MCSA Installing & Configuring Windows Server 2012 70-410


Transcript of MCSA Installing & Configuring Windows Server 2012 70-410

Page 1: MCSA Installing & Configuring Windows Server 2012 70-410

MCSA (E)
History of Microsoft certificates
MCSE – MCITP – MCSE
Validity of MCSA certificate

Page 2: MCSA Installing & Configuring Windows Server 2012 70-410
Page 3: MCSA Installing & Configuring Windows Server 2012 70-410

Course Topics
• Windows Management (Installation, Modifying installation, Core)
• Active Directory
• Accounts (Users, Computers, OUs, and Groups)
• Group Policy
• Networking (IPv4, IPv6, DHCP, and DNS)
• Managing Storage

Page 4: MCSA Installing & Configuring Windows Server 2012 70-410

Installing Windows 2012 R2
• License (Editions)
• Prerequisites (HW, Apps, Storage Drivers)
• Testing on Virtual Machine
• BACKUP
• Installation Modes

Page 6: MCSA Installing & Configuring Windows Server 2012 70-410

Switching between modes
• Full – Core – Minimal
• GUI needs Vs Core advantages
Features on demand
• Security, space
• If we needed it later?
• Online or to an Offline VHD
Adding roles to offline VHDs

Page 7: MCSA Installing & Configuring Windows Server 2012 70-410

Configuring Core
• PowerShell
• CMD
• Alias
• SConfig
• RDP

Page 8: MCSA Installing & Configuring Windows Server 2012 70-410

Remote Management
WinRM (Mostly for monitoring)
RSAT (Useful for desktops)
Another Server With Same Role
Non-domain joined computer (FW rule, PS script)

Page 9: MCSA Installing & Configuring Windows Server 2012 70-410

Active Directory

Each server has its own password policy (complexity, expiration, etc.), different companies, and many users for each server

Page 10: MCSA Installing & Configuring Windows Server 2012 70-410

Active Directory
Domain Vs Workgroup
DC redundancy
Domain naming
Parent, child, tree, and forest
Trust between domains

Page 11: MCSA Installing & Configuring Windows Server 2012 70-410

Domain Controllers
Installation ADDS + Promoting to DC
Redundancy
Adding extra DCs (Same subnet, IFM, Script)
Uninstalling (demoting) DC

Page 12: MCSA Installing & Configuring Windows Server 2012 70-410

Domain Controllers
AD DC Upgrade
FFL
DFL
Global Catalog
SRV Records

Page 13: MCSA Installing & Configuring Windows Server 2012 70-410

AD Objects
User
Computer
Group (types)
Organizational Unit
Sites

Page 14: MCSA Installing & Configuring Windows Server 2012 70-410

AD Users & Computers
What is SID?
Creating Accounts
Creating Template Accounts
Joining a Computer
• Online
• Offline
Inactive & Disabled Accounts

Page 15: MCSA Installing & Configuring Windows Server 2012 70-410

AD Computers Accounts
SID, Username, & PW
Secure Channel
Broken Secure Channel

Page 16: MCSA Installing & Configuring Windows Server 2012 70-410

Extra
DC Promo
AD AC
Recycle Bin
Fine-grained Passwords

Page 17: MCSA Installing & Configuring Windows Server 2012 70-410

Automate Accounts Creation
LDIFDE: Lightweight Data Interchange Format, Data Exchange
CSVDE: Comma Separated Value Data Exchange.

Page 18: MCSA Installing & Configuring Windows Server 2012 70-410

LDIFDE:

dn: cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com
changetype: add
ObjectClass: user
SAMAccountName: eander
UserPrincipalName: [email protected]
telephoneNumber: 586-555-1234

(changetype can also be modify or delete.) Then, save it with .ldf and run:

ldifde -i -f <filename.ldf>

CSVDE:

dn,samAccountName,userPrincipalName,telephoneNumber,objectClass
"cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com",eander,[email protected],586-555-1234,user

Then you run the command:

csvde.exe -i -f <filename.csv>

Page 19: MCSA Installing & Configuring Windows Server 2012 70-410

DSADD
DSADD allows adding users to multiple OUs, and creating OUs, computers, and users:

dsadd ou ou=test,dc=northwindtraders,dc=com
dsadd user "cn=test321,ou=sales,dc=dabbas,dc=com" -disabled no

DSquery, Dsmod, DSget, DSMove, DSRm
Check the notes file

Page 20: MCSA Installing & Configuring Windows Server 2012 70-410

PowerShell

CSV file (first line is parameters)

Import-Csv .\CSVimport.csv | ForEach-Object {
    # Build the UPN from the SamAccountName column; {domainname} is a placeholder
    $userprincipalname = $_.SamAccountName + "@{domainname}.com"
}
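
An added example, not part of the original slides, of the CSV-driven account creation this slide begins: each row is validated before its New-ADUser parameters are built, and the cmdlet is only called, with -WhatIf, when the ActiveDirectory module is present. The CSV rows, the adatum.com suffix and the helper name Get-NewUserPlan are assumptions that reuse the sample user from the LDIFDE slide.

```powershell
# Constructed sample input; the first line is the header (parameter names).
$csv = @'
Name,SamAccountName,Path,OfficePhone
Elizabeth Andersen,eander,"ou=Research,dc=adatum,dc=com",586-555-1234
Duplicate Entry,eander,"ou=Research,dc=adatum,dc=com",586-555-0000
Name Far Too Long,thisaccountnameistoolong1,"ou=Research,dc=adatum,dc=com",586-555-0001
'@ | ConvertFrom-Csv

$upnSuffix = 'adatum.com'      # assumption: stands in for {domainname}.com
$seen      = @{}               # sAMAccountNames already accepted

function Get-NewUserPlan {     # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $sam = $Row.SamAccountName
        # A user sAMAccountName is limited to 20 characters and must be unique.
        if ($sam.Length -gt 20)      { Write-Warning "skip $sam (over 20 chars)"; return }
        if ($seen.ContainsKey($sam)) { Write-Warning "skip $sam (duplicate)"; return }
        $seen[$sam] = $true
        @{
            Name              = $Row.Name
            SamAccountName    = $sam
            UserPrincipalName = "$sam@$upnSuffix"
            Path              = $Row.Path
            OfficePhone       = $Row.OfficePhone
            Enabled           = $false   # created disabled; enable after setting a password
        }
    }
}

$haveAd = [bool](Get-Module -ListAvailable ActiveDirectory)
foreach ($plan in ($csv | Get-NewUserPlan)) {
    if ($haveAd) {
        New-ADUser @plan -WhatIf         # dry run; remove -WhatIf to create the account
    } else {
        "would create: $($plan.UserPrincipalName) in $($plan.Path)"
    }
}
```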

Page 21: MCSA Installing & Configuring Windows Server 2012 70-410

Groups
Why do we use Groups?
Are OUs Groups?
Types of Groups

Page 22: MCSA Installing & Configuring Windows Server 2012 70-410

Group Scopes

Group Conversions

Page 23: MCSA Installing & Configuring Windows Server 2012 70-410

Organizational Units

What can an OU contain?
Simplifying Administration
Permissions on OUs?
OUs & GPOs?

Page 24: MCSA Installing & Configuring Windows Server 2012 70-410

Organizational Units
Users & Computers are Containers
RedirUsr & RedirCmp
Accidental Deletion
Delegation
Delegation Templates

Page 25: MCSA Installing & Configuring Windows Server 2012 70-410

Networking – IPv4
What is IP?
Public Vs Private IPs

Page 26: MCSA Installing & Configuring Windows Server 2012 70-410

Subnetting & Default Gateway
Hosts
IP Assignments
Exercises

Page 27: MCSA Installing & Configuring Windows Server 2012 70-410
Page 28: MCSA Installing & Configuring Windows Server 2012 70-410

Supernetting

Page 29: MCSA Installing & Configuring Windows Server 2012 70-410

Networking – IPv6
Hexadecimal Notation
Addressing – 128 bits – 8 blocks of 16 bits
Shortening Address Rules

Page 30: MCSA Installing & Configuring Windows Server 2012 70-410

The Interface ID
Converting MAC to EUI-64

Page 31: MCSA Installing & Configuring Windows Server 2012 70-410

Address Types:

Link Local: Starts with FE80

Unique Local (Site Local): Starts with FD

Global

Page 32: MCSA Installing & Configuring Windows Server 2012 70-410

Communication Types:
• Unicast: One to One
• Multicast: One to Many
• Anycast: One to Closest
• No Broadcast as in IPv4

Page 33: MCSA Installing & Configuring Windows Server 2012 70-410

Transition to IPv6
• Dual Stack Routers
• Tunneling (6to4 & 4to6)
• Intra-Site Automatic Tunnel Addressing Protocol ISATAP
• Teredo

Page 34: MCSA Installing & Configuring Windows Server 2012 70-410

Group Policy
What are GPOs & why do we use them?
Where are GPO files saved?
GPO Types:
• Local GPO
• Non-Local GPO
Creating & Managing a Local GPO
Non-Local Overwrites Local GPOs

Page 35: MCSA Installing & Configuring Windows Server 2012 70-410

Domain (Non-Local) GPOs
Creating a GPO
Linking (Applying) to an OU
Blocking Top GPOs on a specific OU
Enforcing Blocked GPO!
How long does a GPO take to be applied?

Page 36: MCSA Installing & Configuring Windows Server 2012 70-410

Templates GPOs
Pre-defined GPOs
Can be downloaded
Multiple OSs?

Central Store
Useful to avoid OSs diff. templates
Found under “PolicyDefinitions”

www.gpanswers.com

Page 37: MCSA Installing & Configuring Windows Server 2012 70-410

Scope of Management
• User (Computer) Should be linked to Users (Computers) OUs
• Policies are Cumulative
• Computer overwrites User
Processing Order
Local > Site > Domain > OU > OU
Authenticated Users

Page 38: MCSA Installing & Configuring Windows Server 2012 70-410

Starter GPOs
Policies Vs. Preferences

Policies:
• Settings are permanent (greyed out UI)
• Applied at startup, logon, refresh
• Removing policy reverts to defaults
• Takes precedence over preferences
• Useful for: preventing installing apps, prevent changing backgrounds

Preferences:
• User can change settings (drive map
• Applied at the same times as policies, with an option not to reapply
• Does not revert back automatically
• Not available for local GPO
• Useful for: desktop icons, shortcuts, add URL on desktop, drive map, file copy, update

Page 39: MCSA Installing & Configuring Windows Server 2012 70-410

GPO Permissions
• Who has Full perm. by default?
• Delegate Permission
GPO Security Settings
Comp. > Policies > Win. > Sec.
User Tokens (Standard & Admin Tokens)
Security Templates
Security Configuration & Analysis

Page 40: MCSA Installing & Configuring Windows Server 2012 70-410

Software Restriction Policy & Applocker

Software Restriction Policy:
• Designed for legacy Windows (XP, 2003)
• Fairly easy to bypass
• All apps are allowed by default

Applocker:
• Designed for Win 7/8, 2008 R2, 2012
• Less easy to bypass
• All apps are denied by default

Page 41: MCSA Installing & Configuring Windows Server 2012 70-410

DHCP
What is DHCP?
Why is it better than Static IP?
Allocation Methods:
• Dynamic
• Automatic
• Manual

Page 42: MCSA Installing & Configuring Windows Server 2012 70-410

DORA
Discover – Offer – Request – Ack.
Common Parameters
PXE & DHCP
Relay Agent
Extra:
• DB Backup
• Failover Options

Page 43: MCSA Installing & Configuring Windows Server 2012 70-410

DNS
What is DNS?
Zones & Zone Types
How does DNS work?
Types of Queries (Recursive & Iterative)
Types of Answers (Authoritative & Non-Authoritative)

Page 44: MCSA Installing & Configuring Windows Server 2012 70-410

Forwarders:
• Root Hints
• Conditional Forwarders
Stub Zones
Manage Cache
Records Types (Resource Records)

Page 45: MCSA Installing & Configuring Windows Server 2012 70-410

Hyper-V
What is Virtualization and Why?
Benefits of Using Virtualization
• Space, Power, Cooling
• Less Management (at least centralized)
• Optimize Resources to the max.
• Greener, easier to backup, easier to replicate, etc.

Page 46: MCSA Installing & Configuring Windows Server 2012 70-410

Hypervisor
Hypervisor Types:
• Type 1: Native or Bare Metal (Hyper-V)
• Type 2: Hosted (VMWare Workstation)
Hyper-V needs 64-Bit processor
BIOS Should Support Virtualization
RAM & Storage Consideration

Page 47: MCSA Installing & Configuring Windows Server 2012 70-410

Enabling Hyper-V on Windows 8 & 8.1
Hyper-V Configuration Settings
• Dynamic Memory
• Smart Paging
• Resource Metering
• Guest Integration Services
• Memory Buffer
• Memory Weight

Page 48: MCSA Installing & Configuring Windows Server 2012 70-410

Storage in Hyper-V
VHD Max. 2 TB, VHDx up to 64 TB
VHDx is more resilient
How to modify VHD files?
How to Change VHD size? Disk Mgmt.?
Differencing drives
Pass through disks
Snapshots
Fiber Channel Adapter

Page 49: MCSA Installing & Configuring Windows Server 2012 70-410

Networking in Hyper-V
Switches Types:
• External
• Internal
• Private
VLAN
Configuring MAC

Page 50: MCSA Installing & Configuring Windows Server 2012 70-410

Gen1 & Gen2
Gen2 can be used on 2012, 8, 8.1 64-bit only
Hyper-V in R2 uses RDP (supports copy/paste, audio redirection)
Online VHDx resize / shrink

Page 51: MCSA Installing & Configuring Windows Server 2012 70-410

NIC Teaming:
Teaming
• Switch Independent
• Static Teaming (Dependent)
• LACP (Dependent)
Load Balancing
• Address Hash
• Hyper-V Port
• Dynamic

Page 52: MCSA Installing & Configuring Windows Server 2012 70-410

Local Storage
Disk Types, Basic & Dynamic
Choosing Storage Type Depends on:
• Amount of Storage needed
• Number of Users (at the same time)
• Data Sensitivity
• Data Importance

Page 53: MCSA Installing & Configuring Windows Server 2012 70-410

RAID Types:
Simple
Spanned
Striped (RAID 0)
Mirrored (RAID 1)
Striped Set with Parity (RAID 5)

Page 54: MCSA Installing & Configuring Windows Server 2012 70-410

File Systems (Must know, not directly required)
File Allocation Table FAT/FAT32/exFAT
• No Security
New Tech File System NTFS
• Secured using Permissions
• Encryption & Compression
• Quotas
• Auditing, File Tagging, Larger Files

Page 55: MCSA Installing & Configuring Windows Server 2012 70-410

Resilient File System ReFS
• File can have 16 Exabyte size
• File Name Length is up to 32000 char.
• High Resiliency
• Backward Compatible
• No Disk Quotas

Page 56: MCSA Installing & Configuring Windows Server 2012 70-410

Creating VHD & VHDx through Disk Management
Adding files to VHD & VHDx through Disk Management

Page 57: MCSA Installing & Configuring Windows Server 2012 70-410

Storage Spaces in 2012
What is SAN?
• Administration? Cost Wise?
What about NAS?
Virtual Disks (Not VHDs!)
Storage Pools

Page 58: MCSA Installing & Configuring Windows Server 2012 70-410

Virtual Disk Configuration
Layout
• Simple, Two or Three way Mirror, Parity
Provisioning
• Fixed, Thin
Allocation
• Data Store, Manual, Hot Spare

Page 59: MCSA Installing & Configuring Windows Server 2012 70-410

Storage Spaces Using Enclosures

• Approved JBOD: www.windowsservercatalog.com

• 2U/4U Rack mounted, up to 70 Drives

• Smart (can send notifications to Windows about temperature, storage status)

• Redundant fan, Power

Page 60: MCSA Installing & Configuring Windows Server 2012 70-410

Storage container not a self RAID
Storage Spaces Tiering
• Fast SSD for hot or pinned data
• Slow HDD for cold data

Page 61: MCSA Installing & Configuring Windows Server 2012 70-410

Share & NTFS
Share Vs. NTFS permissions

Share:
• Network only, no control over local access
• First line of defense
• Options are: Read, Change, Full
• Applies to folders only
• No inheritance

NTFS:
• Local and network access
• Primary tool to control access
• Options: many more than Share
• Applies to files & folders
• Many options available for inheritance

Page 62: MCSA Installing & Configuring Windows Server 2012 70-410

Share
• Cumulative permissions apply (deny wins)
• Can be combined with NTFS perms.
• Administrative Share
• Access-Based Enumeration
NTFS
• Change Owner
• Inheritance apply order

Page 63: MCSA Installing & Configuring Windows Server 2012 70-410

• Permission can be either additive or subtractive (start with all denied then allow, or start with all allow then deny)

• Effective access: the result of applying these rules:

• Deny overrides allow
• Allow permissions are cumulative
• Explicit perm takes precedence over inherited

• Authorizing occurs to SID for users
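
The three effective-access rules above, worked through as an added example that is not part of the original slides. It uses a simplified three-bit rights mask, a hypothetical helper named Get-EffectiveAccess, and constructed SIDs and ACEs; ACEs are matched against the SIDs in the user's token, explicit entries are read before inherited ones, and deny before allow within each group.

```powershell
# Simplified rights mask (assumption; real NTFS masks have many more bits).
$Right = [ordered]@{ Read = 1; Write = 2; Delete = 4 }

function Get-EffectiveAccess {                 # hypothetical helper
    param([string[]] $TokenSids, [object[]] $Acl)
    $allowed = 0
    $denied  = 0
    # Explicit ACEs are read before inherited ones, and deny before allow
    # within each of those two groups.
    $ordered = $Acl | Sort-Object @{ Expression = { $_.Inherited } },
                                  @{ Expression = { $_.Type -ne 'Deny' } }
    foreach ($ace in $ordered) {
        if ($TokenSids -notcontains $ace.Sid) { continue }   # ACE names another SID
        # Only rights that no earlier ACE has settled can still be changed.
        $open = $ace.Rights -band (-bnot ($allowed -bor $denied))
        if ($ace.Type -eq 'Deny') { $denied  = $denied  -bor $open }
        else                      { $allowed = $allowed -bor $open }
    }
    $allowed
}

# Constructed SIDs: one user and the three groups in that user's token.
$user  = 'S-1-5-21-1111-2222-3333-1104'
$sales = 'S-1-5-21-1111-2222-3333-1201'
$staff = 'S-1-5-21-1111-2222-3333-1202'
$temps = 'S-1-5-21-1111-2222-3333-1203'

# Constructed ACL on a file: three inherited ACEs and one explicit ACE.
$acl = @(
    [pscustomobject]@{ Sid = $sales; Type = 'Allow'; Inherited = $true;  Rights = $Right.Read }
    [pscustomobject]@{ Sid = $staff; Type = 'Allow'; Inherited = $true;  Rights = $Right.Write }
    [pscustomobject]@{ Sid = $temps; Type = 'Deny';  Inherited = $true;  Rights = $Right.Write -bor $Right.Delete }
    [pscustomobject]@{ Sid = $user;  Type = 'Allow'; Inherited = $false; Rights = $Right.Delete }
)

$mask = Get-EffectiveAccess -TokenSids $user, $sales, $staff, $temps -Acl $acl
$Right.Keys | Where-Object { $mask -band $Right[$_] }
```

With this ACL the user ends up with Read and Delete: Write is lost to the inherited deny, while the explicit Delete allow outranks that same inherited deny.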

Page 64: MCSA Installing & Configuring Windows Server 2012 70-410

Offline Files
• Applies to network shares
• Files stay available when disconnected
• High reliable sync. Mechanism
• Can be configured using Offline settings or GPO
• Needs to be enabled first, then apply on folders

Page 65: MCSA Installing & Configuring Windows Server 2012 70-410

Disk Quotas
• Limit disk usage
• Enabled on volume level
• Soft Quota & Hard Quota
• File Server Resource Manager FSRM is handy
• FSRM can apply quotas on folders, Windows Explorer on volumes only
• File Screening, Data Deduplication
• Storage Reports Management

Page 66: MCSA Installing & Configuring Windows Server 2012 70-410

Volume Shadow Copy
• Used in VM snapshots
• Used by backup operations (Windows, Acronis)
• Used for File Recovery
In File Recovery:
• Quick restore for accidental deletions
• Scheduled
• Used on the machine not only shares

Page 67: MCSA Installing & Configuring Windows Server 2012 70-410

• VSS is configured under volume properties

• VSS is replaced with File History, starting Win. 8

• On servers, enabled under driver properties under disk management

• VSS by default creates two copies, at 7:00 AM and 12:00 PM

Page 68: MCSA Installing & Configuring Windows Server 2012 70-410

Work Folders
• Similar to Offline Files feature
• Allows access to joined & non-joined domain workstations
• Enables managing BYOD
• Transparent conflict resolution
• Hub-Spoke topology
• Works with file screening, classification (can classify documents), quotas
• Security policies for encryption, screen lock (data security if device was stolen)

Page 69: MCSA Installing & Configuring Windows Server 2012 70-410

Work Folders Configuration
Server Side:
• Define appropriate users and groups
• Add & configure “work folders” role
• DNS (workfolders.domain.com)
• Certificates
• Proxy
Client Side:
• Control panel configuration
• Access using “work folders”

Page 70: MCSA Installing & Configuring Windows Server 2012 70-410

Printers
Definitions:
• Print Device
• Printer
• Print Server
• Printer Driver
Printing workflow:
• PC > Printer > Driver > Print server > Print device

Page 71: MCSA Installing & Configuring Windows Server 2012 70-410

Network printers & Local printers
• Central Management, drivers, easier to install, queue management, less cost
Printer Management MMC
• Printers Filtering
Creating multiple instances (objects) of a printer, if we want to give higher priority for managers

Page 72: MCSA Installing & Configuring Windows Server 2012 70-410

Printing Options:
• Direct print
• Locally attached printer sharing
• Network attached printing
• Network attached printer sharing
Printer Pool: Identical devices ONLY
Adding 32-bit driver to a 64-bit server
Easy Print

Page 73: MCSA Installing & Configuring Windows Server 2012 70-410

Firewall
Why Windows Firewall?
Firewall Interfaces
• Control Panel
• Windows Firewall Advanced
• NetSH
• PowerShell
• GPO

Page 74: MCSA Installing & Configuring Windows Server 2012 70-410

Hardware Firewall & Software Firewall
Firewall Modes:
• Domain
• Work
• Home
• Public
Opening port Vs. Allowing Application
Connection security rules

Page 75: MCSA Installing & Configuring Windows Server 2012 70-410

Importing & Exporting Rules

Configuring Firewall under GPO
Computer > Policies > Windows > Security > Windows FW with Advanced Security