Exam Prep: 70-411 & 70-417 MCSA: Administering Windows Server 2012 (R2)
TRANSCRIPT
Alfred [email protected]
19 Years of IT Experience
Senior Consultant with Microsoft Consulting Services (MCS)
Desktop Enterprise Management, ConfigMgr 2012 and Intune
Microsoft Communities both Internal and External
Blog Site: http://thedevicepros.com
Twitter: @thedevicepros - twitter.com/thedevicepros
Facebook: http://www.facebook.com/thedeviceprofessionals
Member of #TheKrewe
But first… a little about me!
Session Objective(s):
Certification Overview
Exam Preparation per Section
Describe key 70-411 & 70-417 exam objectives
Prepare more effectively using available study material
Relate practical Windows Server 2012 experience to the exam
Identify areas that may require extra studying
Action plan for exam preparation and success
Session Objectives And Takeaways
For You
Increased confidence in your abilities at work
Enhanced product knowledge
Learn about certification to educate your coworkers and bosses
For Your Career
Makes a great commitment
Shows drive and initiative
Tangible way to demonstrate mastery of a product
Sets you apart from your peers at review time
Recognition inside and outside of Microsoft
Completely achievable at SPC
Changes to Certifications and Exams
Certification requirements: deeper skill set, broader skill set, recertification, relevance, rigor
MCSE and MCSD Certifications
Web Applications, Windows Store Apps
Server Infrastructure, Desktop Infrastructure
Business Intelligence, Data Platform
Private Cloud
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Increased Rigor
Reflection of the real world
Learn more, validate more
Solutions are more complex, questions must reflect that
Best way to measure candidates know what they know
New item types
Fewer multiple choice
Case studies
Scenario based
See big picture and make decisions
Innovative item types
Exam Basics
40-60 questions
1-4 hours to complete exam
Can review questions
Cannot move between case studies
700 is passing (700 is not 70%)
How to interpret questions
All questions have a consistent anatomy:
Business Problem
Goal Statement
One or Multiple Correct Answers
Multiple Distracters
Questions are not intended to trick you
Exam Scoring
Each exam has a "cut score"
Each question is worth one point
No partial credit
No points deducted for wrong answers
70-411 Exam Objectives
Deploy, Manage, and Maintain Servers (15-20%)
Configure File and Print Services (15-20%)
Configure Network Services and Access (15-20%)
Configure a Network Policy Server Infrastructure (15-20%)
Configure and Manage Active Directory (15-20%)
Configure and Manage Group Policy (15-20%)
Total Time: 195 minutes with comments, 150 minutes for exam
Deploy, Manage, and Maintain Servers
Deploy and manage server images
Implement patch management
Monitor servers
Windows Server 2012 - WDS
Install using Roles and Features
Requires RSAT
Enables PXE use
Deployment methods
WDS service must be enabled and show green
Configuration options
Ensure DHCP and NTFS shares are available
Decide on PXE boot requests
Don't forget about WDSUtil
Using WDS
Add install images and drivers
Multicast transmissions
Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools (Servermanagercmd.exe deprecated)
Deploy and Manage Server Images (1/2)
Boot, capture, install, discover images
Boot image is Windows PE + client (boot.wim on media)
Capture image is used to capture a reference computer to use for your install image
Install image is what you deploy (install.wim on media)
Discover image when computer can't use PXE (boot to discover image media)
Deploy and Manage Server Images (2/2)
Update images - patches/hotfixes/drivers/features
Mount the offline image:
DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
Add package or driver to image:
DISM /Image:<temppath> /Add-Package /PackagePath:<path>
DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
Commit the changes and unmount:
DISM /Unmount-Image /MountDir:<temppath> /Commit
Implement Patch Management
Install WSUS role
DISM /Online /Enable-Feature /FeatureName:<feature name> (list the available feature names with dism /online /get-features)
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
GPOs, client-side targeting
Server-side targeting (default)
Client-side targeting (typically GPO)
Watch for non-domain joined clients or the manual step of creating groups in WSUS
Synchronization and WSUS groups
Synchronization - downloading updates from an upstream server
Watch for proxy server issue, firewall issue, or BITS issue
WSUS groups - used for targeting updates to groups of computers
Watch for client computers not showing up in the computer list
Monitor Servers: Data Collector Sets
Concepts to know...
Collect performance over a given time
Excellent for baselines
Performance but also event trace, system configuration (registry)
Several default DCS
Can create DCS from current counters
Can create templates
Key Tips to Know
ImageX, Package Manager and OCSetup - deprecated
Automatic approvals for WSUS
Boot, capture, install, discover images
Know your WDS options with DHCP
PXE is a driving factor for deployments
Deploy & capture images
Update images - patches/hotfixes/drivers/features
Installing features for offline images
Exam Updates for R2: Deploy, manage, and maintain servers
Tasks currently measured / Tasks changed or added since January 2014:
Deploy and manage server images: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images
  Changed/added: Configure driver groups and packages
Implement patch management: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups
  Changed/added: Manage patch management in mixed environments
Monitor servers: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring
  Changed/added: Schedule performance monitoring
Exam Prep Question
Your network contains a Microsoft Windows Deployment Services (WDS) server. You have added a custom image named CustomWin8.wim to the server. After creating and adding the custom image to the WDS server, you decide that the image is missing a feature. You mount the image to the c:\mount folder. You need to add the Telnet Client feature to the CustomWin8.wim image. What should you do?
A. Run the command imagex /apply C:\mount\CustomWin8.wim 1 D:\
B. Run the command dism /Image:C:\mount /Enable-Feature /FeatureName:TelnetClient
C. Run the command dism /Image:CustomWin8.wim /Enable-Feature /FeatureName:TelnetClient
D. Run the command imagex /image:C:\mount /Enable-Features /FeatureName:TelnetClient
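The offline servicing procedure from the "Update images" slide, carried out with the DISM PowerShell module as an added example (not code from the deck): it mounts an install image, enables a feature, adds drivers and a package, and commits only if every step succeeded. Image path, mount folder, driver folder and image index are placeholders.

```powershell
# Added example (not from the deck): service an offline .wim with the DISM PowerShell module.
# All paths below are placeholders; run elevated on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator
Import-Module Dism

function Update-OfflineImage {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,               # e.g. C:\Images\CustomWin8.wim
        [int]      $Index = 1,
        [string]   $MountDir = 'C:\mount',
        [string[]] $Features = @('TelnetClient'),
        [string]   $DriverDir,                                    # folder of .inf drivers (optional)
        [string]   $PackagePath,                                  # .cab/.msu update (optional)
        [string]   $SxsSource                                     # \sources\sxs of media, for removed-payload features
    )

    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    # Mount read/write. The .wim on disk is untouched until -Save, so a failure leaves it as it was.
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    $committed = $false
    try {
        foreach ($name in $Features) {
            $feature = Get-WindowsOptionalFeature -Path $MountDir -FeatureName $name
            if (-not $feature) { throw "Feature '$name' does not exist in this image" }
            if ($feature.State -ne 'Enabled') {
                $params = @{ Path = $MountDir; FeatureName = $name; All = $true }
                if ($SxsSource) { $params.Source = $SxsSource }   # needed when the payload was removed
                Enable-WindowsOptionalFeature @params | Out-Null
            }
        }
        if ($DriverDir)   { Add-WindowsDriver  -Path $MountDir -Driver $DriverDir -Recurse | Out-Null }
        if ($PackagePath) { Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath   | Out-Null }

        # Read back what is about to be committed.
        $result = Get-WindowsOptionalFeature -Path $MountDir |
            Where-Object FeatureName -in $Features |
            Select-Object FeatureName, State

        Dismount-WindowsImage -Path $MountDir -Save | Out-Null   # same as DISM /Unmount-Image /Commit
        $committed = $true
        return $result
    }
    finally {
        if (-not $committed) {
            # Any failure above: discard so the image is never left half-serviced.
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
}

# Usage: confirm the image index first, then service it.
Get-WindowsImage -ImagePath 'C:\Images\CustomWin8.wim' | Select-Object ImageIndex, ImageName
Update-OfflineImage -ImagePath 'C:\Images\CustomWin8.wim' -Index 1 -MountDir 'C:\mount' `
    -Features 'TelnetClient' -DriverDir 'C:\Drivers\NIC'
```

Service a copy of the image rather than the file inside the WDS RemoteInstall image group, then put it back with the WDS console's Replace Image action.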
Configure File and Print Services
Configure Distributed File System (DFS)
Configure File Server Resource Manager (FSRM)
Configure file and disk encryption
Configure advanced audit policies
Configure DFS (1/2)
Overview
DFS Replication and DFS Namespaces are role services (rolling up to the File and Storage Services role)
Know what's new: PowerShell module, WMI management, site awareness for DirectAccess, dedupe
Know what's deprecated: dfscmd, FRS
Install and configure DFS Namespaces
Domain-based namespace
Stand-alone namespace
Get familiar with the DfsnRoot and DfsnFolder PowerShell cmdlets
Requires the management of referrals
Configure DFS (2/2)
Configure DFS Replication targets
Keep folders in sync, use the Replicate Folder wizard to configure
Config changes must replicate via AD DS and then each namespace server must poll a DC for the config change (speed it up by forcing AD DS replication and then running dfsrdiag.exe PollAD /Member:Contoso\Server01)
Configure replication scheduling
Create replication group:
1. Multipurpose or data collection
2. Hub and spoke, full mesh, or no topology
3. Replicate continuously (select bandwidth limits if desired)
4. Replicate during specific days/times (can set bandwidth to use per time slot)
Watch for staging folder size issues (if too small, high CPU or slow replication will result)
Use a different physical disk for the staging folder for improved I/O
Configure FSRM (1/2)
Install FSRM
Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Configure quotas
Configure quotas on a specific folder or on a path (which handles newly created folders)
Hard (users cannot exceed) or soft (users can exceed, used for monitoring)
Built-in templates which can be used to create a quota or to create a new customized template
When quota threshold is met, option to send email, log event, run command, or generate report
Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)
Configure FSRM (2/2)
Configure file screens
Active screening (cannot save unauthorized files)
Passive screening (can save unauthorized files, used for monitoring)
Built-in templates (block audio/video files, e-mail files, executable files, images, monitor exe/system)
Be wary of deprecated filescrn.exe
Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate
Configure reports
Run reports on demand - DHTML, HTML, XML, CSV, or text
Built-in reports - duplicate files, file screen audit, files by file group, files by owner, files by property, folders by property, large files, least recently accessed files, most recently accessed files, quota usage
Set scheduled reports and have reports emailed to admin(s)
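The quota and file-screen configuration described on the two FSRM slides, as an added example written for this page (not the deck's code): a hard quota with an 85% warning, an active screen that blocks executables, and an exception folder. Share path, SMTP server and mail addresses are placeholders.

```powershell
# Added example (not from the deck): FSRM hard quota with notifications plus an active file screen.
# The path, SMTP settings and recipients are placeholders; run elevated on the file server.
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Projects'    # placeholder path

# FSRM needs an SMTP server before any e-mail action can fire (placeholder values).
Set-FsrmSetting -SmtpServer 'smtp.contoso.local' -FromEmailAddress 'fsrm@contoso.local' `
    -AdminEmailAddress 'storage-admins@contoso.local'

# Quota: hard 10 GB limit; e-mail + warning event at 85%, error event at 100%.
# [Quota Path], [Source Io Owner] etc. are FSRM's built-in notification variables.
$warnMail  = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning on [Quota Path]' `
    -Body 'User [Source Io Owner] has reached [Quota Usage]% of the [Quota Limit] quota on [Quota Path].'
$warnEvent = New-FsrmAction -Type Event -EventType Warning -Body 'Quota on [Quota Path] at [Quota Usage]%.'
$fullEvent = New-FsrmAction -Type Event -EventType Error   -Body 'Quota on [Quota Path] exceeded.'
$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warnMail, $warnEvent
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $fullEvent

New-FsrmQuota -Path $SharePath -Size 10GB -Threshold $t85, $t100 -Description 'Projects share hard limit'
# Add -SoftLimit for a monitoring-only quota; use New-FsrmAutoQuota -Path <parent> -Template <name>
# when every newly created subfolder should get its own quota.

# Active file screen: block the built-in "Executable Files" group and log every blocked attempt.
$screenEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked [Source Io Owner] writing [Source File Path] under [File Screen Path]'
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Executable Files' -Active -Notification $screenEvent

# Exception: a vetted subfolder may hold installers even though its parent is screened.
New-FsrmFileScreenException -Path (Join-Path $SharePath 'Approved-Installers') -IncludeGroup 'Executable Files'

# Verify what is now enforced.
Get-FsrmQuota -Path $SharePath      | Select-Object Path, Size, SoftLimit, Usage
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```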
Configure file and disk encryption (1/3)
New features
BitLocker provisioning (can enable BitLocker prior to deploying Windows 8 via WinPE)
Encrypt only used disk space (faster overall and takes only seconds for Windows 8 deployments)
Change PIN and password by standard users (no longer require admin rights)
Support for encrypted hard drives (encryption offloaded to the hard drive)
Configure BitLocker encryption
TPM version 1.2 or higher (required for provisioning prior to operating system deployment)
TPM owner authorization - separate object new for Windows 8 - requires AD schema update
Add BitLocker Drive Encryption feature, Enable-BitLocker (need volume/encryption method/key protector)
Configure file and disk encryption (2/3)
Configure the Network Unlock feature (new)
Install the BitLocker Network Unlock feature, WDS on Windows Server 2012, separate DHCP, UEFI DHCP drivers, PKI for issuing certificate (or self-signed certificate), Group Policy configured
For TPM+PIN systems, Network Unlock allows a form of two-factor authentication without user intervention when booting (on untrusted networks, TPM+PIN is used)
Configure BitLocker policies (Win8 or Win2012)
Choose drive encryption method and cipher strength
Configure use of hardware-based encryption for *** drives (fixed/operating/removable)
Enforce drive encryption type on *** drives - Full/Used only
Allow network unlock at startup
Configure file and disk encryption (3/3)
Configure the EFS recovery agent
Obtain a certificate for File Recovery for a data recovery agent user account
Add data recovery agent (DRA) by editing GPO:
  Add from AD DS if certificates are published in AD DS (default not published)
  Add from .cer files if not published in AD DS
Manage EFS and BitLocker certificates including backup and restore
For certificates, can enable archiving on the certificate templates to allow recovery
DRA can have a self-signed certificate which is backed up with standard backup methods
Windows 7 requires permissions update to ms-TPM-OwnerInformation for TPM owner info backup
Back up BitLocker recovery info to AD DS GPO setting (pre-2008 requires schema extension)
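The Enable-BitLocker flow from the slides (volume, encryption method, key protector, recovery info backed up to AD DS), as an added example not taken from the deck. It assumes a ready TPM 1.2 or later and that the "Store BitLocker recovery information in AD DS" policy is already applied to the computer.

```powershell
# Added example (not from the deck): TPM+PIN BitLocker on the OS volume, used-space-only,
# with a recovery password escrowed to AD DS. Assumes a ready TPM and the AD backup GPO in place.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is not present or not ready; TPM+PIN needs an owned, enabled TPM 1.2 or later'
    }

    # Ask for the PIN interactively; it must never sit in a script or deployment share.
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN (at least the policy minimum length)'

    # 1. Create the recovery password protector BEFORE encryption starts, so a recovery
    #    path exists even if the TPM measurements change on the first reboot.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 2. AES-256, used space only (seconds on a fresh deployment), TPM+PIN as the unlock protector.
    #    Without -SkipHardwareTest a test reboot is queued and encryption begins after it.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $pin | Out-Null

    # 3. Escrow the recovery password into the computer object's msFVE-RecoveryInformation child.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Return the state a practitioner checks before calling the machine done.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Enable-OsVolumeBitLocker -MountPoint 'C:'
# Expected Protectors: TpmPin,RecoveryPassword. ProtectionStatus stays Off until the hardware
# test reboot and encryption complete; the volume is not protected before that.
```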
Configure advanced audit policies (1/2)
Implement auditing using Group Policy and AuditPol.exe
Know the difference between basic Audit Policy settings and advanced Audit Policy settings
To manually enable Advanced Audit subcategory auditing (high overhead for widespread use):
auditpol /set /subcategory:"RPC Events" /success:enable
Auditpol has a /backup switch and a /restore switch
Global object access auditing (for file system or registry - automatically applies to all objects)
For global auditing, watch for situations that don't also enable the Audit File System and Audit Registry audit policy settings (required)
Advanced Audit Policy settings take precedence over basic Audit Policy settings
Configure advanced audit policies (2/2)
Create expression-based audit policies
Audit anybody not in Payroll that tries to access the sensitive payroll spreadsheets (can be set directly on a file/folder or in global policy), can be combined with Dynamic Access Control
Create removable device audit policies
Requires Windows 8 or Windows Server 2012
Logs event when users attempt to access a removable storage device (Audit Removable Storage)
Can also log removable storage device events (Audit Handle Manipulation)
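An added example (not from the deck) that applies the auditpol points across both slides on one server: back up the current policy, enable the subcategories named above including Removable Storage and Handle Manipulation, enable global object access auditing, and read the effective state back as objects. The backup path is a placeholder.

```powershell
# Added example (not from the deck): set an advanced audit baseline with auditpol.exe and verify it.
# The backup path is a placeholder; run elevated. Expect high event volume from the global SACLs.
#Requires -RunAsAdministrator

$Backup        = "C:\AuditBackup\auditpol-$(Get-Date -Format yyyyMMdd-HHmm).csv"
$Subcategories = 'File System', 'Registry', 'Handle Manipulation', 'Removable Storage', 'RPC Events'

function Set-AdvancedAuditBaseline {
    param([string]$BackupPath, [string[]]$Subcategories)

    New-Item -ItemType Directory -Force -Path (Split-Path $BackupPath) | Out-Null
    auditpol /backup /file:"$BackupPath" | Out-Null          # roll back with: auditpol /restore /file:<path>
    if ($LASTEXITCODE -ne 0) { throw "auditpol backup failed ($LASTEXITCODE)" }

    # Make the advanced subcategory settings win over the nine legacy categories
    # (the same thing the "Force audit policy subcategory settings" GPO setting does).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -Type DWord -Value 1

    foreach ($sub in $Subcategories) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub'" }
    }

    # Global object access auditing: every file and key, no per-object SACL needed.
    # It only produces events because File System and Registry were enabled above.
    auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW | Out-Null
    auditpol /resourceSACL /set /type:Key  /user:Everyone /success /failure /access:KW | Out-Null

    # Return the effective state as objects so a script (not an eyeball) can confirm it.
    auditpol /get /subcategory:"$($Subcategories -join ',')" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Set-AdvancedAuditBaseline -BackupPath $Backup -Subcategories $Subcategories
```

On a domain member, set these through the advanced audit policy GPO instead; a local auditpol change is overwritten at the next policy refresh.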
Exam Updates for R2: Configure File and Print Services
Tasks currently measured / Tasks changed or added since January 2014:
Configure Distributed File System (DFS): Install and configure DFS namespaces; configure DFS Replication Targets; configure Replication Scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance
  Changed/added: Clone a DFS database; recover DFS databases; optimize DFS replication
Configure File Server Resource Manager (FSRM): Install the FSRM role; configure quotas; configure file screens; configure reports
  Changed/added: Configure file management tasks
Exam Prep Question
You are the system administrator for Contoso, Ltd. You manage an Active Directory Domain Services (AD DS) domain. All servers run Windows Server 2008 R2. The forest functional level is set to Windows Server 2003. The domain functional level is set to Windows Server 2008. You are preparing to deploy DFS. The deployment must meet the following requirements:
Users must not be able to see folders that they do not have access to
Users must be able to create 3,000 total folders
Minimize changes to the environment
You need to deploy DFS to meet the requirements. What should you do?
A. Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone DFS namespace.
B. Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-based DFS namespace by deselecting DFS Windows Server 2008 mode.
C. Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
D. Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.
Configure Network Services and Access
Configure DNS zones
Configure DNS records
Configure VPN and routing
Configure DirectAccess
Configure DNS zones (1/2)
Configure primary and secondary zones
Primary zone can be stored in a file or in AD DS - authoritative source for the zone
Secondary zone cannot be stored in AD DS and is a read-only copy of a primary zone
Configure stub zones
Stub zone used to identify authoritative DNS servers for a zone - useful in a merger/acquisition
Watch for scenarios that offer stub zone and conditional forwarding as potential solutions
Stub zones best when needing to dynamically maintain authoritative DNS servers for a child zone
Configure conditional forwarders
Forwards to specific DNS servers which can then build up a cache for efficient resolution
Often the best solution for merger/acquisition but can also speed up internal name resolution
DNS = system
DNS = host name resolution
Forward and reverse lookups
Types of DNS zones: primary, secondary, Active Directory-integrated, and stub zones
For AD-integrated, what is the domain partition, ForestDNSZones, and DomainDNSZones? Hint: replication scope
Records = SOA, NS, A, CNAME, PTR, SRV, and MX
Exam Content: Deploy and Configure Network Services
Windows Server 2012 Network Services
IPv4 & IPv6 addressing
DHCP - failover, name protection
DNS - zones, records, DNSSEC
IPAM
VPN & routing
DirectAccess
VPN and Routing
Install and configure the Remote Access role
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard
Implement Network Address Translation (NAT)
Need two interfaces prior to enabling via wizard
Configure VPN settings
For SSTP, need to select the proper SSL certificate post install
Configure remote dial-in settings for users
Default in AD is control access through NPS Network Policy
Need to adjust policy or create new policy in order to allow users in
Configure routing
IPv4 and IPv6 static routes, DHCP relay, need to enable router for protocol
DirectAccess (1/2)
Implement server requirements
No longer requires PKI (can use Kerberos proxy over HTTPS instead along with port 443)
New simplified deployment but then won't get force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
Can use a single NIC behind NAT (Windows Server 2012 required)
Remote access servers and all client computers must be domain members
IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)
Implement client configuration
Need to have security groups in place and then create GPOs
DirectAccess (2/2)
Configure DNS for DirectAccess
Name Resolution Policy Table (NRPT) - used to send specific queries to specific DNS servers (otherwise, use normal name resolution) - Windows 7 or later required (config via GPO)
Configure certificates for DirectAccess
If using internal CA or self-signed certificate, CRL distribution point must be available externally
Can't use self-signed cert in a multi-site environment
Internal PKI is required if Kerberos proxy over HTTPS not available/possible
Exam Updates for R2: Configure Network Services and Access
Tasks currently measured / Tasks changed or added since January 2014:
Configure VPN and routing: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing
  Changed/added: Configure Web Application Proxy in pass-through mode
Exam Prep Question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com. What should you do?
A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
D. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
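The forward/reverse lookup distinction behind this question, as an added example (not from the deck): it derives the in-addr.arpa zone for an address, creates the zone if it is missing, adds the PTR, and then resolves both directions to prove it. The host name and address come from the question; the DNS server name is a placeholder.

```powershell
# Added example (not from the deck): make an address resolve back to its host name.
# An A record alone never answers PTR queries; the reverse zone and PTR must exist.
Import-Module DnsServer

function Add-ReverseRecord {
    param(
        [string]$DnsServer = 'dc01.tailspintoys.com',   # placeholder DNS server
        [string]$Fqdn      = 'www2.tailspintoys.com',
        [string]$IPv4      = '10.10.5.254'
    )
    $o        = $IPv4.Split('.')
    $zoneName = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"   # 5.10.10.in-addr.arpa
    $hostPart = $o[3]                                         # 254

    # Reverse zones are not created for you when the forward zone is; create it once, AD-integrated.
    if (-not (Get-DnsServerZone -Name $zoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId "$($o[0]).$($o[1]).$($o[2]).0/24" `
            -ReplicationScope Domain -DynamicUpdate Secure -ComputerName $DnsServer
    }

    $existing = Get-DnsServerResourceRecord -ZoneName $zoneName -Name $hostPart -RRType Ptr `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordPtr -ZoneName $zoneName -Name $hostPart -PtrDomainName $Fqdn `
            -ComputerName $DnsServer
    }

    # Verify both directions against the server itself, not through a possibly stale cache.
    [pscustomobject]@{
        Forward = (Resolve-DnsName -Name $Fqdn -Type A   -Server $DnsServer).IPAddress
        Reverse = (Resolve-DnsName -Name $IPv4 -Type PTR -Server $DnsServer).NameHost
    }
}

Add-ReverseRecord
# When you create the A record yourself, Add-DnsServerResourceRecordA -CreatePtr writes the PTR
# in the same step (the reverse zone must already exist).
```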
Configure a Network Policy Server Infrastructure
Configure Network Policy Server (NPS)
Configure NPS policies
Configure Network Access Protection (NAP)
Configure NPS (1/2)
Configure multiple RADIUS server infrastructures
5 parts - access clients (laptops), access servers (VPN/wireless devices), NPS servers (RADIUS server), NPS proxies (RADIUS proxy, fault tolerance by using two with one being a backup, domain membership optional, use NETSH to copy config from one proxy to another), user account DBs (such as AD DS)
Configure RADIUS clients
Required: shared secret, friendly name, FQDN or IP; optional is vendor info (e.g. Cisco)
Manage RADIUS templates
Watch for questions involving administrative overhead as that may indicate the creation of a template or use of an existing template
Configure NPS (2/2)
Configure RADIUS accounting
Can log to SQL DB, text file on local computer, both simultaneously, or SQL with text file logging for failover (if SQL logging fails, continue to log via text file)
If logging stops (out of disk, SQL down), users can't get in (watch for situations that call out default install and sudden loss of functionality - could be out of disk space, consider moving logging to a non-system disk)
Configure certificates
Certificate-based auth - NPS servers need a server certificate
Minimize administrative overhead in a large environment - autoenrollment
Configure NPS policies (1/2)
Configure connection request policies
Policies have conditions such as connection type, day/time, network, computer
Useful to authenticate untrusted domain (proxy policy first in the policy order) while still authenticating locally via NPS (to AD DS)
If no local processing by NPS, then server is a proxy (can forward to one place or multiple)
Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
Watch for default installation on encryption as all encryption options are enabled (40-bit, 56-bit, 128-bit)
Can use IP filters to enhance security, limit traffic type (IPv4 and IPv6)
Configure NPS policies (2/2)
Manage NPS templates
Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filter, health policies, and remediation server groups (minimize administrative overhead, speed up deployment)
Can export templates to .XML file and import to another server
Import and export NPS policies
Can use NETSH or Export-NpsConfiguration to export entire NPS server config including policies
Configure NAP (1/2)
Configure System Health Validators (SHVs)
One default SHV - Windows Security Health Validator - can require specific firewall settings, antivirus settings, spyware protection, automatic updates settings
If noncompliant with SHV, can restrict network access or remediate
Windows XP does not have spyware protection settings available
Configure health policies
Policy dictates how many SHV checks must be passed or failed
Health policies are added to network policies (NPS) to ascertain who should gain access
Configure NAP enforcement using DHCP and VPN
Non-compliant devices - full access, full access with limited time, limited access
Limited access usually is tied with remediation servers for updating components for compliance
If full network + limited time and the client subsequently becomes compliant, it will be disconnected!
Exam Updates for R2: Configure a Network Policy Server Infrastructure
Tasks currently measured / Tasks changed or added since January 2014:
Configure Network Policy Server (NPS): Configure multiple RADIUS server infrastructures; configure RADIUS clients; manage RADIUS templates; configure RADIUS accounting; configure certificates
  Changed/added: Configure a RADIUS server, including RADIUS proxy; manage and configure RADIUS NPS templates
Configure NAP (2/2)
Configure isolation and remediation of non-compliant computers using DHCP and VPN
Default network policy has automatic remediation enabled by default
Can add remediation servers and a troubleshooting URL for employees
Configure NAP client settings
Remember that Group Policy overrides NETSH and the NAP Client Configuration console
Enable tracing - netsh nap client set tracing state = enable
Use the NAP Client Configuration console to create an .xml config file for use in a GPO
By default, NAP enforcement clients are disabled
To enforce health policies, must enable at least one NAP enforcement client
IPsec - need to configure NAP health registration authority settings
Configure and Manage Active Directory
Configure service authentication
Configure Domain Controllers
Maintain Active Directory
Configure account policies
Configure service authentication (1/2)
Create and configure Service Accounts
Used to enhance security but the pain point is the password management and SPN management
Create/configure Group Managed Service Accounts
Must create/configure on a server running Windows Server 2012 or on a Windows 8 computer
Automated password management and can be used across multiple servers
Minimum of one DC that runs Windows Server 2012
Before you begin, must create the KDS Root Key - Add-KdsRootKey -EffectiveImmediately
New-ADServiceAccount and Set-ADServiceAccount
Create and configure Managed Service Accounts
Introduced in Windows Server 2008 R2 / Windows 7
New-ADServiceAccount with the -RestrictToSingleComputer parameter
Automated password management and can be used on a single server
Not supported for scheduled tasks, Exchange, SQL
Configure service authentication (2/2)
Configure Kerberos delegation
IIS may require the Trust this computer for delegation to any service (Kerberos only) option
Manage Service Principal Names (SPNs)
SetSPN (note that it cannot register duplicate names in a domain in Windows Server 2012)
SPN format: <service type>/<instance name>:<port number>/<service name>
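The gMSA steps from the two service-authentication slides, end to end, as an added example that is not the deck's code: KDS root key, a computer group allowed to retrieve the password, the account with its SPNs, a duplicate-SPN check, and the member-side install/test. Domain, group, host and account names are placeholders.

```powershell
# Added example (not from the deck): create a gMSA for a web farm, bind SPNs to it, verify it.
# Names (domain, group, hosts, account) are placeholders; run with the AD PowerShell module.
Import-Module ActiveDirectory

# One-time per forest. A new root key is usable 10 hours after creation so every DC has
# replicated it; -EffectiveImmediately still observes that window. Labs backdate it:
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null   # lab only; prod: -EffectiveImmediately
}

$Group = 'WebFarm-Hosts'   # placeholder: computer group allowed to retrieve the managed password
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members 'WEB01$', 'WEB02$'   # placeholder hosts

# The gMSA: no password is ever seen by a human; the KDS rotates it (30 days by default).
# SPNs are registered here, which is the SPN-management pain point the slide mentions.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $Group `
    -ServicePrincipalNames 'HTTP/intranet.contoso.local', 'HTTP/intranet' `
    -ManagedPasswordIntervalInDays 30

# A duplicate SPN makes Kerberos fail quietly (the wrong account may answer); check the forest.
setspn -X | Out-Host

Get-ADServiceAccount -Identity 'gmsa-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# On each member host, after a reboot so its group membership token is refreshed:
#   Install-ADServiceAccount -Identity 'gmsa-web'
#   Test-ADServiceAccount    -Identity 'gmsa-web'   # True only when the host can pull the password
```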
Configure Domain Controllers (1/2)
Configure Universal Group Membership Caching
Eliminates dependency on GC during logons
Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='32'}
Transfer and seize operations masters
NTDSUTIL can transfer and seize roles
Move-ADDirectoryServerOperationMasterRole for transfer, use -Force for seize
Install and configure an RODC
Cannot upgrade a writable DC to an RODC
Staged installation - delegate installation to non-Domain Admin at remote site (+IFM for speed)
Configure Domain Controllers (2/2)
Configure Domain Controller cloning
VM-GenerationID (supported on Hyper-V on 2012 and VMware 5.0 and later)
Source VM must be 2012, PDC emulator must be 2012
1. Add the source DC to the Cloneable Domain Controllers group
2. Run New-ADDCCloneConfigFile to create the DCCloneConfig.xml file (IP info, site info)
3. Export source DC (Hyper-V or Export-VM cmdlet)
4. Import the VM (Hyper-V or Import-VM cmdlet)
DefaultDCCloneAllowList.xml contains a list of services that are supported for cloning (watch out for unsupported services such as DHCP)
CustomDCCloneAllowList.xml is for custom services that you are sure about
See http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx (the entire series is valuable)
Maintain Active Directory (1/2)
Back up Active Directory and SYSVOL
wbadmin start systemstatebackup -backuptarget:e: (this includes SYSVOL)
Manage Active Directory offline
Stop the Active Directory Domain Services service (Services console or Stop-Service cmdlet)
Can perform offline defrag (or other maintenance) and then start the service
Optimize an Active Directory database
LDIFDE can be used to manually kick off a garbage collection process (free up space inside)
NTDSUTIL can compact the ntds.dit file (need adequate disk space to hold a second copy of the .dit file)
Maintain Active Directory (2/2)
Clean up metadata
Since 2008, deletion of a DC from the default OU results in automatic metadata cleanup
Deletion of a DC's NTDS Settings from Sites & Services also results in automatic metadata cleanup
Otherwise - ntdsutil, metadata cleanup, remove selected server <DN of DC>
Configure Active Directory snapshots
ntdsutil, snapshot, activate instance ntds, create
Perform object- and container-level recovery
Ntdsutil or Restore-ADObject (need Recycle Bin to get the link-valued attributes)
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target DomainName -Server DomainControllerName
Perform Active Directory restore
Authoritative vs. non-authoritative (watch for situations where you restore and the objects get subsequently deleted after the restore)
Configure account policies (1/2)
Configure domain user password policy
Without fine-grained password policies, one password and one lockout policy per domain
Configure via GPO
Configure and apply Password Settings Objects
New-ADFineGrainedPasswordPolicy - apply to users or groups (not OUs)
Active Directory Administrative Center
Delegate password settings management
Can delegate ability to apply a PSO to a user or group (Write Property permissions on the PSO)
Configure account policies (2/2)
Configure local user password policy
Can use a GPO linked to an OU with the computer objects
Configure account lockout settings
"Account lockout duration" setting set to 0 means an administrator must unlock locked accounts
"Account lockout threshold" setting set to 0 means an account will never get locked out
"Reset account lockout counter after" setting resets the number of failed logon attempts
Watch for requirements such as minimizing calls to the Help Desk, maintaining the highest level of security, or situations where a Denial of Service (DoS) is occurring
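The PSO, delegation and lockout points from the two account-policy slides combined into one added example (not the deck's code): a fine-grained policy for privileged accounts whose lockout settings stop a guessing campaign without handing an attacker a permanent lockout DoS, delegated so a help-desk group can apply it. Group, user and domain names are placeholders; the domain functional level must be Windows Server 2008 or higher.

```powershell
# Added example (not from the deck): a fine-grained password policy for privileged accounts.
# Names are placeholders. Precedence: the lowest number wins when several PSOs apply to a user.
Import-Module ActiveDirectory

function New-PrivilegedPso {
    param(
        [string]  $Name     = 'PSO-PrivilegedUsers',
        [string[]]$Subjects = @('Domain Admins', 'Tier0-Admins'),   # placeholder groups
        [string]  $Operators = 'CONTOSO\PSO-Operators',              # placeholder help-desk group
        [string]  $SampleUser = 'admin.jane'                          # placeholder member to verify with
    )

    # Threshold 10 in a 15-minute window locks a spray; duration 30 min auto-unlocks, so an attacker
    # cannot keep admins locked out permanently (duration 0 would require a manual unlock, threshold 0
    # would never lock at all).
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '00:15:00' -LockoutDuration '00:30:00'

    # PSOs apply to users or groups, never OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subjects

    # Delegation: applying a PSO is a write to its msDS-PSOAppliesTo attribute, i.e. Write Property
    # on the PSO object. dsacls grants exactly that and nothing else to the operators group.
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $Name
    dsacls $pso.DistinguishedName /G "${Operators}:WP;msDS-PSOAppliesTo" | Out-Null

    # The resultant policy for one member proves the PSO, not the Default Domain Policy, is in effect.
    Get-ADUserResultantPasswordPolicy -Identity $SampleUser |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
}

New-PrivilegedPso
```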
Exam Updates for R2: Configure and manage Active Directory
Tasks currently measured / Tasks changed or added since January 2014:
Configure service authentication: Create and configure Service Accounts; create and configure Group Managed Service Accounts; create and configure Managed Service Accounts; configure Kerberos delegation; manage Service Principal Names (SPNs)
  Changed/added: Configure virtual accounts
Maintain Active Directory: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore
  Changed/added: Active Directory Recycle Bin
Configure account policies: Configure domain user password policy; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure local user password policy; configure account lockout settings
  Changed/added: Configure Kerberos Policy settings
Configure and Manage Group Policy
Configure Group Policy processing
Configure Group Policy settings
Manage Group Policy objects (GPOs)
Configure Group Policy preferences
Exam Content: Create and Manage Group Policy
GP options
Enforce
Block inheritance
Loopback - merge, replace
WMI filters
ADMX central store
Allows editing of the ADMX file
Extends the functionality of GPMC
Group Policy Preferences (GPP)
Exam Content: Create and Manage Group Policy
Deploy software
Publish to users
Assign to users
Assign to computers
Software removal
Software Restriction Policies
AppLocker
Win7 & 2008 R2
Configure Group Policy processing (1/3)
Configure processing order and precedence
LSDOU - remember this!
Link order - 1 is highest (also referred to as the "top of the list")
Configure blocking of inheritance
Nothing above will apply unless a GPO is enforced
Configure enforced policies
Right-click a GPO and click Enforced to ensure that the GPO cannot be blocked
Enforced GPOs also ensure that the settings aren't overwritten by GPOs applied lower in the structure
Configure Group Policy processing (2/3)
Configure security filtering and WMI filtering
Read and Apply Group Policy (AGP) permissions are required for a GPO to apply
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2012 Datacenter"
Configure loopback processing
Loopback with Replace - ensures that settings from User Configuration of GPOs that apply to the computer replace the settings that are set in User Configuration of GPOs that apply to the user
Loopback with Merge - ensures that settings from the User Configuration of GPOs that apply to the computer merge with the settings that are set in User Configuration of GPOs that apply to the user
Watch for scenarios such as a kiosk or public computer where all users must have the exact same settings on the computer!
Configure Group Policy processing (3/3)
Configure and manage slow-link processing
Some settings not applied when slow link detected (software installation, folder redirection, etc.)
Default slow link is less than 500 Kbps
Computer Configuration\Administrative Templates\System\Group Policy
Configure client-side extension (CSE) behavior
Allow processing across a slow network connection
Do not apply during periodic background processing
Process even if the Group Policy objects have not changed
Settings can be set on extensions such as Scripts, Security, Registry, or other extensions (note that some only have two options, not all three)
Configure Group Policy settings (1/2)Configure settings including software installation, folder redirection, scripts, and administrative template settingsAssign to user (shortcuts appear on Start menu, not installed yet)Assign to computer (no shortcut, install typical at startup)Publish to user (add/remove programs availability)
Import security templatesImport from Group Policy Object Policy/Computer Configuration/Windows Settings/Security Settings“Clear this database before importing” option will overwrite, without it you get a merge
Configure Group Policy settings (2/2)
Import custom administrative template file
Add/remove templates while editing a GPO
ADM and ADMX (ADMX cuts down on SYSVOL size because it isn't stored in the GPO)
ADMX – Central Store (ADM is not supported in the Central Store)
Convert admin templates using ADMX Migrator
Free download; GUI conversion using "Generate ADMX from ADM"
Command line: faAdmxConv.exe name.adm
Configure property filters for admin templates (filters limit what you see in the GUI)
Managed – any = all, yes = only managed, no = only unmanaged
Configured – any = all, yes = only configured, no = only not configured
Commented – any = all, yes = only commented, no = only uncommented
Manage Group Policy objects (GPOs)
Back up, import, copy and restore GPOs
PowerShell: Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO
Sample scripts: C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts (.WSF scripts)
Create and configure a Migration Table
Manually open the Migration Table Editor and select source and destination
Cross-Domain Copying Wizard
Maps users, groups, computers and UNC paths
Reset default GPOs
Dcgpofix /target:Domain (can also use DC or Both as the target)
Delegate Group Policy management
Group Policy Creator Owners group – can create new GPOs and edit/delete the GPOs they created
Linking a GPO requires additional permissions (can be granted via ADUC on the OU)
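The backup, cross-domain copy with a migration table, import, restore and delegation tasks above, as an added PowerShell example that is not part of the presentation; the GPO names, domain names, backup folder, migration table path and the GPO-Editors group are assumptions:

```powershell
# Added example (not from the presentation): back up, copy (with a migration table),
# import, restore and delegate a GPO with the GroupPolicy module. All names are assumed.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackups'     # assumed backup folder
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Back up one GPO (Backup-GPO -All captures every GPO in the domain)
$backup = Backup-GPO -Name 'GPO1' -Path $BackupPath -Comment ('Pre-change backup ' + (Get-Date -Format s))
'Backup {0} of {1} written to {2}' -f $backup.Id, $backup.DisplayName, $backup.BackupDirectory

# Copy the GPO to another domain. Security principals and UNC paths inside the GPO are
# rewritten according to a .migtable built in the Migration Table Editor; -CopyAcl keeps the DACL.
Copy-GPO -SourceName 'GPO1' -SourceDomain 'woodgrovebank.com' `
         -TargetName 'GPO1' -TargetDomain 'corp.contoso.com' `
         -MigrationTable 'C:\GPOBackups\woodgrove-to-contoso.migtable' -CopyAcl | Out-Null

# Import the backup into a test GPO; -CreateIfNeeded creates the target GPO when absent
Import-GPO -BackupGpoName 'GPO1' -Path $BackupPath -TargetName 'GPO1-Test' -CreateIfNeeded | Out-Null

# Roll GPO1 back to its most recent backup in the folder (overwrites current settings)
Restore-GPO -Name 'GPO1' -Path $BackupPath | Out-Null

# Delegation: edit rights on this one GPO. Creating GPOs needs Group Policy Creator Owners;
# linking needs permissions on the OU itself, which this cmdlet does not grant.
Set-GPPermission -Name 'GPO1' -TargetName 'GPO-Editors' -TargetType Group -PermissionLevel GpoEdit | Out-Null
Get-GPPermission -Name 'GPO1' -All | ForEach-Object { '{0,-30} {1}' -f $_.Trustee.Name, $_.Permission }
```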
Comparing Group Policy Preferences and GPO Settings
Group Policy Settings | Group Policy Preferences
Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify | Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
Typically disable the user interface for settings that Group Policy is managing | Do not cause the application or operating system feature to disable the user interface for the settings they configure
Refresh policy settings at a regular interval | Refresh preferences by using the same interval as Group Policy settings by default
Exam Updates for R2:
Tasks currently measured | Tasks changed/added since January 2014
Configure Group Policy processing: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior | Force Group Policy update; configure and manage slow-link processing and Group Policy caching
Configure and Manage Group Policy
Example question
You are the system administrator for Woodgrove Bank. An existing GPO named GPO1 is linked to an OU named Corp. The Corp OU contains all user objects. You need to ensure that a GPO named GPO2 applies to all users in the Corp OU while also ensuring that settings in GPO2 take precedence over the same settings in GPO1. What should you do?
A. Link GPO2 to the domain.
B. Link GPO2 to the site.
C. Migrate GPO2 to a local GPO.
D. Configure GPO2 to be enforced.
In Review: Session Objectives And Takeaways
Session Objective(s): Certification Overview
Exam Preparation per Section
Describe key 70-411 & 70-417 exam objectives
Prepare more effectively using available study material
Relate practical Windows Server 2012 experience to the exam
Identify areas that may require extra studying
Action plan for exam preparation and success
Additional Exam Prep Sessions
EXM08 Exam Prep: 70-410 and 70-417 - MCSA: Windows Server 2012 (Repeated) – Tuesday, May 13, 5:00 PM - 6:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
EXM01 Exam Prep: 70-411 and 70-417 - MCSA: Windows Server 2012 – Monday, May 12, 3:00 PM - 4:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
EXM03 Exam Prep: 70-412 and 70-417 - MCSA: Windows Server 2012 – Monday, May 12, 4:45 PM - 6:00 PM, Room: Hilton L2 Ballrm F (Peter De Tender)
EXM10 Exam Prep: 70-413 and 70-414 - MCSE: Server Infrastructure – Wednesday, May 14, 10:15 AM - 11:30 AM, Room: Hilton L2 Ballrm F (Ryan Sokolowski)
Hands-on Labs
Any session that starts with PCIT-H3XX Windows Server 2012 R2
Related Content
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.