20411B-ENU-TrainerHandbook.pdf
8/21/2019 20411B-ENU-TrainerHandbook.pdf
http://slidepdf.com/reader/full/20411b-enu-trainerhandbookpdf 1/523
OFFICIAL MICROSOFT LEARNING PRODUCT
20411B Administering Windows Server® 2012
ii Administering Windows Server® 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
Product Number: 20411B
Part Number: X18-77105
Released: 12/2012
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. “End User” means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. “Microsoft IT Academy Member” means a current, active member of the Microsoft IT Academy
Program.
h. “Microsoft Learning Competency Member” means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. “Microsoft Official Course” or “MOC Course” means the Official Microsoft Learning Product instructor-
led courseware that educates IT professionals or developers on Microsoft technologies.
j. “Microsoft Partner Network Member” or “MPN Member” means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. “Personal Device” means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. “Trainer Content” means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
a. If you are an Authorized Learning Center:
i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
b. If you are a MPN Member:
i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
c. If you are an End User:
You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.
d. If you are a MCT:
i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of “customize” refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.
2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable
installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (“beta”) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (“beta term”). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else’s use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• install more copies of the Licensed Content on devices than the number of licenses you acquired;
• allow more individuals to access the Licensed Content than the number of licenses you acquired;
• publicly display, or make the Licensed Content available for others to access or use;
• install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
• access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
• access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
• transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.
This limitation applies to
o anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". You bear all risk of using this Licensed
Content. Microsoft gives no other express warranties. You may have additional consumer rights under your
local law which this agreement cannot change. Where permitted by your local law, the implied warranties of
merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers
compensation for direct damages only, up to US$5.00. You cannot recover any other damages, including
special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, to services, or to content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damages. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
Revised December 2011
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Andrew J. Warren – Content Developer
Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a subject matter expert for many of the Windows Server®
2008 courses, and the technical lead on a number of other courses. He also has been involved in
developing TechNet sessions on Microsoft® Exchange Server 2007. Based in the United Kingdom, Andrew
runs his own IT training and education consultancy.
Jason Kellington – Content Developer
Jason Kellington (Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and
Microsoft Certified Solutions Expert (MCSE)) is a consultant, trainer, and author. He has experience working
with a wide range of Microsoft technologies, focusing on enterprise network infrastructure. Jason works in
several capacities with Microsoft. He is a content developer for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press®.
Brian Desmond – Technical Reviewer
Brian Desmond is a Microsoft Most Valuable Professional (MVP) and consultant based out of Chicago,
Illinois. Brian focuses on Active Directory®, Exchange Server, and Identity Management projects for global
enterprise customers. Brian is the author of Active Directory, 4th Edition (O’Reilly), and numerous articles
in industry leading publications such as Windows IT Pro magazine. A frequent traveler, Brian can usually be
found on the road speaking at conferences and visiting customers.
David Susemiehl – Content Developer
David Susemiehl has worked as consultant, trainer, and courseware developer since 1996. David has
extensive experience consulting on Microsoft Systems Management Server and Microsoft System Center
Configuration Manager 2007, as well as Active Directory, Exchange Server, and Terminal Server/Citrix
deployments. David has developed courseware for Microsoft and Hewlett-Packard, and
delivered those courses successfully in Europe, Central America, and across North America. For the last
several years, David has been writing courseware for Microsoft Learning, and consulting on infrastructure
transitions in Michigan.
Contents
Module 1: Deploying and Maintaining Server Images
Lesson 1: Overview of Windows Deployment Services 1-2
Lesson 2: Implementing Deployment with Windows Deployment Services 1-8
Lesson 3: Administering Windows Deployment Services 1-14
Lab: Using Windows Deployment Services to Deploy
Windows Server 2012 1-20
Module 2: Configuring and Troubleshooting Domain Name System
Lesson 1: Installing the DNS Server Role 2-2
Lesson 2: Configuring the DNS Server Role 2-8
Lesson 3: Configuring DNS Zones 2-14
Lesson 4: Configuring DNS Zone Transfers 2-19
Lesson 5: Managing and Troubleshooting DNS 2-22
Lab: Configuring and Troubleshooting DNS 2-30
Module 3: Maintaining Active Directory Domain Services
Lesson 1: Overview of AD DS 3-2
Lesson 2: Implementing Virtualized Domain Controllers 3-7
Lesson 3: Implementing Read-Only Domain Controllers 3-11
Lesson 4: Administering AD DS 3-15
Lesson 5: Managing the AD DS Database 3-23
Lab: Maintaining AD DS 3-32
Module 4: Managing User and Service Accounts
Lesson 1: Automating User Account Management 4-2
Lesson 2: Configuring Password-Policy and User-Account
Lockout Settings 4-7
Lesson 3: Configuring Managed Service Accounts 4-14
Lab: Managing User and Service Accounts 4-20
Module 5: Implementing a Group Policy Infrastructure
Lesson 1: Introducing Group Policy 5-2
Lesson 2: Implementing and Administering GPOs 5-10
Lesson 3: Group Policy Scope and Group Policy Processing 5-16
Lesson 4: Troubleshooting the Application of GPOs 5-31
Lab: Implementing a Group Policy Infrastructure 5-38
Module 6: Managing User Desktops with Group Policy
Lesson 1: Implementing Administrative Templates 6-2
Lesson 2: Configuring Folder Redirection and Scripts 6-7
Lesson 3: Configuring Group Policy Preferences 6-12
Lesson 4: Managing Software with Group Policy 6-16
Lab: Managing User Desktops with Group Policy 6-19
Module 7: Configuring and Troubleshooting Remote Access
Lesson 1: Configuring Network Access 7-2
Lesson 2: Configuring VPN Access 7-19
Lesson 3: Overview of Network Policies 7-19
Lesson 4: Troubleshooting Routing and Remote Access 7-25
Lab A: Configuring Remote Access 7-30
Lesson 5: Configuring DirectAccess 7-34
Lab B: Configuring DirectAccess 7-47
Module 8: Installing, Configuring, and Troubleshooting the
Network Policy Server Role
Lesson 1: Installing and Configuring a Network Policy Server 8-2
Lesson 2: Configuring RADIUS Clients and Servers 8-6
Lesson 3: NPS Authentication Methods 8-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 8-20
Lab: Installing and Configuring a Network Policy Server 8-25
Module 9: Implementing Network Access Protection
Lesson 1: Overview of Network Access Protection 9-2
Lesson 2: Overview of NAP Enforcement Processes 9-7
Lesson 3: Configuring NAP 9-14
Lesson 4: Monitoring and Troubleshooting NAP 9-19
Lab: Implementing NAP 9-23
Module 10: Optimizing File Services
Lesson 1: Overview of FSRM 10-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and
Storage Reports 10-7
Lesson 3: Implementing Classification and File Management Tasks 10-16
Lab A: Configuring Quotas and File Screening Using FSRM 10-22
Lesson 4: Overview of DFS 10-26
Lesson 5: Configuring DFS Namespaces 10-33
Lesson 6: Configuring and Troubleshooting DFS-R 10-37
Lab B: Implementing DFS 10-41
Module 11: Configuring Encryption and Advanced Auditing
Lesson 1: Encrypting Files by Using Encrypting File System 11-2
Lesson 2: Configuring Advanced Auditing 11-6
Lab: Configuring Encryption and Advanced Auditing 11-13
Module 12: Implementing Update Management
Lesson 1: Overview of WSUS 12-2
Lesson 2: Deploying Updates with WSUS 12-5
Lab: Implementing Update Management 12-9
Module 13: Monitoring Windows Server 2012
Lesson 1: Monitoring Tools 13-2
Lesson 2: Using Performance Monitor 13-8
Lesson 3: Monitoring Event Logs 13-16
Lab: Monitoring Windows Server 2012 13-19
Lab Answer Keys
Module 1 Lab: Using Windows Deployment Services to Deploy Windows Server 2012 L1-1
Module 2 Lab: Configuring and Troubleshooting DNS L2-7
Module 3 Lab: Maintaining AD DS L3-13
Module 4 Lab: Managing User and Service Accounts L4-21
Module 5 Lab: Implementing a Group Policy Infrastructure L5-25
Module 6 Lab: Managing User Desktops with Group Policy L6-33
Module 7 Lab A: Configuring Remote Access L7-39
Module 7 Lab B: Configuring DirectAccess L7-45
Module 8 Lab: Installing and Configuring a Network Policy Server L8-59
Module 9 Lab: Implementing NAP L9-63
Module 10 Lab A: Configuring Quotas and File Screening Using FSRM L10-71
Module 10 Lab B: Implementing DFS L10-75
Module 11 Lab: Configuring Encryption and Advanced Auditing L11-79
Module 12 Lab: Implementing Update Management L12-83
Module 13 Lab: Monitoring Windows Server 2012 L13-87
About This Course xvii
About This Course
This section provides you with a brief description of the course—20411B: Administering Windows Server® 2012—its audience, suggested prerequisites, and course objectives.
Course Description
The main objective of this course is to configure and maintain core infrastructure services in a Windows Server 2012 enterprise environment. The primary audience for this course is Information Technology (IT) professionals who have successfully implemented a Microsoft® Windows Server 2008 server, either in an existing enterprise infrastructure or as a standalone installation, and who wish to acquire the skills and knowledge necessary to broaden that implementation to manage and maintain the core infrastructure required for a Windows Server 2008 environment. Candidates must also have knowledge equivalent to that already covered in the Windows Server 2012 Enterprise Core 1 course, because this course builds upon that knowledge.
Audience
This course is intended for students who want to broaden the initial deployment of services covered in Core 1, and to gain the skills necessary to manage and maintain a domain-based Windows Server 2012 infrastructure. Candidates would typically be system administrators and must have at least one year's experience working in a Windows Server 2012 or Windows® 8 environment. The secondary audience for this course is candidates aspiring to acquire the Microsoft Certified Solutions Associate (MCSA) credential, either in its own right or as a step toward the Microsoft Certified Solutions Expert (MCSE) credentials, for which this course is a prerequisite.
Student Prerequisites
This course requires that you have the ability to meet the following prerequisites:
• Install and Configure Windows Server 2012 into existing enterprise environments, or as standalone
installations.
• Configure local storage.
• Configure roles and features.
• Configure file and print services.
• Configure Windows Server 2012 servers for local and remote administration.
• Configure IPv4 and IPv6 addresses.
• Configure Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services.
• Install domain controllers.
• Create and configure users, groups, computers and organizational units (OUs).
• Create and manage Group Policies.
• Configure local security policies.
Course Objectives
After completing this course, students will be able to:
• Deploy, manage, and maintain servers.
• Configure file and print services.
• Configure network services and access.
• Configure a network policy server infrastructure.
• Configure and manage Active Directory® Domain Services (AD DS).
• Configure and manage Group Policy.
Course Outline
The course outline is as follows:
Module 1, “Deploying and Maintaining Server Images”
Module 2, “Configuring and Troubleshooting Domain Name System”
Module 3, “Maintaining Active Directory Domain Services”
Module 4, “Managing User and Service Accounts”
Module 5, “Implementing a Group Policy Infrastructure”
Module 6, “Managing User Desktops with Group Policy”
Module 7, “Configuring and Troubleshooting Remote Access”
Module 8, “Installing, Configuring, and Troubleshooting the Network Policy Server Role”
Module 9, “Implementing Network Access Protection”
Module 10, “Optimizing File Services”
Module 11, “Configuring Encryption and Advanced Auditing”
Module 12, “Implementing Update Management”
Module 13, “Monitoring Windows Server 2012”
Exam/Course Mapping
This course, 20411B: Administering Windows Server® 2012, has a direct mapping of its content to the objective domain for the Microsoft Exam 70-411: Administering Windows Server 2012.
The following table is provided as a study aid to assist you in preparing for this exam, and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course also contains content that is not directly covered in the examination, and draws on the unique experience and skills of your qualified Microsoft Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-411#tab2.
Exam 70-411: Administering Windows Server 2012
Exam Objective Domain / Course Content (Module, Lesson, Lab)

Deploy, Manage, and Maintain Servers (17%)

Deploy and manage server images.
  This objective may include but is not limited to: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images.
  Course content: Mod 1, Lesson 1/2/3; Lab: Mod 1, Ex 1/2/3/4

Implement patch management.
  This objective may include but is not limited to: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups.
  Course content: Mod 12, Lesson 1/2; Lab: Mod 12, Ex 1/2/3

Monitor servers.
  This objective may include but is not limited to: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring.
  Course content: Mod 13, Lesson 1/2/3; Lab: Mod 13, Ex 1/2/3

Configure File and Print Services (15%)

Configure Distributed File System (DFS).
  This objective may include but is not limited to: Install and configure DFS namespaces; configure DFS Replication targets; configure replication scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance.
  Course content: Mod 10, Lesson 4/5/6; Lab: Mod 10 Lab B, Ex 1/2/3

Configure File Server Resource Manager (FSRM).
  This objective may include but is not limited to: Install the FSRM role; configure quotas; configure file screens; configure reports.
  Course content: Mod 10, Lesson 1/2/3; Lab: Mod 10 Lab A, Ex 1/2

Configure file and disk encryption.
  This objective may include but is not limited to: Configure BitLocker encryption; configure the Network Unlock feature; configure BitLocker policies; configure the EFS recovery agent; manage EFS and BitLocker certificates, including backup and restore.
  Course content: Mod 11, Lesson 1; Lab: Mod 11, Ex 1

Configure advanced audit policies.
  This objective may include but is not limited to: Implement auditing using Group Policy and AuditPol.exe; create expression-based audit policies; create removable device audit policies.
  Course content: Mod 11, Lesson 2; Lab: Mod 11, Ex 2

Configure Network Services and Access (17%)

Configure DNS zones.
  This objective may include but is not limited to: Configure primary and secondary zones; configure stub zones; configure conditional forwarders; configure zone and conditional forwarder storage in Active Directory; configure zone delegation; configure zone transfer settings; configure notify settings.
  Course content: Mod 2, Lesson 1/3/4; Lab: Mod 2, Ex 2/4

Configure DNS records.
  This objective may include but is not limited to: Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records; configure zone scavenging; configure record options including Time To Live (TTL) and weight; configure round robin; configure secure dynamic updates.
  Course content: Mod 2, Lesson 2/5; Lab: Mod 2, Ex 1/3

Configure VPN and routing.
  This objective may include but is not limited to: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing.
  Course content: Mod 7, Lesson 1/2/3/4; Lab: Mod 7 Lab A, Ex 1/2

Configure DirectAccess.
  This objective may include but is not limited to: Implement server requirements; implement client configuration; configure DNS for DirectAccess; configure certificates for DirectAccess.
  Course content: Mod 7, Lesson 5; Lab: Mod 7 Lab B, Ex 1/2/3

Configure a Network Policy Server Infrastructure (14%)

Configure Network Policy Server (NPS).
  This objective may include but is not limited to: Configure multiple RADIUS server infrastructures; configure RADIUS clients; manage RADIUS templates; configure RADIUS accounting; configure certificates.
  Course content: Mod 8, Lesson 3/4; Lab: Mod 8, Ex 2

Configure NPS policies.
  This objective may include but is not limited to: Configure connection request policies; configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing); manage NPS templates; import and export NPS policies.
  Course content: Mod 6, Lesson 2; Mod 8, Lesson 1/2; Lab: Mod 8, Ex 1

Configure Network Access Protection (NAP).
  This objective may include but is not limited to: Configure System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure NAP client settings.
  Course content: Mod 9, Lesson 1/2/3/4; Lab: Mod 9, Ex 1/2/3

Configure and Manage Active Directory (19%)

Configure service authentication.
  This objective may include but is not limited to: Create and configure Service Accounts; create and configure Group Managed Service Accounts; create and configure Managed Service Accounts; configure Kerberos delegation; manage Service Principal Names (SPNs).
  Course content: Mod 4, Lesson 1/2/3; Lab: Mod 4, Ex 1/2

Configure Domain Controllers.
  This objective may include but is not limited to: Configure Universal Group Membership Caching (UGMC); transfer and seize operations masters; install and configure a read-only domain controller (RODC); configure Domain Controller cloning.
  Course content: Mod 3, Lesson 1/2/3; Lab: Mod 3, Ex 1/2

Maintain Active Directory.
  This objective may include but is not limited to: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore.
  Course content: Mod 3, Lesson 1/3/4/5; Lab: Mod 3, Ex 2/3

Configure account policies.
  This objective may include but is not limited to: Configure domain user password policy; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure local user password policy; configure account lockout settings.
  Course content: Mod 4, Lesson 1/2/3; Lab: Mod 4, Ex 1

Configure and Manage Group Policy (18%)

Configure Group Policy processing.
  This objective may include but is not limited to: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior.
  Course content: Mod 5, Lesson 1/3/4; Lab: Mod 5, Ex 1/2

Configure Group Policy settings.
  This objective may include but is not limited to: Configure settings including software installation, folder redirection, scripts, and administrative template settings; import security templates; import custom administrative template file; convert administrative templates using ADMX Migrator; configure property filters for administrative templates.
  Course content: Mod 6, Lesson 1/2/4; Lab: Mod 6, Ex 2

Manage Group Policy objects (GPOs).
  This objective may include but is not limited to: Back up, import, copy, and restore GPOs; create and configure Migration Table; reset default GPOs; delegate Group Policy management.
  Course content: Mod 5, Lesson 2; Lab: Mod 5, Ex 4

Configure Group Policy preferences.
  This objective may include but is not limited to: Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment; configure item-level targeting.
  Course content: Mod 6, Lesson 1/2/3; Lab: Mod 6, Ex 1
Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
• Real-world, hands-on experience administering, managing and maintaining a Windows Server 2012
infrastructure.
• Additional study outside of the content in this handbook.
There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-411#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-411#tab1
The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to change at any time. Microsoft bears no responsibility for any discrepancies between the version published here and the version available online, and will provide no notification of such changes.
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s
needed.
• Course Companion Content on the http://www.microsoft.com/learning/companionmoc site: Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
• Student Course files on the http://www.microsoft.com/learning/companionmoc site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
• To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Hyper-V® to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course.
Virtual machine      Role
20411B-LON-DC1       Windows Server 2012 domain controller for the Adatum.com domain
20411B-LON-CL1       Windows 8 client computer in the Adatum.com domain
20411B-LON-CL2       Windows 8 client computer in the Adatum.com domain
20411B-LON-SVR1      Windows Server 2012 server computer in the Adatum.com domain
20411B-LON-SVR3      No operating system installed
20411B-LON-SVR4      Windows Server 2012 server computer in the Adatum.com domain
20411B-LON-RTR       Windows Server 2012 server computer in the Adatum.com domain
Software Configuration
The following software is installed on each virtual machine:
• Network Monitor 3.4 is installed on LON-SVR2.
Course Files
There are lab files associated with the labs in this course. The lab files are located in the folder
E:\Labfiles\LabXX on NYC-DC1.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
• Hardware level 6 with 8 gigabytes (GB) of random access memory (RAM)
Navigation in Windows Server 2012
If you are not familiar with the user interface in Windows Server 2012 or Windows 8 then the following
information will help orient you to the new interface.
• Sign in and Sign out replace Log in and Log out.
• Administrative tools are found in the Tools menu of Server Manager.
• Move your mouse to the lower right corner of the desktop to open a menu with:
  • Settings: This includes Control Panel and Power
  • Start menu: This provides access to some applications
  • Search: This allows you to search applications, settings, and files
You may also find the following shortcut keys useful:
• Windows: Opens the Start menu
• Windows+C: Opens the same menu as moving the mouse to the lower right corner
• Windows+I: Opens Settings
• Windows+R: Opens the Run window
1-1
Module 1
Deploying and Maintaining Server Images
Contents:
Module Overview 1-1
Lesson 1: Overview of Windows Deployment Services 1-2
Lesson 2: Implementing Deployment with Windows Deployment Services 1-8
Lesson 3: Administering Windows Deployment Services 1-14
Lab: Using Windows Deployment Services to Deploy Windows Server 2012 1-20
Module Review and Takeaways 1-26
Module Overview
Larger organizations need deployment technologies that can reduce or eliminate user interaction during
the deployment process. You can use the Deployment Services role in Windows Server® 2012 and
Windows Server 2008 to help support both lite-touch and zero-touch, high-volume deployments. This
module explores the functionality of Windows Deployment Services, and explains how to use Windows
Deployment Services tools to perform lite-touch deployments.
Objectives
After completing this module, students will be able to:
• Describe the important features and functionality of Windows Deployment Services.
• Configure Windows Deployment Services in Windows Server 2012.
• Perform deployments with Windows Deployment Services.
1-2 Deploying and Maintaining Server Images
Lesson 1
Overview of Windows Deployment Services
Windows Deployment Services enables you to deploy Windows® operating systems. You can use a
network-based installation of Windows Deployment Services to deploy these operating systems on new
computers. This means that you do not have to be physically present at each computer. In addition, you do not have to install each operating system directly from local media. Consequently, Windows
Deployment Services scales well to support the deployment needs of larger organizations.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the function of Windows Deployment Services.
• Describe the components of Windows Deployment Services.
• Describe the benefits of Windows Deployment Services.
• Identify how to use Windows Deployment Services to support various deployment scenarios.
What Is Windows Deployment Services?
Windows Deployment Services is a server role
provided with Windows Server 2012. It provides
the following functions:
• Enables you to perform network-based
installations.
• Simplifies the deployment process.
• Supports deployment to computers that have no current operating system.
• Provides end-to-end deployment solutions
for both client and server computers.
• Uses existing technologies, such as Windows Preinstallation Environment (Windows PE), Windows
image (.wim) file and Virtual Hard Disk (.vhd) image files, and image-based deployment.
Windows Deployment Services enables automated deployment of Windows operating systems. You can
completely automate deployment of the following operating systems:
• Windows XP
• Windows Server 2003
• Windows Vista® with Service Pack 1 (SP1)
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows Server 2012
Windows Deployment Services provides the ability to create, store, and deploy installation images of
supported operating systems, and supports .wim and .vhd image files. Deployment now can be unicast or
multicast. Using multicasting enables more effective management of network traffic that the deployment
process consumes. This potentially speeds up deployment without affecting other network services
adversely.
Operating Systems with Components
Windows Deployment Services integrates closely with Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. One important example of this integration is the component-based design of these operating systems. These operating systems consist of self-describing elements, known as components. Self-describing refers to the fact that the elements contain a manifest that lists the different configuration options that you can set for each component. You can see the features and configurations for each component. Updates, service packs, and language packs are themselves components that are applied on top of the componentized operating system.
Drivers also are considered separate, configurable components. The primary benefit of this is that you can install components such as hotfixes, service packs, and drivers into an offline operating system image. Instead of updating complete images each time a new update, service pack, or driver becomes available, you can install these components into the offline image so that Windows applies them when you deploy the image.
When deploying the images to the hard disk of a new computer, the system receives the base image with
each of the components added, before the system boots for the first time.
If your organization is multilingual or international, you can take advantage of the language-neutral nature of the latest Windows operating systems. The number of images that you need to maintain shrinks again, because there are no longer localized versions. Some Windows operating system editions limit the number of language packs that you can install. You can add or remove language packs from a system as necessary and at any time without otherwise altering the installation.
If you need to support multiple languages, you add all of the necessary language packs to your
deployment .wim file and then activate them as necessary, either on all computers or on specific
computers.
Windows Deployment Services Components
Windows Deployment Services provides a number
of distinct functions through a number of
identifiable components.
Windows Deployment Services Pre-Boot Execution Environment Server
The Pre-Boot Execution Environment (PXE) server provides the following functionality:
• Binds to network interfaces.
• Listens for incoming PXE requests.
• Formats the Dynamic Host Configuration Protocol (DHCP) response packets.
Windows Deployment Services client
The Windows Deployment Services client provides a graphical interface that is built on the
Windows Server setup graphical interface. It establishes a communication channel with the Windows
Deployment Services server and retrieves a list of install images on the Windows Deployment Services
server. Additionally, the Windows Deployment Services client provides status information at the target
computer during deployment.
Server Components
Additional server components include a Trivial File Transfer Protocol (TFTP) server that enables network-booting clients to load a boot image into memory. Also included are an image repository that contains boot images, install images, and the files needed specifically for network-boot support, and a shared folder that hosts the install images.
Multicasting Engine
Transmitting large operating system images over the network is more efficient with Windows Deployment
Services. However, pushing multi-gigabyte files across the network creates a large amount of network
traffic. By using the new multicast feature, you can further reduce the network cost of using Windows
Deployment Services deployment.With multicasting, the server sends the data a single time, and multiple targets receive the same data.
If you are deploying to multiple targets, this can cut the network traffic to a fraction of the equivalent
number of multiple unicast transmissions. Windows Deployment Services provides two types of
multicasting:
• Scheduled-cast. There are two ways that you can configure scheduled-cast:
  o Client count. When you specify a client count, the server waits until the defined count of connected clients is reached, and then it starts to send the information.
  o Point in time. When you specify a point in time, the server waits until the specified time and then begins deployment to connected client computers.
While scheduled-cast provides a more efficient use of the network, it is somewhat labor-intensive;
each target computer must be connected, turned on, and cued.
• Autocast. A target can join an Autocast at any time, and the server repeats the transmission as long as
targets are connected. If the target starts receiving the image in the middle, or if it misses some
portion of the image, it remains connected and collects the additional parts of the file when the
server restarts the transmission.
Question: What is the advantage of multicasting as opposed to unicasting in volume
deployment scenarios?
Why Use Windows Deployment Services?
Any organization that wants to reduce the
administrator interaction that is required
during deployment of Windows Server should
use Windows Deployment Services. Because of
its ability to support deployment from across
the network, potentially with no user interaction,
Windows Deployment Services allows
organizations to create a more autonomous
and efficient environment for installing Windows.
Consider the following scenarios.
Scenario 1
In a small network consisting of a single server
and around 25 Windows XP computers, you could use Windows Deployment Services to expedite the
upgrade process of the client computers to Windows 8. Once you have installed and configured the
Windows Deployment Services server role on the single server, you can use Windows Deployment Services
to perform the following tasks:
1. Add boot.wim from the sources folder of the Windows Server 2012 media as a boot image in Windows Deployment Services.
2. Add install.wim from the sources folder of the Windows 8 media as an install image.
3. Create a capture image from the boot image that you added previously.
Note: A capture image is a modified boot image that contains the necessary elements that enable you to capture a WIM file image from a configured reference computer.
4. Start your reference computer from the network using PXE.
5. Perform a standard installation of Windows 8 from the install.wim image.
6. Install office productivity applications and custom applications as required on the reference computer.
7. Generalize the reference computer with the System Preparation (Sysprep) tool.
8. Restart the reference computer from the network using PXE.
9. Connect to the capture image that you created, use it to capture the local operating system, and upload it back to the Windows Deployment Services server.
10. Start each of the existing target computers from the network using PXE, and connect to the appropriate boot image.
11. Select the custom install image.
12. Deployment starts.
Benefits to the organization in this scenario are:
• A standardized desktop computer image.
• Quick deployment of each computer with limited installer interaction.
This solution would not suit larger deployments, as you need the installer to start the deployment on the target computer. Additionally, the installer is required to select a disk partition on which to install the selected installation image.
Scenario 2
In the second scenario, a medium to large-sized organization wants to deploy multiple servers in branch
offices that are geographically dispersed. It would be time-consuming and expensive to send experienced
IT staff to each location to deploy the servers.
By using Windows Deployment Services, IT staff can address this issue:
1. Add boot.wim from the Windows Server 2012 media as a boot image in Windows Deployment Services.
2. Add install.wim from the Windows Server 2012 media as an install image.
3. Create a capture image.
4. Start the reference computer from the network.
5. Perform a standard installation of Windows Server 2012 from the install.wim image.
6. Customize the reference computer as required.
7. Generalize the reference computer.
8. Restart the reference computer.
9. Capture the reference Windows operating system, and upload it back to the Windows Deployment Services server.
10. Configure the necessary Active Directory® Domain Services (AD DS) computer accounts; this is known as prestaging the computer accounts.
11. Use Windows System Image Manager (SIM) in the Windows Automated Installation Kit (Windows ADK) to create an unattended answer file.
12. Configure the answer file for use with the captured installation image on Windows Deployment Services.
13. Configure a custom naming policy in Windows Deployment Services so that each server computer receives a suitable computer name during deployment.
14. Configure Windows Deployment Services to use a default boot image.
15. Configure Windows Deployment Services to respond to PXE requests and start deployment of the install image automatically.
16. Start each of the target computers from the network.
Note: To avoid a boot loop, it is advisable to configure the computer’s basic input/output
system (BIOS) to start up from the hard disk and then the network. For further information about
avoiding a boot loop, refer to the Windows Deployment Services Deployment Guide.
Benefits to the organization in this scenario are:
• Standardized server builds.
• Automatic domain-join following deployment.
• Automatic computer naming.
• Little or no installer interaction.
The solution does not implement multicast transmissions, nor does it use PXE referral. These technologies
could be used as well, to help manage network traffic during the deployment.
Discussion: How to Use Windows Deployment Services
Windows Deployment Services can be useful for many deployment scenarios involving Windows operating systems.
Question: The A. Datum Corporation IT staff is about to deploy Windows Server 2012 to various branch offices. The following information has been provided to the IT staff by management:
o The configuration of the various branch office servers is expected to be fairly consistent.
o There is no requirement to upgrade settings from existing servers, as these are new branch offices with no current IT infrastructure in place.
o Automation of the deployment process is important, as there are many servers to deploy.
How would you use Windows Deployment Services to aid deployment?
Question: A. Datum Corporation wants to deploy several dozen new servers in their head offices. These servers will be installed with Windows Server 2012. The following information has been provided to the IT staff by management:
o The configuration of the various servers is expected to vary slightly; there are two basic server configurations: full server, and Server Core.
o Managing network traffic is critical, as the network is near capacity.
How would you advise staff at A. Datum to proceed with the deployment?
Lesson 2
Implementing Deployment with Windows Deployment Services
While Windows Deployment Services is not complicated to install and configure, it is important that
you understand the makeup of its components, and how to correctly configure it. By doing this, you
will ensure that it provides the appropriate level of deployment automation, and that it addresses the
deployment needs of your organization. Once you install and configure Windows Deployment Services,
you must understand how to use it and its associated tools to create, manage, and deploy images to
computers within your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Windows Deployment Services components.
• Explain how to install and configure Windows Deployment Services.
• Explain the process of using Windows Deployment Services to deploy Windows Server.
Understanding Windows Deployment Services Components
When you deploy the Windows Deployment Services server role, you can choose from two configuration options. You can choose the default configuration, which deploys both the Deployment Server and Transport Server role services, or you can choose to deploy only the Transport Server role service. In this second scenario, the Deployment Server role service provides the image server; the Transport Server does not provide imaging functionality.
The Deployment Server enables an end-to-end deployment solution, while the Transport Server provides a platform that you use to create a custom multicast deployment solution.
The following table compares the two role services.
Requirements
  Deployment Server: AD DS, DHCP, and Domain Name System (DNS)
  Transport Server: No infrastructure requirements
PXE
  Deployment Server: Uses the default PXE provider
  Transport Server: You must create a PXE provider
Image server
  Deployment Server: Includes the Windows Deployment Services image server
  Transport Server: None
Transmission
  Deployment Server: Unicast and multicast
  Transport Server: Multicast only
Management
  Deployment Server: Both the WDSutil.exe command-line tool and the Windows Deployment Services Microsoft® Management Console (MMC) snap-in
  Transport Server: WDSutil.exe only
Target computer
  Deployment Server: Uses the Windows Deployment Services client or the Wdsmcast.exe tool
  Transport Server: Wdsmcast.exe only
Transport Server Functionality
You can use the Transport Server to provide the following functions:
• Boot from the network. The Transport Server provides only a PXE listener; this is the component that
listens and accepts incoming traffic. You must write a custom PXE provider to use a Transport Server
to boot a computer from the network.
• Multicasting. The multicast server in Windows Deployment Services consists of a multicast provider
and a content provider:
o Multicast provider. Transmits data over the network.
o Content provider. Interprets the data and passes it to the multicast provider. This is installed with both the Transport Servers and Deployment Server, and can be used to transfer any file type, although it has specific knowledge about the .wim image file format.
Windows Deployment Services Installation Requirements
The specific requirements for installing the Windows Deployment Services role depend on whether you
are deploying a Deployment Server or only a Transport Server.
To install a Deployment Server, your network and target server must meet the following requirements.
• AD DS. Your Windows Deployment Services server must be either a member of an AD DS domain or a
domain controller for an AD DS domain.
Note: The AD DS domain and forest functional levels are not relevant; all domain and
forest configurations support Windows Deployment Services.
• DHCP. You must have a working DHCP server with an active scope on the network. This is because
Windows Deployment Services uses PXE, which relies on DHCP to allocate IP configurations.
• DNS. You must have a working DNS server on the network so that client computers can locate the
required services for deployment.
• NTFS file system volume. The server running Windows Deployment Services requires an NTFS volume
for the image store. Windows Deployment Services accesses the image store within the context of the
logged on user. Therefore, deployment user accounts must have sufficient permissions on image files.
While not a requirement, the Windows ADK enables you to simplify the process for creating answer
(unattend.xml) files for use with automated Windows Deployment Services deployments.
Note: To install the Windows Deployment Services role, you must be a member of the
Local Administrators group on the server. To initialize the server, you must be a member of the
Domain Users group.
Installing and Configuring Windows Deployment Services
Once your network infrastructure meets the prerequisites, you can install the Windows Deployment Services server role.
Installing the Windows Deployment Services Server Role
Use the following high-level steps to provide guidance on installing the role.
1. Open Server Manager, and then add the Windows Deployment Services server role.
2. Choose whether you want to install the Deployment Server role service (which includes the Transport Server role), or just the Transport Server role service.
3. Complete the wizard to install the required role.
Initial Windows Deployment Services Configuration
Once Windows Deployment Services is installed, open Windows Deployment Services from Administrative
Tools, and then use the following high-level guidance to configure Windows Deployment Services.
1. Select your server in the Windows Deployment Services console, and launch the Configuration wizard.
2. Specify a location to store images. This location:
o Must be an NTFS partition.
o Must be large enough to accommodate the deployment images that you anticipate needing.
o Should be a separate physical disk from that on which the operating system is installed to help optimize performance.
3. If the DHCP server role is co-hosted on the Windows Deployment Services server, you must:
o Prevent the PXE server from listening on User Datagram Protocol (UDP) port 67; this port is used by DHCP.
o Configure DHCP option 60 to PXEClient; this enables the PXE client to locate the Windows Deployment Services server port.
Note: If you deploy Windows Deployment Services to a server that is already running the DHCP Server role, these changes are made automatically. If you subsequently add the DHCP Server role to a Windows Deployment Server, you must ensure that you make these changes.
4. Determine how you want the PXE server to respond to clients:
o The default is that the PXE server does not respond to any clients; this is useful when you are initially configuring Windows Deployment Services, as you do not yet have any images available for clients.
o Alternatively, you can choose to configure the PXE server to:
  - Respond to known client computers; these are computers that you have prestaged.
  - Respond to all client computers, whether you have prestaged them or not; if you select this option, you can additionally define that administrator approval is required for unknown computers. While awaiting approval, client computers are held in a pending queue.
Note: If necessary, you can reconfigure these settings after the initial configuration is
complete.
Managing Deployments with Windows Deployment Services
Once you install and configure Windows
Deployment Services, you can then prepare
Windows Deployment Services to service client
deployments; this involves the following
procedures.
Configuring Boot Settings
You must complete several configuration tasks
to configure boot settings on the server that is
hosting Windows Deployment Services.
• Add boot images. A boot image is a Windows
PE image that you use to boot a computer
and install the install image. Typically, you use the boot.wim file on the Windows Server 2012 product
DVD in the \sources folder. You may also decide to create a capture image, which is a specific type of
boot image that you can use to capture a currently installed operating system on a reference
computer.
• Configure the PXE boot policy for known and unknown clients. This policy determines the required
installer behavior during the initial part of the deployment. By default, both known and unknown
computer policies require the installer to press F12 to connect to the Windows Deployment Services
image server. Failure to do so results in the computer using BIOS settings to determine an alternative
boot method—for example, hard disk or CD ROM. Instead of this default, you can configure the
following options:
o Always continue the PXE boot. This option ensures that the computer continues through the deployment process without any installer interaction.
o Continue the PXE boot unless the user pressed the Esc key. This option gives the installer the ability to cancel the deployment.
• Configure a default boot image. If you have multiple boot images—for example, to support multiple
platforms—you can configure a default boot image for each of them. This image is selected after a
timeout period on the PXE client computer.
• Associate an answer file for setup. You can define an associated answer file for each client
architecture. This answer file provides information that is used during the initial setup phase, and
enables the Windows Deployment Services image server to select the appropriate install image for
the client, without installer intervention.
• Create discover images. Not all computers support PXE network boot. For those that do not, you can
create a discover image based on a boot image and export it to a removable storage device. To
create a discover image, specify:
o The image name and description.
o The boot image on which it is based.
o A filename with which to store the image.
o The name of the Windows Deployment Services server that will be used for deployment.
Configuring Install Settings
You must configure additional install settings in Windows Deployment Services.
• Add install images. This is the operating system image that you use to install Windows Server.
Typically, you start with the installation image install.wim, in the \sources folder on the Windows
Server 2012 product DVD. Thereafter, you might choose to create custom images for groups of
computers that have similar configurations.
Note: Before you can create install images, you must define an install image group in
which to consolidate the related images. If you do not do so, the Windows Deployment Services
administration program creates a generic group.
• Associate an answer file with an install image. If you have created an answer file, for example by using
Windows ADK, you can associate it with an install to provide the necessary information to complete
deployment of the computer with no installer interaction.
• Configure a client naming policy. You can use the client naming policy to define computer names for unknown computers during deployment. The policy uses a number of variables to create a unique name:
a. %First. The installer’s first name. Placing a number after the % sign results in using only that many characters. For example, %3First uses the first three characters of the installer’s first name.
b. %Last. The installer’s last name. You can also define the number of characters to use.
c. %Username. The installer’s user name. Again, you can limit the number of characters by specifying a number after the % sign.
d. %MAC. The Media Access Control (MAC) address.
e. %[n]#. You can use this sequence to define a unique identifying sequential number to the computer name containing n digits. If you want to use a multiple-digit number, pad the variable with leading zeros, after the % sign. For example, %2# results in the sequential numbers 1, 2, 3, and so on. %02# results in 01, 02, and 03.
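The naming-policy variables above, worked through as an added example that is not from the course handbook: a hypothetical PowerShell function Expand-WdsNamingPolicy applies the %First, %Last, %Username, %MAC and %[n]# rules to a policy string, using constructed installer and MAC values, and warns when the result exceeds the 15-character NetBIOS computer name limit (a limit the handbook does not mention; MAC separators being dropped is also an assumption).

```powershell
function Expand-WdsNamingPolicy {
    # Expands a WDS client naming policy string using the variable rules in the lesson:
    # %First / %Last / %Username (a leading number keeps only that many characters),
    # %MAC, and %n# / %0n# for the sequential number.
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$MacAddress,
        [Parameter(Mandatory)][int]$Sequence
    )
    # One token: '%', an optional digit string, then the variable name or '#'.
    $pattern = '%(?<count>\d*)(?<var>First|Last|Username|MAC|#)'
    $evaluator = {
        param([System.Text.RegularExpressions.Match]$m)
        $count = $m.Groups['count'].Value
        $var   = $m.Groups['var'].Value
        if ($var -eq '#') {
            # %02# -> 01, 02, 03 (zero-padded to the stated width); %2# -> 1, 2, 3 (no padding)
            if ($count.StartsWith('0')) { return $Sequence.ToString().PadLeft($count.Length, '0') }
            return $Sequence.ToString()
        }
        $value = switch ($var) {
            'First'    { $FirstName }
            'Last'     { $LastName }
            'Username' { $UserName }
            'MAC'      { $MacAddress -replace '[:-]', '' }   # assumption: separators are dropped
        }
        # A leading number limits how many characters of the value are used (%3First -> 'Hol').
        if ($count -ne '' -and $value.Length -gt [int]$count) {
            $value = $value.Substring(0, [int]$count)
        }
        return $value
    }.GetNewClosure()
    $name = [regex]::Replace($Policy, $pattern, [System.Text.RegularExpressions.MatchEvaluator]$evaluator)
    if ($name.Length -gt 15) {
        Write-Warning "'$name' exceeds the 15-character NetBIOS computer name limit."
    }
    return $name
}

# Constructed example: installer Holly Dickson deploying the seventh branch server.
Expand-WdsNamingPolicy -Policy 'BR-%3First%2Last-%02#' -FirstName 'Holly' -LastName 'Dickson' `
    -UserName 'Holly' -MacAddress '00-15-5D-00-00-07' -Sequence 7
```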
• Specify the AD DS location for computer accounts. The default is to use the same AD DS domain as
the Windows Deployment Services server. Alternatively, you can select between:
o The same domain as the user performing the deployment.
o The same organizational unit (OU) as the user who is performing the deployment.
o A specified AD DS location.
Note: The Windows Deployment Services computer requires Create Computer object and
Write All Properties permissions on the AD DS container that you specify.
Configuring Transmission Settings
Configure multicast transmissions. Unicast transmission is enabled by default; that is, you need do nothing
further and you can deploy clients using unicast. However, to enable multicast transmission, specify:
• The multicast transmission name.
• An install image with which the transmission is associated.
• A method of multicast transmission. Choose between Autocast and Scheduled-Cast. If you choose Scheduled-Cast, you can define both a threshold minimum number of clients before transmission starts and the start date and time.
Configuring Drivers
Windows Deployment Services in Windows Server 2012 enables you to add and configure driver packages
on the server, and then deploy them to client computers during installations based on their hardware.
Use the following high-level steps to configure drivers:
1. Obtain the drivers that you need. These must be in the form of an .inf file rather than an .msi or .exe file.
2. Configure filters, if desired, on the driver group. These filters determine which computers receive the drivers based on the hardware characteristics of the client computers. For example, you can create a filter that applies the drivers only to computers that have a BIOS manufactured by A. Datum.
3. Add the drivers as a driver package. Driver packages must be associated with a driver group. If you associate the driver package with an unfiltered group, all computers receive the driver.
You can use Windows Deployment Services to add driver packages to your Windows 8 and Windows
Server 2012 boot images; consequently, you do not have to export the image. Use the tools in the
Windows ADK to add driver packages manually, and then add the updated boot image.
Question: What is the advantage of defining a client naming policy?
Lesson 3
Administering Windows Deployment Services
When you have completed the configuration of Windows Deployment Services, you must create and
administer boot images, install images, and optionally capture and discover images. In addition, you must
make these images available to client computers with the desired level of automation, using an appropriate transmission mechanism.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the common administration tasks.
• Explain how to add and configure boot, capture, discover, and install images.
• Explain how to automate deployments.
• Explain how to configure multicast transmission to deploy your images.
Common Administration Tasks
To configure Windows Deployment Services
effectively, you must complete a number of
common administration tasks. To help you
complete these tasks, Windows Deployment
Services provides a number of tools to help you.
The administrative tasks that you must complete
include the following:
• Configuring DHCP
• Creating and servicing images
• Managing the boot menu
• Prestaging client computers
• Automating deployment
• Configuring transmission
Configuring DHCP
Clients that boot using PXE require a dynamically allocated IPv4 configuration. You must create
and configure an appropriate DHCP scope for this purpose. Additionally, if the DHCP and Windows
Deployment Services server roles are co-hosted, then you must configure how the PXE server listens for
client requests; there is an inherent conflict as both DHCP and Windows Deployment Services use UDP
port 67. To create and manage DHCP scopes, you can use the DHCP snap-in or the Netsh.exe command-
line tool.
Creating and Servicing Images
You can create and service images with the Windows Deployment Services snap-in, Windows SIM, the
WDSutil.exe command-line tool, or the Dism.exe command-line tool.
For example, to add a boot image, use the following command:
WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path> /ImageType:Boot
To create a capture image, use the following command:
WDSUTIL /New-CaptureImage /Image:<source boot image name> /Architecture:{x86|ia64|x64}
/DestinationImage /FilePath:<file path>
To add an install image, use the following two commands, pressing Enter after each line:
WDSUTIL /Add-ImageGroup /ImageGroup:<image group name>
WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path to .wim file> /ImageType:Install
Note: You can also perform these management tasks using the Windows Deployment
Service management console, found in Server Manager.
Managing the Boot Menu
The boot environment for Windows Server 2012 relies on the Boot Configuration Data (BCD) store. This
store defines how the boot menu is configured. You can customize the store using Bcdedit.exe.
Note: When you customize the BCD store, you must force it to be recreated for your
changes to take effect. To do this, run the following two WDSutil.exe commands (pressing Enter
after each line), to stop and then restart the Windows Deployment Services server:
wdsutil /stop-server
wdsutil /start-server
The following is a list of limitations for the boot menu user interface:
• Screen size. Only 13 images can be displayed on the menu. If you have more, the installer must scroll down to see them.
• Mouse. There is no mouse pointer.
• Keyboard. There is no support for alternate keyboards, other than what the BIOS supports.
• Localization. There is limited support for localization, other than what the BIOS supports.
• Accessibility. There is limited support for accessibility.
Prestaging Client Computers
Windows Deployment Services supports deployment to unknown clients. You can exert some control over
unknown clients by configuring administrator approval. This ensures that clients that are attempting to
deploy with Windows Deployment Services are placed in a pending queue awaiting your approval. You
can also configure the client computer’s name during approval.
However, if you want more specific control over deployments, you can prestage the computers in AD DS;
this enables you to configure the client to:
• Start from a different Windows Deployment Services server.
• Use a different network boot program.
• Use a specific unattend file.
• Use a specific boot image.
• Join a particular AD DS domain.
You can use the following WDSutil.exe command-line tool to prestage computers:
WDSUTIL /Add-Device /Device:<name> /ID:<GUIDorMACAddress>
In this example, <GUIDorMACAddress> is the identifier of the new computer.
Automating Deployment
You can automate Windows Deployment Services deployments from end-to-end. You can use the
Windows Deployment Services snap-in and Windows SIM to complete these tasks.
Configuring Transmission
Multicasting enables you to deploy an image to a large number of client computers without consuming
excessive network bandwidth.
Consider enabling multicast transmissions if your organization:
• Anticipates many concurrent deployments.
• Has routers that support the propagation of multicasts; that is, support for the Internet Group Management Protocol (IGMP).
You can use the Windows Deployment Services snap-in or the WDSutil.exe command-line tool to manage
multicast transmission. For example, to create a multicast transmission with Autocast, use the following
command:
WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly name>
/ImageType:Install /ImageGroup:<Image group name> /TransmissionType:AutoCast
To create a Scheduled-Cast transmission, use the following command:
WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly name>
/ImageType:Install /ImageGroup:<Image group name> /TransmissionType:ScheduledCast [/Time:<yyyy/mm/dd:hh:mm>] [/Clients:<no of clients>]
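Scenario 2 in Lesson 1 and the administration tasks in this lesson, scripted end to end as an added example that is not the handbook's own code: it drives the WDSUTIL.exe commands shown above from PowerShell and stops on the first failure. The /Initialize-Server, /Set-Server and /Set-Image options it uses exist in WDSUTIL but are not listed on this page; all paths, image names, the OU and the MAC addresses are constructed placeholders.

```powershell
$ErrorActionPreference = 'Stop'

# Constructed placeholders (not from the handbook); adjust to your environment.
$RemInst        = 'D:\RemoteInstall'                      # NTFS volume, separate from the OS disk
$BootWim        = 'D:\sources\boot.wim'                   # Windows Server 2012 media
$InstallWim     = 'D:\sources\install.wim'
$ImageGroup     = 'Windows Server 2012'
$InstallImage   = 'Windows Server 2012 SERVERSTANDARDCORE'
$BootImageName  = 'Microsoft Windows Setup (x64)'         # assumed name of the imported boot image
$CaptureWim     = "$RemInst\Boot\x64\Images\capture.wim"
$ClientUnattend = 'WdsClientUnattend\BranchUnattend.xml'  # relative to $RemInst (WDS client phase)
$SetupUnattend  = "$RemInst\WdsClientUnattend\ServerSetup.xml"   # full path (Windows Setup phase)
$BranchOU       = 'OU=Branch Servers,DC=Adatum,DC=com'
$DhcpCoHosted   = $true

function Invoke-WdsUtil {
    # Runs one WDSUTIL command and aborts if it fails, so the script never leaves a
    # half-configured server that looks finished.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & wdsutil.exe /Verbose /Progress @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "WDSUTIL failed (exit code $LASTEXITCODE): wdsutil $($Arguments -join ' ')"
    }
}

# 1. Initialize the server with the image store on an NTFS volume.
Invoke-WdsUtil @('/Initialize-Server', "/RemInst:$RemInst")

# 2. Co-hosted DHCP: stop the PXE server listening on UDP 67 and set option 60 (PXEClient).
if ($DhcpCoHosted) {
    Invoke-WdsUtil @('/Set-Server', '/UseDhcpPorts:No', '/DhcpOption60:Yes')
}

# 3. Answer no PXE clients until images and answer files are in place.
Invoke-WdsUtil @('/Set-Server', '/AnswerClients:None')

# 4. Boot image, capture image, image group and install image.
Invoke-WdsUtil @('/Add-Image', "/ImageFile:$BootWim", '/ImageType:Boot')
Invoke-WdsUtil @('/New-CaptureImage', "/Image:$BootImageName", '/Architecture:x64',
                 '/DestinationImage', "/FilePath:$CaptureWim")
Invoke-WdsUtil @('/Add-ImageGroup', "/ImageGroup:$ImageGroup")
Invoke-WdsUtil @('/Add-Image', "/ImageFile:$InstallWim", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup")

# 5. Naming policy for unknown computers and the AD DS container for new computer accounts.
Invoke-WdsUtil @('/Set-Server', '/NewMachineNamingPolicy:BR-%3First%2Last-%02#')
Invoke-WdsUtil @('/Set-Server', '/NewMachineOU', '/OUType:Custom', "/OU:$BranchOU")

# 6. PXE boot policy: prestaged (known) computers continue without F12; unknown ones
#    continue unless the installer presses Esc.
Invoke-WdsUtil @('/Set-Server', '/PxePromptPolicy', '/Known:NoPrompt', '/New:OptOut')

# 7. Default boot image for x64 clients (path relative to the RemoteInstall folder).
Invoke-WdsUtil @('/Set-Server', '/BootImage:Boot\x64\Images\boot.wim', '/Architecture:x64')

# 8. Answer files: one for the WDS client phase, one for Windows Setup on the install image.
Invoke-WdsUtil @('/Set-Server', '/WdsUnattend', '/Policy:Enabled', "/File:$ClientUnattend",
                 '/Architecture:x64')
Invoke-WdsUtil @('/Set-Image', "/Image:$InstallImage", '/ImageType:Install',
                 "/ImageGroup:$ImageGroup", "/UnattendFile:$SetupUnattend")

# 9. Prestage the branch servers by MAC address (constructed values).
$BranchServers = @{ 'BR-LON-SVR01' = '00-15-5D-00-00-01'; 'BR-LON-SVR02' = '00-15-5D-00-00-02' }
foreach ($name in $BranchServers.Keys) {
    Invoke-WdsUtil @('/Add-Device', "/Device:$name", "/ID:$($BranchServers[$name])")
}

# 10. Autocast multicast transmission for the install image, to limit network traffic.
Invoke-WdsUtil @('/New-MulticastTransmission', "/Image:$InstallImage",
                 '/FriendlyName:Windows Server 2012 Branch Servers', '/ImageType:Install',
                 "/ImageGroup:$ImageGroup", '/TransmissionType:AutoCast')

# 11. Only now answer PXE requests, and only from the prestaged computers.
Invoke-WdsUtil @('/Set-Server', '/AnswerClients:Known')
```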
Demonstration: How to Administer Images
This demonstration shows how to administer images. In this demonstration, this process will be broken
down into the following four steps:
• Install and configure the Windows Deployment Services role.
• Add a boot image.
• Create a capture image.
• Add an install image.
Demonstration Steps
Install and configure the Windows Deployment Services role
1. Switch to the LON-SVR1 computer.
2. Open Server Manager.
3. Install the Windows Deployment Services server role with both role services.
4. In the Windows Deployment Services console, right-click LON-SVR1.Adatum.com, and then click Configure Server.
5. Use the following information to complete configuration:
o Integrate Windows Deployment Services with Active Directory.
o On the Remote Installation Folder Location page, accept the defaults.
o Accept the System Volume Warning message.
o On the PXE Server Initial Settings page, select the Respond to all (known and unknown) client computers option.
o When prompted, choose to not add images to the server.
Add a boot image
1. Switch to LON-SVR1.
2. If necessary, open the Windows Deployment Services console.
3. Add a new boot image using the following information to complete the process:
a. On the Image File page, use the file name: D:\sources\boot.wim.
b. Accept the defaults on the Image Metadata page.
c. Accept the defaults on the Summary page.
4. On the Task Progress page, click Finish.
Add an install image
1. If necessary, open Windows Deployment Services.
2. Add a new Image Group with the image group name of Windows Server 2012.
3. Use the Add Image Wizard to add a new install image to this group. Use the following information to complete the process:
a. On the Image File page, use the following file name: D:\sources\install.wim.
b. On the Available Images page, clear all check boxes except Windows Server 2012 SERVERSTANDARDCORE.
c. Accept the defaults on the Summary page.
d. On the Task Progress page, click Finish.
4. Minimize the Windows Deployment Services window.
Automating Deployments
There are four phases that you can automate during the Windows Deployment Services deployment process. These are:
• PXE Boot Policy. You can determine how the PXE server responds to clients, and whether the installer is required to press the F12 key to connect to the Windows Deployment Services server and select a boot image. For example, the Always continue the PXE boot option ensures that the computer continues through the deployment process without any installer interaction.
• The default boot image. If you configure a default boot image, the installer will not be prompted to make a selection.
• The Windows Deployment Services screens. When the client computer uses the TFTP protocol to connect to the Windows Deployment Services server and select a boot image, the installer must then provide credentials and select an operating system image to install. You can create an Unattend.xml answer file to automate this phase.
• Windows Setup. You can customize the setup program so that once the install image has been selected (either automatically or manually), the setup program will complete the installation process with no installer intervention. This is the same type of automation that you use to automate installations with the Windows ADK.
Use Windows SIM to create both types of answer files, and then use the Windows Deployment Services snap-in to associate the answer files with the required deployment phase.
Automate Client Unattend
Use the following procedure to associate an answer file for the client unattend deployment phase:
1. Create the Unattend.xml file in Windows ADK with settings appropriate to Windows Deployment Services.
2. Copy the file to the Windows Deployment Services server, and paste it into a folder under \RemoteInstall.
3. Open Windows Deployment Services.
4. View the Properties dialog box for the Windows Deployment Services server in the Windows Deployment Services console.
5. On the Client tab, enable unattended installation, and then select the answer file that you created earlier.
Sample Unattend Answer File for Windows Deployment Services Client Unattend
The following is a portion of a sample answer file that is required to automate the Windows Deployment Services client Unattend phase:
<WindowsDeploymentServices>
  <Login>
    <WillShowUI>OnError</WillShowUI>
    <Credentials>
      <Username>Installer</Username>
      <Domain>Adatum.com</Domain>
      <Password>Pa$$w0rd</Password>
    </Credentials>
  </Login>
  <ImageSelection>
    <WillShowUI>OnError</WillShowUI>
    <InstallImage>
      <ImageName>Windows Server 2012</ImageName>
      <ImageGroup>Adatum Server Images</ImageGroup>
      <Filename>Install.wim</Filename>
    </InstallImage>
    <InstallTo>
      <DiskID>0</DiskID>
      <PartitionID>1</PartitionID>
    </InstallTo>
  </ImageSelection>
</WindowsDeploymentServices>
Automate Windows Setup
To automate the Windows Setup process, use the following steps:
1. Create the Unattend.xml file in Windows ADK, with settings appropriate to Windows Setup.
2. Copy the file to a suitable location on the Windows Deployment Services server.
3. In Windows Deployment Services, view the properties of the appropriate install image.
4. Enable the Allow image to install in unattended mode option, and then select the answer file that you created.
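The client unattend procedure and the sample answer file above, as an added example that is not from the handbook: a hypothetical New-WdsClientUnattend function writes the WindowsDeploymentServices section with an XML writer (so characters such as the $ in Pa$$w0rd or an & in an image group name are escaped correctly) inside the standard unattend envelope that the excerpt omits, and a hypothetical Test-WdsClientUnattend reports which required elements a hand-edited file is missing. The envelope attributes (namespace, windowsPE pass, Microsoft-Windows-Setup component) are taken from the unattend schema, not from this page, and the file path and values are constructed.

```powershell
function New-WdsClientUnattend {
    # Writes a WDS client-phase answer file. Values are escaped by XmlWriter, never hand-edited.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$ImageName,
        [Parameter(Mandatory)][string]$ImageGroup,
        [string]$FileName = 'Install.wim',
        [int]$DiskId = 0,
        [int]$PartitionId = 1,
        [ValidateSet('amd64', 'x86')][string]$Architecture = 'amd64'
    )
    $ns = 'urn:schemas-microsoft-com:unattend'
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $w = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $w.WriteStartDocument()
        $w.WriteStartElement('unattend', $ns)
        $w.WriteStartElement('settings', $ns)
        $w.WriteAttributeString('pass', 'windowsPE')
        # Envelope attributes come from the unattend schema, not from the handbook excerpt.
        $w.WriteStartElement('component', $ns)
        $w.WriteAttributeString('name', 'Microsoft-Windows-Setup')
        $w.WriteAttributeString('processorArchitecture', $Architecture)
        $w.WriteAttributeString('publicKeyToken', '31bf3856ad364e35')
        $w.WriteAttributeString('language', 'neutral')
        $w.WriteAttributeString('versionScope', 'nonSxS')
        $w.WriteStartElement('WindowsDeploymentServices', $ns)
        # Login: the account the WDS client uses to reach the image store. The password is stored
        # in clear text here, so use a dedicated account with only the image-file permissions it needs.
        $w.WriteStartElement('Login', $ns)
        $w.WriteElementString('WillShowUI', $ns, 'OnError')
        $w.WriteStartElement('Credentials', $ns)
        $w.WriteElementString('Username', $ns, $UserName)
        $w.WriteElementString('Domain', $ns, $Domain)
        $w.WriteElementString('Password', $ns, $Password)
        $w.WriteEndElement()   # Credentials
        $w.WriteEndElement()   # Login
        # ImageSelection: which install image to use and the disk/partition to install to.
        $w.WriteStartElement('ImageSelection', $ns)
        $w.WriteElementString('WillShowUI', $ns, 'OnError')
        $w.WriteStartElement('InstallImage', $ns)
        $w.WriteElementString('ImageName', $ns, $ImageName)
        $w.WriteElementString('ImageGroup', $ns, $ImageGroup)
        $w.WriteElementString('Filename', $ns, $FileName)
        $w.WriteEndElement()   # InstallImage
        $w.WriteStartElement('InstallTo', $ns)
        $w.WriteElementString('DiskID', $ns, [string]$DiskId)
        $w.WriteElementString('PartitionID', $ns, [string]$PartitionId)
        $w.WriteEndElement()   # InstallTo
        $w.WriteEndElement()   # ImageSelection
        $w.WriteEndDocument()  # closes WindowsDeploymentServices, component, settings, unattend
    }
    finally {
        $w.Close()
    }
}

function Test-WdsClientUnattend {
    # Returns the element paths (relative to WindowsDeploymentServices) that a client-phase
    # answer file is missing; an empty result means every element needed to skip the
    # WDS client screens is present.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $base = '/u:unattend/u:settings[@pass="windowsPE"]/u:component[@name="Microsoft-Windows-Setup"]/u:WindowsDeploymentServices'
    $required = 'u:Login/u:Credentials/u:Username', 'u:Login/u:Credentials/u:Domain',
                'u:Login/u:Credentials/u:Password', 'u:ImageSelection/u:InstallImage/u:ImageName',
                'u:ImageSelection/u:InstallImage/u:ImageGroup', 'u:ImageSelection/u:InstallTo/u:DiskID',
                'u:ImageSelection/u:InstallTo/u:PartitionID'
    $missing = @()
    foreach ($rel in $required) {
        if (-not $doc.SelectSingleNode("$base/$rel", $nsm)) { $missing += $rel }
    }
    return ,$missing
}

# Constructed usage: write the file under \RemoteInstall and check it.
$file = 'D:\RemoteInstall\WdsClientUnattend\BranchUnattend.xml'
New-WdsClientUnattend -Path $file -UserName 'Installer' -Domain 'Adatum.com' -Password 'Pa$$w0rd' `
    -ImageName 'Windows Server 2012 SERVERSTANDARDCORE' -ImageGroup 'Windows Server 2012'
Test-WdsClientUnattend -Path $file
```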
Demonstration: How to Configure Multicast Transmission
This demonstration shows how to configure multicast transmission.
Demonstration Steps
1. Open the Windows Deployment Services console on LON-SVR1.
2. Create a new multicast transmission by using the following information:
o Transmission name: Windows Server 2012 Branch Servers
o Image group: Windows Server 2012
o Image: Windows Server 2012 SERVERENTERPRISECORE
o Multicast type: Autocast
Lab: Using Windows Deployment Services to Deploy Windows Server 2012
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in
London, U.K. An IT office and data center are in London to support the head office and other branch
locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is deploying servers to branch offices throughout the region for the Research department. You
have been tasked with helping to automate this deployment. You suggest using Windows Deployment
Services to deploy Windows Server 2012 to the branch offices. You have been sent some instructions by
email regarding the deployment. You must read these instructions, and then install and configure
Windows Deployment Services to support the deployment.
Objectives
After completing this lab, you will be able to:
• Install and configure Windows Deployment Services.
• Create operating system images using Windows Deployment Services.
• Configure custom computer naming.
• Deploy images with Windows Deployment Services.
Lab Setup
Estimated Time: 75 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-SVR3
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-SVR1. Do not start 20411B-LON-SVR3 until directed to
do so.
Exercise 1: Installing and Configuring Windows Deployment Services
Scenario
To assist with the process of configuring Windows Deployment Services, you have been sent an email with
the appropriate configuration information.
Branch Office Deployment Guide
Requirements Overview
To configure Microsoft Windows Deployment Services to aid in the deployment of branch office servers.
Additional Information
• Deployment method: Automated standard image deployments
• Configuration information:
   o LON-SVR1 is to be used to host Windows Deployment Services.
   o Configure multicast transmission to use Autocast.
   o Configure automatic naming to identify branch servers.
   o Place branch servers in the Research organizational unit (OU).
   o Operating system should be Windows Server 2012 Enterprise Edition.
   o A Server Core installation should be performed.
The main tasks in this exercise are:
1. Read the supporting documentation.
2. Install the Windows Deployment Services role.
3. Configure Windows Deployment Services.
Task 1: Read the supporting documentation
• Read the supporting documentation in the exercise scenario to determine the deployment details.
Task 2: Install the Windows Deployment Services role
1. Switch to the LON-SVR1 computer.
2. Open Server Manager.
3. Install the Windows Deployment Services server role with both role services.
4. Close Server Manager.
Task 3: Configure Windows Deployment Services
1. Open the Windows Deployment Services console.
2. Right-click LON-SVR1.Adatum.com, and then click Configure Server.
3. Use the following information to complete configuration:
   a. Integrate Windows Deployment Services with Active Directory.
   b. On the Remote Installation Folder Location page, accept the defaults.
   c. Accept the System Volume Warning message.
   d. On the PXE Server Initial Settings page, select the Respond to all client computers (known
and unknown) option.
   e. When prompted, choose to not add images to the server.
Results: After completing this exercise, you will have installed and configured Windows Deployment
Services.
Exercise 2: Creating Operating System Images with Windows Deployment Services
Scenario
Windows Deployment Services is installed and configured successfully. You now must create various
operating-system images to aid deployment.
The main tasks in this exercise are:
1. Insert the Windows Server 2012 installation media in LON-SVR1.
2. Add a boot image.
3. Add an install image.
Task 1: Insert the Windows Server 2012 installation media in LON-SVR1
1. On the host computer, open Hyper-V Manager.
2. Open the Settings page for 20411B-LON-SVR1.
3. Select the DVD Drive, and attach the International Organization for Standardization (ISO) file
located at C:\Program Files\Microsoft Learning\20411\Drives\WIndows2012_RTM.iso.
Task 2: Add a boot image
1. Switch to LON-SVR1.
2. If necessary, open the Windows Deployment Services console.
3. Add a new boot image using the following information to complete the process:
   o On the Image File page, use the file name: D:\sources\boot.wim.
   o Accept the defaults on the Image Metadata page.
   o Accept the defaults on the Summary page.
4. On the Task Progress page, click Finish.
Task 3: Add an install image
1. If necessary, open Windows Deployment Services.
2. Add a new Image Group with the image group name of Windows Server 2012.
3. Use the Add Image Wizard to add a new install image to this group. Use the following information to
complete the process:
   a. On the Image File page, use the following file name: D:\sources\install.wim.
   b. On the Available Images page, clear all check boxes except Windows Server 2012
SERVERSTANDARDCORE.
   c. Accept the defaults on the Summary page.
   d. On the Task Progress page, click Finish.
4. Minimize the Windows Deployment Services window.
Results: After completing this exercise, you will create an operating system image with Windows
Deployment Services.
Exercise 3: Configuring Custom Computer Naming
Scenario
To automate computer naming, you must configure the custom naming properties for Windows
Deployment Services as per the document that was sent to you. This also involves configuring delegation
on the Active Directory OU that will contain the computer accounts. Administrator approval is required, so
you must also configure that.
The main tasks in this exercise are:
1. Configure automatic naming.
2. Configure Administrator approval.
3. Configure AD DS permissions.
Task 1: Configure automatic naming
1. In Windows Deployment Services, view the properties of LON-SVR1.Adatum.com.
2. On the AD DS tab, use the following information to configure automatic naming:
   o Format: BRANCH-SVR-%02#
   o Computer Account Location: Adatum Research OU
Task 2: Configure Administrator approval
1. In Windows Deployment Services, view the properties of LON-SVR1.Adatum.com.
2. On the PXE Response tab, select Require administrator approval for unknown computers, and
change the PXE Response Delay to 3 seconds.
3. Open Windows PowerShell®, and then type the following command to create a message for
installers to view while awaiting admin approval:
WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Adatum administrator is authorizing this request. Please wait."
4. Close the Command Prompt window.
Task 3: Configure Active Directory Domain Services (AD DS) permissions
1. Switch to the LON-DC1 computer, and open Active Directory Users and Computers.
2. Right-click the Research organizational unit (OU), and use the Delegate Control Wizard to delegate
the LON-SVR1 computer account the ability to create computer objects in the OU. Use the following
information to help:
   a. Tasks to delegate: Create a custom task to delegate
   b. On the Active Directory Object Type page, click Only the following objects in the folder,
select the Computer objects check box, and select the Create selected objects in this folder
check box.
   c. On the Permissions page, in the Permissions list, select the Full Control check box.
Results: After completing this exercise, you will have configured custom computer naming.
Exercise 4: Deploying Images with Windows Deployment Services
Scenario
You have provided instructions for a branch supervisor to initiate the installation process on the branch
office server computer. The installation now will occur.
The main tasks in this exercise are:
1. Configure a Windows Deployment Services server for multicast transmission.
2. Configure the client for Pre-Boot Execution Environment (PXE) Booting.
Task 1: Configure a Windows Deployment Services server for multicast transmission
1. Switch to the LON-SVR1 computer.
2. Create a new multicast transmission using the following information to complete the process:
   o Transmission name: Windows Server 2012 Branch Servers
   o Image group: Windows Server 2012
   o Image: Windows Server 2012 SERVERSTANDARDCORE
   o Multicast type: Autocast
Task 2: Configure the client for PXE Booting
1. On the host computer, switch to Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-SVR3, and then click Settings.
3. In the Settings for 20411B-LON-SVR3 dialog box, click BIOS.
4. In the results pane, click Legacy Network adapter.
5. Use the arrows to move Legacy Network adapter to the top of the list, and then click OK.
6. In Hyper-V Manager, click 20411B-LON-SVR3, and in the Actions pane, click Start.
7. In the Actions pane, click Connect.
8. When the computer reboots, note the PXE Dynamic Host Configuration Protocol (DHCP) notice.
When prompted, press F12 for Network Boot.
Question: Do you see the admin approval message?
9. Switch to the LON-SVR1 computer.
10. In Windows Deployment Services, click Pending Devices.
11. Right-click the pending request, and then click Approve.
12. In the Pending Device dialog box, click OK.
13. Switch to the LON-SVR3 computer.
Question: Which image is the default?
Question: Does setup start?
14. You do not have to continue setup.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. Right-click 20411B-LON-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR3 and 20411B-LON-SVR1.
Results: After completing this exercise, you will have deployed an image with Windows Deployment
Services.
Module Review and Takeaways
Tools
Tool | What it is used for | Where to find it
Windows Deployment Services console | Administering Windows Deployment Services | Server Manager - Tools
WDSutil.exe | Command-line management of Windows Deployment Services | Command line
Windows ADK | Managing image files and creating answer files | Download from Microsoft.com
Dism.exe | Offline and online servicing of images | Windows ADK
Netsh.exe | Command-line tool for managing network-related settings | Command line
Module 2
Configuring and Troubleshooting Domain Name System
Contents:
Module Overview 2-1
Lesson 1: Installing the DNS Server Role 2-2
Lesson 2: Configuring the DNS Server Role 2-8
Lesson 3: Configuring DNS Zones 2-14
Lesson 4: Configuring DNS Zone Transfers 2-19
Lesson 5: Managing and Troubleshooting DNS 2-22
Lab: Configuring and Troubleshooting DNS 2-30
Module Review and Takeaways 2-35
Module Overview
The Domain Name System (DNS) is the foundation name service in Windows Server® 2012. It provides
name resolution, and enables DNS clients to locate network services, such as Active Directory ® Domain
Services (AD DS) domain controllers, global catalog servers, and messaging servers. If you configure
your DNS infrastructure poorly, or it is not working correctly, these important network services will be
inaccessible to your network servers and clients. Consequently, it is vital that you understand how to
deploy, configure, manage, and troubleshoot this critical service.
Objectives
After completing this module, you will be able to:
• Install the DNS server role.
• Configure the DNS server role.
• Create and configure DNS zones.
• Configure zone transfers.
• Manage and troubleshoot DNS.
Lesson 1
Installing the DNS Server Role
To support the underlying network services within your organization, you must be able to install and
configure the Windows Server 2012 DNS server role. Before installing the DNS server role, you must
understand the requirements of your organization’s network infrastructure and decide whether to use a
split-brain DNS. You also must consider the placement of the DNS server role, and the number of DNS
clients and zones that you will use. This lesson describes the installation process for a DNS server role.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the role and benefits of DNS in the network infrastructure.
• Explain a DNS namespace.
• Describe how to integrate DNS into AD DS.
• Explain the use of split-brain DNS.
• Explain how to install the DNS server role.
• Describe the considerations for deploying a DNS server.
Overview of the DNS Role
DNS is a name-resolution service that resolves
names to IP addresses. The DNS service is a
logically separated, hierarchical distributed
database, which enables many different servers
to host a worldwide database of DNS names.
How DNS Supports the Internet Naming Scheme Foundation
DNS is a worldwide service that allows you to type
in a domain name (for example, Microsoft.com),
which your computer resolves to an IP address. A
benefit of DNS is that IPv4 addresses can be long
and difficult to remember, such as 131.107.0.32.
However, a domain name typically is easier to remember. Furthermore, you can use host names that do
not change, although you can modify the underlying IP addresses to suit your organizational needs.
With the adoption of IPv6, DNS will become even more critical because IPv6 addresses are even more
complex than IPv4 addresses. An example of an IPv6 address is 2001:db8:4136:e38c:384f:3764:b59c:3d97.
How DNS Supports an Organization’s Foundation for AD DS Naming Schemes
DNS is responsible for resolving resources in an Active Directory Domain Services (AD DS) domain.
The DNS role is a prerequisite for installing AD DS. DNS provides information to workstation clients,
which enable them to sign in to the network. DNS resolves resources in the domain, such as servers,
workstations, printers, and shared folders. If you configure a DNS server incorrectly, it can be the source
of many AD DS problems.
Overview of the DNS Namespace
The DNS namespace facilitates how a DNS
resolver locates a computer. The namespace is
organized hierarchically to distribute information
across many servers.
Root Domain
A period (.) represents the root domain, and you
do not type it into a web browser. The period (.) is
assumed. The next time that you type an address
into a computer, try adding the period at the end
(for example, www.microsoft.com.). There are 13
root domain servers worldwide.
Note: When troubleshooting DNS, it is usual to specify the trailing period.
Top-Level Domain
The top-level domain (TLD) is the first level of the DNS name space. Examples of TLDs on the Internet
include .com, .net, .org, .biz, and .ca. The most recognized domains are .com, .net, .org, and .gov, which is
for the government of the United States. There are several more domain names at this level, and there is a
TLD for each country. For example, the TLD for Canada is .ca, and the TLD for the United Kingdom is .uk.
The organization that regulates domain names, known as the Internet Corporation for Assigned Names
and Numbers (ICANN), adds new TLDs occasionally.
Second-Level Domain
The second-level domain name is the portion of the domain name that appears before the TLD.
An example of a second-level domain name is microsoft in the www.microsoft.com domain. The
organizations that register second-level domain names control them. Anyone may register a second-level
domain name through an Internet registry service. Many second-level domains have special rules about
what organizations or people can register a domain name. For example, only nonprofit organizations may
use .org.
Subdomain
The subdomain is listed before the second-level and top-level domains. An example of a subdomain is
www in the www.microsoft.com domain name. Subdomains are defined in the DNS server of the
organization that holds the second-level DNS server.
Fully Qualified Domain Name
A fully qualified domain name (FQDN) is the explicit DNS name that includes the computer name
and the subdomains to the root domain. For example, if the computer is designated as Server1 in the
sales.south.contoso.com domain, the FQDN for that computer is server1.sales.south.contoso.com.
DNS Naming Standards
The following characters are valid for DNS names:
• A through Z
• a through z
• 0 through 9
• Hyphen (-)
Note: The underscore (_) is a reserved character.
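As an added example that is not part of the course, the following Python function applies the naming rules above to a complete name: each label is checked against the permitted characters, the underscore is rejected unless the caller explicitly allows it for the service locator names (for example _ldap._tcp.adatum.com) that the reservation exists for, and a trailing period is accepted as the explicit root described earlier. It also enforces limits the page does not state and which are added here from RFC 1035 and RFC 952: at most 63 characters per label, at most 253 for the whole name, and no label beginning or ending with a hyphen.

```python
import re

# Rule on the page: a label uses A-Z, a-z, 0-9 and the hyphen; the underscore
# is reserved. Added here from RFC 1035 / RFC 952 (not stated on the page):
# a label is at most 63 characters, cannot start or end with a hyphen, and the
# whole name is at most 253 characters once the trailing root dot is removed.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LENGTH = 253


def validate_dns_name(name, allow_service_labels=False):
    """Return (ok, reason) for a host name or FQDN.

    A trailing period is accepted as the explicit root (www.microsoft.com.).
    With allow_service_labels=True a label may begin with one underscore, the
    reserved form used for service locator names such as _ldap._tcp.adatum.com;
    plain host names never get that exception.
    """
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME_LENGTH:
        return False, "name is longer than %d characters" % MAX_NAME_LENGTH
    for label in name.split("."):
        if label == "":
            return False, "empty label (leading dot or two dots in a row)"
        checked = label
        if allow_service_labels and label.startswith("_"):
            checked = label[1:]          # drop the one permitted underscore
        if not LABEL_RE.match(checked):
            return False, "invalid label %r" % label
    return True, "ok"


def find_invalid_names(names, **kwargs):
    """Check a list of planned computer names (for example the output of an
    automatic naming format) and return (name, reason) for each failure."""
    results = []
    for n in names:
        ok, reason = validate_dns_name(n, **kwargs)
        if not ok:
            results.append((n, reason))
    return results


if __name__ == "__main__":
    for candidate in ["server1.sales.south.contoso.com.", "file_server.adatum.com",
                      "-branch.adatum.com", "_ldap._tcp.adatum.com"]:
        print(candidate, validate_dns_name(candidate))
```

Names that pass this check are also valid NetBIOS-free host names for AD DS computer accounts, which is why it is worth running over a batch of planned names before a deployment rather than discovering a rejected name at join time.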
Integrating AD DS and DNS
When you begin planning your DNS namespace, you must consider both the internal and external
namespaces. The internal namespace is the one
that internal clients and servers use within your
private network. The external namespace is the
one by which your organization is referenced on
the Internet. There is no requirement that you
should implement the same DNS domain name
internally that you have externally.
When you implement AD DS, you must use a DNS
namespace for hosting AD DS records.
Note: Consider carefully your options
before selecting a namespace design for AD DS. Although it is possible to change a namespace
after implementing AD DS, it is a time-consuming and complex process that has many
limitations.
To determine a DNS namespace for your AD DS environment, you can choose from the following
scenarios:
• Make the internal namespace the same as the public namespace. In this scenario, the internal and
public namespaces are the same, but will have different records. Although this provides simplicity,
which makes it a suitable choice for smaller organizations, it can be difficult to manage for larger
networks.
• Make the internal namespace different from the public namespace. In this scenario, the internal and
public namespaces are completely different, with no link between them. This provides for obvious
separation in the namespace. In complex networks, with many Internet-facing applications, use of
a different name introduces some clarity when configuring these applications. For example, Edge
Servers that are placed on a perimeter network often require multiple network interface cards: one
connected to the private network; and one servicing requests from the public network. If each
network interface card has a different domain name, it often is easier to complete the configuration
of that server.
• Make the internal namespace a subdomain of the public namespace. In this scenario, the internal
namespace is linked to the public namespace, but there is no overlap between them. This provides
a hybrid approach. The internal name is different, which allows for separation of the namespace.
However, the internal name also is related to the public name, which provides simplicity. This
approach is the simplest to implement and manage. However, if you cannot use a subdomain of the
public namespace for AD DS, you should use unique namespaces.
Note: In most situations, computers within an AD DS domain have a primary DNS suffix
that matches the DNS domain name. Occasionally, you may require these names to differ, such
as following a merger or during an acquisition. When names differ, this is known as a disjoint
namespace. A disjoint namespace scenario is one in which the primary DNS suffix of a computer
does not match the DNS domain name in which that computer resides. The computer with the
primary DNS suffix that does not match is said to be disjointed. Another disjoint namespace
scenario occurs if the NetBIOS domain name of a domain controller does not match the DNS
domain name.
Determining Whether to Use Split DNS
Using the same namespace internally and
externally simplifies resource access from
the perspective of users, but it also increases
management complexity. You should not make
internal DNS records available externally, but
some synchronization of records for external resources typically is required. For example, both
your internal and external namespaces might use
the name Contoso.com.
Using unique namespaces for the internal and
public namespaces provides a clear delineation
between internal and external DNS, and avoids
the need to synchronize records between the namespaces. However, in some cases, having multiple
namespaces may lead to user confusion. For example, you may choose the external namespace of
Contoso.com and the internal namespace of Contoso.local. Note that when you implement a unique
namespace configuration, you no longer are tied to using registered domain names.
Using a subdomain of the public namespace for AD DS avoids the need to synchronize records
between the internal and external DNS servers. Because the namespaces are linked, users typically find
this structure easy to understand. For example, if your public namespace is Contoso.com, you might
choose to implement your internal namespace as the subdomain AD, or AD.Contoso.com.
Considering Split DNS
Having a matching internal and external DNS namespace can pose certain problems. However, split DNS
can provide a solution to these problems. Split DNS is a configuration in which your domain has two root-
server zones that contain domain-name registration information. Your internal network hosts are directed
to one zone, while external hosts are directed to another for name resolution. For example, in a nonsplit
DNS configuration for the domain Contoso.com, you might have a DNS zone that looks like the example
in the following table.
Host Record type IP address
www A 131.107.1.200
Relay A 131.107.1.201
Webserver1 A 192.168.1.200
Exchange1 A 192.168.0.201
When a client computer on the Internet wants to access the Simple Mail Transfer Protocol (SMTP) relay
by using the published name of relay.contoso.com, it queries the DNS server that returns the result
131.107.1.201. The client then establishes a connection over SMTP to that IP address.
However, the client computers on the corporate intranet also use the published name of
relay.contoso.com. The DNS server returns the same result: a public IP address of 131.107.1.201. The client
now attempts to establish a connection to the returned IP address by using the external interface of the
publishing computer. Depending upon the client configuration, this may or may not be successful.
By configuring two zones for the same domain name—one on each of the two DNS servers—you can
avoid this problem.
The internal zone for adatum.com would resemble the information in the following table.
Host Record type IP address
www CNAME Webserver1.contoso.com
Relay CNAME Exchange1.contoso.com
Webserver1 A 192.168.1.200
Exchange1 A 192.168.0.201
The external zone for adatum.com would resemble the information in the following table.
Host Record type IP address
www A 131.107.1.200
Relay A 131.107.1.201
MX Relay.contoso.com
Now, client computers in the internal and external networks can resolve the name relay.contoso.com to
the appropriate internal or external IP address.
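The following Python model is an added example, not course material, of the split DNS configuration just described. It holds the internal and external contoso.com zones from the two tables, selects the zone by the network a query arrives from, and follows CNAME records the way a resolver does, so the same name relay.contoso.com yields the internal address for intranet clients and the public address for Internet clients. Two details are assumptions of the example rather than statements on the page: the 192.168.0.0/16 range stands in for the internal network, and the MX row of the external table, which has no host name in the text, is stored under the zone apex written "@".

```python
import ipaddress

ZONE_NAME = "contoso.com"

# Constructed zone data taken from the two tables in the text. Each entry maps
# a host name (relative to the zone) to (record type, value). The MX row in
# the external table has no host name on the page; storing it under the zone
# apex "@" is an assumption of this example.
INTERNAL_ZONE = {
    "www":        ("CNAME", "Webserver1.contoso.com"),
    "relay":      ("CNAME", "Exchange1.contoso.com"),
    "webserver1": ("A", "192.168.1.200"),
    "exchange1":  ("A", "192.168.0.201"),
}
EXTERNAL_ZONE = {
    "www":   ("A", "131.107.1.200"),
    "relay": ("A", "131.107.1.201"),
    "@":     ("MX", "Relay.contoso.com"),
}

# Assumption for the example: queries from this range come from the intranet
# and see the internal zone; every other source sees the external zone.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def zone_for_client(client_ip):
    """Split DNS in one decision: which copy of the zone this client may see."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal", INTERNAL_ZONE
    return "external", EXTERNAL_ZONE


def resolve(client_ip, name, max_aliases=8):
    """Resolve a name to an IPv4 address as the split DNS server would for this client.

    Returns (address, chain). chain lists every name looked up, including the
    CNAME targets that were followed. address is None when the name is not in
    the client's copy of the zone (an authoritative "does not exist"), when the
    record found carries no address (for example MX), or when a CNAME chain is
    longer than max_aliases (a loop guard).
    """
    _, zone = zone_for_client(client_ip)
    chain = []
    qname = name.lower().rstrip(".")
    for _ in range(max_aliases):
        chain.append(qname)
        if qname == ZONE_NAME:
            host = "@"
        elif qname.endswith("." + ZONE_NAME):
            host = qname[: -len(ZONE_NAME) - 1]
        else:
            return None, chain            # outside the zone this server hosts
        record = zone.get(host)
        if record is None:
            return None, chain            # authoritative: no such name
        rtype, value = record
        if rtype == "A":
            return value, chain
        if rtype == "CNAME":
            qname = value.lower().rstrip(".")   # follow the alias
            continue
        return None, chain                # MX and similar carry no address
    return None, chain


if __name__ == "__main__":
    for client in ("192.168.5.10", "203.0.113.7"):
        print(client, zone_for_client(client)[0], resolve(client, "relay.contoso.com"))
```

Note what the external view does not contain: webserver1 and exchange1 exist only in the internal zone, so an Internet client asking for them gets "no such name" rather than a private address, which is the separation the text is after.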
Demonstration: Installing the DNS Server Role
This demonstration shows how to install the DNS server role.
Demonstration Steps
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Use Server Manager to install the DNS Server role.
Considerations for Deploying the DNS Server Role
When you are planning to deploy DNS, you
must review several considerations. Some of the
questions that you should ask include:
• How many DNS zones will you configure on the server and how many DNS records will each zone
contain? Typically, zones map on a one-to-one basis with domains in your namespace. When you have
a large number of records, it might make more sense to split the records into multiple zones.
• How many DNS clients will be communicating with the server on which you configure the DNS role?
The larger the number of client resolvers, the greater is the load placed on the server. When you
anticipate additional load, consider deploying additional DNS servers.
• Where will you place DNS servers? For example, will you place the servers centrally, or does it make
more sense to locate DNS servers in branch offices? If there are few clients at a branch office, you
could satisfy most DNS requests by using a central DNS server or by implementing a caching-only
server. A large number of users at a branch might benefit from a local DNS server with appropriate
zone data.
How you answer the preceding questions will determine how many DNS servers you must deploy, and
where you should place them.
Active Directory Integration
The Windows Server 2012 DNS role can store the DNS database in two different ways, as the following
table shows.
Storage method | Description
Text File | The DNS server role stores the DNS entries in a text file, which you can edit with a text editor.
Active Directory | The DNS server role stores the DNS entries in the Active Directory database, which replicates to other domain controllers, even if they do not run the Windows Server 2008 DNS role. You cannot use a text editor to edit DNS data that Active Directory stores.
Active Directory integrated zones are easier to manage than traditional text-based zones, and are more
secure. The replication of zone data occurs as part of Active Directory replication.
DNS Server Placement
Typically, you will deploy the DNS role on all domain controllers. If you decide to implement some other
strategy, ask yourself the following questions, and keep the answers in mind:
• How will client computers resolve names if their usual DNS server becomes unavailable?
• What will the impact on network traffic be if client computers start to use an alternate DNS server,
perhaps located remotely?
• How will you implement zone transfers? Active Directory integrated zones use Active Directory
replication to transfer the zone to all other domain controllers. If you implement non-Active Directory
integrated zones, you must plan the zone transfer mechanism yourself.
Lesson 2
Configuring the DNS Server Role
The DNS infrastructure is the basis for name resolution on the Internet and in AD DS domains based on
Windows Server 2012. This lesson provides guidance and information about what is required to configure
the DNS server role, and explains the basic functions of a DNS server.
Lesson Objectives
After completing this lesson, you will be able to:
• List the components of a DNS solution.
• Describe how various types of DNS queries work.
• Describe DNS resource records.
• Explain how root hints work.
• Explain how forwarding and conditional forwarding work.
• Explain how DNS server caching works.
• Explain how to configure the DNS server role properties.
What Are the Components of a DNS Solution?
The components of a DNS solution include DNS
servers, DNS servers on the Internet, and DNS
resolvers or clients.
DNS Servers
A DNS server answers recursive and iterative DNS queries. DNS servers also can host one or more
zones of a particular domain. Zones contain
different resource records. DNS servers also can
cache lookups to save time for common queries.
DNS Servers on the Internet
DNS servers on the Internet are accessible
publicly. They host public zone information and the root server, and other common TLDs, such as .com,
.net, and .edu.
Note: Do not confuse these servers with your organization’s DNS servers that host your
public namespace. These are located physically on your perimeter network.
DNS Resolvers
The DNS resolver generates and sends iterative or recursive queries to the DNS server. A DNS resolver can
be any computer performing a DNS lookup that requires interaction with the DNS server. DNS servers also
can issue DNS requests to other DNS servers.
What Are DNS Queries?
A DNS query is the method that you use to
request name resolution, and involves a query
being sent to a DNS server. There are two types
of responses to DNS queries: authoritative and
nonauthoritative.
It is important to note that DNS servers also can
act as DNS resolvers and send DNS queries to
other DNS servers.
A DNS server can be either authoritative or
nonauthoritative for the query’s namespace. A
DNS server is authoritative when it hosts a primary
or secondary copy of a DNS zone. The two types
of queries are:
• An authoritative query is one for which the server can return an answer that it knows is correct,
because the request is directed to the authoritative server that manages the domain.
• A DNS server that contains in its cache the domain being requested answers a nonauthoritative query
by using forwarders or root hints. However, the answer provided might not be accurate, because only
the authoritative DNS server for the given domain can issue that information.
If the DNS server is authoritative for the query’s namespace, the DNS server will check the zone, and then
do one of the following:
• Return the requested address.
• Return an authoritative “No, that name does not exist.”
Note: An authoritative answer can be given only by the server with direct authority for the
queried name.
If the local DNS server is nonauthoritative for the query’s namespace, the DNS server will do one of the
following:
• Check its cache, and return a cached response.
• Forward the unresolvable query to a specific server known as a forwarder.
• Use well-known addresses of multiple root servers to find an authoritative DNS server to resolve the
query. This process uses root hints.
Recursive Queries
A recursive query can have two possible results:
• It returns the IP address of the requested host.
• The DNS server cannot resolve an IP address.
For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. This prevents
the DNS server in question from forwarding its DNS requests to another server. This can be useful when
you do not want a particular DNS server communicating outside its local network.
Iterative Queries
Iterative queries provide a mechanism for accessing domain-name information that resides across the
DNS system, and enable servers to resolve names quickly and efficiently across many servers.
When a DNS server receives a request that it cannot answer using its local information or its cached
lookups, it makes the same request to another DNS server by using an iterative query.
When a DNS server receives an iterative query, it might answer with either the IP address for the domain
name (if known) or with a referral to the DNS servers that are responsible for the domain being queried.
DNS Resource Records
The DNS zone file stores resource records.
Resource records specify a resource type and
the IP address to locate the resource. The most
common resource record is an A resource record.
This is a simple record that resolves a hostname
to an IP address. The host can be a workstation, server, or another network device, such as a
router.
Resource records also help find resources for
a particular domain. For instance, when an
Exchange server needs to find the server that
is responsible for delivering mail for another
domain, it will request that domain’s Mail Exchanger (MX) record, which points to the A record of the host
that is running the SMTP mail service.
Resource records also can contain custom attributes. MX records, for instance, have a preference attribute,
which is useful if an organization has multiple mail servers. This will inform the sending server which mail
server the receiving organization prefers. Service locator (SRV) records also contain information regarding
on which port the service is listening and the protocol that you should use to communicate with the
service.
The following table describes the most common resource records.

| DNS resource record | Description |
|---|---|
| Start of authority (SOA) resource record | The record identifies the primary name server for a DNS zone, as well as other specifics, such as Time to Live (TTL) and refresh. |
| Host address (A) resource record | The main record that resolves a host name to an IPv4 address. |
| Canonical name (CNAME) resource record | An alias record type that maps one name to another (for example, www.microsoft.com is a CNAME of the A record microsoft.com). |
| MX resource record | The record is used to specify an email server for a particular domain. |
| SRV resource record | The record identifies a service that is available in the domain. Active Directory uses these records extensively. |
| Name Server (NS) resource record | The record identifies a name server for a domain. |
| AAAA resource record | The main record that resolves a host name to an IPv6 address. |
| Pointer (PTR) resource record | The record is used to look up and map an IP address to a domain name. The reverse lookup zone stores the names. |
What Are Root Hints?
Root hints are the list of servers on the Internet
that your DNS server uses if it cannot resolve a
DNS query by using a DNS forwarder or its own
cache. The root hints are the highest servers in
the DNS hierarchy and can provide the necessary
information for a DNS server to perform an
iterative query to the next lowest layer of the
DNS namespace.
Root servers are installed automatically when
you install the DNS role. They are copied from the
cache.dns file that the DNS role setup files include.
You also can add root hints to a DNS server to
support lookups for noncontiguous domains within a forest.
When a DNS server communicates with a root hints server, it uses only an iterative query. If you select the
Do Not Use Recursion For This Domain option, the server will not be able to perform queries on the
root hints. If you configure the server to use a forwarder, it will attempt to send a recursive query to its
forwarding server. If the forwarding server does not answer this query, the server will respond that the
host could not be found. It is important to understand that recursion on a DNS server and recursive queries
are not the same thing. Recursion on a server means that the server will use its root hints and try to resolve
a DNS query. The next topic discusses iterative and recursive queries in more detail.
What Is Forwarding?
A forwarder is a DNS server-configuration setting
that forwards DNS queries for external DNS
names to DNS servers outside that network. You
also can use conditional forwarders to forward queries according to specific domain names.
A network DNS server is designated a forwarder
when the network’s other DNS servers forward
to it the queries that they cannot resolve locally.
By using a forwarder, you can manage name
resolution for names outside your network,
such as names on the Internet, and improve the
efficiency of name resolution for your network’s
computers.
The server that is forwarding requests in the network must be able to communicate with the DNS server
that is located on the Internet. This means that either you configure it to forward requests to another DNS
server or it uses root hints to communicate.
Best Practice
Use a central forwarding DNS server for Internet name resolution. This can improve performance, simplify
troubleshooting, and is a security best practice. You can isolate the forwarding DNS server on a perimeter
network, which ensures that no server within the network is communicating directly to the Internet.
Conditional Forwarding
A conditional forwarder is a configuration setting in the DNS server that forwards DNS queries according
to the query’s DNS domain name. For example, you can configure a DNS server to forward all queries that
it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP
addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.
Best Practice for Conditional Forwarding
Use conditional forwarders if you have multiple internal namespaces. This provides faster name resolution.
How DNS Server Caching Works
DNS caching increases the performance of an
organization’s DNS system by decreasing the
time it takes to provide DNS lookups.
When a DNS server resolves a DNS name
successfully, it adds the name to its cache.
Over time, this builds a cache of domain names
and their associated IP addresses for the most
common domains that the organization uses or
accesses.
Note: The default time to cache DNS data is
one hour. You can configure this by changing the SOA record for the appropriate DNS zone.
A caching-only server will not host any DNS zone data; it only answers lookups for DNS clients. This is the
ideal type of DNS server to use as a forwarder.
The DNS client cache is a DNS cache that the DNS Client service stores on the local computer. To view the
current client-side cache, run the ipconfig /displaydns command at the command prompt. If you must
clear the local cache, such as when you are troubleshooting name resolution, you can use ipconfig
/flushdns.
Note: You also can use the following Windows PowerShell® cmdlets:
• Clear-DnsClientCache to delete the DNS resolver cache
• Get-DnsClientCache to view the resolver cache
Demonstration: Configuring the DNS Server Role
This demonstration shows how to configure the DNS server properties.
Demonstration Steps
Configure DNS server properties
1. Switch to LON-DC1 and, if necessary, log on as Adatum\Administrator with the password
Pa$$w0rd.
2. Open the DNS console.
3. Review the properties of the LON-DC1 server:
a. On the Forwarders tab, you can configure forwarding.
b. On the Advanced tab, you can configure options including securing the cache against pollution,
and DNSSEC.
c. On the Root Hints tab, you can see the configuration for the root hints servers.
d. On the Debug Logging tab, you can configure debug logging options.
e. On the Event Logging tab, you can configure the level of event recording.
f. On the Monitoring tab, you can perform simple and recursive tests against the server.
g. On the Security tab, you can define permissions on the DNS infrastructure.
Configure conditional forwarding
• From the Conditional Forwarders node, you can configure conditional forwarding:
a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
b. Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then
press Enter. Validation will fail since this is just an example configuration.
Clear the DNS cache
• In the navigation pane, right-click LON-DC1, and then click Clear Cache.
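The forwarding, conditional-forwarding, recursion and cache-clearing settings that this lesson and the demonstration walk through, scripted with the DnsServer module cmdlets that the Windows Server 2012 DNS role installs. This is an added example, not course material; the forwarder address 10.10.0.53 is a made-up value, while contoso.com and 131.107.1.2 are the demonstration's own values.

```powershell
# Added example (not from the course). Run in an elevated Windows PowerShell
# session on the DNS server (LON-DC1 in the demonstration).
# 10.10.0.53 = assumed address of a central forwarder on the perimeter network.
Import-Module DnsServer

# 1. Standard forwarder. Queries this server cannot answer from its own zones or
#    cache go to the central forwarder. -UseRootHint $false stops the server from
#    falling back to root hints (and so to the Internet) when the forwarder does
#    not answer, which is the isolation the "Best Practice" above describes.
Set-DnsServerForwarder -IPAddress 10.10.0.53 -UseRootHint $false
Get-DnsServerForwarder

# 2. Conditional forwarder: only queries for names ending in contoso.com are sent
#    to 131.107.1.2; all other unresolvable queries still use the forwarder above.
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers 131.107.1.2

# 3. Root hints were copied from cache.dns when the role was installed; list them.
Get-DnsServerRootHint | Format-Table -AutoSize

# 4. Recursion settings (the Advanced tab). SecureResponse is "Secure cache against
#    pollution": answers unrelated to the name that was queried are not cached.
#    Disable recursion only on a server that should answer solely for the zones it
#    is authoritative for; with recursion off it neither forwards nor uses root hints.
Set-DnsServerRecursion -SecureResponse $true
Set-DnsServerRecursion -Enable $false      # authoritative-only server
Get-DnsServerRecursion                     # review the current settings
Set-DnsServerRecursion -Enable $true       # internal resolving server: recursion stays on

# 5. Contrast a recursive and an iterative query from a client. -NoRecursion asks
#    the server not to recurse: it answers from its zones or cache or returns a
#    referral, but does not contact forwarders or root servers on the client's behalf.
Resolve-DnsName -Name 'www.contoso.com' -Server 'LON-DC1' -DnsOnly
Resolve-DnsName -Name 'www.contoso.com' -Server 'LON-DC1' -DnsOnly -NoRecursion

# 6. Equivalent of "Clear Cache" in the DNS console: discard cached answers that
#    were obtained through the previous forwarding path.
Clear-DnsServerCache -Force
```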
Lesson 3
Configuring DNS Zones
DNS zones are an important concept in DNS infrastructure, because they enable you to logically separate
and manage DNS domains. This lesson provides the foundation for understanding how zones relate to
DNS domains, and provides information about the different types of DNS zones that are available in the
Windows Server 2012 DNS role.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain a DNS zone.
• Explain the various DNS zone types available in Windows Server 2012.
• Explain the purpose of forward and reverse lookup zones.
• Explain the purpose of stub zones.
• Explain how to create zones.
• Explain how you can use DNS zone delegation.
What Is a DNS Zone?
A DNS zone hosts all or a portion of a domain
and its subdomains. The slide illustrates how
subdomains can belong to the same zone as
their parents or can be delegated to another
zone. The microsoft.com domain is separated
into two zones. The first zone hosts the
www.microsoft.com and ftp.microsoft.com
records. Example.microsoft.com is delegated
to a new zone, which hosts the
example.microsoft.com subdomain, and its
records ftp.example.microsoft.com and
www.example.microsoft.com.
Note: The zone that hosts a root of the domain (microsoft.com) must delegate the
subdomain (example.microsoft.com) to the second zone. If this does not occur,
example.microsoft.com will be treated as if it were part of the first zone.
Zone data can be replicated to more than one server. This adds redundancy to a zone because the
information needed to find resources in the zone now exists on two or more servers. The level of
redundancy that is needed is one reason to create zones. If you have a zone that hosts critical server
resource records, it is likely that this zone will have a higher level of redundancy than a zone in which
noncritical devices are defined.
Characteristics of a DNS Zone
Zone data is maintained on a DNS server and is stored in one of two ways:
• In a flat zone file that contains mapping lists
• Integrated into Active Directory
A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that
the clients request in the zone file.
What Are the DNS Zone Types?
The four DNS zone types are:
• Primary
• Secondary
• Stub
• Active Directory-integrated
Primary Zone
When a zone that a DNS server hosts is a primary
zone, the DNS server is the primary source for
information about this zone, and it stores the
master copy of zone data in a local file or in
AD DS. When the DNS server stores the zone in a file, the primary zone file is, by default, named
zone_name.dns, and is located in the %windir%\System32\Dns folder on the server. When the zone is
not stored in Active Directory, the DNS server hosting the primary zone is the only DNS server that has
a writable copy of the zone file.
Secondary Zone
When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the
zone information. The zone at this server must be obtained from another remote DNS server that also
hosts the zone. This DNS server must have network access to the remote DNS server to receive updated
zone information. Because a secondary zone is a copy of a primary zone that another server hosts, it
cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from DNS zones
that are not on Windows or you are running DNS on servers that are not AD DS domain controllers.
Stub Zone
Windows Server 2003 introduced stub zones, which solve several problems with large DNS namespaces
and multiple-tree forests. A multiple-tree forest is an Active Directory forest that contains two different
top-level domain names.
Active Directory–Integrated Zone
If Active Directory stores the zone, DNS can take advantage of the multimaster replication model to
replicate the primary zone. This enables you to edit zone data on any DNS server. Windows Server 2008
introduced a new concept called a read-only domain controller (RODC). Active Directory–integrated
zone data can be replicated to domain controllers, even if the DNS role is not installed on the domain
controller. If the server is a read-only domain controller, a local process cannot write to the data.
What Are Forward and Reverse Lookup Zones?
Zones can be either forward or reverse, sometimes
known as inverse zones.
Forward Lookup Zone
The forward lookup zone resolves host names
to IP addresses and hosts the common resource
records: A, CNAME, SRV, MX, SOA, TXT, and NS.
Reverse Lookup Zone
The reverse lookup zone resolves an IP address to
a domain name, and hosts SOA, NS, and PTR
records.
A reverse zone functions in the same manner as a forward zone, but the IP address is the part of the query
and the host name is the returned information. Reverse zones are not always configured, but you should
configure them to reduce warning and error messages. Many standard Internet protocols rely on reverse
zone lookup data to validate forward zone information. For example, if the forward lookup indicates that
training.contoso.com is resolved to 192.168.2.45, you can use a reverse lookup to confirm that
192.168.2.45 is associated with training.contoso.com.
Having a reverse zone is important if you have applications that rely on looking up hosts by their IP
addresses. Many applications will log this information in security or event logs. If you see suspicious
activity from a particular IP address, you can resolve the host by using the reverse zone information.
Many email security gateways use reverse lookups to validate that the IP address that is sending messages
is associated with a domain.
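The record types from the table in "DNS Resource Records" and the forward/reverse consistency check that this topic describes, as an added example that is not part of the course. It creates the contoso.com forward zone and its reverse zone, adds A, CNAME, MX and SRV records, and then confirms for an address that the PTR and A data agree; all names and addresses are illustrative lab values.

```powershell
# Added example (not from the course). Run in an elevated session on the DNS server.
# contoso.com, training.contoso.com, 192.168.2.x and mail1/mail2 are illustrative.
Import-Module DnsServer

# Forward lookup zone (file-backed primary) and the reverse zone for 192.168.2.0/24.
Add-DnsServerPrimaryZone -Name 'contoso.com' -ZoneFile 'contoso.com.dns' -DynamicUpdate None
Add-DnsServerPrimaryZone -NetworkId '192.168.2.0/24' -ZoneFile '2.168.192.in-addr.arpa.dns'

# A records. -CreatePtr writes the matching PTR into the reverse zone at the same
# time, so forward and reverse data do not drift apart at creation.
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'training' -IPv4Address 192.168.2.45 -CreatePtr
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'mail1'    -IPv4Address 192.168.2.25 -CreatePtr
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'mail2'    -IPv4Address 192.168.2.26 -CreatePtr

# CNAME: an alias that points at a name which itself has an A record.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' -Name 'www' -HostNameAlias 'training.contoso.com'

# MX at the zone apex ("."): the preference attribute ranks the mail servers,
# lowest value first, which is how a sending server learns which one to try.
Add-DnsServerResourceRecordMX -ZoneName 'contoso.com' -Name '.' -MailExchange 'mail1.contoso.com' -Preference 10
Add-DnsServerResourceRecordMX -ZoneName 'contoso.com' -Name '.' -MailExchange 'mail2.contoso.com' -Preference 20

# SRV: the _service._protocol owner name carries the protocol, the record carries
# the port (here LDAP over TCP on 389, the shape that AD DS registers).
Add-DnsServerResourceRecord -Srv -ZoneName 'contoso.com' -Name '_ldap._tcp' `
    -DomainName 'training.contoso.com' -Priority 0 -Weight 100 -Port 389

# Forward-confirmed reverse lookup: IP -> PTR -> name -> A, and the original
# address must appear among the A answers. Confirmed is $false when either
# lookup fails, which is the case a mail gateway treats as suspicious.
function Test-ForwardConfirmedReverseDns {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Server = '127.0.0.1'        # DNS server to ask; default is this server
    )
    $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $hostName = ($ptr | Where-Object Type -eq 'PTR' | Select-Object -First 1).NameHost
    if (-not $hostName) {
        return [pscustomobject]@{ IPAddress = $IPAddress; HostName = $null; Confirmed = $false }
    }
    $fwd = Resolve-DnsName -Name $hostName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $addresses = @($fwd | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    [pscustomobject]@{
        IPAddress = $IPAddress
        HostName  = $hostName
        Confirmed = ($addresses -contains $IPAddress)
    }
}

Test-ForwardConfirmedReverseDns -IPAddress 192.168.2.45   # address with a PTR and a matching A record
Test-ForwardConfirmedReverseDns -IPAddress 192.168.2.99   # address with no PTR record
```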
Overview of Stub Zones
A stub zone is a replicated copy of a zone that
contains only those resource records necessary to
identify that zone’s authoritative DNS servers. A
stub zone resolves names between separate DNS
namespaces, which might be necessary when a
corporate merger requires that the DNS servers
for two separate DNS namespaces resolve names
for clients in both namespaces.
A stub zone consists of the following:
• The delegated zone’s SOA resource record,
NS resource records, and A resource records.
• The IP address of one or more master servers that you can use to update the stub zone.
The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone,
usually the DNS server that is hosting the primary zone for the delegated domain name.
Stub Zone Resolution
When a DNS resolver performs a recursive query operation on a DNS server that is hosting a stub zone,
the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an
iterative query to the authoritative DNS servers that the stub zone’s NS resource records specify as if it
were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers
in its stub zone, the DNS server that is hosting the stub zone attempts standard recursion by using root
hints.
The DNS server will store the resource records it receives from the authoritative DNS servers that a stub
zone in its cache lists, but it will not store these resource records in the stub zone itself. Only the SOA, NS,
and glue A resource records returned in response to the query are stored in the stub zone. The resource
records that the cache stores are cached according to the TTL value in each resource record. The SOA, NS,
and glue A resource records, which are not written to cache, expire according to the expire interval that
the stub zone’s SOA record specifies. During the stub zone’s creation, the SOA record is created. SOA
record updates occur during transfers to the stub zone from the original, primary zone.
If the query was an iterative query, the DNS server returns a referral containing the servers that the stub
zone specifies.
Communication between DNS Servers That Host Parent and Child Zones
A DNS server that delegates a domain to a child zone on a different DNS server is made aware of new
authoritative DNS servers for the child zone only when resource records for them are added to the parent
zone that the DNS server hosts. This is a manual process that requires administrators for the different DNS
servers to communicate often. Stub zones enable a DNS server that is hosting a stub zone for one of its
delegated domains to obtain updates of the authoritative DNS servers for the child zone when the stub
zone is updated. The update is performed from the DNS server that is hosting the stub zone, and the
administrator for the DNS server that is hosting the child zone does not need to be contacted.
Contrasting Stub Zones and Conditional Forwarders
There might be some confusion about when to use conditional forwarders rather than stub zones. This is
because both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding
to, a different DNS server. However, these settings have different purposes:
• A conditional forwarder setting configures the DNS server to forward a query that it receives to a DNS
server, depending on the DNS name that the query contains.
• A stub zone keeps the DNS server that is hosting a parent zone aware of all the DNS servers that are
authoritative for a child zone.
When to Use Conditional Forwarders
If you want DNS clients on separate networks to resolve the names of each other without having to query
Internet DNS servers, such as when a company merger occurs, you should configure each network’s DNS
servers to forward queries for names in the other network. DNS servers in one network will forward names
for clients in the other network to a specific DNS server, which builds a large information cache about the
other network. This allows you to create a direct point of contact between two networks’ DNS servers,
which reduces the need for recursion.
Stub zones do not provide the same server-to-server benefit, however. This is because a DNS server that
is hosting a stub zone in one network replies to queries for names in the other network with a list of all
authoritative DNS servers for the zone with that name, rather than the specific DNS servers that you
designated to handle this traffic. This configuration complicates any security settings that you want to
establish between specific DNS servers that are running in each of the networks.
When to Use Stub Zones
Use stub zones when you want a DNS server to remain aware of the authoritative DNS servers for a
foreign zone.
A conditional forwarder is not an efficient way to keep a DNS server that is hosting a parent zone aware
of the authoritative DNS servers for a child zone. This is because whenever the authoritative DNS servers
for the child zone change, you have to configure the conditional forwarder setting manually on the DNS
server that hosts the parent zone. Specifically, you must update the IP address for each new authoritative
DNS server for the child zone.
Demonstration: Creating Zones
This demonstration shows how to:
• Create a reverse lookup zone.
• Create a forward lookup zone.
Demonstration Steps
Create a reverse lookup zone
1. Switch to LON-DC1, and then create a new reverse lookup zone for the 172.16.0.0 IPv4 subnet.
2. Enable dynamic updates on the zone.
Create a forward lookup zone
1. Switch to LON-SVR1, and then open the DNS console.
2. Create a new forward lookup zone.
3. Configure the type as secondary, and then define LON-DC1 as the Master server for this zone.
DNS Zone Delegation
DNS is a hierarchical system, and zone
delegation connects the DNS layers together. A
zone delegation points to the next hierarchical
level down, and identifies the name servers that
are responsible for the lower-level domain.
When deciding whether to divide the DNS
namespace to make additional zones, consider
the following reasons to use additional zones:
• You need to delegate management of a part of the DNS namespace to another organizational location
or department.
• You need to divide one large zone into smaller zones so you can distribute traffic loads among
multiple servers. This improves DNS name-resolution performance, and it creates a more fault-
tolerant DNS environment.
• You need to extend the namespace by adding numerous subdomains immediately to accommodate
the opening of a new branch or site.
Lesson 4
Configuring DNS Zone Transfers
DNS zone transfers determine how the DNS infrastructure moves DNS zone information from one server
to another. Without zone transfers, the various name servers in your organization maintain disparate
copies of the zone data. You also should consider that the zone contains sensitive data, and securing zone
transfers is important. This lesson covers the different methods that the DNS server role uses when
transferring zones.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how DNS zone transfers work.
• Explain how to configure zone transfer security.
• Explain how to configure DNS zone transfers.
What Is a DNS Zone Transfer?
A zone transfer occurs when you replicate the
DNS zone that is on one server to another DNS
server.
Zone transfers synchronize primary and secondary
DNS server zones. This is how DNS builds its
resilience on the Internet. It is important that DNS
zones remain updated on primary and secondary
servers. Discrepancies in primary and secondary
zones can cause service outages and host names that are resolved incorrectly.
Zone transfers can happen in one of three ways:
• Full zone transfer. A full zone transfer occurs when you copy the entire zone from one DNS server to
another. A full zone transfer is known as an All Zone Transfer (AXFR).
• Incremental zone transfer. An incremental zone transfer occurs when there is an update to the DNS
server and only the resource records that were changed are replicated to the other server. This is an
Incremental Zone Transfer (IXFR).
• Fast transfer. Windows DNS servers also perform fast transfers, which is a type of zone transfer that
uses compression and sends multiple resource records in each transmission.
Not all DNS server implementations support incremental and fast zone transfers. When integrating a
Windows 2012 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure
that the features you need are supported by the BIND version that is installed.
The following table lists the features that various DNS servers support.

| DNS server | Full zone (AXFR) | Incremental zone (IXFR) | Fast transfer |
|---|---|---|---|
| BIND older than 4.9.4 | Supported | Not supported | Not supported |
| BIND 4.9.4 – 8.1 | Supported | Not supported | Supported |
| BIND 8.2 | Supported | Supported | Supported |
| Windows 2000 Service Pack 3 (SP3) | Supported | Supported | Supported |
| Windows 2003 (R2) | Supported | Supported | Supported |
| Windows 2008 and R2 | Supported | Supported | Supported |
| Windows 2012 | Supported | Supported | Supported |
Active Directory-integrated zones replicate by using multimaster AD DS replication instead of the zone
transfer process. This means that any standard domain controller that also holds the DNS role can update
the DNS zone information, which then replicates to all DNS servers that host the DNS zone.
DNS Notify
DNS notify is used by a master server to alert its configured secondary servers that zone updates are
available. The secondary servers then petition their master to obtain the updates. DNS notify is an update
to the original DNS protocol specification that permits notification to secondary servers when zone
changes occur. This is useful in a time-sensitive environment, where data accuracy is important.
Configuring Zone Transfer Security
Zone information provides organizational data,
so you should take precautions to ensure it is
protected from access by malicious users, and that
it cannot be overwritten with bad data, which is
known as DNS poisoning. One way to protect the
DNS infrastructure is to secure the zone transfers.
On the Zone Transfers tab in the Zone
Properties dialog box, you can specify the list
of allowed DNS servers. You also can use these
options to disallow zone transfer. By default, zone
transfers are turned off.
Although the option that specifies the servers that
might request zone data provides security by limiting the data recipients, it does not secure that data
during transmissions. If the zone information is highly confidential, we recommend that you use an
Internet Protocol Security (IPsec) policy to secure the transmission or replicate the zone data over a
virtual private network (VPN) tunnel. This prevents packet sniffing to determine information in the data
transmission.
Using Active Directory–integrated zones replicates the zone data as part of normal AD DS replications.
The zone transfer is then secured as a part of AD DS replication.
Demonstration: Configuring DNS Zone Transfers
This demonstration shows you how to:
• Enable DNS zone transfers.
• Update the secondary zone from the master server.
• Update the primary zone, and then verify the change on the secondary zone.
Demonstration Steps
Enable DNS zone transfers
1. On LON-DC1, enable zone transfers by configuring the Allow zone transfers option.
2. Configure zone transfers to Only to servers listed on the Name Servers tab.
3. Enable Notify to Only to servers listed on the Name Servers tab.
4. Add LON-SVR1.adatum.com as a listed name server to receive transfers.
Update the secondary zone from the master server
• Switch to LON-SVR1 and in the DNS Manager, select Transfer from Master. It is sometimes
necessary to perform this step a number of times before the zone transfers. Also, note that the
transfer might occur automatically at any time.
Update the primary zone, and then verify the change on the secondary zone
1. Switch back to LON-DC1, and then create a new alias record.
2. Switch back to LON-SVR1, and then verify that the new record is present in the secondary zone. This
may require a manual Transfer from Master and a screen refresh before the record is visible.
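The "Creating Zones" and "Configuring DNS Zone Transfers" demonstrations, together with the transfer restrictions from "Configuring Zone Transfer Security", scripted with the DnsServer module as an added example that is not part of the course. It assumes LON-DC1 is 172.16.0.10, LON-SVR1 is 172.16.0.21, the reverse zone covers 172.16.0.0/24, and the session runs on LON-DC1 under an account that administers both servers.

```powershell
# Added example (not from the course). Assumed lab values: LON-DC1 = 172.16.0.10,
# LON-SVR1 = 172.16.0.21, reverse zone for 172.16.0.0/24.
Import-Module DnsServer
$primary   = 'LON-DC1'
$secondary = 'LON-SVR1'
$primaryIp = '172.16.0.10'
$zone      = 'adatum.com'

# --- Creating Zones demo, on LON-DC1: AD-integrated reverse lookup zone for
#     172.16.0.0 that accepts only secure (authenticated) dynamic updates.
Add-DnsServerPrimaryZone -ComputerName $primary -NetworkId '172.16.0.0/24' `
    -ReplicationScope Domain -DynamicUpdate Secure

# --- Zone transfer security, on LON-DC1. The default is no transfers at all.
#     TransferToZoneNameServer = "Only to servers listed on the Name Servers tab";
#     Notify = send DNS Notify to those same servers when the zone changes.
#     LON-SVR1 becomes a listed name server by getting an NS record in the zone.
Add-DnsServerResourceRecord -ComputerName $primary -ZoneName $zone -NS -Name '.' `
    -NameServer "$secondary.$zone"
Set-DnsServerPrimaryZone -ComputerName $primary -Name $zone `
    -SecureSecondaries TransferToZoneNameServer -Notify Notify
Get-DnsServerZone -ComputerName $primary -Name $zone |
    Format-List ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# --- Creating Zones demo, on LON-SVR1: secondary copy with LON-DC1 as master.
#     A secondary zone is always file-backed; it cannot be stored in AD DS.
Add-DnsServerSecondaryZone -ComputerName $secondary -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers $primaryIp
# "Transfer from Master" now, without waiting for the SOA refresh timer or a Notify.
Start-DnsServerZoneTransfer -ComputerName $secondary -Name $zone -FullTransfer

# --- Change the primary, then verify on the secondary.
Add-DnsServerResourceRecordCName -ComputerName $primary -ZoneName $zone `
    -Name 'intranet' -HostNameAlias "$secondary.$zone"
Start-DnsServerZoneTransfer -ComputerName $secondary -Name $zone     # incremental (IXFR)
Get-DnsServerResourceRecord -ComputerName $secondary -ZoneName $zone -Name 'intranet' -RRType CName

# Both copies should now carry the same SOA serial number; a lasting mismatch
# means transfers are failing (check the transfer restrictions above first).
foreach ($srv in $primary, $secondary) {
    $soa = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $zone -RRType Soa
    '{0}: SOA serial {1}' -f $srv, $soa.RecordData.SerialNumber
}
```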
Lesson 5
Managing and Troubleshooting DNS
DNS is a crucial service in the Active Directory infrastructure. When the DNS service experiences problems,
it is important to know how to troubleshoot them and identify the common issues that can occur in a
DNS infrastructure. This lesson covers the common problems that occur in DNS, the common areas from
which you can gather DNS information, and the tools that you can use to troubleshoot problems.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how TTL, aging, and scavenging help to manage DNS records.
• Explain how to manage TTL, aging, and scavenging for DNS records.
• Explain how to identify problems with DNS by using DNS tools.
• Describe how to troubleshoot DNS by using DNS tools.
• Explain how to monitor DNS by using the DNS Event Log and debug logging.
What Is TTL, Aging, and Scavenging?
TTL, aging, and scavenging help manage DNS
resource records in the zone files. Zone files can
change over time, so there needs to be a way to
manage DNS records that are updated or that are
not valid because the hosts they represent are no
longer on the network.
The following table describes the DNS tools that
help to maintain a DNS database.
| Tool | Description |
|---|---|
| TTL | Indicates how long a DNS record remains valid and ineligible for scavenging. |
| Aging | Occurs when records inserted into the DNS server reach their expiration and are removed. This keeps the zone database accurate. During normal operations, aging should take care of stale DNS resource records. |
| Scavenging | Performs DNS server resource record grooming for old records in DNS. If resource records have not been aged, an administrator can scavenge the zone database for stale records to force a database cleanup. |
If left unmanaged, the presence of stale resource records in zone data might cause problems. For
example:
• If a large number of stale resource records remain in server zones, they eventually can use up server
disk space and cause unnecessarily long zone transfers.
• A DNS server that is loading zones with stale resource records might use outdated information to
answer client queries, which could cause the client computers to experience name resolution or
connectivity problems on the network.
• The accumulation of stale resource records on the DNS server might degrade its performance and
responsiveness.
• In some cases, the presence of a stale resource record in a zone could prevent another computer or
host device from using a DNS domain name.
To solve these problems, the DNS Server service has the following features:
• Time stamping, based on the current date and time that is set at the server computer, for any
resource records that are added dynamically to primary-type zones. Additionally, time stamps are
recorded in standard primary zones where you enable aging and scavenging.
• For resource records that you add manually, you use a time-stamp value of zero to indicate that the
aging process does not affect these records and that they can remain without limitation in zone data
unless you otherwise change their time stamp or delete them.
• Aging of resource records in local data, based on a specified refresh time period, for any eligible
zones.
• Only primary type zones that the DNS Server service loads are eligible to participate in this process.
• Scavenging for any resource records that persist beyond the specified refresh period.
When a DNS server performs a scavenging operation, it can determine that resource records have aged to
the point of becoming stale, and then remove them from zone data. You can configure servers to perform
recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at
the server.
Note: By default, the aging and scavenging mechanism for the DNS Server service is
disabled. You should enable it only when all parameters are understood fully. Otherwise, you
could configure the server to delete records accidentally that you should not delete. If a record
is deleted accidentally, not only will users fail to resolve queries for that record, but any user can
create the record and take ownership of it, even on zones that you configure for secure dynamic
update. This is a significant security risk.
The server uses the contents of each time stamp for specific resource records, as well as other aging
and scavenging properties that you can adjust or configure, to determine when it scavenges records.
Prerequisites for Aging and Scavenging
Before you can use the aging and scavenging features of DNS, several conditions must be met:
• You must enable scavenging and aging at the DNS server and on the zone. By default, aging and
scavenging of resource records is disabled.
• You must add resource records to zones dynamically or manually modify them for use in aging and
scavenging operations.
Typically, only those resource records that you add dynamically by using the DNS dynamic update
protocol are subject to aging and scavenging.
For records that you add to zones by loading a text-based zone file from another DNS server or by
manually adding them to a zone, a time stamp of zero is set. This makes these records ineligible for use in
aging and scavenging operations.
To change this default, you can administer these records individually to reset and permit them to use a
current (nonzero) time-stamp value. This enables these records to become aged and scavenged.
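The audit a practitioner wants before switching scavenging on, as an added example that is not part of the course material: it lists the records a scavenging pass would remove (time stamp older than the no-refresh plus refresh intervals), then enables aging on the zone and scavenging on the server with explicit intervals. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the zone name is the lab's Adatum.com and the 7-day intervals are the product defaults.

```powershell
# Added example, not from the course material. Assumes the DnsServer module.
Import-Module DnsServer

function Get-ScavengingCandidate {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # A record becomes eligible once its time stamp is older than NoRefreshInterval + RefreshInterval.
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $staleBefore = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
        Where-Object {
            # Static records carry a time stamp of zero (shown as empty) and are never scavenged.
            $_.Timestamp -and $_.Timestamp -lt $staleBefore
        } |
        Select-Object HostName, RecordType, Timestamp,
            @{ Name = 'ZoneAgingEnabled'; Expression = { $aging.AgingEnabled } }
}

function Enable-ZoneScavenging {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [timespan] $NoRefreshInterval  = (New-TimeSpan -Days 7),
        [timespan] $RefreshInterval    = (New-TimeSpan -Days 7),
        [timespan] $ScavengingInterval = (New-TimeSpan -Days 7),
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Both prerequisites named in the text: aging on the zone ...
    Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
        -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval `
        -ComputerName $ComputerName

    # ... and the scavenging schedule on the server. The console's
    # "Set Aging/Scavenging for All Zones" corresponds to adding -ApplyOnAllZones here.
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $ScavengingInterval `
        -ComputerName $ComputerName
}

# Review first: a scavenged name can be re-registered by any client, so nothing that
# still matters should appear on this list.
Get-ScavengingCandidate -ZoneName 'Adatum.com' | Format-Table -AutoSize
# Enable-ZoneScavenging -ZoneName 'Adatum.com'   # run once the list has been reviewed
```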
Demonstration: Managing DNS Records
This demonstration shows how to:
• Configure TTL.
• Enable and configure scavenging and aging.
Demonstration Steps
Configure TTL
1. Switch to LON-DC1, and then open the Adatum.com zone properties.
2. On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.
Enable and configure scavenging and aging
1. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure
aging and scavenging options.
2. Enable Scavenge stale resource records, and then use the default values.
Demonstration: Testing the DNS Server Configuration
Issues can occur when you do not configure the DNS server, and its zones and resource records, properly.
When resource records are causing issues, it can sometimes be more difficult to identify the issue because
configuration problems are not always obvious.
The following table lists possible configuration issues that can cause DNS problems.
Missing records: Records for a host are not in the DNS server. They might have been scavenged prematurely. This can result in workstations not being able to connect with each other.
Incomplete records: Records that are missing information required to locate the resource they represent can cause clients requesting the resource to use invalid information. For example, a service record that does not contain a needed port address is incomplete.
Incorrectly configured records: Records that are pointing to an invalid IP address or have invalid information in their configuration will cause problems when DNS clients try to find resources.
The tools used to troubleshoot these and other configuration issues are:
• Nslookup. Use this tool to query DNS information. The tool is flexible, and it can provide valuable
information about DNS server status. You also can use it to look up resource records and validate
their configuration. Additionally, you can test zone transfers, security options, and MX record
resolution.
Note: You can use the Windows PowerShell cmdlet Resolve-DnsName to perform similar
functions to Nslookup when troubleshooting DNS.
• Windows PowerShell. You can use Windows PowerShell cmdlets to configure and troubleshoot various
DNS aspects.
• Dnscmd. Manage the DNS Server service with this command-line interface. This utility is useful in
scripting batch files to help automate routine DNS management tasks or to perform simple
unattended setup and configuration of new DNS servers on your network.
• IPconfig. Use this command to view and modify IP configuration details that the computer uses. This
utility includes additional command-line options that you can use to troubleshoot and support DNS
clients. You can view the client local DNS cache by using the command ipconfig /displaydns, and
you can clear the local cache using ipconfig /flushdns.
Note: You can also use the following Windows PowerShell cmdlets:
o Clear-DnsClientCache to delete the DNS resolver cache
o Get-DnsClientCache to view the resolver cache
• Monitoring tab on DNS server. In the DNS server Monitoring tab, you can configure a test that allows
the DNS server to determine whether it can resolve simple local queries and perform a recursive
query to ensure that the server can communicate with upstream servers. You also can schedule these
tests for regular intervals.
These are basic tests, but they provide a good place to start troubleshooting the DNS service. Possible
causes for a test to fail include:
o The DNS Server service has failed.
o The upstream server is not available on the network.
This demonstration shows how to use Nslookup.exe to test the DNS server configuration.
Demonstration Steps
1. Open a command prompt, and then run the following command:
nslookup -d2 LON-svr1.Adatum.com
2. Review the information provided by nslookup.
Monitoring DNS by Using the DNS Event Log
The DNS server has its own category in the event
log. As with any event log in Windows® Event
Viewer, you should review the event log
periodically.
Common DNS Events
The following table describes common DNS
events.
Event ID 2: The DNS server has started. This message generally appears at startup when either the server computer or the DNS Server service is started.
Event ID 3: The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS Server service is stopped manually.
Event ID 408: The DNS server could not open socket for address [IPaddress]. Verify that this is a valid IP address for the server computer.
To correct the problem, you can do the following:
1. If the specified IP address is not valid, remove it from the list of restricted interfaces for the server and restart the server.
2. If the specified IP address is no longer valid and was the only address enabled for the DNS server to use, the server might not have started as a result of this configuration error. To correct this problem, delete the following value from the registry and restart the DNS server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\ListenAddress
3. If the IP address for the server computer is valid, verify that no other application that would attempt to use the same DNS server port (such as another DNS server application) is running. By default, DNS uses TCP port 53.
Event ID 413:
• The DNS server sends requests to other DNS servers on a port other than its default port (TCP port 53).
• This DNS server is multihomed and has been configured to restrict DNS Server service to only some of its configured IP addresses. For this reason, there is no assurance that DNS queries that this server makes to other remote DNS servers will be sent by using one of the IP addresses that was enabled for the DNS server.
• This might prevent query answer responses that these servers return from being received on the DNS port that the server is configured to use. To avoid this problem, the DNS server sends queries to other DNS servers using an arbitrary non-DNS port, and the response is received regardless of the IP address used.
• If you want to limit the DNS server to using only its configured DNS port for sending queries to other DNS servers, use the DNS console to perform one of the following changes in server properties configuration on the Interfaces tab:
o Select All IP addresses to enable the DNS server to listen on all configured server IP addresses.
o Select Only the following IP addresses to limit the IP address list to a single server IP address.
Event ID 414: The server computer currently has no primary DNS suffix configured. Its DNS name currently is a single label host name. For example, its configured name is host rather than host.example.microsoft.com or another FQDN.
Although the DNS server has only a single label name, default resource records created for its configured zones use only this single label name when mapping the host name for this DNS server. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name.
In general, you should reconfigure the DNS server with a full DNS computer name that is appropriate for its domain or workgroup use on your network.
Event ID 708: The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server, but will not be authoritative for any zones.
Event ID 3150: The DNS server wrote a new version of zone [zonename] to file [filename]. You can view the new version number by clicking the Record Data tab.
This event should appear only if you configure the DNS server to operate as a root server.
Event ID 6527: Zone [zonename] expired before it could obtain a successful zone transfer or update from a master server that is acting as its source for the zone. The zone has been shut down.
This event ID might appear when you configure the DNS server to host a secondary copy of the zone from another DNS server that is acting as its source or master server. Verify that this server has network connectivity to its configured master server.
If the problem continues, consider one or more of the following options:
1. Delete the zone and recreate it, specifying either a different master server, or an updated and corrected IP address for the same master server.
2. If zone expiration continues, consider adjusting the expiration interval.
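A periodic review of the events in the table above, as an added example that is not part of the course material: it reads the listed event IDs from the DNS Server event log and labels each with a short summary paraphrased from the table, so the failure events (socket errors, expired secondary zones, caching-only start-up) stand out. It assumes the DNS Server role on the target computer and permission to read its event log.

```powershell
# Added example, not from the course material. Summaries are paraphrased from the event table above.
$dnsEventSummary = @{
    2    = 'DNS server started'
    3    = 'DNS server shut down'
    408  = 'Could not open a socket for a configured IP address'
    413  = 'Queries to other servers sent from a non-default port (restricted interfaces)'
    414  = 'No primary DNS suffix; server name is a single label'
    708  = 'No primary or secondary zones; running as caching-only'
    3150 = 'New zone version written to file'
    6527 = 'Secondary zone expired without a successful transfer; zone shut down'
}

function Get-DnsServerHealthEvent {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours = 24,
        [int[]]  $Id = [int[]] $dnsEventSummary.Keys
    )

    $filter = @{
        LogName   = 'DNS Server'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                Summary = $dnsEventSummary[$_.Id]
                Message = $_.Message
            }
        }
}

# Events that mean the server is not answering, or a secondary zone has gone dark, are the
# ones to alert on; the remainder are informational context for the review.
$events = Get-DnsServerHealthEvent -Hours 168
$events | Where-Object Id -in 408, 708, 6527 | Format-Table Time, Id, Summary -AutoSize
$events | Group-Object Id | Select-Object Name, Count
```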
Monitoring DNS by Using Debug Logging
Sometimes it might be necessary to get more
details about a DNS problem than what the Event
Viewer provides. In this instance, you can use
debug logging to provide additional information.
The following DNS debug logging options are
available:
• Direction of packets. This option has the following settings:
o Send. The DNS server log file logs packets that the DNS server sends.
o Receive. The log file logs packets that the DNS server receives.
• Content of packets. This option has the following settings:
o Standard query. Specifies that packets containing standard queries, according to Request for
Comments (RFC) 1034, are logged in the DNS server log file.
o Updates. Specifies that packets containing dynamic updates, according to RFC 2136, are logged
in the DNS server log file.
o Notifies. Specifies that packets containing notifications, according to RFC 1996, are logged in the
DNS server log file.
• Transport protocol. This option has the following settings:
o UDP. Specifies that packets sent and received over User Datagram Protocol (UDP) are logged in
the DNS server log file.
o TCP. Specifies that packets sent and received over TCP are logged in the DNS server log file.
• Type of packet. This option has the following settings:
o Request. Specifies that request packets are logged in the DNS server log file. A request packet is
characterized by a Query/Response (QR) bit set to zero in the DNS message header.
A QR bit is a one-bit field that specifies whether this message is a query (0) or a response (1).
o Response. Specifies that response packets are logged in the DNS server log file. A response packet
is characterized by a QR bit set to 1 in the DNS message header.
• Enable filtering based on IP address. This option provides additional filtering of packets that are
logged in the DNS server log file. This option allows logging of packets that are sent from specific IP
addresses to a DNS server or from a DNS server to specific IP addresses.
• Log file maximum size limit. This option allows you to set the maximum file size for the DNS server
log file. When the DNS server log file reaches its specified maximum size, the DNS server overwrites
the oldest packet information with new information.
If you do not specify a maximum log-file size, the DNS server log file can consume a large amount of
hard-disk space.
By default, all debug logging options are disabled. When you enable them selectively, the DNS Server
service can perform additional trace-level logging of selected types of events or messages for general
troubleshooting and server debugging.
Debug logging can be resource intensive, affecting overall server performance and consuming disk space.
Therefore, you should use it only on a temporary basis, when you need more detailed server-performance
information.
Note: Dns.log contains debug logging activity. By default, it is located in the
%systemroot%\System32\Dns folder.
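The options above mapped onto the DnsServer module, as an added example that is not part of the course material: it enables logging for received queries and dynamic updates only, with a size cap, and then summarizes the resulting Dns.log by client, by queried name and by dynamic-update source. It assumes the DnsServer module on the server being configured; the log path is the default the note gives, and the sample log lines at the bottom are constructed in the layout the debug log uses, not a real capture.

```powershell
# Added example, not from the course material. Assumes the DnsServer module.
Import-Module DnsServer

function Enable-DnsQueryDebugLog {
    param(
        [string] $ComputerName,
        [string] $LogFilePath = "$env:SystemRoot\System32\Dns\dns.log",
        [uint32] $MaxFileSizeBytes = 500000000,   # cap the log; 500000000 is the default Get-DnsServerDiagnostics reports
        [string[]] $FilterIPAddressList           # optional: log only traffic with these hosts
    )
    $settings = @{
        ReceivePackets       = $true    # direction: Receive
        Queries              = $true    # content:   standard queries (RFC 1034)
        Update               = $true    # content:   dynamic updates (RFC 2136)
        UdpPackets           = $true    # transport: UDP
        TcpPackets           = $true    # transport: TCP
        QuestionTransactions = $true    # type:      requests (QR bit = 0)
        EnableLoggingToFile  = $true
        LogFilePath          = $LogFilePath
        MaxMBFileSize        = $MaxFileSizeBytes
    }
    if ($ComputerName)        { $settings.ComputerName = $ComputerName }
    if ($FilterIPAddressList) { $settings.FilterIPAddressList = $FilterIPAddressList }
    Set-DnsServerDiagnostics @settings
}

function Disable-DnsDebugLog {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Debug logging is resource intensive; switch every option back off when the capture is done.
    Set-DnsServerDiagnostics -All $false -ComputerName $ComputerName
}

# One packet line of Dns.log, after the remote IP: Xid, "R" for a response or blank for a
# query, opcode (Q standard query, N notify, U update), [flags], question type, question name.
$packetLine = '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>[0-9A-Fa-f.:]+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<qr>R?)\s+(?<op>[QNU?])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>\S+)'

function ConvertFrom-DnsDebugLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -match $packetLine) {
            [pscustomobject]@{
                Protocol   = $Matches.proto
                Direction  = $Matches.dir
                RemoteIP   = $Matches.ip
                IsResponse = ($Matches.qr -eq 'R')
                Opcode     = $Matches.op
                QueryType  = $Matches.qtype
                # "(8)lon-svr1(6)adatum(3)com(0)" -> "lon-svr1.adatum.com"
                Name       = ([regex]::Replace($Matches.name, '\(\d+\)', '.')).Trim('.')
            }
        }
    }
}

function Get-DnsDebugLogSummary {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $packets = $Lines | ConvertFrom-DnsDebugLog
    $queries = $packets | Where-Object { -not $_.IsResponse -and $_.Opcode -eq 'Q' }
    [pscustomobject]@{
        QueriesByClient = $queries | Group-Object RemoteIP | Sort-Object Count -Descending | Select-Object Name, Count
        TopNames        = $queries | Group-Object Name | Sort-Object Count -Descending | Select-Object -First 5 Name, Count
        # Dynamic-update sources: anything that is not a known domain member is worth a look.
        UpdateSources   = $packets | Where-Object { $_.Opcode -eq 'U' } | Select-Object RemoteIP, Name -Unique
    }
}

# Constructed sample lines in the Dns.log layout (not a real capture).
$sample = @(
  '8/21/2019 10:15:30 AM 0C8C PACKET  000000E4A1B2C3D0 UDP Rcv 172.16.0.40     0002   Q [0001   D   NOERROR] A      (8)lon-svr1(6)adatum(3)com(0)',
  '8/21/2019 10:15:30 AM 0C8C PACKET  000000E4A1B2C3D0 UDP Snd 172.16.0.40     0002 R Q [8085 A DR  NOERROR] A      (8)lon-svr1(6)adatum(3)com(0)',
  '8/21/2019 10:15:31 AM 0C8C PACKET  000000E4A1B2C3E8 UDP Rcv 172.16.0.40     0003   Q [0001   D   NOERROR] MX     (6)adatum(3)com(0)',
  '8/21/2019 10:15:32 AM 0C8C PACKET  000000E4A1B2C4A0 TCP Rcv 172.16.0.250    0004   U [2800       NOERROR] SOA    (6)adatum(3)com(0)',
  '8/21/2019 10:15:33 AM 0C8C PACKET  000000E4A1B2C4B8 UDP Rcv 172.16.0.99     0005   Q [0001   D   NOERROR] SRV    (15)_sipinternaltls(4)_tcp(6)adatum(3)com(0)'
)
Get-DnsDebugLogSummary -Lines $sample | Format-List
```

For a live log, replace `$sample` with `Get-Content "$env:SystemRoot\System32\Dns\dns.log"` after a capture window and call Disable-DnsDebugLog once the file has been collected.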
Lab: Configuring and Troubleshooting DNS
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT
office and a data center are located in London to support the head office and other locations. A. Datum
has recently deployed a Windows Server 2012 server and client infrastructure.
You have been asked to add several new resource records to the DNS service installed on LON-DC1.
Records include a new MX record for Exchange Server 2010 and an SRV record for a Microsoft Lync®
deployment that is occurring.
A. Datum is working with a partner organization, Contoso, Ltd. You have been asked to configure internal
name resolution between the two organizations. A small branch office has reported that name resolution
performance is poor. The branch office contains a Windows Server 2012 server that performs several roles.
However, there is no plan to implement an additional domain controller. You have been asked to install
the DNS server role at the branch office and create a secondary zone of Adatum.com. To maintain
security, you have been instructed to configure the branch office server to be on the Notify list for
Adatum.com zone transfers. You also should update all branch office clients to use the new name server
in the branch office.
You should configure the new DNS server role to perform standard aging and scavenging, as necessary
and as specified by corporate policy. After implementing the new server, you need to test and verify the
configuration by using standard DNS troubleshooting tools.
Objectives
After completing this lab, you will be able to:
• Configure DNS resource records.
• Configure DNS conditional forwarding.
• Install and configure DNS zones.
• Troubleshoot DNS.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20411B-LON-SVR1 and 20411B-LON-CL1.
Exercise 1: Configuring DNS Resource Records
Scenario
You have been asked to add several new resource records to the DNS service installed on LON-DC1.
Records include a new MX record for Exchange Server 2010, and an SRV record required for a Lync
deployment that is taking place currently. You have also been asked to configure a reverse lookup zone
for the domain.
The main tasks for this exercise are as follows:
1. Add the required MX record.
2. Add the required Lync server records.
3. Create the reverse lookup zone.
Task 1: Add the required MX record
1. Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Open the DNS Manager console.
3. Create a new host record with the following properties:
o Zone: Adatum.com
o Name: Mail1
o IP address: 172.16.0.250
4. In the Adatum.com zone, add a new record with the following information:
o Type: New Mail Exchanger (MX)
o Fully qualified domain name (FQDN) of mail server: Mail1.Adatum.com.
Task 2: Add the required Lync server records
1. Create a new host record with the following properties:
o Zone: Adatum.com
o Name: Lync-svr1
o IP address: 172.16.0.251
2. In the Adatum.com zone, add a new record:
o Type: Service Location (SRV)
o Service: _sipinternaltls
o Protocol: _tcp
o Port Number: 5061
o Host offering this service: Lync-svr1.adatum.com.
Task 3: Create the reverse lookup zone
• Create a new reverse lookup zone with the following properties:
o Zone Type: Primary zone
o Active Directory Zone Replication Scope: Default
o Reverse Lookup Zone Name: IPv4 Reverse Lookup Zone
o Reverse Lookup Zone Name: 172.16.0
o Dynamic Update: Default
Results: After this exercise, you should have configured the required messaging service records and the
reverse lookup zone successfully.
Exercise 2: Configuring DNS Conditional Forwarding
Scenario
You have been asked to configure internal name resolution between A. Datum Corporation and its
partner organization, Contoso Ltd.
The main task for this exercise is to add the conditional forwarding record for contoso.com.
Task 1: Add the conditional forwarding record for contoso.com
• From the Conditional Forwarders node, configure conditional forwarding for Contoso.com:
a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
b. Click in the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then
press Enter. Validation will fail since the server cannot be contacted.
c. Enable Store this conditional forwarder in Active Directory, and replicate it as follows.
Results: After this exercise, you should have successfully configured conditional forwarding.
Exercise 3: Installing and Configuring DNS Zones
Scenario
A small branch office has reported that name resolution performance is poor. The branch office contains
a Windows Server 2012 Server that performs several roles. However, there is no plan to implement an
additional domain controller. You have been asked to install the DNS server role at the branch office,
and then create a secondary zone of Adatum.com. To maintain security, you also have been instructed to
configure the branch office server to be on the Notify list for Adatum.com zone transfers. You also should
update all branch office clients to use the new name server in the branch office, and then configure the
new DNS server role to perform standard aging and scavenging, as needed and specified by corporate
policy.
The main tasks for this exercise are as follows:
1. Install the DNS server role on LON-SVR1.
2. Create the required secondary zones on LON-SVR1.
3. Enable and configure zone transfers.
4. Configure TTL, aging, and scavenging.
5. Configure clients to use the new name server.
Task 1: Install the DNS server role on LON-SVR1
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Use Server Manager to install the DNS Server role.
Task 2: Create the required secondary zones on LON-SVR1
1. Open a command prompt.
2. Type the following command to create the required secondary zone:
Dnscmd.exe /zoneadd Adatum.com /secondary 172.16.0.10
3. Open DNS Manager, and then verify the presence of the new secondary forward lookup zone
Adatum.com.
Task 3: Enable and configure zone transfers
1. Switch to LON-DC1.
2. Open a command prompt, and then run the following command to configure zone transfers for the
Adatum.com zone:
Dnscmd.exe /zoneresetsecondaries Adatum.com /notifylist 172.16.0.21
3. In DNS Manager, verify the changes to the Zone Transfers settings:
a. In the navigation pane, click Adatum.com, and then on the toolbar, click Refresh.
b. Right-click Adatum.com, and then click Properties.
c. In the Adatum.com Properties dialog box, click the Zone Transfers tab.
d. Click Notify, and verify that the server 172.16.0.21 is listed. Click Cancel.
e. Close the Adatum.com Properties dialog box.
Task 4: Configure TTL, aging, and scavenging
1. On LON-DC1, open the Adatum.com zone properties.
2. On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.
3. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure
aging and scavenging options.
4. Enable Scavenge stale resource records, and then use the default values.
Task 5: Configure clients to use the new name server
1. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
2. Use Network and Sharing Center to view the properties of Local Area Connection.
3. Reconfigure Internet Protocol Version 4 (TCP/IPv4) as follows:
o Modify the Preferred DNS server: 172.16.0.21.
Results: After this exercise, you should have successfully installed and configured DNS on LON-SVR1.
Exercise 4: Troubleshooting DNS
Scenario
After implementing the new server, you need to test and verify the configuration by using standard DNS
troubleshooting tools.
The main tasks for this exercise are as follows:
1. Test simple and recursive queries.
2. Verify start-of-authority (SOA) resource records with Windows PowerShell.
Task 1: Test simple and recursive queries
1. On LON-DC1, in DNS Manager, open the LON-DC1 properties.
2. On the Monitoring tab, perform a simple query against the DNS server. This is successful.
3. Perform simple and recursive queries against this and other DNS servers. The recursive test fails
because there are no forwarders configured.
4. Stop the DNS service, and then repeat the previous tests. They fail because no DNS server is available.
5. Restart the DNS service, and then repeat the tests. The simple test is successful.
6. Close the LON-DC1 Properties dialog box.
Task 2: Verify start-of-authority (SOA) resource records with Windows PowerShell
1. Open Windows PowerShell on LON-DC1.
2. Type the following command, and then press Enter:
Resolve-DnsName -Name Adatum.com -Type SOA
3. View the results, and then close the Windows PowerShell prompt.
Results: After this exercise, you should have successfully tested and verified DNS.
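A scripted check of what Exercises 1 and 3 configured, as an added example that is not part of the lab: it queries both servers with Resolve-DnsName (the alternative to Nslookup noted in the tools list) for the MX, SRV and SOA records and reads the zone-transfer settings with the DnsServer module. It uses the lab's addresses, 172.16.0.10 for LON-DC1 (primary) and 172.16.0.21 for LON-SVR1 (secondary), and is meant to be run on LON-DC1; the PTR lookup is informational, since the lab creates the host record before the reverse lookup zone exists.

```powershell
# Added example, not part of the lab. Assumes the DnsClient and DnsServer modules on LON-DC1.

function Test-LabDnsRecords {
    param([string] $Server = '172.16.0.10', [string] $Zone = 'Adatum.com')

    # Filter on Type: an MX or SRV answer may carry additional A records as well.
    $mx  = Resolve-DnsName -Name $Zone -Type MX -Server $Server -ErrorAction Stop |
           Where-Object Type -eq 'MX'
    $srv = Resolve-DnsName -Name "_sipinternaltls._tcp.$Zone" -Type SRV -Server $Server -ErrorAction Stop |
           Where-Object Type -eq 'SRV'
    # PTR for Mail1: empty unless a PTR was created after the reverse lookup zone was added
    # (Task 1 created the host record before the zone from Task 3 existed).
    $ptr = Resolve-DnsName -Name '172.16.0.250' -Type PTR -Server $Server -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'PTR'

    [pscustomobject]@{
        MxTarget  = $mx.NameExchange
        SrvTarget = $srv.NameTarget
        SrvPort   = $srv.Port
        PtrName   = $ptr.NameHost
        # Expected values from Exercise 1
        MxOk      = ($mx.NameExchange -ieq 'Mail1.Adatum.com')
        SrvOk     = ($srv.NameTarget -ieq 'Lync-svr1.adatum.com') -and ($srv.Port -eq 5061)
    }
}

function Test-LabZoneTransfer {
    param(
        [string] $Primary     = '172.16.0.10',
        [string] $Secondary   = '172.16.0.21',
        [string] $PrimaryName = 'LON-DC1',
        [string] $Zone        = 'Adatum.com'
    )

    # Once the transfer has completed, the SOA serial on the secondary matches the primary.
    $soaP = Resolve-DnsName -Name $Zone -Type SOA -Server $Primary   -ErrorAction Stop | Where-Object Type -eq 'SOA'
    $soaS = Resolve-DnsName -Name $Zone -Type SOA -Server $Secondary -ErrorAction Stop | Where-Object Type -eq 'SOA'

    # Zone transfer settings on the primary (what dnscmd /zoneresetsecondaries changed).
    $zone = Get-DnsServerZone -Name $Zone -ComputerName $PrimaryName

    [pscustomobject]@{
        PrimarySerial     = $soaP.SerialNumber
        SecondarySerial   = $soaS.SerialNumber
        InSync            = ($soaP.SerialNumber -eq $soaS.SerialNumber)
        NotifyServers     = $zone.NotifyServers
        # The notify list only triggers transfers; these two settings decide which hosts may
        # pull the zone at all, so check them whenever zone transfers are enabled.
        SecureSecondaries = $zone.SecureSecondaries
        SecondaryServers  = $zone.SecondaryServers
    }
}

Test-LabDnsRecords
Test-LabZoneTransfer
```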
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-SVR1 and 20411B-LON-CL1.
Module Review and Takeaways
Review Questions
Question: You are deploying DNS servers into an Active Directory domain, and your
customer requires that the infrastructure is resistant to single points of failure. What must
you consider while planning the DNS configuration?
Question: What is the difference between recursive and iterative queries?
Question: What must you configure before a DNS zone can be transferred to a secondary
DNS server?
Question: You are the administrator of a Windows Server 2012 DNS environment. Your
company recently acquired another company. You want to replicate their primary DNS zone.
The acquired company is using Bind 4.9.4 to host their primary DNS zones. You notice a
significant amount of traffic between the Windows Server 2012 DNS server and the Bind
server. What is one possible reason for this?
Question: You must automate a DNS server configuration process so that you can automate
the deployment of Windows Server 2012. What DNS tool can you use to do this?
Tools
Tool           Use for                                                                          Where to find it
Dnscmd.exe     Configure DNS server role                                                        Command-line
Dnslint.exe    Test DNS server                                                                  Download from the Microsoft website and then use from the command-line
Nslookup.exe   Test DNS name resolution                                                         Command-line
Ping.exe       Simple test of DNS name resolution                                               Command-line
Ipconfig.exe   Verify and test IP functionality and view or clear the DNS client resolver cache   Command-line
Module 3
Maintaining Active Directory Domain Services
Contents:
Module Overview 3-1
Lesson 1: Overview of AD DS 3-2
Lesson 2: Implementing Virtualized Domain Controllers 3-7
Lesson 3: Implementing Read-Only Domain Controllers 3-11
Lesson 4: Administering AD DS 3-15
Lesson 5: Managing the AD DS Database 3-23
Lab: Maintaining AD DS 3-32
Module Review and Takeaways 3-38
Module Overview
Active Directory® Domain Services (AD DS) is the most critical component in a Windows Server® 2012
domain-based network. AD DS contains important information about authentication, authorization, and
resources in your environment. This module focuses on explaining why you implement specific AD DS
features, how important components integrate with each other, and how you can ensure that your
domain-based network functions properly.
You will learn about new features, such as virtualized domain controller cloning, recent features like
read-only domain controllers (RODCs), and a host of other features and tools that you can use in the AD DS
environment.
Objectives
After completing this module, you will be able to:
• Explain the general structure of AD DS.
• Implement virtualized domain controllers.
• Implement RODCs.
• Administer AD DS.
• Manage the AD DS database.
Lesson 1
Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services, and resources.
AD DS domain controllers also host the service that authenticates user and computer accounts when
they sign in to the domain. AD DS stores information about all of the domain's objects, and all users and
computers must connect to AD DS domain controllers when signing into the network. Therefore, AD DS
is the primary means by which you can configure and manage user and computer accounts on your
network.
This lesson covers the core logical components of an AD DS deployment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe AD DS components.
• Explain AD DS forest and schema structure.
• Explain AD DS domain structure.
Overview of AD DS Components
AD DS is composed of both physical and logical
components. You need to understand the way the
components of AD DS work together so that you
can maintain your AD DS environment effectively.
Physical Components
AD DS information is stored in a single file on
each domain controller’s hard disk. The following
table lists some physical components and their
storage locations.
Domain controllers: Contain copies of the AD DS database.
Data store: The file on each domain controller that stores the AD DS information.
Global catalog servers: Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
Read-only domain controllers (RODC): A special AD DS install in read-only format. You typically use these in branch offices where security and IT support may be less advanced than in an enterprise's main corporate centers.
Logical Components
AD DS logical components are structures that you use to implement an Active Directory design that is
appropriate for an organization. The following table describes some of the types of logical structures that
an Active Directory database might contain.
Partition: A section of the AD DS database. Although the database actually is just one file named NTDS.DIT, users view, manage, and replicate it as if it consists of distinct sections or instances. These are partitions, or naming contexts.
Schema: Defines the list of object types and attributes that all AD DS objects can have.
Domain: A logical, administrative boundary for users and computers.
Domain tree: A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.
Forest: A collection of domains that share a common AD DS.
Site: A collection of users, groups, and computers, which are defined by their physical locations. Sites are useful in planning administrative tasks such as replication of changes to the AD DS database.
OU: Organizational units (OUs) are containers in AD DS that provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).
Understanding AD DS Forest and Schema Structure
In AD DS, the forest and schema structure are important for defining the functionality and
scope of your environment.
AD DS Forest Structure
A forest is a collection of one or more domain
trees. A tree is a collection of one or more
domains. The first domain that is created in the
forest is called the forest root domain. The forest
root domain contains a few objects that do not
exist in other domains in the forest. For example,
the forest root domain contains two special roles,
the schema master and the domain naming
master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest
root domain. The Enterprise Admins group has full control over every domain within the forest.
The AD DS forest is a security boundary. This means that, by default, no users from outside the forest can
access any resources inside the forest. It also means that administrators from outside the forest have no
administrative access within the forest. One of the primary reasons why organizations deploy multiple
forests is because they need to isolate administrative permissions between different parts of the
organization.
The AD DS forest is also the replication boundary for the configuration and schema partitions in the
AD DS database. This means that all domain controllers in the forest must share the same schema. A
second reason why organizations deploy multiple forests is because they must deploy incompatible
schemas in two parts of the organization.
The AD DS forest is also the replication boundary for the global catalog. This makes most forms of
collaboration between users in different domains easier. For example, all Microsoft® Exchange Server 2010
recipients are listed in the global catalog, making it easy to send mail to any of the users in the forest,
even those users in different domains.
By default, all the domains in a forest automatically trust the other domains in the forest. This makes it
easy to enable access to resources such as file shares and websites for all users in a forest, regardless of
the domain in which the user account is located.
AD DS Schema Structure
The AD DS schema is the AD DS component that defines all object types and attributes that AD DS uses to
store data. It is sometimes referred to as the blueprint for AD DS.
AD DS stores and retrieves information from a wide variety of applications and services. AD DS
standardizes how data is stored so that it can store and replicate data from these various sources. By
standardizing how data is stored, AD DS can retrieve, update, and replicate data, while ensuring that the
integrity of the data is maintained.
AD DS uses objects as units of storage. All object types are defined in the schema. Each time that the
directory handles data, the directory queries the schema for an appropriate object definition. Based on
the object definition in the schema, the directory creates the object and stores the data.
Object definitions control both the types of data that the objects can store, and the syntax of the data.
Using this information, the schema ensures that all objects conform to their standard definitions. As a
result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that
is the original source of the data. Only data that has an existing object definition in the schema can be
stored in the directory. If a new type of data needs to be stored, a new object definition for the data must
first be created in the schema.
In AD DS, the schema defines the following:
• Objects that are used to store data in the directory
• Rules that define what types of objects you can create, what attributes must be defined (mandatory)
when you create the object, and what attributes are optional
• Structure and content of the directory itself
You can use an account that is a member of the Schema Admins group to modify the schema
components graphically. Examples of objects that are defined in the schema include user,
computer, group, and site. Among the many attributes are location, accountExpires, buildingName,
company, manager, and displayName.
The schema master is one of the single master operations domain controllers in AD DS. Because it is a
single master, you must make changes to the schema by targeting the domain controller that holds the
schema master operations role.
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest from the schema operations master role
holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should be made only when necessary.
Before making any changes, you should review the changes through a tightly-controlled process, and
then implement them only after you have performed testing to ensure that the changes will not adversely
affect the rest of the forest and any applications that use AD DS.
Although you might not make any change to the schema directly, some applications make changes to
the schema to support additional features. For example, when you install Exchange Server 2010 into your
AD DS forest, the installation program extends the schema to support new object types and attributes.
Understanding AD DS Domain Structure
An AD DS domain is a logical grouping of user,
computer, and group objects for the purpose of
management and security. All of these objects are
stored in the AD DS database, and a copy of this
database is stored on every domain controller in
the AD DS domain.
There are several types of objects that can be
stored in the AD DS database, including user
accounts. User accounts provide a mechanism
that you can use to authenticate and then
authorize users to access resources on the
network. Each domain-joined computer must
have an account in AD DS. This enables domain administrators to use policies that are defined in the
domain to manage the computers. The domain also stores groups, which are the mechanism for grouping
together objects for administrative or security reasons; for instance, user accounts and computer accounts.
The AD DS domain is also a replication boundary. When changes are made to any object in the domain,
that change is replicated automatically to all other domain controllers in the domain.
An AD DS domain is an administrative center. It contains an Administrator account and a Domain
Admins group, which both have full control over every object in the domain. Unless they are in the forest
root domain, however, their range of control is limited to the domain. Password and account rules are
managed at the domain level by default. The AD DS domain also provides an authentication center. All
user accounts and computer accounts in the domain are stored in the domain database, and users and
computers must connect to a domain controller to authenticate.
A single domain can contain more than 1 million objects, so most organizations need to deploy only a
single domain. Organizations that have decentralized administrative structures, or that are distributed
across multiple locations, might instead implement multiple domains in the same forest.
Domain Controllers
A domain controller is a server that you can configure to store a copy of the AD DS directory database
(NTDS.DIT) and a copy of the System Volume (SYSVOL) folder. All domain controllers except RODCs store
a read/write copy of both NTDS.DIT and the SYSVOL folder. NTDS.DIT is the database itself, and the
SYSVOL folder contains all the template settings for GPOs.
Changes to the AD DS database can be initiated on any domain controller in a domain except for RODCs.
The AD DS replication service then synchronizes the changes and updates to the AD DS database to all
other domain controllers in the domain. Additionally, either the file replication service (FRS), or the newer
Distributed File System Replication (DFS-R), replicates the SYSVOL folders.
An AD DS domain should always have a minimum of two domain controllers. This way, if one of the
domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When
you decide to add more than two domain controllers, consider the size of your organization and the
performance requirements.
Organizational Units
An OU is a container object within a domain that you can use to consolidate users, groups, computers,
and other objects. There are two reasons to create OUs:
• To configure objects contained within the OU. You can assign GPOs to the OU, and the settings apply
to all objects within the OU. GPOs are policies that administrators create to manage and configure
computer and user accounts. The most common way to deploy these policies is to link them to OUs.
• To delegate administrative control of objects within the OU. You can assign management permissions
on an OU, thereby delegating control of that OU to a user or group within AD DS other than the
administrator.
You can use OUs to represent the hierarchical, logical structures within your organization. For example,
you can create OUs that represent the departments within your organization, the geographic regions
within your organization, or a combination of both departmental and geographic regions. You can use
OUs to manage the configuration and use of user, group, and computer accounts based on your
organizational model.
Every AD DS domain contains a standard set of containers and OUs that are created when you install
AD DS, including the following:
• Domain container. Serves as the root container to the hierarchy.
• Users container. The default location for new user accounts and groups that you create in the
domain. The Users container also holds the Administrator and Guest accounts for the domain, and
some default groups.
• Computers container. The default location for new computer accounts that you create in the domain.
• Domain Controllers OU. The default location for domain controller computer accounts. This is the
only OU that is present in a new installation of AD DS.
Note: None of the default containers in the AD DS domain can have GPOs linked to them,
except for the default Domain Controllers OU and the domain itself. All the other containers are
just folders. To link GPOs to apply configurations and restrictions, create a hierarchy of OUs, and
then link GPOs to them.
Lesson 2
Implementing Virtualized Domain Controllers
Virtualization is a common practice in IT departments. The consolidation and performance benefits that
virtualization provides are great assets to any organization. Windows Server 2012 AD DS and domain
controllers are now more aware of virtualization. In this lesson, you will learn the considerations for
implementing virtualized domain controllers in Windows Server 2012, and how you can deploy and
manage these domain controllers in the AD DS environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify considerations for implementing cloned virtualized domain controllers.
• Explain how to deploy a cloned virtualized domain controller.
• Describe how to manage virtualized domain controller snapshots.
Understanding Cloned Virtualized Domain Controllers
Windows Server 2012 introduces virtualized
domain-controller cloning. In previous Windows
Server versions, domain controllers that were
running within a virtual machine were unaware of
their virtual state. This made performing processes
like cloning and restoring virtual machine
snapshots potentially dangerous, because changes
could occur to the operating-system environment
that the domain controller did not expect. For
example, two domain controllers cannot coexist in the same forest with the same name, invocation
ID, and directory system agent (DSA) globally
unique identifier (GUID). In Windows versions prior to Windows Server 2012, you created
virtualized domain controllers by deploying a Sysprepped base server image, and then promoting it
manually to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to
AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs provide two significant benefits:
• You can clone domain controllers safely to deploy additional capacity and save configuration time.
• Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.
Cloning VDCs in Windows Server 2012
In Windows Server 2012, cloning virtual machines that act as domain controllers provides the ability
to deploy domain controllers rapidly in your environment. For example, you may need to increase your
environment’s domain controllers to support increased AD DS usage. You can deploy additional domain
controllers quickly with the following process:
1. Run the cloning operation on an existing VDC.
2. Shut down the existing VDC, and then use Hyper-V to export the virtual machine files.
3. Start the existing VDC (if it’s intended to continue in production usage).
4. Use Hyper-V to import the virtual machine files as a new virtual machine, and then start the virtual
machine, which now contains the new domain controller.
Virtual domain controller cloning provides the following benefits in Windows Server 2012:
• Rapid domain-controller deployment in a new forest or domain.
• Scalable provisioning of domain controllers to handle increased load.
• Quick replacement or recovery of domain controllers for business continuity.
• Fast provisioning of test environments.
Safe Cloning
Domain controllers have unique characteristics that make unmanaged cloning detrimental to the AD DS
database-replication process. Domain controllers that are simply cloned end up with the same name,
which is unsupported within the same domain or forest. In previous Windows Server versions, you had
to prepare a domain controller for cloning by using sysprep. After the cloning process, you then had to
promote the new server to a domain controller manually.
With Safe Cloning in Windows Server 2012, a cloned domain controller automatically runs a subset of the
sysprep process, and promotes with the existing local AD DS data as installation media.
Safe Backup and Restore
Rolling back to a previous snapshot of a VDC is problematic because AD DS uses multimaster replication
that relies on transactions being assigned numeric values called Update Sequence Numbers (USNs). The
VDC tries to assign USNs to prior transactions that have already been assigned to valid transactions. This
causes inconsistencies in the AD DS database. Windows Server 2003 and newer implement a process that
is known as USN rollback protection. When it triggers, the VDC stops replicating, and you must demote
it forcibly or restore it manually.
Windows Server 2012 now detects the snapshot state of a domain controller, and synchronizes or
replicates the delta of changes, between a domain controller and its partners for AD DS and the SYSVOL.
You now can use snapshots without risk of permanently disabling domain controllers and requiring
manually forced demotion, metadata cleanup, and repromotion.
Deploying a Cloned Virtualized Domain Controller
When deploying a VDC, consider the following
regarding installation:
• All Windows Server 2012 computers support
VDC cloning automatically.
• The following requirements must be met to
support VDC cloning:
o The primary domain controller (PDC) Emulator FSMO role must be located on a Windows Server 2012
domain controller.
o The domain controller hosting the PDC Emulator flexible single master operations (FSMO) role
must be available during cloning operations.
• The following requirements must be met to support both VDC cloning and safe restore:
o Guest virtual machines must be running Windows Server 2012.
o The virtualization host platform must support VM Generation ID (VM GENID). This includes
Windows Server 2012 Hyper-V®.
Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following steps:
1. Create a DcCloneConfig.xml file that contains the unique server configuration.
2. Copy this file into the location of the AD DS database on the source domain controller
(C:\Windows\NTDS by default). This file can also be stored on removable media, if required.
3. Take the source VDC offline and export or copy it.
4. Create a new virtual machine by importing the exported one. This virtual machine is promoted
automatically as a unique domain controller.
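The clone procedure above, driven from the Hyper-V host with the ActiveDirectory and Hyper-V modules. This is an added example, not code from the course; server names, IP addresses, site name and paths are placeholders, and it goes slightly beyond the text by also checking the PDC Emulator requirement and the default Cloneable Domain Controllers group membership that cloning needs.

```powershell
# Added example (not from the course): prepare and perform a VDC clone from the Hyper-V host.
# All names, addresses and paths are placeholders for the reader's own environment.
Import-Module ActiveDirectory
Import-Module Hyper-V

$sourceDc    = 'LON-DC1'          # placeholder: existing virtualized DC (assumed to equal its VM name)
$cloneName   = 'LON-DC3'          # placeholder: name the clone takes when it promotes itself
$exportPath  = 'E:\VDCExport'     # placeholder: export folder on the Hyper-V host
$cloneVmPath = 'E:\VMs\LON-DC3'   # placeholder: where the imported copy will live

# Requirement from the text: the PDC Emulator must be a Windows Server 2012 domain controller.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike '*2012*') {
    throw "PDC Emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs Windows Server 2012."
}

# The source DC must belong to the Cloneable Domain Controllers group (a default group in
# Windows Server 2012 domains) before the clone is allowed to promote.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $sourceDc)

# Installed software that is not yet on the cloning allow list must be reviewed first; a clone that
# carries such software is refused. Get-ADDCCloningExcludedApplicationList -GenerateXml writes the
# allow-list file once the items have been judged safe to clone.
$excluded = Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    Import-Module ActiveDirectory
    Get-ADDCCloningExcludedApplicationList
}
if ($excluded) {
    throw "Review these applications on $sourceDc before cloning:`n$($excluded | Out-String)"
}

# Step 1: write DcCloneConfig.xml with the clone's unique settings. Without -Path the file is
# created in the NTDS folder (C:\Windows\NTDS by default), so step 2 of the text is covered too.
Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    New-ADDCCloneConfigFile -CloneComputerName $name -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '172.16.0.30' -IPv4SubnetMask '255.255.0.0' `
        -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'   # DNS must be another DC
} -ArgumentList $cloneName

# Steps 3 and 4: export the powered-off source VM, bring it back into service, then import the
# copy as a new VM. -Copy and -GenerateNewId keep the original VM and its files untouched.
Stop-VM -Name $sourceDc
Export-VM -Name $sourceDc -Path $exportPath
Start-VM -Name $sourceDc

$config = Get-ChildItem -Path "$exportPath\$sourceDc\Virtual Machines" -Filter *.xml |
    Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath $cloneVmPath -VhdDestinationPath "$cloneVmPath\Virtual Hard Disks"
Rename-VM -VM $clone -NewName $cloneName
# On first boot the new VM detects the changed VM Generation ID, reads DcCloneConfig.xml and
# promotes itself as $cloneName using its local AD DS data as installation media.
Start-VM -VM $clone
```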
Managing Virtualized Domain Controllers
The Windows Server 2012 safe restore capability
enables VDCs that are running Windows Server
2012 to participate gracefully in the AD DS
replication topology, after you apply a snapshot
within Hyper-V to the virtual machine that is
hosting the domain controller.
Taking and applying snapshots for a VDC in Hyper-V requires specific considerations and
steps.
Validating AD DS Replication
When a virtual machine snapshot is applied to a
VDC, the safe restore process initiates, inbound replication for the changes in AD DS between the virtual
domain controller and the rest of the AD DS environment. The relative identifier (RID) pool is released,
and a new one is requested, to prevent duplicated SIDs in AD DS. It also initiates a nonauthoritative
replication of the SYSVOL folder. This process ensures that the new applied snapshot version of the virtual
domain controller is aware of all AD DS objects, fully up-to-date, and is fully functional.
To ensure that this process can complete successfully, the following elements of AD DS replication must
be considered:
• A virtual domain controller recovered from a Hyper-V snapshot must be able to contact a writable
domain controller.
• You must not restore all domain controllers in a domain simultaneously. If all domain controllers are
restored simultaneously, SYSVOL replication will halt, and all partners in synchronization will be
considered nonauthoritative. This is an important consideration for full environment rollback
situations that may occur frequently in a test environment.
• Changes originated on a restored virtual domain controller that have not replicated since the
snapshot was taken are lost. Because of this, you must ensure that all outgoing replication on a
domain controller has been completed before taking a snapshot of the virtual machine.
Using Windows PowerShell for Hyper-V Snapshot Management
You can use the following Windows PowerShell® cmdlets to perform snapshot management in Windows
Server 2012:
• Checkpoint-VM
• Export-VMSnapshot
• Get-VMSnapshot
• Remove-VMSnapshot
• Rename-VMSnapshot
• Restore-VMSnapshot
Considerations for Managing Virtual Domain Controller Snapshots
Consider the following when managing virtual domain controller snapshots in Windows Server 2012:
• Do not use snapshots to replace regular system state backups. In a frequently changing AD DS
environment, snapshots do not always contain the full contents of AD DS objects, due to replication
changes.
• Do not restore a snapshot of a domain controller that was taken before it was promoted. Doing so
will require that you repromote the server manually after the snapshot is applied and the metadata
cleanup occurs.
• Do not host all virtual domain controllers on the same hypervisor or server. This introduces a single
point of failure into the AD DS infrastructure, and circumvents many of the benefits that virtualizing
your domain-controller infrastructure provides.
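The replication considerations and the snapshot-management considerations above, enforced around the Hyper-V snapshot cmdlets listed earlier. This is an added example, not code from the course; the function names are invented, VM names are assumed to equal domain controller host names, and the script is assumed to run on the Hyper-V host with the ActiveDirectory module installed.

```powershell
# Added example (not from the course): guard rails around Checkpoint-VM and Restore-VMSnapshot
# for virtualized domain controllers. Assumes VM name == DC host name (placeholder convention).
Import-Module ActiveDirectory
Import-Module Hyper-V

function Checkpoint-VdcSafely {
    param([string]$DcName, [string]$SnapshotName)
    # Changes that have not replicated outbound when the snapshot is taken are lost on restore,
    # so push this DC's pending changes to its partners first (/A all partitions, /P push, /e cross-site).
    & repadmin.exe /syncall $DcName /APe | Out-Null
    $failures = Get-ADReplicationFailure -Target $DcName
    if ($failures) {
        throw "Replication failures on $DcName; resolve them before snapshotting:`n$($failures | Out-String)"
    }
    Checkpoint-VM -Name $DcName -SnapshotName $SnapshotName
}

function Restore-VdcSafely {
    param([string]$DcName, [string]$SnapshotName)
    # Safe restore needs a writable partner to replicate from, and rolling back every DC at once
    # halts SYSVOL replication, so refuse unless another writable DC exists and answers.
    $others = Get-ADDomainController -Filter * |
        Where-Object { $_.Name -ne $DcName -and -not $_.IsReadOnly }
    if (-not $others) { throw "No other writable DC exists; nothing for $DcName to replicate from." }
    $reachable = $others | Where-Object { Test-Connection -ComputerName $_.HostName -Count 1 -Quiet }
    if (-not $reachable) { throw "No writable DC is reachable; restoring now would strand $DcName." }

    # A snapshot taken before promotion needs manual metadata cleanup and repromotion afterwards,
    # so compare the snapshot time with the creation time of the DC's NTDS Settings object.
    $snap = Get-VMSnapshot -VMName $DcName -Name $SnapshotName
    $ntds = Get-ADObject -Identity (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN `
        -Properties whenCreated
    if ($snap.CreationTime -lt $ntds.whenCreated) {
        throw "Snapshot '$SnapshotName' predates the promotion of $DcName; do not apply it."
    }

    Restore-VMSnapshot -VMSnapshot $snap -Confirm:$false
    if ((Get-VM -Name $DcName).State -ne 'Running') { Start-VM -Name $DcName }
}

function Test-VdcReplication {
    param([string]$DcName)
    # After the VM Generation ID change is detected, safe restore runs inbound replication and a
    # nonauthoritative SYSVOL sync; confirm each inbound partner reports a recent success (result 0).
    Get-ADReplicationPartnerMetadata -Target $DcName -PartnerType Inbound |
        Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult
}

# Usage (placeholders): snapshot, later roll back, then verify replication resumed.
Checkpoint-VdcSafely -DcName 'LON-DC2' -SnapshotName 'Before-schema-change'
Restore-VdcSafely    -DcName 'LON-DC2' -SnapshotName 'Before-schema-change'
Test-VdcReplication  -DcName 'LON-DC2'
```

Snapshots still do not replace system state backups; the wrapper only makes the rollback itself safer.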
Lesson 3
Implementing Read-Only Domain Controllers
RODCs provide an alternative to a fully writable domain controller. In many scenarios, such as a remote
branch office or a location where a server cannot be placed in a secure physical environment, RODCs can
provide the functionality of a domain controller without potentially exposing your AD DS environment to
unnecessary risks. This lesson will help you to better understand the methods and best practices that you
can use to manage RODCs in the Windows Server 2012 environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain considerations for implementing RODCs.
• Describe how to manage RODC credential caching.
• Identify the important aspects of managing local administration for RODCs.
Considerations for Implementing RODCs
An RODC has a read-only copy of an Active
Directory domain, which contains all of the
domain’s objects, but not all of their attributes.
System-critical attributes, such as passwords,
do not replicate to an RODC because it is not
considered secure. You can prevent additional
attributes from being replicated to RODCs by
marking the attribute as confidential and adding
it to the Filtered Attribute Set (FAS).
Understanding RODC Functionality
You cannot make changes to the domain
database on the RODC, because the AD DS
database on the RODC does not accept modification requests from clients and applications. All requests
for changes are forwarded to a writable domain controller. Because no changes occur on the RODC,
replication of Active Directory changes is one way only from writable domain controllers to the RODC.
Credential Caching
User and computer credentials are not replicated to an RODC by default. To use an RODC to enhance user
logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can
be cached. Limiting the credentials cached on the RODC reduces the security risks. If the RODC is stolen,
only passwords for the cached user and computer accounts need to be reset.
If user and computer credentials are not replicated to an RODC, then a writable domain controller must be
contacted during the authentication process. Typically (in a branch office scenario), the credentials for
local users and computers are cached on an RODC. When RODCs are placed in a perimeter network, the
credentials for users and computers typically are not cached.
Administrative Role Separation
To manage a writable domain controller, you must be a member of the domain local Administrators
group. Any user placed in the domain local Administrators group is given permissions to manage all
domain controllers in the domain. This causes problems for remote-office administration with a writable
domain controller, because the administrator in a remote office should not be given access to the
organization’s other domain controllers.
Administrative role separation on an RODC addresses this. It gives the administrator of a remote office
permission to manage only that RODC, which may also be configured to provide other services such as
file shares and printing.
Read-Only DNS
DNS is a critical resource for a Windows network. If you configure an RODC as a DNS server, then you can
replicate DNS zones through AD DS to the RODC. DNS on the RODC is read-only. DNS update requests
are referred to a writable copy of DNS.
Deploying RODCs
To deploy an RODC, ensure that the following activities are performed:
• Ensure that the forest functional level is Windows Server 2003 or newer. That means that all domain
controllers must be Windows Server 2003 or newer, and each domain in the forest must be at the
domain functional level of Windows Server 2003 or newer.
• Run ADPrep /RODCPrep. This configures permissions on DNS application directory partitions to allow
them to replicate to RODCs. This is required only if the Active Directory forest has been upgraded.
• Ensure that there is a writable domain controller running Windows Server 2008 or newer. An RODC
replicates the domain partition only from these domain controllers. Therefore, each domain with
RODCs must have at least one Windows Server 2008 or newer domain controller. You can replicate
the Schema and Configuration partitions from Windows Server 2003.
RODC Installation
Like a writable domain controller, you can install an RODC by using an attended or an unattended
installation. If you perform an attended installation by using the graphical interface, you select the RODC
as one of the additional domain controller options.
You also can delegate the RODC installation to the administrator in the remote office by using a staged
installation. In a staged installation, you need to perform the following steps:
1. Ensure that the server to be configured as the RODC is not a member of the domain.
2. A domain administrator uses Active Directory Users and Computers to precreate the RODC account
in the Domain Controllers organizational unit (OU). The wizard for performing this process prompts
for the necessary information, including the user or group that is allowed to join the RODC to the
domain.
3. The administrator in the remote office runs the Active Directory Domain Services Installation Wizard,
and follows the wizard to join the domain as the precreated RODC account.
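The same staged installation with the ADDSDeployment module instead of the wizards. This is an added example, not code from the course; the domain, site, server and group names are placeholders, and the two halves run on different machines as the comments state.

```powershell
# Added example (not from the course): staged RODC installation with the ADDSDeployment module.
# Domain, site, server and group names are placeholders.

# ---- Step 2: run by a domain administrator on any domain-joined Windows Server 2012 machine ----
Import-Module ADDSDeployment
$account = @{
    DomainControllerAccountName       = 'LON-RODC1'               # created in the Domain Controllers OU
    DomainName                        = 'adatum.com'
    SiteName                          = 'London-Branch'
    DelegatedAdministratorAccountName = 'ADATUM\LON-RODC1-Admins' # group allowed to attach and manage the RODC
    Credential                        = (Get-Credential -Message 'Domain Admins credentials')
}
Add-ADDSReadOnlyDomainControllerAccount @account

# ---- Steps 1 and 3: run by the branch administrator on the new server itself ----
# Step 1: the server must still be a workgroup member; a domain-joined computer cannot take
# over the precreated account, and its name must match that account.
if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
    throw 'Remove this server from the domain first; staged RODC installation needs a workgroup member.'
}
if ($env:COMPUTERNAME -ne 'LON-RODC1') {
    throw "Computer name $env:COMPUTERNAME does not match the precreated RODC account LON-RODC1."
}
# Step 3: -UseExistingAccount attaches to the precreated account, so only the delegated branch
# administrator's credentials are needed, not Domain Admins.
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'adatum.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -UserName 'ADATUM\branchadmin' -Message 'Delegated RODC administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password')
```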
Managing RODC Credential Caching
RODCs provide the capability to store only a
subset of credentials for accounts in AD DS
through the implementation of credential
caching. With credential caching, a password
replication policy (PRP) determines which user
and computer credentials can be cached on a
specific RODC. If the PRP allows an RODC to cache an
account’s credentials, authentication and service
ticket activities of that account can be processed
locally by the RODC. If an account’s credentials
cannot be cached on the RODC, or they are not yet
cached on the RODC, authentication and service
ticket activities are chained by the RODC to a writable domain controller.
Password Replication Policy Components
The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific
accounts or groups. An account must be on the Allowed List for credentials to be cached. If a group is
on the Allowed List and a member of that group is on the Denied List, caching is not allowed for that
member.
There are two domain local groups that you can use to allow or deny caching globally to all RODCs in a
domain:
• Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has
no members by default.
• Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default,
Domain Admins, Enterprise Admins, and Group Policy Creator Owners are the members of this group.
You can configure the Allowed List and Denied List for each RODC. By default, the Allowed List contains only the
Allowed RODC Password Replication Group. The default membership of the Denied List includes
Administrators, Server Operators, and Account Operators.
In most cases, you will want to add accounts separately to each RODC, or add global groups
containing accounts rather than globally allowing password caching. This allows you to limit the number
of credentials cached to only those accounts commonly at that location. Domain administrative accounts
should not be cached on RODCs in remote offices. You should cache computer accounts to speed up
authentication of computer accounts during system startup. Additionally, you should cache service
accounts for services that are running at the remote office.
Best Practices for Credential Caching
The following best practices should be observed to ensure the most effective use of cached credentials:
• Create separate AD DS global groups for each RODC.
• Do not cache passwords for domain-wide administrative accounts.
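The per-RODC group recommended above, placed on one RODC's Allowed List, followed by a check of which credentials the RODC has actually cached. This is an added example, not code from the course; the RODC, OU and group names are placeholders.

```powershell
# Added example (not from the course): manage and audit the Password Replication Policy of one RODC.
# RODC, OU and group names are placeholders.
Import-Module ActiveDirectory
$rodc       = 'LON-RODC1'
$cacheGroup = 'LON-RODC1-CachedAccounts'                     # one global group per RODC
$branchOu   = 'OU=London,OU=Branches,DC=adatum,DC=com'       # accounts that live at that location

# Create the group and fill it with the branch's users and computers. Cached computer accounts
# speed up startup authentication; service accounts used in the branch are added the same way.
if (-not (Get-ADGroup -Filter "Name -eq '$cacheGroup'")) {
    New-ADGroup -Name $cacheGroup -GroupScope Global -GroupCategory Security -Path $branchOu
}
$members = @(Get-ADUser -Filter * -SearchBase $branchOu) + @(Get-ADComputer -Filter * -SearchBase $branchOu)
Add-ADGroupMember -Identity $cacheGroup -Members $members

# Put the group on this RODC's Allowed List only. The Denied List is left as shipped; an account
# that is on both lists is still not cached, so domain admins stay protected even if a member of
# Domain Admins happens to sit in the branch OU.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $cacheGroup
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Revealed accounts are the credentials physically stored on the RODC. If the RODC is stolen, these
# are exactly the passwords that must be reset, so review the list and flag any domain-wide admin.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$admins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$leaked = $revealed | Where-Object { $admins -contains $_.SamAccountName }
if ($leaked) {
    Write-Warning "Privileged credentials cached on ${rodc}: $($leaked.SamAccountName -join ', ')"
} else {
    "$rodc holds $($revealed.Count) cached credentials; none belong to Domain Admins."
}
```

Running the revealed-accounts query periodically is also how you find out which passwords to reset when an RODC goes missing.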
Managing Local Administration for RODCs
The management of RODCs is separated from
other domain controllers. Therefore, you can
delegate administration of RODCs to local
administrators in remote offices, without giving
those administrators access to writable domain
controllers.
You can delegate administration of an RODC in
the properties of the RODC computer account
on the Managed By tab. You should follow this
method to delegate the administration of an
RODC because you can manage it centrally
and easily.
You can specify only a single security principal on the Managed By tab of an RODC computer account.
Specify a group so that you can delegate management permissions to multiple users by making them
members of the group.
You also can delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles
option, as the following example shows:
C:\>dsmgmt
Dsmgmt: local roles
local roles: add Adatum\Research
You should cache the password for delegated administrators to ensure that you can perform system
maintenance when a writable domain controller is unavailable.
Note: You should never access the RODC with an account that has permissions similar
to Domain Admins. RODC computers are considered compromised by default, so you should
assume that by logging in to the RODC you are giving up domain admin credentials. Thus,
domain administrators should have a separate server admin type account that is delegated
management access to the RODC.
Lesson 4
Administering AD DS
AD DS management happens in many different forms. The AD DS environment contains a large number
of management tools that enable you to monitor and modify AD DS, to ensure that your organization’s
domain infrastructure is serving its purpose and functioning properly. Windows Server 2012 includes a
broader set of tools for working within AD DS than previous Windows versions included. Improvements to
the Active Directory Administrative Center and the addition of several cmdlets to the Active Directory
module for Windows PowerShell enable even greater control over your AD DS domain.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Active Directory administrative snap-ins.
• Describe the Active Directory Administrative Center.
• Explain how to manage AD DS by using management tools.
• Describe the Active Directory module for Windows PowerShell.
• Explain how to manage operations master roles.
• Explain how to manage AD DS backup and recovery.
Overview of the Active Directory Administration Snap-ins
You typically will perform most Active Directory
administration by using the following snap-ins
and consoles:
• Active Directory Users and Computers. This snap-in manages most common day-to-day
resources, including users, groups, and computers. This is likely to be the most
heavily used snap-in for an Active Directory administrator.
• Active Directory Sites and Services. This
manages replication, network topology, and
related services.
• Active Directory Domains and Trusts. This configures and maintains trust relationships and the
domain and forest functional level.
• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory
attributes and object classes. The schema is the blueprint for Active Directory, and you typically do not
view or change it very often. Therefore, the Active Directory Schema snap-in is not fully installed, by
default.
Overview of the Active Directory Administrative Center
Windows Server 2012 provides another option for
managing AD DS objects. The Active Directory
Administrative Center provides a graphical user
interface (GUI) built on Windows PowerShell. This
enhanced interface allows you to perform Active
Directory object management by using task-
oriented navigation. Tasks that you can perform
by using the Active Directory Administrative
Center include:
• Creating and managing user, computer, and group accounts.
• Creating and managing OUs.
• Connecting to and managing multiple domains within a single instance of the Active Directory
Administrative Center.
• Searching and filtering Active Directory data by building queries.
• Creating and managing fine-grained password policies.
• Recovering objects from the Active Directory Recycle Bin.
Installation Requirements
You can install the Active Directory Administrative Center only on computers that are running Windows Server 2008 R2, Windows Server 2012, Windows® 7 or Windows 8. You can install the Active Directory Administrative Center by:
• Installing the AD DS server role through Server Manager.
• Installing the Remote Server Administration Tools (RSAT) on a Windows Server 2012 server or Windows 8.
Note: The Active Directory Administrative Center relies on the Active Directory Web
Services (ADWS) service, which you must install on at least one domain controller in the domain.
The service also requires port 9389 to be open on the domain controller where ADWS is running.
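The following script is an added example, not part of the handbook, that checks the prerequisites the note above describes before you open Active Directory Administrative Center: that the RSAT features are installed, that Active Directory Web Services is running on the domain controller, and that TCP port 9389 is reachable. The domain controller name LON-DC1 is a placeholder; Get-WindowsFeature exists only on Windows Server, so on a Windows 8 workstation skip that step.

```powershell
# Added example (not from the handbook). Run on a Windows Server 2012 management
# host; LON-DC1 is a placeholder for your domain controller.
$dc = 'LON-DC1'

# 1. Are the RSAT AD DS tools (Administrative Center, AD module) installed here?
#    These feature names are the real Server Manager names; this step is
#    Windows Server only.
Import-Module ServerManager
Get-WindowsFeature -Name RSAT-AD-Tools, RSAT-AD-AdminCenter, RSAT-AD-PowerShell |
    Format-Table Name, InstallState -AutoSize

# 2. Is Active Directory Web Services running on the domain controller?
$adws = Get-Service -Name ADWS -ComputerName $dc
"ADWS on {0}: {1}" -f $dc, $adws.Status

# 3. Can this host reach TCP 9389 on the DC? Test-NetConnection is not present
#    on Windows Server 2012, so a plain .NET socket connect is used instead.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($dc, 9389)
    "TCP 9389 on {0}: open" -f $dc
} catch {
    "TCP 9389 on {0}: blocked or ADWS not listening ({1})" -f $dc, $_.Exception.Message
} finally {
    $client.Close()
}
```

If step 2 reports a stopped service or step 3 reports a blocked port, Active Directory Administrative Center and the Active Directory module will both fail to connect, because both depend on ADWS rather than on LDAP.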
New Active Directory Administrative Center Features in Windows Server 2012
Active Directory Administrative Center contains several new features in Windows Server 2012 that enable
the graphical management of AD DS functionality:
• Active Directory Recycle Bin. Active Directory Administrative Center now offers complete management of the Active Directory Recycle Bin. Administrators can use Active Directory Administrative Center to view and locate deleted objects, and manage and restore those objects to their original or other desired location.
• Fine-Grained Password Policy. Active Directory Administrative Center also provides a graphical user interface for the creation and management of password settings objects to implement fine-grained password policies in an AD DS domain.
• Windows PowerShell History Viewer. Active Directory Administrative Center functionality is built on Windows PowerShell. Any command or action that you perform within the Active Directory Administrative Center interface is carried out in Windows Server 2012 through Windows PowerShell cmdlets. When an administrator performs a task within the Active Directory Administrative Center interface, the Windows PowerShell History Viewer shows the Windows PowerShell commands that were issued for the task. This enables administrators to reuse code to create reusable scripts, and allows them to become more familiar with Windows PowerShell syntax and usage.
Overview of the Active Directory Module for Windows PowerShell
The Active Directory module for Windows PowerShell in Windows Server 2012 consolidates a group of cmdlets that you can use to manage your Active Directory domains. Windows Server 2012 builds on the foundation built in the Active Directory module for Windows PowerShell originally introduced in Windows Server 2008 R2, by adding an additional 60 cmdlets that expand the preexisting areas of Windows PowerShell capabilities and add new capabilities in the areas of replication and resource access control.
The Active Directory module for Windows PowerShell enables management of AD DS in the following areas:
1. User management
2. Computer management
3. Group management
4. OU management
5. Password policy management
6. Searching and modifying objects
7. Forest and domain management
8. Domain controller and operations master management
9. Managed service account management
10. Site replication management
11. Central access and claims management
Cmdlet Examples
• New-ADComputer creates a new computer object in AD DS.
• Remove-ADGroup removes an Active Directory group.
• Set-ADDomainMode sets the domain functional level for an Active Directory domain.
Installation
You can install the Active Directory module by using any of the following methods:
• By default, on a Windows Server 2008 R2 or Windows Server 2012 server, when you install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.
• By default, when you make a Windows Server 2008 R2 or Windows Server 2012 server a domain controller.
• As part of the RSAT feature on a Windows Server 2008 R2, Windows Server 2012, Windows 7 or Windows 8 computer.
Demonstration: Managing AD DS by Using Management Tools
The various AD DS management tools each have a purpose in the administration of the complete AD DS
environment. This demonstration will show you the primary tools that you can use to manage AD DS and
a task that you typically perform with the tool.
This demonstration shows how to:
• Create objects in Active Directory Users and Computers.
• View object attributes in Active Directory Users and Computers.
• Navigate within Active Directory Administrative Center.
• Perform an administrative task in Active Directory Administrative Center.
• Use the Windows PowerShell History Viewer in Active Directory Administrative Center.
• Manage AD DS objects with Windows PowerShell.
Demonstration Steps
Active Directory Users and Computers
View objects
1. On LON-DC1, open Active Directory Users and Computers.
2. Navigate the Adatum.com domain tree, viewing Containers, Organizational Units (OUs) and Computer, User, and Group objects.
Refresh the view
• Refresh the view in Active Directory Users and Computers.
Create objects
1. Create a new computer object named LON-CL4 in the Computers container.
2. To create an object in Active Directory Users and Computers, right-click a domain, or a container (such as Users or Computers), or an organizational unit, point to New, and then click the type of object that you want to create.
3. When you create an object, you are prompted to configure several of the object’s most basic properties, including the properties that the object requires.
Configure object attributes
1. In Active Directory Users and Computers, open the Properties page for LON-CL4.
2. Add LON-CL4 to the Adatum/Research group.
View all object attributes
1. Enable the Advanced Features view in Active Directory Users and Computers.
2. Open the Properties page for LON-CL4, and then view the AD DS attributes.
Active Directory Administrative Center
Navigation
1. On LON-DC1, open Active Directory Administrative Center.
2. In Active Directory Administrative Center, click the Navigation nodes.
3. Switch to the tree view.
4. Expand Adatum.com.
Perform administrative tasks
1. Navigate to the Overview view.
2. Reset the password for Adatum\Adam to Pa$$w0rd, without requiring the user to change the password at the next logon.
3. Use the Global Search section to find any objects that match the search string Rex.
Use the Windows PowerShell History Viewer
1. Open the Windows PowerShell History pane.
2. View the Windows PowerShell cmdlet that you used to perform the most recent task.
Windows PowerShell
Creating a group
1. Open the Active Directory Module for Windows PowerShell.
2. Create a new group called SalesManagers by using the following command (on one line):
New-ADGroup -Name "SalesManagers" -GroupCategory Security -GroupScope Global -DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"
3. Open Active Directory Administrative Center, and confirm that the SalesManagers group is present in the Users container.
Move an object to a new organizational unit (OU)
1. At the PowerShell prompt, move SalesManagers to the Sales OU by using the following command (on one line):
Move-ADObject "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath "OU=Sales,DC=Adatum,DC=com"
2. Switch to Active Directory Administrative Center, and then confirm that the SalesManagers group has been moved to the Sales OU.
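The following script is an added example, not part of the handbook, that turns the two Windows PowerShell steps of this demonstration (and the cmdlet overview earlier in the lesson) into one rerunnable script that verifies each change instead of relying on a visual check in Active Directory Administrative Center. It assumes the Adatum.com lab domain with its Users container and Sales OU, and a session with rights to create and move objects.

```powershell
# Added example (not from the handbook): create SalesManagers if it is missing,
# move it to the Sales OU if it is not already there, and verify both steps.
Import-Module ActiveDirectory

$name    = 'SalesManagers'
$users   = 'CN=Users,DC=Adatum,DC=com'
$salesOu = 'OU=Sales,DC=Adatum,DC=com'

# Get-ADGroup -Identity throws when the group does not exist, so look it up
# with a filter; a filter simply returns nothing.
$group = Get-ADGroup -Filter { Name -eq $name }
if (-not $group) {
    $group = New-ADGroup -Name $name -GroupCategory Security -GroupScope Global `
        -DisplayName 'Sales Managers' -Path $users -PassThru
    "Created {0}" -f $group.DistinguishedName
} else {
    "Already present: {0}" -f $group.DistinguishedName
}

# Move only when the group is not already in the target OU (moving an object
# onto its current parent is an error, not a no-op).
$expectedDn = "CN=$name,$salesOu"
if ($group.DistinguishedName -ne $expectedDn) {
    Move-ADObject -Identity $group.DistinguishedName -TargetPath $salesOu
}

# Verify the result by reading the object back.
$moved = Get-ADGroup -Identity $name
if ($moved.DistinguishedName -ne $expectedDn) {
    throw "Move failed: group is at $($moved.DistinguishedName)"
}
"Now at {0}" -f $moved.DistinguishedName

# The DN changed but the SID did not, so any ACL entries that grant this group
# access keep working after the move.
"SID unchanged: {0}" -f $moved.SID.Value
```

The same cmdlets appear in the Windows PowerShell History Viewer when you perform these tasks in Active Directory Administrative Center, which is a convenient way to discover the parameter names before writing a script like this one.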
Managing Operations Master Roles
In an AD DS environment, multimaster replication means that all domain controllers have the same general capabilities and priorities when modifying the AD DS database. However, certain operations must be performed by only one system. In AD DS, operations masters are domain controllers that perform a specific function within the domain environment.
Forest-Wide Operations Master Roles
The schema master and the domain-naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.
Domain Naming Master Role
The domain-naming role is used when adding or removing domains and application partitions in the
forest. When you add or remove a domain or application partition, the domain naming master must be
accessible, or the operation will fail.
Schema Master Role
The domain controller holding the schema master role is responsible for making any changes to the
forest’s schema. All other domain controllers hold read-only replicas of the schema. When you need to
modify the schema, the modifications must be sent to the domain controller that hosts the schema master
role.
Domain-Wide Operations Master Roles
Each domain maintains three single master operations: relative identifier (RID) master, infrastructure
master, and primary domain controller (PDC) Emulator. Each role is performed by only one domain
controller in the domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals
such as users, groups, and computers. The SID of a security principal must be unique. Because any
domain controller can create accounts, and therefore, SIDs, a mechanism is necessary to ensure that the
SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by
appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs
to each domain controller in the domain. Therefore, each domain controller can be confident that the
SIDs that it generates are unique.
Infrastructure Master Role
In a multidomain environment, it is common for an object to reference objects in other domains. For
example, a group can include members from another domain. Its multivalued member attribute contains
the distinguished names of each member. If the member in the other domain is moved or renamed, the
infrastructure master of the group’s domain updates the references to the object.
PDC Emulator Role
The PDC Emulator role performs multiple, crucial functions for a domain:
• Participates in special password update handling for the domain. When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.
• Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the default focal point for all Group Policy changes.
• Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller.
• Acts as the domain master browser. When you open network in Windows, you see a list of
workgroups and domains, and when you open a workgroup or domain, you see a list of computers.
The browser service creates these two lists, called browse lists. In each network segment, a master
browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The
domain master browser serves to merge the lists of each master browser so that browse clients can
retrieve a comprehensive browse list.
Guidelines for Placing Operations Master Roles
• Place the domain-level roles on a high-performance domain controller.
• Do not place the Infrastructure Master domain-level role on a global catalog server, except when your forest contains only one domain or all of the domain controllers in your forest also are global catalogs.
• Leave the two forest-level roles on a domain controller in the forest-root domain.
• Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other servers.
Note: You can view the assignment of operations master roles by running the following from a command prompt:
Netdom query fsmo
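The following script is an added example, not part of the handbook, that reports the five role holders with the Active Directory module and then tests them against the placement guidelines above: forest-level roles in the forest root domain, and an infrastructure master that is not a global catalog unless the forest has one domain or every domain controller is a global catalog. It assumes the Active Directory module and a domain-joined session; the property names used (SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster, IsGlobalCatalog) are the real ones exposed by Get-ADForest, Get-ADDomain and Get-ADDomainController.

```powershell
# Added example (not from the handbook): list operations master holders and
# warn on placements that violate the guidelines.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles: one holder in the whole forest.
"Schema master:         {0}" -f $forest.SchemaMaster
"Domain naming master:  {0}" -f $forest.DomainNamingMaster

# Domain-wide roles: one holder per domain (this is the current domain).
"PDC emulator:          {0}" -f $domain.PDCEmulator
"RID master:            {0}" -f $domain.RIDMaster
"Infrastructure master: {0}" -f $domain.InfrastructureMaster

# Guideline: the two forest-level roles belong in the forest root domain.
foreach ($holder in @($forest.SchemaMaster, $forest.DomainNamingMaster)) {
    $dc = Get-ADDomainController -Identity $holder
    if ($dc.Domain -ne $forest.RootDomain) {
        Write-Warning "$holder holds a forest role but is in $($dc.Domain), not $($forest.RootDomain)"
    }
}

# Guideline: the infrastructure master should not be a global catalog, unless
# the forest has a single domain or every DC in the forest is a global catalog.
$im = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
$singleDomain = ($forest.Domains | Measure-Object).Count -eq 1

if ($im.IsGlobalCatalog -and -not $singleDomain -and -not $everyDcIsGc) {
    Write-Warning "$($im.HostName) is both the infrastructure master and a global catalog; cross-domain references will not be updated"
}
```

Run this after any domain controller is demoted or decommissioned: a role whose holder no longer exists still shows the old name here (and in netdom query fsmo), which is the sign that the role must be seized and the stale metadata cleaned up.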
Managing AD DS Backup and Recovery
In earlier Windows versions, backing up Active Directory involved creating a backup of the SystemState, which was a small collection of files that included the Active Directory database and the registry.
In Windows Server 2012, the SystemState concept still exists, but it is much larger. Because of interdependencies between server roles, physical configuration, and Active Directory, the SystemState is now a subset of a Full Server backup and, in some configurations, might be just as big. To back up a domain controller, you must back up all critical volumes fully.
Restoring AD DS Data
When a domain controller or its directory is corrupted, damaged, or failed, you have several options with
which to restore the system.
Nonauthoritative Restore
The first such option is called normal restore or nonauthoritative restore. In a normal restore operation,
you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain
controller back in time. When AD DS restarts on the domain controller, the domain controller contacts
its replication partners and requests all subsequent updates. Effectively, the domain controller catches up
with the rest of the domain by using standard replication mechanisms.
Normal restore is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. What about a situation in which damage has been done, and the damage has been replicated? For example, what if you delete one or more objects, and that deletion has replicated?
In such situations, a normal restore is not sufficient. If you restore a known good version of Active Directory and restart the domain controller, the deletion (which happened subsequent to the backup) will simply replicate back to the domain controller.
Authoritative Restore
When a known good copy of AD DS has been restored that contains objects that must override existing
objects in the AD DS database, an authoritative restore is necessary. In an authoritative restore, you
restore the known good version of Active Directory just as you do in a normal restore. However, before
restarting the domain controller, you mark the accidentally deleted or previously corrupted objects that
you wish to retain as authoritative so that they will replicate from the restored domain controller to its
replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the
version number of all object attributes to be so high that the version is virtually guaranteed to be higher
than the version number on all other domain controllers.
When the restored domain controller is restarted, it replicates from its replication partners all changes that
have been made to the directory. It also notifies its partners that it has changes, and the version numbers
of the changes ensure that partners take the changes and replicate them throughout the directory service.
In forests with the Active Directory Recycle Bin enabled, you can use the Active Directory Recycle Bin as a simpler alternative to an authoritative restore.
Other Restore Options
The third option for restoring the directory service is to restore the entire domain controller. This is done by booting to the Windows Recovery Environment, and then restoring a full server backup of the domain controller. By default, this is a normal restore. If you also need to mark objects as authoritative, you must restart the server in the Directory Services Restore Mode and set those objects as authoritative prior to starting the domain controller into normal operation.
Finally, you can restore a backup of the SystemState to an alternate location. This allows you to examine files and, potentially, to mount the NTDS.dit file. You should not copy the files from an alternate restore location over the production versions of those files. Do not do a piecemeal restore of Active Directory. You also can use this option if you want to use the Install From Media option for creating a new domain controller.
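The following script is an added example, not part of the handbook, that shows the command-line side of the backup and restore options this topic describes: a critical-volume backup with wbadmin (the Windows Server Backup command-line tool), and the ntdsutil authoritative restore step that marks objects or subtrees before the domain controller is returned to normal operation. It assumes the Windows Server Backup feature is installed, that E: is a dedicated backup volume, and that the distinguished names are placeholders; the marking function is only valid while the server is booted into Directory Services Restore Mode.

```powershell
# Added example (not from the handbook). Two functions: one runs during normal
# operation, the other only in Directory Services Restore Mode.

function Backup-DcCriticalVolumes {
    param([string]$Target = 'E:')   # dedicated backup volume (assumption)
    # -allCritical backs up every volume that holds operating system components,
    # which on a domain controller covers the SystemState: NTDS, SYSVOL, registry.
    wbadmin start backup -allCritical "-backupTarget:$Target" -quiet
    # Each run becomes a version; its identifier is what a later
    # "wbadmin start systemstaterecovery -version:<id>" asks for.
    wbadmin get versions "-backupTarget:$Target"
}

function Invoke-AuthoritativeMark {
    # Run in DSRM, after the nonauthoritative restore and before the normal
    # reboot. ntdsutil accepts its command sequence as arguments, so each mark
    # is one line instead of an interactive session. DNs containing spaces must
    # be quoted at the ntdsutil prompt.
    param(
        [string[]]$ObjectDN  = @(),   # individual objects to mark authoritative
        [string[]]$SubtreeDN = @()    # OUs whose whole subtree is marked
    )
    foreach ($dn in $ObjectDN) {
        ntdsutil "activate instance ntds" "authoritative restore" "restore object $dn" quit quit
    }
    foreach ($dn in $SubtreeDN) {
        ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $dn" quit quit
    }
    # Marking raises the attribute version numbers; the marked objects replicate
    # outward on the next normal start of the domain controller.
}

# Usage (placeholders for the lab domain):
# Backup-DcCriticalVolumes -Target 'E:'
# Invoke-AuthoritativeMark -ObjectDN 'CN=SalesManagers,OU=Sales,DC=Adatum,DC=com'
# Invoke-AuthoritativeMark -SubtreeDN 'OU=Research,DC=Adatum,DC=com'
```

Keep the backup target off the domain controller's critical volumes and restrict who can read it: a SystemState backup contains the full NTDS.dit, so it needs the same protection as the live database.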
Lesson 5
Managing the AD DS Database
At the core of the AD DS environment is the AD DS database. The AD DS database contains all the critical information required to provide AD DS functionality. Maintaining this database properly is a critical aspect of AD DS management, and there are several tools and best practices of which you should be aware so that you can manage your AD DS database effectively. This lesson will introduce you to AD DS database management, and show you the tools and methods for maintaining it.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the AD DS database architecture.
• Describe NTDSUtil.
• Explain restartable AD DS.
• Explain how to perform AD DS database management.
• Describe how to create AD DS snapshots.
• Explain how to restore deleted objects.
• Describe how to configure the Active Directory Recycle Bin.
Understanding the AD DS Database
AD DS information is stored within the directory database. Each directory partition, also called a naming context, contains objects of a particular replication scope and purpose. There are three AD DS partitions on each domain controller, as follows:
• Domain. The Domain partition contains all the objects stored in a domain, including users, groups, computers, and Group Policy containers (GPCs).
• Configuration. The Configuration partition contains objects that represent the logical structure of the forest, including information about domains, as well as the physical topology, including sites, subnets, and services.
• Schema. The Schema partition defines the object classes and their attributes for the entire directory.
Domain controllers also can host application partitions. You can use application partitions to limit replication of application-specific data to a subset of domain controllers. Active Directory integrated DNS is a common example of an application that takes advantage of application partitions.
Each domain controller maintains a copy, or replica, of several partitions. The Configuration is replicated to every domain controller in the forest, as is the Schema. The Domain partition for a domain is replicated to all domain controllers within a domain, but not to domain controllers in other domains, with the exception of global catalog servers. Therefore, each domain controller has at least three replicas: the Domain partition for its domain, Configuration, and Schema.
AD DS Database Files
The AD DS database is stored as a file named NTDS.dit. When you install and configure AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. Within NTDS.dit are all of the partitions hosted by the domain controller: the forest schema and configuration; the domain-naming context; and, depending on the server configuration, the partial attribute set and application partitions.
In the NTDS folder, there are other files that support the Active Directory database. The Edb*.log files are the transaction logs for Active Directory. When a change must be made to the directory, it is first written to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be rolled back.
The following table describes the different file-level components of the AD DS database.
File                                Description
NTDS.dit                            Main AD DS database file; contains all AD DS partitions and objects
EDB*.log                            Transaction log(s)
EDB.chk                             Database checkpoint file
Edbres00001.jrs, Edbres00002.jrs    Reserve transaction log files that allow the directory to process transactions if the server runs out of disk space
AD DS Database Modifications and Replication
Under normal operations, the transaction log wraps around, with new transactions overwriting old
transactions that had already been committed. However, if a large number of transactions are made
within a short period of time, AD DS creates additional transaction log files, so you may see several
EDB*.log files if you look in the NTDS folder of a particularly busy domain controller. Over time, those
files are removed automatically.
The EDB.chk file acts like a bookmark into the log files, marking the location before which transactions
have been successfully committed to the database, and after which transactions remain to be committed.
If a disk drive runs out of space, it is highly problematic for the server. It is even more problematic if that
disk is hosting the AD DS database, because transactions that may be pending cannot be written to the
logs. Therefore, AD DS maintains two additional log files, edbres0001.jrs and edbres0002.jrs. These are
empty files of 10 megabytes (MB) each. When a disk runs out of space for normal transaction logs, AD DS
recruits the space used by these two files to write the transactions that are in a queue currently. After that,
it safely shuts down AD DS services, and dismounts the database. Of course, it will be important for an
administrator to remediate the issue of low disk space as quickly as possible. The file simply provides a
temporary solution to prevent the directory service from refusing new transactions.
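The following script is an added example, not part of the handbook, that locates the database and log files described in this topic from the NTDS service's registry parameters (rather than assuming the default %systemroot%\NTDS), lists them with their sizes, and warns when the volume holding them is low on free space, so that the two 10 MB reserve logs never become the only space left. It runs locally on a domain controller; the registry value names used are the real ones under the NTDS Parameters key.

```powershell
# Added example (not from the handbook): inventory AD DS database files and
# check free space on their volumes. Run on the domain controller itself.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'          # full path of ntds.dit
$logPath = $params.'Database log files path'    # folder holding edb*.log etc.

"Database: {0}" -f $dbFile
"Logs:     {0}" -f $logPath

# The files from the table above, with sizes. The database and logs may be on
# different volumes, so both folders are examined.
$folders = @((Split-Path -Parent $dbFile), $logPath) | Select-Object -Unique
foreach ($folder in $folders) {
    Get-ChildItem -Path "$folder\*" -Include ntds.dit, edb*.log, edb.chk, edbres*.jrs |
        Select-Object Name,
                      @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 2) } },
                      LastWriteTime
}

# More than one edb*.log means a recent burst of transactions; the extra logs
# are removed automatically once committed, so this is informational.
$logCount = @(Get-ChildItem -Path $logPath -Filter 'edb*.log').Count
"Transaction log files present: {0}" -f $logCount

# Free space on each volume. The threshold (500 MB) is an assumption; the point
# is to alert long before AD DS has to fall back to the reserve logs and stop.
foreach ($folder in $folders) {
    $drive  = (Split-Path -Qualifier $folder).TrimEnd(':')
    $freeMB = [math]::Round((Get-PSDrive -Name $drive).Free / 1MB)
    if ($freeMB -lt 500) {
        Write-Warning ("{0}: has only {1} MB free for the AD DS database" -f $drive, $freeMB)
    } else {
        "{0}: {1} MB free" -f $drive, $freeMB
    }
}
```

Because these files hold every password hash in the domain, NTFS permissions on the NTDS folder should stay at the defaults, and any unexpected copy of ntds.dit elsewhere on the server is worth investigating.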
What Is NTDSUtil?
NTDSUtil is a command-line executable that
you can use to perform database maintenance,
including the creation of snapshots, offline
defragmentation, and the relocation of the
database files.
You also can use NTDSUtil to clean up domain
controller metadata. If a domain controller is
removed from the domain while offline, it is
unable to remove important information from the
directory service. You can then use NTDSUtil to
clean out the remnants of the domain controller,
and it is very important that you do so.
NTDSUtil can also reset the password used to log on to the Directory Services Restore Mode. This
password is initially configured during the configuration of a domain controller. If you forget the
password, the NTDSUtil set dsrm command can reset it.
Understanding Restartable AD DS
In most scenarios where AD DS management is
required, you should restart the domain controller
in Directory Services Restore mode.
Windows Server 2012 enables administrators to
stop and start AD DS just like any other service,
and without restarting a domain controller, to
perform some management tasks quickly. This
feature is called Restartable Active Directory
Domain Services.
Restartable AD DS reduces the time required to
perform certain operations. You can stop AD DS
so that you can apply updates to a domain
controller. Also, administrators can stop AD DS to perform tasks such as offline defragmentation of the
Active Directory database, without restarting the domain controller. Other services that are running on
the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol
(DHCP), remain available to satisfy client requests while AD DS is stopped.
Restartable AD DS is available by default on all domain controllers that run Windows Server 2012. There
are no functional-level requirements or any other prerequisites for using this feature.
Note: You cannot perform a system state restore of a domain controller while AD DS
is stopped. To complete a system state restore of a domain controller, you need to start in
Directory Services Restore Mode (DSRM). You can however perform an authoritative restore
of Active Directory objects while AD DS is stopped by using Ntdsutil.exe.
Restartable AD DS adds minor changes to the existing Microsoft Management Console (MMC) snap-ins. A
domain controller running Windows Server 2012 AD DS displays Domain Controller in the Services (Local)
node of the Component Services snap-in and the Computer Management snap-in. Using the snap-in, an
administrator can easily stop and restart AD DS the same way as any other service that is running locally
on the server.
Although stopping AD DS is similar to logging on in Directory Services Restore Mode, restartable AD DS provides a unique state, known as AD DS Stopped, for a domain controller that is running Windows Server 2012.
Domain Controller States
The three possible states for a domain controller running Windows Server 2012 are:
• AD DS Started. In this state, AD DS is started. The domain controller is able to perform AD DS related tasks normally.
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in DSRM and a domain-joined member server.
• DSRM. This mode (or state) allows standard AD DS administrative tasks.
With DSRM, the Active Directory database (Ntds.dit) on the local domain controller is offline. Another
domain controller can be contacted for logon, if one is available. If no other domain controller can be
contacted, by default you can do one of the following:
• Log on to the domain controller locally in DSRM by using the DSRM password.
• Restart the domain controller to log on with a domain account.
As with a member server, the server is joined to the domain. This means that Group Policy and other
settings are still applied to the computer. However, a domain controller should not remain in the AD DS
Stopped state for an extended period of time because in this state, it cannot service logon requests or
replicate with other domain controllers.
Demonstration: Performing AD DS Database Maintenance
There are several tasks and related tools that you can use to perform AD DS database maintenance.
This demonstration shows how to:
• Stop AD DS.
• Perform an offline defragmentation of the AD DS database.
• Check the integrity of the AD DS database.
• Start AD DS.
Demonstration Steps
Stop AD DS
1. On LON-DC1, open the Services console.
2. Stop the Active Directory Domain Services service.
Perform an offline defragmentation of the AD DS database
• Run the following commands from a Windows PowerShell prompt. Press Enter after each line:
ntdsutil
activate instance NTDS
files
compact to C:\
Check the integrity of the offline database
1. Run the following commands from a Windows PowerShell prompt. Press Enter after each line:
Integrity
quit
Quit
2. Close the command prompt window.
Start AD DS
1. Open the Services console.
2. Start the Active Directory Domain Services service.
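The following script is an added example, not part of the handbook, that performs this demonstration as a single script using restartable AD DS: it stops the directory service (and its dependents), compacts the database to a scratch folder, runs the integrity check, and restarts everything in a finally block so that AD DS comes back even if a step fails. It assumes local administrator rights on the domain controller and a C:\NTDS-compact folder with free space at least the size of ntds.dit. As in the demonstration, the compacted copy is not put into service; the live database is left as it is.

```powershell
# Added example (not from the handbook): offline defragmentation and integrity
# check using restartable AD DS instead of a reboot into DSRM.
$target = 'C:\NTDS-compact'     # scratch location (assumption)
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Remember which dependent services (KDC, DNS Server, DFS Replication, ...) are
# running now, so they can be started again afterwards.
$ntds = Get-Service -Name NTDS
$dependents = $ntds.DependentServices | Where-Object { $_.Status -eq 'Running' }

# Stop AD DS; -Force also stops the dependent services.
Stop-Service -Name NTDS -Force
"AD DS state: {0}" -f (Get-Service -Name NTDS).Status

try {
    # ntdsutil accepts its command sequence as arguments, mirroring the
    # interactive steps: activate instance, files, compact to <folder>, quit, quit.
    ntdsutil "activate instance ntds" files "compact to $target" quit quit

    # Integrity check of the (stopped) live database.
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    # Always bring the directory service and its dependents back.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
    "AD DS state: {0}" -f (Get-Service -Name NTDS).Status
}

# How much space a defragmentation would reclaim: compare the live file with
# the compacted copy. The live path comes from the NTDS registry parameters.
$liveDb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$live   = Get-Item -Path $liveDb
$copy   = Get-Item -Path (Join-Path $target 'ntds.dit')
"Live: {0} MB   Compacted: {1} MB" -f [math]::Round($live.Length / 1MB), [math]::Round($copy.Length / 1MB)
```

ntdsutil reports success or failure in its own output rather than through a reliable exit code, so read the output of both ntdsutil runs before trusting the result. While AD DS is stopped this domain controller does not authenticate clients or replicate, so run this during a maintenance window and on one domain controller at a time.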
Creating AD DS Snapshots
NTDSUtil in Windows Server 2012 can create and mount snapshots of AD DS. A snapshot is a form of historical backup that captures the exact state of the directory service at the time of the snapshot. You can use tools to explore the contents of a snapshot to examine the state of the directory service at the time the snapshot was made, or connect to a mounted snapshot with LDIFDE and export and reimport objects into AD DS.
Creating an AD DS Snapshot
To create a snapshot:
1. Open the command prompt.
2. Type ntdsutil, and then press Enter.
3. Type snapshot, and then press Enter.
4. Type activate instance ntds, and then press Enter.
5. Type create, and then press Enter.
6. The command returns a message that indicates that the snapshot set was generated successfully.
7. The GUID that is displayed is important for commands in later tasks. Make note of the GUID or, alternatively, copy it to the Clipboard.
8. Type quit, and then press Enter.
Schedule snapshots of Active Directory regularly. You can use the Task Scheduler to execute a batch file
by using the appropriate NTDSUtil commands.
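The following script is an added example, not part of the handbook, that registers the scheduled snapshot this topic recommends. It uses the ScheduledTasks module that ships with Windows Server 2012 instead of a batch file, and passes the snapshot steps (2 to 8 above) to ntdsutil as arguments. The task name, the 02:00 daily trigger and running as SYSTEM are assumptions.

```powershell
# Added example (not from the handbook): schedule a daily AD DS snapshot on the
# domain controller where this runs.
$action = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
    -Argument '"activate instance ntds" snapshot create quit quit'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'AD DS daily snapshot' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Confirm the task exists and see when it last ran.
Get-ScheduledTaskInfo -TaskName 'AD DS daily snapshot' |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime

# List the snapshots on this DC. Each entry shows an index, the creation time
# and the GUID that the mount and unmount commands need.
ntdsutil snapshot "activate instance ntds" "list all" quit quit
```

A snapshot is a complete copy of NTDS.dit, password hashes included, so it needs the same access control as the live database: leave the snapshot volume's default permissions in place, and delete snapshots you no longer need with ntdsutil's snapshot delete command rather than letting them accumulate.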
Mounting an AD DS Snapshot
To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. This is also
accomplished with NTDSUtil.
To mount a snapshot:
1. Open an elevated command prompt.
2. Type ntdsutil, and then press Enter.
3. Type activate instance ntds, and then press Enter.
4. Type snapshot, and then press Enter.
5. Type list all, and then press Enter.
6. The command returns a list of all snapshots.
7. Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then press Enter.
8. Type quit, and then press Enter.
9. Type quit, and then press Enter.
10. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter.
11. The port number, 50000, can be any open and unique TCP port number.
12. A message indicates that Active Directory Domain Services startup is complete.
13. Do not close the command prompt window and leave the command you just ran, Dsamain.exe, running while you continue to the next step.
Viewing an AD DS Snapshot
After the snapshot has been mounted, you can use tools to connect to and explore the snapshot. Even
Active Directory Users and Computers can connect to the instance.
To connect to a snapshot with Active Directory Users and Computers:
1. Open Active Directory Users and Computers.
2. Right-click the root node, and then click Change Domain Controller.
3. The Change Directory Server dialog box appears.
4. Click <Type a Directory Server name[:port] here>.
5. Type LON-DC1:50000, and then press Enter.
6. LON-DC1 is the name of the domain controller on which you mounted the snapshot, and 50000 is the TCP port number that you configured for the instance. You now are connected to the snapshot.
7. Click OK.
Note that snapshots are read-only. You cannot modify the contents of a snapshot. Moreover, there are no
direct methods with which to move, copy, or restore objects or attributes from the snapshot to the
production instance of Active Directory.
Unmounting an AD DS Snapshot
To unmount the snapshot:
1. Switch to the command prompt in which the snapshot is mounted.
2. Press Ctrl+C to stop DSAMain.exe.
3. Type ntdsutil, and then press Enter.
4. Type activate instance ntds, and then press Enter.
5. Type snapshot, and then press Enter.
6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.
7. Type quit, and then press Enter.
8. Type quit, and then press Enter.
Understanding How to Restore Deleted Objects
When an object in AD DS is deleted, it is moved to the Deleted Objects container and stripped of many important attributes. You can extend the list of attributes that remain when an object is deleted, but you can never retain linked attribute values (such as group membership). As long as the object has not yet been scavenged by the garbage collection process after reaching the end of its tombstone lifetime, you can restore, or reanimate, the deleted object.
To restore a deleted object:
1. Click Start, and in the Start Search box, type LDP.exe, and then press Ctrl+Shift+Enter, which executes the command as an administrator.
2. The User Account Control dialog box appears.
3. Click Use another account.
4. In the User name box, type the user name of an administrator.
5. In the Password box, type the password for the administrative account, and then press Enter.
6. LDP opens.
7. Click the Connection menu, click Connect, and then click OK.
8. Click the Connection menu, click Bind, and then click OK.
9. Click the Options menu, and then click Controls.
10. In the Load Predefined list, click Return Deleted Objects, and then click OK.
11. Click the View menu, click Tree, and then click OK.
12. Expand the domain, and then double-click CN=Deleted Objects,DC=contoso,DC=com.
13. Right-click the deleted object, and then click Modify.
14. In the Attribute box, type isDeleted.
15. In the Operation section, click Delete.
16. Press Enter.
17. In the Attribute box, type distinguishedName.
18. In the Values box, type the new distinguished name of the object, in the parent container or OU into which you want to restore it. For example, type the distinguished name that the object had before it was deleted.
19. In the Operation section, click Replace.
20. Press Enter.
21. Select the Extended check box.
22. Click Run, click Close, and then close LDP.
23. Use Active Directory Users and Computers to repopulate the object's attributes, reset the password (for a user object), and enable the object (if disabled).
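The LDP.exe steps above perform a single LDAP modify that deletes isDeleted and replaces distinguishedName, sent with the Return Deleted Objects control (OID 1.2.840.113556.1.4.417). The following PowerShell script is an added example, not part of the handbook, that performs the same operation with the .NET System.DirectoryServices.Protocols classes so that it can be scripted and audited. The server name LON-DC1, the domain DC=adatum,DC=com, the account adam.barr and the target OU are assumed values, and the password reset and enable at the end (the handbook's step 23) use the Active Directory module.

```powershell
# Added example: reanimate a tombstone the way the LDP.exe procedure does, from PowerShell.
# Assumed values: LON-DC1, DC=adatum,DC=com, sAMAccountName adam.barr, OU=Marketing.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory   # only for the password reset and enable at the end

function Restore-Tombstone {
    param(
        [Parameter(Mandatory)] [string] $Server,          # domain controller, e.g. 'LON-DC1'
        [Parameter(Mandatory)] [string] $DomainDn,        # e.g. 'DC=adatum,DC=com'
        [Parameter(Mandatory)] [string] $SamAccountName,  # kept on the tombstone, unlike most attributes
        [Parameter(Mandatory)] [string] $TargetParentDn   # OU or container to restore into
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true     # sign and seal the session; current credentials are used
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()

    # LDP's "Return Deleted Objects" control (1.2.840.113556.1.4.417) is ShowDeletedControl here.
    $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

    # Find the tombstone under CN=Deleted Objects. Its RDN is mangled ("Adam Barr" + LF + "DEL:<guid>"),
    # so search on sAMAccountName, which tombstones keep, and insist on isDeleted=TRUE.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('cn', 'lastKnownParent', 'objectGUID'))
    [void]$search.Controls.Add($showDeleted)
    $entries = $conn.SendRequest($search).Entries
    if ($entries.Count -ne 1) {
        throw "Expected exactly one tombstone for $SamAccountName, found $($entries.Count)"
    }
    $tombstone  = $entries[0]
    $mangledCn  = $tombstone.Attributes['cn'].GetValues([string])[0]
    $originalCn = $mangledCn.Split([char]10)[0]            # text before the line feed is the old name
    $newDn      = "CN=$originalCn,$TargetParentDn"
    $oldParent  = $tombstone.Attributes['lastKnownParent'].GetValues([string])[0]

    # One modify request carrying both changes, as LDP's Extended modify does: delete isDeleted
    # and replace distinguishedName. The directory rejects them as separate operations.
    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $tombstone.DistinguishedName
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($newDn)
    [void]$modify.Modifications.Add($delIsDeleted)
    [void]$modify.Modifications.Add($setDn)
    [void]$modify.Controls.Add($showDeleted)
    $response = $conn.SendRequest($modify)
    if ($response.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Reanimation failed: $($response.ResultCode) $($response.ErrorMessage)"
    }
    Write-Host "Reanimated $SamAccountName as $newDn (last known parent: $oldParent)"
    return [guid]$tombstone.Attributes['objectGUID'].GetValues([byte[]])[0]
}

# Reanimation brings back a shell of the account with no password and no group memberships,
# so finish as the handbook's step 23 says: repopulate attributes, reset the password, enable it.
$guid = Restore-Tombstone -Server 'LON-DC1' -DomainDn 'DC=adatum,DC=com' `
                          -SamAccountName 'adam.barr' -TargetParentDn 'OU=Marketing,DC=adatum,DC=com'
Set-ADAccountPassword -Identity $guid -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Identity $guid
```

The search is anchored on sAMAccountName rather than on the mangled CN because the mangled name contains a line-feed character that is awkward to express in an LDAP filter. If the original OU has itself been deleted, pass a different TargetParentDn; the directory will not place an object under a parent that no longer exists.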
Configuring the Active Directory Recycle Bin
In Windows Server 2012, the Active Directory Recycle Bin can be enabled to provide a simplified process for restoring deleted objects. This feature overcomes the limitations of authoritative restore and tombstone reanimation. The Active Directory Recycle Bin enables administrators to restore deleted objects with full functionality, without having to restore AD DS data from backups and then restart AD DS or reboot domain controllers. Active Directory Recycle Bin builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.
How Active Directory Recycle Bin Works
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system preserves all of the object's link-valued and non-link-valued attributes, and the object becomes logically deleted. A deleted object is moved to the Deleted Objects container, and its distinguished name is mangled. A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime. Within the deleted object lifetime, you can recover a deleted object with Active Directory Recycle Bin and make it a live Active Directory object again.
The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. When the deleted object lifetime expires, the object becomes a recycled object: most of its attributes are stripped, and it can no longer be recovered with the Active Directory Recycle Bin. The recycled object lifetime is determined by the value of the legacy tombstoneLifetime attribute; when it expires, the garbage collection process removes the object from the database. By default, msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime. By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, is also set to null. When tombstoneLifetime is set to null, the recycled object lifetime defaults to 180 days. Both attributes are stored on the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition, and you can modify their values at any time. When msDS-deletedObjectLifetime is set to some value other than null, it no longer assumes the value of tombstoneLifetime.
Enabling the Active Directory Recycle Bin
You can enable the Active Directory Recycle Bin only when the forest functional level is set to Windows Server 2008 R2 or higher. Enabling the feature is irreversible; it cannot be turned off afterward.
To enable the Active Directory Recycle Bin in Windows Server 2012, you can perform one of the following:
• From the Active Directory module for Windows PowerShell prompt, use the Enable-ADOptionalFeature cmdlet.
• From Active Directory Administrative Center, select the domain, and then click Enable Active Directory Recycle Bin in the Tasks pane.
Only items deleted after the Active Directory Recycle Bin is turned on can be restored from the Active Directory Recycle Bin. Objects that were already tombstones when you enabled the feature become recycled objects and cannot be recovered at all, so reanimate any tombstones you still need before you enable it.
Restoring Items from the Active Directory Recycle Bin
In Windows Server 2012, the Active Directory Administrative Center provides a graphical interface for restoring AD DS objects that are deleted. When the Active Directory Recycle Bin has been enabled, the Deleted Objects container is visible in Active Directory Administrative Center. Deleted objects will be visible in this container until their deleted object lifetime period has expired. You can choose to restore the objects to their original location or to an alternate location within AD DS.
Lab: Maintaining AD DS
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and data center in London supports the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is making several organizational changes that require modifications to the AD DS infrastructure.
A new location requires a secure method of providing onsite AD DS, and you have been asked to extend
the capabilities of Active Directory Recycle Bin to the entire organization.
Virtual Machine(s): 20411B-LON-DC1, 20411B-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd
Objectives
After completing this lab, you will be able to:
• Install and configure a RODC.
• Configure and view Active Directory snapshots.
• Configure the Active Directory Recycle Bin.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Adatum
5. Repeat steps 2 through 4 for 20411B-LON-SVR1.
Exercise 1: Installing and Configuring a RODC
Scenario
A. Datum is adding a new branch office. You have been asked to configure a RODC to service logon
requests at the branch office. You also need to configure password policies that ensure caching only of
passwords for local users in the branch office.
The main tasks for this exercise are as follows:
1. Verify requirements for installing a RODC.
2. Install an RODC.
3. Configure a password-replication policy.
Task 1: Verify requirements for installing a RODC
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. In the properties of Adatum.com, verify that the forest functional level is at least Windows Server® 2003.
3. On LON-SVR1, open Server Manager, and verify whether the computer is a domain member.
4. Use System Properties to place LON-SVR1 in a workgroup named TEMPORARY.
5. Restart LON-SVR1.
6. On LON-DC1, open Active Directory Users and Computers.
7. Delete the LON-SVR1 computer account from the Computers container.
8. In the Domain Controllers OU, precreate a RODC account by using default settings, except for the following:
o Computer name: LON-SVR1
o Delegate to: ADATUM\IT
9. Close Active Directory Users and Computers.
Task 2: Install an RODC
1. Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd.
2. On LON-SVR1, add the Active Directory Domain Services role.
3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:
o Domain: Adatum.com
o Network credentials: Adatum\April (a member of the IT group)
o Password for April: Pa$$w0rd
o Directory Services Restore Mode password: Pa$$w0rd
o Replicate from: LON-DC1.Adatum.com
4. When installation is complete, restart LON-SVR1.
Task 3: Configure a password-replication policy
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. In the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that there are no current members.
3. In the Domain Controllers OU, open the properties of LON-SVR1.
4. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.
5. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group named Remote Office Users.
6. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users.
7. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then open the properties of LON-SVR1.
8. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to LON-SVR1.
9. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.
10. On the Password Replication Policy tab, open the Advanced configuration. On the Resultant Policy tab, add Aziz, and then confirm that Aziz's password can be cached.
11. Attempt to log on to LON-SVR1 as Aziz. This logon will fail because Aziz does not have permission to log on to the RODC, but authentication is performed and the credentials are cached.
12. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.
13. On the Password Replication Policy tab, open the Advanced configuration.
14. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Aziz's password has been cached.
15. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
16. On the Password Replication Policy tab, open the Advanced configuration.
17. On the Policy Usage tab, prepopulate the password for Louise and LON-CL1.
18. Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added.
19. Close all open windows on LON-DC1.
Results: After completing this exercise, you will have installed and configured a RODC.
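The three tasks of this exercise can also be driven from the Active Directory module for Windows PowerShell, which is the form you would use to repeat the configuration for every branch office. The script below is an added example, not part of the handbook or its lab files; it assumes the lab's names (domain Adatum.com, domain controller LON-DC1, RODC LON-SVR1, the site Default-First-Site-Name, the group ADATUM\IT and the lab's users and computer), and the Test-RodcPasswordCacheable function is an approximation of the Resultant Policy tab written for this example.

```powershell
# Added example (not from the handbook): the RODC tasks of Exercise 1 from PowerShell.
# Assumed names: domain Adatum.com, DC LON-DC1, RODC LON-SVR1, site Default-First-Site-Name,
# group ADATUM\IT and the users/computer used in the lab.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Domain = 'Adatum.com'
$Rodc   = 'LON-SVR1'

# Task 1, step 8 (on LON-DC1): pre-create the RODC account and delegate its administration to
# ADATUM\IT, so whoever promotes the server in the branch needs no Domain Admins membership.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $Rodc -DomainName $Domain `
    -SiteName 'Default-First-Site-Name' -DelegatedAdministratorAccountName 'ADATUM\IT'

# Task 2 (run on LON-SVR1 as a local administrator, authenticating as the delegated IT user):
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName Adatum.com -UseExistingAccount `
#       -Credential (Get-Credential 'ADATUM\April') -ReplicationSourceDC 'LON-DC1.Adatum.com' `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# Task 3: password replication policy. Denied wins over Allowed, and the built-in Denied group
# already covers Domain Admins, Enterprise Admins and the other privileged groups.
New-ADGroup -Name 'Remote Office Users' -GroupScope Global -Path 'OU=Research,DC=adatum,DC=com'
Add-ADGroupMember -Identity 'Remote Office Users' -Members 'Aziz','Colin','Lukas','Louise','LON-CL1$'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Remote Office Users'

# Approximation of the Resultant Policy tab (written for this example): expand the Allowed and
# Denied lists, nested groups included, and decide for one principal. Deny takes precedence;
# a principal that appears in neither list is not cached.
function Test-RodcPasswordCacheable {
    param([Parameter(Mandatory)] [string] $Rodc, [Parameter(Mandatory)] [string] $SamAccountName)
    $target = (Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid).objectSid.Value
    if (-not $target) { throw "No principal named $SamAccountName" }
    function Expand-List($principals) {
        foreach ($p in $principals) {
            if ($p.objectClass -eq 'group') {
                Get-ADGroupMember -Identity $p.DistinguishedName -Recursive | ForEach-Object { $_.SID.Value }
            } else { $p.SID.Value }
        }
    }
    $denied  = Expand-List (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $allowed = Expand-List (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    if ($denied -contains $target)  { return 'Denied (explicit)' }
    if ($allowed -contains $target) { return 'Allowed' }
    return 'Denied (no matching entry)'
}
Test-RodcPasswordCacheable -Rodc $Rodc -SamAccountName 'Aziz'            # Allowed
Test-RodcPasswordCacheable -Rodc $Rodc -SamAccountName 'Administrator'   # Denied (explicit)

# Policy Usage tab: who has authenticated through the RODC, and whose secrets it now holds.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Step 17: prepopulate (replicate only the secrets of) Louise and LON-CL1, so the branch keeps
# working when the link to LON-DC1 is down.
foreach ($name in 'Louise', 'LON-CL1$') {
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'"
    Sync-ADObject -Object $obj -Source 'LON-DC1' -Destination $Rodc -PasswordOnly
}
```

The -RevealedAccounts output is also your incident list: if the branch RODC is ever lost or stolen, those are the accounts whose passwords must be reset, which is why the allowed list should contain only the branch's own users and computers and never an administrative account.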
Exercise 2: Configuring AD DS snapshots
Scenario
As part of the overall disaster recovery plan for A. Datum, you have been instructed to test the process for
taking Active Directory snapshots and viewing them. If the process is successful, you will schedule them to
occur on a regular basis to assist in the recovery of deleted or modified AD DS objects.
The main tasks for this exercise are as follows:
1. Create a snapshot of AD DS.
2. Make a change to AD DS.
3. Mount an Active Directory snapshot, and create a new instance.
4. Explore a snapshot with Active Directory Users and Computers.
5. Unmount an Active Directory snapshot.
Task 1: Create a snapshot of AD DS
1. On LON-DC1, open a command prompt window, and then type the following commands, each followed by Enter:
ntdsutil
snapshot
activate instance ntds
create
quit
quit
2. The command returns a message indicating that the snapshot set was generated successfully. The globally unique identifier (GUID) that displays is important for commands in later tasks. Make a note of the GUID or copy it to the Clipboard.
Task 2: Make a change to AD DS
1. On LON-DC1, open Server Manager.
2. From Server Manager, open Active Directory Users and Computers.
3. Delete Adam Barr's account from the Marketing OU.
Task 3: Mount an Active Directory snapshot, and create a new instance
1. Open an administrative command prompt, and then type the following commands, each followed by Enter:
ntdsutil
snapshot
activate instance ntds
list all
The command returns a list of all snapshots.
2. Type the following commands, each followed by Enter:
mount guid
quit
quit
Where guid is the GUID of the snapshot you created.
3. Use the snapshot to start an instance of Active Directory by typing the following command, all on one line, and then press Enter:
dsamain /dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000
Note that datetime will be a unique value. There should be only one folder on your C:\ drive with a name that begins with $snap.
A message indicates that AD DS startup is complete. Leave Dsamain.exe running, and do not close the command prompt.
Task 4: Explore a snapshot with Active Directory Users and Computers
1. Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then click Change Domain Controller. Type the directory server name and port LON-DC1:50000, and then press Enter. Click OK.
2. Locate the Adam Barr user account object in the Marketing OU. Note that Adam Barr's object is displayed because the snapshot was taken prior to deleting it.
Task 5: Unmount an Active Directory snapshot
1. In the command prompt, press Ctrl+C to stop DSAMain.exe.
2. Type the following commands, each followed by Enter:
ntdsutil
snapshot
activate instance ntds
list all
unmount guid
list all
quit
quit
Where guid is the GUID of the snapshot.
Results: After completing this exercise, you will have configured AD DS snapshots.
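The snapshot procedure in Lesson 3 (create, mount, start an instance with Dsamain.exe, browse, unmount) and the five tasks of this exercise are the same sequence, and it is worth having it as a script so that a scheduled snapshot and a later investigation are repeatable. The following PowerShell script is an added example, not part of the handbook or its lab files. It assumes an elevated prompt on the domain controller itself, English-language Ntdsutil.exe output (the two regular expressions that pick out the GUID and the mount path depend on it), the lab's names LON-DC1 and adam.barr, and the lab's port 50000.

```powershell
# Added example (not from the handbook): Exercise 2 end to end from an elevated PowerShell
# prompt on the domain controller. Assumed: English ntdsutil output, DC name LON-DC1, the lab's
# port 50000 and the deleted user adam.barr.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
$Dc       = 'LON-DC1'
$LdapPort = 50000

function New-AdSnapshot {
    # ntdsutil takes its menu commands as arguments, one per quoted string.
    $out = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit' 2>&1
    $m = [regex]::Match(($out -join "`n"), '\{[0-9a-f-]{36}\}', 'IgnoreCase')
    if (-not $m.Success) { throw "No snapshot GUID in ntdsutil output:`n$out" }
    return $m.Value                                     # e.g. {1f8a...-...}, needed later
}

function Mount-AdSnapshot([string]$Guid) {
    $out = & ntdsutil.exe 'activate instance ntds' 'snapshot' "mount $Guid" 'quit' 'quit' 2>&1
    # ntdsutil reports "Snapshot {guid} mounted as C:\$SNAP_<datetime>_VOLUMEC$\"
    $m = [regex]::Match(($out -join "`n"), '[A-Za-z]:\\\$SNAP_\w+\$')
    if (-not $m.Success) { throw "Mount failed:`n$out" }
    return $m.Value
}

function Start-SnapshotInstance([string]$MountPath, [int]$Port) {
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "No ntds.dit at $dit" }
    # This is a full copy of the directory database, password hashes included: keep the
    # listener on the DC, do not open the port on the firewall, and unmount when finished.
    $p = Start-Process -FilePath 'dsamain.exe' -ArgumentList "/dbpath `"$dit`" /ldapport $Port" -PassThru
    $deadline = (Get-Date).AddSeconds(90)
    while ((Get-Date) -lt $deadline) {
        $probe = Test-NetConnection -ComputerName 'localhost' -Port $Port -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) { return $p }
        Start-Sleep -Seconds 3
    }
    Stop-Process -Id $p.Id -Force
    throw "dsamain did not start listening on port $Port"
}

function Dismount-AdSnapshot([string]$Guid) {
    & ntdsutil.exe 'activate instance ntds' 'snapshot' "unmount $Guid" 'quit' 'quit' | Out-Null
}

# Task 1: snapshot. Task 2: the change. Tasks 3 and 4: mount, start, compare. Task 5: unmount.
$guid = New-AdSnapshot
Remove-ADUser -Identity 'adam.barr' -Confirm:$false   # the lab's deliberate "accident"
$mount   = Mount-AdSnapshot $guid
$dsamain = Start-SnapshotInstance -MountPath $mount -Port $LdapPort
try {
    # -Server accepts host:port, the same value you type into "Change Domain Controller".
    $before = Get-ADUser -Server "${Dc}:${LdapPort}" -LDAPFilter '(sAMAccountName=adam.barr)' `
                         -Properties memberOf, department
    $now    = Get-ADUser -Server $Dc -LDAPFilter '(sAMAccountName=adam.barr)'
    if ($before -and -not $now) {
        # Snapshots are read-only and nothing copies objects back; this is what you re-create by hand.
        Write-Host "In snapshot: $($before.DistinguishedName) (department $($before.department))"
        Write-Host "Groups at snapshot time: $($before.memberOf -join '; ')"
    }
} finally {
    Stop-Process -Id $dsamain.Id -Force        # the Ctrl+C of Task 5
    Dismount-AdSnapshot $guid
}
```

Unmounting leaves the shadow copy on disk; run ntdsutil's snapshot delete command with the same GUID when the snapshot is no longer needed, so that a copy of ntds.dit does not accumulate on the volume.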
Exercise 3: Configuring the Active Directory Recycle Bin
Scenario
As part of the disaster recovery plan for AD DS, you need to configure and test the Active Directory Recycle Bin to allow for object-level and container-level recovery.
The main tasks for this exercise are as follows:
1. Enable the Active Directory Recycle Bin.
2. Create and delete test users.
3. Restore the deleted users.
4. To prepare for the next module.
Task 1: Enable the Active Directory Recycle Bin
1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.
2. Enable the Recycle Bin.
3. Press F5 to refresh Active Directory Administrative Center.
Task 2: Create and delete test users
1. In Active Directory Administrative Center, create the following users in the Research OU. Give each a password of Pa$$w0rd:
o Test1
o Test2
2. Delete the Test1 and Test2 accounts.
Task 3: Restore the deleted users
1. In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum domain.
2. Restore Test1 to its original location.
3. Restore Test2 to the IT OU.
4. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
To prepare for the next module
• When you finish the lab, revert the virtual machines to their initial state.
Results: After completing this exercise, you will have configured the Active Directory Recycle Bin.
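The lesson's description of the two lifetimes, the functional-level requirement for enabling the Active Directory Recycle Bin, and the two restores in this exercise (Test1 to its original OU, Test2 to the IT OU) can all be done from the Active Directory module for Windows PowerShell. The script below is an added example, not part of the handbook or its lab files; it assumes the lab's forest adatum.com, its IT OU and the users Test1 and Test2.

```powershell
# Added example (not from the handbook): read the lifetimes discussed in the lesson, enable the
# Active Directory Recycle Bin, and restore Test1 in place and Test2 into the IT OU as Exercise 3 does.
# Assumed names: forest adatum.com and the lab's OUs and users.
Import-Module ActiveDirectory

function Get-AdRecycleBinState {
    # Both lifetimes live on the Directory Service object in the configuration partition.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDn -Properties 'msDS-deletedObjectLifetime', 'tombstoneLifetime'
    $recycledDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 180 }   # null: 180 days
    $deletedDays  = if ($ds.'msDS-deletedObjectLifetime') { $ds.'msDS-deletedObjectLifetime' } else { $recycledDays }
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    [pscustomobject]@{
        ForestMode                 = (Get-ADForest).ForestMode
        RecycleBinEnabled          = $feature.EnabledScopes.Count -gt 0
        DeletedObjectLifetimeDays  = $deletedDays      # restorable with the Recycle Bin during this period
        RecycledObjectLifetimeDays = $recycledDays     # then stripped, then garbage-collected
    }
}

function Enable-AdRecycleBin {
    $forest = Get-ADForest
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or higher is required"
    }
    # Irreversible. Existing tombstones become recycled objects and can no longer be reanimated.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName, [string] $TargetPath)
    # -IncludeDeletedObjects adds the Return Deleted Objects control; the newest match wins if the
    # same account was deleted more than once.
    $del = Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
               -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
           Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $del) {
        throw "No deleted object with sAMAccountName $SamAccountName; if its deleted object lifetime has expired it is a recycled object and only a backup can bring it back"
    }
    # If the original OU was deleted too, restore it first or pass -TargetPath; Restore-ADObject
    # refuses to put an object under a parent that does not exist.
    if ($TargetPath) { Restore-ADObject -Identity $del.ObjectGUID -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $del.ObjectGUID }
    Get-ADUser -Identity $del.ObjectGUID -Properties memberOf   # group memberships come back too
}

Get-AdRecycleBinState
Enable-AdRecycleBin
Restore-DeletedUser -SamAccountName 'Test1'                                       # original location
Restore-DeletedUser -SamAccountName 'Test2' -TargetPath 'OU=IT,DC=adatum,DC=com'  # alternate OU
```

Run Get-AdRecycleBinState before enabling the feature: it tells you both whether the forest qualifies and how long you will have to notice and undo an accidental deletion once the feature is on.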
Module Review and Takeaways
Best Practices for Administering AD DS
• Do not virtualize all domain controllers on the same hypervisor host or server.
• Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. They also will not allow you to recover objects by reverting to an older snapshot.
• Use RODCs when physical security makes a writable domain controller unfeasible.
• Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool
for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center
for performing large-scale tasks or those tasks that involve multiple objects. You also can use the
Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated
administrative tasks.
• Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be
invaluable in saving time when recovering accidentally deleted objects in AD DS.
Tools
Tool | Used for | Where to find it
Hyper-V Manager | Managing virtualized hosts on Windows Server 2012 | Server Manager - Tools
Active Directory module for Windows PowerShell | Managing AD DS through scripts and from the command line | Server Manager - Tools
Active Directory Users and Computers | Managing objects in AD DS | Server Manager - Tools
Active Directory Administrative Center | Managing objects in AD DS, enabling and managing the Active Directory Recycle Bin | Server Manager - Tools
Ntdsutil.exe | Managing AD DS snapshots | Command prompt
Dsamain.exe | Mounting AD DS snapshots for browsing | Command prompt
Module 4
Managing User and Service Accounts
Contents:
Module Overview 4-1
Lesson 1: Automating User Account Management 4-2
Lesson 2: Configuring Password-Policy and User-Account Lockout Settings 4-7
Lesson 3: Configuring Managed Service Accounts 4-14
Lab: Managing User and Service Accounts 4-20
Module Review and Takeaways 4-24
Module Overview
Managing user accounts in an enterprise environment can be a challenging task. You must ensure
that you configure the user accounts in your environment properly, and that you protect them from
unauthorized use and from users who abuse their account privileges. Using dedicated service accounts for
system services and background processes, as well as setting appropriate account policies, will help to
ensure that your Windows Server® 2012 environment gives users and applications the access they need to
function properly.
This module will help you to understand how to manage large groups of user accounts, explain the
different options available for providing adequate password security for accounts in your environment,
and show you how to configure accounts to provide authentication for system services and background
processes.
Objectives
After completing this module, you will be able to:
• Automate user account creation.
• Configure password-policy and account-lockout settings.
• Configure managed service accounts.
Lesson 1
Automating User Account Management
Active Directory® Users and Computers and the Active Directory Administrative Center provide graphical user interfaces (GUIs) for creating one or more user accounts. While the interface that these tools provide is easy to navigate, creating multiple users or performing modifications for multiple users can be cumbersome. Windows Server 2012 contains a number of tools that enable you to manage user accounts more efficiently in your Active Directory Domain Services (AD DS) domain. This lesson introduces tools that allow you to perform tasks such as changing user attributes for many users, searching for users, and importing and exporting users to and from external data sources or directories.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how to export users by using the Comma-Separated Values Data Exchange tool.
• Explain how to import users by using the Comma-Separated Values Data Exchange tool.
• Describe how to import user accounts by using the LDAP Data Interchange Format (LDIFDE) Internet
standard.
• Explain how to import user accounts by using Windows PowerShell®.
Demonstration: Exporting User Accounts with the Comma-Separated Values Data Exchange Tool
The Comma-Separated Values Data Exchange tool (csvde.exe) is a command-line tool that exports or imports AD DS objects to or from a comma-delimited text file, which also is known as a comma-separated value text file or .csv file. You can create, modify, and open comma-delimited files by using familiar tools such as Notepad and Microsoft Office Excel®. Additionally, you can use these files to export information from AD DS, for use in other areas of your organization, or you can use them to import information from other sources for use in creating or modifying your domain's AD DS objects.
The following is the basic syntax of the Comma-Separated Values Data Exchange tool command for
export:
csvde -f filename
However, this command will export all objects in your Active Directory domain. You will want to limit the
scope of the export, which you can do with the following four parameters:
• -d RootDN. Specifies the distinguished name of the container from which the export will begin. The default is the domain itself.
• -p SearchScope. Specifies the scope of the search relative to the container specified by -d. SearchScope can be either base (this object only), onelevel (objects within this container), or subtree (this container and all subcontainers). The default is subtree.
• -r Filter. Filters the objects returned within the scope configured by -d and -p. Filter is specified in
Lightweight Directory Access Protocol (LDAP) query syntax. You will work with a filter in the lab for
this lesson. The LDAP query syntax is beyond the scope of this course. For more information, see
http://go.microsoft.com/fwlink/?LinkId=168752.
• -l ListOfAttributes. Specifies the attributes that will be exported. Use the LDAP name for each attribute, separated by a comma, as in
-l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
The output of a Comma-Separated Values Data Exchange tool export lists the LDAP attribute names on the first line. Each object follows, one per line, and must contain exactly the attributes listed on the first line, as illustrated in the following example:
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
In this demonstration, you will see how to:
• Export user accounts with Comma-Separated Values Data Exchange tool.
Demonstration Steps
1. On LON-DC1, open a command prompt.
2. In the command prompt window, type the following command, and then press Enter:
csvde -f E:\Labfiles\Mod04\UsersNamedRex.csv -r "(name=Rex*)" -l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
3. Open E:\LABFILES\Mod04\UsersNamedRex.csv in Notepad.
4. Examine the file, and then close Notepad.
5. Close all open windows on LON-DC1.
Demonstration: Importing User Accounts with the Comma-Separated Values Data Exchange Tool
You also can use Comma-Separated Values Data Exchange tool to create user accounts by importing a
.csv file. If you have user information in existing Excel or Microsoft Office Access® databases, you will find
that Comma-Separated Values Data Exchange tool is a powerful way to take advantage of that
information to automate user account creation.
The following is the basic syntax of the Comma-Separated Values Data Exchange tool command for
import:
csvde -i -f filename -k
The ‑i parameter specifies import mode. Without this parameter, the default mode of the Comma-
Separated Values Data Exchange tool is export. The ‑f parameter identifies the file name to import from
or export to. The ‑k parameter is useful during import operations because it instructs the Comma-
Separated Values Data Exchange tool to ignore errors, including Object Already Exists.
The import file itself is a comma-delimited text file (.csv or .txt) in which the first line defines the imported attributes by their LDAP attribute names. Each object follows, one per line, and must contain exactly the attributes listed on the first line. For example, a sample file is as follows:
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=Employees,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
This file, when imported by the Comma-Separated Values Data Exchange tool command, will create user objects for David Jones and Lisa Andrews in the Employees organizational unit (OU). The file configures the user logon names, last name, and first name. You cannot use the Comma-Separated Values Data Exchange tool to import passwords. Without a password, the user account will be disabled initially. After you have reset the password, you can enable the object in AD DS.
In this demonstration, you will see how to:
• Import user accounts with the Comma-Separated Values Data Exchange tool.
Demonstration Steps
1. On LON-DC1, open E:\Labfiles\Mod04\NewUsers.csv with Notepad. Examine the information about the users listed in the file.
2. Open a command prompt, type the following command, and then press Enter:
csvde -i -f E:\Labfiles\Mod04\NewUsers.csv -k
3. From Server Manager, open Active Directory Users and Computers, and confirm that the users were created successfully.
4. Examine the accounts to confirm that first name, last name, user principal name, and pre-Windows® 2000 logon name are populated according to the instructions in NewUsers.csv.
5. Reset the passwords of the two accounts to Pa$$w0rd.
6. Enable the two accounts.
7. Close all open windows on LON-DC1.
Demonstration: Importing User Accounts with LDIFDE
You can also use LDIFDE.exe to import or export Active Directory objects, including users. LDAP Data Interchange Format (LDIF) is a standard file format that you can use to store information and perform batch operations against directories that conform to the LDAP standards. LDIF supports both import and export operations, and batch operations that modify objects in the directory. The LDIFDE command implements these batch operations by using LDIF files.
The LDIF file format consists of a block of lines, which together constitute a single operation. Multiple operations in a single file are separated by a blank line. Each line, comprising an operation, consists of an attribute name followed by a colon and the value of the attribute. For example, suppose you wanted to import user objects for two sales representatives named Bonnie Kearney and Bobby Moore. The contents of the LDIF file would look similar to the following example:
dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@contoso.com
mail: bonnie.kearney@contoso.com

dn: CN=Bobby Moore,OU=Employees,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bobby Moore
sn: Moore
title: Legal
description: Legal (New York)
givenName: Bobby
displayName: Moore, Bobby
company: Contoso, Ltd.
sAMAccountName: bobby.moore
userPrincipalName: bobby.moore@contoso.com
mail: bobby.moore@contoso.com
Each operation begins with the distinguished name (dn) attribute of the object that is the operation's target. The next line, changetype, specifies the type of operation: add, modify, or delete.
As you can see, the LDIF file format is not as intuitive or familiar as the comma-separated text format.
However, because the LDIF format also is a standard, many directory services and databases can export
LDIF files.
After creating or obtaining an LDIF file, you can perform the operations that the file specifies, by using
the LDIFDE command. From a command prompt, type ldifde /? for usage information. The two most
important switches for the LDIFDE command are:
• ‑i. Turns on import mode. Without this parameter, LDIFDE exports information.
• ‑f filename. The file from which to import, or to which to export.
In this demonstration, you will see how to:
• Import user accounts with LDIFDE.
Demonstration Steps
1. Open E:\Labfiles\Mod04\NewUsers.ldf with Notepad. Examine the information about the users that is listed in the file.
2. Open a command prompt, type the following command, and then press Enter:
ldifde -i -f E:\Labfiles\Mod04\NewUsers.ldf -k
3. Open Active Directory Users and Computers, and then confirm that the users were created successfully.
4. Examine the accounts to confirm that user properties are populated according to the instructions in NewUsers.ldf.
5. Reset the passwords of the two accounts to Pa$$w0rd.
6. Enable the two accounts.
7. Close all open windows on LON-DC1.
Question: What advantages does LDIFDE have over the Comma-Separated Values Data Exchange tool when managing user accounts in an AD DS environment?
Demonstration: Importing User Accounts with Windows PowerShell
The Active Directory module for Windows PowerShell also can utilize the contents of a .csv file to import objects into AD DS.
Two cmdlets are used to perform this task:
• Import-CSV. This cmdlet creates objects from .csv files that can then be piped into other Windows PowerShell cmdlets.
• New-ADUser. This cmdlet is used to create the objects that have been imported from the Import-CSV cmdlet.
In this demonstration, you will see how to:
• Import user accounts with Windows PowerShell.
Demonstration Steps
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers, and under
Adatum.com, create a new OU named Import Users.
2. Open E:\Labfiles\Mod04\ImportUsers.ps1 with Notepad. Examine the contents of the file.
3. Next to $impfile, change the path and file name of the .csv file to E:\Labfiles\Mod04\ImportUsers.csv, and
then save the file.
4. Open the Active Directory Module for Windows PowerShell.
5. Type the following commands, and then press Enter after each command. When prompted to change
the execution policy, press Enter to accept the default option of Y:
Set-ExecutionPolicy remotesigned
E:\Labfiles\Mod04\importusers.ps1
6. At the password prompt, type Pa$$w0rd.
7. Open Active Directory Users and Computers, and verify that the user accounts have been imported
into the Import Users OU.
8. Close all open windows on LON-DC1.
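The script below is an added example of the Import-CSV and New-ADUser pairing that the demonstration describes; it is not the course's ImportUsers.ps1 and was not written by the course authors. The CSV column names (FirstName, LastName, SamAccountName, Department), the OU path and the UPN suffix are assumptions for the Adatum lab domain. The initial password is prompted for once as a secure string rather than stored in the file, and rows whose account already exists are skipped so that a re-run does not abort half-way.

```powershell
# Added example (not the course's ImportUsers.ps1): bulk-create users from a .csv file
# with Import-Csv and New-ADUser. Column names, OU path and UPN suffix are assumptions.
Import-Module ActiveDirectory

$impfile   = 'E:\Labfiles\Mod04\ImportUsers.csv'   # path from the demonstration
$targetOU  = 'OU=Import Users,DC=Adatum,DC=com'    # OU created in step 1 (assumed DN)
$upnSuffix = 'adatum.com'                           # assumed UPN suffix

# Prompt once for the initial password instead of keeping it in the script or the .csv.
$initialPassword = Read-Host -Prompt 'Initial password for imported users' -AsSecureString

# Assumed .csv header (constructed for this example):
# FirstName,LastName,SamAccountName,Department
$users = Import-Csv -Path $impfile

foreach ($u in $users) {
    $name = "$($u.FirstName) $($u.LastName)"

    # Skip rows whose account already exists rather than failing the whole import.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "Skipping $($u.SamAccountName): account already exists"
        continue
    }

    # New-ADUser creates the object; the account is enabled but the user must
    # change the shared initial password at first logon.
    New-ADUser -Name $name `
        -GivenName $u.FirstName `
        -Surname $u.LastName `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$upnSuffix" `
        -Department $u.Department `
        -Path $targetOU `
        -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    Write-Output "Created $name in $targetOU"
}
```

Run it from the Active Directory Module for Windows PowerShell on LON-DC1 as in step 5; the execution-policy prompt applies to this script in the same way as to the course file.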
Lesson 2
Configuring Password-Policy and User-Account Lockout Settings
As an administrator, you must ensure that the user accounts in your environment conform to the security
settings established by your organization. Windows Server 2012 uses account policies to configure
security-related settings for user accounts. This lesson will help you to identify the settings available for
configuring account security and the methods available to configure those settings.
Lesson Objectives
After this lesson, you will be able to:
• Explain user-account policies.
• Explain how to configure user-account policies.
• Describe password settings objects.
• Explain how to configure Password Settings Objects.
Understanding User-Account Policies
Account policies in AD DS define the default settings for security-related attributes assigned
to user objects. In AD DS, account policies are separated into two different groups of settings:
password policy and account lockout. You can configure both groups of settings in the local
policy settings for an individual Windows Server 2012 server, or for the entire domain by using the
Group Policy Management Console (GPMC) in AD DS. When settings between local policy and
group policy conflict, group policy settings override local policy settings.
In Group Policy Management within AD DS, most policy settings can be applied at different levels
within the AD DS structure: domain, site, or OU. However, account policies can be applied only at one
level in AD DS—to the entire domain. Therefore, only one set of account policy settings can be applied to
an AD DS domain.
Password Policy
You define the password policy by using the following settings:
• Enforce password history. This is the number of unique, new passwords that must be associated with
a user account before an old password can be reused. The default setting is 24 previous passwords.
When you use this setting with the minimum password-age setting, the enforce password history
setting prevents constant reuse of the same password.
• Maximum password age. This is the number of days that a password can be used before the user
must change it. Regularly changing passwords helps to prevent the compromise of passwords.
However, you must balance this security consideration against the logistical considerations that result
from requiring users to change passwords too often. The default setting of 42 days is probably
appropriate for most organizations.
• Minimum password age. This is the number of days that a password must be used before the user can
change it. The default value is one day, which is appropriate if you also enforce password history. You
can restrict the constant use of the same password if you use this setting in conjunction with a short
setting to enforce password history.
• Minimum password length. This is the minimum number of characters that a user’s password must
contain. The default value is seven. This default is a widely used minimum, but you should consider
increasing the password length to at least 10 to enhance security.
• Complexity requirements. Windows Server includes a default password filter that is enabled by
default, and you should not disable it. The filter requires that a password have the following
characteristics:
o Does not contain your name or your user name
o Contains at least six characters
o Contains characters from three of the following four groups:
  Uppercase letters [A…Z]
  Lowercase letters [a…z]
  Numerals [0…9]
  Special, nonalphanumeric characters, such as !@#)(*&^%
Account Lockout Policy
You can define thresholds for account lockout, duration of the lockout, and a way to unlock accounts.
Thresholds for account lockout stipulate that accounts become inoperable after a certain number of failed
logon attempts during a certain amount of time. Account-lockout policies help detect and prevent brute
force attacks on account passwords. The following settings are available:
• Account lockout duration. Defines the number of minutes that a locked account remains locked.
After the specified number of minutes, the account is unlocked automatically. To specify that an
administrator must unlock the account, set the value to 0. Consider using fine-grained password
policies to require administrators to unlock high-security accounts, and then configuring this setting
to 30 minutes for normal users.
• Account lockout threshold. Determines the number of failed logon attempts that are allowed before
a user account is locked out. A value of 0 means that the account is never locked out. You should set
this value high enough to allow for users who mistype their password, but low enough to help ensure
that brute force attempts to guess the password fail. Common values for this setting range from three
to five.
• Reset account lockout counter after. Determines how many minutes must elapse after a failed logon
attempt before the bad logon counter is reset to 0. This setting applies when a user has typed in their
password incorrectly, but they have not exceeded the account lockout threshold. Consider setting this
value to 30 minutes.
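As an added example (not part of the course material), the following function reads the domain's current password and lockout policy with Get-ADDefaultDomainPasswordPolicy and checks each setting against the guidance given in this topic: 24 passwords of history, a maximum age of at most 42 days and a minimum age of at least one day, a minimum length of 10, complexity enabled, reversible encryption off, a lockout threshold of three to five, and a 30-minute lockout duration and observation window. The thresholds are taken from this lesson; the function name and output layout are my own.

```powershell
# Added example (not from the course): audit the domain account policy against the
# values recommended in this lesson. Needs the Active Directory module on a domain member.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # A MaxPasswordAge of 0 means passwords never expire, so it must be positive and <= 42 days.
    $maxAgeDays = $p.MaxPasswordAge.TotalDays
    # LockoutDuration 0 means an administrator must unlock; the lesson accepts that or 30 minutes.
    $lockMin = $p.LockoutDuration.TotalMinutes

    # One row per setting: observed value and whether it meets the lesson's guidance.
    $checks = @(
        [pscustomobject]@{ Setting = 'PasswordHistoryCount';        Value = $p.PasswordHistoryCount;      Pass = ($p.PasswordHistoryCount -ge 24) }
        [pscustomobject]@{ Setting = 'MaxPasswordAge (days)';       Value = $maxAgeDays;                  Pass = (($maxAgeDays -gt 0) -and ($maxAgeDays -le 42)) }
        [pscustomobject]@{ Setting = 'MinPasswordAge (days)';       Value = $p.MinPasswordAge.TotalDays;  Pass = ($p.MinPasswordAge.TotalDays -ge 1) }
        [pscustomobject]@{ Setting = 'MinPasswordLength';           Value = $p.MinPasswordLength;         Pass = ($p.MinPasswordLength -ge 10) }
        [pscustomobject]@{ Setting = 'ComplexityEnabled';           Value = $p.ComplexityEnabled;         Pass = [bool]$p.ComplexityEnabled }
        [pscustomobject]@{ Setting = 'ReversibleEncryptionEnabled'; Value = $p.ReversibleEncryptionEnabled; Pass = (-not $p.ReversibleEncryptionEnabled) }
        [pscustomobject]@{ Setting = 'LockoutThreshold';            Value = $p.LockoutThreshold;          Pass = (($p.LockoutThreshold -ge 3) -and ($p.LockoutThreshold -le 5)) }
        [pscustomobject]@{ Setting = 'LockoutDuration (min)';       Value = $lockMin;                     Pass = (($lockMin -eq 0) -or ($lockMin -ge 30)) }
        [pscustomobject]@{ Setting = 'LockoutObservationWindow (min)'; Value = $p.LockoutObservationWindow.TotalMinutes; Pass = ($p.LockoutObservationWindow.TotalMinutes -ge 30) }
    )
    return $checks
}

# Show the full table, then summarise anything that misses the guidance.
$result = Test-DomainAccountPolicy
$result | Format-Table -AutoSize
$failed = @($result | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) do not meet the lesson's guidance: {1}" -f $failed.Count, ($failed.Setting -join ', '))
}
```

Because account policies apply once per domain, this reads the effective Default Domain Policy values; users covered by a Password Settings Object (Lesson 2, later topics) are governed by that object instead.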
Kerberos Policy
The Kerberos Policy configuration options contain settings for the Kerberos version 5 protocol Ticket
Granting Ticket (TGT), and the session-ticket lifetimes and time-stamp settings. For most organizations,
the default settings are appropriate.
Configuring User Account Policies
There are several options available for configuring user-account policies when administering an
AD DS environment.
Local Policy Settings with Secpol.msc
Each individual Windows Server 2012 computer has its own set of account policies, which apply
to accounts created and managed on the local computer. To configure these policy settings,
open the Local Security Policy console by running secpol.msc from the command prompt. The
password-policy and account-policy settings can be located within the Local Security Policy
Console by expanding Security Settings, and then expanding Account Policies.
Group Policy with Group Policy Management
In the AD DS domain environment, domain-wide account policy settings are configured within the Group
Policy Management Console. The settings can be found in the Computer Configuration, by expanding
the Policies node, expanding the Windows Settings node, expanding the Security Settings
node, and then expanding the Account Policies node.
The settings found within the Account Policies node are the same settings found in the Local Security
Policy, with the addition of the Kerberos Policy settings that apply to domain authentication.
The Group Policy Account Policy settings exist in the template of every Group Policy Object (GPO) created
in the GPMC. However, you can apply an account policy only once in a domain and in only one GPO. This
is the Default Domain Policy, and it links to the root of the AD DS domain. As such, the Account Policy
settings in the Default Domain Policy apply to every computer that is joined to the domain.
Note: If settings conflict between the account policy settings in the Local Security Policy
and the account policy settings in the Default Domain Policy GPO, the Default Domain Policy
settings take precedence.
Question: Why would you use secpol.msc to configure local account policy settings for a
Windows Server 2012 computer instead of using domain-based Group Policy account-policy
settings?
What Are Password Settings Objects?
Starting with Windows Server 2008, administrators can define more than one password policy in a
single domain by implementing fine-grained password policies. These enable you to have more
granular control over user password requirements, and you can have different password
requirements for different users or groups.
To support the fine-grained password policy feature, AD DS in Windows Server 2008 and newer
versions includes two object types:
• Password Settings Container. Windows Server creates this container by default, and you can
view it in the domain’s System container. The container stores the Password Settings Objects that you
create and link to global security groups or to users.
• Password Settings Objects. Members of the Domain Admins group create Password Settings Objects,
and then define the specific password and account-lockout settings to be linked to a specific security
group or user.
Fine-grained password policies apply only to user objects (or to inetOrgPerson objects, if you use those
instead of user objects) and to global security groups. By linking a Password Settings Objects to a user
or a group, you’re modifying an attribute called msDS-PSOApplied, which is empty by default. This
approach now treats password and account-lockout settings not as domain-wide requirements, but as
attributes to a specific user or a group.
For example, to configure a strict password policy for administrative accounts, create a global security
group, add the administrative user accounts as members, and link a Password Settings Object to the
group. Applying fine-grained password policies to a group in this manner is more manageable than
applying the policies to each individual user account. If you create a new service account, you simply
add it to the group, and the account becomes managed by the Password Settings Object.
By default, only members of the Domain Admins group can set fine-grained password policies. However,
you also can delegate the ability to set these policies to other users.
Applying Fine-Grained Password Policies
You cannot apply a fine-grained password policy to an OU directly. To apply a fine-grained password
policy to users of an OU, you can use a shadow group. A shadow group is a global security group that
maps logically to an OU, and enforces a fine-grained password policy. You can add an OU’s users as
members of the newly created shadow group, and then apply the fine-grained password policy to this
shadow group. If you move a user from one OU to another, you must update the membership of the
corresponding shadow groups.
The settings managed by fine-grained password policy are identical to those in the Password Policy and
Accounts Policy nodes of a GPO. However, fine-grained password policies are neither implemented as
part of Group Policy nor are they applied as part of a GPO. Instead, there is a separate class of object in
Active Directory that maintains the settings for fine-grained password policy—the PSO.
You can create one or more PSOs in your domain. Each contains a complete set of password and lockout
policy settings. A Password Settings Object is applied by linking the Password Settings Object to one or
more global security groups or users.
To use a fine-grained password policy, your domain functional level must be at least Windows Server
2008, which means that all of your domain controllers in the domain are running at least Windows
Server 2008, and the domain functional level has been raised to at least Windows Server 2008.
To confirm and modify the domain functional level:
1. Open Active Directory Domains and Trusts.
2. In the console tree, expand Active Directory Domains and Trusts, and then expand the tree until
you can see the domain.
3. Right-click the domain, and then click Raise domain functional level.
Configuring Password Settings Objects
You can create and apply Password Settings Objects in the Windows Server 2012 environment
by using either of the following tools:
• Active Directory Administrative Center
• Windows PowerShell
Configuring Password Settings Objects By Using Windows PowerShell
In Windows Server 2012, new Windows PowerShell cmdlets in the Active Directory module for
Windows PowerShell can be used to create and manage Password Settings Objects in your domain.
• New-ADFineGrainedPasswordPolicy
This cmdlet is used to create a new Password Settings Object, and define the Password Settings
Object parameters. For example, the following command creates a new Password Settings Object
named TestPswd, and then specifies its settings:
New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
• Add-ADFineGrainedPasswordPolicySubject
This cmdlet enables you to link a user or group to an existing Password Settings Object. For example,
the following command links the TestPswd Password Settings Object to the AD DS group named
Marketing:
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects Marketing
Configuring Password Settings Objects By Using Active Directory Administrative Center
The Active Directory Administrative Center provides a GUI for creating and managing Password Settings
Objects. To manage Password Settings Objects in Active Directory Administrative Center, follow these
steps:
1. Open Active Directory Administrative Center.
2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add
Navigation Node dialog box, and then click OK.
3. In the Active Directory Administrative Center navigation pane, open the System container, and then
click Password Settings Container.
4. In the Tasks pane, click New, and then click Password Settings.
5. Fill in or edit fields inside the property page to create a new Password Settings object.
6. Under Directly Applies To, click Add, type Marketing, and then click OK.
7. This associates the Password Policy object with the members of the global group that you created
for the test environment.
8. Click OK to submit the creation of the Password Settings Object.
Note: The Active Directory Administrative Center interface for Password Settings Object
management uses the Windows PowerShell cmdlets mentioned previously to carry out the
creation and management of Password Settings Objects.
Considerations for Configuring Password Settings Objects
It is possible for you to link more than one Password Settings Object to a user or a security group.
You might do this if a user is a member of multiple security groups, which might each have an assigned
Password Settings Object already, or if you assign multiple Password Settings Objects directly to a user
object. In either case, it is important to understand that you can apply only one Password Settings Object
as the effective password policy.
If you assign multiple Password Settings Objects to a user or a group, the
msDS-PasswordSettingsPrecedence attribute helps to determine the resultant Password Settings
Object. A Password Settings Object with a lower value takes precedence over a Password Settings Object
with a higher value.
The following process describes how AD DS determines the resultant Password Settings Object if you link
multiple Password Settings Objects to a user or a group:
1. Any Password Settings Object that you link directly to a user object is the resultant Password Settings
Object. If you link multiple Password Settings Objects directly to the user object, the Password
Settings Object with the lowest msDS-PasswordSettingsPrecedence value is the resultant Password
Settings Object. If two Password Settings Objects have the same precedence, the Password Settings
Object with the mathematically smallest objectGUID is the resultant PSO.
2. If you do not link any Password Settings Objects directly to the user object, AD DS compares the
Password Settings Objects for all global security groups that contain the user object. The Password
Settings Object with the lowest msDS-PasswordSettingsPrecedence value is the resultant Password
Settings Object. If you apply multiple Password Settings Objects to the same user, and they have the
same msDS-PasswordSettingsPrecedence value, AD DS applies the Password Settings Object with the
mathematically smallest globally unique identifier (GUID).
3. If you do not link any Password Settings Objects to the user object, either directly or indirectly
(through group membership), AD DS applies the Default Domain Policy.
All user objects contain a new attribute called msDS-ResultantPSO. You can use this attribute to help
determine the distinguished name of the Password Settings Object that AD DS applies to the user object.
If you do not link a Password Settings Object to the user object, this attribute does not contain any value
and the Default Domain Policy GPO contains the effective password policy.
To view the effect of a policy that AD DS is applying to a user, open Active Directory Users and
Computers, and then, on the View menu, ensure that Advanced Features is enabled. Then open the
properties of a user account. You can view the msDS-ResultantPSO attribute on the Attribute Editor
tab, if the Show Constructed Attributes option has been configured under the Filter options.
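As an added example that is not part of the course, the following code applies the three-step resolution process described above to a user (direct links first, then global security groups, then the Default Domain Policy; lowest msDS-PasswordSettingsPrecedence wins, ties broken by the smallest objectGUID) and compares its answer with the msDS-ResultantPSO value that AD DS itself reports through Get-ADUserResultantPasswordPolicy. This is useful when a user is not getting the policy you expect. The function names and the lab user name are assumptions; nested group membership is resolved with the LDAP_MATCHING_RULE_IN_CHAIN filter, and .NET Guid ordering stands in for "mathematically smallest", which is an approximation noted in the code.

```powershell
# Added example (not from the course): resolve the effective Password Settings Object for a
# user by the precedence rules in this topic, then compare with what AD DS reports.
Import-Module ActiveDirectory

function Resolve-ExpectedPSO {
    param([Parameter(Mandatory)][string]$Identity)

    $user   = Get-ADUser -Identity $Identity
    $userDN = $user.DistinguishedName

    # All PSOs in the domain; AppliesTo holds the DNs of linked users and groups.
    $allPSOs = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo, Precedence

    # Groups containing the user, including nested membership (LDAP_MATCHING_RULE_IN_CHAIN).
    # Only global security groups are valid PSO subjects, so keep just those.
    $groupDNs = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDN)" |
        Where-Object { $_.GroupScope -eq 'Global' -and $_.GroupCategory -eq 'Security' } |
        Select-Object -ExpandProperty DistinguishedName)

    # Rule 1: PSOs linked directly to the user win over anything inherited from groups.
    $candidates = @($allPSOs | Where-Object { $_.AppliesTo -contains $userDN })

    # Rule 2: otherwise consider PSOs linked to any global security group the user is in.
    if ($candidates.Count -eq 0) {
        $candidates = @($allPSOs | Where-Object {
            $pso = $_
            @($groupDNs | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
        })
    }

    # Rule 3: no PSO at all means the Default Domain Policy applies.
    if ($candidates.Count -eq 0) { return $null }

    # Lowest msDS-PasswordSettingsPrecedence wins; ties are broken by the smallest objectGUID.
    # Assumption: .NET Guid ordering approximates "mathematically smallest" here.
    return $candidates | Sort-Object Precedence, ObjectGUID | Select-Object -First 1
}

function Compare-ResultantPSO {
    param([Parameter(Mandatory)][string]$Identity)

    $expected = Resolve-ExpectedPSO -Identity $Identity
    # Get-ADUserResultantPasswordPolicy reads the constructed msDS-ResultantPSO attribute.
    $reported = Get-ADUserResultantPasswordPolicy -Identity $Identity

    [pscustomobject]@{
        User     = $Identity
        Expected = if ($expected) { $expected.Name } else { 'Default Domain Policy' }
        Reported = if ($reported) { $reported.Name } else { 'Default Domain Policy' }
        Match    = ($expected.DistinguishedName -eq $reported.DistinguishedName)
    }
}

# Usage with an assumed lab account name:
Compare-ResultantPSO -Identity 'Adam'
```

A Match value of False usually points at a PSO linked to a group of the wrong scope or category, or at a shadow group whose membership was not updated after a user moved between OUs.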
Lesson 3
Configuring Managed Service Accounts
Creating user accounts to provide authentication for applications, system services, and background
processes is a common practice in the Windows environment. Historically, accounts were created, and
often named, for use by a specific service. Windows Server 2012 supports AD DS account-like objects
called managed service accounts that make service accounts easier to manage and less of a security risk
to your environment.
This lesson will introduce you to managed service accounts, and new functionality related to managed
service accounts in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify the challenges of using standard user accounts for services.
• Describe managed service accounts.
• Explain how to configure managed service accounts.
• Describe group-managed service accounts.
What Are The Challenges Of Using Standard User Accounts For Services?
Many applications such as Microsoft SQL Server® or Internet Information Services (IIS) contain
services that are installed on the server that hosts the application. These services typically run at
server startup or are triggered by other events. Services often run in the background and do not
require any user interaction.
For a service to start up and authenticate, a service account is used. A service account may be
an account that is local to the computer, such as the built-in Local Service, Network Service, or
Local System accounts. You also can configure a service account to use a domain-based account
located in AD DS.
To help centralize administration and to meet application requirements, many organizations choose to
use a domain-based account to run application services. This does provide some benefit over using a local
account. However, there are a number of associated challenges, such as the following:
• Extra administration effort may be necessary to manage the service account password securely. This
includes tasks such as changing the password and resolving situations that cause an account lockout.
Service accounts also typically are configured to have passwords that do not expire, which may go
against your organization’s security policies.
• It can be difficult to determine where a domain-based account is being used as a service account.
A standard user account may be used for multiple services on various servers throughout the
environment. A simple task, such as changing the password, may cause authentication issues for some
applications. It is important to know where and how a standard user account is being used when it is
associated with an application service.
• Extra administration effort may be necessary to manage the service principal name (SPN). Using a
standard user account may require manual administration of the SPN. If the logon account of the
service changes, the computer name is changed, or a Domain Name System (DNS) host name
property is modified, the SPN registrations may need to be manually modified to reflect the change.
A misconfigured SPN causes authentication problems with the application service.
Windows Server 2012 supports an AD DS object used to ease service-account management, called a
managed service account. The following topics provide information on the requirements and use of
managed service accounts in Windows Server 2012.
What Is A Managed Service Account?
A Managed Service Account is an AD DS object class that enables simplified password and SPN
management for service accounts.
Many network-based applications use an account to run services or provide authentication. For
example, an application on a local computer might use the Local Service, Network Service, or
Local System accounts. These service accounts may work fine. However, these typically are shared
among multiple applications and services, making it difficult to manage for a specific application.
Furthermore, you cannot manage these local service accounts at the domain level.
Alternatively, it is quite common that an application might use a standard domain account that is
configured specifically for the application. However, the main drawback is that you need to manage
passwords manually, which increases administration effort.
A managed service account can provide an application with its own unique account, while eliminating the
need for an administrator to administer the account’s credentials manually.
How a Managed Service Account Works
Managed Service Accounts are stored in AD DS as msDS-ManagedServiceAccount objects. This class
inherits structural aspects from the Computer class (which inherits from the User class). This enables a
Managed Service Account to fulfill User-like functions such as providing authentication and security
context for a running service. It also enables a Managed Service Account to use the same password
update mechanism used by Computer objects in AD DS, a process that requires no user intervention.
Managed service accounts provide the following benefits to simplify administration:
• Automatic password management. A managed service account automatically maintains its own
password, including password changes.
• Simplified SPN management. SPNs can be managed automatically if your domain is
configured at the Windows Server 2008 R2 domain functional level or higher.
Managed Service Accounts are stored in the CN=Managed Service Accounts, DC=<domain>,
DC=<com> container. You can see this by enabling the Advanced Features option in the View menu
within Active Directory Users and Computers. This container is visible by default in the Active Directory
Administrative Center.
Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application must be running
Windows Server 2008 R2 or Windows Server 2012. You also must ensure that .NET Framework 3.5.x and
the Active Directory module for Windows PowerShell are both installed on the server.
Note: A standard managed service account cannot be shared between multiple computers
or be used in server clusters where the service is replicated between nodes.
To simplify and provide full automatic password and SPN management, we strongly recommend that
the AD DS domain be at the Windows Server 2008 R2 functional level or higher. However, if you have a
domain controller running Windows Server 2008 or Windows Server 2003, you can update the Active
Directory schema to Windows Server 2008 R2 to support this feature. The only disadvantage is that the
domain administrator must configure SPN data manually for the managed service accounts.
To update the schema in Windows Server 2008, Windows Server 2003, or mixed-mode environments, you
must perform the following tasks:
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.
2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active
Directory Management Gateway Service, or Windows Server 2003 with the Active Directory
Management Gateway Service.
Note: The Active Directory Management Gateway Service allows administrators with
domain controllers running Windows Server 2003 or Windows Server 2008 to use Windows
PowerShell cmdlets to manage managed service accounts.
Considerations for Managed Service Accounts on Windows Server 2012 Domain Controllers
On Windows Server 2012, Managed Service Accounts are created as the new group Managed Service Account
object type by default. However, to accommodate this, you must fulfill one of the requirements for
group Managed Service Accounts before you can create any Managed Service Account on a Windows
Server 2012 domain controller.
On a Windows Server 2012 domain controller, a Key Distribution Services root key must be created for the
domain before any Managed Service Accounts can be created. To create the root key, run the following
cmdlet from the Active Directory module for Windows PowerShell:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
More information on group Managed Service Accounts, including further explanation of the cmdlet
above, and creating a Key Distribution Services (KDS) root key can be found later in this lesson.
Demonstration: Configuring Managed Service Accounts by Using Windows PowerShell
Creating and configuring a Managed Service Account requires the use of four cmdlets from the Active
Directory Module for Windows PowerShell:
• Add-KDSRootKey creates the KDS root key to support group Managed Service Accounts, a
requirement on Windows Server 2012 DCs:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
• New-ADServiceAccount creates the Managed Service Account within AD DS:
New-ADServiceAccount -Name <MSA Name> -DNSHostName <DC DNS Name>
• Add-ADComputerServiceAccount associates the Managed Service Account with a computer account
in the AD DS domain:
Add-ADComputerServiceAccount -Identity <Host Computer Name> -ServiceAccount <MSA Name>
• Install-ADServiceAccount installs the Managed Service Account on a host computer in the domain,
and makes the Managed Service Account available for use by services on the host computer:
Install-ADServiceAccount -Identity <MSA Name>
In this demonstration, you will see how to:
• Create the KDS root key for the domain.
• Create and associate a managed service account.
Demonstration Steps
Create the Key Distribution Services (KDS) root key for the domain
1. On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell
console.
2. Use the Add-KDSRootKey cmdlet to create the domain KDS root key.
Create and associate a managed service account
1. On LON-DC1, open the Active Directory Module for Windows PowerShell console.
2. Use the New-ADServiceAccount cmdlet to create a Managed Service Account.
3. Use the Add-ADComputerServiceAccount cmdlet to associate the Managed Service Account with
LON-SVR1.
4. Use the Get-ADServiceAccount cmdlet to view the newly created Managed Service Account and
confirm proper configuration.
Install a managed service account
1. On LON-SVR1, open the Active Directory Module for Windows PowerShell console.
2. Use the Install-ADServiceAccount cmdlet to install the Managed Service Account on LON-SVR1.
3. Open Server Manager, and start the Services console.
4. Open the Properties pages for the Application Identity service, and then select the Log On tab.
5. Configure the Application Identity service to use Adatum\SampleApp_SVR1$.
What Are Group Managed Service Accounts?
Group Managed Service Accounts enable you to extend the capabilities of Standard Managed
Service Accounts to more than one server in your domain. In server farm scenarios such as network
load balancing (NLB) clusters or IIS servers, there often is a need to run system or application
services under the same service account. Standard Managed Service Accounts cannot provide
managed service account functionality to services that are running on more than one server. By
using Group Managed Service Accounts, you can configure multiple servers to use the same
Managed Service Account, and still retain the benefits that Managed Service Accounts provide, like
automatic password maintenance and simplified SPN management.
Group Managed Service Account Requirements
In order to support group Managed Service Account functionality, your environment must meet the
following requirements:
• At least one domain controller must be running Windows Server 2012 to store managed password
information.
• A KDS root key must be created on a domain controller in the domain.
To create the KDS root key, run the following command from the Active Directory Module for
Windows PowerShell on a Windows Server 2012 domain controller:
Add-KdsRootKey -EffectiveImmediately
Note: The -EffectiveImmediately switch uses the current time to establish the timestamp
that marks the key as valid. However, when using -EffectiveImmediately, the actual effective
time is set to 10 hours later than the current time. This 10-hour difference is to allow for AD DS
replication to replicate the changes to other domain controllers in the domain. For testing
purposes, it is possible to bypass this functionality by setting the -EffectiveTime parameter to
10 hours before the current time:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Understanding Group Managed Service Account Functionality
Group Managed Service Accounts enable Managed Service Account functionality across multiple servers
by delegating the management of Managed Service Account password information to Windows Server 2012
domain controllers. By doing this, the management of passwords is no longer dependent on the
relationship between a single server and AD DS, but rather controlled entirely by AD DS.
The group Managed Service Account object contains a list of principals (computers or AD DS groups) that
are allowed to retrieve group Managed Service Account password information from AD DS, and then use
the group Managed Service Account for authentication for services.
Group Managed Service Accounts are created by using the same cmdlets from the Active Directory
Module for Windows PowerShell that manage standard Managed Service Accounts. In Windows Server 2012,
New-ADServiceAccount creates a group Managed Service Account by default; to create a standalone
Managed Service Account instead, specify the -RestrictToSingleComputer parameter.
On a Windows Server 2012 domain controller, create a new group Managed Service Account by using the
New-ADServiceAccount cmdlet with the -PrincipalsAllowedToRetrieveManagedPassword parameter. This
parameter accepts one or more comma-separated computer accounts or AD DS groups that are permitted to
obtain the password for the group Managed Service Account from AD DS on Windows Server 2012 domain
controllers. The -DNSHostName parameter is also required when you create a group Managed Service Account.
For example, the following cmdlet creates a new group Managed Service Account called LondonSQLFarm and
enables the LON-SQL1, LON-SQL2, and LON-SQL3 hosts to use it. Computer accounts are specified by their
sAMAccountName, which ends in $; the DNS host name shown assumes the adatum.com domain:
New-ADServiceAccount -Name LondonSQLFarm -DNSHostName LondonSQLFarm.adatum.com -PrincipalsAllowedToRetrieveManagedPassword 'LON-SQL1$','LON-SQL2$','LON-SQL3$'
Once a computer account has been listed in -PrincipalsAllowedToRetrieveManagedPassword and the account
has been installed on that computer with Install-ADServiceAccount, the group Managed Service Account can
be assigned to services by using the same assignment process as standard Managed Service Accounts.
Using AD DS Groups to Manage Group Managed Service Account Server Farms
AD DS security groups can be used to identify the computers that are permitted to use a group Managed
Service Account. When you specify an AD DS group for the -PrincipalsAllowedToRetrieveManagedPassword
parameter, any computer that is a member of that group is allowed to retrieve the password and use the
group Managed Service Account, so adding a server to the farm becomes a group-membership change rather
than a change to the service account. Be aware that the right to retrieve the password extends to every
member of the group, including nested groups and any user accounts that are added to it. Whoever can
retrieve a managed password can authenticate as the service account, so control and audit the membership
of such groups as carefully as you would protect the service account's password itself.
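The farm scenario described in this lesson, worked through end to end as an added example (this is not code from the course or from Microsoft). It creates the KDS root key if needed, builds a global security group of farm hosts, creates the group Managed Service Account with that group as the allowed principal, and then audits every principal that can retrieve the managed password. The domain name adatum.com, the group name SQLFarmHosts, and the host names LON-SQL1 through LON-SQL3 are assumptions for the example.

```powershell
# Added example (not from the course): a gMSA for a server farm whose membership is an AD DS group,
# followed by an audit of every principal that can retrieve the managed password.
# Assumptions (not in the course text): domain adatum.com, group SQLFarmHosts, hosts LON-SQL1..LON-SQL3.
Import-Module ActiveDirectory

# 1. One KDS root key per forest. Without it, New-ADServiceAccount fails with a key-related error.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately          # usable about 10 hours later, after replication
    # Lab only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. The farm is a global security group of computer accounts. Membership of this group is the
#    access control for the password, so treat it like a privileged group.
$farmGroup = 'SQLFarmHosts'
if (-not (Get-ADGroup -Filter "Name -eq '$farmGroup'")) {
    New-ADGroup -Name $farmGroup -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the LondonSQLFarm gMSA password'
}
$members = 'LON-SQL1', 'LON-SQL2', 'LON-SQL3' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $farmGroup -Members $members

# 3. Create the gMSA with the group (not individual hosts) as the allowed principal.
#    -DNSHostName is required for a gMSA. The password interval (default 30 days) can only be set at creation.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'LondonSQLFarm'")) {
    New-ADServiceAccount -Name LondonSQLFarm `
        -DNSHostName 'LondonSQLFarm.adatum.com' `
        -PrincipalsAllowedToRetrieveManagedPassword $farmGroup `
        -ManagedPasswordIntervalInDays 30
}

# 4. Audit: resolve PrincipalsAllowedToRetrieveManagedPassword, expand groups recursively, and flag
#    anything that is not a computer account. Every object returned here can authenticate as the service.
function Get-GmsaPasswordRetrievers {
    param([Parameter(Mandatory)][string]$Name)
    $gmsa = Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $dn -Properties objectClass
        if ($principal.objectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive    # nested members inherit the right
        } else {
            $principal
        }
    }
}

$retrievers = Get-GmsaPasswordRetrievers -Name LondonSQLFarm
$retrievers | Select-Object Name, objectClass | Format-Table -AutoSize
$retrievers | Where-Object { $_.objectClass -ne 'computer' } | ForEach-Object {
    Write-Warning "Non-computer principal can retrieve the LondonSQLFarm password: $($_.Name) ($($_.objectClass))"
}

# Adding a fourth host later is a group-membership change, not a change to the service account:
# Add-ADGroupMember -Identity $farmGroup -Members (Get-ADComputer -Identity LON-SQL4)
```

Run the audit function periodically, or after any change to the farm group; a user account or an unexpected nested group in its output means that principal can obtain the service's credentials.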
Lab: Managing User and Service Accounts
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT
office and data center is located in London to support the London office and other locations. A. Datum
has recently deployed a Windows Server 2012 server and client infrastructure, and needs to implement
changes to how user accounts are managed in the environment.
Objectives
After completing this lab, you will be able to:
• Configure password-policy and account-lockout settings.
• Create and associate a Managed Service Account.
Lab Setup
Estimated Time: 45 minutes
Virtual Machine 20411B-LON-DC1
User Name Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
Exercise 1: Configuring Password-Policy and Account-Lockout Settings
Scenario
A. Datum has recently completed a security review for passwords and account-lockout policies. You
need to implement the recommendations contained in the report to control password complexity and
length. You also need to configure appropriate account-lockout settings. Part of your password policy
configuration will include a specific password policy to be assigned to the Managers security group. This
group requires a different password policy than what has been applied at the domain level.
The report has recommended that the following password settings should be applied to all accounts in
the domain:
• Password history: 20 passwords
• Maximum password age: 45 days
• Minimum password age: 1 day
• Password length: 10 characters
• Complexity enabled: Yes
• Account Lockout duration: 30 minutes
• Account lockout threshold: 5 attempts
• Reset account lockout counter after: 15 minutes
The report has also recommended that a separate policy be applied to users in the Managers group, due
to the elevated privileges assigned to those user accounts. The policy applied to the Managers group
should contain the following settings:
• Password history: 20 passwords
• Maximum password age: 20 days
• Minimum password age: 1 day
• Password length: 15 characters
• Complexity enabled: Yes
• Account Lockout duration: 0 minutes (An administrator will have to unlock the account)
• Account lockout threshold: 3 attempts
• Reset account lockout counter after: 30 minutes
The main tasks for this exercise are as follows:
1. Configure a domain-based password policy.
2. Configure an account-lockout policy.
3. Configure and apply a fine-grained password policy.
Task 1: Configure a domain-based password policy
1. On LON-DC1, open the Group Policy Management console.
2. Edit the Default Domain Policy, and configure the following Account Password Policy settings:
o Password history: 20 passwords
o Maximum password age: 45 days
o Minimum password age: 1 day
o Password length: 10 characters
o Complexity enabled: Yes
Task 2: Configure an account-lockout policy
1. In the Group Policy Management Editor, configure the following Account Lockout Policy settings for
the Default Domain Policy:
o Account Lockout duration: 30 minutes
o Account lockout threshold: 5 attempts
o Reset account lockout counter after: 15 minutes
2. Close Group Policy Management Editor.
3. Close Group Policy Management.
Task 3: Configure and apply a fine-grained password policy
1. On LON-DC1, open the Active Directory Administrative Center console.
2. Change the group scope for the Managers group to Global. A Password Settings Object can be applied
only to user accounts and to global security groups.
Note: Ensure you open the Properties page for the Managers group, and not the Managers OU.
3. In Active Directory Administrative Center, configure a fine-grained password policy for the
Adatum\Managers group with the following settings:
o Name: ManagersPSO
o Precedence: 10
o Password length: 15 characters
o Password history: 20 passwords
o Complexity enabled: Yes
o Minimum password age: 1 day
o Maximum password age: 30 days
o Number of failed logon attempts allowed: 3 attempts
o Reset failed logon attempts count after: 30 minutes
o Until an administrator manually unlocks the account: selected
4. Close Active Directory Administrative Center.
Results: After completing this exercise, you will have configured password-policy and account-lockout
settings.
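The same exercise carried out from the Active Directory Module for Windows PowerShell, as an added example that is not part of the lab text. It applies the domain-wide password and lockout settings, converts the Managers group to global scope, creates and applies the ManagersPSO Password Settings Object, and then checks which policy a member of Managers actually receives. The domain name adatum.com and the user account Ed (assumed to be a member of Managers) are assumptions for the example.

```powershell
# Added example (not part of the lab): Exercise 1 performed with the ActiveDirectory module, followed by
# a check of the resultant password policy for a member of Managers.
# Assumptions (not in the lab text): domain adatum.com; a user "Ed" who is a member of Managers.
Import-Module ActiveDirectory

# Tasks 1 and 2: domain-wide password and lockout settings. This cmdlet edits the domain head's policy
# attributes, which is where the Default Domain Policy GPO's account-policy settings take effect.
Set-ADDefaultDomainPasswordPolicy -Identity adatum.com `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Task 3: a PSO can be applied only to users and global security groups, so fix the scope first.
Set-ADGroup -Identity Managers -GroupScope Global

# Lower precedence wins if several PSOs apply to one user.
New-ADFineGrainedPasswordPolicy -Name ManagersPSO -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 20 `
    -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# "Until an administrator manually unlocks the account" has no TimeSpan form. AD DS stores an indefinite
# lockout as the large-integer sentinel 0x8000000000000000 (Int64.MinValue) in msDS-LockoutDuration,
# the same convention the domain's lockoutDuration attribute uses, so write the attribute directly.
Set-ADFineGrainedPasswordPolicy -Identity ManagersPSO -Replace @{ 'msDS-LockoutDuration' = [int64]::MinValue }

Add-ADFineGrainedPasswordPolicySubject -Identity ManagersPSO -Subjects Managers

# Verification: the resultant PSO for a user, or the domain policy when no PSO applies to that user.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}
Get-EffectivePasswordPolicy -SamAccountName Ed |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration
```

Get-ADUserResultantPasswordPolicy is the check worth keeping after the lab: it reports the PSO that actually governs a given user, which is the only reliable way to confirm that a group-based PSO reached the intended accounts and that no other PSO with a lower precedence value is overriding it.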
Exercise 2: Creating and Associating a Managed Service Account
Scenario
You need to configure a managed service account to support a new Web-based application that is being
deployed to the DefaultAppPool Web service on LON-DC1. Using a managed service account will help
maintain the password security requirements for the account.
The main tasks for this exercise are as follows:
1. Create and associate a Managed Service Account.
2. Install a managed service account on LON-DC1.
3. Prepare for the next module.
Task 1: Create and associate a Managed Service Account
1. On LON-DC1, open the Active Directory Module for Windows PowerShell console.
2. Create the KDS root key by using the Add-KdsRootKey cmdlet. Set the effective time to 10 hours
before the current time so that the key can be used immediately. This shortcut is acceptable only in a
lab with a single domain controller; in production, use -EffectiveImmediately and allow replication to
complete.
3. Create the new service account named Webservice for the host LON-DC1.
4. Associate the Webservice managed account with LON-DC1.
5. Verify that the group managed service account was created by using the Get-ADServiceAccount cmdlet.
Task 2: Install a managed service account on LON-DC1
1. On LON-DC1, install the Webservice service account.
2. From the Tools menu in Server Manager, open Internet Information Services (IIS) Manager.
3. Configure the DefaultAppPool to use the Webservice$ account as the identity.
4. Stop and start the application pool.
To prepare for the next module
• When you have finished the lab, revert the virtual machines to their initial state.
Results: After completing this exercise, you will have created and associated a Managed Service Account.
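Exercise 2 carried out entirely from PowerShell on LON-DC1, as an added example that is not part of the lab text. It covers the KDS root key, the Webservice group Managed Service Account restricted to LON-DC1, the local installation and the Test-ADServiceAccount check, and the DefaultAppPool identity change that the lab performs in IIS Manager. The domain name adatum.com and the presence of the WebAdministration module (installed with IIS) are assumptions for the example.

```powershell
# Added example (not part of the lab text): Exercise 2 performed from PowerShell on LON-DC1.
# Assumptions (not in the lab text): domain adatum.com; IIS and its WebAdministration module are installed.
Import-Module ActiveDirectory

# Task 1, step 2: KDS root key, back-dated 10 hours so it is usable at once (single-DC lab only).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Task 1, steps 3 and 4: create the gMSA and allow only the LON-DC1 computer account to retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'Webservice'")) {
    New-ADServiceAccount -Name Webservice -DNSHostName 'Webservice.adatum.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$'
}

# Task 1, step 5: verify the object and its allowed principals.
Get-ADServiceAccount -Identity Webservice -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# Task 2, step 1: install the account on this host, then prove the host can actually fetch the password.
# Test-ADServiceAccount returns $false when this computer is not an allowed principal or the KDS key
# has not reached the domain controller it is talking to.
Install-ADServiceAccount -Identity Webservice
if (-not (Test-ADServiceAccount -Identity Webservice)) {
    throw 'LON-DC1 cannot retrieve the Webservice gMSA password; check PrincipalsAllowedToRetrieveManagedPassword and KDS root key replication.'
}

# Task 2, steps 3 and 4: run DefaultAppPool as ADATUM\Webservice$. The password is left empty because
# IIS retrieves the managed password from AD DS; identityType 3 is SpecificUser.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel -Value @{
    identityType = 3
    userName     = 'ADATUM\Webservice$'
    password     = ''
}
Restart-WebAppPool -Name DefaultAppPool
Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel.userName
```

If the application pool stops immediately after the restart, the usual cause is that Test-ADServiceAccount would also have failed: the host is not listed as an allowed principal, or the account was never installed locally. Fix the principal list with Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword rather than falling back to a password-based service account.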
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
• User accounts contained in a .csv file fail to import when using the Comma-Separated Values Data
Exchange tool.
• User password settings are not applying as expected.
• The New-ADServiceAccount cmdlet fails with key-related messages.
Tools
Tool: Comma-Separated Values Data Exchange tool
What it is used for: Importing and exporting users by using .csv files
Where to find it: Command prompt: csvde.exe
Tool: LDIFDE
What it is used for: Importing, exporting, and modifying users by using .ldf files
Where to find it: Command prompt: ldifde.exe
Tool: Local Security Policy
What it is used for: Configuring local account-policy settings
Where to find it: Secpol.msc
Tool: Group Policy Management console
What it is used for: Configuring domain Group Policy account-policy settings
Where to find it: Server Manager - Tools
Tool: Active Directory Administrative Center
What it is used for: Creating and managing Password Settings Objects
Where to find it: Server Manager - Tools
Tool: Active Directory module for Windows PowerShell
What it is used for: Creating and managing Managed Service Accounts
Where to find it: Server Manager - Tools
Module 5
Implementing a Group Policy Infrastructure
Contents:
Module Overview 5-1
Lesson 1: Introducing Group Policy 5-2
Lesson 2: Implementing and Administering GPOs 5-10
Lesson 3: Group Policy Scope and Group Policy Processing 5-16
Lesson 4: Troubleshooting the Application of GPOs 5-31
Lab: Implementing a Group Policy Infrastructure 5-38
Module Review and Takeaways 5-44
Module Overview
Group Policy provides an infrastructure within which you can define settings centrally and deploy them
to users and computers in your enterprise. In an environment managed by a well-implemented Group
Policy infrastructure, very little configuration takes place by an administrator directly touching a user’s
computer. You can define, enforce, and update the entire configuration by using the settings in Group
Policy Objects (GPOs) or GPO filtering. By using GPO settings, you can affect an entire site or domain
within an enterprise, or narrow your focus to a single organizational unit (OU). This module will detail
what Group Policy is, how it works, and how best to implement it in your organization.
Objectives
After completing this module, you will be able to:
• Describe the components and technologies that comprise the Group Policy framework.
• Configure and understand a variety of policy setting types.
• Scope GPOs by using links, security groups, Windows® Management Instrumentation (WMI) filters,
loopback processing, and preference targeting.
• Describe how GPOs are processed.
• Locate the event logs that contain Group Policy-related events and troubleshoot the Group Policy
application.
Lesson 1
Introducing Group Policy
A Group Policy infrastructure has several interacting components, and you need to understand what
each component does, as well as how they work together and how you can assemble them into different
configurations. This lesson provides a comprehensive overview of Group Policy components, procedures,
and functions.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify the business requirements for configuration management.
• Describe the core components and terminology of Group Policy.
• Explain the benefits of implementing GPOs.
• Describe GPOs.
• Explain the function and behavior of the client-side GPO components.
• Explain GPO refresh.
• Create and configure GPOs.
What Is Configuration Management?
If you have only one computer in your
environment—at home, for example—and you
need to modify the desktop background, you
can achieve that in several different ways. Most
people would probably open Appearance and Personalization from Control Panel, and make
the change by using the Windows interface.
While that works well for one computer, it may
be tedious if you want to make the change across
multiple computers. Implementing any change
and maintaining a consistent environment is more
difficult with multiple computers.
Configuration management is a centralized approach to applying one or more changes to one or more
users or computers. The key elements of configuration management are:
• Setting. A setting is a centralized definition of a change. The setting brings a user or a
computer to a desired configuration state.
• Scope. The scope of the change is the set of users or computers to which the change applies.
• Application. The application is a mechanism or process that ensures that the setting is applied to
users and computers within the scope.
Group Policy is a framework within Windows—with components that reside in Active Directory® Domain
Services (AD DS), on domain controllers, and on each Windows server and client—that enables you to
manage configuration in an AD DS domain.
Overview of Group Policies
The most granular component of Group Policy is
an individual policy setting, also known as a policy
that defines a specific configuration change to
apply, such as a policy setting that prevents a user
from accessing registry-editing tools. If you define
that policy setting, and then apply it to the user,
the user will be unable to run tools such as
Regedit.exe.
It is important to know that some settings affect a
user, known as user-configuration settings (or user
policies), and some affect the computer, known as
computer-configuration settings (or computer
policies).
Group Policy manages various policy settings, and the Group Policy framework is extensible. In the end,
you can manage just about any configurable setting with Group Policy.
Within the Group Policy Management Editor, you can define a policy setting by double-clicking it. The
policy setting Properties dialog box appears. A policy setting can have three states: Not Configured,
Enabled, and Disabled.
In a new GPO, every policy setting defaults to Not Configured. This means that the GPO does not modify
the existing configuration of that particular setting for a user or computer. If you enable or disable a
policy setting, a change is made to the configuration of users and computers to which the GPO is applied.
When you return a setting to Not Configured, the GPO stops managing it; at the next refresh the policy
value is removed from the client, and the setting reverts to its default unless another GPO configures it.
The effect of the change depends on the policy setting. For example, if you enable the Prevent Access
To Registry Editing Tools policy setting, users are unable to launch the Regedit.exe Registry Editor. If
you disable the policy setting, you ensure that users can launch the Registry Editor. Notice the double
negative in this policy setting: You disable a policy that prevents an action, so you allow the action.
Some policy settings bundle several configurations into one policy, and these might require additional
parameters.
Note: Many policy settings are complex, and the effect of enabling or disabling them
might not be obvious. Furthermore, some policy settings affect only certain versions of the
Windows operating system. Be sure to review a policy setting’s explanatory text in the Group
Policy Management Editor detail pane or on the Explain tab in the policy setting’s Properties
dialog box. Additionally, always test the effects of a policy setting and its interactions with other
policy settings before deploying a change in your production environment.
Benefits of Using Group Policy
Group Policies are very powerful administrative
tools. You can use them to push various settings
to a large number of users and computers.
Because you can apply them to various levels from
local to domain, you also can focus these settings
very precisely.
Primarily, you can use Group Policies to
configure settings that you do not want users
to configure. Additionally, you can use Group
Policies to standardize desktop environments on
all computers in an OU or in an entire enterprise,
to provide additional security and some advanced
system settings, and for other purposes that the following sections detail.
Apply Security Settings
In the Windows Server® 2012 operating system, GPOs include a large number of security-related settings
that you can apply to both users and computers. For example, you can enforce settings for Windows
Firewall, and configure auditing and other security settings. You also can configure full sets of user-rights
assignments.
Manage Desktop and Application Settings
You can use a Group Policy to provide a consistent desktop and application environment to all users in
your organization. By using GPOs, you can configure each setting that affects the look and feel of user
environment and also configure settings for some applications that support GPOs.
Deploy Software
Group Policies enable you to deploy software to users and computers. You can use Group Policy to
deploy all software that is in the .msi format. Additionally, you can enforce automatic software installation
or you can let your users decide whether they want the software to deploy to their machines.
Note: Deploying large packages with GPOs may not be the most efficient way of
distributing an application to your organization’s computers. In many circumstances, it may be
more effective to distribute the applications as part of the desktop computer image.
Manage Folder Redirection
With folder redirection, you can manage and back up data quickly and easily. By redirecting folders,
you also ensure that users have access to their data regardless of the computer on which they sign in.
Additionally, you can centralize all users’ data to one place on the network server, while still providing a
user experience that is similar to storing these folders on their computers. For example, you can configure
folder redirection to redirect the users’ Documents folders to a shared folder on a network server.
Configure Network Settings
Using Group Policy enables you to configure various network settings on client computers. For example,
you can enforce settings for wireless networks to allow users to connect only to specific service set
identifiers (SSIDs), and with predefined authentication and encryption settings. You also can deploy
policies that apply to wired network settings as well as configure the client side of services, such as
Network Access Protection (NAP).
Group Policy Objects
Policy settings are defined and exist within a
GPO. A GPO is an object that contains one or
more policy settings that apply to one or more
configuration settings for a user or a computer.
Note: GPOs can be managed in AD DS by
using the Group Policy Management Console
(GPMC).
GPOs are displayed in a container named Group
Policy Objects.
To create a new GPO in a domain, right-click the Group Policy Objects container, and then click New.
To modify the configuration settings in a GPO, right-click the GPO, and then click Edit. This opens the
Group Policy Management Editor snap-in.
The Group Policy Management Editor displays the thousands of policy settings available in a GPO in
an organized hierarchy that begins with the division between computer settings and user settings: the
Computer Configuration node and the User Configuration node.
The next two levels of the hierarchy are nodes called Policies and Preferences. You will learn about the
difference between these two nodes later in this module. Progressing further down the hierarchy, you can
see that the Group Policy Management Editor displays folders, which also are called nodes or policy
setting groups. Within the folders are the policy settings themselves.
Note: The GPO must be applied to a domain, site, or OU in the AD DS hierarchy for the
settings within the object to take effect.
GPO Scope
Configuration is defined by policy settings in
GPOs. However, the configuration changes in
a GPO do not affect computers or users in your
organization until you specify the computers
or users to which the GPO applies. This is called
scoping a GPO. The scope of a GPO is the
collection of users and computers that will apply
the settings in the GPO.
You can use several methods to manage the
scope of GPOs. The first is the GPO link. You can
link GPOs to sites, domains, and OUs in AD DS.
The site, domain, or OU then becomes the
maximum scope of the GPO. All computers and users within the site, domain, or OU, including those in
child OUs, will be affected by the configurations that the policy settings in the GPO specify.
Note: You can link a GPO to more than one domain, OU, or site. Linking GPOs to sites can introduce
performance issues when the policy is being applied, and you should avoid linking a GPO to multiple
sites. This is because a site can span several domains, but the GPO itself is stored in a single
domain (typically the forest root domain). Computers in other domains may therefore need to traverse
a slow wide area network (WAN) link to reach a domain controller that holds the GPO.
You can further narrow the scope of the GPO with one of two types of filters. Security filters specify
security groups that fall within the GPO’s scope, but to which the GPO explicitly should or should not
apply. WMI filters specify a scope by using characteristics of a system, such as operating-system version or
free disk space. Use security filters and WMI filters to narrow or specify the scope within the initial scope
that the GPO link created.
Note: Windows Server 2008 introduced a new component of Group Policy: Group Policy
Preferences. Settings that are configured by Group Policy Preferences within a GPO can be
filtered or targeted based on several criteria. Targeted preferences allow you to further refine the
scope of preferences within a single GPO.
Group Policy Client and Client-Side Extensions
Group Policy Application
It is important to understand how Group Policies
apply on client computers. The outline below
details the process:
1. When Group Policy refresh begins, a service that is running on all Windows-based computers, known
as the Group Policy Client in Windows Vista®, Windows 7, Windows 8, Windows Server 2008, Windows
Server 2008 R2, and Windows Server 2012, determines which GPOs apply to the computer or user.
2. This service downloads any GPOs that are not cached already.
3. Client-side extensions (CSEs) interpret the settings in a GPO and make appropriate changes to the
local computer or to the currently logged-on user. There are CSEs for each major category of policy
setting. For example, there is a security CSE that applies security changes, a CSE that executes startup
and logon scripts, a CSE that installs software, and a CSE that makes changes to registry keys and
values. Each Windows version has added CSEs to extend the functional reach of Group Policy, and
there are several dozen CSEs in Windows.
One of the more important concepts to remember about Group Policy is that it is very client-driven. The
Group Policy client pulls the GPOs from the domain, triggering the CSEs to apply settings locally. Group
Policy is not a push technology.
In fact, you can configure the behavior of CSEs by using Group Policy. Most CSEs will apply settings in
a GPO only if that GPO has changed. This behavior improves overall policy processing by eliminating
redundant applications of the same settings. Most policies are applied in such a way that standard users
cannot change the setting on their computer—they will always be subject to the configuration enforced
by Group Policy. However, standard users can change some settings, and many can be changed if a user is
an administrator on that system. If users in your environment are administrators on their computers, you
should consider configuring CSEs to reapply policy settings even if the GPO has not changed. That way,
if an administrative user changes a configuration so that it is no longer compliant with policy, the
configuration will be reset to its compliant state at the next Group Policy refresh.
Note: You can configure CSEs to reapply policy settings at the next background refresh,
even if the GPO has not changed. You can do this by configuring a GPO scoped to computers, and
then defining the settings in the Computer Configuration\Policies\Administrative Templates
\System\Group Policy node. For each CSE that you want to configure, open its policy-
processing policy setting, such as Registry Policy Processing for the Registry CSE. Click Enabled,
and select the Process even if the Group Policy objects have not changed check box.
The security CSE manages an important exception to the default policy-processing settings. Security
settings are reapplied every 16 hours, even if a GPO has not changed.
Note: Enable the Always Wait For Network At Startup And Logon policy setting for all
Windows clients. Without this setting, by default, Windows XP, Windows Vista, Windows 7, and
Windows 8 clients process policy asynchronously at startup and logon, in the same way as a background
refresh. This means that a client may start up, and then a user might sign in, without receiving the
latest policies from the domain. The setting is located in Computer Configuration\Policies
\Administrative Templates\System\Logon. Be sure to read the policy setting's explanatory text.
Group Policy Refresh
Policy settings in the Computer Configuration node are applied at system startup, and then every 90 to
120 minutes thereafter. User Configuration policy settings are applied at logon, and then every 90 to 120
minutes thereafter. The application of policies is called Group Policy refresh.
Note: You also can force a policy refresh by using the GPUpdate command.
Demonstration: How to Create a GPO and Configure GPO Settings
Group Policy settings, also known as policies, are contained in a GPO, and you can view and modify them
by using the Group Policy Management Editor. This demonstration delves more closely into the categories
of settings available in a GPO.
Computer Configuration and User Configuration
There are two major divisions of policy settings: computer settings, which are contained in the Computer
Configuration node, and user settings, which are contained in the User Configuration node:
• The Computer Configuration node contains the settings that are applied to computers, regardless
of who logs on to them. Computer settings are applied when the operating system starts, and then
during background refreshes every 90 to 120 minutes thereafter.
• The User Configuration node contains settings that are applied when a user logs on to the
computer, and then during background refreshes every 90 to 120 minutes thereafter.
Within the Computer Configuration and User Configuration nodes are the Policies and Preferences
nodes. Policies are settings that are configured and behave similarly to the policy settings in older
Windows operating systems. Preferences were introduced in Windows Server 2008.
Within the Policies nodes of Computer Configuration and User Configuration are a hierarchy of folders
that contain policy settings. Because there are thousands of settings, it is beyond the scope of this course
to examine individual settings. However, it is worthwhile to define the broad categories of settings in the
folders.
Software Settings Node
The Software Settings node is the first node. It contains only the Software Installation extension, which
helps you specify how applications are installed and maintained within your organization.
Windows Settings Node
In both Computer Configuration and User Configuration nodes, the Policies node contains a
Windows Settings node, which includes the Scripts, Security Settings, and Policy-Based QoS nodes.
Note: It also contains the Name Resolution Policy folder that contains settings for
configuring Windows 8 DirectAccess, which is discussed in a later module.
Scripts Node
The Scripts extension enables you to specify two types of scripts, startup/shutdown (in the Computer
Configuration node), and logon/logoff (in the User Configuration node). Startup/shutdown scripts
run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off. When you
assign multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE executes
the scripts from top to bottom. You can determine the order of execution for multiple scripts in the
Properties dialog box. When a computer is shut down, the CSE first processes logoff scripts, followed
by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and
shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a
policy setting. You can use any ActiveX® scripting language to write scripts. Some possibilities include
Microsoft® Visual Basic® Scripting Edition (VBScript), Microsoft JScript®, Perl, and Microsoft MS-DOS®–
style batch files (.bat and .cmd). Logon scripts on a shared network directory in another forest are
supported for network logon across forests. Windows 7 and Windows 8 both support Windows
PowerShell® scripts, too.
Security Settings Node
The Security Settings node allows a security administrator to configure security by using GPOs. This can
be done after, or instead of, using a security template to set system security.
Policy-Based QoS Node
This quality of service (QoS) node, known as Policy-Based QoS node, defines policies that manage
network traffic. For example, you might want to ensure that users in the Finance department have priority
for running a critical network application during the end-of-year financial reporting period. The Policy-
Based QoS node enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the additional Remote
Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote
Installation Services (RIS) policies control the behavior of a remote operating-system installation. Folder
Redirection enables you to redirect user data and settings folders such as AppData, Desktop, Documents,
Pictures, Music, and Favorites from their default user profile location to an alternate location on the
network, where they can be centrally managed. Internet Explorer Maintenance enables you to administer
and customize Windows Internet Explorer®.
Administrative Templates Node
In the Computer Configuration and User Configuration nodes, the Administrative Templates
node contains registry-based Group Policy settings. There are thousands of such settings available for
configuring the user and computer environment. As an administrator, you might spend a significant
amount of time manipulating these settings. To assist you with the settings, a description of each policy
setting is available in two locations:
• On the Explain tab in the Properties dialog box for the setting. Additionally, the Settings tab in the
Properties dialog box for each setting also lists the required operating system or software for the
setting.
• On the Extended tab of the Group Policy Management Editor. The Extended tab appears on the
lower right of the details pane, and provides a description of each selected setting in a column
between the console tree and the settings pane. The required operating system or software for each
setting is also listed.
Demonstration
This demonstration shows how to:
1. Open the Group Policy Management Console.
2. Create a new GPO named Desktop in the Group Policy container.
3. In the computer configuration, prevent the last logon name from displaying, and then prevent Windows Installer from running.
4. In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.
Demonstration Steps
Use the GPMC to create a new GPO
1. Sign in to LON-DC1 as administrator.
2. Open the Group Policy Management console.
3. Create a new GPO called Desktop.
Configure Group Policy settings
1. Open the new Desktop policy for editing.
2. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.
3. In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.
4. Close all open windows.
Lesson 2
Implementing and Administering GPOs
In this lesson, you will examine GPOs in more detail, learning how to create, link, edit, manage, and
administer GPOs and their settings.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe domain-based GPOs.
• Explain how to create, link, and edit GPOs.
• Explain GPO storage.
• Describe starter GPOs.
• Perform common GPO management tasks.
• Explain how to delegate administration of GPOs.
• Describe how to use Windows PowerShell to manage GPOs.
Domain-Based GPOs
Domain-based GPOs are created in AD DS and
stored on domain controllers. You can use them
to manage configuration centrally for the
domain’s users and computers. The remainder of
this course refers to domain-based GPOs rather
than local GPOs, unless otherwise specified.
When you install AD DS, two default GPOs are
created: Default Domain Controllers Policy and
Default Domain Policy.
Default Domain Policy
This GPO is linked to the domain, and has no
security group or WMI filters. Therefore, it affects all users and computers in the domain, including
computers that are domain controllers. This GPO contains policy settings that specify password, account
lockout, and Kerberos version 5 protocol policies. You should not add unrelated policy settings to this
GPO. If you need to configure other settings to apply broadly in your domain, create additional GPOs that
link to the domain.
Default Domain Controllers Policy
This GPO is linked to the OU of the domain controllers. Because computer accounts for domain
controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be
kept in other OUs, this GPO affects only domain controllers. You should modify the Default Domain
Controllers GPO to implement your auditing policies and to assign user rights required on domain
controllers.
Note: Windows computers also have local GPOs, which are used when computers are not
connected to domain environments. Windows Vista, Windows 7, Windows 8, Windows Server
2008, Windows Server 2008 R2, and Windows Server 2012 support the notion of multiple local
GPOs. The Local Computer GPO is the same as the GPO in the previous Windows versions. In
the Computer Configuration node, you can configure all computer-related settings. In the
User Configuration node, you can configure settings that you want to apply to all users on the
computer. The user settings in the Local Computer GPO can be modified by the user settings in
two new local GPOs: Administrators and Non-Administrators. These two GPOs apply user settings
to logged-on users according to whether they are members of the local Administrators group, in
which case they would use the Administrators GPO, or not members of the Administrators group,
and therefore use the Non-Administrators GPO. You can further refine the user settings with a
local GPO that applies to a specific user account. User-specific local GPOs are associated with
local, not domain, user accounts.
It is important to understand that domain-based GPO settings are combined with those applied by
local GPOs, but because domain-based GPOs apply last, they take precedence over local GPO settings.
GPO Storage
Group Policy settings are presented as GPOs in
AD DS user interface tools, but a GPO is actually
two components: a Group Policy container and a
Group Policy template.
The Group Policy container is an AD DS object
stored in the Group Policy Objects container
within the domain-naming context of the
directory. Like all AD DS objects, each Group
Policy container includes a globally unique
identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy
container defines basic attributes of the GPO, but
it does not contain any of the settings. The settings are contained in the Group Policy template,
a collection of files stored in the System Volume (SYSVOL) of each domain controller in the
%SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group
Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group
Policy template of the server from which the GPO was opened.
By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been
updated.
The Group Policy client can identify an updated GPO by its version number. Each GPO has a version
number that is incremented each time a change is made. The version number is stored as a Group Policy
container attribute and in a text file, gpt.ini, in the Group Policy template folder. The
Group Policy client knows the version number of each GPO it has previously applied. If, during Group
Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has
been changed, the CSEs will be informed that the GPO is updated.
GPO Replication
Group Policy container and Group Policy template are both replicated between all domain controllers in
AD DS. However, different replication mechanisms are used for these two items.
The Group Policy container in AD DS is replicated by the Directory Replication Agent (DRA). The DRA
uses a topology generated by the Knowledge Consistency Checker (KCC), which you can define or
refine manually. The result is that the Group Policy container is replicated within seconds to all domain
controllers in a site and is replicated between sites based on your intersite replication configuration.
The Group Policy template in the SYSVOL is replicated by using one of the following two technologies.
The File Replication Service (FRS) is used to replicate SYSVOL in domains running Windows Server 2008,
Windows Server 2008 R2, Windows Server 2003, and Windows 2000. If all domain controllers are running
Windows Server 2008 or newer, you can configure SYSVOL replication by using Distributed File System
(DFS) Replication, which is a much more efficient and robust mechanism.
Because the Group Policy container and Group Policy template are replicated separately, it is possible for
them to become out of sync for a short time.
Typically, when this happens, the Group Policy container will replicate to a domain controller first. Systems
that obtained their ordered list of GPOs from that domain controller will identify the new Group Policy
container, will attempt to download the Group Policy template, and will notice that the version numbers
are not the same. A policy processing error will be recorded in the event logs. If the reverse happens, and
the Group Policy template replicates to a domain controller before the Group Policy container, clients
obtaining their ordered list of GPOs from that domain controller will not be notified of the new GPO until
the Group Policy container has replicated.
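The GPC/GPT version check described above, as an added example that is not part of the course material: it reads the container version through Get-GPO and the template version from gpt.ini on one named domain controller, so a DC that has received only one half of a GPO stands out. It assumes the GroupPolicy RSAT module and read access to that DC's SYSVOL share; the DC name LON-DC1 is taken from the course lab.

```powershell
Import-Module GroupPolicy

# Both the GPC (versionNumber attribute) and the GPT (Version= line in gpt.ini)
# store one 32-bit number: the low 16 bits are the computer settings version,
# the high 16 bits the user settings version.
function Split-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Computer = [int]($Version -band 0xFFFF)
        User     = [int](($Version -shr 16) -band 0xFFFF)
    }
}

# Read Version= from the gpt.ini of one GPT folder. Returns $null when the file
# is not yet present on the SYSVOL share being read, which is exactly what a DC
# that has received the GPC but not the GPT looks like.
function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptFolder)
    $ini = Join-Path $GptFolder 'gpt.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
        Select-Object -First 1
    if ($hit) { return [uint32]$hit.Matches[0].Groups[1].Value }
    return $null
}

# For every GPO in the domain, compare the GPC version held in AD DS with the
# GPT version held in SYSVOL on the named domain controller.
function Get-GpoVersionReport {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC to inspect, e.g. LON-DC1
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain -Server $Server) {
        # The GPT folder is named after the GPC's GUID, as in
        # %SystemRoot%\SYSVOL\domain\Policies\{GUID}, read here via the DC's share.
        $gptFolder = "\\$Server\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        $gptRaw    = Get-GptIniVersion -GptFolder $gptFolder
        $gptComputer = $null
        $gptUser     = $null
        if ($null -ne $gptRaw) {
            $split       = Split-GpoVersion -Version $gptRaw
            $gptComputer = $split.Computer
            $gptUser     = $split.User
        }
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            GpcComputer = $gpo.Computer.DSVersion     # version from the AD DS container
            GptComputer = $gptComputer                # version from gpt.ini on $Server
            GpcUser     = $gpo.User.DSVersion
            GptUser     = $gptUser
            InSync      = ($null -ne $gptRaw) -and
                          ($gptComputer -eq $gpo.Computer.DSVersion) -and
                          ($gptUser -eq $gpo.User.DSVersion)
        }
    }
}

# List only the GPOs whose two halves disagree on LON-DC1.
Get-GpoVersionReport -Server LON-DC1 | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Run it against each domain controller in turn; a GPO that is out of sync on one DC but not the others points at SYSVOL replication rather than at the GPO itself.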
Starter GPOs
A Starter GPO is used as a template from which to
create other GPOs within GPMC. Starter GPOs
only contain Administrative Template settings.
You may use a Starter GPO to provide a starting
point for new GPOs created in your domain. The
Starter GPO already may contain specific settings
that are recommended best practices for your
environment. Starter GPOs can be exported to,
and imported from, cabinet (.cab) files to make
distribution to other environments simple and
efficient.
GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These
Starter GPOs contain Administrative Template settings that reflect Microsoft-recommended best practices
for the configuration of the client environment.
Common GPO Management Tasks
Like critical data and AD DS-related resources,
you must back up GPOs to protect the integrity
of AD DS and GPOs. GPMC not only provides
the basic backup and restore options, but also
provides additional control over GPOs for
administrative purposes. Options for managing
GPOs include the following:
Backing Up GPOs
You can back up GPOs individually or as a whole
with GPMC. You must provide only a backup
location, which can be any valid local or shared
folder. You must have Read permission on the
GPO to back it up. Every time that you perform a backup, a new backup version of the GPO is created,
which provides a historical record.
Restoring Backed Up GPOs
You can restore any version of a GPO. If one becomes corrupt or you delete it, you can restore any of the
historical versions of that GPO. The restore interface provides the ability for you to view the settings
stored in the backed-up version before restoring it.
Importing GPO Settings from a Backed Up GPO
You can import policy settings from one GPO into another. Importing a GPO allows you to transfer
settings from a backed up GPO to an existing GPO. Importing a GPO transfers only the GPO settings.
The import process does not import GPO links. Security principals defined in the source may need to be
migrated to the target.
Note: It is not possible to merge imported settings with the current target GPO settings.
The imported settings will overwrite all existing settings.
Copying GPOs
You can copy GPOs by using GPMC, both in the same domain and across domains. A copy operation
copies an existing, live GPO to the desired destination domain. A new GPO always gets created during
this process. The new GPO is named “copy of OldGPOName”. For example, if you copied a GPO named
“Desktop”, the new version would be named “Copy of Desktop”. After the file is copied and pasted into
the Group Policy Objects container, you can rename the policy. The destination domain can be any
trusted domain in which you have the rights to create new GPOs. When copying between domains,
security principals defined in the source may need to be migrated to the target.
Note: It is not possible to copy settings from multiple GPOs into a single GPO.
Migration Tables
When importing GPOs or copying them between domains, you can use migration tables to modify
references in the GPO that need to be adjusted for the new location. For example, you may need to
replace the Universal Naming Convention (UNC) path for folder redirection with a UNC path that is
appropriate for the new user group to which the GPO will be applied. You can create migration tables
prior to this process, or you can create them during the import or cross-domain copy operation.
Delegating Administration of Group Policies
Delegation of GPO-related tasks allows you to
distribute the administrative workload across the
enterprise. You can task one group with creating
and editing GPOs, while another group performs
reporting and analysis duties. A third group might
be in charge of creating WMI filters.
You can delegate the following Group Policy tasks
independently:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy Modeling analyses on a given domain or OU
• Reading Group Policy Results data for objects in a given domain or OU
• Creating WMI filters in a domain
The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that
they have created.
Group Policy Default Permissions
By default, the following users and groups have Full Control over GPO management:
• Domain Admins
• Enterprise Admins
• Creator Owner
• Local System
The Authenticated Users group has Read and Apply Group Policy permissions.
Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new
GPOs. You can use two methods to grant a group or user this right:
• Add the user or group to the Group Policy Creator Owners group.
• Explicitly grant the group or user permission to create GPOs by using GPMC.
Editing GPOs
To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission
by using the GPMC.
Managing GPO Links
The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can
manage this permission by using the Delegation tab on the container. You also can delegate it through
the Delegation of Control Wizard in Active Directory Users and Computers.
Group Policy Modeling and Group Policy Results
You can delegate the ability to use the reporting tools in the same fashion, through GPMC or the
Delegation of Control Wizard in Active Directory Users and Computers.
Create WMI Filters
You can delegate the ability to create and manage WMI filters in the same fashion, through GPMC or the
Delegation of Control Wizard in Active Directory Users and Computers.
Managing GPOs with Windows PowerShell
In addition to using the Group Policy
Management console and the Group Policy
Management Editor, you can also perform
common GPO administrative tasks by using
Windows PowerShell.
The following table lists some of the more common administrative tasks possible with
Windows PowerShell.
Cmdlet name          Description
New-GPO              Creates a new GPO
New-GPLink           Creates a new GPO link for the specified GPO
Backup-GPO           Backs up the specified GPOs
Restore-GPO          Restores the specified GPOs
Copy-GPO             Copies a GPO
Get-GPO              Gets the specified GPOs
Import-GPO           Imports the backed up settings into a specified GPO
Set-GPInheritance    Grants specified permissions to a user or security group for the specified GPOs
For example, the following command creates a new GPO called Sales:
New-GPO -Name Sales -Comment "This is the sales GPO"
The following code imports the settings from the backed up Sales GPO stored in the C:\Backups folder
into the NewSales GPO.
Import-GPO -BackupGpoName Sales -TargetName NewSales -Path C:\Backups
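The backup, import and link tasks from this lesson combined into one script, as an added example that is not part of the course material. It assumes the GroupPolicy RSAT module, the GPO names Sales and NewSales from the text, and constructed values for the backup folder, the migration table file and the target OU.

```powershell
Import-Module GroupPolicy

# Back up every GPO into a new time-stamped folder. Each run adds a new
# historical version instead of overwriting the previous one.
function Backup-AllGpos {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,   # e.g. C:\Backups
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $folder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Backup-GPO -All -Domain $Domain -Path $folder -Comment "Full GPO backup $(Get-Date -Format s)"
}

# Import one backed-up GPO into a (possibly different) domain and, optionally,
# link it to a site, domain or OU.
function Import-GpoFromBackup {
    param(
        [Parameter(Mandatory)][string]$BackupPath,     # folder written by Backup-GPO
        [Parameter(Mandatory)][string]$SourceGpoName,  # name of the backed-up GPO
        [Parameter(Mandatory)][string]$TargetGpoName,  # GPO that receives the settings
        [Parameter(Mandatory)][string]$TargetDomain,
        [string]$MigrationTable,   # .migtable built with the GPMC Migration Table Editor
        [string]$LinkTarget        # DN of the container to link to, e.g. OU=Sales,DC=Adatum,DC=com
    )
    $params = @{
        BackupGpoName  = $SourceGpoName
        TargetName     = $TargetGpoName
        Path           = $BackupPath
        Domain         = $TargetDomain
        CreateIfNeeded = $true     # create the target GPO if it does not exist yet
    }
    # UNC paths and security principals recorded in the source domain only
    # make sense in the target after a migration table has mapped them.
    if ($MigrationTable) { $params['MigrationTable'] = $MigrationTable }

    # Import replaces every setting in the target GPO (there is no merge) and
    # carries no links, so the link is a separate step.
    $gpo = Import-GPO @params
    if ($LinkTarget) {
        New-GPLink -Name $gpo.DisplayName -Domain $TargetDomain -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
    $gpo
}

# Usage with constructed paths and a constructed target OU.
Backup-AllGpos -BackupRoot 'C:\Backups' | Format-Table DisplayName, CreationTime, BackupDirectory
Import-GpoFromBackup -BackupPath 'C:\Backups\2019-08-21_0900' -SourceGpoName 'Sales' `
    -TargetGpoName 'NewSales' -TargetDomain 'Adatum.com' `
    -MigrationTable 'C:\Backups\sales.migtable' -LinkTarget 'OU=Sales,DC=Adatum,DC=com'
```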
Lesson 3
Group Policy Scope and Group Policy Processing
A GPO is, by itself, a collection of configuration instructions that will be processed by the CSEs of
computers. Until the GPO is scoped, it does not apply to any users or computers. The GPO’s scope
determines the CSEs of which computers will receive and process the GPO, and only the computers or
users within the scope of a GPO will apply the settings in that GPO. In this lesson, you will learn to manage
the scope of a GPO. The following mechanisms are used to scope a GPO:
• The GPO link to a site, domain, or OU, and whether that link is enabled
• The Enforce option of a GPO
• The Block Inheritance option on an OU
• Security group filtering
• WMI filtering
• Policy node enabling or disabling
• Preferences targeting
• Loopback policy processing
You must be able to define the users or computers to which you plan to deploy these configurations.
Consequently, you must master the art of scoping GPOs. In this lesson, you will learn each of the
mechanisms with which you can scope a GPO and, in the process, you will master the concepts of Group
Policy application, inheritance, and precedence.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe GPO links.
• Explain GPO processing.
• Describe GPO inheritance and precedence.
• Use security filters to filter GPO scope.
• Explain how to use WMI filters to filter GPO scope.
• Describe how to enable and disable GPOs.
• Explain how and when to use loopback processing.
• Explain considerations for computers that are disconnected, or which are connected by slow links.
• Explain when Group Policy settings take effect.
GPO Links
You can link a GPO to one or more AD DS sites,
domains, or OUs. After you have linked a GPO, the
users or computers in that container are within
the scope of the GPO, including computers and
users in child OUs.
Link a GPO
To link a GPO, either:
• Right-click the domain or OU in the GPMC
console tree, and then click Link as existing
GPO.
• If you have not yet created a GPO, click Create A GPO In This {Domain | OU | Site} And Link It Here.
You can choose the same commands to link a GPO to a site, but by default, your AD DS sites are not
visible in the GPMC. To show sites in the GPMC, right-click Sites in the GPMC console tree, and then click
Show Sites.
Note: A GPO linked to a site affects all computers in the site, without regard to the domain
to which the computers belong, as long as all computers belong to the same Active Directory
forest. Therefore, when you link a GPO to a site, that GPO can be applied to multiple domains
within a forest. Site-linked GPOs are stored on domain controllers in the domain in which you
create the GPO. Therefore, domain controllers for that domain must be accessible for site-linked
GPOs to be applied correctly. If you implement site-linked policies, you must consider policy
application when planning your network infrastructure. You can either place a domain controller
from the GPO’s domain in the site to which the policy is linked, or ensure that WAN
connectivity provides access to a domain controller in the GPO’s domain.
When you link a GPO to a container, you define the initial scope of the GPO. Select a GPO, and then click
the Scope tab to identify the containers to which the GPO is linked. In the details pane of the GPMC, the
GPO links are displayed in the first section of the Scope tab.
The impact of the GPO’s links is that the Group Policy Client downloads the GPO if either the computer or
the user objects fall within the scope of the link. The GPO will be downloaded only if it is new or updated.
The Group Policy Client caches the GPO to make policy refresh more efficient.
Link a GPO to Multiple OUs
You can link a GPO to more than one site or OU. It is common, for example, to apply configuration to
computers in several OUs. You can define the configuration in a single GPO, and then link that GPO to
each OU. If you later change settings in the GPO, your changes will apply to all OUs to which the GPO is
linked.
Delete or Disable a GPO Link
After you have linked a GPO, the GPO link appears in the GPMC underneath the site, domain, or OU. The
icon for the GPO link has a small shortcut arrow. When you right-click the GPO link, a context menu
appears:
• To delete a GPO link, right-click the GPO link in the GPMC console tree, and then click Delete.
Deleting a GPO link does not delete the GPO itself, which remains in that GPO container. However,
deleting the link does change the scope of the GPO, so that it no longer applies to computers and users
within the previously linked container object.
You also can modify a GPO link by disabling it:
• To disable a GPO link, right-click the GPO link in the GPMC console tree and then clear the Link
Enabled option.
Disabling the link also changes the GPO scope so that it no longer applies to computers and users within
that container. However, the link remains so that you can more easily re-enable it.
Demonstration: How to Link GPOs
This demonstration shows how to:
• Open the Group Policy Management console.
• Create two new GPOs.
• Link the first GPO to the domain.
• Link the second GPO to the IT OU.
• Disable the first GPO’s link.
• Delete the second GPO.
• Re-enable the first GPO’s link.
Demonstration Steps
Create and edit two GPOs
1. Open the Group Policy Management Console.
2. Create two new GPOs called Remove Run Command and Do Not Remove Run Command.
3. Edit the settings of the two GPOs.
Link the GPOs to different locations
1. Link the Remove Run Command GPO to the domain. The Remove Run Command GPO is now
attached to the Adatum.com domain.
2. Link the Do Not Remove Run Command GPO to the IT OU. The Do Not Remove Run Command
GPO is now attached to the IT OU.
3. View the GPO inheritance on the IT OU. The Group Policy Inheritance tab shows the order of
precedence for the Group Policy objects.
Disable a GPO link
1. Disable the Remove Run Command GPO on the Adatum.com domain.
2. Refresh the Group Policy Inheritance pane for the IT OU and then notice the results in the right pane.
The Remove Run Command GPO is no longer listed.
Delete a GPO link
1. Select the IT OU, and then delete the Do Not Remove Run Command GPO link. Verify the removal of
the Do Not Remove Run Command GPO and the absence of the Remove Run Command GPO.
2. Enable the Remove Run Command GPO on the Adatum.com domain. Refresh the Group Policy
Inheritance window for the IT OU, and then notice the results in the right pane.
Group Policy Processing Order
The GPOs that apply to a user, computer, or both
do not all apply at once. GPOs are applied in a
particular order. This order means that settings
that are processed first may be overwritten by
conflicting settings that are processed later.
Group Policy follows the following hierarchical
processing order:
1. Local group policies. Each computer running Windows 2000 or newer has at least one local
group policy. The local policies are applied first.
2. Site group policies. Policies linked to sites are processed second. If there are multiple site policies,
they are processed synchronously in the listed preference order.
3. Domain group policies. Policies linked to domains are processed third. If there are multiple domain
policies, they are processed synchronously in the listed preference order.
4. OU group policies. Policies linked to top-level OUs are processed fourth. If there are multiple top-
level OU policies, they are processed synchronously in the listed preference order.
5. Child OU group policies. Policies linked to child OUs are processed fifth. If there are multiple child OU
policies, they are processed synchronously in the listed preference order. When there are multiple
levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs
are applied next.
In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that
restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the
OU level for the objects contained in that particular OU.
If you link several GPOs to an OU, their processing occurs in the order that the administrator specifies on
the OU’s Linked Group Policy Objects tab in the GPMC.
By default, processing is enabled for all GPO links. You can disable a container’s GPO link to block the
application of a GPO completely for a given site, domain, or OU. Note that if the GPO is linked to other
containers, they will continue to process the GPO if their links are enabled.
You also can disable the user or computer configuration of a particular GPO independent of either the
user or computer. If one section of a policy is known to be empty, disabling the other side speeds up
policy processing. For example, if you have a policy that only delivers user desktop configuration, you
could disable the computer side of the policy.
Configuring GPO Inheritance and Precedence
You can configure a policy setting in more than
one GPO, which results in GPOs conflicting with
each other. For example, you may enable a policy
setting in one GPO, disable it in another GPO, and
then not configure it in a third GPO. In this case,
the precedence of the GPOs determines which
policy setting the client applies. A GPO with
higher precedence prevails over a GPO with lower
precedence. Precedence is shown as a number in
the GPMC. The smaller the number—that is, the
closer to 1—the higher the precedence. Therefore,
a GPO that has a precedence of 1 will prevail over
other GPOs. Select the relevant AD DS container, and then click the Group Policy Inheritance tab to view
the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with higher precedence, the configured setting
takes effect. However, remember that policy settings are set to Not Configured, by default. If a policy
setting is not configured in a GPO with higher precedence, the policy setting (either enabled or disabled)
in a GPO with lower precedence will take effect.
You can link more than one GPO to an AD DS container object. The link order of GPOs determines the
precedence of GPOs in such a scenario. GPOs with a higher-link order take precedence over GPOs with a
lower-link order. When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link
order of GPOs linked to that OU.
The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by
lower-level containers. When a computer starts up or a user logs on, the Group Policy Client examines the
location of the computer or user object in AD DS, and evaluates the GPOs with scopes that include the
computer or user. Then, the CSEs apply policy settings from these GPOs. Policies are applied sequentially,
beginning with the policies linked to the site, followed by those linked to the domain, followed by those
linked to OUs—from the top-level OU down to the OU in which the user or computer object exists. It is a
layered application of settings, so a GPO that is applied later in the process, because it has higher
precedence, overrides settings applied earlier in the process.
The sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, so
the resultant set of Group Policies for a user or computer will be the cumulative effect of site, domain, and
OU policies.
By default, inherited GPOs have lower precedence than GPOs linked directly to the container. For
example, you might configure a policy setting to disable the use of registry-editing tools for all users
in the domain by configuring the policy setting in a GPO linked to the domain. That GPO, and its policy
setting, is inherited by all users within the domain. However, you probably want administrators to be able
to use registry-editing tools, so you will link a GPO to the OU that contains administrators’ accounts, and
then configure the policy setting to allow the use of registry-editing tools. Because the GPO linked to the
administrators’ OU takes higher precedence than the inherited GPO, administrators will be able to use
registry-editing tools.
Precedence of Multiple Linked GPOs
If there are multiple GPOs linked to an AD DS container object, the objects’ link order determines their
precedence.
To change the precedence of a GPO link:
1. Select the AD DS container object in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrows to change the link order of the
selected GPO.
Block Inheritance
You can configure a domain or OU to prevent the inheritance of policy settings. This is known as blocking
inheritance. To block inheritance, right-click the domain or OU in the GPMC console tree, and then select
Block Inheritance.
The Block Inheritance option is a property of a domain or OU, so it blocks all Group Policy settings from
GPOs linked to parents in the Group Policy hierarchy. For example, when you block inheritance on an OU,
GPO application begins with any GPOs linked directly to that OU. Therefore, GPOs linked to higher-level
OUs, the domain, or the site will not apply.
You should use the Block Inheritance option sparingly because blocking inheritance makes it more
difficult to evaluate Group Policy precedence and inheritance. With security group filtering, you can
carefully scope a GPO so that it applies to only the correct users and computers in the first place, making
it unnecessary to use the Block Inheritance option.
Enforce a GPO Link
Additionally, you can set a GPO link to be Enforced. To enforce a GPO link, right-click the GPO link in the
console tree, and then select Enforced from the context menu.
When you set a GPO link to Enforced, the GPO takes the highest level of precedence: its policy settings prevail over conflicting settings in any GPO whose link is not enforced, and the link applies to child containers even when those containers are set to Block Inheritance. If two enforced GPOs contain conflicting settings, the enforced GPO linked higher in the hierarchy (for example, at the domain rather than at an OU) wins, which is the reverse of normal precedence.
Enforcement is useful when a GPO defines a configuration that is mandated by your corporate IT security and usage policies and you must ensure that other GPOs, including those managed by administrators with delegated control of child OUs, cannot override those settings. You do this by enforcing the GPO’s link.
Evaluating Precedence
To facilitate evaluation of GPO precedence, you can simply select an OU (or domain), and then click the
Group Policy Inheritance tab. This tab will display the resulting precedence of GPOs, accounting for GPO
link, link order, inheritance blocking, and link enforcement. This tab does not account for policies that are
linked to a site, nor does it account for GPO security or WMI filtering.
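The link-order, Enforced, and Block Inheritance operations above can also be done with the GroupPolicy module, and Get-GPInheritance returns the same resulting precedence that the Group Policy Inheritance tab shows (again without site links or security/WMI filtering). This is an added example, not code from the handbook; the OU and GPO names are assumptions.

```powershell
# Added example (not from the handbook). OU distinguished names and the GPO
# name are assumptions for illustration.
Import-Module GroupPolicy

$parentOu = 'OU=IT,DC=adatum,DC=com'
$childOu  = 'OU=Kiosks,OU=IT,DC=adatum,DC=com'
$gpoName  = 'IT Security Baseline'

# Link the GPO at the parent OU (ignore the error if it is already linked),
# put it at link order 1 (highest precedence among links on that OU) and
# enforce it so child OUs cannot block or override it.
New-GPLink -Name $gpoName -Target $parentOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Set-GPLink -Name $gpoName -Target $parentOu -Order 1 -Enforced Yes | Out-Null

# Block inheritance on the child OU. Use sparingly: it hides parent policy,
# but an enforced parent link still arrives.
Set-GPInheritance -Target $childOu -IsBlocked Yes | Out-Null

# Evaluate the resulting precedence for the child OU, as the Group Policy
# Inheritance tab does. Order 1 is applied last and therefore wins.
$inh = Get-GPInheritance -Target $childOu
'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enforced, Enabled, Target -AutoSize
```

Run it as a user with rights to edit links on the OUs. The enforced "IT Security Baseline" link appears in the child OU's inherited list even though inheritance is blocked there, which is exactly the behaviour the previous paragraphs describe.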
Using Security Filtering to Modify Group Scope
Although you can use the Enforced and Block Inheritance options to control the application of GPOs to container objects, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot link a GPO directly to a security group, there is a way to apply GPOs to specific security groups: the policies in a GPO apply only to users and computers that have the Allow Read and Allow Apply Group Policy permissions on the GPO.
Each GPO has an ACL that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. For example, if a GPO is scoped to a computer by its link to the computer’s OU, but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users that you specify.
By default, Authenticated Users are given the Allow Apply Group Policy permission on each new GPO. This
means that by default, all users and computers are affected by the GPOs set for their domain, site, or OU,
regardless of the other groups in which they might be members. Therefore, there are two ways of filtering
GPO scope:
• Remove the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group, but do not set this permission to Deny. Then, determine the groups to which the GPO should be applied and set the Read and Apply Group Policy permissions for these groups to Allow.
• Determine the groups to which the GPO should not be applied and set the Apply Group Policy permission for these groups to Deny. If you deny the Apply Group Policy permission to a GPO, the user or computer will not apply settings in the GPO, even if the user or computer is a member of another group that is allowed the Apply Group Policy permission.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. In the Security Filtering section, select the Authenticated Users group, and then click Remove.
Note: You cannot filter GPOs with domain local security groups.
3. Click OK to confirm the change.
4. Click Add.
5. Select the group to which you want the policy to apply, and then click OK.
Filtering a GPO to Exclude Specific Groups
The Scope tab of a GPO does not allow you to exclude specific groups. To exclude a group—that is, to
deny the Apply Group Policy permission—you must use the Delegation tab.
To deny a group the Apply Group Policy permission:
1. Select the GPO in the Group Policy Objects container in the console tree.
2. Click the Delegation tab.
3. Click the Advanced button. The Security Settings dialog box appears.
4. Click the Add button.
5. Select the group you want to exclude from the GPO. Remember, it must be a global group. GPO scope cannot be filtered by domain local groups.
6. Click OK. The group you selected is given the Allow Read permission, by default.
7. Clear the Allow Read permission check box.
8. Select the Deny Apply Group Policy check box.
9. Click OK. You are warned that Deny permissions override other permissions. Because Deny permissions override Allow permissions, we recommend that you use them sparingly. Windows reminds you of this best practice with the warning message. The process to exclude groups with the Deny Apply Group Policy permission is far more laborious than the process to include groups in the Security Filtering section of the Scope tab.
10. Confirm that you want to continue.
Note: Deny permissions are not exposed on the Scope tab. Unfortunately, when you
exclude a group, the exclusion is not shown in the Security Filtering section of the Scope tab. This
is yet one more reason to use Deny permissions sparingly.
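The include-style filtering described above (replace Authenticated Users with a specific group) is scriptable with Set-GPPermission, which is also the easier way to audit what the Scope tab hides. This is an added example, not code from the handbook; the GPO and group names are assumptions. Two points the GUI steps do not spell out: leave Authenticated Users with Read (only Apply Group Policy is removed), because since the June 2016 security update MS16-072 the Group Policy client retrieves user policy in the computer's security context and the computer account must be able to read the GPO; and the GroupPolicy module has no parameter for Deny entries, so exclusions still have to be made on the Delegation tab, where they show up in Get-GPPermission -All output only because the cmdlet reads the full ACL.

```powershell
# Added example (not from the handbook). GPO and group names are assumptions.
Import-Module GroupPolicy

$gpoName = 'Remove Help menu'
$group   = 'IT Help Desk'     # assumed global security group

# Step 1: Authenticated Users keeps Read but loses Apply Group Policy.
# -Replace sets the trustee's permission to exactly GpoRead instead of
# adding to whatever it already has. Do not remove Read: the client
# (and, after MS16-072, the computer account on behalf of the user)
# must still be able to read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: grant Read + Apply Group Policy to the intended group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 3: audit the full ACL. Trustees with Permission = GpoApply are in scope;
# a Deny set on the Delegation tab appears here with Denied = True even
# though the Scope tab never shows it.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                  @{n='Type';e={$_.Trustee.SidType}},
                  Permission, Inherited, Denied |
    Format-Table -AutoSize
```

Replication and token refresh still apply: the new group membership reaches a client only after the change replicates and the user logs off and on (or the computer restarts), as the "Identifying When Settings Become Effective" topic explains.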
What Are WMI Filters?
WMI is a management-infrastructure technology that enables administrators to monitor and control managed objects in the network. A WMI query can filter systems based on characteristics including random access memory (RAM), processor speed, disk capacity, IP address, operating-system version and service-pack level, installed applications, and printer properties. Because WMI exposes almost every property of every object within a computer, the list of attributes that you can use in a WMI query is virtually unlimited. WMI queries are written by using WMI Query Language (WQL).
You can use a WMI query to create a WMI filter, with which you can filter a GPO. You can use Group
Policy to deploy software applications and service packs. You might create a GPO to deploy an
application, and then use a WMI filter to specify that the policy should apply only to computers with a
certain operating system and service pack, such as Windows XP Service Pack 3 (SP3). The WMI query to
identify such systems is:
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND
CSDVersion="Service Pack 3"
When the Group Policy Client evaluates GPOs it has downloaded to determine which should be handed
off to the CSEs for processing, it performs the query against the local system. If the system meets the
criteria of the query, the query result is a logical True, and the CSEs process the GPO.
WMI exposes namespaces, within which are classes that can be queried. Many useful classes, including Win32_OperatingSystem, are found in the root\CIMv2 namespace, which is the namespace the GPMC proposes by default when you create a new filter.
To create a WMI filter:
1. Right-click the WMI Filters node in the GPMC console tree, and then click New. Type a name and description for the filter, and then click the Add button.
2. In the Namespace box, type the namespace for your query.
3. In the Query box, enter the query.
4. Click OK.
To filter a GPO with a WMI filter:
1. Select the GPO or GPO link in the console tree.
2. Click the Scope tab.
3. Click the WMI drop-down list, and then select the WMI filter.
You can filter a GPO with only a single WMI filter, but you can create a WMI filter with a complex query
that uses multiple criteria. You can link a single WMI filter to one or more GPOs. The General tab of a
WMI filter displays the GPOs that use the WMI filter.
There are three significant caveats regarding WMI filters:
• First, the WQL syntax of WMI queries can be challenging to master. You often can find examples
on the Internet when you search by using the keywords WMI filter and WMI query, along with a
description of the query that you want to create.
• Second, WMI filters are expensive in terms of Group Policy processing performance. Because the Group Policy Client must perform the WMI query at each policy processing interval, there is a slight impact on system performance every 90 to 120 minutes. With the performance of today’s computers, the impact might not be noticeable. However, you should test the effects of a WMI filter prior to deploying it widely in your production environment.
Note: The WMI query is processed only once per refresh, even if you use it to filter the scope of multiple GPOs.
• Third, WMI filters are not processed by computers running the Microsoft Windows 2000 Server
operating system. If a GPO is filtered with a WMI filter, a Windows 2000 Server system ignores the
filter, and then processes the GPO as if the results of the filter were true.
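Because a filter that returns no instances, or that fails to parse, silently evaluates to False and drops the GPO on every client, it pays to run the WQL against a representative machine before attaching it to a GPO. The following added example (not from the handbook) does that with Get-CimInstance and mirrors the client's rule: one or more rows means True. The handbook's XP query is included alongside two more robust forms; the last query is deliberately broken to show the error path, and all computer names are assumptions.

```powershell
# Added example (not from the handbook). Evaluates a WMI filter query the way
# the Group Policy client does: at least one instance returned = True.
function Test-GpoWmiQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2',   # GPMC's default namespace
        [string]$ComputerName                # omit to test the local machine
    )
    $args = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $args.ComputerName = $ComputerName }
    try {
        $rows = @(Get-CimInstance @args)
        [pscustomobject]@{ Result = ($rows.Count -gt 0); Instances = $rows.Count; Query = $Query; Error = $null }
    } catch {
        # A bad class name or syntax error makes the filter False on every client,
        # which drops the GPO without any obvious symptom; surface it here.
        [pscustomobject]@{ Result = $false; Instances = 0; Query = $Query; Error = $_.Exception.Message }
    }
}

$queries = @(
    # The handbook's example: exact Caption and service pack match.
    'SELECT * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"',
    # Version prefix is more robust than Caption for a product family
    # (6.2 = Windows 8 / Windows Server 2012).
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%"',
    # Workstations only: ProductType 1 = workstation, 2 = domain controller, 3 = server.
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
    # Deliberately broken (class name typo) to show the failure path.
    'SELECT * FROM Win32_OperatingSystm'
)

$queries | ForEach-Object { Test-GpoWmiQuery -Query $_ } |
    Format-Table Result, Instances, Query, Error -Wrap
```

Run the same set against one machine of each type you expect to be in and out of scope; the Result column should match the membership you intend before the filter is linked to a GPO.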
Demonstration: How to Filter Policies
This demonstration shows how to:
• Create a GPO that removes the Help menu link from the Start menu, and then link it to the IT OU.
• Use security filtering to exempt a user from the GPO.
• Test Group Policy application.
Demonstration Steps
Create a new GPO, and link it to the IT organizational unit
1. Open the Group Policy Management console on LON-DC1.
2. Create a new GPO called Remove Help menu, and then link it to the IT organizational unit.
3. Modify the settings of the GPO to remove Help from the Start menu.
Filter Group Policy application by using security group filtering
1. Remove the Authenticated Users entry from the Security Filtering list for the Remove Help menu GPO in the IT organizational unit.
2. Add the user Ed Meadows to the Security Filtering list. Now, only Ed Meadows has the Apply Group Policy permission.
Filter Group Policy application by using WMI filtering
1. Create a WMI filter called XP filter.
2. Add the following query to the filter:
Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
3. Save the query as XP filter.
4. Create a new GPO called Software Updates for XP, and link it to the IT organizational unit.
5. Modify the policy’s properties to use the XP filter.
6. Close the Group Policy Management console.
Enable or Disable GPOs and GPO Nodes
You can prevent the settings in the Computer Configuration or User Configuration nodes from processing during policy refresh by changing the GPO Status.
To enable or disable a GPO's nodes, select the GPO or GPO link in the console tree, click the Details tab, shown in the figure, and then select one of the following from the GPO Status drop-down list:
• Enabled. Both computer configuration settings and user configuration settings will be processed by CSEs during policy refresh.
• All Settings Disabled. CSEs will not process the GPO during policy refresh.
• Computer Configuration Settings Disabled. During computer policy refresh, computer configuration settings in the GPO will not be applied.
• User Configuration Settings Disabled. During user policy refresh, user configuration settings in the GPO will not be applied.
You can configure GPO status to optimize policy processing. For example, if a GPO contains only user
settings, then setting the GPO Status option to disable computer settings prevents the Group Policy client
from attempting to process the GPO during computer policy refresh. Because the GPO contains no
computer settings, there is no need to process the GPO, and you can save a few processor cycles.
Note: You can define in a GPO a configuration that should take effect in case of an emergency, security incident, or other disaster, and then link the GPO so that it is scoped to the appropriate users and computers. Then, disable the GPO. If you require the configuration to be deployed, enable the GPO; because the links, filtering and permissions are already in place and replicated, the only thing left to wait for is the clients' next policy refresh.
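The GpoStatus property of the object that Get-GPO returns is writable, so both uses above (trimming processing for a user-only GPO, and keeping a pre-staged incident-response GPO disabled until it is needed) can be scripted. This is an added example, not code from the handbook; the GPO names are assumptions.

```powershell
# Added example (not from the handbook). GPO names are assumptions.
Import-Module GroupPolicy

# A GPO that carries only user settings: disable its computer side so the
# Group Policy client skips it during computer policy refresh.
$userOnly = Get-GPO -Name 'Desktop Lockdown'
$userOnly.GpoStatus = 'ComputerSettingsDisabled'

# Pre-staged incident-response GPO: linked and filtered in advance, but
# disabled until an incident requires it.
$ir = Get-GPO -Name 'IR - Isolate Workstations'
$ir.GpoStatus = 'AllSettingsDisabled'

function Set-EmergencyGpoState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Enable','Disable')][string]$Action = 'Enable'
    )
    $gpo = Get-GPO -Name $Name
    $gpo.GpoStatus = if ($Action -eq 'Enable') { 'AllSettingsEnabled' } else { 'AllSettingsDisabled' }

    # Report the new status together with where the GPO is linked, so the
    # scope can be confirmed before clients pick it up at their next refresh.
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    [pscustomobject]@{
        Name   = $Name
        Status = (Get-GPO -Name $Name).GpoStatus
        Links  = ($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
    }
}

Set-EmergencyGpoState -Name 'IR - Isolate Workstations' -Action Enable
Set-EmergencyGpoState -Name 'IR - Isolate Workstations' -Action Disable
```

Valid GpoStatus values are AllSettingsEnabled, UserSettingsDisabled, ComputerSettingsDisabled and AllSettingsDisabled, the same four choices the Details tab offers.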
Loopback Policy Processing
By default, a user’s settings come from GPOs scoped to the user object in AD DS. Regardless of which computer the user logs on to, the resultant set of policies that determine the user’s environment is the same. There are situations, however, in which you might want to configure a user differently, depending on the computer in use. For example, you might want to lock down and standardize user desktops when users sign in to computers in closely managed environments, such as conference rooms, reception areas, laboratories, classrooms, and kiosks. It also is important for Virtual Desktop Infrastructure (VDI) scenarios, including remote virtual machines and Remote Desktop Services (RDS).
Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows desktop on all computers in conference rooms and other public areas of your office. How will you centrally manage this configuration by using Group Policy? Policy settings that configure desktop appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply to users, regardless of which computer they sign in to. The default policy processing does not give you a way to scope user settings to apply to computers, regardless of which user logs on. That is where loopback policy processing is useful.
Loopback policy processing alters the default algorithm that the Group Policy client uses to obtain
the ordered list of GPOs that should be applied to a user’s configuration. Instead of user configuration
being determined by the User Configuration node of GPOs that are scoped to the user object, user
configuration can be determined by the User Configuration node policies of GPOs that are scoped to the
computer object.
The Configure user Group Policy loopback processing mode policy, located in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy folder in Group Policy
Management Editor, can be, like all policy settings, set to Not Configured, Enabled, or Disabled.
When enabled, the policy can specify the Replace or Merge mode:
• Replace. In this case, the GPO list for the user is replaced entirely by the GPO list already obtained for
the computer at computer startup. The settings in User Configuration policies of the computer’s GPOs
are applied to the user. The Replace mode is useful in a situation such as a classroom where users
should receive a standard configuration rather than the configuration applied to those users in a less
managed environment.
• Merge. In this case, the GPO list obtained for the computer at computer startup is appended to the
GPO list obtained for the user when logging on. Because the GPO list obtained for the computer is
applied later, settings in GPOs on the computer’s list have precedence if they conflict with settings in
the user’s list. This mode would be useful to apply additional settings to users’ typical configurations.
For example, you might allow a user to receive the user’s typical configuration when logging on to a
computer in a conference room or reception area, but replace the wallpaper with a standard bitmap,
and disable the use of certain applications or devices.
Note: When you combine loopback processing with security group filtering, the application of user settings during policy refresh uses the computer’s credentials to determine which GPOs to apply as part of the loopback processing. However, the logged-on user also must have the Apply Group Policy permission for the GPO to be applied successfully. Also note that loopback processing is a computer-wide setting, not a per-GPO one: it is configured in the Computer Configuration node and changes how the computer builds the user's GPO list for every user who logs on to it.
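The loopback setting is an Administrative Template policy, so it can be written into a GPO with Set-GPRegistryValue using the registry value the template maps to. The following added example (not from the handbook) builds a kiosk GPO in Replace mode and puts one user setting into it; the GPO name, OU and the chosen user setting are assumptions.

```powershell
# Added example (not from the handbook). GPO name and OU are assumptions.
Import-Module GroupPolicy

$gpoName = 'Kiosk Loopback'
$ou      = 'OU=Kiosks,DC=adatum,DC=com'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ou -ErrorAction SilentlyContinue | Out-Null

# "Configure user Group Policy loopback processing mode" writes
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode:
#   1 = Merge   (user's own GPO list, then the computer's list applied on top)
#   2 = Replace (only the computer's GPO list supplies user settings)
$modes = @{ Merge = 1; Replace = 2 }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $modes['Replace'] | Out-Null

# A user setting carried by the same computer-scoped GPO; in Replace mode this
# is what kiosk users receive regardless of the OU their user object is in.
# (Assumed choice: "Remove Run menu from Start Menu".) The logged-on user must
# still hold Apply Group Policy on this GPO, e.g. via Authenticated Users.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Read back what was written.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
```

Switch `$modes['Replace']` to `$modes['Merge']` for the conference-room case in the Merge bullet, where users keep their normal configuration and the computer-scoped GPO only overrides conflicting settings.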
Considerations for Slow Links and Disconnected Systems
Some settings that you can configure with Group Policy can be impacted by the speed of the link that the user’s computer has with your domain network. For instance, deploying software by using GPOs would be inappropriate over slower links. Furthermore, it is important to consider the effect of Group Policies on computers that are disconnected from the domain network.
Slow Links
The Group Policy Client addresses the issue of slow links by detecting the connection speed to the domain, and by determining whether the connection should be considered a slow link. That determination is then used by each CSE to decide whether to apply settings. The software installation extension, for example, is configured to forgo policy processing, so that software is not installed if a slow link is detected.
Note: By default, a link is considered to be slow if it is less than 500 kilobits per second
(Kbps). However, you can configure this to a different speed.
If Group Policy detects a slow link, it sets a flag to indicate the slow link to the CSEs. The CSEs then can
determine whether to process the applicable Group Policy settings. The following table describes the
default behavior of the client-side extensions.
Client-side extension                          Slow link processing   Can it be changed?
Registry policy processing                     On                     No
Internet Explorer maintenance                  Off                    Yes
Software Installation policy                   Off                    Yes
Folder Redirection policy                      Off                    Yes
Scripts policy                                 Off                    Yes
Security policy                                On                     No
Internet Protocol Security (IPsec) policy      Off                    Yes
Wireless policy                                Off                    Yes
Encrypting File System (EFS) Recovery policy   On                     Yes
Disk Quota policy                              Off                    Yes
Disconnected Computers
If a user is working while disconnected from the network, the settings previously applied by Group Policy continue to take effect. That way, a user’s experience is identical, irrespective of whether he or she is on the network or away. There are exceptions to this rule, most notably that startup, logon, logoff, and shutdown scripts will not run if the user is disconnected.
If a remote user connects to the network, the Group Policy client wakes up and determines whether a
Group Policy refresh window was missed. If so, it performs a Group Policy refresh to obtain the latest
GPOs from the domain. Again, the CSEs determine, based on their policy processing settings, whether
settings in those GPOs are applied.
Note: This process does not apply to Windows XP or Windows Server 2003 systems. It
applies only to Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7,
Windows 8, and Windows Server 2012.
Identifying When Settings Become Effective
There are several processes that must be
completed before Group Policy settings are
actually applied to a user or a computer. This
topic discusses these processes.
GPO Replication Must Happen
Before a GPO can take effect, the Group Policy
container in Active Directory must be replicated
to the domain controller from which the Group
Policy Client obtains its ordered list of GPOs.
Additionally, the Group Policy template in SYSVOL
must replicate to the same domain controller.
Group Changes Must Be Incorporated
Finally, if you have added a new group or changed the membership of a group that is used to filter the
GPO, that change also must be replicated. Furthermore, the change must be in the security token of the
computer and the user, which requires a restart (for the computer to update its group membership) or a
logoff and logon (for the user to update its group membership).
User or Computer Group Policy Refresh Must Occur
Refresh happens at startup (for computer settings), at logon (for user settings), and every 90 to 120
minutes thereafter, by default.
Note: Remember that the practical impact of the Group Policy refresh interval is that when you make a change in your environment, it will be, on average, one-half that time, or 45 to 60 minutes, before the change starts to take effect.
By default, Windows XP, Windows Vista, Windows 7, and Windows 8 clients perform only background
refreshes at startup and logon, which means that a client might start up and a user might sign in without
receiving the latest policies from the domain. We highly recommend that you change this default
behavior so that policy changes are implemented in a managed, predictable way. Enable the policy
setting Always Wait For Network At Startup And Logon for all Windows clients. The setting is
located in Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to
read the policy setting’s explanatory text. Note that this does not affect the startup or logon time for
computers that are not connected to a network. If the computer detects that it is disconnected, it does
not "wait" for a network.
Logon or Restart
Although most settings are applied during a background policy refresh, some CSEs do not apply the
setting until the next startup or logon event. For example, newly added startup and logon script policies
do not run until the next computer startup or logon. Software installation will occur at the next startup if
the software is assigned in computer settings. Changes to folder-redirection policies will not take effect
until the next logon.
Manually Refresh Group Policy
When you experiment with Group Policy or troubleshoot Group Policy processing, you might need to initiate a Group Policy refresh manually so that you do not have to wait for the next background refresh. You can use the GPUpdate command to initiate a Group Policy refresh. Used on its own, this command triggers processing identical to a background Group Policy refresh: both computer policy and user policy are refreshed. Use the /target:computer or /target:user parameter to limit the refresh to computer or user settings, respectively. During background refresh, by default, settings are applied only if the GPO has been updated. The /force switch causes the system to reapply all settings in all GPOs scoped to the user or computer. Some policy settings require a logoff or reboot before they actually take effect. The /logoff and /boot switches of GPUpdate cause a logoff or reboot, respectively, when a CSE reports that one is required. You can use these switches when you apply settings that require a logoff or reboot.
For example, the command that reapplies all policy settings and, if necessary, logs off and reboots to apply updated policy settings is:
gpupdate /force /logoff /boot
Most CSEs Do Not Reapply Settings if the GPO Has Not Changed
Remember that most CSEs apply settings in a GPO only if the GPO version has changed. This means that if
a user can change a setting that was specified originally by Group Policy, the setting will not be brought
back into compliance with the settings that the GPO specifies until the GPO changes. Fortunately, most
policy settings cannot be changed by a nonprivileged user. However, if a user is an administrator of his or
her computer, or if the policy setting affects a part of the registry or of the system that the user has
permissions to change, this could be a real problem.
You have the option of instructing each CSE to reapply the settings of GPOs, even if the GPOs have not
been changed. Processing behavior of each CSE can be configured in the policy settings found in
Computer Configuration\Administrative Templates\System\Group Policy.
Lesson 4
Troubleshooting the Application of GPOs
With the interaction of multiple settings in multiple GPOs scoped by using a variety of methods, Group Policy application can be complex to analyze and understand. Therefore, you must be equipped to evaluate and troubleshoot your Group Policy implementation effectively, identify potential problems before they arise, and solve unforeseen challenges. Windows Server provides tools that are indispensable for supporting Group Policy. In this lesson, you will explore the use of these tools in both proactive and reactive troubleshooting and support scenarios.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to refresh GPOs on a client computer.
• Analyze the set of GPOs and policy settings that have been applied to a user or computer.
• Generate Resultant Set of Policy (RSoP) reports to help in the analysis of GPO settings.
• Proactively model the impact of Group Policy or Active Directory changes on the RSoP.
• Locate the event logs containing Group Policy–related events.
Refreshing GPOs
Computer configuration settings are applied at startup, and then are refreshed at regular intervals. Any startup scripts are run at computer startup. The default interval is every 90 minutes, with a random offset of up to 30 minutes so that clients do not all refresh at once, but this is configurable. The exception to the set interval is domain controllers, which have their settings refreshed every five minutes.
User settings are applied at logon and are refreshed at regular, configurable intervals; the default is also 90 minutes with the same random offset. Any logon scripts are run at logon.
Note: A number of user settings require two
logons before the user sees the effect of the GPO. This is because users logging on to the same
computer use cached credentials to speed up logons. This means that, although the policy
settings are being delivered to the computer, the user is already logged on and the settings will
therefore not take effect until the next logon. The folder redirection setting is an example of this.
You can change the refresh interval by configuring a Group Policy setting. For computer settings, the
refresh interval setting is found in the Computer Configuration\Policies\Administrative Templates
\System\Group Policy node. For user settings, the refresh interval is found at the corresponding settings
under User Configuration. An exception to the refresh interval is security settings. The security settings
section of the Group Policy will be refreshed at least every 16 hours, regardless of the interval that you set
for the refresh interval.
You can also refresh Group Policy manually. The command line utility Gpupdate refreshes and delivers
any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy
settings. There is also a new Windows PowerShell Invoke-Gpupdate cmdlet, which performs the same
function.
A new feature in Windows Server 2012 is Remote Policy Refresh. This feature allows administrators to use the GPMC to target an OU and force a Group Policy refresh on all of its computers and their currently logged-on users. To do this, you right-click any OU, and then click Group Policy Update. The update occurs within 10 minutes; the target computers must allow the inbound firewall traffic for remote scheduled-task management and WMI that the refresh relies on.
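The manual refresh discussed in "Manually Refresh Group Policy" and the Remote Policy Refresh described here come together in the following added example (not from the handbook): a local gpupdate, an Invoke-GPUpdate loop over every computer in an OU, and a check of the Group Policy Operational log to confirm that a processing cycle completed. The OU name is an assumption; the pre-Vista exclusion reflects the note above that the remote refresh mechanism only applies to Windows Vista/Windows Server 2008 and later.

```powershell
# Added example (not from the handbook). The OU name is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Local refresh: like a background refresh, but reapply every setting rather
# than only GPOs whose version changed.
gpupdate /target:computer /force

# Remote refresh (Windows Server 2012 Remote Policy Refresh). Invoke-GPUpdate
# schedules gpupdate on each target; the GPMC "Group Policy Update" action
# does the same for a whole OU. Targets need the inbound firewall rules for
# remote scheduled-task management and WMI (the GPMC ships a starter GPO,
# "Group Policy Remote Update Firewall Ports", for exactly this).
$ou = 'OU=IT,DC=adatum,DC=com'
$computers = Get-ADComputer -Filter * -SearchBase $ou -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike '*XP*' -and $_.OperatingSystem -notlike '*2003*' }

foreach ($c in $computers) {
    try {
        # RandomDelayInMinutes 0 runs immediately instead of spreading over 10 minutes.
        Invoke-GPUpdate -Computer $c.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        '{0}: refresh scheduled' -f $c.DNSHostName
    } catch {
        '{0}: FAILED - {1}' -f $c.DNSHostName, $_.Exception.Message
    }
}

function Get-LastPolicyRefresh {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Events 8000-8007 in the Group Policy Operational log record the completion
    # of each processing cycle (boot, logon, network change, manual, periodic),
    # so the newest ones show when, and by which trigger, policy last applied.
    Get-WinEvent -ComputerName $ComputerName -MaxEvents 2 -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8000..8007 } |
        Select-Object MachineName, TimeCreated, Id,
                      @{n='Message';e={ ($_.Message -split "`n")[0] }}
}

Get-LastPolicyRefresh
```

Give the scheduled refresh a few minutes, then run Get-LastPolicyRefresh against a target to confirm a manual-refresh completion event newer than your change.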
Note: Sometimes, the failure of a GPO to apply is a result of problems with the underlying technology that is responsible for replicating both AD DS and SYSVOL. In Windows Server 2012, you can view the replication status by using Group Policy Management: select the domain node, click the Status tab, and then click Detect Now.
Resultant Set of Policy
Group Policy inheritance, filters, and exceptions are complex, and it is often difficult to determine which policy settings will apply.
RSoP is the net effect of GPOs applied to a user or computer, taking into account GPO links, exceptions, such as Enforced and Block Inheritance, and application of security and WMI filters.
RSoP is also a collection of tools that help you evaluate, model, and troubleshoot the application of Group Policy settings. RSoP can query a local or remote computer, and then report back the exact settings that were applied to the computer and to any user who has logged on to the computer.
RSoP also can model the policy settings that are anticipated to be applied to a user or computer under a
variety of scenarios, including moving the object between OUs or sites, or changing the object’s group
membership. With these capabilities, RSoP can help you manage and troubleshoot conflicting policies.
Windows Server 2012 provides the following tools for performing RSoP analysis:
• The Group Policy Results Wizard
• The Group Policy Modeling Wizard
• GPResult.exe
Generate RSoP Reports
To help you analyze the cumulative effect of GPOs and policy settings on a user or computer in your organization, the GPMC includes the Group Policy Results Wizard. If you want to understand exactly which policy settings have applied to a user or a computer, and why, the Group Policy Results Wizard is the tool to use.
Generate RSoP Reports with the Group Policy Results Wizard
The Group Policy Results Wizard can reach into the WMI provider on a local or remote computer that is running Windows XP or newer. The WMI provider can report everything there is to know about the way Group Policy was applied to the system. It knows when processing occurred, which GPOs were applied, which GPOs were not applied and why, errors that were encountered, and the exact policy settings that took precedence and their source GPO.
There are several requirements for running the Group Policy Results Wizard, as follows:
• The target computer must be online.
• You must have administrative credentials on the target computer.
• The target computer must be running Windows XP or newer. The Group Policy Results Wizard cannot
access Windows 2000 systems.
• You must be able to access WMI on the target computer. This means the computer must be online,
connected to the network, and accessible through ports 135 and 445.
Note: Performing RSoP analysis by using the Group Policy Results Wizard is just one example of remote administration. To perform remote administration, you may need to configure inbound rules for the firewall that your clients and servers use.
• The WMI service must be started on the target computer.
•
If you want to analyze RSoP for a user, that user must have logged on at least once to the computer,
although it is not necessary for the user to be currently logged on.
After you have ensured that the requirements are met, you are ready to run an RSoP analysis.
To run an RSoP report, right-click Group Policy Results in the GPMC console tree, and then click Group
Policy Results Wizard.
The wizard prompts you to select a computer. It then connects to the WMI provider on that computer, and provides a list of users that have logged on to it. You then can select one of the users, or you can skip RSoP analysis for user configuration policies.
The wizard produces a detailed RSoP report in a dynamic HTML format. If Internet Explorer Enhanced
Security Configuration is set, you will be prompted to allow the console to display the dynamic content.
You can expand or collapse each section of the report by clicking the Show or Hide link, or by double-
clicking the heading of the section.
The report is displayed on three tabs:
• Summary. The Summary tab displays the status of Group Policy processing at the last refresh. You
can identify information that was collected about the system, the GPOs that were applied and denied,
security group membership that might have affected GPOs filtered with security groups, WMI filters
that were analyzed, and the status of CSEs.
•
Settings. The Settings tab displays the resultant set of policy settings applied to the computer or user.
This tab shows you exactly what has happened to the user through the effects of your Group Policy
implementation. You can learn a tremendous amount of information from the Settings tab, although
some data is not reported, including IPsec, wireless, and disk-quota policy settings.
• Policy Events. The Policy Events tab displays Group Policy events from the event logs of the target
computer.
After you generate an RSoP report with the Group Policy Results Wizard, you can right-click the report to
rerun the query, print the report, or save the report as either an XML file or an HTML file that maintains
the dynamic expanding and collapsing sections. You can open both file types with Internet Explorer, so
the RSoP report is portable outside the GPMC.
If you right-click the node of the report itself, under the Group Policy Results folder in the console tree, you can switch to Advanced View. In Advanced View, RSoP is displayed by using the RSoP snap-in, which exposes all applied settings, including IPsec, wireless, and disk quota policies.
Generate RSoP Reports with GPResult.exe
The GPResult.exe command is the command-line version of the Group Policy Results Wizard.
GPResult taps into the same WMI provider as the wizard, produces the same information and, in fact,
enables you to create the same graphical reports. GPResult runs on Windows XP, Windows Vista,
Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, and Windows Server 2012.
Note: Windows 2000 includes a GPResult.exe command, which produces a limited report
of Group Policy processing. However, it is not as sophisticated as the command that newer Windows versions include.
When you run the GPResult command, you are likely to use the following options:
• /s computername. This option specifies the name or IP address of a remote system. If you use a dot (.) as the computer name, or do not include the /s option, the RSoP analysis is performed on the local computer.
• /scope [user | computer]. This displays RSoP analysis for user or computer settings. If you omit the /scope option, RSoP analysis includes both user and computer settings.
• /user username. This specifies the name of the user for which you want to display RSoP data.
• /r. This option displays a summary of RSoP data.
• /v. This option displays verbose RSoP data, which presents the most meaningful information.
• /z. This displays super verbose data, including the details of all policy settings applied to the system. Often, this is more information than you will require for typical Group Policy troubleshooting.
• /u domain\user /p password. This provides credentials that are in the Administrators group of a remote system. Without these credentials, GPResult runs by using the credentials with which you are logged on.
• [/x | /h] filename. This option saves the reports in the XML or HTML format. These options are available in Windows Vista Service Pack 1 (SP1) and newer, Windows Server 2008 and newer, Windows 7, and Windows 8.
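The /x option is the one that lends itself to automation, because the XML report can be parsed instead of read. The following script is an added example, not part of the handbook: it runs GPResult with /x against a chosen computer (and optionally a user), then lists which GPOs were applied or denied and why, and which client-side extensions finished with an error. It assumes gpresult.exe is on the path, that you meet the remote-administration requirements described above, and that the report uses the element names emitted by gpresult /x (Rsop, ComputerResults, UserResults, GPO, AccessDenied, FilterAllowed, Enabled, Link/SOMPath, ExtensionStatus/Name, ExtensionStatus/Error).

```powershell
# Added example (not from the handbook): collect RSoP as XML with gpresult /x
# and summarise applied/denied GPOs and CSE errors from the saved report.
param(
    [string]$Computer = '.',             # '.' means the local computer (same as omitting /s)
    [string]$User,                       # optional: user whose RSoP to collect
    [string]$OutDir = "$env:TEMP\rsop"   # assumed location for the saved XML reports
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$target  = if ($Computer -eq '.') { $env:COMPUTERNAME } else { $Computer }
$xmlPath = Join-Path $OutDir "rsop-$target-$stamp.xml"

# Build the gpresult argument list; /f overwrites an existing report file.
$gpArgs = @('/x', $xmlPath, '/f')
if ($Computer -ne '.') { $gpArgs += @('/s', $Computer) }
if ($User)             { $gpArgs += @('/user', $User) }

& gpresult.exe @gpArgs | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $xmlPath)) {
    throw "gpresult failed for $target (exit code $LASTEXITCODE)"
}
[xml]$rsop = Get-Content -Path $xmlPath -Raw

function Get-GpoStatus {
    # Classify each GPO the client evaluated for one scope (computer or user).
    param($Scope, [string]$ScopeName)
    foreach ($gpo in @($Scope.GPO)) {
        if (-not $gpo) { continue }
        if     ($gpo.AccessDenied  -eq 'true')  { $status = 'Denied (security filtering)' }
        elseif ($gpo.FilterAllowed -eq 'false') { $status = 'Denied (WMI filter)' }
        elseif ($gpo.Enabled       -eq 'false') { $status = 'Denied (link disabled)' }
        else                                    { $status = 'Applied' }
        [pscustomobject]@{
            Scope    = $ScopeName
            GPO      = $gpo.Name
            Status   = $status
            LinkedAt = (@($gpo.Link.SOMPath) -join '; ')
        }
    }
}

function Get-CseErrors {
    # Report client-side extensions whose last run ended with a non-zero error code.
    param($Scope, [string]$ScopeName)
    foreach ($ext in @($Scope.ExtensionStatus)) {
        if ($ext -and $ext.Error -and [int]$ext.Error -ne 0) {
            [pscustomobject]@{ Scope = $ScopeName; Extension = $ext.Name; Error = $ext.Error }
        }
    }
}

$gpoRows   = @(Get-GpoStatus -Scope $rsop.Rsop.ComputerResults -ScopeName 'Computer')
$cseErrors = @(Get-CseErrors -Scope $rsop.Rsop.ComputerResults -ScopeName 'Computer')
if ($rsop.Rsop.UserResults) {
    $gpoRows   += Get-GpoStatus -Scope $rsop.Rsop.UserResults -ScopeName 'User'
    $cseErrors += Get-CseErrors -Scope $rsop.Rsop.UserResults -ScopeName 'User'
}

"RSoP for $target (report saved to $xmlPath)"
$gpoRows | Sort-Object Scope, Status, GPO | Format-Table -AutoSize
if ($cseErrors) { "CSEs that reported errors:"; $cseErrors | Format-Table -AutoSize }
else            { "No CSE errors recorded." }
```

Because the XML is kept on disk with a timestamp, the same script run from a scheduled task gives you a history of what a sensitive computer actually received, which is more useful during an investigation than a single on-demand HTML report.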
Troubleshoot Group Policy with the Group Policy Results Wizard or GPResult.exe
As an administrator, you will likely encounter scenarios that require Group Policy troubleshooting. You
might need to diagnose and solve problems, including the following:
• GPOs are not being applied at all.
• The resultant set of policies for a computer or user is not what was expected.
The Group Policy Results Wizard and GPResult.exe often will provide the most valuable insight into
Group Policy processing and application problems. Remember that these tools examine the WMI RSoP
provider to report exactly what happened on a system. Examining the RSoP report will often point you
to GPOs that are scoped incorrectly or policy processing errors that prevented the application of GPO
settings.
Demonstration: How to Perform What-If Analysis with the Group Policy Modeling Wizard
If you move a computer or user between sites, domains, or OUs, or change its security group membership,
the GPOs scoped to that user or computer will change. Therefore, the RSoP for the computer or user will
be different. The RSoP will also change if slow link or loopback processing occurs, or if there is a change to
a system characteristic that a WMI filter targets.
Before you make any of these changes, you should evaluate the potential impact that a user or computer
will have on the RSoP. The Group Policy Results Wizard can perform RSoP analysis only on what has
actually happened. To predict the future, and to perform what-if analyses, you can use the Group Policy
Modeling Wizard.
To perform Group Policy Modeling, right-click the Group Policy Modeling node in the GPMC console
tree, click Group Policy Modeling Wizard, and then perform the steps in the wizard.
Modeling is performed by conducting a simulation on a domain controller, so you are first asked to select
a domain controller. You do not need to be logged on locally to the domain controller, but the modeling
request will be performed on the domain controller. You then are asked to specify the settings for the
simulation, including to:
• Select a user or computer object to evaluate, or specify the OU, site, or domain to evaluate.
• Choose whether slow link processing should be simulated.
• Specify to simulate loopback processing and, if so, choose Replace or Merge mode.
• Select a site to simulate.
• Select security groups for the user and for the computer.
• Choose which WMI filters to apply in the simulation of user and computer policy processing.
When you have specified the simulation’s settings, a report is produced that is very similar to the Group Policy Results report discussed earlier. The Summary tab shows an overview of which GPOs will be processed, and the Settings tab details the policy settings that will be applied to the user or computer. This report, too, can be saved by right-clicking it, and then choosing Save Report.
Demonstration
This demonstration shows how to:
• Run GPResult.exe from the command prompt.
• Run GPResult.exe from the command prompt, and then output the results to an HTML file.
• Open the GPMC.
• Run the Group Policy Reporting Wizard, and then view the results.
• Run the Group Policy Modeling Wizard, and then view the results.
Demonstration Steps
Use GPResult.exe to create a report
1. On LON-DC1, open a command prompt.
2. Run the following commands:
Gpresult /r
Gpresult /h results.html
3. Open the results.html report in Internet Explorer, and then review the report.
Use the Group Policy Reporting Wizard to create a report
1. Close the command prompt, and then open the Group Policy Management Console.
2. From the Group Policy Results node, launch the Group Policy Results Wizard.
3. Complete the wizard by using the defaults.
4. Review the report, and then save the report to the Desktop.
Use the Group Policy Modeling Wizard to create a report
1. From the Group Policy Modeling node, launch the Group Policy Modeling Wizard.
2. Specify the user for the report as Ed Meadows and the computer container as the IT organizational unit.
3. Complete the wizard using the defaults, and then review the report.
4. Close the Group Policy Management Console.
Examine Policy Event Logs
Windows Vista, Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012 improve your ability to troubleshoot Group Policy not only with RSoP tools, but also with improved logging of Group Policy events, including the:
• System log, in which you will find high-level information about Group Policy, including errors created by the Group Policy client when it cannot connect to a domain controller or locate GPOs.
• Application log, which captures events recorded by CSEs.
• Group Policy Operational Log, which provides detailed information about Group Policy processing.
To find Group Policy logs, open the Event Viewer snap-in or console. The System and Application logs are in the Windows Logs node. The Group Policy Operational Log is found in:
Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational
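The three logs above can be read from PowerShell as well as from Event Viewer, which is handy for the step in the lab where you locate the events of a refresh you triggered with gpupdate. The script below is an added example, not part of the handbook: it collects Group Policy events written since a given time from the System, Application and Operational logs, then groups the Operational log by ActivityId, the correlation ID the Group Policy service stamps on every event of one processing pass, so each refresh shows up as one row with its warning and error count. It assumes it runs on the client being examined (LON-CL1 in the lab) with rights to read the logs, and that $Since is the time you noted after running gpupdate.

```powershell
# Added example (not from the handbook): triage Group Policy events after a refresh.
param(
    [datetime]$Since = (Get-Date).AddHours(-1)   # time noted after gpupdate /force
)

$opLog = 'Microsoft-Windows-GroupPolicy/Operational'

# 1. System log: the Group Policy client's own high-level events (DC unreachable, GPOs not found).
$system = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; StartTime = $Since
} -ErrorAction SilentlyContinue

# 2. Application log: events written by client-side extensions (CSEs). CSEs log under
#    their own provider names, so match on the message text as well.
$app = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*GroupPolicy*' -or $_.Message -like '*Group Policy*' }

# 3. Operational log: the detailed processing trace.
$op = Get-WinEvent -FilterHashtable @{ LogName = $opLog; StartTime = $Since } -ErrorAction SilentlyContinue

"System log:      $(@($system).Count) Group Policy events since $Since"
"Application log: $(@($app).Count) Group Policy related events"
"Operational log: $(@($op).Count) events"

# Each policy refresh (gpupdate, logon, background refresh) gets its own ActivityId,
# so grouping by it shows one processing pass per row, oldest first.
$op | Group-Object ActivityId | ForEach-Object {
    $events = @($_.Group | Sort-Object TimeCreated)
    $bad    = @($events | Where-Object { $_.Level -in 1, 2, 3 })   # 1 critical, 2 error, 3 warning
    [pscustomobject]@{
        Started    = $events[0].TimeCreated
        Events     = $events.Count
        Problems   = $bad.Count
        FirstEvent = $events[0].Id
        LastEvent  = $events[-1].Id
        Worst      = if ($bad) { ($bad[0].Message -split "`r?`n")[0] } else { '' }
    }
} | Sort-Object Started | Format-Table -AutoSize

# Show the full text of warnings and errors so the failing CSE or DC lookup is visible.
$op | Where-Object { $_.Level -in 1, 2, 3 } | Sort-Object TimeCreated |
    Format-List TimeCreated, Id, LevelDisplayName, ActivityId, Message
```

The ActivityId grouping is the part worth remembering: when a user reports that "policy did not apply", finding the pass that matches the time of the complaint and reading its events in order usually points straight at the extension or the directory lookup that failed.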
Lab: Implementing a Group Policy Infrastructure
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT
office and a data center are located in London to support the London office and other locations. A. Datum
recently has deployed a Windows Server 2012 server and client infrastructure.
You have been asked to use Group Policy to implement standardized security settings to lock computer
screens when users leave computers unattended for 10 minutes or more. You also have to configure a
policy setting that will prevent access to certain programs on local workstations.
After some time, you have been made aware that a critical application fails when the screen saver starts,
and an engineer has asked you to prevent the setting from applying to the team of Research engineers
that uses the application every day. You have also been asked to configure conference room computers to
use a 45-minute timeout.
After creating the policies you need to evaluate the resultant set of policies for users in your environment
to ensure that the Group Policy infrastructure is optimized, and that all policies are applied as they were
intended.
Objectives
After completing this lab, you will be able to:
• Create and configure a GPO.
• Manage Group Policy scope.
• Troubleshoot Group Policy application.
• Manage GPOs.
Lab Setup
Estimated Time: 90 minutes
Virtual machine(s): 20411B-LON-DC1, 20411B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Adatum
5. Repeat steps 2 and 3 for 20411B-LON-CL1. Do not sign in to LON-CL1 until directed to do so.
Exercise 1: Creating and Configuring GPOs
Scenario
You have been asked to use Group Policy to implement standardized security settings to lock computer
screens when users leave computers unattended for 10 minutes or more. You also have to configure a
policy setting that will prevent users from running the Notepad application on local workstations.
The main tasks for this exercise are as follows:
1. Create and edit a Group Policy Object (GPO).
2. Link the GPO.
3. View the effects of the GPO’s settings.
Task 1: Create and edit a Group Policy Object (GPO)
1. On LON-DC1, from Server Manager, open the Group Policy Management console.
2. Create a GPO named ADATUM Standards in the Group Policy Objects container.
3. Edit the ADATUM Standards policy, and navigate to User Configuration, Policies, Administrative Templates, System.
4. Prevent users from running notepad.exe by configuring the Don’t run specified Windows applications policy setting.
5. Navigate to the User Configuration, Policies, Administrative Templates, Control Panel, Personalization folder, and then configure the Screen saver timeout policy to 600 seconds.
6. Enable the Password protect the screen saver policy setting, and then close the Group Policy Management Editor window.
Task 2: Link the GPO
• Link the ADATUM Standards GPO to the Adatum.com domain.
Task 3: View the effects of the GPO’s settings
1. Sign in to LON-CL1 as Adatum\Pat with the password Pa$$w0rd.
2. Attempt to change the screen saver wait time and resume settings. You are prevented from doing this by Group Policy.
3. Attempt to run Notepad. You are prevented from doing this by Group Policy.
Results: After this exercise, you should have successfully created, edited, and linked the required GPOs.
Exercise 2: Managing GPO Scope
Scenario
After some time, you have been made aware that a critical application that the Research engineering team uses is failing when the screen saver starts. You have been asked to prevent the GPO setting from applying to any member of the Engineering security group. You also have been asked to configure conference room computers to be exempt from corporate policy. However, they always must have a 45-minute screensaver timeout applied.
The main tasks for this exercise are as follows:
1. Create and link the required GPOs.
2. Verify the order of precedence.
3. Configure the scope of a GPO with security filtering.
4. Configure loopback processing.
Task 1: Create and link the required GPOs
1. On LON-DC1, open Active Directory Users and Computers and in the Research OU, create a sub-OU called Engineers, and then close Active Directory Users and Computers.
2. In the Group Policy Management Console, create a new GPO linked to the Engineers OU called Engineering Application Override.
3. Configure the Screen saver timeout policy setting to be disabled, and then close the Group Policy Management Editor.
Task 2: Verify the order of precedence
• In the Group Policy Management console tree, select the Engineers OU, and then click the Group
Policy Inheritance tab. Notice that the Engineering Application Override GPO has precedence over
the ADATUM Standards GPO. The screen saver timeout policy setting you just configured in the
Engineering Application Override GPO will be applied after the setting in the ADATUM Standards
GPO. Therefore, the new setting will overwrite the standards setting, and will win. Screen saver
timeout will be disabled for users within the scope of the Engineering Application Override GPO.
Task 3: Configure the scope of a GPO with security filtering
1. On LON-DC1, open Active Directory Users and Computers. In the Research\Engineers OU, create
a global security group named GPO_Engineering Application Override_Apply.
2. In the Group Policy Management console, select the Engineering Application Override GPO. Notice
that in the Security Filtering section, the GPO applies by default to all authenticated users. Configure
the GPO to apply only to the GPO_Engineering Application Override_Apply group.
3. In the Users folder, create a global security group named GPO_ADATUM Standards_Exempt.
4. In the Group Policy Management console, select the ADATUM Standards GPO. Notice that in the Security Filtering section, the GPO applies by default to all authenticated users.
5. Configure the GPO delegation to deny Apply Group Policy permission to the GPO_ADATUM Standards_Exempt group.
Task 4: Configure loopback processing
1. On LON-DC1, switch to Active Directory Users and Computers.
2. Create a new OU called Kiosks.
3. Under Kiosks, create a sub-OU called Conference Rooms.
4. Switch to the Group Policy Management console.
5. Create a new GPO named Conference Room Policies and link it to the Kiosks\Conference Rooms OU.
6. Confirm that the Conference Room Policies GPO is scoped to Authenticated Users.
7. Edit the Conference Room Policies GPO and modify the Screen Saver timeout policy to launch the
screen saver after 45 minutes.
8. Modify the Configure user Group Policy loopback processing mode policy setting to use Merge
mode.
Results: After this exercise, you should have successfully configured the required scope of the GPOs.
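Exercises 1 and 2 can also be built with the GroupPolicy and ActiveDirectory cmdlets. The script below is an added example, not lab content (the lab itself expects you to use the consoles), and is what you would keep in source control so the standard and its exemptions can be recreated or audited. It assumes the Adatum.com domain and the OU and group names used in the lab; the registry paths are the ones the named Administrative Template settings write to. The Deny entry for Apply Group Policy that Task 3 step 5 asks for is left as a console step, because Set-GPPermission cannot write a Deny entry.

```powershell
# Added example (not from the handbook): Exercise 1 and 2 GPOs, links and scope via cmdlets.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = 'DC=Adatum,DC=com'                                              # lab domain (assumed)
$desktop  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' # screen saver policy values
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' # "Don't run specified Windows applications"

# Exercise 1: ADATUM Standards (10-minute password-protected lock, no Notepad), linked to the domain.
$std = New-GPO -Name 'ADATUM Standards' -Comment 'Corporate standard: lock after 10 min, block notepad.exe'
Set-GPRegistryValue -Name $std.DisplayName -Key $desktop  -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key $desktop  -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key "$explorer\DisallowRun" -ValueName '1' -Type String -Value 'notepad.exe' | Out-Null
New-GPLink -Name $std.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null

# Exercise 2, Task 1: Engineers sub-OU under Research with an override GPO that disables the timeout.
$researchOU  = "OU=Research,$domainDN"
$engineersOU = "OU=Engineers,$researchOU"
New-ADOrganizationalUnit -Name 'Engineers' -Path $researchOU -ErrorAction SilentlyContinue
$ovr = New-GPO -Name 'Engineering Application Override' -Comment 'Research engineers: screen saver timeout disabled (app fails on lock)'
# -Disable writes the "Disabled" state of the policy setting (a delete entry in registry.pol).
Set-GPRegistryValue -Name $ovr.DisplayName -Key $desktop -ValueName 'ScreenSaveTimeOut' -Disable | Out-Null
New-GPLink -Name $ovr.DisplayName -Target $engineersOU -LinkEnabled Yes | Out-Null

# Exercise 2, Task 3: security filtering. Grant Apply to the _Apply group and downgrade
# Authenticated Users to Read rather than removing them entirely: since the MS16-072 change
# the computer account must still be able to read a user GPO for it to be processed.
New-ADGroup -Name 'GPO_Engineering Application Override_Apply' -GroupScope Global -GroupCategory Security -Path $engineersOU -ErrorAction SilentlyContinue
New-ADGroup -Name 'GPO_ADATUM Standards_Exempt' -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN" -ErrorAction SilentlyContinue
Set-GPPermission -Name $ovr.DisplayName -TargetName 'GPO_Engineering Application Override_Apply' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $ovr.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
# GPO_ADATUM Standards_Exempt needs a Deny on Apply Group Policy: set it on the ADATUM Standards
# GPO's Delegation tab (Advanced), as in Task 3 step 5; Set-GPPermission has no Deny level.

# Exercise 2, Task 4: conference room kiosks with a 45-minute timeout and loopback Merge mode.
$kiosksOU = "OU=Kiosks,$domainDN"
New-ADOrganizationalUnit -Name 'Kiosks' -Path $domainDN -ErrorAction SilentlyContinue
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path $kiosksOU -ErrorAction SilentlyContinue
$conf = New-GPO -Name 'Conference Room Policies' -Comment 'Kiosk machines: 45 min lock, user settings merged via loopback'
Set-GPRegistryValue -Name $conf.DisplayName -Key $desktop -ValueName 'ScreenSaveTimeOut' -Type String -Value '2700' | Out-Null
# UserPolicyMode: 1 = Merge, 2 = Replace ("Configure user Group Policy loopback processing mode").
Set-GPRegistryValue -Name $conf.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $conf.DisplayName -Target "OU=Conference Rooms,$kiosksOU" -LinkEnabled Yes | Out-Null

# Task 2 check: list the GPOs inherited at the Engineers OU in precedence order (lower Order wins last).
(Get-GPInheritance -Target $engineersOU).InheritedGpoLinks | Format-Table DisplayName, Order, Enabled -AutoSize
```

Expressing the scope as code has a side benefit for review: the -Comment text and the group names travel with the GPO, so the reason an exemption exists is recorded where the next administrator will look for it.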
Exercise 3: Verifying GPO Application
Scenario
After creating the policies that you need, evaluate the resultant set of policies for your environment’s users to ensure that the Group Policy infrastructure is healthy, and that all policies are applied as they were intended.
The main tasks for this exercise are as follows:
1. Perform Resultant Set of Policy (RSoP) analysis.
2. Analyze RSoP with GPResults.
3. Evaluate GPO results by using the Group Policy Modeling Wizard.
4. Review policy events and determine GPO infrastructure status.
Task 1: Perform Resultant Set of Policy (RSoP) analysis
1. On LON-CL1, verify that you are still logged on as Adatum\Pat. If necessary, provide the password of Pa$$w0rd.
2. Run the command prompt as an administrator, with the user name Adatum\Administrator and the password Pa$$w0rd.
3. Run the gpupdate /force command. After the command has completed, make a note of the current system time, which you will need to know for a task later in this lab:
Time: ____________________________________
4. Restart LON-CL1, and then wait for it to restart before proceeding with the next task.
5. On LON-DC1, switch to the Group Policy Management console.
6. Use the Group Policy Results Wizard to run an RSoP report for Pat on LON-CL1.
7. Review Group Policy Summary results. For both user and computer configuration, identify the time of the last policy refresh and the list of allowed and denied GPOs. Identify the components that were used to process policy settings.
8. Click the Details tab. Review the settings that were applied during user and computer policy application, and then identify the GPO from which the settings were obtained.
9. Click the Policy Events tab, and then locate the event that logs the policy refresh you triggered with the GPUpdate command in Task 1.
10. Click the Summary tab, right-click the page, and then choose Save Report. Save the report as an HTML file to your desktop. Then open the RSoP report from the desktop.
Task 2: Analyze RSoP with GPResults
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open a command prompt and run the gpresult /r command. RSoP summary results are displayed. The information is very similar to the Summary tab of the RSoP report produced by the Group Policy Results Wizard.
3. Type gpresult /v, and then press Enter. A more detailed RSoP report is produced. Notice that many of the Group Policy settings applied by the client are listed in this report.
4. Type gpresult /z, and then press Enter. The most detailed RSoP report is produced.
5. Type gpresult /h:"%userprofile%\Desktop\RSOP.html", and then press Enter. An RSoP report is saved as an HTML file to your desktop.
6. Open the saved RSoP report from your desktop. Compare the report, its information, and its
formatting with the RSoP report you saved in the previous task.
Task 3: Evaluate GPO results by using the Group Policy Modeling Wizard
1. Switch to LON-DC1.
2. Start the Group Policy Modeling Wizard.
3. Select Adatum\Mike as the user, and LON-CL1 as the computer for modeling.
4. When prompted, select the Loopback Processing check box, and then click Merge. Even though the Conference Room Policies GPO specifies loopback processing, you must instruct the Group Policy Modeling Wizard to consider loopback processing in its simulation.
5. When prompted, on the Alternate Active Directory Paths page, choose the Kiosks\Conference Rooms location. You are simulating the effect of LON-CL1 as a conference room computer.
6. Accept all other options as defaults.
7. On the Summary tab, scroll to and expand, if necessary, User Details, Group Policy Objects, and Applied GPOs.
8. Check whether the Conference Room Policies GPO applies to Mike as a User policy when he logs on to LON-CL1 if LON-CL1 is in the Conference Rooms OU.
9. Scroll to, and expand if necessary, User Details, Policies, Administrative Templates and Control Panel/Personalization.
10. Confirm that the screen saver timeout is 2,700 seconds (45 minutes), the setting configured by the Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM Standards GPO.
Task 4: Review policy events and determine GPO infrastructure status
1. On LON-CL1, you are logged on as Adatum\Administrator.
2. Open the Control Panel and then browse to the Event Viewer.
3. Locate and review Group Policy events in the System log.
4. Locate and review Group Policy events in the Application log. Review the events and identify the
Group Policy events that have been entered in this log. Which events are related to Group Policy
application and which are related to the activities you have been performing to manage Group
Policy? Note that depending on how long the virtual machine has been running, you may not have
any Group Policy Events in the application log.
5. Browse to the Group Policy Operational log and locate the first event related to the Group Policy refresh you initiated in Exercise 1, with the GPUpdate command. Review that event and the events that followed it.
Results: After this exercise, you should have successfully used RSoP tools to verify the correct application
of your GPOs.
Exercise 4: Managing GPOs
Scenario
You must back up all critical GPOs. You use the Group Policy Management backup feature to back up the ADATUM Standards GPO.
The main tasks for this exercise are as follows:
1. Perform a backup of GPOs.
2. Perform a restore of GPOs.
3. To prepare for the next module.
Task 1: Perform a backup of GPOs
1. Switch to LON-DC1, and in the Group Policy Management console, in the navigation pane, click on
the Group Policy Objects folder.
2. Back up the ADATUM Standards GPO to C:\.
Task 2: Perform a restore of GPOs
• In the Group Policy Management console, restore the previous backup of ADATUM Standards.
To prepare for the next module
• When you have finished the lab, revert all virtual machines back to their initial state.
Results: After this exercise, you should have successfully performed common management tasks on your
GPOs.
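The backup and restore from Exercise 4 are also available as cmdlets, which is how you would schedule them. The script below is an added example, not part of the handbook: it backs up every GPO in the domain into a dated folder, writes a manifest mapping GPO name to backup ID and version, saves a readable HTML settings report beside each backup, and restores one GPO by name from the most recent backup folder. It assumes the GroupPolicy module on LON-DC1 and an assumed backup root of C:\GPOBackups.

```powershell
# Added example (not from the handbook): scheduled backup of all GPOs and restore by name.
Import-Module GroupPolicy

function Backup-AllGpo {
    param([string]$Root = 'C:\GPOBackups')   # assumed backup root
    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # One Backup-GPO call per GPO; the returned object carries the backup ID used on restore.
    $manifest = foreach ($gpo in Get-GPO -All) {
        $b = Backup-GPO -Guid $gpo.Id -Path $dir -Comment "Scheduled backup $(Get-Date -Format s)"
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            GpoId           = $gpo.Id
            BackupId        = $b.Id
            UserVersion     = $gpo.User.DSVersion
            ComputerVersion = $gpo.Computer.DSVersion
            Modified        = $gpo.ModificationTime
        }
    }
    $manifest | Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation

    # A settings report next to each backup lets a change be reviewed before anything is restored.
    foreach ($m in $manifest) {
        $safeName = $m.Name -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $m.GpoId -ReportType Html -Path (Join-Path $dir "$safeName.html")
    }
    return $dir
}

function Restore-GpoByName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Root = 'C:\GPOBackups'
    )
    # Folder names sort chronologically because of the yyyy-MM-dd_HHmm format.
    $latest = Get-ChildItem -Path $Root -Directory | Sort-Object Name -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backups found under $Root" }
    # With -Name, Restore-GPO picks the newest backup of that GPO inside the folder.
    Restore-GPO -Name $Name -Path $latest.FullName
}

$backupDir = Backup-AllGpo
"All GPOs backed up to $backupDir"
Restore-GpoByName -Name 'ADATUM Standards' | Format-List DisplayName, Id, ModificationTime
```

Restore-GPO puts back the settings, security filtering and WMI filter association of the GPO but not its links to sites, domains or OUs; if a link was removed, recreate it with New-GPLink after the restore. Keeping the HTML reports with each backup also gives you a diffable record of what each GPO enforced on a given date.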
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Group Policy settings are not applied to all users or computers in the OU where the GPO is applied |
Group Policy settings sometimes need two restarts to apply |
Tools
Tool | Use for | Where to find it
Group policy reporting RSoP | Reporting information about the current policies being delivered to clients. | Group Policy Management Console
GPResult | A command-line utility that displays RSoP information. | Command-line utility
GPUpdate | Refreshing local and Active Directory Domain Services (AD DS)-based Group Policy settings. | Command-line utility
Dcgpofix | Restoring the default Group Policy objects to their original state after initial installation. | Command-line utility
GPOLogView | Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista, Windows 7, and newer versions. | Command-line utility
Group Policy Management scripts | Sample scripts that perform a number of different troubleshooting and maintenance tasks. |
Module 6
Managing User Desktops with Group Policy
Contents:
Module Overview 6-1
Lesson 1: Implementing Administrative Templates 6-2
Lesson 2: Configuring Folder Redirection and Scripts 6-7
Lesson 3: Configuring Group Policy Preferences 6-12
Lesson 4: Managing Software with Group Policy 6-16
Lab: Managing User Desktops with Group Policy 6-19
Module Review and Takeaways 6-23
Module Overview
Using Group Policy Objects (GPOs), you can implement desktop environments across your organization
by using Administrative Templates, Folder Redirection, Group Policy preferences, and where applicable,
use software deployment to install and update application programs. It is important to know how to use
these various GPO features so that you can configure your users’ computer settings properly.
Objectives
After completing this module, you will be able to:
• Describe and implement Administrative Templates.
• Configure folder redirection and scripts by using GPOs.
• Configure GPO preferences.
• Deploy software by using GPOs.
Lesson 1
Implementing Administrative Templates
The Administrative Template files provide the majority of available GPO settings, which modify specific
registry keys. Using Administrative Templates sometimes is referred to as registry-based policy. For many
applications, the use of registry-based policy that the Administrative Template files deliver is the most simple and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Group Policy administrative templates.
• Describe ADM and ADMX, or administrative template, files.
• Describe the central store.
• Describe example scenarios for using Administrative Templates.
• Explain how to configure settings with Administrative Templates.
What Are Administrative Templates?
You can use Administrative Templates to control the environment of an operating system and the user experience. There are two sets of Administrative Templates: one for users and one for computers.
Using the Administrative Template sections of the GPO, you can deploy hundreds of modifications to the registry. Administrative Templates have the following characteristics:
• They are organized into subfolders that deal with specific areas of the environment, such as network, system, and Windows® components.
• The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and the settings in the user section edit the HKEY_CURRENT_USER hive in the registry.
• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.
• Some settings are available only to certain versions of Windows operating systems. For example, you can apply a number of new settings only to Windows 7 and newer versions of the Windows operating system. Double-clicking the settings displays the supported versions for that setting.
What Are ADM and ADMX Files?
ADM Files
Traditionally, ADM files have been used to define the settings that an administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language. Therefore, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.
A major drawback of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space. This can cause the System Volume (SYSVOL) folder to become very large and increase replication traffic.
ADMX Files
Windows Vista® and Windows Server® 2008 introduced a new format for displaying registry-based policy settings. These settings are defined by using a standards-based XML file format known as ADMX files. These new files replace ADM files.
Group Policy tools on Windows Vista and newer operating systems, and Windows Server 2008, continue to recognize the custom ADM files that you have in your existing environment, but ignore any ADM file that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The GPO Editor automatically reads and displays settings from the local ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can be stored in a central location.
ADMX files are language neutral. The plain language descriptions of the settings are not part of the ADMX files. They are stored in language-specific ADML files. This means that administrators who speak different languages, such as English and Spanish, can look at the same GPO and see the policy descriptions in their own language, because they can each use their own language-specific ADML files. ADML files are stored in a subfolder of the PolicyDefinitions folder. By default, only the ADML language files for the language of the installed operating system are added.
Migrate Classic Administrative Templates to .ADMX
ADMX Migrator is a snap-in for the Microsoft® Management Console (MMC) that simplifies the process of
converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical
user interface for creating and editing Administrative Templates. You can download the ADMX Migrator
from the Microsoft Download website at http://go.microsoft.com/fwlink/?linkID=270013.
The Central Store
For domain-based enterprises, you can create a central store location of ADMX files, which anyone with permission to create or edit GPOs can access. The GPO Editor on Windows Vista and Windows Server 2008 (or newer) automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches, and then ignores the ones stored locally. If the domain controller is not available, the local store is used.
You must create the central store, and then update it manually on a domain controller. The use of ADMX files is dependent on the computer’s operating system where you are creating or editing the GPO. Therefore, the domain controller can be a server with Windows 2000 or newer. The File Replication Service (FRS) will not replicate the domain controller to that domain’s other controllers. Depending on your server operating system and configuration, you can use either FRS or Distributed File System Replication (DFS-R) to replicate the data.
To create a central store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies.
For example, to create a central store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location: \\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies.
A user must copy all files and subfolders of the PolicyDefinitions folder. The PolicyDefinitions folder on a Windows 7–based computer resides in the Windows folder. The PolicyDefinitions folder stores all .admx files and .adml files for all languages that are enabled on the client computer.
Note: You must update the PolicyDefinitions for each service pack and for other additional software, such as Microsoft Office 2010 ADMX files.
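The copy described above is easy to get subtly wrong (missing language subfolders, or an older workstation overwriting newer templates), so it is worth scripting with checks. The script below is an added example, not part of the handbook: it creates or refreshes the central store from the local PolicyDefinitions folder using robocopy, copying only files newer than those already in SYSVOL, and then reports what the store contains. It assumes it runs on a domain controller or management workstation that already holds the ADMX and ADML files you want to publish, with write access to SYSVOL; the domain name is taken from the computer's own domain membership.

```powershell
# Added example (not from the handbook): create or refresh the ADMX central store with checks.
$fqdn    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$central = "\\$fqdn\SYSVOL\$fqdn\Policies\PolicyDefinitions"   # path from the handbook
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'        # source: this computer's templates

if (-not (Test-Path $local)) { throw "No local PolicyDefinitions folder at $local" }
New-Item -ItemType Directory -Path $central -Force | Out-Null

# /S copies the language subfolders (en-US etc.). /XO skips files where the SYSVOL copy
# is already newer, so a machine with older templates cannot roll back the store.
# /R:2 /W:5 limit retries; /NP /NFL /NDL keep the output to a summary.
& robocopy.exe $local $central '*.admx' '*.adml' /S /XO /R:2 /W:5 /NP /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# Sanity checks: the store exists, has at least one language folder, and every ADMX has an ADML.
$admx  = @(Get-ChildItem -Path $central -Filter *.admx -File).Count
$adml  = @(Get-ChildItem -Path $central -Recurse -Filter *.adml -File).Count
$langs = @(Get-ChildItem -Path $central -Directory | Select-Object -ExpandProperty Name)

"Central store: $central"
"  ADMX files: $admx   ADML files: $adml   languages: $($langs -join ', ')"
if ($langs.Count -eq 0) { Write-Warning 'No language subfolder was copied; the editor will show settings without descriptions.' }
if ($adml -lt $admx)    { Write-Warning 'Fewer ADML than ADMX files: some settings will show without descriptions.' }
```

After the copy, open a GPO in the Group Policy Management Editor and check the Administrative Templates node heading: it reads "Policy definitions (ADMX files) retrieved from the central store" once the store is being used, and "retrieved from the local computer" otherwise. Because SYSVOL is replicated, any administrator's template set becomes everyone's, so restrict write access to the central store to the people who are meant to publish templates.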
Discussion: Practical Uses of Administrative Templates
Spend a few minutes examining the Administrative Templates, and consider how you could employ some of them in your organization. Be prepared to share information about your organization’s current use of GPOs and logon scripts, such as:
• How do you provide desktop security currently?
• How much administrative access do users have to their systems?
• Which Group Policy settings will you find useful in your organization?
Demonstration: Configuring Settings with Administrative Templates
Group Policy editing tools in Windows Server 2012 provide several functionalities that ease configuration
and management of GPOs. In this demonstration, you will review these options.
Filter Policy Settings for Administrative Templates
A disadvantage in the Group Policy editing tools in previous Windows versions is the inability to search for
a specific policy setting. With thousands of policies to choose from, it can be difficult to locate exactly the
setting you want to configure. The Group Policy Management Editor in Windows Server 2012 solves this
problem for Administrative Template settings. You now can create filters to locate specific policy settings.
To create a filter:
1. Right-click Administrative Templates, and then click Filter Options.
2. To locate a specific policy, select the Enable keyword filters check box, enter the words with which
to filter, and then select the fields within which to search.
You also can filter for Group Policy settings that apply to specific versions of Windows, Windows Internet
Explorer®, and other Windows components.
Unfortunately, the filter only applies to settings in the Administrative Templates nodes.
Filter Based on Comments
You also can search and filter based on policy-setting comments. Windows Server 2012 enables you to
add comments to policy settings in the Administrative Templates node. To do so, double-click a policy
setting, and then click the Comment tab.
It is a best practice to add comments to configured policy settings. You should document the justification
for a setting and its intended effect. You also should add comments to the GPO itself. Windows Server
2012 enables you to attach comments to a GPO. In the Group Policy Management Editor, in the console
tree, right-click the root node, click Properties, and then click the Comment tab.
How to Copy GPO Settings
Starter GPOs can contain only Administrative Templates policy settings. But in addition to using Starter
GPOs, there are two other ways to copy settings from one GPO into a new GPO:
• You can copy and paste entire GPOs in the Group Policy Objects container of the GPMC, so that you
have a new GPO with all settings of the source GPO.
• To transfer settings between GPOs in different domains or forests, right-click a GPO, and then click
Back Up. In the target domain, create a new GPO, right-click the GPO, and then click Import
Settings. You will be able to import the settings of the backed up GPO.
Additional Reading: Group Policy Search
http://go.microsoft.com/fwlink/?linkID=270014
This demonstration shows how to:
• Filter Administrative Template policy settings.
• Apply comments to Administrative Templates policy settings.
• Add comments to Administrative Templates policy settings.
• Create a new GPO by copying an existing GPO.
• Create a new GPO by importing settings that were exported from another GPO.
Demonstration Steps
Filter Administrative Template policy settings
1. On LON-DC1, open the Group Policy Management console.
2. Create a new Group Policy Object (GPO) named GPO1.
3. Open GPO1 for editing.
4. Locate the User Configuration, Policies, Administrative Templates node.
5. Filter the settings to display only those that contain the keywords screen saver.
6. Filter the settings to display only configured values.
Add comments to a policy setting
1. Locate the Personalization value from User Configuration\Policies\Administrative Templates
\Control Panel.
2. Add a comment to both the Password Protect the screen saver and Enable screen saver values.
Add comments to a GPO
• Open the GPO1 policy root node, and then add a comment to the Comment tab.
Create a new GPO by copying an existing GPO
• Copy GPO1, and then paste it to the Group Policy Objects folder.
Create a new GPO by importing settings that were exported from another GPO
1. Back up GPO1.
2. Create a new GPO called ADATUM Import.
3. Import the settings from the GPO1 backup into the ADATUM Import GPO.
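The copy and backup/import paths from the "How to Copy GPO Settings" topic and the demonstration steps above, as an added PowerShell example that is not part of the courseware. It uses the GroupPolicy module installed with the GPMC; the GPO names GPO1 and ADATUM Import come from the demonstration, while C:\GPOBackup and the comment text are assumptions.

```powershell
# Added example: comment a GPO, copy it, and back it up / import it into a new
# GPO, then verify the import. Assumptions: run on LON-DC1 with rights to
# create GPOs; C:\GPOBackup is an arbitrary backup folder chosen here.
#Requires -Modules GroupPolicy

$source     = 'GPO1'
$backupPath = 'C:\GPOBackup'

# 1. GPO-level comment: the Comment tab on the GPO's Properties maps to the
#    Description property of the GPO object.
$gpo = Get-GPO -Name $source
$gpo.Description = 'Baseline screen-saver settings (assumed comment text)'

# 2. Same-domain copy: a new GPO carrying every setting of the source.
#    -CopyAcl also copies the delegation on the GPO; omit it if the copy
#    should start with default permissions.
Copy-GPO -SourceName $source -TargetName 'GPO1 - Copy' -CopyAcl | Out-Null

# 3. Back up, then import into a new GPO. This is the path that also works
#    across domains or forests, because the backup is just a folder of files.
New-Item -Path $backupPath -ItemType Directory -Force | Out-Null
$backup = Backup-GPO -Name $source -Path $backupPath -Comment 'Before import demo'
Import-GPO -BackupId $backup.Id -Path $backupPath `
           -TargetName 'ADATUM Import' -CreateIfNeeded | Out-Null

# 4. Verify: compare the configured-settings subtree of both XML reports.
#    Metadata such as modification times differs, so only ExtensionData is compared.
function Get-SettingsXml([string]$Name) {
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $nodes = @($report.GPO.User.ExtensionData) + @($report.GPO.Computer.ExtensionData)
    ($nodes | Where-Object { $_ } | ForEach-Object { $_.OuterXml }) -join "`n"
}

if ((Get-SettingsXml $source) -eq (Get-SettingsXml 'ADATUM Import')) {
    Write-Host 'Imported GPO carries the same settings as the source.'
} else {
    # Cross-domain imports commonly differ here: security principals and UNC
    # paths embedded in the settings need a migration table (Import-GPO -MigrationTable).
    Write-Warning 'Settings differ from the source; check for domain-specific SIDs or paths.'
}
```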
Lesson 2
Configuring Folder Redirection and Scripts
In Windows Server 2012, you can use GPOs to deploy scripts to users and computers. You also can
redirect folders that are included in the user’s profile to a central server. These features enable you to
configure the users’ desktop settings more easily and, where desirable, create a standardized desktop
environment that meets your organizational needs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe folder redirection.
• Explain the settings available for configuring folder redirection.
• Describe security settings for redirected folders.
• Explain how to configure folder redirection.
• Describe Group Policy settings for applying scripts.
• Explain how to configure scripts by using Group Policy.
What Is Folder Redirection?
You can use the Folder Redirection feature to
manage data effectively, and optionally, back up
data. By redirecting folders, you can ensure user
access to data regardless of the computers to
which the users sign in. Folder redirection has the
following characteristics:
• When you redirect folders, you change
the folder’s storage location from the user
computer’s local hard disk to a shared folder
on a network file server.
• After you redirect a folder to a file server, it
still appears to the user as if it is stored on the
local hard disk.
• You can use the Offline Files technology in conjunction with redirection to synchronize data in the
redirected folder to the user’s local hard drive. This ensures that users have access to their data if a
network outage occurs or if the user is working offline.
Advantages of Folder Redirection
There are many advantages of folder redirection, including:
• Users that sign in to multiple computers can access their data as long as they can access the network
share.
• Offline folders allow users to access their data even if they disconnect from the local area network
(LAN).
• Data that is stored on servers in network shares is backed up.
• Roaming profile size can be reduced greatly by redirecting data from the profile.
Settings for Configuring Folder Redirection
In a GPO, the following settings are available for
folder redirection:
• None. None is the default setting. Folder
redirection is not enabled.
• Basic. Basic folder redirection is for:
o Users who must redirect their folders to a
common area.
o Users who need their data to be private.
• Advanced. You can use Advanced redirection
to specify different network locations for
different Active Directory® security groups.
• Follow the Documents folder. Follow the Documents folder redirection is available only for the
Pictures, Music, and Videos folders. This setting makes the affected folder a subfolder of the
Documents folder.
Target Folder Locations for Basic and Advanced Settings
If you choose Basic or Advanced, you can choose from the following target folder locations:
• Create a folder for each user under the root path. This option creates a folder in the form
\\server\share\User Account Name\Folder Name. For example, if you want to store your users’
desktop settings in a shared folder called Documents, on a server called LON-DC1, you could define
the root path as \\lon-dc1\Documents.
Each user has a unique path for the redirected folder to ensure that data remains private. By default,
that user is granted exclusive rights to the folder. In the case of the Documents folder, the current
contents of the folder are moved to the new location.
• Redirect to the following location. This option uses an explicit path for the redirection location. It
causes multiple users to share the same path for the redirected folder. By default, that user is granted
exclusive rights to the folder. In the case of the Documents folder, the current contents of the folder
are moved to the new location.
• Redirect to the local user profile location. This option moves the location of the folder to the local user
profile under the Users folder.
• Redirect to the user’s home directory. This option is available only for the Documents folder.
Note: After the initial creation and application of a GPO that delivers folder redirection
settings, users require two logons before redirection takes effect. This is because users will sign in
with cached credentials.
Question: Users in the same department often sign in to different computers. They need
access to their Documents folder. They also need data to be private. What folder redirection
setting would you choose?
Security Settings for Redirected Folders
You must create and configure the permissions
manually on a shared network folder to store the
redirected folders. However, folder redirection
also can create the user’s redirected folders.
Folder permissions are handled as follows:
• When you use this option, the correct
subfolder permissions are set automatically.
• If you manually create folders, you must know
the correct permissions. The slide illustrates
these permissions.
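The manual permission set-up described above (and the shared folder created in the demonstration that follows), as an added PowerShell example that is not part of the courseware. The slide it refers to is not reproduced here, so the NTFS rules below are assumptions taken from Microsoft's published folder-redirection guidance rather than values from this page; C:\Redirect and the share name Redirect come from the demonstration.

```powershell
# Added example: create the redirected-folders root with least-privilege NTFS
# permissions instead of "Everyone, Read/Write". Assumptions: run elevated on
# the file server (LON-DC1 in the demonstration); ACL values follow Microsoft's
# folder-redirection guidance and are not taken from this page.
param(
    [string]$Path      = 'C:\Redirect',
    [string]$ShareName = 'Redirect'
)

New-Item -Path $Path -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from C:\ so that only the rules below apply to the root.
$acl.SetAccessRuleProtection($true, $false)

$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$thisFolder   = [System.Security.AccessControl.InheritanceFlags]::None
$subAndFiles  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp       = [System.Security.AccessControl.PropagationFlags]::None
$inheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Rule($Identity, $Rights, $Inherit, $Prop) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Prop, $allow)
}

$rules = @(
    # SYSTEM and Administrators: Full Control on the root and everything beneath it.
    New-Rule 'NT AUTHORITY\SYSTEM'     'FullControl' $subAndFiles $noProp
    New-Rule 'BUILTIN\Administrators'  'FullControl' $subAndFiles $noProp
    # Authenticated Users: may list the root and create their own subfolder,
    # but the rule applies to this folder only, so they cannot read other
    # users' redirected folders.
    New-Rule 'NT AUTHORITY\Authenticated Users' `
             'ListDirectory, ReadAttributes, CreateDirectories, Traverse' $thisFolder $noProp
    # CREATOR OWNER: Full Control on subfolders and files only, so each user
    # owns exactly the folder that Folder Redirection creates for them.
    New-Rule 'CREATOR OWNER' 'FullControl' $subAndFiles $inheritOnly
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Share permissions: keep them broad and let NTFS enforce the real boundary.
New-SmbShare -Name $ShareName -Path $Path `
             -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Show the resulting rules so they can be checked against your own standard.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Users then still see only their own folder under \\LON-DC1\Redirect, while the redirection client can create it on first sign-in.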
Demonstration: Configuring Folder Redirection
This demonstration shows how to:
• Create a shared folder.
• Create a GPO to redirect the Documents folder.
• Test folder redirection.
Demonstration Steps
Create a shared folder
1. On LON-DC1, create a folder named C:\Redirect.
2. Share the folder to Everyone with Read/Write permission.
Create a GPO to redirect the Documents folder
1. Open the Group Policy Management console. Create a GPO named Folder Redirection, and then
link it to the Adatum domain.
2. Edit the Folder Redirection GPO.
3. Configure the Documents folder properties to use the Basic-Redirect everyone’s folder to the
same location setting.
4. Ensure that the Target folder location is set to Create a folder for each user under the root path.
5. Specify the root path as \\LON-DC1\Redirect.
6. Close all open windows on LON-DC1.
Test folder redirection
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Check the properties of the Documents folder. The path will be \\LON-DC1\Redirect.
3. Sign out of LON-CL1.
Group Policy Settings for Applying Scripts
You can use Group Policy scripts to perform a
number of tasks. There may be actions that you
need to perform every time a computer starts up
or shuts down, or when users sign in or sign off.
For example, you can use scripts to:
• Clean up desktops when users sign out, and
shut down computers.
• Delete the contents of temporary directories.
• Map drives or printers.
• Set environment variables.
Scripts that are assigned to the computer run in the security context of the Local System account. Scripts
that are assigned to the user who is logging on run in that user’s security context.
Other Group Policy settings control aspects of how scripts run. For example, if multiple scripts are
assigned, you can control whether they run synchronously or asynchronously.
You can write scripts in any scripting language that the Windows client can interpret, such as VBScript,
Jscript, or simple command or batch files.
Note: In Windows Server 2008 R2 and Windows Server 2012, the user interface (UI) in
Group Policy Editor for Logon, Logoff, Startup, and Shutdown scripts provides an additional tab
for Windows PowerShell® scripts. You can deploy your Windows PowerShell script by adding it to
this tab. Windows Server 2008 R2, Windows Server 2012, Windows 7, or Windows 8 can run
Windows PowerShell scripts through Group Policy.
Scripts are stored in shared folders on the network. You need to ensure that the client has access to
that network location. If clients cannot access the network location, the scripts fail to run. Although any
network location stores scripts, as a best practice, use the Netlogon share because all users and computers
that are authenticated to Active Directory Domain Services (AD DS) have access to this location.
For many of these settings, using Group Policy preferences is a better alternative to configuring them in
Windows images or using logon scripts. Group Policy preferences are covered in more detail later in this
module.
Demonstration: Configuring Scripts with GPOs
This demonstration shows how to:
• Create a logon script to map a network drive.
• Create and link a GPO to use the script, and store the script in the Netlogon share.
• Sign in to the client to test the results.
Demonstration Steps
Create a logon script to map a network drive
1. On LON-DC1, launch Notepad, and then type the following command:
Net use t: \\LON-dc1\Redirect
2. Save the file as Map.bat.
3. Copy the file to the clipboard.
Create and link a GPO to use the script, and store the script in the Netlogon share
1. Use the Group Policy Management console to create a new GPO named Drivemap, and then link it
to the Adatum.com domain.
2. Edit the GPO to configure a user logon script.
3. Paste the Map.bat script into the Netlogon share.
4. Add the Map.bat script to the logon scripts.
Sign in to the client to test the results
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Verify that drive is mapped.
3. Sign out of LON-CL1.
Lesson 3
Configuring Group Policy Preferences
In previous Windows Server versions, you could not use Group Policy to control common settings that
affect the user and computer environment, such as mapped drives. Typically, these settings were delivered
through logon scripts or imaging solutions.
However, Windows Server 2012 includes the Group Policy preferences built-in to the GPMC, which enable
settings such as mapped drives to be delivered through Group Policy. Additionally, you can configure
preferences by installing the Remote Server Administration Tools (RSAT) on a computer that is running
Windows 7 or Windows 8. This allows you to deliver many common settings by using Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Group Policy preferences.
• Identify the differences between Group Policy settings and preferences.
• Describe Group Policy preference features.
• Explain how to configure settings by using preferences.
What Are Group Policy Preferences?
Group Policy preference extensions include more
than 20 Group Policy extensions that expand the
range of configurable settings within a GPO. You
now can use preferences to apply a number of
settings that had to be applied by scripts in the
past, such as drive mappings.
Group Policy preferences are supported natively
on Windows Server 2008 and newer versions, and
on Windows Vista Service Pack 2 (SP2) and newer
versions. You can download and install client-side
extensions (CSEs) of Group Policy preferences for
Windows Server 2003, Windows XP Service Pack 3
(SP3), and Windows Vista Service Pack 1 (SP1) to provide support for preferences on those systems.
Examples of the new Group Policy preference extensions include:
• Folder Options
• Drive Maps
• Printers
• Scheduled Tasks
• Services
• Start Menu
Configuring Group Policy preferences does not require any special tools or software installation: they
are natively part of the GPMC in Windows Server 2008 (and newer), and by default they are applied in the
same manner as Group Policy settings. Preferences have two distinct sections: Windows Settings and Control
Panel Settings.
When you configure a new preference, you can perform the following four basic actions:
• Create. Create a new preference setting for the user or computer.
• Delete. Remove an existing preference setting for the user or computer.
• Replace. Delete and recreate a preference setting for the user or computer. The result is that Group
Policy preferences replace all existing settings and files associated with the preference item.
• Update. Modify an existing preference setting for the user or computer.
Comparing Group Policy Preferences and GPO Settings
Preferences are similar to policies in that they
apply configurations to the user or computer.
However, there are several differences in the way
that you can configure and apply them. One of
these differences is that preferences are not
enforced. However, you can configure preferences to be reapplied automatically.
The following is a list of other differences between
Group Policy settings and preferences:
• Preference settings are not enforced.
• Group Policy settings disable the user
interface for settings that the policy manages. Preferences do not do this.
• Group Policy settings are applied at regular intervals. You can apply preferences once only or at
intervals.
• The end user can change any preference setting that is applied through Group Policy, but policy
settings prevent users from changing them.
• In some cases, you can configure the same settings through a policy setting as well as a preference
item. If conflicting preference and Group Policy settings are configured and applied to the same
object, the value of the policy setting always applies.
Features of Group Policy Preferences
After you create a Group Policy preference,
you must configure its properties. Different
preferences will require different input
information. For example, shortcut preferences
require target paths, whereas environment
variables require variable types and values.
Preferences also provide a number of features
in the common properties to assist in the
deployment.
General Properties Tab
The General Properties tab is where basic information is provided. The first step is to specify the action for
the preference: Create, Delete, Replace, or Update. Different settings will be available, depending on the
initial action selected. For example, when creating a drive mapping, you must provide a Universal Naming
Convention (UNC) path and an option for the drive letter, which you want to assign.
Common Properties Tab
The common properties are consistent for all preferences. You can use the Common Property tab to
control the behavior of the preference as follows:
• Stop processing items in this extension if an error occurs. If an error occurs while processing a
preference, no other preferences in this GPO will process.
• Run in logged-on user’s security context. Preferences can run as the System account or the logged-on
user. This setting forces the logged-on user context.
• Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed
when the GPO that delivered it is removed. This setting will change that behavior.
• Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group
Policy settings. This setting changes that behavior to apply the setting only once on logon or startup.
• Use Item-level targeting. One of the most powerful features of preferences is item-level targeting. You
can use this feature to specify criteria easily, so that you can determine exactly which users or
computers will receive a preference. Criteria includes, but is not limited to:
o Computer name
o IP address range
o Operating system
o Security group
o User
o Windows Management Instrumentation (WMI) queries
Demonstration: Configuring Group Policy Preferences
This demonstration shows how to:
• Configure a desktop shortcut with Group Policy preferences.
• Target the preference.
• Configure a new folder with Group Policy preferences.
• Target the preference.
• Test the preference.
Demonstration Steps
Configure a desktop shortcut with Group Policy preferences
1. On LON-DC1, in the Group Policy Management console, open the Default Domain Policy
for editing.
2. Navigate to Computer Configuration\Preferences\Windows Settings\Shortcuts.
3. Create a new shortcut to the Notepad.exe program.
Target the preference
• Target the preference for the computer, LON-CL1.
Configure a new folder with Group Policy preferences
1. Navigate to User Configuration\Preferences\Windows Settings\Folders.
2. Create a new folder for the C:\Reports folder.
Target the preference
• Target this preference for computers that are running the Windows 8 operating system.
Test the preferences
1. Switch to LON-CL1, and refresh the group policies by using the following command at the command
prompt:
gpupdate /force
2. Sign in and verify the presence of both the C:\Reports folder and the Notepad shortcut on the
Desktop.
Lesson 4
Managing Software with Group Policy
Windows Server 2012 includes a feature called Software Installation and Maintenance that AD DS,
Group Policy, and the Windows Installer service use to install, maintain, and remove software from your
organization’s computers. In this lesson, you will learn how to manage software with Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how Group Policy software distribution addresses the software lifecycle.
• Describe how Windows Installer enhances software distribution.
• Describe the difference between assigning and publishing software.
• Explain how to manage software upgrades by using Group Policy.
How Group Policy Software Distribution Helps to Address the Software Lifecycle
The software lifecycle consists of four phases:
preparation, deployment, maintenance, and
removal. You can use Group Policy to manage all
phases except the preparation. You can apply
Group Policy settings to users or computers in a
site, domain, or organization unit (OU) to install,
upgrade, or remove software automatically.
By applying Group Policy settings to software, you
can manage the phases of software deployment without deploying software on each computer
individually.
How Windows Installer Enhances Software Distribution
To enable Group Policy to deploy and manage
software, Windows Server 2012 uses the Windows
Installer service. This component automates the installation and removal of applications by
applying a set of centrally defined setup rules
during the installation process. The Windows
Installer service installs the Microsoft Installer
(MSI) package files. MSI files contain a database
that stores all the instructions required to install
the application. Small applications may be
entirely stored as MSI files, whereas other larger
applications will have many associated source files
that the MSI references. Many software vendors provide MSI files for their applications.
The Windows Installer service has the following characteristics:
• This service runs with elevated privileges, so that software can be installed by the Windows Installer
service, no matter which user is logged onto the system. Users only require read access to the
software distribution point.
• Applications are resilient. If an application becomes corrupted, the installer will detect and reinstall or
repair the application.
• Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe
file, the .exe file must be converted to an .msi file by using a third-party utility.
Question: Do users need administrative rights to install applications manually that have MSI
files?
Question: What are some disadvantages of deploying software through Group Policy?
Assigning and Publishing Software
There are two deployment types available for delivering software to clients. Administrators can
either install software for users or computers in
advance by assigning the software, or give users
the option to install the software when they
require it by publishing the software in AD DS.
Both user and computer configuration sections
of a GPO have a Software Settings section. You
can add software to a GPO by adding a new
package to the Software Installation node, and
then specifying whether to assign or publish it.
You also can choose advanced deployment of a package. Use this option to apply a customization file to
a package for custom deployment; for example, if you use the Office Customization Tool to create a setup
customization file to deploy Microsoft Office 2010.
Assigning Software
Assigning software has the following characteristics:
• When you assign software to a user, the user’s Start menu advertises the software when the user logs
on. Installation does not begin until the user double-clicks the application's icon or a file that is
associated with the application.
• Users do not share deployed applications. When you assign software to a user, an application that
you install for one user through Group Policy will not be available to other users.
• When you assign an application to a computer, the application is installed the next time that the
computer starts. The application will be available to all users of the computer.
Publishing Software
Publishing software has the following characteristics:
• The Programs shortcut in Control Panel advertises a published program to the user. Users can install
the application by using the Programs applet, or you can set it up so that document activation installs
the application.
• Applications that users do not have permission to install are not advertised to them.
• Applications cannot be published to computers.
Note: When configuring Group Policy to deploy applications, they must be mapped to
UNC paths. If you use local paths, the deployment will fail.
Managing Software Upgrades by Using Group Policy
Software vendors occasionally release software
updates. These usually address minor issues, such
as an update or feature enhancements, which do
not warrant a complete application reinstallation.
Microsoft releases some software patches as .MSP
files.
Major upgrades that provide new functionality
require an upgrading of a software package to a
newer version. You can use the Upgrades tab to
upgrade a package by using the GPO. When you
perform upgrades by using Group Policy, you’ll
notice the following characteristics:
• You may redeploy a package if the original Windows Installer file has been modified.
• Upgrades will often remove the old version of an application and install a newer version, usually
maintaining application settings.
• You can remove software packages if they were delivered originally by using Group Policy. This is
useful if a line-of-business (LOB) application is being replaced with a different application. Removal
can be mandatory or optional.
Lab: Managing User Desktops with Group Policy
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in London,
U.K. An IT office and a data center are located in London to support the London head office and other
locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum has just opened up a new branch office. Users in this office require an automated method for
mapping drives to shared server resources and you decide to use Group Policy preferences. Furthermore,
you have been asked to create a shortcut to the Notepad application for all users that belong to the IT
security group. To help minimize profile sizes, you have been asked to configure folder redirection to
redirect several profile folders to each user’s home drive.
Objectives
After completing this lab, you will be able to:
• Implement settings by using Group Policy preferences.
• Configure folder redirection.
Lab Setup
Estimated Time: 45 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20411B-LON-CL1.
Exercise 1: Implementing Settings by Using Group Policy Preferences
Scenario
A. Datum has been using logon scripts to provide users with drive mappings to file shares. The
maintenance of these scripts is an ongoing problem because they are large and complex. Your manager
has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts
can be removed. You also have been asked to place a shortcut to the Notepad application for all users
that belong to the IT security group.
The main tasks for this exercise are as follows:
1. Create the required logon script.
2. Create a new GPO, and link it to the Branch Office 1 organization unit (OU).
3. Edit the Default Domain Policy with the required Group Policy preferences.
4. Test the preferences.
Task 1: Create the required logon script
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open File Explorer and create a folder, and then share it with Specific people by using the following
properties:
o Path: C:\Branch1
o Share name: Branch1
o Permissions: Everyone, Read/Write.
3. Launch Notepad, and then type the following command:
Net use S: \\LON-dc1\Branch1
4. Save the file to the desktop as BranchScript.bat.
5. On the desktop, copy the file to the Clipboard. You will paste the file into the appropriate folder later
in the lab.
Task 2: Create a new GPO, and link it to the Branch Office 1 organization unit (OU)
1. On LON-DC1, open Active Directory Users and Computers, and then create an organizational unit
(OU) in the Adatum.com domain called Branch Office 1.
2. Move user Holly Dickson from the IT OU to the Branch Office 1 OU.
3. Move the LON-CL1 computer to the Branch Office 1 OU.
4. Open the Group Policy Management console.
5. Create and link a new GPO named Branch1 to the Branch Office 1 organizational unit.
6. Open the Branch1 GPO for editing.
7. Edit the GPO to configure a user logon script.
8. Paste the BranchScript.bat script into the Netlogon share.
9. Add the BranchScript.bat script to the logon scripts GPO setting.
Task 3: Edit the Default Domain Policy with the required Group Policy preferences
1. On LON-DC1, open the Default Domain Policy for editing.
2. Navigate to User Configuration \ Preferences \ Windows Settings \ Shortcuts.
3. Create a new shortcut to the Notepad.exe program:
o Name: Notepad
o Action: Create
o Location: Desktop
o Target path: C:\Windows\notepad.exe
4. Target the preference for members of the IT security group.
5. Close all open windows.
Task 4: Test the preferences
1. Switch to LON-CL1 and restart the computer.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Open the Command Prompt window, and then use the gpupdate /force command to refresh the
Group Policy.
4. Sign out of LON-CL1.
5. Sign in as Adatum\Holly with the password Pa$$w0rd.
6. Verify that a drive is mapped to \\LON-DC1\Branch1.
7. Verify that the shortcut to Notepad is on Holly’s desktop.
8. If the shortcut does not appear, repeat steps 2 through 5.
9. Sign out of LON-CL1.
Results: After this exercise, you should have created the required scripts and preference settings
successfully, and then assigned them by using GPOs.
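The same setup, as an added Windows PowerShell example that is not part of the course lab. It performs Task 1 and Task 2 from an elevated prompt on LON-DC1 with the ActiveDirectory and GroupPolicy modules that are installed with the domain controller role, and ends with the Task 4 checks for LON-CL1. Two things differ deliberately from the lab text: the share grants Change to Authenticated Users rather than Everyone Read/Write, and the script is written into the NETLOGON share directly instead of through the Clipboard. There is no GroupPolicy cmdlet for the logon-script setting or for preference items, so steps 7 and 9 of Task 2 and all of Task 3 stay in the Group Policy Management Editor.

```powershell
# Added example, not the course's own lab code. Run as Adatum\Administrator on LON-DC1.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = 'DC=Adatum,DC=com'
$branchOU  = "OU=Branch Office 1,$domainDN"
$sharePath = 'C:\Branch1'
$gpoName   = 'Branch1'

# Task 1: folder, share and logon script.
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name 'Branch1' -ErrorAction SilentlyContinue)) {
    # Lab text says Everyone, Read/Write. Authenticated Users is the tighter equivalent for a domain-only share.
    New-SmbShare -Name 'Branch1' -Path $sharePath -ChangeAccess 'Authenticated Users' | Out-Null
}
# The single line the lab puts in BranchScript.bat, written straight into NETLOGON (Task 2, step 8).
Set-Content -Path '\\LON-DC1\NETLOGON\BranchScript.bat' -Value 'net use S: \\LON-DC1\Branch1' -Encoding Ascii

# Task 2: OU, object moves, GPO and link.
$ou = Get-ADOrganizationalUnit -Filter { Name -eq 'Branch Office 1' } -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'Branch Office 1' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
Get-ADUser     -Identity 'Holly'   | Move-ADObject -TargetPath $branchOU
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath $branchOU

$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Branch 1 drive mapping; replaces the legacy logon script'
}
$linked = (Get-GPInheritance -Target $branchOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $branchOU -LinkEnabled Yes | Out-Null
}
Get-GPO -Name $gpoName | Select-Object DisplayName, Id, GpoStatus, ModificationTime

# Task 4 checks. Run these on LON-CL1, signed in as Adatum\Holly, after gpupdate /force:
#   gpresult /r /scope:user                          Branch1 listed under Applied Group Policy Objects
#   Get-SmbMapping -LocalPath 'S:'                   RemotePath should be \\LON-DC1\Branch1
#   Test-Path "$env:USERPROFILE\Desktop\Notepad.lnk"  True only for members of the IT security group
```

Preference items such as the drive mapping and the Notepad shortcut are stored as XML under the GPO's folder in SYSVOL, which every authenticated user can read, so never put credentials into a preference item; the Notepad shortcut and a drive map need none.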
Exercise 2: Configuring Folder Redirection
Scenario
In order to help minimize profile sizes, you have been asked to configure folder redirection for the branch
office users to redirect several profile folders to each user’s home drive.
The main tasks for this exercise are as follows:
1. Create a shared folder to store the redirected folders.
2. Create a new GPO and link it to the branch office OU.
3. Edit the folder redirection settings in the policy.
4. Test the folder redirection settings.
Task 1: Create a shared folder to store the redirected folders
• On LON-DC1, open File Explorer and then create a folder and share it with Specific people by using
the following properties:
o Path: C:\Branch1\Redirect
o Share name: Branch1Redirect
o Permissions: Everyone, Read/Write
Task 2: Create a new GPO and link it to the branch office OU
• On LON-DC1, open Group Policy Management and then create and link a new GPO named Folder
Redirection to the Branch Office 1 OU.
Task 3: Edit the folder redirection settings in the policy
1. Open the Folder Redirection GPO for editing.
2. Under User Configuration, browse to Folder Redirection and then configure the Documents folder
properties to use the Basic-Redirect everyone’s folder to the same location setting.
3. Ensure that the Target folder location is set to Create a folder for each user under the root path.
4. Specify the root path as \\LON-DC1\Branch1Redirect.
5. Close all open windows on LON-DC1.
Task 4: Test the folder redirection settings
1. Switch to LON-CL1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Open the Command Prompt window, and use the gpupdate /force command to refresh the
Group Policy.
4. Sign out and then sign in as Adatum\Holly with the password Pa$$w0rd.
5. Browse to the desktop.
6. Right-click the desktop and use the Personalize menu to enable User’s Files on the desktop.
7. From the Desktop, open the Holly Dickson folder.
8. Right-click My Documents, and then click Properties.
9. In the My Documents Properties dialog box, note that the location of the folder is now the network
share in a subfolder named for the user.
10. If the folder redirection is not evident, sign out, and then sign in as Adatum\Holly with the password
Pa$$w0rd. Repeat steps 7 to 9.
11. Sign out of LON-CL1.
Results: After this exercise, you should have successfully configured folder redirection to a shared folder
on the LON-DC1 server.
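The redirection share, as an added Windows PowerShell example that is not part of the course lab. The lab's Everyone Read/Write share would let every branch user read every other user's redirected Documents, so this version applies the NTFS permissions Microsoft recommends for a folder redirection root (users can list the root and create their own folder, the creator of a folder owns it, and nothing else is readable across users), turns on access-based enumeration for the share, and closes with the check a user can run on LON-CL1 to see where Documents now lives. It assumes Exercise 1 already created C:\Branch1.

```powershell
# Added example, not the course's own lab code. Run as Adatum\Administrator on LON-DC1.
Import-Module SmbShare

$root = 'C:\Branch1\Redirect'
New-Item -Path $root -ItemType Directory -Force | Out-Null

# Build the ACL from scratch: stop inheriting the permissive ACEs from C:\Branch1.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$rules = @(
    # Administrators and SYSTEM: Full control on this folder, subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inheritAll, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inheritAll, 'None', 'Allow'),
    # Authenticated Users: list the root and create a folder, this folder only. No read into other users' folders.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'ListDirectory, CreateDirectories, ReadAttributes, Synchronize', 'None', 'None', 'Allow'),
    # CREATOR OWNER: whoever creates a subfolder gets Full control on it and everything beneath it.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', $inheritAll, 'InheritOnly', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $root -AclObject $acl

# Share level: Full access for domain accounts; the NTFS ACL above is what actually limits access.
# Access-based enumeration hides other users' folders from anyone who cannot open them.
if (-not (Get-SmbShare -Name 'Branch1Redirect' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Branch1Redirect' -Path $root -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}
Get-Acl -Path $root | Format-List Path, Owner, AccessToString

# Check on LON-CL1, signed in as Adatum\Holly, after gpupdate /force and a sign-out/sign-in.
# Explorer resolves the Documents location from this value; a redirected folder shows a UNC path.
$shellFolders = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$shellFolders.Personal
```

With the Basic redirection setting and Create a folder for each user under the root path, the Personal value should point to a folder named for the user beneath \\LON-DC1\Branch1Redirect; with the default Grant the user exclusive rights option, the per-user folder is created in the user's own security context, which is why the CREATOR OWNER entry above is all the user needs.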
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-CL1.
Module Review and Takeaways
Best Practices Related to Group Policy Management
• Include comments on GPO settings
• Use a central store for Administrative Templates (ADMX files) when you have clients running Windows Vista, Windows 7,
or Windows 8
• Use Group Policy preferences to configure settings that are not available in the Group Policy set of
settings
• Use Group Policy software installation to deploy packages in .msi format to a large number of users
or computers
Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
1. You have configured folder redirection for an OU, but none of the users’ folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. |
2. You have assigned an application to an OU. After multiple logons, users report that the application has not been installed. |
3. You have a mixture of Windows XP and Windows 8 computers. After configuring several settings in the Administrative Templates of a GPO, users with the Windows XP operating system report that some settings are being applied and others are not. |
4. Group Policy preferences are not being applied. |
Review Questions
Question: Why do some Group Policy settings take two logons before going into effect?
Question: How can you support Group Policy preferences on Windows XP?
Question: What is the benefit of having a central store?
Question: What is the main difference between Group Policy settings and Group Policy
preferences?
Question: What is the difference between publishing and assigning software through Group
Policy?
Question: Can you use Windows PowerShell scripts as startup scripts?
Module 7
Configuring and Troubleshooting Remote Access
Contents:
Module Overview 7-1
Lesson 1: Configuring Network Access 7-2
Lesson 2: Configuring VPN Access 7-10
Lesson 3: Overview of Network Policies 7-19
Lesson 4: Troubleshooting Routing and Remote Access 7-25
Lab A: Configuring Remote Access 7-30
Lesson 5: Configuring DirectAccess 7-34
Lab B: Configuring DirectAccess 7-47
Module Review and Takeaways 7-56
Module Overview
Most organizations have users that work remotely, perhaps from home or maybe from customer sites.
To facilitate and support these remote connections, you must implement remote access technologies to
support this distributed workforce. You must become familiar with the technologies that enable remote
users to connect to your organization’s network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess, a feature of the Windows® 7 and Windows 8 operating systems. It is
important that you understand how to configure and secure your remote access clients by using network
policies. This module explores these remote access technologies.
Objectives
After completing this module, you will be able to:
• Configure network access.
• Create and configure a VPN solution.
• Describe the role of network policies.
• Troubleshoot routing and remote access.
• Configure DirectAccess.
Lesson 1
Configuring Network Access
Network Access in the Windows Server® 2012 operating system provides the required services that enable
remote users to connect to your network. To support the needs of both your organization and your
remote users, it is important that you are able to install and configure these Windows Server 2012 network access components successfully.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components of a Network Access Services infrastructure.
• Describe the Network Policy and Access Services role.
• Describe Routing and Remote Access.
• Explain network access authentication and authorization.
• Explain the types of authentication methods that are used for network access.
• Describe a public key infrastructure (PKI).
• Explain how Dynamic Host Configuration Protocol (DHCP) servers are used with the Routing and
Remote Access Service.
Components of a Network Access Services Infrastructure
The underlying infrastructure in a complete
Network Access Services infrastructure in
Windows Server 2012 typically includes the
following components:
• Virtual Private Network (VPN) Server. Provides remote access connectivity based on various VPN tunneling protocols over a public network, such as the Internet.
• Active Directory® Domain Services (AD DS). Services authentication requests from remote access client connection attempts.
• Active Directory Certificate Services (AD CS). You can use digital certificates to provide for authentication in remote access scenarios. By deploying AD CS, you can create a PKI in your organization to support the issue, management, and revocation of certificates.
• DHCP Server. Supplies accepted inbound remote access connections with an IP configuration for network connectivity to the corporate local area network (LAN).
• Network Policy Server (NPS). Provides authentication services for other network access components.
• Network Access Protection (NAP) components:
o NAP Health Policy Server. Evaluates system health against configured health policies that describe health requirements and enforcement behaviors, such as requiring that connecting clients must be compliant before they gain access to the network.
o Health Registration Authority (HRA). Obtains health certificates for clients that pass the health
policy verification.
o Remediation Servers. Provide remediation services to those clients that do not meet the health
requirements for the corporate network. Remediation Servers are special servers on a limited
network.
What Is the Network Policy and Access Services Role?
The Network Policy and Access Services role in
Windows Server 2012 provides the following
network connectivity solutions:
• Enforces health policies. Establishes and
enforces health policies automatically, which
can include software requirements, security
update requirements, and required computer
configurations.
• Helps to secure wireless and wired access.
When you deploy 802.1X wireless access
points, secure wireless access provides
wireless users with a secure certificate or
password-based authentication method that is simple to deploy. When you deploy 802.1X
authenticating switches, they allow you to secure your wired network by ensuring that intranet users
are authenticated before they can connect to the network or obtain an IP address using DHCP.
• Centralizes network policy management with Remote Authentication Dial-in User Service (RADIUS)
server and proxy. Rather than configuring network access policy at each network access server (such
as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers), you can
create policies in a single location that specify all aspects of network connection requests. These policies can include who is allowed to connect, when they can connect, and the level of security that
they must use to connect to your network.
Note: The Remote Access components are a separate server role in Windows Server 2012.
What Is the Remote Access Role?
The Remote Access role enables you to provide
users with remote access to your organization’s
network using one of the following technologies:
• VPN Access. A VPN provides a point-to-point
connection between components of a private
network through a public network, such as
the Internet. Tunneling protocols enable a
VPN client to establish and maintain a
connection to a VPN server’s listening virtual
port. You also can connect branch offices to
your network with VPN solutions, deploy full-
featured software routers on your network,
and share Internet connections across the intranet.
• DirectAccess. DirectAccess enables seamless remote access to intranet resources without the user first
establishing a VPN connection. DirectAccess ensures seamless connectivity to the application
infrastructure for both internal users and remote users.
You can deploy the following technologies during the installation of the Remote Access role:
• DirectAccess and VPN Remote Access Service (RAS). Using DirectAccess and VPN RAS, you can enable and configure:
o DirectAccess solutions for your organization.
o VPN connections to provide end users with remote access to your organization’s network.
• Routing. This provides a full-featured software router and an open platform for routing and
internetworking. It offers routing services to businesses in LAN and wide area network (WAN) environments.
When you choose routing, Network Address Translation (NAT) is also installed. When you deploy
NAT, the server that is running Remote Access is configured to share an Internet connection with
computers on a private network, and to translate traffic between its public address and the private
network. By using NAT, the computers on the private network gain some measure of protection
because the router on which you configure NAT does not forward traffic from the Internet into the
private network unless a private network client requests it or traffic is explicitly allowed.
When you deploy VPN and NAT, you configure the server that is running Remote Access to provide
NAT for the private network, and to accept VPN connections. Computers on the Internet will not be
able to determine the IP addresses of computers on the private network. However, VPN clients will be
able to connect to computers on the private network as if they were physically attached to the same
network.
Network Authentication and Authorization
The distinction between authentication and
authorization is important in understanding why
connection attempts are accepted or denied:
• Authentication is the verification of the
connection attempt’s credentials. This process
consists of sending the credentials from the
remote access client to the Remote Access
server in either plaintext or encrypted form
by using an authentication protocol.
• Authorization is the verification that the
connection attempt is allowed. Authorization
occurs after successful authentication.
For a connection attempt to be accepted, the connection attempt must be authenticated and authorized.
It is possible for the connection attempt to be authenticated by using valid credentials, but not
authorized; in this case, the connection attempt is denied.
If you configure a Remote Access server for Windows Authentication, the security features of Windows
Server 2012 verify the authentication credentials, while the user account’s dial-in properties and locally
stored remote access policies authorize the connection. If the connection attempt is both authenticated
and authorized, then the connection attempt is accepted.
If you configure the Remote Access server for RADIUS authentication, the connection attempt’s
credentials are passed to the RADIUS server for authentication and authorization. If the connection
attempt is both authenticated and authorized, the RADIUS server sends an accept message back to the
Remote Access server and the connection attempt is accepted. If the connection attempt is either not
authenticated or not authorized, the RADIUS server sends a reject message back to the Remote Access
server and the connection attempt is rejected.
Authentication Methods
The authentication of access clients is an
important security concern. Authentication
methods typically use an authentication
protocol that is negotiated during the connection
establishment process. The following methods
are supported by the Remote Access role.
PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated only if the remote access client and Remote Access server cannot negotiate a more secure form of validation. PAP is included in Windows Server 2012 to support older client operating systems that support no other authentication method; because the password crosses the link in the clear, leave PAP disabled unless such a client must be supported.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to compute the response from the challenge and the password, so the password itself does not cross the link. Various vendors of network access servers and clients use CHAP. Because CHAP requires the server to hold the user’s password in reversibly encrypted form (in AD DS, the Store password using reversible encryption account option), you should consider using another authentication protocol, such as Microsoft® Challenge Handshake Authentication Protocol (MS-CHAP) version 2.
MS-CHAP V2
MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:
1. The authenticator (the Remote Access server or the computer that is running NPS) sends a challenge to the remote access client. The challenge consists of a session identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.
4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
Because the client’s response is computed with DES from the NT hash of the password, a captured MS-CHAP v2 exchange can be attacked offline. Use MS-CHAP v2 only inside a protected EAP tunnel (PEAP with EAP-MS-CHAP v2), or use certificate-based EAP-TLS instead.
EAP
With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates
a remote access connection. The remote access client and the authenticator (either the Remote Access
server or the RADIUS server) negotiate the exact authentication scheme to be used. Routing and Remote
Access includes support for EAP-Transport Layer Security (EAP-TLS) by default. You can plug in other EAP
modules to the server that is running Routing and Remote Access to provide other EAP methods.
Other Options
In addition to the previously mentioned authentication methods, there are two other options that you can
enable when selecting an authentication method:
• Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather the lack of
one. Unauthenticated access allows remote systems to connect without authentication. This option
should never be enabled in a production environment, however, as it leaves your network at risk.
Nonetheless, this option can sometimes be useful for troubleshooting authentication issues in a test
environment.
• Machine Certificate for Internet Key Exchange version 2 (IKEv2). Select this option if you wish to use
VPN Reconnect.
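The selection of authentication methods described above, as an added Windows PowerShell example that is not part of the course. It audits which user authentication protocols a Windows Server 2012 VPN server accepts and removes PAP and CHAP, leaving EAP and MS-CHAP v2. It assumes the RemoteAccess module's Get-VpnAuthProtocol and Set-VpnAuthProtocol cmdlets, whose accepted protocol names are PAP, CHAP, MSChapv2, EAP and Certificate (the last is the IKEv2 machine certificate option), and it must run on the VPN server itself after the Remote Access role is installed and configured for VPN.

```powershell
# Added example, not the course's own code. Run elevated on the Windows Server 2012 VPN server.
Import-Module RemoteAccess

$weakProtocols = @('PAP', 'CHAP')   # plaintext password, and reversibly encrypted password on the server

function Get-WeakVpnAuthProtocol {
    # Returns the currently accepted user authentication protocols that expose the password.
    $accepted = @((Get-VpnAuthProtocol).UserAuthProtocolAccepted)
    $accepted | Where-Object { $_ -in $weakProtocols }
}

$before = @((Get-VpnAuthProtocol).UserAuthProtocolAccepted)
"Accepted before: $($before -join ', ')"

$weak = @(Get-WeakVpnAuthProtocol)
if ($weak.Count -gt 0) {
    $strong = @($before | Where-Object { $_ -notin $weakProtocols })
    if ($strong.Count -eq 0) {
        # Never leave the server with no method at all; EAP first, MS-CHAP v2 as the fallback.
        $strong = @('EAP', 'MSChapv2')
    }
    Set-VpnAuthProtocol -UserAuthProtocolAccepted $strong
    "Removed        : $($weak -join ', ')"
}
"Accepted after : $((Get-VpnAuthProtocol).UserAuthProtocolAccepted -join ', ')"
```

The choice of EAP type (for example EAP-TLS with user certificates, or PEAP wrapping EAP-MS-CHAP v2) is made in the NPS network policy rather than here, and if existing connections keep negotiating the old protocols, restart the Routing and Remote Access service so the new list applies to every new connection attempt.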
What Is a PKI?
A PKI consists of several components that help
you secure corporate communications and
transactions, including those used in remote
access scenarios. There are many components
that are required to work together to provide a
complete PKI solution. The PKI components in
Windows Server 2012 are:
• Certification Authority (CA). CA issues and
manages digital certificates for users, services,
and computers. By deploying CA, you
establish the PKI in your organization.
• Digital certificates. Digital certificates are
similar in function to an electronic passport. A digital certificate is used to prove the identity of the
user (or other entity). Digital certificates contain the electronic credentials that are associated with a
public key and a private key, which are used to authenticate users and other devices such as Web
servers and mail servers. Digital certificates also ensure that software or code is run from a trusted
source. Digital certificates contain various fields, such as Subject (which includes the Common Name), Issuer, and Subject Alternative Name. These fields are used to determine the specific use of the certificate. For example, a Web server certificate might name web01.contoso.com, which would make that certificate
valid only for that web server. If an attempt were made to use that certificate on a web server named
web02.contoso.com, the user of that server would receive a warning.
• Certificate templates. This component describes the content and purpose of a digital certificate. When
requesting a certificate from an AD CS enterprise CA, the certificate requestor will, depending on his
or her access rights, be able to select from a variety of certificate types based on certificate templates,
such as User and Code Signing. The certificate template saves users from low-level, technical decisions
about the type of certificate they need. In addition, they allow administrators to distinguish who
might request which certificates.
• CRLs and Online Responders.
o Certificate revocation lists (CRLs) are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients, based on the configured lifetime of the CRL. The lists are used to verify a certificate’s revocation status.
o Online Responders are part of the Online Certificate Status Protocol (OCSP) role service in Windows Server 2008 and Windows Server 2012. An Online Responder can receive a request to check for revocation of a certificate without requiring the client to download the entire CRL. This speeds up certificate revocation checking and reduces network bandwidth. It also increases scalability and fault tolerance by allowing for array configuration of Online Responders.
• Public key–based applications and services. This relates to applications or services that support public
key encryption. In other words, the application or services must be able to support public key
implementations to gain the benefits from it.
• Certificate and CA management tools. Management tools provide command-line and GUI-based
tools to:
o Configure CAs.
o Recover archived private keys.
o Import and export keys and certificates.
o Publish CA certificates and CRLs.
o Manage issued certificates.
• Authority information access (AIA) and CRL distribution points (CDPs). AIA points determine the
location where CA certificates can be found and validated, and CDP locations determine the points
where certificate revocation lists can be found during certificate validation process. Because CRLs can
become large, (depending on the number of certificates issued and revoked by a CA), you can also
publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since
the last regular CRL was published. This allows clients to retrieve the smaller delta CRLs and more
quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data
to be published more frequently, because the size of a delta CRL means that it usually does not
require as much time to transfer as a full CRL.
• Hardware security module (HSM). A hardware security module is an optional cryptographic hardware device that generates and stores the CA’s private keys in tamper-resistant hardware, so that the keys cannot be exported from it, and that also accelerates cryptographic processing. An HSM is typically attached to the CA computer physically or reached over the network. It is an optional add-on in your PKI, and is most widely used in high security environments where there would be a significant impact if a CA key were compromised.
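The certificate fields and the AIA and CDP extensions described above, as an added Windows PowerShell example that is not part of the course. It reads a certificate from the local machine store, prints the fields the PKI lesson names, and then checks the name-binding claim made earlier (a certificate issued for web01.contoso.com is not valid for web02.contoso.com) with Test-Certificate from the PKI module, which also builds the chain and fetches revocation data from the certificate's own CDP and AIA URLs. The host names are the page's own examples; it assumes a certificate whose Subject contains CN=web01.contoso.com is installed in Cert:\LocalMachine\My.

```powershell
# Added example, not the course's own code. Windows 8 / Windows Server 2012 PKI module.
Import-Module PKI

function Get-CertificatePkiSummary {
    # Collects the fields the PKI lesson describes, decoding each extension by its OID.
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = @{}
    foreach ($e in $Cert.Extensions) { $ext[$e.Oid.Value] = $e.Format($true) }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        SAN        = $ext['2.5.29.17']           # Subject Alternative Name: the names TLS clients actually match
        EKU        = $ext['2.5.29.37']           # Enhanced Key Usage, e.g. Server Authentication
        AIA        = $ext['1.3.6.1.5.5.7.1.1']   # Authority Information Access: issuer certificate and OCSP URLs
        CDP        = $ext['2.5.29.31']           # CRL Distribution Points: where the CRL (and delta CRL) is published
    }
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*CN=web01.contoso.com*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for web01.contoso.com found in Cert:\LocalMachine\My' }

Get-CertificatePkiSummary -Cert $cert | Format-List

# Chain, revocation (via CDP/AIA) and host name check. Only the first name should pass.
foreach ($name in 'web01.contoso.com', 'web02.contoso.com') {
    $ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $name -ErrorAction SilentlyContinue
    '{0,-20} valid for SSL as that name: {1}' -f $name, [bool]$ok
}
```

Current TLS clients match the host name against the Subject Alternative Name extension and ignore the Common Name, so a Web server certificate issued from an enterprise CA should always carry a SAN entry for every name the server answers to; a CN-only certificate produces exactly the warning the lesson describes, even on the right server.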
Integrating DHCP with Routing and Remote Access
You can deploy the DHCP role with the Remote
Access role, which provides remote access clients
with a dynamically assigned IP address during
connection. When you use these services together
on the same server, the information that is
provided during dynamic configuration is
provided in a way that is different from typical
DHCP configuration for LAN–based clients.
In LAN environments, DHCP clients negotiate and
receive the following configuration information,
based entirely on settings that you configure in
the DHCP console for the DHCP server:
• A leased IP address that is provided from an available address pool of an active scope on the DHCP
server. The DHCP server directly manages and distributes the address to the LAN-based DHCP client.
• Additional parameters and other configuration information that are assigned as DHCP options in the address lease. The values and list of options correspond to option types that you configure and assign on the DHCP server.
When a Remote Access server provides dynamic configuration for remote access clients, it first performs
the following steps:
1. When the server that is running Remote Access starts with the Use DHCP to assign remote TCP/IP
addresses option, it instructs the DHCP client to obtain 10 IP addresses from a DHCP server.
2. The Remote Access server uses the first of these 10 IP addresses that are obtained from the DHCP
server for the Remote Access server interface.
3. The remaining nine addresses are allocated to TCP/IP-based clients as they dial in to establish a
session with the Remote Access server.
IP addresses that are freed when remote access clients disconnect are reused. When all 10 IP addresses are
used, the Remote Access server obtains 10 more from a DHCP server. When the Routing and Remote
Access service stops, all IP addresses that were obtained through DHCP are released.
When the Remote Access server uses this type of proactive caching of DHCP address leases for dial-up
clients, it records the following information for each lease response that it obtains from the DHCP server:
• The IP address of the DHCP server.
• The client-leased IP address (for later distribution to the Routing and Remote Access client).
• The time at which the lease was obtained.
• The time at which the lease expires.
• The lease duration.
All other DHCP option information that the DHCP server returns—such as server, scope, or reservation
options—is discarded. When the client dials in to the server and requests an IP address (that is, when
Server Assigned IP Address is selected), it uses a cached DHCP lease to provide the dial-up client with
dynamic IP address configuration.
When the IP address is provided to the dial-up client, the client is unaware that the IP address has been
obtained through this intermediate process between the DHCP server and the Remote Access server. The
Remote Access server maintains the lease on the client’s behalf. Therefore, the only information that the
client receives from the DHCP server is the IP address.
In dial-up environments, DHCP clients negotiate and receive dynamic configuration using the following
modified behavior:
• A leased IP address from the Routing and Remote Access server cache of DHCP scope addresses. The
Routing and Remote Access server obtains and renews its cached address pool with the DHCP server.
• If the DHCP server typically provides the additional parameters and other configuration information
that currently is provided through assigned DHCP options in the address lease, this information is
returned to the Remote Access client based on TCP/IP properties that are configured on the Remote
Access server.
Note: DHCP servers that are running Windows Server 2012 provide a predefined user
class—the Default Routing and Remote Access Class—for assigning options that are provided
only to Routing and Remote Access clients. To assign these options, you must create a DHCP
policy with a condition of the User Class Equals Default Routing and Remote Access Class.
Then, configure the required options.
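The DHCP policy the note describes, as an added Windows PowerShell example that is not part of the course. It uses the DhcpServer module on a Windows Server 2012 DHCP server to create a policy whose single condition is the predefined Default Routing and Remote Access Class, and then assigns options to that policy so that only Routing and Remote Access clients receive them while LAN clients keep the scope's normal options. The scope 172.16.0.0 and the DNS server address 172.16.0.10 are constructed values for the example and must be replaced with your own.

```powershell
# Added example, not the course's own code. Run elevated on the DHCP server.
Import-Module DhcpServer

$scope      = '172.16.0.0'                                # constructed scope ID; substitute yours
$className  = 'Default Routing and Remote Access Class'   # predefined user class; do not create it
$policyName = 'RRAS clients'

# The class is built in; confirm it exists before referencing it in a policy.
$class = Get-DhcpServerv4Class -Type User | Where-Object { $_.Name -eq $className }
if (-not $class) { throw "User class '$className' not found on this DHCP server" }

# Policy with one condition: User Class equals the RRAS class.
if (-not (Get-DhcpServerv4Policy -ScopeId $scope | Where-Object { $_.Name -eq $policyName })) {
    Add-DhcpServerv4Policy -Name $policyName -ScopeId $scope -Condition OR `
        -UserClass EQ, $className `
        -Description 'Options handed only to clients served through Routing and Remote Access'
}

# Options that apply only when the policy matches. LAN clients still get the scope-level values.
Set-DhcpServerv4OptionValue -ScopeId $scope -PolicyName $policyName -DnsServer '172.16.0.10' -Force
Set-DhcpServerv4OptionValue -ScopeId $scope -PolicyName $policyName -OptionId 15 -Value 'adatum.com'

# Review what the policy now carries.
Get-DhcpServerv4Policy -ScopeId $scope -Name $policyName
Get-DhcpServerv4OptionValue -ScopeId $scope -PolicyName $policyName
```

Because the Remote Access server discards the options in the leases it caches, the values set here reach a remote access client only through the option request the client makes after the connection is up; if a client shows the scope-level values instead, check the policy's condition and the scope ID first.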
Lesson 2
Configuring VPN Access
To properly implement and support a VPN environment within your organization, it is important that you
understand how to select a suitable tunneling protocol, how to configure VPN authentication, and how to
configure the Network Policy and Access Services server role to support your chosen configuration.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe what a VPN connection is, and how it is used to connect remote network clients.
• Describe the tunneling protocols used for a VPN connection.
• Describe VPN Reconnect.
• Describe configuration requirements for a VPN connection.
• Explain how to configure VPN access.
• Describe additional tasks that you can complete after configuring a VPN server.
• Describe the features in and benefits of the Connection Manager Administration Kit.
• Explain how to create a connection profile using the Connection Manager Administration Kit.
What Is a VPN Connection?
To emulate a point-to-point link, data is
encapsulated (or wrapped) and prefixed with a
header; this header provides routing information
that enables the data to traverse the shared or
public network to reach its endpoint.
To emulate a private link, data is encrypted
to ensure confidentiality. Packets that are
intercepted on the shared or public network are
indecipherable without encryption keys. The link
in which the private data is encapsulated and
encrypted is known as a VPN connection.
There are two types of VPN connections:
• Remote access
• Site-to-site
Remote Access VPN
Remote access VPN connections enable your users who are working offsite (for example, at home, at a
customer site, or from a public wireless access point) to access a server on your organization’s private
network using the infrastructure that a public network provides, such as the Internet. From the user’s
perspective, the VPN is a point-to-point connection between the computer (the VPN client) and your
organization’s server. The exact infrastructure of the shared or public network is irrelevant because it
appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices (or with other organizations) over a
public network while helping to maintain secure communications. A routed VPN connection across the
Internet logically operates as a dedicated WAN link. When networks connect over the Internet, a router
forwards packets to another router across a VPN connection. To the routers, the VPN connection operates
as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering
router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from
either router across the VPN connection typically do not originate at the routers.
Properties of VPN Connections
VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with
Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP), have the following
properties:
• Encapsulation. With VPN technology, private data is encapsulated with a header containing routing information that allows the data to traverse the transit network.
• Authentication. Authentication for VPN connections takes the following three different forms:
o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method, and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
o Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a pre-shared key. In either case, the VPN client and server authenticate each other at the computer level. We recommend computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.
o Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the other end of the connection and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.
• Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption processes depend on the sender and the receiver both using a common encryption key.
Packets that are intercepted in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key’s length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.
Tunneling Protocols for VPN Connections
PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames, and then transmits the encapsulated PPP packets across a point-to-point link. PPP was defined originally as the protocol to use between a dial-up client and a network access server.
PPTP
PPTP enables you to encrypt and encapsulate in an IP header multi-protocol traffic that then is sent across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet, and a second interface on the intranet.
• Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management, and a modified version of Generic Route Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.
• Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys that are generated from the MS-CHAPv2 or EAP-TLS authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames are encrypted. PPTP uses the underlying PPP encryption and encapsulates a previously encrypted PPP frame.
L2TP
L2TP enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP
relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as
L2TP/IPsec.
To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built into the Windows XP, Windows Vista®, Windows 7, and Windows 8 remote access clients. VPN server support for L2TP is built into members of the Windows Server 2012, Windows Server 2008, and Windows Server 2003 families.
• Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers, L2TP encapsulation and IPsec encapsulation. L2TP encapsulates and encrypts data in the following way:
o First layer. The first layer is the L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.
o Second layer. The second layer is the IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses that correspond to the VPN client and server.
• Encryption: The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.
SSTP
SSTP is a tunneling protocol that uses the HTTP/Secure (HTTPS) protocol over TCP port 443 to pass
traffic through firewalls and web proxies, which otherwise might block PPTP and L2TP/IPsec traffic. SSTP
provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS
protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides
transport-level security with enhanced key negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload using the following encapsulation and encryption methods:
• Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connection (over port 443) for tunnel management and for the PPP data frames.
• Encryption. The SSTP message is encrypted with the SSL channel of the HTTPS protocol.
IKEv2
IKEv2 uses the IPsec Tunnel Mode protocol over UDP port 500. IKEv2 supports mobility, making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable users to move easily between wireless hotspots, or between wireless and wired connections.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.
• Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH) for transmission over the network.
• Encryption. The message is encrypted with one of the following algorithms by using encryption keys that are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES.
IKEv2 is supported only on computers that are running Windows 7, Windows 8, Windows Server 2008 R2,
and Windows Server 2012. IKEv2 is the default VPN tunneling protocol in Windows 7 and Windows 8.
What Is VPN Reconnect?
In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and access it continuously, without interruption. For example, users might want to securely access data that is on the company’s server, from a branch office or while on the road.
To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7. With this feature, users can access the company’s data by using a VPN connection, which will reconnect automatically if connectivity is interrupted. VPN Reconnect also enables roaming between different networks.
VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN connectivity. Users
who connect via a wireless mobile broadband will benefit most from this capability. Consider a user with
a laptop that is running Windows 8. When the user travels to work in a train, he or she connects to the
Internet with a wireless mobile broadband card, and then establishes a VPN connection to the company’s
network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges
from the tunnel, the wireless mobile broadband card reconnects automatically to the Internet. With older
versions of Windows client and server operating systems, VPN did not reconnect automatically. Therefore,
the user would have to repeat the multistep process of connecting to the VPN manually. This was time-
consuming and frustrating for mobile users with intermittent connectivity.
With VPN Reconnect, Windows Server 2012 and Windows 8 re-establish active VPN connections automatically when Internet connectivity is re-established. Even though the reconnection might take several seconds, users need not reinstate the connection manually, or authenticate again to access internal network resources.
The system requirements for using the VPN Reconnect feature are as follows:
• Windows Server 2008 R2 or Windows Server 2012 as a VPN server.
• Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012 client.
• A public key infrastructure (PKI), because a computer certificate is required for a remote connection with VPN Reconnect. You can use certificates issued by either an internal or public CA.
Configuration Requirements
Before deploying your organization’s VPN solution, consider the following configuration requirements:
• Your VPN server requires two network interfaces. You must determine which network interface will connect to the Internet, and which network interface will connect to your private network. During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.
• Determine whether remote clients receive IP addresses from a DHCP server on your private network or from the remote access VPN server that you are configuring. If you have a DHCP server on your private network, the remote access VPN server can lease 10 addresses at a time from the DHCP server, and then assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can automatically generate and assign IP addresses to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.
• Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients on your private network.
Note: To enable a RADIUS infrastructure, install the Network Policy and Access Services
server role. The NPS can act as either a RADIUS proxy or a RADIUS server.
• Determine whether VPN clients can send DHCPINFORM messages to the DHCP server on your private
network. If a DHCP server is on the same subnet as your remote access VPN server, DHCPINFORM
messages from VPN clients will be able to reach the DHCP server after the VPN connection is
established. If a DHCP server is on a different subnet from your remote access VPN server, make sure
that the router between subnets can relay DHCP messages between clients and the server. If your
router is running Windows Server 2008 R2 or Windows Server 2012, you can configure the DHCP
Relay Agent service on the router to forward DHCPINFORM messages between subnets.
• Ensure that the person who is responsible for the deployment of your VPN solution has the necessary administrative group memberships to install the server roles and configure the necessary services; membership of the local Administrators group is required to perform these tasks.
Demonstration: How to Configure VPN Access
This demonstration shows how to:
• Configure Remote Access as a VPN server.
• Configure a VPN client.
Demonstration Steps
Configure Remote Access as a VPN server
1. Sign in to LON-RTR as Adatum\Administrator with the password Pa$$w0rd.
2. On LON-RTR, open Server Manager, and add the Network Policy and Access Services role.
3. Close Server Manager.
4. Open the Network Policy Server console.
5. Register the server in AD DS.
6. Leave the Network Policy Server window open.
7. Open Routing and Remote Access.
8. Disable the existing configuration.
9. Reconfigure LON-RTR as a VPN Server using the following settings:
o Local Area Connection 2 is the public interface.
o The VPN server allocates addresses from the pool: 172.16.0.100 - 172.16.0.111.
o The server is configured with the option No, use Routing and Remote Access to authenticate connection requests.
10. Start the VPN service.
Configure a VPN Client
1. Switch to LON-CL2, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Create a new VPN connection with the following properties:
o Internet address to connect to: 10.10.0.1
o Destination name: Adatum VPN
o Allow other people to use this connection: true
3. Once you have created the VPN, modify its settings by viewing the properties of the connection, and
then select the Security tab to reconfigure the VPN using the following settings:
o Type of VPN: Point to Point Tunneling Protocol (PPTP)
o Authentication: Allow these protocols = Microsoft CHAP Version 2 (MS-CHAP v2)
4. Test the VPN connection using the following credentials:
o User name: Adatum\administrator
o Password: Pa$$w0rd
5. Wait for the VPN connection to be made. Your connection is unsuccessful. You receive an error relating to authentication issues.
Completing Additional Configuration Tasks
After you complete the steps to deploy and initially configure your Remote Access solution, your server is ready for use as a remote access VPN server. However, you can also perform the following additional tasks on your remote access/VPN server:
• Configure static packet filters. Add static packet filters to better protect your network.
• Configure services and ports. Choose which services on the private network you want to make available for remote access users.
• Adjust logging levels. Configure the level of event details that you want to log. You can decide which information you want to track in log files.
• Configure the number of VPN ports. Add or remove VPN ports.
• Create a Connection Manager profile for users. Manage the client connection experience for users, and simplify configuration and troubleshooting of client connections.
• Add AD CS. Configure and manage a CA on a server for use in a PKI.
• Increase remote access security. Protect remote users and the private network by enforcing use of secure authentication methods, requiring higher levels of data encryption, and more.
• Increase VPN security. Protect remote users and the private network by requiring use of secure tunneling protocols, configuring account lockout, and more.
• Consider implementing VPN Reconnect. Consider adding VPN Reconnect to re-establish VPN connections automatically for users who temporarily lose their Internet connections.
What Is the Connection Manager Administration Kit?
The Connection Manager Administration Kit (CMAK) allows you to customize users’ remote connection options by creating predefined connections to remote servers and networks. The CMAK wizard creates an executable file, which you can then distribute in many ways, or include during deployment activities as part of the operating system image.
Connection Manager is a client network connection tool that allows a user to connect to a remote network, such as an Internet Service Provider (ISP) or a corporate network protected by a VPN server.
CMAK is a tool that you can use to customize the remote connection experience for users on your
network by creating predefined connections to remote servers and networks. You use the CMAK wizard to
create and customize a connection for your users.
CMAK is an optional component that is not installed by default. You must install CMAK to create
connection profiles that your users can install to access remote networks.
Distributing the Connection Profile
The CMAK wizard compiles the connection profile into a single executable file with an .exe file name
extension. You can deliver this file to users through any method that is available to you. Some methods to
consider are:
• Include the connection profile as part of the image that is included with new computers.
You can install your connection profile as part of the client computer images that are installed on your organization’s new computers.
• Deliver the connection profile on removable media for the user to install manually.
You can deliver the connection profile installation program on a CD/DVD, USB flash drive, or any other removable media that you permit your users to access. Some removable media support autorun capabilities, which allow you to start the installation automatically when the user inserts the media into the client computer.
• Deliver the connection profile with automated software distribution tools.
Many organizations use a desktop management and software deployment tool such as Microsoft System Center Configuration Manager (previously called Systems Management Server). Configuration Manager provides the ability to package and deploy software that is intended for your client computers. The installation can be invisible to your users, and you can configure it to report back to the management console whether the installation was successful or not.
Demonstration: How to Create a Connection Profile
This demonstration shows how to:
• Install CMAK.
• Create a connection profile.
• Examine the profile.
Demonstration Steps
Install CMAK
1. If necessary, on LON-CL2, sign in as Adatum\administrator with the password Pa$$w0rd.
2. Open Control Panel, and turn on the Windows feature called RAS Connection Manager Administration Kit (CMAK).
Create a connection profile
1. In Administrative Tools, open the Connection Manager Administration Kit.
2. Complete the Connection Manager Administration Kit Wizard to create the connection profile.
Examine the created profile
• Use Windows Explorer to examine the contents of the folder that you created with the Connection
Manager Administration Kit Wizard to create the connection profile. Normally, you would now
distribute this profile to your users.
Lesson 3
Overview of Network Policies
Network policies determine whether a connection attempt is successful. If the connection attempt is
successful, then the network policy also defines connection characteristics, such as day and time
restrictions, session idle-disconnect times, and other settings.
Understanding how to configure network policies is essential if you are to successfully implement VPNs
based on the Network Policy and Access Services server role within your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe what a network policy is.
• Describe network policy processing.
• Describe the process for creating a new network policy.
• Explain how to create a network policy for VPN connections.
What Is a Network Policy?
A network policy is a set of conditions, constraints, and settings that enable you to designate who is authorized to connect to the network, and the circumstances under which they can or cannot connect. Additionally, when you deploy NAP, health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process.
You can view network policies as rules: each rule has a set of conditions and settings. NPS compares the rule’s conditions to the properties of connection requests. If a match occurs between the rule and the connection request, then the settings that you define in the rule are applied to the connection.
When you configure multiple network policies in NPS, they are an ordered set of rules. NPS checks each
connection request against the list’s first rule, then the second, and so on, until a match is found.
Note: Once a matching rule is determined, further rules are disregarded. Therefore, it is important that you order your network policies appropriately, in order of importance.
Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.
Network Policy Properties
Each network policy has four categories of properties:
• Overview. Overview properties allow you to specify whether the policy is enabled, whether the policy
grants or denies access, and whether a specific network connection method or type of network access
server is required for connection requests. Overview properties also enable you to specify whether to
ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses only the
network policy’s settings to determine whether to authorize the connection.
• Conditions. These properties allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions that are configured in the policy match the
connection request, NPS applies the network policy settings to the connection. For example, if you
specify the network access server IPv4 address (NAS IPv4 Address) as a condition of the network
policy, and NPS receives a connection request from a NAS that has the specified IP address, the
condition in the policy matches the connection request.
• Constraints. Constraints are additional parameters of the network policy that are required to match
the connection request. If the connection request does not match a constraint, NPS rejects the
request automatically. Unlike the NPS response to unmatched conditions in the network policy, if
a constraint is not matched, NPS does not evaluate additional network policies, and the connection
request is denied.
• Settings. The Settings properties allow you to specify the settings that NPS applies to the connection
request, provided that all of the policy’s network policy conditions are matched and the request is
accepted.
When you add a new network policy using the NPS Microsoft Management Console (MMC) snap-in,
you must use the New Network Policy Wizard. After you have created a network policy using the New
Network Policy Wizard, you can customize the policy by double-clicking it in NPS to obtain the policy
properties.
Note: The default policies on the NPS block network access. After creating your own
policies, you should change the priority, disable, or remove these default policies.
Network Policy Processing
When NPS performs authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy and moving down the list. If NPS finds a policy in which the conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If you configure the dial-in properties of the user account to grant or control access through network policy, and the connection request is authorized, NPS applies the settings that you configure in the network policy to the connection:
• If NPS does not find a network policy that matches the connection request, NPS rejects the connection unless the dial-in properties on the user account are set to grant access.
• If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
Process for Creating and Configuring a Network Policy
NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a connection request to your network. You can configure a new network policy in either the NPS MMC snap-in, or the Routing and Remote Access Service MMC snap-in.
Creating Your Policy
When you use the New Network Policy Wizard to create a network policy, the value that you specify as the network connection method is used automatically to configure the Policy Type condition. If you keep the default value of Unspecified, NPS evaluates the network policy that you create for all network connection types through any type of network access server. If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify.
For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy only for
connection requests that originate from Remote Desktop Gateway servers.
On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to your
network, select Access denied. If you want user account dial-in properties in AD DS to determine access
permission, you can select the Access is determined by User Dial-in properties check box. This setting
overrides the NPS policy.
Configuring Your Policy
Once you have created your network policy, you can use the network policy’s Properties dialog box to
view or modify its settings.
Network Policy Properties - Overview Tab
From the Overview tab of the network policy’s Properties dialog box, or while running the New Network
Policy Wizard, you can configure the following settings:
• Policy name. Type a friendly and meaningful name for the network policy.
• Policy State. Designate whether to enable the policy.
• Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the connection attempt’s authorization.
• The network connection method to use for the connection request:
o Unspecified. If you select Unspecified, NPS evaluates the network policy for all connection requests that originate from any type of network access server, and for any connection method.
o Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates the network policy for connection requests that originate from servers that are running Remote Desktop Gateway.
o Remote Access Server (VPN-Dial-up). If you specify Remote Access Server (VPN-Dial-up), NPS evaluates the network policy for connection requests that originate from a computer that is running Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or VPN server is used, the server must support both the RADIUS protocol and the authentication protocols that NPS provides for dial-up and VPN connections.
o DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for connection requests that originate from servers that are running DHCP.
o Health Registration Authority. If you specify Health Registration Authority, NPS evaluates the network policy for connection requests that originate from servers that are running Health Registration Authority.
o HCAP server. If you specify HCAP server, NPS evaluates the network policy for connection requests that originate from servers that are running HCAP.
Network Policy Properties - Conditions Tab
You must configure at least one condition for every network policy. You do this on the network policy’s
Properties dialog box Conditions tab. From this tab, NPS provides many condition groups, which allow
you to define clearly the properties that the connection request must have to match the policy.
The available condition groups from which you can select are:
• Groups. These specify user or computer groups that you configure in AD DS and to which you want
the other rules of the network policy to apply, when group members attempt to connect to the
network.
• Host Credential Authorization Protocol (HCAP). These conditions are used only when you want to integrate your NPS NAP solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You also must deploy an HCAP server that is running Internet Information Services (IIS) and NPS.
• Day and Time Restrictions. The Day and Time Restrictions condition allows you to specify, at a weekly
interval, whether to allow connections on a specific set of days and times.
• NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers, Operating System,
and Policy Expiration.
• Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6 Address,
Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.
• RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name, Client IPv4
Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.
• Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and
NAS Port Type.
Network Policy Properties - Constraints Tab
Constraints are optional additional network policy parameters that differ from network policy conditions
in one substantial way: when a condition does not match a connection request, NPS continues to evaluate
other configured network policies to find a match for the connection request. When a constraint does not
match a connection request, NPS does not evaluate additional network policies, but rejects the
connection request, and the user or computer is denied network access. Use a condition for anything that
should let a request fall through to a later policy, and a constraint only for a requirement whose failure
should end evaluation with a rejection.
The following list describes the constraints that you can configure on the network policy’s Properties
dialog box Constraints tab:
• Authentication Methods. Allows you to specify the authentication methods that are required for the
connection request to match the network policy.
• Idle Timeout. Allows you to specify the maximum time, in minutes, that a connection can remain idle
before the network access server disconnects it.
• Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a user can be
connected to the network before the session is ended.
• Called Station ID. Allows you to specify the telephone number of the dial-up server that clients use to
access the network.
• Day and time restrictions. Allows you to specify when users can connect to the network.
• NAS Port Type. Allows you to specify the access media types (for example, VPN, wireless, or Ethernet)
through which users are allowed to connect to the network.
Network Policy Properties - Settings Tab
If all of the conditions and constraints that you configure in the policy match the connection request's
properties, then NPS applies to the connection the settings that you configure on the network policy's
Properties dialog box Settings tab. These settings include:
• RADIUS Attributes. This setting allows you to define additional standard or vendor-specific RADIUS
attributes that NPS returns to the RADIUS client (the access server, such as the VPN server or a
wireless access point) in the Access-Accept message; the access server applies them to the connection.
• NAP. This setting enables you to configure NAP-related settings, including whether connecting
clients are granted full network access, limited access, or are enabled for auto-remediation.
• Routing and Remote Access. This setting allows you to configure multilink and bandwidth allocation
protocol settings, IP filters, encryption settings, and other IP settings for the connections.
Demonstration: How to Create a Network Policy
This demonstration shows how to:
• Create a VPN policy based on the Windows Groups condition.
• Test the VPN.
Demonstration Steps
Create a VPN policy based on the Windows Groups condition
1. On LON-RTR, switch to the Network Policy Server console.
2. Disable the two existing network policies. These would interfere with the processing of the policy you
are about to create.
3. Create a new Network Policy using the following properties:
o Policy name: Adatum VPN Policy
o Type of network access server: Remote Access Server (VPN-Dial up)
o Condition: Windows Groups = Domain Admins
o Permission: Access granted
o Authentication methods: default
o Constraints: default
o Settings: default
Test the VPN
1. Switch to LON-CL2.
2. Test the Adatum VPN connection. Use the following credentials:
o User name: Adatum\administrator
o Password: Pa$$w0rd
Lesson 4
Troubleshooting Routing and Remote Access
Troubleshooting the Routing and Remote Access Service can be a time-consuming task. The issues might
be varied and not easily identifiable. Given that you might be using dial-up, dedicated, leased, or
public-based networks to satisfy your remote connectivity solution, you must perform troubleshooting in a
methodical, systematic process.
In some cases, you can identify and resolve the problem quickly, while other cases might test your
understanding of all the available tools to help you determine the issue's source and resolve it in a timely
fashion.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to configure remote access logging.
• Describe how to configure remote access tracing.
• Explain how to resolve general VPN connectivity problems.
• Explain how to troubleshoot other common remote access issues.
Configuring Remote Access Logging
To configure remote-access logging, open the Routing and Remote Access console, right-click the server
name, and then click Properties. Click the Logging tab to view the available logging levels and the
location of the log file.
Initially, it might be best to specify more logging
options than you might necessarily need, rather
than specifying too few options. Once you
determine the logging level that is most useful
for troubleshooting your infrastructure, you can
change the options and/or level of logging at
your discretion.
Four logging levels are available on the Logging tab, as described in the following table.
Dialog box option         Description
Log Errors Only           Specifies that only errors are logged in the System log in Event Viewer.
Log Errors and Warnings   Specifies that both errors and warnings are logged in the System log in Event Viewer.
Log all events            Specifies that the maximum amount of information is logged in the System log in Event Viewer.
Do not log any events     Specifies that no events are logged in the System log in Event Viewer.
The Log additional Routing and Remote Access information (used for debugging) check box
enables you to specify whether the events in the PPP connection-establishment process are written to the
PPP.LOG file. This log file is stored in the systemroot\Tracing folder (the default location).
Configuring Remote Access Tracing
The Remote Access service in Windows Server 2012 has an extensive tracing capability that you can use to
troubleshoot complex network problems. You can enable the components in Windows Server 2012 to log
tracing information to files using the Netsh command, or through the registry.
Enabling Tracing with the Netsh Command
You can use the Netsh command to enable and disable tracing for specified components or for all
components. To enable and disable tracing for a specific component, use the following syntax:
netsh ras set tracing component enabled|disabled
Where component is a component in the list of Routing and Remote Access service components found in
the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing
for the RASAUTH component, the command is as follows:
netsh ras set tracing rasauth enabled
To enable tracing for all components, use the following command:
netsh ras set tracing * enabled
Enabling Tracing through the Registry
You also can configure tracing by changing settings in the registry under the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
You can enable tracing for each Remote Access service component by setting the appropriate registry
values. You can enable and disable tracing for components while the Routing and Remote Access service
is running. Each component is capable of tracing, and appears as a subkey under the preceding Registry
key.
To enable tracing for each component, you can configure the following registry entries for each protocol
key:
EnableFileTracing REG_DWORD Flag
You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value
is 0.
FileDirectory REG_EXPAND_SZ Path
You can change the default location of the tracing files by setting FileDirectory to the path that you want.
The log file's file name is the component name for which tracing is enabled. By default, log files are placed
in the SystemRoot\Tracing folder.
FileTracingMask REG_DWORD LevelOfTracingInformationLogged
FileTracingMask determines how much tracing information is logged to the file. The default value is
0xFFFF0000.
MaxFileSize REG_DWORD SizeOfLogFile
You can change the log file size by setting different values for MaxFileSize. The default value is 0x10000
(64K).
Note: Tracing consumes system resources, and you should use it sparingly to help identify
network problems. After you capture the trace or identify the problem, you should disable
tracing immediately. Do not leave tracing enabled on multiprocessor computers.
Tracing information can be complex and detailed. Therefore, typically only Microsoft support
professionals or network administrators who are experienced with the Routing and Remote
Access service find this information useful.
You can save tracing information as files, and send it to Microsoft support for analysis.
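The following script, added here as an illustration and not part of the course handbook, drives the registry values described above from PowerShell: it turns file tracing on for a chosen set of components, waits while you reproduce the failure, turns it off again and copies the logs out, then confirms that no component was left enabled, as the note requires. The component names, the 1 MB file size and the collection folder are assumptions for the example; run it in an elevated PowerShell session on the RRAS server.

```powershell
# Added example, not from the course handbook. Assumes an elevated session on the RRAS
# server; the component names and the collection folder below are assumptions.
$tracingRoot = 'HKLM:\SOFTWARE\Microsoft\Tracing'
$components  = 'RASAUTH', 'PPP', 'RASMAN'      # assumed; Get-ChildItem $tracingRoot lists every component
$collectTo   = 'C:\RasTrace'                   # assumed folder to keep the captured logs in

function Set-RasTracing {
    param(
        [Parameter(Mandatory)] [string[]] $Component,
        [Parameter(Mandatory)] [bool]     $Enabled,
        [string] $Directory   = "$env:SystemRoot\Tracing",   # FileDirectory (REG_EXPAND_SZ)
        [int]    $MaxFileSize = 0x100000,                    # 1 MB; the default is 0x10000 (64 KB)
        [int]    $Mask        = 0xFFFF0000                   # FileTracingMask; -65536 as a signed DWORD
    )
    foreach ($c in $Component) {
        $key = Join-Path $tracingRoot $c
        if (-not (Test-Path $key)) { Write-Warning "No tracing subkey for '$c'; skipping"; continue }
        if ($Enabled) {
            Set-ItemProperty -Path $key -Name FileDirectory   -Value $Directory   -Type ExpandString
            Set-ItemProperty -Path $key -Name FileTracingMask -Value $Mask        -Type DWord
            Set-ItemProperty -Path $key -Name MaxFileSize     -Value $MaxFileSize -Type DWord
        }
        # EnableFileTracing is the switch: 1 = on, 0 = off (the default). It takes effect while RRAS runs.
        Set-ItemProperty -Path $key -Name EnableFileTracing -Value ([int]$Enabled) -Type DWord
    }
}

function Get-RasTracingEnabled {
    # Returns the name of every component whose EnableFileTracing is currently 1.
    Get-ChildItem -Path $tracingRoot | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).EnableFileTracing -eq 1
    } | ForEach-Object { $_.PSChildName }
}

# 1. Capture: enable, reproduce, disable. Keep the window short; tracing is expensive.
Set-RasTracing -Component $components -Enabled $true
Read-Host 'Reproduce the failing connection now, then press Enter'
Set-RasTracing -Component $components -Enabled $false

# 2. Collect the per-component log files (<component>.log in the tracing folder).
New-Item -ItemType Directory -Path $collectTo -Force | Out-Null
foreach ($c in $components) {
    Get-ChildItem -Path (Join-Path $env:SystemRoot "Tracing\$c.log") -ErrorAction SilentlyContinue |
        Copy-Item -Destination $collectTo
}

# 3. Confirm nothing was left switched on.
$left = @(Get-RasTracingEnabled)
if ($left.Count) { Write-Warning "Tracing still enabled for: $($left -join ', ')" }
else             { "Tracing disabled for all components; logs copied to $collectTo" }
```

The same capture can be started with netsh ras set tracing * enabled, but the registry form lets you limit tracing to the components you actually need and size the log files, which matters on a busy server.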
Resolving General VPN Problems
To resolve general problems with establishing a remote access VPN connection, perform the following
tasks:
• Use the ping command to verify that the host name is being resolved to its correct IP address. The ping
itself might not be successful due to packet filtering that is preventing the delivery of Internet Control
Message Protocol (ICMP) messages to and from the VPN server; a failed ping therefore proves nothing
by itself, but the address that ping reports must be the VPN server's.
• Verify that the credentials of the VPN client, which consist of user name, password, and domain name,
are correct and that the VPN server can validate them.
• Verify that the user account of the VPN client is not locked out, expired, or disabled, and that the
time at which the connection is being made falls within the account's configured logon hours. If the
password on the account has expired, verify that the remote access VPN client is using MS-CHAP v2.
MS-CHAP v2 is the only authentication protocol that Windows Server 2012 provides that allows you
to change an expired password during the connection process.
• Reset expired administrator-level account passwords by using another administrator-level account.
• Verify that the user account has not been locked out due to remote access account lockout.
• Verify that the Routing and Remote Access service is running on the VPN server.
• Verify that the VPN server is enabled for remote access from the VPN server Properties dialog box
General tab.
• Verify that the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices (and WAN Miniport (SSTP) or
WAN Miniport (IKEv2), if you use those tunnel types) are enabled for inbound remote access from the
properties of the Ports object in the Routing and Remote Access snap-in, and that enough ports are
configured for the number of concurrent clients.
• Verify that the VPN client, the VPN server, and the network policy that correspond to VPN
connections are configured to use at least one common authentication method.
• Verify that the VPN client and the network policy that correspond to VPN connections are configured
to use at least one common encryption strength.
• Verify that the connection's parameters have permission through network policies.
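The checklist above can be worked through from an administrator's workstation with the script below. It is an added example and not part of the course handbook: it resolves the server name, tests the TCP listeners (PPTP on 1723, SSTP on 443), queries the RRAS server for its service state, its latest System log events and the remote access account lockout registry key, and then reports the account state that the checklist asks about. The server names, the test user and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the course handbook. Assumptions: the VPN server's public name,
# an internal name reachable over WinRM, a test user, and RSAT's ActiveDirectory module
# on the workstation that runs this script (PowerShell 3.0 or later).
$VpnServer   = 'vpn.adatum.com'   # assumed public DNS name that clients dial
$ServerAdmin = 'LON-RTR'          # assumed internal name of the RRAS server for Invoke-Command
$User        = 'April'            # assumed sAMAccountName of the user who cannot connect
$TcpPorts    = 1723, 443          # PPTP control channel and SSTP

# 1. Name resolution: the first check above, without depending on ICMP getting through.
$addr = Resolve-DnsName -Name $VpnServer -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
if ($addr) { "$VpnServer resolves to: $($addr -join ', ')" }
else       { Write-Warning "$VpnServer does not resolve; fix DNS before anything else" }

# 2. TCP reachability. GRE (IP protocol 47) and ESP (protocol 50) are not TCP, so a PPTP
#    client that still fails with TCP/1723 open is most likely being blocked on GRE.
foreach ($p in $TcpPorts) {
    $r = Test-NetConnection -ComputerName $VpnServer -Port $p -WarningAction SilentlyContinue
    '{0} TCP/{1}: {2}' -f $VpnServer, $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or closed' })
}

# 3. On the server: service state, the latest RRAS events in the System log, and the remote
#    access account lockout feature (a locked-out user appears as a DOMAIN:user subkey).
Invoke-Command -ComputerName $ServerAdmin -ArgumentList $User -ScriptBlock {
    param($User)
    Get-Service RemoteAccess | Select-Object Name, Status
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess' } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    $lockKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
    $cfg = Get-ItemProperty -Path $lockKey -ErrorAction SilentlyContinue
    if ($cfg.MaxDenials -gt 0) {
        "RRAS account lockout is on: MaxDenials=$($cfg.MaxDenials), reset after $($cfg.'ResetTime (mins)') min"
        Get-ChildItem -Path $lockKey | Where-Object { $_.PSChildName -like "*:$User" } |
            ForEach-Object { "LOCKED OUT by RRAS: $($_.PSChildName) (delete this subkey to reset)" }
    }
}

# 4. The account itself: disabled, locked out, expired, password expired, logon hours, dial-in.
Import-Module ActiveDirectory
$u = Get-ADUser -Identity $User -Properties LockedOut, PasswordExpired, AccountExpirationDate, LogonHours, msNPAllowDialin
[pscustomobject]@{
    User              = $u.SamAccountName
    Enabled           = $u.Enabled
    LockedOut         = $u.LockedOut
    PasswordExpired   = $u.PasswordExpired        # only MS-CHAP v2 can change it during the connection
    AccountExpiration = $u.AccountExpirationDate
    LogonHoursLimited = [bool]($u.LogonHours | Where-Object { $_ -ne 255 })   # 21 bytes of 0xFF = no limit
    DialIn            = $(if ($null -eq $u.msNPAllowDialin) { 'Control access through NPS network policy' }
                          elseif ($u.msNPAllowDialin) { 'Allow access' } else { 'Deny access' })
}
```

The remote access account lockout in step 3 is separate from the AD DS lockout in step 4: RRAS counts failed attempts per user in its own registry key, and an account that is fine in AD DS can still be refused until that subkey is removed or the reset time elapses.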
Troubleshooting Other Issues
This topic lists other common issues that you
might encounter when using Remote Access in
Windows Server 2012.
Error 800: VPN Server is Unreachable
• Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.
• Solution: Ensure that the appropriate ports and protocols are open on the firewall.
o PPTP. For PPTP traffic, configure the network firewall to open TCP port 1723, and to forward IP
protocol 47 (GRE) traffic to the VPN server.
o L2TP/IPsec. For L2TP/IPsec traffic, configure the network firewall to allow IPsec ESP-formatted packets
(IP protocol 50) and the IKE negotiation on UDP port 500, plus UDP port 4500 when the client or server
is behind a NAT device (NAT-T). UDP port 1701, which L2TP itself uses, is carried inside the ESP
packets, so opening it alone does not let L2TP/IPsec traffic through.
o SSTP. For SSTP, enable TCP port 443.
Error 721: Remote Computer is Not Responding
• Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47). PPTP
uses GRE for tunneled data.
• Solution: Configure the network firewall between the VPN client and the server to permit GRE.
Additionally, make sure that the network firewall permits TCP traffic on port 1723. Both of these
conditions must be met to establish VPN connectivity by using PPTP.
Note: The firewall might be on or in front of the VPN client, or in front of the VPN server.
Error 741/742: Encryption Mismatch Error
• Cause: These errors occur if the VPN client requests an invalid encryption level or if the VPN server
does not support an encryption type that the client requests.
• Solution: Check the properties on the Security tab of the VPN connection on the VPN client.
If Require data encryption (disconnect if none) is selected, clear the selection and retry the
connection as a diagnostic step only: if the connection then succeeds, the mismatch is confirmed, but
the tunnel is now carrying data without encryption, so restore the setting afterwards. If you are
using NPS, check the encryption level in the network policy in the NPS console, or check the policies
on other RADIUS servers. Ensure that the encryption level that the VPN client requests is selected
on the VPN server, and fix the mismatch there rather than by leaving encryption optional.
L2TP/IPsec Authentication Issues
The following list describes the most common reasons that L2TP/IPsec connections fail:
• No certificate. By default, L2TP/IPsec connections require that, for IPsec peer authentication, an
exchange of computer certificates occur between the Remote Access server and Remote Access client.
Use the Certificates snap-in to check the Local Computer certificate stores of both the Remote Access
client and the Remote Access server and ensure that a suitable certificate exists.
• Incorrect certificate. The VPN client must have a valid computer certificate installed that was issued
by a CA with a valid certificate chain from the issuing CA to a root CA that the VPN server
trusts. Additionally, the VPN server must have a valid computer certificate installed that was issued by
a CA with a valid certificate chain from the issuing CA to a root CA that the VPN client
trusts.
• A NAT device exists between the remote access client and Remote Access server. If there is a NAT
between a Windows 2000 Server, Windows Server 2003, or Windows XP-based L2TP/IPsec client and
a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless the
client and server support IPsec NAT traversal (NAT-T).
• A firewall exists between the Remote Access client and the Remote Access server. If there is a firewall
between a Windows L2TP/IPsec client and a Windows Server 2012 L2TP/IPsec server, and if you
cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec
traffic (UDP port 500, UDP port 4500, and IP protocol 50).
EAP-TLS Authentication Issues
When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating
server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating
server to validate the VPN client's certificate, the following must be true for each certificate in the
certificate chain that the VPN client sends:
• The current date must be within the certificate's validity dates. When certificates are issued, they are
issued with a range of valid dates, before which they cannot be used, and after which they are
considered expired.
• The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CA
maintains a list of certificates that are not considered valid, and publishes an up-to-date certificate
revocation list (CRL). By default, the authenticating server checks all certificates in the VPN client's
certificate chain (the series of certificates from the VPN client certificate to the root CA) for
revocation. If any of the chain's certificates have been revoked, certificate validation fails. The
authenticating server must therefore be able to reach the CRL distribution point of each CA in the
chain, or hold a cached copy of each CRL that has not yet expired.
• The certificate has a valid digital signature. CAs digitally sign certificates that they issue. The
authenticating server verifies the digital signature of each certificate in the chain (with the exception
of the root CA certificate), by obtaining the public key from the certificate's issuing CA and
mathematically validating the digital signature.
For the VPN client to validate the authenticating server's certificate for EAP-TLS authentication,
the following must be true for each certificate in the certificate chain that the authenticating server
sends:
o The current date must be within the certificate's validity dates.
o The certificate must have a valid digital signature.
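The three checks just listed (validity dates, revocation of every link, and the signature on every link) are exactly what Windows performs when it builds a certificate chain, so you can reproduce the authenticating server's decision ahead of time. The function below, an added example that is not part of the course handbook, serves both the L2TP/IPsec certificate bullets above and the EAP-TLS list: it builds the chain with online (or cached) revocation checking for the entire chain, requires the enhanced key usage the role needs, and reports every chain status so that "No certificate" and "Incorrect certificate" cases can be told apart. The store location, the issuing CA name and the EKU mapping are assumptions for the example.

```powershell
# Added example, not from the course handbook. Checks one certificate the way the
# authenticating server (or the L2TP/IPsec peer) does: validity dates, a chain to a trusted
# root, the signature on every link, and revocation of every link. The store location,
# issuer name and EKU selection below are assumptions for the example.
function Test-VpnCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [ValidateSet('ClientAuthentication', 'ServerAuthentication')] [string] $Usage = 'ClientAuthentication',
        [switch] $OfflineRevocation   # use cached CRLs only, e.g. on a client with no path to the CDP
    )
    # EKU required for the role: client auth for the certificate the client sends,
    # server auth for the certificate the VPN or RADIUS server presents.
    $ekuOid = @{ ClientAuthentication = '1.3.6.1.5.5.7.3.2'; ServerAuthentication = '1.3.6.1.5.5.7.3.1' }[$Usage]

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $(if ($OfflineRevocation) { 'Offline' } else { 'Online' })
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'   # every certificate in the chain, as NPS does
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'     # no shortcuts: untrusted roots and stale CRLs fail
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ekuOid))

    $built = $chain.Build($Certificate)
    $now   = Get-Date
    $hasEku = [bool]($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $ekuOid })
    $root = if ($chain.ChainElements.Count) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { $null }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        WithinDates    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        HasRequiredEku = $hasEku
        ChainValid     = $built      # false if any link is expired, revoked, untrusted or badly signed
        RootCA         = $root
        Problems       = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# Usage: the computer certificate this machine would present for L2TP/IPsec or as an EAP-TLS
# server. For the EAP-TLS client certificate, use Cert:\CurrentUser\My and -Usage ClientAuthentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like '*Adatum-LON-DC1-CA*' } |   # assumed CA name
        Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) { Test-VpnCertificate -Certificate $cert -Usage ServerAuthentication | Format-List }
else       { Write-Warning 'No certificate from the expected CA in the Local Computer store ("No certificate" case above)' }
```

A result with ChainValid false and a Problems entry of RevocationStatusUnknown or OfflineRevocation usually means the CRL distribution point is unreachable from where the check runs, not that the certificate is bad; run it from the authenticating server's network position before changing anything in the PKI.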
Lab A: Configuring Remote Access
Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in
London, United Kingdom. An IT office and a data center are located in London to support the London
location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client
infrastructure.
The management at A. Datum wants to implement a remote access solution for their employees so that
the users can connect to the corporate network while away from the office. You decide to deploy a pilot
project that will enable users in the IT department to connect using a VPN to the corporate intranet.
Objectives
After completing this lab, you will be able to:
1. Configure a VPN server.
2. Configure VPN clients.
Lab Setup
Virtual machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-RTR and 20411B-LON-CL2.
Exercise 1: Configuring a Virtual Private Network Server
Scenario
A. Datum Corporation wants to implement a Remote Access solution for its employees so they can
connect to the corporate network while away from the office. You are required to enable and configure
the necessary server services to facilitate this remote access. To support the VPN solution, you need to
configure a Network Policy that reflects corporate remote connection policy. For the pilot, only the IT
security group should be able to use VPN. Required conditions include the need for a client certificate,
and connection hours are only allowed between Monday and Friday, at any time.
The main tasks for this exercise are as follows:
1. Configure server and client certificates.
2. Configure the Remote Access role.
3. Create a network policy for virtual private network (VPN) clients.
Task 1: Configure server and client certificates
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Open Certification Authority.
4. From the Certificate Templates console, open the properties of the Computer certificate template.
5. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
6. Restart the Certification Authority.
7. Close Certification Authority.
8. Open the Group Policy Management Console.
9. Navigate to Forest: Adatum.com\Domains\Adatum.com.
10. Edit the Default Domain Policy.
11. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings
\Public Key Policies.
12. Create a new Automatic Certificate Request Settings entry for the Computer certificate template.
13. Close the Group Policy Management Editor and the Group Policy Management Console.
14. Switch to the LON-RTR computer.
15. Create a management console by running mmc.exe.
16. Add the Certificates snap-in with the focus on the local computer account.
17. Navigate to the Personal certificate store, and click Request New Certificate.
18. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and
then click Next.
19. Enroll the Computer certificate that is listed.
20. Close the console, and do not save the console settings.
21. Switch to the LON-CL2 computer, and sign in as Adatum\Administrator with the password
Pa$$w0rd.
22. Open a command prompt, and run the gpupdate /force command to refresh the group policy
settings.
23. Create a management console by running mmc.exe.
24. Add the Certificates snap-in with the focus on the local computer account.
25. Navigate to the Personal certificate store.
26. Verify that a certificate exists for LON-CL2 that has been issued by Adatum-LON-DC1-CA.
27. Close the console, and do not save the console settings.
Task 2: Configure the Remote Access role
1. On LON-RTR, open Server Manager, and add the Network Policy and Access Services role.
2. Close Server Manager.
3. Open the Network Policy Server console.
4. Register the server in AD DS.
5. Leave the Network Policy Server window open.
6. Open Routing and Remote Access.
7. Disable the existing configuration.
8. Reconfigure LON-RTR as a VPN Server with the following settings:
a. Local Area Connection 2 is the public interface
b. The VPN server allocates addresses from the pool: 172.16.0.100 - 172.16.0.111
c. The server is configured with the option No, use Routing and Remote Access to authenticate
connection requests.
9. Start the VPN service.
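The same result as Task 1 (steps 15 to 19 and 26) and Task 2 can be reached from PowerShell on LON-RTR, which is easier to repeat and to review than the console walk-through. The script below is an added example and not part of the course handbook: it enrolls the Computer certificate from the enterprise CA and checks the issuer, adds the roles, registers NPS in AD DS, replaces the existing RRAS configuration with a VPN server that uses the lab's static pool and local authentication, and verifies the outcome. Names and the address pool are the lab's; that the PKI and RemoteAccess PowerShell modules are available on Windows Server 2012, and the exact behaviour of Uninstall-RemoteAccess on an unconfigured server, are assumptions.

```powershell
# Added example, not from the course handbook: the certificate enrollment and Remote Access
# configuration of Exercise 1 (Task 1 steps 15-19 and 26, and Task 2) done from an elevated
# PowerShell session on LON-RTR. Names and the address pool come from the lab; the presence
# of the PKI and RemoteAccess modules on Windows Server 2012 is assumed.

# Task 1: enroll the Computer certificate from the enterprise CA and check who issued it.
$enroll = Get-Certificate -Template Computer -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: status $($enroll.Status)" }
$cert = $enroll.Certificate
if ($cert.Issuer -notlike '*Adatum-LON-DC1-CA*') { Write-Warning "Issued by an unexpected CA: $($cert.Issuer)" }
"Computer certificate: $($cert.Subject), expires $($cert.NotAfter)"

# Task 2, steps 1-4: add the roles and register NPS in AD DS, which puts LON-RTR into the
# RAS and IAS Servers group so that it can read the dial-in properties of user accounts.
Install-WindowsFeature NPAS, DirectAccess-VPN -IncludeManagementTools | Out-Null
netsh ras add registeredserver

# Task 2, steps 6-9: replace any existing RRAS configuration with a VPN server that hands out
# addresses from the lab pool and authenticates locally ("No, use Routing and Remote Access").
Uninstall-RemoteAccess -VpnType Vpn -Force -ErrorAction SilentlyContinue   # assumed safe on a fresh server
Install-RemoteAccess -VpnType Vpn
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange 172.16.0.100, 172.16.0.111
Set-VpnAuthType -Type Windows
Restart-Service RemoteAccess

# Verify before moving on to the network policy (Task 3, which is created in the NPS console).
Get-RemoteAccess | Select-Object VpnStatus
Get-VpnIPAddressAssignment
Get-Service RemoteAccess | Select-Object Name, Status
```

The network policy of Task 3 has no cmdlet equivalent in this release; create it in the console and then capture the finished NPS configuration with netsh nps export so that the policy can be reviewed and restored.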
Task 3: Create a network policy for virtual private network (VPN) clients
1. On LON-RTR, switch to the Network Policy Server console.
2. Disable the two existing network policies. These would interfere with the processing of the policy you
are about to create.
3. Create a new Network Policy using the following properties:
a. Policy name: IT Pilot VPN Policy
b. Type of network access server: Remote Access Server (VPN-Dial up)
c. Condition: Windows Groups = IT
d. Permission: Access granted
e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
f. Constraints: Day and time restrictions = All day Monday to Friday allowed.
g. Settings: default
Results: After this exercise, you should have successfully deployed a VPN server, and configured access for
members of the IT global security group.
Exercise 2: Configuring VPN Clients
Scenario
You must now provide a simple client solution so that users can install a preconfigured L2TP-based VPN
connection, which enables them to connect to the corporate network.
The main tasks for this exercise are as follows:
1. Configure and distribute a Connection Manager Administration Kit profile.
2. Verify client access.
3. Prepare for the next lab.
Task 1: Configure and distribute a Connection Manager Administration Kit profile
1. Switch to LON-CL2.
2. From Control Panel, install the RAS Connection Manager Administration Kit (CMAK) feature.
3. From Administrative Tools, open the Connection Manager Administration Kit.
4. Complete the Connection Manager Administration Kit Wizard using defaults except where stated
below:
a. Select the Target Operating System page: Windows Vista or above
b. Create or Modify a Connection Manager profile page: New profile
c. Specify the Service Name and the File Name page:
Service name: Adatum Pilot VPN
File name: Adatum
d. Specify a Realm Name page: Do not add a realm name to the user name
e. Add Support for VPN Connections page:
Phone book from this profile: enabled
VPN server name or IP address: 10.10.0.1
f. Create or Modify a VPN Entry page: Edit the listed VPN entry. On the Security tab:
VPN strategy: Only use Layer Two Tunneling Protocol (L2TP).
g. Add a Custom Phone Book page: Automatically download phone book updates deselected.
5. Open Windows Explorer and navigate to C:\Program Files\CMAK\Profiles
\Windows Vista and above\Adatum.
6. Double-click Adatum.exe, and complete the Adatum Pilot VPN Wizard:
o Make this connection available for: All users
7. In the connection window, click Cancel.
Task 2: Verify client access
1. Sign out of LON-CL2.
2. Sign in as Adatum\April with the password Pa$$w0rd.
3. Open Network Connections.
4. Test the Adatum Pilot VPN connection. Use the following credentials:
o User name: Adatum\April
o Password: Pa$$w0rd
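For a scripted client check that matches the profile built in Task 1 (L2TP only, available to all users, server 10.10.0.1) and the test in Task 2, the VpnClient module can replace the CMAK package on LON-CL2. The script below is an added example and not part of the course handbook: it creates the connection with MS-CHAP v2 and encryption required, dials it as April with rasdial, checks that the tunnel is connected and that the assigned address came from the server pool, and disconnects. The server address, tunnel type and credentials are the lab's; the interface alias used for the address check is an assumption.

```powershell
# Added example, not from the course handbook: the client side of Exercise 2 built with the
# VpnClient module on LON-CL2 instead of the CMAK package. Server address, tunnel type and
# credentials are the lab's; the interface alias used below is an assumption.
$name = 'Adatum Pilot VPN'

# L2TP only, for all users, MS-CHAP v2 with encryption required. No -L2tpPsk, so IPsec peer
# authentication uses the computer certificate enrolled in Exercise 1, as the lab intends.
Add-VpnConnection -Name $name -ServerAddress '10.10.0.1' -TunnelType L2tp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -AllUserConnection -Force

$conn = Get-VpnConnection -Name $name -AllUserConnection
'{0}: tunnel={1} auth={2} encryption={3}' -f $conn.Name, $conn.TunnelType, ($conn.AuthenticationMethod -join ','), $conn.EncryptionLevel

# Dial as April (Task 2, step 4). rasdial sets a non-zero exit code on failure, using the same
# error numbers (800, 721, 741/742, ...) that the troubleshooting topics in Lesson 4 describe.
rasdial $name 'Adatum\April' 'Pa$$w0rd'
if ($LASTEXITCODE -ne 0) { throw "Connection failed with error $LASTEXITCODE" }

# Confirm the tunnel is up and the address came from the server pool (172.16.0.100-111).
$conn = Get-VpnConnection -Name $name -AllUserConnection
"ConnectionStatus: $($conn.ConnectionStatus)"
Get-NetIPAddress -InterfaceAlias $name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    ForEach-Object { "Assigned: $($_.IPAddress) (expected within 172.16.0.100-172.16.0.111)" }

rasdial $name /disconnect
```

Passing the password on the rasdial command line is acceptable for a lab test; in production, omit it so that rasdial prompts, or let users supply credentials through the connection dialog.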
To prepare for the next lab
• When you are finished the lab, revert all virtual machines back to their initial state.
Results: After this exercise, you should have successfully distributed a CMAK profile, and tested VPN
access.
Lesson 5
Configuring DirectAccess
Organizations often rely on VPN connections to provide remote users with secure access to data and
resources on the corporate network. VPN connections are easy to configure and are supported by
different clients. However, VPN connections must first be initiated by the user, and could require
additional configuration on the corporate firewall. In addition, VPN connections usually enable remote
access to the entire corporate network. Moreover, organizations cannot effectively manage remote
computers unless they are connected. To overcome such limitations in VPN connections, organizations
can implement DirectAccess to provide a seamless connection between the internal network and the
remote computer on the Internet. With DirectAccess, organizations can manage remote computers more
effectively, because they are effectively considered part of the corporate network.
Lesson Objectives
After completing this lesson, you will be able to:
• Discuss complexities of typical VPN connections.
• Describe DirectAccess.
• Describe the components required to implement DirectAccess.
• Explain how to use the Name Resolution Policy Table.
• Explain how DirectAccess works for internally connected clients.
• Explain how DirectAccess works for externally connected clients.
• List the DirectAccess prerequisites.
• Explain how to configure DirectAccess.
Complexities of Managing VPNs
Many organizations rely on VPN connections to
provide their users with secure remote access to
resources on the internal corporate network.
These VPN connections must often be configured
manually, which can present interoperability issues
in situations when the users are using multiple
different VPN clients. Additionally, VPN
connections can pose the following problems:
• Users must initiate the VPN connections.
• The connections may require multiple steps to initiate, and the connection process can take several
seconds or more.
• Firewalls can pose additional considerations. If not properly configured on the firewall, VPN
connections may fail, or worse, may inadvertently enable remote access to the entire corporate
network.
• Troubleshooting failed VPN connections can often be a significant portion of Help Desk calls for
many organizations.
• VPN connected computers are not easily managed. VPN–based remote client computers present a
challenge to IT professionals, because these computers might not connect to the internal network for
weeks at a time, preventing them from downloading Group Policy Objects (GPOs) and software
updates.
Extending the Network to the Remotely-Connected Computers and Users
To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess
to provide a seamless connection between the internal network and the remote computer on the Internet.
With DirectAccess, organizations can more easily manage remote computers, because they are always
connected.
What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources
without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless
connectivity to the application infrastructure for internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any IPv6-capable application on the client computer to have complete access to intranet
resources. DirectAccess also enables you to specify resources and client-side applications that are
restricted for remote access.
Organizations can benefit from DirectAccess by providing a way in which IT staff can manage remote
computers as they would manage local computers. Using the same management and update servers, you
can ensure that remote computers are always up-to-date and in compliance with your security and
system health policies. You can also define more detailed access control policies for remote access when
compared with defining access control policies in VPN solutions.
DirectAccess offers the following features:
• Connects automatically to the corporate intranet when connected to the Internet.
• Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS is typically allowed
through firewalls and proxy servers.
• Supports selected server access and end-to-end IPsec authentication with intranet network servers.
• Supports end-to-end authentication and encryption with intranet network servers.
• Supports management of remote client computers.
• Allows remote users to connect directly to intranet servers.
DirectAccess also provides the following benefits:
• Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is also connected to the intranet. This connectivity enables remote client computers to
access and update applications more easily. It also makes intranet resources always available, and
enables users to connect to the corporate intranet from anywhere and anytime, thereby improving
their productivity and performance.
• Seamless connectivity. DirectAccess provides a consistent connectivity experience, regardless of
whether the client computer is local or remote. This allows users to focus more on productivity and
less on connectivity options and process. This consistency can reduce training costs for users, with
fewer support incidents.
• Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have
access to intranet resources and you can also have access from the intranet to those DirectAccessclients. Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always
updated with recent security updates, the domain Group Policy is enforced, and there is no difference
whether the users are on the corporate intranet or on the public network. This bidirectional access
also results in:
o Decreased update time
o Increased security
o Decreased update miss rate
o Improved compliance monitoring
• Manage-out Support. The Manage-out Support feature is new in Windows Server 2012, and it
provides the ability to enable only remote management functionality in the DirectAccess client. This
new sub-option of the DirectAccess client configuration wizard automates the deployment of policies
that are used for managing the client computer. Manage-out support does not implement any policy
options that allow users to connect to the network for file or application access. Manage-out support
is unidirectional, and provides incoming-only access for administration purposes only.
• Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter control allows security architects to precisely control remote users
who access specified resources. You can use a granular policy to specifically define which user can
use DirectAccess, and the location from which the user can access it. IPsec encryption is used for
protecting DirectAccess traffic so that users can ensure that their communication is safe.
• Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions,
resulting in the seamless integration of security, access, and health requirement policies between the
intranet and remote computers.
Components of DirectAccess
To deploy and configure DirectAccess, your
organization must support the following
infrastructure components:
• DirectAccess server
• DirectAccess clients
• Network location server
• Internal resources
• AD DS domain
• Group Policy
• PKI (optional for the internal network)
• Domain Name System (DNS) server
• NAP server (optional)
DirectAccess Server
The DirectAccess server can be any Windows Server 2012 server that you join to a domain, and which
accepts connections from DirectAccess clients and establishes communication with intranet resources. This
server provides authentication services for DirectAccess clients, and acts as an IPsec tunnel mode endpoint
for external traffic. The new Remote Access server role allows centralized administration, configuration,
and monitoring for both DirectAccess and VPN connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based DirectAccess
setup simplifies DirectAccess management for small and medium organizations. The wizard does this by
removing the need for full PKI deployment and removing the requirement for two consecutive public
IPv4 addresses for the physical adapter that is connected to the Internet. In Windows Server 2012, the
DirectAccess setup wizard detects the actual implementation state of the DirectAccess server, and selects
the best deployment automatically. This hides the complexity of manually configuring IPv6 transition
technologies from the administrator.
DirectAccess Clients
DirectAccess clients can be any domain-joined computer that is running Windows 8 Enterprise,
Windows 7 Enterprise, or Windows 7 Ultimate.
Note: With offline domain join (off-premise provisioning), you can join a Windows 8 Enterprise client
computer to a domain without connecting the client computer to your internal network.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, then the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or
Teredo. Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents a client computer that is using 6to4 or Teredo from connecting
to the DirectAccess server, the client computer automatically falls back to the IP-HTTPS protocol, which
tunnels IPv6 inside an HTTPS (SSL/TLS) connection on TCP port 443 and therefore passes through most firewalls
and proxies. The client receives its NRPT rules and Connection Security (IPsec tunnel) rules through Group Policy.
Network Location Server
DirectAccess clients use the network location server (NLS) to determine their location. If the client
computer can reach the NLS URL over HTTPS, it assumes it is on the intranet and disables its DirectAccess
components. If the NLS cannot be contacted, the client assumes it is on the Internet. Because the NLS is
only ever reached from inside, its name must not be resolvable from the Internet, and its HTTPS certificate
and CRL must be valid and reachable from every internal location. The NLS is installed with the Web Server role.
Note: The URL for the NLS is distributed by using GPO.
Internal Resources
You can configure any IPv6–capable application that is running on internal servers or client computers to
be available for DirectAccess clients. For older applications and servers, including those that are not based
on Windows operating systems and have no IPv6 support, Windows Server 2012 now includes native
support for protocol translation (NAT64) and name resolution (DNS64) gateway to convert IPv6
communication from DirectAccess client to IPv4 for the internal servers.
Note: As in the past, this functionality can also be achieved with Microsoft Forefront®
Unified Access Gateway. Likewise, as in past versions, these translation services do not support
sessions initiated by internal devices, only requests originating from IPv6 DirectAccess clients.
Active Directory Domain
You must deploy at least one Active Directory domain, running at a minimum Windows Server 2003
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support,
which allows client computers from different domains to access resources that may be located in different
trusted domains.
Group Policy
Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs, and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess in Windows Server
2012 enables client authentication requests to be sent over a HTTPS–based Kerberos proxy service that is
running on the DirectAccess server. This eliminates the need for establishing a second IPsec tunnel
between clients and domain controllers. The Kerberos proxy will send Kerberos requests to domain
controllers on behalf of the client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and
force tunneling, you still need to implement certificates for authentication for every client that will
participate in DirectAccess communication.
DNS Server
When using ISATAP, your DNS servers must run Windows Server 2012, Windows Server 2008 R2, or Windows
Server 2008 Service Pack 2 (SP2) or newer, or be non-Microsoft DNS servers that support DNS message
exchanges over ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess in Windows
Server 2012 provides the ability to configure NAP health check directly from the setup user interface,
instead of manually editing the GPO as is required with DirectAccess in Windows Server 2008 R2.
What Is the Name Resolution Policy Table?
To separate Internet traffic from intranet traffic
in DirectAccess, both Windows Server 2012 and
Windows 8 include the NRPT. NRPT is a feature
that allows DNS servers to be defined per DNS
namespace, rather than per interface.
The NRPT stores a list of rules. Each rule defines a
DNS namespace and configuration settings that
describe the DNS client’s behavior for that
namespace.
When a DirectAccess client is on the Internet,
each name query request is compared against the
namespace rules stored in the NRPT.
• If a match is found, the request is processed according to the settings in the NRPT rule.
• If a name query request does not match a namespace listed in the NRPT, the request is sent to the
DNS servers that are configured in the TCP/IP settings for the specified network interface.
DNS settings are configured depending on the client location:
• For a remote client computer, the DNS servers are typically the Internet DNS servers that are
configured through the ISP.
• For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers that
are configured through DHCP.
Single-label names (for example, internal in http://internal) typically have the configured DNS search
suffixes appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured, and if the single-label name does not match any other single-
label name entry in the NRPT, the request is sent to the DNS servers that are specified in the client’s
TCP/IP settings.
Namespaces—for example, internal.adatum.com—are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS
server, all DNS requests are sent directly to the DNS server over the DirectAccess connection; you need
not specify any additional security for such configurations. However, if a name is specified for the DNS
server (such as dns.adatum.com) in the NRPT, the name must be publicly resolvable when the client
queries the DNS servers specified in its TCP/IP settings.
The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources,
and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for
name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.
Some names need to be treated differently with regards to name resolution; these names should not be
resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers
specified in the client’s TCP/IP settings, you must add them as NRPT exemptions.
NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the name
resolution mechanism uses the following in order:
• The local name cache
• The hosts file
• NRPT
Then the name resolution mechanism finally sends the query to the DNS servers that are specified in the
TCP/IP settings.
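The lookup order just described, as an added PowerShell model that is not code from the handbook or from Microsoft: it takes a constructed NRPT (a DirectAccess namespace rule, an NLS exemption rule, and a broader parent rule), a constructed search-suffix list, and a handful of constructed query names, and reports which DNS servers each query would be sent to. The adatum.com names, the IPv6 DNS server address, and the suffix list are assumptions for this page.

```powershell
# Added example, not code from the handbook: a model of the NRPT decision the
# DirectAccess DNS client makes for each query, after the local cache and the
# hosts file have been checked. All rules, suffixes and names are constructed.

# Leading-dot namespaces match any name under that suffix; a rule with no
# DirectAccess DNS servers is an exemption (the name goes to interface DNS).
$NrptRules = @(
    @{ Namespace = '.corp.adatum.com';    DnsServers = @('2001:db8:1::10') }
    @{ Namespace = 'nls.corp.adatum.com'; DnsServers = @() }                 # NLS exemption
    @{ Namespace = '.adatum.com';         DnsServers = @('2001:db8:1::10') }
)
$SearchSuffixes = @('corp.adatum.com')

function Resolve-NrptTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [array]    $Rules    = $NrptRules,
        [string[]] $Suffixes = $SearchSuffixes
    )
    $query = $Name.ToLowerInvariant().TrimEnd('.')

    # Single-label names have the search suffixes appended before the NRPT is
    # consulted; with no suffixes configured the bare label is checked as-is.
    if ($query -notmatch '\.' -and $Suffixes.Count -gt 0) {
        $candidates = foreach ($s in $Suffixes) { '{0}.{1}' -f $query, $s.ToLowerInvariant().TrimEnd('.') }
    } else {
        $candidates = @($query)
    }

    foreach ($fqdn in $candidates) {
        # Of all matching rules, the most specific (longest namespace) wins.
        $match = @($Rules | Where-Object {
                $ns = $_.Namespace.ToLowerInvariant()
                if ($ns.StartsWith('.')) { $fqdn.EndsWith($ns) } else { $fqdn -eq $ns }
            } | Sort-Object { $_.Namespace.Length } -Descending)[0]
        if ($null -eq $match) { continue }

        if ($match.DnsServers.Count -eq 0) {
            return [pscustomobject]@{ Query = $fqdn; Rule = $match.Namespace
                                      Target = 'interface DNS'; Why = 'NRPT exemption' }
        }
        return [pscustomobject]@{ Query = $fqdn; Rule = $match.Namespace
                                  Target = ($match.DnsServers -join ', ')
                                  Why = 'NRPT rule, sent through the DirectAccess tunnel' }
    }
    # Nothing matched: the DNS servers from the interface's TCP/IP settings handle it.
    [pscustomobject]@{ Query = $candidates[0]; Rule = '-'; Target = 'interface DNS'; Why = 'no NRPT match' }
}

# Constructed queries: an intranet host, the NLS, an Internet host and a single label.
'intranet.corp.adatum.com', 'nls.corp.adatum.com', 'www.microsoft.com', 'internal' |
    ForEach-Object { Resolve-NrptTarget -Name $_ } | Format-Table -AutoSize
```

Run as written, the intranet host and the single label (expanded to internal.corp.adatum.com) are routed to the intranet DNS server through the tunnel, the NLS name hits its exemption and goes to interface DNS, and the Internet host matches nothing. On a real DirectAccess client the same table is delivered by the client GPO; Get-DnsClientNrptPolicy shows the rules the client actually holds, which is the first thing to compare against this model when a name resolves on the wrong side.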
How DirectAccess Works for Internal Clients
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access the
NLS URL to determine whether they are located on the intranet or on a public network. The DirectAccess
server can also be the NLS. In organizations where DirectAccess is a business-critical service, the NLS
should be highly available. Generally, the web server on the NLS does not have to be dedicated to just
supporting DirectAccess clients.
It is critical that the NLS be available from each company location, because the behavior of the
DirectAccess client depends on the response from the NLS. Branch locations may require a separate NLS
at each branch location to ensure that the NLS remains accessible even when there is a link failure
between branches.
How DirectAccess Works for Internal Clients
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the Fully Qualified Domain Name (FQDN) of the NLS URL.
Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess
client instead sends the DNS query to a locally configured (intranet-based) DNS server. The intranet-
based DNS server resolves the name.
2. The DirectAccess client accesses the HTTPS-based URL of the NLS, during which process it obtains the
certificate of the NLS.
3. Based on the CRL distribution points field of the NLS certificate, the DirectAccess client checks the
CRL revocation files in the CRL distribution point to determine if the NLS certificate has been revoked.
4. Based on an HTTP 200 response code, the DirectAccess client determines that the NLS URL was reached
successfully (the connection succeeded, the certificate was validated, and the revocation check passed).
The DirectAccess client switches to the domain firewall profile, ignores the DirectAccess policies, and
assumes it is on the internal network until the next network change happens.
5. The DirectAccess client computer attempts to locate and sign in to the AD DS domain by using its
computer account.
Because the client no longer references any DirectAccess rules in the NRPT for the rest of the
connected session, all DNS queries are sent through interface-configured (intranet-based) DNS
servers. With the combination of network location detection and computer domain logon, the
DirectAccess client configures itself for normal intranet access.
6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network.
By design, the DirectAccess Connection Security tunnel rules are scoped to the public and private firewall
profiles, so while the domain profile is active they are excluded from the list of active connection security rules.
The DirectAccess client has successfully determined that it is connected to its intranet, and does not use
DirectAccess settings (NRPT rules or Connection Security tunnel rules). The DirectAccess client can now
access intranet resources normally. It can also access Internet resources through normal means, such as a
proxy server.
How DirectAccess Works for External Clients
When a DirectAccess client starts, the DirectAccess
client tries to reach the URL address specified for
NLS, and assumes that it is not connected to the
intranet because it cannot communicate with NLS.
Instead, the DirectAccess client starts to use NRPT
and connection security rules. The NRPT has
DirectAccess–based rules for name resolution, and
connection security rules define DirectAccess
IPsec tunnels for communication with intranet
resources. Internet-connected DirectAccess clients
use the following high-level steps to connect to
intranet resources:
• The DirectAccess client first attempts to access the NLS.
• Then, the client attempts to locate a domain controller.
• Finally, the client attempts to access intranet resources, and then Internet resources.
DirectAccess Client Attempts to Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:
1. The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS URL corresponds
to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to the locally configured
(Internet-based) DNS server rather than to an intranet DNS server. An Internet-based DNS server cannot
resolve the name, because the NLS name is not published in Internet DNS.
2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT, and the NLS probe fails.
3. Because the NLS is not found on the network on which the DirectAccess client is currently located,
the DirectAccess client applies a public or private firewall network profile to the attached network.
4. The Connection Security tunnel rules for DirectAccess are scoped to the public and private profiles,
so they become active together with that profile, and the DirectAccess NRPT rules are enforced.
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.
DirectAccess Client Attempts to Locate a Domain Controller
After determining its network location, the DirectAccess client attempts to locate and sign in to a domain
controller. This process creates the first IPsec tunnel, the infrastructure tunnel, to the DirectAccess
server by using IPsec tunnel mode and ESP. The process is as follows:
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
query that is addressed to the IPv6 address of the intranet DNS server, and then forwards it to the
DirectAccess client's TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule
that corresponds with the infrastructure tunnel, the DirectAccess client uses Authenticated IP (AuthIP)
and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. For this
tunnel the DirectAccess client authenticates the computer, not the user: with its installed computer
certificate and the computer account's Microsoft Windows NT® LAN Manager (NTLM) credentials. This is
why the infrastructure tunnel can be established before any user logs on.
Note: AuthIP enhances authentication in IPsec by adding support for user-based
authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol
negotiation and usage of multiple sets of credentials for authentication.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server, and then back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
DirectAccess Client Attempts to Access Intranet Resources
The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of
destinations for the infrastructure tunnel (such as an internal website), the following process occurs:
1. The application or process that attempts to communicate constructs a message or payload, and then
hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
DirectAccess Client Attempts To Access Internet Resources
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet web server), the following process occurs:
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There are
no matches. The DNS client service constructs the DNS name query that is addressed to the IP
address of an interface-configured Internet DNS server, and hands it off to the TCP/IP stack for
sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6. Because the destination IP address of the packet does not match the connection security rules for
the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
tunnel or the intranet tunnel connection security rules is sent and received normally, outside IPsec.
Locating the domain controller and accessing intranet resources are very similar processes, because both
use the NRPT to select the intranet DNS server that resolves the name. The difference is the IPsec tunnel
that is established between the client and the DirectAccess server: DNS queries and domain logon traffic
use the infrastructure tunnel, which is authenticated with the computer certificate and the computer account,
whereas access to other intranet resources uses a second (intranet) tunnel, which additionally requires the
user's Kerberos credentials.
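Both the internal-client and the external-client walkthroughs above turn on a single test: can the client reach the NLS URL over HTTPS with a valid, unrevoked certificate and get an HTTP 200 back? The following added PowerShell (not code from the handbook or from Microsoft) repeats that probe from a Windows 8 DirectAccess client and then lists what the client itself concluded, so the two can be compared from inside the intranet and from the Internet. The NLS URL is an assumption for this page; the cmdlets are the DirectAccess client, DNS client, NetSecurity and NetworkTransition cmdlets that ship with Windows 8.

```powershell
# Added example, not code from the handbook: (1) repeat the network location
# test a DirectAccess client performs against the NLS, (2) show what the client
# itself concluded. Run on a Windows 8 DirectAccess client, once inside and once
# on the Internet. The NLS URL is an assumption for this page.
$NlsUrl = 'https://nls.corp.adatum.com/'

function Test-NetworkLocation {
    param([string] $Url = $NlsUrl)

    # Mirror the client's checks: the NLS name must resolve (through interface
    # DNS, because it is an NRPT exemption), the HTTPS certificate must chain
    # and pass revocation checking, and the response must be HTTP 200.
    # Anything else means 'Internet', which is the client's default as well.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
    $fqdn   = ([uri]$Url).Host
    $result = [ordered]@{ NlsFqdn = $fqdn; Resolved = $false; StatusCode = $null
                          Error = $null; Location = 'Internet' }
    try {
        # -DnsOnly skips the local cache and hosts file so a stale entry cannot mask a DNS problem.
        $null = Resolve-DnsName -Name $fqdn -DnsOnly -ErrorAction Stop
        $result.Resolved = $true
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $result.StatusCode = [int]$resp.StatusCode
        if ($result.StatusCode -eq 200) { $result.Location = 'Intranet' }
    } catch {
        # Name not resolvable, TCP/TLS failure, untrusted or revoked certificate,
        # unreachable CRL, or a non-2xx status all land here: Location stays 'Internet'.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

Test-NetworkLocation | Format-List

# What the client decided: ConnectedLocally inside, ConnectedRemotely outside.
Get-DAConnectionStatus

# Firewall profile: DomainAuthenticated inside; Public or Private outside (tunnel rules live there).
Get-NetConnectionProfile | Select-Object Name, NetworkCategory

# GPO-delivered NRPT rules; an empty DirectAccessDnsServers list is an exemption (the NLS entry).
Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers

# Remote only: one main-mode SA per tunnel. FirstId is the computer certificate; SecondId is
# the computer account (infrastructure tunnel) or the user's Kerberos identity (intranet tunnel).
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, *FirstId, *SecondId

# Transition technology in use when 6to4 and Teredo are blocked by a firewall or proxy.
Get-NetIPHttpsState
```

If Test-NetworkLocation reports Internet while the machine is physically on the LAN, the Error field says why (typically a DNS failure, an expired NLS certificate, or a CRL distribution point that is not reachable from that site), and every domain client at that site will be applying DirectAccess rules it should not be applying. That is the failure mode the text warns about when it asks for an NLS that is reachable from every location.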
Prerequisites for Implementing DirectAccess
Requirements for DirectAccess Server
To deploy DirectAccess, you need to ensure that
your server meets the following hardware and
network requirements:
• The server must be joined to an AD DS domain.
• The server must have the Windows Server 2012 or Windows Server 2008 R2 operating system installed.
• The Windows Server 2012 computer that will be
installed as the DirectAccess server can have a single network adapter installed, which is connected to
the intranet and published over Microsoft Forefront Threat Management Gateway (TMG) 2010 or
Microsoft Forefront Unified Access Gateway (UAG) 2010 for Internet connection. In the deployment
scenario where DirectAccess is installed on an Edge server, it needs to have two network adapters:
one that is connected to the internal network, and one that is connected to the external network. An
edge server is any server that resides on the edge between two or more networks, typically a private
network and Internet.
• Implementation of DirectAccess in Windows Server 2012 does not require two consecutive static,
public IPv4 addresses be assigned to the network adapter.
• You can avoid the need for an additional public address by deploying Windows Server 2012
DirectAccess behind a NAT device, with support for a single interface or multiple interfaces. In this
configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be
established over an HTTPS connection.
• On the DirectAccess server, you can install the Remote Access role to configure DirectAccess settings
for the DirectAccess server and clients, and to monitor the status of the DirectAccess server. The
Remote Access Wizard provides you with the option to configure only DirectAccess, only VPN, or
both scenarios on the same server that is running Windows Server 2012. This was not possible in
Windows Server 2008 R2 deployment of DirectAccess.
• For load balancing support, Windows Server 2012 can use NLB (up to 8 nodes) to achieve high availability and scalability for both DirectAccess and RAS.
Requirements for DirectAccess Client
To deploy DirectAccess, you also need to ensure that the client computer meets certain requirements:
• The client computer should be joined to an Active Directory domain.
• With the new 2012 DirectAccess scenario you can offline provision Windows 8 client computers for
domain membership without requiring the computer to be on premises.
• The client computer can run Windows 8 Enterprise, Windows 7 Enterprise, Windows 7
Ultimate, Windows Server 2012, or Windows Server 2008 R2. You cannot deploy DirectAccess on
clients running Windows Vista, Windows Server 2008, or other older versions of the Windows
operating systems.
Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:
• AD DS. You must deploy at least one Active Directory domain. Workgroups are not supported.
• Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess
client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess
clients, DirectAccess servers, and management servers.
• DNS and domain controller. You must have at least one domain controller and at least one DNS
server running Windows Server 2012, Windows Server 2008 SP2, or Windows Server 2008 R2.
• PKI. If you have only Windows 8 client computers, you do not need a PKI for basic connectivity, because
the Kerberos proxy on the DirectAccess server handles authentication; NAP integration, two-factor
authentication, and force tunneling still require computer certificates. Windows 7 client computers
require a more complex setup and therefore require a PKI.
• IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as part of
Windows Firewall with Advanced Security.
• ICMPv6 Echo Request traffic. You must create separate inbound and outbound rules that allow
ICMPv6 Echo Request messages. The inbound rule is required to allow ICMPv6 Echo Request
messages, and must be scoped to all profiles. The outbound rule to allow ICMPv6 Echo Request
messages must be scoped to all profiles, and is only required if the Outbound block is turned on.
DirectAccess clients that use Teredo for IPv6 connectivity to the intranet use the ICMPv6 message
when establishing communication.
• IPv6 and transition technologies. IPv6 and the transition technologies must be available for use on the
DirectAccess server. For each DNS server that is running Windows Server 2008 or Windows Server
2008 R2, you need to remove the ISATAP name from the global query block list.
Configuring DirectAccess
To configure DirectAccess, perform the
following steps:
1. Configure AD DS and DNS requirements:
o Create a security group in AD DS, and add all client computer accounts that will be accessing the
intranet through DirectAccess.
o Configure both internal and external DNS servers with appropriate host names and IP addresses.
2. Configure the PKI environment:
o Add and configure the Certificate Authority server role, create the certificate template and CRL
distribution point, publish the CRL list, and distribute the computer certificates. This is not needed
if you launch the setup from the Getting Started Wizard.
3. Configure the DirectAccess server:
o Install Windows Server 2012 on a server computer with one or two physical network adapters
(depending on the DirectAccess design scenario).
o Join the DirectAccess server to an Active Directory domain.
o Install the Remote Access role, and configure the DirectAccess server so that it is one of the
following:
 The DirectAccess server is on the perimeter network with one network adapter that is connected
to the perimeter network, and at least one other network adapter that is connected to the intranet.
In this deployment scenario, the DirectAccess server is placed between a front-end firewall and a
back-end firewall.
 The DirectAccess server is published by using TMG, UAG, or other third-party firewalls. In this
deployment scenario, DirectAccess is placed behind a front-end firewall and it has one network
adapter connected to the internal network.
 The DirectAccess server is installed on an edge server (typically the front-end firewall) with one
network adapter that is connected to the Internet, and at least one other network adapter that is
connected to the intranet.
An alternative design is that the DirectAccess server has only one network interface, not two. For this
design, perform the following steps:
o Verify that the ports and protocols that are needed for DirectAccess and ICMP Echo Request are
enabled in the firewall exceptions and opened on the perimeter and Internet-facing firewalls.
o The DirectAccess server in a simplified implementation can use a single public IP address in
combination with the Kerberos proxy service for client authentication against domain controllers.
For two-factor authentication and integration with NAP, you need to configure at least two
consecutive public, static IPv4 addresses that are externally resolvable through DNS (Teredo requires
the consecutive pair). Ensure that you have an IPv4 address available, and that you have the ability
to publish that address in your externally-facing DNS server.
o If you have disabled IPv6 on clients and servers, you must re-enable IPv6, because it is required
for DirectAccess.
o Install a web server (the network location server) on the DirectAccess server to enable DirectAccess
clients to determine whether they are inside or outside the intranet. You can instead install this web
server on a separate internal server for determining the network location.
o Based on the deployment scenario, you need to designate one of the server network adapters as
the Internet-facing interface (in deployment with two network adapters), or publish the
DirectAccess server that is deployed behind NAT, for Internet access.
o On the DirectAccess server, ensure that the Internet-facing interface is configured to be either a
Public or a Private interface, depending on your network design. Configure the intranet interfaces
as domain interfaces. If you have more than two interfaces, ensure that no more than two
classification types are selected.
4. Configure the DirectAccess clients, and test intranet and Internet access:
o Verify that DirectAccess group policy has been applied, and certificates have been distributed to
client computers.
o Test whether you can connect to the DirectAccess server from an intranet.
o Test whether you can connect to the DirectAccess server from the Internet.
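The four configuration steps above, as an added PowerShell procedure that is not the handbook's lab or Microsoft's own script, run as a domain administrator on the Windows Server 2012 DirectAccess server in the edge (two-adapter) design. Everything named is an assumption for this page: the adatum.com domain and OU, the DA_Clients group and the LON-CL1 computer, the interface names Internet and Corpnet, the public name da.adatum.com, and the NLS URL. Cmdlet and parameter names are those of the Windows Server 2012 ActiveDirectory, NetSecurity and RemoteAccess modules as documented; confirm them with Get-Help on your build before running.

```powershell
# Added example, not the handbook's lab steps. Names are assumptions for this page.

# Step 1a. AD DS: the security group that scopes the DirectAccess client GPO.
Import-Module ActiveDirectory
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
            -Path 'OU=DirectAccess,DC=adatum,DC=com'
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-CL1')

# Step 1b. DNS: on each Windows Server 2008 / 2008 R2 DNS server, drop 'isatap' from
# the global query block list (keep 'wpad') so the ISATAP router name resolves.
dnscmd /config /globalqueryblocklist wpad

# Step 2. PKI is skipped for Windows 8 clients (Kerberos proxy); see the optional
# Set-DAServer step below for the cases that do require computer certificates.

# Step 3a. ICMPv6 Echo Request in and out, scoped to all profiles (Teredo depends on it).
New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (in)' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 8 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (out)' `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 8 -Action Allow -Profile Any

# Step 3b. Remote Access role and a full DirectAccess deployment. -NlsUrl points at a
# separate internal web server. For a single adapter behind NAT, use -DeployNat
# instead of -InternetInterface; only IP-HTTPS is configured in that case.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.adatum.com' `
    -InternetInterface 'Internet' -InternalInterface 'Corpnet' `
    -NlsUrl 'https://nls.corp.adatum.com/' `
    -ClientGpoName 'adatum.com\DirectAccess Client Settings' `
    -ServerGpoName 'adatum.com\DirectAccess Server Settings' -Force

# Step 3c. Scope the client GPO to the group. OnlyRemoteComputers Disabled lets desktops
# on the intranet receive the policy as well; the NLS keeps it inactive there.
Add-DAClient -SecurityGroupNameList 'adatum.com\DA_Clients'
Set-DAClient -OnlyRemoteComputers Disabled -ForceTunnel Disabled

# Optional: computer-certificate authentication, required for NAP integration,
# two-factor authentication, force tunneling and Windows 7 clients.
# $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*Adatum Root CA*' }
# Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate $root -HealthCheck Enabled

# Step 4. Validate on the server. Then, on LON-CL1, run gpupdate /force and
# Get-DAConnectionStatus once on the intranet and once from the Internet.
Get-RemoteAccess | Select-Object DAStatus, DAInstallType, ConnectToAddress, InternetInterface, InternalInterface
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' }
```

Two choices in this script matter for security rather than convenience. The client GPO is filtered to the DA_Clients group rather than applied to every domain computer, so only machines you intend to manage out carry IPsec tunnel rules and NRPT entries; and the NLS is a separate internal server named in -NlsUrl, so an outage of the DirectAccess server itself does not make every on-premises client believe it is on the Internet.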
Lab B: Configuring DirectAccess
Scenario
Because A. Datum Corporation has expanded, many of the employees are now frequently out of the
office, either working from home or traveling. A. Datum wants to implement a remote access solution
for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution that you implemented provides a high level of security, business management
is concerned about the complexity of the environment for end users. In addition, IT management is
concerned that they are not able to manage the remote clients effectively. To address these issues, A.
Datum has decided to implement DirectAccess on client computers that are running Windows 8.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment.
You will configure the DirectAccess environment, and validate that the client computers can connect to
the internal network when operating remotely.
Objectives
After completing this lab, you will be able to:
• Configure the server infrastructure to deploy DirectAccess.
• Configure the DirectAccess clients.
• Validate the DirectAccess implementation.
Lab Setup
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-RTR, 20411B-LON-CL1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-SVR1 and 20411B-LON-RTR.
6. Do not start 20411B-LON-CL1 until directed to do so.
Exercise 1: Configuring the DirectAccess Infrastructure
Scenario
You decided to implement DirectAccess as a solution for remote client computers that are not able to
connect through VPN. In addition, you want to address management problems, such as GPO application
for remote client computers. For this purpose, you will configure the prerequisite components of
DirectAccess, and configure the DirectAccess server.
The main tasks for this exercise are as follows:
1. Configure Active Directory Domain Services (AD DS) and Domain Name System (DNS).
2. Configure certificates.
3. Configure internal resources.
4. Configure the DirectAccess server.
Task 1: Configure Active Directory Domain Services (AD DS) and Domain Name System (DNS)
1. Create a security group for DirectAccess client computers by performing the following steps:
a. Switch to LON-DC1.
b. Open the Active Directory Users and Computers console, and create an Organizational Unit
(OU) named DA_Clients OU.
c. Within that OU, create a Global Security group named DA_Clients.
d. Modify the membership of the DA_Clients group to include LON-CL1.
e. Close Active Directory Users and Computers.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
a. Open the Group Policy Management Console, and then open Default Domain Policy.
b. In the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
\Windows Firewall with Advanced Security.
c. Create a new inbound rule with the following settings:
Rule Type: Custom
Protocol type: ICMPv6
Specific ICMP types: Echo Request
Name: Inbound ICMPv6 Echo Requests
d. Create a new outbound rule with the following settings:
Rule Type: Custom
Protocol type: ICMPv6
Specific ICMP types: Echo Request
Action: Allow the connection
Name: Outbound ICMPv6 Echo Requests
e. Close both the Group Policy Management Editor and the Group Policy Management Console.
3. Create required DNS records by performing the following steps:
a. Open the DNS Manager console, and then create new host records with the following settings:
Name: nls
IP Address: 172.16.0.21
Name: crl
IP Address: 172.16.0.1
b. Close the DNS Manager console.
4. Remove ISATAP from the DNS global query block list by performing the following steps:
a. Open a command prompt window, type the following command, and then press Enter:
dnscmd /config /globalqueryblocklist wpad
b. Ensure that the Command completed successfully message displays.
c. Close the command prompt window.
5. Switch to LON-RTR and configure the DNS suffix by performing the following steps:
a. In the Local Area Connection Properties dialog box, in the Internet Protocol Version 4
(TCP/IPv4) dialog box, add the Adatum.com DNS suffix.
b. Close the Local Area Connection Properties dialog box.
6. Configure the Local Area Connection 2 properties as follows:
a. Change the Local Area Connection 2\Internet Protocol Version 4 (TCP/IPv4) configuration
using the following configuration settings:
IP address: 131.107.0.2
Subnet mask: 255.255.0.0
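The LON-DC1 part of Task 1 (OU, security group, ICMPv6 GPO rules, DNS host records, and the query block list) can also be scripted. The following Windows PowerShell script is an added example and is not part of the course lab; it assumes the lab's Adatum.com domain and names, that it runs on LON-DC1 as Adatum\Administrator, and that the ActiveDirectory, DnsServer and NetSecurity modules are present (they are on a Windows Server 2012 domain controller with the DNS role). The verification function at the end reports whether each prerequisite the lab relies on is actually in place.

```powershell
# Added example (not part of the course lab): scripted version of Exercise 1, Task 1, steps 1-4.
# Assumes the Adatum.com lab domain, the names and addresses given in the lab steps, and that
# it runs on LON-DC1 (domain controller and DNS server) as Adatum\Administrator.
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module NetSecurity

$domainDn = 'DC=Adatum,DC=com'
$ouName   = 'DA_Clients OU'
$ouDn     = "OU=$ouName,$domainDn"
$gpo      = 'Adatum.com\Default Domain Policy'   # PolicyStore format: 'domain\GPO display name'

# Step 1: OU, global security group, and LON-CL1 as a member.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
if (-not (Get-ADGroup -Filter "Name -eq 'DA_Clients'")) {
    New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-CL1')

# Step 2: ICMPv6 Echo Request (type 8) rules written into the Default Domain Policy GPO.
# Writing to a GPO PolicyStore changes the domain policy, not the local firewall of LON-DC1.
New-NetFirewallRule -PolicyStore $gpo -DisplayName 'Inbound ICMPv6 Echo Requests' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 8 -Action Allow
New-NetFirewallRule -PolicyStore $gpo -DisplayName 'Outbound ICMPv6 Echo Requests' `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 8 -Action Allow

# Step 3: host records for the network location server and the CRL distribution point.
Add-DnsServerResourceRecordA -ZoneName 'Adatum.com' -Name 'nls' -IPv4Address '172.16.0.21'
Add-DnsServerResourceRecordA -ZoneName 'Adatum.com' -Name 'crl' -IPv4Address '172.16.0.1'

# Step 4: the lab's own command; it replaces the block list with only 'wpad', so 'isatap'
# is no longer blocked and the ISATAP router name can be resolved.
dnscmd /config /globalqueryblocklist wpad

# Verification: one object whose properties should all be True (and the rule count 2).
function Test-DAPrerequisites {
    $member = Get-ADGroupMember -Identity 'DA_Clients' | Where-Object { $_.name -eq 'LON-CL1' }
    $nls    = Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -Name 'nls' -RRType A -ErrorAction SilentlyContinue
    $crl    = Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -Name 'crl' -RRType A -ErrorAction SilentlyContinue
    $block  = (Get-DnsServerGlobalQueryBlockList).List
    $rules  = @(Get-NetFirewallRule -PolicyStore $gpo -DisplayName '*ICMPv6 Echo Requests' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        'DA_Clients contains LON-CL1' = [bool]$member
        'nls A record present'        = [bool]$nls
        'crl A record present'        = [bool]$crl
        'isatap not blocked'          = -not ($block -contains 'isatap')
        'GPO ICMPv6 rule count'       = $rules.Count
    }
}
Test-DAPrerequisites
```

Because the firewall rules are written into the Default Domain Policy, they reach every domain-joined computer once Group Policy refreshes, which is why the later tasks run gpupdate /force on LON-SVR1, LON-RTR and LON-CL1 before checking certificates and connectivity.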
Task 2: Configure certificates
1. Configure the CRL distribution settings by performing the following steps:
a. Switch to LON-DC1, and open the Certification Authority console.
b. Configure Adatum-LON-DC1-CA certification authority with the following extension settings:
Add Location: http://crl.adatum.com/crld/
Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
Location: .crl
Select the following:
Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates
Do not restart Certificate Services.
Add Location: \\LON-RTR\crldist$\
Variable: CaName, CRLNameSuffix, DeltaCRLAllowed
Location: .crl
Select the following:
Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates
c. Restart Certificate Services.
d. Close the Certificate Authority console.
2. Duplicate the web certificate template and configure appropriate permissions by performing the
following steps:
a. In the Certificate Templates console, in the contents pane, duplicate the Web Server template by
using the following options:
Template display name: Adatum Web Server Certificate
Request Handling: Allow private key to be exported
Authenticated Users permissions: under Allow, click Enroll
b. Close the Certificate Templates console.
c. In the Certification Authority console, choose to issue a New Certificate Template and select the
Adatum Web Server Certificate template.
d. Restart the Certification Authority.
e. Close the Certification Authority console.
3. Configure computer certificate auto-enrollment by performing the following steps:
a. On LON-DC1, open the Group Policy Management Console.
b. In the Group Policy Management Console, navigate to Forest: Adatum.com
\Domains\Adatum.com.
c. Edit the Default Domain Policy.
d. In the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Public Key Policies.
e. Under Automatic Certificate Request Settings, configure Automatic Certificate Request to
issue the Computer certificate.
f. Close both the Group Policy Management Editor and the Group Policy Management Console.
Task 3: Configure internal resources
1. Request a certificate for LON-SVR1 by performing the following steps:
a. On LON-SVR1, open a command prompt, type the following command, and then press Enter:
gpupdate /force
b. At the command prompt, type the following command, and then press Enter:
mmc
2. Add the Certificates snap-in for Local computer.
3. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates, and request a new certificate.
4. Under Request Certificates, select Adatum Web Server Certificate with the following setting:
o Subject name: Under Common name, type nls.adatum.com
5. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
7. To change the HTTPS bindings, perform the following steps:
a. Open Internet Information Services (IIS) Manager.
b. In the Internet Information Services (IIS) Manager console, navigate to and click Default Web
site.
c. Configure Site Bindings by selecting nls.adatum.com for SSL Certificate.
d. Close the Internet Information Services (IIS) Manager console.
Task 4: Configure the DirectAccess server
1. Obtain required certificates for LON-RTR by performing the following steps:
a. Switch to LON-RTR.
b. Open a command prompt, and refresh group policy by typing the following command:
gpupdate /force
c. Open the Microsoft Management Console by typing mmc at a command prompt.
d. Add the Certificates snap-in for Local computer.
e. In the Certificates snap-in, in the Microsoft Management Console, request a new certificate with
the following settings:
Certificate template: Adatum Web Server Certificate
Common name: 131.107.0.2
Friendly name: IP-HTTPS Certificate
f. Close the Microsoft Management Console.
2. Create a CRL distribution point on LON-RTR by performing the following steps:
a. Switch to Server Manager.
b. In Internet Information Services (IIS) Manager, create a new virtual directory named CRLD, and
assign c:\crldist as its home directory.
c. Enable directory browsing and the allow double escaping feature.
3. Share and secure the CRL distribution point by performing the following step:
Note: You perform this step to assign permissions to the CRL distribution point.
o In the details pane of Windows Explorer, right-click the CRLDist folder, click Properties, and then
grant Full Control Share and NTFS permissions.
4. Publish the CRL to LON-RTR by performing the following steps:
Note: This step makes the CRL available on the edge server for Internet-based DirectAccess
clients.
a. Switch to LON-DC1.
b. Start the Certification Authority console.
c. In the console tree, open Adatum-LON-DC1-CA, right-click Revoked Certificates, point to All
Tasks, and then click Publish.
5. Complete the DirectAccess Setup Wizard on LON-RTR by performing the following steps:
a. On LON-RTR, open Server Manager.
b. In Server Manager, in Tools, select Routing and Remote Access.
c. In Routing and Remote Access, disable the existing configuration, and close the console.
d. In the Server Manager console, start the Remote Management console, click Configuration, and
start the Enable DirectAccess Wizard.
Note: If you get an error at this point, restart LON-RTR, sign in as Adatum\administrator,
and then restart from step c.
e. Complete the wizard with the following settings:
Network Topology: Edge is selected
131.107.0.2 is used by clients to connect to the Remote Access server.
f. In the Remote Access Management console, under Step 1, click Edit.
g. Add the DA_Clients group.
h. Clear the Enable DirectAccess for mobile computers only check box.
i. Remove the Domain Computers group.
j. In the Remote Access Management console details pane, under Step 2, click Edit.
k. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
l. On the Network Adapters page, verify that CN=131.107.0.2 is used as a certificate to
authenticate IP-HTTPS connection.
m. On the Authentication page, click Use computer certificates, click Browse, and then click
Adatum Lon-Dc1 CA.
n. On the VPN Configuration page, click Finish.
o. In the details pane of the Remote Access Management console, under Step 3, click Edit.
p. On the Network Location Server page, click The network location server is deployed on a
remote web server (recommended), and in the URL of the NLS, type https://nls.adatum.com,
and then click Validate.
q. Ensure that the URL is validated.
r. On the DNS page, examine the values, and then click Next.
s. In the DNS Suffix Search List, click Next.
t. On the Management page, click Finish.
u. In the Remote Access Management console details pane, review the setting for Step 4.
v. In Remote Access Review, click Apply.
w. Under Applying Remote Access Setup Wizard Settings, click Close.
6. Update Group Policy settings on LON-RTR by performing the following step:
o Open the command prompt, and type the following commands, pressing Enter after each line:
gpupdate /force
Ipconfig
Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface
starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
Exercise 2: Configuring the DirectAccess Clients
Scenario
After you configured the DirectAccess server and the required infrastructure, you must configure
DirectAccess clients. You decide to use Group Policy to apply DirectAccess settings to the clients and for
certificate distribution.
The main tasks for this exercise are as follows:
1. Configure DirectAccess Group Policy settings.
2. Verify client computer certificate distribution.
3. Verify internal connectivity to resources.
Task 1: Configure DirectAccess Group Policy settings
1. Start LON-CL1, and then sign in as Adatum\Administrator with the password of Pa$$w0rd. Open a
command prompt window, and then type the following commands, pressing Enter at the end of each
line:
gpupdate /force
gpresult /R
2. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for
the Computer Settings.
Task 2: Verify client computer certificate distribution
1. On LON-CL1, open the Certificates MMC.
2. Verify that a certificate with the name LON-CL1.adatum.com displays with Intended Purposes of
Client Authentication and Server Authentication.
3. Close the console window without saving it.
Task 3: Verify internal connectivity to resources
1. On LON-CL1, open Windows Internet Explorer® from the Desktop, and in the address bar, type
http://lon-svr1.adatum.com/. The default IIS 8 web page for LON-SVR1 displays.
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1
displays.
3. Open a Windows Explorer window, in the address bar, type \\Lon-SVR1\Files, and then press Enter.
A window with the contents of the Files shared folder will display.
4. Close all open windows.
Results: After completing this exercise, you will have configured the DirectAccess clients.
Exercise 3: Verifying the DirectAccess Configuration
Scenario
When client configuration is completed, it is important to verify that DirectAccess works. You do this by
moving the DirectAccess client to the Internet, and trying to access internal resources.
The main tasks for this exercise are as follows:
1. Move the client computer to the Internet virtual network.
2. Verify connectivity to the DirectAccess server.
3. Verify connectivity to the internal network resources.
4. Prepare for the next module.
Task 1: Move the client computer to the Internet virtual network
1. Switch to LON-CL1.
2. Change the network adapter configuration to the following settings:
o IP address: 131.107.0.10
o Subnet mask: 255.255.0.0
o Default gateway: 131.107.0.2
3. Disable and then re-enable the Local Area Network network adapter.
4. Close the Network Connections window.
5. On your host, in Hyper-V Manager, right-click 20411B-LON-CL1, and then click Settings. Change
the Legacy Network Adapter to be on the Private Network 2 network, and then click OK.
Task 2: Verify connectivity to the DirectAccess server
1. On LON-CL1, open a command prompt, and type the following command:
ipconfig
2. Notice that the returned IP address starts with 2002. This is the IP-HTTPS address.
3. At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
4. At the command prompt, type the following command, and then press Enter:
powershell
5. At the Windows PowerShell® command-line interface, type the following command, and then press
Enter:
Get-DAClientExperienceConfiguration
Note: Notice the DirectAccess client settings.
Task 3: Verify connectivity to the internal network resources
1. Switch to Internet Explorer, and go to http://lon-svr1.adatum.com/. You should see the default IIS
8 web page for LON-SVR1.
2. Open Windows Explorer, in the address bar, type \\LON-SVR1\Files, and then press Enter.
3. A folder window with the contents of the Files shared folder should display.
4. At a command prompt, type the following command, and then press Enter:
ping lon-dc1.adatum.com
5. Verify that you are receiving replies from lon-dc1.adatum.com.
6. At the command prompt, type the following command, and then press Enter:
gpupdate /force
7. Close all open windows.
8. Switch to LON-RTR.
9. Start the Remote Access Management console, and review the information on Remote Client
Status.
Note: Notice that LON-CL1 is connected via IP-HTTPS. In the Connection Details pane, in
the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
10. Close all open windows.
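The checks in Tasks 2 and 3 of this exercise (the 2002: IP-HTTPS address, the effective name resolution policy, the DirectAccess client settings, and name resolution plus ping for intranet hosts) can be gathered in one pass from the client. The script below is an added example and is not part of the course lab; it assumes it runs on LON-CL1 after Task 1 has moved it to the Internet network, that the Windows 8 client modules NetworkTransition, DirectAccessClientComponents and DnsClient are available, and the lab host names lon-dc1.adatum.com and lon-svr1.adatum.com. It goes slightly beyond the lab by checking every host in the list rather than a single ping.

```powershell
# Added example (not part of the course lab): client-side DirectAccess verification for Exercise 3.
# Assumes LON-CL1 (Windows 8) already moved to the 131.107.0.0/16 "Internet" network, and the
# lab names lon-dc1.adatum.com and lon-svr1.adatum.com as intranet hosts.
function Test-DAClientConnectivity {
    param(
        [string[]]$IntranetHosts = @('lon-dc1.adatum.com', 'lon-svr1.adatum.com')
    )
    $result = [ordered]@{}

    # 1. Task 2, steps 1-2: the IP-HTTPS tunnel adapter should hold an address starting with 2002.
    $ipHttps = Get-NetIPAddress -InterfaceAlias 'iphttps*' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress -like '2002:*' }
    $result['IPHTTPSAddress'] = if ($ipHttps) { ($ipHttps.IPAddress -join ', ') } else { '<none>' }

    # 2. Transport and overall client state as the Windows 8 DirectAccess client reports them.
    $result['IPHTTPSLastError'] = (Get-NetIPHttpsState).LastErrorCode
    $result['DAStatus']         = (Get-DAConnectionStatus).Status

    # 3. Task 2, step 3 (netsh namespace show effectivepolicy): the NRPT rules actually in force,
    #    which decide that intranet names are resolved through the DirectAccess DNS server.
    $nrpt = Get-DnsClientNrptPolicy -Effective
    $result['NRPTNamespaces'] = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '

    # 4. Task 3, steps 4-5: name resolution and ICMP reachability for each intranet host.
    foreach ($h in $IntranetHosts) {
        $dns = Resolve-DnsName -Name $h -Type AAAA -ErrorAction SilentlyContinue
        $result["$h resolves"]  = [bool]$dns
        $result["$h reachable"] = Test-Connection -ComputerName $h -Count 2 -Quiet
    }
    [pscustomobject]$result
}

# Run it and show every field; 'reachable' False with 'resolves' True usually points at the
# ICMPv6 firewall rules from Exercise 1 not having reached the intranet hosts yet.
Test-DAClientConnectivity | Format-List
```

When a client that should be connected shows no 2002: address, check the IPHTTPSLastError value first; IP-HTTPS depends on the certificate for CN=131.107.0.2 and on the CRL being reachable at the published http://crl.adatum.com/crld/ location, which is why Exercise 1 publishes the CRL to LON-RTR before the wizard runs.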
To prepare for the next module
• When you finish the lab, revert the virtual machines to their initial state.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
Module Review and Takeaways
Tools
Tool: Services.msc. Use for: Managing Windows services. Where to find it: Administrative Tools; launch from Run.
Tool: Gpedit.msc. Use for: Editing the local Group Policy. Where to find it: Launch from Run.
Tool: Mmc.exe. Use for: Creating and managing the Microsoft Management Console. Where to find it: Launch from Run.
Tool: Gpupdate.exe. Use for: Managing Group Policy application. Where to find it: Run from a command line.
Module 8
Installing, Configuring, and Troubleshooting the Network Policy Server Role
Contents:
Module Overview 8-1
Lesson 1: Installing and Configuring a Network Policy Server 8-2
Lesson 2: Configuring RADIUS Clients and Servers 8-6
Lesson 3: NPS Authentication Methods 8-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 8-20
Lab: Installing and Configuring a Network Policy Server 8-25
Module Review and Takeaways 8-29
Module Overview
The Network Policy Server (NPS) role in Windows Server® 2012 provides support for the Remote
Authentication Dial-In User Service (RADIUS) protocol, and can be configured as a RADIUS server or
proxy. Additionally, NPS provides functionality that is essential for the implementation of Network Access
Protection (NAP). To support remote clients and to implement NAP, it is important that you know how to
install, configure, and troubleshoot NPS.
Objectives
After completing this module, you will be able to:
• Install and configure NPS.
• Configure RADIUS clients and servers.
• Explain NPS authentication methods.
• Monitor and troubleshoot NPS.
Lesson 1
Installing and Configuring a Network Policy Server
NPS is implemented as a server role in Windows Server 2012. While installing the NPS role, you
must decide whether to use NPS as a RADIUS server, RADIUS proxy, or a NAP policy server. After the
installation, you can configure the NPS role by using various tools. You must understand how to install
and configure the NPS role in order to support your RADIUS infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the NPS role service.
• Explain how to install NPS.
• Describe the tools used to configure an NPS.
• Explain how to configure general NPS settings.
What Is a Network Policy Server?
NPS enables you to create and enforce
organization-wide network access policies for
client health, connection request authentication,
and connection request authorization. You also
can use NPS as a RADIUS proxy to forward
connection requests to NPS or other RADIUS
servers that you configure in remote RADIUS
server groups.
You can use NPS to centrally configure and manage network-access authentication,
authorization, and client health policies with any
combination of the following three functions:
• RADIUS server
• RADIUS proxy
• NAP policy server
RADIUS Server
NPS performs centralized connection authentication, authorization, and accounting for wireless,
authenticating switch, and dial-up and virtual private network (VPN) connections. When using NPS as
a RADIUS server, you configure network access servers, such as wireless access points and VPN servers,
as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection
requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files
on the local hard disk or in a Microsoft® SQL Server® database.
NPS is the Microsoft implementation of a RADIUS server. NPS enables the use of a heterogeneous set
of wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote
Access service, which is available in Windows® 2000 and more recent versions of Windows Server.
When an NPS server is a member of an Active Directory® Domain Services (AD DS) domain, NPS uses
AD DS as its user-account database and provides single sign-on (SSO), which means that users utilize the
same set of credentials for network-access control (authenticating and authorizing access to a network) as
they do to access resources within the AD DS domain.
Organizations that maintain network access, such as Internet service providers (ISPs), have the challenge
of managing a variety of network-access methods from a single administration point, regardless of the
type of network-access equipment they use. The RADIUS standard supports this requirement. RADIUS is
a client-server protocol that enables network-access equipment, used as RADIUS clients, to submit
authentication and accounting requests to a RADIUS server.
A RADIUS server has access to user-account information, and can verify network-access authentication
credentials. If the user’s credentials are authentic, and RADIUS authorizes the connection attempt, the
RADIUS server then authorizes the user’s access based on configured conditions, and logs the network-
access connection in an accounting log. Using RADIUS allows you to collect and maintain the network-
access user authentication, authorization, and accounting data in a central location, rather than on each
access server.
RADIUS Proxy
When using NPS as a RADIUS proxy, you configure connection request policies that indicate which
connection requests that the NPS server will forward to other RADIUS servers and to which RADIUS
servers you want to forward connection requests. You also can configure NPS to forward accounting
data for logging by one or more computers in a remote RADIUS server group.
With NPS, your organization also can outsource remote-access infrastructure to a service provider, while
retaining control over user authentication, authorization, and accounting.
You can create different NPS configurations for the following solutions:
• Wireless access
• Organization dial-up or VPN remote access
• Outsourced dial-up or wireless access
• Internet access
• Authenticated access to extranet resources for business partners
NAP Policy Server
When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoHs) sent by NAP-
capable client computers that attempt to connect to the network. NPS also acts as a RADIUS server when
it is configured with NAP, performing authentication and authorization for connection requests. You can
configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and
remediation server groups that allow client computers to update their configuration to become compliant
with your organization’s network policy.
Windows 8 and Windows Server 2012 include NAP, which helps protect access to private networks by
ensuring that client computers are configured in accordance with the organization’s network health
policies before they can connect to network resources. Additionally, NAP monitors client computer
compliance with administrator-defined health policy while the computer is connected to the network.
NAP autoremediation allows you to ensure that noncompliant computers are updated automatically,
bringing them into compliance with health policy so that they can connect successfully to the network.
System administrators define network health policies, and then create these policies by using NAP
components that either NPS provides, depending on your NAP deployment, or that third-party
companies provide.
Health policies can include software requirements, security-update requirements, and required-
configuration settings. NAP enforces health policies by inspecting and assessing the health of client
computers, restricting network access when client computers are deemed unhealthy, and remediating
unhealthy client computers for full network access.
Demonstration: Installing the Network Policy Server Role
This demonstration shows how to:
• Install the NPS role.
• Register NPS in AD DS.
Demonstration Steps
Install the NPS Role
1. Switch to LON-DC1.
2. Open Server Manager, and add the Network Policy and Access Services role.
3. Close Server Manager.
Register NPS in AD DS
1. Open the Network Policy Server console.
2. Register the server in AD DS.
3. Leave the Network Policy Server window open.
Tools for Configuring a Network Policy Server
After you install the Network Policy Server role,
you can open the NPS Administrative tool on
the Administrative Tools menu, or you can
add the snap-in to create a custom Microsoft
Management Console (MMC) tool. You also can
use netsh commands to manage and configure
the NPS role.
The following tools enable you to manage the
Network Policy and Access Services server role:
• NPS MMC snap-in. Use the NPS MMC to
configure a RADIUS server, a RADIUS proxy,
or a NAP technology.
• Netsh commands for NPS. The netsh commands for NPS provide a command set that is fully
equivalent to all configuration settings that are available through the NPS MMC snap-in. You can run
netsh commands manually at the netsh prompt or in administrator scripts.
One example of using netsh is that after you install and configure NPS, you can save the
configuration by using the netsh nps show config > path\file.txt command. You then save the NPS
configuration with this command each time that you make a change.
• Windows PowerShell®. You also can use Windows PowerShell Cmdlets to configure and manage a
Network Policy Server.
For example, to export the NPS configuration, you can use the Export-NpsConfiguration -Path
<filename> cmdlet.
Demonstration: Configuring General NPS Settings
This demonstration shows how to:
• Configure a RADIUS server for VPN connections.
• Save the configuration.
Demonstration Steps
Configure a RADIUS server for VPN connections
1. In the Network Policy Server console, launch the Configure VPN or Dial-Up Wizard.
2. Add LON-RTR as a RADIUS client.
3. Use a shared secret of Pa$$word for authentication between the RADIUS client and the NPS server.
4. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2) for authentication.
Save the configuration
1. Open Windows PowerShell.
2. Use the Export-NpsConfiguration -Path lon-dc1.xml command to save the configuration.
3. Examine this configuration with notepad.
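The two parts of this demonstration (adding LON-RTR as a RADIUS client, then exporting the configuration) can be done with the NPS Windows PowerShell module described under "Tools for Configuring a Network Policy Server". The script below is an added example and is not the course's own demonstration code; it assumes it runs on LON-DC1 after the NPS role is installed, that LON-RTR's intranet address is 172.16.0.1 (the address Lab B assigns to crl.adatum.com on LON-RTR), and the demonstration's shared secret. It adds the check a practitioner wants after an export: the exported XML carries the RADIUS shared secrets in clear text, so the file is locked down before it is examined.

```powershell
# Added example (not part of the course demonstration): scripted "Configure a RADIUS server for
# VPN connections" and "Save the configuration" steps on LON-DC1 with the NPS module.
Import-Module NPS

$clientName   = 'LON-RTR'
$clientAddr   = '172.16.0.1'     # assumed intranet address of LON-RTR; use the real one in your lab
$sharedSecret = 'Pa$$word'       # the demonstration's value; use a long random secret in production
$exportPath   = Join-Path $env:USERPROFILE 'lon-dc1.xml'

# Step 2-3 of the demonstration: register LON-RTR as a RADIUS client with the shared secret.
if (-not (Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName })) {
    New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $sharedSecret
}

# "Save the configuration": Export-NpsConfiguration writes the complete NPS configuration,
# including every RADIUS client shared secret, unencrypted into the XML file.
Export-NpsConfiguration -Path $exportPath

# Strip inherited ACEs and leave only Administrators and SYSTEM on the export before it is
# copied, backed up or opened in notepad, since the file is as sensitive as a password list.
icacls $exportPath /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null

# Read the export back and list the RADIUS clients it contains, which is the quick sanity check
# that the client was saved. The XPath assumes the exported tree keeps client entries under a
# Clients/Children element (inspect the file with notepad, as the demonstration does, if not).
function Get-ExportedRadiusClients {
    param([string]$Path = $exportPath)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $cfg.SelectNodes('//Clients/Children/*') | ForEach-Object { $_.Name }
}
Get-ExportedRadiusClients
```

The same export is also what the netsh nps show config > path\file.txt command mentioned earlier produces in text form, and it deserves the same handling: keep it off shared locations and out of unencrypted source control, because anyone who reads the shared secret can impersonate the RADIUS client to NPS.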
Lesson 2
Configuring RADIUS Clients and Servers
RADIUS is an industry-standard authentication protocol that many vendors use to support the exchange
of authentication information between elements of a remote-access solution. To centralize your
organization’s remote-authentication needs, you can configure NPS as a RADIUS server or a RADIUS
proxy. While configuring RADIUS clients and servers, you must consider several factors, such as the
RADIUS servers that will authenticate connection requests from RADIUS clients and the ports that RADIUS
traffic will use.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a RADIUS client.
• Describe a RADIUS Proxy.
• Explain how to configure a RADIUS client.
• Describe the use of a connection request policy.
• Describe and configure connection-request processing for a RADIUS proxy environment.
• Explain how to create a new connection request policy.
What Is a RADIUS Client?
A network access server (NAS) is a device that
provides some level of access to a larger network.
An NAS using a RADIUS infrastructure also is a
RADIUS client, originating connection requests
and accounting messages to a RADIUS server for
authentication, authorization, and accounting.
Client computers, such as wireless laptop
computers and other computers that are running
client-operating systems, are not RADIUS clients.
RADIUS clients are network access servers—
including wireless access points, 802.1X
authenticating switches, VPN servers, and dial-up
servers—because they use the RADIUS protocol to communicate with RADIUS servers such as NPS servers.
To deploy NPS as a RADIUS server, a RADIUS proxy, or a NAP policy server, you must configure RADIUS
clients in NPS.
RADIUS Client Examples
Examples of network access servers include the following:
• Network access servers that provide remote access connectivity to an organization network or the
Internet, such as a computer that is running the Windows Server 2012 operating system, and the
Routing and Remote Access service that provides either traditional dial-up or VPN remote access
services to an organization’s intranet.
• Wireless access points that provide physical-layer access to an organization’s network by using
wireless-based transmission and reception technologies.
• Switches that provide physical-layer access to an organization’s network, using traditional local area
network (LAN) technologies, such as the Ethernet.
• NPS-based RADIUS proxies that forward connection requests to RADIUS servers that are members of
a remote RADIUS server group that you configure on the RADIUS proxy, or other RADIUS proxies.
What Is a RADIUS Proxy?
You can use NPS as a RADIUS proxy to route
RADIUS messages between RADIUS clients
(network access servers) and RADIUS servers that
perform user authentication, authorization, and
accounting for the connection attempt.
When you use NPS as a RADIUS proxy, NPS is a
central switching or routing point through which
RADIUS access and accounting messages flow.
NPS records information in an accounting log about forwarded messages.
You can use NPS as a RADIUS proxy when:
• You are a service provider who offers outsourced dial, VPN, or wireless network-access services to
multiple customers.
Your NAS sends connection requests to the NPS RADIUS proxy. Based on the user name’s realm
portion in the connection request, the NPS RADIUS proxy forwards the connection request to a
RADIUS server that the customer maintains, and can authenticate and authorize the connection
attempt.
• You want to provide authentication and authorization for user accounts that are not members of the
domain in which the NPS server is a member, or of a domain that has a two-way trust with the NPS
server’s member domain.
This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of
configuring your access servers to send their connection requests to an NPS RADIUS server, you can
configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy
uses the realm-name portion of the user name, and then forwards the request to an NPS server in
the correct domain or forest. Connection attempts for user accounts in one domain or forest can be
authenticated for NAS in another domain or forest.
• You want to perform authentication and authorization by using a database that is not a Windows
account database.
In this case, NPS forwards connection requests that match a specified realm name to a RADIUS server,
which has access to a different database of user accounts and authorization data. An example of
another user database is SQL databases.
• You want to process a large number of connection requests. In this case, instead of configuring
your RADIUS clients to attempt to balance their connection and accounting requests across multiple
RADIUS servers, you can configure them to send their connection and accounting requests to an
NPS RADIUS proxy.
The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across
multiple RADIUS servers, and it increases processing of large numbers of RADIUS clients and
authentications each second.
• You want to provide RADIUS authentication and authorization for outsourced service providers and
minimize intranet firewall configuration.
An intranet firewall is between your intranet and your perimeter network (the network between your
intranet and the Internet). By placing an NPS server on your perimeter network, the firewall between
your perimeter network and intranet must allow traffic to flow between the NPS server and multiple
domain controllers.
When replacing the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow
between the NPS proxy and one or multiple NPS servers within your intranet.
Demonstration: Configuring a RADIUS Client
This demonstration shows how to configure a RADIUS client.
Demonstration Steps
1. Open Routing and Remote Access.
2. Disable the existing configuration.
3. Reconfigure LON-RTR as a VPN Server with the following information:
o Public interface: Local Area Connection 2
o The VPN server allocates addresses from the pool: 172.16.0.100 to 172.16.0.110
o Option to configure the server with: Yes, setup this server to work with a RADIUS server.
o Primary RADIUS server: LON-DC1
o Secret: Pa$$w0rd
4. Start the VPN service.
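The demonstration configures the access-server side (LON-RTR). The matching step on the NPS side is to register LON-RTR as a RADIUS client on LON-DC1. The following is an added example, not part of the course handbook, using the NPS PowerShell module that ships with Windows Server 2012. It assumes an elevated PowerShell session on LON-DC1 with the NPS role installed; the address 172.16.0.2 for LON-RTR and the helper function New-RadiusSharedSecret are constructed for the example.

```powershell
# Added example (not part of the course handbook): register LON-RTR as a RADIUS client on
# LON-DC1 with the NPS module from Windows Server 2012.
# Assumptions: elevated session on LON-DC1 with the NPS role installed; 172.16.0.2 is a
# constructed address for LON-RTR; New-RadiusSharedSecret is a helper written for this example.
Import-Module NPS

function New-RadiusSharedSecret {
    # Produce a long random secret from printable characters so it can still be typed into
    # the Routing and Remote Access wizard on LON-RTR. A short lab value such as the one in
    # the demonstration is easy to guess and lets a rogue host impersonate the access server.
    param([int]$Length = 48)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'  # 64 symbols
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # 64 symbols divide 256 evenly, so the low 6 bits of each byte select a symbol without bias.
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

$secret = New-RadiusSharedSecret

# -AuthAttributeRequired makes NPS discard Access-Request messages from this client that lack
# a valid Message-Authenticator attribute, so packets from a host that does not know the
# shared secret are dropped instead of being processed.
New-NpsRadiusClient -Name 'LON-RTR' -Address '172.16.0.2' -SharedSecret $secret `
                    -AuthAttributeRequired $true -Enabled $true

# Show the resulting client entry; the secret itself is not part of the output.
Get-NpsRadiusClient -Name 'LON-RTR' | Format-List Name, Address, Enabled, AuthAttributeRequired

# The same value must be entered at the "Secret" step on LON-RTR; the two sides must match exactly.
Write-Host "Shared secret for LON-RTR (enter it on the VPN server, then clear this console): $secret"
```

The secret is generated once and entered on both sides; NPS never transmits it, so a mismatch shows up as Access-Request messages that LON-DC1 silently discards, which is the first thing to check when a new RADIUS client fails to authenticate anyone.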
What Is a Connection Request Policy?
Connection request policies are sets of conditions
and settings that allow network administrators
to designate which RADIUS servers perform
authentication and authorization of connection
requests that the NPS server receives from RADIUS
clients. You can configure connection-request
policies to designate which RADIUS servers to use
for RADIUS accounting.
Note: When you deploy NAP by using
the VPN or 802.1X enforcement methods with
Protected Extensible Authentication Protocol
(PEAP) authentication, you must configure PEAP authentication in the connection request policy
even when connection requests are processed locally.
You can create a series of connection request policies so that some RADIUS request messages sent from
RADIUS clients are processed locally (NPS is a RADIUS server) and other types of messages are forwarded
to another RADIUS server (NPS is a RADIUS proxy).
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on a
variety of factors, including:
• The time of day and day of the week.
• The realm name in the connection request.
• The connection type that you are requesting.
• The RADIUS client’s IP address.
Conditions
Connection request policy conditions are one or more RADIUS attributes that are compared to the
attributes of the incoming RADIUS access-request message. If multiple conditions exist, NPS enforces the
policy only if all of the conditions in the connection-request message and in the connection request
policy match.
Settings
Connection request policy settings are a set of properties that are applied to an incoming RADIUS
message. Settings consist of the following groups of properties:
• Authentication
• Accounting
• Attribute manipulation
• Advanced
Default Connection Request Policy
When you install NPS, a default connection request policy is created with the following conditions:
• Authentication is not configured.
• Accounting is not configured to forward accounting information to a remote RADIUS server group.
• Attribute manipulation is not configured with rules that change attributes in forwarded connection
requests.
• Forwarding Request is turned on, which means that the local NPS server authenticates and authorizes
connection requests.
• Advanced attributes are not configured.
The default connection request policy uses NPS as a RADIUS server. To configure an NPS server to act as
a RADIUS proxy, you also must configure a remote RADIUS server group. You can create a new remote
RADIUS server group while you are creating a new connection request policy with the New Connection
Request Policy Wizard. You either can delete the default connection request policy or verify that the
default connection request policy is the last policy processed.
Note: If NPS and the Routing and Remote Access service are installed on the same
computer, and you configure the Routing and Remote Access service for Windows authentication
and accounting, it is possible for Routing and Remote Access service authentication and
accounting requests to be forwarded to a RADIUS server. This can occur when Routing and
Remote Access service authentication and accounting requests match a connection request
policy that is configured to forward them to a remote RADIUS server group.
Configuring Connection-Request Processing
The default connection request policy uses NPS as
a RADIUS server, and processes all authentication
requests locally.
Considerations for Configuring Connection-Request Processing
When configuring connection-request processing,
consider the following:
• To configure an NPS server to act as a
RADIUS proxy and forward connection
requests to other NPS or RADIUS servers,
you must configure a remote RADIUS server
group, and then add a new connection request policy that specifies conditions and settings that the
connection requests must match.
• You can use the New Connection Request Policy Wizard to create a new remote RADIUS server group
when you create a new connection request policy.
• If you do not want the NPS server to act as a RADIUS server and process connection requests locally,
you can delete the default connection request policy.
• If you want the NPS server to act as both a RADIUS server (processes connection requests locally) and
as a RADIUS proxy (forwards some connection requests to a remote RADIUS server group), then you
should add a new policy, and verify that the default connection request policy is the last policy
processed.
Ports for RADIUS and Logging
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for Internet Protocol
version 6 (IPv6) and IPv4 for all installed network adapters.
Note: If you disable either IPv4 or IPv6 on a network adapter, NPS does not monitor
RADIUS traffic for the disabled protocol on that adapter.
The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs
2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and
1646 for accounting requests. When you are deciding on what port numbers to use, make sure that you
configure NPS and the access server to use the same port numbers. If you do not use the RADIUS default
port numbers, you must configure exceptions on the firewall for the local computer to enable RADIUS
traffic on the new ports.
Configuring NPS UDP Port Information
You can use the following procedure to configure the User Datagram Protocol (UDP) ports that NPS uses
for RADIUS authentication and accounting traffic.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
To configure NPS UDP port information by using the Windows interface:
1. Open the NPS console.
2. Right-click Network Policy Server, and then click Properties.
3. Click the Ports tab, and then examine the settings for ports. If your RADIUS authentication and
RADIUS accounting UDP ports vary from the provided default values (1812 and 1645 for
authentication, and 1813 and 1646 for accounting), type your port settings in Authentication and
Accounting.
Note: To use multiple port settings for authentication or accounting requests, separate the
port numbers with commas.
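After changing port settings, two things are worth verifying: that the NPS service is actually bound to the ports you expect, and that the host firewall exception matches them and is not wider than it needs to be. The following is an added example, not from the course handbook, for an elevated session on the NPS server; it assumes Windows Server 2012 or later (for Get-NetUDPEndpoint and New-NetFirewallRule), and the client addresses and the helper Get-NpsListeningPorts are constructed for the example.

```powershell
# Added example (not part of the course handbook): confirm the UDP ports the NPS service is
# bound to and restrict the inbound firewall exception to registered RADIUS clients.
# Assumptions: elevated session on the NPS server, Windows Server 2012 or later; the client
# addresses are constructed lab values; Get-NpsListeningPorts is a helper written for this example.
$radiusPorts   = 1812, 1813, 1645, 1646     # NPS defaults: auth, acct, legacy auth, legacy acct
$radiusClients = '172.16.0.2', '172.16.0.3' # constructed: LON-RTR and a wireless controller

function Get-NpsListeningPorts {
    # The NPS service is registered under the service name IAS. Matching endpoints to its
    # process ID avoids mistaking another program bound to a RADIUS port for NPS.
    $npsPid = (Get-CimInstance Win32_Service -Filter "Name='IAS'").ProcessId
    Get-NetUDPEndpoint -LocalPort $radiusPorts -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -eq $npsPid } |
        Select-Object LocalAddress, LocalPort
}

$listening = @(Get-NpsListeningPorts)
$listening | Format-Table -AutoSize
$missing = $radiusPorts | Where-Object { $_ -notin $listening.LocalPort }
if ($missing) {
    Write-Warning "NPS is not listening on UDP $($missing -join ', '); check the Ports tab and the IPv4/IPv6 bindings of the adapter."
}

# Scope the exception to known clients. If you changed the ports on the Ports tab, put the new
# values in -LocalPort: the rule must mirror the NPS configuration or the traffic is dropped.
New-NetFirewallRule -DisplayName 'NPS RADIUS (registered clients only)' `
    -Direction Inbound -Protocol UDP -LocalPort $radiusPorts `
    -RemoteAddress $radiusClients -Action Allow -Profile Domain
```

Limiting the rule to the registered client addresses means a host that is not a RADIUS client cannot even reach the listener, which complements the shared-secret check NPS performs on the packets that do arrive.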
Demonstration: Creating a Connection Request Policy
This demonstration shows how to create a VPN connection request policy.
Demonstration Steps
1. On LON-DC1, switch to the Network Policy Server console.
2. View the existing Connection Request Policies. The wizard created these automatically when you
specified the NPS role of this server.
3. Create a new Connection Request Policy with the following settings:
o Type of network access server: Remote Access Server (VPN-Dial up)
o Condition: NAS Port Type as Virtual (VPN)
o Other settings: default values
4. Assign the new policy the highest priority.
Lesson 3
NPS Authentication Methods
NPS authenticates and authorizes a connection request before allowing or denying access when users
attempt to connect to your network through network access servers, also known as RADIUS clients, such
as wireless access points, 802.1X authenticating switches, dial-up servers, and VPN servers.
Because authentication is the process of verifying the user’s or computer’s identity that is attempting to
connect to the network, NPS must receive proof of identity from the user or computer in the form of
credentials.
Some authentication methods implement the use of password-based credentials. The network access
server then passes these credentials to the NPS server, which verifies the credentials against the user
accounts database.
Other authentication methods implement the use of certificate-based credentials for the user, the client
computer, the NPS server, or some combination. Certificate-based authentication methods provide strong
security and are recommended over password-based authentication methods.
When you deploy NPS, you can specify the required type of authentication method for access to your
network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the password-based authentication methods for an NPS server.
• Describe how certificates are used to provide authentication for network clients.
• Describe the types of certificates that are needed for various authentication methods.
• Describe how to deploy certificates for PEAP and EAP.
Password-Based Authentication Methods
Each authentication method has advantages and
disadvantages in terms of security, usability, and
breadth of support. However, password-based
authentication methods do not provide strong
security, and we do not recommend them. We
recommend that you use a certificate-based
authentication method for all network access
methods that support certificate use. This is
especially true for wireless connections, for which we recommend the use of PEAP-MS-CHAP v2 or
PEAP-TLS.
The authentication method you require is
determined by the configuration of the network access server, the client computer, and network policy on
the NPS server. Consult your access server documentation to determine which authentication methods are
supported.
You can configure NPS to accept multiple authentication methods. You also can configure your network
access servers, also called RADIUS clients, to attempt to negotiate a connection with client computers by
requesting the use of the most secure protocol first, then the next most secure, and so on, down to the
least secure. For example, the Routing and Remote Access service tries to negotiate a connection by using
the following protocols in the order shown:
1. Extensible Authentication Protocol (EAP)
2. MS-CHAP v2
3. MS-CHAP
4. Challenge Handshake Authentication Protocol (CHAP)
5. Shiva Password Authentication Protocol (SPAP)
6. Password Authentication Protocol (PAP)
When EAP is chosen as the authentication method, the negotiation of the EAP type occurs between the
access client and the NPS server.
MS-CHAP Version 2
MS-CHAP v2 provides stronger security for network access connections than MS-CHAP, its predecessor.
MS-CHAP v2 is a one-way encrypted password, mutual-authentication process that works as follows:
1. The authenticator (the network access server or the NPS server) sends a challenge to the access client
that consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains:
o The user name.
o An arbitrary peer-challenge string.
o A one-way encryption of the received challenge string, the peer-challenge string, the session
identifier, and the user’s password.
3. The authenticator checks the client’s response, and then sends back a response that contains:
o An indication of the connection attempt’s success or failure.
o An authenticated response based on the sent challenge string, the peer-challenge string, the
client’s encrypted response, and the user’s password.
4. The access client verifies the authentication response and, if correct, uses the connection. If the
authentication response is not correct, the access client terminates the connection.
MS-CHAP
MS-CHAP, also known as MS-CHAP version 1, is a nonreversible, encrypted password-authentication
protocol.
The challenge handshake process works as follows:
1. The authenticator (the network access server or the NPS server) sends a challenge to the access client
that consists of a session identifier and an arbitrary challenge string.
2. The access client sends a response that contains the user name and a nonreversible encryption of the
challenge string, the session identifier, and the password.
3. The authenticator checks the response and, if valid, authenticates the user’s credentials.
Note: If you use MS-CHAP, MS-CHAP v2, or EAP-TLS as the authentication protocol, then
you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data that was sent on the
Point-to-Point Protocol (PPP) or Point-to-Point Tunneling Protocol (PPTP) connection.
MS-CHAP v2 provides stronger security for network access connections than MS-CHAP. You should
consider using MS-CHAP v2 instead of MS-CHAP.
CHAP
CHAP is a challenge-response authentication protocol that uses the industry-standard Message
Digest 5 (MD5) hashing scheme to encrypt the response.
Various vendors of network access servers and clients use CHAP. A server that is running Routing and
Remote Access supports CHAP, so access clients that require CHAP are authenticated. Because CHAP
requires the use of a reversibly-encrypted password, you should consider using another authentication
protocol, such as MS-CHAP v2.
Additional Considerations
When implementing CHAP, consider the following:
• When users’ passwords expire, CHAP does not provide the ability for them to change passwords
during the authentication process.
• Verify that your network access server supports CHAP before you enable it on an NPS server’s
network policy. For more information, refer to your NAS documentation.
• You cannot use MPPE with CHAP.
PAP
PAP uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated
if the access client and network access server cannot negotiate a more secure authentication method.
When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone
capturing the packets of the authentication process can read the password easily, and then use it to gain
unauthorized access to your intranet. We highly discourage the use of PAP, especially for VPN
connections.
Unauthenticated Access
With unauthenticated access, user credentials (a user name and password) are not required. Although
there are some situations in which unauthenticated access is useful, in most cases, we do not recommend
that you deploy unauthenticated access to your organization’s network.
When you enable unauthenticated access, users can access your network without sending user credentials.
Additionally, unauthenticated access clients do not negotiate the use of a common authentication
protocol during the connection establishment process, and they do not send NPS a user name or
password. If you permit unauthenticated access, clients can connect without being authenticated if the
authentication protocols that are configured on the access client do not match the authentication
protocols that are configured on the network access server. In this case, the use of a common
authentication protocol is not negotiated, and the access client does not send a user name and password.
This circumstance creates a serious security problem. Therefore, unauthenticated access should not be
allowed on most networks.
Using Certificates for Authentication
Certificates are digital documents that certification
authorities (CAs) issue, such as Active Directory
Certificate Services (AD CS) or the VeriSign public
CA. You can use certificates for many purposes,
such as code signing and securing email
communication. However, with NPS, you use
certificates for network access authentication
because they provide strong security for
authenticating users and computers, and
eliminate the need for less secure, password-
based authentication methods.
NPS servers use EAP-TLS and PEAP to perform
certificate-based authentication for many types of network access, including VPN and wireless
connections.
Authentication Methods
Two authentication methods, when you configure them with certificate-based authentication types, use
certificates: EAP and PEAP. With EAP, you can configure the authentication type TLS (EAP-TLS), and with
PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAP v2).
These authentication methods always use certificates for server authentication. Depending on the
authentication type that you configure with the authentication method, you also might use certificates
for user authentication and client computer authentication.
Note: Using certificates for VPN connection authentication is the strongest form of
authentication available in Windows Server 2008 R2. You must use certificates for IPsec
authentication on VPN connections that are based on Layer Two Tunneling protocol over
Internet protocol security (L2TP/IPsec). PPTP connections do not require certificates, although
you can configure PPTP connections to use certificates for computer authentication when you
use EAP-TLS as the authentication method. For wireless clients (computing devices with wireless
network adapters, such as your portable computer or personal digital assistant), use PEAP with
EAP-TLS and smart cards or certificates for authentication.
Note: You can deploy certificates for use with NPS by installing and configuring the AD CS
server role.
Mutual Authentication
When you use EAP with a strong EAP type (such as TLS with smart cards or certificates), the client and
the server use certificates to verify their identities to each other, which is known as mutual authentication.
Certificates must meet specific requirements to allow the server and the client to use them for mutual
authentication.
One such requirement is that the certificate is configured with one or more purposes in Extended Key
Usage (EKU) extensions that correlate to the certificate use. For example, you must configure a certificate that
you use for a client’s authentication with the Client Authentication purpose. Similarly, you must configure
a certificate that you use for a server’s authentication with the Server Authentication purpose. When you
use certificates for authentication, the authenticator examines the client certificate, seeking the correct
purpose object identifier in EKU extensions. For example, the object identifier for the Client
Authentication purpose is 1.3.6.1.5.5.7.3.2. When you use a certificate for client computer authentication,
this object identifier must be present in the EKU extensions of the certificate or authentication will fail.
Certificate Templates
Certificate Templates is an MMC snap-in that enables customization of certificates that AD CS issues.
Customization possibilities include how certificates are issued and what the certificates contain, including
their purposes. In Certificate Templates, you can use a default template, such as the Computer template,
to define the template that the CA uses to assign certificates to computers. You also can create a
certificate template and assign purposes to it in EKU extensions. By default, the Computer template
includes the Client Authentication purpose and the Server Authentication purpose in EKU extensions.
The certificate template that you create can include any purpose for which you will use the certificate.
For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose as
well as the Client Authentication purpose. When using NPS, you can configure NPS to check certificate
purposes before granting network authorization. NPS can check additional EKUs and Issuance Policy
purposes, also known as Certificate Policies.
Note: Some non-Microsoft CA software might contain a purpose named All, which
represents all possible purposes. This is indicated by a blank (or null) EKU extension. Although All
is intended to mean all possible purposes, you cannot substitute the All-purpose for the Client
Authentication purpose, the Server Authentication purpose, or any other purpose that is related
to network access authentication.
Required Certificates for Authentication
The following table details the certificates that are required to deploy each of the listed certificate-
based authentication methods successfully. Each entry lists the certificate, whether it is required for
EAP-TLS and PEAP-TLS, whether it is required for PEAP-MS-CHAP v2, and details.

Certificate: CA certificate in the Trusted Root Certification Authorities certificate store for the Local
Computer and Current User
Required for EAP-TLS and PEAP-TLS? Yes. The CA certificate is enrolled automatically for domain member
computers. For nondomain member computers, you must import the certificate manually into the
certificate store.
Required for PEAP-MS-CHAP v2? Yes. This certificate is enrolled automatically for domain member
computers. For nondomain member computers, you must import the certificate manually into the
certificate store.
Details: For PEAP-MS-CHAP v2, this certificate is required for mutual authentication between client and
server.

Certificate: Client computer certificate in the certificate store of the client
Required for EAP-TLS and PEAP-TLS? Yes. Client computer certificates are required unless user certificates
are distributed on smart cards. Client certificates are enrolled automatically for domain member
computers. For nondomain member computers, you must import the certificate manually or obtain it
with the Web-enrollment tool.
Required for PEAP-MS-CHAP v2? No. User authentication is performed with password-based credentials,
not certificates.
Details: If you deploy user certificates on smart cards, client computers do not need client certificates.

Certificate: Server certificate in the certificate store of the NPS server
Required for EAP-TLS and PEAP-TLS? Yes. You can configure AD CS to autoenroll server certificates to
members of the RAS and IAS servers group in AD DS.
Required for PEAP-MS-CHAP v2? Yes. In addition to using AD CS for server certificates, you can purchase
server certificates from other CAs that client computers already trust.
Details: The NPS server sends the server certificate to the client computer. The client computer uses the
certificate to authenticate the NPS server.

Certificate: User certificate on a smart card
Required for EAP-TLS and PEAP-TLS? AD CS to auto-enroll server certificates to members of the RAS and
IAS servers group in AD DS.
Required for PEAP-MS-CHAP v2? No. User authentication is performed with password-based credentials,
not certificates.
Details: For EAP-TLS and PEAP-TLS, if you do not auto-enroll client computer certificates, user certificates
on smart cards are required.
The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication provides
authenticated access to 802.11 wireless networks and wired Ethernet networks. 802.1X provides support
for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS
in a variety of ways.
If you configure the Validate server certificate option on the client, the client authenticates the server by
using its certificate. Client computer and user authentication is accomplished by using certificates from
the client certificate store or a smart card, providing mutual authentication.
With wireless clients, you can use PEAP-MS-CHAP v2 as the authentication method. PEAP-MS-CHAP v2 is
a password-based user authentication method that uses TLS with server certificates. During PEAP-MS-
CHAP v2 authentication, the NPS server supplies a certificate to validate its identity to the client (if the
Validate server certificate option is configured on the Windows 8 client). Client computer and user
authentication is accomplished with passwords, which eliminates some of the difficulty of deploying
certificates to wireless client computers.
Deploying Certificates for PEAP and EAP
All certificates that you use for network access
authentication with EAP-TLS and PEAP must meet
the requirements for X.509 certificates and work
for connections that use Secure Sockets Layer-
Transport Layer Security (SSL/TLS). After this
minimum requirement is met, both client and
server certificates have additional requirements.
Minimum Server Certificate Requirements
You can configure clients to validate server
certificates by using the Validate server certificate
option within the authentication protocol’s
properties. With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the client
accepts the server authentication attempt when the certificate meets the following requirements:
• The Subject name contains a value. If you issue a certificate to your NPS server that has a blank
Subject, the certificate is not available to authenticate your NPS server. To configure the certificate
template with a Subject name:
a. Open Certificate Templates.
b. In the details pane, right-click the certificate template that you want to change, and then click
Properties.
c. Click the Subject Name tab, and then click Build from this Active Directory information.
d. In Subject name format, select a value other than None.
• The computer certificate on the server chains to a trusted root CA, and does not fail any of the checks
that CryptoAPI performs and that the remote access or network policies specify.
• The NPS or VPN server computer certificate is configured with the Server Authentication purpose in
EKU extensions (the object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1).
• The server certificate is configured with a required algorithm value of RSA. To configure the required
cryptography setting:
a. Open Certificate Templates.
b. In the details pane, right-click the certificate template that you want to change, and then click
Properties.
c. Click the Cryptography tab. In Algorithm name, click RSA. Ensure that Minimum key size is
set to 2048.
• The Subject Alternative Name (SubjectAltName) extension, if you use it, must contain the server’s fully
qualified domain name (FQDN). To configure the certificate template with the Domain Name System
(DNS) name of the enrolling server:
a. Open Certificate Templates.
b. In the details pane, right-click the certificate template that you want to change, and then click
Properties.
c. Click the Subject Name tab, and then click Build from this Active Directory information.
d. In Include this information in alternate subject name, select DNS name.
With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate
store, except the following:
• Certificates that do not contain the Server Authentication purpose in EKU extensions.
• Certificates that do not contain a subject name.
• Registry-based and smart card-logon certificates.
Minimum Client Certificate Requirements
With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets
the following requirements:
• An enterprise CA issued the client certificate or it is mapped to an Active Directory user or computer
account.
• The user or computer certificate on the client chains to a trusted-root CA; the certificate includes
the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication
is 1.3.6.1.5.5.7.3.2); and fails neither the checks that CryptoAPI performs, which the remote access or
network policies specify, nor the Certificate object identifier checks that the NPS network policies
specify.
• The 802.1X client does not use registry-based certificates that are either smart card-logon or
password-protected certificates.
• For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate
contains the user principal name (UPN). To configure the UPN in a certificate template:
a. Open Certificate Templates.
b.
In the details pane, right-click the certificate template that you want to change, and then click
Properties.
c. Click the Subject Name tab, and then click Build from this Active Directory information.
d.
In Include this information in alternate subject name, select User principal name (UPN).
• For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate
must contain the client’s FQDN, also known as the DNS name. To configure this name in the
certificate template:
a. Open Certificate Templates.
b. In the details pane, right-click the certificate template that you want to change, and then click Properties.
c. Click the Subject Name tab, and then click Build from this Active Directory information.
d. In Include this information in alternate subject name, select DNS name.
With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:
• Wireless clients do not display registry-based and smart card-logon certificates.
• Wireless clients and VPN clients do not display password-protected certificates.
• Certificates that do not contain the Client Authentication purpose in EKU extensions.
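The following PowerShell script is an added example and is not part of the handbook. It checks each certificate in the local computer's Personal store against the requirements listed above: a subject name is present, the Server Authentication or Client Authentication purpose is in the EKU extension, the smart card-logon purpose is absent, the certificate chains to a trusted root, and the Subject Alternative Name carries a DNS name or a UPN. The function name Test-NpsCertificate is my own; the Server Authentication OID 1.3.6.1.5.5.7.3.1 and the Smart Card Logon OID 1.3.6.1.4.1.311.20.2.2 are the standard values for those purposes and are not taken from the page.

```powershell
# Added example, not part of the 20411B handbook: audit certificates in the local computer's
# Personal store against the EAP-TLS/PEAP requirements listed in the text.
# Assumption: run in an elevated PowerShell session on the NPS server or an 802.1X client.

$ServerAuthOid     = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU (standard OID)
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU (OID given in the text)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU; NPS does not offer these
$SanOid            = '2.5.29.17'                # Subject Alternative Name extension

function Test-NpsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('Server', 'Client')]
        [string]$Role = 'Server'
    )

    # Collect every EKU OID the certificate carries
    $ekuOids = foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
    $requiredOid = if ($Role -eq 'Server') { $ServerAuthOid } else { $ClientAuthOid }

    # CryptoAPI renders the SAN as text such as
    # "DNS Name=lon-dc1.adatum.com, Other Name:Principal Name=alice@adatum.com"
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Build the chain the way CryptoAPI does; $false means no trusted root was reached
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint       = $Cert.Thumbprint
        Subject          = $Cert.Subject
        HasSubjectName   = -not [string]::IsNullOrWhiteSpace($Cert.Subject)
        HasRequiredEku   = @($ekuOids) -contains $requiredOid
        IsSmartCardLogon = @($ekuOids) -contains $SmartCardLogonOid
        HasPrivateKey    = $Cert.HasPrivateKey
        SanHasDnsName    = [bool]($sanText -match 'DNS Name=')
        SanHasUpn        = [bool]($sanText -match 'Principal Name=')
        ChainsToRoot     = $chainOk
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Server view: which certificates would NPS actually list for PEAP or EAP-TLS?
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsCertificate -Cert $_ -Role Server } |
    Where-Object { $_.HasSubjectName -and $_.HasRequiredEku -and -not $_.IsSmartCardLogon } |
    Format-Table Thumbprint, Subject, HasPrivateKey, SanHasDnsName, ChainsToRoot, ChainStatus -AutoSize
```

Run the same pipeline with -Role Client on an 802.1X client to see which user or computer certificates satisfy the client-side list; a row with ChainsToRoot set to False and a non-empty ChainStatus (for example UntrustedRoot or RevocationStatusUnknown) is the certificate that will fail the CryptoAPI checks the text mentions.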
Lesson 4
Monitoring and Troubleshooting a Network Policy Server
You can monitor NPS by configuring and using logging for events, and user authentication and
accounting requests. Event logging enables you to record NPS events in the system and security event
logs. You can use request logging for connection analysis and billing purposes. The information that the log files collect is useful for troubleshooting connection attempts and for security investigation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the methods for monitoring NPS.
• Describe how to configure log file properties.
• Describe how to configure SQL Server logging in NPS.
• Describe how to configure NPS events to be recorded in Event Viewer.
Methods Used to Monitor NPS
The two types of accounting, or logging, that you can use to monitor NPS are:
• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. You use this primarily for auditing and troubleshooting connection attempts.
• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server database. Use request logging primarily for connection analysis and billing purposes, and as a security investigation tool, because it enables you to identify an attacker’s activity.
To make the most effective use of NPS logging:
• Turn on logging (initially) for authentication and accounting records. Modify these selections after
you determine what is appropriate for your environment.
• Ensure that you configure event logging with sufficient capacity to maintain your logs.
• Back up all log files on a regular basis, because they cannot be recreated when damaged or deleted.
• Use the RADIUS Class attribute to track usage and simplify identification of which department or
user to charge for usage. Although the Class attribute, which is generated automatically, is unique for
each request, duplicate records might exist in cases where the reply to the access server is lost and the
request is re-sent. You might need to delete duplicate requests from your logs to track usage
accurately.
• To provide failover and redundancy with SQL Server logging, place two computers that are running
SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database
replication between the two servers. For more information, refer to the SQL Server documentation.
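The following PowerShell script is an added example and is not part of the handbook. It parses NPS accounting records written in the DTS Compliant format (the XML format named in the log file properties topic later in this lesson, one Event document per line), collapses the duplicate records that share a Class value, which is the clean-up step the list above calls for before tracking usage, and counts Access-Reject records per user. The element names used, the function names, the five sample lines and the default monthly file name INyymm.log in the closing comment are my own assumptions and constructions, not data from the page.

```powershell
# Added example, not part of the 20411B handbook: summarize NPS accounting records in the
# DTS Compliant format (one <Event> XML document per line), drop duplicate records that carry
# the same Class value (a request re-sent after a lost reply), and count rejections per user.
# Assumptions: element names as in the DTS Compliant format; the sample lines below are
# constructed for this example and are not real log data.

$SampleLines = @(
    '<Event><Timestamp data_type="4">08/21/2019 10:15:01.000</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Class data_type="1">311 1 10.10.0.1 08/21/2019 10:00:00 1</Class><Packet-Type data_type="0">2</Packet-Type></Event>',
    # same Class as the first record: the access server lost the reply and re-sent the request
    '<Event><Timestamp data_type="4">08/21/2019 10:15:04.000</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Class data_type="1">311 1 10.10.0.1 08/21/2019 10:00:00 1</Class><Packet-Type data_type="0">2</Packet-Type></Event>',
    '<Event><Timestamp data_type="4">08/21/2019 10:16:10.000</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Class data_type="1">311 1 10.10.0.1 08/21/2019 10:00:00 2</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">08/21/2019 10:16:25.000</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Class data_type="1">311 1 10.10.0.1 08/21/2019 10:00:00 3</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">08/21/2019 10:16:41.000</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Class data_type="1">311 1 10.10.0.1 08/21/2019 10:00:00 4</Class><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>'
)

# RADIUS packet codes from RFC 2865/2866
$PacketTypeName = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }

function Get-NodeText {
    param([System.Xml.XmlNode]$Node, [string]$Name)
    $child = $Node.SelectSingleNode($Name)
    if ($child) { $child.InnerText } else { $null }
}

function ConvertFrom-NpsDtsLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        $root = ([xml]$Line).DocumentElement          # the <Event> element
        [pscustomobject]@{
            Timestamp  = Get-NodeText $root 'Timestamp'
            Server     = Get-NodeText $root 'Computer-Name'
            User       = Get-NodeText $root 'User-Name'
            ClientIP   = Get-NodeText $root 'Client-IP-Address'
            Class      = Get-NodeText $root 'Class'
            PacketType = [int](Get-NodeText $root 'Packet-Type')
            ReasonCode = Get-NodeText $root 'Reason-Code'
        }
    }
}

function Remove-NpsDuplicateRecord {
    param([Parameter(Mandatory)][object[]]$Records)
    # Records with the same Class and Packet-Type are the same request logged twice; keep the first
    $Records | Group-Object { "$($_.Class)|$($_.PacketType)" } | ForEach-Object { $_.Group[0] }
}

$records = @($SampleLines | ConvertFrom-NpsDtsLine)
$unique  = @(Remove-NpsDuplicateRecord -Records $records)
"{0} records read, {1} after removing duplicates" -f $records.Count, $unique.Count

# Records per packet type, then rejected requests per user: a starting point for an investigation
$unique | Group-Object PacketType |
    Select-Object @{ n = 'PacketType'; e = { $PacketTypeName[[int]$_.Name] } }, Count | Format-Table -AutoSize
$unique | Where-Object { $_.PacketType -eq 3 } | Group-Object User |
    Sort-Object Count -Descending | Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize

# For a real file (assumed default monthly name INyymm.log in the directory from the next topic):
# Get-Content "$env:SystemRoot\System32\LogFiles\IN1908.log" | ConvertFrom-NpsDtsLine
```

With the sample lines the script reports five records read and four after de-duplication, one Access-Accept and three Access-Reject records, and ADATUM\bob as the only user with rejections. The de-duplication key deliberately combines Class with Packet-Type, so an Access-Request and the Access-Accept that answers it are never merged even when they carry the same Class value.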
Note: To interpret logged data, view the information on the Microsoft TechNet website:
Interpret NPS Database Format Log Files
http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409
Logging NPS Accounting
You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files where you want to store the accounting data.
Considerations for Configuring Accounting for NPS
The following list provides more information about configuring NPS accounting:
• To send the log file data for collection by another process, you can configure NPS to write to a
named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The
named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the
Local File Properties dialog box, in Create a new log file, select Never (unlimited file size) when
you use named pipes.
• To create the log file directory, use system environment variables (instead of user variables),
such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the
environment variable %windir%, locates the log file at the system directory in the subfolder
\System32\Logs (that is, %windir%\System32\Logs\).
• Switching log-file formats does not cause a new log to be created. If you change log file formats,
the file that is active when the change occurs will contain a mixture of the two formats. Records at the
log’s start will have the previous format, and records at the log’s end will have the new format.
• If you are administering an NPS server remotely, you cannot browse the directory structure. If you
need to log accounting information to a remote server, specify the log file name by typing a Universal
Naming Convention (UNC) name, such as \\MyLogServer\LogShare.
• If RADIUS accounting fails due to a full hard-disk drive or other causes, NPS stops processing
connection requests, which prevents users from accessing network resources.
• NPS enables you to log to a SQL Server database in addition to, or instead of, logging to a local file.
Note: If you do not supply a full path statement in Log File Directory, the default path
is used. For example, if you type NPSLogFile in Log File Directory, the file is located at
%systemroot%\System32\NPSLogFile.
Configuring Log File Properties
To configure log file properties by using the Windows interface, perform the following tasks:
1. Open the Network Policy Server MMC snap-in.
2. In the console tree, click Accounting.
3. In the details pane, click Change Log File Properties.
4. In Log File Properties, on the Log File tab, in Directory, type the location where you want to store
NPS log files. The default location is the systemroot\System32\LogFiles folder.
5. In Format, select from DTS Compliant, ODBC (Legacy), and IAS (Legacy).
6. To configure NPS to start new log files at specified intervals, click the interval that you want to use:
o For heavy transaction volume and logging activity, click Daily.
o For lesser transaction volumes and logging activity, click Weekly or Monthly.
o To store all transactions in one log file, click Never (unlimited file size).
o To limit the size of each log file, click When log file reaches this size, and then type a file size, after which a new log is created. The default size is 10 megabytes (MB).
7. To configure NPS to delete log files automatically when the disk is full, click When disk is full delete older log files. If the oldest log file is the current log file, it is not deleted.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
Configuring SQL Server Logging
You can configure NPS to perform RADIUS accounting to a SQL Server database. You can use this procedure to configure logging properties and the connection to the running SQL Server that stores your accounting data. The SQL Server database can be on the local computer or on a remote server.
Note: NPS formats accounting data as an XML document that it sends to the report_event stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to function properly, you must have a stored procedure named report_event in the SQL Server database that can receive and parse the XML documents from NPS.
Configuring SQL Server Logging in NPS
To configure SQL Server logging in NPS using the Windows interface, perform the following tasks:
1. Open the Network Policy Server MMC snap-in.
2. In the console tree, click Accounting.
3. In the details pane, click Change SQL Server Logging Properties. The SQL Server Logging Properties dialog box opens.
4. In Log the following information, select the information that you want to log:
o To log all accounting requests, select Accounting requests.
o To log authentication requests, select Authentication requests.
o To log periodic status, such as interim accounting requests, select Periodic accounting status.
o To log periodic status, such as interim authentication requests, select Periodic authentication
status.
5. To configure the number of concurrent sessions that you want to allow between the NPS server and
the SQL Server database, type a number in Maximum number of concurrent sessions.
6. To configure the SQL Server data source, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following:
o To specify the server’s name on which the database is stored, type or select a name in Select or enter a server name.
o To specify the authentication method with which to sign in to the server, click Use Windows NT integrated security, or click Use a specific user name and password, and then type your credentials in User name and Password.
o To allow a blank password, select Blank password.
o To store the password, select Allow saving password.
o To specify to which database to connect on the computer that is running SQL Server, click Select the database on the server, and then select a database name from the list.
7. To test the connection between the NPS server and the computer that is running SQL Server, click Test Connection.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
Configuring NPS Events to Record in the Event Viewer
You can configure NPS event logging to record connection-request failure and success events in the Event Viewer system log.
Configuring NPS Event Logging
To configure NPS event logging by using the Windows interface, perform the following tasks:
1. Open the Network Policy Server (NPS) snap-in.
2. Right-click NPS (Local), and then click Properties.
3. On the General tab, select each of the following options, as required, and then click OK:
o Rejected authentication requests
o Successful authentication requests
Note: To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group.
Using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure
NPS to record.
NPS records connection-request failure events in the System and Security event logs by default.
Connection-request failure events consist of requests that NPS rejects or discards. Other NPS authentication events are recorded in the Event Viewer system log on the basis of settings that you specify in the NPS snap-in. Therefore, the Event Viewer security log might record some events containing sensitive data.
Connection-Request Failure Events
Although NPS records connection-request failure events by default, you can change the configuration according to your logging needs. NPS rejects or ignores connection requests for a variety of reasons, including the following:
• The RADIUS message is not formatted according to RFCs 2865 or 2866.
• The RADIUS client is unknown.
• The RADIUS client has multiple IP addresses and has sent the request on an address other than the one that you define in NPS.
• The message authenticator (also known as a digital signature) that the client sent is invalid because the shared secret is invalid.
• NPS was unable to locate the user name’s domain.
• NPS was unable to connect to the user name’s domain.
• NPS was unable to access the user account in the domain.
When NPS rejects a connection request, the information in the event text includes the user name, access
server identifiers, the authentication type, the name of the matching network policy, the reason for the
rejection, and other information.
Connection Request Success Events
Although NPS records connection request success events by default, you can change the configuration
according to your logging needs.
When NPS accepts a connection request, the information in the event text includes the user name, access
server identifiers, the authentication type, and the name of the first matching network policy.
Logging Schannel Events
Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security
protocols, such as SSL and TLS. These protocols provide identity authentication and secure, private
communication through encryption.
Logging of client-certificate validation failures is a secure channel event and is not enabled on the NPS
server, by default. You can enable additional secure channel events by changing the following registry key
value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
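As an added example that is not part of the handbook, the following PowerShell script sets the Schannel EventLogging value to 3 as described above and then reads back the NPS connection-request events and the Schannel events from Event Viewer, which is the check you would run after enabling event logging in the two procedures above. It assumes an elevated session on the NPS server; the Security-log event IDs 6272 (access granted) and 6273 (access denied) are the NPS audit events on Windows Server 2008 and later and are not taken from the page, and the function names and time windows are my own.

```powershell
# Added example, not part of the 20411B handbook: raise Schannel event logging from 1 to 3 and
# then review NPS connection-request events and Schannel events in Event Viewer.
# Assumptions: elevated PowerShell session on the NPS server; event IDs 6272/6273 are the NPS
# audit events in the Security log; the time windows and maximum counts are my choices.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelEventLogging {
    param([int]$Level = 3)   # 1 (0x00000001) is the default; 3 (0x00000003) adds the extra events
    $before = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value $Level -Type DWord
    [pscustomobject]@{ Key = $SchannelKey; Before = $before; After = $Level }
}

function Get-NpsAuthenticationEvent {
    param([int]$Hours = 24, [int]$MaxEvents = 200)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272, 6273                 # granted / denied
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result';  e = { if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' } } },
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SchannelEvent {
    param([int]$Hours = 24, [int]$MaxEvents = 100)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Set-SchannelEventLogging -Level 3
# A quick granted/denied count, then the Schannel errors that client-certificate failures produce
Get-NpsAuthenticationEvent | Group-Object Result | Select-Object Name, Count
Get-SchannelEvent | Format-Table -AutoSize
```

Reading the Security log requires administrative rights, and the Rejected and Successful authentication request options in the NPS snap-in must be selected for 6272 and 6273 to appear at all; the Schannel provider is where certificate validation failures on the TLS handshake surface once EventLogging is raised.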
Lab: Installing and Configuring a Network Policy Server
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT
office and data center is located in London, to support the London office and other locations. A. Datum
has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN
servers that are located at different points to provide connectivity for its employees. You are responsible
for performing the tasks necessary to support these VPN connections.
Objectives
After completing this lab, you will be able to:
• Install and configure NPS to support RADIUS.
• Configure and test a RADIUS client.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
• User name: Adatum\Administrator
• Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-RTR and 20411B-LON-CL2.
Exercise 1: Installing and Configuring NPS to Support RADIUS
Scenario
You have been tasked with installing an NPS into the existing infrastructure to be used for RADIUS
services. In this exercise, you will configure the RADIUS server with appropriate templates to help manage
any future implementations. You also need to configure Accounting to log authentication information to
a local text file on the server.
The main tasks for this exercise are as follows:
1. Install and configure the Network Policy Server.
2. Configure NPS Templates.
3. Configure RADIUS accounting.
Task 1: Install and configure the Network Policy Server
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Using Server Manager, install the Network Policy and Access Services role by using default values to complete the installation wizard.
4. Open the Network Policy Server console, and then register the server in Active Directory.
5. Leave the Network Policy Server console open.
Task 2: Configure NPS Templates
1. Create a new Shared Secrets template with the following properties:
o Name: Adatum Secret
o Shared secret: Pa$$w0rd
2. Create a new RADIUS Clients template with the following properties:
o Friendly name: LON-RTR
o Address (IP or DNS): LON-RTR
o Shared Secret: Use Adatum Secret template.
3. Leave the Network Policy Server console open.
Task 3: Configure RADIUS accounting
1. In the Network Policy Server console, launch the Accounting Configuration Wizard.
2. Choose the Log to a text file on the local computer option, and then use the default values to complete the wizard.
3. Leave the Network Policy Server console open.
Results: After this exercise, you should have enabled and configured NPS to support the required
environment.
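The following PowerShell script is an added example, not part of the lab: it is a scripted equivalent of Tasks 1 and 2 of this exercise, to run on LON-DC1 in an elevated session as Adatum\Administrator. It assumes the NPS module cmdlets New-NpsSharedSecretTemplate, New-NpsRadiusClient, Get-NpsRadiusClient and Export-NpsConfiguration shipped with Windows Server 2012, and the backup path is my choice; RADIUS accounting (Task 3) is still configured with the console wizard.

```powershell
# Added example, not part of the 20411B lab: scripted equivalent of Exercise 1, Tasks 1 and 2.
# Assumptions: run elevated on LON-DC1 as Adatum\Administrator; NPS module cmdlets from
# Windows Server 2012; the backup folder C:\Backup is my choice.

# Task 1: install the role and register the server in Active Directory. Registration needs
# Domain Admins rights because it adds the computer account to the RAS and IAS Servers group.
Install-WindowsFeature -Name NPAS -IncludeManagementTools
netsh nps add registeredserver

# Task 2: shared-secret template and RADIUS client. New-NpsRadiusClient takes the secret
# directly, so the template is created for reuse in the console rather than referenced here.
$Secret = 'Pa$$w0rd'   # single quotes: PowerShell must not expand $$ inside the secret
New-NpsSharedSecretTemplate -Name 'Adatum Secret' -SharedSecret $Secret
New-NpsRadiusClient -Name 'LON-RTR' -Address 'LON-RTR' -SharedSecret $Secret

# Verify, then keep a configuration backup. The export holds the shared secrets in clear text,
# so the folder must be readable only by administrators.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null
Export-NpsConfiguration -Path 'C:\Backup\nps-config.xml'
```

The lab's Exercise 2 creates the RADIUS client from the LON-RTR template in the console; the script above creates the client directly with the same name, address and secret, so after running it the client already exists and that console step can be skipped.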
Exercise 2: Configuring and Testing a RADIUS Client
Scenario
You need to configure a server as a VPN server and a RADIUS client, including the client configuration,
and then you need to modify the Network Policy settings.
The main tasks for this exercise are as follows:
1. Configure a RADIUS client.
2. Configure a network policy for RADIUS.
3. Test the RADIUS configuration.
Task 1: Configure a RADIUS client
1. Create a RADIUS Client by using the following properties:
o Template: LON-RTR
2. Leave the console open, and then switch to LON-RTR.
3. Log on as Adatum\Administrator with the password Pa$$w0rd.
4. Open Routing and Remote Access, and Disable Routing and Remote Access.
5. Select Configure and Enable Routing and Remote Access.
6. Reconfigure LON-RTR as a VPN Server:
o Local Area Connection 2 is the public interface
o The VPN server allocates addresses from the pool: 172.16.0.100 to 172.16.0.110
o The server is configured with the option Yes, setup this server to work with a RADIUS server.
o Primary RADIUS server: LON-DC1
o Secret: Pa$$w0rd
The VPN service starts.
Task 2: Configure a network policy for RADIUS
1. Switch to LON-DC1.
2. Switch to the Network Policy Server console.
3. Disable the two existing network policies. These would interfere with the processing of the policy that you are about to create.
4. Create a new Network Policy by using the following properties:
o Policy name: Adatum VPN Policy
o Type of network access server: Remote Access Server (VPN-Dial up)
o Condition: NAS Port Type = Virtual (VPN)
o Permission: Access granted
o Authentication methods: default
o Constraints: default
o Settings: default
Task 3: Test the RADIUS configuration
1. Switch to LON-CL2 and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Create a new VPN connection with the following properties:
o Internet address to connect to: 10.10.0.1
o Destination name: Adatum VPN
o Allow other people to use this connection: true
3. After you have created the VPN, modify its settings by viewing the properties of the connection, and then selecting the Security tab. Use the following settings to reconfigure the VPN:
o Type of VPN: Point to Point Protocol (PPTP)
o Authentication: Allow these protocols = Microsoft CHAP Version 2 (MS-CHAP v2)
4. Test the VPN connection. Use the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS
client.
To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Module Review and Takeaways
Review Questions
Question: How can you make the most effective use of the NPS logging features?
Question: What consideration must you follow if you choose to use a nonstandard port
assignment for RADIUS traffic?
Question: Why must you register the NPS server in Active Directory?
Tools
Tool: Network Policy Server
Use for: Managing and creating Network Policy
Where to find it: Network Policy Server on the Administrative Tools menu

Tool: Netsh command-line tool
Use for: Creating administrative scripts for configuring and managing the Network Policy Server role
Where to find it: In a Command Prompt window, type netsh –c nps to administer from a command prompt

Tool: Event Viewer
Use for: Viewing logged information from application, system, and security events
Where to find it: Event Viewer on the Administrative Tools menu
Module 9
Implementing Network Access Protection
Contents:
Module Overview 9-1
Lesson 1: Overview of Network Access Protection 9-2
Lesson 2: Overview of NAP Enforcement Processes 9-7
Lesson 3: Configuring NAP 9-14
Lesson 4: Monitoring and Troubleshooting NAP 9-19
Lab: Implementing NAP 9-23
Module Review and Takeaways 9-29
Module Overview
Your network is only as secure as the least-secure computer attached to it. Many programs and tools exist
to help you to secure your network-attached computers, such as antivirus or malware detection software.
However, if the software on some of your computers is not up to date, or not enabled or configured
correctly, then these computers continue to pose a security risk.
Computers that remain within the office environment and always connect to the same network are
relatively easy to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are less easy to control. For example, it is difficult to control laptop computers that
users use to connect to customer networks or public Wi-Fi hotspots. Furthermore, unmanaged computers
that are seeking to connect remotely to your network, such as users connecting from their home
computers, also pose a challenge.
Network Access Protection (NAP) enables you to create customized health-requirement policies to
validate computer health before allowing access or communication. Additionally, NAP updates compliant
computers automatically to ensure their ongoing compliance, and can limit the access of noncompliant
computers to a restricted network until they become compliant.
Objectives
After completing this module, you will be able to:
• Describe how NAP can help protect your network.
• Describe the various NAP enforcement processes.
• Configure NAP.
• Monitor and troubleshoot NAP.
Lesson 1
Overview of Network Access Protection
NAP is a policy-enforcement platform that is built into the Windows® 8, Windows 7, Windows Vista®,
Windows XP with Service Pack 3 (SP3), Windows Server® 2008, Windows Server 2008 R2, and Windows
Server 2012 operating systems. You can use NAP to protect network assets more strongly by enforcing compliance with system-health requirements. NAP provides the necessary software components to help
ensure that computers connected or connecting to your network remain manageable so they do not
become a security risk to your enterprise’s network and other attached computers.
Understanding the functionality and limitations of NAP will help you protect your network from the
security risks posed by noncompliant computers.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how you can use NAP to enforce computer health requirements.
• Describe the scenarios in which you would use NAP.
• Describe the NAP enforcement methods.
• Describe the architecture of a NAP–enabled network infrastructure.
What Is Network Access Protection?
NAP provides components and an application programming interface (API) that can help enforce compliance with your organization’s health-requirement policies for network access or communication.
NAP enables you to create solutions for validating computers that connect to your networks, and provide needed updates or access to requisite health-update resources. Additionally, NAP enables you to limit the access or communication of noncompliant computers.
You can integrate NAP’s enforcement features with software from other vendors or with custom programs.
It is important to remember that NAP does not protect a network from malicious users. Rather, it helps
you maintain the health of your organization’s networked computers automatically, which in turn helps maintain your network’s overall integrity. For example, if a computer has all of the software and
configuration settings that the health policy requires, the computer is compliant and will have unlimited
network access. However, NAP does not prevent an authorized user with a compliant computer from
uploading a malicious program to the network or engaging in other inappropriate behavior.
How to Use NAP
You can use NAP in three distinct ways:
• To validate the health state. When a computer attempts to connect to the network, NAP validates
the computer’s health state against the health-requirement policies that the administrator defines.
You also can define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated, and NAP logs the compliance state of each computer for analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies
could find their access limited to a restricted network.
• To enforce health-policy compliance. You can help ensure compliance with health-requirement
policies by choosing to update noncompliant computers automatically with missing software
updates or configuration changes through management software, such as Microsoft® System Center
Configuration Manager. In a monitoring-only environment, computers retain network access before they receive required updates or configuration changes. In a limited
access environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically and you can define exceptions for computers that are not NAP compatible.
• To limit network access. You can protect your networks by limiting the access of noncompliant
computers. You can base limited network access on a specific amount of time, or on what resources
that the noncompliant computer can access. In the latter case, you define a restricted network that
contains health update resources, and the limited access will last until the noncompliant computer
comes into compliance. You also can configure exceptions so that computers that are not compatible
with NAP do not have limited network access.
NAP Scenarios
NAP provides a solution for the common scenarios, such as roaming laptops, desktop computers, visiting laptops, and unmanaged computers. Depending on your needs, you can configure a solution to address any or all of these scenarios for your network.
Roaming Laptops
Portability and flexibility are two primary advantages of a laptop, but these features also present a system health threat. Users frequently connect their laptops to other networks. While users are away from your organization, their laptops might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the laptops. NAP allows you to check any laptop’s health state when it reconnects to the organization’s network, whether through a virtual private network (VPN), a Windows 8 DirectAccess connection, or the workplace network connection.
Desktop Computers
Although users typically do not take their desktop computers out of your company’s buildings, they still
can present a threat to your network. To minimize this threat, you must maintain these computers with
the most recent updates and required software. Otherwise, these computers are at risk of infection from
websites, email, files from shared folders, and other publicly accessible resources. You can use NAP to
automate health state checks to verify each desktop computer’s compliance with health-requirement
policies. You can check log files to determine which computers do not comply. Additionally, by using
management software, you can generate automatic reports and automatically update noncompliant
computers. When you change health-requirement policies, you can configure NAP to provision
computers automatically with the most recent updates.
Visiting Laptops
Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops that these visitors bring into your organization might not meet system
health requirements and can present health risks. NAP enables you to determine which visiting laptops
are noncompliant and limit their access to restricted networks. Typically, you would not require or provide
any updates or configuration changes for visiting laptops. You can configure Internet access for visiting
laptops, but not for other organizational computers that have limited access.
Unmanaged Home Computers
Unmanaged home computers that are not a member of the company’s Active Directory® domain
can connect to a managed company network through VPN. Unmanaged home computers provide an
additional challenge because you cannot physically access these computers. Lack of physical access makes
enforcing compliance with health requirements, such as the use of antivirus software, more difficult.
However, NAP enables you to verify the health state of a home computer every time it makes a VPN
connection to the company network, and to limit its access to a restricted network until it meets system
health requirements.
NAP Enforcement Methods
Components of the NAP infrastructure, known
as enforcement clients and enforcement servers,
require health-state validation, and enforce
limited network access for noncompliant
computers. Windows 8, Windows 7, Windows
Vista, Windows XP with SP3, Windows Server
2008, Windows Server 2008 R2, and Windows
Server 2012 include NAP support for the following
network-access or communication methods:
• IPsec-protected traffic. Internet Protocol security (IPsec) enforcement confines communication to compliant computers after they connect successfully and obtain a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.
• Institute of Electrical and Electronics Engineers (IEEE) 802.1X–authenticated network connections. IEEE
802.1X enforcement requires that a computer is compliant to obtain unlimited network access
through an IEEE 802.1X–authenticated network connection. Examples of this type of network
connection include an authenticating Ethernet switch or an IEEE 802.11 wireless access point (AP).
• Remote access VPN connections. VPN enforcement requires that a computer is compliant to obtain
unlimited network access through a remote access VPN connection. For noncompliant computers,
network access is limited through a set of IP packet filters that the VPN server applies to the VPN
connection.
• DirectAccess connections. DirectAccess connections require that a computer is compliant to obtain unlimited network access through a DirectAccess server. For noncompliant computers, network access is limited to the set of computers that are defined as infrastructure servers by using the infrastructure tunnel. Compliant computers can create the separate intranet tunnel that provides unlimited access to intranet resources. DirectAccess connections use IPsec enforcement.
• Dynamic Host Configuration Protocol (DHCP) address configurations. DHCP enforcement requires
that a computer is compliant to obtain an unlimited access Internet Protocol version 4 (IPv4) address
configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network.
These network access or communication methods, or NAP enforcement methods, are useful separately or
together for limiting noncompliant computer access or communication. A server that is running Network
Policy Server (NPS) in Windows Server 2012 acts as a health policy server for all of these NAP enforcement
methods.
NAP Platform Architecture
The following list describes the components of a NAP-enabled network infrastructure.
• NAP clients. Computers that support the NAP platform and that submit their system health state for validation before they obtain network access or communication.
• NAP enforcement points. Computers or network-access devices that use NAP, or that you can use with NAP, to require evaluation of a NAP client's health state and then provide restricted network access or communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to evaluate the health state of NAP clients, to decide whether to allow network access or communication, and to determine the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following:
o Health Registration Authority (HRA). A computer that runs Windows Server 2012 and Internet Information Services (IIS), and that obtains health certificates from a certification authority (CA) for compliant computers.
o VPN server. A computer that runs Windows Server 2012 and Routing and Remote Access, and that enables remote access VPN intranet connections.
o DHCP server. A computer that runs Windows Server 2012 and the DHCP Server service, and that provides automatic IPv4 address configuration to intranet DHCP clients.
o Network access devices. Ethernet switches or wireless access points that support IEEE 802.1X authentication.
• NAP health policy servers. Computers that run Windows Server 2012 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides.
NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on NAP enforcement points, based on Windows Server 2012, that do not have a built-in RADIUS client, such as an HRA or a DHCP server. In these configurations, however, the NPS service acts as a RADIUS proxy that exchanges RADIUS messages with a NAP health policy server.
• Health requirement servers. Computers that provide the current required system health state to NAP health policy servers. An example is a health requirement server for an antivirus program that tracks the latest version of the antivirus signature file.
• AD DS. The Windows directory service that stores account credentials and properties, and that stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
• 802.1X devices. An authenticating Ethernet switch or an IEEE 802.11 wireless AP.
• Restricted network. A separate logical or physical network that contains:
o Remediation servers. Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.
o NAP clients with limited access. Computers that are placed on the restricted network when they do not comply with health-requirement policies.
Lesson 2
Overview of NAP Enforcement Processes
When a client attempts to access or communicate on the network, it must present its system health state or proof-of-health compliance. If a client cannot prove that it is compliant with system-health requirements, such as that it has the latest operating system and antivirus updates installed, then you can limit its access to, or communication on, the network to a restricted network that contains remediation resources. You can restrict this access until the health-compliance issues are remedied. After the updates install, the client requests access to the network or attempts the communication again. If compliant, the client receives unlimited access to the network or the communication is allowed.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the general NAP enforcement processes.
• Discuss IPsec enforcement.
• Describe 802.1x enforcement.
• Explain VPN enforcement.
• Discuss DHCP enforcement.
NAP Enforcement Processes
Whatever form of NAP enforcement you select,
many of the client-server communications are
common. The following points summarize these
communications:
• Between a NAP client and an HRA
The NAP client sends its current system
health state to the HRA and requests a health
certificate. If the client is compliant, the HRA
sends a health certificate to the NAP client. If
the client is noncompliant, the HRA sends
remediation instructions to the client.
• Between a NAP client and a remediation server
Even when the NAP client has unlimited intranet access, it still contacts the remediation server so that it remains compliant. If the NAP client has limited access, it communicates with the remediation server to become compliant, based on instructions from the NAP health policy server.
• Between an HRA and a NAP health policy server
The HRA sends RADIUS messages that contain the NAP client's system health state to the NAP health policy server. The NAP health policy server replies with RADIUS messages to indicate that the NAP client has:
o Unlimited access because it is compliant. Based on this response, the HRA obtains a health certificate, and then sends it to the NAP client.
o Limited access until it performs a set of remediation functions. Based on this response, the HRA does not issue a health certificate to the NAP client.
• Between an 802.1X network access device and a NAP health-policy server
The 802.1X network access device sends RADIUS messages to transfer Protected Extensible
Authentication Protocol (PEAP) messages that are sent by an 802.1X NAP client. The NAP health
policy server sends RADIUS messages to:
o Indicate that the 802.1X client has unlimited access because it is compliant.
o Indicate a limited access profile to place the 802.1X client on the restricted network until it
performs a set of remediation functions.
o Send PEAP messages to the 802.1X client.
• Between a VPN server and a NAP health policy server
The VPN server sends RADIUS messages to transfer PEAP messages that are sent by a VPN-based
NAP client. The NAP health policy server sends RADIUS messages to:
o Indicate that the VPN client has unlimited access because it is compliant.
o Indicate that the VPN client has limited access through a set of IP packet filters that are applied to the VPN connection.
o Send PEAP messages to the VPN client.
• Between a DHCP server and a NAP health policy server
The DHCP server sends the NAP health policy server RADIUS messages that contain the DHCP client’s
system health state. The NAP health policy server sends RADIUS messages to the DHCP server to
indicate that the DHCP client has:
o Unlimited access because it is compliant.
o Limited access until it performs a set of remediation functions.
• Between a NAP health policy server and a health requirement server
When performing network access validation for a NAP client, the NAP health policy server might have to contact a health requirement server to obtain information about the current requirements for system health.
Communication Based on the Type of Enforcement
Depending upon the type of enforcement selected, the following communication occurs:
• Between a NAP client and an 802.1X network access device
The NAP client performs authentication of the 802.1X connection, and then provides its current
system health state to the NAP health policy server.
The NAP health policy server provides either remediation instructions (because the 802.1X client is
noncompliant) or indicates that the 802.1X client has unlimited network access.
NAP routes these messages through the 802.1X network access device.
• Between a NAP client and a VPN server
The NAP client that acts as a VPN client indicates its current system health state to the NAP health
policy server.
The NAP health policy server responds with messages to provide either remediation instructions
(because the VPN client is noncompliant), or to indicate that the VPN client has unlimited intranet
access.
NAP routes these messages through the VPN server.
• Between a NAP client and a DHCP server
The NAP client, also the DHCP client, communicates with the DHCP server to obtain a valid IPv4
address configuration and to indicate its current system health state.
The DHCP server allocates an IPv4 address configuration for the restricted network, and then provides
remediation instructions (if the DHCP client is noncompliant), or it allocates an IPv4 address
configuration for unlimited access (if the DHCP client is compliant).
IPsec Enforcement
With IPsec enforcement, a computer must be
compliant to initiate communications with other
compliant computers. Because IPsec-based
NAP enforcement uses IPsec, you can define
requirements for protected communications
with compliant computers based on one of the
following communications characteristics:
• IP address
• Transmission Control Protocol (TCP) port number
• User Datagram Protocol (UDP) port number
IPsec enforcement restricts communication to compliant computers after they have connected
successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of
limited network access or communication in NAP.
The components of IPsec enforcement consist of an HRA that is running Windows Server 2012 and an
IPsec enforcement client in one of the following operating systems:
• Windows XP Service Pack 3
• Windows Vista
• Windows 7
• Windows 8
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
The HRA obtains X.509 certificates for NAP clients when the clients prove that they are compliant. These
health certificates then authenticate NAP clients when they initiate IPsec-protected communications with
other NAP clients on an intranet.
IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming
communication attempts sent from computers that cannot negotiate IPsec protection by using health
certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point,
each individual computer performs IPsec enforcement. Because you can take advantage of IPsec policy
settings, the enforcement of health certificates can be done for any of the following:
• All computers in a domain
• Specific computers on a subnet
• A specific computer
• A specific set of TCP or UDP ports
• A set of TCP or UDP ports on a specific computer
Considerations for IPsec enforcement
When selecting an IPsec NAP enforcement method, consider the following points:
• IPsec enforcement is more complex to implement than other enforcement methods, because it requires an HRA and a CA.
• No additional hardware is required to implement IPsec enforcement. There is no need to upgrade switches or wireless access points (WAPs), which you would have to do if you select 802.1X enforcement.
• You can implement IPsec enforcement in any environment.
• IPsec enforcement is very secure and difficult to circumvent, because each computer enforces it and a noncompliant computer cannot present a valid health certificate.
• You can configure IPsec to encrypt communication for additional security.
• IPsec enforcement applies to both IPv4 and IPv6 communication.
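The check a practitioner wants first when IPsec enforcement cuts a client off is whether the client actually holds a current health certificate. The following PowerShell is an added example and is not part of the course; it looks in the local computer store for certificates with the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1), reports their validity, and then shows the enforcement client table so that you can confirm the IPsec Relying Party client is enabled. The enforcement client ID quoted in the comments is an assumption to confirm against the netsh output on your build.

```powershell
# Added example (not from the course): inspect the local computer store for a NAP
# health certificate. A health certificate carries the System Health Authentication
# EKU (OID 1.3.6.1.4.1.311.47.1.1). The HRA issues it with a short lifetime, so an
# expired or missing certificate is the usual reason a client is dropped by compliant peers.
$healthEku = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $healthEku }
        }
}

$certs = @(Get-NapHealthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No health certificate present: peers that require one will drop this host.'
} else {
    foreach ($c in $certs) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        '{0}  issuer={1}  expires={2:u}  {3}' -f $c.Thumbprint, $c.Issuer, $c.NotAfter, $state
    }
}

# The IPsec Relying Party enforcement client requests the certificate from the HRA.
# Its ID (79619) is assumed; confirm it in this output, where Admin must read Enabled.
netsh nap client show state
```

Run it elevated on the client that cannot reach compliant peers; a missing or expired certificate points at the HRA or CA, whereas a valid certificate with the enforcement client disabled points at the client configuration.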
802.1x Enforcement
With 802.1X enforcement, a computer must
be compliant to obtain unlimited network
access through an 802.1X-authenticated network
connection, such as to an authenticating Ethernet
switch or an IEEE 802.11 wireless AP.
For noncompliant computers, network access is
limited through a restricted access profile that
the Ethernet switch or wireless AP places on the
connection. The restricted access profile can
specify either IP packet filters, or a virtual local area
network (VLAN) identifier (ID) that corresponds to
the restricted network. 802.1X enforcement imposes
health policy requirements every time a computer attempts an 802.1X-authenticated network connection.
802.1X enforcement also monitors the health status of the connected NAP client actively, and then applies
the restricted access profile to the connection if the client becomes noncompliant.
The components of 802.1X enforcement consist of NPS in Windows Server 2012 and an EAP Host enforcement client in Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. 802.1X enforcement provides strong limited network access for all computers that access the network through an 802.1X-authenticated connection.
To implement 802.1X enforcement, you must ensure that the network switches or wireless APs support
802.1X authentication. The switches or wireless APs then act as an enforcement point for NAP clients. The
health status of the client is sent as part of the authentication process.
When a computer is noncompliant, the switch places the computer on a separate VLAN or uses packet
filters to restrict access to only remediation servers.
Considerations for 802.1X enforcement
When considering the 802.1X NAP enforcement method, consider the following points:
• The switch or wireless AP that connects with the client enforces noncompliant computer isolation. This makes it very difficult to circumvent, and therefore very secure.
• Use 802.1X enforcement for internal computers. This type of enforcement is appropriate for local area network (LAN) computers with both wired and wireless connections.
• You cannot use 802.1X enforcement if your switches and wireless APs do not support the use of 802.1X for authentication.
VPN Enforcement
VPN enforcement imposes health-policy
requirements every time that a computer
attempts to obtain a remote access VPN
connection to the network. VPN enforcement
also actively monitors the health status of the
NAP client, and applies the restricted network’s
IP packet filters to the VPN connection if the client
becomes noncompliant.
The components of a VPN enforcement consist
of NPS in Windows Server 2012 and a VPN
enforcement client that is part of the remote
access client in:
• Windows 8
• Windows 7
• Windows Vista
• Windows XP SP3
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
VPN enforcement provides strong limited network access for all computers that access the network
through a remote access VPN connection. VPN enforcement uses a set of remote-access IP packet filters
to limit VPN client traffic, so that it can reach only the resources on the restricted network. The VPN server
applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all
packets that do not correspond to a configured packet filter.
Considerations for VPN enforcement
When considering the VPN NAP enforcement method, consider the following points:
• VPN enforcement is best suited in situations in which you are using VPN already. It is unlikely that
you will implement VPN connections on an internal network to use VPN enforcement.
• Use VPN enforcement to ensure that staff members connecting from home computers are not
introducing malware to your network. Users often do not maintain their home computers correctly,
and they can represent a high risk. Many users do not have antivirus software, or do not apply
Windows updates regularly.
• Use VPN enforcement to ensure that roaming laptops are not introducing malware to your network.
Roaming laptops are more susceptible to malware than computers directly on the corporate network,
because they may be unable to download virus updates and Windows updates from outside the
corporate network. They also are more likely to be in environments where malware is present.
DHCP Enforcement
DHCP enforces health-policy requirements
every time that a DHCP client attempts to lease
or renew an IP address configuration. DHCP
enforcement also actively monitors the NAP
client’s health status and, if the client becomes
noncompliant, renews the IPv4 address
configuration for access only to the restricted
network.
The components of DHCP enforcement consist
of a DHCP Enforcement service that is part of the
DHCP Server service in Windows Server 2012 and
a DHCP enforcement client that is part of the
DHCP Client service in:
• Windows 8
• Windows 7
• Windows Vista
• Windows XP SP3
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
Because DHCP enforcement relies on a limited IPv4 address configuration that a user who has
administrator-level access can override, it is the weakest form of limited network access in NAP.
DHCP address configuration limits network access for the DHCP client through its IPv4 routing table.
DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not
have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4
address to 255.255.255.255 so that there is no route to the attached subnet.
To allow the noncompliant computer to access the restricted network’s remediation servers, the DHCP
server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted
network’s computers, such as the Domain Name System (DNS) and remediation servers. The result of
DHCP limited network access is a configuration and routing table that allows connectivity only to specific
destination addresses that correspond to the restricted network. Therefore, when an application attempts
to send to a unicast IPv4 address other than those supplied by the Classless Static Routes option, the
TCP/IP protocol returns a routing error.
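The restricted configuration described above leaves a recognizable footprint on the client: a DHCP-assigned address with a 255.255.255.255 mask, no default gateway, and a handful of /32 host routes from the Classless Static Routes option. The following PowerShell is an added example, not course material, that reads those three signs from the local IPv4 configuration and reports whether the client is currently quarantined and which destinations it can still reach. The interface alias Ethernet is an assumption.

```powershell
# Added example (not from the course): detect the NAP-restricted state that DHCP
# enforcement produces and list the host routes installed by DHCP option 121.
# Interface alias is an assumption; adjust it for the machine under test.
$alias = 'Ethernet'

function Test-NapDhcpRestricted {
    param([string]$InterfaceAlias)

    $addr = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
    if (-not $addr) {
        return [pscustomobject]@{ Restricted = $false; Reason = 'No DHCP-assigned IPv4 address' }
    }

    # Restricted clients receive mask 255.255.255.255 (/32) and router option 0.0.0.0,
    # so there is neither an on-link subnet route nor a usable default gateway.
    $noSubnetRoute = ($addr.PrefixLength -eq 32)
    $defaultRoute  = Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
                        -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $noGateway     = (-not $defaultRoute) -or ($defaultRoute.NextHop -eq '0.0.0.0')

    # Everything that remains reachable arrives as a /32 host route with a next hop
    # (the Classless Static Routes option); on-link /32 entries have next hop 0.0.0.0.
    $hostRoutes = Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' } |
        Select-Object DestinationPrefix, NextHop

    [pscustomobject]@{
        Restricted   = ($noSubnetRoute -and $noGateway)
        Address      = "$($addr.IPAddress)/$($addr.PrefixLength)"
        DefaultGw    = $(if ($defaultRoute) { $defaultRoute.NextHop } else { 'none' })
        ReachableVia = $hostRoutes
        Reason       = ''
    }
}

Test-NapDhcpRestricted -InterfaceAlias $alias | Format-List
```

Because a local administrator can defeat this by assigning a static address or adding routes, treat the output as a description of what DHCP handed out, not as proof that the client is contained; the same script run against a client that shows a /32 address but extra non-DHCP routes is a sign that someone has worked around the restriction.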
Considerations for DHCP enforcement
When considering the DHCP NAP enforcement method, consider the following points:
• DHCP enforcement is easy to implement, and can apply to any computer with a dynamic IP address.
• DHCP enforcement is easy to circumvent. A client can circumvent DHCP enforcement by using a
static IP address. Additionally, a noncompliant computer could add static host routes to reach servers
that are not remediation servers.
• DHCP enforcement is not possible for IPv6 clients. If computers on your network use IPv6 addresses
to communicate, DHCP enforcement is ineffective.
Lesson 3
Configuring NAP
If you want your NAP deployment to work optimally, it is important that you understand what each of the NAP components does, and how they interact to protect your network. If you want to protect your network by using NAP, you need to understand the configuration requirements for the NAP client, as well as how to configure NPS as a NAP health policy server, configure health policies and network policies, and configure the client and server settings. It also is important to test NAP before using it.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe System Health Validators (SHVs).
• Explain the use of a health policy.
• Discuss the use of remediation server groups.
• Describe the NAP client-configuration requirements.
• Explain how to enable and configure NAP.
What Are System Health Validators?
System Health Agents (SHAs) and System Health Validators (SHVs) are NAP infrastructure components that provide health-state status and validation. Windows 8 includes a Windows Security Health Agent (SHA) that monitors the Windows Security Center settings, and Windows Server 2012 includes the corresponding Windows Security Health Validator (SHV).
The design of NAP makes it very flexible and
extensible, and it can interoperate with any
vendor’s software that provides SHAs and
SHVs that use the NAP API. An SHV receives a
statement of health (SoH), and then compares the system health-status information in the SoH with the
required system health state. For example, if the SoH is from an antivirus SHA, and it contains the last
version number for the virus-signature file, then the corresponding antivirus SHV can check with the
antivirus health requirement server for the latest version number to validate the NAP client’s SoH.
The SHV returns a SoH response (SoHR) to the NAP Administration Server. The SoHR can contain
remediation information about how the corresponding SHA on the NAP client can meet current system-
health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client’s
antivirus SHA to request the latest version, by name or IP address, of the antivirus signature file from a
specific antivirus signature server.
What Is a Health Policy?
Health policies consist of one or more SHVs and
other settings that you can use to define client-
computer configuration requirements for the
NAP-capable computers that attempt to connect
to your network.
When NAP-capable clients attempt to connect
to the network, the client computer sends a
SoH to the NPS. The SoH is a report of the client
configuration state, and NPS compares the SoH to
the requirements that the health policy defines. If
the client configuration state does not match the
requirements that the health policy defines, then
depending on the NAP configuration, NAP:
• Rejects the connection request.
• Places the NAP client on a restricted network, where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance and resubmits its new health state, NPS enables it to connect.
• Allows the NAP client to connect to the network despite its noncompliance with health policy.
You can define NPS client-health policies by adding one or more SHVs to the health policy.
After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition
of a network policy that you want to use to enforce NAP, when client computers attempt connection to
your network.
What Are Remediation Server Groups?
A remediation server group is a list of restricted
network servers that provide resources that
bring noncompliant NAP-capable clients into
compliance with your defined client health policy.
A remediation server hosts the updates that a
NAP agent can use to bring noncompliant client
computers into compliance with health policy, as
NPS defines. For example, a remediation server
can host antivirus signatures. If a health policy requires that client computers have the latest antivirus definitions, then the following work together to update noncompliant computers:
• An antivirus SHA
• An antivirus SHV
• An antivirus policy server
• The remediation server
NAP Client Configuration
Remember these basic guidelines when you
configure NAP clients:
• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. Security Center is not included with Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
• You must enable the Network Access
Protection Client service when you deploy
NAP to NAP-capable client computers.
• You must configure the appropriate NAP
enforcement clients on the NAP-capable computers.
Enable Security Center in Group Policy
You can use the following procedure to enable Security Center on NAP-capable clients by using Group Policy. Some NAP deployments that use Windows Security Health Validator require Security Center.
Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.
To enable Security Center in Group Policy:
1. Open the Local Group Policy Editor. (To apply the setting to many domain computers, edit the appropriate Group Policy Object in the Group Policy Management console instead; the remaining path is the same under Computer Configuration.)
2. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.
3. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Enable the Network Access Protection Service on Clients
You can use the Enable the Network Access Protection Service on Clients procedure to enable and
configure NAP service on NAP-capable client computers. When you deploy NAP, enabling this service is
required.
Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.
To enable the Network Access Protection service on client computers:
1. Open Control Panel, click System and Security, click Administrative Tools, and then double-click Services.
2. In the services list, scroll down to, and double-click, Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK.
Enable and Disable NAP Enforcement Clients
You can use the Enable and Disable NAP Enforcement Clients procedure to enable or disable one or more
NAP enforcement clients on NAP-capable computers. These clients can include:
• DHCP Enforcement Client
• Remote Access Enforcement Client
• EAP Enforcement Client
• IPsec Enforcement Client (also used for DirectAccess connections)
• Terminal Services Gateway (TS Gateway) Enforcement Client
To enable and disable NAP Enforcement Clients:
1. Open the NAP Client Configuration console (NAPCLCFG.MSC).
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.
Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider performing this procedure by using the Run as command.
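The three client-side guidelines in this topic (Security Center policy, the NAP Agent service, and the enforcement clients) can be applied from an elevated PowerShell prompt instead of the consoles, which is what you want when preparing many clients or a lab image. The script below is an added example and is not part of the course. The registry value it writes is the one behind the Turn on Security Center (Domain PCs only) policy, and the enforcement client IDs (79617 DHCP Quarantine, 79623 EAP Quarantine, 79619 IPsec Relying Party) are assumptions taken from the netsh nap client show state output; confirm both on your build before relying on them.

```powershell
# Added example (not from the course): apply the NAP client guidelines from an
# elevated prompt. Registry path and enforcement client IDs are assumptions to verify.

# 1. "Turn on Security Center (Domain PCs only)": the policy writes this DWORD, so
#    setting it directly mirrors the local Group Policy step.
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scKey -Force | Out-Null
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# 2. The Network Access Protection Agent service (napagent) must start automatically.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Enable only the enforcement client you have deployed; leave the others disabled
#    so that the client does not quarantine itself for a method that is not in use.
$enforcement = @{ 79617 = 'ENABLE'; 79623 = 'DISABLE'; 79619 = 'DISABLE' }
foreach ($id in $enforcement.Keys) {
    netsh nap client set enforcement "ID=$id" "ADMIN=$($enforcement[$id])" | Out-Null
}

# Verify: service state plus the enforcement client table netsh maintains.
Get-Service -Name napagent | Select-Object Name, Status, StartType
netsh nap client show state
```

On a domain, deliver the same settings through a GPO (the Security Center setting, the service startup type under Computer Configuration, and the NAP Client Configuration node under Windows Settings) rather than running the script per machine; the script is useful for the lab client and for checking what a GPO actually produced.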
Demonstration: Configuring NAP
This demonstration shows how to:
• Install the NPS server role.
• Configure NPS as a NAP health policy server.
• Configure health policies.
• Configure network policies for compliant computers.
• Configure network policies for noncompliant computers.
• Configure the DHCP server role for NAP.
• Configure client NAP settings.
• Test NAP.
Demonstration Steps
Install the NPS server role
1. Switch to LON-DC1, and sign in as a domain administrator.
2. Open Server Manager, and then install the Network Policy and Access Services role.
Configure NPS as a NAP health policy server
1. Open the Network Policy Server console.
2. Configure the Windows Security Health Validator to require that all Windows 8 computers are running a firewall.
Configure health policies
1. Create a health policy called Compliant in which the condition is that Client passes all SHV checks.
2. Create another health policy called Noncompliant in which the condition is that Client fails one or
more SHV checks.
Configure network policies for compliant computers
1. Disable the two existing network policies. These would interfere with the processing of the policies
you are about to create.
2. Create a new network policy called Compliant-Full-Access that has a condition of the Compliant
health policy. Computers are granted unrestricted access.
Configure network policies for noncompliant computers
• Create a new network policy called Noncompliant-Restricted that has a condition of the
Noncompliant health policy. Computers are granted restricted access.
Configure the DHCP server role for NAP
1. Open the DHCP console.
2. Modify the properties of the IPv4 scope to support Network Access Protection.
3. Create a new DHCP policy that allocates appropriate DHCP scope options to noncompliant
computers. These options assign a DNS suffix of restricted.Adatum.com.
Configure client NAP settings
1. Enable the DHCP Quarantine Enforcement Client on LON-CL1.
2. Start the Network Access Protection Agent service.
3. Use the local Group Policy Management console to enable the Security Center.
4. Reconfigure LON-CL1 to obtain an IP address from a DHCP server.
Test NAP
1. Verify the obtained configuration by using ipconfig.
2. Disable and stop the Windows Firewall service.
3. In the System Tray area, click the Network Access Protection pop-up warning. Review the
information in the Network Access Protection dialog box. Click Close.
4. Verify the obtained configuration by using ipconfig.
5. Notice that the computer has a subnet mask of 255.255.255.255 and a DNS Suffix of
restricted.Adatum.com. Leave all windows open.
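The DHCP and client steps of the demonstration above, done from Windows PowerShell instead of the DHCP console and napclcfg.msc, as an added example that is not part of the course material. It assumes the DhcpServer module of Windows Server 2012 on LON-DC1, a scope ID of 172.16.0.0 (the demonstration does not state the scope), a policy name of NAP Noncompliant, 172.16.0.10 as the DNS server handed to restricted clients, and WinRM access to LON-CL1 for the client part; 79617 is the ID that netsh nap client show state lists for the DHCP Quarantine Enforcement Client.

```powershell
# Added example (not course material): DHCP NAP enforcement from PowerShell.
# Assumptions: DhcpServer module on LON-DC1, scope 172.16.0.0, WinRM to LON-CL1.
$ScopeId    = '172.16.0.0'                 # assumed scope ID
$PolicyName = 'NAP Noncompliant'           # assumed policy name
$Suffix     = 'restricted.Adatum.com'      # suffix named in the demonstration
$DnsServer  = '172.16.0.10'                # assumed remediation/DNS server

# Step "Modify the properties of the IPv4 scope to support NAP": turn NAP on for the scope.
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

# Step "Create a new DHCP policy ... to noncompliant computers": DHCP recognises clients
# that NPS placed in the restricted network by the built-in NAP user class.
Add-DhcpServerv4Policy -Name $PolicyName -ScopeId $ScopeId -Condition OR `
    -UserClass EQ,'Default Network Access Protection Class'

# Options delivered only to clients matching that policy: the restricted DNS suffix
# (option 15) and the DNS server they may still reach. -Force skips DNS validation.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName `
    -DnsDomain $Suffix -DnsServer $DnsServer -Force

# Check the server side before touching the client.
Get-DhcpServerv4Scope -ScopeId $ScopeId
Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName

# Steps "Configure client NAP settings" on LON-CL1: enable the DHCP Quarantine
# Enforcement Client, start the NAP Agent, renew the lease and read the result.
Invoke-Command -ComputerName 'LON-CL1' -ScriptBlock {
    netsh nap client set enforcement id=79617 state=enable | Out-Null
    Set-Service -Name NapAgent -StartupType Automatic
    Start-Service -Name NapAgent
    ipconfig /renew | Out-Null
    # Compliant clients show "Not Restricted"; a restricted lease carries the
    # 255.255.255.255 mask and the restricted.Adatum.com suffix, as the test step says.
    ipconfig /all | Select-String 'Quarantine State', 'Subnet Mask', 'DNS Suffix'
}
```

Run the server part as a DHCP administrator on LON-DC1; the Invoke-Command part needs an account that is a local administrator on LON-CL1. Turning off the firewall on the client and re-running the last block reproduces the Test NAP step without the GUI.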
Lesson 4
Monitoring and Troubleshooting NAP
Troubleshooting and monitoring NAP is an important administrative task because each NAP enforcement
method involves different technologies, each with its own prerequisites and required expertise. Trace logs are
available for NAP, but are disabled by default. These logs serve two purposes: troubleshooting and evaluating a network’s health and security.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how NAP tracing can help monitor and troubleshoot NAP.
• Explain how to configure NAP Tracing.
• Troubleshoot NAP with Netsh.
• Use the NAP event log to troubleshoot NAP.
What Is NAP Tracing?
Aside from the preceding general guidelines, you can use the NAP Client Configuration console to
configure NAP tracing. Tracing records NAP events in a log file, and is useful for troubleshooting and
maintenance. Additionally, you can use tracing logs to evaluate your network’s health and security. You
can configure three levels of tracing: Basic, Advanced, and Debug. Enable NAP tracing when:
• Troubleshooting NAP problems.
• Evaluating the overall health and security of your organization’s computers.
In addition to trace logging, you can view NPS accounting logs. These logs could contain useful NAP
information. By default, NPS accounting logs are located in %systemroot%\system32\logfiles.
The following logs might contain NAP-related information:
• IASNAP.LOG. This contains detailed data about NAP processes, NPS authentication, and NPS
authorization.
• IASSAM.LOG. This contains detailed data about user authentication and authorization.
Demonstration: Configuring NAP Tracing
Two tools are available for configuring NAP tracing. The NAP Client Configuration console is part of the
Windows user interface, and netsh is a command-line tool.
Using the Windows User Interface
You can use the Windows user interface to enable or disable NAP tracing and to specify the level of
recorded detail by performing the following steps:
1. Open the NAP Client Configuration console by running napclcfg.msc.
2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click Properties.
3. In the NAP Client Configuration (Local Computer) Properties dialog box, select Enabled or
Disabled.
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.
4. If Enabled is chosen, under Specify the level of detail at which the tracing logs are written, select
Basic, Advanced, or Debug.
Using a Command-Line Tool
To use a command-line tool to enable or disable NAP tracing and specify the level of recorded detail,
perform the following steps:
1. Open an elevated command prompt.
2. To enable or disable NAP tracing, do one of the following:
o To enable NAP tracing and configure for basic or advanced logging, type: netsh nap client set
tracing state=enable level=[advanced or basic]
o To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable
level=verbose
o To disable NAP tracing, type: netsh nap client set tracing state=disable
Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.
Viewing Log Files
To view the log files, navigate to the %systemroot%\tracing\nap directory, and then open the particular
trace log that you want to view.
Demonstration
This demonstration shows how to:
• Configure tracing from the GUI.
• Configure tracing from the command line.
Demonstration Steps
Configure tracing from the GUI
1. On LON-CL1, open the NAPCLCFG – [NAP Client Configuration (Local Computer)] console.
2. From the NAP Client Configuration (Local Computer) properties, enable Advanced tracing.
Configure tracing from the command line
• At the command prompt, type netsh nap client set tracing state=enable, and then press Enter.
Troubleshooting NAP
You can use the following tools to troubleshoot NAP.
Netsh Commands
Use the netsh NAP command to help troubleshoot NAP issues. The following command displays the
status of a NAP client, including the following:
• Restriction state
• Status of enforcement clients
• Status of installed SHAs
• Trusted server groups that have been configured
netsh NAP client show state
The following command displays the local configuration settings on a NAP client, including:
• Cryptographic settings
• Enforcement client settings
• Settings for trusted server groups
• Client tracing settings that have been configured
netsh NAP client show config
The following command displays the Group Policy configuration settings on a NAP client, including:
• Cryptographic settings
• Enforcement client settings
• Settings for trusted server groups
• Client tracing settings that have been configured
netsh NAP client show group
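The tracing commands from the previous topic and the three netsh NAP client show commands above, combined into one collection routine as an added example that is not part of the course material. It assumes an elevated Windows PowerShell session on the NAP client and uses a scratch folder under %TEMP% (an assumption); the trace log location and all netsh syntax are the ones this lesson gives, and the "System Quarantine State" line is the ipconfig /all field the lab has you check.

```powershell
# Added example (not course material): gather NAP client diagnostics in one go.
# Assumes an elevated session on the NAP client; output folder is an assumption.
function Collect-NapClientDiagnostics {
    param([string]$OutDir = (Join-Path $env:TEMP 'nap-diag'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Enable advanced tracing for the duration of the collection (lesson syntax).
    netsh nap client set tracing state=enable level=advanced | Out-Null

    # The three views from this topic: runtime state, local config, Group Policy config.
    foreach ($view in 'state', 'config', 'group') {
        netsh nap client show $view |
            Out-File -FilePath (Join-Path $OutDir "nap-client-$view.txt")
    }

    # Quarantine state as the client itself reports it in ipconfig /all.
    ipconfig /all | Select-String 'System Quarantine State' |
        Out-File -FilePath (Join-Path $OutDir 'quarantine-state.txt')

    # Copy the trace logs written under %systemroot%\tracing\nap.
    $traceDir = Join-Path $env:SystemRoot 'tracing\nap'
    if (Test-Path $traceDir) {
        Copy-Item -Path (Join-Path $traceDir '*') -Destination $OutDir -Force
    }

    # Turn tracing off again so the logs do not keep growing unattended.
    netsh nap client set tracing state=disable | Out-Null

    # Return the collected files so the caller can zip or review them.
    Get-ChildItem -Path $OutDir
}

# Usage: run elevated, then open nap-client-state.txt first; it shows the
# restriction state, enforcement clients and SHAs in one place.
Collect-NapClientDiagnostics
```

Keep the state view from before and after a policy change side by side: a client that was "Not restricted" and is now restricted, with the DHCP or EAP enforcement client enabled, tells you whether the client side or the NPS policy side needs attention.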
Troubleshooting NAP with Event Logs
NAP services record NAP-related events into the Windows event logs. To view these events, open
Event Viewer, select Custom Views, select Server Roles, and then select Network Policy and
Access Services. The following events provide information about NAP services that are running
on an NPS server:
• Event ID 6272. Network Policy Server granted access to a user.
Occurs when a NAP client authenticates successfully, and, depending on its health state, obtains full
or restricted access to the network.
• Event ID 6273. Network Policy Server denied access to a user.
Occurs when an authentication or authorization problem arises, which is associated with a reason
code.
• Event ID 6274. Network Policy Server discarded the request for a user.
Occurs when a configuration problem arises, or if the RADIUS client settings are incorrect or NPS
cannot create accounting logs.
• Event ID 6276. Network Policy Server quarantined a user.
Occurs when the client access request matches a network policy that is configured with a NAP
enforcement setting of Allow limited access.
• Event ID 6277. Network Policy Server granted access to a user, but put it on probation because the
host did not meet the defined health policy.
Occurs when the client access request matches a network policy that is configured with a NAP
enforcement setting of Allow full network access for a limited time when the date specified in
the policy has passed.
• Event ID 6278. Network Policy Server granted full access to a user because the host met the defined
health policy.
Occurs when the client access request matches a network policy that is configured with a NAP
enforcement setting of Allow full network access.
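A Windows PowerShell query over the event IDs listed above, as an added example that is not part of the course material. NPS writes these events to the Security log under the Network Policy Server audit subcategory, which is what the Event Viewer custom view reads; the meaning attached to each ID is taken from the list above. The regular expression that pulls the reason code out of a 6273 message is an assumption about that message's text layout, and the NPS server name and time window are parameters you supply.

```powershell
# Added example (not course material): summarise NPS/NAP access events.
# Assumes the Security log on the NPS server and, for remote use, WinRM access.
function Get-NapAccessSummary {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME   # e.g. LON-RTR in the lab
    )
    # Event IDs and their meaning, as described in this topic.
    $meaning = @{
        6272 = 'Access granted'
        6273 = 'Access denied (see reason code)'
        6274 = 'Request discarded (configuration or RADIUS client problem)'
        6276 = 'Quarantined: Allow limited access'
        6277 = 'Probation: full access for a limited time'
        6278 = 'Full access: host met the health policy'
    }
    $filter = @{
        LogName   = 'Security'
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    # Count per ID: a rise in 6273/6274 points at policy or RADIUS client problems,
    # a rise in 6276 means more clients are landing in the restricted network.
    $summary = $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{
            Id      = [int]$_.Name
            Meaning = $meaning[[int]$_.Name]
            Count   = $_.Count
        }
    }

    # For denials, extract the reason code NPS embeds in the message text
    # (regex is an assumption about the "Reason Code:" line of the 6273 event).
    $denials = $events | Where-Object { $_.Id -eq 6273 } | ForEach-Object {
        if ($_.Message -match 'Reason Code:\s*(\d+)') {
            [pscustomobject]@{ Time = $_.TimeCreated; ReasonCode = [int]$Matches[1] }
        }
    }

    [pscustomobject]@{ Summary = $summary; Denials = $denials }
}

# Usage: last 24 hours on the local NPS server.
$result = Get-NapAccessSummary -Hours 24
$result.Summary | Format-Table -AutoSize
$result.Denials | Group-Object ReasonCode | Select-Object Name, Count
```

Reading the Security log requires an account with the Event Log Readers or local Administrators membership on the NPS server; if the summary comes back empty, confirm that the Audit Network Policy Server subcategory is enabled for success and failure.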
Lab: Implementing NAP
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT
office and data center in London support head office and other locations. A. Datum has recently deployed
a Windows Server 2012 server and client infrastructure.
To meet increased security and compliance requirements, A. Datum is required to extend its VPN
solution to include NAP. You need to establish a way to verify and, if required, automatically bring client
computers into compliance whenever they connect remotely by using the VPN connection. You will
accomplish this goal by using NPS to create system health validation settings and network and health
policies, and by configuring NAP to verify and remediate client health.
Objectives
After completing this lab, you will be able to:
• Configure NAP components.
• Configure VPN access.
• Configure the client settings to support NAP.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-CL2 and 20411B-LON-RTR.
Exercise 1: Configuring NAP Components
Scenario
As the first step in implementing compliance and security, you should configure NAP components, such as
certificate requirements, health and network policies, and connection-request policies.
The main tasks for this exercise are as follows:
1. Configure server and client certificate requirements.
2. Configure health policies.
3. Configure network policies.
4. Configure connection request policies for VPN.
Task 1: Configure server and client certificate requirements
1. Switch to the LON-DC1 virtual server.
2. Open the Certification Authority tool.
3. In the Certificate Templates Console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Restart the Certification Authority.
6. Close the Certification Authority tool.
Task 2: Configure health policies
1. Switch to the LON-RTR computer.
2. Create a management console by running mmc.exe.
3. Add the Certificates snap-in with the focus on the local computer account.
4. Navigate to the Personal certificate store and Request New Certificate.
5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and
then click Next.
6. Enroll the Computer certificate that is listed.
7. Close the console, and do not save the console settings.
8. Using Server Manager, install the NPS Server with the following role services:
o Network Policy Server
9. Open the Network Policy Server console.
10. Under Network Access Protection, open the Default Configuration for the Windows Security
Health Validator.
11. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except A firewall is
enabled for all network connections.
12. Create a health policy with the following settings:
o Name: Compliant
o Client SHV checks: Client passes all SHV checks
o SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
o Name: Noncompliant
o Client SHV checks: Client fails one or more SHV checks
o SHVs used in this health policy: Windows Security Health Validator
Task 3: Configure network policies
1. Disable all existing network policies.
2. Configure a new network policy with the following settings:
o Name: Compliant-Full-Access
o Conditions: Health Policies, Compliant
o Access permissions: Access granted
o Settings: NAP Enforcement, Allow full network access
3. Configure a new network policy with the following settings:
o Name: Noncompliant-Restricted
o Conditions: Health Policies, Noncompliant
o Access permissions: Access granted
o Settings: NAP Enforcement, Allow limited access is selected and Enable auto-remediation of
client computers is not selected.
o IP Filters: IPv4 input filter
   Destination network: 172.16.0.10/255.255.255.255
   IPv4 output filter:
   Source network: 172.16.0.10/255.255.255.255
Task 4: Configure connection request policies for VPN
1. Disable existing connection request policies.
2. Create a new Connection Request Policy with the following settings:
o Policy name: VPN connections
o Type of network access server: Remote Access Server (VPN-Dial up)
o Conditions, Tunnel type: L2TP, SSTP, and PPTP
o Authenticate requests on this server: Enabled
o On the Specify Authentication Methods page, perform the following:
a. Select Override network policy authentication settings.
b. Add Microsoft: Protected EAP (PEAP).
c. Add Microsoft: Secured password (EAP-MSCHAP v2).
d. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection
is enabled.
Results: After this exercise, you should have installed and configured the required NAP components,
created the health and network policies, and created the connection request policies.
Exercise 2: Configuring VPN Access
Scenario
After configuring NAP, you will configure a VPN server, and then enable the PING protocol through the
firewall for testing purposes.
The main tasks for this exercise are as follows:
1. Configure a VPN server.
2. Allow PING for testing purposes.
Task 1: Configure a VPN server
1. On LON-RTR, open Routing and Remote Access.
2. Disable Routing and Remote Access.
3. Select Configure and Enable Routing and Remote Access.
4. Use the following settings to complete configuration:
a. Select Remote access (dial-up or VPN).
b. Select the VPN check box.
c. Select the interface called Public, and clear the Enable security on the selected interface by
setting up static packet filters check box.
d. Under IP Address Assignment, From a specified range of addresses: 172.16.0.100 to
172.16.0.110
e. Complete the process by accepting defaults when you receive a prompt, and by clicking OK to
confirm any messages.
5. In the Network Policy Server, click the Connection Request Policies node, and verify that the
Microsoft Routing and Remote Access Service Policy is disabled. This was created automatically
when Routing and Remote Access was enabled.
6. Close the Network Policy Server management console, and then close the Routing and Remote
Access console.
Task 2: Allow PING for testing purposes
1. On LON-RTR, open Windows Firewall with Advanced Security.
2. Create an inbound rule with the following properties:
o Type: Custom
o All programs
o Protocol type: Choose ICMPv4 and then click Customize
o Specific ICMP types: Echo Request
o Default scope
o Action: Allow the connection
o Default profile
o Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.
Results: After this exercise, you should have created a VPN server and configured inbound
communications.
Exercise 3: Configuring the Client Settings to Support NAP
Scenario
In this exercise, you will enable a client VPN to connect to the Adatum network. You then will enable and
configure the required client-side NAP components.
The main tasks for this exercise are as follows:
1. Enable a client NAP enforcement method.
2. Establish a VPN connection.
Task 1: Enable a client NAP enforcement method
1. Switch to the LON-CL2 computer.
2. Run the NAP Client Configuration tool (napclcfg.msc).
3. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
4. Close the NAP Client Configuration tool.
5. Run services.msc, and then configure the Network Access Protection Agent service for automatic
startup.
6. Start the service.
7. Close the services console.
8. Open the Local Group Policy Editor (gpedit.msc), and then enable the Local Computer Policy
/Computer Configuration/Administrative Templates/Windows Components
/Security Center/Turn on Security Center (Domain PCs only) setting.
9. Close the Local Group Policy Editor.
Task 2: Establish a VPN connection
1. On LON-CL2, create a new VPN connection with the following properties:
o Internet address to connect to: 10.10.0.1
o Destination name: Adatum VPN
o Allow other people to use this connection: Enable
2. After you have created the VPN, modify its settings by viewing the properties of the connection, and
then selecting the Security tab. Use the following settings to reconfigure the VPN:
o Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled)
o Properties of this authentication type:
   Validate server certificate: Enable
   Connect to these servers: Disable
   Authentication method: Secured password (EAP-MSCHAP v2)
   Enable Fast Reconnect: Disable
   Enforce Network Access Protection: Enable
3. Test the VPN connection:
o In the Network Connections window, connect the Adatum VPN connection.
o View the details of the Windows Security Alert. Verify that the correct certificate information is
displayed, and then click Connect.
4. At the command prompt, run ipconfig /all to verify that the System Quarantine State is Not Restricted.
5. Ping 172.16.0.10.
6. Disconnect the Adatum VPN.
7. Switch to LON-RTR.
8. Open Network Policy Server.
9. In the Default Configuration of the Windows Security Health Validator, enable the Restrict access for
clients that do not have all available security updates installed option on the Windows
8/Windows 7/Windows Vista page.
10. Switch back to LON-CL2, and then reconnect the VPN.
11. Run the ipconfig /all command to verify that the System Quarantine State is Restricted.
12. Disconnect the VPN.
Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have
enabled and tested NAP on LON-CL2.
To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Module Review and Takeaways
Review Questions
Question: What are the three main client configurations that you need to configure for most
NAP deployments?
Question: You want to evaluate the overall health and security of the NAP enforced
network. What do you need to do to start recording NAP events?
Question: On a client computer, what steps must you perform to ensure that its health is
assessed?
Tools
Tool Use For Where to find it
Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative
Tools, and then double-click Services.
Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure a set of NAP settings automatically, and display
the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh –c nap. You
can type help to get a full list of available commands.
Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center
is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer
Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy.
Module 10
Optimizing File Services
Contents:
Module Overview 10-1
Lesson 1: Overview of FSRM 10-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 10-7
Lesson 3: Implementing Classification and File Management Tasks 10-16
Lab A: Configuring Quotas and File Screening Using FSRM 10-22
Lesson 4: Overview of DFS 10-26
Lesson 5: Configuring DFS Namespaces 10-33
Lesson 6: Configuring and Troubleshooting DFS-R 10-37
Lab B: Implementing DFS 10-41
Module Review and Takeaways 10-45
Module Overview
The files on your servers are constantly changing with content being added, removed, and modified.
The Windows Server® 2012 File and Storage Services server role is designed to help administrators in an
enterprise environment manage the continually growing and changing amount of data. When storage
requirements change and the data being stored changes as well, you need to manage an increasingly
large and complex storage infrastructure. Therefore, to meet the needs of your organization, you need
to understand and control how the existing storage resources are used.
This module introduces you to File Server Resource Manager (FSRM) and Distributed File System (DFS),
two technologies that you can use to address and manage these issues.
Objectives
After completing this module, you will be able to:
• Describe FSRM.
• Use FSRM to manage quotas, file screens, and storage reports.
• Implement classification and file management tasks.
• Describe DFS.
• Configure DFS namespaces.
• Configure and troubleshoot DFS Replication.
Lesson 1
Overview of FSRM
FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data
stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders,
generate comprehensive storage reports, control the file classification infrastructure, and use file
management tasks to perform scheduled actions on sets of files. These tools help you monitor existing
storage resources, and aid in planning and implementing future policy changes.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe common capacity management challenges.
• Describe the features available within FSRM.
• Explain how to install and configure the FSRM role service.
Understanding Capacity Management Challenges
Capacity management is a proactive process of determining the current and future capacity needs for
your enterprise's storage environment. As the size and complexity of the data increases, the need for
capacity management also increases.
To effectively meet the storage needs of your organization, you need to track how much storage
capacity is available, how much storage space you need for future expansion, and how you are using the
environment’s storage.
Key Capacity Management Challenges
Capacity management brings with it the following key challenges:
• Determining existing storage use. To manage your storage environment and ensure that you can
perform the simplest capacity management task, you need to understand your environment’s current
storage requirements. Knowing how much data is being stored on your servers, what types of data are
being stored, and how that data is currently being used is the benchmark for measuring the various
aspects of capacity management in your environment.
• Establishing and enforcing storage use policies. Capacity management includes ensuring that your
storage environment is being used to its full potential. Managing growth is important to ensure that
your storage environment is not overwhelmed by unplanned or unauthorized data storage on your
servers. Modern media data such as audio, video, and graphic files consume a large amount of
storage space and, if left unchecked, the unauthorized storage of these types of files can consume
the storage space that is required for legitimate business use.
• Anticipating future requirements. Storage requirements are constantly changing. New projects and
new organizational initiatives require increased storage. New applications and imported data require
additional storage. If you are not able to anticipate or prepare for events like these, your storage
environment may not be able to meet the storage requirements.
Addressing Capacity Management Challenges
To address these key challenges, you need to implement basic capacity management measures to
proactively manage the storage environment and prevent challenges from becoming problems. The
following is a list of capacity management measures that you can use to proactively manage your storage
environment:
• Analyze how storage is being used. The first step in capacity management is analyzing the current
storage environment. Accurate analysis begins with proper tools that provide usable and organized
information regarding the current state of your storage environment.
• Define storage resource management policies. A robust set of policies is necessary to maintain
the current storage environment and ensure that storage growth happens in a manageable and
predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is
stored in the right location, and ensuring that users have the required storage are a few of the key
areas your capacity management policies may address.
• Implement policies to manage storage growth. After implementing capacity management policies,
you need to have an effective tool to ensure that the policies that are established are technically
enforced. Quotas that are placed on a user’s data storage must be maintained, restricted files must be
prevented from being saved, and business files must be stored in the proper locations.
• Implement a system for reporting and monitoring. Establish a reporting and notification system to
inform you of how policies are enforced. These reports should be in addition to reports regarding the
general state of your capacity management system and data storage situation.
Question: What capacity management challenges have you experienced or are you
experiencing in your environment?
What Is FSRM?
FSRM is a role service of the File Services role in Windows Server 2012. You can install it as part of
the File Services role by using Server Manager. Then, you can use the FSRM console to manage FSRM on
your server. FSRM is intended to act as a capacity management solution for your Windows Server 2012
server. It provides a robust set of tools and capabilities that allow you to effectively manage and monitor
your server’s storage capacity.
FSRM contains five components that work together to provide a capacity management solution.
Quota Management
Quota management is a component that allows you to create, manage, and obtain information about
quotas that are used to set storage limits on volumes or folders (and its contents). By defining notification
thresholds, you can send email notifications, log an event, run a command or script, or generate reports
when users approach or exceed a quota. Quota management also allows you to create and manage quota
templates to simplify the quota management process.
File Screening Management
File screening management is a component that allows you to create, manage, and obtain information
about file screens. You can use file screens to prevent specific file types from being stored on a
volume or folder, or to notify you when users are storing these types of files. When users attempt to
save unauthorized files, file screening can block the process and notify the administrators to allow for
proactive management.
Like quota management, file screening management allows you to create and manage file screen
templates to simplify file screening management. You can also create file groups that allow you to
manage which file types may be blocked or allowed.
Storage Reports Management
Storage reports management is a component that allows you to schedule and configure storage reports.
These reports provide information regarding the components and aspects of FSRM including:
• Quota usage.
• File screening activity.
• Files that may negatively affect capacity management, such as large files, duplicate files, or unused
files.
• List and filter files according to owner, file group, or a specific file property.
Note: Storage reports can be run based on a schedule, or you can generate them on
demand.
Classification Management
Classification Management is a component that allows you to create and manage classification properties
that you can then assign to files. You can assign property values to files by using classification rules, which
can be applied on demand or based on a schedule. Classification allows you to categorize and manage files
by using a wide array of properties to identify and group your files.
File Management Tasks
With the file management tasks component, you can schedule and configure specific tasks, which can
automate the application or expiration of custom commands, allowing for automated file management
procedures. File management tasks leverage the capabilities of classification management to allow you to
delete old files or move files to a specific location based on a file property (file name or file type).
Note: Volumes that FSRM manages must be formatted by using the NTFS file system. FSRM
is included with Windows Server 2003 Service Pack 1 (SP1) and newer.
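The quota, file screening and storage report components described above, driven with the FileServerResourceManager cmdlets that ship with Windows Server 2012, as an added example that is not part of the course material. The share path, template and file group names, limit sizes and mail addresses are assumptions; the bracketed tokens such as [Quota Path] are FSRM's own notification variables, and the e-mail actions only deliver once an SMTP server has been set in the FSRM options.

```powershell
# Added example (not course material): quota template, auto-apply quota, active
# file screen and an on-demand storage report with the FSRM cmdlets.
# Assumptions: Windows Server 2012 FSRM role service; path, names, sizes, addresses.
Import-Module FileServerResourceManager

$SharePath = 'E:\Shares\Users'      # assumed folder holding one subfolder per user

# Notification actions. E-mail reaches the user and the admin; the event entry
# makes the threshold visible to monitoring as well.
$mailWarn = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email];[Admin Email]' `
    -Subject 'Quota warning on [Quota Path]' `
    -Body 'You have used [Quota Used Percent]% of the [Quota Limit MB] MB limit.'
$eventFull = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] reached [Quota Used Percent]% of the quota on [Quota Path].'

# Quota template: hard 5 GB limit (no -SoftLimit), warn at 85 %, log at 100 %.
$thr85  = New-FsrmQuotaThreshold -Percentage 85  -Action @($mailWarn)
$thr100 = New-FsrmQuotaThreshold -Percentage 100 -Action @($mailWarn, $eventFull)
New-FsrmQuotaTemplate -Name 'Users 5GB Hard' -Size 5GB -Threshold @($thr85, $thr100) | Out-Null

# Auto-apply quota: every existing and future subfolder of the share gets its own 5 GB.
New-FsrmAutoQuota -Path $SharePath -Template 'Users 5GB Hard' | Out-Null

# File screen: a file group for media files, blocked (active screen) with a notification.
New-FsrmFileGroup -Name 'Media Files' -IncludePattern @('*.mp3', '*.mp4', '*.avi', '*.mkv') | Out-Null
$screenMail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Blocked file on [File Screen Path]' `
    -Body '[Source Io Owner] attempted to save [Source File Path].'
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Media Files' -Active `
    -Notification @($screenMail) | Out-Null

# Storage report generated now (-Interactive): large and duplicate files under the share.
New-FsrmStorageReport -Name 'Users capacity check' -Namespace @($SharePath) `
    -ReportType @('LargeFiles', 'DuplicateFiles') -Interactive | Out-Null

# Review what was created.
Get-FsrmQuotaTemplate -Name 'Users 5GB Hard'
Get-FsrmAutoQuota -Path $SharePath
Get-FsrmFileScreen -Path $SharePath
```

Leaving out -Active on New-FsrmFileScreen turns the screen into a passive one, which only notifies; that is the usual first step when you want to measure how many media files users actually save before you start blocking them.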
Demonstration: How to Install and Configure FSRM
You can install FSRM in Windows Server 2012 by adding the FSRM role service within the File and Storage
Services role.
FSRM has several configuration options that apply globally to all FSRM components.
You can access these options by using the following steps:
1. Open the File Server Resource Manager console.
2. In the left pane, right-click the root File Server Resource Manager node, and then click Configure
Options.
FSRM Options
In the File Server Resource Manager Options properties dialog box, several tabs allow you to configure
various aspects of FSRM. The following tabs are available on the File Server Resource Manager Options
properties dialog box:
• Email Notifications tab. This tab allows you to provide the name or address of an SMTP server,
along with other details that FSRM will use to send email notifications.
• Notification Limits tab. Notification limits allow you to specify a time period that FSRM will wait
between sending notifications to avoid excessive notifications from a repeatedly exceeded quota or
unauthorized file detection. It allows you to set separate values for email notifications, entries recorded
to the event log, commands being run, or reports being generated. The default value for each is 60
minutes.
• Storage Reports tab. This tab allows you to configure and view the default parameters for any existing
storage reports.
• Report Locations tab. This tab allows you to view and modify the location in which the following
three different types of storage reports are stored: incident reports, scheduled reports, and on-demand
reports. By default, each category is stored in its own folder under %systemdrive%\Storage
Reports.
Note: If FSRM generates a large number of storage reports, you may want to relocate the
storage report folders to another physical volume to decrease disk input/output (I/O) load on
your system volume. You may also want to change the location if the size of your storage reports
causes a capacity issue on your system volume.
• File Screen Audit tab. On this tab, a single check box allows you to enable or disable the recording of file screening activity to the auditing database. You can view the resulting file screening activity when you run the File Screening Audit report from Storage Reports Management.
• Automatic Classification tab. This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab, you can specify which logs to generate, and if and how to generate a report of the classification process.
• Access-Denied Assistance tab. This tab enables you to provide a customized message when FSRM prevents a file-level operation as a result of a quota management or file screening management restriction.
Managing FSRM
Management of a server running FSRM typically happens locally, through the FSRM Microsoft® Management Console (MMC) snap-in. However, there are other options available for managing a server running FSRM.
Managing FSRM by using Windows PowerShell
Windows PowerShell® 3.0 contains new cmdlets for managing FSRM that extend management capabilities
to all aspects of FSRM. The FileServerResourceManager module for Windows PowerShell is installed on a
Windows Server 2012 computer automatically, when you install the FSRM role service.
The Windows PowerShell 3.0 cmdlets replace the functionality previously supplied by the FSRM command-line executables dirquota.exe, filescrn.exe, and storrpt.exe. While these executables are still present in Windows Server 2012, they have been deprecated and will be removed in a future version of Windows Server. Therefore, you should create any management solutions involving command-line tasks by using the Windows PowerShell cmdlets.
To see a complete list of available FSRM cmdlets, run the following command from a Windows PowerShell command-line interface:
Get-Command -Module FileServerResourceManager
Managing FSRM Remotely
You can connect remotely to another server that is running FSRM by using the FSRM console. From there,
you manage FSRM in the same way that you manage resources on your local computer.
To manage FSRM remotely by using the FSRM console:
• Ensure that both servers are running Windows Server 2008 R2 or newer, and have FSRM installed.
• Enable the Remote File Server Resource Manager Management exception from within Windows®
Firewall manually, either through the Control Panel, or by using Group Policy.
• Allow Remote Procedure Call (RPC) traffic through any firewalls between the two servers.
• Sign in to the local computer with an account that is a member of the local Administrators group on
the remote computer.
You also can run the FSRM Windows PowerShell cmdlets remotely by using Windows PowerShell remoting capabilities.
In this demonstration, you will see how to:
• Install the FSRM role service.
• Specify FSRM configuration options.
• Manage FSRM by using Windows PowerShell.
Demonstration Steps
Install the FSRM role service
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Server Manager.
3. Install the File Server Resource Manager role service within the File and Storage Services role.
Specify FSRM configuration options
1. Open the File Server Resource Manager console.
2. Open the File Server Resource Manager Options window for the local instance of File Server Resource Manager.
3. Enable file screen auditing.
Manage FSRM by using Windows PowerShell
• From a Windows PowerShell command prompt, run the following command:
Set-FSRMSetting -SMTPServer "server1" -AdminEmailAddress "[email protected]" -FromEmailAddress "[email protected]"
Lesson 2
Using FSRM to Manage Quotas, File Screens, and Storage Reports
Data is the core component of your server infrastructure. Under most circumstances, the server infrastructure provides the data that is contained in the files on the server to your users or applications. Whether files are added to your servers by users or applications, quota management can help you ensure that users and applications use only the amounts of space allotted to them. File screens in FSRM can help you to control the file types that can be stored within your file and storage infrastructure, and storage reports enable you to provide detailed reporting on quota management, file screening, and several other aspects of FSRM functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe quota management.
• Describe quota templates.
• Explain how to monitor quota usage.
• Describe file screening management.
• Describe file groups.
• Describe file screen templates and file screen exceptions.
• Describe storage reports.
• Describe a report task.
• Explain how to use FSRM to manage quotas, file screens, and generate storage reports.
What Is Quota Management?
In FSRM, quota management allows you to limit the disk space that is allocated to a volume or folder. The quota limit applies to the entire folder subtree.
Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quota to ensure that individual users do not consume excessive amounts of storage with their home drives, or to limit the amount of space consumed by multimedia files in a particular folder.
Quota Types
You can create two different types of quotas within quota management:
• A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the volume of data reaches each configured threshold.
• A soft quota does not enforce the quota limit, but it generates configured notifications.
Quota Notifications
To determine what happens when the quota limit approaches, you configure notification thresholds. For
each threshold that you define, you can send email notifications, log an event, run a command or script,
or generate storage reports. For example, you might want to notify the administrator and the user when
a folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is
reached. In some cases, you might want to run a script that raises the quota limit automatically when a
threshold is reached.
Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template
to create additional quotas, and it simplifies ongoing quota maintenance.
FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a
quota template to a parent volume or folder. Then, a quota that is based on the template is created for
each of the existing subfolders, and a quota is generated automatically for each new subfolder that is
created. You can also create quotas using the Windows PowerShell cmdlet, New-FSRMQuota.
What Are Quota Templates?
FSRM quota templates give you flexibility in creating, using, and managing templates for quotas. A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be generated when the quota limit is approached or exceeded.
Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply a standard storage limit and a standard set of notification thresholds to many volumes and folders on servers throughout your organization.
Template-Based Quota Updating
If you base your quotas on a template, you can update all quotas that are based on the template by
editing that template. This feature simplifies the process of updating quota properties by providing a
central point where IT administrators can make all changes.
For example, you can create a User Quota template that you use to place a 200 megabyte (MB) limit on the personal folder of each user. For each user, you would then create a quota based on the User Quota template, and then assign it to the user’s folder. If you decide later to allow each user additional space on the server, you only change the space limit in the User Quota template, and then choose to update each quota that is based on that quota template.
Quota Template Examples
FSRM provides several quota templates. For example:
• You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal
folder of each user, and then send storage reports to users who exceed the quota.
• For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a
one-time 50 MB quota extension to users who exceed the 200 MB quota limit.
• Other default templates are designed for monitoring disk usage through soft quotas, such as the
Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use
these templates, users can exceed the quota limit, but email and event log notifications are generated
when they do so.
Monitoring Quota Usage
In addition to the information in the notifications sent by quotas, you can find out about quota usage in a variety of ways. You can view the quotas in quota management within the FSRM console, generate a Quota Usage report, or create soft quotas for monitoring the overall disk usage. You can also use a Windows PowerShell cmdlet.
Quota Usage Report
Use the Quota Usage report to identify quotas that may soon be reached or exceeded, so that you can take the appropriate action. Generating a Quota Usage report will be covered in greater detail in the Managing Storage Reports lesson.
Templates for Monitoring Disk Usage
To monitor the overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the following default templates that you can use (or adapt) for this purpose:
• Monitor 200 GB Volume Usage
• Monitor 500 MB Share
Windows PowerShell
You can use the Get-FSRMQuota cmdlet to view FSRM quotas that exist on the server, along with the statistics for each quota.
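As an added example (not part of the handbook), the following Windows PowerShell script ties the quota topics of this lesson together: it builds a hard quota template with 85 and 100 percent notification thresholds, auto-applies it to a home-folder root, and then uses Get-FSRMQuota to report each quota's usage as a percentage of its limit. The path E:\Home and the template name 'Home Folder 200 MB' are assumptions; SMTP settings are assumed to be configured already with Set-FSRMSetting.

```powershell
# Added example, not from the handbook. Assumes E:\Home holds one subfolder per
# user and that Set-FsrmSetting has already configured an SMTP server.
Import-Module FileServerResourceManager

# Threshold at 85 percent: email the administrator and the file owner.
# The bracketed tokens are FSRM notification variables expanded at send time.
$warnMail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning: [Quota Path]' `
    -Body 'You have used [Quota Used Percent]% of the [Quota Limit MB] MB limit on [Quota Path].'
$at85 = New-FsrmQuotaThreshold -Percentage 85 -Action $warnMail

# Threshold at 100 percent: write a Warning to the event log so monitoring
# or a SIEM picks it up even if mail is delayed.
$logEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota limit reached on [Quota Path] by [Source Io Owner].'
$at100 = New-FsrmQuotaThreshold -Percentage 100 -Action $logEvent

# Hard 200 MB template. Add -SoftLimit to make a monitoring-only (soft) template.
$template = New-FsrmQuotaTemplate -Name 'Home Folder 200 MB' -Size 200MB `
    -Threshold @($at85, $at100)

# Auto-apply quota: every existing and future subfolder of E:\Home receives
# its own quota derived from the template.
New-FsrmAutoQuota -Path 'E:\Home' -Template $template.Name

# Monitoring: Get-FsrmQuota exposes Size and Usage in bytes. Compute the
# percentage and flag anything at or above the warning threshold.
function Get-QuotaUsageReport {
    param([int]$WarnAtPercent = 85)
    Get-FsrmQuota | ForEach-Object {
        $pct = if ($_.Size -gt 0) { [math]::Round(100 * $_.Usage / $_.Size, 1) } else { 0 }
        [pscustomobject]@{
            Path        = $_.Path
            LimitMB     = [math]::Round($_.Size / 1MB)
            UsedMB      = [math]::Round($_.Usage / 1MB)
            UsedPercent = $pct
            Soft        = $_.SoftLimit
            OverWarn    = ($pct -ge $WarnAtPercent)
        }
    } | Sort-Object UsedPercent -Descending
}

Get-QuotaUsageReport | Format-Table -AutoSize
```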
What Is File Screening Management?
File Screening Management allows you to create file screens to block types of files from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the types of files that file screens manage. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server. As with all components of FSRM, you can choose to generate email or other notifications when a file screening event occurs.
File Screen Types
You can configure a file screen as either active or passive:
• Active screening prevents users from saving unauthorized file types on the server, and generates configured notifications when they attempt to do so.
• Passive screening sends configured notifications to users who are saving specific file types, but it does not prevent users from saving those files.
File Screening Management Considerations
To simplify file screen management, you can base your file screens on file screen templates, which will be
covered later in this lesson.
For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have
created a file screen. When you place a file screen exception on a subfolder, you allow users to save file
types there that would otherwise be blocked by the file screen applied to the parent folder. You can also
create file screens in Windows PowerShell by using the New-FSRMFileScreen cmdlet.
Note: A file screen does not prevent users and applications from accessing files that were saved to the path before the file screen was created, regardless of whether the files are members of blocked file groups.
What Are File Groups?
Before you begin working with file screens, you must understand the role of file groups in determining which files are screened. You use a file group to define a namespace for a file screen or a file screen exception, or to generate a Files by File Group storage report.
File Group Characteristics
A file group consists of a set of file name patterns, which are grouped as files to include and files to exclude:
• Files to include: Files to which the file group applies.
• Files to exclude: Files to which the file group does not apply.
For example, an Audio Files file group might include the following file name patterns:
• Files to include: *.mp*. Includes all audio files created in the current and future MPEG formats (MP2, MP3, and so forth).
• Files to exclude: *.mpp. Excludes files created in Microsoft Project (.mpp files), which would otherwise be included by the *.mp* inclusion rule.
FSRM provides several default file groups, which you can view in File Screening Management by clicking
the File Groups node. You can define additional file groups or change the files to include and exclude.
Any change that you make to a file group affects all existing file screens, templates, and reports to which
the file group has been added.
Note: For convenience, you can modify file groups when you edit the properties of a file
screen, file screen exception, file screen template, or the Files by File Group report. Note that any
changes that you make to a file group from these property sheets affect all items that use that
file group.
What Are File Screen Templates and File Screen Exceptions?
You use file screen templates and file screen exceptions to expand the capabilities of file screening management in FSRM.
File Screen Templates
To simplify file screen management, you can create your file screens based on file screen templates. A file screen template defines the following:
• File groups to block
• Screening types to perform
• Notifications to be generated
You can configure two screening types in a file screen template. Active screening does not allow users to
save any files related to the selected file groups that you configure with the template. Passive screening
allows users to save files, but provides notifications for monitoring.
FSRM provides several default file screen templates, which you can use to block audio and video files,
executable files, image files, and email files, to meet common administrative needs. To view the default
templates, in the File Server Resource Manager console tree, click the File Screen Templates node.
By creating file screens exclusively from templates, you can centrally manage your file screens by updating the templates instead of individual file screens.
Note: You create file screens from file screen templates, just as you create quotas from
quota templates.
File Screen Exceptions
Occasionally, you need to allow exceptions to file screening. For example, you might want to block
video files from a file server, but you need to allow your training group to save video files for their
computer-based training. To allow files that other file screens are blocking, create a file screen exception.
A file screen exception is a special type of file screen that overrides any file screening that would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it creates an exception to any rules derived from a parent folder. You assign file groups to the exception to determine which file types it will allow.
You create file screen exceptions by choosing Create File Screen Exception from the File Screens node under File Screening Management in FSRM.
Note: File screen exceptions always override file screens with conflicting settings. Therefore,
you must plan and implement file screen exceptions carefully.
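As an added example (not part of the handbook), the following Windows PowerShell script implements the file group, file screen template, file screen, and file screen exception described in the preceding topics, using the Audio Files pattern (*.mp* minus *.mpp) from the file groups topic. The paths E:\Shares\Users and E:\Shares\Users\Training and the names 'Audio Files (custom)' and 'Block Audio (custom)' are assumptions.

```powershell
# Added example, not from the handbook. Assumes E:\Shares\Users is the screened
# root and E:\Shares\Users\Training is the subfolder that may hold audio.
Import-Module FileServerResourceManager

# File group: include patterns define the namespace, exclude patterns trim it
# (here *.mpp, Microsoft Project files, which *.mp* would otherwise catch).
$group = New-FsrmFileGroup -Name 'Audio Files (custom)' `
    -IncludePattern '*.mp*' `
    -ExcludePattern '*.mpp'

# Notifications for a screening event: tell the user, and log for the admins.
# Bracketed tokens are FSRM file screen variables expanded when the event fires.
$mail = New-FsrmAction -Type Email `
    -MailTo '[Source Io Owner Email]' `
    -Subject 'File blocked on [File Screen Path]' `
    -Body 'Saving [Source File Path] is not allowed here. Blocked file group: [Violated File Group].'
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] attempted to save [Source File Path] to [File Screen Path].'

# Template. -Active blocks the save; leave it out for passive screening
# (notifications only), which is the low-risk way to trial a screen on a
# share that already has data on it.
$template = New-FsrmFileScreenTemplate -Name 'Block Audio (custom)' `
    -IncludeGroup $group.Name `
    -Active `
    -Notification @($mail, $event)

# File screen derived from the template; it covers every subfolder of the path.
New-FsrmFileScreen -Path 'E:\Shares\Users' -Template $template.Name

# Exception: the Training subfolder may hold files from this group despite
# the parent screen. Exceptions always win, so keep their scope narrow.
New-FsrmFileScreenException -Path 'E:\Shares\Users\Training' -IncludeGroup $group.Name

# Review what is in effect.
Get-FsrmFileScreen -Path 'E:\Shares\Users' |
    Select-Object Path, Active, IncludeGroup, Template
Get-FsrmFileScreenException -Path 'E:\Shares\Users\Training' |
    Select-Object Path, IncludeGroup
```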
What Are Storage Reports?
FSRM can generate reports, called storage reports, that help you understand file usage on your storage server. You can use storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant files, track quota usage, and audit file screening.
From the Storage Reports Management node, you can create report tasks, which you then use to schedule one or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports, current data is gathered before the report is generated. Reports can also be generated automatically to notify you when a user exceeds a quota threshold or saves an unauthorized file.
Storage Report Types
The following table describes each storage report that is available.
Report: Description
Duplicate Files: This report lists files that appear to be duplicates (files with the same size and last modified time). Use this report to identify and reclaim disk space that is wasted due to duplicate files. This is the only report that is not configurable.
File Screening Audit: This report lists file screening events that have occurred on the server for a specific number of days. Use this report to identify users or applications that violate screening policies.
Files by File Group: This report lists files that belong to specific file groups. Use this report to identify file group usage patterns and file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.
Files by Owner: This report lists files that are grouped by file owners. Use this report to analyze usage patterns on the server, and to identify users who use large amounts of disk space.
Files by Property: This report lists files by the values of a particular classification property. Use this report to observe file classification usage patterns.
Folders by Property: This report lists folders by the value of a particular secure classification property. Use this report to observe folder classification patterns.
Large Files: This report lists files that are of a specific size or larger. Use this report to identify files that are consuming the most disk space on the server. This can help you quickly reclaim large quantities of disk space.
Least Recently Accessed Files: This report lists files that have not been accessed for a specific number of days. This can help you identify seldom-used data that can be archived and removed from the server.
Most Recently Accessed Files: This report lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that must be kept highly available.
Quota Usage: This report lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that you can take appropriate action.
Configuring Report Parameters
Except for the Duplicate Files report, all reports have configurable report parameters that determine
the content in the report. Parameters vary with the type of report. For some reports, you can use report
parameters to select the volumes and folders on which to report, set a minimum file size to include, or
restrict a report to files owned by specific users.
Saving Reports
Regardless of how you generate a report, or whether you choose to view the report immediately, the
report is saved on the disk. Incident reports are saved in the Dynamic HTML (DHTML) format. You can
save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats.
Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a
designated report repository.
By default, the reports are stored in the subdirectories of the %Systemdrive%\StorageReports\ folder. To
change the default report locations, in the File Server Resource Manager Options dialog box, on the
Report Locations tab, specify where to save each type of storage report.
What Is a Report Task?
A report task is a set of storage management reports that run based on a schedule. The report task specifies which reports to generate, what parameters to use, and which volumes and folders to report on. The report task also specifies how often to generate the reports, and in which file formats to save them.
When you schedule a set of reports, the reports are saved automatically in the report repository. You can also have the reports emailed automatically to a group of administrators.
You can schedule report tasks by using the following steps from within FSRM:
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management, and then click Schedule a New Report Task. You also can click Schedule a New Report Task in the Actions pane.
Note: To minimize the impact of report processing on server performance, generate
multiple reports on the same schedule so that the data is gathered only once.
Generating On Demand Reports
During daily operations, you may want to generate reports on demand to analyze the different aspects of
the current disk usage on the server. Before the reports are generated, current data is gathered.
When you generate reports on demand, the reports are saved in the report repository, but no report task
is created for later use. You can view the reports immediately after they are generated, or you can send
the reports to a group of administrators by email.
To generate reports on demand:
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management, and then click Generate Reports Now (or in the Actions pane, click Generate Reports Now).
Note: When generating an on-demand report, you can wait for the reports to be
generated and then immediately display them. If you choose to open the reports immediately,
you must wait while the reports generate. Processing time varies, depending on the types of
reports and the data scope.
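As an added example (not part of the handbook), the following Windows PowerShell script creates one scheduled report task that bundles several of the reports in the table above, so the namespace is scanned once as the note recommends, and then runs the same task on demand. The namespace E:\Shares, the task name, and the per-report thresholds are assumptions; the parameter names for those thresholds (-LargeFileMinimum, -LeastAccessedMinimum, -QuotaUsagePercentage, -FileScreenAuditDaysSince) are those of the FileServerResourceManager module.

```powershell
# Added example, not from the handbook. Assumes E:\Shares is the namespace to
# report on and that Set-FsrmSetting has configured SMTP and an admin address.
Import-Module FileServerResourceManager

# Weekly schedule: Sunday 02:00, outside business hours to limit I/O impact.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday

# One task, several reports: the data is gathered once for all of them.
# Each report's parameter is set alongside it (size in bytes, ages in days,
# quota usage in percent); Duplicate Files has no parameters.
New-FsrmStorageReport -Name 'Weekly capacity review' `
    -Namespace @('E:\Shares') `
    -ReportType @('LargeFiles', 'LeastRecentlyAccessed', 'QuotaUsage', 'FileScreenAuditFiles') `
    -LargeFileMinimum 500MB `
    -LeastAccessedMinimum 180 `
    -QuotaUsagePercentage 85 `
    -FileScreenAuditDaysSince 7 `
    -ReportFormat @('DHtml', 'Csv') `
    -MailTo '[Admin Email]' `
    -Schedule $schedule

# Show the task definition as stored by FSRM.
Get-FsrmStorageReport -Name 'Weekly capacity review' |
    Format-List Name, Namespace, ReportType, ReportFormat, MailTo

# On-demand run of the same task (the PowerShell equivalent of Generate
# Reports Now). Start returns at once; Wait blocks until generation finishes.
Start-FsrmStorageReport -Name 'Weekly capacity review'
Wait-FsrmStorageReport -Name 'Weekly capacity review' -Timeout 600

# Find the newest CSV output under the default report repository.
function Get-LatestReportFile {
    param(
        [string]$ReportRoot = (Join-Path $env:SystemDrive 'StorageReports'),
        [string]$Filter = '*.csv'
    )
    Get-ChildItem -Path $ReportRoot -Filter $Filter -Recurse -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

Get-LatestReportFile | Select-Object FullName, LastWriteTime, Length
```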
Demonstration: Using FSRM to Manage Quotas and File Screens, and to Generate On-Demand Storage Reports
In this demonstration, you will see how to:
• Create a quota.
• Test a quota.
• Create a file screen.
• Test a file screen.
• Generate a storage report.
Demonstration Steps
Create a quota
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Server Manager.
3. Open the File Server Resource Manager console.
4. Create a quota based on the 100 MB Limit template on the E:\Labfiles\Mod10\Data folder.
Test a quota
1. Open Windows PowerShell.
2. Create a new 130 MB file in the E:\Labfiles\Mod10\Data folder by using the following command:
fsutil file createnew largefile.txt 130000000
3. Close Windows PowerShell.
Create a file screen
• In File Server Resource Manager, create a new file screen based on the Block Image Files file screen template for E:\Labfiles\Mod10\Data.
Test a file screen
1. Open Microsoft Windows Explorer.
2. Navigate to E:\Labfiles\Mod10.
3. Create a new bitmap (.bmp) image named testimage.
4. Copy testimage, and then paste it into the E:\Labfiles\Mod10\Data folder.
5. View and close the error window.
6. Close the Windows Explorer window.
Generate a storage report
1. Generate an on-demand report for Large Files on drive E.
2. View and close the HTML report.
3. Close File Server Resource Manager.
Lesson 3
Implementing Classification and File Management Tasks
Most applications manage files based on the directory in which they are contained. This leads to complicated file layouts that require attention from administrators. Such layouts can also lead to frustration among the users. In Windows Server 2012, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks such as cleaning up stale data, or protecting sensitive information.
In this lesson, you will learn how Classification Management and File Management tasks work together to make it easier for you to manage and organize the files and folders on your servers.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe classification management.
• Describe classification properties.
• Describe a classification rule.
• Explain how to configure classification management.
• Identify considerations for using file classification.
• Describe file management tasks.
• Explain how to configure file management tasks.
What Is Classification Management?
To reduce the cost and risk associated with data management, the File Classification infrastructure uses a platform that allows administrators to classify files and apply policies based on that classification. The storage layout is unaffected by data management requirements, and the organization can adapt more easily to a changing business and regulatory environment.
Classification Management is designed to ease the burden and management of data that is spread out in your organization. Using Classification Management, you can classify files in a variety of ways. In most scenarios, you perform classification manually. In Windows Server 2012, the File Classification Infrastructure feature allows organizations to convert these manual processes into automated policies. You can specify file management policies based on a file’s classification, and can apply corporate requirements for managing data based on business value. You can also modify the policies easily, and can use tools that support classification to manage files.
You can use file classification to perform the following actions:
1. Define classification properties and values, which can be assigned to files by running classification rules.
2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory, based on installed classification plug-ins.
When running a classification rule, you can reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values.
What Are Classification Properties?
Classification properties are used to assign values to files. There are many property types from which you can choose. You can define these properties based on the needs of your organization. Classification properties are assigned to files by using classification rules, which are discussed in the next topic.
The following table defines the available property types, and the policy that is applied when a file is reclassified:
Property type: Description
Yes/No: A Boolean property that can have a value of either YES or NO. When multiple values are combined, a NO value overwrites a YES value.
Date-Time: A simple date and time property. When multiple values are combined, conflicting values prevent reclassification.
Number: A simple number property. When multiple values are combined, conflicting values prevent reclassification.
Multiple Choice List: A list of values that can be assigned to a property. More than one value can be assigned to a property at a time. When multiple values are combined, each value in the list is used.
Ordered List: A list of fixed values. Only one value can be assigned to a property at a time. When multiple values are combined, the value highest in the list is used.
String: A simple string property. When multiple values are combined, conflicting values prevent reclassification.
Multi-string: A list of strings that can be assigned to a property. More than one value can be assigned to a property at a time. When multiple values are combined, each value in the list is used.
What Is a Classification Rule?
A classification rule assigns a Classification
Property to a file system object. A classification
rule includes information detailing when to assign
a classification property to a file.
Key Classification Rule Properties
To define the behavior of a classification rule, ask
yourself the following questions:
• Is the rule enabled? On the classification
rule Properties page, on the Rule Settings
tab, the Enabled check box allows you to
specifically disable or enable the classification
rule.
•
What is the scope of the rule? On the Rule Settings tab, the Scope parameter allows you to select a
folder or folders to which the classification rule will apply. When the rule is run, it processes and
attempts to classify all file system objects within this location.
• What classification mechanism will the rule use? On the classification rule Properties page, on the
rule’s Classification tab, you must choose a classification method that the rule will use to assign the
classification property. By default, there are two methods from which you can choose:
o Folder Classifier . The folder classifier mechanism assigns properties to a file based on the file’s
folder path.
o Content Classifier . The content classifier searches for strings or regular expressions in files. This
means that the content classifier classifies a file based on the textual contents of the file, such as
whether it contains a specific word, phrase, numeric value, or type.
•
What property will the rule assign? The main function of the classification rule is to assign a property
to a file object based on how the rule applies to that file object. On the Classification tab, you must
specify a property and the specific value that the rule will assign to that property.
• What additional classification parameters will be used? The core of the rule’s logic lies in the
additional classification parameters. Clicking the Advanced button on the Classification tab opens
the Additional Classification Parameters window. Here, you can specify additional parameters—
including strings or regular expressions—that if found in the file system object, will cause the rule to
apply itself. For example, this parameter could be the phrase “Social Security Number” or any number
with the format 000-00-000. If this parameter is found, then the classification parameter will apply a
YES value for a Confidential classification property to the file. This classification could then be
leveraged to perform some tasks on the file system object, such as moving it to a secure location.
A classification parameter can be one of the following three types:
• RegularExpression. Match a regular expression by using the Microsoft .NET syntax. For example,
\d\d\d will match any three-digit string.
• StringCaseSensitive. Match a case-sensitive string. For example, Confidential will only match
Confidential and not confidential or CONFIDENTIAL.
• String. Match a string, regardless of case. Confidential will match Confidential, confidential, and
CONFIDENTIAL.
Classification Scheduling
You can run classification rules in two ways: on-demand, or based on a schedule. Either way you choose,
each time you run classification, it uses all rules that you have left in the Enabled state.
Configuring a schedule for classification allows you to specify a regular interval at which file classification
rules will run, ensuring that your server’s files are regularly classified and up to date with the latest
classification properties.
Demonstration: How to Configure Classification Management
This demonstration shows how to:
• Create a classification property.
• Create a classification rule.
• Modify the classification schedule.
Demonstration Steps
Create a Classification Property
1. Open File Server Resource Manager, and expand the Classification Management node.
2. Using the Classification Properties node, create a new Classification Property named
Confidential, with the Yes/No property type.
Create a Classification Rule
1. Using the Classification Rules node, create a new Classification Rule named Confidential Payroll
Documents.
2. Configure the rule to classify documents with a value of Yes for the Confidential classification
property, if the file contains the string expression PAYROLL.
Modify the Classification Schedule
1. Create a classification schedule that runs every Sunday at 8:30 AM.
2. Using the Classification Rule node, manually run Classification With All Rules Now, and view the
report.
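The demonstration above, carried out with the FileServerResourceManager cmdlets instead of the console, as an added example that is not part of the course material. It assumes the FSRM role service is installed and that E:\Labfiles\Mod10\Data (the scope used later in this module) exists; the second, regular-expression rule is an addition that shows the RegularExpression parameter type from the previous topic.

```powershell
# Added example, not part of the course material: the classification demonstration
# done with the FileServerResourceManager cmdlets. Assumes FSRM is installed and that
# E:\Labfiles\Mod10\Data exists.
Import-Module FileServerResourceManager

$scope = 'E:\Labfiles\Mod10\Data'

# 1. Classification property "Confidential" of type Yes/No (skipped if it already exists).
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Confidential' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name 'Confidential' -Type YesNo `
        -Description 'Yes when the content classifier finds payroll or ID data' | Out-Null
}

# 2a. Content classifier rule with a String parameter (case-insensitive): any file in the
#     scope whose text contains PAYROLL gets Confidential = Yes.
New-FsrmClassificationRule -Name 'Confidential Payroll Documents' `
    -Namespace @($scope) `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidential' -PropertyValue 'Yes' `
    -ContentString @('PAYROLL') `
    -ReevaluateProperty Overwrite | Out-Null

# 2b. The same property set through a RegularExpression parameter (.NET syntax), using the
#     000-00-000 shape from the text. This rule is an addition, not a demonstration step.
New-FsrmClassificationRule -Name 'Confidential ID Pattern' `
    -Namespace @($scope) `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidential' -PropertyValue 'Yes' `
    -ContentRegularExpression @('\d{3}-\d{2}-\d{3}') | Out-Null

# 3. Classification schedule: every Sunday at 8:30 AM. Each run uses every rule left Enabled.
$schedule = New-FsrmScheduledTask -Time (Get-Date '08:30') -Weekly Sunday
Set-FsrmClassification -Schedule $schedule

# 4. Run classification with all rules now (the "Classification With All Rules Now" action),
#    then show the global classification state, which carries the last error if one occurred.
Start-FsrmClassification
Get-FsrmClassification
```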
Considerations for Using File Classification
Although Classification Management provides
a powerful mechanism to catalog, categorize,
and classify your file system objects, you should
consider certain factors when dealing with
Classification Management.
How Classification Properties Are Stored
Classification properties are stored in an alternate
data stream, which is a feature of NTFS. If a file
moves within NTFS, the alternate data streams
move with the file, but they do not appear in the
file’s contents. In Microsoft Office applications, the classification properties are also stored within file
formats as custom document properties or server document properties.
How Movement Affects Classification Properties
When moving a file from one NTFS file system to another, if you use a standard mechanism such as Copy
or Move, the file retains its classification properties. However, if you move a file to a non-NTFS file system,
regardless of how you move the file, file classification properties are not retained. If the file is the product
of a Microsoft Office application, then the classification properties remain attached, regardless of how the
file is moved.
Classification Management Process in Windows Server
Classification properties are available only to servers running Windows Server 2008 R2 or newer. However,
Microsoft Office documents will retain classification property information in Document Properties, which
is viewable regardless of the operating system being used.
Conflicting Classification Rules
At times, classification rules can conflict. When this happens, the file classification infrastructure will
attempt to combine properties. The following behaviors will occur when conflicting classification rules
arise:
• For Yes or No properties, a YES value takes priority over a NO value.
• For ordered list properties, the highest property value takes priority.
• For multiple choice properties, the property sets are combined into one set.
• For multiple string properties, a multistring value is set that contains all the unique strings of the
individual property values.
• For other property types, an error occurs.
Classification Management Cannot Classify Certain Files
File Classification Infrastructure will not identify individual files within a container file, such as a .zip or .vhd
file. In addition, File Classification Infrastructure will not allow content classification for the contents of
encrypted files.
What Are File Management Tasks?
File management tasks automate the
process of finding subsets of files on a server,
and then applying simple commands to them
on a scheduled basis. Files are identified by
classification properties that have been assigned
to the file by a classification rule.
File management tasks include a file expiration
command, and you can also create custom tasks.
You can define files that will be processed by a file
management task through the following
properties:
• Location
• Classification properties
• Creation time
• Modification time
• Last accessed time
• File name
You also can configure file management tasks to notify file owners of any impending policy that will be
applied to their files.
File Expiration Tasks
File expiration tasks automatically move all files that match certain criteria to a specified expiration
directory, where an administrator can then back up those files and delete them. When you run a file
expiration task, a new directory is created within the expiration directory. The new directory is grouped
by the server name on which the task was run, and it is named according to the name of the file
management task and the time it was run. When an expired file is discovered, it is moved into the new
directory, while preserving its original directory structure.
Custom File Management Tasks
Expiration is not always a desired action to be performed on files. File management tasks allow you to run
custom commands. Using the Custom Commands dialog box, you can run an executable file, script, or other custom command to perform an operation on the files within the scope of the file management
task.
Note: You configure custom tasks by selecting the Custom type on the Action tab of the
Create File Management Task window.
Demonstration: How to Configure File Management Tasks
In this demonstration, you will see how to:
• Create a file management task.
• Configure a file management task to expire documents.
Demonstration Steps
Create a File Management Task
1. Open File Server Resource Manager, and then expand the File Management Tasks node.
2. Create a file management task named Expire Confidential Documents with a scope of
E:\Labfiles\Mod10\Data.
Configure a File Management Task to Expire Documents
1. On the Action tab, configure the task for file expiration to E:\Labfiles\Mod10\Expired.
2. Add a condition that Confidential equals Yes.
3. Run the File Management Task, and then view the report.
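The file management task from the demonstration above, built with the FileServerResourceManager cmdlets, as an added example that is not part of the course material. It assumes FSRM is installed and that the Confidential (Yes/No) classification property from the classification demonstration already exists; the weekly schedule slot is an assumed value, since the demonstration runs the task by hand.

```powershell
# Added example, not part of the course material: the "Expire Confidential Documents"
# task built with cmdlets. Assumes FSRM is installed and the Confidential property exists.
Import-Module FileServerResourceManager

$scope   = 'E:\Labfiles\Mod10\Data'
$expired = 'E:\Labfiles\Mod10\Expired'
if (-not (Test-Path $expired)) { New-Item -ItemType Directory -Path $expired | Out-Null }

# Action: expiration. Matching files are moved under $expired into a folder grouped by
# server name and named after the task and its run time, keeping their original path structure.
$action = New-FsrmFmjAction -Type Expiration -ExpirationFolder $expired

# Condition: the Confidential classification property equals Yes.
$condition = New-FsrmFmjCondition -Property 'Confidential' -Condition Equal -Value 'Yes'

# Schedule: the demonstration runs the task by hand, so Sunday 03:00 is an assumed slot.
$schedule = New-FsrmScheduledTask -Time (Get-Date '03:00') -Weekly Sunday

New-FsrmFileManagementJob -Name 'Expire Confidential Documents' `
    -Namespace @($scope) `
    -Action $action `
    -Condition @($condition) `
    -Schedule $schedule | Out-Null

# Run the task now. FSRM writes the task report to its configured report location,
# which is the report the demonstration's last step views.
Start-FsrmFileManagementJob -Name 'Expire Confidential Documents'
Get-FsrmFileManagementJob -Name 'Expire Confidential Documents'
```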
Lab A: Configuring Quotas and File Screening Using FSRM
Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in
London, United Kingdom. An IT office and data center in London support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
Each network client within the Adatum domain is provided with a server-based home folder that is used
to store personal documents or files that are works-in-progress. It has come to your attention that home
folders are becoming quite large, and may contain file types such as .MP3 files that are not approved due
to corporate policy. You decide to implement FSRM quotas and file screening to help address this issue.
Objectives
After completing this lab, you will be able to:
• Configure FSRM quotas.
• Configure file screening and generate a storage report.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20411B-LON-DC1, 20411B-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-SVR1.
Exercise 1: Configuring FSRM Quotas
Scenario
To control the size of home folders, you are implementing FSRM quotas. Each home folder is limited to
100 MB. To ensure that administrators are made aware of home folders that are running out of space, an
event is written to the event log when a user exceeds 85 percent of their storage quota so that it can be
tracked by administrators.
The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is functional.
Task 1: Create a quota template
1. On LON-SVR1, from Server Manager, install the File Server Resource Manager.
2. In the File Server Resource Manager console, use the Quota Templates node to configure a template
that sets a hard limit of 100 MB on the maximum folder size.
3. Configure the template to record an event in the Event Log when the folder reaches 85 percent and
100 percent capacity.
Task 2: Configure a quota based on the quota template
1. Use the File Server Resource Manager console and the Quotas node to create a quota on the
E:\Labfiles\Mod10\Users folder by using the quota template that you created in Task 1.
2. Configure the quota to auto apply on existing and new subfolders.
3. Create an additional folder named Max in the E:\Labfiles\Mod10\Users folder, and ensure that the
new folder is listed in the quotas list in File Server Resource Manager.
Task 3: Test that the quota is functional
1. Open a Windows PowerShell window, and use the following commands to create a file in the
E:\Labfiles\Mod10\Users\Max folder. Press Enter after each line:
E:
cd \Labfiles\Mod10\Users\Max
fsutil file createnew file1.txt 89400000
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then
press Enter:
fsutil file createnew file2.txt 16400000
4. Notice that the file cannot be created. The message returned from Windows references disk space,
but the file creation fails because it would surpass the quota limit. Close the Windows PowerShell
window.
5. Close all open windows on LON-SVR1.
Results: After completing this exercise, you should have configured an FSRM quota.
Exercise 2: Configuring File Screening and Storage Reports
Scenario
Managers are concerned that large media files are being stored in home folders, which violates corporate
policy. Managers want to prevent media files such as video, audio, and graphics files from being saved.
You need to implement file screening to prevent media files from being stored in home folders. However,
you have also been made aware that several users store Microsoft Project files with the extension .mpp in
their home directories. You must ensure that the file screen you create does not restrict the storage of
these files.
You have also been asked to provide a report to your manager documenting any attempts to save
restricted media files on LON-SVR1.
The main tasks for this exercise are as follows:
1. Create a file screen.
2. Create a file group.
3. Test the file screen.
4. Generate an on-demand storage report.
5. To prepare for the next lab.
Task 1: Create a file screen
1. On LON-SVR1, open File Server Resource Manager.
2. Create a File Screen based on the Block Audio and Video Files file screen template for the
E:\Labfiles\Mod10\Users directory.
Task 2: Create a file group
1. On LON-SVR1, open the File Server Resource Manager Configuration Options dialog box, and on
the File Screen Audit tab enable the Record file screening activity in auditing database option.
Note: This step allows recording of file screening events. These recordings will supply data
for a File Screen Audit report, which will be run later in this exercise.
2. Create a new File Group with the following properties:
o File group name: MPx Media Files
o Files to include: *.mp*
o Files to exclude: *.mpp
3. Modify the Block Audio and Video Files template to only use the MPx Media Files file group.
Task 3: Test the file screen
1. On the taskbar, click the Windows Explorer shortcut.
2. Create a new text document in E:\Labfiles\Mod10, and then rename it as musicfile.mp3.
3. Copy musicfile.mp3 into E:\Labfiles\Mod10\Users. You will be notified that the system was unable
to copy the file.
Task 4: Generate an on-demand storage report
1. Open the File Services Resource Manager console.
2. Right-click Storage Reports Management, select Generate Reports Now, and then provide the
following parameters:
o Generate only the File Screening Audit report
o Report on E:\Labfiles\Mod10\Users
3. Review the generated reports in Windows Internet Explorer.
4. Close all open windows on LON-SVR1.
To prepare for the next lab
• When you finish the lab, do not shut down the virtual machines. You will need them for the next lab.
Results: After completing this exercise, you will have configured file screening and storage reports in
FSRM.
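The two exercises of this lab carried out with the FileServerResourceManager cmdlets on LON-SVR1, as an added example that is not part of the lab's own steps. It assumes FSRM is installed and E:\Labfiles\Mod10\Users exists; the template and file group names follow the lab, while the event message text and the plan.mpp test file are constructed.

```powershell
# Added example, not part of the lab: quota template, auto quota, file group, file screen and
# on-demand audit report with cmdlets. Assumes FSRM is installed and E:\Labfiles\Mod10\Users exists.
Import-Module FileServerResourceManager

$users = 'E:\Labfiles\Mod10\Users'

# --- Exercise 1: quota template with a 100 MB hard limit and events at 85% and 100% ---
# Without -SoftLimit the template is a hard quota, so writes past the limit are refused.
$warn85  = New-FsrmQuotaThreshold -Percentage 85 -Action (
    New-FsrmAction -Type Event -EventType Warning -Body 'Home folder has reached 85% of its 100 MB quota.')
$warn100 = New-FsrmQuotaThreshold -Percentage 100 -Action (
    New-FsrmAction -Type Event -EventType Error -Body 'Home folder has reached its 100 MB quota limit.')
New-FsrmQuotaTemplate -Name '100 MB Home Folder Limit' -Size 100MB -Threshold @($warn85, $warn100) | Out-Null

# Auto-apply quota: every existing and new subfolder of $users gets its own quota from the template.
New-FsrmAutoQuota -Path $users -Template '100 MB Home Folder Limit' | Out-Null

New-Item -ItemType Directory -Path "$users\Max" -Force | Out-Null
Get-FsrmQuota -Path "$users\Max"            # the quota derived for the new folder

# Test: 89,400,000 bytes fits (and crosses 85%); the second file would exceed the hard limit and fails.
fsutil file createnew "$users\Max\file1.txt" 89400000
fsutil file createnew "$users\Max\file2.txt" 16400000   # fails: quota exceeded
# FSRM (source SRMSVC) records the threshold event in the Application log as Event ID 12325.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12325 } -MaxEvents 3 -ErrorAction SilentlyContinue

# --- Exercise 2: file group, file screen and on-demand File Screen Audit report ---
# Block *.mp* (mp3, mp4, mpg ...) but let Microsoft Project files (*.mpp) through.
New-FsrmFileGroup -Name 'MPx Media Files' -IncludePattern @('*.mp*') -ExcludePattern @('*.mpp') | Out-Null

# Point the built-in template at that group only, then derive an active screen from it.
Set-FsrmFileScreenTemplate -Name 'Block Audio and Video Files' -IncludeGroup @('MPx Media Files')
New-FsrmFileScreen -Path $users -Template 'Block Audio and Video Files' | Out-Null

# Recording file screening activity in the auditing database (Task 2, step 1) is the global
# FSRM option set in the console; it must be on before the audit report has any data.

# Test the screen: the copy into the screened folder is refused.
New-Item -ItemType File -Path 'E:\Labfiles\Mod10\musicfile.mp3' -Force | Out-Null
try   { Copy-Item 'E:\Labfiles\Mod10\musicfile.mp3' -Destination $users -ErrorAction Stop }
catch { "Copy blocked by file screen: $($_.Exception.Message)" }
# A .mpp file is excluded from the group and is allowed (constructed test file).
New-Item -ItemType File -Path "$users\plan.mpp" -Force | Out-Null

# On-demand (interactive) File Screen Audit report for the home folder tree; the HTML is written
# to the interactive report folder (C:\StorageReports\Interactive by default).
New-FsrmStorageReport -Name 'FileScreenAudit-Users' -Namespace @($users) `
    -ReportType @('FileScreenAuditReport') -Interactive | Out-Null
```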
Lesson 4
Overview of DFS
You can use DFS to meet the challenges of managing data for branch offices by providing fault-tolerant
access and wide area network (WAN)–friendly replication of files that are located throughout an
enterprise.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe DFS.
• Describe DFS namespaces.
• Describe DFS Replication.
• Describe how DFS namespaces and DFS replication work.
• Describe data deduplication.
• Describe scenarios where DFS can be used.
• Explain how to install the DFS role.
What Is DFS?
To access a file share, users typically require the
Universal Naming Convention (UNC) name to
access the shared folder content. Many large
organizations have hundreds of file servers that
are dispersed geographically throughout an
organization. This introduces a number of challenges for users who are trying to find and
access files efficiently.
Through the use of a namespace, DFS can simplify
the UNC folder structure. In addition, DFS can
replicate the virtual namespace and the shared
folders to multiple servers within the organization.
This can ensure that the shares are located as close as possible to users, thereby providing an additional
benefit of fault tolerance for the network shares.
DFS includes two technologies that are implemented as role services:
• DFS Namespace (DFS-N). Allows administrators to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a
single shared folder with a series of subfolders. The subfolders typically point to shared folders that
are located on various servers in multiple geographical sites throughout the organization.
• DFS-R. A multimaster replication engine that synchronizes files between servers for local and WAN
network connections. DFS Replication supports replication scheduling, bandwidth throttling, and uses
remote differential compression (RDC) to update only the portions of files that have changed since
the last replication. You can use DFS Replication in conjunction with DFS namespaces or as a
standalone file replication mechanism.
What Is a DFS Namespace?
DFS namespaces enable a virtual representation
of shared folder structures. You can create either
a domain-based or standalone namespace. Each
type has different characteristics.
Domain-Based Namespace
A domain-based namespace can be used when:
• Namespace high availability is required, which
is accomplished by replicating the namespace
to multiple namespace servers.
• You need to hide the name of the namespace
servers from users. This also makes it easier to
replace a namespace server or migrate the namespace to a different server. Users will then access the
\\domainname\namespace format as opposed to the \\servername\share format.
If you choose to deploy a domain-based namespace, you will also need to choose whether to use the Microsoft Windows 2000 Server mode or the Windows Server 2008 mode. Windows Server 2008 mode
provides additional benefits such as support for access-based enumeration, and it increases the number of
folder targets from 5,000 to 50,000. With access-based enumeration, you can also hide folders that users
do not have permission to view.
To use Windows Server 2008 mode, the following requirements must be met:
• The Active Directory® forest must be at Windows Server 2003 or higher forest functional level.
• The Active Directory domain must be at the Windows Server 2008 domain functional level.
• All namespace servers must be Windows Server 2008.
Standalone Namespace
A standalone namespace is used when:
• An organization has not implemented Active Directory Domain Services (AD DS).
• An organization does not meet the requirements for a Windows Server 2008 mode domain-based
namespace, and there are requirements for more than 5,000 DFS folders. Standalone DFS namespaces
support up to 50,000 folders with targets.
• An organization is hosting a DFS namespace in a failover cluster.
What Is DFS Replication?
DFS-R provides a way to keep folders
synchronized between servers across well-
connected and limited bandwidth connections.
Take note of the following key points related to
DFS-R:
• DFS-R uses Remote Differential Compression
(RDC). RDC is a client-server protocol that
can be used to efficiently update files over a
limited bandwidth network. RDC detects data
insertions, removals, and rearrangements in
files, enabling DFS-R to replicate only the
changed file blocks when files are updated.
RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS-R also supports cross-file
RDC, which allows DFS-R to use RDC, even when a file with the same name does not exist at the
client. Cross-file RDC can determine files that are similar to the file that needs to be replicated, and it
uses blocks of similar files that are identical to the replicating file to minimize the amount of data that
needs to be replicated.
• DFS-R uses a hidden staging folder to stage a file before sending or receiving it. Staging folders act as
caches for new and changed files to be replicated from sending members to receiving members. The
sending member begins staging a file when it receives a request from the receiving member. The
process involves reading the file from the replicated folder and building a compressed representation
of the file in the staging folder. After it has been constructed, the staged file is sent to the receiving
member; if RDC is used, only a fraction of the staging file might be replicated. The receiving member
downloads the data and builds the file in its staging folder. After the file download completes on
the receiving member, DFS-R decompresses the file and installs it into the replicated folder. Each
replicated folder has its own staging folder, which by default is located under the local path of the
replicated folder in the DfsrPrivate\Staging folder.
• DFS-R detects changes on the volume by monitoring the file system update sequence number (USN)
journal and replicates changes only after the file is closed.
• DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The
protocol sends less than 1 KB per file across the network to synchronize the metadata associated with
changed files on the sending and receiving members.
• DFS-R uses a conflict resolution heuristic of “last writer wins” for files that are in conflict (that is, a file
that is updated at multiple servers simultaneously) and “earliest creator wins” for name conflicts. Files
and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted
folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for
retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and
Deleted folder, which is located under the local path of the replicated folder in the DfsrPrivate
\ConflictandDeleted folder.
• DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss,
or DFS-R database loss.
• DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to
obtain configuration and monitoring information from the DFS-R service.
How DFS-N and DFS-R Work
Even though DFS-N and DFS-R are separate
role services, you can use them together to
provide high availability and data redundancy.
The following process describes how DFS-N and
DFS-R work together:
1. User accesses a folder in the virtual
namespace. When a user attempts to access
a folder in a namespace, the client computer
contacts the server that is hosting the
namespace root. The host server can be a
standalone server that is hosting a standalone
namespace, or a domain-based configuration
that is stored in AD DS and then replicated to various locations to provide high availability. The
namespace server sends back to the client computer a referral containing a list of servers that host
the shared folders (called folder targets) that are associated with the folder being accessed. DFS is a
site-aware technology, so client computers can be configured to access namespaces that are within
their site first to ensure the most reliable access.
2. Client computer accesses the first server in the referral. The client computer caches the referral
information and then contacts the first server in the referral. This referral typically is a server in the
client’s own site, unless there is no server located within the client’s site. In this case, the administrator
can configure the target priority.
On the slide example, the Marketing folder that is published within the namespace actually contains two
folder targets. One share is located on a file server in New York, and the other share is located on a file
server in London. The shared folders are kept synchronized by DFS-R. Even though multiple servers host
the source folders, this fact is transparent to users, who only access a single folder in the namespace. If
one of the target folders becomes unavailable, users will be redirected to the remaining targets within the
namespace.
What Is Data Deduplication?
In Windows Server 2012, you can enable data
deduplication for nonsystem volumes. Data
deduplication optimizes volume storage by
finding redundant data on a volume, and ensuring
that the data is stored only once on the volume.
This is achieved by storing the data in a single
location, and providing reference to the single location for other redundant copies of the data.
Data is segmented into 32 KB to 218 KB chunks,
so data deduplication can optimize not only
redundant files, but also portions of files that are
redundant on the volume.
Data deduplication can be implemented in conjunction with DFS-R to provide an even more efficient
storage and replication infrastructure.
How Data Deduplication Works
Once a volume has data deduplication enabled, Windows 2012 optimizes the volumes by maintaining the
following components:
• Unoptimized files. These include any files that do not meet the file-age criteria for data deduplication.
In order to be optimized by data deduplication, files must remain static for a certain amount of time.
Unoptimized files could include system state files, encrypted files, files smaller than 32 KB, files with
extended attributes, or files that are in use by other applications.
• Optimized files. Optimized files are stored as reparse points. A reparse point contains a pointer to the
locations of the chunk data within the chunk store, so the respective chunks can be retrieved when
required.
• Chunk store. Optimized file data is located in the chunk store.
Benefits of Data Deduplication
Data deduplication can help you cope with storage growth in the following areas:
• Capacity optimization. Data deduplication enables a server to store more data in less physical disk
space.
• Scale and performance. Data deduplication is highly scalable in Windows Server 2012. It can run on
multiple volumes without affecting other services and applications running on the server. Data
deduplication can be throttled to accommodate other heavy workloads on the server, so that no
performance degradation occurs for important server tasks.
• Reliability and data integrity. Windows Server 2012 uses checksum, consistency, and validation to ensure
that the integrity of data affected by data deduplication remains intact. Data deduplication also
maintains redundant copies of the most frequently used data on a volume to protect against data
corruption.
• Bandwidth efficiency. In combination with DFS-R, or other file replication technology such as
BranchCache, data deduplication can greatly reduce the bandwidth consumed replicating file data,
provided that replication partners are also running Windows Server 2012.
• Simple optimization management. Windows Server 2012 and Windows PowerShell 3.0 contain
integrated support for data deduplication. Implementation and management within Windows
Server 2012 is done with familiar tools.
Implementing Data Deduplication
Use the following process to implement data deduplication on a server:
1. Install the Data Deduplication role service for the File Services role.
This can be performed by using the Add Roles and Features Wizard in Server Manager, or by using
the following Windows PowerShell cmdlets:
Import-Module ServerManager
Add-WindowsFeature -name FS-Data-Deduplication
Import-Module Deduplication
2. Enable data deduplication on one or more volumes.
Within Server Manager, you can right-click a volume and select Configure Data Deduplication,
which opens the Data Deduplication Settings page.
Alternatively, you can use the following Windows PowerShell cmdlet to enable data deduplication (for
the volume E:, in this case):
Enable-DedupVolume E:
3. Optionally, configure data deduplication jobs for a volume.
By default, built-in jobs are created and scheduled when you enable data deduplication for a volume.
If required, you can manually configure these jobs, or create additional jobs to further manage how
data deduplication functions.
Additional Reading: Data Deduplication Overview
http://go.microsoft.com/fwlink/?linkID=270996
DFS Scenarios
Several key scenarios can benefit from DFS-N and
DFS-R. These scenarios include:
• Sharing files across branch offices.
• Data collection.
• Data distribution.
Sharing Files Across Branch Offices
Large organizations that have many branch offices
often have to share files or collaborate between
these locations. DFS-R can help replicate files
between branch offices or from a branch office to
a hub site. Having files in multiple branch offices also benefits users who travel from one branch office to
another. The changes that users make to their files in one branch office are replicated back to their branch
office.
Note: This scenario is recommended only if users can tolerate some file inconsistencies as
changes are replicated throughout the branch servers. Also, note that DFS-R only replicates a file
after it is closed. Therefore, DFS-R is not recommended for replicating database files or any files
that are held open for long periods of time.
Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing
the files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using
DFS-R and then backed up at the hub site by using standard backup procedures. This increases the branch
office data recoverability if a server fails, because files will be available in two separate locations and
backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware and
onsite IT personnel expertise. Replicated data can also be used to make branch office file shares fault
tolerant. If the branch office server fails, clients in the branch office can access the replicated data at the
hub site.
Data Distribution
You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business
(LOB) data throughout your organization. DFS-N and folder targets can increase data availability and
distribute client load across various file servers.
Demonstration: How to Install the DFS Role
This demonstration shows how to install the DFS Role.
Demonstration Steps
Install the DFS role
• Under the File and Storage Management role, install the DFS Namespaces and DFS Replication
role services.
Lesson 5
Configuring DFS Namespaces
Configuring a DFS namespace consists of several tasks, including creating the namespace structure,
creating folders within the namespace, and adding folder targets. You can also choose to perform
additional management tasks, such as configuring the referral order, enabling client fail back, and
implementing DFS-R. This lesson provides information on how to complete these configuration and
management tasks to deploy an effective DFS solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the process for deploying namespaces to publish content.
• Describe permissions required to create and manage a namespace.
• Explain how to create and configure DFS namespaces and folder targets.
• Describe the options for optimizing a namespace.
Deploying Namespaces to Publish Content
Most DFS implementations consist primarily
of content that is published within the DFS
namespace. To configure a namespace for
publishing content to users, perform the following
procedures:
1.
Create a namespace.
Use the New Namespace Wizard to create the
namespace from within the DFS Management
console. When a new namespace is created,
you must provide the name of the server that
you want to use as the namespace server, and
namespace name and type (either domain-
based or standalone). You can also specify whether the namespace is enabled for Windows
Server 2008 mode.
2. Create a folder in the namespace.
After you create the namespace, add a folder in the namespace that will be used to contain the
content that you want to publish. During the folder creation, you have the option to add folder
targets, or you can perform a separate task to add, edit, or remove folder targets later.
3. Add folder targets.
After you create a folder within the namespace, the next task is to create folder targets. The folder
target is a shared folder’s UNC path on a specific server. You can browse for shared folders on remote
servers and create shared folders as needed. Additionally, you can add multiple folder targets to
increase the folder’s availability in the namespace. If you add multiple folder targets, consider using
DFS-R to ensure that the content is the same between the targets.
4. Set the ordering method for targets in referrals.
A referral is an ordered list of targets that a client computer receives from the namespace server when
a user accesses a namespace root or folder. When a client receives the referral, the client attempts to
access the first target in the list. If the target is not available, the next target is attempted. By default,
targets in the client’s site are always listed first in the referral. You can configure the method for
ordering targets outside the client’s site on the Referrals tab of the Namespace Properties dialog box.
You have the choice of configuring the lowest cost, random order, or configuring the ordering
method to exclude targets outside the client’s site.
Note: Folders inherit referral settings from the namespace root. You can override the
namespace settings on the Referrals tab of the Folder Properties dialog box by excluding
targets outside the client’s site.
Optional Management Tasks
A number of optional management tasks that you can consider include:
• Set target priority to override referral ordering. You can have a specific folder target that you want
everyone to use from all site locations, or a specific folder target that should be used last among all
targets. You can configure these scenarios by overriding the referral ordering on the Advanced tab of
the Folder Target Properties dialog box.
• Enable client failback. If a client cannot access a referred target, the next target is selected. Client
failback will ensure that clients fail back to the original target after it is restored. You can configure
client failback on the Referrals tab of the Namespace Properties dialog box by selecting the Clients
fail back to preferred targets check box. All folders and folder targets inherit this option. However,
you can also override a specific folder to enable or disable client failback features, if required.
• Replicate folder targets using DFS-R. You can use DFS-R to keep the contents of folder targets in sync.
The next topic discusses DFS-R in detail.
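The four deployment steps and the optional tasks above can also be scripted with the DFSN PowerShell module that ships with the DFS Namespaces role service. The following is an added example, not code from the course; the namespace, folder and first target names follow the course demonstration (\\Adatum.com\Research, Proposals, \\LON-SVR1\Proposal_docs), while the namespace root share \\LON-SVR1\Research and the second target \\LON-SVR4\Proposal_docs are assumed to exist already.

```powershell
# Added example (not from the course): the namespace deployment procedure with the DFSN module.
# Assumed: the root share \\LON-SVR1\Research and the share \\LON-SVR4\Proposal_docs already exist.
Import-Module DFSN

$root = '\\Adatum.com\Research'

# Step 1: domain-based namespace in Windows Server 2008 mode (Type DomainV2), hosted on LON-SVR1.
# Access-based enumeration hides folders a user has no permission to see.
New-DfsnRoot -Path $root -TargetPath '\\LON-SVR1\Research' -Type DomainV2 `
    -EnableAccessBasedEnumeration $true

# Steps 2 and 3: the Proposals folder with its first target, then a second target for availability.
# With two targets, DFS-R should keep the two shares identical (Lesson 6).
New-DfsnFolder -Path "$root\Proposals" -TargetPath '\\LON-SVR1\Proposal_docs'
New-DfsnFolderTarget -Path "$root\Proposals" -TargetPath '\\LON-SVR4\Proposal_docs'

# Step 4: ordering of targets outside the client's site.
#   EnableSiteCosting  $true  = lowest cost, $false = random order
#   EnableInsiteReferrals $true = exclude targets outside the client's site
Set-DfsnRoot -Path $root -EnableSiteCosting $true -EnableInsiteReferrals $false

# Optional task: clients fail back to the preferred target once it is available again.
# Folders inherit this; Set-DfsnFolder -EnableTargetFailback overrides it per folder.
Set-DfsnRoot -Path $root -EnableTargetFailback $true

# Optional task: target priority that overrides the referral ordering.
# GlobalHigh = listed first for every site, GlobalLow = listed last for every site.
Set-DfsnFolderTarget -Path "$root\Proposals" -TargetPath '\\LON-SVR1\Proposal_docs' `
    -ReferralPriorityClass GlobalHigh

# Verify what the namespace server will hand out in referrals for this folder.
Get-DfsnFolderTarget -Path "$root\Proposals" |
    Select-Object TargetPath, State, ReferralPriorityClass
```

Run it on a namespace server or a management station with the DFS Management tools installed, as a user who holds the permissions listed in the next topic; New-DfsnRoot fails if the root share does not exist yet.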
Permissions Required to Create and Manage a Namespace
To perform DFS namespace management tasks, a user either has to be a member of an administrative
group or has to be delegated specific permission to perform the task. To delegate the required
permissions, right-click the namespace and then click Delegate Management Permissions.
The following table describes the groups that can perform DFS administration by default, and the method
for delegating the ability to perform DFS management tasks.
Task | Groups that can perform the task by default | Delegation method
Create a domain-based namespace. | Domain admins | Click Delegate Management Permissions.
Add a namespace server to a domain-based namespace. | Domain admins | Add users to local administrators group on the namespace server.
Manage a domain-based namespace. | Local administrators on each namespace server | Click Delegate Management Permissions.
Create a standalone namespace. | Local administrators on each namespace server | Add users to local administrators group on the namespace server.
Manage a standalone namespace. | Local administrators on each namespace server | Click Delegate Management Permissions.
Create a replication group, or enable DFS-R on a folder. | Domain admins | Add users to local administrators group on the namespace server.
Demonstration: How to Create Namespaces
This demonstration shows how to:
• Create a new namespace.
• Create a new folder and folder target.
Demonstration Steps
Create a new namespace
1. Open the DFS Management console.
2. Create a domain-based namespace on LON-SVR1 named Research.
Create a new folder and folder target
1. Create a new folder named Proposals in the \\Adatum.com\Research namespace.
2. Create a folder target for Proposals that points to \\LON-SVR1\Proposal_docs.
3. Confirm namespace functionality by navigating to \\Adatum.com\Research, and confirming that
the Proposals folder displays.
Optimizing a Namespace
Namespaces have a number of configuration options with which you can optimize their usability and
performance.
Rename or Move a Folder
You can rename or move a folder in a namespace. This allows you to reorganize the hierarchy of folders to
best suit your organization’s users. For example, when your company reorganizes, you can reorganize the
namespace to match the new structure.
Disable Referrals to a Folder
A referral is a list of targets that a client computer receives from a domain controller or namespace server
when the user accesses a root or folder with namespace targets. By disabling a folder target’s referral, you
prevent client computers from accessing that folder target in the namespace. This is useful when you are
moving data between servers.
Specify Referral Cache Duration
Clients do not contact a namespace server for a referral each time they access a folder in a namespace;
instead, namespace root referrals are cached. Clients that use a cached referral will renew the cache
duration value of the referral each time a file or folder is accessed using the referral. This means that the
clients will use the referral indefinitely until the client’s referral cache is cleared or the client is restarted.
You can customize the referral cache duration. The default is 300 seconds (5 minutes).
Configure Namespace Polling
To maintain a consistent domain-based namespace across namespace servers, namespace servers must
poll AD DS periodically to obtain the most current namespace data. The two modes for namespace
polling are:
• Optimize for consistency. Namespace servers poll the primary domain controller (PDC) emulator each
time a namespace change occurs. This is the default.
• Optimize for scalability. Each namespace server polls its closest domain controller at periodic intervals.
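The same four optimization tasks expressed with the DFSN module, as an added example that is not part of the course. The namespace and folder names are the course demonstration's; the renamed folder name is an assumption, and the commands need the DFS Management tools installed.

```powershell
# Added example (not from the course): namespace optimization tasks with the DFSN module.
Import-Module DFSN

$root = '\\Adatum.com\Research'

# Rename or move a folder: the folder keeps its targets, only its path in the namespace changes.
# (The new name ProposalArchive is an assumption.)
Move-DfsnFolder -Path "$root\Proposals" -NewPath "$root\ProposalArchive"
$folder = "$root\ProposalArchive"

# Disable referrals to one target while its data is moved: clients no longer receive this
# target in referrals, but the share and its permissions are untouched. Set State Online to re-enable.
Set-DfsnFolderTarget -Path $folder -TargetPath '\\LON-SVR1\Proposal_docs' -State Offline

# Referral cache duration in seconds; 300 (5 minutes) is the default for the root.
Set-DfsnRoot -Path $root -TimeToLiveSec 300
# Folders inherit the root value; a shorter value on one folder makes target changes visible sooner.
Set-DfsnFolder -Path $folder -TimeToLiveSec 60

# Namespace polling: $true = optimize for scalability (each namespace server polls its closest DC
# periodically), $false = optimize for consistency (poll the PDC emulator on every change; the default).
Set-DfsnRoot -Path $root -EnableRootScalability $true

# Verify: Flags shows the root options in effect, State shows which targets are still referred.
Get-DfsnRoot -Path $root | Select-Object Path, TimeToLiveSec, Flags
Get-DfsnFolderTarget -Path $folder | Select-Object TargetPath, State
```

Taking a target offline is the safe way to move data: because clients cache referrals for the TTL, a target that is simply deleted may still be contacted for up to that long.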
Lesson 6
Configuring and Troubleshooting DFS-R
To configure DFS-R effectively, it is important to understand the terminology and requirements that are
associated with the feature. This lesson provides information on the specific elements, requirements, and
scalability considerations as they relate to DFS-R. This lesson also provides a process for configuring an
effective replication topology.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe replication groups and replicated folders.
• Describe the initial replication process.
• Explain how to configure DFS-N and DFS-R.
• Describe DFS troubleshooting options.
Replication Groups and Replicated Folders
A replication group comprises a set of member servers that participate in replicating one or more
replicated folders. There are two main types of replication groups:
• Multipurpose replication group. This replication group helps to configure replication between two or
more servers for publication, content sharing, or other scenarios.
• Replication group for data collection. This replication group configures a two-way replication between
two servers, such as a branch office server and a hub server. This group type is used to collect data from
the branch office server to the hub server. You can then use standard backup software to back up the
hub server data.
A replicated folder is synchronized between each member server. Creating multiple replicated folders
within a single replication group helps to simplify the following for the entire group:
• Replication group type
• Topology
• Hub and spoke configuration
• Replication schedule
• Bandwidth throttling
The replicated folders that are stored on each member can be located on different volumes in the
member. Replicated folders do not need to be shared folders or part of a namespace, although the DFS
Management snap-in makes it easy to share replicated folders, and optionally, publish them to an existing
namespace.
Replication Topologies
When configuring a replication group, you must define its topology. You can select between the
following:
• Hub and spoke. To select this option, you require at least three member servers in the replication
group. This topology works well in publication scenarios where data originates at the hub and is
replicated to members at the spokes.
• Full mesh. If ten or fewer members are in the replication group, this topology works well, with each
member replicating to all others, as required.
• No topology. Choose this option if you want to manually configure a custom topology after creating
the replication group.
Initial Replication Process
When you first configure replication, you choose a primary member that has the most updated files to
be replicated. This server is considered authoritative for any conflict resolution that occurs when the
receiving members have files that are older or newer when compared to the same files on the primary
member.
Consider the following concepts about the initial replication process:
• Initial replication does not begin immediately. The topology and DFS-R settings must be replicated to
all domain controllers, and each member in the replication group must poll its closest domain controller
to obtain these settings. Active Directory replication latency and the long polling interval (60 minutes)
on each member determine the amount of time this takes.
• Initial replication always occurs between the primary member and its receiving replication partners.
After a member has received all files from the primary member, that member will replicate files to its
receiving partners. In this way, replication for a new replicated folder starts from the primary member
and then progresses out to the other replication group members.
• When receiving files from the primary member during initial replication, the receiving members
with files that are not present on the primary member will move those files to their respective
DfsrPrivate\PreExisting folder. If a file is physically identical to a file on the primary member, then
the file is not replicated. If the version of a file on the receiving member is different from the primary
member’s version, the receiving member’s version is moved to the Conflict and Deleted folder, and
RDC can be used to download only the changed blocks.
• To determine whether files are identical on the primary member and receiving member, DFS-R
compares the files using a hash algorithm. If the files are identical, only minimal metadata is
transferred.
• After the initialization of the replicated folder, the primary member designation is removed.
(Initialization takes place after all files that existed prior to the DFS-R configuration are added to the
DFS-R database.) That member is then treated like any other member, and its files are no longer
considered authoritative over other members that have completed initial replication. Any member that
has completed initial replication is considered authoritative over members that have not completed
initial replication.
Demonstration: How to Configure DFS-R
In this demonstration, you will see how to:
• Create a new folder target for replication.
• Create a new replication group.
Demonstration Steps
Create a new folder target for replication
• On LON-SVR1, create a folder target for \\LON-SVR4\Proposal_docs.
Create a new replication group
1. Add the folder to the replication group for LON-SVR1 and LON-SVR4.
2. Declare LON-SVR1 as the primary member, and create a full-mesh replication.
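The replication group from this demonstration, built with the DFSR PowerShell module, as an added example that is not part of the course. The DFSR module first shipped with Windows Server 2012 R2; on Windows Server 2012 itself the same steps are done in DFS Management or with dfsradmin.exe. Server names follow the demonstration; the group name Research-Proposals and the local content path C:\Proposal_docs are assumptions.

```powershell
# Added example (not from the course): replication group for the Proposals folder targets.
# Requires the DFSR module (Windows Server 2012 R2 or later management tools).
Import-Module DFSR

$group   = 'Research-Proposals'           # assumed group name
$folder  = 'Proposals'
$members = 'LON-SVR1', 'LON-SVR4'

# Multipurpose replication group with a single replicated folder and two members.
New-DfsReplicationGroup -GroupName $group -DomainName 'Adatum.com'
New-DfsReplicatedFolder -GroupName $group -FolderName $folder
Add-DfsrMember -GroupName $group -ComputerName $members

# Full mesh between two members is one two-way connection (Add-DfsrConnection creates
# both directions unless -CreateOneWay is given).
Add-DfsrConnection -GroupName $group -SourceComputerName 'LON-SVR1' -DestinationComputerName 'LON-SVR4'

# Local path of the replicated folder on each member (assumed path). LON-SVR1 holds the current
# files, so it is the primary member: authoritative for initial replication only.
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName 'LON-SVR1' `
    -ContentPath 'C:\Proposal_docs' -PrimaryMember $true -Force
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName 'LON-SVR4' `
    -ContentPath 'C:\Proposal_docs' -Force

# Schedule applies to the whole group; replicate around the clock.
Set-DfsrGroupSchedule -GroupName $group -ScheduleType Always

# Initial replication waits for AD DS replication plus each member's 60-minute poll.
# Forcing the poll on both members shortens that wait.
Update-DfsrConfigurationFromAD -ComputerName $members

# Verify the memberships. PrimaryMember reverts to False once initial replication completes.
Get-DfsrMembership -GroupName $group -ComputerName $members |
    Select-Object ComputerName, ContentPath, PrimaryMember, Enabled
```

Any files on LON-SVR4 that do not exist on LON-SVR1 are moved to DfsrPrivate\PreExisting during initial replication, as the topic above describes, so confirm which server really holds the current data before choosing the primary member.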
Troubleshooting DFS
Windows Server 2012 provides a number of tools that you can use to monitor and troubleshoot DFS-R.
The tools include:
• Diagnostic Reports. Use Diagnostic Reports to run a diagnostic report for the following:
o Health Report. Shows extensive replication statistics and reports on replication health and
efficiency.
o Propagation Test. Generates a test file in a replicated folder to verify replication and provide
statistics for the propagation report.
o Propagation Report. Provides information about the progress for the test file that is generated
during a propagation test. This report will ensure that replication is functional.
• Verify Topology. Use Verify Topology to verify and report on the status of the replication group
topology. This will report any members that are disconnected.
• Dfsrdiag.exe. Use this command-line tool to monitor the replication state of the DFS-R service.
Troubleshooting DFS
DFS problems generally fall into one of the following categories:
• Unable to access the DFS namespace. Ensure that both the Net Logon service and DFS service are
running on all servers that are hosting the namespace.
• Inability to find shared folders. If clients cannot connect to a shared folder, use standard
troubleshooting techniques to ensure that the folder is accessible and that clients have permissions.
Remember that clients connect to the shared folder directly.
• Unable to access DFS links and shared folders. Verify that the underlying folder is available and that
the client has permissions on it. If a replica exists, verify whether the problem is related to replication
latency (refer to the following replication latency entry in this list).
• Security-related issue. Remember that the client accesses the shared folder directly. Therefore, you
must verify the shared folder and ACL permissions on the folder.
• Replication latency. Remember that the DFS-R topology is stored in the domain's AD DS.
Consequently, there is some latency before any modification to the DFS-N is replicated to all domain
controllers.
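The checks behind the two troubleshooting topics above, collected into one script as an added example that is not part of the course. It assumes a management station with the DFSN and DFSR modules (DFSR module: Windows Server 2012 R2 or later; dfsrdiag.exe is present on Windows Server 2012), the group name Research-Proposals from the earlier example, and C:\DfsrReports as the report folder; server and share names follow the course demonstration.

```powershell
# Added example (not from the course): DFS troubleshooting checks, one per problem category.
Import-Module DFSN, DFSR

$group   = 'Research-Proposals'            # assumed group name
$folder  = 'Proposals'
$servers = 'LON-SVR1', 'LON-SVR4'
$reports = 'C:\DfsrReports'                # assumed output folder

# Unable to access the namespace: Net Logon and the DFS Namespace service (service name Dfs)
# must be running on every server that hosts the namespace.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Service -Name Netlogon, Dfs | Select-Object MachineName, Name, Status
}

# Cannot find the shared folder / cannot access the link: clients go to the target directly,
# so the target must be Online in the referral and the share itself must answer.
Get-DfsnFolderTarget -Path "\\Adatum.com\Research\$folder" | Select-Object TargetPath, State
Test-Path '\\LON-SVR4\Proposal_docs'

# Security-related: share permissions and the NTFS ACL are both enforced on the target, so show both.
Get-SmbShareAccess -Name 'Proposal_docs' -CimSession 'LON-SVR4'
Get-Acl '\\LON-SVR4\Proposal_docs' | Select-Object -ExpandProperty Access

# Replication latency: files still waiting to replicate in one direction.
Get-DfsrBacklog -GroupName $group -FolderName $folder `
    -SourceComputerName 'LON-SVR1' -DestinationComputerName 'LON-SVR4'

# Propagation test and report (the Diagnostic Report wizard's test file, from the command line).
Start-DfsrPropagationTest -GroupName $group -FolderName $folder -ReferenceComputerName 'LON-SVR1'
Write-DfsrPropagationReport -GroupName $group -FolderName $folder `
    -ReferenceComputerName 'LON-SVR1' -Path $reports

# Health report for the whole group.
Write-DfsrHealthReport -GroupName $group -ReferenceComputerName 'LON-SVR1' -Path $reports

# Dfsrdiag.exe: replication state of the service, and a forced AD DS poll so a member picks up
# a topology change without waiting for its 60-minute polling interval.
dfsrdiag.exe ReplicationState /member:LON-SVR4
dfsrdiag.exe PollAD /member:LON-SVR4
```

A backlog that keeps growing in one direction while the propagation test file never arrives usually points at the connection or schedule rather than at permissions; a share that answers Test-Path but denies a user points at the share or NTFS ACL.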
Lab B: Implementing DFS
Scenario
A. Datum Corporation has deployed a new branch office. This office has a single server. To support
branch staff requirements, you must configure DFS. To avoid the need to perform backups remotely, a
departmental file share in the branch office will be replicated back to the head office for centralized
backup, and branch data files will be replicated to the branch server to provide quicker access.
Objectives
After completing this lab, you will be able to:
• Install the DFS role service.
• Configure a DFS namespace.
• Configure DFS Replication.
Lab Setup
Estimated Time: 45 minutes
Lab Setup
Estimated time: 30 minutes
Virtual Machine(s): 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-SVR4
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-SVR1 and 20411B-LON-SVR4.
Exercise 1: Installing the DFS role service
Scenario
To support the creation of a replicated namespace, you have been asked to perform the installation of the
DFS server role for LON-SVR1 and LON-SVR4.
The main tasks for this exercise are as follows:
1. Install the DFS role service on LON-SVR1.
2. Install the DFS role service on LON-SVR4.
Task 1: Install the DFS role service on LON-SVR1
• On LON-SVR1, from Server Manager, under the File and Storage Management role, install the
DFS Namespaces and DFS Replication role services.
Task 2: Install the DFS role service on LON-SVR4
• On LON-SVR4, in Server Manager, under the File and Storage Management role, install the
DFS Namespaces and DFS Replication role services.
Results: After completing this exercise, you will have installed the DFS role service on LON-SVR1 and
installed the DFS role service on LON-SVR4.
Exercise 2: Configuring a DFS Namespace
Scenario
You have been asked to configure a DFS namespace to support the newly requested file structure.
Management has requested that the new structure meet the following requirements:
• Namespace: \\Adatum.com\BranchDocs
• File shares to include:
o \\LON-SVR4\ResearchTemplates
o \\LON-SVR1\DataFiles
The main tasks for this exercise are as follows:
1. Create the BranchDocs namespace.
2. Enable access-based enumeration for the BranchDocs namespace.
3. Add the ResearchTemplates folder to the BranchDocs namespace.
4. Add the DataFiles folder to the BranchDocs namespace.
5. Verify the BranchDocs namespace.
Task 1: Create the BranchDocs namespace
1. Switch to LON-SVR1 and then open Server Manager.
2. Open DFS Management.
3. Create a new namespace with the following properties:
o Server: LON-SVR1
o Name: BranchDocs
o Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode
4. Under the Namespaces node, verify that the namespace has been created.
Task 2: Enable access-based enumeration for the BranchDocs namespace
• In DFS Management, in the \\Adatum.com\BranchDocs Properties dialog box, on the Advanced
tab, select the Enable access-based enumeration for this namespace check box.
Task 3: Add the ResearchTemplates folder to the BranchDocs namespace
• Add a new folder to the BranchDocs namespace:
o Folder name: ResearchTemplates
o Add a folder target:
   Path: \\LON-SVR4\ResearchTemplates
   Create share
   Local path: C:\BranchDocs\ResearchTemplates
   Permissions: All users have read and write permissions
Task 4: Add the DataFiles folder to the BranchDocs namespace
• Add a new folder to the BranchDocs namespace:
o Folder name: DataFiles
o Add a folder target:
   Path: \\LON-SVR1\DataFiles
   Create share
   Local path: C:\BranchDocs\DataFiles
   Permissions: All users have read and write permissions
Task 5: Verify the BranchDocs namespace
1. On LON-SVR1, open Windows Explorer, in the address bar type \\Adatum.com\BranchDocs\, and then
press Enter.
2. Verify that both ResearchTemplates and DataFiles display, and then close the window.
Results: After completing this exercise, you will have configured a DFS namespace.
Exercise 3: Configuring DFS-R
Scenario
You have been asked to ensure that the files contained in the new DFS namespace are replicated to both
LON-SVR1 and LON-SVR4 to ensure data availability.
The main tasks for this exercise are as follows:
1. Create another folder target for DataFiles.
2. Configure replication for the namespace.
3. To prepare for the next module.
Task 1: Create another folder target for DataFiles
1. In DFS Management, expand Adatum.com\BranchDocs, and then click DataFiles.
2. In the details pane, notice that there is currently only one folder target.
3. Add a new folder target:
o Path to target: \\LON-SVR4\DataFiles
o Create share
o Local path: C:\BranchDocs\DataFiles
o Permissions: All users have read and write permissions
o Create folder
4. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Task 2: Configure replication for the namespace
1. Complete the Replicate Folder Wizard:
o Primary member: LON-SVR1
o No topology
o Use defaults elsewhere, and accept any messages.
2. Create a new replication topology for the namespace:
o Type: Full mesh
o Schedule and bandwidth: Use default settings
3. In the details pane, on the Memberships tab, verify that the replicated folder displays on both
LON-SVR4 and LON-SVR1.
Task 3: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR1 and 20411B-LON-SVR4.
Results: After completing this exercise, you will have configured DFS-R.
Question: What are the requirements for deploying a namespace in Windows Server 2008 mode?
Question: What are the benefits of hosting a namespace on several namespace servers?
Module Review and Takeaways
Review Questions
Question: How do FSRM templates for quotas and file screens provide a more efficient
FSRM management experience?
Question: Why does DFS-R make a more efficient replication platform than FRS?
Module 11
Configuring Encryption and Advanced Auditing
Contents:
Module Overview 11-1
Lesson 1: Encrypting Files by Using Encrypting File System 11-2
Lesson 2: Configuring Advanced Auditing 11-6
Lab: Configuring Encryption and Advanced Auditing 11-13
Module Review and Takeaways 11-17
Module Overview
As an administrator of the Windows Server® 2012 operating system, you should ensure the continued
security of the files and folders on your servers. You can encrypt sensitive files by using native Windows
Server 2012 tools. However, you must be aware of some considerations and implementation methods in
order to provide a reliable environment.
By using Windows Server 2012, you can understand how files and folders are being used on your
Windows Server 2012 computers. You can also audit file and folder access. Auditing file and folder access
can give you insight into general usage, and more critical information, such as unauthorized usage
attempts.
This module describes the Windows Server 2012 tools that can help you to provide increased file system
security on your servers.
Objectives
After completing this module, you will be able to:
• Encrypt files by using EFS.
• Configure advanced auditing.
Lesson 1
Encrypting Files by Using Encrypting File System
Encrypting File System (EFS) is a built-in component of the NTFS file system that enables encryption and
decryption of file and folder contents on an NTFS volume. It is important to understand how EFS works
before implementing EFS in your environment. You should also know how to recover the encrypted files,
and troubleshoot issues when EFS encryption does not work properly.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe EFS.
• Explain how EFS works.
• Explain how to recover EFS–encrypted files.
• Explain how to encrypt a file by using EFS.
What Is EFS?
EFS is a feature that can encrypt files that are stored on an NTFS formatted partition. By default, this
option is available to all users. You can also use EFS to encrypt files on a file share.
After a file is encrypted by using EFS, it can only be accessed by authorized users. If a user is authorized,
then access to the file is transparent and it can be opened like an unencrypted file. If a user is not
authorized, attempts to open the file will result in an access denied message.
EFS encryption acts as an additional layer of security in addition to NTFS permissions. If users are given
NTFS permission to read a file, they must still be authorized by EFS to decrypt the file.
The default configuration of EFS requires no administrative effort. Users can begin encrypting files
immediately, and EFS automatically generates a user certificate with a key pair for a user if one does not
already exist. Using a certification authority (CA) to issue user certificates enhances manageability of the
certificates.
You can disable EFS on client computers by using Group Policy. In the Properties of the policy, navigate to
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File
System, and then click Don’t allow.
Note: If you are not using certificates from a CA and you want to allow EFS to be used on a
file share, then you must configure the file server computer account to be trusted for delegation.
Domain controllers are trusted for delegation by default.
How EFS Works
EFS uses a combination of public-key and symmetric-key encryption to protect files from attack. EFS uses
a symmetric key to encrypt the file, and a public key to protect the symmetric key.
Symmetric key encryption uses the same key to encrypt and then decrypt a file. This type of encryption is
faster and stronger than public key encryption. Because it is difficult to secure the symmetric key during a
cross-network transfer, it requires additional security. Symmetric key encryption is the typical method for
encrypting large amounts of data.
EFS uses public key encryption to protect the symmetric key that is required to decrypt the file contents.
Each user certificate contains a private key and a public key that is used to encrypt the symmetric key.
Only the user with the certificate and its private key can decrypt the symmetric key.
The file encryption process is as follows:
1. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is
encrypted with the user’s public key, and the encrypted FEK is then stored with the file. This ensures
that only the user who has the matching EFS encryption private key can decrypt the file. After a user
encrypts a file, the file remains encrypted for as long as it is stored on the disk.
2. To decrypt files, the user can open the file, remove the encryption attribute, or decrypt the file by
using the cipher command. When this occurs, EFS decrypts the FEK with the user’s private key, and
then decrypts the data by using the FEK.
Note: In addition to the user that encrypted the file, additional copies of the symmetric key
are encrypted with the recovery agent public key, and are available to any other authorized users.
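To make the key layering above concrete, the following added example (not course code, and not the EFS implementation itself) models it with the .NET cryptography classes from PowerShell: a random symmetric FEK encrypts the data, and one RSA-wrapped copy of the FEK is stored per authorized public key, the owner's and the recovery agent's. In real EFS those wrapped copies live in the file's $EFS attribute and the keys come from certificates; here the key pairs are generated in memory, and the names Doug, Alex and the recovery agent are taken from the demonstration later in this lesson.

```powershell
# Added example (not from the course): the EFS key layering modelled with .NET crypto classes.
# Keys are generated in memory; real EFS takes them from user and recovery agent certificates.

function Get-PublicKey([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair) {
    # The public half only, which is all an encrypting party needs (the content of a certificate).
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))   # $false = no private parameters
    return $pub
}

function Protect-FileContent {
    param([byte[]]$Plain, [hashtable]$PublicKeys)   # name -> RSA public key of each authorized party
    $aes = [System.Security.Cryptography.Aes]::Create()       # AES-256 CBC with PKCS7 padding by default
    $aes.GenerateKey(); $aes.GenerateIV()                     # a fresh FEK and IV for this file only
    $fek = $aes.Key; $iv = $aes.IV                            # Key/IV getters return copies
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $aes.Dispose()
    # One RSA-OAEP-wrapped copy of the FEK per authorized public key ($true = OAEP padding).
    # EFS stores these as a DDF entry per user and a DRF entry per recovery agent.
    $wrapped = @{}
    foreach ($name in $PublicKeys.Keys) { $wrapped[$name] = $PublicKeys[$name].Encrypt($fek, $true) }
    [Array]::Clear($fek, 0, $fek.Length)                      # the plaintext FEK is never stored
    return @{ CipherText = $cipherText; IV = $iv; WrappedKeys = $wrapped }
}

function Unprotect-FileContent {
    param([hashtable]$Blob, [string]$Name,
          [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    if (-not $Blob.WrappedKeys.ContainsKey($Name)) {
        throw "Access denied: no encrypted FEK copy exists for $Name"   # what EFS reports to Alex
    }
    # Only the matching private key unwraps this copy; any other key raises CryptographicException.
    $fek = $PrivateKey.Decrypt($Blob.WrappedKeys[$Name], $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    $aes.Dispose()
    return ,$plain
}

# Key pairs for the file owner, the recovery agent and an unrelated user (in-memory stand-ins for certificates).
$doug  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$agent = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$alex  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# Encrypting a file wraps the FEK for the owner and for the recovery agent in one step.
$authorized = @{ 'Adatum\Doug' = Get-PublicKey $doug; 'EFS recovery agent' = Get-PublicKey $agent }
$blob = Protect-FileContent -Plain ([Text.Encoding]::UTF8.GetBytes('My secret data')) -PublicKeys $authorized

[Text.Encoding]::UTF8.GetString((Unprotect-FileContent $blob 'Adatum\Doug' $doug))          # owner reads
[Text.Encoding]::UTF8.GetString((Unprotect-FileContent $blob 'EFS recovery agent' $agent))  # recovery works
try { Unprotect-FileContent $blob 'Adatum\Alex' $alex } catch { Write-Warning $_.Exception.Message }  # denied
```

The point the model makes visible is that adding a recovery agent later does nothing for this blob: its WrappedKeys were fixed when it was encrypted, which is why the next topic says existing files must be accessed and saved again after a new recovery agent is configured.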
Recovering EFS–Encrypted Files
If a user who encrypted a file by using EFS loses the private key for any reason, then you need a method
for recovering the EFS–encrypted file. The private key is part of a user certificate that is used for
encryption. Backing up a user certificate is one method for recovering EFS–encrypted files. The backed-up
user certificate can be imported into another profile and you can use it to decrypt the file. However, this
method is difficult to implement when there are many users.
A better method for recovering EFS-encrypted files is to make use of a recovery agent. A recovery agent is
an individual who is authorized to decrypt all EFS encrypted files. The default recovery agent is the domain
administrator. However, you can delegate the recovery agent role to any user.
When you add a new recovery agent through Group Policy, the agent is added automatically to all
newly encrypted files, but the agent is not automatically added to the existing encrypted files. Because
the recovery agent for a file is set at the time that the file is encrypted, an encrypted file must be accessed
and saved to update the recovery agent.
To back up the recovery agent certificate, you should always export the certificate with the private key
and keep it in a secure location. The two reasons to back up the private key for the recovery agent (or the
recovery key) are:
• To secure against system failure. The domain administrator key that is used by default for EFS
recovery is stored only on the first domain controller in the domain. If anything happened to this
domain controller, EFS recovery would be impossible.
• To make the recovery key portable. The recovery key is not automatically available to the recovery
agent on all computers. The recovery key must be installed in the recovery agent’s profile. If roaming
profiles are not used, then exporting and importing the recovery key is a method to update the
recovery agent’s profile on a particular computer.
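The recovery and backup tasks from the last two topics as commands, collected as an added example that is not part of the course. cipher.exe and its switches are standard Windows tools; the file path, the backup and recovery output paths, and running the script as the file's owner are assumptions.

```powershell
# Added example (not from the course): EFS encryption, certificate backup and recovery agent tasks.
# Assumed: run as the user who owns the file; D:\Backup and C:\Recovery exist.
$file = 'C:\Users\Doug\Documents\MyEncryptedFile.docx'

# Encrypt one file (same result as the Encrypt attribute in the file's properties).
cipher.exe /e $file

# Show who can decrypt it: the user certificate(s) and the recovery agent certificate(s)
# whose public keys wrap this file's FEK.
cipher.exe /c $file

# Back up the user certificate with its private key. EFS certificates carry the EKU
# 1.3.6.1.4.1.311.10.3.4 (Encrypting File System). The PFX decrypts everything this
# user encrypted, so store it offline and protect the password.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate in the user store: nothing has been encrypted yet' }
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $efsCert -FilePath 'D:\Backup\Doug-EFS.pfx' -Password $pfxPassword

# Recovery agent: generate a recovery certificate. The .cer is published as the data recovery
# agent through Group Policy; the .pfx holds the private key and stays offline.
cipher.exe /r:C:\Recovery\EfsRecoveryAgent

# Existing files keep only the recovery agent that was current when they were encrypted.
# /u rewrites the wrapped FEK copies of every encrypted file on local drives to the current
# user and recovery keys; /n only lists the files that would be updated.
cipher.exe /u /n
cipher.exe /u

# Inventory: every encrypted file under a path (the Encrypted file attribute bit).
Get-ChildItem C:\Users\Doug -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object FullName
```

Running cipher.exe /u after a recovery agent change is the scripted equivalent of the "access and save" step above, and the /n dry run shows how many files it will touch before any are rewritten.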
Demonstration: Encrypting a File by Using EFS
This demonstration shows how to:
• Verify that a computer account supports EFS on a network share.
•
Use EFS to encrypt a file on a network share.
• View the certificate used for encryption.
• Test access to an encrypted file.
Demonstration Steps
Verify that a computer account supports EFS on a network share1. On LON-DC1, open Active Directory Users and Computers.
2.
Verify that that LON-DC1 is trusted for delegation to any service.
Use EFS to encrypt a file on a network share
1. Log on to LON-CL1 as Adatum\Doug with a password of Pa$$w0rd.
2.
Navigate to \\LON-DC1\Mod11Share.
3.
Create a new Microsoft® Word document named MyEncryptedFile.
4. Open MyEncryptedFile, type My secret data, and then save the file.
5.
Encrypt MyEncryptedFile.
6.
Log off of LON-CL1.
View the certificate used for encryption
1. On LON-DC1, navigate to C:\Users\. Notice that Doug has a profile on the computer. This is where
the self-signed certificate is stored. It cannot be viewed in the Microsoft Management Console (MMC)
Certificates snap-in unless Doug logs on locally to the server.
2. Navigate to C:\Users\Doug\AppData\roaming\Microsoft\SystemCertificates\My\Certificates.
This is the folder that stores the self-signed certificate for Doug.
Test access to an encrypted file
1. Log on to LON-CL1 as Adatum\Alex.
2. Attempt to open \\LON-DC1\Mod11Share\MyEncryptedFile by using Microsoft Word. The
attempt will fail because the file is encrypted by Doug.
Lesson 2
Configuring Advanced Auditing
Auditing logs report a variety of activities in your enterprise to the Windows® Security Log. You can
then monitor these auditing logs to identify issues that warrant further investigation. Auditing can log
successful activities as well, to provide documentation of changes. It can also log failed and potentially malicious attempts to access enterprise resources. When configuring auditing, you will specify audit
settings, enable an audit policy, and then monitor events in the security logs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe audit policies.
• Explain how to specify audit settings for a file or folder.
• Explain how to enable audit policy.
• Explain how to evaluate events in the security log.
• Describe the advanced audit policy configuration.
• Explain how to configure advanced auditing.
Overview of Audit Policies
Audit policy configures a system to audit
categories of activities. If audit policy is not
enabled, a server will not audit those activities.
You can view audit policies in Group Policy,
under Computer Configuration. In Computer Configuration, expand Policies\Windows Settings
\Security Settings\Local Policies, and then click
Audit Policy. To configure auditing, you must
define the policy setting. In the Group Policy
Management Editor, double-click any policy
setting, and select the Define These Policy
Settings check box. Then, select whether to
enable auditing of Success events, Failure events, or both.
The following table defines each audit policy and its default settings on a Windows Server 2012 domain
controller.
Audit policy setting: Audit Account Logon Events
Description: Creates an event when a user or computer attempts to authenticate by using an Active Directory® account. For example, when a user logs on to any computer in the domain, an account logon event is generated.
Default setting: Successful account logons are audited.
Audit policy setting: Audit Logon Events
Description: Creates an event when a user logs on interactively (locally) to a computer or over the network (remotely). For example, if a workstation and a server are configured to audit logon events, the workstation audits a user logging on directly to that workstation. When the user connects to a shared folder on the server, the server logs that remote logon. When a user logs on, the domain controller records a logon event because logon scripts and policies are retrieved from the domain controller.
Default setting: Successful logons are audited.
Audit policy setting: Audit Account Management
Description: Audits events, including the creation, deletion, or modification of user, group, or computer accounts, and the resetting of user passwords.
Default setting: Successful account management activities are audited.
Audit policy setting: Audit Directory Service Access
Description: Audits events that are specified in the system access control list (SACL), which is seen in an Active Directory object’s Properties Advanced Security Settings dialog box. In addition to defining the audit policy with this setting, you must also configure auditing for the specific object or objects by using the SACL of the object or objects. This policy is similar to the Audit Object Access policy that you use to audit files and folders, but this policy applies to Active Directory objects.
Default setting: Successful directory service access events are audited, but few objects’ SACLs specify audit settings.
Audit policy setting: Audit Policy Change
Description: Audits changes to user rights assignment policies, audit policies, or trust policies.
Default setting: Successful policy changes are audited.
Audit policy setting: Audit Privilege Use
Description: Audits the use of a privilege or user right. See the explanatory text for this policy in the Group Policy Management Editor.
Default setting: No auditing is performed by default.
Audit policy setting: Audit System Events
Description: Audits system restart, shutdown, or changes that affect the system or security logs.
Default setting: Successful system events are audited.
Audit policy setting: Audit Process Tracking
Description: Audits events such as program activation and process exit. See the explanatory text for this policy in the Group Policy Management Editor.
Default setting: No events are audited.
Audit policy setting: Audit Object Access
Description: Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs. In addition to enabling this audit policy, you must configure the auditing entries in objects’ SACLs.
Default setting: No events are audited.
Notice that most major Active Directory events are already audited by domain controllers, assuming that
the events are successful. Therefore, the creation of a user, the resetting of a user’s password, the logon to
the domain, and the retrieval of a user’s logon scripts are all logged.
However, not all failure events are audited by default. You might need to implement additional failure
auditing based on your organization’s IT security policies and requirements. For example, if you audit
failed account logon events, you can expose malicious attempts to access the domain by repeatedly trying
to log on as a domain user account without yet knowing the account’s password. Auditing failed account
management events can reveal a malicious user who is attempting to manipulate the membership of a
security-sensitive group.
One of the most important tasks you must perform is to balance and align the audit policy with your
corporate policies, and with what is realistic. Your corporate policy might state that all failed logons
and successful changes to Active Directory users and groups must be audited. That is easy to achieve in
Active Directory Domain Services (AD DS). But how, exactly, are you going to use that information?
Verbose auditing logs are useless if you do not know how, or do not have the tools, to manage those logs
effectively. To implement auditing, you must have a well-configured audit policy, and have the tools with
which to manage audited events.
Specifying Auditing Settings on a File or Folder
Many organizations elect to audit file system
access to provide insight into resource usage and
potential security issues. Windows Server 2012
supports granular auditing based on user or
group accounts and the specific actions
performed by those accounts. To configure
auditing, you must complete three steps: specify auditing settings, enable audit policy,
and evaluate events in the security log.
You can audit access to a file or folder by adding
auditing entries to its SACL. To do this, perform
the following steps:
1. Open the properties dialog box of the file or folder, and then click the Security tab.
2. On the Security tab, click Advanced.
3. Click Auditing.
4. To add an entry, click Edit. This opens the Auditing tab in Edit mode.
5. Click Add to select the user, group, or computer to audit.
6. In the Auditing Entry dialog box, indicate the type of access to audit.
Considerations for Configuring Auditing for Files and Folders
You can audit for successes, failures, or both as the specified user, group, or computer attempts to access
the resource by using one or more of the granular access levels.
You can audit successes for the following purposes:
• To log resource access for reporting and billing.
• To monitor access that would suggest users are performing actions greater than what you had
planned, indicating that permissions are too generous.
• To identify access that is out of character for a particular account, which might be a sign that a user
account has been breached by a hacker.
You can audit failed events for the following purposes:
• To monitor for malicious attempts to access a resource to which access has been denied.
• To identify failed attempts to access a file or folder to which a user does require access. This would
indicate that the permissions are not sufficient to meet a business requirement.
Auditing entries directs Windows operating systems to audit the successful or failed activities of a security
principal (user, group, or computer) to use a specific permission. Full Control includes all individual access
levels, so this entry covers any type of access. For example, if you assign Full Control to the Consultant
group, and if a Consultant group member attempts access of any kind and fails, this activity will be
logged.
Typically, auditing entries reflect the permission entries for the object, but auditing entries and permissions entries may not always match. In the above scenario, keep in mind that a member of the
Consultants group can also belong to another group that does have permission to access the folder.
Because that access will be successful, the activity is not logged. Therefore, if you are concerned about
restricting folder access and ensuring that users do not access it in any way, you should monitor failed
access attempts. However, you should also audit successful access to identify situations in which a user is
accessing the folder through another group membership that is potentially incorrect.
Note: Audit logs can get large quite rapidly. Therefore, configure the bare minimum
required to achieve your company’s security objective. When you specify to audit the successes
and failures on an active data folder for the Everyone group by using Full Control (all
permissions), this generates enormous audit logs that could affect the performance of the server, and can make locating a specific audit event almost impossible.
Enabling Audit Policy
Configuring auditing entries in the security
descriptor of a file or folder does not, in itself,
enable auditing. Auditing must be enabled by
defining the appropriate Audit object access
policy setting within Group Policy.
After auditing is enabled, the security subsystem begins to log access as directed by the audit
settings.
The policy setting must be applied to the server
that contains the object that is being audited.
You can configure the policy setting in the server’s
local Group Policy Object (GPO), or you can use a
GPO that is scoped to the server.
You can define the policy then to audit Success events, Failure events, or both. The policy setting must
specify auditing of Success or Failure attempts that match the type of auditing entry in the object’s SACL.
For example, to log a failed attempt by Consultants to access the Confidential Data folder, you must
configure the Audit object access policy to audit failures, and you must configure the SACL of the Confidential Data folder to audit failures. If the audit policy audits successes only, the failure entries in the
folder’s SACL will not trigger logging.
Locating Audit Policy Settings
In Group Policy Management in AD DS, there is a group of standard settings in a GPO that control audit
behavior. This set of audit policy settings is found under Computer Configuration, in the following node:
Windows Settings\Security\Local Policies\Audit Policy. The audit policy settings govern the following
basic settings:
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events
Note: Remember that audited and logged access is the combination of the settings in audit
policy and the audit entries on specific files and folders. If you have configured audit entries to
log failures, but the policy enables only logging for successes, your audit logs will remain empty.
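The following Windows PowerShell script is an added example and is not part of the course material. It performs the two halves that the note above says must agree: it adds a Failure auditing entry for a group to a folder's SACL (the Consultants / Confidential Data scenario from the preceding topics), verifies the entry, and then reads the effective audit policy for the File System subcategory so that a SACL that audits failures is not paired with a policy that audits successes only. The folder path and group name are constructed for this example.

```powershell
# Added example, not part of the course: add a Failure auditing entry for a group to a
# folder's SACL, then check that the audit policy side matches, because the SACL alone
# logs nothing. Folder path and group name are constructed for this example.
# Run as an administrator: writing audit entries needs the "Manage auditing and security
# log" user right.
$folder    = 'C:\Data\Confidential'
$principal = 'ADATUM\Consultants'

# 1. Specify the auditing entry on the object. Get-Acl -Audit is required so that the
#    returned security descriptor includes the SACL rather than only the DACL.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,        # covers every access type
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure                    # denied attempts only
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2. Verify that the SACL now carries the entry.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 3. Check the policy side. A Failure entry in the SACL produces events only if the
#    effective policy audits failures for the File System subcategory (Object Access).
#    auditpol reports the effective setting, whichever GPO or local policy defined it.
auditpol /get /subcategory:"File System"

# If the output reads "Success" only or "No Auditing", denied attempts are silently dropped.
# On a domain member, enable Failure auditing in the GPO scoped to the server rather than
# with auditpol /set, because the next Group Policy refresh overwrites a local change.
```

A member of Consultants who reaches the folder through a second group that does have permission produces no event with this entry, exactly as the preceding topic warns; add a Success entry as well if that case matters to you.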
Evaluating Events in the Security Log
After you have enabled the Audit Object Access
Policy setting and specified the access you want
to audit by using object SACLs, the system begins
to log access according to the audit entries. You
can view the resulting events in the server’s
security log. To do this, in Administrative Tools,
open the Event Viewer console, and then expand
Windows Logs\Security.
In the security log, audit events are represented as
either Audit Success or Audit Failure Event Types.
The Details field of each event will contain the
relevant information, depending on what type of event was audited. Many audit categories will return a large number of events. These events can be
tedious to navigate, so event filtering is recommended. You can filter based on the details field, and
include appropriate information, such as the name of a user or the name of a file or folder that is being
audited.
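The following Windows PowerShell script is an added example and is not part of the course material. It does the filtering recommended above from the command line: it reads object access events from the Security log and narrows them to one file by name. Event 4663 is written by the File System subcategory (local object access through a SACL); event 5145 is written by Detailed File Share, the setting enabled in this module's lab, and names the share and the share-relative path instead. The file name and time window are constructed for this example, and the event ID meanings are standard Windows values that are not listed on this page.

```powershell
# Added example, not part of the course: read object-access audit events from the Security
# log and narrow them to one file. Event 4663 = File System subcategory (local object
# access); event 5145 = Detailed File Share (access to a share over the network).
# The file name and time window are constructed for this example.
$fileName = 'Testfile.txt'
$since    = (Get-Date).AddHours(-24)

function Get-EventDataTable {
    # Flatten the event's <EventData><Data Name="..."> elements into a hashtable,
    # so fields can be read by name instead of by position.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# FilterHashtable is evaluated by the event log service, which is far faster than
# piping every Security event through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 5145
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $d = Get-EventDataTable -Event $e
    # 4663 carries the local path; 5145 carries the share and the share-relative path.
    $object = if ($e.Id -eq 4663) { $d['ObjectName'] } else { "$($d['ShareName'])\$($d['RelativeTargetName'])" }
    if ($object -notlike "*\$fileName") { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Client  = $d['IpAddress']       # populated on 5145 only (network source address)
        Process = $d['ProcessName']     # populated on 4663 only (local accessing process)
        Access  = $d['AccessMask']
        Object  = $object
    }
}

$hits | Sort-Object -Property Time | Format-Table -AutoSize
```

The same approach, with the Id list widened to the events your policy enables, is how to confirm that a newly applied audit GPO is producing events at all before relying on it.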
Advanced Audit Policies
In Windows Server 2012 and Windows Server
2008 R2, administrators can audit more specific
aspects of client behavior on the computer or
network. This makes it easier for the administrator
to identify the behaviors that are of greatest
interest. For example, in Computer Configuration
\Policies\Windows Settings\Security Settings
\Local Policies\Audit Policy, there is only one
policy setting—Audit logon events—for logon
events. In Computer Configuration\Policies
\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies, you can
instead choose from ten different policy settings in the Logon/Logoff category. This provides you with a
more detailed control of what aspects of logon and logoff you can track.
These security auditing enhancements can help your organization’s audit compliance with important
business-related and security-related rules by tracking precisely defined activities, such as:
• A group administrator who has modified settings or data on servers that contain finance information.
• An employee within a defined group who has accessed an important file.
• That the correct SACL is applied to every file and folder or registry key on a computer or file share, as a verifiable safeguard against undetected access.
Understanding Advanced Audit Policy Settings
There are ten groups of advanced audit policy settings that you can configure in Group Policy for
Windows Server 2012:
• Account Logon. These settings enable auditing the validation of credentials, and other Kerberos-
specific authentication and ticket operation events.
• Account Management. You can enable auditing for events relating to the modification of user
accounts, computer accounts, and groups with the Account Management group of settings.
• Detailed Tracking. These settings control auditing of encryption events, Windows process creation and
termination events, and remote procedure call (RPC) events.
• DS Access. These audit settings involve access to Directory Services, including general access, changes,
and replication.
• Logon/Logoff. Standard logon and logoff events are audited by this group of settings. Other account-
specific activity, such as Internet Protocol security (IPsec), Network Policy Server, and other
uncategorized logon and logoff events, is also audited.
• Object Access. These settings enable auditing for any access to AD DS, registry, application, and file
storage.
• Policy Change. When you configure these settings, internal changes to audit policy settings are
audited.
• Privilege Use. Within the Windows environment, Windows Server 2012 audits attempts of privilege
use, when you configure these settings.
• System. System settings are used for auditing changes to the state of the security subsystem.
• Global Object Access Auditing. These settings are for controlling the SACL settings for all objects on
one or more computers. When settings in this group are configured and applied with Group Policy,
SACL membership is determined by the configuration of the policy setting, and the SACLs are
configured directly on the server itself. You can configure SACLs for file system and registry access
under Global Object Access Auditing.
Demonstration: Configuring Advanced Auditing
This demonstration shows how to create and edit a GPO for audit policy configuration.
Demonstration Steps
Create and edit a GPO for audit policy configuration
1. On LON-DC1, open Group Policy Management.
2. Create a new GPO called File Audit.
3. Edit the File Audit GPO, and enable Success and Failure audit events for the Audit Detailed File
Share and Audit Removable Storage settings.
4. Close Group Policy Management.
Lab: Configuring Encryption and Advanced Auditing
Scenario
A. Datum is a global engineering and manufacturing company with head office based in London, United
Kingdom. An IT office and data center are located in London to support the London location and other
locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
You have been asked to configure the Windows Server 2012 environment to protect sensitive files, and to
ensure that access to files on the network is audited appropriately. You have also been asked to configure
auditing for the new server.
Objectives
After completing this lab, you will be able to:
• Encrypt and recover files by using EFS management tools.
• Configure advanced auditing.
Lab Setup
Estimated Time: 40 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-CL1, 20411B-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-CL1 and 20411B-LON-SVR1.
Exercise 1: Encrypting and Recovering Files
Scenario
Your organization wants to allow users to start encrypting files with EFS. However, there are concerns
about recoverability. To enhance the management of the certificates used for EFS, you are going to
configure an internal CA to issue certificates to users. You will also configure a recovery agent for EFS, and verify that the recovery agent can recover files.
The main tasks for this exercise are as follows:
1. Update the recovery agent certificate for the Encrypting File System (EFS).
2. Update Group Policy on the computers.
3. Obtain a certificate for EFS.
4. Encrypt a file.
5. Use the recovery agent to open the file.
Task 1: Update the recovery agent certificate for the Encrypting File System (EFS)
1. On LON-DC1, from Server Manager, open the Group Policy Management administrative tool.
2. Edit the Default Domain Policy that is linked to Adatum.com.
3. In the Group Policy Management Editor, browse to Computer Configuration\Policies
\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.
4. In the Encrypting File System folder, delete the existing Administrator certificate.
5. Create a new Data Recovery Agent.
6. Read the information about the new certificate, and verify that it was issued by AdatumCA.
Task 2: Update Group Policy on the computers
1. On LON-DC1, use the Windows PowerShell® command-line interface to run gpupdate /force.
2. On LON-CL1, open a command prompt and run gpupdate /force.
3. Log off of LON-CL1.
Task 3: Obtain a certificate for EFS
1. On LON-CL1, log on as Adatum\Doug with a password of Pa$$w0rd.
2. Run mmc.exe to open an empty MMC console.
3. Add the Certificates snap-in to the MMC console.
4. In the MMC console, right-click Personal, and request a new certificate.
5. Select a Basic EFS certificate.
6. Verify that the new certificate was issued by AdatumCA.
7. Close the console, and do not save the changes.
Task 4: Encrypt a file
1. On LON-CL1, browse to \\LON-DC1\Mod11Share\Marketing.
2. Open the properties of DougFile.
3. Enable encryption in the advanced attributes for only the DougFile.
4. Close Windows Explorer.
5. Log off of LON-CL1.
Task 5: Use the recovery agent to open the file
1. On LON-DC1, browse to E:\Labfiles\Mod11\Mod11Share\Marketing.
2. Open DougFile.txt, modify the contents, and then save the file.
Results: After completing this exercise, you will have encrypted and recovered files.
Exercise 2: Configuring Advanced Auditing
Scenario
Your manager has asked you to track all access to file shares that are stored on LON-SVR1. You also need
to be aware of any time a user accesses a file on a removable storage device that is attached to the server.
You have decided to implement the appropriate object access settings by using Advanced audit policy
Configuration.
The main tasks for this exercise are as follows:
1. Create a Group Policy Object (GPO) for advanced auditing.
2. Verify audit entries.
Task 1: Create a Group Policy Object (GPO) for advanced auditing
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. Create a new OU in Adatum.com named File Servers.
3. Move LON-SVR1 from the Computers container to the File Servers OU.
4. On LON-DC1, open Group Policy Management.
5. Create a new GPO called File Audit, and link it to the File Servers OU.
6. Edit the File Audit GPO and, under Computer Configuration, browse to the Advanced Audit Policy
Configuration\Audit Policies\Object Access node.
7. Configure both the Audit Detailed File Share and Audit Removable Storage settings to record Success and Failure events.
8. Restart LON-SVR1 and log on as Adatum\Administrator with a password of Pa$$w0rd.
Task 2: Verify audit entries
1. Log on to LON-CL1 as Adatum\Allan with a password of Pa$$w0rd.
2. Open Windows Explorer, and navigate to \\LON-SVR1\Mod11.
3. Open Testfile.txt in Notepad, and then close Notepad.
4. Switch to LON-SVR1.
5. Open Event Viewer, and view the Audit Success events in the Security Log.
6. Double-click one of the log entries with a Source of Microsoft Windows security auditing, and a
Task Category of Detailed File Share.
7. Click the Details tab, and note the access that was performed.
Results: After completing this exercise, you will have configured advanced auditing.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR1 and 20411B-LON-CL1.
Module Review and Takeaways
Review Questions
Question: Some users are encrypting files that are stored on network shares to protect them
from other departmental users with NTFS permissions to those files. Is this an effective way
to prevent users from viewing and modifying those files?
Question: Why might EFS be considered a problematic encryption method in a widely-
distributed network file server environment?
Question: You have configured an audit policy by using Group Policy to apply to all of the
file servers in your organization. After enabling the policy and confirming that the Group
Policy settings are being applied, you discover that no audit events are being recorded in the
event logs. What is the most likely reason for this?
Tools
Tool: Group Policy Management Console
Used to: Manage GPOs containing audit policy settings
Where to find it: Server Manager - Tools
Tool: Event Viewer
Used to: View audit policy events
Where to find it: Server Manager - Tools
12-1
Module 12
Implementing Update Management
Contents:
Module Overview 12-1
Lesson 1: Overview of WSUS 12-2
Lesson 2: Deploying Updates with WSUS 12-5
Lab: Implementing Update Management 12-9
Module Review and Takeaways 12-13
Module Overview
Windows Server® Update Services (WSUS) improves security by applying security updates to servers in
a timely way. It provides the infrastructure to download, test, and approve security updates. Applying
security updates quickly helps prevent security incidents that are a result of known vulnerabilities. While
implementing WSUS, you must keep in mind the hardware and software requirements for WSUS, the
settings to configure, and the updates to approve or remove according to your organization’s needs.
Objectives
After completing this module, you will be able to:
• Describe the role of WSUS.
• Deploy updates with WSUS.
Lesson 1
Overview of WSUS
The WSUS role provides a central management point for updates to your Windows® operating system
computers. By using WSUS, you can create a more efficient update environment in your organization,
and stay better informed of the overall update status of the computers on your network. This lesson introduces you to WSUS, and describes the key features of the WSUS server role.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe WSUS.
• Explain the WSUS update management process.
• Identify the server requirements for WSUS.
What Is WSUS?
WSUS is a server role included in the
Windows Server 2012 operating system that
downloads and distributes updates to Windows
clients and servers. WSUS can obtain updates
that are applicable to the operating system
and common Microsoft applications such as
Microsoft® Office and Microsoft SQL Server®.
In the simplest configuration, a small organization
can have a single WSUS server that downloads
updates from Microsoft Update. The WSUS server then distributes the updates to computers that are
configured to obtain automatic updates from the
WSUS server. You must approve the updates before clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that are used for testing updates.
WSUS can generate reports to help with monitoring of update installation. These reports can identify
which computers have not applied recently approved updates. Based on these reports, you can
investigate why updates are not being applied.
The WSUS Update Management Process
The update management process allows you to
manage and maintain WSUS and the updates
retrieved by WSUS. This process is a continuous
cycle during which you can reassess and adjust
the WSUS deployment to meet changing needs.
The four phases in the update management
process are:
• Assess
• Identify
• Evaluate and plan
• Deploy
The Assess Phase
The goal for the assess phase is to set up a production environment that supports update management
for routine and emergency scenarios. The assess phase is an ongoing process that you use to determine
the most efficient topology for scaling the WSUS components. As your organization changes, you might
identify the need to add more WSUS servers in different locations.
The Identify Phase
The identify phase is concerned with identifying new updates that are available and determining whether
they are relevant to the organization. You have the option to configure WSUS to retrieve all updates
automatically, or to retrieve only specific types of updates. WSUS also identifies which updates are
relevant to registered computers.
The Evaluate and Plan Phase
After relevant updates have been identified, you need to evaluate whether they work properly in your
environment. It is always possible that the specific combination of software in your environment might
have problems with an update.
To evaluate updates, you should have a test environment in which you can apply updates to verify proper
functionality. During this time, you might identify dependencies that enable an update to function
properly, and you can plan any changes that need to be made.
The Deploy Phase
After you have thoroughly tested an update and determined any dependencies, you can approve it for
deployment in the production network. Ideally, you should approve the update for a pilot group of
computers before approving the update for the entire organization.
Server Requirements for WSUS
You can use Server Manager to install and
configure the WSUS server role. However, for you
to be able to implement WSUS, your server must
meet some minimum hardware and software
requirements.
The software required for WSUS 3.0 SP2 includes:
• Windows Server 2012, Windows Server 2008
R2, Windows Server 2008 Service Pack 1 (SP1)
or newer, Windows Server 2003 SP1 or newer,
Windows Small Business Server 2008, or
Windows Small Business Server 2003
• Internet Information Services (IIS) 6.0 or newer
• Microsoft .NET Framework 2.0 or newer
• Microsoft Management Console (MMC) 3.0
• Microsoft Report Viewer Redistributable 2008 or newer
• SQL Server 2012, SQL Server 2008, SQL Server 2005 SP2, or Windows Internal Database
The minimum hardware requirements for WSUS are approximately the same as the minimum hardware
requirements for Windows Server operating systems. However, you must consider disk space as part of
your deployment. A WSUS server requires about 10 gigabytes (GB) of disk space, and you should allocate
at least 30 GB of disk space for the downloaded updates.
A single WSUS server can support thousands of clients. For example, a single WSUS server with 4 GB of
RAM and dual quad-core CPUs can support up to 100,000 clients. However, in most cases, an organization
with that many clients will likely have multiple WSUS servers to reduce the load on wide area network
(WAN) links.
Lesson 2
Deploying Updates with WSUS
This lesson explains the specifics of deploying updates with WSUS to client computers. Deploying
updates to Windows Update clients through WSUS can provide numerous benefits. You can configure
updates to be downloaded, approved, and installed automatically, without administrator input.
Alternatively, you can exercise more control over the update process and provide a controlled environment
in which to deploy updates. You can perform testing on an isolated test computer group before
approving an update for your entire organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to configure the Automatic Updates feature to use WSUS.
• Explain how to administer WSUS.
• Identify computer groups in WSUS.
• Describe the options for approving WSUS updates.
Configuring Automatic Updates
When you enable the Automatic Updates
feature on a server, the default configuration
automatically downloads updates from Microsoft
Update and installs them. After you have
implemented WSUS, your clients should be
configured to obtain updates automatically from
the WSUS server instead.
The location from which Automatic Updates
obtains updates is controlled by a registry key.
Although it is possible to configure the registry
key manually by using the Regedit tool, this is not
recommended except when the computer is not
in a domain. If a computer is in a domain, it is much more efficient to create a Group Policy Object (GPO)
that configures the registry key.
For Active Directory® Domain Services (AD DS) environments, Automatic Updates are typically configured
in a GPO by configuring the settings located under Computer Configuration. To locate the settings,
expand Policies, expand Administrative Templates, expand Windows Components, and then locate the
Windows Updates node.
In addition to configuring the source for updates, you can also use a GPO to configure the following
settings:
• Update frequency. This setting determines how often updates are detected.
• Update installation schedule. This setting determines when updates are installed. It also
determines when updates are rescheduled if they cannot be installed at the scheduled time.
• Automatic restart behavior. This setting determines whether the computer will restart automatically if
required by an update.
• Default computer group in WSUS. This setting determines the computer group in which the
computer will be registered during initial registration with WSUS.
WSUS Administration
The WSUS administration console is an MMC
snap-in that you can use to administer WSUS. You
can use this tool to:
• Identify and download updates.
• Approve updates for deployment.
• Organize computers into groups.
• Review the update status of computers.
• Generate reports.
Monitoring is an essential part of maintaining a
service. WSUS logs detailed health information to
the event log. In addition, you can download a management pack to facilitate monitoring in Microsoft
System Center 2012 - Operations Manager.
Controlling Updates on Client Computers
Client computers perform updates according to either manual configuration or, in most AD DS
environments, Group Policy. In some cases, you might want to initiate the update process outside of the
normal update schedule. You can use the wuauclt.exe tool to control the auto-update behavior on
Windows Update client computers. The following command initiates the detection of Microsoft Updates
from the Windows Update source.
Wuauclt.exe /detectnow
Administration with Windows PowerShell®
In Windows Server 2012, WSUS includes Windows PowerShell cmdlets that you can use to manage your
WSUS server. The following table lists these cmdlets.
cmdlet                          Description
Add-WsusComputer                Adds a specified client computer to a specified target group.
Approve-WsusUpdate              Approves an update to be applied to clients.
Deny-WsusUpdate                 Declines the update for deployment.
Get-WsusClassification          Gets the list of all WSUS classifications currently available in the system.
Get-WsusComputer                Gets the WSUS computer object that represents the client computer.
Get-WsusProduct                 Gets the list of all products currently available on WSUS by category.
Get-WsusServer                  Gets the value of the WSUS update server object.
Get-WsusUpdate                  Gets the WSUS update object with details about the update.
Invoke-WsusServerCleanup        Performs the process of cleanup on a specified WSUS server.
Set-WsusClassification          Sets whether the classifications of updates that WSUS synchronizes are enabled or disabled.
Set-WsusProduct                 Sets whether the product representing the category of updates to synchronize is enabled or disabled.
Set-WsusServerSynchronization   Sets whether the WSUS server synchronizes from Microsoft Update, or from an upstream server and uses the upstream server properties.
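The cmdlets in the table can script the lab-then-pilot-then-production approval process that this module recommends. The following is an added example, not code from the course or from Microsoft; it assumes the WSUS server LON-SVR4.Adatum.com on port 8530, a pilot computer group named Research, and that it runs on the WSUS server itself, where the UpdateServices module is installed with the role.

```powershell
# Added example (not part of the course). Assumptions: WSUS on
# LON-SVR4.Adatum.com, port 8530, pilot target group "Research"; run on the
# WSUS server, where the UpdateServices module ships with the role.
Import-Module UpdateServices

$wsus = Get-WsusServer -Name 'LON-SVR4.Adatum.com' -PortNumber 8530

function Approve-PilotSecurityUpdates {
    # Stage 1: approve every not-yet-approved Security update that at least
    # one client still needs, but only for the pilot group.
    param([string]$PilotGroup = 'Research')

    $needed = @(Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                   -Approval Unapproved -Status FailedOrNeeded)
    foreach ($u in $needed) {
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
    }
    # Return the titles that were approved so the caller can log them.
    $needed | ForEach-Object { $_.Update.Title }
}

function Approve-ForProduction {
    # Stage 2: promote pilot-approved Security updates to All Computers, but
    # only when no pilot computer reports a failed installation and the
    # update itself shows no errors anywhere.
    param([string]$PilotGroup = 'Research')

    $failedPilot = @(Get-WsusComputer -UpdateServer $wsus `
                        -ComputerTargetGroups $PilotGroup -ComputerUpdateStatus Failed)
    if ($failedPilot.Count -gt 0) {
        Write-Warning ("{0} pilot computer(s) report a failed installation; not promoting:" -f $failedPilot.Count)
        $failedPilot | ForEach-Object { Write-Warning ("  " + $_.FullDomainName) }
        return $false
    }
    Get-WsusUpdate -UpdateServer $wsus -Classification Security `
            -Approval Approved -Status FailedOrNeeded |
        Where-Object { $_.ComputersWithErrors -eq 0 } |
        Approve-WsusUpdate -Action Install -TargetGroupName 'All Computers' | Out-Null
    return $true
}

function Invoke-WsusSpaceCleanup {
    # Reclaim disk space (the topic budgets about 30 GB for downloaded updates).
    # Superseded updates are deliberately NOT declined: the course notes they
    # may still be needed by computers without the latest service pack.
    Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteUpdates `
        -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates
}

# Run stage 1 now; run stage 2 after the pilot group has had time to report.
Approve-PilotSecurityUpdates
# Approve-ForProduction
# Invoke-WsusSpaceCleanup
```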
What Are Computer Groups?
Computer groups are a way to organize the
computers to which a WSUS server deploys
updates. The two computer groups that exist
by default are All Computers and Unassigned
Computers. New computers that contact the
WSUS server are assigned automatically to both
of these groups.
You can create custom computer groups for
controlling how updates are applied. Typically,
custom computer groups contain computers
with similar characteristics. For example, you
might create a custom computer group for each
department in your organization. You can also create a custom computer group for a test lab where you
first deploy updates for testing. You would also typically group servers separate from client computers.
When you manually assign new computers to a custom computer group, it is called server-side targeting.
You can also use client-side targeting to assign computers to a custom computer group. To use client-side
targeting, you need to configure a registry key or GPO for the computer that specifies the custom
computer group to be joined during initial registration with the WSUS server.
Server-side targeting enables administrators to manage WSUS computer group membership manually.
This is useful when the AD DS structure does not support the logical grouping that client-side targeting requires, or when computers need to be moved between groups for testing or other purposes. Client-side targeting is
used most commonly in large organizations where automated assignment is required and computers
must be assigned to specific groups.
Approving Updates
The default configuration for WSUS does not
automatically approve updates for application
to computers. Although it is possible to
automatically approve updates, it is not
recommended. The recommended process for
approving updates is to first test updates in a lab
environment, then a pilot group, and only then to
the production environment. This process reduces
the risk of an update causing an unexpected
problem in your production environment. You
would perform this process by approving updates
for specific groups of computers before approving
the update for the All Computers group.
Some updates are not considered critical and do not have any security implications. You might decide not
to implement some of these updates. For any updates that you decide not to implement, you can decline
the update. After an update is declined, it is removed from the list of updates on the WSUS server in the default view.
If you apply an update and find that it is causing problems, you can use WSUS to remove that update.
However, the update can be removed only if that specific update supports removal. Most updates support
removal.
When you look at the details of an update, it will indicate if the update is superseded by another update.
Superseded updates are typically no longer required, because a newer update includes the changes in this
update and more. Superseded updates are not declined by default, because in some cases they are still
required. For example, the older update might be required if some servers are not running the latest
service pack.
Lab: Implementing Update Management
Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An
IT office and a data center are located in London to support the London location and other branch office
locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum has been manually applying updates to servers in a remote location. This has resulted in
difficulty identifying which servers have updates applied and which do not. This is a potential security
issue. You have been asked to automate the update process by extending A. Datum’s WSUS deployment
to include the branch office.
Objectives
After completing this lab, you will be able to:
• Implement the WSUS server role.
• Configure update settings.
• Approve and deploy an update by using WSUS.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-SVR4, 20411B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-SVR1, 20411B-LON-SVR4, and 20411B-LON-CL1.
Exercise 1: Implementing the WSUS Server Role
Scenario
Your organization already has a WSUS server called LON-SVR1, which is located in the head office. You
need to install the WSUS server role on LON-SVR4 at a branch location. LON-SVR4 will use LON-SVR1 as
the source for Windows Update downloads. The installation on LON-SVR4 will use the Windows Internal Database for the deployment.
The main tasks for this exercise are as follows:
1. Install the Windows Server Update Services (WSUS) server role.
2. Configure WSUS to synchronize with an upstream WSUS server.
Task 1: Install the Windows Server Update Services (WSUS) server role
1. Log on to LON-SVR4 as Adatum\Administrator with a password of Pa$$w0rd.
2. From Server Manager, install the Windows Server Update Services role with the WID Database and WSUS Services role services. Also configure the updates location as C:\WSUSUpdates.
3. Open the Windows Server Update Services console and complete the installation when prompted.
4. On the Windows Server Update Services Configuration Wizard, click Cancel.
5. Close the Update Services console.
Task 2: Configure WSUS to synchronize with an upstream WSUS server
1. On LON-SVR4, complete the Windows Server Update Services Configuration Wizard, specifying the following settings:
o Upstream Server: LON-SVR1.Adatum.com
o No proxy server
o Default languages
o Manual sync schedule
o Begin initial synchronization
2. In the Windows Server Update Services console, under Options, click Computers, and then select Use Group Policy or registry settings on computers.
Results: After completing this exercise, you should have implemented the WSUS server role.
Exercise 2: Configuring Update Settings
Scenario
You need to configure the Group Policy settings to deploy automatic WSUS settings to client computers.
With the WSUS role configured on LON-SVR4, you must ensure that the Research department has its own
computer group in WSUS on LON-SVR4. You must also configure client computers in the Research OU to use LON-SVR4 as their source for updates.
The main tasks for this exercise are as follows:
1. Configure WSUS groups.
2. Configure Group Policy to deploy WSUS settings.
3. Verify the application of Group Policy settings.
4. Initialize Windows Update.
Task 1: Configure WSUS groups
1. On LON-SVR4, if necessary, open the Windows Server Update Services console.
2. Create a new computer group named Research.
Task 2: Configure Group Policy to deploy WSUS settings
1. Switch to LON-DC1.
2. Open Group Policy Management.
3. Create and link a new GPO named WSUS Research to the Research OU, and configure the following policy settings under the Windows Update node:
o Configure Automatic Updates: Auto download and schedule the install
o Microsoft Update service location: http://LON-SVR4.Adatum.com:8530
o Intranet statistics server: http://LON-SVR4.Adatum.com:8530
o Client-side targeting group: Research
4. Move LON-CL1 to the Research OU.
Task 3: Verify the application of Group Policy settings
1. Switch to LON-CL1.
2. Restart LON-CL1.
3. On LON-CL1, log on as Adatum\Administrator with a password of Pa$$w0rd.
4. Open a command prompt by using the Run as Administrator option.
5. At the command prompt, run the following command:
Gpresult /r
6. In the output of the command, confirm that under Computer Settings, WSUS Research is listed under Applied Group Policy Objects.
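Gpresult shows that the GPO applied; the following added example (not part of the lab or of the course) goes one step further and reads the policy registry values that the Configuring Automatic Updates topic describes and that the WSUS Research GPO writes, comparing them with the settings configured in Task 2. The expected values are the lab's; the function and parameter names are assumptions.

```powershell
# Added example, not part of the lab. Reads the Windows Update policy values
# under HKLM\SOFTWARE\Policies (written by the "WSUS Research" GPO) and
# compares them with the intended settings. Function name is an assumption.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://LON-SVR4.Adatum.com:8530',
        [string]$ExpectedGroup  = 'Research',
        [int]$ExpectedAUOptions = 4   # 4 = Auto download and schedule the install
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # Policy-delivered values live under ...\Policies\...; if the key is missing
    # the GPO has not applied yet (check gpresult /r, then gpupdate /force).
    if (-not (Test-Path $wuKey)) {
        Write-Warning 'No WindowsUpdate policy key: the WSUS GPO has not applied.'
        return $false
    }
    $wu = Get-ItemProperty -Path $wuKey
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

    $checks = [ordered]@{
        'WUServer (update source)'           = ($wu.WUServer -eq $ExpectedServer)
        'WUStatusServer (statistics server)' = ($wu.WUStatusServer -eq $ExpectedServer)
        'Client-side targeting enabled'      = ($wu.TargetGroupEnabled -eq 1)
        'Target group'                       = ($wu.TargetGroup -eq $ExpectedGroup)
        'AU\UseWUServer = 1'                 = ($null -ne $au -and $au.UseWUServer -eq 1)
        "AU\AUOptions = $ExpectedAUOptions"  = ($null -ne $au -and $au.AUOptions -eq $ExpectedAUOptions)
    }

    $allOk = $true
    foreach ($name in $checks.Keys) {
        if ($checks[$name]) { $state = 'OK  ' } else { $state = 'FAIL'; $allOk = $false }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }

    # Informational: the schedule and restart behaviour the topic describes.
    if ($null -ne $au) {
        Write-Host ("Scheduled install day/hour: {0}/{1} (day 0 = every day; hour 0-23)" -f `
            $au.ScheduledInstallDay, $au.ScheduledInstallTime)
        Write-Host ("No auto-restart with logged-on users: {0}" -f $au.NoAutoRebootWithLoggedOnUsers)
    }
    return $allOk
}

Test-WsusClientPolicy
```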
Task 4: Initialize Windows Update
1. On LON-CL1, at the command prompt, type the following command, and then press Enter:
Wuauclt.exe /reportnow /detectnow
2. Switch to LON-SVR4.
3. In the Update Services console, expand Computers, expand All Computers, and then click Research.
4. Verify that LON-CL1 appears in the Research group. If it does not, repeat steps 1-3. It may take several minutes for LON-CL1 to appear.
5. Verify that updates are reported as needed. If no updates are reported, repeat steps 1-3. It may take 10-15 minutes for updates to register.
Results: After completing this exercise, you should have configured update settings for client computers.
Exercise 3: Approving and Deploying an Update by Using WSUS
Scenario
After you have configured the Windows Update settings, you can now view, approve, and then deploy
required updates. You have been asked to use LON-CL1 as a test case for the Research department. You
will approve, deploy, and verify an update on LON-CL1 to confirm the proper configuration of the WSUS environment.
The main tasks for this exercise are as follows:
1. Approve WSUS updates for the Research computer group.
2. Deploy updates to LON-CL1.
3. Verify update deployment to LON-CL1.
Task 1: Approve WSUS updates for the Research computer group
1. On LON-SVR4, open the WSUS console.
2. Approve the Security Update for Microsoft Office 2010 (KB2553371), 32-bit edition update for the Research group.
Task 2: Deploy updates to LON-CL1
1. On LON-CL1, at the command prompt, type the following command, and then press Enter:
Wuauclt.exe /detectnow
2. Open Windows Update and then check for updates.
3. Click Install to install the approved update.
Task 3: Verify update deployment to LON-CL1
1. On LON-CL1, open Event Viewer.
2. Navigate to Applications and Services Logs\Microsoft\Windows, and view the events under WindowsUpdateClient – Operational.
3. Confirm that events are logged in relation to the update.
Results: After completing this exercise, you should have approved and deployed an update by using
WSUS.
To prepare for the next module
When you finish the lab, revert all virtual machines back to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20411B-LON-SVR1, 20411B-LON-SVR4, and 20411B-LON-CL1.
Module Review and Takeaways
Review Questions
Question: A colleague has argued that all updates to the Windows operating system should
be applied automatically when they are released. Do you recommend an alternative process?
Question: Your organization implements several applications that are not Microsoft
applications. A colleague has proposed using WSUS to deploy application and operating
system updates. Are there any potential issues with using WSUS?
Question: Why is WSUS easier to manage in an AD DS domain?
Tools
Tool                             Use                                              Where to find it
WSUS Administration console      Administer WSUS                                  Server Manager - Tools
Windows PowerShell WSUS cmdlets  Administer WSUS from the command-line interface  Windows PowerShell
Module 13
Monitoring Windows Server 2012
Contents:
Module Overview 13-1
Lesson 1: Monitoring Tools 13-2
Lesson 2: Using Performance Monitor 13-8
Lesson 3: Monitoring Event Logs 13-16
Lab: Monitoring Windows Server 2012 13-19
Module Review and Takeaways 13-25
Module Overview
When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the root cause quickly often depends on having an
effective performance-monitoring methodology and toolset.
You can use performance-monitoring tools to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers.
Objectives
After completing this module, you will be able to:
• Describe the monitoring tools for Windows Server® 2012.
• Use Performance Monitor to view and analyze performance statistics of programs that are running on
your servers.
• Monitor event logs to view and interpret the events that occurred.
Lesson 1
Monitoring Tools
Windows Server 2012 provides a range of tools to monitor an operating system and applications on a
computer. You can use these tools to tune your system for efficiency and troubleshoot problems. You
should use these tools and complement them where necessary with your own tools.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Task Manager.
• Describe Performance Monitor.
• Describe Resource Monitor.
• Describe Event Viewer.
Overview of Task Manager
Task Manager has been enhanced in Windows
Server 2012 to provide more information to help
you identify and resolve performance-related
problems. Task Manager includes the following
tabs:
• Processes. The Processes tab displays a list
of running programs, subdivided into
applications and internal Windows processes.
For each running process, this tab displays a
summary of processor and memory usage.
• Performance. The Performance tab displays a
summary of central processing unit (CPU) and
memory usage, and network statistics.
• Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.
• Details. The Details tab lists all the running processes on the server, providing statistics about the CPU, memory, and other resource consumption. You can use this tab to manage the running processes. For example, you can stop a process, stop a process and all related processes, and change the processes’ priority values. By changing a process’s priority, you determine how much CPU resource the process can consume. By increasing the priority, you allow the process to request more CPU resource.
• Services. The Services tab provides a list of the running Windows services, together with related information: whether the service is running and the process identifier (PID) of the running service. You can start and stop services by using the list on the Services tab.
Generally, you might consider using Task Manager when a performance-related problem first manifests
itself. For example, you might examine the running processes to determine if a particular program is using
excessive CPU resources. Always remember that Task Manager shows a snapshot of current resource
consumption, and you also may need to examine historical data to determine a true picture of a server
computer’s performance and response under load.
Overview of Performance Monitor
Performance Monitor enables you to view current
performance statistics, or to view historical data
that is gathered by using data collector sets.
With Windows Server 2012, you can monitor operating system performance through
performance objects and counters in the objects.
Windows Server 2012 collects data from counters
in various ways, including:
• A real-time snapshot value.
• The total since the last computer startup.
• An average over a specific time interval.
• An average of last values.
• The number per second.
• A maximum value.
• A minimum value.
Performance Monitor works by providing you with a collection of objects and counters that record data
about computer resource usage.
There are many counters that you can research and consider monitoring to meet your specific
requirements.
Primary Processor Counters
CPU counters are a feature of the computer’s CPU that stores the count of hardware-related events. The
primary processor counters include:
• Processor > % Processor Time. This counter measures the percentage of elapsed time the processor
spends executing a nonidle thread. If the percentage is greater than 85 percent, the processor is
overwhelmed and the server may require a faster processor. In other words, this counter displays the
percentage of elapsed time that a given thread used the processor to run instructions. An instruction
is the basic unit of execution in a processor, and a thread is the object that executes instructions.
Included in this count is code that handles some hardware interrupts and trap conditions.
• Processor > Interrupts/sec. This counter displays the rate, in incidents per second, at which the
processor received and serviced hardware interrupts.
• System > Processor Queue Length. This counter displays an approximate number of threads that each
processor is servicing. The server does not have enough processor power if the value is more than two
times the number of CPUs for an extended period. The processor queue length, sometimes referred to as processor queue depth, that this counter reports is an instantaneous value that is representative
only of a current snapshot of the processor. Therefore, you must observe this counter over an
extended period to notice data trends. Additionally, the System > Processor Queue Length counter
reports a total queue length for all processors, not a length for each processor.
Primary Memory Counters
The Memory performance object consists of counters that describe the behavior of the computer’s
physical and virtual memory. Physical memory is the amount of random access memory (RAM) on the
computer. Virtual memory consists of space in physical memory and on disk. Many of the memory
counters monitor paging, which is the movement of pages of code and data between disk and physical
memory.
The Memory > Pages/sec counter measures the rate at which pages are read from or written to disk to
resolve hard-page faults. If excessive paging results in a value that is greater than 1,000, there may be a
memory leak. In other words, the Memory > Pages/sec counter displays the number of hard page faults per second. A hard page fault occurs when the requested memory page cannot be located in RAM
because it exists currently in the paging file. An increase in this counter indicates that more paging is
occurring, which in turn suggests a lack of physical memory.
Primary Disk Counters
The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks
store file, program, and paging data. Disks are read to retrieve these items, and are written to record
changes to them. The total values of physical disk counters are the total of all the values of the logical
disks (or partitions) into which they are divided. The primary disk counters include:
• Physical Disk > % Disk Time. This counter indicates how busy a particular disk is, and it measures the percentage of time that the disk was busy during the sample interval. A counter approaching 100 percent indicates that the disk is busy nearly all of the time, and a performance bottleneck is possibly imminent. You may consider replacing the current disk system with a faster one.
• Physical Disk > Avg. Disk Queue Length. This counter indicates how many disk requests are waiting to be serviced by the I/O manager in Windows® 7 at any given moment. If the value is larger than two times the number of spindles, it means that the disk itself may be the bottleneck. The longer the queue is, the less satisfactory the disk throughput.
Note: Throughput is the total amount of traffic that passes a given network-connection
point for each time unit. Workload is the amount of processing that the computer does at a
given time.
Primary Network Counters
Most workloads require access to production networks to ensure communication with other applications
and services, and to communicate with users. Network requirements include elements such as throughput
and the presence of multiple network connections.
Workloads might require access to several different networks that must remain secure. Examples include
connections for:
• Public network access
• Networks for performing backups and other maintenance tasks
• Dedicated remote-management connections
• Network-adapter teaming for performance and failover
• Connections to the physical host computer
• Connections to network-based storage arrays
By monitoring the network performance counters, you can evaluate your network’s performance. The
primary network counters include:
• Network Interface > Current Bandwidth. This counter indicates the current bandwidth being
consumed on the network interface in bits per second (bps). Most network topologies have maximum
potential bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at
bandwidths of 10 Mbps, 100 Mbps, 1 Gigabit per second (Gbps), and higher. To interpret this counter,
divide the value given by 1,048,576 for Mbps. If the value approaches the network’s maximum
potential bandwidth, you should consider implementing a switched network or upgrading to a
network that supports higher bandwidths.
• Network Interface > Output Queue Length. This counter indicates the current length of the output
packet queue on the selected network interface. A growing value, or one that is consistently higher
than two, could indicate a network bottleneck, which you should investigate.
• Network Interface > Bytes Total/sec. This measures the rate at which bytes are sent and received over
each network adapter, including framing characters. The network is saturated if you discover that
more than 70 percent of the interface is consumed.
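The processor, memory, disk and network thresholds given in this lesson can be checked in one pass with Get-Counter. The following is an added example, not code from the course; the counter paths are the standard ones, the function name is an assumption, and -Spindles must be set to the number of physical disks behind the volume (the default of 1 assumes a single disk).

```powershell
# Added example, not part of the course. Samples the counters this lesson
# names and applies the lesson's thresholds. Function name is an assumption.
function Test-PerformanceThresholds {
    param(
        [int]$Spindles = 1,
        [int]$Samples = 6,          # observe over time: queue lengths are instantaneous values
        [int]$IntervalSeconds = 5
    )
    $cpuCount = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $paths = @(
        '\Processor(_Total)\% Processor Time',
        '\System\Processor Queue Length',
        '\Memory\Pages/sec',
        '\PhysicalDisk(_Total)\% Disk Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\Network Interface(*)\Output Queue Length',
        '\Network Interface(*)\Bytes Total/sec',
        '\Network Interface(*)\Current Bandwidth'
    )

    # Average every counter instance over the whole sampling window.
    $avg = @{}
    Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            $avg[$_.Name.ToLower()] = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        }

    # Rules from the lesson: wildcard on the counter path, limit, and meaning.
    # "% Disk Time approaching 100" is read here as > 90 (this example's choice).
    $rules = @(
        @('*\processor(_total)\% processor time',          85,            'processor overwhelmed (> 85 %)'),
        @('*\system\processor queue length',               2 * $cpuCount, "run queue > 2 x $cpuCount logical CPUs"),
        @('*\memory\pages/sec',                            1000,          'excessive hard paging (> 1,000/s): memory shortage or leak'),
        @('*\physicaldisk(_total)\% disk time',            90,            'disk busy nearly all the time'),
        @('*\physicaldisk(_total)\avg. disk queue length', 2 * $Spindles, "disk queue > 2 x $Spindles spindles"),
        @('*\network interface(*)\output queue length',    2,             'output queue consistently > 2')
    )

    $findings = @()
    foreach ($path in $avg.Keys) {
        foreach ($rule in $rules) {
            if ($path -like $rule[0] -and $avg[$path] -gt $rule[1]) {
                $findings += [pscustomobject]@{
                    Counter = $path
                    Average = [math]::Round($avg[$path], 2)
                    Finding = $rule[2]
                }
            }
        }
        # Saturation rule: Bytes Total/sec is in bytes, Current Bandwidth in bits.
        if ($path -like '*\network interface(*)\bytes total/sec') {
            $bw = $avg[($path -replace 'bytes total/sec$', 'current bandwidth')]
            if (($bw -gt 0) -and (((8 * $avg[$path]) / $bw) -gt 0.7)) {
                $findings += [pscustomobject]@{
                    Counter = $path
                    Average = [math]::Round(100 * 8 * $avg[$path] / $bw, 1)
                    Finding = 'interface more than 70 % utilised (saturated); Average is % of bandwidth'
                }
            }
        }
    }
    return $findings
}

Test-PerformanceThresholds -Spindles 1 | Format-Table -AutoSize
```

An empty result means no sampled counter crossed a threshold during the window; lengthen -Samples to confirm a trend rather than a spike.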
Overview of Resource Monitor
The Resource Monitor interface in Windows Server
2012 provides an in-depth look at your server’s
real-time performance.
You can use Resource Monitor to monitor the
use and performance of CPU, disk, network, and
memory resources in real time. This enables you
to identify and resolve resource conflicts and
bottlenecks.
By expanding the monitored elements, system
administrators can identify which processes are
using which resources. Furthermore, you can use
Resource Monitor to track a process or processes
by selecting their check boxes. When you select a process, it remains selected in every pane of Resource
Monitor, which provides the information that you require regarding that process at the top of the screen,
no matter where you are in the interface.
Overview of Event Viewer
Windows Event Viewer provides access to the
Windows Server 2012 event logs. Event logs
provide information regarding system events
that occur within Windows. These events include
information, warning, and error messages about
Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events, including application,
security, setup, and system events, as well as log
groupings for individual installed applications
and specific Windows component categories.
Individual events provide detailed information
regarding the type of event that occurred, when the event occurred, the source of the event, and
technical detailed information to assist in troubleshooting the event.
Additionally, Event Viewer allows you to consolidate logs from multiple computers onto a centralized
computer by using subscriptions. Finally, you can configure Event Viewer to perform an action based on a
specific event or events occurring. This may include sending an email message, launching an application,
running a script, or other maintenance actions that could notify you or attempt to resolve a potential
issue.
Event Viewer in Windows Server 2012 contains the following important features:
• The inclusion of several new logs. You can access logs for many individual components and
subsystems.
• The ability to view multiple logs. You can filter for specific events across multiple logs, thereby making it simple to investigate issues and troubleshoot problems that might appear in several logs.
• The inclusion of customized views. You can use filtering to narrow searches to only events in which you are interested, and you can save these filtered views.
• The ability to configure tasks scheduled to run in response to events. You can automate responses to events. Event Viewer is integrated with Task Scheduler.
• The ability to create and manage event subscriptions. You can collect events from remote computers, and then store them locally.
Note: To collect events from remote computers, you must create an inbound rule in
Windows Firewall to permit Windows Event Log Management.
Event Viewer tracks information in several different logs. These logs provide detailed information that
includes:
• A description of the event
• An event ID number
• The component or subsystem that generated the event
• Information, Warning, or Error status
• The time of the occurrence
• The user’s name on whose behalf the event occurred
• The computer on which the event occurred
• A link to Microsoft TechNet for more information about the event
Windows Server Logs
Event Viewer has many built-in logs, including those in the following table.

Built-In Log: Description and Use
Application log: This log contains errors, warnings, and informational events that pertain to the operation
of applications such as Microsoft Exchange Server, the Simple Mail Transfer Protocol (SMTP) service, and
other applications.
Security log: This log reports the results of auditing, if you enable it. Audit events are described as
successful or failed, depending on the event. For instance, the log would report success or failure
regarding whether a user was able to access a file.
Setup log: This log contains events related to application setup.
System log: General events are logged by Windows components and services, and are classified as error,
warning, or information. Windows predetermines the events that system components log.
Forwarded events: This log stores events that are collected from remote computers. To collect events from
remote computers, you must create an event subscription.
Application and Services Logs
Applications and Services logs store events from a single application or component rather than events
that might have system-wide impact. This category of logs includes four subtypes:
• Admin
• Operational
• Analytic
• Debug
Admin logs are of interest to IT professionals who use Event Viewer to troubleshoot problems. These logs
provide guidance about how to respond to issues, and primarily target end users, administrators, and
support personnel. The events found in the Admin channels indicate a problem and a well-defined
solution upon which an administrator can act.
Events in the Operational log also are useful for IT professionals, but they are likely to require more
interpretation. You can use operational events to analyze and diagnose a problem or occurrence, and to
trigger tools or tasks based on the problem or occurrence.
Analytic and Debug logs are not as user friendly. Analytic logs store events that trace an issue, and they
often log a high volume of events. Developers use debug logs when they are debugging applications. By
default, both Analytic and Debug logs are hidden and disabled.
By default, Windows log files are 1,028 kilobytes (KB) in size, and events are overwritten as needed.
If you want to clear a log manually, you must be logged in to the server as a local administrator. If
you want to centrally configure event log settings, you can do so by using Group Policy. Open the
Group Policy Management Editor for your selected Group Policy object (GPO), and then navigate to
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.
For each log, you can define:
• The location of the log file.
• The maximum size of the log file.
• Automatic backup options.
• Permissions on the logs.
• Behavior that occurs when the log is full.
Lesson 2
Using Performance Monitor
You can use Performance Monitor to collect, analyze, and interpret performance-related data about your
organization’s servers. This enables you to make informed capacity planning decisions. However, to make
informed decisions, it is important that you know how to establish a performance baseline, how to use
data collector sets, and how to use reports to help you compare performance data to your baseline.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a baseline.
• Describe data collector sets.
• Explain how to capture counter data with a data collector set.
• Explain how to configure an alert.
• Explain how to view Performance Monitor reports.
• Identify the key parameters that you should track when monitoring network infrastructure services.
• Identify considerations for monitoring virtual machines.
Baseline, Trends, and Capacity Planning
By calculating performance baselines for your server environment, you can interpret real-time monitoring
information more accurately. A baseline for your server’s performance indicates what your
performance-monitoring statistics look like during normal use, and you can establish a baseline by
monitoring performance statistics over a specific period. When an issue or symptom occurs in real time,
you can compare your baseline statistics to your real-time statistics, and then identify anomalies.
Trends Analysis
You should consider the value of performance data carefully to ensure that it reflects your real server
environment.
Additionally, you should consider performance analysis, as well as business or technological growth and
upgrade plans. It is possible to reduce the number of servers in operation after you measure performance
and assess the required environment.
By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. Review
historical analysis with consideration to your business, and use this to determine when additional capacity
is required. Some peaks are associated with one-time activities, such as extremely large orders. Other
peaks occur on a regular basis, such as a monthly payroll. These peaks could require increased capacity to
meet an increasing number of employees.
Planning for future server capacity is a requirement for all organizations. Business planning often requires
additional server capacity to meet targets. By aligning your IT strategy with your business strategy, you
can support business objectives.
Furthermore, you should consider virtualizing your environment to reduce the number of physical servers
that you require. You can consolidate servers by implementing the Hyper-V® role in the Windows Server
2012 environment.
Capacity Planning
Capacity planning focuses on assessing server workload, the number of users that a server can support,
and the ways to scale systems to support additional workload and users in the future.
New server applications and services affect the performance of your IT infrastructure. These services
could receive dedicated hardware, although they often use the same local area network (LAN) and wide
area network (WAN) infrastructure. Planning for future capacity should include all hardware components
and how new servers, services, and applications affect the existing infrastructure. Factors such as power,
cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You
should consider how your servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 R2 and updating operating systems might affect your
servers and network. An update can sometimes cause a problem with an application. Careful performance
monitoring before and after you apply updates can identify problems.
An expanding business requires you to provide support for more users. You should consider business
requirements when purchasing hardware. By doing this, you can meet future business requirements by
increasing the number of servers or by adding capacity to existing hardware.
Capacity requirements include:
• More servers
• Additional hardware
• Reducing application loads
• Reducing users
Understanding Bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package might cause the bottleneck.
By using performance-monitoring tools on a regular basis, and comparing the results to your baseline and
to historical data, you can identify performance bottlenecks before they affect users.
After you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:
• Running fewer applications
• Adding resources to the computer
A computer suffering from a severe resource shortage might stop processing user requests, which
requires immediate attention. However, if your computer experiences a bottleneck, but still operates
within acceptable limits, you might decide to defer any changes until you resolve the situation or you
have an opportunity to take corrective action.
Analyzing Key Hardware Components
By understanding how your operating system uses the four key hardware components—processor, disk,
memory, and network—and how they interact with one another, you begin to understand how to
optimize server performance.
Processor
Processor speed is one important factor in determining your server’s overall processor capacity. Processor
speed is determined by the number of operations that are performed in a measured period. Servers with
multiple processors, or processors with multiple cores, generally perform processor-intensive tasks with
greater efficiency, and typically are faster, than single processor or single-core processor computers.
Processor architecture also is important. 64-bit processors can access more memory and have a significant
effect on performance. However, it is important to note that both Windows Server 2012 and Windows
Server 2008 R2 are available in 64-bit editions only.
Disk
Hard disks store programs and data. Consequently, the throughput of its disks affects the speed of the
workstation or server, especially when the workstation or server is performing disk-intensive tasks. Most
hard disks have moving parts, and it takes time to position the read/write heads over the appropriate disk
sector to retrieve the requested information.
By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the
potential for the disk subsystem to create a performance bottleneck.
You also should remember that information on the disk moves into memory before it is used. If there is a
surplus of memory, the Windows Server operating system creates a file cache for items recently written to,
or read from, the disks. Installing additional memory in a server can often improve the disk subsystem
performance, because accessing the cache is faster than moving the information into memory.
Memory
Programs and data load from the disk into memory before the program manipulates the data. In servers
that run multiple programs, or where datasets are extremely large, increasing the amount of memory
installed can help improve server performance.
Windows Server uses a memory model in which excessive memory requests are not rejected, but handled
by a process known as paging. During paging, data and programs in memory not currently being utilized
by processes are moved into an area on the hard disk, known as the paging file. This frees up physical
memory to satisfy the excessive requests, but because a hard disk is comparatively slow, it has a negative
effect on workstation performance. By adding more memory, and by using a 64-bit processor architecture
that supports larger memory, you can reduce the need for paging.
Network
It is easy to underestimate the effect of a poorly performing network, because it is not as easy to see or to
measure as the three other workstation components. However, the network is a critical component for
performance monitoring, because network devices store so many of the programs, the data that is
processing, and applications.
What Are Data Collector Sets?
A data collector set is the foundation of Windows Server performance monitoring and reporting in
Performance Monitor.
You can use data collector sets to gather performance-related information and other system statistics,
on which you can conduct analysis with other tools within Performance Monitor, or with third-party tools.
Although it is useful to analyze current performance activity on a server computer, you might find it
more useful to collect performance data over a set period, and then analyze and compare it with data
that you gathered previously. You can use this data comparison to determine resource usage to plan for
growth and to identify potential performance problems.
Data collector sets can contain the following types of data collectors:
• Performance counters. This data collector provides server performance data.
• Event trace data. This data collector provides information about system activities and events, which
often is useful for troubleshooting.
• System configuration information. This data collector allows you to record the current state of registry
keys and to record changes to those keys.
You can create a data collector set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting individual data collectors and setting each individual option in
the data collector set properties.
Demonstration: Capturing Counter Data with a Data Collector Set
This demonstration shows how to:
• Create a data collector set.
• Create a load on the server.
• Analyze the resulting data in a report.
Demonstration Steps
Create a data collector set
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Open Performance Monitor.
3. Create a new User Defined data collector set with the following key counters:
   o Processor > % Processor Time
   o Memory > Pages/sec
   o PhysicalDisk > % Disk Time
   o PhysicalDisk > Avg. Disk Queue Length
   o System > Processor Queue Length
   o Network Interface > Bytes Total/sec
4. Start the data collector set.
Create a disk load on the server
1. Open a command prompt, and then use the fsutil command to create a large file.
2. Copy the file to the LON-DC1 server to generate network load.
3. Create a new copy of the large file on the local hard disk by copying it from LON-DC1.
4. Delete all the newly created files.
Analyze the resulting data in a report
1. Switch to Performance Monitor, and then stop the data collector set.
2. Select the Performance Monitor tool, and then select View Log Data.
3. Add the data that you collected in the data collector set to the chart.
4. Change the view to Report.
Demonstration: Configuring an Alert
With alert counters, you can create a custom data collector set that contains performance counters for
which you can configure actions that occur based on the measured counters exceeding or dropping
below the limits that you define. After you create the data collector set, you must configure the actions
that the system will take when the alert criteria are met.
Alert counters are useful in situations where a performance issue arises periodically, and you can use the
actions to run programs, generate events, or a combination of these.
This demonstration shows how to:
• Create a data collector set with an alert counter.
• Generate a server load that exceeds the configured threshold.
• Examine the event log for the resulting event.
Demonstration Steps
Create a data collector set with an alert counter
1. Create a new User Defined data collector set.
2. Use the Performance Counter Alert option, and then add only the Processor > % Processor Time
counter.
3. Set the threshold to be above 10 percent and to generate an entry in the event log when this
condition is met.
4. Start the data collector set.
Generate a server load that exceeds the configured threshold
1. Open a command prompt, and then run a tool to generate a load on the server.
2. When the tool has run for a minute, stop it.
Examine the event log for the resulting event
• Open Event Viewer, and examine the Diagnosis-PLA log for performance alerts.
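The same alert, as an added example that is not part of the course: logman is the command-line front end to the Performance Logs and Alerts facility that the demonstration drives through the GUI, and the final function reads the entries that the alert writes to the Diagnosis-PLA operational log. The alert name, sample interval and function names are assumptions; run from an elevated PowerShell prompt.

```powershell
# Added example (not course code): the "% Processor Time above 10" alert from the demonstration,
# created with logman, and a query for the events it writes. Names and interval are assumptions.
$AlertName = 'Adatum CPU Alert'

function New-AdatumCpuAlert {
    param([int]$ThresholdPercent = 10, [string]$SampleInterval = '00:00:05')
    # -th: counter path with its threshold; -el: write an event log entry each time it trips.
    logman create alert "$AlertName" `
        -th "\Processor(_Total)\% Processor Time>$ThresholdPercent" `
        -el -si $SampleInterval | Out-Null
    logman start "$AlertName" | Out-Null
}

function Stop-AdatumCpuAlert {
    logman stop "$AlertName" | Out-Null
}

function Get-AdatumCpuAlertEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # The Event Viewer "Diagnosis-PLA" view is this operational channel. Keep only the
    # threshold messages and surface their first line, which names the counter and value.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Diagnosis-PLA/Operational'
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*alert threshold*' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Detail'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

# Sequence matching the demonstration: New-AdatumCpuAlert; generate load for a minute;
# Stop-AdatumCpuAlert; Get-AdatumCpuAlertEvents | Format-Table -AutoSize
```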
Demonstration: Viewing Reports in Performance Monitor
This demonstration shows how to view a performance report.
Demonstration Steps
View a performance report
1. In the navigation pane, expand Reports/User Defined/LON-SVR1 Performance.
2. Expand the folder beneath LON-SVR1 Performance. The previous collection process of the data
collector set generated this report. You can change from the chart view to any other supported view.
3. Close all open windows.
Monitoring Network Infrastructure Services
Because network infrastructure services are an essential foundation of many other server-based services,
it is important that they are configured correctly and that they run optimally.
Your organization can benefit in several ways by gathering performance-related data on your network
infrastructure services, including that it:
• Helps optimize network infrastructure server performance. By providing performance baseline and trend
data, you can help your organization to optimize network infrastructure server performance.
• Enables troubleshooting of servers. Where server performance degrades, either over time or during
periods of peak activity, you can help to identify possible causes and take corrective action. Thereby,
you can bring the service back within the limits of your Service Level Agreement (SLA).
• Enables you to use Performance Monitor to gather and analyze the relevant data.
Monitoring DNS
Domain Name System (DNS) provides name-resolution services on your network. You can monitor the
Windows Server 2012 DNS Server role to determine the following aspects of your DNS infrastructure:
• General DNS server statistics, including the number of overall queries and responses that the DNS
server is processing.
• User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters for measuring DNS
queries and responses that the DNS server processes respectively by using either of these transport
protocols.
• Dynamic update and secure dynamic update counters for measuring registration and update activity
that dynamic clients generate.
• Memory usage counter, for measuring system memory usage and memory allocation patterns that
are created by operating the server computer as a DNS server.
• Recursive lookup counters for measuring queries and responses when the DNS Server service uses
recursion to look up and fully resolve DNS names on behalf of requesting clients.
• Zone transfer counters, including specific counters for measuring the following: all zone transfer
(AXFR), incremental zone transfer (IXFR), and DNS zone-update notification activity.
Monitoring DHCP
The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services on
your network. You can monitor the Windows Server 2012 DHCP server role to determine the following
aspects of your DHCP server:
• The Average Queue Length, which indicates the current length of the DHCP server’s internal message
queue. This number represents the number of unprocessed messages that the server receives. A large
number might indicate heavy server traffic.
• The Milliseconds per packet (Avg.) counter is the average time in milliseconds that the DHCP server
uses to process each packet that it receives. This number varies depending on the server hardware
and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming
slower or because of an intrinsic processing overhead on the server.
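Putting the two topics together, as an added example that is not part of the course: it samples the DNS and DHCP counters named above with Get-Counter and compares each average against a recorded baseline, the comparison the lesson's baseline discussion calls for. The baseline figures are constructed placeholders to be replaced with values from your own data collector set, the DNS Server and DHCP Server roles are assumed to be installed on the sampled computer, and the function name is an assumption.

```powershell
# Added example (not course code). Baseline values below are constructed placeholders;
# replace them with the averages recorded from your own data collector set.
$InfraBaseline = @{
    '\DNS\Total Query Received/sec'               = 120
    '\DNS\UDP Query Received/sec'                 = 115
    '\DNS\TCP Query Received/sec'                 = 5
    '\DNS\Recursive Queries/sec'                  = 40
    '\DNS\Dynamic Update Received/sec'            = 2
    '\DNS\Secure Update Received/sec'             = 2
    '\DNS\Caching Memory'                         = 4194304
    '\DHCP Server\Average Queue Length'           = 0
    '\DHCP Server\Milliseconds per packet (Avg.)' = 1
}

function Compare-InfraToBaseline {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Samples = 12,
        [int]$IntervalSeconds = 5,
        [double]$TolerancePercent = 50   # flag averages this far above baseline
    )
    $paths = @($InfraBaseline.Keys)
    $data  = Get-Counter -ComputerName $ComputerName -Counter $paths `
                         -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction Stop

    # Get-Counter returns each path as \\computer\object\counter in lower case; strip the
    # computer prefix so it matches the baseline key (hashtable lookup is case-insensitive).
    $data.CounterSamples |
        Group-Object -Property { $_.Path -replace '^\\\\[^\\]+', '' } |
        ForEach-Object {
            $path     = $_.Name
            $baseline = [double]$InfraBaseline[$path]
            $average  = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            # Percentage change against baseline; a zero baseline with any load counts as 100%.
            $delta    = if ($baseline -gt 0) { ($average - $baseline) / $baseline * 100 }
                        elseif ($average -gt 0) { 100 } else { 0 }
            [pscustomobject]@{
                Counter      = $path
                Baseline     = $baseline
                Average      = [math]::Round($average, 2)
                DeltaPercent = [math]::Round($delta, 1)
                Investigate  = ($delta -gt $TolerancePercent)
            }
        } | Sort-Object -Property DeltaPercent -Descending
}

# Compare-InfraToBaseline -ComputerName LON-DC1 | Format-Table -AutoSize
```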
Considerations for Monitoring Virtual Machines
Server virtualization has only been a part of the Windows Server operating system since the release of
Windows Server 2008 and the introduction of the Hyper-V role. Many organizations have migrated some or
all of their server workloads to virtual machines that are running on the Hyper-V platform. From a
monitoring perspective, it is important to remember that servers running as guest virtual machines
consume resources in the same way as physical host server computers.
With Hyper-V server virtualization, you can create separate virtual machines, and run them concurrently
by using the resources of a single server operating system. These virtual machines are known as guests,
while the computer running Hyper-V is the host.
Virtual machine guests function as normal computers. Virtual machine guests that are hosted on the same
hypervisor remain independent of one another. You can run multiple virtual machines that are using
different operating systems on a host server simultaneously, as long as the host server has enough
resources.
When you create a virtual machine, you configure characteristics that define the available resources for
that guest. These resources include memory, processors, disk-configuration and storage technology, and
network-adapter configuration. These virtual machines operate within the boundaries of the resources
that you allocate to them, and can suffer from the same performance bottlenecks as host servers. As a
result, it is important that you monitor virtual machines in the same way, and with the same tools, that
you monitor your host servers.
Note: In addition to monitoring the virtual machine guests, always remember that you must
monitor the host that runs them.
Microsoft provides a tool, Hyper-V Resource Metering, that enables you to monitor resource consumption
on your virtual machines.
Resource metering allows you to track the resource utilization of virtual machines hosted on Windows
Server 2012 computers that have the Hyper-V role installed.
With resource metering, you can measure the following parameters on individual Hyper-V virtual
machines:
• Average graphics processing unit (GPU) use
• Average physical memory use, including:
   o Minimum memory use
   o Maximum memory use
• Maximum disk-space allocation
• Incoming network traffic for a network adapter
• Outgoing network traffic for a network adapter
By measuring how much of these resources each virtual machine uses, an organization can bill
departments or customers based on their hosted virtual-machine use, rather than charging a flat fee per
virtual machine. An organization with only internal customers also can use these measurements to see
patterns of use and plan future expansions.
You perform resource-metering tasks by using Windows PowerShell® cmdlets in the Hyper-V Windows
PowerShell module. There is no GUI tool that allows you to perform this task. You can use the following
cmdlets to perform resource metering tasks:
• Enable-VMResourceMetering. Starts collecting data, per virtual machine.
• Disable-VMResourceMetering. Disables resource metering per virtual machine.
• Reset-VMResourceMetering. Resets virtual machine resource-metering counters.
• Measure-VM. Displays resource-metering statistics for a specific virtual machine.
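A chargeback cycle built from these cmdlets, as an added example that is not part of the course: enable metering on every guest, read the metered usage with Measure-VM, price it, and reset the counters for the next billing period. The rates and function names are constructed; the report property names are those returned by Measure-VM in the Windows Server 2012 Hyper-V module, and the script is assumed to run on the Hyper-V host.

```powershell
# Added example (not course code). Runs on the Hyper-V host; rates are constructed.
Import-Module Hyper-V

function Enable-AdatumMetering {
    # Counters accumulate from here until Reset-VMResourceMetering is called.
    Get-VM | Where-Object { -not $_.ResourceMeteringEnabled } | Enable-VMResourceMetering
}

function Get-AdatumChargeback {
    param(
        # Constructed example rates: per average MHz of CPU, per average MB of RAM,
        # per MB of maximum disk allocation, and per MB of network traffic either way.
        [double]$CpuRatePerMHz = 0.002,
        [double]$RamRatePerMB  = 0.001,
        [double]$DiskRatePerMB = 0.0005,
        [double]$NetRatePerMB  = 0.0001
    )
    $reports = Get-VM | Where-Object { $_.ResourceMeteringEnabled } | Measure-VM
    foreach ($report in $reports) {
        # NetworkMeteredTrafficReport has one row per metered flow with Direction and
        # TotalTraffic (MB); fold the rows into the incoming/outgoing totals the lesson lists.
        $inbound  = [double]($report.NetworkMeteredTrafficReport |
                     Where-Object { $_.Direction -eq 'Inbound' } |
                     Measure-Object -Property TotalTraffic -Sum).Sum
        $outbound = [double]($report.NetworkMeteredTrafficReport |
                     Where-Object { $_.Direction -eq 'Outbound' } |
                     Measure-Object -Property TotalTraffic -Sum).Sum
        $charge = ($report.AverageProcessorUsage * $CpuRatePerMHz) +
                  ($report.AverageMemoryUsage    * $RamRatePerMB)  +
                  ($report.TotalDiskAllocation   * $DiskRatePerMB) +
                  (($inbound + $outbound)        * $NetRatePerMB)
        [pscustomobject]@{
            VMName    = $report.VMName
            AvgCpuMHz = $report.AverageProcessorUsage
            AvgRamMB  = $report.AverageMemoryUsage
            MinRamMB  = $report.MinimumMemoryUsage
            MaxRamMB  = $report.MaximumMemoryUsage
            MaxDiskMB = $report.TotalDiskAllocation
            NetInMB   = $inbound
            NetOutMB  = $outbound
            Metered   = $report.MeteringDuration
            Charge    = [math]::Round($charge, 2)
        }
    }
}

function Reset-AdatumMeteringPeriod {
    # Zero the counters once the period has been billed; metering itself stays enabled.
    Get-VM | Where-Object { $_.ResourceMeteringEnabled } | Reset-VMResourceMetering
}

# Enable-AdatumMetering at the start of the period; at the end:
# Get-AdatumChargeback | Export-Csv .\chargeback.csv -NoTypeInformation; Reset-AdatumMeteringPeriod
```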
Lesson 3
Monitoring Event Logs
Event Viewer provides a convenient and accessible location for you to view events that occur and that
Windows Server records into one of several log files based on the type of event that occurs. To support
your users, you should know how to access event information quickly and conveniently, and know how to
interpret the data in the event log.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a custom view.
• Explain how to create a custom view.
• Describe event subscriptions.
• Explain how to configure an event subscription.
What Is a Custom View?
Event logs contain vast amounts of data, and it could be a challenge to narrow the set of events to just
those events that interest you. In previous Windows versions, you could apply filters to logs, but you
could not save those filters. In Windows Server 2008 and Windows Server 2012, custom views allow you to
query and sort just the events that you want to analyze. You also can save, export, import, and share
these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that may
be related to an issue that you are investigating. To specify a filter that spans multiple logs, you need to
create a custom view.
Create custom views in the Action pane in Event Viewer. You can filter custom views based on multiple
criteria, including:
• The time that the event was logged.
• Event level to display, such as errors or warnings.
• Logs from which to include events.
• Specific Event IDs to include or exclude.
• User context of the event.
• Computer on which the event occurred.
Demonstration: Creating a Custom View
This demonstration shows how to:
• View Server Roles custom views.
• Create a custom view.
Demonstration Steps
View Server Roles custom views
• In Event Viewer, examine the predefined Server Roles custom views.
Create a custom view
1. Create a new custom view to select the following event types:
   o Critical
   o Warning
   o Error
2. Select the following logs:
   o System
   o Application
3. Name the custom view Adatum Custom View.
4. View the resulting filtered events in the details pane.
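The Adatum Custom View from this demonstration in the form Event Viewer stores it, as an added example that is not part of the course: a QueryList selecting Critical, Error and Warning events (levels 1, 2 and 3) from System and Application, run through Get-WinEvent and projected onto the event fields the lesson lists. A second function expresses the other custom-view criteria (time logged, event IDs, user, computer) as a Get-WinEvent filter hashtable; the function names are assumptions.

```powershell
# Added example (not course code). The QueryList below is the filter the demonstration's
# custom view produces; Level 1 = Critical, 2 = Error, 3 = Warning.
$AdatumCustomViewXml = [xml]@"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Run the saved view and show the fields the lesson says every event carries: time, event ID,
# source component, level, log, user, computer and the description (first line of the message).
function Get-AdatumCustomViewEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 100)
    Get-WinEvent -ComputerName $ComputerName -FilterXml $AdatumCustomViewXml -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, LogName, UserId, MachineName,
            @{ Name = 'Description'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

# The remaining custom-view criteria as a filter hashtable. An omitted key means "any":
# pass -Id to restrict to specific event IDs and -UserSid to restrict to one user context.
function Find-AdatumEvents {
    param(
        [string[]]$LogName = @('System', 'Application'),
        [int[]]$Level = @(1, 2, 3),
        [int[]]$Id,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$UserSid,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = $LogName; Level = $Level; StartTime = $Since }
    if ($Id)      { $filter['ID']     = $Id }
    if ($UserSid) { $filter['UserID'] = $UserSid }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, LogName, UserId, MachineName
}

# Get-AdatumCustomViewEvents | Format-Table -AutoSize
# Find-AdatumEvents -Level 2 -Since (Get-Date).AddHours(-4) -ComputerName LON-DC1
```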
What Are Event Subscriptions?
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue
might require you to examine a set of events that are stored in multiple logs on multiple computers. For
this purpose, Event Viewer provides the ability to collect copies of events from multiple remote
computers, and then store them locally. To specify which events to collect, create an event subscription.
After a subscription is active and events are being collected, you can view and manipulate these
forwarded events as you would any other locally stored events.
To use the event-collecting feature, you must configure the forwarding and the collecting computers. The
event-collecting functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are
participating in the forwarding and collecting process.
Enabling Subscriptions
To enable subscriptions, perform the following tasks:
1. On each source computer, run the following command at an elevated command prompt to
enable WinRM:
   winrm quickconfig
2. On the collector computer, type the following command at an elevated command prompt to
enable the Wecsvc:
   wecutil qc
3. Add the computer account of the collector computer to the local Administrators group on each of
the source computers.
Demonstration: Configuring an Event Subscription
This demonstration shows how to:
• Configure the source computer.
• Configure the collector computer.
• Create and view the subscribed log.
Demonstration Steps
Configure the source computer
1. Switch to LON-DC1 and, if necessary, sign in as Adatum\Administrator with the password
Pa$$w0rd.
2. Run the winrm quickconfig command at a command prompt.
Note: The service is already running.
3. Open Active Directory Users and Computers, and add the LON-SVR1 computer as a member of
the domain local Administrators group.
Configure the collector computer
1. Switch to LON-SVR1, and then open a command prompt.
2. Run the wecutil qc command.
Create and view the subscribed log
1. Switch to Event Viewer.
2. Create a new subscription to collect events from LON-DC1:
   o Collector initiated
   o Source computer LON-DC1
   o All event types
   o Last 30 days
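The subscription from this demonstration expressed as the XML that wecutil consumes, as an added example that is not part of the course, together with the runtime-status check a collector administrator runs afterwards. It runs on the collector (LON-SVR1) after the winrm quickconfig and wecutil qc steps above; the subscription ID, the DNS suffix adatum.com, the 30-day window as a timediff in milliseconds, and the choice of the System and Application channels are assumptions.

```powershell
# Added example (not course code): collector-initiated subscription for LON-DC1, all event
# levels, events from the last 30 days (2,592,000,000 ms), delivered to Forwarded Events.
$SubscriptionId  = 'Adatum-LON-DC1'
$SourceAddress   = 'LON-DC1.adatum.com'
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System and Application events from LON-DC1, last 30 days</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[TimeCreated[timediff(@SystemTime) <= 2592000000]]]</Select>
    <Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) <= 2592000000]]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceAddress</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

function New-AdatumSubscription {
    # wecutil cs reads the subscription definition from a file; the XML is plain ASCII.
    $path = Join-Path $env:TEMP "$SubscriptionId.xml"
    Set-Content -Path $path -Value $SubscriptionXml -Encoding Ascii
    wecutil cs $path
}

function Test-AdatumSource {
    # Confirms the source's WinRM listener answers before blaming the subscription.
    winrm id -r:$SourceAddress
}

function Get-AdatumSubscriptionStatus {
    # gr = get runtime status: per-source state (Active/Inactive) and the last error, if any.
    wecutil gr $SubscriptionId
}

# Test-AdatumSource; New-AdatumSubscription; Get-AdatumSubscriptionStatus
# Collected events then appear in Event Viewer under Windows Logs > Forwarded Events.
```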
Lab: Monitoring Windows Server 2012
Scenario
A. Datum Corporation is a global engineering and manufacturing company with its head office in
London, UK. An IT office and data center are located in London to support the London location and other
locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.
Because the enterprise has deployed new servers, it is important to establish a performance baseline with
a typical load for these new servers. You are tasked to work on this project. Additionally, to make the
process of monitoring and troubleshooting easier, you decide to perform centralized monitoring of event
logs.
Objectives
After completing this lab, you will be able to:
• Establish a performance baseline.
• Identify the source of a performance problem.
• View and configure centralized event logs.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20411B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20411B-LON-SVR1.
Exercise 1: Establishing a Performance Baseline
Scenario
In this exercise, you will use Performance Monitor on the server, and create a baseline by using typical
performance counters.
The main tasks for this exercise are as follows:
1. Create and start a data collector set.
2. Create a typical workload on the server.
3. Analyze the collected data.
Task 1: Create and start a data collector set
1. Switch to the LON-SVR1 computer.
2. Open Performance Monitor.
3. Create a new User Defined data collector set by using the following information to complete
the process:
   o Name: LON-SVR1 Performance
   o Create: Create manually (Advanced)
   o Type of data: Performance counter
   o Select the following counters:
      Memory, Pages/sec
      Network Interface, Bytes Total/sec
      PhysicalDisk, %Disk Time
      PhysicalDisk, Avg. Disk Queue Length
      Processor, %Processor Time
      System, Processor Queue Length
   o Sample interval: 1 second
   o Where to store data: default value
4. Save and close the data collector set.
5. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then
click Start.
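The LON-SVR1 Performance data collector set from this task, which uses the same six counters as the earlier demonstration, as an added example that is not part of the course: logman builds, starts and stops the set from the command line, and the last function reads the averages back out of the log so that the baseline values Task 3 asks you to record can be captured in one step. The output folder, the CSV log format and the function names are assumptions; run from an elevated PowerShell prompt on LON-SVR1.

```powershell
# Added example (not course code): Exercise 1's collector set via logman, plus a reader that
# turns the logged samples into the baseline figures Task 3 records. Paths are assumptions.
$SetName   = 'LON-SVR1 Performance'
$LogFolder = 'C:\PerfLogs\Adatum'
$Counters  = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function New-BaselineCollectorSet {
    New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
    $counterFile = Join-Path $LogFolder 'counters.txt'
    Set-Content -Path $counterFile -Value $Counters -Encoding Ascii
    # -cf: counter list, one path per line; -si: 1-second interval as in the lab; -f csv so the
    # log is both parseable below and openable in Performance Monitor via View Log Data.
    logman create counter "$SetName" -cf $counterFile -si 00:00:01 -f csv `
        -o (Join-Path $LogFolder 'baseline') | Out-Null
}

function Start-BaselineCollectorSet { logman start "$SetName" | Out-Null }
function Stop-BaselineCollectorSet  { logman stop  "$SetName" | Out-Null }

function Get-BaselineReport {
    # Newest log produced by the set. Column 1 is the timestamp; every other column is one
    # counter path. Rate counters leave the first row blank, so non-numeric cells are skipped.
    $csv  = Get-ChildItem -Path $LogFolder -Filter 'baseline*.csv' |
            Sort-Object LastWriteTime | Select-Object -Last 1
    $rows = Import-Csv -Path $csv.FullName
    $columns = ($rows | Select-Object -First 1).PSObject.Properties.Name | Select-Object -Skip 1
    foreach ($col in $columns) {
        $stats = $rows | Where-Object { $_.$col -match '^\s*-?[\d.]' } |
                 ForEach-Object { [double]($_.$col) } |
                 Measure-Object -Average -Maximum
        [pscustomobject]@{
            Counter = ($col -replace '^\\\\[^\\]+', '')   # drop the \\LON-SVR1 prefix
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
            Samples = $stats.Count
        }
    }
}

# Lab sequence: New-BaselineCollectorSet; Start-BaselineCollectorSet; run the Task 2 workload;
# Stop-BaselineCollectorSet; Get-BaselineReport | Format-Table -AutoSize
```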
Task 2: Create a typical workload on the server
1. Open a command prompt, and then run the following commands by pressing Enter after
each command:
   Fsutil file createnew bigfile 104857600
   Copy bigfile \\LON-dc1\c$
   Copy \\LON-dc1\c$\bigfile bigfile2
   Del bigfile*.*
   Del \\LON-dc1\c$\bigfile*.*
2. Do not close the command prompt.
Task 3: Analyze the collected data
1. Switch to Performance Monitor.
2. Stop the LON-SVR1 Performance data collector set.
3. Switch to the Performance Monitor node.
4. View logged data, and then add the following counters:
   o Memory, Pages/sec
   o Network Interface, Bytes Total/sec
   o PhysicalDisk, %Disk Time
   o PhysicalDisk, Avg. Disk Queue Length
   o Processor, %Processor Time
   o System, Processor Queue Length
5. On the toolbar, click the down arrow, and then click Report.
6. Record the values that are listed in the report for later analysis. Recorded values include:
   o Memory, Pages/sec
   o Network Interface, Bytes Total/sec
   o PhysicalDisk, %Disk Time
   o PhysicalDisk, Avg. Disk Queue Length
   o Processor, %Processor Time
   o System, Processor Queue Length
Results: After this exercise, you should have established a baseline for performance-comparison purposes.
Exercise 2: Identifying the Source of a Performance Problem
Scenario
In this exercise, you will simulate a load to represent the system in live usage, gather performance data by
using your data collector set, and then determine the potential cause of the performance problem.
The main tasks for this exercise are as follows:
1. Create additional workload on the server.
2. Capture performance data by using a data collector set.
3. Remove the workload, and review the performance data.
Task 1: Create additional workload on the server
1. On LON-SVR1, switch to the command prompt.
2. Change to the C:\Labfiles folder.
3. On LON-SVR1, run StressTool.exe 95.
Task 2: Capture performance data by using a data collector set
1. Switch to Performance Monitor.
2. In Performance Monitor, click User Defined, and then in the results pane, right-click LON-SVR1 Performance and click Start.
3. Wait one minute to allow the data capture to occur.
Task 3: Remove the workload, and review the performance data
1. At the command prompt, press Ctrl+C. Leave the command prompt running.
2. Switch to Performance Monitor.
3. Stop the data collector set.
4. In Performance Monitor, in the navigation pane, click Performance Monitor.
5. On the toolbar, click View log data.
6. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.
7. Click Add.
8. In the Select Log File dialog box, click Up One Level.
9. Double-click the LON-SVR1_date-000002 folder, and then double-click DataCollector01.blg.
10. Click the Data tab, and then click OK.
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4 through 9.
11. Recorded values:
   o Memory, Pages/sec
   o Network Interface, Bytes Total/sec
   o PhysicalDisk, %Disk Time
   o PhysicalDisk, Avg. Disk Queue Length
   o Processor, %Processor Time
   o System, Processor Queue Length
Question: Compared with your previous report, which values have changed?
Question: What would you recommend?
Results: After this exercise, you should have used performance tools to identify a potential performance
bottleneck.
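Exercises 1 and 2 ask you to record six counter values from a report, run StressTool.exe, record them again, and say which ones changed. The Windows PowerShell script below is an added example, not part of the course handbook, that does the same comparison with Get-Counter: it samples the lab's six counters once a second, reduces each to an average and a maximum, saves the baseline to a CSV file, and flags any counter whose average at least doubled under load. The 60-second window, the _Total instances, the doubling threshold and the CSV path are assumptions chosen for this lab; the counters themselves are the lab's.

```powershell
# Added example, not from the course handbook: baseline-versus-load comparison
# of the six counters the lab records. Run on LON-SVR1 in an elevated
# Windows PowerShell session.

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterSummary {
    param(
        [int]$Seconds = 60      # one-minute capture, like the lab's "wait one minute" step
    )
    # One sample per second matches the data collector set's 1-second interval.
    $sets = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds -ErrorAction SilentlyContinue
    $sets.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            $stats = $_.Group | ForEach-Object { $_.CookedValue } | Measure-Object -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
            }
        }
}

function Compare-CounterSummary {
    param(
        [Parameter(Mandatory)] $Baseline,
        [Parameter(Mandatory)] $Current,
        [double]$ChangeFactor = 2.0     # assumption: flag counters whose average at least doubled
    )
    foreach ($row in $Current) {
        $base = $Baseline | Where-Object Counter -eq $row.Counter
        if (-not $base) { continue }
        # A zero baseline with any load at all is an unbounded change; treat it as flagged.
        $ratio = if ($base.Average -gt 0) { $row.Average / $base.Average } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            Counter  = $row.Counter
            Baseline = $base.Average
            Current  = $row.Average
            Flagged  = ($ratio -ge $ChangeFactor)
        }
    }
}

# Exercise 1: capture while the Fsutil/Copy workload runs, then keep the baseline.
$baseline = Get-CounterSummary -Seconds 60
$baseline | Export-Csv -Path "$env:USERPROFILE\LON-SVR1-baseline.csv" -NoTypeInformation

# Exercise 2: capture again while StressTool.exe 95 is running, then compare.
$underLoad = Get-CounterSummary -Seconds 60
Compare-CounterSummary -Baseline $baseline -Current $underLoad | Format-Table -AutoSize
```

Grouping on the full counter path keeps each network interface separate, which is what you want when one adapter carries the copy traffic and another is idle. Run the two captures from the same session so the baseline variable is available for the comparison, or import the CSV with Import-Csv in a later session.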
Exercise 3: Viewing and Configuring Centralized Event Logs
Scenario
In this exercise, you will use LON-DC1 to collect event logs from LON-SVR1. Specifically, you will use this
process to gather performance-related alerts from your network servers.
The main tasks for this exercise are as follows:
1. Configure subscription prerequisites.
2. Create a subscription.
3. Configure a performance counter alert.
4. Introduce additional workload on the server.
5. Verify results.
Task 1: Configure subscription prerequisites
1. Switch to LON-SVR1.
2. At the command prompt, run winrm quickconfig to enable the administrative changes that are necessary on a source computer.
3. Add the LON-DC1 computer to the local Administrators group.
4. Switch to LON-DC1.
5. At a command prompt, run wecutil qc to enable the administrative changes that are necessary on a collector computer.
Task 2: Create a subscription
1. Open Event Viewer.
2. Create a new subscription with the following properties:
   o Computers: LON-SVR1
   o Name: LON-SVR1 Events
   o Collector Initiated
   o Events: Critical, Warning, Information, Verbose, and Error
   o Logged: Last 7 days
   o Logs: Applications and Services > Microsoft > Windows > Diagnosis-PLA > Operational
Task 3: Configure a performance counter alert
1. Switch to LON-SVR1.
2. Open Performance Monitor.
3. Create a new User Defined data collector set by using the following information to complete the process:
   o Name: LON-SVR1 Alert
   o Create: Create manually (Advanced)
   o Type of data: Performance counter Alert
   o Select the following counters: Processor, %Processor Time above 10 percent
   o Sample interval: 1 second
   o Where to store data: default value
   o Alert Action: Log an entry in the application event log
4. Start the LON-SVR1 Alert data collector set.
Task 4: Introduce additional workload on the server
1. Switch to the command prompt.
2. Change to the C:\Labfiles folder, and then run StressTool.exe 95.
3. Wait one minute for the data capture to occur, and at the command prompt, press Ctrl+C, and then close the command prompt.
Task 5: Verify results
• Switch to LON-DC1, and then open Forwarded Events.
Question: In Performance Monitor, are there any performance-related alerts in the subscribed
application log? Hint: They have an ID of 2031.
Results: At the end of this exercise, you will have centralized event logs and examined these logs for
performance-related events.
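Exercise 3 ties a performance counter alert on LON-SVR1 to an event subscription on LON-DC1 and then has you look for ID 2031 in Forwarded Events. The script below is an added example, not course material, that performs that check from the collector: it confirms the subscription exists and prints its runtime status with wecutil, then filters the Forwarded Events log for the alert ID and shows which source computer each event came from. The subscription name and the event ID come from the lab; the one-hour lookback is an assumption. The trailing comment gives the logman equivalent of the LON-SVR1 Alert collector set, using logman's documented -th and -el options rather than anything the handbook shows.

```powershell
# Added example, not from the course handbook: verify the collector-initiated
# subscription and read the forwarded PLA alert events. Run on LON-DC1 in an
# elevated Windows PowerShell session.

$subscriptionName = 'LON-SVR1 Events'   # name given in Exercise 3, Task 2
$alertEventId     = 2031                 # PLA counter-alert event, per the lab's hint

function Test-CollectorSubscription {
    param([string]$Name = $subscriptionName)
    # wecutil es lists the names of all subscriptions, one per line.
    $names = & wecutil es
    if ($names -notcontains $Name) {
        return [pscustomobject]@{ Subscription = $Name; Exists = $false; Status = @() }
    }
    # wecutil gr prints the runtime status of the subscription and of each source computer,
    # which is where a source that never connected (WinRM or permissions) shows up.
    [pscustomobject]@{ Subscription = $Name; Exists = $true; Status = (& wecutil gr $Name) }
}

function Get-ForwardedPerformanceAlerts {
    param([int]$Hours = 1)   # assumption: look back one hour
    # Forwarded Events is the destination log for collector-initiated subscriptions.
    $filter = @{
        LogName   = 'ForwardedEvents'
        Id        = $alertEventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id,
            @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Test-CollectorSubscription
Get-ForwardedPerformanceAlerts -Hours 1 | Sort-Object TimeCreated | Format-Table -AutoSize

# The alert itself can be created without the Performance Monitor wizard. This is the
# logman equivalent of the "LON-SVR1 Alert" data collector set (run on LON-SVR1):
#   logman create alert "LON-SVR1 Alert" -th "\Processor(_Total)\% Processor Time>10" -si 00:00:01 -el
#   logman start "LON-SVR1 Alert"
```

If Test-CollectorSubscription reports the subscription but Get-ForwardedPerformanceAlerts returns nothing, read the per-source lines in Status before suspecting the alert: a source that cannot be reached over WinRM, or that denies the collector's computer account, is the usual reason an otherwise correct subscription delivers no events.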
To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-SVR1.
Module Review and Takeaways
Review Questions
Question: What significant counters should you monitor in Performance Monitor?
Question: Why is it important to monitor server performance periodically?
Question: Why should you use performance alerts?
Tools
Tool | Use for | Where to find it
Fsutil.exe | Configuring and managing the file system | Command line
Performance Monitor | Monitoring and analyzing real-time and logged performance data | Start menu
Logman.exe | Managing and scheduling performance-counter and event-trace log collections | Command line
Resource Monitor | Monitoring the use and performance of CPU, disk, network, and memory in real time | Start menu
Event Viewer | Viewing and managing event logs | Start menu
Task Manager | Identifying and resolving performance-related problems | Start menu
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Module 1: Deploying and Maintaining Server Images
Lab: Using Windows Deployment Services to Deploy Windows Server 2012
Exercise 1: Installing and Configuring Windows Deployment Services
Task 1: Read the supporting documentation
• Read the supporting documentation in the exercise scenario to determine the deployment details.
Task 2: Install the Windows Deployment Services role
1. Switch to the LON-SVR1 computer.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard window, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Deployment Services check box.
7. In the Add Roles and Features Wizard window, click Add Features.
8. On the Select server roles page, click Next.
9. On the Select features page, click Next.
10. On the WDS page, review the information presented, and then click Next.
11. On the Select role services page, click Next.
12. On the Confirm installation selections page, click Install.
13. On the Installation Results page, click Close.
Task 3: Configure Windows Deployment Services
1. In Server Manager, click Tools, and then click Windows Deployment Services.
2. In the Windows Deployment Services console, expand Servers.
3. Right-click LON-SVR1.Adatum.com, and then click Configure Server. Click Next.
4. On the Install Options page, click Next.
5. On the Remote Installation Folder Location page, click Next.
6. In the System Volume Warning dialog box, click Yes.
7. On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown), and then click Next.
8. On the Operation Complete page, clear the Add images to the server now check box, and then click Finish.
Results: After completing this exercise, you will have installed and configured Windows Deployment
Services.
Exercise 2: Creating Operating System Images with Windows Deployment Services
Task 1: Insert the Windows Server 2012 Installation media in LON-SVR1
1. On the host computer, open Hyper-V Manager.
2. In Hyper-V® Manager, right-click the 20411B-LON-SVR1 virtual machine, and then click Settings.
3. In the Settings window, under IDE Controller 1, click DVD Drive.
4. In the Settings window, under Media, click to select Image file, and then click Browse.
5. In the Open window, double-click Local Disk (C:), double-click Program Files, double-click Microsoft Learning, double-click 20411, double-click Drives, and then double-click WIndows2012_RTM.iso.
6. Click OK to close the Settings for 20411B-LON-SVR1 window.
Task 2: Add a boot image
1. Switch to LON-SVR1.
2. In Windows Deployment Services, in the console tree, expand LON-SVR1.Adatum.com.
3. Right-click Boot Images, and then click Add Boot Image.
4. In the Add Image Wizard, on the Image File page, click Browse.
5. In the Select Windows Image File dialog box, in the navigation pane, click Computer, double-click DVD Drive (D:), double-click sources, and then double-click boot.wim.
6. On the Image File page, click Next.
7. On the Image Metadata page, click Next.
8. On the Summary page, click Next.
9. On the Task Progress page, click Finish.
Task 3: Add an install image
1. In the Windows Deployment Services console, right-click Install Images, and then click Add Image Group.
2. In the Add Image Group dialog box, in the Enter a name for the image group field, type Windows Server 2012, and then click OK.
3. In the Windows Deployment Services console, right-click Windows Server 2012, and then click Add Install Image.
4. In the Add Image Wizard, on the Image File page, click Browse.
5. In the File name text box, type D:\sources\install.wim, and then click Open.
6. On the Image File page, click Next.
7. On the Available Images page, clear all check boxes except Windows Server 2012 SERVERSTANDARDCORE, and then click Next.
8. On the Summary page, click Next.
9. On the Task Progress page, click Finish.
10. Minimize the Windows Deployment Services window.
Results: After completing this exercise, you will have created an operating system image with Windows Deployment Services.
Exercise 3: Configuring Custom Computer Naming
Task 1: Configure automatic naming
1. In Windows Deployment Services, in the console tree, right-click LON-SVR1.Adatum.com, and then click Properties.
2. Click the AD DS tab.
3. In the Format text box, type BRANCH-SVR-%02#.
4. Under Computer Account Location, click The following location, and then click Browse.
5. In the Browse for a Directory Service Folder dialog box, expand Adatum, click Research, and then click OK.
6. In the LON-SVR1 Properties dialog box, click OK.
Task 2: Configure Administrator approval
1. In Windows Deployment Services, in the console tree, right-click LON-SVR1.Adatum.com, and then click Properties.
2. Click the PXE Response tab.
3. Select the Require administrator approval for unknown computers check box. Change the PXE Response Delay to 3 seconds, and then click OK.
4. On the taskbar, click the Windows PowerShell® shortcut.
5. At the command prompt, type the following command, and then press Enter:
   WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Adatum administrator is authorizing this request. Please wait."
6. Close the command prompt window.
Task 3: Configure Active Directory® Domain Services (AD DS) permissions
1. Switch to the LON-DC1 computer.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, expand Adatum.com, right-click Research, and then click Delegate Control.
4. In the Delegation of Control Wizard, click Next.
5. On the Users or Groups page, click Add.
6. In the Select Users, Computers, or Groups dialog box, click Object Types.
7. In the Object Types dialog box, select the Computers check box, and then click OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select text box, type LON-SVR1, click Check Names, and then click OK.
9. On the Users or Groups page, click Next.
10. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
11. On the Active Directory Object Type page, click Only the following objects in the folder, select the Computer objects check box, select the Create selected objects in this folder check box, and then click Next.
12. On the Permissions page, in the Permissions list, select the Full Control check box, and then click Next.
13. On the Completing the Delegation of Control Wizard page, click Finish.
Results: After completing this exercise, you will have configured custom computer naming.
Exercise 4: Deploying Images with Windows Deployment Services
Task 1: Configure a Windows Deployment Services server for multicast transmission
1. Switch to the LON-SVR1 computer.
2. In Windows Deployment Services, in the console tree, right-click Multicast Transmissions, and then click Create Multicast Transmission.
3. In the Create Multicast Transmission Wizard, on the Transmission Name page, in the Type a name for this transmission field, type Windows Server 2012 Branch Servers, and then click Next.
4. On the Image Selection page, in the Select the image group that contains the image list, click Windows Server 2012.
5. In the Name list, click Windows Server 2012 SERVERSTANDARDCORE, and then click Next.
6. On the Multicast Type page, verify that Auto-Cast is selected, and then click Next.
7. Click Finish.
Task 2: Configure the client for Preboot Execution Environment (PXE) booting
1. On the host computer, switch to Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-SVR3, and then click Settings.
3. In the Settings for 20411B-LON-SVR3 dialog box, click BIOS.
4. In the results pane, click Legacy Network adapter.
5. Use the arrows to move Legacy Network adapter to the top of the list, and then click OK.
6. In Hyper-V Manager, click 20411B-LON-SVR3, and in the Actions pane, click Start.
7. In the Actions pane, click Connect.
8. When the computer reboots, review the PXE Dynamic Host Configuration Protocol (DHCP) notice. When prompted, press F12 for Network Boot.
Question: Do you see the admin approval message?
Answer: Yes.
9. Switch to the LON-SVR1 computer.
10. In Windows Deployment Services, click Pending Devices.
11. Right-click the pending request, and then click Approve.
12. In the Pending Device dialog box, click OK.
13. Switch to the LON-SVR3 computer.
Question: Which image is the default?
Answer: Microsoft® Windows Setup (x64)
Question: Does setup start?
Answer: Yes.
14. You do not have to continue setup.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. Right-click 20411B-LON-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR3 and 20411B-LON-SVR1.
Results: After completing this exercise, you will have deployed an image with Windows Deployment
Services.
Module 2: Configuring and Troubleshooting Domain Name System
Lab: Configuring and Troubleshooting DNS
Exercise 1: Configuring DNS Resource Records
Task 1: Add the required MX record
1. Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click DNS.
3. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
4. Right-click Adatum.com, and then click New host (A or AAAA).
5. In the New Host dialog box, in the Name box, type Mail1.
6. In the IP address box, type 172.16.0.250, and then click Add Host.
7. In the DNS dialog box, click OK.
8. In the New Host dialog box, click Done.
9. Right-click Adatum.com, and then click New Mail Exchanger (MX).
10. In the New Resource Record dialog box, in the Fully qualified domain name (FQDN) of mail
server box, type Mail1.Adatum.com, and then click OK.
Task 2: Add the required Lync server records
1. Right-click Adatum.com, and then click New host (A or AAAA).
2. In the New Host dialog box, in the Name box, type Lync-svr1.
3. In the IP address box, type 172.16.0.251, and then click Add Host.
4. In the DNS dialog box, click OK.
5. In the New Host dialog box, click Done.
6. Right-click Adatum.com, and then click Other New Records.
7. In the Resource Record Type dialog box, in the Select a resource record type list, click Service
Location (SRV), and then click Create Record.
8. In the New Resource Record dialog box, in the Service box, type _sipinternaltls.
9. In the Protocol box, type _tcp.
10. In Port Number, type 5061.
11. In the Host offering this service box, type Lync-svr1.adatum.com.
12. Click OK, and then click Done.
Task 3: Create the reverse lookup zone
1. In DNS Manager, in the navigation pane, click Reverse Lookup Zones.
2. Right-click Reverse Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. On the Zone Type page, click Primary zone, and then click Next.
5. On the Active Directory Zone Replication Scope page, click Next.
6. On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next.
7. On the second Reverse Lookup Zone Name page, in the Network ID: box, type 172.16.0, and then
click Next.
8. On the Dynamic Update page, click Next.
9. On the Completing the New Zone Wizard page, click Finish.
Results: After this exercise, you should have configured the required messaging service records and the
reverse lookup zone successfully.
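The records from Exercise 1 (and the conditional forwarder from Exercise 2 that follows) can also be created with the DnsServer module that installs with the DNS Server role on Windows Server 2012. The script below is an added example, not part of the handbook, that builds them on LON-DC1 and then resolves each one against the local server to confirm the result. Names, addresses and the port are the lab's; the MX preference of 10, the SRV priority and weight of 0, and querying 127.0.0.1 are assumptions.

```powershell
# Added example, not from the course handbook: DNS records and zones from
# Exercises 1 and 2 via the DnsServer module. Run on LON-DC1 as Adatum\Administrator.

Import-Module DnsServer
$zone = 'Adatum.com'

# Task 1: host record for the mail server, then an MX record at the zone apex ('.')
# pointing at it. Preference 10 is an assumption; the lab accepts the default.
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'Mail1' -IPv4Address '172.16.0.250'
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "Mail1.$zone" -Preference 10

# Task 2: host record for the Lync server and the _sipinternaltls._tcp SRV record on 5061.
# Priority and weight of 0 are assumptions; the lab leaves them at their defaults.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'Lync-svr1' -IPv4Address '172.16.0.251'
Add-DnsServerResourceRecord  -Srv -ZoneName $zone -Name '_sipinternaltls._tcp' `
    -DomainName "Lync-svr1.$zone" -Priority 0 -Weight 0 -Port 5061

# Task 3: AD-integrated IPv4 reverse lookup zone for 172.16.0.x, replicated domain-wide.
Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/24' -ReplicationScope Domain

# Exercise 2: conditional forwarder for contoso.com, stored in AD DS. The forwarder
# address is unreachable in the lab; the zone is still created.
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers '131.107.1.2' -ReplicationScope Domain

function Test-LabDnsRecords {
    # Query the local server directly so the check does not depend on client DNS settings.
    $server = '127.0.0.1'
    $mx  = Resolve-DnsName -Name $zone -Type MX -Server $server -ErrorAction SilentlyContinue
    $srv = Resolve-DnsName -Name "_sipinternaltls._tcp.$zone" -Type SRV -Server $server -ErrorAction SilentlyContinue
    $ptr = Resolve-DnsName -Name '172.16.0.250' -Type PTR -Server $server -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MailExchanger = ($mx  | Where-Object Type -eq 'MX'  | Select-Object -ExpandProperty NameExchange)
        SipTarget     = ($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
        SipPort       = ($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty Port)
        # Creating the reverse zone does not back-fill PTRs for A records that already
        # exist, so this stays empty until the host re-registers or a PTR is added.
        ReversePtr    = ($ptr | Select-Object -ExpandProperty NameHost)
    }
}

Test-LabDnsRecords | Format-List
```

Resolve-DnsName returns the additional A records alongside the MX and SRV answers, which is why the function filters on Type before reading NameExchange and NameTarget. An empty ReversePtr after this script is expected for the reasons in the comment and is not a failure of Task 3.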
Exercise 2: Configuring DNS Conditional Forwarding
Task 1: Add the conditional forwarding record for contoso.com
1. In DNS, in the navigation pane, click Conditional Forwarders.
2. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
3. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
4. Click in the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then
press Enter. Validation will fail since the server cannot be contacted.
5. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check
box.
6. Click OK.
Results: After this exercise, you should have successfully configured conditional forwarding.
Exercise 3: Installing and Configuring DNS Zones
Task 1: Install the DNS server role on LON-SVR1
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click Server Manager.
3. In Server Manager, in the navigation pane, click Dashboard, and then in the details pane, click Add
roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, in the Roles list, select the DNS Server check box.
8. In the Add Roles and Features Wizard dialog box, click Add Features.
9. On the Select server roles page, click Next.
10. On the Select features page, click Next.
11. On the DNS Server page, click Next.
12. On the Confirm installation selections page, click Install.
13. After the role is installed, click Close.
Task 2: Create the required secondary zones on LON-SVR1
1. Pause your mouse pointer in the lower left of the display, and then click Start.
2. From Start, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
Dnscmd.exe /zoneadd Adatum.com /secondary 172.16.0.10
4. In Server Manager, click Tools, and then click DNS.
5. From Start, click DNS.
6. In DNS Manager, in the navigation pane, expand LON-SVR1, and then click Forward Lookup Zones.
Notice the new zone.
Task 3: Enable and configure zone transfers
1. Switch to LON-DC1.
2. Pause your mouse pointer in the lower-left of the display, and then click Start.
3. From Start, type cmd.exe, and then press Enter.
4. At the command prompt, type the following command, and then press Enter:
Dnscmd.exe /zoneresetsecondaries Adatum.com /notifylist 172.16.0.21
5. In DNS Manager, in the navigation pane, click Adatum.com, and then on the toolbar, click Refresh.
6. Right-click Adatum.com, and then click Properties.
7. In the Adatum.com Properties dialog box, click the Zone Transfers tab.
8. Click Notify, and verify that the server 172.16.0.21 is listed.
9. Click Cancel.
10. Click OK to close the Adatum.com Properties dialog box.
Task 4: Configure TTL, aging, and scavenging
1. On LON-DC1, in DNS Manager, right-click Adatum.com, and then click Properties.
2. In the Adatum.com Properties dialog box, click the Start of Authority (SOA) tab.
3. In the Minimum (default) TTL box, type 2, and then click OK.
4. Right-click LON-DC1, and then click Set Aging/Scavenging for All Zones.
5. In the Set Aging/Scavenging Properties dialog box, select the Scavenge stale resource records check box, and then click OK.
6. In the Server Aging/Scavenging Confirmation dialog box, select the Apply these settings to the existing Active Directory-integrated zones check box, and then click OK.
Task 5: Configure clients to use the new name server
1. Switch to LON-CL1.
2. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
3. On the Start screen, type Control, and then click Control Panel.
4. In Control Panel, click Network and Internet.
5. In Network and Internet, click Network and Sharing Center.
6. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area
Connection.
7. In the Local Area Connection Status dialog box, click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, in the Preferred DNS server box, type 172.16.0.21, and then click OK.
10. In the Local Area Connection Properties dialog box, click Close.
11. In the Local Area Connection Status dialog box, click Close.
Results: After this exercise, you should have successfully installed and configured DNS on LON-SVR1.
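Exercise 3 spreads its work over LON-SVR1 (the secondary zone), LON-DC1 (the notify list, aging and scavenging) and LON-CL1 (the client's DNS server). The script below is an added example, not course material, that performs those steps with the DnsServer, ServerManager and NetTCPIP modules and then reports the zone's transfer policy. It does one thing the lab does not: it also restricts zone transfers to the listed secondary. The lab's Dnscmd /notifylist controls which servers are told about changes; the -SecureSecondaries setting controls which servers may pull the zone at all, so the two belong together on a primary that is not meant to be enumerable by every host that asks. The adapter alias, running each function on the computer named in its comment, and leaving the SOA TTL to DNS Manager as in the lab are assumptions.

```powershell
# Added example, not from the course handbook: Exercise 3 as a script, plus a
# zone-transfer restriction the lab does not set. Run each function on the
# computer named in its comment, as Adatum\Administrator.

$zone      = 'Adatum.com'
$primary   = '172.16.0.10'   # LON-DC1
$secondary = '172.16.0.21'   # LON-SVR1

# --- LON-SVR1, Tasks 1 and 2: install the role and add Adatum.com as a secondary zone
#     pulled from LON-DC1 (the Dnscmd /zoneadd ... /secondary step).
function Install-SecondaryZone {
    Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null
    Import-Module DnsServer
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $primary
    Get-DnsServerZone -Name $zone    # ZoneType should read Secondary
}

# --- LON-DC1, Task 3: notify the secondary of changes (the lab's /notifylist), and,
#     beyond the lab, allow AXFR/IXFR only to that secondary.
function Set-ZoneTransferPolicy {
    Import-Module DnsServer
    Set-DnsServerPrimaryZone -Name $zone -Notify NotifyServers -NotifyServers $secondary `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary
}

# --- LON-DC1, Task 4: turn on scavenging of stale records server-wide and apply it
#     to the existing AD-integrated zones (the SOA minimum TTL stays a DNS Manager step).
function Enable-ZoneScavenging {
    Import-Module DnsServer
    Set-DnsServerScavenging -ScavengingState $true -ApplyOnAllZones
}

# --- LON-CL1, Task 5: point the client at the new name server.
function Set-ClientNameServer {
    # 'Local Area Connection' is the adapter name the lab uses; check Get-NetAdapter if it differs.
    Set-DnsClientServerAddress -InterfaceAlias 'Local Area Connection' -ServerAddresses $secondary
}

# --- LON-DC1: summarize what the primary will now notify, transfer to, and scavenge.
function Get-ZoneTransferReport {
    Import-Module DnsServer
    $z = Get-DnsServerZone -Name $zone
    [pscustomobject]@{
        Zone               = $z.ZoneName
        ZoneType           = $z.ZoneType
        Notify             = $z.Notify
        NotifyServers      = ($z.NotifyServers -join ', ')
        SecureSecondaries  = $z.SecureSecondaries
        AllowedSecondaries = ($z.SecondaryServers -join ', ')
        ScavengingEnabled  = (Get-DnsServerScavenging).ScavengingState
    }
}

# Run order follows the lab: Install-SecondaryZone on LON-SVR1 first, then these on LON-DC1,
# then Set-ClientNameServer on LON-CL1.
Set-ZoneTransferPolicy
Enable-ZoneScavenging
Get-ZoneTransferReport | Format-List
```

After Set-ZoneTransferPolicy, a zone transfer request from any address other than 172.16.0.21 is refused, which you can confirm from LON-CL1 with nslookup's ls command against LON-DC1 failing while the secondary on LON-SVR1 still loads the zone.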
Exercise 4: Troubleshooting DNS
Task 1: Test simple and recursive queries
1. Switch to LON-DC1.
2. On LON-DC1, switch to DNS Manager.
3. In the navigation pane, right-click LON-DC1, and then click Properties.
4. Click the Monitoring tab.
5. On the Monitoring tab, select A simple query against this DNS server, and then click Test Now.
6. On the Monitoring tab, select A recursive query to other DNS servers, and then click Test Now.
Notice that the Recursive test fails for LON-DC1, which is normal given that there are no forwarders
configured for this DNS server to use.
7. Pause your mouse pointer in the lower-left of the display, and then click Start.
8. In Start, type cmd, and then press Enter.
9. At the command prompt, type the following command, and then press Enter:
sc stop dns
10. Switch back to DNS Manager.
11. In DNS Manager, in the LON-DC1 Properties dialog box, on the Monitoring tab, click Test Now.
Now, both simple and recursive tests fail because no DNS server is available.
12. Switch to the command prompt.
13. At the command prompt, type the following command, and then press Enter:
sc start dns
14. Switch back to DNS Manager.
15. On the Monitoring tab, click Test Now. The simple test completes successfully.
16. Close the LON-DC1 Properties dialog box.
Task 2: Verify start-of-authority (SOA) resource records with Windows PowerShell
1. On LON-DC1, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell® prompt, type the following command, and then press Enter:
Resolve-DnsName -Name Adatum.com -Type SOA
3. Close the Windows PowerShell prompt.
Results: After this exercise, you should have successfully tested and verified DNS.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-SVR1 and 20411B-LON-CL1.
Module 3: Maintaining Active Directory Domain Services
Lab: Maintaining AD DS
Exercise 1: Installing and Configuring a RODC
Task 1: Verify requirements for installing a RODC
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the navigation pane, right-click the Adatum.com domain, and then click Raise domain functional level.
3. In the Raise domain functional level window, confirm that the Current domain functional level is set to Windows Server 2008 R2. The minimum level for RODC support is Windows Server 2003. Click Cancel.
4. Switch to LON-SVR1.
5. On LON-SVR1, in Server Manager, click Local Server, and then click LON-SVR1 beside Computer name.
6. In the System Properties window, click Change.
7. In the Computer Name/Domain Changes window, click the Workgroup radio button, type TEMPORARY into the Workgroup field, and then click OK.
8. In the Computer Name/Domain Changes window, click OK.
9. Click OK twice to confirm the name change and pending server restart.
10. In the System Properties window, click Close.
11. In the Microsoft Windows window, click Restart Now.
12. Switch to LON-DC1.
13. On LON-DC1, in Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then click Computers.
14. Right-click LON-SVR1, and then click Delete.
15. Click Yes twice.
16. In Active Directory Users and Computers, right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.
17. In the Active Directory Domain Services Installation Wizard window, click Next.
18. Click Next to accept the current credentials.
19. In the Computer name field, type LON-SVR1, and then click Next.
20. On the Select a site page, click Next.
21. On the Additional Domain Controller Options page, click Next.
22. On the Delegation of RODC Installation and Administration page, type Adatum\IT in the Group or user field, and then click Next.
23. On the Summary page, click Next.
24. Click Finish to complete the wizard.
25. Close Active Directory Users and Computers.
Task 2: Install an RODC
1. Log on to LON-SVR1 as Administrator with the password Pa$$w0rd.
2. On LON-SVR1, in Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. Ensure that Role-based or feature-based installation is selected, and then click Next.
5. Select LON-SVR1, and then click Next.
6. On the Select server roles page, select the check box to select Active Directory Domain Services, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. Click Next, and then click Install to continue the installation.
9. When the installation completes, click Close.
10. In Server Manager, click the Notifications icon, and then click Promote this server to a domain controller.
11. In the Deployment Configuration window, beside Domain, click Select.
12. In the Windows Security window, type Adatum\April for User name and Pa$$w0rd as a password, and then click OK.
13. In the Select a domain from the forest window, click Adatum.com, and then click OK.
14. In the Deployment Configuration window, click Next.
15. On the Domain Controller Options screen, under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in the Password and Confirm password fields, and then click Next.
16. On the Additional Options page, beside Replicate from, click the drop-down box, click LON-DC1.Adatum.com, and then click Next.
17. On the Paths page, click Next.
18. On the Review Options page, click Next.
19. On the Prerequisites Check page, click Install.
20. After the Active Directory Domain Services Wizard has completed, LON-SVR1 will restart.
Task 3: Configure a password-replication policy
Configure password-replication groups
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, click the Users container, double-click Allowed RODC Password Replication Group, click the Members tab, and then verify that there is nothing listed.
3. Click OK.
4. In Active Directory Users and Computers, click the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
5. Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication Group and Denied RODC Password Replication Group are both listed.
6. Click OK.
Create a group to manage password replication to the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, right-click the Research OU, click New, and then click Group.
2. In the New Object – Group window, type Remote Office Users in the Group name field, confirm that Global and Security are selected, and then click OK.
3. In Active Directory Users and Computers, click the Research OU, and then double-click the Remote Office Users group.
4. In the Remote Office Users Properties window, click the Members tab.
5. Click Add, type Aziz; Colin; Lukas; Louise, and then click Check Names.
6. Click Object Types, select Computers, and then click OK.
7. In the Enter the object names to select field, type LON-CL1, click Check Names, and then click OK.
8. Click OK to close the Remote Office Users Properties window.
Configure a password-replication policy for the remote office RODC
1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, right-click LON-SVR1, and then click Properties.
2. In the LON-SVR1 Properties window, click the Password Replication Policy tab, and then click Add.
3. In the Add Groups, Users, and Computers window, click the radio button to select Allow passwords for the account to replicate to this RODC, and then click OK.
4. In the search window, in the Enter the object names to select field, type Remote Office Users, click Check Names, and then click OK.
5. In the LON-SVR1 Properties window, click Apply, and do not close the window.
Evaluate the resulting password-replication policy
1. On LON-DC1, in the LON-SVR1 Properties window, on the Password Replication Policy tab, click Advanced.
2. Click the Resultant Policy tab, click Add, type Aziz, click Check Names, and then click OK.
3. Confirm that the Resultant Setting for Aziz is Allow.
4. Click Close, and then click OK to close the LON-SVR1 Properties dialog box.
Monitor credential caching
1. Switch to LON-SVR1.
2. Attempt to sign in as Adatum\Aziz with the password Pa$$w0rd. The sign-in will fail, because Aziz does not have permission to sign in to LON-SVR1. However, the credentials for Aziz's account were processed and cached on LON-SVR1.
3. Switch to LON-DC1.
4. In Active Directory Users and Computers, click the Domain Controllers OU, double-click LON-SVR1, and then click the Password Replication Policy tab.
5. On the Password Replication Policy tab, click Advanced. Notice that the password for Aziz's account has been stored on LON-SVR1.
6. Click Close, and then click OK.
Prepopulate credential caching
1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, double-click LON-SVR1, and then click the Password Replication Policy tab.
2. On the Password Replication Policy tab, click Advanced, and then click Prepopulate Passwords.
3. Type Louise; LON-CL1, click Check Names, click OK, and then click Yes.
4. Click OK, and confirm that Louise and LON-CL1 have both been added to the list of accounts with cached credentials.
5. Close all open windows on LON-DC1.
Results: After completing this exercise, you will have installed and configured an RODC.
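Task 3 as a script, added here as an example that is not part of the course: it builds the Remote Office Users group, adds it to the RODC's Allowed list, evaluates the resultant setting the way the Resultant Policy tab does, prepopulates the two accounts, and lists what is cached. Host, group and account names are the lab's; the Research OU path and the Get-RodcResultantSetting helper are this example's own.

```powershell
# Added example, not from the course: Exercise 1, Task 3 with the ActiveDirectory
# module from LON-DC1. Run elevated as a domain administrator.
Import-Module ActiveDirectory

$Rodc  = 'LON-SVR1'
$Group = 'Remote Office Users'

# Group that scopes what may be cached on the branch RODC: the branch users and the
# branch workstation's computer account. OU path is an ASSUMPTION (Research under the domain root).
New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
    -Path 'OU=Research,DC=Adatum,DC=com'
Add-ADGroupMember -Identity $Group -Members 'Aziz', 'Colin', 'Lukas', 'Louise', 'LON-CL1$'

# Put the group on the RODC's Allowed list. The default Denied RODC Password
# Replication Group (Domain Admins, Enterprise Admins and other privileged
# principals) stays in place and still wins over any Allow.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# Resultant setting for one account, mirroring the Resultant Policy tab: a match on
# the Denied list beats a match on the Allowed list, and an account on neither list
# is denied. Nested membership is resolved with LDAP_MATCHING_RULE_IN_CHAIN so the
# answer matches what the DC evaluates. (Helper written for this example.)
function Get-RodcResultantSetting {
    param([string]$Rodc, [string]$SamAccountName)
    $dn = (Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'").DistinguishedName
    $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty DistinguishedName
    $ids = @($dn) + @($memberOf)
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    if ($denied  | Where-Object { $ids -contains $_.DistinguishedName }) { return 'Deny' }
    if ($allowed | Where-Object { $ids -contains $_.DistinguishedName }) { return 'Allow' }
    return 'Deny'   # on neither list: the secret never leaves the writable DCs
}
Get-RodcResultantSetting -Rodc $Rodc -SamAccountName 'Aziz'

# Prepopulate the cache for Louise and LON-CL1 (the Prepopulate Passwords button),
# so the branch can authenticate them even if the WAN link is down at first logon.
foreach ($obj in (Get-ADUser -Identity 'Louise'), (Get-ADComputer -Identity 'LON-CL1')) {
    Sync-ADObject -Object $obj -Source 'LON-DC1' -Destination $Rodc -PasswordOnly
}

# Audit: which accounts currently have secrets stored on the RODC. This is the list
# to reset if the branch server is ever lost or assumed compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The lab's own check expects Aziz to resolve to Allow; the same helper returns Deny for any member of Domain Admins even if that user is also put into Remote Office Users, which is the behaviour the Denied list exists to guarantee.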
Exercise 2: Configuring AD DS snapshots
Task 1: Create a snapshot of AD DS
1. On LON-DC1, move your mouse to the bottom left corner, and then click the Start charm.
2. From the Start screen, type cmd, and then press Enter.
3. At the command prompt, type the following, and then press Enter:
ntdsutil
4. At the command prompt, type the following, and then press Enter:
snapshot
5. At the command prompt, type the following, and then press Enter:
activate instance ntds
6. At the command prompt, type the following, and then press Enter:
create
Either make note of the GUID number that the command returns, or copy the GUID to the clipboard.
7. After the snapshot is created, at the command prompt, type the following, and then press Enter:
quit
8. At the command prompt, type the following, and then press Enter:
quit
Task 2: Make a change to AD DS
1. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, double-click the Marketing OU, right-click Adam Barr, and then click Delete.
3. Click Yes to confirm the deletion.
Task 3: Mount an Active Directory snapshot, and create a new instance
1. On LON-DC1, move your mouse to the bottom left corner, and click the Start charm.
2. On the Start screen, type cmd, right-click Command Prompt, and then click Run as Administrator.
3. At the command prompt, type the following, and then press Enter:
ntdsutil
4. At the command prompt, type the following, and then press Enter:
snapshot
5. At the command prompt, type the following, and then press Enter:
activate instance ntds
6. At the command prompt, type the following, and then press Enter:
list all
7. At the command prompt, type the following, and then press Enter:
mount <GUID>
Where <GUID> is the GUID returned by the create command in Task 1.
8. At the command prompt, type the following, and then press Enter:
quit
9. At the command prompt, type the following, and then press Enter:
quit
10. At the command prompt, type the following, and then press Enter:
dsamain /dbpath C:\$SNAP_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000
Note that datetime will be a unique value. There should only be one folder on your C:\ drive with a name that begins with $SNAP.
A message indicates that Active Directory Domain Services startup is complete. Leave Dsamain.exe running, and do not close the command prompt.
Task 4: Explore a snapshot with Active Directory Users and Computers
1. Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then click Change Domain Controller.
2. Click <Type a Directory Server name[:port] here>, type LON-DC1:50000, and then press Enter. Click OK.
3. In the navigation pane, double-click Adatum.com.
4. In the navigation pane, double-click the Marketing OU.
5. Locate the Adam Barr user account object. Note that the Adam Barr object is displayed because the snapshot was taken prior to deleting it.
Task 5: Unmount an Active Directory snapshot
1. In the command prompt, press Ctrl+C to stop Dsamain.exe.
2. Type the following commands, pressing Enter after each:
ntdsutil
snapshot
activate instance ntds
list all
unmount <GUID>
list all
quit
quit
Where <GUID> is the GUID of the snapshot.
Results: After completing this exercise, you will have configured AD DS snapshots.
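The snapshot workflow of Tasks 1, 3 and 5 wrapped in PowerShell functions, added here as an example that is not part of the course: ntdsutil accepts its interactive commands as quoted arguments, so each step becomes a single non-interactive call whose output is parsed for the GUID and the mount folder. The parsing assumes ntdsutil's "Snapshot set {GUID} generated successfully." and "mounted as <path>" messages; port 50000 and the ntds.dit path follow the lab.

```powershell
# Added example, not from the course: Exercise 2 driven from an elevated Windows
# PowerShell session on LON-DC1. The function names are this example's own.

function New-AdSnapshot {
    # Creates a VSS snapshot of the NTDS instance and returns its GUID, parsed from
    # ntdsutil's "Snapshot set {GUID} generated successfully." line (ASSUMED format).
    $out = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit 2>&1
    $m = [regex]::Match(($out -join "`n"), 'Snapshot set (\{[0-9a-fA-F-]+\})')
    if (-not $m.Success) { throw "ntdsutil create failed:`n$out" }
    return $m.Groups[1].Value
}

function Mount-AdSnapshot {
    # Mounts the snapshot and returns the folder it is exposed under
    # (C:\$SNAP_<datetime>_VOLUMEC$), parsed from "mounted as <path>" (ASSUMED format).
    param([Parameter(Mandatory)][string]$Guid)
    $out = & ntdsutil.exe 'activate instance ntds' snapshot "mount $Guid" quit quit 2>&1
    $m = [regex]::Match(($out -join "`n"), 'mounted as (\S+)')
    if (-not $m.Success) { throw "ntdsutil mount failed:`n$out" }
    return $m.Groups[1].Value.TrimEnd('\')
}

function Start-SnapshotLdap {
    # Serves the mounted copy over LDAP on a non-standard port. The live directory is
    # untouched; this is what lets Users and Computers browse LON-DC1:50000 in Task 4.
    param([Parameter(Mandatory)][string]$MountPath, [int]$Port = 50000)
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "ntds.dit not found under $MountPath" }
    Start-Process -FilePath 'dsamain.exe' -ArgumentList "/dbpath `"$dit`" /ldapport $Port" -PassThru
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory)][string]$Guid)
    & ntdsutil.exe 'activate instance ntds' snapshot "unmount $Guid" quit quit | Out-Null
}

# Workflow matching Tasks 1, 3 and 5. Anyone who can read the mounted copy can read
# every attribute in it, so keep the mount short-lived and the port firewalled.
$guid = New-AdSnapshot
$path = Mount-AdSnapshot -Guid $guid
$proc = Start-SnapshotLdap -MountPath $path -Port 50000
# Inspect, e.g.: Get-ADUser -Identity 'Adam Barr' -Server 'LON-DC1:50000' (or the Task 4 GUI steps), then:
Stop-Process -Id $proc.Id
Dismount-AdSnapshot -Guid $guid
```

Because the exposed copy is read-only, nothing found in it is restored automatically; the value of the snapshot is in comparing attributes (group membership, ACLs) against the live directory before deciding on an authoritative restore or a Recycle Bin restore.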
Exercise 3: Configuring the Active Directory Recycle Bin
Task 1: Enable the Active Directory Recycle Bin
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. Click Adatum (local).
3. In the Tasks pane, click Enable Recycle Bin, click OK on the warning message box, and then click OK on the refresh Active Directory Administrative Center message.
4. Press F5 to refresh Active Directory Administrative Center.
Task 2: Create and delete test users
1. In Active Directory Administrative Center, double-click the Research OU.
2. In the Tasks pane, click New, and then click User.
3. Enter the following information under Account, and then click OK:
o Full name: Test1
o User UPN logon: Test1
o Password: Pa$$w0rd
o Confirm password: Pa$$w0rd
4. Repeat the previous steps to create a second user, Test2.
5. Select both Test1 and Test2. Right-click the selection, and then click Delete.
6. Click Yes at the confirmation prompt.
Task 3: Restore the deleted users
1. In Active Directory Administrative Center, click Adatum (local), and then double-click Deleted Objects.
2. Right-click Test1, and then click Restore.
3. Right-click Test2, and then click Restore To.
4. In the Restore To window, click the IT OU, and then click OK.
5. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-SVR1.
Results: After completing this exercise, you will have configured the Active Directory Recycle Bin.
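Exercise 3 with the ActiveDirectory module, added here as an example that is not part of the course. It enables the feature, creates and deletes the two test users, finds them among the deleted objects, and restores one in place and one to the IT OU. The forest name and OU names are the lab's; the OU distinguished names and the Get-DeletedUser helper are this example's assumptions.

```powershell
# Added example, not from the course: Exercise 3 scripted on LON-DC1. Enabling the
# Recycle Bin needs Enterprise Admins; the rest needs rights on the Research and IT OUs.
Import-Module ActiveDirectory

# Task 1: forest-wide, one-way change. Before it is on, a deleted object becomes a
# tombstone stripped of most attributes; after, it keeps them for the deleted-object
# lifetime, which is what makes the restore below a clean one.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'adatum.com' -Confirm:$false

# Task 2: create and delete the test users. OU paths are ASSUMPTIONS.
$researchOu = 'OU=Research,DC=Adatum,DC=com'
$itOu       = 'OU=IT,DC=Adatum,DC=com'
$pw = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
foreach ($n in 'Test1', 'Test2') {
    New-ADUser -Name $n -SamAccountName $n -UserPrincipalName "$n@adatum.com" `
        -AccountPassword $pw -Enabled $true -Path $researchOu
}
Get-ADUser -Filter "Name -like 'Test*'" -SearchBase $researchOu | Remove-ADUser -Confirm:$false

# Task 3: deleted objects are renamed "<name>\0ADEL:<guid>" and moved under
# CN=Deleted Objects, so match on the name prefix and ask for lastKnownParent,
# which records where Restore-ADObject will put the object back by default.
function Get-DeletedUser {
    param([string]$NamePrefix)
    Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NamePrefix*'" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
}
Get-DeletedUser -NamePrefix 'Test' | Select-Object Name, lastKnownParent, whenChanged

# Restore (original container) and Restore To (different OU).
Get-DeletedUser -NamePrefix 'Test1' | Restore-ADObject
Get-DeletedUser -NamePrefix 'Test2' | Restore-ADObject -TargetPath $itOu

# Verify placement, as in the last step of Task 3.
Get-ADUser -Identity 'Test1' | Select-Object Name, DistinguishedName
Get-ADUser -Identity 'Test2' | Select-Object Name, DistinguishedName
```

The same Get-ADObject query, run without the name filter and sorted by whenChanged, is a quick way to spot a burst of unexpected deletions during an incident, since each deleted object still carries its last known parent and the time it was removed.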
Module 4: Managing User and Service Accounts
Lab: Managing User and Service Accounts
Exercise 1: Configuring Password-Policy and Account-Lockout Settings
Task 1: Configure a domain-based password policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, expand Group Policy Objects, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
4. Double-click Enforce password history.
5. In the Enforce password history Properties window, type 20 in the Keep password history for field, and then click OK.
6. Double-click Maximum password age.
7. In the Maximum password age Properties window, type 45 in the Password will expire in field, and then click OK.
8. Double-click Minimum password age.
9. In the Minimum password age Properties window, ensure that the Password can be changed after field is 1, and then click OK.
10. Double-click Minimum password length.
11. In the Minimum password length Properties window, type 10 in the Password must be at least field, and then click OK.
12. Double-click Password must meet complexity requirements.
13. In the Password must meet complexity requirements Properties window, click Enabled, and then click OK.
14. Do not close the Group Policy Management Editor.
Task 2: Configure an account-lockout policy
1. In the Group Policy Management Editor, in the navigation pane, click Account Lockout Policy.
2. Double-click Account lockout duration.
3. In the Account lockout duration Properties window, click Define this policy setting, type 30 in the minutes field, and then click OK.
4. In the Suggested Value Changes window, note the suggested values, including the automatic configuration of Account lockout threshold, and then click OK.
5. Double-click Reset account lockout counter after.
6. In the Reset account lockout counter after Properties window, type 15 in the Reset account lockout counter after field, and then click OK.
7. Close Group Policy Management Editor.
8. Close Group Policy Management.
Task 3: Configure and apply a fine-grained password policy
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the details pane, double-click the Managers OU.
4. In the details pane, right-click the Managers group, and then click Properties. In the Managers window, under Group scope, click Global, and then click OK.
Note: Ensure you open the Properties page for the Managers group, and not the Managers OU.
5. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).
6. In the details pane, double-click the System container.
7. In the details pane, right-click the Password Settings Container, click New, and then click Password Settings.
8. In the Create Password Settings window, complete the following steps:
a. Type ManagersPSO in the Name field.
b. Type 10 in the Precedence field.
c. Type 15 in the Minimum password length field.
d. Type 20 in the Number of passwords remembered field.
e. Type 30 in the Enforce maximum password age field.
f. Click Enforce account lockout policy.
g. Type 3 in the Number of failed logon attempts field.
h. Type 30 in the Reset failed logon attempts count field.
i. Click the Until an administrator manually unlocks the account option.
9. In the Directly Applies to section, click Add.
10. In the Enter the object names to select field, type Adatum\Managers, click Check Names, and then click OK.
11. In the Create Password Settings window, click OK.
12. Close Active Directory Administrative Center.
Results: After completing this exercise, you will have configured password-policy and account-lockout settings.
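The three tasks of this exercise expressed with the ActiveDirectory module, added here as an example that is not part of the course. The values are the lab's. Two things are assumptions of this example: the lockout threshold the editor suggests in Task 2 step 4 (the page does not state it; 5 is the value Windows proposes), and the attribute value used for "Until an administrator manually unlocks the account", which the cmdlets have no switch for.

```powershell
# Added example, not from the course: Module 4, Exercise 1 scripted on LON-DC1.
Import-Module ActiveDirectory

# Tasks 1 and 2: the domain password and lockout policy. Note that the Default Domain
# Policy GPO rewrites these domain-head attributes at every refresh on the PDC emulator,
# so in practice the GPO, not this cmdlet, is the source of truth; this call shows
# the same settings in a form that is easy to diff and audit.
Set-ADDefaultDomainPasswordPolicy -Identity 'adatum.com' `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutThreshold 5      # ASSUMPTION: the value the editor suggested in Task 2, step 4

# Task 3: a PSO applies only to users and global security groups, hence the scope change.
Set-ADGroup -Identity 'Managers' -GroupScope Global

# Lower precedence number wins when several PSOs match one user.
New-ADFineGrainedPasswordPolicy -Name 'ManagersPSO' -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)   # placeholder, replaced just below

# "Until an administrator manually unlocks the account": ASSUMPTION that ADAC stores
# this as the Int64 minimum sentinel in msDS-LockoutDuration (the same encoding the
# domain head uses for an indefinite lockout). Verify with the Get-ADObject call after.
Set-ADFineGrainedPasswordPolicy -Identity 'ManagersPSO' `
    -Replace @{ 'msDS-LockoutDuration' = [Int64]::MinValue }
Get-ADObject -Identity (Get-ADFineGrainedPasswordPolicy 'ManagersPSO').DistinguishedName `
    -Properties 'msDS-LockoutDuration' | Select-Object Name, 'msDS-LockoutDuration'

Add-ADFineGrainedPasswordPolicySubject -Identity 'ManagersPSO' -Subjects 'Managers'

# Check the outcome for one manager: the resultant policy should be ManagersPSO,
# not the domain defaults.
$mgr = Get-ADGroupMember -Identity 'Managers' |
       Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $mgr.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy is the check to run whenever a privileged user is moved between groups: it answers which PSO, if any, actually governs that account, which the GPO editor cannot tell you.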
Exercise 2: Creating and Associating a Managed Service Account
Task 1: Create and associate a Managed Service Account
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
2. Type the following in the Windows PowerShell® command window, and then press Enter:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
3. Type the following in the Windows PowerShell command window, and then press Enter:
New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1 -PrincipalsAllowedToRetrieveManagedPassword LON-DC1$
4. Type the following in the Windows PowerShell command window, and then press Enter:
Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice
5. Type the following in the Windows PowerShell command window, and then press Enter:
Get-ADServiceAccount -Filter *
6. Note the output of the command, ensuring that the newly created account is listed.
7. Minimize the Windows PowerShell command window.
Task 2: Install a managed service account on LON-DC1
1. On LON-DC1, type the following in the Windows PowerShell command window, and then press Enter:
Install-ADServiceAccount -Identity Webservice
2. In Server Manager, click the Tools menu, and then click Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager console, expand LON-DC1 (Adatum\Administrator), and then click Application Pools. When the Internet Information Services (IIS) Manager window appears, click No.
4. In the details pane, right-click DefaultAppPool, and then click Advanced Settings.
5. In the Advanced Settings dialog box, click Identity, and then click the ellipsis.
6. In the Application Pool Identity dialog box, click Custom Account, and then click Set.
7. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field, and then click OK three times.
8. In the Actions pane, click Stop to stop the application pool.
9. Click Start to start the application pool.
10. Close the Internet Information Services (IIS) Manager.
To prepare for the next module
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing this exercise, you will have created and associated a Managed Service Account.
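Checks to run after Exercise 2, added here as an example that is not part of the course: they confirm the KDS root key exists, show who may retrieve the Webservice password, and test from the host that the account is installed and authorized there. Account and host names are the lab's; the Test-GmsaHostBinding helper is this example's own.

```powershell
# Added example, not from the course: verifying the gMSA created in Exercise 2.
Import-Module ActiveDirectory

# A gMSA password is derived from the KDS root key, so no key means no password.
# The lab backdates EffectiveTime by 10 hours only to skip the replication wait on a
# single-DC lab; in production leave the default, which makes the key usable after
# the other DCs have had time to replicate it.
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# The secret is handed to exactly the principals listed here. A broad group in this
# attribute means any of its members' computers can obtain the service's credential.
$acct = Get-ADServiceAccount -Identity 'Webservice' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
$acct.PrincipalsAllowedToRetrieveManagedPassword

# Compare the allowed principals with the hosts that are supposed to run the service,
# and confirm from this machine that the account is installed and retrievable.
# Test-ADServiceAccount returns $true only when this computer can get the password.
function Test-GmsaHostBinding {
    param([string]$Name, [string[]]$ExpectedHosts)
    $principals = (Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
    $expected = $ExpectedHosts | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
    [pscustomobject]@{
        Account              = $Name
        InstalledOnThisHost  = Test-ADServiceAccount -Identity $Name
        UnexpectedPrincipals = @($principals | Where-Object { $expected -notcontains $_ })
    }
}
Test-GmsaHostBinding -Name 'Webservice' -ExpectedHosts 'LON-DC1'
```

An empty UnexpectedPrincipals list and InstalledOnThisHost equal to $true is the state the lab ends in: the application pool runs as Adatum\Webservice$ with a 240-character password that no administrator ever sees or types.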
Module 5: Implementing a Group Policy Infrastructure
Lab: Implementing a Group Policy Infrastructure
Exercise 1: Creating and Configuring GPOs
Task 1: Create and edit a Group Policy Object (GPO)
1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.
2. In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the Group Policy Objects container.
3. In the console tree, right-click the Group Policy Objects container, and then click New.
4. In the Name box, type ADATUM Standards, and then click OK.
5. In the details pane of the Group Policy Management console, right-click the ADATUM Standards GPO, and then click Edit.
6. In the console tree, expand User Configuration, Policies, and Administrative Templates, and then click System.
7. Double-click the Don’t run specified Windows applications policy setting.
8. In the Don’t run specified Windows applications window, click Enabled.
9. Click Show.
10. In the Show Contents dialog box, in the Value list, type notepad.exe, and then click OK.
11. In the Don’t run specified Windows applications dialog box, click OK.
12. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
13. In the details pane, click the Screen saver timeout policy setting.
14. Double-click the Screen saver timeout policy setting.
15. Click Enabled.
16. In the Seconds box, type 600, and then click OK.
17. Double-click the Password protect the screen saver policy setting.
18. Click Enabled, and click OK.
19. Close the Group Policy Management Editor.
Task 2: Link the GPO
1. In the Group Policy Management console tree, right-click the Adatum.com domain, and then click Link an Existing GPO.
2. In the Select GPO dialog box, click ADATUM Standards, and then click OK.
Task 3: View the effects of the GPO’s settings
1. Switch to LON-CL1, and sign in as Adatum\Pat with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Right-click the desktop, and then click Personalize.
4. Click Screen Saver. Notice that the Wait control is disabled—you cannot change the timeout. Notice that the On resume, display logon screen option is selected and disabled, and that you cannot disable password protection.
5. Click OK to close the Screen Saver Settings dialog box.
6. Pause the mouse pointer in the lower-right corner of the display, and then click Start.
7. Right-click the Start screen, and then click All apps.
8. In the Apps list, click Notepad. Notepad does not open.
Results: After this exercise, you should have successfully created, edited, and linked the required GPOs.
Exercise 2: Managing GPO Scope
Task 1: Create and link the required GPOs
1. On LON-DC1, switch to Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the Adatum.com domain, and then click the Research organizational unit (OU).
3. Right-click the Research OU, point to New, and then click Organizational Unit.
4. Type Engineers, and then click OK.
5. Close Active Directory® Users and Computers.
6. Switch to the Group Policy Management console.
7. In the console tree, expand Forest: Adatum.com, Domains, Adatum.com, and Research, and then click the Engineers OU.
8. Right-click the Engineers OU, and then click Create a GPO in this domain, and Link it here.
9. Type Engineering Application Override, and then click OK.
10. Right-click the Engineering Application Override GPO, and then click Edit.
11. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
12. Double-click the Screen saver timeout policy setting.
13. Click Disabled, and click OK.
14. Close the Group Policy Management Editor.
Task 2: Verify the order of precedence
1. In the Group Policy Management console tree, click the Engineers OU.
2. Click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has higher precedence than the ADATUM Standards GPO. The Screen saver timeout policy setting you just configured in the Engineering Application Override GPO is applied after the setting in the ADATUM Standards GPO. Therefore, the new setting overwrites the standards setting and wins: Screen saver timeout will be disabled for users within the scope of the Engineering Application Override GPO.
Task 3: Configure the scope of a GPO with security filtering
1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the console tree, if necessary, expand the Adatum.com domain and the Research OU, and then click the Engineers OU.
3. Right-click the Engineers OU, point to New, and then click Group.
4. Type GPO_Engineering Application Override_Apply, and then press Enter.
5. Switch to the Group Policy Management console.
6. In the console tree, if required, expand the Engineers OU, and then double-click the link of the Engineering Application Override GPO under the Engineers OU. A message appears.
7. Read the message, select the Do not show this message again check box, and then click OK. In the Security Filtering section, you will see that the GPO applies by default to all authenticated users.
8. In the Security Filtering section, click Authenticated Users.
9. Click the Remove button. A confirmation prompt appears.
10. Click OK.
11. In the details pane, click the Add button.
12. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): box, type GPO_Engineering Application Override_Apply, and then press Enter.
13. Switch to Active Directory Users and Computers.
14. In the console tree, expand the Adatum.com domain, and then click the Users folder.
15. Right-click Users, point to New, and then click Group.
16. Type GPO_ADATUM Standards_Exempt, and then press Enter.
17. Switch to the Group Policy Management console.
18. In the console tree, click the Adatum.com domain object, and then double-click the ADATUM Standards GPO. In the Security Filtering section, notice that the GPO applies by default to all authenticated users.
19. Click the Delegation tab.
20. Click the Advanced button. The ADATUM Standards Security Settings dialog box appears.
21. Click the Add button. The Select Users, Computers, Service Accounts, or Groups dialog box appears.
22. In the Enter the object names to select (examples): box, type GPO_ADATUM Standards_Exempt, and then press Enter.
23. Select the Deny check box next to Apply group policy.
24. Click OK. A warning message appears to remind you that deny permissions override allow permissions. Click Yes. Notice that the permission appears on the Delegation tab as Custom.
Task 4: Configure loopback processing
1. On LON-DC1, switch to Active Directory Users and Computers.
2. In the console, click Adatum.com.
3. Right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object – Organizational Unit dialog box, type Kiosks, and then click OK.
5. Right-click Kiosks, point to New, and then click Organizational Unit.
6. In the New Object – Organizational Unit dialog box, type Conference Rooms, and then click OK.
7. Switch to the Group Policy Management console. Refresh the console if necessary.
8. In the tree, expand the Kiosks OU, and then click the Conference Rooms OU.
9. Right-click the Conference Rooms OU, and then click Create a GPO in this domain, and Link it here.
10. In the New GPO box, in the Name box, type Conference Room Policies, and then press Enter.
11. In the console tree, expand Conference Rooms, and then click the Conference Room Policies GPO.
12. Click the Scope tab. Confirm that the GPO is scoped to apply to Authenticated Users.
13. Right-click the Conference Room Policies GPO in the console tree, and then click Edit.
14. In the Group Policy Management Editor console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.
15. Double-click the Screen saver timeout policy setting.
16. Click Enabled.
17. In the Seconds box, type 2700, and then click OK.
18. In the console tree, expand Computer Configuration, Policies, Administrative Templates, and System, and then click Group Policy.
19. Double-click the Configure user Group Policy loopback processing mode policy setting.
20. Click Enabled.
21. In the Mode drop-down list, select Merge, and then click OK.
22. Close the Group Policy Management Editor.
Results: After this exercise, you should have successfully configured the required scope of the GPOs.
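Exercises 1 and 2 as one script using the GroupPolicy and ActiveDirectory modules, added here as an example that is not part of the course. GPO, OU and group names are the lab's. The registry keys are where the Administrative Template settings used in the lab store their values; the course never names them, so that mapping, the distinguished names, and the MS16-072 note are this example's own additions.

```powershell
# Added example, not from the course: Module 5, Exercises 1 and 2 scripted on LON-DC1.
Import-Module GroupPolicy, ActiveDirectory

$DomainDn = 'DC=Adatum,DC=com'   # ASSUMPTION: DN of Adatum.com
$Desktop  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Exercise 1: ADATUM Standards, linked at the domain.
$std = New-GPO -Name 'ADATUM Standards'
# User Configuration > Administrative Templates > System > Don't run specified Windows applications
Set-GPRegistryValue -Name $std.DisplayName -Key $Explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key "$Explorer\DisallowRun" -ValueName '1' -Type String -Value 'notepad.exe' | Out-Null
# Control Panel > Personalization > Screen saver timeout (600 s) and Password protect the screen saver
Set-GPRegistryValue -Name $std.DisplayName -Key $Desktop -ValueName 'ScreenSaveTimeOut' -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key $Desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
New-GPLink -Name $std.DisplayName -Target $DomainDn | Out-Null

# Exercise 2, Task 1: override GPO linked at the new Engineers OU. "Disabled" for an
# Administrative Template setting is a delete entry in registry.pol, hence -Disable.
$engOu = "OU=Engineers,OU=Research,$DomainDn"
New-ADOrganizationalUnit -Name 'Engineers' -Path "OU=Research,$DomainDn"
$eng = New-GPO -Name 'Engineering Application Override'
Set-GPRegistryValue -Name $eng.DisplayName -Key $Desktop -ValueName 'ScreenSaveTimeOut' -Disable | Out-Null
New-GPLink -Name $eng.DisplayName -Target $engOu | Out-Null

# Task 2: the Group Policy Inheritance tab in script form. Order 1 is applied last
# and wins, which is why the OU-linked override beats the domain-linked standard.
(Get-GPInheritance -Target $engOu).InheritedGpoLinks | Select-Object Order, DisplayName, Target

# Task 3: security filtering. Swap Authenticated Users for the _Apply group.
$applyGroup = 'GPO_Engineering Application Override_Apply'
New-ADGroup -Name $applyGroup -GroupScope Global -GroupCategory Security -Path $engOu
Set-GPPermission -Name $eng.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $eng.DisplayName -TargetName $applyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Caveat beyond the lab: since MS16-072 (June 2016) user settings are read in the
# computer's security context, so a GPO with Authenticated Users removed also needs a
# Read grant for computer accounts, or it silently stops applying.
Set-GPPermission -Name $eng.DisplayName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
# The Deny "Apply group policy" ACE for the _Exempt group (steps 13 to 24) has no
# Set-GPPermission equivalent; that part stays on the Delegation tab.
New-ADGroup -Name 'GPO_ADATUM Standards_Exempt' -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDn"

# Task 4: loopback processing in Merge mode for conference-room computers.
New-ADOrganizationalUnit -Name 'Kiosks' -Path $DomainDn
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path "OU=Kiosks,$DomainDn"
$cr = New-GPO -Name 'Conference Room Policies'
Set-GPRegistryValue -Name $cr.DisplayName -Key $Desktop -ValueName 'ScreenSaveTimeOut' -Type String -Value '2700' | Out-Null
# Computer Configuration > Administrative Templates > System > Group Policy >
# Configure user Group Policy loopback processing mode: UserPolicyMode 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $cr.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $cr.DisplayName -Target "OU=Conference Rooms,OU=Kiosks,$DomainDn" | Out-Null
```

Scripting the GPOs this way also gives you something the console does not: a diffable record of every registry value each GPO writes, which is what you compare against Get-GPRegistryValue output when a setting unexpectedly changes.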
Exercise 3: Verifying GPO Application
Task 1: Perform Resultant Set of Policy (RSoP) analysis
1. Switch to LON-CL1.
2. Verify that you are logged on as Adatum\Pat. If necessary, provide the password Pa$$w0rd.
3. Pause your mouse pointer in the lower-right corner of the display, and then click Start.
4. Right-click the Start screen, and then click All apps.
5. In the Apps list, right-click Command Prompt, and then click Run as administrator.
6. In the User Account Control dialog box, in the User name box, type Administrator. In the Password box, type Pa$$w0rd. Click Y
es.
7. At the command prompt, type the following command, and then press Enter:
gpupdate.exe /force
8. Wait for the command to complete. Make a note of the current system time, which you will need to know for a task later in this lab. To record the system time, type the following command, and then press Enter twice:
time
9. Restart LON-CL1.
10. Wait for LON-CL1 to restart before proceeding with the next task. Do not sign in to LON-CL1.
11. Switch to LON-DC1.
12. Switch to the Group Policy Management console.
13. In the console tree, if required, expand Forest: Adatum.com, and then click Group Policy Results.
14. Right-click Group Policy Results, and then click Group Policy Results Wizard.
15. On the Welcome to the Group Policy Results Wizard page, click Next.
16. On the Computer Selection page, click Another computer, type LON-CL1, and then click Next.
17. On the User Selection page, click Display policy settings for, click Select a specific user, select ADATUM\Pat, and then click Next.
18. On the Summary of Selections page, review your settings, and then click Next.
19. Click Finish. The RSoP report appears in the details pane of the console.
20. Review the Group Policy Results. For both user and computer configuration, identify the time of the last policy refresh and the list of allowed and denied GPOs. Identify the components that were used to process policy settings.
21. Click the Details tab. Review the settings that were applied during user and computer policy application, and identify the GPO from which the settings were obtained.
22. Click the Policy Events tab, and then locate the event that logs the policy refresh you triggered with the GPUpdate command in Task 1.
23. Click the Summary tab, right-click the page, and then click Save Report.
24. In the navigation pane, click Desktop, and then click Save.
25. Open the saved RSoP report from the Desktop. Examine the RSoP report, and then close it.
Task 2: Analyze RSoP with GPResult
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Right-click the Start screen, and then click All apps.
3. In the Apps list, click Command Prompt.
4. At the command prompt, type the following command, and then press Enter:
gpresult /r
RSoP summary results are displayed. The information is very similar to the Summary tab of the RSoP report produced by the Group Policy Results Wizard.
5. At the command prompt, type the following command, and then press Enter:
gpresult /v
Notice that many of the Group Policy settings applied by the client are listed in this report.
6. At the command prompt, type the following command, and then press Enter:
gpresult /z
The most detailed RSoP report is produced.
7. At the command prompt, type the following command, and then press Enter:
gpresult /h:"%userprofile%\Desktop\RSOP.html"
An RSoP report is saved as an HTML file to your desktop.
8. Open the saved RSoP report from your desktop.
9. Compare the report, its information, and its formatting with the RSoP report you saved in the previous task.
Task 3: Evaluate GPO results by using the Group Policy Modeling Wizard
1. Switch to LON-DC1.
2. In the Group Policy Management console tree, expand Forest: Adatum.com, and then click Group Policy Modeling.
3. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard. The Group Policy Modeling Wizard appears.
4. Click Next.
5. On the Domain Controller Selection page, click Next.
6. On the User and Computer Selection page, in the User information section, click the User button, and then click Browse. The Select User dialog box appears.
7. Type Mike, and then press Enter.
8. In the Computer information section, click the Computer button, and then click Browse. The Select Computer dialog box appears.
9. Type LON-CL1, and then press Enter.
10. Click Next.
11. On the Advanced Simulation Options page, select the Loopback Processing check box, and then click Merge. Even though the Conference Room Policies GPO specifies loopback processing, you must instruct the Group Policy Modeling Wizard to consider loopback processing in its simulation.
12. Click Next.
13. On the Alternate Active Directory Paths page, click the Browse button next to Computer location. The Choose Computer Container dialog box appears.
14. Expand Adatum and Kiosks, and then click Conference Rooms. You are simulating the effect of LON-CL1 as a conference room computer.
15. Click OK.
16. Click Next.
17. On the User Security Groups page, click Next.
18. On the Computer Security Groups page, click Next.
19. On the WMI Filters for Users page, click Next.
20. On the WMI Filters for Computers page, click Next.
21. Review your settings on the Summary of Selections page, and then click Next.
22. Click Finish.
23. On the Details tab, scroll to and expand, if necessary, User Details, Group Policy Objects, and Applied GPOs.
24. Verify that the Conference Room Policies GPO applies to Mike as a user policy when he logs on to LON-CL1, if LON-CL1 is in the Conference Rooms OU.
25. Scroll to, and expand if necessary, User Details, Policies, Administrative Templates, and Control Panel/Personalization.
26. Confirm that the screen saver timeout is 2,700 seconds (45 minutes), the setting configured by the Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM Standards GPO.
Task 4: Review policy events and determine GPO infrastructure status
1. Switch to LON-CL1.
2. Pause your mouse pointer in the lower-right corner of the display, click Settings, and then click Control Panel.
3. Click System and Security.
4. Click Administrative Tools.
5. Double-click Event Viewer.
6. In the console tree, expand Windows Logs, and then click the System log.
7. Sort the System log by Source.
8. Locate events with Group Policy as the Source. You can also click the Filter Current Log link in the Actions pane, and then select Group Policy in the Event Sources drop-down list.
9. Review the information associated with Group Policy events.
10. In the console tree, click the Application log.
11. Sort the Application log by the Source column.
12. Review the events and identify the Group Policy events that have been entered in this log. Which events are related to Group Policy application, and which are related to the activities you have been performing to manage Group Policy? Note that depending on how long the virtual machine has been running, you may not have any Group Policy events in the Application log.
13. In the console tree, expand Applications and Services Logs, Microsoft, Windows, and Group Policy, and then click Operational.
14. Locate the first event related to the Group Policy refresh you initiated in Exercise 1 with the GPUpdate command. Review that event and the events that followed it.
Results: After this exercise, you should have successfully used RSoP tools to verify the correct application
of your GPOs.
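The same review can be scripted so that it is repeatable after every change. The following added example (not from the handbook) pulls the most recent refresh out of the Group Policy Operational log, correlates every event that belongs to it through the shared ActivityId (the property Event Viewer shows under Correlation), counts errors and warnings, and lists the Group Policy entries in the System log the way the Filter Current Log step does. The event ID ranges used are the provider's own convention: 4000 to 4007 mark the start of processing (4004 and 4005 are the manual refresh triggered by gpupdate, for the computer and the user respectively), 5xxx are successes, 6xxx warnings, 7xxx errors, and 8000 to 8007 mark completion.

```powershell
# Added example (not from the handbook): trace one Group Policy refresh and
# list Group Policy events in the System log, as in Task 4.
function Get-GpRefreshTrace {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $log = 'Microsoft-Windows-GroupPolicy/Operational'
    # Newest start-of-processing event. Even IDs are computer, odd are user.
    $start = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = $log; Id = 4000..4007 }
    if (-not $start) { return }
    # Everything from that start onward that carries the same ActivityId
    # belongs to the same refresh cycle.
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                  -FilterHashtable @{ LogName = $log; StartTime = $start.TimeCreated } |
              Where-Object { $_.ActivityId -eq $start.ActivityId } |
              Sort-Object TimeCreated
    $end = $events | Where-Object { $_.Id -ge 8000 -and $_.Id -le 8007 } | Select-Object -Last 1
    [pscustomobject]@{
        Started    = $start.TimeCreated
        StartEvent = $start.Id
        Summary    = $start.Message.Split("`n")[0].Trim()
        Completed  = $(if ($end) { $end.TimeCreated } else { $null })
        Errors     = @($events | Where-Object Level -eq 2).Count
        Warnings   = @($events | Where-Object Level -eq 3).Count
        Events     = $events | Select-Object TimeCreated, Id, LevelDisplayName,
                        @{ n = 'Message'; e = { $_.Message.Split("`n")[0].Trim() } }
    }
}

function Get-GpSystemLogEvents {
    # Equivalent of "Filter Current Log ... Event sources: Group Policy" (step 8).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Max = 25)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $Max -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0].Trim() } }
}

$trace = Get-GpRefreshTrace
$trace | Select-Object Started, StartEvent, Summary, Completed, Errors, Warnings
$trace.Events | Format-Table -AutoSize
Get-GpSystemLogEvents | Format-Table -AutoSize
```

A refresh that has a start event but no matching 8xxx completion, or one whose Errors count is not zero, is the case to investigate; the 7xxx event's message names the client-side extension or the GPO that failed.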
Exercise 4: Managing GPOs
Task 1: Perform a backup of GPOs
1. Switch to LON-DC1.
2. Switch to the Group Policy Management console, and then click the Group Policy Objects node.
3. In the details pane, right-click ADATUM Standards, and then click Back Up.
4. In the Back Up Group Policy Object dialog box, in the Location box, type C:\.
5. Click Back Up.
6. In the Backup dialog box, click OK .
Task 2: Perform a restore of GPOs
1. In the Group Policy Management console, right-click ADATUM Standards, and then click Restore
from Backup.
2. In the Restore Group Policy Object Wizard dialog box, click Next.
3. On the Backup Location page, click Next.
4. On the Source GPO page, click Next.
5. On the Completing the Restore Group Policy Object Wizard page, click Finish.
6. In the Restore dialog box, click OK.
7. Close all open windows.
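Tasks 1 and 2 map directly onto the GroupPolicy module. The following added example (not from the handbook) does the same backup and restore from PowerShell, with two things the wizard does not make you think about: the backup folder is locked down first, because a GPO backup carries the GPO's whole SYSVOL payload (logon scripts, preference XML), and the restore is pinned to a specific backup ID, because with several backups of the same GPO in one folder Restore-GPO by name silently takes the most recent one. The folder name C:\GPOBackups is an assumption in place of the lab's C:\.

```powershell
# Added example (not from the handbook): back up, record and restore a GPO.
Import-Module GroupPolicy

function Protect-GpoBackupFolder {
    # Backups contain SYSVOL content; do not leave them readable by 'Users',
    # which a folder under C:\ inherits by default.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Backup-GpoWithRecord {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    $gpo = Get-GPO -Name $Name
    # Put the AD version numbers in the comment so a backup can be matched
    # to the state it captured.
    $comment = '{0} user v{1} computer v{2} {3:u}' -f $Name, $gpo.User.DSVersion, $gpo.Computer.DSVersion, (Get-Date)
    $b = Backup-GPO -Guid $gpo.Id -Path $Path -Comment $comment
    [pscustomobject]@{ Gpo = $Name; BackupId = $b.Id; When = $b.CreationTime; Comment = $b.Comment }
}

function Restore-GpoFromRecord {
    # -BackupId identifies both the GPO and the exact backup to restore.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][guid]$BackupId)
    Restore-GPO -Path $Path -BackupId $BackupId |
        Select-Object DisplayName, ModificationTime,
            @{ n = 'UserVersion';     e = { $_.User.DSVersion } },
            @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } }
}

$dir = 'C:\GPOBackups'                      # assumed path
Protect-GpoBackupFolder -Path $dir
$rec = Backup-GpoWithRecord -Name 'ADATUM Standards' -Path $dir
# A readable settings report next to the backup makes later diffs easy.
Get-GPOReport -Name 'ADATUM Standards' -ReportType Html -Path "$dir\ADATUM-Standards-$($rec.BackupId).html"
$rec
Restore-GpoFromRecord -Path $dir -BackupId $rec.BackupId
```

Restore-GPO puts back the GPO's settings, security filtering and WMI filter link; it does not recreate links to OUs, so after restoring a GPO that had been deleted, re-link it with New-GPLink.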
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state.
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20411B-LON-CL1.
Results: After this exercise, you should have successfully performed common management tasks on your
GPOs.
Module 6: Managing User Desktops with Group Policy
Lab: Managing User Desktops with Group Policy
Exercise 1: Implementing Settings by Using Group Policy Preferences
Task 1: Create the required logon script
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the taskbar, click File Explorer.
3. In the navigation pane, click Computer.
4. In the details pane, double-click Local Disk (C:) , and then on the Home tab, click New folder.
5. Name the new folder Branch1.
6. Right-click the Branch1 folder, click Share with, and then click Specific people.
7. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
8. For the Everyone group, click the Permission Level drop-down arrow, and then select Read/Write.
9. Click Share and then click Done.
10. Close the Local Disk (C:) window.
11. Pause your mouse pointer in the lower right of the display, and then click Start.
12. Type Notepad and then press Enter.
13. In Notepad, type Net use S: \\LON-DC1\Branch1.
14. Click the File menu, and then click Save.
15. In the Save As dialog box, in the File name box, type BranchScript.bat.
16. In the Save as type list, select All Files (*.*).
17. In the navigation pane, click Desktop, and then click Save.
18. Close Notepad.
19. On the desktop, right-click the BranchScript.bat file, and then click Copy. You will paste the file into
the appropriate folder later in the lab.
Task 2: Create a new GPO, and link it to the Branch Office 1 organization unit (OU)
1. On LON-DC1, pause your mouse pointer in the lower right of the display, and then click Start.
2. Click Administrative Tools.
3. In Administrative Tools, double-click Active Directory Users and Computers.
4. In Active Directory Users and Computers, click Adatum.com.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and
then click OK .
7. In the navigation pane, click IT.
8. In the details pane, right-click Holly Dickson, and then click Move.
9. In the Move dialog box, click Branch Office 1, and then click OK .
10. In the navigation pane, click Computers.
11. In the details pane, right-click LON-CL1, and then click Move.
12. In the Move dialog box, click Branch Office 1, and then click OK .
13. Pause your mouse pointer in the lower right of the display, and then click Start.
14. Click Administrative Tools, and then double-click Group Policy Management.
15. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
16. Right-click Branch Office 1 and then click Create a GPO in this domain and link it here.
17. In the New GPO dialog box, in the Name box, type Branch1, and then click OK .
18. In the navigation pane, click Group Policy Objects.
19. Right-click the Branch1 GPO and then click Edit.
20. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
21. In the details pane, double-click Logon.
22. In the Logon Properties dialog box, click Show Files.
23. In the details pane, right-click a blank area, and then click Paste.
24. Close the Logon window.
25. In the Logon Properties dialog box, click Add.
26. In the Add a Script dialog box, click Browse.
27. Click the BranchScript.bat script, and then click Open.
28. Click OK twice to close all dialog boxes.
29. Close the Group Policy Management Editor.
Task 3: Edit the Default Domain Policy with the required Group Policy preferences
1. In Group Policy Management, click the Group Policy Objects folder, in the details pane, right-click
the Default Domain Policy, and then click Edit.
2. Expand User Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts,
point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, in the Action list, click Create.
4. In the Name box, type Notepad.
5. In the Location box, click the arrow, and then select Desktop.
6. In the Target path box, type C:\Windows\Notepad.exe.
7. On the Common tab, select the Item-level targeting check box, and then click Targeting.
8. In the Targeting Editor dialog box, click New Item, and then click Security Group.
9. In the lower part of the dialog box, click the ellipsis button.
10. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT,
and then click OK .
11. Click OK twice.
12. Close all open windows.
Task 4: Test the preferences
1. Switch to LON-CL1.
2. Pause your mouse pointer in the lower right of the display, and then click Settings.
3. Click Power, and then click Restart.
4. When the computer has restarted, sign in as Adatum\Administrator with the password Pa$$w0rd.
5. From Start, type cmd.exe, and then press Enter.
6. At the command prompt, type the following command, and then press Enter:
gpupdate /force
7. Sign out of LON-CL1.
8. Sign in as Adatum\Holly with the password Pa$$w0rd.
9. Click Desktop, and on the taskbar, click File Explorer.
10. Examine the navigation pane, and verify that you have a drive mapped to \\lon-dc1\Branch1.
11. Verify that the notepad shortcut is on Holly’s desktop.
12. If the shortcut does not appear, repeat steps 4 through 8.
13. Sign out LON-CL1.
Results: After this exercise, you should have created the required scripts and preference settings
successfully, and then assigned them by using GPOs.
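Tasks 1 and 2 can be reproduced from PowerShell, and doing so is a good place to add the check the lab skips. The following is an added example, not code from the handbook: it creates the share, creates and links the Branch1 GPO, copies the script into the folder that the Show Files button in step 22 opens (the GPO's own tree under SYSVOL), and then audits who can write to the script files there. A logon script runs in the security context of every user the GPO applies to, so any write access on it for non-administrators turns the GPO into a way to run code as those users. Assumptions: 'Adatum\Domain Users' stands in for the lab's Everyone: Read/Write share permission, and the DN of the Branch Office 1 OU is inferred from the lab. Adding the script entry to the Logon policy (steps 25 to 28) is still done in the editor.

```powershell
# Added example (not from the handbook): share, GPO and link, script drop,
# and an ACL audit of the logon script folder.
Import-Module GroupPolicy, SmbShare

function New-BranchShare {
    param([string]$Path = 'C:\Branch1', [string]$ShareName = 'Branch1',
          [string]$UsersGroup = 'Adatum\Domain Users')   # assumed stand-in for Everyone
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $UsersGroup -FullAccess 'Adatum\Domain Admins'
}

function New-BranchLogonScriptGpo {
    param([string]$GpoName = 'Branch1',
          [string]$OuDn = 'OU=Branch Office 1,DC=Adatum,DC=com',          # assumed DN
          [string]$ScriptSource = "$env:USERPROFILE\Desktop\BranchScript.bat")
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Guid $gpo.Id -Target $OuDn -LinkEnabled Yes | Out-Null
    # Step 23: the GPO's SYSVOL folder for user logon scripts.
    $d    = $gpo.DomainName
    $dest = "\\$d\SYSVOL\$d\Policies\{$($gpo.Id)}\User\Scripts\Logon"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $ScriptSource -Destination $dest
    $dest
}

function Test-LogonScriptWriters {
    # Reports any identity outside the administrative set that holds
    # Write, Modify or FullControl on a script in the folder.
    param([Parameter(Mandatory)][string]$ScriptDir)
    $writeMask       = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $trusted         = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
    $trustedPatterns = '*\Domain Admins', '*\Enterprise Admins', '*\Group Policy Creator Owners'
    Get-ChildItem -Path $ScriptDir -File | ForEach-Object {
        $writers = (Get-Acl -Path $_.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]($_.FileSystemRights -band $writeMask) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Where-Object {
                $id = $_
                ($trusted -notcontains $id) -and -not ($trustedPatterns | Where-Object { $id -like $_ })
            }
        [pscustomobject]@{ Script = $_.Name; UnexpectedWriters = ($writers -join '; ') }
    }
}

New-BranchShare
$scriptDir = New-BranchLogonScriptGpo
Test-LogonScriptWriters -ScriptDir $scriptDir | Format-Table -AutoSize
```

An empty UnexpectedWriters column is the expected result on a default SYSVOL, where Authenticated Users have Read and Execute only; anything else listed there should be removed before the script is referenced from the Logon policy.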
Exercise 2: Configuring Folder Redirection
Task 1: Create a shared folder to store the redirected folders
1. On LON-DC1, on the taskbar, click File Explorer.
2. In the navigation pane, click Computer.
3. In the details pane, double-click Local Disk (C:) , and then on the Home tab, click New folder.
4. Name the new folder Branch1Redirect.
5. Right-click the Branch1Redirect folder, click Share with, and then click Specific people.
6. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.
7. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.
8. Click Share, and then click Done.
9. Close the Local Disk (C:) window.
Task 2: Create a new GPO and link it to the branch office OU
1. On LON-DC1, from Server Manager, click Tools and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand
Adatum.com.
3. Right-click Branch Office 1, and then click Create a GPO in this domain and Link it here.
4. In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK.
Task 3: Edit the folder redirection settings in the policy
1. Expand Branch Office 1, right-click Folder Redirection, and then click Edit.
2. In the Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection.
3. Right-click Documents, and then click Properties.
4. In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down
arrow, and then select Basic – Redirect everyone’s folder to the same location.
5. Ensure the Target folder location box is set to Create a folder for each user under the root path.
6. In the Root Path box, type \\LON-DC1\Branch1Redirect, and then click OK .
7. In the Warning dialog box, click Yes.
8. Close all open windows on LON-DC1.
Task 4: Test the folder redirection settings
1. Switch to LON-CL1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. From Start, type cmd.exe, and then press Enter.
4. At the command prompt, type the following command, and then press Enter:
gpupdate /force
5. Sign out, and then sign in as Adatum\Holly with the password Pa$$w0rd.
6. From Start, click Desktop.
7. Right-click the desktop, and then click Personalize.
8. In the navigation pane, click Change desktop icons.
9. In Desktop Icon Settings, select the User’s Files check box, and then click OK .
10. On the desktop, double-click Holly Dickson.
11. Right-click My Documents, and then click Properties.
12. In the My Document Properties dialog box, note that the location of the folder is now the network
share in a subfolder named for the user.
13. If the folder redirection is not evident, sign out, and then sign in as Adatum\Holly with the password Pa$$w0rd. Repeat steps 10 through 12.
14. Sign out of LON-CL1.
Results: After this exercise, you should have successfully configured folder redirection to a shared folder on the LON-DC1 server.
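In the lab the redirection root is shared to Everyone with Read/Write, which is enough to make the exercise work but lets every user see every other user's top-level folder. The following added example (not from the handbook) creates the root the way a production deployment does, with the NTFS rights from Microsoft's folder redirection deployment guidance: users may list the root and create a folder in it, nothing more; the user who creates a folder becomes its owner and gets full control of it through CREATOR OWNER; SYSTEM and Administrators keep full control of the tree. It also replaces the GUI steps 6 to 12 of Task 4 with a check that runs as the redirected user. 'Adatum\Domain Users' is assumed as the group of redirected users in place of Everyone.

```powershell
# Added example (not from the handbook): redirection root with restrictive
# NTFS rights, the share on top of it, and two verification helpers.
Import-Module SmbShare

function New-RedirectionRoot {
    param([string]$Path = 'C:\Branch1Redirect', [string]$ShareName = 'Branch1Redirect',
          [string]$UsersGroup = 'Adatum\Domain Users')   # assumed stand-in for Everyone
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from C:\
    $rules = @(
        # identity, rights, inheritance, propagation
        @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
        @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
        @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly'),
        # List folder / read data and Create folders / append data, this folder only
        @($UsersGroup, 'ReadData,AppendData,ReadAttributes', 'None', 'None')
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $r[2], $r[3], 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
    # Share permissions can be wide; NTFS is what restricts access.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $UsersGroup -CachingMode Documents
}

function Get-RedirectedUserFolders {
    # On LON-DC1 after users have logged on: one folder per user, owned by
    # that user. With "Grant the user exclusive rights" (the default on the
    # Settings tab) administrators cannot read inside, so Get-Acl may fail.
    param([string]$Path = 'C:\Branch1Redirect')
    Get-ChildItem -Path $Path -Directory | ForEach-Object {
        $owner = try { (Get-Acl -Path $_.FullName).Owner } catch { 'access denied (exclusive rights)' }
        [pscustomobject]@{ Folder = $_.Name; Owner = $owner; Created = $_.CreationTime }
    }
}

function Test-DocumentsRedirected {
    # On LON-CL1, run as the redirected user (Holly): the shell's Documents
    # path must now be under the UNC root, which is what step 12 shows.
    param([string]$ExpectedRoot = '\\LON-DC1\Branch1Redirect')
    $docs = [Environment]::GetFolderPath('MyDocuments')
    [pscustomobject]@{
        Documents  = $docs
        Redirected = $docs.StartsWith($ExpectedRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# On LON-DC1:
New-RedirectionRoot
Get-RedirectedUserFolders | Format-Table -AutoSize
```

With these rights a user can still enumerate folder names at the root (that is the List folder right), but cannot open another user's folder; if even the names are sensitive, remove ReadData from the users' entry and let the redirection client create the folder through AppendData alone.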
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-CL1.
Module 7: Configuring and Troubleshooting Remote Access
Lab A: Configuring Remote Access
Exercise 1: Configuring a Virtual Private Network Server
Task 1: Configure server and client certificates
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. In Server Manager, click Tools, and then click Certification Authority.
4. In the certsrv management console, expand Adatum-LON-DC1-CA, right-click Certificate
Templates, and then click Manage.
5. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
6. In the Computer Properties dialog box, click the Security tab, and then click Authenticated Users.
7. In Permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.
8. Close the Certificate Templates Console.
9. In certsrv – [Certification Authority (Local)], right-click Adatum-LON-DC1-CA, point to All Tasks
and then click Stop Service.
10. Right-click Adatum-LON-DC1-CA, point to All Tasks and then click Start Service.
11. Close the certsrv management console.
12. In Server Manager, click Tools, and then click Group Policy Management.
13. In the Group Policy Management list pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
14. In the list pane, under Adatum.com, right-click Default Domain Policy, and then click Edit.
15. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
16. In the navigation pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
17. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.
18. On the Certificate Template page, accept the default setting of Computer, and then click Next.
19. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.
22. Switch to the LON-RTR computer, and sign in as Adatum\Administrator with the password
Pa$$w0rd.
23. Pause your mouse pointer in the lower left of the taskbar and then click Start.
24. Type mmc.exe, and then press Enter.
25. On the File menu, click Add/Remove Snap-in.
26. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account,
click Next, and then click Finish.
27. In the Add or Remove Snap-ins dialog box, click OK .
28. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click
Request New Certificate.
29. In the Certificate Enrollment dialog box, click Next.
30. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and
then click Next.
31. Select the Computer check box, and then click Enroll.
32. Verify that the status of the certificate installation is Succeeded, and then click Finish.
33. Close the Console1 window.
34. When prompted to save console settings, click No.
35. Switch to LON-CL2, and sign in as Adatum\Administrator with the password Pa$$w0rd.
36. In Start, type cmd.exe, and then press Enter.
37. At the command prompt, type gpupdate /force, and then press Enter.
38. Close the command prompt.
39. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
40. In Start, type mmc, and then press Enter.
41. On the File menu, click Add/Remove Snap-in.
42. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, and then click Finish.
43. In the Add or Remove Snap-ins dialog box, click OK.
44. In the console tree, expand Certificates, and then expand Personal.
45. Verify that a certificate exists for LON-CL2 that has been issued by Adatum-LON-DC1-CA.
46. Close the Console1 window.
47. When prompted to save console settings, click No.
Task 2: Configure the Remote Access role
1. Switch to LON-RTR.
2. If necessary, on the taskbar, click Server Manager.
3. In the Details pane, click Add roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select the Network Policy and Access Services check box.
8. Click Add Features, and then click Next twice.
9. On the Network Policy and Access Services page, click Next.
10. On the Select role services page, verify that the Network Policy Server check box is selected, and
then click Next.
11. On the Confirm installation selections page, click Install.
12. Verify that the installation was successful, and then click Close.
13. In Server Manager, click Tools, and then click Network Policy Server.
14. In Network Policy Server, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.
15. In the Network Policy Server message box, click OK.
16. In the subsequent Network Policy Server dialog box, click OK.
17. Leave the Network Policy Server console window open.
18. In Server Manager, click Tools, and then click Routing and Remote Access. In the Enable DirectAccess Wizard, click Cancel, and then click OK.
19. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
20. In the dialog box, click Yes.
21. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
22. Click Next, select Remote access (dial-up or VPN), and then click Next.
23. Select the VPN check box, and then click Next.
24. Click the Local Area Connection 2 network interface. Clear the Enable security on the selected
interface by setting up static packet filters check box, and then click Next.
25. On the IP Address Assignment page, click From a specified range of addresses, and then click Next.
26. On the Address Range Assignment page, click New. In the Start IP address text box, type 172.16.0.100, in the End IP address text box, type 172.16.0.110, and then click OK.
27. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
28. On the Managing Multiple Remote Access Servers page, click Next.
29. Click Finish.
30. In the Routing and Remote Access dialog box, click OK .
31. If prompted, click OK again.
Task 3: Create a network policy for virtual private network (VPN) clients
1. On LON-RTR, switch to Network Policy Server.
2. In Network Policy Server, expand Policies, and then click Network Policies.
3. In the details pane, right-click the policy at the top of the list, and then click Disable.
4. In the details pane, right-click the policy at the bottom of the list, and then click Disable.
5. In the navigation pane, right-click Network Policies, and then click New.
6. In the New Network Policy Wizard, in the Policy name text box, type IT Pilot VPN Policy.
7. In the Type of network access server list, click Remote Access Server(VPN-Dial up), and then click
Next.
8. On the Specify Conditions page, click Add.
9. In the Select condition dialog box, click Windows Groups, and then click Add.
10. In the Windows Groups dialog box, click Add Groups.
11. In the Select Group dialog box, in the Enter the object name to select (examples) text box, type IT, and then click OK.
12. Click OK again, click Next, and on the Specify Access Permission page, click Access granted, and then click Next.
13. On the Configure Authentication Methods page, clear the Microsoft Encrypted Authentication (MS-CHAP) check box, and then click Next.
14. On the Configure Constraints page, click Day and time restrictions.
15. Select the Allow access only on these days and at these times check box, and then click Edit.
16. In the Day and time restrictions dialog box, click Sunday, and then click Denied.
17. Click Saturday, click Denied, and then click OK .
18. Click Next.
19. On the Configure Settings page, click Next.
20. On the Completing New Network Policy page, click Finish.
Results: After this exercise, you should have successfully deployed a VPN server, and configured access for
members of the IT global security group.
Exercise 2: Configuring VPN Clients
Task 1: Configure and distribute a Connection Manager Administration Kit profile
1. Switch to LON-CL2.
2. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
3. On the Start screen, type Control, and then in the Apps list, click Control Panel.
4. Click Programs, and in Programs, click Turn Windows features on or off .
5. In Windows Features, select the RAS Connection Manager Administration Kit (CMAK) check box, and then click OK.
6. Click Close.
7. In Control Panel, click Control Panel Home.
8. In the View by list, click Large icons.
9. Click Administrative Tools, and then double-click Connection Manager Administration Kit.
10. In the Connection Manager Administration Kit Wizard, click Next.
11. On the Select the Target Operating System page, click Windows Vista or above, and then click
Next.
12. On the Create or Modify a Connection Manager profile page, click New profile, and then click
Next.
13. On the Specify the Service Name and the File Name page, in the Service name text box, type
Adatum Pilot VPN, in the File name text box, type Adatum, and then click Next.
14. On the Specify a Realm Name page, click Do not add a realm name to the user name, and then
click Next.
15. On the Merge Information from Other Profiles page, click Next.
16. On the Add Support for VPN Connections page, select the Phone book from this profile check
box.
17. In the VPN server name or IP address text box, type 10.10.0.1, and then click Next.
18. On the Create or Modify a VPN Entry page, click Edit.
19. In the Edit VPN Entry dialog box, click the Security tab.
20. In the VPN strategy list, click Only use Layer Two Tunneling Protocol (L2TP), and then click OK .
21. Click Next.
22. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box, and then click Next.
23. On the Configure Dial-up Networking Entries page, click Next.
24. On the Specify Routing Table Updates page, click Next.
25. On the Configure Proxy Settings for Internet Explorer page, click Next.
26. On the Add Custom Actions page, click Next.
27. On the Display a Custom Logon Bitmap page, click Next.
28. On the Display a Custom Phone Book Bitmap page, click Next.
29. On the Display Custom Icons page, click Next.
30. On the Include a Custom Help File page, click Next.
31. On the Display Custom Support Information page, click Next.
32. On the Display a Custom License Agreement page, click Next.
33. On the Install Additional Files with the Connection Manager profile page, click Next.
34. On the Build the Connection Manager Profile and Its Installation Program page, click Next.
35. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.
36. On the taskbar, click the File Explorer icon.
37. In the File Explorer address box, type C:\Program Files\CMAK\Profiles\Windows Vista and above\Adatum, and then press Enter.
38. Double-click Adatum.exe.
39. In the Adatum Pilot VPN dialog box, click Yes.
40. In the second Adatum Pilot VPN dialog box, click All users, and then click OK .
41. In the Adatum Pilot VPN dialog box, click Cancel.
Task 2: Verify client access
1. Sign out of LON-CL2.
2. Sign in as Adatum\April with the password Pa$$w0rd.
3. On the Start screen, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Internet.
5. In the Network and Internet window, click Network and Sharing Center.
6. In the Network and Sharing Center, click Change adapter settings.
7. In the Network Connections window, right-click the Adatum Pilot VPN connection, and then click
Connect/Disconnect.
8. In the Networks list on the right, click Adatum Pilot VPN, and then click Connect.
9. In Adatum Pilot VPN, in the User name text box, type Adatum\April.
10. In the Password text box, type Pa$$w0rd.
11. Select the Save password check box, and then click Connect.
12. Wait for the VPN connection to be made.
13. Close all open windows.
To prepare for the next lab
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Results: After this exercise, you should have successfully distributed a CMAK profile, and tested VPN
access.
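The CMAK profile fixes the client's VPN strategy to L2TP and leaves the rest to defaults; the NPS policy on the server side drops MS-CHAP v1 and keeps MS-CHAP v2. The following added example (not from the handbook) creates the equivalent connection with the VpnClient module that ships with Windows 8 and Windows Server 2012, pinning the three settings that matter at the client (tunnel type, user authentication protocol, mandatory encryption), and then audits every connection on the machine for the settings a reviewer would object to: PPTP, PAP or CHAP, optional encryption, and a cached credential, which is what the Save password box in Task 2 step 11 creates. The connection name and server address are the lab's.

```powershell
# Added example (not from the handbook): create the pilot VPN connection
# with explicit security settings and audit existing connections.

function New-AdatumPilotVpn {
    param([string]$Name = 'Adatum Pilot VPN', [string]$Server = '10.10.0.1')
    # L2TP only (the CMAK VPN strategy in step 20), MS-CHAP v2 for the user,
    # encryption required. The IPsec leg of L2TP uses the computer certificate
    # enrolled in Exercise 1 unless a pre-shared key is configured.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -AllUserConnection -PassThru
}

function Test-VpnConnectionHardening {
    # Per-user connections by default; -AllUsers covers the "All users"
    # choice made when the CMAK profile was installed (step 40).
    param([switch]$AllUsers)
    $conns = if ($AllUsers) { Get-VpnConnection -AllUserConnection } else { Get-VpnConnection }
    foreach ($c in $conns) {
        $findings = @()
        if ($c.TunnelType -eq 'Pptp')                          { $findings += 'PPTP tunnel' }
        if (@($c.AuthenticationMethod) -contains 'Pap')        { $findings += 'PAP allowed' }
        if (@($c.AuthenticationMethod) -contains 'Chap')       { $findings += 'CHAP allowed' }
        if ($c.EncryptionLevel -in 'NoEncryption', 'Optional') { $findings += "encryption $($c.EncryptionLevel)" }
        if ($c.RememberCredential)                             { $findings += 'credential cached' }
        [pscustomobject]@{
            Name     = $c.Name
            Server   = $c.ServerAddress
            Tunnel   = $c.TunnelType
            Auth     = (@($c.AuthenticationMethod) -join ',')
            Findings = $(if ($findings) { $findings -join '; ' } else { 'ok' })
        }
    }
}

New-AdatumPilotVpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
Test-VpnConnectionHardening -AllUsers | Format-Table -AutoSize
```

Client and server settings have to agree: with MS-CHAP v1 cleared in the NPS policy (Exercise 1, Task 3, step 13) a connection that offers only Pap or Chap is refused, and a connection created with EncryptionLevel Optional would fall back to an unencrypted PPP session if the server allowed it, which is the reason to set Required on the client as well.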
Lab B: Configuring DirectAccess
Exercise 1: Configuring the DirectAccess Infrastructure
Task 1: Configure Active Directory® Domain Services (AD DS) and Domain Name System (DNS)
1. Create a security group for Windows® DirectAccess client computers by performing the following steps:
a. Switch to LON-DC1.
b. Sign in as Adatum\Administrator with the password Pa$$w0rd.
c. In Server Manager, click Tools, and then click Active Directory Users and Computers.
d. In the Active Directory Users and Computers console, right-click Adatum.com, click New, and then click Organizational Unit.
e. In the New Object – Organizational Unit window, in the Name text box, type DA_Clients OU,
and then click OK .
f. In the Active Directory Users and Computers console, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
g. In the New Object - Group dialog box, under Group name, type DA_Clients.
h. Under Group scope, click Global, under Group type, click Security, and then click OK .
i. In the details pane, double-click DA_Clients.
j. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
k. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click
Object Types, select the Computers check box, and then click OK .
l. Under Enter the object names to select (examples), type LON-CL1, and then click OK.
m. Verify that LON-CL1 displays below Members, and then click OK.
n. Close the Active Directory Users and Computers console.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
Note: It is important to configure firewall rules for ICMPv6 traffic to enable subsequent
testing of DirectAccess in the lab environment.
a. In Server Manager, click Tools, and then click Group Policy Management.
b. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, and
then expand Adatum.com.
c. Under Adatum.com, right-click Default Domain Policy, and then click Edit.
d. In the Group Policy Management Editor, navigate to Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with
Advanced Security, and then click Windows Firewall with Advanced Security.
e. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules,
and then click New Rule.
f. On the Rule Type page, click Custom, and then click Next.
g. On the Program page, click Next.
h. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click
Customize.
i. In the Customize ICMP Settings dialog box, click Specific ICMP types, click Echo Request, and
then click OK .
j. Click Next.
k. On the Scope page, click Next.
l. On the Action page, click Next.
m. On the Profile page, click Next.
n. On the Name page, in the Name text box, type Inbound ICMPv6 Echo Requests, and then
click Finish.
o. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click
New Rule.
p. On the Rule Type page, click Custom, and then click Next.
q. On the Program page, click Next.
r. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.
s. In the Customize ICMP Settings dialog box, click Specific ICMP types, click Echo Request, and
then click OK .
t. Click Next.
u. On the Scope page, click Next.
v. On the Action page, click Allow the connection, and then click Next.
w. On the Profile page, click Next.
x. On the Name page, in the Name text box, type Outbound ICMPv6 Echo Requests, and then click Finish.
y. Close the Group Policy Management Editor and the Group Policy Management Console.
3. Create required DNS records by performing the following steps:
a. In Server Manager, click Tools, and then click DNS.
b. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click
Adatum.com.
c. Right-click Adatum.com, and then click New Host (A or AAAA).
d. In the Name text box, type nls. In the IP address text box, type 172.16.0.21, click Add Host,
and then click OK .
e. In the New Host dialog box, in the Name text box, type CRL. In the IP address text box, type
172.16.0.1, and then click Add Host.
f. In the DNS dialog box informing you that the record was created, click OK .
g. In the New Host dialog box, click Done.
h. Close the DNS Manager console.
4. Remove ISATAP from the DNS global query block list by performing the following steps:
a. Move the mouse pointer to the lower-right corner, select search on the right menu, and then
type cmd.exe. Press Enter.
b. In the command prompt window, type the following command, and then press Enter:
dnscmd /config /globalqueryblocklist wpad
c. Ensure that the Command completed successfully message displays.
d. Close the Command Prompt window.
5. Configure the DNS suffix on LON-RTR by performing the following steps:
a. Switch to LON-RTR.
b. Move the mouse to the lower right corner of the screen, click Settings, click Control Panel, and
then click View network status and tasks.
c. In the Network and Sharing Center window, click Change adapter settings.
d. In the Network Connections window, right-click Local Area Connection, and then click Properties.
e. In the Local Area Network Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).
f.
In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.
g. On the DNS tab, in the DNS suffix for this connection text box, type Adatum.com, and then
click OK .
h. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK .
i. In the Local Area Connection Properties dialog box, click OK .
6.
Configure the Local Area Connection 2 properties on LON-RTR:
a.
In the Network Connection window, right-click Local Area Connection 2, and then click
Properties.
b.
In the Local Area Network 2 Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).
c. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, in the IP address text box, type
131.107.0.2 and in the Subnet mask text box, type 255.255.0.0.
d. Click OK , and then click OK again.
e.
Close Network Connections.
Task 2: Configure certificates
1. To configure the certificate revocation list (CRL) distribution settings, perform the following steps:
a. On LON-DC1, in Server Manager, on the Tools menu, click Certification Authority.
b. In the details pane, right-click Adatum-LON-DC1-CA, and then click Properties.
c. In the Adatum-LON-DC1-CA Properties dialog box, click the Extensions tab.
d. On the Extensions tab, click Add. In the Location text box, type http://crl.adatum.com/crld/.
e. Under Variable, click <CaName>, and then click Insert.
f. Under Variable, click <CRLNameSuffix>, and then click Insert.
g. Under Variable, click <DeltaCRLAllowed>, and then click Insert.
h. In the Location text box, at the end of the Location string, type .crl, and then click OK.
i. Select the Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates check boxes, and then click Apply. In the dialog box asking you to restart Active Directory Certificate Services, click No.
j. Click Add.
k. In the Location text box, type \\LON-RTR\crldist$\.
l. Under Variable, click <CaName>, and then click Insert.
m. Under Variable, click <CRLNameSuffix>, and then click Insert.
n. Under Variable, click <DeltaCRLAllowed>, and then click Insert.
o. In the Location text box, at the end of the string, type .crl, and then click OK.
p. Select both the Publish CRLs to this location and Publish Delta CRLs to this location check boxes, and then click OK.
q. Click Yes to restart Active Directory Certificate Services.
2. Duplicate the web certificate template and configure appropriate permission by performing the
following steps:
a. In the Certification Authority console, expand Adatum-LON-DC1-CA, right-click Certificate
Templates, and then click Manage.
Note: Users require the Enroll permission on the certificate.
b. In the Certificate Templates console, in the content pane, right-click the Web Server template,
and then click Duplicate Template.
c. Click the General tab, and in the Template display name text box, type Adatum Web Server
Certificate.
d. Click the Request Handling tab, and then click Allow private key to be exported.
e. Click the Security tab, and then click Authenticated Users.
f. In the Permissions for Authenticated Users window, under Allow, click Enroll, and then click OK.
g. Close the Certificate Templates console.
h. In the Certification Authority console, right-click Certificate Templates, and navigate to New/Certificate Template to Issue.
i. Click Adatum Web Server Certificate, and then click OK.
j. In certsrv – [Certification Authority (Local)], right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Stop Service.
k. Right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Start Service.
l. Close the Certification Authority console.
3. Configure computer certificate auto-enrollment by performing the following steps:
a. On LON-DC1, switch to Server Manager, click Tools, and then click Group Policy
Management.
b. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, and
then expand Adatum.com.
c. In the Adatum.com console, right-click Default Domain Policy, and then click Edit.
d. In the Group Policy Management Editor, expand Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, and then expand Public
Key Policies.
e. In the Public Key Policies details pane, right-click Automatic Certificate Request Settings, point
to New, and then click Automatic Certificate Request.
f. In the Automatic Certificate Request Setup Wizard, click Next.
g. On the Certificate Template page, click Computer, click Next, and then click Finish.
h. Close both the Group Policy Management Editor and the Group Policy Management Console.
Task 3: Configure internal resources
1. Request a certificate for LON-SVR1 by performing the following steps:
a. On LON-SVR1, move the mouse to the lower-right corner of the screen, click Search, type cmd,
and then press Enter.
b. At the command prompt, type the following command, and then press Enter:
gpupdate /force
c. At the command prompt, type the following command, and then press Enter:
mmc
d. Click File, and then click Add/Remove Snap-in.
e. Click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.
f. In the Certificates snap-in console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h. Click Next twice.
i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
j. In the Certificate Properties dialog box, on the Subject tab, under Subject name, under Type, click Common name.
k. In the Value text box, type nls.adatum.com, and then click Add.
l. Click OK, click Enroll, and then click Finish.
m. In the Certificates snap-in details pane, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
n. Close the console window. When you are prompted to save settings, click No.
2. To change the HTTPS bindings, perform the following steps:
a. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. At
the Internet Information Services (IIS) Manager message box, click No.
b. In the Internet Information Services (IIS) Manager console, navigate to LON-SVR1/Sites, and
then click Default Web Site.
c. In the Actions pane, click Bindings, and then click Add.
d. In the Add Site Binding dialog box, click https, in the SSL Certificate dialog box, click the certificate with the name nls.adatum.com, click OK, and then click Close.
e. Close the Internet Information Services (IIS) Manager console.
Task 4: Configure the DirectAccess server
1. Obtain required certificates for LON-RTR by performing the following steps:
a. Switch to LON-RTR.
b. Open a command prompt, type the following command, and then press Enter:
gpupdate /force
c. In the command prompt, type mmc.exe, and then press Enter.
d. Click File and then click Add/Remove Snap-in.
e. Click Certificates, click Add, click Computer account, click Next, select Local computer, click
Finish, and then click OK .
f. In the Certificates snap-in console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h. Click Next twice.
i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
j. In the Certificate Properties dialog box, on the Subject tab, under Subject name, under Type, click Common name.
k. In the Value text box, type 131.107.0.2, and then click Add.
l. Click OK, click Enroll, and then click Finish.
m. In the Certificates snap-in details pane, verify that a new certificate with the name 131.107.0.2 was issued with Intended Purposes of Server Authentication.
n. Right-click the certificate, and then click Properties.
o. In the Friendly Name text box, type IP-HTTPS Certificate, and then click OK.
p. Close the console window. If you are prompted to save settings, click No.
2. Create a CRL distribution point on LON-RTR by performing the following steps:
a. Switch to Server Manager.
b. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
c. If the Internet Information Services (IIS) Manager message box displays, click No.
d. In the console tree, expand to LON-RTR, expand Sites, click Default Web Site, right-click
Default Web Site, and then click Add Virtual Directory.
e. In the Add Virtual Directory dialog box, in the Alias text box, type CRLD. Next to Physical
path, click the ellipsis (…) button.
f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
g. Type CRLDist, and then press Enter.
h. In the Browse for Folder dialog box, click OK.
i. In the Add Virtual Directory dialog box, click OK.
j. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
k. In the console, click the CRLD folder.
l. In the middle pane of the console, double-click the Configuration Editor icon.
m. Click the down-arrow of the Section drop-down list, expand system.webServer, expand security, and then click requestFiltering.
n. In the middle pane of the requestFiltering console, double-click allowDoubleEscaping to change the value from False to True.
o. In the Actions pane, click Apply.
p. Close Internet Information Services (IIS) Manager.
Question: Why do you make the CRL available on the edge server?
Answer: You make the CRL available on the edge server so that the Internet DirectAccess clients can
access the CRL.
3. Share and secure the CRL distribution point by performing the following steps:
Note: You perform these steps to assign permissions to the CRL distribution point.
a. On the taskbar, click the Windows Explorer icon.
b. In Windows Explorer, double-click Local Disk (C:).
c. In the Windows Explorer details pane, right-click the CRLDist folder, and then click Properties.
d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
e. In the Advanced Sharing dialog box, click Share this folder.
f. In the Share name text box, add a dollar sign ($) to the end of the name so that the share name is CRLDist$.
g. In the Advanced Sharing dialog box, click Permissions.
h. In the Permissions for CRLDist$ dialog box, click Add.
i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
j. In the Object Types dialog box, select Computers, and then click OK.
k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type LON-DC1, click Check Names, and then click OK.
l. In the Permissions for CRLDist$ dialog box, in the Group or user names list, click LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, click Allow, and then click OK.
m. In the Advanced Sharing dialog box, click OK.
n. In the CRLDist Properties dialog box, click the Security tab.
o. On the Security tab, click Edit.
p. In the Permissions for CRLDist dialog box, click Add.
q. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
r. In the Object Types dialog box, click Computers, and then click OK.
s. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type LON-DC1, click Check Names, and then click OK.
t. In the Permissions for CRLDist dialog box, in the Group or user names list, click LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, click Allow, and then click OK.
u. In the CRLDist Properties dialog box, click Close.
v. Close the Windows Explorer window.
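Steps 2 and 3 together build the CRL distribution point on the edge server. The following is an added example, not part of the course handbook, that does the same work with the WebAdministration and SmbShare modules on LON-RTR: the CRLD virtual directory with directory browsing and double escaping enabled, and the hidden CRLDist$ share and NTFS ACL granting the CA's computer account Full Control. Path, alias, share and account names are the lab's own values.

```powershell
# Added example (not from the handbook): Task 4 steps 2-3 from PowerShell.
# Run in an elevated Windows PowerShell session on LON-RTR.
Import-Module WebAdministration
Import-Module SmbShare

$physicalPath = 'C:\CRLDist'
$site         = 'Default Web Site'
$alias        = 'CRLD'
$caComputer   = 'ADATUM\LON-DC1$'   # the CA publishes CRLs with its computer account

if (-not (Test-Path $physicalPath)) {
    New-Item -Path $physicalPath -ItemType Directory | Out-Null
}

# 1. Virtual directory. The '+' in delta CRL file names reaches IIS as %2B,
#    which request filtering rejects unless double escaping is allowed; set it
#    on the CRLD directory only, not on the whole site.
if (-not (Get-WebVirtualDirectory -Site $site -Name $alias -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $physicalPath | Out-Null
}
$vdirPath = "IIS:\Sites\$site\$alias"
Set-WebConfigurationProperty -PSPath $vdirPath -Filter 'system.webServer/directoryBrowse' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $vdirPath -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# 2. Hidden share; share-level Full Control only for the CA computer account.
if (-not (Get-SmbShare -Name 'CRLDist$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'CRLDist$' -Path $physicalPath -FullAccess $caComputer | Out-Null
}

# 3. NTFS: Full Control for the CA computer account, inherited by the CRL files.
$acl  = Get-Acl -Path $physicalPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $caComputer, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $physicalPath -AclObject $acl

# Verify the settings the lab has you check by hand.
[pscustomobject]@{
    VirtualDirectoryPath = (Get-WebVirtualDirectory -Site $site -Name $alias).physicalPath
    DirectoryBrowsing    = (Get-WebConfigurationProperty -PSPath $vdirPath `
                              -Filter 'system.webServer/directoryBrowse' -Name enabled).Value
    AllowDoubleEscaping  = (Get-WebConfigurationProperty -PSPath $vdirPath `
                              -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping).Value
    ShareAccess          = (Get-SmbShareAccess -Name 'CRLDist$' |
                              Where-Object { $_.AccountName -eq $caComputer }).AccessRight
    NtfsAccess           = ((Get-Acl -Path $physicalPath).Access |
                              Where-Object { $_.IdentityReference -eq $caComputer }).FileSystemRights
}
```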
4. Publish the CRL to LON-RTR by performing the following steps:
Note: These steps make the CRL available on the edge server for Internet-based
DirectAccess clients.
a. Switch to LON-DC1.
b. In Server Manager, click Tools, and then click Certification Authority.
c. In the Certification Authority console, expand Adatum-LON-DC1-CA, right-click Revoked
Certificates, point to All Tasks, and then click Publish.
d. In the Publish CRL dialog box, click New CRL, and then click OK.
e. On the taskbar, click the Windows Explorer icon.
f. In the Windows Explorer address bar, type \\LON-RTR\CRLDist$, and then press Enter.
g. In the Windows Explorer window, notice the Adatum-LON-DC1-CA files.
h. Close the Windows Explorer window.
5. Complete the DirectAccess Setup Wizard on LON-RTR by performing the following steps:
Note: These steps configure LON-RTR as a DirectAccess server.
a. On LON-RTR, open Server Manager, click Tools, and then click Routing and Remote Access. If prompted to launch the DirectAccess wizard, click No.
b. In Routing and Remote Access, disable the existing configuration, and close the console.
c. In Server Manager, on the Tools menu, click Remote Access Management.
d. In the Remote Access Management console, click Configuration.
e. In the results pane, click Run the Getting Started Wizard.
Note: If you get an error at this point, restart LON-RTR, sign in as Adatum\administrator, and then restart from step c.
f. In the Configure Remote Access Wizard, click Deploy DirectAccess only.
g. In the Network Topology pane, verify that Edge is selected, and verify that 131.107.0.2 is the public name used by clients to connect to the Remote Access server.
h. Click Next.
i. On the Configure Remote Access page, click Finish.
j. When the configuration completes, click Close.
k. In the Remote Access Management console, under Step 1, click Edit, and then click Next.
l. Under Select Groups, in the details pane, click Add.
m. In the Select Group dialog box, type DA_Clients, and then click OK.
n. Clear the Enable DirectAccess for mobile computers only check box.
o. Remove the Domain Computers group, and then click Next. Click Finish.
p. In the Remote Access Management console, under Step 2, click Edit.
q. On the Network Topology page, verify that Edge is selected, type 131.107.0.2, and then click Next.
r. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to authenticate IP-HTTPS connections, and then click Next.
s. On the Authentication page, click Use computer certificates, click Browse, click Adatum-LON-DC1-CA, click OK, and then click Finish.
t. In the Remote Access Setup pane, under Step 3, click Edit.
u. On the Network Location Server page, click The network location server is deployed on a remote web server (recommended). In the URL field of the network location server (NLS), type https://nls.adatum.com, and then click Validate.
v. Ensure that the URL is validated.
w. Click Next. On the DNS page, examine the values, and then click Next.
x. On the DNS Suffix Search List page, click Next.
y. On the Management page, click Finish.
z. Under Step 4, click Edit.
aa. On the DirectAccess Application Server Setup page, click Finish.
bb. Click Finish to apply the changes.
cc. In Remote Access Review, click Apply.
dd. Under Applying Remote Access Setup Wizard Settings, click Close.
dd. Under Applying Remote Access Setup Wizard Settings, click Close.
6. Update Group Policy settings on LON-RTR by performing the following steps:
a. Move the mouse pointer on the lower-right corner, on the menu bar, click Search, type cmd, and
then press Enter.
b. At the command prompt, type the following commands, pressing Enter at the end of each line:
gpupdate /force
ipconfig
Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
Exercise 2: Configuring the DirectAccess Clients
Task 1: Configure DirectAccess Group Policy settings
1. Start LON-CL1 and sign in as Adatum\Administrator with the password of Pa$$w0rd. This is to
ensure that the LON-CL1 computer connects to the domain as a member of the DA_Clients security
group.
2. At Start, type cmd to open a command prompt window.
3. At the command prompt, type the following command, and then press Enter:
gpupdate /force
4. At the command prompt, type the following command, and then press Enter:
gpresult /R
5. Verify that the DirectAccess Client Settings GPO displays in the list of Applied Group Policy Objects under Computer Settings.
Note: If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the gpresult /R command again.
Task 2: Verify client computer certificate distribution
1. In the command prompt, type mmc.exe, and then press Enter.
2. In the MMC console, click File, and then click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
4. In the Certificates snap-in console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
5. In the Certificates details pane, verify that a certificate with the name LON-CL1.adatum.com displays
with Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
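The lab has you confirm three certificates by eye in the Certificates snap-in: nls.adatum.com on LON-SVR1 (Exercise 1, Task 3 step 1), 131.107.0.2 on LON-RTR (Exercise 1, Task 4 step 1) and the auto-enrolled LON-CL1.adatum.com computer certificate (Exercise 2, Task 2). The following is an added example, not part of the course handbook, that performs the same checks from PowerShell, and additionally builds the chain with online revocation checking so that a CRL distribution point that is unreachable from the host shows up as a failure. The function name, parameters and EKU OIDs are this example's own; the subject names and CA name are the lab's.

```powershell
# Added example (not from the handbook): check an enrolled certificate the way
# the lab's "verify that a new certificate ... with Intended Purposes of ..."
# steps do, plus a chain build that exercises the CRL distribution point.
function Test-LabCertificate {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        # Enhanced Key Usage OIDs the certificate must carry.
        # 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
        [string[]]$RequiredEkuOid = @('1.3.6.1.5.5.7.3.1'),
        [string]$IssuerName = 'Adatum-LON-DC1-CA',     # the lab's issuing CA
        [string]$SetFriendlyName                       # e.g. 'IP-HTTPS Certificate' on LON-RTR
    )

    # Newest certificate in the computer's Personal store with the wanted subject.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$CommonName" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ CommonName = $CommonName; Found = $false; Ok = $false
                                  Problems = @('not present in Cert:\LocalMachine\My') }
    }

    $problems = @()
    if ($cert.Issuer -notlike "CN=$IssuerName*") { $problems += "issued by '$($cert.Issuer)', expected $IssuerName" }
    if (-not $cert.HasPrivateKey)                { $problems += 'no private key bound to the certificate' }
    if ($cert.NotAfter -lt (Get-Date))           { $problems += "expired on $($cert.NotAfter)" }

    # "Intended Purposes" in the snap-in is the Enhanced Key Usage extension.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    foreach ($oid in $RequiredEkuOid) {
        if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
    }

    # Build the chain with online revocation checking. This fetches the CRL from
    # the CDP URL the CA stamped into the certificate, so it fails with
    # RevocationStatusUnknown when the distribution point is not reachable
    # from this host, the condition Internet-based DirectAccess clients hit.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object {
            "chain: $($_.Status) $($_.StatusInformation.Trim())" })
    }

    # Optional: the friendly name the lab sets on the IP-HTTPS certificate.
    # Assigning through the Cert: provider object persists to the store.
    if ($SetFriendlyName -and $cert.FriendlyName -ne $SetFriendlyName) {
        $cert.FriendlyName = $SetFriendlyName
    }

    [pscustomobject]@{
        CommonName   = $CommonName
        Found        = $true
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer
        Purposes     = (($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ')
        FriendlyName = $cert.FriendlyName
        Problems     = $problems
        Ok           = ($problems.Count -eq 0)
    }
}

# Pick the call for the host you are on:
#   LON-SVR1: Test-LabCertificate -CommonName 'nls.adatum.com'
#   LON-RTR : Test-LabCertificate -CommonName '131.107.0.2' -SetFriendlyName 'IP-HTTPS Certificate'
#   LON-CL1 : Test-LabCertificate -CommonName 'LON-CL1.adatum.com' `
#                 -RequiredEkuOid '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
Test-LabCertificate -CommonName 'nls.adatum.com' | Format-List
```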
Task 3: Verify internal connectivity to resources
1. On LON-CL1, on the desktop, on the taskbar, click Internet Explorer.
2. In the Windows Internet Explorer® address bar, type http://lon-svr1.adatum.com/, and then press Enter. The default IIS 8 web page for LON-SVR1 displays.
3. In the Internet Explorer address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8 web page for LON-SVR1 displays.
4. Leave the Internet Explorer window open.
5. On the taskbar, click the Windows Explorer icon.
6. In the Windows Explorer address bar, type \\Lon-SVR1\Files, and then press Enter. A window with the Files shared folder contents displays.
7. Close all open windows.
Results: After completing this exercise, you will have configured the DirectAccess clients.
Exercise 3: Verifying the DirectAccess Configuration
Task 1: Move the client computer to the Internet virtual network
1. Switch to LON-CL1.
2. On LON-CL1, move the mouse pointer to the lower-right end of the screen, click Settings, select Control Panel, and then click Network and Internet.
3. Click Network and Sharing Center.
4. Click Change Adapter Settings.
5. Right-click Local Area Connection, and then click Properties.
6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
8. Complete the following settings, and then click OK:
o IP address: 131.107.0.10
o Subnet mask: 255.255.0.0
o Default gateway: 131.107.0.2
9. In the Local Area Connection Properties dialog box, click OK.
10. In the Network Connections window, right-click Local Area Connection, and then click Disable.
11. In the Network Connections window, right-click Local Area Connection, and then click Enable.
12. On your host, in Hyper-V Manager, right-click 20411B-LON-CL1, and then click Settings.
13. Change the Legacy Network Adapter to be on the Private Network 2 network, and then click OK.
Task 2: Verify connectivity to the DirectAccess server
1. On LON-CL1, move the mouse pointer to the lower-right corner, on the right menu, click Search,
type cmd, and then press Enter.
2. At the command prompt, type the following command, and then press Enter:
ipconfig
3. Notice the returned IP address starts with 2002. This is an IP-HTTPS address.
4. At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
5. At the command prompt, type the following command, and then press Enter:
powershell
6. At the Windows PowerShell® command-line interface, type the following command, and then press
Enter:
Get-DAClientExperienceConfiguration
Note: Notice the DirectAccess client settings.
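The checks in this task (the 2002: tunnel address from ipconfig, the effective NRPT from netsh, and Get-DAClientExperienceConfiguration) can be gathered in one place. The following is an added example, not part of the course handbook, that collects them on LON-CL1 with the Windows 8 NetTCPIP, DnsClient and DirectAccessClientComponents cmdlets; the function name and the prefix check are this example's own, and 2002::/16 is the 6to4 prefix the lab expects the IP-HTTPS address to fall in.

```powershell
# Added example (not from the handbook): one-shot view of the DirectAccess
# client state that Exercise 3 Task 2 inspects by hand. Run on LON-CL1 after
# it has been moved to the Internet virtual network.
function Get-LabDaClientState {
    param(
        # The lab says the IP-HTTPS address "starts with 2002"; adjust if your
        # deployment uses a native IPv6 prefix instead.
        [string]$ExpectedPrefix = '2002:',
        [string]$InternalHost   = 'lon-dc1.adatum.com'   # the host Task 3 pings
    )

    # Tunnel address (ipconfig: "Tunnel adapter IPHTTPSInterface").
    $tunnel = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -like "$ExpectedPrefix*" })

    # Effective NRPT (netsh name show effectivepolicy): names in the internal
    # namespace are sent to the DirectAccess DNS server over the tunnel.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)

    # Same object the lab displays with Get-DAClientExperienceConfiguration.
    $experience = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue

    # Reachability of an internal resource through the tunnel (Task 3 step 6).
    $dcReply = Test-Connection -ComputerName $InternalHost -Count 2 -Quiet `
                   -ErrorAction SilentlyContinue

    [pscustomobject]@{
        IpHttpsAddresses   = @($tunnel | ForEach-Object { "$($_.IPAddress) ($($_.InterfaceAlias))" })
        HasIpHttpsAddress  = ($tunnel.Count -gt 0)
        NrptNamespaces     = @($nrpt | ForEach-Object { $_.Namespace })
        NrptDaDnsServers   = @($nrpt | ForEach-Object { $_.DirectAccessDnsServers } |
                                 Sort-Object -Unique)
        ClientExperience   = $experience
        InternalHostReplies = [bool]$dcReply
    }
}

Get-LabDaClientState | Format-List
```

A client that shows no 2002: address or an empty NRPT has not received the DirectAccess Client Settings GPO; rerun the gpupdate from Exercise 2 before looking further.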
Task 3: Verify connectivity to the internal network resources
1. Switch to Internet Explorer, and in the address bar, type http://lon-svr1.adatum.com, and then
press Enter. The default IIS 8 web page for LON-SVR1 displays.
2. Leave the Internet Explorer window open.
3. On the taskbar, click the Windows Explorer icon.
4. In the Windows Explorer address bar, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder displays.
5. Switch to the command prompt window.
6. At the command prompt, type the following command, and then press Enter:
ping lon-dc1.adatum.com
7. Verify that you are receiving replies from lon-dc1.adatum.com.
8. At the command prompt, type the following command, and then press Enter:
gpupdate /force
9. Close all open windows.
10. Switch to LON-RTR.
11. Switch to Remote Access Management.
12. In the console, click REMOTE CLIENT STATUS.
Note: Notice that LON-CL1 is connected via IP over HTTPS (IP-HTTPS). In the Connection
Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the
User.
13. Close all open windows.
To prepare for the next module
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20411B-LON-SVR1, 20411B-LON-RTR, and 20411B-LON-DC1.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
Module 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role
Lab: Installing and Configuring a Network Policy Server
Exercise 1: Installing and Configuring NPS to Support RADIUS
Task 1: Install and configure the Network Policy Server
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. If necessary, on the taskbar, click Server Manager.
4. In the details pane, click Add roles and features.
5. In the Add Roles and Features Wizard, click Next.
6. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
7. On the Select destination server page, click Next.
8. On the Select server roles page, select the Network Policy and Access Services check box.
9. Click Add Features, and then click Next twice.
10. On the Network Policy and Access Services page, click Next.
11. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.
12. On the Confirm installation selections page, click Install.
13. Verify that the installation was successful, and then click Close.
14. Close the Server Manager window.
15. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
16. Click Network Policy Server.
17. In the Network Policy Server console, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.
18. In the Network Policy Server message box, click OK.
19. In the subsequent Network Policy Server dialog box, click OK.
20. Leave the Network Policy Server console window open.
Task 2: Configure NPS Templates
1. In the Network Policy Server console, in the navigation pane, expand Templates Management.
2. In the navigation pane, right-click Shared Secrets, and then click New.
3. In the New RADIUS Shared Secret Template dialog box, in the Template name box, type Adatum Secret.
4. In the Shared secret and Confirm shared secret boxes, type Pa$$w0rd, and then click OK.
5. In the navigation pane, right-click RADIUS Clients, and then click New.
6. In the New RADIUS Client dialog box, in the Friendly name box, type LON-RTR.
7. Click Verify, and in the Verify Address dialog box, in the Address box, type LON-RTR, and then click Resolve.
8. Click OK.
9. In the New RADIUS Client dialog box, under Shared Secret, in the Select an existing Shared Secrets template list, click Adatum Secret, and then click OK.
10. Leave the console open.
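Steps 5 to 9 can also be done with the NPS cmdlets that ship with Windows Server 2012. The following is an added example, not part of the course handbook, that registers LON-RTR as a RADIUS client on LON-DC1 and reads the result back; shared-secret templates have no cmdlet, so the secret is passed to the client directly and is prompted for at run time rather than written into the script. The cmdlet parameters used (-Name, -Address, -SharedSecret) are assumed from the NPS module's documentation.

```powershell
# Added example (not from the handbook): Task 2 steps 5-9 from PowerShell.
# Run in an elevated Windows PowerShell session on LON-DC1 after NPS is installed.
Import-Module NPS

$clientName = 'LON-RTR'

# The GUI's Verify/Resolve button: resolve the friendly name to its IPv4 address.
$clientAddress = [System.Net.Dns]::GetHostAddresses($clientName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString
if (-not $clientAddress) { throw "Could not resolve $clientName to an IPv4 address" }

# Read the secret without echoing it; the cmdlet needs a plain string, so
# convert only for the call and release the unmanaged copy immediately.
$secure = Read-Host -Prompt "RADIUS shared secret for $clientName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Create the client, or update address and secret if it already exists.
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName }) {
    Set-NpsRadiusClient -Name $clientName -Address $clientAddress -SharedSecret $secret
}
else {
    New-NpsRadiusClient -Name $clientName -Address $clientAddress -SharedSecret $secret
}
Remove-Variable secret

# Confirm what NPS now holds for the client (the secret itself is not displayed).
Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName } |
    Select-Object Name, Address
```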
Task 3: Configure RADIUS accounting
1. In Network Policy Server, in the navigation pane, click Accounting.
2. In the details pane, click Configure Accounting.
3. In the Accounting Configuration Wizard, click Next.
4. On the Select Accounting Options page, click Log to a text file on the local computer, and then click Next.
5. On the Configure Local File Logging page, click Next.
6. On the Summary page, click Next.
7. On the Conclusion page, click Close.
8. Leave the console open.
Results: After this exercise, you should have enabled and configured NPS to support the required
environment.
Exercise 2: Configuring and Testing a RADIUS Client
Task 1: Configure a RADIUS client
1. In the Network Policy Server console, expand RADIUS Clients and Servers.
2. Right-click RADIUS Clients, and then click New.
3. In the New RADIUS Client dialog box, clear the Enable this RADIUS client check box.
4. Select the Select an existing template check box.
5. Click OK.
6. Leave the Network Policy Server console open.
7. Switch to LON-RTR.
8. Sign in as Adatum\Administrator with the password Pa$$w0rd.
9. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
10. In Start, click Administrative Tools, and then double-click Routing and Remote Access.
11. If required, in the Enable DirectAccess Wizard dialog box, click Cancel. Click OK.
12. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable
Routing and Remote Access.
13. In the dialog box, click Yes.
14. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
15. Click Next, select Remote access (dial-up or VPN), and then click Next.
16. Select the VPN check box, and then click Next.
17. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
18. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
19. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
20. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server, and then click Next.
21. On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1.
22. In the Shared secret box, type Pa$$w0rd, and then click Next.
23. Click Finish.
24. In the Routing and Remote Access dialog box, click OK.
25. If prompted again, click OK.
Task 2: Configure a network policy for RADIUS
1. Switch to the LON-DC1 computer.
2. Switch to Network Policy Server.
3. In Network Policy Server, expand Policies, and then click Network Policies.
4. In the details pane, right-click the policy at the top of the list, and then click Disable.
5. In the details pane, right-click the policy at the bottom of the list, and then click Disable.
6. In the navigation pane, right-click Network Policies, and then click New.
7. In the New Network Policy Wizard, in the Policy name box, type Adatum VPN Policy.
8. In the Type of network access server list, click Remote Access Server(VPN-Dial up), and then click Next.
9. On the Specify Conditions page, click Add.
10. In the Select condition dialog box, click NAS Port Type, and then click Add.
11. In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK.
12. Click Next, and on the Specify Access Permission page, click Access granted, and then click Next.
13. On the Configure Authentication Methods page, click Next.
14. On the Configure Constraints page, click Next.
14. On the Configure Constraints page, click Next.
15. On the Configure Settings page, click Next.
16. On the Completing New Network Policy page, click Finish.
Task 3: Test the RADIUS configuration
1. Switch to LON-CL2.
2. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
3. On the Start screen, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Internet.
5. Click Network and Sharing Center.
6. Click Set up a new connection or network.
7. On the Choose a connection option page, click Connect to a workplace, and then click Next.
8. On the How do you want to connect page, click Use my Internet connection (VPN).
9. Click I’ll set up an Internet connection later.
10. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.
11. In the Destination name box, type Adatum VPN.
12. Select the Allow other people to use this connection check box, and then click Create.
13. In the Network And Sharing Center window, click Change adapter settings.
14. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
15. In the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).
16. Under Authentication, click Allow these protocols, and then click OK.
17. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
18. In the Networks list on the right, click Adatum VPN, and then click Connect.
19. In Network Authentication, in the User name box, type Adatum\Administrator.
20. In the Password box, type Pa$$w0rd, and then click OK.
21. Wait for the VPN connection to be made. Your connection is successful.
Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS
client.
To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Module 9: Implementing Network Access Protection
Lab: Implementing NAP
Exercise 1: Configuring NAP Components
Task 1: Configure server and client certificate requirements
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.
2. In the certsrv management console, expand Adatum-LON-DC1-CA, right-click Certificate Templates, and then select Manage on the context menu.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. Click the Security tab in the Computer Properties dialog box, and then select Authenticated Users.
5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.
6. Close the Certificate Templates Console.
7. In certsrv – [Certification Authority (Local)], right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Stop Service.
8. Right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Start Service.
9. Close the certsrv management console.
Task 2: Configure health policies
1. Switch to the LON-RTR computer.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
4. On the Start screen, type mmc.exe, and then press Enter.
5. On the File menu, click Add/Remove Snap-in.
6. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
9. The Certificate Enrollment dialog box opens. Click Next.
10. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
11. Select the Computer check box, and then click Enroll.
12. Verify the status of certificate installation as Succeeded, and then click Finish.
13. Close the Console1 window.
14. Click No when prompted to save console settings.
15. On LON-RTR, switch to Server Manager.
16. In Server Manager, in the details pane, click Add roles and features.
17. Click Next.
18. On the Select installation type page, click Next.
19. On the Select destination server page, click Next.
20. On the Select server roles page, select the Network Policy and Access Services check box.
21. Click Add Features, and then click Next twice.
22. On the Network Policy and Access Services page, click Next.
23. On the Select Role Services page, click Next.
24. Click Install.
25. Verify that the installation was successful, and then click Close.
26. Close the Server Manager window.
27. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
28. Click Network Policy Server.
29. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
30. In the right pane under Name, double-click Default Configuration.
31. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.
32. In the navigation pane, expand Policies.
33. Right-click Health Policies, and then click New.
34. In the Create New Health Policy dialog box, under Policy name, type Compliant.
35. Under Client SHV checks, verify that Client passes all SHV checks is selected.
36. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
37. Click OK.
38. Right-click Health Policies, and then click New.
39. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
40. Under Client SHV checks, select Client fails one or more SHV checks.
41. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
42. Click OK.
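Steps 1 through 25 of this task (the computer certificate request and the role installation) can also be scripted; the health policies in steps 26 through 42 are not exposed by the NPS PowerShell module on Windows Server 2012 and stay in the console. The script below is an added example, not part of the 20411B lab or of Microsoft's course materials. It assumes the PKI and ServerManager modules of Windows Server 2012 on LON-RTR and the default internal name Machine for the Computer template; the check for the Server Authentication EKU is added because PEAP on NPS cannot use a server certificate that lacks it.

```powershell
# Added example (not part of the 20411B lab): script the certificate
# enrollment and NPAS installation that Task 2 performs in the GUI.
# Run in an elevated Windows PowerShell session on LON-RTR.
# Assumptions: the PKI and ServerManager modules are present (Windows
# Server 2012), and the "Computer" template keeps its default internal
# name "Machine".
Import-Module PKI
Import-Module ServerManager

# Request a computer certificate from the Active Directory enrollment
# policy, which is what the Certificates snap-in wizard does in steps 8-12.
$result = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$cert = $result.Certificate

# PEAP needs a certificate that chains to a trusted CA and carries the
# Server Authentication EKU; verify both before relying on it in NPS.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$hasServerAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }
if (-not $hasServerAuth) { throw 'Certificate lacks the Server Authentication EKU' }
if (-not $cert.Verify())  { throw 'Certificate chain does not validate on this host' }
Write-Output ("Enrolled {0}, thumbprint {1}, expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Install the Network Policy and Access Services role (steps 15 to 25).
$install = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if (-not $install.Success) { throw 'NPAS installation failed' }
Write-Output ("Installed: {0}" -f ($install.FeatureResult.DisplayName -join ', '))
```

If Get-Certificate returns a status of Pending or Denied, the template permission change from Task 1 has not reached the CA yet; the lab stops and starts the CA service for exactly that reason.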
Task 3: Configure network policies
1. In the navigation pane, under Policies, click Network Policies.
Important: Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
2. Right-click Network Policies, and then click New.
3. On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access, and then click Next.
4. On the Specify Conditions page, click Add.
5. In the Select condition dialog box, double-click Health Policies.
6. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
7. On the Specify Conditions page, click Next.
8. On the Specify Access Permission page, click Next.
9. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
10. Click Next again.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.
13. Right-click Network Policies, and then click New.
14. On the Specify Network Policy Name And Connection Type page, under Policy name, type Noncompliant-Restricted, and then click Next.
15. On the Specify Conditions page, click Add.
16. In the Select condition dialog box, double-click Health Policies.
17. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
18. On the Specify Conditions page, click Next.
19. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
20. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
21. Click Next again.
22. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
23. Clear the Enable auto-remediation of client computers check box.
24. In the Configure Settings window, click IP Filters.
25. Under IPv4, click Input Filters, and then click New.
26. In the Add IP Filter dialog box, select Destination network.
27. In the IP address box, type 172.16.0.10.
28. In the Subnet mask box, type 255.255.255.255, and then click OK.
29. Click Permit only the packets listed below, and then click OK.
30. Under IPv4, click Output Filters, and then click New.
31. In the Add IP Filter dialog box, select Source network.
32. In the IP address box, type 172.16.0.10.
33. In the Subnet mask box, type 255.255.255.255, and then click OK.
34. Click Permit only the packets listed below, and then click OK.
35. On the Configure Settings page, click Next.
36. On the Completing New Network Policy page, click Finish.
Task 4: Configure connection request policies for VPN
1. Click Connection Request Policies.
2. Disable both the default Connection Request policies that are found under Policy Name by right-clicking each of the policies, and then clicking Disable.
3. Right-click Connection Request Policies, and then click New.
4. On the Specify Connection Request Policy Name And Connection Type page, in the Policy name box, type VPN connections.
5. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
6. On the Specify Conditions page, click Add.
7. In the Select Condition dialog box, double-click Tunnel Type, and then select PPTP, SSTP, and L2TP. Click OK, and then click Next.
8. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.
9. On the Specify Authentication Methods page, select the Override network policy authentication settings check box.
10. Under EAP Types, click Add.
11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
14. Verify that Enforce Network Access Protection is selected, and then click OK.
15. Click Next twice, and then click Finish.
Results: After this exercise, you should have installed and configured the required NAP components,
created the health and network policies, and created the connection request policies.
Exercise 2: Configuring VPN Access
Task 1: Configure a VPN Server
1. On LON-RTR, pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. Click Routing and Remote Access. If prompted, at the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.
3. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
4. In the dialog box, click Yes.
5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
6. Click Next, select Remote access (dial-up or VPN), and then click Next.
7. Select the VPN check box, and then click Next.
8. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
9. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
10. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
11. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is selected, and then click Next.
12. Click Finish.
13. Click OK twice, and then wait for the Routing and Remote Access Service to start.
14. Switch to Network Policy Server.
15. In the Network Policy Server, click Connection Request Policies, and in the results pane, verify that the Microsoft Routing and Remote Access Service Policy is Disabled.
Note: Click Action, and then click Refresh. If the Microsoft Routing and Remote Access Service Policy is Enabled, right-click it, and then click Disable.
16. Close the Network Policy Server management console.
17. Close the Routing and Remote Access console.
Task 2: Allow PING for testing purposes
1. On LON-RTR, pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. Click Administrative Tools, and then double-click Windows Firewall with Advanced Security.
3. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
4. Select Custom, and then click Next.
5. Select All programs, and then click Next.
6. Next to Protocol type, select ICMPv4, and then click Customize.
7. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
8. Click Next to accept the default scope.
9. In the Action window, verify that Allow the connection is selected, and then click Next.
10. Click Next to accept the default profile.
11. In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
12. Close the Windows Firewall with Advanced Security console.
Results: After this exercise, you should have created a VPN server and configured inbound
communications.
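The inbound rule from Task 2 is a good candidate for scripting, because a rule created by hand is easy to get subtly wrong (wrong direction, wrong ICMP type, left disabled) and the later ping test then fails for a reason unrelated to NAP. The following is an added example, not part of the 20411B lab, and assumes the NetSecurity module of Windows Server 2012 on LON-RTR. It reproduces the lab's default scope (any remote address); the commented -RemoteAddress option is the tighter setting a production server would normally use.

```powershell
# Added example (not part of the 20411B lab): create the inbound ICMPv4
# echo-request rule from Task 2 with PowerShell and confirm it took effect.
# Run in an elevated session on LON-RTR (NetSecurity module, Server 2012).
Import-Module NetSecurity

$ruleName = 'ICMPv4 echo request'

# Idempotent: reuse an existing rule with this name instead of creating
# a duplicate each time the script runs.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    # IcmpType 8 is Echo Request. The lab accepts the default scope (any
    # remote address), which is what this creates. To limit exposure, add
    # -RemoteAddress '172.16.0.0/16' so only the VPN pool and the intranet
    # can reach the rule.
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any
}

# Verify: the rule must be enabled and its protocol filter must say
# ICMPv4 type 8; anything else means the GUI wizard was misclicked.
$filter = $rule | Get-NetFirewallPortFilter
if ($rule.Enabled -ne 'True' -or $filter.Protocol -ne 'ICMPv4' -or $filter.IcmpType -ne '8') {
    throw "Rule '$ruleName' is not configured as expected"
}
Write-Output ("{0}: enabled={1} protocol={2} icmptype={3}" -f `
    $rule.DisplayName, $rule.Enabled, $filter.Protocol, $filter.IcmpType)

# The VPN server from Task 1 runs as the RemoteAccess service; it must be
# running before LON-CL2 attempts the connection in Exercise 3.
$rras = Get-Service -Name RemoteAccess
if ($rras.Status -ne 'Running') { throw 'Routing and Remote Access is not running' }
Write-Output ("RemoteAccess service: {0}" -f $rras.Status)
```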
Exercise 3: Configuring the Client Settings to Support NAP
Task 1: Enable a client NAP enforcement method
1. Switch to the LON-CL2 computer.
2. On the Start screen, type napclcfg.msc, and then press Enter.
3. In NAPCLCFG – [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement Clients.
4. In the results pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
5. Close NAPCLCFG – [NAP Client Configuration (Local Computer)].
6. Pause your mouse in the lower-left of the taskbar, and then click Start.
7. In Start, type Services.msc, and then press Enter.
8. In Services, in the results pane, double-click Network Access Protection Agent.
9. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
10. Click Start, and then click OK.
11. Pause your mouse in the lower-left of the taskbar, and then click Start.
12. In Start, type gpedit.msc, and then press Enter.
13. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Close the console window.
16. Close the Services console, and then close the Administrative Tools and System and Security windows.
Task 2: Establish a VPN connection
1. On LON-CL2, on the desktop, point your mouse to the lower-right corner of the taskbar, and then click Settings.
2. Click Control Panel, and then click Network and Internet.
3. Click Network and Sharing Center.
4. Click Set up a new connection or network.
5. On the Choose a connection option page, click Connect to a workplace, and then click Next.
6. On the How do you want to connect page, click Use my Internet connection (VPN).
7. Click I’ll set up an Internet connection later.
8. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.
9. In the Destination name box, type Adatum VPN.
10. Select the Allow other people to use this connection check box, and then click Create.
11. In the Network And Sharing Center window, click Change adapter settings.
12. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
13. Under Authentication, click Use Extensible Authentication Protocol (EAP).
14. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, select Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.
15. Ensure that the Verify the server’s identity by validating the certificate check box is selected.
16. Clear the Connect to these servers check box, and then under Select Authentication Method, ensure that Secured password (EAP-MSCHAP v2) is selected.
17. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.
18. Click OK twice to accept these settings.
19. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
20. In the Networks list on the right, click Adatum VPN, and then click Connect.
21. In Network Authentication, in the User name box, type Adatum\Administrator.
22. In the Password box, type Pa$$w0rd, and then click OK.
23. The Windows Security Alert window appears the first time that this VPN connection is used. Click Show certificate details.
24. Click Connect. Wait for the VPN connection to occur. Because LON-CL2 is compliant, it should have unlimited access to the intranet subnet.
25. Pause your mouse in the lower-left of the taskbar, and then click Start.
26. In Start, type cmd.exe, and then press Enter.
27. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Not Restricted.
28. At the command prompt, type ping 172.16.0.10, and then press Enter. This should be successful. The client now meets the requirement for VPN full connectivity.
29. Switch to Network Connections.
30. Right-click Adatum VPN, and then click Connect/Disconnect.
31. In the Networks list on the right, click Adatum VPN, and then click Disconnect.
32. Switch to LON-RTR.
33. In Administrative Tools, double-click Network Policy Server.
34. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
35. In the right pane, under Name, double-click Default Configuration.
36. On the Windows 8/Windows 7/Windows Vista tab, select the Restrict access for clients that do not have all available security updates installed check box, and then click OK.
37. Switch to LON-CL2.
38. In the Networks list on the right, click Adatum VPN, and then click Connect.
39. Switch to the command prompt.
40. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Restricted.
41. Switch to Network Connections.
42. Right-click Adatum VPN, and then click Connect/Disconnect.
43. In the Networks list on the right, select Adatum VPN, and then click Disconnect.
Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have
enabled and tested NAP on LON-CL2.
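The client-side part of this exercise (enabling the EAP enforcement client and the NAP Agent service in Task 1, then reading the quarantine state in Task 2) is what you would script when rolling NAP out to more than one client. The script below is an added example, not part of the 20411B lab. It assumes that netsh nap client show config prints each enforcement client as a Name line followed by an ID line, as it does on Windows 8, and parses the client's ID from that output rather than hard-coding it; the Security Center policy from steps 12 to 14 is left to gpedit.msc as in the lab.

```powershell
# Added example (not part of the 20411B lab): script the client-side NAP
# enablement from Exercise 3, Task 1, on LON-CL2 and read back the
# quarantine state that Task 2 checks with ipconfig /all. Run elevated.
# Assumption: "netsh nap client show config" lists each enforcement client
# as a "Name = ..." line followed within a few lines by "ID = ...".

function Get-NapEnforcementClientId {
    param([string]$DisplayName)
    $lines = netsh nap client show config
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "Name\s*=\s*$([regex]::Escape($DisplayName))") {
            # The ID line follows the Name line of the same client.
            $limit = [Math]::Min($i + 4, $lines.Count)
            for ($j = $i + 1; $j -lt $limit; $j++) {
                if ($lines[$j] -match 'ID\s*=\s*(\d+)') { return [int]$Matches[1] }
            }
        }
    }
    throw "Enforcement client '$DisplayName' not found in netsh output"
}

# Steps 3 and 4: enable the EAP enforcement client.
$id = Get-NapEnforcementClientId -DisplayName 'EAP Quarantine Enforcement Client'
netsh nap client set enforcement ID=$id ADMIN=ENABLE | Out-Null

# Steps 8 to 10: NAP Agent service set to Automatic and started. Without
# it the client sends no statement of health, so it matches neither the
# Compliant nor the Noncompliant health policy on LON-RTR.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
if ((Get-Service -Name napagent).Status -ne 'Running') { throw 'NAP Agent did not start' }

# Task 2, steps 27 and 40: the restriction state is the same value that
# ipconfig /all shows as System Quarantine State. Run after the VPN
# connection is up.
netsh nap client show state | Select-String -Pattern 'Restriction state'
```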
To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Module 10: Optimizing File Services
Lab A: Configuring Quotas and File Screening Using FSRM
Exercise 1: Configuring FSRM Quotas
Task 1: Create a quota template
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the taskbar, click the Server Manager shortcut.
3. In Server Manager, click Manage, and then click Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next.
5. Confirm that role-based or feature-based installation is selected, and then click Next.
6. Confirm that LON-SVR1.Adatum.com is selected, and then click Next.
7. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select the File Server Resource Manager check box.
8. In the pop-up window, click Add Features.
9. Click Next twice to confirm the role service and feature selection.
10. On the Confirm installation selections page, click Install.
11. When the installation completes, click Close.
12. In Server Manager, click Tools, and then click File Server Resource Manager.
13. In the File Server Resource Manager console, expand Quota Management, and then click Quota Templates.
14. Right-click Quota Templates, and then click Create Quota Template.
15. In the Create Quota Template dialog box, in the Template name field, type 100 MB Limit Log to Event Viewer.
16. Under Notification thresholds, click Add.
17. In the Add Threshold dialog box, click the Event log tab.
18. On the Event log tab, select the Send warning to event log check box, and then click OK.
19. In the Create Quota Template dialog box, click Add.
20. In the Add Threshold dialog box, in the Generate notification when the usage reaches (%) field, type 100.
21. Click the Event Log tab, select the Send warning to event log check box, and then click OK twice.
Task 2: Configure a quota based on the quota template
1. In the File Server Resource Manager console, click Quotas.
2. Right-click Quotas, and then click Create Quota.
3. In the Create Quota dialog box, in the Quota path field, type E:\Labfiles\Mod10\Users.
4. Click Auto apply template and create quotas on existing and new subfolders.
5. In the Derive properties from this quota template (recommended) list, click 100 MB Limit Log to Event Viewer, and then click Create.
6. In the details pane, verify that the E:\Labfiles\Mod10\Users path has been configured with its own quota entry. You may have to refresh the Quotas folder to view the changes.
7. From the taskbar, open Windows Explorer.
8. In the Windows Explorer window, click drive E, expand Labfiles, expand Mod10, and then expand Users.
9. In the Users folder, create a new folder named Max.
10. In File Server Resource Manager, on the Action menu, click Refresh.
11. In the details pane, notice that the newly created folder now displays in the list.
Task 3: Test that the quota is functional
1. On LON-SVR1, on the taskbar, click the Windows PowerShell shortcut.
2. In the Windows PowerShell window, type the following commands. Press Enter at the end of each line:
    E:
    cd \Labfiles\Mod10\Users\Max
    fsutil file createnew file1.txt 89400000
This creates a file that is over 85 megabytes (MB), which will generate a warning in Event Viewer.
3. On the taskbar, click the Server Manager shortcut.
4. In Server Manager, click Tools, and then click Event Viewer.
5. In the Event Viewer console, expand Windows Logs, and then click Application.
6. In the details pane, note the event with Event ID of 12325.
7. In the Windows PowerShell window, type the following command, and then press Enter:
    fsutil file createnew file2.txt 16400000
Notice that the file cannot be created. The message returned from Windows references disk space, but the file creation fails because it would surpass the quota limit.
8. In the Windows PowerShell window, type exit, and then press Enter.
9. Close all open windows on LON-SVR1.
Results: After completing this exercise, you should have configured an FSRM quota.
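The same quota template, auto-apply quota and test can be built with the FileServerResourceManager module that ships with the FSRM role service on Windows Server 2012. The script below is an added example, not part of the 20411B lab; it assumes the role service is already installed on LON-SVR1 (Task 1, steps 1 to 11), that the wizard's default first threshold is 85 percent (which is why the lab's 89,400,000-byte file triggers the warning), and that the quota engine needs a few seconds to write event 12325.

```powershell
# Added example (not part of the 20411B lab): build the quota template,
# auto-apply quota and test from Exercise 1 with PowerShell on LON-SVR1,
# then confirm the warning event the lab looks for in Event Viewer.
# Assumptions: FSRM role service installed; first threshold is the
# wizard default of 85%; a short wait suffices for the event to appear.
Import-Module FileServerResourceManager

$templateName = '100 MB Limit Log to Event Viewer'
$quotaPath    = 'E:\Labfiles\Mod10\Users'
$maxFolder    = Join-Path $quotaPath 'Max'

# Task 1: two thresholds, each writing a warning to the Application log.
$warn85  = New-FsrmAction -Type Event -EventType Warning -Body 'Quota at 85% on [Quota Path]'
$warn100 = New-FsrmAction -Type Event -EventType Warning -Body 'Quota limit reached on [Quota Path]'
$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warn85
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $warn100
if (-not (Get-FsrmQuotaTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name $templateName -Size 100MB -Threshold $t85, $t100 | Out-Null
}

# Task 2: auto-apply the template to existing and future subfolders, then
# create the Max folder and make FSRM pick it up (the lab's Refresh).
if (-not (Get-FsrmAutoQuota -Path $quotaPath -ErrorAction SilentlyContinue)) {
    New-FsrmAutoQuota -Path $quotaPath -Template $templateName | Out-Null
}
New-Item -ItemType Directory -Path $maxFolder -Force | Out-Null
Update-FsrmAutoQuota -Path $quotaPath
Get-FsrmQuota -Path $maxFolder | Format-Table Path, Size, Usage, Template -AutoSize

# Task 3: cross the 85% threshold with an 89,400,000-byte file, then show
# the hard limit by trying to add 16,400,000 bytes more (total > 100 MB).
fsutil file createnew (Join-Path $maxFolder 'file1.txt') 89400000 | Out-Null
Start-Sleep -Seconds 5
$event = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12325 } -MaxEvents 1
Write-Output ("Quota warning (event 12325) logged at {0}" -f $event.TimeCreated)

# The lab notes that Windows reports this as a disk-space error even
# though it is the quota that rejects the write.
$out = fsutil file createnew (Join-Path $maxFolder 'file2.txt') 16400000 2>&1
Write-Output "Second file: $out"
```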
Exercise 2: Configuring File Screening and Storage Reports
Task 1: Create a file screen
1. On LON-SVR1, open Server Manager, and then from the Tools menu, click File Server Resource Manager.
2. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Screens.
3. Right-click File Screens, and then click Create File Screen.
4. In the Create File Screen window, in the File screen path text box, type E:\Labfiles\Mod10\Users.
5. In the Create File Screen window, click the Derive properties from this file screen template (recommended) drop-down list box, and then click Block Audio and Video Files.
6. Click Create.
Task 2: Create a file group
1. On LON-SVR1, right-click File Server Resource Manager (Local), and then click Configure Options.
2. In the File Server Resource Manager Options dialog box, click the File Screen Audit tab.
3. On the File Screen Audit tab, select the Record file screening activity in auditing database check box, and then click OK.
Note: This step is to allow recording of file screening events. These recordings will supply data for a File Screen Audit report, which will be run later in this exercise.
4. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Groups.
5. Right-click File Groups, and then click Create File Group.
6. In the Create File Group Properties window, in the File group name box, type MPx Media Files.
7. In the Files to include box, type *.mp*, and then click Add.
8. In the Files to exclude box, type *.mpp, click Add, and then click OK.
9. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Screen Templates.
10. Right-click the Block Audio and Video Files template, and then click Edit Template Properties.
11. On the Settings tab, under File groups, clear the check box next to Audio and Video Files.
12. Select the check box next to MPx Media Files.
13. Click OK. Click Yes at the message prompt.
14. Click OK at the message.
Task 3: Test the file screen
1. On the taskbar, click the Windows Explorer shortcut.
2. In the Windows Explorer window, in the left pane, click Allfiles (E:).
3. In the right pane, right-click, point to New, and then click Text Document.
4. Rename New Text Document.txt to musicfile.mp3. Click Yes to change the file name extension.
5. Right-click musicfile.mp3, and then click Copy.
6. In the left pane, expand Allfiles (E:), expand Labfiles, expand Mod10, right-click Users, and then click Paste. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod10\Users.
7. Click Cancel.
Task 4: Generate an on-demand storage report
1. In the File Server Resource Manager console, click Storage Reports Management.
2. Right-click Storage Reports Management, and then click Generate Reports Now.
3. Under Select reports to generate, select the File Screening Audit check box.
4. Click the Scope tab, and then click Add.
5. In the Browse for Folder dialog box, browse to E:\Labfiles\Mod10\Users, and then click OK.
6. Click OK to close the Storage Reports Task Properties.
7. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and then display them is selected, and then click OK.
8. In the Windows Internet Explorer window, review the generated HTML reports.
9. Close all open windows on LON-SVR1.
To prepare for the next lab
• When you finish the lab, do not shut down the virtual machines. You will need them for the next lab.
Results: After completing this exercise, you will have configured file screening and storage reports in
FSRM.
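The four tasks of this exercise map onto a handful of FileServerResourceManager cmdlets, and doing them in a script also makes the screen's behaviour testable: a blocked .mp3 and an allowed .mpp prove that both the include and the exclude pattern of the file group are in effect. The script below is an added example, not part of the 20411B lab; it assumes the FSRM role service on LON-SVR1 (Windows Server 2012), that the built-in template is still named Block Audio and Video Files, and that the FileScreenAuditFiles report type corresponds to the File Screening Audit report in the console.

```powershell
# Added example (not part of the 20411B lab): the audit setting, file
# group, template change, file screen and on-demand report from
# Exercise 2, scripted on LON-SVR1. Assumptions: FSRM role service
# installed (Windows Server 2012); built-in template name unchanged.
Import-Module FileServerResourceManager

$screenPath   = 'E:\Labfiles\Mod10\Users'
$templateName = 'Block Audio and Video Files'
$groupName    = 'MPx Media Files'

# Task 2, step 3: record screening events so the audit report has data.
Set-FsrmSetting -FileScreenAuditEnable $true

# Task 2, steps 6 to 8: *.mp* except *.mpp (Project files would otherwise
# be caught by the wildcard).
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern '*.mp*' -ExcludePattern '*.mpp' | Out-Null
}

# Task 2, steps 10 to 14: the template now blocks the new group only.
# -UpdateDerived pushes the change to screens already created from it,
# which is what the lab's "Click Yes at the message prompt" does.
Set-FsrmFileScreenTemplate -Name $templateName -IncludeGroup $groupName -UpdateDerived

# Task 1: the screen itself, derived from the template.
if (-not (Get-FsrmFileScreen -Path $screenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $screenPath -Template $templateName | Out-Null
}

# Task 3: an active screen rejects the .mp3; the excluded .mpp goes through.
try {
    Set-Content -Path (Join-Path $screenPath 'musicfile.mp3') -Value 'test' -ErrorAction Stop
    Write-Output 'musicfile.mp3 was written: the screen is NOT active'
} catch {
    Write-Output "musicfile.mp3 blocked as expected: $($_.Exception.Message)"
}
Set-Content -Path (Join-Path $screenPath 'plan.mpp') -Value 'test'
Write-Output 'plan.mpp written: exclude pattern honoured'

# Task 4: on-demand File Screening Audit report for the same scope.
$report = New-FsrmStorageReport -Name 'Users screening audit' -Namespace @($screenPath) `
    -ReportType FileScreenAuditFiles -Interactive
Get-FsrmStorageReport -Name $report.Name | Format-List Name, ReportType, Status, LastRun
```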
Lab B: Implementing DFS
Exercise 1: Installing the DFS role service
Task 1: Install the DFS role service on LON-SVR1
1. Switch to LON-SVR1.
2. On the taskbar, click Server Manager.
3. In Server Manager, click Manage, and then click Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box.
8. In the Add Roles and Features pop-up window, click Add Features.
9. Select the DFS Replication check box, and then click Next.
10. On the Select features page, click Next.
11. On the Confirm installation selections page, click Install.
12. When the installation completes, click Close.
13. Close Server Manager.
Task 2: Install the DFS role service on LON-SVR4
1. Switch to LON-SVR4.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box.
7. In the Add Roles and Features pop-up window, click Add Features.
8. Select the DFS Replication check box, and then click Next.
9. On the Select features page, click Next.
10. On the Confirm installation selections page, click Install.
11. When the installation completes, click Close.
12. Close Server Manager.
Results: After completing this exercise, you will have installed the DFS role service on LON-SVR1 and
installed the DFS role service on LON-SVR4.
Exercise 2: Configuring a DFS Namespace
Task 1: Create the BranchDocs namespace
1. Switch to LON-SVR1, and then open Server Manager.
2. In Server Manager, click Tools, and then click DFS Management.
3. In the navigation pane, click Namespaces.
4. Right-click Namespaces, and then click New Namespace.
5. In the New Namespace Wizard, on the Namespace Server page, under Server, type LON-SVR1, and then click Next.
6. On the Namespace Name and Settings page, under Name, type BranchDocs, and then click Next.
7. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Adatum.com\BranchDocs.
8. Ensure that the Enable Windows Server 2008 mode check box is selected, and then click Next.
9. On the Review Settings and Create Namespace page, click Create.
10. On the Confirmation page, ensure that the Create namespace task is successful, and then click Close.
11. In the navigation pane, expand Namespaces, and then click \\Adatum.com\BranchDocs.
12. In the details pane, click the Namespace Servers tab, and ensure that there is one entry that is enabled for \\LON-SVR1\BranchDocs.
Task 2: Enable access-based enumeration for the BranchDocs namespace
1. In the navigation pane, under Namespaces, right-click \\Adatum.com\BranchDocs, and then click Properties.
2. In the \\Adatum.com\BranchDocs Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the Enable access-based enumeration for this namespace check box, and then click OK.
Task 3: Add the ResearchTemplates folder to the BranchDocs namespace
1. In DFS Management, right-click Adatum.com\BranchDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type ResearchTemplates.
3. In the New Folder dialog box, click Add.
4. In the Add Folder Target dialog box, type \\LON-SVR4\ResearchTemplates, and then click OK.
5. In the Warning dialog box, click Yes.
6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\ResearchTemplates.
7. Click All users have read and write permissions, and then click OK.
8. In the Warning dialog box, click Yes.
9. Click OK again to close the New Folder dialog box.
Task 4: Add the DataFiles folder to the BranchDocs namespace
1. In DFS Management, right-click Adatum.com\BranchDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type DataFiles, and then click Add.
3. In the Add Folder Target dialog box, type \\LON-SVR1\DataFiles, and then click OK.
4. In the Warning dialog box, click Yes.
5. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\DataFiles.
6. Click All users have read and write permissions, and then click OK. The permissions will be configured later.
7. In the Warning dialog box, click Yes.
8. Click OK again to close the New Folder dialog box.
Task 5: Verify the BranchDocs namespace
1. On LON-SVR1, open Windows Explorer, in the address bar type \\Adatum.com\BranchDocs\, and then press Enter.
2. In the BranchDocs window, verify that both ResearchTemplates and DataFiles display.
3. Close the BranchDocs window.
Results: After completing this exercise, you will have configured a DFS namespace.
Exercise 3: Configuring DFS-R
Task 1: Create another folder target for DataFiles
1. In DFS Management, expand Adatum.com\BranchDocs, and then click DataFiles.
2. In the details pane, notice that there is currently only one folder target.
3. Right-click DataFiles, and then click Add Folder Target.
4. In the New Folder Target dialog box, under Path to folder target, type \\LON-SVR4\DataFiles, and then click OK.
5. In the Warning dialog box, click Yes to create the shared folder on LON-SVR4.
6. In the Create Share dialog box, under Local path of shared folder, type C:\BranchDocs\DataFiles.
7. In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions, and then click OK.
8. In the Warning dialog box, click Yes to create the folder on LON-SVR4.
9. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Task 2: Configure replication for the namespace
1. In DFS Management, in the Replicate Folder Wizard, on both the Replication Group and Replicated
Folder Name page, accept the default settings, and then click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, select LON-SVR1, and then click Next.
4. On the Topology Selection page, select No topology, and then click Next.
5. In the Warning dialog box, click OK.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. In the DFS Management console, expand Replication, and then click Adatum.com\BranchDocs\DataFiles.
10. In the Action pane, click New Topology.
11. In the New Topology Wizard, on the Topology Selection page, click Full mesh, and then click Next.
12. On the Replication Group Schedule and Bandwidth page, click Next.
13. On the Review Settings and Create Topology page, click Create.
14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK.
15. In the details pane, on the Memberships tab, verify that the replicated folder displays on both LON-SVR4 and LON-SVR1.
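The namespace folders, access-based enumeration and replication group that Exercises 2 and 3 build through DFS Management, as an added example written with the DFSN and DFSR PowerShell modules of Windows Server 2012. This is not the handbook's code. It assumes the \\Adatum.com\BranchDocs namespace from Exercise 1 already exists, that it runs as Adatum\Administrator on LON-SVR1 with PowerShell remoting to LON-SVR4 enabled, and that the replication group keeps the wizard's default name, Adatum.com\BranchDocs\DataFiles. Scripting the change leaves a reviewable record of which servers host which targets and which member was primary, which the final verification lines print.

```powershell
# Added example (not from the handbook): Exercises 2 and 3 with the DFSN / DFSR cmdlets.
# Assumes the namespace \\Adatum.com\BranchDocs already exists and that this runs as
# Adatum\Administrator on LON-SVR1 with remoting to LON-SVR4 enabled.
Import-Module DFSN, DFSR

$Namespace = '\\Adatum.com\BranchDocs'
$GroupName = 'Adatum.com\BranchDocs\DataFiles'   # the Replicate Folder Wizard's default name

# Exercise 2, Task 2: access-based enumeration hides folders a user has no read access to.
Set-DfsnRoot -Path $Namespace -EnableAccessBasedEnumeration $true

# Exercise 2, Tasks 3-4 and Exercise 3, Task 1: the wizard created the local shares for us;
# with cmdlets the shares are created explicitly on each target server first.
$targets = @(
    @{ Server = 'LON-SVR4'; Share = 'ResearchTemplates'; Path = 'C:\BranchDocs\ResearchTemplates' },
    @{ Server = 'LON-SVR1'; Share = 'DataFiles';         Path = 'C:\BranchDocs\DataFiles' },
    @{ Server = 'LON-SVR4'; Share = 'DataFiles';         Path = 'C:\BranchDocs\DataFiles' }
)
foreach ($t in $targets) {
    Invoke-Command -ComputerName $t.Server -ArgumentList $t.Share, $t.Path -ScriptBlock {
        param($Share, $Path)
        New-Item -Path $Path -ItemType Directory -Force | Out-Null
        if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
            # "All users have read and write permissions" in the wizard: Change rights for Everyone
            New-SmbShare -Name $Share -Path $Path -ChangeAccess 'Everyone' | Out-Null
        }
    }
}

# Namespace folders with their first target, then the second target for DataFiles.
New-DfsnFolder -Path "$Namespace\ResearchTemplates" -TargetPath '\\LON-SVR4\ResearchTemplates' | Out-Null
New-DfsnFolder -Path "$Namespace\DataFiles"         -TargetPath '\\LON-SVR1\DataFiles'         | Out-Null
New-DfsnFolderTarget -Path "$Namespace\DataFiles"   -TargetPath '\\LON-SVR4\DataFiles'         | Out-Null

# Exercise 3, Task 2: replication group, replicated folder and the two members.
New-DfsReplicationGroup -GroupName $GroupName |
    New-DfsReplicatedFolder -FolderName 'DataFiles' |
    Add-DfsrMember -ComputerName 'LON-SVR1', 'LON-SVR4' | Out-Null

# With two members a single two-way connection is a full mesh (Add-DfsrConnection creates
# both directions unless -CreateOneWay is given).
Add-DfsrConnection -GroupName $GroupName -SourceComputerName 'LON-SVR1' `
    -DestinationComputerName 'LON-SVR4' | Out-Null

# LON-SVR1 is the primary member: its content is authoritative for initial replication.
Set-DfsrMembership -GroupName $GroupName -FolderName 'DataFiles' -ComputerName 'LON-SVR1' `
    -ContentPath 'C:\BranchDocs\DataFiles' -PrimaryMember $true  -Force | Out-Null
Set-DfsrMembership -GroupName $GroupName -FolderName 'DataFiles' -ComputerName 'LON-SVR4' `
    -ContentPath 'C:\BranchDocs\DataFiles' -PrimaryMember $false -Force | Out-Null

# Verification (Exercise 2, Task 5 and Exercise 3, step 15): folders, targets, memberships.
Get-DfsnFolder -Path "$Namespace\*" | Get-DfsnFolderTarget | Format-Table Path, TargetPath, State
Get-DfsrMembership -GroupName $GroupName | Format-Table ComputerName, ContentPath, PrimaryMember
```

Because the lab leaves the DataFiles share at "all users have read and write permissions", the share permissions still need tightening later, as step 6 of Task 4 says; the NTFS permissions on C:\BranchDocs\DataFiles are what ultimately limit access through the namespace.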
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR1 and 20411B-LON-SVR4.
Results: After completing this exercise, you will have configured DFS-R.
Module 11: Configuring Encryption and Advanced Auditing
Lab: Configuring Encryption and Advanced Auditing
Exercise 1: Encrypting and Recovering Files
Task 1: Update the recovery agent certificate for the Encrypting File System (EFS)
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Default Domain Policy.
3. In the Group Policy Management Console dialog box, click OK to clear the message.
4. Right-click Default Domain Policy, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
6. Right-click the Administrator certificate, and then click Delete.
7. In the Certificates window, click Yes.
8. Right-click Encrypting File System, and then click Create Data Recovery Agent.
9. Read the information for the new certificate that was created. Notice that this certificate was obtained from AdatumCA.
10. Close the Group Policy Management Editor.
11. Close Group Policy Management.
Task 2: Update Group Policy on the computers
1. On LON-DC1, on the taskbar, click the Windows PowerShell® command-line interface shortcut.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
gpupdate /force
3. Close the command prompt.
4. Switch to LON-CL1.
5. On LON-CL1, at the Start screen, type cmd, and then press Enter.
6. At the prompt, type the following command, and then press Enter:
gpupdate /force
7. Close the command prompt.
8. Log off of LON-CL1.
Task 3: Obtain a certificate for EFS
1. On LON-CL1, log on as Adatum\Doug with a password of Pa$$w0rd.
2. On the Start screen, type mmc, and then press Enter.
3. In Console1, click File, and then click Add/Remove Snap-in.
4. In the list of available snap-ins, click Certificates, and then click Add.
5. In the Add Or Remove Snap-ins dialog box, click OK.
6. In the left pane, click Certificates – Current User, right-click Personal, point to All Tasks, and then click Request New Certificate.
7. In the Certificate Enrollment Wizard, click Next.
8. On the Select Certificate Enrollment Policy page, click Next to use the Active Directory Enrollment Policy.
9. On the Request Certificates page, select the Basic EFS check box, and then click Enroll.
10. On the Certificate Installation Results page, click Finish.
11. In the Console1 window, in the left pane, expand Certificates – Current User, expand Personal, and then click Certificates.
12. Read the certificate details, and note that it was issued by AdatumCA.
13. Close Console1, and do not save the settings.
Task 4: Encrypt a file
1. On LON-CL1, open Windows Explorer, type \\LON-DC1\Mod11Share\Marketing in the address field, and then press Enter.
2. Right-click DougFile, and then click Properties.
3. On the General tab, click Advanced.
4. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.
5. In the DougFile Properties dialog box, click OK.
6. In the Encryption Warning dialog box, click Encrypt the file only, and then click OK. Wait a few seconds for the file to be encrypted.
7. Look at the color of the file name.
8. Close the Windows® Explorer window.
9. Log off of LON-CL1.
Task 5: Use the recovery agent to open the file
1. On LON-DC1, on the taskbar, click the Windows Explorer shortcut.
2. In Windows Explorer, browse to E:\Labfiles\Mod11\Mod11Share\Marketing.
3. Double-click DougFile.txt.
4. In Notepad, add some text to the file, click File, and then click Save.
5. Close Notepad and Windows Explorer.
Results: After completing this exercise, you will have encrypted and recovered files.
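What Tasks 3 to 5 rely on, checked from PowerShell as an added example that is not part of the handbook: Doug's Basic EFS certificate was issued by AdatumCA, the file carries the Encrypted attribute after Task 4, and the data recovery agent published by the Default Domain Policy in Task 1 is embedded in the file, which is why the administrator on LON-DC1 can open it in Task 5. It assumes it runs as Adatum\Doug on LON-CL1 after Task 3 and that the file path is the one the lab uses; the functions and their names are the example's own.

```powershell
# Added example (not from the handbook): run as Adatum\Doug on LON-CL1 after Task 3.
$File = '\\LON-DC1\Mod11Share\Marketing\DougFile.txt'   # the lab's file

function Get-EfsUserCertificate {
    # Basic EFS enrolment issues a certificate with the EFS enhanced key usage,
    # OID 1.3.6.1.4.1.311.10.3.4; this is the certificate Task 3 obtains.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' }
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-EfsEncrypted {
    # The Encrypted attribute is what turns the file name green in Windows Explorer (Task 4, step 7).
    param([string]$Path)
    $attributes = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-EfsFile {
    # Same operation as the "Encrypt contents to secure data" check box, for the file only.
    param([string]$Path)
    if (-not (Test-EfsEncrypted -Path $Path)) { [System.IO.File]::Encrypt($Path) }
    return Test-EfsEncrypted -Path $Path
}

Get-EfsUserCertificate | Format-List        # Task 3: expect Issuer CN=AdatumCA
Protect-EfsFile -Path $File                  # Task 4: prints True once the file is encrypted

# Task 5 prerequisite: cipher /c lists the users and the recovery agents whose certificates
# can decrypt the file. The agent created in Task 1 must appear under "Recovery Agents";
# if it does not, the file was encrypted before the updated policy reached the client and
# needs to be re-encrypted after gpupdate /force (Task 2).
cipher.exe /c $File
```

The cipher /c output is the check to run before relying on a recovery agent: a file encrypted while an old or deleted agent certificate was in the policy still lists that agent, and only an agent whose private key is available can recover it.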
Exercise 2: Configuring Advanced Auditing
Task 1: Create a Group Policy Object (GPO) for advanced auditing
1. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click Adatum.com, click New, and then click Organizational Unit.
3. Type File Servers, and then press Enter.
4. Click the Computers container, right-click LON-SVR1, click Move, click the File Servers organizational unit (OU), and then click OK.
5. In Server Manager, click Tools, and then click Group Policy Management.
6. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, click File Servers, right-click it, and then click Create a GPO in this domain, and Link it here.
7. In the New GPO window, type File Audit, and then press Enter.
8. Double-click the Group Policy Objects container, right-click File Audit, and then click Edit.
9. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.
10. Double-click Audit Detailed File Share.
11. In the Properties dialog box, select the Configure the following events check box.
12. Select both the Success and Failure check boxes, and then click OK.
13. Double-click Audit Removable Storage.
14. In the Properties dialog box, select the Configure the following events check box.
15. Select both the Success and Failure check boxes, and then click OK.
16. Close the Group Policy Management Editor.
17. Restart LON-SVR1.
18. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
Task 2: Verify audit entries
1. Log on to LON-CL1 as Adatum\Allan with a password of Pa$$w0rd.
2. On the Start screen, type \\LON-SVR1\Mod11, and then press Enter.
3. Double-click the Testfile.txt file to open it in Notepad.
4. Close Notepad.
5. Switch to LON-SVR1.
6. On LON-SVR1, in Server Manager, click Tools, and then click Event Viewer.
7. In Event Viewer, double-click Windows Logs, and then click Security.
8. Double-click one of the log entries with a Source of Microsoft Windows security auditing, and a
Task Category of Detailed File Share.
9. Click the Details tab, and note the access that was performed.
Results: After completing this exercise, you will have configured advanced auditing.
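The same verification done from PowerShell on LON-SVR1, as an added example that is not part of the handbook. It first asks auditpol for the effective setting of the two subcategories the File Audit GPO configures, then reads the Detailed File Share events (Security event ID 5145) that Allan's access to \\LON-SVR1\Mod11 produced and turns each one into a row with the user, client address, share, file and access mask. It assumes it runs on LON-SVR1 after step 5 of Task 2 with the GPO already applied; the function names are the example's own, and the event's data field names (ShareName, RelativeTargetName, AccessMask and so on) are those of event 5145.

```powershell
# Added example (not from the handbook): run on LON-SVR1 after the File Audit GPO has applied.

function Get-AuditSubcategoryState {
    # auditpol reports the effective policy, whatever GPO or local setting produced it.
    # /r gives CSV with an "Inclusion Setting" column such as "Success and Failure".
    param([string[]]$Subcategory = @('Detailed File Share', 'Removable Storage'))
    foreach ($name in $Subcategory) {
        $row = auditpol.exe /get /subcategory:"$name" /r | ConvertFrom-Csv
        [pscustomobject]@{ Subcategory = $name; Setting = $row.'Inclusion Setting' }
    }
}

function Get-DetailedFileShareAccess {
    # Event 5145 is written for every share access check once Detailed File Share auditing
    # is on; one event per file or folder touched, so the volume is high on busy file servers.
    param([int]$MaxEvents = 100)
    Get-WinEvent -MaxEvents $MaxEvents -FilterHashtable @{ LogName = 'Security'; Id = 5145 } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Client  = $data.IpAddress
                Share   = $data.ShareName            # written as \\*\ShareName
                Target  = $data.RelativeTargetName   # path relative to the share
                Access  = $data.AccessMask           # hex mask; 0x120089 is a typical read
                Outcome = $outcome
            }
        }
}

# Step 1 of the check: both subcategories must report "Success and Failure".
Get-AuditSubcategoryState | Format-Table -AutoSize

# Step 2: what Allan did on \\LON-SVR1\Mod11 (Task 2, steps 2-4).
Get-DetailedFileShareAccess |
    Where-Object { $_.Share -eq '\\*\Mod11' } |
    Format-Table Time, User, Client, Target, Access, Outcome -AutoSize
```

If the first table does not show "Success and Failure", the GPO has not applied to LON-SVR1 yet (the restart in step 17 of Task 1 is what forces it), and no 5145 events will exist to read.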
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 20411B-LON-SVR1 and 20411B-LON-CL1.
Module 12: Implementing Update Management
Lab: Implementing Update Management
Exercise 1: Implementing the WSUS Server Role
Task 1: Install the Windows Server® Update Services (WSUS) server role
1. Log on to LON-SVR4 as Adatum\Administrator with a password of Pa$$w0rd.
2. On LON-SVR4, in Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, ensure Role-based or feature-based installation is selected, and then click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Server Update Services check box.
7. In the pop-up window, click Add Features.
8. On the Select server roles page, click Next.
9. On the Select features page, click Next.
10. On the Windows Server Update Services page, click Next.
11. On the Select role services page, confirm that both WID Database and WSUS Services are selected,
and then click Next.
12. On the Content location selection page, in the text box, type C:\WSUSUpdates, and then click
Next.
13. On the Web Server Role (IIS) page, click Next.
14. On the Select role services page, click Next.
15. On the Confirm installation selections page, click Install.
16. When the installation completes, click Close.
17. In Server Manager, click Tools, and then click Windows Server Update Services.
18. In the Complete WSUS Installation window, click Run, and wait for the task to complete. Click Close.
19. Do not close the Windows Server Update Services Configuration Wizard window.
Task 2: Configure WSUS to synchronize with an upstream WSUS server
1. In the Windows Server Update Services Configuration Wizard window, click Next twice.
2. On the Choose Upstream Server page, click the Synchronize from another Windows Server Update Services server option, in the Server name text box, type LON-SVR1.Adatum.com, and then click Next.
3. On the Specify Proxy Server page, click Next.
4. On the Connect to Upstream Server page, click Start Connecting. Wait for the upstream server settings to be applied, and then click Next.
5. On the Choose Languages page, click Next.
6. On the Set Sync Schedule page, click Next.
7. On the Finished page, click the Begin initial synchronization option, and then click Finish.
8. In the Windows Server Update Services console, in the navigation pane, double-click LON-SVR4, and then click Options.
9. In the Options pane, click Computers. In the Computers dialog box, select Use Group Policy or registry settings on computers. Click OK.
Results: After completing this exercise, you should have implemented the WSUS server role.
Exercise 2: Configuring Update Settings
Task 1: Configure WSUS groups
1. On LON-SVR4, in the WSUS console, in the navigation pane, double-click LON-SVR4, and then double-click Computers.
2. Click All Computers, and then, in the Actions pane, click Add Computer Group.
3. In the Add Computer Group dialog box, in the Name text box, type Research, and then click Add.
Task 2: Configure Group Policy to deploy WSUS settings
1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, double-click Forest: Adatum.com, double-click Domains, and then double-click Adatum.com.
4. Right-click the Research OU, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name text box, type WSUS Research, and then click OK.
6. Double-click the Research organizational unit (OU), right-click WSUS Research, and then click Edit.
7. In the Group Policy Management Editor, under Computer Configuration, double-click Policies, double-click Administrative Templates, double-click Windows Components, and then click Windows Update.
8. In the Setting pane, double-click Configure Automatic Updates, and then click the Enabled option.
9. In the Configure automatic updating field, click and select 4 – Auto download and schedule the install, and then click OK.
10. In the Setting pane, double-click Specify intranet Microsoft update service location, and then click the Enabled option.
11. In the Set the intranet update service for detecting updates and the Set the intranet statistics server text boxes, type http://LON-SVR4.Adatum.com:8530, and then click OK.
12. In the Setting pane, double-click Enable client-side targeting.
13. In the Enable client-side targeting dialog box, click the Enabled option, in the Target group name for this computer text box, type Research, and then click OK.
14. Close the Group Policy Management Editor and the Group Policy Management console.
15. Open Active Directory Users and Computers.
16. In Active Directory Users and Computers, double-click Adatum.com, click Computers, right-click
LON-CL1, and then click Move.
17. In the Move dialog box, click the Research OU, and then click OK.
18. Close Active Directory Users and Computers.
Task 3: Verify the application of Group Policy settings
1. Switch to LON-CL1.
2. On LON-CL1, move the mouse pointer to the right-hand side of the screen, click the Settings icon, click Power, and then click Restart.
3. After LON-CL1 restarts, log on as Adatum\Administrator with a password of Pa$$w0rd.
4. On the Start screen, type cmd, right-click the Command Prompt tile, and then click Run as Administrator.
5. At the command prompt, type the following command, and then press Enter:
Gpresult /r
6. In the output of the command, confirm that, under COMPUTER SETTINGS, WSUS Research is listed under Applied Group Policy Objects.
Task 4: Initialize Windows® Update
1. On LON-CL1, at the command prompt, type the following command, and then press Enter:
Wuauclt.exe /reportnow /detectnow
2. Switch to LON-SVR4.
3. In the Update Services console, expand Computers, expand All Computers, and then click Research.
4. Verify that LON-CL1 appears in the Research group. If it does not, repeat steps 1-3. It may take several minutes for LON-CL1 to display.
5. Verify that updates are reported as needed. If no updates are reported, repeat steps 1-3. It may take 10-15 minutes for updates to register.
Results: After completing this exercise, you should have configured update settings for client computers.
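Gpresult /r in Task 3 only proves that the WSUS Research GPO was applied; it does not show what the GPO wrote. The following added example (not part of the handbook) reads the registry values those three Windows Update policy settings map to and compares them with what Task 2 configured, so a client pointing at the wrong update server or the wrong target group is caught before Task 4. It assumes it runs in an elevated prompt on LON-CL1 after Task 3; the expected values are the lab's, and the function name is the example's own.

```powershell
# Added example (not from the handbook): on LON-CL1, confirm the registry values that the
# WSUS Research GPO writes match what Task 2 configured. Expected values are the lab's.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Expected = @(
    # Specify intranet Microsoft update service location (Task 2, steps 10-11)
    @{ Key = $WU;       Name = 'WUServer';           Value = 'http://LON-SVR4.Adatum.com:8530' },
    @{ Key = $WU;       Name = 'WUStatusServer';     Value = 'http://LON-SVR4.Adatum.com:8530' },
    @{ Key = "$WU\AU";  Name = 'UseWUServer';        Value = 1 },
    # Enable client-side targeting (steps 12-13)
    @{ Key = $WU;       Name = 'TargetGroupEnabled'; Value = 1 },
    @{ Key = $WU;       Name = 'TargetGroup';        Value = 'Research' },
    # Configure Automatic Updates, option 4 = auto download and schedule the install (steps 8-9)
    @{ Key = "$WU\AU";  Name = 'AUOptions';          Value = 4 }
)

function Test-WsusClientPolicy {
    # One row per policy value: what the GPO should have written, what is actually there.
    foreach ($e in $Expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Match    = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
}

$report = Test-WsusClientPolicy
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning 'WSUS policy not applied yet: run gpupdate /force and check gpresult /r again.'
} else {
    # Task 4, step 1: ask the client to report to and scan against LON-SVR4 now.
    wuauclt.exe /reportnow /detectnow
}
```

These values live under the Policies hive, so they are replaced on every policy refresh; a client showing a different WUServer after gpupdate /force is being managed by another GPO or a local script, and Gpresult /r lists which GPO won.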
Exercise 3: Approving and Deploying an Update by Using WSUS
Task 1: Approve WSUS updates for the Research computer group
1. On LON-SVR4, in Windows Server Update Services, under Updates, click Security Updates, right-click Security Update for Microsoft Office 2010 (KB2553371), 32-bit edition, and then click Approve.
2. In the Approve Updates window, in the Research drop-down list box, select Approved for Install.
3. Click OK, and then click Close.
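The same approval made from PowerShell on LON-SVR4, as an added example that is not part of the handbook, using the UpdateServices module that ships with the WSUS role in Windows Server 2012. It looks up the Research group (creating it as Exercise 2, Task 1 did if it is missing), lists the computers that will receive the approval, approves the KB2553371 32-bit update named in step 1 for that group only, and then prints the approval record so the change is attributable. It assumes the WSUS console connects over port 8530, as the lab's GPO setting does.

```powershell
# Added example (not from the handbook): Exercise 3, Task 1 with the UpdateServices module on LON-SVR4.
Import-Module UpdateServices

$wsus  = Get-WsusServer -Name 'LON-SVR4' -PortNumber 8530
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Research' }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup('Research') }   # Exercise 2, Task 1

# Which computers the approval will reach, and whether they have reported in (Exercise 2, Task 4).
$group.GetComputerTargets() |
    Format-Table FullDomainName, LastReportedStatusTime, LastSyncTime -AutoSize

# The update from step 1: the KB2553371 security update, 32-bit edition only.
$updates = Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved |
    Where-Object { $_.Update.Title -like '*KB2553371*' -and $_.Update.Title -like '*32-bit*' }

if (-not $updates) {
    Write-Warning 'KB2553371 (32-bit) is not in the unapproved Security Updates list; check the synchronization from LON-SVR1.'
} else {
    # Approved for Install, for the Research group only (steps 2-3).
    $updates | Approve-WsusUpdate -Action Install -TargetGroupName 'Research' -Verbose

    # The approval record: who approved it, for which group, and when.
    foreach ($u in $updates) {
        $u.Update.GetUpdateApprovals() |
            Select-Object @{ n = 'Title'; e = { $u.Update.Title } }, Action, AdministratorName, CreationDate
    }
}
```

Approving by explicit title match for one named group, rather than with an "approve all" rule, keeps the blast radius of a bad update to the Research computers, which is the reason the lab creates a separate group before approving anything.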
Task 2: Deploy updates to LON-CL1
1. On LON-CL1, at the command prompt, type the following command, and then press Enter:
Wuauclt.exe /detectnow
2. Switch to the Start screen, and then type Windows Update.
3. Under Search, click Settings, and then click Windows Update.
4. Click Check for updates now.
5. Click We’ll install 1 important update automatically.
6. Click Install to install the approved update.
7. Close the PC Settings window when the installation is complete.
Task 3: Verify update deployment to LON-CL1
1. On LON-CL1, on the Start screen, type Event Viewer, click Settings, and then press Enter.
2. In Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then click WindowsUpdateClient – Operational to view events.
3. Confirm that events are logged in relation to the update.
Results: After completing this exercise, you should have approved and deployed an update by using
WSUS.
To prepare for the next module
When you finish the lab, revert all virtual machines back to their initial state. To do this, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20411B-LON-SVR1, 20411B-LON-SVR4, and 20411B-LON-CL1.
Module 13: Monitoring Windows Server® 2012
Lab: Monitoring Windows Server 2012
Exercise 1: Establishing a Performance Baseline
Task 1: Create and start a data collector set
1. Switch to the LON-SVR1 computer.
2. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
3. In Start, type Perf, and in the Apps list, click Performance Monitor.
4. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.
5. Right-click User Defined, point to New, and then click Data Collector Set.
6. In the Create new Data Collector Set Wizard, in the Name box, type LON-SVR1 Performance.
7. Click Create manually (Advanced), and then click Next.
8. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
9. On the Which performance counters would you like to log? page, click Add.
10. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
11. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
12. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
13. Click Avg. Disk Queue Length, and then click Add >>.
14. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.
15. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.
16. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Next.
17. On the Where would you like the data to be saved? page, click Next.
18. On the Create the data collector set? page, click Save and close, and then click Finish.
19. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click Start.
Task 2: Create a typical workload on the server
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. In Start, type Cmd, and in the Apps list, click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
Fsutil file createnew bigfile 104857600
4. At the command prompt, type the following command, and then press Enter:
Copy bigfile \\LON-dc1\c$
5. At the command prompt, type the following command, and then press Enter:
Copy \\LON-dc1\c$\bigfile bigfile2
6. At the command prompt, type the following command, and then press Enter:
Del bigfile*.*
7. At the command prompt, type the following command, and then press Enter:
Del \\LON-dc1\c$\bigfile*.*
8. Do not close the command prompt.
Task 3: Analyze the collected data
1. Switch to Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click LON-SVR1 Performance, double-click the LON-SVR1_date-000001 folder, and then double-click DataCollector01.blg.
8. Click the Data tab, and then click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length, and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow, and then click Report.
17. Record the values listed in the report for later analysis.
Results: After this exercise, you should have established a baseline for performance-comparison purposes.
Exercise 2: Identifying the Source of a Performance Problem
Task 1: Create additional workload on the server
1. On LON-SVR1, switch to the command prompt.
2. At the command prompt, type the following command, and then press Enter:
C:
3. At the command prompt, type the following command, and then press Enter:
Cd\Labfiles
4. At the command prompt, type the following command, and then press Enter:
StressTool 95
Task 2: Capture performance data by using a data collector set
1. Switch to Performance Monitor.
2. In Performance Monitor, click User Defined, in the results pane, right-click LON-SVR1 Performance, and then click Start.
3. Wait one minute to allow the data capture to occur.
Task 3: Remove the workload, and review the performance data
1. After one minute, switch to the command prompt.
2. Press Ctrl+C.
3. Do NOT close the command prompt.
4. Switch to Performance Monitor.
5. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
6. In Performance Monitor, in the navigation pane, click Performance Monitor.
7. On the toolbar, click View log data.
8. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.
9. Click Add.
10. In the Select Log File dialog box, click Up One Level.
11. Double-click the LON-SVR1_date-000002 folder, and then double-click DataCollector01.blg.
12. Click the Data tab, and then click OK.
Note: If you receive an error at this point, or the values in your report are zero, repeat
steps 4 through 11.
Question: Compared with your previous report, which values have changed?
Answer: Memory and disk activity are reduced, although processor activity has increased
significantly.
Question: What would you recommend?
Answer: You should continue to monitor the server to ensure that the processor workload does not
reach capacity.
Results: After this exercise, you should have used performance tools to identify a potential performance bottleneck.
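The baseline of Exercise 1 and the under-load capture of Exercise 2, together with the comparison the two questions ask for, as an added example in PowerShell that is not part of the handbook. It samples the six counters the data collector set logs, once a second as in step 16, writes them to .blg files that Performance Monitor can open just like DataCollector01.blg, and then reports the average of each counter in both captures and the change between them, which answers "which values have changed?" with numbers rather than by eye. It assumes it runs on LON-SVR1 and that C:\PerfLogs is a writable location (a constructed path); the function names are the example's own.

```powershell
# Added example (not from the handbook): Exercise 1's collector set and Exercise 2's comparison
# with Get-Counter, Export-Counter and Import-Counter on LON-SVR1.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\System\Processor Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function Start-CounterCapture {
    # Sample the collector set's counters once a second for $Seconds seconds into a .blg file.
    param([string]$Path, [int]$Seconds = 60)
    Get-Counter -Counter $Counters -SampleInterval 1 -MaxSamples $Seconds |
        Export-Counter -Path $Path -FileFormat blg -Force
}

function Get-CounterSummary {
    # Average and peak of every counter instance in a .blg, keyed by counter path.
    param([string]$Path)
    $summary = @{}
    Import-Counter -Path $Path | ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path | ForEach-Object {
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            $summary[$_.Name] = [pscustomobject]@{
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
            }
        }
    return $summary
}

function Compare-CounterSummary {
    # Side by side: baseline average, current average and the relative change.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($path in ($Baseline.Keys | Sort-Object)) {
        if (-not $Current.ContainsKey($path)) { continue }
        $b = $Baseline[$path].Average
        $c = $Current[$path].Average
        $change = if ($b -ne 0) { '{0:+0.0%;-0.0%}' -f (($c - $b) / $b) } else { 'n/a' }
        [pscustomobject]@{ Counter = $path; Baseline = $b; Current = $c; Change = $change }
    }
}

$baselineLog = 'C:\PerfLogs\LON-SVR1-baseline.blg'   # constructed paths
$loadLog     = 'C:\PerfLogs\LON-SVR1-load.blg'
New-Item -Path 'C:\PerfLogs' -ItemType Directory -Force | Out-Null

# Exercise 1: capture while the file copy workload of Task 2 runs in the other window.
Start-CounterCapture -Path $baselineLog -Seconds 60
# Exercise 2: start StressTool 95 from C:\Labfiles (Task 1), then capture again for a minute.
Start-CounterCapture -Path $loadLog -Seconds 60

Compare-CounterSummary -Baseline (Get-CounterSummary -Path $baselineLog) `
                       -Current  (Get-CounterSummary -Path $loadLog) | Format-Table -AutoSize
```

With the lab's workloads the table should show the pattern the answer describes: Pages/sec, % Disk Time and Bytes Total/sec fall once the file copies stop, while % Processor Time and Processor Queue Length rise under StressTool. Keeping the baseline .blg is what makes a later "the server is slow" report answerable.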
Exercise 3: Viewing and Configuring Centralized Event Logs
Task 1: Configure subscription prerequisites
1. On LON-SVR1, switch to the command prompt.
2. At the command prompt, type the following command, and then press Enter:
winrm quickconfig
3. If prompted, type Y, and then press Enter.
4. On the taskbar, click Server Manager.
5. In Server Manager, in the navigation pane, click Local Server. On the toolbar, click Tools, and then
click Computer Management.
6. In Computer Management (Local), expand System Tools, expand Local Users and Groups, and then
click Groups.
7. In the results pane, double-click Administrators.
8. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.
9. In the Object Types dialog box, select the Computers check box, and then click OK.
10. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click OK.
11. In the Administrators Properties dialog box, click OK.
12. Switch to LON-DC1.
13. Pause your mouse in the lower-left of the taskbar, and then click Start.
14. In Start, type Cmd, and in the Apps list, click Command Prompt.
15. At the command prompt, type the following command, and then press Enter:
Wecutil qc
16. When prompted, type Y, and then press Enter.
Task 2: Create a subscription
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. In Start, type Event, and in the Apps list, click Event Viewer.
3. In Event Viewer, in the navigation pane, click Subscriptions.
4. Right-click Subscriptions, and then click Create Subscription.
5. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.
6. Click Collector Initiated, and then click Select Computers.
7. In the Computers dialog box, click Add Domain Computers.
8. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1, and then click OK.
9. In the Computers dialog box, click OK.
10. In the Subscription Properties – LON-SVR1 Events dialog box, click Select Events.
11. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.
12. In the Logged list, click Last 7 days.
13. In the Event logs list, expand Applications and Services, expand Microsoft, expand Windows, expand Diagnosis-PLA, and then select the Operational check box.
14. Click the mouse back in the Query Filter dialog box, and then click OK.
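The same collector-initiated subscription defined as a file and loaded with wecutil, as an added example that is not part of the handbook. The XML is the subscription format wecutil accepts, and the query inside it is the one the Query Filter dialog builds for the choices in steps 11 to 13 (Diagnosis-PLA Operational log, last 7 days, every level). It assumes it runs on LON-DC1 after Task 1 (winrm quickconfig on LON-SVR1, LON-DC1 added to LON-SVR1's Administrators group, Wecutil qc on LON-DC1), that LON-SVR1's full name is LON-SVR1.Adatum.com, and that the file path is a constructed one.

```powershell
# Added example (not from the handbook): Exercise 3, Task 2 as a subscription file on LON-DC1.
$SubscriptionFile = "$env:TEMP\LON-SVR1-Events.xml"   # constructed path

# Inside the CDATA the query is itself XML, so the XPath "<=" stays escaped as &lt;=,
# exactly as Event Viewer shows it on the XML tab of the Query Filter dialog.
@'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LON-SVR1 Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Diagnosis-PLA operational events from LON-SVR1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Diagnosis-PLA/Operational">
        <Select Path="Microsoft-Windows-Diagnosis-PLA/Operational">
          *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)
            and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-SVR1.Adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@ | Set-Content -Path $SubscriptionFile -Encoding UTF8

wecutil.exe cs $SubscriptionFile      # create the subscription (same as clicking OK in the dialog)
wecutil.exe gr 'LON-SVR1 Events'      # runtime status: each source should be Active, with no last error

# Forwarded events land in the collector's ForwardedEvents log on LON-DC1.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, MachineName, Id, LevelDisplayName -AutoSize
```

CredentialsType Default means the collector's machine account reads the source's log, which is why Task 1 puts LON-DC1 into LON-SVR1's local Administrators group; a subscription that shows Inactive in wecutil gr almost always comes down to that membership, the WinRM listener from winrm quickconfig, or a firewall blocking port 5985 on the source.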