OFFICIAL MICROSOFT LEARNING PRODUCT
20410A Installing and Configuring Windows Server® 2012
ii 20410A: Installing and Configuring Windows Server® 2012
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners
Product Number: 20410A
Part Number: X18-48636
Released: 07/2012
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,
viii. you will only deliver a maximum of 10 hours of training per week for each Authorized Training Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control.
ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplement the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
Remarque : Ce contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute utilisation de ce contenu sous licence est à vos risques et périls. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. Là où elles sont permises par le droit local, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
Cette limitation concerne :
• tout ce qui est relié au contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’applique pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
Revised June 2012
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Stan Reimer - Content Developer and Lead Subject Matter Expert
Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory® Domain Services (AD DS) and Microsoft Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press®. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12 years.
Damir Dizdarevic - Content Developer and Subject Matter Expert
Damir Dizdarevic, an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and Microsoft Certified IT Professional (MCITP), is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server®, Exchange Server, security and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft® Official Curriculum (MOC) courses, and has published more than 400 articles in various Information Technology (IT) magazines, such as Windows ITPro and INFO Magazine. Damir is also a frequent and highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable Professional (MVP) for Windows Server Infrastructure Management.
Gary Dunlop - Subject Matter Expert
Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. He has authored a number of Microsoft Learning titles, and has been an MCT since 1997.
Siegfried Jagott - Content Developer
Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft Press) and has authored and technically reviewed several MOC courses on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 SP1. Siegfried has coauthored various other Windows® operating system, System Center Virtual Machine Manager (SC VMM) and Exchange books, and is a frequent presenter on these topics at international conferences such as the IT & Dev Connections conference, held in spring 2012, in Las Vegas. Siegfried has planned, designed, and implemented some of the world’s largest Windows and Exchange Server infrastructures for international customers. He received an MBA from Open University in England, and has been an MCSE since 1997.
Jason Kellington - Subject Matter Expert
Jason Kellington (MCT, MCITP, and MCSE) is a consultant, trainer, and author. He has experience working with a wide range of Microsoft technologies, and focuses on enterprise network infrastructure. Jason works in several capacities with Microsoft. He is a content developer for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.
20410A: Installing and Configuring Windows Server® 2012 xiii
Vladimir Meloski - Content Developer Vladimir is an MCT, an MVP on Exchange Server, and a consultant, providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync® Server, and Microsoft System Center. Vladimir has 16 years of professional experience in information technology. Vladimir has been involved in Microsoft conferences in Europe and in the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for several MOC courses.
Nick Portlock - Subject Matter Expert Nick has been an MCT for 15 years. He is a self-employed IT trainer, consultant, and author. Last year, Nick taught in over 20 countries. He specializes in AD DS, Group Policy, and Domain Name System (DNS), and has consulted with a variety of companies over the last decade. He has reviewed more than 100 Microsoft courses. Nick is a member of the Windows 7 Springboard Series Technical Expert Panel (STEP) program.
Brian Svidergol - Technical Reviewer Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions based around Windows operating systems, AD DS, Exchange Server, System Center, virtualization, and Microsoft Desktop Optimization Package (MDOP). He holds the MCT, MCITP (Enterprise Administrator (EA)), MCITP (Virtualization Administrator (VA)), MCITP (Exchange 2010), and several other Microsoft and industry certifications. Brian authored Microsoft Official Curriculum (MOC) course 6426C: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory. He has also worked for several years on Microsoft certification exam development and related training content.
Orin Thomas - Subject Matter Expert Orin Thomas is an MVP, an MCT, and has a variety of MCSE and MCITP certifications. He has written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. He has been working in IT since the early 1990s. He regularly speaks at events such as TechED in Australia, and around the world on Windows Server, Windows Client, System Center, and security topics. Orin founded and runs the Melbourne System Center Users Group.
Byron Wright - Content Developer and Subject Matter Expert Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems implementation, and technical training. Byron is also a sessional instructor for the Asper School of Business at the University of Manitoba, teaching management information systems and networking. Byron has authored and co-authored a number of books on Windows Server operating systems, Windows Vista, and Exchange Server, including the Windows Server 2008 Active Directory Resource Kit.
Contents
Module 1: Deploying and Managing Windows Server 2012
Lesson 1: Windows Server 2012 Overview 1-2 Lesson 2: Overview of Windows Server 2012 Management 1-14 Lesson 3: Installing Windows Server 2012 1-19 Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24 Lesson 5: Introduction to Windows PowerShell 1-32 Lab: Deploying and Managing Windows Server 2012 1-37
Module 2: Introduction to Active Directory Domain Services
Lesson 1: Overview of AD DS 2-2 Lesson 2: Overview of Domain Controllers 2-8 Lesson 3: Installing a Domain Controller 2-13 Lab: Installing Domain Controllers 2-18
Module 3: Managing Active Directory Domain Services Objects
Lesson 1: Managing User Accounts 3-3 Lesson 2: Managing Group Accounts 3-15 Lesson 3: Managing Computer Accounts 3-22 Lesson 4: Delegating Administration 3-27 Lab: Managing Active Directory Domain Services Objects 3-30
Module 4: Automating Active Directory Domain Services Administration
Lesson 1: Using Command-line Tools for Administration 4-2 Lesson 2: Using Windows PowerShell for Administration 4-7 Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13 Lab: Automating AD DS Administration by Using Windows PowerShell 4-20
Module 5: Implementing IPv4
Lesson 1: Overview of TCP/IP 5-2 Lesson 2: Understanding IPv4 Addressing 5-6 Lesson 3: Subnetting and Supernetting 5-11 Lesson 4: Configuring and Troubleshooting IPv4 5-16 Lab: Implementing IPv4 5-23
Module 6: Implementing DHCP
Lesson 1: Installing a DHCP Server Role 6-2 Lesson 2: Configuring DHCP Scopes 6-7 Lesson 3: Managing a DHCP Database 6-12 Lesson 4: Securing and Monitoring DHCP 6-16 Lab: Implementing DHCP 6-21
Module 7: Implementing DNS
Lesson 1: Name Resolution for Windows Clients and Servers 7-2 Lesson 2: Installing and Managing a DNS Server 7-10 Lesson 3: Managing DNS Zones 7-16 Lab: Implementing DNS 7-20
Module 8: Implementing IPv6
Lesson 1: Overview of IPv6 8-2 Lesson 2: IPv6 Addressing 8-8 Lesson 3: Coexistence with IPv6 8-13 Lesson 4: IPv6 Transition Technologies 8-17 Lab: Implementing IPv6 8-22
Module 9: Implementing Local Storage
Lesson 1: Overview of Storage 9-2 Lesson 2: Managing Disks and Volumes 9-11 Lesson 3: Implementing Storage Spaces 9-20 Lab: Implementing Local Storage 9-25
Module 10: Implementing File and Print Services
Lesson 1: Securing Files and Folders 10-2 Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15 Lesson 3: Configuring Network Printing 10-18 Lab: Implementing File and Print Services 10-23
Module 11: Implementing Group Policy
Lesson 1: Overview of Group Policy 11-2 Lesson 2: Group Policy Processing 11-10 Lesson 3: Implementing a Central Store for Administrative Templates 11-15 Lab: Implementing Group Policy 11-19
Module 12: Securing Windows Servers Using Group Policy Objects
Lesson 1: Windows Security Overview 12-2 Lesson 2: Configuring Security Settings 12-6 Lab A: Increasing Security for Server Resources 12-15 Lesson 3: Restricting Software 12-21 Lesson 4: Configuring Windows Firewall with Advanced Security 12-25 Lab B: Configuring AppLocker and Windows Firewall 12-29
Module 13: Implementing Server Virtualization with Hyper-V
Lesson 1: Overview of Virtualization Technologies 13-2 Lesson 2: Implementing Hyper-V 13-8 Lesson 3: Managing Virtual Machine Storage 13-15 Lesson 4: Managing Virtual Networks 13-22 Lab: Implementing Server Virtualization with Hyper-V 13-27
Lab Answer Keys
Module 1 Lab: Deploying and Managing Windows Server 2012 L1-1
Module 2 Lab: Installing Domain Controllers L2-9
Module 3 Lab: Managing Active Directory Domain Services Objects L3-13
Module 4 Lab: Automating AD DS Administration by Using Windows PowerShell L4-21
Module 5 Lab: Implementing IPv4 L5-25
Module 6 Lab: Implementing DHCP L6-29
Module 7 Lab: Implementing DNS L7-35
Module 8 Lab: Implementing IPv6 L8-41
Module 9 Lab: Implementing Local Storage L9-45
Module 10 Lab: Implementing File and Print Services L10-49
Module 11 Lab: Implementing Group Policy L11-55
Module 12 Lab A: Increasing Security for Server Resources L12-59
Module 12 Lab B: Configuring AppLocker and Windows Firewall L12-65
Module 13 Lab: Implementing Server Virtualization with Hyper-V L13-71
About This Course xvii
About This Course This section provides you with a brief description of the course—20410A: Installing and Configuring Windows Server® 2012—its audience, suggested prerequisites, and course objectives.
Course Description Note: This first release (A) Microsoft® Official Curriculum (MOC) version of course 20410A has been developed on prerelease software (Windows® 8 Release Preview and Windows Server® 2012 Release Candidate (RC)). Microsoft Learning will release a B version of this course after the release to manufacturing (RTM) version of the software is available.
This course is part one of a series of three courses, which provide the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment.
The three courses in total will collectively cover implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.
While there is some cross-over in skillset and tasks across the courses, this course will primarily cover the initial implementation and configuration of those core services, such as Active Directory® Domain Services (AD DS), networking services, and initial Hyper-V® configuration.
Audience This course is intended for Information Technology (IT) Professionals who have good Windows operating system knowledge and experience, and want to acquire the skills and knowledge necessary to implement the core infrastructure services in an existing Windows Server 2012 environment.
The secondary audience consists of those seeking certification in the 70-410, Installing and Configuring Windows Server 2012 exam.
Student Prerequisites This course requires that you meet the following prerequisites:
• A good understanding of networking fundamentals
• An understanding and experience configuring security and administration tasks in an enterprise environment
• Experience supporting or configuring Windows operating system clients
• Good hands-on Windows client operating system experience with Windows Vista®, Windows 7, or Windows 8.
Students would also benefit from having some previous Windows Server operating system experience.
Course Objectives After completing this course, students will be able to:
• Install and Configure Windows Server 2012.
• Describe AD DS.
• Manage AD DS objects.
• Automate AD DS administration.
• Implement TCP/IPv4.
• Implement Dynamic Host Configuration Protocol (DHCP).
• Implement Domain Name System (DNS).
• Implement IPv6.
• Implement local storage.
• Share files and printers.
• Implement Group Policy.
• Use Group Policy Objects to secure Windows Servers.
• Implement server virtualization using Hyper-V.
Course Outline This section provides an outline of the course:
Module 1, Deploying and Managing Windows Server 2012
Module 2, Introduction to Active Directory Domain Services
Module 3, Managing Active Directory Domain Services Objects
Module 4, Automating Active Directory Domain Services Administration
Module 5, Implementing IPv4
Module 6, Implementing DHCP
Module 7, Implementing DNS
Module 8, Implementing IPv6
Module 9, Implementing Local Storage
Module 10, Implementing File and Print Services
Module 11, Implementing Group Policy
Module 12, Securing Windows Servers Using Group Policy Objects
Module 13, Implementing Server Virtualization with Hyper-V
Exam/Course Mapping This course, 20410A: Installing and Configuring Windows Server® 2012, has a direct mapping of its content to the objective domain for the Microsoft exam 70-410: Installing and Configuring Windows Server 2012.
The table below is provided as a study aid that will assist you in preparation for taking this exam and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.
Note The exam objectives are available online at the following URL http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab2.
Exam Objective Domain: Exam 70-410: Installing and Configuring Windows Server 2012 (Course Content: Module, Lesson, Lab)
Install and Configure Servers
Install servers.
This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server
Mod 1 Lesson 1 Mod 1 Ex 1
Configure servers.
This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming
Mod 1 Lesson 1/2 Mod 1 Ex 1/2/3
Mod 3 Lesson 4 Mod 1 Ex 2
Configure local storage.
This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools
Mod 9 Lesson 2/3 Mod 9 Ex 3/4
Configure Server Roles and Features
Configure file and share access.
This objective may include but is not limited to: Create and configure shares; configure share permissions; configure offline files; configure NTFS permissions; configure access-based enumeration (ABE); configure Volume Shadow Copy Service (VSS); configure NTFS quotas
Mod 10 Lesson 1/2 Mod 10 Ex 1/2
Configure print and document services.
This objective may include but is not limited to: Configure the Easy Print print driver; configure Enterprise Print Management; configure drivers; configure printer pooling; configure print priorities; configure printer permissions
Mod 10 Lesson 3 Mod 10 Ex 3
Configure servers for remote management.
This objective may include but is not limited to: Configure WinRM; configure down-level server management; configure servers for day-to-day management tasks; configure multi-server management; configure Server Core; configure Windows Firewall
Mod 1 Lesson 1/2/4
Mod 12 Lesson 3 Mod 12 Ex 2
Configure Hyper-V
Create and configure virtual machine settings.
This objective may include but is not limited to: Configure dynamic memory; configure smart paging; configure Resource Metering; configure guest integration services
Mod 13 Lesson 2 Mod 13 Ex 3
Create and configure virtual machine storage.
This objective may include but is not limited to: Create VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre Channel adapter
Mod 9 Lesson 1
Mod 13 Lesson 2/3 Mod 13 Ex 3/4
Create and configure virtual networks.
This objective may include but is not limited to: Implement Hyper-V Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC addresses; configure network isolation; configure synthetic and legacy virtual network adapters
Mod 13 Lesson 4 Mod 13 Ex 2
Deploy and Configure Core Network Services
Configure IPv4 and IPv6 addressing.
This objective may include but is not limited to: Configure IP address options; configure subnetting; configure supernetting; configure interoperability between IPv4 and IPv6; configure ISATAP; configure Teredo
Mod 1 Lesson 4 Mod 1 Ex 1/2
Mod 5 Lesson 2/3/4 Mod 5 Ex 1/2 Mod 8 Lesson 3/4 Mod 8 Ex 2
Deploy and configure Dynamic Host Configuration Protocol (DHCP) service.
This objective may include but is not limited to: Create and configure scopes; configure a DHCP reservation; configure DHCP options; configure client and server for PXE boot; configure DHCP relay agent; authorize DHCP server
Mod 6 Lesson 1/2/3/4 Mod 6 Ex 1/2
Deploy and configure DNS service.
This objective may include but is not limited to: Configure Active Directory integration of primary zones; configure forwarders; configure Root Hints; manage DNS cache; create A and PTR resource records
Mod 7 Lesson 1/2/3 Mod 7 Ex 1/2/3
Install and Administer Active Directory
Install domain controllers.
This objective may include but is not limited to: Add or remove a domain controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV record registration issues; configure a global catalog server
Mod 2 Lesson 3 Mod 2 Ex 1/2
Create and manage Active Directory users and computers.
This objective may include but is not limited to: Automate the creation of Active Directory accounts; create, copy, configure, and delete users and computers; configure templates; perform bulk Active Directory operations; configure user rights; offline domain join; manage inactive and disabled accounts
Mod 1 Lesson 4
Mod 3 Lesson 1 Mod 3 Ex 2 Mod 4 Lesson 1/2/3 Mod 4 Ex 1/2/3
Create and manage Active Directory groups and organizational units (OUs).
This objective may include but is not limited to: Configure group nesting; convert groups including security, distribution, universal, domain local, and domain global; manage group membership using Group Policy; enumerate group membership; delegate the creation and management of Active Directory objects; manage default Active Directory containers; create, copy, configure, and delete groups and OUs
Mod 3 Lesson 2/4 Mod 3 Ex 1/2/3
Mod 4 Lesson 1 Mod 4 Ex 4
Create and Manage Group Policy
Create Group Policy objects (GPOs).
This objective may include but is not limited to: Configure a Central Store; manage starter GPOs; configure GPO links; configure multiple local group policies; configure security filtering
Mod 11 Lesson 1/2/3 Mod 11 Ex 1/2
Configure security policies.
This objective may include but is not limited to: Configure User Rights Assignment; configure Security Options settings; configure Security templates; configure Audit Policy; configure Local Users and Groups; configure User Account Control (UAC)
Mod 12 Lesson 2 Mod 12 Lab A Ex 1/2/3
Configure application restriction policies.
This objective may include but is not limited to: Configure rule enforcement; configure Applocker rules; configure Software Restriction Policies
Mod 12 Lesson 3 Mod 12 Lab B Ex 1
Configure Windows Firewall.
This objective may include but is not limited to: Configure rules for multiple profiles using Group Policy; configure connection security rules; configure Windows Firewall to allow or deny applications, scopes, ports, and users; configure authenticated firewall exceptions; import and export settings
Mod 12 Lesson 4 Mod 12 Lab B Ex 2
Important Attending this course in itself will not successfully prepare you to pass any associated certification exams.
The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:
• Minimum of one year's real-world, hands-on experience installing and configuring a Windows Server infrastructure
• Additional study outside of the content in this handbook
There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-410&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to change at any time. Microsoft bears no responsibility for any discrepancies between the version published here and the version available online, and will provide no notification of such changes.
Course Materials The following materials are included with your kit:
• Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
• Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
Student Course files on the http://www.microsoft.com/learning/companionmoc Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
• Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
• To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].
Virtual Machine Environment This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration In this course, you will use Microsoft® Hyper-V to perform the labs.
Important At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course.
Virtual machine Role
20410A-LON-DC1 A domain controller running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR1 A member server running Windows Server 2012 in the Adatum.com domain.
20410A-LON-SVR2 A member server running Windows Server 2012 in the Adatum.com domain. This server will be located on a second subnet.
20410A-LON-SVR3 A blank virtual machine on which students will install Windows Server 2012.
20410A-LON-SVR4 A stand-alone server running Windows Server 2012 that will be used for joining domains and initial configuration.
20410A-LON-HOST1 A bootable VHD for running Windows Server 2012 as the host for Hyper-V.
20410A-LON-CORE A standalone server running Windows Server 2012 Server Core.
20410A-LON-RTR A router that is used for network activities that require a separate subnet.
20410A-LON-CL1 A client computer running Windows 8 and Microsoft Office 2010 Service Pack 1 (SP1) in the Adatum.com domain.
20410A-LON-CL2 A client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain that is located in a second subnet.
Software Configuration The following software is installed on each virtual machine:
• Microsoft Network Monitor 3.4 is installed on LON-SVR2.
Course Files There are lab files associated with the labs in this course. The lab files are located in the folder E:\Labfiles\LabXX on NYC-DC1.
Classroom Setup Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
• Hardware level 6 with 8 gigabytes (GB) of random access memory (RAM)
Module 1 Deploying and Managing Windows Server 2012
Contents: Module Overview 1-1
Lesson 1: Windows Server 2012 Overview 1-2
Lesson 2: Overview of Windows Server 2012 Management 1-14
Lesson 3: Installing Windows Server 2012 1-19
Lesson 4: Post-Installation Configuration of Windows Server 2012 1-24
Lesson 5: Introduction to Windows PowerShell 1-32
Lab: Deploying and Managing Windows Server 2012 1-37
Module Review and Takeaways 1-45
Module Overview
Understanding the capabilities of a new server operating system enables you to leverage that operating system effectively. If you do not understand the capabilities of your new operating system, you may end up using it like you used the previous operating system, and you may forego the advantages of the new system. By understanding how to utilize your new Windows Server® 2012 operating system fully, and by understanding the tools that are available to manage that functionality, you will provide your organization with more value.
This module introduces the new Windows Server 2012 administrative interface. In this module, you will learn about the different roles and features that are available with the Windows Server 2012 operating system. You will also learn about the different installation options from which you can choose when deploying Windows Server 2012.
This module discusses the configuration steps that you can perform both during installation and after deployment to ensure that the servers can begin functioning in their assigned roles. You will also learn how to use Windows PowerShell® to perform common administrative tasks in Windows Server 2012.
Objectives
After completing this module, you will be able to:
• Describe Windows Server 2012.
• Describe the management tools available in Windows Server 2012.
• Install Windows Server 2012.
• Perform post-installation configuration of Windows Server 2012.
• Perform basic administrative tasks using Windows PowerShell.
Lesson 1: Windows Server 2012 Overview
Before deploying Windows Server 2012, you need to understand how each of the Windows Server 2012 editions might benefit your organization’s servers. You also need to know whether a particular hardware configuration is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a physical deployment, and which installation source allows you to deploy Windows Server 2012 in an efficient manner. If you do not have an understanding of these issues, you could end up costing your organization time and money by making a choice that you must later correct.
This lesson provides an overview of the various Windows Server 2012 editions, installation options, roles, and features. Using this information, you will be able to determine which Windows Server 2012 edition and installation options are right for your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the place of a locally deployed server on a modern network.
• Explain the difference between the private and public clouds.
• List the different editions of Windows Server 2012.
• Describe the difference between a Server Core installation of Windows Server 2012 and traditional installation of Windows Server 2012.
• Explain the function of the server roles that are available on computers running Windows Server 2012.
• Explain the purpose of various Windows Server 2012 features.
On Premises Servers
As an IT professional, you probably have heard about cloud computing. You might have heard how software and services are being moved to a public or private cloud because the cloud is a part of the future of enterprise computing. You could also have heard that Windows Server 2012 is ready for the cloud. As an IT professional who has worked with locally deployed servers for most of your career, it would be reasonable to ask, “If everything is moving to the cloud, why do I need to learn about deploying Windows Server 2012 locally?”
The reality is, not every service and application used on a daily basis should be hosted in the cloud. Locally-deployed servers form the backbone of an organizational network. Locally-deployed servers provide the following resources to clients:
• Infrastructure services. Servers provide clients with infrastructure resources, including Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services. These services allow clients to connect and communicate with other resources. Without these services, clients would not be able to connect either to each other or to remote resources, including resources hosted in the cloud.
• Shared files and printers. Servers provide a centralized location that allows users to store and share documents. Servers also host resources such as shared printers that allow groups of users to leverage resources more efficiently. Without these centralized locally deployed resources, sharing files and backing up files centrally would be a more complex and time-intensive process. While it might be possible to host some of this information in the cloud, it doesn’t always make sense to send a job to a printer that is in the next room through a server hosted at a remote location.
• Hosted applications. Servers host applications such as Microsoft® Exchange Server, Microsoft SQL Server®, Microsoft Dynamics®, and Microsoft System Center. Clients access these applications to accomplish different tasks, such as accessing e-mail or self-service deployment of desktop applications. In some cases, these resources can be deployed to the cloud. In many cases these resources must be hosted locally for performance, cost, and regulatory reasons. The choice on whether to host these resources locally or in the cloud depends on the specifics of the individual organization.
• Network access. Servers provide authentication and authorization resources to clients on the network. By authenticating against a server, a user and client can prove their identity. Even when many of an organization’s servers are located in the cloud, people still need to have some form of local authentication and authorization infrastructure.
• Application, Update, and Operating System deployment. Servers are often deployed locally to assist with the deployment of applications, updates, and operating systems to clients on the organizational network. Because of intensive bandwidth utilization, these servers must be in proximity to the clients to which they are providing this service.
Each organization will have its own requirements. An organization in an area that has limited Internet connectivity is going to rely more on servers on the premises than an organization that has access to high-speed broadband. It is important that, even in a case of Internet connectivity issues, work in an organization can continue. Productivity will be negatively affected if the failure of the organization’s Internet connection suddenly means that no one is able to access their shared files and printers.
While Windows Server 2012 is promoted as being ready for the cloud, remember that, for all the cloud-ready features the product has, the operating system is still eminently suited to the traditional workhorse tasks that server operating systems have performed for at least the last two decades. If you have been working as an IT professional for some time, it is likely that you will configure and deploy Windows Server 2012 to perform the same or similar workloads that you configured for servers running Windows Server 2003 and maybe even for Windows NT 4.
Question: What is the difference between a server and a client operating system?
Question: How has the role of the server evolved over time from the Microsoft Windows NT 4.0 Server operating system to Windows Server 2012?
1-4 Deploying and Managing Windows Server 2012
What Is Cloud Computing?
Cloud computing is a general description that encompasses several different technologies. The most common forms of cloud computing are:
• Infrastructure as a Service (IaaS). With this full form of cloud computing, you can run a virtual machine in the cloud. The cloud hosting provider manages the hypervisor platform, and you manage the virtual machine that runs on the cloud provider’s infrastructure. Windows Azure™ Compute is an example of IaaS. You can run Windows Server 2012 as a virtual machine in an IaaS cloud, but in some cases the operating system will host the virtual machines in an IaaS cloud.
• Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular platform. For example, a provider may allow you to host databases. You manage the database itself, and the cloud hosting provider hosts the database server. SQL Azure™ is an example of Platform as a Service.
• Software as a Service (SaaS). The cloud hosting provider hosts your application and all of the infrastructure that supports that application. You purchase and run a software application from a cloud hosting provider. Windows InTune™ and Microsoft Office 365 are examples of SaaS.
Public and Private Clouds
A public cloud is a cloud service that is hosted by a cloud services provider, and is made available for public use. A public cloud may host a single tenant, or host tenants from multiple organizations. As such, public cloud security is not as strong as private cloud security, but public cloud hosting typically costs less because costs are absorbed by multiple tenants.
In contrast, private clouds are cloud infrastructure that is dedicated to a single organization. Private clouds may be hosted by the organization itself, or may be hosted by a cloud services provider who ensures that the cloud services are not shared with any other organization.
Private clouds are more than simply large scale hypervisor deployments; they can use the System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications. For example, in an organization that has its own private cloud, it would be possible for users to use a self-service portal to request multi-tier applications including web-server, database-server, and storage components. Windows Server 2012 and the components of the System Center 2012 suite are configured in such a way that this service request can be processed automatically, without requiring the manual deployment of virtual machines and database server software.
Question: Which type of cloud would you use to deploy a custom virtual machine running Windows Server 2012?
Options for Windows Server 2012
There are several different editions of Windows Server 2012 from which to choose. These editions allow organizations to select a version of Windows Server 2012 that best meets their needs, rather than pay for features that they do not require.
When deploying a server for a specific role, systems administrators can save substantially by selecting the appropriate edition.
The following table lists the Windows Server 2012 editions.
Edition Description
Windows Server 2012 Standard edition Provides all roles and features available on the Windows Server 2012 platform. Supports up to 64 sockets and up to 4 terabytes (TB) of RAM. Includes two virtual machine licenses.
Windows Server 2012 Datacenter edition Provides all roles and features that are available on the Windows Server 2012 platform. Includes unlimited virtual machine licenses for virtual machines run on the same hardware. Supports 64 sockets, up to 640 processor cores, and up to 4 TB of RAM.
Windows Server 2012 Foundation edition Aimed at small business owners, this edition allows only 15 users, cannot be joined to a domain, and includes limited server roles. Supports one processor core and up to 32 GB of RAM.
Windows Server 2012 Essentials Next edition of Small Business Server. Must be root server in domain. It cannot function as a Hyper-V®, Failover Clustering, Server Core, or Remote Desktop Services server. It has limits for 25 users and 50 devices. Supports two processor cores and 64 GB of RAM.
Microsoft Hyper-V Server 2012 Stand-alone Hyper-V platform for virtual machines with no UI. No licensing cost (free) for host OS, but virtual machines are licensed normally. Supports 64 sockets and 4 TB of RAM. Supports domain join. Does not support other Windows Server 2012 roles other than limited file services features.
Windows Storage Server 2012 Workgroup Entry-level unified storage appliance. Limited to 50 users, one processor core, 32 GB of RAM. Supports domain join.
Windows Storage Server 2012 Standard Supports 64 sockets, but is licensed on a two-socket incrementing basis. Supports 4 TB of RAM. Includes two virtual machine licenses. Supports domain join. Supports some roles including DNS and DHCP Server roles, but does not support others including Active Directory® Domain Services (AD DS), Active Directory Certificate Services (AD CS), and Active Directory Federation Services (AD FS).
Windows MultiPoint Server 2012 Standard Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and monitors. Limited to one socket, 32 GB of RAM, and a maximum of 12 sessions. Supports some roles including DNS and DHCP Server roles, but does not support others including AD DS, AD CS, and AD FS. Does not support domain join.
Edition Description
Windows MultiPoint Server 2012 Premium Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and monitors. Limited to two sockets, 4 TB of RAM, and a maximum of 22 sessions. Supports some roles including DNS and DHCP Server roles, but does not support others including AD DS, AD CS, and AD FS. Supports domain join.
Note: For more information about the differences between Windows Server 2012 editions, see the Windows Server Catalog at http://www.windowsservercatalog.com/svvp.aspx.
What Is Server Core?
Server Core is a minimal installation option for Windows Server 2012 that you manage from Windows PowerShell or a command line rather than by using GUI-based tools. A Windows Server 2012 Server Core installation offers fewer components and administrative management options than the full installation of Windows Server 2012. Server Core installation is the default installation option when installing Windows Server 2012. Server Core has the following advantages over a traditional Windows Server 2012 deployment:
• Reduced update requirements. Because Server Core installs fewer components, its deployment requires you to install fewer software updates. This reduces the amount of time required for an administrator to service Server Core.
• Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. When virtualized, this means that you can deploy more servers on the same host.
Increasing numbers of Microsoft server applications are designed to run on computers with Server Core–installed operating systems. For example, you can install SQL Server 2012 on computers running the Server Core–installed version of Windows Server 2008 R2.
There are two ways of installing Windows Server 2012 in a Server Core configuration:
• Server Core. The standard deployment of Server Core. It is possible to convert to the full version of Windows Server 2012 with the graphical administration components only if you have access to an installation source with all server files, such as a mounted Windows image file (.wim) image.
• Server Core with Management. Also known as Server Core-Full Server. This works the same as a deployment of Windows Server 2012 with the graphical component, except that the graphical components are not installed nor removed. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, but without needing to specify an installation source.
You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount
Installing the graphical components gives you the option of performing administrative tasks using the graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command-line tool. You will learn more about how to perform this task in Lesson 4, “Post-installation Configuration of Windows Server 2012.”
Once you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:
• Graphical Management Tools and Infrastructure
• Server Graphical Shell
Note: Be careful when removing graphical features, as some servers will have other components installed that are dependent upon those features.
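As an added example that is not part of the course text, the following Windows PowerShell script checks the state of the two graphical features and lists any installed feature whose DependsOn list (as reported by Get-WindowsFeature) names one of them, so the dependency problem the note describes is found before anything is removed. It assumes the feature names Server-Gui-Mgmt-Infra and Server-Gui-Shell (the internal names behind the two display names listed above) and runs Uninstall-WindowsFeature with -WhatIf, so nothing is removed until that switch is dropped.

```powershell
# Added example (not part of the course text). Checks the graphical features
# on this server and what depends on them before they are removed.
Import-Module ServerManager

# Internal names of the two features listed above by display name
# ("Graphical Management Tools and Infrastructure", "Server Graphical Shell").
$guiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'

function Get-GuiDependentFeature {
    # Installed features, other than the GUI features themselves, whose
    # DependsOn list (as reported by Get-WindowsFeature) names a GUI feature.
    Get-WindowsFeature | Where-Object {
        $feature = $_
        $feature.Installed -and
        ($guiFeatures -notcontains $feature.Name) -and
        ($feature.DependsOn | Where-Object { $guiFeatures -contains $_ })
    }
}

# Current state of the two GUI features (Installed, Available or Removed).
Get-WindowsFeature -Name $guiFeatures |
    Format-Table Name, DisplayName, InstallState -AutoSize

$dependents = Get-GuiDependentFeature
if ($dependents) {
    Write-Warning 'Installed features that depend on the graphical features:'
    $dependents | Format-Table Name, DisplayName -AutoSize
    Write-Warning 'Remove or relocate those first; removing the GUI would break them.'
}
else {
    # Dry run. Drop -WhatIf to remove the features; the server then needs a
    # restart (add -Restart to let the cmdlet perform it).
    Uninstall-WindowsFeature -Name $guiFeatures -WhatIf
}
```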
When connected locally, you can use the tools that are listed in the following table to manage Server Core deployments of Windows Server 2012.
Tool Function
Cmd.exe Allows you to run traditional command-line tools such as ping.exe, ipconfig.exe, and netsh.exe.
PowerShell.exe Launches a Windows PowerShell session on the Server Core deployment. You can then perform Windows PowerShell tasks normally.
Sconfig.cmd A command-line menu-driven administrative tool that allows you to perform most common server administrative tasks.
Notepad.exe Allows you to use the Notepad.exe text editor within the Server Core environment.
Regedt32.exe Provides registry access within the Server Core environment.
Msinfo32.exe Allows you to view system information about the Server Core deployment.
Taskmgr.exe Launches the Task Manager.
Note: If you accidentally close the command window on a computer that is running Server Core, you can recover the command window by performing the following steps:
1. Press Ctrl+Alt+DEL, and then select Task Manager.
2. From the File menu, click New Task (Run…), and then type cmd.exe.
Server Core supports most—but not all—Windows Server 2012 roles and features. You cannot install the following roles on a computer running Server Core:
• AD FS
• Application Server
• Network Policy and Access Services (NPAS)
• Windows Deployment Services (Windows DS)
Even if a role is available to a computer that is running the Server Core installation option, a specific role service that is associated with that role may not be available.
Note: You can check which roles on Server Core are available and which are not by running the query Get-WindowsFeature | where-object {$_.InstallState -eq "Removed"}.
The Windows Server 2012 administration paradigm focuses more on managing many servers from one console than the traditional method of managing each server separately. This means that when you want to perform an administrative task, you are more likely to manage multiple computers that are running the Server Core operating system from one computer, than you are to connect to each computer individually. You can enable remote management of a computer that is running Server Core through sconfig.cmd, or by running the following command:
Netsh.exe firewall set service remoteadmin enable ALL
Windows Server 2012 Roles
To properly plan how you are going to use Windows Server 2012 to support your organization’s requirements, you need to be fully aware of what roles are available as part of the operating system. Each version of Windows Server ships with a different set of roles. As new versions of Windows Server are released, some roles are enhanced and others are deprecated. For the most part, the roles that are available in Windows Server 2012 are familiar to IT professionals that have managed Windows Server 2008 and Windows Server 2003.
Windows Server 2012 supports the server roles that are listed in the following table.
Role Function
Active Directory Certificate Services (AD CS) Allows you to deploy certification authorities and related role services.
AD DS A centralized store of information about network objects, including user and computer accounts. Use for authentication and authorization.
AD FS Provides web single sign-on (SSO) and secured identity federation support.
Active Directory Lightweight Directory Services (AD LDS) Supports storage of application-specific data for directory-aware applications that do not require the full infrastructure of AD DS.
Role Function
Active Directory Rights Management Services (AD RMS) Allows you to apply rights management policies to prevent unauthorized access to sensitive documents.
Application Server Supports centralized management and hosting of high-performance distributed business applications, such as those built with Microsoft .NET Framework 4.5, and .NET Enterprise Services.
DHCP Server Provisions client computers on the network with temporary IP addresses.
DNS Server Provides name resolution for TCP/IP networks.
Fax Server Supports sending and receiving of faxes. Also allows you to manage fax resource on the network.
File and Storage Services Supports the management of shared folders storage, distributed file system (DFS), and network storage.
Hyper-V® Enables you to host Virtual Machines on computers that are running Windows Server 2012.
Network Policy and Access Services Authorization infrastructure for remote connections, including Health Registration Authority (HRA) for Network Access Protection (NAP).
Print and Document Services Supports centralized management of document tasks, including network scanners and networked printers.
Remote Access Supports Seamless Connectivity, Always On, and Always Managed features based on DirectAccess. Also supports Remote Access through virtual private network (VPN) and dial-up connections.
Remote Desktop Services (RDS) Supports access to virtual desktops, session-based desktops, and RemoteApp programs.
Volume Activation Services Allows you to automate and simplify the management of volume license keys and volume key activation. Allows you to manage a Key Management Service (KMS) host or configure AD DS–based activation for computers that are members of the domain.
Web Server (IIS) The Windows Server 2012 web server component.
Windows DS Allows you to deploy server operating systems to clients over the network.
Windows Server Update Services (WSUS) Provides a method of deploying updates for Microsoft products to network computers.
When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s configuration (such as firewall settings), to support the role. Windows Server 2012 also automatically deploys role dependencies simultaneously. For example, when you install the WSUS role, the Web Server (IIS) role components that are required to support the WSUS role are also installed automatically.
You add and remove roles using the Add Roles and Features Wizard, which is available from the Windows Server 2012 Server Manager console. If you are using Server Core, then you can also add and remove roles using the Install-WindowsFeature and Remove-WindowsFeature Windows PowerShell cmdlets.
Question: Which roles are often co-located on the same server?
What Are the Features of Windows Server 2012?
Windows Server 2012 features are independent components that often support role services or support the server directly.
For example, Windows Server Backup is a feature as it only provides backup support for the local server. It is not a resource that can be used by other servers on the network.
Windows Server 2012 includes the features that are listed in the following table.
Feature Description
.NET Framework 3.5 Features Installs .NET Framework 3.5 technologies.
.NET Framework 4.5 Features Installs .NET Framework 4.5 technologies. This feature is installed by default.
Background Intelligent Transfer Service (BITS) Allows asynchronous transfer of files to ensure that other network applications are not adversely impacted.
Windows BitLocker® Drive Encryption Supports full-disk and full-volume encryption, and startup environment protection.
BitLocker network unlock Provides a network-based key protector that can unlock locked BitLocker–protected domain-joined operating systems.
Windows BranchCache® Allows the server to function as either a hosted cache server or a BranchCache content server for BranchCache clients.
Client for NFS Provides access to files stored on network file system (NFS) servers.
Data Center Bridging Allows you to enforce bandwidth allocation on Converged Network Adapters.
Enhanced Storage Provides support for additional functionality available in Enhanced Storage Access (IEEE 1667 protocol) device, including data access restrictions.
Failover Clustering A high-availability feature that allows Windows Server 2012 to participate in failover clustering.
Group Policy Management An administrative management tool for administering Group Policy across an enterprise.
Ink and Handwriting Services Allows use of Ink Support and Handwriting Recognition.
Internet Printing Client Supports use of Internet Printing Protocol.
IP Address Management (IPAM) Server Centralized management of IP address and namespace infrastructure.
Internet SCSI (iSCSI) Target Storage Provider Provides iSCSI target and disk management services to Windows Server 2012.
Internet Storage Name Service (iSNS) Server service Supports discovery services of iSCSI storage area networks (SANs).
Line Printer Remote (LPR) Port Monitor Allows the computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD) service.
Management Open Data Protocol (OData) IIS Extension Allows you to expose Windows PowerShell cmdlets through an OData–based web service running on the IIS platform.
Media Foundation Supports media file infrastructure.
Message Queuing Supports message delivery between applications.
Multipath input/output (I/O) Supports multiple data paths to storage devices.
Network Load Balancing (NLB) Allows traffic to be distributed in a load balanced manner across multiple servers that host the same stateless application.
Peer Name Resolution Protocol (PNRP) Name resolution protocol that allows applications to resolve names on the computer.
Quality Windows Audio Video Experience Supports audio and video streaming applications on IP home networks.
Remote Access Server (RAS) Connection Manager Administration Kit Allows you to create connection manager profiles that simplify remote access configuration deployment to client computers.
Remote Assistance Allows remote support through invitations.
Remote Differential Compression (RDC) Transfers the differences between files over a network, minimizing bandwidth utilization.
Remote Server Administration Tools Collection of consoles and tools for remotely managing roles and features on other servers.
Remote Procedure Call (RPC) over HTTP Proxy Relays RPC traffic over HTTP as an alternative to VPN connections.
Simple TCP/IP Services Supports basic TCP/IP services, including Quote of the Day.
Simple Mail Transfer Protocol (SMTP) Server Supports transfer of email messages.
Simple Network Management Protocol (SNMP) Service Includes SNMP agents that are used with the network management services.
Subsystem for UNIX-based Applications Supports Portable Operating System Interface for UNIX (POSIX)–compliant UNIX-based applications.
Telnet Client Allows outbound connections to Telnet servers and other Transmission Control Protocol (TCP)-based services.
Telnet Server Allows clients to connect to the server using the Telnet protocol.
Trivial File Transfer Protocol (TFTP) Client Allows you to access TFTP servers.
User Interfaces and Infrastructure Contains the components necessary to support the graphical interface installation option on Windows Server 2012. On graphical installations, this feature is installed by default.
Windows Biometric Framework (WBF) Allows use of fingerprint devices for authentication.
Windows Feedback Forwarder Supports sending of feedback to Microsoft when joining a Customer Experience Improvement Program (CEIP).
Windows Identity Foundation 3.5 Set of .NET Framework classes that support implementing claims based identity on .NET applications.
Windows Internal Database Relational data store that can only be used by Windows roles and features such as WSUS.
Windows PowerShell Task-based command-line shell and scripting language used to administer computers running Windows operating systems. This feature is installed by default.
Windows PowerShell Web Access Allows remote management of computers by running Windows PowerShell sessions in a web browser.
Windows Process Activation Service (WAS) Allows applications hosting WCF services that do not use HTTP protocols to use features of IIS.
Windows Search service Allows fast searches of files hosted on a server for clients compatible with the Windows Search Service.
Windows Server Backup Backup and recovery software for Windows Server 2012.
Windows Server Migration Tools Collection of Windows PowerShell cmdlets that assist in the migration of server roles, operating system settings, files, and shares from computers running previous versions of Windows Server operating systems to Windows Server 2012.
Windows Standards-Based Storage Management Set of Application Programming Interfaces (APIs) that allow the discovery, management, and monitoring of storage devices that use standards such as Storage Management Initiative Specification (SMI-S).
Windows System Resource Manager (WSRM) Allows you to control the allocation of CPU and memory resources.
Windows TIFF IFilter Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.
WinRM IIS Extension Windows Remote Management for IIS.
Windows Internet Naming Service (WINS) Server Supports name resolution for NetBIOS names.
Wireless local area network (LAN) Service Allows the server to use a wireless network interface.
Windows on Windows (WoW) 64 Support Supports running 32-bit applications on Server Core installations. This feature is installed by default.
XPS Viewer Supports the viewing and signing of documents in XPS formats.
Features on Demand
Features on Demand is a Windows Server 2012 installation option where features are not available directly on the deployed server, but can be added if you have access to a remote source, such as a mounted image of the full operating system. The advantage of a Features on Demand installation is that it requires less hard disk space than a traditional installation. The disadvantage is that you must have access to a mounted installation source if you want to add a role or feature, something that is not necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.
Question: Which feature do you need to install to support NetBIOS name resolution for client computers running a Microsoft Windows NT 4.0 workstation?
Lesson 2
Overview of Windows Server 2012 Management
Initially configuring a server correctly can save you from substantial problems later. Windows Server 2012 provides multiple tools to perform specific administrative tasks, each of which is appropriate for a given set of circumstances. The Windows Server 2012 management interface also enhances the ability for administrators to perform administrative tasks on more than one server simultaneously.
In this lesson you will learn about the different management tools that you can use to perform administrative tasks on computers that are running the Windows Server 2012 operating system.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Server Manager.
• Describe how to use administrative tools.
• Describe how to use Server Manager to perform a variety of tasks.
• Describe how to configure services.
• Describe how to configure remote management.
What Is Server Manager?
Server Manager is the primary graphical tool that you will use to manage computers running Windows Server 2012. You can use the Server Manager console to manage both the local server and remote servers. You can also manage servers as groups. By managing servers as groups, you can perform the same administrative tasks quickly across multiple servers that either perform the same role, or are members of the same group.
You can use the Server Manager console to perform the following tasks on both local servers and remote servers:
• Add roles and features
• Launch Windows PowerShell sessions
• View events
• Perform server configuration tasks
Best Practice Analyzers
Server Manager includes a Best Practices Analyzer tool for all Windows Server 2012 roles. With Best Practices Analyzer, you can determine whether roles on your network are functioning efficiently or if there are problems that you need to remediate. Best Practices Analyzer examines how a role functions—including querying associated event logs for warning and error events—so you can be aware of health issues associated with specific roles before those health issues cause a failure that impacts the server functionality.
Administrative Tools
When you use Server Manager to perform a specific role-related or feature-related administrative task, the console launches the appropriate administrative tool. When you install a role or feature using Server Manager locally or remotely, the appropriate administrative tool is also loaded. For example, if you use Server Manager to install the DHCP role on another server, the DHCP console will automatically be installed on the local server. You can install the complete set of administrative tools for Windows Server 2012 by installing the Remote Server Administration Tools feature.
The tools that administrators most commonly use (aside from Windows PowerShell, which you will learn about in Lesson 5) include:
• Active Directory Administrative Center. With this console, you can perform Active Directory administrative tasks such as raising domain and forest functional levels and enabling the Active Directory Recycle Bin. You also use this console to manage Dynamic Access Control.
• Active Directory Users and Computers. With this tool, you can create and manage Active Directory users, computers, and groups. You can also use this tool to create Organizational Units (OUs).
• DNS Console. With the DNS console, you can configure and manage the DNS Server role. This includes creating forward and reverse lookup zones and managing DNS records.
• Event Viewer. You can use the Event Viewer to view events recorded in the Windows Server 2012 event logs.
• Group Policy Management Tool. With this tool, you can edit Group Policy Objects (GPOs) and manage their application in AD DS.
• IIS Manager Tool. You can use this tool to manage websites.
• Performance Monitor. You can use this console to view and record performance data by selecting counters associated with specific resources that you want to monitor.
• Resource Monitor. You can use this console to view real-time information on CPU, memory, disk and network utilization.
• Task Scheduler. You can use this console to manage the execution of scheduled tasks.
You can access each of these tools from the Tools menu in Server Manager.
Note: You can also pin frequently used tools to the Windows Server 2012 taskbar, or to the Start menu.
Demonstration: Using Server Manager
In this demonstration, you will see how Server Manager is used to perform the following tasks:
• Log on to Windows Server 2012 and view the Windows Server 2012 desktop.
• Add a feature by Using the Add Roles and Features Wizard.
• View role-related events.
• Run the Best Practice Analyzer for a role.
• List the tools available from Server Manager
• Restart Windows Server 2012.
Demonstration Steps
Log on to Windows Server 2012 and view the Windows Server 2012 desktop
• Log on to LON-DC1, and then close the Server Manager console.
Add a feature by Using the Add Roles and Features Wizard
1. Open Server Manager from the taskbar.
2. Start the Add Roles and Features Wizard.
3. Select Role-based or featured-based installation.
4. Select Select a server from the server pool, verify that LON-DC1.Adatum.com is selected, and then click Next.
5. On the Select server roles page, select Fax Server.
6. In the Add Roles and Features Wizard dialog box, click Add Features.
7. On the Select features page, click BranchCache.
8. On the Fax Server page, click Next.
9. On the Print and Document Services page, click Next.
10. On the Select role services page, click Next.
11. On the Confirmation page, select the Restart the destination server automatically if required check box, click Yes, click Install and then click Close.
12. Click the flag icon next to Server Manager Dashboard, and review the messages.
View role-related events
1. Click the Dashboard node.
2. In the Roles and Server Groups pane, under DNS, click Events.
3. On the DNS - Events Detail View, change the time period to 48 hours, and the Event Sources to All.
Run the Best Practice Analyzer for a role
1. Under DNS, click BPA results.
2. Select All on the Severity Levels drop-down menu, and then click OK.
List the tools available from Server Manager
• Click on the Tools menu, and review the tools that are installed on LON-DC1.
Log off the currently logged-on user
1. On the Start menu, click Administrator, and then click Sign Out.
2. Log on to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.
Restart Windows Server 2012
In a Windows PowerShell window, type the following command, and then press Enter:

shutdown /r /t 60

The Windows PowerShell cmdlet Restart-Computer performs the same task.

Configuring Services
Services are programs that run in the background and provide services to clients and the host server. You can manage services through the Services console, which is available through the Tools menu in Server Manager. When securing a computer, you should disable all services except those that are required by the roles, features, and applications that are installed on the server.

Startup Types
Services use one of the following startup types:
• Automatic. The service starts automatically when the server boots.
• Automatic (Delayed Start). The service starts automatically after the server has booted.
• Manual. The service must be started manually, either by a program or by an administrator.
• Disabled. The service is disabled and cannot be started.

Note: If a server is behaving problematically, open the Services console, sort by startup type, and then locate those services that are configured to start automatically, and which are not in a running state.

Service Recovery
Recovery options determine what a service does in the event that it fails. You access the Recovery tab by opening the properties window of the service, for example the DNS Server Properties window. On the Recovery tab, you have the following recovery options:
• Take no action. The service remains in a failed state until attended to by an administrator.
• Restart the Service. The service restarts automatically.
• Run a Program. Allows you to run a program or a script.
• Restart the Computer. The computer restarts after a preconfigured number of minutes.

You can configure different recovery options for the first failure, the second failure, and subsequent failures. You can also configure a period of time after which the service failure clock resets.

Managed Service Accounts
Managed service accounts are special domain-based accounts that you can use with services. The advantage of a managed service account is that the account password is rotated automatically according to a schedule. These password changes are automatic, and do not require administrator intervention. This minimizes the chance that the service account password will be compromised, something that happens because administrators traditionally assign simple passwords to service accounts, reuse the same account for a service across a large number of servers, and never update those passwords. Virtual accounts are service-specific accounts that are local rather than domain-based. The password for virtual accounts is rotated and managed by the operating system.

Question: What is the advantage of a managed service account compared with a traditional domain-based service account?
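The following Windows PowerShell script is an added example, not part of the course text, that puts the two preceding topics into practice: it audits services that are set to start automatically but are not running, disables a service that no installed role needs, sets the same recovery actions that the Recovery tab exposes, and moves a service onto a group managed service account so that its password is rotated by the domain. The domain name adatum.com, the host LON-SVR1, the service name AdatumApp, the account name svc-adatumapp and the script path C:\Scripts\NotifyAdmin.cmd are assumptions chosen for illustration.

```powershell
# Added example (not course code). Run elevated. Assumed names: domain
# adatum.com, member server LON-SVR1, an existing service "AdatumApp",
# a gMSA "svc-adatumapp", and a notification script C:\Scripts\NotifyAdmin.cmd.

# 1. The Note above: services that should be running but are not.
#    Win32_Service is queried because Get-Service output on Windows Server
#    2012 does not expose the startup type.
function Get-StalledAutoService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State, StartName
}

# 2. Least privilege: a Disabled service cannot be started at all, so an
#    attacker with a local account cannot simply "net start" it later.
function Disable-UnneededService {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service -Name $n -StartupType Disabled
    }
}

# 3. Recovery tab from the command line: restart on the first and second
#    failure, run a script on the third, and reset the failure counter after
#    one day (86400 s). sc.exe requires the space after every "=".
function Set-ServiceRecovery {
    param([Parameter(Mandatory)][string]$Name,
          [string]$OnThirdFailure = 'C:\Scripts\NotifyAdmin.cmd')
    sc.exe failure $Name reset= 86400 actions= restart/60000/restart/60000/run/1000 command= "$OnThirdFailure"
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE for $Name" }
}

# 4. On a domain controller: create the KDS root key once per forest, then a
#    gMSA whose password only LON-SVR1 may retrieve. The backdated
#    -EffectiveTime is for a lab; in production use -EffectiveImmediately and
#    wait ten hours for replication before creating accounts.
function New-AdatumServiceAccount {
    Import-Module ActiveDirectory
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }
    New-ADServiceAccount -Name 'svc-adatumapp' `
        -DNSHostName 'svc-adatumapp.adatum.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'LON-SVR1$'
}

# 5. On LON-SVR1 (needs the RSAT-AD-PowerShell feature): install the account
#    locally, prove the host can fetch its password, then re-point the
#    service. The password argument is deliberately empty: Windows retrieves
#    it from the domain. Unlike the Services console, sc.exe does not grant
#    the "Log on as a service" right; grant it by Group Policy.
function Use-AdatumServiceAccount {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svc-adatumapp'
    if (-not (Test-ADServiceAccount -Identity 'svc-adatumapp')) {
        throw 'LON-SVR1 cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword and replication.'
    }
    sc.exe config AdatumApp obj= 'ADATUM\svc-adatumapp$' password= ''
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config returned $LASTEXITCODE" }
    Restart-Service -Name AdatumApp
}

# Usage on LON-SVR1:
#   Get-StalledAutoService | Format-Table -AutoSize
#   Set-ServiceRecovery -Name 'DNS'
#   Disable-UnneededService -Name 'Fax'
#   Use-AdatumServiceAccount
```

Run Get-StalledAutoService before and after a reboot and compare: a service that is Auto but stopped after every boot is either failing or depends on something that starts later, which is the case for switching it to Automatic (Delayed Start) rather than for leaving it in that state.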
Configuring Remote Management
You rarely perform systems administration from the server room. Almost all tasks that you perform on a daily basis will be performed using remote management technologies. With Windows Remote Management (WinRM), you can use Remote Shell, remote Windows PowerShell, and remote management tools to manage a computer remotely.

You can enable Remote Management from Server Manager by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. In the Properties dialog box for the local server, click the value next to Remote Management. (On Windows Server 2012 Remote Management is enabled by default, so this value normally reads Enabled.) This opens the Configure Remote Management dialog box.
3. In the Configure Remote Management dialog box, select the Enable Remote Management Of This Server From Other Computers check box, and then click OK.

You can enable WinRM from the command line by running the command winrm quickconfig (short form: winrm qc), which starts the WinRM service and creates an HTTP listener. Configure-SMRemoting.exe -Enable and Configure-SMRemoting.exe -Disable switch Server Manager remote management on and off. You can disable Remote Management by using the same method that you use to enable it. You can disable remote management on a computer running the Server Core installation option using the sconfig.cmd tool.

Remote Desktop
Remote Desktop is the traditional method by which systems administrators remotely connect to the servers that they manage. You can configure Remote Desktop on a computer that is running the full version of Windows Server 2012 by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. Next to Remote Desktop, click Disabled.
3. In the System Properties dialog box, on the Remote tab, select one of the following options:
o Don't allow connections to this computer. The default state of Remote Desktop is disabled.
o Allow connections from computers running any version of Remote Desktop. Allows connections from Remote Desktop clients that do not support Network Level Authentication.
o Allow connections only from computers running Remote Desktop with Network Level Authentication. Allows secure connections from computers running Remote Desktop clients that support Network Level Authentication (NLA). Prefer this option: with NLA the client must authenticate before a session is created, so an unauthenticated connection never reaches the logon screen.

You can enable and disable Remote Desktop on computers that are running the Server Core installation option by using the sconfig.cmd command-line tool.
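The script below is an added example, not part of the course text, showing the same Remote Desktop and WinRM settings as the steps above, but applied and verified from Windows PowerShell so that the result can be checked on many servers. It enables Remote Desktop with Network Level Authentication enforced, opens only the Remote Desktop firewall rule group, and checks that WinRM rejects Basic authentication and unencrypted traffic. The registry paths and WSMan: provider paths are the standard ones on Windows Server 2012; the hardening policy (no Basic auth, no unencrypted WinRM) is this example's choice, not something the course prescribes.

```powershell
# Added example (not course code). Run elevated on the server being configured.

function Enable-RemoteDesktopWithNla {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"
    # fDenyTSConnections = 0 is "Allow connections"; UserAuthentication = 1 is
    # the "only from computers running Remote Desktop with Network Level
    # Authentication" option from the System Properties Remote tab.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $rdp -Name UserAuthentication  -Value 1 -Type DWord
    # Open only the built-in Remote Desktop rule group (TCP 3389), nothing wider.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Test-RemoteDesktopNla {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"
    [pscustomobject]@{
        ConnectionsAllowed = ((Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0)
        NlaRequired        = ((Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication -eq 1)
    }
}

function Set-WinRmHardening {
    # Same effect as "winrm quickconfig" when no listener exists yet.
    if (-not (Get-ChildItem -Path WSMan:\localhost\Listener)) {
        Enable-PSRemoting -Force
    }
    # Basic auth sends credentials merely base64-encoded; AllowUnencrypted lets
    # the SOAP payload travel in clear text over HTTP. Both are off by default;
    # setting them explicitly guards against someone having turned them on.
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic        -Value $false
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted  -Value $false
}

function Test-WinRmHardening {
    # The WSMan: drive needs the WinRM service to be running.
    $basic  = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    $unenc  = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $listen = @(Get-ChildItem -Path WSMan:\localhost\Listener)
    [pscustomobject]@{
        BasicAuthDisabled  = ($basic -eq 'false')
        EncryptionRequired = ($unenc -eq 'false')
        ListenerCount      = $listen.Count
    }
}

# Usage:
#   Enable-RemoteDesktopWithNla; Test-RemoteDesktopNla
#   Set-WinRmHardening;          Test-WinRmHardening
```

Run the two Test- functions from a remote session (Invoke-Command -ComputerName LON-SVR1 { ... }) to verify that a server's remote-access posture matches the standard before it is placed in production; a server reporting NlaRequired = False accepts connections from any RDP client that can reach port 3389 without first authenticating.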
Lesson 3
Installing Windows Server 2012
When preparing to install Windows Server 2012, you need to understand whether a particular hardware configuration is appropriate. You also need to know whether a Server Core deployment might be more suitable than a full graphical user interface (GUI) deployment, and which installation source allows you to deploy Windows Server 2012 in an efficient manner.

In this lesson you will learn about the process of installing Windows Server 2012, including the methods that you can use to install the operating system, the different installation options, the minimum system requirements, and the decisions that you need to make when using the Installation Wizard.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the different methods that you can use to install Windows Server 2012.
• Identify the different installation types that you can choose when installing Windows Server 2012.
• Determine whether a computer or virtual machine meets the minimum hardware requirements necessary to install Windows Server 2012.
• Describe the decisions that you need to make when performing a Windows Server 2012 installation.

Installation Methods
Microsoft distributes Windows Server 2012 on optical media and in an .iso image format. The ISO format is becoming more common as organizations acquire software over the Internet rather than physically.

Once you have the operating system from Microsoft, you can then use your own method to deploy the operating system. You can install Windows Server 2012 by using a variety of methods, including the following:
• Optical Media
o Disadvantages include:
    Requires that the computer has access to a DVD-ROM drive.
    Is usually slower than USB media.
    You cannot update the installation image without replacing the media.
    You can only perform one installation per DVD-ROM at a time.
• USB Media
o Advantages include:
    Most modern computers can boot from USB media.
    The image can be updated as new software updates and drivers become available.
The answer file can be stored on a USB drive, minimizing the amount of interaction that the administrator must perform.
o Disadvantages include:
It requires the administrator to perform special steps to prepare USB media from ISO file.
• Mounted ISO image
o Advantages include:
With virtualization software, you can mount the ISO image directly, and install Windows Server 2012 on the virtual machine.
• Network Share
o Advantages include:
It is possible to boot a server off a boot device (DVD or USB drive) and install from installation files hosted on a network share.
o Disadvantages include:
This method is much slower than using Windows Deployment Services. If you already have access to a DVD or USB media, it is simpler to use those tools for operating system deployment.
• Windows Deployment Services (WDS)
o Advantages include:
You can deploy Windows Server 2012 from WIM image files or specially prepared VHD files.
You can use the Windows Assessment and Deployment Kit (ADK), which replaced the Windows Automated Installation Kit (AIK) for Windows Server 2012, together with the Microsoft Deployment Toolkit (MDT), to configure lite-touch deployment.
Clients perform a Pre-Boot eXecution Environment (PXE) boot to contact the WDS server, and the operating system image is transmitted over the network to the server being installed. Because a PXE client accepts the boot program from whichever server answers first, restrict PXE booting and the WDS server to trusted network segments.
WDS allows multiple concurrent installations of Windows Server 2012 using multicast network transmissions.
• System Center Configuration Manager
o Advantages include:
System Center Configuration Manager allows you to fully automate the deployment of Windows Server 2012 to new servers that do not have an operating system installed. This process is called Zero Touch deployment.
• Virtual Machine Manager Templates
o Advantages include:
Windows Server 2012 is usually deployed in private cloud scenarios from preconfigured virtual machine templates. You can configure multiple components of the System Center suite to allow self-service deployment of Windows Server 2012 virtual machines.
Question: What is another method that you can use to deploy Windows Server 2012?
Installation Types
How you deploy Windows Server 2012 on a specific server depends on the circumstances of that deployment. Deploying to a server that is running Windows Server 2008 R2 requires different actions than deploying to a server running an x86 edition of Windows Server 2003.

When you are performing the installation of the Windows Server 2012 operating system, you can choose one of the options in the following table.

Installation Option: Description

Fresh installation: Allows you to perform a fresh install on a new disk or volume. Fresh installations are the most frequently used, and take the shortest amount of time. You can also use this option to configure Windows Server 2012 to perform a dual boot if you want to keep the existing operating system.

Upgrade: An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all of these items and want to continue to use the same server hardware. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2008 with Service Pack 2 and Windows Server 2008 R2 with Service Pack 1; Windows Server 2003 and Windows Server 2003 R2 cannot be upgraded in place, and require a fresh installation followed by migration. You can only upgrade to an equivalent or newer edition of Windows Server 2012. You launch an upgrade by running setup.exe from within the original operating system.

Migration: Use migration when moving from Windows Server 2003, Windows Server 2003 R2, or an x86 version of Windows Server 2008, none of which support an in-place upgrade to Windows Server 2012. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.

When you perform a fresh installation, you can deploy Windows Server 2012 to an unpartitioned disk, or to an existing volume. You can also install Windows Server 2012 to a specially-prepared VHD file in a “boot to VHD” scenario. Boot to VHD requires special preparation and is not an option that you can choose when performing a typical installation using the Windows Setup wizard.
Hardware Requirements for Windows Server 2012
Hardware requirements define the minimum hardware that is required to run the Windows Server 2012 server. Your actual hardware requirements might be greater, and depend on the services that the server is hosting, the load on the server, and the responsiveness of your server.

Each role service and feature places a unique load on network, disk I/O, processor, and memory resources. For example, the file server role places different stresses on server hardware than the DHCP role.

Windows Server 2012 is supported on Hyper-V® and certain other non-Microsoft virtualization platforms. Windows Server 2012 virtualized deployments need to match the same hardware specifications as physical deployments. For example, when creating a virtual machine to host Windows Server 2012, you need to ensure that you configure the virtual machine with enough memory and hard disk space.

Windows Server 2012 has the following minimum hardware requirements:
• Processor architecture: x86-64
• Processor speed: 1.4 gigahertz (GHz)
• Memory (RAM): 512 megabytes (MB)
• Hard disk drive space: 32 GB, more if the server has more than 16 GB of RAM

The Datacenter edition of Windows Server 2012 supports the following hardware maximums:
• 640 logical processors
• 4 TB of RAM
• 64 failover cluster nodes

Additional Reading: For more information about the Windows Server Virtualization Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.

Question: Why does a server need more hard disk drive space if it has more than 16 GB of RAM?
Installing Windows Server 2012
The process of deploying a server operating system is simpler today than it has been in the past. The person performing the deployment has to make fewer decisions, although the decisions that they do make are critical to the success of the deployment. A typical installation of Windows Server 2012, if you do not have an existing answer file, involves performing the following steps:
1. Connect to the installation source. Options for this include:
o Insert a DVD-ROM containing the Windows Server 2012 installation files, and boot from the DVD-ROM.
o Connect a specially prepared USB drive that hosts the Windows Server 2012 installation files.
o Perform a PXE boot, and connect to a Windows Deployment Services (WDS) server.
2. On the first page of the Windows Setup wizard, select the following:
o Language to install
o Time and currency format
o Keyboard or input method
3. On the second page of the Windows Setup wizard, click Install now. You can also use this page to select Repair Your Computer. Use this option in the event that an installation has become corrupted, and you are no longer able to boot into Windows Server 2012.
4. In the Windows Setup wizard, on the Select The Operating System You Want To Install page, choose from the available operating system installation options. The default option is Server Core Installation.
5. On the License Terms page, review the terms of the operating system license. You must choose to accept the license terms before you can proceed with the installation process.
6. On the Which Type Of Installation Do You Want page, you have the following options:
o Upgrade. Select this option if you have an existing installation of Windows Server that you want to upgrade to Windows Server 2012. You should launch upgrades from within the previous version of Windows Server rather than booting from the installation source.
o Custom. Select this option if you want to perform a new installation.
7. On the Where do you want to install Windows page, choose an available disk on which to install Windows Server 2012. You can also choose to repartition and reformat disks from this page. When you click Next, the installation process will copy files and reboot the computer several times.
8. On the Settings page, provide a password for the local Administrator account.
Lesson 4
Post-Installation Configuration of Windows Server 2012
The Windows Server 2012 installation process involves answering a minimal number of questions. Once you have completed installation, you need to perform several post-installation configuration steps before you can deploy it in a production environment. These steps allow you to prepare the server for the role it will play on your organization’s network.

This lesson covers how to perform a range of post-installation configuration tasks, including configuring network addressing information, setting a server’s name and joining it to the domain, and understanding product activation options.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to use Server Manager to perform post-installation configuration tasks.
• Describe how to configure the network.
• Describe how to join an Active Directory domain.
• Explain how to activate Windows Server 2012.
• Describe how to perform post-installation configuration of a Server Core computer.

Overview of Post-Installation Configuration
Unlike previous versions of Windows operating systems, the Windows Server 2012 installation process minimizes the number of questions that you need to answer. For example, you no longer need to configure network connections, a computer name, a user account, and domain membership information. The only information that you provide during the installation process is the password for the default local Administrator account.

You use the Local Server node in the Server Manager console to perform the following tasks:
• Configure the IP address
• Set the computer name
• Join an Active Directory domain
• Configure the time zone
• Enable automatic updates
• Add roles and features
• Enable remote desktop
• Configure Windows Firewall settings
Configuring Server Network Settings
To communicate on the network, a server needs correct IP address information. Once you have completed installation, you need to either set or check the server’s IP address configuration. By default, a newly-deployed server attempts to obtain IP address information from a DHCP server. You can view a server’s IP address configuration by clicking the Local Server node in Server Manager.

If the server has an IPv4 address in the APIPA range of 169.254.0.1 to 169.254.255.254, then the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or, if there is a DHCP server, because there is a problem with the network infrastructure that blocks the adapter from receiving an address.

Note: If you are using only an IPv6 network, then an IPv4 address in this range is not problematic, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, “Implementing IPv6.”

Configuration Using Server Manager
You can configure IP address information for a server manually by performing the following steps:
1. In the Server Manager console, click on the address next to the network adapter that you want to configure. This will open the Network Connections window.
2. Right-click on the network adapter for which you want to configure an address, and then click Properties.
3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4 address information, and then click OK twice:
o IP address
o Subnet Mask
o Default Gateway
o Preferred DNS server
o Alternate DNS server

Command-Line IPv4 Address Configuration
You can set IPv4 address information manually from an elevated command prompt by using the netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following command:

netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0

On Windows Server 2012 the first network adapter is named Ethernet by default rather than Local Area Connection; use the name shown in the Network Connections window.
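As an added example that is not part of the course text, the following Windows PowerShell script performs the same configuration as the Server Manager steps and the netsh.exe command above, using the NetTCPIP and DnsClient cmdlets that ship with Windows Server 2012. It first detects whether the adapter is sitting on an APIPA address, then assigns a static address, default gateway and DNS server, and finally verifies the result by resolving the domain controller. The adapter alias Ethernet, the addresses 10.10.10.10/24, the gateway 10.10.10.1, the DNS server 10.10.10.5 and the host name LON-DC1.adatum.com are assumptions taken from, or chosen to match, the course's lab network.

```powershell
# Added example (not course code). Run elevated on the server. Assumed values:
# adapter alias "Ethernet", address 10.10.10.10/24, gateway 10.10.10.1,
# DNS server 10.10.10.5, domain controller LON-DC1.adatum.com.

function Test-ApipaAddress {
    param([string]$InterfaceAlias = 'Ethernet')
    # 169.254.0.0/16 means the DHCP client never received a lease.
    $addr = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction Stop
    @($addr | Where-Object { $_.IPAddress -like '169.254.*' }).Count -gt 0
}

function Set-StaticIPv4 {
    param(
        [string]$InterfaceAlias = 'Ethernet',
        [string]$IPAddress      = '10.10.10.10',
        [int]$PrefixLength      = 24,               # 255.255.255.0
        [string]$Gateway        = '10.10.10.1',
        [string[]]$DnsServers   = @('10.10.10.5')
    )
    # Stop DHCP on the adapter, then clear any lease/APIPA address and default
    # route so the interface ends up with exactly one IPv4 address.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    # Equivalent of the Preferred/Alternate DNS server fields.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
}

function Test-StaticIPv4 {
    param([string]$InterfaceAlias = 'Ethernet', [string]$DcName = 'LON-DC1.adatum.com')
    $ip  = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $dns = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    [pscustomobject]@{
        Address      = $ip.IPAddress
        PrefixOrigin = $ip.PrefixOrigin          # "Manual" once static
        DnsServers   = $dns.ServerAddresses
        DcResolves   = [bool](Resolve-DnsName -Name $DcName -ErrorAction SilentlyContinue)
    }
}

# Usage:
#   if (Test-ApipaAddress) { Set-StaticIPv4 }
#   Test-StaticIPv4
```

Checking PrefixOrigin and DcResolves together catches the two common post-installation failures: an address that silently reverted to DHCP or APIPA, and a static address whose DNS server cannot resolve the domain, which is the usual cause of a later domain-join error.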
You can use the same context of the netsh.exe command to configure DNS configuration. For example, to configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as the primary DNS server, type the following command:

netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary

You will learn more about configuring IPv4 in Module 5, “Implementing IPv4.”

Network Card Teaming
With Network Card Teaming, you can increase the availability of a network resource. When you configure Network Card Teaming, a computer uses one network address for multiple cards. In the event that one of the cards fails, the computer is able to maintain communication with other hosts on the network that are using that shared address. Network card teaming does not require that the network cards be the same model or use the same driver. To team network cards, perform the following steps:
1. Ensure that the server has more than one network adapter.
2. In Server Manager, click the Local Server node.
3. Next to Network Adapter Teaming, click Disabled. This will launch the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, hold down the Ctrl key, and then click each network adapter that you want to add to the team.
5. Right-click on these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, provide a name for the team, and then click OK.

How to Join the Domain
When you install Windows Server 2012, the computer is assigned a random name. Prior to joining a domain, you should configure the server with the name it will use in the domain. As a best practice, you should use a consistent naming scheme when devising a computer name. Computers should be given names that reflect their function and location, not names with personal ties, such as pet names, or fictional or historical characters. It is simpler for everyone to determine that a server named MEL-DNS1 is a DNS server in Melbourne, than it is to determine that a server named Copernicus holds the DNS role in the Melbourne office.

You change this name using the Server Manager console by performing the following steps:
1. In Server Manager, click the Local Server node.
2. In the Properties window, click the active text next to Computer Name. This will launch the System Properties dialog box.
3. In the System Properties dialog box, in the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, enter the new name that you want to assign to the computer.
5. Restart the computer to implement the name change.
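The following Windows PowerShell script is an added example, not part of the course text, that covers the two procedures above from the command line: it builds a switch-independent NIC team with the NetLbfo cmdlets included in Windows Server 2012, verifies that every member is active, and renames the computer with Rename-Computer. The adapter names Ethernet and Ethernet 2, the team name Team1 and the computer name MEL-DNS1 are assumptions for illustration.

```powershell
# Added example (not course code). Run elevated. Assumed adapters "Ethernet"
# and "Ethernet 2", team name "Team1", new computer name "MEL-DNS1".

function New-AdatumTeam {
    param([string]$Name = 'Team1',
          [string[]]$Members = @('Ethernet', 'Ethernet 2'))
    # Step 1 of the procedure: refuse to build a team from adapters that are
    # absent or down, otherwise the team is created Degraded.
    $up      = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }).Name
    $missing = @($Members | Where-Object { $_ -notin $up })
    if ($missing.Count -gt 0) {
        throw "Adapters not found or not up: $($missing -join ', ')"
    }
    # Switch-independent mode needs no configuration on the switch; the
    # TransportPorts algorithm spreads outbound flows across the members.
    New-NetLbfoTeam -Name $Name -TeamMembers $Members `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
        -Confirm:$false
}

function Test-AdatumTeam {
    param([string]$Name = 'Team1')
    $team    = Get-NetLbfoTeam -Name $Name
    $members = @(Get-NetLbfoTeamMember -Team $Name)
    $failed  = @($members | Where-Object { $_.OperationalStatus -ne 'Active' })
    [pscustomobject]@{
        Team          = $team.Name
        Status        = $team.Status          # Up, Degraded or Down
        MemberCount   = $members.Count
        FailedMembers = ($failed | ForEach-Object { $_.Name }) -join ','
    }
}

function Rename-AdatumServer {
    param([Parameter(Mandatory)][string]$NewName)
    # NetBIOS names are limited to 15 characters and may not contain spaces
    # or characters such as \ / : * ? " < > | ; fail early rather than after
    # the reboot.
    if ($NewName.Length -gt 15 -or $NewName -match '[\\/:*?"<>| ]') {
        throw "'$NewName' is not a valid computer name"
    }
    Rename-Computer -NewName $NewName -Force -Restart
}

# Usage:
#   New-AdatumTeam; Test-AdatumTeam
#   Rename-AdatumServer -NewName 'MEL-DNS1'
```

After the team is created, the individual adapters no longer carry IP settings; the team interface (also named Team1) does, so assign the static address to that interface rather than to a member.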
Prior to joining the domain, be sure to complete the following steps to verify that the new server is ready to be domain-joined:
• Ensure that you are able to resolve the IP address of the domain controller and contact that domain controller. Using the Ping tool to ping the domain controller by hostname accomplishes both of these goals.
• Complete one of the following tasks:
o Create a computer account in the domain that matches the name of the computer that you want to join to the domain. This is often done when large numbers of computers need to be joined to the domain automatically.
o Join the computer to the domain using a security account that has the right to perform domain-join operations.
• Verify that the security account that is used for the domain operation already exists within the domain.

Now that you have renamed your Windows Server 2012 server and have verified that it is ready to be domain-joined, you can join the server to the domain.

To join the domain using Server Manager, perform the following steps:
1. In Server Manager, click the Local Server node.
2. In the Properties window, next to Workgroup, click WORKGROUP.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option. Enter the new domain name, and then click OK.
5. In the Windows Security dialog box, enter domain credentials that allow you to join the computer to the domain.
6. Restart the computer.

Performing Offline Domain Join
Offline Domain Join is a feature you can use to join a computer to the domain when that computer does not have an active network connection. This feature can be useful in situations where connectivity is intermittent, such as when you are deploying a server to a remote site connected via satellite uplink, for example, if you were deploying servers to locations in Outback Australia or islands in the South Pacific.

Use the djoin.exe command-line tool to perform offline domain join. You can perform an offline domain join by performing the following steps:
1. Log on to the domain controller with a user account that has the appropriate rights to join other computers to the domain.
2. Open an elevated command prompt and use the djoin.exe command with the /provision option. You also need to specify the domain to which you want to join the computer, the name of the computer you will be joining to the domain, and the name of the savefile that you will transfer to the target of the offline domain join. For example, to join the computer Canberra to the domain adatum.com using the savefile Canberra-join.txt, type the following command:

djoin.exe /provision /domain adatum.com /machine canberra /savefile c:\canberra-join.txt

3. Transfer the generated savefile to the new computer, and then run the djoin.exe command with the /requestODJ option. For example, to perform the offline domain join, after transferring the savefile Canberra-join.txt to computer Canberra, you would run the following command from an elevated command prompt on Canberra:

djoin.exe /requestODJ /loadfile canberra-join.txt /windowspath %systemroot% /localos

4. Restart the computer to complete the domain-join operation.

The savefile contains the password of the newly created computer account; protect it in transit and delete it once the join has completed.

Question: In what situation would you perform an offline domain join rather than a traditional domain join?

Activating Windows Server 2012
You must activate every copy of Windows Server 2012 that you install, to ensure that your organization is correctly licensed and to receive notices for product updates. Windows Server 2012 requires activation after installation. Unlike previous versions of the Windows server operating system, there is no longer an activation grace period. If you do not perform activation, you cannot perform operating system customization. There are two general strategies that you can use for activation:
• Manual activation. Suitable when you are deploying a small number of servers.
• Automatic activation. Suitable when you are deploying larger numbers of servers.

With manual activation, you enter the product key and the server contacts Microsoft, or an administrator performs the activation over the phone or through a special clearinghouse website.

You can perform manual activation from the Server Manager console by performing the following steps:
1. Click the Local Server node.
2. In the Properties window, next to Product ID, click Not Activated.
3. In the Windows Activation dialog box, enter the product key, and then click Activate.
4. If a direct connection cannot be established to the Microsoft activation servers, details will display about performing activation using a website from a device that has an Internet connection, or by using a local telephone number.

Because computers running the Server Core installation option do not have the Server Manager console, you can perform manual activation using the slmgr.vbs command. Use the slmgr.vbs /ipk command to enter the product key, and slmgr.vbs /ato to perform activation once the product key is installed.
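The following Windows PowerShell script is an added example, not part of the course text, that automates the pre-join checks, the online join and the offline domain join described above. It locates a domain controller through the _ldap._tcp.dc._msdcs SRV record instead of a hard-coded name, joins online with Add-Computer, and wraps the two djoin.exe commands so that a failed provision or request is detected and the savefile, which carries the new computer account's password, is access-restricted and removed after use. The domain adatum.com, the computer name canberra, the OU path and the folder C:\odj are assumptions; the djoin.exe switches are the ones shown in the text.

```powershell
# Added example (not course code). Run elevated. Assumed: domain adatum.com,
# target computer "canberra", OU "OU=Servers,DC=adatum,DC=com", folder C:\odj.

function Test-DomainJoinReady {
    param([string]$Domain = 'adatum.com')
    # The SRV record lists the domain controllers; resolving it proves the DNS
    # client points at a server that knows the domain. Pinging the returned
    # host covers the "contact the domain controller" check.
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $srv = @($records | Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) { return $false }
    Test-Connection -ComputerName $srv[0].NameTarget -Count 1 -Quiet
}

function Join-AdatumDomain {
    param([string]$Domain = 'adatum.com',
          [string]$OUPath = 'OU=Servers,DC=adatum,DC=com')
    if (-not (Test-DomainJoinReady -Domain $Domain)) {
        throw "No domain controller for $Domain can be resolved and reached; fix DNS first."
    }
    # Prompt for the join account instead of embedding credentials in a script.
    $cred = Get-Credential -Message "Account permitted to join computers to $Domain"
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -Restart
}

# Offline join, step 2: run on a domain controller (or any domain member with
# the join right). Returns the path of the savefile to transfer.
function New-OfflineJoinBlob {
    param([string]$Domain = 'adatum.com',
          [string]$Machine = 'canberra',
          [string]$SaveFile = "C:\odj\$Machine-join.txt")
    New-Item -ItemType Directory -Path (Split-Path -Path $SaveFile) -Force | Out-Null
    djoin.exe /provision /domain $Domain /machine $Machine /savefile $SaveFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob contains the computer account password: remove inherited ACEs
    # and leave only Administrators with access until it is transferred.
    icacls.exe $SaveFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
    $SaveFile
}

# Offline join, steps 3 and 4: run on the new computer after the transfer.
function Complete-OfflineJoin {
    param([string]$LoadFile = 'C:\odj\canberra-join.txt')
    djoin.exe /requestODJ /loadfile $LoadFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $LoadFile -Force     # the blob is single-use; do not leave it behind
    Restart-Computer -Force
}

# Usage:
#   Join-AdatumDomain                          # online
#   New-OfflineJoinBlob                        # on the DC, then copy C:\odj\canberra-join.txt
#   Complete-OfflineJoin                       # on canberra
```

Test-DomainJoinReady is the check to run first when a join fails with "the domain could not be contacted": if it returns $false the problem is DNS or connectivity, not credentials.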
Previous versions of the Windows Server operating system allowed you to generalize a Windows image using the sysprep utility, but limited the number of times due to activation being rearmed each time you performed this task, and due to an overall limit of three rearms per installation. With Windows Server 2012, you can rearm a deployment up to 999 times.

You can perform manual activation using either the retail product key, or the multiple activation key. You can use a retail product key to activate only a single computer. However, a multiple activation key has a set number of activations that you can use. Using a multiple activation key, you can activate multiple computers up to a set activation limit.

OEM keys are a special type of activation key that are provided to a manufacturer and allow automatic activation when a computer is first powered on. This type of activation key is typically used with computers that are running client operating systems such as Windows 7 and Windows 8. OEM keys are rarely used with computers that are running server operating systems.

Performing activation manually in large-scale server deployments can be cumbersome. Microsoft provides a method of activating large numbers of computers automatically without having to enter product keys on each system manually.

Automatic Activation
In previous versions of the Windows Server operating system, you could use KMS to perform centralized activation of multiple clients. The Volume Activation Services server role in Windows Server 2012 allows you to manage a KMS server through a new interface. This simplifies the process of installing a KMS key on the KMS server. When you install Volume Activation Services, you can also configure Active Directory-based activation. Active Directory-based activation allows automatic activation of domain-joined computers. When you use Volume Activation Services, each computer activated must periodically contact the KMS server to renew its activation status.

You use the Volume Activation Management Tool (VAMT) 3.0 in conjunction with Volume Activation Services to perform activation of multiple computers on networks that are not connected directly to the Internet. You can use VAMT to generate license reports and manage client and server activation on enterprise networks.

Configuring a Server Core Installation
Performing post-installation configuration on a computer running the Server Core installation option can be daunting to administrators that have not performed the task before. Instead of having GUI-based tools that simplify the post-installation configuration process, IT professionals are faced with performing complex configuration tasks from a command-line interface.

The good news is that you can perform the majority of post-installation configuration tasks using the sconfig.cmd command-line tool. Using this utility minimizes the possibility of the administrator making syntax errors when using more complicated command-line utilities.

You can use sconfig.cmd to perform the following tasks:
• Configure Domain and Workgroup information
• Configure the computer’s name
1-30 Deploying and Managing Windows Server 2012
• Add local Administrator accounts
• Configure Remote Management
• Enable Windows Update
• Download and install updates
• Enable Remote Desktop
• Configure Network Address information
• Set the date and time
• Perform Windows Activation
• Enable the Windows Server GUI
• Log off
• Restart the server
• Shut down the server
Configure IP Address Information
You can configure the IP address and DNS information using sconfig.cmd or netsh.exe. To configure IP address information using sconfig.cmd, perform the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 8 to configure Network Settings.
3. Choose the index number of the network adapter to which you want to assign an IP address.
4. In the Network Adapter Settings area, choose between one of the following options:
o Set Network Adapter Address
o Set DNS Servers
o Clear DNS Server Settings
o Return to Main Menu
Change Server Name
You can change a server’s name using the netdom command with the renamecomputer option. For example, to rename a computer to Melbourne, type the following command:
Netdom renamecomputer %computername% /newname:Melbourne
You can change a server’s name using sconfig.cmd by performing the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 2 to configure the new computer name.
3. Type the new computer name, and then press Enter.
You must restart a server for the configuration change to take effect.
Joining the Domain
You can join a Server Core computer to a domain using the netdom command with the join option. For example, to join the adatum.com domain using the Administrator account, and to be prompted for a password, issue the command:
Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*
Note: Prior to joining the domain, verify that you are able to ping the DNS server by hostname.
To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:
1. From a command prompt, run sconfig.cmd.
2. Choose option 1 to configure Domain/Workgroup.
3. To choose the Domain option, type D and then press Enter.
4. Type the name of the domain to which you want to join the computer.
5. Provide the details, in domain\username format, of an account that is authorized to join the domain.
6. Type the password associated with that account.
You must restart the computer to complete the domain join operation.
Adding Roles and Features
You can add and remove roles and features on a computer that is running the Server Core installation option by using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows PowerShell cmdlets. These cmdlets are available after you load the ServerManager Windows PowerShell module.
For example, you can view a list of roles and features that are installed by executing the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}
You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the NLB feature, execute the command:
Install-WindowsFeature NLB
Not all features are directly available for installation on a computer running the Server Core operating system. You can determine which features are not directly available for installation by running the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}
You can add a role or feature that is not directly available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command-line utility.
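As an added example (not from the course), the following Windows PowerShell script ties the InstallState check above to the -Source fallback: it only mounts the installation image with DISM.exe when the feature is in the Removed state, and always unmounts it afterwards. The image path, image index, mount folder, and the default feature name Server-Gui-Mgmt-Infra are assumptions for this example.

```powershell
# Added example: install a feature whose payload is "Removed" on Server Core by
# mounting install.wim with DISM.exe and pointing -Source at its WinSxS folder.
# The paths, image index and feature name below are assumptions for this example.
Import-Module ServerManager

function Install-FeatureFromImage {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ImageFile = 'D:\sources\install.wim',  # assumed: Windows Server 2012 media
        [int]    $Index     = 4,                          # assumed: index of the full (GUI) image
        [string] $MountDir  = 'C:\Mount'                  # assumed: empty folder for the mount
    )

    $feature = Get-WindowsFeature -Name $Name
    if (-not $feature) { throw "Feature '$Name' is not known on this server." }

    switch ($feature.InstallState) {
        'Installed' {
            Write-Output "$Name is already installed."
            return
        }
        'Available' {
            # Payload is on the local disk, so no -Source is needed.
            Install-WindowsFeature -Name $Name | Out-Null
            return
        }
        'Removed' {
            # Payload is not on disk: mount the image read-only and use it as the source.
            if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
            Dism.exe /Mount-Image /ImageFile:$ImageFile /Index:$Index /MountDir:$MountDir /ReadOnly
            if ($LASTEXITCODE -ne 0) { throw "DISM failed to mount $ImageFile (exit code $LASTEXITCODE)." }
            try {
                $result = Install-WindowsFeature -Name $Name -Source "$MountDir\Windows\WinSxS"
                if (-not $result.Success) { throw "Install-WindowsFeature reported failure for $Name." }
                if ($result.RestartNeeded -eq 'Yes') { Write-Warning "$Name needs a restart to finish." }
            }
            finally {
                # Release the mount even if the installation failed.
                Dism.exe /Unmount-Image /MountDir:$MountDir /Discard | Out-Null
            }
        }
    }
}

Install-FeatureFromImage -Name 'Server-Gui-Mgmt-Infra'

# Verify with the same InstallState filter the lesson uses.
Get-WindowsFeature | Where-Object { $_.Name -eq 'Server-Gui-Mgmt-Infra' -and $_.InstallState -eq 'Installed' }
```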
Add the GUI
You can configure a Server Core computer with the GUI using the sconfig.cmd command-line utility. To do this, choose option 12 from within the sconfig.cmd Server Configuration menu.
Note: The process of adding and removing the graphical component of the Windows Server 2012 operating system by using the Install-WindowsFeature cmdlet was covered in Lesson 1.
You can also use the dism.exe command-line tool to add and remove Windows roles and features from a Server Core deployment, even though this tool is used primarily for managing image files.
Lesson 5: Introduction to Windows PowerShell
Windows PowerShell is a command-line shell and task-based scripting technology built into the Windows Server 2012 operating system that simplifies the automation of common systems administration tasks. With Windows PowerShell, you can automate common tasks, leaving you more time for more difficult systems administration tasks.
In this lesson, you will learn about Windows PowerShell, and why Windows PowerShell is perhaps the most critical piece of a server administrator’s toolkit.
This lesson describes how to use Windows PowerShell’s built-in discoverability to learn how to use specific cmdlets and to find related cmdlets. This lesson also discusses how to leverage the Windows PowerShell Integrated Scripting Environment (ISE) to assist you in creating effective Windows PowerShell scripts.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the purpose of Windows PowerShell.
• Describe Windows PowerShell cmdlet syntax, and explain how to determine commands associated with a particular cmdlet.
• Describe common Windows PowerShell cmdlets used to manage services, processes, roles and features.
• Describe the functionality of Windows PowerShell ISE.
What Is Windows PowerShell?
Windows PowerShell is a scripting language designed to assist you in performing day-to-day administrative tasks. Windows PowerShell is made up of cmdlets that you execute at a Windows PowerShell prompt, or combine into Windows PowerShell scripts. Unlike other scripting languages that were designed initially for another purpose, but have been adapted for system administration tasks, Windows PowerShell is designed with system administration tasks in mind.
An increasing number of Microsoft products, such as Microsoft Exchange Server 2010, have graphical interfaces that build Windows PowerShell commands. These products allow you to view the generated Windows PowerShell script, so you can execute the task at a later time without having to go through all of the steps in the GUI. Being able to automate complex tasks simplifies a server administrator’s job, and saves time.
You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for performing Active Directory-related management tasks. The DNS Server module includes Windows PowerShell cmdlets that are specifically useful for performing DNS server-related management tasks.
Windows PowerShell Cmdlet Syntax
Windows PowerShell cmdlets use a verb-noun syntax. Each noun has a collection of associated verbs. The available verbs differ with each cmdlet’s noun.
Common Windows PowerShell cmdlet verbs include:
• Get
• New
• Set
• Restart
• Resume
• Stop
• Suspend
• Clear
• Limit
• Remove
• Add
• Show
• Write
You can learn the available verbs for a particular Windows PowerShell noun by executing the command:
Get-Command -Noun NounName
You can learn the available Windows PowerShell nouns for a specific verb by executing the command:
Get-Command -Verb VerbName
Windows PowerShell parameters start with a dash. Each Windows PowerShell cmdlet has its own associated set of parameters. You can learn what the parameters are for a particular Windows PowerShell cmdlet by executing the command:
Get-Help CmdletName
You can determine which Windows PowerShell cmdlets are available by executing the Get-Command cmdlet. Which Windows PowerShell cmdlets are available depends on which modules are loaded. You can load a module using the Import-Module cmdlet.
Common Cmdlets for Server Administration
There are certain cmdlets that you are more likely to use as a server administrator. These primarily relate to services, event logs, processes, and ServerManager running on the server.
Service Cmdlets
You can use the following Windows PowerShell cmdlets to manage services on a computer that is running Windows Server 2012:
• Get-Service. View the properties of a service.
• New-Service. Creates a new service.
• Restart-Service. Restarts an existing service.
• Resume-Service. Resumes a suspended service.
• Set-Service. Configures the properties of a service.
• Start-Service. Starts a stopped service.
• Stop-Service. Stops a running service.
• Suspend-Service. Suspends a service.
Event Log Cmdlets
You can use the following Windows PowerShell cmdlets to manage event logs on a computer that is running Windows Server 2012:
• Get-EventLog. Displays events in the specified event log.
• Clear-EventLog. Deletes all entries from the specified event log.
• Limit-EventLog. Sets event log age and size limits.
• New-EventLog. Creates a new event log and a new event source on a computer running Windows Server 2012.
• Remove-EventLog. Removes a custom event log and unregisters all event sources for the log.
• Show-EventLog. Shows the event logs of a computer.
• Write-EventLog. Allows you to write events to an event log.
Process Cmdlets
You can use the following Windows PowerShell cmdlets to manage processes on a computer that is running Windows Server 2012:
• Get-Process. Provides information on a process.
• Start-Process. Starts a process.
• Stop-Process. Stops a process.
• Wait-Process. Waits for the process to stop before accepting input.
• Debug-Process. Attaches a debugger to one or more running processes.
ServerManager Module
The ServerManager module allows you to add one of three cmdlets that are useful for managing features and roles. These cmdlets are:
• Get-WindowsFeature. View a list of available roles and features. Also displays whether the feature is installed, and whether the feature is available. An unavailable feature can only be installed if you have access to an installation source.
• Install-WindowsFeature. Installs a particular Windows Server role or feature. The Add-WindowsFeature cmdlet is aliased to this command and is available in previous versions of Windows operating systems.
• Remove-WindowsFeature. Removes a particular Windows Server role or feature.
What Is Windows PowerShell ISE?
Windows PowerShell ISE is an integrated scripting environment that provides you with assistance when using Windows PowerShell. It provides command completion functionality, and allows you to see all available commands and the parameters that can be used with those commands.
Windows PowerShell ISE simplifies the process of using Windows PowerShell because you can execute cmdlets from the ISE. You can also use a scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically-correct Windows PowerShell commands.
Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.
You can use the Windows PowerShell ISE environment to view available cmdlets by module. You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.
Demonstration: Using Windows PowerShell ISE
In this demonstration, you will see how to complete the following tasks:
• Use Windows PowerShell ISE to import the ServerManager module.
• View the cmdlets made available in the ServerManager Module.
• Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE.
Demonstration Steps
Use Windows PowerShell ISE to import the ServerManager module
1. Ensure that you are logged on to LON-DC1 as Administrator.
2. In Server Manager, click Tools, and then click Windows PowerShell ISE.
3. At the prompt, type Import-Module ServerManager.
View the cmdlets made available in the ServerManager Module
• In the Commands pane, use the Modules drop-down menu to select the Server Manager module.
Use the Get-WindowsFeature cmdlet from Windows PowerShell ISE
1. Click Get-WindowsFeature, and then click Show Details.
2. In the ComputerName field, type LON-DC1, and then click Run.
Demonstration: Using Windows PowerShell
In this demonstration, you will see how to use Windows PowerShell to display the running services and processes on a server.
Demonstration Steps
Use Windows PowerShell to display the running services and processes on a server
1. On LON-DC1, open a Windows PowerShell session.
2. Execute the following commands, and then press Enter:
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Command -Noun Service
Get-Process
Get-Help Process
3. Right-click the Windows PowerShell icon on the taskbar, and then click Run as Administrator.
Lab: Deploying and Managing Windows Server 2012
Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.
The marketing department has purchased a new web-based application. You need to install and configure the servers for this application in the data center. One server has a graphic interface and the second server is configured as Server Core.
Objectives
After completing this lab, you will be able to:
• Deploy Windows Server 2012.
• Configure Windows Server 2012 Server Core.
• Manage servers by using Server Manager.
• Manage servers with Windows PowerShell.
Lab Setup
Estimated time: 60 minutes
Virtual Machines: 20410A-LON-DC1, 20410A-LON-CORE
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 1 to 3 for 20410A-LON-CORE. Do not log on until directed to do so.
Exercise 1: Deploying Windows Server 2012
Scenario
The first Windows Server® 2012 server that you are installing for the Marketing department will host an SQL Server 2012 database engine instance. You want to configure the server so that it will have the full GUI, as this will allow the application vendor to run support tools directly on the server, rather than requiring a remote connection.
The main tasks for this exercise are as follows:
1. Install the Windows Server 2012 server.
2. Change the server name.
3. Change the date and time.
4. Configure the network and network teaming.
5. Add the server to the domain.
Task 1: Install the Windows Server 2012 server
1. In the Hyper-V Manager console, open the settings of 20410A-LON-SVR3.
2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This file is located at C:\Program Files\Microsoft Learning\20410\Drives.
3. Start 20410A-LON-SVR3. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, click Next, and then click Install Now.
o Language to install: English (United States)
o Time and currency format: English (United States)
o Keyboard or input method: US
4. Click to install the Windows Server 2012 Release Candidate Datacenter (Server with a GUI) operating system.
5. Accept the license terms and then click Custom: Install Windows only (advanced).
6. Install Windows Server 2012 on Drive 0.
Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.
7. Enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish to complete the installation.
Task 2: Change the server name
1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.
2. In Server Manager, on the Local Server node, click on the randomly-generated name next to Computer name.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer name box, type LON-SVR3, and then click OK.
5. Click OK again, and then click Close.
6. Restart the computer.
Task 3: Change the date and time
1. On LON-SVR3, on the taskbar, click the time display, and then click Change date and time settings.
2. Click Change Time Zone, and set the time zone to your current time zone.
3. Click Change Date and Time, and verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom.
4. Close the Date and Time dialog box.
Task 4: Configure the network and network teaming
1. On LON-SVR3, click Local Server, and then next to NIC Teaming, click Disabled.
2. Press and hold the Ctrl key and then in the Adapters And Interfaces area, click both Local Area Connection and Local Area Connection 2.
3. Right-click on the selected network adapters, and then click Add to New Team.
4. Enter LON-SVR3 in the Team name box, click OK, and then close the NIC Teaming dialog box. Refresh the console pane.
5. Next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
6. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
7. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
8. Enter the following IP address information, and then click OK.
o IP address: 172.16.0.101
o Subnet Mask: 255.255.0.0
o Default Gateway: 172.16.0.1
o Preferred DNS server: 172.16.0.10
9. Close all dialog boxes.
Task 5: Add the server to the domain
1. On LON-SVR3, in the Server Manager console, click Local Server.
2. Next to Workgroup, click WORKGROUP.
3. On the Computer Name tab, click Change.
4. Click the Domain option, and in the Domain box, enter adatum.com.
5. Enter the following account details:
o Username: Administrator
o Password: Pa$$w0rd
6. In the Computer Name/Domain Changes dialog box, click OK.
7. Restart the computer to apply changes.
8. In the System Properties dialog box, click Close.
9. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.
Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.
Exercise 2: Configuring Windows Server 2012 Server Core
Scenario
The web-based tier of the marketing application is a .NET application. To minimize the operating system footprint and reduce the need to apply software updates, you have chosen to host the IIS component on a computer running the Server Core installation option of the Windows Server 2012 operating system.
To enable this, you will need to configure a computer that is running Windows Server 2012 with the Server Core installation option.
The main tasks for this exercise are as follows:
1. Change the server name.
2. Change the computer’s date and time.
3. Configure the network.
4. Add the server to the domain.
Task 1: Change the server name
1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.
2. On LON-CORE, type sconfig.cmd.
3. Click option 2 to select Computer Name.
4. Set the computer name as LON-CORE.
5. In the Restart dialog box, click Yes to restart the computer.
6. After the computer restarts, log on to server LON-CORE using the Administrator account.
7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.
Task 2: Change the computer’s date and time
1. On LON-CORE, in the sconfig.cmd main menu, type 9 to select Date and Time.
2. Click Change time zone, and then set the time zone to the same time zone that your classroom uses.
3. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. Click OK three times to dismiss the dialog boxes.
4. Exit sconfig.cmd.
Task 3: Configure the network
1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.
2. Type 8 to configure Network Settings.
3. Type the number of the network adapter that you want to configure.
4. Type 1 to set the Network Adapter Address.
5. Select static IP address configuration, and then enter the address 172.16.0.111.
6. At the Enter subnet mask prompt, type 255.255.0.0.
7. At the Enter default gateway prompt, type 172.16.0.1.
8. Type 2 to configure the DNS server address.
9. Set the preferred DNS server to 172.16.0.10.
10. Do not configure an alternate DNS server address.
11. Exit sconfig.cmd.
12. Verify network connectivity to lon-dc1.adatum.com using the Ping tool.
Task 4: Add the server to the domain
1. On LON-CORE, at the command prompt, type sconfig.cmd, and then press Enter.
2. Type 1 to switch to configure Domain/Workgroup.
3. Type D to join a domain.
4. At the Name of domain to join prompt, type adatum.com.
5. At the Specify an authorized domain\user prompt, type adatum\administrator.
6. At the Type the password associated with the domain user prompt, type Pa$$w0rd.
7. At the prompt, click Yes.
8. Restart the server.
9. Log on to server LON-CORE with the adatum\administrator account using the password Pa$$w0rd.
Results: After finishing this exercise you will have configured a Windows Server 2012 Server Core deployment, and verified the server’s name.
Exercise 3: Managing Servers
Scenario
After deploying the servers LON-SVR3 and LON-CORE for hosting the Marketing application, you need to install appropriate server roles and features to support the application. With this in mind, you will install the Windows Server Backup feature on both LON-SVR3 and LON-CORE. You will install the Web Server role on LON-CORE.
You also need to configure the World Wide Web Publishing service on LON-CORE with the following settings:
• Startup type: Automatic
• Log on as: Local System Account
• First failure: Restart the Service
• Second failure: Restart the Service
• Subsequent failures: Restart the server
• Reset fail count after: 1 days
• Restart service after: 1 minute
• Restart computer after: 1 minute
The main tasks for this exercise are as follows:
1. Create a server group.
2. Deploy features and roles to both servers.
3. Review services, and change a service setting.
Task 1: Create a server group
1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. Click the Active Directory tab, and then click Find Now.
4. In the Server group name box, type LAB-1.
5. Add LON-CORE and LON-SVR3 to the server group.
6. Click LAB-1. Press and hold the Ctrl key to select both LON-CORE and LON-SVR3.
7. When both are selected, scroll down, and under the Performance section, select both LON-CORE and LON-SVR3.
8. Right-click LON-CORE, and then click Start Performance Counters.
Task 2: Deploy features and roles to both servers
1. In Server Manager on LON-DC1, click the LAB-1 server group, right-click LON-CORE, and then click Add Roles and Features.
2. Click Next, click Role-based or feature-based installation, and then click Next.
3. Verify that LON-CORE.Adatum.com is selected, and then click Next.
4. Select the Web Server (IIS) Server role.
5. Select the Windows Server Backup feature.
6. Add the Windows Authentication role service, and then click Next.
7. Select the Restart the destination server automatically if required check box, and then click Install.
8. Click Close.
9. Right-click LON-SVR3, click Add Roles and Features, and then click Next.
10. Click Role-based or feature-based installation, and then click Next.
11. Verify that LON-SVR3.Adatum.com is selected, and then click Next twice.
12. Click Windows Server Backup, and then click Next.
13. Select the Restart the destination server automatically if required check box, click Install, and then click Close.
14. In Server Manager, click the IIS node, and verify that LON-CORE is listed.
Task 3: Review services, and change a service setting
1. On LON-CORE, in a command prompt window, enter the command netsh.exe firewall set service remoteadmin enable ALL
2. Log on to LON-DC1 with the adatum\Administrator account.
3. In Server Manager, click LAB-1, right-click LON-CORE, and then click Computer Management.
4. Expand Services and Applications, and then click Services.
5. Verify that the Startup type of the World Wide Web Publishing service is set to Automatic.
6. Verify that the service is configured to use the Local System account.
7. Configure the following service recovery settings:
o First failure: Restart the Service
o Second failure: Restart the Service
o Subsequent failures: Restart the Computer.
o Reset fail count after: 1 days
o Restart service after: 1 minute
8. Configure the Restart Computer option to 2 minutes, and close the Service Properties dialog box.
9. Close the Computer Management console.
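The recovery settings from this exercise can also be applied and, more importantly, read back from the command line. The following script is an added example (not part of the lab) that uses Set-Service and sc.exe against the World Wide Web Publishing service (W3SVC) and then verifies the result with sc.exe qfailure and WMI, using the scenario values: restart on the first and second failure, restart the computer on subsequent failures, reset the fail count after 1 day, and a 1-minute delay for each action. The target computer name is an assumption.

```powershell
# Added example: apply and verify the W3SVC recovery settings from the lab scenario.
# Run from an elevated prompt; the default target is the local computer (assumption).
param([string] $ComputerName = $env:COMPUTERNAME)

$serviceName = 'W3SVC'
$resetSec    = 86400    # reset fail count after 1 day
$delayMs     = 60000    # restart service / computer after 1 minute
$target      = "\\$ComputerName"

# 1. Startup type: Automatic. Windows PowerShell 3.0 Set-Service accepts -ComputerName.
Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType Automatic

# 2. Recovery actions as action/delay pairs. sc.exe needs the "keyword= value" spacing.
sc.exe $target failure $serviceName reset= $resetSec actions= "restart/$delayMs/restart/$delayMs/reboot/$delayMs"
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE" }

# 3. Read the configuration back rather than trusting that the write succeeded.
function Get-ServiceRecovery {
    param([string] $Name, [string] $Computer)
    $text  = (sc.exe "\\$Computer" qfailure $Name) -join "`n"
    $reset = $null
    if ($text -match 'RESET_PERIOD \(in seconds\)\s*:\s*(\d+)') { $reset = [int]$matches[1] }
    # Each failure action is printed as "RESTART -- Delay = 60000 milliseconds."
    $actions = [regex]::Matches($text, '(RESTART|REBOOT|RUN PROCESS)\s*--\s*Delay\s*=\s*(\d+)') |
               ForEach-Object { "$($_.Groups[1].Value)/$($_.Groups[2].Value)" }
    $wmi = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$Name'"
    [pscustomobject]@{
        Service     = $Name
        StartupType = $wmi.StartMode          # "Auto" corresponds to Automatic
        ResetPeriod = $reset
        Actions     = ($actions -join ',')
    }
}

$state = Get-ServiceRecovery -Name $serviceName -Computer $ComputerName
$state | Format-List

$expected = "RESTART/$delayMs,RESTART/$delayMs,REBOOT/$delayMs"
if ($state.StartupType -ne 'Auto' -or $state.ResetPeriod -ne $resetSec -or $state.Actions -ne $expected) {
    Write-Warning "Recovery settings on $ComputerName do not match the scenario."
}
```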
Results: After finishing this exercise you will have created a server group, deployed roles and features, and configured the properties of a service.
Exercise 4: Using Windows PowerShell to Manage Servers
Scenario
The Marketing application vendor has indicated that they can provide some Windows PowerShell scripts to configure the web server that is hosting the application. You need to verify that remote administration is functional before running the scripts.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell® to connect remotely to servers and view information.
2. Use Windows PowerShell to install new features remotely.
Task 1: Use Windows PowerShell® to connect remotely to servers and view information
1. On LON-DC1, in Server Manager, click the LAB-1 server group.
2. Right-click LON-CORE, and then click Windows PowerShell.
3. Type Import-Module ServerManager.
4. Type Get-WindowsFeature, and review roles and features.
5. Use the following command to review the running services on LON-CORE:
Get-Service | Where-Object {$_.Status -eq "Running"}
6. Type get-process to view a list of processes on LON-CORE.
7. Review the IP addresses assigned to the server with the following command:
Get-NetIPAddress | Format-table
8. Review the most recent 10 items in the security log with the following command:
Get-EventLog Security -Newest 10
9. Close Windows PowerShell.
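Step 8 only lists the ten newest Security log entries. As an added example (not part of the lab), the following script uses the same Get-EventLog cmdlet to read the failed logon events (event ID 4625) from the last 24 hours on LON-CORE and summarize them by account and source address, which is the check an administrator reviewing a newly joined server actually wants. The computer name, time window and threshold are assumptions.

```powershell
# Added example: summarize failed logons (Security event ID 4625) on a remote server
# with Get-EventLog. ComputerName, Hours and Threshold are assumptions for the example.
param(
    [string] $ComputerName = 'LON-CORE',
    [int]    $Hours        = 24,
    [int]    $Threshold    = 5        # flag accounts or sources with this many failures or more
)

function Get-FailedLogonSummary {
    param([string] $Computer, [int] $SinceHours, [int] $MinCount)

    # -InstanceId filters to 4625; -After limits how much of the log is read.
    $events = Get-EventLog -LogName Security -ComputerName $Computer `
                           -InstanceId 4625 -After (Get-Date).AddHours(-$SinceHours) -ErrorAction Stop

    # ReplacementStrings follow the 4625 message template:
    # [5] TargetUserName, [6] TargetDomainName, [10] LogonType, [19] IpAddress.
    $rows = foreach ($e in $events) {
        $s = $e.ReplacementStrings
        [pscustomobject]@{
            Time      = $e.TimeGenerated
            Account   = "$($s[6])\$($s[5])"
            LogonType = $s[10]
            Source    = $s[19]
        }
    }

    $byAccount = @($rows | Group-Object Account | Sort-Object Count -Descending)
    $bySource  = @($rows | Group-Object Source  | Sort-Object Count -Descending)

    [pscustomobject]@{
        Computer      = $Computer
        WindowHours   = $SinceHours
        TotalFailures = @($rows).Count
        TopAccounts   = $byAccount | Select-Object -First 5 Name, Count
        TopSources    = $bySource  | Select-Object -First 5 Name, Count
        # Counts at or above the threshold deserve a look: a locked-out service account,
        # a scheduled task with a stale password, or password guessing against the server.
        Suspicious    = @($byAccount + $bySource | Where-Object { $_.Count -ge $MinCount } | Select-Object Name, Count)
    }
}

$summary = Get-FailedLogonSummary -Computer $ComputerName -SinceHours $Hours -MinCount $Threshold
$summary | Format-List Computer, WindowHours, TotalFailures
$summary.TopAccounts | Format-Table -AutoSize
$summary.TopSources  | Format-Table -AutoSize
if ($summary.Suspicious.Count -gt 0) {
    Write-Warning "Failed-logon counts at or above $Threshold found on ${ComputerName}:"
    $summary.Suspicious | Format-Table -AutoSize
}
```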
Task 2: Use Windows PowerShell to install new features remotely
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. Type import-module ServerManager.
3. Type the following command to verify that the XPS Viewer feature has not been installed on LON-SVR3:
Get-WindowsFeature -ComputerName LON-SVR3
4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:
Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3
5. Type the following command to verify that the XPS Viewer feature has now been deployed on LON-SVR3:
Get-WindowsFeature -ComputerName LON-SVR3
6. From the Tools drop down in the Server Manager console, choose Windows PowerShell ISE.
7. In the Untitled1.ps1 script pane, type the following:
Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE
8. Save the script as InstallWins.ps1 in a new folder named Scripts.
9. Press F5 to execute InstallWins.ps1.
Results: After finishing this exercise you will have used Windows PowerShell to perform a remote installation of features on multiple servers.
To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, switch to the Hyper-V Manager console.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.
Module Review and Takeaways
Review Questions
Question: What is the benefit of using Windows PowerShell to automate common tasks?
Question: What are the advantages to performing a Server Core deployment compared to the Full GUI deployment?
Question: What tool can you use to determine which cmdlets are contained in a Windows PowerShell module?
Question: Which role can you use to manage Key Management Services (KMS)?
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
Remote management connections fail.
Windows PowerShell cmdlets not available.
Cannot install the GUI features on Server Core deployments.
Unable to restart a computer running Server Core.
Unable to join the domain.
Module 2 Introduction to Active Directory Domain Services
Contents:
Module Overview 2-1
Lesson 1: Overview of AD DS 2-2
Lesson 2: Overview of Domain Controllers 2-8
Lesson 3: Installing a Domain Controller 2-13
Lab: Installing Domain Controllers 2-18
Module Review and Takeaways 2-21
Module Overview
Active Directory® Domain Services (AD DS) and its related services form the foundation for enterprise networks that run Windows® operating systems. The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable hierarchical directory, and provides a method for applying configuration and security settings for objects in the enterprise. In this module, we will study the structure of AD DS, and various components, such as forest, domain, and organizational units (OUs).
The process of installing AD DS on a server is refined and improved with Windows Server® 2012. This module also examines some of the choices that are now available for installing AD DS on a server.
Objectives
After completing this module, you will be able to:
• Describe the structure of Active Directory® Domain Services (AD DS).
• Describe the purpose of domain controllers.
• Install a domain controller.
Lesson 1: Overview of AD DS

The AD DS database stores information on user identity, computers, groups, services and resources. AD DS domain controllers also host the service that authenticates user and computer accounts when they log on to the domain. AD DS forms a security boundary, in addition to it being a searchable database of objects in the domain. AD DS provides the structure with which you can configure and manage objects in the database.

In this lesson, you will explore how OUs work, and why you would use them. You will examine why some AD DS domain controllers have additional roles. You will explore various ways that you can promote a Windows Server 2012 server to be a domain controller.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components of AD DS.
• Describe AD DS domains.
• Describe OUs and their purpose.
• Describe AD DS forests and trees, and explain how you can deploy them in a network.
• Explain how a schema provides a set of rules that manage the objects and attributes that are stored in the AD DS domain database.

Overview of AD DS

AD DS is composed of both physical and logical components. Understanding the way the components of AD DS work together is an important part of supporting AD DS services. With the knowledge of how the AD DS components work together, you can efficiently manage your network, and control what resources your users can access. In addition, there are many other options including installation and configuring of software and updates, managing the security infrastructure, remote access, DirectAccess, BranchCache and certificate handling to mention a few. Group Policy is a very powerful tool to manage all of these, and a clear understanding of the AD DS components is the key to successful use of Group Policy.

Physical Components

AD DS information is stored in a single file on each domain controller's hard disk. The following table lists some of the physical components and where they are stored.

Physical component Description
Domain controllers Contain copies of the AD DS database.
Data store The file on each domain controller that stores the AD DS information.
Global catalog servers Host the global catalog, which is a partial, read-only copy of all the objects in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.
Read-only domain controller (RODC)
A domain controller that holds a read-only copy of the AD DS database. RODCs are often used in branch offices, where physical security and IT support are less robust than in the main corporate datacenters.
Logical Components
AD DS logical components are structures that are used to implement an appropriate Active Directory design for an organization. The following table describes some of the types of logical structures that an Active Directory database might contain.
Logical component Description
Partition A section of the AD DS database. Although the database is one file: NTDS.DIT, it is viewed, managed and replicated as if it consisted of distinct sections or instances, and these are the partitions, also referred to as naming contexts.
Schema Defines the object classes that can exist in AD DS and the attributes that each class can have.
Domain A logical, administrative boundary for users and computers.
Domain tree A collection of domains that share a common root domain and a Domain Name System (DNS) namespace.
Forest A collection of domains that share a common schema, a common configuration partition, and a single global catalog.
Site A collection of IP subnets, and the domain controllers and computers on them, that are grouped by physical location and network connectivity. Sites are used to control administrative tasks such as AD DS replication and to direct clients to nearby domain controllers.
OU These are containers in AD DS, which provide a framework for delegating administrative rights and also for linking Group Policy.
Additional Reading: For more information about domains and forests, please see Domains and Forests Technical Reference at http://go.microsoft.com/fwlink/?LinkId=104447.
AD DS Domains

An AD DS domain is a logical grouping of user, computer, and group objects for the purpose of management and security. All of these objects are stored in the AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain.

There are several types of objects that can be stored in the AD DS database, including user accounts. User accounts provide a mechanism by which to authenticate and then authorize users to access resources on the network. When a user wants to log on to the domain, they must do so at a computer that is a member of the AD DS domain. For this reason, each domain-joined computer must have an account in AD DS. The domain also stores groups, which are the mechanism for grouping together objects for administrative or security reasons, for instance user accounts and computer accounts.

An AD DS domain is an administrative center. It holds an Administrator account and a Domain Admins group, which have full control over every object in the domain; however, unless they are in the forest root domain, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. Although a domain constitutes a security boundary that is largely self-managing and autonomous, the Enterprise Admins group in the forest root domain has full control over every domain in the AD DS forest.

What Are OUs?

An Organizational Unit (OU) is a container object within a domain that you can use to consolidate users, groups, computers, and other objects. There are two reasons to create OUs:

• To configure objects contained within the OU. You can assign Group Policy Objects to the OU, and the settings apply to all objects within the OU. Group Policy Objects (GPOs) are policies that administrators create to manage and configure computer and user accounts. The most common way to deploy these policies is to link them to OUs.

• To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to a user or group within AD DS other than the administrator.

You can use OUs to represent the hierarchical, logical structures within your organization. For example, you can create OUs that represent the departments within your organization, the geographic regions within your organization, or create OUs that are a combination of both departmental and geographic regions. You can then manage the configuration and use of user, group, and computer accounts based on your organizational model.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD DS, including the following:
• Domain container. Serves as the root container to the hierarchy.
• Builtin container. Stores a number of default groups.
• Users container. The default location for new user accounts and groups that you create in the domain. The Users container also holds the Administrator and Guest accounts for the domain, and some default groups.
• Computers container. The default location for new computer accounts that you create in the domain.
• Domain Controllers OU. The default location for the computer accounts of domain controllers. This is the only OU that is present in a new installation of AD DS.
Note: None of the default containers in the AD DS domain can have GPOs linked to them, except for the default Domain Controllers OU and the domain itself. All the other containers are just folders. To link GPOs that apply configurations and restrictions, create a hierarchy of OUs, and then link the GPOs to them.
Hierarchy Design
The design of an OU hierarchy is dictated by the administrative needs of the organization. The design could be based on geographic, functional, resource, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as effectively and with as much flexibility as possible. For example, if all computers that IT administrators use must be configured in a certain way, you can group all computers in an OU, and then assign a policy to manage its computers. To simplify administration, you also can create OUs inside other OUs.
For example, your organization might have multiple offices, and each office might have a set of administrators who are responsible for managing user and computer accounts in the office. In addition, each office might have different departments with different computer configuration requirements. In this situation, you could create an OU for the office that is used to delegate administration, and create a department OU inside the office OU to assign desktop configurations.
Although there is no technical limit to the number of levels in your OU structure, for the purpose of manageability limit your OU structure to a depth of no more than 10 levels. Most organizations use five levels or fewer to simplify administration. Note that Active Directory-enabled applications can have restrictions on the OU depth within the hierarchy, or the number of characters that can be used in the distinguished name (the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory).
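The office/department design described above, as an added example that is not the course's own material: it creates the two-level hierarchy, links a GPO to the department OU for configuration, and delegates a single narrow right on the office OU (resetting user passwords) to a help-desk group instead of granting broad administrative membership. The OU names (London, Sales), GPO name, and group name are assumptions; the two GUIDs are the well-known identifiers of the Reset Password control access right and of the user object class.

```powershell
# Added example, not from the course. Builds an office/department OU hierarchy,
# links a GPO for configuration, and delegates one extended right for administration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=adatum,DC=com
$officeOU = "OU=London,$domainDN"              # assumption: office OU (delegation boundary)
$deptOU   = "OU=Sales,$officeOU"               # assumption: department OU (configuration)
$gpoName  = 'Sales Desktop Settings'           # assumption: GPO name
$helpDesk = 'London Help Desk'                 # assumption: existing security group

# 1. Hierarchy: office OU for delegation, department OU inside it for configuration.
foreach ($ou in @(@{ Name = 'London'; Path = $domainDN }, @{ Name = 'Sales'; Path = $officeOU })) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Configuration: a GPO linked to the department OU applies to every object beneath it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $deptOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $deptOU -LinkEnabled Yes | Out-Null
}

# 3. Delegation: allow only the "Reset Password" extended right, only on user objects,
#    only under the office OU. Nothing here touches Domain Admins or Account Operators.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # controlAccessRight: Reset Password
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$sid = (Get-ADGroup -Identity $helpDesk).SID

$acl = Get-Acl -Path "AD:\$officeOU"
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$officeOU" -AclObject $acl

# 4. Verify: show the explicit (non-inherited) ACEs on the office OU that belong to the help desk.
(Get-Acl -Path "AD:\$officeOU").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$helpDesk" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The verification step is the part worth keeping in a change record: the ACE should show ExtendedRight with ObjectType equal to the Reset Password GUID and InheritedObjectType equal to the user class GUID. An ACE with an empty ObjectType would grant every extended right, which is far more than the help desk needs.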
What Is an AD DS Forest?

A forest is a collection of one or more domain trees. A tree is a collection of one or more domains. The first domain that is created in the forest is called the forest root domain. The forest root domain holds a few objects that do not exist in other domains in the forest. For example, the forest root domain holds two special roles, the schema master and the domain naming master. In addition, the Enterprise Admins group and the Schema Admins group exist only in the forest root domain. The Enterprise Admins group has full control over every domain in the forest.

Examples of why more than one domain may be required in the forest:

• In certain circumstances, it might be advantageous to have more than one domain in the organization, and these are typically structured in a tree. For instance, the A. Datum Corporation might be the domain at the root of a forest. Another domain could be added to the tree as a child domain of adatum.com, and have a name that is based on the DNS structure and includes the name of the parent domain, for example atl.adatum.com.

• There may be a requirement to have different namespaces in the forest. If A. Datum Ltd (adatum.com) and Fabrikam, Inc. (fabrikam.com) were to merge, then although the organization exists in one forest, you could add a tree to accommodate the second namespace. Apart from the different namespaces, all objects in this forest would function as if the domains were both in the same tree.

What Is the AD DS Schema?

The schema is the AD DS component that defines all objects and attributes that AD DS uses to store data. It is sometimes referred to as the blueprint for AD DS.

AD DS stores and retrieves information from a wide variety of applications and services. AD DS standardizes how data is stored in the directory so that it can store and replicate data from these various sources. By standardizing how data is stored, AD DS can retrieve, update, and replicate data, while ensuring that the integrity of the data is maintained.

AD DS uses objects as units of storage. All objects are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data.

Object definitions control the types of data that the objects can store, and the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.
In AD DS, the schema defines the following:
• Objects that are used to store data in the directory
• Rules that define what types of objects you can create, what attributes must be defined when you create the object (mandatory), and what attributes are optional
• Structure and the content of the directory itself
You can use an account that is a member of the Schema Admins group to modify the schema in a graphical form, by using the Active Directory Schema snap-in. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many attributes are location, accountExpires, buildingName, company, manager, and displayName.
The schema master is one of the single master operations domain controllers in AD DS. Because it is a single master, you must make changes to the schema by targeting the domain controller that holds the schema master operations role.
The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest.
Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary, through a tightly controlled process, and after you have performed testing to ensure that there will be no adverse effects to the rest of the forest.
Although you might not make any change to the schema directly, some applications make changes to the schema to support additional features. For example, when you install Microsoft® Exchange Server 2010 into your AD DS forest, the installation program extends the schema to support new object types and attributes.
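The schema mechanics described above (the schema master, the class definitions with mandatory and optional attributes, and the per-attribute rules), as an added read-only example that is not part of the course: it locates the schema master, reads the definition of the user class and of one attribute directly from the schema partition, and shows which domain controller a schema change would actually be written to. It assumes the ActiveDirectory module on a domain-joined Windows Server 2012 machine; the attribute inspected (accountExpires) is one the text names.

```powershell
# Added example, not from the course. Read-only inspection of the AD DS schema.
Import-Module ActiveDirectory

# The schema master is a forest-wide role, so ask the forest object, not the domain.
$forest = Get-ADForest
"Schema master: $($forest.SchemaMaster)"

# The schema is its own partition; its distinguished name comes from the RootDSE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
"Schema partition: $schemaNC"

# Class definition. mustContain/systemMustContain list the mandatory attributes
# and mayContain/systemMayContain the optional ones that this class adds on top
# of what it inherits from subClassOf.
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties subClassOf, systemMustContain, mustContain, systemMayContain, mayContain, schemaIDGUID

$mandatory = @($userClass.systemMustContain) + @($userClass.mustContain)
$optional  = @($userClass.systemMayContain)  + @($userClass.mayContain)
"user class inherits from : $($userClass.subClassOf)"
"user class mandatory     : $($mandatory -join ', ')"
"user class optional count: $($optional.Count)"
# schemaIDGUID is stored as bytes; it is the GUID used in delegation ACEs for this class.
"user class schemaIDGUID  : $(New-Object Guid (,[byte[]]$userClass.schemaIDGUID))"

# Attribute definition. attributeSyntax/oMSyntax fix the data type, isSingleValued the
# cardinality, and isMemberOfPartialAttributeSet whether the global catalog carries it.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=accountExpires))' `
    -Properties attributeSyntax, oMSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags |
    Select-Object Name, attributeSyntax, oMSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags

# Change control: any schema write must target the role holder, and it replicates forest-wide.
$schemaMasterDC = Get-ADDomainController -Identity $forest.SchemaMaster
"A schema change would be written to $($schemaMasterDC.HostName) in site $($schemaMasterDC.Site)"
```

Nothing in the block writes to the directory. Running it before an application's schema extension (the Exchange Server case mentioned above) gives you the baseline to compare against afterwards, and confirms which server the extension will connect to.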
Additional Reading
For more information about Windows Server 2012 Release Candidate, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-default.aspx.
For more information about Windows Server 2012 Overview, see http://www.microsoft.com/en-us/server-cloud/windows-server/v8-overview.aspx.
For more information about Windows Server 2012 Capabilities, see http://www.microsoft.com/en-us/server-cloud/windows-server/2012-capabilities.aspx.
For more information about Windows Server 8 (a one-hour long video), see http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F.
Lesson 2: Overview of Domain Controllers

Because domain controllers are responsible for all authentications, domain controller deployment is critical to the correct functioning of the network.

This lesson examines domain controllers, the logon process, and the importance of DNS in that process. In addition, this lesson discusses the purpose of the global catalog.

All domain controllers are essentially the same, but there are certain operations that can only be performed on specific domain controllers called operations masters, which are discussed at the end of this lesson.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the purpose of domain controllers.
• Describe the purpose of the global catalog.
• Describe the AD DS logon process, and the importance of DNS and service (SRV) resource records in the logon process.
• Describe the functionality of SRV records.
• Explain the functions of operations masters.

What Is a Domain Controller?

A domain controller (DC) is a server that is configured to store a copy of the AD DS directory database (NTDS.DIT) and a copy of the System Volume (SYSVOL) folder. All domain controllers except read-only domain controllers (RODCs) store a read/write copy of both NTDS.DIT and the SYSVOL folder. NTDS.DIT is the database itself, and the SYSVOL folder contains all the template settings for GPOs.

You can use the AD DS replication service to synchronize changes and updates to the AD DS database between the domain controllers in the domain. The SYSVOL folders are replicated either by the File Replication Service (FRS), or by the newer Distributed File System (DFS) Replication. The domain controllers in each domain replicate all the changes and updates between each other, and unless they are an RODC, they all store a read/write copy of the AD DS database. Domain controllers host several other Active Directory–related services, including the Kerberos service, which is used by user and computer accounts for logon authentication. You can optionally configure domain controllers to host a copy of the Active Directory global catalog, which is described in the next topic. Domain controllers also run some important services including Kerberos, which provides logon and password change capabilities, and the Key Distribution Center (KDC). The KDC is the service that issues the ticket-granting ticket (TGT) to an account that logs on to the AD DS domain.

An AD DS domain should always have a minimum of two domain controllers. This way, if one of the domain controllers fails, there is a backup to ensure continuity of the AD DS domain services. When you decide to add more than two domain controllers, consider the size of your organization and the performance requirements; however, two domain controllers should be considered an absolute minimum.

In a branch office where security may be less than optimal, there are some additional measures that can be deployed to reduce the impact of a breach of defenses. If an RODC is compromised, the potential loss of information is much lower than with a full read-write domain controller. If a hard drive is stolen, then BitLocker ensures that there is a very low chance of an intruder being able to gain any useful information from it.

Note: An RODC is a domain controller that holds a read-only copy of the AD DS database. You can deploy an RODC in a remote site where users might have difficulty logging on over an unreliable Wide Area Network (WAN) connection. Rather than deploy a full read/write domain controller, which might present a security risk, you could install an RODC, which can authenticate users locally without providing any write capability to the AD DS database.

Note: Windows BitLocker® is a drive encryption system that is available for Windows Server operating systems, and for certain Windows client operating system versions. BitLocker securely encrypts the entire operating system so that the computer cannot start without being supplied a secret key and (optionally) passing an integrity check. A disk stays encrypted even if you transfer it to another computer.

What Is the Global Catalog?

Within a single domain, the AD DS database contains all the information about every object in that domain. This information is not replicated outside the domain. For example, a query for an object in AD DS is directed to one of the domain controllers for that domain. If there is more than one domain in the forest, then that query will not provide any results for objects in a different domain. For this reason, you can configure one or more domain controllers to store a copy of the global catalog. The global catalog is a distributed database that contains a searchable representation of every object from all the domains in a multi-domain forest. By default, the only global catalog server in the forest is the first domain controller that is created in the forest root domain.

The global catalog does not contain all attributes for each object. Instead, the global catalog maintains the subset of attributes that are most likely to be useful in cross-domain searches. These attributes might include firstname, displayname, and location. There could be a variety of reasons why you would perform a search against a global catalog rather than a domain controller that is not a global catalog. For example, when an Exchange server receives an incoming email, it needs to search for the recipient's account so that it can decide how to route the message. By automatically querying a global catalog, the Exchange server is able to locate the recipient in a multi-domain environment. When a user logs on to their Active Directory account, the domain controller performing the authentication must contact a global catalog to check for universal group memberships before the user is authenticated.

In a single domain, all domain controllers should be configured as holders of the global catalog; however, in a multi-domain environment, the infrastructure master should not be a global catalog server. Which domain controllers are configured to hold a copy of the global catalog depends on replication traffic and network bandwidth. Many organizations are opting to make every domain controller a global catalog server.

Question: Should a domain controller be a global catalog?

The AD DS Logon Process

When you log on to AD DS, your system looks in DNS for SRV records to locate the nearest suitable domain controller. SRV records are records that specify information on available services, and are recorded in DNS by all domain controllers. By using DNS lookups, clients can locate a suitable domain controller to service their logon requests. If the logon is successful, the local security authority (LSA) builds an access token for the user. The access token contains the security identifiers (SIDs) for the user and any groups of which the user is a member. This provides the access credentials for any process initiated by that user. For example, after logging on to AD DS, a user runs Microsoft Office Word® and attempts to open a file. Word uses the credentials in the user's access token to check the level of the user's permissions for that file.

Sites are used by a client system when it needs to contact a domain controller. It starts by looking up SRV records in DNS. Then the client system attempts to connect to a domain controller in the same site before trying elsewhere.

Administrators can define sites in AD DS. Sites will usually align with parts of the network that have good connectivity and bandwidth. For example, there might be a branch office that is connected to the main datacenter by an unreliable WAN link. In this case, it would be better to define the datacenter and the branch office as separate sites in AD DS.

SRV records are registered in DNS by the Net Logon service that is running on each domain controller. If the SRV records are not entered in DNS correctly, you can trigger the domain controller to reregister those records by restarting the Net Logon service on that domain controller. This process only reregisters the SRV records; if you want to reregister the host record information in DNS, you must run ipconfig /registerdns from a command prompt, just as you would for any other computer.

Note: A SID is a unique number in the form of S-1-5-21-4130086281-3752200129-2715587809-500, where S-1-5-21 represents the type of ID, the next three blocks of numbers (4130086281-3752200129-2715587809) are the number of the database where the account is stored (usually the AD DS domain), and the last section (500) is the relative ID (RID), which is the part of the SID that uniquely identifies that account in the database. Every user and computer account and every group that you create have a unique SID, but they only differ from each other by virtue of the unique RID. You can tell that this particular SID is the SID for the Administrator account because it ends with the "well-known" RID 500.

Although the logon process appears to the user as a single event, it is actually made up of two parts. The user provides credentials, usually a user account name and password, which are then checked against the AD DS database. If the user account name and the password match the information that is stored in the AD DS database, the user becomes an authenticated user, and is issued a ticket-granting ticket (TGT) by the domain controller. At this point, the user does not have access to any resources on the network. A secondary process in the background submits the TGT to the domain controller, and requests access to the local machine. The domain controller issues a ticket to the user, who is then able to interact with the local computer. At this point in the process, the user is authenticated to AD DS and logged on to the local machine.

When a user subsequently attempts to connect to another computer on the network, the secondary process is run again, and the TGT is submitted to the nearest domain controller. When the domain controller returns the ticket, the user can access the computer on the network, which generates a logon event at that computer.

Note: A domain-joined computer also logs on to AD DS when it starts, a fact that is often overlooked. You do not see the transaction when the computer uses its computer account name and a password to log on to AD DS. Once authenticated, the computer becomes a member of the Authenticated Users group. Although the computer logon process does not have any visual confirmation in the form of a graphical user interface (GUI), there are event log events that record the activity. Additionally, if auditing is enabled, there are more events that are viewable in the Security log of the Event Viewer.

Demonstration: Viewing the SRV Records in DNS

The demonstration shows the various types of SRV records that the domain controllers register in DNS. These records are crucial to the operability of AD DS, because they are used to find domain controllers for logon, password changes, and Group Policy Object (GPO) editing. SRV records are also used by domain controllers to find replication partners.

Demonstration Steps
View the SRV records by using DNS Manager
1. Open the DNS Manager window, and explore the underscore DNS domains.
2. View the different SRV records that are registered by domain controllers to provide alternate paths so that clients can discover them.

What Are Operations Masters?

Although all domain controllers are essentially equal, there are some tasks that can only be performed by targeting one particular domain controller. For example, if you need to add an additional domain to the forest, then you must be able to connect to the domain naming master. The domain controllers that have these roles are called operations masters, single master roles, or Flexible Single Master Operations (FSMOs) (pronounced "fizz-mos"). They are distributed as follows:

• Each forest has one schema master and one domain naming master.
• Each AD DS domain has one RID master, one infrastructure master, and one primary domain controller (PDC) emulator.
The following is a list of Single Master Roles:
• Schema master. The domain controller where any schema changes are made. To make changes you would typically log on to the schema master as a member of both the Schema Admins and Enterprise Admins groups. A user who is a member of both of these groups and who has the appropriate permissions could also edit the schema by using a script.
• Domain naming master. The domain controller that records additions and removals of domains and also domain name changes.
• RID master. Whenever an object is created in AD DS, the domain controller where the object is created assigns the object a unique identifying number known as a SID. To ensure that no two domain controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain controller within the domain.
• Infrastructure master. This role is responsible for maintaining inter-domain object references, such as when a group in one domain contains a member from another domain. In this situation, the infrastructure master is responsible for maintaining the integrity of this reference. For example, when you look at the security tab of an object, the system looks up the SIDs that are listed and translates them into names. In a multi-domain forest, the infrastructure master looks up SIDs from other domains. The Infrastructure role should not reside on a global catalog server. The exception is when you follow best practices and make every domain controller a global catalog. In that case, the Infrastructure role is disabled because every domain controller knows about every object in the forest.
Note: The Infrastructure role should not reside on a global catalog server. For example, the security tab on an object (file, folder, printer) has a list of SIDs with a matrix of permissions assigned. To ease administration, these SIDs are converted into names such as users and groups, usually before you even see the SIDs appear. If there is more than one domain in the AD DS forest, then there may be SIDs from remote domains in the security tab, and because they are not recognized on the local domain, a mechanism is necessary to look up the actual names. The infrastructure master does this by referring to a GC. If the infrastructure master is also configured as a GC, then the infrastructure service is disabled.
• PDC emulator. The domain controller that holds the PDC emulator role is the time source for the domain. The domain controllers that hold the PDC emulator role in each domain of the forest synchronize with the domain controller that has the PDC emulator role in the forest root domain. You set this domain controller to synchronize with an external atomic time source. The PDC emulator is also the domain controller that receives urgent password changes. If a user’s password is changed, the information is sent immediately to the domain controller holding the PDC emulator role. This means that if a user’s password was changed and the user subsequently tried to log on, and was authenticated by a domain controller in a different location that had not yet received the new password, that domain controller would contact the domain controller holding the PDC emulator role and check for recent changes. When a Group Policy Object other than a local one is opened for editing, the copy that is edited is the one stored on the PDC emulator.
Note: The global catalog is not one of the Operations Master roles.
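The following Windows PowerShell script is an added example and is not part of the course material. It reports which domain controllers hold the five operations master roles, checks the infrastructure master placement rule described above (the role must not sit on a global catalog in a multi-domain forest unless every domain controller is a global catalog), and reads the schema version that adprep /forestprep raises. It assumes the Active Directory module is available, which is the case on a domain controller or on a computer with RSAT installed.

```powershell
# Added example; not part of the course material. Reports the operations
# master role holders for the current forest and domain, checks the
# infrastructure master placement rule, and reads the schema version.
# Requires the Active Directory module (domain controller or RSAT).
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Two roles exist once per forest, three once per domain.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $domain.RIDMaster
        'PDC emulator'          = $domain.PDCEmulator
        'Infrastructure master' = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.GetEnumerator()) {
        [pscustomobject]@{ Role = $role.Key; Holder = $role.Value }
    }
}

function Test-InfrastructureMasterPlacement {
    # In a multi-domain forest the infrastructure master must not be a global
    # catalog unless every domain controller is one; otherwise cross-domain
    # group membership references are never refreshed.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $allDcs = Get-ADDomainController -Filter *
    $holder = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $everyDcIsGc = @($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $multiDomain = @($forest.Domains).Count -gt 1

    if ($multiDomain -and $holder.IsGlobalCatalog -and -not $everyDcIsGc) {
        Write-Warning ("Infrastructure master {0} is a global catalog while other DCs are not; " +
                       "move the role or make every DC a global catalog." -f $holder.HostName)
        return $false
    }
    return $true
}

function Get-SchemaVersion {
    # objectVersion on the schema naming context: 44 = Windows Server 2008,
    # 47 = Windows Server 2008 R2, 56 = Windows Server 2012. Check this before
    # introducing Windows Server 2012 domain controllers into an older forest.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
}

# Example use:
Get-OperationsMasterReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
"Schema objectVersion: $(Get-SchemaVersion)"
```

Run the script as a domain user; reading role holders and the schema version needs no administrative rights, so it is a safe check to include in a periodic health report.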
Question: Why would you make a domain controller a global catalog server?
Lesson 3: Installing a Domain Controller
Sometimes you need to install additional domain controllers on your Windows Server 2012 operating system. It might be that the existing domain controllers are overworked and you need additional resources. Perhaps you are planning for a new remote office that requires you to deploy one or more domain controllers. You also might be setting up a test lab or a backup site. The installation method that you use varies with the circumstances.
This lesson examines several ways to install additional domain controllers. It demonstrates the process of using Server Manager to install AD DS on a local machine and on a remote server. This lesson also discusses installing AD DS on a Server Core installation, and installing AD DS on a computer using a snapshot of the AD DS database that is stored on removable media. You will also examine the process of upgrading a domain controller from an earlier Windows operating system to Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how to install a domain controller by using the GUI.
• Explain how to install a domain controller on a Server Core installation of Windows Server 2012.
• Explain how to upgrade a domain controller.
• Explain how to install a domain controller by using Install from Media (IFM).
Installing a Domain Controller by Using a GUI
Prior to Windows Server 2012, it was common practice to use the dcpromo.exe tool to install domain controllers. If you attempt to run dcpromo on a Windows Server 2012 server, you receive the following error message:
“The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see http://go.microsoft.com/fwlink/?LinkId=220921”
Note: The dcpromo.exe tool is a tool that you run on a server to make the server an AD DS domain controller. Until Windows Server 2012, dcpromo.exe has been the preferred method to install AD DS, and it usually runs in GUI mode; however, in Windows Server 2012, this tool is replaced with Server Manager. Dcpromo.exe is still supported for unattended installations from the command-line interface.
When you run Server Manager, you can choose whether the operation is performed on the local computer, on a remote computer, or by members of a server pool. You then choose to add the Active Directory Domain Services role. At the end of the initial installation process, the AD DS binaries are installed, but AD DS is not yet set up on that server. A message to that effect displays in Server Manager.
You can select the link to Promote this server to a domain controller, and then AD DS promotion wizard runs. You are then asked the following questions about the proposed structure.
Required information: Description
• Add a domain controller to an existing domain: Choose whether an additional domain controller is added to a domain.
• Add a new domain to an existing forest: Create a new domain in the forest.
• Add a new forest: Create a new forest.
• Specify the domain information for this operation: Supply information about the existing domain to which the new domain controller will connect.
• Supply the credentials to perform this operation: Enter the name of a user account that has the rights to perform this operation.
Some other information you need to collect before running the promotion is listed in the following table.
Required information: Description
• DNS name for the AD DS domain: For example, adatum.com
• NetBIOS name for the AD DS domain: For example, adatum
• Whether the new forest needs to support domain controllers running previous versions of Windows operating systems (affects the choice of functional level): Will there also be Windows Server 2008 domain controllers?
• Whether this domain controller will contain DNS: Your DNS must be functioning well to support AD DS.
• Location to store the database files (for example, NTDS.DIT, edb.log, or edb.chk): By default, these files are stored in C:\Windows\NTDS.
The wizard continues through several different pages where you can enter prerequisites such as the NetBIOS domain name, DNS configuration, whether this domain controller should be a global catalog server, and the Directory Services Restore Mode password. Finally, you must reboot to complete the installation.
Note: If you need to reinstall the AD DS database from a backup, reboot the domain controller in Directory Services Restore Mode. When the domain controller boots up, it is not running the AD DS services; instead, it is running as a member server in the domain. To log on to that server in the absence of AD DS, log on using the Directory Services Restore Mode password.
Installing a Domain Controller on a Server Core Installation of Windows Server 2012
Install AD DS by using Server Manager to remotely connect to the Server Core server. Once you install the AD DS binaries and the server is rebooted, you can complete the installation and configuration in one of three ways:
• In Server Manager, click the notification icon to complete the post-deployment configuration. This starts the configuration and setup of the domain controller.
• Create an answer file and run dcpromo /unattend:"D:\answerfile.txt", where "D:\answerfile.txt" is the path to the answer file.
• Run dcpromo /unattend with the appropriate switches, for example:
dcpromo /unattend /InstallDns:yes /confirmgc:yes /replicaOrNewDomain:replica /replicadomaindnsname:"mynewdomain.com" /databasePath:"c:\ntds" /logPath:"c:\ntdslogs" /sysvolpath:"c:\sysvol" /safeModeAdminPassword:Pa$$w0rd /rebootOnCompletion:yes
Upgrading a Domain Controller
There are two ways to upgrade to a Windows Server 2012 domain controller: you can either upgrade the operating system on existing domain controllers, or introduce Windows Server 2012 servers as domain controllers. Of the two, the second is the preferred method, because there are no old or disused code and files remaining. Instead, you have a clean installation of the Windows Server 2012 operating system and AD DS database.
Upgrading to Windows Server 2012
For an organization to upgrade an AD DS domain functional level from one running at Windows Server 2008 functional level to one running at Windows Server 2012 functional level, all the domain controllers must first be upgraded from the Windows Server 2008 operating system to the Windows Server 2012 operating system.
You can achieve this by upgrading all of the existing domain controllers to Windows Server 2012, or by introducing new domain controllers running Windows Server 2012 and then phasing out the existing domain controllers.
Although there is no reason to prevent Windows Server 2012 servers from being part of a Windows Server 2008 domain, when the time comes to have domain controllers running Windows Server 2012, you must upgrade the schema. To upgrade the schema, you must run the adprep tool that is included in the Windows Server 2012 installation media.
To upgrade the schema, log on to the schema master for the forest and, in the support\adprep directory of the installation media, run adprep /forestprep from an elevated cmd.exe window. You must be a member of all of the following groups to have the necessary rights to run this command:
• Schema Admins for the forest
• Enterprise Admins for the forest
• Domain Admins for the domain where the schema master resides
In addition, you must run the adprep command again in each domain where you plan to introduce Windows Server 2012 servers as domain controllers. To do this, on the infrastructure master for the domain, in an elevated cmd.exe window, run adprep /domainprep /gpprep.
Introduce Windows Server 2012 Domain Controllers
There are two ways to introduce Windows Server 2012 domain controllers into your domain. You can either upgrade Windows Server 2008 to Windows Server 2012, or you can perform a clean installation. To upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012:
1. Insert the installation disk for Windows Server 2012, and run Setup.
2. After the language selection page, select Install now.
3. After the operating system selection window and the license acceptance page, on the Which type of installation do you want? window, choose Upgrade: Install Windows and keep files, settings, and apps.
With this type of upgrade, there is no need to preserve users’ settings and reinstall applications; everything is upgraded in place. Remember to check for hardware and software compatibility before doing an upgrade.
To introduce a clean install of Windows Server 2012 as a domain member:
1. Deploy and configure a new installation of Windows Server 2012 and join it to the domain.
2. Promote the new server to be a domain controller in the domain by using Server Manager or one of the other methods described previously.
Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2 to Windows Server 2012. To upgrade servers that are running an earlier version of Windows Server, however, you must either perform an interim upgrade to Windows Server 2008 or Windows Server 2008 R2, or perform a clean install.
Installing a Domain Controller by Using IFM
If you have an intervening network that is slow, unreliable, or costly, you might find it necessary to add another domain controller at a remote location or branch office. In this scenario, it is often better to deploy AD DS to a server by using the Install from Media (IFM) method.
For example, if you connect to a server in the remote office and use Server Manager to install AD DS, you will need to copy the entire AD DS database and the SYSVOL folder to the new domain controller. This process must take place over a potentially unreliable wide area network (WAN) connection. As an alternative, and to significantly reduce the amount of traffic copied over the WAN link, you can make a backup of AD DS by using the NTDSUTIL tool. When you run Server Manager to install AD DS, you can then select the option to Install from Media. Most of the copying is then done locally (perhaps from a USB drive), and the WAN link is used only for security traffic, and to ensure that the new domain controller receives any changes that are made after you create the IFM backup.
To install a domain controller by using IFM, browse to a writable domain controller but not an RODC. Use the NTDSUTIL tool to create a snapshot of the AD DS database, and then copy it to the server that will be promoted to a domain controller. Use Server Manager to promote the server to a domain controller by selecting the Install from Media option, and by providing the local path to the IFM directory that you created previously.
The full procedure is as follows:
1. On the full domain controller, type the following commands (where C:\IFM is the destination directory that will contain the snapshot of the AD DS database) at an administrative command prompt, and press Enter after each line:
ntdsutil
activate instance ntds
ifm
create sysvol full C:\IFM
2. On the server that you are promoting to a domain controller, perform the following steps:
a. Use Server Manager to add the AD DS Role.
b. Wait while the AD DS binaries are installed.
c. In Server Manager, click the notification icon to complete the post-deployment configuration and a wizard runs.
d. At the appropriate time during the wizard, select the option to install from IFM, and then provide the local path to the snapshot directory.
AD DS then installs from the snapshot. When the domain controller reboots, it contacts other domain controllers in the domain and updates AD DS with any changes that were made since the snapshot was created.
Additional Reading: For more information about the steps necessary to install AD DS, see http://technet.microsoft.com/en-us/library/hh472162.aspx.
Question: What is the reason to specify the Directory Services Restore Mode password?
Lab: Installing Domain Controllers Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have been asked by your manager to install a new domain controller in the data center to improve logon performance. You have been asked also to create a new domain controller for a branch office by using IFM.
Objectives
After performing this lab, you will be able to:
• Install a domain controller.
• Install a domain controller by using IFM.
Lab Setup
Estimated time: 60 minutes
Virtual Machines 20410A-LON-DC1 (start first)
20410A-LON-SVR1
20410A-LON-RTR
20410A-LON-SVR2
User Name Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect. Wait until the virtual machine starts.
3. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
4. Repeat steps 1 to 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.
Exercise 1: Installing a Domain Controller
Scenario
Users have been experiencing slow logon in London during peak usage times. The server team has determined that the domain controllers are overwhelmed when many users are authenticating simultaneously. To improve logon performance, you are adding a new domain controller in the London data center.
The main tasks for this exercise are as follows:
1. Add an Active Directory® Domain Services (AD DS) role to a member server.
2. Configure a server as a domain controller.
3. Configure a server as a global catalog server.
Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. From Server Manager, add LON-SVR1 to the server list.
3. Add the Active Directory Domain Services server role to LON-SVR1. Add all required features as prompted.
4. Installation takes several minutes. When the installation succeeds, click Close to close the Add Roles and Features Wizard.
Task 2: Configure a server as a domain controller
1. Use Server Manager on LON-DC1 to perform post-deployment configuration to promote LON-SVR1 to a domain controller with the following options:
a. Add a domain controller to the existing adatum.com domain
b. Use the credentials Adatum\Administrator with the password Pa$$w0rd.
c. For Domain Controller Options, install the Domain Name System but remove the selection to install the Global Catalog.
d. DSRM password: Pa$$w0rd.
e. All other options: default.
Task 3: Configure a server as a global catalog server
1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. Use Active Directory Sites and Services to make LON-SVR1 a global catalog server.
Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.
Exercise 2: Installing a domain controller by using IFM
Scenario
You have now been assigned by management to manage one of the new branch offices that are being configured. A faster network connection is scheduled to be installed in a few weeks. Until that time, network connectivity is very slow.
It has been determined that the branch office requires a domain controller to support local logons. To avoid problems with the slow network connection, you are using IFM to install the domain controller in the branch office.
The main tasks for this exercise are as follows:
1. Use the NTDSUTIL tool to generate Install from Media (IFM).
2. Add the AD DS role to the member server.
3. Use IFM to configure a member server as a new domain controller.
Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
• On LON-DC1, open an administrative command-line interface, and use NTDSUTIL to create an IFM backup of the AD DS database and of the SYSVOL folder.
Task 2: Add the AD DS role to the member server
1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.
2. Open a command prompt and map K: to \\LON-DC1\C$\IFM.
3. Add the AD DS server role to LON-SVR2.
Task 3: Use IFM to configure a member server as a new domain controller
1. Open a command prompt and use Robocopy to copy the IFM backup from K: to c:\ifm on LON-SVR2.
2. Use Server Manager on LON-SVR2 to perform the post-deployment configuration of AD DS using the following options:
a. Add a domain controller to the existing adatum.com domain
b. Use Adatum\Administrator with the password Pa$$w0rd for credentials.
c. DSRM password: Pa$$w0rd
d. Use the IFM media to configure and install AD DS.
e. Accept all other defaults.
3. Restart LON-SVR2 to complete the AD DS installation.
Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.
To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.
Module Review and Takeaways Review Questions
Question: What are the two main purposes of organizational units?
Question: Why would an organization need to deploy an additional tree in the AD DS forest?
Question: Which deployment method would you use if you had to install an additional domain controller in a remote location that had a limited WAN connection?
Question: If you needed to promote a Server Core installation of Windows Server 2012 to be a domain controller, which tools could you use?
Module 3 Managing Active Directory Domain Services Objects
Contents: Module Overview 3-1
Lesson 1: Managing User Accounts 3-3
Lesson 2: Managing Group Accounts 3-15
Lesson 3: Managing Computer Accounts 3-22
Lesson 4: Delegating Administration 3-27
Lab: Managing Active Directory Domain Services Objects 3-30
Module Review and Takeaways 3-36
Module Overview
User accounts are fundamental components of network security. Stored in Active Directory® Domain Services (AD DS), they identify users for the purposes of authentication and authorization. Because of their importance, understanding user accounts and the tasks related to supporting them is a critical aspect of administering a Microsoft Windows® enterprise network.
Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role might change over time, but the role will remain relatively the same. For that reason, it is not sensible to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Instead, you should associate management tasks with groups. Consequently, it is important that you know how to use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, and to assign rights and permissions.
Computers, like users, are security principals:
• They have an account with a logon name and password that Windows changes automatically on a periodic basis.
• They authenticate with the domain.
• They can belong to groups, and have access to resources, and you can configure them by using Group Policy.
Managing computers—both the objects in Active Directory and the physical devices—is one of the day-to-day tasks of most IT pros. New computers are added to your organization, taken offline for repairs, exchanged between users or roles, and retired or upgraded. Each of these activities requires managing the computer’s identity, which is represented by its object, or account, and AD DS. As a result, it is important that you know how to create and manage computer objects.
In small organizations, one person may be responsible for performing all of these day-to-day administrative tasks. However, in large enterprise networks, with thousands of users and computers, that is not feasible. It is important for an enterprise administrator to know how to delegate specific administrative tasks to designated users or groups to ensure that enterprise administration is efficient and effective.
Objectives
After completing this module, you will be able to:
• Manage user accounts with graphical tools.
• Manage groups with graphical tools.
• Manage computer accounts.
• Delegate permissions to perform AD DS administration.
Lesson 1: Managing User Accounts
A user object in AD DS is far more than just a handful of properties related to the user’s security identity, or account. It is the cornerstone of identity and access in AD DS. Therefore, consistent, efficient, and secure processes regarding the administration of user accounts are the cornerstone of enterprise security management.
Lesson Objectives
After completing this lesson, you will be able to:
• View AD DS objects by using various AD DS management tools.
• Explain how to create user accounts that you can use in an enterprise network.
• Describe how to configure important user-account attributes.
• Describe how to create user profiles.
• Explain how to use user-account templates to create user accounts.
• Manage user accounts.
AD DS Administration Tools
Before you can begin creating and managing user, group, and computer accounts, it is important that you understand which tools you can use to perform these various management tasks.
Active Directory Administration Snap-ins
Most AD DS administration is performed with the following snap-ins and consoles:
• Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, computers, and organizational units. This is likely to be the most heavily used snap-in for an Active Directory administrator.
• Active Directory Sites and Services. This snap-in manages replication, network topology, and related services.
• Active Directory Domains and Trusts. This snap-in configures and maintains trust relationships and the forest functional level.
• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. It is the blueprint for AD DS. It is rarely viewed, and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.
Note: To administer AD DS from a computer that is not a domain controller, you must install Remote Server Administration Tools (RSAT). RSAT is a feature that can be installed from the Features node of Server Manager on Windows Server® 2012.
You also can install RSAT on Windows clients, including Windows Vista® Service Pack 1 (or newer), Windows® 7, and Windows 8. After you download the RSAT installation files from Microsoft’s website, run the Setup Wizard, which steps you through the installation. After installing RSAT, you must turn on the tool or tools that you want to be visible. To do this, use the Turn Windows Features On or Off command in the Programs And Features application in Control Panel.
Additional Reading: To download the RSAT installation files, see http://www.microsoft.com/downloads.
Active Directory Administrative Center
Windows Server 2012 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built upon Windows PowerShell®. This enhanced interface allows you to perform AD DS object management by using task-oriented navigation. Tasks that you can perform by using the Active Directory Administrative Center include:
• Create and manage user, computer, and group accounts.
• Create and manage organizational units (OUs).
• Connect to, and manage, multiple domains within a single instance of the Active Directory Administrative Center.
• Search and filter Active Directory data by building queries.
Windows PowerShell
You can use the Active Directory Module for Windows PowerShell to create and manage objects in AD DS. Windows PowerShell is not just a scripting language. It also enables you to run commands that perform administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and similar functions.
Windows PowerShell is installed by default on Windows Server 2012, but the Active Directory Module is only present when:
• You install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.
• You run Dcpromo.exe to promote a computer to a domain controller.
• You install RSAT.
Directory Service Command-Line Tools
You also can use the Directory Service command-line tools, in addition to Windows PowerShell. These tools enable you to create, modify, manage, and delete AD DS objects, such as users, groups, and computers. You can use the following commands:
• Dsadd. Use to create new objects.
• Dsget. Use to display objects and their properties.
• Dsmod. Use to edit objects and their properties.
• Dsmove. Use to move objects.
• Dsquery. Use to query AD DS for objects that match criteria that you supply.
• Dsrm. Use to delete objects.
Note: It is possible to pipe the results of the Dsquery command to other Directory Service commands. For example, typing the following at a command prompt returns the office telephone number of all users that have a name starting with John:
dsquery user -name John* | dsget user -office
Creating User Accounts
In AD DS, all users that require access to network resources must be configured with a user account. With this user account, users can authenticate to the AD DS domain and receive access to network resources.
A user account is an object that contains all of the information that defines a user in Windows Server 2012. A user account includes the user name and password, as well as group memberships. A user account also contains many other settings that you can configure based upon your organizational requirements.
With a user account, you can:
• Allow or deny users permission to log on to a computer based on their user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users’ access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.
A user account enables a user to log on to computers and domains with an identity that the domain can authenticate. When creating a user account, you must provide a user logon name, which must be unique in the domain/forest in which the user account is created.
To maximize security, you should avoid multiple users sharing one account, so that each user that logs on to the network has a unique user account and password.
Note: Although AD DS accounts are the focus of this course, you also can store user accounts in the local security accounts manager (SAM) database of each computer, enabling local logon and access to local resources. Local user accounts are, for the most part, beyond the scope of this course.
Creating User Accounts
A user account includes the user name and password, which serve as the logon credentials for a user. A user object also includes several other attributes that describe and manage the user.
You can use the Active Directory Users and Computers console, Active Directory Administrative Center, Windows PowerShell, or the dsadd.exe command-line tool to create a user object.
To create a user object by using the Active Directory Users and Computers console, perform the following steps:
1. Right-click the OU or the container in which you want to create the user, point to New, and then click User.
2. In the First name box, type the user’s first name.
3. In the Initials box, type the user’s middle initial(s).
Note: The Initials property is meant for the initials of a user’s middle name, not the initials of the user’s first or last name.
4. In the Last name box, type the user’s last name.
5. The Full name box is populated automatically, although you can make modifications to it, if necessary.
The Full name box is used to create several attributes of a user object, most notably, the common name (CN) and display name properties. The CN of a user is the name displayed in the details pane of the snap-in, and it must be unique within the container or OU. If you are creating a user object for a person with the same name as an existing user in the same OU or container, you need to enter a unique name in the Full name field.
6. In the User logon name box, type the name with which the user will log on, and from the drop-down list, select the user principal name (UPN) Suffix that will be appended to the user logon name following the @ symbol.
User names in AD DS can contain special characters, including periods, hyphens, and apostrophes. These special characters let you generate accurate user names, such as O’Hare and Smith-Bates. However, certain applications may have other restrictions, so we recommend that you use only standard letters and numerals until you fully test the applications in your enterprise for compatibility with special characters. The list of available UPN suffixes can be managed by using the Active Directory Domains and Trusts snap-in. Right-click the root of the snap-in, click Properties, and use the UPN Suffixes tab to add or remove suffixes. The DNS name of your AD DS domain is always available as a suffix, and you cannot remove it.
7. In the User logon name (pre-Windows 2000) box, enter the pre-Windows 2000 logon name, often called the downlevel logon name. In the AD DS database, the name for this attribute is sAMAccountName.
Note: It is important to implement a user-account naming strategy, especially in large networks where users may share the same full name. A combination of last name and first name, and where necessary, additional characters, should yield a unique user account name. Strictly speaking, it is only the UPN name that must be unique within your AD DS forest. The Full name needs to be unique only within the organizational unit where it resides, while the downlevel name must be unique within that domain.
8. Click Next.
9. Enter a temporary password for the user in the Password and Confirm password boxes.
10. Select the User must change password at next logon check box.
We recommend that you always select this option, so that the user can create a new password unknown to the IT staff. Appropriate support staff can reset the user’s password, if necessary to log on as the user or access the user’s resources. Only users should know their own passwords on a day-to-day basis.
11. Click Next.
12. Review the summary, and then click Finish.
The New Object – User interface allows you to configure a limited number of account-related properties, such as name and password settings. However, a user object in AD DS supports dozens of additional properties, which you can configure after you create the object.
13. Right-click the user object that you created, and then click Properties.
14. Configure the user properties.
15. Click OK.
Configuring User Account Attributes
When you create a user account in AD DS, you are not required to also configure all the associated account properties, or attributes.
Note: The attributes that are associated with a user account are defined as part of the AD DS schema, which members of the Schema Admins security group can modify. Generally, the schema does not change frequently. However, when an enterprise-level application, such as Microsoft Exchange Server 2010, is introduced, many schema changes are required. These changes enable objects, including user objects, to have additional attributes.
When you use Active Directory Users and Computers to create a new user object, you define many attributes beyond those required to allow the user to log on by using the account. Since you can associate a user object with many attributes, it is important that you understand what these attributes are, and how you can use them in your organization.
Attribute Categories
The attributes of a user object fall into several broad categories that appear on tabs of the user properties dialog box, and include:
• Account attributes: The Account tab. These properties include logon names, passwords, and account flags. You can configure many of these attributes when you create a new user with the Active Directory Users and Computers snap-in. The Account Properties section details the account attributes.
• Personal information: The General, Address, Telephones, and Organization tabs. The General tab contains the name properties that you configure when you create a user object, along with the basic description and contact information. The Address and Telephones tabs provide detailed contact information. The Telephones tab also is where the Notes field is located, which corresponds to the info attribute. It is a very useful general-purpose text field that many enterprises underuse. The Organization tab shows the job title, department, company, and organizational relationships.
• User configuration management: The Profile tab. Here, you can configure the user’s profile path, logon script, and home folder.
• Group membership: The Member Of tab. You can add the user to, and remove the user from, groups. You also can change the user’s primary group.
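The wizard steps and the Properties-dialog attributes described above, carried out with the ActiveDirectory PowerShell module. This is an added example, not code from the course; the OU "OU=Sales,DC=contoso,DC=com", the UPN suffix "contoso.com", the share "\\FS01\userdata", the script name and the person's details are placeholder assumptions.

```powershell
# Added example (not from the course): the New Object - User wizard steps,
# done with the ActiveDirectory PowerShell module. The OU, UPN suffix,
# file server share and user details below are placeholder assumptions.
Import-Module ActiveDirectory

$ou        = 'OU=Sales,DC=contoso,DC=com'
$firstName = 'Dan'
$initials  = 'K'                                   # middle initial only, as the note says
$lastName  = 'Smith-Bates'                         # hyphens are legal in AD DS names
$fullName  = "$firstName $initials. $lastName"     # becomes the CN and Name attributes
$samName   = 'dsmithbates'                         # pre-Windows 2000 logon name (sAMAccountName)
$upnSuffix = 'contoso.com'

# The UPN suffix must be the domain's own DNS name or one registered in
# Active Directory Domains and Trusts; Get-ADForest exposes the registered list.
$validSuffixes = @((Get-ADForest).UPNSuffixes) + (Get-ADDomain).DNSRoot
if ($upnSuffix -notin $validSuffixes) {
    throw "UPN suffix '$upnSuffix' is not registered in this forest."
}

# The CN (Full name) must be unique inside the container; the downlevel
# name must be unique in the domain. Check both before creating the object.
if (Get-ADUser -Filter "Name -eq '$fullName'" -SearchBase $ou -SearchScope OneLevel) {
    throw "An object named '$fullName' already exists in $ou."
}
if (Get-ADUser -Filter "SamAccountName -eq '$samName'") {
    throw "The logon name '$samName' is already in use in this domain."
}

# Temporary password, read interactively so it never sits in the script.
$tempPassword = Read-Host -AsSecureString -Prompt "Temporary password for $samName"

# Wizard pages (names, logon names, password, must-change flag) plus the
# Profile and Organization tab attributes from the Properties dialog.
New-ADUser -Name $fullName -GivenName $firstName -Initials $initials -Surname $lastName `
    -DisplayName $fullName -SamAccountName $samName `
    -UserPrincipalName "$samName@$upnSuffix" -Path $ou `
    -AccountPassword $tempPassword -ChangePasswordAtLogon $true -Enabled $true `
    -Department 'Sales' -Company 'Contoso, Ltd.' `
    -HomeDrive 'H:' -HomeDirectory "\\FS01\userdata\$samName" `
    -ProfilePath "\\FS01\userdata\$samName\profile" -ScriptPath 'sales.bat'

# pwdLastSet = 0 is how "User must change password at next logon" is stored.
Get-ADUser -Identity $samName -Properties pwdLastSet, userPrincipalName, homeDirectory |
    Select-Object Name, SamAccountName, UserPrincipalName, HomeDirectory, pwdLastSet
```

Unlike the snap-in, New-ADUser does not create the home folder or substitute %username% in paths, so the script writes the logon name into the path itself; the folder and its permissions still have to be created on the file server.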
• Remote Desktop Services: The Remote Desktop Services Profile, Environment, Remote control, Sessions, and Personal Virtual Desktop tabs. These tabs enable you to configure and manage the user’s experience when the user connects to a Remote Desktop Services session.
• Remote access: The Dial-in tab. You can enable and configure remote access permission for a user on the Dial-in tab.
• Applications: The COM+ tab. This tab enables you to assign the user to an Active Directory COM+ partition set. This feature facilitates the management of distributed applications.
Viewing All Attributes
The Attribute Editor tab allows you to view and edit all attributes of a user object.
Note: The Attribute Editor tab is not visible until you enable Advanced Features from the View menu of the Microsoft Management Console (MMC).
The Attribute Editor displays all system attributes of the selected object. The Filter button enables you to choose to see even more attributes, including backlinks and constructed attributes.
Backlinks are attributes that result from references to the object from other objects. The easiest way to understand backlinks is to look at an example: the memberOf attribute:
• When a user is added to a group, it is the group’s member attribute that is changed. The distinguished name of the user is added to this multivalued attribute.
• The member attribute of a group is called a forward link attribute.
• A user’s memberOf attribute is updated automatically by AD DS when the user is referred to by a group’s member attribute. In other words, you do not ever write directly to the user’s memberOf attribute. AD DS maintains it dynamically.
A constructed attribute is one of the results from a calculation that AD DS performs. An example is the tokenGroups attribute. This attribute is a list of the security identifiers (SIDs) of all the groups to which the user belongs, including nested groups. To determine the value of tokenGroups, AD DS must calculate the effective membership of the user, which takes a few processor cycles. Because of this, the attribute is not stored as part of the user object, nor is it dynamically maintained. Instead, it is calculated when needed. Because of the processing required to produce constructed attributes, the Attribute Editor tab does not display them by default. In addition, you cannot use constructed attributes in Lightweight Directory Access Protocol (LDAP) queries.
Modifying Attributes for Multiple Users
The Active Directory Users and Computers snap-in enables you to modify the properties of multiple user objects simultaneously. To modify attributes of multiple users in the Active Directory Users and Computers snap-in:
1. Select several user objects by holding the Ctrl key as you click each user, or by using any other multiple-selection technique. Be certain that you select only objects of one class, such as users.
2. After you select the objects, right-click any one of them, and then click Properties.
When you have selected the user objects, a subset of properties is available for modification:
• General: Description, Office, Telephone Number, Fax, Web page, E-mail
• Account: UPN suffix, Logon hours, Computer restrictions (logon workstations), all Account options, and Account expires
• Address: Street, P.O. Box, City, State/province, ZIP/Postal Code, and Country/region
• Profile: Profile path, Logon script, and Home folder
• Organization: Job Title, Department, Company, and Manager
Creating User Profiles
Some of the optional properties that you can configure for your user accounts are located on the Profile tab of the Account Property page.
You can configure three properties on this page:
• Profile path. This is either a local, or more usually, a UNC path. The user’s desktop settings are stored in the profile. Once you define a user profile by using a UNC path, then whichever domain computer services a user’s logon, their desktop settings will be available. This is known as a roaming profile.
Note: It is good practice to use a subfolder of the user’s home folder for the user’s profile path.
• Logon script. This is the name of a batch file that contains commands that execute when the user logs on. Typically, you use these commands to create drive mappings. Rather than use a logon script batch file, it is more usual for administrators to implement logon scripts by using Group Policy Objects (GPOs) or Group Policy Preferences. If you use a logon script, this value should be in the form of a filename (with extension) only. Scripts should be stored in the C:\Windows\SYSVOL\domain\scripts folder on all domain controllers.
• Home folder. This value enables you to create a personal storage area in which users can save their personal documents. You can specify either a local path, or more usually, a UNC path to the user’s folder. You also must specify a drive letter that is used to map a network drive to the specified UNC path.
When configuring the profile path and home folder locations, if you use the variable %username% in the path, this is substituted for the actual user name during application of the properties. Additionally, so long as the shared parent folder exists, and the administrator modifying the account properties has at least Modify File permissions on the shared folder, then the user’s subfolder is created automatically. In this instance, the file permissions are modified on the newly-created subfolder so that the user has full control of his or her home folder.
Creating User Accounts with User Account Templates
Users in a domain often share many similar properties. For example, all sales representatives can belong to the same security groups, log on to the network during similar hours, and have home folders and roaming profiles stored on the same server. Because of this, to save time when creating a new user, you can copy an existing user account rather than create a blank account and populate each property.
If you want to create multiple users with broadly similar properties, you can use a user account template. A user account template is a generic user account that you have populated with common properties. For example, you can create a template account for sales representatives, which you then configure with group memberships, logon hours, a home folder, and roaming profile path.
To create a user account template, perform the following steps:
1. Create a user account, and prepopulate it with the appropriate attributes.
2. Disable the user account template so that the template account cannot be used to log on to the network.
To create a user based on the template, perform the following steps:
1. Right-click the user account template, and then click Copy. The Copy Object – User Wizard appears.
2. In the First name box, type the user’s first name.
3. In the Last name box, type the user’s last name.
4. Modify the Full name value, if necessary.
5. In the User logon name box, type the user logon name, and then select the appropriate UPN suffix from the drop-down list.
6. In the User logon name (pre-Windows 2000) box, type the user’s user name.
7. Click Next.
8. In the Password box and the Confirm password box, type the user’s password.
9. Select the appropriate password options.
10. If you created the new user account by copying a disabled user account, clear the Account is disabled check box to enable the new account.
It is important to understand that not all attributes are copied. The following list summarizes the attributes that are copied:
• General tab. No properties are copied from the General tab.
• Address tab. P.O. box, city, state or province, ZIP or postal code, and country or region are copied. Note that the street address itself is not copied.
• Account tab. Logon hours, logon workstations, account options, and account expiration are copied.
• Profile tab. Profile path, logon script, home drive, and home folder path are copied.
• Organization tab. Department, company, and manager are copied.
• Member Of tab. Group membership and primary group are copied.
It is not useful to configure any other attributes in the template, because they will not be copied.
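The template copy described above, reproduced with the ActiveDirectory PowerShell module so that exactly the listed tabs are transferred and nothing from the General tab. This is an added example, not code from the course; the template name "_Sales_template", the new user "Ed Meadows" with logon name "Ed", and the use of %username% in the template's paths are assumptions.

```powershell
# Added example (not from the course): copy a user from a disabled template
# account the way the ADUC "Copy" command does, transferring only the tabs
# the course lists (Address, Account, Profile, Organization, Member Of).
# Placeholder names: template "_Sales_template", new user "Ed Meadows" / "Ed".
Import-Module ActiveDirectory

$templateSam = '_Sales_template'
$newSam      = 'Ed'
$newFirst    = 'Ed'
$newLast     = 'Meadows'
$newFull     = "$newFirst $newLast"

# Attribute names as the AD module exposes them; logonHours is the raw LDAP
# attribute because the module has no friendly name for it.
$addressAttrs = 'POBox', 'City', 'State', 'PostalCode', 'Country'
$accountAttrs = 'LogonWorkstations', 'AccountExpirationDate'
$profileAttrs = 'ProfilePath', 'ScriptPath', 'HomeDrive', 'HomeDirectory'
$orgAttrs     = 'Department', 'Company', 'Manager'
$copied       = $addressAttrs + $accountAttrs + $profileAttrs + $orgAttrs + 'logonHours', 'MemberOf', 'Enabled'

$template = Get-ADUser -Identity $templateSam -Properties $copied
if ($template.Enabled) {
    throw "Template '$templateSam' is enabled; a template must stay disabled so nobody can log on with it."
}

# Build the New-ADUser parameters, skipping attributes the template leaves empty.
$params = @{
    Name                  = $newFull
    GivenName             = $newFirst
    Surname               = $newLast
    SamAccountName        = $newSam
    UserPrincipalName     = "$newSam@$((Get-ADDomain).DNSRoot)"
    Path                  = ($template.DistinguishedName -split ',', 2)[1]   # same OU as the template
    AccountPassword       = (Read-Host -AsSecureString -Prompt "Password for $newSam")
    ChangePasswordAtLogon = $true
    Enabled               = $true        # the copy is enabled; the template stays disabled
}
foreach ($attr in ($addressAttrs + $accountAttrs + $orgAttrs)) {
    if ($null -ne $template.$attr -and "$($template.$attr)" -ne '') { $params[$attr] = $template.$attr }
}
# Profile paths in a template are normally written with %username%, which the
# snap-in substitutes at copy time; do the same substitution here.
foreach ($attr in $profileAttrs) {
    if ($template.$attr) { $params[$attr] = $template.$attr -replace '%username%', $newSam }
}
if ($template.logonHours) { $params['OtherAttributes'] = @{ logonHours = $template.logonHours } }

New-ADUser @params

# Member Of tab: group memberships are copied by adding the new user to each group.
foreach ($groupDn in $template.MemberOf) {
    Add-ADGroupMember -Identity $groupDn -Members $newSam
}

# Compare the result with the template; General-tab values (description,
# telephone, e-mail) are deliberately absent on the copy.
Get-ADUser -Identity $newSam -Properties $copied |
    Select-Object Name, SamAccountName, Enabled, Department, HomeDirectory, ProfilePath, MemberOf
```

The enabled-state check is the part worth keeping: a template that someone has enabled is a ready-made logon account with a known password pattern, and the copy operation is where that is most cheaply caught.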
Demonstration: Managing User Accounts by Using Active Directory Users and Computers
After you have created a user account, there are a number of tasks that you perform that are considered Account Management tasks, and may include:
• Renaming a user account.
• Resetting a user password.
• Unlocking a user account.
• Disabling or enabling a user account.
• Moving a user account.
• Deleting a user account.
Renaming a User Account
When you need to rename a user account, there can be one or more attributes that you must change.
To rename a user in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user, and then click Rename.
2. Type the new common name (CN) for the user, and press Enter.
The Rename User dialog box appears and prompts you to enter additional name attributes.
3. Type the Full name (which corresponds to the CN and Name attributes).
4. Type the First name and Last name.
5. Type the Display name.
6. Type the User logon name and User logon name (pre-Windows 2000).
Reset a User Password
When attempting to log on, a user who forgets the logon password will see a logon error message.
Before the user can log on successfully, you must reset the password. You do not need to know the user’s old password to do so.
To reset a user’s password in the Active Directory Users and Computers snap-in:
1. Right-click the user object, and then click Reset Password.
The Reset Password dialog box appears.
2. Enter the new password in both the New Password and Confirm Password boxes.
It is a best practice to assign a temporary, unique, strong password for the user.
3. Select the User Must Change Password at Next Logon check box.
It is a best practice to force the user to change the password at the next logon, so that the user creates a password known only by the user.
4. Click OK.
5. Communicate the temporary password to the user in a secure manner.
Unlocking a User Account
An Active Directory domain supports account lockout policies. A lockout policy is designed to prevent intruders from penetrating the enterprise network by attempting to log on repeatedly with various passwords until they find the correct password. When users attempt to log on with an incorrect password, a logon failure is generated. When too many logon failures occur within a specified period of time, which you define in the lockout policy, the account is locked out. The next time that users attempt to log on, a notification clearly states the account lockout.
Your lockout policy can define a period of time after which a locked-out account is unlocked automatically. But when users try to log on and discover that they are locked out, it is likely they will contact the help desk for support.
To unlock a user account in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user object, and then click Properties.
2. Click the Account tab.
3. Select the Unlock Account check box.
Windows Server 2012 also provides the option to unlock a user’s account when you choose the Reset Password command.
To unlock a user account while resetting the user’s password, perform the following step:
• In the Reset Password dialog box, select the Unlock the user’s account check box.
This method is particularly handy when a user’s account is locked out because the user did, in fact, forget the password. You can now assign a new password, specify that the user must change the password at the next logon, and unlock the user’s account: all in one dialog box.
Note: Watch for drives mapped with alternate credentials, because this is a common cause of account lockout. If the password is changed, and the Windows client attempts repeatedly to connect to the drive, that account is locked out.
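The unlock and reset procedure above, together with the check the note recommends for mapped drives, as an added example with the ActiveDirectory module (not code from the course). It assumes the Security log of the PDC emulator is readable by the caller and that the lockout event's first two data fields are the account name and the caller computer name, which is how event 4740 is laid out.

```powershell
# Added example (not from the course): list locked-out accounts, find which
# computer generated the bad passwords, then reset and unlock in one step
# as the Reset Password dialog does. Assumes the ActiveDirectory module and
# read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

# 1. Which accounts are currently locked out?
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate |
    Format-Table -AutoSize

# 2. Where did the failures come from? Lockouts are processed by the PDC
#    emulator, which logs event 4740 ("A user account was locked out") with
#    the caller computer name. A workstation with a drive mapped using old
#    credentials shows up here repeatedly.
function Get-LockoutSource {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Event 4740 data fields: [0] TargetUserName, [1] TargetDomainName (caller computer)
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $e.Properties[0].Value
            Source  = $e.Properties[1].Value
        }
    }
}
Get-LockoutSource | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. The help-desk path when the user really did forget the password:
#    unlocking alone leaves the forgotten password in place, resetting alone
#    leaves the account locked, so do both and force a change at next logon.
function Reset-AndUnlock {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $new = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordExpired |
        Select-Object SamAccountName, LockedOut, PasswordExpired
}
# Reset-AndUnlock -SamAccountName 'dsmithbates'   # placeholder account name
```

If the source computer reported by event 4740 keeps locking the same account after a reset, fix the stale credential on that computer first; unlocking again only restarts the lockout counter.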
Disabling and Enabling User Accounts
User accounts are security principals that can be given access to network resources. Each user is a member of Domain Users and of the Authenticated Users special identity. By default, each user account has at least Read access to the information stored in Active Directory. For this reason, it is important not to leave user accounts open. This also means that you should configure password policies, auditing, and procedures to ensure that accounts are being used appropriately.
If a user account is provisioned before it is needed, or if the employee for whom you have set up an account is, or will be, absent for an extended period, disable the account.
To disable an account in the Active Directory Users and Computers snap-in:
• Right-click a user, and then click Disable Account.
If an account is disabled already, the Enable Account command appears when you right-click the user.
Moving a User Account
To move a user object in the Active Directory Users and Computers snap-in, perform the following steps:
1. Right-click the user, and then click Move.
2. Click the folder to which you want to move the user account, and then click OK.
Alternatively, you can drag the user object to the destination OU.
Deleting a User Account
When an account is no longer necessary, you can delete it from your directory.
To delete a user account in Active Directory Users and Computers, perform the following steps:
1. Select the user and press Delete; or right-click the user, and then click Delete.
You are prompted to confirm your choice because of the significant implications of deleting a security principal.
2. Confirm the prompt by clicking OK.
Demonstration
This demonstration shows how to:
1. Open Active Directory Users and Computers.
2. Delete a user account.
3. Create a template account.
4. Create a new user account from a template.
5. Modify the user account properties.
6. Rename the user account.
7. Move the user account.
Demonstration Steps
Open Active Directory Users and Computers
1. Log on as Administrator.
2. Open Active Directory Users and Computers.
Delete a user account
• Locate Ed Meadows in the Managers OU, and delete the account.
Create a template account
1. Create a folder called C:\userdata, and share it. Grant Everyone Full Control shared permissions on the folder. Note that the NTFS permissions remain unaffected.
2. Create a new user account called _Managers_template. Ensure that the account is created in a disabled state with a strong password.
3. Modify the properties of the template account so that it has a Home folder located in the new shared folder.
Create a new user account from a template
1. Copy the template account, and then configure the new user account with the Full name Ed Meadows, and the logon name of Ed.
2. Configure a strong password, and then enable the account.
Modify the user account properties
1. Open the Ed Meadows account, and then verify that the Home folder has been automatically defined as part of the copy process.
2. View additional properties.
Rename the user account
• Rename the account Ed Meadows2, but cancel the operation after viewing the options for renaming the various account names.
Move the user account
• Move the Ed Meadows account to the IT OU.
Lesson 2
Managing Group Accounts
While it might be practical, even desirable, to assign permissions and abilities to individual user accounts in small networks, it becomes impractical and inefficient in large enterprise networks. For example, if many users need the same level of access to a folder, it is more efficient to create a group that contains the required user accounts, and assign the group the required permissions. This has the added benefit of enabling you to change a user’s file permissions by adding or removing them from groups rather than editing the file permissions directly.
Before implementing groups in your organization, you must understand about the scope of various Windows Server group types, and how best to use these types to manage access to resources or to assign management rights and abilities.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe group types.
• Describe group scopes.
• Explain how to implement group management.
• Describe default groups and special identities.
• Manage groups in Windows Server.
Group Types
In a Windows Server enterprise, there are two types of groups: security and distribution. When you create a group, you choose the group type in the New Object – Group dialog box.
Distribution groups, which are not security-enabled, are used primarily by email applications. This means that they do not have SIDs, so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all group members.
Security groups are security principals with SIDs. You can therefore use these groups in permission entries in access control lists (ACLs) to control security for resource access. You also can use security groups as a means of distribution for email applications. If you want to use a group to manage security, it must be a security group.
Note: The default group type is Security.
Because you can use security groups for both resource access and email distribution, many organizations use only security groups. However, we recommend that if a group is used only for email distribution, you should create the group as a distribution group. Otherwise, the group is assigned a SID, and the SID is added to the user’s security access token, which can lead to an unnecessary size increase of the security token.
Note: The benefit of using distribution groups becomes more evident in large-scale Exchange Server deployments, especially where there is a need to nest these distribution groups across the enterprise.
Group Scopes
Windows Server supports the notion of group scoping. The scope of a group determines both the range of a group’s abilities or permissions, and the group membership. There are four group scopes:
• Local. These exist on stand-alone servers or workstations, on domain-member servers that are not domain controllers, or on domain member workstations. Local groups are truly local, which means that they are available only on the computer where they exist. The important characteristics of a local group are:
  o You can assign abilities and permissions only on local resources, meaning on the local computer.
  o Members can be from anywhere in the AD DS forest, and can include:
    Any security principals from the domain: users, computers, global groups, or domain local groups.
    Users, computers, and global groups from any domain in the forest.
    Users, computers, and global groups from any trusted domain.
    Universal groups defined in any domain in the forest.
• Domain Local. These are used primarily to manage access to resources or to assign management responsibilities (rights). Domain local groups exist on domain controllers in an AD DS forest, and consequently, the group’s scope is localized to the domain in which they reside. The important characteristics of domain local groups are:
  o You can assign abilities and permissions only on domain local resources, meaning on all computers in the local domain.
  o Members can be from anywhere in the AD DS forest, and can include:
    Any security principals from the domain: users, computers, global groups, or domain local groups.
    Users, computers, and global groups from any domain in the forest.
    Users, computers, and global groups from any trusted domain.
    Universal groups defined in any domain in the forest.
• Global. These are used primarily to consolidate users that have similar characteristics. For example, global groups often are used to consolidate users that are part of a department or geographic location. The important characteristics of global groups are:
  o You can assign abilities and permissions anywhere in the forest.
  o Members can be only from the local domain, and can include:
    Users, computers, and global groups from the local domain.
• Universal. These groups are most useful in multidomain networks as they combine the characteristics of both domain local groups and global groups. Specifically, the important characteristics of universal groups are:
  o You can assign abilities and permissions anywhere in the forest, as with global groups.
  o Members can be from anywhere in the AD DS forest, and can include:
    Users, computers, and global groups from any domain in the forest.
    Universal groups defined in any domain in the forest.
  o Properties of universal groups are propagated to the global catalog, and made available across the enterprise on all domain controllers that host the global catalog role. This makes universal groups’ membership lists more accessible, which can be useful in multidomain scenarios. For example, if a universal group is used for email distribution purposes, the process for determining the membership list typically is quicker in distributed multidomain networks.
Implementing Group Management
Adding groups to other groups—a process called nesting—can create a hierarchy of groups that support your business roles and management rules. Now that you have learned the business purposes and technical characteristics of groups, it is time to align the two in a strategy for group management.
Earlier in this lesson, you learned what types of objects can be members of each group scope. Now it is time to identify what types of objects should be members of each group scope. This leads to the best practice for group nesting, known as IGDLA, which is:
• Identities
• Global groups
• Domain local groups
• Access
Identities (user and computer accounts) are members of global groups, which represent business roles. Those role groups (global groups) are members of domain local groups, which represent management rules, for example, determining who has Read permission to a specific collection of folders. These rule groups (domain local groups) are granted access to resources. In the case of a shared folder, access is granted by adding the domain local group to the folder’s ACL, with a permission that provides the appropriate level of access.
Note: This approach to group nesting was earlier known as AGDLP, which stands for: accounts, global groups, domain local groups, permissions. The terminology used in this course, IGDLA, has a more general scope of application, and it also aligns with industry-standard terminology.
In a multidomain forest, there are universal groups also, which fit in between global and domain local groups. Global groups from multiple domains are members of a single universal group. That universal group is a member of domain local groups in multiple domains. You can remember the nesting as IGUDLA.
IGDLA Example
This best practice for implementing group nesting translates well even in multi-domain scenarios. Consider the following scenario, which describes the use of IGDLA.
This figure on the slide represents a group implementation that reflects not only the technical view of group management best practices (IGDLA), but also the business view of role-based, rule-based management.
Consider the following scenario:
The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a folder called Sales. The sales force needs Read access to the Sales folder. Additionally, a team of auditors from Woodgrove Bank, a potential investor, require Read access to the Sales folder to perform the audit. You would perform the following steps to implement the security required by this scenario:
1. Assign users with common job responsibilities or other business characteristics to role groups implemented as global security groups. Do this separately in each domain. Salespeople at Contoso are added to a Sales role group; Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in the domain containing the resource that is being managed. In this case, the Sales folder resides in the Contoso domain. The resource access management rule group is created as a domain local group, ACL_Sales Folders_Read.
3. Add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain, such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group.
4. Assign the permission that implements the required level of access. In this case, grant the Allow Read permission to the domain local group.
This strategy results in two single points of management, reducing the management burden. There is one point of management that defines who is in Sales, and one that defines who is an Auditor. Those roles, of course, are likely to have access to a variety of resources beyond simply the Sales folder. There is another single point of management to determine who has Read access to the Sales folder. Furthermore, the Sales folder may not just be a single folder on a single server. It could be a collection of folders across multiple servers, each of which assigns the Allow Read permission to the single domain local group.
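The Contoso scenario built with the ActiveDirectory PowerShell module, then checked through the three attribute kinds described under "Viewing All Attributes": the group's member forward link, the user's memberOf backlink, and the constructed tokenGroups attribute. This is an added example, not code from the course; the OU "OU=Groups,DC=contoso,DC=com", the share "\\FS01\Sales" and the user "dsmithbates" are placeholder assumptions, and the Woodgrove auditors' group is left out because it lives in a separate trusted forest.

```powershell
# Added example (not from the course): IGDLA nesting for the Sales folder,
# followed by forward-link, backlink and constructed-attribute checks.
# Placeholders: the group OU, the share path and the user name.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=contoso,DC=com'
$share   = '\\FS01\Sales'
$user    = 'dsmithbates'
$netbios = (Get-ADDomain).NetBIOSName

# G: a role group with global scope, so it can be nested into rule groups anywhere in the forest.
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description 'Role: Contoso sales force'

# DL: a rule group with domain local scope, created in the domain that holds the resource.
New-ADGroup -Name 'ACL_Sales Folders_Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Rule: Read access to $share"

# I -> G -> DL: identities join the role group; the role group joins the rule group.
# A global group from a trusted forest is nested into the rule group the same way.
Add-ADGroupMember -Identity 'Sales' -Members $user
Add-ADGroupMember -Identity 'ACL_Sales Folders_Read' -Members 'Sales'

# A: the permission is granted once, to the rule group, on the folder ACL.
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$netbios\ACL_Sales Folders_Read",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Forward link: the group's member attribute is the value that was actually written.
(Get-ADGroup -Identity 'Sales' -Properties member).member

# Backlink: memberOf on the user was never written directly; AD DS derived it
# from the group's member attribute. It lists only direct memberships, so
# the rule group does not appear here.
(Get-ADUser -Identity $user -Properties memberOf).memberOf

# Constructed attribute: tokenGroups is computed on request and resolves
# nesting, so both Sales and ACL_Sales Folders_Read appear (as SIDs, translated here).
(Get-ADUser -Identity $user -Properties tokenGroups).tokenGroups |
    ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value }
```

The difference between the memberOf and tokenGroups output is the practical reason to read tokenGroups when reviewing what a user can actually reach: memberOf shows the role group only, while the constructed value shows the rule group that carries the permission.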
Default Groups and Special Identities
Default Groups
There are a number of groups that are created automatically on a Windows Server 2012 server. These are called default local groups, and they include well-known groups, such as Administrators, Backup Operators, and Remote Desktop Users. There are additional groups that are created in a domain, both in the Builtin and Users containers, including Domain Admins, Enterprise Admins, and Schema Admins. The following list provides a summary of capabilities of the subset of default groups that have significant permissions and user rights related to the management of AD DS:
• Enterprise Admins (in the Users container of the forest root domain). This group is a member of the Administrators group in every domain in the forest, giving it complete access to the configuration of all domain controllers. It also owns the Configuration partition of the directory and the domain naming context in all forest domains.
• Schema Admins (Users container of the forest root domain). This group owns and has full control of the Active Directory schema.
• Administrators (Builtin container of each domain). This group has complete control over all domain controllers and data in the domain naming context. It can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins. The Administrators group in the forest root domain is arguably the most powerful service administration group in the forest.
• Domain Admins (Users container of each domain). This group is added to the Administrators group of its domain. It therefore inherits all of the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, giving Domain Admins ownership of all domain computers.
• Server Operators (Builtin container of each domain). This group can perform maintenance tasks on domain controllers. It has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.
• Account Operators (Builtin container of each domain). This group can create, modify, and delete accounts for users, groups, and computers located in any OU in the domain (except the Domain Controllers OU), and in the Users and Computers containers. Account Operators cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators also can log on locally to domain controllers. By default, this group has no members.
• Backup Operators (Builtin container of each domain). This group can perform backup and restore operations on domain controllers, and log on locally and shut down domain controllers. By default, this group has no members.
• Print Operators (Builtin container of each domain). This group can maintain print queues on domain controllers. It also can log on locally and shut down domain controllers.
3-20 Managing Active Directory Domain Services Objects
You need to carefully manage the default groups that provide administrative privileges, because they typically have broader privileges than are necessary for most delegated environments, and because they often apply protection to their members.
The Account Operators group is a good example of this. If you examine the capabilities of the Account Operators group in the preceding list, you can see that its rights are very broad—it can even log on locally to a domain controller. In very small networks, such rights would probably be appropriate for one or two individuals who typically would be domain administrators anyway. In large enterprises, the rights and permissions granted to Account Operators usually are far too broad.
Additionally, the Account Operators group is, like the other administrative groups, a protected group.
Protected groups are defined by the operating system and cannot be unprotected. Members of a protected group become protected. The result of protection is that the permissions (ACLs) of members are modified so that they no longer inherit permissions from their OU, but rather receive a copy of an ACL that is quite restrictive. For example, if you add Jeff Ford to the Account Operators group, his account becomes protected, and the help desk, which can reset all other user passwords in the Employees OU, cannot reset Jeff Ford’s password.
You should try to avoid adding users to the following groups that do not have members by default: Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom groups to which you assign permissions and user rights that achieve your business and administrative requirements.
For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations that could lead to database rollback or corruption, and should not be able to shut down a domain controller, do not put Scott in the Backup Operators group. Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a member.
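An audit of the groups this section warns about, as an added example that is not part of the course text: it lists members of the four operator groups that are empty by default and reports protected accounts (adminCount = 1) whose ACL no longer inherits, including accounts that have since left every protected group. It assumes the ActiveDirectory module and its AD: drive.

```powershell
# Added example (not from the course): audit the default administrative groups and
# AdminSDHolder protection. Assumes the ActiveDirectory module and the AD: drive.
Import-Module ActiveDirectory

$operatorGroups = 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-OperatorGroupMembers {
    # These four groups have no members by default; anyone listed here holds broad
    # rights (for example, local logon on domain controllers) that a custom group
    # with only the needed user right would avoid.
    foreach ($g in $operatorGroups) {
        $members = @(Get-ADGroupMember -Identity $g -Recursive)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $g; Member = '(none, as expected by default)'; Class = '' }
        }
        foreach ($m in $members) {
            [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Class = $m.objectClass }
        }
    }
}

function Get-ProtectedUsers {
    # AdminSDHolder stamps adminCount = 1 on members of protected groups, blocks
    # inheritance on the account and copies a restrictive ACL onto it. The protected
    # groups themselves carry adminCount = 1, which is used here to find them.
    $protectedGroupSids = @(Get-ADGroup -LDAPFilter '(adminCount=1)').SID
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, tokenGroups |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            $groupSids = @($_.tokenGroups)          # every nested group the account is in
            $stillProtected = @($groupSids | Where-Object { $protectedGroupSids -contains $_ }).Count -gt 0
            [pscustomobject]@{
                User                 = $_.SamAccountName
                InheritanceBlocked   = $acl.AreAccessRulesProtected
                StillInProtectedGroup = $stillProtected
            }
        }
}

Get-OperatorGroupMembers | Format-Table -AutoSize
# Accounts with StillInProtectedGroup = False keep the restrictive ACL after leaving
# the group: the help desk still cannot reset their passwords until adminCount is
# cleared and inheritance is re-enabled on the account. Review those first.
Get-ProtectedUsers | Format-Table -AutoSize
```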
Special Identities
Windows and AD DS also support special identities, which are groups for which membership is controlled by the operating system. You cannot view the groups in any list (in the Active Directory Users and Computers snap-in, for example), you cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions. The most important special identities, often referred to as groups (for convenience), are described in the following list:
• Anonymous Logon. This identity represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a default member of the Everyone group.
• Authenticated Users. This represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.
• Everyone. This identity includes Authenticated Users and the Guest account. On computers that are running versions of Windows that precede Windows Server 2003, this group includes Anonymous Logon.
• Interactive. This represents users accessing a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is added to the Interactive group automatically for that resource. Interactive also includes users logged on through a Remote Desktop connection.
• Network. This represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.
The importance of these special identities is that you can use them to provide access to resources based on the type of authentication or connection, rather than the user account. For example, you could create a folder on a system that allows users to view its contents when they are logged on locally to the system, but that does not allow the same users to view the contents from a mapped drive over the network. You could achieve this by assigning permissions to the interactive special identity.
Demonstration: Managing Groups
This demonstration shows how to:
1. Create a new group.
2. Add members to the group.
3. Add a user to the group.
4. Change the group type and scope.
Demonstration Steps
Create a new group
1. Open Active Directory Users and Computers.
2. Create a new Global Security group in the IT OU called IT Managers.
Add members to the group
• Select multiple users, and then add them to the new group.
Add a user to the group
• Open the properties of Ed Meadows, and from the Member Of tab, add him to the IT Managers group.
Change the group type and scope
• Open the properties of the IT Managers group, and on the General tab, change the group scope to Universal and the type to Distribution.
Lesson 3
Managing Computer Accounts
A computer account begins its life cycle when you create it and join it to your domain. Thereafter, day-to-day administrative tasks include the following:
• Configuring computer properties.
• Moving the computer between OUs.
• Managing the computer itself.
• Renaming, resetting, disabling, enabling, and eventually deleting the computer object.
It is important that you know how to perform these various computer-management tasks so you can configure and maintain the computer objects within your organization.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the purpose of the AD DS Computers container.
• Describe how to configure the location of computer accounts.
• Explain how to control who has permission to create computer accounts.
• Describe computer accounts and the secure channel.
• Explain how to reset the secure channel.
What Is the Computers Container?
Before you create a computer object in the directory service, you must have a place to put it.
When you create a domain, the Computers container is created by default (CN=Computers). This container is not an OU. It is an object of the Container class.
There are subtle but important differences between a container and an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container. You also cannot link a GPO to a container. Therefore, we recommend that you create custom OUs to host computer objects, instead of using the Computers container.
Specifying the Location of Computer Accounts
Most organizations create at least two OUs for computer objects: one to host computer accounts for client computers, such as desktops, laptops, and other user systems, and another for servers. These two OUs are in addition to the Domain Controllers OU that is created by default during the AD DS installation.
Computer objects are created in both OUs. There is no technical difference between a computer object in a client’s OU and a computer object in a server’s or domain controller’s OU; computer objects are computer objects. However, separate OUs typically are created to provide unique scopes of management, so that you can delegate management of client objects to one team and management of server objects to another.
Your administrative model might necessitate further dividing your client and server OUs. Many organizations create sub-OUs beneath a server OU, to collect and manage specific types of servers. For example, you might create an OU for file and print servers, and an OU for database servers. By doing so, you can delegate permissions to manage computer objects in the appropriate OU to the team of administrators for each type of server. Similarly, geographically-distributed organizations with local desktop-support teams often divide a parent OU for clients into sub-OUs for each site. This approach enables each site’s support team to create computer objects in the site OU for client computers, and to join computers to the domain by using those computer objects.
These specific examples aside, what is most important is that your OU structure reflects your administrative model so that your OUs can provide single points of management for the delegation of administration.
Additionally, by using separate OUs, you can create various baseline configurations by using different GPOs that are linked to the client and the server OUs. With Group Policy, you can specify configuration for collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for organizations to separate clients into desktop and laptop OUs. You then can link GPOs that specify desktop or laptop configuration to the appropriate OUs.
Controlling Permissions to Create Computer Accounts
Three conditions are required for you to join a computer to an Active Directory domain:
• A computer object should be created in the directory service.
• You must have appropriate permissions on the computer object. The permissions allow you to join a physical computer with a name that matches that of the object in AD DS to the domain.
• You must be a member of the local Administrators group on the computer. This allows you to change the computer’s domain or workgroup membership.
Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. However, many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain by using an existing object. When Windows does not find the object, it falls back and creates a computer object in the default Computers container.
The process of creating a computer account in advance is called prestaging a computer. There are two major advantages of prestaging a computer:
• The account is in the correct OU and is therefore delegated according to the security policy defined by the ACL of the OU.
• The computer is within the scope of GPOs linked to the OU, before the computer joins the domain.
After you have been given permission to create computer objects, you can do so by right-clicking the OU and choosing Computer from the New menu. Enter the computer name, following the naming convention of your enterprise, and select the user or group that will be allowed to join the computer to the domain with this account. The two computer names—Computer Name and Computer Name (Pre-Windows 2000)—should be the same. There is very rarely a justification for configuring them separately.
Note: You can use the Redircmp.exe command-line tool to reconfigure the default computer container. For example, if you want to change the default computer container to an organizational unit called mycomputers, use the following syntax: redircmp ou=mycomputers,DC=contoso,dc=com
Delegating Permissions
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, as discussed earlier, we recommend that you tightly restrict membership in the first three groups, and that you do not add Administrators to the Account Operators group.
Instead, you should delegate the permission to create computer objects (called Create Computer Objects) to appropriate administrators or support personnel. This permission, assigned to an OU’s group, allows group members to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU, and allow your file server administrators to create computer objects in the file servers OU. To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose a custom task to delegate. The next lesson discusses delegation.
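The Create Computer Objects delegation described above, written as an object-specific ACE and then read back, as an added example that is not part of the course text. It assumes the ActiveDirectory module and its AD: drive, an OU OU=Clients,DC=contoso,DC=com and a group named Desktop Support (constructed names).

```powershell
# Added example (not from the course): delegate "Create Computer Objects" on an OU to
# a support group. Assumptions: ActiveDirectory module and AD: drive; OU and group
# names below are constructed.
Import-Module ActiveDirectory

$ouDn  = 'OU=Clients,DC=contoso,DC=com'
$group = Get-ADGroup -Identity 'Desktop Support'

# "Create Computer Objects" is the CreateChild right restricted to the computer class,
# so the ACE carries the schemaIDGUID of the computer class as its ObjectType. The GUID
# is read from the schema rather than hard-coded.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                         -Properties schemaIDGUID).schemaIDGUID

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $group.SID,
           [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $computerGuid,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Add the ACE to the OU's DACL. Granting it at the OU, not on individual objects, is what
# lets the permission flow to sub-OUs created later.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs that give this group CreateChild, so the delegation can be
# confirmed without walking the whole DACL in the Security tab.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
```

An ObjectType equal to the computer class GUID in the output is the difference between this delegation and an unrestricted CreateChild, which would allow the group to create objects of any class in the OU.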
Computer Accounts and Secure Channels
Every member computer in an AD DS domain maintains a computer account with a user name (sAMAccountName) and password, just like a user account does. The computer stores its password in the form of a local security authority (LSA) secret, and changes its password with the domain approximately every 30 days. The NetLogon service uses the credentials to log on to the domain, which establishes the secure channel with a domain controller.
Computer accounts and the secure relationships between computers and their domain are robust. Nevertheless, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include:
• After reinstalling the operating system on a workstation, the workstation is unable to authenticate, even though the technician used the same computer name as was used in the previous installation. Because the new installation generated a new SID, and because the new computer does not know the original computer account password in the domain, it does not belong to the domain and cannot authenticate to the domain.
• A computer has not been used for an extended period, perhaps because the user is on vacation or working away from the office. Computers change their passwords every 30 days, and AD DS remembers the current and previous password. If the computer is unused within this period, authentication can fail.
• A computer’s LSA secret gets out of synchronization with the password that the domain knows. You can think of this as the computer forgetting its password. Although it did not forget its password, it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate, and the secure channel cannot be created.
Resetting the Secure Channel
The most common signs of computer-account problems are:
• Messages at logon indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (another way of saying the secure relationship) between the computer and the domain has been lost.
• Error messages or events in the event log indicate similar problems or suggest that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer’s event log.
• A computer account is missing in AD DS.
When the secure channel fails, you must reset the secure channel. Many administrators do this by removing the computer from the domain, putting it in a workgroup, and then rejoining the domain. This is not a good practice, because it has the potential to delete the computer account altogether. This loses the computer’s SID, and more importantly, its group memberships. When you rejoin the domain, even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated. If the trust with the domain has been lost, do not remove a computer from the domain, and then rejoin it. Instead, reset the secure channel.
To reset the secure channel between a domain member and the domain, use the Active Directory Users and Computers snap-in, DSMod.exe, NetDom.exe, or NLTest.exe. If you reset the account, the computer’s SID remains the same, and it maintains its group memberships.
To reset the secure channel by using the Active Directory Users and Computers snap-in:
1. Right-click a computer, and then click Reset Account.
2. Click Yes to confirm your choice.
3. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using DSMod:
1. At a command prompt, type the following command:
dsmod computer "ComputerDN" -reset
2. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using NetDom, at a command prompt, type the following command, where the credentials belong to the local Administrators group of the computer:
netdom reset MachineName /domain DomainName /UserO UserName /PasswordO {Password | *}
This command resets the secure channel by attempting to reset the password on both the computer and the domain, so it does not require rejoining or rebooting.
To reset the secure channel by using NLTest, on the computer that has lost its trust, at a command prompt, type the following command:
NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER
You also can use Windows PowerShell with Active Directory Module to reset a computer account. The following example demonstrates how to reset the secure channel between the local computer and the domain to which it is joined. You must run this command on the local computer:
Test-ComputerSecureChannel -Repair
Note: You also can reset a remote computer’s password with Windows PowerShell: Invoke-Command -ComputerName Workstation1 -ScriptBlock {Reset-ComputerMachinePassword}
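A repair run on the member computer that also checks for the NETLOGON 3210 events mentioned earlier and confirms afterwards that the computer object kept its SID and group memberships, as an added example that is not part of the course text. It assumes the ActiveDirectory module is installed on the computer being repaired and that the prompted credentials are allowed to reset the computer account.

```powershell
# Added example (not from the course): test and repair the secure channel in place,
# then show that the computer object's SID and memberships survived, which is the
# reason to repair rather than leave and rejoin the domain. Assumes the ActiveDirectory
# module on this computer; $cred must be allowed to reset the computer account.
Import-Module ActiveDirectory
$cred = Get-Credential -Message 'Account allowed to reset this computer account'

function Get-SecureChannelState {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf -Credential $cred
    [pscustomobject]@{
        ChannelOk  = Test-ComputerSecureChannel
        ObjectSid  = $computer.SID.Value
        GroupCount = @($computer.memberOf).Count
        # NETLOGON 3210 "Failed To Authenticate" in the System log is the symptom the
        # lesson describes; count the most recent occurrences.
        Event3210  = @(Get-WinEvent -FilterHashtable @{
                           LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210
                       } -MaxEvents 5 -ErrorAction SilentlyContinue).Count
    }
}

$before = Get-SecureChannelState
$before

if (-not $before.ChannelOk) {
    # -Repair resets the password on the computer and in AD DS; no rejoin, no restart,
    # and no new computer object.
    Test-ComputerSecureChannel -Repair -Credential $cred | Out-Null
    $after = Get-SecureChannelState
    $after

    # A rejoin would have produced a new SID and an empty memberOf; a repair must not.
    if ($after.ObjectSid -ne $before.ObjectSid)   { Write-Warning 'Computer object SID changed' }
    if ($after.GroupCount -ne $before.GroupCount) { Write-Warning 'Group memberships changed' }
    if (-not $after.ChannelOk)                    { Write-Warning 'Secure channel still broken' }
}
```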
Lesson 4
Delegating Administration
Although a single person can easily manage a small network with a handful of user and computer accounts, as the network grows, so too does the volume of work that relates to network management. At some point, it is necessary for teams with particular specializations to evolve, each with responsibility for some specific aspect of network management. In AD DS environments, it is common practice to create OUs to bring departmental or geographic structure to the networked objects, and to enable configuration of administrative delegation. It is important that you know why and how to create OUs, and how to delegate administrative tasks to users on objects within those OUs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe AD DS permissions.
• Determine a user’s effective AD DS permissions on an AD DS object.
• Delegate administrative control to a specified user or group of users of an AD DS object.
AD DS Permissions
All AD DS objects, such as users, computers, and groups, can be secured by using a list of permissions. The permissions on an object are called access control entries (ACEs), and they are assigned to users, groups, or computers, which are also known as security principals. ACEs are saved in the object’s DACL, which is part of the object’s ACL. The ACL also contains the system access control list (SACL) that includes auditing settings.
Each object in AD DS has its own ACL. If you have sufficient permissions, you can modify the permissions to control the level of access on a specific AD DS object. The delegation of administrative control involves assigning permissions that manage access to objects and properties in AD DS. Just as you can give a group the ability to change files in a folder, you can give a group the ability, for example, to reset passwords on user objects.
The DACL of an object also allows you to assign permissions to an object’s specific properties. For example, you can allow (or deny) permission to change phone and email options. This is, in fact, not just one property. It is a property set that includes multiple, specific properties. Using property sets, you can easily manage permissions to commonly used collections of properties. But, you could assign more granular permissions and allow or deny permission to change just some of the information, such as the mobile telephone number or the street address.
Assigning the help desk permission to reset passwords for each individual user object is tedious. Even so, in AD DS, it is not a good practice to assign permissions to individual objects. Instead, you should assign permissions at the level of organizational units.
The permissions you assign to an OU are inherited by all objects in the OU. So, if you give the help desk the permission to reset passwords for user objects and attach that permission to the OU that contains users, all user objects within that OU will inherit that permission. In just one step, you have delegated that administrative task.
Child objects inherit the permissions of the parent container or OU. That container or OU in turn inherits its permissions from its parent container or OU. If it is a first-level container or OU, it inherits the permissions from the domain itself. The reason child objects inherit permissions from their parents is that, by default, each new object is created with the Include inheritable permissions from this object’s parent option enabled.
Effective AD DS Permissions
Effective permissions are the resulting permissions for a security principal, such as a user or group, based on the cumulative effect of each inherited and explicit ACE. Your ability to reset a user’s password, for example, may be due to your membership in a group that is allowed the Reset Password permission on an OU several levels above the user object. The inherited permission assigned to a group to which you belong results in an effective permission of Allow: Reset Password. Your effective permissions can be complicated when you consider Allow and Deny permissions, explicit and inherited ACEs, and the fact that you may belong to multiple groups, each of which may be assigned different permissions.
To calculate effective permissions for a specific user or a group, an AD DS object, or for a file or folder, you can perform the following procedure:
1. Right-click the object, file or folder, click Properties, and then click the Security tab.
2. Click Advanced, click the Effective Permissions tab, and then click Select.
3. In the Enter the object name to select field, type the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.
Note: You also can use the DSACLS command-line tool to view or modify AD DS permissions. For example, to grant Amy Read and Execute permissions on computer objects within the Help Desk OU, use the following syntax:
dsAcls "OU=HelpDesk,DC=Adatum,DC=Com" /G Domain\Amy:GRGE;computer
Permissions, whether assigned to your user account or to a group to which you belong, are equivalent. This means that, in the end, an ACE applies to you, the user. The best practice is to manage permissions by assigning them to groups, but it is also possible to assign ACEs to individual users or computers. A permission that has been assigned directly to you, the user, is neither more important nor less important than a permission assigned to a group to which you belong.
Allow permissions, which allow access, are cumulative. When you belong to several groups, and those groups have been granted permissions that allow a variety of tasks, you will be able to perform all of the tasks assigned to all of those groups, and tasks assigned directly to your user account.
Deny permissions, which deny access, override equivalent Allow permissions. If you are in one group that has been allowed the permission to reset passwords, and another group that has been denied permission to reset passwords, the Deny permission prevents you from resetting passwords.
Note: Use Deny permissions rarely. In fact, it is unnecessary to assign Deny permissions, because if you do not assign an Allow permission, users cannot perform the task. Before assigning a Deny permission, check to see if you could achieve your goal by removing an Allow permission instead. For example, if you want to delegate an Allow permission to a group, but exempt only one member from that group, you can use a Deny permission on that specific user account while the group still has an Allow permission.
Each permission is granular. Even if you have been denied the ability to reset passwords, you may still have the ability, through other Allow permissions, to change the user’s logon name or email address.
In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by default, and that explicit permissions can override inheritable permissions. This means that an explicit Allow permission will actually override an inherited Deny permission.
Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can make evaluating effective permissions tedious. You can use the permissions reported by the DSACLs command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating effective permissions, but it is still a manual task.
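The manual evaluation described above, scripted for the Reset Password right on one user object, as an added example that is not part of the course text. It applies the rules stated in this lesson (Allow ACEs accumulate, a Deny overrides an equivalent Allow, and an explicit ACE is evaluated before an inherited one, so an explicit Allow beats an inherited Deny). It assumes the ActiveDirectory module and its AD: drive; the user and target names are constructed.

```powershell
# Added example (not from the course): effective "Reset Password" permission of a user
# on a target user object. Assumes the ActiveDirectory module and the AD: drive.
Import-Module ActiveDirectory

function Test-ResetPasswordPermission {
    param([string]$User, [string]$TargetDn)

    # The "Reset Password" control access right, located by display name under
    # CN=Extended-Rights in the configuration partition instead of hard-coding its GUID.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $resetGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    # Every SID the user carries: its own plus all nested groups (the same set a logon
    # token holds), because an ACE on a group applies to the user exactly as a direct one.
    $principal = Get-ADUser -Identity $User -Properties tokenGroups
    $sids = @($principal.SID) + @($principal.tokenGroups)

    # Keep the ACEs that name one of those SIDs and carry an extended right that is
    # either Reset Password itself or "all extended rights" (empty ObjectType).
    $relevant = (Get-Acl -Path "AD:\$TargetDn").Access | Where-Object {
        $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        ($sid -and ($sids -contains $sid)) -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # The first ACE in that order decides, which is why an explicit Allow overrides an
    # inherited Deny while a Deny beats an Allow at the same level.
    $ordered = @($relevant | Sort-Object @{ Expression = 'IsInherited' },
                                        @{ Expression = { $_.AccessControlType -ne 'Deny' } })

    [pscustomobject]@{
        User      = $User
        Target    = $TargetDn
        Effective = if ($ordered.Count) { [string]$ordered[0].AccessControlType } else { 'NoAccess' }
        DecidedBy = if ($ordered.Count) {
            '{0} {1} ({2})' -f $ordered[0].IdentityReference, $ordered[0].AccessControlType,
                $(if ($ordered[0].IsInherited) { 'inherited' } else { 'explicit' })
        } else { 'no matching ACE' }
        AceCount  = $ordered.Count
    }
}

# Constructed names: a help desk account and a user in the Employees OU.
Test-ResetPasswordPermission -User 'hdesk01' -TargetDn 'CN=Jeff Ford,OU=Employees,DC=adatum,DC=com'
```

Running it against a protected account (adminCount = 1) shows the effect of the earlier Account Operators example: the OU-level Allow is not inherited, so the result is NoAccess.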
Demonstration: Delegating Administrative Control
In this demonstration, you will see how to:
1. Delegate a standard task.
2. Delegate a custom task.
3. View AD DS permissions resulting from these delegations.
Demonstration Steps
Delegate a standard task
1. Open Active Directory Users and Computers.
2. Use the Delegate Control Wizard to grant the IT group the following standard management tasks on the IT OU:
o Create, delete, and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
Delegate a custom task
• Use the Delegate Control Wizard to grant the following permissions on the IT OU to the IT group:
o Full Control on computer objects
o Create computer objects
o Delete computer objects
View AD DS permissions resulting from these delegations
1. Enable the Advanced Features view in Active Directory Users and Computers.
2. View the Properties of the IT OU.
3. Use the Security tab to verify the assigned permissions. Close all open windows.
Lab: Managing Active Directory Domain Services Objects Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop-support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.
To begin deployment of the new branch office you are preparing AD DS objects. As part of this preparation, you need to create an OU for the branch office and delegate permission to manage it. Then you need to create users and groups for the new branch office. Finally, you need to reset the secure channel for a computer account that has lost connectivity to the domain in the branch office.
Objectives
After completing this lab, you will be able to:
• Delegate administration for a branch office.
• Create and configure user accounts in AD DS.
• Manage computer objects in AD DS.
Lab Setup
Estimated time: 60 minutes
Virtual Machines: 20410A-LON-DC1, 20410A-LON-CL1
User name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, from Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-CL1.
Exercise 1: Delegating Administration for a Branch Office
Scenario
A. Datum delegates management of each branch office to a specific group. This allows an employee who works onsite to be configured as an administrator when required. Each branch office has a branch administrators group that is able to perform full administration within the branch office organizational unit. There is also a branch office help desk group that is able to manage users in the branch office organizational unit, but not other objects. You need to create these groups for the new branch office and delegate permissions to the groups.
The main tasks for this exercise are as follows:
1. Delegate administration for Branch Administrators.
2. Delegate a user administrator for the Branch Office Help Desk.
3. Add a member to the Branch Administrators.
4. Add a member to the Branch Help Desk group.
Task 1: Delegate administration for Branch Administrators
1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit in the Adatum.com domain called Branch Office 1.
2. Create the following global security groups in the Branch Office 1 organizational unit:
o Branch 1 Help Desk
o Branch 1 Administrators
o Branch 1 Users
3. Move Holly Dickson from the IT organizational unit to the Branch Office 1 organizational unit.
4. Move the following users to the Branch Office 1 organizational unit:
o Development\Duncan Bart
o Managers\Ed Meadows
o Marketing\Connie Vrettos
o Research\Barbara Zighetti
o Sales\Arlene Huff
5. Move the LON-CL1 computer to the Branch Office 1 organizational unit, and then restart the computer.
6. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
7. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 organizational unit to the Branch 1 Administrators security group.
8. Delegate the following common tasks:
o Create, delete, and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
o Create, delete and manage groups
o Modify the membership of a group
o Manage Group Policy links
9. Delegate the following custom tasks:
o Create and delete computer objects in the current OU
o Full control of computer objects in the current OU
Task 2: Delegate a user administrator for the Branch Office Help Desk
1. On LON-DC1, in Active Directory Users and Computers, use the Delegate Control Wizard to delegate administration of the Branch Office 1 organizational unit to the Branch 1 Help Desk security group.
2. Delegate the following common tasks:
o Reset user passwords and force password change at next logon
o Read all user information
o Modify the membership of a group
Task 3: Add a member to the Branch Administrators
1. Add Holly Dickson to the Branch 1 Administrators global group.
2. Add the Branch 1 Administrators global group to the Server Operators domain local group. Log off LON-DC1.
3. Log on as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
4. From Server Manager, open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.
5. Attempt to delete Sales\Aaren Ekelund. You are unsuccessful as you lack the required permissions.
6. Try to delete Branch Office 1\Ed Meadows. You are successful because you have the required permissions.
Task 4: Add a member to the Branch Help Desk group
1. Add Bart Duncan to the Branch 1 Help Desk global group.
2. Close Active Directory Users and Computers, and then close Server Manager.
3. Open Server Manager, and then open Active Directory Users and Computers. In the User Account Control dialog box, specify Adatum\Administrator and Pa$$w0rd as the required credentials. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.
4. Add the Branch 1 Help Desk global group to the Server Operators domain local group. Log off LON-DC1.
5. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.
6. Open Server Manager and then open Active Directory Users and Computers. Confirm your current credentials in the User Account Control dialog box.
7. Try to delete Branch Office 1\Connie Vrettos. You are unsuccessful because you lack the required permissions.
8. Reset Connie’s password to Pa$$w0rd. You are successful. Log off LON-DC1.
9. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.
Exercise 2: Creating and Configuring User Accounts in AD DS
Scenario
You have been given a list of new users for the branch office, and you need to begin creating them.
The main tasks for this exercise are as follows:
1. Create a template user for the branch office.
2. Configure the template’s settings.
3. Create a new user for the branch office, based on the template.
4. Log on as a user to test account settings.
Task 1: Create a template user for the branch office
1. On LON-DC1, create a folder called C:\branch1-userdata, and then share it.
2. Modify the shared folder permissions so that the Everyone group has Full Control Allow permissions.
3. From Server Manager, open Active Directory Users and Computers and create a new user with the following properties in the Branch Office 1 organizational unit:
o Full name: _Branch_template
o User logon name: _Branch_template
o Password: Pa$$w0rd
o Account is disabled
Task 2: Configure the template’s settings
• Modify the following properties of the _Branch_template account:
o City: Slough
o Group: Branch 1 Users
o Home folder: \\lon-dc1\branch1-userdata\%username%
Task 3: Create a new user for the branch office, based on the template
1. Copy the _Branch_template user account, and configure the following properties:
o First name: Ed
o Last name: Meadows
o Password: Pa$$w0rd
o User must change password at next logon is cleared.
o Account is disabled is cleared.
2. Verify that the following properties have been copied during account creation:
o City: Slough
o Home folder path: \\lon-dc1\branch1-userdata\Ed
o Group: Branch 1 Users
3. Log off from LON-DC1.
Task 4: Log on as a user to test account settings
1. Switch to LON-CL1 and log off.
2. Log on to LON-CL1 as Adatum\Ed with the password Pa$$w0rd. You are able to log on successfully.
3. Verify that you have a drive mapping for Z: to Ed’s home folder on LON-DC1, and then log off.
Results: After this exercise, you should have successfully created and tested a user account created from a template.
Exercise 3: Managing Computer Objects in AD DS
Scenario
A workstation has lost its connectivity to the domain and cannot properly authenticate users. When users attempt to access resources from this workstation, access is denied. You need to reset the computer account to recreate the trust relationship between the client and the domain.
The main tasks for this exercise are as follows:
1. Reset a computer account.
2. Observe the behavior when a client logs on.
3. Rejoin the domain to reconnect the computer account.
Task 1: Reset a computer account
1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.
2. Open Active Directory Users and Computers. Confirm your credentials in the User Account Control dialog box.
3. Navigate to Branch Office 1.
4. Reset the LON-CL1 computer account.
Task 2: Observe the behavior when a client logs on
• Switch to LON-CL1 and attempt to log on as Adatum\Ed with the password Pa$$w0rd. A message is displayed that explains that The trust relationship between this workstation and the primary domain failed. Click OK to acknowledge the message.
Task 3: Rejoin the domain to reconnect the computer account
1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Control Panel. Switch to Large icons view, and then open System.
3. View the Advanced system settings, and then select the Computer Name tab. Use the Network ID button to rejoin the computer to the domain.
4. Complete the wizard to rejoin the computer to the domain. Use the following to help complete the wizard:
o User name: administrator
o Password: Pa$$w0rd
o Domain: Adatum
o Do you want to enable a domain user account on this computer: No
5. Restart the computer when prompted.
6. Log on as Adatum\Ed with the password of Pa$$w0rd. You are successful because the computer had been successfully rejoined.
Results: After this exercise, you should have successfully reset the trust relationship.
Prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-DC1.
Module Review and Takeaways
Review Questions
Question: Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How can you provide these members with access to printers on various domains that are managed by using domain local groups?
Question: You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user’s account?
Question: What is the main difference between the Computers container and an OU?
Question: When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?
Best Practices
Best Practices for User Account Management
• Do not let users share user accounts. Always create a user account for each individual, even if that person will not be with your organization for long.
o Educate users about the importance of password security.
o Ensure that you choose a naming strategy for user accounts that enables you to identify the user to whom the account relates. Also ensure that your naming strategy uses unique names within your domain.
Best Practices for Group Management
• When managing access to resources, try to use both domain local groups and role groups.
o Use Universal groups only when necessary because they add weight to replication traffic.
o Use Windows PowerShell with Active Directory Module for batch jobs on groups.
o Avoid adding users to built-in and default groups.
Best Practices Related to Computer Account Management
• Always provision a computer account before joining computers to a domain, and then place them in appropriate OUs.
o Redirect the default Computer container to another location.
o Reset the computer account, instead of disjoining and rejoining.
o Integrate the Offline Domain Join functionality with unattended installations.
Real-world Issues and Scenarios
1. A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?
2. You are working as an IT technician in Contoso, Ltd. You are managing the Windows Server-based infrastructure. You have to find a method for joining new Windows® 8-based computers to a domain during the installation process, without intervention of a user or an administrator.
Tools
Tool | Use | Where to find it
Active Directory Users and Computers | Manage groups | Administrative Tools
Windows PowerShell with Active Directory Module | Manage groups | Installed as Windows Feature
DS utilities | Manage groups | Command line
Windows PowerShell with Active Directory Module | Computer account management | Administrative Tools
Djoin.exe | Offline domain join | Command line
Redircmp.exe | Change default computer container | Command line
DSACLS | View and modify AD DS permissions | Command line
Module 4 Automating Active Directory Domain Services Administration
Contents: Module Overview 4-1
Lesson 1: Using Command-line Tools for Administration 4-2
Lesson 2: Using Windows PowerShell for Administration 4-7
Lesson 3: Performing Bulk Operations with Windows PowerShell 4-13
Lab: Automating AD DS Administration by Using Windows PowerShell 4-20
Module Review and Takeaways 4-24
Module Overview
You can use command-line tools and Windows PowerShell® to automate Active Directory® Domain Services (AD DS) administration. Automating administration speeds up processes that you might otherwise perform manually. Windows PowerShell includes cmdlets for performing AD DS administration and for performing bulk operations. You can use bulk operations to change many AD DS objects in a single step rather than updating each object manually.
Objectives
After completing this module, you will be able to:
• Use command-line tools for AD DS administration.
• Use Windows PowerShell cmdlets for AD DS administration.
• Perform bulk operations by using Windows PowerShell.
Lesson 1: Using Command-line Tools for Administration
Windows Server® 2012 includes several command-line tools that you can use to perform AD DS administration. Many organizations create scripts that use command-line tools to automate the creation and management of AD DS objects such as user accounts and groups. You must understand how to use these command-line tools to ensure that, if required, you can modify the scripts that your organization uses.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the benefits of using command-line tools for AD DS administration.
• Describe how and when to use csvde.
• Describe how and when to use ldifde.
• Describe how and when to use DS commands.
Benefits of Using Command-Line Tools for Administration
Many administrators prefer to use graphical tools, such as Active Directory Users and Computers, for AD DS administration whenever possible. Graphical tools are intuitive to use because they visually represent information and provide options in the form of radio buttons and dialog boxes. When information is represented graphically, you do not need to memorize syntax.
Graphical tools work well in many situations, but they cannot be automated. To automate AD DS administration, you need command-line tools. Command-line tools can be used in scripts, or they can be used by other applications.
Some benefits of using command-line tools are:
• Faster implementation of bulk operations. For example, you can export a list of new user accounts from a human resources application. You use a command-line tool or script to create the new user accounts based on the exported information. This is much faster than manually creating each new user account individually.
• Customized processes for AD DS administration. You can use a customized graphical program to gather information about a new group, and then create the new group. When the information is gathered, the graphical program can verify that the information format, such as the naming convention, is correct. Then, the graphical program uses a command-line tool to create the new group. This process allows company-specific rules to be enforced.
• AD DS administration on server core. Server core cannot run graphical administration tools such as Active Directory Users and Computers. However, you can use command-line tools on server core.
Note: Server core can be administered remotely by using graphical tools.
What Is Csvde?
Csvde is a command-line tool that exports or imports Active Directory objects to or from a comma-separated values (.csv) file. Many applications are capable of exporting or importing data from .csv files. This makes csvde useful for interoperability with other applications, such as databases or spreadsheets.
The main limitation of csvde is that it cannot modify existing Active Directory objects; it can only create new objects. For example, you can use csvde to create a set of new user accounts, but you cannot use it to modify the properties of the user accounts after they are created. You can also use csvde to export object properties. For example, you can use csvde to export a list of users and their email addresses.
Export Objects by Using csvde
To export objects by using csvde, as a minimum, you need to specify the filename of the .csv file to which data will be exported. With only the filename specified, all objects in the domain will be exported.
The basic syntax to use csvde for export is:
Csvde –f filename
Other options that you can use with csvde are listed in the following table.
Option Description
-d RootDN Specifies the distinguished name of the container from which the export will begin. The default is the domain.
-p SearchScope Specifies the scope of the search relative to the container specified by the option -d. The SearchScope option can be either base (this object only), onelevel (objects within this container), or subtree (this container and all subcontainers). The default is subtree.
-r Filter Limits the objects returned to those that match the filter. The filter is based on Lightweight Directory Access Protocol (LDAP) query syntax.
-l ListOfAttributes Specifies the attributes to be exported. Use the LDAP name for each attribute, and separate them with commas.
After the export completes, the .csv file will contain a header row and one row for each object that was exported. The header row is a comma-separated list with the names of the attributes for each object.
Create Objects by Using csvde
The basic syntax for using csvde to create objects is:
csvde –i –f filename –k
The -i parameter specifies import mode. The -f parameter identifies the file name from which to import. The -k parameter instructs csvde to ignore error messages, including the “Object Already Exists” error message. The suppress errors option is useful when importing objects to ensure that all of the objects possible are created, instead of stopping when partially complete.
The .csv file that is being used for an import must have a header row that contains names of LDAP attributes for the data in the .csv file. Each row must contain exactly the correct number of items as specified in the header row.
You cannot use csvde to import passwords, because passwords in a .csv file are not protected. As a result, user accounts created by csvde have a blank password and are disabled.
Note: For more information about parameters for csvde, at a command prompt, type csvde /?, and then press Enter.
Additional Reading: For more information about LDAP query syntax, see http://go.microsoft.com/fwlink/?LinkId=168752.
What Is Ldifde?
Ldifde is a command-line tool that you can use to export, create, modify, or delete AD DS objects. Like csvde, ldifde uses data that is stored in a file. The file must be in LDAP Data Interchange Format (LDIF). Most applications cannot export or import data in LDIF format. It is more likely that you can obtain data in LDIF format from another directory service.
An LDIF file is text-based, with blocks of lines composing a single operation such as creating or modifying a user object. Each line within the operation specifies something about the operation, such as an attribute or the type of operation. A blank line separates multiple operations within the LDIF file.
The following is an example of an LDIF file that creates a single user.
dn: CN=Bonnie Kearney,OU=Employees,OU=User Accounts,DC=adatum,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@adatum.com
mail: bonnie.kearney@adatum.com
For each operation in an LDIF file, the changetype line defines the operation to be performed. The valid values are add, modify, or delete.
Export Objects by Using ldifde
When using ldifde to export objects, the minimum information you must provide is a filename to hold the data. When no other options are selected, all objects in the domain are exported. The basic syntax for exporting objects by using ldifde is:
Ldifde –f filename
Some other options you can use when exporting objects ldifde are listed in the following table.
Option Description
-d RootDN The root of the LDAP search. The default is the root of the domain.
-r Filter An LDAP search filter that limits the results returned.
-p SearchScope The scope, or depth, of the search. This can be:
• subtree (the container and all child containers)
• base (the immediate child objects of the container only)
• onelevel (the container and its immediate child containers)
-l ListOfAttributes A comma-separated list of attributes to include in the export.
-o ListOfAttributes A comma-separated list of attributes to exclude in the export.
Import Objects by Using ldifde
When you use ldifde to import objects, you must specify the operation to perform on the object. For each operation in an LDIF file, the changetype line defines the operation to be performed.
The basic syntax for using ldifde to import objects is:
Ldifde –i –f filename –k
The -i parameter specifies import mode. The -f parameter identifies the file name to import from. The -k parameter instructs ldifde to ignore errors, including the “Object Already Exists” error. The suppress errors option is useful when importing objects to ensure that all objects possible are created instead of stopping when partially complete.
You cannot use ldifde to import passwords, because passwords in an LDIF file would not be secure. As a result, user accounts created by ldifde have a blank password and are disabled.
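The two points above, that an LDIF add block is plain attribute lines separated by blank lines and that ldifde cannot carry passwords, are shown together in the following added example (not course code). It builds LDIF add blocks for a constructed list of users, imports them with ldifde, and then finishes each account with the password and enable steps that the import cannot perform; the OU, UPN suffix and names are assumptions.

```powershell
# Added example: build an LDIF file in the format shown above, import it with ldifde,
# then finish what LDIF cannot carry (a password) with the AD cmdlets.
# Assumes ldifde.exe and the ActiveDirectory module are present; names and OU are made up.
Import-Module ActiveDirectory

# LDIF rule: a value that starts with a space, ':' or '<', ends with a space, or contains
# non-ASCII characters must be written base64-encoded after a double colon ("attr:: ...").
function Format-LdifLine {
    param([Parameter(Mandatory)] [string] $Attribute,
          [Parameter(Mandatory)] [string] $Value)
    $needsBase64 = ($Value -match '^[ :<]') -or ($Value -match ' $') -or ($Value -match '[^\x20-\x7E]')
    if ($needsBase64) {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Attribute}:: $b64"
    }
    return "${Attribute}: $Value"
}

# One "changetype: add" block for a user object under the given OU.
function New-LdifUserBlock {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $ParentDN,
        [string] $UpnSuffix = 'adatum.com'     # assumed UPN suffix
    )
    $cn  = "$GivenName $Surname"
    $sam = "$GivenName.$Surname".ToLower()
    # A comma in the CN would need DN escaping; refuse rather than emit a broken DN.
    if ($cn -match ',') { throw "CN '$cn' contains a comma; escape it before use." }
    @(
        (Format-LdifLine 'dn' "CN=$cn,$ParentDN")
        'changetype: add'
        'objectClass: top'
        'objectClass: person'
        'objectClass: organizationalPerson'
        'objectClass: user'
        (Format-LdifLine 'cn' $cn)
        (Format-LdifLine 'sn' $Surname)
        (Format-LdifLine 'givenName' $GivenName)
        (Format-LdifLine 'displayName' "$Surname, $GivenName")
        (Format-LdifLine 'sAMAccountName' $sam)
        (Format-LdifLine 'userPrincipalName' "$sam@$UpnSuffix")
    ) -join "`r`n"
}

# Constructed sample input, not real people.
$newUsers = @(
    @{ GivenName = 'Bonnie'; Surname = 'Kearney' }
    @{ GivenName = 'Ann';    Surname = 'Beebe'   }
)
$ou       = 'OU=Branch Office 1,DC=adatum,DC=com'
$ldifPath = Join-Path $env:TEMP 'new-branch-users.ldf'

# A blank line separates operations in an LDIF file.
$blocks = foreach ($u in $newUsers) { New-LdifUserBlock @u -ParentDN $ou }
($blocks -join "`r`n`r`n") + "`r`n" | Set-Content -Path $ldifPath -Encoding Ascii

# -i import mode, -f the file, -k keep going past errors such as "Object Already Exists".
& ldifde.exe -i -f $ldifPath -k

# ldifde created the accounts disabled with no password. Set one per account, require a
# change at first logon, and only then enable the account.
foreach ($u in $newUsers) {
    $sam = "$($u.GivenName).$($u.Surname)".ToLower()
    $initial = Read-Host -AsSecureString "Initial password for $sam"
    Set-ADAccountPassword -Identity $sam -NewPassword $initial -Reset
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}
```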
What Are DS Commands?
Windows Server 2012 includes command-line tools called DS commands, which are suitable for use in scripts. You can use DS command-line tools to create, view, modify, and remove AD DS objects. The following table describes DS command-line tools.
Tool Description
Dsadd Creates AD DS objects.
Dsget Displays properties of AD DS objects.
Dsquery Searches for AD DS objects.
Dsmod Modifies AD DS objects.
Dsrm Removes AD DS objects.
Dsmove Moves AD DS objects.
User Management Command Examples
The following are examples of commands that you could type at a command prompt.
To modify the department of a user account, type:
Dsmod user “cn=Joe Healy,ou=Managers,dc=adatum,dc=com” –dept IT
To display the email of a user account, type:
Dsget user “cn=Joe Healy,ou=Managers,dc=adatum,dc=com” –email
To delete a user account, type:
Dsrm “cn=Joe Healy,ou=Managers,dc=adatum,dc=com”
To create a new user account, type:
Dsadd user “cn=Joe Healy,ou=Managers,dc=adatum,dc=com”
Question: What criteria would you use to select between using csvde, ldifde, and the DS commands?
Lesson 2: Using Windows PowerShell for Administration
Windows PowerShell is the preferred scripting environment in Windows Server 2012. It is much easier to use than previous scripting languages such as Microsoft® Visual Basic Scripting Edition (VBScript). Windows PowerShell includes an extensive list of cmdlets to manage AD DS objects. Cmdlets can be used to create, modify, and remove user accounts, groups, computer accounts, and organizational units.
Lesson Objectives
After completing this lesson, you will be able to:
• Use Windows PowerShell cmdlets to manage user accounts.
• Use Windows PowerShell cmdlets to manage groups.
• Use Windows PowerShell cmdlets to manage computer accounts.
• Use Windows PowerShell cmdlets to manage organizational units (OUs).
Using Windows PowerShell Cmdlets to Manage Users
You can use Windows PowerShell cmdlets to create, modify, and delete user accounts. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing user accounts are in the following table.
Cmdlet Description
New-ADUser Creates user accounts.
Set-ADUser Modifies properties of user accounts.
Remove-ADUser Deletes user accounts.
Set-ADAccountPassword Resets the password of a user account.
Set-ADAccountExpiration Modifies the expiration date of a user account.
Unlock-ADAccount Unlocks a user account when it is locked after exceeding the accepted number of incorrect login attempts.
Enable-ADAccount Enables a user account.
Disable-ADAccount Disables a user account.
Create New User Accounts
When you use the New-ADUser cmdlet to create new user accounts, you can set most user properties including a password. For example:
• If you do not use the –AccountPassword parameter, no password is set and the user account is disabled. The –Enabled parameter cannot be set as $true when no password is set.
• If you use the –AccountPassword parameter to specify a password, then you must specify a variable that contains the password as a secure string, or choose to be prompted for the password. A secure string is encrypted in memory. If you set a password then you can enable the user account by setting the –Enabled parameter as $true.
Some commonly used parameters for the New-ADUser cmdlet are listed in the following table.
Parameter Description
AccountExpirationDate Defines the expiration date for the user account.
AccountPassword Defines the password for the user account.
ChangePasswordAtLogon Requires the user account to change passwords at the next logon.
Department Defines the department for the user account.
Enabled Defines whether the user account is enabled or disabled.
HomeDirectory Defines the location of the home directory for a user account.
HomeDrive Defines the drive letter that is mapped to the home directory for a user account.
GivenName Defines the first name for a user account.
Surname Defines the last name for a user account.
Path Defines the OU or container where the user account will be created.
The following is a command you could use to create a user account with a prompt for a password:
New-ADUser “Joe Healy” –AccountPassword (Read-Host –AsSecureString “Enter password”) -Department IT
Question: Are the parameters for all cmdlets that you use to manage user accounts the same?
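The lab in Module 3 copied a template account through the GUI to create a branch-office user. The following added example (not course code) does the same with New-ADUser and the -Instance parameter, following the password rules just described: the password is read as a secure string, the account is enabled only because a password is supplied, and a change is forced at next logon. The template name, OU and home-folder path are taken from that lab; the UPN suffix is an assumption.

```powershell
# Added example: create a user from the _Branch_template account with New-ADUser.
# Assumes the ActiveDirectory module; the template and OU exist as in the Module 3 lab.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,      # e.g. '_Branch_template'
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $AccountPassword,
        [string] $UpnSuffix = 'adatum.com'                  # assumed UPN suffix
    )
    # -Instance copies only the properties that were retrieved, so ask for the ones
    # the template carries (city, department, home drive and folder).
    $template = Get-ADUser -Identity $TemplateSam `
                    -Properties City, Department, HomeDrive, HomeDirectory, MemberOf

    # The GUI expands %username% in the home folder path; -Instance would copy the
    # string literally, so build the real path for the new user here.
    $homeDir = $template.HomeDirectory -replace '%username%', $SamAccountName

    # Place the new user in the same OU as the template (everything after the first RDN).
    $ou = ($template.DistinguishedName -split ',', 2)[1]

    $user = New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
                -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
                -Instance $template -Path $ou -HomeDirectory $homeDir `
                -AccountPassword $AccountPassword -Enabled $true `
                -ChangePasswordAtLogon $true -PassThru

    # Group membership is stored on the groups, not on the user object, so -Instance
    # does not copy it; add the new user to each group the template belongs to.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    return $user
}

# Read-Host -AsSecureString keeps the password out of the command line and history.
$initial = Read-Host -AsSecureString 'Initial password for Ed'
$ed = New-UserFromTemplate -TemplateSam '_Branch_template' -GivenName 'Ed' -Surname 'Meadows' `
          -SamAccountName 'Ed' -AccountPassword $initial

# Verify what was copied and that a password change is pending (pwdLastSet = 0).
Get-ADUser -Identity $ed.SamAccountName -Properties City, HomeDirectory, MemberOf, pwdLastSet |
    Select-Object SamAccountName, Enabled, City, HomeDirectory,
                  @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] }) -join ';' } },
                  @{ n = 'MustChangePassword'; e = { $_.pwdLastSet -eq 0 } }
```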
Using Windows PowerShell Cmdlets to Manage Groups
You can use Windows PowerShell to create, modify, and delete groups. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing groups are listed in the following table.
Cmdlet Description
New-ADGroup Creates new groups.
Set-ADGroup Modifies properties of groups.
Get-ADGroup Displays properties of groups.
Remove-ADGroup Deletes groups.
Add-ADGroupMember Adds members to groups.
Get-ADGroupMember Displays membership of groups.
Remove-ADGroupMember Removes members from groups.
Add-ADPrincipalGroupMembership Adds group membership to objects.
Get-ADPrincipalGroupMembership Displays group membership of objects.
Remove-ADPrincipalGroupMembership Removes group membership from an object.
Create New Groups
You can use the New-ADGroup cmdlet to create groups. However, when you create groups using the New-ADGroup cmdlet, you must use the GroupScope parameter in addition to the group name. This is the only required parameter. The following table lists commonly used parameters for New-ADGroup.
Parameter Description
Name Defines the name of the group.
GroupScope Defines the scope of the group as DomainLocal, Global, or Universal. You must provide this parameter.
DisplayName Defines the LDAP display name for the object.
GroupCategory Defines whether it is a security group or a distribution group. If you do not specify either, a security group is created.
Parameter Description
ManagedBy Defines a user or group that can manage the group.
Path Defines the OU or container in which the group is created.
SamAccountName Defines a name that is backward compatible with older operating systems.
The following command is an example of what you could type at a Windows PowerShell prompt to create a new group:
New-ADGroup –Name “CustomerManagement” –Path “ou=managers,dc=adatum,dc=com” –GroupScope Global –GroupCategory Security
Manage Group Membership
There are two sets of cmdlets that you can use to manage group membership: *-ADGroupMember and *-ADPrincipalGroupMembership. The distinction between these two sets of cmdlets is the perspective used when modifying group membership. They are:
• The *-ADGroupMember cmdlets modify the membership of a group. For example, you add or remove members of a group.
o You cannot pipe a list of members to these cmdlets.
o You can pass a list of groups to these cmdlets.
• The *-ADPrincipalGroupMembership cmdlets modify the group membership of an object such as a user. For example, you can modify a user account to add it as a member of a group.
o You can pipe a list of members to these cmdlets.
o You cannot provide a list of groups to these cmdlets.
Note: When you pipe a list of objects to a cmdlet, you pass a list of objects to a cmdlet. More information about how to pipe a list of objects is covered in Lesson 3: Performing Bulk Operations with Windows PowerShell.
The following is a command you could use to add a member to a group.
Add-ADGroupMember CustomerManagement -Members "Joe Healy"
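The following is an added example, not part of the course material, that shows the two perspectives described above on the same group and then reconciles the group's membership against a desired list so that members who should no longer be in the group are removed. The group name, OU path and user names are assumptions.

```powershell
# Added example (not from the course). Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

$group = 'LondonBranchUsers'                    # assumed group
$ou    = 'ou=LondonBranch,dc=adatum,dc=com'     # assumed OU

# Group perspective: the group is the identity and the members are a parameter value.
# A query result can be passed in -Members, but it cannot be piped into Add-ADGroupMember.
$marketing = Get-ADUser -Filter 'Department -eq "Marketing"' -SearchBase $ou
if ($marketing) { Add-ADGroupMember -Identity $group -Members $marketing }

# Principal perspective: the users arrive over the pipeline and the group is the parameter,
# so a query can be piped straight into Add-ADPrincipalGroupMembership.
Get-ADUser -Filter 'Department -eq "Research"' -SearchBase $ou |
    Add-ADPrincipalGroupMembership -MemberOf $group

function Sync-ADGroupMembership {
    # Makes the group's direct membership equal to -DesiredMembers (sAMAccountNames):
    # adds what is missing and removes what is extra. -WhatIf previews both lists.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$DesiredMembers
    )
    $current  = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)
    $toAdd    = @($DesiredMembers | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $DesiredMembers })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd -join ', ')")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Remove $($toRemove -join ', ')")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Group = $Group; Added = $toAdd; Removed = $toRemove }
}

# Preview the reconciliation ('Ty' is the lab user; 'qwu' is a constructed name), then
# verify the result from both sides.
Sync-ADGroupMembership -Group $group -DesiredMembers 'Ty', 'qwu' -WhatIf
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity 'Ty' | Select-Object Name, GroupScope
```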
20410A: Installing and Configuring Windows Server® 2012 4-11
Using Windows PowerShell Cmdlets to Manage Computer Accounts
You can use Windows PowerShell to create, modify, and delete computer accounts. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing computer accounts are listed in the following table.
Cmdlet Description
New-ADComputer Creates a new computer account.
Set-ADComputer Modifies properties of a computer account.
Get-ADComputer Displays properties of a computer account.
Remove-ADComputer Deletes a computer account.
Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain.
Reset-ComputerMachinePassword Resets the password for a computer account.
Create New Computer Accounts
You can use the New-ADComputer cmdlet to create a new computer account before the computer is joined to the domain. You do this so you can create the computer account in the correct OU before deploying the computer.
The following table lists commonly used parameters for New-ADComputer.
Parameter Description
Name Defines the name of the computer account.
Path Defines the OU or container where the computer account will be created.
Enabled Defines whether the computer account is enabled or disabled. By default, the computer account is enabled and a random password is generated.
The following is an example that you can use to create a computer account:
New-ADComputer -Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true
Repair the Trust Relationship for a Computer Account
You can use the Test-ComputerSecureChannel cmdlet with the -Repair parameter to repair a lost trust relationship between a computer and the domain. You must run the cmdlet on the computer with the lost trust relationship.
4-12 Automating Active Directory Domain Services Administration
The following is a command that you could use to repair the trust relationship for a computer account:
Test-ComputerSecureChannel -Repair
Using Windows PowerShell Cmdlets to Manage OUs
You can use Windows PowerShell to create, modify, and delete OUs. These cmdlets can be used for individual operations or as part of a script to perform bulk operations. Some of the cmdlets for managing OUs are listed in the following table.
Cmdlet Description
New-ADOrganizationalUnit Creates OUs.
Set-ADOrganizationalUnit Modifies properties of OUs.
Get-ADOrganizationalUnit Displays properties of OUs.
Remove-ADOrganizationalUnit Deletes OUs.
Create New OUs
You can use the New-ADOrganizationalUnit cmdlet to create a new OU to represent departments or physical locations within your organization.
The following table shows commonly used parameters for the New-ADOrganizationalUnit cmdlet.
Parameter Description
Name Defines the name of the new OU.
Path Defines the location of the new OU.
ProtectedFromAccidentalDeletion Prevents the OU from being deleted accidentally. The default value is $true.
The following is an example you can use when you want to create a new organizational unit:
New-ADOrganizationalUnit -Name Sales -Path "ou=marketing,dc=adatum,dc=com" -ProtectedFromAccidentalDeletion $true
Question: In the slide example, is the ProtectedFromAccidentalDeletion parameter required?
20410A: Installing and Configuring Windows Server® 2012 4-13
Lesson 3
Performing Bulk Operations with Windows PowerShell
Windows PowerShell is a powerful scripting environment that you can use to perform bulk operations, which would normally be tedious to perform manually. You can also perform some bulk operations in graphical tools.
To perform bulk operations using Windows PowerShell, you must first understand how to create queries for a list of AD DS objects, and how to work with .csv files. Then you can create scripts that perform the bulk operations that you require.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe bulk operations.
• Use graphical tools to perform bulk operations.
• Query AD DS objects by using Windows PowerShell.
• Modify AD DS objects by using Windows PowerShell.
• Use .csv files.
• Modify and execute Windows PowerShell scripts to perform bulk operations.
What Are Bulk Operations?
A bulk operation is a single action that changes multiple objects. Performing a bulk operation is much faster than changing many objects individually. It may also be more accurate, because performing many individual actions increases the likelihood of making a typographical error.
You can perform bulk operations with graphical tools, at a command prompt, or by using scripts. Each method for performing bulk operations has different capabilities. For example:
• Graphical tools tend to be limited in the properties that they can modify.
• Command-line tools tend to be more flexible than graphical tools when defining queries, and they have more options for modifying object properties.
• Scripts can combine multiple command-line actions for the most complexity and flexibility.
The general process for performing bulk operations is as follows:
1. Define a query. You use the query to select the objects that you want to modify. For example, you may want to modify all user accounts in a specific OU.
2. Modify the objects defined by the query. When using graphical tools, you typically select the objects that you want to modify, and then edit the properties of those objects. When using command-line tools, you may use a list of objects or variables to identify the objects that you want to modify.
4-14 Automating Active Directory Domain Services Administration
Demonstration: Using Graphical Tools to Perform Bulk Operations
You can use Active Directory Administrative Center and Active Directory Users and Computers to modify the properties of multiple objects simultaneously. To perform a bulk operation using graphical tools, perform the following steps:
1. Perform a search or create a filter to display the objects that you want to modify.
2. Select the objects.
3. Examine the properties of the objects.
4. Modify the properties that you want to change.
When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that are displayed in the user interface.
In this demonstration, you will see how to:
• Create a query for all users.
• Configure the company attribute for all users.
• Verify that the company attribute has been modified.
Note: When you use graphical tools to modify multiple user accounts simultaneously, you are limited to modifying the properties that display in the user interface.
Demonstration Steps
Create a query for all users
1. On LON-DC1, open Active Directory Administrative Center.
2. Browse to Global Search, and add the criteria Object type is user/inetOrgPerson/computer/group/organization unit.
3. Verify that the criteria that you added is for the type User, and perform the search.
Configure the Company attribute for all users
1. Select all the user Accounts and modify their properties.
2. Type the Company as A. Datum.
Verify that the Company attribute has been modified
• Open the properties of Adam Barr, and verify that the company is A. Datum.
20410A: Installing and Configuring Windows Server® 2012 4-15
Querying Objects with Windows PowerShell
In Windows PowerShell, you use the Get-* cmdlets to obtain lists of objects, such as user accounts. You can also use these cmdlets to generate queries for objects on which you can perform bulk operations. The following table lists commonly used parameters with the Get-AD* cmdlets.
Parameter Description
SearchBase Defines the AD DS path to begin searching, for example, the domain or an OU.
SearchScope Defines at what level below the SearchBase a search should be performed. You can choose to search only in the base, one level down, or the entire subtree.
ResultSetSize Defines how many objects to return in response to a query. To ensure that all objects are returned, you should set this to $null.
Properties Defines which object properties to return and display. To return all properties, type an asterisk (*). You do not need to use this parameter to use a property for filtering.
Create a Query
You can use the Filter parameter or the LDAPFilter parameter to create queries for objects with the Get-AD* cmdlets. The Filter parameter is used for queries written in Windows PowerShell Expression Language. The LDAPFilter parameter is used for queries written as LDAP query strings. Windows PowerShell Expression Language is preferred because:
• It is easier to write queries in Windows PowerShell Expression Language.
• You can use variables inside the queries.
• There is automatic conversion of variable types, when required.
The following table lists commonly used operators you can use in Windows PowerShell Expression Language.
Operator Description
-eq Equal to
-ne Not equal to
-lt Less than
-le Less than or equal to
-gt Greater than
4-16 Automating Active Directory Domain Services Administration
Operator Description
-ge Greater than or equal to
-like Uses wildcards for pattern matching
The following is a command that you could use to show all of the properties for a user account:
Get-ADUser Administrator -Properties *
The following is a command that you could use to return all the user accounts in the Marketing OU, and all its child OUs:
Get-ADUser -Filter * -SearchBase "ou=Marketing,dc=adatum,dc=com" -SearchScope subtree
The following is a command that you could use to show all of the user accounts with a last logon date older than a specific date:
Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"'
The following is a command that you could use to show all of the user accounts in the Marketing department that have a last logon date older than a specific date:
Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012" -and department -eq "Marketing"'
Note: For more information about filtering with Get-AD* cmdlets, see http://technet.microsoft.com/en-us/library/hh531527(v=ws.10).
Question: What is the difference between using -eq and -like when comparing strings?
Modifying Objects with Windows PowerShell
To perform a bulk operation, you need to pass the list of objects that you have queried to another cmdlet to modify the objects. In most cases, you use the Set-AD* cmdlets to modify the objects.
To pass the list of queried objects to another cmdlet for further processing, you use the pipe ( | ) character. The pipe character passes each object from the query to a second cmdlet, which then performs a specified operation on each object.
The following is a command that you could use for those accounts that do not have the company attribute set. This code would generate a list of user accounts and set the company attribute to A. Datum.
Get-ADUser -Filter 'company -eq "$null"' | Set-ADUser -Company "A. Datum"
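The following is an added example, not part of the course material, that builds on the query-and-pipe pattern above: it queries user accounts in an OU whose last logon is older than a cutoff (the same kind of query the module uses to disable inactive accounts), reports them with a reason, and disables them only after a -WhatIf preview. The OU, the cutoff and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the course). Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

function Get-StaleADUser {
    param(
        [string]$SearchBase = 'ou=LondonBranch,dc=adatum,dc=com',   # assumed OU
        [int]$InactiveDays = 90                                     # assumed cutoff
    )
    # A PowerShell variable can be used directly inside the -Filter string; this is one of
    # the reasons the module prefers the Expression Language over an LDAP filter string.
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate is not returned by default, so it must be requested with -Properties.
    # It is derived from the replicated lastLogonTimestamp and can lag by up to 14 days, so
    # it is suitable for a coarse inactivity check, not for second-accurate forensics.
    $stale = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' `
                        -SearchBase $SearchBase -SearchScope Subtree `
                        -Properties LastLogonDate, Department, whenCreated

    # Accounts that have never logged on have no LastLogonDate and do not match -lt, so
    # they are queried separately rather than silently ignored.
    $never = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -notlike "*" -and whenCreated -lt $cutoff' `
                        -SearchBase $SearchBase -SearchScope Subtree `
                        -Properties LastLogonDate, Department, whenCreated

    foreach ($u in @($stale) + @($never)) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Department     = $u.Department
            LastLogonDate  = $u.LastLogonDate
            Created        = $u.whenCreated
            Reason         = $(if ($u.LastLogonDate) { "inactive since $($u.LastLogonDate.ToShortDateString())" }
                               else { 'never logged on' })
        }
    }
}

function Disable-StaleADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = 'ou=LondonBranch,dc=adatum,dc=com',
        [int]$InactiveDays = 90
    )
    $stale = Get-StaleADUser -SearchBase $SearchBase -InactiveDays $InactiveDays
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable account ($($u.Reason))")) {
            Disable-ADAccount -Identity $u.SamAccountName
            # Leave a dated note so the change can be audited and reversed if it was wrong.
            Set-ADUser -Identity $u.SamAccountName `
                       -Description ('Disabled {0:yyyy-MM-dd}: {1}' -f (Get-Date), $u.Reason)
        }
    }
    $stale
}

# Preview first: lists every account that would be disabled and why, without changing AD.
Disable-StaleADUser -InactiveDays 90 -WhatIf
# Disable-StaleADUser -InactiveDays 90        # apply; review afterwards with Get-ADUser -Filter 'Enabled -eq $false'
```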
20410A: Installing and Configuring Windows Server® 2012 4-17
The following is a command that you could use to generate a list of user accounts that have not logged on since a specific date, and then disable them:
Get-ADUser -Filter 'lastlogondate -lt "January 1, 2012"' | Disable-ADAccount
Use Objects from a Text File
Instead of using a list of objects from a query to perform a bulk operation, you can use a list of objects in a text file. This is useful when you need a list of objects to modify or remove, and it is not possible to generate that list by using a query. For example, the human resources department may generate a list of user accounts to be disabled. There is no query that can identify a list of users that have left the organization.
When you use a text file to specify a list of objects, the text file needs to have the name of each object on a single line.
The following example disables the user accounts that are listed in a text file:
Get-Content C:\users.txt | Disable-ADAccount
Question: Which attributes of a user account can you use when creating a query by using the Filter parameter?
Working with CSV Files
A .csv file can contain much more information than a simple list. Similar to a spreadsheet, a .csv file can have multiple rows and columns of data. Each row in the .csv file represents a single object, and each column in the .csv file represents a property of the object. This is useful for bulk operations such as creating user accounts, where multiple pieces of information about each object are required.
You can use the Import-Csv cmdlet to read the contents of a .csv file into a variable, and then work with the data. After the data is imported into the variable, you can refer to each individual row of data and each column of data. Each column has a name that is based on the header row (the first row) of the .csv file. You can refer to each column by name.
The following is an example of a .csv file with a header row:
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
Use Foreach to Process CSV Data
In many cases, you are creating a script that will be reused for multiple .csv files, and you do not know how many rows there are in each .csv file. You can use a foreach loop to process each row. This type of loop does not require that you know how many rows there are in a .csv file.
4-18 Automating Active Directory Domain Services Administration
The following is a command that you could use to import a .csv file into a variable, and use a foreach loop to display the first name from each row in a .csv file:
$users = Import-Csv C:\users.csv
foreach ($i in $users) { Write-Host "The first name is: $($i.FirstName)" }
Question: In the foreach loop, how does $i change?
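The following is an added example, not the course's DemoUsers.ps1 or LabUsers.ps1, that carries the foreach loop above through to creating accounts from a .csv file with the header row shown in this lesson (FirstName,LastName,Department). The OU, UPN suffix, account-naming rule, initial-password handling and the sample rows are assumptions.

```powershell
# Added example (not from the course). Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

function New-RandomPassword {
    # Generates a per-user initial password that meets the default domain complexity policy
    # (upper, lower, digit, symbol). A shared default password that fails the policy is a
    # common cause of New-ADUser errors when creating accounts from a .csv file.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*+='
    do {
        $candidate = -join (1..$Length | ForEach-Object { $chars | Get-Random })
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '\d' -and $candidate -match '[!$%&*+=]')
    $candidate
}

function New-ADUserFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$OU = 'ou=LondonBranch,dc=adatum,dc=com',   # assumed OU (must already exist)
        [string]$UpnSuffix = 'adatum.com'                  # assumed UPN suffix
    )
    $created = @()
    foreach ($row in (Import-Csv -Path $CsvPath)) {
        # Assumed naming rule: first initial + surname, lower case, at most 20 characters.
        $sam = ('{0}{1}' -f $row.FirstName.Substring(0, 1), $row.LastName).ToLower()
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

        # Skip rows whose account already exists instead of failing part-way through the file.
        if (Get-ADUser -Filter 'SamAccountName -eq $sam') {
            Write-Warning "Skipping ${sam}: an account with that name already exists"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($sam, "Create user in $OU")) { continue }

        # -AccountPassword needs a SecureString, and -Enabled $true fails without a password.
        # The generated password is not stored; hand it over out of band or reset it with
        # Set-ADAccountPassword when the user starts. ChangePasswordAtLogon forces a new one.
        $password = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
        New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
                   -DisplayName "$($row.FirstName) $($row.LastName)" `
                   -GivenName $row.FirstName -Surname $row.LastName `
                   -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
                   -Department $row.Department -Path $OU `
                   -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
        $created += $sam
    }
    $created
}

# Constructed sample input, written to a temporary file so the example runs end to end.
$sampleCsv = Join-Path $env:TEMP 'users-sample.csv'
@'
FirstName,LastName,Department
Greg,Guzik,IT
Robin,Young,Research
Qiong,Wu,Marketing
'@ | Set-Content -Path $sampleCsv

New-ADUserFromCsv -CsvPath $sampleCsv -WhatIf   # preview the accounts that would be created
# New-ADUserFromCsv -CsvPath $sampleCsv         # create them, then verify with Get-ADUser -Filter * -SearchBase $OU
```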
Demonstration: Performing Bulk Operations with Windows PowerShell
You can use a script to combine multiple Windows PowerShell commands to perform more complex tasks. Within a script, you often use variables and loops to process data. Windows PowerShell scripts have a .ps1 extension.
The execution policy on a server determines whether scripts are able to run. The default execution policy on Windows Server 2012 is RemoteSigned. This means that local scripts can run without being digitally signed. You can control the execution policy by using the Set-ExecutionPolicy cmdlet.
In this demonstration, you will see how to:
• Configure the department for users in the Research OU.
• Create a LondonBranch OU.
• Run the script to create new user accounts in LondonBranch.
• Verify that the new user accounts were created in LondonBranch.
Demonstration Steps
Configure the department for users in the Research OU
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, search for user accounts in the Research OU using the following command:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com"
3. Set the department attribute of all users in the Research OU using the following command:
Get-ADUser -Filter * -SearchBase "ou=Research,dc=adatum,dc=com" | Set-ADUser -Department Research
4. Display a table-formatted list of users in the Research department. Display the distinguished name and department by using the following command:
Get-ADUser -Filter 'department -eq "Research"' | Format-Table DistinguishedName,Department
5. Use the Properties parameter to allow the previous command to display the department correctly. Use the following command:
Get-ADUser -Filter 'department -eq "Research"' -Properties Department | Format-Table DistinguishedName,Department
20410A: Installing and Configuring Windows Server® 2012 4-19
Create a LondonBranch OU
• At the Windows PowerShell prompt, create a new OU named LondonBranch using the following command:
New-ADOrganizationalUnit LondonBranch -Path "dc=adatum,dc=com"
Run the script to create new user accounts in LondonBranch
1. Open E:\Labfiles\Mod04\DemoUsers.csv, and read the header row.
2. Edit DemoUsers.ps1, and review the contents of the script. Note that the script:
o Refers to the location of the .csv file.
o Uses a foreach loop to process the .csv file contents.
o Refers to the columns defined by the header in the .csv file.
3. At the Windows PowerShell prompt, change to the E:\Labfiles\Mod04 directory and run the following command:
.\DemoUsers.ps1
Verify that the new user accounts were created in LondonBranch
1. In Server Manager, open the Active Directory Administrative Center tool.
2. In Active Directory Administrative Center, browse to Adatum (local)>LondonBranch, and verify that the user accounts were created. Note that the accounts are disabled because no password was set during creation.
4-20 Automating Active Directory Domain Services Administration
Lab: Automating AD DS Administration by Using Windows PowerShell
Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.
As part of configuring a new branch office, you need to create user and group accounts. Creating multiple users with graphical tools is inefficient, so you will be using Windows PowerShell.
Objectives
After completing this lab, you will be able to:
• Create user accounts and group accounts by using Windows PowerShell.
• Use Windows PowerShell to create user accounts in bulk.
• Modify user accounts in bulk.
Lab Setup
Estimated time: 45 minutes
Virtual Machines 20410A-LON-DC1
20410A-LON-CL1
User Name Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.
20410A: Installing and Configuring Windows Server® 2012 4-21
Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
Scenario
A. Datum Corporation has a number of scripts that have been used in the past to create user accounts by using command-line tools. It has been mandated that all future scripting will be done by using Windows PowerShell. As the first step in creating scripts, you need to identify the syntax required to manage AD DS objects in Windows PowerShell.
The main tasks for this exercise are as follows:
1. Create a user account by using Windows PowerShell.
2. Create a group by using Windows PowerShell.
Task 1: Create a user account by using Windows PowerShell
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, create a new OU named LondonBranch.
New-ADOrganizationalUnit LondonBranch
3. Create a new user account for Ty Carlson in the LondonBranch OU using the following command:
New-ADUser -Name Ty -DisplayName "Ty Carlson" -GivenName Ty -Surname Carlson -Path "ou=LondonBranch,dc=adatum,dc=com"
4. Set the password for the new account as Pa$$w0rd, using the following command:
Set-ADAccountPassword Ty
5. Enable the new user account using the following command:
Enable-ADAccount Ty
6. On LON-CL1, log on as Ty using a password of Pa$$w0rd.
7. Verify that logon is successful and then sign out of LON-CL1.
Task 2: Create a group by using Windows PowerShell
1. On LON-DC1, at the Windows PowerShell prompt, create a new global security group for users in the London branch office, using the following command:
New-ADGroup LondonBranchUsers -Path "ou=LondonBranch,dc=adatum,dc=com" -GroupScope Global -GroupCategory Security
2. At the Windows PowerShell prompt, add Ty as a member of LondonBranchUsers, using the following command:
Add-ADGroupMember LondonBranchUsers -Members Ty
3. At the Windows PowerShell prompt, confirm that Ty has been added as a member of LondonBranchUsers, using the following command:
Get-ADGroupMember LondonBranchUsers
4-22 Automating Active Directory Domain Services Administration
Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.
Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
Scenario
You have been given a .csv file that contains a large list of new users for the branch office. It would be inefficient to create these users individually with graphical tools. Instead, you will use a Windows PowerShell script to create the users. A colleague that is experienced with scripting has provided you with a script that she created. You need to modify the script to match the format of your CSV file.
The main tasks for this exercise are as follows:
1. Prepare the .csv file.
2. Prepare the script.
3. Run the script.
Task 1: Prepare the .csv file
1. On LON-DC1, read the contents in E:\Labfiles\Mod04\LabUsers.ps1 to identify the header requirements for the .csv file.
2. Edit the contents in C:\Labfiles\Mod04\LabUsers.csv and add the appropriate header.
Task 2: Prepare the script
1. On LON-DC1, use Windows PowerShell ISE to modify the variables in LabUsers.ps1.
o $csvfile: E:\Labfiles\Mod04\labUsers.csv
o $OU: “ou=LondonBranch,dc=adatum,dc=com”
2. Save the modified LabUsers.ps1.
3. Review the contents of the script.
Task 3: Run the script
1. On LON-DC1, open a Windows PowerShell prompt, and run E:\Labfiles\Mod04\LabUsers.ps1.
2. At the Windows PowerShell prompt, verify that the users were created by using the following command:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com"
3. On LON-CL1, log on as Luka using a password of Pa$$w0rd.
Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.
Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
Scenario
You have received a request to update all user accounts in the new branch office OU with the correct address of the new building. You have also been asked to ensure that all of the new user accounts in the branch office are configured to force the users to change their passwords at their next logon. You decide to run a script to force all user accounts in the London branch to change their password the next time that they log on.
20410A: Installing and Configuring Windows Server® 2012 4-23
The main tasks for this exercise are as follows:
1. Force all user accounts in LondonBranch to change password at next logon.
2. Configure the address for user accounts in LondonBranch.
3. To prepare for the next module.
Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, create a query for user accounts in the LondonBranch OU using the following command:
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Format-Wide DistinguishedName
3. At the Windows PowerShell prompt, modify the previous command to force all user accounts to change their password at the next logon.
Get-ADUser -Filter * -SearchBase "ou=LondonBranch,dc=adatum,dc=com" | Set-ADUser -ChangePasswordAtLogon $true
Task 2: Configure the address for user accounts in LondonBranch
1. On LON-DC1, open the Active Directory Administrative Center tool.
2. Open the properties for all user accounts in LondonBranch.
3. Set the address for multiple users as follows:
o Street: Branch Office
o City: London
o Country/Region: United Kingdom
Results: After completing this exercise, you will have modified user accounts in bulk.
To prepare for the next module
When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20410A-LON-DC1.
4-24 Automating Active Directory Domain Services Administration
Module Review and Takeaways
Question: A colleague is creating a Windows PowerShell script that creates user accounts from data in a .csv file, but is experiencing errors when attempting to set a default password. Why might this be happening?
Question: You are an administrator for a school district that creates 20,000 new user accounts for students each year. The administration system for students can generate a list of the new students and then export it as a .csv file. After the data has been exported to a .csv file, what information do you need to work with the data in a script?
Question: The Research department in your organization has been renamed to Research and Development. You need to update the Department property of users in the Research department to reflect this change.
Question: You have created a query for user accounts with the department property set to Research by using the Get-ADUser cmdlet and the –Filter parameter. What is the next step to update the department property to Research and Development?
5-1
Module 5 Implementing IPv4
Contents: Module Overview 5-1
Lesson 1: Overview of TCP/IP 5-2
Lesson 2: Understanding IPv4 Addressing 5-6
Lesson 3: Subnetting and Supernetting 5-11
Lesson 4: Configuring and Troubleshooting IPv4 5-16
Lab: Implementing IPv4 5-23
Module Review and Takeaways 5-27
Module Overview
Internet Protocol Version 4 (IPv4) is the network protocol used on the Internet and local area networks. To ensure that you can understand and troubleshoot network communication, it is essential that you understand how IPv4 is implemented. In this module, you will see how to implement an IPv4 addressing scheme, and determine and troubleshoot network-related problems.
Objectives
At the end of this module, you will be able to:
• Describe the TCP/IP protocol suite.
• Describe IPv4 addressing.
• Determine a subnet mask necessary for supernetting or subnetting.
• Configure IPv4 and troubleshoot IPv4 communication.
5-2 Implementing IPv4
Lesson 1
Overview of TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry standard suite of protocols that provides communication in a heterogeneous network. This lesson provides an overview of IPv4 and how it relates to other protocols to enable network communication. It also covers the concept of sockets, which are used by applications to accept network communications. Combined together, this overview provides a foundation for understanding and troubleshooting network communication.
Lesson Objectives
At the end of this lesson, you will be able to:
• Describe the elements of the TCP/IP suite of protocols.
• Describe the individual protocols that make up the TCP/IP suite.
• Describe TCP/IP application layer protocols.
• Describe a socket and identify port numbers for specified protocols.
The TCP/IP Protocol Suite
The tasks performed by TCP/IP in the communication process are distributed between protocols. These protocols are organized into four distinct layers of the TCP/IP stack:
• Application layer. Applications use the application layer protocols to access network resources.
• Transport layer. The transport layer protocols control data transfer reliability on the network.
• Internet layer. The internet layer protocols control packet movement between networks.
• Network interface layer. The network interface layer protocols define how datagrams from the Internet layer are transmitted on the media.
Benefits of Architecture Layers
Rather than creating a single protocol, dividing the network functions into a stack of separate protocols provides several benefits:
• Separate protocols make it easier to support a variety of computing platforms.
• Creating or modifying protocols to support new standards does not require modification of the entire protocol stack.
• Having multiple protocols operating at the same layer makes it possible for applications to select the protocols that provide only the level of service required.
• Because the stack is split into layers, the development of the protocols can proceed simultaneously by personnel who are uniquely qualified in the operations of the particular layers.
20410A: Installing and Configuring Windows Server® 2012 5-3
Protocols in the TCP/IP Suite
The Open Systems Interconnection (OSI) model defines distinct layers related to packaging, sending, and receiving data transmissions over a network. The layered suite of protocols that form the TCP/IP stack carry out these functions.
Application Layer
The application layer of the TCP/IP model corresponds to the application, presentation, and session layers of the OSI model. This layer provides services and utilities that enable applications to access network resources.
Transport Layer
The transport layer corresponds to the transport layer of the OSI model and is responsible for end-to-end communication using TCP or User Datagram Protocol (UDP). The TCP/IP protocol suite offers application programmers the choice of TCP or UDP as a transport layer protocol:
• TCP. Provides connection-oriented reliable communications for applications. Connection-oriented communication confirms that the destination is ready to receive data before it sends the data. To make communication reliable, TCP confirms that all packets are received. Reliable communication is desired in most cases and is used by most applications. Web servers, File Transfer Protocol (FTP) clients, and other applications that move large amounts of data use TCP.
• UDP. Provides connectionless and unreliable communication. When using UDP, reliable delivery is the responsibility of the application. Applications use UDP for faster communication with less overhead than TCP. Applications such as streaming audio and video use UDP so that a single missing packet will not delay playback. UDP is also used by applications that send small amounts of data, such as Domain Name System (DNS) name lookups.
The transport layer protocol that an application uses is determined by the developer of an application, and is based on the communication requirements of the application.
Internet Layer
The Internet layer corresponds to the network layer of the OSI model and consists of several separate protocols, including: IP; Address Resolution Protocol (ARP); Internet Group Management Protocol (IGMP); and Internet Control Message Protocol (ICMP). The protocols at the Internet layer encapsulate transport layer data into units called packets, address them, and route them to their destinations.
The Internet layer protocols are:
• IP. IP is responsible for routing and addressing. The Windows 8 operating system and the Windows Server® 2012 operating system implement a dual-layer IP protocol stack, including support for both IPv4 and IPv6.
• ARP. ARP is used by IP to determine the media access control (MAC) address of local network adapters—that is, adapters installed on computers on the local network—from the IP address of a local host. ARP is broadcast-based, meaning that ARP frames cannot transit a router and are therefore localized. Some implementations of TCP/IP provide support for Reverse ARP (RARP) in which the MAC address of a network adapter is used to determine the corresponding IP address.
• IGMP. IGMP provides support for multicasting applications over routers in IPv4 networks.
• ICMP. ICMP sends error messages in an IP-based network.
5-4 Implementing IPv4
Network Interface Layer
The network interface layer (sometimes called the data link and physical layers …) … sending and receiving packets on … the TCP/IP protocol suite because … the driver and the network adapter.
TCP/IP Applications
Applications use a … to communicate over … server must be using … protocol to communicate … Some common application layer protocols are listed in the following table.
Protocol Description
HTTP
HTTP/Secure (HTTPS)
FTP
Remote Desktop Protocol (RDP)
Server Message Block (SMB)
Simple Mail Transfer Protocol (SMTP)
Post Office Protocol version 3 (POP3)
ications
application layer the networking the same a
municate. The fpplication laye
D
U
HTTPS) Aa
U
op Uo
e Block U
ansfer P)
U
tocol 3)
U
metimes referrthe OSI modeon the networuse the tasks a.
yer protocols tok. A client and application layfollowing tabler protocols.
Description
Used for comm
A version of HTand web serve
Used to transfe
Used to remotover a network
Used by server
Used to transfe
Used to retriev
red to as the lil. The networkk media. This lre performed
o
yer e lists
munication bet
TTP that encryrs.
er files betwee
ely control a ck.
rs and client co
er email messa
ve messages fr
ink layer or dak interface layelayer is often nby the combin
tween the web
ypts communic
en FTP clients a
computer runn
omputers for f
ages over the I
rom some ema
ata link layer) cer specifies thenot formally conation of the n
b browsers and
cation betwee
and servers.
ning Windows
file and printer
Internet.
ail servers.
corresponds toe requirementsonsidered partnetwork adapt
d web servers.
en web browse
operating syst
r sharing.
o the s for t of ter
ers
tems
What Is a Socket?

When an application wants to establish communication with an application on a remote host, it creates a TCP or a UDP socket, as appropriate. A socket identifies the following as part of the communication process:

• The transport protocol that the application uses, which could be TCP or UDP
• The TCP or UDP port numbers that the applications are using
• The IPv4 or IPv6 address of the source and destination hosts

This combination of transport protocol, IP address, and port number creates a socket.

Well-Known Ports

Applications are assigned a port number between 0 and 65,535. The first 1,024 ports are known as well-known ports and have been assigned to specific applications. Applications listening for connections use consistent port numbers to make it easier for client applications to connect. If an application listens on a non-standard port number, then you need to specify the port number when connecting to it. Client applications typically use a random source port number above 1,024. The following table identifies some of these well-known ports.

Port | Protocol | Application
80 | TCP | HTTP used by a web server
443 | TCP | HTTPS for a secure web server
110 | TCP | POP3 used for email retrieval
25 | TCP | SMTP that is used for sending email messages
53 | UDP | DNS used for most name resolution requests
53 | TCP | DNS used for zone transfers
20, 21 | TCP | FTP used for file transfers

You need to be aware of the port numbers that applications use, so you can configure firewalls to allow communication. Most applications have a default port number for this purpose, but it can be changed when required. For example, some web-based applications run on a port other than port 80 or port 443.

Question: Are there other well-known ports that you can think of?
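The following is an added example, written for this edit in Python rather than taken from the course, that makes the socket description above concrete. It starts a throwaway TCP listener on the loopback address, connects to it, and reads back both ends of the resulting socket (transport protocol, source and destination address, source and destination port), then shows that the client's source port is an ephemeral port above the well-known range. The port_is_listening helper performs the same check an administrator makes with a TCP connect to a port: success means something is listening, a refused connection means nothing is. No real service is assumed; the listener port is chosen by the operating system so the example never collides with one.

```python
"""Added example (not course code): the parts that identify a TCP socket."""
import socket
import threading

WELL_KNOWN_LIMIT = 1024  # ports 0-1023 are the well-known range


def socket_identity(listen_port=0):
    """Return (protocol, client_addr, client_port, server_addr, server_port).

    listen_port=0 asks the OS for any free port, so this runs anywhere.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", listen_port))
    server.listen(1)
    server_addr, server_port = server.getsockname()

    accepted = {}

    def accept_one():
        conn, peer = server.accept()  # peer is the client's (addr, port)
        accepted["conn"], accepted["peer"] = conn, peer

    worker = threading.Thread(target=accept_one)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect((server_addr, server_port))
    client_addr, client_port = client.getsockname()
    worker.join()

    # Both ends must describe the same socket pair
    assert accepted["peer"] == (client_addr, client_port)

    accepted["conn"].close()
    client.close()
    server.close()
    return ("TCP", client_addr, client_port, server_addr, server_port)


def port_is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds, False if it is
    refused, times out, or the host is unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    proto, caddr, cport, saddr, sport = socket_identity()
    print(f"{proto} {caddr}:{cport} -> {saddr}:{sport}")
    print("client used an ephemeral source port:", cport >= WELL_KNOWN_LIMIT)
    print("listener gone after close:", port_is_listening(saddr, sport))
```

Note that port_is_listening only proves a TCP handshake completes; it says nothing about which application answered, which is why the Netstat and Resource Monitor checks described later in this module are still needed to map a port to a process.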
Lesson 2: Understanding IPv4 Addressing

Understanding IPv4 network communication is critical to ensuring that you can implement, troubleshoot, and maintain IPv4 networks. One of the core components of IPv4 is addressing. Understanding addressing, subnet masks, and default gateways allows you to identify the proper communication between hosts. To identify IPv4 communication errors you need to understand how the process is supposed to work.

Lesson Objectives

At the end of this lesson, you will be able to:

• Describe the information required to configure an IPv4 host.
• Identify public and private IPv4 addresses.
• Understand how dotted decimal notation relates to binary numbers.
• Describe a simple IPv4 network with classful addressing.
• Describe a complex IPv4 network with classless addressing.

IPv4 Addressing

To configure network connectivity, you must be familiar with IPv4 addresses and how they work. Network communication for a computer is directed to the IPv4 address of that computer. Each networked computer must be assigned a unique IPv4 address.

Each IPv4 address is 32 bits long. To make IP addresses more readable, they are shown in dotted decimal notation. Dotted decimal notation divides a 32-bit IPv4 address into four groups of 8 bits, each of which is converted to a decimal number between zero and 255. The decimal numbers are separated by a period (dot). Each decimal number is called an octet.

Subnet Mask

Each IPv4 address is composed of a network ID and a host ID. The network ID identifies the network on which the computer is located. The host ID uniquely identifies the computer on that specific network. A subnet mask identifies which part of an IPv4 address is the network ID, and which part is the host ID.

In the simplest scenarios, each octet in a subnet mask is either 255 or 0. A 255 represents an octet that is part of the network ID, while a 0 represents an octet that is part of the host ID. For example, a computer with an IP address of 192.168.23.45 and a subnet mask of 255.255.255.0 has a network ID of 192.168.23.0 and a host ID of 0.0.0.45.

Note: The terms network, subnet, and VLAN (Virtual Local Area Network) are often used interchangeably. A large network is often subdivided into subnets, and VLANs are configured on switches to represent subnets.

Default Gateway

A default gateway is a device, usually a router, on a TCP/IP network that forwards IP packets to other networks. The multiple internal networks in an organization can be referred to as an intranet.

On an intranet, any given network might have several routers that connect it to other networks, both local and remote. You must configure one of the routers as the default gateway for local hosts. This enables the local hosts to communicate with hosts on remote networks.

Before a host sends an IPv4 packet, it uses its own subnet mask to determine whether the destination host is on the same network, or on a remote network. If the destination host is on the same network, the sending host transmits the packet directly to the destination host. If the destination host is on a different network, the host transmits the packet to a router for delivery.

When a host transmits a packet to a remote network, IPv4 consults the internal routing table to determine the appropriate router for the packet to reach the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway contains the required routing information. The default gateway is used in most cases.

Client computers usually obtain their IP addressing information from a Dynamic Host Configuration Protocol (DHCP) server. This is more straightforward than manually assigning a default gateway on each host. Most servers have a static IP configuration that is assigned manually.

Question: How is network communication affected if a default gateway is configured incorrectly?

Public and Private IPv4 Addresses

Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices that do not connect directly to the Internet do not require a public IPv4 address.

Public IPv4 Addresses

Public IPv4 addresses must be unique. The Internet Assigned Numbers Authority (IANA) assigns public IPv4 addresses to regional Internet registries (RIRs). RIRs then assign IPv4 addresses to Internet service providers (ISPs). Usually, your ISP allocates you one or more public addresses from its address pool. The number of addresses that your ISP allocates to you depends upon how many devices and hosts you have to connect to the Internet.

Private IPv4 Addresses

The pool of IPv4 addresses is becoming smaller, so RIRs are reluctant to allocate superfluous IPv4 addresses. Technologies such as network address translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time enable local hosts to connect to remote hosts and services on the Internet.
IANA defines the address ranges in the following table as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Network | Range
10.0.0.0/8 | 10.0.0.0-10.255.255.255
172.16.0.0/12 | 172.16.0.0-172.31.255.255
192.168.0.0/16 | 192.168.0.0-192.168.255.255

How Dotted Decimal Notation Relates to Binary Numbers

When you assign IP addresses, you use dotted decimal notation. Dotted decimal notation is based on the decimal number system. However, in the background, computers use IP addresses in binary. To understand how to choose a subnet mask for complex networks, you must understand IP addresses in binary.

Within an 8-bit octet, each bit position has a decimal value. A bit that is set to 0 always has a zero value. A bit that is set to 1 can be converted to a decimal value. The low-order bit (the rightmost bit in the octet) represents a decimal value of 1. The high-order bit (the leftmost bit in the octet) represents a decimal value of 128. If all bits in an octet are set to 1, the octet's decimal value is 255 (that is: 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1). That is the highest possible value of an octet.

Most of the time, you can use a calculator to convert decimal numbers to binary and vice versa. The Calculator application included in Windows operating systems can perform decimal-to-binary conversions, as shown in the following example.

Binary | Dotted decimal notation
10000011 01101011 00000011 00011000 | 131.107.3.24
Simple IPv4 Implementations

IPv4 Address Classes

The IANA organizes IPv4 addresses into classes. Each class of address has a different default subnet mask that defines the number of valid hosts on the network. IANA has named the IPv4 address classes from Class A through Class E.

Classes A, B, and C are IP networks that you can assign to IP addresses on host computers. Class D addresses are used by computers and applications for multicasting. The IANA reserves Class E for experimental use. The following table lists the characteristics of each IP address class.

Class | First octet | Default subnet mask | Number of networks | Number of hosts per network
A | 1-127 | 255.0.0.0 | 126 | 16,777,214
B | 128-191 | 255.255.0.0 | 16,384 | 65,534
C | 192-223 | 255.255.255.0 | 2,097,152 | 254

Note: The Internet no longer uses routing based on the default subnet mask of IPv4 address classes.

Simple IPv4 Networks

You can use subnetting to divide a large network into multiple smaller networks. In simple IPv4 networks, the subnet mask defines full octets as part of the network ID and host ID. A 255 represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID. For example, you can use the 10.0.0.0 network with a subnet mask of 255.255.0.0 to create 256 smaller networks.

Note: The IPv4 address 127.0.0.1 is used as a loopback address; you can use this address to test the local configuration of the IPv4 protocol stack. Consequently, the network address 127 is not permitted for configuring IPv4 hosts.
More Complex IPv4 Implementations

In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet with some bits that are for the network ID, and some that are for the host ID. This allows you to have the specific number of subnets and hosts that you require. The following example shows a subnet mask that can be used to divide a class B network into 16 subnets:

172.16.0.0/255.255.240.0

In many cases, rather than using a dotted decimal representation of the subnet mask, the number of bits in the network ID is specified instead. This is called classless interdomain routing (CIDR). The following is an example of CIDR:

172.16.0.0/20

Variable Length Subnet Masks

Modern routers support the use of variable length subnet masks (VLSMs). VLSMs allow you to create small subnets of different sizes when you subdivide a larger network. For example, you could subdivide a small network with 256 addresses into 3 smaller networks with 128 addresses, 64 addresses, and 64 addresses. This allows you to use IP addresses in a network more efficiently.

Question: Does your organization use simple or complex networking?
Lesson 3: Subnetting and Supernetting

In most organizations, you need to perform subnetting to divide your network into smaller subnets and allocate those subnets for specific purposes or locations. To do this you need to understand how to select the correct number of bits to include in the subnet masks. In some cases, you may also need to combine multiple networks into a single larger network through supernetting.

Lesson Objectives

At the end of this lesson, you will be able to:

• Describe how bits are used in a subnet mask.
• Identify when to use subnetting.
• Calculate a subnet mask that supports a specific number of subnets.
• Calculate a subnet mask that supports a specific number of hosts.
• Identify an appropriate subnet mask for a scenario.
• Describe supernetting.

How Bits Are Used in a Subnet Mask

In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID.

In complex networks, you can convert the subnet mask to binary, and evaluate each bit in the subnet mask. A subnet mask is composed of contiguous 1s and 0s. The 1s start at the leftmost bit and continue uninterrupted until the bits change to all 0s.

The network ID of a subnet mask can be identified by the 1s. The host ID can be identified by the 0s. Any bits taken from the host ID and allocated to the network ID must be contiguous with the original network ID.

• Each bit that is 1 is part of the network ID.
• Each bit that is 0 is part of the host ID.

The mathematical process used to compare an IP address and a subnet mask is called ANDing.

When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each subnet. Using more bits than you need allows for subnet growth, but limits growth for hosts. Using fewer bits than you need allows for growth in the number of hosts you can have, but limits growth in subnets.
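The following is an added example, written in Python for this edit and not part of the course, that implements both the dotted-decimal-to-binary conversion from Lesson 2 and the ANDing described here. It treats an address and a mask as 32-bit integers, checks that the mask is a contiguous run of 1s followed by 0s (a non-contiguous mask such as 255.0.255.0 is rejected, which is the check the text's "must be contiguous" rule calls for), and ANDs address and mask to separate the network ID from the host ID. The same_subnet helper is the decision a sending host makes before choosing between direct delivery and the default gateway. All values are plain integer arithmetic; no library is needed.

```python
"""Added example (not course code): dotted decimal, binary, and ANDing."""


def to_int(dotted):
    """'192.168.23.45' -> 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted-decimal value: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """'131.107.3.24' -> '10000011 01101011 00000011 00011000'"""
    return " ".join(f"{int(o):08b}" for o in dotted.split("."))


def mask_prefix_length(mask):
    """Number of leading 1 bits in a valid mask; raises if the 1s are not
    contiguous (the bits borrowed for the network ID must be adjacent)."""
    m = to_int(mask)
    ones = 0
    while ones < 32 and (m >> (31 - ones)) & 1:
        ones += 1
    # After the run of 1s, every remaining bit must be 0
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def split_address(address, mask):
    """AND address with mask -> (network_id, host_id, prefix_length)."""
    prefix = mask_prefix_length(mask)
    a, m = to_int(address), to_int(mask)
    network = a & m                    # bits under the 1s
    host = a & (~m & 0xFFFFFFFF)       # bits under the 0s
    return to_dotted(network), to_dotted(host), prefix


def same_subnet(addr1, addr2, mask):
    """What a sending host decides before transmitting: if the network IDs
    match, deliver directly; otherwise send to a router."""
    return split_address(addr1, mask)[0] == split_address(addr2, mask)[0]


if __name__ == "__main__":
    print(to_binary("131.107.3.24"))
    print(split_address("192.168.23.45", "255.255.255.0"))
    print(split_address("172.16.200.9", "255.255.240.0"))
    print(same_subnet("10.10.0.10", "10.10.0.1", "255.255.0.0"))
```

The 172.16.200.9 / 255.255.240.0 case shows the complex-network situation: the third octet is split, so the network ID (172.16.192.0) is not something you can read off the dotted decimal form without doing the AND.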
The Benefits of Using Subnetting

When you subdivide a network into subnets, you must create a unique ID for each subnet. These unique IDs are derived from the main network ID: you allocate some of the bits in the host ID to the network ID. This enables you to create more networks.

By using subnets, you can:

• Use a single, large network across multiple physical locations.
• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
• Increase security by dividing the network and using firewalls to control communication.
• Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.

Calculating Subnet Addresses

Before you define a subnet mask, estimate how many subnets and how many hosts for each subnet you may require. This enables you to use the appropriate number of bits for the subnet mask.

You can calculate the number of subnet bits that you need in the network. Use the formula 2^n, where n is the number of bits. The result is the number of subnets that n bits provide; choose n so that the result is at least the number of subnets that your network requires.

The following table indicates the number of subnets that you can create by using a specific number of bits.

Number of bits (n) | Number of subnets (2^n)
1 | 2
2 | 4
3 | 8
4 | 16
5 | 32
6 | 64

To determine the subnet addresses quickly, you can use the lowest-value bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this means the subnet mask is
255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest 1 bit has a value of 32, so that is the increment between each subnet address.

The following table shows examples of calculating subnet addresses.

Binary network number | Decimal network number
172.16.00000000.00000000 | 172.16.0.0
172.16.00100000.00000000 | 172.16.32.0
172.16.01000000.00000000 | 172.16.64.0
172.16.01100000.00000000 | 172.16.96.0
172.16.10000000.00000000 | 172.16.128.0
172.16.10100000.00000000 | 172.16.160.0
172.16.11000000.00000000 | 172.16.192.0
172.16.11100000.00000000 | 172.16.224.0

Note: You can use a subnet calculator to determine the appropriate subnets for your network, rather than calculating them manually. Subnet calculators are widely available on the Internet.

Calculating Host Addresses

To determine the host bits in the mask, determine the number of bits required to support the hosts on a subnet. Calculate the number of hosts that n host bits support by using the formula 2^n - 2, where n is the number of bits. This result must be at least the number of hosts that you need on the subnet, and is also the maximum number of hosts that you can configure on that subnet.

On each subnet, two host IDs are allocated automatically and cannot be used by computers. An address with the host ID as all 0s represents the network. An address with the host ID as all 1s is the broadcast address for that network.
The following table shows how many hosts a class C network has available based on the number of host bits.

Number of bits (n) | Number of hosts (2^n - 2)
1 | 0
2 | 2
3 | 6
4 | 14
5 | 30
6 | 62

You can calculate each subnet's range of host addresses by using the following process:

1. The first host is one higher than the subnet ID (the host ID bits are all 0s followed by a 1).
2. The last host is two lower than the next subnet ID (one below the broadcast address, whose host ID bits are all 1s).

The following table shows examples of calculating host addresses.

Network | Host range
172.16.64.0/19 | 172.16.64.1 – 172.16.95.254
172.16.96.0/19 | 172.16.96.1 – 172.16.127.254
172.16.128.0/19 | 172.16.128.1 – 172.16.159.254

To create an appropriate addressing scheme for your organization, you must know how many subnets you need, and how many hosts you need on each subnet. Once you have that information, you can calculate an appropriate subnet mask.

Discussion: Creating a Subnetting Scheme for a New Office

Read the following scenario and answer the questions on the slide.

You are identifying an appropriate network configuration for a new campus. You have been allocated the 10.34.0.0/16 network that you can subnet as required.

There are four buildings on the new campus, and each should have its own subnet to allow for routing between the buildings. Each building will have up to 700 users. Each building will also have printers. The typical ratio of users to printers is 50 to 1.

You also need to allocate a subnet for the server data center that will hold up to 100 servers.
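The following is an added example, written in Python for this edit and not part of the course, that turns the two formulas above (2^n subnets from n borrowed bits, 2^n - 2 usable hosts from n host bits) into code. enumerate_subnets reproduces the /19 tables for 172.16.0.0 with each subnet's first and last host; plan_campus applies the same arithmetic to the scenario just described, sizing each building for its users plus printers at 50:1 and the data center for 100 servers, and carves variable-length subnets out of 10.34.0.0/16. The campus allocation it produces is one allocation worked through with the formulas, not an answer key from the course; the building and data-center names are made up for the example.

```python
"""Added example (not course code): sizing and enumerating subnets."""
import ipaddress
import math


def bits_for_subnets(count):
    """Smallest n with 2**n >= count (subnet bits to borrow)."""
    return 0 if count <= 1 else math.ceil(math.log2(count))


def bits_for_hosts(count):
    """Smallest n with 2**n - 2 >= count; network and broadcast are excluded."""
    n = 1
    while 2 ** n - 2 < count:
        n += 1
    return n


def enumerate_subnets(network, borrowed_bits):
    """[(subnet, first_host, last_host), ...] for each subnet created by
    borrowing borrowed_bits from the host ID."""
    net = ipaddress.ip_network(network, strict=True)
    rows = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        rows.append((str(sub),
                     str(sub.network_address + 1),    # host ID ...0001
                     str(sub.broadcast_address - 1)))  # host ID ...1110
    return rows


def plan_campus(base="10.34.0.0/16", buildings=4, users=700,
                printer_ratio=50, servers=100):
    """Allocate one subnet per building plus a smaller server subnet (VLSM)."""
    base_net = ipaddress.ip_network(base)
    hosts_per_building = users + math.ceil(users / printer_ratio)
    building_prefix = 32 - bits_for_hosts(hosts_per_building)
    server_prefix = 32 - bits_for_hosts(servers)

    plan = []
    remaining = list(base_net.subnets(new_prefix=building_prefix))
    for i in range(buildings):
        plan.append((f"building-{i + 1}", str(remaining.pop(0))))
    # Carve the server subnet out of the next unused building-sized block
    server_block = next(remaining.pop(0).subnets(new_prefix=server_prefix))
    plan.append(("datacenter", str(server_block)))
    return plan


if __name__ == "__main__":
    for row in enumerate_subnets("172.16.0.0/16", 3):
        print(*row)
    for name, subnet in plan_campus():
        print(f"{name:12} {subnet}")
```

For the scenario, 700 users plus 14 printers need 714 host addresses, which takes 10 host bits (1022 usable), so each building gets a /22; 100 servers fit in 7 host bits (126 usable), a /25. Leaving the rest of the /16 unallocated is deliberate: the text's point about growth is that borrowing the minimum number of bits now keeps room for more subnets later.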
What Is Supernetting?

Supernetting combines multiple small networks into a single large network. This may be appropriate when you have a small network that has grown and the address space needs to be expanded. For example, a branch office that is using the network 192.168.16.0/24 might exhaust all of its IP addresses and be allocated the additional network 192.168.17.0/24. If the default subnet mask of 255.255.255.0 is used for these networks then you must perform routing between them. You can use supernetting to combine them into a single network.

To perform supernetting, the networks that you are combining must be contiguous. For example, 192.168.16.0/24 and 192.168.17.0/24 can be supernetted, but you cannot supernet 192.168.16.0/24 and 192.168.54.0/24.

Supernetting is the opposite of subnetting. When you perform supernetting, you allocate bits from the network ID to the host ID. The following table shows how many networks you can combine by using a specific number of bits.

Number of bits | Number of networks combined
1 | 2
2 | 4
3 | 8
4 | 16

The following table shows an example of supernetting two class C networks.

Network | Range
192.168.00010000.00000000/24 | 192.168.16.0-192.168.16.255
192.168.00010001.00000000/24 | 192.168.17.0-192.168.17.255
192.168.00010000.00000000/23 | 192.168.16.0-192.168.17.255
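The following is an added example, written in Python for this edit and not part of the course, that performs the supernetting shown in the table and enforces the contiguity rule stated above. collapse_addresses from the standard library merges only adjacent, aligned blocks, so 192.168.16.0/24 and 192.168.17.0/24 become 192.168.16.0/23 while 192.168.16.0/24 and 192.168.54.0/24 are refused; the extra size check also refuses inputs that overlap, so the function never returns a summary route broader than the networks you handed it. binary_rows reproduces the network-ID | host-ID split shown in the table.

```python
"""Added example (not course code): supernetting contiguous networks."""
import ipaddress


def supernet(networks):
    """Return the single network that covers exactly the given networks,
    or raise ValueError if they are not contiguous and aligned."""
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    # collapse_addresses merges only adjacent blocks that align on the
    # larger boundary, e.g. .16/24 + .17/24 -> .16/23 but not .17/24 + .18/24
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) != 1:
        raise ValueError(f"networks are not contiguous/aligned: {networks}")
    result = merged[0]
    # Overlapping inputs would also collapse to one block; refuse them so the
    # summary never advertises address space the caller did not supply
    if result.num_addresses != sum(n.num_addresses for n in nets):
        raise ValueError(f"networks overlap, refusing to summarise: {networks}")
    return str(result)


def binary_rows(networks):
    """(network-ID bits | host-ID bits, network) for each network, as in the
    course table; the '|' marks where the prefix ends."""
    rows = []
    for n in networks:
        net = ipaddress.ip_network(n)
        bits = f"{int(net.network_address):032b}"
        rows.append((bits[:net.prefixlen] + "|" + bits[net.prefixlen:], str(net)))
    return rows


if __name__ == "__main__":
    pair = ["192.168.16.0/24", "192.168.17.0/24"]
    combined = supernet(pair)
    for bits, net in binary_rows(pair + [combined]):
        print(bits, net)
```

The alignment requirement is why a /23 can start at 192.168.16.0 but not at 192.168.17.0: the borrowed bit must be the lowest bit of the original network ID, and it must be 0 in the first network of the pair.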
Lesson 4: Configuring and Troubleshooting IPv4

If IPv4 is configured incorrectly, then it affects the availability of services that are running on a server. To ensure the availability of network services, you need to understand how to configure and troubleshoot IPv4. Windows Server 2012 introduces the ability to configure IPv4 by using Windows PowerShell. This is useful for scripting.

The troubleshooting tools in Windows Server 2012 are similar to previous versions of Windows operating systems. However, you may not be familiar with Network Monitor, which can be used to perform very detailed analysis of network communication.

Lesson Objectives

At the end of this lesson, you will be able to:

• Configure IPv4 manually to provide a static configuration for a server.
• Configure a server so that it obtains an IPv4 configuration automatically.
• Use IPv4 troubleshooting tools.
• Describe the troubleshooting process used to resolve fundamental IPv4 problems.
• Describe the function of Network Monitor.
• Use Network Monitor to capture and analyze network traffic.

Configuring IPv4 Manually

You typically configure servers with a static IP address. This is done to ensure that you know and can document the IP addresses that are used for various services on your network. For example, a DNS server is accessed at a specific IP address that should not change.

IPv4 configuration includes:

• IPv4 address
• Subnet mask
• Default gateway
• DNS servers

Static configuration requires that you visit each computer and input the IPv4 configuration manually. This method of computer management is reasonable for servers, but it is very time consuming for client computers. Manually entering a static configuration also increases the risk of configuration mistakes.

You can configure a static IP address either in the properties of the network connection or by using the netsh command-line tool. For example, the following command configures the interface named Local Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0, and a default gateway of 10.10.0.1.

    netsh interface ipv4 set address name="Local Area Connection" source=static addr=10.10.0.10 mask=255.255.0.0 gateway=10.10.0.1
Windows Server 2012 also has Windows PowerShell® cmdlets that you can use to manage network configuration. The following table describes some of the Windows PowerShell cmdlets that are available for configuring IPv4.

Cmdlet | Description of IPv4 configuration uses
Set-NetIPAddress | Modifies an existing IP address and sets the subnet mask
Set-NetIPInterface | Enables or disables DHCP for an interface
Set-NetRoute | Modifies routing table entries, including the default gateway (0.0.0.0)
Set-DNSClientServerAddress | Configures the DNS server that is used for an interface

The following code is an example of the Windows PowerShell cmdlets that you can use to configure the interface named Local Area Connection with the static IP address 10.10.0.10, the subnet mask of 255.255.0.0, and a default gateway of 10.10.0.1. Set-NetIPAddress takes the address through its -IPAddress parameter and the subnet mask as a prefix length (16 bits corresponds to 255.255.0.0).

    Set-NetIPAddress -InterfaceAlias "Local Area Connection" -IPAddress 10.10.0.10 -PrefixLength 16
    New-NetRoute -InterfaceAlias "Local Area Connection" -DestinationPrefix 0.0.0.0/0 -NextHop 10.10.0.1

Additional Reading: For more information about Net TCP/IP Cmdlets in Windows PowerShell see: http://technet.microsoft.com/en-us/library/hh826123.

Question: Do any computers or devices in your organization have static IP addresses?

Configuring IPv4 Automatically

DHCP for IPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns additional IPv4 settings from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope.

DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:

• Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
• Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the entire network and prevent communication.

If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. Windows operating systems support the use of Automatic Private IP Addressing (APIPA) or an alternate static IP address for this situation.

When you configure Windows-based computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range, but with no default gateway or DNS server; this enables limited functionality.

APIPA is useful for troubleshooting DHCP; if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.

IPv4 Troubleshooting Tools

Most IPv4 connectivity troubleshooting is performed at a command line. Windows Server 2012 includes a number of command-line tools that help you diagnose network problems.

Ipconfig

Ipconfig is a command-line tool that displays the current TCP/IP network configuration. Additionally, you can use the ipconfig command to refresh DHCP and DNS settings.

The following table describes the command-line options for ipconfig.

Command | Description
ipconfig /all | View detailed configuration information
ipconfig /release | Release the leased configuration back to the DHCP server
ipconfig /renew | Renew the leased configuration
ipconfig /displaydns | View the DNS resolver cache entries
ipconfig /flushdns | Purge the DNS resolver cache

Ping

Ping is a command-line tool that verifies IP-level connectivity to another TCP/IP computer. It sends ICMP echo request messages and displays the receipt of corresponding echo reply messages. Ping is the primary TCP/IP command that you use to troubleshoot connectivity; however, firewalls might block the ICMP messages, so a failed ping does not by itself prove that the host is down.

Tracert

Tracert is a command-line tool that identifies the path taken to a destination computer by sending a series of ICMP echo requests. Tracert then displays the list of router interfaces between a source and a destination. This tool also determines which router has failed, and what the latency (or speed) is. These results might not be accurate if the router is busy, because the ICMP packets are assigned a low priority by the router.
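The following is an added example, written in Python for this edit and not part of the course, that automates the first check described above: reading ipconfig /all output and recognising the symptoms the text names. It parses each adapter block into fields, then flags an address in the APIPA range 169.254.0.0/16 (no DHCP server reachable), a missing default gateway (only the local subnet reachable), and DHCP-enabled adapters with no DNS servers. The ipconfig output below is constructed for the example (two adapters, one healthy and one that fell back to APIPA) and follows the English field labels that ipconfig prints; run it against the real output of ipconfig /all by passing that text to parse_ipconfig.

```python
"""Added example (not course code): spotting DHCP failures in ipconfig /all."""
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample output for this example, not a real capture
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.10.0.5

Ethernet adapter Lab Network:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.91(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# label, dotted padding, colon, optional value
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field_label: value}} for each adapter block."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            value = m.group(2).replace("(Preferred)", "").strip()
            adapters[current][m.group(1).strip()] = value
    return adapters


def diagnose(adapters):
    """Return {adapter_name: [problem, ...]} for adapters that show a symptom."""
    problems = {}
    for name, fields in adapters.items():
        found = []
        addr = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
        if addr and ipaddress.ip_address(addr) in APIPA:
            found.append("APIPA address: no DHCP server reachable")
        if addr and not fields.get("Default Gateway"):
            found.append("no default gateway: only the local subnet is reachable")
        if fields.get("DHCP Enabled") == "Yes" and not fields.get("DNS Servers"):
            found.append("no DNS servers assigned")
        if found:
            problems[name] = found
    return problems


if __name__ == "__main__":
    for adapter, issues in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(adapter)
        for issue in issues:
            print("  -", issue)
```

An APIPA address on a server that is supposed to be static is worth treating as a configuration incident rather than a transient fault: it means the interface is on the DHCP path, which the text recommends against for servers.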
Pathping
Pathping is a command-line tool that traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail, because it sends 100 packets for each router, which enables it to establish trends.
Route Route is a command-line tool that allows to view and modify the local routing table. You can use this to verify the default gateway which is listed as the route 0.0.0.0. In Windows Server 2012 you can also use PowerShell cmdlets to view and modify the routing table. The cmdlets for viewing and modifying the local routing table include Get-NetRoute, New-NetRoute, and Remove-NetRoute.
Telnet
You can use the Telnet Client feature to verify whether a server port is listening. For example, the command telnet 10.10.0.10 25 attempts to open a connection with the destination server, 10.10.0.10, on port 25, SMTP. If the port is active and listening, it returns a message to the Telnet client.
Netstat
Netstat is a command-line tool that enables you to view network connections and statistics. For example, the command netstat -ab returns all listening ports and the executable that is listening.
Resource Monitor
Resource Monitor is a graphical utility that allows you to monitor system resource utilization. You can use Resource Monitor to view TCP and UDP ports that are in use. You can also verify which applications are using specific ports and the amount of data they are transferring on those ports.
Network Diagnostics
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a Windows Server networking problem, the Diagnose Connection Problems option helps you diagnose and repair the problem. Windows Network Diagnostics returns a possible description of the problem and a potential remedy. However, the solution might require manual intervention from the user.
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an error. When these events occur, the Windows operating system records the event in an appropriate event log. You can use Event Viewer to read the event log. IP conflicts are listed in the System event log and might prevent services from starting.
The Troubleshooting Process
The first step in troubleshooting a network problem is identifying the scope of the problem. The most likely causes of a problem that affects a single user will differ from a problem that affects all users. If a problem affects only a single user, then the problem is likely related to the configuration of that one computer. If a problem affects all users, then it is likely that it is either a server configuration issue or a network configuration issue. If a problem affects only a group of users, then you need to determine the common denominator among that group of users.
To troubleshoot network communication problems, you need to understand the overall communication process. You can identify where the process is breaking down and preventing communication only if you understand how the overall communication process works. To understand the overall communication process, you need to understand the routing and firewall configuration on your network. To help identify the routing path through your network, you can use Tracert.
Some of the steps that you can use to identify the cause of network communication problems are:
1. If you know what the correct network configuration for the host should be, then use ipconfig to verify that it is configured that way. If ipconfig returns an address on the 169.254.0.0/16 network, it indicates that the host failed to obtain an IP address from DHCP.
2. Use ping to see if the remote host responds. If you use ping to return the DNS name of the remote host, you verify both name resolution and whether the host responds. Be aware that Windows Firewall on member servers and client computers often blocks ping attempts. In such a case, lack of a ping response may not indicate that the remote host is not functional. If you can ping other remote hosts on the same network, it often indicates that the problem is on the remote host.
3. You can use an application to test the service you are connecting to on the remote host. For example, use Windows Internet Explorer® to test connectivity to a web server. You can also use Telnet to connect to the port of the remote application.
4. Use ping to see if the default gateway responds. Most routers respond to ping requests. If you do not get a response when you ping the default gateway, then there is likely a configuration error on the client computer, such as the default gateway being configured incorrectly. It is also possible that the router is experiencing errors.
Note: You can force ping to use IPv4 instead of IPv6 by using the -4 option.
Question: Are there any other steps that you use to troubleshoot network connectivity problems?
What Is Network Monitor?
Network Monitor is a packet analyzer that enables you to capture and examine network packets on the network to which your computer is connected. Capturing packets is an advanced troubleshooting technique that helps you to identify unusual network problems and work towards a resolution. For example, by examining the packets transmitted on a network you may be able to see errors that are not reported by an application.
You can install Network Monitor on either endpoint in the communication process, or on a third computer. If you install Network Monitor on a third computer, then you must configure port mirroring on the network switches. Ensure that you configure port mirroring to copy the network packets that are destined for endpoints in the communication process, to the switch port where the computer with Network Monitor is connected. Network Monitor can monitor the packets sent to other computers, because it operates in promiscuous mode.
You can download Network Monitor from the Microsoft download website and install it on a workstation that is running either Windows 8 or Windows Server 2012. Once installed, Network Monitor binds to the local network adapters. When you launch Network Monitor, you can view existing captures, or begin a new capture.
Using Network Monitor
Once you have captured network packets, you must be able to interpret what you see, and whether the behavior is expected or not. To help you, Network Monitor displays the packets in a summarized list in the Frame Summary pane.
The Frame Summary pane displays all captured packets, and provides the following information:
• Time and date: this enables you to determine in which order the packets were transmitted.
• Source and destination: this provides the source and destination IP addresses so that you can determine which computers are involved in the dialog.
• Protocol name: the highest-level protocol that Network Monitor can identify is listed. For example, ARP, ICMP, TCP, SMB, and others. Knowing the high-level protocol enables you to pinpoint which services might be experiencing or causing the problem that you are troubleshooting.
When you select a frame in the Frame Summary pane, the Frame Details pane updates with the contents of that particular frame. You can step through the frame’s details, examining the content of each element as you proceed.
Each layer in the network architecture—from the application on down—encapsulates its data in the container of the layer below. In other words, an HTTP request is encapsulated in an IPv4 packet, which in turn, is encapsulated in an Ethernet frame.
When you have gathered a large amount of data, it can be difficult to determine which frames are relevant to your specific problem. You can use filtering to show only those frames of interest. For example, you can select to show only DNS-related packets.
Demonstration: How to Capture and Analyze Network Traffic by Using Network Monitor
You can use Network Monitor to capture and view packets that are transmitted on the network. This allows you to view detailed information that would not normally be possible to see. This type of information can be useful for troubleshooting.
Demonstration Steps
Prepare to perform a packet capture
1. Log on to LON-SVR2 as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows PowerShell prompt and run the following command:
• ipconfig /flushdns
3. Open Network Monitor 3.4, and create a new capture tab.
Capture packets from a ping request
1. In Network Monitor, start a packet capture.
2. At the Windows PowerShell prompt, ping LON-DC1.adatum.com.
3. In Network Monitor, stop the packet capture.
View ICMP echo request and echo response packets
1. In Network Monitor, scroll down and select the first ICMP packet.
2. Expand the Icmp portion of the packet to view that it is an Echo Request. This is a ping request.
3. Expand the Ipv4 portion of the packet to view the source and destination IP addresses.
4. Expand the Ethernet portion of the packet to view the source and destination MAC addresses.
5. Select the second ICMP packet.
6. In the Icmp portion of the packet, verify that it is an Echo Reply. This is the response to the ping request.
Filter the display of packets for the DNSQueryName of LON-DC1.adatum.com
1. In Network Monitor, in the Display Filter pane, load the standard DNS filter DNSQueryName.
2. Edit the filter to apply for DNS queries for LON-DC1.adatum.com, and apply the filter.
3. Verify that the packets have been filtered to show only packets that match the filter.
Lab: Implementing IPv4 Scenario
A. Datum has an IT office and data center in London, which supports the London location and other locations. They have recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.
After a security review, your manager has asked you to calculate new subnets for the branch office to support segmenting network traffic. You also need to troubleshoot a connectivity problem on a server in the branch office.
Objectives
After completing this lab, you will be able to:
• Calculate subnets for a given set of requirements.
• Troubleshoot IPv4 connectivity issues.
Lab Setup
Estimated Time: 45 minutes
Logon Information
Virtual Machines 20410A-LON-DC1
20410A-LON-RTR
20410A-LON-SVR2
User Name Adatum\Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-RTR, and 20410A-LON-SVR2.
Exercise 1: Identifying Appropriate Subnets
Scenario
The new branch office is configured with a single subnet. After a security review, all branch office network configurations are being modified to place servers on a separate subnet from the client computers. You need to calculate the new subnet mask and the default gateways for the subnets in your branch.
The current network for your branch office is 192.168.98.0/24. This network needs to be subdivided into three subnets as follows:
• One subnet with at least 100 IP addresses for clients
• One subnet with at least 10 IP addresses for servers
• One subnet with at least 40 IP addresses for future expansion
The main tasks for this exercise are as follows:
1. Calculate the bits required to support the hosts on each subnet.
2. Calculate subnet masks and network IDs.
Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?
2. How many bits are required to support 10 hosts on the server subnet?
3. How many bits are required to support 40 hosts on the future expansion subnet?
4. If all subnets are the same size, can they be accommodated?
5. Which feature allows a single network to be divided into subnets of varying sizes?
6. How many host bits will you use for each subnet? Use the simplest allocation possible.
Task 2: Calculate subnet masks and network IDs
1. Given the number of host bits allocated, what is the subnet mask that you will use for the client subnet?
• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.
Binary Decimal
2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet?
• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary Decimal
3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet?
• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary Decimal
4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.
Description Binary Decimal
Network ID
First host
Last host
Broadcast
5. For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool.
Description Binary Decimal
Network ID
First host
Last host
Broadcast
6. For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool.
Description Binary Decimal
Network ID
First host
Last host
Broadcast
Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.
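The Exercise 1 calculations carried out in Python, as an added example that is not part of the lab or its answer key: host_bits_needed gives the minimum host bits for a host count, same_size_fits answers whether equal-sized subnets would fit, and allocate_subnets carves 192.168.98.0/24 into consecutive subnets using the host-bit sizes the task sheet settles on (7, 6 and 6), producing the network ID, first and last host, broadcast and binary mask for each worksheet table.

```python
from ipaddress import IPv4Address, IPv4Network


def host_bits_needed(hosts):
    """Smallest number of host bits whose block holds `hosts` usable addresses.
    Two addresses in every subnet are unusable: the network ID and the broadcast."""
    bits = 1
    while (2 ** bits) - 2 < hosts:
        bits += 1
    return bits


def same_size_fits(base, host_counts):
    """Worksheet question 4: can every subnet be the size the largest one needs?"""
    bits = host_bits_needed(max(host_counts))
    return len(host_counts) * (2 ** bits) <= IPv4Network(base).num_addresses


def dotted_binary(addr):
    """Render an address or mask the way the worksheet's Binary column expects."""
    return ".".join(f"{octet:08b}" for octet in IPv4Address(addr).packed)


def allocate_subnets(base, host_bits):
    """Variable-length subnetting (worksheet question 5): carve consecutive subnets
    out of `base`, each with the given number of host bits, in the order listed.
    Returns one row per subnet with the values the worksheet tables ask for."""
    network = IPv4Network(base)
    cursor = network.network_address
    rows = []
    for bits in host_bits:
        subnet = IPv4Network((cursor, 32 - bits))  # raises if cursor is not aligned
        if not subnet.subnet_of(network):
            raise ValueError(f"{subnet} does not fit inside {network}")
        hosts = list(subnet.hosts())
        rows.append({
            "network": str(subnet),
            "mask": str(subnet.netmask),
            "mask_binary": dotted_binary(subnet.netmask),
            "network_id": str(subnet.network_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(subnet.broadcast_address),
            "broadcast_binary": dotted_binary(subnet.broadcast_address),
        })
        cursor = subnet.broadcast_address + 1  # next subnet starts right after this one
    return rows


if __name__ == "__main__":
    # Lab values: 192.168.98.0/24 split into client (100 hosts), server (10) and
    # future-expansion (40) subnets, allocated with 7, 6 and 6 host bits.
    for need in (100, 10, 40):
        print(f"{need:>3} hosts -> at least {host_bits_needed(need)} host bits")
    print("equal-sized subnets fit:", same_size_fits("192.168.98.0/24", [100, 10, 40]))
    for name, row in zip(("client", "server", "future"),
                         allocate_subnets("192.168.98.0/24", [7, 6, 6])):
        print(name, row["network"], row["first_host"], row["last_host"], row["broadcast"])
```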
Exercise 2: Troubleshooting IPv4
Scenario
A server in the branch office is unable to communicate with the domain controller in the head office. You need to resolve the network connectivity problem.
The main tasks for this exercise are as follows:
1. Prepare for troubleshooting.
2. Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1.
Task 1: Prepare for troubleshooting
1. On LON-SVR2, open Windows PowerShell and ping LON-DC1 and verify that it is functional.
2. Run the Break.ps1 script that is located in E:\Labfiles\Mod05. This script creates the problem that you will troubleshoot and repair in the next task.
Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1
1. Use your knowledge of IPv4 to troubleshoot and repair the connectivity problem between LON-SVR2 and LON-DC1. Consider using the following tools:
• IPConfig
• Ping
• Tracert
• Route
• Network Monitor
2. When you have repaired the problem, ping LON-DC1 from LON-SVR2 to confirm that the problem is resolved.
Note: If you have additional time, run an additional break script from \\LON-DC1\E$\Labfiles\Mod05 and troubleshoot that problem.
Results: After completing this lab, you will have resolved an IPv4 connectivity problem.
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.
Module Review and Takeaways
Review Questions
Question: You have just started as a server administrator for a small organization with a single location. The organization is using the 131.107.88.0/24 address range for the internal network. Is this a concern?
Question: You are working for an organization that provides web hosting services to other organizations. You have a single /24 network from your ISP for the web hosts. You are almost out of IPv4 addresses and have asked the ISP for an additional range of addresses. Ideally, you would like to supernet the existing network with the new network. Are there any specific requirements for supernetting?
Question: You have installed a new web-based application that runs on a non-standard port number. A colleague is testing access to the new web-based application, and indicates that he cannot connect to it. What are the most likely causes of his problem?
Best Practices
When implementing IPv4, use the following best practices:
• Allow for growth when planning IPv4 subnets. This ensures that you do not need to change your IPv4 configuration scheme.
• Define purposes for specific address ranges and subnets. This allows you to easily identify hosts based on their IP address and use firewalls to increase security.
• Use dynamic IPv4 addresses for clients. It is much easier to manage the IPv4 configuration for client computers by using DHCP than with manual configuration.
• Use static IPv4 addresses for servers. When servers have a static IPv4 address, it is easier to identify where services are located on the network.
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
IP conflicts
Multiple default gateways defined
Incorrect IPv4 configuration
Tools
Tool                          Use for                                              Where to find it
Network Monitor               Capture and analyze network traffic                  Download from Microsoft web site
IPConfig                      View network configuration                           Command prompt
Ping                          Verify network connectivity                          Command prompt
Tracert                       Verify network path between hosts                    Command prompt
Pathping                      Verify network path and reliability between hosts    Command prompt
Route                         View and configure the local routing table           Command prompt
Telnet                        Test connectivity to a specific port                 Command prompt
Netstat                       View network connectivity information                Command prompt
Resource Monitor              View network connectivity information                Tools in Server Manager
Windows Network Diagnostics   Diagnose problem with a network connection           Properties of the network connection
Event Viewer                  View network related system events                   Tools in Server Manager
Module 6 Implementing DHCP
Contents:
Module Overview 6-1
Lesson 1: Installing a DHCP Server Role 6-2
Lesson 2: Configuring DHCP Scopes 6-7
Lesson 3: Managing a DHCP Database 6-12
Lesson 4: Securing and Monitoring DHCP 6-16
Lab: Implementing DHCP 6-21
Module Review and Takeaways 6-26
Module Overview
Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server® 2012 infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (Windows DS) and network access protection (NAP). To support and troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to deploy, configure, and troubleshoot the DHCP server role.
Objectives
After completing this module, you will be able to:
• Install the DHCP server role.
• Configure DHCP scopes.
• Manage a DHCP database.
• Secure and monitor the DHCP server role.
Lesson 1: Installing a DHCP Server Role
Using DHCP can help simplify client computer configuration. This lesson describes the benefits of DHCP, explains how the DHCP protocol works, and discusses how to control DHCP in a Windows Server 2012 network with Active Directory® Domain Services (AD DS).
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the benefits of using DHCP.
• Explain how DHCP allocates IP addresses to network clients.
• Explain how the DHCP lease generation process works.
• Explain how the DHCP lease renewal process works.
• Describe the purpose of a DHCP relay agent.
• Explain how a DHCP server role is authorized.
• Explain how to add and authorize the DHCP server role.
Benefits of Using DHCP
The DHCP protocol simplifies configuration of Internet Protocol (IP) clients in a network environment. Without using DHCP, each time you add a client to a network, you have to configure it with information about the network on which you installed it, including the IP address, the network’s subnet mask, and the default gateway for access to other networks.
When you need to manage many computers in a network, managing them manually can become a time-consuming process. Many corporations manage thousands of computer devices, including handhelds, desktop computers, and laptops. It is not feasible to manually manage the network IP configurations for organizations of this size.
With the DHCP server role, you can help to ensure that all clients have appropriate configuration information; this helps to eliminate human error during configuration. When key configuration information changes in the network, you can update it using the DHCP server role without having to change the information directly on each computer.
DHCP is also a key service for mobile users who change networks often. DHCP enables network administrators to offer complex network-configuration information to nontechnical users, without users having to deal with their network-configuration details.
DHCP version 6 (v6) stateful and stateless configurations are supported for configuring clients in an IPv6 environment. Stateful configuration occurs when the DHCPv6 server assigns the IPv6 address to the client, along with additional DHCP data. Stateless configuration occurs when the subnet router assigns the IPv6 address automatically, and the DHCPv6 server only assigns other IPv6 configuration settings.
NAP is part of a new toolset that can prevent full access to the intranet for computers that do not comply with system health requirements. NAP with DHCP helps isolate potentially malware-infected computers from the corporate network. DHCP NAP enables administrators to ensure that DHCP clients are compliant with internal security policies. For example, all network clients must be up-to-date and have a valid, up-to-date antivirus program installed before they are assigned an IP configuration that allows full access to the intranet.
You can install DHCP as a role on a Windows Server 2012 Server Core installation. A Server Core installation allows you to create a server with a reduced attack surface. To manage DHCP from the core server, you must install and configure the role from the command-line interface. You also can manage the DHCP role from a graphical user interface (GUI)-based console where the DHCP role is installed already.
How DHCP Allocates IP Addresses
DHCP allocates IP addresses on a dynamic basis, otherwise known as a lease. Although you can set the lease duration to unlimited, you typically set the duration for not more than a few hours or days. The default lease time for wired clients is eight days, and for wireless clients it is three days.
DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet.
For a computer to be considered a DHCP client, it has to be configured to obtain an IP address automatically. By default, every computer is configured to obtain an IP address automatically. In a network where a DHCP server is installed, a DHCP client will respond to a DHCP broadcast.
If a computer is configured with an IP address by an administrator, then that computer has a static IP address and is considered a non-DHCP client, and will not communicate with a DHCP server.
How DHCP Lease Generation Works
You use the four step DHCP lease-generation process to assign an IP address to clients. Understanding how each step works helps you troubleshoot problems when clients cannot obtain an IP address. The four steps are:
1. The DHCP client broadcasts a DHCPDISCOVER packet to every computer in the subnet. Only a computer that has the DHCP server role, or a computer or router that is running a DHCP relay agent, responds. In the latter case, the DHCP relay agent forwards the message to the DHCP server with which it is configured.
2. A DHCP server responds with a DHCPOFFER packet. This packet contains a potential address for the client.
3. The client receives the DHCPOFFER packet. It might receive packets from multiple servers; in that case, it usually selects the server that made the fastest response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. The client then broadcasts a DHCPREQUEST that contains a server identifier. This informs the DHCP servers that receive the broadcast which server’s DHCPOFFER the client has chosen to accept.
4. The DHCP servers receive the DHCPREQUEST. Those servers that the client has not accepted use the message as notification that the client declines that server’s offer. The chosen server stores the IP address client information in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server sends a DHCPNAK message.
Additional Reading: For more information about how DHCP technology works see: http://go.microsoft.com/fwlink/?LinkID=112075&clcid=0x409.
How DHCP Lease Renewal Works
When the DHCP lease reaches 50 percent of the lease time, the client attempts to renew the lease. This is an automatic process that occurs in the background. Computers might have the same IP address for a long time if they operate continually on a network without being shut down.
To renew the IP address lease, the client broadcasts a DHCPREQUEST message. The server that leased the IP address originally sends a DHCPACK message back to the client; this message contains any new parameters that have changed since the original lease was created.
Client computers also attempt renewal during the startup process. This is because client computers might have been moved while they were offline; for example, a laptop computer might be plugged into a new subnet. If renewal is successful, the lease period is reset. If the renewal is unsuccessful, then the client computer attempts to contact the configured default gateway. If the gateway does not respond, the client assumes that it is on a new subnet and enters the Discovery phase, where it attempts to obtain an IP configuration from any DHCP server.
The DHCP role on Windows Server 2012 supports a new feature, DHCP Server Failover protocol. This protocol enables synchronization of lease information between DHCP servers and increases DHCP service availability. If one DHCP server is not available, the other DHCP servers continue to service clients in the same subnet.
What Is a DHCP Relay Agent
DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet. If there are a large number of subnets, it might be expensive to deploy servers for every subnet. A single DHCP server might service collections of smaller subnets. For the DHCP server to respond to a DHCP client request, it must be able to receive DHCP requests. You can enable this by configuring a DHCP relay agent on each subnet. A DHCP relay agent is a computer or router that listens for DHCP broadcasts from DHCP clients and then relays them to DHCP servers in different subnets.
With the DHCP relay agent, the DHCP broadcast packets can be relayed into another IP subnet across a router. Then, you can configure the agent in the subnet that requires IP addresses. Additionally, you can configure the agent with the IP address of the DHCP server. The agent can then capture the client broadcasts and forward them to the DHCP server in another subnet. You can also relay DHCP packets into other subnets using a router that is compatible with Request for Comment (RFC) 1542.
DHCP Server Authorization
DHCP allows a client computer to acquire configuration information about the network in which it starts. DHCP communication typically occurs before any authentication of the user or computer; and because the DHCP protocol is based on IP broadcasts, an incorrectly configured DHCP server in a network can provide invalid information to clients. To avoid this, the server must be authorized. DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients.
Active Directory Requirements
You must authorize the Windows Server 2012 DHCP server role in AD DS before it can begin leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that contain multiple AD DS domains. Therefore, an Enterprise Administrator account must authorize the DHCP server.
Note: For authorization purposes, you must have an Enterprise Administrator in all domains with the exception of the forest root domain; in this instance, members of the Domain Admins group have adequate privilege to authorize a DHCP server.
Standalone DHCP Server Considerations
A standalone DHCP server is a computer that is running Windows Server 2012, that is not part of an AD DS domain, and that has the DHCP server role installed and configured. If the standalone DHCP server
detects an authorized DHCP server in the domain, it does not lease IP addresses and shuts down automatically.
Rogue DHCP Servers
Many network devices have built-in DHCP server software. Many routers can act as a DHCP server, but it is often the case that these servers do not recognize DHCP-authorized servers and might lease IP addresses to clients.
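The four-step lease exchange from the previous topic and the rogue-server concern above, as an added Python example that is not part of the course materials: it builds and parses minimal DHCP messages (the RFC 2131 fixed header plus RFC 2132 options 53, 54 and 50), walks DISCOVER, OFFER, REQUEST and ACK/NAK with the server-identifier rule from step 3 and 4, and flags DHCPOFFERs whose server identifier is not on a list of authorized DHCP servers. All addresses, the transaction ID and the MAC address are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Option codes from RFC 2132 that carry the lease-generation state.
OPT_REQUESTED_IP = 50
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
TYPE_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
              5: "DHCPACK", 6: "DHCPNAK"}
BOOTREQUEST, BOOTREPLY = 1, 2


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialize a minimal RFC 2131 message: 236-byte fixed header, cookie, options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    fixed += chaddr.ljust(16, b"\0") + b"\0" * (64 + 128)  # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Extract the fields a troubleshooter looks at in a capture."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg = {"op": op, "xid": xid, "chaddr": data[28:28 + hlen],
           "yiaddr": str(IPv4Address(data[16:20])),
           "type": TYPE_NAMES.get(opts.get(OPT_MESSAGE_TYPE, b"\0")[0], "UNKNOWN")}
    for code, key in ((OPT_SERVER_ID, "server_id"), (OPT_REQUESTED_IP, "requested_ip")):
        if code in opts:
            msg[key] = str(IPv4Address(opts[code]))
    return msg


# Step 1: the client broadcasts DHCPDISCOVER (no address yet, so yiaddr stays 0.0.0.0).
def client_discover(xid, chaddr):
    return build_dhcp(BOOTREQUEST, xid, chaddr, options=[(OPT_MESSAGE_TYPE, b"\x01")])


# Step 2: each server that hears it answers with a DHCPOFFER carrying a candidate address.
def server_offer(xid, chaddr, server_ip, offered_ip):
    return build_dhcp(BOOTREPLY, xid, chaddr, yiaddr=offered_ip, options=[
        (OPT_MESSAGE_TYPE, b"\x02"), (OPT_SERVER_ID, IPv4Address(server_ip).packed)])


# Step 3: the client broadcasts DHCPREQUEST naming the server whose offer it accepts.
def client_request(xid, chaddr, chosen_offer):
    offer = parse_dhcp(chosen_offer)
    return build_dhcp(BOOTREQUEST, xid, chaddr, options=[
        (OPT_MESSAGE_TYPE, b"\x03"),
        (OPT_SERVER_ID, IPv4Address(offer["server_id"]).packed),
        (OPT_REQUESTED_IP, IPv4Address(offer["yiaddr"]).packed)])


# Step 4: the named server answers DHCPACK (or DHCPNAK if the address is gone);
# every other server treats the request as a decline and stays silent.
def server_ack_or_nak(request, server_ip, address_still_free):
    req = parse_dhcp(request)
    if req.get("server_id") != server_ip:
        return None
    kind = b"\x05" if address_still_free else b"\x06"
    yiaddr = req["requested_ip"] if address_still_free else "0.0.0.0"
    return build_dhcp(BOOTREPLY, req["xid"], req["chaddr"], yiaddr=yiaddr, options=[
        (OPT_MESSAGE_TYPE, kind), (OPT_SERVER_ID, IPv4Address(server_ip).packed)])


def unauthorized_offers(frames, authorized_servers):
    """Defender's check over captured frames: every DHCPOFFER whose server identifier
    is not an authorized DHCP server is a rogue or misconfigured server to investigate."""
    rogue = []
    for frame in frames:
        msg = parse_dhcp(frame)
        if msg["type"] == "DHCPOFFER" and msg["server_id"] not in authorized_servers:
            rogue.append(msg["server_id"])
    return rogue


if __name__ == "__main__":
    # Constructed sample exchange: one authorized server and one router with a
    # built-in DHCP server that also answers the broadcast.
    xid, mac = 0x3903F326, bytes.fromhex("001122334455")
    discover = client_discover(xid, mac)
    offers = [server_offer(xid, mac, "172.16.0.10", "172.16.0.50"),
              server_offer(xid, mac, "172.16.0.200", "172.16.0.99")]
    print("rogue offers:", unauthorized_offers([discover] + offers, {"172.16.0.10"}))
    request = client_request(xid, mac, offers[0])
    ack = server_ack_or_nak(request, "172.16.0.10", address_still_free=True)
    print(parse_dhcp(ack)["type"], "for", parse_dhcp(ack)["yiaddr"])
```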
Additional Reading:
For more information about DHCP Resources see: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409.
For more information about Networking Collection see: http://go.microsoft.com/fwlink/?LinkId=99883&clcid=0x409.
Demonstration: Adding the DHCP Server Role
Demonstration Steps
Install and authorize the DHCP server role
1. Switch to LON-SVR1.
2. Open Server Manager and install the DHCP Server role.
3. In the Add Role Wizard, accept all default settings.
4. Close Server Manager.
Lesson 2: Configuring DHCP Scopes
You must configure the DHCP scopes after you install the DHCP role on a server. A DHCP scope is the primary method by which you can configure options for a group of IP addresses. A DHCP scope is based on an IP subnet, and can have settings specific to hardware or custom groups of clients. This lesson explains DHCP scopes, and how to manage them.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the purpose of a DHCP scope.
• Describe a DHCP reservation.
• Describe the DHCP Options.
• Describe the DHCP Class-Level Options.
• Explain how DHCP Options are applied.
• Create and configure a DHCP scope.
What Are DHCP Scopes?
A DHCP scope is a range of IP addresses that are available for lease, and that are managed by a DHCP server. A DHCP scope typically is confined to the IP addresses in a given subnet.
For example, a scope for the network of 192.168.1.0/24 (subnet mask 255.255.255.0), supports a range from 192.168.1.1 through 192.168.1.254. When a computer or device in the 192.168.1.0/24 subnet requests an IP address, the scope that defined the range in this example allocates an address between 192.168.1.1 and 192.168.1.254.
Note: Remember that the DHCP server, if deployed to the same subnet, consumes an IPv4 address. This address should be excluded from the IPv4 address range.
To configure a scope, you must define the following properties:
• Name and description: This property identifies the scope.
• IP address range: This property lists the range of addresses that can be offered for lease, and usually lists the entire range of addresses for a given subnet.
• Subnet mask: This property is used by client computers to determine their location in the organization’s network infrastructure.
• Exclusions: This property lists single addresses or blocks of addresses that fall within the IP address range, but that will not be offered for lease.
• Delay: This property is the amount of time to delay before making DHCPOFFER.
6-8 Implement
•
•
IPv
Youseve
Whe
•
•
•
•
•
Wh
It ofsuchadd
UsinIP ascopresethatDHCdevan Iaddcent
Con
To caddreseTyplapt
The
1.
2.
ing DHCP
Lease duratiaddresses, an
Options: You
o option 00
o option 00
o option 01
v6 scopes
u can configureeral different o
en configuring
Name and d
Prefix: The IPnetwork addr
Exclusions: Tbut will not b
Preferred life
Options: As w
hat Is a DH
ften is desirabh as network p
dress.
ng a DHCP resddresses that pe are not assiervation is a spt is reserved peCP client. A DHices with reserP address eve
dresses. Configtralize manage
nfiguring DHC
configure a resdress or physicaervation. You cically, MAC adtop computers
process for co
Open the DH
Expand the D
on: This proped longer dura
u can configure
03 – Router (th
06 – Domain N
15 – DNS suffi
e the IPv6 scopoptions to mod
g a DHCPv6 sc
escription: Th
Pv6 address prress.
This property lbe offered for l
e times: This p
with IPv4, you
HCP Reserv
le to provide nprinters—with
ervation, you you set aside figned to anoth
pecific IP addreermanently foHCP reservatiorvations are gun if a scope is uring reservatement of fixed
CP Reservatio
servation, you al address. Thican acquire a nddresses for nes also note this
onfiguring a D
CP server role
DHCP scope, an
erty lists the leations for more
e many option
he default gate
Name System
x
pe options as adify, and an en
cope, you must
his property id
refix is analogo
ists single addease.
property defin
can configure
vation?
network devicea predetermin
can ensure thafrom a configuher device. A Dess, within a scr lease to a spe
on also ensuresuaranteed depleted of ions enables y
d IP addresses.
ons
must know ths address indic
network interfaetwork printerss information o
DHCP reservatio
e.
nd then click R
ase duration. Ue static networ
nal properties
eway for the s
(DNS) Servers
a separate sconhanced lease
t define the fo
entifies the sco
ous to the IPv4
resses or block
nes how long le
e many option
es—ned IP
at the ured DHCP ope, ecific s that
you to
he device’s netcates to the Dace’s MAC adds and other neon the bottom
on includes th
Reservations.
Use shorter durks.
on a scope, bu
ubnet)
ope, in the DHCmechanism.
ollowing prope
ope.
4 address rang
ks of addresse
eased address
s.
twork interfaceHCP server thadress by using etwork devicesm of their chass
he following ste
rations for sco
ut typically you
CP console’s IP
erties:
ge; in essence,
es that fall with
es are valid.
e media accessat the device sthe ipconfig/
s are printed osis.
eps:
opes with limit
u will configur
Pv6 node. The
it defines the
hin the IPv6 pr
s control (MACshould have a /all commandn the device. M
ted IP
re:
re are
refix
C)
. Most
3.
W
DadnedecosecaanDthEn
C
Th
Oc
. Click More
What Are D
HCP servers caddress; they aletwork resourcefault gatewayommon configerver, scopes, ran apply DHCPnd vendor leveHCP options, a
he RFC documngineering Tas
Common DH
he following ta
Option code
1
3
6
15
44
46
47
51
58
59
31
33
43
249
e Actions, and
DHCP Opti
an configure mso provide infces, such as DNy. DHCP optionguration data treservations, aP options at thels. An option and most optientation foundsk Force (IETF)
HCP Options
able lists the c
Name
Subnet mas
Router
DNS servers
DNS domai
WINS/NBNSService)
WINS/NetB
NetBIOS sco
Lease time
Renewal (T1
Rebinding (
Perform rou
Static route
Vendor-spe
Classless sta
then click New
ions?
more than just ormation abouNS servers andns are values fthat applies tond class optio
he server, scopcode identifieon codes comd on the Intern website.
s
ommon optio
sk
s
n name
S servers (Win
T node type (W
ope ID
1) time value
(T2) time value
uter discovery
ecific informati
atic routes
w Reservation
an IP ut d the or
o the ns. You e, user, s the
me from net
n codes that W
dows Internet
WINS / NetBIO
e
on
20410A: Instal
n.
Windows-base
Naming Servi
OS over TCP/IP
lling and Configuring
ed DHCP client
ice / NetBIOS
P)
g Windows Server®
ts request.
Name
2012 6-9
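The scope, exclusion, options and reservation described above, built from the command line instead of the DHCP console. This is an added example and not part of the courseware: it uses the DhcpServer PowerShell module that ships with the Windows Server 2012 DHCP role, and the values that are not on the page (the DNS server 172.16.0.10, the DNS suffix adatum.com, and the LON-CL1 MAC address) are assumptions. The server address 172.16.0.21 and the Branch Office scope values are the ones the lab uses.

```powershell
# Added example (not from the courseware): the Branch Office scope from the demonstration,
# built with the DhcpServer PowerShell module of the Windows Server 2012 DHCP role.
# Run on LON-SVR1 as an Enterprise Admin (needed for Add-DhcpServerInDC) who is also a
# DHCP administrator. Assumed values, not on the page: DNS server 172.16.0.10, DNS
# suffix adatum.com, LON-CL1 MAC address 00-15-5D-0A-0B-0C.
Import-Module DhcpServer

$ScopeId  = '172.16.0.0'
$ServerIp = '172.16.0.21'          # LON-SVR1, the address the relay exercise forwards to

# 1. Authorize in AD DS; an unauthorized domain member never answers a DHCPDISCOVER.
if (-not (Get-DhcpServerInDC | Where-Object { "$($_.IPAddress)" -eq $ServerIp })) {
    Add-DhcpServerInDC -DnsName 'lon-svr1.adatum.com' -IPAddress $ServerIp
}

# 2. Create the scope inactive, so that no lease goes out before the exclusions and
#    options exist. Eight days is the default lease; use less for a scarce pool.
Add-DhcpServerv4Scope -Name 'Branch Office' -Description 'Branch office clients' `
    -StartRange 172.16.0.100 -EndRange 172.16.0.200 -SubnetMask 255.255.0.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State InActive

# 3. Exclusion from the demonstration. The server's own address (172.16.0.21) lies
#    outside the distribution range, so it needs no exclusion here.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 172.16.0.190 -EndRange 172.16.0.200

# 4. Scope options 003 (router), 006 (DNS servers) and 015 (DNS suffix).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 172.16.0.1 -DnsServer 172.16.0.10 -DnsDomain 'adatum.com'

# 5. Reservation for LON-CL1. The MAC comes from ipconfig /all on the client. As in the
#    lab, the reserved address may lie outside the distribution range but must be in
#    the scope's subnet.
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress 172.16.0.55 `
    -ClientId '00-15-5D-0A-0B-0C' -Name 'LON-CL1' -Description 'Accounting application firewall rule'

# 6. Activate only now.
Set-DhcpServerv4Scope -ScopeId $ScopeId -State Active

function Get-ScopeCapacity {
    # Range .100-.200 is 101 addresses and 11 are excluded, so Free should start at 90.
    param([string]$Id)
    $s = Get-DhcpServerv4ScopeStatistics -ScopeId $Id
    [pscustomobject]@{
        ScopeId      = $Id
        Free         = $s.Free
        InUse        = $s.InUse
        Reserved     = $s.Reserved
        PercentInUse = $s.PercentageInUse
    }
}
Get-ScopeCapacity -Id $ScopeId
```

Creating the scope inactive and activating it last matters more than it looks: a scope that is active before its exclusions exist can hand out the excluded addresses during the seconds in between, and a scope that is active before option 003 is set produces clients with no default gateway until their next renewal.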
How Are DHCP Options Applied?
DHCP applies options to client computers in the following order:
1. Server level. A server-level option is assigned to all DHCP clients of the DHCP server.
2. Scope level. A scope-level option is assigned to all clients of a scope.
3. Class level. A class-level option is assigned to all clients that identify themselves as members of a class.
4. Reserved client level. A reservation-level option is assigned to one DHCP client.

You need to understand these options when configuring DHCP, so you will know which level's settings have priority when you are configuring different settings on multiple levels.

If the DHCP option settings that are applied at each level conflict, then the options that are applied last override previously applied settings. For example, if the default gateway is configured at the scope level, and a different default gateway is applied for a reserved client, then the reserved client setting becomes the effective setting.

You can also configure address assignment policies at the server level or scope level. An address assignment policy contains a set of conditions that you define in order to lease different DHCP IP addresses and settings to different types of DHCP clients, such as computers, laptops, network printers, or IP phones. The conditions defined in these policies include multiple criteria, such as MAC address or vendor information, in order to differentiate various types of clients.

Demonstration: Creating and Configuring a DHCP Scope
You can create scopes using either the Microsoft Management Console (MMC) for the DHCP server role, or the Netsh network configuration command-line tool. The Netsh command-line tool allows you to manage scopes remotely if the DHCP server is running on a Server Core installation of Windows Server 2012. The Netsh command-line tool is also useful for scripting and automating server provisioning.

Demonstration Steps
Authorize the DHCP Server
1. Switch to LON-SVR1.
2. Open the DHCP console.
3. Authorize the lon-svr1.adatum.com server in AD DS.
Configure scope and scope options in DHCP
1. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand and right-click IPv4, and then click New Scope.
2. Create a new scope with the following properties:
o Name: Branch Office
o IP Address Range: 172.16.0.100–172.16.0.200
o Length: 16
o Subnet Mask: 255.255.0.0
o Exclusions: 172.16.0.190-172.16.0.200
o Other settings: use default values
o Configure options Router 172.16.0.1
3. Use default settings for all other pages, and then activate the scope.
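The option precedence rule and the address assignment policies from the previous topic, applied to the scope the demonstration just created. This is an added example and not code from the courseware. The DNS server 172.16.0.10, the alternate gateway 172.16.0.254 for the reserved client 172.16.0.55, and the printer MAC prefix 00-1B-A9 are assumptions; Get-EffectiveOptionValue is an illustrative helper written here, not a cmdlet of the DhcpServer module.

```powershell
# Added example (not from the courseware): the four option levels of "How Are DHCP
# Options Applied?" plus an address assignment policy, on the Branch Office scope
# created in the demonstration. Assumed values: DNS server 172.16.0.10, alternate
# gateway 172.16.0.254 for the reserved client 172.16.0.55, printer MAC prefix 00-1B-A9.
# Get-EffectiveOptionValue is an illustrative helper, not a cmdlet.
Import-Module DhcpServer
$ScopeId = '172.16.0.0'

# Server level: inherited by every scope that does not set option 006 itself.
Set-DhcpServerv4OptionValue -OptionId 6 -Value 172.16.0.10
# Scope level: option 003 for the branch subnet.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 3 -Value 172.16.0.1
# Reserved-client level: wins over the scope value for this one client.
Set-DhcpServerv4OptionValue -ReservedIP 172.16.0.55 -OptionId 3 -Value 172.16.0.254
# The same scope-level change from a Server Core installation, with Netsh:
#   netsh dhcp server \\lon-svr1 scope 172.16.0.0 set optionvalue 003 IPADDRESS 172.16.0.1

# Policy (server or scope level): clients whose MAC begins with the printer prefix get
# a sub-range of the scope and a longer lease. Conditions can also use vendor class,
# user class or relay agent information.
Add-DhcpServerv4Policy -Name 'Printers' -ScopeId $ScopeId -Condition OR -MacAddress EQ,'001BA9*'
Add-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name 'Printers' -StartRange 172.16.0.180 -EndRange 172.16.0.189
Set-DhcpServerv4Policy -ScopeId $ScopeId -Name 'Printers' -LeaseDuration (New-TimeSpan -Days 30)

function Get-EffectiveOptionValue {
    # Walk the levels in reverse order of application (reserved client, policy, scope,
    # server) and return the first value found: the level applied last is the one that
    # takes effect. Class-level (user/vendor class) values are not queried here.
    param([int]$OptionId, [string]$ScopeId, [string]$ReservedIP, [string]$PolicyName)
    $levels = @()
    if ($ReservedIP) { $levels += ,@{ ReservedIP = $ReservedIP } }
    if ($PolicyName) { $levels += ,@{ ScopeId = $ScopeId; PolicyName = $PolicyName } }
    $levels += ,@{ ScopeId = $ScopeId }
    $levels += ,@{}                      # server level
    foreach ($l in $levels) {
        $v = Get-DhcpServerv4OptionValue -OptionId $OptionId @l -ErrorAction SilentlyContinue
        if ($v) { return ($v.Value -join ',') }
    }
}

Get-EffectiveOptionValue -OptionId 3 -ScopeId $ScopeId -ReservedIP 172.16.0.55   # 172.16.0.254
Get-EffectiveOptionValue -OptionId 3 -ScopeId $ScopeId                           # 172.16.0.1
Get-EffectiveOptionValue -OptionId 6 -ScopeId $ScopeId                           # 172.16.0.10, from the server level
```

The helper reproduces the rule in the text rather than asking the server, which is deliberate: when a client reports an unexpected gateway or DNS server, walking the levels yourself shows which one supplied the value, whereas the console only shows each level in isolation.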
Lesson 3
Managing a DHCP Database

The DHCP database stores information about the IP address leases. If there is a problem, it is important that you understand how to back up the database and resolve database issues. This lesson explains how to manage the database and its data.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the DHCP database.
• Explain how to back up and restore a DHCP database.
• Explain how to reconcile a DHCP database.
• Explain how to move a DHCP database.

What Is a DHCP Database?
The DHCP database is a dynamic database containing data that relates to scopes, address leases, and reservations. The database also contains the data file that stores both the DHCP configuration information and the lease data for clients that have leased an IP address from the DHCP server. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

DHCP Service Database Files
The following table describes some of the DHCP service database files.
• Dhcp.mdb: the DHCP server database file.
• Dhcp.tmp: a temporary file that the DHCP database uses as a swap file during database index maintenance operations. Following a system failure, Dhcp.tmp sometimes remains in the Systemroot\System32\Dhcp directory.
• J50.log and J50#####.log: logs of all database transactions. The DHCP database uses this log to recover data when necessary.
• J50.chk: a checkpoint file.

Note: You should not remove or alter any of the DHCP service database files.

The DHCP server database is dynamic. It updates as DHCP clients are assigned, or as they release, their TCP/IP configuration parameters. Because the DHCP database is not a distributed database like the Windows Internet Name Service (WINS) server database, maintaining the DHCP server database is less complex.

By default, the DHCP database and related registry entries are backed up automatically at 60-minute intervals. You can change this default interval by changing the value of BackupInterval in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

You can also back up a DHCP database manually at any time.

Backing Up and Restoring a DHCP Database
You can back up a DHCP database manually, or you can configure it to back up automatically. An automatic backup is called a synchronous backup. A manual backup is called an asynchronous backup.

Automatic (Synchronous) Backup
The default backup path for the DHCP backup is systemroot\System32\Dhcp\Backup. As a best practice, you can modify this path in the server properties to point to another volume.

Manual (Asynchronous) Backup
If you have an immediate need to create a backup, you can run the manual backup option in the DHCP console. This action requires either administrative-level permissions, or that the user account be a member of the DHCP Administrators group.

What Is Backed Up?
When a synchronous or asynchronous backup occurs, the entire DHCP database is saved, including the following:
• All scopes
• Reservations
• Leases
• All options, including server options, scope options, reservation options, and class options
• All registry keys and other configuration settings (for example, audit log settings and folder location settings) that are set in DHCP server properties. These settings are stored in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
To back up this key, open Registry Editor and save the specified key to a text file.

Note: The DNS dynamic update credentials (user name, domain, and password) that the DHCP server uses when registering DHCP client computers in DNS are not backed up with any backup method.

Restoring a Database
If you need to restore the database, use the Restore function in the DHCP server console. You will be prompted for the backup's location. Once you have selected the location, the DHCP service stops, and the database is restored. To restore the database, the user account must either have administrative-level permissions, or be a member of the DHCP Administrators group.

Backup Security
When the DHCP database file is backed up, it should be in a protected location that only the DHCP administrators can access. This ensures that any network information in the backup file remains protected.

Using Netsh
You also can use commands in the Netsh DHCP context to back up the database; this is useful for backing up the database to a remote location using a script file.

The following command is a script that you can use from the Netsh DHCP prompt to back up the DHCP data for all scopes:
export "c:\My Folder\Dhcp Configuration" all

To restore the DHCP database, use the following command:
import "c:\My Folder\Dhcp Configuration" all

Note: The Netsh DHCP context does not exist on server computers without the DHCP server role installed.

Additional Reading: For more information about backing up the DHCP database see: http://go.microsoft.com/fwlink/?LinkId=99889&clcid=0x409.

Reconciling a DHCP Database
Reconciling scopes can fix inconsistencies that can affect client computers.

The DHCP Server service stores scope IP address-lease information in two forms:
• Detailed IP address lease information, which the DHCP database stores
• Summary IP address lease information, which the server's Registry stores

When you are reconciling scopes, the detail and summary entries are compared to find inconsistencies.

To correct and repair these inconsistencies, you must reconcile any scope inconsistencies. After you select and reconcile scope inconsistencies,the DHCP service either restores those IP addresses to the original owner, or creates a temporary reservation for those addresses. These reservations are valid for the lease time that is assigned to the scope. When the lease time expires, the addresses are then recovered for future use.

Moving a DHCP Database
In the event that you must move the DHCP server role to another server, it is also advisable that you move the DHCP database to the same server. This ensures that client leases are retained, and reduces the likelihood of client-configuration issues.

You move the database initially by backing it up on the old DHCP server. Then, shut down the DHCP service on the old DHCP server. Next, copy the DHCP database to the new server, where you can restore it using the normal database restore procedure.
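The backup, Netsh export/import, backup-folder protection, reconcile and move procedures of this lesson, as one scripted sequence. This is an added example and not code from the courseware. It assumes LON-SVR1 is the old server and LON-SVR2 (which appears in the lab's VM list) the new one, that both run Windows Server 2012 with the DhcpServer PowerShell module, that LON-SVR2's address is 172.16.0.22, and that the transfer folder C:\DhcpMove is copied between the two servers by other means. Each function is run on the server named in its comment.

```powershell
# Added example (not from the courseware): scripted backup, export/import, backup
# protection, reconcile and move of a DHCP database with the DhcpServer module.
# Assumed: old server LON-SVR1, new server LON-SVR2 at 172.16.0.22, transfer folder
# C:\DhcpMove copied between them. Run each function on the server named beside it.
Import-Module DhcpServer

function Protect-BackupFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Only SYSTEM, local Administrators and DHCP Administrators can read the backup:
    # it contains every lease, reservation and option on the network.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' `
        'BUILTIN\Administrators:(OI)(CI)F' 'DHCP Administrators:(OI)(CI)R' | Out-Null
}

function Export-OldDhcpServer {          # run on LON-SVR1
    param([string]$Path = 'C:\DhcpMove')
    Protect-BackupFolder -Path $Path
    # Tighten the automatic (synchronous) backup from 60 to 15 minutes. The service
    # reads BackupInterval at start, so it applies after the next restart.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters' `
        -Name BackupInterval -Value 15
    # Manual (asynchronous) backup: database plus the registry settings listed above ...
    Backup-DhcpServer -Path "$Path\Backup"
    # ... and the PowerShell counterpart of   netsh dhcp server export <file> all
    Export-DhcpServer -File "$Path\lon-svr1.xml" -Leases
    # Stop and disable the old server now, so two copies of the database never
    # answer clients at the same time.
    Stop-Service DHCPServer
    Set-Service DHCPServer -StartupType Disabled
}

function Import-NewDhcpServer {          # run on LON-SVR2, as an Enterprise Admin
    param([string]$Path = 'C:\DhcpMove', [string]$ServerIp = '172.16.0.22')
    # Counterpart of   netsh dhcp server import <file> all . -BackupPath receives a
    # backup of whatever this server held before the import.
    Import-DhcpServer -File "$Path\lon-svr1.xml" -BackupPath "$Path\PreImport" -Leases
    # Neither authorization nor the DNS dynamic update credentials travel with any
    # backup method, so both are set again here.
    Add-DhcpServerInDC -DnsName 'lon-svr2.adatum.com' -IPAddress $ServerIp
    Set-DhcpServerDnsCredential -Credential (Get-Credential -Message 'DNS dynamic update account')
    # Reconcile the moved scope: compare the detailed lease records in the database
    # with the summary in the registry, and report (not repair) any mismatch.
    Repair-DhcpServerv4IPRecord -ScopeId 172.16.0.0 -ReportOnly
    Restart-Service DHCPServer
}
```

Run Export-OldDhcpServer first, copy C:\DhcpMove to LON-SVR2, then run Import-NewDhcpServer. Disabling the service on the old server is the step most often skipped; if it is left to start again at the next reboot, both servers hold the same lease table and the address conflicts described in Lesson 4 follow.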
Lesson 4
Securing and Monitoring DHCP

The DHCP protocol has no built-in method for authenticating users. This means that if you do not take precautions, IP leases could be granted to devices and users who are unauthorized.

DHCP is a core service in many organizations' network environments. If the DHCP service is not working properly, or if there is a situation that is causing problems with the DHCP server, it is important that you can identify the problem and determine potential causes to resolve the problem.

This lesson explains how to prevent unauthorized users from obtaining a lease, how to manage rogue DHCP servers, and how to configure DHCP servers so that a specific group can manage them.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how to prevent an unauthorized computer from obtaining a lease.
• Explain how to restrict unauthorized, non–Microsoft DHCP servers from leasing IP addresses.
• Explain how to delegate administration of the DHCP server role.
• Describe DHCP statistics.
• Describe DHCP audit logging.
• Identify common issues that are possible with DHCP.

Preventing an Unauthorized Computer from Obtaining a Lease
DHCP by itself can be difficult to secure—it is designed to work before the necessary information is in place for a client computer to authenticate with a domain controller. This is why you should take precautions to prevent unauthorized computers from obtaining a lease with DHCP.

Basic precautions that you should take to limit unauthorized access include:
• Ensuring that you reduce physical access: If users can access an active network connection to the network, their computers are likely to be able to obtain an IP address. If a network port is not being used, you should disconnect it physically from the switching infrastructure.
• Enabling audit logging on all DHCP servers: This can provide a historical view of activity, in addition to allowing you to trace when an unauthorized user obtained an IP address in the network. Make sure to schedule time at regular intervals to review the audit logs.
• Requiring authenticated Layer 2 connections to the network: Most enterprise hardware switches now support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. This allows for port-level user authentication. Secure wireless standards, such as Wi-Fi Protected Access (WPA) Enterprise and WPA2 Enterprise, also use 802.1X authentication.
• Implementing NAP: NAP allows administrators to validate that a client computer is compliant with system health requirements, such as running all the latest Windows operating system updates or running an up-to-date antivirus client. If users who do not meet security requirements try to access the network, they receive an IP address configuration to access a remediation network where they can receive the necessary updates. The administrator can restrict access to the network by allowing only healthy computers access to the internal local area network (LAN).

Restricting Unauthorized, Non–Microsoft DHCP Servers from Leasing IP Addresses
Many devices and network operating systems have multiple DHCP server implementations. Networks are almost never homogeneous in nature; therefore, it is possible that at some point a DHCP server that does not check for Active Directory–authorized servers will be enabled on the network. In this case, clients might obtain incorrect configuration data.

To eliminate an unauthorized DHCP server, you must first locate it, and then prevent it from communicating on the network by disabling it physically, or by disabling the DHCP service.

If users complain that they do not have connectivity to the network, check the IP address of their DHCP server. Use the ipconfig /all command to check the IP address in the DHCP Server field. If the IP address is not the IP address of an authorized DHCP server, then there is probably a rogue server in the network.

You can use the DHCP Server Locator utility (Dhcploc.exe) to locate the DHCP servers that are active on a subnet.

Delegating DHCP Administration
Ensure that only authorized persons can administer the DHCP server role. You can do this by performing either of the following tasks:
• Limit the membership of the DHCP Administrators group.
• Assign users that require read-only access to DHCP membership of the DHCP Users group.

The DHCP Administrators local group is used to restrict and grant access to administer DHCP servers. Therefore, the DHCP Administrators group is in the built-in groups on domain controllers, or is on local servers.

Permissions Required to Authorize and Administer DHCP
Authorization of a DHCP service is only available to Enterprise administrators. If the need exists for a down-level administrator to authorize the domain, use Active Directory delegation.
• DHCP Administrators. Any user in the DHCP Administrators group can manage the server's DHCP service.
• DHCP Users. Any user in the DHCP Users group can have read-only access to the DHCP console.

What Are DHCP Statistics?
DHCP statistics provide information about DHCP activity and use. You can use this console to determine quickly whether there is a problem with the DHCP service or with the network's DHCP clients. An example in which statistics might be useful is if the administrator notices an excessive amount of negative acknowledgement (NAK) packets, which might indicate that the server is not providing the correct data to clients.

You can configure the refresh rate for the statistics in the General tab of the server's Properties window.

DHCP Server Statistics
DHCP server statistics provide an overview of DHCP server usage. You can use this data to understand quickly the state of the DHCP server. Information such as number of offers, number of requests, total addresses, and total available addresses can help to provide a picture of the server's health.

DHCP Scope Statistics
DHCP scope statistics provide much fewer details—such as total addresses in the scope, how many addresses are in use, and how many addresses are available. If you notice that there are a low number of addresses available in the server statistics, it might be that only one scope is near its depletion point. By using scope statistics, an administrator can quickly determine the status of the particular scope with respect to the addresses available.

What Is DHCP Audit Logging?
The DHCP audit log provides a traceable log of DHCP server activity. You can use this log to track lease requests, grants, and denials. This information allows you to troubleshoot DHCP server performance. The log files are stored in the %systemroot%\system32\dhcp folder by default. You can configure the log file settings in the server's Properties window.

The DHCP audit log files are named based on the weekday that the file was created. For example, if audit logging is enabled on a Monday, the file name is DhcpSrvLog-Mon.log.
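The rogue-server check, the delegation to the DHCP Administrators and DHCP Users groups, and the audit logging recommended earlier in this lesson, scripted. This is an added example and not code from the courseware. It assumes the DhcpServer PowerShell module (RSAT) is present on the host that runs Get-UnauthorizedDhcpServers, and that the AD groups ADATUM\Branch DHCP Admins and ADATUM\Helpdesk exist; both are illustrative names.

```powershell
# Added example (not from the courseware): rogue DHCP server check, delegation and
# audit logging with the DhcpServer module. Assumed: the module is installed where
# Get-UnauthorizedDhcpServers runs; the AD groups named below exist.
Import-Module DhcpServer

function Get-UnauthorizedDhcpServers {
    # The same check as reading the "DHCP Server" field of ipconfig /all, but compared
    # against the servers authorized in AD DS instead of by eye.
    $authorized = Get-DhcpServerInDC | ForEach-Object { "$($_.IPAddress)" }
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled = TRUE AND IPEnabled = TRUE' |
        Where-Object { $_.DHCPServer -and ($authorized -notcontains $_.DHCPServer) } |
        Select-Object Description, DHCPServer, @{ n = 'IPAddress'; e = { $_.IPAddress[0] } }
}
# A non-empty result points at a rogue server on this host's subnet: find it with
# dhcploc.exe, then disconnect it or stop its DHCP service.
Get-UnauthorizedDhcpServers

# Delegation. Server Manager creates the local DHCP Administrators and DHCP Users
# groups when it installs the role; on Server Core create them explicitly. Fill them
# from AD groups rather than individual accounts so membership can be reviewed.
Add-DhcpServerSecurityGroup
net localgroup "DHCP Administrators" "ADATUM\Branch DHCP Admins" /add
net localgroup "DHCP Users" "ADATUM\Helpdesk" /add

# Audit logging on every DHCP server; files roll per weekday (DhcpSrvLog-Mon.log, ...).
Set-DhcpServerAuditLog -Enable $true -Path "$env:SystemRoot\System32\dhcp" -MaxMBFileSize 70

# Group membership and logging settings are read when the service starts.
Restart-Service DHCPServer
```

Get-UnauthorizedDhcpServers only sees the server that answered this host; a rogue that is slower than the authorized server on a given subnet will not appear there, which is why the lesson pairs the ipconfig check with Dhcploc.exe, which listens for every offer on the segment.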
Fields That Make Up a DHCP Audit Log
The following table describes the fields in a DHCP audit log.
• ID: A DHCP server event ID code.
• Date: The date on which this entry was logged on the DHCP server.
• Time: The time at which this entry was logged on the DHCP server.
• Description: A description of the DHCP server event.
• IP Address: The IP address of the DHCP client.
• Host Name: The host name of the DHCP client.
• MAC Address: The MAC address used by the client's network adapter hardware.

Common Event ID Codes
Common event ID codes include:
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/22/99,22:35:10,Started,,,,
56,06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/22/99,22:45:38,Authorized(servicing),,domain1.local,,

Discussion: Common DHCP Issues
The following table describes some common DHCP issues. Enter the possible solutions in the Solution column, and then discuss them with the class.
Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Example: An administrator deletes a lease. However, the client that had the lease is still operating as if the lease is valid. If the DHCP server does not verify the IP address, it might lease the IP address to another machine, causing an address conflict. This can also occur if two DHCP servers have overlapping scopes.
Solution:

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an Automatic Private IP Addressing (APIPA) self-assigned address.
Example: If a client's network card driver is configured incorrectly, it might cause a failure to obtain a DHCP address. Additionally, there might be no DHCP server or relay agent on the client's subnet.
Solution:

Issue: Address obtained from an incorrect scope
Description: The client is obtaining an IP address from the wrong scope, causing it to experience communication problems.
Example: If the client is connected to the wrong network, or the DHCP relay agent is incorrectly configured, this error could occur.
Solution:

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost due to a hardware failure.
Example: A hardware failure can cause the database to become corrupted.
Solution:

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have been depleted. Any new clients requesting an IP address are refused.
Example: If all the IP addresses in a scope are leased, this error occurs.
Solution:
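Reading the audit log fields described above, and spotting two of the issues in the table (address conflicts and pool exhaustion) from the log and from scope statistics. This is an added example and not code from the courseware. The log lines are constructed for the example in the page's format; the first three records are the page's own, and event IDs 10 (Assign), 13 (Conflict), 14 (Scope Full) and 15 (Denied) are the standard Windows DHCP audit log codes, which the page does not list. The parser handles the one property that breaks naive CSV parsing: the Description field is not quoted, so a comma inside it (as in event 56) shifts every later column.

```powershell
# Added example (not from the courseware): parse a DHCP audit log and flag the issues
# from the table above. The sample records are constructed; a real file is read with
# Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-Mon.log".

function ConvertFrom-DhcpAuditLog {
    param([string[]]$Lines)
    $header = $null
    foreach ($line in $Lines) {
        if (-not $header) {
            # Everything above the "ID,Date,Time,..." line is the explanatory preamble.
            if ($line -like 'ID,Date,Time,*') { $header = $line.Split(',') }
            continue
        }
        if ($line -notmatch '^\d{2},') { continue }
        # Records end with a trailing comma (as in the page's sample); drop exactly one
        # so that the field count lines up with the header.
        if ($line.EndsWith(',')) { $line = $line.Substring(0, $line.Length - 1) }
        $f = $line.Split(',')
        if ($f.Count -lt $header.Count) { continue }
        # Description is unquoted, so a comma inside it (event 56) pushes the remaining
        # columns right: fold the surplus fields back into Description.
        $descEnd = 3 + ($f.Count - $header.Count)
        [pscustomobject]@{
            Id          = $f[0]
            Date        = $f[1]
            Time        = $f[2]
            Description = ($f[3..$descEnd] -join ',')
            IPAddress   = $f[$descEnd + 1]
            HostName    = $f[$descEnd + 2]
            MACAddress  = $f[$descEnd + 3]
        }
    }
}

function Get-DhcpAuditSummary {
    param([string[]]$Lines)
    $events = @(ConvertFrom-DhcpAuditLog -Lines $Lines)
    [pscustomobject]@{
        Leases       = @($events | Where-Object { $_.Id -in '10','11' }).Count
        ConflictIPs  = @($events | Where-Object { $_.Id -eq '13' } | Select-Object -ExpandProperty IPAddress)
        ScopeFull    = @($events | Where-Object { $_.Id -eq '14' }).Count
        Denied       = @($events | Where-Object { $_.Id -eq '15' }).Count
        AuthFailures = @($events | Where-Object { $_.Id -eq '56' }).Count
    }
}

function Get-ScopeDepletionWarning {
    # Event 14 says a scope already ran dry; scope statistics say which one is about to.
    param([int]$Threshold = 90)
    Get-DhcpServerv4ScopeStatistics |
        Where-Object { $_.PercentageInUse -ge $Threshold } |
        Select-Object ScopeId, Free, InUse, PercentageInUse
}

# Constructed sample in the page's format; the first three records are the page's own.
$sample = @'
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/22/99,22:35:10,Started,,,,
56,06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/22/99,22:45:38,Authorized(servicing),,domain1.local,,
10,06/22/99,22:46:02,Assign,172.16.0.101,LON-CL1.adatum.com,00155D0A0B0C,
13,06/22/99,22:47:15,Conflict,172.16.0.102,,,
14,06/22/99,22:50:40,Scope Full,,,,
'@ -split "`r?`n"

Get-DhcpAuditSummary -Lines $sample | Format-List
# Leases 1, ConflictIPs {172.16.0.102}, ScopeFull 1, Denied 0, AuthFailures 1
```

Counting on the header's column count rather than on a fixed seven is what makes the same parser work for the longer Windows Server 2012 log format, which appends further columns after MAC Address; only the Description fold-back depends on the surplus, and the surplus is computed per record.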
Lab: Implementing DHCP
Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations as well. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have recently accepted a promotion to the server support team. One of your first assignments is to configure the infrastructure service for a new branch office. As part of this assignment, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and do not use DHCP.
Objectives
After performing this lab, you will be able to:
• Install and configure the DHCP server role.
• Configure the DHCP scope and options.
• Configure a client computer to use DHCP, and then test the configuration.
• Configure a lease as a reservation.
• Install and configure a DHCP relay.
• Test DHCP relay with client.
Lab Setup
Estimated Time: 75 minutes
Logon Information
Virtual Machines 20410A-LON-DC1 20410A-LON-SVR1 20410A-LON-RTR 20410A-LON-CL1 20410A-LON-CL2
User Name Adatum\Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.
6. For the optional Exercise 2, you should repeat steps 2 to 4 for 20410A-LON-RTR, 20410A-LON-SVR2, and 20410A-LON-CL2.
Exercise 1: Implementing DHCP
Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DHCP server that will provide IP addresses and configuration to client computers. Servers are configured with static IP addresses and usually do not use DHCP for obtaining IP addresses.
One of the client computers in the branch office needs to access an accounting application in the head office. The network team uses firewalls based on IP addresses to restrict access to this application. The network team has requested that you assign a static IP address to this client computer. Rather than configuring a static IP address on the client computer manually, you decide to create a reservation in DHCP for the client computer.
The main tasks for this exercise are as follows:
1. Install DHCP server role.
2. Configure the DHCP scope and options.
3. Configure client to use DHCP and then test the configuration.
4. Configure a lease as a reservation.
Task 1: Install DHCP server role
1. Switch to LON-SVR1.
2. Open Server Manager, and install the DHCP Server role.
3. In the Add Roles and Features Wizard, accept all defaults.
Task 2: Configure the DHCP scope and options
1. Switch to LON-SVR1.
2. In Server Manager, open the DHCP console.
3. Authorize the lon-svr1.adatum.com server in AD DS.
4. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
5. Create a new scope with the following properties:
o Name: Branch Office
o IP Address Range: 172.16.0.100–172.16.0.200
o Length: 16
o Subnet Mask: 255.255.0.0
o Exclusions: 172.16.0.190-172.16.0.200
o Configure options Router 172.16.0.1
o For all other settings use default values
6. Activate the scope.
Task 3: Configure client to use DHCP and then test the configuration
1. To configure a client, switch to LON-CL1.
2. Reconfigure the Local Area Connection using the following information:
o Configure Internet Protocol Version 4 (TCP/IPv4)
o Obtain an IP address automatically
o Obtain DNS server address automatically
3. Open a command prompt, and initiate the DHCP process using the ipconfig /renew command.
4. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing in the command prompt: ipconfig /all.
This command returns information such as the IP address, subnet mask, and DHCP Enabled status, which should be Yes. Also check that the DHCP Server field shows 172.16.0.21 (LON-SVR1); an address from the scope handed out by any other server indicates a rogue DHCP server.
Task 4: Configure a lease as a reservation
1. Switch to LON-CL1.
2. In a command prompt, type ipconfig/all to display the physical address of the network adapter.
3. Switch to LON-SVR1.
4. Open the DHCP console.
5. In the DHCP console, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office scope, right-click Reservations, and then click New Reservation.
6. Create a new reservation for LON-CL1 using the physical address of the LON-CL1 network adapter, and the IP address 172.16.0.55.
7. On LON-CL1, use the ipconfig command to renew and then verify the IP address.
Task 5: To prepare for the optional exercise
If you are going to complete the optional lab, revert the following virtual machines: 20410A-LON-CL1 and 20410A-LON-SVR1.
Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and options, and configured a DHCP reservation.
Exercise 2: Implementing a DHCP Relay (Optional Exercise)
Scenario
Your manager has asked you to configure a DHCP relay for another subnet in your branch office. This avoids the need to configure an additional DHCP server on the subnet.
The main tasks for this exercise are as follows:
1. Install DHCP relay.
2. Configure DHCP relay.
3. Test DHCP relay with client.
Task 1: Install DHCP relay
1. Switch to LON-RTR.
2. In Server Manager, open Routing and Remote Access.
3. Use the following steps to add the DHCP Relay agent to the router:
o In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.
o In the Routing protocols list, click DHCP Relay Agent and then click OK.
Task 2: Configure DHCP relay
1. Open Routing and Remote Access.
2. Use the following steps to configure the DHCP Relay agent:
o In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
o In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.
o In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.
o Right-click DHCP Relay Agent and then click Properties.
o In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.
3. Close Routing and Remote Access.
Task 3: Test DHCP relay with client
Note: In order to test how a client receives an IP address from DHCP Relay in another subnet, we need to create another DHCP scope.
1. Switch to LON-SVR1.
2. Open the DHCP console.
3. In DHCP, in the navigation pane, expand lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
4. Create a new scope with the following properties:
o Name: Branch Office 2
o IP Address Range: 10.10.0.100–10.10.0.200
o Length: 16
o Subnet Mask: 255.255.0.0
o Exclusions: 10.10.0.190-10.10.0.200
o Other settings: use the default values
o Configure options: Router 10.10.0.1; use the default values for the other settings
5. Activate the scope.
6. To test the client, switch to LON-CL2.
7. Open the Network and Sharing Center window and configure the Local Area Connection, Internet Protocol Version 4 (TCP/IPv4) properties with the following settings:
o Obtain IP address automatically
o Obtain DNS server address automatically
8. Open the command prompt.
20410A: Installing and Configuring Windows Server® 2012 6-25
9. In the command prompt, type the following command:
ipconfig /renew
10. Verify that the IP address and DNS server settings on LON-CL2 are obtained from the DHCP server scope on LON-SVR1.
Note: The IP address should be in the range 10.10.0.100 to 10.10.0.200, with a /16 prefix length.
Results: After completing these tasks, you will have implemented a DHCP relay agent.
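The same scope, exclusion, router option and reservation can be built from PowerShell on LON-SVR1 with the DhcpServer module instead of the DHCP console. The following is an added example, not part of the course lab; it assumes an elevated session on the DHCP server, that the Branch Office scope containing 172.16.0.55 has scope ID 172.16.0.0, and the client MAC address is a constructed placeholder to be replaced with the value from ipconfig /all.

```powershell
# Added example (not part of the course): Exercise 2 Task 3 and Exercise 1 Task 4
# done with the DhcpServer cmdlets on LON-SVR1. Run in an elevated session.
Import-Module DhcpServer

# Exercise 2, Task 3: the Branch Office 2 scope exactly as the lab specifies.
Add-DhcpServerv4Scope -Name "Branch Office 2" `
    -StartRange 10.10.0.100 -EndRange 10.10.0.200 `
    -SubnetMask 255.255.0.0 -State Active

# Exclude 10.10.0.190-10.10.0.200 so those addresses are never handed out.
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.0.0 `
    -StartRange 10.10.0.190 -EndRange 10.10.0.200

# Scope-level option 003 (Router); this cannot be a server-level option because
# each subnet needs its own default gateway.
Set-DhcpServerv4OptionValue -ScopeId 10.10.0.0 -Router 10.10.0.1

# Exercise 1, Task 4: reservation for LON-CL1 (scope ID 172.16.0.0 is assumed;
# the MAC address is a constructed placeholder, use the one ipconfig /all shows).
Add-DhcpServerv4Reservation -ScopeId 172.16.0.0 -IPAddress 172.16.0.55 `
    -ClientId "00-15-5D-00-00-01" -Name "LON-CL1" `
    -Description "Reserved lease for LON-CL1"

function ConvertTo-IPv4Number {
    # Turn a dotted-quad string into a UInt32 so address ranges compare numerically.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is big-endian; BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-LeaseInRange {
    # $true when the named client's lease in the scope lies within [Start, End].
    # This is the server-side equivalent of step 10 (checking ipconfig on LON-CL2).
    param([string]$ScopeId, [string]$HostName, [string]$Start, [string]$End)
    $lease = Get-DhcpServerv4Lease -ScopeId $ScopeId |
             Where-Object { $_.HostName -like "$HostName*" } |
             Select-Object -First 1
    if (-not $lease) { return $false }
    $ip = ConvertTo-IPv4Number $lease.IPAddress.ToString()
    return ($ip -ge (ConvertTo-IPv4Number $Start)) -and ($ip -le (ConvertTo-IPv4Number $End))
}

# Because of the exclusion, a valid relayed lease must fall in .100-.189, not .100-.200.
Test-LeaseInRange -ScopeId 10.10.0.0 -HostName 'LON-CL2' -Start 10.10.0.100 -End 10.10.0.189
```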
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.
Module Review and Takeaways
Module Review Questions
Question: You have two subnets in your organization and want to use DHCP to allocate addresses to client computers in both subnets. You do not want to deploy two DHCP servers. What factors must you consider?
Question: Your organization has grown, and your IPv4 scope is almost out of addresses. What should you do?
Question: What information do you require to configure a DHCP reservation?
Question: Can you configure option 003 – Router as a Server-level DHCP scope option?
Best Practices
• Spend time designing your IP addressing scheme so that it will accommodate both your current IT infrastructure and any potential future IT infrastructure needs.
• Determine which devices need DHCP reservations, such as network printers, network scanners, or IP-based cameras.
• Secure your network from unauthorized, rogue DHCP servers.
• Configure the DHCP database on highly available disk drive configurations, such as redundant array of independent disks (RAID)-5 or RAID-1, to provide DHCP service availability in case of a single disk failure.
• Back up the DHCP database regularly, and test the restore procedure in an isolated, non-production environment.
• Monitor the system utilization of DHCP servers, and upgrade the DHCP server hardware if needed, in order to provide better service performance.
Tools
Tool / Use for / Where to find it
IPConfig.exe / Managing and troubleshooting client IP settings / Command line
Netsh.exe / Configuring both client- and server-side IP settings, including those for the DHCP server role / Command line
Regedit.exe / Editing and fine-tuning settings, including those for the DHCP server role / Windows interface or command line
Network Monitor / Capturing and analyzing DHCP traffic on a subnet / Download from the Microsoft website
Module 7 Implementing DNS
Contents:
Module Overview 7-1
Lesson 1: Name Resolution for Windows Clients and Servers 7-2
Lesson 2: Installing and Managing a DNS Server 7-10
Lesson 3: Managing DNS Zones 7-16
Lab: Implementing DNS 7-20
Module Review and Takeaways 7-25
Module Overview
Name resolution, one of the most important concepts of every network infrastructure, is the process by which software translates between names that users can read and understand and the numerical IP addresses that are necessary for TCP/IP communications. Client computers use the name resolution process when locating hosts on the Internet, and when locating other hosts and services in an internal network. Domain Name System (DNS) is one of the most common technologies for name resolution. Active Directory® Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some basic name resolution concepts as well as installing and configuring the DNS service and its components.
Objectives
After completing this module, you will be able to:
• Describe name resolution for Windows® operating system clients and Windows Server® servers
• Install and manage DNS service
• Manage DNS zones
Lesson 1 Name Resolution for Windows Clients and Servers
You can configure a computer to communicate over a network by using a name in place of an IP address. The computer uses name resolution to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names, the methods used to resolve them, and how to troubleshoot problems with name resolution.
Lesson Objectives
After completing this lesson you will be able to:
• Describe computer names.
• Describe DNS.
• Describe DNS zones and records.
• Describe how Internet DNS names are resolved.
• Describe Link Local Multicast Name Resolution.
• Describe how a client resolves a name.
• Troubleshoot name resolution.
What Are Computer Names?
The TCP/IP set of protocols identifies source and destination computers by their IP addresses. However, computer users are much better at using and remembering names than numbers. Because of this, administrators usually assign names to computers. Administrators then link these names to computer IP addresses in a name resolution system such as DNS. These names are in either host name format (which is recognized by DNS) or NetBIOS name format (which is recognized by Windows Internet Name Service (WINS)).
Name Type
The type of name (host name or NetBIOS name) that an application uses is determined by the application developer. If the application developer designs an application to request network services through Windows sockets, then host names are used. If, on the other hand, the application developer designs an application to request services through NetBIOS, a NetBIOS name is used. Most current applications, including Internet applications, use Windows sockets, and thus use host names, to access network services. NetBIOS is used by many earlier Windows operating system applications.
Earlier versions of Microsoft® Windows®, such as Microsoft Windows 98 and Windows Millennium Edition, require NetBIOS to support networking capabilities such as file sharing. However, since Microsoft Windows 2000, all operating systems support NetBIOS for backward compatibility with earlier versions of Windows, but do not require NetBIOS themselves.
Note: You can use Windows sockets applications to specify the destination host either by IP address or by host name. NetBIOS applications require the use of a NetBIOS name.
Host Names
A host name is a user-friendly name that is associated with a computer's IP address to identify it as a TCP/IP host. The host name can be up to 255 characters long, and can contain alphabetic and numeric characters, periods, and hyphens.
You can use host names in various forms. The two most common forms are as an alias, and as a fully qualified domain name (FQDN). An alias is a single name associated with an IP address, such as payroll. You can combine an alias with a domain name to create an FQDN. An FQDN is structured for use on the Internet, and includes periods as separators. An example of an FQDN is payroll.contoso.com.
NetBIOS Names
A NetBIOS name is a 16-character name that identifies a NetBIOS resource on the network. A NetBIOS name can represent a single computer or a group of computers. The first 15 characters are used for the name; the final character identifies the resource or service that is being referred to on the computer. The 15-character name may include the computer name, the domain name, and the name of the user who is logged on. The sixteenth character is a 1-byte hexadecimal identifier.
The NetBIOS namespace is flat, meaning that names can be used only once within a network. You cannot organize NetBIOS names into a hierarchical structure, as you can with FQDNs.
Additional Reading: For more information about NetBIOS name resolution see: http://technet.microsoft.com/en-us/library/cc738412(WS.10).aspx
What Is DNS?
DNS is a service that uses a distributed database to resolve FQDNs and other host names to IP addresses. All Windows server operating systems include a DNS service.
When you use DNS, users on your network can locate network resources by typing in user-friendly names (for example, microsoft.com), which the computer then resolves to an IP address. The benefit is that IPv4 addresses may be difficult to remember (for example, 131.107.0.32), while a domain name typically is easier to remember. In addition, you can use host names that do not change while the underlying IP addresses can be changed.
DNS uses a database of names and IP addresses to provide this service. DNS client software performs queries on and updates to the DNS database. For example, within an organization, a user who is trying to locate a print server can use the DNS name printserver.contoso.com, and the DNS client software will resolve the name to a printer's IP address, such as 172.16.23.55. Even if the printer's IP address changes, the user-friendly name can remain the same.
Originally, one file on the Internet contained a list of all domain names and their corresponding IP addresses. This list quickly became too long to manage and distribute. DNS was developed to solve the problems associated with using a single Internet file. With the adoption of IPv6, DNS becomes even more important, because IPv6 addresses are more complex than IPv4 addresses (for example, 2001:db8:4136:38c:384f:3764:b59c:3d97).
DNS groups information about network resources into a hierarchical structure of domains. The hierarchical structure of domains is an inverted tree structure beginning with a root domain at its apex, and descending into separate branches with common levels of parent domains, and descending hierarchically downward even further into individual child domains. The representation of the entire hierarchical domain structure is known as a DNS namespace.
The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet DNS namespace, a domain name must be registered with a DNS registrar. This ensures that no two organizations attempt to use the same domain name.
If hosts that are located on the Internet do not need to resolve names in your domain, you can host a domain internally, without registering it. However, you must still ensure that the domain name is unique from Internet domain names, or connectivity to Internet resources might be affected. A common way to ensure uniqueness is to create an internal domain in the .local domain. The .local domain is reserved for internal use in much the same way that private IP addresses are reserved for internal use.
In addition to resolving host names to IP addresses, DNS can be used to:
• Locate domain controllers and global catalog servers. This is used when logging on to AD DS.
• Resolve IP addresses to host names. This is useful when a log file contains only the IP address of a host.
• Locate the mail server for email delivery. This is used for the delivery of all Internet email.
DNS Zones and Records
A DNS zone is a specific portion of the DNS namespace that contains DNS records. A DNS zone is hosted on a DNS server that is responsible for responding to queries for records in a specific domain. For example, the DNS server that is responsible for resolving www.contoso.com to an IP address would contain the contoso.com zone.
Zone content can be stored in a file or in the AD DS database. When the DNS server stores the zone in a file, that file is located in a local folder on the server. When the zone is not stored in AD DS, only one copy of the zone can be a writable copy, while all others are read-only.
The most commonly used types of zones in Windows Server DNS are forward lookup zones and reverse lookup zones.
Forward Lookup Zones
Forward lookup zones resolve host names to IP addresses, and host common resource records including host (A), alias (CNAME), service (SRV), mail exchange (MX), start of authority (SOA), and name server (NS) resource records. Although forward lookup zones are capable of hosting a number of different record types, the most common record type is the host (A) record. This record is used when resolving a host name to an IP address.
Reverse Lookup Zones
Reverse lookup zones resolve IP addresses to domain names. A reverse zone functions in the same manner as a forward zone, but the IP address is the part of the query while the host name is the returned information. Reverse lookup zones host SOA, NS, and pointer (PTR) resource records. Reverse zones are not always configured, but you should configure them to reduce warning and error messages.
Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information. For example, if the forward lookup indicates that training.contoso.com is resolved to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.
Many email servers use a reverse lookup as one way of reducing spam. By performing a reverse lookup, email servers try to detect open Simple Mail Transfer Protocol (SMTP) servers (open relays).
Having a reverse zone is important if you have applications that rely on looking up hosts by their IP addresses. Many applications record this information in security or event logs. If you see suspicious activity from a particular IP address, you can look up the host name using the reverse zone information.
Resource Records
The DNS zone file stores resource records. Resource records specify a resource type, and the IP address to locate the resource. The most common resource record is an A resource record. This is a simple record that resolves a host name to an IP address. The host can be a workstation, server, or another network device, such as a router.
Resource records also help find resources for a particular domain. For instance, when a Microsoft Exchange server needs to find the server that is responsible for delivering mail for another domain, it requests the mail exchanger (MX) resource record for that domain. This record points to the "A" record of the host that is running the SMTP mail service.
Resource records also can contain custom attributes. MX records, for instance, have a preference attribute, which is useful if an organization has multiple mail servers. The MX record tells the sending server which mail server the receiving organization prefers. SRV records also contain information regarding on which port the service is listening, and the protocol that you should use to communicate with the service.
How Internet DNS Names Are Resolved
When resolving DNS names on the Internet, an entire system of computers is used rather than just a single server. There are hundreds of servers on the Internet, called root servers, which manage the overall practice of DNS resolution. These servers are represented by 13 FQDNs; a list of these 13 servers is preloaded on each DNS server. When you register a domain name on the Internet, you are paying to become part of this system.
To see how these servers work together to resolve a DNS name, let us look at the name resolution process for the name www.microsoft.com:
1. A workstation queries the local DNS server for the IP address of www.microsoft.com.
2. If the local DNS server does not have the information, then it queries a root DNS server for the location of the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.
4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.
5. The IP address of www.microsoft.com is returned to the workstation.
The name resolution process can be modified by caching or forwarding:
• Caching. After a local DNS server resolves a DNS name, it caches the results for approximately 24 hours. Subsequent resolution requests for the DNS name are given the cached information.
• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead of querying root servers. For example, requests for all Internet names can be forwarded to a DNS server at an Internet service provider (ISP).
What Is Link-Local Multicast Name Resolution?
In Windows Server 2012, a new method for resolving names to IP addresses is Link-local Multicast Name Resolution (LLMNR). Because of various limitations (which are beyond the scope of this lesson) it is usually used only on localized networks. Although LLMNR is able to resolve IPv4 addresses, it has been designed specifically for IPv6; so if you want to use it, you must have IPv6 supported and enabled on your hosts.
LLMNR is commonly used in networks where:
• There are no DNS or NetBIOS services for name resolution.
• Implementation of these services is not practical for any reason.
• These services are not available.
For example, you might want to set up a temporary network for testing purposes without server infrastructure.
LLMNR is supported on Windows Vista®, Windows Server 2008 and all newer Windows operating systems. It uses a simple system of request and reply messages to resolve computer names to IPv6 or IPv4 addresses.
To use LLMNR, you need to turn on the Network Discovery feature for all nodes on the local subnet. This feature is available in the Network and Sharing Center. Be aware that Network Discovery is usually disabled for any network that you designate as Public.
If you want to control the use of LLMNR on your network, you can configure it via Group Policy. To disable LLMNR via a Group Policy, set the following Group Policy value:
Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. Set this value to Enabled if you do not want to use LLMNR or to Disabled if you want to use LLMNR.
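The Group Policy setting above can also be applied and audited directly from PowerShell on a host that is not receiving the policy from a domain. This is an added example, not part of the course; it assumes that the "Turn off Multicast Name Resolution" setting is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient as the DWORD value EnableMulticast (0 when the policy is Enabled, that is, LLMNR off), and that the session is elevated.

```powershell
# Added example (not from the course): set and verify the LLMNR policy state
# through the registry value that the Group Policy setting writes (assumed path).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Set-LlmnrState {
    # $Enabled $false  -> policy "Enabled"  (Turn off Multicast Name Resolution), value 0
    # $Enabled $true   -> policy "Disabled" (keep using LLMNR),                  value 1
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name EnableMulticast -Value $value -Type DWord
}

function Get-LlmnrState {
    # Returns 'Enabled', 'Disabled', or 'NotConfigured'. With no policy value present,
    # Windows falls back to its default, which is LLMNR on.
    $prop = Get-ItemProperty -Path $PolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# On a production subnet that already has DNS, the lesson's guidance is that LLMNR
# is not needed; turn it off and confirm the resulting state.
Set-LlmnrState -Enabled $false
Get-LlmnrState    # Disabled
```

On a domain member the same value arrives through the GPO at the next policy refresh (gpupdate /force), so Get-LlmnrState can be used to audit whether the policy actually applied.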
How a Client Resolves a Name
Windows operating systems support a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process. DNS is the Microsoft standard for resolving host names to IP addresses and is described in detail in the second topic of this lesson, What Is DNS.
WINS
WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility.
You can resolve NetBIOS names by using:
• Broadcast messages. Broadcast messages, however, do not work well on large networks because routers do not propagate broadcasts.
• Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high maintenance solution, because you must maintain the file manually on all computers.
Note: The DNS server role in Windows Server 2008 R2 and Windows Server 2012 also provides a new zone type, the GlobalNames zone, which you can use to contain single-label names that are unique across an entire forest. This eliminates the need to use the NetBIOS-based WINS to provide support for single-label names.
Host Name Resolution Process
When an application specifies a host name and uses Windows sockets, TCP/IP uses the DNS resolver cache and DNS when attempting to resolve the host name. The hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving host names.
Windows operating systems resolve host names by:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache. In the DNS client resolver cache, entries from the hosts file are pre-loaded.
3. Sending a DNS request to its configured DNS servers.
4. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
5. Contacting the host's configured WINS servers.
6. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly attached.
7. Searching the Lmhosts file.
Note: You can control the order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted. Alternatively, you can modify the NetBIOS node type, which changes the order in which the NetBIOS name resolution methods are attempted.
Troubleshooting Name Resolution
Like most other technologies, name resolution sometimes requires troubleshooting. Issues can occur when the DNS server, and its zones and resource records, are not configured properly. When resource records are causing issues, it can sometimes be more difficult to identify the issue because configuration problems are not always obvious.
Tools and Commands
The command-line tools and commands that you use to troubleshoot these and other configuration issues are as follows:
• Nslookup: Use this tool to query DNS information. The tool is flexible and can provide a lot of valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution.
• Dnscmd: Use this command-line tool to manage the DNS server role. This tool is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network.
• Dnslint: Use this tool to diagnose common DNS issues. This tool diagnoses configuration issues in DNS quickly, and can generate a report in HTML format regarding the status of the domain that you are testing.
• IPconfig: Use this command to view and modify IP configuration details that the computer uses. This tool includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client local DNS cache using the command ipconfig/displaydns, and you can clear the local cache using ipconfig/flushdns. If you want to re-register a host in DNS, you use ipconfig/registerdns.
• Monitoring on DNS server: To test if the server can communicate with upstream servers you can perform simple local queries and recursive queries from the DNS server Monitoring tab. You also can schedule these tests for regular intervals. The DNS server Monitoring tab is available only in Windows Server 2008 and Windows Server 2012 in the DNS Server Name Properties window.
Troubleshooting Process
When you troubleshoot name resolution, you must understand what name resolution methods the computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between resolution attempts. If you cannot connect to a remote host and suspect a name resolution problem, troubleshoot the name resolution as follows:
1. Open an elevated command prompt, and then clear the DNS resolver cache by typing IPConfig /flushdns.
2. Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem is related to name resolution.
3. Attempt to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period. For example, if you are working at Contoso, Ltd, you would enter the following command at the command prompt: Ping LON-dc1.contoso.com.
4. If the ping is successful, then the problem is most likely not related to name resolution. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry to the end of the file. In the previous Contoso, Ltd example, you would add the following line and save the file:
10.10.0.10 LON-dc1.contoso.com
5. Perform the Ping-by-host-name test once more. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache. To display the DNS resolver cache, at a command prompt type IPConfig /displaydns.
6. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
7. At the command prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution:
Nslookup.exe -d2 LON-dc1.contoso.com. > filename.txt
Note: You also should know how to interpret the DNS resolver cache output so that you can identify whether the name resolution problem lies with the client computer's configuration, the name server, or the configuration of records within the name server zone database. Unfortunately, interpreting the DNS resolver cache output is beyond the scope of this lesson.
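The ping-by-IP, ping-by-FQDN and resolver-cache checks of the procedure above, together with the reverse-lookup confirmation described under Reverse Lookup Zones, can be run as one script. This is an added example, not from the course; it uses the Windows 8 / Windows Server 2012 DnsClient cmdlets (Clear-DnsClientCache, Resolve-DnsName, Get-DnsClientCache) in place of ipconfig and nslookup, assumes an elevated session, and uses the lab's Contoso values (LON-dc1.contoso.com and 10.10.0.10) as its sample input.

```powershell
# Added example (not from the course): the name resolution troubleshooting steps
# as a PowerShell function that reports where in the chain resolution breaks.
function Test-NameResolution {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. 'LON-dc1.contoso.com'
        [Parameter(Mandatory)][string]$IPAddress    # the address the name should resolve to
    )
    $result = [ordered]@{ Fqdn = $Fqdn; Expected = $IPAddress }

    # Step 1: clear the resolver cache so a stale or hosts-file entry cannot mask the fault.
    Clear-DnsClientCache

    # Step 2: reach the host by IP. If this fails, the problem is not name resolution.
    $result.PingByIP = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet

    # Step 3: resolve the FQDN with a trailing period so the DNS suffix search list
    # is not appended (the same reason the procedure pings "LON-dc1.contoso.com.").
    $answer = Resolve-DnsName -Name "$Fqdn." -Type A -ErrorAction SilentlyContinue
    $result.Resolved = @($answer | Where-Object Type -eq 'A' | ForEach-Object { $_.IPAddress })
    $result.ResolvedMatches = $result.Resolved -contains $IPAddress

    # Step 5: what the resolver cache now holds for the name (ipconfig /displaydns).
    $result.CacheEntry = Get-DnsClientCache -Name $Fqdn -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty Data -First 1

    # Reverse lookup: Resolve-DnsName turns the IP into an in-addr.arpa PTR query.
    # A forward record whose PTR disagrees is the kind of mismatch log-based tools trip over.
    $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -ErrorAction SilentlyContinue
    $result.ReverseName = $ptr | Where-Object Type -eq 'PTR' |
                          Select-Object -ExpandProperty NameHost -First 1
    $result.ForwardConfirmed = [bool]$result.ReverseName -and
        ($result.ReverseName.TrimEnd('.') -ieq $Fqdn.TrimEnd('.'))

    # Verdict, following the logic of step 4 of the procedure.
    $result.Diagnosis =
        if (-not $result.PingByIP)          { 'Host unreachable by IP: not a name resolution problem' }
        elseif (-not $result.ResolvedMatches) { 'Name resolution failure: check DNS server and zone records' }
        elseif (-not $result.ForwardConfirmed) { 'Forward record OK, but PTR record missing or mismatched' }
        else                                  { 'Name resolution OK' }

    return [pscustomobject]$result
}

# Sample run with the lab's values (the host need not exist for the script to be valid).
Test-NameResolution -Fqdn 'LON-dc1.contoso.com' -IPAddress '10.10.0.10'
```

If the result says the name fails but the IP answers, step 4's hosts-file entry and the nslookup -d2 trace remain the next moves; the script only tells you which side of that line you are on.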
Lesson 2 Installing and Managing a DNS Server
To use a DNS service, you must first install it. Installing the DNS service on a DNS server is a simple procedure. To manage your DNS service, it is important that you understand the DNS server components, and their purpose. In this lesson, you will learn about DNS components, and about how to install and manage the DNS Server role.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components of a DNS solution.
• Describe root hints.
• Describe DNS queries.
• Describe forwarding.
• Explain how DNS server caching works.
• Describe how to install the DNS server role.
What Are the Components of a DNS Solution?
The components of a DNS solution include DNS servers, DNS servers on the Internet, and DNS resolvers, or DNS clients.
DNS Server
A DNS server answers recursive and iterative queries. DNS servers also can host one or more zones of a particular domain. Zones contain different resource records. DNS servers also can cache lookups to save time for common queries.
DNS Servers on the Internet
DNS servers on the Internet are accessible publicly. These servers host information about public domains, such as common top level domains (TLDs) (for example .COM, .NET, and .EDU).
DNS Resolver
A DNS resolver generates and sends iterative or recursive queries to the DNS server. A DNS resolver can be any computer that is performing a DNS lookup that requires interaction with the DNS server. DNS servers also can issue DNS requests to other DNS servers.
W
AroInreitsseneanD
Roincasew
WDnoatth
It Rea thin
W
A sepau
seD
AR
Th
•
•
What Are R
s previously dioot hints are a nternet that yoesolve a DNS qs own cache. Tervers in the Decessary informn iterative queNS namespace
oot Servers arenstall the DNS ache.dns file thetup files. You
within a forest.
When a DNS seDo Not Use Re
ot be able to pttempt to sendhis query, the f
is important tecursion on a recursive quer
he responsibilitn more detail.
What Are D
DNS query is ent to a DNS Srovides either uthoritative re
Note: It iservers also canNS queries to
AuthoritativeResponses
he two types o
Authoritatcorrect, becserver is au
Non-authorequested d
Root Hints
iscussed in lesslist of the 13 F
As you learned in Lesson 1, Topic 4, root hints are the FQDNs of the servers at the top of the DNS hierarchy on the Internet, which your DNS server uses if it cannot resolve a query by using a DNS forwarder. The root hints list the highest servers in the DNS hierarchy, and can provide the information that a DNS server needs to perform a query to the next lowest layer of the hierarchy.
Root hints are installed automatically when you install the DNS server role. They are copied from a file that is included with the DNS role. You also can add root hints to a DNS server to support lookups for non-contiguous domains.
When a DNS server communicates with a root hint server, it uses only an iterative query. If you select the Disable Recursion For This Domain option (on the DNS server properties window), the server will not perform queries on the root hints. If you configure the server using a forwarder, it will first perform a recursive query to its forwarding server; then, if the forwarding server does not answer, or responds that the host could not be found, the server will answer the query by using its root hints.
It is important to understand that recursion on a DNS server and recursive queries are not the same thing. Recursion on a DNS server means that the server uses its root hints to try to resolve a DNS query, whereas a recursive query is a query that is made to a DNS server in which the requester asks the server to assume the full responsibility for providing a complete answer to the query. The next topics discuss recursive queries and iterative queries.
What Are DNS Queries?
A query is a name resolution request that is sent to a DNS server. The DNS server then returns an answer that it knows is either an authoritative or a non-authoritative response to the client query. It is important to note that DNS servers can act as both DNS resolvers and servers, because a server that cannot answer a query itself sends queries to other DNS servers.
Authoritative or Non-Authoritative
The two types of responses are:
• Authoritative. An authoritative response is one in which the server returns an answer that it knows is correct, because the request is directed to the authoritative server that manages the domain. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone.
• Non-authoritative. A non-authoritative response is one where a DNS server that contains the domain in its cache answers a query by using forwarders or root hints. Because the information
provided might not be accurate (because only the authoritative DNS server for the given domain can issue that information), it is called a non-authoritative response.
If the DNS server is authoritative for the query’s namespace, the DNS server checks the zone and then does one of the following:
• Returns the requested address.
• Returns an authoritative “No, that name does not exist.”
Note: An authoritative answer can be given only by the server with direct authority for the queried name.
If the local DNS server is non-authoritative for the query’s namespace, then the DNS server does one of the following:
• Checks its cache and returns a cached response.
• Forwards the unresolvable query to a specific server, called a forwarder.
• Uses well-known addresses of multiple root servers to find an authoritative DNS server to resolve the query. This process uses root hints.
Recursive Queries
In a recursive query the requester asks the DNS server to provide a fully resolved name before returning the answer. The DNS server may have to perform several queries to other DNS servers before it finds the answer.
A recursive query has two possible results:
• The DNS server returns the IP address of the host requested.
• The DNS server cannot resolve an IP address.
For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so, the DNS server in question will not attempt to forward its DNS requests to another server. This is useful when you do not want a particular DNS server to communicate outside its local network.
Iterative Queries
Iterative queries access domain name information that resides across the DNS system; by using them, you can resolve names across many servers quickly and efficiently. When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer with either the IP address for the domain name (if known), or with a referral to the DNS servers that are responsible for the domain being queried.
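The recursion and iterative-query behaviour described in the last three topics can be observed and changed from PowerShell. The script below is an added example, not part of the course; it uses the DnsServer module that ships with the DNS Server role on Windows Server 2012 and the course lab names (www.nwtraders.msft, lon-dc1.adatum.com), and assumes it is run in an elevated session on the DNS server itself.

```powershell
# Added example (not from the course): inspect root hints and recursion on
# a Windows Server 2012 DNS server, show the difference between a
# recursive and an iterative (non-recursive) client query, then disable
# recursion on a server that should answer only for its own zones.
Import-Module DnsServer

# Root hints the server falls back on for iterative queries to the root:
# NS records plus their addresses, as loaded from the file shipped with
# the role.
Get-DnsServerRootHint | Format-List NameServer, IPAddress

# Recursion setting; Enable = True is the default on a new server.
Get-DnsServerRecursion | Format-List Enable, Timeout, RetryInterval

# Recursive query: the client sets the RD (recursion desired) bit and the
# server does all the work. Succeeds only if this server can reach a
# forwarder or the root servers.
Resolve-DnsName -Name 'www.nwtraders.msft' -Server 127.0.0.1 -DnsOnly `
    -ErrorAction SilentlyContinue

# Iterative query: -NoRecursion clears the RD bit, so the server answers
# only from its own zones or cache, or returns a referral (NS records in
# the Authority section) instead of chasing the name itself.
Resolve-DnsName -Name 'www.nwtraders.msft' -Server 127.0.0.1 -NoRecursion `
    -DnsOnly -ErrorAction SilentlyContinue

# Turn recursion off on a server that should answer only for its own
# zones (an authoritative-only server, not one that clients use as their
# resolver). It then uses neither forwarders nor root hints, so hosts
# that can reach it cannot use it to resolve arbitrary Internet names.
Set-DnsServerRecursion -Enable $false

# Names in locally hosted zones still resolve; everything else now fails.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name 'www.nwtraders.msft' -Server 127.0.0.1 -DnsOnly `
    -ErrorAction SilentlyContinue
```

Compare the Authority sections of the two www.nwtraders.msft queries: with recursion the server returns an answer it obtained on your behalf; with -NoRecursion it can only tell you who to ask next.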
What Is Forwarding?
A forwarder is a network DNS server that forwards DNS queries for external names to DNS servers outside of that network. You also can create and use conditional forwarders to forward queries according to specific domain names.
Once you designate a network DNS server as a forwarder, the other DNS servers in the network forward to it the queries that they cannot resolve locally. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet. This improves the efficiency of name resolution for your network's computers.
The forwarder must be able to communicate with the DNS servers that are located on the Internet. This means either you configure it to forward requests to another DNS server, or configure it to use root hints.
Best Practice: Use a central forwarding DNS server for Internet name resolution. This can improve security because you can isolate the forwarding DNS server in a perimeter network, which ensures that no server within the network is communicating directly to the Internet.
Conditional Forwarder
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.
Conditional Forwarding in Windows Server 2008 R2 and 2012
In Windows Server 2008 R2 and Windows Server 2012, the conditional forwarder configuration has been moved to a node in the DNS console. You can replicate this information to other DNS servers through Active Directory integration.
Best Practice: Use conditional forwarders if you have multiple internal namespaces. This provides for faster name resolution.
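The forwarder and conditional-forwarder configuration described above, done with the DnsServer module instead of the DNS console. This is an added example and not course material; 172.16.0.10 is the course's LON-DC1 address, while corp.contoso.com and 10.10.0.5 are constructed placeholders standing in for a partner namespace and its DNS server.

```powershell
# Added example (not from the course): configure a forwarder and a
# conditional forwarder on a Windows Server 2012 DNS server and verify
# which path each query takes. Run in an elevated session on the server.
Import-Module DnsServer

# 1. Send every query this server cannot answer locally to the central
#    forwarder, and do NOT fall back to root hints. With UseRootHint off,
#    this server never contacts the Internet itself; only the forwarder
#    (which can sit in a perimeter network) does, which is the best
#    practice above.
Set-DnsServerForwarder -IPAddress 172.16.0.10 -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. Conditional forwarder: names under corp.contoso.com go to that
#    namespace's own DNS server instead of the general forwarder.
#    ReplicationScope Forest stores the configuration in AD DS, so every
#    domain controller running DNS in the forest receives it (the
#    Windows Server 2008 R2 and later behaviour described above).
Add-DnsServerConditionalForwarderZone -Name 'corp.contoso.com' `
    -MasterServers 10.10.0.5 -ReplicationScope 'Forest' -ForwarderTimeout 3

# Conditional forwarders are listed as zones of type Forwarder.
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Format-Table ZoneName, MasterServers, ReplicationScope

# 3. Check the path a query takes: a name in the conditional namespace is
#    resolved through 10.10.0.5, any other external name through
#    172.16.0.10. Neither query leaves this server for the Internet.
Resolve-DnsName -Name 'host1.corp.contoso.com' -Server 127.0.0.1 -DnsOnly `
    -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'www.nwtraders.msft' -Server 127.0.0.1 -DnsOnly `
    -ErrorAction SilentlyContinue

# 4. Remove the conditional forwarder when the partner namespace is retired.
# Remove-DnsServerZone -Name 'corp.contoso.com' -Force
```

The -UseRootHint $false setting is what makes the central forwarder the only path out of the network; leave it at its default of $true and the server will quietly query the root servers itself whenever the forwarder is unreachable.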
How DNS Server Caching Works
DNS caching increases the performance of the organization's DNS system by decreasing the time it takes to provide DNS lookups.
When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for most of the domains that the organization uses or accesses. The default time to keep a name in the cache is one hour. The zone owner can change this by modifying the SOA record for the appropriate DNS zone.
A caching-only server is the ideal type of DNS server to use as a forwarder. It will not host any DNS zone data; it only answers lookup requests for DNS clients.
In Windows Server 2012, you can access the content of the DNS server cache by selecting the Advanced view in the DNS Manager console. When you enable this view, cached content displays as a node in DNS Manager. You can also delete single entries (or the entire cache) from the DNS server cache.
The DNS client cache is a DNS cache that the DNS client service stores on the local computer. To view the client-side cache, at a command-line prompt run the ipconfig /displaydns command. This will display the local DNS client cache. If you need to clear the local cache, you can use ipconfig /flushdns.
You can prevent DNS client caches from being overwritten with the DNS Cache Locking feature, which is available in Windows Server 2008 R2 and Windows Server 2012. When enabled, the cached records will not be overwritten for the duration of the time to live (TTL) value. Cache locking provides improved security against cache poisoning attacks.
How to Install the DNS Server Role
The DNS server role is not installed on Windows Server 2012 by default. Instead, you must add it in a role-based manner when you configure the server to perform the role. You install the DNS server role by using the Add Roles and Features Wizard in Server Manager.
You can also add the DNS server role from the Domain Controller Options page of the Active Directory Domain Services Installation Wizard, during which you promote your server to a domain controller.
Once you install the DNS server role, the DNS Manager snap-in becomes available to add to your administrative consoles, and the DNS Manager console is added automatically to the Server Manager console. You can run DNS Manager from the Run window by typing dnsmgmt.msc.
When you install the DNS server role, the dnscmd.exe command-line tool is also added. You can use the DNSCmd tool to script and automate DNS configuration. For help with this tool, at the command prompt, type: dnscmd.exe /?
To administer a remote DNS server, add the Remote Server Administrative tools to your administrative workstation, which must be running a Windows Vista SP1 or newer Windows operating system.
Demonstration: Installing the DNS Server Role
In many scenarios you will want to have more than one DNS server on your network. You can install additional DNS servers by using the Server Manager console. If you want to enable your DNS server to resolve Internet names, you will probably want to enable forwarding.
Demonstration Steps
Install a second DNS server
1. On LON-SVR1, open Server Manager.
2. Start the Add Roles and Features Wizard.
3. Add the DNS Server role.
Configure Forwarding
• Configure the DNS Server with a forwarder on IP address 172.16.0.10.
Lesson 3: Managing DNS Zones
DNS service is a key service for AD DS. Servers and clients alike use DNS to locate domain controllers and other services within the network. You usually install a DNS server with a domain controller during domain controller promotion. The DNS server can then host zone data in an Active Directory database. In this lesson, you will learn about Active Directory–integrated DNS zones.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe DNS zone types.
• Describe dynamic updates.
• Describe Active Directory-integrated zones.
• Describe how to create an Active Directory-integrated zone.
What Are DNS Zone Types?
The four DNS zone types are:
• Primary
• Secondary
• Stub
• Active Directory–integrated
Primary zone
When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data either in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file by default is named zone_name.dns, and is located on the server in the %windir%\System32\Dns folder. When the zone is not stored in AD DS, this is the only DNS server that has a writable copy of the database.
Secondary zone
When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, the secondary zone cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from non-Windows DNS zones.
Stub zone
A stub zone is a replicated copy of a zone that contains only those resource records that are necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of the following:
• The delegated zone's SOA resource record, NS resource records, and A resource records.
• The IP address of one or more master servers that you can use to update the stub zone.
The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone. Usually this is the DNS server that is hosting the primary zone for the delegated domain name.
Active Directory–integrated zone
If AD DS stores the zone, then DNS can use the multimaster replication model to replicate the primary zone. This enables you to edit zone data on more than one DNS server simultaneously.
What Are Dynamic Updates?
A dynamic update is an update to DNS in real time. Dynamic updates are important for DNS clients that change locations: they can dynamically register and update their resource records without manual intervention.
The Dynamic Host Configuration Protocol (DHCP) client service performs the registration, regardless of whether the client's IP address is obtained from a DHCP server or is fixed. The registration occurs during the following events:
• When the client starts and the DHCP client service is started.
• When an IP address is configured, added, or changed on any network connection.
• When an administrator runs the command-line command ipconfig /registerdns.
The process of dynamic updates is as follows:
1. The client identifies a name server and sends an update. If the name server hosts only a secondary zone, then the name server refuses the client's update. If the zone is not an Active Directory–integrated zone, the client may have to do this several times.
2. Eventually, if the zone supports dynamic updates, the client reaches a DNS server that can write to the zone. This is the primary server for a standard, file-based zone, or any domain controller that is a name server for an Active Directory–integrated zone.
3. If the zone is configured for secure dynamic updates, the DNS server refuses the change. The client then authenticates and re-sends the update.
In some configurations, you may not want clients to update their records even in a dynamic update zone. In this case you can configure the DHCP server to register the records on the clients' behalf. By default, a client registers its A (host/address) record, and the DHCP server registers the PTR (pointer/reverse lookup) record.
By default, Windows operating systems attempt to register their records with their DNS server. You can modify this behavior in the client IP configuration, or through Group Policy.
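One zone of each of the four types, created from PowerShell so that the differences described in this lesson (where the data lives, who holds a writable copy, what a stub zone contains) show up in the server's own output. This is an added example, not course material; the zone names ending in .test and the master-server address 10.10.0.5 are constructed placeholders, and only the AD DS-stored zone requires the server to be a domain controller.

```powershell
# Added example (not from the course): create a file-based primary, an
# AD DS-stored primary, a secondary and a stub zone on a Windows Server
# 2012 DNS server, then compare how Get-DnsServerZone describes them.
Import-Module DnsServer

# Primary zone stored in a file: %windir%\System32\Dns\example.test.dns.
# This server holds the only writable copy of the zone.
Add-DnsServerPrimaryZone -Name 'example.test' -ZoneFile 'example.test.dns' `
    -DynamicUpdate None

# Primary zone stored in AD DS and replicated to every domain controller
# running DNS in the domain; dynamic updates only from authenticated
# computers (step 3 of the dynamic update process).
Add-DnsServerPrimaryZone -Name 'corp.example.test' -ReplicationScope 'Domain' `
    -DynamicUpdate Secure

# Secondary zone: a read-only copy pulled by zone transfer from the master
# at 10.10.0.5 (which must allow transfers to this server). A secondary
# zone cannot live in AD DS, so a zone file is mandatory.
Add-DnsServerSecondaryZone -Name 'partner.test' -ZoneFile 'partner.test.dns' `
    -MasterServers 10.10.0.5

# Stub zone: keeps only the SOA, NS and glue A records of partner2.test,
# enough for this server to find the servers authoritative for it.
Add-DnsServerStubZone -Name 'partner2.test' -MasterServers 10.10.0.5 `
    -ReplicationScope 'Forest'

# ZoneType distinguishes Primary / Secondary / Stub; IsDsIntegrated tells
# you whether the data lives in AD DS (no ZoneFile) or in a zone file.
Get-DnsServerZone |
    Where-Object { $_.ZoneName -like '*.test' } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile, MasterServers

# The stub zone's content is just the records listed in the topic above.
Get-DnsServerResourceRecord -ZoneName 'partner2.test' |
    Format-Table HostName, RecordType, RecordData
```

The secondary and stub zones stay empty until the server at 10.10.0.5 answers a transfer request for them, so run the last two commands again after a minute if the table shows no records.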
What Are Active Directory-Integrated Zones?
In Lesson 1, you learned that a DNS server can store zone data in the AD DS database, provided that the DNS server is an AD DS domain controller. When this happens, this creates an Active Directory–integrated zone.
The benefits of an Active Directory–integrated zone are significant:
• Multimaster updates. Unlike standard primary zones, which can only be modified by a single primary server, Active Directory–integrated zones can be written to by any writable DC to which the zone is replicated. This builds redundancy into the DNS infrastructure. In addition, multimaster updates are particularly important in geographically distributed organizations that use dynamic update zones, because clients can update their DNS records without having to connect to a potentially geographically distant primary server.
• Replication of DNS zone data by using AD DS replication. One of the characteristics of Active Directory replication is attribute-level replication, in which only changed attributes are replicated. An Active Directory–integrated zone can leverage these benefits of Active Directory replication, rather than replicating the entire zone file as in traditional DNS zone transfer models.
• Secure dynamic updates. An Active Directory–integrated zone can enforce secure dynamic updates.
• Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows you to delegate administration of zones, domains, and resource records by modifying the access control list (ACL) on the zone.
Question: Can you think of any disadvantages to storing DNS information in AD DS?
Demonstration: Creating an Active Directory–Integrated Zone
To create an Active Directory–integrated zone, you must install the DNS server on a domain controller. All changes in an Active Directory–integrated zone are replicated to all other DNS servers on domain controllers through the AD DS replication mechanism.
Demonstration Steps
Create an Active Directory–integrated zone
1. On LON-DC1, open the DNS Manager console.
2. Start the New Zone Wizard.
3. Create a new Active Directory–integrated forward lookup zone.
4. Name the zone Contoso.com.
5. Allow only secure dynamic updates.
6. Review records in the new zone.
Create a record in Adatum.com
• Create a New Host record in the Adatum.com zone named www which points to 172.16.0.100.
Verify replication to a second DNS server
• Verify that new record is replicating to the LON-SVR1 DNS server.
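The demonstration above, carried out with the DnsServer module on LON-DC1 and verified from LON-SVR1, with the secure dynamic update setting from the previous topic applied to an existing zone. This is an added example and not the course's own steps; Contoso.com, Adatum.com, www, 172.16.0.100 and the server names are the course's lab values, and the replication wait loop is this example's own addition.

```powershell
# Added example (not from the course): create the Contoso.com AD DS-stored
# zone, add the www record to Adatum.com, wait for it to replicate to the
# second domain controller, and tighten dynamic updates on Adatum.com.
# Run in an elevated session on LON-DC1.
Import-Module DnsServer

# Steps 2-5: new forward lookup zone stored in AD DS, replicated to all
# domain controllers running DNS in the domain, accepting only secure
# dynamic updates (unauthenticated clients are refused; see step 3 of the
# dynamic update process).
Add-DnsServerPrimaryZone -Name 'Contoso.com' -ReplicationScope 'Domain' `
    -DynamicUpdate Secure

# Step 6: a new zone starts with only its SOA and NS records.
Get-DnsServerResourceRecord -ZoneName 'Contoso.com' |
    Format-Table HostName, RecordType, RecordData

# Create the www host record in Adatum.com.
Add-DnsServerResourceRecordA -ZoneName 'Adatum.com' -Name 'www' `
    -IPv4Address 172.16.0.100

# Verify replication: ask the other domain controller for the record.
# AD DS replication is not instant, so poll for a while before giving up.
function Wait-DnsRecordReplicated {
    # Returns the replicated A record's address, or $null on timeout.
    param([string]$Computer, [string]$Zone, [string]$Name, [int]$Attempts = 12)
    for ($i = 0; $i -lt $Attempts; $i++) {
        $rr = Get-DnsServerResourceRecord -ComputerName $Computer -ZoneName $Zone `
              -Name $Name -RRType A -ErrorAction SilentlyContinue
        if ($rr) {
            return ($rr | Select-Object -First 1).RecordData.IPv4Address.IPAddressToString
        }
        Start-Sleep -Seconds 15
    }
    return $null
}
Wait-DnsRecordReplicated -Computer 'LON-SVR1' -Zone 'Adatum.com' -Name 'www'

# Tightening an existing zone: allow only secure dynamic updates on
# Adatum.com, so that a host must authenticate before it can change a
# record and cannot overwrite another computer's entry.
Set-DnsServerPrimaryZone -Name 'Adatum.com' -DynamicUpdate Secure

# On a client, Register-DnsClient forces the registration that normally
# happens at start-up or on an address change (same as ipconfig
# /registerdns); run it on LON-CL1, not on the server.
# Register-DnsClient
```

If Wait-DnsRecordReplicated returns $null, force replication between LON-DC1 and LON-SVR1 in Active Directory Sites and Services (as the lab later suggests) and call it again.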
Lab: Implementing DNS Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You need to configure the infrastructure service for a new branch office.
Your manager has asked you to configure the domain controller in the branch office as a DNS server. You have also been asked to create some new host records to support a new application that is being installed. Finally, you need to configure forwarding on the DNS server in the branch office to support Internet name resolution.
Objectives
After completing this lab, you will be able to:
• Install and configure DNS.
• Create host records in DNS.
• Manage the DNS server cache.
Lab Setup
Estimated Time: 40 minutes
Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1, 20410A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Exercise 1: Installing and Configuring DNS
Scenario
As part of configuring the infrastructure for the new branch office, you need to configure a DNS server that will provide name resolution for the branch office. The DNS server in the branch office will also be a
domain controller. The Active Directory-integrated zones required to support logons will be replicated automatically to the branch office.
The main tasks for this exercise are as follows:
1. Configure LON-SVR1 as a domain controller without installing the DNS server role.
2. Review configuration settings on the existing DNS server to confirm root hints.
3. Add the DNS server role for the branch office on the domain controller.
4. Verify replication of the Adatum.com Active Directory–integrated zone.
5. Use NSLookup to test non-local resolution.
6. Configure Internet name resolution to forward to the head office.
7. Use NSLookup to confirm name resolution.
Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role
1. Use the Add Roles and Features task in Server Manager to add the Active Directory Domain Services role to LON-SVR1.
2. Start the wizard to promote LON-SVR1 to domain controller.
3. Choose to add LON-SVR1 as an additional domain controller in the Adatum.com domain.
4. Do not install DNS Server.
Task 2: Review configuration settings on the existing DNS server to confirm root hints
1. On LON-DC1, open the DNS Manager console.
2. In DNS Manager, open the Properties window of LON-DC1.
3. Review root hints and forwarder configuration.
Task 3: Add the DNS server role for the branch office on the domain controller
• Use Server Manager to add the DNS Server role to LON-SVR1.
Task 4: Verify replication of the Adatum.com Active Directory–integrated zone
1. On LON-SVR1, open the DNS Manager console.
2. Expand Forward Lookup Zones, and verify that the Adatum.com and _msdcs.Adatum.com zones are replicated.
If you do not see these zones, open Active Directory Sites and Services, and force replication between LON-DC1 and LON-SVR1, and then try again.
Task 5: Use NSLookup to test non-local resolution
1. On LON-SVR1, on the Local Area Connection network adapter, in the preferred DNS server field, remove the IP address 172.16.0.10.
2. Make 127.0.0.1 the preferred DNS server for LON-SVR1.
3. Open a command prompt window on LON-SVR1, and start nslookup.
4. Try to resolve www.nwtraders.msft with nslookup.
5. You will receive a negative reply (this is expected).
Task 6: Configure Internet name resolution to forward to the head office
1. On LON-SVR1, open the DNS Manager console.
2. Configure a forwarder for LON-SVR1 to be 172.16.0.10.
Task 7: Use NSLookup to confirm name resolution
• On LON-SVR1, in a command prompt window, start nslookup and try to resolve www.nwtraders.msft. You should get a reply with an IP address.
Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
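Tasks 3 and 5 to 7 of this exercise (and the earlier demonstration of installing the role and adding a forwarder) as a script run on LON-SVR1. This is an added example, not part of the course; 172.16.0.10 is LON-DC1 and www.nwtraders.msft is the lab test name, while the interface alias 'Ethernet' is an assumption that you should confirm with Get-NetAdapter.

```powershell
# Added example (not from the course): install the DNS Server role, point
# the server at itself, show the expected negative result before a
# forwarder exists, add the forwarder to the head office and test again.
# Run in an elevated session on LON-SVR1.

# Task 3: add the role and its tools (DNS Manager, dnscmd.exe, DnsServer module).
Install-WindowsFeature -Name DNS -IncludeManagementTools
Import-Module DnsServer

# Task 5, steps 1-2: make the local DNS service the preferred server so
# that tests go through it rather than through LON-DC1.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

function Test-NameResolution {
    # Returns the address(es) the local DNS server gives for $Name, or $null
    # when the query fails: the "negative reply" the lab expects before
    # forwarding is configured.
    param([string]$Name)
    try {
        (Resolve-DnsName -Name $Name -Type A -Server 127.0.0.1 -DnsOnly `
            -ErrorAction Stop).IPAddress
    } catch {
        $null
    }
}

# Task 5, steps 3-5: nwtraders.msft is hosted on LON-DC1, and this server
# has no forwarder and no Internet path via root hints, so the query fails.
Test-NameResolution -Name 'www.nwtraders.msft'

# Task 6: forward everything this server cannot answer to the head office.
Add-DnsServerForwarder -IPAddress 172.16.0.10 -PassThru

# Task 7: the same query now succeeds through the forwarder.
Test-NameResolution -Name 'www.nwtraders.msft'
```

The -DnsOnly switch keeps Resolve-DnsName from consulting the hosts file or LLMNR/NetBIOS, so a non-null result really does mean the DNS server answered.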
Exercise 2: Creating Host Records in DNS
Scenario
Several new web-based applications are being implemented in the head office. Each application requires that you configure a host record in DNS. You have been asked to create the new host records for these applications.
The main tasks for this exercise are as follows:
1. Configure a client to use LON-SVR1 as a DNS server.
2. Create several host records in the Adatum.com domain for web apps.
3. Verify replication of new records to LON-SVR1.
4. Use the ping command to locate new records from LON-CL1.
Task 1: Configure a client to use LON-SVR1 as a DNS server
1. Log on to LON-CL1 as Adatum\Administrator using the password Pa$$w0rd.
2. Open Control Panel.
3. Open the Properties window for the Local Area Network Connection adapter.
4. Configure preferred DNS server to be 172.16.0.21.
Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Create a new record named www with IP address 172.16.0.100.
4. Create new record named ftp with IP address 172.16.0.200.
Task 3: Verify replication of new records to LON-SVR1
1. On LON-SVR1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Ensure that records www and ftp display. (You might have to refresh the Adatum.com zone for these records to appear.)
Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Ping www.adatum.com. Ensure that ping resolves this name to 172.16.0.100.
3. Ping ftp.adatum.com. Make sure that ping resolves this name to 172.16.0.200.
Results: After completing this exercise, you will have configured DNS records.
Exercise 3: Managing the DNS Server Cache
Scenario
After you changed some host records in zones configured on LON-DC1, you noticed that clients that use LON-SVR1 as their DNS server still get old IP addresses during the name resolution process. You want to determine which component is caching this data.
The main tasks for this exercise are as follows:
1. Use the ping command to locate Internet record from LON-CL1.
2. Update Internet record to point to the LON-DC1 IP address, retry the location using ping.
3. Examine the content of the DNS cache.
4. Clear the cache, and retry ping.
Task 1: Use the ping command to locate the Internet record from LON-CL1
1. On LON-CL1, open a command prompt window.
2. Use ping to locate www.nwtraders.msft.
3. Ensure that name resolves to an IP address. Document the IP address.
Task 2: Update the Internet record to point to the LON-DC1 IP address, and retry the location using ping
1. On LON-DC1, open the DNS Manager console.
2. Navigate to the nwtraders.msft forward lookup zone.
3. Change the IP address for the record www to be 172.16.0.10.
4. From LON-CL1, ping www.nwtraders.msft.
5. Note that the name still resolves to the old IP address.
Task 3: Examine the content of the DNS cache
1. On LON-SVR1, in the DNS Manager console, enable Advanced View.
2. Browse the content of the Cached Lookups container.
3. On LON-CL1, in a command prompt window, type ipconfig /displaydns.
4. Examine the cached content.
Task 4: Clear the cache, and retry ping
1. Clear the cache on the LON-SVR1 DNS Server.
2. Retry the ping to www.nwtraders.msft on LON-CL1 (The result will still return the old IP address.)
3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns in a command prompt window.
4. On LON-CL1, retry the ping to www.nwtraders.msft. (This time the name should resolve to the new IP address.)
Results: After completing this exercise, you will have examined the DNS Server cache.
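The cache checks from this exercise, done with cmdlets on the server and the client instead of the console and ipconfig, together with the cache-locking setting from the "How DNS Server Caching Works" topic in Lesson 2. This is an added example and not course material; www.nwtraders.msft, LON-SVR1 and LON-CL1 are the lab's own names, and the two halves run on the machines indicated.

```powershell
# Added example (not from the course): inspect and clear the DNS server
# cache on LON-SVR1 and the resolver cache on LON-CL1, and enable cache
# locking so that cached records cannot be replaced before their TTL
# expires.

# --- on the DNS server (LON-SVR1), elevated ---
Import-Module DnsServer

# LockingPercent 100 means a cached record is not overwritten until 100 %
# of its TTL has elapsed (the cache locking control from Lesson 2, which
# blunts cache poisoning). MaxTtl caps how long any answer is kept.
Get-DnsServerCache | Format-List LockingPercent, MaxTtl, MaxNegativeTtl
Set-DnsServerCache -LockingPercent 100

# Same content as the Cached Lookups node in Advanced View (Task 3).
Show-DnsServerCache | Where-Object HostName -like '*nwtraders*' |
    Format-Table HostName, RecordType, TimeToLive, RecordData

# Task 4, step 1: drop everything the server has cached.
Clear-DnsServerCache -Force

# --- on the client (LON-CL1) ---
# Resolver-cache equivalents of ipconfig /displaydns and ipconfig /flushdns.
Get-DnsClientCache | Where-Object Entry -like '*nwtraders*' |
    Format-Table Entry, Data, TimeToLive
Clear-DnsClientCache

# With both caches cleared, the client receives the updated address.
Resolve-DnsName -Name 'www.nwtraders.msft' -Type A -DnsOnly
```

Note the order the exercise forces on you: clearing only the server cache is not enough, because the client keeps its own copy for the record's TTL, so the client cache has to be flushed as well before the new address is seen.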
To prepare for the next module
After you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Module Review and Takeaways
Review Questions
Question: You are troubleshooting DNS name resolution from a client computer. What must you remember to do before each test?
Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider when planning the DNS configuration?
Question: What benefits do you realize by using forwarders?
Best Practices:
When implementing DNS, use the following best practices:
• Always use host names instead of NetBIOS names.
• Use forwarders rather than root hints.
• Be sure to be aware of potential caching issues when troubleshooting name resolution.
• Use Active Directory-integrated zones instead of primary and secondary zones.
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
Client can sometimes cache invalid DNS records.
DNS Server performs slowly.
Tools
Name of tool | Used for | Where to find it
DNS Manager console | Manage DNS server role | Administrative Tools
NSLookup command line tool | Troubleshoot DNS | Command line utility
Ipconfig command line tool | Troubleshoot DNS | Command line utility
Module 8 Implementing IPv6
Contents:
Module Overview 8-1
Lesson 1: Overview of IPv6 8-2
Lesson 2: IPv6 Addressing 8-8
Lesson 3: Coexistence with IPv4 8-13
Lesson 4: IPv6 Transition Technologies 8-17
Lab: Implementing IPv6 8-22
Module Review and Takeaways 8-26
Module Overview
IPv6 is a technology that helps the Internet support a growing user base and an increasingly large number of IP-enabled devices. The current IPv4 has been the underlying Internet protocol for almost thirty years. Its robustness, scalability, and limited feature set are now challenged by the growing need for new IP addresses. This is due in large part to the rapid growth of new network-aware devices.
Objectives
After completing this module, you will be able to:
• Describe the features and benefits of IPv6.
• Describe IPv6 addressing.
• Describe IPv6 coexistence with IPv4.
• Describe IPv6 transition technologies.
Lesson 1: Overview of IPv6
IPv6 has been included with Windows clients and servers starting with Windows Server 2008 and Windows Vista. The use of IPv6 is becoming more common on corporate networks and parts of the Internet.
It is important for you to understand how this technology affects current networks, and how to integrate IPv6 into those networks. This lesson discusses the benefits of IPv6, and how it differs from IPv4.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the benefits of IPv6.
• Describe the differences between IPv4 and IPv6.
• Describe the IPv6 address space.
Benefits of IPv6
IPv6 support is included in Windows Server 2012 and Windows 8. The following list of benefits describes why IPv6 is being implemented.
Larger address space
The IPv6 address space is 128-bit, which is much larger than the 32-bit address space in IPv4. A 32-bit address space has 2^32 or 4,294,967,296 possible addresses; a 128-bit address space has 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4 x 10^38, or 340 undecillion) possible addresses. As the Internet continues to grow, IPv6 provides for the required larger address space.
Hierarchical addressing and routing infrastructure
The IPv6 address space is designed to be more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.
Stateless and stateful address configuration
IPv6 has auto-configure capability without Dynamic Host Configuration Protocol (DHCP), and it can discover router information so that hosts can access the Internet; this is referred to as a stateless address configuration. A stateful address configuration is when you use the DHCPv6 protocol.
Required support for Internet Protocol security (IPsec)
IPv6 standards require support for the Authentication Header (AH) and encapsulating security payload (ESP) headers that are defined by IPsec. Although support for specific IPsec authentication methods and cryptographic algorithms is not specified, IPsec is defined from the start as the way to protect IPv6 packets. This guarantees the availability of IPsec on all IPv6 hosts.
End-to-end communication
One of the design goals for IPv6 is to provide sufficient address space so that you do not have to use translation mechanisms such as network address translation (NAT). This simplifies communication because IPv6 hosts can communicate directly with each other over the Internet. This also simplifies support for applications such as video conferencing and other peer-to-peer applications. However, many organizations may choose to continue using translation mechanisms as a security measure.
Prioritized delivery
An IPv6 packet contains a field that specifies how fast the packet should be processed, so traffic can be assigned a priority. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.
Improved support for single-subnet environments
IPv6 has much better support of automatic configuration and operation on single-subnet networks. You can use the automatic configuration features in IPv6 to create temporary ad-hoc networks through which you can connect and share information.
Extensibility
IPv6 has been designed so that developers can extend it with much fewer constraints than IPv4.
Differences Between IPv4 and IPv6
When the IPv4 address space was designed, it was unimaginable that it could ever be exhausted. However, due to changes in technology and an allocation practice that did not anticipate the explosion of Internet hosts, it was clear by 1992 that a replacement would be necessary.
IPv6 addresses were made 128 bits long so that the address space can be subdivided into hierarchical routing domains that reflect modern-day Internet topology. With 128 bits there are enough bits to create multiple levels of hierarchy, and flexibility for designing hierarchical addressing and routing. These are features that are currently lacking on the IPv4-based Internet.
IPv4 and IPv6 Comparison
The following table highlights the differences between IPv4 and IPv6.
IPv4: Source and destination addresses are 32 bits (4 bytes) long. IPv6: Source and destination addresses are 128 bits (16 bytes) long.
IPv4: IPsec support is optional. Microsoft includes support for IPsec in the Microsoft® Windows 2000 and newer operating systems, but it is not implemented by all vendors. IPv6: IPsec support is required. Any device or operating system implementing IPv6 must support IPsec.
IPv4: The IPv4 header contains no identification of packet flow for Quality of Service (QoS) handling by routers. IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field.
IPv4: Fragmentation is done by both routers and the sending host. IPv6: Fragmentation is not done by routers, only by the sending host.
IPv4: Header includes a checksum. IPv6: Header does not include a checksum.
IPv4: Header includes options. IPv6: All optional data is moved to IPv6 extension headers.
IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address. IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.
IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership. IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.
IPv4: Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway. IPv6: ICMP Router Discovery is replaced with required ICMPv6 Router Solicitation and Router Advertisement messages.
IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet. IPv6: There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.
IPv4: Must be configured either manually or through DHCP. IPv6: Does not require either manual configuration or DHCP.
IPv4: Uses host (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses. IPv6: Uses IPv6 host (AAAA) resource records in DNS to map host names to IPv6 addresses.
IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names. IPv6: Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.
IPv4: Must support a 576-byte packet size (possibly fragmented). IPv6: Must support a 1280-byte packet size (without fragmentation).
IPv6 Equivalents to IPv4
The following table shows IPv6 equivalents to some common IPv4 addresses.
IPv4 Address | IPv6 Address
Unspecified address 0.0.0.0 | Unspecified address is ::
Loopback address is 127.0.0.1 | Loopback address is ::1
Autoconfigured addresses (169.254.0.0/16) | Link-local addresses (FE80::/64)
Broadcast addresses | Not applicable in IPv6
Multicast addresses (224.0.0.0/4) | IPv6 multicast addresses (FF00::/8)

IPv6 Address Space

The most distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents a binary octet. In binary, 192.168.1.1 is as follows:

11000000.10101000.00000001.00000001 (4 octets = 32 bits)

However, an IPv6 address is four times larger than an IPv4 address. Because of this, IPv6 addresses are expressed in hexadecimal (hex):

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts and will rarely type IPv6 addresses manually. The IPv6 address in hex is also easier to convert between binary and hexadecimal than it is to convert between binary and decimal. This simplifies working with subnets, and calculating hosts and networks.

Hexadecimal Numbering System (Base 16)

In the hexadecimal numbering system, some letters represent numbers because there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, there must be six new symbols for the hex system; hence, the letters A through F are used. The hexadecimal number 10 is equal to the decimal number 16.

Note: You can use the Calculator application included with Windows Server 2012 to convert between binary, decimal, and hexadecimal numbers.

To convert an IPv6 binary address that is 128 bits long, you break it into eight blocks of 16 bits. You then convert each of these eight blocks into four hex characters. For each of the blocks, you evaluate four bits at a time. You should number each section of four binary numbers 1, 2, 4, and 8, starting from the right and moving left. That is:

• the first bit [0010] is assigned the value of 1.
• the second bit [0010] is assigned the value of 2.
• the third bit [0010] is assigned the value of 4.
• the fourth bit [0010] is assigned the value of 8.

To calculate the hexadecimal value for this section of four bits, add up the value of each bit that is set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the value 2. The rest are set to zero. Therefore, the hex value of this section of four bits is 2.
Converting From Binary to Hexadecimal
The following table describes converting 8 bits of binary into hexadecimal:
Binary: [0010] [1111]
Values of each binary position: 8421 8421
Adding values where the bit is 1: 0+0+2+0=2 and 8+4+2+1=15, or hexadecimal F
Result: 2F
The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary numbers represent one IP address:
0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is now divided along 16-bit boundaries (eight blocks of 16 bits):
0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010
Each block is further broken into sections of four bits. The following table shows the binary and corresponding hexadecimal values for each section of four bits:
Binary Hexadecimal
[0010][0000][0000][0001] [2][0][0][1]
[0000][1101][1011][1000] [0][D][B][8]
[0000][0000][0000][0000] [0][0][0][0]
[0010][1111][0011][1011] [2][F][3][B]
[0000][0010][1010][1010] [0][2][A][A]
[0000][0000][1111][1111] [0][0][F][F]
[1111][1110][0010][1000] [F][E][2][8]
[1001][1100][0101][1010] [9][C][5][A]
Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing Zeros
When multiple contiguous zero blocks occur, you can compress these and represent them in the address as a double-colon (::); this further simplifies the IPv6 notation. The computer recognizes “::” and substitutes it with the number of zero blocks necessary to make a complete IPv6 address.
In the following example, the address is expressed using zero compression:
2001:DB8::2F3B:2AA:FF:FE28:9C5A
To determine how many 0 bits are represented by the “::”, you can count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located.
You can use zero compression only once in a given address. If you use it twice or more, then there is no way to show how many 0 bits are represented by each instance of the double-colon (::).
To convert an address into binary, use the reverse of the method described previously:
1. Add in zeros using zero compression.
2. Add leading zeros.
3. Convert each hex number into its binary equivalent.
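The binary-to-hex procedure, leading-zero suppression and zero compression described above, together with the reverse procedure just listed, as an added Windows PowerShell example (this is not code from the course; the function names ConvertFrom-IPv6Binary and ConvertTo-IPv6Binary and the -MinimumZeroRun switch are this example's own). The sample input is the course's 128-bit address from the previous page.

```powershell
# Added example (not from the course text): binary -> hex -> compressed IPv6
# notation, and the reverse, as PowerShell functions. Function names are this
# example's own; the sample address is the course's 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.

function ConvertFrom-IPv6Binary {
    param([Parameter(Mandatory)][string]$Binary, [int]$MinimumZeroRun = 1)
    $bits = $Binary -replace '\s', ''           # the course prints a space between halves/blocks
    if ($bits.Length -ne 128 -or $bits -notmatch '^[01]+$') {
        throw "Expected 128 binary digits, got '$Binary'"
    }
    # Step 1: eight 16-bit blocks, each rendered as four hex characters
    $blocks = @(for ($i = 0; $i -lt 128; $i += 16) {
        '{0:X4}' -f [Convert]::ToInt32($bits.Substring($i, 16), 2)
    })
    # Step 2: leading-zero suppression, keeping at least one digit per block
    $short = @(foreach ($b in $blocks) { $t = $b.TrimStart('0'); if ($t) { $t } else { '0' } })
    # Step 3: zero compression, applied once, to the longest run of zero blocks.
    # The course compresses even a single zero block; RFC 5952 asks for a run of
    # at least two, which you get with -MinimumZeroRun 2.
    $bestStart = -1; $bestLen = 0; $i = 0
    while ($i -lt $short.Count) {
        if ($short[$i] -ne '0') { $i++; continue }
        $j = $i
        while ($j -lt $short.Count -and $short[$j] -eq '0') { $j++ }
        if (($j - $i) -gt $bestLen) { $bestLen = $j - $i; $bestStart = $i }
        $i = $j
    }
    $compressed = if ($bestLen -lt $MinimumZeroRun) {
        $short -join ':'
    } else {
        $left  = if ($bestStart -gt 0) { $short[0..($bestStart - 1)] } else { @() }
        $end   = $bestStart + $bestLen
        $right = if ($end -lt $short.Count) { $short[$end..($short.Count - 1)] } else { @() }
        ($left -join ':') + '::' + ($right -join ':')
    }
    [pscustomobject]@{ Full = ($blocks -join ':'); Suppressed = ($short -join ':'); Compressed = $compressed }
}

function ConvertTo-IPv6Binary {
    # Reverse procedure: add in the zeros hidden by '::', restore leading zeros, hex -> binary.
    param([Parameter(Mandatory)][string]$Address)
    if ($Address -notmatch '^[0-9A-Fa-f:]+$') { throw "Not a plain IPv6 address: $Address" }
    $halves = $Address -split '::', 2
    $left  = @(if ($halves[0]) { $halves[0] -split ':' })
    $right = @(if ($halves.Count -eq 2 -and $halves[1]) { $halves[1] -split ':' })
    $missing = 8 - ($left.Count + $right.Count)
    if ($missing -lt 0 -or ($halves.Count -eq 1 -and $missing -ne 0)) {
        throw "Wrong number of 16-bit blocks in $Address"
    }
    $zeros = @(); for ($k = 0; $k -lt $missing; $k++) { $zeros += '0' }     # step 1
    $blocks = @($left) + $zeros + @($right)
    $padded = @($blocks | ForEach-Object { $_.ToUpper().PadLeft(4, '0') })  # step 2
    $binary = @($padded | ForEach-Object {                                  # step 3
        [Convert]::ToString([Convert]::ToInt32($_, 16), 2).PadLeft(16, '0')
    })
    [pscustomobject]@{ Full = ($padded -join ':'); Binary = ($binary -join ' ') }
}

# Round trip on the course's example address (the two 64-bit halves shown in the text)
$sample = '0010000000000001000011011011100000000000000000000010111100111011' +
          '0000001010101010000000001111111111111110001010001001110001011010'
$hex = ConvertFrom-IPv6Binary -Binary $sample
$hex
ConvertTo-IPv6Binary -Address $hex.Compressed
ConvertTo-IPv6Binary -Address '::1'
```

The compression step finds the single longest run of zero blocks and replaces only that run, which is why the course can say the double colon may appear only once: a second occurrence would leave the block count ambiguous, and ConvertTo-IPv6Binary rejects such input because the split on "::" yields the wrong number of blocks.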
Lesson 2: IPv6 Addressing

An essential part of working with IPv6 is understanding the different address types and when they are used. This allows you to understand the overall communication process between IPv6 hosts and perform troubleshooting. You also need to understand the processes available for configuring a host with an IPv6 address to ensure that hosts are properly configured.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe IPv6 prefixes.
• Describe unicast IPv6 address types.
• Describe zone IDs.
• Describe address autoconfiguration for IPv6.
• Configure IPv6 client settings on a network host.

IPv6 Prefixes

Like the IPv4 address space, the IPv6 address space is divided by allocating portions of the available address space for various IP functions. The high-order bits (bits that are at the beginning of the 128-bit IPv6 address) define areas statically in the IP space. The high-order bits and their fixed values are known as a format prefix.

Internet Assigned Numbers Authority (IANA) manages IPv6, and has defined how the IPv6 address space will be divided initially. IANA also specified the format prefixes.

IPv6 Format Prefixes

The following table shows the IPv6 address-space allocation by format prefixes.

Allocation | Prefix binary value | Prefix hexadecimal value | Fraction of the address space
Reserved | 0000 0000 | - | 1/256
Global unicast addresses | 001 | 2 or 3 | 1/8
Link-local unicast addresses | 1111 1110 10 | FE8 | 1/1024
Unique local unicast addresses | 1111 1100 | FD | 1/256
Multicast addresses | 1111 1111 | FF | 1/256

The remaining IPv6 address space is unassigned.
IPv6 Prefixes

The prefix is the part of the address that indicates the bits that have fixed values, or that are the subnet prefix's bits. Prefixes for IPv6 subnets, routes, and address ranges are expressed in the same way as Classless Interdomain Routing (CIDR) notation. An IPv6 prefix is written in address/prefix-length notation. For example, 2001:DB8::/48 and 2001:DB8:0:2F3B::/64 are IPv6 address prefixes.

Note: IPv6 does not use subnet masks.

Unicast IPv6 Address Types

A unicast IPv6 address is an IPv6 address that is assigned to a single interface in a single computer. This is equivalent to unicast addresses in IPv4. IPv6 has several types of unicast addresses, and unlike IPv4, computers typically have multiple IPv6 addresses. Different address types are used for different purposes.

The bits in unicast IPv6 addresses are split evenly between network ID and interface ID: the first 64 bits are the network ID, and the second 64 bits are the host ID. By default, the interface ID portion of an IPv6 address is randomly generated.

Note: The interface ID in IPv6 is equivalent to the IPv4 host ID as discussed in Module 5.

Global Unicast Addresses

Global unicast addresses are equivalent to public IPv4 addresses that are available from an Internet Service Provider (ISP). They are routable and reachable globally on the IPv6 portion of the Internet. The fields in the global unicast address are:

• Fixed portion set to 001. The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with either 2 or 3.
• Global routing prefix. This field identifies the global routing prefix for a specific organization's site. The combination of the three fixed bits and the 45-bit global routing prefix is used to create a 48-bit site prefix, which is assigned to an organization's individual site. Once the assignment occurs, routers on the IPv6 Internet forward IPv6 traffic that matches the 48-bit prefix to the routers of the organization's site.
• Subnet ID. The Subnet ID is used within an organization's site to identify subnets. This field's size is 16 bits. The organization's site can use these 16 bits within its site to create 65,536 subnets, or multiple levels of addressing hierarchy, and an efficient routing infrastructure.
• Interface ID. The Interface ID identifies the interface on a specific subnet within the site. This field's size is 64 bits. This is either randomly generated, or assigned by DHCPv6. In the past, the Interface ID was based on the Media Access Control (MAC) address of the network interface card to which the address was bound.

Link-Local Unicast Addresses

All IPv6 hosts have a link-local address that is used for communication only on the local subnet. The link-local address is automatically generated and non-routable. In this way, link-local addresses are similar to IPv4 Automatic Private IP Addressing (APIPA) addresses.
However, a link-local address is an essential part of IPv6 communication.

Link-local addresses are used for communication in many scenarios where IPv4 would have used broadcasts. For example, link-local addresses are used when communicating with a DHCPv6 server. In addition, link-local addresses are used for neighbor discovery, which is the IPv6 equivalent of ARP in IPv4.

The prefix for link-local addresses is always FE80::/64. The final 64 bits are the interface identifier.

Unique Local Unicast Addresses

Unique local addresses are the IPv6 equivalent of IPv4 private addresses. These addresses are routable within an organization, but not on the Internet.

IPv4 private IP addresses were a relatively small part of the overall IPv4 address space, and many companies used the same address space. This caused problems when separate organizations tried to communicate directly. It also caused problems when merging the networks of two organizations following a merger or a buyout.

To avoid the duplication problems experienced with IPv4 private addresses, the IPv6 unique local address structure allocates 40 bits to an organization identifier. The 40-bit organization identifier is randomly generated. The likelihood of two organizations' randomly generated 40-bit identifiers being the same is very small. This ensures that each organization has a unique address space.

The first seven bits of the organization identifier have the fixed binary value of 1111110. All unique local addresses have the address prefix of FC00::/7. The Local (L) flag is set to 1 to indicate a local address. An L flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have the address prefix of FD00::/8.

Zone IDs

Each IPv6 host has a single link-local address. If the host has multiple network interfaces, the same link-local address is reused on each network interface. To allow hosts to identify link-local communication on each unique network interface, a zone ID is added to the link-local address. A zone ID is used in the following format:

address%zone_ID

Each sending host determines the zone ID that it will associate with each interface. There is no negotiation of zone ID between hosts. For example, on the same network, host A might use 3 for the zone ID on its interface, and host B might use 6 for the zone ID on its interface.

Each interface in a Windows-based host is assigned a unique interface index, which is an integer. In addition to physical network cards, interfaces also include loopback and tunnel interfaces. Windows-based IPv6 hosts use the interface index of an interface as the zone ID for that interface. In the following example, the interface ID for the network card is 3:

fe80::2b0:d0ff:fee9:4143%3
Note: You can view the zone ID of a link-local address by typing IPconfig at a command prompt. This will display the local IP configuration.

Address Autoconfiguration for IPv6

In most cases, you will use autoconfiguration to provide IPv6 hosts with an IPv6 address. There are several ways autoconfiguration can be implemented. You control how autoconfiguration is performed by using a type of autoconfiguration.

Autoconfigured Address States

During autoconfiguration the IPv6 address of a host goes through several states that define the lifecycle of the IPv6 address. Autoconfigured addresses are in one or more of the following states:

• Tentative. In the tentative state, verification is occurring to determine if the address is unique. Duplicate address detection performs verification. When an address is in the tentative state, a node cannot receive unicast traffic.
• Valid. In the valid state, the address has been verified as unique, and can send and receive unicast traffic.
• Preferred. In the preferred state, the address enables a node to send and receive unicast traffic to and from it.
• Deprecated. In a deprecated state, the address is valid, but its use is discouraged for new communication.
• Invalid. In the invalid state, the address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration

Types of autoconfiguration include:

• Stateless. Address configuration is only based on the receipt of Router Advertisement messages. This includes a router prefix but does not include additional configuration options such as DNS servers.
• Stateful. Configuration is based on the use of a stateful address configuration protocol such as DHCPv6 to obtain addresses and other configuration options. A host uses stateful address configuration when:
  o It receives instructions to do so in Router Advertisement messages.
  o There are no routers present on the local link.
• Both. Configuration is based on receipt of Router Advertisement messages and on DHCPv6.

Stateful Configuration

With stateful configuration, organizations can control how IPv6 addresses are assigned using DHCPv6. If there are any specific scope options that you need to configure, such as the IPv6 addresses of DNS servers, then a DHCPv6 server is necessary.

When IPv6 attempts to communicate with a DHCPv6 server, it uses multicast IPv6 addresses. This is different than with IPv4, which uses broadcast IPv4 addresses.
Demonstration: Configuring IPv6 Client Settings
In most cases, IPv6 is configured dynamically by using DHCPv6 or router advertisements. However, you can also configure IPv6 manually with a static IPv6 address. The process for configuring IPv6 is similar to the process for configuring IPv4.
Demonstration Steps
View IPv6 configuration by using IPconfig.
1. On LON-DC1, open a Windows PowerShell® prompt.
2. Use ipconfig to view the link-local IPv6 address on Local Area Connection.
3. Use the Get-NetIPAddress cmdlet to view network configuration.
Configure IPv6 on LON-DC1
1. On LON-DC1, use Server Manager to open the properties window of Local Area Connection for the Local Server.
2. Open the properties of Internet Protocol Version 6 (TCP/IPv6), and enter the following information:
o Use the following IPv6 address
o IPv6 address: FD00:AAAA:BBBB:CCCC::A
o Subnet prefix length: 64
o Use the following DNS server addresses
o Preferred DNS server: ::1
Configure IPv6 on LON-SVR1
1. On LON-SVR1, use Server Manager to open the properties window of Local Area Connection for the Local Server.
2. Open the properties window of Internet Protocol Version 6 (TCP/IPv6), and enter the following:
o Use the following IPv6 address
o IPv6 address: FD00:AAAA:BBBB:CCCC::15
o Subnet prefix length: 64
o Use the following DNS server addresses
o Preferred DNS server: FD00:AAAA:BBBB:CCCC::A
Verify IPv6 communication is functional
1. On LON-SVR1, open a Windows PowerShell prompt.
2. Use ipconfig to view the IPv6 address for Local Area Connection.
3. Use ping -6 to test IPv6 communication with LON-DC1.
4. Use ping -4 to test IPv4 communication with LON-DC1.
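The LON-SVR1 part of this demonstration done from Windows PowerShell rather than the TCP/IPv6 properties dialog, as an added example (not one of the course's demonstration steps), which also shows the tentative and duplicate address states from the Address Autoconfiguration topic: a newly assigned address stays Tentative while duplicate address detection runs, and the script waits for that before testing. The interface alias, host names and addresses are the course's; the script assumes an elevated prompt on LON-SVR1.

```powershell
# Added example (not part of the course's demonstration): configure LON-SVR1's
# static IPv6 address and DNS server with the NetTCPIP and DnsClient cmdlets,
# then wait for duplicate address detection before testing connectivity.
# Assumes an elevated PowerShell prompt on LON-SVR1; values are the course's.

$alias   = 'Local Area Connection'
$address = 'FD00:AAAA:BBBB:CCCC::15'
$dns     = 'FD00:AAAA:BBBB:CCCC::A'

# Equivalent of "Use the following IPv6 address" / "Use the following DNS server addresses"
New-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 -IPAddress $address -PrefixLength 64 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# The address starts in the Tentative state while duplicate address detection
# (neighbor solicitation for the address) runs; poll until that state clears.
do {
    Start-Sleep -Seconds 1
    $ip = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 -IPAddress $address
} while ($ip.AddressState -eq 'Tentative')

# Show the manual address beside the link-local one (PrefixOrigin/SuffixOrigin tell them apart)
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 |
    Format-Table IPAddress, PrefixLength, AddressState, PrefixOrigin, SuffixOrigin -AutoSize

if ($ip.AddressState -eq 'Duplicate') {
    # Another node on the link already answered for this address; the stack will not use it.
    Write-Warning "$address is already in use on the link; choose a different host ID"
} else {
    ping -6 LON-DC1      # IPv6 path, as in the demonstration
    ping -4 LON-DC1      # IPv4 path for comparison
}
```

Checking AddressState before the ping is the detail the dialog hides: if the address is reported as Duplicate, the ping -6 test would fail for a reason unrelated to routing or DNS.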
Lesson 3: Coexistence with IPv4

From its inception, IPv6 was designed for long-term coexistence with IPv4; in most cases your network will use both IPv4 and IPv6 for many years. Consequently, you need to understand how they coexist.

This lesson provides an overview of the technologies that support the two IP protocols' coexistence. This lesson also describes the different node types and IP stack implementations of IPv6. Finally, this lesson explains how DNS resolves names to IPv6 addresses and the various types of IPv6 transition technologies.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe IP node types.
• Describe methods to provide coexistence for IPv4 and IPv6.
• Configure DNS to support IPv6.
• Explain IPv6 over IPv4 tunneling.

What Are Node Types?

When planning an IPv6 network, you should know what types of nodes or hosts are on the network. Describing the nodes in the following ways helps to define their capabilities on the network. This is important if you use tunneling, because certain kinds of tunnels require specific node types, including the following:

• IPv4-only node. A node that implements only IPv4 (and has only IPv4 addresses) and does not support IPv6.
• IPv6-only node. A node that implements only IPv6 (and has only IPv6 addresses) and does not support IPv4. This node is able to communicate only with IPv6 nodes and applications, and is not common today. However, it might become more prevalent as smaller devices, such as cellular phones and handheld computers, use the IPv6 protocol exclusively.
• IPv6/IPv4 node. A node that implements both IPv4 and IPv6. Windows Server 2008 and Windows Vista or later use IPv4 and IPv6 by default.
• IPv4 node. A node that implements IPv4. It can be an IPv4-only node or an IPv6/IPv4 node.
• IPv6 node. A node that implements IPv6. It can be an IPv6-only node or an IPv6/IPv4 node.

Coexistence occurs when the largest number of nodes (IPv4 or IPv6 nodes) can communicate using an IPv4 infrastructure, an IPv6 infrastructure, or an infrastructure that is a combination of IPv4 and IPv6. You will achieve true migration when all IPv4 nodes are converted to IPv6-only nodes. However, for the foreseeable future, you can achieve practical migration when as many IPv4-only nodes as possible are converted to IPv6/IPv4 nodes. IPv4-only nodes can communicate with IPv6-only nodes only when you are using an IPv4-to-IPv6 proxy or translation gateway.
IPv4 and IPv6 Coexistence

Rather than replacing IPv4, most organizations add IPv6 to their existing IPv4 network. Starting with Windows Server 2008 and Windows Vista, Windows operating systems support the simultaneous use of IPv4 and IPv6 through a dual IP layer architecture. The Windows XP and Windows Server 2003 operating systems used a less efficient dual stack architecture.

Dual IP Layer Architecture

A dual IP layer architecture was implemented beginning with Windows Vista, and continuing through Windows Server 2012 and Windows 8. This architecture contains both IPv4 and IPv6 Internet layers with a single implementation of transport layer protocols such as TCP and User Datagram Protocol (UDP). Dual stack allows for easier migration to IPv6, and there are fewer files to maintain to provide IPv6 connectivity. IPv6 is also available without adding any new protocols in the network-card configuration.

Dual Stack Architecture

Dual stack architecture contains both IPv4 and IPv6 Internet layers, and has separate protocol stacks that contain separate implementations of transport layer protocols, such as TCP and UDP. Tcpip6.sys, the IPv6 protocol driver in Windows Server 2003 and Windows XP, contains a separate implementation of TCP and UDP.

DNS Infrastructure Requirements

Just as DNS is used as a supporting service on an IPv4 network, it is also required on an IPv6 network. When IPv6 is added to the network, you need to ensure that the records that are necessary to support IPv6 name-to-address and address-to-name resolution are added. The DNS records that are required for coexistence are:

• Host (A) resource records for IPv4 nodes
• IPv6 host (AAAA) resource records
• Reverse lookup pointer (PTR) resource records for IPv4 and IPv6 nodes

Note: In most cases, the IPv6 host (AAAA) resource records that IPv6 nodes require are registered in DNS dynamically.

When a name can be resolved to both an IPv4 and an IPv6 address, both addresses are returned to the client. The client then selects which address to use based on prefix policies. You can view the prefix policies in Windows Server 2012 by using the Get-NetPrefixPolicy cmdlet.

Each prefix has a precedence level assigned to it. In most cases, IPv6 is preferred over IPv4. For example, when you ping a host, the ping command will use the IPv6 address instead of the IPv4 address.
The following table displays the typical prefix policies for Windows Server 2012.
Prefix Precedence Label Description
::1/128 50 0 IPv6 loopback
fc00::/7 45 13 Unique local
::/0 40 1 Default gateway
::ffff:0:0/96 10 4 IPv4 compatible address
2002::/16 7 14 6to4
2001::/32 5 5 Teredo
::/96 1 10 IPv4 compatible address (deprecated)
fec0::/10 1 11 Site local (deprecated)
3ffe::/16 1 12 6Bone (deprecated)
Additional Reading: For more information about prefix policies see http://technet.Microsoft.com/library/bb877985.
Demonstration: Configuring DNS to Support IPv6
Similar to IPv4 nodes, IPv6 nodes use dynamic DNS to automatically create host records. You can also manually create host records for IPv6 addresses. An IPv6 host (AAAA) resource record is a distinct record type, different from the IPv4 host (A) resource record.
Demonstration Steps
Configure an IPv6 host (AAAA) resource record
1. On LON-DC1, in Server Manager, open the DNS tool and browse to the Adatum.com forward lookup zone.
2. In DNS Manager, verify that IPv6 addresses have been registered dynamically for LON-DC1 and LON-SVR1.
3. Create a new host record in Adatum.com with the following settings:
o Name: WebApp
o IP address: FD00:AAAA:BBBB:CCCC::A
Verify name resolution for an IPv6 host (AAAA) resource record
1. On LON-SVR1, if necessary, open a Windows PowerShell prompt.
2. Use ping to test communication with WebApp.adatum.com.
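The same demonstration from Windows PowerShell, as an added example that is not one of the course's steps: it creates the WebApp AAAA record with the DnsServer module, queries for the AAAA type explicitly, and prints the prefix policy table from the previous page to show why ping picks the IPv6 address when a name has both A and AAAA records. The zone, record name and address are the course's; the script assumes an administrative prompt on LON-DC1, where the DNS Server role runs.

```powershell
# Added example (not part of the course's demonstration): create and verify the
# WebApp AAAA record from PowerShell, then relate the result to prefix policies.
# Assumes an administrative prompt on LON-DC1 (DNS server); values are the course's.

$zone = 'Adatum.com'
$name = 'WebApp'

# Same record as the DNS Manager steps above (run once; a second run reports the duplicate)
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name $name -IPv6Address 'FD00:AAAA:BBBB:CCCC::A'

# Ask specifically for the IPv6 record type rather than relying on the default query
Resolve-DnsName -Name "$name.$zone" -Type AAAA | Format-Table Name, Type, TTL, IPAddress -AutoSize

# Dynamic registration check from the previous demonstration: both servers
# should already have AAAA records without anyone creating them by hand
foreach ($host in 'LON-DC1', 'LON-SVR1') {
    Resolve-DnsName -Name "$host.$zone" -Type AAAA -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}

# Prefix policy table, highest precedence first. fc00::/7 (unique local, precedence 45)
# outranks ::ffff:0:0/96 (IPv4-mapped, precedence 10), so the FD00:... address is
# chosen over an A record for the same name.
Get-NetPrefixPolicy | Sort-Object -Property Precedence -Descending |
    Format-Table Prefix, Precedence, Label -AutoSize

# ping with no -4/-6 switch lets the prefix policy decide; expect the IPv6 address
ping "$name.$zone"
```

If the AAAA lookup fails while the record exists in DNS Manager, check that LON-SVR1 is querying FD00:AAAA:BBBB:CCCC::A (Get-DnsClientServerAddress -AddressFamily IPv6) rather than an IPv4 server that hosts a different copy of the zone.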
What Is IPv6 Over IPv4 Tunneling?

IPv6 over IPv4 tunneling is the encapsulation of IPv6 packets with an IPv4 header so that IPv6 packets can be sent over an IPv4-only infrastructure. Within the IPv4 header:

• The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
• The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can configure tunnel endpoints manually as part of the tunnel interface, or they can be derived automatically.

Unlike tunneling for the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP), there is no exchange of messages for tunnel setup, maintenance, or termination. Additionally, IPv6 over IPv4 tunneling does not provide security for tunneled IPv6 packets. This means that when you use IPv6 tunneling, it does not need to establish a protected connection first.
Lesson 4: IPv6 Transition Technologies

Transitioning from IPv4 to IPv6 requires coexistence between the two protocols. Too many applications and services rely on IPv4 for it to be removed quickly. However, there are several technologies that aid transition by allowing communication between IPv4-only and IPv6-only hosts. There are also technologies that allow IPv6 communication over IPv4 networks.

This lesson provides information about Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo, which help provide connectivity between IPv4 and IPv6 technology. This lesson also addresses PortProxy, which provides compatibility for applications.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe ISATAP.
• Describe 6to4.
• Describe Teredo.
• Describe PortProxy.
• Describe the transition process from IPv4 to IPv6.

What Is ISATAP?

ISATAP is an address-assignment technology that you can use to provide unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4 intranet. ISATAP hosts do not require any manual configuration, and can create ISATAP addresses using standard address autoconfiguration mechanisms. You mainly use ISATAP within an organization's site, and although the ISATAP component is enabled by default, it only assigns ISATAP-based addresses if it can resolve the name ISATAP on your network.

An ISATAP address that is based on a private IPv4 address is formatted like the following example:

[64-bit unicast prefix]:0:5EFE:w.x.y.z

An ISATAP address that is based on a public IPv4 address is formatted like the following example:

[64-bit unicast prefix]:200:5EFE:w.x.y.z

For example, FD00::5EFE:192.168.137.133 is an example of a private IPv4 address, and 2001:db8::200:5EFE:131.107.137.133 is an example of a public IPv4 address.

What Is an ISATAP Router?

ISATAP allows IPv6 clients on an IPv4-only intranet to communicate without additional manual configuration. An ISATAP router advertises an IPv6 prefix, and allows the clients to communicate with other IPv6 clients on other IPv6 subnets.
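The two ISATAP address formats above, derived from an IPv4 address by a script, as an added Windows PowerShell example (not code from the course); it goes beyond this topic by also deriving the 6to4 prefix 2002:WWXX:YYZZ::/48 that the 6to4 topic later in this lesson describes. The function names Test-PrivateIPv4, Get-IsatapAddress and Get-6to4Prefix are this example's own; the sample addresses are the ones the text uses.

```powershell
# Added example (not from the course): build ISATAP addresses and a 6to4 prefix
# from an IPv4 address, following the formats given in this lesson. Function
# names are this example's own; the sample inputs are the course's addresses.

function Test-PrivateIPv4 {
    param([byte[]]$Bytes)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16 (the course calls these "private")
    ($Bytes[0] -eq 10) -or
    ($Bytes[0] -eq 172 -and $Bytes[1] -ge 16 -and $Bytes[1] -le 31) -or
    ($Bytes[0] -eq 192 -and $Bytes[1] -eq 168)
}

function Get-IsatapAddress {
    param([Parameter(Mandatory)][string]$Prefix64, [Parameter(Mandatory)][string]$IPv4)
    $v4 = [System.Net.IPAddress]::Parse($IPv4)
    if ($v4.AddressFamily -ne 'InterNetwork') { throw "$IPv4 is not an IPv4 address" }
    # First 64 bits of the unicast prefix, written as four hex blocks without leading zeros
    $p = [System.Net.IPAddress]::Parse(($Prefix64 -replace '/.*$', '')).GetAddressBytes()
    $head = @(for ($i = 0; $i -lt 8; $i += 2) { '{0:X}' -f (256 * [int]$p[$i] + $p[$i + 1]) }) -join ':'
    # Per the course: 0:5EFE when the IPv4 address is private, 200:5EFE when it is public
    $ug = if (Test-PrivateIPv4 $v4.GetAddressBytes()) { '0' } else { '200' }
    "${head}:${ug}:5EFE:$IPv4"
}

function Get-6to4Prefix {
    param([Parameter(Mandatory)][string]$PublicIPv4)
    $b = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    if (Test-PrivateIPv4 $b) { throw "6to4 needs a public IPv4 address; $PublicIPv4 is private" }
    # WWXX:YYZZ is the colon-hexadecimal form of w.x.y.z
    '2002:{0:X2}{1:X2}:{2:X2}{3:X2}::/48' -f $b[0], $b[1], $b[2], $b[3]
}

# The course's two ISATAP examples, then the 6to4 prefix for the public address
Get-IsatapAddress -Prefix64 'FD00::/64'     -IPv4 '192.168.137.133'   # private form
Get-IsatapAddress -Prefix64 '2001:db8::/64' -IPv4 '131.107.137.133'   # public form
Get-6to4Prefix -PublicIPv4 '131.107.137.133'
```

The output keeps the dotted-quad IPv4 address in the last 32 bits, which is the form the course shows; ipconfig on a Windows host renders the same interface identifier with the hex groups in lowercase, so compare the parsed addresses rather than the strings when checking a host's ISATAP interface.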
8-18 Implementing IPv6
How ISATAP Tunneling Works
You can initiate ISATAP tunneling in many ways, but the simplest way is to configure an ISATAP host record in DNS that resolves to the IPv4 address of the ISATAP router. Windows hosts that can resolve this record name automatically begin using the specified ISATAP router. By using this method, you can configure ISATAP for several computers simultaneously.
You can also define ISATAP name resolution in a hosts file, but this is not recommended because it is difficult to manage.
Note: By default, Windows Server 2008 or newer DNS servers have a Global Query Block List that prevents ISATAP resolution, even if the host record is created and properly configured. You need to remove ISATAP from the Global Query Block List in DNS if you are using an ISATAP host record to configure ISATAP clients.
Other ways you can configure hosts with an ISATAP router are:
• Use the Windows PowerShell cmdlet Set-NetIsatapConfiguration -Router x.x.x.x.
• Use Netsh Interface IPv6 ISATAP Set Router x.x.x.x.
• Configure the ISATAP Router Name Group Policy setting.
Note: All ISATAP nodes are connected to a single IPv6 subnet. This means that all ISATAP nodes are part of the same AD DS site, which may not be desirable. As such, you should use ISATAP only for limited testing. For intranet-wide deployment, you should instead deploy native IPv6 support.
What Is 6to4?
6to4 is a technology that you use to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 treats the entire IPv4 Internet as a single link. In the following 6to4 address, WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address:
2002:WWXX:YYZZ:Subnet_ID:Interface_ID
Enabling 6to4 Router Functionality in Windows Operating Systems
To enable Windows Server 2012 as a 6to4 router, you enable Internet Connection Sharing (ICS). When you enable ICS on a computer that is running a Windows operating system, the following occurs:
• IPv6 forwarding is enabled on the 6to4 tunneling and private interfaces.
• The private interface connects to a single subnet, and uses private IPv4 addresses from the 192.168.0.0/24 prefix.
• A 64-bit IPv6 subnet prefix is selected for advertisement on the private intranet. The 6to4 component derives the intranet subnet prefix from 2002:WWXX:YYZZ:InterfaceIndex::/64, in which InterfaceIndex is the private interface's index.
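The 6to4 and ISATAP address formats above both embed an IPv4 address, which is what lets you check, during troubleshooting or when reviewing a capture, that a tunnel address really belongs to the router or host it claims to. The following PowerShell is an added example written for this page; it is not part of the course material. It derives the 6to4 prefix (2002:WWXX:YYZZ:Subnet_ID::/64) and the ISATAP address form used in this module's lab (prefix:0:5efe:w.x.y.z). The function names are this example's own, and the private-range check is an assumption added here because 6to4 is defined only for public IPv4 addresses.

```powershell
# Added example, not from the course. Derives the 6to4 site prefix
# (2002:WWXX:YYZZ:<Subnet_ID>::/64) and the ISATAP address form
# (<prefix>:0:5efe:w.x.y.z) from an IPv4 address, so an address seen in
# ipconfig output or a packet capture can be matched to the embedded IPv4 address.

function ConvertTo-ColonHex {
    # WWXX = first two octets, YYZZ = last two octets, as colon-hexadecimal.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    if ($octets.Length -ne 4) { throw "Not an IPv4 address: $IPv4Address" }
    return [pscustomobject]@{
        WWXX = '{0:x2}{1:x2}' -f $octets[0], $octets[1]
        YYZZ = '{0:x2}{1:x2}' -f $octets[2], $octets[3]
    }
}

function Get-6to4Prefix {
    # Returns 2002:WWXX:YYZZ:<Subnet_ID>::/64 for a public IPv4 address.
    # RFC 1918 addresses are rejected (assumption of this example): 6to4 needs a public w.x.y.z.
    param(
        [Parameter(Mandatory)][string]$PublicIPv4Address,
        [int]$SubnetId = 0
    )
    $o = [System.Net.IPAddress]::Parse($PublicIPv4Address).GetAddressBytes()
    $isPrivate = ($o[0] -eq 10) -or
                 ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
                 ($o[0] -eq 192 -and $o[1] -eq 168)
    if ($isPrivate) { throw "$PublicIPv4Address is private; 6to4 requires a public IPv4 address" }
    $h = ConvertTo-ColonHex $PublicIPv4Address
    return ('2002:{0}:{1}:{2:x}::/64' -f $h.WWXX, $h.YYZZ, $SubnetId)
}

function Get-IsatapAddress {
    # Builds <64-bit prefix>:0:5efe:w.x.y.z, the form the lab uses for LON-DC1.
    param(
        [Parameter(Mandatory)][string]$Prefix64,      # e.g. 2001:db8:0:2::/64
        [Parameter(Mandatory)][string]$IPv4Address
    )
    $null = [System.Net.IPAddress]::Parse($IPv4Address)   # validate the IPv4 part
    $p = $Prefix64 -replace '::/64$', ''
    return "${p}:0:5efe:${IPv4Address}"
}

# Constructed calls using addresses that appear in this module:
Get-6to4Prefix -PublicIPv4Address 157.60.91.123 -SubnetId 1
Get-IsatapAddress -Prefix64 '2001:db8:0:2::/64' -IPv4Address 172.16.0.10
```

For 157.60.91.123 the octets are 0x9d, 0x3c, 0x5b and 0x7b, so the 6to4 prefix for subnet 1 is 2002:9d3c:5b7b:1::/64; for the lab values the ISATAP address is 2001:db8:0:2:0:5efe:172.16.0.10, which matches the address pinged in Exercise 2.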
20410A: Installing and Configuring Windows Server® 2012 8-19
• Router advertisement messages are sent on the private interface.
• The router advertisement messages advertise the ICS computer as a default router and contain the derived 6to4 subnet prefix.
How 6to4 Tunneling Works
Within a site, local IPv6 routers advertise 2002:WWXX:YYZZ:Subnet_ID::/64 subnet prefixes so that hosts autoconfigure 6to4 addresses. IPv6 routers within the site deliver traffic between 6to4 hosts. Hosts on individual subnets are configured automatically with a 64-bit subnet route for direct delivery to neighbors and a default route with the next-hop address of the advertising router. IPv6 traffic that does not match any of the subnet prefixes that the site uses is forwarded to a 6to4 router on the site border. The 6to4 router on the site border has a 2002::/16 route that forwards traffic to other 6to4 sites and a default route of ::/0 that forwards traffic to a 6to4 relay on the IPv4 Internet.
Example
In the example network shown in the slide, Host A and Host B can communicate with each other because of a default route using the next-hop address of the 6to4 router in Site 1. When Host A communicates with Host C in another site, Host A sends the traffic to the 6to4 router in Site 1 as IPv6 packets. The 6to4 router in Site 1, using the 2002::/16 route in its routing table and the 6to4 tunnel interface, encapsulates the traffic with an IPv4 header and tunnels it to the 6to4 router in Site 2. The 6to4 router in Site 2 receives the tunneled traffic, removes the IPv4 header and, using the subnet prefix route in its routing table, forwards the IPv6 packet to Host C.
For example, Host A resides on subnet 1 within Site 1 and uses the public IPv4 address of 157.60.91.123. Host C resides on subnet 2 within Site 2 and uses the public IPv4 address of 131.107.210.49. The table that appears in the slide lists the addresses in the IPv4 and IPv6 headers when the 6to4 router in Site 1 sends the IPv4-encapsulated IPv6 packet to the 6to4 router in Site 2.
What Is Teredo?
Teredo tunneling enables you to tunnel across the IPv4-only Internet when the clients are behind an IPv4 NAT. Teredo was created because many Internet connections use private IPv4 addresses behind a NAT. Teredo is a last-resort transition technology for IPv6 connectivity. If native IPv6, ISATAP, or 6to4 connectivity is present between communicating nodes, Teredo is not used. As more IPv4 NATs are upgraded to support 6to4, and as IPv6 connectivity becomes ubiquitous, Teredo will be used less frequently, until eventually it is not used at all.
Teredo Components
The Teredo components are as follows:
• Teredo client. Supports a Teredo tunneling interface through which packets are tunneled to other Teredo clients or nodes on the IPv6 Internet through a Teredo relay.
• Teredo server. Connects to both the IPv4 and IPv6 Internet. The role of the Teredo server is to assist in the initial Teredo client configuration, and to facilitate the initial communication between Teredo clients in different sites or between Teredo clients and IPv6-only hosts on the IPv6 Internet.
8-20 Implementing IPv6
• Teredo relay. Forwards packets between Teredo clients on the IPv4 Internet and IPv6-only hosts on the IPv6 Internet.
• Teredo host-specific relay. Has interfaces on, and connects to, the IPv4 and IPv6 Internet. Additionally, a Teredo host-specific relay can communicate directly with Teredo clients over the IPv4 Internet without needing an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet, or through an IPv6 transition technology, such as 6to4.
What Is PortProxy?
You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. This service's primary purpose is to allow IPv6 nodes to communicate with IPv4-only TCP applications.
PortProxy can proxy only TCP data, and it supports only application-layer protocols that do not embed address or port information inside the application-layer data. PortProxy cannot change address information at the application level, and is not flexible. Additionally, you will fare better using other tunneling technologies to address many of the issues that you typically would address by using PortProxy.
Some areas where PortProxy can be helpful and provide solutions during a transition phase include when:
• An IPv4-only node can access an IPv6-only node.
• An IPv6-only node can access an IPv4-only node.
• An IPv6 node can access an IPv4-only service that is running on a PortProxy computer.
Additional Reading: For more information about IPv6 transition technologies, see http://go.Microsoft.com/fwlink/?LinkID=112079&clcid=0x409.
20410A: Installing and Configuring Windows Server® 2012 8-21
Process for Transitioning to IPv6–Only
The industry-wide migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration when designing IPv6 and, as a result, the transition plan for IPv6 is a multistep process that allows for extended coexistence.
To achieve the goal of a pure IPv6 environment, use the following general guidelines:
• Upgrade your applications to be independent of either IPv6 or IPv4. For example, you can change applications to use new Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.
• Upgrade routing infrastructure for native IPv6 routing. You must upgrade routers to support both native IPv6 routing and IPv6 routing protocols.
• Upgrade devices to support IPv6. The majority of current networking hardware supports IPv6, but many other types of devices do not. You need to verify that all network attached devices—such as printers and scanners—also support IPv6.
• Update the DNS infrastructure to support IPv6 address and pointer (PTR) resource records. You might have to upgrade the DNS infrastructure to support the new IPv6 host address (AAAA) resource records (required) and pointer (PTR) resource records in the IP6.ARPA reverse domain, but this is optional. Additionally, ensure that the DNS servers support DNS traffic over IPv6 and DNS dynamic update for IPv6 host address (AAAA) resource records so that IPv6 hosts can register their names and IPv6 addresses automatically.
• Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use both IPv4 and IPv6. You also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. You can deploy ISATAP in a limited capacity to test IPv6 and DNS functionality.
Most organizations will most likely add IPv6 to an existing IPv4 environment and continue to have coexistence for an extended period of time. There are still in existence many legacy applications and devices that do not support IPv6, and coexistence is much simpler than using transition technologies such as ISATAP.
IPv6 is enabled by default for Windows Vista or newer clients and Windows Server 2008 or newer servers. As a best practice, you should not disable IPv6 unless there is a technical reason to do so. Some features in Windows operating systems rely on IPv6.
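Two of the guidelines above (keep IPv6 enabled, and make sure DNS carries AAAA records and answers over IPv6) can be audited from a Windows Server 2012 host with the in-box NetAdapter and DnsClient cmdlets. The script below is an added example written for this page, not course or Microsoft-supplied code. It assumes the lab zone name Adatum.com and the lab host names; both are parameters and should be changed for a real environment.

```powershell
# Added example, not from the course. Audits the coexistence guidelines on the
# local Windows Server 2012 host: IPv6 binding per adapter, A/AAAA coverage for
# a list of hosts, and whether the DNS client has any IPv6 DNS server configured.
# Assumptions: zone Adatum.com and the lab host names (override with -ZoneName/-HostNames).
param(
    [string]$ZoneName = 'Adatum.com',
    [string[]]$HostNames = @('LON-DC1', 'LON-SVR2')
)

$report = [ordered]@{}

# Guideline: do not disable IPv6. Report every adapter whose TCP/IPv6 binding is off.
$ipv6Off = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }
$report['AdaptersWithIPv6Disabled'] = @($ipv6Off | Select-Object -ExpandProperty Name)

# Guideline: DNS must hold AAAA records so dual-stack hosts are reachable over IPv6.
foreach ($h in $HostNames) {
    $fqdn = "$h.$ZoneName"
    $a    = Resolve-DnsName -Name $fqdn -Type A    -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
    $aaaa = Resolve-DnsName -Name $fqdn -Type AAAA -ErrorAction SilentlyContinue | Where-Object Type -eq 'AAAA'
    $report[$fqdn] = if ($a -and $aaaa) { 'dual-stack' }
                     elseif ($a)        { 'IPv4 only (no AAAA record)' }
                     elseif ($aaaa)     { 'IPv6 only (no A record)' }
                     else               { 'unresolved' }
}

# Guideline: DNS traffic over IPv6. Does any interface list an IPv6 DNS server?
$v6Servers = Get-DnsClientServerAddress -AddressFamily IPv6 | Where-Object { $_.ServerAddresses }
$report['IPv6DnsServersConfigured'] = [bool]$v6Servers

[pscustomobject]$report
```

Run it on each server after a DNS change; a host reported as "IPv4 only" is one that IPv6-only clients cannot reach by name even though the network itself is dual-stack.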
8-22 Implementing IPv6
Lab: Implementing IPv6
Scenario
A. Datum Corporation has an IT office and data center in London, which support the London location and other locations. They have recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. You now need to configure the infrastructure service for a new branch office.
The IT manager at A. Datum has been briefed by several application vendors about newly added support for IPv6 in their products. A. Datum does not have IPv6 support in place at this time. The IT manager would like you to configure a test lab that uses IPv6. As part of the test lab configuration, you also need to configure ISATAP to allow communication between an IPv4 network and an IPv6 network.
Objectives
After completing this lab, you will be able to:
• Configure IPv6.
• Configure an ISATAP router.
Lab Setup
Estimated Time: 40 minutes
Logon Information
Virtual Machines: 20410A-LON-DC1, 20410A-LON-RTR, 20410A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-RTR and 20410A-LON-SVR2.
Exercise 1: Configuring an IPv6 Network
Scenario
As the first step in configuring the test lab, you need to configure LON-DC1 as an IPv4–only node, and LON-SVR2 as an IPv6–only node. You also need to configure LON-RTR to support IPv6 routing.
20410A: Installing and Configuring Windows Server® 2012 8-23
The main tasks for this exercise are as follows:
1. Verify IPv4 routing.
2. Disable IPv6 on LON-DC1.
3. Disable IPv4 on LON-SVR2.
4. Configure an IPv6 network on LON-RTR.
5. Verify IPv6 on LON-SVR2.
Task 1: Verify IPv4 routing
1. On LON-SVR2, open a Windows PowerShell prompt.
2. Ping LON-DC1 to verify that IPv4 is routing through LON-RTR.
3. Use ipconfig to verify that LON-SVR2 has only a link-local IPv6 address.
Task 2: Disable IPv6 on LON-DC1
1. On LON-DC1, in Server Manager, on the Local Server, open the Local Area Connection properties.
2. Disable IPv6 for Local Area Connection.
Task 3: Disable IPv4 on LON-SVR2
1. On LON-SVR2, in Server Manager, open the properties of Local Area Connection on the Local Server.
2. Disable IPv4 for Local Area Connection.
Task 4: Configure an IPv6 network on LON-RTR
1. On LON-RTR, open Windows PowerShell.
2. Use the following New-NetRoute cmdlet to add an IPv6 network on Local Area Connection 2 to the local routing table:
New-NetRoute -InterfaceAlias "Local Area Connection 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes
3. Use the following Set-NetIPInterface cmdlet to enable router advertisements on Local Area Connection 2:
Set-NetIPInterface -InterfaceAlias "Local Area Connection 2" -AddressFamily IPv6 -Advertising Enabled
4. Use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64 network.
Task 5: Verify IPv6 on LON-SVR2
• On LON-SVR2, use ipconfig to verify that Local Area Connection 2 has an IPv6 address on the 2001:db8:0:1::/64 network.
Results: After completing the exercise, students will have configured an IPv6–only network.
8-24 Implementing IPv6
Exercise 2: Configuring an ISATAP Router
Scenario
After configuring the infrastructure for an IPv4–only network and an IPv6–only network, you need to configure ISATAP to support communication between the IPv4–only nodes and the IPv6–only nodes.
The main tasks for this exercise are as follows:
1. Add an ISATAP host record to DNS.
2. Enable the ISATAP router on LON-RTR.
3. Remove ISATAP from the DNS Global Query Block List.
4. Enable ISATAP on LON-DC1.
5. Test connectivity.
Task 1: Add an ISATAP host record to DNS
1. On LON-DC1, in Server Manager, open the DNS tool.
2. Add an ISATAP host record that resolves to 172.16.0.1.
Task 2: Enable the ISATAP router on LON-RTR
1. On LON-RTR, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:
Set-NetIsatapConfiguration -Router 172.16.0.1
2. Use the following Get-NetIPAddress cmdlet to identify the interface index of the ISATAP interface that has 172.16.0.1 in its link-local address. Interface index:
Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address
3. Use the following Get-NetIPInterface cmdlet to verify the following on the ISATAP interface:
o Forwarding is enabled
o Advertising is disabled
Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List
4. Use the following Set-NetIPInterface cmdlet to enable router advertisements on the ISATAP interface:
Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled
5. Use the following New-NetRoute cmdlet to configure a network route for the ISATAP interface:
New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes
6. Use the following Get-NetIPAddress cmdlet to verify that the ISATAP interface has an IPv6 address on the 2001:db8:0:2::/64 network:
Get-NetIPAddress -InterfaceIndex IndexYouRecorded
20410A: Installing and Configuring Windows Server® 2012 8-25
Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, open Regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
2. Modify GlobalQueryBlockList to remove isatap.
3. Restart the DNS service.
4. Ping isatap to verify that it can be resolved. The name should resolve to 172.16.0.1, and you should receive four Request timed out messages.
Task 4: Enable ISATAP on LON-DC1
1. On LON-DC1, use the following Set-NetIsatapConfiguration cmdlet to enable ISATAP:
Set-NetIsatapConfiguration -State Enabled
2. Use ipconfig to verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network.
Task 5: Test connectivity
1. On LON-SVR2, use the following ping command to test connectivity to the ISATAP address for LON-DC1:
ping 2001:db8:0:2:0:5efe:172.16.0.10
2. Use Server Manager to modify the properties of TCP/IPv6 on Local Area Connection 2, and add 2001:db8:0:2:0:5efe:172.16.0.10 as the preferred DNS server.
3. Use the ping command to test connectivity to LON-DC1.
Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6–only network and an IPv4–only network.
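The failure modes in this exercise are silent: a host record that exists but is blocked by the Global Query Block List, an ISATAP state left at its default, or a tunnel interface that never received a router advertisement. The script below is an added example written for this page, not part of the lab or of Microsoft's course material. It checks each of those conditions from an ISATAP client and lists what is still missing. It assumes the lab values (LON-DC1 as the DNS server, 172.16.0.1 as the router, the 2001:db8:0:2::/64 prefix), that the DnsServer module is installed where it runs, and that the tunnel adapter's alias contains "isatap"; all of these are assumptions of the example.

```powershell
# Added example, not part of the lab. Verifies the pieces of the ISATAP setup from
# Exercise 2 and reports what is missing. Run on an ISATAP client such as LON-DC1.
# Assumptions: lab names/addresses below, DnsServer RSAT module available for step 1,
# and the tunnel adapter alias containing "isatap".
param(
    [string]$DnsServer  = 'LON-DC1',
    [string]$RouterIPv4 = '172.16.0.1',
    [string]$Prefix     = '2001:db8:0:2:'   # leading part of 2001:db8:0:2::/64 addresses
)

$findings = @()

# 1. The Global Query Block List must not contain "isatap"; otherwise the host
#    record exists but the DNS server never answers queries for it.
$gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
if ($gqbl.Enable -and ($gqbl.List -contains 'isatap')) {
    $findings += "DNS: 'isatap' is still in the Global Query Block List on $DnsServer"
}

# 2. The ISATAP host record must resolve to the router's IPv4 address.
$a = Resolve-DnsName -Name isatap -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
     Where-Object Type -eq 'A'
if (-not $a -or ($a.IPAddress -notcontains $RouterIPv4)) {
    $findings += "DNS: 'isatap' does not resolve to $RouterIPv4"
}

# 3. ISATAP must not be disabled on this host.
$cfg = Get-NetIsatapConfiguration
if ($cfg.State -eq 'Disabled') {
    $findings += "Host: ISATAP state is $($cfg.State)"
}

# 4. The tunnel interface must hold an address from the prefix advertised by LON-RTR.
$tunnel = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
          Where-Object { $_.InterfaceAlias -like '*isatap*' -and $_.IPAddress -like "$Prefix*" }
if (-not $tunnel) {
    $findings += "Host: no ISATAP interface address under $Prefix (router advertisement not received?)"
}

if ($findings.Count -eq 0) { 'ISATAP configuration looks complete.' } else { $findings }
```

Checks 1 and 2 separate the two ways name resolution fails in this exercise: a record that was never created, and a record that is present but blocked. Check 4 distinguishes a host that resolved the router but did not receive the advertised prefix, which points at the Advertising setting or the route added on LON-RTR rather than at DNS.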
To prepare for the next module
After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.
8-26 Implementing IPv6
Module Review and Takeaways
Review Questions
Question: What is the main difference between 6to4 and Teredo?
Question: How can you provide a DNS server dynamically to an IPv6 host?
Question: Your organization is planning to implement IPv6 internally. After some research, you have identified unique local IPv6 addresses as the correct type of IPv6 addresses to use for private networking. To use unique local IPv6 addresses, you must select a 40-bit identifier that is part of the network. A colleague suggests using all zeros for the 40 bits. Why is this not a good idea?
Question: How many IPv6 addresses should an IPv6 node be configured with?
Best Practice:
Use the following best practices when implementing IPv6:
• Do not disable IPv6 on Windows 8 or Windows Server 2012.
• Enable coexistence of IPv4 and IPv6 in your organization rather than using transition technologies.
• Use unique local IPv6 addresses on your internal network.
• Use Teredo to implement IPv6 connectivity over the IPv4 Internet.
9-1
Module 9 Implementing Local Storage
Contents: Module Overview 9-1
Lesson 1: Overview of Storage 9-2
Lesson 2: Managing Disks and Volumes 9-11
Lesson 3: Implementing Storage Spaces 9-20
Lab: Implementing Local Storage 9-25
Module Review and Takeaways 9-30
Module Overview
Storage is one of the key components that you must consider when planning and deploying Windows Server® 2012 operating systems. Most organizations require a great deal of storage because users work regularly with applications that create new files that need to be stored in a central location. Storage demands increase when users keep their files for longer periods of time. Every time a user logs on to a server, an audit trail is created in an event log, which also uses storage. Even as files are created, copied, and moved, storage is required.
This module introduces you to different storage technologies. It discusses how to implement the storage solutions in Windows Server 2012, and how to use Storage Spaces, a new feature that you can use to combine disks into pools that are then managed automatically.
Objectives
After completing this module you will be able to:
• Explain the various storage technologies.
• Manage disks and volumes.
• Implement Storage Spaces.
9-2 Implementing Local Storage
Lesson 1 Overview of Storage
When you plan a server deployment, one of the key components that you will require is storage. There are various types of storage that you can utilize, from locally attached storage, to storage that is remotely accessed via Ethernet, or even connected with optical fiber. You should be aware of each solution's benefits as well as its limitations.
As you prepare to deploy storage for your environment, you will need to make some important decisions. This lesson addresses questions you might consider, such as the following:
• Does the storage need to be fast?
• Does the storage need to be highly available?
• How much storage does your deployment actually require?
• How much resilience do you need to add to the initial storage requirement to ensure that your investment remains secure in the future?
Lesson Objectives
After completing this lesson, you will be able to:
• Describe disk types and performance.
• Describe direct-attached storage.
• Describe network-attached storage.
• Describe storage area network (SAN).
• Describe Redundant Array of Independent Disks (RAID).
• Describe RAID levels.
Disk Types and Performance
There are various types of disks available that you can use to provide storage to server and client systems. The speed of disks is measured in input/output operations per second (IOPS). The most common types of disks are:
• Enhanced Integrated Drive Electronics (EIDE). EIDE is based on standards that were created in 1986. The Integrated Drive Electronics (IDE) interface supports both the Advanced Technology Attachment 2 (ATA-2) and Advanced Technology Attachment Packet Interface (ATAPI) standards. Enhanced refers to the ATA-2 (Fast ATA) standard, which provides faster transfer rates and allows for multiple channels, each connecting two devices. In practice, the terms EIDE, IDE, and ATA are synonymous. These drives are commonly found connected using a 40-wire cable or 80-wire cable, and can only have two devices chained at any time. Due to the addressing standards of this technology, there is a 128 gigabyte (GB) limitation on storage using EIDE. Further, the speeds of EIDE are limited to a maximum of 133 megabytes (MB) per second. EIDE drives are almost never used on servers today.
20410A: Installing and Configuring Windows Server® 2012 9-3
• Serial Advanced Technology Attachment (SATA). SATA is a computer bus interface, or channel, for connecting the motherboard or device adapters to mass storage devices such as hard disk drives and optical drives. SATA was designed to replace EIDE. It is able to use the same low-level commands, but SATA host adapters and devices communicate via a high-speed serial cable over two pairs of conductors. SATA was introduced in 2003 and can operate at speeds of 1.5, 3.0, and 6.0 GB per second, depending on the SATA revision (1, 2 or 3 respectively). SATA drives are less expensive than other drive options, but also provide less performance. Organizations may choose to deploy SATA drives when they require large amounts of storage, but not high performance. SATA disks are generally low-cost disks that provide mass storage. However, for the lower cost they are also less reliable compared to serial attached SCSI (SAS) disks.
A variation on the SATA interface is eSATA, which is designed to enable high-speed access to externally-attached SATA drives.
• Small computer system interface (SCSI). SCSI is a set of standards for physically connecting and transferring data between computers and peripheral devices. SCSI was originally introduced in 1978 and was designed as an interface on a lower-level communication, subsequently allowing it to take less processing power and perform transactions at higher speeds. SCSI became a standard in 1986. Similar to EIDE, SCSI was designed to run over parallel cables; however, recently the usage has been expanded to run over other mediums. The 1986 parallel specification of SCSI had initial speed transfers of 40 MB per second. The more recent 2003 implementation, Ultra 640 SCSI, also known as Ultra 5, can transfer data at speeds of 5,120 MB per second. SCSI disks provide higher performance than SATA disks, but are also more expensive.
• SAS. SAS is a further implementation of the SCSI standard. SAS depends on a point-to-point serial protocol that replaces the parallel SCSI bus technology, and uses the standard SCSI command set. SAS offers backwards-compatibility with second generation SATA drives. SAS drives are reliable and made for 24 hours a day, seven days a week (24/7) operations in data centers. With up to 15,000 rotations per minute (RPM), these disks are also the fastest traditional hard disks.
• Solid State Drives (SSDs). SSDs are data storage devices that use solid-state memory to store data rather than using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips to store the data and do not contain any moving parts. SSDs provide fast disk access, use less power, and are less susceptible to failure from being dropped than traditional hard disks (such as SAS drives), but are also much more expensive per GB of storage. SSDs typically use a SATA interface so you can usually replace hard disk drives with SSDs without any modifications.
Note: Fibre Channel, FireWire, or USB-attached disks are also available storage options. They define either the transport bus or the disk type. For example, USB-attached disks mostly use SATA or SSD drives to store data.
9-4 Implementing Local Storage
What Is Direct Attached Storage?
Almost all servers provide some built-in storage. This type of storage is referred to as direct attached storage (DAS). DAS can include disks that are physically located inside the server, connected directly with an external array, or disks that are connected to the server with a USB cable or an alternative communications methodology. Primarily, DAS storage is physically connected to the server. Because of this, if the server suffers a power failure, the storage is unavailable. DAS comes in various disk types such as SATA, SAS or SSD, which affect the speed and the performance of the storage, and has both advantages and disadvantages.
Advantages of Using DAS
A typical DAS system is made up of a data storage device that includes a number of hard disk drives that are connected directly to a computer through a host bus adapter (HBA). Between the DAS and the computer, there are no network devices such as hubs, switches, or routers. Instead, the storage is connected directly to the server that utilizes it, making DAS the easiest storage system to deploy and maintain.
DAS is also usually the least expensive storage available today, and is widely available in various speeds and sizes to accommodate various installations. In addition to being inexpensive, DAS is very easy to configure. In most instances, you would simply plug in the device, ensure that the running Windows operating system recognizes it, and then use Disk Management to configure the disks.
Disadvantages of Using DAS
Storing data locally on DAS makes data centralization more difficult because the data is located on multiple servers. This can make it more complex to back up the data and, for users, to locate the data they are looking for. Furthermore, if any one device that has DAS connected to it suffers a power outage, the storage on that computer is unavailable.
DAS also has drawbacks in its access methodologies. Due to the way reads and writes are handled by the server operating system, DAS can be slower than other storage technologies. Another drawback is that DAS shares the processing power and server memory to which it is connected. This means that on very busy servers, disk access may slow when the operating system is overloaded.
20410A: Installing and Configuring Windows Server® 2012 9-5
What Is Network Attached Storage?
Network attached storage (NAS) is storage that is connected to a dedicated storage device and then accessed over the network. NAS is different than DAS in that the storage is not directly attached to each individual server, but rather is accessible across the network to many servers. NAS has two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with SAN.
Each NAS device has a dedicated operating system that solely controls the access to the data on the device, which reduces the overhead associated with sharing the storage device with other server services. An example of NAS software is Windows® Storage Server, a feature of Windows Server 2012.
To enable NAS storage, you need a storage device. Frequently, these devices are appliances that do not have any server interfaces such as keyboards, mice and monitors. Instead, to configure the device, you provide a network configuration and then access the device across the network. You can then create network shares on the device by using the name of the NAS and the share created. These shares are then accessible to users on the network.
Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies are identical; the access method is the only thing that changes. Enterprises often provision storage from the SAN to the servers using FCOE or iSCSI, while NAS services are made available via CIFS and NFS; the disk drives (aggregates) are the same, the methods for writing are the same, and the overhead and reliability are the same.
Advantages of Using NAS
NAS is an ideal choice for organizations that are looking for a simple and cost-effective way to achieve fast data access for multiple clients at the file level. Users of NAS benefit from performance and productivity gains because the processing power of the NAS device is dedicated solely to the distribution of the files.
NAS also fits nicely into the market as a mid-priced solution. It is not expensive, but it suits more needs than DAS in the following ways:
• NAS storage is usually much larger than DAS.
• NAS offers a single location for all critical files, rather than inter-dispersing them on various servers or devices with DAS.
• NAS offers centralized storage at an affordable price.
• NAS units are accessible from any operating system. They often have multi-protocol support and can serve up data via CIFS and NFS at the same time, thus serving Windows and Linux hosts at the same time.
NAS can also be considered a Plug and Play solution that is easy to install, deploy, and manage, with or without IT staff at hand.
Disadvantages of Using NAS
NAS is slower than SAN technologies. NAS is frequently accessed via Ethernet protocols. Because of this, it relies heavily on the network supporting the NAS solution. For this reason, NAS is commonly used as a file sharing/storage solution and cannot (and should not) be used with data-intensive applications such as Microsoft Exchange Server and Microsoft SQL Server®.
9-6 Implementing Local Storage
NAS is affordable for small to mid-size businesses and, similar to DAS, has overheads of an operating system that reads and writes data in different ways than a SAN solution. NAS systems are more frequently prone to the possibility of data loss depending on the size of the data being copied.
NAS is also slower than SAN technologies. NAS is frequently accessed via Ethernet protocols. Because of this, it relies heavily on the network that is supporting the NAS solution. For this reason, NAS is commonly used as a file sharing and storage solution; it cannot and should not be used with data intensive applications such as Microsoft® Exchange Server and Microsoft SQL Server®.
Additional Reading: For more information about Windows Storage Server, see http://go.microsoft.com/fwlink/?LinkID=199647.
What Is a SAN?
The third type of storage is a storage area network (SAN). A SAN is a specialized high speed network that connects computer systems or host servers to high-performance storage subsystems. A SAN usually includes various components such as host bus-adapters (HBAs), special switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage.
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any storage unit. A SAN uses a network like any other network, such as a local area network (LAN). You can, therefore, use a SAN to connect many different devices and hosts to provide access to any device from anywhere.
Unlike DAS or NAS, a SAN is controlled by a hardware device and offers the fastest access to the storage, and offers methods to minimize the overhead (such as using raw disks).
Advantages of Using SAN
SAN technologies read and write at block levels, making data access much faster. For example, with DAS and NAS solutions, if you write a file of 8 GB, the entire file will have to be read/written and its checksum calculated. With SAN, the file is written to the disk based on the block size for which the SAN is set up. This speed is accomplished by fiber access methodologies and block level writing, instead of having to read/write an entire file by using a checksum.
SANs also provide:
• Centralization of storage into a single pool, which enables storage resources and server resources to grow independently. They also enable storage to be dynamically assigned from the pool when it is required. Storage on a given server can be increased or decreased as needed without complex reconfiguring or re-cabling of devices.
• Common infrastructure for attaching storage, which enables a single common management model for configuration and deployment.
• Storage devices that are inherently shared by multiple systems.
• Data transfer directly from device to device without server intervention.
•
D
Threenw
TounInth
op
W
RAst(pstsidethdiav
RAredeorrethse
H
RAfuto
•
•
A high levethrough thesupplies an
Disadvantag
he main drawbequires managntry level SAN
without any SA
o manage a SAnderlying tech
n addition, eachis, organizatio
Note: SANptions are Fibr
What Is RA
AID is a technotorage systemspotentially) higtorage systemsngle logical unepending on the failure of onisks, or providevailable by usi
AID provides aedundancy—theploying Windrganizations, itedundant comhis redundancyerver fails. By i
How RAID W
AID enables faunction even ifolerance:
Disk mirroranother dis
Parity inforthat was stoinformationanother disdata that isdata that w
el of redundane network. As d hard disks.
es of Using
back to SAN tegement tools a
can often cosN disks or con
AN, you often hnology, includh storage vend
ons often have
Ns can be impre Channel and
AID?
ology that yous that provide gh performancs by combiningnit called a RAthe configuratine or more of e higher perfong a single dis
an important chat you can usdows Server 20t is important ponents such y is to ensure tmplementing
Works
ault tolerance bf one or more
ring. With disk sk. If one of the
mation. Parityored on a diskn for each blocsk or across mus still available was stored on t
cy. Most SANswell, the stora
SAN
echnology is thnd expert skill
st as much as anfiguration.
use commandding the LUN sdor often imp
e dedicated pe
plemented usind Internet SCS
u can use to cohigh reliability
ce. RAID impleg multiple diskID array, whicion, can withstthe physical h
ormance than isk.
component—se when plann012 servers. In that the serveas redundant
that the serverRAID, you can
by using additdisks in the su
mirroring, all e disks fails, th
y information isk. If you use thick of data thatultiple disks. Ifon the functio
the failed disk.
s are deployedage device con
hat due to thels. It is also cona fully loaded s
d-line tools. Yosetup, the Fibrlements SANs
ersonnel whose
ng a variety of I (iSCSI).
onfigure y and ments ks into a h, tand ard is
ing and most rs are availablepower supplie
r remains availn provide the s
tional disks to ubsystem fail. R
of the informahe other disk is
s used in the eis option, the st is written to tf one of the disonal disks alon
20410A: Instal
d with multiplentains redunda
e complexities nsiderably moserver with a D
ou must have are Channel bacusing differen
e only job is to
technologies.
e all of the times, and redundable even whe
same level of r
ensure that thRAID uses two
ation that is ws still available
event of a diskserver or RAIDthe disks, and sks in the RAID
ng with the par
lling and Configuring
e network deviant componen
in the configure expensive t
DAS or an NAS
a firm understck end, the blont tools and feo manage the
The most com
me. Most servedant network aen a single comredundancy fo
he disk subsyst options for en
written to one d.
k failure to calcD controller cal
then stores thD array fails, thrity informatio
g Windows Server®
ices and pathsts such as pow
uration, SAN ofhan DAS or NAS device, and t
anding of the ock sizing, andatures. BecausSAN deploym
mmon
ers provide higadapters. The gmponent on thr the storage s
tem can continnabling fault
disk is also writ
culate the infolculates the pa
his informationhe server can uon to recreate
2012 9-7
s wer
ften AS; an that is
d so on. se of ent.
hly-goal of he system.
nue to
tten to
rmation arity n on use the the
9-8 Implementing Local Storage
RAID subsystems can also provide potentially better performance than single disks by distributing disk reads and writes across multiple disks. For example, when implementing disk striping, the server can read information from all hard disks in the stripe set. When combined with multiple disk controllers, this can provide significant improvements in disk performance.
Note: Although RAID can provide a greater level of tolerance for disk failure, you should not use RAID to replace traditional backups. If a server has a power surge or catastrophic failure and all of the disks fail, then you would still need to rely on standard backups.
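The parity option described above, modelled in Windows PowerShell as an added example (not course code): one byte block per data disk of a four-disk RAID 5 set, XOR parity computed for the stripe, and recovery of one lost block from the surviving blocks plus parity. The block contents are constructed sample strings; a real controller works on fixed-size sectors and rotates the parity block across disks.

```powershell
# Added example; not from the course. XOR parity for one stripe, then rebuild of a
# lost block, as a RAID 5 controller does for every stripe it stores.
function Get-ParityBlock {
    param([Parameter(Mandatory)][object[]]$Blocks)   # an array of byte[] blocks
    $length = $Blocks[0].Length
    $parity = New-Object byte[] $length
    foreach ($block in $Blocks) {
        if ($block.Length -ne $length) { throw 'All blocks in a stripe must be the same size.' }
        for ($i = 0; $i -lt $length; $i++) {
            $parity[$i] = $parity[$i] -bxor $block[$i]
        }
    }
    return ,$parity   # the leading comma stops PowerShell from unrolling the array
}

function Restore-MissingBlock {
    param([Parameter(Mandatory)][object[]]$SurvivingBlocks,
          [Parameter(Mandatory)][byte[]]$Parity)
    # XOR is its own inverse: parity XOR every surviving data block gives back the
    # block that was stored on the failed disk.
    return ,(Get-ParityBlock -Blocks ($SurvivingBlocks + ,$Parity))
}

$enc   = [System.Text.Encoding]::ASCII
$disk0 = $enc.GetBytes('Block-00')   # constructed sample data for data disks 0-2
$disk1 = $enc.GetBytes('Block-01')
$disk2 = $enc.GetBytes('Block-02')

# Write phase: data goes to disks 0-2, the parity block for this stripe to disk 3.
$disk3 = Get-ParityBlock -Blocks $disk0, $disk1, $disk2

# Failure phase: disk 1 is lost; rebuild its block from disks 0, 2 and the parity disk.
$rebuilt = Restore-MissingBlock -SurvivingBlocks $disk0, $disk2 -Parity $disk3
$enc.GetString($rebuilt)                                                        # Block-01
"Rebuilt block matches original: $(@(Compare-Object $disk1 $rebuilt).Count -eq 0)"   # True

# Losing a second disk in the same stripe leaves nothing to XOR against, which is
# why single parity tolerates exactly one failure and RAID 6 adds a second parity block.
```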
Hardware RAID vs. Software RAID
You implement hardware RAID by installing a RAID controller in the server, and then configuring RAID by using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden from the operating system while the RAID arrays are exposed to the operating system as single disks. The only configuration you need to perform in the operating system is to create volumes on the disks.
Software RAID is implemented by exposing all of the disks available on the server to the operating system and then configuring RAID from within the operating system. Windows Server 2012 supports the use of software RAID, and you can use Disk Management to configure several different levels of RAID.
When choosing to implement hardware or software RAID, consider the following:
• Hardware RAID requires disk controllers that are RAID-capable. Most disk controllers shipped with new servers have this functionality.
• To configure hardware RAID, you need to access the disk controller management program. Normally, you can access this during the server boot process or by using a web page that runs management software.
• Implementing disk mirroring for the disk containing the system and boot volume with software RAID can require additional configuration when a disk fails. Because the RAID configuration is managed by the operating system, you must configure one of the disks in the mirror as the boot disk. If that disk fails, you may need to modify the boot configuration for the server to start the server. This is not an issue with hardware RAID, because the disk controller will access the available disk and expose it to the operating system.
• In older servers, you may get better performance with software RAID when using parity because the server processor can calculate parity more quickly than the disk controller can. This is no longer an issue with newer servers, where you may get better performance on the server because you can offload the parity calculations to the disk controller.
Question: Should all disks be configured with the same amount of fault tolerance?
RAID Levels

When implementing RAID, you need to decide what level of RAID to implement. The most common RAID levels are RAID 1 (also known as mirroring), RAID 5 (also known as striped set with distributed parity) and RAID 1+0 (also known as mirrored set in a stripe set). The table below lists the features for each different RAID level.

| Level | Description | Performance | Space utilization | Redundancy | Comments |
|---|---|---|---|---|---|
| RAID 0 | Striped set without parity or mirroring. Data is written sequentially to each disk | High read and write performance | All space on the disks is available | A single disk failure results in the loss of all data | Use only in situations where you require high performance and can tolerate data loss |
| RAID 1 | Mirrored set without parity or striping. Data is written to both disks simultaneously | Good performance | Can only use the amount of space that is available on the smallest disk | Can tolerate a single disk failure | Frequently used for system and boot volumes with hardware RAID |
| RAID 2 | Data is written in bits to each disk with parity written to a separate disk or disks | Extremely high performance | One or more disks used for parity | Can tolerate a single disk failure | Requires that all disks be synchronized. Not currently used |
| RAID 3 | Data is written in bytes to each disk with parity written to a separate disk or disks | Very high performance | One disk used for parity | Can tolerate a single disk failure | Requires that all disks be synchronized. Rarely used |
| RAID 4 | Data is written in blocks to each disk with parity written to a dedicated disk | Good read performance, poor write performance | One disk used for parity | Can tolerate a single disk failure | Rarely used |
| RAID 5 | Striped set with distributed parity. Data is written in blocks to each disk with parity spread across all disks | Good read performance, poor write performance | The equivalent of one disk used for parity | Can tolerate a single disk failure | Commonly used for data storage where performance is not critical, but maximizing disk usage is important |
| RAID 6 | Striped set with dual distributed parity. Data is written in blocks to each disk with double parity written across all disks | Good read performance, poor write performance | The equivalent of two disks used for parity | Can tolerate two disk failures | Commonly used for data storage where performance is not critical but maximizing disk usage and availability are important |
| RAID 0+1 | Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is mirrored | Very good read and write performance | Only half the disk space is available due to mirroring | Can tolerate the failure of two or more disks as long as all failed disks are in the same striped set | Not commonly used |
| RAID 1+0 | Mirrored set in a stripe set. Several drives are mirrored to a second set of drives, and then one drive from each mirror is striped | Very good read and write performance | Only half the disk space is available due to mirroring | Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail | Frequently used in scenarios where performance and redundancy are critical, and the cost of the required additional disks is acceptable |
20410A: Installing and Configuring Windows Server® 2012 9-11

Lesson 2
Managing Disks and Volumes

Identifying which storage technology you will want to deploy is the first critical step in making sure that your environment is prepared for data storage requirements. This, however, is only the first step. There are other steps that you will need to take to prepare for data storage requirements.

For example, once you have identified the best storage solution, or have chosen a mix of storage solutions, you need to figure out the best way to manage that storage. Ask yourself the following questions:

• What disks will you allocate to a storage pool?
• Will the type of file systems be the same for all disks?

This lesson addresses these and similar questions, including why it is important to manage disks, and what tools you need to manage disks.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe selecting a partition table format.
• Describe the difference between basic and dynamic disk types.
• Explain a resilient file system.
• Describe how to select a file system.
• Explain mount points and links.
• Create mount points and links.
• Describe the process of extending and shrinking volumes.

Selecting a Partition Table Format

A partition table format, or partition style, refers to the method that an operating system such as Windows Server 2012 uses to organize partitions or volumes on a disk. For Windows operating systems, you can decide between master boot record (MBR) and GUID partition table (GPT).

MBR

The MBR partition table format is the standard partitioning scheme that has been used on hard disks since the first personal computers came out in the 1980s. The MBR partition table format has the following characteristics:

• Supports a maximum of four primary partitions per drive
• A partition can have a maximum of 2 terabytes (TB) (2.19 x 10^12 bytes)
• If you initialize a disk larger than 2 TB using MBR, the disks are only able to store volumes up to 2 TB and the rest of the storage will not be used. You must convert the disk to GPT if you want to use all of its space.

9-12 Implementing Local Storage

Note: You should use the MBR partition table format for disk drives that never surpass 2 TB in size. This provides you with a bit more space because GPT requires more disk space than MBR.

GPT

GPT was introduced with Windows Server 2003 and Windows® XP 64-bit Edition to overcome the limitations of MBR, and to address larger disks. GPT has the following characteristics:

• GPT is the successor of the MBR partition table format
• Supports a maximum of 128 partitions per drive
• A partition can have up to 8 zettabytes (ZB)
• A hard disk can have up to 18 exabytes (EB), with 512 kilobytes (KB) logical block addressing (LBA)

Note: If your hard disk is larger than 2 TB, you should use the GPT partition table format.

Additional Reading: For frequently asked questions about the GUID partitioning table disk architecture, see http://support.microsoft.com/kb/302873.

Selecting a Disk Type

When selecting a type of disk for use in Windows Server 2012, you can choose between basic disks and dynamic disks.

Basic Disk

Basic storage uses normal partition tables that are used by all versions of the Windows operating system. A disk that is initialized for basic storage is called a basic disk. A basic disk contains basic partitions, such as primary partitions and extended partitions. You can subdivide extended partitions into logical drives.

By default, when you initialize a disk in Windows, the disk is configured as a basic disk. You can easily convert basic disks to dynamic disks without any loss of data; however, when converting a dynamic disk to a basic disk, all data on the disk will be lost.

Some applications cannot address data that is stored on dynamic disks. There is also no performance gain by converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic disks to dynamic disks unless they need to use some of the additional volume configuration options that are available with dynamic disks.

Dynamic Disk

Dynamic storage is supported in all Windows operating systems including the Windows XP operating systems and the Microsoft Windows NT® Server 4.0 operating system. A disk that is initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows operating systems.

When you configure dynamic disks, you create volumes rather than partitions. A volume is a storage unit that is made from free space on one or more disks. You can format the volume with a file system, and can assign a drive letter or configure it with a mount point.
20410A: Installing and Configuring Windows Server® 2012 9-13
The following is a list of the dynamic volumes that are available:
• Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk, or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or on to additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored, and is not fault-tolerant; therefore, if you lose one disk, you will lose the entire spanned volume.
• Striped volumes. A striped volume has data that is spread across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended, and is not fault-tolerant. This means that the loss of one disk causes the immediate loss of all the data. Striping is also known as RAID-0.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume that has all data duplicated onto two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume that has data striped across a minimum of three or more disks. Parity is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
Required Disk Volumes
Regardless of which type of disk you use, you must configure both a system volume and a boot volume on one of the hard disks in the server:
• System volumes. The system volume contains the hardware-specific files that are needed to load the Windows operating system (for example, Bootmgr and BOOTSECT.bak). The system volume can—but does not have to—be the same as the boot volume.
• Boot volumes. The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can—but does not have to—be the same as the system volume.
Note: When you install the Windows 8 operating system or the Windows Server 2012 operating system in a clean installation, a separate system volume is created to enable encrypting the boot volume by using Windows BitLocker® drive encryption.
Additional Reading: For more information about how basic disks and volumes work, see http://go.microsoft.com/fwlink/?LinkID=199648.
For more information about dynamic disks and volumes, see http://go.microsoft.com/fwlink/?LinkID=199649.
9-14 Implementing Local Storage

Selecting a File System

When you configure your disks in Windows Server 2012, you can choose between the FAT, NTFS, and ReFS file systems.

File Allocation Table (FAT)

The file allocation table (FAT) is the most simplistic of the file systems that Windows operating systems support. The FAT file system is characterized by a table that resides at the very top of the volume. To protect the volume, two copies of the FAT file system are maintained in case one becomes damaged. In addition, the file allocation tables and the root directory must be stored in a fixed location so that the system's boot files can be correctly located.

A disk formatted with FAT is allocated in clusters, whose sizes are determined by the size of the volume. When a file is created, an entry is created in the directory, and the first cluster number containing data is established. This entry in the table either indicates that this is the last cluster of the file, or points to the next cluster. There is no organization to the FAT directory structure, and files are given the first open location on the drive.

Because of the size limitation with the file allocation table, the original release of FAT could only access partitions that were less than 2 GB in size. To enable larger disks, Microsoft developed FAT32. FAT32 supports partitions of up to 2 TB.

FAT does not provide any security for files on the partition. You should never use FAT or FAT32 as the file system for disks attached to Windows Server 2012 servers. You might consider using FAT or FAT32 to format external media such as USB flash media.

exFAT (Extended FAT) is a file system designed especially for flash drives. It can be used where FAT32 is not suitable, such as when you need a disc format that works with a television, which requires a disc that is larger than 2 TB. exFAT is supported in a number of media devices, such as modern flat panel TVs, media centers, and portable media players.

NTFS

NTFS is the standard file system for all Windows operating systems beginning with Windows NT Server 4.0. Unlike FAT, there are no special objects on the disk, and there is no dependence on the underlying hardware, such as 512-byte sectors. In addition, in NTFS there are no special locations on the disk, such as the tables.

NTFS is an improvement over FAT in several ways, such as better support for metadata, and the use of advanced data structures to improve performance, reliability, and disk space utilization. NTFS also has additional extensions such as security access control lists (ACLs), which you can use for auditing, file system journaling, and encryption.

NTFS is required for a number of Windows Server 2008 R2 roles and features such as Active Directory® Domain Services (AD DS), Volume Shadow Services (VSS), Distributed File System (DFS) and File Replication Services (FRS). NTFS also provides a much higher level of security than FAT or FAT32.

Resilient File System (ReFS)

The Resilient File System (ReFS) was introduced with Windows Server 2012 to enhance the capabilities of NTFS. ReFS was developed to improve upon NTFS by offering larger maximum sizes for individual files, directories, disk volumes, and other items. Additionally, ReFS offers greater resiliency, meaning better data verification, error correction, and scalability.

20410A: Installing and Configuring Windows Server® 2012 9-15

ReFS uses features from NTFS, and is designed to maintain backward compatibility with its older Windows operating system versions. Windows 8 clients or older Windows client operating systems can read and write to ReFS hard-drive partitions and to shares on a server, just as they can with those running NTFS.

You should use ReFS with very large volumes and very large file shares to overcome the NTFS limitation of only error checking and correction. Because ReFS was not available prior to Windows Server 2012 (the only choice was NTFS), it makes sense to use ReFS with Windows Server 2012 instead of NTFS to achieve better error checking, better reliability, and less corruption.

Additional Reading: For more information on how FAT works, see http://go.microsoft.com/fwlink/?LinkID=199652. For more information on how NTFS works, see http://go.microsoft.com/fwlink/?LinkID=199654.

Question: What file system do you currently use on your file server? Will you continue to use it?

What Is a Resilient File System?

The Resilient File System (ReFS) is a new feature in Windows Server 2012. ReFS is based on the NTFS file system, and provides the following advantages:

• Metadata integrity with checksums
• Expanded protection against data corruption
• Maximizes reliability, especially during a loss of power (while NTFS has been known to experience corruption in similar circumstances)
• Large volume, file, and directory sizes
• Storage pooling and virtualization, which makes creating and managing file systems easier
• Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance
• Disk scrubbing for protection against latent disk errors
• Resiliency to corruptions with recovery for maximum volume availability
• Shared storage pools across machines for additional failure tolerance and load balancing

ReFS inherits some features from NTFS, including the following:

• BitLocker drive encryption
• Access-control lists for security
• Update sequence number (USN) journal
• Change notifications
• Symbolic links, junction points, mount points and reparse points
• Volume snapshots
• File IDs

9-16 Implementing Local Storage

Because ReFS uses a subset of features from NTFS, it is designed to maintain backward compatibility with NTFS. Therefore, Windows 8 clients or older Windows client operating systems can read and write to ReFS hard-drive partitions and shares on a server, just as they can with those running NTFS. However, as implied in its name, the new file system offers greater resiliency, meaning better data verification, error correction, and scalability.

Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for individual files, directories, disk volumes, and other items, as listed in the following table.

| Attribute | Limit |
|---|---|
| Maximum size of a single file | ~16 exabytes (EB) (18.446.744.073.709.551.616 bytes) |
| Maximum size of a single volume | 2^78 bytes with 16 KB cluster size (2^64 * 16 * 2^10); Windows stack addressing allows 2^64 bytes |
| Maximum number of files in a directory | 2^64 |
| Maximum number of directories in a volume | 2^64 |
| Maximum file name length | 32,000 Unicode characters |
| Maximum path length | 32,000 |
| Maximum size of any storage pool | 4 petabytes (PB) |
| Maximum number of storage pools in a system | No limit |
| Maximum number of spaces in a storage pool | No limit |

What Are Mount Points and Links?

With the NTFS and ReFS file systems, you can create mount points and links to refer to files, directories, and volumes.

Mount Points

Mount points are used in Windows operating systems to make a portion of a disk or the entire disk useable by the operating system. Most commonly, mount points are associated with drive letter mappings so that the operating system can gain access to the disk through the drive letter.

Since the Microsoft Windows 2000 Server operating system was first introduced, you have been able to enable volume mount points, which you can use to mount a hard disk to an empty folder that is located on another drive. For example, if you add a new hard disk to a server, rather than mounting the drive using a drive letter, you can assign a folder name such as C:\datadrive to the drive. When you do this, any time you access the C:\datadrive folder, you are actually accessing the new hard disk.
20410A: Installing and Configuring Windows Server® 2012 9-17
Volume mount points can be useful in the following scenarios:
• If you are running out of drive space on a server and you want to add disk space without modifying the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
• If you are running out of available letters to assign to partitions or volumes. If you have several hard disks that are attached to the server, you may run out of available letters in the alphabet to which to assign drive letters. By using a volume mount point, you can add additional partitions or volumes without using more drive letters.
• If you need to separate disk input/output (I/O) within a folder structure. For example, if you are using an application that requires a specific file structure, but which uses the hard disks extensively, you can separate the disk I/O by creating a volume mount point within the folder structure.
Note: You can assign volume mount points only to empty folders on an NTFS partition. This means that if you want to use an existing folder name, you must first rename the folder, create and mount the hard disk using the required folder name, and then copy the data to the mounted folder.
Links
A link is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path. Windows supports the following two types of links:
• A symbolic file link (also known as a soft link)
• A symbolic directory link (also known as a directory junction)
A link which is stored on a server share could refer back to a directory on a client that is not actually accessible from the server where the link is stored. Because the link processing is done from the client, the link would work correctly to access the client, even though the server cannot access the client.
Links operate transparently: applications that read or write to files that are named by a link behave as if they are operating directly on the target file. For example, you can use a symbolic link to link to a Hyper-V® parent virtual hard disk file from another location. Hyper-V uses the link to work with the parent virtual hard drive (VHD) as it would use the original file. The benefit of using symbolic links is that you do not need to modify the properties of your differencing VHD.
Note: In Hyper-V, you can use a differencing virtual hard disk (VHD) to save space by making changes only to the child VHD, when the child VHD is part of a parent/child VHD relationship.
Links are sometimes easier to manage than mount points. Mount points force you to place the files on the root of the volumes, whereas with links you can be more flexible with where you save files.
You can create links in a Windows Explorer window, or by using the mklink.exe tool in a command-line interface window.
9-18 Implementing Local Storage
Demonstration: Creating Mount Points and Links
In this demonstration, you will see how to create a mount point and then assign it to a folder. Then you will see the process of creating a link between folders and a link for a file, and see how to use both links.
Demonstration Steps
Create a mount point
1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. Open Computer Management, and then expand Disk Management.
3. In Disk Management, initialize Disk2 with GPT (GUID Partition Table).
4. On Disk 2, create a Simple Volume with the following parameters:
o Size: 4000 MB
o Do not assign a drive letter or drive path
o File system: NTFS
o Volume label: MountPoint
5. Wait until the volume is created, right-click MountPoint, and then click Change Drive Letter and Paths.
6. Change the drive letter as follows:
o Mount in the following empty NTFS folder
o Create new Folder C:\MountPointFolder and use it as mount point.
7. On the taskbar, open a Windows Explorer window, and then click Local Disk (C:). You should now see the MountPointFolder with a size of 4,095,996 KB assigned to it. Notice the icon that is assigned to the mount point.
Create a link between folders
1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32 with the name System32 Shortcut.
2. In Windows Explorer, in the right pane, double-click System32 Shortcut. Notice how the shortcut path changes automatically to the correct path in the Address bar.
Create a link for a file
1. In Windows Explorer, on drive C, create a shortcut to C:\Windows\System32\mspaint.exe and name it Paint Shortcut.
2. In Windows Explorer, in the right pane, double-click Paint Shortcut. Note how the link opens Paint. Using links can be very useful if you want to refer to a file such as a virtual hard disk that is located on another drive.
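The same mount point, built from a PowerShell session instead of Disk Management, plus two real links created with mklink.exe and a listing that shows where each link on the volume resolves. This is an added example, not part of the course demonstration; it assumes disk 2 is blank, as in the demonstration, and that the session is elevated (mklink needs the create-symbolic-link privilege).

```powershell
# Added example; not course code. Uses the Storage module cmdlets that ship with
# Windows Server 2012 and the mklink.exe built-in of cmd.exe.
$diskNumber  = 2                      # blank disk from the demonstration (assumption)
$mountFolder = 'C:\MountPointFolder'

# Bring the disk online, initialize it as GPT and create a 4000 MB NTFS volume with
# no drive letter (New-Partition assigns none unless -AssignDriveLetter is given).
Set-Disk -Number $diskNumber -IsOffline $false
Initialize-Disk -Number $diskNumber -PartitionStyle GPT
$partition = New-Partition -DiskNumber $diskNumber -Size 4000MB
$partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'MountPoint' -Confirm:$false | Out-Null

# A volume mount point can only be assigned to an empty folder on an NTFS volume,
# so create the folder and refuse to continue if anything is already inside it.
New-Item -Path $mountFolder -ItemType Directory -Force | Out-Null
if (@(Get-ChildItem -Path $mountFolder -Force).Count -ne 0) {
    throw "$mountFolder is not empty; rename it and create an empty folder before mounting."
}
Add-PartitionAccessPath -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber -AccessPath $mountFolder

# Verify: the folder now appears among the partition's access paths.
(Get-Partition -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber).AccessPaths

# Links: a directory symbolic link to System32 and a file symbolic link to mspaint.exe
# (names are constructed for this example).
cmd /c mklink /D "C:\System32Link" "C:\Windows\System32"
cmd /c mklink "C:\PaintLink.exe" "C:\Windows\System32\mspaint.exe"

# dir /AL lists only reparse points (<SYMLINK>, <SYMLINKD>, <JUNCTION>) with their
# targets in brackets; the mount point shows up as a junction to a \??\Volume{...} path.
# Reviewing this listing is how to confirm that every link on a shared volume points
# where you expect.
cmd /c dir /AL C:\
```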
Extending and Shrinking Volumes

In versions of Windows prior to Windows Server 2003 or Windows Vista®, you required additional software to shrink or extend a volume on your disk. Since Windows Server 2003 and Windows Vista, this functionality is included in the Windows operating system, so you can use the Disk Management snap-in to resize NTFS volumes.

When you want to resize a volume, you must be aware of the following:

• You only have the ability to shrink or extend NTFS volumes. FAT, FAT32 or exFAT volumes cannot be resized.

• You can only extend ReFS volumes, not shrink them.

• To extend a volume, the available disk space must be adjacent to the volume that is extended. If free space is not adjacent to the volume, you will not be able to extend the disk.

• You can extend a volume using free space on the same disk as well as other disks. When you extend a volume onto other disks, you create a dynamic disk with a spanned volume. In a spanned volume, if one disk fails, all data on the volume is lost. Also, a spanned volume cannot contain boot or system partitions, thus you cannot extend your boot partition by using another disk.

• When you want to shrink a partition, immovable files such as page files are not relocated. This means that you cannot reclaim space beyond the location where these files are on the volume. If you have the requirement to shrink a partition more, you need to delete or move the immovable files. For example, you can remove the page file, shrink the volume, and then add the page file back again.

Note: As a best practice for shrinking volumes, you should defragment the files on the volume before you shrink it. This method returns the maximum amount of free disk space. During the defragment process, you can identify any immovable files.

• If bad clusters are found on the partition, you will not be able to shrink it.

To modify a volume, you can use Disk Management, the Diskpart.exe tool, or the Resize-Partition cmdlet.

Additional Reading: For more information about how to extend a basic volume, see http://technet.microsoft.com/de-de/library/cc771473. For more information about how to shrink a basic volume, see http://technet.microsoft.com/de-de/library/cc731894.
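The rules above, applied with the Resize-Partition cmdlet the topic mentions, as an added example that is not part of the course text. It assumes the two volumes from Lab Exercise 1 exist (F: formatted NTFS, G: formatted ReFS) and that the session is elevated. Get-PartitionSupportedSize reports the range the operating system will accept, so the immovable-file and adjacent-free-space limits are checked before anything is changed.

```powershell
# Added example, not from the 20410A course text. Assumes F: (NTFS) and G: (ReFS) exist
# as created in Lab Exercise 1 and that the session is elevated.

function Get-ResizeLimits {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)
    # SizeMin is the smallest size the volume can shrink to given where immovable files
    # (page file, MFT mirror, ...) sit; SizeMax is the current size plus the free space
    # that immediately follows the partition, which is all an extend can use.
    $part  = Get-Partition -DriveLetter $DriveLetter
    $limit = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    [pscustomobject]@{
        DriveLetter = $DriveLetter
        FileSystem  = (Get-Volume -DriveLetter $DriveLetter).FileSystem
        CurrentGB   = [math]::Round($part.Size     / 1GB, 2)
        MinGB       = [math]::Round($limit.SizeMin / 1GB, 2)
        MaxGB       = [math]::Round($limit.SizeMax / 1GB, 2)
    }
}

function Resize-VolumeSafely {
    param(
        [Parameter(Mandatory=$true)][string]$DriveLetter,
        [Parameter(Mandatory=$true)][uint64]$NewSize
    )
    $vol   = Get-Volume    -DriveLetter $DriveLetter
    $part  = Get-Partition -DriveLetter $DriveLetter
    $limit = Get-PartitionSupportedSize -DriveLetter $DriveLetter

    # FAT/FAT32/exFAT cannot be resized at all; ReFS can be extended but not shrunk.
    if ($vol.FileSystem -in 'FAT', 'FAT32', 'exFAT') {
        throw "${DriveLetter}: $($vol.FileSystem) volumes cannot be resized"
    }
    if ($vol.FileSystem -eq 'ReFS' -and $NewSize -lt $part.Size) {
        throw "${DriveLetter}: ReFS volumes cannot be shrunk"
    }
    # Outside this range the request fails: below SizeMin an immovable file or a bad cluster
    # is in the way (defragment first, or move the page file); above SizeMax the free space
    # is not adjacent to the partition.
    if ($NewSize -lt $limit.SizeMin -or $NewSize -gt $limit.SizeMax) {
        throw ('{0}: requested {1:N0} bytes is outside the supported range {2:N0}..{3:N0}' -f
               $DriveLetter, $NewSize, $limit.SizeMin, $limit.SizeMax)
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $NewSize
    Get-Partition -DriveLetter $DriveLetter | Select-Object DriveLetter, Size
}

# Exercise 2 from the command line: shrink F: by 1000 MB, then extend G: by 1000 MB.
Get-ResizeLimits -DriveLetter F
Resize-VolumeSafely -DriveLetter F -NewSize ((Get-Partition -DriveLetter F).Size - 1000MB)
Get-ResizeLimits -DriveLetter G
Resize-VolumeSafely -DriveLetter G -NewSize ((Get-Partition -DriveLetter G).Size + 1000MB)
```

Run Get-ResizeLimits first whenever a shrink is refused: a MinGB close to CurrentGB on an NTFS volume almost always means the page file or another unmovable file sits near the end of the volume.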
Lesson 3: Implementing Storage Spaces

Managing physical disks that are attached directly to a server has proven to be a tedious task for administrators. To overcome this problem, many organizations used SANs that essentially grouped physical disks together. SANs require special configuration, however, and sometimes special hardware, which makes them expensive. To overcome these issues, you can use Storage Spaces, which is a Windows Server 2012 feature that pools disks together and presents them to the operating system as a single disk. This lesson explains how to configure and implement the Storage Spaces feature.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the use of Storage Spaces.
• Describe various options for configuring virtual disks.
• Describe advanced management options for Storage Spaces.
• Configure Storage Spaces.

What Is the Storage Spaces Feature?

Storage Spaces is a storage virtualization capability that is built into Windows Server 2012 and Windows 8. It is a feature that is available for both NTFS and ReFS volumes, and that provides redundancy and pooled storage for numerous internal and external drives of differing sizes and interfaces. You can use Storage Spaces to add physical disks of any type and size to a storage pool, and then create highly available virtual disks from it. The primary advantage of Storage Spaces is that you do not manage single disks, but can manage multiple disks as one unit.

To create a highly available virtual disk, you need the following:

• Disk drive. This is a volume that you can access from your Windows operating system, for example, by using a drive letter.

• Virtual disk (or storage space). This is very similar to a physical disk from the perspective of users and applications. However, virtual disks are more flexible because they include thin provisioning or just-in-time (JIT) allocations, and they include resiliency to physical disk failures with built-in functionality such as mirroring.
• Storage pool. A storage pool is a collection of one or more physical disks that you can use to create virtual disks. You can add to a storage pool any available physical disk that is not formatted or attached to another storage pool.

• Physical disk. Physical disks are disks such as SATA or SAS disks. If you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:
o One physical disk is required to create a storage pool; a minimum of two physical disks is required to create a resilient mirror virtual disk.
o A minimum of three physical disks are required to create a virtual disk with resiliency through parity.
o Three-way mirroring requires at least five physical disks.
o Disks must be blank and unformatted; no volume must exist on them.
o Disks can be attached using a variety of bus interfaces including iSCSI, SAS, SATA, SCSI, and USB. If you want to use failover clustering with storage pools, you cannot use SATA, USB or SCSI disks.

Virtual Disk Configuration Options

You can create virtual disks from storage pools. If your storage pool contains more than one disk, you can also create redundant virtual disks. To configure virtual disks or Storage Spaces in Server Manager or Windows PowerShell, you need to consider the redundancy functionality shown in the following table.

Feature Description
Storage layout This feature defines the number of disks from the storage pool that are allocated. Valid options include:
• Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data is segmented across all disks in a way that access to these sequential segments can be made to different physical storage drives. Striping makes it possible to access multiple segments of data concurrently. Do not host important data on a simple volume, because it provides no failover capabilities when the disk that is storing the data fails.
• Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they host (two data copies for two-way mirrors and three data copies for three-way mirrors). Duplication happens with every write to ensure that all data copies are always current. Mirror spaces also stripe the data across multiple physical drives. Mirror spaces provide the benefit of greater data throughput and lower access latency. They also do not introduce a risk of corrupting at-rest data, and do not require the extra journaling stage when writing data.
• Parity. A parity space is very similar to a simple space. Data, along with parity information, is striped across multiple physical drives. Parity enables Storage Spaces to continue to service read and write requests even when a drive has failed. Parity is always rotated across available disks to enable I/O optimization. Storage spaces require a minimum of three physical drives for parity spaces. Parity spaces have increased resiliency through journaling.
Disk sector size A storage pool’s sector size is set when it is created. If the list of drives being used contains only 512 and/or 512e drives, then the pool is defaulted to 512e. If, however, the list contains at least one 4-KB drive, then the pool sector size is defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size that all contained spaces in the pool will inherit. After an administrator defines this, the Windows operating system will only permit you to add drives that have a compliant sector size, that is: 512 or 512e for a 512e storage pool, and 512, 512e, or 4 KB for a 4-KB pool.
Drive allocation This defines how the drive is allocated to the pool. Options are:
• Data Store. This is the default allocation when any drive is added to a pool. Storage spaces can automatically select available capacity on data-store drives for both storage space creation and JIT allocation.
• Manual. Administrators can choose to specify manual as the usage type for drives that are added to a pool. A manual drive is not used automatically as part of a storage space unless it is specifically selected at the creation of that storage space. This usage property makes it possible for administrators to specify particular types of drives for use by only certain Storage Spaces.
• Hot Spare. Drives added as Hot-Spares to a pool are reserve drives that are not used in the creation of a storage space. If a failure occurs on a drive that is hosting columns of a storage space, a reserve drive is called upon to replace the failed drive.
Provisioning schemes You can provision a virtual disk by using two different schemes:
• Thin provisioning space. Thin provisioning is a mechanism that allows storage to be easily allocated on a just-enough and JIT basis. Storage capacity in the pool is organized into provisioning slabs that are not allocated until the point in time when datasets grow to require the storage. As opposed to the traditional fixed storage allocation method—where large pools of storage capacity are allocated but may remain unused—thin provisioning optimizes utilization of available storage. Organizations are also able to save on operating costs such as electricity and floor space that are associated with keeping unused drives operating. The downside of using thin provisioning is lower performance of your disks.
• Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also employ the flexible provisioning slabs. The difference between thin provisioning and a fixed provisioning space is that the storage capacity in the fixed provisioning space is allocated at the same time that the space is created.
Cluster disk requirement Failover clustering prevents interruption to workloads or data in the event of a machine failure. For a pool to support failover clustering, all assigned drives must support a multi-initiator protocol, such as SAS.
Note: You can use Storage Spaces to create both thin and fixed provisioning virtual disks within the same storage pool. Having both provisioned types in the same storage pool is convenient, particularly when they are related to the same workload. For example, you can choose to have a thin provisioning space to host a database and a fixed provisioning space to host its log.
Question: What do you call a virtual disk that is larger than the amount of disk space available on the physical disks portion of the storage pool?

Advanced Management Options for Storage Spaces

Server Manager provides you with basic management of virtual disks and storage pools. In Server Manager, you can create storage pools, add and remove physical disks from pools, and create, manage, and delete virtual disks. For example, in Server Manager you can view the physical disks that are attached to a virtual disk, and Server Manager will display if any of these disks are unhealthy.

Failed disks in a virtual disk or storage pool are corrected by removing the disk that is causing the problem. Tools such as defragmenting, scan disk or chkdsk do not apply for repairing a storage pool. To replace a failed disk, you add a new disk to the pool. The new disk will automatically resynchronize when disk maintenance occurs. This will occur during daily maintenance, or you can trigger it manually.

Windows PowerShell® provides advanced management options for virtual disks and storage pools. Some examples of the command-line interfaces are listed in the following table.

Windows PowerShell cmdlet Description
Get-StoragePool Lists storage pools
Get-VirtualDisk Lists virtual disks
Repair-VirtualDisk Repairs a virtual disk
Get-PhysicalDisk | Where {$_.HealthStatus –ne "Healthy"} Lists unhealthy physical disks
Reset-PhysicalDisk Resets the status of a failed physical disk so that it can be returned to service (to take a disk out of a storage pool, use Remove-PhysicalDisk)
Get-VirtualDisk | Get-PhysicalDisk Lists physical disks that are used for a virtual disk

Additional Reading: To learn more about storage cmdlets in Windows PowerShell, see http://technet.microsoft.com/en-us/library/hh848705.aspx.

Demonstration: Configuring Storage Spaces
In this demonstration, you will see how to create a storage pool, a simple virtual disk, and a volume.
Demonstration Steps
Create a storage pool
1. On LON-SVR1, in Server Manager, access File and Storage Services and Storage Pools.
2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and add all of the available disks.
Create a simple virtual disk and a volume
1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
o Storage pool: StoragePool1
o Disk name: Simple vDisk
o Storage layout: Simple
o Provisioning type: Thin
o Size: 2 GB
2. On the View results page, wait until the creation is completed, make sure the Create a volume when this wizard closes check box is selected.
3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Simple vDisk
o File system: ReFS
o Volume label: Simple Volume
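The demonstration above done with the storage cmdlets, plus the check behind the review question on virtual disks that are larger than their pool, as an added example that is not part of the course text. It assumes at least one blank, unpartitioned disk is attached to LON-SVR1, that the Storage Spaces subsystem name begins with "Storage Spaces" (the default on Windows Server 2012), and that the session is elevated.

```powershell
# Added example, not from the 20410A course text. Assumes: one or more blank disks
# attached, subsystem name 'Storage Spaces on <host>', elevated session.

function New-DemoStoragePool {
    param([string]$PoolName = 'StoragePool1')
    # Only blank, unpartitioned disks that are not already in a pool are eligible (CanPool).
    $disks = Get-PhysicalDisk -CanPool $true
    if (-not $disks) { throw 'No poolable disks found: disks must be blank and not in another pool' }
    $disks | Select-Object FriendlyName, BusType, MediaType, Size, HealthStatus
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName 'Storage Spaces*' -PhysicalDisks $disks
}

function New-DemoThinSimpleVolume {
    param(
        [string]$PoolName = 'StoragePool1',
        [string]$DiskName = 'Simple vDisk',
        [uint64]$Size     = 2GB,
        [string]$Label    = 'Simple Volume'
    )
    # Simple = striping with no redundancy; Thin = pool capacity is handed over only as data is written.
    $vd = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
                          -ResiliencySettingName Simple -ProvisioningType Thin -Size $Size
    $disk = $vd | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem ReFS -NewFileSystemLabel $Label -Confirm:$false
}

function Show-ThinProvisioning {
    param([string]$PoolName = 'StoragePool1')
    # A thin virtual disk may be presented LARGER than the pool. Size is what the operating
    # system sees; AllocatedSize is what the pool has actually committed so far.
    $pool = Get-StoragePool -FriendlyName $PoolName
    Get-VirtualDisk -StoragePoolFriendlyName $PoolName | ForEach-Object {
        [pscustomobject]@{
            VirtualDisk    = $_.FriendlyName
            Provisioning   = $_.ProvisioningType
            PresentedGB    = [math]::Round($_.Size          / 1GB, 2)
            AllocatedGB    = [math]::Round($_.AllocatedSize / 1GB, 2)
            PoolCapacityGB = [math]::Round($pool.Size       / 1GB, 2)
            PoolUsedGB     = [math]::Round($pool.AllocatedSize / 1GB, 2)
            OverCommitted  = $_.Size -gt $pool.Size
        }
    }
}

New-DemoStoragePool
New-DemoThinSimpleVolume
Show-ThinProvisioning
```

Watch PoolUsedGB on pools that carry over-committed thin disks: once the pool has no capacity left to hand out, writes to the thin virtual disk fail and the disk is taken offline, which is the operational cost of the lower disk utilisation thin provisioning buys.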
Lab: Implementing Local Storage
Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. One of your first assignments is configuring the infrastructure service for a new branch office.
Your manager has asked you to add disk space to a file server. After you create the volumes, your manager also asks you to resize them based on updated information he has been given. Finally, you need to make data storage redundant by creating a three-way mirrored virtual disk.
Objectives
After completing this lab, you will be able to:
• Install and configure a new disk.
• Resize volumes.
• Configure a storage pool.
• Configure a redundant storage space.
Lab Setup
Estimated time: 30 minutes
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
1. In Hyper-V® Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
2. In the Actions pane, click Connect. Wait until the virtual machine starts.
3. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
4. Repeat steps 1 to 3 for 20410A-LON-SVR1.
Exercise 1: Installing and Configuring a New Disk
Scenario
The file server in your branch office is low on disk space. You need to add a new disk to the server and create volumes based on specifications provided by your manager.
The main tasks for this exercise are as follows:
1. Initialize a new disk.
2. Create and format two simple volumes on the disk.
3. Verify the drive letter in a Windows® Explorer window.
Task 1: Initialize a new disk
1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, open Computer Management, and then access Disk Management.
3. Initialize Disk 2 and configure it to use GPT (GUID Partition Table).
Task 2: Create and format two simple volumes on the disk
1. In the Computer Management console, on Disk 2, create a Simple Volume with the following attributes:
o Volume size: 4000 MB
o Drive Letter: F
o File system: NTFS
o Volume label: Volume1
2. In the Computer Management console, on Disk 2, create a Simple Volume with the following attributes:
o Volume size: 5000 MB
o Drive Letter: G
o File system: ReFS
o Volume label: Volume2
Task 3: Verify the drive letter in a Windows® Explorer window
1. Use Windows Explorer to make sure you can access the following volumes:
o Volume1 (F:)
o Volume2 (G:)
2. On Volume2 (G:), create a folder named Folder1.
Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.
Exercise 2: Resizing Volumes
Scenario
After installing the new disk in your file server, you are contacted by your manager who indicates that the information he gave you was incorrect. He now needs you to resize the volumes without losing any data.
The main tasks for this exercise are as follows:
1. Shrink Volume1.
2. Extend Volume2.
Task 1: Shrink Volume1
• Use Disk Management to shrink Volume1 (F:) by 1000 MB.
Task 2: Extend Volume2
1. Use Disk Management to extend Volume2 (G:) by 1000 MB.
2. Use Windows Explorer to verify that the folder Folder1 is still on drive G.
Results: After this lab, you should have made one volume smaller, and extended another.
Exercise 3: Configuring a Redundant Storage Space
Scenario
Your server does not have a hardware-based RAID card, but you have been asked to configure redundant storage. To support this feature, you need to create a storage pool.
After creating the storage pool, you will also need to create a redundant virtual disk. As the data is critical, the request for redundant storage specifies that you need to use a three-way mirrored volume. Shortly after the volume is in use, a disk fails and you have to add another disk to the storage pool to replace it.
The main tasks for this exercise are as follows:
1. Create a storage pool from five disks that are attached to the server.
2. Create a three-way mirrored virtual disk.
3. Copy a file to the volume, and verify that it is visible in Windows Explorer.
4. Remove a physical drive.
5. Verify that the mspaint.exe file is still accessible.
6. Add a new disk to the storage pool.
7. To prepare for the next module.
Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, open Server Manager.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. Create a storage pool with the following settings:
o Name: StoragePool1
o PhysicalDisk3
o PhysicalDisk4
o PhysicalDisk5
o PhysicalDisk6
o PhysicalDisk7
Task 2: Create a three-way mirrored virtual disk
1. On LON-SVR1, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with the following settings:
o Storage pool: StoragePool1
o Name: Mirrored Disk
o Storage Layout: Mirror
o Resiliency settings: Three-way mirror
o Provisioning type: Thin
o Virtual disk size: 10 GB
2. In the New Volume Wizard, create a volume with the following settings:
o Virtual disk: Mirrored Disk
o Drive letter: H
o File system: ReFS
o Volume label: Mirrored Volume
Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. On the Start screen, type command prompt, and then press Enter.
2. Type the following command:
Copy C:\windows\system32\mspaint.exe H:\
3. Open Windows Explorer from the taskbar, and access Mirrored Volume (H:). You should now see mspaint.exe in the file list.
Task 4: Remove a physical drive
• On the host machine, in Hyper-V Manager, in the Virtual Machines pane, change the 20410A-LON-SVR1 settings as follows:
o Remove Hard Drive 20410A-LON-SVR1-Disk5.vhdx.
Task 5: Verify that the mspaint.exe file is still accessible
1. Switch to LON-SVR1.
2. Use Windows Explorer and browse to H:\mspaint.exe to ensure access to the file is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button. Notice the warning that displays next to Mirrored Disk.
4. Open Mirrored Disk Properties, and access the Health pane. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.
Task 6: Add a new disk to the storage pool
1. Switch to LON-SVR1.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, click Add Physical Disk, and then click PhysicalDisk8 (LON-SVR1).
Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.
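Exercise 3 from PowerShell, including the health check Server Manager shows in Task 5 and the disk replacement of Task 6, as an added example that is not part of the lab text. It assumes StoragePool1 already exists with the five blank disks from Task 1, that the failed-disk simulation (removing the VHDX in Hyper-V Manager) is still done by hand, and that a blank replacement disk has been attached before the repair function runs. The cluster-eligibility check applies the "multi-initiator protocol, such as SAS" requirement from the configuration table.

```powershell
# Added example, not from the 20410A lab text. Assumes: StoragePool1 exists with five
# blank disks; the disk failure is simulated in Hyper-V Manager; one blank replacement
# disk is attached before Repair-PoolAfterDiskLoss is called; elevated session.

function Test-ClusterEligible {
    param([string]$PoolName = 'StoragePool1')
    # Failover clustering needs a multi-initiator bus (SAS); SATA, USB and SCSI disks disqualify the pool.
    Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
        Select-Object FriendlyName, BusType, @{ n = 'ClusterOK'; e = { $_.BusType -eq 'SAS' } }
}

function New-ThreeWayMirrorVolume {
    param(
        [string]$PoolName    = 'StoragePool1',
        [string]$DiskName    = 'Mirrored Disk',
        [uint64]$Size        = 10GB,
        [char]  $DriveLetter = 'H'
    )
    # Three copies of every write; the table above requires at least five physical disks.
    $poolDisks = @(Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk)
    if ($poolDisks.Count -lt 5) { throw "Three-way mirror needs at least 5 physical disks; pool has $($poolDisks.Count)" }
    $vd = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
            -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size $Size
    $disk = $vd | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter | Out-Null
    Format-Volume -DriveLetter $DriveLetter -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false
    Copy-Item C:\Windows\System32\mspaint.exe "${DriveLetter}:\"      # Task 3's test file
}

function Get-PoolHealth {
    param([string]$PoolName = 'StoragePool1')
    # Same information as the Health pane in Server Manager: after a disk is lost the
    # virtual disk stays online but reports Warning / Degraded (or Incomplete).
    Get-VirtualDisk -StoragePoolFriendlyName $PoolName |
        Select-Object FriendlyName, HealthStatus, OperationalStatus
    Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
        Where-Object { $_.HealthStatus -ne 'Healthy' } |
        Select-Object FriendlyName, HealthStatus, OperationalStatus
}

function Repair-PoolAfterDiskLoss {
    param([string]$PoolName = 'StoragePool1', [string]$DiskName = 'Mirrored Disk')
    $failed = @(Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
                Where-Object { $_.HealthStatus -ne 'Healthy' })
    if (-not $failed) { Write-Warning 'No unhealthy disk in the pool; nothing to repair'; return }
    $spare = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
    if (-not $spare) { throw 'No blank replacement disk attached' }

    Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $spare   # Task 6
    foreach ($d in $failed) { Set-PhysicalDisk -InputObject $d -Usage Retired } # stop allocating to the lost disk
    Repair-VirtualDisk -FriendlyName $DiskName                                 # rebuild the missing copy
    while (Get-StorageJob | Where-Object { $_.JobState -eq 'Running' }) { Start-Sleep -Seconds 5 }
    foreach ($d in $failed) {                                                  # only now is it safe to remove it
        Remove-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $d -Confirm:$false
    }
    Get-PoolHealth -PoolName $PoolName
}

Test-ClusterEligible
New-ThreeWayMirrorVolume
# ... remove 20410A-LON-SVR1-Disk5.vhdx in Hyper-V Manager, attach a blank disk, then:
Get-PoolHealth
Repair-PoolAfterDiskLoss
Test-Path H:\mspaint.exe       # the file stays readable throughout
```

The order in Repair-PoolAfterDiskLoss matters: retire and remove the lost disk only after Repair-VirtualDisk has finished copying onto the replacement, otherwise a mirror that has already lost one copy is asked to drop another before the rebuild completes.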
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.
Module Review and Takeaways
Review Questions
Question: Your current volume runs out of disk space. You have another disk available in the same server. What actions in Windows can you perform to help you add disk space?
Question: What are the two different types of disks in Disk Management?
Question: What are the most important implementations of RAID?
Question: You attach five 2 TB disks to your Windows Server 2012 computer. You want to manage them almost automatically, and if one disk fails, you want to make sure the data is not lost. What feature can you implement to accomplish this?
Best Practices
The following are recommended best practices:
• If you want to shrink a volume, defragment the volume first so you can reclaim more space from the volume.
• Use the GPT partition table format for disks larger than 2 TB.
• For very large volumes, use ReFS.
• Do not use FAT or FAT32 on Windows Server disks.
• Use the Storage Spaces feature to let the Windows operating system manage your disks.
Tools
Tool Use Where to find it
Disk Management • Initialize disks.
• Create and modify volumes.
In Server Manager on the Tools menu (part of Computer Management)
Diskpart.exe • Initialize disks.
• Create and modify volumes from a command prompt.
Command prompt
Mklink.exe • Create a symbolic link to a file or folder. Command prompt
Chkdsk.exe • Check an NTFS-formatted volume for file system errors. Cannot be used for ReFS or Virtual Disks.
Command prompt
Defrag.exe • Disk defragmentation tool for NTFS-formatted volumes. Cannot be used for ReFS or Virtual Disks.
Command prompt
Module 10 Implementing File and Print Services
Contents: Module Overview 10-1
Lesson 1: Securing Files and Folders 10-2
Lesson 2: Protecting Shared Files and Folders using Shadow Copies 10-15
Lesson 3: Configuring Network Printing 10-18
Lab: Implementing File and Print Services 10-23
Module Review and Takeaways 10-28
Module Overview
Accessing files and printers on the network is one of the most common activities in the Windows Server® environment. Reliable, secure access to files and folders and print resources is often the first requirement of a Windows Server 2012-based network. To provide access to file and print resources on your network, you must understand how to configure these resources within Windows Server 2012 server, and how to configure appropriate access to the resources for users in your environment.
This module discusses how to provide these important file and print resources from Windows Server 2012. You will learn how to enable and configure file and print services in Windows Server 2012, and you will learn important considerations and best practices for working with file and print services.
Objectives
After completing this module, you will be able to:
• Secure shared files and folders.
• Protect shared files and folders by using shadow copies.
• Configure network printing.
Lesson 1: Securing Files and Folders

The files and folders that your servers store typically contain your organization's business and functional data. Providing appropriate access to these files and folders, usually over the network, is an important part of managing file and print services in Windows Server 2012.

This lesson gives you information necessary to secure files and folders on your Windows Server 2012 servers, so that your organization's data is available and protected.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain NTFS file system permissions.
• Describe a shared folder.
• Explain permissions inheritance.
• Explain how effective permissions work when you access shared folders.
• Explain access-based enumeration.
• Describe Offline files.
• Create and configure a shared folder.

What Are NTFS Permissions?

NTFS permissions are assigned to files or folders on a storage drive that is formatted with NTFS. The permissions that you assign to NTFS files and folders govern user access to these files and folders.

The following points describe the key aspects of NTFS permissions:
• NTFS permissions can be assigned to an individual file or folder, or sets of files or folders.
• NTFS permissions can be assigned individually to objects that include users, groups, and computers.
• NTFS permissions are controlled by denying or granting specific types of NTFS file and folder access, such as read or write.
• NTFS permissions can be inherited from parent folders. By default, the NTFS permissions that are assigned to a folder are also assigned to newly created folders or files within that parent folder.

NTFS Permission Types
There are two assignable NTFS permissions categories: standard, and advanced.

Standard Permissions
Standard permissions provide the most commonly used permission settings for files and folders. You assign standard permissions in the main NTFS Permissions Assignment window.
The following table details the standard permissions options for NTFS files and folders.
File permissions Description
Full Control Grants the user complete control of the file or folder, including control of permissions.
Modify Grants the user permission to read, write, or delete a file or folder, including creating a file or folder.
Read and Execute Grants the user permission to read a file and start programs.
Read Grants the user permission to see file or folder content, attributes, and permissions. It does not include permission to start programs.
Write Grants the user permission to write to a file.
List folder contents (folders only)
Grants the user permission to view a list of the folder’s contents.
Note: Granting users Full Control permissions on a file or a folder gives them the ability to perform any file system operation on the object, and the ability to change permissions on the object. They can also remove permissions on the resource for any or all users, including you.
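What each standard permission in the table actually contains, computed from the FileSystemRights flags that the operating system stores in the ACL, followed by a grant that deliberately stops short of Full Control. This is an added example, not part of the course text; the folder C:\Shares\Projects and the group Adatum\Engineering are hypothetical names chosen for the example.

```powershell
# Added example, not from the 20410A course text. Folder path and group name are
# hypothetical; the group must exist in the Adatum domain for Set-Acl to resolve it.

# The single-bit (advanced) rights. Names that share a value with a folder-side alias
# (ReadData/ListDirectory, ExecuteFile/Traverse, ...) are listed once under the file-side name.
$atomic = 'ReadData', 'WriteData', 'AppendData', 'ReadExtendedAttributes', 'WriteExtendedAttributes',
          'ExecuteFile', 'DeleteSubdirectoriesAndFiles', 'ReadAttributes', 'WriteAttributes',
          'Delete', 'ReadPermissions', 'ChangePermissions', 'TakeOwnership', 'Synchronize'

function Expand-StandardRight {
    param([Parameter(Mandatory=$true)][string]$Name)   # 'Read', 'Modify', 'FullControl', ...
    $value = [int][System.Security.AccessControl.FileSystemRights]$Name
    $atomic | Where-Object { ($value -band [int][System.Security.AccessControl.FileSystemRights]$_) -ne 0 }
}

# Read contains no ExecuteFile; only FullControl contains ChangePermissions and TakeOwnership,
# which is why the note above warns that Full Control lets a user rewrite the ACL.
foreach ($std in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    '{0,-15} {1}' -f $std, ((Expand-StandardRight $std) -join ', ')
}

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # Modify lets the group read, write, create and delete, but not change the ACL or take
    # ownership, so the group cannot lock administrators out of the folder.
    $changePerms = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
    if (([int]$Rights -band $changePerms) -ne 0) {
        Write-Warning "$Identity will be able to rewrite the ACL on $Path"
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        'ContainerInherit, ObjectInherit',   # this folder, its subfolders and its files
        'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

New-Item -ItemType Directory -Path C:\Shares\Projects -Force | Out-Null
Grant-FolderAccess -Path C:\Shares\Projects -Identity 'Adatum\Engineering' -Rights Modify
```

When a request asks for "full access" to a share, granting Modify is almost always what is meant: the only capabilities it leaves out are the two that let the grantee change who else has access.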
Advanced Permissions
Advanced permissions can provide a much greater level of control over NTFS files and folders. Advanced permissions are accessible from the Security tab of a file or folder's Properties sheet by clicking the Advanced button.
The following table details the Advanced permissions for NTFS files and folders.
File permissions Description
Traverse Folder/Execute File
The Traverse Folder permission applies only to folders. This permission grants or denies the user's ability to move through folders to reach other files or folders, even if the user has no permissions for the traversed folders. The Traverse Folder permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right.
The Bypass Traverse Checking user right is assigned under User Rights Assignment in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
The Execute File permission applies only to files. It grants or denies the ability to run program files.
If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.
List Folder/Read Data
The List Folder permission grants the user permission to view file names and subfolder names. The List Folder permission applies only to folders and affects only the contents of that folder; it does not affect whether the folder itself is listed in its parent folder. In addition, this setting has no effect on viewing the file structure from a command-line interface.
The Read Data permission grants or denies the user permission to view data in files. The Read Data permission applies only to files.
Read Attributes The Read Attributes permission grants the user permission to view the basic attributes of a file or a folder such as read-only and hidden attributes. Attributes are defined by NTFS.
Read Extended Attributes
The Read Extended Attributes permission grants the user permission to view the extended attributes of a file or folder. Extended attributes are defined by applications, and can vary by application.
Create Files/Write Data
The Create Files permission applies only to folders, and grants the user permission to create files in the folder.
The Write Data permission grants the user permission to make changes to the file and overwrite existing content. The Write Data permission applies only to files.
Create Folders/Append Data
The Create Folders permission grants the user permission to create folders in the folder. The Create Folders permission applies only to folders.
The Append Data permission grants the user permission to make changes to the end of the file, but not to delete or overwrite existing data. The Append Data permission applies only to files.
Write Attributes The Write Attributes permission grants the user permission to change the basic attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.
Write Extended Attributes
The Write Extended Attributes permission grants the user permission to change the extended attributes of a file or folder. Extended attributes are defined by programs, and can vary by program.
The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To grant Create or Delete permissions, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.
Delete Subfolders and Files
The Delete Subfolders and Files permission grants the user permission to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file. The Delete Subfolders and Files permission applies only to folders.
Delete The Delete permission grants the user permission to delete the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.
Read Permissions Read Permissions grants the user permission to read the permissions set on the file or folder, such as Full Control, Read, and Write.
Change Permissions Change Permissions grants the user permission to change permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership The Take Ownership permission grants the user permission to take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
Synchronize The Synchronize permission assigns different threads to wait on the handle for the file or folder, and then synchronize with another thread that may signal it. This permission applies only to multiple-threaded, multiple-process programs.
Note: Standard permissions are combinations of several individual Advanced permissions that are grouped into common file and folder usage scenarios.
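The following is an added example, not part of the course material, that shows the relationship stated in the note above in working code: each standard permission (Read, Modify, and so on) is a bit mask over the advanced permissions listed in the table, and the .NET FileSystemRights flags that Get-Acl and Set-Acl operate on use the same paired names (ReadData/ListDirectory, WriteData/CreateFiles). The function name is an assumption; everything else is standard .NET and PowerShell.

```powershell
# Added example (not from the course): decompose a standard NTFS permission
# into the advanced (special) permissions from the table above, using the
# .NET FileSystemRights flags that Get-Acl and Set-Acl work with.
function Expand-FileSystemRights {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)

    $type  = [System.Security.AccessControl.FileSystemRights]
    $mask  = [int]$Rights
    $byBit = @{}
    foreach ($name in [Enum]::GetNames($type)) {
        $value = [int][Enum]::Parse($type, $name)
        # keep only single-bit (atomic) rights that are present in the mask;
        # composite values such as Read or Modify are skipped
        if ($value -ne 0 -and ($value -band ($value - 1)) -eq 0 -and ($mask -band $value)) {
            if (-not $byBit.ContainsKey($value)) { $byBit[$value] = @() }
            $byBit[$value] += $name
        }
    }
    # rights that share one bit are shown the way the table pairs them: ReadData/ListDirectory
    $byBit.GetEnumerator() | Sort-Object Key | ForEach-Object {
        [PSCustomObject]@{ Bit = $_.Key; AdvancedPermission = ($_.Value -join '/') }
    }
}

# Standard permissions are just bit masks over the advanced rights
Expand-FileSystemRights -Rights Read      # ReadData, ReadExtendedAttributes, ReadAttributes, ReadPermissions, Synchronize
Expand-FileSystemRights -Rights Modify    # adds WriteData, AppendData, Write*Attributes, ExecuteFile, Delete

# A custom right built the same way: Modify without the ability to delete
$custom = [System.Security.AccessControl.FileSystemRights]::Modify -bxor [System.Security.AccessControl.FileSystemRights]::Delete
Expand-FileSystemRights -Rights $custom
```

Running this on FullControl lists every row of the table above, which is a quick way to confirm that a "Special permissions" entry seen on the Security tab is not hiding a right you did not intend to grant.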
NTFS Permissions Examples
The following are basic examples of assigning NTFS permissions.
Example 1
For the Marketing Pictures folder, an administrator has chosen to assign Adam Carter Allow permissions for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have Read access to the files and folders that are contained in the Marketing Pictures folder.
Example 2
When applying NTFS permissions, the results are cumulative. For example, let us carry on with the given example and say that Adam Carter is also a part of the Marketing group. The Marketing group has been given Write permissions on the Marketing Pictures folder. When we combine the permissions assigned to Adam Carter’s user account with the permissions assigned to the Marketing group, Adam would have both Read and Write permissions for the Marketing Pictures folder.
Important Rules for NTFS Permissions
There are two groupings of NTFS permissions:
• Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a file or a folder take precedence over those that are inherited from a parent folder.
• Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any Deny permissions that exist override conflicting Allow permissions within the group.
Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow
It is important to remember that NTFS permissions are cumulative, and these rules apply only when two NTFS permission settings conflict with each other.
Note: Permissions inheritance is discussed in more detail later in this lesson.
How to Configure NTFS Permissions
You can view and configure NTFS permissions by following these steps:
1. Right-click the file or folder for which you want to assign permissions, and then click Properties.
2. In the Properties window, click the Security tab. In this tab, you can select the current users or groups that have been assigned permissions to view the specific permissions assigned to each principal.
3. To open an editable permissions dialog box so that you can modify existing permissions or add new users or groups, click the Edit button.
What Are Shared Folders?
Shared folders are a key component to granting access to files on your server from the network. When you share a folder, the folder and all of its contents are made available to multiple users simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS permissions, which apply to the folder’s contents. These permissions are used to provide an extra level of security for files and folders that are made available on the network.
Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder, and shared files for the Marketing department in another.
Note: The sharing process applies only to the folder level. You cannot share an individual file or a group of files.
Accessing a Shared Folder
Users typically access a shared folder over the network by using its Universal Naming Convention (UNC) address. The UNC address contains the name of the server on which the folder is hosted, and the actual shared folder name, separated by a backward slash (\) and preceded by two backward slashes (\\). For example, the UNC path for the Sales shared folder on the LON-SVR1 server would be \\LON-SVR1\Sales.
Sharing a Folder on the Network
Windows Server 2012 provides different ways to share a folder:
• Select the appropriate drive, and then in the Files and Storage Services section in Server Manager, select the New Share task.
• Use the File Sharing Wizard, either from the folder’s right-click menu, or by clicking the Share button on the Sharing tab of the folder’s Properties window.
• Use Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder’s Properties window.
• Use the Netsh command-line tool from a command-line window.
Note: When sharing a folder, you will be asked to give the shared folder a name. This name does not have to be the same name as the actual folder. It can be a descriptive name that better describes the folder contents to network users.
Administrative Shares
You can create administrative (or hidden) shared folders that need to be available from the network, but should be hidden from users browsing the network. You can access an administrative shared folder by typing in its UNC path, but the folder will not display if you browse the server by using a Windows® Explorer window. Administrative shared folders also typically have a more restrictive set of permissions assigned to the shared folder to reflect the administrative nature of the folder’s contents.
To hide a shared folder, append the dollar symbol ($) to the folder’s name. For example, a shared folder on LON-SVR1 named Sales can be made into a hidden shared folder by naming it Sales$. The shared folder is accessible over the network by using the UNC path \\LON-SVR1\Sales$.
Note: Shared folder permissions apply only to users who access the folder over the network. They do not affect users who access the folder locally on the computer where the folder is stored.
Shared Folder Permissions
Just like NTFS permissions, you can assign shared folder permissions to users, groups, or computers. However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or folders within the shared folder. Shared folder permissions are set once for the shared folder itself, and apply universally to the entire contents of the shared folder for users who access the folder over the network.
When you create a shared folder, the default assigned shared permission for the Everyone group is set to Read.
The following table lists the permissions that you can grant to a shared folder.
Shared folder permission Description
Read Users can view folder and file names, view file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.
Change Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.
Full Control Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.
Note: When you assign Full Control permissions on a shared folder to a user, that user can modify permissions on the shared folder, which includes removing all users, including you, from the shared folder’s permissions list. In most cases, you should grant Change permission instead of Full Control permission.
Permissions Inheritance
By default, NTFS and shared folders use inheritance to propagate permissions throughout a folder structure. When you create a file or a folder, it is automatically assigned the permissions that are set on any folders that exist above it (parent folders) in the hierarchy of the folder structure.
How Inheritance Is Applied
Consider the following example structure:
• Adam Carter
• Marketing group
• New York Editors group
Folder or File | Assigned Permissions | Adam’s Permissions
Marketing (folder) | Read – Marketing | Read
Marketing Pictures (folder) | None set | Read (inherited)
New York (folder) | Write – New York Editors | Read(i) + Write
Fall_Composite.jpg (file) | None set | Read(i) + Write(i)
In this example, Adam is a member of two groups that are assigned permissions for files or folders within the folder structure. They are as follows:
• The top-level folder, Marketing, has an assigned permission for the Marketing Group giving them Read access.
• In the next level, the Marketing Pictures folder has no explicit permissions set, but because of permissions inheritance, Adam has Read access to this folder and its contents from the permissions that are set on the Marketing folder.
• In the third level, the New York folder has Write permissions assigned to one of Adam’s groups—New York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits the Read permission from the Marketing folder. These permissions pass down to file and folder objects, cumulating with any explicit Read and Write permissions set on those files.
• The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been set for this file, Adam has both Read and Write access to the file due to the inherited permissions from both the Marketing folder and the New York folder.
Permission Conflicts
Sometimes, explicitly set permissions on a file or folder will conflict with permissions inherited from a parent folder. In these cases, the explicitly assigned permissions always override the inherited permissions. In the given example, if Adam Carter was denied Write access to the parent Marketing folder, but then explicitly granted Write access to the New York folder, the granted Write access permissions would take precedence over the inherited deny Write access permission.
Blocking Inheritance
You can also disable the inheritance behavior for a file or a folder (and its contents) on an NTFS drive to explicitly define permissions for a set of objects without including any of the inherited permissions from any parent folders. Windows Server 2012 provides an option for blocking inheritance on a file or a folder. To block inheritance on a file or folder, complete the following steps:
1. Right-click the file or folder where you want to block inheritance, and then click Properties.
2. In the Properties window, click the Security tab, and then click the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions button.
4. In the next Advanced Security Settings window, click the Disable inheritance button.
At this point, you are prompted to either convert the inherited permissions into explicit permissions or remove all inherited permissions from the object to start with a blank permissions slate.
Resetting Default Inheritance Behavior
After you block inheritance, changes made to permissions on the parent folder structure no longer have an effect on the permissions for the child object (and its contents) that has blocked inheritance, unless you reset that behavior from one of the parent folders by selecting the Replace all child object permissions with inheritable permissions from this object check box. When you select this check box, the existing set of permissions on the current folder are propagated down to all child objects in the tree structure, and override all explicitly assigned permissions for those files and folders. This check box is located directly under the Include inheritable permissions from this object’s parent check box.
Effective Permissions
Access to a file or folder in Windows Server 2012 is granted based on a combination of permissions. When a user attempts to access a file or folder, the permission that applies is dependent on various factors, including:
• Explicitly defined and inherited permissions that apply to the user.
• Explicitly defined and inherited permissions that apply to the groups to which the user belongs.
• How the user is accessing the file or folders—locally, or over the network.
Effective NTFS permissions are the cumulative permissions that are assigned to a user for a file or folder based on the factors listed above. The following principles determine effective NTFS permissions:
• Cumulative permissions are the combination of the highest NTFS permissions granted to the user and to all the groups of which the user is a member. For example, if a user is a member of a group that has Read permission and is a member of a group that has Modify permission, the user is assigned cumulative Modify permissions.
• Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is denied Write access to a folder via an inherited Deny permission, but is explicitly granted Write access to a subfolder or a particular file, the explicit Allow overrides the inherited Deny for the particular subfolder or file.
• You can apply permissions to a user or to a group. Assigning permissions to groups is preferred because they are more efficient than managing permissions that are set for many individuals.
• NTFS file permissions take priority over folder permissions. For example, if a user has Read permission to a folder, but has been granted Modify permission to certain files in that folder, the effective permission for those files will be set to Modify.
• Every object in an NTFS drive or in Active Directory® Domain Services (AD DS) is owned. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user who creates a file in a folder where they have Modify permissions can change the permissions on the file to Full Control.
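The Security-tab procedures described earlier in this lesson (assigning permissions, blocking inheritance with the convert-or-remove choice, and resetting inheritance down a tree) can also be scripted. The following is an added example, not part of the course material, written against the Marketing folder tree from the inheritance discussion; the folder path E:\Marketing, the ADATUM group names, and the function names are assumptions. Run it as an account that holds Change Permissions (or ownership) on the tree.

```powershell
# Added example (not from the course): Security-tab operations from PowerShell.
# Paths, group names and function names are assumptions for illustration.

function Grant-NtfsRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'ADATUM\Marketing'
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -LiteralPath $Path
    # "This folder, subfolders and files": the ACE is inherited by everything below
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Disable-NtfsInheritance {
    param(
        [Parameter(Mandatory)][string]$Path,
        # $true  = "Convert inherited permissions into explicit permissions"
        # $false = "Remove all inherited permissions" (start with a blank slate)
        [bool]$KeepAsExplicit = $true
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $KeepAsExplicit)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Reset-NtfsInheritance {
    # Re-enable inheritance on $Path, then push the parent's inheritable ACEs down
    # the tree, discarding explicit ACEs on children: the effect of the "Replace all
    # child object permissions" check box. icacls /reset is the built-in way to do it.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
    icacls $Path /reset /T /C | Out-Null
}

function Show-NtfsAcl {
    # Lists each ACE the way the Security tab does, flagging inherited entries
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# --- Worked run on the Marketing tree from the inheritance example ---
Grant-NtfsRight -Path 'E:\Marketing'          -Identity 'ADATUM\Marketing'        -Rights Read
Grant-NtfsRight -Path 'E:\Marketing\New York' -Identity 'ADATUM\New York Editors' -Rights Write
Show-NtfsAcl -Path 'E:\Marketing\New York'    # inherited Read for Marketing plus explicit Write

# Block inheritance on New York but keep the current entries as explicit ACEs
Disable-NtfsInheritance -Path 'E:\Marketing\New York' -KeepAsExplicit $true
Show-NtfsAcl -Path 'E:\Marketing\New York'    # same rights, IsInherited is now False everywhere

# Undo it and re-apply the parent's permissions to everything underneath
Reset-NtfsInheritance -Path 'E:\Marketing\New York'
```

Passing $false to SetAccessRuleProtection's second argument is the scripted equivalent of choosing "remove all inherited permissions": the object is left with only the explicit ACEs it already had, so check the result with Show-NtfsAcl before relying on it.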
Effective Permissions Tool
Windows Server 2012 provides an Effective Permissions tool that shows the effective NTFS permissions on a file or folder for a user, based on permissions assigned to the user account and the groups that the user account belongs to. You can access the Effective Permissions tool by using the following steps:
1. Right-click the file or folder for which you want to analyze permissions, and then click Properties.
2. In the Properties window, click the Advanced button.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
4. Choose a user or group to evaluate by using the Select button.
Combining NTFS Permissions and Shared Folder Permissions
NTFS permissions and shared folder permissions work together to control access to file and folder resources that are accessed from a network. When you configure access to network resources on an NTFS drive, use the most restrictive NTFS permissions to control access to folders and files, and combine them with the most restrictive shared folder permissions to control access to the network.
How Combining NTFS and Shared Folder Permissions Works
When you apply both NTFS and shared folder permissions, remember that the more restrictive of the two permissions dictates the access that a user will have to a file or folder. The following two examples explain this further:
• If you set the NTFS permissions on a folder to Full Control, but you set the shared folder permissions to Read, then that user has only Read permission when accessing the folder over the network. Access is restricted at the shared folder level, and any greater access at the NTFS permissions level does not apply.
• Likewise, if you set the shared folder permission to Full Control, and you set the NTFS permissions to Write, then the user will have no restrictions at the shared folder level, but the NTFS permissions on the folder will grant only Write permissions to that folder.
The user must have appropriate permissions on both the NTFS file or folder and the shared folder. If no permissions exist for the user (either as an individual or as the member of a group) on either resource, access is denied.
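The following is an added example, not part of the course material, that puts the rules from this lesson into code: it walks a folder's ACL in the order the lesson gives (explicit Deny, explicit Allow, inherited Deny, inherited Allow), accumulates rights across the user and all of the user's groups, and then intersects the result with the share permission so that the more restrictive of the two wins for network access. The share name, paths and account names are assumptions. The evaluator models only the rules stated in this lesson; it ignores ownership, privileges such as backup and restore, and conditional ACEs, so use it to explain a result, not as a replacement for the Effective Permissions tab.

```powershell
# Added example (not from the course): effective NTFS rights by the lesson's
# ordering rules, then intersected with the share permission.
# Share name, paths and account names are assumptions.

function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The user plus every group the user belongs to, as NT account names
        [Parameter(Mandatory)][string[]]$Principals
    )
    # Sort key: 0 = explicit Deny, 1 = explicit Allow, 2 = inherited Deny, 3 = inherited Allow
    $aces = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $Principals -contains $_.IdentityReference.Value } |
        Sort-Object { 2 * [int]$_.IsInherited + [int]($_.AccessControlType -eq 'Allow') }

    [int]$granted = 0; [int]$denied = 0
    foreach ($ace in $aces) {
        # an ACE only decides bits that a higher-precedence ACE has not decided yet
        $bits = [int]$ace.FileSystemRights -band -bnot ($granted -bor $denied)
        if ($ace.AccessControlType -eq 'Deny') { $denied  = $denied  -bor $bits }
        else                                   { $granted = $granted -bor $bits }
    }
    [PSCustomObject]@{
        Path    = $Path
        Granted = [System.Security.AccessControl.FileSystemRights]$granted
        Denied  = [System.Security.AccessControl.FileSystemRights]$denied
    }
}

function Get-ShareRightsMask {
    # Map Read/Change/Full share permissions onto NTFS right masks so the two can
    # be intersected. Share ACLs have no inheritance, so a share Deny simply wins.
    param([Parameter(Mandatory)][string]$ShareName, [Parameter(Mandatory)][string[]]$Principals)
    $map = @{
        Read   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        Change = [int][System.Security.AccessControl.FileSystemRights]::Modify
        Full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    }
    [int]$allow = 0; [int]$deny = 0
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        if ($Principals -notcontains $entry.AccountName) { continue }
        $m = $map["$($entry.AccessRight)"]
        if ($null -eq $m) { continue }          # 'Custom' share masks are not modelled here
        if ($entry.AccessControlType -eq 'Deny') { $deny = $deny -bor $m } else { $allow = $allow -bor $m }
    }
    $allow -band -bnot $deny
}

function Get-EffectiveNetworkRights {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [string]$RelativePath = '',
        [Parameter(Mandatory)][string[]]$Principals
    )
    $share  = Get-SmbShare -Name $ShareName
    $target = if ($RelativePath) { Join-Path $share.Path $RelativePath } else { $share.Path }
    $ntfs   = Get-EffectiveNtfsRights -Path $target -Principals $Principals
    $mask   = Get-ShareRightsMask -ShareName $ShareName -Principals $Principals
    # The more restrictive of the two applies: only bits allowed by BOTH survive
    [PSCustomObject]@{
        Share     = "\\$env:COMPUTERNAME\$ShareName\$RelativePath"
        Ntfs      = $ntfs.Granted
        ShareMask = [System.Security.AccessControl.FileSystemRights]$mask
        Effective = [System.Security.AccessControl.FileSystemRights]([int]$ntfs.Granted -band $mask)
    }
}

# Adam from the examples above: the user, both groups, and the well-known groups
# that share ACLs commonly name (all account names are assumptions)
$adam = 'ADATUM\Adam', 'ADATUM\Marketing', 'ADATUM\New York Editors',
        'Everyone', 'NT AUTHORITY\Authenticated Users'
Get-EffectiveNtfsRights    -Path 'E:\Marketing\New York\Fall_Composite.jpg' -Principals $adam
Get-EffectiveNetworkRights -ShareName 'Marketing' -RelativePath 'New York\Fall_Composite.jpg' -Principals $adam
```

With Full Control at the NTFS level and Read on the share, Effective comes out as ReadAndExecute, which is the first of the two examples above; with no matching entry on either side the mask is zero and access is denied, which is the final rule.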
Considerations for Combined NTFS and Shared Folder Permissions
The following are several considerations that make administering permissions more manageable:
• Grant permissions to groups instead of users. Groups can always have individuals added or deleted, while permissions on a case-by-case basis are difficult to track and cumbersome to manage.
• Use Deny permissions only when necessary. Because Deny permissions are inherited, assigning deny permissions to a folder can result in users not being able to access files further down in the folder structure tree. You should assign Deny permissions only in the following situations:
o To exclude a subset of a group that has Allow permissions.
o To exclude one specific permission when you have granted Full Control permissions to a user or a group.
• Never deny the Everyone group access to an object. If you deny everyone access to an object, you deny Administrators access—including yourself. Instead, remove the Everyone group from the permissions list, as long as you grant permissions for the object to other users, groups, or computers.
• Grant permissions to an object that is as high in the folder structure as possible, so that the security settings are propagated throughout the tree. For example, instead of bringing groups representing all departments of the company together into a Read folder, assign Domain Users (which is a default group for all user accounts on the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive the shared folder.
• Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then use NTFS permissions to assign permissions that are more specific.
What Is Access-Based Enumeration?
With access-based enumeration, users see only the files and folders which they have permission to access. Access-based enumeration provides a better user experience because it displays a less complex view of the contents of a shared folder, making it easier for users to find the files that they need. Windows Server 2012 allows access-based enumeration of folders that a server shares over the network.
Enabling Access-Based Enumeration
To enable access-based enumeration for a shared folder:
1. Open Server Manager.
2. In the navigation pane, click File and Storage Services.
3. In the navigation pane, click Shares.
4. In the Shares pane, right-click the shared folder for which you want to enable access-based enumeration, and then click Properties.
5. In the Properties window, click Settings, and then select the Enable access-based enumeration check box.
When the Enable access-based enumeration check box is selected, access-based enumeration is enabled on the shared folder. This setting is unique to each shared folder on the server.
Note: The File and Storage Services console is the only place in the Windows Server 2012 interface where you can configure access-based enumeration for a shared folder. Access-based enumeration is not available in any of the properties windows that are accessible by right-clicking the shared folder in Windows Explorer.
What Are Offline Files?
An offline file is a copy of a network file that is stored on a client computer. By using offline files, users can access network-based files when the client computer is disconnected from the network.
Offline files and folders are edited or modified by the client, and the changes are synchronized with the network copy of the files the next time the client is reconnected to the network. The synchronization schedule and behavior of offline files is controlled by the client operating system.
Offline files are available to the following operating systems:
• Windows 8
• Windows Server 2012 clients
• Windows 7
• Windows Server 2008 R2
• Windows Server 2008
• Windows Vista®
• Windows Server 2003
• Windows XP
On a Windows Server 2012 computer, you view the Offline Settings window for a shared folder by clicking the Caching button in the Advanced Sharing window. The following options are available within the Offline Settings window:
• Only the files and programs that users specify are available offline. This is the default option when you set up a shared folder. When you use this option, no files or programs are available offline by default, and users control which files and programs they want to access when they are not connected to the network.
• No files or programs from the shared folder are available offline. This option blocks client computers from making copies of the files and programs on the shared folder.
• All files and programs that users open from the shared folder are automatically available offline. Whenever a user accesses the shared folder or drive and opens a file or program in it, that file or program is automatically made available offline to that user. Files and programs that are automatically made available offline remain in the offline files cache and synchronize with the version on the server until the cache is full or the user deletes the files. Files and programs that are not opened are not available offline.
• Optimized for performance. If you select the Optimized for performance check box, executable files (.exe, .dll) that are run from the shared folder by a client computer are automatically cached on that client computer. The next time the client computer runs the executable files, it will access its local cache instead of the shared folder on the server.
Note: The Offline Files feature must be enabled on the client computer for files and programs to be cached automatically. In addition, the Optimized for performance option does not have any effect on client computers that use Windows Vista or older, as these operating systems perform the program-level caching automatically, as specified by this option.
Configuring the Always Work Offline Setting
You can configure Windows Server 2012 and Windows 8 computers to use the Always available offline mode when accessing shared folders. When you configure this option, client computers always use the locally cached version of the files from a network share, even if they are connected to the file server by a high-speed network connection.
This configuration typically results in faster access to files for client computers, especially when connectivity or speed of a network connection is intermittent. Synchronization with the files on the server occurs according to the offline files configuration of the client computer.
How to Enable the Always Work Offline Mode
To enable Always work offline mode, you use Group Policy to enable the Configure slow-link mode setting, and you set the latency value to 1:
1. On an AD DS domain controller, open Group Policy Management Console.
2. To optionally create a new Group Policy Object (GPO) for Offline Files settings, right-click the appropriate domain or Organizational Unit (OU), and then click Create a GPO in this domain, and Link it here.
3. In the console tree, right-click the GPO for which you want to configure the Offline Files settings, and then click Edit.
4. In the Group Policy Management Editor, in the console tree, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then expand Offline Files.
5. Right-click Configure slow-link mode, and then click Edit.
6. In the Configure slow-link mode window, click Enabled.
7. In the Options box, click Show.
8. In the Show Contents window, in the Value name box, specify the shared folder path for which you want to enable Always Offline mode.
Note: To enable Always Offline mode on all file shares, type a wildcard character (*).
9. In the Value box, type 1 to set the latency threshold to one millisecond, and then click OK.
Demonstration: Creating and Configuring a Shared Folder
Creating and configuring a shared folder is typically done within Windows Explorer, from the Sharing tab on the Properties window of the file or folder. When creating a shared folder, always ensure that you set permissions that are appropriate for all of the files and folders within the shared folder location.
Demonstration Steps
Create a shared folder
1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Create a folder named Data on drive E.
3. Share the Data folder.
Assign permissions for the shared folder
• Grant the Authenticated Users Change permissions for \\LON-SVR1\Data.
Configure access-based enumeration
1. Open Server Manager.
2. Navigate to the Share pane in the File and Storage Services management console.
3. Open the Data Properties window for the \\LON-SVR1\Data, and enable access-based enumeration.
Configure offline files
1. Open the Data Properties window for E:\Data.
2. Navigate to the Sharing tab and open the advanced sharing settings.
3. Open the caching settings, and then disable offline files.
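The demonstration above is driven through Server Manager and the folder's Properties window. The following is an added example, not part of the course's demonstration, that produces the same result with the SmbShare cmdlets that ship with Windows Server 2012, and also shows the related points from this lesson: granting Change rather than Full Control, removing the default Everyone entry once another principal has access, the hidden share naming convention, and the mapping between the CachingMode values and the options in the Offline Settings window. The description text is an assumption; the share name and path come from the demonstration. Run it on LON-SVR1 as an administrator.

```powershell
# Added example (not from the course): the demonstration's share, configured
# with the SmbShare cmdlets. The description string is an assumption.
$SharePath = 'E:\Data'
$ShareName = 'Data'

# Create the folder; -Force makes this safe to re-run if it already exists
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# Share it. A share created this way gets the default Everyone / Read entry.
New-SmbShare -Name $ShareName -Path $SharePath -Description 'Department data share' | Out-Null

# Grant Authenticated Users Change (not Full Control: Full Control would let any
# user rewrite the share ACL, including removing the administrators), then drop
# Everyone now that another principal holds access.
Grant-SmbShareAccess  -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight Change -Force
Grant-SmbShareAccess  -Name $ShareName -AccountName 'BUILTIN\Administrators' -AccessRight Full -Force
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force

# Access-based enumeration: users see only what their NTFS permissions allow
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# Offline files. CachingMode None is "No files or programs from the shared folder
# are available offline" in the Offline Settings window. The other values:
#   Manual    = "Only the files and programs that users specify" (the default)
#   Documents = "All files and programs that users open"
#   Programs  = Documents plus "Optimized for performance"
Set-SmbShare -Name $ShareName -CachingMode None -Force

# An administrative (hidden) share of the same folder: the trailing $ keeps it
# out of browse lists, but it is still reachable as \\LON-SVR1\Data$
New-SmbShare -Name ($ShareName + '$') -Path $SharePath -FullAccess 'BUILTIN\Administrators' | Out-Null

# Review what was configured
Get-SmbShare -Name $ShareName, ($ShareName + '$') |
    Select-Object Name, Path, FolderEnumerationMode, CachingMode
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight
```

New-SmbShare also accepts -ReadAccess, -ChangeAccess and -FullAccess directly; when any of them is given the default Everyone entry is not created, which saves the Revoke step at the cost of a longer single command.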
Lesson 2
Protecting Shared Files and Folders Using Shadow Copies
Shadow copies are used to restore previous versions of files and folders. It is much faster to restore a previous version of a file from a shadow copy than from a traditional backup copy, which might be stored offsite. Files and folders can be recovered by administrators, or directly by end users.
This lesson introduces you to shadow copies, and shows you how to configure a schedule of drive snapshots in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe shadow copies.
• Describe considerations for scheduling shadow copies.
• Identify methods for restoring data from shadow copies.
• Restore data from a shadow copy.
What Are Shadow Copies?
A shadow copy is a static image (or a snapshot) of a set of data, such as a file or folder. Shadow copies provide the capability to recover files and folders based on snapshots that are taken of storage drives. After a snapshot is taken, you can view and potentially restore previous versions of files and folders that existed at the time that the snapshot was taken.
A shadow copy does not make a complete copy of all files for each snapshot. Instead, after a snapshot is taken, Windows Server 2012 tracks changes to the drive. A specific amount of disk space is allocated for tracking the changed disk blocks. When you access a previous version of a file, some of the content might be in the current version of the file, and some might be in the snapshot.
By default, the changed disk blocks are stored on the same drive as the original file, but this behavior can be modified. You can also define how much disk space is allocated for shadow copies. Multiple snapshots are retained until the allocated disk space is full, after which, older snapshots are removed to make room for new snapshots. The amount of disk space that is used by a snapshot is based on the size of disk changes between snapshots.
Because a snapshot is not a complete copy of files, shadow copies cannot be used as a replacement for traditional backups. If the disk containing a drive is lost or damaged, then the snapshots of that drive are also lost.
Shadow copies are suitable for recovering data files, but not for more complex data—such as databases—that need to be logically consistent before a backup is performed. A database that is restored from previous versions is likely to be corrupt and require database repairs.
Considerations for Scheduling Shadow Copies
The default schedule for creating shadow copies is Monday through Friday at 07:00 A.M., and again at noon. You can modify the default schedule as desired for your organization.
When scheduling shadow copies:
• Consider that increasing the frequency of shadow copies increases the load on the server. You should not schedule drive shadow copies more than once each hour.
• Increase the frequency of shadow copies for the frequently changing data. This increases the likelihood that recent file changes are captured.
• Increase the frequency of shadow copies for important data. This increases the likelihood that recent file changes are captured.
Restoring Data from a Shadow Copy
Previous versions of files can be restored by either users or administrators. Most users are unaware that they can do this and they will need instructions on how to restore a previous version of a file.
Administrators can access previous versions of files directly on the server that stores the files. Users can access previous versions of files over the network from a file share. In both cases, previous versions are accessed from the Properties window of the file or folder.
When viewing previous versions of a folder, you can browse the available files and select only the file that you need. If multiple versions of files are available, you can review each version before deciding which one to restore. Finally, you can copy a previous version of a file to an alternate location instead of restoring it to its previous location. This prevents overwriting the current file version.
Windows XP SP2 or newer, Windows Vista, and Windows 7 operating system clients are capable of accessing previous file versions without installing any additional software. For Windows XP clients that are running Windows XP SP1 or older operating systems, you must install the Previous Versions Client.
Demonstration: Restoring Data from a Shadow Copy
Shadow copies can be created using the default schedule, or you can modify the schedule to provide more frequent snapshots. In either case, you will only see the versions of the file as it has changed. Taking a shadow copy of a file that doesn’t change has no actual effect on the shadow copy. No additional versions are available, and no space is used in the snapshot, for that particular file.
Demonstration Steps

Configure shadow copies

1. On LON-SVR1, open Windows Explorer.

2. Enable Shadow Copies for Local Disk (C:).

Create a new file

1. Open Windows Explorer.

2. Create a folder in drive C named Data.

3. Create a text file named TestFile.txt in the Data folder.

4. Change the contents of TestFile.txt by adding the text Version 1.

Create a shadow copy

1. In Windows Explorer, right-click Local Disk (C:) and then click Configure Shadow Copies.

2. In the Shadow Copies window, click Create Now.

3. When the shadow copy is complete, click OK.

Modify the file

1. In Windows Explorer, double-click TestFile.txt to open the document.

2. In Notepad, type Version 2.

3. Close Notepad, and click Save to save the changes.

Restore a previous version

1. In Windows Explorer, right-click TestFile.txt, and then click Restore previous versions.

2. Restore the most recent version.

3. In the warning window, click Restore.

4. Open TestFile.txt and verify that the previous version (containing only Version 1) is restored.
Lesson 3: Configuring Network Printing

By using the Print and Document Services role in Windows Server 2012, you can share printers on a network and centralize print server and network printer management. By using the Print Management console, you can monitor print queues, and receive important notifications regarding print server activity.

Windows Server 2012 introduces new features and important changes to the Print and Document Services role that you can use to manage your network printing environment better. This lesson explains the important aspects of network printing, and introduces new network printing features that are available in Windows Server 2012.

Lesson Objectives

After completing this lesson, you will be able to:

• Identify the benefits of network printing.

• Describe Enhanced Point and Print.

• Identify security options for network printing.

• Create multiple configurations for a print device.

• Describe printer pooling.

• Describe Branch Office Direct Printing.

• Identify methods for deploying printers to clients.

Benefits of Network Printing

You can configure network printing by using Windows Server 2012 as a print server for users. In this configuration, client computers submit print jobs to the print server for delivery to a printer that is connected to the network.

The biggest benefit of using Windows Server 2012 as a print server is centralized management of printing. Instead of managing client connections to many individual devices, you manage their connection to the server. Printer drivers are installed centrally on the server, and then distributed to workstations.

By centralizing printing on a server, you also simplify troubleshooting. It is relatively easy to determine whether printing problems are caused by the printer, the server, or the client computer.

A network printer is more expensive than those typically used for local printing, but it also has significantly lower consumables costs and better quality printing. Therefore, the cost of printing is still minimized, because the initial cost of the printer is spread over all the computers that connect to that printer. For example, a single network printer could service 100 users or more.

Network printers can also be published in AD DS, which allows users to search for printers in their domain.

What Is Enhanced Point and Print?

Enhanced Point and Print is a new function in Windows Server 2012 that makes it easier to install drivers for network printers. Enhanced Point and Print uses the new version 4 (v4) driver type that is introduced in Windows Server 2012 and Windows 8.

Understanding V3 Drivers and V4 Drivers

The Windows printer driver standard that is used in previous versions of Windows Server has existed in relatively the same form since the introduction of version 3 (v3) drivers in Windows 2000 operating systems. With v3 drivers, printer manufacturers created customized print drivers for each specific device that they produced, to ensure that Windows applications could use all of their printer's features. Under the v3 model, printer infrastructure management requires administrators to maintain drivers for each print device in the environment, and separate 32-bit and 64-bit drivers for a single print device, to support both platforms.

Introducing the V4 Printer Driver

Windows Server 2012 and Windows 8 include support for v4 print drivers, which enables improved print device driver management and installation. Under the v4 model, print device manufacturers can create Print Class Drivers that support similar printing features and printing languages that may be common to a large set of devices. Common printing languages include Printer Control Language (PCL), PostScript (.ps), and XML Paper Specification (XPS).

Version 4 drivers are typically delivered by using Windows Update or Windows Server Update Services. Unlike v3 drivers, v4 drivers are not delivered from a printer driver store that is hosted on the print server.

The v4 driver model provides the following benefits:

• Sharing a printer does not require provisioning drivers that match the client architecture.

• Driver files are isolated on a per-driver basis, preventing driver file naming conflicts.

• A single driver can support multiple devices.

• Driver packages are smaller and more streamlined than v3 drivers, resulting in faster driver installation times.

• The printer driver and the printer user interface can be deployed independently.

Using Enhanced Point and Print for Driver Installation

Under the v4 model, printer sharing and driver installation operate automatically under Enhanced Point and Print. When a network printer is installed on a client computer, the server and client work together to identify the print device. The driver then installs directly from the driver store on the client machine, or from Windows Update or Windows Server Update Services.

With Enhanced Point and Print, the print device drivers no longer need to be maintained on the print server. Driver installation for network print devices becomes faster because printer drivers no longer need to be transferred over the network from server to client.

If the driver store on the client machine does not contain a driver for the network printer that is being installed, and if an appropriate driver cannot be obtained from Windows Update or Windows Server Update Services, Windows uses a fallback mechanism to enable cross-platform printing using the printer driver from the print server.

Security Options for Network Printing

When a printer is shared over a network, in many cases no security is required. The printer is considered to be open access, that is, everyone is allowed to print on it. This is the default configuration for a printer that is shared on a Windows server.

The permissions that are available for shared printing include:

• Print: This permission allows users to print documents on the printer. By default, the Everyone group is assigned this permission.

• Manage this printer: This permission allows users to modify printer settings, including updating drivers. By default, this permission is given to Administrators, Server Operators, and Print Operators.

• Manage documents: This permission allows users to modify and delete print jobs in the queue. This permission is assigned to CREATOR OWNER, which means that the user who creates a print job manages that job. Administrators, Server Operators, and Print Operators also have this permission for all print jobs.

Demonstration: Creating Multiple Configurations for a Print Device

Creating multiple configurations for a print device enables you to assign print queues to specific users or groups so that they can send high priority jobs to a printer that is being used by other users. When a print job is sent to the high priority print queue, the print server will process the job before any jobs coming from the normal priority queue.

Demonstration Steps

Create a shared printer

1. Open the Devices and Printers window.

2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.

3. Name the printer AllUsers.

4. Share the printer using the default settings.

Create a second shared printer that uses the same port

1. Open the Devices and Printers window.

2. Add a printer using the LPT1 local port, and the Brother Color Leg Type1 Class driver.

3. Name the printer Executives.

4. Share the printer using the default settings.

Increase printing priority for a high priority print queue

1. Open the Executives Printer properties window.

2. Increase the Priority to 10.

What Is Printer Pooling?

Printer pooling is a way to combine multiple physical printers into a single logical unit. To client computers, the printer pool appears to be a single printer. When jobs are submitted to the printer pool, they can be processed by any available printer in the printer pool.

Printer pooling increases the scalability and availability of network printing. If one printer in the pool is unavailable (for example, because of a large print job, a paper jam, or being offline), all jobs are sent to the remaining printers. If a printer pool does not have sufficient capacity, you can add another printer to the printer pool without performing any client configuration.

A printer pool is configured on a server by specifying multiple ports for a printer. Each port is the location of one physical printer. In most cases, the ports are an IP address on the network, instead of a local LPT or USB connection.

The requirements for a printer pool are as follows:

• Printers must use the same driver: Clients use a single printer driver for generating print jobs. All printers must accept print jobs in the same format. In many cases, this means that a single printer model is used.

• Printers should be in the same location: The printers in a printer pool should be located physically close together. When users retrieve their print jobs, they must check all printers in the printer pool to find their document. There is no way for users to know which printer has printed their document.

What Is Branch Office Direct Printing?

Branch Office Direct Printing reduces network costs for organizations that have centralized their Windows Server roles. When Branch Office Direct Printing is enabled, Windows clients obtain printer information from the print server, but send the print jobs directly to the printer. The print data no longer travels to the central server and then back to the branch office printer. This configuration reduces traffic between the client computer, the print server, and the branch office printer, and results in increased network efficiency.

Branch Office Direct Printing is transparent to the user. In addition, the user can print even if the print server is unavailable for some reason (for example, if the wide area network (WAN) link to the data center is down). This is because the printer information is cached on the client computer in the branch office.

Configuring Branch Office Direct Printing

Branch Office Direct Printing is configured by an administrator using the Print Management console or a Windows PowerShell® command-line interface.

To configure Branch Office Direct Printing from the Print Management console, use the following steps:

1. In Server Manager, open the Print Management console.

2. In the navigation pane, expand Print Servers, and then expand the print server that is hosting the network printer for which Branch Office Direct Printing will be enabled.

3. Click the Printers node, right-click the desired printer, and then click Enable Branch Office Direct Printing.

To configure Branch Office Direct Printing using a Windows PowerShell command-line interface, type the following command at a Windows PowerShell command prompt:

Set-Printer -Name "<Printer Name Here>" -ComputerName <Print Server Name Here> -RenderingMode BranchOffice

Deploying Printers to Clients

Deploying printers to clients is a critical part of managing printing services on the network. A well-designed system for deploying printers is scalable and can be used to manage hundreds or thousands of computers.

The options for deploying printers are:

• Group Policy preferences. You can use Group Policy preferences to deploy shared printers to Windows XP, Windows Vista, Windows 7, and Windows 8 clients. The printer can be associated with either the user account or the computer account, and can be targeted by group. For Windows XP computers, you must install the Group Policy Preference Client Extensions.

• GPO created by Print Management. The Print Management administrative tool can add printers to a GPO for distribution to client computers based on either a user account or a computer account. Windows XP computers must be configured to run Pushprinterconnections.exe.

• Manual installation. Each user can add printers manually by either browsing the network or using the Add Printer Wizard. It is important to note that network printers that are installed manually are available only to the user that installed them. If multiple users share a computer, they must each install the printer manually.
Lab: Implementing File and Print Services

Scenario
Your manager has recently asked you to configure file and print services for the branch office. This requires you to configure a new shared folder that is used by multiple departments, configure shadow copies on the file servers, and configure a printer pool.
Objectives
After performing this Lab you will be able to:
• Create and configure a file share.
• Configure a shadow copy
• Create and configure a printer pool.
Lab Setup
Estimated Time: 40 minutes
Logon Information
Virtual Machines 20410A-LON-CL1
20410A-LON-DC1
20410A-LON-SVR1
User Name Adatum\Administrator
Password Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20410A-LON-DC1 and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410A-LON-SVR1.
6. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.
Exercise 1: Creating and Configuring a File Share
Scenario
Your manager has asked you to create a new shared folder for use by all departments. There will be a single file share with separate folders for each department. To ensure that users only see files to which they have access, you need to enable access-based enumeration on the share.
There have been problems in other branch offices with conflicts when offline files are used for shared data structures. To avoid conflicts, you need to disable Offline Files for this share.
The main tasks for this exercise are as follows:
1. Create the folder structure for the new share.
2. Configure NTFS permissions on the folder structure.
3. Create the shared folder.
4. Test access to the shared folder.
5. Enable access-based enumeration.
6. Test access to the share.
7. Disable Offline Files for the share.
Task 1: Create the folder structure for the new share

1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open a Windows Explorer window, and create the following folders:
o E:\Data
o E:\Data\Development
o E:\Data\Marketing
o E:\Data\Research
o E:\Data\Sales
Task 2: Configure NTFS permissions on the folder structure

1. In Windows Explorer, block the NTFS permissions inheritance for E:\Data, and when prompted, convert inherited permissions into explicit permissions.
2. In Windows Explorer, remove permissions for LON-SVR1\Users on subdirectories in E:\Data.
3. In Windows Explorer, add the following NTFS permissions for the folder structure:
Folder Permissions
E:\Data No change
E:\Data\Development Modify: Adatum\Development
E:\Data\Marketing Modify: Adatum\Marketing
E:\Data\Research Modify: Adatum\Research
E:\Data\Sales Modify: Adatum\Sales
Task 3: Create the shared folder

1. In Windows Explorer, share the E:\Data folder.

2. Assign the following permissions to the shared folder:

o Change: Authenticated Users (a built-in well-known group, not an Adatum domain group)
Task 4: Test access to the shared folder

1. Log on to LON-CL1 as Adatum\Bernard with the password Pa$$w0rd.
Note: Bernard is a member of the Development group.
2. Open Windows Explorer.
3. Navigate to \\LON-SVR1\Data.
4. Attempt to open the Development, Marketing, Research, and Sales folders.
Note: Bernard should have access to the Development folder. However, although Bernard can still see the other folders, he does not have access to their contents.
5. Log off LON-CL1.
Task 5: Enable access-based enumeration

1. Switch to LON-SVR1.

2. Open Server Manager.

3. Select File and Storage Services.
4. Select Shares.
5. Open the Properties window for the Data share, and from the Settings page, enable Access-based enumeration.
Task 6: Test access to the share

1. Log on to LON-CL1 as Adatum\Bernard with the password Pa$$w0rd.
2. Click the Desktop tile and then open a Windows Explorer window, and navigate to \\LON-SVR1\Data.
Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.
3. Open the Development folder to confirm access.
4. Log off LON-CL1.
Task 7: Disable Offline Files for the share

1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to E:\
4. Open the Properties window for the Data folder, and disable Offline file caching.
Results: After finishing this exercise, you will have created a new shared folder for use by multiple departments.
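The same share can be built from a Windows PowerShell prompt on the file server. The following script is an added example for this exercise, not part of the 20410A courseware: it creates the folder tree, breaks inheritance and converts inherited entries to explicit ones (icacls /inheritance:d), removes the local Users entry from the department folders, grants each department group Modify on its own folder, and creates the share with Change for Authenticated Users, access-based enumeration on, and offline caching off. It assumes the Adatum domain groups and the E: volume from the lab.

```powershell
# Added example (not from the courseware). Run elevated on the file server (LON-SVR1 in the lab).
$Root  = 'E:\Data'
$Depts = 'Development', 'Marketing', 'Research', 'Sales'

# Task 1: folder structure
New-Item -ItemType Directory -Path $Root -Force | Out-Null
foreach ($d in $Depts) { New-Item -ItemType Directory -Path (Join-Path $Root $d) -Force | Out-Null }

# Task 2, step 1: block inheritance on E:\Data and keep the inherited ACEs as explicit ACEs
icacls $Root /inheritance:d | Out-Null

# Task 2, steps 2-3: on each department folder, drop the local Users entry (BUILTIN\Users)
# so only the department group can enter, then grant that group Modify.
# (OI)(CI) makes the ACE inherit to files and subfolders.
foreach ($d in $Depts) {
    $p = Join-Path $Root $d
    icacls $p /inheritance:d              | Out-Null   # inherited -> explicit on the subfolder
    icacls $p /remove:g 'Users'           | Out-Null   # remove BUILTIN\Users
    icacls $p /grant:r "ADATUM\$d:(OI)(CI)M" | Out-Null
}

# Tasks 3, 5 and 7: share with Change for Authenticated Users, ABE on, Offline Files off
New-SmbShare -Name 'Data' -Path $Root `
    -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased `
    -CachingMode None | Out-Null

# Verification: list the domain ACEs on each department folder
foreach ($d in $Depts) {
    (Get-Acl (Join-Path $Root $d)).Access |
        Where-Object { $_.IdentityReference -like 'ADATUM\*' } |
        Select-Object @{n='Folder';e={$d}}, IdentityReference, FileSystemRights
}
Get-SmbShare -Name 'Data' | Select-Object Name, Path, FolderEnumerationMode, CachingMode
```

Access-based enumeration only hides folders a user cannot open; it is a usability feature, not a permission. The NTFS ACL on each department folder is what actually stops Bernard from reading Marketing, so test with a non-administrative account exactly as Task 4 and Task 6 describe.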
Exercise 2: Configuring Shadow Copies
Scenario
A. Datum Corporation stores daily backups offsite for disaster recovery. Every morning the backup from the previous night is taken offsite. To recover a file from backup requires the backup tapes to be shipped back onsite. The overall time to recover a file from backup can be a day or more.
Your manager has asked you to ensure that shadow copies are enabled on the file server so you can restore recently modified or deleted files without using a backup tape. Because the data in this branch office changes frequently, you have been asked to configure a shadow copy to be created once per hour.
The main tasks for this exercise are as follows:
1. Configure shadow copies for the file share.
2. Create multiple shadow copies of a file.
3. Recover a deleted file from a shadow copy.
Task 1: Configure shadow copies for the file share

1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
4. Enable Shadow Copies for the E:\ drive.
5. Configure the settings to schedule hourly shadow copies for the E:\ drive.
Task 2: Create multiple shadow copies of a file

1. On LON-SVR1, switch to Windows Explorer, and navigate to the E:\Data\Development folder.
2. Create a new text file named Report.txt.
3. Switch the Shadow Copies window, and then click Create Now.
Task 3: Recover a deleted file from a shadow copy

1. Switch back to the Windows Explorer window.
2. Delete the Report.txt file.
3. Open the Properties window for E:\Data\Development, and then click the Previous Versions tab.
4. Open the most recent version of the Development folder, and then copy the Report.txt file.
5. Paste the file back into the Development folder.
6. Close Windows Explorer and all open windows.
Results: After finishing this exercise, you will have enabled shadow copies on the file server.
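The shadow copy workflow shown in the Lesson 2 demonstration and in this exercise can also be scripted, which is how you would apply it consistently across several file servers. The following is an added example, not code from the courseware: it caps the shadow storage for the volume, schedules an hourly snapshot with a scheduled task (the lesson advises no more than one per hour), takes one snapshot immediately through the same Volume Shadow Copy provider the Previous Versions tab uses, and then copies a deleted file out of the newest snapshot to an alternate location so the live copy is never overwritten. The volume, storage cap, task name and file path are example values for LON-SVR1.

```powershell
# Added example (not from the courseware). Run elevated on the file server.
$Volume   = 'E:'
$DataPath = 'E:\Data\Development'
$TaskName = 'ShadowCopyHourly-E'

# 1. Limit shadow storage so snapshots cannot fill the volume; once the cap is reached,
#    the oldest snapshots are discarded automatically (value is an example).
vssadmin resize shadowstorage "/for=$Volume" "/on=$Volume" "/maxsize=10%"

# 2. Hourly schedule, running as SYSTEM (the course recommends at most one snapshot per hour).
schtasks /Create /F /TN $TaskName /SC HOURLY /RU SYSTEM /TR "vssadmin create shadow /for=$Volume"

# 3. Take a snapshot now. 'ClientAccessible' is the context the Previous Versions feature uses.
$result = ([wmiclass]'Win32_ShadowCopy').Create("$Volume\", 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Snapshot failed with return code $($result.ReturnValue)" }

# 4. Locate the newest snapshot of this volume (match on the volume GUID path).
$volumeId = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
$shadow = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } -Descending |
    Select-Object -First 1

# 5. Recover Report.txt from the snapshot to an alternate name. The snapshot is exposed as
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; cmd.exe copy handles that path form.
$snapFolder = "$($shadow.DeviceObject)$($DataPath.Substring(2))"   # e.g. ...ShadowCopy3\Data\Development
cmd /c copy "$snapFolder\Report.txt" "$DataPath\Report.restored.txt"

# 6. Show what is on disk now and how much shadow storage the volume is using.
vssadmin list shadows "/for=$Volume"
vssadmin list shadowstorage "/for=$Volume"
```

Step 5 is the scripted equivalent of "copy a previous version of a file to an alternate location" from the lesson. Because the snapshot lives on the same volume as the data, this recovers accidental deletions and overwrites only; if E: is lost, the snapshots go with it, which is the reason the review question asks why shadow copies are not a backup.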
Exercise 3: Creating and Configuring a Printer Pool
Scenario
Your manager has asked you to create a new shared printer for your branch office. However, instead of creating the shared printer on the local server in the branch office, he has asked you to create the shared printer in the head office and use Branch Office Direct Printing. This allows the printer to be managed in the head office, but prevents print jobs from traversing WAN links.
To ensure high availability of this printer, you need to format it as a pooled printer. Two physical print devices of the same model have been installed in the branch office for this purpose.
The main tasks for this exercise are as follows:
1. Install the Print and Document Services server role.
2. Install a printer.
3. Configure printer pooling.
4. Install a printer on a client computer.
Task 1: Install the Print and Document Services server role

1. On LON-SVR1, open Server Manager.
2. Install the Print and Document Services role, and accept the default settings.
Task 2: Install a printer

1. On LON-SVR1, use the Print Management console to install a printer with the following parameters:
a. IP Address: 172.16.0.200
b. Driver: Microsoft XPS Class Driver
c. Name: Branch Office Printer
2. Enable Branch Office Direct Printing.
3. List the printer in AD DS.
Task 3: Configure printer pooling

1. In the Print Management console, create a new port on LON-SVR1 with the following configuration:
a. Type: Standard TCP/IP port
b. IP Address: 172.16.0.201
c. Connection: Generic Network Card
2. Open the Branch Office Printer Properties page, and on the Ports tab, enable printer pooling.
3. Select port 172.16.0.201 as the second port.
Task 4: Install a printer on a client computer

1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Add a printer, selecting the Branch Office Printer on LON-SVR1 printer.
Results: After finishing this exercise, you will have installed the Print and Document Services server role and installed a printer with printer pooling.
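Exercise 3 can be reproduced end to end with the PrintManagement cmdlets, which is also the quickest way to audit the result. The following is an added example, not code from the courseware: it installs the role, creates the two Standard TCP/IP ports, adds the printer with the in-box Microsoft XPS Class Driver, pools both ports, enables Branch Office Direct Printing (the Set-Printer -RenderingMode BranchOffice switch from Lesson 3) and AD DS publishing, and finally prints the share's security descriptor so you can see the Lesson 3 defaults (Print for Everyone, Manage for Administrators, Server Operators and Print Operators, Manage documents for CREATOR OWNER). The printer name and IP addresses follow the lab; passing a comma-separated port list to Set-Printer -PortName is an assumption based on how pooled printers expose PortName, so confirm it on the Ports tab of the printer properties.

```powershell
# Added example (not from the courseware). Run elevated on LON-SVR1.
Install-WindowsFeature -Name Print-Services -IncludeManagementTools | Out-Null

$Printer = 'Branch Office Printer'
$Driver  = 'Microsoft XPS Class Driver'          # in-box v4 class driver
$Ports   = '172.16.0.200', '172.16.0.201'        # two print devices of the same model

# Task 3, step 1 (and the port for Task 2): one Standard TCP/IP port per physical device
foreach ($ip in $Ports) {
    if (-not (Get-PrinterPort -Name $ip -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $ip -PrinterHostAddress $ip
    }
}

# Task 2: install the driver from the driver store and add the shared printer on the first port
Add-PrinterDriver -Name $Driver
Add-Printer -Name $Printer -DriverName $Driver -PortName $Ports[0] -Shared -ShareName 'BranchPrinter'

# Task 3, steps 2-3: printer pooling = the same queue bound to several ports
# (assumption: a comma-separated PortName, the form a pooled printer reports back)
Set-Printer -Name $Printer -PortName ($Ports -join ',')

# Task 2, steps 2-3: Branch Office Direct Printing and listing in AD DS
Set-Printer -Name $Printer -RenderingMode BranchOffice -Published $true

# Review: rendering mode, pooled ports, and the share's security descriptor (SDDL)
Get-Printer -Name $Printer -Full |
    Select-Object Name, PortName, RenderingMode, Published, Shared, PermissionSDDL
```

Keep the SDDL in mind when a queue must not be open to everyone: Set-Printer -PermissionSDDL replaces the whole descriptor, so generate the new SDDL from the current one rather than writing it by hand, and re-check with Get-Printer -Full afterwards.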
To prepare for the next module

After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.
Module Review and Takeaways

Review Questions:
Question: How does inheritance affect explicitly assigned permissions on a file?
Question: Why should you not use shadow copies as a means for data backup?
Question: In which scenarios could Branch Office Direct Printing be beneficial?
Tools

Effective Permissions Tool
Used for: Assessing combined permissions for a file, folder, or shared folder.
Where to find it: Under Advanced, on the Security tab of the Properties page of a file, folder, or shared folder.

Netsh command-line tool
Used for: Configuring Windows Server 2012 networking components.
Where to find it: Command prompt.

Print Management administrative tool
Used for: Managing the print environment in Windows Server 2012.
Where to find it: The Tools menu in Server Manager.
Module 11 Implementing Group Policy
Contents: Module Overview 11-1
Lesson 1: Overview of Group Policy 11-2
Lesson 2: Group Policy Processing 11-10
Lesson 3: Implementing a Central Store for Administrative Templates 11-15
Lab: Implementing Group Policy 11-19
Module Review and Takeaways 11-23
Module Overview
Maintaining a consistent environment across an organization is challenging. Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling administrators to centrally manage and apply configuration settings.
This module provides an overview of Group Policy and provides details about how to implement group policies.
Objectives
After completing this module, you will be able to:
• Create and manage Group Policy Objects.
• Describe Group Policy processing.
• Implement a central store for administrative templates.
Lesson 1: Overview of Group Policy

Group Policy allows you to control the computing environment. It is important to understand how Group Policy functions, so you can apply Group Policy correctly. This lesson provides an overview of Group Policy structure, and defines local and domain group policies. It also describes the types of settings available for users and groups.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the components of Group Policy.

• Describe multiple local Group Policy Objects (GPOs).

• Describe storage options for domain GPOs.

• Describe GPO policies and preferences.

• Describe starter GPOs.

• Describe the process of delegating GPO management.

• Describe the process of creating and managing GPOs.

Components of Group Policy

Group Policies are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group Group Policies together to make GPOs, which you can then apply to security principals (users, groups, or computers).

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory® containers to apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server® and Windows® operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.
Most policy settings have three states:
• Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
• Enabled. The policy setting will be applied.
• Disabled. The policy setting is specifically reversed.
By default, most settings are set to Not Configured.
Note: Some settings are multi-valued or have text string values. These are typically used to provide specific configuration details to applications or operating system components. For example, a setting may provide the URL of the home page for Windows Internet Explorer® or blocked applications.
The effect of the change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: You disable a policy that prevents an action, so you allow the action.
Group Policy Settings Structure
There are two distinct areas of Group Policy settings:
• User settings. These are settings that modify the HKEY_CURRENT_USER (HKCU) hive of the registry.

• Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE (HKLM) hive of the registry.
User and computer settings each have three areas of configuration, as described in the following table.
Section Description
Software settings Contain software settings that can be deployed to either the user or the computer. Software that is deployed to a user is specific to that user. Software that is deployed to the computer is available to all users of that computer.
Windows operating system settings
Contain script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.
Administrative templates Contain hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates may be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download, and that you can add to the GPMC.
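The three states and the user/computer hive split described above become concrete when you look at the registry value an administrative template writes. The following script is an added example, not part of the courseware: using the GroupPolicy module cmdlets on a domain controller or a management workstation with RSAT, it creates a GPO and drives the Prohibit Access to Control Panel setting through Enabled, Disabled and Not Configured by writing, reversing and removing the NoControlPanel value under the HKCU policies key. The GPO name, OU path and domain (adatum.com) are assumptions, and writing 0 for Disabled is how this example models the "specifically reversed" state; the Group Policy Management Editor writes whatever representation the template defines, so check the template when scripting other settings.

```powershell
# Added example (not from the courseware). Requires the GroupPolicy module and a domain.
Import-Module GroupPolicy

$GpoName = 'Example-ControlPanel'                       # assumption
$OuPath  = 'OU=Sales,DC=adatum,DC=com'                  # assumption
# User setting -> HKCU. The same value under HKLM would be a computer setting.
$Key     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Value   = 'NoControlPanel'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Enabled / Disabled / Not Configured demo' }

# Enabled: the setting is applied. NoControlPanel = 1 blocks Control Panel for the user.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value -Type DWord -Value 1 | Out-Null
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value | Select-Object ValueName, Value

# Disabled: the setting is specifically reversed (the "double negative" from the text):
# disabling a policy that prohibits an action allows the action, and wins over a
# lower-precedence GPO that enables the prohibition.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value -Type DWord -Value 0 | Out-Null
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value | Select-Object ValueName, Value

# Not Configured: the GPO says nothing about the setting, so the existing configuration
# (from another GPO or the local default) is left untouched.
Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value | Out-Null
Get-GPRegistryValue -Name $GpoName -Key $Key -ErrorAction SilentlyContinue   # no value returned

# Link the GPO to an OU so the user settings apply at next refresh, and save a report to review.
New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
```

On a client, gpupdate /force followed by gpresult /h report.html shows which of the three states won after precedence is applied, which is the quickest way to confirm the reasoning above.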
Group Policy Management Editor
The Group Policy Management Editor (GPME) displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.
11-4 Implementing Group Policy
Group Policy Preferences
In addition to the sections shown in the previous table, a Preferences node is present under both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor. Preferences provide even more capabilities with which to configure the environment, and are discussed later in this module.
Local Group Policy
All systems running the Microsoft® Windows 2000 operating systems or newer also have local Group Policies that are available. Local policy settings only apply to the local machine, but can be exported to other computers.
What Are Multiple Local GPOs?
In Windows operating systems prior to Windows Vista®, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista® and newer client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs. In Windows 8 and Windows Server 2012, it is now possible to have different user settings for different local users; this is only available for the users' configurations in Group Policy. There is only one set of computer configurations available, and it affects all users of the computer.
Windows 8 and Windows Server 2012 provide this ability with the following three layers of Local Group Policy Objects:
• Local Group Policy (contains the computer configuration settings)
• Administrator and Non-Administrator Group Policy
• User-specific Local Group Policy
Note: The exception to this feature is domain controllers. Due to the nature of their role, domain controllers cannot have local Group Policies.
How the Layers Are Processed
The layers of Local Group Policy Objects are processed in the following order:
1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy
With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local Group Policies to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.
Note: Domain administrators can disable processing of Local Group Policy Objects on clients that are running Windows client operating systems and Windows Server operating systems by enabling the Turn Off Local Group Policy Objects Processing policy setting in a domain Group Policy Object.
20410A: Installing and Configuring Windows Server® 2012 11-5
Storage of Domain GPOs
Group Policy settings are presented as GPOs in the Group Policy Management tool, but a GPO is actually two components: a Group Policy template, and a Group Policy container.
Group Policy Template
Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.
Group Policy Container
The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and the version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller. SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened.
By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated.
The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.
When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
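Because the container (AD DS) and the template (SYSVOL) each carry their own copy of the version number, a practical health check is to compare the two for every GPO; a mismatch usually means SYSVOL replication has not caught up with AD DS replication. The script below is an added example, not part of the course text; it assumes the GroupPolicy module (RSAT/GPMC) and read access to the domain's SYSVOL share.

```powershell
# Added example: compare each GPO's version numbers in the Group Policy
# container (AD DS) with those in the Group Policy template (SYSVOL).
Import-Module GroupPolicy

# GPT.ini holds one 32-bit number: user version in the high 16 bits,
# computer version in the low 16 bits (same encoding as the container's
# versionNumber attribute).
function Split-GpoVersion {
    param([Parameter(Mandatory)][int64]$Combined)
    [pscustomobject]@{
        User     = [int](($Combined -shr 16) -band 0xFFFF)
        Computer = [int]($Combined -band 0xFFFF)
    }
}

function Test-GpoVersionConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Group Policy template path for this GPO under SYSVOL (GUID folder)
        $gptIni = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\GPT.ini"
        $fileVersion = $null
        if (Test-Path $gptIni) {
            $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $fileVersion = Split-GpoVersion ([int64]$m.Matches[0].Groups[1].Value) }
        }
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            AdComputer     = $gpo.Computer.DSVersion      # container, computer half
            SysvolComputer = $gpo.Computer.SysvolVersion  # template, computer half
            AdUser         = $gpo.User.DSVersion
            SysvolUser     = $gpo.User.SysvolVersion
            GptIniComputer = if ($fileVersion) { $fileVersion.Computer } else { $null }
            GptIniUser     = if ($fileVersion) { $fileVersion.User } else { $null }
            Consistent     = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                             ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
        }
    }
}

# Report only the GPOs whose two halves disagree
Test-GpoVersionConsistency | Where-Object { -not $_.Consistent } | Format-Table -AutoSize
```

Run it against each domain controller's SYSVOL (for example by passing a DC name instead of the domain name in the UNC path) to locate the replica that is behind.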
What Are Group Policies and Preferences?
Group Policy Preferences are a feature in the Windows Server 2012 operating system. Preferences include more than 20 Group Policy extensions that expand the range of configurable settings within a GPO. Preferences help to reduce the need for logon scripts.
Note: Windows XP operating systems need to have the Group Policy client-side extensions installed to process Group Policy preferences. These can be downloaded from the Microsoft download website.
Characteristics of Preferences
Preferences have the following characteristics:
• Preferences exist for both computers and users.
• Unlike Group Policy settings, preferences are not enforced, and users can change the configurations that are established by preferences.
• Preferences can be managed through the Remote Server Administration Tools (RSAT).
• Preferences can be applied only once at startup or logon, or refreshed at intervals.
• Unlike Group Policy settings, preferences are not removed when the GPO is no longer applied, but you can change this behavior.
• Preferences can easily be targeted to certain users or computers through a variety of ways, such as security group membership or operating system version.
• Preferences are not available for local group policies.
• Unlike Group Policy, the user interface of the setting is not disabled.
Common Uses for Group Policy Preferences
Although you can configure many settings through Group Policy preferences, some of the more common uses are as follows:
• Drive mappings for users
• Configuring desktop shortcuts for users or computers
• Setting environment variables
• Mapping printers
• Setting power options
• Configuring Start menus
• Configuring data sources
• Configuring Internet options
• Scheduling tasks
What Are Starter GPOs?
Starter GPOs are templates that assist in the creation of GPOs. When creating new GPOs, you can choose to use a starter GPO as the source. This makes it easier and faster to create multiple GPOs with the same baseline configuration.
Available Settings
Starter GPOs can only contain settings from the Administrative Templates node of either the User Configuration section or the Computer Configuration section. The Software Settings and Windows Settings nodes of Group Policy are not available, because these nodes involve interaction of services and are more complex and domain-dependent.
Exporting Starter GPOs
You can export starter GPOs to a Cabinet file (.cab) and then load that .cab file into another environment that is completely independent of the source domain/forest. Exporting a starter GPO allows you to send the .cab file to other administrators, who can then use it in other areas. For example, you may create a GPO that defines Internet Explorer security settings. If you want all sites and domains to employ the same settings, then you could export the starter GPO to a .cab file, and then distribute it.
When to Use Starter GPOs
The most common situation in which you would use a starter GPO is when you want a group of settings for a type of computer role. For example, you may want all corporate laptops to have the same desktop restrictions, or all file servers to have the same baseline Group Policy settings, but enable variations for different departments.
Included Starter GPOs
The GPMC includes a link to create a Starter GPO folder, which contains a number of predefined starter GPOs. These policies provide preconfigured security-oriented settings for enterprise clients (EC) and Windows Specialized Security – Limited Functionality (SSLF) clients, for both user and computer settings, on Windows Vista and Windows XP SP2 operating systems. You can use these policies as starting points when you design security policies.
Delegating Management of GPOs
Administrators can delegate some of the Group Policy administrative tasks to other users. These users do not have to be domain administrators; they can be users that are granted certain rights to GPOs. For example, a user who manages a particular Organizational Unit (OU) could be tasked with performing reporting and analysis duties, while the help desk group is allowed to edit GPOs for that OU. A third group of developers might be put in charge of creating Windows Management Instrumentation (WMI) filters.
The following Group Policy tasks can be delegated independently:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy modeling analysis
• Reading Group Policy results data
• Creating WMI filters
The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.
Group Policy Default Permissions
By default, the following users and groups have full access to manage Group Policy:
• Domain Admins
• Enterprise Admins
• Creator Owner
• Local System
The Authenticated User group has Read and Apply Group Policy permissions only.
Permissions for Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:
• Add the user to the Group Policy Creator Owners group
• Explicitly grant the group or user permission to create GPOs by using GPMC
Permissions for Editing GPOs
To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.
Managing GPO Links
The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.
Group Policy Modeling and Group Policy Results
You can delegate the ability to use the reporting tools in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.
Creating WMI Filters
You can delegate the ability to create and manage WMI filters in the same fashion, either through GPMC or through the Delegation of Control Wizard in Active Directory Users and Computers.
Demonstration: Creating and Managing GPOs
In this demonstration, you will see how to use the GPMC to create a new GPO. You will also see how you can use the Group Policy Management Editor to edit the GPO settings. Finally, you will see how Windows PowerShell® is used to create a GPO.
Demonstration Steps
Create a GPO by using the GPMC
• Log on to LON-DC1 as Administrator and create a policy named Prohibit Windows Messenger.
Edit a GPO with the Group Policy Management Editor
1. Edit the policy to prohibit the use of Windows Messenger.
2. Link the Prohibit Windows Messenger GPO to the domain.
Use Windows PowerShell to create a GPO
• Use Windows PowerShell to create a GPO named Desktop Lockdown.
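The Windows PowerShell step of the demonstration, carried through with the GroupPolicy module and seeded from a starter GPO as described under "What Are Starter GPOs?". This is an added example, not the course's own demonstration script; it assumes a domain admin session on a domain controller such as LON-DC1, and the starter GPO name and comments are constructed here. The registry key and value name used for the "Prohibit access to Control Panel" setting are the ones that Administrative Template writes.

```powershell
# Added example: create the "Desktop Lockdown" GPO with Windows PowerShell,
# configure one Administrative Template setting, link it to the domain and
# confirm the result.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=Adatum,DC=com in the labs

# 1. A starter GPO holding the baseline. Starter GPOs can only carry
#    Administrative Template settings, which is all we need here.
$starter = Get-GPStarterGPO -Name 'Desktop Baseline' -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name 'Desktop Baseline' `
        -Comment 'Baseline for user desktop lockdown (constructed example)'
}

# 2. The real GPO, created from the starter so it inherits the baseline.
$gpo = New-GPO -Name 'Desktop Lockdown' -StarterGpoName $starter.DisplayName `
    -Comment 'Created with Windows PowerShell'

# 3. One managed policy setting. "Prohibit access to Control Panel" writes
#    NoControlPanel under the Policies branch of HKEY_CURRENT_USER; setting
#    the value here is equivalent to enabling it in the GPME.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO at the domain level; the link is created enabled.
New-GPLink -Name $gpo.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

# 5. Verify: the GPO exists, its user-side version was bumped by the edit,
#    and the setting is present in the Group Policy template.
Get-GPO -Name 'Desktop Lockdown' |
    Select-Object DisplayName, Id, GpoStatus, @{n='UserVersion'; e={ $_.User.DSVersion }}
Get-GPRegistryValue -Name 'Desktop Lockdown' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel'
```

Get-GPOReport -Name 'Desktop Lockdown' -ReportType Html -Path report.html produces the same settings report the GPMC shows on the GPO's Settings tab.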
Lesson 2
Group Policy Processing
Understanding how Group Policy is applied is the key to being able to develop a Group Policy strategy. This lesson shows you how Group Policy is associated with Active Directory objects, how it is processed, and how to control the application of Group Policy. After creating the GPOs and configuring the settings you want to apply, they must be linked to containers. GPOs are applied in a specific order. This order may determine what settings are applied to objects. There are two default policies that are automatically created. These policies are used to deliver password and security settings for the domain and for domain controllers. The application of policies can also be controlled through security filtering.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a GPO link.
• Describe how GPOs are applied to containers and objects.
• Describe the Group Policy processing order.
• Describe the default GPOs.
• Describe GPO security filtering.
GPO Links
Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:
• Sites
• Domains
• OUs
Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently to all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have the Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.
You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container.
GPOs cannot be linked directly to users, groups or computers. In addition, GPOs cannot be linked to the system containers of AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs linked to the domain level only.
Applying GPOs
Computer configuration settings are applied at startup, and then are refreshed at regular intervals. Any startup scripts are run at computer startup. The default interval is every 90 minutes, but this is configurable. The exception to the set interval is domain controllers, which have their settings refreshed every five minutes.
User settings are applied at logon and are refreshed at regular, configurable intervals; the default is also 90 minutes. Any logon scripts are run at logon.
Note: A number of user settings require two logons before the user sees the effect of the GPO. This is because users logging on to the same computer use cached credentials to speed up logons. This means that, although the policy settings are being delivered to the computer, the user is already logged on and thus the settings will not take effect until the next logon. The folder redirection setting is an example of this.
You can change the refresh interval by configuring a Group Policy setting. For computer settings, the refresh interval setting is found in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. For user settings, the refresh interval is found at the corresponding settings under User Configuration. An exception to the refresh interval is security settings. The security settings section of the Group Policy will be refreshed at least every 16 hours, regardless of the interval that you set for the refresh interval.
You can also refresh Group Policy manually. The command line utility Gpupdate refreshes and delivers any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy settings. There is also a new Windows PowerShell Invoke-Gpupdate cmdlet, which performs the same function.
A new feature in Windows Server 2012 is Remote Policy Refresh. This feature allows administrators to use the GPMC to target an OU and force Group Policy refresh on all of its computers and their currently logged-on users. To do this, you right-click any OU, and then click Group Policy Update. The update occurs within 10 minutes.
Group Policy Processing Order
GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier.
GPOs are applied in the following order:
• Local group policies: Each system running Windows 2000 or newer potentially already has a local Group Policy configured.
• Site group policies: Policies that are linked to sites are processed next.
• Domain group policies: Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.
• OU group policies: Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users may have special required settings. You can link a policy to the Sales OU to deliver those settings.
• Child OU policies: Any policies that are linked to child OUs are processed last.
Objects in the containers receive the cumulative effect of all policies in their processing order. In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy may restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.
Note: Other methods such as Enforcement and Inheritance Blocking can change the effect of policies on containers.
If multiple policies are applied at the same level, the administrator can assign a preference value to control the order of processing. The default preference order is the order in which the policies were linked.
You can also disable the user or computer configuration of a particular GPO. If one section of a policy is known to be empty, then you should disable the empty section to speed up policy processing. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer side of the policy.
What Are the Default GPOs?
During the installation of the AD DS role, two default GPOs are created: Default Domain Policy, and Default Domain Controllers Policy.
Default Domain Policy
This policy is linked to the domain and affects all the security principals in the domain. It contains the password policy settings, the account lockout settings, and Kerberos policy. As a best practice, this policy should not have other settings configured. If you need to configure other settings to apply to the entire domain, then you should create new policies to deliver the settings, and then link the policies to the domain.
Default Domain Controllers Policy
This GPO is linked to the domain controllers' OU, and should only affect domain controllers. This policy is designed to provide auditing settings and user rights, and should not be used for other purposes.
GPO Security Filtering
By nature, a GPO applies to all the security principals in the container, and all child containers that are below the parent. You may wish to change this behavior and have certain GPOs apply only to particular security principals. For example, you may want to exempt certain users in an OU from a restrictive desktop policy. You can accomplish this through security filtering.
Each GPO has an Access Control List (ACL) that defines permissions to that GPO. The default permission is for Authenticated Users to have the Read and Apply Group Policy permission applied. By adjusting the permissions in the ACL, you can control which security principals receive permission to have the GPO settings applied. There are two approaches you might take to do this: deny access to the Group Policy, or limit permissions to the Group Policy.
Note: The Authenticated Users group includes all user and computer accounts that have been authenticated to AD DS.
Deny Access to Group Policy
If most security principals in the container should receive the policy settings but some should not, then you can exempt particular security principals by denying them access to the Group Policy. For example, if all the users in the Sales OU should receive a policy except the Sales Managers group, you can exempt that group (or user) by adding that group to the ACL of the GPO, and then setting the permission to Deny.
Limit Permissions to Group Policy
Alternatively, if you have created a GPO that should only be applied to a few security principals in a container, you can remove the Authenticated Users group from the ACL, add the security principals that should receive the GPO settings, and then grant them the Read and Apply Group Policy permissions. For example, you may have a GPO with computer configuration settings that should only apply to laptop computers. You could remove the Authenticated Users group from the ACL, add the computer accounts of the laptops, and then grant them the Read and Apply Group Policy permission.
Note: Never deny access to the Authenticated Users group. If you do, then security principals would never receive the GPO settings.
The ACL of a GPO is accessed in the GPMC by selecting the GPO in the Group Policy Objects folder and then clicking the Delegation > Advanced tab.
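The delegation tasks from "Delegating Management of GPOs" and the "limit permissions" approach above, done with the GroupPolicy module instead of the GPMC Delegation tab. This is an added example, not part of the course text; the group and GPO names are constructed, and it assumes a domain admin session with the GroupPolicy and ActiveDirectory modules available.

```powershell
# Added example: delegate editing of one GPO to a help desk group, then
# limit the GPO to laptop computers by security filtering.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$helpDesk = 'Help Desk'          # constructed: group that may edit the GPO
$laptops  = 'Laptop Computers'   # constructed: group holding the laptop computer accounts
$gpoName  = 'Laptop Power Options'

# --- Delegation --------------------------------------------------------
# Right to create GPOs: membership of Group Policy Creator Owners.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $helpDesk

# Right to edit this GPO: Read + Write, i.e. the GpoEdit permission level.
Set-GPPermission -Name $gpoName -TargetName $helpDesk -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# --- Security filtering ------------------------------------------------
# Default ACL: Authenticated Users have Read + Apply. Remove that entry,
# then grant Read + Apply (GpoApply) only to the laptops group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $laptops -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Put Read (without Apply) back for Authenticated Users so that every
# account can still read the GPO during processing. The cmdlet has no
# Deny level, which also keeps the "never deny Authenticated Users" rule.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# --- Verify: who has which permission on the GPO ------------------------
function Get-GpoAclSummary {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission |
        Sort-Object Permission, Trustee
}
Get-GpoAclSummary -Name $gpoName | Format-Table -AutoSize
```

The verification output should list the laptops group with GpoApply, the help desk group with GpoEdit, and Authenticated Users with GpoRead only.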
Discussion: Identifying Group Policy Application
Scenario
The slide illustrates a portion of the A. Datum Corporation's AD DS structure, which contains the Sales OU with its child OUs and the Servers OU.
• GPO1 is linked to the Adatum domain container. The GPO configures power options that turn off the monitors and disks after 30 minutes of inactivity, and restricts access to registry editing tools.
• GPO2 has settings to lock down the desktops of the Sales Users OU, and configures printers for Sales Users.
• GPO3 configures power options for laptops in the Sales Laptops OU.
• GPO4 configures a different set of power options to ensure that the servers never go into power save mode.
Some users in the Sales OU have administrative rights on their computers, and have created local policies to specifically grant access to Control Panel.
Question: What power options will the servers in the Servers OU receive?
Question: What power options will the laptops in the Sales Laptops OU receive?
Question: What power options will all other computers in the domain receive?
Question: Will users in the Sales Users OU who have created local policies to grant access to Control Panel be able to access Control Panel?
Question: If you needed to grant access to Control Panel to some users, how would you do it?
Question: Can GPO2 be applied to other department OUs?
Demonstration: Using Group Policy Diagnostic Tools
In this demonstration you will see how to use Gpupdate to refresh Group Policy, display Resultant Set of Policy (RSoP), and output the results to an HTML file. You will also see how to use the Group Policy Modeling Wizard to test policies.
Demonstration Steps
Use Gpupdate to refresh Group Policy, display RSOP, and output the results to an HTML file
1. On LON-DC1, use Gpupdate to refresh the GPOs.
2. Use Gpresult /H to create an HTML file that displays the current GPO settings.
3. Open the HTML report and review the results.
Use the Group Policy Modeling Wizard to test the policy
• Use the Group Policy Modeling Wizard to simulate a policy application for users in the Managers OU who log onto any computer.
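The refresh and diagnostic steps above, and the Remote Policy Refresh described under "Applying GPOs", as one Windows PowerShell sequence. This is an added example, not the course's demonstration script; the OU path, computer name and user name are constructed, and it assumes the GroupPolicy and ActiveDirectory modules on a domain controller such as LON-DC1.

```powershell
# Added example: force a Group Policy refresh on every computer in an OU
# (what Remote Policy Refresh does from the GPMC), then collect RSoP
# reports with gpresult /H and with the GroupPolicy cmdlet.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Sales Laptops,OU=Sales,DC=Adatum,DC=com'   # constructed OU path

function Invoke-OuPolicyRefresh {
    param([Parameter(Mandatory)][string]$SearchBase)
    $names = Get-ADComputer -SearchBase $SearchBase -Filter * |
        Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        # Schedules gpupdate on the target; the delay spreads the load when
        # many computers are refreshed at once (0 = run immediately).
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Continue
        [pscustomobject]@{ Computer = $name; RefreshRequested = (Get-Date) }
    }
}

# 1. Refresh the OU (equivalent to right-click OU > Group Policy Update)
Invoke-OuPolicyRefresh -SearchBase $ou | Format-Table -AutoSize

# 2. Refresh the computer you are logged on to (step 1 of the demonstration)
gpupdate /force

# 3. RSoP of the current user and computer as an HTML report (step 2)
$report = Join-Path $env:TEMP 'rsop-local.html'
gpresult /H $report /F
Invoke-Item $report     # step 3: open and review the report

# 4. The same for a remote computer and a named user, via the cmdlet
Get-GPResultantSetOfPolicy -ReportType Html -Computer 'LON-CL1' -User 'Adatum\Alice' `
    -Path (Join-Path $env:TEMP 'rsop-LON-CL1.html')
```

Get-GPResultantSetOfPolicy reports logging-mode RSoP (what actually applied); the planning-mode simulation in the demonstration's last step remains a Group Policy Modeling Wizard task in the GPMC.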
Lesson 3
Implementing a Central Store for Administrative Templates
In a large organization, there may be many GPOs and multiple administrators managing them. When an administrator edits a GPO, the template files are pulled from the local workstation. The central store provides a single folder in SYSVOL that contains all of the templates required to create and edit GPOs. This lesson discusses the files that make up the templates, and discusses how to create a central store location to provide consistency in the templates that administrators use.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the central store.
• Describe administrative templates.
• Describe how administrative templates work.
• Describe managed and unmanaged policy settings.
What Is the Central Store?
If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to hold the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there may be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed may not be the same as the files that are stored on a Windows Server 2012 domain controller.
The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The local workstation that the administrator is using to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files. In this way, there is a consistent administration experience among multiple workstations.
You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{Domain Name}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).
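The manual provisioning just described, scripted: create the PolicyDefinitions folder under SYSVOL, copy the ADMX files and each language folder of ADML files, and check the result. This is an added example, not part of the course text; it assumes it is run as an administrator on a domain controller whose local PolicyDefinitions folder is the intended source.

```powershell
# Added example: create and populate the Central Store from this computer's
# %SystemRoot%\PolicyDefinitions folder, then report what was copied.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function Initialize-CentralStore {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Store,
        [string]$Language = 'en-US'     # language folder the editor will look in
    )
    if (-not (Test-Path $Store)) { New-Item -ItemType Directory -Path $Store | Out-Null }

    # ADMX files live at the top level of PolicyDefinitions ...
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force

    # ... and ADML files in one subfolder per language (en-US, de-DE, ...)
    Get-ChildItem -Path $Source -Directory | ForEach-Object {
        $langDir = Join-Path $Store $_.Name
        if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
    }

    # An ADMX without a matching ADML in the editor's language makes the
    # GPME report an error when it loads the store, so list any such files.
    $langPath = Join-Path $Store $Language
    $missingAdml = Get-ChildItem -Path $Store -Filter *.admx | Where-Object {
        -not (Test-Path (Join-Path $langPath ($_.BaseName + '.adml')))
    } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Store       = $Store
        AdmxFiles   = (Get-ChildItem -Path $Store -Filter *.admx).Count
        Languages   = (Get-ChildItem -Path $Store -Directory).Name -join ','
        AdmlFiles   = (Get-ChildItem -Path $Store -Recurse -Filter *.adml).Count
        MissingAdml = $missingAdml
    }
}

Initialize-CentralStore -Source $source -Store $store | Format-List
```

After the copy, the Group Policy Management Editor shows "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store" in the Administrative Templates node when the store is being used.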
What Are Administrative Templates?
An administrative template is made up of two XML file types: ADMX and ADML.
• ADMX files specify the registry setting to change. ADMX files are language-neutral.
• ADML files generate the user interface to configure the Administrative Templates policy settings in the Group Policy Management Editor. ADML files are language-specific.
ADMX and ADML files are stored in the %SystemRoot%\PolicyDefinitions folder. You can also create your own custom administrative templates in XML format. Administrative templates that control Microsoft Office products (such as Office Word, Office Excel® and Office PowerPoint®) are also available from the Microsoft download website.
Administrative Templates have the following characteristics:
• They are organized into subfolders that house configuration options for specific areas of the environment, such as network, system, and Windows components.
• The settings in the computer section edit the HKEY_LOCAL_MACHINE registry hive, and settings in the user section edit the HKEY_CURRENT_USER registry hive.
• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.
• Some settings are available only to certain versions of Windows operating systems, such as several new settings that can be applied only to the Windows 7 and newer operating system versions. Double-clicking the setting will display the supported versions for that setting. Any setting that cannot be processed by an older Windows operating system is simply ignored by that system.
ADM Files
Prior to Windows Vista, administrative templates had an .adm (ADM) file extension. ADM files were language-specific, and were difficult to customize. ADM files are stored in SYSVOL as part of the Group Policy template. If an ADM file is used in multiple GPOs, then the file is stored multiple times. This increases the size of SYSVOL, and therefore increases the size of Active Directory replication traffic.
How Administrative Templates Work
Administrative Templates have settings for almost every aspect of the computing environment. Each setting in the template corresponds to a registry setting that controls an aspect of the computing environment. For example, when you enable the setting that prevents access to Control Panel, this changes the value in the registry key that controls that aspect.
20410A: Installing and Configuring Windows Server® 2012 11-17
The Administrative Templates node is organized as shown in the following table.
Computer settings nodes:
• Control Panel
• Network
• Printers
• System
• Windows Components
• All Settings
User settings nodes:
• Control Panel
• Desktop
• Network
• Shared Folders
• Start Menu and Taskbar
• System
• Windows Components
• All Settings
Most of those nodes contain multiple subfolders to further organize settings into logical groupings. Even with this organization, finding the setting you need can be a daunting task. To help you locate settings, the All Settings folder allows you to filter the entire list of settings by either the computer or the user section. The following filter options are available:
• Managed or unmanaged
• Configured or not configured
• Commented
• By keyword
• By platform
You can also combine multiple criteria. For example, you could filter to find all the configured settings that apply to Internet Explorer 10 by using the keyword ActiveX.
11-18 Implementing Group Policy
Managed and Unmanaged Policy Settings
There are two types of policy settings: managed and unmanaged. All policy settings in a GPO's Administrative Templates are managed policies. The Group Policy service controls the managed policy settings and removes a policy setting when it is no longer within scope of the user or computer. The Group Policy service does not control unmanaged policy settings. These policy settings are persistent. The Group Policy service does not remove unmanaged policy settings.
Managed Policy Settings
A managed policy setting has the following characteristics:
• The user interface (UI) is locked, so that a user cannot change the setting. Managed policy settings result in the appropriate UI being disabled. For example, if you configure the desktop wallpaper through a Group Policy setting, then the user will see those settings greyed out in his or her local user interface.
• Changes are made in restricted areas of the registry, to which only administrators have access. These reserved registry keys are:
o HKLM\Software\Policies (computer settings)
o HKCU\Software\Policies (user settings)
o HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)
o HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)
• Changes made by a Group Policy setting and the UI lockout are released if the user or computer falls out of scope of the GPO. For example, if you delete a GPO, managed policy settings that had been applied to a user will be released. This means that, generally, the setting resets to its previous state. Additionally, the UI for the setting is enabled.
Unmanaged Policy Settings
In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the GPO no longer applies, the setting remains. This is often called tattooing the registry—in other words, making a permanent change. To reverse the effect of the policy setting, you must deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged policy setting does not lock the UI for that setting. By default, the Group Policy Management Editor hides unmanaged policy settings to discourage you from implementing a configuration that is difficult to revert. Many of the settings that are available in Group Policy preferences are unmanaged settings.
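The distinction above can be checked on a computer directly: a managed setting lives only under the four reserved keys, so enumerating those keys shows exactly what Group Policy currently controls, and a second snapshot after a GPO is unlinked shows which values were released. The following Windows PowerShell script is an added example and is not part of the courseware; the function and variable names are this example's own, and it assumes it is run in an elevated session on a domain-joined Windows 8 or Windows Server 2012 computer.

```powershell
# Added example (not from the courseware): enumerate the values under the four reserved
# policy keys described above. Anything found here was written as a managed policy
# setting and will be released when its GPO no longer applies to this user or computer.
$reservedKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-ManagedPolicyValue {
    param([string[]]$Root = $reservedKeys)
    foreach ($rootKey in $Root) {
        if (-not (Test-Path $rootKey)) { continue }
        # the reserved key itself plus every subkey beneath it
        $keys = @(Get-Item $rootKey) +
                @(Get-ChildItem $rootKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $display = if ($name) { $name } else { '(Default)' }
                [pscustomobject]@{
                    Key   = $k.Name
                    Name  = $display
                    Type  = $k.GetValueKind($name)
                    Value = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
    }
}

function Compare-PolicySnapshot {
    # Report which managed values disappeared (released) or appeared between two
    # snapshots, for example before and after unlinking a GPO and running gpupdate /force.
    param($Before, $After)
    $id = { "$($_.Key)\$($_.Name)" }
    Compare-Object @($Before | ForEach-Object $id) @($After | ForEach-Object $id) |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '<=') { 'released' } else { 'newly managed' }
            '{0,-14} {1}' -f $state, $_.InputObject
        }
}

$snapshot = @(Get-ManagedPolicyValue)
$snapshot | Sort-Object Key, Name | Format-Table Key, Name, Type, Value -AutoSize
'{0} managed policy values on this computer.' -f $snapshot.Count
# A value that the same GPO wrote outside these keys (for example elsewhere under
# HKLM\SOFTWARE\Microsoft) is an unmanaged, tattooed setting: it will never show up as
# "released" here and must be reverted by deploying the desired value explicitly.
```

Take one snapshot, unlink or delete the GPO under test, run gpupdate /force, take a second snapshot and pass both to Compare-PolicySnapshot; every line marked released is a managed setting behaving as described above, while a setting that the GPO changed but that does not appear in either snapshot is the tattooing case.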
20410A: Installing and Configuring Windows Server® 2012 11-19
Lab: Implementing Group Policy
Scenario
A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
In your role as a member of the server support team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.
Your manager has asked you to create a central store for ADMX files to ensure that everyone can edit GPOs that have been created with customized ADMX files. You also need to create a starter GPO that includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Marketing department and the IT department.
Objectives
After completing this lab, you will be able to:
• Configure a Central Store.
• Create GPOs.
Lab Setup
Estimated time: 40 minutes
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd
Lab Setup Instructions
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2-3 for 20410A-LON-CL1. Do not log on until directed to do so.
11-20 Implementing Group Policy
Exercise 1: Configuring a Central Store
Scenario
A. Datum recently implemented a customized ADMX template to configure an application. A colleague obtained the ADMX files from the vendor before creating the Group Policy Object with the configuration settings. The settings were applied to the application as expected.
After implementation, you noticed that you are unable to modify the application settings in the Group Policy Object from any location other than the workstation that was originally used by your colleague. To resolve this issue, your manager has asked you to create a Central Store for administrative templates. After you create the Central Store, your colleague will copy the vendor ADMX template from the workstation into the Central Store.
The main tasks for this exercise are as follows:
1. View the location of administrative templates in a Group Policy Object (GPO).
2. Create a central store.
3. Copy administrative templates to the central store.
4. Verify the administrative template location in GPMC.
Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. Start the Group Policy Management Console (GPMC).
3. Open the Default Domain Policy and view the location of the administrative templates.
Task 2: Create a central store
1. Open Windows Explorer and browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.
2. Create a folder named PolicyDefinitions, which will be used for the Central Store.
Task 3: Copy administrative templates to the central store
• Copy the contents of the default PolicyDefinitions folder located at C:\Windows\PolicyDefinitions to the new PolicyDefinitions folder located at C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.
Task 4: Verify the administrative template location in GPMC
• Verify that the Group Policy Object Editor is using the ADMX files from the central PolicyDefinitions folder, by viewing the location information text of the Administrative Templates folder.
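Tasks 2 through 4 can also be carried out and verified from a Windows PowerShell session on LON-DC1. The script below is an added example and is not part of the lab; it assumes the lab domain Adatum.com, that it runs on a domain controller as a domain administrator, and that the local %SystemRoot%\PolicyDefinitions folder is the source. The helper name Get-Sha256Hex is this example's own. It copies the ADMX files together with every language subfolder of ADML files, which the Group Policy Management Editor needs in order to display the settings, and then confirms that every file in the Central Store is byte-for-byte identical to the local copy.

```powershell
# Added example (not part of the lab): create the Central Store and verify its contents.
# Assumptions: domain Adatum.com, run on a domain controller as a domain admin.
$domain      = 'Adatum.com'
$source      = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\Policies"
$central     = Join-Path $centralRoot 'PolicyDefinitions'

if (-not (Test-Path $centralRoot)) {
    throw "SYSVOL policies folder not found at $centralRoot; is this a domain controller?"
}

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so the script also works on the PowerShell 3.0 that ships
    # with Windows Server 2012 (Get-FileHash arrived later)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

# Task 2: create the folder (safe to re-run)
New-Item -Path $central -ItemType Directory -Force | Out-Null

# Task 3: copy ADMX files plus the language subfolders (for example en-US) of ADML files
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Task 4 (verification): every source file must exist in the store with the same hash
$problems = foreach ($file in Get-ChildItem $source -Recurse -File) {
    $relative = $file.FullName.Substring($source.Length)
    $target   = Join-Path $central $relative
    if (-not (Test-Path $target)) { "$relative is missing from the Central Store"; continue }
    if ((Get-Sha256Hex $file.FullName) -ne (Get-Sha256Hex $target)) {
        "$relative differs from the local copy"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    $admx = @(Get-ChildItem $central -Filter *.admx -File).Count
    $adml = @(Get-ChildItem $central -Recurse -Filter *.adml -File).Count
    "Central Store ready at $central ($admx ADMX files, $adml ADML files)."
}
```

After the copy completes, the location text of the Administrative Templates node in the Group Policy Management Editor changes from the local computer to the central store, which is the check Task 4 asks for. The vendor's custom ADMX and ADML files from the colleague's workstation go into the same folder structure.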
Results: After completing this exercise, you will have configured a Central Store.
Exercise 2: Creating GPOs
Scenario
After a recent meeting of the IT Policy committee, management has decided that A. Datum will use Group Policy to restrict access to the General page of Internet Explorer for users.
Your manager has asked you to create a starter GPO that can be used for all departments with default restriction settings for Internet Explorer. You then need to create the GPOs that will deliver the settings for members of all departments except for the IT department.
20410A: Installing and Configuring Windows Server® 2012 11-21
The main tasks for this exercise are as follows:
1. Create a Windows Internet Explorer® Restriction default starter GPO
2. Configure the Internet Explorer Restriction starter GPO
3. Create a domain Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO
4. Test Application of the GPO for Domain Users
5. Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
6. Test the GPO application for IT Department Users
7. Test Application of the GPO for other domain users
8. To prepare for the next module
Task 1: Create a Windows Internet Explorer® Restriction default starter GPO
1. Open the GPMC and create a starter GPO named Internet Explorer Restrictions.
2. Type a comment that states This GPO disables the General page in Internet Options.
Task 2: Configure the Internet Explorer Restriction starter GPO
• Configure the starter GPO named Internet Explorer Restrictions to disable the General page of Internet Options.
Task 3: Create a domain Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO
• Create a new GPO named IE Restrictions that is based on the Internet Explorer Restrictions starter GPO, and link it to the Adatum.com domain.
Task 4: Test Application of the GPO for Domain Users
1. Log on to LON-CL1 as Adatum\Brad, with a password of Pa$$w0rd.
2. Open the Control Panel.
3. Attempt to change your homepage.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out of LON-CL1.
Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
• On LON-DC1, open Group Policy Management, and configure security filtering on the IE Restrictions policy to deny access to the IT department.
Task 6: Test the GPO application for IT Department Users
1. Log on to LON-CL1 as Brad, with a password of Pa$$w0rd.
2. Open the Control Panel.
3. Attempt to change your homepage. Verify that the Internet Properties dialog opens to the General page, and all settings are available.
4. Sign out of LON-CL1.
11-22 Implementing Group Policy
Task 7: Test Application of the GPO for other domain users
1. Log on to LON-CL1 as Boris, with a password of Pa$$w0rd.
2. Open the Control Panel.
3. Attempt to change your homepage.
4. Open Internet Options to verify that the General tab has been restricted.
5. Sign out of LON-CL1.
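The same exercise can be scripted from LON-DC1 with the GroupPolicy module, which makes the relationship between the GPMC clicks and the objects they create explicit. This Windows PowerShell script is an added example, not part of the lab. It assumes the lab names (Adatum.com, LON-CL1, Adatum\Brad) and that the Group Policy Management feature is installed. Two lab steps have no cmdlet equivalent and stay in the GPMC: editing the settings of the starter GPO itself (Task 2) and adding the Deny Apply Group Policy entry for the IT department (Task 5). In place of Task 2, the script writes the managed policy value that the "Disable the General page" setting controls directly on the derived GPO.

```powershell
# Added example (not part of the lab): Exercise 2 expressed with the GroupPolicy module.
# Assumptions: run on LON-DC1 as a domain admin; domain Adatum.com; test user Adatum\Brad.
Import-Module GroupPolicy

$starterName = 'Internet Explorer Restrictions'
$gpoName     = 'IE Restrictions'
$domainDn    = 'DC=Adatum,DC=com'

# Task 1: the starter GPO, with the comment the task dictates (safe to re-run)
if (-not (Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name $starterName `
        -Comment 'This GPO disables the General page in Internet Options.' | Out-Null
}

# Task 3: a domain GPO created from the starter GPO and linked to the domain
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -StarterGpoName $starterName | Out-Null
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# The registry value behind User Configuration > Administrative Templates >
# Windows Components > Internet Explorer > Internet Control Panel > Disable the General page.
# It sits under HKCU\Software\Policies, so it is a managed setting and is released
# automatically when the GPO stops applying.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'GeneralTab' -Type DWord -Value 1 | Out-Null

# Task 5 review: show who the GPO currently applies to (the Deny entry itself is added in GPMC)
Get-GPPermission -Name $gpoName -All |
    Format-Table Trustee, TrusteeType, Permission, Inherited -AutoSize

# Tasks 4, 6 and 7 without logging on as each user: model the resultant set of policy for
# a user on LON-CL1 and inspect the report for the IE Restrictions GPO and its deny status
$report = Join-Path $env:TEMP 'ie-restrictions-rsop.html'
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'Adatum\Brad' `
    -ReportType Html -Path $report | Out-Null
"RSoP report written to $report"
```

Get-GPResultantSetOfPolicy needs the target computer to be running and reachable, and the user must have logged on to it at least once; its report lists every GPO that was applied or denied, so after Task 5 the IE Restrictions GPO should show as denied for Brad and as applied for Boris.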
Results: After completing this lab, you will have created a GPO.
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1.
20410A: Installing and Configuring Windows Server® 2012 11-23
Module Review and Takeaways
Review Questions
Question: What are some of the advantages and disadvantages of using site-level GPOs?
Question: You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the desired users receive the mappings. You want to move away from using scripts. What is the best way to map network drives for selected users without using scripts?
Best Practices
The following are recommended best practices:
• Do not use the Default Domain and Default Domain Controllers policies for other uses. Instead, create new policies.
• Limit the use of security filtering and other mechanisms that make diagnostics more complex.
• Disable the User or Computer sections of policies, if they have no settings configured.
• If you have multiple administration workstations, create a Central Store.
• Add comments to your GPOs to explain what the policies are doing.
• Design your OU structure to support Group Policy application.
Common Issues and Troubleshooting Tips
Common Issue: A user is experiencing abnormal behavior on their workstation.
Troubleshooting Tip:
Common Issue: All users in a particular OU are having issues, and the OU has multiple GPOs applied.
Troubleshooting Tip:
Tools
Tool: Group Policy Management Console (GPMC)
Use: Controls all aspects of Group Policy
Where to find it: In Server Manager, on the Tools menu
Tool: Group Policy Object Editor
Use: Use to configure settings in GPOs
Where to find it: Accessed by editing any GPO
Tool: Resulting Set of Policies (RSoP)
Use: Use to determine what settings are applying to a user or computer
Where to find it: In the GPMC
Tool: Group Policy Modeling Wizard
Use: Use to test what would occur if settings were applied to users or computers, prior to actually applying the settings
Where to find it: In the GPMC
Tool: Local Group Policy Editor
Use: Use to configure Group Policy settings that apply only to the local computer
Where to find it: Accessed by creating a new Microsoft Management Console (MMC) on the local computer, and adding the Group Policy Object Editor snap-in
12-1
Module 12 Securing Windows Servers Using Group Policy Objects
Contents:
Module Overview 12-1
Lesson 1: Windows Security Overview 12-2
Lesson 2: Configuring Security Settings 12-6
Lab A: Increasing Security for Server Resources 12-15
Lesson 3: Restricting Software 12-21
Lesson 4: Configuring Windows Firewall with Advanced Security 12-25
Lab B: Configuring AppLocker and Windows Firewall 12-29
Module Review and Takeaways 12-36
Module Overview
Protecting IT infrastructure has always been a priority to organizations. Many security risks are threatening companies and their critical data. Failure to have adequate security policies can lead to data loss, server unavailability, and companies losing credibility.
To protect from security threats, companies must have well-designed security policies that include many components, from organizational to IT-related. Security policies must be evaluated on a regular basis, because as security threats evolve, so IT must also evolve.
Before you start designing security policies to help protect your organization’s data, services, and IT infrastructure, you must learn how to identify security threats, how to plan your strategy to mitigate security threats, and how to secure your Windows Server® 2012 infrastructure.
Objectives
After completing this module, you will be able to:
• Describe Windows security.
• Configure security settings by using Group Policy.
• Restrict unauthorized software from running on servers and clients.
• Configure Windows Firewall® with Advanced Security.
12-2 Securing Windows Servers Using Group Policy Objects
Lesson 1 Windows Security Overview
As organizations expand their availability of network data, applications, and systems, ensuring network infrastructure security becomes more challenging. Security technologies in the Windows Server 2012 operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios. This lesson reviews the tools and concepts that are available for implementing security within a Windows 8 and Windows Server 2012 infrastructure.
Windows Server 2012 includes numerous features that provide different methods for implementing security. These features combine to form the core of Windows Server 2012's security functionality. Understanding these features and their associated concepts, as well as being familiar with their basic implementation, is critical to maintaining a secure environment.
Lesson Objectives
After this lesson, you will be able to:
• Describe security risks for Windows Server 2012, and the costs associated with them.
• Describe how the defense-in-depth model addresses security.
• Describe best practices for increasing Windows Server 2012 security.
Discussion: Identifying Security Risks and Costs
The first step in defending your systems is identifying the potential security risks and their associated costs. Once you do that, you can make intelligent decisions about how to allocate resources to mitigate those risks.
Review the question on the slide and participate in the discussion to identify some of the risks and associated costs to Windows-based networks.
Applying Defense-In-Depth to Increase Security
You can mitigate risks to your organization's computer network by providing security at various infrastructure layers. The term defense-in-depth is often used to describe the use of multiple security technologies at different points throughout your organization.
Defense-in-depth technologies include layers of security that extend from user policies all the way down to the application and the data itself.
20410A: Installing and Configuring Windows Server® 2012 12-3
Policies, Procedures, and Awareness
Security policy measures need to operate within the context of organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down and stick them to their computer screens, so users must be taught how to protect their passwords. Another example of security best practice is ensuring that users do not leave their desktop computer without first locking the desktop or logging off from the computer. When establishing a security foundation for your organization’s network, it is a good idea to start with establishing appropriate policies and procedures and making users aware of them. Then you may progress to the other aspects of the defense-in-depth model.
Physical Security
If any unauthorized person can gain physical access to a computer on your network, then most other security measures are not useful. You must ensure that computers containing the most sensitive data, such as servers, are physically secure, and that access is granted to authorized personnel only.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within the Internet, and many organization network resources are available from the Internet. This might include building a website to describe your organization's services, or making internal services such as web conferencing and email accessible externally, so that users can work from home or from branch offices.
Perimeter networks mark the boundary between public and private networks. Providing reverse proxy servers in the perimeter network enables you to provide more secure corporate services across the public network.
Many organizations implement so-called network access quarantine control, where computers that connect to the corporate network are checked against different security criteria, such as whether the computer has the latest security updates, antivirus updates, and other company-recommended security settings. If these conditions are met, the computer is allowed to connect to the corporate network. If not, the computer is placed in an isolated network, called quarantine, with no access to corporate resources. Once the computer has its security settings remediated, it is removed from the quarantine network and is allowed to connect to corporate resources.
Note: A reverse proxy, such as Microsoft® Forefront® Threat Management Gateway 2010, enables you to publish services, such as email or web services, from the corporate intranet without placing the email or web servers in the perimeter, or exposing them to external users. Microsoft Forefront Threat Management acts as both reverse proxy and as a firewall solution.
Networks
Once you connect computers to a network, either internal or public, they are susceptible to a number of threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication takes place over public networks by employees who are working from home, or from remote offices. You should deploy a firewall solution, such as Microsoft Forefront Threat Management Gateway 2010, to protect from different types of network threats.
Host
The next layer of defense is the host computer. You must keep computers secure with the latest security updates. You also have to configure security policies, such as password complexity, configure the host firewall, and install antivirus software. The steps mentioned above make up a process that is called security hardening.
12-4 Securing Windows Servers Using Group Policy Objects
Application
Applications are only as secure as your latest security update. You should consistently use the Windows Update feature in Windows operating systems to keep your applications up-to-date. Moreover, applications must be tested by IT security administrators, whether they have any security vulnerabilities that might allow an external attacker to compromise applications or other network components. The steps mentioned above make up a process that is called application hardening.
Data
The final layer of security is data security. To help ensure the protection of your network, ensure the proper use of file user permissions by using Access Control Lists (ACLs), implement the encryption of confidential data with Encrypting File System (EFS), and perform backups of data regularly.
Additional Reading: For the latest Microsoft security bulletin and advisory information, see http://technet.microsoft.com/en-us/security/default.aspx.
Additional Reading: For more information about common types of network attacks, see http://technet.microsoft.com/en-us/library/cc959354.aspx.
Question: How many layers of the defense-in-depth model should you implement in your organization?
Best Practices for Increasing Security
Consider the following best practices for increasing security:
• Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.
• Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also limits the ability of users to accidentally delete data or modify critical operating system settings.
• Restrict console logon. Logging on locally at a console is a greater risk to a server than accessing it remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as user account control are enabled.
• Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.
20410A: Installing and Configuring Windows Server® 2012 12-5
Additional Reading: For more information about best practices for enterprise security, see http://technet.microsoft.com/en-us/library/cc750076.aspx.
12-6 Securing Windows Servers Using Group Policy Objects
Lesson 2 Configuring Security Settings
Once you have learned about security threats and risks, and about best practices for increasing security, you can start configuring security for your Windows® 8 and Windows Server 2012 environment. In this lesson, you will learn how to configure security settings. To apply those security settings to multiple users and computers in your organization, you will use Group Policy. For example, you can use Group Policy to configure password policy settings and then deploy them on multiple users.
Group Policy has a large security component that you can use to configure security for both users and computers. You can apply security consistently across the organization in Active Directory® Domain Services (AD DS) by defining security settings in a Group Policy Object (GPO) that is associated with a site, domain, or Organizational Unit (OU).
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to configure Security templates.
• Describe what user rights are and how to configure them.
• Describe how to configure Security Options.
• Describe how to configure User Account Control.
• Describe how to configure Auditing.
• Describe how to configure Restricted Groups.
• Describe how to configure Account Policy Settings.
Configuring Security Templates
Security templates are files that you can use to manage and configure security settings on Windows-based computers. Depending on the various categories of security settings, security templates are divided into logical sections. You can configure each of the following sections according to a company's needs and requests:
• Account policies: password policy, account lockout policy, and Kerberos policy
• Local policies: audit policy, user rights assignment, and security options
• Event log: application, system, and security event log settings
• Restricted groups: membership of groups that have special rights and permissions
• System services: startup and permissions for system services
• Registry: permissions for registry keys
• File system: permissions for folders and files
When you configure a security template, you can use it to configure a single computer or to configure multiple computers on the network. The following are a few ways that you can configure and distribute the security templates:
• The secedit.exe command-line tool
• The Security Templates snap-in
• The Security Configuration and Analysis Wizard
• Group Policy
• Security Compliance Manager
Configuring User Rights
User rights assignment refers to the ability to perform actions on the operating system. Each computer has its own set of user rights, such as the right to change the system time. Most rights are granted either to the Local System or to the Administrator.
There are two types of user rights:
• Privileges define access to computer and domain resources. For example, rights to back up files and directories.
• Logon rights define who is authorized to log on to a computer, and how they can log on. For example, logon rights may define the right to log on to a system locally.
You can configure rights through Group Policy. The default domain policy has no rights defined by default.
You can configure settings for User Rights by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment from the Group Policy Management Console (GPMC).
Some examples of commonly used user rights (and policies configured by them) are:
• Add workstations to domain. Determines which users or groups can add workstations to the domain.
• Allow log on locally. Determines which users can log on the computer.
• Allow log on through Remote Desktop Services. Determines which users or groups have permission to log on as a Remote Desktop Services client.
• Back up files and directories. Determines which users have permissions to back up files and folders on a computer.
• Change the system time. Determines which users or groups have the right to change the time and date on the internal clock of the computer.
• Force shutdown from a remote system. Determines which users are allowed to shut down a computer from a remote location on the network.
• Shut down the system. Determines which of the users who are logged on locally to a computer are allowed to shut down the computer.
20410A: Installing and Configuring Windows Server® 2012 12-7
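The security template sections, the user rights and the secedit.exe tool described above come together in the following Windows PowerShell script, which is an added example and not part of the courseware. It writes a small INF security template that sets a password and lockout policy, assigns several of the user rights listed above by their privilege names, and configures two security options, and then runs secedit /analyze to compare the template with the computer's current state without changing anything. The SIDs are the well-known BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Backup Operators (S-1-5-32-551); the numeric values and the folder and file names are this example's choices.

```powershell
# Added example (not part of the courseware): a security template expressing user rights
# and security options from these pages, analyzed against the local computer with secedit.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Account policies: password and account lockout (values chosen for illustration)
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Privilege Rights]
; User rights assignment, referenced by privilege constant rather than display name
; Allow log on locally / Allow log on through Remote Desktop Services
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
; Back up files and directories (Administrators and Backup Operators)
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
; Change the system time
SeSystemtimePrivilege = *S-1-5-32-544
; Force shutdown from a remote system / Shut down the system
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
[Registry Values]
; Security options: the number after the = is the type (4 = REG_DWORD, 1 = REG_SZ)
; Interactive logon: Do not display last user name
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Devices: Restrict CD-ROM access to locally logged-on user only
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
'@

$work = Join-Path $env:TEMP 'sectemplate'
New-Item -Path $work -ItemType Directory -Force | Out-Null
$inf = Join-Path $work 'hardening.inf'
$db  = Join-Path $work 'hardening.sdb'
$log = Join-Path $work 'hardening.log'

# secedit expects a Unicode (UTF-16) INF file, matching the [Unicode] header above
Set-Content -Path $inf -Value $template -Encoding Unicode

# Analyze only: compare the template with the current configuration, change nothing
& secedit.exe /analyze /db $db /cfg $inf /log $log /quiet

# Every setting that differs from, or is absent in, the template shows up in the log
Get-Content $log | Where-Object { $_ -match 'Mismatch|Not Configured' }

# Only after reviewing the log would the template be applied, on one computer with
#   secedit.exe /configure /db $db /cfg $inf /log $log
# or, for many computers, by importing the INF into a GPO's Security Settings node.
```

Because the template lives in a plain text file, it can be kept under version control and re-analyzed on a schedule, which turns the one-time configuration into a repeatable check that a server's user rights and security options have not drifted.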
12-8 Securing Windows Servers Using Group Policy Objects
Configuring Security Options
You can use Group Policy to configure security options. The computer security settings that you can configure in security options include the following:
• Administrator and Guest account names
• Access to disk and CD/DVD drives
• Digital data signatures
• Driver installation behavior
• Logon prompts
• User account control
You can also configure settings for security options by accessing Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options from the GPMC.
The following are examples of commonly used security options:
• Interactive logon: Do not display last user name. Determines whether the name of the last user to log on to the computer displays in the Windows logon window.
• Accounts: Rename administrator account. Determines whether a different account name is associated with the security identifier (SID) for the account Administrator.
• Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is accessible to both local and remote users simultaneously.
Configuring User Account Control
Administrative accounts carry with them a higher degree of security risk. When an administrative account is logged on, its privileges allow access to the entire Windows operating system, including the registry, system files, and configuration settings. As long as an administrative account is logged on, the system is vulnerable to attack and has the potential to be compromised.
User Account Control (UAC) is a security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users.
By default, both standard users and administrators access resources and run applications in the security context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a standard user account to an administrator account without logging off, switching users, or using Run As. UAC creates a more secure environment in which to run and install applications.
20410A: Installing and Configuring Windows Server® 2012 12-9
When an application requires administrator-level permission, UAC notifies the user as follows:
• If the user is an administrator, the user confirms to elevate his or her permission level and continue. This process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2012, the built-in Administrator account does not run in Admin Approval Mode. The result is that no UAC prompts display when using the local Administrator account.
• If the user is not an administrator, then a username and password for an account that has administrative permissions needs to be entered. Providing administrative credentials temporarily gives the user administrative privileges, but only to complete the current task. After the task is complete, permissions change back to those of a standard user.
When using this process of notification and elevation to administrator account privileges, changes cannot be made to the computer without the user knowing. This can help prevent malicious software (malware) and spyware from being installed on or making changes to a computer.
UAC allows the following system-level changes to occur without prompting, even when a user is logged on as a local user:
• Install updates from Windows Update
• Install drivers from Windows Update or those that are packaged with the operating system
• View Windows operating system settings
• Pair Bluetooth devices with the computer
• Reset the network adapter, and perform other network diagnostic and repair tasks
Modifying UAC Behavior

You can modify the UAC notification experience to adjust the frequency and behavior of UAC prompts. To modify UAC behavior on a single computer, access the Windows Server 2012 control panel in System and Security.

You can also configure UAC settings by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
The following are examples of some GPO settings that you can configure for UAC:
• User Account Control: Run all administrators in Admin Approval Mode. Controls the behavior of all UAC policy settings for the computer. If this setting is disabled, UAC will not run on this computer.
• User Account Control: Administrator Approval Mode for the built-in Administrator account. When you enable this setting, the built-in Administrator account uses Admin Approval Mode.
• User Account Control: Detect application installations and prompt for elevation. This setting controls the behavior of application installation detection for the computer.
• User Account Control: Only elevate executables that are signed and validated. When you enable this setting, a Public Key Infrastructure (PKI) check is performed on the executable file to verify that it originates from a trusted source. If the file is verified, then the file is permitted to run.
Note: By default, UAC is not configured or enabled in Server Core installations of Windows Server 2012.
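As an added example (not part of the course text), the following Windows PowerShell script reads the registry values that these four policy settings control and reports whether a server matches the expected state. The registry value names are the ones Windows uses for these settings; treating all four as Enabled is an assumption for the example, not a course requirement.

```powershell
# Added example (not from the course): check a server's effective UAC settings
# against the four GPO settings described above by reading the registry values
# that those policy settings write. Expected values are an assumption (all Enabled).
function Test-UacPolicy {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Policy setting -> registry value it controls -> value expected on a hardened server
    $expected = @(
        @{ Policy = 'Run all administrators in Admin Approval Mode';              Value = 'EnableLUA';                   Want = 1 },
        @{ Policy = 'Admin Approval Mode for the Built-in Administrator account'; Value = 'FilterAdministratorToken';    Want = 1 },
        @{ Policy = 'Detect application installations and prompt for elevation';  Value = 'EnableInstallerDetection';    Want = 1 },
        @{ Policy = 'Only elevate executables that are signed and validated';     Value = 'ValidateAdminCodeSignatures'; Want = 1 }
    )

    $current = Get-ItemProperty -Path $uacKey

    foreach ($item in $expected) {
        $actual = $current.($item.Value)
        $status = if ($null -eq $actual)          { 'NOT SET (Windows default applies)' }
                  elseif ($actual -eq $item.Want) { 'OK' }
                  else                            { "MISMATCH (value is $actual)" }

        [pscustomobject]@{
            Policy        = "User Account Control: $($item.Policy)"
            RegistryValue = $item.Value
            Expected      = $item.Want
            Actual        = $actual
            Status        = $status
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize
```

A value reported as NOT SET means the Windows default is in effect; for FilterAdministratorToken that default is the behavior the Note above describes, where the built-in Administrator account does not run in Admin Approval Mode. On a Server Core installation expect the whole set to read NOT SET, since UAC is not configured there by default.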
Configuring Auditing

Typically, one of the components of an organization's security strategy is recording user activities, such as successful or unsuccessful attempts to access business-critical data that is stored in different folders, or successful or unsuccessful logon attempts on different servers.

Recording these security-related events is called security auditing. Security auditing produces security event logs that administrators can view in the Security Event Log in Event Viewer.

After configuring auditing, information in security event logs can help your organization audit its compliance with important business-related and security-related requirements by tracking precisely defined activities such as:

• A group administrator who has modified settings or data on servers that contain finance information.

• An employee within a defined group that has accessed an important folder containing data from different departments.

• A user who is trying to log on to his or her account repeatedly without success from an internal company computer. You might find that the employee who owns that user account was on vacation that week, which means some other employee was trying to log on with a different user account.

You can configure security auditing settings by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.

The following are examples of some GPO settings that you can configure for auditing:

• Audit account logon events. Determines whether the operating system audits each time the computer validates an account's credentials.

• Audit account management. Determines whether to audit each event of account management, such as creating, changing, renaming, or deleting a user account, changing a password, or enabling or disabling a user account.

• Audit object access. Determines whether the operating system audits user attempts to access non-Active Directory objects, such as folders or files. Before configuring audit settings with Group Policy, you must configure system access control lists (SACLs) on folders or files to allow auditing for a specific type of action, such as write, read, or modify.

• Audit system events. Determines whether the operating system audits system-related events, such as attempting to change the system time, attempting a system startup or shutdown, or the security log size exceeding a configurable threshold warning.

Additional Reading: For more information about security auditing, see http://technet.microsoft.com/en-us/library/hh849638.aspx.
Configuring Restricted Groups

In some cases, you may want to control the membership of certain groups in a domain, such as the local Administrators group, to prevent the addition of other user accounts to those groups.

You can use the Restricted Groups policy to control group membership by specifying what members are placed in a group. If you define a Restricted Groups policy and then refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed, including default members such as domain administrators.

Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups such as Enterprise Admins and Schema Admins. You can also use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.

You cannot specify local users in a domain Restricted Groups policy. Local users who currently are in the local group that the Restricted Groups policy controls will be removed. The only exception to this is that the local Administrator account is always in the local Administrators group.

You can configure the settings for Restricted Groups by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

Configuring Account Policy Settings

Account policies protect your organization's accounts and data by mitigating the threat of account password brute force attacks. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of user passwords. You can configure the password policy settings through Group Policy.

Implementing Account Policies

The policy settings under Account Policies are implemented at the domain level. A Windows Server 2012 domain can have multiple password and account lockout policies, which are called fine-grained password policies. You can apply these multiple policies to a user or to a global security group in a domain, but not to an organizational unit (OU).

Note: If you need to apply a fine-grained password policy to users of an OU, you can use a shadow group, which is a global security group that is logically mapped to an OU.
You can configure Account policy settings by accessing from the GPMC: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies.
Account Policies Components
Account policy components include password policies, account lockout policies, and Kerberos policy.
Password Policy

Password policies that you can configure are listed in the following table.

Policy: Password must meet complexity requirements
Function: Requires passwords to:
• Be at least six characters long.
• Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks).
• Not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers.

Policy: Enforce password history
Function: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
Best practice: The greater the number, the better the security. The default value is 24. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.

Policy: Maximum password age
Function: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
Best practice: By default it is 42 days; it is recommended that you set it at 90 days. Setting the number of days too high provides hackers with an extended window of opportunity to determine the password. Setting the number of days too low frustrates users who have to change their passwords too frequently, and could result in more frequent calls to the IT help desk.

Policy: Minimum password age
Function: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Policy: Minimum password length
Function: Specifies the fewest number of characters that a password can have.
Best practice: Set the length to between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
Function: Provides support for applications that require knowledge of a user password for authentication purposes.
Best practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.
Account Lockout Policy

Account lockout policies that you can configure are listed in the following table.

Policy: Account lockout threshold
Function: Specifies the number of failed login attempts that are allowed before the account is locked. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.
Best practice: A setting of 50 allows for reasonable user error, and limits repeated login attempts for malicious purposes.

Policy: Account lockout duration
Function: Allows you to specify a timeframe, in minutes, after which the account automatically unlocks and resumes normal operation. If you specify 0, then the account will be locked indefinitely until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations.

Policy: Reset account lockout counter after
Function: Defines a timeframe for counting the incorrect login attempts. If the policy is set for one hour, and the account lockout threshold is set for three attempts, a user can enter the incorrect login information three times within one hour. If they enter incorrect information twice, but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
Best practice: Using a timeframe between 30 and 60 minutes is usually sufficient to deter automated attacks and manual attempts by an attacker to guess a password.
Kerberos Policy
This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
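The following Windows PowerShell script is an added example, not part of the course, that compares the domain's default password and lockout settings with the best-practice values from the two tables above, and then shows how a stricter fine-grained password policy is created and assigned to a global security group, which is the scope such policies support. The PSO name and its values are assumptions; the group name Server Administrators is the one used in the lab later in this module.

```powershell
# Added example (not from the course): compare the Default Domain Policy password
# and lockout settings with the best-practice values in the tables above, then
# create a stricter fine-grained policy for one group. The PSO name and its
# values are assumptions for this example.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy

    $maxAgeDays  = $p.MaxPasswordAge.TotalDays
    $minAgeDays  = $p.MinPasswordAge.TotalDays
    $lockMinutes = $p.LockoutDuration.TotalMinutes
    $winMinutes  = $p.LockoutObservationWindow.TotalMinutes

    # Setting, observed value, and the condition taken from the best-practice column
    $checks = @(
        @{ Setting = 'Password must meet complexity requirements'; Value = $p.ComplexityEnabled;           Pass = $p.ComplexityEnabled },
        @{ Setting = 'Enforce password history (24 recommended)';  Value = $p.PasswordHistoryCount;        Pass = $p.PasswordHistoryCount -ge 24 },
        @{ Setting = 'Maximum password age (1-90 days)';           Value = $maxAgeDays;                    Pass = ($maxAgeDays -ge 1) -and ($maxAgeDays -le 90) },
        @{ Setting = 'Minimum password age (at least 1 day)';      Value = $minAgeDays;                    Pass = $minAgeDays -ge 1 },
        @{ Setting = 'Minimum password length (8-12)';             Value = $p.MinPasswordLength;           Pass = ($p.MinPasswordLength -ge 8) -and ($p.MinPasswordLength -le 12) },
        @{ Setting = 'Reversible encryption disabled';             Value = $p.ReversibleEncryptionEnabled; Pass = -not $p.ReversibleEncryptionEnabled },
        @{ Setting = 'Account lockout threshold (1-50)';           Value = $p.LockoutThreshold;            Pass = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le 50) },
        @{ Setting = 'Account lockout duration (30-90 min)';       Value = $lockMinutes;                   Pass = ($lockMinutes -ge 30) -and ($lockMinutes -le 90) },
        @{ Setting = 'Reset lockout counter after (30-60 min)';    Value = $winMinutes;                    Pass = ($winMinutes -ge 30) -and ($winMinutes -le 60) }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $c.Value
            Result  = if ($c.Pass) { 'OK' } else { 'REVIEW' }
        }
    }
}

function New-ServerAdminPasswordPolicy {
    # Fine-grained policies apply to users or global security groups, not OUs;
    # the lowest Precedence wins when a user is covered by more than one PSO.
    New-ADFineGrainedPasswordPolicy -Name 'ServerAdmins-PSO' -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false

    Add-ADFineGrainedPasswordPolicySubject -Identity 'ServerAdmins-PSO' -Subjects 'Server Administrators'
}

Test-DomainAccountPolicy | Format-Table -AutoSize
```

A lockout threshold of 0 disables lockout entirely and a maximum password age of "never" comes back as a very large TimeSpan; both show up as REVIEW rather than as a silent pass. Run New-ServerAdminPasswordPolicy only once, since New-ADFineGrainedPasswordPolicy fails if a PSO with that name already exists.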
Lab A: Increasing Security for Server Resources

Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.
Your manager has given you some security-related settings that need to be implemented on all member servers. You also need to implement file system auditing for a file share used by the Marketing department. Finally, you need to implement auditing for domain logons.
Objectives
After completing this lab, you will be able to:
• Use Group Policy to secure member servers.
• Audit File System Access.
• Audit Domain Logons.
Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-SVR1 and steps 2-3 for 20410A-LON-CL1. Do not log on to LON-CL1 until directed to do so.
Exercise 1: Using Group Policy to Secure Member Servers
Scenario
A. Datum uses the Computer Administrators group to provide administrators with permissions to administer member servers. As part of the installation process for a new server, the Computer Administrators group from the domain is added to the local Administrators group on the new server. Recently, this important step was missed when configuring several new member servers.
To ensure that the Computer Administrators group is always given permission to manage member servers, your manager has asked you to create a GPO that sets the membership of the local Administrators group on member servers to include Computer Server Administrators. This GPO also needs to enable Admin Approval Mode for UAC.
The main tasks for this exercise are as follows:
1. Create a Member Servers Organizational Unit (OU) and move servers into it.
2. Create a Server Administrators group.
3. Create a Member Server Security Settings GPO and link it to the Member Servers OU.
4. Configure group membership for local administrators to include Server Administrators and Domain Admins.
5. Verify that Computer Administrators has been added to the local Administrators group.
6. Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally.
7. Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator Account.
8. Verify that a standard user cannot log on to a member server.
Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it

1. On LON-DC1, open Active Directory Users and Computers.
2. Create new OU called Member Servers OU.
3. Move servers LON-SVR1 and LON-SVR2 to Member Servers OU.
Task 2: Create a Server Administrators group

• On LON-DC1, in Member Servers OU, create a new global security group called Server Administrators.
Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU

1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new GPO with a name Member Server Security Settings.
3. In the Group Policy Management Console, link the Member Server Security Settings to Member Servers OU.
Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins

1. On LON-DC1, open Group Policy Management Console.
2. Edit the Default Domain Policy.
3. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security Settings, and then click Restricted Groups.
4. Add the Server Administrators and Domain Admins groups to the Administrators group.
5. Close the Group Policy Management Editor.
Task 5: Verify that Computer Administrators has been added to the local Administrators group

1. Switch to LON-SVR1, and log on as Adatum\Administrator with a password of Pa$$w0rd.
2. Open a Windows PowerShell® window, and from a Windows PowerShell command prompt, type following command:
gpupdate /force
3. Open Server Manager, open the Computer Management console, and then expand Local Users and Groups.
4. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members.
5. Close the Computer Management console.
Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove Users from Allow log on locally

1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\User Rights Assignment, and configure Allow log on locally for Domain Admins and Administrators security groups.
4. Close the Group Policy Management Editor.
Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator Account

1. On LON-DC1, in the Group Policy Management Console, edit the Member Server Security Settings GPO.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Security Options, and enable User Account Control: Admin Approval Mode for the Built-in Administrator account.
3. Close the Group Policy Management Editor.
Task 8: Verify that a standard user cannot log on to a member server

1. Switch to LON-SVR1.
2. Open Windows PowerShell, and from a Windows PowerShell command prompt, type following command:
gpupdate /force
3. Log off of LON-SVR1.
4. Try to log back on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.
5. Verify that you cannot log on to LON-SVR1.
Results: After completing this exercise, you should have used Group Policy to secure Member servers.
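As an added example (not part of the lab), the following Windows PowerShell script performs the check from Task 5 from the command line on the member server: it lists the members of the local Administrators group and reports whether the groups the Restricted Groups policy is expected to place there are present. It uses the WinNT ADSI provider because Get-LocalGroupMember does not exist on Windows Server 2012. The expected member names follow the lab's domain and group names.

```powershell
# Added example (not part of the lab): verify on a member server that the local
# Administrators group contains the domain groups that the Restricted Groups
# policy in the Member Server Security Settings GPO places there. Uses the WinNT
# ADSI provider, which is available on Windows Server 2012.
function Get-LocalAdministratorMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath and class through reflection
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            # WinNT://ADATUM/Server Administrators  ->  ADATUM\Server Administrators
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $cls
        }
    }
}

function Test-RestrictedGroupMembership {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Members expected after the GPO applies (lab names)
        [string[]]$Expected = @('ADATUM\Domain Admins', 'ADATUM\Server Administrators')
    )

    $members = (Get-LocalAdministratorMembers -ComputerName $ComputerName).Member

    foreach ($e in $Expected) {
        [pscustomobject]@{ Member = $e; Expected = $true; Present = ($members -contains $e) }
    }

    # Anything else is worth a look: Restricted Groups removes it at the next refresh,
    # so its presence means the GPO has not applied yet. The local Administrator
    # account is the one member that stays regardless.
    foreach ($m in ($members | Where-Object { $_ -notin $Expected })) {
        [pscustomobject]@{ Member = $m; Expected = $false; Present = $true }
    }
}

Test-RestrictedGroupMembership | Format-Table -AutoSize
```

If a domain group shows Present as False right after the GPO was linked, run gpupdate /force as in step 2 and repeat the check; the Restricted Groups setting is applied at policy refresh, not when the GPO is saved.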
Exercise 2: Auditing File System Access
Scenario
The manager of the Marketing department has concerns that there is no way to track who is accessing files that are on the departmental file share. Your manager has explained that only users with permissions are allowed to access the files. However, the manager of the Marketing department would like to try logging access to the files that are in the file share to see which users are accessing specific files.
Your manager has asked you to enable auditing for the file system that is on the Marketing department file share, and to review the results with the manager of the Marketing department.
The main tasks for this exercise are as follows:
1. Modify the Member Server Security Settings GPO to enable object access auditing.
2. Create and share a folder.
3. Enable auditing on the HR folder for Domain Users.
4. Create a new file in the file share from LON-CL1.
5. View the results in the security log on the domain controller.
Task 1: Modify the Member Server Security Settings GPO to enable object access auditing

1. On LON-DC1, in the Group Policy Management console, edit the Member Server Security Settings GPO.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Audit Policy, and enable Audit object access with both Success and Failure settings.
Task 2: Create and share a folder

1. On LON-SVR1, on drive C, create a new folder with the name HR.
2. Configure the HR folder with Read/Write sharing permissions for user Adam.
Task 3: Enable auditing on the HR folder for Domain Users

1. On LON-SVR1, in the Local Disk (C:) window, configure auditing on the HR folder, with following settings:
o Select a principal: Domain Users
o Type: All
o Permission: Read & execute, List folder content, Read, Write
o Leave other settings with their default values.
2. Open a command prompt window and refresh Group Policy using the gpupdate /force command.
Task 4: Create a new file in the file share from LON-CL1

1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. Open a command prompt window, and type the following command:
gpupdate /force
4. Close the command prompt window.
5. Log off LON-CL1 and then log on again, as Adatum\Adam with a password of Pa$$w0rd.
6. Open the HR folder on LON-SVR1, by using following Universal Naming Convention (UNC) path: \\LON-SVR1\HR.
7. Create a text document with a name Employees.
8. Log off of LON-CL1.
Task 5: View the results in the security log on the domain controller

1. Switch to LON-SVR1, and start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then open Security.
3. Verify that following event and information displays:
o Source: Microsoft Windows Security Auditing
o Event ID: 4663
o Task category: File System
o An attempt was made to access an object.
Results: After completing this exercise, you should have enabled file system access auditing.
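The following Windows PowerShell script is an added example, not part of the lab, that covers two steps above from the command line: it writes the same folder audit entry (SACL) that Task 3 configures in the GUI, which the Configuring Auditing lesson notes must be in place before object access auditing produces anything, and it then reads the resulting 4663 events from the Security log and extracts the user, object and process from each. The path C:\HR and the principal Domain Users follow the lab; 4663 events are written to the Security log of the server that hosts the share, so run it on LON-SVR1 as an administrator, since changing a SACL requires the Manage auditing and security log right.

```powershell
# Added example (not part of the lab): configure the folder audit entry from
# Task 3 with PowerShell and then read the 4663 events it produces.
function Add-FolderAuditRule {
    param(
        [string]$Path      = 'C:\HR',
        [string]$Principal = 'ADATUM\Domain Users'
    )
    # -Audit reads the SACL as well as the DACL
    $acl = Get-Acl -Path $Path -Audit

    # Lab settings: Type All; Read & execute, List folder content, Read, Write
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $Principal, $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRules {
    param([string]$Path = 'C:\HR')
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

function Get-FileAccessEvents {
    param([string]$PathPrefix = 'C:\HR', [int]$MaxEvents = 200)

    # 4663 = "An attempt was made to access an object" (object access auditing)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Named EventData fields are easiest to read from the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}

Add-FolderAuditRule
Get-FolderAuditRules  | Format-Table -AutoSize
Get-FileAccessEvents  | Format-Table -AutoSize
```

The SACL alone logs nothing: the Audit object access policy from Task 1 must also be in effect on the server, which is why the lab refreshes Group Policy before creating the test file. Expect one 4663 entry per handle use, so a single file creation from Explorer shows up as several lines.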
Exercise 3: Auditing Domain Logons
Scenario
After a security review, the IT policy committee has decided to begin tracking all user logons to the domain. Your manager has asked you to enable auditing of domain logons and verify that they are working.
The main tasks for this exercise are as follows:
1. Modify the Default Domain Policy GPO.
2. Run GPUpdate.
3. Log on to LON-CL1 with an incorrect password.
4. Review event logs on LON-DC1.
5. Log on to LON-CL1 with the correct password.
6. Review event logs on LON-DC1.
Task 1: Modify the Default Domain Policy GPO

1. On LON-DC1, in the Group Policy Management Console, edit the Default Domain Policy Group Policy Object.
2. In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Local Policies\Audit Policy, and then enable Audit account logon events with both Success and Failure settings.
3. Update Group policy by using the Gpupdate /force command.
Task 2: Run GPUpdate

1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. Open a command prompt window, and type the following command:
gpupdate /force
4. Close the command prompt window, and log off LON-CL1.
Task 3: Log on to LON-CL1 with an incorrect password

• Log on to LON-CL1 as Adatum\Adam with a password of password.
Note: This password is intentionally incorrect to generate a security log entry which shows that an unsuccessful login attempt has been made.
Task 4: Review event logs on LON-DC1

1. On LON-DC1, start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: “Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.”
Task 5: Log on to LON-CL1 with the correct password

• Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.
Note: This password is correct, and you should be able to log on successfully as Adam.
Task 6: Review event logs on LON-DC1

1. On LON-DC1, start Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for the following message: “A user successfully logged on to a computer.”
Results: After completing this exercise, you should have enabled domain logon auditing.
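As an added example (not part of the lab), the following Windows PowerShell script reads the logon-related events that this exercise enables from the Security log on LON-DC1 and summarizes them per account and outcome, so the failed attempt from Task 3 and the successful logon from Task 5 can be confirmed without scrolling through Event Viewer. Which event IDs appear depends on the path the logon takes: account logon auditing on a domain controller records Kerberos pre-authentication failures (4771) and NTLM credential validation (4776), while 4624 and 4625 are written where the logon itself is processed. The computer name and the one-hour window are assumptions for the example.

```powershell
# Added example (not part of the lab): summarize logon-related events from the
# Security log on LON-DC1 after account logon auditing is enabled.
#   4624 / 4625  logon succeeded / failed (logged where the logon was processed)
#   4771         Kerberos pre-authentication failed (e.g. wrong domain password)
#   4776         NTLM credential validation by the DC (Status 0x0 = validated)
function Get-LogonEventSummary {
    param(
        [string]$ComputerName = 'LON-DC1',
        [int]$Hours = 1
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Pull the named EventData fields out of the event XML
            $x = [xml]$evt.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $outcome = switch ($evt.Id) {
                4624 { 'Success' }
                4625 { "Failed $($d.SubStatus)" }
                4771 { "Kerberos pre-auth failed $($d.Status)" }
                4776 { if ($d.Status -eq '0x0') { 'NTLM validated' } else { "NTLM failed $($d.Status)" } }
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = $d.TargetUserName
                # The source field differs per event: IpAddress, WorkstationName or Workstation
                Source  = @($d.IpAddress, $d.WorkstationName, $d.Workstation | Where-Object { $_ })[0]
                Outcome = $outcome
            }
        } |
        # Computer accounts end in $ and dominate the log; keep user accounts only
        Where-Object { $_.Account -and $_.Account -notlike '*$' } |
        Group-Object Account, Outcome |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ Name = 'Account'; Expression = { $_.Values[0] } },
                      @{ Name = 'Outcome'; Expression = { $_.Values[1] } }
}

Get-LogonEventSummary | Format-Table -AutoSize
```

For the lab sequence, expect one failed line for Adam from Task 3 (a Kerberos pre-authentication failure with status 0x18 when the password is wrong) and a success line after Task 5. A high count of failures for a single account from one source in a short window is the pattern the account lockout policy earlier in this module is meant to contain.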
To prepare for the next lab

• To prepare for the next lab, leave the virtual machines running.
Lesson 3 Restricting Software

Users need access to the applications that help them do their jobs. However, unnecessary or unwanted applications often get installed on client computers, whether unintentionally or for malicious or non-business purposes. Unsupported or unused software is not maintained or secured by the administrators; therefore, that software could be attacked and used as an entry point for attackers to gain unauthorized access or spread computer viruses. Consequently, it is of the utmost importance for you to ensure that only necessary software gets installed on all the computers in your organization. It is also vital that you prevent software from running that is not allowed or is no longer used or supported.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how software restriction policies are used to restrict unauthorized software from running on servers and clients.

• Describe the purpose of AppLocker®.

• Describe AppLocker rules and how to use them to restrict unauthorized software from running on servers and clients.

• Describe how to create AppLocker rules.

What Are Software Restriction Policies?

Introduced in the Windows XP operating system and the Windows Server 2003 operating system, software restriction policies (SRP) give administrators tools that they can use to identify and specify which applications are permitted to run on client computers. SRP settings are configured and deployed to clients by using Group Policy.

Software Restriction Policies are used in Windows Server 2012 to provide Windows XP and Windows Vista® compatibility. An SRP set is made up of the following rules and security levels.

Rules

Rules govern how SRP responds to an application that is being run or installed. Rules are the key constructs within an SRP, and a group of rules together determine how an SRP responds to applications being run. Rules can be based on one of the following criteria that apply to the primary executable file for the application in question:

• Hash. A cryptographic fingerprint of the file.

• Certificate. A software publisher certificate that is used to digitally sign a file.

• Path. The local or UNC path to where the file is stored.

• Zone. The Internet zone.
Security Levels

Each applied SRP is assigned a security level that governs the way that the operating system reacts when the application that is defined in the rule is run. The three available security level settings are as follows:

• Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.

• Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.

• Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.

Using these three settings, there are two primary ways to use SRPs:

• If an administrator has a comprehensive list of all the software that should be allowed to run on clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to run can be identified in SRP rules that would apply either the Basic User or Unrestricted security level to each individual application, depending on the security requirements.

• If an administrator does not have a comprehensive list of the software that should be allowed to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be allowed to run can then be identified by using SRP rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.

Additional Reading: For more information about using software restriction policies to protect against unauthorized software, see http://go.microsoft.com/fwlink/?LinkId=203296.

What Is AppLocker?

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting that controls which applications users are allowed to run.

AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access. AppLocker is applied through Group Policy to computer objects within an OU. Individual AppLocker rules can also be applied to individual AD DS users or groups.

AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX® controls from being installed. It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise.

Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs.
You can use AppLocker to restrict software that:

• Is not allowed to be used in the company.

• Is no longer used or has been replaced with a newer version.

• Is no longer supported in the company.

• Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.

AppLocker is available in the following Windows operating system editions:

• Windows Server 2008 R2 Standard operating system

• Windows Server 2008 R2 Enterprise operating system

• Windows Server 2008 R2 Datacenter operating system

• Windows Server 2008 R2 for Itanium-based Systems

• Windows Server 2012

• Windows 7 Ultimate operating system

• Windows 7 Enterprise operating system

• Windows 8

Additional Reading: For more information about AppLocker, see http://technet.microsoft.com/en-us/library/hh831409.aspx.

AppLocker Rules

AppLocker defines rules based on file attributes that are derived from the digital signature of the file. File attributes in the digital signature include:

• Publisher name

• Product name

• File name

• File version

Default Configuration

The default configuration for AppLocker contains a set of default rules for each rule collection. This set of rules ensures that the files that are necessary for Windows to operate normally are allowed to run.

Allow and Deny Rule Actions

Allow and Deny are rule actions that allow or deny execution of applications based on a list of applications that you configure. The Allow action on rules limits execution of applications to an allowed list of applications, and blocks everything else. The Deny action on rules takes the opposite approach and allows the execution of any application except those on a list of denied applications. These actions also provide a means to identify exceptions to those actions.
12-24 Securing Windows Servers Using Group Policy Objects
You should use AppLocker when software is being used that is:
• Not allowed for use in the company. Give an example of software that can disrupt employees’ business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth.
• No longer used. Software that is not needed in the company is no longer maintained.
• No longer supported. Software that is not updated with security updates might pose a security risk.
Enforce or Audit Only
When AppLocker policy is set to Enforce, rules are enforced and all events are audited. When AppLocker policy is set to Audit Only, rules are evaluated and events are written to the AppLocker log, but no enforcement takes place.
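An added example, not part of the course, that builds the same kind of rule the demonstration below creates in the GUI: it reads the publisher attributes from a signed file, turns them into a Deny rule, starts the collection in Audit only mode, and merges the result into the GPO. It assumes the GPO WordPad Restriction Policy already exists, that the GroupPolicy and AppLocker modules are available, and that wordpad.exe is at the path shown; the test user Adatum\Alan is the demonstration account.

```powershell
# Added example, not course material: build the WordPad Deny-by-publisher rule from
# PowerShell, start it in Audit only mode, and merge it into the demonstration GPO.
# Assumptions: the GPO 'WordPad Restriction Policy' exists, the GroupPolicy and
# AppLocker modules are available (RSAT / Windows Server 2012), and wordpad.exe is at
# the path below. Run on a domain-joined machine as a Group Policy administrator.

$target  = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'   # assumed location
$gpoName = 'WordPad Restriction Policy'
$xmlPath = Join-Path $env:TEMP 'wordpad-deny.xml'

# 1. Read the attributes AppLocker derives from the digital signature:
#    publisher name, product name, binary (file) name and file version.
$info = Get-AppLockerFileInformation -Path $target
if (-not $info.Publisher) { throw "$target is unsigned; only path or hash rules can describe it." }
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. New-AppLockerPolicy only emits Allow rules, so generate the publisher rule as XML
#    and change its Action to Deny. '-User Everyone' scopes the rule to all users.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User 'Everyone' `
                                          -RuleNamePrefix 'Block' -Xml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
foreach ($rule in @($exeCollection.FilePublisherRule)) {
    $rule.Action = 'Deny'
}

# 3. Audit only first: matching launches are logged (event ID 8003 in the
#    "EXE and DLL" log) but nothing is blocked. Change to 'Enabled' (Enforce rules)
#    only after the audit log shows no unexpected hits.
$exeCollection.EnforcementMode = 'AuditOnly'
$policy.Save($xmlPath)

# 4. Merge (do not replace) into the GPO so the default rules that allow %WINDIR% and
#    %PROGRAMFILES% survive. An Exe collection containing only this Deny rule would,
#    once enforced, block every other executable for non-administrators.
$gpo = Get-GPO -Name $gpoName
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://$($gpo.Path)" -Merge

# 5. Ask the merged policy what it would decide for a given user and file before
#    enforcement, alongside a file the default rules should still allow.
$merged = Join-Path $env:TEMP 'wordpad-merged.xml'
Get-AppLockerPolicy -Ldap "LDAP://$($gpo.Path)" -Xml | Out-File $merged -Encoding utf8
Test-AppLockerPolicy -XmlPolicy $merged -Path $target, 'C:\Windows\System32\notepad.exe' -User 'Adatum\Alan' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The Application Identity service must be running on the target computers for either mode to do anything, which is why the demonstration sets its startup mode to Automatic in the same GPO.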
Demonstration: Creating AppLocker Rules
In this demonstration, you will see how to:
• Create a GPO to enforce the default AppLocker Executable rules.
• Apply the GPO to the domain.
• Test the AppLocker rule.
Demonstration Steps
Create a GPO to enforce the default AppLocker Executable rules
1. On LON-DC1, open the Group Policy Management console.
2. Create a new GPO named WordPad Restriction Policy.
3. Edit the WordPad Restriction Policy’s Security Settings by using AppLocker to create a new Executable Rule.
4. Set the permission of the new rule to Deny, the condition to Publisher, and then select wordpad.exe. If prompted, click OK to create default rules.
5. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
6. In AppLocker, configure enforcement with Enforce rules.
7. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
8. Configure Application Identity Properties with Define this policy setting and Select service startup mode with Automatic.
Apply the GPO to the Contoso.com domain
1. Open a command prompt window, type gpupdate /force, and then press Enter.
2. Start and then log on to 20410A-LON-SVR1 as Adatum\Alan, with the password, Pa$$w0rd.
3. In the command prompt window, type gpupdate /force, and then press Enter. Wait for the policy to update.
Test the AppLocker rule
• Attempt to start WordPad, and then verify that WordPad does not start.
Lesson 4: Configuring Windows Firewall with Advanced Security
Windows Firewall with Advanced Security is an important tool for enhancing the security of Windows Server 2012. This snap-in helps to prevent several different security issues such as port scanning or malware. Windows Firewall with Advanced Security has multiple firewall profiles, each of which applies unique settings to different types of networks. You can manually configure Windows Firewall rules on each server, or configure them centrally by using Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Windows Firewall with Advanced Security.
• Describe Firewall Profiles.
• Describe Connection Security Rules.
• Describe how to deploy Windows Firewall rules.
What Is Windows Firewall with Advanced Security?
Windows Firewall with Advanced Security is a host-based firewall that is included in Windows Server 2012. This snap-in runs on the local computer and restricts network access to and from that computer. Unlike a perimeter firewall, which provides protection only from threats on the Internet, a host-based firewall provides protection from threats wherever they originate. For example, for a host that is not behind a firewall, it protects from LAN or Internet threats.
Inbound and Outbound Rules
Inbound rules control communication that is initiated by another device or computer on the network, with the host computer. By default, all inbound communication is blocked except the traffic that is explicitly allowed by an inbound rule.
Outbound rules control communication that is initiated by the host computer, and is destined for a device that is on the network. By default, all outbound communication is allowed except the traffic that is explicitly blocked by an outbound rule. If you choose to block all outbound communication except that which is explicitly allowed, you must carefully catalog the software that is allowed to run on the computer and the network communication required by that software.
You can create inbound and outbound rules based on User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports. You can also create inbound and outbound rules that allow a specific executable network access, regardless of the port number that is being used.
Connection Security Rules
You use Connection Security Rules to configure Internet Protocol Security (IPsec) for Windows Server 2012. When these rules are configured, you can authenticate communication between computers, and then use that information to create firewall rules based on specific user and computer accounts.
Additional Enhancements
Windows Firewall with Advanced Security is a Microsoft Management Console (MMC) snap-in that allows you to perform advanced configuration of Windows Firewall.
Windows Firewall in Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 has the following enhancements:
• Supports filtering for both incoming and outgoing traffic.
• Provides a MMC snap-in that you can use to configure advanced settings.
• Integrates firewall filtering and IPsec protection settings.
• Enables you to configure rules to control network traffic.
• Provides network location-aware profiles.
• Enables you to import or export policies.
You can configure Windows Firewall settings on each computer individually, or with Group Policy at: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.
Note: Windows Server 2012 introduces the additional option for administering Windows Firewall by using the Windows PowerShell command-line interface.
Discussion: Why Is a Host-Based Firewall Important?
Windows Firewall with Advanced Security is enabled by default on Windows Server 2012.
Review the discussion question and participate in a discussion to identify the benefits of using a host-based firewall such as Windows Firewall with Advanced Security.
Question: Why is it important to use a host-based firewall such as Windows Firewall with Advanced Security?
Firewall Profiles
Windows Firewall with Advanced Security is a network-aware application that uses firewall profiles to provide a consistent configuration for networks of a specific type. Windows Server 2012 allows you to define a network as either a domain network, a public network, or a private network.
With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles.
Windows Firewall with Advanced Security includes the following profiles:
• Public. Use when you are connected to an untrusted public network. Other than domain networks, all networks are categorized as Public. By default, the Public (most restrictive) profile is used in Windows Vista, Windows 7, and Windows 8.
• Private. Use when you are connected behind a firewall. A network is categorized as private only if an administrator or an application identifies the network as private. This profile is referred to as the Home profile in Windows Vista, Windows 7, and Windows 8.
• Domain. Use when your computer is part of a Windows operating system domain. Windows operating systems automatically identify networks on which it can authenticate access to the domain controller. No other networks can be placed in this category. This profile is referred to as the Work profile in Windows Vista, Windows 7, and Windows 8.
Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multi-homed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.
Connection Security Rules
A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. They also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules.
The configurable connection security rules are:
• Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
• Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.
• Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.
• Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.
• Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rules available in the New Connection Security Rule Wizard.
How Firewall Rules and Connection Security Rules Work Together
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; they are applied between the computers that make up the two endpoints.
Deploying Firewall Rules
How you deploy Windows Firewall rules is an important consideration. Choosing the appropriate method ensures that rules are deployed accurately and with minimum effort. You can deploy Windows Firewall rules in the following ways:
• Manually. You can individually configure firewall rules on each server. However, in an environment with more than a few servers, this is labor-intensive and prone to error. This method is typically used only during testing and troubleshooting.
• Using Group Policy. The preferred way to distribute firewall rules is by using Group Policy. After creating and testing a GPO with the required firewall rules, you can quickly and accurately deploy the firewall rules to a large number of computers.
• Exporting and importing firewall rules. Windows Firewall with Advanced Security also gives you the option to import and export firewall rules. You can export firewall rules to create a backup before you manually configure firewall rules during troubleshooting. When you import firewall rules, they are treated as a complete set and replace all currently configured firewall rules.
Lab B: Configuring AppLocker and Windows Firewall
Scenario
A. Datum is a global engineering and manufacturing company with a head office based in London, England. An IT office and a data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients.
You have been working for A. Datum for several years as a desktop support specialist. In this role, you visited desktop computers to troubleshoot application and network problems. You have recently accepted a promotion to the server support team. As a new member of the team, you help to deploy and configure new servers and services into the existing infrastructure based on the instructions given to you by your IT manager.
Your manager has asked you to implement AppLocker to restrict non-standard applications from running. He also has asked you to create new Windows Firewall rules for any member servers running web-based applications.
Objectives
After completing this lab, you will be able to:
• Configure AppLocker Policies.
• Configure Windows Firewall.
Lab Setup
Estimated time: 60 minutes
Virtual Machines: 20410A-LON-DC1, 20410A-LON-SVR1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Exercise 1: Configuring AppLocker® Policies
Scenario
Your manager has asked you to configure new AppLocker policies to control the use of applications on user desktops. The new configuration should allow programs to be run only from approved locations. All users must be able to run applications from the C:\Windows directory and from C:\Program Files.
You also need to add an exception to run a custom-developed application that resides in a non-standard location. The first stage of the implementation will log compliance with rules. The second stage of implementation will prevent unauthorized programs from running.
The main tasks for this exercise are as follows:
1. Create an OU for Client Computers.
2. Move LON-CL1 to the Client Computers OU.
3. Create a Software Control GPO and link it to the Client Computers OU.
4. Run GPUpdate on LON-SVR1.
5. Run app1.bat in the C:\CustomApp folder.
6. View AppLocker events in an event log.
7. Create a rule that allows software to run from C:\CustomApp.
8. Modify Software Control GPO to enforce the rules.
9. Verify that an application can still be run from C:\CustomApp.
10. Verify that an application cannot be run from the Documents folder.
Task 1: Create an OU for Client Computers
1. Switch to LON-DC1.
2. Open Active Directory Users and Computers.
3. Create a new OU called Client Computers OU.
Task 2: Move LON-CL1 to the Client Computers OU
• On LON-DC1, in the Active Directory Users and Computers console, move LON-CL1 to the Client Computers OU.
Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) named Software Control GPO.
3. Edit the Software Control GPO.
4. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
5. Create default rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules.
6. Configure the rule enforcement for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules with the Audit only option.
7. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, and then expand Security Settings, click System Services and then double-click Application Identity.
8. In the Application Identity Properties dialog box, select Define this policy setting, and under Select service startup mode, select Automatic, and then click OK.
9. Close the Group Policy Management Editor.
10. In the Group Policy Management Console, link the Software Control GPO to Member Servers OU.
Task 4: Run GPUpdate on LON-SVR1
1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate /force
3. Close the command prompt window and restart LON-SVR1.
Task 5: Run app1.bat in the C:\CustomApp folder
1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. At the command prompt, type the following command:
C:\CustomApp\app1.bat
Task 6: View AppLocker events in an event log
1. On LON-SVR1, start Event Viewer.
2. In the Event Viewer window, browse to Applications and Services Logs\Microsoft\AppLocker, and review the events.
3. Click MSI and Scripts, and review the event logs for App1.bat.
Task 7: Create a rule that allows software to run from C:\CustomApp
1. On LON-DC1, edit the Software Control GPO, and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
2. Create an AppLocker script rule with the following settings:
o Permissions: Allow
o Conditions: Path
o Path: %OSDRIVE%\CustomApp\app1.bat
o Name and Description: Custom App Rule
Task 8: Modify Software Control GPO to enforce the rules
1. Use the Enforce rules option to configure rule enforcement for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules.
2. Close the Group Policy Management Editor.
Task 9: Verify that an application can still be run from C:\CustomApp
1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate /force
3. Close the command prompt window and restart LON-SVR1.
4. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
5. Open a command prompt and verify that you can run the app1.bat application, which is located in the C:\CustomApp folder.
6. Log off of LON-SVR1.
Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, copy app1.bat from the C:\CustomApp folder to the Documents folder.
2. Verify that the application cannot be run from the Documents folder, and that the following message appears: “This program is blocked by Group Policy. For more information, contact your system administrator.”
Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.
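An added example, not part of the lab, that automates the decision between Task 6 and Task 8: run on the audited computer (LON-SVR1 in this lab), it summarizes the Audit only events, then re-tests each flagged file against the policy in effect so you can see which files still need an Allow rule before switching to Enforce rules. The log names and event IDs are Windows' own; the event fields read (PolicyName, FilePath, TargetUser, Fqbn) are those carried by AppLocker events on Windows Server 2012.

```powershell
# Added example, not lab material: review AppLocker "Audit only" results before enforcing.
# Run on the computer whose AppLocker logs you want to review (e.g. LON-SVR1).

function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Audit-only "would have been blocked" events: 8003 for EXE and DLL, 8006 for MSI and Script.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006; StartTime = $since }
    )
    $events = foreach ($f in $filters) {
        # SilentlyContinue: a log with no matching events is not an error here.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $rows = foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $user = $data.TargetUser                        # SID; translate when possible
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$data.TargetUser).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Collection = $data.PolicyName              # EXE, DLL, MSI, SCRIPT
            FilePath   = $data.FilePath                # uses %OSDRIVE%, %WINDIR%, %PROGRAMFILES%
            User       = $user
            Publisher  = $data.Fqbn                    # empty for unsigned files such as app1.bat
            Time       = $e.TimeCreated
        }
    }
    $rows | Group-Object Collection, FilePath | ForEach-Object {
        [pscustomobject]@{
            Collection = $_.Group[0].Collection
            FilePath   = $_.Group[0].FilePath
            Hits       = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
            Publisher  = $_.Group[0].Publisher
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Hits -Descending
}

$summary = Get-AppLockerAuditSummary -Days 7
$summary | Format-Table Collection, FilePath, Hits, Users, LastSeen -AutoSize

# Re-evaluate each flagged file against the policy now in effect on this computer, as the
# first user that hit it. A file that is still Denied needs an Allow rule (like the lab's
# %OSDRIVE%\CustomApp\app1.bat path rule) or should stay blocked once rules are enforced.
$effective = Get-AppLockerPolicy -Effective
foreach ($row in $summary) {
    $localPath = [Environment]::ExpandEnvironmentVariables(
                     ($row.FilePath -replace '%OSDRIVE%', $env:SystemDrive))
    if (-not (Test-Path $localPath)) { continue }   # logged for a file that has since moved
    $firstUser = ($row.Users -split ',\s*')[0]
    Test-AppLockerPolicy -PolicyObject $effective -Path $localPath -User $firstUser |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```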
Exercise 2: Configuring Windows Firewall
Scenario
Your manager has asked you to configure Windows Firewall rules for a set of new application servers. These application servers have a web-based application that is listening on a non-standard port. You need to configure Windows Firewall to allow network communication through this port. You will use security filtering to ensure that the new Windows Firewall rules apply only to the application servers.
The main tasks for this exercise are as follows:
1. Create a group called Application Servers.
2. Add LON-SVR1 as a group member.
3. Create a new Application Servers GPO.
4. Link the Application Servers GPO to the Member Servers OU.
5. Use security filtering to limit the Application Servers GPO to members of the Application Servers group.
6. Run GPUpdate on LON-SVR1.
7. View the firewall rules on LON-SVR1.
Task 1: Create a group called Application Servers
• On LON-DC1, in Active Directory Users and Computers, in the Member Servers OU, create a new global security group called Application Servers.
Task 2: Add LON-SVR1 as a group member
• In the Active Directory Users and Computers console, in the Member Servers OU, open Application Servers Properties, and then add LON-SVR1 as a group member.
Task 3: Create a new Application Servers GPO
1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console window, in the Group Policy Objects container, create a new Group Policy Object (GPO) named Application Servers GPO.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\Windows Firewall with Advanced Security.
4. Configure an inbound rule with the following settings:
o Rule Type: Custom
o Protocol type: TCP
o Specific Ports: 8080
o Scope: Any IP address
o Action: Allow the connection
o Profile: Domain
o Name: Application Server Department Firewall Rule
5. Close the Group Policy Management Editor.
Task 4: Link the Application Servers GPO to the Member Servers OU
• In the Group Policy Management Console, link the Application Servers GPO to the Member Servers OU.
Task 5: Use security filtering to limit the Application Servers GPO to members of the Application Servers group
1. On LON-DC1, open the Group Policy Management Console, expand the Member Servers OU, and then click Application Servers GPO.
2. In the right-hand pane, under Security Filtering, remove Authenticated Users, and configure Application Servers GPO to apply only to the Application Servers security group.
Task 6: Run GPUpdate on LON-SVR1
1. Switch to LON-SVR1.
2. Open a command prompt window, and type the following command:
gpupdate /force
3. Close the command prompt window.
4. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.
Task 7: View the firewall rules on LON-SVR1
1. Switch to LON-SVR1.
2. Start Windows Firewall with Advanced Security.
3. In the Windows Firewall with Advanced Security window, under Inbound Rules, verify that the Application Server Department Firewall Rule that you created earlier by using Group Policy is present.
4. Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy.
Results: After completing this exercise, you should have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.
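An added example, not part of the lab: the same inbound TCP 8080 rule created from PowerShell directly in the GPO, followed by a check to run on the member server that the rule arrived through Group Policy and that its profile matches the profile the server's connection is actually using (a rule that is present but bound to an inactive profile is the usual reason delivered rules seem to have no effect). It assumes the domain is adatum.com, that the Application Servers GPO exists, and that the NetSecurity module of Windows Server 2012 is available.

```powershell
# Added example, not lab material: write the lab's firewall rule into the GPO from
# PowerShell, then verify on a member server that it is delivered and will apply.
# Assumptions: domain adatum.com, GPO 'Application Servers GPO', NetSecurity module present.

# PolicyStore 'Domain\GPOName' edits the GPO instead of the local firewall store.
$policyStore = 'adatum.com\Application Servers GPO'
New-NetFirewallRule -PolicyStore $policyStore `
    -DisplayName 'Application Server Department Firewall Rule' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -RemoteAddress Any `
    -Action Allow -Profile Domain -Enabled True | Out-Null

# Run on LON-SVR1 after gpupdate /force. ActiveStore is the merged result of local and
# Group Policy rules; PolicyStoreSourceType tells the two apart. One object is emitted
# per rule with that name, so a local duplicate shows up next to the GPO copy.
function Test-GpoFirewallRule {
    param([Parameter(Mandatory)][string]$DisplayName)
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName -ErrorAction Stop)
    # Connection category is Public, Private or DomainAuthenticated; rule profiles are
    # a flag set such as 'Domain' or 'Domain, Private'. Normalize both to one vocabulary.
    $activeProfiles = @((Get-NetConnectionProfile).NetworkCategory | ForEach-Object {
                          ([string]$_) -replace 'Authenticated$', '' })
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $ruleProfiles = ([string]$rule.Profile) -split ',\s*'
        $profileMatch = ($ruleProfiles -contains 'Any') -or
                        (@($ruleProfiles | Where-Object { $activeProfiles -contains $_ }).Count -gt 0)
        [pscustomobject]@{
            Rule            = $rule.DisplayName
            FromGroupPolicy = $rule.PolicyStoreSourceType -eq 'GroupPolicy'
            Source          = $rule.PolicyStoreSource
            Enabled         = [string]$rule.Enabled
            Port            = "$($port.Protocol)/$($port.LocalPort)"
            RuleProfile     = $ruleProfiles -join ','
            ActiveProfile   = $activeProfiles -join ','
            # A rule whose profile is not the active one never filters traffic, even
            # though it is listed in the console: the case in the module review question.
            WillApply       = $profileMatch -and ([string]$rule.Enabled -eq 'True')
        }
    }
}
Test-GpoFirewallRule -DisplayName 'Application Server Department Firewall Rule' | Format-List
```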
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Module Review and Takeaways
Review Questions
Question: Does the defense-in-depth model prescribe specific technologies that you should use to protect Windows Server operating system servers?
Question: What setting must you configure to ensure that users are allowed only three invalid logon attempts?
Question: You want to place an application control policy on a new type of executable file. What must you do before you can create a rule for this executable code?
Question: You are creating a GPO with standardized firewall rules for the servers in your organization. You tested the rules on a stand-alone server in your test lab. The rules appear on the servers after the GPO is applied, but they are not taking effect. What is the most likely cause of this problem?
Question: Last year, your organization developed a security strategy that included all aspects of a defense-in-depth model. Based on that strategy, your organization implemented security settings and policies on the entire IT infrastructure environment. Yesterday, you read in an article that new security threats were detected on the Internet, but now you realize that your company strategy does not include a risk analysis and mitigation plan for those new threats. What should you do?
Best Practices
The following are best practices:
• Always make a detailed security risk assessment before planning which security features your organization should deploy.
• Create a separate GPO for security settings that applies to each different type of user in your organization, because each department might have different security needs.
• Make sure that the security settings that you configure are reasonably easy to use so that they are accepted by employees. Frequently, very strong security policies are too complex or difficult for employees to adopt.
• Always test security configurations that you plan to implement with a GPO in an isolated, non-production environment. Only deploy policies in your production environment after this testing is completed successfully.
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
The user cannot log on locally to a server.
After configuring auditing, there are too many events logged in the Security Event Log in Event Viewer.
Some users complain that their business applications can no longer access resources on the server.
Tools
Tool: Group Policy Management Console (GPMC)
Use for: A graphical tool that you use to create, edit, and apply Group Policy Objects (GPOs).
Where to find it: Server Manager/Tools
Tool: AppLocker
Use for: Applies security settings that control which applications are allowed to be run by users.
Where to find it: GPO Editor in GPMC
Tool: Windows Firewall with Advanced Security
Use for: A host-based firewall that is included as a feature in Windows Server 2012 and Windows Server 2008.
Where to find it: Server Manager/Tools if configured individually, or GPO Editor in GPMC for deploying with Group Policy
Tool: Security Compliance Manager
Use for: Deploying security policies based on Microsoft Security Guide recommendations and industry best practices.
Where to find it: Download from the Microsoft website at http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx.
13-1
Module 13 Implementing Server Virtualization with Hyper-V
Contents:
Module Overview 13-1
Lesson 1: Overview of Virtualization Technologies 13-2
Lesson 2: Implementing Hyper-V 13-8
Lesson 3: Managing Virtual Machine Storage 13-15
Lesson 4: Managing Virtual Networks 13-22
Lab: Implementing Server Virtualization with Hyper-V 13-27
Module Review and Takeaways 13-33
Module Overview
Server virtualization has only been a part of the Windows Server operating system since the release of Windows Server 2008 and the introduction of the Hyper-V role. Server virtualization allows organizations to save money through server consolidation. Because of these efficiencies, server administrators need to be able to distinguish which server workloads might run effectively in virtual machines, and which server workloads must remain deployed in a more traditional server environment.
This module introduces you to the Hyper-V® role, the components of the role, how best to deploy the role, and the new features of the Hyper-V role that are introduced with Windows Server 2012.
Objectives
After completing this module, you will be able to:
• Understand and describe Microsoft's virtualization technologies.
• Implement Hyper-V.
• Manage virtual machine storage.
• Manage virtual networks.
13-2 Implemen
Lesson Overvi
YouprimAlthothe
LesAfte
•
•
•
•
•
Ser
Witvirtuthe Thecom
VirtcomusinWinhavclosmacmacYousimu
Vir
By iappcomsepamor10 tvirtuof 4
Thislocathat
nting Server Virtualiz
Lesson 1: Overview of Virtualization Technologies

You can deploy many different types of virtualization on networks where Windows operating systems are primarily deployed. The type of virtualization that you choose depends on what you need to accomplish. Although this module is primarily concerned with server virtualization, in this lesson you will learn about other types of virtualization and the situations in which it is appropriate to deploy them.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe server virtualization using Hyper-V.
• Describe Windows® Azure™.
• Explain when you would use desktop virtualization.
• Determine the components required to implement presentation virtualization.
• Explain the benefits of Microsoft Application Virtualization (App-V) over traditional application deployment.

Server Virtualization with Hyper-V

With server virtualization, you can create separate virtual machines and run them concurrently using the resources of a single server operating system. These virtual machines are known as guests. The computer running Hyper-V is known as the host.

Virtual machine guests function as normal computers. When users are logged on remotely using Remote Desktop Connection (RDC) or a Windows PowerShell® remote session, they would have to examine the properties of a computer closely to determine whether it is a virtual machine or a traditionally deployed physical machine. Virtual machine guests that are hosted on the same hypervisor are independent of one another. You can run multiple virtual machines that are using different operating systems on a host server simultaneously, provided the host server has enough resources.

Virtual Machines and Hardware Usage

By implementing virtual machines, you use hardware more efficiently. In most cases, a service or application does not consume more than a fraction of the resources that are available on the host computer. When deployed as virtual machines, you can organize multiple services and applications from separate virtual machines on to the same host server so that the resources of that host server are used more effectively. For example, if you have four separate services and applications that each consume from 10 to 15 percent of a host server's hardware resources, you can install these services and applications in virtual machines, and then place them on the same hardware where, on average, they will consume a total of 40 to 60 percent of the host server's hardware.

This is a simplified example. In real world environments, you must make adequate preparations before creating virtual machines; you have to ensure that the hardware resource needs of all the virtual machines that are hosted on the host hypervisor do not exceed the hypervisor's hardware resources.
Service and Application Isolation in Virtual Machines

Keeping one particular service or application functioning in a reliable manner can be challenging. This task becomes even more complicated if you need to deploy multiple services and applications on the same server. For example, you might need to deploy application A and application B at a branch office. These applications conflict when run on the same computer, but you can only afford enough hardware for one server. Running these applications within virtual machines can solve this problem.

Server Consolidation

With server virtualization, you can consolidate onto a single host servers that would otherwise need to run on separate hardware. Because each virtual machine on a host is isolated from the other virtual machines on the same host, it is possible to deploy services and applications—such as Exchange Server 2010, SQL Server 2012, and Active Directory® domain controllers—on the same physical computer, but hosted within virtual machines. This means that an organization only needs to deploy one physical server in place of the three servers that they would have needed in the past.

Best Practice: Microsoft recommends that you not deploy a Microsoft Exchange mailbox server on the same computer that holds a domain controller role. Microsoft also recommends that you not deploy a SQL Server 2012 database engine instance on the same computer that hosts the domain controller role. Instead, deploy each of these workloads on separate virtual machines and then run those virtual machines as guests on the same server virtualization host; this is a supported configuration.

Simplifying Server Deployment

You can also use virtualization to simplify the process of server deployment:
• There are virtual machine templates for common server configurations included with products such as Microsoft System Center 2012 - Virtual Machine Manager (VMM). You can configure these templates rather than configuring virtual machines from the very beginning.
• You can also create virtual machine self-service portals that enable end users to provision approved servers and applications automatically without requiring the direct intervention of the systems administration team. You create these virtual machine self-service portals with VMM and Microsoft System Center 2012 - Service Manager.

What Is Windows Azure?

Windows Azure is a cloud-based platform where you can purchase capacity, either for virtual machines or for hosting applications, such as SQL Server databases on SQL Azure. As a cloud-based solution, you pay for the capacity you use, rather than paying a fixed rate. For example, rather than paying a monthly flat rate to rent a server on a rack at a hosting provider, the cloud hosting provider charges you based on use. You pay less when the server is experiencing minimal use and you pay more as use increases.

Cloud-based capacity is elastic, meaning it can grow or shrink quickly as required. For example, in a traditionally hosted solution, you would have a specific server chassis. Then, if you need to increase capacity rapidly, you might choose to switch to another class of server hardware, which would require you to migrate from the first physical host. All of this takes time and planning. Similarly, if your need for capacity decreases, you would need to decide whether migrating to a lower class of hardware is worth the cost, or if your organization should continue to pay for a class of hardware that you do not need right now—and may or may not need in the future. By using a cloud hosting provider, capacity is scaled automatically and your organization is charged for only what you use, all without the complexity of migration.

This can be very useful when you have to provide proof-of-concept solutions when proposing projects. Rather than purchase test hardware and have to deploy a proof-of-concept solution to that hardware to demonstrate a project's feasibility, you can quickly deploy a cloud based virtual machine. Once the proof-of-concept solution is validated, you can choose to discard it, or keep it depending on operational concerns. This is cheaper than acquiring hardware for a proof-of-concept solution which may be discarded if the project does not go ahead or turns out to be infeasible.

Hosting Websites or Production Applications

Cloud-based platforms like Windows Azure also allow you to deploy applications without having to deploy the underlying server infrastructure. For example, if you need a database, instead of having to deploy both Windows Server 2012 and SQL Server 2012, and then deploy the specific database, you rent the cloud-based database server, and then host the database there.

For a successful cloud strategy, you must be able to determine correctly which services and applications are more economical to host with a host provider, and which services and applications are more economical to host on premises. Many factors that are unique to an organization are involved in making this determination, and a strategy that is best for one organization may not be appropriate for another.

Desktop Virtualization

Client Hyper-V

You can install the Hyper-V role on computers that are running Windows 8 Pro and Windows 8 Enterprise operating systems. This allows you to run virtual machine guests on client computers. Client Hyper-V, the Hyper-V feature in Windows 8 Pro and Windows 8 Enterprise, has the same processor requirements as Hyper-V on Windows Server 2012: the computer must have an x64 platform that supports second-level address translation (SLAT), and have a minimum of 4 gigabytes (GB) of random access memory (RAM).

Client Hyper-V on Windows 8

The Client Hyper-V role on Windows 8 supports many of the features that are available with Hyper-V on Windows Server 2012, but does not support enterprise features such as virtual machine migration. Client Hyper-V also does not support publishing applications that are installed on the virtual machine guest to the host operating system's Start menu. This was a feature that was present in Windows XP Mode on Windows 7, which used Virtual PC (Virtual PC is the client virtualization feature available to some computers running specific editions of the Windows 7 operating system).

Client Hyper-V in enterprise environments

In enterprise environments, Client Hyper-V is often used for development purposes, or to allow specific users to run previous versions of the Windows operating system so that they can access applications that are incompatible with Windows 8. When large numbers of people within an organization need regular access to a previous version of the Windows operating system, you should consider deploying Microsoft Enterprise Desktop Virtualization (MED-V).

MED-V

MED-V is a centrally managed form of client-hosted virtualization. MED-V allows administrators to centrally deploy and manage virtual machines running on clients. MED-V allows applications that are compatible with previous versions of the Windows client operating system, such as Windows XP, to be published in such a way that they are accessible through the Windows 8 Start menu. MED-V is available as part of the Microsoft Desktop Optimization Pack.

Additional Reading: For more information about MED-V see: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/med-v.aspx.

Virtual Desktop Infrastructure

Virtual Desktop Infrastructure (VDI) is a form of desktop virtualization where client operating systems are hosted centrally as virtual machines. Clients connect to these virtual machines using client software such as RDC. Using the Add Roles and Features Wizard, you can configure a server to support VDI by choosing Remote Desktop Services installation. You can also install the Remote Desktop Virtualization Host role service in addition to the Hyper-V role when configuring a host server to function as a VDI server.

VDI can simplify the management of client operating systems in the following ways:
• For all the client computers that are hosted on a single server, it is easier to ensure that they are backed up regularly.
• The client virtual machines can be hosted on a highly available Hyper-V host.
• In the event that a client computer breaks, users are still able to access their virtual machine using other RDC methods.

VDI is also one method of allowing organizations to implement “Bring Your Own Device” (BYOD) policies. In this scenario, workers bring their own computer to the office and use RDC software to connect to the virtual machine that has been assigned to them.

Presentation Virtualization

Presentation virtualization differs from desktop virtualization in the following ways:
• In desktop virtualization, each user is assigned their own virtual machine that is running a client operating system. In presentation virtualization, users log on and run separate sessions on a server or servers. For example, users Alex and Brad might be logged onto the same remote desktop server, running different sessions using RDC.
• With desktop virtualization, the applications run within virtual machines. With presentation virtualization, the desktop and the applications run on the host server.
On networks that use Windows Server 2012, presentation virtualization is provided by the Remote Desktop Services server role. Clients can access presentation virtualization in the following ways:
• Full Desktop. Clients can use a remote desktop client such as RDC to access a full desktop session and to run applications on the Windows Server 2012 host server.
• RemoteApp applications. Rather than use a full desktop client like RDC, RemoteApp allows applications that run on the host Windows Server 2012 server to be displayed on the client computer. RemoteApp applications can be deployed as Windows Installer (.msi) files using traditional software deployment methods. This allows you to associate file types with RemoteApp applications.
• Remote Desktop Web Access. Clients can access a web site on a specially configured server and launch RemoteApp applications and Remote Desktop sessions from their browser.

Remote Desktop Gateway

Remote Desktop Gateway allows external clients to access Remote Desktop and RemoteApp without using a virtual private network (VPN), or the Windows 7 and Windows 8 operating systems' DirectAccess feature. Remote Desktop Gateway is a role service that you can install on a computer running Windows Server 2012. Remote Desktop Gateway servers are deployed on perimeter networks. You can configure the RDC client with the address of Remote Desktop Gateway servers. When you do this, the client checks to see if it is on the organizational network. If it is, it makes a direct connection to the Remote Desktop server. If it is not, it routes the connection to the Remote Desktop server through the Remote Desktop Gateway.

Application Virtualization

Application Virtualization, also known as App-V, uses special client software, known as the App-V Client, that is installed on the client to allow applications to either run on or be streamed to client computers. App-V, like MED-V, is available as part of the Microsoft Desktop Optimization Pack, and is not a native Windows Server 2012 role or feature.

Application isolation

App-V isolates the application from the operating system and runs it in a special separate virtual environment. This means that applications that you cannot install and run directly on a host operating system, because of compatibility problems, are able to run as App-V applications. For example, applications written for Windows XP that cannot run on the Windows 8 operating system can be run on Windows 8 if deployed through App-V. With App-V, you can also run applications that might be compatible with the host operating system, but may be problematic when run together. For example, you can use App-V to deploy and run different versions of Microsoft Office Word simultaneously.

Application streaming

Another useful feature of App-V is application streaming. When an application is streamed, only those parts of the application that are being used are transmitted to the client computer. This speeds up application deployment because only part—not all—of the application must be transmitted across the network to the client computer.
Application portability
When deployed with Microsoft System Center 2012 Configuration Manager, App-V allows applications to follow users across multiple computers, without requiring a traditional installation on those client computers. For example, a user can log on to a colleague's computer and have App-V stream that application to them so that they can use it on that computer. The application is not installed locally, and when the user logs off, the application is no longer available to other users of the computer.
Lesson 2: Implementing Hyper-V

Understanding how Hyper-V works and how virtual machines function is critical to effectively deploying server virtualization in a Windows Server 2012 network environment. When you plan a virtualization strategy using Windows Server 2012 as a virtual machine host, you need to know what you can and cannot do.

This lesson discusses Hyper-V, the hardware requirements for deploying Hyper-V on a computer running Windows Server 2012, the different components of a virtual machine, and the benefits of virtual machine integration services. It also discusses how to measure virtual machine resource use with Windows PowerShell cmdlets.

Lesson Objectives
After completing this lesson, you will be able to:
• Install the Hyper-V server role.
• Describe the appropriate hardware for Hyper-V deployment.
• Describe virtual machine components.
• Configure dynamic memory.
• Configure virtual machine integration services.
• Configure virtual machine start and stop actions.
• Perform Hyper-V resource metering tasks.

About Hyper-V

Hyper-V is the hardware virtualization role available in Windows Server 2012. Hardware virtualization provides virtual machines with direct access to the host's hardware. This is in contrast to software virtualization products, such as Virtual Server 2005 R2, that provide access indirectly using the operating system.

You use the Hyper-V role to configure Windows Server 2012 to function as a hypervisor. Windows Server 2012 can then host virtual machine guests that are running supported operating systems. In some documentation, the virtual machine host (in this case the Windows Server 2012 computer that is running Hyper-V) is referred to as the parent partition, and virtual machines running on the Hyper-V host are referred to as child partitions.

You can deploy Hyper-V to a computer running Windows Server 2012 by using the Add Roles and Features Wizard. You can install the Hyper-V role on both Windows Server 2012 Full GUI and Windows Server 2012 Server Core. There is also a Server Hyper Core edition of Windows Server 2012, which includes only the components necessary to host virtual machines. Virtual machine administration is done locally through Windows PowerShell, or remotely through the Hyper-V manager console.
Hardware Requirements for Hyper-V

When deciding on the hardware to use with a server on which you will install the Hyper-V role, you need to ensure the following:
• The server must have an x64 platform that supports SLAT and Data Execution Prevention.
• The CPU capacity of the host server must meet the requirements of the guest virtual machines.
• A virtual machine hosted on Hyper-V in Windows Server 2012 can support a maximum of 1 TB of RAM and up to 32 virtual processors.
• The server must have enough memory to support the memory requirements of all of the virtual machines that must run concurrently, plus enough memory to run the host Windows Server 2012 operating system. The server must have at least 4 GB of RAM.
• The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual machines. Whether deployed locally or on SANs, it may be necessary to place different virtual machines on separate physical disks, to deploy a high performance redundant array of independent disks (RAID), solid-state drives (SSD), hybrid-SSD, or a combination of all three.
• The host server's network adapters must be able to support the network throughput requirements of the guest virtual machines. This may require installing multiple network adapters and using multiple Network Interface Card (NIC) teams for virtual machines that have high network use requirements.

Virtual Machine Hardware

Virtual machines use virtual (or, simulated) hardware. The host operating system, Windows Server 2012 with the Hyper-V role installed, uses the virtual hardware to mediate access to actual hardware. For example, a virtual network adapter can be mapped to a virtual network that is in turn mapped to an actual network interface.

Virtual machines have the following simulated hardware by default:
• BIOS. Simulates the computer's BIOS. Just as on a standalone computer, you can configure various factors on the virtual machine such as:
  o The boot order for the virtual machine's virtual hardware
  o From which device it will boot (for example, from a DVD drive, Integrated Drive Electronics (IDE), legacy network adapter, or floppy disk)
  o Num Lock
• Memory. Allows you to allocate memory resources to the virtual machine. An individual virtual machine can be allocated up to 1 TB of memory. You will learn about configuring memory later in this lesson.
• Processor. Allows you to allocate processor resources to the virtual machine. You can allocate up to 32 virtual processors to a single virtual machine.
• IDE Controller 0. A virtual machine can only support two IDE controllers and, by default, two are allocated to each virtual machine. Each IDE controller can support two devices. You can connect virtual hard disks or virtual DVD drives to an IDE controller. If booting from a hard disk drive or DVD-ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual hard disks and DVD-ROMs to virtual machines that use any operating systems that do not support integration services.
• IDE Controller 1. Allows additional virtual hard drives and DVD-ROMs to be deployed to the virtual machine.
• SCSI Controller. A small computer system interface (SCSI) controller can only be used on virtual machines that you deploy with any operating systems that support integration services.
• Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You can only use synthetic network adapters with supported virtual machine guest operating systems.
• COM 1. Allows you to configure a connection through a named pipe.
• COM 2. Allows you to configure an additional connection through a named pipe.
• Diskette Drive. Allows you to map a VHD floppy disk image to a virtual diskette drive.
You can add the following hardware to a virtual machine by editing the virtual machine's properties and clicking on Add Hardware:
• SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.
• Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters. You will learn more about synthetic network adapters in Lesson 4.
• Legacy Network Adapter. Legacy network adapters allow you to use network adapters with any operating systems that do not support integration services. You can also use legacy network adapters to allow network deployment of operating system images. A single virtual machine can have up to four legacy network adapters. You will learn more about legacy network adapters in Lesson 4.
• Fibre Channel adapter. Allows a virtual machine to connect directly to a Fibre Channel storage area network (SAN). A Fibre Channel adapter requires that the Hyper-V host have a Fibre Channel host bus adapter (HBA) that also has a Windows Server 2012 driver that supports Virtual Fibre Channel.
• RemoteFX 3D video adapter. The RemoteFX 3D video adapter allows virtual machines to display high performance graphics by leveraging DirectX and graphics processing power on the host Windows Server 2012 server.
Additional Reading: For more information about Virtual Fibre Channel adapters see: http://technet.microsoft.com/en-us/library/hh831413.aspx.
Configuring Dynamic Memory

In the first release of Hyper-V with Windows Server 2008, you could only assign a static amount of memory to virtual machines. Unless you took special precautions to measure the precise amount of memory that a virtual machine required, you were likely to either under allocate or over allocate memory.

Dynamic Memory allows you to allocate a minimum amount of memory to a virtual machine, and then to allow the virtual machine to request additional memory as needed. Dynamic Memory was introduced with Windows Server 2008 R2 Service Pack 1 (SP1). Rather than attempting to guess how much memory a virtual machine requires, Dynamic Memory allows you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a minimum value, which will always be allocated to the virtual machine. You can also choose a maximum value, which the virtual machine will not exceed even if the virtual machine requests more memory. Virtual machines must support Hyper-V integration services to use dynamic memory.

With Windows Server 2012, an administrator can modify dynamic memory minimum and maximum memory values while the virtual machine is running. This was not possible with Windows Server 2008 R2 SP1. You can perform this task from a Virtual Machine's settings dialog box.

Smart Paging

Another new memory feature that is available in Windows Server 2012 is Smart Paging. Smart Paging provides a solution to the problem of minimum memory allocation related to virtual machine startup. Virtual machines can require more memory during startup than they require during normal operation. In the past, it was necessary to allocate the minimum memory required for startup, to ensure that startup occurred—this meant that the amount of memory allocated could be more than the virtual machine needed during normal operation. Smart Paging uses disk paging to assign additional temporary memory to a virtual machine when it is starting up. This allows you to allocate memory based on what the virtual machine needs when it is operating normally, rather than the amount that it needs during startup. Unfortunately, Smart Paging results in lower performance because it uses disk resources that are used by the host server and other virtual machines.

Note: You can configure virtual machine memory by using the Set-VMMemory Windows PowerShell cmdlet.

Additional Reading: For more information about Hyper-V Dynamic Memory see: http://technet.microsoft.com/en-us/library/hh831766.aspx.
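The following is an added example, not taken from the course text, showing how the Set-VMMemory cmdlet named in the note above is used to apply the minimum, startup, and maximum values the section describes, and how the Smart Paging file location is set with Set-VM. The virtual machine name SRV-APP1, the memory values, and the paging file path are assumptions made for the example.

```powershell
# Added example (not from the course text). Assumes a VM named 'SRV-APP1'
# exists on the local Hyper-V host. Minimum and Maximum can be changed while
# the VM runs on Windows Server 2012; Startup requires the VM to be off.
$vmName = 'SRV-APP1'

# Minimum = amount Hyper-V always leaves allocated to the guest.
# Maximum = ceiling the guest never exceeds, even if it asks for more.
# Startup = amount handed over at boot (must lie between Minimum and Maximum).
# Buffer  = percentage of extra memory Hyper-V tries to keep available to the guest.
Set-VMMemory -VMName $vmName `
    -DynamicMemoryEnabled $true `
    -StartupBytes 1GB `
    -MinimumBytes 512MB `
    -MaximumBytes 4GB `
    -Buffer 20

# Smart Paging only backs the gap between Minimum and Startup during boot;
# place its file on a disk that will not contend with the VM's own VHDs.
# The path is an assumption for this example.
Set-VM -Name $vmName -SmartPagingFilePath 'D:\SmartPaging'

# Verify what was applied. Get-VMMemory reports the byte values, so convert to MB.
Get-VMMemory -VMName $vmName |
    Select-Object VMName, DynamicMemoryEnabled,
        @{ n = 'StartupMB'; e = { $_.Startup / 1MB } },
        @{ n = 'MinimumMB'; e = { $_.Minimum / 1MB } },
        @{ n = 'MaximumMB'; e = { $_.Maximum / 1MB } },
        Buffer
```

Run this in an elevated Windows PowerShell session on the Hyper-V host. Set-VMMemory rejects a Startup value outside the Minimum..Maximum range, so keep the three values consistent when you change only one of them on a running virtual machine.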
Configuring Virtual Machine Integration Services

Once you have installed guests onto the host server, you can use Virtual Machine Integration Services to improve the performance of both the host and the guests—the guest is said to be integrated into the host server.

Supported operating systems can use integration services components, and adapter functionality such as SCSI adapters and synthetic network adapters. Hyper-V supported virtual machine guest operating systems include:
• Windows Server 2012
• Windows Server 2008 R2 with SP1
• Windows Server 2008 with Service Pack 2 (SP2)
• Windows Server 2003 R2 with SP2
• Windows Home Server 2011
• Windows MultiPoint Server 2011
• Windows Small Business Server 2011
• Windows Server 2003 with SP2
• CentOS 6.0-6.2
• CentOS 5.5-5.7
• Red Hat Enterprise Linux 6.0-6.2
• Red Hat Enterprise Linux 5.5-5.7
• SUSE Linux Enterprise Server 11 with SP1
• SUSE Linux Enterprise Server 10 with Service Pack 4 (SP4)
• Windows 7 with SP1
• Windows Vista® with SP2
• Windows XP with Service Pack 3 (SP3)

Note: Support for the Windows XP operating system ends in April 2014. Support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015.
You can install the Hyper-V integration services components on an operating system by accessing the Virtual Machine Connection window, and then in the Action menu, clicking the Insert Integration Services Setup Disk item. You can then install the relevant operating system drivers either manually or automatically. You can also enable the following virtual machine integration components:
• Operating system shutdown. Allows the Hyper-V server to initiate a graceful shutdown of the guest virtual machine.
• Time synchronization. Allows the virtual machine to use the host server's processor for the purposes of time synchronization.
• Data exchange. Allows the Hyper-V host to write data to the registry of the virtual machine.
• Heartbeat. Allows Hyper-V to determine if the virtual machine has become unresponsive.
• Backup (volume snapshot). Allows the Volume Shadow Copy Service (VSS) provider to create snapshots of the virtual machine for the purposes of backup operation, without interrupting the virtual machines' normal operations.

Configuring Virtual Machine Start and Stop Actions

Virtual machine start and stop actions allow you to configure what steps the Hyper-V host performs with specific virtual machines when the Hyper-V host is started or shut down. You can use virtual machine start and stop actions to ensure that critical virtual machines always start automatically whenever a Hyper-V host is restarted, and that they are shut down gracefully if the server receives a shutdown command.

You configure startup and shutdown settings for each individual virtual machine by editing the properties of the virtual machine. You do this by right clicking on the virtual machine and clicking Settings.

You can configure the following options in the Automatic Start Actions window:
• Nothing. The virtual machine is not started automatically when the Hyper-V host starts, even if the virtual machine was in a running state when the Hyper-V host was shut down.
• Automatically start if it was running when the service stopped. The virtual machine will start if it was running when the Hyper-V host received the command to shut down, or in the event that the virtual machine was running when the server suffered a failure that caused it to be powered off.
• Always start this virtual machine automatically. The virtual machine always starts when the Hyper-V host starts. You can configure a startup delay to ensure that multiple virtual machines do not attempt startup at the same time.

You can configure the following options in the Automatic Stop Actions window:
• Save the virtual machine state. Saves the active state of the virtual machine, including memory, to disk. Allows the virtual machine to be resumed when the Hyper-V host restarts.
• Turn off the virtual machine. The virtual machine is powered off with the possibility of data loss.
• Shut down the guest operating system. The virtual machine is shut down in a graceful manner. This option is only available if integration services components are installed on the virtual machine.
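As an added example that is not part of the course text, the start and stop actions described above can be applied to several virtual machines at once with the Set-VM cmdlet and its AutomaticStartAction, AutomaticStartDelay, and AutomaticStopAction parameters. The virtual machine names and the delay values are assumptions made for the example.

```powershell
# Added example (not from the course text). VM names are assumed.
# Critical VMs must always return after a host reboot; staggering the start
# delay keeps them from competing for CPU and disk at the same moment.
$critical = 'DC01', 'FS01'
$lab      = 'LAB-TEST1'     # never auto-start; discard its state on host shutdown

$delay = 0
foreach ($name in $critical) {
    Set-VM -Name $name `
        -AutomaticStartAction Start `
        -AutomaticStartDelay  $delay `
        -AutomaticStopAction  ShutDown    # graceful; requires integration services in the guest
    $delay += 60                          # seconds; the next VM starts one minute later
}

# A throwaway lab VM: equivalent to 'Nothing' and 'Turn off the virtual machine'
# in the Settings dialog box.
Set-VM -Name $lab -AutomaticStartAction Nothing -AutomaticStopAction TurnOff

# Review the configured actions for every VM on this host.
Get-VM |
    Select-Object Name, AutomaticStartAction, AutomaticStartDelay, AutomaticStopAction |
    Format-Table -AutoSize
```

The AutomaticStartAction values accepted by Set-VM are Nothing, StartIfRunning, and Start; AutomaticStopAction accepts TurnOff, Save, and ShutDown, matching the three options in each dialog box. Choose ShutDown only for guests that have the integration services installed, because Hyper-V has no other way to request a graceful shutdown.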
Note: You can also configure virtual machine automatic start and automatic stop actions by using the Set-VM cmdlet with the AutomaticStartAction and AutomaticStopAction parameters.

Hyper-V Resource Metering

Resource metering allows you to track the resource utilization of virtual machines hosted on Windows Server 2012 computers with the Hyper-V role installed.

With resource metering, you can measure the following parameters on individual Hyper-V virtual machines:

• Average CPU use
• Average physical memory use, including:
  o Minimum memory use
  o Maximum memory use
• Maximum disk space allocation
• Incoming network traffic for a network adapter
• Outgoing network traffic for a network adapter

By measuring how much of these resources each virtual machine uses, an organization can bill departments or customers based on what their hosted virtual machines use, rather than charging a flat fee per virtual machine. An organization with only internal customers can also use these measurements to see patterns of use and plan future expansions.

You perform resource metering tasks using Windows PowerShell cmdlets in the Hyper-V Windows PowerShell module. There is no GUI tool that allows you to perform this task. You can use the following cmdlets to perform resource metering tasks:

• Enable-VMResourceMetering. Starts collecting data on a per virtual machine basis.
• Disable-VMResourceMetering. Disables resource metering on a per virtual machine basis.
• Reset-VMResourceMetering. Resets virtual machine resource metering counters.
• Measure-VM. Displays resource metering statistics for a specific virtual machine.

Additional Reading: For more information about resource metering for Hyper-V see: http://technet.microsoft.com/en-us/library/hh831661.aspx.
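The four metering cmdlets above are normally used together as a collection cycle: enable, measure, record, reset. The following script is an added example, not course text: it enables metering on every virtual machine on the local host, flattens each Measure-VM report into one row per VM covering the parameters listed above, saves the rows to a CSV for chargeback, and only then resets the counters so no usage window is lost. The output directory C:\Metering is an assumption.

```powershell
# Added example (not from the 20410A course text). One resource metering collection cycle for all
# VMs on the local Hyper-V host. Assumes the Hyper-V PowerShell module (Windows Server 2012 or
# later) and local Administrator rights. The output path is an assumption.
Import-Module Hyper-V

$outDir = 'C:\Metering'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Turn metering on for any VM that is not already being metered.
Get-VM | Where-Object { -not $_.ResourceMeteringEnabled } | Enable-VMResourceMetering

# Measure-VM returns a report per VM. MeteringDuration is the window since metering was enabled
# or last reset, so the figures below are averages/maxima over that window.
$report = Get-VM | Measure-VM | ForEach-Object {
    $net = $_.NetworkMeteredTrafficReport
    [pscustomobject]@{
        VMName           = $_.VMName
        AvgCpuMHz        = $_.AverageProcessorUsage
        AvgMemoryMB      = $_.AverageMemoryUsage
        MinMemoryMB      = $_.MinimumMemoryUsage
        MaxMemoryMB      = $_.MaximumMemoryUsage
        MaxDiskAllocMB   = $_.TotalDiskAllocation
        NetInMB          = ($net | Where-Object Direction -eq 'Inbound'  | Measure-Object TotalTraffic -Sum).Sum
        NetOutMB         = ($net | Where-Object Direction -eq 'Outbound' | Measure-Object TotalTraffic -Sum).Sum
        MeteringDuration = $_.MeteringDuration
    }
}

$report | Format-Table -AutoSize

# Persist first, then reset: a reset before the export would discard the window just measured.
$report | Export-Csv -Path (Join-Path $outDir "usage-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
Get-VM | Reset-VMResourceMetering
```

Schedule the script with Task Scheduler at the billing interval you need. Network figures cover all traffic by default; if you need to meter only traffic to particular subnets (for example, to exclude backup traffic from a tenant's bill), Add-VMNetworkAdapterAcl with -Action Meter scopes the network counters to the addresses you specify.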
Lesson 3
Managing Virtual Machine Storage

Hyper-V provides many different virtual machine storage options. If you know which option is appropriate for a given situation, then you can ensure that a virtual machine performs well. However, if you do not understand the different virtual machine storage options, you may end up deploying virtual hard disks that consume unnecessary space or that place an unnecessary performance burden on the host Hyper-V server.

In this lesson, you will learn about different virtual hard disk types, different virtual hard disk formats, and the benefits and limitations of using virtual machine snapshots.

Lesson Objectives

After completing this lesson you will be able to:

• Explain the purpose of virtual hard disks.
• Create a virtual hard disk of a given type.
• Manage virtual hard disks.
• Deploy differencing disks to reduce storage.
• Use virtual machine snapshots.

What Is a Virtual Hard Disk?

A virtual hard disk is a special file format that represents a traditional hard disk drive. You can configure a virtual hard disk with partitions and an operating system. Virtual hard disks can be used with virtual machines, and you can also mount virtual hard disks using the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows 8 operating systems. Windows Server 2012 supports boot to virtual hard disk; this allows you to configure the computer to boot into a Windows Server 2012 operating system that is deployed on a virtual hard disk, or into certain editions of the Windows 8 operating system that are deployed on a virtual hard disk. You can create a virtual hard disk using:

• The Hyper-V Manager console.
• The Disk Management console.
• The diskpart command-line tool.
• The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support boot to virtual hard disk.
VHDX vs. VHD

Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for virtual hard disks. The VHDX format has the following benefits over the VHD format that was used in Hyper-V on Windows Server 2008 and Windows Server 2008 R2:

• VHDX virtual hard disks can be as large as 64 TB. VHD virtual hard disks were limited to 2 TB.
• The VHDX virtual hard disk file structure means that the disk is less likely to become corrupt if the host server suffers an unexpected power outage.
• The VHDX virtual hard disk format supports better alignment when deployed to a large sector disk.
• VHDX virtual hard disks allow a larger block size for dynamic and differencing disks, which provides better performance for these workloads.

You can convert an existing VHD file to VHDX format using the Edit Virtual Hard Disk wizard, for example after you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows Server 2012. It is also possible to convert from VHDX format to VHD. You will learn more about converting virtual hard disks later in this lesson.

SMB Share Support

Windows Server 2012 now supports virtual hard disk files that are stored on SMB 3 file shares. This is an alternative to storing virtual hard disk files on internet SCSI (iSCSI) or Fibre Channel SAN devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network share. You specify this when choosing the virtual hard disk location or attaching an existing virtual hard disk. The file share must support SMB 3. This limits you to placing virtual hard disks on file shares that are hosted on file servers with Windows Server 2012. Older versions of Windows Server do not support SMB 3.

Additional Reading: For more information about Virtual Hard Disk formats see: http://technet.microsoft.com/en-us/library/hh831446.aspx.

Creating Virtual Disk Types

When you configure a virtual hard disk, you can choose between several different disk types, including fixed, dynamic, and pass-through. Differencing disks will be discussed later in this lesson.

Creating Fixed Virtual Hard Disks

When you create a fixed virtual hard disk, all of the hard disk space is allocated during the creation process. This has the advantage of minimizing fragmentation, which improves performance when the disk is hosted on traditional storage devices. It has the disadvantage of requiring all space used by the fixed virtual hard disk to be allocated at the time the disk is created. In many situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed disks, you may end up allocating space to storage that is not actually required.
To create a fixed virtual hard disk, perform the following steps:
1. Open the Hyper-V Manager console.
2. On the Actions pane, click New, and then click Hard Disk.
3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
4. In the New Virtual Hard Disk Wizard, on the Choose Disk Format page, click either VHD or VHDX, and then click Next.
5. On the Choose Disk Type page, click Fixed size, and then click Next.
6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder in which to host the virtual hard disk file.
7. On the Configure Disk page, choose one of the following options:
o Create a new blank virtual hard disk of the specified size.
o Copy the contents of a specified physical disk. Allows you to replicate an existing physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the disk that you have replicated. Replicating an existing physical hard disk does not alter data on the existing disk.
o Copy the contents of a specified virtual hard disk. Allows you to create a new fixed hard disk based on the contents of an existing virtual hard disk.
Note: You can create a new fixed hard disk using the New-VHD Windows PowerShell cmdlet with the -Fixed parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID volumes, or on SSDs. Improvements in Hyper-V (since it was first introduced with Windows Server 2008) also minimize the performance differences between dynamic and fixed virtual hard disks.
Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only uses the amount of space that needs to be allocated, and will grow as necessary. For example, if you create a new virtual machine and specify a dynamic disk, only a small amount of disk space will be allocated to the new disk. For a VHD format virtual hard disk, approximately 260 kilobytes (KB) are allocated. For a VHDX format virtual hard disk, approximately 4,096 KB are allocated.
As storage is allocated, the dynamic virtual hard disk will grow. If you delete files from a dynamically expanding virtual hard disk, the virtual hard disk file will not shrink. You can only shrink a dynamically expanding virtual hard disk file by performing a shrink operation. You will learn how to shrink virtual hard disks later in this lesson.
You perform similar steps when creating a dynamically expanding virtual hard disk to when you create a fixed virtual hard disk. The difference is that on the Choose Disk Type page, you choose the Dynamically Expanding type.
Note: You can create a new dynamic hard disk using the New-VHD Windows PowerShell cmdlet with the -Dynamic parameter.
Pass-Through Disks
Pass-through disks allow the virtual machine to access a physical disk drive, rather than to use a virtual hard disk. You can use pass-through disks to connect a virtual machine directly to an iSCSI logical unit number (LUN). When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do this, you must use the Disk Management console on the host to take the disk offline. Once the disk is offline, you can connect it to one of the virtual machine's disk controllers.

You can attach a pass-through disk by performing the following steps:

1. Ensure that the target hard disk is offline.
2. Use the Hyper-V console to edit an existing virtual machine's properties.
3. Click an IDE or SCSI controller, click Add, and then click Hard Drive.
4. In the Hard Drive dialog box, select Physical Hard Disk. From the drop-down menu, select the disk that you want to use as the pass-through disk.

Note: You do not have to shut a virtual machine down if you connect the pass-through disk to the virtual machine's SCSI controller. If you want to connect to a virtual machine's IDE controller, then you must first shut down the virtual machine.

Question: Why might you consider using fixed virtual hard disks instead of dynamic virtual hard disks?

Question: In what types of situations might you encounter difficulties if you use dynamically expanding disks?

Managing Virtual Hard Disks

From time to time, you will need to perform maintenance operations on virtual hard disks. For example, you might want to compact a virtual hard disk to free up space, or convert a virtual hard disk to another format as your needs change. You can perform the following maintenance operations on virtual hard disks:

• Convert the disk from fixed to dynamic.
• Convert the disk from dynamic to fixed.
• Convert a virtual hard disk in VHD format to VHDX.
• Convert a virtual hard disk in VHDX format to VHD.

When you convert a virtual hard disk, the contents of the existing virtual hard disk are copied to a newly created virtual hard disk that has the settings that you have chosen. For example, when converting from a fixed virtual hard disk to a dynamic virtual hard disk, a new dynamic virtual hard disk is created, the contents of the existing fixed virtual hard disk are copied to the new dynamic virtual hard disk, and then the existing fixed virtual hard disk is deleted, with the new dynamic virtual hard disk taking its place.

To convert a virtual hard disk, perform the following steps:

1. In the Hyper-V Manager console, from the Actions pane, click Edit Disk.
2. In the Edit Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
3. On the Locate Virtual Hard Disk page, click Browse. Select the virtual hard disk that you want to convert.
4.
5.
6.
7.
YoexofW
Yobe
Yody
Yoex
R
DthDofatwamthpedi
Yopadi
YoAdi
To
1.
2.
3.
4.
5.
6.
. On the Cho
. On the Conformat will appropriate
. On the Conyou also wa
. On the Con
ou can also shxample, a dynaf that space. Y
Wizard.
ou cannot shriefore you can
ou can use theynamically exp
ou can also usxpanding and
Reducing S
ifferencing dishat record the ifferencing disf hard disk spat the cost of di
work well with Smount of spache disk performerformance drisk.
ou can link muarent disk. Howisk, the links to
ou can reconnctions pane ofisk of a differe
o create a diffe
. Open the H
. In the Actio
. In the New
. On the Cho
. On the Cho
. On the Spe
oose Action p
nvert Virtual Halready be sel
e format, and t
nvert Virtual Hant to convert
nfigure Disk p
rink a dynamicamic virtual haou shrink a vir
ink fixed virtuacompact the d
e resize-partitpanding virtua
e the Edit Virtfixed virtual h
Storage Ne
sks are separatchanges made
sks allow you tace consumed isk performancSSD, and wherce available onmance compenrawbacks of us
ultiple differenwever, if you mo all of the diff
nect a differencf the Hyper-V encing disk.
erencing disk,
Hyper-V Mana
ons pane, click
Virtual Hard D
oose Disk For
oose Disk Typ
ecify Name an
page, select Co
Hard Disk paglected. If you wthen click Nex
Hard Disk pagthe hard disk
page, choose t
c virtual hard dard disk mightrtual hard disk
al hard disks. Ydisk.
tion and the ral hard disk.
ual Hard Disk ard disks.
eeds with
te virtual hard e to a parent dto reduce the aby virtual har
ce. Differencinre there is a limn the host volunsates for the sing a differenc
ncing disks to amodify the parferencing disks
cing disk to thManager cons
perform the fo
ger console.
k New, and the
Disk Wizard, o
mat page, clic
pe page, click D
nd Location p
onvert, and the
ge, choose betwant to converxt. You do not
ge, choose bettype, choose t
the destination
disk that is not be allocated 6 by selecting t
You must first c
esize-vhd Win
Wizard to exp
Differenci
disks disk. amount d disks
ng disks mited me and
cing
a single rent s will fail.
e parent usingsole. You can a
ollowing steps
en click Hard D
n the Before Y
ck VHD, and th
Differencing,
page, provide t
20410A: Installing
en click Next.
tween VHD anrt between the have to chang
tween Fixed Sithe appropriat
n location for t
t using all of t60 GB on the pthe Compact o
convert a fixed
ndows PowerS
pand a disk. Yo
ng Disks
g the Inspect Dalso use the In
s:
Disk.
You Begin pa
hen click Next
and then click
the location of
g and Configuring W
nd VHDX formese two formage format.
ize and Dynamte type, and th
the disk.
he space that parent volumeoption in the E
d virtual hard d
Shell cmdlets t
ou can expand
Disk tool, whicspect Disk too
age, click Next
t.
k Next.
f the parent ha
Windows Server® 201
at. The currents, choose the
mically Expandhen click Next
it is allocated e, but only useEdit Virtual Ha
disk to dynam
to compact a
both dynamic
h is available iol to locate the
t.
ard disk.
12 13-19
t disk
ing. If t.
For e 20 GB ard Disk
mic
cally
n the e parent
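The wizard procedures in this lesson (creating fixed and dynamic disks, converting between types and formats, compacting, and building a differencing disk on a parent) map onto a handful of cmdlets. The following script is an added example, not course text, that runs the whole lifecycle from Windows PowerShell and ends with the cmdlet equivalent of Inspect Disk. The storage path D:\VHDs, the file names and the sizes are assumptions.

```powershell
# Added example (not from the 20410A course text). Creates, converts, compacts and chains virtual
# hard disks with the Hyper-V module. Paths, sizes and names are assumptions. Disks must not be
# attached to a running VM while they are converted or compacted.
Import-Module Hyper-V

$store = 'D:\VHDs'                         # assumed storage location
New-Item -ItemType Directory -Path $store -Force | Out-Null

# 1. Fixed disk: all 20 GB is allocated now (the wizard's "Fixed size" choice).
$fixed = New-VHD -Path "$store\app-fixed.vhd" -SizeBytes 20GB -Fixed

# 2. Dynamic disk: only the header is written; the file grows as the guest writes to it.
$dyn = New-VHD -Path "$store\data-dyn.vhdx" -SizeBytes 60GB -Dynamic

# 3. Convert the fixed VHD into a dynamic VHDX. Convert-VHD copies the contents into a new file
#    and leaves the source in place unless -DeleteSource is given; verify before deleting.
Convert-VHD -Path $fixed.Path -DestinationPath "$store\app-dyn.vhdx" -VHDType Dynamic

# 4. Compact: a dynamic file never shrinks on its own when the guest deletes data.
Optimize-VHD -Path "$store\app-dyn.vhdx" -Mode Full

# 5. Differencing disk. Mark the parent read-only first: any write to the parent silently
#    invalidates every child that references it.
Set-ItemProperty -Path "$store\app-dyn.vhdx" -Name IsReadOnly -Value $true
$child = New-VHD -Path "$store\app-child1.vhdx" -ParentPath "$store\app-dyn.vhdx" -Differencing

# 6. Inspect (cmdlet counterpart of the Inspect Disk tool). Size is the disk's maximum; FileSize is
#    what it actually consumes on the host volume; ParentPath shows the differencing chain.
Get-ChildItem -Path "$store\*.vhd*" | ForEach-Object { Get-VHD -Path $_.FullName } |
    Select-Object Path, VhdFormat, VhdType, ParentPath,
        @{ n = 'SizeGB';     e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'FileSizeGB'; e = { [math]::Round($_.FileSize / 1GB, 2) } } |
    Format-Table -AutoSize
```

If a differencing chain is ever broken because the parent was moved, Set-VHD -Path <child> -ParentPath <new parent> re-links it, which is the scripted equivalent of reconnecting the parent with Inspect Disk.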
You can create a differencing virtual hard disk using the New-VHD Windows PowerShell cmdlet. For example, to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, use the following Windows PowerShell command:

New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd

Using Snapshots

Snapshots represent the state of a virtual machine at a particular point in time. They are a static image of the set of data on the virtual machine at the moment the snapshot is taken. Snapshots are stored in either .avhd or .avhdx format, depending on the virtual hard disk format. You can take a snapshot of a virtual machine from the Action menu of the Virtual Machine Connection window, or from the Hyper-V console. Each virtual machine can have a maximum of 50 snapshots.

You can take snapshots at any time, even when a virtual machine is shut down. When you take a snapshot of a running virtual machine, the snapshot includes the contents of the virtual machine's memory.

When taking snapshots of multiple virtual machines that are part of the same group, for example a virtual domain controller and a virtual member server, you should take these snapshots simultaneously. This ensures that items such as computer account passwords are synchronized between the virtual DC and the virtual member server.

Remember that when you revert to a snapshot, you are reverting to a computer's state at that point in time. If you take a computer back to a point before it had performed a computer password change with a domain controller, you will need to rejoin that computer to the domain or run the netdom resetpwd command.

Snapshots vs. Backups

Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files will be lost.

Exporting Snapshots

You can perform a virtual machine export of a snapshot. When you perform an export of the snapshot, Hyper-V will create full virtual hard disks that represent the state of the virtual machine at the time the snapshot was taken. If you choose to export an entire virtual machine, all snapshots associated with the virtual machine will also be exported.

Differencing Disk Files

When you create a snapshot, Hyper-V writes differencing disk (.avhd or .avhdx) files, which store the data that differentiates the snapshot from the previous snapshot, or from the parent virtual hard disk. When you delete snapshots, this data is either discarded, or merged back into the previous snapshot or parent virtual hard disk. For example:

• If you delete the most recent snapshot, the data is discarded. With Hyper-V in Windows Server 2012, this space is reclaimed immediately rather than when the virtual machine is shut down.
• If you delete the second most recent snapshot, the data is merged so that the earlier and latter snapshot states of the virtual machine retain their integrity.
Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time the snapshot was taken. Reverting to a snapshot does not delete existing snapshots. If you revert to a snapshot after making a configuration change, you will be prompted to take a snapshot. It is only necessary to create a new snapshot if you want to return to that current configuration.
It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday and then on Wednesday, and if on Thursday you apply the Tuesday snapshot and then made changes to the configuration of the virtual machine, you will have created a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50 snapshots per virtual machine limit.
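The points made above (snapshot a DC and its member server together, stay under the 50-snapshot limit, and treat exports rather than snapshots as recovery points) are easy to enforce from Windows PowerShell. The following script is an added example, not course text. The VM names LON-DC1 and LON-SVR1 and the export path E:\Exports are assumptions.

```powershell
# Added example (not from the 20410A course text). Takes a consistent snapshot set across a virtual
# domain controller and a member server, checks the per-VM limit, and shows restore and export.
# VM names and the export path are assumptions.
Import-Module Hyper-V

$group = 'LON-DC1', 'LON-SVR1'
$label = "Pre-change $(Get-Date -Format 'yyyyMMdd-HHmm')"

# One Checkpoint-VM call covering both VMs snapshots them together, so their computer account
# passwords are captured in step and stay in step when the set is restored.
Checkpoint-VM -Name $group -SnapshotName $label

# Each VM can hold at most 50 snapshots; warn before the limit bites.
foreach ($vm in $group) {
    $count = @(Get-VMSnapshot -VMName $vm).Count
    if ($count -ge 45) { Write-Warning "$vm has $count snapshots (limit is 50)" }
}

# Restore the whole set, never a single member, so no machine is taken back past a computer
# account password change on its own (which would otherwise require netdom resetpwd or a rejoin).
Get-VMSnapshot -VMName $group -Name $label | Restore-VMSnapshot -Confirm:$false

# A snapshot lives on the same volume as the VHDs, so it is not a backup. Exporting it writes full
# virtual hard disks to another volume, which can serve as a recovery point.
Get-VMSnapshot -VMName 'LON-SVR1' -Name $label | Export-VMSnapshot -Path 'E:\Exports\LON-SVR1'
```

Remove-VMSnapshot -VMName <name> -Name <snapshot> deletes a snapshot and merges or discards its .avhdx data as described above; on Windows Server 2012 the merge runs while the virtual machine is still running.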
Lesson 4
Managing Virtual Networks

Hyper-V provides several different options for network communication between virtual machines. Hyper-V also allows you to configure virtual machines that communicate with an external network in a manner similar to traditionally deployed physical hosts. It also allows you to configure virtual machines so that they are only able to communicate with a limited number of other virtual machines that are hosted on the same Hyper-V host in Windows Server 2012. Knowing the options available for Hyper-V virtual networks ensures that you can leverage those options to best meet your organization's needs.

Lesson Objectives

After completing this lesson you will be able to:

• Describe virtual switches.
• Configure network virtualization.
• Manage a virtual machine MAC address pool.
• Configure virtual network adapters.

What Is a Virtual Switch?

A virtual switch is a virtual version of a network switch. The term virtual network, which was used in Windows Server 2008, has been replaced by the term virtual switch in Windows Server 2012. Virtual switches control how network traffic flows between virtual machines that are hosted on the Hyper-V server, and between virtual machines and the rest of the organizational network. You manage virtual switches through the Virtual Switch Manager, which is accessible through the Actions pane of the Hyper-V Manager console. Hyper-V on Windows Server 2012 supports three different types of virtual switches:

• External. Use this type of switch to map a network to a specific network adapter or network adapter team. Windows Server 2012 supports mapping an external network to a wireless network adapter if you have installed the Wireless LAN Service on the host Hyper-V server, and if the Hyper-V server has a compatible adapter.
• Internal. Use internal virtual switches to communicate between the virtual machines on the Hyper-V host, and to communicate between the virtual machines and the Hyper-V host itself.
• Private. Use private switches only to communicate between virtual machines on the Hyper-V host; you cannot use private switches to communicate between the virtual machines and the Hyper-V host itself.

When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with the network. This allows you to extend existing VLANs on the external network to VLANs within the Hyper-V host's network switch. VLANs allow you to partition network traffic, and function as separate logical networks. Traffic can only pass from one VLAN to another if it passes through a router.
You can configure the following extensions for each virtual switch type:

• Microsoft NDIS Capture. This extension allows data travelling across the virtual switch to be captured.
• Microsoft Windows Filtering Platform. This extension allows data travelling across the virtual switch to be filtered.

Additional Reading: For more information about Virtual Switches see: http://technet.microsoft.com/en-us/library/hh831452.aspx.

Hyper-V Network Virtualization

Hyper-V Network Virtualization allows you to isolate virtual machines that share the same Hyper-V host, but are from different organizations. For example, if you provide Infrastructure as a Service (IaaS) to differing businesses, you will want to isolate their virtual machines from each other. Network Virtualization allows you to go beyond the basic traffic partitioning of assigning these virtual machines to separate VLANs as a way of isolating network traffic. You would primarily deploy Network Virtualization in scenarios where you were using Hyper-V to host virtual machines for another organization.

When you configure Network Virtualization, each guest virtual machine has two IP addresses that function in the following manner:

• Customer address. This address is assigned by the customer to the virtual machine. This IP address is configured in such a way that communication with the customer's internal network can occur even though the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP network. To display the customer IP address, execute IPCONFIG in a command-line window on the virtual machine.
• Provider address. This address is the IP address assigned by the hosting provider. This address is visible to the hosting provider and to other hosts on the physical network, but it is not visible from the virtual machine.

Network Virtualization allows you to host multiple machines that use the same customer address, for example 192.168.15.101, on the same Hyper-V host, because the virtual machines will be assigned different provider IP addresses.

Additional Reading: For more information about Network Virtualization see: http://technet.microsoft.com/en-us/library/hh831395.aspx.
Managing Virtual Machine MAC Addresses

Unless you specify a static media access control (MAC) address, Hyper-V dynamically allocates a MAC address to each virtual machine network adapter from a pool of MAC addresses. You can configure the address range of this pool from the MAC Address Range setting of the Virtual Switch Manager console. By default, a Hyper-V host has a pool of 256 MAC addresses (the last octet ranges from 00 to FF).

When virtual machines use private or internal networks, the MAC address that is allocated to network adapters is not likely to be of concern, because the Hyper-V host will ensure that duplicate MAC addresses are not assigned to different virtual machines. However, when you have multiple Hyper-V hosts and those computers host virtual machines that use adapters connected to external networks, you should ensure that each Hyper-V host uses a different pool of MAC addresses. This ensures that separate Hyper-V hosts that connect to the same network do not assign the same MAC address to the virtual machines that they host.

When virtual machines are allocated IP addresses through a Dynamic Host Configuration Protocol (DHCP) reservation, you should consider using static MAC addresses. A DHCP reservation ensures that a particular IP address is always allocated to a specific MAC address.

You can configure the MAC address range by performing the following steps:

1. Open the Hyper-V Manager console.
2. Select the Hyper-V host that you wish to configure.
3. On the Actions pane, select Virtual Switch Manager.
4. Under Global Network Settings, click MAC Address Range.
5. Specify a minimum and a maximum range for the MAC address.

MAC addresses are in hexadecimal format. When configuring ranges for multiple Hyper-V hosts, you should consider changing the values of the second-from-last pair of digits. The following table displays examples of ranges for multiple Hyper-V hosts.

Hyper-V Host    MAC Address Range
Host 1          Minimum: 00-15-5D-0F-AB-00
                Maximum: 00-15-5D-0F-AB-FF
Host 2          Minimum: 00-15-5D-0F-AC-00
                Maximum: 00-15-5D-0F-AC-FF
Host 3          Minimum: 00-15-5D-0F-AD-00
                Maximum: 00-15-5D-0F-AD-FF
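The three switch types from the previous topic and the per-host MAC pool from the table above are both set with the Hyper-V module. The following script is an added example, not course text: it creates one switch of each type on what would be Host 2 in the table, gives that host the 00-15-5D-0F-AC-xx pool, and pins a static MAC on a VM that depends on a DHCP reservation. The adapter name Ethernet 2, the switch names and the VM name LON-SVR1 are assumptions.

```powershell
# Added example (not from the 20410A course text). Creates external, internal and private switches
# and assigns this host its own MAC address pool. Adapter, switch and VM names are assumptions; the
# pool values follow the table above for Host 2.
Import-Module Hyper-V

# External: bound to a physical NIC. -AllowManagementOS $false keeps the host's own networking off
# the NIC that tenant VMs share; a separate NIC then carries host management.
New-VMSwitch -Name 'External-Prod' -NetAdapterName 'Ethernet 2' -AllowManagementOS $false

# Internal: VMs reach each other and the host, but not the physical network.
New-VMSwitch -Name 'Internal-Mgmt' -SwitchType Internal

# Private: VM-to-VM only; the host has no adapter on this switch.
New-VMSwitch -Name 'Private-Lab' -SwitchType Private

# Per-host MAC pool: only the second-from-last octet differs between hosts, so two hosts on the same
# external network can never hand the same dynamic address to different VMs.
Set-VMHost -MacAddressMinimum '00155D0FAC00' -MacAddressMaximum '00155D0FACFF'

# A VM that relies on a DHCP reservation gets a fixed MAC instead of a pool address.
# The VM must be off when the address is changed.
Stop-VM -Name 'LON-SVR1' -Force
Set-VMNetworkAdapter -VMName 'LON-SVR1' -StaticMacAddress '00155D0FAC10'
Start-VM -Name 'LON-SVR1'

# Verify the pool and see which adapters are still dynamically addressed.
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
Get-VMNetworkAdapter -All | Select-Object VMName, SwitchName, MacAddress, DynamicMacAddressEnabled |
    Format-Table -AutoSize
```

Pick the static address from the host's own pool, as above, so it cannot collide with a dynamic allocation on another host that uses a different pool.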
Configuring Virtual Network Adapters

Virtual network adapters allow the virtual machine guest operating system to communicate using the virtual switches that you configure using the Virtual Switch Manager console. You can edit the properties of a virtual machine to modify the properties of a network adapter. From the Network Adapter pane of the virtual machine's settings dialog box, you can configure the following:

• Virtual Switch. Determines which virtual switch the network adapter connects to.
• VLAN ID. Allows you to specify a VLAN ID that the virtual machine will use for communication that passes through this adapter.
• Bandwidth Management. Allows you to specify a minimum and a maximum bandwidth to be allocated to the adapter by Hyper-V. The minimum bandwidth allocation is reserved by Hyper-V for the network adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are functioning at capacity.

Both synthetic network adapters and legacy network adapters support the following advanced features:

• MAC address allocation. You can configure a MAC address to be assigned from the MAC address pool, or you can configure the network adapter to use a fixed MAC address. You can also configure MAC address spoofing. This is useful when the virtual machine needs to provide specific network access, such as when the virtual machine is running a mobile device emulator that requires network access.
• DHCP Guard. Drops DHCP messages from virtual machines that are functioning as unauthorized DHCP servers. This may be necessary in scenarios where you are managing a Hyper-V server that hosts virtual machines for others, but do not have direct control over the configuration of those virtual machines.
• Router Guard. Drops router advertisement and redirection messages from virtual machines that are configured as unauthorized routers. This may be necessary in scenarios where you do not have direct control over the configuration of virtual machines.
• Port Mirroring. Allows you to copy incoming and outgoing packets from a network adapter to another virtual machine that you have configured for monitoring.
• NIC Teaming. Allows you to add the virtual network adapter to an existing team on the host Hyper-V server.

Synthetic network adapters require the guest operating system to support integration services. In addition to the advanced features listed earlier, synthetic network adapters support the following hardware acceleration features:

• Virtual Machine Queue. This feature uses hardware packet filtering to deliver network traffic directly to the guest. This improves performance, as the packet does not need to be copied from the host operating system to the virtual machine. Virtual Machine Queue requires that the host computer has a network adapter that supports this feature.
• IPsec task offloading. This feature allows calculation-intensive security association tasks to be performed by the host's network adapter. In the event that sufficient hardware resources are not available, the guest operating system performs these tasks. You can configure a maximum number of offloaded security associations between a range of 1 and 4,096. IPsec task offloading requires guest operating system and network adapter support.
• SR-IOV. Single-root I/O virtualization (SR-IOV) allows multiple virtual machines to share the same Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources are not available, then network connectivity falls back to be provided through the virtual switch. Single-root I/O virtualization (SR-IOV) requires specific hardware and special drivers to be installed on the guest operating system.
Legacy network adapters emulate common network adapter hardware. You use legacy network adapters in the following situations:
• You want to support network boot installation scenarios for virtual machines. For example, you want to deploy an operating system image from a Windows Deployment Services (Windows DS) server or through Configuration Manager.
• You need to support operating systems that do not support integration services and do not have drivers for the synthetic network adapter.
Legacy network adapters do not support the hardware acceleration features that synthetic network adapters support. You cannot configure virtual machine queue, IPsec task offloading, or Single-root I/O virtualization for legacy network adapters.
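DHCP Guard, Router Guard and MAC address spoofing are the settings that matter most when the host administrator does not control what runs inside a guest, and they should be applied consistently rather than per VM through the GUI. The following script is an added example, not course text: it hardens one tenant VM's adapter, places it on its own VLAN with a bandwidth cap, mirrors its traffic to a monitoring VM, and then audits every adapter on the host for guards left off. The VM names TENANT-WEB1 and SEC-SENSOR1, VLAN 210 and the bandwidth values are assumptions.

```powershell
# Added example (not from the 20410A course text). Applies the per-adapter protections described
# above to a tenant VM and audits the host. VM names, VLAN ID and bandwidth figures are assumptions.
Import-Module Hyper-V

$vm  = 'TENANT-WEB1'
$nic = Get-VMNetworkAdapter -VMName $vm

# Guards: drop DHCP server messages and router advertisements originating inside the VM, and refuse
# frames whose source MAC is not the adapter's own. Together they stop a compromised guest from
# hijacking addressing on the segment or impersonating another machine.
Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Bandwidth management. A switch created with default settings uses weight-based minimums (1-100);
# the maximum is in bits per second (here 500 Mbps) and stops one tenant saturating the uplink.
Set-VMNetworkAdapter -VMNetworkAdapter $nic -MinimumBandwidthWeight 20 -MaximumBandwidth 500000000

# VLAN: the tenant's traffic leaves the external switch tagged with its own VLAN ID.
Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId 210

# Port mirroring: copy this adapter's traffic to the sensor VM's adapter on the same switch.
Set-VMNetworkAdapter -VMNetworkAdapter $nic -PortMirroring Source
Set-VMNetworkAdapter -VMName 'SEC-SENSOR1' -PortMirroring Destination

# Audit: any adapter on the host with a guard off or spoofing on is a policy exception to review.
Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' -or $_.MacAddressSpoofing -eq 'On' } |
    Select-Object VMName, SwitchName, DhcpGuard, RouterGuard, MacAddressSpoofing |
    Format-Table -AutoSize
```

MAC address spoofing must stay On for guests that legitimately source other MACs (for example a VM running a nested hypervisor or the mobile device emulator mentioned above); treat each such exception as a documented exception rather than a default.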
Lab: Implementing Server Virtualization with Hyper-V

Scenario
A. Datum Corporation has an IT office and data center in London, which supports the London location and other locations. A. Datum has recently deployed a Windows Server 2012 infrastructure with Windows 8 clients. Your assignment is to configure the infrastructure service for a new branch office.
To more effectively use the server hardware that is currently available at branch offices, your manager has decided that all branch office servers will run as virtual machines. You must now configure a virtual network and a new virtual machine for these branch offices.
Objectives
After performing this lab you will be able to:
• Install the Hyper-V Server role.
• Configure virtual networking.
• Create and configure a virtual machine.
• Use virtual machine snapshots.
Lab Setup
Estimated Time: 60 minutes
Logon Information
Virtual Machines: 20410A-LON-HOST1
User Name: Adatum\Administrator
Password: Pa$$w0rd
1. Reboot the classroom computer and choose 20410A-LON-HOST1 from the Windows Boot Manager.
2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.
Exercise 1: Installing the Hyper-V Server Role
Scenario
The first step in migrating to a virtualized environment for the branch office is installing the Hyper-V server role on a new server.
The main tasks for this exercise are as follows:
1. Install the Hyper-V server role.
2. Complete Hyper-V role installation and verify settings.
Task 1: Install the Hyper-V server role
1. Reboot the classroom computer and, from the Windows Boot Manager, choose 20410A-LON-HOST1.
2. Log onto the computer with the Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server and then configure the following network settings:
o IP Address: 172.16.0.31
o Subnet mask: 255.255.0.0
o Default gateway: 172.16.0.1
o Preferred DNS server: 172.16.0.10
4. Use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 with the following options:
o Do not create a virtual switch
o Use the Default stores locations
o Allow the server to restart automatically if required.
5. After a few minutes, the server restarts automatically. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer restarts several times.
Task 2: Complete Hyper-V role installation and verify settings
1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.
2. When the Hyper-V tools installation completes, click Close.
3. Open the Hyper-V Manager console and then click LON-HOST1.
4. Edit the Hyper-V settings of LON-HOST1, and configure the following settings:
o Keyboard: Use on the virtual machine
o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks
Results: After this exercise, you will have deployed the Hyper-V role to a physical server.
Exercise 2: Configuring Virtual Networking
Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual network. You need to create both a network that is connected to the physical network, and a private network that can be used only for communication between virtual machines. The private network will be used once virtual machines are configured for high availability. You also need to configure a specific range of MAC addresses for the virtual machines.
The main tasks for this exercise are as follows:
1. Configure the external network.
2. Create a private network.
3. Create an internal network.
4. Configure the MAC address range.
Task 1: Configure the external network
1. Open the Hyper-V Manager console, and then click LON-HOST1.
2. Use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
o Name: Switch for External Adapter
o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)
Task 2: Create a private network
1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties:
o Name: Private Network
o Connection type: Private network
Task 3: Create an internal network
1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to create a new virtual switch with the following properties:
o Name: Internal Network
o Connection type: Internal network
Task 4: Configure the MAC address range
1. On LON-HOST1, open the Hyper-V Manager console.
2. Use the Virtual Switch Manager to configure the following MAC Address Range settings:
o Minimum: 00-15-5D-0F-AB-A0
o Maximum: 00-15-5D-0F-AB-EF
Results: After this exercise, you will have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.
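The same switch and MAC pool configuration as an added Windows PowerShell example, not code from the courseware. It assumes it is run on LON-HOST1 and that the host has at least one connected physical network adapter; the adapter is discovered at run time because its name varies per host.

```powershell
# Added example (not from the courseware): the three switches and the MAC pool
# from Exercise 2, created from PowerShell on LON-HOST1.
Import-Module Hyper-V

# External switch bound to the first connected physical NIC; the NIC name varies per host,
# so it is discovered rather than hard-coded.
$physicalNic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
New-VMSwitch -Name 'Switch for External Adapter' -NetAdapterName $physicalNic.Name -AllowManagementOS $true

# Private: VM-to-VM only, the host cannot see the traffic.
# Internal: VMs plus the host, still no path to the physical network.
New-VMSwitch -Name 'Private Network'  -SwitchType Private
New-VMSwitch -Name 'Internal Network' -SwitchType Internal

# Dynamic MAC pool for this host, written without separators (00-15-5D-0F-AB-A0 to -EF).
# Every host sharing a physical segment needs its own non-overlapping pool.
Set-VMHost -MacAddressMinimum '00155D0FABA0' -MacAddressMaximum '00155D0FABEF'

# Verify the result.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS | Format-Table -AutoSize
Get-VMHost   | Select-Object MacAddressMinimum, MacAddressMaximum
```

On a host that has a separate management adapter, set AllowManagementOS to $false so that management traffic never shares the adapter the virtual machines use.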
Exercise 3: Creating and Configuring a Virtual Machine
Scenario
You have been asked to deploy two virtual machines to LON-HOST1. You have copied a sysprepped VHD file that hosts a Windows Server 2012 installation.
To minimize disk space use at the cost of performance, you are going to create two differencing files based on the sysprepped VHD. You will then use these differencing files as the virtual hard disk files for the new virtual machines.
The main tasks for this exercise are as follows:
1. Create differencing disks.
2. Create virtual machines.
3. Enable resource metering.
Task 1: Create differencing disks
1. Use Windows Explorer to create the following folders:
o E:\Program Files\Microsoft Learning\Base\LON-GUEST1
o E:\Program Files\Microsoft Learning\Base\LON-GUEST2
Note: The drive letter may depend upon the number of drives on the physical host machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Disk Format: VHD
o Disk Type: Differencing
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
3. Open Windows PowerShell, import the Hyper-V module, and then run the following command:
New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as its parent.
Task 2: Create virtual machines
1. On LON-HOST1, in the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.
2. Create a virtual machine with the following properties:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Memory: 1024 MB
o Use Dynamic Memory: Yes
o Networking: Private Network
o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd
3. Open Windows PowerShell, import the Hyper-V module, and execute the following command:
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
4. In the Hyper-V Manager console, edit the settings of LON-GUEST2 and configure the following:
o Automatic Start Action: Nothing
o Automatic Stop Action: Shut down the guest operating system
Task 3: Enable resource metering
• At the Windows PowerShell command prompt, import the Hyper-V module and enter the following commands:
Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2
Results: After this exercise, you will have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.
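Exercise 3 end to end as an added Windows PowerShell example, not code from the courseware. It uses the lab's paths, names and switch, adds the verification the lab performs by hand (that each new disk really is a differencing child of the sysprepped parent) and marks the parent read-only afterwards, which is the example's own precaution rather than a lab step.

```powershell
# Added example (not from the courseware): differencing disks, VMs and metering for
# LON-GUEST1 and LON-GUEST2, using the lab's paths. Run on LON-HOST1.
Import-Module Hyper-V

$base   = 'E:\Program Files\Microsoft Learning\Base'
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'   # sysprepped parent disk from the lab

foreach ($guest in 'LON-GUEST1', 'LON-GUEST2') {
    $dir = Join-Path $base $guest
    $vhd = Join-Path $dir "$guest.vhd"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Differencing disk: writes go to the child; the parent must never change afterwards.
    New-VHD -Path $vhd -ParentPath $parent -Differencing | Out-Null

    # Confirm the chain before any VM depends on it (the lab's "Inspect disk" step).
    $info = Get-VHD -Path $vhd
    if ($info.VhdType -ne 'Differencing' -or $info.ParentPath -ne $parent) {
        throw "$vhd is not a differencing disk of $parent"
    }

    New-VM -Name $guest -Path $dir -MemoryStartupBytes 1024MB -VHDPath $vhd -SwitchName 'Private Network' | Out-Null
    Set-VM -Name $guest -DynamicMemory -AutomaticStartAction Nothing -AutomaticStopAction ShutDown
    Enable-VMResourceMetering -VMName $guest
}

# Example's own precaution: a modified parent corrupts every child, so make it read-only.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

Get-VM -Name LON-GUEST1, LON-GUEST2 |
    Select-Object Name, State, DynamicMemoryEnabled, AutomaticStartAction, AutomaticStopAction, ResourceMeteringEnabled |
    Format-Table -AutoSize
```

The check on VhdType and ParentPath is the one to keep in any provisioning script: a disk created without a valid parent path silently becomes a full copy, and the space saving the scenario asks for is lost.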
Exercise 4: Using Virtual Machine Snapshots
Scenario
You are in the process of developing a strategy to mitigate the impact of incorrectly applied change requests. As a part of this strategy development, you are testing the speed and functionality of using virtual machine snapshots to roll back to a previously existing stable configuration.
In this exercise, you will deploy Windows Server 2012 in a virtual machine. You will create a stable configuration for that virtual machine, and then take a virtual machine snapshot. You will then modify the configuration, and then roll back to the snapshot.
The main tasks for this exercise are as follows:
1. Deploy Windows Server 2012 in a virtual machine.
2. Create a virtual machine snapshot.
3. Modify the virtual machine.
4. Revert to the existing virtual machine snapshot.
5. View resource metering data.
Task 1: Deploy Windows Server 2012 in a virtual machine
1. Use the Hyper-V Manager console to start LON-GUEST1.
2. Open the Virtual Machine Connection Window and perform the following steps to deploy Windows Server 2012 on the virtual machine:
o On the Settings page, click Skip.
o On the Settings page, select I accept the license terms for using Windows and click Accept.
o On the Settings page, click Next to accept the Region and Language settings.
o On the Settings page enter the password Pa$$w0rd twice and click Finish.
3. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.
4. Reset the name of the virtual machine to LON-GUEST1, and then restart the virtual machine.
Task 2: Create a virtual machine snapshot
1. Log on to the LON-GUEST1 virtual machine, and verify that the name of the computer is set to LON-GUEST1.
2. Create a snapshot of LON-GUEST1, and name the snapshot Before Change.
Task 3: Modify the virtual machine
1. Log on to the LON-GUEST1 virtual machine, and use the Server Manager console to change the computer's name to LON-Computer1.
2. Reboot the virtual machine.
3. Log on to the LON-GUEST1 virtual machine, and verify that the server name is set to LON-Computer1.
Task 4: Revert to the existing virtual machine snapshot
1. Revert the virtual machine.
2. Verify that the Computer Name of the virtual machine is set to LON-GUEST1.
Task 5: View resource metering data
1. On LON-HOST1, import the Hyper-V Windows PowerShell module and issue the following command:
Measure-VM LON-GUEST1
2. Note the average CPU, average RAM, and total disk use figures and then close the PowerShell window.
Results: After this exercise, you will have used virtual machine snapshots to recover from a virtual machine misconfiguration.
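The snapshot round trip and the metering readout from Exercise 4 as an added Windows PowerShell example, not code from the courseware. It assumes LON-GUEST1 exists with integration services installed (the heartbeat wait depends on them) and that resource metering was enabled in the previous exercise. The cmdlet names are Checkpoint-VM and Restore-VMSnapshot; the Hyper-V Manager console calls the same objects snapshots.

```powershell
# Added example (not from the courseware): take a snapshot, roll back to it,
# and read the metering counters for LON-GUEST1. Run on LON-HOST1.
Import-Module Hyper-V
$vm = 'LON-GUEST1'

Start-VM -Name $vm
# Wait until integration services report the guest as up (Heartbeat starts with "Ok").
while ((Get-VM -Name $vm).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }

# Snapshot of the known-good state before the change request is applied.
Checkpoint-VM -Name $vm -SnapshotName 'Before Change'

# ... the change is applied inside the guest here (the lab renames it to LON-Computer1) ...

# Roll back: everything written since the snapshot, disk and memory, is discarded.
# A running VM comes back in the Saved state, so it is started again.
Restore-VMSnapshot -VMName $vm -Name 'Before Change' -Confirm:$false
Start-VM -Name $vm

# Metering accumulates from Enable-VMResourceMetering (or the last Reset-VMResourceMetering).
$m = Measure-VM -VMName $vm
[pscustomobject]@{
    VM               = $m.VMName
    AvgCPU_MHz       = $m.AvgCPU
    AvgRAM_MB        = $m.AvgRAM
    MaxRAM_MB        = $m.MaxRAM
    TotalDisk_MB     = $m.TotalDisk
    MeteringDuration = $m.MeteringDuration
}

# Snapshots are not backups: list what exists so stale ones are removed once the change is accepted.
Get-VMSnapshot -VMName $vm | Select-Object Name, CreationTime, ParentSnapshotName
```

A snapshot taken while the guest runs includes its memory contents, including any credentials held in memory at that moment, so the snapshot files deserve the same access control as the virtual hard disk itself.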
Revert the virtual machines
After you finish the lab, restart the computer in Windows Server 2008 R2.
1. Click on the Windows PowerShell icon on the Taskbar.
2. In the Windows PowerShell window, enter the following command and press enter:
Shutdown /r /t 5
3. From the Windows Boot Manager, choose Windows Server 2008 R2.
Module Review and Takeaways
Review Questions
Question: In which situations should you use a fixed memory allocation rather than dynamic memory?
Question: In which situations must you use VHDX format virtual hard disks as opposed to VHD format virtual hard disks?
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a file share. What operating system must the file server be running to support this configuration?
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
Cannot deploy Hyper-V on an x64 platform.
Virtual Machine does not use dynamic memory.
Best Practices
When implementing server virtualization with Hyper-V, use the following best practices:
• Ensure that the processor on the computer that will host Hyper-V supports SLAT. Servers that support the Hyper-V role on Windows Server 2008 and Windows Server 2008 R2 may not support Hyper-V on Windows Server 2012.
• Ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual machines paging the hard disk drive because they are provisioned with inadequate memory will decrease performance for all virtual machines on the Hyper-V host.
• Monitor virtual machine performance carefully. A virtual machine that uses a disproportionate amount of server resources can adversely impact the performance of all other virtual machines that are hosted on the same Hyper-V server.
Tools
You can use the following tools with Hyper-V to deploy and manage virtual machines.
Name of tool: Sysinternals disk2vhd tool
Used for: Converting physical hard disks to VHD format.
Where to find it: You can download this tool from the Microsoft TechNet website.
Course Evaluation Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Module 1: Deploying and Managing Windows Server 2012
Lab: Deploying and Managing Windows Server 2012
Exercise 1: Deploying Windows Server 2012
Task 1: Install the Windows Server 2012 server
1. Open the Hyper-V® Manager console.
2. Click 20410A-LON-SVR3. In the Actions pane, click Settings.
3. Under Hardware, click DVD Drive.
4. Click Image file, and then click Browse.
5. Browse to C:\Program Files\Microsoft Learning\20410\Drives, and then click Win2012_RC.ISO.
6. Click Open and then click OK.
7. In the Hyper-V Manager console, double-click 20410A-LON-SVR3 to open the Virtual Machine Connection Window.
8. In the Virtual Machine Connection Window, on the Action menu, click Start.
9. In the Windows Setup Wizard, on the Windows Server 2012 page, verify the following settings, and then click Next.
o Language to install: English (United States)
o Time and currency format: English (United States)
o Keyboard or input method: US
10. On the Windows Server 2012 page, click Install now.
11. On the Select the operating system you want to install page, select Windows Server 2012 Release Candidate Datacenter (Server with a GUI), and then click Next.
12. On the License terms page, review the operating system license terms. Select the I accept the license terms check box, and then click Next.
13. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
14. On the Where do you want to install Windows? page, verify that Drive 0 Unallocated Space has enough space for the Windows Server 2012 operating system, and then click Next.
Note: Depending on the speed of the equipment, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.
15. On the Settings page, enter the password Pa$$w0rd in both the Password and Reenter password boxes, and then click Finish.
Task 2: Change the server name
1. Log on to LON-SVR3 as Administrator with the password Pa$$w0rd.
2. In Server Manager, click Local Server.
3. Click on the randomly-generated name next to Computer name. This will launch the System Properties dialog box.
4. In the System Properties dialog box, on the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter the name LON-SVR3, and then click OK.
6. In the Computer Name/Domain Changes dialog box, click OK.
7. Close the System Properties dialog box.
8. In the Microsoft Windows dialog box, click Restart Now.
Task 3: Change the date and time
1. Log on to server LON-SVR3 as Administrator with the password Pa$$w0rd.
2. On the taskbar, click the time display. A pop-up window with a calendar and a clock displays.
3. On the pop-up window, click Change date and time settings.
4. In the Date and Time dialog box, click Change Time Zone.
5. In the Time Zone Settings dialog box, set the time zone to your current time zone, and then click OK.
6. In the Date and Time dialog box, click Change Date and Time.
7. Verify that the date and time that display in the Date and Time Settings dialog box match those in your classroom, and then click OK.
8. Click OK to close the Date and Time dialog box.
Task 4: Configure the network and network teaming
1. In the Server Manager console on LON-SVR3, click Local Server.
2. Next to NIC Teaming, click Disabled.
3. In the NIC Teaming dialog box, press and hold the Ctrl key, and then in the Adapters And Interfaces workspace, click both Local Area Connection and Local Area Connection 2.
4. Right-click the selected network adapters, and then click Add to New Team.
5. In the New Teaming dialog box, in the Team name field, type LON-SVR3, and then click OK.
6. Close the NIC Teaming dialog box. Refresh the Server Manager console.
7. In the Server Manager console, next to LON-SVR3, click IPv4 Address Assigned by DHCP, IPv6 Enabled.
8. In the Network Connections dialog box, right-click LON-SVR3, and then click Properties.
9. In the LON-SVR3 Properties dialog, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IP address information, and then click OK.
o IP address: 172.16.0.101
o Subnet Mask: 255.255.0.0
o Default Gateway: 172.16.0.1
o Preferred DNS server: 172.16.0.10
11. Click Close to close the LON-SVR3 Properties dialog box.
12. Close the Network Connections dialog box.
Task 5: Add the server to the domain
1. On LON-SVR3, in the Server Manager console, click Local Server.
2. Next to Workgroup, click WORKGROUP.
3. In the System Properties dialog box, on the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, in the Member Of area, click the Domain option.
5. In the Domain box, enter adatum.com, and then click OK.
6. In the Windows Security dialog box, enter the following details, and then click OK:
o Username: Administrator
o Password: Pa$$w0rd
7. In the Computer Name/Domain Changes dialog box, click OK.
8. When informed that you must restart the computer to apply changes, click OK.
9. In the System Properties dialog box, click Close.
10. In the Microsoft Windows dialog box, click Restart Now.
11. After LON-SVR3 restarts, log on as adatum\Administrator with the password Pa$$w0rd.
Results: After finishing this exercise, you will have deployed Windows Server 2012 on LON-SVR3. You also will have configured LON-SVR3 including name change, date and time, networking, and network teaming.
Exercise 2: Configuring Windows Server 2012 Server Core
Task 1: Change the server name
1. Log on to LON-CORE using the account Administrator with the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd.
3. To select Computer Name, type 2, and then press Enter.
4. Enter the computer name LON-CORE, and then press Enter.
5. In the Restart dialog box, click Yes.
6. Log on to server LON-CORE using the Administrator account.
7. At the command prompt, type hostname, and then press Enter to verify the computer’s name.
Task 2: Change the computer’s date and time
1. When logged on to server LON-CORE with the Administrator account, at the command prompt, type sconfig.cmd, and then press Enter.
2. To select Date and Time, type 9, and then press Enter.
3. In the Date and Time dialog box, click Change time zone. Set the time zone to the same time zone that your classroom uses, and then click OK.
4. In the Date and Time dialog box, click Change Date and Time, and verify that the date and time match those in your location. Click OK two times to dismiss the dialog boxes.
5. In the command prompt window, type 15, and then press Enter to exit Server Configuration.
Task 3: Configure the network
1. Ensure that you are logged on to server LON-CORE using the account Administrator and the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To configure Network Settings, type 8, and then press Enter.
4. Type the index number of the network adapter that you want to configure, and then press Enter.
5. On the Network Adapter Settings page, type 1, and then press Enter. This sets the Network Adapter Address.
6. To select static IP address configuration, type S, and then press Enter.
7. At the Enter static IP address: prompt, type 172.16.0.111, and then press Enter.
8. At the Enter subnet mask prompt, type 255.255.0.0, and then press Enter.
9. At the Enter default gateway prompt, type 172.16.0.1, and then press Enter.
10. On the Network Adapter Settings page, type 2, and then press Enter. This configures the DNS server address.
11. At the Enter new preferred DNS server prompt, type 172.16.0.10, and then press Enter.
12. In the Network Settings dialog box, click OK.
13. Press Enter to not configure an alternate DNS server address.
14. Type 4, and then press Enter to return to the main menu.
15. Type 15, and then press Enter to exit sconfig.cmd.
16. At the command prompt, type ping lon-dc1.adatum.com to verify connectivity to the domain controller from LON-CORE.
Task 4: Add the server to the domain
1. Ensure that you are logged on to server LON-CORE using the account Administrator with the password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd, and then press Enter.
3. To switch to configure Domain/Workgroup, type 1, and then press Enter.
4. To join a domain, type D, and then press Enter.
5. At the Name of domain to join prompt, type adatum.com.
6. At the Specify an authorized domain\user prompt, type adatum\administrator, and then press Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and then press Enter.
8. At the Change Computer Name prompt, click Yes.
9. At the Enter new computer name prompt, press Enter.
10. To restart the server, type 13, and then press Enter.
11. In the Restart dialog box, click Yes.
12. Log on to server LON-CORE with the adatum\administrator account and the password Pa$$w0rd.
Results: After finishing this exercise, you will have configured a Windows Server 2012 Server Core deployment, and verified the server’s name.
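The configuration that Exercises 1 and 2 apply through Server Manager and sconfig.cmd, as an added Windows PowerShell example that is not code from the courseware. It is run at the console of the new server and uses the lab's values for LON-SVR3; for LON-CORE the same script applies with 172.16.0.111, no team, and the single adapter's name in place of the team name. The adapter names, the time zone and the reachability check before the join are the example's assumptions.

```powershell
# Added example (not from the courseware): Exercises 1 and 2 from the console of the new
# server. Values are the lab's for LON-SVR3; LON-CORE uses 172.16.0.111, has no team,
# so it skips step 1 and uses its single adapter's name as $ifName.
$newName = 'LON-SVR3'
$ip      = '172.16.0.101'
$gateway = '172.16.0.1'
$dns     = '172.16.0.10'
$domain  = 'adatum.com'

# 1. Team both adapters. Switch-independent mode needs no configuration on the physical switch.
$team = New-NetLbfoTeam -Name $newName -TeamMembers 'Local Area Connection', 'Local Area Connection 2' `
            -TeamingMode SwitchIndependent -Confirm:$false
$ifName = $team.Name   # the team surfaces as one adapter carrying the team's name

# 2. Static IPv4 on the team interface (/16 is 255.255.0.0), then the DNS server.
Set-NetIPInterface -InterfaceAlias $ifName -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $ifName -IPAddress $ip -PrefixLength 16 -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $ifName -ServerAddresses $dns

# 3. Time zone (the Date and Time dialog, or sconfig option 9); London for the A. Datum scenario.
tzutil.exe /s 'GMT Standard Time'

# 4. Resolve and reach the domain controller before joining: a wrong DNS server address
#    is the usual cause of a failed join, and this is what the lab's ping step checks.
if (-not (Test-Connection -ComputerName "lon-dc1.$domain" -Count 1 -Quiet)) {
    throw "Cannot reach lon-dc1.$domain; check the DNS server address before joining"
}

# 5. Rename and join with a single restart. The join account is prompted for, never stored in the script.
$cred = Get-Credential -UserName "$domain\Administrator" -Message 'Account permitted to join computers'
Add-Computer -DomainName $domain -NewName $newName -Credential $cred -Restart
```

Keeping the DNS step before the join step matters more than the order of the rest: the domain join locates a domain controller through DNS, so a server that still points at a public resolver fails at step 5 with an error that does not mention DNS.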
Exercise 3: Managing Servers
Task 1: Create a server group
1. Log on to LON-DC1 with the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. In the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
4. In the Server group name box, type LAB-1.
5. Use the arrow to add LON-CORE and LON-SVR3 to the server group. Click OK to close the Create Server Group dialog box.
6. Click LAB-1. Press and hold the Ctrl key, and then select both LON-CORE and LON-SVR3.
7. With both servers selected, scroll down to the Performance section and select both LON-CORE and LON-SVR3.
8. Right-click LON-CORE, and then click Start Performance Counters.
Task 2: Deploy features and roles to both servers
1. In Server Manager on LON-DC1, click LAB-1.
2. Scroll to the top of the pane, right-click LON-CORE, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
5. On the Select destination server page, verify that LON-CORE.Adatum.com is selected, and then click Next.
6. On the Select server roles page, select Web Server (IIS), and then click Next.
7. On the Features page, select Windows Server Backup, and then click Next.
8. On the Web Server Role (IIS) page, click Next.
9. On the Select Role Services page, add the Windows Authentication role service, and then click Next.
10. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
11. Click Close to close the Add Roles and Features Wizard.
12. In Server Manager, right-click LON-SVR3, and then click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation.
15. On the Select destination server page, verify that LON-SVR3.Adatum.com is selected, and then click Next.
16. On the Server Roles page, click Next.
17. On the Select features page, click Windows Server Backup, and then click Next.
18. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
19. Once the install commences, click Close.
20. In Server Manager, click the IIS node, and verify that LON-CORE is listed.
Task 3: Review services, and change a service setting
1. Log on to LON-CORE with the adatum\Administrator account and the password Pa$$w0rd.
2. At a command prompt, type netsh.exe firewall set service remoteadmin enable ALL, and then press Enter.
3. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.
4. In Server Manager, click LAB-1.
5. Right-click LON-CORE, and then click Computer Management.
6. In the Computer Management console, expand Services and Applications, and then click Services.
7. Right-click the World Wide Web Publishing service, and then click Properties. Verify that the Startup type is set to Automatic.
8. In the World Wide Web Publishing Service dialog box, on the Log On tab, verify that the service is configured to use the Local System account.
9. In the World Wide Web Publishing Service dialog box, on the Recovery tab, configure the following settings:
o First failure: Restart the Service
o Second failure: Restart the Service
o Subsequent failures: Restart the Computer.
o Reset fail count after: 1 days
o Reset service after: 1 minute
10. In the World Wide Web Publishing Service Properties dialog box, on the Recovery tab, click the Restart Computer Options button.
11. In the Restart Computer Options dialog box, in the Restart Computer After box, type 2, and then click OK.
12. Click OK to close the World Wide Web Publishing Services Properties dialog box.
13. Close the Computer Management console.
Results: After finishing this exercise, you will have created a server group, deployed roles and features, and configured the properties of a service.
Exercise 4: Using Windows PowerShell to Manage Servers
Task 1: Use Windows PowerShell® to connect remotely to servers and view information
1. Log on to LON-DC1 with the adatum\Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click LAB-1.
3. Right-click LON-CORE, and then click Windows PowerShell.
4. At the command prompt, type Import-Module ServerManager, and then press Enter.
5. Type Get-WindowsFeature to review the roles and features installed on LON-CORE.
6. Type the following command to review the running services on LON-CORE:
Get-Service | Where-Object {$_.Status -eq "Running"}
7. Type get-process, and then press Enter to view a list of processes on LON-CORE.
8. Type the following command to review the IP addresses assigned to the server:
Get-NetIPAddress | Format-table
9. Type the following command to review the most recent 10 items in the security log:
Get-EventLog Security -Newest 10
10. Close Windows PowerShell.
Task 2: Use Windows PowerShell to install new features remotely
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command prompt, type import-module ServerManager, and then press Enter.
3. To verify that the XPS Viewer feature has not been installed on LON-SVR3, type the following command, and then press Enter:
Get-WindowsFeature -ComputerName LON-SVR3
4. To deploy the XPS Viewer feature on LON-SVR3, type the following command, and then press Enter:
Install-WindowsFeature XPS-Viewer -ComputerName LON-SVR3
5. To verify that the XPS Viewer feature has now been deployed on LON-SVR3, type the following command and then press Enter:
Get-WindowsFeature -ComputerName LON-SVR3
6. In the Server Manager console, from the Tools drop-down menu, click Windows PowerShell ISE.
7. In the Windows PowerShell ISE window, in the Untitled1.ps1 script pane, type the following, pressing Enter after each line:
Import-Module ServerManager
Install-WindowsFeature WINS -ComputerName LON-SVR3
Install-WindowsFeature WINS -ComputerName LON-CORE
8. Click the Save icon. Select the root of Local Disk (C:). Create a new folder named Scripts, and then save the script in that folder as InstallWins.ps1.
9. Press F5 to run the script.
Results: After finishing this exercise, you will have used Windows PowerShell to perform a remote installation of features on multiple servers.
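Exercise 4's queries and feature installs against both lab servers at once, as an added Windows PowerShell example that is not code from the courseware. It runs on LON-DC1, assumes WinRM is enabled on LON-CORE and LON-SVR3 (the Windows Server 2012 default, and what Server Manager itself relies on), and sends XPS Viewer only to LON-SVR3 because it is a GUI feature that a Server Core installation cannot host.

```powershell
# Added example (not from the courseware): inventory and feature installs for both lab
# servers from LON-DC1. Requires WinRM on the targets (enabled by default on Server 2012).
Import-Module ServerManager
$servers = 'LON-CORE', 'LON-SVR3'

# One remote session per server; each result comes back tagged with PSComputerName.
$inventory = Invoke-Command -ComputerName $servers -ScriptBlock {
    [pscustomobject]@{
        RunningServices = @(Get-Service | Where-Object Status -eq 'Running').Count
        Processes       = @(Get-Process).Count
        IPv4            = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
        # The ten newest security events, the same view the lab takes interactively.
        SecurityTail    = Get-EventLog -LogName Security -Newest 10 | Select-Object TimeGenerated, EventID, EntryType
    }
}
$inventory | Format-Table PSComputerName, RunningServices, Processes, IPv4 -AutoSize
$inventory | ForEach-Object { "--- $($_.PSComputerName) ---"; $_.SecurityTail | Format-Table -AutoSize }

# Features per server: XPS Viewer is a GUI feature, so it goes to LON-SVR3 only.
$plan = @{ 'LON-SVR3' = @('WINS', 'XPS-Viewer'); 'LON-CORE' = @('WINS') }

foreach ($s in $plan.Keys) {
    # Install only what is missing; Install-WindowsFeature reports Success and RestartNeeded.
    $missing = Get-WindowsFeature -Name $plan[$s] -ComputerName $s | Where-Object { -not $_.Installed }
    if ($missing) {
        $r = Install-WindowsFeature -Name $missing.Name -ComputerName $s
        '{0}: Success={1} RestartNeeded={2}' -f $s, $r.Success, $r.RestartNeeded
    }
    # Verify, as the lab does with a second Get-WindowsFeature.
    Get-WindowsFeature -Name $plan[$s] -ComputerName $s |
        Select-Object @{ n = 'Server'; e = { $s } }, Name, Installed
}
```

Checking Installed before calling Install-WindowsFeature keeps the script idempotent, so it can be re-run after a failure without re-installing features that are already present.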
To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, switch to the Hyper-V Manager console.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CORE and 20410A-LON-SVR3.
Module 2: Introduction to Active Directory Domain Services
Lab: Installing Domain Controllers
Exercise 1: Installing a Domain Controller
Task 1: Add an Active Directory® Domain Services (AD DS) role to a member server
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, in the left column, select All Servers.
3. Right-click All Servers and then click Add Servers.
4. In the Add Servers dialog box, in the Name (CN) box, type LON-SVR1 and then click Find Now.
5. Under Name, click LON-SVR1 and then click the arrow to add the server to the Selected column.
6. Click OK to close the Add Servers dialog box.
7. In Server Manager, in the Servers window, right-click LON-SVR1, and select Add Roles and Features.
8. In the Add Roles and Features Wizard, click Next.
9. In the Select installation type window, ensure that Role-based or feature-based installation is selected, and then click Next.
10. On the Select destination server page, ensure that Select a server from the server pool is selected. In the Server Pool window, verify that LON-SVR1.Adatum.com is highlighted, and then click Next.
11. On the Select server roles page, select the Active Directory Domain Services check box, click Add Features, and then click Next.
12. On the Select features page, click Next.
13. On the Active Directory Domain Services page, click Next.
14. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
15. Installation takes several minutes. When it succeeds, click Close to close the Add Roles and Features Wizard.
Task 2: Configure a server as a domain controller
1. On LON-DC1, in Server Manager, on the menu bar to the left of the Manage button, click the yellow Alert button.
2. In the Post-deployment Configuration window that appears, click Promote this server to a domain controller. The wizard continues.
3. In the Deployment Configuration page, ensure that the radio button next to Add a domain controller to an existing domain is selected, and then, beside the Domain line, click Select.
4. In the Windows Security dialog box that opens, enter Adatum\Administrator in the Username box and in the Password box, type Pa$$w0rd, and then click OK.
5. In the Select a domain from the forest window, click adatum.com, and then click OK.
6. In the Deployment Configuration window, click Next.
7. On the Domain Controller Options page, ensure that Domain Name System (DNS) server is selected, and then deselect the check box next to Global Catalog (GC).
Note: You would usually want to enable the global catalog as well, but for the purposes of this lab, this is done in the next task.
8. In the Type the Directory Services Restore Mode (DSRM) password section, type Pa$$w0rd in both text boxes, and then click Next.
9. On the DNS Options page, click Next.
10. On the Additional Options page, click Next.
11. On the Paths page, accept the default folders, and then click Next.
12. On the Review Options page, click View Script, examine the Windows PowerShell® script that the wizard generates, close the Notepad window, and then click Next.
13. On the Prerequisites Check page, read any warning messages, and then click Install.
14. When the task completes successfully, click Close.
Task 3: Configure a server as a global catalog server
1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools and then click Active Directory Sites and Services.
3. When the Active Directory Sites and Services window opens, expand Sites, expand Default-First-Site-Name, expand Servers, and then expand LON-SVR1.
4. In the left column, right-click NTDS Settings and select Properties.
5. In the NTDS Settings Properties dialog box, select the check box next to Global Catalog.
6. Click OK and close Active Directory Sites and Services.
Results: After completing this exercise, you will have explored Server Manager and promoted a member server to be a domain controller.
Exercise 2: Installing a domain controller by using IFM
Task 1: Use the NTDSUTIL tool to generate Install from Media (IFM)
1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
3. On the Start screen, type CMD and then press Enter.
4. In the Command Prompt window, type the following, pressing Enter after each line:
Ntdsutil
Activate instance ntds
Ifm
Create sysvol full c:\ifm
Task 2: Add the AD DS role to the member server
1. Switch to LON-SVR2, and log on as Adatum\Administrator with the password Pa$$w0rd.
2. Hover the mouse in the lower right corner of the desktop, and when the side bar appears, click Start.
3. On the Start screen, type CMD and then press Enter.
4. Type the following command, and then press Enter:
Net use k: \\LON-DC1\c$\IFM
5. Switch to Server Manager.
6. From the list on the left, click Local Server.
7. In the toolbar, click Manage, and then click Add Roles and Features.
8. On the Before you begin page, click Next.
9. On the Select installation type page, ensure that Role-based or feature-based installation is selected, and then click Next.
10. On the Select destination server page, verify that LON-SVR2.Adatum.com is highlighted, and then click Next.
11. On the Select server roles page, click Active Directory Domain Services, in the Add Roles and Features Wizard window, click Add Features, and then click Next.
12. In the Select Features window, click Next.
13. On the Active Directory Domain Services page, click Next.
14. On the Confirm installation selections page, click Restart the destination server automatically if required. Click Yes at the message box.
15. Click Install.
16. After the installation succeeds, click Close.
Task 3: Use IFM to configure a member server as a new domain controller
1. On LON-SVR2, in the command prompt window, type the following command, and then press Enter:
Robocopy k: c:\ifm /copyall /s
2. Close the command prompt window.
3. In the Server Manager toolbar, to the left of the Manage button, click the yellow Alert button.
4. In the Post-deployment Configuration window, click Promote this server to a domain controller.
5. On the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and confirm that adatum.com is entered as the target domain. Click Next.
6. On the Domain Controller Options page, ensure that both Domain Name System (DNS) server and global catalog are selected. For the DSRM password, enter Pa$$w0rd in both boxes, and then click Next.
7. On the DNS Options page, click Next.
8. On the Additional Options page, select the check box next to Install from media, in the text box, type C:\ifm, and then click Verify.
9. When the path has been verified, click Next.
10. On the Paths page, click Next.
11. On the Review Options page, click Next, and then observe the wizard as it performs a check for prerequisites.
12. Click Install and wait while AD DS is configured. While this task is running, read the information messages that display on the screen.
13. Wait for the server to restart.
Results: After completing this exercise, you will have installed an additional domain controller for the branch office by using IFM.
To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-RTR, and 20410A-LON-SVR2.
Module 3: Managing Active Directory Domain Services Objects
Lab: Managing Active Directory Domain Services Objects
Exercise 1: Delegating Administration for a Branch Office
Task 1: Delegate administration for Branch Administrators
1. Switch to LON-DC1.
2. From Server Manager, click Tools.
3. Click Active Directory Users and Computers.
4. In Active Directory Users and Computers, click Adatum.com.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and then click OK.
7. Right-click Branch Office 1, point to New, and then click Group.
8. In the New Object – Group dialog box, in the Group name box, type Branch 1 Help Desk, and then click OK.
9. Right-click Branch Office 1, point to New, and then click Group.
10. In the New Object – Group dialog box, in the Group name box, type Branch 1 Administrators, and then click OK.
11. Right-click Branch Office 1, point to New, and then click Group.
12. In the New Object – Group dialog box, in the Group name box, type Branch 1 Users, and then click OK.
13. In the navigation pane, click IT.
14. In the details pane, right-click Holly Dickson, and then click Move.
15. In the Move dialog box, click Branch Office 1, and then click OK.
16. In the navigation pane, click the Development organizational unit.
17. In the details pane, right-click Bart Duncan, and then click Move.
18. In the Move dialog box, click Branch Office 1, and then click OK.
19. In the navigation pane, click the Managers organizational unit.
20. In the details pane, right-click Ed Meadows, and then click Move.
21. In the Move dialog box, click Branch Office 1, and then click OK.
22. In the navigation pane, click the Marketing organizational unit.
23. In the details pane, right-click Connie Vrettos, and then click Move.
24. In the Move dialog box, click Branch Office 1, and then click OK.
25. In the navigation pane, click the Research organizational unit.
26. In the details pane, right-click Barbara Zighetti, and then click Move.
27. In the Move dialog box, click Branch Office 1, and then click OK.
28. In the navigation pane, click the Sales organizational unit.
29. In the details pane, right-click Arlene Huff, and then click Move.
30. In the Move dialog box, click Branch Office 1, and then click OK.
31. In the navigation pane, click Branch Office 1.
32. In the navigation pane, click Computers.
33. In the details pane, right-click LON-CL1, and then click Move.
34. In the Move dialog box, click Branch Office 1, and then click OK.
35. Switch to LON-CL1.
36. Pause your mouse pointer in the lower-right corner of the display, and then click Settings.
37. Click Power, and then click Restart.
38. When the computer has restarted, log on as Adatum\Administrator with the password of Pa$$w0rd.
39. Switch to the LON-DC1 computer.
40. If necessary, switch to Active Directory Users and Computers.
41. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
42. On the Users or Groups page, click Add.
43. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
44. On the Users or Groups page, click Next.
45. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:
o Create, delete, and manage user accounts
o Reset user passwords and force password change at next logon
o Read all user information
o Create, delete and manage groups
o Modify the membership of a group
o Manage Group Policy links
46. On the Completing the Delegation of Control Wizard page, click Finish.
47. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
48. On the Users or Groups page, click Add.
49. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
50. On the Users or Groups page, click Next.
51. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
52. On the Active Directory Object Type page, select Only the following objects in the folder, select the following check boxes, and then click Next:
o Computer objects
o Create selected objects in this folder
o Delete selected objects in this folder
53. On the Permissions page, select the General check box, and the Full Control check box, and then click Next.
54. On the Completing the Delegation of Control Wizard page, click Finish.
Task 2: Delegate a user administrator for the Branch Office Help Desk
1. In the navigation pane, right-click Branch Office 1, and then click Delegate Control. Click Next.
2. On the Users or Groups page, click Add.
3. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk and then click OK.
4. On the Users or Groups page, click Next.
5. On the Tasks to Delegate page, in the Delegate the following common tasks list, select the following check boxes, and then click Next:
o Reset user passwords and force password change at next logon
o Read all user information
o Modify the membership of a group
6. On the Completing the Delegation of Control Wizard page, click Finish.
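To verify what Tasks 1 and 2 delegated, the following added PowerShell (not part of the course lab) reads the OU's ACL and names the rights each ACE grants; it assumes the ActiveDirectory module on LON-DC1 and the OU name used above.

```powershell
# Added example, not part of the lab: list the access control entries that the
# Delegation of Control Wizard wrote on the Branch Office 1 OU, so the result
# of Tasks 1 and 2 can be verified now and reviewed later.
Import-Module ActiveDirectory   # also provides the AD: drive that Get-Acl reads

function Get-AdGuidMap {
    # ACEs identify classes, attributes, property sets and extended rights by
    # GUID; build one map from GUID string to a readable name.
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Resolve-AdGuid([string]$Guid, [hashtable]$Map) {
    if ($Guid -eq '00000000-0000-0000-0000-000000000000') { return '(all)' }
    if ($Map.ContainsKey($Guid)) { return $Map[$Guid] }
    return $Guid
}

function Get-OuDelegation {
    param(
        [string]$OuDn = 'OU=Branch Office 1,DC=Adatum,DC=com',
        [hashtable]$GuidMap = (Get-AdGuidMap)
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }     # only what was set on this OU itself
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            # what the right covers: a class, an attribute, a property set or an extended right
            ObjectType = Resolve-AdGuid $ace.ObjectType.ToString() $GuidMap
            # which child object class inherits the right (user, group, computer, ...)
            AppliesTo  = Resolve-AdGuid $ace.InheritedObjectType.ToString() $GuidMap
        }
    }
}

# Show only the entries created for the two groups delegated in this exercise
Get-OuDelegation | Where-Object { $_.Trustee -like '*Branch 1*' } | Format-Table -AutoSize
```

An entry with Trustee ADATUM\Branch 1 Help Desk, ObjectType "Reset Password" and AppliesTo "user" is the extended right granted in Task 2; entries for Branch 1 Administrators should include GenericAll on computer objects from Task 1, step 53.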
Task 3: Add a member to the Branch Administrators
1. In the navigation pane, click Branch Office 1.
2. In the details pane, right-click Holly Dickson, and then click Add to a group.
3. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Administrators, and then click OK.
4. In the Active Directory Domain Services dialog box, click OK.
5. In the details pane, right-click Branch 1 Administrators, and then click Add to a group.
6. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.
7. In the Active Directory Domain Services dialog box, click OK.
8. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
9. On LON-DC1, click Sign out.
10. Log on to LON-DC1 as Adatum\Holly with the password Pa$$w0rd. You can log on locally at a domain controller because Holly belongs, indirectly, to the Server Operators domain local group.
11. On the desktop, in the task bar click Server Manager.
12. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.
13. From Server Manager, click Tools.
14. Click Active Directory Users and Computers.
15. In Active Directory Users and Computers, expand Adatum.com.
16. In the navigation pane, click Sales.
17. In the details pane, right-click Aaren Ekelund, and then click Delete.
18. Click Yes to confirm.
19. Click OK to acknowledge that you do not have permissions to perform this task.
20. In the navigation pane, click Branch Office 1.
21. In the details pane, right-click Ed Meadows, and then click Delete.
22. Click Yes to confirm. You are successful because you have the required permissions.
Task 4: Add a member to the Branch Help Desk group
1. In the details pane, right-click Bart Duncan, and then click Add to a group.
2. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Help Desk, and then click OK.
3. In the Active Directory Domain Services dialog box, click OK.
4. Close Active Directory Users and Computers.
5. Close Server Manager. To modify the Server Operators membership list, you must have permissions beyond those available to the Branch 1 Administrators group.
6. On the desktop, click Server Manager.
7. In the User Account Control dialog box, in the User name box, type Adatum\Administrator. In the Password box, type Pa$$w0rd, and then click Yes.
8. In Server Manager, click Tools.
9. In the Tools list, click Active Directory Users and Computers.
10. In Active Directory Users and Computers, expand Adatum.com.
11. In the navigation pane, click Branch Office 1.
12. In the details pane, right-click Branch 1 Help Desk, and then click Add to a group.
13. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Server Operators, and then click OK.
14. In the Active Directory Domain Services dialog box, click OK.
15. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
16. On LON-DC1, click Sign out.
17. Log on as Adatum\Bart with the password Pa$$w0rd. You can log on locally at a domain controller because Bart belongs, indirectly, to the Server Operators domain local group.
18. On the desktop, click Server Manager.
19. In the User Account Control dialog box, in the User name box, type Bart. In the Password box, type Pa$$w0rd, and then click Yes.
20. In Server Manager, click Tools.
21. Click Active Directory Users and Computers.
22. In Active Directory Users and Computers, expand Adatum.com.
23. In the navigation pane, click Branch Office 1.
24. In the details pane, right-click Connie Vrettos, and then click Delete.
25. Click Yes to confirm. You are unsuccessful because you lack the required permissions. Click OK.
26. Right-click Connie Vrettos, and then click Reset Password.
27. In the Reset Password dialog box, in the New password and Confirm password boxes, type Pa$$w0rd, and then click OK.
28. Click OK to confirm the successful password reset.
29. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
30. On LON-DC1, click Sign out.
31. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
Results: After this exercise, you should have successfully created the necessary OU and delegated administration of it to the appropriate group.
Exercise 2: Creating and Configuring User Accounts in AD DS
Task 1: Create a template user for the branch office
1. On LON-DC1, on the Taskbar, click Windows Explorer.
2. Click Desktop, and then double-click Computer.
3. Double-click Local Disk (C:).
4. On the menu, click Home, and then click New folder.
5. Type branch1-userdata, and then press Enter.
6. Right-click branch1-userdata, and then click Properties.
7. In the branch1-userdata Properties dialog box, on the Sharing tab, click Advanced Sharing.
8. Select the Share this folder check box, and then click Permissions.
9. In the Permissions for branch1-userdata dialog box, select the Full Control Allow check box, and then click OK.
10. In the Advanced Sharing dialog box, click OK, and then in the branch1-userdata Properties dialog box, click Close.
11. In Server Manager, click Tools.
12. Click Active Directory Users and Computers, and then expand Adatum.com.
13. Right-click Branch Office 1, point to New, and then click User.
14. In the New Object – User dialog box, in the Full name box, type _Branch_template.
15. In the User logon name box, type _Branch_template, and click Next.
16. In the Password and Confirm password boxes, type Pa$$w0rd.
17. Select the Account is disabled check box, and then click Next.
18. Click Finish.
Task 2: Configure the template's settings
1. From within the Branch Office 1 OU, right-click _Branch_template, and then click Properties.
2. In the _Branch_template Properties dialog box, on the Address tab, in the City box, type Slough.
3. Click the Member Of tab.
4. Click Add. In the Select Groups dialog box, in the Enter the object names to select (examples): box, type Branch 1 Users, and then click OK.
5. Click the Profile tab.
6. Under Home folder, click Connect, and in the To: box, type \\lon-dc1\branch1-userdata\%username%.
7. Click Apply, and then click OK.
Task 3: Create a new user for the branch office, based on the template
1. Right-click _Branch_template, and then click Copy.
2. In the New Object – User dialog box, in the First name box, type Ed.
3. In the Last name box, type Meadows.
4. In the User logon name box, type Ed, and then click Next.
5. In the Password and Confirm password boxes, type Pa$$w0rd.
6. Clear the User must change password at next logon check box.
7. Clear the Account is disabled check box, and then click Next.
8. Click Finish.
9. Right-click Ed Meadows, and then click Properties.
10. In the Ed Meadows Properties dialog box, click the Address tab. Notice that the City is configured.
11. Click the Profile tab. Notice that the home folder location is configured.
12. Click the Member Of tab. Notice that Ed belongs to the Branch 1 Users group. Click OK.
13. On your host computer, in the 20410A-LON-DC1 window, on the Action menu, click Ctrl+Alt+Delete.
14. On LON-DC1, click Sign out.
Task 4: Log on as a user to test account settings
1. Switch to LON-CL1.
2. On your host computer, in the 20410A-LON-CL1 window, on the menu, click Ctrl+Alt+Delete.
3. On LON-CL1, click Sign out.
4. Log on to LON-CL1 as Adatum\Ed with the password of Pa$$w0rd.
5. On the Start screen, click Desktop.
6. On the Taskbar, click Windows Explorer.
7. In the navigation pane, click Desktop, and then in details, double-click Computer.
8. Verify that Drive Z is mapped to \\lon-dc1\branch1-userdata\Ed.
9. Double-click Ed (\\lon-dc1\branch1-userdata) (Z:).
10. If you receive no errors, you have been successful.
11. On your host computer, in the 20410A-LON-CL1 window, on the Action menu, click Ctrl+Alt+Delete.
12. On LON-CL1, click Sign out.
Results: After this exercise, you should have successfully created and tested a user account created from a template.
Exercise 3: Managing Computer Objects in AD DS
Task 1: Reset a computer account
1. On LON-DC1, log on as Adatum\Holly with the password Pa$$w0rd.
2. On the task bar, click Server Manager.
3. In the User Account Control dialog box, in the User name box, type Holly. In the Password box, type Pa$$w0rd, and then click Yes.
4. From Server Manager, click Tools.
5. Click Active Directory Users and Computers.
6. In Active Directory Users and Computers, expand Adatum.com.
7. In the navigation pane, click Branch Office 1.
8. In the details pane, right-click LON-CL1, and then click Reset Account.
9. In the Active Directory Domain Services dialog box, click Yes.
10. In the Active Directory Domain Services dialog box, click OK.
Task 2: Observe the behavior when a client logs on
1. Switch to LON-CL1.
2. Log on as Adatum\Ed with the password Pa$$w0rd.
3. A message is displayed explaining that the trust relationship between this workstation and the primary domain failed.
4. Click OK.
Task 3: Rejoin the domain to reconnect the computer account
1. Log on to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, right-click the display, click All apps, and in the Apps list, click Control Panel.
3. In Control Panel, in the View by list, click Large icons.
4. Click System.
5. In the navigation list, click Advanced system settings.
6. In System Properties, click the Computer Name tab.
7. Click Network ID.
8. On the Select the option that describes your network page, click Next.
9. On the Is your company network on a domain page, click Next.
10. On the You will need the following information page, click Next.
11. On the Type your user name, password, and domain name for your domain account page, in the Password box, type Pa$$w0rd. The other fields are completed. Click Next.
12. In the User Account and Domain Information dialog box, click Yes.
13. On the Do you want to enable a domain user account on this computer? page, click Do not add a domain user account, and then click Next.
14. Click Finish, and then click OK.
15. In the Microsoft Windows dialog box, click Restart Now.
16. Log on as Adatum\Ed with the password Pa$$w0rd. You are successful because the computer was successfully rejoined to the domain.
Results: After this exercise, you should have successfully reset the trust relationship.
To prepare for the next module
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-DC1.
Module 4: Automating Active Directory Domain Services Administration
Lab: Automating AD DS Administration by Using Windows PowerShell
Exercise 1: Creating User Accounts and Groups by Using Windows PowerShell
Task 1: Create a user account by using Windows PowerShell
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell® prompt, type the following command, and then press Enter:
New-ADOrganizationalUnit LondonBranch
3. Type the following command, and then press Enter:
New-ADUser –Name Ty –DisplayName “Ty Carlson” –GivenName Ty –Surname Carlson –Path “ou=LondonBranch,dc=adatum,dc=com”
4. Type the following command, and then press Enter:
Set-ADAccountPassword Ty
5. When prompted for the current password, press Enter.
6. When prompted for the desired password, type Pa$$w0rd, and then press Enter.
7. When prompted to repeat the password, type Pa$$w0rd, and then press Enter.
8. At the Windows PowerShell prompt, type Enable-ADAccount Ty, and then press Enter.
9. On LON-CL1, log on as Ty using a password of Pa$$w0rd.
10. Verify that logon is successful and then sign out of LON-CL1.
Task 2: Create a group by using Windows PowerShell
1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press Enter:
New-ADGroup LondonBranchUsers –Path “ou=LondonBranch,dc=adatum,dc=com” –GroupScope Global –GroupCategory Security
2. Type the following command, and then press Enter:
Add-ADGroupMember LondonBranchUsers –Members Ty
3. Type the following command, and then press Enter:
Get-ADGroupMember LondonBranchUsers
Results: After completing this exercise, you will have created user accounts and groups by using Windows PowerShell.
Exercise 2: Using Windows PowerShell to Create User Accounts in Bulk
Task 1: Prepare the .csv file
1. On LON-DC1, on the taskbar, click the Windows Explorer icon.
2. In the Windows® Explorer window, expand E:, expand Labfiles, and then click Mod04.
3. Right-click LabUsers.ps1, and then click Edit.
4. In Windows PowerShell ISE, read the comments at the top of the script, and then identify the requirements for the header in the .csv file.
5. Close Windows PowerShell ISE.
6. In Windows Explorer, double-click LabUsers.csv.
7. In the How do you want to open this type of file (.csv) window, click Notepad.
8. In Notepad, type the following line at the top of the file: FirstName,LastName,Department,DefaultPassword
9. Click File, and then click Save.
10. Close Notepad.
Task 2: Prepare the script
1. On LON-DC1, in Windows Explorer, right-click LabUsers.ps1, and then click Edit.
2. In Windows PowerShell ISE, under Variables, replace C:\path\file.csv with E:\Labfiles\Mod04\LabUsers.csv.
3. Under Variables, replace “ou=orgunit,dc=domain,dc=com” with “ou=LondonBranch,dc=adatum,dc=com”.
4. Click File, and then click Save.
5. Scroll down and review the contents of the script.
6. Close Windows PowerShell ISE.
Task 3: Run the script
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type cd E:\Labfiles\Mod04, and then press Enter.
3. Type .\LabUsers.ps1, and then press Enter.
4. Type the following command, and then press Enter:
Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com”
5. Close the Windows PowerShell prompt.
6. On LON-CL1, log on as Luka using a password of Pa$$w0rd.
Results: After completing this exercise, you will have used Windows PowerShell to create user accounts in bulk.
Exercise 3: Using Windows PowerShell to Modify User Accounts in Bulk
Task 1: Force all user accounts in LondonBranch to change password at next logon
1. On LON-DC1, on the task bar, click the Windows PowerShell icon.
2. At the Windows PowerShell Prompt, type the following command, and then press Enter:
Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Format-Wide DistinguishedName
3. Verify that only users from the LondonBranch organizational unit are listed.
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-ADUser –Filter * –SearchBase “ou=LondonBranch,dc=adatum,dc=com” | Set-ADUser –ChangePasswordAtLogon $true
5. Close Windows PowerShell.
Task 2: Configure the address for user accounts in LondonBranch
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the Navigation pane, browse to Adatum (local) > LondonBranch.
3. Click the Type column header to sort based on the object type.
4. Select all user accounts, right-click the user accounts, and then click Properties.
5. In the Multiple Users window, under Organization, select the Address check box.
6. In the Street box, type Branch Office.
7. In the City box, type London.
8. In the Country/Region box, select United Kingdom, and then click OK.
9. Close Active Directory Administrative Center.
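The bulk work of Exercise 2 (creating users from the .csv file) and Exercise 3 (forcing a password change and setting the address) can be done in one script. The following is an added example, not the lab's LabUsers.ps1; it assumes the ActiveDirectory module on LON-DC1, the LondonBranch OU created in Exercise 1, and constructed sample rows in place of LabUsers.csv.

```powershell
# Added example, not the lab's LabUsers.ps1: create accounts from a CSV with
# the header the lab requires, then apply the two bulk changes of Exercise 3.
Import-Module ActiveDirectory

$targetOu  = 'ou=LondonBranch,dc=adatum,dc=com'
$upnSuffix = 'adatum.com'   # assumed UPN suffix for the Adatum domain

# Constructed sample rows with the header from Exercise 2, Task 1, step 8.
# In the lab, read the real file instead: Import-Csv E:\Labfiles\Mod04\LabUsers.csv
$csvText = @'
FirstName,LastName,Department,DefaultPassword
Luka,Abrus,Sales,Pa$$w0rd
Maria,Cameron,Marketing,Pa$$w0rd
'@

function New-BranchUsers {
    param([object[]]$Rows, [string]$Path, [string]$Suffix)
    foreach ($row in $Rows) {
        $sam = $row.FirstName        # the lab logs on with the first name (Ty, Luka)
        if (Get-ADUser -LDAPFilter "(sAMAccountName=$sam)") {
            Write-Warning "Skipping $sam - an account with that logon name already exists"
            continue
        }
        $params = @{
            Name              = '{0} {1}' -f $row.FirstName, $row.LastName
            GivenName         = $row.FirstName
            Surname           = $row.LastName
            SamAccountName    = $sam
            UserPrincipalName = "$sam@$Suffix"
            Department        = $row.Department
            Path              = $Path
            AccountPassword   = ConvertTo-SecureString $row.DefaultPassword -AsPlainText -Force
            Enabled           = $true
            ErrorAction       = 'Stop'
        }
        New-ADUser @params
    }
}

$rows = $csvText | ConvertFrom-Csv
New-BranchUsers -Rows $rows -Path $targetOu -Suffix $upnSuffix

# Exercise 3, Task 1: every LondonBranch user must change the default password
$branchUsers = Get-ADUser -Filter * -SearchBase $targetOu
$branchUsers | Set-ADUser -ChangePasswordAtLogon $true

# Exercise 3, Task 2: the same address for all of them (Country takes the ISO code)
$branchUsers | Set-ADUser -StreetAddress 'Branch Office' -City 'London' -Country 'GB'

# Check the result: PasswordExpired is $true once the change-at-logon flag is set
Get-ADUser -Filter * -SearchBase $targetOu -Properties Department, City, PasswordExpired |
    Format-Table Name, SamAccountName, Department, City, PasswordExpired -AutoSize
```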
Results: After completing this exercise, you will have modified user accounts in bulk.
To prepare for the next module
When you finish the lab, revert all virtual machines back to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-DC1.
Module 5: Implementing IPv4
Lab: Implementing IPv4
Exercise 1: Identifying Appropriate Subnets
Task 1: Calculate the bits required to support the hosts on each subnet
1. How many bits are required to support 100 hosts on the client subnet?
Seven bits are required to support 100 hosts on the client subnet (2^7 - 2 = 126, 2^6 - 2 = 62).
2. How many bits are required to support 10 hosts on the server subnet?
Four bits are required to support 10 hosts on the server subnet (2^4 - 2 = 14, 2^3 - 2 = 6).
3. How many bits are required to support 40 hosts on the future expansion subnet?
Six bits are required to support 40 hosts on the future expansion subnet (2^6 - 2 = 62, 2^5 - 2 = 30).
4. If all subnets are the same size, can they be accommodated?
No. If all subnets are the same size, then all subnets must use 7 bits to support 126 hosts. Only a single class C–sized address with 254 hosts has been allocated. Three subnets of 126 hosts would not fit.
5. Which feature allows a single network to be divided into subnets of varying sizes?
Variable length subnet masking allows you to define different subnet masks when subnetting. Therefore, variable length subnet masking allows you to have subnets of varying sizes.
6. How many host bits will you use for each subnet? Use the simplest allocation possible.
The client subnet is 7 host bits. This allows for up to 126 hosts and uses half of the allocated address pool. The server and future expansion subnets are 6 host bits. This allows for up to 62 hosts on each subnet and uses the other half of the address pool.
Task 2: Calculate subnet masks and network IDs
1. Given the number of host bits allocated, what is the subnet mask that you will use for the client subnet?
• The client subnet is using 7 bits for the host ID. Therefore, you will use 25 bits for the subnet mask.
Binary Decimal
11111111.11111111.11111111.10000000 255.255.255.128
2. Given the number of host bits allocated, what is the subnet mask that you will use for the server subnet?
• The server subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary Decimal
11111111.11111111.11111111.11000000 255.255.255.192
3. Given the number of host bits allocated, what is the subnet mask that you will use for the future expansion subnet?
• The future expansion subnet is using 6 bits for the host ID. Therefore, you will use 26 bits for the subnet mask.
Binary Decimal
11111111.11111111.11111111.11000000 255.255.255.192
4. For the client subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the client subnet is the first subnet allocated from the available address pool.
Description Binary Decimal
Network ID 11000000.10101000.01100010.00000000 192.168.98.0
First host 11000000.10101000.01100010.00000001 192.168.98.1
Last host 11000000.10101000.01100010.01111110 192.168.98.126
Broadcast 11000000.10101000.01100010.01111111 192.168.98.127
5. For the server subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the server subnet is the second subnet allocated from the available address pool.
Description Binary Decimal
Network ID 11000000.10101000.01100010.10000000 192.168.98.128
First host 11000000.10101000.01100010.10000001 192.168.98.129
Last host 11000000.10101000.01100010.10111110 192.168.98.190
Broadcast 11000000.10101000.01100010.10111111 192.168.98.191
6. For the future allocation subnet, define the network ID, first available host, last available host, and broadcast address. Assume that the future allocation subnet is the third subnet allocated from the available address pool.
Description Binary Decimal
Network ID 11000000.10101000.01100010.11000000 192.168.98.192
First host 11000000.10101000.01100010.11000001 192.168.98.193
Last host 11000000.10101000.01100010.11111110 192.168.98.254
Broadcast 11000000.10101000.01100010.11111111 192.168.98.255
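The arithmetic of Tasks 1 and 2 can be checked with the following added PowerShell (not part of the course lab). It generalizes the hand calculation to any pool and any list of host-bit sizes, and it rejects a plan that does not fit, which is the situation of Task 1, question 4.

```powershell
# Added example, not part of the course lab: the subnet arithmetic of Exercise 1
# in PowerShell, so the hand-calculated tables can be verified.

function ConvertTo-AddressNumber([string]$Ip) {
    # Dotted quad -> 32-bit value held in a 64-bit integer (avoids sign issues)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-AddressNumber([int64]$Number, [switch]$Binary) {
    # Value -> dotted decimal, or dotted binary as used in the lab's tables
    $octets = 3..0 | ForEach-Object { ($Number -shr ($_ * 8)) -band 255 }
    if ($Binary) {
        $octets = $octets | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }
    }
    return $octets -join '.'
}

function Get-HostBits([int]$Hosts) {
    # Smallest n with 2^n - 2 >= Hosts (network and broadcast are not usable)
    $n = 1
    while (([math]::Pow(2, $n) - 2) -lt $Hosts) { $n++ }
    return $n
}

function Get-VlsmPlan {
    param(
        [string]$PoolNetwork = '192.168.98.0',   # the class C-sized pool of the lab scenario
        [int]$PoolPrefix     = 24,
        [int[]]$HostBits     = @(7, 6, 6)        # client, server, future expansion (Task 1, step 6)
    )
    $start   = ConvertTo-AddressNumber $PoolNetwork
    $poolEnd = $start + [int64][math]::Pow(2, 32 - $PoolPrefix)   # first address past the pool
    $next    = $start
    foreach ($bits in $HostBits) {
        $size = [int64][math]::Pow(2, $bits)
        if ($next + $size -gt $poolEnd) {
            throw "A subnet with $bits host bits does not fit in the remaining pool"
        }
        if ($next % $size -ne 0) {
            throw "Subnet with $bits host bits is not aligned; list larger subnets first"
        }
        $mask = 4294967295 - ($size - 1)
        [pscustomobject]@{
            HostBits  = $bits
            Mask      = ConvertFrom-AddressNumber $mask
            NetworkId = ConvertFrom-AddressNumber $next
            FirstHost = ConvertFrom-AddressNumber ($next + 1)
            LastHost  = ConvertFrom-AddressNumber ($next + $size - 2)
            Broadcast = ConvertFrom-AddressNumber ($next + $size - 1)
            Binary    = ConvertFrom-AddressNumber $next -Binary
        }
        $next += $size
    }
}

# Task 1: bits needed for 100, 10 and 40 hosts (7, 4 and 6)
'Host bits needed: client={0} server={1} future={2}' -f (Get-HostBits 100), (Get-HostBits 10), (Get-HostBits 40)

# Task 1, question 4: three equal 7-bit subnets need 384 addresses, the pool has 256
try { Get-VlsmPlan -HostBits 7, 7, 7 | Out-Null } catch { "Equal-sized subnets: $_" }

# Task 2: the simplest allocation, 7 + 6 + 6 host bits, fills the pool exactly
Get-VlsmPlan | Format-Table -AutoSize
```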
Results: After completing this exercise, you will have identified the subnets required to meet the requirements of the lab scenario.
Exercise 2: Troubleshooting IPv4
Task 1: Prepare for troubleshooting
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter.
3. Open a Windows Explorer window, and browse to \\LON-DC1\E$\Labfiles\Mod05.
4. Right-click Break.ps1, and then click Run with PowerShell.
5. Close Windows Explorer.
Task 2: Troubleshoot IPv4 connectivity between LON-SVR2 and LON-DC1
1. On LON-SVR2, at the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that the destination host is unreachable.
2. Type tracert LON-DC1, and then press Enter. Notice that the trace does not reach the host through the default gateway, and that the address responding is not the default gateway.
3. Type ipconfig, and then press Enter. Notice that the default gateway is configured correctly.
4. Type ping 10.10.0.1, and then press Enter. Notice that the default gateway is responding, but that packets are not being routed there.
5. Type Get-NetRoute, and then press Enter. Notice that the entry for the default gateway (0.0.0.0) is correct, but there is an unnecessary entry for the 172.16.0.0 network.
6. Type Remove-NetRoute -DestinationPrefix 172.16.0.0/16, and then press Enter. This removes the unnecessary route to the 172.16.0.0 network. The default gateway will be used for routing instead.
7. Press Y, and then press Enter to confirm removal of the route from the active routes.
8. Type ping LON-DC1, and then press Enter. Notice that the ping is now successful.
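Steps 2 through 6 above locate the stray route by reading the output of tracert and Get-NetRoute by eye. The following script is an added example, not part of the lab, that performs the same diagnosis on LON-SVR2 with the NetTCPIP cmdlets: it asks the stack which route it will actually use for LON-DC1, lists every non-default route that covers that destination, and removes the offending route only after an explicit confirmation prompt. It assumes LON-DC1 is 172.16.0.10 and the expected gateway is 10.10.0.1, as elsewhere in this lab.

```powershell
# Added example, not part of the 20410A lab: find a route that shadows the default gateway.

function Find-ShadowingRoute {
    param(
        [Parameter(Mandatory)][string]$Destination,   # IPv4 address you are trying to reach
        [string]$ExpectedNextHop = '10.10.0.1'        # the gateway the traffic should use
    )
    # Find-NetRoute performs the same longest-prefix match the stack applies to a packet.
    # It emits a NetIPAddress (chosen source) and a NetRoute; keep only the route.
    $chosen = Find-NetRoute -RemoteIPAddress $Destination | Where-Object { $_.DestinationPrefix }
    [pscustomobject]@{
        Destination = $Destination
        UsedPrefix  = $chosen.DestinationPrefix
        NextHop     = $chosen.NextHop
        Interface   = $chosen.InterfaceAlias
        # A non-default route whose next hop is not the expected gateway is what step 5 found.
        Shadowed    = ($chosen.DestinationPrefix -ne '0.0.0.0/0') -and ($chosen.NextHop -ne $ExpectedNextHop)
    }
}

function Get-RoutesCovering {
    # Every IPv4 route, other than the default route, whose prefix contains $Destination.
    param([Parameter(Mandatory)][string]$Destination)
    $target = [System.Net.IPAddress]::Parse($Destination).GetAddressBytes()
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' } |
        Where-Object {
            $prefix, $len = $_.DestinationPrefix -split '/'
            $p    = [System.Net.IPAddress]::Parse($prefix).GetAddressBytes()
            $bits = [int]$len
            $match = $true
            for ($i = 0; $i -lt 4 -and $match; $i++) {
                $n = [math]::Min(8, [math]::Max(0, $bits - 8 * $i))   # mask bits in this octet
                $m = if ($n -eq 0) { 0 } else { (0xFF -shl (8 - $n)) -band 0xFF }
                if (($p[$i] -band $m) -ne ($target[$i] -band $m)) { $match = $false }
            }
            $match
        }
}

$report = Find-ShadowingRoute -Destination 172.16.0.10
$report | Format-List

if ($report.Shadowed) {
    Get-RoutesCovering -Destination 172.16.0.10 |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
        Format-Table -AutoSize
    # -Confirm keeps the Y/N prompt from step 7 even if $ConfirmPreference has been lowered.
    Get-RoutesCovering -Destination 172.16.0.10 | Remove-NetRoute -Confirm
}
```

In the lab scenario the report shows UsedPrefix 172.16.0.0/16 rather than 0.0.0.0/0, which is the mismatch Get-NetRoute revealed in step 5; after the removal, re-running Find-ShadowingRoute should show the default route with NextHop 10.10.0.1.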
Task 3: To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.
Results: After completing this lab, you will have resolved an IPv4 connectivity problem.
Module 6: Implementing DHCP
Lab: Implementing DHCP
Exercise 1: Implementing DHCP
Task 1: Install the DHCP server role
1. Switch to LON-SVR1.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Next.
5. On Select destination server page, click Next.
6. On the Select server roles page, select the DHCP Server check box.
7. In the Add Roles and Features Wizard window, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the DHCP Server page, click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, wait until the message Installation succeeded on lon-svr1.adatum.com appears, and then click Close.
Task 2: Configure the DHCP scope and options
1. In the Server Manager Dashboard, click Tools, and then click DHCP.
2. In the DHCP console, expand lon-svr1.adatum.com.
3. Right-click lon-svr1.adatum.com, and then click Authorize.
4. In the DHCP console, right-click lon-svr1.adatum.com, and then click Refresh. Notice that the icons next to IPv4 and IPv6 change color from red to green, which means that the DHCP server has been authorized in Active Directory® Domain Services (AD DS).
5. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
6. In the New Scope Wizard, click Next.
7. On the Scope Name page, in the Name box, type Branch Office, and then click Next.
8. On the IP Address Range page, complete the page using the following information:
o Start IP address: 172.16.0.100
o End IP address: 172.16.0.200
o Length: 16
o Subnet mask: 255.255.0.0, and then click Next.
9. On the Add Exclusions and Delay page, complete the page using the following information:
o Start IP address: 172.16.0.190
o End IP address: 172.16.0.200, click Add, and then click Next.
10. On the Lease Duration page, click Next.
11. On the Configure DHCP Options page, click Next.
12. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then click Next.
13. On the Domain Name and DNS Servers page, click Next.
14. On the WINS Servers page, click Next.
15. On the Activate Scope page, click Next.
16. On the Completing the New Scope Wizard page, click Finish.
Task 3: Configure a client to use DHCP, and then test the configuration
1. To configure a client, switch to the LON-CL1 computer.
2. Move the mouse to the lower-right corner of the screen, click the Search icon, and then in the Search box, type Control Panel. Press Enter.
3. In Control Panel, under Network and Internet, click View Network Status and Tasks.
4. In the Network and Sharing Center window, click Change Adapter Settings.
5. In the Network Connections window, right-click Local Area Connection, and then click Properties.
6. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select the Obtain an IP address automatically radio button, select the Obtain DNS server address automatically radio button, click OK, and then click Close.
8. Move the mouse to the lower-right corner of the screen, click the Search icon, and then in the Search box, type Command Prompt. Press Enter.
9. Type ipconfig /renew, and then press Enter.
10. To test the configuration, verify that LON-CL1 has received an IP address from the DHCP scope by typing ipconfig /all at the command prompt. This command returns information such as the IP address, the subnet mask, and the DHCP Enabled status, which should be Yes.
Task 4: Configure a lease as a reservation
1. Switch to LON-CL1.
2. In the command prompt, type ipconfig /all, and then press Enter.
3. Write down the Physical Address of LON-CL1 network adapter.
4. Switch to LON-SVR1.
5. In the Server Manager dashboard, click Tools, and then click DHCP.
6. In the DHCP console, expand lon-svr1.adatum.com, expand IPv4, expand Branch Office, right-click Reservations, and then click New Reservation.
7. In the New Reservation window:
o In the Reservation Name field, type LON-CL1.
o In the IP address field, type 172.16.0.155.
o In the MAC address field, type the physical address you wrote down in step 3.
o Click Add, and then click Close.
8. Switch to LON-CL1.
9. In a command prompt, type ipconfig /release, and then press Enter. This causes LON-CL1 to release any currently leased IP addresses.
10. In a command prompt, type ipconfig /renew, and then press Enter. This causes LON-CL1 to lease any reserved IP addresses.
11. Verify that IP address of LON-CL1 is now 172.16.0.155.
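Tasks 2 and 4 above build the scope, exclusion, router option, and reservation in the DHCP console. The following is an added example, not part of the lab, that produces the same configuration on LON-SVR1 with the DhcpServer module that ships with Windows Server 2012 and then reads it back, including the list of DHCP servers authorized in AD DS. It assumes LON-SVR1 is 172.16.0.21 (the address the relay and DNS exercises use for it); the MAC address is a constructed placeholder to be replaced by the physical address recorded in Task 4 step 3.

```powershell
# Added example, not part of the 20410A lab: Exercise 1 Tasks 2 and 4 with the DhcpServer module.
Import-Module DhcpServer

# Task 2 step 3: authorize the server in AD DS. Until this is done, a domain-joined DHCP
# server will not hand out leases, which is the safeguard against a stray DHCP server.
Add-DhcpServerInDC -DnsName lon-svr1.adatum.com -IPAddress 172.16.0.21

# Task 2 steps 7-16: the scope, its exclusion range and the router option.
Add-DhcpServerv4Scope -Name 'Branch Office' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.0.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 172.16.0.0 -StartRange 172.16.0.190 -EndRange 172.16.0.200
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1

# Task 4 step 7: the reservation for LON-CL1.
$lonCl1Mac = '00-15-5D-00-00-01'   # constructed placeholder; use the address from ipconfig /all
Add-DhcpServerv4Reservation -ScopeId 172.16.0.0 -IPAddress 172.16.0.155 -ClientId $lonCl1Mac `
    -Name 'LON-CL1' -Description 'Fixed address for LON-CL1'

# Read the result back: scope, exclusion, reservation and current leases.
Get-DhcpServerv4Scope -ScopeId 172.16.0.0 | Format-List Name, StartRange, EndRange, SubnetMask, State
Get-DhcpServerv4ExclusionRange -ScopeId 172.16.0.0
Get-DhcpServerv4Reservation -ScopeId 172.16.0.0
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 | Format-Table IPAddress, ClientId, HostName, AddressState -AutoSize

# Which servers are authorized in the forest. Anything here you did not deploy deserves a look,
# because an authorized server can push its own gateway and DNS options to every client.
Get-DhcpServerInDC
```

After LON-CL1 runs ipconfig /release and ipconfig /renew as in steps 9 and 10, the lease listing shows 172.16.0.155 against LON-CL1's client ID with an address state that marks it as a reservation.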
Task 5: To prepare for the optional exercise
If you are going to do the optional exercise, revert the virtual machines that are no longer required. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.
Results: After completing these tasks, you will have implemented DHCP, configured a DHCP scope and options, and configured a DHCP reservation.
Exercise 2: Implementing a DHCP Relay (Optional Exercise)
Task 1: Install the DHCP relay agent
1. Switch to LON-RTR.
2. In Server Manager, click on Tools, and then click Routing and Remote Access.
3. In the navigation pane, expand LON-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.
4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.
Task 2: Configure the DHCP relay agent
1. In the navigation pane, right-click DHCP Relay Agent, and then click New Interface.
2. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.
3. In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.
4. Right-click DHCP Relay Agent and then click Properties.
5. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 172.16.0.21, click Add, and then click OK.
6. Close Routing and Remote Access.
Task 3: Test the DHCP relay with a client
Note: To test how a client in another subnet receives an IP address through the DHCP relay agent, you need to create another DHCP scope.
1. Switch to LON-SVR1.
2. In the Server Manager Dashboard, click Tools, and then click DHCP.
3. In the DHCP console, expand lon-svr1.adatum.com.
4. In the DHCP console, in the navigation pane, click lon-svr1.adatum.com, expand IPv4, right-click IPv4, and then click New Scope.
5. In the New Scope Wizard, click Next.
6. On the Scope Name page, in the Name box, type Branch Office 2, and then click Next.
7. On the IP Address Range page, complete the page using the following information, and then click Next:
o Start IP address: 10.10.0.100
o End IP address: 10.10.0.200
o Length: 16
o Subnet mask: 255.255.0.0
8. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
o Start IP address: 10.10.0.190
o End IP address: 10.10.0.200
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 10.10.0.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
16. To test the client, switch to LON-CL2.
17. On the Start screen, type Control Panel. Press Enter.
18. Under Network and Internet, click View network status and tasks.
19. In the Network and Sharing Center window, click Change Adapter Settings, right-click Local Area Connection, and then click Properties.
20. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
21. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click on Obtain IP address automatically, then click on Obtain DNS server address automatically, click OK and then click Close.
22. Move the mouse to the lower-right corner of the screen, click Search, type cmd, and then press Enter to start a command prompt.
23. At the command prompt, type ipconfig /renew, and then press Enter.
24. Verify that the IP address and DNS server settings on LON-CL2 are obtained from the Branch Office 2 scope on the DHCP server LON-SVR1.
Note: The IP address should be in the range 10.10.0.100/16 to 10.10.0.200/16.
Task 4: To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR2, 20410A-LON-RTR, and 20410A-LON-CL2.
Results: After completing these tasks, you will have implemented a DHCP relay agent.
Module 7: Implementing DNS
Lab: Implementing DNS
Exercise 1: Installing and Configuring DNS
Task 1: Configure LON-SVR1 as a domain controller without installing the DNS server role
1. Log on to LON-SVR1 as Adatum\Administrator using the password Pa$$w0rd.
2. In the Server Manager console, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that LON-SVR1.Adatum.com is selected, and then click Next.
6. On the Select server roles page, select Active Directory Domain Services.
7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the Active Directory Domain Services page, click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, when the Installation succeeded message displays, click Close.
12. In the Server Manager console, on the navigation page, click AD DS.
13. In the title bar where Configuration required for Active Directory Domain Services at LON-SVR1 displays, click More.
14. On the All Server Task Details and Notifications page, click Promote this server to a domain controller.
15. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, ensure that Add a domain controller to an existing domain is selected, and then click Next.
16. On the Domain Controller Options page, clear the Domain Name System (DNS) server check box, and leave only Global Catalog (GC) selected. Type Pa$$w0rd in both text fields, and then click Next.
17. On the Additional Options page, click Next.
18. On the Paths page, click Next.
19. On the Review Options page, click Next.
20. On the Prerequisites Check page, click Install.
Note: The server restarts automatically as part of this procedure.
21. After LON-SVR1 restarts, log on as Adatum\Administrator.
Task 2: Review configuration settings on the existing DNS server to confirm root hints
1. Log on to LON-DC1 as Adatum\Administrator using the password Pa$$w0rd.
2. In the Server Manager console, click Tools.
3. Click DNS.
4. In the DNS Manager console, click and then right-click LON-DC1, and then select Properties.
5. Click the Root hints tab. Ensure that root hints servers display.
6. Click the Forwarders tab. Ensure that the list displays no entries, and that the Use root hints if no forwarders are available option is selected.
7. Click Cancel.
8. Close the DNS Manager console.
Task 3: Add the DNS server role for the branch office on the domain controller
1. On LON-SVR1, in the Server Manager console, click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, ensure that LON-SVR1.Adatum.com is selected, and then click Next.
5. On the Select server roles page, select DNS Server.
6. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
7. On the Select Features page, click Next.
8. On the DNS Server page, click Next.
9. On the Confirm installation selections page, click Install.
10. On the Installation progress page, when the message Installation succeeded displays, click Close.
Task 4: Verify replication of the Adatum.com Active Directory-integrated zone
1. On LON-SVR1, in the Server Manager console, click Tools.
2. Select DNS.
3. In the DNS Manager console, expand LON-SVR1, and then expand Forward Lookup Zones. This container will most likely be empty.
4. Switch back to Server Manager, click Tools, and then select Active Directory Sites and Services.
5. In the Active Directory Sites and Services console, expand Sites, expand Default-First-Site-Name, expand Servers, expand LON-DC1, and then click NTDS Settings.
6. In the right pane, right-click the LON-SVR1 replication connection, and select Replicate Now.
Note: If you receive an error message, proceed to the next step and then retry this step after 3-4 minutes.
7. In the navigation pane, expand LON-SVR1, and then click NTDS Settings.
8. In the right pane, right-click the LON-DC1 replication connection, and then select Replicate Now. Click OK.
9. Switch back to the DNS Manager console, right-click Forward Lookup Zones, and then select Refresh.
10. Ensure that both the _msdcs.Adatum.com and Adatum.com containers display.
11. Close DNS Manager.
Task 5: Use NSLookup to test non-local resolution
1. On LON-SVR1, switch to the Start screen, and type Control Panel. Press Enter.
2. In Control Panel, click View network status and tasks.
3. Click Change adapter settings.
4. Right-click Local Area connection, and then select Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. In the preferred DNS server field, remove the IP address, type 127.0.0.1, click OK, and then click Close.
7. On LON-SVR1, right-click the taskbar, and select Task Manager.
8. In the Task Manager window, click More details.
9. Click the File menu, and then click Run new task.
10. In the Create new task window, type cmd, and then press Enter.
11. In the command prompt window, type nslookup, and press Enter.
12. At the nslookup prompt, type www.nwtraders.msft, and then press Enter. You will not receive any reply, because that zone does not exist on the DNS server on LON-SVR1.
13. In the command prompt window type quit, and press Enter.
14. Leave the command prompt window open.
Task 6: Configure Internet name resolution to forward to the head office
1. On LON-SVR1, open the DNS Manager console.
2. In the DNS Manager console, right-click LON-SVR1, and then click Properties.
3. Click the Forwarders tab, and then click Edit.
4. In the Edit Forwarders window, type 172.16.0.10, and then click OK two times.
Task 7: Use NSLookup to confirm name resolution
1. On LON-SVR1, switch to a command prompt window.
2. In the command prompt window, type nslookup, and then press Enter.
3. At the nslookup prompt, type www.nwtraders.msft, and then press Enter.
4. Ensure that you receive an IP address for this host as a non-authoritative answer.
5. Type quit, and then press Enter.
Results: After completing this exercise, you will have installed and configured DNS on LON-SVR1.
Exercise 2: Creating Host Records in DNS
Task 1: Configure a client to use LON-SVR1 as a DNS server
1. On LON-CL1, log on as Adatum\Administrator using the password Pa$$w0rd.
2. On the Start screen, type Control Panel. Press Enter.
3. In Control Panel, click View network status and tasks.
4. Click Change adapter settings.
5. Right-click Local Area connection, and then select Properties.
6. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. Delete the IP address for preferred DNS server. In the preferred DNS server box, type 172.16.0.21, click OK, and then click Close.
Task 2: Create several host records in the Adatum.com domain for web apps
1. On LON-DC1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click on Adatum.com.
3. Right-click Adatum.com, and select New Host (A or AAAA).
4. In the New Host window, configure the following settings:
o Name: www
o IP address: 172.16.0.100
5. Click Add Host, and then click OK.
6. In the New Host window, configure the following settings:
o Name: ftp
o IP address: 172.16.0.200
7. Click Add Host, click OK, and then click Done.
Task 3: Verify replication of the new records to LON-SVR1
1. On LON-SVR1, in the Server Manager console, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-SVR1, expand Forward Lookup Zones, and then click Adatum.com.
3. Ensure that both www and ftp resource records display. (If they do not display, right-click Adatum.com, and then select Refresh). It may take a couple of minutes for the records to appear.
Task 4: Use the ping command to locate the new records from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.
2. In the Task Manager window, click More details.
3. Open the File menu, and then select Run new task.
4. In the Create new task window, type cmd, and then press Enter.
5. In the Command prompt window, type ping www.adatum.com, and then press Enter.
6. Make sure that the name resolves to 172.16.0.100. (You will not receive replies.)
7. Type ping ftp.adatum.com, and then press Enter.
8. Ensure that the name resolves to 172.16.0.200. (You will not receive replies.)
9. Close the command prompt window and the Task Manager.
Results: After completing this exercise, you will have configured DNS records.
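Exercise 1 Task 6 and Exercise 2 Tasks 2 and 3 above configure the forwarder and create the records in DNS Manager, then wait for replication. The following is an added example, not part of the lab, that does the same with the DnsServer and DnsClient modules of Windows Server 2012 and polls LON-SVR1 directly until the replicated records answer, using Resolve-DnsName in place of nslookup. It assumes LON-DC1 is 172.16.0.10 and LON-SVR1 is 172.16.0.21, as the lab's own steps state; the Wait-DnsRecord function is this example's own.

```powershell
# Added example, not part of the 20410A lab: forwarder, host records and replication check.
Import-Module DnsServer
Import-Module DnsClient

# Exercise 1, Task 6: LON-SVR1 forwards names it is not authoritative for to the head office,
# and falls back to root hints only if the forwarder does not answer.
Set-DnsServerForwarder -ComputerName LON-SVR1 -IPAddress 172.16.0.10 -UseRootHint $true
Get-DnsServerForwarder -ComputerName LON-SVR1 | Format-List IPAddress, UseRootHint, Timeout

# Exercise 2, Task 2: host records in the AD-integrated Adatum.com zone, created on LON-DC1.
$records = @(
    [pscustomobject]@{ Name = 'www'; IPv4Address = '172.16.0.100' },
    [pscustomobject]@{ Name = 'ftp'; IPv4Address = '172.16.0.200' }
)
foreach ($r in $records) {
    Add-DnsServerResourceRecordA -ComputerName LON-DC1 -ZoneName 'Adatum.com' `
        -Name $r.Name -IPv4Address $r.IPv4Address
}

# Exercise 2, Task 3: AD replication carries the records to LON-SVR1 after a short delay.
# Ask LON-SVR1 itself (-Server) and bypass the local cache and hosts file (-DnsOnly), so the
# answer reflects what that server holds and not what this machine remembered.
function Wait-DnsRecord {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Expected,
        [int]$TimeoutSeconds = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' }
        if ($answer -and ($answer.IPAddress -contains $Expected)) {
            return [pscustomobject]@{ Name = $Name; Server = $Server; IPAddress = $Expected; Replicated = $true }
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    [pscustomobject]@{ Name = $Name; Server = $Server; IPAddress = $null; Replicated = $false }
}

Wait-DnsRecord -Name www.adatum.com -Server 172.16.0.21 -Expected 172.16.0.100
Wait-DnsRecord -Name ftp.adatum.com -Server 172.16.0.21 -Expected 172.16.0.200
```

Querying the server by address with -DnsOnly is the part that matters: a plain ping from LON-CL1, as in Task 4, can succeed or fail because of the client's resolver cache rather than because of what LON-SVR1 has replicated.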
Exercise 3: Managing the DNS Server Cache
Task 1: Use the ping command to locate an Internet record from LON-CL1
1. On LON-CL1, right-click the taskbar, and then select Task Manager.
2. In the Task Manager window, click More details.
3. Open the File menu, and select Run new task.
4. In the Create new task window, type cmd, and then press Enter.
5. In the command prompt window, type ping www.nwtraders.msft, and then press Enter.
6. Ping will not work, but ensure that the name resolves to an IP address.
7. Leave the command prompt window open.
Task 2: Update the Internet record to point to the LON-DC1 IP address, and then retry the lookup using ping
1. On LON-DC1, open DNS Manager.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click nwtraders.msft.
3. In the right pane, right-click www, and then select Properties.
4. Change the IP address to 172.16.0.10, and then click OK.
5. Switch back to LON-CL1.
6. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. Ping will not work, and the old IP address is still displayed in the command prompt window.
Task 3: Examine the content of the DNS cache
1. Switch to LON-SVR1, and in the Server Manager console, click Tools, and then click DNS.
2. Select LON-SVR1, click the View menu, and then select Advanced.
3. Expand LON-SVR1, expand the Cached Lookups node, expand .(root), expand msft, and then click nwtraders.
4. In the right pane, examine the cached content.
5. Switch to LON-CL1.
6. In the command prompt window, type ipconfig /displaydns, and then press Enter.
7. Look for cached entries.
Task 4: Clear the cache, and retry ping
1. On LON-SVR1, in the DNS Manager console, right-click LON-SVR1, and then select Clear Cache.
2. Switch to LON-CL1.
3. In the command prompt window, type ping www.nwtraders.msft, and then press Enter. The old IP address is still returned.
4. In a command prompt window, type ipconfig /flushdns, and then press Enter.
5. In the command prompt window, type ping www.nwtraders.msft, and press Enter.
6. The name now resolves to 172.16.0.10, and the ping should succeed.
Task 5: To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
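Exercise 3 shows that the old answer for www.nwtraders.msft survives first in the DNS server cache on LON-SVR1 and then, separately, in the client resolver cache, so both must be cleared. The following is an added example, not part of the lab, that reads both caches and the authoritative answer side by side with PowerShell, then flushes them in the order Task 4 uses. It is written to run on LON-SVR1, which has both the DnsClient module and the DnsServer cmdlets, so the "client cache" it reports is LON-SVR1's own resolver cache; Get-CachedAnswer is this example's own function, and 172.16.0.10 is LON-DC1 as in the lab.

```powershell
# Added example, not part of the 20410A lab: the two caches Exercise 3 walks through.
Import-Module DnsClient
Import-Module DnsServer

function Get-CachedAnswer {
    # What a client on this machine would currently get for $Name: the local resolver cache,
    # the branch server's cache, and the authoritative answer from the head office.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$BranchServer  = 'LON-SVR1',
        [string]$Authoritative = '172.16.0.10'
    )
    # Client resolver cache (what ipconfig /displaydns lists); keep IPv4 data only.
    $local = Get-DnsClientCache -ErrorAction SilentlyContinue |
             Where-Object { $_.Entry -eq $Name -and $_.Data -match '^\d+\.\d+\.\d+\.\d+$' }

    # Server cache (the Cached Lookups node in DNS Manager). Names are stored fully
    # qualified, usually with a trailing dot, so normalise before comparing.
    $server = Show-DnsServerCache -ComputerName $BranchServer -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordType -eq 'A' -and $_.HostName.TrimEnd('.') -ieq $Name }

    # Authoritative answer, asked of LON-DC1 directly, bypassing every cache.
    $auth = Resolve-DnsName -Name $Name -Type A -Server $Authoritative -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }

    [pscustomobject]@{
        Name           = $Name
        ClientCache    = ($local  | ForEach-Object { $_.Data }) -join ','
        ClientCacheTtl = ($local  | ForEach-Object { $_.TimeToLive }) -join ','
        ServerCache    = ($server | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ','
        Authoritative  = ($auth   | ForEach-Object { $_.IPAddress }) -join ','
    }
}

# After Task 2 changed the record on LON-DC1: Authoritative shows 172.16.0.10 while the
# two cache columns still hold the previous address.
Get-CachedAnswer -Name 'www.nwtraders.msft' | Format-List

# Task 4, scripted: clear the server cache first, then the client cache, then look again.
Clear-DnsServerCache -ComputerName LON-SVR1 -Force
Clear-DnsClientCache
Get-CachedAnswer -Name 'www.nwtraders.msft' | Format-List
```

The ClientCacheTtl column explains the delay the lab makes you sit through: until that many seconds pass, or the cache is flushed, the resolver answers from memory and never asks LON-SVR1, which is also why a changed or poisoned cache entry outlives the fix on the authoritative server.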
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Results: After completing this exercise, you will have examined the DNS server cache.
Module 8: Implementing IPv6
Lab: Implementing IPv6
Exercise 1: Configuring an IPv6 Network
Task 1: Verify IPv4 routing
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type ping lon-dc1, and then press Enter. Notice that there are four replies from 172.16.0.10.
3. Type ipconfig, and then press Enter.
4. Verify that the only IPv6 address listed is a link-local address.
Task 2: Disable IPv6 on LON-DC1
1. On LON-DC1, in Server Manager, click Local Server.
2. In the Properties window, beside Local Area Connection, click 172.16.0.10, IPv6 enabled.
3. In the Network Connections window, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties window, clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
5. Close the Network Connections window.
6. In Server Manager, verify that Local Area Connection lists only 172.16.0.10. You may need to refresh the view.
Task 3: Disable IPv4 on LON-SVR2
1. On LON-SVR2, in Server Manager, click Local Server.
2. In the Properties window, next to Local Area Connection, click 10.10.0.24, IPv6 enabled.
3. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
4. In the Local Area Connection 2 Properties window, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK.
5. Close the Network Connections window.
6. In Server Manager, verify that Local Area Connection now lists only IPv6 enabled. You may need to refresh the view.
Task 4: Configure an IPv6 network on LON-RTR
1. On LON-RTR, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
New-NetRoute -InterfaceAlias "Local Area Connection 2" -DestinationPrefix 2001:db8:0:1::/64 -Publish Yes
3. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
Set-NetIPInterface -InterfaceAlias "Local Area Connection 2" -AddressFamily IPv6 -Advertising Enabled
4. Type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.
Task 5: Verify IPv6 on LON-SVR2
• On LON-SVR2, at the Windows PowerShell prompt, type ipconfig, and then press Enter. Notice that Local Area Connection 2 now has an IPv6 address on the 2001:db8:0:1::/64 network.
Results: After completing the exercise, students will have configured an IPv6-only network.
Exercise 2: Configuring an ISATAP Router
Task 1: Add an ISATAP host record to DNS
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type ISATAP.
5. In the IP address box, type 172.16.0.1, and then click Add Host.
6. Click OK to clear the success message.
7. Click Done to close the New Host window.
8. Close DNS Manager.
Task 2: Enable the ISATAP router on LON-RTR
1. On LON-RTR, at the Windows PowerShell prompt, type the following command, and then press Enter:
Set-NetIsatapConfiguration -Router 172.16.0.1
2. Type the following command, and then press Enter:
Get-NetIPAddress | Format-Table InterfaceAlias,InterfaceIndex,IPv6Address
3. Record the InterfaceIndex of the isatap interface that has an IPv6 address that includes 172.16.0.1. Interface index:
4. Type the following command, and then press Enter:
Get-NetIPInterface -InterfaceIndex IndexYouRecorded -PolicyStore ActiveStore | Format-List
5. Verify that Forwarding is enabled for the interface and that Advertising is disabled.
6. Type the following command, and then press Enter:
Set-NetIPInterface -InterfaceIndex IndexYouRecorded -Advertising Enabled
7. Type the following command, and then press Enter:
New-NetRoute -InterfaceIndex IndexYouRecorded -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes
8. Type the following command, and then press Enter:
Get-NetIPAddress -InterfaceIndex IndexYouRecorded
9. Verify that an IPv6 address is listed on the 2001:db8:0:2::/64 network.
Task 3: Remove ISATAP from the DNS Global Query Block List
1. On LON-DC1, at the Windows PowerShell prompt, type regedit, and then press Enter.
2. In the Registry Editor window, expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand DNS, click Parameters, and double-click GlobalQueryBlockList.
3. In the Edit Multi-String window, delete isatap, and then click OK.
4. If an error appears indicating that there was an empty string, click OK to continue.
5. Close the Registry Editor.
6. At the Windows PowerShell prompt, type Restart-Service DNS -Verbose, and then press Enter.
7. Type ping isatap, and then press Enter. The name should resolve, and you should receive four Request timed out messages for 172.16.0.1.
Task 4: Enable ISATAP on LON-DC1
1. On LON-DC1, at the Windows PowerShell prompt, type the following command, and then press Enter:
Set-NetIsatapConfiguration -State Enabled
2. Type ipconfig, and then press Enter.
3. Verify that the Tunnel adapter for ISATAP has an IPv6 address on the 2001:db8:0:2::/64 network. Notice that this address includes the IPv4 address of LON-DC1.
Task 5: Test connectivity
1. On LON-SVR2, at the Windows PowerShell prompt, type the following command, and then press Enter:
ping 2001:db8:0:2:0:5efe:172.16.0.10
2. In Server Manager, if necessary, click Local Server.
3. In the Properties window, next to Local Area Connection 2, click IPv6 enabled.
4. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
5. In the Local Area Connection 2 Properties window, click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.
6. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click Use the following DNS server addresses.
7. In the Preferred DNS server box, type 2001:db8:0:2:0:5efe:172.16.0.10, and then click OK.
8. In the Local Area Connection 2 Properties window, click Close.
9. Close the Network Connections window.
10. At the Windows PowerShell prompt, type ping LON-DC1, and then press Enter. Notice that four replies are received from LON-DC1.
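Tasks 2 and 3 above have you copy the ISATAP interface index by hand and edit the GlobalQueryBlockList in the registry. The following is an added example, not part of the lab, that scripts the same two tasks: on LON-RTR it finds the ISATAP interface by the IPv4 address embedded in its address, enables advertising and publishes the prefix, then verifies the result; on LON-DC1 it removes isatap from the block list with the DnsServer cmdlets instead of regedit, leaving wpad in place. The addresses and prefix are the lab's own (router 172.16.0.1, prefix 2001:db8:0:2::/64); the regular expression and variable names are this example's.

```powershell
# Added example, not part of the 20410A lab: Exercise 2 Tasks 2 and 3 scripted.

# --- On LON-RTR (Task 2) ---
Set-NetIsatapConfiguration -Router 172.16.0.1

# An ISATAP interface identifier ends in 5efe followed by the IPv4 address, which is how
# step 3 tells the right isatap interface apart; link-local addresses carry a %zone suffix.
$isatap = Get-NetIPAddress -AddressFamily IPv6 |
          Where-Object { $_.InterfaceAlias -like 'isatap*' -and
                         $_.IPv6Address -match '5efe:172\.16\.0\.1(%\d+)?$' }
if (-not $isatap) { throw 'No ISATAP interface carrying 172.16.0.1 was found.' }
$ifIndex = $isatap.InterfaceIndex | Select-Object -First 1

# Steps 6-7: advertise on the tunnel interface and publish the prefix in router advertisements.
Set-NetIPInterface -InterfaceIndex $ifIndex -Advertising Enabled
New-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix 2001:db8:0:2::/64 -Publish Yes

# Steps 5, 8, 9: forwarding and advertising on, and an address on the published prefix.
Get-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv6 -PolicyStore ActiveStore |
    Format-List InterfaceAlias, Forwarding, Advertising
Get-NetIPAddress -InterfaceIndex $ifIndex |
    Where-Object { $_.IPv6Address -like '2001:db8:0:2:*' } |
    Format-Table InterfaceAlias, IPv6Address, PrefixLength -AutoSize

# --- On LON-DC1 (Task 3) ---
# The DNS server refuses to answer for names on its global query block list. "isatap" and
# "wpad" are there by default so that one host record cannot redirect every ISATAP or
# proxy-autodiscovery client in the domain; remove only isatap and keep wpad blocked.
$blockList = (Get-DnsServerGlobalQueryBlockList).List
Set-DnsServerGlobalQueryBlockList -List @($blockList | Where-Object { $_ -ne 'isatap' })
Restart-Service DNS -Verbose

Get-DnsServerGlobalQueryBlockList                           # expect Enable True, List wpad
Resolve-DnsName -Name isatap.adatum.com -Type A -DnsOnly    # expect 172.16.0.1 (step 7)
```

If the block list were emptied rather than trimmed, wpad.adatum.com would become resolvable too, and any account able to register that name could direct browser proxy traffic through a host of its choosing; keeping the list to exactly what the lab needs is the point of editing it rather than disabling it.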
Task 6: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-RTR and 20410A-LON-SVR2.
Results: After completing this exercise, students will have configured an ISATAP router on LON-RTR to allow communication between an IPv6-only network and an IPv4-only network.
Module 9: Implementing Local Storage
Lab: Implementing Local Storage
Exercise 1: Installing and Configuring a New Disk
Task 1: Initialize a new disk
1. Log on to LON-SVR1 with the user name Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then in the Tools drop-down list, click Computer Management.
3. In the Computer Management console, under the Storage node, click Disk Management.
4. In the Disks pane, right-click Disk 2, and then in the drop-down list, click Online.
5. Right-click Disk 2, and then click Initialize Disk.
6. In the Initialize Disk dialog box, select the Disk 2 check box, ensure that all other Disk check boxes are cleared, click GPT (GUID Partition Table), and then click OK.
Task 2: Create and format two simple volumes on the disk
1. In the Computer Management console, in Disk Management, right-click the black marked box to the right of Disk 2, and then click New Simple Volume.
2. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click Next.
3. On the Specify Volume Size page, in the Simple volume size MB field, type 4000, and then click Next.
4. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected and that F is selected in the drop-down list, and then click Next.
5. On the Format Partition page, from the File system drop-down menu, click NTFS, in the Volume label text box, type Volume1, and then click Next.
6. On Completing the New Simple Volume Wizard page, click Finish.
7. In the Disk Management window, right-click the black marked box to the right of Disk 2, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, in the Simple volume size in MB field, type 5000, and then click Next.
10. On the Assign Drive Letter or Path page, ensure that the Assign the following drive letter check box is selected and that G is selected in the drop-down list, and then click Next.
11. On the Format Partition page, from the File system drop-down menu, click ReFS, in the Volume label text box, type Volume2, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
Task 3: Verify the drive letters in a Windows® Explorer window
1. On the taskbar, open a Windows Explorer window, expand Computer, and then click Volume1 (F:).
2. In Windows Explorer, click Volume2 (G:), right-click Volume2 (G:), point to New, and then click Folder.
3. In the New folder field, type Folder1, and then press Enter.
Results: After you complete this lab, you should have initialized a new disk, created two simple volumes, and formatted them. You should also have verified that the drive letters are available in Windows Explorer.
Exercise 2: Resizing Volumes
Task 1: Shrink Volume1
1. On LON-SVR1, switch to the Computer Management console.
2. In the Computer Management console, in Disk Management, in the middle pane, right-click Volume1 (F:), and then click Shrink Volume.
3. In the Shrink F: window, in the Enter the amount of space to shrink in MB field, type 1000, and then click Shrink.
Task 2: Extend Volume2
1. On LON-SVR1, in Disk Management, in the middle pane, right-click Volume2 (G:), and then click Extend Volume.
2. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
3. On the Select Disks page, in the Select the amount of space in MB field, type 1000, and then click Next.
4. On the Completing the Extend Volume Wizard page, click Finish.
5. In a Windows Explorer window, click Volume2 (G:), and verify that Folder1 is available on the volume.
Results: After this lab, you should have made one volume smaller, and extended another.
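Exercises 1 and 2 as an added PowerShell example (not part of the course manual), using the Storage module cmdlets on LON-SVR1; the disk number, sizes, drive letters and labels follow the lab, while the helper functions Resize-LabVolumes and Get-LabVolumeState are assumptions of this example.

```powershell
# Added example, not the course's own code. Storage cmdlets as shipped in
# Windows Server 2012. Disk number, sizes, letters and labels follow the lab.
$diskNumber = 2   # "Disk 2" in Disk Management, already online and initialized (Exercise 1, Task 1)

# Exercise 1: a 4000 MB NTFS volume (F:, Volume1) and a 5000 MB ReFS volume (G:, Volume2).
New-Partition -DiskNumber $diskNumber -Size 4000MB -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Volume1' -Confirm:$false | Out-Null
New-Partition -DiskNumber $diskNumber -Size 5000MB -DriveLetter G |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Volume2' -Confirm:$false | Out-Null
New-Item -Path 'G:\Folder1' -ItemType Directory | Out-Null

# Exercise 2: shrink F: by 1000 MB, then extend G: by 1000 MB. Resize-Partition takes
# the new total size, not a delta. A partition can only grow into unallocated space
# that directly follows it, so G: needs free space after it on the disk; the 1000 MB
# freed by shrinking F: sits before G: and cannot be used for that.
function Resize-LabVolumes {
    $f = Get-Partition -DriveLetter F
    Resize-Partition -DriveLetter F -Size ($f.Size - 1000MB)

    $g      = Get-Partition -DriveLetter G
    $max    = (Get-PartitionSupportedSize -DriveLetter G).SizeMax
    $target = $g.Size + 1000MB
    if ($target -gt $max) {
        throw "Only $([int](($max - $g.Size) / 1MB)) MB of contiguous free space after G:"
    }
    Resize-Partition -DriveLetter G -Size $target
}

function Get-LabVolumeState {
    # Size, file system and label per volume, plus whether Folder1 survived the resize
    # (the lab checks that by opening G: in Windows Explorer).
    foreach ($letter in 'F', 'G') {
        $v = Get-Volume -DriveLetter $letter
        [pscustomobject]@{
            Drive          = "$($letter):"
            Label          = $v.FileSystemLabel
            FileSystem     = $v.FileSystem
            SizeMB         = [int]($v.Size / 1MB)
            Folder1Present = if ($letter -eq 'G') { Test-Path 'G:\Folder1' } else { $null }
        }
    }
}

Resize-LabVolumes
Get-LabVolumeState
```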
Exercise 3: Configuring a Redundant Storage Space
Task 1: Create a storage pool from five disks that are attached to the server
1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In the left pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down menu, click New Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.
6. On the Select physical disks for the storage pool page, click the following Physical disks, and then click Next:
o PhysicalDisk3
o PhysicalDisk4
o PhysicalDisk5
o PhysicalDisk6
o PhysicalDisk7
7. On the Confirm selections page, click Create.
8. On the View results page, wait until the creation completes, then click Close.
Task 2: Create a three-way mirrored virtual disk
1. On LON-SVR1, in Server Manager, in the Storage Spaces pane, click StoragePool1.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down menu, click New Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored Disk, and then click Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View results page, wait until the creation completes, ensure that the Create a volume when this wizard closes check box is selected, and then click Close.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the Mirrored Disk virtual disk, and then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, ensure that H is selected in the Drive letter drop-down menu, and then click Next.
16. On the Select file system settings page, in the File system drop-down menu, select ReFS, in the Volume label box, type Mirrored Volume, and then click Next.
17. On the Confirm selections page, click Create.
18. On the Completion page, wait until the creation completes, and then click Close.
Task 3: Copy a file to the volume, and verify that it is visible in Windows Explorer
1. Switch to the Start screen, type command prompt, and then press Enter.
2. In the command prompt window, type the following command, and then press Enter:
Copy C:\windows\system32\mspaint.exe H:\
3. Close the command prompt window.
4. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).
5. Verify that mspaint.exe displays in the file list.
6. Close Windows Explorer.
Task 4: Remove a physical drive
1. On the host machine, in Hyper-V Manager, in the Virtual Machines pane, right-click 20410A-LON-SVR1, and then click Settings.
2. In Settings for 20410A-LON-SVR1, in the Hardware pane, click Hard Drive 20410A-LON-SVR1-Disk5.vhdx.
3. In the Hard Drive pane, click Remove, and then click OK. Click Continue.
Task 5: Verify that the mspaint.exe file is still accessible
1. Switch to LON-SVR1.
2. On the taskbar, click the Windows Explorer icon, and in the Windows Explorer window, click Mirrored Volume (H:).
3. In the file list pane, verify that mspaint.exe is still available.
4. Close Windows Explorer.
5. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button. Notice the warning that displays next to Mirrored Disk.
6. In the VIRTUAL DISK pane, right-click Mirrored Disk, and then click Properties.
7. In the Mirrored Disk Properties window, in the left pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Incomplete or Degraded.
8. Click OK to close the Mirrored Disk Properties window.
Task 6: Add a new disk to the storage pool
1. Switch to LON-SVR1.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh “Storage Pools” button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then click Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk8 (LON-SVR1), and then click OK.
Results: After completing this lab, you should have created a storage pool and added five disks to it. Then you should have created a three-way mirrored, thinly provisioned virtual disk from the storage pool. You should have also copied a file to the new volume and verified that it is accessible. Next, you should have verified that the virtual disk was still available and could be accessed after removing a physical drive. Finally, you should have added another physical disk to the storage pool.
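Exercise 3 as an added PowerShell example (not the course's own code), using the Storage module cmdlets on LON-SVR1; the pool, virtual disk, volume names and drive letter follow the lab, while the helper function Get-MirrorState and the wildcard subsystem name are assumptions of this example.

```powershell
# Added example, not the course's own code. Storage cmdlets as shipped in
# Windows Server 2012, run on LON-SVR1.

# Task 1: pool the five disks that are not yet in any pool. On Server 2012 the
# Storage Spaces subsystem is named "Storage Spaces on <server>", hence the wildcard.
$names = 'PhysicalDisk3', 'PhysicalDisk4', 'PhysicalDisk5', 'PhysicalDisk6', 'PhysicalDisk7'
$disks = Get-PhysicalDisk -CanPool $true | Where-Object { $names -contains $_.FriendlyName }
New-StoragePool -FriendlyName 'StoragePool1' -StorageSubSystemFriendlyName 'Storage Spaces*' `
    -PhysicalDisks $disks | Out-Null

# Task 2: three-way mirror, thin provisioned, 10 GB. Three data copies survive the loss
# of two disks at once and need at least five disks in the pool.
New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'Mirrored Disk' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB | Out-Null

# The volume on it (the New Volume Wizard part of task 2): GPT, H:, ReFS, "Mirrored Volume".
$disk = Get-VirtualDisk -FriendlyName 'Mirrored Disk' | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter H |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false | Out-Null

# Task 3: put a file on the volume.
Copy-Item -Path C:\Windows\System32\mspaint.exe -Destination H:\

# Task 5: after a physical disk is pulled (task 4) the data stays readable, but the
# virtual disk reports a degraded state. This returns what Server Manager shows
# under Health, plus the pool's real free space (thin provisioning means the pool,
# not the 10 GB virtual disk, is the limit that can actually run out).
function Get-MirrorState {
    $vd   = Get-VirtualDisk -FriendlyName 'Mirrored Disk'
    $pool = Get-StoragePool -FriendlyName 'StoragePool1'
    $lost = @($pool | Get-PhysicalDisk | Where-Object { $_.OperationalStatus -ne 'OK' })
    [pscustomobject]@{
        HealthStatus      = $vd.HealthStatus        # Healthy / Warning / Unhealthy
        OperationalStatus = $vd.OperationalStatus   # OK / Degraded / Incomplete ...
        DataCopies        = $vd.NumberOfDataCopies
        MissingDisks      = ($lost | ForEach-Object { $_.FriendlyName }) -join ', '
        FileStillReadable = (Test-Path 'H:\mspaint.exe')
        PoolFreeGB        = [math]::Round(($pool.Size - $pool.AllocatedSize) / 1GB, 1)
    }
}

# Task 6: add the replacement disk and let the mirror rebuild its third copy onto it.
Add-PhysicalDisk -StoragePoolFriendlyName 'StoragePool1' `
    -PhysicalDisks (Get-PhysicalDisk -FriendlyName 'PhysicalDisk8')
Repair-VirtualDisk -FriendlyName 'Mirrored Disk'
Get-MirrorState
```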
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1.
Module 10: Implementing File and Print Services
Lab: Implementing File and Print Services
Exercise 1: Creating and Configuring a File Share
Task 1: Create the folder structure for the new share
1. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the taskbar, click the Windows Explorer shortcut.
3. In a Windows® Explorer window, in the navigation pane, expand Computer, and then click Allfiles (E:).
4. On the menu toolbar, click Home, click New folder, type Data, and then press Enter.
5. Double-click the Data folder.
6. On the menu toolbar, click Home, click New folder, type Development, and then press Enter.
7. Repeat Step 6 for the following new folder names:
o Marketing
o Research
o Sales
Task 2: Configure NTFS permissions on the folder structure
1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
2. In the Data Properties window, click Security, and then click Advanced.
3. In the Advanced Security Settings for Data window, click Disable Inheritance.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
5. Click OK to close the Advanced Security Settings for Data window.
6. Click OK to close the Data Properties window.
7. In Windows Explorer, double-click the Data folder.
8. Right-click the Development folder, and then click Properties.
9. In the Development Properties window, click Security, and then click Advanced.
10. In the Advanced Security Settings for Development window, click Disable Inheritance.
11. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
12. Remove the two permissions entries for Users (LON-SVR1\Users), and then click OK.
13. On the Security tab, click Edit.
14. In the Permissions for Development window, click Add.
15. Type Development, click Check names, and then click OK.
16. Select the check box for Allow Modify in the Permissions for Development section.
17. Click OK to close the Permissions for Development window.
18. Click OK to close the Development Properties window.
19. Repeat steps 8 through 18 for the Marketing, Research, and Sales folders, assigning Modify permissions to the Marketing, Research, and Sales groups for their respective folders.
Task 3: Create the shared folder
1. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
2. On the Data Properties window, click the Sharing tab, and then click Advanced Sharing.
3. In the Advanced Sharing window, select the Share this folder check box, and then click Permissions.
4. In the Permissions for Data window, click Add.
5. Type Authenticated Users, click Check names, and then click OK.
6. In the Permissions for Data window, click Authenticated Users, and then select the Allow check box for the Change permission.
7. Click OK to close the Permissions for Data window.
8. Click OK to close the Advanced Sharing window.
9. Click Close to close the Data Properties window.
Task 4: Test access to the shared folder
1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.
Note: Bernard is a member of the Development group.
2. On the Start screen, click the Desktop tile.
3. On the taskbar, click the Windows Explorer icon.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.
5. Double-click the Development folder.
Note: Bernard should have access to the Development folder.
6. Attempt to access the Marketing, Research, and Sales folders. NTFS permissions on these folders will prevent you from doing this.
Note: Bernard can still see the other folders, even though he does not have access to their contents.
7. Log off LON-CL1.
Task 5: Enable access-based enumeration
1. Switch to LON-SVR1.
2. On the taskbar, click the Server Manager icon.
3. In Server Manager, in the navigation pane, click File and Storage Services.
4. On the File and Storage Services page, in the navigation pane, click Shares.
5. In the Shares pane, right-click Data, and then click Properties.
6. Click Settings, and then select the Enable access-based enumeration check box.
7. Click OK to close the Data Properties window.
8. Close Server Manager.
Task 6: Test access to the share
1. Log on to LON-CL1 as Adatum\Bernard with a password of Pa$$w0rd.
2. Click the Desktop tile.
3. On the taskbar, click the Windows Explorer icon.
4. In Windows Explorer, in the address bar, type \\LON-SVR1\Data, and then press Enter.
Note: Bernard can now view only the Development folder, the folder for which he has been assigned permissions.
5. Double-click the Development folder.
Note: Bernard should have access to the Development folder.
6. Log off LON-CL1.
Task 7: Disable Offline Files for the share
1. Switch to LON-SVR1.
2. On the taskbar, click the Windows Explorer icon.
3. In Windows Explorer, navigate to drive E, right-click the Data folder, and then click Properties.
4. On the Data Properties window, click the Sharing tab, click Advanced Sharing, and then click Caching.
5. In the Offline Settings window, select No files or programs from the shared folder are available offline, and then click OK.
6. Click OK to close the Advanced Sharing window.
7. Click Close to close the Data Properties window.
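Tasks 1, 2, 3, 5 and 7 of this exercise as an added PowerShell example (not the course's own code), run on LON-SVR1; the paths, group names and share name follow the lab, while the helper functions Disable-AclInheritance and Test-DataShare are assumptions of this example.

```powershell
# Added example, not the course's own code. Runs on LON-SVR1 as Adatum\Administrator.
$root        = 'E:\Data'
$departments = 'Development', 'Marketing', 'Research', 'Sales'

# Task 1: folder structure.
foreach ($d in $departments) {
    New-Item -Path (Join-Path $root $d) -ItemType Directory -Force | Out-Null
}

function Disable-AclInheritance {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # ($true, $true) = "Disable Inheritance" + "Convert inherited permissions into
    # explicit permissions on this object". Write it before editing the copies: the
    # converted ACEs only become explicit once the descriptor is persisted.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
}

# Task 2: E:\Data keeps its now-explicit ACEs. Each department folder loses the
# BUILTIN\Users entries (shown as "Users (LON-SVR1\Users)" in the GUI) and gets
# Modify for its own group, as the lab does in steps 12 to 16 per folder.
Disable-AclInheritance -Path $root
foreach ($d in $departments) {
    $path = Join-Path $root $d
    Disable-AclInheritance -Path $path
    $acl = Get-Acl -Path $path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "ADATUM\$d", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Tasks 3, 5 and 7 in one call: Authenticated Users get Change on the share (NTFS
# still decides per folder), access-based enumeration hides folders the caller
# cannot open, and CachingMode None is "No files or programs from the shared
# folder are available offline".
New-SmbShare -Name 'Data' -Path $root -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased -CachingMode None | Out-Null

function Test-DataShare {
    # The share-level settings the lab verifies by logging on as Bernard, plus the
    # per-folder NTFS grants, which are what actually keep him out of Marketing.
    $share = Get-SmbShare -Name 'Data'
    $ntfs  = foreach ($d in $departments) {
        $ids = (Get-Acl (Join-Path $root $d)).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value }
        "$d=$($ids -join ',')"
    }
    [pscustomobject]@{
        AccessBasedEnumeration = ($share.FolderEnumerationMode -eq 'AccessBased')
        OfflineFilesDisabled   = ($share.CachingMode -eq 'None')
        ShareAcl               = (Get-SmbShareAccess -Name 'Data' |
            ForEach-Object { "$($_.AccountName): $($_.AccessRight)" }) -join '; '
        NtfsGrants             = $ntfs -join '; '
    }
}
Test-DataShare
```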
Exercise 2: Configuring Shadow Copies
Task 1: Configure shadow copies for the file share
1. Switch to LON-SVR1.
2. Open Windows Explorer.
3. Navigate to drive E, right-click Allfiles (E:), and then click Configure Shadow Copies.
4. In the Shadow Copies window, click the E:\ drive, and then click Enable.
5. In the Enable Shadow Copies window, click Yes.
6. In the Shadow Copies window, click Settings.
7. In the Settings window, click Schedule.
8. In the E:\ window, change Schedule Task to Daily, change Start time to 12:00 AM, and then click Advanced.
9. In the Advanced Schedule Options window, select Repeat task, and then set the frequency to every 1 hours.
10. Select Time, and change the time value to 11:59 PM.
11. Click OK twice.
12. Click OK to close the Settings window.
13. Leave the Shadow Copies window open.
Task 2: Create multiple shadow copies of a file
1. On LON-SVR1, open a Windows Explorer window, and navigate to the E:\Data\Development folder.
2. On the menu toolbar, click Home, click New item, and then click Text Document.
3. Type Report, and then press Enter.
4. Switch back to the Shadow Copies window, and then click Create Now.
Task 3: Recover a deleted file from a shadow copy
1. On LON-SVR1, switch back to the Windows Explorer window.
2. Right-click Report.txt, and then click Delete.
3. In Windows Explorer, right-click on the Development folder, and then click Properties.
4. In the Development Properties window, click the Previous Versions tab.
5. Click the most recent folder version for Development, and then click Open.
6. Confirm that Report.txt is in the folder, right-click Report.txt, and then click Copy.
7. Close the Windows Explorer window that just opened.
8. In the other Windows Explorer window, right-click on the Development folder, and then click Paste.
9. Close Windows Explorer.
10. Click OK and close all open windows.
Exercise 3: Creating and Configuring a Printer Pool
Task 1: Install the Print and Document Services server role
1. On LON-SVR1, on the taskbar, click the Server Manager shortcut.
2. In Server Manager, on the menu toolbar, click Manage, and then click Add Roles and Features.
3. Click Next, select Role-based or feature-based installation, and then click Next again.
4. On the Select destination server page, select the server on which you want to install the Print and Document Services. The default server is the local server. Click Next.
5. On the Select Server Roles page, select the Print and Document Services check box. In the Add Roles and Features Wizard window, click Add Features, and then click Next in the Select server roles window.
6. On the Select Features page, click Next.
7. On the Print and Document Services page, review the Notes for the administrator, and then click Next.
8. On the Select Role Services page, click Next until the Confirm Installation Selections page displays. Click Install to install the required role services.
9. Click Close.
Task 2: Install a printer
1. On LON-SVR1, in the Server Manager, click Tools, and then click Print Management.
2. Expand Printer Servers, expand LON-SVR1, right-click Printers, and then click Add Printer.
3. Click Add a TCP/IP or Web Services Printer by IP address or hostname, and then click Next.
4. Change the Type of Device to TCP/IP Device.
5. In the Host name box, type 172.16.0.200, clear the Auto detect printer driver to use check box, and then click Next.
6. Under Device Type, click Generic Network Card, and then click Next.
7. Click Install a new driver, and then click Next.
8. Click Microsoft as the Manufacturer, under Printers, click Microsoft XPS Class Driver, and then click Next.
9. Change the Printer Name to Branch Office Printer, and then click Next.
10. Click Next two times to accept the default printer name and share name, and to install the printer.
11. Click Finish to close the Network Printer Installation Wizard.
12. In the Print Management console, right-click the Branch Office Printer, and then click Enable Branch Office Direct Printing.
13. In the Print Management console, right-click the Branch Office Printer, and then select Properties.
14. Click the Sharing tab, select the List in the directory check box, and then click OK.
Task 3: Configure printer pooling
1. In the Print Management console, right-click Ports under LON-SVR1, and then click Add Port.
2. In the Printer Ports window, select Standard TCP/IP Port, and then click New Port.
3. In the Add Standard TCP/IP Printer Port Wizard, click Next.
4. In the Printer Name or IP Address field, type 172.16.0.201, and then click Next.
5. In the Additional port information required window, click Next.
6. Click Finish to close the Add Standard TCP/IP Printer Port Wizard.
7. Click Close to close the Printer Ports window.
8. In the Print Management console, click Printers, right-click Branch Office Printer, and then click Properties.
9. On the Branch Office Printer Properties page, click the Ports tab, select the Enable printer pooling check box, and then click the 172.16.0.201 port to select it as the second port.
10. Click OK to close the Branch Office Printer Properties page.
11. Close the Print Management Console.
Task 4: Install a printer on a client computer
1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
2. On LON-CL1, on the Start screen, type Control Panel, and then press Enter.
3. Under Hardware and Sound, click Add a device.
4. In the Add a device window, click on Branch Office Printer on LON-SVR1. Click Next. The device installs automatically.
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1 and 20410A-LON-DC1.
Module 11: Implementing Group Policy
Lab: Implementing Group Policy
Exercise 1: Configuring a Central Store
Task 1: View the location of administrative templates in a Group Policy Object (GPO)
1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console (GPMC), expand Forest: Adatum.com, expand Domains, expand Adatum.com and then expand the Group Policy Objects folder.
4. Right-click the Default Domain Policy, and then click Edit.
5. In the Group Policy Management Editor, expand the Default Domain Policy, expand User Configuration, expand Policies, and then click Administrative Templates.
6. Point your mouse over the Administrative Templates folder, and note that the location is Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.
7. Close the Group Policy Management Editor.
Task 2: Create a central store
1. On the taskbar, click the Folder icon to launch a Windows® Explorer window.
2. Expand Local Disk (C:), expand Windows, expand SYSVOL, expand sysvol, expand Adatum.com, and then click Policies.
3. In the details pane, right-click on a blank area, click New, and then click Folder.
4. Name the folder PolicyDefinitions.
Task 3: Copy administrative templates to the central store
1. In Windows Explorer, navigate back to C:\Windows, and open the PolicyDefinitions folder.
2. Select the entire contents of the PolicyDefinitions folder. (Hint: click in the details pane, and then use the Ctrl+A keys to select all of the content.)
3. Right-click the selection, and then click Copy.
4. Browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies, and then open the PolicyDefinitions folder you created in Task 2.
5. Right-click in the empty folder area, and then click Paste.
Task 4: Verify the administrative template location in GPMC
1. In the GPMC, right-click the Default Domain Policy, and then click Edit.
2. Expand Policies, point your mouse over the Administrative Templates folder, and view the location information text. Note that it now says Administrative Templates: Policy definitions (ADMX files) retrieved from the Central Store.
3. Close the Group Policy Management Editor.
Results: After completing this exercise, you will have configured a Central Store.
Exercise 2: Creating GPOs
Task 1: Create a Windows Internet Explorer® Restriction default starter GPO
1. In the GPMC, right-click the Starter GPOs folder, and then click New.
2. In the New Starter GPO dialog box, in the Name field, type Internet Explorer Restrictions, and in the Comment field, type This GPO disables the General page in Internet Options, and then click OK.
Task 2: Configure the Internet Explorer Restriction starter GPO
1. Expand the Starter GPOs folder, right-click the Internet Explorer Restrictions GPO, and then click Edit.
2. Expand User Configuration, Administrative Templates, and then click All Settings.
3. Right-click All Settings, and then click Filter Options.
4. In the Filter Options dialog box, select the Enable Keyword Filters check box.
5. In the Filter for word(s): field, type General page.
6. In the drop-down box, select Exact, and then click OK.
7. Double-click the Disable the General page setting, click Enabled, and then click OK.
8. Close the Group Policy Starter GPO Editor.
Task 3: Create a domain Internet Explorer Restrictions GPO from the Internet Explorer Restrictions starter GPO
1. In the GPMC, right-click the Adatum.com domain, and then click Create a GPO in this domain, and link it here.
2. In the New GPO dialog box, in the Name field, type IE Restrictions.
3. Under Source Starter GPO, click the drop-down box, select Internet Explorer Restrictions, and then click OK.
Task 4: Test application of the GPO for domain users
1. Log on to LON-CL1 as Adatum\Brad with a password of Pa$$w0rd.
2. Move your mouse to the bottom-right corner of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Search Apps results, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.
7. Click OK to acknowledge the message.
8. Click Internet Options. Notice that in the Internet Properties dialog box the General page does not appear.
9. Close all open windows, and sign out.
Task 5: Use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy
1. Switch to LON-DC1.
2. In the GPMC, expand the Group Policy Objects folder, and then in the left pane, click the IE Restrictions policy.
3. In the details pane, click the Delegation tab.
4. Click the Advanced button.
5. In the IE Restrictions Security Settings dialog box, click Add.
6. In the Select Users, Computers, Service Accounts, or Groups field, type IT, and then click OK.
7. In the IE Restrictions Security Settings dialog box, click the IT (Adatum\IT) group, next to the Apply group policy permission, select the Deny check box, and then click OK.
8. Click Yes to acknowledge the Windows Security dialog box.
Task 6: Test the GPO application for IT Department Users
1. Log on to LON-CL1 as Brad with a password of Pa$$w0rd.
2. Move your mouse to the bottom-right corner of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Apps results window, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. The Internet Properties dialog opens to the General page, and all settings are available.
7. Close all open windows, and sign out.
Task 7: Test application of the GPO for other domain users
1. Log on to LON-CL1 as Boris with a password of Pa$$w0rd.
2. Move your mouse to the bottom-right corner of the desktop, and in the flyout, click the Search charm.
3. In the Apps search box, type Control Panel.
4. In the Apps results window, click Control Panel.
5. In the Control Panel window, click Network and Internet.
6. In the Network and Internet dialog box, click Change your homepage. A message box appears informing you that this feature has been disabled.
7. Click OK to acknowledge the message.
8. Click Internet Options. In the Internet Properties dialog box, notice that the General page does not display.
9. Close all open windows, and sign out.
Results: After completing this lab, you will have created a GPO.
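Exercise 1 (the central store) and tasks 1 to 3 of Exercise 2 as an added PowerShell example (not the course's own code), using the GroupPolicy module on LON-DC1; the names follow the lab, while the registry value behind the "Disable the General page" setting and the helper functions Test-CentralStore and Get-IERestrictionState are assumptions of this example.

```powershell
# Added example, not the course's own code. Runs on LON-DC1 as Administrator.
Import-Module GroupPolicy

$domainDn = 'DC=Adatum,DC=com'
$central  = 'C:\Windows\SYSVOL\sysvol\Adatum.com\Policies\PolicyDefinitions'

# Exercise 1: GPMC reads templates from the central store as soon as this folder
# exists in SYSVOL. /E also copies the language subfolders (en-US\*.adml).
robocopy C:\Windows\PolicyDefinitions $central /E /R:1 /W:1 | Out-Null

function Test-CentralStore {
    [pscustomobject]@{
        Exists    = (Test-Path $central)
        AdmxFiles = @(Get-ChildItem -Path $central -Filter *.admx -ErrorAction SilentlyContinue).Count
        AdmlFiles = @(Get-ChildItem -Path $central -Recurse -Filter *.adml -ErrorAction SilentlyContinue).Count
    }
}

# Exercise 2, tasks 1 to 3. Starter GPOs have no registry cmdlet, so the starter GPO
# here carries only the name and comment; the setting itself is written to the
# domain GPO created from it.
New-GPStarterGPO -Name 'Internet Explorer Restrictions' `
    -Comment 'This GPO disables the General page in Internet Options' | Out-Null
$gpo = New-GPO -Name 'IE Restrictions' -StarterGpoName 'Internet Explorer Restrictions'
$gpo | New-GPLink -Target $domainDn -LinkEnabled Yes | Out-Null

# "Disable the General page" (User Configuration > Administrative Templates >
# Windows Components > Internet Explorer > Internet Control Panel). Assumed mapping
# from inetres.admx: ...\Internet Explorer\Control Panel, GeneralTab = 1 (DWORD).
$key = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name 'IE Restrictions' -Key $key -ValueName 'GeneralTab' `
    -Type DWord -Value 1 | Out-Null

function Get-IERestrictionState {
    # What the GPO stores, and whether it is linked and enabled at the domain root.
    $value = Get-GPRegistryValue -Name 'IE Restrictions' -Key $key -ValueName 'GeneralTab'
    $link  = (Get-GPInheritance -Target $domainDn).GpoLinks |
        Where-Object { $_.DisplayName -eq 'IE Restrictions' }
    [pscustomobject]@{
        GeneralTab     = $value.Value
        LinkedAtDomain = [bool]$link
        LinkEnabled    = if ($link) { $link.Enabled } else { $false }
    }
}

# Task 5 (exempting the IT group) needs a Deny ACE on "Apply group policy".
# Set-GPPermission only sets Allow levels, so that step stays in GPMC as written.
# On LON-CL1, "gpresult /r /scope:user" afterwards lists IE Restrictions among the
# GPOs filtered out by security for Brad and among the applied GPOs for Boris.
Test-CentralStore
Get-IERestrictionState
```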
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-CL1.
Module 12: Securing Windows Servers Using Group Policy Objects
Lab A: Increasing Security for Server Resources
Exercise 1: Using Group Policy to Secure Member Servers
Task 1: Create a Member Servers Organizational Unit (OU) and move servers into it
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
3. In the New Object - Organizational Unit window, type Member Servers OU, and then click OK.
4. In the Active Directory Users and Computers console, in the navigation pane, click the Computers container.
5. Press and hold the Ctrl key. In the details pane, click LON-SVR1 and LON-SVR2, right-click the selection, and then click Move.
6. In the Move window, click Member Servers OU, and then click OK.
Task 2: Create a Server Administrators group
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.
3. In the New Object – Group window, in the Group Name field, type Server Administrators, and then click OK.
Task 3: Create a Member Server Security Settings GPO and link it to the Member Servers OU
1. On LON-DC1, in the Server Manager window, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Member Server Security Settings, and then click OK.
4. In the Group Policy Management Console window, right-click Member Servers OU, and then click Link an Existing GPO.
5. In the Select GPO window, in Group Policy Objects window, click Member Server Security Settings, and then click OK.
Task 4: Configure group membership for local administrators to include Server Administrators and Domain Admins
1. On LON-DC1, in the Group Policy Management Console window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
2. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Restricted Groups.
3. Right-click Restricted Groups, and then click Add Group.
4. In the Add Group dialog box, in the Group name field, type Administrators, and then click OK.
5. In the Administrators Properties dialog box, next to Members of this group, click Add.
6. In the Add Member dialog box, type Adatum\Server Administrators, and then click OK.
7. Next to Members of this group, click Add.
8. In the Add Member dialog box, type Adatum\Domain Admins, and then click OK twice.
9. Close the Group Policy Management Editor.
Task 5: Verify that Computer Administrators has been added to the local Administrators group
1. Switch to LON-SVR1.
2. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the taskbar, click the Windows PowerShell® icon.
4. At the Windows PowerShell command prompt, type the following command:
gpupdate /force
5. In the Server Manager window, click Tools, and then click Computer Management.
6. In the Computer Management console, expand Local Users and Groups, click Groups, and then in the right pane, double-click Administrators.
7. Confirm that the Administrators group contains both ADATUM\Domain Admins and ADATUM\Server Administrators as members. Click Cancel.
8. Close the Computer Management console.
Task 6: Modify the Member Server Security Settings Group Policy Object (GPO) to remove users from Allow log on locally
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
5. In the right pane, right-click Allow log on locally, and then click Properties.
6. In the Allow log on locally Properties window, select the Define these policy settings check box, and then click Add User or Group.
7. In the Add User or Group window, type Domain Admins, and then click OK.
8. Click Add User or Group.
9. In the Add User or Group window, type Administrators, and then click OK twice.
10. Close the Group Policy Management Editor.
Task 7: Modify the Member Server Security Settings GPO to enable User Account Control: Admin Approval Mode for the Built-in Administrator account
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
2. In the right pane, right-click Member Server Security Settings, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the right pane, right-click User Account Control: Admin Approval Mode for the Built-in Administrator account, and then click Properties.
5. In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties window, select the Define this policy setting check box, ensure that the Enabled radio button is selected, and then click OK.
6. Close the Group Policy Management Editor.
Task 8: Verify that a standard user cannot log on to a member server
1. Switch to LON-SVR1, and then on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command prompt, type the following command:
gpupdate /force
3. Log off LON-SVR1.
4. Try to log on to LON-SVR1 as Adatum\Adam with a password of Pa$$w0rd.
5. Verify that you cannot log on to LON-SVR1, and that a logon error message displays.
Results: After completing this exercise, you should have used Group Policy to secure member servers.
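A read-only check on LON-SVR1 that the Restricted Groups setting (task 4) and the Member Server Security Settings GPO (tasks 6 and 7) actually took effect, as an added PowerShell example that is not the course's own code; the account and group names follow the lab, while the helper functions and the use of secedit and ADSI for the checks are assumptions of this example.

```powershell
# Added example, not the course's own code. Run on LON-SVR1 as Adatum\Administrator
# after the GPOs have been edited on LON-DC1.

function Get-LocalAdminMembers {
    # ADSI, because Windows Server 2012 has no Get-LocalGroupMember cmdlet.
    # Returns names as DOMAIN\Name (local accounts come back as DOMAIN\HOST\Name).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-InteractiveLogonRight {
    # Export the effective local security policy and read "Allow log on locally"
    # (SeInteractiveLogonRight). Entries are *SID or account names; resolve the SIDs.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $v = $entry.Trim()
        if ($v.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

function Get-AdminApprovalMode {
    # "User Account Control: Admin Approval Mode for the Built-in Administrator
    # account" is stored as FilterAdministratorToken (1 = Enabled).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -Path $key -Name FilterAdministratorToken -ErrorAction SilentlyContinue).FilterAdministratorToken
}

function Test-MemberServerHardening {
    gpupdate /force | Out-Null
    $admins = @(Get-LocalAdminMembers)
    $logon  = @(Get-InteractiveLogonRight)
    [pscustomobject]@{
        ServerAdminsAreLocalAdmins = ($admins -contains 'ADATUM\Server Administrators')
        DomainAdminsAreLocalAdmins = ($admins -contains 'ADATUM\Domain Admins')
        AllowLogOnLocally          = ($logon -join ', ')
        # Task 6 leaves only Administrators and Domain Admins; BUILTIN\Users must be
        # gone, which is what produces Adam's logon error in task 8.
        UsersCanLogOnLocally       = ($logon -contains 'BUILTIN\Users')
        AdminApprovalModeEnabled   = ((Get-AdminApprovalMode) -eq 1)
    }
}
Test-MemberServerHardening
```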
Exercise 2: Auditing File System Access
Task 1: Modify the Member Server Security Settings GPO to enable object access auditing
1. Switch to LON-DC1.
2. On LON-DC1, in the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. In the right pane, right-click Member Server Security Settings, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and then in the right pane, right-click Audit object access, and then click Properties.
5. In the Audit object access Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.
Task 2: Create and share a folder
1. On LON-SVR1, on the taskbar, click Windows Explorer, and then, in the navigation pane, click Computer.
2. In the Computer window, double-click Local Disk (C:), click Home, click New folder, and then type HR.
3. In the Computer window, right-click the HR folder, click Share with, and then click Specific people.
4. In the File Sharing window, type Adam, and then click Add.
5. Change the Permission Level to Read/Write, click Share, and then click Done.
Task 3: Enable auditing on the HR folder for Domain Users
1. On LON-SVR1, in the Local Disk (C:) window, right-click the HR folder, and then click Properties.
2. In the HR Properties window, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for HR window, click the Auditing tab, and then click Add.
4. In the Auditing Entry for HR window, click Select a principal.
5. In the Select User, Computer, Service Account or Group window, in the Enter the object name to select field, type Domain Users, and then click OK.
6. In the Auditing Entry for HR window, from the Type drop-down menu, select All.
7. In the Auditing Entry for HR window, under Permission list, select the Write check box, and then click OK three times.
8. Switch to the Start screen, type cmd, and then press Enter.
9. In the command prompt window, type the following command:
gpupdate /force
10. Close the command prompt window.
Task 4: Create a new file in the file share from LON-CL1
1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the Start screen, type cmd, and then press Enter.
4. In the command prompt window, type the following command:
gpupdate /force
5. Close the command prompt window.
6. Log off LON-CL1, and then log on again as Adatum\Adam with a password of Pa$$w0rd.
7. On the Start screen, type \\LON-SVR1\HR, and then press Enter.
8. In the HR window, click Home, click New item, click Text Document, in the file name field, type Employees, and then press Enter.
9. Log off of LON-CL1.
Task 5: View the results in the security log on the domain controller
1. Switch to LON-SVR1.
2. In the Server Manager window, click Tools, and then click Event Viewer.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
4. Verify that the following event and information display:
o Source: Microsoft Windows Security Auditing
o Event ID: 4663
o Task category: File System
o An attempt was made to access an object.
Results: After completing this exercise, you should have enabled file system access auditing.
Exercise 3: Auditing Domain Logons
Task 1: Modify the Default Domain Policy GPO
1. On LON-DC1, in the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
2. In the right pane, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. In the right pane, right-click Audit account logon events, and then click Properties.
4. In the Audit account logon events Properties window, select the Define these policy settings check box, select both the Success and Failure check boxes, and then click OK.
5. Update Group Policy by using the gpupdate /force command.
Task 2: Run GPUpdate
1. Switch to LON-CL1.
2. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
3. On the Start screen, type cmd, and then press Enter.
4. In the command prompt window, type the following command:
gpupdate /force
5. Close the command prompt window, and log off LON-CL1.
Task 3: Log on to LON-CL1 with an incorrect password
• Log on to LON-CL1 as Adatum\Adam with a password of password.
Note: This password is intentionally incorrect, to generate a security log entry which shows that an unsuccessful logon attempt has been made.
Task 4: Review event logs on LON-DC1
1. On LON-DC1, in Server Manager, click Tools, and then click Event Viewer.
2. In the Event Viewer window, expand Windows Logs, and then click Security.
3. Review the event logs for following message: “Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.”
Task 5: Log on to LON-CL1 with the correct password
• Log on to LON-CL1 as Adatum\Adam with a password of Pa$$w0rd.
Note: This password is correct, and you should be able to log on successfully as Adam.
Task 6: Review event logs on LON-DC1
1. Log on to LON-DC1.
2. In the Server Manager window, click Tools, and then click Event Viewer.
3. In the Event Viewer window, expand Windows Logs, and then click Security.
4. Review the event logs for the following message: “A user successfully logged on to a computer.”
Task 7: To prepare for the next lab
• To prepare for the next lab, leave the virtual machines running.
Results: After completing this exercise, you should have enabled domain logon auditing.
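As an added example for Exercises 2 and 3 (not part of the 20410A lab), the following Windows PowerShell script reads the Security log with Get-WinEvent and pulls the named fields out of each event's XML: run it on LON-SVR1 to list who touched the HR folder (event 4663, the event Task 5 of Exercise 2 verifies) and on LON-DC1 to list audit-failure entries such as Adam's bad-password attempt. The C:\HR\ path is the lab's; the time window, the Audit Failure keyword filter and the field names used for the summary are assumptions documented in the comments.

```powershell
# Added example for Lab A, Exercises 2 and 3 (not part of the 20410A lab).
# Run in an elevated Windows PowerShell session on the server whose Security log
# you are reviewing: LON-SVR1 for HR folder access, LON-DC1 for account logon failures.

function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # The EventData section of the event XML holds named fields (SubjectUserName, ObjectName, ...)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-HRFolderAccess {
    param(
        [string]$Folder = 'C:\HR\',   # the folder shared in Exercise 2, Task 2
        [int]$Hours = 2               # assumed review window
    )
    # 4663 = "An attempt was made to access an object"; it is only written when
    # Audit object access is on AND the folder carries a SACL (Exercise 2, Tasks 1 and 3).
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-SecurityEvent -Event $_
        if ($f.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                Object     = $f.ObjectName
                AccessMask = $f.AccessMask      # hex access bits, e.g. 0x2 = WriteData/AddFile
                Process    = $f.ProcessName
            }
        }
    }
}

function Get-AccountLogonFailures {
    param([int]$Hours = 2)
    # 0x10000000000000 is the Security log's "Audit Failure" keyword. With
    # "Audit account logon events" set to Failure, the domain controller that
    # rejected Adam's wrong password records the attempt with this keyword.
    $auditFailure = [long]0x10000000000000
    $filter = @{ LogName = 'Security'; Keywords = $auditFailure; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-SecurityEvent -Event $_
        # Different failure events name the source differently; take whichever field is present
        $source = if ($f.Workstation) { $f.Workstation }
                  elseif ($f.WorkstationName) { $f.WorkstationName }
                  else { $f.IpAddress }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $f.TargetUserName                # null for events without this field
            Source  = $source
            Summary = ($_.Message -split "`r?`n")[0]   # first line of the message text
        }
    }
}

# One line per account makes a single user touching many HR files easy to spot
Get-HRFolderAccess | Group-Object Account | Select-Object Name, Count | Format-Table -AutoSize
Get-HRFolderAccess | Format-Table -AutoSize
Get-AccountLogonFailures | Format-Table -AutoSize
```

A failure burst against one account from one source over a short window is the pattern worth alerting on; a single entry like the one Task 3 of Exercise 3 produces is normal user behaviour.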
Lab B: Configuring AppLocker and Windows Firewall
Exercise 1: Configuring AppLocker® Policies
Task 1: Create an OU for Client Computers
1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, type Client Computers OU, and then click OK.
Task 2: Move LON-CL1 to the Client Computers OU
1. On LON-DC1, in the Active Directory Users and Computers console, in the navigation pane, click the Computers container.
2. In the details pane, right-click LON-CL1, and then click Move.
3. In the Move window, click Client Computers OU, and then click OK.
Task 3: Create a Software Control GPO and link it to the Client Computers OU
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console window, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: text box, type Software Control GPO, and then click OK.
4. In the right pane, right-click Software Control GPO, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker.
6. Under AppLocker, right-click Executable Rules, and then click Create Default Rules.
7. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules.
8. In the navigation pane, click AppLocker, and then in the right pane, click Configure rule enforcement.
9. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only.
10. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.
11. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, click System Services, and then double-click Application Identity.
12. In the Application Identity Properties dialog box, select the Define this policy setting check box, under Select service startup mode, select Automatic, and then click OK.
13. Close the Group Policy Management Editor.
14. In the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO.
15. In the Select GPO window, in the Group Policy Objects list, click Software Control GPO, and then click OK.
Task 4: Run GPUpdate on LON-SVR1
1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command:
gpupdate /force
5. Close the command prompt window.
6. Move the mouse pointer to the lower right corner, click Settings, click Power, and then click Restart.
Task 5: Run app1.bat in the C:\CustomApp folder
1. Log on to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Point the mouse pointer over the lower right corner of the screen, and then, when it appears, click Search.
3. In the Search box, type cmd, and then press Enter.
4. At the command prompt, type the following command:
C:\CustomApp\app1.bat
Task 6: View AppLocker events in an event log
1. On LON-SVR1, open the Server Manager window, click Tools, and then click Event Viewer.
2. In the Event Viewer window, expand Application and Services Logs, expand Microsoft, expand Windows, and then expand AppLocker.
3. Click MSI and Scripts, and review the event logs for App1.bat.
Task 7: Create a rule that allows software to run from C:\CustomApp
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management window, in the Group Policy Objects node, edit the Software Control GPO.
3. In the console tree, double-click Application Control Policies, double-click AppLocker, right-click Script rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, select the Allow radio button, and then click Next.
6. On the Conditions page, click the Path radio button, and then click Next.
7. On the Path page, in the Path field, type the following path: %OSDRIVE%\CustomApp\app1.bat to enter the targeted folder for the applications, and then click Next.
8. On the Exception page, click Next. On the Name and Description page, in the Name field, type Custom App Rule, and then click Create.
Task 8: Modify Software Control GPO to enforce the rules
1. In the Software Control GPO window, in the navigation pane, click AppLocker, and then in the right pane, click Configure rule enforcement.
2. In the AppLocker Properties window, under Executable rules, select the Configured check box, and then from the drop-down menu, select Enforce rules.
3. Repeat the previous step for Windows Installer Rules, Script Rules, and Packaged app Rules, and then click OK.
4. Close the Group Policy Management Editor.
Task 9: Verify that an application can still be run from C:\CustomApp
1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command:
gpupdate /force
5. Close the command prompt window.
6. Point the mouse pointer over the lower-right corner, click Settings, click Power, and then click Restart.
7. Log on to LON-SVR1 as Adatum\Tony with a password of Pa$$w0rd.
8. Open a command prompt.
9. Verify that you can still run c:\customapp\app1.bat.
Task 10: Verify that an application cannot be run from the Documents folder
1. On LON-SVR1, on the taskbar, click Windows Explorer, and then in the navigation pane, click Computer. In the Computer window, double-click Local Disk (C:), double-click the CustomApp folder, right-click app1.bat, and then click Copy.
2. In the CustomApp window, in the navigation pane, right-click the Documents folder, and then click Paste.
3. At the command prompt, type C:\Users\Tony\Documents\app1.bat.
4. Verify that the application cannot be run from the Documents folder, and that the following message displays: “This program is blocked by Group Policy. For more information, contact your system administrator.”
5. Close all open windows and log off.
Results: After completing this exercise, you will have configured AppLocker policies for all users whose computer accounts are located in the Client Computers OU organizational unit. The policies you configured should allow these users to run applications that are located in the folders C:\Windows and C:\Program Files, and run the custom-developed application app1.bat in the C:\CustomApp folder.
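As an added check for this exercise (not part of the 20410A lab), the following Windows PowerShell script, run elevated on LON-SVR1 once the Software Control GPO has applied, evaluates the effective AppLocker policy against both copies of app1.bat for Tony with Test-AppLockerPolicy, confirms the Application Identity service is running (without it nothing is enforced), and lists the scripts the Audit only phase flagged in the MSI and Script log. The user, paths and rule names are the lab's; the AppLocker and WMI calls are standard cmdlets, not lab material.

```powershell
# Added check for Lab B, Exercise 1 (not part of the 20410A lab).
# Run in an elevated Windows PowerShell session on LON-SVR1 after gpupdate /force.
Import-Module AppLocker

function Test-CustomAppRules {
    param(
        [string]   $User  = 'Adatum\Tony',
        [string[]] $Paths = @('C:\CustomApp\app1.bat', 'C:\Users\Tony\Documents\app1.bat')
    )
    # The effective policy merges local rules with every AppLocker policy delivered by GPO.
    # Test-AppLockerPolicy needs the files to exist because it reads their hash/publisher info.
    $policy = Get-AppLockerPolicy -Effective
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Skipping missing file: $p"; continue }
        Test-AppLockerPolicy -PolicyObject $policy -Path $p -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

function Test-AppLockerEnforcementReady {
    # Rules are only enforced while the Application Identity service (AppIDSvc) runs;
    # Task 3, step 12 sets its startup mode to Automatic for exactly this reason.
    $svc = Get-Service -Name AppIDSvc
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
    [pscustomobject]@{
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartMode = $wmi.StartMode
        Ready     = ($svc.Status -eq 'Running' -and $wmi.StartMode -eq 'Auto')
    }
}

function Get-AuditedScriptEvents {
    # While enforcement is "Audit only", scripts a rule would have blocked are logged as
    # Audited in the log reviewed in Task 6. Review this list before switching to Enforce rules.
    Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/MSI and Script' -EventType Audited |
        Select-Object Path, Hash
}

Test-AppLockerEnforcementReady | Format-List
Test-CustomAppRules | Format-Table -AutoSize
Get-AuditedScriptEvents | Format-Table -AutoSize
```

A path rule such as %OSDRIVE%\CustomApp\app1.bat allows whatever file sits at that path, so the folder's NTFS permissions, not the rule, decide who can replace app1.bat; keep the folder writable only by administrators.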
Exercise 2: Configuring Windows Firewall
Task 1: Create a group called Application Servers
1. Switch to LON-DC1.
2. In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console, in the navigation pane, right-click the Member Servers OU, click New, and then click Group.
4. In the New Object – Group window, in the Group Name field, type Application Servers, and then click OK.
Task 2: Add LON-SVR1 as a group member
1. In the Active Directory Users and Computers console, in the navigation pane, click the Member Servers OU, in the details pane, right-click the Application Servers group, and then click Properties.
2. In the Application Servers Properties window, click the Members tab, and then click Add.
3. In the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types, click Computers, and then click OK.
4. In the Enter the object names to select field, type LON-SVR1, and then click OK.
Task 3: Create a new Application Servers GPO
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name: field, type Application Servers GPO, and then click OK.
4. In the Group Policy Management Console, right-click Application Servers GPO, and then click Edit.
5. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then click Windows Firewall with Advanced Security - LDAP://CN={GUID}.
6. In the Group Policy Management Editor, click Inbound Rules.
7. Right-click Inbound Rules, and then click New Rule.
8. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.
9. On the Program page, click Next.
10. On the Protocol and Ports page, in the Protocol type list, click TCP.
11. In the Local port list, click Specific Ports, in the text box, type 8080, and then click Next.
12. On the Scope page, click Next.
13. On the Action page, click Allow the connection, and then click Next.
14. On the Profile page, clear the Private and Public check boxes, and then click Next.
15. On the Name page, in the Name box, type Application Server Department Firewall Rule, and then click Finish.
16. Close the Group Policy Management Editor.
Task 4: Link the Application Servers GPO to the Member Servers OU
1. On LON-DC1, in the Group Policy Management Console, right-click Member Servers OU, and then click Link an Existing GPO.
2. In the Select GPO window, in the Group Policy Objects list, click Application Servers GPO, and then click OK.
Task 5: Use security filtering to limit the Application Servers GPO to members of the Application Servers group
1. On LON-DC1, in the Group Policy Management Console, click Member Servers OU.
2. Expand the Member Servers OU, and then click the Application Servers GPO link.
3. In the Group Policy Management Console message box, click OK.
4. In the right-hand pane, under Security Filtering, click Authenticated Users, and then click Remove.
5. In the confirmation dialog box, click OK.
6. In the details pane, under Security Filtering, click Add.
7. In the Select User, Computer, or Group dialog box, type Application Servers, and then click OK.
Task 6: Run GPUpdate on LON-SVR1
1. Switch to LON-SVR1 and log on as Adatum\Administrator.
2. Move the mouse pointer to the lower right corner, and then click Search.
3. In the Search box, type cmd, and then press Enter.
4. In the command prompt window, type the following command, and then press Enter:
gpupdate /force
5. Close the command prompt window.
6. Restart LON-SVR1 and then log back on as Adatum\Administrator with the password of Pa$$w0rd.
Task 7: View the firewall rules on LON-SVR1
1. Switch to LON-SVR1.
2. In Server Manager, click Tools, and then click Windows Firewall with Advanced Security.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules.
4. In the right pane, verify that the Application Server Department Firewall Rule that you created earlier using Group Policy is configured.
5. Verify that you cannot edit the Application Server Department Firewall Rule, because it is configured through Group Policy.
Task 8: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state by performing the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1 and 20410A-LON-CL1.
Results: After completing this exercise, you should have used Group Policy to configure Windows Firewall with Advanced Security to create rules to allow inbound network communication through TCP port 8080.
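As an added check for this exercise (not part of the 20410A lab), the following Windows PowerShell script, run elevated on LON-SVR1 after the restart in Task 6, reads the rule from the active policy store with the NetSecurity cmdlets and reports whether it really came from Group Policy, is limited to the Domain profile, and opens only TCP 8080; it also flags the unrestricted remote address left by skipping the Scope page. The rule name and port are the lab's; the compliance checks are assumptions about what the exercise intends.

```powershell
# Added check for Lab B, Exercise 2 (not part of the 20410A lab).
# Run in an elevated Windows PowerShell session on LON-SVR1 after the GPO has applied.
Import-Module NetSecurity

function Get-FirewallRuleReport {
    param([string]$DisplayName = 'Application Server Department Firewall Rule')
    # ActiveStore = the rules actually in effect, including those delivered by Group Policy.
    # GPO-delivered rules report PolicyStoreSourceType = GroupPolicy and cannot be edited locally,
    # which is what Task 7, step 5 has you observe in the console.
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $r.DisplayName
            Source        = $r.PolicyStoreSource
            SourceType    = $r.PolicyStoreSourceType
            Enabled       = $r.Enabled
            Direction     = $r.Direction
            Action        = $r.Action
            Profile       = $r.Profile.ToString()
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}

function Test-ApplicationServerRule {
    param(
        [string]$DisplayName  = 'Application Server Department Firewall Rule',
        [string]$ExpectedPort = '8080'
    )
    $findings = @()
    $rules = @(Get-FirewallRuleReport -DisplayName $DisplayName)
    if ($rules.Count -eq 0) {
        # Security filtering on the GPO means LON-SVR1 must be in the Application Servers
        # group AND have restarted so its computer token includes that group.
        $findings += "Rule '$DisplayName' is not in the active store: GPO not applied, filtered out, or no restart yet"
    }
    foreach ($r in $rules) {
        if ($r.SourceType -ne 'GroupPolicy') { $findings += 'Rule is defined locally rather than by Group Policy' }
        if ($r.Enabled -ne 'True') { $findings += 'Rule is disabled' }
        if ($r.Direction -ne 'Inbound' -or $r.Action -ne 'Allow') {
            $findings += "Unexpected direction/action: $($r.Direction)/$($r.Action)"
        }
        if ($r.Protocol -ne 'TCP' -or $r.LocalPort -ne $ExpectedPort) {
            $findings += "Unexpected protocol/port: $($r.Protocol)/$($r.LocalPort)"
        }
        # Task 3, step 14 clears Private and Public, so only Domain should remain
        if ($r.Profile -match 'Public|Private|Any') {
            $findings += "Rule applies to the '$($r.Profile)' profile(s); the lab limits it to Domain"
        }
        # The Scope page was skipped, so any remote host can reach 8080
        if ($r.RemoteAddress -eq 'Any') {
            $findings += 'Remote address is Any: consider restricting Scope to the subnets that need port 8080'
        }
    }
    [pscustomobject]@{ Rules = $rules; Findings = $findings; Compliant = ($findings.Count -eq 0) }
}

$result = Test-ApplicationServerRule
$result.Rules    | Format-List
$result.Findings
```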
Module 13: Implementing Server Virtualization with Hyper-V
Lab: Implementing Server Virtualization with Hyper-V
Exercise 1: Installing the Hyper-V Server Role
Task 1: Install the Hyper-V server role
1. Reboot the classroom computer and from the Windows Boot Manager, choose 20410A-LON-HOST1.
2. Log on to LON-HOST1 with the Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server.
4. In the Properties pane, click the IPv4 address assigned by DHCP link.
5. In the Network Connections dialog box, right-click the network object and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
7. On the General tab, click Use the following IP address and configure the following:
o IP Address: 172.16.0.31
o Subnet mask: 255.255.0.0
o Default gateway: 172.16.0.1
8. On the General tab, click Use the following DNS server addresses and then configure the following:
o Preferred DNS server: 172.16.0.10
9. Click OK to close the Properties dialog box.
10. Click Close.
11. Close the Network Connections dialog box.
12. In the Server Manager console, from the Manage menu, click Add Roles and Features.
13. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
14. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
15. On the Select destination server page, ensure that LON-HOST1 is selected, and then click Next.
16. On the Select server roles page, select Hyper-V.
17. In the Add Roles and Features Wizard dialog box, click Add Features.
18. On the Select server roles page, click Next.
19. On the Select features page, click Next.
20. On the Hyper-V page, click Next.
21. On the Virtual Switches page, verify that no selections have been made, and then click Next.
22. On the Virtual Machine Migration page, click Next.
23. On the Default Stores page, review the location of the Default Stores, and then click Next.
24. On the Confirm installation selections page, select Restart the destination server automatically if required.
25. In the Add Roles and Features Wizard, review the message regarding automatic restarts, and then click Yes.
26. On the Confirm Installation Selections page, click Install.
27. After a few minutes, the server will restart automatically. Ensure that you restart the machine from the boot menu as 20410A-LON-HOST1. The computer will restart several times.
Task 2: Complete Hyper-V role installation and verify settings
1. Log on to LON-HOST1 using the account Administrator with the password Pa$$w0rd.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features Wizard.
3. In the Server Manager console, click the Tools menu, and then click Hyper-V Manager.
4. In the Hyper-V Manager console, click LON-HOST1.
5. In the Hyper-V Manager console, in the Actions pane, with LON-HOST1 selected, click Hyper-V Settings.
6. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Keyboard item. Verify that the Keyboard is set to the Use on the virtual machine option.
7. In the Hyper-V Settings for LON-HOST1 dialog box, click on the Virtual Hard Disks item. Verify that the location of the default folder to store Virtual Hard Disk files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, and then click OK.
Results: After this exercise, you should have deployed the Hyper-V role to a physical server.
Exercise 2: Configuring Virtual Networking
Task 1: Configure the external network
1. In the Hyper-V Manager console, click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. In the Virtual Switch Manager for LON-HOST1 dialog box, select New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.
4. In the Virtual Switch Properties area, enter the following information, and then click OK:
o Name: Switch for External Adapter
o External Network: Mapped to the host computer's physical network adapter. (This will vary depending on the host computer.)
5. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
Task 2: Create a private network
1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. Under Virtual Switches, click New virtual network switch.
4. Under Create virtual switch, select Private, and then click Create Virtual Switch.
5. In the Virtual Switch Properties section of the Virtual Switch Manager dialog box, configure the following settings, and then click OK:
o Name: Private Network
o Connection type: Private network
Task 3: Create an internal network
1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. From the Actions menu, click Virtual Switch Manager.
3. Under Virtual Switches, select New virtual network switch.
4. Under Create virtual switch, select Internal and then click Create Virtual Switch.
5. In the Virtual Switch Properties section, configure the following settings, and then click OK:
o Name: Internal Network
o Connection type: Internal network
Task 4: Configure the MAC address range
1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. On the Actions menu, click Virtual Switch Manager.
3. Under Global Network Settings, click MAC Address Range.
4. In the MAC Address Range settings, configure the following values, and then click OK:
o Minimum: 00-15-5D-0F-AB-A0
o Maximum: 00-15-5D-0F-AB-EF
5. Close the Hyper-V Manager console.
Results: After this exercise, you should have configured virtual switch options on a physically deployed Windows Server 2012 server running the Hyper-V role.
Exercise 3: Creating and Configuring a Virtual Machine
Task 1: Create differencing disks
1. On the taskbar, click Windows Explorer.
2. Click Computer, and then browse to the following location: E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number of drives on the physical host machine.)
3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click each folder and rename the folders with the names listed below:
o LON-GUEST1
o LON-GUEST2
5. Close Windows Explorer.
6. In the Server Manager console, click the Tools menu and click Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
12. On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then press Enter.
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used with LON-GUEST2 and then press Enter:
New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
16. Close the PowerShell window.
17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent, and then click Close.
Task 2: Create virtual machines
1. From the Tools menu, open Hyper-V Manager, and then click LON-HOST1.
2. In the Hyper-V Manager console, in the Actions pane, click New, and then click Virtual Machine.
3. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Specify Name and Location page, select Store the virtual machine in a different location, enter the following values, and then click Next:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
5. On the Assign Memory page, enter a value of 1024 MB, select the Use Dynamic Memory for this virtual machine option, and then click Next.
6. On the Configure Networking page, for the connection, choose Private Network, and then click Next.
7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click Open and then click Finish.
8. On the Taskbar, click the PowerShell icon.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
10. At the PowerShell prompt, enter the following command to create a new virtual machine named LON-GUEST2:
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
11. Close the PowerShell window.
12. In the Hyper-V Manager console, click LON-GUEST2.
13. In the Actions pane, under LON-GUEST2, click Settings.
14. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Start Action, and set the Automatic Start Action to Nothing.
15. In the Settings for LON-GUEST2 on LON-HOST1 dialog box, click Automatic Stop Action, and set the Automatic Stop Action to Shut down the guest operating system.
16. Click OK to close the Settings for LON-GUEST2 on LON-HOST1 dialog box.
Task 3: Enable resource metering
1. On the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
3. At the Windows PowerShell prompt, enter the following commands to enable resource metering on the virtual machines:
Enable-VMResourceMetering LON-GUEST1
Enable-VMResourceMetering LON-GUEST2
Results: After this exercise, you should have deployed two separate virtual machines using a sysprepped virtual hard disk file as a parent disk for two differencing disks.
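As an added check for this exercise (not part of the 20410A lab), the following Windows PowerShell script, run elevated on LON-HOST1, walks each differencing disk's parent chain with Get-VHD, confirms both LON-GUEST disks hang off Base12A-WS2012-RC.vhd, and reports whether the base file is still writable, since any write to the parent silently invalidates every child built on it. The paths are the lab's (drive letter may differ); the read-only attribute approach is an assumption about how you want to protect the base.

```powershell
# Added check for Module 13, Exercise 3 (not part of the 20410A lab).
# Run in an elevated Windows PowerShell session on LON-HOST1.
Import-Module Hyper-V

function Get-VhdChain {
    param([Parameter(Mandatory)][string]$Path)
    # Walk from a child disk up through ParentPath until the base (non-differencing) disk.
    $chain   = @()
    $current = $Path
    while ($current) {
        $vhd = Get-VHD -Path $current   # fails if a parent in the chain is missing or moved
        $chain += [pscustomobject]@{
            Path     = $vhd.Path
            Type     = $vhd.VhdType
            Parent   = $vhd.ParentPath
            ReadOnly = (Get-Item -Path $vhd.Path).IsReadOnly
        }
        if ($vhd.VhdType -ne 'Differencing') { break }
        $current = $vhd.ParentPath
    }
    return $chain
}

function Test-DifferencingSetup {
    param(
        [string]  $Base     = 'E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd',
        [string[]]$Children = @(
            'E:\Program Files\Microsoft Learning\Base\LON-GUEST1\LON-GUEST1.vhd',
            'E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd')
    )
    $findings = @()
    foreach ($child in $Children) {
        if (-not (Test-Path -Path $child)) { $findings += "Missing child disk: $child"; continue }
        $chain = @(Get-VhdChain -Path $child)
        $top   = $chain[0]
        $root  = $chain[-1]
        if ($top.Type -ne 'Differencing') { $findings += "$child is not a differencing disk" }
        if ($root.Path -ne $Base) { $findings += "$child does not chain to the expected base (found $($root.Path))" }
        if ($chain.Count -gt 2) {
            $findings += "$child has $($chain.Count - 1) parents; long chains slow I/O and widen the blast radius of a damaged parent"
        }
    }
    # Any write to the base invalidates every child that depends on it, so keep it read-only.
    if ((Test-Path -Path $Base) -and -not (Get-Item -Path $Base).IsReadOnly) {
        $findings += "Base disk $Base is writable; run Protect-BaseVhd to set the read-only attribute"
    }
    [pscustomobject]@{ Findings = $findings; Compliant = ($findings.Count -eq 0) }
}

function Protect-BaseVhd {
    param([Parameter(Mandatory)][string]$Path)
    # Hyper-V only reads a parent disk, so the file attribute does not affect the guests.
    Set-ItemProperty -Path $Path -Name IsReadOnly -Value $true
    (Get-Item -Path $Path).IsReadOnly
}

Test-DifferencingSetup | Format-List
```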
Exercise 4: Using Virtual Machine Snapshots
Task 1: Deploy Windows Server 2012 in a virtual machine
1. In the Hyper-V Manager console, click on LON-GUEST1.
2. In the Actions pane, click Start.
3. Double-click LON-GUEST1 to open the Virtual Machine Connection window.
4. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection Window, on the Settings page, click Skip.
5. On the Settings page, select the I accept the license terms for using Windows check box, and then click Accept.
6. On the Settings page, click Next to accept the Region and Language settings.
7. On the Settings page, enter the password Pa$$w0rd twice, and then click Finish.
8. In the LON-GUEST1 on LON-HOST1 - Virtual Machine Connection window, from the Action menu, click Ctrl+Alt+Delete. Log on to the virtual machine using the account Administrator and the password Pa$$w0rd.
9. On the virtual machine, in the Server Manager console click Local Server, and then click the randomly assigned name next to the computer name.
10. In the System Properties dialog box, on the Computer Name tab, click Change.
11. Set the Computer Name to LON-GUEST1, and then click OK.
12. In the Computer Name/Domain Changes dialog box, click OK.
13. Click Close to close the System Properties dialog box.
14. In the Microsoft Windows dialog box, click Restart Now.
Task 2: Create a virtual machine snapshot
1. Log on to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd.
2. In the Server Manager console, click the Local Server node, and verify that the name of the computer is set to LON-GUEST1.
3. In the Virtual Machine Connection window, from the Action menu, click Snapshot.
4. In the Snapshot Name dialog box, enter the name Before Change, and then click Yes.
Task 3: Modify the virtual machine
1. In the Server Manager console, click Local Server, and then next to Computer name, click LON-GUEST1.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. Set the Computer Name to LON-Computer1, and then click OK.
4. In the Computer Name/Domain Changes dialog box, click OK.
5. Close the System Properties dialog box.
6. In the Microsoft Windows dialog box, click Restart Now.
7. Log back on to the LON-GUEST1 virtual machine using the Administrator account and the password Pa$$w0rd.
8. In the Server Manager console, click Local Server, and verify that the server name is set to LON-Computer1.
Task 4: Revert to the existing virtual machine snapshot
1. In the Virtual Machine Connection window, from the Action menu, click Revert.
2. In the Revert Virtual Machine dialog box, click Revert.
3. In the Server Manager console, in the Local Server node, verify that the Computer name is set to LON-GUEST1.
Task 5: View resource metering data
1. On LON-HOST1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell command-line prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
3. At the Windows PowerShell command-line prompt, enter the following command to retrieve resource metering information:
Measure-VM LON-GUEST1
4. Note the average CPU, average random access memory (RAM), and total disk usage figures.
5. Close the Windows PowerShell window.
Task 6: Revert the virtual machines
1. Click on the Windows PowerShell icon on the taskbar.
2. In the Windows PowerShell window, enter the following command, and then press Enter:
Shutdown /r /t 5
3. From the Windows Boot Manager, choose Windows Server 2008 R2.
Results: After this exercise, you should have used virtual machine snapshots to recover from a virtual machine misconfiguration.