40005B ENU Trainer Handbook

MCT USE ONLY. STUDENT USE PROHIBITED OFFICIAL MICROSOFT LEARNING PRODUCT 40005B First Look Clinic: Windows Server ® 2012


    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

    © 2012 Microsoft Corporation. All rights reserved.

    Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

    Product Number: 40005B

    Part Number: X18-72398

    Released: 11/2012

    MICROSOFT LICENSE TERMS
    OFFICIAL MICROSOFT LEARNING PRODUCTS
    MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

    These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply.

    BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.

    If you comply with these license terms, you have the rights below.

    1. DEFINITIONS.

    a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time.

    b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

    c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location.

    d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

    e. Licensed Content means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.

    f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.

    g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy Program.

    h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status.

    i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.

    j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner Network program member in good standing.

    k. Personal Device means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course.

    l. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

    m. Trainer Content means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.

    2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

    2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.

    a. If you are an Authorized Learning Center:

    i. If the Licensed Content is in digital format for each license you acquire you may either:

    1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or

    2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session.

    ii. You agree that:

    1. you will acquire a license for each End User and MCT that accesses the Licensed Content,

    2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,

    3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,

    4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,

    5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session,

    6. you will only provide access to the Licensed Content to End Users and MCTs,

    7. you will only provide access to the Trainer Content to MCTs, and

    8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

    b. If you are a MPN Member.

    i. If the Licensed Content is in digital format for each license you acquire you may either:

    1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or

    2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session.

    ii. You agree that:

    1. you will acquire a license for each End User and MCT that accesses the Licensed Content,

    2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,

    3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,

    4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,

    5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session,

    6. you will only provide access to the Licensed Content to End Users and MCTs,

    7. you will only provide access to the Trainer Content to MCTs, and

    8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

    c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

    d. If you are a MCT.

    i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

    ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of customize refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.

    2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.

    2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

    2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

    2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement.

    3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other provisions in this agreement, then these terms also apply:

    a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.

    b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

    c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest (beta term). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.

    4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.

    a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.

    b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.

    5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

    • install more copies of the Licensed Content on devices than the number of licenses you acquired;

    • allow more individuals to access the Licensed Content than the number of licenses you acquired;

    • publicly display, or make the Licensed Content available for others to access or use;

    • install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement.

    • reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation;

    • access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content;

    • access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or

    • transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

    6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.

    7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.

    8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

    9. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.

    10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

    11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

    12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.

    13. APPLICABLE LAW.

    a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

    b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

    14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

    15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

    16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.

    This limitation applies to

    • anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and

    • claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

    It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

    Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

    Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

    DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

    LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:

    • anything related to the licensed content, to services or to content (including code) on third-party Internet sites or in third-party programs; and

    • claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

    It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or any other damages, the above limitation or exclusion may not apply to you.

    LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.

    Revised December 2011


    Acknowledgments

    Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

    Andrew J Warren, Content Developer

    Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent teaching and writing. He has been involved as a subject matter expert for many of the Windows Server 2012 courses, and the technical lead on a number of other courses. He also has been involved in developing TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

    Marcin Policht, Technical Reviewer

    Marcin Policht obtained his Master of Computer Science degree over 15 years ago and has since been working in the Information Technology field, handling a variety of responsibilities, but focusing primarily on the areas of directory services, virtualization, system management, and database management.

    He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last six years.

    Contents

    Module 1: Server Management in Windows Server 2012
    Lesson 1: What's New in Server Manager
    Lesson 2: Windows PowerShell and Server Core Enhancements
    Lesson 3: What Is New in AD DS?
    Lesson 4: Dynamic Access Control

    Module 2: Storage and Networking in Windows Server 2012
    Lesson 1: Storage Enhancements
    Lesson 2: DirectAccess Improvements
    Lesson 3: Networking Technologies Improvements
    Lesson 4: Introducing IP Address Management

    Module 3: Hyper-V in Windows Server 2012
    Lesson 1: Storage Enhancements
    Lesson 2: Hyper-V Networking Improvements
    Lesson 3: Failover Clustering and Virtual-Machine Monitoring
    Lesson 4: Virtual Machine Movement and High Availability in Hyper-V

    About This Clinic

    This section provides you with a brief description of the clinic, audience, suggested prerequisites, and clinic objectives.

    Clinic Description

    This three-hour clinic introduces you to the key new features in Windows Server 2012. It outlines the new management and access features such as Server Manager, Active Directory and Windows PowerShell. It also covers storage and network improvements as well as high availability and Hyper-V enhancements.

    Audience

    This clinic is intended for IT Professionals who are interested in learning about the new features and functionality in Windows Server 2012. People who are key influencers and technology decision makers in an IT organization will also be interested in attending this clinic and will benefit from gaining early insight into some of the latest technologies included in Windows Server 2012. In general, early adopters of new technology or people looking to gain early insight into new functionality in Windows Server 2012 will benefit from attending this First Look Clinic.

    Student Prerequisites

    This clinic requires that you meet the following prerequisites:

    • Working experience and background knowledge of:
        • Windows Server 2008 or Windows Server 2008 R2
        • Windows Vista or Windows 7
        • Hyper-V
    • Basic understanding of Active Directory, DNS, DHCP, and general networking technologies.

    Clinic Objectives

    After completing this Clinic, students will be able to:

    • Explain the new features in Server Manager.
    • Explain the Windows PowerShell enhancements, and the enhancements to the Server Core installation of Windows Server 2012.
    • Describe the new and improved features in Active Directory Domain Services (AD DS).
    • Explain the benefits of Dynamic Access Control.
    • Explain the new storage enhancements in Windows Server 2012.
    • Explain the remote access improvements in Windows Server 2012.
    • Describe the improvements in networking technologies in Windows Server 2012.
    • Describe the availability enhancements in Windows Server 2012.
    • Describe the storage enhancements in Hyper-V in Windows Server 2012.
    • Describe new networking features for Hyper-V.
    • Describe Hyper-V Replica.
    • Describe new features in guest clustering and VM Monitoring.
    • Describe new features in Live Migration.

    Clinic Outline

    The clinic consists of three modules, as shown below.

    • Module 1: Server Management in Windows Server 2012
    • Module 2: Storage and Networking in Windows Server 2012
    • Module 3: Hyper-V in Windows Server 2012

    Clinic Materials

    The following materials are included with your kit:

    • Clinic Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

    Clinic evaluation

    At the end of the clinic, you will have the opportunity to complete an online evaluation to provide feedback on the Clinic, training facility, and instructor.

    To provide additional comments or feedback on the Clinic, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].


    Module 1: Server Management in Windows Server 2012

    Contents:

    Module Overview

    Lesson 1: What Is New in Server Manager?

    Lesson 2: Windows PowerShell and Server Core Enhancements

    Lesson 3: What Is New in AD DS?

    Lesson 4: Dynamic Access Control

    Module Review and Takeaways

    Module Overview

    Windows Server 2012 has many new and improved features to assist you with server management and administration. In this module, you will see some of the key new features that make management more functional and more straightforward.

    Objectives

    After completing this module, you will be able to:

    Explain the new features in Server Manager.

    Explain the PowerShell and Server Core enhancements.

    Describe the new and improved features in Active Directory Domain Services (AD DS).

    Explain the benefits of Dynamic Access Control.

    Lesson 1: What Is New in Server Manager?

    If your organization is large, you may be required to administer many servers, whether local or remote and physical or virtual. In addition, you might wish to maintain these servers and deploy roles and features from one central console. Windows Server 2012 Server Manager enables you to manage multiple servers from a single location, delivering true multi-server management.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Explain how to administer servers from a central location.

    Explain how to deploy roles and features to remote servers.

    Explore the new user interface.

    Perform server management using the new Server Manager console.

    Administering Servers with Server Manager

    Although you can remotely manage servers in Windows Server 2008 R2, you can only attach to one server at a time, and you cannot remotely deploy roles and features. Server Manager in Windows Server 2012 enables you to manage multiple servers, regardless of whether the servers are local or remote and whether they are physical or virtual.

    Note: In Windows Server 2008 R2, managing multiple servers from Server Manager requires a separate instance of Server Manager for each server you wish to manage. In Windows Server 2012, you can use one instance of Server Manager to manage many servers.

    Windows PowerShell provides a very powerful scripting interface that you can use to manage your servers. In Windows Server 2008 R2, only a few Server Manager actions could be run within Windows PowerShell. Now, you can run all Server Manager commands from within Windows PowerShell. Furthermore, Server Manager is able to generate XML configuration files when you add a role or feature. You can use these XML configuration files to configure deployment of roles or features to another server from Windows PowerShell.

    You can use the Server Manager console to perform the following tasks on both local servers and remote servers:

    Add roles and features

    Launch Windows PowerShell sessions

    View events

    Perform server configuration tasks

    Grouping Servers

    Server Manager enables you to manage many servers from one interface. You could, therefore, organize your servers to enable you to view an overall picture of the health of your organization's enterprise and to simplify finding a particular server. Server Manager automatically organizes servers by role, a structure that enables you to see all print servers quickly, for example.

    A server with multiple roles will appear in multiple groups. This can be useful in many situations, but you often want servers grouped by location, department, or some other metric. In Server Manager you can group servers however you want, and then view the status of the servers based on your groups.

    Centralized Dashboard

    The Dashboard in Server Manager provides an essential health report of all of the servers that you manage. You can quickly see which server groups, or roles, have problems and then examine the details to resolve the problems.

    The ability to see the status of all of your servers in one dashboard view is a useful feature of Server Manager. After you have viewed the status of your servers, you might wish to take some remedial action. For example, you might want to stop a service on multiple servers, or you might want to restart a group of servers. If you performed these actions consecutively it would take up more of your time to issue the commands. In Server Manager, you can select multiple servers and perform these actions concurrently, reducing the overall time taken to perform the actions.

    Best Practice Analyzers

    Server Manager includes a Best Practices Analyzer tool for all Windows Server 2012 roles. With Best Practices Analyzer, you can determine whether roles on your network are functioning efficiently or if there are problems that you need to rectify. Best Practices Analyzer examines how a role functions so you can be aware of health issues associated with specific roles before those health issues cause a failure that impacts the server functionality. This analysis includes querying associated event logs for warning and error events.

    Adding and Removing Roles and Features

    Managing roles, their associated role services, and features, is still a primary function of a server running Windows Server 2012. In Windows Server 2008 R2 Server Manager, you could neither remotely deploy roles and features, nor deploy roles or features to virtual machines from the host. Windows Server 2012 Server Manager enables you to remotely deploy roles and features and facilitate any required server restarts. You can also add roles and features to virtual hard disks (VHDs) even when the associated virtual machine is not running. In addition, you can use Server Manager to remove roles and features.

    You cannot add roles or features to multiple servers with a single command, but you can save an XML configuration file of a role or feature deployment. You can then configure a deployment of roles and features from a Windows PowerShell script using this configuration file. You can run this script against another server or modify the script to connect to multiple servers.


    Demonstration: Optional: Exploring the User Interface

    This demonstration shows how to navigate the user interface in Windows Server 2012.

    Demonstration Steps

    1. Sign in to server LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

    2. If the Server Manager console is open, click the X in the top right corner to close the Server Manager console.

    Note: The shortcut keys described here will work if you have the virtual machine in full-screen mode. You can put the virtual machine in full-screen mode by double-clicking on the top of the virtual machine window. You can get in and out of full-screen mode by pressing Ctrl+Alt+Pause.

    3. Pause the mouse pointer over the bottom left hand corner of the Taskbar and click Start. Alternatively, either hold down the Ctrl and Esc keys, or press the Windows logo key.

    4. In Start, right-click Computer. Notice that the context menu appears in the Taskbar.

    5. Right-click Computer. Notice that the context menu disappears.

    6. In the Start menu, click on the user that is signed in (Administrator), and then click Sign out.

    7. Once signed out, press Ctrl+Alt+Delete.

    8. Sign in to LON-DC1 by using the Adatum\Administrator account and the password Pa$$w0rd.

    Note: If the virtual machine is in full-screen mode and you cannot access the Ctrl+Alt+Delete keys, press Ctrl+Alt+Pause to remove the full-screen focus.

    The virtual machine can be put into full-screen mode by double clicking on the top of the virtual machine window.

    9. When you have logged on, pause the mouse pointer over the bottom right of the desktop, or press Windows logo key + C. The charms bar appears.

    10. Click Settings, click Power, and then click Restart.

    11. Choose Other (Planned) from the drop down list.

    12. Press Esc. The drop down list will disappear.

    13. Move the mouse pointer over the bottom right or upper right corner of the desktop, or press Windows logo key + C.

    14. Click Search. Notice the items in the Administrative Tools list and the other lists such as Apps, Windows Accessories.

    15. In the Search box, type explorer.

    16. In the Apps list, click File Explorer.

    17. In the Libraries dialog box, click the red X in the top right corner of the window.

    18. Pause the mouse pointer in the bottom right or upper right corner of the desktop, or press Windows logo key + C.

    19. In the charms bar, click Start. Note that the start menu appears.


    20. Click on Control Panel.

    21. Close Control Panel by clicking the red X in the upper right corner.

    22. Press Windows logo key + R to launch the search or Run dialog. Click Cancel to close the Run dialog.

    23. On the taskbar, click Windows PowerShell.

    24. Close Windows PowerShell by clicking the red X in the upper right corner of the screen.

    25. On the taskbar, click the Server Manager icon.

    Demonstration: Exploring Server Management in Windows Server 2012

    This demonstration shows how to:

    Launch Server Manager

    Add a server role or feature

    View role related events

    Run the Best Practice Analyzer for a role

    List the available tools in Server Manager

    Open the Start Menu

    Sign out and sign in

    Remove a role

    Demonstration Steps

    1. If necessary, sign in to server LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

    2. Click Close to close the Server Manager console.

    3. On the Windows Server 2012 taskbar, click the Server Manager icon to open the Server Manager console.

    4. In the Server Manager console, click Manage, and then click Add Roles and Features. This action launches the Add Roles and Features Wizard.

    5. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

    6. On the Select installation type page of the Add Roles and Features Wizard, select Role-based or feature-based installation, and then click Next.

    7. On the Select destination server page of the Add Roles and Features Wizard, select a server from the server pool, verify that LON-DC1.Adatum.com is selected, and then click Next.

    8. On the Select server roles page of the Add Roles and Features Wizard, select the Network Policy and Access Services check box.

    9. In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.

    10. On the Select features page, select the Client for NFS check box, and then click Next.

    11. On the Network Policy and Access Services page, click Next.

    12. On the Select role services page, click Next.

    13. On the Confirmation page of the Add Roles and Features Wizard, select the Restart the destination server automatically if required check box, click Yes and then click Install.


    14. On the Installation progress page of the Add Roles and Features Wizard, click Close.

    15. Click the flag icon next to Server Manager Dashboard and review the messages.

    16. In the Server Manager console, click the Dashboard node on the left-hand side.

    17. In the Roles and Server Groups area in the middle of the screen in the DNS box, click Events.

    18. On the DNS - Events Detail View, change the time period to 18 hours and the Event Sources to All, and then click OK.

    19. In the Roles and Server Groups area, under DNS, click BPA results.

    20. In the DNS - BPA Results Detail View dialog box, in the Severity Levels drop-down menu, select the All check box, and then click OK.

    21. In the Server Manager console, click the Tools menu, and then review the tools that are installed on LON-DC1.

    22. Pause the mouse pointer in the lower left of the Taskbar, and then click Start.

    23. In the Start menu, click Administrator, and then click Sign out.

    24. Sign in to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.

    25. In Server Manager, click Manage, and then click Remove Roles and Features.

    26. In the Remove Roles and Features Wizard, on the Before you begin page, click Next three times.

    27. On the Remove features page, clear the Client for NFS check box and then click Next.

    28. Click Remove.

    29. Click Close.

    Lesson 2: Windows PowerShell and Server Core Enhancements

    Windows PowerShell is a command-line shell and task-based scripting technology that is built into Windows Server 2012. Windows PowerShell simplifies the automation of common systems administration tasks. Windows Server 2012 extends Windows PowerShell with a new Integrated Scripting Environment (ISE). In addition, the number of cmdlets has increased from approximately 200 to more than 2000. You can use Windows PowerShell to perform all of the tasks that you can perform in Server Manager.

    In Windows Server 2008 R2, there is no way to convert a Server Core deployment on a server on which the graphical interface has been deployed without triggering the need for a new installation. In Windows Server 2012, you can now remove the graphical user interface (GUI) on a standard server, and reinstall it later if necessary.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Describe the functions of Windows PowerShell ISE.

    Describe how to remove the graphical shell from Windows Server 2012.

    Configure Windows Server using Windows PowerShell ISE.

    Using Windows PowerShell in Windows Server 2012

    Windows PowerShell is a scripting language designed to assist you in performing day-to-day administrative tasks. Windows PowerShell is made up of cmdlets that you execute at a Windows PowerShell prompt or combine into Windows PowerShell scripts. Other scripting languages in use for system administration tasks were designed for other purposes. Windows PowerShell is designed with system administration tasks in mind.

    An increasing number of Microsoft products, such as Microsoft Exchange Server 2010, have graphical interfaces that build Windows PowerShell commands. These products allow you to view the generated Windows PowerShell script, so that you can execute the task at a later time without having to go through all of the steps in the GUI. Being able to automate complex tasks simplifies a server administrator's job and saves time.

    You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for performing Active Directory management tasks, and the DNS Server module includes Windows PowerShell cmdlets that are specifically useful for performing domain name server (DNS) server management tasks. Windows PowerShell now also includes features such as tab completion. Tab completion allows administrators to complete commands by pressing the tab key rather than having to type the complete command.

    Note: You can determine which Windows PowerShell cmdlets are available by executing the Get-Command cmdlet.

    Windows PowerShell ISE

    Windows PowerShell ISE is an integrated scripting environment that assists you when using Windows PowerShell. It provides command completion functionality, and allows you to see all available commands and the parameters that can be used with those commands.

    Windows PowerShell ISE simplifies the process of using Windows PowerShell because you can execute cmdlets from the ISE. You can also use a scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically correct Windows PowerShell commands.

    Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.

    You can use the Windows PowerShell ISE environment to view available cmdlets by module. You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.

    Removing and Restoring the Graphical Interface

    Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:

    Reduced update requirements. Because Server Core installs fewer components, Server Core deployments require the application of fewer software updates. This reduces the amount of time required for an administrator to service Server Core.

    Reduced hardware footprint. Server Core computers require less random access memory (RAM) and less hard disk space.

    Administration of Server Core can be difficult in some instances, such as when configuring third party device drivers, or where administrators have limited command line abilities.

    Although there are obvious benefits to using Server Core, there were certain tradeoffs to previous versions. Previous versions of Server Core had to be configured using a command line, and conversion backwards and forwards between the Server Core version and the full version was not possible. This caused many deployments of the Full version when Server Core would have been more suitable.

    There are two ways of installing a Server Core version of Windows Server 2012 configuration:

    Server Core. This is the standard deployment of Server Core. Conversion to the full version of Windows Server 2012 with the graphical administration components is possible only if you have access to an installation source with all server files, such as a mounted Windows image file (.WIM) image.

    Minimal Server Interface. It works the same as a deployment of Windows Server 2012, except that the graphical components are not installed, but nor are they removed. You can convert between Minimal Server Interface and Windows Server 2012 with a graphical interface by installing the graphical features, but without needing to specify an installation source.


    Note: Removing the GUI reduces the disk footprint by around 300 MB, while Server Core is approximately 4 GB smaller.

    You can uninstall the graphical interface either partially or completely by using the Remove Roles and Features Wizard in Server Manager. This feature enables you to deploy a server and configure remote administration using the graphical interface and then uninstall the graphical interface and manage the server remotely.

    You can also choose to leave a partial graphical interface so that you can still run administration tools such as Server Manager locally.

    You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:

    Import-Module ServerManager
    Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount\windows\winsxs

    Another related installation option is Features on Demand. This is a full installation of Windows Server 2012, but with only the basic required roles and features installed. Additional roles and features may be installed later as required from a remote source, reducing local storage requirements and footprint.
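    The following added example is not part of the original handbook. It reports which interface layer a server is running (Server Core, Minimal Server Interface, or full GUI) and previews the conversions described above with -WhatIf, so nothing is changed. It assumes the Windows Server 2012 feature names Server-Gui-Mgmt-Infra and Server-Gui-Shell (subfeatures of User-Interfaces-Infra), reuses the lab server LON-DC1 and the c:\mount image path from the text above, and the function name Get-InterfaceLayer is hypothetical.

```powershell
# Added example, not from the handbook. Get-InterfaceLayer is a hypothetical helper.
Import-Module ServerManager

function Get-InterfaceLayer {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName
    )

    foreach ($computer in $ComputerName) {
        # Query only the two features that decide the interface layer.
        $features = @(Get-WindowsFeature -ComputerName $computer `
                        -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell)

        $mgmt  = $features | Where-Object { $_.Name -eq 'Server-Gui-Mgmt-Infra' }
        $shell = $features | Where-Object { $_.Name -eq 'Server-Gui-Shell' }

        if ($shell.Installed)    { $layer = 'Full GUI' }
        elseif ($mgmt.Installed) { $layer = 'Minimal Server Interface' }
        else                     { $layer = 'Server Core' }

        # InstallState 'Removed' means the feature files are not on disk,
        # so reinstalling the GUI needs -Source pointing at a mounted image.
        $removed = @($features | Where-Object { $_.InstallState -eq 'Removed' })

        [pscustomobject]@{
            ComputerName = $computer
            Layer        = $layer
            NeedsSource  = ($removed.Count -gt 0)
        }
    }
}

# Inventory: add more server names to the list to cover a whole server group.
Get-InterfaceLayer -ComputerName LON-DC1 | Format-Table -AutoSize

# Preview only. Remove -WhatIf and add -Restart to apply a change.

# Full GUI -> Minimal Server Interface: remove the shell, keep the management tools.
Uninstall-WindowsFeature -Name Server-Gui-Shell -WhatIf

# Full GUI or Minimal Server Interface -> Server Core.
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra -WhatIf

# Server Core -> full GUI, using the mounted image when the files were removed.
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
    -Source c:\mount\windows\winsxs -WhatIf
```

    Servers that report NeedsSource as True are the ones where the conversion back to the graphical interface depends on access to an installation source.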

    Demonstration: Administering Windows Server with Windows PowerShell ISE

    This demonstration shows how to:

    Launch Windows PowerShell ISE.

    Use the IntelliSense feature of Windows PowerShell ISE.

    View the installed roles and features on LON-DC1.

    Demonstration Steps

    1. On LON-DC1, on the Windows taskbar, right-click the Windows PowerShell icon, and then click Windows PowerShell ISE.

    2. In the Windows PowerShell ISE command line area, type get-. Cmdlet names appear in an IntelliSense list. This is a list of items that match what you have typed in order to help you identify the command you are looking for.

    3. Scroll through the list of cmdlets, and locate Get-Help.

    4. Single click Get-Help in the IntelliSense and pause the mouse over the cmdlet in the IntelliSense list. Notice the parameter help window that appears, outlining the parameters and switches that can be used with Get-Help.

    5. Double-click Get-Help in the IntelliSense list. This puts the Get-Help cmdlet into the Windows PowerShell ISE command line interface.

    6. Press Enter and note the help text that is displayed.

    7. In the Windows PowerShell ISE Commands tab on the right hand side of the window, type feature. The ISE displays a list of cmdlets that contain feature in the name.

    8. Scroll through the list, click on Get-WindowsFeature and click the Show Details button.


    9. Note the parameters for Get-WindowsFeature: section that appears, and the boxes that allow you to enter values for the parameters listed.

    10. In the ComputerName: box type LON-DC1.

    11. Click the Insert button. If the Insert button is greyed out you can just proceed to the next step.

    12. Click the Run button.

    13. The Windows PowerShell ISE returns the list of features on LON-DC1.

    14. Close the Commands tab by clicking the black X in the top right hand corner.

    15. In Windows PowerShell ISE, type get-win.

    16. In the IntelliSense list, double-click Get-WindowsFeature.

    17. The Get-WindowsFeature is now present in the command line interface.

    18. After Get-WindowsFeature, press the Space bar, and then type | Sort-.

    19. The IntelliSense list appears listing the sort-object cmdlet.

    20. Double-click Sort-Object in the IntelliSense list.

    21. Press the Space bar and then type InstallState.

    22. You should now have the following command in the Windows PowerShell ISE:

    Get-WindowsFeature | Sort-Object InstallState

    23. Press Enter.

    24. Windows PowerShell ISE lists all possible features on the server sorted by Available, Installed, and Removed.

    25. Close Windows PowerShell ISE.
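    The following added example is not part of the original handbook. It builds on the Get-WindowsFeature listing from the demonstration: it records the installed roles and features of a server as a baseline and later reports anything added or removed, which is how an unexpected role (extra attack surface) shows up. The function names and the baseline file location are hypothetical; LON-DC1 is the lab server used above.

```powershell
# Added example, not from the handbook. Function names and the file path are hypothetical.
Import-Module ServerManager

function Save-FeatureBaseline {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $Path
    )
    # Record only what is installed right now, one feature name per row.
    Get-WindowsFeature -ComputerName $ComputerName |
        Where-Object { $_.Installed } |
        Sort-Object Name |
        Select-Object Name, DisplayName |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-FeatureBaseline {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $Path
    )
    $expected = @(Import-Csv -Path $Path | Select-Object -ExpandProperty Name)
    if ($expected.Count -eq 0) {
        # Compare-Object cannot bind an empty reference list; fail clearly instead.
        throw "Baseline file '$Path' contains no features."
    }

    $current = @(Get-WindowsFeature -ComputerName $ComputerName |
                 Where-Object { $_.Installed } |
                 Select-Object -ExpandProperty Name)

    # '=>' marks names present now but not in the baseline, '<=' the reverse.
    Compare-Object -ReferenceObject $expected -DifferenceObject $current |
        ForEach-Object {
            if ($_.SideIndicator -eq '=>') { $drift = 'Added since baseline' }
            else                           { $drift = 'Removed since baseline' }

            [pscustomobject]@{
                ComputerName = $ComputerName
                Feature      = $_.InputObject
                Drift        = $drift
            }
        }
}

# Take the baseline once, while the server is in its approved state.
$baselineFile = Join-Path $env:TEMP 'LON-DC1-features.csv'
Save-FeatureBaseline -ComputerName LON-DC1 -Path $baselineFile

# Run again after changes, for example after the Add Roles and Features
# demonstration; no output means the server still matches the baseline.
Compare-FeatureBaseline -ComputerName LON-DC1 -Path $baselineFile |
    Format-Table -AutoSize
```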

    Lesson 3: What Is New in AD DS?

    Windows Server 2012 includes important improvements to AD DS, such as: security enhancements, extension of the GUI, and simplified domain deployment. This lesson explores these improvements.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Identify the new features for AD DS.

    Explain how to use the Active Directory Recycle Bin.

    Describe the improved domain deployment capabilities.

    Explain how AD DS virtualization is safer.

    Describe Group Managed Service Accounts.

    Important New Features

    Windows Server 2012 has several new features for AD DS. Windows PowerShell command line interface is the underlying component behind installations and configurations. It enables full scripting and automation and new GUIs for previous command-line-only activities.

    Some new features are described in the following table.

    Feature: Deployment

    Improvement:

    Server Manager now enables installation of the AD DS role on both remote and local computers. The Active Directory Domain Services Configuration Wizard replaces Active Directory Installation Wizard (also called DCPromo).

    Deployment now uses Windows PowerShell in the background.

    When you install Active Directory on the member server, Windows Server 2012 performs prerequisite checks that validate domain and forest readiness.

    Improved support for virtualizing domain controllers.

    Feature: Simplified administration

    Improvement:

    Improvements to configure and monitor AD DS through the Server Manager console include:

    A GUI for the Active Directory Recycle Bin.

    A GUI to implement fine-grained passwords.

    Group Policy health monitoring.

    AD DS-specific performance monitoring and best practice analysis.

    Active Directory management tools, which you can open from the Server Manager console.

    Feature: Support for virtualized domain controllers

    Improvement:

    Improvements in the virtual environment include:

    Cloning domain controllers is now a supported option to enable automated deployment and rollback protection.

    Restoration of domain controller snapshots does not disrupt the AD DS environment.

    Feature: Active Directory module for Windows PowerShell

    Improvement:

    The Active Directory module has new cmdlets for replication topology management, Dynamic Access Control, and other operations. Using the Active Directory Installation Wizard (also called DCPromo) is no longer required to create a domain controller. When you use Windows PowerShell to install AD DS, Active Directory Installation Wizard functionality is now included in the cmdlet.

    Feature: Windows PowerShell history viewer

    Improvement:

    When administrators use the Active Directory Administrative Center, they can now view the underlying Windows PowerShell commands that are executed. This reduces the time required to learn the Windows PowerShell commands.

    Feature: Active Directory Based Activation (AD BA)

    Improvement:

    Key Management Servers (KMS) are no longer required to activate domain-member computers running Windows Server 2012 and Windows 8. Activating the initial customer-specific volume license key (CSVLK) requires a one-time contact with Microsoft Activation over the Internet.

    Active Directory Recycle Bin

    The Active Directory Recycle Bin was introduced in Windows 2008 R2. You could only access this feature by using Windows PowerShell cmdlets and the Ldp.exe Lightweight Directory Access Protocol (LDAP) tool.

    You can now access the Active Directory Recycle Bin from the Active Directory Administrative Center in Windows Server 2012. This simplifies the recovery of Active Directory objects that were erroneously deleted. The Active Directory Recycle Bin lets administrators enable the Recycle Bin and locate or restore deleted objects in the domain. Use of Windows PowerShell or Ldp.exe to enable the recycle bin or restore objects in domain partitions is no longer required.

    ATh

    D

    WthDdoyoSeseM

    Yom

    Active Directhe Active Direc

    It must be m

    The Active you delete base OU do

    Active Dire

    You must bDirectory R

    The recyclecontroller ipreserves o

    Objects arelifetime of t

    After the AActive Dire

    Deploying

    With Windows he AD DS role CPromo to proomain controlou can promoterver Managereparate wizard

    Manager.

    ou can add themethods:

    The graphicthe graphicinstall the bdeploymen

    o Installs

    o Installs

    o Config

    o Enable

    o Prepare

    The ServerMmodule for

    Note: You

    tory Recyclectory Recycle

    manually enab

    Directory Recyan organizatio

    oes not restore

    ctory Recycle

    be a member oRecycle Bin.

    e bin increases n the forest. D

    objects and all

    e preserved in the forest. This

    ctive Directoryctory Administ

    Domain C

    Server 2008, yto add the binomote the comler. In Windowte a domain cor to add the A

    d to configure

    e AD DS role b

    cal Server Mancal wizard in Sebinary files andnt wizard perfo

    AD DS remot

    DNS by defau

    ures the doma

    s configuratio

    es schema ext

    Manager Power local or remo

    u can also use

    e Bin CharacBin has the fol

    bled. As soon a

    ycle Bin cannoonal unit (OU)e the child obj

    Bin requires at

    of the Domain

    the size of theDisk space that

    attribute data

    the recycle bins is 180 days b

    y Recycle Bin istrative Center

    Controllers

    you could instanary files and umputer to be aws Server 2012ontroller by usD DS role. YouAD DS within

    binaries using

    nager. You canerver Managerd perform all torms the follow

    ely.

    ult.

    ain controller a

    n of advanced

    ension and do

    erShell moduleote installation

    the command

    cteristics llowing charac

    as it is enabled

    ot restore sub-twith nested Oects. That mus

    t least Window

    Administrator

    e Active Directis used by the.

    n for a configuby default.

    s enabled, deleconsole.

    s

    all use a 2, sing u use a Server

    these

    n use r to he required co

    wing tasks:

    as a Global Ca

    d mode setting

    omain prepara

    e. You can adds.

    d-line tool, Dis

    cteristics:

    d, you cannot d

    trees of objectOUs, users, grost be done in a

    ws Server 2008

    rs group to rec

    tory database e recycle bin co

    urable amount

    eted restorabl

    onfiguration ta

    talog.

    gs.

    tion automatic

    d AD DS binari

    sm.exe, to dep

    First Look Clinic: W

    disable it.

    ts in a single aoups, and coma subsequent o

    8 R2 Forest Fun

    cover objects f

    (NTDS.DIT) onontinues to in

    t of time to ma

    e objects can

    asks of a doma

    cally in the ba

    ies using the A

    loy the AD DS

    Windows Server 20

    action. For examputers, restorinoperation.

    nctional Level.

    from the Activ

    n every domaincrease over tim

    atch the tomb

    be viewed in t

    ain controller.

    ckground.

    AD DS PowerSh

    S role.

    012 1-13

    mple, if ng the

    ve

    n me as it

    stone

    the

    The

    hell

    Improvements to Domain Controller Virtualization

    Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents certain challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. Prior to Windows Server 2012, you could create virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.

    Windows Server 2012 VDCs have two new capabilities:

    Domain controllers can be safely cloned to deploy additional capacity and save configuration time.

    Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.

    Safe Cloning

    A cloned domain controller automatically syspreps (based on settings in DcCloneConfig.xml) and promotes itself using the existing local AD DS data as installation media.

    Safe Backup and Restore

    Rolling back to a previous snapshot of a VDC is problematic because AD DS uses multi-master replication that relies on changes being assigned increasing numeric values called Update Sequence Numbers (USNs). These USNs together with the database identifier, called InvocationID, uniquely identify updates. Each domain controller keeps track of the USNs of its replication partners. When a VDC restored from a snapshot reassigns existing USNs to new changes, these changes are ignored by the replication partners of the VDC. This mechanism causes inconsistencies in the AD DS database. Windows Server 2012 Hyper-V is capable of detecting that a snapshot restore has been applied to a VDC and forces inbound synchronization with replication partners to ensure that local USNs are current.

    Creating a VDC Clone

    To create a VDC clone in Windows Server 2012, perform the following high level steps:

    1. Grant the source VDC the permission to be cloned.

    2. Run Get-ADDCCloningExcludedApplicationList cmdlet.

    3. Run New-ADDCCloneConfigFile.

    4. Export and then import the virtual machine of the source domain controller.
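    The USN rollback problem described under Safe Backup and Restore, as an added Python model that is not part of the courseware or of any Microsoft code. The `DC` class, the object names and the `inv-N` identifiers are constructed for illustration; the safe path also resets the InvocationID, which is how Windows Server 2012 implements the safeguard and is not spelled out on this page.

```python
# Toy model (constructed for illustration) of USN / InvocationID bookkeeping
# between a virtualized domain controller and one replication partner.
import copy
import itertools

_ids = itertools.count(1)

class DC:
    def __init__(self, name):
        self.name = name
        self.invocation_id = f"inv-{next(_ids)}"
        self.usn = 0
        self.updates = {}  # (originating InvocationID, USN) -> (object, value)

    def write(self, obj, value):
        """Originating change: consume the next local USN."""
        self.usn += 1
        self.updates[(self.invocation_id, self.usn)] = (obj, value)

    def vector(self):
        """Highest USN this DC has seen per originating InvocationID."""
        seen = {}
        for inv, usn in self.updates:
            seen[inv] = max(seen.get(inv, 0), usn)
        return seen

    def pull_from(self, partner):
        """Inbound replication: take only updates above our watermark."""
        seen = self.vector()
        wanted = {k: v for k, v in partner.updates.items()
                  if k[1] > seen.get(k[0], 0)}
        self.updates.update(wanted)
        return len(wanted)

    def objects(self):
        return {obj for obj, _ in self.updates.values()}

    def snapshot(self):
        return (self.invocation_id, self.usn, copy.deepcopy(self.updates))

    def restore(self, snap, safe):
        """Roll the database back; the safe path takes a fresh InvocationID."""
        self.invocation_id, self.usn, updates = snap
        self.updates = copy.deepcopy(updates)
        if safe:
            self.invocation_id = f"inv-{next(_ids)}"

def scenario(safe):
    """Return (updates the partner accepted after the restore, DCs converged?)."""
    vdc, partner = DC("VDC"), DC("PARTNER")
    vdc.write("alice", "created")
    vdc.write("bob", "created")
    partner.pull_from(vdc)
    snap = vdc.snapshot()               # taken at USN 2
    vdc.write("carol", "created")       # USN 3
    vdc.write("dave", "created")        # USN 4
    partner.pull_from(vdc)              # partner watermark for the VDC is now 4
    vdc.restore(snap, safe)             # VDC is back at USN 2
    if safe:
        vdc.pull_from(partner)          # forced inbound synchronization
    vdc.write("erin", "created")        # reuses USN 3
    accepted = partner.pull_from(vdc)
    vdc.pull_from(partner)
    return accepted, vdc.objects() == partner.objects()

if __name__ == "__main__":
    print("unsafe restore:", scenario(safe=False))
    print("safe restore:  ", scenario(safe=True))
```

    In the unsafe run the partner already holds USN 4 for the old InvocationID, so the post-restore change at USN 3 is never requested and the two databases stay different.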

    Group Managed Service Accounts

    Standalone Managed Service Accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management to single servers. Group Managed Service Accounts provide the same functionality within the domain but also extend that functionality over multiple servers. When connecting to a service hosted on a server farm, such as a Network Load Balancing cluster, the authentication protocols supporting mutual authentication require that all instances of the services use the same principal. When Group Managed Service Accounts are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.

    Note: Group Managed Service Accounts can only be configured and administered on computers running Windows Server 2012.

    Group Managed Service Accounts provide a single identity solution for services running on a server farm or on systems configured as a Network Load Balancing cluster. Administrators do not need to manage password synchronization between service instances when using a Group Managed Service Account.

    The Group Managed Service Account supports hosts that are kept offline for an extended time period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service they are connecting to.

    Note: For Windows Server 2012, the Windows PowerShell cmdlets default to managing the Group Managed Service Accounts instead of the original Standalone Managed Service Accounts.

    Lesson 4

    Dynamic Access Control

    Dynamic Access Control is a new claims-based authorization system in Windows Server 2012. You can configure Dynamic Access Control to reflect your organization's business structure and processes, making it more straightforward to translate business rules into access control rules to enhance, rather than replace, the existing authorization model.

    Lesson Objectives

    After completing this lesson, you will be able to:

    Describe Dynamic Access Control.

    Explain identity, claims, and central access policy.

    Explain the high-level steps necessary to implement Dynamic Access Control.

    Implement Dynamic Access Control.

    Introduction to Dynamic Access Control

    Because much of the data in an organization is stored on file servers, IT administrators must help provide security and access control to file server resources. In previous versions of Windows Server, most access control to file server resources was performed using NTFS file system permissions and access control lists.

    Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file system resources that enables administrators to define central file access policies that can apply to every file server in the organization. Dynamic Access Control helps implement security over file servers, in addition to any existing share and NTFS file system permissions. Dynamic Access Control ensures that this central overriding policy is still enforced, regardless of how the share and NTFS file system permissions might change. Dynamic Access Control combines multiple criteria into the access decision. This augments the NTFS Access Control Lists (ACL) so that users must satisfy both the NTFS ACL and the central access policy to gain access to the file.

    Dynamic Access Control provides:

    Data classification. You can use automatic and manual classification of files to tag data in file servers across the organization.

    Access control to files. Central access policies enable organizations to define who can access particular data. For example, these policies can restrict access to personal employee medical health information within the organization.

    Auditing of access to files. Central audit policies can aid compliance reporting and forensic analysis. For example, you can identify who accessed highly sensitive information.

    Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for sensitive Microsoft Office documents. For example, you can configure RMS to encrypt all documents containing Health Insurance Portability and Accountability Act (HIPAA) information.

    Dynamic Access Control focuses on four main end-to-end scenarios:

    Central access policy for access to files. Enable organizations to set safety net policies that reflect business and regulatory compliance.

    Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance reporting and forensic analysis.

    Protecting sensitive information. Identify and protect sensitive information both in a Windows Server 2012 environment and when it leaves the Windows Server 2012 environment.

    Access denied remediation. Improve the access denied experience to reduce the helpdesk load and incident time for troubleshooting.

    Dynamic Access Control provides a flexible way to apply and manage access and auditing to domain-based file servers. Dynamic Access Control uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries. With this combination of features, you can now grant access to files and folders based on AD DS attributes.

    What are Identity, Claims, and Central Access Policy?

    In order to plan and implement Dynamic Access Control, you must understand some fundamental concepts.

    Identity

    Identity is information provided from a trusted source about an entity. This identity is considered authoritative because the source is trusted. Older versions of Windows Server used the user and group account security identifiers (SIDs) to represent the identity of a user or computer. Users authenticate to the domain with a specific user name and password. The unique logon name translates into the SID. The domain controller validates the password and provides back a token with the SID of the security principal and the SIDs of all the groups of which the principal is a member. The domain controller "claims" the user's SID is valid and should be used as the identity of the user. Because all domain members trust the domain controller, the response is treated as authoritative.

    But identity does not need to be limited to the user's SID. Applications can use any information about the user as a form of identity, provided that the application trusts the source of the information to be authoritative.

    Claim

    Claims provide information from a trusted source about an entity. Windows Server 2008 and Windows Server 2003 use claims in Active Directory Federation Services (AD FS); these claims are statements made about users which are understood by both partners in an AD FS federation.

    Some examples of claims are the user's department and security clearance; these claims state something about a specific entity. Specifically, claims state the value of a particular attribute of a user or computer object. An entity can contain more than one claim. When configuring resource access, you can use any combination of those claims to control access to resources.


    Windows Server 2012 introduces two new types of claims:

    User Claim. A user claim is information provided by a Windows Server 2012 domain controller about a user. Windows Server 2012 domain controllers can use most AD DS user attributes as claim information. This provides you with many possibilities to configure and use claims for access control.

    Device Claim. A device claim is information provided by a Windows Server 2012 domain controller about a device represented by a computer account in AD DS. As with a user claim, a device claim, often called a computer claim, can use most of the AD DS attributes that are applicable to computer objects.

    Central Access Policy

    The Central Access Policy is a feature in Windows Server 2012 that enables you to create a policy that is applied to one or more file servers. Central Access Policy is created in the Active Directory Administrative Center, stored in AD DS, and applied by using GPOs. Central Access Policy contains one or more Central Access Policy rules. Each rule contains settings that determine applicability and permissions.

    Note: Before you create Central Access Policy, you must create at least one central access rule. A central access rule defines all parameters and conditions that control access to specific resources and has three configurable elements:

    Name. For each central access rule you should provide a meaningful name.

    Target resources. Define what data the policy applies to. This is defined by specifying an attribute and its value. For example, a particular central policy might apply to any data classified as Sensitive.

    Permissions. A list of one or more access control entries (ACEs) that define which users can access the data. For example, you can specify Full Control Access to a user with attribute EmployeeType populated with the value FTE. This is the key component of each central access rule. You can combine and group conditions that you place in a central access rule. You can set permissions as proposed (for staging purposes) or current.

    After you have configured one or more central access rules, you then place these rules in a Central Access Policy, which is applied to the resources.

    Central access policy enhances, but does not replace, the local access policies or discretionary access control lists (DACL) that are applied to files and folders on a specific server. For example, if a DACL on a file allows access to a specific user, but a central policy is also applied to the file that restricts access to the same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but the DACL does not allow access, then the user cannot obtain access to the file.
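    How the DACL and a central access rule combine, as an added Python model that is not part of the courseware and is not the Windows access check itself. The property name Confidentiality, the users, groups and files are hypothetical; the EmployeeType/FTE condition and the Sensitive classification come from the rule elements described above.

```python
# Simplified model of central access rule evaluation (constructed for
# illustration; deny entries, share permissions and ownership are left out).
FULL = frozenset({"read", "write", "delete"})

def ace(rights, group=None, claim=None):
    """Allow entry. claim is (claim type, required value)."""
    return {"rights": frozenset(rights), "group": group, "claim": claim}

def granted(aces, user):
    """Union of rights from every allow entry whose conditions the user meets."""
    rights = set()
    for entry in aces:
        in_group = entry["group"] is None or entry["group"] in user["groups"]
        name, value = entry["claim"] or (None, None)
        has_claim = name is None or user["claims"].get(name) == value
        if in_group and has_claim:
            rights |= entry["rights"]
    return rights

def effective_rights(user, resource, policy, staged=False):
    """Rights the user keeps: DACL AND every rule that targets the file."""
    rights = granted(resource["dacl"], user)
    for rule in policy:
        prop, value = rule["target"]
        if resource["properties"].get(prop) != value:
            continue  # target resources condition not met, rule is skipped
        use_proposed = staged and rule.get("proposed")
        aces = rule["proposed"] if use_proposed else rule["current"]
        rights &= granted(aces, user)
    return rights

def staging_report(users, resource, policy):
    """Users who would lose rights if proposed permissions became current."""
    return sorted(u["name"] for u in users
                  if effective_rights(u, resource, policy, staged=True)
                  < effective_rights(u, resource, policy))

# Constructed sample data.
POLICY = [{
    "name": "Sensitive data: FTE only",
    "target": ("Confidentiality", "Sensitive"),
    "current": [ace(FULL, claim=("EmployeeType", "FTE"))],
    "proposed": [ace({"read"}, claim=("EmployeeType", "FTE"))],
}]
ALICE = {"name": "alice", "groups": {"Finance"},
         "claims": {"EmployeeType": "FTE"}}
BOB = {"name": "bob", "groups": {"Finance"},
       "claims": {"EmployeeType": "Contractor"}}
CAROL = {"name": "carol", "groups": {"Sales"},
         "claims": {"EmployeeType": "FTE"}}
FINANCE_DACL = [ace({"read", "write"}, group="Finance")]
PAYROLL = {"properties": {"Confidentiality": "Sensitive"}, "dacl": FINANCE_DACL}
NOTES = {"properties": {}, "dacl": FINANCE_DACL}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user["name"], sorted(effective_rights(user, PAYROLL, POLICY)))
    print("lose rights under proposed:",
          staging_report([ALICE, BOB, CAROL], PAYROLL, POLICY))
```

    Bob is allowed by the DACL but blocked by the rule, Carol is allowed by the rule but not by the DACL, and the staging report shows who is affected before proposed permissions are made current.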

    Before you implement Central Access Policy, you must:

    1. Use security groups or optionally create claims and connect them with attributes on user or computer objects.

    2. Create file property definitions.

    3. Create one or more Central Access Rules.

    4. Create a Central Access Policy object and place rules in it.

    5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a Central Access Policy exists in AD DS.

    On the file server, apply that policy to a specific shared folder. You can also use the Data Classification Toolkit to automatically apply central policies across multiple file servers and report on which policies are applied on which shares.

    Overview of How to Implement Dynamic Access Control

    As you could see in previous topics, there are many required components and configuration steps that must be completed before you actually use Dynamic Access Control features. It is very important that you understand the purpose of each component and each configuration step before you implement Dynamic Access Control.

    To successfully implement Dynamic Access Control, you need to do and understand the following:

    Enable support for Dynamic Access Control in AD DS. This is done on the Windows Server 2012 domain controller by using the Group Policy mechanism. It is mandatory to do this before configuring anything else.

    Configure claims for users and devices. You use claims to identify attributes of user and computer objects that you want to use in Dynamic Access Control implementation. By using claims, you actually extend the ability of access control to use the value of an attribute as a condition for evaluating access.

    Configure resource property definitions. By defining resource property definitions, you identify object properties that you want to use in conditional expressions used for access control.

    Classify files. Using file classification is not mandatory for Dynamic Access Control, but it enables you to automatically assign values to resource properties based on pre-defined criteria.

    Create and configure Central Access Policy rules. After you have defined claims and resource properties, you should create Central Access Policy rules. In each rule, you define both the scope of resources where you want to apply the rule and also define the conditional expression that will control access. Central Access Policy rules are the core of Dynamic Access Control. However, it uses claims and resource properties to build conditional expressions.

    Create and configure Central Access Policy. Central Access Policy is acting like a security net over your resources. When you create Central Access Policy, you actually just place a rule or rules in it and use the Group Policy mechanism to apply the policy to one or more resources.

    Demonstration: Implementing Dynamic Access Control

    This demonstration shows how to:

    Implement Central Access Policies


    Demonstration Steps

    1. On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative Center.

    2. In the Active Directory Administrative Center console, in the navigation pane click Dynamic Access Control.

    3. Double-click Claim Types.

    4. In the Tasks pane, click New and then select Claim Type.

    5. In the Create Claim Type dialog box, in the Source attribute section, select attribute department.

    6. In the Display name text box type Company Department.

    7. Select both User and Computer check boxes.

    8. Click OK.

    9. In the Active Directory Administrative Center console, in the navigation pane click Dynamic Access Control.

    10. Double-click Claim Types.

    11. In the Tasks pane, click New and then select Claim Type.

    12. In the Create Claim Type dialog box, in the Source attribute section, select attribute employeeType.

    13. Select both User and Computer check boxes.

    14. Click OK.

    15. In ADAC console, click Dynamic Access Control.

    16. In the central pane double-click Resource Properties.

    17. In the Resource Properties list, locate the property Department.