70-410 Installing and Configuring Windows Server 2012


Transcript of 70-410 Installing and Configuring Windows Server 2012

Page 1: 70-410 Installing and Configuring Windows Server 2012
Exam Prep: 70-411 Administering Windows Server 2012
Brian Svidergol

What we’ll cover today

Study for Success

Microsoft Certification Overview

Microsoft Certification Overview

Microsoft Certifications (solution/cloud focus), from the top of the pyramid down:
- Master: Microsoft Certified Solutions Master (MCSM)
- Expert: Microsoft Certified Solutions Expert (MCSE)
- Associate: Microsoft Certified Solutions Associate (MCSA)

MCSE and MCSD certifications
- Web Applications
- SharePoint
- Server Infrastructure
- Desktop Infrastructure
- Data Platform
- Private Cloud

MCSA: Windows Server 2012

Exam 70-410 (Installing and Configuring Windows Server 2012)
+ Exam 70-411 (Administering Windows Server 2012)
+ Exam 70-412 (Configuring Advanced Windows Server 2012 Services)
= MCSA: Windows Server 2012

Taking the Exam

Upgrade paths

Upgrading Your Skills to MCSA Windows Server 2012: any of the following certifications + Exam 70-417 = MCSA: Windows Server 2012
- MCSA: Windows Server 2008 *
- MCITP: Virtualization Administrator on Windows Server 2008 R2
- MCITP: Enterprise Messaging Administrator 2010
- MCITP: Lync Server Administrator 2010
- MCITP: SharePoint Administrator 2010
- MCITP: Enterprise Desktop Administrator on Windows 7

* Individuals who have earned the MCITP: Enterprise Administrator or MCITP: Server Administrator have also earned the MCSA: Windows Server 2008

Study for Success

Replace the Ns with your exam number to find your prep guide: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-NNN
- The prep guide lists the available languages and the topics covered on the exam
- The second tab shows Skills Measured
- The third tab shows Preparation Materials, including a link to the Learning Plan for the exam

Studying for the Exam

Know What to Expect

How to interpret the questions: all questions have a consistent anatomy
- Business problem
- Goal statement
- One or multiple correct answers
- Multiple distracters
Questions are not intended to trick you

Question types go beyond multiple choice
- Choose All That Apply
- Best Answer
- Case Studies
- Code Review
- Extended Matching items
- Build Lists
- Drag & Drop
- Active Screen
- Graphics Interpretation
- Two-Part Analysis
- Multi-source Reasoning
Be sure to view the exam item type demo before you take your first exam!

Installing and Configuring Windows Server 2012

The Objectives (objective and weight)
- Deploy, Manage, and Maintain Servers: 17%
- Configure File and Print Services: 15%
- Configure Network Services and Access: 17%
- Configure a Network Policy Server Infrastructure: 14%
- Configure and Manage Active Directory: 19%
- Configure and Manage Group Policy: 18%

Deploy, Manage, and Maintain Servers
- Deploy and manage server images
- Implement patch management
- Monitor servers

Deploy and Manage Server Images (1/2)

Install the Windows Deployment Services (WDS) role
- Prerequisites: AD DS, DHCP, DNS, an NTFS volume for the image store, and membership in the local Administrators group
- Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools (Servermanagercmd.exe is deprecated)

Boot, capture, install, and discover images
- Boot image: Windows PE plus the WDS client (boot.wim on the installation media)
- Capture image: a boot image used to capture a reference computer into an install image
- Install image: the image you actually deploy (install.wim on the media)
- Discover image: used when a computer cannot PXE boot (boot the computer from media that contains the discover image)

Update images with patches, hotfixes, drivers, and features
- DISM replaces ImageX, Package Manager (pkgmgr.exe), and OCSetup, all of which are deprecated; Windows Server 2012 also ships 22 DISM PowerShell cmdlets
- Online example: dism /online /enable-feature /FeatureName:TelnetClient

Deploy and Manage Server Images (2/2)

Update images with patches, hotfixes, drivers, and features (offline servicing)
1. Mount the offline image: DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
2. Add a package or driver to the mounted image:
   DISM /Image:<temppath> /Add-Package /PackagePath:<path>
   DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
3. Commit the changes and unmount: DISM /Unmount-Image /MountDir:<temppath> /Commit
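The same mount / add / commit sequence using the DISM PowerShell module that ships with Windows Server 2012, as an added example that is not part of the deck. The image path, mount directory, package file and driver folder are assumptions for illustration; the point is to pick the image index by name, verify what was injected, and discard the mount on failure so a half-serviced WIM is never committed.

```powershell
# Added example (not from the slide deck): offline servicing of an install image with the DISM
# PowerShell module (Windows Server 2012+). Paths, the edition name and the package/driver
# locations are assumptions. Run from an elevated PowerShell session.
Import-Module Dism

$ImageFile = 'D:\Images\install.wim'     # assumed: the WDS install image to service
$MountDir  = 'C:\Mount\install'          # assumed: empty scratch directory
$Package   = 'D:\Updates\update.msu'     # assumed: the .msu/.cab to inject
$DriverDir = 'D:\Drivers\NIC'            # assumed: folder of INF-based drivers

# 1. List the images in the WIM and pick the index by edition name rather than guessing a number.
Get-WindowsImage -ImagePath $ImageFile | Select-Object ImageIndex, ImageName
$Index = (Get-WindowsImage -ImagePath $ImageFile |
          Where-Object { $_.ImageName -like '*Standard*' -and $_.ImageName -notlike '*Core*' } |
          Select-Object -First 1).ImageIndex

# 2. Mount the image read/write (same as DISM /Mount-Image ... /Index).
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImageFile -Index $Index -Path $MountDir

try {
    # 3. Inject the update package and the drivers; -Recurse picks up every INF under the folder.
    Add-WindowsPackage -Path $MountDir -PackagePath $Package
    Add-WindowsDriver  -Path $MountDir -Driver $DriverDir -Recurse

    # Optional: enable a feature offline (same as dism /image:<mount> /enable-feature).
    Enable-WindowsOptionalFeature -Path $MountDir -FeatureName TelnetClient

    # Verify what is now in the image before committing anything.
    Get-WindowsPackage -Path $MountDir | Select-Object PackageName, PackageState
    Get-WindowsDriver  -Path $MountDir | Select-Object Driver, OriginalFileName, ProviderName

    # 4. Commit the changes and unmount (DISM /Unmount-Image ... /Commit).
    Dismount-WindowsImage -Path $MountDir -Save
}
catch {
    # Any failure: throw the changes away so the WIM is not left half-serviced.
    Write-Warning "Servicing failed: $_"
    Dismount-WindowsImage -Path $MountDir -Discard
    throw
}
```

Servicing the wrong index is the classic mistake with multi-edition WIMs; selecting by ImageName avoids it, and the try/catch makes the discard path explicit instead of leaving a stale mount that blocks the next run.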

Example question

You have an existing image that you use to deploy to servers. You need to add a package to the image.

What should you do first?

A. Run DISM /Image:<temppath> /Add-Package /PackagePath:<path>
B. Run DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
C. Run DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
D. Run DISM /Unmount-Image /MountDir:<temppath> /Commit

Implement Patch Management

Install the WSUS role
- Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
- Or with DISM: run dism /online /get-features to find the feature name, then DISM /Online /Enable-Feature /FeatureName:<name>

GPOs and client-side targeting
- Server-side targeting (default): best in smaller deployments; group membership is assigned in the WSUS console and can be changed on the fly
- Client-side targeting (typically via GPO): best in large deployments; membership is automated from the group name in the client's policy setting
- Watch for non-domain-joined clients (no GPO, so configure them via local policy or the registry) and for the manual step of creating the groups in WSUS before client-side targeting can place computers in them

Synchronization and WSUS groups
- Synchronization is when WSUS downloads update metadata and files from an upstream server or Microsoft Update
- Watch for proxy server issues (configure the proxy in WSUS), firewall issues, or BITS issues
- WSUS groups are used for targeting updates to groups of computers
- Watch for client computers not showing up in the computer list (the clients must be configured to use the WSUS server first)

Monitor Servers (1/2)

Configure Data Collector Sets (DCS)
- 3 types of collectors: performance counters (system performance), event trace data (activities and system events), system configuration information (registry)
- Built-in templates: Active Directory Diagnostics, Basic, System Diagnostics, System Performance, WDAC Diagnostics

Alerts / monitor real-time performance
- Monitor a performance counter, then alert when the threshold is exceeded
- Alert actions: start a DCS, log an event in the Event Log, run a task (such as sending email or running a script)

Monitor VMs
- Prerequisites: Windows Server 2012 Failover Cluster, Windows Server 2012 VMs, a firewall rule on the VM for Virtual Machine Monitoring, and the VM enabled for monitoring
- Monitor services inside the VM; restart the service upon failure, then reboot and/or move the VM; can be automated, manual, or integrated with System Center

Monitor Servers (2/2)

Monitor events
- Centralize event log data on a single collector server (default transport is WinRM over HTTP on port 5985)
- Run winrm quickconfig on each source computer and wecutil qc on the collector
- Works in a non-domain environment, but you need to set TrustedHosts for WinRM, and the collector must authenticate with an account that exists on the source computers (no Kerberos)

Configure event subscriptions
- Use Event Viewer to create a subscription; the default destination is the ForwardedEvents log
- Can use an existing custom view as the filter (useful when trying to minimize administrative overhead)

Configure network monitoring
- System Center Operations Manager + OS management packs + network device discovery
- Performance Monitor: DCS + performance monitor data + alert or log
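The collector/source setup described above, scripted end to end, as an added example that is not part of the deck. It creates a collector-initiated subscription that pulls Security logon events from one member server into the collector's ForwardedEvents log. The host names, the subscription name, the event IDs and the domain are assumptions; the commands themselves (winrm quickconfig, wecutil qc/cs/gr) are the ones the slide names.

```powershell
# Added example (not from the slide deck): collector-initiated event subscription for logon
# events (4624 success, 4625 failure, 4672 special privileges). Host names, domain, subscription
# name and event IDs are assumptions. All commands need an elevated prompt.

# --- On the source computer (server01.contoso.com) ---
# winrm quickconfig                                            # enable the WinRM listener (HTTP/5985)
# net localgroup "Event Log Readers" CONTOSO\COLLECTOR01$ /add # the collector's machine account reads the logs

# --- On the collector (collector01.contoso.com) ---
wecutil qc /q        # configure and start the Windows Event Collector service (quiet mode)

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>server01.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$XmlPath = Join-Path $env:TEMP 'SecurityLogons.xml'
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8

wecutil cs $XmlPath          # create the subscription from the XML
wecutil gr SecurityLogons    # runtime status: each source should show Active, not an error code

# Confirm events are arriving (assumes at least one logon has happened on the source since).
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName, Message
```

Default credentials mean the collector's computer account does the reading, which is why it needs Event Log Readers on the source; in a workgroup, replace that with an explicit local account on each source and add the sources to the collector's TrustedHosts as the slide notes.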

Example question

You have a standalone Hyper-V host server running Windows Server 2012. You need to monitor the VMs that run Windows Server 2012.

What should you do first?

A. Migrate the VMs to a Windows Server 2012 Failover Cluster.
B. Install Windows Server 2012 SP1 on the host server.
C. Install Windows Server 2012 SP1 on the VMs.
D. Join the host server to an Active Directory domain.

Configure File and Print Services
- Configure Distributed File System (DFS)
- Configure File Server Resource Manager (FSRM)
- Configure file and disk encryption
- Configure advanced audit policies

Configure DFS (1/2)

Overview
- DFS Replication and DFS Namespaces are role services (rolling up to the File and Storage Services role)
- Know what's new: PowerShell module, WMI management, site awareness for DirectAccess clients, data deduplication support
- Know what's deprecated: dfscmd, FRS (use DFS Replication instead)

Install and configure DFS Namespaces
- Domain-based namespace (can use multiple namespace servers, but not Failover Clustering)
- For access-based enumeration (ABE) and increased scalability, DFS Windows Server 2008 mode is required:
  1. The forest functional level must be Windows Server 2003 or higher
  2. The domain functional level must be Windows Server 2008 or higher
  3. All namespace servers must be running Windows Server 2008 or newer
- Stand-alone namespace (can be combined with Failover Clustering)
  - Useful for a non-AD DS environment
  - Can scale to 50,000 folders (higher than Windows 2000 Server mode, which is limited to about 5,000)

Configure DFS (2/2)

Configure DFS Replication targets
- Keep folders in sync; use the Replicate Folder wizard to configure
- Configuration changes must replicate via AD DS, and then each namespace server must poll a DC for the change (speed it up by forcing AD DS replication and then running dfsrdiag.exe PollAD /Member:Contoso\Server01)

Configure replication scheduling
- Create a replication group:
  1. Multipurpose or data collection
  2. Hub and spoke, full mesh, or no topology
  3. Replicate continuously (select bandwidth limits if desired)
  4. Replicate during specific days/times (can set the bandwidth to use per time slot)
- Watch for staging folder size issues (if too small, high CPU or slow replication will result)
- Use a different physical disk for the staging folder for improved I/O

Configure FSRM (1/2)

Install FSRM
- Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Configure quotas
- Configure quotas on a specific folder or on a path with an auto-apply template (which handles newly created subfolders)
- Hard (users cannot exceed) or soft (users can exceed; used for monitoring)
- Built-in templates can be used to create a quota or as the basis for a new customized template
- When a quota threshold is met, the options are to send email, log an event, run a command, or generate a report
- Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)

Configure FSRM (2/2)

Configure file screens
- Active screening (users cannot save unauthorized files)
- Passive screening (users can save unauthorized files; used for monitoring)
- Built-in templates (block audio/video files, e-mail files, executable files, images; monitor executable and system files)
- Be wary of the deprecated filescrn.exe; use Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate

Configure reports
- Run reports on demand in DHTML, HTML, XML, CSV, or text
- Built-in reports: duplicate files, file screen audit, files by file group, files by owner, files by property, folders by property, large files, least recently accessed files, most recently accessed files, quota usage
- Set scheduled reports and have reports emailed to admin(s)
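A hard quota with a warning threshold plus an active file screen on one share, built with the FSRM cmdlets named on the slides, as an added example that is not part of the deck. The share path, SMTP server, mail addresses and the exception subfolder are assumptions; the built-in file group name ("Executable Files") and the notification macros ([Quota Path], [Source Io Owner] and so on) are FSRM's own.

```powershell
# Added example (not from the slide deck): hard quota + active executable file screen on a share.
# Share path, SMTP settings, mail addresses and the exception folder are assumptions. Run in an
# elevated session on the file server after Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Finance'      # assumed share path

# FSRM needs an SMTP server before any email action will fire; set it once per server.
Set-FsrmSetting -SmtpServer 'smtp.contoso.com' -AdminEmailAddress 'fsadmin@contoso.com' `
                -FromEmailAddress 'fsrm@contoso.com'

# --- Quota: 10 GB hard limit; email the admin at 85 %, log an event at 100 % ---
$Warn85 = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
            -Subject 'Quota warning on [Quota Path]' `
            -Body 'Usage on [Quota Path] is at [Quota Used Percent]% of [Quota Limit MB] MB.'
$Full   = New-FsrmAction -Type Event -EventType Warning `
            -Body 'Hard quota reached on [Quota Path] by [Source Io Owner].'

$Thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $Warn85),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $Full)
)
# No -SoftLimit switch, so this is a hard quota: writes beyond 10 GB are refused.
New-FsrmQuota -Path $SharePath -Size 10GB -Threshold $Thresholds -Description 'Finance share hard quota'

# --- File screen: actively block the built-in "Executable Files" group and record who tried ---
$Blocked = New-FsrmAction -Type Event -EventType Warning `
            -Body '[Source Io Owner] tried to save [Source File Path] on [File Screen Path].'
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Executable Files' -Active -Notification $Blocked

# Allow IT-managed tools in one subfolder without weakening the screen on the rest of the share.
New-FsrmFileScreenException -Path (Join-Path $SharePath 'IT-Tools') -IncludeGroup 'Executable Files'

# Verify the result.
Get-FsrmQuota      -Path $SharePath | Select-Object Path, Size, SoftLimit, Usage
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, IncludeGroup, Active
```

The event actions matter for security operations: a file screen that only blocks tells you nothing, whereas the logged [Source Io Owner] and [Source File Path] give you the user and the blocked file name to chase when someone keeps trying to drop executables on a data share.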

Configure file and disk encryption (1/3)

New features
- BitLocker pre-provisioning (can enable BitLocker from WinPE prior to deploying Windows 8)
- Encrypt only used disk space (faster overall; takes only seconds on a fresh Windows 8 deployment)
- Standard users can change the PIN and password (no longer requires admin rights)
- Support for encrypted hard drives (encryption offloaded to the drive itself)

Configure BitLocker encryption
- TPM version 1.2 or higher (required for provisioning prior to operating system deployment)
- TPM owner authorization is stored in a separate object, new for Windows 8, which requires an AD schema update
- Add the BitLocker Drive Encryption feature, then Enable-BitLocker (needs the volume, the encryption method, and a key protector)

Configure file and disk encryption (2/3)

Configure the Network Unlock feature (new)
- Requires: the BitLocker Network Unlock feature, WDS on Windows Server 2012, a separate DHCP server, UEFI firmware with DHCP drivers, a PKI for issuing the Network Unlock certificate (or a self-signed certificate), and Group Policy configured
- For TPM+PIN systems, Network Unlock allows a form of two-factor authentication without user intervention when booting on the trusted corporate network (on untrusted networks, the TPM+PIN prompt is used)

Configure BitLocker policies (Windows 8 or Windows Server 2012)
- Choose drive encryption method and cipher strength
- Configure use of hardware-based encryption for fixed / operating system / removable drives
- Enforce drive encryption type on fixed / operating system / removable drives: Full or Used Space Only
- Allow Network Unlock at startup
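The Enable-BitLocker step from the previous slide carried through on the OS volume, as an added example that is not part of the deck: TPM+PIN protector, a recovery password as the second protector, and escrow of that password to AD DS. It assumes Windows Server 2012 with the BitLocker feature installed, a TPM 1.2 or higher that is already initialised, and the "Store BitLocker recovery information in Active Directory Domain Services" policy in place; the drive letter is C:.

```powershell
# Added example (not from the slide deck): enable BitLocker on the OS volume with TPM+PIN, add a
# numeric recovery password and escrow it to AD DS. Assumes the BitLocker feature is installed
# (Install-WindowsFeature BitLocker -Restart), a ready TPM 1.2+, and a GPO that permits backing
# recovery information up to AD DS. Run elevated.
Import-Module BitLocker

$OsDrive = 'C:'

# Sanity checks before touching the volume.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; initialise it (or choose a different protector) first.'
}
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') { Write-Warning 'BitLocker is already on'; return }

# The PIN is prompted for, never hard-coded in the script or left in a transcript.
$Pin = Read-Host -Prompt 'Enter a startup PIN (digits only)' -AsSecureString

# 1. Turn on encryption with a TPM+PIN protector. -UsedSpaceOnly is the fast path from the slide
#    (only allocated blocks are encrypted): fine on a fresh install, but on a drive that has been
#    in use it leaves previously deleted data recoverable, so use full encryption there.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $Pin `
                 -UsedSpaceOnly -SkipHardwareTest

# 2. Add a 48-digit recovery password so an admin can unlock the volume without the TPM.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 3. Escrow the recovery password to the computer object in AD DS (pre-2008 schemas need the
#    schema extension mentioned on the slide).
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# 4. Report the state; EncryptionPercentage climbs as the volume is encrypted in the background.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

The order matters: escrow the recovery password before the first reboot with protection on, otherwise a failed PIN entry leaves nobody with a way back in. Aes256 is used because the Windows Server 2012 cmdlet offers Aes128/Aes256 only.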

Configure file and disk encryption (3/3)

Configure the EFS recovery agent
- Obtain a File Recovery certificate for the data recovery agent (DRA) user account
- Add the DRA by editing the GPO (Public Key Policies, Encrypting File System):
  - Add from AD DS if certificates are published in AD DS (by default they are not published)
  - Add from .cer files if not published in AD DS

Manage EFS and BitLocker certificates, including backup and restore
- For certificates, you can enable key archival on the certificate templates to allow recovery
- The DRA can use a self-signed certificate, which is backed up with standard backup methods
- Windows 7 requires a permissions update on ms-TPM-OwnerInformation for TPM owner information backup
- Back up BitLocker recovery information to AD DS via the GPO setting (pre-2008 schemas require the schema extension)

Example question

You are the system administrator for Contoso, Ltd. You manage an Active Directory Domain Services (AD DS) domain. All servers run Windows Server 2008 R2. The forest functional level is set to Windows Server 2003. The domain functional level is set to Windows Server 2008. You are preparing to deploy DFS. The deployment must meet the following requirements:
• Users must not be able to see folders that they do not have access to
• Users must be able to create 3,000 total folders
• Minimize changes to the environment

You need to deploy DFS to meet the requirements. What should you do?

A. Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone DFS namespace.
B. Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-based DFS namespace by deselecting DFS Windows Server 2008 mode.
C. Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
D. Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.

Configure advanced audit policies (1/2)

Implement auditing using Group Policy and AuditPol.exe
- Know the difference between the basic Audit Policy settings (9 categories) and the advanced Audit Policy settings (subcategories)
- To manually enable a single advanced audit subcategory (high overhead if done this way for widespread use; use Group Policy instead):
  auditpol /set /subcategory:"RPC Events" /success:enable
- Auditpol has a /backup switch and a /restore switch

Global Object Access Auditing (for the file system or the registry; automatically applies to all objects)
- For global auditing, watch for scenarios that don't also enable the Audit File System and Audit Registry subcategories (required)
- Advanced Audit Policy settings take precedence over basic Audit Policy settings

Configure advanced audit policies (2/2)

Create expression-based audit policies
- Example: audit anybody not in Payroll who tries to access the sensitive payroll spreadsheets (can be set directly on a file/folder SACL or in Global Object Access Auditing); can be combined with Dynamic Access Control claims

Create removable device audit policies
- Requires Windows 8 or Windows Server 2012
- Logs an event when users attempt to access a removable storage device (Audit Removable Storage subcategory)
- Can also log removable storage handle events (Audit Handle Manipulation subcategory)
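The auditpol and SACL pieces from the two slides above put together, as an added example that is not part of the deck: enable the File System and Removable Storage subcategories, place a SACL on a sensitive folder, then read the resulting 4663 events back out of the Security log. The folder path is an assumption; the subcategory names, event ID and field names are Windows' own.

```powershell
# Added example (not from the slide deck): advanced audit subcategories + folder SACL + reading
# the 4663 events. The folder path is an assumption. Run elevated (a SACL needs SeSecurityPrivilege).
$Folder = 'D:\Shares\Payroll'     # assumed sensitive folder

# 1. Advanced audit policy. On a domain member do this through a GPO (and enable "Audit: Force
#    audit policy subcategory settings" so the advanced settings win, as the slide notes);
#    auditpol is for a single box or a lab.
auditpol /set /subcategory:"File System"       /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /get /category:"Object Access"        # verify

# 2. SACL on the folder: record every delete/write attempt (success and failure) and failed reads.
#    Auditing successful reads for Everyone would flood the Security log.
$acl = Get-Acl -Path $Folder -Audit
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Delete, WriteData, AppendData, WriteAttributes',
        'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'),
    New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'ContainerInherit, ObjectInherit', 'None', 'Failure')
)
foreach ($r in $rules) { $acl.AddAuditRule($r) }
Set-Acl -Path $Folder -AclObject $acl

# 3. Read the audit trail. 4663 = "An attempt was made to access an object"; ObjectName carries
#    the path, SubjectUserName the account, the keyword says whether it was a success or failure.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
                Outcome = ($_.KeywordsDisplayNames -join ',')
            }
        }
    } | Format-Table -AutoSize
```

Three layers have to agree before anything is logged: the subcategory must be enabled, the object must carry a SACL (or Global Object Access Auditing must cover it), and the access must match the SACL's rights and success/failure flags. Missing any one of them is the usual reason "auditing is on but nothing appears".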

Configure Network Services and Access
- Configure DNS zones
- Configure DNS records
- Configure VPN and routing
- Configure DirectAccess

Configure DNS zones (1/2)

Configure primary and secondary zones
- A primary zone can be stored in a file or in AD DS; it is the authoritative, writable source for the zone
- A secondary zone cannot be stored in AD DS and is a read-only copy of a primary zone (loaded by zone transfer)

Configure stub zones
- A stub zone holds only the SOA, NS, and glue A records that identify the authoritative DNS servers for a zone; useful in a merger/acquisition
- Watch for scenarios that offer stub zones and conditional forwarding as competing solutions
- Stub zones are best when you need to dynamically maintain the list of authoritative DNS servers for a child zone

Configure conditional forwarders
- Forwards queries for a specific domain to specific DNS servers, which can then build up a cache for efficient resolution
- Often the best solution for a merger/acquisition, but can also speed up internal name resolution

Configure DNS zones (2/2)

Configure zone and conditional forwarder storage in Active Directory
- The DNS server must be a domain controller; the zone must be a primary zone, a stub zone, or a conditional forwarder
- Replication scopes for AD-integrated zones: all DNS servers in the forest, all DNS servers in the domain, all DCs in the domain (Windows 2000 compatibility), or all DCs in a custom application partition

Configure zone delegation
- Key scenarios: delegate management, distribute load, improve performance, fault tolerance

Configure zone transfer settings
- To any server, only to servers listed on the Name Servers tab, or only to a specific list of IP addresses; the specific list is the most secure option

Configure notify settings
- Can notify name servers of changes, which helps secondary servers keep more consistent DNS data

Configure DNS records (1/2)

Create and configure resource records (RR), including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
- Know that AAAA is the IPv6 equivalent of an A record
- Use dnscmd /recordadd for mass record creation (or PowerShell), e.g.:
  Add-DnsServerResourceRecord -A -Name "test" -ZoneName "woodgrovebank.com" -IPv4Address 172.16.1.200

Configure zone scavenging
- Must be enabled at the server level and at the zone level (watch for troubleshooting scenarios or "choose all that apply" items)
- Must also be enabled at the resource record level (it is by default for dynamic records, but watch for troubleshooting)
- Cleans up dynamic (timestamped) records only, not static records
- Avoid dnscmd.exe /ageallrecords, which timestamps static records and makes them eligible for scavenging

Configure DNS records (2/2)

Configure record options, including TTL and weight
- TTL default is 1 hour; can be changed at the zone level or on an individual resource record
- Weight default is 100, with a possible range of 0-65535 (a higher weight means the record is usually picked more often)

Configure round robin
- On and working by default; can be disabled for certain resource record types with a registry edit:
  HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes
- Local subnet priority (netmask ordering) takes precedence over round robin for multi-homed names

Configure secure dynamic updates
- The secure-only updates option is only available when a zone is AD DS integrated
- Run dnscmd /Config woodgrovebank.com /AllowUpdate 2 to force a zone to accept secure updates only
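The zone-hardening and record-creation settings from the four DNS slides, done with the DnsServer module on a Windows Server 2012 DC, as an added example that is not part of the deck: secure-only dynamic updates, zone transfers and notifies restricted to one named secondary, scavenging enabled at server and zone level, and an A record with its matching PTR. The zone names, addresses and the secondary's IP are assumptions.

```powershell
# Added example (not from the slide deck): harden a zone and add A + PTR records with the
# DnsServer module. Zone names, IP addresses and the secondary server are assumptions. Run on a
# Windows Server 2012 DNS server (a DC, since the zone is AD-integrated) as a DNS administrator.
Import-Module DnsServer

$Zone      = 'tailspintoys.com'
$Reverse   = '5.10.10.in-addr.arpa'   # reverse zone for 10.10.5.0/24
$Secondary = '10.10.1.20'             # assumed: the only server allowed to pull transfers

# 1. Secure-only dynamic updates (the cmdlet form of dnscmd /Config <zone> /AllowUpdate 2), and
#    zone transfers plus notifies limited to an explicit list so nobody else can dump the zone.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondary `
    -Notify NotifyServers -NotifyServers $Secondary

# 2. Scavenging must be on at the server AND the zone; the record timestamp is the third layer.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging  -Name $Zone -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00

# 3. Create the reverse zone if missing, then the forward A record and its PTR.
if (-not (Get-DnsServerZone -Name $Reverse -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.10.5.0/24' -ReplicationScope Domain -DynamicUpdate Secure
}
Add-DnsServerResourceRecordA   -ZoneName $Zone    -Name 'www2' -IPv4Address '10.10.5.254' -TimeToLive 01:00:00
Add-DnsServerResourceRecordPtr -ZoneName $Reverse -Name '254'  -PtrDomainName "www2.$Zone"

# 4. Verify both directions against this server.
Resolve-DnsName -Name "www2.$Zone" -Server 127.0.0.1 -Type A
Resolve-DnsName -Name '10.10.5.254' -Server 127.0.0.1 -Type PTR

# Show the effective zone settings.
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, DynamicUpdate, SecureSecondaries, SecondaryServers
```

A forward record never implies a reverse one: the PTR lives in the in-addr.arpa zone and has to be created (or dynamically registered) separately, which is exactly the gap in the example question that follows the DirectAccess slides.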

VPN and Routing

Install and configure the Remote Access role
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard

Implement Network Address Translation (NAT)
- Need two interfaces (public and private) prior to enabling NAT via the wizard

Configure VPN settings
- For SSTP, select the proper SSL certificate after the role is installed

Configure remote dial-in settings for users
- The default on an AD user account is to control access through the NPS Network Policy
- Need to adjust the policy or create a new policy in order to allow users in

Configure routing
- IPv4 and IPv6 static routes, DHCP relay; the server must be enabled as a router for the protocol

DirectAccess (1/2)

Implement server requirements
- No longer requires a PKI (can use the Kerberos proxy over HTTPS on port 443 instead)
- The new simplified deployment won't get force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
- Can use a single NIC behind NAT (Windows Server 2012 required)
- Remote access servers and all client computers must be domain members
- IPv6 is not required; IPv6 transition technologies are used (however, native IPv6 gives the best performance)

Implement client configuration
- Need to have the client security groups in place first, and then the wizard creates the GPOs

DirectAccess (2/2)

Configure DNS for DirectAccess
- Name Resolution Policy Table (NRPT): used to send queries for specific namespaces to specific DNS servers (otherwise normal name resolution is used); Windows 7 or later required (configured via GPO)

Configure certificates for DirectAccess
- If using an internal CA or a self-signed certificate, the CRL distribution point must be reachable from the Internet
- Can't use a self-signed certificate in a multi-site environment
- An internal PKI is required if the Kerberos proxy over HTTPS is not available/possible

Example question

You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com.

What should you do?

A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.

Configure a Network Policy Server Infrastructure
- Configure Network Policy Server (NPS)
- Configure NPS policies
- Configure Network Access Protection (NAP)

Configure NPS (1/2)

Configure multiple RADIUS server infrastructures
- 5 parts: access clients (laptops), access servers (VPN/wireless devices, which are the RADIUS clients), NPS servers (RADIUS servers), NPS proxies (RADIUS proxies; fault tolerance by using two with one as a backup; domain membership optional; use NETSH to copy the config from one proxy to another), and user account databases (such as AD DS)

Configure RADIUS clients
- Required: shared secret, friendly name, FQDN or IP address; vendor info (e.g. Cisco) is optional

Manage RADIUS templates
- Watch for questions involving administrative overhead, as that may indicate creating a template or using an existing template

Configure NPS (2/2)

Configure RADIUS accounting
- Can log to a SQL database, a text file on the local computer, both simultaneously, or SQL with text-file logging for failover (if SQL logging fails, continue to log via text file)
- If logging stops (out of disk, SQL down), users can't get in (watch for scenarios that call out a default install and a sudden loss of functionality: it could be out of disk space, so consider moving logging to a non-system disk)

Configure certificates
- Certificate-based authentication (PEAP, EAP-TLS): NPS servers need a server certificate
- To minimize administrative overhead in a large environment, use autoenrollment

Configure NPS policies (1/2)

Configure connection request policies
- Policies have conditions such as connection type, day/time, network, and computer
- Useful to forward authentication for an untrusted domain (put the proxy policy first in the policy order) while still authenticating local users via NPS (to AD DS)
- If there is no local processing by NPS, then the server is a pure proxy (can forward to one remote RADIUS server group or several)

Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
- Watch for the default installation on encryption: all MPPE encryption options are enabled (40-bit Basic, 56-bit Strong, 128-bit Strongest), so clear the weaker ones when the requirement is strongest encryption only
- Can use IP filters to enhance security and limit the traffic type (IPv4 and IPv6)

Configure NPS policies (2/2)

Manage NPS templates
- Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filters, health policies, and remediation server groups (minimize administrative overhead, speed up deployment)
- Can export templates to an .xml file and import them on another server

Import and export NPS policies
- Can use NETSH (netsh nps export) or Export-NpsConfiguration to export the entire NPS server configuration, including policies (the export file contains the RADIUS shared secrets in clear text, so protect it)

Configure NAP (1/2)

Configure System Health Validators (SHVs)
- One default SHV, the Windows Security Health Validator, can require specific firewall settings, antivirus settings, spyware protection, and automatic updates settings
- If a client is noncompliant with the SHV, NAP can restrict its network access or remediate it
- Windows XP does not have spyware protection settings available

Configure health policies
- A health policy dictates how many SHV checks must be passed or failed
- Health policies are added as conditions to network policies (NPS) to determine who should gain access

Configure NAP enforcement using DHCP and VPN
- Non-compliant devices: full access, full access for a limited time, or limited access
- Limited access is usually tied to remediation servers for updating components to reach compliance
- If full access for a limited time is used and the client subsequently becomes compliant, it will be disconnected!

Configure NAP (2/2)

Configure isolation and remediation of non-compliant computers using DHCP and VPN
- The default network policy has automatic remediation enabled by default
- Can add remediation servers and a troubleshooting URL for employees

Configure NAP client settings
- Remember that Group Policy overrides both NETSH and the NAP Client Configuration console
- Enable tracing: netsh nap client set tracing state=enable
- Use the NAP Client Configuration console to create an .xml config file for use in a GPO
- By default, NAP enforcement clients are disabled
- To enforce health policies, you must enable at least one NAP enforcement client
- IPsec enforcement: need to configure the NAP health registration authority (HRA) settings

Configure and Manage Active Directory
- Configure service authentication
- Configure Domain Controllers
- Maintain Active Directory
- Configure account policies

Configure service authentication (1/2)

Create and configure service accounts
- Used to enhance security (one identity per service), but the pain points are password management and SPN management

Create and configure Group Managed Service Accounts (gMSA)
- Must be created/configured from a server running Windows Server 2012 or a Windows 8 computer with the AD DS PowerShell module
- Automated password management, and the account can be used across multiple servers
- Requires a minimum of one DC running Windows Server 2012
- Before you begin, create the KDS root key: Add-KdsRootKey -EffectiveImmediately (which still waits the default 10 hours for replication; in a single-DC lab use -EffectiveTime ((Get-Date).AddHours(-10)))
- New-ADServiceAccount and Set-ADServiceAccount

Create and configure Managed Service Accounts (standalone MSA)
- Introduced in Windows Server 2008 R2 / Windows 7
- New-ADServiceAccount with the -RestrictToSingleComputer parameter
- Automated password management, but the account can be used on a single server only
- Not supported for scheduled tasks, Exchange, or SQL

Configure service authentication (2/2)

Configure Kerberos delegation
- IIS may require the "Trust this computer for delegation to any service (Kerberos only)" option; prefer constrained delegation to specific services where the application supports it, since unconstrained delegation lets the server impersonate users to anything

Manage Service Principal Names (SPNs)
- setspn.exe; use setspn -S, which checks the domain for a duplicate before registering (duplicate SPNs break Kerberos authentication)
- Format: <service class>/<host>:<port>/<service name>
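The gMSA procedure from the previous slides carried through, as an added example that is not part of the deck: KDS root key, a group of hosts allowed to retrieve the password, the account with its SPN, and the install/test step on a member server. The account, group, server and service names are assumptions; it needs a Domain Admin session on a Windows Server 2012 host with the ActiveDirectory module and at least one 2012 DC in the forest.

```powershell
# Added example (not from the slide deck): create a gMSA for a web application, scope password
# retrieval to a host group, register its SPN, then install and test it on a member server.
# Names are assumptions. Run as a Domain Admin from Windows Server 2012 with the AD module.
Import-Module ActiveDirectory

$GmsaName  = 'svc-webapp'           # sAMAccountName will be svc-webapp$
$HostGroup = 'WebApp-Servers'       # global security group of computer accounts
$Servers   = 'web01', 'web02'       # member servers that will run the service
$DnsName   = 'webapp.contoso.com'   # assumed service name (used for the SPN)

# 1. KDS root key (one per forest). -EffectiveImmediately still honours the 10-hour replication
#    delay; the -EffectiveTime form is for a single-DC lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab only; production: -EffectiveImmediately and wait
}

# 2. A group of computer accounts is easier to maintain than listing hosts on the gMSA itself.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members ($Servers | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA, tie password retrieval to the host group and register the SPN at creation.
New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ServicePrincipalNames "HTTP/$DnsName" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# 4. On each web server, after a reboot so the new group membership is in the machine's token:
#    Install-ADServiceAccount -Identity svc-webapp
#    Test-ADServiceAccount    -Identity svc-webapp   # True once the host can retrieve the password
# Then run the service or IIS application pool as CONTOSO\svc-webapp$ with an empty password.
```

Restricting -KerberosEncryptionType to AES removes RC4 tickets for this account, which is cheap here because nothing has the password but the hosts in the group; the same restriction on a legacy human service account would need compatibility checking first.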

Configure Domain Controllers (1/2)

Configure Universal Group Membership Caching
- Eliminates the dependency on a global catalog during logons at sites without a GC
- Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='32'}

Transfer and seize operations master roles
- NTDSUTIL can transfer and seize roles
- Move-ADDirectoryServerOperationMasterRole transfers; add -Force to seize (only when the current holder is permanently gone)

Install and configure an RODC
- Cannot convert a writable DC to an RODC in place
- Staged installation: pre-create the RODC account and delegate the installation to a non-Domain Admin at the remote site (add IFM for speed)

Configure Domain Controllers (2/2)

Configure Domain Controller cloning
- Requires a hypervisor that exposes VM-GenerationID (Hyper-V on Windows Server 2012 and VMware 5.0 and later)
- The source VM must run Windows Server 2012, and the PDC emulator must run Windows Server 2012
1. Add the source DC to the Cloneable Domain Controllers group
2. Run Get-ADDCCloningExcludedApplicationList to check for installed services that are not cleared for cloning (watch out for unsupported services such as DHCP); DefaultDCCloneAllowList.xml lists the services known to be safe, and CustomDCCloneAllowList.xml (generated with -GenerateXml) is for custom services that you are sure about
3. Run New-ADDCCloneConfigFile to create the DCCloneConfig.xml file (IP info, site info, clone name)
4. Shut the source DC down and export it (Hyper-V Manager or the Export-VM cmdlet)
5. Import the VM as a copy with a new ID (Hyper-V Manager or the Import-VM cmdlet)

See http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx (the entire series is valuable)
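The cloning procedure above as a script, as an added example that is not part of the deck or the linked series. Steps 1 to 3 run on the source DC as a Domain Admin, the export/import on the Windows Server 2012 Hyper-V host. DC names, the site, the IP plan and the export path are assumptions; the group name, the cmdlets and the file names are the ones Windows uses.

```powershell
# Added example (not from the slide deck): prepare a virtualised DC for cloning and produce the
# clone. DC names, site, IP plan and paths are assumptions. Steps 1-3 on the source DC (DC01) as
# Domain Admin; steps 4-5 on the Windows Server 2012 Hyper-V host.
Import-Module ActiveDirectory

$SourceDc  = 'DC01'
$CloneDc   = 'DC02'
$Site      = 'Default-First-Site-Name'
$ExportDir = 'E:\Export'

# 1. Authorise the source DC for cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDc)

# 2. Anything returned here is an installed service/program not on DefaultDCCloneAllowList.xml.
#    Remove it (e.g. DHCP) or, only if you know it is clone-safe, whitelist it.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # After reviewing every entry: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    # writes CustomDCCloneAllowList.xml next to ntds.dit.
    throw 'Resolve the excluded applications before cloning.'
}

# 3. Write DCCloneConfig.xml with the clone's identity. Omit -Static to let the clone use DHCP.
New-ADDCCloneConfigFile -CloneComputerName $CloneDc -SiteName $Site -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.11'

# 4. Shut the source DC down (a running DC's database is not a consistent copy), then on the host:
#    Stop-VM -Name $SourceDc
#    Export-VM -Name $SourceDc -Path $ExportDir
#
# 5. Import as a COPY with a new VM ID: the hypervisor hands the copy a fresh VM-GenerationID, the
#    DC notices the change at boot, reads DCCloneConfig.xml and promotes itself as DC02.
#    $cfg   = Get-ChildItem "$ExportDir\$SourceDc\Virtual Machines" -Filter *.xml | Select-Object -First 1
#    $clone = Import-VM -Path $cfg.FullName -Copy -GenerateNewId `
#                 -VirtualMachinePath "E:\VMs\$CloneDc" -VhdDestinationPath "E:\VMs\$CloneDc"
#    Rename-VM -VM $clone -NewName $CloneDc     # the imported copy keeps the source's VM name
#    Start-VM -Name $SourceDc; Start-VM -Name $CloneDc
```

If the import is done without -Copy -GenerateNewId, the copy keeps the same VM-GenerationID, the DC does not detect a clone, and you get two DCs with one invocation ID: the exact USN-rollback scenario that VM-GenerationID exists to prevent.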

Maintain Active Directory (1/2)

Back up Active Directory and SYSVOL
- wbadmin start systemstatebackup -backuptarget:e: (a system state backup includes SYSVOL along with the AD database and registry)

Manage Active Directory offline
- Stop the Active Directory Domain Services service (Services console or the Stop-Service cmdlet; dependent services such as DNS and KDC stop too)
- Can perform an offline defrag (or other maintenance) and then start the service again (restartable AD DS, available since Windows Server 2008)

Optimize an Active Directory database
- LDIFDE can be used to manually kick off a garbage collection process (frees up space inside the database by writing doGarbageCollection to the rootDSE)
- NTDSUTIL can compact the ntds.dit file (need adequate free disk space to hold a second copy of the .dit file)

Maintain Active Directory (2/2)

Clean up metadata
- Since Windows Server 2008, deleting a DC's computer object from the Domain Controllers OU in Active Directory Users and Computers results in automatic metadata cleanup
- Deleting a DC's NTDS Settings object in Sites and Services also results in automatic metadata cleanup
- Otherwise: ntdsutil, metadata cleanup, remove selected server <DN of DC>

Configure Active Directory snapshots
- ntdsutil, snapshot, activate instance ntds, create (then mount the snapshot and expose it with dsamain to browse it)

Perform object- and container-level recovery
- ntdsutil (authoritative restore) or Restore-ADObject (need the Recycle Bin to get link-valued attributes such as group membership back)
- Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest name> -Server <DC name>

Perform an Active Directory restore
- Authoritative vs. non-authoritative (watch for scenarios where you restore and the objects get deleted again after the restore because the original deletion replicates back)

Page 62: 70-410 Installing and Configuring Windows Server 2012

Configure account policies (1/2)
Configure domain user password policy
Without fine-grained password policies, one password policy and one lockout policy per domain
Configure via GPO

Configure and apply Password Settings Objects
New-ADFineGrainedPasswordPolicy – apply to users or groups (not OUs)
Active Directory Administrative Center

Delegate password settings management
Can delegate the ability to apply a PSO to a user or group (Write Property permissions on the PSO)

Page 63: 70-410 Installing and Configuring Windows Server 2012

Configure account policies (2/2)
Configure local user password policy
Can use a GPO linked to an OU containing the computer objects

Configure account lockout settings
“Account lockout duration” set to 0 means an administrator must unlock locked accounts
“Account lockout threshold” set to 0 means an account will never get locked out
“Reset account lockout counter after” resets the number of failed logon attempts
Watch for requirements such as minimizing calls to the Help Desk, maintaining the highest level of security, or situations where a Denial of Service (DoS) is occurring
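Account policies (1/2) and (2/2) together: the single per-domain lockout policy, a stricter PSO layered on a privileged group, delegation of the PSO, and a resultant-policy check. This is an added example, not from the slides; domain corp.example.com, group Tier0-Admins, group HelpDesk and user jdoe are constructed, and the dsacls permission syntax is an assumption to verify on a test DC.

```powershell
# Added example: domain lockout policy + fine-grained policy + delegation + resultant check.
Import-Module ActiveDirectory

# Domain-wide (the one policy per domain). Threshold 0 = never lock out (DoS-proof, weak);
# duration 0 = admin must unlock (strongest, most Help Desk calls). Middle ground here:
# 10 attempts, auto-unlock after 30 min, failed-attempt counter reset after 30 min.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example.com' `
    -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24

# PSO for privileged accounts. When several PSOs apply, the LOWEST precedence number wins.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Tier0-PSO' -Precedence 10 -PassThru `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge '42.00:00:00' -MinPasswordAge '1.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '0.01:00:00' -LockoutObservationWindow '0.01:00:00' `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Delegation: "may apply this PSO" = Write Property on msDS-PSOAppliesTo of the PSO object.
# dsacls argument format assumed as user:WP;attribute; verify before using in production.
dsacls $pso.DistinguishedName /G 'CORP\HelpDesk:WP;msDS-PSOAppliesTo'

# Which policy a user actually gets: Get-ADUserResultantPasswordPolicy returns $null when
# no PSO applies, which means the domain policy from the GPO is in effect.
function Get-EffectivePolicyName([string]$User) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($r) { $r.Name } else { 'Default Domain Policy' }
}
Get-EffectivePolicyName 'jdoe'
```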

Page 64: 70-410 Installing and Configuring Windows Server 2012

Configure and Manage Group Policy
Configure Group Policy processing

Configure Group Policy settings

Manage Group Policy objects (GPOs)

Configure Group Policy preferences

Page 65: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy processing (1/3)
Configure processing order and precedence
LSDOU (Local, Site, Domain, OU) – remember this!
Link order – 1 is highest (also referred to as the “top of the list”)

Configure blocking of inheritance
Nothing linked above will apply unless a GPO is enforced

Configure enforced policies
Right-click a GPO link and click Enforced to ensure that the GPO cannot be blocked
Enforced GPOs also ensure that their settings aren’t overwritten by GPOs applied lower in the structure

Page 66: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy processing (2/3)
Configure security filtering and WMI filtering
Read and Apply Group Policy (AGP) permissions are required for a GPO to apply
WMI filter example – namespace Root\CimV2; query Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2012 Datacenter"

Configure loopback processing
Loopback with Replace – ensures that settings from the User Configuration of GPOs that apply to the computer replace the settings from the User Configuration of GPOs that apply to the user

Loopback with Merge – ensures that settings from the User Configuration of GPOs that apply to the computer merge with the settings from the User Configuration of GPOs that apply to the user

Watch for scenarios such as a kiosk or public computer where all users must have the exact same settings on the computer!

Page 67: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy processing (3/3)
Configure and manage slow-link processing
Some settings are not applied when a slow link is detected (software installation, folder redirection, etc.)
Default slow link threshold is less than 500 Kbps
Computer Configuration\Administrative Templates\System\Group Policy

Configure client-side extension (CSE) behavior
Allow processing across a slow network connection
Do not apply during periodic background processing
Process even if the Group Policy objects have not changed
These can be set per extension, such as Scripts, Security, Registry, or others (note that some extensions only have two of the three options)
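The processing slides (1/3 to 3/3) scripted for the kiosk scenario they mention: link order and enforcement, blocking inheritance, security filtering, a WMI filter dry run, loopback Replace and the slow-link threshold. This is an added example, not from the slides; domain corp.example.com, GPOs Kiosk-Lockdown and Baseline, OU Kiosks and group Kiosk-Computers are constructed.

```powershell
# Added example: GPO precedence, filtering and loopback for a kiosk OU (names constructed).
Import-Module GroupPolicy
$ou = 'OU=Kiosks,DC=corp,DC=example,DC=com'

# Link order 1 is processed last among links at this scope, so it wins conflicts there.
# Enforced: cannot be blocked below, and beats conflicting settings from lower scopes (LSDOU).
New-GPLink -Name 'Kiosk-Lockdown' -Target $ou -LinkEnabled Yes -Order 1 -Enforced Yes | Out-Null

# Block inheritance on the OU: site- and domain-linked GPOs no longer apply unless enforced.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# Security filtering: only the kiosk computers get Read + Apply Group Policy. Keep plain
# Read for Authenticated Users so computers can still read the GPO (required since MS16-072).
Set-GPPermission -Name 'Kiosk-Lockdown' -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name 'Kiosk-Lockdown' -TargetName 'Kiosk-Computers' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Loopback Replace (2; Merge would be 1): user settings in this computer-targeted GPO replace
# whatever the logged-on user's own GPOs would set. Every user gets identical kiosk settings.
# Registry value behind Computer Configuration\Administrative Templates\System\Group Policy\
# "Configure user Group Policy loopback processing mode".
Set-GPRegistryValue -Name 'Kiosk-Lockdown' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Slow-link threshold (default 500 Kbps). Raising it to 1000 Kbps makes more links "slow",
# so bandwidth-heavy CSEs such as software installation skip processing on them.
Set-GPRegistryValue -Name 'Baseline' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value 1000 | Out-Null

# Verify the effective precedence at the OU (Order 1 = top of the list).
(Get-GPInheritance -Target $ou).InheritedGpoLinks | Select-Object Order, DisplayName, Enforced

# Dry-run the slide's WMI filter on this machine: a row back means the filter would be TRUE.
Get-CimInstance -Namespace 'root\cimv2' `
    -Query 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows Server 2012 Datacenter"'
```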

Page 68: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy settings (1/2)
Configure settings including software installation, folder redirection, scripts, and administrative template settings
Assign to user (shortcuts appear on the Start menu; not installed yet)
Assign to computer (no shortcut; typically installed at startup)
Publish to user (available in Add/Remove Programs)

Import security templates
Import from Group Policy Object Policy/Computer Configuration/Windows Settings/Security Settings
“Clear this database before importing” option will overwrite; without it you get a merge

Page 69: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy settings (2/2)
Import custom administrative template file
Add/remove templates while editing a GPO
ADM and ADMX (ADMX cuts down on SYSVOL size because it isn’t stored in the GPO)
ADMX – Central Store (ADM not supported in the Central Store)

Convert admin templates using ADMX Migrator
Free download; GUI conversion using “Generate ADMX from ADM”
Command line – faAdmxConv.exe name.adm

Configure property filters for admin templates
Managed – any = all, yes = only managed, no = only unmanaged
Configured – any = all, yes = only configured, no = only not configured
Commented – any = all, yes = only commented, no = only uncommented
(filters to limit what you see in the GUI)

Page 70: 70-410 Installing and Configuring Windows Server 2012

Manage Group Policy objects (GPOs)
Back up, import, copy, and restore GPOs
PowerShell – Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO
C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts (.WSF scripts)

Create and configure Migration Table
Manually open the Migration Table Editor and select source and destination
Cross-Domain Copying Wizard
Users, groups, computers, and UNC paths

Reset default GPOs
dcgpofix /target:Domain (can also use DC or Both as the target)

Delegate Group Policy management
Group Policy Creator Owners group – create new GPOs and edit/delete GPOs that they created
Linking a GPO requires additional permissions (can be granted via ADUC on the OU)
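The backup, migration table, cross-domain import and delegation bullets of this slide as one script. This is an added example, not from the slides or the GPMC sample scripts; source domain corp.example.com, target domain lab.example.com, GPO Baseline, share \\fs01\gpobackup and the migration-table entries are constructed, and the migration table XML schema is written from memory of what the Migration Table Editor produces (verify by saving one from the editor).

```powershell
# Added example: back up GPOs, import one into another domain through a migration table,
# and delegate editing. Names, paths and mapping entries are constructed.
Import-Module GroupPolicy
$backupPath = '\\fs01\gpobackup'

# 1. Back up every GPO before changing anything; Restore-GPO reads this folder later.
Backup-GPO -All -Path $backupPath -Domain 'corp.example.com' `
    -Comment "Pre-change $(Get-Date -Format s)" | Out-Null

# 2. Migration table: rewrites security principals and UNC paths that would otherwise
#    point at the source domain. Type values: User, Computer, LocalGroup, GlobalGroup,
#    UniversalGroup, UNCPath, Unknown. Same file format the Migration Table Editor saves.
$migTable = "$env:TEMP\corp-to-lab.migtable"
@"
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>CORP\Helpdesk</Source><Destination>LAB\Helpdesk</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\fs01\software</Source><Destination>\\labfs01\software</Destination></Mapping>
</MigrationTable>
"@ | Set-Content -Path $migTable -Encoding Unicode

# 3. Import the most recent backup of "Baseline" into the lab domain, creating the target
#    GPO if needed and applying the mappings above to its settings.
Import-GPO -BackupGpoName 'Baseline' -Path $backupPath -Domain 'lab.example.com' `
    -TargetName 'Baseline' -CreateIfNeeded -MigrationTable $migTable | Out-Null

# 4. Delegation: Group Policy Creator Owners may only edit GPOs they created, so grant
#    edit rights on this GPO explicitly. Permission to LINK it is set on the OU, not here.
Set-GPPermission -Name 'Baseline' -Domain 'lab.example.com' -TargetName 'LAB\GPO-Editors' `
    -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Roll back a bad import with: Restore-GPO -Name 'Baseline' -Path $backupPath -Domain 'lab.example.com'
# The two default GPOs are not restored this way; they are reset with dcgpofix (/target:Domain, DC or Both).
```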

Page 71: 70-410 Installing and Configuring Windows Server 2012

Configure Group Policy preferences
Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment
Beware of tattooing scenarios – use the “Remove this item when it is no longer applied” option
Use the “Apply once and do not reapply” option to allow user customization

Configure item-level targeting
Use a single GPO but set different settings for different users or computers
Targets can be specific CPU, battery presence, security group membership, WMI, and many more

Page 72: 70-410 Installing and Configuring Windows Server 2012

Example question
You are the system administrator for Woodgrove Bank. An existing GPO named GPO1 is linked to an OU named Corp. The Corp OU contains all user objects. You need to ensure that a GPO named GPO2 applies to all users in the Corp OU while also ensuring that settings in GPO2 take precedence over the same settings in GPO1.

What should you do?

A. Link GPO2 to the domain.
B. Link GPO2 to the site.
C. Migrate GPO2 to a local GPO.
D. Configure GPO2 to be enforced.

Page 73: 70-410 Installing and Configuring Windows Server 2012

Related content
Breakout Sessions (WCA-B346 - What's New in Windows Server 2012 Active Directory)

Hands-on Labs (WCA-H306 – Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control)

Related Exams - 70-412 and 70-417

Find Me Later At Info Desk (Tues/Thurs. 9:15am -12:15pm)

Also Find Me Later At Study Hall (Wed. 9:15am – 12:15pm)


Page 74: 70-410 Installing and Configuring Windows Server 2012

Resources for Developers
http://microsoft.com/msdn

Microsoft Certification & Training Resources
www.microsoft.com/learning

Resources for IT Professionals
http://microsoft.com/technet

Sessions on Demand
http://channel9.msdn.com/Events/TechEd

Page 75: 70-410 Installing and Configuring Windows Server 2012

Complete an evaluation on CommNet and enter to win!

Page 76: 70-410 Installing and Configuring Windows Server 2012

Scan the Tag to evaluate this session now on myTechEd Mobile

Page 77: 70-410 Installing and Configuring Windows Server 2012

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.