Microsoft 70-410Installing and Configuring Windows Server 2012

ABOUTTHEEXAMThe Microsoft 70410 exam is part one of a series of three exams that test the skills andknowledgenecessary to implementa coreWindowsServer2012 infrastructure inanexistingenterprise environment. Passing this exam validates a candidates ability to implement andconfigure Windows Server 2012 core services, such as Active Directory and the networkingservices.Passingthisexamalongwiththeothertwoexamsconfirmsthatacandidatehastheskills and knowledge necessary for implementing, managing, maintaining, and provisioningservicesandinfrastructureinaWindowsServer2012environment. SixmajortopicsmakeuptheMicrosoft70410Certification.Thetopicsareasfollows:

InstallandConfigureServers ConfigureServerRolesandFeatures

ConfigureHyperV DeployandConfigureCoreNetworkServices

InstallandAdministerActiveDirectory CreateandManageGroupPolicy

Thisguidewillwalkyouthroughalltheskillsmeasuredbytheexam,aspublishedbyMicrosoft.

OBJECTIVES

CHAPTER1:INSTALLANDCONFIGURESERVERS1.1Installservers 1.2Configureservers 1.3Configurelocalstorage

CHAPTER2:CONFIGURESERVERROLESANDFEATURES2.1Configurefileandshareaccess 2.2Configureprintanddocumentservices 2.3Configureserversforremotemanagement

CHAPTER3:CONFIGUREHYPERV3.1Createandconfigurevirtualmachinesettings 3.2Createandconfigurevirtualmachinestorage 3.3Createandconfigurevirtualnetworks

CHAPTER4:DEPLOYANDCONFIGURECORENETWORKSERVICES4.1ConfigureIPv4andIPv6addressing 4.2DeployandconfigureDynamicHostConfigurationProtocol(DHCP)service 4.3DeployandconfigureDNSservice

CHAPTER5:INSTALLANDADMINISTERACTIVEDIRECTORY5.1Installdomaincontrollers 5.2CreateandmanageActiveDirectoryusersandcomputers 5.3CreateandmanageActiveDirectorygroupsandorganizationalunits(OUs)

CHAPTER6:CREATEANDMANAGEGROUPPOLICY6.1CreateGroupPolicyobjects 6.2Configuresecuritypolicies 6.3Configureapplicationrestrictionpolicies 6.4ConfigureWindowsFirewall

CHAPTER1INSTALLANDCONFIGURESERVERS

1.1INSTALLSERVERS Planforaserverinstallation

ServeroperatingsystemsdifferfromadesktopOS inthattheyareoftenoptimizedforhandlingprocessesthatrunbehindthescenes(backgroundprocesses). TheFoundationversionhasalimitationof15useraccountsandisavailableonlyforOEMs. TheEssentialsversionhasalimitof25useraccountswithsupportforpreconfiguredconnectivity. TheStandardversionhasfullWindowsServerfunctionalitywithamaxoftwovirtualinstances. TheDatacenterversionoffersunlimitedvirtualinstances.

Planforserverroles Aservercanbeconfiguredtoperformspecificroles.Theapplicationsthattheserverrunsdeterminetheparticularserversrole.Foraservertoundertakearole,additionalservicesandfeatureswillhavetobeinstalled.Thisiswhytheserversroleisthesinglemostimportantfactorindeterminingthehardwarethataserverrequires.NormallyyouaddrolesthroughtheServerManagerDashboarduponsetupcompletion.

Planforaserverupgrade IfyouarerunningWindowsServer2008StandardwithSP2orWindowsServer2008EnterprisewithSP2,youmayupgradetoWindowsServer2012StandardandWindowsServer2012Datacenter. IfyouarerunningWindowsServer2008DatacenterwithSP2,youmayupgradetoWindowsServer2012Datacenteronly. IfyouarerunningWindowsWebServer2008,youmayupgradetoWindowsServer2012Standardonly. InstallServerCore WhenyouinstallServer2012,youmaychoosebetweenServerCoreInstallationandServerwithaGUI,whichistheFullinstallationoption.YoucanstartaServerwithaGUIinstallationandthenremovetheGraphicalShellsotheendresultisaMinimalServerInterface.

OptimizeresourceutilizationbyusingFeaturesonDemandFeaturesonDemandisavailableonlyinWindowsServer2012andWin8.Thegoalistobeabletoremoveoraddrolesandfeaturesremotely.Forthistoworkthereshouldbeasidebysidefeaturestoreavailablethatkeepsthefeaturefiles. MigraterolesfrompreviousversionsofWindowsServer YoucanusetheWindowsServerMigrationToolstomigrateroles.FirstyouinstallWindowsServerMigrationToolsonthedestination2012servers.Next,youcreatethedeploymentfoldersandcopythemfromthedestinationserverstothesourceservers.Finally,youregisterWindowsServerMigrationToolsonthesourceservers.

1.2CONFIGURESERVERSConfigureServerCore Ifyouarerunningaservercoreinstallation,youusesconfigtoperformserverconfiguration.Ithasanumberofoptionsforyou tochoose from.The toolpresentsamenuwithoptionsyoucanchoosebypressingkeys.Youcanset thedomainnameorworkgroupname,setthecomputername,addanewlocaladminandconfigureremotemanagement.YoucanalsoconfigureWindowsUpdate. Delegateadministration Enterprise Admins, Domain Admins, Administrators, and Account Operators groups can create new computerobjectsinanyOU.Delegationofthepermissiontocreatecomputerobjectscanadministrativeoverhead.ThiscanbedonebyassigningthepermissionstoanOUsgroupsothat localmembersofthatOUcancreatecomputerobjectsonlyinthatOU.ThisisachievedviatheDelegateControlWizard.Addandremovefeaturesinofflineimages InDISMyoucanswitchfromaServerwithaGUIinstallationtoServerCore.Fromanelevatedcommandpromptyourundism /online /disable-feature /featurename:ServerCore-FullServer. To switch from Server Core to the Server with GUI you run dism /online /enable-feature /featurename:ServerCore-FullServer/featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt.

Toreboottheserver,runshutdown r -f.

Deployrolesonremoteservers Toinstall,configureanduninstallserverroleslocally,useServerManagerortheWindowsPowerShell.RemotelyyoumayuseServerManager,RemoteServer,RSAT,or theWindowsPowerShell.RSAT inparticularprovidesyouwithServerManager,MMC snapins, consoles and PowerShell cmdlets that run onWindows Server. There aremanydifferentversionsofRSAT,supportingfromVistatoWindowsServer2012. ConvertServerCoreto/fromfullGUI Toconvert toaServerCore installation,you runUninstallWindowsFeatureServerGuiMgmtInfra restart.On theother hand, to convert from a core only to a server with GUI you run Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell Restart.

Configureservices

WindowsServerwillstarttheServerManagerautomaticallyupon installationcompletionandthenateveryserverstartup.ServerManageristheprimaryconsoleforserverconfigurationandmanagement.Youcanmanageboththelocalserverand thenetworkedserversviaServerManager.YoucanconfigurewhetherServerManagershouldbeinvokedeverytimeyoustarttheserver.Youcanalsosethowoftenitrefreshestheinformationitdisplays. ConfigureNICteaming NICteamingreferstotheprocessofgroupingtogethermultiplephysicalNICs intoasingle logicalNICforachievingfaulttoleranceandloadbalancing.LinkaggregationthroughLACPintheformofNICteamingisnotthesameasMPIO.ItcannotimprovethethroughputofasingleI/Oflow.Itdoesimprovethroughputwhenyouhaveseveraluniqueflows. WindowsServer2012hasbuiltinsupportforNICTeaming.ItcanbeenabledviaServerManager.Amaximumof32physicaladaptorscanbeusedtogether.NotethatWindowsServer2012supportsteamingasaHyperVswitchportifyourvirtualmachinesareusingindependentMACaddresses. Alternatively, a hash can be created based upon components of the packet, and then assignment can bemadedynamicallytotheavailablenetworkadapters.InthecaseofVM,eachHyperVswitchportassociatedwithavirtualmachinethatisTeamingcapablemustallowMACspoofing.

1.3CONFIGURELOCALSTORAGEDesignstoragespaces Partitioningreferstotheprocessofcreatingvirtualmarkersthatseparatedriveletters.Apartitiontableisthelistofwhatpartitionshavebeenconfiguredonadrive.Afilesystem,ontheotherhand,isadatastructurethatanoperatingsystemusestokeeptrackoffilesonadiskorpartition.Onemaycreatefolderstoorganizeyourdataintogroupsandtostoredatahierarchicallyontheharddisk.Keepinmind,disksarephysical,whereasstoragepoolsandvolumesarelogical.TheStorageServicesRoleispartoftheFileandStorageServicesandisinstalledbydefault.Configurebasicanddynamicdisks

The2012ServerManagerhasadiskmanagementsection.The3thingsyoucanmanagethroughtheUIareVolumes,DisksandStoragePools.Rightclickingonavolumewilldisplayoptionssuchasfixingfileerrors,extendingvolumeandassigningdriveletters.Youcanevenanalyzeandoptimize(defrag)thedrivesviatheGUI.

ConfigureMBRandGPTdisks Thesearethehighlightsofthedifferencesbetweenthetwo: MasterBootRecord(MBR)diskssupportformax4partitiontableentries. MBRdiskpartitionsandlogicaldrivesareusuallycreatedbasedonthereportedcylinderboundaries. GUIDPartitionTable(GPT)comeswiththeUnifiedExtensibleFirmwareInterface(UEFI)standard. GPTdiskscanhaveverylargesizes. OnWindowsyoucanhaveamaximumof128partitionsperGPTdisk. BasicdisksanddynamicdiskscansupportMBRaswellasGPTdisks.Managevolumes NTFS5 isthenativefilesystemforWindows2012.NTFS5hasmanyfeaturesforsecurity,quotamanagement,diskcompressionandvolumemounting.TransactionalNTFSallows fileoperations tobeperformed ina transactionalmanner,with support for fullatomic,consistent,isolated,anddurablesemanticsfortransactions.SelfhealingNTFScancorrectdiskfilecorruptionsonlinewithoutrequiringChkdsk.exetoberunmanually.

Astoragepoolisacollectionofvolumes.Avolumeisthebasicunitofstoragethatrepresentsanallocatedspaceonadisk.Thekeyisflexibility;storagecanbeexpandedasneededwhenyouaddnewdrives. Createandmountvirtualharddisks(VHDs)VirtualHardDisk(VHD)isafileformatforspecifyingavirtualharddisktobeencapsulatedinasinglefile.ItisnotthesameasHyperV.VHDworksonalmostallCPUtypes.HyperVdoesnotworkonincompatibleprocessors.

Virtualharddiskformatiseitherdynamicallyexpandingorfixed.VHDBootstartsWindowsfromaVirtualHardDiskfile.ThisVHDfileismountedasavirtualdiskbutcanbeusedjustlikeanormalharddiskdrive. Configurestoragepoolsanddiskpools Astoragepoolallowsyoutomixandmatchdifferentdrivesforstoragepurposes.Apoolactsasacontainer.YoucancreatestoragepoolviatheGUI.IfyoupreferusingPowerShellforcreatingthestoragepools,youmustfirstusethegetstoragesubsystemcmdlet.Thepoolcreatedcanbeeasilyexpandedbyaddingnewdisks.Thepoolcanalsobedividedintospacesthatareusedlikephysicaldisks.Infact,withinapoolyoucancreatevirtualdiskswhichareknownasspaces. Datadeduplicationiseliminatingredundantdatainstoragepools.

CHAPTER2CONFIGURESERVERROLESANDFEATURES

2.1CONFIGUREFILEANDSHAREACCESSCreateandconfigureshares SimplenetworkfoldersharingcanbemanagedviatheNetworkandSharingCenter.TheNetworkandSharingCenterisaninterfaceforbasicnetworkingsetupaswellasnetworkdiscovery,connectionstatusandfilesharing.Youcancreateafoldersharesimplybyrightclickingonthefolderandchoosingtheappropriatesharingoption.Youcanalsomanageshared foldersviaComputerManagement.Alternatively, fromServerManagersFileandStoragesectionyoucanrightclickonaserverandchooseNewSharetoinvoketheNewShareWizard.

Configuresharepermissions AdvancedsharingandofflinefilescanbeconfiguredbyrightclickingonafileandchoosingSharewithAdvancedsharing.TheServerManagersFileandStoragesectioncanalsobeusedtomanagestorageresourcesandsharesonlocalorremoteserversinrealtime.

WiththeFileServerResourceManagerinstalled,youcanconfigureanumberofadvancedfilesharesettingssuchassecurity,encryptionandcaching.Keepinmind: Sharepermissionsapplyonlywhenauserisaccessingafileorfoldernonlocally.Theycanbeappliedonauseror

onagrouplevel. Assigningpermissionsonagroupbasisisalwaysrecommended. Individualpermissionsandgrouppermissionsarecombinedtoformtheuserseffectivepermissions.

Configureofflinefiles OfflineFilesmakenetworkfilesavailableevenwhenanetworkconnectiontotheserveriseitherunavailableorveryslow.Forthesakeofperformanceyoushouldcreatearootshareontheserver,letthesystemcreatetheusersfoldersandthensynchronizefilesatlogoffviaFolderRedirectionwithOfflineFiles.Forsecuritypurposesyouwanttocreateasecuritygroupforthoseuserswhohaveredirectedfoldersonaparticularshareandaccordinglylimitaccessonlytothoseusers.

ConfigureNTFSpermissions NTFSpermissions allow you to assignpermissionsmore granularly at the folder and file level.Keep inmind; filepermissionsalwaystakeprecedenceover folderpermissions.Youcanalwayssetthesebyrightclickingona fileorfolderandconfiguringthedesiredpermissionsfromProperties. Configureaccessbasedenumeration(ABE) Accessbased enumeration (ABE) is a builtin feature that can display only the files and folders that a user haspermissionstoread. Itworksonlywhenviewingfilesandfolders inasharedfolder.WhenyouusetheNewShareWizard,thereisanoptiontoenableit.

ConfigureVolumeShadowCopyService(VSS) VSSaimstocreateaconsistentshadowcopyofthedatatobebackedup.TheVSSservicecanensurethatallVSScomponentscancommunicatewitheachotherproperly.YoushouldknowtheseVSScomponentsandterms: TheVSSrequesterrequeststheactualcreationofshadowcopiesthroughabackupapplication. TheVSSwriterensuresthereisaconsistentdatasettobackup. TheVSSprovidercreatesandmaintainstheshadowcopiesviasoftwareorhardware. Completecopymeansmakingacompletefullandreadonlycopyoftheoriginalvolume.

Copyonwritemakesadifferentialcopy. Redirectonwritedoesnotmakeanychangestotheoriginalvolume. ConfigureNTFSquotas ThroughComputerManagementDiskManagementyoucansetquotaandcreatecustomquotaentries. ItworksevenifyourserverdidnotjoinAD. Quotamanagement isnotenabledbydefaultbutyoucanenable itbyhand. Infact,theServerManagersFileandStoragesectioncanbeusedtosetsoftorhardspacelimitsonavolumeorfoldertree.Youmayalsocreateandapplyquotatemplateswithstandardquotaproperties.

2.2CONFIGUREPRINTANDDOCUMENTSERVICESConfiguretheEasyPrintprintdriver EasyPrintisforterminalserviceprinting.ItallowsuserstoprintfromaTerminalServicesRemoteAppprogramoraterminalserverdesktopsessionusingthecorrectlocalprinter.TheRedirectonlythedefaultclientprinterpolicysettingcanbeused to specifywhether thedefault clientprinter is theonlyprinter tobe redirected inTerminal Servicessessions.

ConfigureEnterprisePrintManagementToprovideprintingservice,theprintspoolerservicemustberunning.Wheneversomething iswrongwiththeprintqueue,problemscanbeoftenbesolvedbystoppingandrestartingthespooler.

ConfigureDrivers

Printerdeviceconfiguration isdoneviaDevicesandPrinters folder located in theControlPanel.Onceaprinter isadded,youcanrightclickittoconfiguresharingandotherparameters.Insteadofconfiguringonaperprinterbasis,youcanmanageprinterdriversandpermissionsattheprintserverlevel.Whenthereisaprintingissue,thelogforthePrintServiceeventchannelcanbeveryhelpfulwithtroubleshooting.

Configureprinterpooling Printingpoolrequiresthatyoucreatealogicalprinterformedbyagroupofactualphysicalprintersthatusetheexactsamedriver.Printuserscannotchoosetheactualphysicalprintertouse.YoucanconfigurepoolingviatheWindowsprinterconfigurationappletoftheControlPanel.Configureprintpriorities Settingprintingprioritiesinvolveschangingtheorderofdocumentprinting.YoumusthavetheManageDocumentspermissiontomakethechanges.FromwithinPrintersandFaxesyoucangointoaspecificprintersqueue,rightclickonthedesireddocumentandthenchangeitsprioritylevel.ConfigureprinterpermissionsAlluserscanpause,resume,restart,orcancelprintingoftheirowndocuments.However,theManageDocumentspermissionwillberequiredtomanipulateprintjobsofotherpeople.IfyouhavetheManagePrinterspermission,youcanpauseorresumeprintingattheprinterlevel.

2.3CONFIGURESERVERSFORREMOTEMANAGEMENTConfigureWinRM RemoteManagementWinRM implementsWSManagement protocol,which is a standard SimpleObject AccessProtocolbasedprotocol.Itfacilitatestheinteroperationofdifferenthardwareandoperatingsystems. Computers that run Windows with WinRM will have management data supplied by Windows ManagementInstrumentation (WMI). If your remote connection is behind a firewall,make sure connections on port 3389 areallowedConfiguredownlevelservermanagement ManagingdownlevelserversmeansmanagingremoteserversrunningWindowsServer2008R2SP1fullserver,ServerCore,orWindowsServer2008SP2fullserver.YoumustensuretheyhaveWindowsManagementFramework(WMF)3.0properlyinstalled.Foraservercoremanagedserver,thereareseveralfeaturestoinstallusingDISM,including: NetFx2ServerCore MicrosoftWindowsPowerShell NetFx2ServerCoreWOW64 MicrosoftWindowsPowerShellWOW64

Configureserversfordaytodaymanagementtasks TheRoutingandRemoteAccessServerhasthreesubroles,whichareRemoteDesktopServicesConnectionBroker,LicensingandVirtualization.YoumayaddrolesthroughtheServerManagerDashboarduponsetupcompletion. FromControlPanels SystemProperties you can enable remotedesktop connections to a server. SettingRemoteDesktopsessionstorunoveranencryptedchannelisconsideredbestpracticeasitcanpreventviewingofasession.ItisrecommendedtoalwaysusestrongpasswordswithanyaccountsthathaveaccesstoRemoteDesktop. Configuremultiservermanagement IfyouhavemultipleAdministratoraccounts inplace,tryto limitremoteaccessonlytothoseaccountsthatactuallyneedit.YoushoulduseLocalSecurityPolicytosetaccountlockoutsforthem.Before creating a subscription to collect events on a computer, configure both the collecting computer and thecomputerfromwhicheventswillbecollected.Alsonotethefollowing: Yourunthewinrmquickconfigcommandonthesourcecomputer. Youusethewecutilqccommandonthecollectorcomputer. You add the computer account of the collector computer to the local Administrators group of the source

computer.ConfigureServerCore To install, configureoruninstall server roles remotelyyoumayuseServerManager,RemoteServer,RSAT,or theWindows PowerShell. A Server Core installation option allows the installing of Windows Server with a minimalenvironment for running specific server roles. Everything is done via command prompt, which cuts down themaintenanceandmanagementrequirementsaswellastheattacksurface.ThroughtheRSATtoolsyoucanmanagecomputersrunningServer2012,Server2008R2,Server2008,orServer2003.BydefaulttheRSATtoolswillonlyopentheportsandenabletheservicesthatarerequiredforremotemanagementtofunction.ConfigureWindowsFirewallWindows Firewall can be configured via the Windows Firewall with Advanced Security interface or the Netshadvfirewallcommand.YoumayalsoaccessitviatheControlPanel.Itworksbyexaminingeachmessageand/orpacketthatpassesthroughitandblocksthosethatdonotmeetthespecifiedsecuritycriteria.

NetworkLocationandWindowsFirewallareintheorymutuallyindependent.TheconfigurationofWindowsFirewallwouldlargelybebasedonthecurrentnetworkcategoryorcategories.WhenconnectedtoaPublicnetwork,onlyCoreNetworkingruleswillbeenabled. Withinthenetshadvfirewallcontext,thefirewallsubcommandcanbeusedtochangetotheproperfirewallcontextsoyoucanview,create,andmodifyfirewallrules.

CHAPTER3CONFIGUREHYPERV

3.1CREATEANDCONFIGUREVIRTUALMACHINESETTINGSConfiguredynamicmemory

WithDynamicMemory, there isnoneed to stop and restart aVMwhen thememory size is changed. It is alsodistributesmemorymoreefficiently,whichcouldbeaperformancedrawback,thusrequiringanincreasetothesizeofthepagefileintheguestOS.YoumayalsoneedtoincreasethememorybufferconfiguredfortheVM.Keepinmind;youmusthaveadequateRAMtoavoidexperiencingperformanceproblems. Notethatbydefault,theminimumRAMvalueisthesameasthatoftheStartupRAM.ConfiguresmartpagingSmartPaginguses theharddiskasanoption forproviding thememory requiredbyaVM if thephysicalRAM isinsufficient.Usingthistechniqueafailuretoloadmayoccurwhenthememoryrequestsaretoohighatagiventime.Thisshouldonlybeusedasatemporaryfixbecauseusingharddrivespaceasmemoryhasanoticeableperformanceimpact.ConfigureResourceMetering

ResourcemeteringallowsyoutotracksystemresourceusageforyourVM.Itisnotenabledbydefault,though.YoucanactivateitviaEnableVMResourceMetering.Statisticsarecollectedonceeveryhourbydefault,orasdictatedbytheResourceMeteringSaveIntervaloption.Todisplaythedata,useMeasureVM.Configureguestintegrationservices

Integration Services aim to optimize the virtual environment drivers. Itworks by replacing the generic operatingsystemdriver files for components suchas themouse,keyboard,display,networkandSCSIcontroller,etc. Italsosynchronizes the system time between the guest and host OS. File interoperability and heartbeat are alsoimplemented.TheDataExchangeServicecanset,andalsogetinformationfrom,aVMrunninginachildpartition.TheGuestShutdownServicecanmakeashutdownrequestfromtheparentpartitiontothechildpartitionthroughWMIcalls.

3.2CREATEANDCONFIGUREVIRTUALMACHINESTORAGECreateVHDsandVHDX WithVHD,alltheactualdataisstoredinasinglefile,ofwhichyoucanrunonlyoneinstanceatatime.Thisisbecauseitabsorbsalmostalloftheprocessingpowerofthehostcomputer.NotethatVHDshaveasizelimitof2040GB.OnewaytocreateaVHDistousediskpartatthecommandprompt.Firstyouinvokethediskpartcommand,thenyouusethecreatevdiskcommand. VHDXistheformattouseifyouwanttogoover2040GBinsize.VHDXisalsoresilienttopowerfailure.WhenusingtheNewVMWizardyoucanchoosewhichyouprefer;VHDorVHDX.

You can set a VHD to a fixed size ormake it dynamic. A dynamic VHD is slower andmay becomemore easilyfragmented.However,itusesspaceasneededandisthereforesmalleringeneral.

Configuredifferencingdrives TocreateaVHDviatheWindowsGUI,openComputerManagementsDiskManagementsection.CreateVHDcanbeselected from theActionmenu.A dynamically expandingVHD can have amaximum size that is larger than theavailablefreespaceonthedrive. NotethatinthecontextofVHD,attachingmeansmountingwhiledetachingmeansdismounting.

ModifyVHDs YoucanexpandthesizeofaVHDthroughdiskpart.FirstmakesurethattheVHDisdetached.Thenselectitviatheselectvdiskfile=command,thentypeexpandvdiskmaximum=forspecifyingthenewsize. TheEditWizardcanbeusedtomodifyanexistingVHDaswell.

AdifferencingconfigurationisusefulwhenyouhaveanimageservingasaparentVHDthatyouprefernottomodify.Allmodificationstothe imagewillbemadetoaseparatechildVHD. InordertocreateadifferencingVHD,usetheparentoptionwiththecreatevdiskcommandorviaGUI.Configurepassthroughdisks Passthroughdisksarenotvirtualized.Thisisafeatureintendedtoprovidethefastestpossiblediskperformance.Dueto the restrictivedrawbacks ithas, its support isminimal inWindows Server2012. In fact, it is supportedduringHyperVLiveMigration if,andonly if,theVMbeingmigratedandthepassthroughdiskaremanagedbythesameHyperVcluster.Thesearebecomingobsolete. Managesnapshots AHyperVsnapshotcapturesthestatusofaVMatagiventime.ThissnapshotcanthenbeusedtorestoreaVMifnecessary.TocreateoneyousimplyselectaVMtocapturefromwithintheHyperVManagerinterfaceandthenselectSnapshot from theActionspane.Youmay takeamaximumof50snapshotsofaVM.Note thatsnapshot filesareAVHD/AVHDXfiles.EachVHDfilewillactasaparenttoitsAVHDfile.Similarly,eachVHDXfilewillactasaparenttoitsAVHDXfile.

ImplementavirtualFiberChanneladapterVirtualFiberChannelforHyperVallowstheguestOStohavedirectaccesstoaSANviaastandardWorldWideName(WWN) that is associatedwith aVM. This allows you touse FiberChannel SANs toperform virtualizationof theworkloads accessing the SAN. Inparticular it uses the existingN_Port IDVirtualization T11 standard formappingmultiplevirtualN_Port IDstoasinglephysicalFiberChannelN_port.There isanewNPIVportcreatedonthehostwheneveryoustartaVMconfiguredwithavirtualHBA.

3.3CREATEANDCONFIGUREVIRTUALNETWORKSImplementHyperVNetworkVirtualization HyperV is a server role that provides tools and services one can use to create a virtualized server computingenvironment.YouaddthisroleviaServerManagerAddRoles.Youmayalsoaddfeaturesformanagingit.

FromwithintheCreateVirtualNetworkspageyoucanalsoselecttheLANadaptersyouwanttohavesharedwithyourguestsessions.AHyperVhostserverMUSTrunona64bitsystem.Anexternalnetworkprovidescommunicationbetween a virtual machine and a physical network. An internal network provides communication between thevirtualizationserverandvirtualmachineswithinthesameserversystem.Aprivatenetworkprovidescommunicationbetweenvirtualmachines. Avirtualswitchcancombineboththeinternalandtheexternalnetworkswitchsegments.Withdirectaddressing,aguestsessioncanconnectdirectlytothebackboneofthenetwork.Thevirtualservercanactasaswitchthatconnectsallguestsessionstogether. ConfigureHyperVvirtualswitches Anetworkvirtualswitch inthecontextofHyperVrunsatthedatalink layer.There isaMACtablewiththe layer2addressesofalltheVMsconnectedtoit.The2possibleswitchmodesareTrunkModeandAccessMode.

ThepossibletypesofvirtualswitchesareExternal,PrivateandInternal.OnlyExternalandInternalVirtualSwitchescanrun inTrunkModeandAccessMode.Thenumberof internalvirtualswitchesthatcanbecreated isnot limitedbydefault.Optimizenetworkperformance Assaidbefore,withdirectaddressingaguestsessioncanconnectdirectlytothebackboneofthenetwork.Forittoworkyouneedtoconfigureanexternalconnection intheVirtualNetworkManager.Youalsomusthaveavalid IPaddressonthatexternalsegment. Tokeeptheguestsessionisolatedfromthenetwork,setupaninternalconnectionusinganIPaddressofasegmentthatiscommontotheotherguestsessionsonthesamehostsystem.ConfigureMACaddresses VMMACaddressescanbestaticordynamic.Bydefault,theMACaddress issettoDynamic. IfyouneedtheMACaddresstobecomestatic,youmuststoptheVMfirst.Configurenetworkisolation If thereareVLANs connected toyourHyperVplatform,eachofyourVMsmusthavea correctVLAN tag for thenetwork interfaces in use. You may want to use the PowerShell to set the necessary VLAN parameters. UseSetVMNetworkAdapterVlantosetalloftheVLANrelatedsettings.Configuresyntheticandlegacyvirtualnetworkadapters If you have an older OS to virtualize, you may want to ensure compatibility via SetVMProcessorCompatibilityForOlderOperatingSystemsEnabled$true.

CHAPTER4DEPLOYANDCONFIGURECORENETWORKSERVICES

4.1CONFIGUREIPV4ANDIPV6ADDRESSINGConfigureIPaddressoptionsInordertoconfigureprotocolsandaddressesforthenetworkinterfacesfromFileExplorer,yourightclickonNetworkandchooseProperties.

An IPaddress istheuniquenumber IDassignedtoanetwork interface. IPv4 is32bit,whereas IPv6 is128bit.Thegatewayaddressistypicallyaroutersaddress.InaClassAaddress,thefirstoctetisthenetworkportion.InaClassBaddress,thefirsttwooctetsarethenetworkportion.InaClassCaddress,thefirstthreeoctetsarethenetworkportion.ClassDaddressesareformulticast,whileclassEaddressesarereserved.PrivateIPaddressesarenonroutableandareforprivateuseonly.

An IPv6addressspacehas128bits.Therearetwomajor64bitparts:thenetworkprefixandthe interface ID.Theexam,however,haslimitedcoverageofIPv6.ConfiguresubnettingAsubnetmaskhasfourbytes,thustotaling32bits.Thesubnetmaskiswrittenusingthedotteddecimalnotation,withtheleftmostbitsalwayssettothevalueof1.ThroughapplyingasubnetmasktoanIPaddressyoueffectivelysplittheaddressintotwoparts.VariableLengthSubnetMasks(VLSM)allowfortheuseofalongmaskonnetworkswithfewhostsandashortmaskonsubnetswithrelativelymorehosts.ConfiguresupernettingClassless Interdomain Routing (CIDR) is also known as supernetting. It improves address spaceutilizationbyhavinganIPnetworkrepresentedbyaprefix.WithCIDR,youspecifyanIPaddressrangeusingacombinationofanIPaddressandnetworkmask.ConfigureinteroperabilitybetweenIPv4andIPv6WindowsServer2012supportsIPv4andIPv6.Bothareinstalledandenabledbydefault.YoumaytunnelIPv6trafficthroughanIPv4networkandviceversa.

ConfigureISATAP TherearetransitiontechnologiesyoumayconsiderifyouarenotreadyforIPv6.ISATAPallowsunicastcommunicationbetweenIPv6/IPv4hostsacrossyourIPv4intranet. WindowsServer2012canbeconfiguredtoactasanISATAProuter.VirtualIPaddresses(VIPs)allowyoutouseclusterbasedNetworkLoadBalancing.NeighborUnreachabilityDetection(NUD)canprotectagainstroutingloops.ConfigureTeredo6to4allowsunicastcommunicationstotakeplacebetweenIPv6/IPv4hostsandIPv6capablesitesthroughtheInternet.Teredoissimilarto6to4andcanworkevenwhenthereareprivateIPv4addressesandNATdevicesinvolved.IPHTTPSpermitsIPv6tobetunneledusingHTTPwithSSLasatransport.TouseTeredo,youneedtohavetwoconsecutivestaticpublicIPv4addressesonyouroutsidefacingnetworkinterface.YoucanusetheSetDAServerTeredoEnabledcmdlettoturnonTeredoforDirectAccess.

4.2DEPLOYANDCONFIGUREDYNAMICHOSTCONFIGURATIONPROTOCOL(DHCP)SERVICECreateandconfigurescopesADHCPscope refers toanadministrativegroupingof IPaddresses.Youmay firstcreateascope foreachphysicalsubnet,thenusethescopetofurtherdefinetheparameterstobeusedbyyourclients.EachscopehasarangeofIPaddresses,asubnetmaskandascopename.YouusetheNewScopeWizardtocreateone.

EachsubnetcanhaveonlyoneDHCPscopewithasinglecontinuousrangeofIPaddresses.Tousemultipleaddressrangeswithinasinglescopeyouhavetocarefullyconfiguretherequiredexclusionranges,orconflictswilloccur.ConfigureaDHCPreservation AclientreservationisanIPaddressreservedforpermanentusebyaspecificDHCPclient.WhenmultipleDHCPserversareconfiguredwithascopethatcoverstherangeofthereserved IPaddress,youshouldmanuallymakethesameclientreservationateachoftheinvolvedDHCPservers.Also,ifyoutrytoreserveanaddressthatisalreadyinuse,theclientusingtheaddressmustfirstreleaseit.Thiscanbedoneviaipconfig/release.WhenspecificDHCPoptionsareconfiguredforareservedclient,thevalueswilloverrideanythingdistributedviaotherassignmentmethods.

ConfigureDHCPoptionsDHCPscopeoptionsareconfigured forassignment toDHCPclients,suchasaDNSserveraddress, routeraddress,WINSserveraddress,etc.ServeroptionsapplytoallscopesandclientsofaDHCPserver.Scopeoptionsapplyonlytoclientsofaselectedapplicablescope.ReservationoptionsapplyonlytoaspecificreservedDHCPclient.Classoptionsapplytomemberclientsofaspecifieduserorvendorclass.Userclassesgroupclientsthathavebeen identifiedashavingacommonneed forcertainoptionsconfiguration.Vendorclassesprovidevendorspecificoptions toclients.Mostofthetimeyoushouldonlyusescopeoptionstoassignmostoptionsclientsneed.NotethatwhentheDHCPserviceisinstalled,therearenodefaultDHCPoptiondefinitionscreatedsotheymustbeconfiguredmanually.ForBOOTP towork theremustbeaBOOTP table.Bydefault this table isempty.DHCPcanprovideassignment toBOOTPclients,buttheseclientscanonlyobtainanIPaddressleaseatboottime.Leaseexpirationtimesshouldbesetaccordinglysotheleasewillnotexpirebeforetheclientreboots.ConfigureclientandserverforPXEboot In order to support PXE Network Boot, there must be a working DHCP server with scope option 066 and 067configured,plusaTFTPserverandaNFSserver.ThejobofDHCPinthisscenarioistoprovidethePXEenabledhostwiththecorrectTFTPhostandbootfilename.ConfigureDHCPrelayagent ADHCPRelayAgentcanrelayDHCPmessagesbetweenclientsandserversondifferentsubnets.Keepinmind,DHCPisbroadcastbased and therefore cannotbe routedunless facilitatedbyRFC 1542 compliant relay agents. YoumayenabletheDHCPRelayAgentfeatureviaRRAS,whereitislistedasaroutingprotocol.NotethereisanagentforIPv4and another for IPv6. However, both of them cannot run simultaneouslywithin the DHCP service on the samecomputer.

AuthorizeDHCPserverForadomainjoinedDHCPMemberServer,youmayusetheDHCPMMCconsoletoauthorizetheserver.Ifitisnotauthorizeditwillnotleaseaddressestoclients.Thisisdoneforthesakeofsecurity.Iflocatedonaworkgroupserver,authorizationisnotnecessary.Iflocatedonadomaincontroller,itistypicallyautomaticallyauthorized.

4.3DEPLOYANDCONFIGUREDNSSERVICEConfigureActiveDirectoryintegrationofprimaryzones

You use the DNSManager to invoke theNew ZoneWizard. It is always recommended that the DNS zones beintegratedwithAD (due to theendlessnumberofbenefitsofferedbyAD,suchasADDSintegrated replicationofupdates).NotethatonlyprimaryzonescanbestoredinAD.Secondaryzonescanonlybestoredintextfiles.

Configureforwarders WhenanewDNSserverisnotalsoservingasadomaincontroller,youmayconfigureitbyfirstcreatingaforwardandreverse(optional) lookupzone,thendecidewhetherquerieswillbeforwardedtootherservers.YoucanchoosetodesignateaDNSserveronyourlocalnetworkasaforwarderbyconfiguringtheforwardingofqueries.AconditionalforwarderisonethatforwardsDNSqueriesaccordingtotheDNSdomainnameinvolved(onlysomebutnotallquerieswillbeforwarded).ConfigureRootHints Throughroothintsyoumayprepareserversthatareauthoritativeforanonrootzonesothatitispossibleforthemtodiscoverauthoritativeserversatahigherlevel.ThisisneededonDNSserversthatareauthoritativeatlowerlevelsofthenamespace.Youmayconfigureroothints(locatedinpropertiesoftheDNSserver)viatheDNSManagerconsole.Theroothintsfileisinfactthecachehintsfile.ThisfileistextbasedandcontainshostinformationforresolvingnamesoutsideoftheauthoritativeDNSdomains.ManageDNScache CachingmeanstheDNSserverscanremembertheresultsfromearlierresolutions.WithpropercachingitispossibletoreduceWANtrafficsincerequestscanbesatisfiedviathecache.However,itissometimesnecessarytouseipconfig/flushdnstoflushthecache.TheDNSManagerGUIalsohastheClearCacheoptionwhenyourightclickonaserver.

TheadvancedoptionknownasSecurecacheagainstpollutionisforpreventingahackerfrompollutingtheDNScache.

CreateAandPTRresourcerecords DNSrecordscanbecreatedviatheDNSManagerconsole.Yousimplyrightclickonazoneandthenchoosefromtheoptionsavailable.AhostresourcerecordisforassociatingtheDNSdomainnameofacomputertoanIPaddress.YouneedtohavesucharesourcerecordforacomputersharingresourcesthatneedstobeidentifiedbytheDNSdomainname.

When you create a new host record (A orAAAA), you have the option to also create an associated PTR recordautomatically.PTRresourcerecordscreatedthiswaywillbedeletedifthecorrespondinghostrecordisdeleted.

CHAPTER5INSTALLANDADMINISTERACTIVEDIRECTORY 5.1INSTALLDOMAINCONTROLLERSAddorremoveadomaincontrollerfromadomain Youneed to install theActiveDirectoryDomainServicesADDS roleon the server toallow it toactasaDomainController.Afterthisyouneedtopromotetheservertoadomaincontroller.YouusetheADDSInstallationWizardtoachievethis.WhenthefirstWindowsServer2012basedDomainControllerisintroduced,theforestwilloperatebydefaultatthelowestfunctionallevelthatispossible.Whenyouraisethefunctionallevel,neweradvancedfeaturesbecomeavailable,butthisisattheexpenseofcompatibility.Keepinmind;youcannothaveADDSinstalledonaserverthatalsorunstheHyperVServerrole.

Upgradeadomaincontroller DomaincontrollersthatrunWindows2000Servermustberemoved.YoushouldfirstraisetheforestfunctionalleveltoWindows Server 2003 (orhigher), installdomain controllers that runWindows Server 2012, and then removedomaincontrollersthatrunearlierversionsofWindows. Inorderto installthefirstWindowsServer2012domaincontroller inanexistingdomainorforest,thisservermusthaveproperconnectivity to theexisting schemamaster.To installor removeadomain ina forest theremustbeconnectivitytothedomainnamingmaster.OnadomaincontrollerthatyouplantoupgradetoWindowsServer2012,makesureyousize thedriveproperly.Thedrive thathostsNTDS.DITmusthave sufficient freespace toallow theupgradetogothrough.Thisisabout20%ofthesizeoftheDITfile. InstallActiveDirectoryDomainServices(ADDS)onaServerCoreinstallation In Windows Server 2012, commandline installation of AD relies on the ADDSDeployment Module of WindowsPowerShell.AdprepisfullyintegratedintotheADDSinstallationsoyoudonotneedtorunitmanually.TheActiveDirectoryModuleforWindowsPowerShellisinstalledbydefaultwhentheADDSserverroleisaddedona2012serverthereisnoadditionalsteprequiredotherthanaddingtheserverrole.ADDScanbeinstalledonaServerCoreinstallation,andisoftenrecommendedforreadonlydomaincontrollersinsmallerbranchoffices.On a server core, you add the Active Directory Services Role via InstallWindowsFeatureADDomainServices IncludeManagementTools. To promote the server core, use InstallADDSDomainControllerDomainNamemydomain.com InstallDNS:$True Credential (GetCredential). Youwillbe asked to supply a logoncredentialwithdomainadminrights. InstalladomaincontrollerfromInstallfromMedia(IFM) YoucanusetheNtdsutiltool'sifmcommandtocreateinstallationmediaforinstallingadditionaldomaincontrollers.This minimizes data replication over the network. For this to work, you have to log on to a domain controllerinteractively.Youmustalsobeabletomakeabackup.SinceIFMwillcreateatempdatabaseinthe%TMP%folder,makesureyouhaveenoughfreedrivespace;approximately110%ofthesizeoftheexistingADDS.ResolveDNSSRVrecordregistrationissuesService(SRV)recordsareresourcerecords.Theyindicatetheresourcesthatperformaparticularservice.Alldomaincontrollersare referencedbySRV records. In fact, through these records thedomaincontrollerscanadvertise theservicestheyprovide.AnSRVrecordmustbereadyfortheservicesof_kerberosand_ldap.IfyourDNSserverisNOTrunningWindows,youshouldverifytheSRVlocatorresourcerecordsthroughexaminingtheNetlogon.dnsfile.

ConfigureaglobalcatalogserverAglobalcatalog(GC)isadomaincontroller.EveryADhasatleastone.ItstoresacopyofallActiveDirectoryobjectsinaforest.Itenablesandfacilitatesusersearchesfordirectoryinformationthroughoutalldomains.Italsoresolvesuserprincipalnameswhentheauthenticatingdomaincontrollerdoesn'thaveknowledgeofthe involvedaccount.Italsohelpsotherdomaincontrollerstovalidatereferencestothoseobjectsthatbelongtootherdomainsintheforest.InasingledomainforestalldomaincontrollerscanrespondtoauthenticationorservicerequestssoyouhavelessworryregardingGCplacement.There isnoneed tohaveaGCata location thatdoesnotuseapplications thatareGCdependant.However,roaminguserswillneedtocontactGCwhenevertheylogonforthefirsttimeatanylocation.ToaddaGC,usetheActiveDirectorySitesandServicesconsole.

5.2CREATEANDMANAGEACTIVEDIRECTORYUSERSANDCOMPUTERSAutomatethecreationofActiveDirectoryaccounts Youcancreate,editanddeleteADdirectoryobjectsusingldifdefromwithinanelevatedcommandprompt(i.e.Runasadministrator).You canusean import file toautomateobject creation. Inparticular you can createuseraccountobjectsfroman.ldffile.TheCSVDEcommandcanserveasimilarpurpose,butyouneedtosupply.CSVfilescontainingtheuseraccountdata.Create,copy,configure,anddeleteusersandcomputers YouusetheADUsersandComputersconsoleorthenewActiveDirectoryAdministrativeCenterADACUItocreatenewresources,ADusers,printers,sharesandOUs.Ontheotherhand,youusetheADSitesandServicesconsoletocreateandmanagesites.Notethattousetheformeryoumustlogonasadomainadministrator.Configuretemplates To allow objects to be created easily, you can create template objects. You simply create objects as usualwithcommonlyusedpropertiesandDISABLEtheaccount.ThenwheneveryouneedtousethetemplateforobjectcreationyousimplyCOPYit. PerformbulkActiveDirectoryoperations BatchoperationsinADcanbeperformedusingtheLDIFDEutilityortheADSI/VBScript.TheformermakesuseoftheLDAPDataInterchangeFormatLDIFfile,whichisanInternetdraftstandardfileformatforperformingbatchoperationsondirectories.ActiveDirectoryServicesInterfacesADSIcanbeusedtowritedirectoryenabledapplications.VBScriptcanbeusedtowritesimplescriptsusingVBlikelanguage.

Configureuserrights ADuserrightscanbeconfiguredviatheADUsersandComputersconsolebyrightclickingthedesireduserobjectandthenchoosingProperties.FromtheSecuritytab,clickAdvancedtoviewallofthepermissionentriesthatexistandmakechangesaccordingly.Offlinedomainjoin OfflineDomainJoinisimplementedthroughDjoin.exe.Youuseittojoinacomputertoadomainwithoutphysicallycontactingadomaincontroller.You first rundjoin /provision tocreate thenecessarycomputeraccountmetadatawhichissavedina.txtfile.Thenyourundjoin/requestODJtoinsertthecomputeraccountmetadataintothedirectory.Onceyourebootthedestinationcomputer,thecomputerwillbejoinedtoAD.DirectAccessofflinedomainjoinfurtherallowsWindowsServer2012orWindows8basedcomputerstojoinADremotely.Manageinactiveanddisabledaccounts Tocleanup inactiveaccounts,youshouldusedsquery.Throughdsqueryyoucanquerythedirectoryusingspecificsearchcriteria.Forexample,youcanusedsquerycomputerwithinactive/disabledtosearchforcomputeraccountsthatareeffectivelyinactive/disabled.Dsqueryusercandothesamewithuseraccounts.

5.3CREATEANDMANAGEACTIVEDIRECTORYGROUPSANDORGANIZATIONALUNITS(OUS)Configuregroupnesting Groupnestingisaddingagroupasamemberofanothergroup.Thisisusefulforconsolidatingmemberaccounts.Bydefault,whenyounestagroupwithinanother, theuser rightsareautomatically inherited.Note thatgroupswithuniversalscopescanhaveothergroupswithuniversalscopesaswellasgroupswithglobalscopesfromanydomain.Groupswithglobalscopescanhaveothergroupswithglobalscopesfromthesamedomain.Groupswithdomainlocalscopescanhavegroupswithuniversalscopesaswellasgroupswithglobalscopesfromanydomain.Itcanalsohavegroupswithdomainlocalscopesfromwithinthesamedomain.Convertgroupsincludingsecurity,distribution,universal,domainlocal,anddomainglobal Distributiongroupsare forusewithemaildistribution lists,while securitygroupsare forassigningpermissions tosharedresources.Youmayusedsmodgrouptoconvertbetweengrouptypes.Groupswithdomainlocalscopesareformanagingaccesstoresourceswithinasingledomain.Groupswithglobalscopesareformanagingdirectoryobjectsthatrequirefrequentmaintenance.Theyareneverreplicatedtootherdomains.Groupswithuniversalscopesareforconsolidatinggroupsthatspanacrossmultipledomains.

ManagegroupmembershipusingGroupPolicy GroupPolicycanbeused toconfigurecomputeranduser settingswithinnetworksbasedon theActiveDirectoryDomainServices(ADDS).ForGroupPolicytowork,yournetworkmustbebasedonADDSandthecomputersyouwanttomanagemustbejoinedtothedomain.Youmustalsohavetherelevantpermissionstocreateandeditthepolicyobjects.Enumerategroupmembership Youmayusedsgetgrouptoshowthepropertiesandmembersofagroup.Thistaskcanbeautomatedusingascript.

DelegatethecreationandmanagementofActiveDirectoryobjects Withdelegationofadministration,theresponsibilityforspecificADadministrativetasksistransferredtothosewhomustperformtherespectivetasksonly.Simplyput,highleveladministratorsauthorizethedelegatedlowerlevelstaffadministratorstoperformspecificadministrativetasks.WhenyoudesignyourOUstructureyoushouldconsiderthefactorofdelegation. ManagedefaultActiveDirectorycontainers EverydomaincontainsastandardsetofdefaultcontainerscreatedduringADinstallation.Adomaincontaineristheroot container to the hierarchy. A builtin container keeps the default service administrator accounts. The userscontainer keepsnewuseraccounts and groups created for thedomain.The computers container keeps thenewcomputeraccountscreated.TheDomainControllersOUprovidesadefaultlocationforthecomputeraccountsofthedomaincontrollers.Notethere isnowaytoapplyGroupPolicysettingstothedefaultUsersandComputerscontainers.Youmust firstcreatenewOUs,movethedesireduserandcomputerobjectstothenewOUsandthenapplythedesiredgrouppolicy.Create,copy,configure,anddeletegroupsandOUs YouusetheADUsersandComputersconsoleorthenewActiveDirectoryAdministrativeCenter(ADAC)UItocreatenewresources,ADusers,printers,sharesandOUs.Youmayalsousenetgrouptocreateanewgroupaccount,butgroupnamesarelimitedto64characters.

CHAPTER6CREATEANDMANAGEGROUPPOLICY6.1CREATEGROUPPOLICYOBJECTS(GPOS)

ConfigureaCentralStore GroupPolicycanbeusedtoconfigurecomputerandusersettingsonnetworksbasedontheActiveDirectoryDomain Services (ADDS). Although you can choose to configureGroup Policy settings locally, it should beavoidedsincedomainbasedGroupPolicycentralizesmanagementwhilelocalizedpolicydoesnot.TheADMX/ADMLtemplatefilesareforkeepingadmintemplates.InAD,thesecanbereplicatedacrossdomaincontrollers.RatherthanreplicatingthemtotheSYSVOLfolderofalldomaincontrollers(eventhoughtheGPOsarebydefaultstored in theSYSVOL folder) inside thedomain,creatingaCentralStorewhichservesasa filelocationthatwillbecheckedbytheGroupPolicytoolsisconsideredbestpractice.ThisstorecanbecreatedviaWindowsVistaorlaterclientcomputer.

ManagestarterGPOs StarterGroupPolicyObjectsderivefromaGPO.TheseareusedtostoreAdministrativeTemplatepolicysettings.Groupingthesesettings insideasingleobjectmakes importsandexportsmucheasier.ThesearecreatedandmanagedviatheGroupPolicyManagementConsoleUI.SelectingNewGPOfromtheStarterGPOoptionallowthesebeusedastemplatesforGPOcreation.ConfigureGPOlinks ThesettingsofaGPOcanbeappliedbyaddingalinktothatGPO.MultipleGPOlinkscanbeaddedtoadomain,site,orOUviatheGPMC.Ifyouwanttoapplypolicysettingsbaseduponphysicallocationonly,addalinktothedesired site. If the settingsdonot clearly correspond to anyparticular site, linking to anOUor adomain isconsideredbestpractice.InorderforaGPOtobeappliedtoagivenuserorcomputer,thatuserorcomputermusthavebothReadandApplyGroupPolicy(AGP)permissionsforthatGPO.However,youcannothaveaGPOlinkeddirectlytoauser,acomputer,orasecuritygroup. Configuremultiplelocalgrouppolicies Multiple Local Group Policy (MLGP) is a collection of local GPOs. These objects include: Local Computer Policy Administrators Local Group Policy Non-Administrators Local Group Policy User-Specific Local Group Policy They may be edited via the Group Policy Object Editor. Note that these are available only on computers that are not domain controllers. Configuresecurityfiltering SecurityfilteringallowsyoutofinetunewhichusersandcomputerswillreceiveandapplythesettingsofaGPO.Security filtering isused toapplyonly someof the securityprincipalswithinacontainer towhich theGPO islinked.YoumayusetheGPMCtoaddandremovegroups,users,andcomputersthataretobeusedassecurityfiltersforaGPO.

6.2CONFIGURESECURITYPOLICIESConfigureUserRightsAssignment Userrightsare fordefiningcapabilitiesat the levelof localcomputeronly.Technicallytheycanbeappliedtoindividualuseraccounts,butshouldbeadministeredonagroupaccountbasis.Userrightsassignedtoagroupareappliedtoallmemberswithinthegroup.ConfigureSecurityOptionssettings It is possible to use Dynamic Access Control (DAC) to dramatically reduce the complexity of amalgamatedsecuritygroups.Youmaycreatecentralaccesspolicies for files tocentrallydeployandmanageauthorizationpolicies that includeconditionalexpressionsusingavarietyofcriteriasuchasuserclaims,deviceclaims,andresourceproperties.TheprimarygoalofSecurityAuditing, incontextofDAC, isregulatorycompliance.Thishelpstoestablishthepresenceofsuchpoliciesandalsoprovecomplianceornoncompliancewiththesestandards.Stagingallowsyoutoverifyproposedpolicychangesbeforeenforcingthem.ConfigureSecuritytemplates TheSecurityConfigurationWizard isusedtoproducesecuritypoliciesusingsecuritytemplatesthatare in.infformat. This allows for prioritization of templates to ensure the correct settings are taking the properprecedence.InAD,itisconsideredbestpracticetodeploysecuritytemplatesbyimportingthemintoaGPO.ThisisfacilitatedbyfirstcreatingOUsforthecomputersthataretousethevariousspecificsecuritytemplates,thenaddingthecomputers accounts to the proper OU. Finally, the OU is linked to the desired GPO. To import a securitytemplateintoaGPO,usetheGroupPolicyObjectEditorUI. ConfigureAuditPolicy There are many audit policy setting categories contained within Security Settings\Advanced Audit PolicyConfiguration.Theseare: AccountLogon AccountManagement DetailedTracking

DSAccess Logon/Logoff ObjectAccess PolicyChange PrivilegeUse System GlobalObjectAccessAuditing

ObjectAccess policy settings are used to track attempts to access specific objects or types of objects on anetworkor computer.Thisallows forauditingattempts toaccessa file,directory, registry key,oranyotherobject,suchasfilesandfolderswithinasharedfolder.TheappropriateObjectAccessauditingsubcategoryforsuccessand/orfailureeventsmustbeenabled,however.ConfigureLocalUsersandGroups Localusersandgroups canbemanaged through theServerManageror theTaskManager.You can create,modifyorremoveusersandgroupsasneeded.

ConfigureUserAccountControl(UAC)UserAccountControl(UAC) isafeaturethatcan limitprivilegesofusersbydefault.ThiscanbeoverriddenfromagivenuseraccountsessionbyusingtheRunasadministratoroptionfromagivencontextmenu,andthensupplyingtheadmincredentialswhenprompted.

6.3CONFIGUREAPPLICATIONRESTRICTIONPOLICIESConfigureruleenforcement SoftwareRestrictionPoliciesrelyonfourtypesofrulesto identifysoftware.TheseareHash,Certificate,PathandZone.ThesepoliciesdonotpreventrestrictedprocessesthatrununderthenameoftheSystemaccount.Notethateachtypeofrulehasitsbenefitsanddrawbacks.ArulemaybeUnrestrictedorDisallowed.Softwarerestrictionpoliciescanbeappliedtoallowonlya listoftrustedapplicationsortospecificallydisallowthoseundesiredapplicationsorfiletypesthatshouldbeprohibited.Bydefault,thereisnoruleorpolicyapplied.

ConfigureApplockerrules ApplockercanbeusedtoconfigureApplicationControlPoliciestoblocktheexecutionofasoftwareasneeded.YoucanhaveAppLockerrulesassociatedwithaspecificuserorgroupwithinanorganization.Norulesare inplacebydefault.Defaultrules,ifany,shouldNOTbeusedforproductionpurpose.UnlikeSoftwareRestrictionPolicies,anAppLockerrulecollectionwouldonlyfunctionasanallowedlistoffiles,whichmeansonlythosefilesthatarelistedwouldbeallowedtorun.ConfigureSoftwareRestrictionPoliciesSoftwarerestrictionpoliciescanbedealtwithviatheLocalSecurityPolicyEditor.Checkouttheleftpaneandyouwillseeitthere.Ifyouaddpoliciesthroughherethoseinheritedpolicieswillbeoverridden.ThisiswhyyoushouldaddnewpoliciesthroughtheActionmenuinstead.

6.4CONFIGUREWINDOWSFIREWALLConfigurerulesformultipleprofilesusingGroupPolicy Asastatefulhostbasedfirewall,WindowsFirewallcanbeconfiguredviatheWindowsFirewallwithAdvancedSecurityinterfaceorviatheNetshadvfirewallcommand.YoumayalsoaccessitviatheControlPanel.However,configurationviatheControlPanelismostlyfortypicalendusertasks.Configuration through group policy is possible. To do so, first determine theGroup Policy settings in a testenvironmentbeforeformaldeployment.Domainprofilesettingsareusedwhencomputersareconnectedtoanetworkthathasdomaincontrollersforthedomainofwhichthecomputer isamember.Ontheotherhand,standardprofilesettingsareusedwhenthenetworkdoesnotcontaindomaincontrollers.Configureconnectionsecurityrules Firewallrulesareused toallowservercomputers tosend traffic to,orreceive traffic from,programs,systemservices,computers,orusers.Firewallrulescanbecreatedtoallowtheconnection,allowaconnectiononlyifitissecuredthroughIPsec,orblocktheconnectionentirely.Rulesmaybeforeitherinboundtrafficoroutboundtrafficandmayspecifythecomputersorusers,program,service,port(allportsorspecifiedports),protocol(TCPvsUDP)andthetypeofnetworkadapterinvolved.

ConnectionsecurityrulesdefineauthenticationusingIPsecandenforceNetworkAccessProtection(NAP)policy. ConfigureWindowsFirewalltoallowordenyapplications,scopes,ports,andusers Thewindows services and thirdparty programs that require access should be determined initially and thenallowed tocommunicatebetweendifferentnetwork locations. Inside thenetshadvfirewallcontext thereareseveralsubcommandsthatallowchangessoyoucanview,create,andmodifyfirewallrules.Theseincludeadd,delete,setandshow.Directionoftrafficcanbeeitherinorout,whiletheavailableactionsareallow,blockorbypass.

Configureauthenticatedfirewallexceptions Authenticatedbypass rulesallow connections thatbypassother inbound ruleswhen the traffic isprotectedwithIPsec.Blockrulesexplicitlyblockparticulartypesoftraffic,andcanbeusedtooverrideamatchingallowrule. IfWindowsFirewall isblockingaspecificprogramthatshouldbeallowedtocommunicate, itshouldbeaddedtothelistofallowedprograms(alsocalledtheexceptionslist). ImportandexportsettingsUnderAdvancedsettings, intheActionPane,youcanchooseto importorexportyourfirewallpolicies.Also,fromwithinthenetshadvfirewallcommandpromptyoucanaccessthesesameimportandexportcommands.

CoverAbout the ExamObjectiveCHAPTER 1 INSTALL AND CONFIGURE SERVERS1.1 INSTALL SERVERSPlan for a server installationPlan for server rolesPlan for a server upgradeInstall Server CoreOptimize resource utilization by using Features on DemandMigrate roles from previous versions of Windows Server

1.2 CONFIGURE SERVERSConfigure Server CoreDelegate administrationAdd and remove features in offline imagesDeploy roles on remote serversConvert Server Core to/from full GUIConfigure servicesConfigure NIC teaming

1.3 CONFIGURE LOCAL STORAGEDesign storage spacesConfigure basic and dynamic disksConfigure MBR and GPT disksManage volumesCreate and mount virtual hard disks (VHDs)Configure storage pools and disk pools

CHAPTER 2 CONFIGURE SERVER ROLES AND FEATURES2.1 CONFIGURE FILE AND SHARE ACCESSCreate and configure sharesConfigure share permissionsConfigure offline filesConfigure NTFS permissionsConfigure accessbased enumeration (ABE)Configure Volume Shadow Copy Service (VSS)Configure NTFS quotas

2.2 CONFIGURE PRINT AND DOCUMENT SERVICESConfigure the Easy Print print driverConfigure Enterprise Print ManagementConfigure DriversConfigure printer poolingConfigure print prioritiesConfigure printer permissions

2.3 CONFIGURE SERVERS FOR REMOTE MANAGEMENTConfigure WinRMConfigure downlevel server managementConfigure servers for daytoday management tasksConfigure multiserver managementConfigure Server CoreConfigure Windows Firewall

CHAPTER 3 CONFIGURE HYPERV3.1 CREATE AND CONFIGURE VIRTUAL MACHINE SETTINGSConfigure dynamic memoryConfigure smart pagingConfigure Resource MeteringConfigure guest integration services

3.2 CREATE AND CONFIGURE VIRTUAL MACHINE STORAGECreate VHDs and VHDXConfigure differencing drivesModify VHDsConfigure passthrough disksManage snapshotsImplement a virtual Fiber Channel adapter

3.3 CREATE AND CONFIGURE VIRTUAL NETWORKSImplement HyperV Network VirtualizationConfigure HyperV virtual switchesOptimize network performanceConfigure MAC addressesConfigure network isolationConfigure synthetic and legacy virtual network adapters

CHAPTER 4 DEPLOY AND CONFIGURE CORE NETWORK SERVICES4.1 CONFIGURE IPV4 AND IPV6 ADDRESSINGConfigure IP address optionsConfigure subnettingConfigure supernettingConfigure interoperability between IPv4 and IPv6Configure ISATAPConfigure Teredo

4.2 DEPLOY AND CONFIGURE DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVICECreate and configure scopesConfigure a DHCP reservationConfigure DHCP optionsConfigure client and server for PXE bootConfigure DHCP relay agentAuthorize DHCP server

4.3 DEPLOY AND CONFIGURE DNS SERVICEConfigure Active Directory integration of primary zonesConfigure forwardersConfigure Root HintsManage DNS cacheCreate A and PTR resource records

CHAPTER 5 INSTALL AND ADMINISTER ACTIVE DIRECTORY5.1 INSTALL DOMAIN CONTROLLERSAdd or remove a domain controller from a domainUpgrade a domain controllerInstall Active Directory Domain Services (AD DS) on a Server Core installationInstall a domain controller from Install from Media (IFM)Resolve DNS SRV record registration issuesConfigure a global catalog server

5.2 CREATE AND MANAGE ACTIVE DIRECTORY USERS AND COMPUTERSAutomate the creation of Active Directory accountsCreate, copy, configure, and delete users and computersConfigure templatesPerform bulk Active Directory operationsConfigure user rightsOffline domain joinManage inactive and disabled accounts

5.3 CREATE AND MANAGE ACTIVE DIRECTORY GROUPS AND ORGANIZATIONAL UNITS (OUS)Configure group nestingConvert groups including security, distribution, universal, domain local, and domain globalManage group membership using Group PolicyEnumerate group membershipDelegate the creation and management of Active Directory objectsManage default Active Directory containersCreate, copy, configure, and delete groups and OUs

CHAPTER 6 CREATE AND MANAGE GROUP POLICY6.1 CREATE GROUP POLICY OBJECTS (GPOS)Configure a Central StoreManage starter GPOsConfigure GPO linksConfigure multiple local group policiesConfigure security filtering

6.2 CONFIGURE SECURITY POLICIESConfigure User Rights AssignmentConfigure Security Options settingsConfigure Security templatesConfigure Audit PolicyConfigure User Account Control (UAC)

6.3 CONFIGURE APPLICATION RESTRICTION POLICIESConfigure rule enforcementConfigure Applocker rulesConfigure Software Restriction Policies

6.4 CONFIGURE WINDOWS FIREWALLConfigure rules for multiple profiles using Group PolicyConfigure connection security rulesConfigure Windows Firewall to allow or deny applications, scopes, ports, and usersConfigure authenticated firewall exceptionsImport and export settings