on the ser

access previowork from a fisions are acceshe file or folde

en viewing prebrowse the av

ilable, you canvious version ovents overwrit

ndows XP SP2 essing previouning Windows

Services

ons for Sch

dule for creatinFriday at 07:00modify the de

organization.

shadow copie

t increasing thes increases thhould not schethan once eac

frequency of sanging data. T

at recent file ch

frequency of sare captured.

ata from a

of files can berators. Most usthis and they wow to restore a

n access previrver that storeus versions of le share. In bossed from the er.

evious versionsvailable files ann review each vof a file to an aing the curren

or newer, Wins file versions

s XP SP1 or old

heduling S

ng shadow cop0 A.M., and ag

efault schedule

es:

e frequency ofe load on the

edule drive shah hour.

hadow copies This increases thanges are cap

hadow copies

Shadow C

e restored by esers are unawawill need a previous vers

ous versions os the files. Usefiles over the th cases, previProperties win

s of a folder, ynd select only version beforealternate locatnt file version.

dows Vista, anwithout instal

der operating s

hadow Co

pies is gain e as

f

adow

for the ptured.

for important

Copy

either are

sion

of files ers

ious ndow

you the file that yo deciding whic

tion instead of

nd Windows 7 ling any additsystems, you m

opies

t data. This inc

ou need. If much one to restof restoring it to

operating sysional software

must install the

creases the like

ultiple versionsore. Finally, yoo its previous l

tem clients aree. For Windowse Previous Ver

elihood that re

s of files are ou can copy a ocation. This

e capable of s XP clients tharsions Client.

ecent

at are


Demonstration: Restoring Data from a Shadow Copy

Shadow copies can be created using the default schedule, or you can modify the schedule to provide more frequent snapshots. In either case, you will only see the versions of the file as it has changed. Taking a shadow copy of a file that doesn’t change has no actual effect on the shadow copy. No additional versions are available, and no space is used in the snapshot, for that particular file.

Demonstration Steps

Configure shadow copies 1. On LON-SVR1, open Windows Explorer.

2. Enable Shadow Copies for Local Disk (C:).

Create a new file 1. Open Windows Explorer.

2. Create a folder in drive C named Data.

3. Create a text file named TestFile.txt in the Data folder.

4. Change the contents of TestFIle.txt by adding the text Version 1.

Create a shadow copy

1. In Windows Explorer, right-click Local Disk (C:) and then click Configure Shadow Copies.

2. In the Shadow Copies window, click Create Now.

3. When the shadow copy is complete, click OK.

Modify the file 1. In Windows Explorer, double-click TestFile.txt to open the document.

2. In Notepad, type Version 2.

3. Close Notepad, and click Save to save the changes.

Restore a previous version

1. In Windows Explorer, right-click TestFile.txt, and then click Restore previous versions.

2. Restore the most recent version.

3. In the warning window, click Restore.

4. Open TestFile.txt to open the document and verify that the previous version is restored.

10-18 Implem

Lesson 3Config

By unetwcon

WinroleimpWin

LesAfte

•

•

•

•

•

•

•

Be

YouWinthis jobsthat

Theas aprinto mconinstdist

By cwhe

A nelowbecexam

Net


3 guring N

using the Printwork and centsole, you can m

ndows Server 2e that you can portant aspectsndows Server 2


Identify the b

Describe Enha

Identify secur

Create multip

Describe prin

Describe Bran

Identify meth

nefits of N

u can configurendows Server 2

configurations to the printet is connected

biggest benefa print server isnting. Instead omany individuanection to thealled centrally ributed to wor

centralizing prether printing

etwork printerer consumableause the initiample, a single

work printers

Services

Networkt and Documetralize print sermonitor print

2012 introduceuse to manags of network p2012.

ives the lesson, yo

benefits of netw

anced Point an

rity options for

ple configurati

ter pooling.

nch Office Dire

hods for deploy

Network P

e network prin2012 as a printn, client compur server for deto the networ

fit of using Wis centralized mof managing cal devices, youe server. Printe

on the server,rkstations.

inting on a serproblems are

r is more expenes costs and bel cost of the pnetwork print

can also be pu

k Printint Services rolrver and netwoqueues, and re

es new featuree your networrinting, and in

u will be able

work printing.

nd Print.

r network prin

ons for a print

ect Printing.

ying printers t

rinting

nting by using t server for useuters submit prlivery to a prinrk.

ndows Server management oclient connectio manage their

er drivers are , and then

rver, you also scaused by the

nsive than thoetter quality printer is spread

ter could servic

ublished in AD

ng e in Windows ork printer maeceive importa

es and importark printing envntroduces new

to:

nting.

t device.

to clients.

ers. In rint nter

2012 of ons r

simplify troubprinter, serve

ose typically usrinting. Therefd over all the cce 100 users o

D DS, which allo

Server 2012, yanagement. Byant notificatio

ant changes tovironment bett network print

leshooting. It r, or client com

sed for local prfore, the cost ocomputers tha

or more.

ows users to se

you can share y using the Prinns regarding p

o the Print andter. This lessonting features t

is relatively eamputer.

rinting but it aof printing is sat connect to t

earch for print

printers on a nt Managemeprint server act

Document Sen explains the hat are availab

sy to determin

also has significstill minimized,that printer. Fo

ters in their do

nt tivity.

ervices

ble in

ne

cantly ,

or

omain.

W

EnWdPrin8.

UD

Thininofopspfedde

InWdePrlaPa

VU

Th

•

•

•

•

•

UUanidfr

Wseto

If in

What Is Enh

nhanced PointWindows Serve

rivers for netwrint uses the n

ntroduced in W.

UnderstandiDrivers

he Windows pn previous versn relatively the f version 3 (v3perating systepecific device teatures. Under rivers for eachevice, to suppo

ntroducing Windows Serve

evice driver mrint Class Drive

arge set of devaper Specificat

ersion 4 drivernlike v3 driver

he V4 driver m

Sharing a p

Driver files

A single dri

Driver packtimes.

The printer

Using Enhannder the v4 mnd Print. Whendentify the prinom Windows

With Enhanced erver. Driver ino be transferre

the driver stonstalled, and if

hanced Po

t and Print is ar 2012 that ma

work printers. Eew version 4 (

Windows Serve

ng V3 Drive

printer driver stsions of Windo

same form sin) drivers in Wims. With v3 drthat they prodthe v3 model print device iort both platfo

the V4 Prinr 2012 and Wianagement aners that suppovices. Commontion (XPS).

rs are typicallyrs, v4 drivers a

model provides

printer does no

are isolated o

iver can suppo

kages are smal

driver and the

ced Point amodel, printer sn a network prnt device. The Update or Win

Point and Prinnstallation for ned over the net

re on the clienan appropriat

oint and Pr

new function akes it easier tEnhanced Poin(v4) driver typeer 2012 and W

ers and V4

tandard that isows Server has nce the introdndows 2000 rivers, printer m

duced, to ensu, printer infrasn the environmorms.

ter Driver indows 8 inclund installation.rt similar printn printing lang

y delivered by ure not delivere

s the following

ot require prov

n a per-driver

ort multiple de

ler and more s

e printer user

and Print forsharing and drrinter is installedriver then insndows Softwar

nt, the print denetwork print twork from ser

nt machine doete driver canno

rint?

in o install

nt and e that is indows

s used existed

uction

manufacturersre that Windowtructure mana

ment, and sepa

de support fo. Under the v4ting features aguages may in

using Windowed from a prin

g benefits:

visioning drive

basis, prevent

evices.

streamlined th

interface can b

r Driver Instriver installatioed on a client stalls directly fre Update Serv

evice drivers ndevices becomrver to client.

es not containot be obtained

20410A: Installing

s created custows application

agement requiarate 32 and 6

r v4 print drive4 model, print and printing lanclude Printer C

ws Update or Wter store that

ers that match

ting driver file

han v3 drivers,

be deployed in

tallation on operates aucomputer, the

from the drivevices.

o longer needmes faster beca

n a driver for thd from Window

g and Configuring W

omized print dns could use alires administra64-bit drivers f

ers, and enabldevices manufnguage that mControl Langu

Windows Softwis hosted on th

the client arch

naming confli

resulting in fa

ndependently.

tomatically une server and clr store on the

d to be maintaause printer dr

he network prws Update or W


drivers for eachll of their printators to maintafor a single pri

es improved pfacturers can c

may be commouage (PCL), .ps

ware Update Sehe print server

hitecture.

icts.

aster driver ins

.

nder Enhancedient work togeclient machin

ined on the prrivers no longe

inter that is beWindows Serv

12 10-19

h ter’s ain int

print create on to a or XML

ervices. r.

tallation

d Point ether to e, or

rint er need

eing er

10-20 Implem

Upddriv

Sec

WhecaseconalloconWin

Theprin

•

•

•

De

Creagrothe prio

Dem

Cre1.

2.

3.

4.

Cre

1.

2.

3.

4.


date Services, Wver from the pr

curity Opt

en a printer is es no security sidered to be wed to print ofiguration for

ndows server.

permissions tnting include:

Print: This pedocuments oEveryone gro

Manage thisdrivers. By de

Manage docpermission is manages thatall print jobs.

emonstrati

ating multiple ups to print hihigh priority p

ority queue.

monstration

eate a shareOpen the Dev

Add a printer

Name the pri

Share the prin

eate a secon

Open the Dev

Add a printer

Name the pri

Share the prin

Services

Windows uses rint server.

tions for N

shared over ais required. Thopen access, t

on it. This is thea printer that

hat are availab

ermission allown the printer.

oup is assigned

s printer: This efault, this perm

cuments: This assigned to C

t job. Administ

on: Creati

configurationgh priority job

print queue, th

n Steps

ed printer vices and Print

r using the LPT

nter AllUsers.

nter using the

nd shared p

vices and Print

r using the LPT

nter Executiv

nter using the

a fallback me

Network Pr

network, in mhe printer is that is everyone default is shared on a

ble for shared

ws users to prinBy default, the

d this permissio

permission allmission is give

permission allREATOR OWNtrators, Server

ng Multip

ns for a print dbs to a printer he print server

ter window.

T1 local port, a

.

default setting

rinter that u

ter window.

T1 local port, a

es.

default setting

chanism to en

rinting

many

ne is

nt e on.

ows users to mn to Administr

ows users to mNER, which me

Operators, an

ple Configu

evice enables that is being uwill process th

and the Broth

gs.

uses the sam

and the Broth

gs.

nable cross-pla

modify printer rators, Server O

modify and deeans that the und Print Opera

urations fo

you to assign used by other he job before

her Color Leg

me port

her Color Leg

atform printing

settings, incluOperators, and

elete print jobsuser who createtors also have

or a Print D

print queues tusers. When aany jobs comi

Type1 Class d

Type1 Class d

g using the pri

uding updatingd Print Operat

s in the queue.es a print job this permissio

Device

to specific usea print job is seng from the n

driver.

driver.

nt

g tors.

. This

on for

rs or ent to ormal

In

1.

2.

W

Prpcoppop

Pravpoexbepca

A ofU

Th

•

•

W

BrcoWPrinplotorepre

Br

ncrease prin

. Open the E

. Increase the

What Is Pri

rinter pooling hysical printeromputers, the rinter. When joool, they can brinter in the pr

rinter pooling vailability of neool. If one prinxample, from aeing offline), arinters. If a priapacity, you ca

printer pool isf one physical SB connection

he requiremen

Printers muprinters mumodel is us

Printers shoclose togetfind their d

What Is Bra

ranch Office Dosts for organi

Windows Serverinting is enab

nformation frorint jobs direct

onger travels too the branch oeduces traffic brint server, andesults in increa

ranch Office D

nting priorit

Executives Prin

e Priority to 10

nter Pooli

is a way to coms into a single printer pool a

obs are submitbe processed brinter pool.

increases the etwork printinnter in the pooa large print joall jobs are sennter pool doesan add anothe

s configured oprinter. In mo

n.

nts for a printe

ust use the samust accept prinsed.

ould be in the her. When useocument. The

anch Office

Direct Printing zations that hr roles. When

bled, Windows m the print setly to the printo the central s

office printer. Tbetween the cld the branch oased network e

Direct Printing

ty for a high

ter properties

0.

ng?

mbine multiplelogical unit. Tppears to be atted to the priby any availab

scalability andg by using a p

ol is unavailablob, a paper jamt to the remais not have suff

er printer to th

on a server by ost cases, the p

er pool are as f

me driver: Cliennt jobs in the sa

same locationers retrieve there is no way fo

e Direct P

reduces netwoave centralizedBranch Office clients obtainrver, but send ter. The print derver and then

This configuratlient computeoffice printer, aefficiency.

is transparent

h priority pr

window.

e To client a single nter le

d printer le (for m, or ning ficient e printer pool

specifying muports are an IP

follows:

nts use a singleame format. In

n: The printers eir print jobs, tor users to kno

rinting?

ork d their Direct printer the

data no n back tion r, the and

to the

20410A: Installing

rint queue

without perfo

ultiple ports foraddress on th

e printer driven many cases,

in a printer pothey must checow which print

g and Configuring W

orming any clie

r a printer. Eace network, ins

er for generatinthis means tha

ool should be ck all printers ter has printed


ent configurat

ch port is the lstead of a loca

ng print jobs. Aat a single prin

located physicin the printer

d their docume

12 10-21

ion.

ocation l LPT or

All nter

cally pool to ent.

10-22 Implem

userthe cach

Con

BranWin

To c

1.

2.

3.

To cfollo

SetRen

De

Depmanwellscalthou

The

•

•

•


r. In addition, twide area nethed on the clie

nfiguring B

nch Office Direndows PowerSh

configure Bran

In Server Man

In the navigatnetwork print

Click the PrinDirect Printi

configure Branowing comma

t-Printer -nanderingMode B

eploying P

ploying printernaging printinl-designed sysable and can busands of com

options for de

Group Policy Policy prefereto Windows Xand Windowsassociated wicomputer accgroup. For W

GPO created GPO for distrWindows XP

Manual instalAdd Printer Wavailable onlyinstall the pri

Services

the user can pwork (WAN) lient computer

ranch Offic

ect Printing is hell® command

nch Office Dire

nager, open th

tion pane, expter for which B

nters node, rigng.

nch Office Dirend at a Windo

ame "<PrinteBranchOffice

rinters to

rs to clients is ag services on ttem for deplobe used to ma

mputers.

eploying print

preferences. Yences to deploXP, Windows Vs 8 clients. Theth either the ucount, and can

Windows XP com

by Print Manaibution to cliecomputers mu

llation. Each usWizard; It is imy to the user thnter manually.

print even if thnk to the datain the branch

e Direct Pri

configured byd-line interfac

ect Printing fro

he Print Manag

pand Print ServBranch Office D

ght-click on th

ect Printing usiows PowerShel

r Name Here>

Clients

a critical part othe network. Aying printers inage hundred

ters are:

You can use Groy shared printVista, Windowse printer can buser account on be targeted bmputers, you m

agement. The nt computers ust be configu

ser can add prportant to nothat installed th.

he print server a center is dowoffice..

nting

y an administrae.

om the Print M

gement conso

vers, and then Direct Printing

e desired prin

ing a Windowsll window com

" -ComputerN

of A s

ds or

roup ters s 7, e

or by must install the

Print Managembased on eithered to run Pus

rinters manualte that networhem. If multipl

is unavailablewn). This is bec

ator using the

Management co

le.

expand the pg will be enable

ter, and then c

s PowerShell cmmand prompt

Name <Print S

e Group Policy

ment administer a user accoshprinterconne

ly by either brrk printers thate users share a

e for some reascause the print

Print Manage

onsole, use the

rint server thated.

click Enable B

command-linet:

Server Name H

y Preference C

trative tool canunt or a compections.exe.

rowsing the net are installed a computer, th

son (for exampter information

ement console

e following ste

t is hosting the

Branch Office

e interface, typ

Here> -

Client Extensio

n add printers puter account.

etwork or usinmanually are hey must each

ple if n is

or a

eps:

e

e the

n.

to a

g the

h


Lab: Implementing File and Print Services Scenario

Your manager has recently asked you to configure file and print services for the branch office. This requires you to configure a new shared folder that is used by multiple departments, configure shadow copies on the file servers, and configure a printer pool.

Objectives

After performing this Lab you will be able to:

• Create and configure a file share.

• Configure a shadow copy

• Create and configure a printer pool.

Lab Setup


Logon Information

Virtual Machines 20410A-LON-CL1

20410A-LON-DC1

20410A-LON-SVR1


Password Pa$$w0rd



2. In Hyper-V® Manager, click 20410A-LON-DC1 and in the Actions pane, click Start.





o Domain: Adatum

5. Repeat steps 2 to 4 for 20410A-LON-SVR1.

6. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Creating and Configuring a File Share

Scenario

Your manager has asked you to create a new shared folder for use by all departments. There will be a single file share with separate folders for each department. To ensure that users only see files to which they have access, you need to enable access-based enumeration on the share.


There have been problems in other branch offices with conflicts when offline files are used for shared data structures. To avoid conflicts, you need to disable Offline Files for this share.


1. Create the folder structure for the new share.

2. Configure NTFS permissions on the folder structure.

3. Create the shared folder.

4. Test access to the shared folder.

5. Enable access-based enumeration.

6. Test access to the share.

7. Disable Offline Files for the share.

Task 1: Create the folder structure for the new share 1. Log on to LON-SVR1 as Adatum\Administrator with a password Pa$$w0rd.

2. Open a Windows Explorer window, and create the following folders:

o E:\Data

o E:\Data\Development

o E:\Data\Marketing

o E:\Data\Research

o E:\Data\Sales

Task 2: Configure NTFS permissions on the folder structure 1. In Windows Explorer, block the NTFS permissions inheritance for E:\Data, and when prompted,

convert inherited permissions into explicit permissions.

2. In Windows Explorer, remove permissions for LON-SVR1\Users on subdirectories in E:\Data.

3. In Windows Explorer, add the following NTFS permissions for the folder structure:

Folder Permissions

E:\Data No change

E:\Data\Development Modify: Adatum\Development

E:\Data\Marketing Modify: Adatum\Marketing

E:\Data\Research Modify: Adatum\Research

E:\Data\Sales Modify: Adatum\Sales

Task 3: Create the shared folder 1. In Windows Explorer, share the E:\Data folder.

2. Assign the following permissions to the shared folder:

o Change: Adatum\Authenticated Users


Task 4: Test access to the shared folder 1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. Open Windows Explorer.

3. Navigate to \\LON-SVR1\Data.

4. Attempt to open the Development, Marketing, Research, and Sales folders.

Note: Bernard should have access to the Development folder. However, although Bernard can still see the other folders, he does not have access to their contents.

5. Log off LON-CL1.

Task 5: Enable access-based enumeration 1. Switch to LON-SVR1

2. Open Server Manager.

3. Select File and Storage Management.

4. Select Shares.

5. Open the Properties window for the Data share, and from the Settings page, enable Access-based enumeration.

Task 6: Test access to the share 1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

2. Click the Desktop tile and then open a Windows Explorer window, and navigate to \\LON-SVR1\Data.

Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.

3. Open the Development folder to confirm access.

4. Log off LON-CL1.

Task 7: Disable Offline Files for the share 1. Switch to LON-SVR1.


3. Navigate to E:\

4. Open the Properties window for the Data folder, and disable Offline file caching.

Results: After finishing this exercise, you will have created a new shared folder for use by multiple departments.


Exercise 2: Configuring Shadow Copies

Scenario

A. Datum Corporation stores daily backups offsite for disaster recovery. Every morning the backup from the previous night is taken offsite. To recover a file from backup requires the backup tapes to be shipped back onsite. The overall time to recover a file from backup can be a day or more.

Your manager has asked you to ensure that shadow copies are enabled on the file server so you can restore recently modified or deleted files without using a backup tape. Because the data in this branch office changes frequently, you have been asked to configure a shadow copy to be created once per hour.


1. Configure shadow copies for the file share.

2. Create multiple shadow copies of a file.

3. Recover a deleted file from a shadow copy.

Task 1: Configure shadow copies for the file share 1. Switch to LON-SVR1.


3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.

4. Enable Shadow Copies for the E:\ drive.

5. Configure the settings to schedule hourly shadow copies for the E:\ drive.

Task 2: Create multiple shadow copies of a file 1. On LON-SVR1, switch to Windows Explorer, and navigate to the E:\Data\Development folder.

2. Create a new text file named Report.txt.

3. Switch the Shadow Copies window, and then click Create Now.

Task 3: Recover a deleted file from a shadow copy 1. Switch back to the Windows Explorer window.

2. Delete the Report.txt file.

3. Open the Properties window for E:\Data\Development, and then click the Previous Versions tab.

4. Open the most recent version of the Development folder, and then copy the Report.txt file.

5. Paste the file back into the Development folder.

6. Close Windows Explorer and all open windows.

Results: After finishing this exercise, you will have enabled shadow copies on the file server.

Exercise 3: Creating and Configuring a Printer Pool

Scenario

Your manager has asked you to create a new shared printer for your branch office. However, instead of creating the shared printer on the local server in the branch office, he has asked you to create the shared printer in the head office and use Branch Office Direct Printing. This allows the printer to be managed in the head office, but prevents print jobs from traversing WAN links.


To ensure high availability of this printer, you need to format it as a pooled printer. Two physical print devices of the same model have been installed in the branch office for this purpose.


1. Install the Print and Document Services server role.

2. Install a printer.

3. Configure printer pooling.

4. Install a printer on a client computer.

Task 1: Install the Print and Document Services server role 1. On LON-SVR1, open Server Manager.

2. Install the Print and Document Services role, and accept the default settings.

Task 2: Install a printer 1. On LON-SVR1 use the Print Management console to install a printer with following parameters:

a. IP Address: 172.16.0.200

b. Driver: Microsoft XPS Class Driver

c. Name: Branch Office Printer

2. Enable Branch Office Direct Printing.

3. List the printer in AD DS.

Task 3: Configure printer pooling 1. In the Print Management console, create a new port on LON-SVR1 with the following configuration:

a. Type: Standard TCP/IP port

b. IP Address: 172.16.0.201

c. Connection: Generic Network Card

2. Open the Branch Office Printer Properties page, and on the Ports tab, enable printer pooling.

3. Select port 172.16.0.201 as the second port.

Task 4: Install a printer on a client computer 1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Add a printer, selecting the Branch Office Printer on LON-SVR1 printer.

Results: After finishing this exercise, you will have Installed the Print and Document Services server role and installed a printer with printer pooling.

To prepare for the next module After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.


2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.


Module Review and Takeaways Review Questions:

Question: How does inheritance affect explicitly assigned permissions on a file?

Question: Why should you not use shadow copies as a means for data backup?

Question: In which scenarios could Branch Office Direct Printing be beneficial?

Tools


Effective Permissions Tool

Assessing combined permissions for a file, folder or shared folder.

Under Advanced, on the Security tab of the Properties page of a file, folder or shared folder.

Netsh command-line tool

Configuring Windows Server 2012 networking components.

Command prompt.

Print Management administrative

Managing the print environment in Windows Server 2012.

The Tools menu in Server Manager.

11-1

Module 11 Implementing Group Policy


Lesson 1: Overview of Group Policy 11-2

Lesson 2: Group Policy Processing 11-10

Lesson 3: Implementing a Central Store for Administrative Templates 11-15

Lab: Implementing Group Policy 11-19


Module Overview

Maintaining a consistent environment across an organization is challenging. Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling administrators to centrally manage and apply configuration settings.

This module provides an overview of Group Policy and provides details about how to implement group policies.

Objectives


• Create and manage Group Policy Objects.

• Describe Group Policy processing.

• Implement a central store for administrative templates.

11-2 Implemen

Lesson Overvi

GroPolistruuses

GroPolistruuses

Les

Afte

•

•

•

•

•

•

•

Co

Groallomodregican whi(use

GP

A GpoliuserSYSVPoliPolithe

GroA Gcha(ADof tand

nting Group Policy

1 iew of Gup Policy allowcy functions, scture, and defs and groups.

up Policy allowcy functions, scture, and defs and groups.

sson Objecti

er completing

Describe the

Describe mul

Describe stor

Describe GPO

Describe start

Describe the

Describe the

omponents

up Policies arew administratodifying the comistry settings ogroup Group ch you can theers, groups or c

Os

GPO is an objeccy settings thars, computers, VOL, and can cy Managemecy Managemeobjects in tho

oup Policy Sroup Policy senge to apply t

D DS). Group Pohe computing Windows® op

Group Pws you to contso you can appfines local and

ws you to contso you can appfines local and

ives

this lesson, yo

components o

tiple local Gro

age options fo

O policies and

ter GPOs.

process of del

process of cre

s of Group

e configurationors to enforce mputer-specif

on domain-basPolicies toget

en apply to seccomputers).

ct that containat apply configor both. GPObe managed b

ent Console (Gent Editor. GPOse containers.

Settings etting is the moto an object (aolicy has thous environment.

perating system

Policy trol the compuply Group Poli domain grou

trol the compuply Group Poli domain grou

ou will be able

of Group Policy

oup Policy Obje

or domain GPO

preferences.

egating GPO m

ating and man

p Policy

n settings thatsettings by ic and user-spsed computersher, to make Gcurity principle

ns one or moreguration settins are stored inby using the G

GPMC). Within Os are logically

ost granular co computer or sands of config. Not all settingms. Each new v

uting environmcy correctly. Tp policies. It al

uting environmcy correctly. Tp policies. It al

to:

y.

ects (GPOs).

Os.

management.

naging GPOs.

t

ecific s. You GPOs, es

e ng for

roup the GPMC, yo

y linked to Act

omponent of Ga user, or bothgurable settinggs can be appversion introdu

ment. It is impohis lesson provlso describes t

ment. It is impohis lesson provlso describes t

ou can open antive Directory®

Group Policy. h) within Activgs. These settilied to all oldeuces new setti

ortant to undevides an overvthe types of se

ortant to undevides an overvthe types of se

nd edit a GPO ® containers to

It defines a spve Directory Dongs can affect

er versions of Wngs and capab

erstand how Gview of Group ettings availabl

erstand how Gview of Group ettings availabl

by using the Go apply setting

ecific configuromain Servicest nearly every aWindows Servebilities that on

Group Policy le for

Group Policy le for

Group s to

ration s area er® ly


apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.

Most policy settings have three states:

• Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.

• Enabled. The policy setting will be applied.

• Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multi-valued or have text string values. These are typically used to provide specific configuration details to applications or operating system components. For example, a setting may provide the URL of the home page for Windows Internet Explorer® or blocked applications.

The effect of the change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: You disable a policy that prevents an action, so you allow the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:

• User settings. These are settings that modify the HKey Current User hive of the registry.

• Computer settings. These are settings that modify the HKEY Local Machine hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Section Description

Software settings Contain software settings that can be deployed to either the user or the computer. Software that is deployed to a user is specific to that user. Software that is deployed to the computer is available to all users of that computer.

Windows operating system settings

Contain script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.

Administrative templates Contain hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates may be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download, and that you can add to the GPMC.

Group Policy Management Editor

The Group Policy Management Editor (GPME) displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.

11-4 Implemen

Gro

In abotPreflate

Loc

All sPoliimp

Wh

In WVistconconon fWinsystWinfeatWindiffeis onGrocom

WinPoli

•

•

•

dom

Ho

The

1.

2.

3.

Witlocaloca

nting Group Policy

oup Policy P

ddition to theh the Computferences providr in this modu

cal Group P

systems runnincies that are a

ported to other

hat Are Mu

Windows operaa®, there was ofiguration in tfiguration wasfrom that locandows Vista® aems, and Wind

ndows Server oture–multiple lndows Server 2erent user settnly available foup Policy. The

mputer.

ndows 8 and Wcy Objects:

Local Group P

Administrato

User-specific

Note: The emain controller

w the Layer

layers of Loca

Local Group P

Administrato

User-specific

h the exceptioal Group Policial Group Policy

Preferences

Group Policy er Configuratide even more

ule.

olicy

ng the Microsovailable. Localr computers.

ultiple Loc

ating systems only one availhe local Groups applied to alll computer. Th

and newer cliendows Server 2operating systelocal GPOs. In 2012, it is now tings for differeor the users’ co

ere is only one

Windows Serve

Policy (contain

r and Non-Ad

Local Group P

exception to thrs cannot have

rs Are Proce

al Group Policy

Policy

rs and Non-Ad

Local Group P

on of the categes to groups, y, or the Admi

sections showon and User Ccapabilities w

oft® Windows l policy setting

cal GPOs?

prior to Windoable user p Policy. That l users who loghis is still true, nt operating 008 and neweems have an aWindows 8 anpossible to haent local usersonfigurations set of comput

er 2012 provide

ns the compute

ministrator Gr

Policy

his feature is de local Group P

essed

y Objects are p

dministrators G

Policy

gories of Admibut only to indnistrator or No

wn in the previoConfiguration nwith which to co

2000 operatings only apply t

ows

gged but

er dded

nd ave s; this in ter configurati

e this ability w

er configuratio

oup Policy

omain controlPolicies

processed in th

Group Policy

nistrator or Nodividual local uon-Administra

ous table, a Prnodes in the Gonfigure the e

ng systems or no the local ma

ions available

with the followi

on settings)

llers. Due to th

he following o

on-Administrauser accounts.ator settings, a

references nodGroup Policy Menvironment, a

newer also havachine, but can

that affects all

ing three layer

he nature of th

order:

ator, it is not p Domain userss appropriate.

de is present uManagement Eand are discuss

ve local Groupn be exported

l users of the

rs of Local Gro

heir role,

ossible to apps are subject to

nder ditor. sed

p and

oup

ply o the

thenPo

S

GGacan

G

Gsete%SethcrMPo

G

ThEathveGSYthar

Byin

ThnuthPorech

Wemwde

Note: Dohat are runningnabling the Tuolicy Object.

torage of

roup Policy seroup Policy Mctually two comnd a Group Po

Group Policy

roup Policy teettings that yoemplates are st

%SystemRoot%erver 2012 conhousands of coreate a new Gr

Management Edolicy container

Group Policy

he Group Policach Group Polhe object withiersion numberroup Policy teYSVOL is locathe GUID of there saved to the

y default, when a GPO only if

he Group Policumber that is he Group Policolicy Client knefresh, the Grohanged, the CS

When editing amulator Flexib

what computer efault. It is pos

main administg Windows clieurn Off Local

Domain G

ettings are presanagement tomponents: a Golicy container

y Template

mplates are thu can change.tored in the

%\PolicyDefinitntains Group Ponfigurable setroup Policy, thditor presents r is created.

y Container

cy container isicy container iin AD DS. The rs, but it does mplate, whiched in the %Sys

e Group Policye Group Policy

n Group Policyf the GPO has

cy Client can idincremented e

cy container, aows the versio

oup Policy ClieSEs will be info

Group Policy,ble Single Mast

you are usingssible to chang

trators can disaent operating Group Policy

GPOs

sented as GPOool, but a GPOGroup Policy te.

he actual collec Group Policy

ions folder. WPolicy templatettings. When y

he Group Policythe templates

s an Active Direincludes a globGroup Policy cnot contain an

h is a collectionstemRoot% \S

y container. Why template of t

y refresh occubeen updated

dentify an updeach time a chnd in a text file

on number of ent discovers thormed that the

, the version oter Operationsg to perform thge the focus of

able processinsystems and W

y Objects Proc

Os in the is

emplate,

ction of

indows es with you y s in a new GPO

ectory object tbally unique idcontainer definy of the settinn of files storedYSVOL\Domahen you makethe server from

rs, the Group d.

dated GPO by ange is made.e, GPT.ini, in theach GPO thathat the versione GPO is upda

n the compute (FSMO) role i

he editing, thef the GPMC to

20410A: Installin

ng Local GroupWindows Servecessing policy

O. When you e

that is stored identifier (GUIDnes basic attri

ngs. Instead, thd in the SYSVOin\Policies\GP

e changes to thm which the GP

Policy client-s

its version num. The version nhe Group Polict it has previoun number of thted.

er that has thes the version b

e GPMC is focuo edit a version


p Policy Objecter operating sy setting in a do

edit and save t

in the Active DD) attribute thabutes of the Ghe settings areOL of each domOGUID path, w

he settings of aPO was opene

ide extensions

mber. Each GPnumber is storecy Template fously applied. Ifhe Group Polic

e primary dombeing edited. Iused on the PDn on a differen

Windows Server® 20

ts on clients ystems by omain Group

he GPO, a new

Directory databat uniquely ide

GPO such as line contained in main controllewhere GPOGUa GPO, the chaed.

s (CSEs) apply s

PO has a versioed as an attribolder. The Grof, during Groucy container ha

main controller It does not maDC emulator bnt domain cont

012 11-5

w Group

base. entifies nks and the

er. UID is anges

settings

on bute of up p Policy as been

(PDC) atter y troller.

11-6 Implemen

Wh

GroWinPrefextesettthe

to hinstThedow

ChaPref

•

•

•

•

•

•

•

•

Com

Althuses

•

•

•

•

•

•

•

•

•

nting Group Policy

hat Are Gr

up Policy Prefndows Server 2ferences includensions that exings within a Gneed for logo

Note: Windhave the Groupalled to procese can be dow

wnload website

aracteristicsferences have

Preferences e

Unlike Groupthat are estab

Preferences c

Preferences c

Unlike Groupyou can chan

Preferences csecurity grou

Preferences a

Unlike Group

mmon Uses

hough you cans are as follow

Drive mappin

Configuring d

Setting enviro

Mapping prin

Setting powe

Configuring S

Configuring d

Configuring I

Scheduling ta

roup Polici

ferences are a 2012 operatingde more than xpand the rangGPO. Preferencn scripts.

dows XP operap Policy client-ss Group Polic

wnloaded frome.

s of Preferethe following

exist for both c

p Policy settingblished by pref

can be manage

can be applied

p Policy settingnge this behavi

can easily be tap membership

are not availab

p Policy, the us

s for Group

n configure mas:

ngs for users

desktop shortc

onment variab

nters

r options

Start menus

data sources

nternet option

asks

ies and Pre

feature in the g system. 20 Group Policge of configurces help to red

ting systems n-side extensioncy preferences.

m the Microsoft

nces characteristics

computers and

gs, preferencesferences.

ed through the

only once at s

gs, preferencesior.

argeted to certp or operating

le for local gro

er interface of

Policy Prefe

any settings th

cuts for users o

bles

ns

eferences?

cy able duce

need ns . t

s:

d users.

s are not enfor

e Remote Serv

startup or logo

s are not remo

tain users or cosystem versio

oup policies.

f the setting is

erences

hrough Group

or computers

?

rced, and users

ver Administra

on, or refreshe

oved when the

omputers throon.

not disabled.

Policy prefere

s can change t

tion Tools (RSA

ed at intervals.

GPO is no lon

ough a variety

nces, some of

the configurat

AT).

nger applied, b

of ways, such

the more com

ions

but

as

mmon

W

Stcrcamw

AStACCWavof

Ex

YoththGse

W

Thforedi

In

ThGSpVde

D

APousthGpataduGmM

What Are S

tarter GPOs arreation of GPOan choose to u

makes it easier with the same b

Available Settarter GPOs cadministrative Tonfiguration sonfiguration s

Windows Settinvailable, becauf services and

xporting St

ou can export hat is completehe .cab file to oPO that define

ettings, then yo

When to Use

he most commor a type of coestrictions, or aifferent depart

ncluded Sta

he GPMC incluPOs. These popecialized Secuista and Windoesign security

Delegating

dministrators olicy administrsers do not hahey can be usePOs. For examarticular Organasked with peruties, while thePOs for that O

might be put inManagement In

Starter GPO

e templates thOs. When creatuse a starter GPand faster to c

baseline config

ttings an only containTemplates nodection or the Cection. The So

ngs nodes of Guse these nodeare more com

tarter GPOs

starter GPOs tely independeother administes Internet Expou could expo

e Starter GP

mon situation imputer role. Fall file servers ttments.

rter GPOs

udes a link to colicies provide urity – Limitedows XP SP2 oppolicies.

Managem

can delegate srative tasks to ve to be doma

ers that are grample, a user wh

nizational Unitforming repore help desk gr

OU. A third gron charge of crenstrumentation

Os?

hat assist in theting new GPOsPO as the sourcreate multipleguration.

n settings fromde of either theComputer

oftware Settingroup Policy ar

es involve intermplex and dom

to a Cabinet fint of the sourctrators, who caplorer security ort the starter G

POs

n which you wFor example, yoto have the sa

create a Startepreconfigured

d Functionality perating system

ment of GP

some of the Gother users. Tain administraanted certain rho manages a t (OU) could brting and analyroup is allowedoup of developeating Windown (WMI) filters

e s, you rce. This e GPOs

m the e User

gs and re not raction

main-dependen

le (.cab) and tce domain/foran then use it isettings. If you

GPO to a .cab

would use a staou may want ame baseline G

er GPO folder, d security-orie

(SSLF) clients ms. You can us

POs

roup hese tors;

rights to

be ysis d to edit pers ws .

20410A: Installin

nt.

hen load that rest. Exportingin other areas.u want all sitesfile, and then

arter GPO is wall corporate la

Group Policy se

which containnted settings ffor both user se these polici


.cab file into a a starter GPO. For example, s and domainsdistribute it.

when you wantaptops to haveettings, but en

ns a number offor enterprise and computeres as starting

Windows Server® 20

another enviroO allows you to

you may creas to employ th

a group of see the same deable variations

f predefined stclients (EC) anr settings on Wpoints when y

012 11-7

onment o send te a

he same

ettings esktop s for

tarter nd Windows you

11-8 Implementing Group Policy

The following Group Policy tasks can be delegated independently:

• Creating GPOs

• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy modeling analysis

• Reading Group Policy results data

• Creating WMI filters

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.

Group Policy Default Permissions

By default, the following users and groups have full access to manage Group Policy:

• Domain Admins

• Enterprise Admins

• Creator Owner

• Local System

The Authenticated User group has Read and Apply Group Policy permissions only.

Permissions for Creating GPOs By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:

• Add the user to the Group Policy Creator Owners group

• Explicitly grant the group or user permission to create GPOs by using GPMC

Permissions for Editing GPOs

To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.

Managing GPO Links

The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results You can delegate the ability to use the reporting tools in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.

Creating WMI Filters You can delegate the ability to create and manage WMI filters in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.


Demonstration: Creating and Managing GPOs

In this demonstration, you will see how to use the GPMC to create a new GPO. You will also see how you can use the Group Policy Management Editor to edit the GPO settings. Finally, you will see how Windows PowerShell® is used to create a GPO.

Demonstration Steps

Create a GPO by using the GPMC

• Log on to LON-DC1 as Administrator and create a policy named Prohibit Windows Messenger.

Edit a GPO with the Group Policy Management Editor

1. Edit the policy to prohibit the use of Windows Messenger.

2. Link the Prohibit Windows Messenger GPO to the domain.

Use Windows PowerShell to create a GPO

• Use Windows PowerShell to create a GPO named Desktop Lockdown.

11-10 Implem

Lesson 2Group

UndThisandyoudetecreacon

LesAfte

•

•

•

•

•

GP

Oncsettto liA Gto amullink

•

•

•

OncpolipareReaGPO

YouDele

GPOsystsyst

enting Group Policy

2 Policy

derstanding hos lesson shows how to contro want to applyermine what sated. These potrollers. The ap


Describe a GP

Describe how

Describe the

Describe the

Describe GPO

PO Links

ce you have crings that you wink the policy tPO link is the

a container. Yoltiple containeGPOs to the f

Sites

Domains

OUs

ce a GPO is lincy is applied tent object. Thid and Apply G

O.

u can disable lieting links doe

Os cannot be lem containersem containers

Processow Group Polic

you how Grouol the applicaty, they must beettings are app

olicies are usedpplication of p


PO link.

w GPOs are app

Group Policy p

default GPOs.

O security filter

eated a GPO awant it to delivto an Active Dlogical connec

ou can link a sirs by using thefollowing type

ked to a contao all the objecs is because th

Group Policy p

nks to containes not delete t

inked directly s of AD DS, incs receive Grou

sing cy is applied isup Policy is asstion of Group e linked to conplied to object

d to deliver paspolicies can als

ou will be able

plied to contai

processing ord

ring.

and defined alver, the next s

Directory contaction of the pongle GPO to e GPMC. You cs of containers

ainer, by defaucts in the contahe default permermission. You

ners, which remhe actual GPO

to users, groucluding Builtin,p Policy settin

s the key to besociated with APolicy. After crntainers. GPOsts. There are twssword and secso be controlle

to:

iners and obje

der.

l the tep is

ainer. olicy

can s:

ult the ainer, and submissions of theu can modify t

moves the confO, only the logi

ps or compute, Computers, Ugs from GPOs

eing able to deActive Directoreating the GPs are applied inwo default polcurity settings

ed through sec

ects.

sequently all te GPO are sucthis behavior b

figuration settical connectio

ers. In additionUsers, or Mana linked to the

evelop a Groupory objects, howPOs and confign a specific ordlicies that are as for the domacurity filtering.

the child contah that Authen

by managing p

tings. You can n to the conta

n, GPOs cannoaged Service Adomain level o

p Policy stratew it is processeguring the settder. This orderautomatically in and for dom.

ainers under thticated Users h

permissions on

also delete linainer.

ot be linked toAccounts. The Aonly.

egy. ed, tings r may

main

hat have

n the

nks.

the AD DS

A

CstAThcodore

Urederu

locosew

YoreTecoThin

Yoansefu

A thlooc

G

Garapovap

G

•

Applying G

omputer confitartup, and theny startup scrihe default inteonfigurable. Thomain controlefreshed every

ser settings arefreshed at regefault is also 9un at logon.

Note: A nogons before tomputer use cettings are bei

will not take eff

ou can changeefresh interval emplates\Sysorresponding she security set

nterval that you

ou can also refny new Group ettings. There iunction.

new feature ihe GPMC to taogged-on userccurs within 10

Group Polic

POs are not apre applied in applied later in verwrite any copplied earlier.

POs are applie

Local groupWindows 2has a local

GPOs

iguration settien are refreshepts are run at

erval is every 9he exception tlers, which hav

y five minutes.

e applied at logular, configur90 minutes. An

number of usehe user sees thached credentng delivered tfect until the n

e the refresh insetting is foun

stem\Group Psettings underttings section ou set for the re

fresh Group PoPolicy configu

is also a new W

n Windows Serget an OU an

rs. To do this, y0 minutes.

cy Process

pplied simulta logical order.the process ofonflicting poli

ed in the follow

p policies: Each000 or newer Group Policy c

ngs are applieed at regular incomputer star

90 minutes, buto the set interve their setting

ogon and are able intervals; y logon script

r settings requhe effect of thetials to speed uo the compute

next logon. The

nterval by confnd in the ComPolicy node. For User Configuof the Group Pefresh interval.

olicy manuallyurations. The GWindows Powe

rver 2012 is Rend force Groupyou right-click

sing Order

neously; rathe GPOs that aref applying GPOcy settings tha

wing order:

h system runnpotentially alrconfigured.

ed at ntervals. rtup. t this is rval is gs

the s are

uire two e GPO. This is up logons. Thier, the user is ae folder redire

figuring a Groputer Configuor user settingration. An exc

Policy will be re.

y. The commanGpupdate /foerShell Invoke

emote Policy Rp Policy refreshany OU, and t

r

er, they e Os at were

ing eady

20410A: Installing

because usersis means that, already loggedction setting is

up Policy settiuration\Polic

gs, the refresh ception to the efreshed at lea

nd line utility Gorce commande-Gpupdate cm

Refresh. This feh on all of its cthen click Gro

g and Configuring W

s logging on toalthough the d on and thus s an example o

ing. For compucies\Administinterval is founrefresh intervaast every 16 ho

Gpupdate refrd refreshes all tmdlet, which p

eature allows acomputers and

oup Policy Up


o the same policy the settings

of this.

uter settings, ttrative nd at the al is security seours, regardles

reshes and delthe Group Polperforms the s

administratorsd their currentdate. The upd

12 11-11

the

ettings. ss of the

livers icy

same

s to use tly date

11-12 Implem

•

•

•

•

Objof arestto rwou

of p

If mconlink

Youknoexamcom

Wh

Durdefaand

Def

Thissecupasssettthis conto acreathen

Def

Thisdesi

enting Group Policy

Site group po

Domain groumultiple polic

OU group pounique to thecan link a pol

Child OU pol

ects in the cona conflict betwrict access to reverse that pould be availabl

Note: Othepolicies on con

multiple policietrol the order ed.

u can also disabown to be empmple, if you ha

mputer-side of

hat Are the

ring the installaault GPOs are Default Doma

fault Doma

s policy is linkeurity principlessword policy sings, and Kerbpolicy should figured. If you

apply to the enate new policien link the polic

fault Doma

s GPO is linkedigned to provi

olicies: Policies

up policies: Polces at the dom

olicies: Policies e objects in thalicy to the Sale

icies: Any polic

ntainers receiveen settings, tregistry editingolicy. Because e.

r methods sucntainers.

s are applied aof processing.

ble the user orpty, then you save a policy ththe policy.

e Default G

ation of the ADcreated: Defauain Controller

in Policy

ed to the domas in the domaiettings, the ac

beros policy. Anot have othe

u need to confntire domain thes to deliver thcies to the dom

in Controlle

d to the domaide auditing se

that are linke

icies that are lmain level. Thes

linked to OUsat OU. For exaes OU to delive

cies that are lin

ve the cumulathe last policy ag tools, but yothe OU-level p

ch as Enforcem

at the same lev. The default p

r computer cohould disable

hat only delive

GPOs?

D DS role, twoult Domain PoPolicy.

ain and affectsn. It contains t

ccount lockouts a best practier settings igure other sethen you shoulhe settings, andmain.

ers Policy

in controllers’ettings and use

d to sites are p

inked to the dse policies are

s are processedmple, the Saleer those setting

nked to child O

ive effect of alapplied takes

ou could configpolicy is applie

ment and Inher

vel, the adminpreference ord

nfiguration of the empty secrs user deskto

o olicy,

s all the t ce,

ttings d d

OU, and shouer rights, and s

processed nex

domain are proprocessed in o

d next. These pes users may hgs.

OUs are proce

ll polices in theeffect. For exagure an OU-leed later in the

ritance Blockin

istrator can aser is the order

f a particular Gction to speed p configuratio

ld only affect dshould not be

xt.

ocessed next. Torder of prefe

policies contaiave special req

essed last.

eir processing ample, a domaevel policy and

process, acces

ng can change

ssign a preferer in which the

GPO. If one secup policy pro

on, you could d

domain controused for othe

There are ofteerence.

n settings thatquired settings

order. In the cain-level policy link it to the Iss to registry t

the effect

ence value to policies were

ction of a policocessing. For disable the

ollers. This polr purposes.

n

t are s. You

case y may IT OU ools

cy is

icy is

G

Bypbebepamreth

EadepeReByhaG

be

DIf yoalexto

LiAcoshexcoof

p

Thth

GPO Securi

y nature, a GPrinciples in theelow the parenehavior and haarticular secur

may want to exestrictive deskthrough securit

ach GPO has aefines permissermission is foead and Applyy adjusting theave the GPO sroup Policy, o

Note: Theeen authentica

Deny Accessmost security

ou can exemptl the users in txempt that groo Deny.

imit Permislternatively, if ontainer, you chould receive txample, you momputers. Youf the laptops, a

Note: Nevrinciples would

he ACL of a GPhen clicking th

ity Filterin

O applies to ae container, annt. You may wave certain GPity principles. empt certain utop policy. Youy filtering.

an Access Contions to that G

or Authenticatey Group Policye permissions ettings appliedr limit permiss

e Authenticateated to AD DS

to Group Pprinciples in tt particular secthe Sales OU soup (or user) b

ssions to Groyou have crea

can remove ththe GPO settin

may have a GPOu could removeand then gran

ver deny accesd never receive

PO is accessede Delegation

g

ll the security nd all child con

wish to change POs apply onlyFor example, yusers in an OUu can accompl

trol List (ACL) tPO. The defaued Users to havy permission apin the ACL, yod. There are twsions to Group

ed Users groupS.

Policy the container scurity principlehould receive

by adding that

oup Policyated a GPO thae Authenticate

ngs, and then gO with compue the Authentit them the Re

ss to the Authee the GPO sett

d in the GPMC >Advanced ta

ntainers that

y to you

U from a ish this

that ult ve the pplied. u can control

wo approachesp Policy.

p includes all u

should receivees by denying a policy excep

t group to the

at should only ed Users grougrant them theter configuraticated Users gad and Apply

enticated Usertings.

by selecting tab.

20410A: Installing

which securitys you might ta

user and comp

e the policy setthem access t

pt the Sales MaACL of the GP

be applied top from the ACe Read and Aption settings throup from theGroup Policy

r group. If you

he GPO in the

g and Configuring W

y principles recake to do this:

puter accounts

ttings but somto the Group Panagers groupPO, and then s

o a few securityCL, add the secpply Group Pohat should onlye ACL, add the permission.

u do, then secu

e Group Policy


ceive permissiodeny access to

s that have

me should not, Policy. For examp. Then you casetting the per

y principles in curity principleolicy permissiony apply to laptcomputer acc

urity

Object folder

12 11-13

on to o the

then mple, if an rmission

a es that ns. For top counts

and

11-14 Implem

Dis

Sce

TheCorSale

•

•

•

•

Somto s

De

In thPoliMod

Dem

UseHT1.

2.

3.

Use

•

enting Group Policy

scussion: I

enario

slide illustrateporation’s AD

es OU with its c

GPO1 is linkecontainer. Ththat turn off tminutes of inregistry editin

GPO2 has setof the Sales U

GPO3 configu

GPO4 configumode.

me users in thepecifically gra

Question: W

Question: W

Question: W

Question: WControl Pane

Question: If yit?

Question: Ca

emonstrati

his demonstracy (RSoP), anddeling Wizard

monstration

e GpupdateML file On LON-DC1

Use Gpresult

Open the HT

e the Group

Use the Grouwho log onto

dentifying

es a portion ofDS structure, child OUs and

ed to the Adatue GPO configuthe monitors aactivity, and re

ng tools.

ttings to lock dUsers OU, and

ures power op

ures a differen

e Sales OU havnt access to Co

hat power opt

hat power opt

hat power opt

ill users in the l be able to ac

you needed to

an GPO2 be ap

on: Using

tion you will sd output the re

to test policie

n Steps

e to refresh

1, use Gpupda

t /H to create

ML report and

p Policy Mod

p Policy Modeo any compute

g Group Po

f the A. Datumwhich contain the Servers O

um domain ures power opand disks afterestricts access

down the deskconfigure prin

ptions for lapto

nt set of power

ve administrativontrol Panel.

tions will the s

tions will the la

tions will all ot

Sales Users Occess Control P

o grant access

pplied to other

Group Po

ee how to useesults to an HTes.

Group Polic

te to refresh t

an HTML file t

d review the re

deling Wiza

eling Wizard toer.

olicy Appli

m s the

OU.

tions r 30 to

ktops nters for Sales

ops in the Sale

r options to en

ve rights on th

ervers in the S

aptops in the S

ther computer

U who have crPanel?

to Control Pan

r department O

olicy Diagn

e Gpupdate to TML file. You w

cy, display R

he GPOs.

that displays th

esults.

ard to test t

o simulate a po

ication

Users.

s Laptops OU.

nsure that the

heir computers

Servers OU rec

Sales Laptops

rs in the doma

reated local po

nel to some us

OUs?

nostic Tool

refresh Groupwill also see ho

RSOP, and o

he current GPO

the policy

olicy applicatio

.

servers never

s, and have cre

ceive?

OU receive?

in receive?

olicies to gran

sers, how wou

ls

p Policy, displaow to use the G

output the r

O settings.

on for users in

go into power

eated local po

t access to

ld you do

ay Resultant SeGroup Policy

results to an

n the Manager

r save

olicies

et of

n

rs OU

LessonImpleTemp

InadpThlo

LeA

•

•

•

•

W

If wedww.astdidiseAanwSe

Thwthbewad

YocoCmA

n 3 ementinplates n a large organdministrator edrovides a singlhis lesson disc

ocation to prov


Describe th

Describe ad

Describe ho

Describe m

What Is the

your organizaworkstations, thditing GPOs. If

which to hold thworkstation you

dmx (ADMX) atored in the locifferent adminifferent operatervice pack levDMX and ADMnd ADML files

workstation witerver 2012 dom

he Central Stoworkstations cahat the adminiefore loading

workstation detdministration e

ou must createontroller, name:\Windows\SY

must then copyDML files in th

ng a Cen

nization, there dits a GPO, thele folder in SYSusses the files vide consistenc


he central store

dministrative t

ow administrat

managed and u

e Central S

ation has multihere could be pf you do not hhe template fiu are editing frand .adml (ADcal PolicyDefinistration workting systems ovels, there mayML files. For exthat are storeh no service pmain controlle

re addresses tn download thstrator is usingthe local ADMtects a Central experience am

e and provisioe the folder PoSVOL\sysvol\{D

y all the contenhis folder are a

ntral Sto

may be manye template fileSVOL that conthat make up cy in the temp

you will be ab

e.

emplates.

tive templates

nmanaged po

Store?

iple administrapotential issueave a Central les, then the rom will use th

DML) files that nitons folder. Ikstations have r are at differe

y be differencexample, the ADd on a Windowack installed m

er.

his issue. The Che same ADMXg to perform a

MX and ADML Store, it then

mong multiple

n the Central SolicyDefinitioDomain Naments of the C:\Walso in a langua

ore for

y GPOs and mues are pulled frtains all of thethe templates

plates that adm

le to:

work.

olicy settings.

ation es when Store in

he are f

ent es in the DMX ws 7

may not be the

Central Store pX and ADML f

administration files in the Grodownloads thworkstations.

Store manuallyons, and store e}\Policies\. Th

Windows\Policyage-specific fo

20410A: Installing

Admin

ultiple adminisrom the local we templates reqs, and discusseministrators use

e same as the

provides a singfiles when editalways checks

oup Policy Obje template file

y. First you muthe folder at

his folder will nyDefinitions foolder (such as

g and Configuring W

istrative

strators managworkstation. Tquired to crea

es how to create.

files that are s

gle point fromting a GPO. Ths to see if a Ceject Editor. Whes. In this way,

ust create a fo

now be your Colder to the Ceen-US).


e

ging them. Whhe central storte and edit GPte a central sto

tored on a Wi

m which admine local workst

entral Store exihen the local there is a con

lder on a dom

entral Store. Yentral Store. Th

12 11-15

hen an re POs. ore

ndows

istration ation ists

nsistent

main

You he

11-16 Implem

Wh

An afiles

•

•

ADM%SyalsotemWo

Adm

•

•

•

•

AD

PriolangPoliincr

Ho

Admevesettsettenvsettchathat

enting Group Policy

hat Are Ad

administratives types: ADMX

ADMX files spchange. AMD

ADML files geconfigure thesettings in theEditor. ADML

MX and ADMLystemRoot%\Po create your o

mplates in XML rd, Office Exce

ministrative Te

They are orgaenvironment,

The settings ithe user secti

Some settingMessenger frothe computer

Some settingnew settings Double-clickicannot be pro

DM Files

or to Windows guage-specificcy template. If

reases the size

ow Admini

ministrative Tery aspect of thing in the teming that contrironment. For ing that prevenges the valuet aspect.

dministrati

template is m and ADML.

pecify the regiDX files are lan

enerate the use Administrative Group Policy

L files are langu

L files are storePolicyDefinitionown custom ad

format. Admiel® and Office

mplates have

anized into sub, such as netwo

n the computeon edit the HK

s exist for bothom running inr setting preva

s are availablethat can be apng the settingocessed by an

Vista, adminisc, and were diff an ADM file iof SYSVOL, an

istrative Te

mplates have he computing

mplate correspools an aspect oexample, whe

ents access to Ce in the registr

ive Templa

made up of two

stry setting to guage-neutra

er interface tove Templates py Managemenuage-specific.

ed in the ns folder. You dministrative nistrative temPowerPoint®)a

the following

bfolders that hork, system, an

er section editKEY_CURRENT

h user and comn both the userails.

e only to certaipplied only to s will display tolder Window

strative templaficult to customis used in multnd therefore in

emplates W

settings for almenvironment. onds to a regisof the computen you enable Control Panel, ry key that con

ates?

o XML

l.

o policy t

can

plates that conare also availab

characteristics

house configurnd Windows co

t the HKEY_LOT_USER registry

mputer. For exr and the com

in versions of Wthe Windows

the supported ws operating sy

ates had an .admize. ADM filetiple GPOs, thencreases the siz

Work

most Each stry ting the this

ntrols

ntrol Microsofble from the M

s:

ration optionsomponents.

OCAL_MACHINy hive.

xample, there iputer templat

Windows oper7 and newer oversions for thystem is simpl

dm (ADM) file es are stored inen the file is stze of Active D

ft Office produMicrosoft down

for specific ar

NE registry hive

is a setting to tes. In case of c

rating systemsoperating systehat setting. Anly ignored by t

extension. ADn SYSVOL as ptored multiple irectory replica

ucts (such as Onload website.

reas of the

e, and settings

prevent Windoconflicting sett

s, such as severems versions. ny setting that that system.

DM files were part of the Gro times. This ation traffic.

Office .

in

ows tings,

ral

oup


The Administrative Templates node is organized as shown in the following table.

Section Nodes

Computer settings • Control Panel

• Network

• Printers

• System

• Windows Components

• All Settings

User settings • Control Panel

• Desktop

• Network

• Shared Folders

• Start Menu and Taskbar

• System

• Windows Components

• All Settings

Most of those nodes contain multiple subfolders to further organize settings into logical groupings. Even with this organization, finding the setting you need can be a daunting task. To help you locate settings, the All Settings folder allows you to filter the entire list of settings by either the computer or the user section. The following filter options are available:

• Managed or unmanaged

• Configured or not configured

• Commented

• By keyword

• By platform

You can also combine multiple criteria. For example, you could filter to find all the configured settings that apply to Internet Explorer 10 by using the keyword ActiveX.

11-18 Implem

Ma

TheandAdmThepoliit is comconsettdoe

Ma

A mcha

•

•

•

Un

In clongpermconsettyouGro

enting Group Policy

anaged an

re are two typ unmanaged.

ministrative Te Group Policy cy settings anno longer wit

mputer. The Grtrol unmanageings are persis

es not remove

anaged Polic

managed policyracteristics:

The user interesult in the athrough a Grointerface.

Changes are reserved regis

o HKLM\So

o HKCU\So

o HKLM\So

o HKCU\So

Changes madout of scope applied to a uAdditionally,

managed P

ontrast, an unger applies, thmanent changfiguration to ting. By default from implemup Policy pref

nd Unmana

pes of policy seAll policy settimplates are mservice controd removes a phin scope of th

roup Policy sered policy settistent. The Grouunmanaged p

cy Settings

y setting has th

rface (UI) is locappropriate UIoup Policy set

made in restricstry keys are:

oftware\Policie

oftware\Policie

oftware\Micros

oftware\Micros

de by a Group of the GPO. Fouser will be relthe UI interfac

olicy Settin

managed polie setting rema

ge. To reverse tthe desired stat, the Group Penting a confiferences are un

aged Polic

ettings: managings in a GPO’

managed policiols the managepolicy setting whe user or rvice does not ngs. These poup Policy servi

policy settings.

he following

cked, so that a being disableting, then the

cted areas of t

es (computer s

es (user setting

soft\Windows\

soft\Windows\

Policy setting or example, if eased. This me

ce for the setti

gs

cy setting makains. This is oftthe effect of th

ate. Additionalolicy Managemguration that nmanaged sett

cy Settings

ged, s es. ed when

licy ce

a user cannot ced. For exampluser will see t

the registry, to

settings)

gs)

\Current Versio

\Current Versio

and the UI locyou delete a Geans that, genng is enabled.

kes a change ten called tattohe policy settinly, an unmanament Editor hiis difficult to rtings.

s

change the setle, if you confighose settings g

o which only ad

on\Policies (co

on\Policies (us

ckout are releaGPO, managederally, the sett.

that is persisteooing the regisng, you must daged policy setides unmanagevert. Many o

tting. Managegure the desktgreyed out in

dministrators h

omputer settin

ser settings)

ased if the used policy settingting resets to i

nt in the regisstry—in other deploy a changtting does not ed policy settif the settings t

d policy settintop wallpaper his or her loca

have access. T

ngs)

er or computergs that had bets previous sta

try. If the GPOwords, makingge that revertslock the UI fongs to discourthat are availa

ngs

al user

hese

r falls een ate.

O no g a s the

or that rage ble in


Lab: Implementing Group Policy Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.

In your role as a member of the server support team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.

Your manager has asked you to create a central store for ADMX files to ensure that everyone can edit GPOs that have been created with customized ADMX files. You also need to create a starter GPO that includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing department and the IT department.


• Configure a Central Store.

• Create GPOs.

Lab Setup



20410A-LON-SVR1


Password Pa$$w0rd

Lab Setup Instructions








5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on until directed to do so.


Exercise 1: Configuring a Central Store

Scenario

A. Datum recently implemented a customized ADMX template to configure an application. A colleague obtained the ADMX files from the vendor before creating the Group Policy Object with the configurations settings. The settings were applied to the application as expected.

After implementation, you noticed that you are unable to modify the application settings in the Group Policy Object from any location other than the workstation that was originally used by your colleague. To resolve this issue, your manager has asked you to create a Central Store for administrative templates. After you create the Central Store, your colleague will copy the vendor ADMX template from the workstation into the Central Store.


1. View the location of administrative templates in a Group Policy Object (GPO).

2. Create a central store.

3. Copy administrative templates to the central store.

4. Verify the administrative template location in GPMC.

Task 1: View the location of administrative templates in a Group Policy Object (GPO) 1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Start the Group Policy Management Console (GPMC).

3. Open the Default Domain Policy and view the location of the administrative templates.

Task 2: Create a central store 1. Open Windows Explorer and browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

2. Create a folder named PolicyDefinitions which will be used for the Central Store.

Task 3: Copy administrative templates to the central store • Copy the contents of the default PolicyDefinitions folder located at C:\Windows\PolicyDefinitions

to the new PolicyDefinitions folder located at C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

Task 4: Verify the administrative template location in GPMC • Verify that the Group Policy Object Editor is using the ADMX files from the central PolicyDefinitions

folder, by viewing the location information text of the Administrative templates folder.

Results: After completing this exercise, you will have configured a Central Store

Exercise 2: Creating GPOs

Scenario After a recent meeting of the IT Policy committee, management has decided that A. Datum will use Group Policy to restrict access to the General page of Internet Explorer for users.

Your manager has asked you to create a starter GPO that can be used for all departments with default restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for members of all departments except for the IT department.



1. Create a Windows Internet Explorer® Restriction default starter GPO

2. Configure the Internet Explorer Restriction starter GPO

3. Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter GPO

4. Test Application of the GPO for Domain Users

5. Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy

6. Test the GPO application for IT Department Users

7. Test Application of the GPO for other domain users

8. To prepare for the next module

Task 1: Create a Windows Internet Explorer® Restriction default starter GPO 1. Open the GPMC and create a starter GPO named Internet Explorer Restrictions.

2. Type a comment that states This GPO disables the General page in Internet Options.

Task 2: Configure the Internet Explorer Restriction starter GPO • Configure the starter GPO named Internet Explorer Restrictions to disable the General page of

Internet Options.

Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter GPO • Create a new GPO named IE Restrictions that is based on the Internet Explorer Restrictions starter

GPO, and link it to the Adatum.com domain.

Task 4: Test Application of the GPO for Domain Users 1. Log on to LON-CL1 as Adatum\Brad, with a password of Pa$$w0rd.

2. Open the Control Panel.

3. Attempt to change your homepage.

4. Open Internet Options to verify that the General tab has been restricted.

5. Sign out of LON-CL1.

Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy • On LON-DC1, open Group Policy Management, and configure security filtering on the IE Restrictions

policy to deny access to the IT department.

Task 6: Test the GPO application for IT Department Users 1. Log on to LON-CL1 as Brad, with a password of Pa$$w0rd.


3. Attempt to change your homepage. Verify that the Internet Properties dialog opens to the General page, and all settings are available.



Task 7: Test Application of the GPO for other domain users 1. Log on to LON-CL1 as Boris, with a password of Pa$$w0rd.


3. Attempt to change your homepage.

4. Open Internet Options to verify that the General tab has been restricted.


Results: After completing this lab, you will have created a GPO.

To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:




4. Repeat steps 2 and 3 for 20410A-LON-CL1.



Question: What are some of the advantages and disadvantages of using site-level GPOs?

Question: You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the desired users receiving the mappings. You want to move away from using scripts. What is the best way to map network drives without using scripts for selected users?

Best Practices

The following are recommended best practices:

• Do not use the Default Domain and Default Domain Controllers policies for other uses. Instead, create new policies.

• Limit the use of security filtering and other mechanisms that make diagnostics more complex.

• Disable the User or Computer sections of policies, if they have no settings configured.

• If you have multiple administration workstations, create a Central Store.

• Add comments to your GPOs to explain what the policies are doing.

• Design your OU structure to support Group Policy application.



A user is experiencing abnormal behavior on their workstation.

All users in a particular OU are having issues, and the OU has multiple GPOs applied.

Tools


Group Policy Management Console (GPMC)

Controls all aspects of Group Policy

In Server Manager, on the Tools menu

Group Policy Object Editor Use to configure settings in GPOs

Accessed by editing any GPO

Resulting Set of Policies (RSoP)

Use to determine what settings are applying to a user or computer

In the GPMC

Group Policy Modeling Wizard

Use to test what would occur if settings were applied to users or computers, prior to actually applying the settings

In the GPMC

Local Group Policy Editor Use to configure Group Policy settings that apply only to the local computer

Accessed by creating a new Microsoft Management Console (MMC) on the local computer, and adding the Group Policy Object Editor snap-in

12-1

Module 12 Securing Windows Servers Using Group Policy Objects


Lesson 1: Windows Security Overview 12-2

Lesson 2: Configuring Security Settings 12-6

Lab A: Increasing Security for Server Resources 12-15

Lesson 3: Restricting Software 12-21

Lesson 4: Configuring Windows Firewall with Advanced Security 12-25

Lab B: Configuring AppLocker and Windows Firewall 12-29


Module Overview

Protecting IT infrastructure has always been a priority to organizations. Many security risks are threatening companies and their critical data. Failure to have adequate security policies can lead to data loss, server unavailability, and companies losing credibility.

To protect from security threats, companies must have well-designed security policies that include many components, from organizational to IT-related. Security policies must be evaluated on a regular basis, because as security threats evolve, so IT must also evolve.

Before you start designing security policies to help protect your organization’s data, services, and IT infrastructure, you must learn how to identify security threats, how to plan your strategy to mitigate security threats, and how to secure your Windows Server® 2012 infrastructure.

Objectives


• Describe Windows security.

• Configure security settings by using Group Policy.

• Restrict unauthorized software from running on servers and clients.

• Configure Windows Firewall® with Advanced Security.

12-2 Securing

Lesson Windo

As oinfraopeorgatoo201

WinsecuUndimp

LesAfte

•

•

•

Dis

Theidenassointereso

Revthe asso

ApInc

Youcominfraoftetechorga

Defsecudow

Windows Servers Us

1 ows Secorganizations eastructure secu

erating system anizational assls and concept2 infrastructur

ndows Server 2urity. These feaderstanding thplementation, i

sson Objectier this lesson, y

Describe secu

Describe how

Describe best

scussion: I

first step in dentifying the poociated costs. Oelligent decisioources to mitig

iew the questidiscussion to

ociated costs to

pplying Decrease Secu

u can mitigate mputer networastructure layeen used to deshnologies at danization.

ense-in-depthurity that extenwn to the appli

ing Group Policy Obj

urity Ovexpand their aurity becomesenable organ

sets in increasits that are avare.

2012 includes natures combinese features ais critical to ma

ives you will be abl

urity risks for W

w the defense-i

t practices for

dentifying

efending yourotential securitOnce you do t

ons about how gate those risk

on on the slididentify some o Windows-ba

efense-In-Durity

risks to your ok by providingers. The term dcribe the use oifferent points

h technologies nd from user pication and the

jects

verviewavailability of n

more challengizations to prongly complex ilable for impl

numerous feate to form the nd their assocaintaining a se

le to:

Windows Serve

in-depth mod

increasing Win

g Security

r systems is ty risks and thethat, you can m

to allocate s.

e and participof the risks an

ased networks

Depth to

organization’s g security at vadefense-in-depof multiple sec throughout y

include layerspolicies all the e data itself.

w network data, aging. Security

ovide better prenvironmentsementing secu

tures that provcore of Windoiated concepts

ecure environm

er 2012, and th

el addresses se

ndows Server 2

Risks and

eir make

ate in nd .

arious pth is curity your

s of way

applications, atechnologies

rotection for ths and business urity within a W

vide different ows Server 201s, as well as be

ment.

he costs associ

ecurity.

2012 security.

Costs

and systems, ein the Windowheir network rscenarios. Thi

Windows 8 an

methods for im12’s security fueing familiar w

iated with them

nsuring netwows Server 2012resources and s lesson reviewd Windows Se

mplementing unctionality. with their basic

m.

ork 2

ws the erver

c


Policies, Procedures, and Awareness

Security policy measures need to operate within the context of organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down and stick them to their computer screens, so users must be taught how to protect their passwords. Another example of security best practice is ensuring that users do not leave their desktop computer without first locking the desktop or logging off from the computer. When establishing a security foundation for your organization’s network, it is a good idea to start with establishing appropriate policies and procedures and making users aware of them. Then you may progress to the other aspects of the defense-in-depth model.

Physical Security

If any unauthorized person can gain physical access to a computer on your network, then most other security measures are not useful. You must ensure that computers containing the most sensitive data, such as servers, are physically secure, and that access is granted to authorized personnel only.

Perimeter These days, no organization is an isolated enterprise. Organizations operate within the Internet, and many organization network resources are available from the Internet. This might include building a website to describe your organization’s services, or making internal services such as web conferencing and email accessible externally, so that users can work from home or from branch offices.

Perimeter networks mark the boundary between public and private networks. Providing reverse proxy servers in the perimeter network enables you to provide more secure corporate services across the public network.

Many organizations implement so-called network access quarantine control, where computers that connect to the corporate network are checked for different security criteria, such as whether the computer has the latest security updates, antivirus updates, and other company-recommended security settings. If these conditions are true, the computer is allowed to connect to corporate network. If not, the computer is placed in isolated network, called quarantine, with no access to corporate resources. Once the computer has its security settings remediated, it is removed from the quarantine network and is allowed to connect to corporate resources.

Note: A reverse proxy, such as Microsoft® Forefront® Threat Management Gateway 2010, enables you to publish services, such as email or web services, from the corporate intranet without placing the email or web servers in the perimeter, or exposing them to external users. Microsoft Forefront Threat Management acts as both reverse proxy and as a firewall solution.

Networks

Once you connect computers to a network, either internal or public, they are susceptible to a number of threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication takes place over public networks by employees who are working from home, or from remote offices. You should deploy a firewall solution, such as Microsoft Forefront Threat Management Gateway 2010, to protect from different types of network threats.

Host

The next layer of defense is the layer that is used for the host computer. You must keep computers secure with the latest security updates. You also have to configure security policies, such as password complexity, and configure host firewall and install antivirus software. Steps mentioned above contain a process that is called security hardening.

12-4 Securing

Ap

AppUpdappthatmen

Dat

Theprocon

http

http

Be

Conincr

•

•

•

•

Windows Servers Us

plication

plications are odate feature inplications mustt might allow antioned above

ta

final layer of sper use of file fidential data

Additional p://technet.mic


Question: Hoorganization?

st Practice

nsider the folloreasing security

Apply all avaias possible fostrive to implas possible toprotected froMicrosoft pubknown vulnerbeen releasedvolume of mavulnerability. that you adeq

Follow the prlevels requirecredentials is modify critica

Restrict consoremotely. Thidesktop. If yoensure that e

Restrict physiunlimited accto quickly resdrive to intro


only as secure Windows ope

t be tested by an external atte contain a pro

security is datauser permissiowith Encryptio

Reading: For crosoft.com/en


ow many layer?

es for Incre

owing best pray:

ilable security ollowing their rement security

o ensure that yom known vulnblicly releases rabilities after d, which can lealware attempHowever, you

quately test up

rinciple of leasted to complete

limited in its ial operating sy

ole logon. Logs is because so

ou allow adminnhanced secu

cal access. If socess to the datset the passwoduce malware

jects

as your latest erating systemIT security admtacker to compocess that is ca

a security. To hons by using Aon File System

the latest Micn-us/security/d

more informan-us/library/cc

rs of the defen

easing Sec

ctices for

updates as qurelease. You shy updates as so

your systems anerabilities. the details of an update has

ead to an increpting to exploitu must still enspdates before

t privilege. Proe their necessampact. It also

ystem settings.

ging on locallyome malware cnistrators to usrity features su

omeone has pa on that serverd on local ad

e.

security updatms to keep youministrators, wpromise appliclled applicatio

help ensure thAccess Control

(EFS), and per

crosoft securitydefault.aspx.

ation about coc959354.aspx .

nse-in-depth m

urity

uickly hould oon re

s eased t the ure they are appli

ovide users andry tasks. This elimits the abili

y at a console can only infectse Remote Desuch as user acc

physical access er. An unauthoministrator ac

te. You shouldr applications

whether they hacations or otheon hardening.

he protection oLists (ACLs), im

rform backups

y bulletin and

mmon types o.

model should y

ed widely with

d service accoensures that anity of users to

is a greater rist a computer bsktop Connectcount control

to your serveorized person

ccounts and all

d consistently uup-to-date. Mave any securier network com

of your networmplement the s of data regul

advisory infor

of network atta

you implemen

hin your organ

unts with the ny malware usaccidentally d

sk to a server tby using a usetion for server are enabled.

rs, that personcould use a wlow local acces

use the WindoMoreover, ity vulnerabilitmponents. Ste

rk, ensure the encryption ofarly.

mation, see

acks, see

t in your

nization.

lowest permissing those delete data or

than accessinger session at th

administratio

n has virtually wide variety of

ss, or use a US

ows

ies ps

f

sion

g data e n,

tools SB


Additional Reading: For more information about best practices for enterprise security, see http://technet.microsoft.com/en-us/library/cc750076.aspx.

12-6 Securing

Lesson 2Config

Oncyoulessandcon

GrocomServdom

Les

Afte

•

•

•

•

•

•

•

Co

SecumanWinvaritemcan acco

•

•

•

•

•

•

•

Windows Servers Us

2 guring Sce you have le can start confon, you will lea computers infigure passwo

up Policy has mputers. You cavices (AD DS) bmain, or Organ

sson Objecti

er completing

Describe how

Describe wha

Describe how

Describe how

Describe how

Describe how

Describe how

onfiguring

urity templatenage and confndows-based cous categories

mplates are diviconfigure eac

ording to a co

Account policlockout policy

Local policiesassignment, a

Event log: ap

Restricted gro

System servic

Registry: perm

File system: p


Securityarned about sfiguring securiarn how to co your organizard policy settin

a large securitan apply securby defining secnizational Unit

ives

this lesson, yo

w to configure

at user rights a

w to configure

w to configure

w to configure

w to configure

w to configure

Security T

s are files thatfigure security computers. Des of security seided into logicch of the followmpany’s need

cies: password y, and Kerbero

s: audit policy, and security op

plication, syste

oups: member

ces: startup and

missions for re

permissions for

jects

y Settingecurity threatsity for your Winfigure securitation, you will ngs and then d

ty component rity consistentlcurity settings (OU).

ou will be able

Security temp

re and how to

Security Optio

User Account

Auditing.

Restricted Gro

Account Polic

Templates

you can use tsettings on pending on th

ettings, securitycal sections. Yowing sections s and requests

policy, accounos policy

user rights ptions

em, and securi

rship of groups

d permissions

gistry keys

r folders and fi

gs s and risks, andindows® 8 andty settings. To use Group Po

deploy them o

that you can uly across the oin a Group Po

to:

plates.

o configure the

ons.

Control.

oups.

y Settings.

to

he y ou

s:

nt

ty event log se

s that have spe

for system ser

iles

d about best pd Windows Ser

apply those seolicy. For examon multiple use

use to configuorganization inolicy Object (G

em.

ettings

ecial rights an

rvices

practices for inrver 2012 enviecurity settingple, you can uers.

ure security forn Active DirectGPO) that is ass

d permissions

creasing securronment. In th

gs to multiple uuse Group Polic

r both users anory® Domain sociated with a

rity, his users cy to

nd

a site,

Wmth

•

•

•

•

•

C

UpecoriggA

Th

•

•

Yode

Yo\WM

So

•

•

•

•

•

•

•

When you confmultiple compuhe security tem

The secedit

The Securit

The Securit

Group Polic

Security Co

Configuring

User rights assigerform actionsomputer has itght to changeranted either tdministrator.

here are two ty

Privileges ddomain resup files and

Logon righton to a comto a system

ou can configuefault.

ou can configuWindows Sett

Management C

ome examples

Add workst

Allow log o

Allow log olog on as R

Back up filea computer

Change theon the inte

Force shutdfrom a rem

Shut down allowed to

igure a securituters on the nemplates:

t.exe command

ty Templates sn

ty Configuratio

cy

ompliance Man

g User Rig

gnment refers s on the operats own set of ue the system timto the Local Sy

ypes of user ri

define access tosources. For exd directories.

ts define who imputer, and ho

m locally.

ure rights thro

ure settings fotings\SecurityConsole (GPM

s of commonly

tations to dom

on locally. Dete

on through Rememote Deskto

es and directorr.

e system time. rnal clock of th

down from a reote location o

the system. Dshut down the

ty template, yoetwork. The fo

d-line tool

nap-in

on and Analysi

nager

ghts

to the ability tating system. Euser rights, sucme. Most rightystem or to the

ghts:

o computer anxample, rights t

is authorized tow they can lo

ough Group Po

r User Rights by Settings\Lo

MC).

y used user rig

main. Determin

ermines which

mote Desktopop Services Clie

ries. Determine

Determines whe computer.

emote systemon the network

etermines whie computer.

ou can use it tollowing are a f

s Wizard

to Each ch as the ts are e

nd to back

to log og on. For exam

olicy. The defau

by accessing: Ccal Policies\U

hts (and polici

nes which users

users can log

Services. Deteent.

es which users

which users or g

. Determines wk.

ch of the user

20410A: Installin

o configure a sfew ways that

mple, logon rig

ult domain po

Computer CoUser Rights As

ies configured

s or groups ca

on the compu

ermines which

s have permiss

groups have r

which users are

rs who are logg


single computyou can config

ghts may defin

olicy has no rig

nfiguration\Pssignment fro

by them) are:

an add worksta

uter.

h users or grou

sions to back u

ight to change

e allowed to sh

ged on locally

Windows Server® 20

ter or to configgure and distr

ne the right to

ghts defined by

Policies om the Group

:

ations to the d

ups have perm

up files and fol

e the time and

hut down a co

y to a compute

012 12-7

gure ribute

o log on

y

p Policy

domain.

ission to

lders on

d date

omputer

er are

12-8 Securing

Co

Youoptcan follo

•

•

•

•

•

•

You\Wi

The

•

•

•

•

Co

Admdegaccothe the settlogghas

Usethatcomadmactiuser

By dconstanUAC

Windows Servers Us

onfiguring

u can use Grouions. The comconfigure in s

owing:

Administrato

Access to disk

Digital data s

Driver installa

Logon promp

User account

u can also confndows Setting

following are

Interactive lolog on to the

Accounts: Reassociated wi

Accounts: Reassociated wi

Devices: Resis accessible t

onfiguring

ministrative accgree of securityount is loggedentire Windowregistry, systeings. As long aged on, the sythe potential

r Account Cont helps preven

mputer, by askiministrator credons that couldrs.

default, both stext of a stand

ndard user accC creates a mo


Security O

p Policy to coputer security security option

r and Guest ac

k and CD/DVD

ignatures

ation behavior

pts

control

figure settings gs\Security Sett

examples of c

ogon: Do notcomputer dis

ename adminth the security

ename adminth the security

trict CD-ROMto both local a

User Acco

counts carry wy risk. When and on, its privilegws operating sm files, and coas an administstem is vulnerato be compro

ntrol (UAC) is at unauthorizeding the user fodentials befored potentially af

tandard users dard user. The ount to an ad

ore secure envi

jects

Options

nfigure securitsettings that y

ns include the

ccount names

D drives

for security optings\Local Po

commonly use

t display last uplays in the W

nistrator accouy identifier (SID

nistrator accouy identifier (SID

M access to locnd remote use

ount Contr

with them a hign administrativges allow accesystem, includionfiguration rative accountable to attack mised.

security featud changes to aor permission oe performing ffect the comp

and administrUAC prompt pministrator accironment in w

ty you

ptions by acceolicies\Security

ed security opt

user name. DeWindows logon

unt. DeterminD) for the acco

unt. DeterminD) for the acco

cally logged-ers simultaneo

rol

gher ve ess to ng

t is and

ure a or

puter's operati

rators access reprovides a waycount withouthich to run an

essing Computy Options from

tions:

etermines whe window.

nes whether a dount Administr

nes whether a dount Administr

on user only.ously.

on or that cha

esources and ry for a user to t logging off, snd install applic

ter Configuratm the GPMC.

ether the name

different accorator.

different accorator.

. Determines w

ange settings t

run applicatioelevate his or

switching userscations.

ion\Policies

e of the last us

unt name is

unt name is

whether a CD-

that affect mul

ns in the securr her status fros, or using Run

ser to

ROM

ltiple

rity m a n As.


When an application requires administrator-level permission, UAC notifies the user as follows:

• If the user is an administrator, the user confirms to elevate his or her permission level and continue. This process of requesting approval is known as Admin Approval Mode.

Note: In Windows Server 2012, the built-in Administrator account does not run in Admin Approval Mode. The result is that no UAC prompts display when using the local Administrator account.

• If the user is not an administrator, then a username and password for an account that has administrative permissions needs to be entered. Providing administrative credentials temporarily gives the user administrative privileges, but only to complete the current task. After the task is complete, permissions change back to those of a standard user.

When using this process of notification and elevation to administrator account privileges, changes cannot be made to the computer without the user knowing. This can help prevent malicious software (malware) and spyware from being installed on or making changes to a computer.

UAC allows the following system-level changes to occur without prompting, even when a user is logged on as a local user:

• Install updates from Windows Update

• Install drivers from Windows Update or those that are packaged with the operating system

• View Windows operating system settings

• Pair Bluetooth devices with the computer

• Reset the network adapter, and perform other network diagnostic and repair tasks

Modifying UAC Behavior You can modify the UAC notification experience to adjust the frequency and behavior of UAC prompts. To modify UAC behavior on a single computer, access the Windows Server 2012 control panel in System and Security.

You can also configure UAC settings by accessing from the GPMC: Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Security Options.

The following are examples of some GPO settings that you can configure for UAC:

• User Account Control: Run all administrators in Admin Approval Mode. Controls the behavior of all UAC policy settings for the computer. If this setting is disabled, UAC will not run on this computer.

• User Account Control: Administrator Approval Mode for the built-in Administrator account. When you enable this setting, the built-in Administrator account uses Admin Approval Mode.

• User Account Control: Detect application installations and prompt for elevation. This setting controls the behavior of application installation detection for the computer.

• User Account Control: Only elevate executables that are signed and validated. When you enable this setting, a Public Key Infrastructure (PKI) check is performed on the executable file to verify that it originates from a trusted source. If the file is verified, then the file is permitted to run.

Note: By default, UAC is not configured or enabled in Server Core installations of Windows Server 2012.

12-10 Securing

Co

Typorgaactivunsdataor userv

Recsecusecuthe

Afteevesecu

•

•

•

You\Po

The

•

•

•

•

http

g Windows Servers U

onfiguring

ically, one of tanization’s secvities behavioruccessful attema that is storedunsuccessful lovers.

ording these surity auditing. urity event logSecurity Event

er configuring nt logs can heurity-related d

A group adm

An employeedifferent dep

A user who iscompany comthat week, wh

u can configureolicies\Window

following are

Audit accouncomputer val

Audit accounsuch as creatior disabling a

Audit objectDirectory objmust configutype of action

Audit systemas attemptinglog size excee


Using Group Policy O

Auditing

the componencurity strategy r, such as succmpts to accessd in different foogon attempts

security-relatedSecurity auditi

gs that administ Log in Event

auditing, infolp your organata by tracking

ministrator who

e within a definartments.

s trying to log mputer. You mhich means so

e security audiws Settings\S

examples of s

nt logon evenidates an acco

nting manageing, changing,a user account

t access. Deterects, such as fore system accen, such as write

m events. Deteg to change theding a config


bjects

nts of an is recording uessful or s business-critiolders, or succon different

d events is calling produces strators can vieViewer.

rmation in secization audit tg precisely def

o has modified

ned group that

on to his or hemight find that

me other emp

iting settings bSecurity Settin

some GPO sett

nts. Determineount’s credenti

ement. Determ renaming, or .

rmines whetheolders or files. ess control listse, read, or mod

ermines whethhe system timeurable thresho

more informan-us/library/hh

user

cal cessful

led

ew in

curity heir compliancfined activities

settings or da

t has accessed

er account repthe employee

ployee was tryi

by accessing frngs\Local Pol

tings that you

es whether theials.

mines whetherdeleting a use

er operating syBefore configs (SACLs) on fodify.

her the operatie, attempting aold warning.

ation about sech849638.aspx.

ce with imports such as:

ata on servers

d an important

peatedly withoe who owns thng to log on w

rom the GPMClicies\Audit P

can configure

e operating sys

r to audit eacher account, cha

ystem audits huring audit seolders or files t

ing system auda system startu

curity auditing

tant business-

that contain fi

t folder contain

out success froat user accounwith a differen

C: Computer CPolicy.

e for UAC:

stem audits ea

h event of accoanging a passw

have access to ettings with Groto allow audit

dits system-reup or shutdow

g, see

related and

inance informa

ning data from

m an internal nt was on a vant user account

Configuration

ach time the

ount managemword, or enab

non-Active oup Policy, yoing for a speci

lated events, swn, or the secu

ation.

m

cation t.

n

ment, ling

ou ific

such rity

C

Inmasad

YocomRePoonredo

AyoanwA

YoReA

YoC

C

Aacacyoutcopase

ImThimSeanm(O

sh

Configuring

n some cases, ymembership of s the local admddition of othe

ou can use theontrol group m

members are plestricted Grouolicy, any curren the Restricteemoved, includomain adminis

lthough you cou should use nd Schema Ad

workstations andministrators

ou cannot speestricted Groudministrators

ou can configuomputer Con

Configuring

ccount policieccounts and daccount passwoour network entilize strong paontrol the comasswords. You ettings throug

mplementinhe policy settin

mplemented aterver 2012 domnd account loc

multiple policieOU).

Note: If yhadow group, w

g Restricte

you may want certain group

ministrators groer user accoun

e Restricted Grmembership bylaced in a groups policy and ent member o

ed Groups poliding default mstrators.

an control domthis setting pr

dmins. You cannd member sergroup on all w

ecify local usersps policy contaccount is alw

ure the settingnfiguration\Po

g Account

es protect yourata by mitigat

ord brute forcenvironment reasswords. Pass

mplexity and lifcan configure

h Group Policy

ng Account ngs under Acct the domain lmain can haveckout policies, s to a user or t

you need to apwhich is a glob

ed Groups

to control theps in a domain—oup—to prevents to those gr

roups policy toy specifying wup. If you definthen refresh G

of a group thatcy members li

members such a

main groups brimarily to conn also use this rvers. For exam

workstations.

s in a domain trols will be rem

ways in the loca

gs for Restricteolicies\Windo

t Policy Se

r organization’ing the threat

e attacks. Secuequires that all sword policy sefetime of user e password poy.

Policies count policies aevel. A Windo

e multiple passwhich are call

to a global sec

pply a fine-grabal security gro

s

e —such ent the oups.

o what ne a Group t is not st is as

by assigning Renfigure membesetting to cont

mple, you can

GPO. Local usmoved. The onal Administrato

d Groups by aows Settings\

ttings

’s of ring users

ettings

licy

are ows sword led fine-grainecurity group in

ined passwordoup that is log

20410A: Installing

estricted Grouership of criticatrol the membplace the Help

ers who currennly exception tors group.

accessing from\Security Sett

ed password pn a domain, bu

d policy to usegically mapped

g and Configuring W

ups policies to al groups suchbership of builpdesk group in

ntly are in the to this is that t

m the GPMC: ings\Restricte

policies. You caut not to an or

ers of an OU, yd to an OU.


domain controh as Enterpriset-in local grou

nto the local

local group ththe local

ed Groups.

an apply theserganizational u

you can use a

12 12-11

ollers, Admins

ups on

hat the

unit

12-12 Securing Windows Servers Using Group Policy Objects

You can configure Account policy settings by accessing from the GPMC: Computer Configuration \Policies\Windows Settings\Security Settings\Account Policies.

Account Policies Components

Account policy components include password policies, account lockout policies, and Kerberos policy.

Password Policy Password policies that you can configure are listed in the following table.

Policy Function Best Practice

Password must meet complexity requirements

Requires passwords to:

• Be at least six characters long.

• Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks).

• Must not contain the user’s user name or screen name.

Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to decrypt than those containing simple letters or numbers.

Enforce password history

Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.

The greater number ensures better security. The default value is 24. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.



Maximum password age

Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.

By default it is 42 days; it is recommended that you set is at 90 days. Setting the number of days too high provides hackers with an extended window of opportunity to determine the password. Setting the number of days too low frustrates users who have to change their passwords too frequently, and could result in more frequent calls to the IT help desk.

Minimum password age

Sets the minimum number of days that must pass before a password can be changed.

Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings.

For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Minimum password length

Specifies the fewest number of characters that a password can have.

Set the length to between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Store passwords by using reversible encryption

Provides support for applications that require knowledge of a user password for authentication purposes.

Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.


Account Lockout Policy

Account Lockout Policies that you can configure are listed in the following table.


Account lockout threshold

Specifies the number of failed login attempts that are allowed before the account is locked.

For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.

A setting of 50 allows for reasonable user error, and limits repeated login attempts for malicious purposes.

Account lockout duration

Allows you to specify a timeframe, in minutes, after which the account automatically unlocks and resumes normal operation. If you specify 0, then the account will be locked indefinitely until an administrator manually unlocks it.

After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations.

Reset account lockout counter after

Defines a timeframe for counting the incorrect login attempts. If the policy is set for one hour, and the account lockout threshold is set for three attempts, a user can enter the incorrect login information three times within one hour. If they enter incorrect information twice, but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.

Using a timeframe between 30 and 60 minutes is usually sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Kerberos Policy

This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.


Lab A: Increasing Security for Server Resources Scenario


You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.

Your manager has given you some security-related settings that need to be implemented on all member servers. You also need to implement file system auditing for a file share used by the Marketing department. Finally, you need to implement auditing for domain logons.

Objectives


• Use Group Policy to secure member servers.

• Audit File System Access.

• Audit Domain Logons.

Lab Setup For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:







5. Repeat steps 2-4 for 20410A-LON-SVR1 and steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.

Exercise 1: Using Group Policy to Secure Member Servers

Scenario

A. Datum uses the Computer Administrators group to provide administrators with permissions to administer member servers. As part of the installation process for a new server, the Computer Administrators group from the domain is added to the local Administrators group on the new server. Recently, this important step was missed when configuring several new member servers.

To ensure that the Computer Administrators group is always given permission to manage member servers, your manager has asked you to create a GPO that sets the membership of the local Administrators group on member servers to include Computer Server Administrators. . This GPO also needs to enable Admin Approval Mode for UAC.



1. Create a Member Servers Organizational Unit (OU) and move servers into it.

2. Create a Server Administrators group.

3. Create a Member Server Security Settings GPO and link it to the Member Servers OU.

4. Configure group membership for local administrators to include Server Administrators and Domain Admins.

5. Verify that Computer Administrators has been added to the local Administrators group.

6. Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally.

7. Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Build-in Administrator Account.

8. Verify that a standard user cannot log on to a member server.

Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it 1. On LON-DC1, open Active Directory Users and Computers.

2. Create new OU called Member Servers OU.

3. Move servers LON-SVR1 and LON-SVR2 to Member Servers OU.

Task 2: Create a Server Administrators group • On LON-DC1, in Member Servers OU, create a new global security group called Server

Administrators.

Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU 1. On LON-DC1, open the Group Policy Management Console.

2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new GPO with a name Member Server Security Settings.

3. In the Group Policy Management Console, link the Member Server Security Settings to Member Servers OU.

Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins 1. On LON-DC1, open Group Policy Management Console.

2. Edit the Default Domain Policy.

3. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security Settings, and then click Restricted Groups.

4. Add the Server Administrators and Domain Admins groups to the Administrators group.

5. Close the Group Policy Management Editor.


Task 5: Verify that Computer Administrators has been added to the local Administrators group 1. Switch to LON-SVR1, and log on as Adatum\Administrator with a password of Pa$$w0rd.

2. Open a Windows PowerShell® window, and from a Windows PowerShell command prompt, type following command:

gpupdate/force

3. Open Server Manager, open the Computer Management console, and then expand Local Users and Groups.

4. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members.


Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally 1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.

3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\User Rights Assignment, and configure Allow log on locally for Domain Admins and Administrators security groups.


Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Build-in Administrator Account 1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings

GPO.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Security Options, and enable User Account Control: Admin Approval Mode for the Built-in Administrator account.


Task 8: Verify that a standard user cannot log on to a member server 1. Switch to LON-SVR1.

2. Open Windows PowerShell, and from a Windows PowerShell command prompt, type following command:

gpupdate/force

3. Log off of LON-SVR1.

4. Try to log back on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.

5. Verify that you cannot log on to LON-SVR1.

Results: After completing this exercise, you should have used Group Policy to secure Member servers.


Exercise 2: Auditing File System Access

Scenario

The manager of the Marketing department has concerns that there is no way to track who is accessing files that are on the departmental file share. Your manager has explained that only users with permissions are allowed to access the files. However, the manager of the Marketing department would like to try logging access to the files that are in the file share to see which users are accessing specific files.

Your manager has asked you to enable auditing for the file system that is on the Marketing department file share, and to review the results with the manager of the Marketing department.


1. Modify the Member Server Security Settings GPO to enable object access auditing.

2. Create and share a folder.

3. Enable auditing on the HR folder for Domain Users.

4. Create a new file in the file share from LON-CL1.

5. View the results in the security log on the domain controller.

Task 1: Modify the Member Server Security Settings GPO to enable object access auditing 1. On LON-DC1, in the Group Policy Management console, edit the Member Server Security Settings

GPO.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Audit Policy, and enable Audit object access with both Success and Failure settings.

Task 2: Create and share a folder 1. On LON-SVR1, on drive C, create a new folder with the name HR.

2. Configure the HR folder with Read/Write sharing permissions for user Adam.

Task 3: Enable auditing on the HR folder for Domain Users 1. On LON-SVR1, in the Local Disk (C:) window, configure auditing on the HR folder, with following

settings:

o Select a principal: Domain Users

o Type: All

o Permission: Read & execute, List folder content, Read, Write

o Leave other settings with their default values.

2. Open a command prompt window and refresh Group Policy using the gpupdate /force command.

Task 4: Create a new file in the file share from LON-CL1 1. Switch to LON-CL1.

2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

3. Open a command prompt window, and type the following command:

gpupdate/force

4. Close the command prompt window.


5. Log off LON-CL1 and then log on again, as Adatum\Adam with a password of Pa$$w0rd.

6. Open the HR folder on LON-SVR1, by using following Universal Naming Convention (UNC) path: \\LON-SVR1\HR.

7. Create a text document with a name Employees.

8. Log off of LON-CL1.

Task 5: View the results in the security log on the domain controller 1. Switch to LON-SVR1, and start Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then open Security.

3. Verify that following event and information displays:

o Source: Microsoft Windows Security Auditing

o Event ID: 4663

o Task category: File System

o An attempt was made to access an object.

Results: After completing this exercise, you should have enabled file system access auditing.

Exercise 3: Auditing Domain Logons

Scenario

After a security review, the IT policy committee has decided to begin tracking all user logons to the domain. Your manager has asked you to enable auditing of domain logons and verify that they are working.


1. Modify the Default Domain Policy GPO.

2. Run GPUpdate.

3. Log on to LON-CL1 with an incorrect password.

4. Review event logs on LON-DC1.

5. Log on to LON-CL1 with the correct password.

6. Review event logs on LON-DC1.

Task 1: Modify the Default Domain Policy GPO 1. On LON-DC1, in the Group Policy Management Console, edit the Default Domain Policy Group

Policy Object.

2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Audit Policy, and then enable Audit account logon events with both Success and Failure settings.

3. Update Group policy by using the Gpupdate /force command.


Task 2: Run GPUpdate 1. Switch to LON-CL1.


3. Open the a command prompt window, and type the following command:

gpupdate/force

4. Close the command prompt window, and log off LON-CL1.

Task 3: Log on to LON-CL1 with an incorrect password • Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect to generate a security log which shows that that an unsuccessful login attempt has been made.

Task 4: Review event logs on LON-DC1 1. On LON-DC1, start Event Viewer.

2. In the Event Viewer window, expand Windows Logs, and then click Security.

3. Review the event logs for the following message: “Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.”

Task 5: Log on to LON-CL1 with the correct password • Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

Task 6: Review event logs on LON-DC1 1. On LON-DC1, start Event Viewer.


3. Review the event logs for the following message: “A user successfully logged on to a computer.”

Results: After completing this exercise, you should have enabled domain logon auditing.

To prepare for the next lab • To prepare for the next lab, leave the virtual machines running.

LessonRestri

Uapbuthaconp

LeA

•

•

•

•

W

InansoadanrucoG

SoWWup

R

Rucobeth

•

•

•

•

n 3 icting Ssers need accepplications oftusiness purposherefore, that sccess or spreadnly necessary srevent softwar


Describe hoservers and

Describe th

Describe Apservers and

Describe ho

What Are S

ntroduced in thnd the Windowoftware restrictdministrators tnd specify whiun on client coonfigured and roup Policy.

oftware RestricWindows ServeWindows Vista®

p of the follow

Rules

ules govern hoonstructs withieing run. Ruleshe application

Hash. A cry

Certificate.

Path. The lo

Zone. The I

Softwareess to the applten get installeses. Unsupportsoftware couldd computer virsoftware gets re from runnin


ow software red clients.

he purpose of A

ppLocker rulesd clients.

ow to create A

Software R

he Windows Xws Server 2003tion policies (Stools that theych application

omputers. SRP deployed to c

ction Policies pr 2012 to prov

® compatibilitywing rules and

ow SRP responin an SRP, ands can be basedin question:

yptographic fin

A software pu

ocal or UNC pa

nternet zone.

e lications that hed on client coted or unused

d be attacked aruses. Consequinstalled on al

ng that is not a

you will be ab

estriction polic

AppLocker®.

s and how to u

AppLocker rule

Restriction

P operating sy3 operating syRP) give

y can use to idens are permittesettings are

clients by using

policies are usevide Windows y. An SRP set issecurity levels

nds to an appli a group of ru

d on one of th

ngerprint of th

ublisher certific

ath to where t

help them do tmputers, whet software is noand used as anuently, it is of tl the compute

allowed or is no

le to:

ies are used to

use them to re

es.

Policies?

ystem stem,

entify ed to

g

ed in XP and s made s.

ication that is ules together de following cri

e file.

cate that is use

the file is store

20410A: Installing

their jobs. Howther unintentioot maintained n entry point fthe utmost im

ers in your orgao longer used

o restrict unau

estrict unautho

being run or idetermine howiteria that app

ed to digitally

ed.

g and Configuring W

wever, unneceonally or for mor secured by

for attackers tomportance for y

anization. It is or supported.

uthorized softw

orized software

nstalled. Rulesw an SRP respoply to the prim

sign a file.


ssary or unwamalicious or noy the administro gain unauthoyou to ensure also vital that

.

ware from runn

e from running

s are the key onds to applicaary executable

12 12-21

nted on-rators; orized that

t you

ning on

g on

ations e file for

12-22 Securing

Sec

Eachthe

•

•

•

Usin

•

•

SoftCom\So

prot

Wh

AppWinServwhi

Appmetidenrestacceto cAppAD

ApporgaActiworapp

Usinconfiles

g Windows Servers U

curity Levels

h applied SRP application th

Disallowed. T

Basic User. A

Unrestricted

ng these three

If an administclients, the Derun can be idlevel to each

If an administon clients, therequirementsrules, which w

tware Restrictiomputer Configftware Restri

Additional tect against un

hat Is App

pLocker, whichndows 7 operaver 2008 R2, isch application

pLocker providthods for detentity of applicarict, or to whicess. AppLockecomputer objepLocker rules cDS users or gr

pLocker also coanizations preiveX® controls rkstations are splications that a

ng AppLocker trol how users

s), and DLLs.


s

is assigned a shat is defined i

The software i

Allows the softw

d. Allows the so

settings, there

trator has a coefault Securityentified in SRPindividual app

trator does noe Default Secus. Any applicatwould use a se

on Policy settiguration\Poliction Policies

Reading: For nauthorized so

Locker?

h was introduceting system an a security setts users are allo

des administratrmining quickations that thech they may wr is applied thrcts within an O

can also be approups.

ontains optionvent unlicensefrom being in

standardized aare approved

technology, cos can access an

bjects

security level tn the rule is ru

dentified in th

ware identified

oftware identif

e are two prim

omprehensive y Level can be P rules that woplication, depe

ot have a compurity Level can ions that shoucurity level set

ngs can be fouicies\Windows.

more informaoftware, see ht

ed in the nd Windows ting that controwed to run.

tors a variety oly and concise

ey may want towant to permit rough Group POU. Individual plied to individ

ns for monitoried or maliciousnstalled. It can across the enteby the enterpr

ompanies cannd use files, su

that governs thun. The three a

he rule will not

d in the rule to

fied in the rule

mary ways to u

list of all the soset to Disallow

ould apply eithending on the

prehensive list be set to Unre

uld not be allowtting of Disallo

und in Group ws Settings\Se

ation about usittp://go.micros

rols

of ely the o

Policy

dual

ng or auditings software fromalso reduce th

erprise, and tharise.

reduce adminch as .exe files

he way that thavailable secur

t run, regardles

o run as a stan

e to run unrest

se SRPs:

oftware that swed. All applicher the Basic Usecurity requir

of the softwarestricted or Bwed to run canowed.

Policy at the foecurity Setting

ing software resoft.com/fwlin

g the applicatiom executing, ahe total cost ofat users are ru

nistrative overhs, scripts, Wind

he operating syrity level settin

ss of the acces

ndard, non-adm

tricted by SRP.

hould be allowcations that shUser or Unresrements.

re that should Basic User, depn then be iden

ollowing locatgs

estriction Policnk/?LinkId=203

on of rules. Apand can selectif ownership by

unning only th

head and helpdows Installer f

ystem reacts wngs are as follo

ss rights of the

ministrative us

.

wed to run on hould be allowtricted securit

be allowed topending on sentified by using

tion:

cies to 3296.

ppLocker can hively restrict y ensuring thae software and

p administratorfiles (.msi and

when ows:

e user.

ser.

wed to ty

o run curity g SRP

help

at d

rs .msp

Yo

•

•

•

•

Yo\W

A

•

•

•

•

•

•

•

•

ht

A

Athfil

•

•

•

•

D

Tha seno

A

Aaplisalp

ou can use Ap

Is not allow

Is no longe

Is no longe

Should be u

ou can configuWindows Sett

ppLocker is av

Windows S

Windows S

Windows S

Windows S

Windows S

Windows 7

Windows 7

Windows 8


AppLocker

ppLocker definhat are derivedle. File attribut

Publisher n

Product na

File name

File version

Default Conf

he default conset of default

et of rules ensuormally are all

Allow and De

Allow and Denpplications thast of applicatiolows the execurovide a mean

ppLocker to res

wed to be used

r used or it is r

r supported in

used only by s

ure AppLockertings\Security

vailable in the

erver 2008 R2

erver 2008 R2

erver 2008 R2

erver 2008 R2

erver 2012

Ultimate ope

Enterprise op


Rules

nes rules based from the digtes in the digit

ame

me

figuration

nfiguration for rules for each

ures that the fiowed to run.

eny Rule Ac

ny are rule actiat you configuons, and blocksution of any a

ns to identify e

strict software

d in the compa

replaced with

n the company

specific depart

r settings by by Settings\Ap

following Win

Standard ope

Enterprise op

Datacenter op

for Itanium-b

rating system

perating system


d on file attribital signature otal signature in

AppLocker corule collection

iles that are ne

ctions

ons that allowre. The Allows everything epplication excxceptions to t

that:

any.

newer version

y.

ments.

rowsing in GPpplication Con

dows operatin

erating system

erating system

perating syste

based Systems

m

mation about A/hh831409.asp

butes of the nclude:

ontains n. This ecessary for W

w or deny execuaction on rulelse. The Denyept those on ahose actions.

20410A: Installing

n.

PMC to: Compntrol Policies.

ng system edit

m

m

operating syst

AppLocker, sepx.

Windows operat

ution of applices limits execuaction on rule

a list of denied

g and Configuring W

uter Configu.

tions:

tem

e

ting systems t

cations based tion of applicaes takes the opd applications.


ration\Policie

o run and ope

on a list of ations to an alpposite approaThese actions

12 12-23

es

erate

lowed ach and s also


You should use AppLocker when software is being used that is:

• Not allowed for use in the company. Give an example of software that can disrupt employees’ business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth.

• No longer used. Software that is not needed in the company is no longer maintained.

• No longer supported. Software that is not updated with security updates might pose a security risk.

Enforce or Audit Only

When AppLocker policy is set to Enforce, rules are enforced and all events are audited. When AppLocker policy is set to Audit Only, rules are evaluated and events are written in to the AppLocker Log, but no enforcement takes place.

Demonstration: Creating AppLocker Rules


• Create a GPO to enforce the default AppLocker Executable rules.

• Apply the GPO to the domain.

• Test the AppLocker rule.

Demonstration Steps

Create a GPO to enforce the default AppLocker Executable rules

1. On LON-DC1, open the Group Policy Management console.

2. Create a new GPO named WordPad Restriction Policy.

3. Edit the WordPad Restriction Policy’s Security Settings by using AppLocker to create a new Executable Rule.

4. Set the permission of the new rule to Deny, the condition to Publisher, and then select wordpad.exe. If prompted, click OK to create default rules.

5. In the Group Policy Management Editor, browse to Computer Configuration\ Policies \Windows Settings\Security Settings\ Application Control Policies\ AppLocker.

6. In AppLocker, configure enforcement with Enforce rules.

7. In the Group Policy Management Editor, browse to Computer Configuration\ Policies \Windows Settings\Security Settings\System Services.

8. Configure Application Identity Properties with Define this policy setting and Select service startup mode with Automatic.

Apply the GPO to the Contoso.com domain 1. Open a command prompt window, type gpupdate /force, and then press Enter.

2. Start and then log on to 20410A-LON-SVR1 as Adatum\Alan, with the password, Pa$$w0rd.

3. In the command prompt window, type gpupdate /force, and then press Enter. Wait for the policy to update.

Test the AppLocker rule

• Attempt to start WordPad, and then verify that WordPad does not start.

LessonConfi

WSemunea

Le

A

•

•

•

•

W

WhoSecothpInfrfofr

In

Ininco

Oorextrco

YoCex

C

Yo20th

n 4 guring

Windows Firewaerver 2012. Th

malware. Windonique settings ach server, or c

esson Objec

fter completin

Describe th

Describe Fi

Describe Co

Describe ho

What Is Wi

Windows Firewaost-based firewerver 2012. Thomputer and rhat computer. rovides protec

nternet, a host-om threats wh

or a host that iom LAN or Int

nbound and

nbound rules cnitiated by anoommunication

Outbound rulesr computer onxplicitly blockeraffic that is exomputer and t

ou can create ontrol Protocoxecutable netw

Connection S

ou use Connec012. When thehen use that in

Windoall with Advanis snap-in helpows Firewall wto different ty

configure them

ctives

ng this lesson, y

he features of W

rewall Profiles

onnection Sec

ow to deploy W

ndows Fir

all with Advanwall that is incis snap-in runsrestricts netwoUnlike a perim

ction only from-based firewalherever they os not behind aternet.

d Outbound

control commuother device orn is blocked ex

s control commn the network. ed by an outboplicitly allowedthe network co

inbound and ool (TCP) ports. work access, re

Security Rul

ction Security ese rules are conformation to c

ws Firewced Security is

ps to prevent swith Advanced ypes of networm centrally by

you will be ab

Windows Firew

.

urity Rules.

Windows Firew

ewall with

ced Security isluded in Winds on the local

ork access to anmeter firewall, wm threats on thl provides proriginate. For exa firewall, it pro

d Rules

unication that r computer oncept the traffic

munication thaBy default, all

ound rule. If yod, you must caommunication

outbound ruleYou can also c

egardless of th

les

Rules to configonfigured, youcreate firewall

wall wits an importantseveral differenSecurity has mrks. You can musing Group P

le to:

wall with Adva

wall rules.

h Advanced

s a dows

nd from which

he tection xample, otects

is the network,c that is explic

at is initiated b outbound coou choose to barefully catalog required by t

es based on Uscreate inbounde port numbe

gure Internet Pu can authentic

rules based o

20410A: Installing

th Advat tool for enhant security issu

multiple firewamanually configPolicy.

nced Security.

d Security

with the hostcitly allowed by

by the host commmunication block all outbog the softwarehat software.

ser Datagram d and outboun

er that is being

Protocol Securcate communin specific user

g and Configuring W

anced Sancing the secuues such as poll profiles, eacgure Windows

.

y?

computer. By y an inbound

mputer, and isis allowed excound commune that is allowe

Protocol (UDPnd rules that a

g used.

rity (IPsec) for ication betweer and compute


ecurityurity of Windort scanning orh of which app

s Firewall rules

default, all inbrule.

s destined for aept the traffic

nication exceped to run on th

P) and Transmiallow a specific

Windows Serven computers,er accounts.

12 12-25

ows r plies on

bound

a device that is t the

hat

ission c

ver and

12-26 Securing

Ad

Winyou

WinR2,

•

•

•

•

•

•

YouComSecu

Fire

Dis

Winena

RevdiscbaseAdv

Fir

Winnetwprofnetwallonetw

Wityounetwfirewspec

g Windows Servers U

ditional Enh

ndows Firewall to perform ad

ndows Firewall and Windows

Supports filte

Provides a M

Integrates fire

Enables you t

Provides netw

Enables you t

u can configuremputer Configurity.

Note: Windwall by using t

scussion: W

ndows Firewall bled by defau

iew the discuscussion to idened firewall sucvanced Security

Question: Wbased firewalAdvanced Sec

ewall Prof

ndows Firewall work-aware apfiles to provideworks of a spews you to defiwork, a public

h Windows Fir can define a cwork; each conwall profile. Fircific firewall pr


hancements

with Advancedvanced config

in Windows VServer 2012 h

ering for both

MC snap-in th

ewall filtering

to configure ru

work location-

to import or ex

e Windows Fireuration\Policie

dows Server 20the Windows P

Why Is a H

with Advancelt on Windows

sion question ntify the benefch as Windowsy.

hy is it importl such as Windcurity?

files

with Advancepplication thate a consistent

ecific type. Winine a network network, or a

rewall with Advconfiguration nfiguration setrewall rules arerofiles.

bjects

s

ed Security is aguration of W

Vista, Windowshas the followi

incoming and

hat you can use

and IPsec prot

ules to control

aware profiles

xport policies.

ewall settings es\Windows Se

012 introducesPowerShell co

ost-Based

ed Security is s Server 2012.

and participatits of using a h

s Firewall with

ant to use a hodows Firewall w

ed Security is at uses firewall configuration

ndows Server 2as either a domprivate netwo

vanced Securitset for each tyt is referred to e activated onl

a Microsoft Maindows Firewa

s 7, Windows 8ng enhanceme

outgoing traf

e to configure

tection setting

network traffi

.

on each compettings\Securit

the additionammand-line in

d Firewall I

te in a host-

ost-with

a

for 2012 main

ork.

ty, ype of

as a ly for

anagement Coall.

8, Windows Seents:

ffic.

e advanced set

gs.

ic.

puter individuaty Settings\Wi

al option for adnterface.

mportant?

onsoles (MMC)

erver 2008, Win

ttings.

ally, or with Grndows Firewal

dministering W

?

) snap-in that a

ndows Server

roup Policy at:ll with Advanc

Windows

allows

2008

: ed

W

Wthappe

C

A beesinencoSe

Th

•

•

•

Windows Firewa

Profile

Public

Private

Domain

Windows Servehat a multi-hompply the domaerimeter netw

Connection

connection seetween two pestablish a connnformation. Thncrypting the omputers. Winecurity uses IP

he configurab

Isolation. Aby restrictincredentials health statuimplement

Authenticatnot requirea subnet, o

Serve-to-Serule usuallyendpoints bauthenticat

all with Advan

De

Us

OtdeW

Us

A apth

Usdo

Wcacapr

r 2012 allows med server thaain firewall proork.

n Security

ecurity rule foreer computersnection and traey also securedata that is tra

ndows Firewallsec to enforce

le connection

n isolation ruleng connectionsuch as doma

us. Isolation ruan isolation st

tion Exemptione authenticatior a predefined

erver. A server-y protects connbetween whichtion that you w

ced security in

escription

se when you a

ther than domefault, the Pub

Windows 7, and

se when you a

network is catpplication idenhe Home profil

se when your comain.

Windows operaan authenticatean be placed inrofile in Windo

multiple firewaat is connected

ofile to the inte

Rules

rces authenticas before they cansmit secure

e that traffic byansmitted betw with Advance

e these rules.

security rules

e isolates coms that are base

ain membershiules allow you ttrategy for serv

n. You can use on. You can ded group such a

-to-server rulenections betweh communicatwant to use.

ncludes the fol

are connected

main networks, blic (most restrd Windows 8.

are connected

tegorized as pntifies the netwle in Windows

computer is pa

ting systems ae access to then this categoryows Vista, Wind

all profiles to bd to both the ernal network,

ation can

y ween ed

are:

puters ed on p or to vers or domai

an authenticasignate compu

as a gateway.

protects conneen servers. Wtions are prote

20410A: Installing

llowing profile

to an untruste

all networks arictive) profile

behind a firew

rivate only if awork as private Vista, Window

art of a Windo

automatically ie domain conty. This profile idows 7, and W

be active on a internal netwo and the publi

ns.

ation exemptiouters by a spec

nections betweWhen creating tected. Then de

g and Configuring W

es:

ed public netw

are categorizedis used in Win

wall.

an administratoe. This profile iws 7, and Wind

ows operating

dentify netwotroller. No oths referred to a

Windows 8.

server simultaork and the peic or private fir

on to designatcific IP address

een specific cothe rule, specif

esignate requir


work.

d as Public. Bydows Vista,

or or an s referred to adows 8.

system

orks on which ier networks

as the Work

aneously. Thiserimeter networewall profile t

te connectionss, an IP addres

omputers. This fy the networkrements and th

12 12-27

y

as

t

means ork can to the

s that do ss range,

type of k he

12-28 Securing

•

•

Ho

Fireyoufirewand

De

Howimpappdepcan way

•

•

•

g Windows Servers U

Tunnel. With would use a t

Custom. Use aup authenticaSecurity Rule

w Firewall R

wall rules allow can create cowall. You must services; they

eploying Fi

w you deploy Wportant considepropriate methployed accurate

deploy Windoys:

Manually. Youfirewall rules environment this is labor-inmethod is typand troublesh

Using Group creating and firewall rules

Exporting andoption to impmanually contreated as a c


a tunnel rule, tunnel rule wh

a custom rule ation rules thaWizard.

Rules and C

w traffic throuonnection secut create a firewy are applied b

irewall Rul

Windows Fireweration. Choos

hod ensures thely and with mows Firewall ru

u can individuon each servewith more thantensive and ppically used onhooting.

Policy. The pretesting a GPOto a large num

d importing firport and expornfigure firewallcomplete set a

bjects

you can proteen connecting

to authenticatt you need by

onnection S

gh the firewalurity rules. Howwall rule to do between the co

les

wall rules is an sing the at rules are

minimum efforules in the follo

ally configure r. However, in an a few serverprone to error.nly during test

eferred way to with the requ

mber of compu

rewall rules. Wrt firewall rules rules during tnd replace all

ect connectiong across the Int

te connectionsy using the oth

Security Rul

l, but do not swever, connectthis. Connecti

omputers that

t. You owing

an rs, . This ing

o distribute fireuired firewall ruuters.

Windows Firewas. You can exptroubleshootincurrently conf

s between gatternet betwee

s between twoher rules availa

les Work To

secure that tration security ruon security rumake up the t

ewall rules is bules, you can q

all with Advanport firewall rung. When you figured firewa

teway computen two security

o endpoints whable in the new

ogether

ffic. To secure ules do not alloles are not apptwo endpoints

by using Groupquickly and ac

ced Security ales to create aimport firewall rules.

ters. Typically, y gateways.

hen you cannow Connection

traffic with IPow traffic throplied to progras.

p Policy. After curately deplo

also gives you t backup beforll rules, they a

you

ot set

sec, ough a ams

oy the

the re you re


Lab B: Configuring AppLocker and Windows Firewall Scenario


You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.

Your manager has asked you to implement AppLocker to restrict non-standard applications from running. He also has asked you to create new Windows Firewall rules for any member servers running web-based applications.

Objectives


• Configure AppLocker Policies.

• Configure Windows Firewall.

Lab Setup



20410A-LON-SVR1


Password Pa$$w0rd








5. Repeat steps 2-4 for 20410A-LON-SVR1 and 20410A-LON-CL1.


Exercise 1: Configuring AppLocker® Policies

Scenario

Your manager has asked you to configure new AppLocker policies to control the use of applications on user desktops. The new configuration should allow programs to be run only from approved locations. All users must be able to run applications from the C:\Windows directory and from C:\Program Files.

You also need to add an exception to run a custom-developed application that resides in a non-standard location. The first stage of the implementation will log compliance with rules. The second stage of implementation will prevent unauthorized programs from running.


1. Create an OU for Client Computers.

2. Move LON-CL1 to the Client Computers OU.

3. Create a Software Control GPO and link it to the Client Computers OU.

4. Run GPUpdate on LON-SVR1.

5. Run app1.bat in the C:\CustomApp folder.

6. View AppLocker events in an event log.

7. Create a rule that allows software to run from C:\CustomApp.

8. Modify Software Control GPO to enforce the rules.

9. Verify that an application can still be run from C:\CustomApp.

10. Verify that an application cannot be run from the Documents folder.

Task 1: Create an OU for Client Computers 1. Switch to LON-DC1.


3. Create new OU called Client Computers OU.

Task 2: Move LON-CL1 to the Client Computers OU • On LON-DC1, in the Active Directory Users and Computers console, move LON-CL1 to Client

Computers OU.

Task 3: Create a Software Control GPO and link it to the Client Computers OU 1. On LON-DC1, open the Group Policy Management Console.

2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) with a name Software Control GPO.

3. Edit the Software Control GPO.

4. In the Group Policy Management Editor window, browse to Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Application Control Policies/ AppLocker.

5. Create default rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules.

6. Configure the rule enforcement for Executable rules, Windows Installer Rules, Script Rules, and Packaged app Rules with Audit only option.


7. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings, click System Services and then double-click Application Identity.

8. In the Application Identity Properties dialog box, select the Define this policy setting and under Select service startup mode, select Automatic, and then click OK.


10. In the Group Policy Management Console, link the Software Control GPO to Member Servers OU.

Task 4: Run GPUpdate on LON-SVR1 1. Switch to LON-SVR1.


gpupdate/force

3. Close the command prompt window and restart LON-SVR1.

Task 5: Run app1.bat in the C:\CustomApp folder 1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

2. At the command prompt, type following command:

C:\CustomApp\app1.bat

Task 6: View AppLocker events in an event log 1. On LON-SVR1, start Event Viewer.

2. In the Event Viewer window, browse to Application and Services Logs/ Microsoft/AppLocker, and review the events.

3. Click MSI and Scripts, and review the event logs for App1.bat.

Task 7: Create a rule that allows software to run from C:\CustomApp 1. On LON-DC1, edit the Software Control GPO with the following settings Computer Configuration/

Policies/ Windows Settings/ Security Settings/ Application Control Policies/ AppLocker.

2. Create an AppLocker script rule with following settings:

o Permissions: Allow

o Conditions: Path

o Path: %OSDRIVE%\CustomApp\app1.bat

o Name and Description: Custom App Rule

Task 8: Modify Software Control GPO to enforce the rules 1. Use the Enforce rules option to configure rule enforcement for Executable rules, Windows

Installer Rules, Script Rules, and Packaged app Rules.


Task 9: Verify that an application can still be run from C:\CustomApp 1. Switch to LON-SVR1.



gpupdate/force

3. Close the command prompt window and restart LON-SVR1.


5. Open a command prompt and verify that you can run the app1.bat application, which is located in the C:\CustomApp folder.


Task 10: Verify that an application cannot be run from the Documents folder 1. On LON-SVR1, from CustomApp folder, copy app1.bat to the Documents folder.

2. Verify that application cannot be run from Documents folder, and that the following message appears: “This program is blocked by Group Policy. For more information, contact your system administrator.”

Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.

Exercise 2: Configuring Windows Firewall

Scenario Your manager has asked you to configure Windows Firewall rules for a set of new application servers. These application servers have a web-based application that is listening on a non-standard port. You need to configure Windows Firewall to allow network communication through this port. You will use security filtering to ensure that the new Windows Firewall rules apply only to the application servers.


1. Create a group called Application Servers.

2. Add LON-SRV1 as a group member.

3. Create a new Application Servers GPO.

4. Link the Application Servers GPO to the Member Servers OU.

5. Use security filtering to limit the Application Server GPO to members of Application Server group.

6. Run GPUpdate on LON-SRV1.

7. View the firewall rules on LON-SRV1.

Task 1: Create a group called Application Servers • On LON-DC1, in Active Directory Users and Computers, in the Member Servers OU, create a new

global security group called Application Servers.

Task 2: Add LON-SRV1 as a group member • In the Active Directory Users and Computers console, in the Member Servers OU, open Application

Servers Properties, and then and then add LON-SVR1 as a group member.

Task 3: Create a new Application Servers GPO 1. On LON-DC1, open the Group Policy Management Console.


2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) with a name Application Servers GPO.

3. In the Group Policy Management Editor, under In the Group Policy Management Editor window, browse to Computer Configuration/ Policies/ Windows Settings/ Security Settings / Application Control Policies/ Windows Firewall with Advanced Security.

4. Configure an inbound rule with the following settings:

o Rule Type: Custom

o Protocol type: TCP

o Specific Ports: 8080

o Scope: Any IP address

o Action: Allow the connection

o Profile: Domain

o Name: Application Server Department Firewall Rule


Task 4: Link the Application Servers GPO to the Member Servers OU • In the Group Policy Management Console, link the Application Servers GPO to the Member

Servers OU.

Task 5: Use security filtering to limit the Application Server GPO to members of Application Server group 1. On LON-DC1, open Group Policy Management Console, expand the Member Servers OU, and then

click Application Servers GPO.

2. In the right-hand pane, under Security Filtering, remove Authenticated Users, and configure Application Servers GPO to apply only to the Application Servers security group.

Task 6: Run GPUpdate on LON-SRV1 1. Switch to LON-SRV1.


gpupdate/force


4. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.

Task 7: View the firewall rules on LON-SRV1 1. Switch to LON-SVR1.

2. Start Windows Firewall with Advanced Security.

3. In Windows Firewall with Advanced Security window, in Inbound rules, verify that Application Server Department Firewall Rule you created using Group Policy earlier, is configured.

4. Verify that you cannot edit Application Server Department Firewall Rule, because it is configured through Group Policy.


Results: After completing this exercise, you should have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.


To prepare for the next module When you finish the lab, revert the virtual machines to their initial state by performing the following steps:







Question: Does the defense-in-depth model prescribe specific technologies that you should use to protect Windows Server operating system servers?

Question: What setting must you configure to ensure that users are allowed only three invalid logon attempts?

Question: You want to place an application control policy on a new type of executable file. What must you do before you can create a rule for this executable code?

Question: You are creating a GPO with standardized firewall rules for the servers in your organization. You tested the rules on a stand-alone server in your test lab. The rules appear on the servers after the GPO is applied, but they are not taking effect. What is the most likely cause of this problem?

Question: Last year, your organization developed a security strategy that included all aspects of a defense-in-depth model. Based on that strategy, your organization implemented security settings and policies on the entire IT infrastructure environment. Yesterday, you read in an article that new security threats were detected on the Internet, but now you realize that your company strategy does not include a risk analysis and mitigation plan for those new threats. What should you do?

Best Practices The following are best practices:

• Always make a detailed security risk assessment before planning which security features your organization should deploy.

• Create a separate GPO for security settings that applies to different type of users in your organization, because each department might have different security needs.

• Make sure that the security settings that you configure are reasonably easy to use so that they are accepted by employees. Frequently, very strong security policies are too complex or difficult for employees to adopt.

• Always test security configurations that you plan to implement with a GPO in an isolated, non-production environment. Only deploy policies in your production environment after this testing is completed successfully.



The user cannot log on locally to a server.

After configuring auditing, there are too many events logged in the Security Event Log in Event Viewer.

Some users complain that their business applications can no longer access resources on the server.


Tools


Group Policy Management Console (GPMC)

A graphical tool that you use to create, edit, and apply Group Policy Objects (GPOs).

Server Manager/Tools

AppLocker Applies security settings that control which applications are allowed to be run by users.

GPO Editor in GPMC

Windows Firewall with Advanced Security

A host-based firewall that is included as a feature in Windows Server 2012 and Windows Server 2008.

Server Manager/Tools if configured individually, or GPO Editor in GPMC for deploying with Group Policy

Security Compliance Manager

Deploying security policies based on Microsoft Security Guide recommendations and industry best practices.

Download from the Microsoft website at http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx.

13-1

Module 13 Implementing Server Virtualization with Hyper-V


Lesson 1: Overview of Virtualization Technologies 13-2

Lesson 2: Implementing Hyper-V 13-8

Lesson 3: Managing Virtual Machine Storage 13-15

Lesson 4: Managing Virtual Networks 13-22

Lab: Implementing Server Virtualization with Hyper-V 13-27


Module Overview

Server virtualization has only been a part of the Windows Server operating system since the release of Windows Server 2008 and the introduction of the Hyper-V role. Server virtualization allows organizations to save money through server consolidation. Because of these efficiencies, server administrators need to be able to distinguish which server workloads might run effectively in virtual machines, and which server workloads must remain deployed in a more traditional server environment.

This module introduces you to the Hyper-V® role, the components of the role, how best to deploy the role, and the new features of the Hyper-V role that are introduced with Windows Server 2012.

Objectives


• Understand and describe Microsoft's virtualization technologies.

• Implement Hyper-V.

• Manage virtual machine storage.

• Manage virtual networks.

13-2 Implemen

Lesson Overvi

YouprimAlthothe

LesAfte

•

•

•

•

•

Ser

Witvirtuthe Thecom

VirtcomusinWinhavclosmacmacYousimu

Vir

By iappcomsepamor10 tvirtuof 4

Thislocathat

nting Server Virtualiz

1 iew of Vu can deploy mmarily deployehough this moer types of virt


Describe serv

Describe Win

Explain when

Determine th

Explain the bedeployment

rver Virtua

h server virtuaual machines, resources of ase virtual mac

mputer running

ual machine gmputers. Whenng Remote Desndows PowerShe to examine t

sely to determchine or a tradchine. Virtual mu can run multultaneously, p

tual Machin

mplementing plication does nmputer. When arate virtual mre effectively. Fto 15 percent oual machines, 40 to 60 percen

s is a simplifiedating virtual mt are hosted on

zation with Hyper-V

Virtualizmany different

d. The type ofdule is primartualization and


ver virtualizatio

dows® AzureTM

you would us

e components

enefits of Micr

alization w

alization, you cand run them

a single server hines are knowg Hyper-V is k

guests functionn users are loggsktop Connecthell® remote the properties ine whether it

ditionally deplomachine guestiple virtual marovided the ho

nes and Har

virtual machinnot consume mdeployed as v

machines on toFor example, ifof a host serveand then placent of the host

d example. In rachines; you hn the host hyp

zation Ttypes of virtua

f virtualization ily concerned d the situation

ou will be able

on using Hype

M.

se desktop virt

s required to i

rosoft Applicat

with Hyper

can create sepaconcurrently uoperating systwn as guests. Tnown as the h

n as normal ged on remotetion (RDC) or asession, you wof a computeis a virtual

oyed physical ts that are hostachines that arost server has e

rdware Usag

nes, you use hamore than a frirtual machine

o the same hosf you have fouer's hardware re them on theserver's hardw

real world envhave to ensurepervisor do not

Technolalization on nethat you choowith server virs in which it is

to:

r-V.

tualization.

mplement pre

tion Virtualizat

r-V

arate using tem. The ost.

ely a

would er

ted on the same using differeenough resou

ge

ardware more raction of the res, you can orgst server so thaur separate serresources, you e same hardwaware.

ironments, youe that the hardt exceed the h

ogies etworks whereose depends ortualization, in s appropriate t

esentation virtu

tion (App-V) o

me hypervisor ent operating srces.

efficiently. In resources that ganize multipleat the resourcervices and app can install the

are where on a

u must make aware resource

hypervisor’s ha

e Windows opeon what you ne this lesson yoto deploy them

ualization.

over traditiona

are independesystems on a h

most cases, a are available e services and es of that host plications that eese services anaverage, they w

adequate prepe needs of all trdware resour

erating systemeed to accomp

ou will learn abm.

al application

ent of one anohost server

service or on the host applications fserver are use

each consumend applicationswill consume a

parations befohe virtual mac

rces.

ms are plish. bout

other.

from ed e from s in a total

re co-chines

S

KetasaThon

S

Wrum20hoin

sethhomth

S

Yo

•

•

W

Wyomdasopaparapwyo

Cgsp

ervice and A

eeping one paask becomes eame server. Fohese applicatione server. Run

erver Conso

With server virtun on separate

machines on th010, SQL Serveosted within v

n place of the t

Best Pracerver on the sahat you not deosts the doma

machines and this is a support

implifying S

ou can also us

There are vMicrosoft Srather conf

You can alsservers andadministratSystem Cen

What Is Wi

Windows Azureou can purcha

machines or foratabases on SQolution, you paaying a fixed raying a monthack at a hostinrovider charge

when the serverou pay more a

loud-based carow or shrink qpecific server c

Application

articular serviceven more comr example, youons conflict whning these ap

olidation

ualization, youe hardware. Bee same host, iter 2012, and Airtual machinethree servers t

ctice: Microsofame computereploy a SQL Sein controller rohen run those ted configurat

Server Depl

e virtualization

virtual machineSystem Center figuring virtual

so create virtuad applications ation team. Younter 2012 - Ser

ndows Az

e is cloud-basese capacity, eir applications, QL Azure. As aay for capacityrate. For examphly flat rate to g provider, thees you based or is experiencinas use increase

apacity is elastiquickly as requchassis. Then, if

n Isolation in

e or applicatiomplicated if youu might need then run on theplications with

u can consolidaecause each virt is possible to

Active Directoryes. This means hat they would

ft recommendr that holds a drver 2012 dataole. Instead, dvirtual machin

tion.

oyment

n to simplify th

e templates fo2012 - Virtuall machines fro

al machine selautomatically wu create these vrvice Manager

ure?

ed platform whther for virtuasuch as SQL S

a cloud-based y you use, rathple, rather tharent a server oe cloud hostinon use. You pang minimal us

es.

ic, meaning it uired. For examf you need to

n Virtual Ma

on functioning u need to depto deploy appe same compuhin virtual mac

ate onto a singrtual machine o deploy servicy® domain cothat an organd have needed

s that you notdomain controabase engine ieploy each of nes as guests o

he process of s

r common ser Machine Manm the very be

f-service portawithout requirvirtual machin

r.

here l erver hosting er than n

on a g y less e and.

can mple, in a tradincrease capac

20410A: Installin

achines

in a reliable mploy multiple seplication A anduter, but you cachines can solv

gle host, serveon a host is iso

ces and applicaontrollers—on nization only nd in the past.

t deploy a Micoller role. Microinstance on ththese workloa

on the same se

server deploym

rver configuratnager (VMM). ginning.

als that enablering the directne self-service

itionally hostecity rapidly, yo


manner can beervices and ap

d application Ban only affordve this problem

ers that would olated from thations—such athe same phyeeds to deploy

crosoft Exchangosoft also recoe same compu

ads on separaterver virtualiza

ment:

tions included You can confi

e end users to t intervention oportals with V

ed solution, yoou would have

Windows Server® 20

e challenging. Tpplications on tB at a branch o

enough hardwm.

otherwise neehe other virtuaas Exchange Seysical computey one physical

ge mailbox ommends uter that te virtual ation host;

with productsgure these tem

provision appof the systems

VMM and Micr

ou might choose to switch to a

012 13-3

This the

office. ware for

ed to al erver er, but l server

s such as mplates

roved s osoft

se a another

13-4 Implemen

clastimemiga clahostall w

ThisRathdemof-ccondisc

Ho

Cloudepdeprent

For are ecothis

De

Clie

YouthatEnterun CliePro procServplattrangiga

Clie

TheWinHypthe Wincom

ClieIn euser


s of server hare and planning

grating to a lowass of hardwarting provider, without the co

s can be very uher than purch

monstrate a proconcept solutiocerns. This is c

carded if the p

sting Webs

ud-based platfploy the underploy both Windt the cloud-ba

a successful clmore economnomical to hodetermination

esktop Virt

ent Hyper-V

u can install thet are running Werprise operativirtual machinnt Hyper-V, thand Windowscessor requirever 2012: the ctform that supnslation (SLAT)abytes (GB) of

ent Hyper-V

Client Hyper-ndows Server 2per-V also doehost operating

ndows 7, whichmputers runnin

ent Hyper-V enterprise envirs to run previ

zation with Hyper-V

rdware, which g. Similarly if ywer class of hare that you docapacity is scamplexity of m

useful when yohase test hardwoject's feasibilon is validatedcheaper than aroject does no

ites or Prod

forms like Winlying server indows Server 20sed database

loud strategy, mical to host wi

st on premisesn, and a strate

tualization

V

e Hyper-V roleWindows 8 Proing systems. Thne guests on che Hyper-V feas 8 Enterprise, ments as Hypecomputer musports second-, and have a mrandom acces

on Window

-V role on Win2012, but doess not support g system’s Stah used Virtual ng specific edit

in enterpriseronments, Clieous versions o

would requireyour need for crdware is wort not need righ

aled automaticigration.

ou have to proware and haveity, you can qu

d, you can chooacquiring hardot go ahead or

duction App

ndows Azure afrastructure. F012 and SQL Sserver, and the

you must be aith a host provs. Many factorgy that is best

n

e on computero and Windowhis allows you lient computeature in Windohas the same er-V on Windot have an x64 level address

minimum of 4 ss memory (RA

s 8

ndows 8 suppos not support epublishing aprt menu. This wPC (Virtual PCtions of the W

e environmeent Hyper-V is of the Window

e you to migracapacity decreth the cost, or ht now—and mcally and your

ovide proof-of-e to deploy a puickly deploy aose to discard ware for a pror turns out to b

plications

lso allow you tor example, if

Server 2012, anen host the da

able to determvider, and whics that are uniqt for one organ

rs ws 8

to ers. ows 8

ows

AM).

orts many of thenterprise featplications thatwas a feature t is the client vindows 7 oper

ents often used fo

ws operating sy

te from the fireases, you wou

if your organimay or may noorganization i

-concept solutproof-of-concea cloud based it, or keep it d

oof-of-conceptbe infeasible.

to deploy appyou need a da

nd then deployatabase there.

mine correctly wch services andque to an organization may n

he features thatures such as vt are installed othat was prese

virtualization ferating system)

r developmenystem so that t

rst physical hould need to deization shouldot need in the is charged for

tions when proept solution tovirtual machin

depending on t solution whic

plications withoatabase, insteay the specific d

which servicesd applications anization are innot be approp

at are availablevirtual machineon the virtual ent in Windoweature availabl.

nt purposes, orthey can acces

st. All of this tacide whether continue to pfuture. By usinonly what you

oposing projeco that hardwarne . Once the poperational

ch may be

out having to ad of having todatabase, you

s and applicatioare more

nvolved in mariate for anoth

e with Hyper-Ve migration. Cmachine gues

ws XP Mode onle to some

r to allow specss applications

akes

pay for ng a u use,

cts. re to proof-

o can

ons

king her.

V on lient st to n

ific that

aracEn

M

Mcecopuas

htv.

V

Vhoasa fe

V

•

•

•

VInvi

P

Prvi

•

•

re incompatiblccess to a prevnterprise Desk

MED-V

MED-V is a cententrally deployompatible withublished in sucs part of the M

Additionattp://www.micaspx.

Virtual Deskt

irtual Desktoposted centrallys RDC. Using tRemote Deskt

eature in addit

DI can simplify

For all the cbacked up

The client v

In the evenother RDC

DI is also one n this scenario,rtual machine

Presentatio

resentation virrtualization in

In desktop their own vclient operavirtualizatiosessions onusers Alex asame remosessions usi

With desktorun within vvirtualizatio

le with Windowvious version oktop Virtualizat

trally managedy and manage h previous versch a way so th

Microsoft Deskt

al Reading: Focrosoft.com/en

top Infrastr

Infrastructurey as virtual mahe Add Roles atop Services inion to the Hyp

y the managem

client computeregularly.

virtual machine

t that a client methods.

method of allo workers bring that has been

on Virtualiz

rtualization dif the following

virtualization, virtual machineating system. Ion, users log o a server or seand Brad mighte desktop sering RDC.

op virtualizatiovirtual machinon, the desktop

ws 8. When laof the Windowtion (MED-V).

d form of clienvirtual machin

sions of the Wat they are acctop Optimizat

or more informn-us/windows/

ructure

e (VDI) is a formchines. Clientsand Features W

nstallation. Youper-V role, whe

ment of client

ers that are ho

es can be host

computer bre

owing organizg their own con assigned to t

zation

ffers from desk ways:

each user is ae that is runninn presentationn and run sep

ervers. For examht be logged orver, running d

on, the applicaes.With presenp and the app

rge numbers ows operating sy

nt-hosted virtunes running on

Windows client cessible througion Pack.

mation about M/enterprise/pro

m of desktop vs connect to thWizard, you cau can also instaen configuring

operating syst

osted on a sing

ted on a highly

aks, users are

zations to implmputer to thehem.

ktop

ssigned ng a n arate mple, onto the different

ations ntation lications run o

20410A: Installin

of people withystem, you sho

ualization. MEDn clients. MEDoperating systgh the Window

MED-V see: oducts-and-te

virtualization whese virtual maan configure a all the Remoteg a host server

tems in the fo

gle server, it is

y available Hyp

still able to ac

lement “Bring e office and use

on the host ser


hin an organizaould consider d

D-V allows admD-V allows apptem, such as Wws 8 Start men

chnologies/m

where client oachines using server to supp

e Desktop Virtur to function a

llowing ways:

easier to ensu

per-V host.

ccess their virtu

Your Own Deve RDC softwar

rver.

Windows Server® 20

ation need regdeploying Mic

ministrators tolications that a

Windows XP, tonu. MED-V is a

dop/med-

perating systeclient softwareport VDI by chualization Hoss a VDI server.

ure that they a

ual machine us

vice” (BYOD) pre to connect t

012 13-5

gular rosoft

o are o be available

ms are e such hoosing st role .

re

sing

policies. to the

13-6 Implemen

On Des

•

•

•

RemRemusinfeatServthe to sservGat

Ap

AppusesClieappclienas pPacor fe

Ap

Appsystenvyouablethe can proMic

Ap

Anopartappnetw


networks that ktop Services

Full Desktopand to run ap

RemoteApp applications tRemoteApp adeployment m

Remote Desklaunch Remo

mote Desktmote Desktop Gng virtual privature. Remote Dver 2012. RemRDC client witee if it is on th

ver. If it is not, eway.

pplication V

plication Virtuas special clientnt, that is insta

plications to eitnt computers.

part of the Mick, and is not aeature.

plication iso

p-V isolates theem and runs itironment. This cannot install

e to run as AppWindows 8 opalso run appli

blematic whenrosoft Office W

plication st

other useful feats of the applic

plication deplowork to the cli

zation with Hyper-V

use Windows server role. Cli

p. Clients can upplications on

applications.that run on theapplications camethods. This

ktop Web ActeApp applica

op GatewayGateway allowate network (VDesktop Gatewote Desktop Gth the addresshe organizationit routes the c

Virtualizat

alization, also kt software, knoalled on the clther run on or App-V, like M

crosoft Desktopnative Windo

olation

e application ft in a special ss means that al and run direcp-V applicatioperating systemications that mn run togetherWord simultan

reaming

ature of App-Vcation that areyment becausent computer

Server 2012, pients can acces

use a remote dthe Windows

Rather than ue host Windowan be deployedallows you to

cess. Clients ctions and Rem

y ws external clieVPN), or the Wway is a role seGateway server of Remote Denal network. If

connection to t

tion

known as Appown as the Appient to allow be streamed t

Med-V, is availap Optimization

ows Server 201

from the operaeparate virtuapplications tha

ctly on a host ons. For exampm can be run o

might be compr. For example,neously.

V is applicatione being used ase only part—n.

presentation vss presentation

desktop client sServer 2012 h

use a full desktws Server 2012d as Windowsassociate file t

an access a wemote Desktop s

ents to access Rindows 7 and

ervice that you rs are deployedesktop Gatewaf it is, it makes the Remote De

p-V, p-V

to able n 2 role

ating l at operating systele, applicationon Windows 8

patible with the, you can use A

n streaming. Wre transmitted

not all—of the

virtualization isn virtualization

such as RDC toost server.

top client like 2 server to be d

Installer (.msi)types with Rem

eb site on a spsessions from t

Remote DesktoWindows 8 op can install ond on perimeteay servers. Wha direct conne

esktop server

em, because ons written for W8 if deployed the host operatiApp-V to depl

When an applicd to the client e application m

s provided by tn in the follow

o access a full

RDC, RemoteAdisplayed on t) files using tramoteApp appl

pecially configutheir browser.

op and Remotperating system a computer r

er networks. Yoen you do thisection to the Rthrough the R

of compatibilitWindows XP thhrough App-Vng system, butloy and run dif

cation is streamcomputer. Thi

must be transm

the Remote wing ways:

desktop sessio

App allows the client comaditional softwications.

ured server an

teApp withoutms DirectAcceunning Windoou can configus, the client chRemote Deskto

Remote Deskto

ty problems, arhat cannot runV. With App-V,t may be fferent version

med only thoss speeds up

mitted across th

on

puter. ware

d

t ss

ows ure ecks op

op

re n on , you

ns of

se

he


Application portability

When deployed with Microsoft System Center 2012 Configuration Manager, App-V allows applications to follow users across multiple computers, without requiring a traditional installation on those client computers. For example, a user can log on to a colleague's computer and have App-V stream that application to them so that they can use it on that computer. The application is not installed locally, and when the user logs off, the application is no longer available to other users of the computer.

13-8 Implemen

Lesson 2Implem

Undservvirtucan

ThisWinintePow

Les

Afte

•

•

•

•

•

•

•

Ab

HypavaivirtuaccesoftServusin

YouServServthatsomthis and

YouFeatServinclloca


2 mentingderstanding hover virtualizatioualization stratand cannot d

s lesson discusndows Server 2egration servicewerShell cmdle

sson Objecti

er completing

Install the Hy

Describe the

Describe virtu

Configure dy

Configure virt

Configure virt

Perform Hype

bout Hyper

per-V is the hailable in Windoualization provess to the hosttware virtualizaver 2005 R2, thng the operatin

u use the Hypever 2012 to funver 2012 can tt are running s

me documentacase the Wind virtual machi

u can deploy Htures Wizard. Yver 2012 Serveudes only the ally through W

zation with Hyper-V

g Hyperow Hyper-V woon in a Windowtegy using Wino.

ses Hyper-V, t2012, the diffees. It also discu

ets.

ives

this lesson, yo

per-V server ro

appropriate ha

ual machine co

namic memor

tual machine i

tual machine s

er-V resource

r-V

rdware virtualows Server 201vides virtual mt's hardware. Tation productshat provide acng system.

er-V role to connction as a hyphen host virtuasupported opetion, the virtuadows Server 20nes running o

Hyper-V to a coYou can instaler Core. There components n

Windows Power

r-V orks and how ws Server 2012ndows Server 2

he hardware rrent componeusses how to m

ou will be able

ole.

ardware for Hy

omponents.

y.

integration ser

start and stop

metering tasks

ization role 12. Hardware

machines with dThis is in contras, such as Virtucess indirectly

nfigure Windopervisor. Windal machine gu

erating systemal machine ho012 computer n the Hyper-V

omputer runnil the Hyper-V is also a Serve

necessary to horShell, or remo

virtual machin2 network env2012 as a virtu

requirements fents of a virtuameasure virtua

to:

yper-V deploy

rvices.

actions.

s.

direct ast to

ual

ows dows ests s. In st (in that is runnin

V host are refer

ing Windows Srole on both W

er Hyper Core eost virtual macotely through t

nes function is vironment. Whual machine ho

for deploying al machine andal machine reso

yment.

g Hyper-V) is rred to as child

Server 2012 byWindows Serveedition of Winchines. Virtual the Hyper-V m

critical to effehen you plan aost, you need

Hyper-V on a d the benefits oource use with

referred to as d partitions.

y using the Ader 2012 Full G

ndows Server 2machine adm

manager conso

ectively deploy server to know what

computer runof virtual mach

h Windows

the parent pa

dd Roles and UI and Windo2012, which

ministration is dole.

ying

you

nning hine

rtition

ws

done

H

Wseyo

•

•

•

•

•

V

VhaSethhacam

Vha

•

Hardware R

When deciding erver on whichou need to ens

The server supports SL

The CPU cameet the remachines.

A virtual mWindows Sof 1 TB of Rprocessors.

The server machines thoperating s

The storagemachines. Wmachines odisks (RAID

The host sethe guest vNetwork In

Virtual Mac

irtual machineardware. The herver 2012 withe virtual hardardware. For ean be mapped

mapped to an a

irtual machineardware by de

BIOS. Simuon a standavarious fact

o The bo

o From wlegacy

o Num L

Requireme

on the hardwh you will instasure the follow

must have an LAT and Data E

apacity of the hequirements o

achine hostederver 2012 can

RAM and up to

must have enohat must run csystem. The se

e subsystem peWhether deploon separate phD), solid-state d

erver's networkvirtual machineterface Card (

chine Hard

es use virtual (ohost operatingh the Hyper-Vware to media

example, a virtud to a virtual neactual network

es have the folefault:

ulates the comalone computetors on the virt

oot order for th

which device itnetwork adap

ock

ents for Hy

ware to use withll the Hyper-V

wing:

x64 platform tExecution Prev

host server muf the guest vir

on Hyper-V inn support a mao 32 virtual

ough memory concurrently, prver must have

erformance moyed locally orhysical disks, todrives (SSD), hy

k adapters mues. This may reNIC) teams for

dware

or, simulated) g system, WindV role installedate access to aual network adetwork that is k interface.

lowing simulat

puter's BIOS. Jer you can contual machine s

he virtual mac

t will boot (for pter, or floppy

yper-V

h a V role,

that vention.

ust tual

n aximum

to support thplus enough me at least 4 GB

ust meet the ir on SANs, it mo deploy a highybrid-SSD, or a

st be able to sequire installingr virtual machi

dows , uses ctual dapter in turn

ted

ust as nfigure such as:

hine's virtual h

example, fromdisk)

20410A: Installin

e memory reqmemory to run B of RAM.

input/output (may be necessah performancea combination

support the neg multiple netines that have

hardware

m a DVD drive


quirements of a the host Wind

(I/O) needs of ary to place dife redundant an of all three.

etwork throughtwork adaptershigh network

, Integrated D

Windows Server® 20

all of the virtudows Server 20

the guest virtufferent virtual rray of indepe

hput requirems and using m

k use requirem

Drive Electronic

012 13-9

al 012

ual

endent

ments of ultiple ents.

cs (IDE),

13-10 Implementing Server Virtualization with Hyper-V

• Memory. Allows you to allocate memory resources to the virtual machine. An individual virtual machine can be allocated up to 1 TB of memory. You will learn about configuring memory later in this lesson.

• Processor. Allows you to allocate processor resources to the virtual machine. You can allocate up to 32 virtual processors to a single virtual machine.

• IDE Controller 0. A virtual machine can only support two IDE controllers and, by default, two are allocated to each virtual machine. Each IDE controller can support two devices. You can connect virtual hard disks or virtual DVD drives to an IDE controller. If booting from a hard disk drive or DVD-ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual hard disks and DVD-ROMs to virtual machines that use any operating systems that do not support integration services.

• IDE Controller 1. Allows additional virtual hard drives and DVD-ROMs to be deployed to the virtual machine.

• SCSI Controller. A small computer system interface (SCSI) controller can only be used on virtual machines that you deploy with any operating systems that support integration services.

• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You can only use synthetic network adapters with supported virtual machine guest operating systems.

• COM 1. Allows you to configure a connection through a named pipe.

• COM 2. Allows you to configure an additional connection through a named pipe.

• Diskette Drive. Allows you to map a VHD floppy disk image to a virtual diskette drive.

You can add the following hardware to a virtual machine by editing the virtual machine's properties and clicking on Add Hardware:

• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.

• Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters. You will learn more about synthetic network adapters in Lesson 4.

• Legacy Network Adapter. Legacy network adapters allow you to use network adapters with any operating systems that do not support integration services. You can also use legacy network adapters to allow network deployment of operating system images. A single virtual machine can have up to four legacy network adapters. You will learn more about legacy network adapters in Lesson 4.

• Fibre Channel adapter. Allows a virtual machine to connect directly to a Fibre Channel storage area network (SAN). A Fibre Channel adapter requires that the Hyper-V host have a Fibre Channel host bus adapter (HBA) that also has a Windows Server 2012 driver that supports Virtual Fibre Channel.

• RemoteFX 3D video adapter. The RemoteFX 3D video adapter allows virtual machines to display high performance graphics by leveraging DirectX and graphics processing power on the host Windows Server 2012 serve.

Additional Reading: For more information about Virtual Fibre Channel adapters see: http://technet.microsoft.com/en-us/library/hh831413.aspx.

C

InSeofspofwm

DmanadwSeDnealrem

WmSP

S

ApVthocnetomUth

Se

ht

Configuring

n the first releaerver 2008, yof memory to vpecial precautif memory that

were likely to eimemory.

ynamic Memominimum amound then to allodditional mem

was introduced ervice Pack 1 (ynamic Memoeeds. You can so choose a m

equests more mmemory.

With Windows memory values P1. You can pe

mart Paging

nother new mrovides a solutirtual machine

he past, it was ccurred—this eeded during o a virtual mac

machine needs nfortunately, S

he host server

Note: Abet-VMMemor


g Dynamic

ase of Hyper-Vu could only a

virtual machineons to measurt a virtual macither under all

ory allows you unt of memoryow the virtual m

mory as neededwith Window

(SP1). Rather thory allows you choose a mini

maximum valuememory. Virtu

Server 2012, awhile the virtu

erform this tas

g

emory featuretion to the proes can require necessary to ameant that thenormal operat

chine when it iwhen it is ope

Smart Paging and other virt

out configuratry Windows Po


c Memory

V with Windowassign a static aes. Unless you re the precise hine required,ocate or over

to allocate a y to a virtual mmachine to reqd. Dynamic Mes Server 2008 han attemptinto configure Himum value, we, which the vial machines m

n administratoual machine isk from a Virtu

e that is availaboblem of minimmore memory

allocate the mie amount of mtion. Smart Pas starting up. T

erating normalresults in loweual machines.

tion: You can cowerShell cmd


y

ws amount took amount you allocate

machine, quest emory R2 g to guess howHyper-V so tha

which will alwartual machine

must support H

or can modify running. This al Machine's s

ble in Windowmum memory y during startuinimum memo

memory allocatging uses diskThis allows yoully, rather thaner performance

configure virtudlet.

mation about Hy/hh831766.asp

20410A: Installing

w much memoat the virtual mys be allocated

e will not exceeHyper-V integr

dynamic memwas not possi

settings dialog

ws Server 2012 allocation rela

up than they reory required foted could be m

k paging to assu to allocate mn the amount te because it us

ual machine m

yper-V Dynampx.

g and Configuring W

ory a virtual mmachine is allod to the virtuaed even if the vration services

mory minimumible with Wind box.

is Smart Paginated to virtual equire during or startup, to emore than thesign additionamemory basedthat it needs dses disk resour

memory using t

mic Memory se


machine requireocated as muchal machine. Yovirtual machinto use dynam

m and maximumdows Server 20

ng. Smart Pagmachine start

normal operatensure that sta virtual machinl temporary m on what the v

during startup.rces that are u

the

ee:

12 13-11

es, h as it u can

ne ic

m 008 R2

ing tup. tion. In rtup ne

memory virtual sed by

13-12 Implem

Co

OncservInteof bto b

Supservsuchadague

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Win

enting Server Virtual

onfiguring

ce you have inver you can useegration Servicboth the host abe integrated in

pported operatvices componeh as SCSI adappters. Hyper-V

est operating s

Windows Serv

Windows Serv

Windows Serv

Windows Serv

Windows Hom

Windows Mu

Windows Sma

Windows Serv

CentOS 6.0-6

CentOS 5.5-5

Red Hat Ente

Red Hat Ente

SUSE Linux En

SUSE Linux En

Windows 7 w

Windows Vist

Windows XP

Note: Suppndows Server 2

ization with Hyper-V

Virtual Ma

stalled guests e install Virtua

ces to improve and the guestsnto the host se

ting systems caents, and adappters and synthV supported viystems include

ver 2012

ver 2008 R2 w

ver 2008 with

ver 2003 R2 w

me Server 201

ltiPoint Server

all Business Se

ver 2003 with

6.2

5.7

rprise Linux 6.

rprise Linux 5.

nterprise Serve

nterprise Serve

with SP1

ta® with SP2

with Service P

ort for the Wi2003 and Wind

V

achine Int

onto the hostal Machine

the performas—the guest iserver.

an use integrater functionali

hetic network rtual machinee:

with SP1

Service Pack 2

with SP2

11

r 2011

erver 2011

SP2

0-6.2

5-5.7

er 11 with SP1

er 10 with Serv

ack 3 (SP3)

ndows XP opedows Server 20

egration S

nce s said

tion ity

2 (SP2)

or SP2

vice Pack 4 (SP

erating system 003 R2 expires

Services

P4)

ends in April s in July 2015.

2014. Support

t for

YoVSeau

•

•

•

•

•

C

Vcowhomcrwtha

Yoeaprig

Yo

•

•

•

Yo

•

•

•

ou can install tirtual Machineervices Setuputomatically. Y

Operating virtual mac

Time synchof time syn

Data excha

Heartbeat.

Backup (vosnapshots ovirtual mac

Configuring

irtual Machineonfigure what

with specific virost is started o

machine start aritical virtual m

whenever a Hyphey are shut doshutdown com

ou configure sach individual roperties of thght clicking on

ou can configu

Nothing. Tvirtual mac

Automaticwas runningvirtual mac

Always staV host startattempt sta

ou can configu

Save the vdisk. Allows

Turn off th

Shut downThis option

the Hyper-V ine Connection w Disk item. Yo

You can also en

system shutdhine.

hronization. Achronization.

ange. Allows t

. Allows Hyper

olume snapshof the virtual mhines' normal

g Virtual M

e start and stopsteps the Hyptual machines

or shut down. Ynd stop action

machines alwayper-V host is reown gracefullymmand.

startup and shvirtual machin

he virtual machn the virtual m

ure the followi

The virtual machine was in a r

cally start if itg when the Hyhine was runn

art this virtualts. You can conartup at the sa

ure the followi

irtual machins the virtual m

he virtual mac

n the guest opn is only availab

ntegration servwindow, and thou can then insnable the follo

down. Allows t

Allows the virtu

the Hyper-V ho

r-V to determi

hot). Allows thmachine for thoperations.

Machine St

p actions allowper-V host perf

when the HypYou can use vins to ensure thys start automaestarted, and ty if the server r

utdown settingne by editing thine. You do th

machine and cli

ing options in

chine is not starunning state w

t was runningyper-V host re

ning when the

l machine autnfigure a startume time.

ing options in

ne state. Savesachine to be r

chine. The virt

perating systeble if integratio

vices componehen in the Actstall the relevaowing virtual m

the Hyper-V s

ual machine to

ost to write da

ne if the virtua

he Volume Shae purposes of

tart and St

w you to forms per-V irtual

hat atically that receives

gs for the his by icking Settings

the Automatic

arted automatwhen the Hyp

g when the serceived the comserver suffered

tomatically. Tup delay to en

the Automatic

s the active staresumed when

tual machine is

em. The virtuaon services co

20410A: Installing

ents on an opetion menu, clicant operating smachine integr

erver to initiat

o use the host

ata to the regis

al machine has

adow Copy Serbackup opera

top Action

s.

c Start Actions

tically when thper-V host was

rvice stoppedmmand to shud a failure that

The virtual macnsure that mul

c Stop Actions

ate of the virtun the Hyper-V

s powered off

al machine is shmponents are

g and Configuring W

erating systemcking the Insersystem driversration compon

te a graceful sh

server's proce

stry of the virt

s become unre

rvice (VSS) proation, without

ns

s window:

e Hyper-V hos shut down.

d. The virtual mut down, or in t caused it to b

chine always sttiple virtual m

s window:

ual machine, inhost restarts.

with the poss

hut down in a e installed on t


m by accessing rt Integration either manuanents:

hutdown of th

essor for the p

ual machine

esponsive.

ovider to createinterrupting th

st starts, even

machine will stthe event thatbe powered of

tarts when theachines do no

ncluding memo

ibility of data

graceful manhe virtual mac

12 13-13

the n ally or

he guest

urposes

e he

if the

tart if it t the ff.

e Hyper-ot

ory to

loss.

ner. chine.

13-14 Implem

by upara

Hy

ResoresoWinrole

Witfollomac

•

•

•

•

•

By mdepvirtupatt

YouPowcmd

•

•

•

•

http


Note: You cusing the Set-Vameters.

yper-V Res

ource meterinource utilizationdows Server 2e installed.

h resource meowing paramechines:

Average GPU

Average phys

o Minimum

o Maximum

Maximum dis

Incoming net

Outgoing net

measuring howpartments or cuual machine. Aterns of use an

u perform resowerShell modudlets to perfor

Enable-VMR

Disable-VMR

Reset-VMRe

Measure-VM



can also configVM cmdlet wi

source Met

g allows you ton of virtual m2012 compute

etering, you caeters on individ

use

sical memory u

m memory use

m memory use

sk space alloca

twork traffic fo

twork traffic fo

w much of theustomers base

An organizationd plan future

urce meteringle. There is nom resource me

ResourceMete

ResourceMete

esourceMeteri

M. Displays reso


V

gure virtual math the Autom

tering

o track the achines hostedrs with the Hy

n measure thedual Hyper-V v

use, including:

e

e

ation

or a network ad

or a network a

se resources eed on their hosn with only intexpansions.

g tasks using Wo GUI tool that etering tasks:

ering. Starts co

ering. Disable

ing. Resets virt

ource meterin

more informatn-us/library/hh

achine automamaticStartActio

d on per-V

e virtual

dapter

dapter

each virtual masted virtual maternal custome

Windows Poweallow you to p

ollecting data o

s resource met

tual machine r

g statistics for

tion about resoh831661.aspx.

atic start and aon and Autom

achine uses, anachines use, raers can also us

erShell cmdletsperform this ta

on a per virtua

tering on a pe

resource mete

a specific virtu

ource metering

automatic stopmaticStopAct

n organizationather than charse these measu

s in the Hyper-ask. You can u

al machine bas

er virtual mach

ering counters.

ual machine.

g for Hyper-V

p actions ion

can bill rging a flat feeurements to se

-V Windows use the followin

sis.

hine basis.

.

see:

e per ee

ng

LessonMana

Hfounthse

Inth

LeA

•

•

•

•

•

W

A recoanusmSeSeopsutoWdeedis a

•

•

•

•

su

n 3 aging V

yper-V providor a given situanderstand the hat consume uerver.

n this lesson, yohe benefits and


Explain the

Create a vir

Manage vir

Deploy diff

Use virtual

What Is a V

virtual hard depresents a traonfigure a virtn operating sysed with virtua

mount virtual herver 2008, Wierver 2012, anperating systeupports boot to configure the

Windows Serveeployed on a vditions of the Wdeployed on virtual hard d

The Hyper-

The Disk M

The diskpar

The New-V

Note: Somupport boot to

irtual Mes many differation, then youdifferent virtu

unnecessary sp

ou will learn ad limitations o

ctives ng this lesson y

purpose of vi

rtual hard disk

rtual hard disk

ferencing disks

machine snap

Virtual Har

isk is a specialditional hard dual hard disk w

ystem. Virtual hal machines, anard disks usingindows Server d Windows 8, ms. Windows to virtual hard e computer tor 2012 operativirtual hard disWindows 8 opa virtual hard isk using:

-V manger con

anagement co

rt command-li

VHD Windows

me editions ofo virtual hard d

Machinerent virtual mau can ensure tual machine stopace or that pla

bout differentf using virtual

you will be abl

rtual hard disk

k type.

s.

s to reduce sto

pshots.

rd Disk?

file format thdisk drive. Youwith partitionshard disks can nd you can alsg the Window2008 R2, Windand WindowsServer 2012 disk; this allow boot into a ing system thask, or into cert

perating systemdisk. You can

nsole.

onsole.

ine tool.

PowerShell cm

f Windows 7 andisk.

e Storagachine storagehat a virtual morage options,ace an unnece

virtual hard dmachine snap

e to:

k.

orage.

at u can and be

so ws

dows s 7

ws you

at is tain m that create

mdlet.

nd the Window

20410A: Installing

ge e options. If yomachine perfor

, you may endessary perform

disk types, diffepshots.

ws Server 2008

g and Configuring W

ou know whichrms well. Howed up deploying

mance burden o

erent virtual ha

8 R2 operating


h option is appever, if you dog virtual hard don the host Hy

ard disk forma

g system also

12 13-15

propriate o not disks yper-V

ats, and

13-16 Implem

VH

VirtvirtuHyp

•

•

•

•

Youupgis aldisk

SM

Winaltecreaspecsharserv

http

Cre

WhechoinclDiffless

Cre

Whehardprocfragperfdevyousitudisk


DX vs. VHD

ual hard disks ual hard disks. per-V on Wind

VHDX virtual

The VHDX virhost server su

VHDX virtual

VHDX virtual better perform

u can convert agraded a Windso possible to

ks later in this l

MB Share Sup

ndows Server 2rnative to stor

ating a virtual cify this when re must suppovers with Wind


eating Virt

en you configuose between suding fixed, dyerencing diskson.

eating Fixed

en you create d disk space iscess. This has t

gmentation, whformance wheices. This has t to allocate allations. you wil

ks, you may en


D

use the .vhd eThe VHDX forows Server 20

hard disks can

rtual hard diskuffers an unexp

hard disk form

hard disks allomance for the

an existing VHows Server 20convert from

lesson.

pport

2012 now suppring virtual harmachine in Hychoosing the

ort SMB 3. Thisdows Server 20


tual Disk T

ure a virtual haseveral differenynamic, and ps will be discus

d Virtual Ha

a fixed virtual allocated durthe advantagehich improves

en hosted on trthe disadvantal space used bll not know pr

nd up allocatin

V

extension. Winrmat has the fo

008 and Windo

n be as large a

k file structure pected power

mat supports b

ow larger blocse workloads.

D file to VHDX08 or WindowVHDX format

ports virtual hard disk files onyper-V on Winvirtual hard di

s limits you to 012. Older vers

more informatn-us/library/hh

Types

ard disk, you cnt disk types, ass through.

ssed later in in

rd Disks

hard disk, all oing the creatio

e of minimizingvirtual hard d

raditional storaage of requiriny the fixed virtecisely how mg space to sto

ndows Server 2ollowing bene

ows Server 200

as 64 TB. VHD v

means that thoutage.

better alignme

k size for dyna

X format usingws Server 2008

to VHD. You w

ard disks that an internet SCSI ndows Server 2isk location or placing virtualsions of Windo

tion about Virtuh831446.aspx.

can

this

of the on g isk age

ng tual hard disk uch disk space

orage that is no

2012 introduceefits over the V08 R2:

virtual hard di

e disk is less li

ent when deplo

amic and diffe

g the Edit Virtu R2 Hyper-V swill learn more

are stored on (iSCSI) or Fibr

2012, you can attaching an e

l hard disks onows Server do

ual Hard Disk

at the time the a virtual macot actually req

es the new VHVHD format th

isks were limit

kely to becom

oyed to a large

erencing disks,

ual Hard Disk werver to Winde about conve

SMB 3 file share Channel SANspecify a netwexisting virtua

n file shares thnot support S

formats see:

at the disk is cchine needs. Ifuired.

DX format forat was used in

ed to 2 TB.

me corrupt if th

e sector disk.

which provide

wizard, if you hows Server 20

erting virtual h

ares. This is an N devices. Wh

work share. Youl hard disk. That are hosted MB 3.

created.. In maf you use fixed

r n

he

es

have 12. It ard

hen u he file on file

any hard


To create a fixed virtual hard disk, perform the following steps:

1. Open the Hyper-V Manager console.

2. On the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. In the New Virtual Hard Disk Wizard, on the Choose Disk Format page, click either VHD or VHDX, and then click Next.

5. On the Choose Disk Type page, click Fixed size, and then click Next.

6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder in which to host the virtual hard disk file.

7. On the Configure Disk page, choose one of the following options:

o Create a new blank virtual hard disk of the specified size.

o Copy the contents of a specified physical disk. Allows you to replicate an existing physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the disk that you have replicated. Replicating an existing physical hard disk does not alter data on the existing disk.

o Copy the contents of a specified virtual hard disk. Allows you to create a new fixed hard disk based on the contents of an existing virtual hard disk.

Note: You can create a new fixed hard disk using the New-VHD Windows PowerShell cmdlet with the -Fixed parameter.

Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID volumes, or on SSDs. Improvements in Hyper-V (since it was first introduced with Windows Server 2008) also minimize the performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks

When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only uses the amount of space that needs to be allocated, and will grow as necessary. For example, if you create a new virtual machine and specify a dynamic disk, only a small amount of disk space will be allocated to the new disk. For a VHD format virtual hard disk, approximately 260 kilobytes (KB) are allocated. For a VHDX format virtual hard disk, approximately 4,096 KB are allocated.

As storage is allocated, the dynamic virtual hard disk will grow. If you delete files from a dynamically expanding virtual hard disk, the virtual hard disk file will not shrink. You can only shrink a dynamically expanding virtual hard disk file by performing a shrink operation. You will learn how to shrink virtual hard disks later in this lesson.

You perform similar steps when creating a dynamically expanding virtual hard disk to when you create a fixed virtual hard disk. The difference is that on the Choose Disk Type page, you choose the Dynamically Expanding type.

Note: You can create a new dynamic hard disk using the New-VHD Windows PowerShell cmdlet with the -Dynamic parameter.

Pass-Through Disks

Pass-through disks allow the virtual machine to access a physical disk drive, rather than to use a virtual hard disk. You can use pass-through disks to connect a virtual machine directly to an iSCSI logical unit

13-18 Implem

numtargOnc

You

1.

2.

3.

4.

diskcon

Ma

Frommaiexamdiskto aperfvirtu

•

•

•

•

Whecreafixeconthe

To c

1.

2.

3.


mber (LUN). Wget disk. To doce the disk is o

u can attach a

Ensure that th

Use the Hype

Click on an ID

In the Hard Dthat you wan

Note: You dk to a virtual mtroller, then yo

Question: Whard disks.

Question: In expanding di

anaging V

m time to timentenance opemple you migk to free up spaanother formatform the followual hard disks:

Convert the d

Convert the d

Convert a virtVHDX.

Convert a virt

en you converated virtual had virtual hard tents of the exexisting fixed

convert a virtu

In the Hyper-

In the Edit Vir

On the Localconvert.


When you use p this, you mus

offline, you can

pass-through

he target hard

er-V console to

DE or SCSI con

Drive dialog bot to use as the

do not have tomachine's SCSI ou must first s

hy might you

what types ofsks.

irtual Hard

e, you will neerations on virtht want to comace, or convert as your needwing maintena

disk from fixed

disk from dyna

tual hard disk

tual hard disk

rt a virtual hardrd disk that hadisk to a dynaxisting fixed vivirtual hard di

al hard disk, p

-V Manager co

rtual Hard Disk

Virtual Hard

V

pass-through dt use the disk

n connect it to

disk by perfor

disk is offline

o edit an existi

troller, click A

ox, select Physe pass-through

o shut a virtualcontroller. If yhut down the

consider using

f situations mig

d Disks

d to perform ual hard disks

mpact a virtuart a virtual hards change. Youance operation

d to dynamic.

amic to fixed.

in VHD forma

in VHDX form

d disk, the conas the settings amic virtual hartual hard diskisk is deleted, w

perform the fo

onsole, from th

k Wizard, on t

Disk page, cl

disks, the virtuamanagement one of the vir

ming the follo

.

ng virtual mac

dd, and then c

sical Hard Dish disk.

machine dowyou want to covirtual machin

g fixed virtual

ght you encou

. For l hard d disk can

ns on

t to

at to VHD.

ntents of the exthat you haverd disk, a new

k are copied towith the new d

llowing steps:

he Actions pan

he Before You

ick Browse. Se

al machine muconsole on th

rtual machine'

owing steps:

chine's proper

click Hard Dri

k. From the dr

wn if you conneonnect to a virtne.

hard disks inst

unter difficultie

xisting virtual e chosen. For e dynamic virtu

o the new dynadynamic virtua

ne, click Edit D

u Begin page,

elect the virtua

ust have exclushe host to takes disk controll

rties.

ive.

rop-down men

ect the pass-thtual machine's

tead of dynam

es if you use dy

hard disk are example, whenual hard disk isamic virtual haal hard disk ta

Disk.

, click Next.

al hard disk th

sive access to e the disk offliners.

nu, select the d

hrough s IDE

mic virtual

ynamically

copied to a nen converting frs created, the ard disk, and tking its place.

at you want to

the ne.

disk

ewly rom a

then

o

4.

5.

6.

7.

YoexofW

Yobe

Yody

Yoex

R

DthDofatwamthpedi

Yopadi

YoAdi

To

1.

2.

3.

4.

5.

6.

. On the Cho

. On the Conformat will appropriate

. On the Conyou also wa

. On the Con

ou can also shxample, a dynaf that space. Y

Wizard.

ou cannot shriefore you can

ou can use theynamically exp

ou can also usxpanding and

Reducing S

ifferencing dishat record the ifferencing disf hard disk spat the cost of di

work well with Smount of spache disk performerformance drisk.

ou can link muarent disk. Howisk, the links to

ou can reconnctions pane ofisk of a differe

o create a diffe

. Open the H

. In the Actio

. In the New

. On the Cho

. On the Cho

. On the Spe

oose Action p

nvert Virtual Halready be sel

e format, and t

nvert Virtual Hant to convert

nfigure Disk p

rink a dynamicamic virtual haou shrink a vir

ink fixed virtuacompact the d

e resize-partitpanding virtua

e the Edit Virtfixed virtual h

Storage Ne

sks are separatchanges made

sks allow you tace consumed isk performancSSD, and wherce available onmance compenrawbacks of us

ultiple differenwever, if you mo all of the diff

nect a differencf the Hyper-V encing disk.

erencing disk,

Hyper-V Mana

ons pane, click

Virtual Hard D

oose Disk For

oose Disk Typ

ecify Name an

page, select Co

Hard Disk paglected. If you wthen click Nex

Hard Disk pagthe hard disk

page, choose t

c virtual hard dard disk mightrtual hard disk

al hard disks. Ydisk.

tion and the ral hard disk.

ual Hard Disk ard disks.

eeds with

te virtual hard e to a parent dto reduce the aby virtual har

ce. Differencinre there is a limn the host volunsates for the sing a differenc

ncing disks to amodify the parferencing disks

cing disk to thManager cons

perform the fo

ger console.

k New, and the

Disk Wizard, o

mat page, clic

pe page, click D

nd Location p

onvert, and the

ge, choose betwant to converxt. You do not

ge, choose bettype, choose t

the destination

disk that is not be allocated 6 by selecting t

You must first c

esize-vhd Win

Wizard to exp

Differenci

disks disk. amount d disks

ng disks mited me and

cing

a single rent s will fail.

e parent usingsole. You can a

ollowing steps

en click Hard D

n the Before Y

ck VHD, and th

Differencing,

page, provide t

20410A: Installing

en click Next.

tween VHD anrt between the have to chang

tween Fixed Sithe appropriat

n location for t

t using all of t60 GB on the pthe Compact o

convert a fixed

ndows PowerS

pand a disk. Yo

ng Disks

g the Inspect Dalso use the In

s:

Disk.

You Begin pa

hen click Next

and then click

the location of

g and Configuring W

nd VHDX formese two formage format.

ize and Dynamte type, and th

the disk.

he space that parent volumeoption in the E

d virtual hard d

Shell cmdlets t

ou can expand

Disk tool, whicspect Disk too

age, click Next

t.

k Next.

f the parent ha


at. The currents, choose the

mically Expandhen click Next

it is allocated e, but only useEdit Virtual Ha

disk to dynam

to compact a

both dynamic

h is available iol to locate the

t.

ard disk.

12 13-19

t disk

ing. If t.

For e 20 GB ard Disk

mic

cally

n the e parent

13-20 Implem

Youexamc:\p

New

Us

Snaat aimathe storon tsnapmenor fcan

Youvirtusnapmem

Whedomensuvirtu

Remtimedomcom

Sna

Snahardlost

ExpYouHypsnapvirtu

Dif

Whethatyouvirtu

•


u can create a dmple, to create

parent.vhd, use

-VHD c:\diff

ing Snapsh

pshots represe particular poige of the set omoment the s

red in either .athe virtual hardpshot of a virtnu of the Virturom the Hypehave a maxim

u can take snapual machine ispshot of a runmory.

en taking snapmain controllerures that itemsual member se

member that we. If you take a

main controllermmand.

apshots vs.

pshots are notd disks. If the v.

porting Snau can perform per-V will creatpshot was takeual machine w

fferencing D

en you create t differentiates delete snapshual hard disk. F

If you delete this space is r


differencing vie a new differe

e the following

-disk.vhd -P

hots

ent the state oint in time. Theof data on the snapshot is takvhd or .avhdx d disk format. ual machine fr

ual Machine Cor-V console. Ea

mum of 50 snap

pshots at any tshut down. Wning virtual m

pshots of multr and virtual ms such as comperver.

when you revera computer bar, you will need

Backups

t a replacemenvolume hostin

pshots a virtual machte full virtual hen. If you choo

will also be exp

Disk Files

a snapshot, Hys the snapshothots, this data For example:

the most recereclaimed imm

V

irtual hard diskencing disk na

g Windows Pow

ParentPath C:

of a virtual macey are a static virtual machin

ken. Snapshotsformat depenYou can take

rom the Actiononnection winach virtual mapshots.

time, even wheWhen you take

achine, the sn

iple virtual mamember server,puter account

rt to a snapshoack to a point bd to rejoin tha

nt for backupsg these files fa

hine export of ahard disks that ose to export aorted.

yper-V writes from the previs either disca

nt snapshot, thmediately rathe

k using the Neamed c:\diff-diwerShell comm

\parent.vhd

chine

ne at s are nding a n dow, chine

en a a apshot include

achines that ar, you should tapasswords are

ot, you are revbefore it had pat computer to

. Snapshot datails, both the s

a snapshot. Wrepresent the

an entire virtua

differencing dvious snapshotrded, or merge

he data is discer than when t

ew-VHD Windisk.vhd that usmand:

es the content

re part of the sake these snape synchronized

verting to a comperformed a coo the domain o

ta is stored onnapshot and t

When you perfoe state of the val machine, all

disk (.avhd, or .t, or from the ed back into t

arded. With Hhe virtual mac

dows PowerShses the virtual

ts of the virtua

same group, fopshots simultad between the

mputer’s stateomputer passwor run the netd

n the same voluthe virtual hard

orm an export virtual machinel snapshots ass

.avhdx) files, wparent virtual he previous sn

Hyper-V in Winchine is shut d

ell cmdlet. Forhard disk

al machine’s

or example a vneously. This

e virtual DC an

e at that point word change wdom resetpw

ume as the vird disk files will

of the snapshe at the time tsociated with t

which store thehard disk. Wh

napshot or par

ndows Server 2own.

r

virtual

d the

in with a

wd

rtual l be

ot, he the

e data hen rent

2012,


• If you delete the second most recent snapshot, the data is merged so that the earlier and latter snapshot states of the virtual machine retain their integrity.

Managing Snapshots

When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time the snapshot was taken. Reverting to a snapshot does not delete existing snapshots. If you revert to a snapshot after making a configuration change, you will be prompted to take a snapshot. It is only necessary to create a new snapshot if you want to return to that current configuration.

It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday and then on Wednesday, and if on Thursday you apply the Tuesday snapshot and then made changes to the configuration of the virtual machine, you will have created a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50 snapshots per virtual machine limit.

13-22 Implem

Lesson 4Manag

HypV alsimitheysamensu

Les

Afte

•

•

•

•

Wh

A viswitin WtermswitbetwHypthe manmanpanon Wtype

•

•

•

Whethe Hyplogi


4 ging Virper-V provideslows you to coilar to traditiony are only able

me Hyper-V houres that you c

sson Objecti

er completing

Describe virtu

Configure net

Manage a vir

Configure virt

hat Is a Vir

rtual switch is tch. The term v

Windows Servem virtual switchtches control hween virtual mper-V server, arest of the org

nage virtual swnager which is

ne of the HypeWindows Servees of virtual sw

External. Useteam. Windowyou have instthe Hyper-V s

Internal. Usehost, and to c

Private. Use you cannot uitself.

en configuringnetwork. This

per-V host's necal networks. T


rtual Ne several differeonfigure virtuanally deployede to communicst in Windowscan leverage t

ives

this lesson you

ual switches.

twork virtualiz

tual machine M

tual network a

rtual Switc

a virtual versiovirtual networker 2008, has beh in Windows how network tmachines that and between viganizational newitches throug accessible thrr-V Manager cer 2012 suppo

witches:

e this type of sws Server 2012talled the Wireserver has a co

e internal virtuacommunicate

private switchese private swit

g a virtual netwallows you to

etwork switch. Traffic can onl

V

etworksent options foal machines thd physical hostcate with a lims Server 2012. hose options t

u will be able t

zation.

MAC address p

adapters.

ch?

on of a netwok, which was ueen replaced bServer 2012. Vraffic flows are hosted on rtual machineetwork. You h the virtual sw

rough the Acticonsole. Hyperorts three diffe

witch to map 2 supports maeless local areaompatible ada

al switches to cbetween the v

es only to comtches to comm

work, you can extend existinVLANs allow yly pass from o

s r network comat communicats. It also allow

mited number oKnowing the oto best meet y

to:

pool.

rk sed

by the Virtual

the s and

witch ons r-V rent

a network to apping an exte

a network (LANpter.

communicate virtual machine

mmunicate betmunicate betwe

also configureng VLANs on thyou to partitione VLAN to an

mmunication bate with an ext

ws you to confiof other virtuaoptions availabyour organizat

a specific netwernal network tN) Service on t

between the ves and the Hyp

tween virtual meen the virtua

e a virtual LANhe external ne

on network trafnother if it pas

between virtuaternal networkigure virtual ml machines thable for Hyper-Vion's needs.

work adapter oto a wireless nthe host Hyper

virtual machinper-V host itse

machines on thl machines and

N (VLAN) ID to etwork to VLANffic, and functsses through a

l machines. Hyk in a manner

machines so thaat are hosted oV virtual netw

or network adaetwork adapter-V server, and

nes on the Hypelf.

he Hyper-V hod the Hyper-V

be associatedNs within the ion as separaterouter.

yper-

at on the orks

apter er if d if

per-V

ost; V host

with

e

Yo

•

•

ht

H

HisHFoSetoNbamneNwan

Win

•

•

Nexdi

ht

ou can configu

Microsoft captured.

Microsoft switch to b


Hyper-V Ne

yper-V Netwoolate virtual myper-V host, bor example, if ervice (IaaS) too isolate their vetwork Virtuaasic traffic par

machines to sepetwork traffic. etwork Virtua

were using Hypnother organiz

When you confn the following

Customer address is coccur even separate puline window

Provider IPvisible to thvirtual mac

etwork Virtuaxample, 192.16ifferent provid


ure the followi

NDIS Capture

Windows Filte filtered.


etwork Vir

ork Virtualizatiomachines that sbut are from dyou provide a

o differing busvirtual machinlization allowstitioning by asparate VLANs You would prlization in scen

per-V to host vzation.

igure Networkg manner:

IP address. Thconfigured in sthough the vi

ublic IP networw on the virtua

P address. Thihe hosting prohine.

lization allows68.15.101—on

der IP addresse


ing extensions

e. This extensio

tering Platfor


rtualizatio

on allows you share the sameifferent organin Infrastructurinesses, you wes from each o you to go beyssigning these as a way of isoimarily deploynarios where yvirtual machine

k Virtualization

his address is asuch a way thairtual machinerk. To display tal machine.

is address is thovider and to o

you to host mn the same Hypes.


s for each virtu

on allows for d

rm. This extens

mation about Vi/hh831452.asp

n

to e izations. re as a

will want other. yond virtual

olating y you es for

n, each guest v

assigned by that communicate might be hosthe customer I

he IP address aother hosts on

multiple machiper-V host, be

mation about N/hh831395.asp

20410A: Installing

ual switch type

data travelling

sion allows dat

irtual Switchespx.

virtual machine

e customer totion with the csted on a HypeIP address, exe

assigned by thethe physical n

nes that use thecause the virtu

etwork Virtualpx.

g and Configuring W

e:

across the vir

ta travelling ac

s see:

e has two IP a

o the virtual macustomer's inteer-V server thaecute IPCONF

e hosting provnetwork but it

he same custoual machines w

lization see:


tual switch to

cross the virtu

ddresses that

achine. This IPernal network at is connectedFIG in a comm

vider. This addis not visible f

omer address—will be assigne

12 13-23

be

al

function

P can

d to a and-

ress is from the

—for ed

13-24 Implem

Ma

Unle(MAMAadaconMAManpoo

WhenetwnetwbecdupHypnetwthatthe

WhereseIP a

You

1.

2.

3.

4.

5.

MAshoexam

Hy

H

H

H


anaging V

ess you specifyAC) address, HyC address to epter from a pofigure the addC Address Rannager console.ol of 255 MAC

en virtual macworks, the MAwork adaptersause the Hype

plicate MAC adper-V hosts andworks, you shot separate Hypvirtual machin

en virtual macervation, you sddress is alway

u can configure

Open the Hyp

Select the Hy

On the Action

Under Global

Specify a min

C addresses aruld consider cmples of range

yper-V Host

ost 1

ost 2

ost 3


irtual Mac

y a static mediyper-V dynam

each virtual maool of MAC address range of nge setting of t. By default, a addresses.

chines use privAC address that

is not likely toer-V host will eddresses are nod those compuould ensure thper-V hosts thanes that they h

chines are allochould consideys allocated to

e the MAC add

per-V Manage

yper-V host tha

ns pane, select

l Network Sett

nimum and a m

re in hexadecimhanging the ves for multiple

MAC

Min

Max

Min

Max

Min

Max

V

chine MAC

ia access contrmically allocateachine networddresses. You cthis pool fromthe Virtual SwHyper-V host

ate or internalt is allocated to be of concerensure that ot assigned to uters host virtuat each Hyperat connect to thost.

cated IP addreer using static Mo a specific MA

dress range by

er console.

at you wish to

t Virtual Switc

tings, click MA

maximum rang

mal format. Wvalues of the see Hyper-V host

C Address Ran

nimum: 00-15-

ximum: 00-15-

nimum: 00-15-

ximum: 00-15-

nimum: 00-15-

ximum: 00-15-

C Addresse

rol s a k can

m itch has a

l o

rn

different virtuual machines tr-V host uses athe same netw

esses through aMAC addresseAC address.

y performing t

configure.

ch Manager.

AC Address Ra

ge for the MAC

When configurinecond from thts.

nge

5D-0F-AB-00

-5D-0F-AB-FF

5D-0F-AC-00

-5D-0F-AC-FF

5D-0F-AD-00

-5D-0F-AD-FF

es

ual machines. Hthat use adapta different poowork do not ass

a Dynamic Hoes. A DHCP res

he following s

ange.

C address.

ng ranges for e last pair of d

However, wheters connectedol of MAC addsign the same

ost Configuratioservation ensu

steps:

multiple Hypedigits. The follo

n you have mud to external resses. This enMAC address

on Protocol (Dres that a part

er-V hosts, youowing table di

ultiple

sures es to

DHCP) ticular

u splays

C

VguviVppNsefo

•

•

•

Bo

•

•

•

•

•

Sytoac

•

Configuring

irtual networkuest operatingrtual switches irtual Switch Mroperties of a vroperties of a etwork Adapt

ettings dialog ollowing:

Virtual Swswitch the n

VLAN ID. Athat the vir

Bandwidthallocated tothe networHyper-V ho

oth synthetic n

MAC addrepool, or yoMAC addreaccess, suchaccess.

DHCP GuaDHCP servehosts virtuavirtual mac

Router Guconfigured control ove

Port Mirroanother virt

NIC Teamiserver.

ynthetic netwoo the Advancedcceleration fea

Virtual Mato the guesoperating sa network a

g Virtual N

k adapters allowg system to cothat you conf

Manager consovirtual machinnetwork adapter pane on thebox, you can c

itch. Determinnetwork adapt

Allows you to stual machine w

h Managemeno the adapter k adapter, eveost are functio

network adapt

ess allocationu can configur

ess spoofing. Th as when the

rd. Drops DHCers. This may bal machines fohines.

ard. Drops rouas unauthoriz

er the configur

oring. Allows ytual machine t

ing. Allows you

ork adapters red features listeatures:

achine Queue.st. This improvsystem to the vadapter that su

Network A

w the virtual mmmunicate usfigure using thole. You can edne to modify thter. From the e virtual machconfigure the

nes which virtuter connects to

specify a VLANwill use for com

nt. Allows you by Hyper-V. T

en when other ning at capaci

ters and legacy

n. You can conre the network

This is useful wvirtual machin

CP messages fbe necessary inr others, but d

uter advertisemzed routers. Thration of virtua

you to copy incthat you have

u to add the v

equire the gueed earlier, synt

. This feature uves performancvirtual machinupports this fe

Adapters

machine sing the e dit the he

ine's

ual o.

N ID mmunication t

to specify a mhe minimum bvirtual networty.

y network ada

figure a MAC k adapter to ushen the virtuane is running a

from virtual man scenarios whdoes not have

ment and redirhis may be necal machines.

coming and ouconfigured fo

virtual network

est operating sthetic network

uses hardware ce as the packee. Virtual Mac

eature.

20410A: Installing

that passes thr

minimum and abandwidth allork adapters on

apters support

address to be se a fixed MAC

al machine neea mobile devic

achines that ahere you are mdirect control

rection messagcessary in scena

utgoing packer monitoring.

k adapter to an

system to suppk adapters supp

packet filterinet does not nehine Queue re

g and Configuring W

rough this ada

a maximum baocation is resen virtual machi

the following

assigned fromC address. Youeds to provide ce emulator th

re functioningmanaging a Hyp

over the conf

ges from virtuarios where yo

ets from a netw

n existing team

port integratioport the follow

ng to deliver need to be copiequires that th


apter.

andwidth to brved by Hyperines hosted on

advanced fea

m the MAC addu can also conf

specific netwoat requires net

g as unauthorizper-V server thiguration of th

al machines thou do not have

work adapter t

m on the host

on services. In awing hardware

network traffic ied from the h

he host compu

12 13-25

e r-V for n the

tures:

dress figure ork twork

zed hat hose

hat are e direct

to

Hyper-V

addition e

directly host ter has


• IPsec task offloading. This feature allows calculation-intensive security association tasks to be performed by the host's network adapter. In the event that sufficient hardware resources are not available, the guest operating system performs these tasks. You can configure a maximum number of offloaded security associations between a range of 1 and 4,096. IPsec task offloading requires guest operating system and network adapter support.

• SR-IOV. Single-root I/O virtualization (SR-IOV) allows multiple virtual machines to share the same Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources are not available, then network connectivity falls back to be provided through the virtual switch. Single-root I/O virtualization (SR-IOV) requires specific hardware and special drivers to be installed on the guest operating system.

Legacy network adapters emulate common network adapter hardware. You use legacy network adapters in the following situations:

• You want to support network boot installation scenarios for virtual machines. For example, you want to deploy an operating system image from a Windows Deployment Services (Windows DS) server or through Configuration Manager.

• You need to support operating systems that do not support integration services and do not have drivers for the synthetic network adapter.

Legacy network adapters do not support the hardware acceleration features that synthetic network adapters support. You cannot configure virtual machine queue, IPsec task offloading, or Single-root I/O virtualization for legacy network adapters.


Lab: Implementing Server Virtualization with Hyper-V Scenario

A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. Your assignment is to configure the infrastructure service for a new branch office.

To more effectively use the server hardware that is currently available at branch offices, your manager has decided that all branch office servers will run as virtual machines. You must now configure a virtual network and a new virtual machine for these branch offices.

Objectives

After performing this lab you will be able to:

• Install the Hyper-V Server role.

• Configure virtual networking.

• Create and configure a virtual machine.

• Use virtual machine snapshots.

Lab Setup


Logon Information

Virtual Machines 20410A- LON-HOST1


Password Pa$$w0rd

1. Reboot the classroom computer and choose 20410A-LON-HOST1 from the Windows Boot Manager

2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.

Exercise 1: Installing the Hyper-V Server Role

Scenario The first step in migrating to a virtualized environment for the branch office is installing the Hyper-V server role on a new server.


1. Install the Hyper-V server role.

2. Complete Hyper-V role installation and verify settings.

Task 1: Install the Hyper-V server role 1. Reboot the classroom computer and from the Windows Boot Manager, choose

20410A-LON-HOST1.

2. Log onto the computer with the Administrator account and the password Pa$$w0rd.

3. In Server Manager, click Local Server and then configure the following network settings:


o IP Address: 172.16.0.31

o Subnet mask: 255.255.0.0

o Default gateway: 172.16.0.1


4. Use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 with the following options:

o Do not create a virtual switch

o Use the Default stores locations

o Allow the server to restart automatically if required.

5. After a few minutes, the server will automatically restart. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer will restart several times

Task 2: Complete Hyper-V role installation and verify settings 1. Log on to LON-HOST1 using the account Administrator with the password Pa$$word.

2. When the Hyper-V tools installation completes, click Close.

3. Open the Hyper-V Manager console and then click LON-HOST1.

4. Edit the Hyper-V settings of LON-HOST1, and configure the following settings:

o Keyboard: Use on the virtual machine

o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

Results: After this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking

Scenario

After installing the Hyper-V server role on the new server, you need to configure the virtual network. You need to create both a network that is connected to the physical network, and a private network that can be used only for communication between virtual machines. The private network will be used once virtual machines are configured for high availability. You also need to configure a specific range of MAC addresses for the virtual machines.


1. Configure the external network.

2. Create a private network.

3. Create an internal network.

4. Configure the MAC address range.

Task 1: Configure the external network 1. Open the Hyper-V console, and then click on LON-HOST1.

2. Use the Virtual Switch Manager to create a new External virtual network switch with the following properties:

o Name: Switch for External Adapter


o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)

Task 2: Create a private network 1. On LON-HOST1, open the Hyper-V Manager console.

2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.

o Name: Private Network

o Connection type: Private network

Task 3: Create an internal network 1. On LON-HOST1, open the Hyper-V Manager console.

2. Use the Virtual Switch Manager to create a new virtual switch with the following properties.

o Name: Internal Network

o Connection type: Internal network

Task 4: Configure the MAC address range 1. On LON-HOST1, open the Hyper-V Manager console.

2. Use the Virtual Switch Manager to configure the following MAC Address Range settings:

o Minimum: 00-15-5D-0F-AB-A0

o Maximum: 00-15-5D-0F-AB-EF

Results: After this exercise, you will have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine

Scenario

You have been asked to deploy two virtual machines to LON-HOST1. You have copied a sysprepped VHD file that hosts a Windows Server 2012 installation.

To minimize disk space use at the cost of performance, you are going to create two differencing files based on the sysprepped VHD. You will then use these differencing files as the virtual hard disk files for the new virtual machines.


1. Create differencing disks.

2. Create virtual machines.

3. Enable resource metering.

Task 1: Create differencing disks 1. Use Windows Explorer to create the following folders:

o E:\Program Files\Microsoft Learning\Base \LON-GUEST1

o E:\Program Files\Microsoft Learning\Base \LON-GUEST2


Note: The drive letter may depend upon the number of drives on the physical host machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:

o Disk Format: VHD

o Disk Type: Differencing

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd

3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:

New-VHD “E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd” -ParentPath “E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd”

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.

5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files \Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

Task 2: Create virtual machines 1. On LON-HOST1, in the Hyper-V Manager console, in the Actions pane, click New, and then click

Virtual Machine.

2. Create a virtual machine with the following properties:

o Name: LON-GUEST1


o Memory: 1024 MB

o Use Dynamic Memory: Yes

o Networking: Private Network

o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1 \lon-guest1.vhd

3. Open Windows PowerShell, import the Hyper-V module, and execute the following command:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath “E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd” -SwitchName "Private Network"

4. Use the Hyper-V Manager console, edit the settings of LON-GUEST2. Configure the following:

5. Automatic Start Action: Nothing.

6. Automatic Stop Action: Shut down the guest operating system.

Task 3: Enable resource metering • At the Windows PowerShell command-line prompt, import the Hyper-V module and enter the

following commands:

Enable-VMResourceMetering LON-GUEST1 Enable-VMResourceMetering LON-GUEST2


Results: After this exercise, you will have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.

Exercise 4: Using Virtual Machine Snapshots

Scenario You are in the process of developing a strategy to mitigate the impact of incorrectly applied change requests. As a part of this strategy development, you are testing the speed and functionality of using virtual machine snapshots to roll back to a previously existing stable configuration.

In this exercise, you will deploy Windows Server 2012 in a virtual machine. You will create a stable configuration for that virtual machine, and then take a virtual machine snapshot. You will then modify the configuration, and then roll back to the snapshot.


1. Deploy Windows Server 2012 in a virtual machine.

2. Create a virtual machine snapshot.

3. Modify the virtual machine.

4. Revert to the existing virtual machine snapshot.

5. View resource metering data.

Task 1: Deploy Windows Server 2012 in a virtual machine 1. Use the Hyper-V Manager console to start LON-GUEST1.

2. Open the Virtual Machine Connection Window and perform the following steps to deploy Windows Server 2012 on the virtual machine:

o On the Settings page, click Skip.

o On the Settings page, select I accept the license terms for using Windows and click Accept.

o On the Settings page, click Next to accept the Region and Language settings.

o On the Settings page enter the password Pa$$w0rd twice and click Finish.

3. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.

4. Reset the name of the virtual machine to LON-GUEST1, and then restart the virtual machine.

Task 2: Create a virtual machine snapshot 1. Log on to the LON-GUEST1 virtual machine, and verify that the name of the computer is set to LON-

GUEST1.

2. Create a snapshot of LON-GUEST1, and name the snapshot Before Change.

Task 3: Modify the virtual machine 1. Log on to the LON-GUEST1 virtual machine, and use the Server Manager console to change the

computer's name to LON-Computer1.

2. Reboot the virtual machine.

3. Log on to the LON-GUEST1 virtual machine, and verify that the server name is set to LON-Computer1.


Task 4: Revert to the existing virtual machine snapshot 1. Revert the virtual machine.

2. Verify that the Computer Name of the virtual machine is set to LON-GUEST1.

Task 5: View resource metering data 1. On LON-HOST1, import the Hyper-V Windows PowerShell module and issue the following command:

Measure-VM LON-GUEST1

2. Note the average CPU, average RAM, and total disk use figures and then close the PowerShell window.

Results: After this exercise, you will have used virtual machine snapshots to recover from a virtual machine misconfiguration.

Revert the virtual machines After you finish the lab, restart the computer in Windows Server 2008 R2.

1. Click on the Windows PowerShell icon on the Taskbar.

2. In the Windows PowerShell window, enter the following command and press enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2



Question: In which situations should you use a fixed memory allocation rather than dynamic memory?

Question: In which situations must you use VHDX format virtual hard disks as opposed to VHD format virtual hard disks?

Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a file share. What operating system must the file server be running to support this configuration?



Cannot deploy Hyper-V on an x64 platform.

Virtual Machine does not use dynamic memory.

Best Practices

When implementing server virtualization with Hyper-V, use the following best practices:

• Ensure that the processor on the computer that will host Hyper-V supports SLAT. Servers that support the Hyper-V role on Windows Server 2008 and Windows Server 2008 R2 may not support Hyper-V on Windows Server 2012.

• Ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual machines paging the hard disk drive because they are provisioned with inadequate memory will decrease performance for all virtual machines on the Hyper-V host.

• Monitor virtual machine performance carefully. A virtual machine that uses a disproportionate amount of server resources can adversely impact the performance of all other virtual machines that are hosted on the same Hyper-V server.

Tools

You can use the following tools with Hyper-V to deploy and manage virtual machines.


Sysinternals disk2vhd tool

Use to convert physical hard disks to VHD format.

You can download this tool from the Microsoft TechNet website.


Course Evaluation Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

L1-1

Module 1: Deploying and Managing Windows Server 2012

Lab: Deploying and Managing Windows Server 2012 Exercise 1: Deploying Windows Server 2012

Task 1: Install the Windows Server 2012 server 1. Open the Hyper-V® Manager console.

2. Click 20410A-LON-SVR3. In the Actions pane, click Settings.

3. Under Hardware, click DVD Drive.

4. Click Image file, and then click Browse.

5. Browse to C:\Program Files\Microsoft Learning\20410\Drives, and then click Win2012_RC.ISO.

6. Click Open and then click OK.

7. In the Hyper-V Manager console, double-click 20410A-LON-SVR3 to open the Virtual Machine Connection Window.

8. In the Virtual Machine Connection Window, In the Action menu, click Start.

9. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, and then click Next.

o Language to install: English (United States)

o Time and currency format: English (United States)

o Keyboard or input method: US

10. On the Windows Server 2012 page, click Install now.

11. On the Select the operating system you want to install page, select Windows Server 2012 Release Candidate Datacenter (Server with a GUI), and then click Next.

12. On the License terms page, review the operating system license terms. Select the I accept the license terms check box, and then click Next.

13. On the Which type of installation do you want?, click Custom: Install Windows only (advanced).

14. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has enough space for the Windows Server 2012 operating system, and then click Next.

Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.

15. On the Settings page, enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish.

Task 2: Change the server name 1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.

2. In Server Manager, click Local Server.

L1-2 20410A: Installing and Configuring Windows Server® 2012

3. Click on the randomly-generated name next to Computer name. This will launch the System Properties dialog box.


5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the name LON-SVR3, and then click OK.


7. Close the System Properties dialog box.

8. In the Microsoft Windows dialog box, click Restart Now.

Task 3: Change the date and time 1. Log on to server LON-SVR3 Administrator with the password Pa$$w0rd.

2. On the taskbar, click the time display. A pop-up window with a calendar and a clock displays.

3. On the pop-up window, click Change date and time settings.

4. In the Date and Time dialog box, click Change Time Zone.

5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click OK.

6. In the Date and Time dialog box, click Change Date and Time.

7. Verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom, and then click OK.

8. Click OK to close the Date and Time dialog box.

Task 4: Configure the network and network teaming 1. In the Server Manger console on LON-SVR3, click Local Server.

2. Next to NIC Teaming, click Disabled.

3. In the NIC Teaming dialog box, press and hold the Ctrl key, and then in the Adapters And Interfaces workspace, click both Local Area Connection and Local Area Connection 2.

4. Right-click the selected network adapters, and then click Add to New Team.

5. In the New Teaming dialog box, in the Team name field. type LON-SVR3, and then click OK.

6. Close the NIC Teaming dialog box. Refresh the Server Manager console.

7. In the Server Manager console, next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.

8. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.

9. In the LON-SVR3 Properties dialog, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IP address information, and then click OK.

o IP address: 172.16.0.101


o Default Gateway: 172.16.0.1


Module 1: Deploying and Managing Windows Server 2012 L1-3

11. Click Close to close the LON-SVR3 Properties dialog box.

12. Close the Network Connections dialog box.

Task 5: Add the server to the domain 1. On LON-SVR3, in the Server Manager console, click Local Server.

2. Next to Workgroup, click WORKGROUP.


4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option.

5. In the Domain box, enter adatum.com, and then click OK.

6. In the Windows Security dialog box, enter the following details, and then click OK:

o Username: Administrator



8. When informed that you must restart the computer to apply changes, click OK.

9. In the System Properties dialog box, click Close.


11. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.

Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.

Exercise 2: Configuring Windows Server 2012 Server Core

Task 1: Change the server name 1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.

2. At the command prompt, type sconfig.cmd.

3. To select Computer Name, type 2, and then press Enter.

4. Enter the computer name LON-CORE, and then press Enter.

5. In the Restart dialog box, click Yes.

6. Log on to server LON-CORE using the Administrator account.

7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.

Task 2: Change the computer’s date and time 1. When logged on to server LON-CORE with the Administrator account, at the command prompt,

type sconfig.cmd, and then press Enter.

2. To select Date and Time, type 9, and then press Enter.

3. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone that your classroom uses, and then click OK.


4. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. Click OK two times to dismiss the dialog boxes.

5. In the command prompt window, type 15, and then press Enter to exit Server Configuration.

Task 3: Configure the network 1. Ensure that you are logged on to server LON-CORE using the account Administrator and password

Pa$$w0rd.

2. At the command prompt, type sconfig.cmd, and then press Enter.

3. To configure Network Settings, type 8, and then press Enter.

4. Type the index number of the network adapter that you want to configure, and then press Enter.

5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter Address.

6. To select static IP address configuration, type S, and then press Enter.

7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.

8. At the Enter subnet mask prompt, Type 255.255.0.0, and then press Enter.

9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.

10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS server address.

11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.

12. In the Network Settings dialog box, click OK.

13. Press Enter to not configure an alternate DNS server address.

14. Type 4, and then press Enter to return to the main menu.

15. Type 15, and then press Enter to exit sconfig.cmd.

16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain controller from LON-CORE.

Task 4: Add the server to the domain 1. Ensure that you are logged on to server LON-CORE using the account Administrator with password

Pa$$w0rd.

2. At the command prompt, type sconfig.cmd, and then press Enter.

3. To switch to configure Domain/Workgroup, type 1, and then press Enter.

4. To join a domain, type D, and then press Enter.

5. At the Name of domain to join prompt, type adatum.com.

6. At the Specify an authorized domain\user prompt, type adatum\administrator, and then press Enter.

7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then press Enter.

8. At the Change Computer Name prompt, click Yes.

9. At the Enter new computer name prompt, press Enter.

10. To restart the server, type 13, and then press Enter.


11. In the Restart dialog box, click Yes.

12. Log on to server LON-CORE with the adatum\administrator account and the password Pa$$w0rd.

Results: After finishing this exercise, you will have configured a Windows Server 2012 Server Core deployment, and verified the server’s name.

Exercise 3: Managing Servers

Task 1: Create a server group 1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click Dashboard, and then click Create a server group.

3. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.

4. In the Server group name box, type LAB-1.

5. Use the arrow to add LON-CORE and LON-SVR3 to the server group. Click OK to close the Create Server Group dialog box.

6. Click LAB-1. Press and hold the Ctrl key, and then select both LON-CORE and LON-SVR3.

7. When both are selected, scroll down and under the Performance section; select both LON-CORE and LON-SVR3.

8. Right-click LON-CORE, and then click Start Performance Counters.

Task 2: Deploy features and roles to both servers 1. In Server Manager on LON-DC1, click LAB-1.

2. Scroll to the top of the pane, right-click LON-CORE, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

5. On the Select destination server page, verify that LON-CORE.Adatum.com is selected, and then click Next.

6. On the Select server roles page, select Web Server (IIS), and then click Next.

7. On the Features page, select Windows Server Backup, and then click Next.

8. On the Web Server Role (IIS) page, click Next.

9. On the Select Role Services page, add the Windows Authentication role service, and then click Next.

10. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.

11. Click Close to close the Add Roles and Features Wizard.

12. In Server Manager, right-click LON-SVR3, and then click Add Roles and Features.

13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

14. On the Select installation type page, click Role-based or feature-based installation.


15. On the Select destination server page, verify that LON-SVR3.Adatum.com is selected, and then click Next.

16. On the Server Roles page, click Next.

17. On the Select features page, click Windows Server Backup, and then click Next.


19. Once the install commences, click Close.

20. In Server Manager, click the IIS node, and verify that LON-CORE is listed.

Task 3: Review services, and change a service setting 1. Log on to LON-CORE with the adatum\Administrator account and using the password Pa$$w0rd.

2. At a command prompt, type netsh.exe firewall set service remoteadmin enable ALL, and then press Enter.

3. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.

4. In Server Manager, click LAB-1.

5. Right-click LON-CORE, and then click Computer Management.

6. In the Computer Management console, expand Services and Applications, and then click Services.

7. Right-click the World Wide Web Publishing service, and then click Properties. Verify that the Startup type is set to Automatic.

8. In the World Wide Web Publishing Service dialog box, on the Log On tab, verify that the service is configured to use the Local System account.

9. In the World Wide Web Publishing Service dialog box, on the Recovery tab, configure the following settings:

o First failure: Restart the Service

o Second failure: Restart the Service

o Subsequent failures: Restart the Computer.

o Reset fail count after: 1 days

o Reset service after: 1 minute

10. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, click the Restart Computer Options button.

11. In the Restart Computer Options dialog box, in the Restart Computer After box, type 2, and then click OK.

12. Click OK to close the World Wide Web Publishing Services Properties dialog box.


Results: After finishing this exercise, you will have created a server group, deployed roles and features, and configured the properties of a service.


Exercise 4: Using Windows PowerShell to Manage Servers

Task 1: Use Windows PowerShell® to connect remotely to servers and view information 1. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.

2. In the Server Manager console, click LAB-1.

3. Right-click LON-CORE, and then click Windows PowerShell.

4. At the command prompt, type Import-Module ServerManager, and then press Enter.

5. Type Get-WindowsFeature to review the roles and features installed on LON-CORE.

6. Type the following command to review the running services on LON-CORE:

Get-service | where-object {$_.status -eq “Running”}

7. Type get-process, and then press Enter to view a list of processes on LON-CORE.

8. Type the following command to review the IP addresses assigned to the server:

Get-NetIPAddress | Format-table

9. Type the following command to review the most recent 10 items in the security log:

Get-EventLog Security -Newest 10


Task 2: Use Windows PowerShell to install new features remotely 1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command prompt, type import-module ServerManager, and then press Enter.

3. To verify that the XPS Viewer feature has not been installed on LON-SVR3, type the following command, and then press Enter:


4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:

Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3

5. To verify that the XPS Viewer feature has now been deployed on LON-SVR3, type the following command and then press Enter:


6. In the Server Manager console, from the Tools drop-down menu, click Windows PowerShell ISE.

7. In the Windows PowerShell ISE window, in the Untitled1.ps1 script pane, type the following, pressing Enter after each line:

Import-Module ServerManager Install-WindowsFeature WINS -ComputerName LON-SVR3 Install-WindowsFeature WINS -ComputerName LON-CORE


8. Click the Save icon. Select the root of Local Disk (C:). Create a new folder named Scripts, and then save the script in that folder as InstallWins.ps1.

9. Press F5 to run the script.

Results: After finishing this exercise, you will have used Windows PowerShell to perform a remote installation of features on multiple servers.


1. On the host computer, switch to the Hyper-V Manager console.

2. In the Virtual Machines list, right click 20410A-LON-DC1, and the click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.

L2-9

Module 2: Introduction to Active Directory Domain Services

Lab: Installing Domain Controllers Exercise 1: Installing a Domain Controller

Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server 1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, in the left column, select All Servers.

3. Right-click All Servers and then click Add Servers.

4. In the Add Servers dialog box, in the Name (CN) box, type LON-SVR1 and then click Find Now.

5. Under Name, click LON-SVR1 and then click the arrow to add the server to the Selected column.

6. Click OK to close the Add Servers dialog box.

7. In Server Manager, in the Servers window, right-click LON-SVR1, and select Add Roles and Features.


9. In the Select installation type window, ensure that Role-based or feature-based installation is selected, and then click Next.

10. On the Select destination server page, ensure that Select a server from the server pool is selected. In the Server Pool window, verify that LON-SVR1.Adatum.com is highlighted, and then click Next.

11. On the Select server roles page, select the Active Directory Domain Services check box, click Add Features, and then click Next.

12. On the Select features page, click Next.

13. On the Active Directory Domain Services page, click Next.


15. Installation will take several minutes, when the installation is succeeded, click Close to close the Add Roles and Features Wizard.

Task 2: Configure a server as a domain controller 1. On LON-DC1, in Server Manager on the menu bar, on the left of the Manage button, click the yellow

Alert button.

2. In the Post-deployment Configuration window that appears, click Promote this server to a domain controller. The wizard continues.

3. In the Deployment Configuration page, ensure that the radio button next to Add a domain controller to an existing domain is selected, and then, beside the Domain line, click Select.

4. In the Windows Security dialog box that opens, enter Adatum\Administrator in the Username box and in the Password box, type Pa$$w0rd, and then click OK.

5. In the Select a domain from the forest window, click adatum.com, and then click OK.

6. In the Deployment Configuration window, click Next.

7. On the Domain Controller Options page, ensure that Domain Name System (DNS) server is selected, and then deselect the check box next to Global Catalog (GC).


Note: You would usually want to enable the global catalog as well, but for the purpose of this lab, this is done in the next section.

8. In the Type the Directory Services Restore Mode (DSRM) password section, type Pa$$w0rd in both text boxes, and then click Next.

9. On the DNS Options page, click Next.

10. On the Additional Options page, click Next.

11. On the Paths page, accept the default folders, and then click Next.

12. On the Review Options page, click View Script, examine the Windows PowerShell® script that the wizard generates, close the Notepad window, and then click Next.

13. On the Prerequisites Check page, read any warning messages, and then click Install.

14. When the task completes successfully, click Close.

Task 3: Configure a server as a global catalog server 1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools and then click Active Directory Sites and Services.

3. When the Active Directory Sites and Services window opens, expand Sites, expand Default-First-Site-Name, expand Servers, and then expand LON-SVR1.

4. In the left column, right-click NTDS Settings and select Properties.

5. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog.

6. Click OK and close Active Directory Sites and Services.

Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.

Exercise 2: Installing a domain controller by using IFM

Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM) 1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.

3. On the Start screen, type CMD and then press Enter.

4. In the Command Prompt window, type the following, pressing Enter after each line:

Ntdsutil Activate instance ntds Ifm Create sysvol full c:\ifm

Task 2: Add the AD DS role to the member server 1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.

2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.

3. On the Start screen, type CMD and then press Enter.

Module 2: Introduction to Active Directory Domain Services L2-11

4. Type the following command, and then press Enter:

Net use k: \\LON-DC1\c$\IFM

5. Switch to Server Manager.

6. From the list on the left, click Local Server.

7. In the toolbar, click Manage, and then click Add Roles and Features.

8. On the Before you begin page, click Next.

9. On the Select installation type page, ensure that Role-based or feature-based installation is selected, and then click Next.

10. On the Select destination server page, verify that LON-SVR2.Adatum.com is highlighted, and then click Next.

11. On the Select server roles page, click Active Directory Domain Services, in the Add Roles and Features Wizard window, click Add Features, and then click Next.

12. In the Select Features window, click Next.


14. On the Confirm installation selections page, click Restart the destination server automatically if required. Click Yes at the message box.

15. Click Install.

16. After the installation is succeeded, click Close.

Task 3: Use IFM to configure a member server as a new domain controller 1. On LON-SVR2, in the command prompt window, type the following command, and then press Enter:

Robocopy k: c:\ifm /copyall /s


3. In the Server Manager toolbar, to the left of the Manage button, click the yellow Alert button.

4. In the Post-deployment Configuration window, click Promote this server to a domain controller.

5. On the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and confirm that adatum.com is entered as the target domain. Click Next.

6. On the Domain Controller Options page, ensure that both Domain Name System (DNS) server and global catalog are selected. For the DSRM password, enter Pa$$w0rd in both boxes, and then click Next.

7. On the DNS Options page, click Next.

8. On the Additional Options page, select the check box next to Install from media, in the text box, type C:\ifm and then click verify.

9. When the path has been verified, click Next.

10. On the Paths page, click Next.

11. On the Review Options page, click Next, and then observe the wizard as it performs a check for prerequisites.

12. Click Install and wait while AD DS is configured. While this task is running, read the information messages that display on the screen.


13. Wait for the server to restart.

Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.





4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.

L3-13

Module 3: Managing Active Directory Domain Services Objects

Lab: Managing Active Directory Domain Services Objects Exercise 1: Delegating Administration for a Branch Office

Task 1: Delegate administration for Branch Administrators 1. Switch to LON-DC1.

2. From Server Manager, click Tools.

3. Click Active Directory Users and Computers.

4. In Active Directory Users and Computers, click Adatum.com.

5. Right-click Adatum.com, point to New, and then click Organizational Unit.

6. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and then click OK.

7. Right-click Branch Office 1, point to New, and then click Group.

8. In the New Object – Group dialog box, in the Group name box, type Branch 1 Help Desk, and then click OK.


10. In the New Object – Group dialog box, in the Group name box, type Branch 1 Administrators, and then click OK.


12. In the New Object – Group dialog box, in the Group name box, type Branch 1 Users, and then click OK.

13. In the navigation pane, click IT.

14. In the details pane, right-click Holly Dickson, and then click Move.

15. In the Move dialog box, click Branch Office 1, and then click OK.

16. In the navigation pane, click the Development organizational unit.

17. In the details pane, right-click Bart Duncan, and then click Move.


19. In the navigation pane, click the Managers organizational unit.

20. In the details pane, right-click Ed Meadows, and then click Move.


22. In the navigation pane, click the Marketing organizational unit.

23. In the details pane, right-click Connie Vrettos, and then click Move.


25. In the navigation pane, click the Research organizational unit.


26. In the details pane, right-click Barbara Zighetti, and then click Move.


28. In the navigation pane, click the Sales organizational unit.

29. In the details pane, right-click Arlene Huff, and then click Move.


31. In the navigation pane, click Branch Office 1.

32. In the navigation pane, click Computers.

33. In the details pane, right-click LON-CL1, and then click Move.


35. Switch to LON-CL1.

36. Pause your mouse pointer in the lower-right corner of the display, and then click Settings.

37. Click Power, and then click Restart.

38. When the computer has restarted, log on as Adatum\Administrator with the password of Pa$$w0rd.

39. Switch to the LON-DC1 computer.

40. If necessary, switch to Active Directory Users and Computers.

41. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.

42. On the Users or Groups page, click Add.

43. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.

44. On the Users or Groups page, click Next.

45. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:




o Create, delete and manage groups


o Manage Group Policy links

46. On the Completing the Delegation of Control Wizard page, click Finish.

47. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.


49. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.


51. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

Module 3: Managing Active Directory Domain Services Objects L3-15

52. On the Active Directory Object Type page, select Only the following objects in the folder, select the following check boxes, and then click Next:

o Computer objects

o Create selected objects in this folder

o Delete selected objects in this folder

53. On the Permissions page, select the General check box, and the Full Control check box, and then click Next.


Task 2: Delegate a user administrator for the Branch Office Help Desk 1. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.


3. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk and then click OK.


5. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:





Task 3: Add a member to the Branch Administrators 1. In the navigation pane, click Branch Office 1.

2. In the details pane, right-click Holly Dickson, and then click Add to a group.

3. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.

4. In the Active Directory Domain Services dialog box, click OK.

5. In the details pane, right-click Branch 1 Administrators, and then click Add to a group.

6. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.


8. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.

9. On LON-DC1, click Sign out.

10. Log on to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. You can logon locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.

11. On the desktop, in the task bar click Server Manager.

12. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.




15. In Active Directory Users and Computers, expand Adatum.com.

16. In the navigation pane, click Sales.

17. In the details pane, right-click Aaren Ekelund, and then click Delete.

18. Click Yes to confirm.

19. Click OK to acknowledge that you do not have permissions to perform this task.


21. In the details pane, right-click Ed Meadows, and then click Delete.

22. Click Yes to confirm. You are successful because you have the required permissions.

Task 4: Add a member to the Branch Help Desk group 1. In the details pane, right-click Bart Duncan, and then click Add to a group.

2. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk, and then click OK.


4. Close Active Directory Users and Computers.

5. Close Server Manager. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.

6. On the desktop, click Server Manager.

7. In the User Account Control dialog box, in the User name box, type Adatum\Administrator. In the Password box, type Pa$$w0rd, and then click Yes.

8. In Server Manager, click Tools.

9. In the Tools list, click Active Directory Users and Computers.



12. In the details pane, right-click Branch 1 Help Desk, and then click Add to a group.

13. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.




17. Log on as Adatum\Bart with the password Pa$$w0rd. You can logon locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.

18. On the desktop, click Server Manager.

19. In the User Account Control dialog box, in the User name box, type Bart. In the Password box, type Pa$$w0rd, and then click Yes.






24. In the details pane, right-click Connie Vrettos, and then click Delete.

25. Click Yes to confirm. You are unsuccessful because you lack the required permissions. Click OK.

26. Right-click Connie Vrettos, and then click Reset Password.

27. In the Reset Password dialog box, in the New password and Confirm password boxes, type Pa$$w0rd, and then click OK.

28. Click OK to confirm the successful password reset.

29. On your host computer, in the 20410A-LON-DC1 windows, on the Action menu, click Ctrl+Alt+Delete.


31. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.

Exercise 2: Creating and Configuring User Accounts in AD DS

Task 1: Create a template user for the branch office 1. On LON-DC1, on the Taskbar, click Windows Explorer.

2. Click Desktop, and then double-click Computer.

3. Double-click Local Disk (C:).

4. On the menu, click Home, and then click New folder.

5. Type branch1-userdata, and then press Enter.

6. Right-click branch1-userdata, and then click Properties.

7. In the branch1-userdata Properties dialog box, on the Sharing tab, click Advanced Sharing.

8. Select the Share this folder check box, and then click Permissions.

9. In the Permissions for branch1-userdata dialog box, select the Full Control Allow check box, and then click OK.

10. In the Advanced Sharing dialog box, click OK, and then in the branch1-userdata Properties dialog box, click Close.


12. Click Active Directory Users and Computers, and then expand Adatum.com.

13. Right-click Branch Office1, point to New, and then click User.

14. In the New Object – User dialog box, in the Full name box, type _Branch_template.

15. In the User logon name box, type _Branch_template, and click Next.

16. In the Password and Confirm password boxes, type Pa$$w0rd.

17. Select the Account is disabled check box, and then click Next.

18. Click Finish.


Task 2: Configure the template’s settings 1. From within the Branch Office 1 OU, right-click _Branch_template, and then click Properties.

2. In the _Branch_template Properties dialog box, on the Address tab, in the City box, type Slough.

3. Click the Member Of tab.

4. Click Add. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Users, and then click OK.

5. Click the Profile tab.

6. Under Home folder, click Connect, and in the To: box, type \\lon-dc1\branch1-userdata \%username%.

7. Click Apply, and then click OK.

Task 3: Create a new user for the branch office, based on the template 1. Right-click _Branch_template, and then click Copy.

2. In the New Object – User dialog box, in the First name box, type Ed.

3. In the Last name box, type Meadows.

4. In the User logon name box, type Ed, and then click Next.

5. In the Password and Confirm password boxes, type Pa$$w0rd.

6. Clear the User must change password at next logon check box.

7. Clear the Account is disabled check box, and then click Next.

8. Click Finish.

9. Right-click Ed Meadows, and then click Properties.

10. In the Ed Meadows Properties dialog box, click the Address tab. Notice that the City is configured.

11. Click the Profile tab. Notice that the home folder location is configured

12. Click the Member Of tab. Notice that Ed belongs to the Branch 1 Users group. Click OK.



Task 4: Log on as a user to test account settings 1. Switch to LON-CL1.

2. On your host computer, in the 20410A-LON-CL1 window, on the menu, click Ctrl+Alt+Delete.

3. On LON-CL1, click Sign out.

4. Log on to LON-CL1 as Adatum\Ed with the password of Pa$$w0rd.

5. On the Start screen, click Desktop.

6. On the Taskbar, click Windows Explorer.

7. In the navigation pane, click Desktop, and then in details, double-click Computer.

8. Verify that Drive Z is mapped to \\lon-dc1\branch1userdata\Ed.

9. Double-click Ed (\\lon-dc1\branch1-userdata) (Z:).

10. If you receive no errors, you have been successful.


11. On your host computer, in the 20410A-LON-CL1 window, on the Action menu, click Ctrl+Alt+Delete.

12. On LON-CL1, click Sign out.

Results: After this exercise, you should have successfully created and tested a user account created from a template.

Exercise 3: Managing Computer Objects in AD DS

Task 1: Reset a computer account 1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.

2. On the task bar, click Server Manager.

3. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.





8. In the details pane, right-click LON-CL1, and then click Reset Account.

9. In the Active Directory Domain Services dialog box, click Yes.


Task 2: Observe the behavior when a client logs on 1. Switch to LON-CL1.

2. Log on as Adatum\Ed with the password Pa$$w0rd.

3. A message is displayed that explains that The trust relationship between this workstation and the primary domain failed.

4. Click OK.

Task 3: Rejoin the domain to reconnect the computer account 1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the Start screen, right-click the display, click All apps, and in the Apps list, click Control Panel.

3. In Control Panel, in the View by list, click Large icons.

4. Click System.

5. In the navigation list, click Advanced system settings.

6. In System Properties, click the Computer Name tab.

7. Click Network ID.

8. On the Select the option that describes your network page, click Next.

9. On the Is your company network on a domain page, click Next.

10. On the You will need the following information page, click Next.


11. On the Type your user name, password, and domain name for your domain account page, in the Password box, type Pa$$w0rd. The other fields are completed. Click Next.

12. In the User Account and Domain Information dialog box, click Yes.

13. On the Do you want to enable a domain user account on this computer? page, click Do not add a domain user account, and then click Next.

14. Click Finish, and then click OK.


16. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer had been successfully rejoined.

Results: After this exercise, you should have successfully reset the trust relationship.





4. Repeat steps 2 and 3 for 20410A-LON-DC1.

L4-21

Module 4: Automating Active Directory Domain Services Administration

Lab: Automating AD DS Administration by Using Windows PowerShell Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell

Task 1: Create a user account by using Windows PowerShell 1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell® prompt, type the following command, and then press Enter:

New-ADOrganizationalUnit LondonBranch


New-ADUser –Name Ty –DisplayName “Ty Carlson” –GivenName Ty –Surname Carlson –Path “ou=LondonBranch,dc=adatum,dc=com”


Set-ADAccountPassword Ty

5. When prompted for the current password, press Enter.

6. When prompted for the desired password, type Pa$$w0rd, and then press Enter.

7. When prompted to repeat the password, type Pa$$w0rd, and then press Enter.

8. At the Windows PowerShell prompt, type Enable-ADAccount Ty, and then press Enter.

9. On LON-CL1, log on as Ty using a password of Pa$$w0rd.

10. Verify that logon is successful and then sign out of LON-CL1.

Task 2: Create a group by using Windows PowerShell 1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press

Enter:

New-ADGroup LondonBranchUsers –Path “ou=LondonBranch,dc=adatum,dc=com” –GroupScope Global –GroupCategory Security


Add-ADGroupMember LondonBranchUsers –Members Ty


Get-ADGroupMember LondonBranchUsers

Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.


Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk

Task 1: Prepare the .csv file 1. On LON-DC1, on the taskbar, click the Windows Explorer icon.

2. In the Windows® Explorer window, expand E:, expand Labfiles, and then click Mod04.

3. Right-click LabUsers.ps1, and then click Edit.

4. In Windows PowerShell ISE, read the comments at the top of the script, and then identify the requirements for the header in the .csv file.

5. Close Windows PowerShell ISE.

6. In Windows Explorer, double-click LabUsers.csv.

7. In the How do you want to open this type of file (.csv) window, click Notepad.

8. In Notepad, type the following line at the top of the file: FirstName,LastName,Department,DefaultPassword

9. Click File, and then click Save.

10. Close Notepad.

Task 2: Prepare the script 1. On LON-DC1, in Windows Explorer, right-click LabUsers.ps1, and then click Edit.

2. In Windows PowerShell ISE, under Variables, replace C:\path\file.csv with E:\Labfiles\Mod04\LabUsers.csv.

3. Under Variables, replace “ou=orgunit,dc=domain,dc=com” with “ou=LondonBranch,dc=adatum,dc=com”.

4. Click File, and then click Save.

5. Scroll down and review the contents of the script.

6. Close Windows PowerShell ISE.

Task 3: Run the script 1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.

3. Type .\LabUsers.ps1, and then press Enter.


Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com”

5. Close the Windows PowerShell prompt.

6. On LON-CL1, log on as Luka using a password of Pa$$w0rd.

Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.

Module 4: Automating Active Directory Domain Services Administration L4-23

Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk

Task 1: Force all user accounts in LondonBranch to change password at next logon 1. On LON-DC1, on the task bar, click the Windows PowerShell icon.

2. At the Windows PowerShell Prompt, type the following command, and then press Enter:

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Format-Wide DistinguishedName

3. Verify that only users from the LondonBranch organizational unit are listed.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Set-ADUser –ChangePasswordAtLogon $true


Task 2: Configure the address for user accounts in LondonBranch 1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative

Center.

2. In Active Directory Administrative Center, in the Navigation pane, browse to Adatum (local) > LondonBranch.

3. Click the Type column header to sort based on the object type.

4. Select all user accounts, right-click the user accounts, and then click Properties.

5. In the Multiple Users window, under Organization, select the Address check box.

6. In the Street box, type Branch Office.

7. In the City box, type London.

8. In the Country/Region box, select United Kingdom, and then click OK.

9. Close Active Directory Administrative Center.

10.

Results: After completing this exercise, you will have modified user accounts in bulk.

To prepare for the next module When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:




4. Repeat steps 2 to 3 for 20410A-LON-DC1.

L5-25


Lab: Implementing IPv4 Exercise 1: Identifying Appropriate Subnets

Task 1: Calculate the bits required to support the hosts on each subnet 1. How many bits are required to support 100 hosts on the client subnet?

Seven bits are required to support 100 hosts on the client subnet (27-2=126, 26-2=62).

2. How many bits are required to support 10 hosts on the server subnet?

Four bits are required to support 10 hosts on the server subnet (24-2=14,23-2=6).

3. How many bits are required to support 40 hosts on the future expansion subnet?

Six bits are required to support 40 hosts on the future expansion subnet (26-2=62, 25-2=30).

4. If all subnets are the same size, can they be accommodated?

No. If all subnets are the same size, then all subnets must use 7 bits to support 126 hosts. Only a single class C–sized address with 254 hosts has been allocated. Three subnets of 126 hosts would not fit.

5. Which feature allows a single network to be divided into subnets of varying sizes?

Variable length subnet masking allows you to define different subnet masks when subnetting. Therefore, variable length subnet masking allows you to have subnets of varying sizes.

6. How many host bits will you use for each subnet? Use the simplest allocation possible.

The client subnet is 7 host bits. This allows for up to 126 hosts and uses half of the allocated address pool. The server and future expansion subnets are 6 host bits. This allows for up to 62 hosts on each subnet and uses the other half of the address pool.

Task 2: Calculate subnet masks and network IDs 1. Given the number of host bits allocated, what is the subnet mask that you will use for the client

subnet?

• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.

Binary Decimal

11111111.11111111.11111111.10000000 255.255.255.128


2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet?

• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.

Binary Decimal

11111111.11111111.11111111.11000000 255.255.255.192

3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet?

• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.

Binary Decimal

11111111.11111111.11111111.11000000 255.255.255.192

4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.


Network ID 11000000.10101000.1100010.00000000 192.168.98.0

First host 11000000.10101000.1100010.00000001 192.168.98.1

Last host 11000000.10101000.1100010.01111110 192.168.98.126

Broadcast 11000000.10101000.1100010.01111111 192.168.98.127

5. For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool.


Network ID 11000000.10101000.1100010.10000000 192.168.98.128

First host 11000000.10101000.1100010.10000001 192.168.98.129

Last host 11000000.10101000.1100010.10111110 192.168.98.190

Broadcast 11000000.10101000.1100010.10111111 192.168.98.191

Module 5: Implementing IPv4 L5-27

6. For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool.


Network ID 11000000.10101000.1100010.11000000 192.168.98.192

First host 11000000.10101000.1100010.11000001 192.168.98.193

Last host 11000000.10101000.1100010.11111110 192.168.98.254

Broadcast 11000000.10101000.1100010.11111111 192.168.98.255

Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.

Exercise 2: Troubleshooting IPv4

Task 1: Prepare for troubleshooting 1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter.

3. Open a Windows Explorer window, and browse to \\LON-DC1\E$\Labfiles\Mod05.

4. Right-click Break.ps1 and click Run with Powershell.

5. Close Windows Explorer.

Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1 1. On LON-SVR2, at the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice

that the destination host is unreachable.

2. Type tracert LON-DC1, and then press Enter. Notice that the host is unable to find the default gateway, and that it is not the default gateway that is responding back.

3. Type ipconfig, and then press Enter. Notice that the default gateway is configured correctly.

4. Type ping 10.10.0.1, and then press Enter. Notice that the default gateway is responding, but that packets are not being routed there.

5. Type Get-NetRoute, and then press Enter. Notice that the entry for the default gateway (0.0.0.0) is correct, but there is an unnecessary entry for the 172.16.0.0 network.

6. Type Remove-NetRoute –DestinationPrefix 172.16.0.0/16, and then press Enter. This removes the unnecessary route to the 172.16.0.0 network. The default gateway will be used for routing instead.

7. Press Y, and then press Enter to confirm removed of the route from active routes.

8. Type ping LON-DC1, and then press Enter. Notice that the ping is now successful.

Task 3: To Prepare for the next module When you are finished the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.






Results: After completing this lab, you will have resolved an IPv4 connectivity problem.

L6-29

Module 6: Implementing DHCP

Lab: Implementing DHCP Exercise 1: Implementing DHCP

Task 1: Install DHCP server role 1. Switch to LON-SVR1.

2. In Server Manager, click Add roles and features.


4. On the Select installation type page, click Next.

5. On Select destination server page, click Next.

6. On the Select server roles page, select the DHCP Server check box.

7. In the Add Roles and Features Wizard window click Add Features, and then click Next.


9. On the DHCP Server page, click Next.

10. On the Confirm installation selections page, click Install.

11. On the Installation progress page, wait until the following information appears – Installation succeeded on lon-svr1.adatum.com, and then click Close.

Task 2: Configure the DHCP scope and options 1. In the Server Manager Dashboard, click Tools, and then click DHCP.

2. In the DHCP console, expand lon-svr1.adatum.com.

3. Right-click lon-svr1.adatum.com, and then click Authorize.

4. In the DHCP console, right-click lon-svr1.adatum.com, and then click Refresh. Notice that the icons next to IPv4 IPv6 changes color from red to green, which means that DHCP server has been authorized in Active Directory® Domain Services (AD DS).

5. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.

6. In the New Scope Wizard, click Next.

7. On the Scope Name page, in the Name box, type Branch Office, and then click Next.

8. On the IP Address Range page, complete the page using the following information:

o Start IP address: 172.16.0.100

o End IP address: 172.16.0.200

o Length: 16

o Subnet mask: 255.255.0.0, and then click Next.

9. On the Add Exclusions and Delay page, complete the page using the following information:


o End IP address: 172.16.0.200, click Add, and then click Next

10. On the Lease Duration page, click Next.


11. On the Configure DHCP Options page, click Next.

12. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then click Next.

13. On the Domain Name and DNS Servers page, click Next.

14. On the WINS Servers page, click Next.

15. On the Activate Scope page, click Next.

16. On the Completing the New Scope Wizard page, click Finish.

Task 3: Configure client to use DHCP and then test the configuration 1. To configure a client, switch to the LON-CL1 computer.

2. Move the mouse on the lower right corner of the screen, click on Search icon, and then in the Search box, type Control Panel. Press Enter.

3. In Control Panel, under Network and Internet, click View Network Status and Tasks.

4. In the Network and Sharing Center window, click Change Adapter Settings.

5. In the Network Connections window, right click Local Area Connection, and then click Properties.

6. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Obtain an IP address automatically radio button, then select Obtain DNS server address automatically radio button, click OK, and then click Close.

8. Move the mouse on the lower right corner of the screen, click on Search icon, and then in Search box, type Command Prompt. Press Enter.

9. Type ipconfig /renew, and then press Enter.

10. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing in the command prompt: ipconfig /all.

This command will return information, such as IP address, subnet mask and DHCP enabled status, which should be Yes.

Task 4: Configure a lease as a reservation 1. Switch to LON-CL1.

2. In the command prompt, type ipconfig /all, and then press Enter.

3. Write down the Physical Address of LON-CL1 network adapter.


5. In the Server Manager dashboard, click Tools, and then click DHCP.

6. In the DHCP console, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office, right-click Reservations, and then click New Reservation.

7. In the New Reservation window:

o in the Reservation Name field, type LON-CL1

o in the IP address field, type 172.16.0.155

o in the MAC address field, type the physical address you wrote down in step 3

Module 6: Implementing DHCP L6-31

o click Add and then click Close.


9. In a command prompt, type ipconfig /release, and then press Enter. This causes LON-CL1 to release any currently leased IP addresses.

10. In a command prompt, type ipconfig /renew, and then press Enter. This causes LON-CL1 to lease any reserved IP addresses.

11. Verify that IP address of LON-CL1 is now 172.16.0.155.

Task 5: To prepare for the optional exercise If you are going to do the optional lab, revert the virtual machines that are no longer required. To do this, complete the following steps.





Results: After completing these tasks, you will have implemented DHCP, configured DHCP scope and options, and configured a DHCP reservation

Exercise 2: Implementing a DHCP Relay (Optional Exercise)

Task 1: Install DHCP relay 1. Switch to LON-RTR.

2. In Server Manager, click on Tools, and then click Routing and Remote Access.

3. In the navigation pane, expand LON-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.

4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.

Task 2: Configure DHCP relay 1. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

2. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.

3. In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

4. Right-click DHCP Relay Agent and then click Properties.

5. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.

6. Close Routing and Remote Access

Task 3: Test DHCP relay with client

Note: In order to test how a client receives an IP address from DHCP Relay in another subnet, we need to create another DHCP scope.



2. In the Server Manager Dashboard, click Tools, and then click DHCP.

3. In the DHCP console, expand lon-svr1.adatum.com.

4. In the DHCP console, in the navigation pane, click lon-svr1.consoto.com, expand IPv4, right-click IPv4, and then click New Scope.

5. In the New Scope Wizard, click Next.

6. On the Scope Name page, in the Name box, type Branch Office 2, and then click Next.

7. On the IP Address Range page, complete the page using the following information, and then click Next:



o Length: 16


8. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:



9. On the Lease Duration page, click Next.

10. On the Configure DHCP Options page, click Next.

11. On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then click Next.

12. On the Domain Name and DNS Servers page, click Next.

13. On the WINS Servers page, click Next.

14. On the Activate Scope page, click Next.

15. On the Completing the New Scope Wizard page, click Finish.

16. To test the client, switch to LON-CL2.

17. On the Start screen, type Control Panel. Press Enter.

18. Under Network and Internet, click View network status and tasks.

19. In the Network and Sharing Center window, click Change Adapter Settings, right-click Local Area Connection, and then click Properties.

20. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

21. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click on Obtain IP address automatically, then click on Obtain DNS server address automatically, click OK and then click Close.

22. Navigate to the lower right corner, choose search from the right menu and then type cmd and press Enter to start Command Prompt.

23. In the command prompt, type following command: ipconfig /renew

Module 6: Implementing DHCP L6-33

24. Verify that IP address and DNS server settings on LON-CL2 are obtained from DHCP Server scope Branch Office 2 installed on LON-SVR1.

Note: IP address should be from following range: 10.10.0.100/16 to 10.10.0.200/16

Task 4: To Prepare for the next module When you are finished the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.




4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.

Results: After completing these tasks, you will have implemented DHCP relay agent.

L7-35

Module 7: Implementing DNS

Lab: Implementing DNS Exercise 1: Installing and Configuring DNS

Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role 1. Log on to LON-SVR1 as Adatum\Administrator using the password of Pa$$w0rd.

2. In the Server Manager console, click Add roles and features.



5. On the Select destination server page, make sure that LON-SVR1.Adatum.com is selected, and then click Next.

6. On the Select server roles page, select Active Directory Domain Services.

7. When Add Roles and Features Wizard window displays, click Add Features, and then click Next.




11. On the Installation progress page, when the Installation succeeded message displays, click Close.

12. In the Server Manager console, on the navigation page, click AD DS.

13. At the title bar where Configuration required for Active Directory Domain Services at LON-SVR1 displays, click More.

14. On the All Server Task Details and Notifications page, click Promote this server to a domain controller.

15. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and then click Next.

16. On the Domain Controller Options page, clear the Domain Name System (DNS) server check box, and leave only Global Catalog (GC) selected. Type Pa$$w0rd in both text fields, and then click Next.

17. On the Additional Options page, click Next.

18. On the Paths page, click Next.

19. On the Review Options page, click Next.

20. On the Prerequisites Check page, click Install.

Note: Server will automatically restart as part of the procedure.

21. After LON-SVR1 restarts, log on as Adatum\Administrator.


Task 2: Review configuration settings on the existing DNS server to confirm root hints 1. Log on to LON-DC1 as Adatum\Administrator using the password Pa$$w0rd.

2. In the Server Manager console, click Tools.

3. Click DNS.

4. In the DNS Manager console, click and then right-click LON-DC1, and then select Properties.

5. Click the Root hints tab. Ensure that root hints servers display.

6. Click the Forwarders tab. Ensure that the list displays no entries, and that the Use root hints if no forwarders are available option is selected.

7. Click Cancel.

8. Close the DNS Manager console.

Task 3: Add the DNS server role for the branch office on the domain controller 1. On LON-SVR1, in the Server Manager console, click Add roles and features.



4. On the Select destination server page, ensure that LON-SVR1.Adatum.com is selected, and then click Next.

5. On the Select server roles page, select DNS Server.

6. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.

7. On the Select Features page, click Next.

8. On the DNS Server page, click Next.


10. On the Installation progress page, when the message Installation succeeded displays, click Close.

Task 4: Verify replication of the Adatum.com Active Directory–integrated zone 1. On LON-SVR1, in the Server Manager console, click Tools.

2. Select DNS.

3. In the DNS Manager console, expand LON-SVR1, and then expand Forward Lookup Zones. This container will most likely be empty.

4. Switch back to Server Manager, click Tools, and then select Active Directory Sites and Services.

5. In the Active Directory Sites and Services console, expand Sites, expand Default-First-Site-Name, expand Servers, expand LON-DC1, and then click NTDS Settings.

6. In the right pane, right-click the LON-SVR1 replication connection, and select Replicate Now.

Note: If you receive an error message, proceed to the next step and then retry this step after 3-4 minutes.

7. In the navigation pane, expand LON-SVR1, and then click NTDS Settings.

Module 7: Implementing DNS L7-37

8. In the right pane, right-click the LON-DC1 replication connection, and then select Replicate Now. Click OK.

9. Switch back to the DNS Manager console, right-click Forward Lookup Zones, and then select Refresh.

10. Ensure that both the _msdcs.Adatum.com and Adatum.com containers display.

11. Close DNS Manager.

Task 5: Use NSLookup to test non-local resolution 1. On LON-SVR1, switch to the Start screen, and type Control Panel. Press Enter.

2. In Control Panel, click View network status and tasks.

3. Click Change adapter settings.

4. Right-click Local Area connection, and then select Properties.

5. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

6. In the preferred DNS server field, remove the IP address, type 127.0.0.1, click OK, and then click Close.

7. On LON-SVR1, right-click the taskbar, and select Task Manager.

8. In the Task Manager window, click More details.

9. Click the File menu, and then click Run new task.

10. In the Create new task window, type cmd, and then press Enter.

11. In the command prompt window, type nslookup, and press Enter.

12. At the nslookup prompt, type www.nwtraders.msft, and then press Enter. You will not receive any reply, because that zone does not exist on the DNS server on LON-SVR1.

13. In the command prompt window type quit, and press Enter.

14. Leave the command prompt window open.

Task 6: Configure Internet name resolution to forward to the head office 1. On LON-SVR1, open the DNS Manager console.

2. In the DNS Manager console, right-click LON-SVR1, and then click Properties.

3. Click the Forwarders tab, and then click Edit.

4. In the Edit Forwarders window, type 172.16.0.10, and then click OK two times.

Task 7: Use NSLookup to confirm name resolution 1. On LON-SVR1, switch to a command prompt window.

2. In the command prompt window, type nslookup, and then press Enter.

3. At the nslookup prompt, type www.nwtraders.msft, and then press Enter.

4. Ensure that you receive an IP address for this host as a non-authoritative answer.

5. Type quit, and then press Enter.

Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.


Exercise 2: Creating Host Records in DNS

Task 1: Configure a client to use LON-SVR1 as a DNS server 1. On LON-CL1, log on as Adatum\Administrator using the password Pa$$w0rd.

2. On the Start screen, type Control Panel. Press Enter.

3. In Control Panel, click View network status and tasks.

4. Click Change adapter settings.

5. Right-click Local Area connection, and then select Properties.

6. Select Internet Protocol Version 4 (TCP/Ipv4), and then click Properties.

7. Delete the IP address for preferred DNS server. In the preferred DNS server box, type 172.16.0.21, click OK, and then click Close.

Task 2: Create several host records in the Adatum.com domain for web apps 1. On LON-DC1, in the Server Manager console, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click on Adatum.com.

3. Right-click Adatum.com, and select New Host (A or AAAA).

4. In the New Host window, configure the following settings:

a. Name: www

b. IP address: 172.16.0.100

5. Click Add Host, and then click OK.

6. In the New Host window, configure the following settings:

o Name: ftp

o IP address: 172.16.0.200

7. Click Add Host, click OK, and then click Done.

Task 3: Verify replication of new records to LON-SVR1 1. On LON-SVR1, in the Server Manager console, click Tools, and then click DNS.

2. In the DNS Manager console, expand LON-SVR1, expand Forward Lookup Zones, and then click Adatum.com.

3. Ensure that both www and ftp resource records display. (If they do not display, right-click Adatum.com, and then select Refresh). It may take a couple of minutes for the records to appear.

Task 4: Use the ping command to locate new records from LON-CL1 1. On LON-CL1, right-click the taskbar, and then select Task Manager.


3. Open the File menu, and then select Run new task.


5. In the Command prompt window, type ping www.adatum.com, and then press Enter.

6. Make sure that name resolves to 172.16.0.100. ( You will not receive replies.)

7. Type ping ftp.adatum.com, and then press Enter.

Module 7: Implementing DNS L7-39

8. Ensure that name resolves to 172.16.0.200 (You will not receive replies.)

9. Close the command prompt window and the Task Manager.

Results: After completing this exercise, you will have configured DNS records.

Exercise 3: Managing the DNS Server Cache

Task 1: Use the ping command to locate Internet record from LON-CL1 1. On LON-CL1, right-click the taskbar, then and select Task Manager.


3. Open the File menu, and select Run new task.


5. In the command prompt window, type ping www.nwtraders.msft, and then press Enter.

6. Ping will not work, but ensure that the name resolves to an IP address.

7. Leave the command prompt window open.

Task 2: Update Internet record to point to the LON-DC1 IP address, retry the location using ping 1. On LON-DC1, open DNS Manager.

2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click nwtraders.msft.

3. In the right pane, right-click www, and then select properties.

4. Change the IP address to 172.16.0.10, and then click OK.

5. Switch back to LON-CL1.

6. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. Ping will not work, and the old IP address will still be displayed in command prompt window.

Task 3: Examine the content of the DNS cache 1. Switch to LON-SVR1, and in the Server Manager console, click Tools, and then click DNS.

2. Select LON-SVR1, click the View menu, and then select Advanced.

3. Expand LON-SVR1, expand the Cached Lookups node, expand .(root), expand msft, and then click nwtraders.

4. In the right pane, examine the cached content.


6. In the command prompt window, type ipconfig /displaydns, and then press Enter.

7. Look for cached entries.

Task 4: Clear the cache, and retry ping 1. On LON-SVR1, in the DNS Manager console, right-click LON-SVR1, and then select Clear Cache.



3. In a command prompt window, at a command prompt, type ping www.nwtraders.msft, and then press Enter. The return will still be the old IP address.

4. In a command prompt window, type ipconfig /flushdns, and then press Enter.

5. In the command prompt window, type ping www.nwtraders.msft, and press Enter.

6. Ping now should work on address 172.16.0.10.

Task 5: To prepare for next module When you are finished the lab, revert the virtual machines to their initial state.





Results: After completing this exercise, you will have DNS Server cache examined.

L8-41


Lab: Implementing IPv6 Exercise 1: Configuring an IPv6 Network

Task 1: Verify IPv4 routing 1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type ping lon-dc1, and then press Enter. Notice that there are four replies from 172.16.0.10.

3. Type ipconfig, and then press Enter.

4. Verify that the only IPv6 address listed is a link-local address.

Task 2: Disable IPv6 on LON-DC1 1. On LON-DC1, in Server Manager, click Local Server.

2. In the Properties window, beside Local Area Connection, click 172.16.0.10, IPv6 enabled.

3. In the Network Connections window, right-click Local Area Connection, and then click Properties.

4. In the Local Area Connection Properties window, clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.

5. Close the Network Connections window.

6. In Server Manager, verify that Local Area Connection lists only 172.16.0.10. You may need to refresh the view.

Task 3: Disable IPv4 on LON-SVR2 1. On LON-SVR2, in Server Manager, click Local Server.

2. In the Properties window, next to Local Area Connection, click 10.10.0.24, IPv6 enabled.

3. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.

4. In the Local Area Connection 2 Properties window, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK.


6. In Server Manager, verify that Local Area Connection now lists only IPv6 enabled. You may need to refresh the view.

Task 4: Configure an IPv6 network on LON-RTR 1. On LON-RTR, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:

New-NetRoute –InterfaceAlias “Local Area Connection 2” –DestinationPrefix 2001:db8:0:1::/64 –Publish Yes

3. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:

Set-NetIPInterface –InterfaceAlias “Local Area Connection 2” –AddressFamily IPv6 –Advertising Enabled


4. Type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.

Task 5: Verify IPv6 on LON-SVR2 • On LON-SVR2, at the Windows PowerShell prompt, type ipconfig, and then press Enter. Notice that

Local Area Connection 2 now has an IPv6 address on the on the 2001:db8:0:1::/64 network.

Results: After completing the exercise, students will have configured an IPv6–only network.

Exercise 2: Configuring an ISATAP Router

Task 1: Add an ISATAP host record to DNS 1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the New Host window, in the Name box, type ISATAP.

5. In the IP address box, type 172.16.0.1, and then click Add Host.

6. Click OK to clear the success message.

7. Click Done to close the New Host window.

8. Close DNS Manager.

Task 2: Enable the ISATAP router on LON-RTR 1. On LON-RTR, at the Windows PowerShell prompt, type the following command, and then press Enter:

Set-NetIsatapConfiguration –Router 172.16.0.1


Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address

3. Record the InterfaceIndex of isatap interface that has an IPv6 address that includes 172.16.0.1. Interface index:


Get-NetIPInterface –InterfaceIndex IndexYouRecorded –PolicyStore ActiveStore | Format-List

5. Verify that Forwarding is enabled for the interface and that Advertising is disabled.


Set-NetIPInterface –InterfaceIndex IndexYouRecorded –Advertising Enabled


New-NetRoute –InterfaceIndex IndexYouRecorded –DestinationPrefix 2001:db8:0:2::/64 –Publish Yes


Get-NetIPAddress –InterfaceIndex IndexYouRecorded

Module 8: Implementing IPv6 L8-43

9. Verify that an IPv6 address is listed on the 2001:db8:0:2::/64 network.

Task 3: Remove ISATAP from the DNS Global Query Block List 1. On LON-DC1, at the Windows PowerShell prompt, type regedit, and then press Enter.

2. In the Registry Editor window, expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand DNS, click Parameters, and double-click GlobalQueryBlockList.

3. In the Edit Multi-String window, delete isatap, and then click OK.

4. If an error appears indicating that there was an empty string, click OK to continue.

5. Close the Registry Editor.

6. At the Windows PowerShell prompt, type Restart-Service DNS –Verbose, and then press Enter.

7. Type ping isatap, and then press Enter. The name should resolve and you should receive four request timed out messages from 172.16.0.1.

Task 4: Enable ISATAP on LON-DC1 1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press

Enter:

Set-NetIsatapConfiguration –State Enabled

2. Type ipconfig, and then press Enter.

3. Verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2/64 network. Notice that this address includes the IPv4 address of NYC-DC1.

Task 5: Test connectivity 1. On LON-SVR2, at the Windows PowerShell prompt, type the following command, and then press

Enter:

ping 2001:db8:0:2:0:5efe:172.16.0.10

2. In Server Manager, if necessary, click Local Server.

3. In the Properties window, next to Local Area Connection 2, click IPv6 enabled.

4. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.

5. In the Local Area Connection 2 Properties window, click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

6. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click Use the following DNS server addresses.

7. In the Preferred DNS server box, type 2001:db8:0:2:0:5efe:172.16.0.10, and then click OK.

8. In the Local Area Connection 2 Properties window, click Close.


10. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that four replies are received from LON-DC1.


Task 6: To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.





Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6–only network and an IPv4–only network.

L9-45

Module 9: Implementing Local Storage

Lab: Implementing Local Storage Exercise 1: Installing and Configuring a New Disk

Task 1: Initialize a new disk 1. Log on to LON-SVR1 with username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, click the Tools menu, in the Tools drop-down list, click Computer Management.

3. In the Computer Management console, under the Storage node, click Disk Management.

4. In the Disks pane, right-click Disk2, and then from drop-down list, click Online.

5. Right-click Disk2, and then click Initialize Disk.

6. In the Initialize Disk dialog box, select the Disk 2 check box, ensure that all other Disk check boxes are cleared, click GPT (GUID Partition Table), and then click OK.

Task 2: Create and format two simple volumes on the disk 1. In the Computer Management console, in Disk Management, right-click the black marked box right

of Disk 2, and then click New Simple Volume.

2. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click Next.

3. On the Specify Volume Size page, in the Simple volume size MB field, type 4000, and then click Next.

4. On Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected, and that F is selected in from the drop-down menu, and then click Next.

5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume label text box, type Volume1, and then click Next.

6. On Completing the New Simple Volume Wizard page, click Finish.

7. in the Disk Management window, right-click the black marked box right of Disk 2, and then click New Simple Volume.

8. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click Next.

9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click Next.

10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected, and that G is selected in from the drop-down list, and then click Next.

11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume label text box, type Volume2, and then click Next.

12. On the Completing the New Simple Volume Wizard page, click Finish.

Task 3: Verify the drive letter in a Windows® Explorer window 1. On the taskbar, open a Windows Explorer window, expand Computer, and then click Volume1 (F:).

2. In Windows Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click Folder.


3. In the New folder field, type Folder1, and then press Enter.

Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.

Exercise 2: Resizing Volumes

Task 1: Shrink Volume1 1. On LON-SVR1, switch to the Computer Management console.

2. In the Computer Management console, in Disk Management, in the middle-pane, right-click Volume1 (F:), and then click Shrink Volume.

3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and then click Shrink.

Task 2: Extend Volume2 1. On LON-SVR1, in Disk Management, in the middle-pane, right-click Volume2 (G:), and then click

Extend Volume.

2. In Extend Volume Wizard, on the Welcome to the Extended Volume Wizard page, click Next.

3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click Next.

4. On the Completing the Extended Volume Wizard page, click Finish.

5. In a Windows Explorer window, click Volume2 (G:), and verify that Folder1 is available on the volume.

Results: After this lab, you should have made one volume smaller, and extended another.

Exercise 3: Configuring a Redundant Storage Space

Task 1: Create a storage pool from five disks that are attached to the server 1. On LON-SVR1, on the taskbar, click the Server Manager icon.

2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.

3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New Storage Pool.

4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.

5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.

6. On the Select physical disks for the storage pool page, click the following Physical disks, and then click Next:

o PhysicalDisk3

o PhysicalDisk4

o PhysicalDisk5

Module 9: Implementing Local Storage L9-47

o PhysicalDisk6

o PhysicalDisk7

7. On the Confirm selections page, click Create.

8. On the View results page, wait until the creation completes, then click Close.

Task 2: Create a three-way mirrored virtual disk 1. On LON-SVR1, in Server Manager, in the Storage Spaces pane, click StoragePool1.

2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New Virtual Disk.

3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.

4. On the Select the server and storage pool page, click StoragePool1, and then click Next.

5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click Next.

6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.

7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.

8. On the Specify the provisioning type page, click Thin, and then click Next.

9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click Next.


11. On the View results page, wait until the creation completes, ensure that the Create a volume when this wizard closes check box is selected, and then click Close.

12. In the New Volume Wizard window, on the Before you begin page, click Next.

13. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and then click Next.

14. On the Specify the size of the volume page, click Next to confirm the default selection.

15. On the Assign to a drive letter or folder page, ensure that H is selected in the Drive letter drop-down menu, and then click Next.

16. On the Select file system settings page, in the File system drop-down menu, select ReFS, in the Volume label box, type Mirrored Volume, and then click Next.


18. On the Completion page, wait until the creation completes, and then click Close.

Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer 1. Click to the Start screen, type command prompt, and then press Enter.

2. In the command prompt window, type the following command, and then press Enter:

Copy C:\windows\system32\mspaint.exe H:\


4. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).

5. Verify that mspaint.exe displays in the file list.



Task 4: Remove a physical drive 1. On Host machine, in Hyper-V Manager, in the Virtual Machines pane, right-click 20410A-LON-SVR1,

and then click Settings.

2. In Settings for 20410A-LON-SVR1, in the Hardware pane, click Hard Drive 20410A-LON-SVR1-Disk5.vhdx.

3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.

Task 5: Verify that the mspaint.exe file is still accessible 1. Switch to LON-SVR1.

2. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).

3. In the file list pane, verify that mspaint.exe is still available.


5. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button. Notice the warning that displays next to Mirrored Disk.

6. In the VIRTUAL DISK pane, right-click Mirrored Disk, and then click Properties.

7. In the Mirrored Disk Properties window, in the left pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.

8. Click OK to close the Mirrored Disk Properties window.

Task 6: Add a new disk to the storage pool 1. Switch to LON-SVR1.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button.

3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.

4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK..

Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.

To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.





L10-49

Module 10: Implementing File and Print Services

Lab: Implementing File and Print Services Exercise 1: Creating and Configuring a File Share

Task 1: Create the folder structure for the new share 1. Log on to LON-SVR1 as Adatum\Administrator with a password Pa$$w0rd.

2. On the taskbar, click the Windows Explorer shortcut.

3. In a Windows® Explorer window, in the navigation pane, expand Computer, and then click Allfiles (E:).

4. On the menu toolbar, click Home, click New folder, type Data, and then press Enter.

5. Double-click the Data folder.

6. On the menu toolbar, click Home, click New folder, type Development, and then press Enter.

7. Repeat Step 6 for the following new folder names:

o Marketing

o Research

o Sales

Task 2: Configure NTFS permissions on the folder structure 1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

2. In the Data Properties window, click Security, and then click Advanced.

3. In the Advanced Security Settings for Data window, click Disable Inheritance.

4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.

5. Click OK to close the Advanced Security Settings for Data window.

6. Click OK to close the Data Properties window.

7. In Windows Explorer, double-click the Data folder.

8. Right-click the Development folder, and then click Properties.

9. In the Development Properties window, click Security, and then click Advanced.

10. In the Advanced Security Settings for Development window, click Disable Inheritance.

11. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.

12. Remove the two permissions entries for Users (LON-SVR1\Users), and then click OK.

13. On the Security tab, click Edit.

14. In the Permissions for Development window, click Add.

15. Type Development, click Check names, and then click OK.

16. Select the check box for Allow Modify in the Permissions for Development section.

17. Click OK to close the Permissions for Development window.


18. Click OK to close the Development Properties window.

19. Repeat steps 8 through 18 for the Marketing, Research, and Sales folders, assigning Modify permissions to the Marketing, Research, and Sales groups for their respective folders.

Task 3: Create the shared folder 1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

2. On the Data Properties window, click the Sharing tab, and then click Advanced Sharing.

3. In the Advanced Sharing Window, select the Share this folder check box, and then click Permissions.

4. In the Permissions for Data window, click Add.

5. Type Authenticated Users, click Check names, and then click OK.

6. In the Permissions for Data window, click Authenticated Users, and then select the Allow checkbox for the Change permission.

7. Click OK to close the Permissions for Data window.

8. Click OK to close the Advanced Sharing window.

9. Click Close to close the Data Properties window.

Task 4: Test access to the shared folder 1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

Note: Bernard is a member of the Development group.

2. On the Start screen, click the Desktop tile.

3. On the taskbar, click the Windows Explorer icon.

4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.

5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Attempt to access the Marketing, Research, and Sales folders. NTFS permissions on these folders will prevent you from doing this.

Note: Bernard can still see the other folders, even though he does not have access to their contents.

7. Log off LON-CL1.

Task 5: Enable access-based enumeration 1. Switch to LON-SVR1.

2. On the taskbar, click the Server Manager icon.

3. In Server Manager, in the navigation pane, click File and Storage Services.

4. On the File and Storage Services page, in the navigation pane, click Shares.

Module 10: Implementing File and Print Services L10-51

5. In the Shares pane, right-click Data, and then click Properties.

6. Click Settings, and then select the Enable access-based enumeration check box.

7. Click OK to close the Data Properties window.

8. Close Server Manager.

Task 6: Test access to the share 1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.

2. Click the Desktop tile.


4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.

Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.

5. Double-click the Development folder.

Note: Bernard should have access to the Development folder.

6. Log off LON-CL1.

Task 7: Disable Offline Files for the share 1. Switch to LON-SVR1.


3. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.

4. On the Data Properties window, click the Sharing tab, click Advanced Sharing, and then click Caching.

5. In the Offline Settings window, select No files or programs from the shared folder are available offline, and then click OK.

6. Click OK to close the Advanced Sharing window.

7. Click Close to close the Data Properties window.

Exercise 2: Configuring Shadow Copies

Task 1: Configure shadow copies for the file share 1. Switch to LON-SVR1.


3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.

4. In the Shadow Copies window, click the E:\ drive, and then click Enable.

5. In the Enable Shadow Copies window, click Yes.

6. In the Shadow Copies window, click Settings.

7. In the Settings window, click Schedule.


8. In the E:\ window, change Schedule Task to Daily, change Start time to 12:00 AM, and then click Advanced.

9. In the Advanced Schedule Options window, select Repeat task, and then set the frequency to every 1 hours.

10. Select Time, and change the time value to 11:59PM.

11. Click OK twice.

12. Click OK to close the Settings window.

13. Leave the Shadow Copies window open.

Task 2: Create multiple shadow copies of a file 1. On LON-SVR1, open a Windows Explorer window, and navigate to the E:\Data\Development folder.

2. On the menu toolbar, click Home, click New item, and then click Text Document.

3. Type Report, and then press Enter.

4. Switch back to the Shadow Copies window, and then click Create Now.

Task 3: Recover a deleted file from a shadow copy 1. On LON-SVR1, switch back to the Windows Explorer window.

2. Right-click Report.txt, and then click Delete.

3. In Windows Explorer, right-click on the Development folder, and then click Properties.

4. In the Development Properties window, click the Previous Versions tab.

5. Click the most recent folder version for Development , and then click Open.

6. Confirm that the Report .txt is in the folder, right-click Report.txt, and then click Copy.

7. Close the Windows Explorer window that just opened.

8. In the other Windows Explorer window, right-click on the Development folder, and then click Paste.


10. Click OK and close all open windows.

Exercise 3: Creating and Configuring a Printer Pool

Task 1: Install the Print and Document Services server role 1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.

2. In Server Manager, on the menu toolbar, click Manage, and then click Add Roles and Features.

3. Click Next, select Role-based or feature-based Installation, and then select Next again.

4. On the Select destination server page, select the server on which you want to install the Print and Document Services. The default server is the local server. Click Next.

5. On the Select Server Roles page, select the Print and Document Services check box. In the Add Roles and Features Wizard window, click Add Features, and then click Next in the Select server roles window

6. On the Select Features page, click Next.

7. On the Print and Document Services page, review the Notes for the administrator, and then click Next.

Module 10: Implementing File and Print Services L10-53

8. On the Select Role Services page, click Next until the Confirm Installation Selections page displays. Click Install to install the required role services.

9. Click Close.

Task 2: Install a printer 1. On LON-SVR1, in the Server Manager, click Tools and then click Print Management.

2. Expand Printer Servers, expand LON-SVR1, right-click Printers, and then click Add Printer.

3. Click Add a TCP/IP or Web Services Printer by IP address or hostname, and then click Next.

4. Change the Type of Device to TCP/IP Device,

5. In the Host name box, type 172.16.0.200 clear the Auto detect printer driver to use check box, and then click Next.

6. Under Device Type, click Generic Network Card, and then click Next.

7. Click Install a new driver, and then click Next.

8. Click Microsoft as the Manufacturer, under Printers, click Microsoft XPS Class Driver, and then click Next.

9. Change the Printer Name to Branch Office Printer, and then click Next.

10. Click Next two times to accept the default printer name and share name, and to install the printer.

11. Click Finish to close the Network Printer Installation Wizard.

12. In the Print Management console, right-click the Branch Office Printer, and then click Enable Branch Office Direct Printing.

13. In the Print Management console, right-click the Branch Office Printer, and then select Properties.

14. Click the Sharing tab, select the List in the directory check box, and then click OK.

Task 3: Configure printer pooling 1. In the Print Management console, right-click Ports under LON-SVR1, and then click Add Port.

2. In the Printer Ports window, select Standard TCP/IP Port, and then click New Port.

3. In the Add Standard TCP/IP Printer Port Wizard, click Next.

4. In the Printer Name or IP Address field, type 172.16.0.201, and then click Next.

5. In the Additional port information required window, click Next.

6. Click Finish to close the Add Standard TCP/IP Printer Port Wizard.

7. Click Close to close the Printer Ports window.

8. In the Print Management console, click Printers, right-click Branch Office Printer, and then click Properties.

9. On the Branch Office Printer Properties page, click the Ports tab, select the Enable printer pooling check box, and then click the 172.16.0.201 port to select it as the second port.

10. Click OK to close the Branch Office Printer Properties page.

11. Close the Print Management Console.


Task 4: Install a printer on a client computer 1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. On LON-CL1, on the Start screen, type Contol Panel. Press Enter.

3. Under Hardware and Sound, click Add a device.

4. In the Add a device window, click on Branch Office Printer on LON-SVR1. Click Next. The device installs automatically.

Task 5: To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.


2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.


4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.

L11-55

Module 11: Implementing Group Policy

Lab: Implementing Group Policy Exercise 1: Configuring a Central Store

Task 1: View the location of administrative templates in a Group Policy Object (GPO) 1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. In Server Manager, click Tools, and then click Group Policy Management.

3. In the Group Policy Management Console (GPMC), expand Forest: Adatum.com, expand Domains, expand Adatum.com and then expand the Group Policy Objects folder.

4. Right-click the Default Domain Policy, and then click Edit.

5. In the Group Policy Management Editor, expand the Default Domain Policy, expand User Configuration, expand Policies, and then click Administrative Templates.

6. Point your mouse over the Administrative Templates folder, and note that the location is Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.


Task 2: Create a central store 1. On the taskbar, click the Folder icon to launch a Windows® Explorer window.

2. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com, and then click Policies.

3. In the details pane, right-click on a blank area, click New, and then click Folder.

4. Name the folder PolicyDefinitions.

Task 3: Copy administrative templates to the central store 1. In Windows Explorer, navigate back to C:\Windows, and open the PolicyDefinitions folder.

2. Select the entire contents of the PolicyDefinitions folder. (Hint: click in the details pane, and then use the Ctrl+A keys to select all of the content.)

3. Right-click the selection, and then click Copy.

4. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com, Browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies and open the PolicyDefinitions folder.

5. Right-click in the empty folder area, and then click Paste.

Task 4: Verify the administrative template location in GPMC 1. In the GPMC, right-click the Default Domain Policy, and then click Edit.

2. Expand Polices, point your mouse over the Administrative Templates folder, and view the local information text. Note that it now says Administrative Templates: Policy definitions (ADMX files) retrieved from the Central Store.


Results: After completing this exercise, you will have configured a Central Store


Exercise 2: Creating GPOs

Task 1: Create a Windows Internet Explorer® Restriction default starter GPO 1. In the GPMC right-click the Starter GPOs folder, and then click New.

2. In the New Starter GPO dialog box, in the Name field, type Internet Explorer Restrictions, and in the Comment field, type This GPO disables the General page in Internet Options, and then click OK.

Task 2: Configure the Internet Explorer Restriction starter GPO 1. Expand the Starter GPOs folder, right-click the Internet Explorer Restrictions GPO, and then click

Edit.

2. Expand User Configuration, Administrative Templates, and then click All Settings.

3. Right-click All Settings, and then click Filter Options.

4. In the Filter Options dialog box, select the Enable Keyword Filters check box.

5. In the Filter for word(s): field, type General page.

6. In the drop-down box, select Exact, and then click OK.

7. Double-click the Disable the General page setting, click Enabled, and then click OK.

8. Close the Group Policy Starter GPO Editor.

Task 3: Create a domain Internet Explorer Restrictions GPO From the Internet Explorer Restrictions starter GPO 1. In the GPMC, right-click the Adatum.com domain, and then click Create a GPO in this domain, and

link it here.

2. In the New GPO dialog box, in the Name field, type IE Restrictions.

3. Under Source Starter GPO, click the drop down box, select Internet Explorer Restrictions, and then click OK.

Task 4: Test application of the GPO for domain users 1. Log on to LON-CL1 as Adatum\Brad with a password of Pa$$w0rd.

2. Move your mouse to the bottom, right of the desktop and in the flyout, click the Search charm.

3. In the Apps search box, type Control Panel.

4. In the Search Apps results, click Control Panel.

5. In the Control Panel window, click Network and Internet.

6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.

7. Click OK to acknowledge the message.

8. Click Internet Options. Notice that in the Internet Properties dialog box the General page does not appear.

9. Close all open windows, and sign out.

Module 11: Implementing Group Policy L11-57

Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy 1. Switch to LON-DC1.

2. In the GPMC expand the Group Policy Objects folder, and then in the left pane, click the IE Restrictions policy.

3. In the details pane, click the Delegation tab.

4. Click the Advanced button.

5. In the IE Restrictions Security Settings dialog box, click Add.

6. In the Select Users, Computers, Service Accounts, or Groups field, type IT, and then click OK.

7. In the IE Restrictions Security Settings dialog box, click the IT (Adatum\IT) group, next to the Apply group policy permission, select the Deny check box, and then click OK.

8. Click Yes to acknowledge the Windows Security dialog box.

Task 6: Test the GPO application for IT Department Users 1. Log on to LON-CL1 as Brad with a password of Pa$$w0rd.

2. Move your mouse to the bottom, right corner of the desktop, and in the flyout, click the Search charm.


4. In the Apps results window, click Control Panel.


6. In the Network and Internet dialog box, click Change your homepage. The Internet Properties dialog opens to the General page, and all settings are available.


Task 7: Test Application of the GPO for other domain users 1. Log on to LON-CL1 as Boris with a password of Pa$$w0rd.

2. Move your mouse to the bottom, right corner of the desktop, and in the flyout, click the Search charm.


4. In the Apps results window, click Control Panel.


6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.

7. Click OK to acknowledge the message.

8. Click Internet Options. In the Internet Properties dialog box, notice that the General page does not display.


Results: After completing this lab, you will have created a GPO.


To prepare for the next module When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:




4. Repeat steps 2 and 3 for 20410A-LON-CL1.

L12-59

Module 12: Securing Windows Servers Using Group Policy Objects

Lab A: Increasing Security for Server Resources Exercise 1: Using Group Policy to Secure Member Servers

Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it 1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.

3. In the New Object - Organizational Unit window, type Member Servers OU, and then click OK.

4. In the Active Directory Users and Computers console, in the navigation pane, click Computers container.

5. Press and hold the Ctrl key. In the details pane, click LON-SVR1 and LON-SVR2, right-click the selection and then click Move.

6. In the Move window, click Member Servers OU, and then click OK.

Task 2: Create a Server Administrators group 1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.

3. In the New Object – Group window, in the Group Name field, type Server Administrators, and then click OK.

Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU 1. On LON-DC1, in the Server Manager window, click Tools, and then click Group Policy

Management.

2. In the Group Policy Management window, expand Forests: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.

3. In the New GPO window, in the Name: field, type Member Server Security Settings, and then click OK.

4. In the Group Policy Management Console window, right-click Member Servers OU, and then click Link an Existing GPO.

5. In the Select GPO window, in Group Policy Objects window, click Member Server Security Settings, and then click OK.


Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins 1. On LON-DC1, in the Group Policy Management Console window, expand Forest: Adatum.com,

expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.

2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups.

3. Right-click Restricted Groups, and then click Add Group.

4. In the Add Group dialog box, in the Group name field, type Administrators, and then click OK.

5. In the Administrators Properties dialog box, next to Members of this group, click Add.

6. In the Add Member dialog box, type Adatum\Server Administrators, and then click OK.

7. Next to Members of this group, click Add.

8. In the Add Member dialog box, type Adatum\Domain Admins, and then click OK twice.


Task 5: Verify that Computer Administrators has been added to the local Administrators group 1. Switch to LON-SVR1.


3. On the taskbar, click the Windows PowerShell® icon.

4. At the Windows PowerShell command prompt, type the following command:

gpupdate/force

5. In the Server Manager window, click Tools, and then click Computer Management.

6. In the Computer Management console, expand Local Users and Groups, click Groups, and then in the right pane, double-click Administrators.

7. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members. Click Cancel.


Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove users from Allow log on locally 1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.

3. In the right pane, right-click Member Server Security Settings, and then click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

5. In the right pane, right-click Allow log on locally, and then click Properties.

6. In the Allow log on locally Properties window, select the Define these policy settings check box, and then click Add User or Group.

Module 12: Securing Windows Servers Using Group Policy Objects L12-61

7. In the Add User or Group window, type Domain Admins, and then click OK.

8. Click Add User or Group.

9. In the Add User or Group window, type Administrators, and then click OK twice.


Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Build-in Administrator Account 1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand

Domains, expand Adatum.com, and then click Group Policy Objects.


3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

4. In the right pane, right-click User Account Control: Admin Approval Mode for the Built-in Administrator account, and then click Properties.

5. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties window, select the Define this policy settings check box, ensure that Enabled radio button is selected, and then click OK.


Task 8: Verify that a standard user cannot log on to a member server 1. Switch to LON-SVR1.

On the taskbar, click the Windows PowerShell icon.

2. From the Windows PowerShell command prompt, type following command:

gpupdate/force


4. Try to log on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.

5. Verify that you cannot log on to LON-SVR1, and that a logon error message displays.

Results: After completing this exercise, you should have used Group Policy to secure Member servers.

Exercise 2: Auditing File System Access

Task 1: Modify the Member Server Security Settings GPO to enable object access auditing 1. Switch to LON-DC1.

2. On LON-DC1, in the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.


4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and then in the right pane, right-click Audit object access, and then click Properties.


5. In the Audit object access Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.

Task 2: Create and share a folder 1. On LON-SVR1, on the taskbar, click Windows Explorer, and then, in navigation pane, click

Computer.

2. In the Computer window, double-click Local Disk (C) click Home, click New folder, and then type HR.

3. In the Computer window, right-click the HR folder, click Share with, and then click Specific people.

4. In the File Sharing window, type Adam, click Add.

5. Change the Permission Level to Read/Write and then click Share and then click Done.

Task 3: Enable auditing on the HR folder for Domain Users 1. On LON-SVR1, in the Local Disk (C:) window, right-click the HR folder, and then click Properties.

2. In the HR Properties window, click the Security tab, and then click Advanced.

3. In the Advanced Security Settings for HR window, click the Auditing tab, and then click Add.

4. In the Auditing Entry for HR window, click Select a principal.

5. In the Select User, Computer, Service Account or Group window, in the Enter the object name to select field, type Domain Users, and then click OK.

6. In the Auditing Entry for HR window, from the Type drop-down menu, select All.

7. In the Auditing Entry for HR window, under Permission list, select the Write check box, and then click OK three times.

8. Switch to the Start screen, type cmd, and then press Enter.

9. In the command prompt window, type following command:

gpupdate /force


Task 4: Create a new file in the file share from LON-CL1 1. Switch to LON-CL1.


3. On the Start screen, type cmd, and then press Enter.

4. In the command prompt window, type the following command:

gpupdate /force


6. Log off LON-CL1, and then log on again as Adatum\Adam with a password of Pa$$w0rd.

7. On the Start screen, type \\LON-SVR1\HR, and then press Enter.

8. In HR window, click Home, click New item, click Text Document, in the file name field, type Employees, and then press Enter.

9. Log off of LON-CL1.


Task 5: View the results in the security log on the domain controller 1. Switch to LON-SVR1.

2. In the Server Manager window, click Tools, and then click Event Viewer.


4. Verify that following event and information displays:

o Source: Microsoft Windows Security Auditing

o Event ID: 4663

o Task category: File System

o An attempt was made to access an object.

Results: After completing this exercise, you should have enabled file system access auditing.

Exercise 3: Auditing Domain Logons

Task 1: Modify the Default Domain Policy GPO 1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand

Domains, expand Adatum.com, and then click Group Policy Objects.

2. In the right pane, right-click Default Domain Policy, and then click Edit.

3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. In the right pane, right-click Audit account logon events, and then click Properties.

4. In Audit account logon events Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.

5. Update Group policy by using the Gpupdate /force command.

Task 2: Run GPUpdate 1. Switch to LON-CL1.


3. On the Start screen, type cmd, and then press Enter.


gpupdate/force

5. Close the command prompt window, and log off LON-CL1.

Task 3: Log on to LON-CL1 with an incorrect password • Log on to LON-CL1 as Adatum\Adam with a password of password.

Note: This password is intentionally incorrect to generate a security log which shows that that an unsuccessful login attempt has been made.


Task 4: Review event logs on LON-DC1 1. On LON-DC1, in Server Manager, click Tools, and then click Event Viewer.


3. Review the event logs for following message: “Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.”

Task 5: Log on to LON-CL1 with the correct password • Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.

Note: This password is correct, and you should be able to log on successfully as Adam.

Task 6: Review event logs on LON-DC1 1. Log on to LON-DC1.

2. In the Server Manager window, click Tools, and then click Event Viewer.


4. Review the event logs for the following message: “A user successfully logged on to a computer.”

Task 7: To prepare for the next lab • To prepare for the next lab, leave the virtual machines running.

Results: After completing this exercise, you should have enabled domain logon auditing.


Lab B: Configuring AppLocker and Windows Firewall Exercise 1: Configuring AppLocker® Policies

Task 1: Create an OU for Client Computers 1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.

4. In the New Object - Organizational Unit window, type Client Computers OU, and then click OK.

Task 2: Move LON-CL1 to the Client Computers OU 1. On LON-DC1, in the Active Directory Users and Computers console, in the navigation pane, click

Computers container.

2. In the details pane, right-click LON-CL1, and then click Move.

3. In the Move window, click Client Computers OU, and then click OK.

Task 3: Create a Software Control GPO and link it to the Client Computers OU 1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console window, expand Forests: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.

3. In New GPO window, in the Name: text box, type Software Control GPO, and then click OK.

4. In the right pane, right-click Software Control GPO, and then click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker.

6. Under AppLocker, right-click Executable Rules, and then click Create Default Rules.

7. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules.

8. In the navigation pane, click AppLocker, and then in the right pane, click Configure rule enforcement.

9. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only.

10. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.

11. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings, click System Services and then double-click Application Identity.

12. In the Application Identity Properties dialog box, select the Define this policy setting and under Select service startup mode, select Automatic, and then click OK.



14. In the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO.

15. In the Select GPO window, in Group Policy Objects list, click Software Control GPO, and then click OK.

Task 4: Run GPUpdate on LON-SVR1 1. Switch to LON-SVR1.

2. Move the mouse pointer in the lower right corner, and then click Search.

3. In the Search box, type cmd, and then press Enter.

4. In command prompt window, type following command:

gpupdate/force


6. Move the mouse pointer in the lower right corner, click Settings, click Power, and then click Restart.

Task 5: Run app1.bat in the C:\CustomApp folder 1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Point the mouse pointer over the lower right corner of the screen, and then, when it appears, click Search.


4. At the command prompt, type following command:

C:\CustomApp\app1.bat

Task 6: View AppLocker events in an event log 1. On LON-SVR1, open the Server Manager window, click Tools, and then click Event Viewer.

2. In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand Windows, and then expand AppLocker.

3. Click MSI and Scripts, and review the event logs for App1.bat.

Task 7: Create a rule that allows software to run from C:\CustomApp 1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management window, in the Group Policy Objects node, edit the Software Control GPO.

3. In the console tree, double-click Application Control Policies, double-click AppLocker, right-click Script rules, and then click Create New Rule.

4. On the Before You Begin page, click Next.

5. On the Permissions page, select the Allow radio button, and then click Next.

6. On the Conditions page, click Path radio button, and then click Next.

7. On Path page, in the Path field, type the following path: %OSDRIVE%\CustomApp\app1.bat to enter the targeted folder for the applications, and then click Next.

8. On Exception page, click Next, on the Name and Description page, in the Name field, type Custom App Rule, and then click Create.


Task 8: Modify Software Control GPO to enforce the rules 1. In the Software control GPO window, in navigation pane, click AppLocker, and then in the right

pane, click Configure rule enforcement.

2. In AppLocker Properties window, under Executable rules, select the Configured check box, and then from drop-down menu, select Enforce rules.

3. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.

4. Close Group Policy Management Editor.

Task 9: Verify that an application can still be run from C:\CustomApp 1. Switch to LON-SVR1.




gpupdate/force


6. Point the mouse pointer over the lower-right corner, click Settings, click Power, and then click Restart.

7. Log on to LON-SVR1 as Adatum\Tony with a password of Pa$$w0rd.

8. Open a command prompt.

9. Verify that you can still run c:\customapp\app1.bat.

Task 10: Verify that an application cannot be run from the Documents folder 1. On LON-SVR1, on the taskbar, click on Windows Explorer, and then in navigation pane click on

Computer. In the Computer window, double-click Local Disk (C:), double-click the CustomApp folder, right-click app1.bat, and then click Copy.

2. In CustomApp window, on the navigation pane, right-click the Documents folder, and then click Paste.

3. In command prompt, type C:\Users\Tony\Documents\app1.bat.

4. Verify that application cannot be run from Documents folder, and that the following message displays: “This program is blocked by Group Policy. For more information, contact your system administrator.”

5. Close all open windows and log off.

Results: After completing this exercise, you will have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.


Exercise 2: Configuring Windows Firewall

Task 1: Create a group called Application Servers 1. Switch to LON-DC1.

2. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.

4. In the New Object – Group window, in the Group Name field, type Application Servers, and then click OK.

Task 2: Add LON-SRV1 as a group member 1. In the Active Directory Users and Computers console, in the navigation pane, click the Member

Servers OU, in the details pane right-click Application Servers group, and then click Properties.

2. In the Application Server Properties window, click Members tab, and then click Add.

3. In Select Users, Computers, Service Accounts or Groups, click Object Types, click Computers, and then click OK.

4. In Enter the object names to select, type LON-SVR1, and then click OK.

Task 3: Create a new Application Servers GPO 1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console, expand Forests: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.

3. In the New GPO window, in the Name: field, type Application Servers GPO, and then click OK.

4. In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit.

5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then click Windows Firewall with Advanced Security - LDAP://CN={GUID}.

6. In the Group Policy Management Editor, click Inbound Rules.

7. Right-click Inbound Rules, and then click New Rule.

8. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.

9. On the Program page, click Next.

10. On the Protocol and Ports page, in the Protocol type list, click TCP.

11. In the Local port list, click Specific Ports, in the text box, type 8080, and then click Next.

12. On the Scope page, click Next.

13. On the Action page, click Allow the connection, and then click Next.

14. On the Profile page, clear the Private and Public check boxes, and then click Next.

15. On the Name page, in the Name box, type Application Server Department Firewall Rule, and then click Finish.



Task 4: Link the Application Servers GPO to the Member Servers OU 1. On LON-DC1, In the Group Policy Management Console, right-click Member Servers OU, and then

click Link an Existing GPO.

2. In the Select GPO window, in Group Policy objects list, click Application Servers GPO, and then click OK.

Task 5: Use security filtering to limit the Application Server GPO to members of Application Server group 1. On LON-DC1, in the Group Policy Management Console, click Member Servers OU.

2. Expand the Member Servers OU, and then click the Application Servers GPO link.

3. In the Group Policy Management Console message box, click OK.

4. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.

5. In the confirmation dialog box, click OK.

6. In the details pane, under Security Filtering, click Add.

7. In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK.

Task 6: Run GPUpdate on LON-SRV1 1. Switch to LON-SRV1 and log on as Adatum\Administrator.



4. In the command prompt window, type following command, and then press Enter:

gpupdate/force


6. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.

Task 7: View the firewall rules on LON-SRV1 1. Switch to LON-SVR1.

2. In Server Manager, click Tools, and then click Windows Firewall with Advanced Security.

3. In the Windows Firewall with Advanced Security window, click Inbound rules.

4. In the right pane, verify that Application Server Department Firewall Rule that you created earlier using Group Policy is configured.

5. Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy.


Task 8: To prepare for the next module When you finish the lab, revert the virtual machines to their initial state by performing the following steps:





Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.

L13-71

Module 13: Implementing Server Virtualization with Hyper-V

Lab: Implementing Server Virtualization with Hyper-V Exercise 1: Installing the Hyper-V Server Role

Task 1: Install the Hyper-V server role 1. Reboot the classroom computer and from the Windows Boot Manager, choose 20410A-LON-

HOST1.

2. Log onto LON-HOST1 with the Administrator account and the password Pa$$w0rd.

3. In Server Manager, click Local Server.

4. In the Properties pane, click the IPv4 address assigned by DHCP link.

5. In the Network Connections dialog box, right-click the network object and then click Properties.

6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

7. On the General tab, click Use the following IP address and configure the following:

o IP Address: 172.16.0.31


o Default gateway: 172.16.0.1

8. On the General tab, click Use the following DNS server addresses and then configure the following:


9. Click OK to close the Properties dialog box.

10. Click Close.

11. Close the Network Connections dialog box.

12. In the Server Manager console, from the Manage menu, click Add Roles and Features.

13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

14. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

15. On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next.

16. On the Select server roles page, select Hyper-V.

17. In the Add Roles and Features Wizard dialog box, click Add Features.

18. On the Select server roles page, click Next.


20. On the Hyper-V page, click Next.

21. On the Virtual Switches page, verify that no selections have been made, and then click Next.

22. On the Virtual Machine Migration page, click Next.


23. On the Default Stores page, review the location of the Default Stores, and then click Next.

24. On the Confirm installation selections page, select Restart the destination server automatically if required.

25. In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then click Yes.

26. On the Confirm Installation Selections page, click Install.

27. After a few minutes, the server will restart automatically. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer will restart several times.

Task 2: Complete Hyper-V role installation and verify settings 1. Log on to LON-HOST1 using the account Administrator with the password Pa$$word.

2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features Wizard.

3. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.

4. In the Hyper-V Manager console, click LON-HOST1.

5. In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V Settings.

6. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Keyboard item. Verify that the Keyboard is set to the Use on the virtual machine option.

7. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Virtual Hard Disks item. Verify that the location of the default folder to store Virtual Hard Disk files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK.

Results: After this exercise, you should have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking

Task 1: Configure the external network 1. In the Hyper-V Manager console, click LON-HOST1.

2. From the Actions menu, click Virtual Switch Manager.

3. In the Virtual Switch Manager for LON-HOST1 dialog box, select New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.

4. In the Virtual Switch Properties area, enter the following information, and then click OK:

o Name: Switch for External Adapter

o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)

5. In the Apply Networking Changes dialog box, review the warning, and then click Yes.

Task 2: Create a private network 1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.


3. Under Virtual Switches, click New virtual network switch.

Module 13: Implementing Server Virtualization with Hyper-V L13-73

4. Under Create virtual switch, select Private, and then click Create Virtual Switch.

5. In the Virtual Switch Properties section of the Virtual Switch Manager dialog box, configure the following settings, and then click OK:

o Name: Private Network

o Connection type: Private network

Task 3: Create an internal network 1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.


3. Under Virtual Switches, select New virtual network switch.

4. Under Create virtual switch, select Internal and then click Create Virtual Switch.

5. In the Virtual Switch Properties section, configure the following settings, and then click OK:

o Name: Internal Network

o Connection type: Internal network

Task 4: Configure the MAC address range 1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1

2. On the Actions menu, click Virtual Switch Manager.

3. Under Global Network Settings, click MAC Address Range.

4. On MAC Address Range settings, configure the following values, and then click OK:

o Minimum: 00-15-5D-0F-AB-A0

o Maximum: 00-15-5D-0F-AB-EF

5. Close the Hyper-V Manager console.

Results: After this exercise, you should have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine

Task 1: Create differencing disks 1. On the taskbar, click Windows Explorer.

2. Click Computer, and then browse to the following location: E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number of drives on the physical host machine)

3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.

4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click each folder and rename each folders to each name listed below:

o LON-GUEST1

o LON-GUEST2



6. In the Server Manager console, click the Tools menu and click Hyper-V Manager.

7. In the Actions pane, click New, and then click Hard Disk.

8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

9. On the Choose Disk Format page, select VHD, and then click Next.

10. On the Choose Disk Type page, select Differencing, and then click Next.

11. On the Specify Name and Location page, specify the following details, and then click Next:

o Name: LON-GUEST1.vhd


12. On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning \Base\Base12A-WS2012-RC.vhd, and then click Finish.

13. On the taskbar, click the PowerShell icon.

14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then press Enter.

Import-Module Hyper-V

15. At the PowerShell prompt, type the following command to create a new differencing disk to be used with LON-GUEST2 and then press Enter:

New-VHD “E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd” -ParentPath “E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd”

16. Close the PowerShell window.

17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.

18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open.

19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base \Base12A-WS2012-RC.vhd as a parent, and then click Close.

Task 2: Create virtual machines 1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.

2. In the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.

3. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.

4. On the Specify Name and Location page, select Store the virtual machine in a different location, enter the following values, and then click Next:

o Name: LON-GUEST1


5. On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this virtual machine option, and then click Next.

6. On the Configure Networking page, for the connection, choose Private Network, and then click Next.


7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click Open and then click Finish.

8. On the Taskbar, click the PowerShell icon.

9. At the PowerShell prompt, enter the following command to import the Hyper-V module:


10. At the PowerShell prompt, enter the following command to create a new virtual machine named LON-GUEST2:

New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath “E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd” -SwitchName "Private Network"

11. Close the PowerShell window.

12. In the Hyper-V Manager console, click LON-GUEST2.

13. In the Actions pane, under LON-GUEST2, click Settings.

14. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set the Automatic Start Action to Nothing.

15. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set the Automatic Stop Action to Shut down the guest operating system.

16. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box.

Task 3: Enable resource metering 1. On the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell prompt, enter the following command to import the Hyper-V module:


3. At the Windows PowerShell prompt, enter the following commands to enable resource metering on the virtual machines:

Enable-VMResourceMetering LON-GUEST1 Enable-VMResourceMetering LON-GUEST2

Results: After this exercise, you should have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.

Exercise 4: Using Virtual Machine Snapshots

Task 1: Deploy Windows Server 2012 in a virtual machine 1. In the Hyper-V Manager console, click on LON-GUEST1.

2. In the Actions pane, click Start.

3. Double click LON-GUEST1 to open the Virtual Machine Connection Window.

4. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection Window, on the Settings page, click Skip.


5. On the Settings page, select the I accept the license terms for using Windows check box, and then click Accept.

6. On the Settings page, click Next to accept the Region and Language settings.

7. On the Settings page, enter the password Pa$$w0rd twice, and then click Finish.

8. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu, click Ctrl+Alt+Delete. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.

9. On the virtual machine, in the Server Manager console click Local Server, and then click the randomly assigned name next to the computer name.


11. Set the Computer Name to LON-GUEST1, and then click OK.


13. Click Close to close the System Properties dialog box.


Task 2: Create a virtual machine snapshot 1. Log on to the LON-GUEST1 virtual machine using the Administrator account and the password

Pa$$w0rd.

2. In the Server Manager console, click the Local Server node, and verify that the name of the computer is set to LON-GUEST1.

3. In the Virtual Machine Connection window, from the Action menu, click Snapshot.

4. In the Snapshot Name dialog box, enter the name Before Change, and then click Yes.

Task 3: Modify the virtual machine 1. In the Server Manager console, click Local Server, and then next to Computer name, click

LON-GUEST1.


3. Set the Computer Name to LON-Computer1, and then click OK.


5. Close the System Properties dialog box.

6. In the Microsoft Windows dialog box, click Restart Now..

7. Log back on to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd.

8. In the Server Manager console, click Local Server, and verify that the server name is set to LON-Computer1.

Task 4: Revert to the existing virtual machine snapshot 1. In the Virtual Machine Connection window, from the Action menu, click Revert.


3. In the Server Manager console, in the Local Server node in the Virtual Machines list, verify that the Computer Name is set to LON-GUEST1.


Task 5: View resource metering data 1. On LON-HOST1, on the taskbar, click the Windows PowerShell icon.

2. At the Windows PowerShell command-line prompt, enter the following command to import the Hyper-V module:


3. At the Windows PowerShell command-line prompt, enter the following command to retrieve resource metering information:

Measure-VM LON-GUEST1

4. Note the average CPU, average random access memory (RAM), and total disk usage figures.

5. Close the Windows PowerShell window.

Task 6: Revert the virtual machines 1. Click on the Windows PowerShell icon on the Taskbar.

2. In the Windows PowerShell window, enter the following command and press enter:

Shutdown /r /t 5

3. From the Windows Boot Manager, choose Windows Server 2008 R2

Results: After this exercise, you should have used virtual machine snapshots to recover from a virtual machine misconfiguration.

20410a enu trainerhandbook new

Documents

endorsement of microsoft

control of microsoft

microsoft technologies

microsoft group of companies

linked site

o f f i c

written license agreement

i c r o s o f t