Microsoft 70-411 Study Guide


7/21/2019 Microsoft 70-411 Study Guide

1/37

Microsoft 70-411: Administering Windows Server 2012


ABOUT THE EXAM

The Microsoft 70-411 exam is part two of a series of three exams that test the skills and knowledge necessary to administer a Windows Server 2012 infrastructure in an enterprise environment. Passing this exam validates a candidate's ability to administer the tasks required to maintain a Windows Server 2012 infrastructure, such as user and group management, network access, and data security. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.

Six major topics make up the Microsoft 70-411 certification. The topics are as follows:

Deploy, Manage, and Maintain Servers
Configure File and Print Services
Configure Network Services and Access
Configure a Network Policy Server Infrastructure
Configure and Manage Active Directory
Configure and Manage Group Policy

This guide will walk you through all the skills measured by the exam, as published by Microsoft.


OBJECTIVES

CHAPTER 1: DEPLOY, MANAGE, AND MAINTAIN SERVERS
1.1 Deploy and manage server images
1.2 Implement patch management
1.3 Monitor servers

CHAPTER 2: CONFIGURE FILE AND PRINT SERVICES
2.1 Configure Distributed File System (DFS)
2.2 Configure File Server Resource Manager (FSRM)
2.3 Configure file and disk encryption
2.4 Configure advanced audit policies

CHAPTER 3: CONFIGURE NETWORK SERVICES AND ACCESS
3.1 Configure DNS zones
3.2 Configure DNS records
3.3 Configure VPN and routing
3.4 Configure DirectAccess

CHAPTER 4: CONFIGURE A NETWORK POLICY SERVER INFRASTRUCTURE
4.1 Configure Network Policy Server (NPS)
4.2 Configure NPS policies
4.3 Configure Network Access Protection (NAP)

CHAPTER 5: CONFIGURE AND MANAGE ACTIVE DIRECTORY
5.1 Configure service authentication
5.2 Configure Domain Controllers
5.3 Maintain Active Directory
5.4 Configure account policies


CHAPTER 1: DEPLOY, MANAGE, AND MAINTAIN SERVERS

1.1 DEPLOY AND MANAGE SERVER IMAGES

Install the Windows Deployment Services (WDS) role

Windows Deployment Services (WDS) is used to facilitate OS deployment. The WDS role is the updated and redesigned version of Remote Installation Services (RIS). Through it you may deploy Windows operating systems over a network.

To use WDS, an existing server must be configured with the Deployment Server and Transport Server role services. The server must be a member of (or join) a domain that has DHCP and DNS running and properly configured.

Configure and manage boot, install, and discover images

At least one boot image and one install image must be created and made available in order to boot to the WDS server and subsequently install from an image. Note that the client computer must be capable of performing a PXE boot and must meet the minimum hardware requirements for the operating system of the install image. The client must have a minimum of 512 MB of RAM.

Update images with patches, hotfixes, and drivers

OCSetup is a command-line tool used for applying updates to an online Windows image. It allows installation of *.msi files via MSIExec.exe. It can also install and remove Component-Based Servicing (CBS) packages online by passing them to DISM. Note that OCSetup is deprecated: starting with Windows 8 and Windows Server 2012 it is no longer shipped, and DISM (DISM /Online /Add-Package, or the DISM PowerShell module) is used directly instead.

In order to install system MSI packages via OCSetup, they must first be staged. Additionally, the paths to the packages must be specified in an answer file. Staging an installer file involves placing it in the location specified in the CustomSetup registry key.

If the installation package requires a custom installer, it must first be registered. This is accomplished by adding the name of the package to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\


Install features for offline images

Oscdimg is used to create an image in the *.iso format for a customized Windows PE. You use Expand.exe to decompress the update files (for example, to extract the .cab from an .msu). Intlcfg.exe is used to change the language and locale, fonts, input settings, etc., for a given installation; on Windows Server 2012 the same international settings are applied with DISM options such as /Set-UILang and /Set-SysLocale.

Through the Deployment Image Servicing and Management (DISM) tool you can build and deploy offline Windows images. It is a scriptable command-line utility used to mount and unmount system images as well as to update operating system components (packages, drivers and features).

For DISM to work properly, the Windows image must be local. If the answer file for an image is named unattend.xml, only the settings specified in the offlineServicing configuration pass can be applied.
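The offline servicing workflow described above, as an added PowerShell example (this is not code from the original study guide): a copy of an install image is mounted, an update package and a driver folder are injected, the package state is verified, and the image is committed only if the verification passes. The file paths, image index and update file name are assumptions.

```powershell
# Added example: offline servicing of a WDS install image with the DISM PowerShell module
# (Windows Server 2012). Paths, image index and the update file are assumptions.
$ImagePath  = 'D:\RemoteInstall\Images\Server2012\install.wim'
$MountDir   = 'C:\Mount'
$UpdateMsu  = 'D:\Updates\update.msu'        # assumed: a downloaded .msu for the image's OS
$CabDir     = 'D:\Updates\extracted'
$DriverDir  = 'D:\Drivers\NIC'                # .inf driver package(s) to inject
$ImageIndex = 2                               # assumed: confirm with Get-WindowsImage below

New-Item -ItemType Directory -Path $MountDir, $CabDir -Force | Out-Null

# Service a copy: if the commit fails, the image WDS is serving is untouched.
$WorkImage = Join-Path (Split-Path $ImagePath) 'install-servicing.wim'
Copy-Item -Path $ImagePath -Destination $WorkImage -Force
Get-WindowsImage -ImagePath $WorkImage | Format-Table ImageIndex, ImageName -AutoSize

# Expand.exe pulls the update .cab out of the .msu (Add-WindowsPackage accepts the .msu
# directly too; the .cab is what Get-WindowsPackage can check against the image afterwards).
expand.exe $UpdateMsu -F:*.cab $CabDir | Out-Null
$Cab = Get-ChildItem -Path $CabDir -Filter *.cab |
       Where-Object Name -ne 'WSUSSCAN.cab' | Select-Object -First 1

try {
    Mount-WindowsImage -ImagePath $WorkImage -Index $ImageIndex -Path $MountDir | Out-Null

    Add-WindowsPackage -Path $MountDir -PackagePath $Cab.FullName | Out-Null
    Add-WindowsDriver  -Path $MountDir -Driver $DriverDir -Recurse | Out-Null

    # Verify before committing: the package must show as Installed in the offline image.
    $State = (Get-WindowsPackage -Path $MountDir -PackagePath $Cab.FullName).PackageState
    if ($State -ne 'Installed') { throw "Package state is '$State', not Installed" }

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    "Committed $($Cab.Name) and drivers from $DriverDir into $WorkImage index $ImageIndex"
}
catch {
    Write-Warning "Servicing failed: $_ -- discarding changes"
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

After a successful commit, replace the image that WDS serves from the WDS console (Replace Image) or with wdsutil /Replace-Image; servicing a copy first means a failed commit never leaves a half-updated image on the deployment share.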

1.2 IMPLEMENT PATCH MANAGEMENT

Install and configure the Windows Server Update Services (WSUS) role

Windows Server Update Services (WSUS) is a server role configured via the WSUS Configuration Wizard.

For proper operation, ensure the server's firewall allows client access to the server so that updates can be retrieved. The server itself must be able to connect to its upstream server if it is designated to download updates from elsewhere. If there is a proxy server, its name and user credentials must be known and provided when prompted.

Configure group policies for updates

The WSUS Setup program can configure IIS to automatically distribute the latest version of the Automatic Updates client to computers that contact WSUS. Pointing clients at the WSUS server is done via a domain-based GPO. Without AD DS, only the Local Group Policy Editor can be used to configure Automatic Updates.


Note that the Default Domain or Default Domain Controllers GPOs should not be altered for configuring WSUS settings; create a dedicated GPO instead. Also, prior to setting any Group Policy options for WSUS, the latest administrative template should be available on the computer used to manage Group Policy. The administrative template that contains the relevant WSUS settings is WindowsUpdate.admx (Wuau.adm was the older ADM-format template). The following Automatic Updates options can be made available to the clients:

Notify for download and notify for install.
Auto download and notify for install.
Auto download and schedule the install.
Allow local admin to choose setting.

Configure client-side targeting

When computers are assigned to computer groups you have two options to choose from: server-side targeting and client-side targeting. The former involves adding each computer to its group manually in the WSUS console. The latter involves automatically assigning the computers via Group Policy or registry settings. For client-side targeting to take effect, the WSUS server itself must also be set to "Use Group Policy or registry settings on computers" under Options > Computers in the WSUS console.
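Client-side targeting as seen from the client, as an added PowerShell example (not from the original study guide): it writes the same registry values that the "Specify intranet Microsoft update service location", "Enable client-side targeting" and "Configure Automatic Updates" policies set, then reads them back and forces a detection cycle. It is the form you would use on a workgroup host without AD DS, or to verify what a GPO has applied. The WSUS server name, port and target group name are assumptions.

```powershell
# Added example: the registry values behind the WSUS Group Policy settings, plus verification.
# Server URL, port and group name are assumptions.
$WsusUrl     = 'https://wsus01.corp.example:8531'   # SSL: update metadata cannot be altered in transit
$TargetGroup = 'Servers-Tier1'

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = Join-Path $WU 'AU'
New-Item -Path $AU -Force | Out-Null

# Intranet update service location and client-side targeting.
Set-ItemProperty -Path $WU -Name WUServer           -Value $WsusUrl     -Type String
Set-ItemProperty -Path $WU -Name WUStatusServer     -Value $WsusUrl     -Type String
Set-ItemProperty -Path $WU -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $WU -Name TargetGroup        -Value $TargetGroup -Type String

# Configure Automatic Updates. AUOptions: 2 = notify download/notify install,
# 3 = auto download/notify install, 4 = auto download/schedule install, 5 = local admin chooses.
Set-ItemProperty -Path $AU -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $AU -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $AU -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $AU -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $AU -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00

# Verification: read the effective values back, then make the client check in now.
Get-ItemProperty -Path $WU | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path $AU | Select-Object NoAutoUpdate, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow
```

The HTTPS URL on port 8531 assumes SSL has been configured on the WSUS server; with plain HTTP on 8530 a client trusts whatever update metadata arrives on the wire, which is why a domain GPO should carry the same values to every managed computer rather than leaving them to per-host scripts.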

Configure WSUS synchronization

WSUS must first be synchronized before attempting to deploy content. Note that by default WSUS is configured to use Microsoft Update to retrieve updates. Synchronization means the WSUS server contacts Microsoft Update (or its upstream WSUS server) to determine whether new updates have been made ready for download since the last time synchronization was performed. This can be done on demand via the WSUS console (Synchronizations > Synchronize Now) or on a schedule set under Options > Synchronization Schedule.

Configure WSUS groups

WSUS allows you to target updates to specific groups of client computers. Every computer belongs to the All Computers group; a computer that has not been placed in any other group appears in the Unassigned Computers group. Remember, computers can be assigned to groups by either server-side targeting (manually, in the console) or client-side targeting (automatically, via Group Policy or registry settings).


1.3 MONITOR SERVERS

Configure Data Collector Sets (DCS)

A Data Collector Set is an XML object that works by grouping data collectors into reusable elements that fit different performance monitoring scenarios. The default Data Collector Set templates can collect performance data immediately without the need for complicated configuration. Additional counters can be added to the various log files. Data Collector Sets can be scheduled to start and stop, and the duration of the collection can be defined as needed. To create a Data Collector Set a user must be logged on as a member of the local Administrators or Performance Log Users group.

Configure alerts

Alerts can be configured to give notice when particular events take place or predefined performance thresholds are reached. Alerts can be sent as messages or logged as events in the Application event log. To configure an alert, start the Create New Data Collector Set wizard and choose the Create Manually option. On the subsequent What Type of Data Do You Want to Include page, select the Performance Counter Alert option.

Monitor real-time performance

Resource Monitor is a tool that provides real-time information regarding CPU, disk, network, and memory usage. It is very useful for identifying which process holds a handle to a given file, and for analyzing the wait chain of a hung process. In order to use Resource Monitor, the user must be a member of the local Administrators group or have an equivalent privilege level. Constantly high utilization in a particular area indicates further investigation may be necessary.
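The Data Collector Set and performance counter alert described in the two sections above, built with logman so they can be scripted onto many servers instead of clicked through the wizard. This is an added example, not part of the original study guide; the set names, counters, thresholds and output path are assumptions.

```powershell
# Added example: a counter log plus an alert that starts it when CPU stays high.
# Names, counters, thresholds and paths are assumptions.
$Set   = 'Baseline-Perf'
$Alert = 'Alert-HighCPU'
$Out   = 'C:\PerfLogs\Baseline'

# 1. Counter log: 15-second samples into a binary circular file capped at 250 MB, so the
#    log never fills the disk but always holds the most recent window.
logman create counter $Set `
    -c '\Processor(_Total)\% Processor Time' `
       '\Memory\Available MBytes' `
       '\PhysicalDisk(_Total)\Avg. Disk Queue Length' `
       '\Network Interface(*)\Bytes Total/sec' `
    -si 00:00:15 -f bincirc -max 250 -o $Out

# 2. Performance counter alert: sample every 10 s; when CPU exceeds 90 % write an event to
#    the Application log (-el) and start the counter set (-rdcs) to capture the context.
logman create alert $Alert `
    -th '\Processor(_Total)\% Processor Time>90' `
    -si 00:00:10 -el -rdcs $Set

# 3. Start the alert; the counter log is started by the alert when it fires.
logman start $Alert

# Verification: both sets exist and the alert shows Status: Running.
logman query $Set
logman query $Alert
```

The same definitions can be exported with logman export and imported on other servers with logman import, which is how the "reusable elements" the text mentions are actually reused.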


Monitor virtual machines (VMs)

Resource metering can track system resource usage for a single VM or for a group of VMs. By default it is not enabled, but you can enable it via Enable-VMResourceMetering. Resource metering statistics are collected once every hour by default, but the interval can be changed via Set-VMHost with the -ResourceMeteringSaveInterval option. To display the measurement data, simply use Measure-VM.

Monitor events; configure event subscriptions

It is possible to collect copies of events from multiple remote computers. To precisely specify the remote events to collect, create an event subscription. However, before a subscription can be used to collect events on a remote computer, both the collector and the source computer must be properly configured: Windows Remote Management must be enabled on the source, and the Windows Event Collector service must be enabled on the collector.

In a workgroup-only environment, only collector-initiated (pull) subscriptions can be used. A Windows Firewall exception for Remote Event Log Management must be created on the source computer. An account with administrative privileges must also be added to the Event Log Readers group on the source machine and specified in the subscription's advanced settings. In a domain, the collector's computer account can be added to Event Log Readers on the sources instead of a privileged user account, and source-initiated (push) subscriptions can be rolled out to the sources by Group Policy.
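A complete collector-initiated subscription in a domain, as an added PowerShell example (not code from the original study guide): the source is prepared (WinRM, firewall exception, Event Log Readers membership for the collector's computer account), the collector service is enabled, and a subscription forwarding logon and special-privilege events is created from an XML definition. The host names, domain, subscription name and the choice of event IDs are assumptions.

```powershell
# Added example: collector-initiated event subscription for Security log logon events.
# Host names, domain and subscription name are assumptions.
$Source           = 'SRV01.corp.example'      # machine whose Security log we collect
$CollectorAccount = 'CORP\LOGCOLL$'           # computer account of the collector (this host)
$SubName          = 'Tier1-Logons'

# --- On the source: enable WinRM, open the firewall group the text names, and let the
#     collector's computer account read the Security log (no privileged user account needed).
Invoke-Command -ComputerName $Source -ScriptBlock {
    winrm.exe quickconfig -quiet
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
    net.exe localgroup 'Event Log Readers' $using:CollectorAccount /add
}

# --- On the collector: enable and configure the Windows Event Collector service.
wecutil.exe qc /q

# Subscription: 4624/4625 (logon success/failure) and 4672 (special privileges assigned),
# delivered in Normal mode into the ForwardedEvents log, using the collector's own identity.
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/11/WindowsEventLog/Subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon and privilege events from tier-1 servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
    </Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$Source</Address></EventSource>
  </EventSources>
</Subscription>
"@
$File = Join-Path $env:TEMP "$SubName.xml"
Set-Content -Path $File -Value $Xml -Encoding UTF8

wecutil.exe cs $File          # create the subscription from the XML
wecutil.exe gr $SubName       # runtime status: the source should show "Active"

# Verification: forwarded events land in the collector's ForwardedEvents log.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Format-Table TimeCreated, Id, MachineName -AutoSize
```

HTTP here is WS-Management over port 5985 with Kerberos authentication and message-level encryption between domain members; switch TransportName to HTTPS only when sources are outside the domain and need certificate authentication.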

Configure network monitoring

Network Monitor 3.4 is a protocol analyzer utility that can capture and view network traffic. This tool is available for x86, ia64 and x64. It requires at least 1 GB of RAM and 60 MB of free hard disk space.

A network trace can also be performed without installing a protocol analyzer. This can be done by starting a trace at the command line with netsh trace start capture=yes. To stop the trace, enter netsh trace stop. This produces a *.etl file, which can be opened in Network Monitor or converted for further analysis (for example netsh trace convert input=NetTrace.etl output=NetTrace.xml dump=XML).


CHAPTER 2: CONFIGURE FILE AND PRINT SERVICES

2.1 CONFIGURE DISTRIBUTED FILE SYSTEM (DFS)

Install and configure DFS namespaces

DFS Namespaces allows grouping of shared folders that are located on different servers into one or more logically structured namespaces. When you create a namespace you may choose to use either a stand-alone namespace or a domain-based namespace. If you go ahead with a domain-based namespace, you must choose a namespace mode (Windows 2000 Server mode or Windows Server 2008 mode), which depends on the Windows Server versions in use. You should pick a stand-alone namespace only if you do not use AD DS, or if you need a single namespace with more than 5,000 DFS folders and cannot use Windows Server 2008 mode.

If you want to use the Windows Server 2008 mode, the forest must be at the Windows Server 2003 or higher forest functional level, the domain must be at the Windows Server 2008 or higher domain functional level, and all namespace servers must be running at least Windows Server 2008.

You may use the Set-DfsnRoot cmdlet with the -GrantAdminAccounts and -RevokeAdminAccounts parameters to delegate administration of the DFS namespace; to add or remove namespace servers, the delegated users must additionally belong to the local Administrators group of the namespace server.

Configure DFS Replication targets

DFS Replication allows you to keep folders synchronized between servers across limited-bandwidth WAN connections. To replicate folder targets you use DFS Management to invoke the Replicate Folder Wizard.

Technically speaking, a folder target is simply the UNC path of a shared folder. You may add multiple folder targets to increase folder availability. You may add a folder target via DFS Management or the New-DfsnFolderTarget cmdlet.

Configure replication scheduling

Distributed File System Replication (DFSR) replicates changes according to the schedule created during topology design. It has an efficient multi-master replication engine which uses RPC to replicate a folder scope. The service can be configured through WMI or through its objects in Active Directory.

You may edit the replication schedule or bandwidth via the Set-DfsrConnectionSchedule and Set-DfsrGroupSchedule cmdlets. You may also force replication via the Sync-DfsReplicationGroup cmdlet. To immediately suspend replication, use Suspend-DfsReplicationGroup.


Configure Remote Differential Compression settings

Remote Differential Compression (RDC) is a feature with APIs for determining and detecting whether a set of files has changed. There are functions to detect insertions, removals, and rearrangements of data in files. The goal is to allow an application to replicate only the changed parts of a file. To install RDC, use Install-WindowsFeature RDC (Servermanagercmd -install rdc is the deprecated equivalent).

Configure staging; configure fault tolerance

DFS Replication uses a staging folder for each replicated folder as a cache for the new and changed files that are ready to be replicated. By default the staging folder is kept under the local path of the replicated folder, in DfsrPrivate\Staging. The default quota size of each staging folder is 4096 MB. Each Conflict and Deleted folder, on the other hand, has a default quota of 660 MB. DFS Replication may create multiple staging and Conflict and Deleted folders, each maintaining its own quota. Do keep in mind that you can change their sizes. In fact, if a staging folder quota is configured too small, additional CPU and disk resources will be necessary for regenerating the staged files; the usual guidance is to size the staging quota at least as large as the 32 largest files in the replicated folder.
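The namespace, folder targets, replication group, staging quota and delegated administration from the sections above, in one PowerShell script. This is an added example, not code from the original study guide; it uses the DFSN and DFSR PowerShell modules (the DFSR module ships with Windows Server 2012 R2; on Windows Server 2012 the DFSR steps would be done with dfsradmin.exe). The domain, server, share and group names are assumptions, and the staging quota is computed from the 32-largest-files rule stated above.

```powershell
# Added example: domain-based namespace with replicated folder targets.
# Domain, server, share and group names are assumptions.
$Domain    = 'corp.example'
$Namespace = "\\$Domain\Public"
$Folder    = "$Namespace\Docs"
$Group     = 'RG-Docs'
$Members   = 'FS1', 'FS2'
$LocalPath = 'D:\Docs'                # content path on both members

# --- Namespace in Windows Server 2008 mode (DomainV2), one folder with two targets.
New-DfsnRoot -Path $Namespace -TargetPath '\\FS1\Public' -Type DomainV2
New-DfsnFolder       -Path $Folder -TargetPath '\\FS1\Docs'
New-DfsnFolderTarget -Path $Folder -TargetPath '\\FS2\Docs'

# Delegate namespace administration to a dedicated group instead of using Domain Admins.
Set-DfsnRoot -Path $Namespace -GrantAdminAccounts "$Domain\DFS-Admins"

# --- Replication group, replicated folder, members and a two-way connection.
New-DfsReplicationGroup -GroupName $Group
New-DfsReplicatedFolder -GroupName $Group -FolderName 'Docs'
Add-DfsrMember     -GroupName $Group -ComputerName $Members
Add-DfsrConnection -GroupName $Group -SourceComputerName 'FS1' -DestinationComputerName 'FS2'

# Staging quota from the 32 largest files on the primary member (run on FS1), never below
# the 4096 MB default; Conflict and Deleted raised from the 660 MB default.
$Largest   = Get-ChildItem -Path $LocalPath -Recurse -File |
             Sort-Object Length -Descending | Select-Object -First 32
$StagingMB = [math]::Max(4096, [math]::Ceiling(($Largest | Measure-Object Length -Sum).Sum / 1MB))

Set-DfsrMembership -GroupName $Group -FolderName 'Docs' -ComputerName 'FS1' `
    -ContentPath $LocalPath -PrimaryMember $true `
    -StagingPathQuotaInMB $StagingMB -ConflictAndDeletedQuotaInMB 2048 -Force
Set-DfsrMembership -GroupName $Group -FolderName 'Docs' -ComputerName 'FS2' `
    -ContentPath $LocalPath `
    -StagingPathQuotaInMB $StagingMB -ConflictAndDeletedQuotaInMB 2048 -Force

# Schedule: replicate at all times (Get-Help Set-DfsrGroupSchedule shows the day and
# bandwidth parameters for a windowed schedule).
Set-DfsrGroupSchedule -GroupName $Group -ScheduleType Always

# Push the AD configuration to the members now, force an hour of replication, and
# confirm the quotas that were applied.
Update-DfsrConfigurationFromAD -ComputerName $Members
Sync-DfsReplicationGroup -GroupName $Group -SourceComputerName 'FS1' `
    -DestinationComputerName 'FS2' -DurationInMinutes 60
Get-DfsrMembership -GroupName $Group |
    Format-Table ComputerName, ContentPath, StagingPathQuotaInMB, ConflictAndDeletedQuotaInMB
```

Marking FS1 as the primary member matters: during initial replication its content wins, and any pre-existing files on FS2 that differ are moved to FS2's PreExisting folder rather than overwriting FS1.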

2.2 CONFIGURE FILE SERVER RESOURCE MANAGER (FSRM)

Install the FSRM role

File Server Resource Manager (FSRM) lets you control and manage the quantity and type of data being stored on a server. It is a role service of the File and Storage Services role and can be added via Server Manager (or with Install-WindowsFeature FS-Resource-Manager). When you install FSRM you can also configure Storage Usage Monitoring (you select disk volumes for monitoring and specify a volume usage threshold for report generation) and the Report Options page (this is where you pick a save location for usage reports or have reports sent to you by email; you will be asked to specify recipient email addresses as well as the SMTP server to use).

Configure quotas

To create a quota, you need to choose a quota path, which is a volume or folder to which the storage limit is applied. Then you may use a template to create a single quota that limits space usage on an entire volume or folder, or an auto apply quota which allows quotas to be automatically generated and applied to subfolders. A quota template has a space limit, a quota type (hard vs. soft) and notifications defined. You may use the Dirquota.exe tool to define and manage quotas, auto apply quotas and quota templates; on Windows Server 2012 the FileServerResourceManager PowerShell module (New-FsrmQuota and related cmdlets) is the supported replacement for Dirquota.exe, Filescrn.exe and Storrept.exe, which are deprecated.


Configure file screens

File Screening Management allows you to create file screens for controlling the types of files that users can save. File screen templates can be applied to new volumes or folders, while file screen exceptions are for use with file screen rules (an exception overrides a screen for a specific subfolder). Active screening disallows users from saving unauthorized files, while passive screening only sends the configured notifications but does not block anything. A file group defines the namespace for a file screen; it is a set of file name patterns grouped as either Files to include or Files to exclude. You may use the Filescrn.exe tool to create and manage file screens, templates, exceptions and file groups. Note that file screening matches file names, not content: a renamed executable passes an *.exe screen, so treat screens as a hygiene control, not a security boundary.

Configure reports

Storage Reports Management allows you to schedule periodic storage reports, monitor attempts to save unauthorized files, and generate storage reports accordingly. If you want to generate a set of reports on a regular schedule, you should schedule a report task. In any case you may use Storrept.exe to further configure report parameters and produce storage reports on demand (which corresponds to Generate Reports Now).
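The quota template, auto apply quota, file group, active file screen and scheduled report from the three sections above, expressed with the FileServerResourceManager module. This is an added example, not code from the original study guide; the paths, names, SMTP server, mail addresses and blocked extensions are assumptions, while the bracketed placeholders such as [Quota Path] are FSRM's own notification variables.

```powershell
# Added example: FSRM quota, file screen and report configuration in PowerShell.
# Paths, names, addresses and the extension list are assumptions.
$HomeRoot = 'D:\Home'
$Admin    = 'fileadmins@corp.example'

# Mail settings are server-wide; notifications and reports cannot be mailed without them.
Set-FsrmSetting -SmtpServer 'smtp.corp.example' -AdminEmailAddress $Admin -FromEmailAddress 'fsrm@corp.example'

# --- Quota template: 5 GB hard limit; at 85 % mail the folder owner and log a warning event.
$Warn85 = New-FsrmQuotaThreshold -Percentage 85 -Action @(
    (New-FsrmAction -Type Email -MailTo '[Source Io Owner Email];[Admin Email]' `
        -Subject 'Home folder at [Quota Used Percent]%' `
        -Body '[Quota Path] has used [Quota Used] of [Quota Limit].'),
    (New-FsrmAction -Type Event -EventType Warning -Body 'Quota threshold reached on [Quota Path]')
)
New-FsrmQuotaTemplate -Name '5GB Home Hard' -Size 5GB -Threshold $Warn85
New-FsrmAutoQuota -Path $HomeRoot -Template '5GB Home Hard'     # one quota per subfolder, now and in future

# --- File group and active screen: refuse executable content under home folders and record
#     every attempt, which makes the FileScreenAudit report below useful.
New-FsrmFileGroup -Name 'Blocked Executables' `
    -IncludePattern '*.exe','*.scr','*.bat','*.cmd','*.ps1','*.vbs','*.js'
$Notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path]; blocked by file screen'
New-FsrmFileScreen -Path $HomeRoot -IncludeGroup 'Blocked Executables' -Active -Notification $Notify

# --- Weekly report every Monday at 03:00: largest files plus the file screening audit.
$Monday3am = New-FsrmScheduledTask -Time (Get-Date '03:00') -Weekly Monday
New-FsrmStorageReport -Name 'Home folder weekly' -Namespace $HomeRoot `
    -ReportType LargeFiles, FileScreenAudit -Schedule $Monday3am -MailTo $Admin

# Verification: the auto quota has been instantiated per subfolder and the screen is active.
Get-FsrmQuota | Where-Object Path -like "$HomeRoot\*" | Format-Table Path, Size, Usage, SoftLimit
Get-FsrmFileScreen -Path $HomeRoot | Format-Table Path, Active, IncludeGroup
```

Creating the screen with -Active is what turns on blocking; omitting it yields the passive screen the text describes, which only notifies.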

2.3 CONFIGURE FILE AND DISK ENCRYPTION

Configure BitLocker encryption

BitLocker is a disk encryption tool with features for protecting against unauthorized access to local drive data. It supports fixed data drives formatted with exFAT, FAT16, FAT32, or NTFS, provided there is 64 MB of available disk space (the operating system drive must be NTFS). To allow a data drive to be unlocked automatically, the OS drive itself must be protected by BitLocker. On Windows Server the BitLocker Drive Encryption feature must be installed before any of this is available (Install-WindowsFeature BitLocker, followed by a restart).

Configure the Network Unlock feature

Network Unlock provides automatic unlocking of operating system volumes upon system reboot when the machine is connected to the corporate wired network. For this feature to work, the client hardware must have a DHCP driver in its UEFI firmware, and the network needs a WDS server with the BitLocker Network Unlock feature installed and a Network Unlock certificate distributed to clients by Group Policy. Simply put, with this feature enabled the volumes protected by TPM+PIN protectors will not require the input of a PIN when the machine reboots on that network; away from the network the PIN is still required.

Configure BitLocker policies

BitLocker Group Policy settings are available in either the Local Group Policy Editor or the GPMC (you can find them under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption). Most settings are applied at the time BitLocker is initially turned on for a drive. Note that you can have policy settings applied to:


all BitLocker-protected drives;
operating system drives (the drive on the local computer on which the OS is installed);
fixed data drives (drives permanently installed on the local computer);
removable data drives.
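The BitLocker configuration described in this section (TPM+PIN on the OS drive, a recovery password escrowed to AD DS, and a fixed data drive that unlocks automatically), as an added PowerShell example that is not code from the original study guide. It assumes an elevated session on a TPM-equipped server where the BitLocker feature has been installed and the "Store BitLocker recovery information in Active Directory Domain Services" policy is in place; the drive letters are assumptions.

```powershell
# Added example: BitLocker on a server with the BitLocker PowerShell module.
# Drive letters and the AD DS backup policy being in place are assumptions.

# Pre-flight: a TPM protector needs a present, ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready' }

# 1. OS drive: TPM + PIN, AES-256. -SkipHardwareTest avoids the reboot-and-test cycle;
#    keep the test for broad roll-outs so a firmware that cannot read the key is caught first.
$Pin = Read-Host -Prompt 'Enter the BitLocker PIN' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $Pin -SkipHardwareTest

# 2. Add a recovery password and escrow it to the computer object in AD DS. Do this before
#    relying on the volume: a TPM reset with no escrowed recovery password is data loss.
$Vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$Rp  = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $Rp.KeyProtectorId

# 3. Fixed data drive: its own recovery password, then auto-unlock. Auto-unlock works only
#    because the OS drive is already protected (the key is stored on the OS volume).
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Verification: status, progress and the protector types on every volume.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Status     = $_.VolumeStatus
        Protection = $_.ProtectionStatus
        Percent    = $_.EncryptionPercentage
        Protectors = ($_.KeyProtector.KeyProtectorType -join ',')
    }
} | Format-Table -AutoSize
```

Network Unlock is layered on top of this: once the BitLocker Network Unlock feature is installed on a WDS server and its certificate is delivered by the BitLocker Drive Encryption Network Unlock Certificate policy, the TPM+PIN volume above unlocks without the PIN on the wired corporate network and still prompts for it elsewhere.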

Configure the EFS recovery agent

You should ensure that the private key of the data recovery agent (DRA) is not kept online, for the sake of security. To be precise, the data recovery agent's key should be kept offline (exported as a .pfx file and removed from the machine) at all times unless it is needed for a recovery operation.

You may add data recovery agents to the EFS policy. However, this has no effect on existing encrypted files until they are updated (cipher /u rewrites their recovery fields). Any user who can decrypt an EFS file can add other users' public keys to it. Also, you cannot assign keys to a group of users: each user's public key has to be added on an individual basis.

Manage EFS and BitLocker certificates, including backup and restore

By default the data recovery agent certificate is contained in the personal certificate store of the Administrator account on the first domain controller. On stand-alone/workgroup machines it is contained in the personal certificate store of the local Administrator.

Encrypting File System (EFS) certificates allow the certificate holder to encrypt and decrypt data. Ordinary EFS users should be granted this type of certificate. File Recovery certificates are for recovering encrypted files. Domain admins and/or designated data recovery agents should be granted this type of certificate instead. In any case you should use the Certificates MMC snap-in (or Export-PfxCertificate) to back up the default recovery keys, and keep the exported .pfx off the machine.
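The DRA lifecycle from the two sections above (generate a recovery agent, keep its private key offline, back up a user's EFS certificate, and roll existing files onto the new agent), as an added PowerShell example that is not from the original study guide. The folder, file names and password handling are assumptions; the EKU object identifier used to pick out EFS certificates is the standard Encrypting File System purpose.

```powershell
# Added example: EFS data recovery agent creation, key backup and file update.
# Folder and file names are assumptions.
$DraDir = 'D:\DRA'
New-Item -ItemType Directory -Path $DraDir -Force | Out-Null

# 1. Generate a self-signed File Recovery certificate: DRA-2012.cer (public key, goes into
#    the EFS policy) and DRA-2012.pfx (private key; cipher prompts for a password).
Push-Location $DraDir
cipher.exe /r:DRA-2012
Pop-Location

# 2. In GPMC add DRA-2012.cer under Computer Configuration > Policies > Windows Settings >
#    Security Settings > Public Key Policies > Encrypting File System (Add Data Recovery Agent).
#    Then move DRA-2012.pfx to offline media: no machine on the network should hold that key.

# 3. Back up the current user's EFS certificate with its private key, so the user's files
#    survive a lost profile without needing the DRA at all.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'          # Encrypting File System EKU
$Pwd = Read-Host -Prompt 'PFX password' -AsSecureString
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid } |
    Export-PfxCertificate -FilePath (Join-Path $DraDir "$env:USERNAME-efs.pfx") -Password $Pwd

# 4. A new DRA in policy does not touch files that are already encrypted. After the policy
#    applies, list the encrypted files and then rewrite their recovery fields.
gpupdate.exe /force
cipher.exe /u /n          # report encrypted files only, change nothing
cipher.exe /u             # update every encrypted file on local drives with the current DRA

# Recovery, only when actually needed: import the offline .pfx for the recovering admin,
# decrypt the file, and remove the key from the store again afterwards.
# Import-PfxCertificate -FilePath D:\DRA\DRA-2012.pfx -CertStoreLocation Cert:\CurrentUser\My `
#     -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
# cipher.exe /d \\fs1\home\alice\report.docx
```

Running cipher /u on a file server touches every encrypted file on its local drives, so schedule it outside business hours; until it runs, files encrypted before the policy change are recoverable only with the previous agent's key.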

2.4 CONFIGURE ADVANCED AUDIT POLICIES

Implement auditing using Group Policy and AuditPol.exe

You may implement audit policy using a GPO. You need to first specify the categories (or, under Advanced Audit Policy Configuration, the subcategories) of events that are to be audited; it is these event categories that constitute your audit policy. You then specify the size and retention behavior of the Security log.

Basic audit policy (the nine categories under Local Policies\Audit Policy) is not compatible with the advanced audit policy settings applied via Group Policy. When advanced audit policy settings are applied through Group Policy, the computer's local basic audit policy settings are cleared. To prevent basic category settings from overriding the advanced subcategory settings, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".

At the command line, you use auditpol /get to show the current audit policy. You use auditpol /set to set the audit policy. You use auditpol /clear to clear the policy. You use auditpol /backup to save the policy to a file, or /restore to restore the policy from the backup file.


Create expression-based audit policies

Expression-based audit policy allows the use of complex logic for filtering auditing to specific criteria, such as user claims, device claims and resource properties. In particular you can specify the use of the Boolean AND and OR operators. You may further group criteria together to build script-like complex expressions, so that only access by the users and to the resources you care about generates audit events.

Create removable device audit policies

You may want to monitor attempts to use removable storage devices to read or write data. Under Advanced Audit Policy Configuration > Object Access there is a subcategory known as Audit Removable Storage. Once enabled, in the Event Viewer Security log you should see event 4663 (an attempt was made to access an object) for successful attempts and event 4656 (a handle to an object was requested) for failed attempts.
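The auditpol commands from the section above applied to the Removable Storage subcategory, followed by detection logic that pulls the resulting 4656/4663 events out of the Security log. This is an added PowerShell example, not code from the original study guide; the backup path and lookback window are assumptions, and the event property offsets are those of the 4656/4663 event schema.

```powershell
# Added example: enable Removable Storage auditing, back up the policy, and report the events.
# Paths and the lookback window are assumptions.
$Backup = 'C:\Audit\auditpol-baseline.csv'
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

# Make advanced (subcategory) settings win over legacy category settings on this host.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# Snapshot the current policy, enable the subcategory, and read it back.
auditpol.exe /backup /file:$Backup
auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Removable Storage"      # expect: Success and Failure

# Detection: 4663 = object accessed, 4656 = handle requested; the Removable Storage task
# category separates these from ordinary file-system object access events.
function Get-RemovableStorageAccess {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
    ForEach-Object {
        # 4656/4663 schema: index 1 = SubjectUserName, 2 = SubjectDomainName, 6 = ObjectName.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            User    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            Object  = $_.Properties[6].Value
        }
    }
}

Get-RemovableStorageAccess -Hours 24 | Sort-Object Time | Format-Table -AutoSize

# Roll back to the snapshot if the extra volume is unacceptable:
# auditpol.exe /restore /file:$Backup
```

Enable the subcategory through a GPO in production; the auditpol calls here are for a single host or for confirming what the GPO produced, and the backup file is what lets you prove or revert the change.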


CHAPTER 3: CONFIGURE NETWORK SERVICES AND ACCESS

3.1 CONFIGURE DNS ZONES

Configure primary and secondary zones

You use the New Zone Wizard to create zones. In particular you need a primary zone for your domain. Other zones can also be created through it. You create a secondary zone for load sharing and fault tolerance. Only primary and stub zones can be stored in AD DS; a secondary zone is simply a read-only copy of a zone obtained from a remote DNS server by zone transfer, and it can be stored in a text file only. Because Active Directory integrated zones use a multi-master replication model, secondary zones are largely unnecessary among domain controllers, though they remain useful on DNS servers that are not domain controllers and for zones hosted by another organization.

Configure stub zones

With a stub zone the DNS server serves as a source only for information about the authoritative name servers for the zone (the SOA, NS and glue A records), which must also be obtained from a remote DNS server. You can use stub zones to keep delegated zone information current, to enable a DNS server to perform recursion via the stub zone's list of name servers without querying elsewhere, and to simplify administration.


Configure conditional forwarders

You may have your DNS server designated to use a forwarder. You can use DNS Manager or the dnscmd command with the /ResetForwarders option to configure this. DNS Manager also has a section for configuring conditional forwarders, which forward queries for a specific domain name to the servers you list.

Configure zone and conditional forwarder storage in Active Directory

You can specify that the DNS server only uses forwarders and does not attempt any further recursion if the forwarders fail by checking the "Do not use recursion for this domain" check box. You can also disable recursion for the DNS server entirely, so that it never performs recursion on any query; by doing so you will not be able to use forwarders on the same server any more. Keep in mind, you are not allowed to use a domain name in a conditional forwarder if this DNS server is hosting a primary zone, secondary zone, or stub zone for that domain name. Conditional forwarders, like zones, can be stored in Active Directory and replicated to all DNS servers in the domain or forest.

Configure zone delegation

You use the New Delegation Wizard to add a new delegated domain. Zone delegation works like "dividing" your DNS namespace. You do this to distribute traffic loads among multiple servers and improve DNS name resolution performance and resiliency. You also do this to extend the namespace to accommodate the opening of a new branch office or remote site.


Configure zone transfer settings

You use DNS Manager to configure zone transfers. You should allow zone transfers only to the DNS servers listed in the NS resource records for a zone, or to specified DNS servers, and nothing else: allowing transfers to any server hands a complete map of your internal hosts to anyone who asks. At the command line you use dnscmd <server> /ZoneResetSecondaries <zone> with one of these options: /NonSecure means a transfer can be made to any server; /SecureNs means transfers can be made only to the servers listed in the zone's NS resource records; /SecureList <IP list> means transfers go to the specified servers only; /NoXfr disables transfers altogether.

Configure notify settings

DNS Notify means the master server for a zone first notifies selected secondary servers in that zone of changes. Those secondary servers then compare the SOA serial number to determine whether they should initiate a zone transfer. This is done to improve consistency of zone data among the secondary servers. With dnscmd /ZoneResetSecondaries the notify list is set with /NoNotify, /Notify (notify the servers in the NS records) or /NotifyList <IP list>.

3.2 CONFIGURE DNS RECORDS

Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records

With a DNS zone ready you can right-click on it and add records as necessary. Except for important servers that use static addresses, records should not need to be manually created, because clients register their own records through dynamic update. When Active Directory is configured, the wizard will automatically configure DNS on a new domain controller and will create the resource records (including the SRV records under _msdcs) necessary for the proper operation of the directory.


Configure zone scavenging

Both aging and scavenging are for performing cleanup and removal of stale resource records so they don't accumulate in zone data. The DNS Manager UI can be used to configure these. Or, if you use dnscmd, /Config <zone> /Aging 1 enables aging for a zone, /Config <zone> /RefreshInterval specifies the refresh interval for a scavenging-enabled zone, and /Config /ScavengingInterval (a server-level setting) fine-tunes how often the server scavenges. Only dynamically registered records carry timestamps; manually created static records are never scavenged unless you explicitly give them a timestamp.

Configure record options including Time To Live (TTL) and weight

Time to Live (TTL) is used by name servers for determining the length of time a record can be cached. By default the TTL is 60 minutes. You can modify the TTL values via the DNS Manager UI (enable Advanced view to see the TTL field on a record). On the client side, resolver cache behavior is controlled through the registry (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters).

It is also possible to cut down the workload on the PDC emulator operations master by adjusting the priority and weight of the SRV resource records a domain controller registers, via the LdapSrvPriority and LdapSrvWeight values under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Both accept values between 0 and 65535. For priority (default 0) a lower value is preferred: clients try higher-numbered priorities only when every lower-numbered server fails. For weight (default 100) a higher value means the server is chosen proportionally more often among servers of equal priority. So to offload the PDC emulator you lower its weight (or raise its priority number), not the reverse.


Configure round robin

Round robin is a DNS-level load-sharing feature: when several A records exist for one name, the server rotates the order of the addresses in successive responses. The Windows DNS Server has it built in, as does BIND. Hardware load balancers, in contrast, are dedicated to routing TCP/IP packets to the servers in a cluster and can check server health, which DNS round robin cannot.

From inside DNS Manager, the Advanced tab of the server properties provides you with the Enable round robin check box. dnscmd also has a /Config /RoundRobin option: 1 means on while 0 means off.

Configure secure dynamic updates

Secure dynamic update is a property of Active Directory-integrated zones (Dynamic updates: Secure only). Only authenticated domain members can register or update records, and the ACL on each record allows only the client that created it to modify it, so one host cannot overwrite another's name. Because it relies on the ACLs of the zone's objects in AD DS, it is not available for file-backed primary zones.

DNSSEC is a separate mechanism that hardens the DNS infrastructure against forged responses, as specified in several IETF RFC standards, including RFC 4033, 4034 and 4035. With it, there are several new record types: DNSKEY, RRSIG, DS, and NSEC/NSEC3. Dynamic DNS updates can be enabled for DNSSEC-signed zones as long as the zone is Active Directory-integrated, and scavenging of stale records can be used for purging old DNSSEC records. For the setup to work, a primary server must be in place as the Key Master, providing key management and key generation to the network environment.
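The zone hardening described across this chapter (restricted zone transfers and NOTIFY, secure-only dynamic updates, aging and scavenging, an AD-stored conditional forwarder, forwarders without root-hint fallback, and round robin), as an added PowerShell example using the DnsServer module in Windows Server 2012. This is not code from the original study guide; the zone name, server addresses and partner domain are assumptions.

```powershell
# Added example: DNS zone and server hardening with the DnsServer module.
# Zone, addresses and partner domain are assumptions.
$Zone      = 'corp.example'
$Secondary = '192.0.2.53'                        # the only non-AD server allowed to pull the zone
$Partner   = 'partner.example'
$PartnerNS = '198.51.100.10', '198.51.100.11'
$Upstream  = '203.0.113.2', '203.0.113.3'        # resolvers this server forwards to

# Zone transfers and NOTIFY only to the listed server (the /SecureList + /NotifyList case).
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondary -Notify NotifyServers -NotifyServers $Secondary

# Secure dynamic update: the zone is AD-integrated, so unauthenticated hosts can neither
# register nor overwrite records.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure

# Aging on the zone (7-day no-refresh and refresh windows) and scavenging on the server.
Set-DnsServerZoneAging  -Name $Zone -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# Conditional forwarder for the partner domain, stored in AD DS and replicated forest-wide.
Add-DnsServerConditionalForwarderZone -Name $Partner -MasterServers $PartnerNS -ReplicationScope Forest

# Forwarders only: do not fall back to root hints (recursion stays enabled, so the forwarders
# themselves keep working; Set-DnsServerRecursion -Enable $false would break them).
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false

# Round robin on, using the dnscmd option the text names.
dnscmd.exe /Config /RoundRobin 1

# Verification: the effective zone and server settings.
Get-DnsServerZone -Name $Zone |
    Format-List ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries, SecondaryServers, Notify, NotifyServers
Get-DnsServerZoneAging -Name $Zone | Format-List AgingEnabled, NoRefreshInterval, RefreshInterval
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint
```

TransferToSecureServers is the cmdlet's name for the /SecureList option; TransferToZoneNameServer corresponds to /SecureNs and NoTransfer to /NoXfr.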

3.3 CONFIGURE VPN AND ROUTING

Install and configure the Remote Access role

The Remote Access role in Windows Server 2012 has two role services: DirectAccess and VPN (RAS), and Routing (Windows Server 2012 R2 adds Web Application Proxy). Remote Desktop Connection Broker, Remote Desktop Licensing and Remote Desktop Virtualization Host, by contrast, are role services of the separate Remote Desktop Services role. You do not configure any of these role services during Windows Setup. Instead, you add roles through the Server Manager dashboard upon setup completion.

Implement Network Address Translation (NAT)

Through RRAS it is possible to implement Network Address Translation (NAT). Because the NAT component already includes addressing and name-resolution features that provide DHCP and DNS services to clients, you are advised not to run the DHCP service or the DHCP Relay Agent with NAT addressing enabled. You should also NOT run the DNS service unless NAT's TCP/IP name resolution is disabled.

Configure VPN settings

On a client, the Set up a new connection or network link can be used to start the Set Up a Connection or Network wizard, which is a helpful UI for all of the network connection types you can create. The first option is for configuring Internet connectivity, while the second is for setting up a VPN. A VPN connection can be made either through the Internet or via direct dial-up (through a phone line).


Configure remote dial-in settings for users

When RRAS has been added via Server Manager, you may invoke the Routing and Remote Access Server Setup Wizard from the Routing and Remote Access snap-in. From there you may click Configure and Enable Routing and Remote Access. On the Remote Access page you may enable dial-up support for end users. You may set up an IPv4 remote access server or an IPv6 remote access server. Both IPv4 forwarding and IPv6 forwarding are supported. Whether an individual user may connect at all is governed by the Network Access Permission setting on the Dial-in tab of the user account: Allow access, Deny access, or Control access through NPS Network Policy (the default, and the one that keeps the decision in your network policies rather than on each account).

Configure routing

To allow RRAS to operate as an IPv4 router, you should also enable and configure RIP. You can do so by first clicking on IPv4 > General and then choosing New Routing Protocol from the Action menu.


For IPv4, RIP Version 2 for Internet Protocol is the most popular choice. You may add it, then right-click RIP and choose New Interface. You will need to pick the interface that is connected to a subnet on which the remote router is connected, so your interface can communicate using RIP. You can also right-click on RIP and choose Show Neighbors to find out about the routing partners on the network. Static routes can be manually added by right-clicking on the Static Routes item.

3.4 CONFIGURE DIRECTACCESS

Implement server requirements

You need to install the Remote Access role with the DirectAccess and VPN (RAS) role service. In fact we would recommend that you also install the Routing role service.


After role installation you may call up the wizard for further configuration. Your server must be a member of a domain or configuration will fail.

A complete DirectAccess solution for mobile access would typically use a DirectAccess server running Windows Server 2012 with dual network adapters: one facing the Internet and another facing the intranet. If the Internet-facing adapter is to support Teredo clients, it needs two consecutive public IPv4 addresses assigned; Windows Server 2012 also supports a single-adapter deployment behind a NAT device, in which case only IP-HTTPS is available to clients. There must also be a domain controller and DNS server running Windows Server 2012 or Windows Server 2008 R2, as well as a public key infrastructure issuing computer certificates (required for Windows 7 clients, two-factor authentication and NAP integration; a Windows 8-only deployment can use the Kerberos proxy instead).

Implement client configuration

DirectAccess aims to allow connectivity to the corporate network without the need for traditional VPN connections. It supports domain-joined Windows 7 Enterprise and Ultimate edition clients as well as Windows 8 Enterprise clients. Earlier clients, and other editions, are not supported. Client settings are delivered by the Group Policy objects the Remote Access Setup wizard creates, filtered to a security group containing the DirectAccess client computers.

Configure DNS for DirectAccess

Split-brain DNS refers to the use of the same DNS domain for both Internet and intranet resources. For this kind of setup to work, you need to list the FQDNs that are duplicated on the Internet and intranet in the Name Resolution Policy Table (NRPT). You can then accordingly decide which resources your DirectAccess client may reach. In a non-split-brain setup the Internet namespace is not the same as the intranet namespace, so you would not need to make such a decision.

If you are using ISATAP for IPv6 connectivity to support your DirectAccess clients, you had better use DNS servers that run Windows Server 2008 R2 or later, since their DNS Server service can process DNS traffic on ISATAP interfaces. If your IPv6-capable non-Windows DNS servers do not support DNS dynamic update for IPv6 addresses, you will need to manually add AAAA records for your servers.

The DirectAccess Setup wizard allows you to configure local name resolution behavior. The possible options are:

Use local name resolution only if the internal network DNS servers determined that the name does not exist;
Use local name resolution if the internal network DNS servers determined that the name does not exist, or if the internal network DNS servers are not reachable and the DirectAccess client computer is on a private network;
Use local name resolution if there is any type of error when attempting to resolve the name using internal network DNS servers.

The first option is the most secure, because it never lets the DNS server of an untrusted network answer for an intranet name.

Configure certificates for DirectAccess

There should be a computer certificate on each client and on each DirectAccess server, plus an IP-HTTPS server certificate whose subject matches the public DNS name clients connect to. You may use certutil to display information on the digital certificates that have been installed on a DirectAccess client, DirectAccess server, or any other intranet resource.


CHAPTER 4 CONFIGURE A NETWORK POLICY SERVER INFRASTRUCTURE

4.1 CONFIGURE NETWORK POLICY SERVER (NPS)

Configure multiple RADIUS server infrastructures

A RADIUS server group refers to a group of multiple RADIUS servers. The setup allows network access requests to be load-balanced dynamically by a RADIUS proxy. Do note that each RADIUS server group represents one uniquely distinct set of remote access policies. You may in fact have separate RADIUS server groups defined for separate forests or untrusted domains, while allowing the connection request policies to stay at the RADIUS proxy.

Configure RADIUS clients

When NPS is used as a RADIUS server or proxy, the corresponding network access servers are called RADIUS clients. Types of clients may include Windows-based network access servers that provide remote access connectivity, wireless APs, switches, and RADIUS proxies that forward connection requests.

NPS sends and receives RADIUS traffic via UDP ports 1812, 1813, 1645, and 1646. Windows Firewall on the NPS server will allow this RADIUS traffic through by default. Should you change these ports by hand, Windows Firewall must be modified accordingly.
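A quick way to confirm the firewall actually admits the RADIUS ports, and to add a rule after moving NPS to non-default ports, is shown below. This is an added example, not code from the study guide; the port numbers are the ones in the text, while the rule name and the custom ports are constructed placeholders.

```powershell
# Added example (not part of the study guide): check that inbound Windows Firewall
# rules allow the UDP ports NPS uses for RADIUS, and add a rule when the ports have
# been changed by hand. Port numbers come from the text; the rule name and the
# custom ports are constructed placeholders.
$RadiusPorts = 1812, 1813, 1645, 1646

# Collect every enabled inbound allow rule scoped to UDP, together with its local ports.
$udpRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'UDP') {
        [pscustomobject]@{ Name = $rule.DisplayName; Ports = @($pf.LocalPort) }
    }
}

# Report which rule (if any) opens each RADIUS port. Port ranges such as "1812-1813"
# are not expanded here, so an empty AllowedBy column deserves a manual look.
foreach ($port in $RadiusPorts) {
    $hit = $udpRules | Where-Object { $_.Ports -contains "$port" -or $_.Ports -contains 'Any' }
    [pscustomobject]@{ Port = $port; AllowedBy = ($hit.Name -join '; ') }
}

# If NPS was moved to non-default ports, the built-in rules no longer match: add one.
$CustomPorts = 18120, 18130
$ruleName = 'NPS RADIUS (custom UDP ports)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $CustomPorts -Action Allow -Profile Domain | Out-Null
}
```

Restricting the added rule to the Domain profile keeps RADIUS closed on any other network the server might be attached to.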

Manage RADIUS templates

The template type known as RADIUS Clients is for configuring RADIUS client settings that can be reused by selecting the template in the proper location of the NPS console. Remote RADIUS Servers is another template type which can help you configure the various remote RADIUS server settings.

Configure RADIUS accounting

From inside the NPS console you can invoke the Accounting Configuration wizard, which provides these accounting settings:

SQL logging only: you need to configure a data link to a SQL Server for this to work.
Text logging only: this is simple, as it simply logs accounting data to a text file.
Parallel logging: you log both to SQL Server and to a text file.
SQL logging with backup: you log first to SQL, and use the text file as backup if SQL fails.

Configure certificates

For client authentication to take place, a digital certificate must be installed on the RADIUS server for providing authentication, encryption, and validation. This can be done via the Certificates console.

4.2 CONFIGURE NPS POLICIES

Configure connection request policies

Network policies refer to conditions, constraints, and settings that designate who is authorized to connect to the network and under what circumstances. You may view your network policies as rules with conditions and settings. NPS will compare the conditions of the rule to the properties of the connection requests.

Connection request policies are the conditions and settings that allow you to indicate the RADIUS servers that perform the authentication and authorization of connection requests. If you use NPS as the RADIUS server, the default connection request policy will be the only configured policy. However, if NPS serves as a proxy only, NPS will not process any connection requests locally.

Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)

You can configure these parameters in the client-side network policies:

Multilink and Bandwidth Allocation Protocol (BAP) deals with using multiple dial-up connections from one computer.
IP Filters are for creating IPv4 and IPv6 filters for controlling the IP traffic that the clients can send or receive.
Encryption is for specifying the encryption level required.
IP Settings are for specifying the client IP address assignment rules that are for use in the network policy.
Idle Timeout is for specifying the maximum time in minutes that the network access server can stay idle before cutting off the connection.
Session Timeout is for specifying the maximum time in minutes that a user may stay connected.


Manage NPS templates

You can use NPS templates to configure NPS on servers. There are many templates available, which include:

Shared Secrets
RADIUS Clients
Remote RADIUS Servers
IP Filters
Health Policies
Remediation Server Groups

To create a template, you need to use the NPS console (you simply right-click a template type and click New). To use a template, from within the RADIUS client properties you choose the option known as Select an existing Shared Secrets template.

Import and export NPS policies

You may export NPS configuration and policies via Netsh (you need to use netsh nps export) or Windows PowerShell (via Export-NpsConfiguration). With the latter, an XML file will be created for import later. Do realize that the exported NPS server configuration is never encrypted in the XML file, so you must be careful in protecting it.
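Because the exported XML is plaintext, the export step should be paired with an access-control step. The following is an added example, not code from the study guide: it runs Export-NpsConfiguration to an assumed path and then replaces the file's inherited ACL with one that admits only SYSTEM and local Administrators. The path is a constructed placeholder.

```powershell
# Added example (not part of the study guide): export the NPS configuration and
# lock the resulting plaintext XML down. The export path is a constructed placeholder.
$ExportPath = 'C:\Secure\NpsBackup\nps-config.xml'
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null

# Export-NpsConfiguration writes the whole NPS configuration, shared secrets included.
Export-NpsConfiguration -Path $ExportPath

# Stop inheriting ACEs from the folder and drop any explicit ones, then grant only
# SYSTEM and the local Administrators group.
$acl = Get-Acl -Path $ExportPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ExportPath -AclObject $acl

# Show the effective ACL and record a hash so the file can be checked before import.
(Get-Acl -Path $ExportPath).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
Get-FileHash -Path $ExportPath -Algorithm SHA256

# To load it on another NPS server later:
#   Import-NpsConfiguration -Path $ExportPath
```

The hash gives you a simple integrity check when the file is moved between servers; the tightened ACL is what keeps the shared secrets inside it from being read by ordinary users of the box.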

4.3 CONFIGURE NETWORK ACCESS PROTECTION (NAP)

Configure System Health Validators (SHVs)

When you need NPS to be configured to block certain clients or traffic (in other words, to perform validation), the steps involved are:

Creating a System Health Validator (SHV) (you can do so via the Network Policy snap-in).
Creating a health policy for the compliant clients and also for the noncompliant clients.
Creating a network policy for the compliant clients and also for the noncompliant clients.


Configure health policies

You use the NAP Client Configuration console to configure NAP user interface settings, NAP enforcement client settings, as well as Health Registration Authority (HRA) settings on the client computers. If you configure NAP client settings via Group Policy, the settings will be configured automatically when Group Policy is refreshed.

Configure NAP enforcement using DHCP and VPN

NAP has different enforcement mechanisms. The DHCP enforcement mechanism makes use of the DHCP server as its gatekeeper. Clients that connect to your network will request an IP address from DHCP. This is when the NAP-enabled DHCP server will perform enforcement: the client must give a correct response in order to receive an IP address with full network access. VPN enforcement is similar: a VPN server can enforce health policy when a client attempts to connect via a VPN connection.

Configure isolation and remediation of noncompliant computers using DHCP and VPN

Noncompliant client computers are those that fail to meet your NAP health requirements. Strictly speaking, only NAP client computers are either compliant or noncompliant. A NAP remediation server is for providing services to the noncompliant clients. In fact, the number and type of remediation servers made available determines the level of access restriction for the noncompliant clients. Without help from a remediation server the noncompliant computers will fail to perform properly in the network. For the sake of security you may even have the noncompliant computers further isolated in a separate remediation network.

With VPN enforcement, you may want to place your remediation servers on either the corporate network or a perimeter network. Limited access to corporate resources may be made available via IP packet filters applied to the VPN connection. With DHCP enforcement, your remediation servers may be placed inside the corporate network, but access is limited to the DHCP NAP enforcement server and any other remediation servers that you explicitly allow.

Configure NAP client settings

If you want to use NAP to enforce health policies on the client computers, you will have to first configure NAP settings on them. You may do so via the NAP Client Configuration console (NAPCLCFG.MSC) or the netsh nap client command line (you may also use the NAP client configuration settings from within the GPMC). The client components compile health status statements on client computers for analysis by the server. The NAP enforcement client enforces network access restrictions. Generally, you should make use of the NAP Client Configuration through Group Policy in AD when there are a lot of client computers to manage.


CHAPTER 5 CONFIGURE AND MANAGE ACTIVE DIRECTORY

5.1 CONFIGURE SERVICE AUTHENTICATION

Create and configure Service Accounts

A service account is a user account, just that it is created for providing a security context for services. You may create and manage service accounts individually via Active Directory Users and Computers.

On a computer not joined to a domain, you may configure an application to run as Local Service, Network Service, or Local System. The problem with these accounts is that they are shared among many services and there is no way to have them managed at the domain level. If you use a domain account instead of a local one, you can isolate its privileges, just that you must manually manage the passwords.

Create and configure Group Managed Service Accounts

When a group Managed Service Account (gMSA) is used as a service principal, Windows will manage the password for the account. A gMSA is like a Managed Service Account (MSA) but with functionality extended across multiple servers. With it you can tie a group of servers to one single service account, which is particularly useful for a multi-instance server cluster.

Do note that this is a feature that requires a Windows Server 2012 R2 Domain Controller with the Active Directory PowerShell module imported into it.
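The end-to-end gMSA setup, as an added example that is not part of the study guide: it creates the KDS root key if the forest has none, builds a security group of host computer accounts, creates the gMSA with that group as the only principal allowed to retrieve the password, and shows the install and test commands run on each member server. Group, account, host and DNS names are constructed placeholders.

```powershell
# Added example (not part of the study guide): create a gMSA tied to a group of
# servers. Run on a DC or management host with the ActiveDirectory module; all
# names below are constructed placeholders.
Import-Module ActiveDirectory

# One-time per forest: gMSA passwords are derived from the KDS root key.
# -EffectiveImmediately still needs ~10 hours of replication before first use.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Security group whose members (server computer accounts) may fetch the password.
$hostGroup = 'gMSA-WebFarm-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'

# The gMSA itself. The DNS host name and SPN belong to the service, not to a DC.
# The password interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'webfarm.corp.example.com' `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30

# On each member server, after a reboot so its token reflects the new group:
#   Install-ADServiceAccount -Identity 'svc-webfarm'
#   Test-ADServiceAccount -Identity 'svc-webfarm'   # True when this host can retrieve the password
```

Because only the host group can read the managed password, a gMSA gives the cluster one identity with no password that an administrator ever handles or could leave in a script.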

Create and configure Managed Service Accounts

A managed service account (MSA) allows services to have isolation of their own domain accounts while at the same time avoiding the need for manually administering the account credentials. The goal is to create a class of domain accounts for managing and maintaining services on the local computers. The client computer must be running at least Windows Server 2008 R2 or Windows 7 to enjoy the feature. The domain must be at least Windows Server 2008 R2, or you will need to prepare the schema using adprep /forestprep and adprep /domainprep respectively. In any case, an MSA can only be used on one domain server.

Configure Kerberos delegation

Constrained delegation is a feature of Kerberos V5. It allows a service to obtain service tickets using the delegated user's identity. These service tickets allow access to only a restricted list of services running on specific servers. You may accordingly limit the network resources that a service trusted for delegation may reach.

Unconstrained delegation is slightly different: it is supported only when a user initially renders credentials for obtaining a ticket-granting ticket that can be forwarded to any service trusted for delegation.
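Since an unconstrained-delegation service can reuse any forwarded TGT, knowing which accounts hold either kind of delegation is a routine review item. The following is an added example, not code from the study guide: it queries the domain for the userAccountControl delegation bits and the msDS-AllowedToDelegateTo list and reports each account with the kind of delegation it has. The bit values are Microsoft's documented constants; the domain is whatever the module is joined to.

```powershell
# Added example (not part of the study guide): inventory accounts trusted for
# delegation and distinguish unconstrained from constrained delegation.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: forwarded TGTs accepted
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition
$bitMatch = '1.2.840.113556.1.4.803'          # LDAP matching rule: bitwise AND

# Any user or computer with either delegation bit set, or with a constrained target list.
$filter = "(|(userAccountControl:${bitMatch}:=${TRUSTED_FOR_DELEGATION})" +
          "(userAccountControl:${bitMatch}:=${TRUSTED_TO_AUTH_FOR_DELEGATION})" +
          "(msDS-AllowedToDelegateTo=*))"

Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Name          = $_.Name
            Class         = $_.ObjectClass
            Unconstrained = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            ProtocolTrans = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            ConstrainedTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
        }
    } |
    Sort-Object Unconstrained -Descending |
    Format-Table -AutoSize

# Domain controllers legitimately show Unconstrained = True. Any other account that
# does is a candidate for conversion to constrained delegation with an explicit SPN list.
```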

Manage Service Principal Names (SPNs)

A service principal name (SPN) is associated with a security principal, which is either a user or a group. It is used to support mutual authentication between the client application and the service. An SPN can be associated with only one account, but an account can have more than one SPN. It may be formed either using information that a client learned about a service, or as supplied by Active Directory.

You don't normally need to create an SPN by hand. A client can and should create the SPN for a service. It is a must-have. When a client uses Kerberos to authenticate itself, it will request a session ticket for the SPN. With certificate-based authentication, this SPN will have to be validated against the certificate of the server.

An SPN is formed like this: service_class/host_name:port. Note that Windows provides many built-in service classes but you can also define your own. The host name is the name of the computer host. By registering the SPN in Active Directory, the SPN is mapped to the Windows account under which the specified service is running.

Automatic SPN management can make your life much easier. When a Windows Server that belongs to a gMSA changes its host name, the corresponding SPN will be automatically updated as well. Still, you can use Setspn.exe to manually register, edit, and verify SPNs.
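The rule that an SPN maps to exactly one account is what breaks when SPNs are registered by hand on several accounts: the KDC cannot choose, and Kerberos authentication to that service fails. The following is an added example, not code from the study guide: it indexes every SPN in the domain and reports duplicates, then lists the equivalent Setspn.exe commands. Account and host names in the comments are constructed placeholders.

```powershell
# Added example (not part of the study guide): find SPNs registered on more than
# one account. Requires the ActiveDirectory module; account names are placeholders.
Import-Module ActiveDirectory

$spnIndex = @{}   # lower-cased SPN -> distinguished names carrying it
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $acct = $_
        foreach ($spn in $acct.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()          # SPN comparison is case-insensitive
            if (-not $spnIndex.ContainsKey($key)) { $spnIndex[$key] = @() }
            $spnIndex[$key] += $acct.DistinguishedName
        }
    }

$duplicates = $spnIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($duplicates) {
    $duplicates | ForEach-Object {
        [pscustomobject]@{ SPN = $_.Key; Accounts = ($_.Value -join ' | ') }
    } | Format-Table -Wrap
} else {
    'No duplicate SPNs found.'
}

# The same checks and fixes with Setspn.exe, the tool the text names:
#   setspn -X                                                  # forest-wide duplicate search
#   setspn -L CORP\svc-webfarm                                 # list SPNs on one account
#   setspn -S HTTP/webfarm.corp.example.com CORP\svc-webfarm   # -S registers only if no duplicate exists
#   setspn -D HTTP/webfarm.corp.example.com CORP\oldaccount    # remove a stale SPN
```

Prefer setspn -S over -A when registering by hand: it refuses to create the duplicate that this script would otherwise find later.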

5.2 CONFIGURE DOMAIN CONTROLLERS

Configure Universal Group Membership Caching (UGMC)

Universal group membership caching (UGMC) is a feature which can locally cache a user's membership in universal groups on the domain controller authenticating the user. It is mostly useful for deployment in a branch office without a global catalog, due to concern about WAN traffic. Since UGMC is site-specific, you may enable it via Active Directory Sites and Services (under NTDS Site Settings).

Transfer and seize operations masters

You use Ntdsutil.exe to transfer and seize operations master roles. The tool will first try to make a transfer from the current role owner. It will go ahead and seize the role if the current role owner is unavailable. You may view the current operations master role holders via the roles option of Ntdsutil. To actually seize a role, at the fsmo maintenance prompt you use the seize command.
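The same view-then-transfer-or-seize sequence with the ActiveDirectory module, as an added example that is not part of the study guide. Move-ADDirectoryServerOperationMasterRole transfers by default and seizes when -Force is given, which mirrors the Ntdsutil behavior the text describes. The target DC name is a constructed placeholder.

```powershell
# Added example (not part of the study guide): show the operations master role
# holders, then transfer (or seize) roles. The DC name is a constructed placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Clean transfer of the domain-wide roles to DC02; the current holder must be online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Seizure, for a holder that is permanently gone. The old holder must not come back
# online afterwards without being rebuilt, or two DCs will claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force -Confirm:$false
```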


Install and configure a read-only domain controller (RODC)

A Read-Only DC (RODC) is an additional domain controller that hosts read-only partitions of the Active Directory database. It is mostly for use in a branch office with a poor WAN link. It can keep cached credentials so that faster logon becomes possible. However, the first domain controller in a forest must NOT be an RODC. Unless you have a mix of different Windows Server versions running as domain controllers, you should not need to run adprep /rodcprep before installing an RODC.

Configure Domain Controller cloning

Cloning virtualized domain controllers makes things easy when deploying multiple domain controllers. As long as both the source and target servers are running the Hyper-V server role, cloning is possible without the need to use sysprep and the like. You may use the Active Directory Administrative Center (ADAC) UI to locate the virtualized domain controller object and accordingly grant permission for it to be cloned. Then you run the Get-ADDCCloningExcludedApplicationList cmdlet to identify programs or services that are not really clonable. And then you run New-ADDCCloneConfigFile to produce the necessary configuration file (which is DCCloneConfig.xml) for facilitating the export and import of VMs. Normally the clone domain controller will be placed in the same site as the source unless a different site is explicitly specified in DCCloneConfig.xml.
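The PowerShell side of that workflow, run on the source virtualized DC, as an added example that is not part of the study guide. It authorizes the source DC for cloning (the ADAC step, done via group membership), checks the excluded-application list, and writes DCCloneConfig.xml with a static address and an explicit site so the clone does not default into the source's site. Computer names, addresses and the site name are constructed placeholders.

```powershell
# Added example (not part of the study guide): prepare a virtualized DC for
# cloning. Names, addresses and site are constructed placeholders.
Import-Module ActiveDirectory

# 1. Authorize this DC to be cloned. Membership in this built-in group is the
#    permission the text describes granting through ADAC.
$source = $env:COMPUTERNAME
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "${source}$"

# 2. Anything listed here is not known to be clone-safe: remove it, or, once reviewed,
#    record it in CustomDCCloneAllowList.xml with -GenerateXml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning "Review before cloning: $($excluded.Name -join ', ')"
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force   # only after the review
}

# 3. Write DCCloneConfig.xml for the clone.
New-ADDCCloneConfigFile -CloneComputerName 'DC-CLONE01' `
    -Static -IPv4Address '10.0.2.20' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.2.1' -IPv4DNSResolver '10.0.0.10' `
    -SiteName 'Branch-Site'

# 4. Shut the source down, export the VM in Hyper-V, import it as a copy and start
#    it. The copy reads DCCloneConfig.xml on first boot and promotes itself.
```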

5.3 MAINTAIN ACTIVE DIRECTORY

Backup Active Directory and SYSVOL

It is the system volume (SYSVOL) on the domain controller that provides a default Active Directory location for files being shared for access throughout a domain. The SYSVOL folder has a bunch of NETLOGON shared folders, user logon scripts for earlier Windows clients, file system junctions, and FRS staging directories and files. On the other hand, AD itself has the Ntds.dit file which is the AD database, the Edb.chk checkpoint file, the Edb*.log transaction log files, as well as the Res1.log and Res2.log files. They are all considered system state data.

A good backup should include at least the system state together with the contents of the system disk. You must back up at least 2 domain controllers in each domain, with one being an operations master role holder excluding the RID master. Do note that you cannot use a backup from one domain controller to restore another one. Also note that a backup older than the tombstone lifetime set in AD should not be considered a good backup. At least 2 backups should be made within the tombstone lifetime (keep in mind, the default value for the tombstone lifetime is 60 days).
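A check that turns the tombstone-lifetime rule into something measurable, as an added example that is not part of the study guide: it reads tombstoneLifetime from the forest configuration (falling back to the 60-day default the text quotes when the attribute is unset), parses the backup times Windows Server Backup reports, and counts how many fall inside the lifetime. It assumes an elevated session on a DC with the ActiveDirectory module and Windows Server Backup installed; the backup target drive in the comment is a placeholder.

```powershell
# Added example (not part of the study guide): compare this DC's system state
# backups with the forest tombstone lifetime.
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
    -Properties tombstoneLifetime
# Unset attribute means Active Directory uses 60 days, the default the text quotes.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

# wbadmin is the Windows Server Backup command line; each stored version prints a
# "Backup time:" line, which we turn into a date.
$times = wbadmin get versions 2>$null |
    ForEach-Object { if ($_ -match 'Backup time:\s*(.+)$') { [datetime]$Matches[1] } }

$recent = @($times | Where-Object { ((Get-Date) - $_).TotalDays -lt $tsl })

[pscustomobject]@{
    TombstoneLifetimeDays = $tsl
    NewestBackup          = ($times | Sort-Object -Descending | Select-Object -First 1)
    BackupsWithinLifetime = $recent.Count
    # The text wants at least two backups inside the tombstone lifetime.
    MeetsGuidance         = ($recent.Count -ge 2)
}

# Take a new system state backup (AD database, SYSVOL and the rest of the system
# state) to the E: drive, a placeholder target:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```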

Manage Active Directory offline

You use net stop ntds to stop AD locally. This cannot be done via any GUI. If you start the system and press F8 to enter the Directory Services Restore Mode, you are also working offline (you need to log on locally as a local admin).


Optimize an Active Directory database

Active Directory (AD) can automatically perform online defragmentation of the database at the default interval of every 12 hours during garbage collection. Online defragmentation can optimize the database without reducing its size. It can reclaim space in the directory for new objects, though. In fact, the process will create a new and compacted version of Ntds.dit.

Another option is to defrag the database offline, which is a more thorough defrag also capable of compacting the database. Before attempting offline defragmentation, you are strongly recommended to make a full system state backup of the domain controller. Do make sure there is enough free space on the drive. When you perform offline defragmentation Windows is not going to change the original Active Directory database. Instead it will produce a defragmented copy. This is why the process needs to use a large amount of free space on the drive as the workspace plus space for storing the copy (which should be at least 115% of the original size).

As said before, you use net stop ntds to stop AD locally. From within ntdsutil you need to use activate instance ntds and then files to reach the file maintenance prompt, then start the defrag process via compact to. When done you need to quit ntdsutil entirely and manually copy the new database to the original directory database location.
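The offline defragmentation sequence just described, scripted from an elevated PowerShell session on the DC, as an added example that is not part of the study guide. It checks the 115% free-space rule before stopping AD DS, runs the ntdsutil commands the text lists non-interactively, keeps a copy of the original database, and runs an integrity check after the swap. The destination directory is a constructed placeholder; take a system state backup first, as the text advises.

```powershell
# Added example (not part of the study guide): offline compaction of Ntds.dit.
# $Target is a constructed placeholder; run elevated on the DC after a system state backup.
$Target = 'D:\NtdsCompact'
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Locate the database and log directory from the NTDS service parameters.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath    = $ntdsParams.'DSA Database file'
$logPath    = $ntdsParams.'Database log files path'

# The text calls for at least 115% of the database size as free space on the target drive.
$ditBytes  = (Get-Item $ditPath).Length
$freeBytes = (Get-PSDrive -Name $Target.Substring(0, 1)).Free
if ($freeBytes -lt ($ditBytes * 1.15)) {
    throw "Need $([math]::Ceiling($ditBytes * 1.15 / 1MB)) MB free on $Target, have $([int]($freeBytes / 1MB)) MB"
}

# Stop AD DS (the equivalent of net stop ntds), then drive ntdsutil non-interactively:
# activate instance ntds -> files -> compact to <dir> -> quit -> quit
Stop-Service -Name NTDS -Force
ntdsutil "activate instance ntds" files "compact to $Target" quit quit

# Keep the original, swap in the compacted copy, and delete the now-stale ESE logs.
Copy-Item -Path $ditPath -Destination "$ditPath.bak" -Force
Copy-Item -Path (Join-Path $Target 'ntds.dit') -Destination $ditPath -Force
Remove-Item -Path (Join-Path $logPath '*.log') -Force

# Verify the new database before bringing the directory back online.
ntdsutil "activate instance ntds" files integrity quit quit
Start-Service -Name NTDS
```

If the integrity check reports a problem, restore the .bak copy over the new file before starting NTDS rather than starting the service on a suspect database.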

Clean up metadata

Metadata cleanup is a process you need to perform on a domain controller after AD DS removal. The process primarily removes those data items that identify a domain controller to the AD DS replication system as well as all FRS/DFS Replication connections. The process will also try to transfer or seize any remaining operations master roles.

You use Active Directory Users and Computers or Active Directory Sites and Services to delete a domain controller permanently. You may also use ntdsutil's metadata cleanup command to clean up the metadata.

Configure Active Directory snapshots

A snapshot is in fact a shadow copy of the volumes that contain the Active Directory database. With it you can view the data inside without the need to run the server in Directory Services Restore Mode. Do note that it does not let you copy items from inside the snapshot to the live database, unless you manually export the objects out of it. You can use ntdsutil under an elevated command prompt to create a snapshot. You reach the snapshot: prompt via the snapshot command and then use create to create the snapshot. You may view the available snapshots via list all. And you may mount one via mount.

Perform object- and container-level recovery

With an authoritative restore you return a deleted object or container to its pre-deletion state at the time it was backed up. There are usually 2 parts to such a restore process. First there is a nonauthoritative restore from backup, then there is an authoritative restore of the deleted objects. You need to do this before allowing replication to occur.

To perform an authoritative restore, you need to use the authoritative restore subcommand of Ntdsutil or Dsdbutil (which is available if you have the AD LDS server role in place). You need to first stop the AD DS service or the AD LDS service, and you must set the active instance accordingly.

Since Windows Server 2012 there is the Active Directory recycle bin facility which allows you to restore Active Directory user objects natively, as long as your forest has the Windows Server 2008 R2 functional level or beyond. The process does take time to complete since replication is necessary.
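The recycle bin path in practice, as an added example that is not part of the study guide: it enables the optional feature if it is not already on (a one-way change that replicates forest-wide), finds a deleted user among the objects flagged isDeleted, and restores it to its last known parent. The forest is read from AD; the user name is a constructed placeholder.

```powershell
# Added example (not part of the study guide): enable the AD Recycle Bin and
# restore a deleted user. The sAMAccountName is a constructed placeholder.
Import-Module ActiveDirectory

$forest = (Get-ADForest).RootDomain
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    # Irreversible once enabled; needs Windows Server 2008 R2 forest functional level or higher.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# Deleted objects carry isDeleted=TRUE and are hidden from normal searches;
# -IncludeDeletedObjects is required to see them.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and SamAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent, WhenChanged

$deleted | Select-Object Name, LastKnownParent, WhenChanged | Format-List

# Restore into the original container. If that OU was deleted as well, restore the
# parent first, or pass -TargetPath to choose a new location.
$deleted | Restore-ADObject
```

Unlike an authoritative restore, this never takes the domain controller offline, which is why the text treats it as the native alternative; the object only becomes usable everywhere after replication catches up.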

Perform Active Directory restore

As said before, if you start the system and press F8 to enter the Directory Services Restore Mode, you are also working offline. You will need to log on locally as a local admin. A nonauthoritative restore means you have a domain controller restored from backup media, then allow the restored data to be updated through normal replication. This process usually requires that you take the domain controller offline.

After going offline, you may invoke the Restore Wizard to restore the System State data. You click Start, Run, then type in Ntbackup to invoke the Backup tool. From the Tools menu you click Restore Wizard to call up the wizard.

5.4 CONFIGURE ACCOUNT POLICIES

Configure domain user password policy

Password policies are for domain accounts or local accounts; they determine a number of settings for passwords, such as:

Enforcing password history
Enforcing maximum password age
Enforcing minimum password age
Enforcing minimum password length
Enforcing password complexity requirements
Storing passwords using reversible encryption

At the domain level the best thing to do for applying password policies is to use Group Policy. The tool to use is Active Directory Users and Computers. PSO is another solution you can use. We will talk about this in the next section.

Configure and apply Password Settings Objects (PSOs)

Note that since Windows Server 2008 you can use fine-grained password policies to apply multiple password policies to different groups of users within a single domain. There are two object classes in Active Directory that deal with these. They are the Password Settings Container and the Password Settings Object (PSO). You can create a PSO using ADSI Edit, or you can use the New-ADFineGrainedPasswordPolicy cmdlet to achieve the same.

Delegate password settings management

You may delegate password management to someone else. From within Active Directory Users and Computers you call up the Delegation of Control Wizard. This wizard allows you to pick the password-related tasks to delegate.

Configure local user password policy

Local security policy is local-server-specific: the policies are not stored in Active Directory. As a local admin you may open up the Local Security Policy UI via secpol.msc. The UI has a navigation pane with an option known as Account Policies. You can click Password Policy to make the necessary policy settings.

Configure account lockout settings

You all know what account lockout is about. Technically, Account Lockout Policy settings are configured in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy through the GPMC. In terms of duration, the valid range is from 1 through 99,999 minutes. If you set the value to 0, the account is locked out until you explicitly have it unlocked. Account lockout threshold determines the number of failed logon attempts that can be tolerated. The number of minutes that can be specified is between 1 and 999.
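The PSO and account lockout sections above come together in the following added example, which is not code from the study guide: it reads the domain-wide password and lockout settings, creates a stricter fine-grained policy with the New-ADFineGrainedPasswordPolicy cmdlet the text names, binds it to an admin group, and confirms which policy wins for a given user. The policy, group and user names are constructed placeholders.

```powershell
# Added example (not part of the study guide): inspect the domain policy, then
# create and apply a stricter PSO. Names are constructed placeholders.
Import-Module ActiveDirectory

# Domain-wide defaults, i.e. what the Default Domain Policy GPO wrote into AD.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, ReversibleEncryptionEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Stricter PSO for privileged accounts. Lower Precedence wins when a user is covered
# by several PSOs. A LockoutDuration of 0 would lock until an admin unlocks, as the
# text describes for the GPO setting.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs bind to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Show the policy that actually applies to one user (a PSO overrides the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy returns nothing for a user covered by no PSO, which means the domain default applies to that account.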


CHAPTER 6 CONFIGURE AND MANAGE GROUP POLICY

6.1 CONFIGURE GROUP POLICY PROCESSING

Configure processing order and precedence

By default, Group Policy settings are processed in this order: Local Group Policy object > Site > Domain > OU. Keep in mind, local GPOs are always processed first, while GPOs linked to the OU are always processed last. The last one processed can overwrite settings made in the earlier GPOs should conflicts arise. Exceptions may be possible if a GPO link is enforced or disabled, or if an OU has Block Inheritance enabled.

Configure blocking of inheritance

You may set a container to block any policies from higher levels from being applied. Do note that Block Policy Inheritance is a container property, NOT a link property. In fact, Enforced at a higher level will always take precedence over Block Policy Inheritance at a lower level. Simply put, GPO links that are enforced are not allowed to be blocked.

Configure enforced policies

You may set a policy at a higher level to always apply via enforcement (i.e. no override). Do note that Enforced is a link property, NOT a container property. It always takes precedence over Block Policy Inheritance. As said previously, GPO links that are enforced are not allowed to be blocked.

Configure security filtering and WMI filtering

WMI and security group filters can both be used to restrict each GPO to the computers of a membership group running the version of Windows for which the GPO is targeted. To be precise, security filtering applies policy settings to only a particular set of users and computers that you choose, while WMI filters can be used based on the target computer specifications (make, model, OS, etc.).

When you define a new WMI filter, you will need to supply a WMI query, which is a WMI Query Language (WQL) string that returns a value of TRUE when applied to the correct Windows version.
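A WMI filter evaluates to TRUE only when its WQL query returns at least one row, so the query can be tested on a machine before it is attached to a GPO. The following is an added example, not code from the study guide: it runs a few constructed WQL queries through Get-CimInstance, which uses the same WQL the Group Policy client evaluates, and reports whether each filter would apply to the local host.

```powershell
# Added example (not part of the study guide): test WMI filter queries locally.
# Win32_OperatingSystem.Version is the kernel version (6.2 = Windows 8 / Server 2012,
# 6.3 = Windows 8.1 / Server 2012 R2); ProductType 1 = workstation, 2 = DC, 3 = server.
$queries = @{
    'Server 2012 or 2012 R2, not a DC' =
        'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "6.2%" OR Version LIKE "6.3%") AND ProductType = "3"'
    'Domain controllers only' =
        'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"'
    'Laptops (a battery is present)' =
        'SELECT * FROM Win32_Battery'
}

foreach ($entry in $queries.GetEnumerator()) {
    # Get-CimInstance -Query executes the WQL exactly as written in the filter.
    $rows = @(Get-CimInstance -Query $entry.Value -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Filter  = $entry.Key
        Applies = ($rows.Count -gt 0)   # TRUE here means the GPO would apply to this host
        Query   = $entry.Value
    }
}
```

A filter that returns nothing on a host it was meant to match is the usual cause of a GPO that silently never applies; this check finds that before deployment rather than after.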


Configure loopback processing

By default Group Policy is applied depending on where both the user and the computer objects are located. If you want to have policy applied based only on the location of the computer object, the Group Policy loopback feature may be of great use, assuming your client computers are at least Windows 2000. With Merge mode, the computer's GPOs have higher precedence than the user's GPOs. With Replace mode, the user's list of GPOs is never gathered, so only the computer's GPOs are used.

Configure and manage slow link processing

When processing GPOs over a slow link, not all components are processed. A rate that is slower than 500 Kbps is considered a slow link. You may use the Group Policy Object Editor to specify settings for slow link detection for computers (you want to pay attention to the Allow processing across a slow network connection policy option). The options that are available for processing include IP Security policy, EFS recovery policy, Internet Explorer Maintenance policy, Scripts policy, and Folder Redirection policy.

Configure client-side extension (CSE) behavior

Client-side extensions (CSEs) are almost always implemented as .dll files. They are for processing and applying Group Policy settings at the target computers. With each CSE the GPO processing order is determined by obtaining a list of GPOs. A computer policy can be used to control the behavior of the CSE. You may set a computer policy accordingly via the Group Policy Object Editor. The possible computer policy options you can configure are Allow processing across a slow network connection (which should be used with Group Policy slow link detection), Do not apply during periodic background processing (the policy is applied both at boot time and regularly every 90 minutes), and Process even if the Group Policy objects have not changed.

6.2 CONFIGURE GROUP POLICY SETTINGS

Configure settings including software installation, folder redirection, scripts, and administrative template settings

You may use Group Policy to configure computer and user settings on networks based on Active Directory Domain Services (AD DS). For Group Policy to work, your network must be based on AD DS and the computers you want to manage must be joined to the domain. You must also have the relevant permissions to create and edit the policy objects. Although you may configure Group Policy settings locally, you should avoid doing so since domain-based Group Policy can centralize management while localized policy cannot.

You may manage all aspects of Group Policy via the Group Policy Management Console (GPMC).


Import security templates

You may want to deploy security templates by importing them into a GPO. First you should create OUs for the different types of computers that are to use a different security template. Then you add the computer accounts for these computers to the proper OU. Finally you add a link to a GPO for each of these computer OUs. You can always import a security template into a GPO via the Group Policy Object Editor.

Import custom administrative template file

Administrative Templates for GPOs can be used to set and control registry settings. Administrative Template files are XML-based and define registry-based Group Policy settings that can be configured via the Group Policy Management Editor. With the language-neutral ADMX file it is possible to determine the number, types, and locations of policy settings by category in the editor. ADML files, on the other hand, are for supplying language-specific information to the ADMX files. Note that when you use GPEDIT.msc to launch the Group Policy Object Editor, it will automatically read all ADMX files that are stored in the %systemroot%\PolicyDefinitions\ folder.

Convert administrative templates using ADMX Migrator

The ADMX Migrator utility is a free MMC snap-in tool you can use to convert legacy ADM files into the new ADMX format. You can also use the ADMX Migrator's ADMX Editor to edit ADMX files via a GUI. This tool can be downloaded from:

http://www.microsoft.com/en-hk/download/details.aspx?id=15058

The tool requires .NET Framework 2.0 at the least. The minimum OS version required is Windows XP SP2.

Configure property filters for administrative templates

From within the GPMC you may change the criteria for displaying Administrative Template policy settings using property filters. The available property filters are Managed, Configured, and Commented. Keep in mind, with the Managed filter the Group Policy service will only govern Managed policy settings. In terms of policy state, a policy setting can be Not Configured (the default), Enabled, or Disabled. The Commented property also has several states, which include Any, Yes, and No.

6.3 MANAGE GROUP POLICY OBJECTS (GPOS)

Backup, import, copy, and restore GPOs

From within the GPMC console tree you can do a lot of things. For example, you can right-click Group Policy Objects in the forest and domain in which you want to create a GPO and then click New to create a new object.

You may also choose to copy, back up, restore, or import GPOs via the console. You use Backup GPO to make a backup of a GPO. You use the Restore Group Policy Object Wizard or the Restore-GPO cmdlet to restore a GPO that has been backed up. You use the Import Settings Wizard to import a GPO from another domain or forest (you may need to update some references by hand). And you may use Copy GPO to make a GPO copy. To delete one, use Remove-GPO (all links to it will be deleted as well).

Create and configure Migration Table

When you copy or import a GPO from another domain you rely on a migration table to tell how the domain-specific data should be handled. From the GPMC you can open the Migration Table Editor. You may validate your migration table by choosing Tools > Validate. Or you may auto-populate a migration table (by scanning a GPO) by choosing Tools > Autopopulate from GPO. All migration tables store mapping information as XML files with an extension of .migtable.
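The backup, restore and import operations from the two sections above, driven with the GroupPolicy module, as an added example that is not part of the study guide. It backs up every GPO, restores one in place, writes a small .migtable by hand (the same XML the Migration Table Editor produces) and uses it with Import-GPO to remap the domain-specific principals and UNC paths the text mentions. Paths, domain names, group names and GPO names are constructed placeholders.

```powershell
# Added example (not part of the study guide): back up, restore and import GPOs,
# with a migration table for cross-domain references. All names are placeholders.
Import-Module GroupPolicy

$BackupRoot = '\\fileserver\gpo-backups\' + (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Back up every GPO in the domain; each GPO gets its own GUID-named folder.
Backup-GPO -All -Path $BackupRoot -Comment 'Scheduled full backup' | Out-Null

# Restore one GPO in place from that backup (same domain, same GPO).
Restore-GPO -Name 'Workstation Baseline' -Path $BackupRoot

# Import from a GPO backed up in another domain. Security principals and UNC paths
# are domain-specific, so a .migtable maps source values to destination values.
$migTable = @'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>CORP\GPO-Admins</Source>
    <Destination>LAB\GPO-Admins</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\corp-fs01\scripts</Source>
    <Destination>\\lab-fs01\scripts</Destination>
  </Mapping>
</MigrationTable>
'@
$migPath = Join-Path $BackupRoot 'corp-to-lab.migtable'
Set-Content -Path $migPath -Value $migTable -Encoding UTF8

# -CreateIfNeeded creates the target GPO when it does not exist yet.
Import-GPO -BackupGpoName 'Workstation Baseline' -Path '\\fileserver\gpo-backups\from-corp' `
    -TargetName 'Workstation Baseline (imported)' -CreateIfNeeded `
    -MigrationTable $migPath
```

Any source principal or path not covered by the table is copied verbatim, which is exactly the "references you may need to update by hand" situation the text warns about; validating the table in the Migration Table Editor first catches those gaps.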

Reset default GPOs

You are not supposed to modify the default GPOs. However, if you did and you want to fix them by restoring them to the default values, you should use the dcgpofix command with the /target parameter specified.

Delegate Group Policy management

You may delegate some Group Policy tasks to other people. The GPMC (there is a tab named Delegation) offers several categories of Allowed Permissions on a GPO, including Read; Edit settings; Edit, delete, modify security; Read (from Security Filtering); and Custom. You can fine-tune these for proper delegation. Note that the right to create new GPOs can only be delegated at the domain's Group Policy Objects container or the Starter GPOs container.


6.4 CONFIGURE GROUP POLICY PREFERENCES

Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment

Group Policy Preferences (GPP) can simplify the deployment and standardization of configurations. Preferences are settings that can be changed by users later (in other words, a preference only sets an initial state for an application configuration). You can also use GPP to configure applications that are not Group Policy-aware. GPP is considered quite powerful since it can be used to change or remove registry settings, files, folders, shortcuts, etc. Keep in mind, the preference value can remain in the local registry and can overwrite the application's configuration settings.

Configure item-level targeting

Item-level targeting (which is part of the Common properties within the GPMC) is a feature that can be used with GPP. You use it to set sophisticated targeting for each individual preference configured in a GPO. In other words, you use it to change the scope of individual preference items. Each targeting item has a value which is either true or false. You can apply multiple targeting items to a preference item and you can use AND or OR to combine them.