Exam prep: 70-411 & 70- 417 MCSA: Administering Windows Server 2012 (R2)


Exam prep: 70-411 & 70-417 MCSA: Administering Windows Server 2012 (R2)

Alfred Ojukwu

Alfred [email protected]

- 19 Years of IT Experience
- Senior Consultant with Microsoft Consulting Services (MCS)
- Desktop Enterprise Management, ConfigMgr 2012 and Intune
- Microsoft Communities both Internal and External
- Blog Site

http://thedevicepros.com @thedevicepros - twitter.com/thedevicepros

Facebook – http://www.facebook.com/thedeviceprofessionals

Member of #TheKrewe

But first… a little about me!

Session Objective(s):
- Certification Overview
- Exam Preparation per Section
- Describe key 70-411 & 70-417 exam objectives
- Prepare more effectively using available study material
- Relate practical Windows Server 2012 experience to exam
- Identify areas that may require extra studying
- Action plan for exam preparation and success

Session Objectives And Takeaways

Microsoft Certification

For You
- Increased confidence in your abilities at work
- Enhanced product knowledge
- Learn about certification to educate your coworkers and bosses

For Your Career
- Makes a great commitment
- Shows drive and initiative
- Tangible way to demonstrate mastery of a product
- Sets you apart from your peers at review time
- Recognition inside and outside of Microsoft
- Completely achievable at SPC

Changes to Certifications and Exams

Deeper Skill Set

Certification Requirements

Broader Skill Set

Recertification

Relevance Rigor

MCSE and MCSD Certifications

Web Applications Windows Store Apps

Server Infrastructure Desktop Infrastructure

Business Intelligence Data Platform

Private Cloud

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Reflection of the real world
- Learn more, validate more
- Solutions are more complex, questions must reflect that
- Best way to measure candidates know what they know

New item types
- Fewer multiple choice
- Case studies
- Scenario based
- See big picture and make decisions

Innovative item types

Increased Rigor

Exam Tips

Exam Basics
- 40-60 questions
- 1-4 hours to complete exam
- Can review questions
- Cannot move between case studies
- 700 is passing
- 700 is not 70%


How to interpret questions

One or Multiple Correct Answers

Goal Statement

Business Problem

All questions have a consistent anatomy

Multiple Distracters

Questions are not intended to trick you

Exam Scoring
- Each exam has a "cut score"
- Each question is worth one point
- No partial credit
- No points deducted for wrong answers

70-411

& 70-417

- Deploy, Manage, and Maintain Servers (15-20 %)
- Configure File and Print Services (15-20 %)
- Configure Network Services and Access (15-20 %)
- Configure a Network Policy Server Infrastructure (15-20 %)
- Configure and Manage Active Directory (15-20 %)
- Configure and Manage Group Policy (15-20 %)

Total Time: 195 minutes with comments, 150 minutes for exam

70-411 Exam Objectives

Deploy, Manage, and Maintain Servers

Deploy and manage server images

Implement patch management

Monitor servers

Windows Server 2012 - WDS

Install using Roles and Features

- Requires RSAT
- Enables PXE Use
- Deployment Methods
- WDS Service must be enabled and show green

Configuration Options
- Ensure DHCP, NTFS shares are available
- Decide on PXE boot requests
- Don't forget about WDSUtil

Using WDS
- Add Install Images and Drivers
- Multicast transmissions
- Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools (Servermanagercmd.exe deprecated)

Deploy and Manage Server Images (1/2)
- Boot, capture, install, discover images
- Boot image is Windows PE + client (boot.wim on media)
- Capture image is used to capture a reference computer to use for your install image
- Install image is what you deploy (install.wim on media)
- Discover image when computer can't use PXE (boot to discover image media)

Deploy and Manage Server Images (2/2)
- Update images - patches/hotfixes/drivers/features
- Mount the offline image:
  DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
- Add package or driver to image:
  DISM /Image:<temppath> /Add-Package /PackagePath:<path>
  DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
- Commit the changes and unmount:
  DISM /Unmount-Image /MountDir:<temppath> /Commit
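As an added example (not part of the slides or the presenter's material), the same offline servicing sequence written as a PowerShell script using the DISM module that ships with Windows 8 / Windows Server 2012. The image path, mount folder, package file, driver folder, image index and feature name are placeholders; the point it adds over the raw dism.exe switches is that a failed step discards the mount instead of committing a half-serviced image.

```powershell
# Added example (not from the slides): service an offline install image with the DISM
# PowerShell module. Paths, index and feature name below are placeholders.
Import-Module Dism

$ImagePath   = 'D:\Images\install.wim'     # placeholder: image to service
$MountDir    = 'C:\mount'                  # placeholder: empty mount folder
$PackagePath = 'D:\Updates\update.msu'     # placeholder: hotfix to inject (.msu or .cab)
$DriverDir   = 'D:\Drivers'                # placeholder: folder of INF-based drivers
$Index       = 1                           # image index inside the WIM
$Feature     = 'TelnetClient'              # placeholder: list names with Get-WindowsOptionalFeature -Path

# List the images in the WIM so the index is chosen deliberately, not guessed.
Get-WindowsImage -ImagePath $ImagePath | Select-Object ImageIndex, ImageName

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

try {
    # Equivalent of: DISM /Mount-Image /ImageFile:<path> /Index:1 /MountDir:<temppath>
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ErrorAction Stop

    # Equivalent of: DISM /Image:<temppath> /Add-Package /PackagePath:<path>
    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath -ErrorAction Stop

    # Equivalent of: DISM /Image:<temppath> /Add-Driver /Driver:<path> /Recurse
    # Unsigned drivers are rejected unless -ForceUnsigned is given; leave it off so
    # only signed drivers end up in the deployment image.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse -ErrorAction Stop

    # Enable a Windows feature inside the offline image (no DISM /Online here: the
    # target is the mounted image, not the running OS).
    Enable-WindowsOptionalFeature -Path $MountDir -FeatureName $Feature -ErrorAction Stop

    # Equivalent of: DISM /Unmount-Image /MountDir:<temppath> /Commit
    Dismount-WindowsImage -Path $MountDir -Save -ErrorAction Stop
}
catch {
    Write-Warning "Servicing failed: $($_.Exception.Message). Discarding changes."
    # Leave the original WIM untouched rather than committing a partial result.
    Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue
    throw
}
```

Run it from an elevated prompt on a machine with the DISM module; the try/catch is what keeps a failed Add-WindowsPackage from leaving a mounted, dirty image behind.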

Install WSUS role
- DISM /Online /Enable-Feature /FeatureName:<feature-name> (list feature names with dism /online /get-features)
- Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

GPOs, client side targeting
- Server-side targeting (default)
- Client-side targeting (typically GPO)
- Watch for non-domain joined clients or the manual step of creating groups in WSUS

Synchronization and WSUS groups
- Synchronization – downloading updates from an upstream server
- Watch for proxy server issue, firewall issue, or BITS issue
- WSUS groups – used for targeting updates to group computers
- Watch for client computers not showing up in the computer list

Implement Patch Management

Monitor Servers: Data Collector Sets

Concepts to know…
- Collect performance over a given time
- Excellent for baselines
- Performance but also event trace, system configuration (registry)
- Several default DCS
- Can create DCS from current counters
- Can create Templates

Key Tips to Know
- ImageX, Package Manager and OCSetup – Deprecated
- Automatic Approvals for WSUS
- Boot, capture, install, discover images
- Know your WDS Options with DHCP
- PXE is a driving factor for deployments
- Deploy & Capture Images
- Update images - patches/hotfixes/drivers/features
- Installing Features for Offline Images

Exam Updates for R2: Deploy, manage, and maintain servers

Deploy and manage server images
- Tasks currently measured: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images
- Task changed/added since January 2014: Configure driver groups and packages

Implement patch management
- Tasks currently measured: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups
- Task changed/added since January 2014: Manage patch management in mixed environments

Monitor servers
- Tasks currently measured: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring
- Task changed/added since January 2014: Schedule performance monitoring

Exam Prep Question

Your network contains a Microsoft Windows Deployment Services (WDS) server. You have added a custom image named CustomWin8.wim to the server. After creating and adding the custom image to the WDS server, you decide that the image is missing a feature. You mount the image to the c:\mount folder. You need to add the Telnet Client feature to the CustomWin8.wim image. What should you do?

A. Run the command imagex /apply C:\mount\CustomWin8.wim 1 D:\
B. Run the command dism /Image:C:\mount /Enable-Feature /FeatureName:TelnetClient
C. Run the command dism /Image:CustomWin8.wim /Enable-Feature /FeatureName:TelnetClient
D. Run the command imagex /image:C:\mount /Enable-Features /FeatureName:TelnetClient

Configure File and Print Services

Configure Distributed File System (DFS)

Configure File Server Resource Manager (FSRM)

Configure file and disk encryption

Configure advanced audit policies

Configure DFS (1/2)

Overview
- DFS Replication and DFS Namespaces are role services (rolling up to File and Storage Services role)
- Know what's new: PowerShell module, WMI mgmt., site awareness for DirectAccess, dedupe
- Know what's deprecated: dfscmd, FRS

Install and configure DFS Namespaces
- Domain-based namespace
- Stand-alone namespace
- Get familiar with DfsnRoot & DfsnFolder for PowerShell
- Requires the management of referrals

Configure DFS (2/2)

Configure DFS Replication Targets
- Keep folders in sync, use the Replicate Folder wizard to configure
- Config changes must replicate via AD DS and then each namespace server must poll a DC for the config change (speed it up by forcing AD DS replication and then running the dfsrdiag.exe PollAD /Member:Contoso\Server01 command)

Configure Replication Scheduling
Create replication group:
1. Multipurpose or data collection
2. Hub and spoke, full mesh, or no topology
3. Replicate continuously (select bandwidth limits if desired)
4. Replicate during specific days/times (can set bandwidth to use per time slot)

- Watch for staging folder size issues (if too small, high CPU or slow replication will result)
- Use a different physical disk for staging folder for improved I/O

Configure FSRM (1/2)

Install FSRM
- Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Configure Quotas
- Configure quotas on specific folder or on a path (which handles newly created folders)
- Hard (users cannot exceed) or soft (users can exceed, used for monitoring)
- Built-in templates which can be used to create a quota or to create a new customized template
- When quota threshold met, option to send email, log event, run command, or generate report
- Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)

Configure FSRM (2/2)

Configure File Screens
- Active screening (cannot save unauthorized files)
- Passive screening (can save unauthorized files, used for monitoring)
- Built-in templates (block audio/video files, e-mail files, executable files, images, monitor exe/system)
- Be wary of deprecated filescrn.exe
- Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate

Configure Reports
- Run reports on demand – DHTML, HTML, XML, CSV, or text
- Built-in reports – duplicate files, file screen audit, files by file group, files by owner, files by property, folders by property, large files, least recently accessed files, most recently accessed files, quota usage
- Set scheduled reports and have reports emailed to admin(s)
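As an added example (not from the slides), the quota and file-screen items above as one FileServerResourceManager module script: a hard quota template with email and event-log actions at two thresholds, applied as an auto quota on a parent path so new user folders are covered automatically, plus an active screen that blocks executables. The share path and template name are placeholders; the bracketed [Quota ...] and [Admin Email] tokens are FSRM's own notification variables.

```powershell
# Added example (not from the slides): FSRM quota template, auto quota and file screen
# on Windows Server 2012. Share path and template name are placeholders.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Users'     # placeholder: parent folder of per-user folders
$Template  = 'Home folder 5 GB'    # placeholder template name

# Notification actions reused by the thresholds: email the configured admin, and log an event.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
            -Subject 'Quota threshold reached on [Quota Path]' `
            -Body 'User [Source Io Owner] is at [Quota Used Percent]% of the [Quota Limit] quota.'
$event = New-FsrmAction -Type Event -EventType Warning -Body 'Quota threshold reached on [Quota Path]'

# Warn at 85 %, and at 100 % also write an event so monitoring picks it up.
$warn = New-FsrmQuotaThreshold -Percentage 85  -Action $mail
$full = New-FsrmQuotaThreshold -Percentage 100 -Action $mail, $event

# Hard quota template (users cannot exceed 5 GB). Add -SoftLimit for a monitoring-only quota.
New-FsrmQuotaTemplate -Name $Template -Size 5GB -Threshold $warn, $full | Out-Null

# Auto quota on the path: every existing and newly created subfolder gets its own quota from
# the template (the "on a path" case on the slide, versus a quota on one specific folder).
New-FsrmAutoQuota -Path $SharePath -Template $Template | Out-Null

# Active file screen using the built-in "Executable Files" group; -Active:$false would make
# it passive (save allowed, event logged) for a monitoring phase before enforcing.
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Executable Files' -Active `
    -Description 'Block executables in home folders' | Out-Null

# Show what is now in force for the path.
Get-FsrmAutoQuota  -Path $SharePath | Select-Object Path, Template
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, IncludeGroup, Active
```

The deprecated dirquota.exe and filescrn.exe tools the slide warns about are not needed anywhere in this flow; everything is done through the Fsrm* cmdlets.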

Configure file and disk encryption (1/3)

New Features
- BitLocker provisioning (can enable BitLocker prior to deploying Windows 8 via WinPE)
- Encrypt only used disk space (faster overall and takes only seconds for Windows 8 deployments)
- Change PIN and password by standard users (no longer require admin rights)
- Support for encrypted hard drives (encryption offloaded to the hard drive)

Configure BitLocker encryption
- TPM version 1.2 or higher (required for provisioning prior to operating system deployment)
- TPM owner authorization – separate object new for Windows 8 – requires AD schema update
- Add BitLocker Drive Encryption feature, Enable-BitLocker (need volume/encryption method/key protector)

Configure file and disk encryption (2/3)

Configure the Network Unlock feature (new)
- Install the BitLocker Network Unlock feature, WDS on Windows Server 2012, separate DHCP, UEFI DHCP drivers, PKI for issuing certificate (or self-signed certificate), Group Policy configured
- For TPM+PIN systems, Network Unlock allows a form of two-factor authentication without user intervention when booting (on untrusted networks, TPM+PIN is used)

Configure BitLocker policies (Win8 or Win2012)
- Choose drive encryption method and cipher strength
- Configure use of hardware-based encryption for *** drives (fixed/operating/removable)
- Enforce drive encryption type on *** drives – Full/Used only
- Allow network unlock at startup
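As an added example (not from the slides), the Enable-BitLocker step above in the order a defender wants it: escrow a recovery password to AD DS first, and only then start used-space-only encryption with the TPM as the startup protector. It assumes the BitLocker Drive Encryption feature and a ready TPM 1.2+ on the machine, and that the "Store BitLocker recovery information in Active Directory Domain Services" policy is configured so the backup step succeeds; the drive letter is a placeholder.

```powershell
# Added example (not from the slides): enable BitLocker on the OS volume with recovery
# information escrowed to AD DS before encryption starts. Drive letter is a placeholder.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$OsDrive = 'C:'

# Pre-flight: the TPM must be present and ready, otherwise -TpmProtector fails later.
if (-not (Get-Tpm).TpmReady) { throw 'TPM is not present or not ready; fix firmware/ownership first.' }

# 1. Add a recovery password protector and back it up to AD DS *before* encrypting.
#    Stop if escrow fails: a volume whose only key is the TPM is a data-loss risk.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop

# 2. Encrypt: TPM startup protector, AES-256, used space only (the fast Windows 8 / 2012 path
#    from the slide). The default hardware test reboot is kept so a TPM/firmware mismatch is
#    caught before the volume is locked.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -UsedSpaceOnly -TpmProtector

# 3. Verify protectors and progress.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

On Windows Server 2012 / Windows 8 the available -EncryptionMethod values are Aes128 and Aes256; the XTS variants only exist on later releases.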

Configure file and disk encryption (3/3)

Configure the EFS recovery agent
- Obtain a certificate for File Recovery for a data recovery agent user account
- Add data recovery agent (DRA) by editing GPO:
  Add from AD DS if certificates are published in AD DS (default not published)
  Add from .cer files if not published in AD DS

Manage EFS and BitLocker certificates including backup and restore
- For certificates, can enable archiving on the certificate templates to allow recovery
- DRA can have a self-signed certificate which is backed up with standard backup methods
- Windows 7 requires permissions update to ms-TPM-OwnerInformation for TPM owner info backup
- Back up BitLocker recovery info to AD DS GPO setting (Pre-2008 requires schema extension)

Configure advanced audit policies (1/2)

Implement auditing using Group Policy and AuditPol.exe
- Know difference between basic Audit Policy settings and advanced Audit Policy settings
- To manually enable Advanced Audit subcategory auditing (high overhead for widespread use):
  auditpol /set /subcategory:"RPC Events" /success:enable
- Auditpol has a /backup switch and a /restore switch

Global object access auditing (for file system or registry – automatically applies to all objects)
- For Global auditing, watch for situations that don't also enable Audit File System and Audit Registry audit policy settings (required)
- Advanced Audit Policy settings take precedence over basic Audit Policy settings

Configure advanced audit policies (2/2)

Create expression-based audit policies
- Audit anybody not in Payroll that tries to access the sensitive payroll spreadsheets (can be set directly on a file/folder or in global policy), can be combined with Dynamic Access Control

Create removable device audit policies
- Requires Windows 8 or Windows Server 2012
- Logs event when users attempt to access a removable storage device (Audit Removable Storage)
- Can also log removable storage device events (Audit Handle Manipulation)
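As an added example (not from the slides), a PowerShell wrapper around auditpol.exe that does what the two audit slides describe in a safe order: back up the effective policy, enable the subcategories that Global Object Access Auditing and removable-device auditing depend on, then read the settings back in CSV form. The backup path is a placeholder; the subcategory names are the real auditpol names.

```powershell
# Added example (not from the slides): set advanced audit subcategories with auditpol,
# with a backup first so the change is reversible. Run elevated. Backup path is a placeholder.
$Backup = 'C:\Temp\auditpol-before.csv'   # placeholder
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

# auditpol /backup writes the whole effective policy (every subcategory) to CSV.
auditpol /backup "/file:$Backup"
if ($LASTEXITCODE -ne 0) { throw "auditpol backup failed (exit $LASTEXITCODE)" }

# "File System" and "Registry" must be on for Global Object Access Auditing SACLs to
# produce events (the slide's required-settings note); "Removable Storage" is the
# Windows 8 / 2012 removable-device policy; "Logon" is added for context in the same run.
$subcategories = @(
    @{ Name = 'File System';       Success = 'enable'; Failure = 'enable' }
    @{ Name = 'Registry';          Success = 'enable'; Failure = 'enable' }
    @{ Name = 'Removable Storage'; Success = 'enable'; Failure = 'enable' }
    @{ Name = 'Logon';             Success = 'enable'; Failure = 'enable' }
)

foreach ($s in $subcategories) {
    # Build the argument list so names with spaces are passed as a single argument.
    $apArgs = '/set', "/subcategory:$($s.Name)", "/success:$($s.Success)", "/failure:$($s.Failure)"
    auditpol @apArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($s.Name)'" }
}

# Read back the effective value of each subcategory (/r = CSV, parseable with ConvertFrom-Csv).
$effective = foreach ($s in $subcategories) {
    auditpol /get "/subcategory:$($s.Name)" /r | ConvertFrom-Csv
}
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Settings pushed through Advanced Audit Policy Configuration in a GPO override these local
# values at the next refresh, so this is a lab or break-glass change, not a deployment method.
# Revert with:  auditpol /restore /file:C:\Temp\auditpol-before.csv
```

The Inclusion Setting column will read "Success and Failure" for each of the four entries once the loop has run; the GPO precedence caveat in the last comment is the same one the slide makes about advanced settings overriding basic ones.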

Exam Updates for R2:

Configure Distributed File System (DFS)
- Tasks currently measured: Install and configure DFS namespaces; configure DFS Replication Targets; configure Replication Scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance
- Task changed/added since January 2014: Clone a DFS database; recover DFS databases; optimize DFS replication

Configure File Server Resource Manager (FSRM)
- Tasks currently measured: Install the FSRM role; configure quotas; configure file screens; configure reports
- Task changed/added since January 2014: Configure file management tasks

Configure File and Print Services

Exam Prep Question

You are the system administrator for Contoso, Ltd. You manage an Active Directory Domain Services (AD DS) domain. All servers run Windows Server 2008 R2. The forest functional level is set to Windows Server 2003. The domain functional level is set to Windows Server 2008. You are preparing to deploy DFS. The deployment must meet the following requirements:

- Users must not be able to see folders that they do not have access to
- Users must be able to create 3,000 total folders
- Minimize changes to the environment

You need to deploy DFS to meet the requirements. What should you do?

A. Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone DFS namespace.
B. Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-based DFS namespace by deselecting DFS Windows Server 2008 mode.
C. Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
D. Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.

Configure Network Services and Access

Configure DNS zones

Configure DNS records

Configure VPN and routing

Configure DirectAccess

Configure DNS zones (1/2)

Configure primary and secondary zones
- Primary zone can be stored in file or in AD DS – authoritative source for the zone
- Secondary zone cannot be stored in AD DS and is a read-only copy of a primary zone

Configure stub zones
- Stub zone used to identify authoritative DNS servers for a zone – useful in a merger/acquisition
- Watch for scenarios that offer stub zone and conditional forwarding as potential solutions
- Stub zones best when needing to dynamically maintain authoritative DNS servers for child zone

Configure conditional forwarders
- Forwards to specific DNS servers which can then build up a cache for efficient resolution
- Often the best solution for merger/acquisition but can also speed up internal name resolution

DNS = system
- DNS = host name resolution
- Forward and reverse lookups
- Types of DNS: Primary, secondary, Active Directory-Integrated, and stub zones
- For AD-Integrated, what is the domain partition, forestDNSZone, and domainDNSZone? Hint: replication scope
- Records = SOA, NS, A, CNAME, PTR, SRV, and MX
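As an added example (not from the slides), the zone types listed above created with the DnsServer module on Windows Server 2012, including the replication-scope choice the "hint" refers to. Domain names, zone file names and the 192.0.2.x addresses are lab placeholders (the documentation address range); the AD-integrated zones need a DNS server that is also a domain controller.

```powershell
# Added example (not from the slides): create primary, secondary, stub and conditional
# forwarder zones with the DnsServer module. Names and addresses are placeholders.
Import-Module DnsServer

# AD-integrated primary zone. -ReplicationScope selects the application partition that
# stores the zone (the slide's hint):
#   Domain -> DomainDnsZones  (every DNS server that is a DC in this domain)
#   Forest -> ForestDnsZones  (every DNS server that is a DC in the forest)
#   Legacy -> the domain partition itself (all DCs in the domain, Windows 2000 compatible)
# Secure dynamic updates are the reason to store a zone in AD DS in the first place.
Add-DnsServerPrimaryZone -Name 'corp.contoso.com' -ReplicationScope Forest -DynamicUpdate Secure

# File-backed primary zone (not in AD DS) and a secondary, read-only copy pulled from a master.
Add-DnsServerPrimaryZone   -Name 'lab.contoso.com' -ZoneFile 'lab.contoso.com.dns' -DynamicUpdate None
Add-DnsServerSecondaryZone -Name 'partner.fabrikam.com' -ZoneFile 'partner.fabrikam.com.dns' `
    -MasterServers 192.0.2.10

# Stub zone: holds only the SOA, NS and glue records of the child zone and refreshes them from
# the master, so the list of authoritative servers is maintained automatically.
Add-DnsServerStubZone -Name 'child.corp.contoso.com' -MasterServers 192.0.2.20 -ReplicationScope Forest

# Conditional forwarder: every query for the acquired company's namespace goes straight to its
# DNS servers; this server then caches the answers.
Add-DnsServerConditionalForwarderZone -Name 'acquired.example' -MasterServers 192.0.2.30, 192.0.2.31 `
    -ReplicationScope Forest

# Two records in the AD-integrated zone: a host (A) and an alias (CNAME) pointing at it.
Add-DnsServerResourceRecordA     -ZoneName 'corp.contoso.com' -Name 'web01'    -IPv4Address 192.0.2.50
Add-DnsServerResourceRecordCName -ZoneName 'corp.contoso.com' -Name 'intranet' -HostNameAlias 'web01.corp.contoso.com'

# Review the result: zone type, whether it lives in AD DS, and in which partition.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope | Format-Table -AutoSize
```

The stub zone and the conditional forwarder solve the same merger scenario differently: the stub zone learns the authoritative servers dynamically, the forwarder needs the server list maintained by hand, which is the distinction the exam scenarios turn on.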

Exam Content: Deploy and Configure Network Services

Windows Server 2012 Network Services
- IPv4 & IPv6 addressing
- DHCP – failover, name protection
- DNS – zones, records, DNSSEC
- IPAM
- VPN & routing
- DirectAccess

VPN and Routing

Install and configure the Remote Access role
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard

Implement Network Address Translation (NAT)
- Need two interfaces prior to enabling via wizard

Configure VPN settings
- For SSTP, need to select the proper SSL certificate post install

Configure remote dial-in settings for users
- Default in AD is control access through NPS Network Policy
- Need to adjust policy or create new policy in order to allow users in

Configure routing
- IPv4 and IPv6 static routes, DHCP relay, need to enable router for protocol

DirectAccess (1/2)

Implement server requirements
- No longer require PKI (can use Kerberos proxy over HTTPS instead along with port 443)
- New simplified deployment but then won't get force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
- Can use a single NIC card behind NAT (Windows Server 2012 required)
- Remote access servers and all client computers must be domain members
- IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)

Implement client configuration
- Need to have security groups in place and then create GPOs

DirectAccess (2/2)

Configure DNS for DirectAccess
- Name Resolution Policy Table (NRPT) – used to send specific queries to specific DNS servers (otherwise, use normal name resolution) – Windows 7 or later required (config via GPO)

Configure certificates for DirectAccess
- If using internal CA or self-signed certificate, CRL distribution point must be available externally
- Can't use self-signed cert in a multi-site environment
- Internal PKI is required if Kerberos proxy over HTTPS not available/possible

Exam Updates for R2:

Configure VPN and routing
- Tasks currently measured: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing
- Task changed/added since January 2014: Configure Web Application proxy in pass-through mode

Configure Network Services and Access

Exam Prep Question

You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoy.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com. What should you do?

A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
D. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.

Configure a Network Policy Server Infrastructure

Configure Network Policy Server (NPS)

Configure NPS policies

Configure Network Access Protection (NAP)

Configure NPS (1/2)

Configure multiple RADIUS server infrastructures
- 5 parts – access clients (laptops), access servers (VPN/wireless devices), NPS servers (RADIUS server), NPS proxies (RADIUS proxy, fault tolerance by using two with one being a backup, domain membership optional, use NETSH to copy config from one proxy to another), user account DBs (such as AD DS)

Configure RADIUS clients
- Required: shared secret, friendly name, FQDN or IP; optional is vendor info (e.g. Cisco)

Manage RADIUS templates
- Watch for questions involving administrative overhead as that may indicate the creation of a template or use of existing template.

Configure NPS (2/2)

Configure RADIUS accounting
- Can log to SQL DB, text file on local computer, both simultaneously, or SQL with text file logging for failover (if SQL logging fails, continue to log via text file)
- If logging stops (out of disk, SQL down), users can't get in (watch for situations that call out default install and sudden loss of functionality – could be out of disk space, consider moving logging to non-system disk)

Configure certificates
- Certificate-based auth - NPS servers need a server certificate
- Minimize administrative overhead in large environment – autoenrollment

Configure NPS policies (1/2)

Configure connection request policies
- Policies have conditions such as connection type, day/time, network, computer
- Useful to authenticate untrusted domain (proxy policy first in the policy order) while still authenticating locally via NPS (to AD DS)
- If no local processing by NPS, then server is a proxy (can forward one place or multiple)

Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
- Watch for default installation on encryption as all encryption options are enabled (40-bit, 56-bit, 128-bit)
- Can use IP filters to enhance security, limit traffic type (IPv4 and IPv6)

Configure NPS policies (2/2)

Manage NPS templates
- Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filter, health policies, and remediation server groups (minimize administrative overhead, speed up deployment)
- Can export templates to .XML file and import to another server

Import and export NPS policies
- Can use NETSH or Export-NpsConfiguration to export entire NPS server config including policies
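As an added example (not from the slides), the RADIUS-client and export items above with the NPS module on Windows Server 2012: register an access server with a randomly generated shared secret, export the whole configuration for the backup proxy the earlier slide mentions, and lock down the export file. The client name, address and file path are placeholders.

```powershell
# Added example (not from the slides): add a RADIUS client and export the NPS configuration
# for a second (backup) proxy. Client name, address and export path are placeholders.
Import-Module NPS

# The shared secret is the only thing authenticating the access server to NPS, so generate a
# long random one from the system CSPRNG rather than typing one. RADIUS secrets are printable
# ASCII; the double quote is excluded to avoid quoting problems in netsh/XML.
$pool  = 33..126 | ForEach-Object { [char]$_ } | Where-Object { $_ -ne '"' }
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $pool[$_ % $pool.Count] })   # 32 chars, slight modulo bias

# Required fields from the slide: friendly name, FQDN or IP, shared secret; vendor is optional.
New-NpsRadiusClient -Name 'WLC-01' -Address '192.0.2.40' -SharedSecret $secret -VendorName 'RADIUS Standard' | Out-Null

# Export everything (clients, templates, connection request and network policies) so the
# backup proxy can be made identical with: Import-NpsConfiguration -Path <file>
$Export = 'C:\Secure\nps-config.xml'   # placeholder
New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null
Export-NpsConfiguration -Path $Export

# The export contains every shared secret in clear text: strip inherited ACEs, leave only
# Administrators and SYSTEM, and delete the file once the other server has imported it.
icacls $Export /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null

Get-NpsRadiusClient | Select-Object Name, Address, Enabled, VendorName | Format-Table -AutoSize
```

The secret itself is only in the $secret variable and the export file; hand it to the access server out of band and do not log it.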

Configure NAP (1/2)

Configure System Health Validators (SHVs)
- One default SHV – Windows Security Health Validator – can require specific firewall settings, antivirus settings, spyware protection, automatic updates settings
- If noncompliant with SHV, can restrict network access or remediate
- Windows XP does not have spyware protection settings available

Configure health policies
- Policy dictates how many SHV checks must be passed or failed
- Health policies are added to network policies (NPS) to ascertain who should gain access

Configure NAP enforcement using DHCP and VPN
- Non-compliant devices – full access, full access with limited time, limited access
- Limited access usually is tied with remediation servers for updating components for compliance
- If full network + limited time and client subsequently becomes compliant, will be disconnected!

Exam Updates for R2:

Configure Network Policy Server (NPS)
- Tasks currently measured: Configure multiple RADIUS server infrastructures; configure RADIUS clients; manage RADIUS templates; configure RADIUS accounting; configure certificates
- Task changed/added since January 2014: Configure a RADIUS server, including RADIUS proxy; manage configure RADIUS NPS templates

Configure a Network Policy Server Infrastructure

Configure NAP (2/2)

Configure isolation and remediation of non-compliant computers using DHCP and VPN
- Default network policy has automatic remediation enabled by default
- Can add remediation servers and a troubleshooting URL for employees

Configure NAP client settings
- Remember that Group Policy overrides NETSH and NAP Client Configuration console
- Enable tracing: netsh nap client set tracing state = enable
- Use the NAP Client Configuration console to create .xml config file for use in a GPO
- By default, NAP enforcement clients are disabled
- To enforce health policies, must enable at least one NAP enforcement client
- IPsec – need to configure NAP health registration authority settings

Configure and Manage Active Directory

Configure service authentication

Configure Domain Controllers

Maintain Active Directory

Configure account policies

Configure service authentication (1/2)

Create and configure Service Accounts
- Used to enhance security but the pain point is the password management and SPN mgmt.

Create/configure Group Managed Service Accounts
- Must create/configure on a server running Windows Server 2012 or on a Windows 8 computer
- Automated password management and can be used across multiple servers
- Minimum of one DC that runs Windows Server 2012
- Before you begin, must create KDS Root Key: Add-KDSRootKey -EffectiveImmediately
- New-ADServiceAccount and Set-ADServiceAccount

Create and configure Managed Service Accounts
- Introduced in Windows Server 2008 R2 / Windows 7
- New-ADServiceAccount with the -RestrictToSingleComputer parameter
- Automated password management and can be used on a single server
- Not supported for scheduled tasks, Exchange, SQL

Configure service authentication (2/2)

Configure Kerberos delegation
- IIS may require the Trust this computer for delegation to any service (Kerberos only) option

Manage Service Principal Names (SPNs)
- SetSPN (note that it cannot register duplicate names in a domain in Windows Server 2012)
- Format: <service type>/<instance name>:<port number>/<service name>
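As an added example (not from the slides), the gMSA and SPN items above as one ActiveDirectory-module script: create the KDS root key if it is missing, check that the SPN is not already registered elsewhere (the duplicate case the SetSPN note warns about), create a gMSA that only one computer group may use, and show the commands each member server runs. The account, group, host and SPN names are placeholders, and a Windows Server 2012 DC is assumed.

```powershell
# Added example (not from the slides): group Managed Service Account for a web farm with an
# SPN duplicate check. Names are placeholders; needs a Windows Server 2012 DC and RSAT AD module.
Import-Module ActiveDirectory

$Gmsa  = 'gmsa-web'                       # placeholder account name (15 chars max)
$Group = 'WebServers'                     # placeholder group of the host computer accounts
$Spn   = 'HTTP/intranet.contoso.com'      # placeholder: <service type>/<instance name>

# One-time per forest: the KDS root key that DCs derive gMSA passwords from.
# -EffectiveImmediately still needs ~10 hours of replication before all DCs can serve it;
# a lab can backdate it with -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Duplicate SPNs break Kerberos (the KDC cannot pick one account), so query the domain first.
# setspn -Q prints "Existing SPN found!" when some account already holds the SPN.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') { throw "SPN $Spn is already registered:`n$($query -join "`n")" }

# The gMSA: AD rotates the password automatically; only members of $Group can retrieve it.
New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $Group `
    -ServicePrincipalNames $Spn -Enabled $true

# On each web server (not on the DC), after the computer has been added to $Group and rebooted:
#   Install-ADServiceAccount -Identity 'gmsa-web'    # lets the host retrieve the password
#   Test-ADServiceAccount    -Identity 'gmsa-web'    # True when the host can use the account
# Then configure the service/app pool to run as CONTOSO\gmsa-web$ with an empty password.

# Review: no password ever exists for an administrator to know or to put in a script.
Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, ObjectClass, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```

For the older per-server MSA from the slide, the same New-ADServiceAccount call takes -RestrictToSingleComputer instead of -PrincipalsAllowedToRetrieveManagedPassword.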

Configure Domain Controllers (1/2)

Configure Universal Group Membership Caching
- Eliminates dependency on GC during logons
- Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='32'}

Transfer and seize operations masters
- NTDSUTIL can transfer and seize roles
- Move-ADDirectoryServerOperationMasterRole for transfer, use -Force for seize

Install and configure an RODC
- Cannot upgrade writable DC to RODC
- Staged installation – delegate installation to non-Domain Admin at remote site (+IFM for speed)

Configure Domain Controllers (2/2)

Configure Domain Controller cloning
- VM-GenerationID (supported on Hyper-V on 2012 and VMware 5.0 and later)
- Source VM must be 2012, PDC emulator must be 2012

1. Add the source DC to the Cloneable Domain Controllers group
2. Run New-ADDCCloneConfigFile to create the DCCloneConfig.xml file (IP info, site info)
3. Export source DC (Hyper-V or Export-VM cmdlet)
4. Import the VM (Hyper-V or Import-VM cmdlet)

- DefaultDCCloneAllowList.xml contains a list of services that are supported for cloning (watch out for unsupported services such as DHCP)
- CustomDCCloneAllowList.xml is for custom services that you are sure about

See http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx (the entire series is valuable)
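As an added example (not from the slides), the four cloning steps above as PowerShell run on the source virtual DC, with the check for unsupported applications that the allow-list note describes. It assumes Hyper-V on Windows Server 2012, a 2012 PDC emulator, and placeholder VM names, addresses and export paths; the Export-VM / Import-VM lines run on the Hyper-V host.

```powershell
# Added example (not from the slides): clone a virtualized DC. Run on the source DC unless
# noted. VM names, IP addresses and paths are placeholders.
Import-Module ActiveDirectory

$Source = 'DC02'   # placeholder: virtual DC to clone
$Clone  = 'DC03'   # placeholder: name the clone will take

# 1. Authorize the source DC to be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $Source)

# Anything installed that is not on DefaultDCCloneAllowList.xml blocks cloning. DHCP is the
# classic unsupported case: remove it, or (only when you are sure the service is clone-safe)
# run Get-ADDCCloningExcludedApplicationList -GenerateXml to write CustomDCCloneAllowList.xml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Unsupported applications/services present; resolve them before cloning.'
}

# 2. Write DCCloneConfig.xml with the clone's identity. Without it, the clone takes a DHCP
#    address and a generated name, which is rarely what a DC should have.
New-ADDCCloneConfigFile -CloneComputerName $Clone -Static `
    -IPv4Address '192.0.2.13' -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '192.0.2.1' `
    -IPv4DNSResolver '192.0.2.11' -SiteName 'Default-First-Site-Name'

# 3. On the Hyper-V host: export the source VM while it is shut down (a running export
#    would capture a DC in mid-transaction).
#      Stop-VM  -Name $Source
#      Export-VM -Name $Source -Path 'D:\Export'
#      Start-VM -Name $Source

# 4. On the Hyper-V host: import as a copy with a new VM ID. The new VM-GenerationID is what
#    makes the clone detect at first boot that it is a copy and run the clone process instead
#    of coming up as a duplicate DC02 (USN rollback risk).
#      Import-VM -Path 'D:\Export\DC02\Virtual Machines\<vm-config-file>' -Copy -GenerateNewId `
#                -VhdDestinationPath 'D:\VMs\DC03' -VirtualMachinePath 'D:\VMs\DC03'
```

If DCCloneConfig.xml is present but the VM-GenerationID did not change (for example an in-place copy without -GenerateNewId), the imported VM boots as the original DC rather than as a clone; the cloning process only triggers on a changed generation ID.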

Maintain Active Directory (1/2)

Back up Active Directory and SYSVOL
- wbadmin start systemstatebackup -backuptarget:e: (this includes SYSVOL)

Manage Active Directory offline
- Stop the Active Directory Domain Services service (Services console or Stop-Service cmdlet)
- Can perform offline defrag (or other maintenance) and then start the service

Optimize an Active Directory database
- LDIFDE can be used to manually kick off a garbage collection process (free up space inside)
- NTDSUTIL can compact ntds.dit file (need adequate disk space to hold second copy of .dit file)

Maintain Active Directory (2/2)

Clean up metadata
- Since 2008, deletion of DC from default OU results in automatic metadata cleanup
- Deletion of DC's NTDS Settings from Sites & Services also results in automatic metadata cleanup
- Otherwise – ntdsutil, metadata cleanup, remove selected server <DN of DC>

Configure Active Directory snapshots
- Ntdsutil, snapshot, activate instance ntds, create

Perform object- and container-level recovery
- Ntdsutil or Restore-ADObject (need Recycle Bin to get the link-valued attributes)
- Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target DomainName -Server DomainControllerName

Perform Active Directory restore
- Authoritative vs. non-authoritative (watch for situations where you restore and the objects get subsequently deleted after the restore)
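As an added example (not from the slides), object- and container-level recovery with the Recycle Bin: enable the feature once, list what is in the Deleted Objects container, restore a single user, then restore a deleted OU followed by its children. It assumes the ActiveDirectory module, forest functional level Windows Server 2008 R2 or higher, and placeholder domain, DC, user and OU names.

```powershell
# Added example (not from the slides): AD Recycle Bin enablement and object/container recovery.
# Domain, DC, user and OU names are placeholders.
Import-Module ActiveDirectory

$Domain = 'corp.contoso.com'   # placeholder
$Dc     = 'DC01'               # placeholder
$User   = 'jdoe'               # placeholder SAM account name of the deleted user
$OuName = 'Sales'              # placeholder name of the deleted OU

# Enabling the Recycle Bin is forest-wide and irreversible; skip it if already on.
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $Domain -Server $Dc -Confirm:$false
}

# Deleted objects keep their attributes (including linked values such as group membership)
# for the deleted-object lifetime only while the Recycle Bin is enabled. List them:
Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Object-level recovery: restore one user. The -and isDeleted guard avoids piping a live
# object of the same name into Restore-ADObject.
Get-ADObject -Filter { sAMAccountName -eq $User -and isDeleted -eq $true } -IncludeDeletedObjects |
    Restore-ADObject

# Container-level recovery: the parent must exist before its children can be restored, so
# restore the OU first, then everything whose lastKnownParent was that OU's deleted DN.
$ouDeleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "organizationalUnit" -and name -like $OuName } `
    -IncludeDeletedObjects | Select-Object -First 1
if ($ouDeleted) {
    $deletedOuDn = $ouDeleted.DistinguishedName        # capture before the restore renames it
    Restore-ADObject -Identity $ouDeleted.ObjectGUID
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $deletedOuDn } -IncludeDeletedObjects |
        Restore-ADObject
}
```

A deleted OU's name in the Deleted Objects container is "Sales\0ADEL:<guid>", so the -like comparison with the plain name "Sales" works because -like treats the whole string as the pattern; tighten it to "Sales\0ADEL*" if several OUs share a prefix.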

Configure account policies (1/2)

Configure domain user password policy
- Without fine-grained, one password and one lockout policy per domain
- Configure via GPO

Configure and apply Password Settings Objects
- New-ADFineGrainedPasswordPolicy – apply to user or groups (not OU)
- Active Directory Administrative Center

Delegate password settings management
- Can delegate ability to apply a PSO to user or group (Write Property permissions on the PSO)

Configure account policies (2/2)

Configure local user password policy
- Can use a GPO linked to an OU with the computer objects

Configure account lockout settings
- "Account lockout duration" setting set to 0 means an administrator must unlock locked accounts
- "Account lockout threshold" setting set to 0 means an account will never get locked out
- "Reset account lockout counter after" setting resets the number of failed logon attempts
- Watch for requirements such as minimizing calls to the Help Desk, maintaining the highest level of security, or situations where a Denial of Service (DoS) is occurring
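As an added example (not from the slides), the domain-wide policy and a fine-grained Password Settings Object side by side with the ActiveDirectory module: read the current defaults, set a lockout configuration that self-clears (the help-desk-call trade-off on the slide), then apply a stricter PSO to a privileged group and check which policy a given user actually gets. The PSO, group and user names are placeholders and a domain functional level of Windows Server 2008 or higher is assumed.

```powershell
# Added example (not from the slides): domain password/lockout policy plus a stricter PSO for
# privileged accounts. PSO, group and user names are placeholders.
Import-Module ActiveDirectory

# Baseline: the single domain-wide policy that the Default Domain Policy GPO defines.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Lockout trade-offs from the slide:
#   LockoutThreshold 0        -> accounts never lock (no lockout DoS, no brute-force brake)
#   LockoutDuration  0        -> locked until an administrator unlocks (highest security, more help-desk calls)
#   LockoutDuration  00:30:00 -> clears itself after 30 minutes (fewer help-desk calls)
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

# PSO for administrators: longer passwords and a tighter lockout. Lower Precedence wins when a
# user matches several PSOs; subjects are users and global security groups, never OUs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '01:00:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Resultant policy for one account: a PSO object if one applies, nothing if the domain
# policy applies. This is the check to run when "why did this user lock out" comes in.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe'
if ($resultant) { $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration }
else            { 'Domain default policy applies' }
```

Delegating who may apply the PSO (the slide's Write Property item) is an ACL change on the PSO object under CN=Password Settings Container and is not shown here.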

Exam Updates for R2:

Configure service authentication
- Tasks currently measured: Create and configure Service Accounts; create and configure Group Managed Service Accounts; create and configure Managed Service Accounts; configure Kerberos delegation; manage Service Principal Names (SPNs)
- Task changed/added since January 2014: Configure virtual accounts

Maintain Active Directory
- Tasks currently measured: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore
- Task changed/added since January 2014: Active Directory Recycle Bin

Configure account policies
- Tasks currently measured: Configure domain user password policy; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure local user password policy; configure account lockout settings
- Task changed/added since January 2014: Configure Kerberos Policy settings

Configure and manage Active Directory

Configure and Manage Group Policy

Configure Group Policy processing

Configure Group Policy settings

Manage Group Policy objects (GPOs)

Configure Group Policy preferences

Exam Content: Create and Manage Group Policy

GP options
- Enforce
- Block inheritance
- Loopback – merge, replace
- WMI filters
- ADMX central store
  Allows editing of the ADMX file
  Extends the functionality of GPMC

Group Policy Preferences (GPP)

Exam Content: Create and Manage Group Policy

Deploy software
- Publish to users
- Assign to users
- Assign to computers
- Software removal
- Software Restriction Policies
- AppLocker (Win7 & 2008 R2)

Configure Group Policy processing (1/3)

Configure processing order and precedence
- LSDOU – remember this!
- Link order – 1 is highest (also referred to as the "top of the list")

Configure blocking of inheritance
- Nothing above will apply unless a GPO is enforced

Configure enforced policies
- Right-click a GPO and click Enforced to ensure that the GPO cannot be blocked
- Enforced GPOs also ensure that the settings aren't overwritten by GPOs applied lower in structure

Configure Group Policy processing (2/3)

Configure security filtering and WMI filtering
- Read and Apply Group Policy (AGP) permissions are required for GPO to apply
- Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2012 Datacenter"

Configure loopback processing
- Loopback with Replace – ensures that settings from User Configuration of GPOs that apply to the computer replace the settings that are set in User Configuration of GPOs that apply to the user
- Loopback with Merge – ensures that settings from the User Configuration of GPOs that apply to the computer merge with the settings that are set in User Configuration of GPOs that apply to the user
- Watch for scenarios such as a kiosk or public computer where all users must have the exact same settings on the computer!
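As an added example (not from the slides), the precedence controls from the last two slides applied to the kiosk scenario with the GroupPolicy module: create and link a GPO at the top of the link order, enforce it, block inheritance on the OU, replace the default security filtering with a computer group, and set loopback Replace. The OU, GPO and group names are placeholders.

```powershell
# Added example (not from the slides): link order, enforcement, blocked inheritance, security
# filtering and loopback for a kiosk OU. OU, GPO and group names are placeholders.
Import-Module GroupPolicy

$Ou  = 'OU=Kiosks,DC=corp,DC=contoso,DC=com'   # placeholder
$Gpo = 'Kiosk Lockdown'                        # placeholder
$Grp = 'KioskComputers'                        # placeholder group of kiosk computer accounts

# Create and link. -Order 1 is the "top of the list": highest precedence among this OU's links.
New-GPO -Name $Gpo -Comment 'Loopback replace for shared kiosks' | Out-Null
New-GPLink -Name $Gpo -Target $Ou -LinkEnabled Yes -Order 1 | Out-Null

# Enforce: child OUs cannot block this link, and its settings win over GPOs linked below it.
Set-GPLink -Name $Gpo -Target $Ou -Enforced Yes | Out-Null

# Block inheritance on the OU: nothing linked at site/domain/parent OU applies, except
# enforced GPOs (which is why the two settings are usually discussed together).
Set-GPInheritance -Target $Ou -IsBlocked Yes | Out-Null

# Security filtering: GpoApply grants both Read and Apply Group Policy to the kiosk group.
# Authenticated Users is reduced to Read (not removed) so computers can still read the GPO.
Set-GPPermission -Name $Gpo -TargetName $Grp -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Loopback processing is a Computer Configuration policy; the registry value behind
# "Configure user Group Policy loopback processing mode" is UserPolicyMode (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $Gpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Inspect the effective link list for the OU (returned highest precedence first).
(Get-GPInheritance -Target $Ou).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled | Format-Table -AutoSize
```

With Replace mode, every user logging on to a kiosk computer gets only the User Configuration of GPOs that apply to the computer, which is the "exact same settings for all users" outcome the slide describes.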

Configure Group Policy processing (3/3)

Configure and manage slow-link processing
- Some settings not applied when slow link detected (software installation, folder redirection, etc.)
- Default slow link is less than 500 Kbps
- Computer Configuration\Administrative Templates\System\Group Policy

Configure client-side extension (CSE) behavior
- Allow processing across a slow network connection
- Do not apply during periodic background processing
- Process even if the Group Policy objects have not changed
- Settings can be set on extensions such as Scripts, Security, Registry, or other extensions (note that some only have two options, not all three)

Configure Group Policy settings (1/2)
Configure settings including software installation, folder redirection, scripts, and administrative template settings
- Assign to user: shortcuts appear on the Start menu, but the package is not installed until first use
- Assign to computer: no shortcut is advertised; installation typically happens at computer startup
- Publish to user: available for installation through Add/Remove Programs (Programs and Features)
Import security templates
- Import from the Group Policy Object editor: Computer Configuration\Windows Settings\Security Settings, right-click and choose Import Policy
- "Clear this database before importing" overwrites the existing settings; without it you get a merge

Configure Group Policy settings (2/2)
Import custom administrative template file
- Add/Remove Templates while editing the GPO (Administrative Templates node)
- ADM and ADMX: ADMX cuts down on SYSVOL size because the template is not stored inside each GPO
- ADMX Central Store: SYSVOL\<domain>\Policies\PolicyDefinitions; ADM files are not supported in the Central Store
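Creating the Central Store is a copy job, but the checks afterwards are what save time later. The following is an added example, not from the deck; it assumes it runs on a domain-joined administration workstation that already has the newest ADMX/ADML set under %SystemRoot%\PolicyDefinitions and that en-US is the language in use.

```powershell
# Added example (not from the deck): build or refresh the ADMX Central Store from the local
# PolicyDefinitions folder and verify it. Assumptions: domain-joined admin box with RSAT,
# local ADMX set is the newest one, language en-US.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$source  = Join-Path $env:SystemRoot "PolicyDefinitions"
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$lang    = "en-US"

foreach ($dir in $central, (Join-Path $central $lang)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# /XO copies only files newer than those already in the store; /R:1 /W:1 fails fast on locked files.
robocopy $source $central *.admx /XO /R:1 /W:1 /NFL /NDL /NJH | Out-Null
$rcAdmx = $LASTEXITCODE
robocopy (Join-Path $source $lang) (Join-Path $central $lang) *.adml /XO /R:1 /W:1 /NFL /NDL /NJH | Out-Null
$rcAdml = $LASTEXITCODE
# robocopy exit codes below 8 are success variants; 8 and above mean at least one failure.
if ($rcAdmx -ge 8 -or $rcAdml -ge 8) { throw "robocopy reported errors (admx=$rcAdmx, adml=$rcAdml)" }

# Check 1: every ADMX needs a matching ADML, otherwise the editor shows that template as broken.
$admx = Get-ChildItem $central -Filter *.admx | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem (Join-Path $central $lang) -Filter *.adml | ForEach-Object { $_.BaseName }
$missing = $admx | Where-Object { $_ -notin $adml }
"ADMX files: $($admx.Count); ADML ($lang): $($adml.Count); ADMX without ADML: $($missing -join ', ')"

# Check 2: ADM files are ignored in the Central Store; flag any that were dropped there by mistake.
Get-ChildItem $central -Filter *.adm -Recurse | ForEach-Object { "Not supported in Central Store: $($_.FullName)" }
```

Once the folder exists, GPMC on every administration machine reads templates from SYSVOL instead of its local folder, so an out-of-date store silently hides newer settings from everyone; that is why the copy uses /XO and why the count check is worth keeping.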

Convert admin templates using ADMX Migrator
- Free download, GUI conversion using "Generate ADMX from ADM"
- Command line: faAdmxConv.exe name.adm
Configure property filters for admin templates
- Managed: Any = all, Yes = only managed, No = only unmanaged
- Configured: Any = all, Yes = only configured, No = only not configured
- Commented: Any = all, Yes = only commented, No = only uncommented
- These filters only limit what you see in the editor; they do not change what is applied

Manage Group Policy objects (GPOs)
Backup, import, copy and restore GPOs
- PowerShell: Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO
- Script samples: C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Scripts (.wsf scripts)
Create and configure Migration Table
- Manually open the Migration Table Editor, select source and destination
- Or use the Cross-Domain Copying Wizard
- Maps users, groups, computers and UNC paths
Reset default GPOs
- Dcgpofix /target:Domain (can also use DC or Both as target)
- Domain resets the Default Domain Policy, DC resets the Default Domain Controllers Policy; both are rebuilt to out-of-the-box defaults, so any customization is lost
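The four cmdlets differ in one important way: Restore-GPO puts a GPO back under its original GUID, while Import-GPO and Copy-GPO create or overwrite a different GPO and therefore need a migration table whenever the settings reference domain-specific principals or paths. The following is an added example, not from the deck; it assumes a backup root C:\GPOBackups, a migration table C:\GPOBackups\corp.migtable created beforehand with the Migration Table Editor, a source domain contoso.com and a target domain fabrikam.com with a trust and administrative rights in both.

```powershell
# Added example (not from the deck): back up all GPOs, restore one in place, and move one to
# another domain through a migration table. Assumptions: C:\GPOBackups, corp.migtable already
# built in the Migration Table Editor, domains contoso.com (source) and fabrikam.com (target).
Import-Module GroupPolicy

$backupRoot = "C:\GPOBackups"
$migTable   = Join-Path $backupRoot "corp.migtable"
if (-not (Test-Path $backupRoot)) { New-Item -ItemType Directory -Path $backupRoot | Out-Null }

# 1. Back up every GPO. Each backup lands in a GUID-named folder; the comment is how you find it later.
$backups = Backup-GPO -All -Path $backupRoot -Comment ("Before change window " + (Get-Date -Format s))
"{0} GPOs backed up to {1}" -f $backups.Count, $backupRoot

# 2. Restore in place: same GUID, links untouched. Without -BackupId the newest backup of that GPO is used.
Restore-GPO -Name "Corp-Policy" -Path $backupRoot | Out-Null

# 3. Import into the other domain: a NEW GPO (or an overwrite of TargetName). The migration table
#    translates contoso security principals and UNC paths; -CreateIfNeeded avoids a failure when
#    the target GPO does not exist yet.
Import-GPO -BackupGpoName "Corp-Policy" -Path $backupRoot -TargetName "Corp-Policy" `
    -Domain "fabrikam.com" -MigrationTable $migTable -CreateIfNeeded | Out-Null

# 4. Copy-GPO does the same live, without a backup on disk. -CopyAcl carries the DACL across;
#    the migration table maps trustees that only exist in the source domain.
Copy-GPO -SourceName "Corp-Policy" -SourceDomain "contoso.com" -TargetName "Corp-Policy-Copy" `
    -TargetDomain "fabrikam.com" -MigrationTable $migTable -CopyAcl | Out-Null

# Check: what is on disk, and what the target domain now holds.
Get-ChildItem $backupRoot -Directory | Select-Object Name, LastWriteTime
Get-GPO -Name "Corp-Policy" -Domain "fabrikam.com" | Select-Object DisplayName, Id, ModificationTime
```

Take the backup in step 1 before ever running Dcgpofix: it rebuilds the two default GPOs from scratch, and Restore-GPO from a backup is the only way to get a customized Default Domain Policy back.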

Delegate Group Policy Management
- Group Policy Creator Owners group: members can create new GPOs and edit/delete only the GPOs they created
- Linking a GPO requires additional permissions on the site, domain or OU (can be granted via the GPMC Delegation tab, or via ADUC with the Delegation of Control wizard on the OU: "Manage Group Policy links")
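Delegation is where least privilege is won or lost: create, edit and link are three separate rights living in three different places. The following is an added example, not from the deck, that grants all three to one group and then reads back what was granted. It assumes a domain contoso.com, an OU Corp, a global group GPO-Admins-Corp and an existing GPO Corp-Policy.

```powershell
# Added example (not from the deck): least-privilege delegation for a group that must create GPOs,
# edit one existing GPO, and link GPOs to a single OU, without Domain Admins membership.
# Assumptions: domain contoso.com, OU "Corp", group "GPO-Admins-Corp", GPO "Corp-Policy".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$group = "GPO-Admins-Corp"
$ou    = "OU=Corp,DC=contoso,DC=com"
$gpo   = "Corp-Policy"

# 1. Create rights: Group Policy Creator Owners lets members create GPOs and edit/delete the ones
#    they created. It grants nothing on GPOs created by someone else.
Add-ADGroupMember -Identity "Group Policy Creator Owners" -Members $group

# 2. Edit rights on an existing GPO. GpoEdit does NOT include changing the GPO's own security;
#    that is GpoEditDeleteModifySecurity, which is the level you should be stingy with.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group -PermissionLevel GpoEdit | Out-Null

# 3. Link rights live on the OU, not on the GPO: write access to the gPLink and gPOptions
#    attributes. These are the schema attribute GUIDs that GPMC's "Link GPOs" delegation writes.
$gpLink    = [Guid]"f30e3bbe-9ff0-11d1-b603-0000f80367c1"
$gpOptions = [Guid]"f30e3bbf-9ff0-11d1-b603-0000f80367c1"
$sid    = (Get-ADGroup -Identity $group).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$scope  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # this OU only, not child OUs

$acl = Get-Acl -Path "AD:\$ou"
foreach ($attr in $gpLink, $gpOptions) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $attr, $scope)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: what the group can do on the GPO, and the two attribute-level ACEs on the OU.
Get-GPPermission -Name $gpo -TargetName $group -TargetType Group | Select-Object Permission
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" -and $_.ObjectType -in $gpLink, $gpOptions } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Keeping the link right scoped with inheritance None means the group can link GPOs to Corp but not to any child OU; change the scope to All only if that is actually intended, because whoever can link a GPO to an OU effectively controls every computer and user in it.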

Comparing Group Policy Preferences and GPO Settings

Group Policy Settings:
- Strictly enforce policy settings by writing them to areas of the registry (the Policies keys) that standard users cannot modify
- Typically disable the user interface for settings that Group Policy is managing
- Refresh policy settings at a regular interval

Group Policy Preferences:
- Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
- Do not cause the application or operating system feature to disable the user interface for the settings they configure, so the user can change the value until the next refresh
- Refresh by using the same interval as Group Policy settings by default

Exam Updates for R2: Configure and Manage Group Policy

Tasks currently measured:
- Configure Group Policy processing: configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior

Tasks changed/added since January 2014:
- Force Group Policy update; configure and manage slow-link processing and Group Policy caching
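"Force Group Policy update" is the R2 addition above: GPMC gained a "Group Policy Update..." context menu on an OU, and the GroupPolicy module gained Invoke-GPUpdate, which schedules gpupdate remotely. The following is an added example, not from the deck, that forces a refresh on every enabled computer in an OU and then verifies one host with an RSoP report. It assumes an OU Corp, a report folder C:\RSoP, and that the remote scheduled-task and RPC firewall rules GPMC relies on are already open.

```powershell
# Added example (not from the deck): force a Group Policy refresh on all computers in an OU with
# Invoke-GPUpdate and verify one host with Get-GPResultantSetOfPolicy.
# Assumptions: OU "Corp", report folder C:\RSoP, required firewall rules already in place.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou        = "OU=Corp,DC=contoso,DC=com"
$reportDir = "C:\RSoP"
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }

$computers = Get-ADComputer -SearchBase $ou -Filter { Enabled -eq $true } |
    Select-Object -ExpandProperty Name

$results = foreach ($c in $computers) {
    # -Force re-applies even unchanged GPOs; -RandomDelayInMinutes 0 removes the default stagger,
    # which is fine for a handful of hosts and a bad idea for thousands hitting the same DC.
    $scheduled = $true; $msg = ""
    try {
        Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    } catch {
        $scheduled = $false; $msg = $_.Exception.Message
    }
    [pscustomobject]@{ Computer = $c; Scheduled = $scheduled; Error = $msg }
}
$results | Format-Table -AutoSize

# Invoke-GPUpdate only schedules the task; give the first host a moment (30 s is an arbitrary wait)
# before pulling its computer-side RSoP and listing which GPOs were actually applied.
$first = $computers | Select-Object -First 1
Start-Sleep -Seconds 30
$report = Join-Path $reportDir "$first.xml"
Get-GPResultantSetOfPolicy -Computer $first -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content $report
$applied = $rsop.Rsop.ComputerResults.GPO | Select-Object -ExpandProperty Name
"Applied computer GPOs on {0}: {1}" -f $first, ($applied -join ", ")
```

The Scheduled column only tells you the task was created on the remote host; the RSoP report is the evidence that the refresh ran and which GPOs (including any filtered out by security or WMI filtering) were applied.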

Example question
You are the system administrator for Woodgrove Bank. An existing GPO named GPO1 is linked to an OU named Corp. The Corp OU contains all user objects. You need to ensure that a GPO named GPO2 applies to all users in the Corp OU while also ensuring that settings in GPO2 take precedence over the same settings in GPO1. What should you do?

A. Link GPO2 to the domain.
B. Link GPO2 to the site.
C. Migrate GPO2 to a local GPO.
D. Configure GPO2 to be enforced.

In Review: Session Objectives And Takeaways
Session Objective(s):
- Certification Overview
- Exam Preparation per Section
- Describe key 70-411 & 70-417 exam objectives
- Prepare more effectively using available study material
- Relate practical Windows Server 2012 experience to exam
- Identify areas that may require extra studying
- Action plan for exam preparation and success

Additional Exam Prep Sessions
- EXM08 Exam Prep: 70-410 and 70-417 - MCSA: Windows Server 2012 (Repeated), Tuesday, May 13, 5:00 PM - 6:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
- EXM01 Exam Prep: 70-411 and 70-417 - MCSA: Windows Server 2012, Monday, May 12, 3:00 PM - 4:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
- EXM03 Exam Prep: 70-412 and 70-417 - MCSA: Windows Server 2012, Monday, May 12, 4:45 PM - 6:00 PM, Room: Hilton L2 Ballrm F (Peter De Tender)
- EXM10 Exam Prep: 70-413 and 70-414 - MCSE: Server Infrastructure, Wednesday, May 14, 10:15 AM - 11:30 AM, Room: Hilton L2 Ballrm F (Ryan Sokolowski)

Hands-on Labs
- Any session whose code starts with PCIT-H3XX covers Windows Server 2012 R2

Related Content

Resources
- Learning: Microsoft Certification & Training Resources - www.microsoft.com/learning
- msdn: Resources for Developers - http://microsoft.com/msdn
- TechNet: Resources for IT Professionals - http://microsoft.com/technet
- Sessions on Demand - http://channel9.msdn.com/Events/TechEd

Complete an evaluation and enter to win!
Evaluate this session by scanning the QR code on the slide.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.