MCSA Installing & Configuring Windows Server 2012 70-410

Post on 09-Feb-2017


MCSA (E)
History of Microsoft certificates: MCSE – MCITP – MCSE

Validity of MCSA certificate

Course Topics
• Windows Management (installation, modifying the installation, Core)
• Active Directory
• Accounts (users, computers, OUs, and groups)
• Group Policy
• Networking (IPv4, IPv6, DHCP, and DNS)
• Managing Storage

Installing Windows 2012 R2
• License (editions)
• Prerequisites (HW, apps, storage drivers)
• Testing on a virtual machine
• BACKUP
• Installation modes

Switching between modes
• Full – Core – Minimal (Minimal Server Interface: Server Manager and MMC, no desktop shell)
• GUI needs vs. Core advantages (smaller attack surface, fewer patches and reboots, less disk)

Features on Demand
• Security, space: with -Remove the binaries of an uninstalled feature are deleted from the side-by-side store
• If we need it later? Reinstall from a source (install.wim, Windows Update, or a share)
• Online or to an offline VHD

Adding roles to offline VHDs
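The three slides above as one PowerShell sequence. This is an added example, not code from the course: switching a 2012 R2 box between Full, Minimal Server Interface and Core, removing feature payloads (Features on Demand), reinstalling from a WIM source, and adding a role to an offline VHDX. The media path, the image index and the VHDX path are assumptions.

```powershell
# Added example (not from the course slides). Paths and the WIM index are assumptions; adjust to your media.

# Current GUI state: both installed = Full; only Mgmt-Infra = Minimal Server Interface; neither = Core
Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
    Select-Object Name, InstallState

# Full -> Minimal Server Interface (keeps Server Manager and MMC, drops Explorer and the desktop shell)
Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart

# Minimal -> Core. -Remove also deletes the binaries from the side-by-side store (Features on Demand):
# less disk and a smaller attack surface, but a later reinstall needs an explicit source.
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra -Remove -Restart

# Core -> Full again. Because the payload was removed, point -Source at the install image.
# Index 4 is assumed to be "Datacenter (Server with a GUI)"; verify with:
#   Get-WindowsImage -ImagePath D:\sources\install.wim
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
    -Source 'wim:D:\sources\install.wim:4' -Restart

# Adding a role to an OFFLINE VHDX (the file must not be attached to a running VM or mounted)
$vhd = 'D:\VMs\web01.vhdx'                                   # assumed path
Get-WindowsFeature -Vhd $vhd -Name Web-Server                # inspect the offline image first
Install-WindowsFeature -Name Web-Server -Vhd $vhd            # applied when the VM next boots
```

Going to Core with -Remove is the most defensible production state (the GUI binaries are not on disk to be abused), but keep the install media reachable from every Core host or the reverse trip fails with a "source files could not be found" error.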

Configuring Core
• PowerShell
• CMD
• Alias
• SConfig
• RDP

Remote Management
• WinRM (the transport used by Server Manager and PowerShell remoting; enabled by default on 2012/R2)
• RSAT (useful for managing from desktops)
• Another server with the same role
• Non-domain-joined computer (needs a firewall rule, a TrustedHosts entry on the client, and a PS script)
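The non-domain-joined case from the slide, end to end. Added example, not from the course: the managed Server Core host and the admin workstation are in a workgroup, so there is no Kerberos and WinRM must be told explicitly which hosts it may send credentials to. Host names (core01), the admin IP and the local account are assumptions.

```powershell
# Added example (not from the course slides). Host names, IPs and the account are assumptions.

# --- On the managed Server Core host (locally, e.g. from SConfig > PowerShell) ---
Enable-PSRemoting -Force                        # WinRM listener + the "Windows Remote Management" firewall group
Configure-SMRemoting.exe -Enable                # lets Server Manager on another box manage this server
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management', 'Remote Service Management', 'Remote Volume Management'
# Do not leave WinRM open to "any": scope the rule to the admin workstation
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress 10.0.0.50

# --- On the workgroup admin workstation ---
# Without Kerberos the client has no way to verify the server's identity, so WinRM refuses to send
# NTLM credentials unless the target is listed in TrustedHosts. Keep the list to named hosts, never '*'.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'core01' -Concatenate -Force
$cred = Get-Credential -UserName 'core01\Administrator' -Message 'Local administrator on core01'

# Fan-out command: the result comes back as objects, not text
Invoke-Command -ComputerName core01 -Credential $cred -ScriptBlock {
    Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName
}
# Interactive shell when needed
Enter-PSSession -ComputerName core01 -Credential $cred
```

TrustedHosts means "send my password to whatever answers to this name", so a spoofed core01 on the admin's network would receive the local administrator credentials. For anything beyond a lab, put an HTTPS listener with a certificate on the server instead and connect with -UseSSL, which removes the need for TrustedHosts.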

Active Directory
Why a domain? In a workgroup each server has its own password policy (complexity, expiration, etc.) and its own local users, so every person needs an account on every server and the policy differs from machine to machine.
• Domain vs. Workgroup
• DC redundancy
• Domain naming
• Parent, child, tree, and forest
• Trust between domains

Domain Controllers
• Installation: AD DS role + promoting to DC
• Redundancy
• Adding extra DCs (same subnet, IFM, script)
• Uninstalling (demoting) a DC
• AD DC upgrade: FFL / DFL (forest and domain functional levels)
• Global Catalog
• SRV records

AD Objects
• User
• Computer
• Group (types)
• Organizational Unit
• Sites

AD Users & Computers
• What is a SID?
• Creating accounts
• Creating template accounts
• Joining a computer: online / offline
• Inactive & disabled accounts

AD Computer Accounts
• SID, username (the computer's sAMAccountName ends with $), and password (rotated by the computer itself every 30 days)
• Secure channel
• Broken secure channel ("the trust relationship between this workstation and the primary domain failed")
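The two slides above as PowerShell. Added example, not from the course: reading a SID, creating a user from a template account, online and offline (djoin) domain join, testing and repairing a broken secure channel, and finding inactive and disabled accounts. Account names, OU paths, the template name and the 90-day window are assumptions.

```powershell
# Added example (not from the course slides). Names, OUs and the inactivity window are assumptions.
Import-Module ActiveDirectory

# SID: what Windows actually authorizes against; the name is a label that can change, the SID cannot
Get-ADUser -Identity eander | Select-Object SamAccountName, SID

# Template account: -Instance copies the template's attributes; group membership is a back-link, so copy it separately
$tpl = Get-ADUser -Identity '_tplSales' -Properties Department, Company, Title, MemberOf
$pw  = Read-Host -AsSecureString 'Initial password'
New-ADUser -Name 'Tom Perez' -SamAccountName 'tperez' -UserPrincipalName 'tperez@adatum.com' `
    -Path 'OU=Sales,DC=adatum,DC=com' -Instance $tpl -AccountPassword $pw `
    -Enabled $true -ChangePasswordAtLogon $true
$tpl.MemberOf | ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'tperez' }

# Online join, placing the computer object in an OU that already has GPOs linked
Add-Computer -DomainName adatum.com -OUPath 'OU=Workstations,DC=adatum,DC=com' -Credential (Get-Credential) -Restart

# Offline join: provision the account now, apply the blob later on a machine that cannot reach a DC
djoin.exe /provision /domain adatum.com /machine WS042 /machineou 'OU=Workstations,DC=adatum,DC=com' /savefile C:\temp\WS042.txt
# then on WS042 (as local admin): djoin.exe /requestodj /loadfile C:\temp\WS042.txt /windowspath %SystemRoot% /localos
# The blob contains the machine password: delete it after use.

# Secure channel: the computer authenticates with WS042$ and its own password. Test, repair, or reset
Test-ComputerSecureChannel -Verbose
Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'ADATUM\Administrator')
Reset-ComputerMachinePassword -Server dc01.adatum.com -Credential (Get-Credential 'ADATUM\Administrator')

# Inactive (no logon for 90 days) and disabled accounts; disable stale computers first, delete later
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly     | Select-Object Name, LastLogonDate
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -ComputersOnly | Disable-ADAccount -WhatIf
Search-ADAccount -AccountDisabled | Select-Object Name, ObjectClass
```

Repairing the secure channel avoids the unjoin/rejoin dance, which would hand the computer a new SID and break anything keyed on the old one. Stale computer accounts matter: their passwords stop rotating, and an attacker who recovers one from an old disk image can authenticate as that machine until the account is disabled.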

Extra
• DCPromo
• AD AC (Active Directory Administrative Center)
• Recycle Bin
• Fine-grained password policies
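The Recycle Bin and fine-grained password policies from the slide, as an added example (not course code). The Recycle Bin needs a forest functional level of 2008 R2 or higher and cannot be turned off again; PSOs need a domain functional level of 2008 or higher. The policy values, the group and the user name are assumptions.

```powershell
# Added example (not from the course slides). Policy values, group and user names are assumptions.
Import-Module ActiveDirectory

# Recycle Bin: deleted objects keep all attributes and links for the deleted-object lifetime (180 days default)
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'adatum.com' -Confirm:$false
# Recover a user by name; deleted objects are renamed "<name>\0ADEL:<guid>", so match on the prefix
Get-ADObject -Filter { IsDeleted -eq $true -and Name -like 'Elizabeth Andersen*' } -IncludeDeletedObjects |
    Restore-ADObject

# Fine-grained password policy (PSO): stricter rules for Domain Admins than the Default Domain Policy
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Which policy wins for a given user: lowest Precedence, and a PSO linked to the user beats one linked to a group
Get-ADUserResultantPasswordPolicy -Identity 'eander'
```

Without the Recycle Bin, a restored (tombstoned) object comes back with most attributes stripped, including group memberships, which is why the feature is worth enabling before the first accidental deletion rather than after.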

Automate Accounts Creation
LDIFDE: LDAP Data Interchange Format, Directory Exchange
CSVDE: Comma-Separated Value Directory Exchange

LDIFDE:
  dn: cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com
  changetype: add                (or modify, delete)
  objectClass: user
  sAMAccountName: eander
  userPrincipalName: eander@adatum.com
  telephoneNumber: 586-555-1234
Then save it as <filename>.ldf and run:
  ldifde -i -f <filename.ldf>

CSVDE:
  dn,sAMAccountName,userPrincipalName,telephoneNumber,objectClass
  "cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com",eander,eander@adatum.com,586-555-1234,user
Then you run the command:
  csvde -i -f <filename.csv>
(CSVDE cannot set passwords, so the imported user accounts are created disabled.)

DSADD
DSADD allows adding users to multiple OUs; it creates OUs, computers, and users:
  dsadd ou ou=test,dc=northwindtraders,dc=com
  dsadd user "cn=test321,ou=sales,dc=dabbas,dc=com" -disabled no
Also: dsquery, dsmod, dsget, dsmove, dsrm. Check the notes file.

PowerShell
CSV file (the first line holds the parameter names, e.g. Name,SamAccountName,OU):
  $domain = "adatum.com"     # the page's example domain; replace with yours
  Import-Csv .\CSVimport.csv | ForEach-Object {
      $upn = $_.SamAccountName + "@$domain"
      New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -UserPrincipalName $upn -Path $_.OU
  }

Groups
Why do we use groups? Are OUs groups? Types of groups
Group scopes
Group conversions
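The three Groups slides as an added example (not from the course): one group of each scope nested AGDLP-style, the scope-conversion rules AD enforces, and the OU-versus-group distinction. Group names and the OU are assumptions.

```powershell
# Added example (not from the course slides). Group names, members and the OU are assumptions.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=adatum,DC=com'

New-ADGroup -Name 'Sales-Users'      -GroupScope Global      -GroupCategory Security -Path $ou  # G: holds accounts
New-ADGroup -Name 'Sales-Share-RW'   -GroupScope DomainLocal -GroupCategory Security -Path $ou  # DL: holds permissions
New-ADGroup -Name 'All-Sales-Forest' -GroupScope Universal   -GroupCategory Security -Path $ou  # U: cross-domain nesting
Add-ADGroupMember -Identity 'Sales-Users'    -Members 'eander', 'tperez'
Add-ADGroupMember -Identity 'Sales-Share-RW' -Members 'Sales-Users'       # AGDLP: Global inside Domain Local

# Conversion rules (Set-ADGroup throws when one is violated):
#   Global -> Universal       : only if the group is not a member of another Global group
#   Domain Local -> Universal : only if it contains no Domain Local group
#   Universal -> Global       : only if it contains no Universal group
#   Universal -> Domain Local : always
#   Global <-> Domain Local   : never directly; go through Universal
try {
    Set-ADGroup -Identity 'Sales-Users' -GroupScope Universal
} catch {
    Write-Warning "Conversion refused: $($_.Exception.Message)"
}
# Distribution -> Security: only security groups can be used in ACLs and in the user's token
Set-ADGroup -Identity 'Sales-Users' -GroupCategory Security

# Are OUs groups? No. An OU is a container for delegation and GPO linking; a group is a SID you grant rights to.
Get-ADGroup -Identity 'Sales-Share-RW' -Properties Members | Select-Object Name, GroupScope, Members
Get-ADOrganizationalUnit -Identity $ou | Select-Object Name, DistinguishedName
```

Universal group membership is stored in the Global Catalog, so changes replicate forest-wide; that is the reason for nesting Global groups inside Universal ones rather than adding users directly.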

Organizational Units

What OU can contain?Simplifying AdministrationPermissions on OUs?OUs & GPOs?

Users & Computers are ContainersRedirUser & RedirCmpAccidental DeletionDelegationDelegation Templates

Organizational Units
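The OU slide as an added example (not from the course): creating protected OUs, redirecting the default Users and Computers containers, and delegating password resets to a help-desk group, then reading the delegation back. OU names, the HelpDesk group and the domain are assumptions.

```powershell
# Added example (not from the course slides). OU names, the HelpDesk group and the domain are assumptions.
Import-Module ActiveDirectory
$dom = 'DC=adatum,DC=com'

# New OUs are protected from accidental deletion by default; older ones may not be, so enforce it everywhere
New-ADOrganizationalUnit -Name 'Workstations' -Path $dom
New-ADOrganizationalUnit -Name 'Staff' -Path $dom -ProtectedFromAccidentalDeletion $true
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# "Users" and "Computers" are containers: no GPO can be linked to them. Redirect new accounts to real OUs
# (domain functional level 2003 or higher) so policy applies from the first logon.
redircmp.exe "OU=Workstations,$dom"
redirusr.exe "OU=Staff,$dom"

# Delegation: HelpDesk may reset passwords and unlock user accounts under OU=Staff, nothing more.
# /I:S = apply to sub-objects; CA = control access right; WP = write property.
dsacls "OU=Staff,$dom" /I:S /G "ADATUM\HelpDesk:CA;Reset Password;user"
dsacls "OU=Staff,$dom" /I:S /G "ADATUM\HelpDesk:WP;pwdLastSet;user"
dsacls "OU=Staff,$dom" /I:S /G "ADATUM\HelpDesk:WP;lockoutTime;user"

# Read the delegation back: grants like these are rarely reviewed and accumulate over years
(Get-Acl "AD:\OU=Staff,$dom").Access |
    Where-Object { $_.IdentityReference -like '*HelpDesk*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Resetting a password is effectively taking over the account, so the OU this is delegated on must not contain administrators; keep privileged accounts in a separate OU with no such grants.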

Networking – IPv4
What is IP? Public vs. private IPs
Subnetting & default gateway
Hosts
IP assignments
Exercises
Supernetting
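A small subnet and supernet calculator so the exercises can be checked against code rather than a web tool. This is an added example, not part of the course; the sample addresses are constructed. It goes a little beyond the slide by also flagging /31 and /32 networks and RFC 1918 private ranges, and by warning when an aggregate covers more space than the subnets listed.

```powershell
# Added example (not from the course slides). Sample addresses are constructed.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Ip)           # '192.168.10.77' -> 32-bit integer
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint32]([int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3])
}

function ConvertFrom-IPv4Int {
    param([Parameter(Mandatory)][uint32]$Int)
    $n = [int64]$Int
    '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 255), (($n -shr 16) -band 255), (($n -shr 8) -band 255), ($n -band 255)
}

function Get-IPv4Mask {
    param([Parameter(Mandatory)][int]$Prefix)           # /26 -> 255.255.255.192 as an integer
    [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))
}

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][uint32]$Int)          # RFC 1918: 10/8, 172.16/12, 192.168/16
    foreach ($range in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $net, $len = $range -split '/'
        $mask = Get-IPv4Mask ([int]$len)
        if (([int64]$Int -band [int64]$mask) -eq [int64](ConvertTo-IPv4Int $net)) { return $true }
    }
    return $false
}

function Get-SubnetInfo {
    param([Parameter(Mandatory)][string]$Cidr)          # e.g. '192.168.10.77/26'
    $ip, $prefixText = $Cidr -split '/'
    $prefix  = [int]$prefixText
    $mask    = Get-IPv4Mask $prefix
    $ipInt   = ConvertTo-IPv4Int $ip
    $network = [uint32]([int64]$ipInt -band [int64]$mask)            # address AND mask
    $bcast   = [uint32]([int64]$network + (4294967295 - [int64]$mask)) # network OR inverted mask
    $hosts   = switch ($prefix) { 32 { 1 } 31 { 2 } default { [int64][math]::Pow(2, 32 - $prefix) - 2 } }
    $p2p     = $prefix -ge 31                           # /31 (RFC 3021) and /32 have no network/broadcast addresses
    [pscustomobject]@{
        Address   = $ip
        Prefix    = $prefix
        Mask      = ConvertFrom-IPv4Int $mask
        Network   = ConvertFrom-IPv4Int $network
        FirstHost = ConvertFrom-IPv4Int $(if ($p2p) { $network } else { $network + 1 })
        LastHost  = ConvertFrom-IPv4Int $(if ($p2p) { $bcast }   else { $bcast - 1 })
        Broadcast = ConvertFrom-IPv4Int $bcast
        Hosts     = $hosts
        Private   = (Test-PrivateIPv4 $network)
    }
}

function Get-Supernet {
    param([Parameter(Mandatory)][string[]]$Networks)    # contiguous subnets, e.g. four /24s
    $ints   = @($Networks | ForEach-Object { ConvertTo-IPv4Int (($_ -split '/')[0]) })
    $prefix = [int](($Networks | ForEach-Object { [int](($_ -split '/')[1]) } | Measure-Object -Minimum).Minimum)
    do {
        $mask = Get-IPv4Mask $prefix
        $nets = @($ints | ForEach-Object { [int64]$_ -band [int64]$mask } | Sort-Object -Unique)
        if ($nets.Count -gt 1) { $prefix-- }            # shorten the prefix until all subnets share one block
    } while ($nets.Count -gt 1)
    # A common mistake: the aggregate also covers address space that was never listed (and may belong to someone else)
    $covered = [math]::Pow(2, 32 - $prefix)
    $listed  = ($Networks | ForEach-Object { [math]::Pow(2, 32 - [int](($_ -split '/')[1])) } | Measure-Object -Sum).Sum
    if ($covered -ne $listed) { Write-Warning "$covered addresses in the aggregate but only $listed in the listed subnets" }
    '{0}/{1}' -f (ConvertFrom-IPv4Int ([uint32]$nets[0])), $prefix
}

Get-SubnetInfo '192.168.10.77/26'
Get-Supernet '192.168.0.0/24', '192.168.1.0/24', '192.168.2.0/24', '192.168.3.0/24'
```

The two calls at the end reproduce a typical exercise: the host 192.168.10.77/26 sits in 192.168.10.64/26 (usable .65 to .126, broadcast .127, 62 hosts), and four consecutive /24s aggregate to 192.168.0.0/22. Feed it three /24s instead and the warning fires, because /22 then announces a /24 you do not own.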

Networking – IPv6
• Hexadecimal notation
• Addressing: 128 bits, written as 8 blocks of 16 bits
• Shortening address rules (drop leading zeros in each block; one run of all-zero blocks becomes "::", once per address)
• The Interface ID: converting a MAC address to EUI-64 (insert FF-FE in the middle, flip the universal/local bit)
Address types:
• Link Local: starts with FE80 (FE80::/10; never routed, every IPv6 interface has one)
• Unique Local: starts with FD (FC00::/7; the inside-the-organization range that replaced the deprecated Site-Local FEC0::/10)
• Global
Communication types:
• Unicast: one to one
• Multicast: one to many
• Anycast: one to closest
• No broadcast as in IPv4 (the all-nodes multicast group FF02::1 covers that role on a link)
Transition to IPv6:
• Dual-stack hosts and routers
• Tunneling (6to4: IPv6 packets carried inside IPv4)
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
• Teredo (IPv6 over UDP/IPv4, works through NAT)
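The two IPv6 rules the slide lists, MAC to EUI-64 and address shortening, written out as code. Added example, not from the course; the MAC address and the sample addresses are constructed.

```powershell
# Added example (not from the course slides). The MAC and the sample addresses are constructed.

function ConvertTo-Eui64InterfaceId {
    param([Parameter(Mandatory)][string]$Mac)           # '00-1C-42-2B-60-5A' or '00:1c:42:2b:60:5a'
    $octets = @(($Mac -split '[-:]') | ForEach-Object { [int][Convert]::ToByte($_, 16) })
    if ($octets.Count -ne 6) { throw "A MAC address has 6 octets, got $($octets.Count)" }
    # 1. split the 48-bit MAC in the middle and insert FF FE, giving 64 bits
    $eui = $octets[0..2] + @(0xFF, 0xFE) + $octets[3..5]
    # 2. flip the universal/local bit (value 0x02 of the first octet); a burned-in MAC becomes "universal"
    $eui[0] = $eui[0] -bxor 0x02
    $hex = ($eui | ForEach-Object { $_.ToString('x2') }) -join ''
    ($hex -replace '(.{4})(?=.)', '$1:')                # four 16-bit blocks, e.g. 021c:42ff:fe2b:605a
}

function Compress-IPv6Address {
    param([Parameter(Mandatory)][string]$Address)       # uncompressed form with 8 blocks
    # Rule 1: drop leading zeros in each block (an all-zero block becomes "0")
    $blocks = @($Address.Split(':') | ForEach-Object { $t = $_.TrimStart('0'); if ($t -eq '') { '0' } else { $t } })
    if ($blocks.Count -ne 8) { throw 'Expected 8 blocks (uncompressed address)' }
    # Rule 2: the longest run of two or more zero blocks becomes "::", once only (first run wins on ties)
    $best = -1; $bestLen = 0; $i = 0
    while ($i -lt 8) {
        if ($blocks[$i] -ne '0') { $i++; continue }
        $j = $i
        while ($j -lt 8 -and $blocks[$j] -eq '0') { $j++ }
        if (($j - $i) -gt $bestLen) { $bestLen = $j - $i; $best = $i }
        $i = $j
    }
    if ($bestLen -lt 2) { return ($blocks -join ':') }
    $left  = if ($best -gt 0) { $blocks[0..($best - 1)] -join ':' } else { '' }
    $end   = $best + $bestLen
    $right = if ($end -lt 8) { $blocks[$end..7] -join ':' } else { '' }
    "${left}::${right}"
}

$iid = ConvertTo-Eui64InterfaceId '00-1C-42-2B-60-5A'
Compress-IPv6Address "fe80:0000:0000:0000:$iid"                  # link-local address of that NIC (FE80...)
Compress-IPv6Address '2001:0db8:0000:0000:0000:0000:0000:0001'
Compress-IPv6Address 'fd12:3456:789a:0001:0000:0000:0000:0001'   # unique local (FD...)
```

Because EUI-64 embeds the MAC, the interface ID identifies the hardware wherever the host roams; Windows therefore defaults to random interface IDs (netsh interface ipv6 set global randomizeidentifiers=enabled), and the EUI-64 form above is what you see on routers and older hosts.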

Group Policy
What are GPOs & why do we use them?
Where are GPO files saved? (the Group Policy Container in AD and the Group Policy Template in SYSVOL\<domain>\Policies\{GUID})
GPO types:
• Local GPO
• Non-local (domain) GPO
Creating & managing a local GPO
Non-local GPOs overwrite local GPOs

Domain (Non-Local) GPOs
• Creating a GPO
• Linking (applying) to an OU
• Blocking inherited GPOs on a specific OU
• Enforcing a blocked GPO! (Enforced wins over Block Inheritance)
• How long does a GPO take to be applied? (at startup/logon, then every 90 minutes plus a random offset of up to 30 minutes; every 5 minutes on DCs)

Template GPOs
• Pre-defined GPOs
• Can be downloaded
• Multiple OSs?

Central Store
• Useful to avoid template differences between OSs
• Found under "PolicyDefinitions" (SYSVOL\<domain>\Policies\PolicyDefinitions)

www.gpanswers.com

Scope of Management
• User (computer) settings should be linked to the OUs that hold the users (computers)
• Policies are cumulative
• Computer settings overwrite user settings when they conflict
Processing order: Local > Site > Domain > OU > child OU (the last one applied wins)
Security filtering: Authenticated Users by default
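The Group Policy slides above as one scripted pass with the GroupPolicy module (installed with the GPMC feature or RSAT). Added example, not from the course: create a GPO, see where its files live, set a registry-based policy, link it, block inheritance on a sub-OU, enforce a top-level GPO past the block, build the central store, then refresh and check the result. GPO and OU names and the domain are assumptions.

```powershell
# Added example (not from the course slides). GPO/OU names and the domain are assumptions.
Import-Module GroupPolicy

# Creating a GPO writes the GPC object in AD and the GPT folder in SYSVOL under the GPO's GUID
$gpo = New-GPO -Name 'Sales-Desktop' -Comment 'Desktop restrictions for Sales'
"\\adatum.com\SYSVOL\adatum.com\Policies\{$($gpo.Id)}"

# A registry-based policy (User Configuration > Prevent changing desktop background), then link it:
# a GPO does nothing until it is linked to a site, domain or OU that contains the target objects
Set-GPRegistryValue -Name 'Sales-Desktop' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' `
    -ValueName 'NoChangingWallPaper' -Type DWord -Value 1
New-GPLink -Name 'Sales-Desktop' -Target 'OU=Sales,DC=adatum,DC=com' -LinkEnabled Yes

# Block inheritance on a child OU, then enforce a domain-level GPO so the block cannot stop it
Set-GPInheritance -Target 'OU=Kiosks,OU=Sales,DC=adatum,DC=com' -IsBlocked Yes
Set-GPLink -Name 'Default Domain Policy' -Target 'DC=adatum,DC=com' -Enforced Yes

# Central store: one ADMX/ADML set in SYSVOL replaces each admin's local PolicyDefinitions,
# so every console shows the same settings regardless of the OS it runs on
$central = '\\adatum.com\SYSVOL\adatum.com\Policies\PolicyDefinitions'
if (-not (Test-Path $central)) {
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions" -Destination $central -Recurse
}

# Refresh now instead of waiting for the 90-minute background cycle, then read the resultant set
gpupdate /target:computer /force
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
# The report lists the order Local > Site > Domain > OU > child OU; the last GPO applied wins a conflict
```

Enforced links and Block Inheritance are visible in the RSoP report, which is the first place to look when a setting "mysteriously" does not apply to one OU.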

Starter GPOs
Policies vs. Preferences
Policies                                               | Preferences
Settings are permanent (greyed out in the UI)          | User can change the setting (e.g. a mapped drive)
Applied at startup, logon, and refresh                 | Same as policies, with an option not to reapply
Removing the policy reverts to defaults                | Does not revert back automatically
Take precedence over preferences                       | Not available for local GPOs
Useful for: preventing app installs, preventing        | Useful for: desktop icons, shortcuts, a URL on the
  changes to the background                            |   desktop, drive maps, file copy, update

GPO Permissions
• Who has full permission by default? (Domain Admins, Enterprise Admins, SYSTEM)
• Delegating permission
GPO Security Settings
• Computer > Policies > Windows Settings > Security Settings
• User tokens (standard & admin tokens)
• Security templates
• Security Configuration & Analysis

Software Restriction Policy & AppLocker
Software Restriction Policy                  | AppLocker
Designed for legacy Windows (XP, 2003)       | Designed for Win 7/8, 2008 R2, 2012 (Enterprise and Server editions)
Fairly easy to bypass                        | Less easy to bypass
All apps are allowed by default              | All apps are denied by default once a rule collection is enforced
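Building an AppLocker policy with the AppLocker module, as an added example (not course code): rules generated from an inventory of approved locations, tested against real files before enforcement, deployed through a GPO in audit mode first, and the service dependency that trips most first deployments. Paths, the GPO name and the DC name are assumptions.

```powershell
# Added example (not from the course slides). Paths, GPO name and DC are assumptions.
Import-Module AppLocker
Import-Module GroupPolicy

# 1. Inventory approved locations and turn them into rules: publisher rules for signed binaries,
#    hash rules for the rest; -Optimize merges duplicates. Anything not matched is denied once enforced.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script, WindowsInstaller
$xml   = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$xml | Out-File -FilePath 'C:\Policies\AppLocker.xml' -Encoding UTF8
# Add the default rules in GPMC (allow %WINDIR%, %PROGRAMFILES%, and Administrators) before enforcing,
# or the operating system itself is blocked. Set EnforcementMode="AuditOnly" on each RuleCollection first.

# 2. Test what the policy would do with what users actually run; no enforcement involved
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker.xml' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 3. Deploy via a GPO (audit mode) and watch the log: 8003 = would have been blocked, 8004 = blocked
$gpo = Get-GPO -Name 'AppLocker-Audit'
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker.xml' -Ldap "LDAP://dc01.adatum.com/$($gpo.Path)"
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object { $_.Id -in 8003, 8004 } | Select-Object TimeCreated, Id, Message

# 4. AppLocker evaluates nothing unless the Application Identity service runs on the client
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Hash rules break on every update of the binary, publisher rules survive it; for a fleet, rules on the signing certificate plus path rules for administrator-writable-only locations are what keep the policy maintainable. SRP, by contrast, has no per-collection audit mode and no publisher rule that pins the product name, which is where its "easy to bypass" reputation comes from.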

DHCP
What is DHCP? Why is it better than static IPs?
Allocation methods:
• Dynamic
• Automatic
• Manual (reservations)
DORA: Discover – Offer – Request – Ack
Common parameters (options)
PXE & DHCP
Relay agent
Extra:
• DB backup
• Failover options
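The DHCP slide as a scripted server build, an added example (not from the course): authorization, a scope with an exclusion and options, a reservation (manual allocation), the PXE options, 2012 failover, and an export. Addresses, names and the shared secret are assumptions.

```powershell
# Added example (not from the course slides). Addresses, host names and the secret are assumptions.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Authorize in AD first: an unauthorized DHCP server on a domain member never hands out leases (rogue-server protection)
Add-DhcpServerInDC -DnsName dhcp01.adatum.com -IPAddress 10.0.0.10

# Dynamic allocation: the scope. Exclude the range used by statically addressed devices.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 10.0.1.50 -EndRange 10.0.1.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration 8.00:00:00 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.0.1.0 -StartRange 10.0.1.50 -EndRange 10.0.1.60
# Common parameters (options 3, 6, 15)
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -Router 10.0.1.1 -DnsServer 10.0.0.10 -DnsDomain adatum.com

# Manual allocation: a reservation keyed on the client's MAC
Add-DhcpServerv4Reservation -ScopeId 10.0.1.0 -IPAddress 10.0.1.100 -ClientId 'F0-DE-F1-11-22-33' -Name 'print01'

# PXE: options 66/67 point clients at the WDS server when it is not on the same subnet
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -OptionId 66 -Value 'wds01.adatum.com'
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -OptionId 67 -Value 'boot\x64\wdsnbp.com'

# Failover (new in 2012): load balance 50/50 with a partner, replaces the old split-scope approach
Add-DhcpServerv4Failover -Name 'LAN-Failover' -PartnerServer dhcp02.adatum.com -ScopeId 10.0.1.0 `
    -LoadBalancePercent 50 -SharedSecret 'changeme' -AutoStateTransition $true

# Backup: the service backs up its DB every 60 min to %SystemRoot%\System32\dhcp\backup; export config + leases too
Export-DhcpServer -File 'C:\Backup\dhcp01.xml' -Leases
Get-DhcpServerv4Statistics
Get-DhcpServerv4Lease -ScopeId 10.0.1.0

# DORA is visible in the audit log (%SystemRoot%\System32\dhcp\DhcpSrvLog-*.log): ID 10 = new lease, 11 = renew.
# Clients on other subnets reach this server through a relay agent (RRAS or the router's ip helper-address).
```

Replace the shared secret with something generated, since it authenticates the failover partner; and keep the exclusion range in step with whatever is statically addressed, because an overlap there produces the classic "duplicate IP" incident.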

DNS
What is DNS? Zones & zone types. How does DNS work?
Types of queries (recursive & iterative)
Types of answers (authoritative & non-authoritative)
Forwarders:
• Root hints
• Conditional forwarders
Stub zones
Managing the cache
Record types (resource records)
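The DNS slide as PowerShell, an added example (not course code): forwarders versus root hints, a conditional forwarder, a stub zone, resource records, cache management, and queries that show the recursive/iterative and authoritative/non-authoritative distinctions. Names and addresses are assumptions.

```powershell
# Added example (not from the course slides). Zone names, IPs and server names are assumptions.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Forwarders: queries we cannot answer go there first; with none configured the server walks the root hints itself
Set-DnsServerForwarder -IPAddress 10.0.0.2, 10.0.0.3 -UseRootHint $true
Get-DnsServerRootHint | Select-Object -First 3

# Conditional forwarder: only *.contoso.com goes to Contoso's DNS (stored in AD, replicated forest-wide)
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers 192.0.2.53 -ReplicationScope Forest

# Stub zone: keeps only the NS/SOA/glue records of fabrikam.com, refreshed from its masters
Add-DnsServerStubZone -Name 'fabrikam.com' -MasterServers 198.51.100.53 -ReplicationScope Domain

# Resource records in our AD-integrated zone (-CreatePtr needs a matching reverse zone)
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'web01' -IPv4Address 10.0.1.20 -CreatePtr
Add-DnsServerResourceRecordCName -ZoneName 'adatum.com' -Name 'intranet' -HostNameAlias 'web01.adatum.com'
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType SRV | Select-Object HostName, RecordData

# Authoritative vs. non-authoritative, recursive vs. iterative
Resolve-DnsName -Name web01.adatum.com  -Server 10.0.0.10 -DnsOnly        # our zone: authoritative answer
Resolve-DnsName -Name www.example.com   -Server 10.0.0.10                 # recursive: the server resolves for us
Resolve-DnsName -Name www.example.com   -Server 10.0.0.10 -NoRecursion    # RD bit off: only cache or a referral

# Cache: server-side after a record changed elsewhere; client-side with ipconfig /flushdns
Get-DnsServerCache | Select-Object MaxTtl, MaxNegativeTtl, EnablePollutionProtection
Clear-DnsServerCache -Force
ipconfig /flushdns
```

Leave cache pollution protection on: it makes the server discard records in a response that are outside the zone it asked about, which is the basic defense against an answer that tries to slip in a bogus record for another domain.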

Hyper-V
What is virtualization and why?
Benefits of using virtualization:
• Space, power, cooling
• Less management (at least centralized)
• Optimize resources to the max
• Greener, easier to back up, easier to replicate, etc.

Hypervisor
Hypervisor types:
• Type 1: native or bare metal (Hyper-V)
• Type 2: hosted (VMware Workstation)
Hyper-V needs a 64-bit processor with hardware virtualization (Intel VT-x / AMD-V); client Hyper-V on Windows 8/8.1 also needs SLAT
Virtualization (and DEP) must be enabled in the BIOS/UEFI
RAM & storage considerations

Enabling Hyper-V on Windows 8 & 8.1
Hyper-V configuration settings:
• Dynamic Memory
• Smart Paging
• Resource Metering
• Guest Integration Services
• Memory Buffer
• Memory Weight

Storage in Hyper-V
• VHD max. 2 TB (2,040 GB); VHDX up to 64 TB
• VHDX is more resilient (logged metadata updates survive power loss)
• How to modify VHD files? How to change the VHD size? Disk Mgmt.?
• Differencing disks
• Pass-through disks
• Snapshots (called checkpoints in R2)
• Fibre Channel adapter

Networking in Hyper-V
Switch types:
• External
• Internal
• Private
VLAN
Configuring MAC addresses

Gen1 & Gen2
• Gen2 guests must be 64-bit Windows 8/8.1 or Server 2012/2012 R2 (UEFI boot, Secure Boot, no legacy emulated devices)
• Hyper-V in R2 uses Enhanced Session Mode (RDP over VMBus): supports copy/paste, audio redirection, etc.
• Online VHDX resize / shrink

NIC Teaming
Teaming modes:
• Switch Independent
• Static Teaming (switch dependent)
• LACP (switch dependent)
Load balancing modes:
• Address Hash
• Hyper-V Port
• Dynamic
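The Hyper-V and NIC Teaming slides as one host build, an added example (not course code): a switch-independent team, the three switch types, a Gen 2 VM with dynamic memory, VLAN and static MAC, a parent/differencing disk pair for a lab VM, online resize and checkpoints. Adapter names, paths and VM names are assumptions.

```powershell
# Added example (not from the course slides). Adapter names, paths and VM names are assumptions.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# NIC teaming on the host: switch-independent + Dynamic needs nothing on the physical switch; LACP/static do
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1', 'NIC2' -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Switch types: External (VMs + host on the team), Internal (host and VMs only), Private (VMs only: isolated lab)
New-VMSwitch -Name 'vExternal' -NetAdapterName 'Team1' -AllowManagementOS $true
New-VMSwitch -Name 'vInternal' -SwitchType Internal
New-VMSwitch -Name 'vPrivate'  -SwitchType Private

# Production VM: Gen 2 (UEFI, Secure Boot, SCSI boot), dynamic VHDX, dynamic memory with buffer and weight
New-VHD -Path 'D:\VHD\web01.vhdx' -SizeBytes 60GB -Dynamic
New-VM -Name 'web01' -Generation 2 -MemoryStartupBytes 1GB -VHDPath 'D:\VHD\web01.vhdx' -SwitchName 'vExternal'
Set-VMMemory -VMName 'web01' -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 4GB -Buffer 20 -Priority 50
Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId 20
Set-VMNetworkAdapter -VMName 'web01' -StaticMacAddress '00-15-5D-01-02-03'
Enable-VMResourceMetering -VMName 'web01'

# Lab VMs: one read-only parent, a differencing child per VM (the parent must never be modified again)
New-VHD -Path 'D:\VHD\base-2012r2.vhdx' -SizeBytes 60GB -Dynamic
New-VHD -Path 'D:\VHD\lab01.vhdx' -ParentPath 'D:\VHD\base-2012r2.vhdx' -Differencing
New-VM -Name 'lab01' -Generation 2 -MemoryStartupBytes 1GB -VHDPath 'D:\VHD\lab01.vhdx' -SwitchName 'vPrivate'

# R2: resize a running VM's VHDX on the SCSI controller; shrinking needs free space at the end of the guest volume
Resize-VHD -Path 'D:\VHD\web01.vhdx' -SizeBytes 80GB

# Checkpoints are for rollback during a change, not backup: the .avhdx chain grows and slows I/O until merged
Checkpoint-VM -Name 'web01' -SnapshotName 'before-patch'
Restore-VMSnapshot -VMName 'web01' -Name 'before-patch' -Confirm:$false
Remove-VMSnapshot -VMName 'web01' -Name 'before-patch'      # merges the differences back into the VHDX
```

Restoring a checkpoint of a domain-joined VM older than 30 days can break its secure channel (the machine password has rotated in AD since), which is one more reason to merge checkpoints promptly.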

Local Storage
Disk types: basic & dynamic
Choosing a storage type depends on:
• Amount of storage needed
• Number of users (at the same time)
• Data sensitivity
• Data importance

RAID types (dynamic-disk volumes):
• Simple
• Spanned
• Striped (RAID 0)
• Mirrored (RAID 1)
• Striped set with parity (RAID 5)

File Systems (must know, not directly required)
File Allocation Table FAT/FAT32/exFAT
• No security (no permissions)
New Technology File System NTFS
• Secured using permissions
• Encryption & compression
• Quotas
• Auditing, file tagging, larger files
Resilient File System ReFS
• Files can be up to 16 exabytes
• File name length up to 32K characters (NTFS: 255)
• High resiliency (integrity streams, metadata checksums, no chkdsk)
• Backward compatible (NTFS API and permissions), but on 2012/R2 no disk quotas, compression, EFS, or deduplication

Creating VHD & VHDx through Disk Management
Adding files to VHD & VHDx through Disk Management

Storage Spaces in 2012
What is a SAN? Administration? Cost-wise? What about NAS?
Virtual disks (not VHDs!) and storage pools
Virtual disk configuration:
• Layout: simple, two- or three-way mirror, parity
• Provisioning: fixed, thin
• Allocation: data store, manual, hot spare

Storage Spaces using enclosures
• Approved JBOD: www.windowsservercatalog.com
• 2U/4U rack-mounted, up to 70 drives
• Smart: can send notifications to Windows about temperature and storage status
• Redundant fans and power
• A storage container, not a self-contained RAID (Storage Spaces provides the resiliency)
Storage Spaces tiering:
• Fast SSD for hot or pinned data
• Slow HDD for cold data
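The Storage Spaces slides as a scripted build, an added example (not course code): a pool from poolable local disks, a hot spare, a thin three-way mirror, a tiered SSD/HDD space with a pinned file, and the health checks. Disk counts, sizes, the pool name and the drive letter are assumptions.

```powershell
# Added example (not from the course slides). Sizes, names and the drive letter are assumptions.

# Pool: every disk that is not already partitioned/in use is "CanPool"
$disks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName '*Storage Spaces*' -PhysicalDisks $disks

# Allocation: one disk as hot spare (takes over automatically when a data disk fails)
$spare = Get-PhysicalDisk -StoragePool (Get-StoragePool -FriendlyName 'Pool1') | Select-Object -Last 1
Set-PhysicalDisk -UniqueId $spare.UniqueId -Usage HotSpare

# Layout + provisioning: three-way mirror (survives two failed disks, needs >= 5 disks), thin so the
# 2 TB is allocated as data is written. Thin means the pool can run out under you: monitor AllocatedSize.
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Data' -ResiliencySettingName Mirror `
    -NumberOfDataCopies 3 -ProvisioningType Thin -Size 2TB

# Tiering (R2): SSD tier for hot/pinned data, HDD tier for cold; tiered disks are always fixed-provisioned
$ssd = New-StorageTier -StoragePoolFriendlyName 'Pool1' -FriendlyName 'SSDTier' -MediaType SSD
$hdd = New-StorageTier -StoragePoolFriendlyName 'Pool1' -FriendlyName 'HDDTier' -MediaType HDD
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Tiered' -StorageTiers $ssd, $hdd `
    -StorageTierSizes 200GB, 2TB -ResiliencySettingName Mirror -WriteCacheSize 1GB

# A virtual disk is a disk: initialize, partition, format. ReFS for integrity; NTFS if quotas or dedup are needed
Get-VirtualDisk -FriendlyName 'Data' | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Data' -Confirm:$false

# Pin a file to the SSD tier (assumes the tiered disk is mounted as T:) and check health
Set-FileStorageTier -FilePath 'T:\db\hot.mdf' -DesiredStorageTierFriendlyName 'SSDTier'
Get-StoragePool -FriendlyName 'Pool1' | Select-Object HealthStatus, OperationalStatus, Size, AllocatedSize
Get-PhysicalDisk | Select-Object FriendlyName, MediaType, HealthStatus, Usage
```

Parity spaces are cheaper per usable terabyte than mirrors but pay for it on writes; the slide's "data importance" question is what decides between the two, and a three-way mirror is the only layout here that tolerates a second failure during a rebuild.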

Share & NTFS
Share vs. NTFS permissions:
Share                                         | NTFS
Network only; no control over local access    | Local and network access
First line of defense                         | Primary tool to control access
Options are: Read, Change, Full Control       | Much more (granular and special permissions)
Applies to folders only                       | Applies to files & folders
No inheritance                                | Many options available for inheritance

Share
• Cumulative permissions apply (deny wins)
• Combined with NTFS permissions: the effective result is the more restrictive of the two
• Administrative shares (C$, ADMIN$, IPC$)
• Access-Based Enumeration
NTFS
• Change owner
• Inheritance apply order
• Permissions can be either additive or subtractive (start with all denied then allow, or start with all allowed then deny)
• Effective access is the result of applying these rules:
  • Deny overrides allow
  • Allow permissions are cumulative
  • Explicit permissions take precedence over inherited ones (so an explicit Allow beats an inherited Deny)
• Authorization is done against SIDs (the user's SID plus every group SID in the token), not against names
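The Share & NTFS slides as one worked setup, an added example (not course code): share permissions as the outer door, NTFS as the real control with inheritance cut and explicit ACEs, access-based enumeration, an explicit Deny on a subfolder, and the tools that show the effective result. Paths and group names are assumptions.

```powershell
# Added example (not from the course slides). Paths and group names are assumptions.
$path = 'D:\Shares\Sales'
New-Item -Path $path, "$path\Contracts", "$path\Orphaned" -ItemType Directory -Force | Out-Null

# Share permissions (network door only): grant per group, never Everyone/Full. ABE hides what a user cannot open.
New-SmbShare -Name 'Sales' -Path $path -FullAccess 'ADATUM\Sales-Share-RW' -ReadAccess 'ADATUM\Sales-Share-RO'
Set-SmbShare -Name 'Sales' -FolderEnumerationMode AccessBased -Force
Get-SmbShareAccess -Name 'Sales'

# NTFS: stop inheriting from D:\Shares (drop the inherited ACEs) and state the wanted ACEs explicitly
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)            # protected = no inheritance; $false = do not copy old ACEs
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',   'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators','FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('ADATUM\Sales-Share-RW', 'Modify',         $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('ADATUM\Sales-Share-RO', 'ReadAndExecute', $inherit, 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Subtractive case: an explicit Deny on one subfolder wins over the Allow inherited from $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule('ADATUM\Contractors', 'Delete', $inherit, 'None', 'Deny')
$sub = Get-Acl -Path "$path\Contracts"; $sub.AddAccessRule($deny); Set-Acl -Path "$path\Contracts" -AclObject $sub

# Effective access = the more restrictive of share and NTFS, evaluated on the token's SIDs (user + groups).
# icacls lists explicit ACEs first (they are evaluated first); (I) marks inherited ones.
icacls "$path\Contracts"

# Change owner: Administrators can always take ownership back, even when all ACEs were removed
takeown /F "$path\Orphaned" /A /R /D Y
```

Modify rather than Full Control for the read/write group is deliberate: Full Control includes changing permissions and taking ownership, which lets any member lock the folder to themselves. A user who is in both Sales-Share-RW and Contractors still cannot delete in Contracts, which is the "deny overrides allow" rule in action.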

Offline Files
• Applies to network shares
• Files stay available when disconnected
• Highly reliable sync mechanism
• Can be configured using the share's offline settings or by GPO
• Needs to be enabled first, then applied on folders

Disk Quotas
• Limit disk usage
• Enabled at the volume level
• Soft quota & hard quota
• File Server Resource Manager (FSRM) is handy
• FSRM can apply quotas on folders; Windows Explorer only on volumes
• File screening, data deduplication
• Storage reports management
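Quotas both ways from the slide, as an added example (not course code): the volume-level NTFS quota (what Explorer exposes) beside FSRM folder quotas with a template and auto-apply, soft versus hard limits, file screening, deduplication and a storage report. Paths, sizes and the user are assumptions.

```powershell
# Added example (not from the course slides). Paths, sizes and the user are assumptions.
Install-WindowsFeature -Name FS-Resource-Manager, FS-Data-Deduplication -IncludeManagementTools

# Volume-level NTFS quota (the Explorer "Quota" tab): per user, whole volume; threshold (soft) then limit (hard), in bytes
fsutil quota track D:
fsutil quota modify D: 4500000000 5000000000 ADATUM\eander

# FSRM: quotas on folders. Template with a warning at 85%, auto-applied to every subfolder of D:\Home
$warn = New-FsrmAction -Type Event -EventType Warning -Body 'Quota at 85% on [Quota Path]'
New-FsrmQuotaTemplate -Name 'Home-5GB' -Size 5GB -Threshold (New-FsrmQuotaThreshold -Percentage 85 -Action $warn)
New-FsrmAutoQuota -Path 'D:\Home' -Template 'Home-5GB'
# Soft quota: report and notify but never block; hard quota (the default) refuses the write
New-FsrmQuota -Path 'D:\Shares\Sales' -Size 50GB -SoftLimit
Get-FsrmQuota | Select-Object Path, Size, Usage, SoftLimit

# File screening: block executables and media in user shares (-Active blocks; without it, only logs)
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup 'Executable Files', 'Audio and Video Files' -Active

# Deduplication: NTFS only (not ReFS); on 2012 R2 not for running VMs or databases. Files older than 3 days
Enable-DedupVolume -Volume D: -UsageType Default
Set-DedupVolume -Volume D: -MinimumFileAgeDays 3
Start-DedupJob -Volume D: -Type Optimization
Get-DedupStatus | Select-Object Volume, SavedSpace, SavingsRate

# Storage report on demand
New-FsrmStorageReport -Name 'LargeFiles' -Namespace 'D:\Shares' -ReportType LargeFiles -Interactive
```

File screening matches on extension only, so it stops users parking media on the share, not a determined attacker who renames a payload; treat it as a housekeeping control, not a security boundary.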

Volume Shadow Copy
• Used in VM snapshots
• Used by backup operations (Windows Server Backup, Acronis)
• Used for file recovery
In file recovery:
• Quick restore for accidental deletions
• Scheduled
• Used on the machine itself, not only on shares
• VSS (Shadow Copies of Shared Folders) is configured under the volume properties
• On client Windows, the local-volume "Previous Versions" UI was replaced by File History starting with Windows 8; VSS itself remains, and Previous Versions of network shares still work against the server's shadow copies
• On servers, it is enabled under the drive's properties (Shadow Copies tab) in Disk Management
• Once enabled, the default schedule creates two copies per weekday, at 7:00 AM and 12:00 PM (at most 64 shadow copies per volume are kept)
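Shadow copies on a server volume from the command line, as an added example (not course code): storage on a separate volume, a manual and a scheduled copy, and recovering a deleted file by mounting a shadow copy. Volume letters, the file and the schedule are assumptions.

```powershell
# Added example (not from the course slides). Volumes, paths and the schedule are assumptions.

# Storage for D:'s shadow copies on E: (separate spindle avoids the I/O contention), capped at 10%
vssadmin add shadowstorage /for=D: /on=E: /maxsize=10%
vssadmin create shadow /for=D:
vssadmin list shadows /for=D:

# Same cadence as the GUI default (weekdays 07:00 and 12:00); the GUI names its tasks ShadowCopyVolume{GUID}
schtasks /create /tn 'VSS-D-0700' /tr 'vssadmin create shadow /for=D:' /sc weekly /d MON,TUE,WED,THU,FRI /st 07:00 /ru SYSTEM
schtasks /create /tn 'VSS-D-1200' /tr 'vssadmin create shadow /for=D:' /sc weekly /d MON,TUE,WED,THU,FRI /st 12:00 /ru SYSTEM

# From PowerShell: create one via WMI, mount it read-only, copy a deleted file back, unmount
$result = (Get-WmiObject -List Win32_ShadowCopy).Create('D:\', 'ClientAccessible')
$dev    = (Get-WmiObject -Class Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'").DeviceObject
cmd /c mklink /d C:\vss_d "$dev\"                     # trailing backslash is required
Copy-Item -Path 'C:\vss_d\Shares\Sales\report.xlsx' -Destination 'D:\Shares\Sales\report.xlsx'
cmd /c rmdir C:\vss_d

# Users do the same from Explorer: right-click the share > Properties > Previous Versions
```

Shadow copies live on the same server as the data, so ransomware or a malicious administrator can delete them with the same vssadmin command; they are a convenience for accidental deletions, not a substitute for the backups the slide lists above.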

Work Folders
• Similar to the Offline Files feature
• Allows access from domain-joined & non-domain-joined workstations
• Enables managing BYOD
• Transparent conflict resolution
• Hub-spoke topology
• Works with file screening, classification (can classify documents), and quotas
• Security policies for encryption and screen lock (data security if the device is stolen)

Work Folders Configuration
Server side:
• Define appropriate users and groups
• Add & configure the "Work Folders" role service
• DNS (workfolders.domain.com)
• Certificates (HTTPS is required)
• Proxy (reverse proxy / Web Application Proxy for Internet access)
Client side:
• Control Panel configuration
• Access using "Work Folders"
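The server-side list above as PowerShell, an added example (not course code): the role service, a sync share with the device policies the slide mentions, the HTTPS binding, and the DNS name clients discover. The share path, the group, the server name and the certificate subject are assumptions.

```powershell
# Added example (not from the course slides). Path, group, host and certificate subject are assumptions.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Sync share: one folder per user under the root, limited to the group. The two policies are enforced on the
# device before it may sync: encrypt the Work Folders data and require a lock screen with a password/PIN.
New-SyncShare -Name 'WF-Staff' -Path 'D:\WorkFolders' -User 'ADATUM\WF-Users' `
    -RequireEncryption $true -RequirePasswordAutoLock $true -UserFolderName user@domain

# HTTPS only: bind a certificate whose subject covers workfolders.adatum.com (the name used for discovery).
# The appid is the Work Folders application ID from Microsoft's deployment guidance.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*workfolders.adatum.com*' } | Select-Object -First 1
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid={CE66697B-3AA0-49D1-BDBD-F79035430429}" certstorename=MY

# Auto-discovery: clients resolve workfolders.<domain> and then look up the user's share
Add-DnsServerResourceRecordCName -ZoneName 'adatum.com' -Name 'workfolders' -HostNameAlias 'fs01.adatum.com'

Get-SyncShare | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
```

Publishing the server to the Internet for BYOD goes through a reverse proxy (Web Application Proxy on 2012 R2) rather than a port-forward; the sync share itself still only trusts the certificate and the device policy state.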

Printers
Definitions:
• Print device (the hardware)
• Printer (the logical queue in Windows)
• Print server
• Printer driver
Printing workflow: PC > Printer > Driver > Print server > Print device

Network printers & local printers
• Central management, drivers, easier to install, queue management, less cost

Printer Management MMC
• Printer filtering
• Creating multiple instances (objects) of a printer, e.g. to give higher priority to managers

Printing options:
• Direct print
• Locally attached printer sharing
• Network-attached printing
• Network-attached printer sharing
Printer pool: identical devices ONLY
Adding a 32-bit driver to a 64-bit server
Easy Print
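The printer slides as PowerShell, an added example (not course code): a TCP/IP port, a driver, two printer objects on the same device with different priorities, the 32-bit driver for a 64-bit server, publishing, and queue management. The device address, driver name and INF path are assumptions.

```powershell
# Added example (not from the course slides). Address, driver name and INF path are assumptions.
Install-WindowsFeature -Name Print-Services -IncludeManagementTools

# Port to the network-attached print device, and the 64-bit driver (must be in the driver store already)
Add-PrinterPort -Name 'IP_10.0.1.200' -PrinterHostAddress '10.0.1.200'
Add-PrinterDriver -Name 'HP Universal Printing PCL 6'

# Two printer objects (instances) on the same port: priority runs 1-99, higher wins, so the managers'
# queue is serviced first when both have jobs waiting
Add-Printer -Name 'Sales-Printer'      -DriverName 'HP Universal Printing PCL 6' -PortName 'IP_10.0.1.200' -Shared -ShareName 'Sales-Printer'
Add-Printer -Name 'Sales-Printer-Mgmt' -DriverName 'HP Universal Printing PCL 6' -PortName 'IP_10.0.1.200' -Shared -ShareName 'Sales-Mgmt'
Set-Printer -Name 'Sales-Printer-Mgmt' -Priority 99
Set-Printer -Name 'Sales-Printer' -Published $true          # list it in AD so clients can find it

# 32-bit driver on a 64-bit server for legacy clients: stage the x86 INF, then add it for the x86 environment
pnputil.exe -a 'C:\Drivers\x86\hpcu215u.inf'
Add-PrinterDriver -Name 'HP Universal Printing PCL 6' -PrinterEnvironment 'Windows NT x86'

# Queue management: stuck jobs, then confirm the queue is clean
Get-PrintJob -PrinterName 'Sales-Printer' | Where-Object { $_.JobStatus -like '*Error*' } | Remove-PrintJob
Get-Printer | Select-Object Name, PortName, Priority, Shared, Published
```

Printer drivers run inside the spooler as SYSTEM, so the driver store is the place to control what gets installed; letting clients upload their own drivers to the server (the Point and Print defaults) is what to lock down in GPO after this.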

Firewall
Why Windows Firewall?
Firewall interfaces:
• Control Panel
• Windows Firewall with Advanced Security
• NetSH
• PowerShell
• GPO
Hardware firewall & software firewall
Firewall profiles (modes): Domain, Private (Work, Home), Public
Opening a port vs. allowing an application
Connection security rules (IPsec)
Importing & exporting rules
Configuring the firewall under GPO: Computer > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
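The firewall slides as PowerShell and netsh, an added example (not course code): profile defaults, a port rule beside a program rule, a connection security (IPsec) rule, export/import, and an audit of what is open. Addresses, the program path and the rule names are assumptions.

```powershell
# Added example (not from the course slides). Addresses, program path and rule names are assumptions.

# Profiles follow the network location: Domain (a DC is reachable), Private (Work/Home), Public.
# Default inbound Block is what makes every later rule an explicit exception.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Port rule vs. program rule: the port rule opens TCP/80 for whatever listens; the program rule opens only
# what that one binary listens on. Scope both to the profile and to the source range that needs them.
New-NetFirewallRule -DisplayName 'Web-Intranet-80' -Direction Inbound -Protocol TCP -LocalPort 80 `
    -Profile Domain -RemoteAddress 10.0.0.0/8 -Action Allow
New-NetFirewallRule -DisplayName 'App-Agent' -Direction Inbound -Program 'C:\Program Files\Agent\agent.exe' `
    -Profile Domain -Action Allow

# Connection security rule: RDP to this server must be IPsec-authenticated (computer Kerberos by default)
New-NetIPsecRule -DisplayName 'Require-Auth-RDP' -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 3389 -Profile Domain

# Export / import the whole policy (the GPO path on the slide does the same fleet-wide)
netsh advfirewall export 'C:\Backup\fw-policy.wfw'
netsh advfirewall import 'C:\Backup\fw-policy.wfw'

# Audit: which enabled inbound allow rules open which ports, and who the web rule admits
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -ne 'Any' } |
    Select-Object Protocol, LocalPort -Unique
Get-NetFirewallRule -DisplayName 'Web-Intranet-80' | Get-NetFirewallAddressFilter
```

Exporting before importing is the cheap safety net: a .wfw import replaces the entire policy, including the rules the roles you installed created for themselves.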