Microsoft Official Learning Product 20417A

Upgrading Your Skills to MCSA Windows Server 2012

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.

Product Number: 20417A
Part Number: X18-48638
Released: 08/2012

MICROSOFT LICENSE TERMS


OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by an MCT at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.

g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.

h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led
courseware that educates IT professionals or developers on Microsoft technologies.

j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.

k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.

m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.

a. If you are an Authorized Learning Center:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,


5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.

b. If you are an MPN Member:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
c. If you are an End User:
You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.


d. If you are an MCT:

i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed
Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of customize refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable
installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

• install more copies of the Licensed Content on devices than the number of licenses you acquired;
• allow more individuals to access the Licensed Content than the number of licenses you acquired;
• publicly display, or make the Licensed Content available for others to access or use;
• install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement;
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
• access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
• access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
• transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.

7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.

13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to
• anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of this
Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot modify. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and
its suppliers compensation for direct damages only, up to US$5.00. You may not claim compensation for any
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, to services, or to content (including code) appearing on
third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent
permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not permit the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not modify the rights conferred on you by the laws of your country if
those laws do not permit it to do so.
Revised December 2011

Acknowledgments


Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Stan Reimer, Content Developer

Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some
of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft
Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12
years.

Damir Dizdarevic, Subject Matter Expert/Content Developer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager
and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has
more than 17 years of experience on Microsoft platforms and he specializes in Windows Server,
Exchange Server, security, and virtualization. He has worked as a subject-matter expert and technical
reviewer on many Microsoft Official Courses (MOC) courses, and has published more than 400 articles in
various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated
speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable
Professional for Windows Server Infrastructure Management.

Gary Dunlop, Subject Matter Expert

Gary Dunlop is based in Winnipeg, Canada and is a technical consultant and trainer for Broadview
Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.

Siegfried Jagott, Content Developer

Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at
Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft
Press), and has authored and technically reviewed several Microsoft Official Curriculum (MOC) courses
on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or
Exchange Server 2007 to Exchange Server 2010 SP1. He has coauthored various books on Windows,
Microsoft System Center Virtual Machine Manager, and Exchange, and is a frequent presenter on these
topics at international conferences such as IT & Dev Connections Spring 2012 in Las Vegas. Siegfried
has planned, designed, and implemented some of the world's largest Windows and Exchange Server
infrastructures for international customers. He received an MBA from Open University in England, and has
been an MCSE since 1997.

Orin Thomas, Content Developer

Orin Thomas is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.
He has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in
Australia and around the world on Windows Server, Windows Client, System Center, and security topics.
Orin founded and runs the Melbourne System Center Users Group.

Vladimir Meloski, Content Developer

Vladimir is a Microsoft Certified Trainer, an MVP on Exchange Server, and consultant, providing unified
communications and infrastructure solutions based on Microsoft Exchange Server, Lync Server, and
System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft
conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and
technical expert. He has also been involved as a subject matter expert and technical reviewer for several
Microsoft Official Curriculum courses.

Contents

Module 1: Installing and Configuring Servers Based on Windows Server 2012
Lesson 1: Installing Windows Server 2012 .... 1-2
Lesson 2: Configuring Windows Server 2012 .... 1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers .... 1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012 .... 1-25

Module 2: Monitoring and Maintaining Windows Server 2012
Lesson 1: Reasons for Monitoring Servers .... 2-2
Lesson 2: Implementing Windows Server Backup .... 2-11
Lesson 3: Implementing Server and Data Recovery .... 2-15
Lab: Monitoring and Maintaining Windows 2012 Servers .... 2-19

Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0
Lesson 1: Overview of Windows PowerShell 3.0 .... 3-2
Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS .... 3-9
Lesson 3: Managing Servers by Using Windows PowerShell 3.0 .... 3-20
Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0 .... 3-26

Module 4: Managing Storage for Windows Server 2012
Lesson 1: New Features in Windows Server 2012 Storage .... 4-2
Lesson 2: Configuring iSCSI Storage .... 4-12
Lesson 3: Configuring Storage Spaces in Windows Server 2012 .... 4-18
Lab A: Managing Storage for Servers Based on Windows Server 2012 .... 4-23
Lesson 4: Configuring BranchCache in Windows Server 2012 .... 4-25
Lab: Implementing BranchCache .... 4-36

Module 5: Implementing Network Services
Lesson 1: Implementing DNS and DHCP Enhancements .... 5-2
Lesson 2: Implementing IP Address Management .... 5-10
Lesson 3: NAP Overview .... 5-14
Lesson 4: Implementing NAP .... 5-20
Lab: Implementing Network Services .... 5-25

Module 6: Implementing DirectAccess
Lesson 1: Overview of DirectAccess .... 6-2
Lesson 2: Installing and Configuring DirectAccess Components .... 6-14
Lab: Implementing DirectAccess .... 6-24

Module 7: Implementing Failover Clustering
Lesson 1: Overview of Failover Clustering .... 7-2
Lesson 2: Implementing a Failover Cluster .... 7-13
Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster .... 7-18
Lesson 4: Maintaining a Failover Cluster .... 7-22
Lesson 5: Implementing a Multisite Failover Cluster .... 7-27
Lab: Implementing Failover Clustering .... 7-32

Module 8: Implementing Hyper-V
Lesson 1: Configuring Hyper-V Servers .... 8-2
Lesson 2: Configuring Hyper-V Storage .... 8-8
Lesson 3: Configuring Hyper-V Networking .... 8-16
Lesson 4: Configuring Hyper-V Virtual Machines .... 8-21
Lab: Implementing Server Virtualization with Hyper-V .... 8-27

Module 9: Implementing Failover Clustering with Hyper-V
Lesson 1: Overview of the Integration of Hyper-V with Failover Clustering .... 9-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters .... 9-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement .... 9-14
Lesson 4: Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager .... 9-19
Lab: Implementing Failover Clustering with Hyper-V .... 9-29

Module 10: Implementing Dynamic Access Control
Lesson 1: Overview of Dynamic Access Control .... 10-2
Lesson 2: Planning for a Dynamic Access Control Implementation .... 10-8
Lesson 3: Configuring Dynamic Access Control .... 10-13
Lab: Implementing Dynamic Access Control .... 10-22

Module 11: Implementing Active Directory Domain Services
Lesson 1: Deploying AD DS Domain Controllers .... 11-2
Lesson 2: Configuring AD DS Domain Controllers .... 11-11
Lesson 3: Implementing Service Accounts .... 11-16
Lesson 4: Implementing Group Policy in AD DS .... 11-19
Lesson 5: Maintaining AD DS .... 11-28
Lab: Implementing AD DS .... 11-35

Module 12: Implementing Active Directory Federation Services
Lesson 1: Overview of Active Directory Federation Services .... 12-2
Lesson 2: Deploying Active Directory Federation Services .... 12-11
Lesson 3: Implementing AD FS for a Single Organization .... 12-17
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario .... 12-23
Lab: Implementing AD FS .... 12-28

Lab Answer Keys

Module 1 Lab: Installing and Configuring Servers Based on Windows Server 2012
Module 2 Lab: Monitoring and Maintaining Windows 2012 Servers
Module 3 Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0
Module 4 Lab A: Managing Storage for Servers Based on Windows Server 2012
Module 4 Lab B: Implementing BranchCache
Module 5 Lab: Implementing Network Services
Module 6 Lab: Implementing DirectAccess
Module 7 Lab: Implementing Failover Clustering
Module 8 Lab: Implementing Server Virtualization with Hyper-V
Module 9 Lab: Implementing Failover Clustering with Hyper-V
Module 10 Lab: Implementing Dynamic Access Control
Module 11 Lab: Implementing AD DS
Module 12 Lab: Implementing AD FS

L1-1
L2-7
L3-15
L4-19
L4-26
L5-31
L6-43
L7-55
L8-63
L9-71
L10-77
L11-89
L12-97

About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
Note: This first release (A) Microsoft Official Courses (MOC) version of course 20417A has
been developed on Windows Server 2012 RC. Microsoft Learning will release a B version of
this course after the release-to-manufacturing (RTM) version of the software is available.

This course is designed primarily for people who want to upgrade their technical skills from Windows
Server 2008 and Windows Server 2008 R2 to Windows Server 2012. It presumes a high level of knowledge
about previous Windows Server versions. This course also serves as preparation for taking exam 70-417,
on the upgrade path to a new MCSA: Windows Server 2012 certification.

Audience

The primary audience for this course is Information Technology (IT) professionals who are experienced
Windows Server 2008 Server Administrators, and who carry out day-to-day management and
administrative tasks, and want to update their skills and knowledge to Windows Server 2012.

The secondary audience for this course includes candidates who hold existing credentials in Windows
Server 2008 at Technology Specialist (TS) or Professional (PRO) level, and who want to migrate their
current credentials to the new credential of Microsoft Certified Solutions Associate (MCSA) with Windows
Server 2012.

Student Prerequisites

In addition to their professional experience, students who attend this training should have the following
technical knowledge:

Two or more years of experience deploying and managing Windows Server 2008

Experience with Windows networking technologies and implementation

Experience with Active Directory technologies and implementation

Experience with Windows Server 2008 server virtualization technologies and implementation

Students attending this course are expected to have passed the following exams, or have equivalent
knowledge:

Exam 70-640: Windows Server 2008 Active Directory, Configuring

Exam 70-642: Windows Server 2008 Network Infrastructure, Configuring

Exam 70-646: Windows Server 2008, Server Administrator

Course Objectives
After completing this course, students will be able to:

Install and configure Windows Server 2012 servers.

Monitor and maintain Windows Server 2012 servers.

Use Windows PowerShell 3.0 to manage Windows Server 2012 servers.

Configure storage on Windows Server 2012 servers.

Deploy and manage network services.

Deploy and manage a DirectAccess infrastructure.

Provide high availability for network services and applications by implementing failover clustering.

Deploy and configure virtual machines on Hyper-V.

Deploy and manage Hyper-V virtual machines in a failover cluster.

Configure Dynamic Access Control to manage and audit access to shared files.

Implement the new features in Active Directory Domain Services (AD DS) for Windows Server 2012.

Plan and implement an Active Directory Federation Services (AD FS) deployment.

Course Outline
This section provides an outline of the course:
Module 1, Installing and Configuring Servers Based on Windows Server 2012
Module 2, Monitoring and Maintaining Windows Server 2012
Module 3, Managing Windows Server 2012 by Using Windows PowerShell 3.0
Module 4, Managing Storage for Windows Server 2012
Module 5, Implementing Network Services
Module 6, Implementing DirectAccess
Module 7, Implementing Failover Clustering
Module 8, Implementing Hyper-V
Module 9, Implementing Failover Clustering with Hyper-V
Module 10, Implementing Dynamic Access Control
Module 11, Implementing Active Directory Domain Services
Module 12, Implementing Active Directory Federation Services

Exam/Course Mapping

This course, 20417A: Upgrading Your Skills to MCSA Windows Server 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-417: Upgrading Your Skills to MCSA Windows
Server 2012.
The table below is provided as a study aid to assist you in preparing for this exam and to show you how
the exam objectives and the course content fit together. The course is not designed exclusively to
support the exam; rather, it provides broader knowledge and skills to allow a real-world implementation
of the particular technology. The course also contains content that is not directly covered in the
examination and draws on the unique experience and skills of your qualified Microsoft Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab2.

Exam Objective Domains and Course Content

Exam 70-410: Installing and Configuring Windows Server 2012

Install and Configure Servers

Install servers. This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server.
  Course content: Mod 1, Lesson 1/2. Lab: Mod 1, Ex 1.

Configure servers. This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming.
  Course content: Mod 1, Lesson 2/3. Lab: Mod 1, Ex 2/3.

Configure local storage. This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools.
  Course content: Mod 4, Lesson 3. Lab: Mod 4, Ex 2/3.

Configure Server Roles and Features

Configure servers for remote management. This objective may include but is not limited to: Configure WinRM; configure down-level server management; configure servers for day-to-day management tasks; configure multi-server management; configure Server Core; configure Windows Firewall.
  Course content: Mod 1, Lesson 1/2/3. Lab: Mod 1, Ex 1/2.

Configure Hyper-V

Create and configure virtual machine settings. This objective may include but is not limited to: Configure dynamic memory; configure smart paging; configure Resource Metering; configure guest integration services.
  Course content: Mod 8, Lesson 1/4. Lab: Mod 8, Ex 3.

Create and configure virtual machine storage. This objective may include but is not limited to: Create VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre Channel adapter.
  Course content: Mod 8, Lesson 2. Lab: Mod 8, Ex 2/3.

Create and configure virtual networks. This objective may include but is not limited to: Implement Hyper-V Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC addresses; configure network isolation; configure synthetic and legacy virtual network adapters.
  Course content: Mod 8, Lesson 3.

Install and Administer Active Directory

Install domain controllers. This objective may include but is not limited to: Add or remove a domain controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV record registration issues; configure a global catalog server.
  Course content: Mod 11, Lesson 1/2. Lab: Mod 11, Ex 2/3.

Exam 70-411: Administering Windows Server 2012

Deploy, Manage, and Maintain Servers

Monitor servers. This objective may include but is not limited to: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring.
  Course content: Mod 2, Lesson 1. Lab: Mod 2, Ex 1.

Configure Network Services and Access

Configure DirectAccess. This objective may include but is not limited to: Implement server requirements; implement client configuration; configure DNS for Direct Access; configure certificates for Direct Access.
  Course content: Mod 6, Lesson 1/2. Lab: Mod 6, Ex 1/2/3.

Configure a Network Policy Server Infrastructure

Configure Network Access Protection (NAP). This objective may include but is not limited to: Configure System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure NAP client settings.
  Course content: Mod 5, Lesson 4. Lab: Mod 5, Ex 3.

Configure and Manage Active Directory

Configure Domain Controllers. This objective may include but is not limited to: Configure Universal Group Membership Caching (UGMC); transfer and seize operations masters; install and configure a read-only domain controller (RODC); configure Domain Controller cloning.
  Course content: Mod 11, Lesson 1/2. Lab: Mod 11, Ex 1.

Maintain Active Directory. This objective may include but is not limited to: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore.
  Course content: Mod 11, Lesson 5. Lab: Mod 11, Ex 2.

Configure and Manage Group Policy

Configure Group Policy processing. This objective may include but is not limited to: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior.
  Course content: Mod 11, Lesson 4.

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Configure and Manage High Availability

Configure failover clustering. This objective may include but is not limited to: Configure Quorum; configure cluster networking; restore single node or cluster configuration; configure cluster storage; implement Cluster Aware Updating; upgrade a cluster.
  Course content: Mod 7, Lesson 1/2/4. Lab: Mod 7, Ex 1/2/4.

Manage failover clustering roles. This objective may include but is not limited to: Configure role-specific settings including continuously available shares; configure VM monitoring; configure failover and preference settings.
  Course content: Mod 7, Lesson 3/4. Lab: Mod 7, Ex 2.

Manage Virtual Machine (VM) movement. This objective may include but is not limited to: Perform live migration; perform quick migration; perform storage migration; import, export, and copy VMs; migrate from other platforms (P2V and V2V).
  Course content: Mod 8, Lesson 4; Mod 9, Lesson 3/4. Lab: Mod 9, Ex 3.

Configure File and Storage Solutions

Implement Dynamic Access Control (DAC). This objective may include but is not limited to: Configure user and device claim types; implement policy changes and staging; perform access-denied remediation; configure file classification.
  Course content: Mod 10, Lesson 1/2/3. Lab: Mod 10, Ex 2/3/4/5.

Implement Business Continuity and Disaster Recovery

Configure and manage backups. This objective may include but is not limited to: Configure Windows Server backups; configure Windows Online backups; configure role-specific backups; manage VSS settings using VSSAdmin; create System Restore snapshots.
  Course content: Mod 2, Lesson 2. Lab: Mod 2, Ex 2/3/4.

Configure site-level fault tolerance. This objective may include but is not limited to: Configure Hyper-V Replica including Hyper-V Replica Broker and VMs; configure multi-site clustering including network settings, Quorum, and failover settings.
  Course content: Mod 9, Lesson 1/3. Lab: Mod 9, Ex 1.

Configure Network Services

Deploy and manage IPAM. This objective may include but is not limited to: Configure IPAM manually or by using Group Policy; configure server discovery; create and manage IP blocks and ranges; monitor utilization of IP address space; migrate to IPAM; delegate IPAM administration; manage IPAM collections.
  Course content: Mod 5, Lesson 2. Lab: Mod 5, Ex 2.

Configure Identity and Access Solutions

Implement Active Directory Federation Services 2.1 (AD FS v2.1). This objective may include but is not limited to: Implement claims-based authentication including Relying Party Trusts; configure Claims Provider Trust rules; configure attribute stores including Active Directory Lightweight Directory Services (AD LDS); manage AD FS certificates; configure AD FS proxy, Integration with Cloud Services.
  Course content: Mod 12, Lesson 1/2/3. Lab: Mod 12, Ex 1/2/3/4.
Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:

Experience with implementing, managing and administering a Windows Server 2008 and Windows
Server 2008 R2 environment

Knowledge equivalent to the MCSA: Windows Server 2008 credential

Minimum of one to two years of real-world, hands-on experience installing and configuring a Windows
Server infrastructure

Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to
change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online and will provide no notification of such changes.

Course Materials

The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it is
needed.

Course evaluation: At the end of the course, you have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send email to
mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab. For the Module 8
lab, you should leave the virtual machines running for the Module 9 lab.

The following table shows the role of each virtual machine used in this course:

Virtual machine    Role
20417A-LON-DC1     Domain controller that is running Windows Server 2012 in the Adatum.com domain
20417A-LON-SVR1    Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR2    Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR3    Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR4    Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR5    Server with blank VHD
20417A-LON-TMG     Threat Management Gateway server in Adatum.com domain
20417A-MUN-DC1     Domain controller that is running Windows Server 2012 in the TreyResearch.com domain
20417A-LON-CL1     Client computer running Windows 8 and Office 2010 Service Pack 1 (SP1) in the Adatum.com domain
20417A-LON-CL2     Client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain

Software Configuration
The following software is installed on each virtual machine:

Windows Server 2012 RC

Windows 8 RP

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 6

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120 gigabyte (GB) hard disks 7200 RPM SATA or better*

8 GB random access memory (RAM) or higher

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft Mouse or compatible pointing device

Sound card with amplified speakers

Module 1
Installing and Configuring Servers Based on Windows Server 2012
Contents:
Module Overview  1-1
Lesson 1: Installing Windows Server 2012  1-2
Lesson 2: Configuring Windows Server 2012  1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers  1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012  1-25
Module Review and Takeaways  1-30

Module Overview

Knowing the capabilities of the Windows Server 2012 operating system enables you to use it effectively,
and to take complete advantage of what it can offer your organization. Some of the many improvements
to Windows Server 2012 include:

Increased scalability and performance

Virtualization features, such as Hyper-V Replica

Improved Windows PowerShell and scripting support

High performance SMB 3.0 file shares

This module introduces you to Windows Server 2012, how to install it, how to perform post-installation
configuration tasks, and how to configure it to support remote management.

Objectives
After completing this module, you will be able to:

Describe the installation requirements for Windows Server 2012.

Configure Windows Server 2012.

Configure Windows Remote Management.

Install the Windows Server 2012 operating system on servers.


Lesson 1
Installing Windows Server 2012

You must have a firm understanding of your organization's requirements so that you can deploy the
appropriate edition of Windows Server 2012. You must also understand which hardware configuration
is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a
physical deployment, and which installation source enables you to deploy Windows Server 2012
efficiently.


This lesson provides an overview of the different Windows Server 2012 editions, hardware requirements,
deployment options, and installation process.

Lesson Objectives
After completing this lesson you will be able to:

Describe the different editions of Windows Server 2012.

Determine whether a particular hardware configuration is appropriate for Windows Server 2012.

Explain how to perform a physical or a virtual deployment of Windows Server 2012.

Select an appropriate installation source for a Windows Server 2012 deployment.

Determine when you can upgrade and when you must migrate to Windows Server 2012.

Decide between a Server Core installation and full installation.

Install Windows Server 2012.

Perform post-installation configuration tasks.

Windows Server 2012 Editions

There are several editions of Windows Server 2012. Organizations can select the edition of Windows
Server 2012 that best meets their needs. Systems Administrators can save costs by selecting the
appropriate edition when deploying a server for a specific role. The editions of Windows Server 2012
are listed in the following table.

Edition  Description

Windows Server 2012 Standard edition
  Provides all roles and features available on the Windows Server 2012 platform.
  Supports up to 64 sockets and up to 4 terabytes (TB) of RAM.
  Includes 2 virtual machine licenses.

Windows Server 2012 Datacenter edition
  Provides all roles and features that are available on the Windows Server 2012 platform.
  Supports 64 sockets, up to 640 processor cores, and up to 4 terabytes of RAM.
  Includes unlimited virtual machine licenses for virtual machines run on the same hardware.

Windows Server 2012 Foundation edition
  Allows only 15 users and cannot be joined to a domain.
  Supports one processor core and up to 32 GB of RAM.
  Includes limited server roles.

Windows Server 2012 Essentials
  Serves as the next edition of Small Business Server.
  Cannot function as a Hyper-V, failover clustering, server core, or remote desktop services server.
  Supports up to 25 users, 50 devices.
  Supports 2 processor cores and 64 GB of RAM.
  Must be root server in domain.

Microsoft Hyper-V Server 2012
  Stand-alone Hyper-V platform for virtual machines with no UI.
  No licensing cost for host OS; virtual machines are licensed normally.
  Supports 64 sockets and 4 TB of RAM.
  Supports domain join.
  Does not support Windows Server 2012 roles other than limited file services features.

Windows Storage Server 2012 Workgroup
  Entry-level unified storage appliance.
  Supports up to 50 users.
  Supports one processor core, 32 GB of RAM.
  Supports domain join.

Windows Storage Server 2012 Standard
  Supports 64 sockets, but is licensed on a 2 socket incrementing basis.
  Supports 4 TB of RAM.
  Includes 2 virtual machine licenses.
  Supports domain join.
  Supports some roles, including DNS and DHCP Server roles, but does not support others, including
  Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and Active
  Directory Federation Services (AD FS).

Windows MultiPoint Server 2012 Standard
  Supports multiple users accessing the same host computer directly using separate mouse, keyboard,
  and monitors.
  Supports one socket, 32 GB of RAM and a maximum of 12 sessions.
  Supports some roles, including DNS and DHCP Server roles, but does not support others, including
  AD DS, AD CS, and AD FS.
  Does not support domain join.

Windows MultiPoint Server 2012 Premium
  Supports multiple users accessing the same host computer directly using separate mouse, keyboard,
  and monitors.
  Limited to 2 sockets, 4 TB of RAM and a maximum of 22 sessions.
  Supports some roles, including DNS and DHCP Server roles, but does not support others, including
  AD DS, AD CS, and AD FS.
  Supports domain join.

Additional Reading: For more information about the differences between Windows Server
2012 editions, see http://www.windowsservercatalog.com/svvp.aspx.

Hardware Requirements for Installing Windows Server 2012

Hardware requirements define the absolute minimum required to run the server software. The actual
hardware requirements depend on the services that the server is hosting, the load on the server, and
how responsive you want the server to be. The services and features of each role put a unique load on
network, disk I/O, processor, and memory resources.

Virtualized deployments of Windows Server 2012 must match the same hardware specifications as
physical deployments. Windows Server 2012 is supported on Hyper-V and certain third-party
virtualization platforms.


The minimum hardware requirements for Windows Server 2012 are shown in the following table.

Component                 Requirement
Processor architecture    x86-64
Processor speed           1.4 GHz
Memory (RAM)              512 MB
Hard disk drive space     32 GB, or more if the server has more than 16 GB of RAM

Additional Reading: For more information about the Windows Server Virtualization
Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.
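The following PowerShell is an added example, not part of the course materials: a pre-deployment check that evaluates a host against the minimums in the table above, including the rule that 32 GB of disk stops being enough once the server has more than 16 GB of RAM. The function names, the CIM-based collector and the constructed sample host are my assumptions; because the course does not say how much more disk is needed above 16 GB of RAM, the check treats anything at or below 32 GB as insufficient in that case.

```powershell
# Added example; not from the course. Compares a hardware description with the
# Windows Server 2012 minimums listed in the table above (x86-64, 1.4 GHz,
# 512 MB RAM, 32 GB disk, more disk when RAM exceeds 16 GB).
# Assumption: the course gives no figure for "more", so a disk of 32 GB or
# less is reported as insufficient whenever RAM is above 16 GB.

function Test-WS2012Minimums {
    param(
        [Parameter(Mandatory)] [string] $Architecture,  # 'x86-64' expected
        [Parameter(Mandatory)] [int]    $CpuMHz,        # maximum clock speed in MHz
        [Parameter(Mandatory)] [double] $RamGB,
        [Parameter(Mandatory)] [double] $SystemDiskGB   # free space on the target volume
    )

    $findings = @()

    if ($Architecture -ne 'x86-64') {
        $findings += "Processor architecture is '$Architecture'; x86-64 is required."
    }
    if ($CpuMHz -lt 1400) {
        $findings += "Processor speed is $CpuMHz MHz; minimum is 1.4 GHz."
    }
    if ($RamGB -lt 0.5) {
        $findings += ("Memory is {0:N2} GB; minimum is 512 MB." -f $RamGB)
    }
    if ($SystemDiskGB -lt 32) {
        $findings += ("Disk space is {0:N1} GB; minimum is 32 GB." -f $SystemDiskGB)
    }
    elseif ($RamGB -gt 16 -and $SystemDiskGB -le 32) {
        # Edge case from the table: more than 16 GB of RAM needs more than the
        # 32 GB baseline (assumed threshold: anything above 32 GB).
        $findings += ("Disk space is {0:N1} GB with {1:N0} GB of RAM; more than 32 GB is required when RAM exceeds 16 GB." -f $SystemDiskGB, $RamGB)
    }

    [pscustomobject]@{
        MeetsMinimums = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Collects the same four values from the local host using CIM
# (Get-CimInstance is available from Windows PowerShell 3.0). Returns a
# hashtable so it can be splatted straight into Test-WS2012Minimums.
function Get-LocalHardwareFacts {
    param([string] $SystemDrive = $env:SystemDrive)

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"

    # Win32_Processor.Architecture: 9 = x64 (documented CIM value)
    $arch = if ($cpu.Architecture -eq 9) { 'x86-64' } else { "architecture-$($cpu.Architecture)" }

    @{
        Architecture = $arch
        CpuMHz       = [int] $cpu.MaxClockSpeed
        RamGB        = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)  # value is in KB
        SystemDiskGB = [math]::Round($disk.FreeSpace / 1GB, 1)             # value is in bytes
    }
}

# Constructed sample host (not a real machine): meets every minimum except the
# RAM-dependent disk rule, so exactly one finding is reported.
$sample = Test-WS2012Minimums -Architecture 'x86-64' -CpuMHz 2400 -RamGB 24 -SystemDiskGB 32
$sample.Findings

# Live check of the machine the script runs on:
$facts = Get-LocalHardwareFacts
Test-WS2012Minimums @facts
```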

Considerations for Deploying Physical or Virtual Machines

With virtualization you can be more efficient in the way that you allocate resources to servers. Instead
of allocating separate hardware to a server that minimally uses resources, you can virtualize that
server and enable those minimally used hardware resources to be shared with other virtual machines.

When determining whether to deploy a server physically or virtually, you must determine how that
server uses hardware resources. Consider these points:

Servers that constantly put hardware under resource pressure are poor candidates for
virtualization. This is because virtual machines share resources. A single virtual machine that uses a
disproportionate amount of hypervisor resources can have an adverse effect on other virtual
machines hosted on the same hypervisor.

Servers that put minimal pressure on hardware resources are good candidates for virtualization. These
servers are unlikely to monopolize the host resources, ensuring that each virtual machine hosted on
the hypervisor can access enough hardware resources to perform adequately.

For example, a particular database server that heavily uses disk and network resources would be better
deployed on a physical computer. If it were deployed as a virtual machine, other virtual machines on the
same hypervisor would have to compete for access to those heavily-used disk and network resources.
Alternatively, allocating a physical platform to a server that requires minimal hardware resources, such as
a server running Certificate Services, means that powerful hardware is underused.

Other things to consider when determining whether to deploy a server virtually or physically are:

High Availability. After you have built a highly available virtual machine cluster, any virtual machine
deployed to that cluster also becomes highly available. This is simpler than setting up separate
failover clusters for physical servers that host the same role.

Scalability. Moving a virtual machine with its associated applications and data to a new host platform
is significantly simpler than migrating a physically deployed server, its applications, and data to a new
host platform. If you must quickly scale up capacity, you can also migrate a virtual machine to a cloud
provider, something that is far more difficult to do with a physically deployed server.

Windows Server 2012 Installation Sources

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format. You can
install Windows Server 2012 by using several methods, including those listed in the following table.

Method  Notes

Optical media
  Requires that the computer has access to a DVD drive.
  Optical media is usually slower than USB media.
  You cannot update the installation image without replacing the media.
  You can only perform one installation per DVD at a time.

USB media
  Requires the administrator to perform special steps to prepare USB media from an ISO file.
  All computers support booting from USB media.
  Image can be updated as new software updates and drivers become available.
  Answer file can be stored on the USB drive, reducing the interaction that the administrator must
  perform.

Mounted ISO image
  Virtualization software enables you to directly mount the ISO image.
  Does not require writing the ISO image to optical media.

Network share
  Deploy from installation files on a network share.
  Requires you to boot the server off a boot device (DVD or USB drive) and install from installation
  files hosted on a network share.
  Much slower than using Windows Deployment Services (WDS).
  If you already have access to DVD or USB media, it is simpler to use those tools for operating system
  deployment.

Windows Deployment Services (WDS)
  WDS lets you deploy Windows Server 2012 from Windows Imaging Format (WIM) image files or
  specially prepared VHD files.
  You can use the Windows Automated Installation Kit to configure lite-touch deployment.
  Clients perform a Pre-Boot Execution Environment (PXE) boot to contact the WDS server. The
  operating system image is then transmitted to the server over the network.
  WDS supports multiple concurrent installations of Windows Server 2012 using multicast network
  transmissions.

System Center Configuration Manager
  Microsoft System Center Configuration Manager enables you to fully automate the deployment of
  Windows Server 2012 to bare metal servers.
  Enables Zero Touch deployment.

Virtual Machine Manager templates
  Requires Virtual Machine Manager (VMM) in System Center.
  Enables rapid deployment of Windows Server 2012 in private cloud scenarios.
  Can be used to enable self-service deployment of Windows Server 2012 virtual machines.

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.

You can install Windows Server 2012 by using several methods, including those listed in the following
table.
Method
Optical media

Notes
Requires that the computer has access to a DVD drive.
Optical media is usually slower than USB media.

You cannot update the installation image without replacing the media.
You can only perform one installation per DVD at a time.
USB media

Requires the administrator to perform special steps to prepare USB


media from ISO file.
All computers support booting from USB media.
Image can be updated as new software updates and drivers become
available.

Answer file can be stored on USB drive, reducing the interaction that the
administrator must perform.
Mounted ISO image

Virtualization software enables you to directly mount the ISO image.


Does not require writing the ISO image to optical media.

Network share

Deploy from installation files on network share.

Requires you boot the server off a boot device (DVD or USB drive) and
install from installation files hosted on a network share.
Much slower than using Windows Deployment Services (WDS).
If you already have access to a DVD or USB media, it is simpler to use
those tools for operating system deployment.

Installing and Configuring Serveers Based on Window


ws Server 2012

Method

No
otes

Windows
W
Deplo
oyment
Se
ervices (WDS)

WDS let you deploy


d
Window
ws Server 2012
2 from Window
ws Imaging
Format (WIM)) image files o r specially pre pared VHD file
es.
he Windows A
Automated Insttallation Kit to
o configure lite
e You can use th
touch deploym
ment.

MCT USE ONLY. STUDENT USE PROHIBITED

1-8

Clients perform a Pre-Boot Execution Envvironment (PXEE) boot to contact


the WDS serve
er. The operat ing system im age is then traansmitted to th
he
server over the network.
dows Server 20
012
WDS supportss multiple conccurrent installaations of Wind
using multicasst network tran
nsmissions.
Syystem Center
Configuration Manager
M

Microsoft Syystem Center C


Configuration M
Manager enab
bles you to fullly
automate the deployment o
of Windows Seerver 2012 to bare metal
servers.
Enables Zero Touch
T
deploym
ment.

Virtual Machine
e
Manager
M
templates

Requires Virtu
ual Machine M
Manager (VMM
M) in System Ce
enter.
of Windows Seerver 2012 in p
private cloud
Enables rapid deployment o
scenarios.

t enable self-sservice deployyment of Wind


dows Server 20
012
Can be used to
virtual machin
nes.
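Whichever source you use, the installation media is the root of trust for every server built from it, so verify the image against the publisher's hash before you boot anything from it. The following PowerShell script is an added example, not part of the course: it checks the SHA-256 of an ISO, then performs the "special steps" the USB media row refers to, building a bootable NTFS installer from the verified image. The ISO path, the expected hash value and the USB disk number are placeholder assumptions that you must replace; the script refuses to wipe a disk that is not on the USB bus or is the system or boot disk.

```powershell
# Added example: verify a Windows Server 2012 ISO, then build a bootable USB installer from it.
# Run in an elevated Windows PowerShell 3.0 session (Storage module ships with Windows Server 2012).
# Hypothetical values: replace the path, the hash and the disk number before use.
$IsoPath       = 'D:\Images\WindowsServer2012.iso'     # assumed location of the downloaded image
$ExpectedHash  = '<paste the publisher-provided SHA-256 here>'
$UsbDiskNumber = 2                                     # assumed; confirm with Get-Disk

function Get-FileSha256 {
    # Streams the file through SHA-256; PowerShell 3.0 has no Get-FileHash cmdlet
    param([Parameter(Mandatory)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

$actual = Get-FileSha256 -Path $IsoPath
if ($actual -ne $ExpectedHash.ToLowerInvariant()) {
    throw "Refusing to use $IsoPath : SHA-256 $actual does not match the expected value"
}

# Mount the verified ISO and find the drive letter Windows gave it
Mount-DiskImage -ImagePath $IsoPath
$isoVolume = Get-DiskImage -ImagePath $IsoPath | Get-Volume
$isoDrive  = "$($isoVolume.DriveLetter):"

# Safety check before destroying a disk: it must be a USB disk and not the one we are running from
$usb = Get-Disk -Number $UsbDiskNumber
if ($usb.BusType -ne 'USB' -or $usb.IsSystem -or $usb.IsBoot) {
    Dismount-DiskImage -ImagePath $IsoPath
    throw "Disk $UsbDiskNumber is not a plain USB data disk (BusType=$($usb.BusType)); aborting"
}

# Wipe, create one active MBR partition and format it NTFS (FAT32 cannot hold an install.wim over 4 GB)
Clear-Disk      -Number $UsbDiskNumber -RemoveData -Confirm:$false
Initialize-Disk -Number $UsbDiskNumber -PartitionStyle MBR
$part = New-Partition -DiskNumber $UsbDiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'WS2012' -Confirm:$false | Out-Null
$part     = Get-Partition -DiskNumber $UsbDiskNumber -PartitionNumber $part.PartitionNumber
$usbDrive = "$($part.DriveLetter):"

# Copy the installation files and write a Windows boot sector; bootsect.exe ships in the ISO's \boot folder
Copy-Item -Path "$isoDrive\*" -Destination "$usbDrive\" -Recurse -Force
& "$isoDrive\boot\bootsect.exe" /nt60 $usbDrive /mbr

Dismount-DiskImage -ImagePath $IsoPath
Write-Output "Bootable installer written to $usbDrive from a hash-verified image"
```

Because the copied files are writable, you can drop an updated driver or an Autounattend.xml answer file onto the USB root afterwards, which is exactly the advantage the table gives USB media over a pressed DVD; re-verify the media whenever it leaves your custody.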

Options for Upgrading and Migrating to Windows Server 2012

When considering whether to upgrade or migrate a server to Windows Server 2012, consider the options described in the following table.

Installation option: Upgrade
An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all these items and want to continue using the same server hardware. An upgrade requires an x64 processor architecture and an x64 edition of the Windows Server operating system. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. You can only upgrade to an equivalent or a later edition of Windows Server 2012. You start an upgrade by running Setup.exe from the original operating system. Check the supported upgrade paths that Microsoft publishes for the released product before planning an upgrade: that list starts at Windows Server 2008 with SP2 and Windows Server 2008 R2 with SP1 (x64 only), and for Windows Server 2003 the supported route is migration.

Installation option: Migration
Use migration when you migrate from an x86 version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. Also use migration when you want to replace the original server with one running a lower edition, for example replacing Windows Server 2008 R2 Enterprise edition with Windows Server 2012 Standard edition. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings from computers running the Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 operating systems.
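The architecture, version, service pack and edition rules above are easy to get wrong when you are staring at a hundred servers, so they are worth encoding once. The function below is an added example, not part of the course: it reads the source operating system from WMI (remotely if you pass a computer name) and returns a recommendation of in-place upgrade or migration together with every rule that failed. The rule set it applies is the one a practitioner would use for the released product: x64 editions of Windows Server 2008 with SP2 and Windows Server 2008 R2 with SP1 qualify for upgrade, Datacenter may only go to Datacenter, and anything else is a migration; the target edition parameter and the computer name are assumptions.

```powershell
# Added example: pre-flight check that decides between in-place upgrade and migration
# for a candidate server. Runs from Windows PowerShell 3.0; requires WMI access to the target.
function Get-UpgradeRecommendation {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,                            # assumed default: local machine
        [ValidateSet('Standard','Datacenter')][string]$TargetEdition = 'Standard'
    )

    $os      = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $version = [version]$os.Version
    # OSArchitecture is absent (null) on Windows Server 2003, which correctly fails the x64 test below
    $is64    = ($os.OSArchitecture -like '64*')
    $sp      = [int]$os.ServicePackMajorVersion

    # Derive the source edition from the caption, e.g. "Microsoft Windows Server 2008 R2 Enterprise"
    $sourceEdition = if     ($os.Caption -match 'Datacenter') { 'Datacenter' }
                     elseif ($os.Caption -match 'Enterprise') { 'Enterprise' }
                     elseif ($os.Caption -match 'Standard')   { 'Standard' }
                     else                                     { 'Other' }

    $reasons = @()
    if (-not $is64) { $reasons += 'source OS is not x64' }
    # 6.0 = Windows Server 2008, 6.1 = Windows Server 2008 R2; 5.2 = Windows Server 2003 / 2003 R2
    if (-not ($version.Major -eq 6 -and $version.Minor -in 0, 1)) {
        $reasons += "version $($os.Version) has no in-place upgrade path"
    }
    if ($version.Major -eq 6 -and $version.Minor -eq 0 -and $sp -lt 2) { $reasons += 'Windows Server 2008 needs SP2 first' }
    if ($version.Major -eq 6 -and $version.Minor -eq 1 -and $sp -lt 1) { $reasons += 'Windows Server 2008 R2 needs SP1 first' }
    if ($sourceEdition -eq 'Other') { $reasons += "edition in '$($os.Caption)' is not an upgrade source" }
    # Edition rule: you can only move to an equivalent or later edition; Datacenter has no lower target
    if ($sourceEdition -eq 'Datacenter' -and $TargetEdition -ne 'Datacenter') {
        $reasons += 'Datacenter cannot be upgraded to Standard; migrate instead'
    }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        SourceOS       = $os.Caption
        Version        = $os.Version
        ServicePack    = $sp
        Is64Bit        = [bool]$is64
        TargetEdition  = $TargetEdition
        Recommendation = if ($reasons.Count -eq 0) { 'In-place upgrade' } else { 'Migrate' }
        Reasons        = ($reasons -join '; ')
    }
}

# Usage: check the local server, or a list of servers pulled from elsewhere (names are assumed)
Get-UpgradeRecommendation -TargetEdition Datacenter | Format-List
'LON-SVR1', 'LON-SVR2' | ForEach-Object { Get-UpgradeRecommendation -ComputerName $_ } |
    Format-Table ComputerName, SourceOS, Recommendation, Reasons -AutoSize
```

Run it before you touch Setup.exe: a server that comes back as Migrate is a candidate for the Windows Server Migration Tools, and the Reasons column tells you which prerequisite (service pack, architecture, edition) blocked the upgrade path.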

Choosing Between Server Core and Full Installation

Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:

- Reduced update requirements. Because Server Core installs fewer components, Server Core deployments require the application of fewer software updates and expose a smaller attack surface. This reduces the time that is required for an administrator to service Server Core.
- Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. This means that when virtualized, more servers can be deployed on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers that have Server Core installations. Microsoft SQL Server 2012 can be installed on computers running the Server Core version of Windows Server 2008 R2.

There are two options for installing Server Core, as described in the following table.

Option: Server Core
This is the standard deployment of Server Core. By default all graphical administration components are in a Removed state. Simply stated, Removed components occupy no disk space on the server. Server Core systems are managed locally by using the command-line interface only, or can be managed by a remote system using graphical administration tools. You can convert to the full version of Windows Server 2012 that includes the graphical administration components only if you have access to an installation source with all server files, such as a mounted WIM image. Any Server Core component in a Removed state can only be installed by using an installation source.

Option: Server Core with Management
This is also known as Server Core-Full Server. It works the same as a deployment of Windows Server 2012 with the graphical components. With this installation option the graphical administration components are not in a Removed state. Instead, these components are available (they are located on the server's disk), but not installed into the operating system. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, without having to specify an installation source.
On a local connection, you can use the tools described in the following table to manage Server Core installations of Windows Server 2012.

Tool: Cmd.exe
Enables you to run traditional command-line utilities, such as ping.exe, ipconfig.exe, and netsh.exe.

Tool: PowerShell.exe
Enables you to start a Windows PowerShell session on the Server Core deployment. You can then perform Windows PowerShell tasks as usual.

Tool: Sconfig.cmd
Command-line, menu-driven administrative tool that enables you to perform the most common server administrative tasks.

Tool: Notepad.exe
Enables you to use the Notepad text editor in the Server Core environment.

Tool: Registry Editor (Regedit.exe)
Provides registry access within the Server Core environment.

Tool: Msinfo32.exe
Enables you to view system information about the Server Core deployment.

Tool: Taskmgr.exe
Starts Task Manager.

Note: If you accidentally close the Command Prompt window on a computer running Server Core, you can restore it using this procedure:
1. Press Ctrl+Alt+Delete.
2. On the menu, click Task Manager.
3. On the File menu, click New Task (Run).
4. Type cmd.exe and then press Enter.

Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the following roles on a computer running Server Core:
1. AD FS
2. Application Server
3. Network Policy and Access Services
4. Windows Deployment Services

Even if a role is available to a computer running the Server Core installation option, a specific role service associated with that role may not be.
Note: You can check which roles and features are not available on Server Core by running the following query. The state name must be quoted; an unquoted bare word after -eq is a PowerShell parse error.
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Removed'}


The Windows Server 2012 administration model focuses on managing many servers from one console instead of the traditional method of managing each server separately. When you want to perform an administrative task, you are more likely to manage multiple computers running the Server Core operating system from one computer than you are to connect to each computer individually. Remote management is enabled by default on Windows Server 2012. If it has been turned off, you can re-enable it on a computer running Server Core by using sconfig.cmd (option 4, Configure Remote Management) or by executing the command:
Configure-SMRemoting.exe -Enable
The netsh firewall context used for this in earlier versions (Netsh.exe firewall set service remoteadmin enable ALL) is deprecated. On Windows Server 2012, open the equivalent firewall rule group with:
Netsh.exe advfirewall firewall set rule group="Remote Administration" new enable=yes

Installation Process for Windows Server 2012

In a typical installation of Windows Server 2012, if you do not have an existing answer file, you perform the following steps:
1. Connect to the installation source. Some options for this include:
   - Inserting a DVD-ROM that has the Windows Server 2012 installation files and booting from the DVD-ROM.
   - Connecting a USB drive that is made bootable and contains a copy of the Windows Server 2012 installation files.
   - Performing a PXE boot from the computer that Windows Server 2012 will be installed on, and connecting to a WDS server.
2. On the first page of the Windows Setup Wizard, select the following:
   - Language to install
   - Time and currency format
   - Keyboard or input method
3. On the second page of the Windows Setup Wizard, click Install now. You can also use this page to select Repair Your Computer. Use this option if an installation has become corrupted and you can no longer boot into Windows Server 2012.
4. On the Select The Operating System You Want To Install page of the Windows Setup Wizard, select from the available operating system installation options. The default option is the Server Core installation.
5. On the License Terms page of the Windows Setup Wizard, review the terms of the operating system license. You must accept the license terms before you can continue with the installation process.
6. On the Which Type Of Installation Do You Want page of the Windows Setup Wizard, you have the following options:
   - Upgrade. Select this option if you have an existing Windows Server installation that you want to upgrade to Windows Server 2012. You should start upgrades from the earlier version of Windows Server instead of booting from the installation source.
   - Custom. Select this option if you want to perform a new installation.
7. On the Where do you want to install Windows page of the Windows Setup Wizard, select an available disk on which to install Windows. You can also choose to repartition and reformat disks from this page. When you click Next, the installation process copies files and restarts the computer several times. This part of the installation can take several minutes, depending on the speed of the platform on which you are installing Windows Server 2012.
8. On the Settings page, provide a password for the local Administrator account. After you have provided this password, you can log on to the server and begin performing post-installation configuration tasks.

Post-Installation Tasks

In earlier versions of Windows operating systems, the installation required you to configure network connections, computer name, user account, and domain membership information. The Windows Server 2012 installation process reduces the number of questions that you have to answer. The only information that you provide during installation is the password that is used by the default local Administrator account. After it is installed, all the following steps can be performed when you select the Local Server node in the Server Manager console:
- Configure the IP address
- Set the computer name
- Join an Active Directory domain
- Configure the time zone
- Enable automatic updates
- Add roles and features
- Enable Remote Desktop
- Configure Windows Firewall settings

Lesson 2

Configuring Windows Server 2012

By correctly configuring a server first, you can avoid significant problems later. When planning to
configure a server, you must determine what roles to deploy. You must also assess whether roles can be
co-located on the same server or if you deploy certain roles on separate servers.

Lesson Objectives
After completing this lesson you will be able to:

Describe Windows Server 2012 server roles.

Install roles and use the Best Practice Analyzer to check role configuration.

Configure a computer running the Server Core installation option.

Switch a computer between Server Core and the full GUI installation option.

Configure networking and network interface teaming.

Demonstration: Exploring Server Manager in Windows Server 2012


In this demonstration, you will see how to use Server Manager to perform the following tasks:

Log on to Windows Server 2012.

View the Windows Server 2012 desktop.

Start the Server Manager console.

Add a server role or feature.

View role related events.

Run the Best Practice Analyzer for a role.

List the tools available from Server Manager.

Open the Start menu.

Log off the currently logged on user.

Restart Windows Server 2012.

Demonstration Steps
1. On LON-DC1, open the Add Roles and Features Wizard from the Server Manager console.
2. In the Add Roles and Features Wizard, select the following options:
   - Role-based or feature-based installation
   - LON-DC1
   - Fax Server role
   - BranchCache feature
3. Use the notification area to review the messages.
4. On the Dashboard, view DNS Events.
5. Configure the DNS - Events Detail View with the following settings:
   - Time period: 12 hours
   - Event Sources: All
6. View the DNS Best Practice Analyzer (BPA) with the following settings:
   - Severity Levels: All
7. Use the Tools menu to view the tools that are installed on LON-DC1.
8. Log off LON-DC1 and then log back on.
9. Open Windows PowerShell and then use the shutdown command to shut the server down.

Server Roles in Windows Server 2012

Roles and their associated role services are still a primary function of a server. For example, if you install the Web Server (IIS) role, Windows Server 2012 by default only selects the critical services that are required for the role to function, which keeps the installed surface to what the role needs. If you want to use additional components with the Web Server (IIS) role, such as Windows Authentication, you must select and install that component as a role service. Windows Server 2012 supports the roles described in the following table.

Role: Active Directory Certificate Services
Enables the deployment of certification authorities and related role services.

Role: AD DS
Centralized store of information about network objects, including user and computer accounts. Used for authentication and authorization.

Role: AD FS
Provides web single sign-on (SSO) and secured identity federation support.

Role: Active Directory Lightweight Directory Services (AD LDS)
Supports storage of application-specific data for directory-aware applications that do not require the full infrastructure of AD DS.

Role: Active Directory Rights Management Services (AD RMS)
Enables you to prevent unauthorized access to sensitive documents by applying rights management policies.

Role: Application Server
Supports centralized management and hosting of high-performance distributed business applications, such as those built with the .NET Framework 4.5 and Enterprise Services.

Role: DHCP Server
Provisions client computers on the network with temporary IP addresses.

Role: DNS Server
Provides name resolution for TCP/IP networks.

Role: Fax Server
Supports sending and receiving of faxes. Also enables you to manage fax resources on the network.

Role: File and Storage Services
Supports the management of shared folders, Distributed File System, and network storage.

Role: Hyper-V
Enables you to host virtual machines on computers running Windows Server 2012.

Role: Network Policy and Access Services
Authorization infrastructure for remote connections, including the Health Registration Authority for Network Access Protection.

Role: Print and Document Services
Supports centralized management of document tasks, including network scanners and networked printers.

Role: Remote Access
Supports the Seamless Connectivity, Always On, Always Managed features based on DirectAccess. Also supports remote access through VPN and dial-up.

Role: Remote Desktop Services
Supports access to virtual desktops, session-based desktops, and RemoteApp programs.

Role: Volume Activation Services
New to Windows Server 2012. Enables you to automate and simplify the management of volume license keys and volume key activation. Also enables you to manage a Key Management Service host or configure AD DS-based activation for computers that are members of the domain.

Role: Web Server (IIS)
The Windows Server 2012 web server component.

Role: Windows Deployment Services
Enables you to deploy server operating systems to clients over the network.

Role: Windows Server Update Services
Provides a method of deploying updates for Microsoft products to computers on the network.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server's configuration, such as firewall settings, to support the role. Review the firewall rules a role adds, because they are opened so that the role works rather than restricted to the networks that need to reach it. When you deploy a role, Windows Server 2012 automatically deploys role dependencies at the same time. For example, when you install the Windows Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components that are required to support the WSUS role.
You add and remove roles using the Add Roles and Features Wizard, available from the Server Manager console. You can also add and remove roles using the Install-WindowsFeature and Uninstall-WindowsFeature Windows PowerShell cmdlets (Add-WindowsFeature and Remove-WindowsFeature remain available as aliases).

Demonstration: Installing and Optimizing Server Roles in Windows Server 2012

In this demonstration you will see how to install and optimize a server role in Windows Server 2012.

Demonstration Steps
1. Use the Add Roles and Features Wizard to add the Application Server role to LON-DC1.
2. View App Server performance.
3. View DHCP BPA results.

Configuring Server Core in Windows Server 2012

You must perform several aspects of post-installation configuration of Server Core operating systems from the command line. You can perform most post-installation configuration tasks using the menu-driven command prompt utility sconfig.cmd. By using this utility, you minimize the possibility of the administrator making syntax errors when using more complex command-line utilities. You can use sconfig.cmd to perform the following tasks:
- Configure domain and workgroup information
- Configure the computer's name
- Add local Administrator accounts
- Configure Remote Management
- Enable Windows Update
- Download and install updates
- Enable Remote Desktop
- Configure network address information
- Set the date and time
- Perform Windows activation
- Enable the graphical user interface
- Log off
- Restart the server
- Shut down the server

Configure IP Address Information

You can configure the IP address and DNS information by using sconfig.cmd or netsh.exe. To configure IP address information by using sconfig.cmd, perform the following steps:
1. Run sconfig.cmd from the command line.
2. Select option 8 to configure Network Settings.
3. Select the index number of the network adapter to which you want to assign an IP address.
4. In the Network Adapter Settings area, select one of the following options:
   - Set Network Adapter Address
   - Set DNS Servers
   - Clear DNS Server Settings
   - Return to Main Menu

Change Server Name

You can change the server name using the netdom command with the renamecomputer option. For
example, to rename a computer to Melbourne, type the following command:
Netdom renamecomputer %computername% /newname:Melbourne

You can change a server name using sconfig.cmd by performing the following steps:
1.

Run sconfig.cmd from the command-line.

2.

Select option 2 to configure the computer name.

3.

Type the new computer name and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain

You can join a Server Core computer to a domain using the netdom command with the join option. For
example, to join the adatum.com domain using the Administrator account, and to be prompted for a
password, issue the command:
Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*

To join a server core computer to the domain using sconfig.cmd, perform the following steps:
1.

Run sconfig.cmd from the command-line.

2.

Select option 1 to configure Domain/Workgroup.

3.

Type D and press Enter to select the Domain option.

4.

Type the name of the domain to which you want to join the computer.

5.

Provide the details of an account authorized to join the domain in domain\username format.

6.

Type the password associated with that account.

To complete a domain join operation you must restart the computer.


Note: Before joining the domain, verify that you can ping the DNS server by host name.

Add Roles and Features Using Windows PowerShell

You can add and remove roles and features to a computer running the Server Core installation option by
using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows
PowerShell cmdlets. These cmdlets are available after you load the Server Manager module.

For example, you can view a list of roles and features that are installed by executing the following Windows PowerShell command (the state name must be quoted):
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the Network Load Balancing feature, execute the command:
Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating system. You can determine which features are not directly available for installation by running the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Removed'}

You can add a role or feature that is not available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that holds the feature payloads: either the Windows\WinSxS folder of a mounted installation image that includes the full version of Windows Server 2012, or the image itself in the form wim:<path to install.wim>:<image index>. You can mount an installation image using the DISM.exe command prompt utility or the Mount-WindowsImage cmdlet from the DISM module.

Switching Between Server Core, Full, and Minimal Server Interface Options

Windows Server 2012 offers the option of switching between Server Core and the full installation. When you install Server Core, the components necessary to convert to the full version are not installed. You can install these if you have access to a mounted image of the full version of the Windows Server 2012 installation files. You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell commands, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files. The -Source path must point at the Windows\WinSxS folder inside the mounted image rather than at the mount root:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount\Windows\WinSxS

Note that -IncludeAllSubFeature also installs Desktop Experience, which is a subfeature of User Interfaces and Infrastructure; to add only the management tools and the shell, name the Server-Gui-Mgmt-Infra and Server-Gui-Shell features instead. This gives you the option of performing administrative tasks using the graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command prompt utility.

After you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:
- Graphical Management Tools and Infrastructure (Server-Gui-Mgmt-Infra)
- Server Graphical Shell (Server-Gui-Shell)

The Minimal Server Interface differs from Server Core because it has all components available and does not require you to provide access to a mounted directory that contains the full version of the Windows Server 2012 installation files. You reach it from the full installation by removing only Server Graphical Shell and keeping Graphical Management Tools and Infrastructure. You can use the Install-WindowsFeature command without specifying a source location when you convert the Minimal Server Interface to the full installation of Windows Server 2012. The advantage of the Server Core installation option over the Minimal Server Interface is that, even though they look similar, Server Core requires a smaller amount of hard disk space as it does not have all components available for installation.
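The three preceding passages (adding roles and features with Windows PowerShell, supplying a source for Removed payloads, and switching between Server Core, the Minimal Server Interface and the full installation) all come down to reading InstallState and choosing the right Install-WindowsFeature or Uninstall-WindowsFeature call. The script below is an added example, not part of the course, that ties them together: it summarizes feature states, installs a feature, and falls back to a WIM source only when the payload really is Removed. The install.wim path and image index are assumptions; check the index with Get-WindowsImage against your own media.

```powershell
# Added example: feature-state inventory, install with fallback to a WIM source, and
# conversion between Server Core, Minimal Server Interface and the full GUI.
# Windows Server 2012, elevated Windows PowerShell 3.0. Paths and index are hypothetical.
Import-Module ServerManager

$WimPath  = 'D:\sources\install.wim'   # assumed: mounted or copied installation media
$WimIndex = 4                          # assumed: the "with GUI" image; verify with Get-WindowsImage -ImagePath $WimPath

function Get-FeatureStateSummary {
    # One row per InstallState (Installed / Available / Removed) with a sample of feature names
    Get-WindowsFeature | Group-Object -Property InstallState | ForEach-Object {
        [pscustomobject]@{
            State    = $_.Name
            Count    = $_.Count
            Examples = ($_.Group | Select-Object -First 5 -ExpandProperty Name) -join ', '
        }
    }
}

function Install-FeatureWithSource {
    # Installs the named features; only reaches for the WIM when at least one payload is Removed
    param([Parameter(Mandatory)][string[]]$Name)
    $removed = Get-WindowsFeature -Name $Name | Where-Object { $_.InstallState -eq 'Removed' }
    if ($removed) {
        Write-Verbose "Removed payloads: $($removed.Name -join ', '); using $WimPath index $WimIndex"
        Install-WindowsFeature -Name $Name -Source "wim:${WimPath}:${WimIndex}"
    } else {
        Install-WindowsFeature -Name $Name
    }
}

# 1. Where does this server stand?
Get-FeatureStateSummary | Format-Table -AutoSize

# 2. A feature whose payload Server Core keeps on disk: no source needed
Install-FeatureWithSource -Name NLB

# 3. Server Core to full GUI: both GUI features are Removed on Server Core, so the WIM is used
$result = Install-FeatureWithSource -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell
if ($result.RestartNeeded -eq 'Yes') { Restart-Computer -Force }

# 4. The way back, after the GUI work is done (each needs a restart):
#    Minimal Server Interface keeps the management tools and drops only the shell
#      Uninstall-WindowsFeature Server-Gui-Shell -Restart
#    Server Core drops both; -Remove also deletes the payloads so they return to the Removed state
#      Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove -Restart
```

Keeping the payloads (no -Remove) leaves the server in the "Server Core with Management" shape described above, where the GUI can be put back without a source; using -Remove gives you the smaller footprint of a true Server Core at the cost of needing the media again next time.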

Configuring Networking and Network Interface Teaming

Configuring the network involves setting or verifying the server's IP address configuration. By default, a newly deployed server tries to obtain IP address information from a DHCP server. You can view a server's IP address configuration by clicking the Local Server node in Server Manager.

If the server has an IPv4 address in the Automatic Private Internet Protocol Addressing (APIPA) range of 169.254.0.1 to 169.254.255.254, the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or because there is a problem with the network infrastructure that blocks the adapter from receiving an address.

Note: If you are using a purely IPv6 network, an IPv4 address in this range is not a problem, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, Implementing IPv6.

Configuration Using Server Manager

To manually configure IP address information for a server, perform the following steps:
1. In the Server Manager console, click the address next to the network adapter that you want to configure. This opens the Network Connections window.
2. Right-click the network adapter that you want to configure an address for, and then click Properties.
3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4 address information, click OK, and then click OK again:
   - IP address
   - Subnet mask
   - Default gateway
   - Preferred DNS server
   - Alternate DNS server

Command-Line IPv4 Address Configuration

You can manually set IPv4 address information from an elevated command prompt by using the netsh.exe command from the interface ipv4 context. Adapter names that contain spaces must be enclosed in quotation marks. For example, to configure the adapter named Local Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following command:
Netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0

You can use the same context of the netsh.exe command to configure DNS settings. For example, to configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as the primary DNS server, type the following command:
Netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary
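The post-installation task list, the sconfig.cmd and netdom steps for Server Core, and the netsh commands above are all one procedure: give the server an address, a name and a domain, then open only the management paths you need. The script below is an added example, not part of the course, that performs that procedure with the NetTCPIP, DnsClient and NetSecurity cmdlets that ship in Windows Server 2012 and works unchanged on Server Core. Adapter name, addresses, computer name and time zone are assumptions; adatum.com is the domain name used elsewhere in this module. It deliberately prompts for the join credential rather than embedding a password, and it turns Remote Desktop on with Network Level Authentication required.

```powershell
# Added example: scripted post-installation configuration for a fresh Windows Server 2012.
# Run elevated in Windows PowerShell 3.0. Every value below is a placeholder for your environment.
$AdapterName  = 'Ethernet'            # assumed; enumerate with Get-NetAdapter
$IPAddress    = '10.10.10.10'         # the address used in the netsh example above
$PrefixLength = 24                    # 255.255.255.0 expressed as a prefix length
$Gateway      = '10.10.10.1'          # assumed
$DnsServers   = '10.10.10.5'          # the DNS server used in the netsh example above
$NewName      = 'LON-SVR1'            # assumed
$DomainName   = 'adatum.com'
$TimeZoneId   = 'GMT Standard Time'   # assumed; list valid IDs with tzutil /l

# --- IP address and DNS (replaces sconfig option 8 / netsh interface ipv4) ---
$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -Dhcp Disabled
# Remove any leftover DHCP or APIPA (169.254.x.x) address and default route before assigning the static one
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers

# The course's pre-join check ("verify that you can ping the DNS server by host name"), done with a real query
if (-not (Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $DomainName through $DnsServers; fix DNS before attempting the domain join"
}

# --- Time zone (sconfig option 9); tzutil is the supported tool on this OS version ---
& tzutil.exe /s $TimeZoneId

# --- Automatic updates (sconfig option 5): 4 = download and install on schedule ---
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
Set-ItemProperty -Path $auKey -Name AUOptions -Value 4 -Type DWord

# --- Remote Desktop (sconfig option 7) with Network Level Authentication enforced ---
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# --- Remote management (sconfig option 4): WinRM for PowerShell remoting and Server Manager ---
Enable-PSRemoting -Force | Out-Null
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# --- Rename and join in one operation (sconfig options 1 and 2, netdom renamecomputer / netdom join) ---
$cred = Get-Credential -Message "Account permitted to join computers to $DomainName"
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Restart
```

Note the ordering: DNS is proven to work before the join is attempted, the firewall is opened only for the two groups this server will actually be managed through, and the restart that both the rename and the join require is issued once at the end by Add-Computer -Restart.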

Network Card Teaming

Network Card Teaming is a new feature in Windows Server 2012. With Network Card Teaming you
can increase the availability of a network resource. When you configure Network Card Teaming, a
computer uses one network address for multiple cards. If one of the cards fails, the computer continues
communicating with other hosts on the network that are using that shared address. This enables you to
provide hardware redundancy for a server's network cards. Network Card Teaming does not require that
the network cards be the same model or use the same driver.
Windows Server 2012 supports up to 32 network adapters in a team. When a computer has separate
network adapters that are not part of a team, incoming and outgoing traffic may not be balanced across
those adapters. Network Card Teaming also provides bandwidth aggregation, ensuring that traffic is
balanced across network interfaces as a way to increase effective bandwidth.
To team network cards, perform the following steps:
1. Ensure that the server has more than one network adapter.
2. In Server Manager, click the Local Server node.
3. Click Disabled next to Network Adapter Teaming. This opens the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, press the Ctrl key, and then click each network adapter that you
want to add to the team.
5. Right-click these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, enter a name for the team, and then click OK.
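The same team built from the NetLbfo cmdlets, as an added example that is not part of the course text; it also performs the check a practitioner wants before teaming, namely that none of the adapters is already a team member. The adapter names "NIC1" and "NIC2" and the team name "Team1" are assumptions.

```powershell
# Added example: create a two-adapter team with the NetLbfo cmdlets and confirm that both
# members are active. Assumed adapter names "NIC1" and "NIC2"; assumed team name "Team1".
$TeamName = 'Team1'
$Members  = 'NIC1', 'NIC2'

# Refuse to team an adapter that already belongs to a team; New-NetLbfoTeam would fail
# part-way through and leave the first adapter detached from its current team.
$busy = Get-NetLbfoTeamMember -ErrorAction SilentlyContinue |
    Where-Object { $Members -contains $_.Name }
if ($busy) { throw "Already a team member: $($busy.Name -join ', ')" }

# Switch-independent mode needs no configuration on the switch and survives an upstream
# switch failure; TransportPorts hashing spreads outbound flows across the members.
New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false | Out-Null

# The team shows up as a new adapter; the IP configuration belongs on it, not on the members.
Get-NetAdapter -Name $TeamName

# Health check: every member should report Active. A Failed member means a card or link is down
# and the team is running without redundancy.
$members = Get-NetLbfoTeamMember -Team $TeamName
$members | Format-Table Name, OperationalStatus, AdministrativeMode, ReceiveLinkSpeed -AutoSize
if ($members.OperationalStatus -contains 'Failed') {
    Write-Warning "Team $TeamName has a failed member; redundancy is lost until it is repaired."
}
```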

Lesson 3
Configuring Remote Management for Windows Server 2012 Servers

When you want to perform an administration task, it is more efficient to manage multiple servers from
a single console than to connect to each server separately. You should spend time ensuring that newly
deployed servers are configured so that you can manage them centrally. This enables you to spend more
time at your desk administering those servers, instead of having to trek into the datacenter to start a
direct connection.

Lesson Objectives
After completing this lesson you will be able to:

Describe the different Windows Server 2012 remote management technologies.

Configure Windows Server 2012 to support Remote Management.

Collect servers into Server Groups.

Deploy roles and features remotely.

What Is Remote Management?

With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote
management tools to remotely manage a computer. Remote Shell enables you to run command-line
utilities against correctly configured remote servers as long as the command prompt utility is present on
the remote server. Remote Windows PowerShell lets you run Windows PowerShell commands or scripts
against correctly configured remote servers when the script is hosted on the local server. Remote Windows
PowerShell also lets you load Windows PowerShell modules, such as Server Manager, locally and execute
the cmdlets available in that module against suitably configured remote servers. Remote Management is
enabled by default on computers running Windows Server 2012.

You can enable and disable Remote Management from Server Manager by clicking the text next to the
Remote Management item when you have the Local Server node selected in the Server Manager console.
To enable remote management from the command line, type the command WinRM qc. The "qc" is an
abbreviation of Quick Configuration. You can disable Remote Management by using the same Server
Manager link that you use to enable it; WinRM qc only enables remote management, it does not disable
it. To disable remote management on a computer running the Server Core installation option, use
sconfig.cmd.


Remote Desktop is still a necessary Windows Server 2012 remote management technology because
some environments have not upgraded their administrators' workstations from Windows XP, and other
environments may have Windows Server 2012 deployed even when the users in those environments
primarily use third-party operating systems. You can configure Remote Desktop on a computer running
the full version of Windows Server 2012 by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. Click Disabled next to Remote Desktop.
3. On the Remote tab of the System Properties dialog box, select one of the following options:
   o Don't allow connections to this computer. The default state of Remote Desktop is disabled.
   o Allow connections from computers running any version of Remote Desktop. Enables
     connections from Remote Desktop clients that do not support Network Level Authentication.
   o Allow connections only from computers running Remote Desktop with Network Level
     Authentication. Enables secure connections from computers running Remote Desktop clients
     that support Network Level Authentication. Because the client must authenticate before a
     session is created on the server, choose this option unless you must support clients that cannot
     perform Network Level Authentication.
You can enable and disable Remote Desktop on computers running the Server Core installation option by
using the sconfig.cmd menu-driven command prompt utility.
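The equivalent of choosing the Network Level Authentication option, done from an elevated Windows PowerShell prompt so it works on Server Core as well, as an added example that is not part of the course text. It writes the two registry values that the System Properties dialog sets and then opens the inbound Remote Desktop rule group; the registry paths are the documented Terminal Server locations, and nothing else is assumed.

```powershell
# Added example: enable Remote Desktop and require Network Level Authentication, then open
# the inbound firewall rule group and verify all three settings. The registry values are the
# ones the System Properties > Remote tab writes. Run from an elevated PowerShell prompt.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp  = "$ts\WinStations\RDP-Tcp"
$rule = 'RemoteDesktop-UserMode-In-TCP'

# fDenyTSConnections = 0 allows connections. UserAuthentication = 1 requires NLA, so the
# client must present valid credentials before the server creates a session for it.
Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdp -Name UserAuthentication  -Value 1 -Type DWord

# The "Remote Desktop" display group holds the built-in inbound rules for TCP 3389.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify the settings together; any False here means a client can still be refused or,
# worse, can reach the logon screen without authenticating first.
[pscustomobject]@{
    ConnectionsAllowed = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired        = (Get-ItemProperty -Path $rdp).UserAuthentication -eq 1
    RuleEnabled        = (Get-NetFirewallRule -Name $rule).Enabled
}
```

The sconfig.cmd menu option mentioned above sets the same two registry values; the script is useful when you need to apply the setting to many Server Core hosts or to verify it after the fact.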

How Remote Management Works in Windows Server 2012

Windows Remote Management (WinRM) is a collection of technologies that enables administrators to
manage server hardware when logged on directly or over the network. Windows Server 2012 uses WinRM
to enable management of multiple computers concurrently through a single Server Manager console.
Windows Remote Management includes the following components:

WS-Management protocol. A SOAP-based, firewall-aware protocol that enables computers to
exchange management information. SOAP uses XML messages when transmitting information.

WinRM Scripting API. This scripting API enables systems to obtain data from remote computers
through WS-Management protocol operations.

Winrm.cmd. Command-line systems management tool that enables you to configure WinRM. For
example, you can use this tool to enable Windows Remote Management on a server.

Winrs.exe. Tool that enables you to execute most cmd.exe commands on remote servers.
For example, to obtain the IP address information and list of running tasks on server LON-SVR1, issue the
following command (the command string is handed to cmd.exe on the remote server, so use the cmd.exe
operator & to chain two commands):
winrs -r:lon-svr1 "ipconfig & tasklist"

Note: You can learn more about Windows Remote Management at:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx.

You can enable Windows Remote Management by issuing the following command:
Winrm qc

Running this command does the following:
1. Configures the WinRM service with the Automatic startup type.
2. Starts the WinRM service.
3. Configures a listener that will accept WinRM requests on any IP address.
4. Creates a firewall exception for WS-Management traffic using the HTTP protocol.
The listener accepts WS-Management traffic over HTTP on TCP port 5985. In a domain, Kerberos or
Negotiate authentication still encrypts the message payload on that listener; add an HTTPS listener bound
to a server certificate when you must use Basic authentication or manage servers across an untrusted
network.


If you do not know whether a server is configured for Windows Remote Management, you can run the
following command to obtain Windows Remote Management configuration information:
Winrm get winrm/config

Additional Reading: You can learn more about configuring Windows Remote
Management by reading the following Performance Team post: http://blogs.technet.com/b
/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx.

You can use Remote Windows PowerShell to run commands against a correctly configured remote server.
There are several methods that you can use to accomplish this. You can use the Invoke-Command
cmdlet to run a command or a script. For example, to view the list of installed roles and features on
LON-SVR1 and LON-SVR2 when the ServerManager module is loaded and both are configured for
Windows Remote Management, issue the command:
Invoke-Command -ComputerName LON-SVR1, LON-SVR2 -ScriptBlock {Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}}

You can also start a remote Windows PowerShell session by using the Enter-PSSession cmdlet. To end
the session, run the Exit-PSSession cmdlet. For example, to start a remote Windows PowerShell session to
LON-SVR1, issue the command:
Enter-PSSession -ComputerName LON-SVR1

Additional Reading: You can learn more about Remote Windows PowerShell at:
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx.
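The pieces described in this lesson put together in one script, as an added example that is not part of the course text: inspect what winrm qc left behind on the local server, test each target over WS-Management before using it, run one command against several servers, and finish with a persistent session and a remote feature installation. Server names are the course's LON-SVR1, LON-SVR2 and LON-SVR5; it is assumed they are members of the adatum.com domain so that Kerberos handles authentication and encryption on the HTTP listener.

```powershell
# Added example (not from the course): check the local WinRM listener, test the remote
# endpoints, then run work against several servers through PowerShell remoting.
# Assumes the servers are domain members (Kerberos) and the prompt is elevated.

# 1. Service state and listeners: what "winrm qc" should have produced.
Get-WmiObject Win32_Service -Filter "Name='WinRM'" | Select-Object Name, State, StartMode
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath |
        Where-Object { $_.Name -in 'Transport', 'Address', 'Port', 'Enabled' } |
        Select-Object Name, Value
}
# "winrm qc" creates only an HTTP listener. For Basic authentication or non-domain clients,
# add an HTTPS listener bound to a server certificate instead of relying on this one.

# 2. Is each target answering WS-Management before we try to run anything there?
$targets   = 'LON-SVR1', 'LON-SVR2'
$reachable = foreach ($t in $targets) {
    try   { Test-WSMan -ComputerName $t -ErrorAction Stop | Out-Null; $t }
    catch { Write-Warning "$t is not answering WS-Management: $($_.Exception.Message)" }
}
if (-not $reachable) { throw 'No reachable targets; run "winrm get winrm/config" on the servers.' }

# 3. One call, many servers. PSComputerName identifies the source of each row, and
#    -ErrorAction Continue keeps one failing host from aborting the rest.
Invoke-Command -ComputerName $reachable -ErrorAction Continue -ScriptBlock {
    Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
} | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, DisplayName -AutoSize

# 4. A persistent session keeps variables and loaded modules between calls; remove it when done.
$session = New-PSSession -ComputerName LON-SVR5
Invoke-Command -Session $session -ScriptBlock {
    (Get-WindowsFeature -Name Windows-Server-Backup).Installed
}
# Server Manager cmdlets can also target a remote server directly (drop -WhatIf to install).
Install-WindowsFeature -Name Windows-Server-Backup -ComputerName LON-SVR5 -WhatIf
Remove-PSSession $session
```

Testing reachability first matters because Invoke-Command against a list of computers reports an unreachable host as an error among the results; checking each target separately gives you a clean list of which servers were actually managed.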

Demonstration: Configuring Servers for Remote Management

In this demonstration you will disable and enable Remote Management from Server Manager.

Demonstration Steps
1. Use Server Manager on LON-DC1 to disable Remote Management.
2. Use the winrm qc command from a Windows PowerShell prompt to re-enable remote management
on LON-DC1.
3. Use Server Manager to verify that Remote Management is re-enabled.

Managing Server Groups in Server Manager

Server Manager in Windows Server 2012 automatically groups servers by role. This enables you to
perform role-based tasks across all servers that host that role in the organization. For example, rather
than connecting to each DNS server in the domain to perform a particular task, you can select the DNS
node, select all servers that host DNS that you want to perform the task on, and then perform the task
against that selection of servers.
A benefit to administrators is that servers in your organization are automatically grouped by role.
For example, all servers that host the IIS or NAP roles are automatically grouped under the category
nodes for those roles in the Server Manager console.

You can also use the Server Manager console to create custom server groups. A custom server group is a
user-defined group of servers rather than a group of servers that share a specific role.

Demonstration: Managing Remote Servers by Using Server Manager

In this demonstration you will see how to create a server group. You will then perform a remote
management task on both servers that are members of the group using a single action.

Demonstration Steps
1. On LON-DC1, use Server Manager to create a server group named LONDON-GROUP that has
LON-DC1 and LON-SVR5 as members.
2. Use the group node as a method of starting the performance counters on both servers using the one
action, rather than enabling performance counters on each server individually.
3. Use the Manageability column to verify that both LON-DC1 and LON-SVR5 are listed as Online.


Lab: Installing and Configuring Servers Based on Windows Server 2012

Scenario

A. Datum is an engineering and manufacturing company. The organization is based in London, England.
The organization is quickly expanding the London location as well as internationally. Because the
company has expanded, some business requirements are changing as well. To address some business
requirements, A. Datum has decided to deploy Windows Server 2012 on an existing network populated
with servers running the Windows Server 2008 and Windows Server 2008 R2 operating systems.
As one of the experienced Windows Server 2008 administrators, you are responsible for implementing
many of the new features on Windows Server 2012. To become familiar with the new operating system,
you plan to install a new Windows Server 2012 server running the Server Core version and complete the
initial configuration tasks. You also plan to configure and explore the remote management features that
are available in Windows Server 2012.

Objectives

Install Windows Server 2012 Server Core.

Configure a Windows Server 2012 Server Core installation.

Configure remote management for Windows Server 2012 servers.

Lab Setup
Estimated time: 60 minutes

Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR5
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd

Exercise 1: Install Windows Server 2012 Server Core

Scenario

After having problems effectively deploying and configuring the Server Core version of Windows Server
2008, A. Datum is interested in using the Server Core installation of Windows Server 2012 when possible
because of the reduced hardware footprint and minimized update requirements. To become familiar with
the new operating system, you plan to install and configure a new Windows Server 2012 server running
the Server Core version as a way to determine whether the product is more easily managed than the
earlier version.
The main tasks in this exercise are:
1. Install Windows Server 2012.
2. Convert a Windows Server 2012 Server Core installation to a full installation.
3. Convert a Windows Server 2012 full installation to a Server Core installation.

Task 1: Install Windows Server 2012
1. In the Hyper-V Manager console, open the settings for 20417A-LON-SVR5.
2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This
file is located at C:\Program Files\Microsoft Learning\20417\Drives.
3. Start 20417A-LON-SVR5. On the Windows Server 2012 page of the Windows Setup Wizard, verify
the following settings, click Next, and then click Install Now:
   o Language to install: English (United States)
   o Time and currency format: English (United States)
   o Keyboard or input method: US
4. Select to install the Windows Server 2012 Release Candidate Datacenter (Server Core
Installation) operating system.
5. Accept the license terms and then select Custom: Install Windows Only (Advanced).
6. Install Windows Server 2012 on Drive 0.
   o Depending on the speed of the host computer, the installation will take approximately 20
minutes. The virtual machine will restart several times during this process.
7. On the log on page, click OK and then enter Pa$$w0rd in both the Password and Confirm
password boxes.
8. Click OK to complete the installation and log on.

Task 2: Convert a Windows Server 2012 Server Core Installation to a Full Installation
1. On LON-SVR5 at the command prompt type:
mkdir c:\mount
2. Issue the following command and press Enter:
dism.exe /mount-image /ImageFile:d:\sources\install.wim /Index:4 /Mountdir:c:\mount /readonly
3. Start Windows PowerShell by typing the following command:
PowerShell.exe
4. From Windows PowerShell issue the following commands, pressing Enter after each (the -Source
parameter points at the Windows folder of the mounted image so that the GUI payload, which is not
present on a Server Core installation, can be read from the installation media):
Import-Module ServerManager
Install-WindowsFeature User-Interfaces-Infra -IncludeAllSubFeature -Source c:\mount\windows
5. When prompted, restart the server and then log on as Administrator with the password of
Pa$$w0rd to verify the presence of the full GUI components.
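The same conversion as a script, added here as an example that is not part of the lab: it uses the DISM PowerShell module for the mount, looks up the right image index instead of hard-coding 4, checks the result of the installation, and always dismounts the image. It assumes, as the lab does, that the installation media is on D: and that the edition in the image matches the installed edition.

```powershell
# Added example (not from the lab): Server Core to full installation with the DISM module,
# with the WIM index chosen to match the installed edition and the image always released.
# Assumes the installation media is mounted as D: (as in the lab). Run elevated.
$Wim   = 'D:\sources\install.wim'
$Mount = 'C:\mount'

Import-Module Dism
Import-Module ServerManager

# Find the non-Core image for this edition (for example SERVERDATACENTER, not SERVERDATACENTERCORE).
$edition = (Get-WindowsEdition -Online).Edition -replace 'Core$', ''
$image = Get-WindowsImage -ImagePath $Wim |
    Where-Object { $_.ImageName -like "*$edition*" -and $_.ImageName -notlike '*Core*' }
if (-not $image) { throw "No full-installation image for edition $edition found in $Wim" }
$image | Select-Object ImageIndex, ImageName

New-Item -Path $Mount -ItemType Directory -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $image.ImageIndex -Path $Mount -ReadOnly | Out-Null

try {
    # -Source lets Install-WindowsFeature restore the payload that Server Core does not carry.
    $result = Install-WindowsFeature -Name User-Interfaces-Infra -IncludeAllSubFeature `
        -Source "$Mount\Windows"
    $result | Select-Object Success, RestartNeeded, ExitCode
    $result.FeatureResult | Select-Object Name, Success, RestartNeeded
}
finally {
    # Release the image even if the installation threw; otherwise the mount point stays locked.
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
}

if ($result.Success -and $result.RestartNeeded -eq 'Yes') { Restart-Computer }
```

Selecting the image by edition rather than by a fixed index matters because the index numbering in install.wim differs between Standard and Datacenter media; installing the GUI from an image of the wrong edition fails.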


Task 3: Convert a Windows Server 2012 Full Installation to a Server Core Installation
1. Log on to LON-SVR5 and attempt to start Internet Explorer.
2. Start Windows PowerShell and issue the following commands:
Import-Module ServerManager
Uninstall-WindowsFeature User-Interfaces-Infra
Shutdown /r /t 5
3. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.

Exercise 2: Configure a Computer Running a Server Core Installation of Windows Server 2012

Scenario

After you install Server Core, you want to configure some basic network and firewall settings and join the
computer to the domain. During this initial deployment, you plan to perform these steps manually from the
command line.
The main tasks for this exercise are as follows:
1. Configure the network.
2. Add the server to the domain.
3. Configure Windows Firewall.

Task 1: Configure the network
1. On LON-SVR5 in the command prompt, type sconfig.
2. Set the computer name to LON-SVR5.
3. Restart the server as prompted and log on to LON-SVR5 as Administrator with the password of
Pa$$w0rd.
4. Use the hostname command to verify the name change.
5. Start sconfig and configure Network Settings.
6. Select the index number of the network adapter that you want to configure.
7. Set the Network Adapter Address to the following:
   o IP address: 172.16.0.111
   o Subnet Mask: 255.255.0.0
   o Default gateway: 172.16.0.1
8. Set the preferred DNS server to 172.16.0.10. Do not configure an alternative DNS server address.
9. Exit sconfig and verify network connectivity to lon-dc1.adatum.com using the ping utility.

Task 2: Add the server to the domain
1. Use sconfig to switch to configure Domain/Workgroup.
2. Join the domain adatum.com using account adatum\administrator and the password of
Pa$$w0rd.
3. Restart the server.
4. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.

Task 3: Configure Windows Firewall
1. Use sconfig.cmd to Enable Remote Management.
2. At the command prompt, type PowerShell.exe.
3. Issue the following command to view the enabled Firewall rules that allow traffic:
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True" -and $_.Action -eq "Allow"} | Format-Table -Property DisplayName
4. Issue the following command to view all disabled Firewall rules:
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "False"} | Format-Table -Property DisplayName
5. Issue the following command to view all Windows PowerShell cmdlets related to NetFirewallRule:
Get-Command -Noun NetFirewallRule
6. View the status of the Remote Desktop inbound firewall rule by issuing the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
7. Issue the following command to enable the Remote Desktop Inbound Firewall rule:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
8. Issue the following command to verify that the Remote Desktop Inbound Firewall rule is enabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
9. Issue the following command to disable the Remote Desktop Inbound Firewall Rule:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
10. Verify that the Remote Desktop Inbound Firewall Rule is disabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
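An added example, not part of the lab, that goes one step beyond the lab's single-rule checks: a function that joins each enabled inbound allow rule to its port and address filters, so you can see what the host actually exposes rather than only whether a rule is on, followed by scoping the Remote Desktop rule to the lab network before enabling it. The 172.16.0.0/16 "management subnet" is an assumption for this lab network.

```powershell
# Added example (not from the lab): audit enabled inbound allow rules with the ports and
# remote addresses they open, then scope the Remote Desktop rule before enabling it.
# 172.16.0.0/16 is an assumed management subnet. Run from an elevated PowerShell prompt.

function Get-InboundAllowSummary {
    # Get-NetFirewallRule alone does not show ports or addresses; those live in the
    # associated filter objects, so join them here into one row per rule.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# TCP rules that accept connections from 'Any' remote address are the ones worth reviewing first.
Get-InboundAllowSummary |
    Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Protocol -eq 'TCP' } |
    Sort-Object LocalPort | Format-Table -AutoSize

# Scope the RDP rule the lab toggles, then enable it, and show the resulting row.
$rule = 'RemoteDesktop-UserMode-In-TCP'
Set-NetFirewallRule    -Name $rule -RemoteAddress '172.16.0.0/16' -Profile Domain
Enable-NetFirewallRule -Name $rule
Get-InboundAllowSummary | Where-Object { $_.Name -eq $rule } | Format-List
```

Setting -RemoteAddress on the built-in rule is reversible (set it back to Any) and survives the enable/disable cycle the lab performs, which makes it a better control than relying on the rule being disabled whenever nobody needs it.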


Exercise 3: Configure Remote Management for Servers Running Windows Server 2012

Scenario

IT management at A. Datum expects that many servers running Windows Server 2012 will be deployed
in remote offices or as part of an online services deployment. To ensure that these servers can all be
managed from a central location, you must configure the server for remote management. You must also
verify the remote management functionality, and use Server Manager to manage multiple servers.
The main tasks for this exercise are as follows:
1. Validate the WinRM configuration.
2. Configure Server Manager for multiple server management.
3. Deploy a feature to the Server Core server.
4. Prepare for the next module.

Task 1: Validate the WinRM configuration
1. On LON-DC1 use Server Manager to disable Remote Management.
2. Close the Server Manager console.
3. Open Windows PowerShell and issue the command winrm qc. When you are prompted, type Y and
press Enter.
4. Open the Server Manager console and verify that Remote Management is now enabled.

Task 2: Configure Server Manager for multiple server management
1. On LON-DC1 in Server Manager, create a server group named LONDON-GROUP that has LON-DC1
and LON-SVR5 as members.
2. In the details pane, select both servers.
3. Scroll down to the Performance section, select both listed servers, right-click LON-DC1, and then
click Start Performance Counters.
4. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.

Task 3: Deploy a feature to the Server Core server
1. In the Server Manager console on LON-DC1, click LONDON-GROUP.
2. Add the Windows Server Backup feature to LON-SVR5.
3. In Server Manager, click the Flag and verify that the remote installation of Windows Server Backup
has occurred.

Task 4: Prepare for the next module
When you are finished with the lab, revert the virtual machines to their initial state.

Module Review and Takeaways

Best Practices

Unless you must have a full installation to support roles and features, deploy Server Core.

Use Windows Remote Management to manage multiple servers from a single server using the Server
Manager console.

Use Windows PowerShell remoting to run remote Windows PowerShell sessions rather than logging
on locally to perform the same task.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
Remote management connections fail |
Windows PowerShell commands not available |
Cannot install GUI features on Server Core deployment |
Unable to restart a computer running Server Core |
Unable to join the domain |

Review Question
Why is the Server Core installation the default installation option for Windows Server 2012
installations?

Real-world Issues and Scenarios

Unless a particular role requires it, consider using the Server Core installation option as your default server
deployment option. You can always install the GUI later if required.
Understand what roles and features you must deploy on a server prior to deploying that server, rather
than deploying roles and features to servers without planning.
You should plan to manage many servers from one console, rather than logging on to each server
individually.


Module 2
Monitoring and Maintaining Windows Server 2012
Contents:
Module Overview 2-1
Lesson 1: Monitoring Windows Server 2012 2-2
Lesson 2: Implementing Windows Server Backup 2-11
Lesson 3: Implementing Server and Data Recovery 2-15
Lab: Monitoring and Maintaining Windows 2012 Servers 2-19
Module Review and Takeaways 2-26

Module Overview

After you deploy Windows Server 2012, you must ensure that it continues to run optimally by
maintaining a healthy and stable environment. As in earlier versions of Windows Server, to maintain
a healthy and stable environment, you must monitor Windows Server 2012 performance and make
adjustments as required. Additionally, you must identify your important data and create backup copies.
Finally, you must know how to restore your important data and servers by using the backup copies that
you have created.

Objectives
After completing this module, you will be able to:

Monitor Windows Server 2012.

Implement Windows Server Backup.

Restore data and servers by using Windows Server Backup.

Lesson 1
Monitoring Windows Server 2012

When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly frequently depends on having an
effective performance monitoring methodology and tool set.
You can use performance-monitoring tools to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers. In addition to monitoring system performance, Windows Server 2012 provides tools for
resource management. In this lesson, you will learn about tools in Windows Server 2012 that you can use
for performance and resource monitoring and management.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the reasons for monitoring servers.

Describe the typical performance bottlenecks.

Describe the tools for monitoring in Windows Server 2012.

Create data collector sets.

Describe the most common performance counters.

Describe the use of alerts.

Describe the use of event subscriptions.

Configure event subscriptions.

Describe how to monitor a network.

Reasons for Monitoring Servers

Monitoring servers provides several benefits, and you might monitor a Windows-based server for
several reasons. Some reasons include:

To monitor the health of the IT infrastructure.

To monitor service-level agreements (SLAs).

To plan for future requirements.

To identify issues.

IT Infrastructure Health
The effective operation of the server infrastructure is frequently critical to your organization's
business goals. The key factors in maintaining the consistency of server operation include correctly
functioning and configured hardware, and sufficient use and assignment of resources.

Using performance-monitoring tools, you can record performance statistics that you can use to determine
when a server is slower at responding to user requests, instead of relying on user perception of slow and
fast response times. You can use these statistics to determine which component or components of the
server infrastructure may be the source of performance-related issues.

SLA Monitoring

Many organizations maintain SLAs that dictate the required availability for servers and server-hosted
applications. These SLAs may contain stipulations about server availability (for example, the LON-DC1
server must be available 99.995 percent of business hours), or they may specify performance-related
requirements (for example, the average query time for this database server must be less than five seconds
for any given day).
Frequently, violation of an SLA results in reduction of payment for services or similar penalties. Therefore,
you want to ensure that the SLAs imposed upon your environment are met on a continuing basis.
You can use performance-monitoring tools to monitor the specific areas related to your SLAs and help
you identify issues that could affect your SLA before they become a problem.

Planning for Future Requirements

The business and technical needs of your organization are subject to change. New initiatives may require
new servers to host new applications or increased storage within your environment. Monitoring these
areas over time enables you to assess effectively how the server resources are being used currently. Then,
you can make an informed decision on how the server environment has to grow or change to meet future
requirements.

Identifying Issues

Troubleshooting problems that arise in the server environment can be tedious. Issues that affect users
have to be resolved as quickly as possible and with minimal effect on the business needs of your
organization.

Troubleshooting an issue only on the symptoms provided by users or anecdotal evidence frequently leads
to misdiagnosis and wasted time and resources. Monitoring the server environment lets you take a more
informed and proactive approach to troubleshooting. When you have an effective monitoring solution
implemented, you can identify issues within your infrastructure before they cause a problem for the end
users. You can also have more concrete evidence of reported issues and narrow the cause of problems,
saving you investigative time.
Question: List four troubleshooting procedures that would benefit from server monitoring.

Typical Performance Bottlenecks
Analysis of your monitoring data can reveal problems such as excessive demand on certain
hardware resources that result in bottlenecks.

Causes of Bottlenecks
Demand on certain hardware resources may become extreme enough to cause resource
bottlenecks for the following reasons:

The resources are insufficient, and additional or upgraded components are required.

The resources are not sharing workloads evenly and have to be balanced.

A resource is malfunctioning and has to be replaced.

A program is monopolizing a particular resource. This might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.

A resource is configured incorrectly and configuration settings have to be changed.

A security issue, such as viruses or Denial of Service attacks, can be the reason for a bottleneck.

By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune the servers to overcome initial limitations. The following table lists suggestions
for improving performance on various types of hardware.
Hardware: Processors
Suggestion: You may be able to overcome performance bottlenecks that occur with processors by:
   o Adding processors.
   o Increasing the speed of processors.
   o Reducing or controlling processor affinity, or the number of processor cores an application uses.
     Limiting an application to only some processor cores frees the remaining cores for other
     applications to use.

Hardware: Disks
Suggestion: You may be able to increase disk performance by:
   o Adding faster disks.
   o Performing routine maintenance tasks such as defragmenting.
   o Moving data, applications, and the page files onto separate disks.

Hardware: Memory
Suggestion: You can improve memory bottlenecks by adding additional physical memory. If the memory
requested exceeds the physical memory, information will be written to virtual memory, which is slower
than physical memory. However, increasing a computer's virtual memory could enable applications that
consume a large amount of memory to run on a computer that has limited physical memory. Or, you can
reduce the load on the server by reducing the number of users on the server or through application
tuning.

Hardware: Networks
Suggestion: You can reduce network bottlenecks by:
   o Upgrading network infrastructure, including network adapters to support increased network
     bandwidth.
   o Installing multiple network adapters in a server to distribute network load.
   o Reducing the traffic.
You should consider the limitations of network bandwidth and segment networks, where appropriate. You
can increase network throughput by tuning the network adapter and other network devices such as
switches, firewalls, and routers.

Tools for Monitoring in Windows Server 2012

Several tools are available to help you in monitoring the server environment, both historical
and real time. The following is a list of tools to help you in monitoring the server environment.

Tool: Event Viewer
Description: Event Viewer collects information that relates to server operations. This information can help
identify performance issues on a server. You should search for specific events in the event log file to locate
and identify problems.

Tool: Task Manager
Description: Task Manager helps you monitor the real-time aspects of the server. You can view information
related to hardware performance and the applications and processes that are currently running on the
server.

Tool: Resource Monitor
Description: Resource Monitor helps you to look deeper into the real-time performance of the server. It
provides performance information related to the CPU, memory, hard disk, and network components of the
server.

Tool: Performance Monitor
Description: Performance Monitor is the most robust monitoring tool in Windows Server 2012. It enables
both real-time and historical monitoring of the server's performance and configuration data.

Tool: Reliability Monitor
Description: Reliability Monitor provides a historical view of the server's reliability-related information such
as event log errors and warnings.

Demonstration: Creating Data Collector Sets

The data collector set is a custom set of performance counters, event traces, and system configuration data.

A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets, and incorporate it into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds.

You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour during your working hours to create a performance baseline. You can also set the data collector to restart when set limits are reached so that a separate file is created for each interval.
After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.
In this demonstration, you will create a data collector set.


Demonstration Steps
Create a new data collector set named Windows Server Monitoring
1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows Server Monitoring.
2. Configure the data collector set to include the Performance counter data logs for Processor/% Processor Time, Memory/Available MBytes, and Logical Disk/% Free Disk Space.

Verify that the data collector set works correctly
1. Start the Windows Server Monitoring data collector set, and let it run for one minute.
2. Stop the Windows Server Monitoring data collector set, and then review the latest report.
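The same data collector set built from the command line, as an added example that is not part of the course material: logman.exe creates and runs the set with the three counters from the demonstration, and Import-Counter summarizes the resulting log. The output folder C:\PerfLogs\WSM and the 5-second sample interval are choices made for this example.

```powershell
# Added example (not from the course): create the "Windows Server Monitoring"
# data collector set with logman.exe, run it for one minute, then summarize the
# resulting .blg log with Import-Counter. Run from an elevated prompt.
$setName   = 'Windows Server Monitoring'
$outputDir = 'C:\PerfLogs\WSM'              # assumed location for this example
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

# The three counters from the demonstration in the path form logman expects.
# The course lists the third as "Logical Disk/% Free Disk Space"; the counter
# path on the system is "\LogicalDisk(<instance>)\% Free Space".
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\% Free Space'
)

# -si: sample interval; -rf: run for this long and then stop; -cnf: start a
# new file when the interval elapses so each run becomes a separate file,
# which is the "restart when limits are reached" behaviour described above.
logman create counter $setName -c $counters -si 00:00:05 -rf 00:01:00 `
    -o "$outputDir\$setName" -f bin -cnf 00:10:00 | Out-Null

logman start $setName | Out-Null
Start-Sleep -Seconds 65                    # the set stops itself after -rf
logman stop $setName 2>$null | Out-Null    # harmless if it already stopped

# Review the latest log: average and peak per counter. Comparing these numbers
# across runs is how a baseline reveals drift before users notice it.
$latest  = Get-ChildItem "$outputDir\*.blg" |
           Sort-Object LastWriteTime | Select-Object -Last 1
$samples = Import-Counter -Path $latest.FullName
$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $stats = $_.Group |
                 Measure-Object -Property CookedValue -Average -Minimum -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Minimum = [math]::Round($stats.Minimum, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    } | Format-Table -AutoSize
```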

Most Common Performance Counters
Specific server roles install a range of performance objects and associated counters. The common performance counters include:


- Cache counters. These counters monitor the file system cache. The cache is an area of physical memory that is used to store recently-used data to enable access to the data without having to read from the disk.
- Memory counters. These counters monitor physical, random access memory (RAM), virtual memory, and disks, including paging, which is the movement of pages of code and data between disk and physical memory.
- Counters for objects. These counters monitor logical objects in the system, including threads and processes.
- Paging file counters. The paging file is the reserved space on the disk that complements committed physical memory.
- Physical disk counters. These counters monitor the physical disks such as hard drives or fixed drives. The drives that appear in the Disk Management console are monitored by these counters. Hardware redundant array of independent disks (RAID) may not be visible to these counters.
- Process counters. These counters monitor running applications and system processes. All the threads in a process share the same address space and have access to the same data.
- Processor counters. These counters measure aspects of processor activity. Each processor is represented as an instance of the object.
- Server counters. These counters measure communication between the local computer and network.
- System counters. These counters apply to more than one instance of component processes on the computer.
- Thread counters. These counters measure aspects of thread behavior. A thread is the basic object that runs instructions on a processor. All running processes have at least one thread.

Windows Server 2012 uses server roles to improve server efficiency and security. Only the performance objects and counters that are relevant to the installed server role are available to monitor.


You can enable missing performance objects and counters by installing additional server roles or adding
features. Additional performance objects that are installed with each server role can help with server
monitoring. The following table identifies common server roles and the performance objects that can be
monitored to assess performance.
Server role / Performance counters to monitor

Active Directory Domain Services (AD DS)
If you notice slow write or read operations, under the Physical Disk category, check the following disk I/O counters to see whether many queued disk operations exist:
- Avg. Disk Queue Length
- Avg. Disk Read Queue Length
- Avg. Disk Write Queue Length
If Local Security Authority Subsystem or lsass.exe uses lots of physical memory, under the Database category, check the following Database counters to see how much memory is used to cache the database for Active Directory Domain Services:
- Database Cache % Hit
- Database Cache Size (MB)

File Server
File Servers are typically heavily dependent on their physical disk systems for file read and write operations. You should measure the following counters to ensure that the PhysicalDisk subsystem is keeping up with server demand:
- % Disk Time
- Avg. Disk Queue Length
- Avg. Disk Bytes/Transfer
Network performance is also a primary component of file server performance. You should monitor the following counters to ensure that required network bandwidth is available to the file server:
- Bytes Received Per Second
- Bytes Sent Per Second
- Output Queue Length

Hyper-V (virtualization)
Performance troubleshooting and tuning can be difficult on virtualized servers. Virtual hardware provides a less consistent monitoring environment than physical hardware.
Two layers of performance monitoring are usually recommended in a virtualized scenario: one at the physical or host server level to monitor key physical hardware components, and one at the virtualized server level to monitor the virtual hardware and its effect on the operating system and applications of the virtual server.

Web Server (IIS)
Network-related performance counters are an important tool in measuring web server performance.
Additionally, processor-related counters can be helpful in identifying issues in which web server applications are running processor-intensive processes.
The Web Service performance counters provide valuable information about requests to the web server, bandwidth consumed, and web server-specific statistics like page not found errors.


What Are Alerts?
An alert is a feature of Windows Server 2012 that notifies you when certain events have occurred or when certain performance thresholds are reached. You can configure alerts in Windows Server 2012 as network messages or as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
You can configure alerts when you create data collectors, by selecting the Performance Counter Alert type of the data collector.
When you create the alert, configure the following settings:


- Alert when. This is the alert threshold setting for a specific performance counter.
- Alert Action. This setting specifies whether to log an entry in the application event log, or start another data collector set.
- Alert Task. This setting specifies which command task should be triggered when the alert threshold is reached. In addition, you may specify command parameters, if applicable.
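The three alert settings above expressed as a Windows PowerShell script, as an added example that is not part of the course: it samples counters from this lesson, compares them with thresholds ("Alert when"), logs a warning to the Application event log ("Alert Action"), and starts the demonstration's data collector set ("Alert Task"). The event source name WSM Alerts and the threshold values are choices made for this example.

```powershell
# Added example (not from the course): a script equivalent of a Performance
# Counter Alert data collector. Run elevated (registering an event source and
# starting a data collector set both require it).
$eventSource = 'WSM Alerts'                 # example source name, registered below
$taskOnAlert = 'Windows Server Monitoring'  # "Alert Task": data collector set to start

# "Alert when": counters from this lesson with example thresholds. 'Above'
# fires when the sampled value exceeds Limit, 'Below' when it falls under it.
$alerts = @(
    @{ Counter = '\Processor(_Total)\% Processor Time';          Direction = 'Above'; Limit = 85  },
    @{ Counter = '\Memory\Available MBytes';                     Direction = 'Below'; Limit = 512 },
    @{ Counter = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Direction = 'Above'; Limit = 2   },
    @{ Counter = '\LogicalDisk(C:)\% Free Space';                Direction = 'Below'; Limit = 10  }
)

# Writing to the Application log requires a registered source (one-time setup).
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName Application -Source $eventSource
}

function Test-Alert {
    param([hashtable]$Alert, [double]$Value)
    switch ($Alert.Direction) {
        'Above' { return $Value -gt $Alert.Limit }
        'Below' { return $Value -lt $Alert.Limit }
    }
}

# Six sample sets, five seconds apart; each set holds every requested counter.
$paths      = $alerts | ForEach-Object { $_.Counter }
$sampleSets = Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 6

foreach ($set in $sampleSets) {
    foreach ($sample in $set.CounterSamples) {
        # Sample paths come back as \\<host>\object(instance)\counter, lowercase;
        # match the tail against the rule (-like is case-insensitive).
        $rule = $alerts |
                Where-Object { $sample.Path -like "*$($_.Counter)" } |
                Select-Object -First 1
        if ($null -eq $rule) { continue }

        if (Test-Alert -Alert $rule -Value $sample.CookedValue) {
            # "Alert Action": log an entry in the Application event log.
            $msg = '{0}: {1} = {2:N2} ({3} {4}) at {5}' -f $env:COMPUTERNAME,
                   $rule.Counter, $sample.CookedValue, $rule.Direction.ToLower(),
                   $rule.Limit, $set.Timestamp
            Write-EventLog -LogName Application -Source $eventSource `
                -EventId 2001 -EntryType Warning -Message $msg

            # "Alert Task": capture detailed data while the condition persists.
            # Starting a set that is already running only produces an error.
            logman start $taskOnAlert 2>$null | Out-Null
        }
    }
}
```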

What Are Event Subscriptions?
Event log subscriptions are a feature that, when configured, enables a single server to collect copies of events from multiple systems. Using WinRM and the Windows Event Collector service, you can collect events in the event logs of a centralized server, where you can analyze them together with the event logs of other computers that are being collected on the same central server.
Subscriptions can be either collector-initiated or source computer-initiated:

- Collector-initiated. A collector-initiated subscription, or a pull subscription, identifies all the computers that the collector will receive events from, and will typically pull events from these computers. In a collector-initiated subscription, the subscription definition is stored and maintained on the collector computer. You use pull subscriptions when many of the computers have to be configured to forward the same types of events to a central location. In this manner, only one subscription definition has to be defined and specified to apply to all computers in the group.

- Source computer-initiated. In a source computer-initiated subscription, or push subscription, source computers push events to the collector. In a source computer-initiated subscription, the subscription definition is created and managed on the source computer, which is the computer that is sending events to a central source. You can define these subscriptions manually, or by using Group Policy. You create push subscriptions when each server is forwarding a different set of events than other servers, or when control over the event forwarding process has to be maintained at the source computer; possibly when frequent changes have to be made to the subscription.


Event Subscription Requirements

To implement event subscriptions in your environment, several prerequisites must be met:

- You must enable and configure WinRM on both the source and the collector computers by using the following command.
    winrm qc

- You must start and configure the Windows Event Collector (Wecutil) service to receive events on the collector computer. You can achieve this by running the following command.
    Wecutil qc

Events that are collected by a subscription can be collected into any of the collector computer's default event logs, or they can be collected into an event log specifically created to host collected events.

Demonstration: Configuring Event Subscriptions

Event subscription is a cost-effective and customizable tool to get a consolidated view of monitored activities and events in target servers, and to issue timely alerts. In Windows Server 2012, subscribing to and forwarding events with triggers to send out alerts is a straightforward process.

Demonstration Steps
Configure the source computer
1. Switch to LON-SVR1.
2. At the command prompt, run the winrm quickconfig command to enable the administrative changes that are required on a source computer.
3. Add the LON-DC1 computer to the local Administrators group.

Configure the collector computer
1. Switch to LON-DC1.
2. At the command prompt, run the wecutil qc command to enable the administrative changes that are required on a collector computer.

Create a subscribed log
1. Open Event Viewer.
2. Create a new subscription with the following properties:
  o Computers: LON-SVR1
  o Name: LON-SVR1 Events
  o Type of subscription: Collector Initiated
  o Events: Critical, Warning, Information, Verbose, and Error
  o Logged: last 7 days
  o Logs: Windows Logs

Check the subscribed log
1. Switch to LON-DC1.
2. In Performance Monitor, check for events in the subscribed Application log.
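The collector-side part of this demonstration done from Windows PowerShell on LON-DC1, as an added example that is not part of the course: it writes the collector-initiated subscription definition for LON-SVR1 in the XML format that wecutil.exe consumes, registers it, and checks that events are arriving. The source FQDN lon-svr1.adatum.com (from the A. Datum lab domain) and the temporary file path are assumptions; winrm quickconfig and wecutil qc are taken as already run per the requirements above.

```powershell
# Added example (not from the course): register the "LON-SVR1 Events"
# collector-initiated subscription with wecutil.exe and verify it.
$subscriptionName = 'LON-SVR1 Events'
$sourceComputer   = 'lon-svr1.adatum.com'          # assumed FQDN of the source
$definitionFile   = "$env:TEMP\lon-svr1-events.xml"

# Event filter matching the demonstration: the five levels (Critical=1, Error=2,
# Warning=3, Information=4, Verbose=5) from the Windows logs, and only events
# logged in the last 7 days (604800000 ms), as the "Logged" setting does.
$levels = '(Level=1 or Level=2 or Level=3 or Level=4 or Level=5)'
$window = 'TimeCreated[timediff(@SystemTime) <= 604800000]'
$query  = @"
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[$levels and $window]]</Select>
    <Select Path="System">*[System[$levels and $window]]</Select>
    <Select Path="Security">*[System[$levels and $window]]</Select>
  </Query>
</QueryList>
"@

# Subscription definition in the wecutil schema. Collected events land in the
# ForwardedEvents log. CredentialsType Default means the collector connects
# with its own machine account, which is why LON-SVR1 had to grant LON-DC1
# access on the source side.
$definition = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows logs from LON-SVR1 (collector-initiated)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceComputer</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

Set-Content -Path $definitionFile -Value $definition -Encoding UTF8
wecutil cs $definitionFile      # create the subscription from the file
wecutil gr $subscriptionName    # runtime status: per-source state and last error

# Confirm that forwarded events are actually arriving on the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize
```

If wecutil gr reports the source as inactive, the usual causes are WinRM not listening on the source or the collector's machine account lacking read access to the selected logs.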

Monitoring a Network
Because network infrastructure services are an important foundation of many other server-based services, you must make sure that they are configured correctly and are running optimally. Collecting performance-related data on the network infrastructure services benefits your organization in:


- Helping to optimize network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize network infrastructure server performance.
- Troubleshooting servers. Where server performance has decreased, either over time or during periods of peak activity, you can help identify possible causes and take corrective action to ensure that you can bring the service back within the limits of your SLA.

You can use Performance Monitor to collect and analyze the relevant data.

Monitoring Domain Name System (DNS)

Domain Name System (DNS) provides name resolution services on the network. You can monitor the DNS Server role of Windows Server 2012 to determine the following aspects of your DNS infrastructure:

- General DNS server statistics, including the number of overall queries and responses that are processed by the DNS server
- User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters, for measuring DNS queries and responses that are processed respectively by using either of these transport protocols
- Dynamic update and secure dynamic update counters, for measuring registration and update activity that is generated by dynamic clients
- Memory usage counters, for measuring system memory usage and memory allocation patterns that are created by operating the server as a DNS server
- Recursive lookup counters, for measuring queries and responses when the DNS service uses recursion to look up and fully resolve DNS names on behalf of requesting clients
- Zone transfer counters, including specific counters for measuring the following: all zone transfer (AXFR), incremental zone transfer (IXFR), and DNS zone update notification activity

Monitoring DHCP

The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services on the network. You can monitor the Windows Server 2012 DHCP Server role to determine the following aspects of your DHCP server:

- The Average Queue Length indicates the current length of the internal message queue of the DHCP server. This number represents the number of unprocessed messages that are received by the server. A large number might indicate heavy server traffic.
- The Milliseconds per packet (Avg.) counter is the average time in milliseconds that is used by the DHCP server to process each packet it receives. This number varies, depending on the server hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming slower or because of a processing overhead on the server.

Lesson 2
Implementing Windows Server Backup


In order to protect critical data, every organization must perform a backup regularly. Having a well-defined and tested backup strategy ensures that companies can restore data if there are any unexpected failures or data loss. This lesson describes the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service for Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the features of Windows Server Backup.
- Describe the Microsoft Online Backup Service.
- Describe the methods for backing up server roles running Windows Server 2012.
- Back up Windows Server 2012 by using Windows Server Backup.

Features of Windows Server Backup in Windows 2012
The Windows Server Backup feature in Windows Server 2012 consists of a Microsoft Management Console (MMC) snap-in and command-line tools. You can use wizards in the Windows Server Backup feature to guide you through running backups and recoveries. You can use Windows Server Backup 2012 to back up:

- Full server (all volumes)
- Selected volumes
- Select specific items for backup

In addition, Windows Server Backup 2012 lets you:

- Perform a bare-metal restore. Bare-metal restore includes all volumes that are required for Windows to run. You can use this backup type together with the Windows Recovery Environment to recover from a hard disk failure, or if you have to recover the whole computer image to new hardware.
- Use system state. System state is the ability to use the GUI interface to create a system state backup.
- Recover individual files and folders. The Individual files and folders option enables you to back up selected files and folders, instead of just full volumes.
- Exclude selected files or file types. For example, you can exclude .tmp files.
- Select from more storage locations. You can store backups on remote shares or non-dedicated volumes.
- Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 which enables files and folders to be backed up and recovered from the cloud to provide off-site backup.

If there are disasters such as hard disk failures, you can perform system recovery by using a full server backup and the Windows Recovery Environment; this will restore your complete system onto the new hard disk.


The ability to take just a system state backup is not exposed in the GUI interface of backup. If you want to take just a system state backup, you must use the wbadmin.exe utility. WBadmin.exe is a command prompt utility.

What Is Microsoft Online Backup Service?
The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 managed by Microsoft. You can use this service to back up files and folders and recover them from the cloud to provide off-site protection against data loss caused by disasters. You can use this service to back up and protect critical data from any location.
This service is built on the Windows Azure platform and uses Windows Azure blob storage for storing customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Agent to transfer file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online Backup Agent, the Microsoft Online Backup Service Agent integrates its functionality through the familiar Windows Server Backup interface.

Key Features

The key features that Windows Server 2012 provides through the Microsoft Online Backup service include:

- Simple configuration and management. Integration with the familiar Windows Server Backup utility provides a seamless backup and recovery experience to a local disk, or to the cloud. Other features include:
  o Simple user interface to configure and monitor the backups
  o Integrated recovery experience to recover files and folders from local disk or from cloud
  o Easily recover any data that was backed up onto any server of your choice
  o Scripting capability that is provided by the Windows PowerShell command-line interface

- Block-level incremental backups. The Microsoft Online Backup Agent performs incremental backups by tracking file and block-level changes and only transferring the changed blocks, therefore reducing the storage and bandwidth usage. Different point-in-time versions of the backups use storage efficiently by only storing the changed blocks between these versions.

- Data compression, encryption and throttling. The Microsoft Online Backup Agent ensures that data is compressed and encrypted on the server before it is sent to the Microsoft Online Backup Service on the network. Therefore, the Microsoft Online Backup Service only stores encrypted data in the cloud storage. The encryption passphrase is not available to the Microsoft Online Backup Service, and therefore, the data is never decrypted in the service. Also, users can set up throttling and configure how the Microsoft Online Backup service uses the network bandwidth when backing up or restoring information.

- Data integrity verified in the cloud. In addition to the secure backups, the backed up data is also automatically checked for integrity after the backup is finished. Therefore, any corruptions which may arise because of data transfer can be easily identified and they are fixed in the next backup automatically.

- Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service accepts and implements retention policies to recycle backups that exceed the desired retention range, thereby meeting business policies and managing backup costs.

Additional Reading: Windows Azure Storage
http://www.windowsazure.com/en-us/home/features/storage/

Methods to Back Up Server Roles
You can back up most services on computers running Windows Server 2012 by performing a system state backup. Some services also enable configuration and data backup from their respective management console. The following table lists the methods that you can use to back up specific roles on computers running Windows Server 2012.

Role / Method

DHCP
- System state backup backs up all scopes and options.
- DHCP console backup backs up individual scopes or all scopes.

Certificate
- System state backup backs up the whole configuration and certificate services database.
- Certification Authority console backup backs up certificate services data and settings.

Internet Information Services (IIS)
- System state backup enables the backup of IIS data and settings.
- Appcmd.exe lets you back up IIS components.
- Website files and folders have to be backed up. When backing up IIS components, ensure that the website files and folders are also backed up. These are not backed up by a system state backup.

Network Policy and Access Services (NPAS)
- System state backup enables the backup of NPAS configuration.

DNS
- System state backup backs up all DNS configurations and zones stored on the server.
- Dnscmd.exe lets you export and import zones.

File and Print Services
- System state backs up shared folder permissions and settings.
- Volume backup enables a backup of all files and folders that are located on that volume.
- File and folder backup backs up the content of shared folders.
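The role-specific methods from the table as one script, added here as an example and not part of the course: it runs the console or tool equivalent for each installed role (netsh for DHCP, Dnscmd.exe for DNS, Appcmd.exe for IIS, certutil for the CA) and finishes with the system state backup that covers everything else. The destination E:\RoleBackups, the zone name adatum.com and the backup names are placeholders chosen for this example.

```powershell
# Added example (not from the course): role-specific backups into one dated
# folder, followed by a system state backup. Run elevated on the server that
# holds the roles; blocks for roles that are not installed are skipped.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = "E:\RoleBackups\$stamp"             # assumed destination for this example
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Role detection makes the script safe to run unchanged on any server.
function Test-Role ([string]$Name) {
    (Get-WindowsFeature -Name $Name).Installed
}

if (Test-Role 'DHCP') {
    # Equivalent of the DHCP console backup: all scopes and options to a file.
    netsh dhcp server export "$dest\dhcp.txt" all
}

if (Test-Role 'DNS') {
    # Dnscmd.exe writes the exported zone under %windir%\System32\dns,
    # so copy it into the backup folder afterwards.
    $zone = 'adatum.com'                     # placeholder zone name
    dnscmd /ZoneExport $zone "$zone.dns.bak"
    Copy-Item "$env:windir\System32\dns\$zone.dns.bak" $dest
}

if (Test-Role 'Web-Server') {
    # Appcmd.exe backs up the IIS configuration into
    # %windir%\System32\inetsrv\backup\<name>. Site content is NOT part of it
    # (nor of a system state backup), so the website folders are copied too.
    & "$env:windir\System32\inetsrv\appcmd.exe" add backup "iis-$stamp"
    Copy-Item "$env:windir\System32\inetsrv\backup\iis-$stamp" $dest -Recurse
    Copy-Item "$env:SystemDrive\inetpub\wwwroot" "$dest\wwwroot" -Recurse
}

if (Test-Role 'ADCS-Cert-Authority') {
    # CA database and log files; certutil -backup (with -p) would also
    # include the CA key and certificate, which must then be stored securely.
    certutil -backupDB "$dest\ca"
}

# System state covers NPAS, AD DS and the other role settings listed above.
# The target must be a volume other than the ones that hold the system state.
wbadmin start systemstatebackup -backupTarget:E: -quiet
```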

Demonstration: Backing Up Windows Server 2012 by Using Windows Server Backup
In this demonstration, you will see how to use the backup wizard to back up a folder.

Demonstration Steps
1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\HR Data folder to the remote folder, \\LON-DC1\Backup.


Lesson 3
Implementing Server and Data Recovery


Every organization might experience losing some of its data, because of reasons such as hardware failures, file system corruption, or when a user unintentionally deletes critical data. Therefore, organizations must have well-defined and tested recovery strategies that will help them to bring their servers and data back to a healthy and operational state, in the fastest time possible. This lesson describes how to restore data and servers by using the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service in Windows Server 2012.

Lesson Objectives

- Describe the options for server recovery.
- Describe the options for server restore.
- Describe the considerations for data recovery.
- Perform a restore with Windows Server Backup.
- Describe how to perform a restore with online backup.

Options for Server Recovery
Windows Server Backup in Windows Server 2012 provides the following recovery options:

- Files and folders. You can back up individual files or folders as long as the backup is on an external disk or in a remote shared folder.
- Applications and data. You can recover applications and data if the application has a Volume Shadow Copy Service writer and is registered with Windows Server Backup.
- Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore individual files or folders.
- Operating system. You can recover the operating system through Windows Recovery Environment (WinRE).
- Full server. You can recover the full server through WinRE.
- System state. System state creates a point-in-time backup that you can use to restore a server to a previous working state.

The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery. They are:

- Recovery Destination. Under Recovery Destination, you can select any one of the following options:
  o Original location. The original location restores the data to the location it was backed up originally.
  o Another location. Another location restores the data to a different location.


- Conflict Resolution. Restoring data from a backup frequently conflicts with existing versions of the data. Conflict resolution lets you determine how those conflicts will be handled. When these conflicts occur, you have the following options:
  o Create copies and have both versions
  o Overwrite existing version with recovered version
  o Do not recover items if they already exist in the recovery location

- Security Settings. You can use this option to restore permissions to the data being recovered.

Options for Server Restore
You perform server restore by starting the computer from the Windows Server 2012 installation media, selecting the computer repair option, and then selecting the full server restore option.
When you perform full server restore, consider the following aspects:

- Bare-metal restore. Bare-metal restore is the process during which you restore an existing server in its entirety to new or replacement hardware. When you perform a bare-metal restore, the restore proceeds and the server restarts. Later, the server becomes operational. In some cases, you may have to reset the computer's Active Directory account because these can sometimes become desynchronized.

- Same or larger disk drives. The server hardware that you are restoring to must have disk drives that are the same size or larger than the drives of the original host server. If this is not the case, the restore will fail. It is possible, although not advised, to successfully restore to hosts that have slower processors and less RAM.

- Importing to Hyper-V. Because server backup data is written to the VHD format, which is also the format that is used for virtual machine hard disks, it is possible, with some care, to use full server backup data as the basis of creating a virtual machine. Doing this gives you the option of ensuring business continuity while sourcing the appropriate replacement hardware.

Considerations for Data Recovery
There are several strategies that you can pursue in developing a data recovery procedure. Data is the most frequently recovered component of an IT infrastructure.
Consider the following components in a data recovery strategy:

- Letting users recover their own data by using the earlier versions functionality (volume shadow copy)
- Performing a recovery to an alternative location
- Performing a recovery to the original location
- Performing a full volume recovery

Earlier Versions of Files: Users Recover Their Own Data


The most common form of data recovery performed by IT departments is the recovery of files and folders that users have deleted, lost, or in some way corrupted. The Previous Versions of Files functionality, which you can enable on all computers running Windows Server 2012, lets users recover their own files. After end-users are trained to do this, the IT department spends its time recovering more important data.
From a planning perspective, you should consider increasing the frequency at which snapshots for previous versions of files are generated. This gives users more options when they try to recover files that have recently been deleted or corrupted.

Recovering Data to an Alternative Location

A common recovery problem is the unintentional replacement of important data when recovering from
backup. This can occur when recovery is performed to a location with live data, instead of to a separate
location where the necessary data can be located and the unnecessary data discarded.

When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material to a location where
important permissions are not applied, enabling unintended access to data for those that should not have
it.

Recovering Data to the Original Location

During some types of failures, such as data corruption or deletion, you have to restore data to the original
location, because applications or users who access those data are preconfigured with the information on
where the data is located.

Recovering Volumes
If a disk fails, the quickest way to recover the data sometimes is to do a volume recovery, instead of a
selective recovery of files and folders. When you do a volume recovery, you must check whether any
shared folders are configured for the disks, and if the quotas and File Server Resource Manager
management policies are still in effect.

Demonstration: Restoring with Windows Server Backup

In this demonstration, you will see how to use the Recovery Wizard to restore a folder.

Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.
2. In the Windows Server Backup MMC, run Recovery Wizard and specify the following information:
  o Getting Started: A backup stored on another location
  o Specify Location type: Remote Shared Folder
  o Specify Remote Folder: \\LON-DC1\Backup
  o Select Backup Date: Default value, Today
  o Select Recovery Type: Default value, Files and Folders
  o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data
  o Specify Recovery Options: Another Location (C:)
3. Locate C:\ and ensure that the files are restored.
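The backup demonstration in Lesson 2 and the restore demonstration above, carried out with wbadmin.exe instead of the wizards, as an added example that is not part of the course: it backs up C:\HR Data to \\LON-DC1\Backup, picks the newest version identifier from wbadmin's output, and recovers the folder to another location, mapping the wizard's three conflict-resolution choices to the -overwrite switch. The paths are those from the demonstrations; the account running the script is assumed to have write access to the share.

```powershell
# Added example (not from the course): Backup Once and Recovery Wizard
# equivalents with wbadmin.exe, run from an elevated prompt on LON-SVR1.
$share  = '\\LON-DC1\Backup'
$folder = 'C:\HR Data'

# 1. Backup Once equivalent: a file backup of just that folder to the share.
#    -quiet suppresses the confirmation prompt so the command can be scheduled.
wbadmin start backup "-backupTarget:$share" "-include:$folder" -quiet

# 2. Find the identifier of the newest backup on the target. wbadmin prints
#    "Version identifier: MM/DD/YYYY-HH:MM" for each backup it finds.
$versions = wbadmin get versions "-backupTarget:$share"
$latest   = $versions |
            Select-String 'Version identifier:\s*(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } |
            Select-Object -Last 1
if (-not $latest) { throw "No backup versions found on $share" }

# 3. Recover the folder to another location (C:\), as the wizard did.
#    Conflict resolution choices from this lesson map to -overwrite as follows:
#      Create copies and have both versions      -> CreateCopy
#      Overwrite existing version                -> Overwrite
#      Do not recover items that already exist   -> Skip
$conflict = 'CreateCopy'
wbadmin start recovery "-version:$latest" -itemType:File "-items:$folder" `
    "-backupTarget:$share" "-recoveryTarget:C:\" -recursive `
    "-overwrite:$conflict" -quiet

# 4. Verify, as the last demonstration step does, that the files are back.
if (Test-Path $folder) {
    $count = (Get-ChildItem $folder -Recurse -File | Measure-Object).Count
    "Recovered $count file(s) under $folder"
} else {
    Write-Warning "Recovery finished but $folder was not found"
}
```

Recovering to a location other than the original does not re-apply the original permissions unless you ask for them, so check the ACLs on the recovered folder before users are pointed at it (the Security Settings option described above).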

Restoring with an Online Backup Solution
You can use Microsoft Online Backup Service only on Windows Server 2012 servers. You do not have to restore data on the same server that you backed up. You can restore data on some other server, instead.
You can recover files and folders by using either the Microsoft Online Backup MMC in Server Manager or Windows PowerShell, by performing the following steps:

MCT USE ONLY. STUDENT USE PROHIBITED

2-18 Monitorinng and Maintaining Windows


W
Server 20122

1.

Select the serrver where bacckup data was


originally crea
ated, that is, whether
w
it is a local
server or another server. If you
y select Ano
other
server option, you must pro
ovide your Miccrosoft Online Backup Servicce Administrattor credentials.

2.

Browse for files that have to


o be restored can
c be browseed or search fo
or them in the Microsoft Online
Backup Servicce.

3.

After you loca


ate the files, se
elect them for recovery, and select a locat ion where the files will be
restored.

4.

When restorin
ng files, select from the follo
owing options::
o

Create co
opies so that you
y have both the restored ffile and originaal file in the saame location. T
The
restored file has its nam
me in the following format: R
Recovery Datee+Copy of+Orriginal File Nam
me

Overwrite
e the existing versions with the
t recovered version

Do not re
ecover the item
ms that already exist on the recovery destiination

Afte
er you complette the restore procedure, the
e files will be rrestored on W
Windows Serverr 2012 located in
your site.


Lab: Monitoring and Maintaining Windows 2012 Servers


Scenario

To obtain accurate information about server usage, it is important to establish a performance baseline
with a typical load for the new Windows Server 2012 servers. In addition, to make the process of
monitoring and troubleshooting easier, IT management wants to implement centralized monitoring of
event logs.

Much of the data that is stored on the A. Datum network is very valuable to the organization. Losing this
data permanently would be a very significant loss to the organization. Also, several servers that run on the
network provide very valuable services for the organization; losing these servers for a significant time
would also result in losses to the organization. Because of the significance of the data and services, it is
important that they can be restored after any disaster.
One of the options that A. Datum is considering is backing up some critical data to a cloud-based service.
A. Datum is considering this as an option for small branch offices that do not have a full data center
infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a monitoring and system recovery solution that will meet the management and business
requirements.

Objectives
After completing this lab, you will be able to:

Configure centralized monitoring for Windows 2012 servers.

Back up Windows Server 2012 Servers.

Restore files by using Windows Server Backup.

Perform an online backup and restore for Windows Server 2012 servers.

Lab Setup
Estimated time: 75 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1.
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring Centralized Monitoring for Windows Server 2012 servers

Scenario
The management at A. Datum has asked for a monthly report on server performance. To provide a
monthly report, you plan to establish centralized monitoring of the servers. You decide to configure
Server Manager to monitor all servers from a single console. You also decide to configure performance
monitoring for some critical resources, and to collect events from several business-critical servers at a
central location.
The main tasks for this exercise are as follows:
1. Configure Server Manager to monitor multiple servers.
2. Configure a data collector set.
3. Configure an event subscription.

Task 1: Configure Server Manager to monitor multiple servers
1. Switch to LON-SVR1.
2. In the Server Manager console, in the navigation pane, click All Servers.
3. In the Server Manager console, add LON-DC1 as another server to be monitored.
4. In the Actions pane, start the performance counters for both LON-SVR1 and LON-DC1.

Task 2: Configure a data collector set
1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows
   Server Monitoring.
2. Configure the data collector set to include the Performance counter data logs for
   Processor/% Processor Time, Memory/Available MBytes and Logical Disk/% Free Disk Space.
3. Start the Windows Server Monitoring data collector set, and let it run for one minute.
4. Stop the Windows Server Monitoring data collector set, and then review the latest report.
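The same three counters that the Windows Server Monitoring data collector set records can also be sampled and summarized from Windows PowerShell. The following is an added example, not part of the course lab; it collects roughly one minute of samples, reports min/average/max per counter as a baseline, and flags readings against thresholds that are illustrative assumptions only (the disk counter's real path is \LogicalDisk(C:)\% Free Space):

```powershell
# Added example (not part of the course lab): collect the counters from Task 2 for about
# one minute and summarize them as a performance baseline for the server.
# Run in an elevated Windows PowerShell session on the server being monitored.

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(C:)\% Free Space'
)

# 12 samples at a 5-second interval is roughly the one-minute run in Task 2.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

# Flatten the sample sets into one object per counter reading.
$readings = $samples | ForEach-Object { $_.CounterSamples }

# Compute min/avg/max per counter; this is the "baseline" the lab refers to.
$baseline = $readings |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Minimum -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Min     = [math]::Round($stats.Minimum, 2)
            Avg     = [math]::Round($stats.Average, 2)
            Max     = [math]::Round($stats.Maximum, 2)
        }
    }

$baseline | Format-Table -AutoSize

# Persist the baseline so that later runs can be compared against it.
$baseline | Export-Csv -Path "$env:USERPROFILE\baseline-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Sanity checks against assumed thresholds; adjust them to the server's role.
$baseline | Where-Object { $_.Counter -like '*% Processor Time' -and $_.Avg -gt 80 } |
    ForEach-Object { Write-Warning "CPU average $($_.Avg)% exceeded 80% during the baseline" }
$baseline | Where-Object { $_.Counter -like '*Available MBytes' -and $_.Min -lt 512 } |
    ForEach-Object { Write-Warning "Available memory fell to $($_.Min) MB" }
$baseline | Where-Object { $_.Counter -like '*% Free Space' -and $_.Min -lt 15 } |
    ForEach-Object { Write-Warning "Free disk space on C: fell to $($_.Min)%" }
```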

Task 3: Configure an event subscription
1. Switch to LON-SVR1.
2. At the command prompt, run the winrm quickconfig command to enable the administrative
   changes that are required on a source computer.
3. Add the LON-DC1 computer to the local Administrators group.
4. Switch to LON-DC1.
5. At the command prompt, run the wecutil qc command to enable the administrative changes that are
   required on a collector computer.
6. Open Event Viewer.
7. Create a new subscription with the following properties:
   o Computers: LON-SVR1
   o Name: LON-SVR1 Events
   o Type of subscription: Collector Initiated
   o Events: Critical, Warning, Information, Verbose, and Error
   o Logged: last 7 days
   o Logs: Windows Logs
8. Expand Event Viewer, expand Windows Logs, and then click Forwarded Events. Verify that events are
   forwarded from LON-SVR1.

Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
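Step 8 verifies forwarding by eye in Event Viewer. The following added example (not part of the course lab) does the same check on the collector from Windows PowerShell, counting events in the Forwarded Events log per source computer over the subscription's 7-day window and warning about any expected source that has sent nothing; the list of expected sources is an assumption (in the lab it is only LON-SVR1):

```powershell
# Added example (not part of the course lab): confirm that the "LON-SVR1 Events"
# subscription is actually delivering. Run on the collector, LON-DC1.

$expectedSources = @('LON-SVR1')      # assumption: the sources named in the subscription
$since = (Get-Date).AddDays(-7)       # matches "Logged: last 7 days" in the subscription

# Get-WinEvent raises an error when the log has no matching events; treat that as "none".
$forwarded = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                          -ErrorAction SilentlyContinue

# Group by the computer that originally logged the event (usually recorded as an FQDN).
$bySource = $forwarded | Group-Object -Property MachineName

$bySource |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Newest'; e = { ($_.Group | Sort-Object TimeCreated -Descending |
                                           Select-Object -First 1).TimeCreated } } |
    Format-Table -AutoSize

# A source that is in the subscription but has forwarded nothing is a monitoring gap:
# WinRM on the source, the collector's membership in the source's local Administrators
# group (Task 3, step 3), or the subscription itself needs checking.
foreach ($source in $expectedSources) {
    $match = $bySource | Where-Object { $_.Name -like "$source*" }
    if (-not $match) {
        Write-Warning ("No events forwarded from $source in the last 7 days. " +
                       "Re-run winrm quickconfig on the source and check the subscription " +
                       "runtime status with: wecutil gr 'LON-SVR1 Events'")
    }
}
```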

Exercise 2: Backing up Windows Server 2012

Scenario

The LON-SVR1 server contains financial data that must be backed up regularly. This data is important to
the organization. You decide to use Windows Server Backup to back up critical data. You plan to install
this feature and configure a scheduled backup.
The main tasks for this exercise are as follows:
1. Install the Windows Server Backup feature.
2. Configure a scheduled backup.
3. Complete an on-demand backup.

Task 1: Install the Windows Server Backup feature
1. Switch to LON-SVR1.
2. Open Server Manager and install the Windows Server Backup feature.
3. Install the feature on LON-SVR1 and then accept the default values in the Add Roles and Features
   wizard.

Task 2: Configure a scheduled backup
1. On LON-SVR1, start Windows Server Backup.
2. Configure Backup Schedule with the following options:
   o Backup Configuration: Full server (recommended).
   o Backup Time: Once a day, 1:00 AM.
   o Destination Type: Back up to a shared network folder
   o Remote Shared Folder: \\LON-DC1\Backup.
   o Register Backup Schedule: Username: Administrator
     Password: Pa$$w0rd
3. Close Windows Server Backup.
Task 3: Complete an on-demand backup

To prepare for this task, you need to create a folder on LON-SVR1 with the name Financial Data on drive
C:, and within the Financial Data folder you need to create a text file with the name Financial Report.txt.
To complete an on-demand backup, perform the following steps:
1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder,
   \\LON-DC1\Backup.

Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
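The scheduled backup from Task 2 and the one-time backup from Task 3 can also be set up with the cmdlets of the WindowsServerBackup module instead of the wizards. The following is an added example, not part of the course lab; it assumes the feature is already installed, that the credential you enter can write to \\LON-DC1\Backup, and that it runs in an elevated Windows PowerShell session on LON-SVR1:

```powershell
# Added example (not part of the course lab): Tasks 2 and 3 with the WindowsServerBackup
# module cmdlets. Cmdlet names and parameters are those of the module; the share,
# schedule and folder are the lab's values.

Import-Module WindowsServerBackup

# Credential used to register the scheduled backup and reach the network share.
$cred = Get-Credential -Message 'Account that can write to \\LON-DC1\Backup'

# --- Scheduled backup (Task 2) ---------------------------------------------------
$policy = New-WBPolicy

# "Full server (recommended)": every volume plus bare-metal recovery and system state.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
Get-WBVolume -AllVolumes | ForEach-Object { Add-WBVolume -Policy $policy -Volume $_ }

# Back up to the shared network folder, once a day at 1:00 AM.
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule 01:00

# Register the schedule. Like the wizard, this replaces any existing scheduled policy;
# -AllowDeleteOldBackups lets Windows Server Backup reuse the target's space.
Set-WBPolicy -Policy $policy -AllowDeleteOldBackups

# --- One-time backup of C:\Financial Data (Task 3) ------------------------------
$once = New-WBPolicy
Add-WBFileSpec -Policy $once -FileSpec (New-WBFileSpec -FileSpec 'C:\Financial Data')
Add-WBBackupTarget -Policy $once -Target $target
Start-WBBackup -Policy $once

# Verify what is now available to restore from (the wizard's "Select Backup Date" page).
Get-WBBackupSet -BackupTarget $target | Select-Object VersionId, BackupTime
```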

Exercise 3: Restoring files by using Windows Server Backup

Scenario

To ensure that the financial data can be restored, you must validate the procedure for restoring the data
to an alternative location. You may also have to restore different versions of the data. For this purpose,
you may have to use the Vssadmin tool to review backups.
The main tasks for this exercise are as follows:
1. Delete a file from the file server.
2. View the available restores by using the Vssadmin command.
3. Restore the file from backup.

Task 1: Delete a file from the file server
On LON-SVR1, delete the C:\Financial Data folder.

Task 2: View the available restores by using the Vssadmin command
1. On LON-SVR1, run Windows PowerShell.
2. At the Windows PowerShell prompt, run the Vssadmin list shadows command to list existing volume
   shadow copies.

Task 3: Restore the file from backup
1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
   o Getting Started: A backup stored on another location
   o Specify Location type: Remote Shared Folder
   o Specify Remote Folder: \\LON-DC1\Backup
   o Select Backup Date: Default value, Today
   o Select Recovery Type: Default value, Files and Folders
   o Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data
   o Specify Recovery Options: Another Location (C:)
2. Locate C:\ and ensure that the files are restored.

Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the
available restores, and then restored the folder from the backup that you created.
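Task 3 can be done with the WindowsServerBackup cmdlets as well, which also makes it easy to apply the caution from earlier in this module about restores to an alternative location losing permissions. The following added example (not part of the course lab) picks the newest backup set on \\LON-DC1\Backup, restores C:\Financial Data to the alternative location C:\ with ACLs, and then displays the restored folder's permissions for review. It assumes Exercise 2 created the backup, that the credential can read the share, and that the cmdlet recreates the folder as C:\Financial Data:

```powershell
# Added example (not part of the course lab): Exercise 3, Task 3 with the
# WindowsServerBackup module, plus a permission check after the restore.

Import-Module WindowsServerBackup

$cred   = Get-Credential -Message 'Account that can read \\LON-DC1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred

# Equivalent of "Select Backup Date": take the newest backup set on that target.
$latest = Get-WBBackupSet -BackupTarget $target |
          Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $latest) { throw 'No backup sets were found on \\LON-DC1\Backup' }

# Equivalent of "Select Items to Recover" and "Another Location (C:)".
# ACLs are restored unless -NoRestoreAcl is given; leaving it out is the point made
# earlier in the module about alternate-location restores dropping permissions.
# SkipIfExists leaves any file already present at the destination untouched.
Start-WBFileRecovery -BackupSet $latest -SourcePath 'C:\Financial Data' -TargetPath 'C:\' `
                     -Recursive -Option SkipIfExists

# Review the restored folder's permissions (assumed restored path: C:\Financial Data).
$restoredPath = 'C:\Financial Data'
if (-not (Test-Path -LiteralPath $restoredPath)) {
    throw "Restore did not produce $restoredPath; check the recovery target"
}
$acl = Get-Acl -LiteralPath $restoredPath
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Heuristic only: a folder that held restricted data normally carries explicit ACEs.
# If everything shown is inherited from C:\, the original permissions may not have
# come back and the folder should be re-secured before users are pointed at it.
if (-not ($acl.Access | Where-Object { -not $_.IsInherited })) {
    Write-Warning "$restoredPath has only inherited permissions; verify them before granting access"
}
```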

Exercise 4: Implementing Microsoft Online Backup and Restore

Scenario

A. Datum has to protect critical data in small branch offices. Those offices do not have backup hardware
and full data center infrastructure. Therefore A. Datum has decided to back up the critical data in branch
offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012.
The main tasks for this exercise are as follows:
1. Install the Microsoft Online Backup Service component.
2. Register the server with Microsoft Online Backup.
3. Configure an online backup.
4. Restore files by using the online backup.
5. Unregister the server from the Microsoft Online Backup Service.

Task 1: Install the Microsoft Online Backup Service component
1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Sign-in Assistant,
   msoidcli.msi. Install the application.
2. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent,
   OBSInstaller.exe.
3. Start the installation of Microsoft Online Backup Agent by double-clicking the installation file
   OBSInstaller.exe.
4. Complete the setup by specifying the following information:
   o Installation Folder: C:\Program Files
   o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
   o Microsoft Update Opt-In: I don't want to use Microsoft Update.

5. Verify the installation; ensure you receive the following message: Microsoft Online Backup Service
   Agent installation has completed successfully. Clear the Check for newer updates check box, and
   then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
   Microsoft Online Backup Service Shell.

Task 2: Register the server with Microsoft Online Backup

Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example
NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer
names used in this lab should be unique. If there is more than one student in the classroom with the same
name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
To rename LON-SVR1, perform the following steps:
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
   YOURCITYNAME-YOURNAME.
2. Wait until YOURCITYNAME-YOURNAME is restarted, and then log on as Adatum\Administrator
   with password Pa$$w0rd.

To register the server with Microsoft Online Backup, perform the following steps:
1. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
   information:
   o Account Credentials:
     Username: holuser@onlinebackupservice.onmicrosoft.com
     Password: Pa$$w0rd
     Note: In a real-life scenario, you would type the username and password of your Microsoft
     Online Backup Service subscription account.
   o Encryption Settings:
     Enter passphrase: Pa$$w0rdPa$$w0rd
     Confirm passphrase: Pa$$w0rdPa$$w0rd
2. Verify that you receive the following message: Microsoft Online Backup Service is now available
   for this server.

Task 3: Configure an online backup
1. Switch to the Microsoft Online Backup Service console.
2. Configure an online backup by using the following options:
   o Select Items to back up: C:\Financial Data
   o Specify Backup Time: Saturday, 1:00AM
   o Specify Retention Setting: Default values
3. In the Microsoft Online Backup Service console, start the backup by clicking Backup Now.

Task 4: Restore files by using the online backup
1. Switch to the Microsoft Online Backup Service console.
2. Restore files and folders by using the Recover Data option and specify the following information:
   o Identify the server on which the backup was originally created: This server
   o Select Recovery Mode: Browse for files
   o Select Volume and Date: C:\ and date and time of the latest backup.
   o Select Items to Recover: C:\Financial Data
   o Specify Recovery Options: Original location and Create copies so that you have both versions

Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.

Task: To prepare for next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.

Module Review and Takeaways


Review Questions
Question: Why is monitoring important?
Question: You want to create a strategy on how to back up different technologies that are
used in your organization such as DHCP, DNS, Active Directory, and SQL Server. What should
you do?
Question: How frequently should we perform backup on critical data?

Best Practices

Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.

When monitoring, estimate the baseline of system utilization for each server. This will help you
determine whether the system is performing well or is overused.

Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.

Identify with the organization's business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.

Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.

Common Issues and Troubleshooting Tips

Common Issue: During monitoring, multiple sources are concurrently reporting different problems.
Troubleshooting Tip:

Common Issue: The server has suffered a major failure on its components.
Troubleshooting Tip:

Common Issue: You must have a way to back up and restore your data quickly at a different one of the
company's locations. You do not have backup media or backup hardware in each site.
Troubleshooting Tip:

Common Issue: You must restore your data because of a failure of the disk system. However, you find that
your backup media is corrupted.
Troubleshooting Tip:

Real-world Issues and Scenarios

Your organization needs information on which data to back up, how frequently to back up different types
of data and technologies, where to store backed-up data (onsite or in the cloud), and how fast it can
restore backed-up data if a failure were to occur. Also, what is your suggestion to improve your
organization's ability to efficiently restore data when it is necessary?

Tools

Tool: Server Manager Dashboard
Use for: Monitoring multiple servers
Where to find it: Server Manager

Tool: Performance Monitor
Use for: Monitoring services and application and hardware performance data
Where to find it: Server Manager/Tools

Tool: Resource Monitor
Use for: Controlling how your system resources are being used by processes and services
Where to find it: Server Manager/Tools

Tool: Windows Server Backup
Use for: Performing on-demand or scheduled backup and restoring data and servers
Where to find it: Server Manager/Tools

Tool: Microsoft Online Backup Service
Use for: Performing on-demand or scheduled backup to the cloud and restoring data from the backup
located in the cloud
Where to find it: Server Manager/Tools


Module 3
Managing Windows Server 2012 by Using Windows
PowerShell 3.0
Contents:
Module Overview

3-1

Lesson 1: Overview of Windows PowerShell 3.0

3-2

Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS

3-9

Lesson 3: Managing Servers by Using Windows PowerShell 3.0

3-20

Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0

3-26

Module Review and Takeaways

3-31

Module Overview

Windows PowerShell is a core feature of Windows Server 2012 that enables command line management
and configuration of the operating system. It is a standardized, task-based command-line shell and
scripting language that offers administrators more flexibility and choice in how they manage computers
running Windows.
Windows PowerShell 3.0, included in Windows Server 2012, has more functionality and features than
earlier versions. You can now use Windows PowerShell to manage all the Windows Server roles and
features. This enables administrators to quickly automate configuration tasks with a single tool, instead of
having to use multiple tools, such as batch scripts, Microsoft Visual Basic Script Edition scripts (VBScript),
and manual configuration steps.

In this module, you will learn key Windows PowerShell concepts and new Windows PowerShell 3.0
features. This module will also describe how to practically use Windows PowerShell in your daily activities.

Objectives
After completing this module, you will be able to:

Describe the Windows PowerShell command-line interface.

Use Windows PowerShell to manage Active Directory Domain Services (AD DS).

Manage servers by using Windows PowerShell.

Lesson 1

Overview of Windows PowerShell 3.0

As a Windows Server administrator, you can use Windows PowerShell to install and configure native
Windows Server 2012 roles and features and to administer software such as Microsoft Exchange Server
and Microsoft System Center 2012. Although you can use a graphical user interface (GUI) for
administration, using Windows PowerShell with these applications enables bulk administration. This
provides the ability to create automation scripts for administration and access to configuration options
that are not available when you use a GUI. Some tasks that you can perform in Windows PowerShell will
already be familiar to you, such as listing the contents of a directory. To use Windows PowerShell
effectively, you must have a basic understanding of Windows PowerShell.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows PowerShell.

Describe the Windows PowerShell syntax.

Describe cmdlet aliases.

Use the Windows PowerShell Integrated Scripting Environment (ISE).

Access Help in Windows PowerShell.

Describe Windows PowerShell modules.

Describe Windows PowerShell remoting.

Describe the new features in Windows PowerShell 3.0.

What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that you can use to configure Windows
Server 2012 and products such as System Center 2012, Exchange Server 2010, and Microsoft SharePoint
Server 2010. This management interface provides an alternative to the GUI management that enables
administrators to:

Create automation scripts.

Perform batch modifications.

Access settings that might be unavailable or more difficult to configure in the GUI.

A GUI can guide you through complex operations, and can help you understand your choices.
However, a GUI can be inefficient for tasks that you have to perform repeatedly, such as creating new user
accounts. By building administrative functionality in the form of Windows PowerShell commands,
Microsoft lets you select the right method for a given task.
As you become more comfortable with Windows PowerShell, you may use it in place of other low-level
administrative tools that you may have used. For example, Windows PowerShell has access to the same
features that VBScript does, but in many cases provides easier ways to perform the same tasks.

Windows PowerShell may also change the way you use Windows Management Instrumentation (WMI).
Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When
you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides
easy to use, task-based commands.

Windows PowerShell Syntax
Windows PowerShell has rules for naming and implementing functions. For example, Windows
PowerShell commands, known as cmdlets, use a naming convention of verb or action, followed by
a hyphen and a noun or subject. For example, to retrieve a list of virtual machines (VMs), you would
use the cmdlet Get-VM. This standardization helps you more easily learn how to perform
administrative tasks. For example, to change settings of a VM, you would use the cmdlet Set-VM.

Optionally, one or more parameters can be used with a cmdlet to modify its behavior or specify settings.
Parameters are written after the cmdlet. Each parameter that is used is separated by a space, and begins
with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique
to their functionality. For example, the Move-Item cmdlet has the Destination parameter to specify the
location to move the object; whereas Get-ChildItem has the -Recurse switch parameter. There are several
kinds of parameters, including the following:

Named. Named parameters are most common. They are parameters that can be specified and require
a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination
parameter along with the exact destination to move the item.

Switch. Switch parameters modify the behavior of the cmdlet, but do not require any additional
modifiers or values. For example, you can specify the -Verbose parameter without specifying a value
of $True.

Positional. Positional parameters are parameters whose names can be omitted; they still accept values
based on where the information is specified in the command. For example, you could run Get-EventLog
-EventLog System to retrieve information from the System event log. However, because the
-EventLog positional parameter accepts values for the first position, you can also run Get-EventLog
System to get the same results. When the -EventLog parameter name is not present, the cmdlet still
accepts the value of System because it is the first item after the cmdlet name.

Parameters that are common to many cmdlets include options to test the actions of the cmdlet or to
generate verbose information about the execution of the cmdlet. Common parameters include:

-Verbose. This parameter displays detailed information about the performed command. You should
use this parameter to obtain more information about the execution of the command.

-WhatIf. This parameter displays the outcome of running the command without running it. This is
helpful when testing a new cmdlet or script and you do not want the cmdlet to run.

-Confirm. This parameter displays a confirmation prompt before executing the command. This is
helpful when you are running scripts and you want to prompt the user before executing a specific
step in the script.
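To see the three parameter kinds and the common -Verbose, -WhatIf and -Confirm parameters working together in one command, here is an added example function that is not part of the course text. Remove-OldLogFile and its parameters are invented for illustration; the behaviour it relies on (CmdletBinding, SupportsShouldProcess and $PSCmdlet.ShouldProcess) is standard Windows PowerShell:

```powershell
# Added example (not part of the course text): an advanced function showing positional,
# named and switch parameters, and how -WhatIf / -Confirm / -Verbose act on it.

function Remove-OldLogFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # Positional: the name can be omitted if the value comes first after the command.
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Path,

        # Named: must be given by name (no Position) and requires a value.
        [int]$OlderThanDays = 30,

        # Switch: present or absent, no value; $Recurse is $true only when supplied.
        [switch]$Recurse
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Write-Verbose "Looking for *.log files under $Path older than $cutoff (Recurse=$Recurse)"

    # The -Recurse switch is passed straight through to Get-ChildItem's own switch.
    $candidates = Get-ChildItem -Path $Path -Filter '*.log' -File -Recurse:$Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff }

    foreach ($file in $candidates) {
        # ShouldProcess is what makes -WhatIf and -Confirm work: with -WhatIf it prints
        # "What if: Performing the operation ..." and returns $false, so nothing is deleted;
        # with -Confirm it prompts for each file before returning $true.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete log file')) {
            Remove-Item -LiteralPath $file.FullName
            Write-Verbose "Deleted $($file.FullName)"
        }
    }
}

# Positional value for -Path, a named parameter with its value, and a switch.
# -WhatIf only reports what would be deleted.
Remove-OldLogFile 'C:\inetpub\logs' -OlderThanDays 90 -Recurse -WhatIf

# The same selection with the positional parameter named explicitly and a prompt per file.
Remove-OldLogFile -Path 'C:\inetpub\logs' -OlderThanDays 90 -Recurse -Confirm

# -Verbose adds the Write-Verbose lines to the output (default 30-day cutoff here).
Remove-OldLogFile 'C:\inetpub\logs' -Recurse -Verbose -WhatIf
```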

Additional Reading: Cmdlet Verbs
http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx

Cmdlet Aliases
Although the standard naming convention used by cmdlets facilitates learning, the names themselves
can be very long, and sometimes do not match common terminology associated with performing a task.
For example, you may be familiar with the dir command which lists the contents of a directory (or
folder). The Windows PowerShell cmdlet for this task, however, is Get-ChildItem. To make using cmdlets
easier, Windows PowerShell enables aliases to be created for cmdlets. There is an alias created by default
for dir that points to Get-ChildItem.
You can create new aliases for your common cmdlets, scripts, and programs by using the New-Alias
cmdlet. Default aliases include:

cd -> Set-Location

copy -> Copy-Item

kill -> Stop-Process

move -> Move-Item

rm -> Remove-Item

type -> Get-Content

help -> Get-Help

Demonstration: Using the Windows PowerShell ISE

The Windows PowerShell ISE application is a graphical tool that enables you to write and test Windows
PowerShell scripts similar to the way a developer would write an application by using Microsoft Visual
Studio. The Windows PowerShell ISE for Windows PowerShell 3.0 includes IntelliSense to provide
instant suggestions on the correct script syntax and available cmdlet parameters. Windows PowerShell
ISE is divided into two main parts: the Script pane and the Console pane.

Demonstration Steps
1. Log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell ISE as an administrator and review the Script pane and the Console pane.
3. Follow the steps in the following demonstration script: E:\ModXA\Democode\Using Windows
   PowerShell ISE.ps1.

Accessing Help in Windows PowerShell
Whether you are an experienced professional or new to Windows PowerShell, the cmdlet Help
documentation is a rich source of information. To access the Help documentation, use the Get-Help
cmdlet or its alias help followed by the cmdlet name. Get-Help has parameters to adjust the Help
content that is displayed. The parameters are:

-Detailed. This parameter displays more detailed help than the default option.

-Examples. This parameter displays only the examples for using the cmdlet.

-Full. This parameter displays detailed help and usage examples.

-Online. This parameter opens a Web browser to the cmdlet documentation on the Microsoft website.

Windows PowerShell 3.0 includes the ability to download the latest help document from Microsoft for
use locally. To do this, use the Update-Help cmdlet. Also, new in Windows PowerShell 3.0 is the
Show-Command cmdlet. This helps users who are new to Windows PowerShell interact with the input
and output options for a cmdlet by using a graphical interface.

The Get-Command cmdlet returns a list of all locally available cmdlets, functions, and aliases. You can use
it to discover new cmdlets by using wildcard searches. For example, to return a list of all cmdlets that
include VM in them, you could run Get-Command *VM*.

Using
U
Wind
dows Powe
erShell Mo
odules
Windows
W
PowerShell is design
ned to be exte
ensible.
Adding new cm
mdlets and funcctions in Wind
dows
Po
owerShell 3.0 is performed in part through
h
modules.
m
Note: In earlier versions of Windows
Po
owerShell, exte
ensibility was provided
p
by using
sn
nap-ins. For ba
ackward comp
patibility, Windows
Po
owerShell 3.0 continues
c
to support snap-in
ns.

Windows
W
PowerShell uses the
e
Microsoft.Powe
M
rShell.Manage
ement module
e which provid es basic functiionality. When
n you install ad
dditional
ro
oles on a serve
er, additional Windows
W
Powe
erShell modulees are installed
d and registere
ed. For examplle, you
in
nstall the Micro
osoft Hyper-V Role and also
o choose to in
nstall the Hypeer-V module fo
or Windows
Po
owerShell. To manage Hyper-V from Wind
dows PowerSh
hell, you must iimport the Hyyper-V module
e into
th
he Windows Po
owerShell session. To importt the Hyper-V module, run tthe following ccommand:
Im
mport-Module Hyper-V

Managing Windows
W
Server 2012 by Using Windows PowerShell 3.0

Run
n the following
g command to list all module
es that are imp
ported:
Get-Module

MCT USE ONLY. STUDENT USE PROHIBITED

3-6

It is not always ne
ecessary to manually import modules. For example, the W
Windows Pow
werShell module for
Exch
hange Server 2010
2
is automatically importted during pro
oduct installatiion. However, if you cannot run
cmd
dlets for a speccific Windows Role or appliccation, it may i ndicate that yyou have to import the
app
propriate Wind
dows PowerShe
ell module.
There are two bassic module typ
pes:

Binary. A binary module is created by using the .NET Framework and is frequently provided with a product to provide Windows PowerShell support. Binary modules many times add cmdlets that consist of noun or subject types that are newly created in the AD DS schema to support the product. An example is the New-Mailbox cmdlet of Exchange Server 2010.

Script. A script module is composed of Windows PowerShell cmdlets that already exist in the environment. These scripts can provide additional functions and variables to automate repetitive or tedious tasks. You may want to create your own module that includes functions or variables specific to your environment as a timesaving or configuration management measure.

Additional Reading: Windows PowerShell Modules
https://msdn.microsoft.com/en-us/library/windows/desktop/dd878324(v=vs.85).aspx
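The following is an added example, not part of the course material, that puts Get-Module, Import-Module and Get-Command together: before an administrative script relies on a module, it checks whether the module is present on the computer, imports it, and reports how many commands it provides. The module names are real Windows Server 2012 modules; the function name Confirm-RequiredModule is an assumption made for this example.

```powershell
# Added example (not from the course): verify that the modules a script depends on
# are installed, import them into the current session, and report what they provide.
# The function name Confirm-RequiredModule is an assumption for this example.
function Confirm-RequiredModule {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Name
    )

    foreach ($moduleName in $Name) {
        # Get-Module -ListAvailable searches $env:PSModulePath without loading anything.
        $available = Get-Module -ListAvailable -Name $moduleName

        if (-not $available) {
            # Report instead of failing silently: a missing module usually means the
            # role or RSAT feature that ships it has not been installed on this server.
            [pscustomobject]@{
                Module   = $moduleName
                Loaded   = $false
                Commands = 0
                Note     = 'Not found on this computer; install the matching role or feature.'
            }
            continue
        }

        # Import into the current session; -ErrorAction Stop turns a failed load into a
        # terminating error that the calling script can handle.
        Import-Module -Name $moduleName -ErrorAction Stop

        [pscustomobject]@{
            Module   = $moduleName
            Loaded   = [bool](Get-Module -Name $moduleName)
            Commands = (Get-Command -Module $moduleName).Count
            Note     = 'Imported'
        }
    }
}

# Usage: the ActiveDirectory and Hyper-V modules are the two this module discusses.
Confirm-RequiredModule -Name 'ActiveDirectory', 'Hyper-V' | Format-Table -AutoSize
```

Checking with -ListAvailable first separates "the module is not installed" from "the module failed to load", which are fixed in different ways (add the role or feature versus investigate the load error).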

What Is Windows PowerShell Remoting?
The purpose of Windows PowerShell remoting is to connect to remote computers, to run commands on those computers, and to direct the results back to your local computer. This enables single-seat administration, or the ability to manage the computers on the network from the client computer, instead of having to physically visit each computer. A key goal of Windows PowerShell remoting is to enable batch administration, which lets you run commands on a whole set of remote computers concurrently.
There are three main ways to use remoting:

One-to-One remoting. In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged into the console and opened a Windows PowerShell window.

One-to-Many remoting, or Fan-Out remoting. In this scenario, you issue a command that will be executed on one or more remote computers in parallel. You are not working with each remote computer interactively. Instead, your commands are issued and executed in a batch and the results are returned to your computer for your use.

Many-to-One remoting, or Fan-In remoting. In this scenario, multiple administrators make remote connections to a single computer. Typically, those administrators will have different permissions on the remote computer and might be working in a restricted runspace within the shell. This scenario usually requires custom development of the restricted runspace and will not be covered further in this course.


Remoting requires both Windows PowerShell and Windows Remote Management (WinRM) utilities on your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft implementation of Web Services for Management, or WS-MAN, which is a set of protocols that is widely adopted across different operating systems. As the name implies, WS-MAN and WinRM use web-based protocols. An advantage to these protocols is that they use a single, definable port. This makes them easier to pass through firewalls than older protocols that randomly selected a port. WinRM communicates by using the Hypertext Transfer Protocol (HTTP). By default, WinRM and Windows PowerShell remoting use TCP port 5985 for incoming connections that are not encrypted and TCP port 5986 for incoming encrypted connections. Applications that use WinRM, such as Windows PowerShell, can also apply their own encryption to the data that is passed to the WinRM service. WinRM supports authentication and, by default, uses the Active Directory native Kerberos protocol in a domain environment. Kerberos does not pass credentials over the network and it supports mutual authentication to ensure that incoming connections are coming from valid computers.

Establishing a One-to-One remoting session by using Windows PowerShell ISE is performed by clicking the New Remote PowerShell tab on the File menu. You can also establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For example, to open a Remote PowerShell session on a computer named LON-SVR2, you would use the following syntax:
Enter-PSSession -ComputerName LON-SVR2

One-to-Many remoting is primarily performed by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-SVR2, use the following command:

Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -ComputerName LON-SVR1, LON-SVR2

Note: Unlike in earlier versions, Windows Server 2012 has Windows PowerShell remoting and WinRM enabled by default.
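The following is an added example, not part of the course material, that shows the one-to-many (fan-out) pattern described above in a form an administrator can reuse: it first checks that each server's WinRM listener answers, then runs the same Get-EventLog command on every reachable server in parallel and tags each result with the server it came from. The computer names LON-SVR1 and LON-SVR2 are the course's lab names; the function name Get-RemoteSystemEvents is an assumption made for this example.

```powershell
# Added example (not from the course): fan-out remoting with a reachability check.
# Function name and parameter defaults are assumptions for this example.
function Get-RemoteSystemEvents {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName,
        [int] $Newest = 5
    )

    $reachable = @()
    foreach ($computer in $ComputerName) {
        # Test-WSMan sends a WS-Management identify request to the listener
        # (TCP 5985 by default). If it fails, Invoke-Command would fail too, so the
        # server is reported and skipped instead of producing an unhandled error.
        if (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue) {
            $reachable += $computer
        }
        else {
            Write-Warning "WinRM listener not reachable on $computer"
        }
    }

    if ($reachable.Count -eq 0) { return }

    # The script block runs in parallel on every reachable server. In a domain,
    # Kerberos authenticates both sides by default, so no password crosses the wire.
    # Each returned object carries a PSComputerName property naming its source.
    Invoke-Command -ComputerName $reachable -ErrorAction Continue -ScriptBlock {
        param($count)
        Get-EventLog -LogName System -Newest $count |
            Select-Object TimeGenerated, EntryType, Source, EventID, Message
    } -ArgumentList $Newest |
        Sort-Object PSComputerName, TimeGenerated -Descending
}

# Usage: newest five System log entries from both lab servers, grouped by origin.
Get-RemoteSystemEvents -ComputerName 'LON-SVR1', 'LON-SVR2' -Newest 5 |
    Format-Table PSComputerName, TimeGenerated, EntryType, Source, EventID -AutoSize
```

Selecting properties inside the script block keeps the amount of serialized data sent back over WinRM small, which matters when the command fans out to many servers.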

What Is New in Windows PowerShell 3.0?
Windows PowerShell 3.0 has new features that facilitate managing larger groups of servers through better scaling, additional functionality, and better management. Windows PowerShell 3.0 includes the following new features:

Windows PowerShell Workflow. This enables coordination of complex parallel and sequenced commands.

Windows PowerShell Web Access. This feature enables encrypted and authenticated access to Windows PowerShell by using a Web browser on any device.

Scheduled Jobs. This feature enables scheduling of Windows PowerShell commands and scripts to automatically run administrative tasks.


Enhanced Online Help. You can now download the latest Help files from Microsoft by using the
Update-Help cmdlet and view the latest help online. This guarantees you are getting the latest
information about how to use Windows PowerShell.

Windows PowerShell ISE Autosense. Windows PowerShell ISE provides hints for cmdlets, including
valid parameters that make it easier than ever to use Windows PowerShell.

Robust Session Connectivity. These connections enable you to connect to a remote server and if
connectivity is lost or you intentionally disconnect, you can resume the connection at the point it was
disconnected. Previously, if connection to a session was lost, all the session data, variables, and
command history would be lost.

Lesson 2
Using Windows PowerShell 3.0 to Manage AD DS

Active Directory is the technology that many administrators spend most of their time using, completing day-to-day administrative tasks such as adding users and updating directory objects. With the number of Active Directory-focused cmdlets in Windows Server 2012, those administrators can save time and energy by using Windows PowerShell to automate many of their more time-consuming or repetitive tasks. Automation can also help improve security and consistency because it is less prone to repeated human error than manual administration. If you are already comfortable performing common Active Directory administrative tasks in other tools, you should quickly be able to learn to perform equivalent tasks in Windows PowerShell.
This lesson will help you understand the approach used by the Active Directory cmdlets. It will help you develop the skills that you must have to discover, explore, learn, and use other add-in commands, whether they are included with Windows Server 2012 or with another Microsoft or third-party software product.

Lesson Objectives
After completing this lesson, students will be able to:

Describe the Active Directory modules for Windows PowerShell.

Describe how to use variables.

Describe how to use pipelines and scripts.

Describe how to format output from a Windows PowerShell command.

Describe how to create and run Windows PowerShell scripts.

Describe how to use Windows PowerShell loops and conditional expressions.

Manage AD DS with Windows PowerShell.

Describe how to obtain the Windows PowerShell history information from Active Directory Administrative Center.

Using the Active Directory Module for Windows PowerShell
You may be comfortable managing AD DS by using the common graphical tools such as Active Directory Users and Computers. Another option that you may not be as comfortable with is the Windows PowerShell cmdlets. Using the AD DS cmdlets to perform common tasks will help you learn how to use Windows PowerShell.
The Active Directory PowerShell module included in Windows Server 2012 provides over 130 cmdlets for managing Active Directory objects such as computer and user accounts, groups, trusts, and policies.

Using Windows PowerShell Variables

Windows PowerShell enables you to retrieve, modify, and filter data from many different sources. In some cases, you may want to store data for comparison or use. For example, you may want to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and can then be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows PowerShell variables are typed. This means that they are created to store a specific type of data, whether it is text, numbers, objects, time, arrays, or another defined object.
You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:
Set-Variable -Name ADDS -Value (Get-ADDomain)

You will notice you do not specify the $ symbol when you use the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it, and then assigning a value to it. To do this, start the command with the name of the variable followed by an equal sign and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:
$ADDS = Get-ADDomain

The $ADDS variable now holds a copy of the object output by the Get-ADDomain cmdlet. The output object takes on the type that is defined in the relevant class and the variable maintains that structure. You can now read and manipulate the variable similar to how you would a .NET object. To obtain information about the properties or to run methods, you can use dotted notation on the variable. For example, to determine the domain functional level reported by the DomainMode property of Get-ADDomain, you can use the following command:
> $ADDS.DomainMode
Windows2008R2Domain

You can also access methods or actions from a variable. For example, to determine the BaseType of $ADDS, you can use the GetType() method by running the following command:
> $ADDS.GetType().BaseType
Microsoft.ActiveDirectory.Management.ADPartition

When you use methods, you must follow the method with () to distinguish that it is a method and not a property. You can also use variables in calculations; for example, you can add the contents of two variables. To declare two variables and then add them together, use the following commands:
> $A = 1
> $B = 2
> $A + $B
3


When you use variables in calculations, make sure that they are typed correctly because typing them incorrectly could lead to unexpected results. For example, notice what happens when variables are typed as string data instead of numbers:
> $C = "3"
> $D = "4"
> $C + $D
34

Instead of adding the two values numerically, they are concatenated together. When you mix types together, there is more potential for unexpected results because Windows PowerShell will automatically cast or convert some data types. For example, see how the data is cast in the following example:
> $A + $C
4
> $C + $A
31

In these examples, the type of the first variable is used to cast the other variables for the calculation. To better control how data is cast, you can specify the data type for each variable. To control how each variable is cast, see the following example:
> [string] $A + $C
13
> [int] $C + $A
2

Additional Reading: about_Variables
http://technet.microsoft.com/en-us/library/dd347604.aspx
Question: How do you declare variables and assign values to them?

The Windows PowerShell Pipeline

Windows PowerShell is an object-based environment. This means that the input and outputs of the cmdlets are objects that can be manipulated. In some instances, you may want to take the output of one cmdlet and pass it to another cmdlet for additional actions. For example, when you have to enable all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser cmdlet. Then, by using Windows PowerShell, you can use the Enable-ADAccount cmdlet for each locked user account. To make this easier, you can directly pass the output data from one cmdlet into another cmdlet, which is called piping. Piping is performed by putting the pipe (|) character between cmdlets. Each cmdlet is executed from the left to the right, each passing its output to the next cmdlet in line. For example, you can get a list of all users in the domain and then pipe the list to the Enable-ADAccount cmdlet, by running the following command:
Get-ADUser -Filter * | Enable-ADAccount


Piping can be used extensively in Windows PowerShell as it is in other shells. Windows PowerShell differs from typical shells because the data in the pipeline is an object instead of just simple text. Having an object in the pipeline enables you to easily persist all the properties of the returned data. The data in the pipeline is assigned to a special variable named $_ which only exists while the pipeline is executing. For example, if you want to enable accounts that are disabled, you can use the Where-Object cmdlet to return only accounts that are disabled. To do this, run the following command:
Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount

By piping an object with a list of all the users, you can use the Where-Object cmdlet to filter the accounts that are disabled based on the Enabled property of the account.
Note: This example is for teaching purposes only. It enables all the disabled accounts in the domain and should not be performed in a production environment because this may enable accounts that should remain disabled.

Options for Formatting Windows PowerShell Output
When you work with AD DS data, you may have to retrieve lists of users, computers, or groups and have to visualize the data by using a tool such as Microsoft Office Excel, or you may have to view only the specific properties on screen. Windows PowerShell enables both such scenarios. First, formatting data for viewing on screen. There are several default cmdlets available to control how data is formatted. These cmdlets are described in the following table.

Cmdlet          Description

Format-List     This cmdlet outputs data in a list format with each property on its own line. You can specify the properties that you want displayed by using the Property parameter. You can call this cmdlet by using the alias of FL. This cmdlet is useful when you view a small number of objects with a large number of properties.

Format-Table    This cmdlet outputs data in a table format with each property as its own column. You can specify the properties that you want displayed by using the Property parameter. You can call this cmdlet by using the alias of FT. This cmdlet is useful when you view a large number of objects with a small number of properties.

Format-Wide     This cmdlet outputs data in a table format with only one property for each object. You can specify the property that you want displayed by using the Property parameter and the number of columns to display the data by using the Column parameter. You can call this cmdlet by using the alias of FW. This cmdlet is useful when you view a large number of objects and you only need to see one property for each object, such as the name.

Format-Custom   This cmdlet outputs data in a format previously defined by using a PS1XML file. The settings in this file can specify which properties to show and how to arrange and group them. You can call this cmdlet by using the alias of FC. This cmdlet is useful when you view data that you access frequently and have to customize which properties are shown.

Another set of cmdlets enables complex formatting and reporting. These are listed in the following table.

Cmdlet          Description

Measure-Object  This cmdlet takes the input object from the pipeline or variable and performs calculations on specified properties and on text in strings and files. Calculations include counting objects, determining the average, minimum, maximum, and sum of property values. It can also count the number of occurrences of words and characters in a file or string. It is used when you have to quickly calculate the number of users selected as part of a query or determine the memory a set of processes is using.

Select-Object   This cmdlet takes the input object from the pipeline or variable and outputs objects that have only the selected properties. It can also select a subset of items in each object by using the -First, -Last, -Unique, and -Index parameters, which is valuable when you work with large datasets.

Sort-Object     This cmdlet takes the input object from the pipeline or variable and sorts the data based on the selected properties. This is helpful when you have to provide a sorted list of data.

Where-Object    This cmdlet takes the input object from the pipeline or variable and then applies a filter that is based on a specified query. The queries used for filtering are enclosed in braces and include a comparison. This is helpful when you have to select specific types of data.

You can use all these cmdlets together to create customized output to the screen. You can also use Out-File to write the output to a text file, or Export-Csv to export the data as a comma separated values (CSV) file.
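The following is an added example, not part of the course material, that serves both the pipeline section and the formatting tables above. Rather than enabling every disabled account in one pipeline, as the teaching example does, it audits them: a single Get-ADUser query is filtered with Where-Object, counted with Measure-Object, sorted with Sort-Object, written to a CSV with Export-Csv and summarized on screen with Format-List. The function name Get-DisabledAccountReport and the output path are assumptions made for this example.

```powershell
# Added example (not from the course): audit disabled accounts instead of bulk-enabling
# them. Function name, cutoff default and CSV path are assumptions for this example.
function Get-DisabledAccountReport {
    param(
        [int] $OlderThanDays = 90,
        [string] $CsvPath = "$env:TEMP\DisabledAccounts.csv"
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    # One query, filtered on the domain controller by -Filter. The extra properties
    # are requested explicitly because Get-ADUser returns only a default set otherwise.
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' `
                           -Properties LastLogonDate, WhenChanged, Description |
        Select-Object SamAccountName, Name, LastLogonDate, WhenChanged, Description

    # Where-Object on the client splits long-idle accounts from recently changed ones;
    # $_ is the object currently passing through the pipeline.
    $stale  = $disabled | Where-Object { $_.WhenChanged -lt $cutoff }
    $recent = $disabled | Where-Object { $_.WhenChanged -ge $cutoff }

    # Measure-Object produces the counts; ($null | Measure-Object).Count is 0, so an
    # empty result does not break the summary.
    $summary = [pscustomobject]@{
        TotalDisabled        = ($disabled | Measure-Object).Count
        DisabledBeyondCutoff = ($stale    | Measure-Object).Count
        ChangedRecently      = ($recent   | Measure-Object).Count
        CutoffDate           = $cutoff
        DetailFile           = $CsvPath
    }

    # Persist the full detail for review in Excel; Sort-Object orders it by last change.
    $disabled | Sort-Object WhenChanged |
        Export-Csv -Path $CsvPath -NoTypeInformation

    return $summary
}

# Usage: summary on screen as a list, detail in the CSV file.
Get-DisabledAccountReport -OlderThanDays 90 | Format-List
```

Formatting is applied only at the end of the pipeline; the function returns a plain object so that a calling script can test the counts with an if statement or pass them on to another cmdlet.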

Creating and Running Windows PowerShell Scripts
You can perform complicated multi-step tasks by using a pipeline and multiple cmdlets. There may be times where you have to run multiple functions, make choices, wait for tasks to complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell script to put all the steps together. A script is a text-based file that includes at least one Windows PowerShell command and is saved with a .PS1 file name extension. Scripts can be created to take input from the command line, letting you customize how the script executes.

Execution Policy
By default, the execution policy does not enable Windows PowerShell scripts to be executed automatically. This safeguards the computer by preventing unattended scripts from running without the administrator knowing. There are four execution policies that can be set and are as follows:


Restricted. This is the default policy for Windows Server 2012 and does not enable configuration files to load, nor does it enable scripts to be run. The Restricted execution policy is perfect for any computer for which you do not run scripts or for which you run scripts only rarely. (Be aware that you could always manually open the shell with a less-restrictive execution policy.)

AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher, including scripts created on your local computer. This execution policy is useful for environments where you do not want to accidentally run any script unless it has an intact, trusted digital signature. This policy is less convenient because it requires you to digitally sign every script that you write, and re-sign each script every time that you make any changes to it.

RemoteSigned. This policy requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local scripts are ones that you create yourself, and you trust them. It does not require those scripts to be signed. Scripts that are downloaded from the Internet or received through e-mail, however, are not trusted unless they carry an intact, trusted digital signature. You could definitely still run those scripts, by running the shell under a lesser execution policy, for example, or even by signing the script yourself, but those are additional steps that you have to take, so it is unlikely that you would be able to run such a script accidentally or unknowingly.

Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must grant permission
for the script to run. The Unrestricted execution policy is not usually appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.

Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy is not
usually appropriate for production environments because it provides no protection against
accidentally or unknowingly running untrusted scripts.

You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To
configure the execution policy, you must open an elevated Windows PowerShell window and run the
Set-ExecutionPolicy cmdlet. After the execution policy is configured, you can run a script by typing in
the name of the script.
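The following is an added example, not part of the course material, that shows the execution-policy cmdlets just described together with the check they rely on: it lists the policy at every scope, sets RemoteSigned for the current user, and inspects a script's Authenticode signature with Get-AuthenticodeSignature before invoking it, so that a script whose signature no longer matches its content is reported rather than run. The function name Invoke-VerifiedScript is an assumption; Get-LatestLogon.ps1 is the course's own example script name.

```powershell
# Added example (not from the course): inspect execution policy scopes and check a
# script's signature before running it. Function name is an assumption for this example.
function Invoke-VerifiedScript {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path
    )

    # -List shows every scope; the effective policy is the first scope that is not
    # Undefined, checked from MachinePolicy down to LocalMachine.
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-Host

    # Status is Valid, NotSigned, HashMismatch (file edited after signing) or
    # UnknownError (signer not trusted), among others.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    switch ($sig.Status) {
        'Valid' {
            Write-Host "Signed by $($sig.SignerCertificate.Subject); running $Path"
            # & is the call operator; the path is quoted in case it contains spaces.
            & $Path
        }
        'NotSigned' {
            Write-Warning "$Path is not signed; review its contents before running it."
        }
        default {
            # HashMismatch or an untrusted chain: report the reason and do not run.
            Write-Warning "$Path signature status is $($sig.Status); not running it."
        }
    }

    return $sig.Status
}

# -Scope CurrentUser changes the policy for this user only, leaving the
# LocalMachine setting for other accounts on the server unchanged.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Invoke-VerifiedScript -Path '.\Get-LatestLogon.ps1'
```

Under RemoteSigned a locally written, unsigned script runs without this check; the function adds value for scripts received from elsewhere, where a HashMismatch status means the file changed after its publisher signed it.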

Simple Scripts

Scripts are text files that have a .PS1 file name extension. These files contain one or more commands
that you want the shell to execute in a particular order. You can edit scripts by using Notepad, but the
Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively,
obtain hints on the correct command syntax, and immediately see the results. You can then paste those
results into a script for long-term use. Or you can type your commands directly into a script, highlight
each command, and press F8 to execute only the highlighted command. If you are pleased with the
results, you save the script and you are finished. Generally, there are very few differences between what
you can do in a script and what you would do on the command line. Commands work in the same
manner in a script. This means that a script can just be created by pasting commands that you have
already tested at the command line. The following is a simple script in a text file that is named
Get-LatestLogon.ps1.

# This script will return the last user who has logged on to the domain.
Get-ADUser -Filter * -Properties lastLogon | `
Sort-Object -Property lastLogon -Descending | `
Select-Object -First 5 | `
Format-Table name, `
@{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
-AutoSize


Although this script contains a single pipeline statement, it is broken up by using the backtick (`) character. You can break up long lines of code by using the backtick character to make the script easier to read.
Notice that the first line of this script starts with a hash mark (#). A line that begins with a hash mark will not be processed. Therefore, you can start a line with a hash mark and write notes and comments about the script. To run a script, you must type either the full or the relative path of the script. For example, to run the Get-LatestLogon.ps1 script, you can use either of the following options if the script is in your current directory or search path:
.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1

If the script name or path has spaces in it, you have to enclose the name in single or double quotation marks and echo the name to the console by using an ampersand (&) character. The following example shows how to do this by using both the relative and a full path.
& '.\Get Latest Logon.ps1'
& 'E:\ModXA\Democode\Get Latest Logon.ps1'

Using Windows PowerShell Loops and Conditional Expressions
Advanced Windows PowerShell scripts may require repeating commands a certain number of times, until a specific condition is met, or only if a specific condition is met. These test conditions are defined by using comparison statements.

Boolean Comparisons

Test, or comparison, statements are used as test conditions for loops and conditional constructs. These typically compare either two or more objects or two or more property values, and are designed to result in a True or False value. These comparisons are frequently known as Boolean comparisons, because they can only result in one of the two Boolean values, True or False. As part of designing a Windows PowerShell script, using Boolean comparisons is a common enough task: You might compare two computer names to see whether they are equal, or compare a performance counter value to a predetermined threshold value to see which of the two is greater. The comparison operators sit between the two items that you want to compare. You probably remember simple comparisons from grade school math with comparisons like 10 > 4, 5 < 10, and 15 = 15. Windows PowerShell performs comparisons the same way, although it has its own syntax. Some common comparison operators are as follows:

-eq. Equal to

-ne. Not equal to

-le. Less than or equal to

-ge. Greater than or equal to

-gt. Greater than

-lt. Less than


Windows PowerShell defines two special variables for comparisons, $True and $False, which represent the Boolean values true and false. If a comparison is true, the expression is evaluated as $True, and if the comparison is not true, the expression is evaluated as $False. For example, the comparison 4 is greater than 10 (4 -gt 10) will produce $False as its result, whereas 10 is equal to 10 (10 -eq 10) would produce $True. Windows PowerShell enables you to execute comparisons right on the command line. Type your comparison and press Enter to see the result of the comparison. The real value of Boolean comparisons is shown when they are used in loops and conditional expressions.
There are several Windows PowerShell constructs that make use of Boolean comparisons to control the execution of code in a script. These constructs are if, switch, for, while, and foreach.

The if Statement
The if statement can be used to execute a block of code if the specified criteria are met. The basic
functionality of an if statement is shown in the following example:
if (Boolean comparison)
{
Code to complete if test expression is true
}

Another option available to allow for additional possibilities is using else and elseif statements. When you want to execute special code if a condition exists or execute other code if it does not exist, you can use the else statement. If there are additional conditions that you want to test for, you could use the elseif statement. Consider the following example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
if ($Today.DayOfWeek -eq "Monday")
{
Set-ADUser -Identity Administrator -StreetAddress "Headquarters"
}
elseif ($Today.DayOfWeek -eq "Thursday")
{
Set-ADUser -Identity Administrator -StreetAddress "London Office"
}
else
{
Set-ADUser -Identity Administrator -StreetAddress "Out of the Office"
}
# Confirm Settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
"is working from the $($Admin.StreetAddress)"

The switch Statement

The switch statement is closely related to how if/else statements work. The statement enables a single condition statement to have multiple options for execution. The switch statement has the following syntax:
switch (Value Testing)
{
Value 1 { Code run if value 1 condition exists}
Value 2 { Code run if value 2 condition exists}
Value 3 { Code run if value 3 condition exists}
default { Code run if no other condition exists}
}

Using the previous example, you can achieve the same functionality with less work, as shown in this example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
# Write current settings to console
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
switch ($Today.DayOfWeek)
{
"Monday" {Set-ADUser -Identity Administrator -StreetAddress "Headquarters"}
"Thursday" {Set-ADUser -Identity Administrator -StreetAddress `
"London Office"}
default {Set-ADUser -Identity Administrator -StreetAddress `
"Out of the office"}
}
# Confirm Settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
"is working from the $($Admin.StreetAddress)"


If a larger number of conditions must be tested, the switch statement may be an easier option to use and debug.

The for Loop

The for loop can be used to execute a block of code a specific number of times. This can be when multiple
items have to be requested, or created. The for statement syntax is as follows:
for (setup loop variables ; Boolean comparison ; action after each loop)
{
Code to complete while Boolean comparison is true
}

The for loop begins with settings to configure variables, the Boolean comparison, and an action to
complete after each loop. Consider the following example that creates five new computer accounts with
unique names using a for statement:
# Create a variable named $i and assign it a value of 1
# Execute the for loop for as long as $i is less than 6
# After each loop add 1 to the value of $i
for ($i = 1 ; $i -lt 6 ; $i++)
{
# Create a variable with the name of the computer account
$ComputerAcct = "LON-SRV" + $i
New-ADComputer -Name $ComputerAcct
}

The while Loop


The while loop can be used to execute a block of code while a specific condition exists. It resembles the
for loop, except that it has no built-in mechanism to set up variables or to run an action after each loop.
This lets the while statement continue executing until a condition is met instead of for a set number of
times. The while statement syntax is as follows:
while (Boolean comparison)
{
Code to complete while Boolean expression is true
}

This script prints a random number on the screen until one of the random numbers is less than
50,000,000. The condition is evaluated before each iteration, so $i must hold a value greater than
50,000,000 before the loop starts; otherwise the body never runs:
$i = 99999999999
while ($i -gt 50000000)
{
    Write-Host "Random Value: $i"
    $i = Get-Random
}

Also available is the do/while loop, which works the same way as the while loop except that the Boolean
expression is evaluated at the end of the loop instead of at the beginning. This means that the code block
in a do/while loop is always executed at least once. The value of $i does not have to be set before the
do/while loop because the condition is evaluated after the first pass (the first Write-Host therefore prints
an empty value). The following example shows a do/while loop:
do {
    Write-Host "Random Value: $i"
    $i = Get-Random
} while ($i -gt 50000000)

The foreach Statement

The foreach statement iterates through an array (collection), item by item, assigning a specifically named
variable to the current item of the collection. Then it runs the code block for that element.
foreach ($item in $collection)
{
    Code to complete for each item in the collection.
}

Using the foreach statement can make batch modifications easier. Consider, for example, setting a
description for all users who are members of a specific group, as shown in the following example. Note
that Get-ADGroupMember returns every member principal, which can include computer accounts and
nested groups as well as users, so the members are filtered to user objects before Set-ADUser is called:
# Get a list of the user members of the Domain Admins group
$DAdmins = Get-ADGroupMember "Domain Admins" | Where-Object { $_.objectClass -eq "user" }
# Go through each member and set the Description
foreach ($user in $DAdmins)
{
    Set-ADUser $user -Description "In the Domain Admins Group"
}
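The following script is added here as an example and is not part of the course material. It applies foreach, switch, and if together to a task an administrator really does script: auditing the user members of privileged groups and flagging accounts that are disabled, never expire, have never logged on, or have not logged on recently. It assumes the ActiveDirectory module, a connection to the domain, and the group names and 90-day threshold shown, all of which you would adjust.

```powershell
# Added example, not part of the course: audit the user members of privileged
# groups with foreach, switch and if. Assumes the ActiveDirectory module and a
# domain connection; the group list and the 90-day threshold are assumptions.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$StaleDays = 90
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Findings = @()

foreach ($GroupName in $PrivilegedGroups)
{
    # -Recursive expands nested groups; keep user objects only, because group
    # members can also be computers or other groups
    $Members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members)
    {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties Enabled, PasswordNeverExpires, LastLogonDate

        # switch on $true: the first script block that evaluates to $true wins,
        # and break stops the evaluation of the remaining cases
        $Status = switch ($true)
        {
            { -not $User.Enabled }               { 'DisabledButStillMember'; break }
            { $User.PasswordNeverExpires }       { 'PasswordNeverExpires'; break }
            { $null -eq $User.LastLogonDate }    { 'NeverLoggedOn'; break }
            { $User.LastLogonDate -lt $Cutoff }  { 'StaleLogon'; break }
            default                              { 'OK' }
        }

        # Only accounts that need attention are reported
        if ($Status -ne 'OK')
        {
            $Findings += [pscustomobject]@{
                Group          = $GroupName
                SamAccountName = $User.SamAccountName
                Status         = $Status
                LastLogonDate  = $User.LastLogonDate
            }
        }
    }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

The switch tests conditions rather than literal values by switching on $true; each case is a script block whose result decides whether it matches, which keeps the classification in one place instead of a nested if/elseif chain. LastLogonDate is replicated only every 9 to 14 days by default, so treat the stale-logon result as a first pass, not as proof that an account is unused.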

Demonstration: Managing AD DS by Using Windows PowerShell

In this demonstration, you will review how to manage users and groups in Windows PowerShell.

Demonstration Steps
1. Start and log on to LON-DC1. Log on as the domain administrator.
2. Open Windows PowerShell ISE as an administrator.
3. Refer to the demonstration script in virtual machine LON-DC1 at E:\ModXA\Democode\Managing Users and Groups.ps1.

Active Directory Administrative Center Integration with Windows PowerShell

Active Directory Administrative Center is built on Windows PowerShell technology. It provides administrators the ability to perform enhanced data management by using a GUI. Using Active Directory Administrative Center, you can perform the following tasks:

Manage user and computer accounts

Manage groups

Manage organizational units (OUs)

Build queries to filter Active Directory information


Because Active Directory Administrative Center is built on Windows PowerShell, it can expose the Windows PowerShell commands that are used to interact with the GUI. These commands can be used to learn Windows PowerShell, build Active Directory management scripts, and keep track of changes that are made within the GUI.

Lesson 3

Managing Servers by Using Windows PowerShell 3.0

As you become familiar with Windows PowerShell, you can perform administrative and management tasks with more ease. There are advanced features in Windows PowerShell 3.0 that let you manage a single server from a local console and manage many servers from a remote location. The advanced features include Windows PowerShell Web Access, Windows PowerShell jobs, and Windows PowerShell workflow. This lesson introduces some more advanced features of Windows PowerShell 3.0 and discusses how you might use the features to manage servers in your environment.

Lesson Objectives
After completing this lesson, students will be able to:

Describe the need to use Windows PowerShell for managing servers.

Describe how to configure and use Windows PowerShell Web Access.

Describe Windows PowerShell jobs.

Describe Windows PowerShell workflows and how they can be used.

Manage a server by using Windows PowerShell 3.0.

Discussion: The Need for Windows PowerShell for Server Management

Windows PowerShell has many features that make it useful in both large and small environments. Frequently the most difficult part of using Windows PowerShell is the starting point. Using Windows PowerShell to perform tasks that you perform every day will help you become more comfortable and more proficient in using it.

Consider the following questions:

Question: Why use Windows PowerShell for server management?

Question: What tasks will you use Windows PowerShell to perform?

What Is Windows PowerShell Web Access?

Windows PowerShell Web Access is a new feature in Windows Server 2012 that provides a web-based gateway to Windows PowerShell. This enables authorized users to administer a server without having management tools directly installed on their client computer, or having to use Remote Desktop to connect to the server. The administrator only has to configure a Windows PowerShell Web Access gateway, and users connect to it with a web browser.


The Windows PowerShell Web Access gateway requires the Web Server (Internet Information Services (IIS)) role, the .NET Framework 4.5, and Windows PowerShell 3.0 to be installed. Many client types are supported to access Windows PowerShell Web Access, and still others are tested to work successfully. In order to work, the web browser must allow cookies, support connecting to the gateway by using Secure Sockets Layer (SSL), and also support JavaScript.

Installing Windows PowerShell Web Access Gateway

To install the Windows PowerShell Web Access gateway:

1. Install the Windows PowerShell Web Access feature.

2. Install an SSL certificate. An SSL certificate is required. A self-signed certificate can be created as part of the configuration process; however, a trusted certificate is recommended, because users who learn to click through certificate warnings on the gateway cannot tell a legitimate gateway from an impostor.

3. Create or configure an IIS site with the Windows PowerShell Web Access Gateway web application. This can be configured by using Internet Information Services Manager or by using the Install-PswaWebApplication cmdlet.

4. Configure Windows PowerShell Web Access authorization rules. By default, no one will be able to use Windows PowerShell Web Access until at least one authorization rule is created. An authorization rule defines which users and groups have access to which session configuration (and therefore to which cmdlets) on which computers they can reach from the gateway. Authorization rules are added by using the Add-PswaAuthorizationRule cmdlet. You can validate the functionality of the rules by using the Test-PswaAuthorizationRule cmdlet. Authorization rules are, by default, stored in %windir%\Web\PowerShellWebAccess\data\AuthorizationRules.xml.

5. Configure destination computer authentication and authorization rules. You must configure the destination computer security settings to enable remote access from the gateway. As you assign administrative permission to the target computers, we recommend assigning only the minimally required permissions and setting the appropriate execution policy for your environment.

6. Configure additional security options. As in any environment, appropriate security best practices should be followed. One example is installing and monitoring antivirus and anti-malware products on all the servers. Additionally, password expiration, lockout, and complexity policies should also be implemented.
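The following script is added as an example and is not part of the course. It carries the procedure above out from one elevated console on the gateway, with the authorization rule scoped to a constrained session configuration instead of the default Microsoft.PowerShell endpoint, so that the gateway hands out only the cmdlets the group needs rather than a full shell. The group Adatum\PSWA-Helpdesk, the user Adatum\Helpdesk01, the .pssc path, and the list of visible cmdlets are assumptions; LON-DC1 is the host the lab uses as both gateway and target.

```powershell
# Added example, not part of the course: install the gateway and grant one
# group a constrained endpoint on one server. Run elevated on the gateway.
# Assumptions: group Adatum\PSWA-Helpdesk, user Adatum\Helpdesk01, the .pssc
# path and the visible cmdlet list. LON-DC1 is the lab's gateway/target host.

# The feature pulls in the IIS role services it depends on
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools

# Create the /pswa application on the Default Web Site. -UseTestCertificate
# installs a self-signed certificate and is acceptable only in a lab; bind a
# CA-issued certificate before real users connect.
Install-PswaWebApplication -UseTestCertificate

# A session configuration on the target that exposes only the cmdlets the
# group needs; RestrictedRemoteServer hides everything not listed
$ConfigPath = 'C:\PSWA\Helpdesk.pssc'   # assumed location
New-Item -ItemType Directory -Path (Split-Path -Parent $ConfigPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -ModulesToImport ActiveDirectory `
    -VisibleCmdlets 'Get-ADUser', 'Unlock-ADAccount', 'Get-Service'
# -Force restarts the WinRM service so the new endpoint is published
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $ConfigPath -Force

# The authorization rule ties group -> computer -> endpoint. Until at least
# one rule exists, every logon to the gateway is refused.
Add-PswaAuthorizationRule -UserGroupName 'Adatum\PSWA-Helpdesk' `
    -ComputerName 'LON-DC1.adatum.com' `
    -ConfigurationName 'Helpdesk' `
    -RuleName 'Helpdesk-to-LON-DC1'

# Check what a member of the group would be allowed to reach
Test-PswaAuthorizationRule -UserName 'Adatum\Helpdesk01' `
    -ComputerName 'LON-DC1.adatum.com' -ConfigurationName 'Helpdesk'

# Review every rule, watching for any that name the default endpoint
# Microsoft.PowerShell or that use wildcards for the user or computer
Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize
```

A rule that names the Microsoft.PowerShell configuration gives the user whatever the target's remoting ACL allows, which for an administrator is everything; pointing the rule at a registered constrained endpoint is what keeps step 5's "minimally required permissions" true even when the gateway credentials are stolen.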

Using Windows PowerShell Web Access

To use Windows PowerShell Web Access, open a web browser and connect to the server by using https://ServerName/pswa. The logon page lets you connect directly to the gateway, to another server on the organization network, or to a custom URI. Using the optional connection settings on the logon page, you can specify one user account to log on to the gateway and another account to connect to the server on the organization network. This is useful if the account authorized to connect to the gateway does not have permissions on the internal server.


After you have established a Windows PowerShell session by using Windows PowerShell Web Access, you can begin using Windows PowerShell cmdlets and executing scripts based on the execution policy settings. Although most of the functionality is the same as using Windows PowerShell remoting, there are some differences. For example, you cannot use some shortcut keys to interact with Windows PowerShell Web Access, such as Ctrl+C to copy data, or any of the function keys used for things such as command history.

Additional Reading: Deploy Windows PowerShell Web Access
http://technet.microsoft.com/en-us/library/hh831611.aspx

What Are Windows PowerShell Jobs?

A Windows PowerShell background job runs a command or set of commands without interacting with the current Windows PowerShell session. You can start a background job by using the Start-Job cmdlet and then continue to work in the session. Using jobs can be useful when you perform tasks that can take an extended time to complete. You can also use jobs to perform the same task on several computers. The following example shows creating a new job on the local computer:

Start-Job -ScriptBlock {Get-ADUser -Filter *}

You can see the status of the job by using the Get-Job cmdlet and use Wait-Job to block until the job is complete. If you have to remove a job, you can do so with the Remove-Job cmdlet. These jobs run in the background, so they do not return results to your Windows PowerShell session automatically. Output that the job produces is held by the job, and you retrieve it by using the Receive-Job cmdlet.
Windows PowerShell 3.0 introduced an improvement to background jobs, known as scheduled jobs. These jobs can be triggered to start automatically or performed on a recurring schedule. When a scheduled job is created, it is stored on disk and then registered in Task Scheduler. When a scheduled job is run, it creates an instance of the job that can then be managed by using the common job management cmdlets. The main difference between scheduled jobs and background jobs is that scheduled jobs save their results on disk.

Scheduled jobs are created by using the Register-ScheduledJob cmdlet. You can specify the ScriptBlock parameter to run a Windows PowerShell command, or you can specify a script by using the FilePath parameter. Because the script runs unattended under the registering account's credentials each time the trigger fires, the location that FilePath points to is part of the trust boundary: anyone who can modify a script on a file share referenced by a scheduled job can run code as that account. The following example shows how to register a scheduled job to run the GetLastLogon.ps1 script:

Register-ScheduledJob -Name LastLogonJob -FilePath \\LON-SVR1\Scripts\Mod3\democode\GetLastLogon.ps1


To enable the scheduled job to run, a schedule or trigger must be defined. Triggers are created by using the New-JobTrigger cmdlet. You can use the Add-JobTrigger cmdlet to add the trigger to an already registered scheduled job, or assign the trigger when a new scheduled job is registered. Triggers can be scheduled once, daily, weekly, at server startup, or when you log on. The following example shows creating a trigger that runs every Monday and Friday at 9:00 AM and then registers the new scheduled job together with the trigger:

$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At "9:00AM"
Register-ScheduledJob -Name ScheduledLastLogonJob -FilePath `
\\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1 -Trigger $Trigger

You can also use the Add-JobTrigger cmdlet to modify an existing scheduled job, as shown in the following example:

Add-JobTrigger -Name LastLogonJob -Trigger `
(New-JobTrigger -Daily -At "9:00AM")

Scheduled jobs can be used to automatically run tasks such as creating reports, verifying configuration settings, performing user and group maintenance, and many others.
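The following script is added as an example and is not part of the course. It shows background jobs and scheduled jobs doing one piece of security operations work: collecting failed logons (Security event ID 4625) from several servers, first as a one-off background job fanned out with Invoke-Command -AsJob, then as the same collection registered to run every day. It assumes WinRM remoting to the lab servers LON-DC1, LON-SVR1 and LON-SVR2 and an account permitted to read their Security logs; the ReplacementStrings positions used for the account name and source address follow the 4625 event layout and are an assumption to verify against your own events.

```powershell
# Added example, not part of the course: collect failed logons (Security event
# 4625) from several servers as a background job, then register the same
# collection as a daily scheduled job. Assumes WinRM remoting to the lab
# servers and an account allowed to read their Security logs. The
# ReplacementStrings positions follow the 4625 event layout (assumption).
$Servers = 'LON-DC1', 'LON-SVR1', 'LON-SVR2'

$Collect = {
    # Runs on each target: the last 24 hours of failed logons
    Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddDays(-1) `
                 -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeGenerated,
            @{ Name = 'Account';  Expression = { $_.ReplacementStrings[5] } },
            @{ Name = 'SourceIP'; Expression = { $_.ReplacementStrings[19] } }
}

# One-off run: -AsJob fans the script block out to every server and returns
# a single job object that the usual job cmdlets manage
$Job = Invoke-Command -ComputerName $Servers -ScriptBlock $Collect -AsJob -JobName FailedLogons
Wait-Job -Job $Job | Out-Null
$Events = Receive-Job -Job $Job
# Accounts with the most failures first: a quick password-spray indicator
$Events | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Recurring run: Task Scheduler starts it daily at 06:00 and the output of
# each run is saved on disk beside the job definition
$Trigger = New-JobTrigger -Daily -At '6:00AM'
$Options = New-ScheduledJobOption -RunElevated -RequireNetwork
Register-ScheduledJob -Name DailyFailedLogons -Trigger $Trigger -ScheduledJobOption $Options `
    -ArgumentList $Servers, $Collect.ToString() `
    -ScriptBlock {
        param($Servers, $CollectText)
        # Script blocks do not survive serialization, so the text is rebuilt here
        Invoke-Command -ComputerName $Servers -ScriptBlock ([scriptblock]::Create($CollectText))
    }

# Later: the saved output of every past run is available through Receive-Job
Import-Module PSScheduledJob
Get-Job -Name DailyFailedLogons | Receive-Job -Keep
```

Receive-Job without -Keep discards the output it returns, so use -Keep when several people or scripts read the same job results. The scheduled job runs as the account that registered it, so the target servers see that account's rights; keep it a dedicated reader of the Security log rather than a domain administrator.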

Introduction to Windows PowerShell Workflow

Windows PowerShell Workflow is a new feature in Windows PowerShell 3.0. It enables easy-to-use workflows, or task sequences, within the familiar Windows PowerShell interface. A workflow can include individual Windows PowerShell commands or complete scripts. The difference between a workflow and an intricately designed script is that a workflow is designed to also be stopped, paused, and resumed. The workflow can wait until steps successfully complete before continuing to the next workflow step. For example, you can create a workflow that makes changes to multiple computers and waits for them all to restart before continuing to the next configuration step in the workflow.

Windows PowerShell workflows can be created by using the Windows PowerShell console, the Windows PowerShell ISE, or Microsoft Visual Studio Workflow Designer. Workflows created in Visual Studio Workflow Designer are saved with a XAML file name extension. These workflows are imported by using the Import-Module cmdlet.

Workflows can be run as Windows PowerShell jobs by using the -AsJob parameter. Therefore, you can use the same cmdlets to manage running workflows as you do jobs. A workflow is created by using the following syntax:

Workflow WorkflowName { Commands to execute as part of the workflow }


After a workflow is created, it is executed in the same way a cmdlet is executed. Each workflow can be executed with the
parameters that are listed in the following table.

Parameter                   Description
-PSComputerName             A list of target computers for the workflow to execute on
-PSRunningTimeoutSec        Length of time to allow for the workflow to execute
-PSConnectionRetryCount     Number of times the workflow retries a failed connection
-PSPersist                  Toggles the workflow to checkpoint data and state after each activity

In a workflow, commands can be performed in a parallel or sequential manner. Commands that can
be run in parallel are identified by using the parallel keyword. Commands that must be performed
sequentially are identified by using the sequence keyword. The following example shows a workflow
with both keywords being used:
Workflow Get-DomainServerStats
{
    # The following are executed in any order
    Parallel
    {
        Get-Process
        Get-ADUser -Filter *
        # The following are executed sequentially
        Sequence
        {
            Set-ADUser Administrator -Description "Updated content"
            Get-ADUser Administrator -Properties Description
        }
    }
}

Windows Server 2012 includes a number of built-in workflows to enable configuration of multi-server deployments of
Remote Desktop Services, retrieve information about installed Windows roles, and restart servers. To
view the defined workflows, use the following command:
Get-Command -CommandType Workflow
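The following workflow is added as an example and is not part of the course. It demonstrates the restart scenario described above: a change applied to several servers in parallel, a checkpoint, a restart that waits for WinRM to come back on every target, and a sequential verification pass. It assumes WinRM remoting to the lab servers LON-SVR1 and LON-SVR2 and that disabling the Remote Registry service is an acceptable baseline for them; both are assumptions.

```powershell
# Added example, not part of the course: a workflow that hardens several
# servers in parallel, checkpoints, restarts them, waits for WinRM to return,
# and then verifies each host in sequence. Assumes WinRM remoting to the lab
# servers and that disabling Remote Registry is an acceptable baseline for
# them (assumption).
workflow Set-AdatumBaseline
{
    param([string[]]$Computers)

    # Step 1: the same change on every target at the same time. Ordinary
    # cmdlets run inside InlineScript, which executes on -PSComputerName.
    foreach -parallel ($Computer in $Computers)
    {
        InlineScript {
            Set-Service -Name RemoteRegistry -StartupType Disabled
            Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
        } -PSComputerName $Computer
    }

    # Persist state so the workflow can resume from here after a suspension
    # or a restart of the computer running it
    Checkpoint-Workflow

    # Step 2: restart all targets and block until WinRM answers on each one
    Restart-Computer -PSComputerName $Computers -Wait -For WinRM -Force

    # Step 3: verify one host after another, once every host is back
    foreach ($Computer in $Computers)
    {
        $State = InlineScript { (Get-Service -Name RemoteRegistry).Status } -PSComputerName $Computer
        "$Computer RemoteRegistry is $State"
    }
}

# Run as a job with a checkpoint after each activity; manage it with the job cmdlets
$Job = Set-AdatumBaseline -Computers 'LON-SVR1', 'LON-SVR2' -AsJob -PSPersist $true
Wait-Job -Job $Job | Receive-Job
```

The checkpoint is what distinguishes this from a script: if the workflow is suspended after Checkpoint-Workflow, Resume-Job continues at the restart step instead of re-applying the service change.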

Demonstration: Managing a Server by Using Windows PowerShell 3.0

In this demonstration, you will review how to use Windows PowerShell Web Access and Windows
PowerShell jobs.

Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell Web Access at https://LON-DC1/pswa by using the following information:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Computer: LON-DC1
3. Start a new job to list all Active Directory users, by using the Start-Job cmdlet.
4. Obtain the status of the job by running Get-Job.
5. Create a new scheduled job by running the following commands, each followed by Enter:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At "9:00AM"
Register-ScheduledJob -Name ScheduledJob1 -ScriptBlock {Get-ADUser -Filter *} -Trigger $Trigger
6. Run the scheduled job immediately by using the Start-Job cmdlet (Start-Job -DefinitionName ScheduledJob1).


Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0

Scenario


As the A. Datum network grows in size and complexity, it is becoming increasingly apparent that some IT
management processes have to be streamlined. The number of users in the organization is increasing
quickly with users distributed in many locations. Servers are also being deployed in multiple data centers
and in private and public clouds. A. Datum is deploying most new servers as virtual servers in Hyper-V. A.
Datum has to ensure that both the host computers and virtual machines are managed consistently.

To address these server and AD DS management issues, you have to gain familiarity with Windows
PowerShell. You have to understand how to run simple and complex commands and how to create scripts
that will automate many of the regular management tasks.

Objectives
After completing this lab, you will be able to:

Explore Windows PowerShell commands and tools.

Manage AD DS by using Windows PowerShell.

Manage local and remote servers by using Windows PowerShell.

Lab Setup
Estimated time: 30-60 minutes

Virtual Machine(s)

20417-LON-DC1
20417-LON-SVR1
20417-LON-SVR2

User Name

Adatum\Administrator

Password

Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1 and 20417A-LON-SVR2.

Exercise 1: Introduction to Windows PowerShell 3.0

Scenario
As a part of becoming familiar with the Windows PowerShell interface, you will explore the interface and
browse through available cmdlets.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell ISE to retrieve basic information about LON-DC1.
2. Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1.
3. Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1.


X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.
2. On LON-DC1, open Windows PowerShell ISE as an administrator.
3. Retrieve a list of installed Windows features by using Get-WindowsFeature.
4. List the contents of the E:\ModXA\Democode directory by running Get-ChildItem E:\ModXA\Democode.
5. List the contents of C:\Windows, by running dir C:\Windows.
6. Use tab completion to find the correct cmdlet that begins with Get-Ex to see the execution policy
setting on LON-DC1.

X Task 2: Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1
1. If it is necessary, open Windows PowerShell ISE as an administrator.
2. Retrieve a list of services by running Get-Service.
3. Assign the results of Get-Service to the $Services variable.
4. Use the Get-Help cmdlet to view the examples of how to use Where-Object.
5. Use a pipeline to pipe the $Services variable to the Where-Object cmdlet to show only services that
have a status of Stopped.

X Task 3: Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1
1. If it is necessary, open Windows PowerShell ISE as an administrator and open a new remote
PowerShell tab.
2. Establish a Remote PowerShell session with LON-SVR1.
3. Retrieve a list of all installed Windows Features on LON-SVR1 by using Get-WindowsFeature.
4. Install XPS Viewer on LON-SVR1 by using Add-WindowsFeature.
5. Use command history to run Get-WindowsFeature and verify that XPS Viewer is installed.
6. Close the Remote PowerShell session.

Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.

Exercise 2: Managing AD DS by Using Windows PowerShell 3.0

Scenario

After you explore the Windows PowerShell interface and cmdlets, you want to explore options and available
cmdlets in the Active Directory module for Windows PowerShell and begin to use it for basic tasks such as
formatting Windows PowerShell output, using variables and loops, and creating scripts.
The main tasks for this exercise are as follows:
1. Import the Active Directory PowerShell module and view the available cmdlets.
2. View options on how to create a report of users in the Active Directory domain.
3. Use a script to create new users in the domain by using a CSV-based file.
4. Create a script to modify the address of a user based on the day of the week.

X Task 1: Import the Active Directory PowerShell module and view the available cmdlets
1. If it is necessary, open Windows PowerShell ISE as an administrator.
2. Import the Active Directory module by using the Import-Module cmdlet.
3. Use the Get-Command cmdlet to view the cmdlets available in the Active Directory module.

X Task 2: View options on how to create a report of users in the Active Directory domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2. Use the Get-Command cmdlet to view the cmdlets available in the ActiveDirectory module.
3. Use Windows PowerShell to view a list of all users in the domain. Review how Format-List modifies
the formatting by running the following commands:
Get-ADUser -Filter * | Format-List
Get-ADUser -Filter * | Format-List -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-List *
4. Use Windows PowerShell to view a list of all users in the domain. Review how Format-Table modifies
the formatting by running the following commands:
Get-ADUser -Filter * | Format-Table
Get-ADUser -Filter * | Format-Table -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-Table
5. Use Windows PowerShell to view a list of all OUs in the domain. Review how Format-Wide modifies
the formatting by running the following commands:
Get-ADOrganizationalUnit -Filter * | Format-Wide
Get-ADOrganizationalUnit -Filter * | Format-Wide -Column 3
6. Use Windows PowerShell to adjust the formatting of the users report. Review how the Sort-Object
cmdlet modifies the output by running the following commands:
Get-ADUser -Filter * | Sort-Object | Format-Wide
Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID
7. Run the following command to see how to use the Measure-Object cmdlet:
Get-ADUser -Filter * | Measure-Object

X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. Use Notepad.exe to view E:\ModXA\Democode\LabUsers.csv. You will need to change the file type
to all files.
3. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\LabUsers.ps1.
4. On line 13, modify the $OU variable to read: $OU = "OU=Sales,DC=Adatum,DC=com"
5. Run the LabUsers.ps1 script.
6. Use Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com" to confirm that Luka Abrus,
Marcel Truempy, Andy Brauninger, and Cynthia Cary were created.

X Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\Using If Statements.ps1.
3. Verify that line 9 reads:
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
4. Review each section of the script and then run the script. Run the script a second time to view the
changes.

Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.

Exercise 3: Managing Servers by Using Windows PowerShell 3.0

Scenario

Because of plans for remote server management, you want to explore possibilities to use Windows
PowerShell for remote management. You want to test remote connections in Windows PowerShell and
Windows PowerShell Web Access.
The main tasks for this exercise are as follows:
1. Install and configure Windows PowerShell Web Access.
2. Verify Windows PowerShell Web Access configuration.

X Task 1: Install and configure Windows PowerShell Web Access
1. Install Windows PowerShell Web Access on LON-DC1 by using the following command:
Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 -IncludeManagementTools -Restart


2. Configure Windows PowerShell Web Access by running Install-PswaWebApplication -UseTestCertificate.
The test certificate is self-signed and is acceptable only in this lab environment.
3. Create a Windows PowerShell Web Access authorization rule that only enables the administrator to
access the gateway by using the Add-PswaAuthorizationRule cmdlet.

X Task 2: Verify Windows PowerShell Web Access configuration
1. Open Internet Explorer and navigate to https://LON-DC1/pswa.
2. Sign in to Windows PowerShell Web Access by using the following information:
   User: Administrator
   Password: Pa$$w0rd
   Computer: LON-DC1
3. Verify that you can retrieve information from LON-SVR1 by retrieving the five newest System events.
Run the following command:
Get-EventLog -LogName System -Newest 5
4. Obtain the same information from LON-SVR2 and LON-DC1 by running the following command:
Invoke-Command -ScriptBlock { Get-EventLog -LogName Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2

Results: After this exercise, you will have performed one to many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.

X To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR2 and 20417A-LON-DC1.

Module Review and Takeaways


Review Questions
Question: Which cmdlet will display the content of a text file?
Question: Which cmdlet will move a file to another directory?
Question: Which cmdlet will rename a file?
Question: Which cmdlet will create a new directory?
Question: Which cmdlet do you think would retrieve information from the event log?
Question: Which cmdlet do you think would start a stopped VM?

Best Practices


Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This will
make you more comfortable with working with Windows PowerShell and will equip you for using it to
resolve more difficult problems.

Save the commands that you have used to resolve problems in a script file for later reference.

Use Windows PowerShell ISE to help write scripts and ensure you have the correct syntax.

Common Issues and Troubleshooting Tips

Common Issue                                                                        Troubleshooting Tip
Administrators cannot find the correct Windows PowerShell cmdlet for a task.
Administrator cannot connect to a server by using remote Windows PowerShell.
Get-Help does not provide any help for cmdlets.
An administrator is new to Windows PowerShell and is uncomfortable with the command-line.

Tools
You can use the tools in the following table to work with Windows PowerShell.

Tool                                                        Description
Windows PowerShell Integrated Scripting Environment (ISE)   Windows PowerShell ISE provides a simple, yet powerful interface to create and test scripts, and discover new cmdlets.
Microsoft Visual Studio Workflow Designer                   This is a development tool that is used to create Windows PowerShell workflows.
Powershell.exe                                              This is the Windows PowerShell executable.
Active Directory Administrative Center                      This tool enables you to perform common Active Directory management tasks such as creating and modifying user and computer accounts. All the changes that you make by using this management tool are logged in the Windows PowerShell History pane.

Real-world Issues and Scenarios

Many common tools can be replaced with Windows PowerShell cmdlets. The following table gives some
examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows
Server 2012.

Old Command                                 Windows PowerShell Equivalent
ipconfig /all                               Get-NetIPConfiguration
Shutdown.exe                                Restart-Computer (Stop-Computer)
Net Start                                   Start-Service (Restart-Service)
Net Stop                                    Stop-Service (Restart-Service)
Net Use                                     New-SmbMapping
Netstat                                     Get-NetTCPConnection
Netsh advfirewall firewall add rule         New-NetFirewallRule
Route Print                                 Get-NetRoute

4-1

Module 4
Managing Storage for Windows Server 2012
Contents:
Module Overview

4-1

Lesson 1: New Features in Windows Server 2012 Storage

4-2

Lesson 2: Configuring iSCSI Storage

4-12

Lesson 3: Configuring Storage Spaces in Windows Server 2012

4-18

Lab A: Managing Storage for Servers Based on Windows Server 2012

4-23

Lesson 4: Configuring BranchCache in Windows Server 2012

4-25

Lab B: Implementing BranchCache

4-36

Module Review and Takeaways

4-40

Module Overview

Storage space requirements have been increasing ever since the invention of server-based file shares. The
Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk
space that is required and to effectively manage physical disks: data deduplication and storage spaces.
This module provides an overview of these features and explains the steps required to configure them.

Another concern in storage is the connection between the storage and the remote disks. Internet small
computer system interface (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps
create a connection between the servers and the storage. To implement iSCSI storage in Windows Server
2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. Also,
in organizations that have branch offices, you have to consider slow links and how to use these links
efficiently when data is sent between your offices. The BranchCache feature in Windows Server 2012 helps
address the problem of slow connectivity. This module explains the BranchCache feature and the steps to
configure BranchCache.

Objectives
After completing this module, you will be able to:

Describe the new features in Windows Server 2012 storage.

Configure iSCSI storage.

Configure storage spaces.

Configure BranchCache.

Lesson 1
New Features in Windows Server 2012 Storage

The storage demand on servers is ever-increasing, and storage comprises a larger part of an IT
department's budget. Larger volumes are required on flexible disks that can be added or removed
dynamically. Windows Server 2012 includes changes to the storage area that will help administrators to
ease the management of physical disks and provide technologies to reduce disk space consumption.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the File and Storage Services in Windows Server 2012.

Describe the data deduplication process.

Configure data deduplication.

Describe the capabilities of thin provisioning and trim storage.

Describe the new features in File Server Resource Manager.

Describe basic and dynamic disks.

Describe Resilient File System (ReFS) and its advantages.

Describe removed and deprecated features.

File and Storage Services in Windows Server 2012
File and Storage Services includes technologies that help you set up and manage one or more file
servers. File servers are servers that act as central locations on the network where you can store files
and, optionally, share them with users. Windows Server 2012 offers the following new file and storage
services features:

Multiterabyte volumes. You can use this feature to deploy multiterabyte NTFS file system volumes,
which support consolidation scenarios and maximize storage use. The Chkdsk tool introduces a new
approach that prioritizes volume availability and allows for the detection of corruption while the
volume remains online with data available.

Data deduplication. You can use this feature to save disk space by storing a single copy of identical
data on the volume.

iSCSI target server. You can use this feature to provide block storage to other servers and applications
on the network by using the iSCSI standard.

Storage spaces and storage pools. You can use this feature to virtualize storage by grouping
industry-standard disks into storage pools, and then create storage spaces from the available capacity
in the storage pools.

Unified remote management of File and Storage Services in Server Manager. You can use this feature
to remotely manage multiple file servers, including their role services and storage, all from a single
window.

Windows PowerShell cmdlets for File and Storage Services. You can use the Windows PowerShell
cmdlets for performing most administration tasks for file and storage servers.

Additional Reading: File and Storage Services overview
http://technet.microsoft.com/en-us/library/hh831487(d=lightweight,v=ws.11)
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are
the problems with volumes of that size?

What Is Data Deduplication?
Data deduplication is a role service of Windows Server 2012. Data deduplication identifies and
removes duplications within data without compromising its integrity to achieve the ultimate goal of
storing more data while concurrently using less physical disk space.

Data integrity and recoverability are maintained in a process that involves evaluating checksum results
and other algorithms. Data deduplication is highly scalable, resource efficient, and nonintrusive. It can
run on dozens of large volumes of primary data concurrently without affecting other workloads on the
server. Low impact on the server workloads is maintained by throttling the CPU and memory resources
that are consumed. Using data deduplication jobs, you can schedule when data deduplication should
run, specify the resources to deduplicate, and tune file selection.

When combined with BranchCache, the same optimization techniques are applied to data that is
transferred over the wide area network (WAN) to a branch office. This results in faster file download
times and reduced bandwidth consumption.

Volume Requirements for Data Deduplication

After the feature is installed, you can enable data deduplication on a per-volume basis. Each volume
must meet the following requirements:

Volumes must not be a system or boot volume. Deduplication is not supported on volumes where the
operating system is installed.

Volumes may be partitioned by using master boot record (MBR) or GUID partition table (GPT) format,
and must be formatted by using the NTFS file system. The new Resilient File System (ReFS) file system
is not supported for use on a data deduplication volume.

Volumes must be exposed to Windows as non-removable drives, that is, no USB or floppy drives.

Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI (SAS) array, or an
iSCSI storage area network (SAN).

Cluster Shared Volumes (CSV) volumes are not supported.

The Data Deduplication Process

When you enable data deduplication on a volume, a background task runs with low-priority that
processes the files on the volume. That is, the background task segments all file data on the volume into
small, variable sized chunks (32 to 128 KB). Then, it identifies chunks that have one or more duplicates on
the volume. All duplicate chunks are then replaced (erased from disk) with a reference to a single copy of
that chunk. Finally, all remaining chunks are compressed so that even more disk space is saved.

When to Use Data Deduplication

Data deduplication is designed to be installed on primary (and not logically extended) data volumes
without adding any additional dedicated hardware. You can install and use the feature without affecting
the primary workload on the server. The default settings are non-intrusive because only files older than
30 days are processed. The implementation is designed for low memory and CPU priority. However, if
memory use becomes high, deduplication backs off and waits for available resources. You can schedule
deduplication based on the type of data involved and the frequency and volume of changes that occur to
the volume or particular file types.
You should consider using deduplication for the following areas:

File shares. This includes group content publication or sharing, user home folders, and profile
redirection (offline files). You may be able to save approximately 30-50 percent disk space.

Software deployment shares. This includes software binaries, images, and updates. You may be able to
save approximately 70-80 percent space.

Virtual hard disk (VHD) libraries. This includes VHD file storage for provisioning to hypervisors. You
may be able to save approximately 80-95 percent space.

Note: Use the deduplication evaluation tool (DDPEval.exe) to analyze a volume for the
expected savings that you would get when enabling deduplication. This utility is automatically
installed to \Windows\System32\ of the local computer when data deduplication is enabled.
When data deduplication is enabled, and the data is optimized, the volume contains the following:

Unoptimized files. These are skipped files. For example, system state files, encrypted files, files with
extended attributes, files smaller than 32 KB, and reparse point files (previously optimized files that
contain pointers to the respective chunks in the chunk store needed to build the file).

Optimized files. These are stored as reference points to the chunk store.

Chunk store. This is the optimized file data.

Additional Reading:
Data Deduplication Overview
http://technet.microsoft.com/en-us/library/hh831602
Introduction to Data Deduplication in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-in-windows-server-2012.aspx
Question: On which of your shares can you use data deduplication?

Demonstration: Configuring Data Deduplication
In this demonstration, you will see how to add the data deduplication role service and enable data
deduplication on drive E.

Demonstration Steps
Add the Data Deduplication role service
1. Log on to LON-DC1 with a username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
   to the local server and accept the default values:
   o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication

Enable Data Deduplication on E: Drive
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
   click Volumes.

2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.

3. Configure data deduplication with the following settings:
   o Enable data deduplication: Enabled
   o Deduplicate files older than (in days): 3
   o Set Deduplication Schedule: Enable throughput optimization
   o Start time: current time
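The same configuration as the demonstration, done from Windows PowerShell instead of Server Manager, as an added example that is not part of the course material. It first checks the volume requirements listed above (not the system volume, NTFS, non-removable) before enabling deduplication on E:; the schedule name is constructed.

```powershell
# Added example (not from the course): enable data deduplication on E: with the
# demonstration's settings (files older than 3 days, throughput optimization) after
# checking the volume requirements. Assumes a data volume E: exists on this server.

# 1. Add the Data Deduplication role service (feature name FS-Data-Deduplication).
Import-Module ServerManager
Install-WindowsFeature -Name FS-Data-Deduplication | Out-Null
Import-Module Deduplication

# 2. Verify the volume requirements: not the system/boot volume, NTFS, and a fixed drive.
$volume      = Get-Volume -DriveLetter E
$systemDrive = $env:SystemDrive.TrimEnd(':')
if ($volume.DriveLetter -eq $systemDrive) {
    throw 'E: is the system/boot volume; deduplication is not supported there.'
}
if ($volume.FileSystem -ne 'NTFS') {
    throw "Deduplication requires NTFS (ReFS is not supported); E: is $($volume.FileSystem)."
}
if ($volume.DriveType -ne 'Fixed') {
    throw "Deduplication requires a non-removable drive; E: is $($volume.DriveType)."
}

# 3. Enable deduplication and lower the minimum file age from the default 30 days to 3.
Enable-DedupVolume -Volume 'E:' | Out-Null
Set-DedupVolume -Volume 'E:' -MinimumFileAgeDays 3

# 4. Throughput optimization: a scheduled optimization job that starts now and runs for
#    up to 6 hours (constructed schedule name).
New-DedupSchedule -Name 'ThroughputOptimizationE' -Type Optimization `
    -Start (Get-Date) -DurationHours 6 | Out-Null

# 5. Run one optimization pass immediately and report the savings so far.
Start-DedupJob -Volume 'E:' -Type Optimization -Wait | Out-Null
Get-DedupStatus -Volume 'E:' |
    Select-Object Volume, OptimizedFilesCount,
        @{ Name = 'SavedSpaceGB'; Expression = { [math]::Round($_.SavedSpace / 1GB, 2) } }
```

On a freshly enabled volume the first pass reports little or no savings until files reach the configured age; rerun Get-DedupStatus after the schedule has fired.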

What Are Thin Provisioning and Trim Storage?
Windows Server 2012 introduces two new storage concepts. They are:

Thin provisioning. This is a functionality that you can use to allocate storage space on a just-in-time
basis and is available with storage spaces or virtual disks. Using traditional disk provisioning methods,
a volume would immediately consume all the disk space it was sized for. For example, a 2 GB volume
would occupy 2 GB of disk space. Even if the data inside that volume is less than 2 GB, that entire
storage amount is reserved on the disk. Similar to a dynamically expanding VHD, a virtual disk
configured as thin provisioning would only use the space from a storage pool on an as-needed basis.
The virtual disk is only allocated space on the volume as data is added. This also lets you create
virtual disks that have a larger maximum size than the free space in the storage pool. For example,
with thin provisioning, you can create a 1 terabyte virtual disk even though your storage pool only
has 500 GB of free space available.

Trim storage. This is a functionality that you can use to reclaim storage that is no longer needed. The
file system can inform an underlying physical storage device that the contents of specified sectors are
no longer important. Therefore, these sectors can be used by another volume in a storage pool. Trim
requests to a mounted VHD or inside Hyper-V are now propagated to the underlying storage device.

Thin provisioning and trim storage are available by default in Windows Server 2012; no feature or role
has to be installed.
Thin provisioning and trim storage in Windows Server 2012 provide the following capabilities:

Identification. Windows Server 2012 uses a standardized method to detect and identify thinly
provisioned virtual disks, thereby enabling additional capabilities delivered by the storage stack. The
storage stack is provided in the operating system and is available through storage management
applications.

Notification. When the configured physical storage use thresholds are reached, Windows Server 2012
notifies the administrator through events. This enables the administrator to take appropriate action as
soon as possible. These events can also start automated actions from sophisticated management
applications, such as Microsoft System Center.

Optimization. Windows Server 2012 provides a new API that enables applications to return storage
when it is no longer needed. NTFS issues trim notifications in real time, when appropriate.
Additionally, trim notifications are issued as part of storage consolidation (optimization), which is
performed regularly on a scheduled basis.

Additional Reading: Thin Provisioning and Trim Storage Overview
http://technet.microsoft.com/en-us/library/hh831391.aspx
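The thin provisioning and trim behaviour described above, shown with the Storage module cmdlets as an added example (not code from the course): a 1 TB thin virtual disk is created on a pool that may hold far less than 1 TB, its real footprint is read back, and a retrim pass hands freed clusters back to the pool. It assumes at least one physical disk reports CanPool = True; pool, disk and label names are constructed.

```powershell
# Added example (not from the course): thin provisioning and trim with Storage Spaces.
# Assumes at least one unused physical disk is poolable; names below are constructed.

$poolName = 'ThinPool'      # constructed storage pool name
$diskName = 'ThinDisk01'    # constructed virtual disk name

$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -eq 0) { throw 'No poolable physical disks were found.' }

# Build the pool from the poolable disks under the local Storage Spaces subsystem.
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
New-StoragePool -FriendlyName $poolName `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $candidates | Out-Null

# Thin provisioning: the logical size may exceed the pool's free capacity (the 1 TB on
# 500 GB case in the text), because space is drawn from the pool only as data is written.
$pool   = Get-StoragePool -FriendlyName $poolName
$freeGB = [math]::Round(($pool.Size - $pool.AllocatedSize) / 1GB)
Write-Host "Pool free capacity is $freeGB GB; creating a 1 TB thin virtual disk on it."

New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $diskName `
    -Size 1TB -ProvisioningType Thin -ResiliencySettingName Simple | Out-Null

# Initialize, partition and format the new disk so it gets a drive letter.
$disk = Get-VirtualDisk -FriendlyName $diskName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel 'ThinData' -Confirm:$false | Out-Null

# Identification: logical size versus what the pool has actually allocated to the disk.
Get-VirtualDisk -FriendlyName $diskName | Select-Object FriendlyName, ProvisioningType,
    @{ Name = 'SizeGB';      Expression = { $_.Size / 1GB } },
    @{ Name = 'AllocatedGB'; Expression = { [math]::Round($_.AllocatedSize / 1GB, 2) } }

# Trim: after data is deleted, ask NTFS to issue trim notifications for all free clusters
# so the pool can reclaim them (the scheduled optimization does the same on a timer).
Optimize-Volume -DriveLetter $part.DriveLetter -ReTrim -Verbose

# Notification: threshold events from the Storage Spaces driver are written to its
# operational event log (assumed location; the event IDs are not listed in the text).
Get-WinEvent -LogName 'Microsoft-Windows-StorageSpaces-Driver/Operational' `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```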

What's New in File Server Resource Manager?
You can use the File Server Resource Manager to manage and classify data that is stored on file
servers. File Server Resource Manager includes the following features:

File classification infrastructure. This feature automates the data classification process. You can
dynamically apply access policies to files based on their classification. Example policies include
Dynamic Access Control for restricting access to files, file encryption, and file expiration. You can
classify files automatically by using file classification rules, or manually by modifying the properties of
a selected file or folder.

File management tasks. You can use this feature to apply a conditional policy or action to files, based
on their classification. The conditions of a file management task include the file location, the
classification properties, the date the file was created, the last modified date of the file, or the last
time that the file was accessed. The actions that a file management task can take include the ability to
expire files, encrypt files, or run a custom command.


Quota management. You can use this feature to limit the space allowed for a volume or folder.
Quotas can be automatically applied to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.

File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the extension that can be stored on your file shares. For example, you
can create a file screen that does not enable files that have an MP3 extension to be stored in personal
shared folders on a file server.

Storage reports. You can use this feature to identify trends in disk usage and how your data is
classified, and monitor attempts by a selected group of users to save unauthorized files.

You can configure and manage the File Server Resource Manager by using the File Server Resource
Manager Microsoft Management Console (MMC) console or by using Windows PowerShell.

The following features of the File Server Resource Manager are new and are added in Windows Server
2012:

Dynamic Access Control. Dynamic Access Control uses file classification infrastructure to help you
centrally control and audit access to files on your file servers.

Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.

Access-denied assistance. You can use access-denied assistance to customize the access denied error
message that users see in Windows 8 Consumer Preview when they do not have access to a file or a
folder.

File management tasks. The updates to file management tasks include Active Directory Rights
Management Services (AD RMS) file management tasks, continuous file management tasks, and
dynamic namespace for file management tasks.

Automatic classification. The updates to automatic classification enable you to get more precise
control on how data is classified on your file servers, including continuous classification, using
Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.

Additional Reading: What's new in File Server Resource Manager
http://technet.microsoft.com/en-us/library/hh831746.aspx
Question: Are you currently using the File Server Resource Manager in Windows Server 2008
R2? If yes, what areas do you use it for?
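Two of the features described above, file screening and quota management, implemented with the FileServerResourceManager cmdlets that replace dirquota.exe and filescrn.exe, as an added example (not code from the course). It blocks the MP3 example from the text in personal shared folders and auto-applies a quota template to every new user folder; the share path, group name and template name are constructed.

```powershell
# Added example (not from the course): FSRM file screen and auto quota via PowerShell.
# Paths and names are constructed for this example.

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

$usersRoot = 'E:\Shares\Users'   # constructed root of the personal shared folders
New-Item -ItemType Directory -Path $usersRoot -Force | Out-Null

# File screening: a file group of audio extensions and an active (blocking) screen on the
# root. Passive screens only log; -Active makes FSRM refuse the write.
if (-not (Get-FsrmFileGroup -Name 'Audio Files' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Audio Files' -IncludePattern @('*.mp3', '*.wma', '*.flac') | Out-Null
}
$screenEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen blocked [Source Io Owner] from saving [Source File Path].'
New-FsrmFileScreen -Path $usersRoot -IncludeGroup 'Audio Files' -Active `
    -Notification $screenEvent | Out-Null

# Quota management: a 5 GB hard-limit template with a warning at 85 percent, applied
# automatically to every folder that is created under the root.
if (-not (Get-FsrmQuotaTemplate -Name '5 GB User Limit' -ErrorAction SilentlyContinue)) {
    $quotaEvent = New-FsrmAction -Type Event -EventType Warning `
        -Body 'Quota on [Quota Path] has reached [Quota Used Percent] percent.'
    $threshold  = New-FsrmQuotaThreshold -Percentage 85 -Action $quotaEvent
    New-FsrmQuotaTemplate -Name '5 GB User Limit' -Size 5GB -Threshold $threshold | Out-Null
}
New-FsrmAutoQuota -Path $usersRoot -Template '5 GB User Limit' | Out-Null

# Verify what FSRM now enforces under the root.
Get-FsrmFileScreen -Path $usersRoot | Select-Object Path, Active, IncludeGroup
Get-FsrmAutoQuota  -Path $usersRoot | Select-Object Path, Template
```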

What Are Basic and Dynamic Disks?
Windows Server 2012 continues to support basic disks and dynamic disks.

Basic Disk
Basic storage uses typical partition tables supported by MS-DOS, and all versions of the Windows
operating system. A disk initialized for basic storage is called a basic disk. A basic disk contains basic
partitions, such as primary partitions and an extended partition. An extended partition can be
subdivided into logical drives.

By default, when you initialize a disk in Windows, the disk is configured as a basic disk. Basic disks can
easily be converted to dynamic disks without any loss of data. However, when you convert a dynamic
disk to basic disk, all data on the disk will be lost. Some applications such as the storage spaces feature
in Windows Server 2012 cannot use dynamic disks. In addition, there is no performance gain by
converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic
disks to dynamic disks unless they have to use some additional volume configuration options available
with dynamic disks.

Dynamic Disk
Dynamic storage is supported in all Windows operating systems including the Windows XP operating
system and the Microsoft Windows NT Server 4.0 operating system. A disk initialized for dynamic
storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you
can perform disk and volume management without the need to restart Windows.

When you configure dynamic disks, you create volumes instead of partitions. A volume is a storage unit
made from free space on one or more disks. It can be formatted with a file system and can be assigned
a drive letter or configured with a mount point. The dynamic volumes include:

Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk
or consist of multiple, concatenated regions. A simple volume can be extended within the same disk
or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned
volume.

Spanned volumes. A spanned volume is created from free disk space that is linked from multiple
disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be
mirrored and is not fault-tolerant. Therefore if you lose one disk, you lose all the spanned volume.

Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks.
The data on this type of volume is allocated alternately and evenly to each of the physical disks. A
striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning the loss of
one disk will cause the loss of data immediately. Striping is also known as redundant array of
independent disks (RAID)-0.

Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.

RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum
of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.

Required Disk Volumes

Regardless of which type of disk that you use, you must configure a system volume and a boot volume on
one of the hard disks in the server:

System volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not
have to be, the same as the boot volume.

Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.

Note: When you install the Windows 8 operating system or Windows Server 2012 in a
clean installation, a separate system volume is created to enable encrypting the boot volume by
using BitLocker.
Additional Reading:
How Basic Disks and Volumes Work
http://go.microsoft.com/fwlink/?LinkID=199648
Dynamic Disks and Volumes
http://go.microsoft.com/fwlink/?LinkID=199649

What Is the Resilient File System?
Resilient File System (ReFS) is a new file system provided in Windows Server 2012. ReFS is based on
the NTFS file system and provides the following advantages:

Metadata integrity with checksums

Integrity streams providing optional user data integrity

Allocation on write transactional model for robust disk updates (also known as copy on write)

Large volume, file, and directory sizes

Storage pooling and virtualization making file system creation and management easy

Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance

Disk scrubbing for protection against latent disk errors

Resiliency to corruptions with salvage for maximum volume availability in every case

Shared storage pools across computers for additional failure tolerance and load balancing

ReFS inherits the features from NTFS including BitLocker encryption, access-control lists for security,
Update Sequence Number (USN) journal, change notifications, symbolic links, junction points, mount
points, reparse points, volume snapshots, file IDs, and oplocks.

Because ReFS uses a subset of features from NTFS, it is designed to maintain backward compatibility
with its older counterpart. Therefore, Windows 8 clients or earlier can read and write to ReFS hard-drive
partitions and shares on a server, just as they can with those running NTFS. But, as implied in its name,
the new file system offers more resiliency, meaning better data verification, error correction, and
scalability. Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for
individual files, directories, disk volumes, and other items, as listed in the following table.

Attribute                                      Limit
Maximum size of a single file                  2^64 - 1 bytes (18.446.744.073.709.551.616 bytes)
Maximum size of a single volume                2^78 bytes with 16KB cluster size (2^64 * 16 * 2^10);
                                               Windows stack addressing allows 2^64 bytes
Maximum number of files in a directory         2^64
Maximum number of directories in a volume      2^64
Maximum file name length                       32K unicode characters
Maximum path length                            32K
Maximum size of any storage pool               4 petabyte
Maximum number of storage pools in a system    No limit
Maximum number of spaces in a storage pool     No limit

Removed and Deprecated Features
The following storage-related features are removed and deprecated from Windows Server 2012:

The Storage Manager for SANs snap-in for MMC is removed. Instead, you can manage storage with
Windows PowerShell cmdlets and Server Manager.

The Storage Explorer snap-in for MMC is removed.

The SCSIport host-bus adapter driver is removed. Instead, you can either use a Storport driver or a
different host-bus adapter.

The File Server Resource Manager command-line tools such as dirquota.exe, filescrn.exe, and
storrept.exe are removed. This functionality is available in Windows PowerShell.

The File Replication Service (FRS) is replaced by DFS Replication.

The Share and Storage Management snap-in is replaced by the File and Storage Services role in
Server Manager.

The Shared Folders snap-in is replaced by the File and Storage Services role in Server Manager.

The Virtual Disk Service (VDS) provider is replaced by the Storage Management APIs and storage
provider or the Storage Management Initiative Specification (SMI-S) standard and a compliant
storage provider.

Lesson 2
Configuring iSCSI Storage

In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will
perform these tasks by using IP-based iSCSI storage. iSCSI storage is an inexpensive and simple way to
configure a connection to remote disks. Many application requirements dictate that remote storage
connections must be redundant in nature for fault tolerance or high availability. For this purpose, you will
also learn how to create both single and redundant connections to an iSCSI target. You will do so by using
the iSCSI initiator software that is available in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

Describe iSCSI and its components.

Describe the iSCSI target server and the iSCSI initiator.

Describe how to configure high-availability and locate iSCSI storage.

Configure iSCSI target.

Connect to the iSCSI storage.

What Is iSCSI?
iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network.
iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets and
to manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs, or even
over the larger Internet.
iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such as a
host bus adapter (HBA) or network switches is optional. iSCSI uses TCP/IP (typically, TCP port 3260).
This means that iSCSI simply enables two hosts to negotiate (session establishment, flow control, and
packet size, for example) and then exchange SCSI commands by using an existing Ethernet network. By
doing this, iSCSI takes a popular, high performance, local storage bus subsystem architecture and
emulates it over LANs and WANs, creating a SAN. Unlike some SAN protocols, iSCSI requires no
specialized cabling; it can be run over existing switching and IP infrastructure. However, the performance
of an iSCSI SAN deployment can be severely decreased if not operated on a dedicated network or subnet,
as best practices recommend.

Note: While you can use a standard Ethernet network adapter to connect the server to the
iSCSI storage device, you can also use dedicated HBAs.

An iSCSI SAN deployment includes the following:

IP network. You can use standard network interface adapters and standard Ethernet protocol network
switches to connect the servers to the storage device. To provide sufficient performance, the network
should provide speeds of at least 1 gigabit per second (Gbps), and should provide multiple paths to
the iSCSI target. We recommend a dedicated physical and logical network in order to achieve fast,
reliable throughput.

iSCSI targets. This is another way to refer to the network interface of the storage device to gain access
to the storage. iSCSI targets present or advertise storage, similar to controllers for hard disk drives of
locally attached storage. However, this storage is accessed over a network, instead of locally. Many
storage vendors implement hardware level iSCSI targets as part of their storage devices hardware.
Other devices or appliances, such as Windows Storage Server devices, implement iSCSI targets by
using a software driver together with at least one Ethernet adapter. Windows Server 2012 provides
the iSCSI target server, which is effectively a driver for the iSCSI protocol, as a role service.

iSCSI initiators. The iSCSI target displays storage to the iSCSI initiator (also known as the client), which
acts as a local disk controller for the remote disks. All versions of Windows Server starting from
Windows Server 2008 include the iSCSI initiator and can connect to iSCSI targets.

iSCSI Qualified Name (IQN). IQNs are unique identifiers that are used to address initiators and targets
on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for the iSCSI
initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the iSCSI
targets. However, if name resolution on the iSCSI network is a possible issue, iSCSI endpoints (both
target and initiator) can always be identified by their IP addresses.
Question: Can you use your organization's internal IP network to provide iSCSI?

iSCSI Target Server and iSCSI Initiator
The iSCSI initiator service has been a standard part of Windows since Windows Server 2008. Before
Windows Server 2012, however, the iSCSI Software Target had to be downloaded and installed
separately. Now, it is integrated as a role service into Windows Server 2012. The new features in
Windows Server 2012 include:

Authentication. You can enable Challenge Handshake Authentication Protocol (CHAP) to authenticate
initiator connections, or enable reverse CHAP to allow the initiator to authenticate the iSCSI target.

Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.
iSCSI Target Server

MCT USE ONLY. STUDENT USE PROHIBITED

4-14 Managing Storage for Windows Server 2012

The iSCSI target server role service provides a software-based and hardware-independent iSCSI disk
subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then
use Server Manager to manage these iSCSI targets and virtual disks.
The iSCSI target server included in Windows Server 2012 provides the following functionality:

• Network/diskless boot. By using boot-capable network adapters or a software loader, you can use
iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to
90 percent of the storage space for the operating system images. This is ideal for large deployments
of identical operating system images, such as a Hyper-V server farm or High Performance Computing
(HPC) clusters.

• Server application storage. Some applications, such as Hyper-V and Exchange Server, require block
storage. The iSCSI target server can provide these applications with continuously available block
storage. Because the storage is remotely accessible, it can also combine block storage for central or
branch office locations.

• Heterogeneous storage. The iSCSI target server supports iSCSI initiators that are not based on
Windows, so you can share storage on Windows servers in mixed environments.

• Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be a
network-accessible block storage device. This is useful in situations such as when you want to test
applications before deployment on SAN storage.

Enabling the iSCSI target server to provide block storage takes advantage of your existing Ethernet
network. No additional hardware is needed. If high availability is an important criterion, consider setting
up a high availability cluster. With a high availability cluster, you will need shared storage for the cluster:
either hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. The iSCSI target
server is directly integrated into the failover cluster feature as a cluster role.

iSCSI Initiator

The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and installed by default.
To connect your computer to an iSCSI target, you just have to start the service and configure it.
Additional Reading: Introduction of iSCSI Target in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windowsserver-2012.aspx
Question: When would you consider implementing diskless booting from iSCSI targets?

Advanced iSCSI Configuration Options

In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can
integrate these services into more advanced configurations.

Locating iSCSI Storage

There are two common approaches for locating storage that is exposed to a network by an iSCSI
target.


The first approach is through the use of the iSCSI SendTargets command. This functionality
is available within the iSCSI Initiator wizard of Windows Server. Using SendTargets in the iSCSI
Initiator retrieves a list of available targets from a target device. To use this command, you must know
both the IP address of the storage device that is hosting the targets, and whether the device is suitable
for your storage needs. The iSCSI SendTargets command is only workable in smaller iSCSI environments,
because this approach becomes more complex as the number of iSCSI targets in your company increases.

The second approach is for large networks. On large networks, locating storage can be more difficult. One
solution that can help you is the Internet Storage Name Service (iSNS), which is a Windows Server 2012
feature similar to Domain Name System (DNS) and lets you locate a target on several target devices.
iSNS contains three distinct services:

• Name Registration Service. This service enables initiators and targets to register and query the iSNS
server directory for information about initiator and target IDs and addresses.

• Network Zoning and Logon Control Service. You can use this service to restrict iSNS initiators to
zones so that iSCSI initiators do not discover any target devices outside their own zone or discovery
domains. This prevents initiators from accessing storage devices that are not intended for their use.
Logon control enables targets to determine which initiators can access them.

• State Change Notification Service. This service enables iSNS to notify clients of changes in the network,
such as the addition or removal of targets, or changes in zoning membership. Only initiators that you
register to receive notifications will get these packets, which reduces random broadcast traffic on the
network.

Configuring iSCSI for High Availability

Creating a single connection to iSCSI storage makes that storage available. However, it does not make
that storage highly available. Losing the connection results in the server losing access to its storage.
Therefore, most iSCSI storage connections are made redundant through one of two high-availability
technologies: Multiple Connections per Session (MCS) and Multipath I/O (MPIO).

Although similar in the result they achieve, these two technologies use different approaches to achieve
high availability for iSCSI storage connections.

MCS is a feature of the iSCSI protocol that:

• Enables multiple TCP/IP connections from the initiator to the target for the same iSCSI session.

• Supports automatic failover. If a failure were to occur, all outstanding iSCSI commands are reassigned
to another connection automatically.

• Requires explicit support by iSCSI SAN devices, although the iSCSI target server role supports it.

MPIO is a different way to provide redundancy that:

• Requires a device specific module (DSM) if you want to connect a third-party SAN device, such as HP's
EVA SAN, to the iSCSI initiator. Windows includes a default MPIO DSM, installed as the
Multipath I/O feature within Server Manager.

• Is widely supported. Many SANs can use the default DSM without any additional software, while
others require a specialized DSM from the manufacturer.

• Is more complex to configure and not as fully automated during failover as MCS.

Demonstration: Configuring iSCSI Target

In this demonstration, you will add an iSCSI target server role service and create an iSCSI virtual disk and
iSCSI target on LON-DC1.

Demonstration Steps

Add the iSCSI Target Server role service

1. On LON-DC1, in Server Manager, click the Dashboard button.

2. In the Add Roles and Features Wizard, install the following roles and features to the local server and
accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Create two iSCSI virtual disks and an iSCSI target on LON-DC1

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.

2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
o iSCSI target: New
o Target name: LON-SVR2
o Access servers: 172.16.0.22

3. On the View results page, wait until the creation is completed, and then close the View Results
page.

4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk. Create a virtual disk that has these settings:
o Name: iSCSIDisk2
o Disk size: 5 GB
o iSCSI target: LON-SVR2

5. On the View Results page, wait until the creation is completed, and then close the View Results
page.

Demonstration: Connecting to the iSCSI Storage

In this demonstration, you will connect LON-SVR2 to the iSCSI target and verify the presence of the
iSCSI drive.

Demonstration Steps

Connect LON-SVR2 to the iSCSI target

1. Log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.

2. In Server Manager, on the Tools menu, open iSCSI Initiator.

3. In the iSCSI Initiator Properties dialog box, configure the following:
o Quick Connect: LON-DC1
o Discover targets: iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target

Verify the presence of the iSCSI drive

1. In Server Manager, on the Tools menu, open Computer Management.

2. In the Computer Management console, under Storage, access Disk Management.
Notice that the new disks are added. They are all currently offline and not formatted.

Lesson 3

Configuring Storage Spaces in Windows Server 2012

Managing physical disks attached directly to a server proved to be a tedious task for the administrators.
To overcome this problem, many organizations used SANs that basically grouped physical disks
together. However, SANs require special configuration and sometimes special hardware and are therefore
expensive. To overcome these issues, storage spaces in Windows Server 2012 is a feature that pools disks
together and presents them to the operating system as a single disk. This lesson explains how to configure
and implement storage spaces.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the use of storage spaces.

• Describe the features of storage spaces.

• Configure a storage space.

• Implement redundant storage spaces.

What Are Storage Spaces?

A storage space is a storage virtualization capability built into Windows Server 2012 and
Windows 8. You can use storage spaces to add physical disks of any type and size to a storage
pool and create highly-available virtual disks from it. The primary advantage of storage spaces is that
you do not manage single disks any longer, but manage them as one unit.

To create a highly-available virtual disk, you must have the following:

• Disk drive. This is a volume that you can access from your OS, for example, by using a drive letter.

• Virtual disk (or storage space). This resembles a physical disk from the perspective of users and
applications. However, virtual disks are more flexible because they include thin provisioning or
just-in-time allocations and resiliency to physical disk failures with built-in functionality such as
mirroring.

• Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add to a storage pool any available physical disk that is not formatted or
attached to another storage pool.

• Physical disk. These are connected physical disks, such as SAS disks attached to your server. If you
want to add them to a storage pool, they have to satisfy the following requirements:
o One physical drive is required to create a storage pool; a minimum of two physical drives is
required to create a resilient mirror virtual disk.
o A minimum of three physical drives is required to create a virtual disk with resiliency through
parity.
o Three-way mirroring requires at least five physical drives.
o Drives must be blank and unformatted; no volume must exist on them.
o Drives can be attached using different bus interfaces including iSCSI, SAS, Serial Advanced
Technology Attachment (SATA), SCSI, and USB. You cannot use SATA, USB or SCSI disks in a
failover cluster.

A storage space is a feature available for both NTFS and ReFS volumes that can provide redundancy and
pooled storage for many internal and external drives of different sizes and interfaces.

Storage Spaces Features

To configure storage spaces as per your requirements, you must consider the
features described in the following table before you implement virtual disks.

Feature

Description

Storage layout

This defines the number of disks from the storage pool that are allocated. Valid
options are:
• Simple. A simple space has data striping but no redundancy. In data striping,
logically sequential data is segmented across all disks in a way that access to
these sequential segments can be made to different physical storage drives.
Striping makes it possible to access multiple segments of data at the same time.
Do not host important data on a simple volume, because it provides no failover
capabilities when the disk where the data is stored fails.
• Two-way and three-way mirrors. Mirror spaces maintain two or three copies of
the data they host (two data copies for two-way mirrors and three data copies
for three-way mirrors). Duplication happens with every write to ensure all data
copies are always current. Mirror spaces also stripe the data across multiple
physical drives. Mirror spaces are attractive because of their greater data
throughput and lower access latency. They also do not introduce a risk of
corrupting at-rest data and do not require the additional journaling stage when
writing data.
• Parity. A parity space resembles a simple space. Data, along with parity
information, is striped across multiple physical drives. Parity enables storage
spaces to continue to service read and write requests even when a drive has
failed. Parity is always rotated across available disks to enable IO optimization.
A storage space requires a minimum of three physical drives for parity spaces.
Parity spaces have increased resiliency through journaling.

Disk sector size

A storage pool's sector size is set the moment it is created. If the list of drives
being used contains only 512 and 512e drives, the pool is defaulted to 512e.
However, if the list contains at least one 4-KB drive, the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size
that all contained spaces in the pool will inherit. After an administrator defines
this, Windows will only enable addition of drives that have a compliant sector size,
that is: 512 or 512e for a 512e storage pool and 512, 512e, or 4 KB for a 4-KB
pool.

Cluster disk
requirement

Failover clustering prevents interruption to workloads or data if there is a
computer failure. For a pool to support failover clustering, all assigned drives must
support a multi-initiator protocol, such as SAS.

Drive allocation

This defines how the drive is allocated to the pool. Options are:
• Data-store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store drives
for both storage space creation and just-in-time allocation.
• Manual. Administrators can choose to specify manual as the usage type for
drives added to a pool. A manual drive is not automatically used as part of a
storage space unless it is specifically selected at the creation of that storage
space. This usage property lets administrators specify particular types of drives
for use by only certain storage spaces.
• Hot-Spare. Drives added as Hot-Spares to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that is
hosting columns of a storage space, a reserve drive is called on to replace the
failed drive.

Provisioning
schemes

You can provision a virtual disk by using two schemes:
• Thin provisioning space. Thin provisioning is a mechanism that enables storage
to be easily allocated on a just-enough and just-in-time basis. Storage capacity
in the pool is organized into provisioning slabs that are not allocated until the
point in time when datasets grow to actually require the storage. Instead of
the traditional fixed storage allocation method, where large pools of storage
capacity are allocated but may remain unused, thin provisioning optimizes use
of available storage. Organizations are also able to save on operating costs such
as electricity and floor space associated with keeping unused drives spinning.
• Fixed provisioning space. In storage spaces, fixed provisioned spaces also use the
flexible provisioning slabs. The difference here is that the storage capacity is
allocated up front, at the time that the space is created.

Note: Storage spaces allow the creation of both thin and fixed provisioning virtual
disks within the same storage pool. Having both provisioned types in the same storage pool is
very convenient, especially when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.

Demonstration: Configuring a Storage Space

In this demonstration, you will create a storage pool and create a simple virtual disk and a volume.

Demonstration Steps

Create a storage pool

1. On LON-SVR2, in Server Manager, navigate to File and Storage Services, and Storage Pools.

2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and then add all
available disks.

Create a simple virtual disk and a volume

1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
o Storage pool: StoragePool1
o Disk name: Simple vDisk
o Storage layout: Simple
o Provisioning type: Thin
o Size: 2 GB

2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Simple vDisk
o File system: ReFS
o Volume label: Simple Volume

Demonstration: Implementing Redundant Storage Spaces

In this demonstration, you will create a redundant virtual disk and a volume, simulate a drive failure, and
test volume access.

Demonstration Steps

Create a redundant virtual disk and a volume

1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New Virtual Disk and create a virtual disk with these settings:
o Storage pool: StoragePool1
o Disk name: Mirrored vDisk
o Storage layout: Mirror
o Provisioning type: Thin
o Size: 5 GB

2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Mirrored vDisk
o File system: ReFS
o Volume label: Mirrored Volume

4. On the Completion page, wait until the creation is completed, and then click Close.

5. On the Start screen, type command prompt and then press Enter.

6. At the command prompt, type the following command and then press Enter:
Copy C:\windows\system32\write.exe F:\

7. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select
Computer Management.

8. In the Computer Management console, under Storage, click Disk Management.
Notice that the two volumes E: and F: are available.

Simulate a drive failure and test volume access

1. On LON-DC1, in Server Manager, in the left pane, click File and Storage Services.

2. In the File and Storage Services pane, click iSCSI.

3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.

4. Switch to LON-SVR2.

5. In the Computer Management console, under Storage, right-click Disk Management, and then in the
drop-down list, select Rescan Disks.
Notice that the Simple Volume (E:) is not available and the Mirrored Volume (F:) is available.

6. On the taskbar, open Windows Explorer and then click Mirrored Volume (F:). You should now see
write.exe in the file list.

7. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage
Pools button. Notice the warning that appears right next to Mirrored vDisk.

8. In the VIRTUAL DISKS pane, right-click Simple vDisk, and then in the drop-down list, select
Properties.

9. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Notice the Health Status, which should indicate Unknown. The Operational Status should indicate
Detached. This means that the disk is not available on this computer any longer.

10. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.

11. In the Mirrored vDisk Properties window, in the navigation pane, click Health.
Notice that the Health Status should indicate a Warning. The Operational Status should indicate
Incomplete or Degraded.

Lab A: Managing Storage for Servers Based on Windows Server 2012

Scenario

With the growth in A. Datum, the requirements for managing storage and shared file access have also
expanded. Although the cost of storage has decreased significantly over the last few years, the data
produced by the A. Datum business groups has increased even more. The organization is considering
alternative ways to reduce the cost of storing data on the network in addition to the options for
optimizing data access for both physical and virtual servers. Also, to meet some requirements for high
availability, the organization is exploring options for making storage highly available.

As one of the senior network administrators at A. Datum, you are responsible for implementing some new
file storage technologies for the organization. You will implement iSCSI storage to provide a less complex
option for deploying large amounts of storage in the organization. You will also implement the storage
spaces on the Windows Server 2012 servers to simplify storage access and to provide redundancy at the
storage level.

Objectives
After completing this lab, you will be able to:

Configure iSCSI storage for Windows Server 2012 servers.

Configure a redundant storage space.

Lab Setup
Estimated time: 40 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR2

User Name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd

5. Repeat steps 2 to 4 for 20417A-LON-SVR2.

For this lab, on 20417A-LON-SVR2, disable Routing and Remote Access. In Server Manager, click Tools,
and then click Routing and Remote Access. In the Routing and Remote Access console, right-click
LON-SVR2 and then click Disable Routing and Remote Access.

Exercise 1: Configuring iSCSI Storage

Scenario

In order to reduce the cost and complexity of configuring centralized storage, A. Datum is exploring the
option of using iSCSI to provide storage. To get started, you will install and configure the iSCSI targets,
and configure access to the targets by configuring the iSCSI initiators.

The main tasks for this exercise are as follows:

1. Install the iSCSI Target feature.

2. Configure the iSCSI targets.

3. Configure MPIO.

4. Connect to and configure the iSCSI targets.

Task 1: Install the iSCSI Target feature

1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.

2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Task 2: Configure the iSCSI targets

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click iSCSI.

2. Create a virtual disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 5 GB
o iSCSI target: New
o Target name: lon-svr2
o Access servers: 172.16.0.22 and 131.107.0.2

3. On the View results page, wait until the creation is completed, and then click Close.

4. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk2
o Size: 5 GB
o iSCSI target: lon-svr2

5. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk3
o Size: 5 GB
o iSCSI target: lon-svr2

6. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk4
o Size: 5 GB
o iSCSI target: lon-svr2

7. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk5
o Size: 5 GB
o iSCSI target: lon-svr2

Task 3: Configure MPIO

1. Log on to LON-SVR2.

2. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.

3. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
o Enable the iSCSI Initiator service
o Quick Connect to target: LON-DC1

4. In Server Manager, on the Tools menu, open MPIO, and configure the following:
o Enable Add support for iSCSI devices on Discover Multi-paths

5. After the computer restarts, log on to LON-SVR2, on the Tools menu in Server Manager, open MPIO
and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

Task 4: Connect to and configure the iSCSI targets

1. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator.

2. In the iSCSI Initiator Properties dialog box, perform the following steps:
a. Disconnect all Targets.
b. Connect and Enable multi-path.
c. Set Advanced options as follows:
o Local Adapter: Microsoft iSCSI Initiator
o Initiator IP: 172.16.0.22
o Target Portal IP: 172.16.0.10 / 3260
d. Connect to another target, enable multi-path, and configure the following Advanced settings:
o Local Adapter: Microsoft iSCSI Initiator
o Initiator IP: 131.107.0.2
o Target Portal IP: 131.107.0.1 / 3260

3. In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, access
the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify
that two paths are listed by looking at the IP addresses of both network adapters.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.
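The same target and initiator configuration as the two iSCSI demonstrations and Exercise 1, done with the iSCSITarget, iSCSI and MPIO PowerShell modules instead of Server Manager (an added example, not part of the course text). It assumes the lab addresses (LON-DC1 at 172.16.0.10 and 131.107.0.1, LON-SVR2 at 172.16.0.22 and 131.107.0.2); the initiator IQN and the CHAP secret are constructed placeholders.

```powershell
# Added example, not from the course text: iSCSI target (LON-DC1) and
# initiator with MPIO (LON-SVR2) configured in PowerShell.
# Assumed lab values: LON-DC1 at 172.16.0.10 and 131.107.0.1,
# LON-SVR2 at 172.16.0.22 and 131.107.0.2. The initiator IQN and the
# CHAP secret below are placeholders.

# ===== On LON-DC1: iSCSI Target Server =====
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# Backing files for the five LUNs of Exercise 1 (Windows Server 2012 creates .vhd files).
$root = 'C:\iSCSIVirtualDisks'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$vhds = 1..5 | ForEach-Object { Join-Path $root "iSCSIDisk$_.vhd" }
foreach ($vhd in $vhds) {
    New-IscsiVirtualDisk -Path $vhd -Size 5GB | Out-Null   # the parameter is -SizeBytes on 2012 R2
}

# Only the listed initiators may log on. The IQN form is preferred; the
# IP form is the fallback the lesson describes for when name resolution on
# the iSCSI network is unreliable. Read the real IQN on LON-SVR2 with
# (Get-InitiatorPort).NodeAddress and replace the placeholder.
$initiatorIds = @(
    'IQN:iqn.1991-05.com.microsoft:lon-svr2.adatum.com',   # placeholder IQN
    'IPAddress:172.16.0.22',
    'IPAddress:131.107.0.2'
)
New-IscsiServerTarget -TargetName lon-svr2 -InitiatorIds $initiatorIds | Out-Null

# One-way CHAP: the initiator must present this secret at logon.
# The target accepts secrets of 12 to 16 characters only.
$chapUser   = 'lon-svr2'
$chapSecret = 'ReplaceMe-12345'                           # placeholder
$chapCred = New-Object System.Management.Automation.PSCredential(
    $chapUser, (ConvertTo-SecureString $chapSecret -AsPlainText -Force))
Set-IscsiServerTarget -TargetName lon-svr2 -EnableChap $true -Chap $chapCred

foreach ($vhd in $vhds) {
    Add-IscsiVirtualDiskTargetMapping -TargetName lon-svr2 -Path $vhd
}
Get-IscsiServerTarget -TargetName lon-svr2 |
    Format-List TargetIqn, InitiatorIds, EnableChap, LunMappings

# ===== On LON-SVR2: initiator with MPIO over two paths =====
Install-WindowsFeature -Name Multipath-IO
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Let the default Microsoft DSM claim iSCSI devices (the "Add support for
# iSCSI devices" check box in Task 3); restart the server afterwards.
Enable-MSDSMAutomaticClaim -BusType iSCSI
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR   # Round Robin, as verified in Task 4

# SendTargets discovery through both portals, then one persistent,
# multipath-enabled session per adapter pair, authenticated with CHAP.
New-IscsiTargetPortal -TargetPortalAddress 172.16.0.10 | Out-Null
New-IscsiTargetPortal -TargetPortalAddress 131.107.0.1 | Out-Null
$iqn = (Get-IscsiTarget | Where-Object { $_.NodeAddress -like '*lon-svr2*' }).NodeAddress
$paths = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' },
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }
)
foreach ($p in $paths) {
    Connect-IscsiTarget -NodeAddress $iqn -IsPersistent $true -IsMultipathEnabled $true `
        -InitiatorPortalAddress $p.Initiator -TargetPortalAddress $p.Portal `
        -AuthenticationType ONEWAYCHAP -ChapUsername 'lon-svr2' `
        -ChapSecret 'ReplaceMe-12345' | Out-Null              # same placeholder secret
}

# Expect two connections (one per path) and five offline, raw iSCSI disks.
Get-IscsiConnection | Select-Object InitiatorAddress, TargetAddress
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, Size, OperationalStatus, PartitionStyle
```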

Exercise 2: Configuring a Redundant Storage Space

Scenario

After you have configured the iSCSI components, you want to take advantage of the storage pools to
simplify the configuration of storage on the Windows Server 2012 servers. To meet some requirements for
high availability, you decided to evaluate redundancy features in storage spaces. Also, you want to test
provisioning of new disks to the storage pool.

The main tasks for this exercise are as follows:

1. Create a storage pool by using the iSCSI disks attached to the server.

2. Create a 3-way mirrored disk.

3. Copy a file to the volume and verify visibility in Windows Explorer.

4. Disconnect an iSCSI disk.

5. Verify that the file is still accessible and check the health of the virtual disk.

6. Add a new iSCSI virtual disk.

7. Add the new disk to the storage pool and extend the virtual disk.

Task 1: Create a storage pool by using the iSCSI disks attached to the server

1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.

2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage
Pools.

3. Create a storage pool with the following settings:
o Name: StoragePool1

4. On the View results page, wait until the creation is completed, then click Close.

Task 2: Create a 3-way mirrored disk

1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with these
settings:
o Storage pool: StoragePool1
o Name: Mirrored vDisk
o Storage Layout: Mirror
o Resiliency settings: Three-way mirror
o Provisioning type: Thin
o Virtual disk size: 10 GB

2. On the View results page, wait until the creation is completed, make sure Create a volume when
this wizard closes is checked, and then click Close.

3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Mirrored vDisk
o Drive letter: E
o File system: ReFS
o Volume label: Mirrored Volume

4. On the Completion page, wait until the creation is completed, and then click Close.

Task 3: Copy a file to the volume and verify visibility in Windows Explorer

1. On the Start screen, type command prompt and then press ENTER.

2. Type the following command:
Copy C:\windows\system32\write.exe E:\

3. Use Windows Explorer and access Mirrored Volume (E:). You should now see write.exe in the file list.

Task 4: Disconnect an iSCSI disk

1. Switch to LON-DC1.

2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, disable the iSCSI Virtual Disk named
iSCSIDisk1.vhd.

Task 5: Verify that the file is still accessible and check the health of the virtual disk

1. Switch to LON-SVR2.

2. Use Windows Explorer and open E:\write.exe to make sure access to the volume is still available.

3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage
Pools button. Notice the warning that appears right next to Mirrored vDisk.

4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.

5. In the Mirrored vDisk Properties window, in the Health pane, notice that the Health Status indicates a
Warning. The Operational Status should indicate Degraded.

X Task 6: Add a new iSCSI virtual disk

1. Switch to LON-DC1.

2. In Server Manager, in the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.

3. Create a new iSCSI Virtual Disk with these settings:

   o Storage location: C:
   o Disk name: iSCSIDisk6
   o Size: 5 GB
   o iSCSI target: lon-svr2

X Task 7: Add the new disk to the storage pool and extend the virtual disk

1. Switch to LON-SVR2.

2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.

3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add Physical Disk, and add PhysicalDisk1 (LON-SVR2).

4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend Virtual Disk, and extend the disk to 15 GB.

Results: After completing this exercise, you will have created a storage pool, added a new disk to the storage pool, and extended the virtual disk.
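The verify-and-repair sequence of Tasks 5 to 7 can also be scripted, which is how you would handle it on a server without a desktop. The following Windows PowerShell script is an added example and is not part of the lab. It assumes the lab's names (LON-DC1 as the iSCSI target server, LON-SVR2 as the owner of StoragePool1 and Mirrored vDisk, the mirror volume on E:, the iSCSI target named lon-svr2), that the VHD path C:\iSCSIVirtualDisks\iSCSIDisk6.vhd on LON-DC1 is acceptable, and that PowerShell remoting to LON-DC1 is enabled and the iSCSI session from LON-SVR2 to the target already exists.

```powershell
# Added example (not course code): check a degraded mirrored storage space, add an
# iSCSI-backed disk to the pool, rebuild the mirror and grow the disk and its volume.
# Run on LON-SVR2 in an elevated session as Adatum\Administrator.
$PoolName     = 'StoragePool1'
$VDiskName    = 'Mirrored vDisk'
$DriveLetter  = 'E'
$TargetServer = 'LON-DC1'
$NewVhdPath   = 'C:\iSCSIVirtualDisks\iSCSIDisk6.vhd'   # assumed path on LON-DC1
$TargetName   = 'lon-svr2'                                # iSCSI target created earlier in the lab

# 1. Health check (Task 5). A mirror that lost one backing disk reports Warning/Degraded.
$vd = Get-VirtualDisk -FriendlyName $VDiskName
'{0}: Health={1} Operational={2}' -f $vd.FriendlyName, $vd.HealthStatus, $vd.OperationalStatus

# Which physical disks in the pool are no longer healthy?
$badDisks = Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
    Where-Object { $_.HealthStatus -ne 'Healthy' }
$badDisks | Format-Table FriendlyName, HealthStatus, OperationalStatus, Size -AutoSize

# The data on the surviving copy must still be readable.
'write.exe still accessible: {0}' -f (Test-Path "${DriveLetter}:\write.exe")

# 2. Create the 5 GB iSCSI virtual disk on the target server and map it to the existing
#    target (Task 6, done here over PowerShell remoting instead of Server Manager).
Invoke-Command -ComputerName $TargetServer -ScriptBlock {
    param($Path, $Target)
    New-IscsiVirtualDisk -Path $Path -SizeBytes 5GB | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName $Target -Path $Path
} -ArgumentList $NewVhdPath, $TargetName

# 3. Rescan so the initiator sees the new LUN, then add it to the pool (Task 7).
Update-IscsiTarget
Update-HostStorageCache
$newDisk = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
if (-not $newDisk) { throw 'No poolable disk found; check the iSCSI session on LON-SVR2.' }
Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $newDisk

# Storage Spaces only rebuilds onto the new disk once the lost one is retired.
$badDisks | Set-PhysicalDisk -Usage Retired
Repair-VirtualDisk -FriendlyName $VDiskName

# Grow the space to 15 GB; the NTFS volume does not grow by itself, so extend the partition too.
Resize-VirtualDisk -FriendlyName $VDiskName -Size 15GB
$max = (Get-PartitionSupportedSize -DriveLetter $DriveLetter).SizeMax
Resize-Partition -DriveLetter $DriveLetter -Size $max

# 4. Re-check. Expect Healthy/OK once the repair job has finished (watch Get-StorageJob).
Get-StorageJob | Format-Table Name, JobState, PercentComplete -AutoSize
Get-VirtualDisk -FriendlyName $VDiskName |
    Format-Table FriendlyName, HealthStatus, OperationalStatus, Size -AutoSize
```

The retire step is the one the GUI sequence hides: adding a disk to the pool does not by itself heal the mirror, and a space left Degraded with an unretired lost disk stays that way.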

X To prepare for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR2.

Lesson 4
Configuring BranchCache in Windows Server 2012

Branch offices have unique management challenges. A branch office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Therefore, the challenge is being able to provide efficient access to network resources for users in branch offices. The BranchCache feature helps you overcome these problems by caching files so they do not have to be transferred over the network again.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how BranchCache works.

• Describe the BranchCache requirements.

• Configure the BranchCache server settings.

• Configure the BranchCache client settings.

• Configure BranchCache.

• Describe how to monitor BranchCache.

How Does BranchCache Work?

The BranchCache feature, introduced with Windows Server 2008 R2 and Windows 7, reduces the network use on WAN connections between branch offices and the headquarters by locally caching frequently used files on computers in the branch office. BranchCache improves the performance of applications that use one of the following protocols:

• HTTP or HTTPS. These protocols are used by web browsers and other applications.

• Server message block (SMB), including signed SMB traffic. This protocol is used for accessing shared folders.

• Background Intelligent Transfer Service (BITS). A Windows component that distributes content from a server to clients by using only idle network bandwidth.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase WAN use. BranchCache only caches read requests and will not interfere when a user saves a file.

BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 or Windows 8 to client computers and Windows Server 2012 to servers, and by enabling the BranchCache feature.

BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), SMB Signing, and end-to-end Internet Protocol Security (IPsec). You can use BranchCache to reduce the network bandwidth use and improve application performance, even if the content is encrypted.

You can configure BranchCache to use Hosted Cache mode or Distributed Cache mode:

• Hosted Cache. This mode operates by deploying a computer that is running Windows Server 2008 R2 or a later version as a hosted cache server in the branch office. Client computers are configured with the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache when it is available. If the content is not available in the Hosted Cache, the content is retrieved from the content server over the WAN link and then provided to the Hosted Cache so that successive client requests can get it from there.

• Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote offices without requiring a server. In this mode, local client computers running Windows 7 or Windows 8 keep a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted Cache mode, this configuration works across a single subnet only. In addition, clients that hibernate or disconnect from the network cannot provide content to other requesting clients.

BranchCache in Windows Server 2012 is improved in the following ways:

• More than one hosted cache server per location, to allow for scale.

• A new underlying database that uses the Extensible Storage Engine (ESE) database technology from Microsoft Exchange Server. This enables a hosted cache server to store significantly more data (in the order of terabytes).

• Deployment is much simpler, so that you do not require a Group Policy Object (GPO) for each location. A single GPO that contains the settings is all that is required to deploy BranchCache.

How Client Computers Retrieve Data by Using BranchCache

When BranchCache is enabled on the client computer and the server, the client computer performs the following process to retrieve data when using the HTTP, HTTPS, or SMB protocol:

1. The client computer that is running Windows 7 connects to a content server that is running Windows Server 2008 R2 in the head office and requests content, similar to the way it would retrieve content without using BranchCache.

2. The content server in the head office authenticates the user and verifies that the user is authorized to access the data.

3. The content server in the head office returns identifiers, or hashes, of the requested content to the client computer instead of sending the content itself. The content server sends that data over the same connection that the content would typically have been sent on.

4. Using the retrieved identifiers, the client computer does the following:

   o If you configure it to use Distributed Cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content.

   o If you configure it to use Hosted Cache, the client computer searches for the content on the configured Hosted Cache.

5. If the content is available in the branch office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from the branch office and uses the identifiers to verify that the data is current and has not been tampered with or corrupted.

6. If the content is not available in the remote office, the client computer retrieves the content directly from the server across the WAN link. The client computer then either makes it available on the local network to other requesting client computers (Distributed Cache mode) or sends it to the Hosted Cache, where it is made available to other client computers.

BranchCache Requirements

BranchCache optimizes traffic flow between the head office and branch offices. Only Windows Server 2008 R2, Windows Server 2012, and client computers running Windows 7 Enterprise or Windows 8 Enterprise can benefit from BranchCache. Earlier versions of Windows operating systems do not benefit from this feature. By using BranchCache, you can cache only the content that is stored on file servers or web servers running Windows Server 2008 R2 or Windows Server 2012.

Requirements for Using BranchCache

To use BranchCache, you must perform the following tasks:

• Install the BranchCache feature or the BranchCache for Network Files role service on the server running Windows Server 2012 that is hosting the data.

• Configure client computers either by using Group Policy or the netsh branchcache set service command.

If you want to use BranchCache for caching content from a web server, you must install the BranchCache feature on the web server. Additional configuration is not needed. If you want to use BranchCache to cache content from a file server, you must install the BranchCache for Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled file shares.

BranchCache is supported on a Full Installation of Windows Server 2012 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes

In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery. In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or a later version, and the clients in the branch must run at least Windows 7 or Windows Server 2008 R2. You should configure the client firewall to allow incoming HTTP and WS-Discovery traffic.

In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or a later version. The Hosted Cache server in the branch must run Windows Server 2008 R2 or a later version, and the clients in the branch must run at least Windows 7. You must configure the client firewall to allow incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.

Additional Reading: Windows Server 2008 R2, http://go.microsoft.com/fwlink/?LinkID=214828&clcid=0x409

Configuring BranchCache Server Settings

You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use BranchCache to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2012.

The following table lists the servers that you can configure for BranchCache.

Server: Web server or Background Intelligent Transfer Service (BITS) server
Description: To configure a Windows Server 2012 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure the clients that will use the BranchCache feature; no additional configuration of the web server is needed.

Server: File server
Description: The BranchCache for Network Files role service of the File Services server role has to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you must configure each file share to enable BranchCache. You also have to configure the clients that will use the BranchCache feature.

Server: Hosted Cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2012 server that you are configuring as a Hosted Cache server. To help secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of the disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh tool.

Configuring BranchCache Client Settings

You do not have to install the BranchCache feature on client computers, because BranchCache is already included if the client runs Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you must perform the following steps:

1. Enable BranchCache.

2. Enable the Distributed Cache mode or the Hosted Cache mode.

3. Configure the client firewall to enable the BranchCache protocols.

Enabling BranchCache

If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.

Enabling the Distributed Cache Mode or Hosted Cache Mode

You can enable the BranchCache feature on client computers by using Group Policy or the netsh branchcache set service command.

To configure BranchCache settings by using Group Policy, perform the following steps for a domain-based GPO:

1. Open the Group Policy Management console.

2. Browse to Computer Configuration\Policies\Administrative Templates\Network, and then click BranchCache.

3. Turn on BranchCache, and set either the Distributed Cache or the Hosted Cache mode.

To configure BranchCache settings by using the netsh branchcache set service command, perform the following steps:

1. Use the following netsh syntax for the Distributed Cache mode:

   netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the Hosted Cache mode:

   netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall To Enable BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers and the WS-Discovery protocol (WSD) for cached content discovery. You should configure the client firewall to enable the following inbound rules:

• BranchCache - Content Retrieval (Uses HTTP)

• BranchCache - Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between the client computers and the Hosted Cache server, but they do not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to enable only the inbound rule BranchCache - Content Retrieval (Uses HTTP).

Additional Configuration Tasks for BranchCache

After you configure BranchCache, clients can access the cached data from BranchCache-enabled content servers locally in the branch office, instead of across a slow WAN link. You can modify BranchCache settings and perform additional configuration tasks, such as:

• Setting the cache size

• Setting the location of the Hosted Cache server

• Clearing the cache

• Creating and replicating a shared key for use in a server cluster
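The three client steps above, together with the cache-size and clear-cache tasks, as one Windows PowerShell script. This is an added example and is not part of the course; it uses the BranchCache and NetSecurity modules that ship with Windows 8 and Windows Server 2012 (the netsh equivalents from the text are shown as comments), assumes LON-SVR1.adatum.com as the Hosted Cache server, which is the name the lab uses, and assumes the firewall rule group names match the rule names listed above.

```powershell
# Added example (not course code): configure a Windows 8 BranchCache client.
# Run in an elevated session. Save as Set-BCClient.ps1 and call with -Mode Distributed|Hosted|Local.
param(
    [ValidateSet('Distributed', 'Hosted', 'Local')]
    [string]$Mode = 'Hosted',
    [string]$HostedCacheServer = 'LON-SVR1.adatum.com',   # assumed lab name
    [int]$CachePercent = 10                               # percent of the cache volume; default is 5
)

# Steps 1 and 2: each mode cmdlet also turns BranchCache on (it is disabled by default).
switch ($Mode) {
    'Distributed' { Enable-BCDistributed }                                  # netsh branchcache set service mode=distributed
    'Hosted'      { Enable-BCHostedClient -ServerNames $HostedCacheServer } # netsh branchcache set service mode=hostedclient location=<server>
    'Local'       { Enable-BCLocal }                                        # netsh branchcache set service mode=local
}

# SMB content is cached only when the server's round-trip latency exceeds this value;
# 0 ms caches everything, which is what the lab sets through Group Policy.
Set-BCMinSMBLatency -LatencyMilliseconds 0

# Additional task: cache size as a percentage of the volume that holds the cache.
Set-BCCache -Percentage $CachePercent

# Step 3: inbound firewall rules. Content retrieval (HTTP) is needed in every mode that
# serves peers; peer discovery (WS-Discovery) only when clients find each other (Distributed).
# Group names assumed to match the rules in the text; check with Get-NetFirewallRule -DisplayGroup 'BranchCache*'.
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Content Retrieval (Uses HTTP)'
if ($Mode -eq 'Distributed') {
    Enable-NetFirewallRule  -DisplayGroup 'BranchCache - Peer Discovery (Uses WSD)'
} else {
    # Least privilege: do not leave the multicast discovery listener open when it is not used.
    Disable-NetFirewallRule -DisplayGroup 'BranchCache - Peer Discovery (Uses WSD)'
}

# Verify: the same data that "netsh branchcache show status all" prints.
Get-BCStatus
Get-BCDataCache | Format-List

# To discard all cached content (for example, after changing mode): Clear-BCCache -Force
```

The firewall step is the one most often forgotten in Distributed Cache deployments: without the WSD rule a client can still pull content from the server, so nothing appears broken, but it never finds a peer and the WAN saving never materialises.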

Demonstration: How to Configure BranchCache

In this demonstration, you will add the BranchCache for Network Files role service, configure BranchCache in the Local Group Policy Editor, and enable BranchCache for a file share.

Demonstration Steps

Add the BranchCache for Network Files role service

1. Log on to LON-DC1 and open Server Manager.

2. In the Add Roles and Features Wizard, install the following role service on the local server:

   o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files

Enable BranchCache for the server

1. On the Start screen, type gpedit.msc, and then press ENTER.

2. Browse to Computer Configuration\Administrative Templates\Network\Lanman Server, and do the following:

   o Enable Hash Publication for BranchCache.
   o Select Allow hash publication only for shared folders on which BranchCache is enabled.

Enable BranchCache for a file share

1. Open Windows Explorer and create a folder named Share on C:\.

2. Configure the Share folder properties as follows:

   o Enable Share this folder.
   o In Offline Settings, select Enable BranchCache.
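The same server-side configuration, covering both the file server from the demonstration and the Hosted Cache server from the table in the previous topic, as a Windows PowerShell script. This is an added example and is not the course's own code; it assumes the lab names (LON-DC1 as the content server with C:\Share, LON-SVR1 as the Hosted Cache server, a D: volume on LON-SVR1 for the cache), and the registry value it writes for hash publication is my reading of the Lanman Server policy template, so confirm it in gpedit.msc, or apply the setting through a GPO, before relying on it.

```powershell
# Added example (not course code): BranchCache server-side setup on Windows Server 2012.
# Part A runs on the content (file) server, Part B on the branch Hosted Cache server.
# Run each part in an elevated session as Adatum\Administrator.

# ---------- Part A: content server (LON-DC1) ----------
# Role service that lets the SMB server compute and publish content hashes.
Install-WindowsFeature -Name FS-BranchCache

# "Hash Publication for BranchCache" (Computer Configuration\Administrative Templates\
# Network\Lanman Server). 2 = allow hash publication only for shares on which BranchCache
# is enabled. Registry value name assumed from the policy template; verify in gpedit.msc.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name HashPublicationForPeerCaching -Value 2 -Type DWord

# Create the share with BranchCache caching (the "Enable BranchCache" box in Offline Settings).
# Read access for Everyone matches the lab's "Permissions: default".
$sharePath = 'C:\Share'
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
Copy-Item "$env:windir\System32\mspaint.exe" -Destination $sharePath -Force
if (Get-SmbShare -Name Share -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name Share -CachingMode BranchCache -Force
} else {
    New-SmbShare -Name Share -Path $sharePath -CachingMode BranchCache -ReadAccess Everyone
}

# Hashes are normally generated on first client access; pre-computing them means the first
# branch client already gets identifiers instead of the full file.
Publish-BCFileContent -Path $sharePath -Recurse

# ---------- Part B: Hosted Cache server (LON-SVR1) ----------
# The BranchCache feature provides the hosted cache service.
Install-WindowsFeature -Name BranchCache

# Register as a hosted cache and publish a service connection point (SCP) in AD DS, so
# Windows 8 clients configured with "Enable-BCHostedClient -UseSCP" locate it automatically.
Enable-BCHostedServer -RegisterSCP

# Move the cache off the system volume and give it more than the 5 percent default.
# D:\BranchCache is an assumed location.
Set-BCCache -Path 'D:\BranchCache' -Force
Set-BCCache -Percentage 20

# Inbound rules a hosted cache needs: clients offer and retrieve content over HTTPS/HTTP.
# Group names as displayed by Windows Firewall with Advanced Security (assumed).
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Hosted Cache Server (Uses HTTPS)'
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Content Retrieval (Uses HTTP)'

# Verify both roles.
Get-BCStatus
```

Hash publication is the gate on the content server: with the policy left at its default, the share still works, but the SMB server never returns content identifiers and every branch client fetches the whole file across the WAN.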

Monitoring BranchCache

After the initial configuration, you might want to verify that BranchCache is configured correctly and functioning correctly. You can use the netsh branchcache show status all command to display the BranchCache service status. On clients and Hosted Cache servers, additional information is shown, such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses.

You can also use the following tools to monitor BranchCache:

• Event Viewer. You can use this tool to monitor BranchCache events in Event Viewer.

• Performance counters. You can use this tool to monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use the BranchCache performance monitor counters to determine the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 or a later version implemented in the environment, you can use the Windows BranchCache Management Pack for Operations Manager 2007.
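An added example (not from the course) of a quick health check in Windows PowerShell that pulls together the three sources above: the status object behind netsh branchcache show status all, the BranchCache operational event log, and the performance counters. It assumes a Windows 8 or Windows Server 2012 computer with BranchCache enabled; the log name and the "Retrieval: Bytes from cache/server" counter names are the ones BranchCache registers on those systems, matched here with wildcards in case the wording differs slightly, and the look-back window of one day is an arbitrary choice.

```powershell
# Added example (not course code): BranchCache health check on a client or Hosted Cache server.
# Run elevated; the operational log and the counters need administrative rights.

# 1. Service state, mode, cache and firewall status (same data as "netsh branchcache show status all").
$status = Get-BCStatus
if (-not $status.BranchCacheIsEnabled) { Write-Warning 'BranchCache is not enabled on this computer.' }
$status | Format-List

# 2. Recent BranchCache operational events, warnings and errors only.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BranchCache/Operational'
    Level     = 2, 3                     # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 3. Counters: three one-second samples of everything BranchCache exposes, non-zero values only.
$counters = Get-Counter -Counter '\BranchCache\*' -SampleInterval 1 -MaxSamples 3
$counters[-1].CounterSamples |
    Where-Object { $_.CookedValue -ne 0 } |
    Select-Object Path, CookedValue | Format-Table -AutoSize

# Rough effectiveness figure from the cumulative counters: the share of retrieved bytes
# that did not cross the WAN. Counter names assumed; list them with
# (Get-Counter -ListSet BranchCache).Paths if the wildcards match nothing.
$last   = $counters[-1].CounterSamples
$local  = ($last | Where-Object { $_.Path -like '*Retrieval: Bytes from cache'  }).CookedValue
$server = ($last | Where-Object { $_.Path -like '*Retrieval: Bytes from server' }).CookedValue
if (($local + $server) -gt 0) {
    '{0:P1} of retrieved bytes came from the branch cache' -f ($local / ($local + $server))
} else {
    'No BranchCache retrievals recorded yet; open a file from a BranchCache-enabled share first.'
}
```

A client that shows the right mode in Get-BCStatus but a zero cache hit share after repeated access to the same file is almost always a latency-threshold or firewall problem rather than a server one, so those are the two settings to check next.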

Lab B: Implementing BranchCache

Scenario

A. Datum has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN use out to the branch office, you must configure BranchCache for this data.

Objectives
After completing this lab, you will be able to:

• Perform initial configuration tasks for BranchCache.

• Configure BranchCache clients.

• Configure BranchCache on the branch server.

Lab Setup
Estimated time: 40 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   a. User name: Adatum\Administrator

   b. Password: Pa$$w0rd

5. Do not start 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2 until directed to do so.

Exercise 1: Performing Initial Configuration Tasks for BranchCache

Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the network components.

The main tasks for this exercise are as follows:

1. Configure LON-DC1 to use BranchCache.

2. Simulate a slow link to the branch office.

3. Enable a file share for BranchCache.

4. Configure client firewall rules for BranchCache.

X Task 1: Configure LON-DC1 to use BranchCache

1. Switch to LON-DC1.

2. Open Server Manager and install the BranchCache for Network Files role service.

3. Open the Local Group Policy Editor (gpedit.msc).

4. Navigate to and open Computer Configuration/Administrative Templates/Network/Lanman Server/Hash Publication for BranchCache. Enable this setting, and then select Allow hash publication only for shared folders on which BranchCache is enabled.

X Task 2: Simulate a slow link to the branch office

1. Navigate to Computer Configuration\Windows Settings\Policy-based QoS.

2. Create a new policy with the following settings:

   o Name: Limit to 100Kbps
   o Specify Outbound Throttle Rate: 100

Note: This task is required to simulate a slow network connection in a test environment where all the computers are connected by a fast network connection.

X Task 3: Enable a file share for BranchCache

1. In Windows Explorer, create a new folder named C:\Share.

2. Share this folder with the following properties:

   o Share name: Share
   o Permissions: default
   o Caching: Enable BranchCache

3. Copy C:\Windows\System32\mspaint.exe to the C:\Share folder.

X Task 4: Configure client firewall rules for BranchCache

1. On LON-DC1, open Group Policy Management.

2. Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy. Open the policy for editing.

3. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.

4. Create a new inbound firewall rule with the following properties:

   o Rule type: Predefined
   o Use: BranchCache - Content Retrieval (Uses HTTP)
   o Action: Allow

5. Create a new inbound firewall rule with the following properties:

   o Rule type: Predefined
   o Use: BranchCache - Peer Discovery (Uses WSD)
   o Action: Allow

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and enabled BranchCache on a file share.

Exercise 2: Configuring BranchCache Client Computers

Scenario
After you have configured the network components, you must now make sure that the client computers are configured correctly. This is a preparatory task to be able to use BranchCache.

The main task for this exercise is to configure client computers to use BranchCache in the Hosted Cache mode.

X Task: Configure client computers to use BranchCache in the Hosted Cache mode

1. On LON-DC1, in the Group Policy Management Editor, configure the following at Computer Configuration\Policies\Administrative Templates\Network\BranchCache:

   o Turn on BranchCache: Enable
   o Set BranchCache Hosted Cache mode: Enable
   o Type the name of the hosted cache server: LON-SVR1.adatum.com
   o Configure BranchCache for network files: Enable
   o Type the maximum round trip network latency value (milliseconds) after which caching begins: 0

2. Start 20417A-LON-CL1, open a Command Prompt window, and refresh the Group Policy settings (gpupdate /force).

3. At the command prompt, type netsh branchcache show status all, and then press Enter.

4. Start 20417A-LON-CL2, open a Command Prompt window, and refresh the Group Policy settings (gpupdate /force).

5. At the command prompt, type netsh branchcache show status all, and then press Enter.

Note: To test BranchCache in a test lab, you should deploy two client computers. This enables you to request a file from one of the client computers, and then verify that the file is retrieved from the local cache on the second client computer.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 3: Configuring BranchCache on the Branch Server

Scenario

The next step you must perform is to configure a file server for the BranchCache feature. You will install the BranchCache feature and configure the server as a BranchCache Hosted Cache server.

The main tasks for this exercise are as follows:

1. Install the BranchCache feature on LON-SVR1.

2. Start the BranchCache host server.

X Task 1: Install the BranchCache feature on LON-SVR1

1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the password Pa$$w0rd.

2. Open Server Manager and add the BranchCache for Network Files role service.

3. Add the BranchCache feature.

X Task 2: Start the BranchCache host server

1. On LON-DC1, open Active Directory Users and Computers. Create a new OU called BranchCacheHost, and move LON-SVR1 into this OU.

2. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU. This keeps the hosted-client settings that Exercise 2 placed in the Default Domain Policy from applying to the server that is to become the Hosted Cache.

3. Switch to LON-SVR1 and restart the computer. Log on as Adatum\Administrator with the password Pa$$w0rd.

4. Open Windows PowerShell by clicking the icon on the taskbar, and run the following cmdlets:

   Enable-BCHostedServer -RegisterSCP
   Get-BCStatus

Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not available when this course was created, so the BranchCache verification steps are not included in this lab.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

X To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.

Module Review and Takeaways


Question: How does BranchCache differ from DFS?
Question: Why would you want to implement BranchCache in Hosted Cache mode instead
of the Distributed Cache mode?
Question: Is the storage spaces feature also available on Windows 8?
Question: Can you configure data deduplication on a boot volume?

Tools

Tool: iSCSI target server
Use: Configure iSCSI targets
Where to find it: In Server Manager, under File and Storage Services

Tool: iSCSI initiator
Use: Configure a client to connect to an iSCSI target virtual disk
Where to find it: In Server Manager, in the Tools drop-down list

Tool: Deduplication Evaluation tool (DDPEval.exe)
Use: Analyze a volume for the potential saving when enabling data deduplication
Where to find it: C:\windows\system32

Module 5
Implementing Network Services

Contents:
Module Overview                                      5-1
Lesson 1: Implementing DNS and DHCP Enhancements     5-2
Lesson 2: Implementing IP Address Management         5-10
Lesson 3: NAP Overview                               5-14
Lesson 4: Implementing NAP                           5-20
Lab: Implementing Network Services                   5-25
Module Review and Takeaways                          5-31

Module Overview

As seasoned administrators are aware, network services such as Domain Name System (DNS) provide
critical support for name resolution of network and Internet resources. With Dynamic Host Configuration
Protocol (DHCP) you can manage and distribute IP addresses to client computers. DHCP is essential in
managing IP-based networks. DHCP failover can prevent client computers from losing access to the
network if there is a DHCP server failure. IP Address Management provides a unified means of controlling
IP addressing. With Network Access Protection (NAP), administrators can control which computers have
access to corporate networks based on the computers' adherence to corporate security policies.

This module introduces DNS and DHCP improvements, what is new in IP address management, and
describes how to implement these features. It also provides an overview and implementation guidance for
NAP.

Objectives
After completing this module, you will be able to:

Implement DHCP and DNS enhancements.

Implement IP address management.

Describe NAP.

Implement NAP.

Lesson 1
Implementing DNS and DHCP Enhancements

In TCP/IP networks of any size, certain services are required. DNS is one of the most important network services. Many other applications and services, including Active Directory Domain Services (AD DS), rely on DNS to resolve resource names to IP addresses. Without DNS availability, user authentications can fail, and network-based resources and applications can become inaccessible. To prevent this, DNS has to be protected. Windows Server 2012 implements DNS Security Extensions (DNSSEC) to protect the authenticity of DNS responses.

DHCP has long been used to ease the distribution of IP addresses to network client computers. Windows Server 2012 improves the functionality of DHCP by providing failover capabilities.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the new DNS features in Windows Server 2012.

• Configure DNSSEC.

• Describe the new DHCP features in Windows Server 2012.

• Configure failover for DHCP.

What's New in DNS in Windows Server 2012

DNSSEC and GlobalNames Zones are two features that continue to be available in Windows Server 2012. However, the DNSSEC implementation has been simplified in Windows Server 2012.

DNSSEC

Intercepting and tampering with an organization's DNS query response is a common attack method. If an attacker can alter the response from a DNS server, or send a spoofed response to point client computers to their own servers, they can gain access to sensitive information. This is known as a man-in-the-middle attack. Any service that relies on DNS for the initial connection, such as e-commerce web servers and email servers, is vulnerable. DNSSEC is intended to protect clients that are making DNS queries from accepting false DNS responses.

New Resource Records

Validation of DNS responses is achieved by associating a private/public key pair (generated by the administrator) with a DNS zone and defining additional DNS resource records to sign and publish keys. Resource records distribute the public key, while the private key remains on the server. When the client requests validation, DNSSEC adds data to the response that enables the client to authenticate the response.

MCT USE ONLY. STUDENT USE PROHIBITED

Upgrading Your Skills to MCSA Windows Server 2012

Windows Server 2012 defines the new resource records in the following table.
Resource Record

Purpose

DNSKEY

This record publishes the public key for the zone. It checks the
authority of a response against the private key held by the DNS
server. These keys require periodic replacement. This is known as
key rollovers. Windows Server 2012 supports automated key
rollovers.

DS

This is a delegation record that contains the hash of the public key
of a child zone. This record is signed by the parent zones private
key. If a child zone of a signed parent is also signed, the DS records
from the child must be manually added to the parent so a chain of
trust can be created.

RRSIG

This record holds a signature for a set of DNS records. It is used to


check the authority of a response.

NSEC

When the DNS response has no data to provide to the client this
record authenticates that the host does not exist.

Trust Anchors

A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores preconfigured public keys that are associated with a specific zone. In DNS, the trust anchor is the DNSKEY or DS resource record. Client computers use these records to build trust chains. A trust anchor from the zone must be configured on every domain DNS server in order to validate responses from that signed zone. If the DNS server is a domain controller, then Active Directory integrated zones can distribute the trust anchors.

Name Resolution Policy Table (NRPT)

The NRPT contains rules that control the DNS client behavior for sending DNS queries and processing the responses to those queries. For example, a DNSSEC rule prompts the client computer to check for validation of the response for a particular DNS domain suffix. Group Policy is the preferred method of configuring the NRPT. If there is no NRPT present, the client computer does not validate responses.

Considerations when implementing DNSSEC

Consider the following before you implement DNSSEC:

The zone replication scope or type cannot be changed while a zone is signed.

DNS response messages are larger.

DNS traffic increases because of queries for DNSKEY records.

Zone files are larger.

The client computer has to spend more time authenticating responses.

There is an added level of administration to maintain.

GlobalNames Zones

GlobalNames zones address a problem in multiple DNS domain environments. GlobalNames zones are used when you would otherwise have to maintain a list of DNS search suffixes on client computers to resolve names among these multiple DNS domains. For example, if an organization supports two DNS domains, such as Widgets.com and Corp.com, users in the Widgets.com DNS domain have to use the fully qualified domain name (FQDN) to locate the servers in Corp.com, or the domain administrator has to add a DNS search suffix for Corp.com on all the systems in the Widgets.com domain. In other words, if users in the Widgets.com domain want to locate a server named Data in the Corp.com domain, they would have to search for the FQDN of Data.Corp.com to locate that server. If they just search for the server name Data, then the search would fail.

GlobalNames zones are based on creating Canonical Name (CNAME) records (or aliases) in a special forward lookup zone that uses single names to point to FQDNs. GlobalNames zones enable clients in any DNS domain to use a single label name, such as Data, to locate a server whose FQDN is Data.corp.com without having to use the FQDN.

Creating GlobalNames Zones
To create GlobalNames zones:

Use the Dnscmd utility to enable GlobalNames zones functionality.

Create a new forward lookup zone named GlobalNames (not case-sensitive). Do not enable dynamic updates for this zone.

Manually create CNAME records that point to records that already exist in the other zones hosted on your DNS servers.

For example, you could create a CNAME record in the GlobalNames zone for Data that points to Data.corp.com. This enables clients from any DNS domain in the organization to find this server by the single label name of Data.
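
The three steps above as a Windows PowerShell script (an added example, not part of the course material): it assumes the DnsServer module on a Windows Server 2012 DNS server that already hosts the corp.com zone with a host record for Data, and it resolves the alias target before creating the CNAME so the GlobalNames zone cannot acquire a dangling alias.

```powershell
# Added example (not from the course): enable GlobalNames support, create the
# GlobalNames zone with dynamic updates disabled, and add a single-label alias.
# Assumes the DnsServer module (Windows Server 2012) on a DNS server that
# already hosts corp.com with a host record for Data.
Import-Module DnsServer

# Step 1: enable GlobalNames zone functionality.
# Dnscmd equivalent:  dnscmd /config /enableglobalnamessupport 1
Set-DnsServerGlobalNameZone -Enable $true

# Step 2: create the forward lookup zone named GlobalNames. It is AD integrated
# and replicated forest-wide so DNS servers in every domain can answer from it.
# Dynamic updates stay disabled: only an administrator should add records here,
# otherwise any client could register a single-label alias for the whole forest.
if (-not (Get-DnsServerZone -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
}

# Step 3: the alias must point at a record that already exists in another zone.
# Resolve the target first so the zone never holds a dangling alias.
$target = 'Data.corp.com'
if (-not (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)) {
    throw "Target $target does not resolve; create the host record before aliasing it."
}
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'Data' -HostNameAlias $target

# Verify: list the aliases in the zone, then resolve the single-label name Data.
Get-DnsServerResourceRecord -ZoneName 'GlobalNames' -RRType CName
Resolve-DnsName -Name 'Data' -Type A
```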

How to Configure DNSSEC
Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and administration was performed manually, and zones were signed while they were offline. Windows Server 2012 includes a DNSSEC wizard to simplify the configuration and signing process, and enables online signing.

Deploying DNSSEC
To deploy DNSSEC:

1. Install Windows Server 2012 in the environment and assign the server the DNS role. Typically a domain controller also acts as the DNS server. However, that is not a requirement.

2. Sign the DNS zone by using the DNSSEC configuration wizard in the DNS Manager console.

3. Configure trust anchor distribution points.

4. Configure the NRPT on the client computers.

Assign the DNS Server Role

To add the DNS server role, from the Server Manager Dashboard, use the Add Roles and Features Wizard. You can also add this role when you add the AD DS role. Configure the primary zones on the DNS server. After a zone is signed, any new DNS server running Windows Server 2012 automatically receives the DNSSEC parameters.


Sign the Zone

To access the DNSSEC zone signing wizard, right-click the primary zone. You can sign zones on any Windows Server 2012 server that hosts a primary DNS zone. You cannot configure DNSSEC on secondary zones. The wizard guides you through all the configuration steps required to sign the zone.
The following signing options are available:

The Configure the zone signing parameters option guides you through the steps and enables you
to set all values for the Key Signing Key (KSK) and the Zone Signing Key (ZSK).

The Sign the zone with parameters of an existing zone option enables you to keep the same
values and options as another signed zone.

The Use recommended settings option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface.

Configure Trust Anchor Distribution Points

If the zone is Active Directory integrated, you should choose to distribute the trust anchors to all the servers in the forest. If trust anchors are required on computers that are not joined to the domain, for example, a DNS server in the perimeter network (also known as a DMZ, demilitarized zone, or screened subnet), then you should enable automated key rollover.

Configure NRPT on Client Computers

The DNS client computer performs DNSSEC validation only on domain names for which the NRPT configures it to do so. A client computer running Windows 7 is DNSSEC aware, but does not perform validation. It relies on the security-aware DNS server to perform validation on its behalf.

Demonstration: Configuring DNSSEC

In this demonstration, you will see how to use the wizard in the DNS management console to configure DNSSEC.

Demonstration Steps
1. Log on to LON-DC1 as Adatum\Administrator.

2. Start the DNS Management console.

3. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

4. Verify that the DNSKEY resource records were created in the Trust Points zone.

5. Use the Group Policy Management Console to configure the NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix and requires DNS client computers to check that the name and address data is validated.

6. Close all open windows.
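
The same deployment in Windows PowerShell (an added example, not from the course): sign Adatum.com with the recommended settings, confirm that trust anchors exist and that signed answers carry RRSIG records, and create the NRPT rule in Group Policy. It assumes the DnsServer and DnsClient modules on LON-DC1, a GPO named Default Domain Policy, and an existing host record lon-dc1 in the zone (the GPO name and record name are assumptions).

```powershell
# Added example (not from the course): sign the Adatum.com zone, verify the
# trust anchors and RRSIG records, and publish an NRPT rule through Group
# Policy so clients require validated answers for the zone.
# Assumptions: DnsServer and DnsClient modules on LON-DC1, which is
# authoritative for the AD-integrated zone Adatum.com; GPO 'Default Domain
# Policy' and host record lon-dc1 are assumed to exist.
Import-Module DnsServer
Import-Module DnsClient
$zone = 'Adatum.com'
$gpo  = 'Default Domain Policy'

# Deployment step 2: sign the zone online with the default KSK/ZSK parameters
# (the wizard's "Use recommended settings" option).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Deployment step 3: the DNSKEY records of a signed AD-integrated zone become
# trust anchors replicated to the forest's DNS servers. Confirm they exist
# before touching any client, otherwise validation-required clients get NXDOMAIN.
$anchors = Get-DnsServerTrustAnchor -Name $zone -ErrorAction SilentlyContinue
if (-not $anchors) { throw "No trust anchor for $zone; signing did not complete." }
$anchors | Format-Table TrustAnchorName, TrustAnchorType, TrustAnchorState -AutoSize

# A signed zone must return RRSIG records with its data when the resolver sets
# the DNSSEC OK (DO) bit. A missing RRSIG means every client with a
# validation-required NRPT rule will reject the answer.
$answer = Resolve-DnsName -Name "lon-dc1.$zone" -Type A -DnssecOk -Server localhost
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    throw "No RRSIG returned for lon-dc1.$zone; clients will fail validation."
}

# Deployment step 4: NRPT rule stored in Group Policy. The leading dot matches
# the suffix and every name below it. -DnsSecValidationRequired makes the
# client discard unvalidated responses instead of silently accepting them.
Add-DnsClientNrptRule -GpoName $gpo -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired

# Show the rule as stored in the GPO; clients apply it at the next policy refresh.
Get-DnsClientNrptRule -GpoName $gpo
```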

What's New in DHCP in Windows Server 2012
DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers losing connectivity to the network and all its resources if there is a DHCP server failure.

Another new feature in Windows Server 2012 is DHCP name protection. Names that are registered in DNS by DHCP on behalf of systems must be protected from being overwritten by non-Microsoft systems that have the same name. For example, a Unix-based system named Client1 could potentially overwrite the DNS address that was assigned and registered by DHCP on behalf of a Windows-based system also named Client1. DHCP name protection addresses this issue.

DHCP Failover

DHCP client computers renew the lease on their IP address at regular, configurable intervals. If the DHCP server service fails, then leases time out, and eventually client computers no longer have IP addresses. In the past, DHCP failover was not possible because DHCP servers were independent and unaware of one another. Configuring two separate DHCP servers to distribute IP addresses within the same pool could lead to duplicate address assignment if the administrator incorrectly configured overlapping ranges. The DHCP server failover feature enables an alternative DHCP server to distribute IP addresses and associated option configuration to the same subnet or scope. Lease information is replicated between the two DHCP servers. If one of the DHCP servers fails, then the other DHCP server services the client computers for the whole subnet. In Windows Server 2012 you can configure one alternative DHCP server for failover. Additionally, only IPv4 scopes and subnets are supported because IPv6 uses a different IP address assignment scheme.

Note: For more information about DHCP options in IPv6, see http://technet.microsoft.com/en-us/library/cc753493.

DHCP Name Protection

Name squatting describes the problem where a DHCP client computer registers a name with DNS, but that name is actively being used by another computer. The original computer then becomes inaccessible. This problem typically occurs between non-Windows systems that have duplicate names of Windows systems. DHCP Name Protection uses a resource record known as a DHCID to keep track of which computer originally requested the name. This record is provided by the DHCP server and stored in DNS. When the DHCP server receives a request to update a host record that is currently associated with a different computer, the DHCP server can verify the DHCID in DNS to check whether the requester is the original owner of the name. If it is not the same computer, the record in DNS is not updated. To resolve this issue, either the current host name owner must release the IP address, or the requester must use a different host name. You can implement name protection for both IPv4 and IPv6. Configuration is set in the properties page at the IP address level or the scope level.
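
An added example (not from the course) that audits every IPv4 scope on the local DHCP server for name protection, enables it where it is missing, and then looks up the DHCID record that DNS keeps for a protected client. It assumes the DhcpServer and DnsClient modules on a Windows Server 2012 DHCP server; the zone adatum.com, the DNS server LON-DC1 and the client name Client1 are placeholders.

```powershell
# Added example (not from the course): audit and enable DHCP name protection
# on every IPv4 scope, then show the DHCID record that enforces it.
# Assumptions: DhcpServer and DnsClient modules on a Windows Server 2012
# DHCP server; zone adatum.com, DNS server LON-DC1 and client Client1 are
# placeholders.
Import-Module DhcpServer

# Scopes whose DNS registration settings still have NameProtection disabled.
$unprotected = Get-DhcpServerv4Scope | Where-Object {
    -not (Get-DhcpServerv4DnsSetting -ScopeId $_.ScopeId).NameProtection
}

foreach ($scope in $unprotected) {
    # Name protection relies on the DHCP server performing the DNS registration
    # itself, so also make the server update A and PTR records for every lease,
    # including clients that do not send the client FQDN option (option 81).
    Set-DhcpServerv4DnsSetting -ScopeId $scope.ScopeId `
        -DynamicUpdates Always -UpdateDnsRRForOlderClients $true `
        -NameProtection $true
    Write-Output "Name protection enabled on scope $($scope.ScopeId) ($($scope.Name))"
}

# Server-level default that scopes created later inherit.
Set-DhcpServerv4DnsSetting -NameProtection $true
Get-DhcpServerv4DnsSetting | Format-List DynamicUpdates, NameProtection, UpdateDnsRRForOlderClients

# With name protection on, the server writes a DHCID record beside the client's
# A record. A different machine that later claims the same name presents a
# different DHCID, so the server refuses to overwrite the existing record.
Resolve-DnsName -Name 'Client1.adatum.com' -Type DHCID -Server 'LON-DC1'
```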

How to Configure Failover for DHCP
To configure failover of DHCP, you must establish a failover relationship between the two servers. You must give this relationship a unique name. This name is exchanged with the failover partner during the configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP servers, as long as they all have unique names. Failover is configured through a wizard that you can start on the shortcut menu of the IP node or the scope node.

Note: DHCP failover is time sensitive. Time must be kept synchronized between the partners in the relationship. If the time difference is greater than one minute, the failover process will stop with a critical error.

Configure Maximum Client Lead Time

The administrator configures the Maximum Client Lead Time (MCLT) parameter to determine the time that a DHCP server waits if the partner is unavailable before assuming control of the whole address range. This value cannot be zero, and the default is one hour.

Configure Failover Mode
Failover can be configured in one of two modes:

Mode: Characteristics

Hot Standby Mode: In this mode one server is the primary server and the other is a secondary. The primary server actively distributes IP configurations for the scope or subnet. The other DHCP server will only take over this role if the primary server becomes unavailable. A DHCP server can act as the primary for one scope or subnet while it is the secondary for another. Administrators must configure a percentage of the scope addresses to be assigned to the standby server. These addresses are distributed during the MCLT interval if the primary server is down. The default value is 5 percent of the scope. The secondary takes control of the whole range after the MCLT has passed. Hot Standby mode is best suited to deployments where a data recovery (DR) site is located at a different location. Then, the DHCP server does not service client computers unless there is an outage of the main server.

Load Sharing Mode: This is the default mode. In this mode both servers concurrently distribute IP configuration to client computers. Which server responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.

Configure Auto State Switchover Interval

When a server loses contact with its partner, it goes into a communication interrupted state. Because the server cannot determine what is causing the communication loss, it stays in this state until the administrator manually changes it to a partner down state. The administrator can also enable automatic transition to the partner down state by configuring the auto state switchover interval. The default value for this interval is 10 minutes.

Configure Message Authentication


Windows Server 2012 enables you to authenticate the failover message traffic between the replication
partners. The administrator can establish a shared secret, much like a password, in the configuration
wizard for DHCP failover. This validates that the failover message comes from the failover partner.

Firewall Considerations

DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following incoming
and outgoing firewall rules:

Microsoft-Windows-DHCP-Failover-TCP-In

Microsoft-Windows-DHCP-Failover-TCP-Out

Configure DHCP Failover

The Configuration Failover Wizard steps you through the process of creating a failover relationship. The
wizard prompts you to enter the following information:

Name of the relationship

Which scopes are selected for failover

Name of the partner server

The MCLT

The Mode

The Load Balance Percentage

The Auto State Switchover Interval

Message Authentication setting

A shared secret

The failover relationship can then be modified as required through the Failover tab in the properties
of IPv4.

Demonstration: Configuring Failover for DHCP


In the demonstration you will see how to use the DHCP console to configure DHCP failover in load
sharing mode.

Demonstration Steps
1. Log on to LON-SVR1 as Adatum\Administrator.

2. Start the DHCP console and view the current state of DHCP. Note that the server is authorized but no scopes are configured.

3. Switch to LON-DC1.

4. Open the DHCP Management console and start the Configure Failover Wizard.

5. Configure failover replication with the following settings:

   Partner server = 172.16.0.21
   Relationship Name = Adatum
   Maximum Client Lead Time = 15 minutes
   Mode = Load balance
   Load Balance Percentage = 50%
   State Switchover Interval = 60 minutes
   Message authentication shared secret: Pa$$w0rd

6. Complete the wizard.
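
The demonstration's settings applied with Windows PowerShell instead of the wizard (an added example, not course material): it compares the partners' clocks first, because the note above says a skew over one minute stops failover, creates the relationship with message authentication, and then verifies the relationship and the TCP 647 firewall rules. It assumes the DhcpServer module on LON-DC1, that LON-SVR1 is the partner at 172.16.0.21, and that a scope 172.16.0.0 already exists on LON-DC1 (the scope ID is an assumption).

```powershell
# Added example (not from the course): create the demonstration's load-balance
# failover relationship with PowerShell and verify it.
# Assumptions: DhcpServer module on LON-DC1; partner LON-SVR1 is 172.16.0.21;
# scope 172.16.0.0 exists on LON-DC1 (assumed scope ID).
Import-Module DhcpServer

$partnerName = 'LON-SVR1'
$partnerIp   = '172.16.0.21'
$scopeId     = '172.16.0.0'

# Failover is time sensitive: a skew above one minute stops it with a critical
# error, so compare the partners' clocks before configuring anything.
$remoteNow = Invoke-Command -ComputerName $partnerName -ScriptBlock { Get-Date }
$skew = [math]::Abs(((Get-Date) - $remoteNow).TotalSeconds)
if ($skew -gt 60) { throw "Clock skew of $skew seconds between partners exceeds one minute." }

# Prompt for the shared secret rather than embedding it in the script. It must
# match on both partners and switches on message authentication.
$secret = Read-Host -Prompt 'Failover message authentication shared secret'

# Relationship Adatum: load balance 50/50, MCLT 15 minutes, automatic
# transition to partner down after 60 minutes.
Add-DhcpServerv4Failover -ComputerName 'LON-DC1' -Name 'Adatum' `
    -PartnerServer $partnerIp -ScopeId $scopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $secret -Force
# For hot standby instead, replace -LoadBalancePercent with
#   -ServerRole Active -ReservePercent 5    (5 percent is the default reserve).

# Verify the relationship and that authentication is actually enabled.
$fo = Get-DhcpServerv4Failover -ComputerName 'LON-DC1' -Name 'Adatum'
$fo | Format-List Name, PartnerServer, Mode, LoadBalancePercent, MaxClientLeadTime,
    AutoStateTransition, StateSwitchInterval, EnableAuth, State
if (-not $fo.EnableAuth) {
    Write-Warning 'Message authentication is off: failover traffic is not authenticated.'
}

# The DHCP role creates these rules for TCP 647; both must be enabled on each
# partner or lease replication between the servers is blocked.
Get-NetFirewallRule -Name 'Microsoft-Windows-DHCP-Failover-TCP-*' |
    Format-Table Name, Enabled, Direction -AutoSize
```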

Lesson 2

Implementing IP Address Management


With the development of IPv6 and more and more devices requiring IP addresses, networks have become very complex and difficult to manage. Windows Server 2012 has implemented IP Address Management (IPAM) as a tool to manage IP addresses.

Lesson Objectives
After completing this lesson, you will be able to:

Describe IPAM.

Describe the IPAM architecture.

Describe the requirements for IPAM.

What is IP Address Management?
IP management is difficult in large networks because tracking IP address usage is largely a manual operation. IPAM is a framework for discovering, utilization monitoring, auditing, and managing the IP address space in a network. IPAM enables the administration and monitoring of DHCP and DNS. IPAM provides a comprehensive view of where IP addresses are used. IPAM collects information from domain controllers and Network Policy Servers (NPS) and stores that information in the Windows Internal Database.

IPAM assists in the areas of IP administration shown in the following table.

IP Administration Area: IPAM Capabilities

Planning: Provides a tool set that can reduce the time and expense of the planning process when changes occur in the network.

Managing: Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS.

Tracking: Enables tracking and forecasting of IP address utilization.

Auditing: Assists with compliance requirements, such as HIPAA and Sarbanes-Oxley, and provides reporting for forensics and change management.

Benefits of IPAM
IPAM benefits include:

IPv4 and IPv6 address space planning and allocation.

IP address space utilization statistics and trend monitoring.

Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion.

Service and zone monitoring of DNS services.

IP address lease and logon event tracking.

Role-based access control.

Remote administration support through Remote Server Administration Tools (RSAT).

Note: IPAM does not support management and configuration of non-Microsoft network elements.

IPAM Architecture
IPAM consists of four main modules, as shown in the following table:

Module: Description

IPAM discovery: You use Active Directory to discover servers running Windows Server 2008 and later versions that have DNS, DHCP, or AD DS installed. Administrators can define the scope of discovery to a subset of domains in the forest. They can also manually add servers.

IP address space management (ASM): You can use this module to view, monitor, and manage the IP address space. You can dynamically issue or statically assign addresses. You can also track address utilization and detect overlapping DHCP scopes.

Multi-server management and monitoring: You can manage and monitor multiple DHCP servers. This enables tasks to be executed across multiple servers. For example, you can configure and edit DHCP properties and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.

Operational auditing and IP address tracking: You can use the auditing tools to track potential configuration problems. You can also collect, manage, and view details of configuration changes from managed DHCP servers. You can also collect address lease tracking from DHCP lease logs, and collect logon event information from Network Policy Servers (NPS) and domain controllers.

The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three topologies:

Distributed: An IPAM server is deployed to every site in the forest.

Centralized: Only one IPAM server is deployed in the forest.

Hybrid: A central IPAM server is deployed together with a dedicated IPAM server in each site.

Note: IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize the discovery scope of each server.

IPAM has two main components:

IPAM Server performs the data collection from the managed servers. It also manages the Windows Internal Database and provides role-based access control.

IPAM Client provides the client computer user interface, interacts with the IPAM server, and invokes PowerShell to perform DHCP configuration tasks, DNS monitoring, and remote management.

Requirements for IPAM Implementation
You must meet several prerequisites to ensure a successful IPAM deployment:

The IPAM server must be a domain member, but cannot be a domain controller.

The IPAM server should be a single purpose server. Do not install other network roles such as DHCP or DNS on the same server.

To manage the IPv6 address space, IPv6 must be enabled on the IPAM server.

Log on to the IPAM server with a domain account, not a local account.

You must be a member of the correct IPAM local security group on the IPAM server.

Ensure that logging of account logon events is enabled on DC and NPS servers for the IP Address Tracking and auditing feature of IPAM.

Hardware and software requirements:

Dual core processor of 2.0 GHz or higher

Windows Server 2012 operating system

4 GB of RAM or more

80 GB of free hard disk space

Demonstration: Implementing IPAM

In this demonstration, you will see how to install IPAM. You will also see how to create the related GPOs and begin server discovery.

Demonstration Steps
1. Log on to LON-SVR1 as Adatum\Administrator.

2. In Server Manager, add the IPAM feature and all required supporting features.

3. From the IPAM Overview pane, provision the IPAM server by using Group Policy.

4. Enter IPAM as the GPO name prefix and provision IPAM.

5. From the IPAM Overview pane, configure server discovery for the Adatum domain.

6. From the IPAM Overview pane, start the server discovery process.
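
The prerequisites and demonstration steps as a Windows PowerShell script (an added example, not from the course): it refuses to continue on a domain controller, on a server that already hosts DHCP or DNS, or under a local account, then installs IPAM, creates the Group Policy provisioning GPOs and defines the discovery scope. It assumes Windows Server 2012 on LON-SVR1 in adatum.com; the GPO prefix IPAM comes from the demonstration.

```powershell
# Added example (not from the course): check the IPAM prerequisites from this
# lesson, install IPAM, create the Group Policy provisioning GPOs and define
# the discovery scope. Assumptions: Windows Server 2012 member server
# LON-SVR1 in adatum.com; GPO prefix IPAM as in the demonstration.
$domain     = 'adatum.com'
$ipamServer = "lon-svr1.$domain"

# 1. Domain member, but never a domain controller.
#    Win32_ComputerSystem.DomainRole: 0/2 stand-alone, 1/3 member, 4/5 DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4)     { throw 'IPAM cannot be installed on a domain controller.' }
if ($role -in 0, 2)  { throw 'The IPAM server must be a domain member.' }

# 2. Single-purpose server: refuse to co-host the DHCP or DNS roles.
$conflicts = Get-WindowsFeature -Name DHCP, DNS | Where-Object Installed
if ($conflicts) { throw "Remove $($conflicts.Name -join ', ') before installing IPAM." }

# 3. Run under a domain account, not a local one (USERDOMAIN equals the
#    computer name for local accounts).
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) { throw 'Log on with a domain account, not a local account.' }

# 4. IPv6 must be enabled to manage the IPv6 address space.
if (-not (Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)) {
    Write-Warning 'IPv6 is disabled on every adapter; the IPv6 address space cannot be managed.'
}

# Install the feature and its management tools (demonstration step 2).
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# After Group Policy based provisioning with the prefix IPAM is selected in
# Server Manager (steps 3 and 4), this cmdlet creates the IPAM_DHCP, IPAM_DNS
# and IPAM_DC_NPS GPOs that configure the managed servers for IPAM access
# and monitoring. Run it on the IPAM server with domain administrative rights.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName 'IPAM' `
    -IpamServerFqdn $ipamServer -Force

# Discovery scope (step 5): the domain and the roles to look for. The
# discovery task itself is then started from the IPAM Overview pane (step 6).
Add-IpamDiscoveryDomain -Name $domain -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true
Get-IpamDiscoveryDomain
```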

Lesson 3

NAP Overview

NAP is a policy-enforcement platform that is built into Windows XP with Service Pack 3 (SP3) and later operating systems, and into Windows Server 2008 and later operating systems. NAP enables you to protect network assets by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers that are connected or connecting to the network remain manageable so that they do not become a security risk to the network and other attached computers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe NAP.

Describe NAP architecture.

Describe scenarios for using NAP.

Describe the considerations for using NAP.

What is NAP?
NAP enforces client computer health before it enables client computers to access the network. Client health can be based on characteristics such as antivirus software status, Windows Firewall status, or the installation of security updates. The monitored characteristics are based on which system health agents are installed. NAP enables you to create solutions for validating computers that connect to your networks, in addition to providing needed updates or access to needed health update resources, and limiting the access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom programs. You can customize the health-maintenance solution that developers within your organization might develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access to a restricted network of computers that do not meet health policy requirements.

NAP does not protect a network from malicious users. Instead, it enables you to maintain the health of your organization's networked computers automatically, which in turn helps maintain the network's overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and has unlimited network access. NAP does not prevent an authorized user who has a compliant computer from uploading a malicious program to the network or engaging in other unsuitable behavior.

Also, unless configured specifically, NAP cannot determine whether a client computer is free of viruses, trojans, rootkits or malware. Default behavior is to check for compliance in having current antivirus software and configurations.

Features of NAP
NAP has three important and distinct features:

Health state validation: When a client computer tries to connect to the network, NAP validates the computer's health state against the health-requirement policies that the administrator defines. You can also define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies could find their access limited to a restricted network.

Health policy compliance: You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are completed. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.

Limited Access: You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific time, or on the resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access lasts until the noncompliant computer comes into compliance. You can also configure exceptions so that computers that are incompatible with NAP do not have limited network access.

What's New for NAP in Windows Server 2012
Support for Windows PowerShell
You can now use Windows PowerShell to automate the installation of the Network Policy and Access Services server role. You can also use Windows PowerShell to deploy and configure some aspects of Network Policy Server.

Removed Functionality
In Windows Server 2008 R2 and Windows Server 2008, Network Policy and Access Services included the Routing and Remote Access Service role service. In Windows Server 2012, RRAS is now a role service in the Remote Access server role.

NAP Architecture
The following table describes the NAP components.

Components: Description

NAP Clients: Computers that support the NAP platform for system health-validated network access or communication. Client architecture consists of:
NAP enforcement client (EC): ECs monitor attempts to connect to the network. Different EC components exist for different types of network access.
System health agents (SHA): SHAs report on one or more elements of system health. For example, there might be an SHA for checking antivirus definitions and another for checking Windows updates. The SHA returns a statement of health (SoH) to the NAP agent, which passes it to the NAP health policy server for evaluation.
NAP agent: Collects and stores SoHs from the SHAs and supplies them to the ECs when requested.

NAP enforcement points: NAP enforcement points are computers or network-access devices that use NAP to evaluate a NAP client computer's health state. NAP enforcement points rely on policies from a Network Policy Server (NPS) to perform that evaluation and determine whether network access or communication is enabled, and the set of remediation actions that a noncompliant NAP client computer must perform.
NAP enforcement points can include:
Health Registration Authority (HRA) is a server running Windows Server 2012 with Internet Information Services (IIS) installed that obtains health certificates from a certification authority (CA) for compliant computers.
VPN server is a Windows 2012 server that runs Routing and Remote Access, and that enables remote access VPN intranet connections through remote access.
DHCP server is a Windows 2012 server that runs the DHCP Server service.
Network access devices are Ethernet switches or wireless access points that support IEEE 802.1X authentication.

NAP health policy servers: Windows 2012 servers that run the NPS service and store health-requirement policies and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), and the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. The NAP health policy server has the following components:
NPS service: Receives RADIUS requests and extracts the System Statement of Health (SSoH) and passes it to the NAP administration server component.
NAP Administration Server: Makes communication easier between the NPS service and the SHVs.
System Health Validators (SHV): You define SHVs for system health elements and match them to an SHA. An example of these would be an SHV for antivirus software that tracks the latest version of the antivirus definition file.
NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2012-based NAP enforcement points that do not have a built-in RADIUS client computer, such as an HRA or DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

AD DS: AD DS stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPSec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network: This is a separate logical or physical network that has the following components:
Remediation servers that contain health update resources, such as antivirus definition distribution points and Windows software update servers, which NAP client computers can access to remedy their noncompliant state.
NAP client computers that have limited access are added on the restricted network when they do not comply with health-requirement policies.

Scenarios for Using NAP

NAP provides a solution for the common scenarios described in this section. Depending on your needs, you can configure a solution to address any of these scenarios for your network.

Roaming Portable Computers

Portability and flexibility are two primary portable computer advantages, but these features also present a system health threat. Users frequently connect their portable computers to other networks. When users are away from your organization, their portable computers might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the portable computers. NAP lets you check any portable computer's health state when it reconnects to the organization's network, whether through a VPN, DirectAccess connection, or the workplace network connection.

MCT USE ONLY. STUDENT USE PROHIBITED

5-18 Implementing Network Services

Desktop Computers

Although desktop computers are usually not taken out of the company building, they still can present a threat to the network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly available resources. NAP enables you to automate health state checks to verify each desktop computer's compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, by using management software you can generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, computers can be provisioned automatically with the most recent updates.

Visiting Portable Computers

Organizations frequently have to enable consultants, business partners, and guests to connect to their private networks. The portable computers that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting portable computers are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting portable computers. You can configure Internet access for visiting portable computers, but not for other organizational computers that have limited access.

Unmanaged Home Computers

Unmanaged home computers that are not a member of the company's Active Directory domain can connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, more difficult. However, NAP enables you to verify the health state of a home computer every time that it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.

Considerations for NAP

Before you implement NAP, you must consider the following points.

Considerations for NAP Client Computer Deployment

Before you can use NAP on client computers, you must configure the NAP settings. Although you can use the Netsh commands to configure all aspects of the NAP client computer, Group Policy is the preferred method of deploying client computer settings. The NAP Client Configuration console and NAP client computer configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client computer settings.

Upgrading Your Skills to MCSA Windows Server 2012

5-19

Considerations for a NAP Enforcement Type

Deciding on the best enforcement type for your organization is very important. NAP provides four mechanisms:

VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client computer and performs the validation. This method requires a computer certificate to perform PEAP-based user or computer authentication.

DHCP: The DHCP server interacts with the policies from the NPS to determine the client computer's compliance.

IPsec: Enforces the policy and configures the systems out of compliance with a limited access local IP security policy for remediation. This method requires a computer certificate to perform PEAP-based user or computer authentication.

802.1X: Authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors.

Considerations for a Remediation Network

You can provide a remediation network as a location for client computers that are out of compliance to
resolve issues and then gain access to the network. It is important to make the remediation network a
place where client computers can gain the required updates or definitions without help desk intervention.

Administrative Effort and Support


NAP is not a simple solution to implement and requires a good level of understanding and ongoing
support.

Lesson 4

Implementing NAP

There are different NAP procedures, depending on the type of enforcement you are implementing. This lesson describes the main requirements for each of the NAP enforcement methods.

Lesson Objectives

After completing this lesson you will be able to:

Describe the requirements for implementing NAP.

Describe the requirements for NAP with VPN.

Describe the requirements for NAP with IPsec.

Describe the requirements for NAP with DHCP.

Describe the requirements for NAP with 802.1X.

Requirements for Implementing NAP

All NAP enforcement methods require that the NAP Agent service is running on the client computer and that at least one enforcement client is enabled. Depending on the desired enforcement method there may be other services and settings required.

A Network Policy Server (NPS) is required to create and enforce organization-wide network access policies for client computer health, connection request authentication and authorization. The NPS can also act as a RADIUS server. The NPS evaluates the statements of health (SoH) sent by NAP client computers.

System Health Validators (SHVs) are required to determine what the system health policy checks for. SHVs can check for Windows Firewall settings, antivirus and spyware protection, Windows Updates, and so on. Health policies compare the state of a client computer's health according to SHVs that are defined by corporate requirements and determine whether the client computer is compliant or noncompliant with the corporate policy. A health policy can be defined to check one of the following:

Client passes all SHV checks

Client fails all SHV checks

Client passes one or more SHV checks

Client fails one or more SHV checks

Network policies are required to determine what happens if the client computer requesting network access is compliant or noncompliant. These policies determine what level of access, if any, the client computer will receive to the network.

A certification authority (CA) is required to issue computer certificates to validate computer identity if Protected EAP (PEAP) is used for authentication. This may be an enterprise CA or a third-party CA.

Remediation networks are not an absolute requirement, but can provide a means for a client computer to become compliant. For example, a network policy can direct a noncompliant client computer to a network segment that contains a Web site from which the client computer can obtain current virus definitions or Windows Updates.

NAP with VPN

NAP enforcement for the VPN method works by using a set of remote access IP packet filters to limit the traffic of a noncompliant VPN client computer so that it can only reach the resources on the restricted network. Compliant client computers will be granted full access. VPN servers can enforce the health policy for computers that are considered to be noncompliant by applying the filters.

Note: Site-to-site VPN connections do not support NAP health evaluation.

To deploy NAP with VPN you must:

Install RRAS as a VPN server and configure the NPS as the primary RADIUS server.

Configure the VPN servers as RADIUS client computers in the NPS.

Configure a connection request policy with the source set to the VPN server.

Configure SHVs to test for health conditions.

Create compliant health policies to pass selected SHVs and a noncompliant health policy to fail selected SHVs.

Configure a network policy with the source set to the VPN server. Full access will be granted to compliant computers and limited access to noncompliant computers.

Enable the NAP Remote Access and EAP enforcement clients on client computers. You can do this by using Group Policy or local policy settings.

Enable the NAP agent service on client computers.

Issue computer certificates to use PEAP authentication.

NAP with IPsec

NAP IP security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.

To implement NAP with IPsec you must:

Configure a certification authority (CA) to issue health certificates: the System Health Authentication template must be issued and the HRA must be granted permission to enroll the certificate.

Install Health Registration Authority (HRA): the HRA is a component of NAP that is central to IPsec enforcement. The HRA obtains health certificates on behalf of NAP client computers when they are compliant with network health requirements. These health certificates authenticate NAP client computers for IPsec-protected communications with other NAP client computers on an intranet. If a NAP client computer does not have a health certificate, the IPsec peer authentication fails.

Select authentication requirements: the HRA can provide health certificates to authenticated domain users only, or optionally provide health certificates to anonymous users.

Configure the NPS server with the required health policies.

Configure NAP client computers for IPsec NAP enforcement: NAP agent must be running and the NAP IPsec EC must be running. You can do this through Group Policy or local policy or Netsh commands.

Use IPsec policies to create logical networks: IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are:

o Secure network - Computers on the secure network have health certificates and require that incoming communication is authenticated by using these certificates.

o Boundary network - Computers on the boundary network have health certificates, but do not require IPsec authentication of incoming communication attempts.

o Restricted network - Computers on the restricted network do not have health certificates.

NAP with DHCP

NAP enforcement can be integrated with DHCP so that NAP policies can be enforced when a client computer tries to lease or renew its DHCP address. The NPS server uses health policies and SHVs to evaluate client computer health. Based on the evaluation the NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers.

The components listed in the following table must be defined on the NPS.

Component / Description

RADIUS client computers: If DHCP is installed on a separate computer, the NAP DHCP server must be configured as a RADIUS client computer in NPS. You must also select that the RADIUS client computer is NAP-capable.

Network policy: Source must be set to DHCP server. Both compliant and noncompliant policies are set to grant access.

Connection request policy: Source is set to DHCP server. The policy authenticates requests on this server.

Health policies: Must be configured to pass SHVs in the compliant policy and fail SHVs in the noncompliant policy.

SHVs: Health checks are configured on the NPS server.

NAP agent: Must be running on the client computer.

IP address configuration: Must be configured to use DHCP. Clients that have a static IP address cannot be evaluated.

Demonstration: Implementing NAP with DHCP

Because you are configuring NPS on the DHCP server you do not have to designate the DHCP server as a RADIUS client computer. You will configure the policy for all scopes.

Demonstration Steps

1. Install Network Policy and Access Services on LON-DC1.

2. Use the Configure NAP Wizard to create a DHCP enforcement policy.

3. Configure DHCP to enable Network Access Protection for all scopes.
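Step 3 of the demonstration can also be done from PowerShell. The block below is an added example, not part of the course: it assumes the DhcpServer module on LON-DC1 (installed with the DHCP Server role), that the Configure NAP Wizard has already created the DHCP enforcement policy in NPS, and it uses 172.16.0.0 as a constructed example scope ID.

```powershell
# Added example, not from the course: enable NAP on the DHCP side of the enforcement point.
# Run on LON-DC1 after the Configure NAP Wizard has created the DHCP policies in NPS.

# Server-wide switch, matching step 3 ("for all scopes"). NpsUnreachableAction decides what a
# client receives when NPS cannot be contacted: 'Full' fails open, 'Restricted' and 'NoAccess'
# fail closed. For an enforcement point, failing closed is the safer default.
Set-DhcpServerSetting -NapEnabled $true -NpsUnreachableAction Restricted

# NAP can also be switched per scope. 172.16.0.0 is a constructed example scope ID; substitute
# the scope you created. NapProfile is an optional profile name that NPS policies can match on.
$scopeId = '172.16.0.0'
Set-DhcpServerv4Scope -ScopeId $scopeId -NapEnable $true

# Verification: both settings should read back as enabled before a client lease is tested.
$server = Get-DhcpServerSetting
$scope  = Get-DhcpServerv4Scope -ScopeId $scopeId
if (-not $server.NapEnabled) { throw 'NAP is not enabled at the DHCP server level.' }
if (-not $scope.NapEnable)   { throw "NAP is not enabled on scope $($scope.ScopeId)." }

"Server NAP: $($server.NapEnabled); action when NPS unreachable: $($server.NpsUnreachableAction)"
"Scope $($scope.ScopeId) ($($scope.Name)) NAP: $($scope.NapEnable); profile: '$($scope.NapProfile)'"
```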

Network Access Protection with 802.1X

You can provide NAP enforcement to an IEEE 802.1X-capable device, such as a wireless access point, authenticating switch, or other network device. NAP enforcement occurs when client computers try to access the network through these devices.

NAP with 802.1X has the following characteristics:

RADIUS client computers must be added in the NPS console and are identified by host name or IP address.

A shared secret must be configured in the NPS server and the device to identify the RADIUS client computer.

Server certificates must be installed and client computers must trust these certificates.

Network authentication must use EAP authentication methods: secure passwords, smart cards or other certificates.

If your access points support VLANs, you can configure that information for NPS. For example, the restricted network may be a VLAN.

When you create network policies and connection request policies, the type of network access server should be set to Unspecified.

Connection request policies must be configured to use PEAP authentication in the policy.

Lab: Implementing Network Services

Scenario

A. Datum has grown quickly over the last few years in several ways. The company has deployed several
new branch offices, it has significantly increased the number of users in the organization, and it has
expanded the number of partner organizations and customers who are accessing A. Datum websites and
applications. This expansion has resulted in increasing complexity of the network infrastructure at A.
Datum, and has also meant that the organization has to be much more aware of network level security.

IT management and the security group at A. Datum are also concerned with the level of compliance for all
client computers on the network. A. Datum plans to implement NAP for all client computers and all client
computer connections, but is starting with a pilot program to enable NAP for VPN users.
As one of the senior network administrators at A. Datum, you are responsible for implementing the
new features in the Windows Server 2012 environment. You will implement some new DHCP and DNS
features, and then implement IPAM to simplify the process for managing the IP infrastructure. You will
also implement NAP for external VPN users.

Objectives

Configure new features in DNS and DHCP.

Configure IP Address Management.

Configure NAP for VPN client computers.

Verify the NAP deployment.

Lab Setup
Estimated time: 75 minutes

Virtual Machines

20417A-LON-DC1
20417A-LON-SVR1
20417A-LON-SVR2
20417A-LON-CL1

User Name

Adatum\Administrator

Password

Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   a. User name: Adatum\Administrator

   b. Password: Pa$$w0rd

5. Repeat steps 2 - 4 for 20417A-LON-SVR1, 20417A-LON-SVR2 and 20417A-LON-CL1.

Exercise 1: Configure new features in DNS and DHCP

Scenario


To increase security in your network, you want to implement new security features in DNS and DHCP. Also, you want to achieve high availability for the IP addressing system. Therefore, you decided to implement DHCP Failover.

The main tasks for this exercise are as follows:

1. Configure DNSSEC.

2. Configure DHCP Name Protection.

3. Configure DHCP Failover.

Task 1: Configure DNSSEC

1. On LON-DC1, start the DNS Management console.

2. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

3. Verify the DNSKEY resource records were created in the Trust Points zone.

4. Close the DNS Management console.

5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix and requires DNS client computers to check that the name and address data is validated.

6. Close the Group Policy Management Editor and Group Policy Management console.

Task 2: Configure DHCP Name Protection

1. Start the DHCP Management console.

2. Configure Name Protection for the IPv4 node.

Task 3: Configure DHCP Failover

1. On LON-SVR1, start the DHCP console and view the current state of DHCP. Note the server is authorized but no scopes are configured.

2. On LON-DC1, in the DHCP Management console, start the failover wizard.

3. Configure failover replication with the following settings:

   o Partner server = 172.16.0.21

   o Relationship Name = Adatum

   o Maximum Client Lead Time = 15 minutes

   o Mode = Load balance

   o Load Balance Percentage = 50%

   o State Switchover Interval = 60 minutes

   o Message authentication shared secret is Pa$$w0rd

   o Complete the wizard

4. Switch to LON-SVR1 and notice that the IPv4 node is active and the Adatum scope is configured.

5. Close the DHCP console on both LON-DC1 and LON-SVR1.
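The three tasks above have PowerShell equivalents. The block below is an added example, not part of the course labs: it runs on LON-DC1 with the DnsServer, DnsClient and DhcpServer modules that the DNS and DHCP Server roles install, reuses the failover settings listed in Task 3, and assumes 'Default Domain Policy' as the GPO that carries the NRPT rule (the lab does not name one).

```powershell
# Added example, not from the course: scripted Exercise 1 on LON-DC1.
# Assumes DNS Server, DHCP Server and Group Policy Management tools are installed here.

$zone         = 'Adatum.com'
$partner      = '172.16.0.21'           # LON-SVR1, from the Task 3 settings
$sharedSecret = 'Pa$$w0rd'              # lab value; use a real secret outside the lab
$nrptGpo      = 'Default Domain Policy' # assumption: the lab does not name the GPO

# Task 1: sign the zone with the wizard defaults, then prove the DNSKEY records exist.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
$dnskeys = Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
if (-not $dnskeys) { throw "Zone $zone has no DNSKEY records; signing did not complete." }
"$zone now carries $(@($dnskeys).Count) DNSKEY record(s)."

# Task 1, step 5: NRPT rule in Group Policy so clients require validated answers for the suffix.
# Without -DnsSecValidationRequired, clients would request DNSSEC but still accept unvalidated data.
Add-DnsClientNrptRule -GpoName $nrptGpo -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired -Comment "Require DNSSEC validation for $zone"

# Task 2: DHCP name protection on the IPv4 node (server-level DNS setting).
Set-DhcpServerv4DnsSetting -NameProtection $true
if (-not (Get-DhcpServerv4DnsSetting).NameProtection) { throw 'Name protection did not apply.' }

# Task 3: failover relationship with the lab settings, covering every IPv4 scope on this server.
$scopes = Get-DhcpServerv4Scope
if (-not $scopes) { throw 'No IPv4 scopes exist; create the Adatum scope before adding failover.' }
Add-DhcpServerv4Failover -Name 'Adatum' -PartnerServer $partner -ScopeId $scopes.ScopeId `
    -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $sharedSecret -Force

# Step 4 check, from the partner's side: the relationship and scopes should now exist on LON-SVR1.
Get-DhcpServerv4Failover -ComputerName $partner | Format-List Name, Mode, State, ScopeId
```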

Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.

Exercise 2: Configuring IP Address Management

Scenario

A. Datum is evaluating solutions for simplifying IP management. Because you implemented Windows Server 2012, you decide to implement IPAM.

The main tasks for this exercise are as follows:

1. Install the IPAM Feature.

2. Configure IPAM Related GPOs.

3. Configure IP Management Server Discovery.

4. Configure Managed Servers.

5. Configure and Verify a New DHCP Scope with IPAM.

Task 1: Install the IPAM Feature

On LON-SVR2, in Server Manager, add the IPAM feature and all required supporting features.

Task 2: Configure IPAM Related GPOs

1. On LON-SVR2, in Server Manager, click IPAM.

2. From the IPAM Overview pane provision the IPAM server.

3. Enter IPAM as the GPO name prefix.

Task 3: Configure IP Management Server Discovery

1. From the IPAM Overview pane, configure server discovery for the Adatum domain.

2. From the IPAM Overview pane, start the server discovery process.

3. In the yellow banner, click the More link to determine the discovery status.

Task 4: Configure Managed Servers

1. From the IPAM Overview pane, add the servers to manage. Verify that IPAM access is currently blocked for LON-DC1.

2. Start Windows PowerShell and grant the IPAM server permission. Use the following command:

   Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com

3. In the IPAM console, for LON-SVR1 and LON-DC1, set the manageability status to be Managed.

4. Switch to LON-DC1 and refresh Group Policy.

5. Switch to LON-SVR1, and refresh Group Policy.

6. Switch back to LON-SVR2 and refresh the IPAM console view.

7. Switch back to LON-SVR2, and in the IPAM console, configure LON-SVR1 to be Managed.

8. Refresh the Server Access Status and refresh the console view until LON-DC1 and LON-SVR1 show an IPAM Access Status of Unblocked. This may take 10-15 minutes to complete.

9. From the IPAM Overview pane retrieve data from the managed server.

Task 5: Configure and Verify a New DHCP Scope with IPAM

1. Use IPAM to create a new DHCP scope called TestScope with the following parameters:

   o The scope start address will be 10.0.0.50.

   o The scope end address will be 10.0.0.100.

   o The subnet mask will be 255.0.0.0.

   o The default gateway will be 10.0.0.1.

2. On LON-DC1, verify the TestScope in the DHCP MMC.

3. Right-click the TestScope and then click Deactivate. Click Yes.

4. Close the DHCP console.

5. On LON-SVR2, close all open windows.


Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.

Exercise 3: Configuring NAP

Scenario

A. Datum has identified that remote client computers that connect through VPN have inconsistent security configuration. Because these client computers are accessing important data, it is important for all client computers to comply with company security policy. To increase the security of your network and better manage client computers that establish remote connections, you decide to implement NAP for all VPN connections.

The main tasks for this exercise are as follows:

1. Configure Server and Client Certificate Requirements.

2. Install the Network Policy Server Role.

3. Configure Health Policies.

4. Configure Network Policies for Compliant and Noncompliant Computers.

5. Configure Connection Request Policies for VPN.

Task 1: Configure Server and Client Certificate Requirements

1. On LON-SVR2, create a new management console for Certificates focused on the local computer.

2. Enroll a Computer certificate for LON-SVR2.

3. Switch to LON-CL1 and log on as Adatum\Administrator with the password of Pa$$w0rd.

4. Create a new management console for Certificates focused on the local computer.

5. Enroll a Computer certificate for LON-CL1.

Task 2: Install the Network Policy Server Role

On LON-SVR2, add the Network Policy Server role service.

Task 3: Configure Health Policies

1. On LON-SVR2, open the Network Policy Server console.

2. Configure the Windows Security Health Validator to only validate that the Windows Firewall is enabled.

3. Create two new Health Policies: one for compliant computers that pass all SHV checks and one for noncompliant computers that fail one or more SHV checks.

Task 4: Configure Network Policies for Compliant and Noncompliant Computers

1. Configure a network policy for compliant computers in such a way that the health policy allows them full network access. Name the policy Compliant Full-Access.

2. Configure a network policy for noncompliant computers in such a way that the health policy enables them to exchange packets with LON-DC1 at 172.16.0.10 only. Name the policy Noncompliant-Restricted.

Task 5: Configure Connection Request Policies for VPN

1. Disable the two default connection request policies.

2. Configure a new Connection Request Policy called VPN connections.

3. Add conditions for Point to Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), and Layer 2 Tunneling Protocol (L2TP).

4. Ensure requests are authenticated on this server and will override network policy authentication.

5. Add Protected Extensible Authentication Protocol (PEAP) and edit it to enforce network access protection.

Results: After completing this exercise you will be able to configure server and client computer certificate requirements, install the NPS server role, configure health policies, configure network policies, and configure connection request policies for VPN.

Exercise 4: Verifying the NAP Deployment

Scenario

After you have implemented the NAP infrastructure and configured policies, you want to test NAP with a VPN client computer.

The main tasks for this exercise are as follows:

1. Configure Security Center.

2. Enable a Client NAP Enforcement Method.

3. Allow Ping on LON-SVR2.

4. Move the Client to the Internet and Establish a VPN Connection.

5. To prepare for next module.

Task 1: Configure Security Center

1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Use gpedit.msc to open Local Group Policy and turn on the Security Center.

Task 2: Enable a Client NAP Enforcement Method

1. Use the NAP Client Configuration MMC to enable the EAP Quarantine Enforcement Client on LON-CL1.

2. Enable and start the NAP agent service.

Task 3: Allow Ping on LON-SVR2

On LON-SVR2, open Windows Firewall with Advanced Security.

Configure a new inbound rule that allows ICMPv4 echo packets through the firewall.

Task 4: Move the Client to the Internet and Establish a VPN Connection

1. Configure LON-CL1 with the following IP address settings:

   o IP address: 131.107.0.20

   o Subnet Mask: 255.255.0.0

2. In Hyper-V Manager, right-click 20417A-LON-CL1 and then click Settings.

3. Click Legacy Network Adapter and then under Network select Private Network 2, click OK.

4. Verify that you can ping 131.107.0.1.

5. Create a VPN on LON-CL1 with the following settings:

   o Name: Adatum VPN

   o Internet address: 131.107.0.2

6. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

7. Under Authentication, click Use Extensible Authentication Protocol (EAP).

8. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.

9. Ensure that the Verify the server's identity by validating the certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box.

10. Test the VPN connection.

To prepare for next module

Revert virtual machines to their initial state.
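The server and client preparation steps in Exercises 3 and 4 (NPS role service, the ICMPv4 rule, the EAP enforcement client and the NAP Agent service) can be scripted. This block is an added example, not part of the course; it assumes the Windows Server 2012 ServerManager and NetSecurity modules on LON-SVR2, the NAP client on LON-CL1, 79623 as the EAP enforcement client ID that netsh reports, and C:\NpsConfig.txt as a chosen output path.

```powershell
# Added example, not from the course: scripted counterparts of the preparation steps in
# Exercises 3 and 4. The health, network and connection request policies stay in the console.

# ----- LON-SVR2 (NPS / VPN side) -----
# Exercise 3, Task 2: install the Network Policy Server role service with its console.
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

# Exercise 4, Task 3: allow inbound ICMPv4 echo requests (type 8) so the client can test reachability.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request (lab)' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any

# Module best practice: save the NPS configuration to a text file once the policies exist, so a
# later change to any policy can be compared against this baseline.
netsh nps show config > C:\NpsConfig.txt

# ----- LON-CL1 (client side) -----
# Exercise 4, Task 2, step 1: enable the EAP Quarantine Enforcement Client. 79623 is its ID as
# listed by 'netsh nap client show config'; the Remote Access enforcement client is a separate entry.
netsh nap client set enforcement ID=79623 ADMIN="ENABLE"

# Exercise 4, Task 2, step 2: the NAP Agent service (napagent) must start automatically and be running.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Checks before the VPN test. A client that fails either check sends no statement of health,
# so neither the compliant nor the noncompliant network policy can match it.
if ((Get-Service -Name napagent).Status -ne 'Running') { throw 'NAP Agent is not running.' }
$config = netsh nap client show config
if (-not ($config -match 'EAP Quarantine Enforcement Client')) {
    throw 'EAP Quarantine Enforcement Client is not listed in the NAP client configuration.'
}
$config | Select-String -Pattern 'EAP Quarantine Enforcement Client' -Context 0, 2
```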

Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.

Module Review and Takeaways

Best Practices

Ensure that IPv6 is enabled on the IPAM server in order to manage IPv6 address spaces.

Use Group Policy to configure NRPT tables for DNSSEC client computers.

Disable authentication protocols that you are not using.

Document the NPS configuration by using netsh nps show config > Path\File.txt to save the configuration to a text file.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip

Unable to connect to the IPAM server.

Noncompliant NAP client computers are being denied network access instead of being sent to the restricted network.

Review Question

Question: What is a major drawback of IPAM?

Real-world Issues and Scenarios

Scenario: Tailspin Toys wants to implement IPsec NAP enforcement. What infrastructure components have to be in place to support this method?

Scenario: You have implemented DNSSEC, but now you have to disable DNSSEC. How will you disable DNSSEC?

Tools

Tool / Use / Where to find it

Tool: DNS Management Console
Use: Configure all aspects of DNS
Where to find it: In Server Manager under the Tools drop-down list.

Tool: DHCP Management Console
Use: Configure all aspects of DHCP
Where to find it: In Server Manager under the Tools drop-down list.

Tool: Remote Access Management Console
Use: Configure remote access such as VPN
Where to find it: In Server Manager under the Tools drop-down list.

Tool: NAP configuration wizard
Use: Configure the NAP Enforcement Point
Where to find it: Open the NPS (Local) console. In Getting Started, under Standard Configuration, select Network Access Protection (NAP), and then click Configure NAP.


Module 6
Implementing DirectAccess
Contents:

Module Overview 6-1

Lesson 1: Overview of DirectAccess 6-2

Lesson 2: Installing and Configuring DirectAccess Components 6-14

Lab: Implementing DirectAccess 6-24

Module Review and Takeaways 6-33

Module Overview

Introduced in Windows Server 2008 R2, the DirectAccess feature is a technology that enables users to securely connect to data and resources in corporate networks without using traditional virtual private network (VPN) technology. In Windows Server 2012, DirectAccess is now one of three component technologies (DirectAccess, Routing, and Remote Access) that are integrated into a single, unified server role called Windows Server 2012 Remote Access. DirectAccess seamlessly integrates and coexists with what was formerly called the Routing and Remote Access service (RRAS). DirectAccess itself is expanded to add features such as integrated accounting, express setup for small and medium deployments, and multiple domain support.

In this module, you will learn how DirectAccess works for internal and external clients. You will also learn
the new DirectAccess features introduced in Windows Server 2012 and Windows 8. In addition, you will
learn how to install and configure DirectAccess in different scenarios.

Objectives
After completing this module, you will be able to:

Describe the DirectAccess functionality in Windows Server 2012 and Windows 8.

Install and configure DirectAccess in Windows Server 2012 and Windows 8.

Lesson 1

Overview of DirectAccess

DirectAccess enables remote users to securely access corporate resources, such as email servers, shared folders, or internal websites without connecting to a VPN. Also, DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. With the new unified management experience, you can configure DirectAccess and older VPN connections from one location. Other enhancements in DirectAccess include simplified deployment, and improved performance and scalability. This lesson provides an overview of the DirectAccess architecture and components.

Lesson Objectives
After completing this lesson, you will be able to:

Discuss the problems with remote connections.

Describe the use of DirectAccess.

Describe the new features of DirectAccess in Windows Server 2012.

Describe the DirectAccess components.

Describe the use of the Name Resolution Policy Table.

Describe how DirectAccess works for internal clients.

Describe how DirectAccess works for external clients.

Problems with Remote Connections
Organizations often rely on traditional VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections usually need to be configured manually. This sometimes presents interoperability issues in situations where users are using multiple different VPN clients. Additionally, VPN connections face the following problems:

The user must initiate the VPN connection.

The connection requires several steps and the connection process takes at least several seconds, or even more.

The connection could require additional configuration on the corporate firewall. If not properly configured on the firewall, VPN connections usually enable remote access to the entire corporate network.

Troubleshooting failed VPN connections can make up a significant portion of Help Desk calls for many organizations.

Moreover, organizations cannot effectively manage remote computers unless they are connected. VPN-based remote client computers present a challenge to IT professionals because these computers might not connect to the internal network for weeks at a time, preventing them from downloading Group Policy objects (GPOs) and software updates.

Also, if the organization does not require additional health checks in order to establish a network VPN connection, computers that are not updated and protected on a regular basis may contain malware. This malware could attempt to spread inside the corporate network through e-mail, shared folders, or automated network attacks.

DirectAccess Extends the Network to the Remotely-Connected Computers and Users

To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers because they are always connected.

What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure for internal users and remote users. Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any IPv6-capable application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers. Using the same management and update servers, you can ensure they are always up-to-date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access when compared with defining access control policies in VPN solutions.
DirectAccess offers the following features:

Connects automatically to the corporate intranet when connected to the Internet

Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS is typically allowed through firewalls and proxy servers

Supports selected server access and end-to-end Internet Protocol Security (IPsec) authentication with intranet network servers

Supports end-to-end authentication and encryption with intranet network servers

Supports management of remote client computers

Allows remote users to connect directly to intranet servers

DirectAccess provides the following benefits:

Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is also connected to the intranet. This connectivity enables remote client computers to access and update applications more easily. It also makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere and anytime, thereby improving their productivity and performance.

Seamless connectivity. DirectAccess provides a consistent connectivity experience whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and process. This consistency can reduce training costs for users, with fewer support incidents.

Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have access to intranet resources and you can also have access from the intranet to those DirectAccess clients. Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always updated with recent security updates, the domain Group Policy is enforced, and there is no difference whether the users are on the corporate intranet or on the public network. This bidirectional access also results in:

Decreased update time

Increased security

Decreased update miss rate

Improved compliance monitoring

Manage-out Support. This feature is new in Windows Server 2012 and provides the ability to enable only remote management functionality in the DirectAccess client. This new sub-option of the DirectAccess client configuration wizard automates the deployment of policies that are used for managing the client computer. Manage-out support does not implement any policy options that allow users to connect to the network for file or application access. Manage-out support is unidirectional, incoming-only access for administration purposes only.

Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. You can use a granular policy to specifically define which user can use DirectAccess, and the location from which the user can access it. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe.

Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and Network Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.

What's New in DirectAccess in Windows Server 2012
In Windows Server 2012, DirectAccess has several enhancements, especially in regards to bypassing some common technology issues such as requirements for public key infrastructure (PKI) and public IP addresses.

Improved DirectAccess Management
DirectAccess in Windows Server 2012 has been improved in the following ways:

DirectAccess and RRAS coexistence. The Windows Server 2012 DirectAccess and RRAS unified server role solves the problems of interoperability of Denial of Service Protection (DoSP) and Internet Key Exchange version 2 (IKEv2).

Rich monitoring of clients. You can view the health of user computers and servers along with
deployment monitoring and diagnostics in a single console in DirectAccess. Using the dashboard,
you can have top-level information about Remote Access servers and client activity. User and client
computer monitoring can provide you with information on which resources are accessed by the
clients.

Integrated accounting and reporting. Accounting and reporting is now integrated in the console and
provides the ability to measure specific metrics. It also enables administrators to generate rich usage
reports on various user and server statistics.

Windows PowerShell and Server Core support. Windows Server 2012 provides full Windows
PowerShell support for the setup, configuration, management, monitoring, and troubleshooting of
the Remote Access Server Role.

Unified management wizard and tools. You can use a single wizard and console for DirectAccess
configuration, management, and monitoring.

Works with existing infrastructure. You do not need to upgrade your existing domain controllers to
Windows Server 2012.

IPv6 for internal network is no longer required. This is because transition technologies such as network
address translation 64 (NAT64) and Domain Name System 64 (DNS64) allow access to internal
resources that are run only on IPv4 computers. Previously, this functionality was only possible to
achieve with deployments that included Microsoft Unified Access Gateway Server.

Single network adapter. You can implement your DirectAccess server behind a NAT with a single
network adapter.

Single IP address. In certain deployment scenarios, you can even use a single IP address for the
DirectAccess server. This makes deployment easier in comparison to the DirectAccess deployment
in Windows Server 2008.

Simplified DirectAccess Deployment

The DirectAccess deployment has been simplified. Windows Server 2012 provides Express Setup for small
and medium deployment. Express Setup includes the following characteristics:

PKI deployment is optional, because the wizard creates a self-signed certificate without the need
for certificate revocation lists (CRLs). This functionality is achieved by using the HTTPS-based
Kerberos proxy (built into Windows Server 2012), which accepts client authentication requests and
sends them to domain controllers on behalf of the client.

Single IPsec tunnel configuration.

Single factor authentication only; no support for smart card integration or using one-time
password (OTP).

Works only with client computers running Windows 8.

Performance and Scalability Improvements


DirectAccess includes the following improved features in performance and scalability:

Support for high availability and external load balancers. Windows Server 2012 supports network load
balancing (NLB) to achieve high availability and scalability for both DirectAccess and RRAS. The setup
process also provides integrated support for third party external hardware-based load balancer
solutions.

Improved support for Receive Side Scaling (RSS). DirectAccess provides support for RSS and supports running DirectAccess in virtual machines with increased density:

IP-HTTPS interoperability and performance improvements. The Windows Server 2012 DirectAccess implementation removes double encryption when using IP-HTTPS. Also, it reduces the time for duplicate address detection, resulting in a significant performance improvement.

Lower bandwidth utilization. Windows Server 2012 reduces the overhead associated with establishing connectivity methods and optimizes batched send behavior and receive buffers, which results in overall lower bandwidth utilization. Additionally, Windows Server 2012 DirectAccess supports receive side scaling with User Datagram Protocol (UDP).

New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:

Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different network locations, the Windows 8 device automatically chooses the closest endpoint. (For the Windows 7 operating system, you have to specify the endpoint manually.) This also works for distributed file system (DFS) shares that are redirected to an appropriate Active Directory site.

Multiple domain support. This feature is integrated with Windows Server 2012.

Deploy a server behind a NAT. You can deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a single or multiple interfaces, removing the prerequisite for a public address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be established by using a secure HTTP connection.

Support for OTP and virtual smart cards. This feature requires a PKI deployment. If the option is selected in the DirectAccess Setup Wizard, the Use computer certificates option is automatically selected. Also, DirectAccess can use the Trusted Platform Module (TPM)-based virtual smart card, which uses the TPM of a client computer to act as a virtual smart card for two-factor authentication.

Offload network adapters with support for network teaming. Network teaming in Windows Server 2012 is fully supported without the need for third-party drivers.

Off-premise provisioning. With the new djoin tool, you can easily provision a non-domain computer with an Active Directory blob, so that the computer can be joined to a domain without ever having been connected to your internal premises.

DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure components:

DirectAccess server

DirectAccess clients

Network location server

Internal resources

Active Directory domain

Group Policy

PKI (Optional for the internal network)

DNS server

NAP server

DirectAccess Server

The DirectAccess server can be any domain-joined Windows Server 2012 computer that accepts connections
from DirectAccess clients and establishes communication with intranet resources. This server provides
authentication services for DirectAccess clients and acts as an IPsec tunnel mode endpoint for external
traffic. The new Remote Access server role allows centralized administration, configuration, and
monitoring for both DirectAccess and VPN connectivity.

Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium organizations, by removing the need for a
full PKI deployment and removing the requirement for two consecutive public IPv4 addresses for the
physical adapter that is connected to the Internet. In Windows Server 2012, the wizard detects the actual
implementation state of the DirectAccess server and automatically selects the best deployment, thereby
hiding from the administrator the complexity of manually configuring IPv6 transition technologies.

DirectAccess Clients
DirectAccess clients can be any domain-joined computer running Windows 8, Windows 7 Enterprise
Edition, or Windows 7 Ultimate Edition.
Note: With off-premise provisioning, you can join the client computer in a domain without
connecting the client computer in your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.

Network Location Server

DirectAccess clients use the network location server (NLS) to determine their location. If the client
computer can connect to the NLS with HTTPS, then the client computer assumes it is on the intranet and disables
DirectAccess components. If the NLS is not contactable, the client assumes it is on the Internet. The NLS
server is installed with the web server role.
Note: The URL for the NLS is distributed by using a GPO.

Internal Resources

You can configure any IPv6-capable application that is running on internal servers or client computers
to be available for DirectAccess clients. For older applications and servers that are not based on Windows and
have no IPv6 support, Windows Server 2012 now includes native support for a protocol translation (NAT64)
and name resolution (DNS64) gateway to convert IPv6 communication from DirectAccess clients to IPv4 for
the internal servers.
Note: As done in the past, this functionality can also be achieved with Microsoft
Forefront Unified Access Gateway Server. Likewise, as in past versions, these translation services
do not support sessions initiated by internal devices; rather they support requests originating
from IPv6 DirectAccess clients only.

Active Directory Domain

You must deploy at least one Active Directory domain, running at a minimum Windows Server 2008 R2
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support
which allows client computers from different domains to access resources that may be located in different
trusted domains.

Group Policy

Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

PKI
PKI deployment is optional for simplified configuration and management. Windows Server 2012
DirectAccess enables client authentication requests to be sent over an HTTPS-based Kerberos proxy
service running on the DirectAccess server. This eliminates the need for establishing a second IPsec
tunnel between clients and domain controllers. The Kerberos proxy sends Kerberos requests to
domain controllers on behalf of the client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication,
and force tunneling, you still need to implement certificates for authentication for every client that will
participate in DirectAccess communication.

DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a
third-party DNS server that supports DNS message exchanges over ISATAP.

NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. Windows Server 2012
DirectAccess provides the ability to configure the NAP health check directly from the setup user interface
instead of manually editing GPOs, as was required in Windows Server 2008 R2 DirectAccess.
Additional Reading: The DNS server does not listen on the ISATAP interface on a
Windows Server 2008-based computer
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://technet.microsoft.com/en-us/library/hh831730.aspx

Name Resolution Policy Table
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows 8 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client's behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT:

If a match is found, the request is processed according to the settings in the NRPT rule.

If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.

DNS settings are configured depending on the client location:

For a remote client computer, the DNS servers are typically the Internet DNS servers configured through the Internet Service Provider (ISP).

For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers configured through Dynamic Host Configuration Protocol (DHCP).

Single-label names, for example, http://internal, typically have configured DNS search suffixes appended to the name before they are checked against the NRPT.

If no DNS search suffixes are configured, and the single-label name does not match any other single-label name entry in the NRPT, the request is sent to the DNS servers specified in the client's TCP/IP settings.
Namespaces, for example, internal.adatum.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests are sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.adatum.com in the NRPT, the name must be publicly resolvable when the client queries the DNS servers specified in its TCP/IP settings.

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
Some names need to be treated differently with regards to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name resolution mechanism uses the following, in order:

The local name cache

The hosts file

The NRPT
Then, the name resolution mechanism finally sends the query to the DNS servers specified in the TCP/IP settings.
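The lookup order described above, modelled as an added example in Python (not course material or Windows code): a small DNS-client model walks the local cache, the hosts file and the NRPT before falling back to the interface-configured servers, with an exemption rule for a constructed NLS name and search-suffix handling for single-label names. All namespaces, server addresses and suffixes are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NrptRule:
    """One NRPT entry (constructed model, not the Windows data structure).

    A namespace that starts with '.' is a suffix rule, such as
    '.internal.adatum.com'; without the leading dot it matches one exact FQDN.
    An empty server list marks an exemption: queries for that name go to the
    interface-configured DNS servers instead of through DirectAccess.
    """
    namespace: str
    da_name_servers: List[str] = field(default_factory=list)

    def matches(self, fqdn: str) -> bool:
        ns, name = self.namespace.lower(), fqdn.lower().rstrip(".")
        if ns.startswith("."):
            return name.endswith(ns) or name == ns[1:]
        return name == ns

    @property
    def is_exemption(self) -> bool:
        return not self.da_name_servers


@dataclass
class Decision:
    query_name: str      # name actually queried (a search suffix may be appended)
    path: str            # "cache", "hosts", "nrpt" or "interface"
    servers: List[str]   # DNS servers the query goes to; empty if answered locally


@dataclass
class DnsClient:
    """Name-resolution order of a DirectAccess client: local cache, hosts file,
    NRPT, and finally the DNS servers from the adapter's TCP/IP settings."""
    nrpt: List[NrptRule]
    interface_dns: List[str]
    search_suffixes: List[str] = field(default_factory=list)
    local_cache: Dict[str, str] = field(default_factory=dict)
    hosts_file: Dict[str, str] = field(default_factory=dict)

    def _best_rule(self, fqdn: str) -> Optional[NrptRule]:
        # The most specific (longest) matching namespace wins, so an exemption
        # for nls.internal.adatum.com overrides the .internal.adatum.com rule.
        hits = [r for r in self.nrpt if r.matches(fqdn)]
        return max(hits, key=lambda r: len(r.namespace)) if hits else None

    def resolve(self, name: str) -> Decision:
        key = name.lower().rstrip(".")
        if key in self.local_cache:
            return Decision(key, "cache", [])
        if key in self.hosts_file:
            return Decision(key, "hosts", [])
        # Single-label names get the configured search suffixes appended before
        # the NRPT check; the bare label is still compared against exact rules.
        candidates = [key]
        if "." not in key:
            candidates = [f"{key}.{s.strip('.')}" for s in self.search_suffixes] + [key]
        for candidate in candidates:
            rule = self._best_rule(candidate)
            if rule is None:
                continue
            if rule.is_exemption:
                return Decision(candidate, "interface", list(self.interface_dns))
            return Decision(candidate, "nrpt", list(rule.da_name_servers))
        # No NRPT match: the query goes to the interface-configured servers.
        return Decision(candidates[0], "interface", list(self.interface_dns))


# Constructed sample policy: the intranet namespace is resolved through
# DirectAccess by an intranet DNS server, while the NLS FQDN is exempted so the
# location probe uses whatever DNS servers the current network provides.
SAMPLE_NRPT = [
    NrptRule(".internal.adatum.com", ["2001:db8:1::53"]),
    NrptRule("nls.internal.adatum.com"),  # exemption: no DirectAccess servers
]

# A client on the Internet: an ISP-assigned DNS server and the corporate suffix.
INTERNET_CLIENT = DnsClient(
    nrpt=SAMPLE_NRPT,
    interface_dns=["198.51.100.53"],
    search_suffixes=["internal.adatum.com"],
    hosts_file={"localhost": "::1"},
)

if __name__ == "__main__":
    for n in ["mail.internal.adatum.com", "nls.internal.adatum.com",
              "internal", "www.example.com", "localhost"]:
        d = INTERNET_CLIENT.resolve(n)
        print(f"{n:26} -> {d.path:9} {d.query_name} {d.servers}")
```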
Question: How can you benefit from the NRPT?
Question: How can you benefit by using connection security rules for DirectAccess?

How DirectAccess Works for Internal Client Computers
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access the NLS URL to determine if they are located on the intranet or on a public network. The DirectAccess server can also be the NLS. In some organizations where DirectAccess is a business-critical service, the NLS should be highly available. Generally, the web server on the NLS does not have to be dedicated just for supporting DirectAccess clients.

It is critical that the NLS is available from each company location, because the behavior of the DirectAccess client depends on the response from the NLS. Branch locations may need a separate NLS at each branch location to ensure that the NLS remains accessible even when there is a link failure between branches.

How DirectAccess Works for Internal Clients

The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL. Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the NLS, during which process it obtains the certificate of the NLS.

3. Based on the CRL distribution points field of the NLS's certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to determine if the NLS's certificate has been revoked.

4. Based on an HTTP 200 Success of the NLS URL (successful access and certificate authentication and revocation check), the DirectAccess client switches to the domain firewall profile and ignores the DirectAccess rules in the NRPT for the remainder of the session.

5. The DirectAccess client computer attempts to locate and log on to the Active Directory Domain Services (AD DS) domain by using its computer account. Because the client no longer references any DirectAccess rules in the NRPT for the rest of the connected session, all DNS queries are sent through interface-configured DNS servers (intranet-based DNS servers). With the combination of network location detection and computer domain logon, the DirectAccess client configures itself for normal intranet access.

6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain (firewall network) profile to the attached network.

By design, the DirectAccess Connection Security tunnel rules are scoped for the public and private firewall profiles, so they are disabled from the list of active connection security rules.
The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). The DirectAccess client can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server.

How DirectAccess Works for External Client Computers
When a DirectAccess client starts, it determines whether it is connected to the intranet by trying to reach the URL address specified for the NLS. Because the client computer cannot communicate with the NLS, it starts to use the NRPT and connection security rules. The NRPT has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources.
The DirectAccess client first attempts to access the NLS. Then, the client attempts to locate a domain controller. Afterwards, the client attempts to access intranet resources and Internet resources.

DirectAccess Client Attempts To Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:

1. The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client does not send the DNS query to a locally-configured DNS server (an Internet-based DNS server). An external Internet-based DNS server would not be able to resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the DirectAccess exemption rules in the NRPT.

3. Because the NLS is not found on the same network as the DirectAccess client is currently located on, the DirectAccess client applies a public or private firewall network profile to the attached network.

4. The Connection Security tunnel rules for DirectAccess, scoped for the public and private profiles, provide the public or private firewall network profile.

The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts To Locate a Domain Controller


After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates an IPsec tunnel, or infrastructure tunnel, by using the IPsec tunnel mode and Encapsulating Security Payload (ESP) to the DirectAccess server. The process is as follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the DirectAccess client's TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both the computer and the user) authenticates itself with its installed computer certificate and its NT LAN Manager (NTLM) credentials, respectively.

Note: AuthIP enhances authentication in IPsec by adding support for user-based authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol negotiation and usage of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name query response is sent back to the DirectAccess server and back through the IPsec infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts To Access Intranet Resources

The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of destinations for the infrastructure tunnel (such as an email server), the following process occurs:

1. The application or process that attempts to communicate constructs a message or payload and hands it to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that corresponds to the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and with the user account's Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resource. The response is sent back to the DirectAccess server and then back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet traffic whose destination does not match the infrastructure tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts To Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet web server), the following process occurs:

1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query addressed to the IP address of an interface-configured Internet DNS server and hands it to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

3. Because the destination IP address of the DNS name query does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process constructs the first packet to send to the Internet resource. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

6. Because the destination IP address of the packet does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet traffic whose destination matches neither the infrastructure tunnel nor the intranet tunnel connection security rule is sent and received normally.

Accessing the domain controller and accessing intranet resources are very similar processes: both use the NRPT to select the intranet DNS server that resolves the name query, and they differ only in the IPsec tunnel that is established between the client and the DirectAccess server. When accessing the domain controller, all DNS queries and domain logon traffic go through the IPsec infrastructure tunnel; when accessing other intranet resources, a second IPsec tunnel (the intranet tunnel) is established. Note that the NRPT governs only name resolution. Which tunnel carries the data traffic is decided by the connection security rules on the destination address, so traffic sent directly to an intranet IPv6 address is tunneled even though no name was resolved.
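The following Windows PowerShell commands are an added example, not part of the course or of the DirectAccess product documentation. Run in an elevated prompt on a Windows 8 or Windows Server 2012 DirectAccess client that has received its DirectAccess client GPO, they show the two pieces of policy behind the three processes above: the NRPT entries that decide which DNS server a name is sent to, and the tunnel-mode IPsec connection security rules whose remote-address scope selects the infrastructure tunnel or the intranet tunnel. The property names used in the Select-Object calls are taken from the NetSecurity and DnsClient modules as shipped with Windows Server 2012; confirm them with Get-Member if your build differs.

```powershell
# Added example (not course code). Run as administrator on the DirectAccess
# client. Assumes the DirectAccess Client Settings GPO has been applied.

# 1. Effective NRPT: intranet namespaces and the IPv6 DNS servers that
#    queries for names in them are sent to (through the infrastructure tunnel).
Write-Host "== Effective NRPT =="
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
    Format-Table -AutoSize

# 2. Tunnel-mode IPsec connection security rules and their remote-address
#    scope. The rule whose remote addresses are only the DCs, DNS and
#    management servers is the infrastructure tunnel; the rule that covers
#    the whole intranet IPv6 prefix is the intranet tunnel. The phase 1 and
#    phase 2 authentication sets are the credentials described in step 3 of
#    each process (computer certificate, then computer NTLM or user Kerberos).
Write-Host "== Tunnel-mode connection security rules =="
$rules = Get-NetIPsecRule -PolicyStore ActiveStore | Where-Object Mode -eq 'Tunnel'
foreach ($rule in $rules) {
    $addr  = $rule | Get-NetFirewallAddressFilter
    $auth1 = ($rule | Get-NetIPsecPhase1AuthSet -ErrorAction SilentlyContinue).Proposal |
                 ForEach-Object { $_.AuthenticationMethod } | Sort-Object -Unique
    $auth2 = ($rule | Get-NetIPsecPhase2AuthSet -ErrorAction SilentlyContinue).Proposal |
                 ForEach-Object { $_.AuthenticationMethod } | Sort-Object -Unique
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        RemoteAddress = ($addr.RemoteAddress -join ', ')
        Phase1Auth    = ($auth1 -join ', ')   # e.g. MachineCert, MachineKerberos/NTLM
        Phase2Auth    = ($auth2 -join ', ')   # e.g. UserKerberos on the intranet tunnel
    }
}

# 3. Which tunnels are currently up: one main-mode SA per negotiated tunnel,
#    with the identities that authenticated each side.
Write-Host "== Established IPsec main-mode SAs =="
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint,
                  LocalFirstId, RemoteFirstId, LocalSecondId, RemoteSecondId |
    Format-Table -AutoSize
```

Run the script once right after the client starts (only the infrastructure tunnel SA should exist) and again after opening an intranet file share or web page (a second SA, with a user identity in the second-ID columns, appears). If a rule lists no phase 2 authentication set, it is the infrastructure tunnel: user credentials are never part of it.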

Lesson 2
Installing and Configuring DirectAccess Components

In order to install and configure DirectAccess in your organization, you need to meet a number of requirements pertaining to Active Directory configuration, DNS configuration, and certificate services. After these requirements are met, you then install and configure the DirectAccess role. Finally, you configure client computers, and verify that DirectAccess is functional when connecting from both the internal network and the Internet.

In this lesson, you will learn about DirectAccess requirements, how to plan the DirectAccess solution, and the process of installation and deployment of DirectAccess. You will also learn about the new features for implementing DirectAccess in Windows 8.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the prerequisites for implementing DirectAccess.

- Describe the process of configuring DirectAccess.

- Configure AD DS services for DirectAccess.

- Install and configure the DirectAccess server.

- Configure the DirectAccess clients.

- Describe the differences in DirectAccess between Windows 7 and Windows 8.

Prerequisites for Implementing DirectAccess

To deploy DirectAccess, the DirectAccess server, the client computer, and the infrastructure should meet certain requirements.

Requirements for DirectAccess Server

In order to deploy DirectAccess, you need to ensure that the server meets the following hardware and network requirements:

- The server must be joined to an Active Directory domain.

- The server must have the Windows Server 2012 or Windows Server 2008 R2 operating system installed.

- The Windows Server 2012 computer that will be installed as the DirectAccess server can have a single network adapter, connected to the intranet and published over Microsoft Forefront Threat Management Gateway 2010 (TMG) or Microsoft Forefront Unified Access Gateway 2010 (UAG) for the Internet connection. In the deployment scenario where DirectAccess is installed on an edge server, it needs two network adapters, one connected to the internal network and the other connected to the external network.

Note: An edge server is any server that resides on the edge between two or more networks, typically a private network and the Internet.


- Implementing DirectAccess in Windows Server 2012 does not require two consecutive static, public IPv4 addresses to be assigned to the network adapter. However, to achieve two-factor authentication with a smart card or OTP deployment, the DirectAccess server will still need two public IP addresses.

- You can even deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a single interface or multiple interfaces, which removes the need for an additional public address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed; it establishes a secure IP tunnel over an HTTPS connection.

- On the DirectAccess server, you install the Remote Access role to configure DirectAccess settings for the DirectAccess server and clients, and to monitor the status of the DirectAccess server. The Remote Access wizard gives you the option to configure only DirectAccess, only VPN, or both scenarios on the same server running Windows Server 2012. This was not possible in a Windows Server 2008 R2 deployment of DirectAccess.

- For load balancing support, Windows Server 2012 can use NLB (up to 8 nodes) to achieve high availability and scalability for both DirectAccess and RRAS.

Requirements for DirectAccess Client

To deploy DirectAccess, you also need to ensure that the client computer meets certain requirements:

- The client computer must be joined to an Active Directory domain. With the new Windows Server 2012 DirectAccess scenario, it is possible to provision computers for domain membership offline, without the computer having to be on premises.

- The client computer must run Windows 8, Windows 7 Enterprise Edition, Windows 7 Ultimate Edition, Windows Server 2012, or Windows Server 2008 R2.

You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or earlier versions of the Windows operating system.

Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:

- Active Directory. You must deploy at least one Active Directory domain. Workgroups are not supported.

- Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, DirectAccess servers, and management servers.

- DNS and domain controller. You must have at least one domain controller and DNS server running Windows Server 2012, Windows Server 2008 SP2, or Windows Server 2008 R2.

- PKI. You need a PKI to issue the computer certificates used for IPsec authentication and, only when NAP is deployed, health certificates. These certificates can come from an internal CA; you do not need certificates from an external (public) CA. However, the SSL certificate installed on the DirectAccess server for IP-HTTPS must have a CRL distribution point that is reachable from the Internet, and its Subject field must contain the FQDN that Internet DNS resolves to the public IPv4 address assigned to the DirectAccess server. Clients validate this certificate, CRL check included, before any tunnel exists, so a CRL that is only reachable from the intranet makes IP-HTTPS fail.

- IPsec policies. DirectAccess uses IPsec policies that are configured and administered as part of Windows Firewall with Advanced Security.

- Internet Control Message Protocol Version 6 (ICMPv6) Echo Request traffic. You must create separate inbound and outbound rules that allow ICMPv6 Echo Request messages. The inbound rule is required to allow ICMPv6 Echo Request messages and is scoped to all profiles. The outbound rule that allows ICMPv6 Echo Request messages is scoped to all profiles and is only required if outbound blocking is turned on. DirectAccess clients that use Teredo for IPv6 connectivity to the intranet use the ICMPv6 message when establishing communication.

- IPv6 and transition technologies. IPv6 and the transition technologies such as ISATAP, Teredo, and 6to4 must be available for use on the DirectAccess server. On each DNS server running Windows Server 2008 or later (the lab in this module does this on a Windows Server 2012 domain controller), you need to remove the ISATAP name from the global query block list, because the DNS server otherwise refuses to answer queries for that name.

Question: You have a Windows Server 2003 Certificate Authority server in your domain. Can you use the existing PKI infrastructure for DirectAccess, or should you set up a new Certificate Authority server on Windows Server 2008 R2?

Process of Configuring DirectAccess

To configure DirectAccess, perform the following steps:

1. Configure AD DS and DNS requirements:

   o Create a security group in Active Directory and add all client computer accounts that will be accessing the intranet through DirectAccess.

   o Configure both internal and external DNS servers with the appropriate host names and IP addresses.

2. Configure the PKI environment:

   o Add and configure the Certificate Authority server role, create the certificate template and CRL distribution point, publish the CRL, and distribute the computer certificates.

3. Configure the DirectAccess server:

   o Install Windows Server 2012 on a server computer with one or two physical network adapters (depending on the DirectAccess design scenario).

   o Join the DirectAccess server to an Active Directory domain.

   o Install the Remote Access role and configure the DirectAccess server so that it is one of the following:

     - The DirectAccess server is on the perimeter network, with one network adapter connected to the perimeter network and at least one other network adapter connected to the intranet. In this deployment scenario, the DirectAccess server is placed between a front-end firewall and a back-end firewall.

     - The DirectAccess server is published by using an IPsec gateway (TMG or UAG). In this deployment scenario, the DirectAccess server is placed behind a front-end firewall and has one network adapter connected to the internal network.

     - The DirectAccess server is installed on an edge server (typically the front-end firewall) with one network adapter connected to the Internet and at least one other network adapter connected to the intranet.

   An alternative design is that the DirectAccess server has only one network interface, not two. In either design, also perform the following steps:

   o Verify that the ports and protocols needed for DirectAccess and Internet Control Message Protocol (ICMP) Echo Request are enabled in the firewall exceptions and opened on the perimeter and Internet-facing firewalls.

   o In a simplified implementation, the DirectAccess server can use a single public IP address in combination with the Kerberos proxy service for client authentication against domain controllers. For two-factor authentication and integration with NAP, you need to configure at least two consecutive public static IPv4 addresses that are externally resolvable through DNS. Ensure that you have an IPv4 address available and that you are able to publish that address in your externally facing DNS server.

   o If you have disabled IPv6 on clients and servers, enable IPv6, because it is required for DirectAccess.

   o Install a web server to act as the network location server, which DirectAccess clients contact to determine whether they are inside or outside the intranet. You can install this web server on the DirectAccess server or on a separate internal server. Make it highly available: an intranet client that cannot reach the network location server concludes that it is on the Internet, applies the NRPT, and loses name resolution for intranet resources.

   o Based on the deployment scenario, designate one of the server network adapters as the Internet-facing interface (in a deployment with two network adapters), or publish the DirectAccess server that is deployed behind NAT for Internet access.

   o On the DirectAccess server, ensure that the Internet-facing interface is classified as either a Public or a Private interface, depending on your network design. Configure the intranet interfaces as Domain interfaces. If you have more than two interfaces, ensure that no more than two classification types are selected.

4. Configure the DirectAccess clients and test intranet and Internet access:

   o Verify that the DirectAccess Group Policy has been applied and that certificates have been distributed to the client computers.

   o Test whether you can connect to the DirectAccess server from the intranet.

   o Test whether you can connect to the DirectAccess server from the Internet.

Demonstration: Configuring AD DS and Network Services for DirectAccess

In this demonstration, you will see how to:

- Create a security group for DirectAccess computers.

- Configure firewall rules for ICMPv6 traffic.

- Create required DNS records.

- Configure the PKI environment.

Demonstration Steps

Create a security group for DirectAccess client computers

1. On LON-DC1, open the Active Directory Users and Computers console, create an organizational unit named DA_Clients OU, and inside that organizational unit create a global security group named DA_Clients.

2. Add LON-SVR3 to the DA_Clients security group.

3. Close the Active Directory Users and Computers console.

Question: Why did you create the DA_Clients group?

Configure firewall rules GPO for ICMPv6 traffic

1. Open the Group Policy Management console, right-click Default Domain Policy, and then click Edit.

2. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

3. Create a new inbound rule with the following settings:

   o Rule Type: Custom
   o Protocol type: ICMPv6
   o Specific ICMP types: Echo Request
   o Name: Inbound ICMPv6 Echo Requests

4. Create a new outbound rule with the following settings:

   o Rule Type: Custom
   o Protocol type: ICMPv6
   o Specific ICMP types: Echo Request
   o Action: Allow the connection
   o Name: Outbound ICMPv6 Echo Requests

5. Close the Group Policy Management Editor and Group Policy Management consoles.

Create required DNS records

1. Open the DNS Manager console, and then create two new host records with the following settings:

   o Name: nls; IP Address: 172.16.0.22
   o Name: crl; IP Address: 172.16.0.22

2. Close the DNS Manager console.

Question: What is the purpose of the nls.adatum.com DNS host record that you associated with an internal IP address?

Configure the PKI environment

1. Switch to LON-DC1.

2. Open the Certification Authority console.

3. Configure the AdatumCA certification authority with the following extension settings:

   o Add Location: http://crl.adatum.com/crld/
     Variables: CAName, CRLNameSuffix, and DeltaCRLAllowed
     Location suffix: .crl
     Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
     Do not restart Certificate Services yet.

   o Add Location: \\lon-svr2\crldist$\
     Variables: CAName, CRLNameSuffix, and DeltaCRLAllowed
     Location suffix: .crl
     Select Publish CRLs to this location and Publish Delta CRLs to this location.

4. Restart Certificate Services.

5. Close the Certification Authority console.

Configure permissions on the web server certificate template

Note: Users require the Enroll permission on the certificate template.

1. In the Certification Authority console, right-click Certificate Templates, and then click Manage.

2. In the Certificate Templates console, in the Web Server template Properties, on the Security tab, allow Authenticated Users the Enroll permission.

3. Close the Certificate Templates console.

Configure computer certificate auto-enrollment

1. On LON-DC1, open the Group Policy Management console.

2. In the console tree, expand Forest: Adatum.com\Domains\Adatum.com.

3. Edit the Default Domain Policy, and in the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

4. Under Automatic Certificate Request Settings, create a new Automatic Certificate Request.

5. On the Certificate Template page, click Computer, click Next, and then click Finish.

6. Close the Group Policy Management Editor and the Group Policy Management console.
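The CA-side part of this procedure (the CRL distribution points and the Enroll permission on the Web Server template), and the matching Task 2 of the lab later in this module, can be scripted. The following Windows PowerShell script is an added example, not course material; it uses certutil, the ActiveDirectory module and the ADCSAdministration module on LON-DC1. It assumes an enterprise CA on that host (the CA name is read from the registry, so it works for AdatumCA in the demonstration and Adatum-LON-DC1-CA in the lab), and that the crldist$ share on LON-SVR2 is published by IIS at http://crl.adatum.com/crld/. The auto-enrollment GPO setting is left to the console steps above.

```powershell
# Added example (not course code). Run in an elevated PowerShell on the CA
# (LON-DC1) as a CA administrator and domain administrator.
Import-Module ActiveDirectory, ADCSAdministration

$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# --- 1. CRL distribution points ------------------------------------------
# Each CRLPublicationURLs entry is "<flags>:<url>". The flags are the check
# boxes on the Extensions tab; %3 = CAName, %8 = CRLNameSuffix,
# %9 = DeltaCRLAllowed (the variables selected in the demonstration):
#    1  Publish CRLs to this location
#    2  Include in the CDP extension of issued certificates
#    8  Include in CRLs (clients use this to find delta CRL locations)
#   64  Publish delta CRLs to this location
$wanted = @(
    '10:http://crl.adatum.com/crld/%3%8%9.crl'   # 2 + 8  : what certificates and CRLs point to
    '65:\\lon-svr2\crldist$\%3%8%9.crl'           # 1 + 64 : where the CA writes the files
)
$current = @((Get-ItemProperty $regKey).CRLPublicationURLs)
$merged  = @($current + $wanted | Select-Object -Unique)
# certutil takes a multi-string value as one argument with literal \n separators.
certutil -setreg CA\CRLPublicationURLs ($merged -join '\n') | Out-Null
Restart-Service certsvc
Start-Sleep -Seconds 5
certutil -crl | Out-Null                      # publish a CRL to the new location now

# --- 2. Enroll permission for Authenticated Users on the template ---------
# Templates are objects in the Configuration partition; Enroll is the
# control-access right 0e10c968-78fb-11d2-90d4-00c04f79dc55. If you followed
# the lab and duplicated the template, use its CN (display name without
# spaces, e.g. AdatumWebServerCertificate) instead of WebServer.
$templateCn = 'WebServer'
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$tmplDn = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$acl = Get-Acl -Path "AD:\$tmplDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-11',          # Authenticated Users
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55')
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$tmplDn" -AclObject $acl
# Make sure this CA issues the template (no change if it already does).
if (-not (Get-CATemplate | Where-Object Name -eq $templateCn)) {
    Add-CATemplate -Name $templateCn -Force
}

# --- 3. Verify -----------------------------------------------------------
certutil -getreg CA\CRLPublicationURLs
# IP-HTTPS clients fetch the CRL from the Internet before any tunnel exists,
# so the HTTP CDP must answer with the CRL (HTTP 200, application/pkix-crl).
$resp = Invoke-WebRequest -Uri "http://crl.adatum.com/crld/$caName.crl" -UseBasicParsing
'{0} {1} {2} bytes' -f $resp.StatusCode, $resp.Headers['Content-Type'], $resp.RawContentLength
```

Two practitioner notes. The lab's duplicated template allows the private key to be exported; that is only needed if the same IP-HTTPS certificate must be copied to several NLB nodes, so leave it off for a single server. And the HTTP location must be checked from outside the corporate network as well, because the client that needs it most is the one that cannot yet reach the intranet.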

Demonstration: Configuring the DirectAccess Server

In this demonstration, you will see how to:

- Obtain certificates for IPsec.

- Configure DirectAccess.

Demonstration Steps

Obtain the required certificates for LON-SVR2

1. Switch to LON-SVR2.

2. Open Microsoft Management Console by typing the mmc command, and then add the Certificates snap-in for the Local computer account.

3. In the Certificates snap-in, request a new certificate with the following settings:

   o Certificate template: Web Server
   o Common name: 131.107.0.2

4. Verify that a new certificate with the name 131.107.0.2 has been issued with the Intended Purposes of Server Authentication.

5. In the Properties of the 131.107.0.2 certificate, specify the Friendly Name as IP-HTTPS Certificate, and then click OK.

6. In the Certificates console, right-click the certificate with the name lon-svr2.adatum.com, and then click Delete.

7. Close the console without saving it.

Complete the DirectAccess setup wizard on LON-SVR2

1. Open the Server Manager console.

2. From Server Manager, open the Remote Access Management console.

3. Click Configuration; the Enable DirectAccess Wizard starts automatically.

4. Click Next, and wait until the DirectAccess prerequisites page completes loading.

5. Complete the Enable DirectAccess Wizard by using the following settings:

   o DirectAccess Client Setup page, Enter the object names to select: DA_Clients

   o Remote Access Server Setup page:
     Network Topology: Edge
     Type the public name or IPv4 address used by clients to connect to the Remote Access server: 131.107.0.2

     Note: On this page, you might notice that you are using the IP address of the edge server instead of an FQDN. This is because in this lab environment there is no public DNS server, as there would be in a real-life scenario.

   o Infrastructure Server Setup page: Accept default values

   o Configure Remote Access page: Accept default values

6. Wait until the Enable DirectAccess Wizard finishes applying the configuration, and then click Close.

7. At the command prompt, type the following command:

   GPUpdate /force

8. Close the Server Manager console.
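The same configuration can be applied with the RemoteAccess module instead of the Enable DirectAccess Wizard, which is useful for repeatable builds and for the prerequisite check on its own. The following script is an added example, not course material or product documentation. It uses the lab values from this demonstration (edge topology, public address 131.107.0.2, client group DA_Clients, the IP-HTTPS certificate requested above) and the Install-RemoteAccess parameters of Windows Server 2012; the GPO names and the network location server URL are assumptions, so confirm them, and the parameter set, with Get-Help Install-RemoteAccess -Full before running.

```powershell
# Added example (not course code). Run in an elevated PowerShell on LON-SVR2
# as a domain administrator, after the IP-HTTPS certificate has been issued.
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Import-Module RemoteAccess

# The same prerequisite check that the wizard runs (domain membership, IPv6,
# certificate with a subject matching the connect-to address, interface
# classification), without changing anything.
Install-RemoteAccess -Prerequisite -DAInstallType Full -ConnectToAddress '131.107.0.2'

# Interface roles from the lab addressing: the adapter on 131.107.0.0/16
# faces the Internet, the adapter on 172.16.0.0/16 faces the intranet.
$internet = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -like '131.107.*').InterfaceAlias
$internal = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -like '172.16.*').InterfaceAlias

# Full DirectAccess deployment in edge topology. GPO names and the NLS URL
# are assumptions for this example; -NlsUrl points at a separate internal
# network location server (the nls host record created on LON-DC1).
Install-RemoteAccess -DAInstallType Full -ConnectToAddress '131.107.0.2' `
    -InternetInterface $internet -InternalInterface $internal `
    -ClientGpoName 'adatum.com\DirectAccess Client Settings' `
    -ServerGpoName 'adatum.com\DirectAccess Server Settings' `
    -NlsUrl 'https://nls.adatum.com/' -Force -PassThru

# Scope DirectAccess to the DA_Clients group (the wizard's default is
# Domain Computers, which would enable every domain member), then apply the
# server GPO locally.
Add-DAClient    -SecurityGroupNameList 'adatum\DA_Clients'
Remove-DAClient -SecurityGroupNameList 'adatum\Domain Computers' -ErrorAction SilentlyContinue
gpupdate /force | Out-Null

# Check the result: component health (IP-HTTPS, NLS, DNS, IPsec, ...), the
# client security groups in scope, and the server-side settings.
Get-RemoteAccessHealth | Format-Table Component, HealthState -AutoSize
Get-DAClient
Get-DAServer
```

Get-RemoteAccessHealth is the command-line equivalent of the Operations Status node in the Remote Access Management console; any component that is not OK after the install should be fixed before moving to the client, because the client only reports a generic connection failure.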

Demonstration: Configuring the DirectAccess Client

To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:

- Configure the DirectAccess client.

- Verify that DirectAccess clients have the computer certificate that is required for DirectAccess authentication. This should have been distributed with Group Policy.

- Verify that the client can connect to intranet resources.

Demonstration Steps

Configure the DirectAccess client

1. Switch to LON-SVR3.

2. Open the Command Prompt window and type gpupdate /force to apply Group Policy on LON-SVR3.

3. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is applied in the Computer Settings.

   Note: If the DirectAccess Client Settings GPO is not applied, restart LON-SVR3, and then repeat step 2.

4. Verify that the DNS Effective Name Resolution Policy Table Settings are applied by typing the following command at the command prompt:

   netsh name show effectivepolicy

5. Verify that DNS Effective Name Resolution Policy Table Settings are displayed in the Command Prompt window.

6. Simulate moving the client computer LON-SVR3 out of the corporate network to the Internet by changing the network adapter settings to the following external IP address values:

   o IP address: 131.107.0.10
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.2

7. Disable and then re-enable the Local Area Connection network adapter.

8. In Hyper-V Manager, right-click 20417A-LON-SVR3, and then click Settings. Change the Legacy Network Adapter to the Private Network 2 network.

Verify connectivity to the internal network resources

1. Move the mouse to the lower-left part of the screen, click Start, and then click the Internet Explorer icon.

2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8 web page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. Click Start, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder appears.

5. In the Files shared folder window, double-click the example.txt file. The content of the example.txt file is displayed.

6. Close all open windows.

7. Move the mouse pointer to the lower-right corner of the screen, in the notification area click Search, and in the search box type cmd.

8. At the command prompt, type ipconfig.

9. Notice that the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS address: in this lab the IP-HTTPS prefix is derived from the 6to4 prefix of the DirectAccess server's public IPv4 address, so for 131.107.0.2 (hexadecimal 836b:0002) the client address begins with 2002:836b:2:1:.

Verify connectivity to the DirectAccess server

1. At the command prompt, type the following command:

   netsh name show effectivepolicy

   Verify that the DNS Effective Name Resolution Policy Table Settings present two entries, one for adatum.com and one for Directaccess-NLS.Adatum.com.

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

   Get-DAClientExperienceConfiguration

   Notice the DirectAccess client settings.

Verify client connectivity on the DirectAccess server

1. Switch to LON-SVR2.

2. In the Remote Access Management console, click Remote Client Status. Notice that the client is connected via IPHttps. In the Connection Details pane, in the bottom right of the screen, note the use of Kerberos for the Machine and the User.

3. Close all open programs.

Question: How will you configure an IPv6 address for Windows 8 to use DirectAccess?
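The client-side checks of this demonstration can be run as one Windows PowerShell script so that a failed connection is narrowed down to the GPO, the certificate, the NRPT, the IP-HTTPS transport or the resource itself. The script below is an added example, not course material. It runs in an elevated prompt on the Windows 8 or Windows Server 2012 client (LON-SVR3) after it has been moved to the 131.107.0.0/16 network, and uses the course's lab names; the GPO name and the IP-HTTPS state property names are taken from the wizard defaults and the NetworkTransition module in Windows Server 2012 and should be confirmed with Get-Member if they differ.

```powershell
# Added example (not course code). Run as administrator on the DirectAccess
# client while it is on the "Internet" side (131.107.0.10 in the lab).
$results = [ordered]@{}

# 1. Is the DirectAccess client GPO applied to the computer?
$gp = gpresult /R /SCOPE COMPUTER
$results['DirectAccess client GPO applied'] = ($gp -match 'DirectAccess Client Settings').Count -gt 0

# 2. Computer certificate for IPsec: in the machine store, with a private
#    key, the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' -and
    $_.NotAfter -gt (Get-Date)
}
$results['Computer certificate present'] = [bool]$cert
$results['Computer certificate issuer']  = ($cert | Select-Object -First 1).Issuer

# 3. Effective NRPT: the intranet namespace rule and the NLS exemption
#    (the two entries that netsh name show effectivepolicy lists).
$nrpt = Get-DnsClientNrptPolicy -Effective
$results['NRPT rule for .adatum.com'] = [bool]($nrpt | Where-Object Namespace -eq '.adatum.com')
$results['NRPT exemption for NLS']    = [bool]($nrpt | Where-Object Namespace -like '*nls*')

# 4. IP-HTTPS transport. The prefix is derived from the server's 6to4
#    prefix: 131.107.0.2 = 0x836b:0002, so client addresses start 2002:836b:2:1:.
$state = Get-NetIPHttpsState
$results['IP-HTTPS server URL'] = (Get-NetIPHttpsConfiguration).ServerURL
$results['IP-HTTPS state']      = '{0} (error {1})' -f $state.InterfaceStatus, $state.LastErrorCode
$results['IP-HTTPS address']    = (Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -eq 'iphttpsinterface' -and $_.IPAddress -like '2002:836b:2:1:*' }).IPAddress

# 5. What the Windows 8 network flyout shows the user.
$results['DA connection status'] = (Get-DAConnectionStatus).Status

# 6. Resources behind the intranet tunnel: the IIS page and the file share.
try   { $results['HTTP lon-svr1'] = (Invoke-WebRequest -Uri 'http://lon-svr1.adatum.com/' -UseBasicParsing).StatusCode }
catch { $results['HTTP lon-svr1'] = $_.Exception.Message }
$results['SMB \\lon-svr1\Files'] = Test-Path '\\lon-svr1\Files\example.txt'

[pscustomobject]$results | Format-List
```

Read the output top to bottom: a missing GPO or certificate explains everything below it, a good IP-HTTPS state with failing resources points at the intranet tunnel or the resource, and an IP-HTTPS error code is usually the certificate chain or CRL of the 131.107.0.2 certificate. On LON-SVR2, Get-RemoteAccessConnectionStatistics lists the same connection that the Remote Client Status pane shows.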

Windows 7 Client vs. Windows 8 Client Implementation

Users working with DirectAccess in the Windows 8 operating system will have a better user experience than those working in Windows 7. In Windows 8, the DirectAccess solution is completely transparent for the user. However, in Windows 7, it is hard to troubleshoot network connectivity problems. Usually, when problems start, there are no native tools that can easily track the network behavior, and so administrators often use network monitoring tools to get information regarding connectivity issues.

Windows 8 Client Implementation

- Windows 8 includes an in-box user interface for DirectAccess clients that helps users understand their network connectivity experience. A simplified user interface that runs on top of the Windows PowerShell commands provides basic information regarding connectivity.

- Users can easily check their connectivity status. The look of the interface can be customized to provide additional information, such as support email addresses.

- Users can choose the site that they want to connect to in a multisite environment, and can even choose not to be connected to any site.


- Remediation options for actionable problems are presented clearly to the user. Instead of using other tools, remediation and problem solving can be done in the same DirectAccess user interface. Typical problems that can be flagged for remediation are:

   o Credentials (smart card, TPM, and OTP)
   o NAP
   o Proxy authentication issues
   o Proxy configuration issues
   o Lack of Internet connectivity

- Users can easily send customized logs to their helpdesk by using the properties of the Network Connectivity Assistant. Users can manually select the DirectAccess entry point that should be used. They can collect logs (HTML plus custom logs) and send these logs to already configured email addresses.

- When using Windows 7 in a multisite deployment, you need to create multiple GPOs with different settings. In Windows 8, however, clients can easily select the closest DirectAccess server in a multisite deployment.

- Easy setup of DirectAccess automatically configures Windows 8 computers to participate in a DirectAccess scenario without the need for additional configuration.

- Receive-side scaling for UDP traffic helps improve performance in enterprise deployments.

Lab: Implementing DirectAccess

Scenario

Because A. Datum has expanded, many of the employees are now frequently out of the office, either working from home or traveling. A. Datum wants to implement a remote access solution for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution implemented with NAP provides a high level of security, business management is concerned about the complexity of the environment for end users. Also, IT management is concerned that they are not able to manage the remote clients effectively.

To address these issues, A. Datum has decided to implement DirectAccess on client computers running Windows 8.

As a senior network administrator, you are required to deploy and validate the DirectAccess deployment. You will configure the DirectAccess environment and validate that the client computers can connect to the internal network when operating remotely.

Objectives
After completing this lab, you will be able to:

- Configure the server infrastructure to deploy DirectAccess.

- Configure the DirectAccess clients.

- Validate the DirectAccess implementation.

Lab Setup
Estimated time: 90 minutes

Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR2, 20417A-LON-SVR3
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd

5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.

Exercise 1: Configuring the DirectAccess Infrastructure


Scenario

MCT USE ONLY. STUDENT USE PROHIBITED

Upgrading Your Skills to MCSA Windows Server 2012

You decided to implement DirectAccess as a solution for remote client computers that are not able to
connect through VPN. Also, you want to address management problems, such as GPO application for
remote client computers. For this purpose, you will configure the prerequisite components of
DirectAccess, and configure the DirectAccess server.
The main tasks for this exercise are as follows:
1.

Configure the AD DS and DNS requirements.

2.

Configure certificate requirements.

3.

Configure the internal resources for DirectAccess.

4.

Configure DirectAccess server.

X Task 1: Configure the AD DS and DNS requirements


1.

2.

Create a security group for DirectAccess client computers by performing the following steps:
a. Switch to LON-DC1.
b. Open the Active Directory Users and Computers console, and create an Organizational Unit named DA_Clients OU, and within that organizational unit, create a Global Security group named DA_Clients.
c. Modify the membership of the DA_Clients group to include LON-SVR1.
d. Close the Active Directory Users and Computers console.

2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
a. Open the Group Policy Management console, and then open Default Domain Policy.
b. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.
c. Create a new inbound rule with the following settings:
   Rule Type: Custom
   Protocol type: ICMPv6
   Specific ICMP types: Echo Request
   Name: Inbound ICMPv6 Echo Requests
d. Create a new outbound rule with the following settings:
   Rule Type: Custom
   Protocol type: ICMPv6
   Specific ICMP types: Echo Request
   Action: Allow the connection
   Name: Outbound ICMPv6 Echo Requests
e. Close the Group Policy Management Editor and Group Policy Management consoles.

3. Create required DNS records by performing the following steps:
a. Open the DNS Manager console, and then create new host records with the following settings:
   Name: nls; IP Address: 172.16.0.21
   Name: crl; IP Address: 172.16.0.22
b. Close the DNS Manager console.

4. Remove ISATAP from the DNS global query block list by performing the following steps:
a. Open the Command Prompt window, type the following command, and then press Enter:
   dnscmd /config /globalqueryblocklist wpad
   Ensure that the Command completed successfully message appears.
b. Close the Command Prompt window.

5. Configure the DNS suffix on LON-SVR2 by performing the following steps:
a. Switch to LON-SVR2, and in the Local Area Connection Properties dialog box, in the Internet Protocol Version 4 (TCP/IPv4) dialog box, add the Adatum.com DNS suffix.
b. Close the Local Area Connection Properties dialog box.
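The same prerequisites can be scripted instead of clicked through. The following Windows PowerShell script is an added example and is not part of the course lab; it assumes the lab's own names (the Adatum.com domain, the DA_Clients group, LON-SVR1, and the nls and crl host records) and the ActiveDirectory, NetSecurity and DnsServer modules that are available on a Windows Server 2012 domain controller such as LON-DC1. The adapter alias used in the final, commented line for LON-SVR2 is an assumption.

```powershell
# Added example (not from the course): scripted equivalent of Task 1, run on LON-DC1
# as a domain administrator. Names are the lab's; the adapter alias is an assumption.
Import-Module ActiveDirectory
Import-Module NetSecurity
Import-Module DnsServer

$domain   = 'adatum.com'
$domainDN = 'DC=adatum,DC=com'
$gpoStore = "$domain\Default Domain Policy"   # PolicyStore format: <domain>\<GPO name>

# Step 1: OU and global security group whose members become DirectAccess clients.
New-ADOrganizationalUnit -Name 'DA_Clients OU' -Path $domainDN
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
            -Path "OU=DA_Clients OU,$domainDN"
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-SVR1')

# Step 2: ICMPv6 Echo Request (ICMPv6 type 128) rules written into the Default Domain
# Policy GPO. Only the Echo Request type is opened, not all ICMPv6 traffic.
New-NetFirewallRule -DisplayName 'Inbound ICMPv6 Echo Requests' -Direction Inbound `
    -Protocol ICMPv6 -IcmpType 128 -Action Allow -PolicyStore $gpoStore
New-NetFirewallRule -DisplayName 'Outbound ICMPv6 Echo Requests' -Direction Outbound `
    -Protocol ICMPv6 -IcmpType 128 -Action Allow -PolicyStore $gpoStore

# Step 3: host records for the network location server and the CRL distribution point.
Add-DnsServerResourceRecordA -ZoneName $domain -Name 'nls' -IPv4Address '172.16.0.21'
Add-DnsServerResourceRecordA -ZoneName $domain -Name 'crl' -IPv4Address '172.16.0.22'

# Step 4: the global query block list defaults to 'wpad' and 'isatap'. Setting it to
# 'wpad' alone removes isatap, which is what the dnscmd command in step 4 does.
Set-DnsServerGlobalQueryBlockList -List 'wpad'
Get-DnsServerGlobalQueryBlockList      # expect Enable = True, List = {wpad}

# Step 5 (run on LON-SVR2, not on the DC): connection-specific DNS suffix on the
# LAN adapter. The interface alias is an assumption.
# Set-DnsClient -InterfaceAlias 'Local Area Connection' -ConnectionSpecificSuffix $domain
```

Reading the block list back after setting it is the scripted form of the "Command completed successfully" check: if isatap still appears in the list, DirectAccess clients will not be able to resolve the ISATAP router name.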

Task 2: Configure certificate requirements
1. Configure the CRL distribution settings by performing the following steps:
a. Switch to LON-DC1 and open the Certification Authority console.
b. Configure the Adatum-LON-DC1-CA certification authority with the following extension settings:
   Add Location: http://crl.adatum.com/crld/
   Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
   Location: .crl
   Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
   Do not restart Certificate Services.
   Add Location: \\lon-svr2\crldist$\.
   Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
   Location: .crl
   Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
   Restart Certificate Services.
c. Close the Certification Authority console.

2. Duplicate the web certificate template and configure appropriate permissions by performing the following steps:
a. In the Certificate Templates console, in the contents pane, duplicate the Web Server template by using the following options:
   Template display name: Adatum Web Server Certificate
   Request Handling: Allow private key to be exported
   Authenticated Users permissions: under Allow, click Enroll
b. Close the Certificate Templates console.
c. In the Certification Authority console, choose to issue a New Certificate Template and select the Adatum Web Server Certificate template.
d. Close the Certification Authority console.

3. Configure computer certificate auto-enrollment by performing the following steps:
a. On LON-DC1, open the Group Policy Management console.
b. In the console tree, navigate to Forest: Adatum.com, Domains, and Adatum.com.
c. Edit the Default Domain Policy, and in the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
d. Under Automatic Certificate Request Settings, configure Automatic Certificate Request to issue the Computer certificate.
e. Close the Group Policy Management Editor and close the Group Policy Management console.

Task 3: Configure the internal resources for DirectAccess
1. Request a certificate for LON-SVR1 by performing the following steps:
a. On LON-SVR1, open a command prompt, type the following command, and then press Enter.
   gpupdate /force
b. At the command prompt, type the following command, and then press Enter.
   mmc
c. Add the Certificates snap-in for Local computer.
d. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates, request a new certificate, and then under Request Certificates, select Adatum Web Server Certificate with the following setting:
   Subject name: Under Common name, type nls.adatum.com
e. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
f. Close the console window. When you are prompted to save settings, click No.

2. Change the HTTPS bindings by performing the following steps:
a. Open Internet Information Services (IIS) Manager.
b. In the console tree of Internet Information Services (IIS), navigate to and click Default Web Site.
c. Configure Site Bindings by selecting nls.adatum.com for SSL Certificate.
d. Close the Internet Information Services (IIS) Manager console.

Task 4: Configure the DirectAccess server
1. Obtain the required certificates for LON-SVR2 by performing the following steps:
a. Switch to LON-SVR2.
b. Open a command prompt and refresh Group Policy by typing gpupdate /force.
c. Open Microsoft Management Console by typing the mmc command, and then add the Certificates snap-in for Local computer.
d. In the Certificates snap-in, in the mmc console, request a new certificate with the following settings:
   Certificate template: Adatum Web Server Certificate
   Common name: 131.107.0.2
   Friendly name: IP-HTTPS Certificate
e. Close the console.

2. Create the CRL distribution point on LON-SVR2 by performing the following steps:
a. Switch to Server Manager.
b. In Internet Information Services (IIS) Manager, create a new virtual directory named CRLD and assign c:\crldist as its home directory.

3. Share and secure the CRL distribution point by performing the following step:
Note: You perform this step to assign permissions to the CRL distribution point.
In the details pane of Windows Explorer, right-click the CRLDist folder, click Properties, and grant Full Share and NTFS permissions.

4. Publish the CRL to LON-SVR2 by performing the following steps:
Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.
a. Switch to LON-DC1.
b. Start the Certification Authority console.
c. In the console tree, open ADATUMCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

5. Complete the DirectAccess setup wizard on LON-SVR2 by performing the following steps:
a. On LON-SVR2, open the Server Manager console.
b. In the Server Manager console, start the Remote Access Management console, click Configuration, and start the Enable DirectAccess Wizard with the following settings:
   Select Groups: DA_Clients
   Network Topology: Edge is selected, and verify that 131.107.0.2 is used by clients to connect to the Remote Access server.
   Infrastructure Server Setup page, click Next
   Configure Remote Access page, click Next
   In Summary, click Finish, to apply DirectAccess Settings
Note: Because the server you already configured is a VPN server, you can only use the Getting Started wizard, which generates a self-signed certificate for DirectAccess communication. The next steps modify the default DirectAccess settings to use the certificates already deployed from the internal Certification Authority.
c. In the details pane of the Remote Access Management console, under Step 2, click Edit.
d. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
e. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to authenticate the IP-HTTPS connection.
f. On the Authentication page, select Use computer certificates, click Browse, and then select Adatum Lon-Dc1 CA.
g. On the VPN Configuration page, click Finish.
h. In the details pane of the Remote Access Management console, under Step 3, click Edit.
i. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended), in the URL of the NLS, type https://nls.adatum.com, and then click Validate.
j. Ensure that the URL is validated.
k. On the DNS page, examine the values, and then click Next.
l. In the DNS Suffix Search List, select Next.
m. On the Management page, click Finish.
n. In the details pane of the Remote Access Management console, review the settings for Step 4.
o. In Remote Access Review, click Apply.
p. Under Applying Remote Access Setup Wizard Settings, click Close.

6. Update Group Policy settings on LON-SVR2 by performing the following step:
Open the command prompt, and type the following commands:
   gpupdate /force
   ipconfig
Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.

Exercise 2: Configuring the DirectAccess Clients

Scenario
After you have configured the DirectAccess server and the required infrastructure, you must configure the DirectAccess clients. You decide to use the Group Policy mechanism to apply DirectAccess settings to the clients and for certificate distribution.
The main tasks for this exercise are as follows:
1. Configure Group Policy to configure client settings for DirectAccess.
2. Verify client computer certificate distribution.
3. Verify IP address configuration.

Task 1: Configure Group Policy to configure client settings for DirectAccess
1. Switch to LON-SVR3.
2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password Pa$$w0rd. Open the Command Prompt window, and then type the following commands:
   gpupdate /force
   gpresult /R
3. Verify that the DirectAccess Client Settings GPO is displayed in the list of Applied Policy objects for the Computer Settings.

Task 2: Verify client computer certificate distribution
1. On LON-SVR3, open the Certificates MMC.
2. Verify that a certificate with the name LON-SVR3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.
3. Close the console window without saving it.

Question: Why did you install a certificate on the client computer?

Task 3: Verify IP address configuration
1. On LON-SVR3, open Internet Explorer and go to http://lon-svr1.adatum.com/. The default IIS 8 web page for LON-SVR1 appears.
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1 appears.
3. Open Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. You should see a folder window with the contents of the Files shared folder.
4. Close all open windows.
Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration

Scenario
When client configuration is completed, it is important to verify that DirectAccess works. You do this by moving the DirectAccess client to the Internet and trying to access internal resources.
The main tasks for this exercise are as follows:
1. Move the client computer to the Internet virtual network.
2. Verify connectivity to the DirectAccess server.
3. Verify connectivity to the internal network resources.

Task 1: Move the client computer to the Internet virtual network
Note: To verify the DirectAccess functionality, you must move the client computer to the Internet.
1. Switch to LON-SVR3.
2. Change the network adapter configuration with the following settings:
   IP address: 131.107.0.10
   Subnet mask: 255.255.0.0
   Default gateway: 131.107.0.2
3. Disable and then enable again the Local Area Network network adapter.
4. Close the Network Connections window.
5. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network. Click OK.

Task 2: Verify connectivity to the DirectAccess server
1. On LON-SVR3, open a command prompt, and type the following command:
   ipconfig
2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.
3. At the command prompt, type the following command, and then press Enter.
   netsh name show effectivepolicy
4. At the command prompt, type the following command, and then press Enter.
   powershell
5. At the Windows PowerShell command prompt, type the following command, and then press Enter.
   Get-DAClientExperienceConfiguration
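The three checks in this task (the 2002: IP-HTTPS address from ipconfig, the effective NRPT policy from netsh, and Get-DAClientExperienceConfiguration) can be gathered into one function that returns a single result object, which is easier to compare across clients when troubleshooting. This is an added example, not part of the course lab; it assumes a Windows 8 or Windows Server 2012 DirectAccess client with the NetTCPIP, NetworkTransition, DnsClient and DirectAccessClientComponents modules, and it assumes the property names InterfaceStatus and LastErrorCode on the Get-NetIPHttpsState output and CorporateResources on the Get-DAClientExperienceConfiguration output. The host name lon-dc1.adatum.com and the nls.adatum.com exemption are the lab's.

```powershell
# Added example (not from the course): consolidated DirectAccess client checks, run on
# the client (LON-SVR3) after it has been moved to the Internet network.
function Test-DAClientConnectivity {
    param(
        [string]$InternalHost  = 'lon-dc1.adatum.com',   # lab name
        [string]$NlsName       = 'nls.adatum.com',       # lab NLS name
        [string]$IpHttpsPrefix = '2002:'                 # prefix the lab expects
    )

    # 1. IP-HTTPS tunnel address: the lab expects an IPv6 address starting with 2002.
    $ipHttpsAddr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -like "$IpHttpsPrefix*" } |
        Select-Object -ExpandProperty IPAddress

    # 2. IP-HTTPS interface state (NetworkTransition module; property names assumed).
    $ipHttps = Get-NetIPHttpsState

    # 3. Effective NRPT policy, the same data "netsh name show effectivepolicy" prints.
    #    Internal names are sent to the DirectAccess DNS servers; the NLS name must be an
    #    exemption (no DirectAccess DNS servers) so the client can detect when it is inside.
    $nrpt      = Get-DnsClientNrptPolicy
    $nlsExempt = $nrpt | Where-Object {
        $_.Namespace -eq $NlsName -and -not $_.DirectAccessDnsServers
    }

    # 4. Client experience configuration (property name assumed).
    $da = Get-DAClientExperienceConfiguration

    # 5. An internal host answering ping proves the IPsec tunnels are up end to end.
    $reachable = Test-Connection -ComputerName $InternalHost -Count 2 -Quiet

    [PSCustomObject]@{
        IpHttpsAddress         = ($ipHttpsAddr -join ', ')
        IpHttpsInterfaceStatus = $ipHttps.InterfaceStatus
        IpHttpsLastError       = $ipHttps.LastErrorCode
        NrptRuleCount          = @($nrpt).Count
        NlsExemptionPresent    = [bool]$nlsExempt
        CorporateResources     = ($da.CorporateResources -join ', ')
        InternalHostReachable  = $reachable
    }
}

Test-DAClientConnectivity | Format-List
```

A client with no 2002: address but a non-zero IpHttpsLastError has not brought up the IP-HTTPS tunnel at all (typically a certificate or firewall problem on the edge), whereas a client that has the address but fails InternalHostReachable has a transport path and is failing at the IPsec or name resolution layer; the NRPT fields narrow the second case.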

Task 3: Verify connectivity to the internal network resources
1. Open Internet Explorer and go to http://lon-svr1.adatum.com/. You should see the default IIS 8 web page for LON-SVR1.
2. Open Windows Explorer, type \\LON-SVR1\Files, and then press Enter.
3. You should see a folder window with the contents of the Files shared folder.
4. At the command prompt, type the following command:
   ping lon-dc1.adatum.com
   Verify that you are receiving replies from lon-dc1.adatum.com.
5. At the command prompt, type the following command, and then press Enter.
   gpupdate /force
6. Close all open windows.
7. Switch to LON-SVR2.
8. Start the Remote Access Management console and review the information on Remote Client Status.
Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
9. Close all open windows.
Results: After completing this exercise, you will have verified the DirectAccess configuration.

To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-SVR2, and 20410A-LON-SVR3.

Module Review and Takeaways

Review Questions
Question: What are the main benefits of using DirectAccess for providing remote connectivity?
Question: How do you configure a DirectAccess server?
Question: How do you configure DirectAccess clients?
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Question: What is the use of an NRPT?

Best Practices
Although DirectAccess was present in the previous Windows 7 and Windows Server 2008 R2 editions, Windows 8 introduces new features for improved manageability, ease of deployment, and improved scale and performance.

Monitoring of the environment is now much easier with support for Windows PowerShell, Windows Management Instrumentation (WMI), and GUI monitoring, along with the Network Connectivity Assistant on the client side.

One of the best enhancements is that DirectAccess can now access IPv4 servers on your network, and your servers do not need to have IPv6 addresses to be exposed through DirectAccess, because your DirectAccess server acts as a proxy.
For ease of deployment, you do not need to have IP addresses on the Internet-facing network. Therefore, this is a good scenario for a proof of concept. However, if you are concerned about security and if you want to integrate with NAP, you still need two public addresses.
Consider integrating DirectAccess with your existing Remote Access solution, because Windows Server 2012 can implement the DirectAccess server behind a NAT device, which is the most common Remote Access Server (RAS) solution for companies.
Common Issues and Troubleshooting Tips

Common Issue: You have configured DirectAccess, but users are complaining about connectivity issues. You want to troubleshoot those issues more efficiently.
Troubleshooting Tip:

Common Issue: The DirectAccess client tries to connect to the DirectAccess server by using IPv6 and IPsec with no success.
Troubleshooting Tip:

Real-world Issues and Scenarios


You are considering implementing DirectAccess in your organization. You are planning to implement
Windows Server 2012 servers. What are the other considerations that you should be aware of?

Tools
Tool | Use for | Where to find it
Express Setup, Remote Access Configuration | A graphical tool that simplifies the configuration of DirectAccess | Server Manager/Tools
Dnscmd.exe | A command-line tool used for DNS management | Run from command-line
Services.msc | Helps in managing Windows services | Server Manager/Tools
Gpedit.msc | Helps in editing the Local Group Policy | Run from command-line
IPconfig.exe | A command-line tool that displays current TCP/IP network configuration | Run from command-line
DNS Manager console | Helps in configuring name resolution | Server Manager/Tools
Mmc.exe | Helps in the creation and management of the Management Console | Run from command-line
Gpupdate.exe | Helps in managing Group Policy application | Run from command-line
Active Directory Users and Computers | Is useful in configuring group membership for client computers that will be configured with DirectAccess | Server Manager/Tools

Module 7
Implementing Failover Clustering
Contents:
Module Overview 7-1
Lesson 1: Overview of Failover Clustering 7-2
Lesson 2: Implementing a Failover Cluster 7-13
Lesson 3: Configuring Highly-Available Applications and Services on a Failover Cluster 7-18
Lesson 4: Maintaining a Failover Cluster 7-22
Lesson 5: Implementing a Multi-Site Failover Cluster 7-27
Lab: Implementing Failover Clustering 7-32
Module Review and Takeaways 7-37

Module Overview

Providing high availability is very important for any organization that wants to provide continuous
services to its users. Failover Clustering is one of the main technologies in Windows Server 2012 that can
provide high availability for various applications and services. In this module, you will learn about Failover
Clustering, Failover Clustering components, and implementation techniques.

Objectives
After completing this module, you will be able to:

Describe Failover Clustering.

Implement a failover cluster.

Configure highly-available applications and services.

Maintain a failover cluster.

Implement multi-site Failover Clustering.

Lesson 1
Overview of Failover Clustering

Failover clusters in Windows Server 2012 provide a high-availability solution for many server roles and applications. By implementing failover clusters, you can maintain application or service availability if one or more computers in the failover cluster fail. Before you implement Failover Clustering, you should be familiar with general high-availability concepts. You must understand clustering terminology and also how failover clusters work.
Also, it is important to be familiar with new clustering features in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

Describe availability.

Describe Failover Clustering improvements in Windows Server 2012.

Describe failover cluster components.

Define failover and failback.

Describe failover cluster networks.

Describe failover cluster storage.

Describe a quorum.

Describe quorum modes.

Describe Cluster Shared Volumes (CSVs).

What Is Availability?
Availability refers to a level of service that applications, services, or systems provide, and is expressed as the percentage of time that a service or system is available. Highly-available systems have minimal downtime, whether planned or unplanned, and are available more than 99 percent of the time, depending on the needs and the budget of the organization. For example, a system that is unavailable for 8.75 hours per year would have a 99.9 percent availability rating.

To improve availability, you must implement fault-tolerance mechanisms that mask or minimize how failures of the service's components and dependencies affect the system. You can achieve fault tolerance by implementing redundancy to single points of failure.
Availability requirements must be expressed so that there are no misunderstandings about the implications. Miscommunication about service level expectations between the customer and the IT organization can result in poor business decisions, such as unsuitable investment levels and customer dissatisfaction.

The availability measurement period can also have a significant effect on the definition of availability. For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for only 40 minutes of downtime per period.
You also have to identify and negotiate planned outages: maintenance activities, service pack updates, and software updates. These are scheduled outages, and typically are not included as downtime when calculating the system's availability. You typically calculate availability based on unplanned outages only. However, you have to negotiate exactly which planned outages you consider as downtime.

Failover Clustering Improvements in Windows Server 2012
Failover Clustering has not significantly changed since Windows Server 2008 R2. However, there are some new features and technologies in Windows Server 2012 that help increase scalability and cluster storage availability, and provide better and easier management and faster failover.
The important new features in Windows Server 2012 Failover Clustering include:

Increased scalability. In Windows Server 2012, a failover cluster can have 64 physical nodes and can run 4,000 virtual machines on each cluster. This is a significant improvement over Windows Server 2008 R2, which supports only 16 physical nodes and 1,000 virtual machines per cluster. Each cluster you create is now available from the Server Manager console. Server Manager in Windows Server 2012 can discover and manage all clusters created in an Active Directory Domain Services (AD DS) domain. If the cluster is deployed in a multi-site scenario, the administrator can now control which nodes in a cluster have votes for establishing quorum. Failover Clustering scalability is also improved for virtual machines that are running on clusters. This will be discussed in more detail in Module 8: Implementing Hyper-V.

Improved Cluster Shared Volumes (CSVs) volumes. This technology was introduced in Windows Server 2008 R2, and it became very popular for providing virtual machine storage. In Windows Server 2012, CSV volumes appear as CSV File System, and it supports Server Message Block (SMB) version 2.2 storage for Hyper-V and other applications. Also, CSV can use SMB Multichannel and SMB Direct to enable traffic to stream across multiple networks in a cluster. For additional security, you can use BitLocker Drive Encryption for CSV disks, and you can also make CSV storage visible only to a subset of nodes in a cluster. For reliability, CSV volumes can be scanned and repaired with zero offline time.

Cluster-aware updating. Updating cluster nodes required a lot of preparation and planning in earlier versions of Windows Server, to minimize or avoid downtime. Also, the procedure for updating cluster nodes was mostly manual, which caused additional administrative effort. In Windows Server 2012, a new technology is introduced for this purpose. This technology is called Cluster-Aware Updating. It automatically updates cluster nodes with Windows Update hotfixes while keeping the cluster online and minimizing downtime. This technology will be explained in more detail in Lesson 4: Maintaining a Failover Cluster.

Active Directory integration improvements. Since Windows Server 2008, Failover Clustering is integrated in Active Directory Domain Services (AD DS). In Windows Server 2012, this integration is improved. Administrators can create cluster computer objects in targeted organizational units (OUs), or by default in the same OUs as the cluster nodes. This aligns failover cluster dependencies on AD DS with the delegated domain administration model that is used in many IT organizations. Also, failover clusters can now be deployed with access only to read-only domain controllers.

Management improvements. Although Failover Clustering in Windows Server 2012 still uses almost the same management console and the same administrative techniques, it brings some important management improvements. The Validation Wizard is improved: the validation speed for large failover clusters is improved, and new tests for CSVs, the Hyper-V role, and virtual machines are added. Also, new Windows PowerShell cmdlets are available for managing clusters, monitoring clustered virtual machine applications, and creating highly available iSCSI targets.

Removed and Deprecated Features

In Windows Server 2012 clustering, some features are removed or deprecated. If you are moving from an older version of Failover Clustering, you should be aware of these features:

The Cluster.exe command-line tool is deprecated. However, it can be optionally installed with the Failover Clustering Tools. Failover Clustering Windows PowerShell cmdlets provide functionality that is generally the same as Cluster.exe commands.

The Cluster Automation Server (MSClus) COM interface is deprecated, but it can be optionally installed with the Failover Clustering Tools.

The support for 32-bit cluster resource DLLs is deprecated, but 32-bit DLLs can be optionally installed. Cluster resource DLLs should be updated to 64 bit.

The Print Server role is removed from the High Availability Wizard, and it cannot be configured in Failover Cluster Manager.

The Add-ClusterPrintServerRole cmdlet is deprecated, and it is not supported in Windows Server 2012.

Failover Cluster Components

A failover cluster is a group of independent computers that work together to increase the availability of applications and services. Physical cables and software connect the clustered servers, known as nodes. If one of the cluster nodes fails, another node begins to provide service. This process is known as failover. With failover, users experience a minimum of service disruptions.
A Failover Clustering solution consists of several components, which include:

Nodes. These are computers that are members of a failover cluster. These computers run the Cluster service and the resources and applications associated with the cluster.

Network. This is a network across which cluster nodes can communicate with one another and with clients. There are three types of networks that can be used in a cluster. These networks are discussed in more detail in the Failover Cluster Networks section.

Resource. This is an entity that is hosted by a node. It is managed by the Cluster service and can be started, stopped, and moved to another node.

Cluster storage. This is a storage system that is usually shared between cluster nodes. In some scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not required.

Clients. These are computers (or users) that are using the Cluster service.

Service or application. This is a software entity that is presented to clients and used by clients.

Witness. This can be a file share or disk which is used to maintain quorum. Ideally the witness should be located on a network that is both logically and physically separate from those used by the failover cluster. However, the witness must remain accessible by all cluster node members. The concepts of quorum and how the witness comes into play will be examined more closely in the coming lessons of this module.

In a failover cluster, each node in the cluster:

Has full connectivity and communication with the other nodes in the cluster.

Is aware when another node joins or leaves the cluster.

Is connected to a network through which client computers can access the cluster.

Is connected through a shared bus or iSCSI connection to shared storage.

Is aware of the services or applications that are running locally, and the resources that are running on all other cluster nodes.

Cluster storage usually refers to logical devices, typically hard disk drives or logical unit numbers (LUNs), that all the cluster nodes attach to through a shared bus. This bus is separate from the bus that contains the system and boot disks. The shared disks store resources such as applications and file shares that the cluster will manage.
A failover cluster typically defines at least two data communications networks: one network enables the cluster to communicate with clients, and the second, isolated network enables the cluster node members to communicate directly with one another. If directly-connected shared storage is not being used, then a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data storage network.

Most clustered applications and their associated resources are assigned to one cluster node at a time. The node that provides access to those cluster resources is the active node. If the nodes detect the failure of the active node for a clustered application, or if the active node is taken offline for maintenance, the clustered application is started on another cluster node. To minimize the impact of the failure, client requests are immediately and transparently redirected to the new cluster node.

What Are Failover and Failback?
Failover transfers the responsibility of providing access to resources in a cluster from one node to another. Failover can occur when an administrator intentionally moves resources to another node for maintenance, or when unplanned downtime of one node happens because of hardware failure or other reasons. Also, service failure on an active node can initiate failover to another node.

A failover attempt consists of the following steps:

1. The Cluster service takes all the resources in the instance offline in an order that is determined by the instance's dependency hierarchy. That is, dependent resources first, followed by the resources on which they depend. For example, if an application depends on a physical disk resource, the Cluster service takes the application offline first, which enables the application to write changes to the disk before the disk is taken offline.

2. After all the resources are offline, the Cluster service attempts to transfer the instance to the node that is listed next on the instance's list of preferred owners.

3. If the Cluster service successfully moves the instance to another node, it attempts to bring all the resources online. This time, it starts at the lowermost part of the dependency hierarchy. Failover is complete when all the resources are online on the new node.

The Cluster service can fail back instances that were originally hosted on the offline node, after the offline node becomes active again. When the Cluster service fails back an instance, it uses the same procedures that it performs during failover. That is, the Cluster service takes all the resources in the instance offline, moves the instance, and then brings all the resources in the instance back online.
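The three failover steps and the failback behaviour above can be driven and observed with the FailoverClusters Windows PowerShell module that the module text mentions. The following script is an added example and is not from the course; it assumes a Windows Server 2012 cluster node with the FailoverClusters module, and the clustered role name FileServer1 and the node names LON-NODE1 and LON-NODE2 are hypothetical.

```powershell
# Added example (not from the course): preferred owners, dependency order, a planned
# failover, verification, and failback settings. Role and node names are hypothetical.
Import-Module FailoverClusters

$role    = 'FileServer1'     # hypothetical clustered role (cluster group)
$primary = 'LON-NODE1'       # hypothetical nodes
$standby = 'LON-NODE2'

# Step 2 of a failover consults the preferred owner list in this order.
Set-ClusterOwnerNode -Group $role -Owners $primary, $standby

# The dependency hierarchy that steps 1 and 3 walk: dependents are taken offline first,
# and the resources they depend on (such as the physical disk) are brought online first.
Get-ClusterGroup -Name $role | Get-ClusterResource | ForEach-Object {
    $dep = Get-ClusterResourceDependency -Resource $_.Name
    '{0,-30} depends on: {1}' -f $_.Name, $dep.DependencyExpression
}

# Planned failover (the administrator-initiated case): Move-ClusterGroup performs steps
# 1 to 3 and returns once the group is online on the target node.
Move-ClusterGroup -Name $role -Node $standby

# Verification: the group must be Online on the expected node with no resource left
# in any state other than Online (a partially online group is a failed failover).
function Test-RoleOnline {
    param([string]$Group, [string]$ExpectedNode)
    $g       = Get-ClusterGroup -Name $Group
    $offline = $g | Get-ClusterResource | Where-Object { $_.State -ne 'Online' }
    [PSCustomObject]@{
        Group            = $g.Name
        OwnerNode        = $g.OwnerNode.Name
        OnExpectedNode   = ($g.OwnerNode.Name -eq $ExpectedNode)
        GroupState       = $g.State
        OfflineResources = ($offline | Select-Object -ExpandProperty Name) -join ', '
    }
}
Test-RoleOnline -Group $role -ExpectedNode $standby

# Failback: let the role return to its preferred owner once that node is active again.
# AutoFailbackType 1 allows failback (0 prevents it). Because failback repeats the whole
# offline/move/online sequence, restrict it to a maintenance window (hours 0-23).
$g = Get-ClusterGroup -Name $role
$g.AutoFailbackType    = 1
$g.FailbackWindowStart = 1
$g.FailbackWindowEnd   = 4
```

Running Test-RoleOnline before and after the move gives a before/after record of which node owns the role and whether every resource came back, which is the evidence to keep when a maintenance failover is performed on a production cluster.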

Failover Cluster Networks

Networks and network adapters are important parts of each cluster implementation. You cannot configure a cluster without configuring the networks that the cluster will use. A network can perform one of the following roles in a cluster:

Private network. A private network carries internal cluster communication. By using this network, cluster nodes exchange heartbeats and check for another node or nodes. The failover cluster authenticates all internal communication. However, administrators who are especially concerned about security may want to restrict internal communication to physically secure networks.

Public network. A public network provides client systems with access to cluster application services. IP address resources are created on networks that provide clients with access to the Cluster service.

Public-and-private network. A public-and-private network (also known as a mixed network) carries internal cluster communication and connects clients to cluster application services.

When you configure networks in failover clusters, you must also dedicate a network to connect to the shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based Ethernet communications network. However, you should not use this network for node or client communication. Sharing the iSCSI network in this manner may result in contention and latency issues both for users and for the resource that is being provided by the cluster.

Though not a best practice, you can use the private and public networks for both client and node communications. Preferably, you should dedicate an isolated network to the private node communication. The reasoning for this is similar to using a separate Ethernet network for iSCSI, namely to avoid resource bottleneck and contention issues. The public network is configured to allow client connections to the failover cluster. Although the public network can provide backup for the private network, a better design practice is to define alternative networks for the primary private and public networks, or at least to team the network interfaces used for these networks.

The networking features in Windows Server 2012-based clusters include the following:

The nodes transmit and receive heartbeats by using User Datagram Protocol (UDP) unicast, instead of UDP broadcast (which was used in legacy clusters). The messages are sent on port 3343.

You can include clustered servers on different IP subnets, which reduces the complexity of setting up multi-site clusters.

The Failover Cluster Virtual Adapter is a hidden device that is added to each node when you install the Failover Clustering feature. The adapter is assigned a media access control (MAC) address based on the MAC address that is associated with the first enumerated physical network adapter in the node.

Failover clusters fully support IPv6 for both node-to-node and node-to-client communication.

You can use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, or assign static IP addresses to all nodes in the cluster. However, if some nodes have static IP addresses and you configure others to use DHCP, the Validate a Configuration Wizard will raise an error. The cluster IP address resources are obtained based on the configuration of the network interface that supports that cluster network.
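The private, public and mixed roles described above are a property of each cluster network object, and the UDP 3343 heartbeat port is a firewall rule that the feature installs. The following script is an added example, not taken from the course; it assumes three cluster networks whose subnets are 192.168.10.0/24 (iSCSI), 10.10.0.0/24 (private) and 172.16.1.0/24 (public), all placeholders.

```powershell
# Added example (not from the course text). The three subnets are placeholders.
Import-Module FailoverClusters

# Cluster network Role values: 0 = not used by the cluster (storage only),
# 1 = cluster communication only (private), 3 = cluster and client (mixed).
$roles = @{
    '192.168.10.0' = 0   # iSCSI: keep heartbeat and client traffic off it
    '10.10.0.0'    = 1   # private: internal cluster communication only
    '172.16.1.0'   = 3   # public: client access, plus a backup heartbeat path
}

foreach ($net in Get-ClusterNetwork) {
    if ($roles.ContainsKey($net.Address)) {
        $net.Role = $roles[$net.Address]
    }
}

# Lower metric = preferred for internal traffic. Put the private network below the
# public one so heartbeats and CSV redirected I/O do not ride the client LAN.
(Get-ClusterNetwork | Where-Object { $_.Address -eq '10.10.0.0' }).Metric  = 900
(Get-ClusterNetwork | Where-Object { $_.Address -eq '172.16.1.0' }).Metric = 1100

Get-ClusterNetwork | Format-Table Name, Address, Role, Metric, State -AutoSize

# Heartbeats are UDP unicast on port 3343. The inbound rule that ships with the
# feature accepts any remote address; scope it to the two networks that are allowed
# to carry cluster traffic so hosts on the storage subnet cannot reach the port.
Get-NetFirewallRule -DisplayGroup 'Failover Clusters' -Direction Inbound |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -eq '3343' }
    } |
    Set-NetFirewallRule -RemoteAddress '10.10.0.0/24', '172.16.1.0/24'

# Two networks with Role >= 1 is what keeps the validation report free of the
# "single point of failure" warning.
Get-ClusterNetwork | Where-Object { $_.Role -ge 1 } | Select-Object Name, Role
```

Setting the iSCSI network to role 0 is what enforces the "do not use this network for node or client communication" rule; the firewall scoping is the defence-in-depth check for the same boundary on each node.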

Failover Cluster Storage

Most Failover Clustering scenarios require shared storage to provide consistent data to a highly available service or application after failover. There are three shared storage options for a failover cluster:

Shared serial attached SCSI (SAS). Shared SAS is the lowest cost option. However, it is not very flexible for deployment because the two cluster nodes must be physically close together. In addition, the shared storage devices that support SAS have a limited number of connections for cluster nodes.

Internet SCSI (iSCSI). iSCSI is a type of storage area network (SAN) that transmits SCSI commands over IP networks. Performance is acceptable for most scenarios when 1 gigabit per second (Gbps) or 10 Gbps Ethernet is used as the physical medium for data transmission. This type of SAN is fairly inexpensive to implement because no specialized networking hardware is required. In Windows Server 2012, you can implement iSCSI target software on any server, and present local storage over an iSCSI interface to clients. Because iSCSI runs over ordinary IP, the target should not rely on network placement alone: restrict which initiators may log in and require CHAP authentication on the target.

Fibre Channel. Fibre Channel SANs typically have better performance than iSCSI SANs, but are much more expensive. Specialized knowledge and hardware are required to implement a Fibre Channel SAN.

Note: The Microsoft iSCSI Software Target is now an integrated feature in Windows Server 2012. It can provide storage from a server over a TCP/IP network, including shared storage for applications that are hosted in a failover cluster. Also, in Windows Server 2012, a highly available iSCSI Target Server can be configured as a clustered role by using Failover Cluster Manager or Windows PowerShell.
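Presenting cluster storage from the Windows Server 2012 iSCSI Target Server, restricted to the cluster nodes and protected with CHAP, as an added example (this is not code from the course). The server side assumes the iSCSI Target Server role service is installed and reachable at 192.168.10.5 on the dedicated storage subnet; the node IQNs, VHD paths, the initiator address and the CHAP user name are placeholders.

```powershell
# Added example (not from the course text). Addresses, IQNs, paths and names are placeholders.

### On the iSCSI Target Server ##############################################
Import-Module IscsiTarget

$target   = 'ClusterStorage'
$nodeIqns = @(
    'IQN:iqn.1991-05.com.microsoft:node1.contoso.com',
    'IQN:iqn.1991-05.com.microsoft:node2.contoso.com'
)

# Only the listed initiators may log in to this target. This is the target-side
# counterpart of LUN masking: no other host on the storage subnet sees these LUNs.
New-IscsiServerTarget -TargetName $target -InitiatorIds $nodeIqns

# An IQN is just a name that any host can claim, so require one-way CHAP on top of
# the IQN filter. The CHAP secret must be 12 to 16 characters.
$chapUser   = 'clusterchap'
$chapSecret = Read-Host -AsSecureString 'CHAP secret (12-16 characters)'
$chapCred   = New-Object System.Management.Automation.PSCredential($chapUser, $chapSecret)
Set-IscsiServerTarget -TargetName $target -EnableChap $true -Chap $chapCred

# A small witness disk and a data LUN, mapped to this target only.
New-IscsiVirtualDisk -Path 'E:\iSCSIVirtualDisks\Witness.vhd' -SizeBytes 1GB
New-IscsiVirtualDisk -Path 'E:\iSCSIVirtualDisks\Data01.vhd'  -SizeBytes 200GB
Add-IscsiVirtualDiskTargetMapping -TargetName $target -Path 'E:\iSCSIVirtualDisks\Witness.vhd'
Add-IscsiVirtualDiskTargetMapping -TargetName $target -Path 'E:\iSCSIVirtualDisks\Data01.vhd'

# Verify: CHAP required, only two initiator IDs, two LUN mappings.
Get-IscsiServerTarget -TargetName $target |
    Select-Object TargetName, EnableChap, InitiatorIds, LunMappings

### On each cluster node ####################################################
# Connect through the NIC on the dedicated storage subnet (192.168.10.11 on NODE1,
# 192.168.10.12 on NODE2) and make the session persistent across reboots.
$chapUser  = 'clusterchap'
$chapPlain = Read-Host 'CHAP secret'      # the initiator cmdlets take a plain string

New-IscsiTargetPortal -TargetPortalAddress 192.168.10.5 `
    -InitiatorPortalAddress 192.168.10.11 `
    -AuthenticationType ONEWAYCHAP -ChapUsername $chapUser -ChapSecret $chapPlain

Get-IscsiTarget |
    Connect-IscsiTarget -IsPersistent $true `
        -AuthenticationType ONEWAYCHAP -ChapUsername $chapUser -ChapSecret $chapPlain

# The new disks appear offline and uninitialised; leave them that way until the
# cluster (not an individual node) brings them online as clustered disks.
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, Size, PartitionStyle, IsOffline
```

Because the target only answers the two IQNs and only after CHAP, a third server that is accidentally cabled into the storage VLAN cannot attach the same LUN, which is the "one cluster per device" requirement in the next topic enforced at the protocol level.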

Storage Requirements

After you choose the type of storage, you should also be aware of the following storage requirements:

To use the native disk support included in Failover Clustering, use basic disks and not dynamic disks.

We recommend that you format the partitions with NTFS. For the disk witness, the partition must be NTFS, because FAT is not supported.

For the partition style of the disk, you can use either master boot record (MBR) or GUID partition table (GPT).

Because improvements in failover clusters require that the storage respond correctly to specific SCSI commands, the storage must follow the SCSI Primary Commands-3 (SPC-3) standard. In particular, the storage must support Persistent Reservations, as specified in the SPC-3 standard.

The miniport driver used for the storage must work with the Microsoft Storport storage driver. Storport offers a higher performance architecture and better Fibre Channel compatibility in Windows systems.

You must isolate storage devices. That is, one cluster per device. Servers from different clusters must be unable to access the same storage devices. In most cases, a logical unit number (LUN) that is used for one set of cluster servers should be isolated from all other servers through LUN masking or zoning. Persistent Reservations arbitrate ownership among the nodes of one cluster; they do not stop an unrelated server that can reach the LUN from mounting it, so masking or zoning is the actual access-control boundary.

Consider using multipath I/O software. In a highly available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software. This provides the highest level of redundancy and availability. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.

What Is Quorum?

Quorum is the number of elements that must be online for a cluster to continue running. In effect, each element can cast one vote to determine whether the cluster continues to run. Each cluster node is an element that has one vote. If there is an even number of nodes, then an additional element, which is known as a witness, is assigned to the cluster. The witness element can be either a disk or a file share. Each node and a disk witness contain a copy of the cluster configuration, and the Cluster service works to keep all copies synchronized at all times. (A file share witness holds only a witness log, not a copy of the cluster configuration.)

The cluster will stop providing failover protection if most of the nodes fail or if there is a problem with communication between the cluster nodes. Without a quorum mechanism, each set of nodes could continue to operate as a failover cluster. This results in a partition within the cluster. Quorum prevents two or more nodes from concurrently operating a failover cluster resource. If a clear majority is not achieved between the node members, then the vote of the witness becomes crucial to maintain the validity of the cluster. Concurrent operation could occur when network problems prevent one set of nodes from communicating with another set of nodes. That is, a situation might occur where more than one node tries to control access to a resource. If that resource is, for example, a database application, damage could result. Imagine the consequence if two or more instances of the same database are made available on the network, or if data was accessed and written to a target from more than one source at a time. Even if the application itself is not damaged, the data could easily become corrupted.

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can calculate the number of votes that are required for the cluster to continue providing failover protection. If the number of votes drops below the majority, the cluster stops running. That is, it will not provide failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not function as a cluster until a majority consensus, or quorum, is achieved.

Note: The full functioning of a cluster depends not just on quorum, but on the capacity of each node to support the services and applications that fail over to that node. For example, a cluster that has five nodes could still have quorum after two nodes fail, but each remaining cluster node would continue serving clients only if it has enough capacity (such as disk space, processing power, network bandwidth, and RAM) to support the services and applications that failed over to it. An important part of the design process is planning each node's failover capacity. A failover node must be able to run its own load and also the load of additional resources that might fail over to it.

The Process of Achieving Quorum

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster software on each node stores information about how many votes constitute a quorum for that cluster. If the number drops below the majority, the cluster stops providing services. Nodes will continue listening for incoming connections from other nodes on port 3343, in case they appear again on the network, but the nodes will not begin to function as a cluster until quorum is achieved.

There are several phases a cluster must complete to achieve quorum. As a given node comes up, it determines whether there are other cluster members that it can communicate with. This process may be in progress on multiple nodes at the same time. After communication is established with other members, the members compare their membership views of the cluster until they agree on one view (based on timestamps and other information). A determination is made whether this collection of members has quorum, that is, whether it has enough members whose combined votes guarantee that a split scenario cannot exist. A split scenario means that another set of nodes in this cluster is running on a part of the network that is inaccessible to these nodes. Therefore, more than one node could be actively trying to provide access to the same clustered resource. If there are not enough votes to achieve quorum, the voters (the currently recognized members of the cluster) wait for more members to appear. After at least the minimum vote total is attained, the Cluster service begins to bring cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.

Quorum Modes in Windows Server 2012 Failover Clustering

The same quorum modes from Windows Server 2008 are also present in Windows Server 2012. As before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only, which functions like the disk-based quorum in Windows Server 2003. Other than that mode, there is no single point of failure with the quorum modes, because only the number of votes is important and not whether a particular element is available to vote. This quorum model is flexible. You can choose the mode best suited to your cluster.
Be aware that, most of the time, it is best to use the quorum mode selected by the cluster software. If you run the Quorum Configuration Wizard, the quorum mode that the wizard lists as recommended is the quorum mode chosen by the cluster software. We recommend changing the quorum configuration only if you have determined that the change is appropriate for your cluster.

There are four quorum modes:

Node Majority. Each node that is available and in communication can vote. The cluster functions only with a majority of the votes, that is, more than half. This model is preferred when the cluster consists of an odd number of server nodes (no witness is needed to maintain or achieve quorum).

Node and Disk Majority. Each node plus a designated disk in the cluster storage (the disk witness) can vote, when they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half. This model is intended for an even number of server nodes that are able to communicate with one another in the cluster, in addition to the disk witness.

Node and File Share Majority. Each node plus a designated file share created by the administrator (the file share witness) can vote, when they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half. This model is intended for an even number of server nodes that are able to communicate with one another in the cluster, in addition to the file share witness.

No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. Only the nodes that are also in communication with that disk can join the cluster.

Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevant; the vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available.

In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role.

Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In this mode, the quorum-shared disk is a single point of failure, so this mode is not recommended.

When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, Failover Clustering selects:

Node Majority if there is an odd number of nodes in the cluster.

Node and Disk Majority if there is an even number of nodes in the cluster.

Modify this setting only if you determine that a change is appropriate for your cluster, and ensure that you understand the implications of making the change.

In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to them. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.
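The majority arithmetic and the default mode selection above can be checked and applied with Get-ClusterQuorum and Set-ClusterQuorum. The following script is an added example and not code from the course; it assumes a cluster named CLUSTER1 whose computer object is CONTOSO\CLUSTER1$, a witness disk resource named "Cluster Disk 1", a remote-site node NODE3, and a file server FS01 hosting a share named ClusterWitness (all placeholders). The per-node NodeWeight property it uses is new in Windows Server 2012.

```powershell
# Added example (not from the course text). CLUSTER1, CONTOSO\CLUSTER1$, "Cluster Disk 1",
# NODE3 and \\FS01\ClusterWitness are placeholders.
Import-Module FailoverClusters

# Majority = more than half of the configured votes. Report how many votes exist,
# how many must stay up, and how many can be lost before the cluster stops.
function Get-QuorumSummary {
    $q     = Get-ClusterQuorum
    $votes = @(Get-ClusterNode | Where-Object { $_.NodeWeight -eq 1 }).Count
    $witnessName = '(none)'
    if ($q.QuorumResource) {                     # disk or file share witness = one vote
        $votes++
        $witnessName = $q.QuorumResource.Name
    }
    $needed = [math]::Floor($votes / 2) + 1
    [pscustomobject]@{
        QuorumType      = $q.QuorumType
        Witness         = $witnessName
        TotalVotes      = $votes
        NeededForQuorum = $needed
        CanLose         = $votes - $needed
    }
}

# The rule the Installation Wizard applies: odd node count -> Node Majority;
# even node count -> add a witness (disk if one exists, otherwise a file share).
# No Majority: Disk Only (-DiskOnly) is deliberately never chosen here.
function Set-RecommendedQuorum {
    param(
        [string]$WitnessDisk  = 'Cluster Disk 1',
        [string]$WitnessShare = '\\FS01\ClusterWitness'
    )
    $voters = @(Get-ClusterNode | Where-Object { $_.NodeWeight -eq 1 }).Count
    if ($voters % 2 -eq 1) {
        Set-ClusterQuorum -NodeMajority
    } elseif (Get-ClusterResource -Name $WitnessDisk -ErrorAction SilentlyContinue) {
        Set-ClusterQuorum -NodeAndDiskMajority $WitnessDisk        # disk witness also holds the cluster database
    } else {
        Set-ClusterQuorum -NodeAndFileShareMajority $WitnessShare  # witness log only; never on a cluster node
    }
}

Get-QuorumSummary
# A remote-site node that must never decide quorum for the main site can be stripped
# of its vote; recompute the mode afterwards because the voter count changed.
(Get-ClusterNode -Name NODE3).NodeWeight = 0
Set-RecommendedQuorum
Get-QuorumSummary

### On FS01: the witness share is inside the cluster's trust boundary. Only the
### cluster name object (CNO) and administrators should be able to write to it.
New-Item -ItemType Directory -Path 'D:\ClusterWitness' | Out-Null
New-SmbShare -Name 'ClusterWitness' -Path 'D:\ClusterWitness' `
    -FullAccess 'CONTOSO\CLUSTER1$', 'CONTOSO\Domain Admins'
$acl = Get-Acl -Path 'D:\ClusterWitness'
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs such as Users:Read
foreach ($id in 'CONTOSO\CLUSTER1$', 'CONTOSO\Domain Admins', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path 'D:\ClusterWitness' -AclObject $acl
```

Whoever can write to the witness share can influence whether a partitioned cluster keeps running, so its ACL deserves the same scrutiny as the cluster nodes themselves; the cluster accesses it as the CNO, which is why that account, and not the node accounts, is granted access.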

What Are Cluster Shared Volumes?

In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that the other nodes cannot see that shared storage until one of them becomes the active node for the LUN. Cluster Shared Volumes (CSV) is a technology introduced in Windows Server 2008 R2 which enables multiple nodes to concurrently share a single LUN. Each node obtains exclusive access to individual files on the LUN instead of the whole LUN. In other words, CSVs provide a distributed file access solution so that multiple nodes in the cluster can simultaneously access the same NTFS file system.

In Windows Server 2008 R2, CSVs were designed only for hosting virtual machines running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which the virtual machine was running fails, CSV lets the virtual machine be restarted on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines compared to each virtual machine requiring a separate LUN.

In Windows Server 2012, CSVs have been additionally enhanced. It is now possible to use CSVs for other roles, and not just Hyper-V. For example, you can now configure the file server role in a failover cluster in a Scale-Out File Server scenario. The Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. In this context, CSVs in Windows Server 2012 introduce support for a read cache, which can significantly improve performance in certain scenarios. Also, the CSV File System (CSVFS) can perform CHKDSK without affecting applications with open handles on the file system.

Other important improvements in Cluster Shared Volumes in Windows Server 2012 are:

CSVFS benefits. In Disk Management, CSV volumes now appear as CSVFS. However, this is not a new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they are running on CSVs, which helps improve compatibility. And because of a single file namespace, all files have the same name and path on any node in a cluster.

Multisubnet support for CSVs. CSVs have been enhanced to integrate with SMB Multichannel to help
achieve faster throughput for CSV volumes.

Support for BitLocker drive encryption. Windows Server 2012 supports BitLocker volume encryption for both traditional clustered disks and CSVs. Each node performs decryption by using the computer account for the cluster itself (the cluster name object), so that account, rather than any individual node account, is the identity that must be protected.

Support for SMB 3.0 storage. CSVs in Windows Server 2012 provide support for SMB 3.0 storage for
Hyper-V and applications such as Microsoft SQL Server.

Integration with SMB Multichannel and SMB Direct. This allows CSV traffic to stream across multiple
networks in the cluster and to take advantage of network adapters that support Remote Direct
Memory Access (RDMA).

Integration with the Storage Spaces feature in Windows Server 2012. This can provide virtualized
storage on clusters of inexpensive disks.

Ability to scan and repair volumes. CSVs in Windows Server 2012 support the ability to scan and repair
volumes with zero offline time.

Implementing Cluster Shared Volumes

You can configure CSVs only after you create a failover cluster. After the cluster exists, you can add clustered storage to the CSV.

Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:

When you convert from regular disk access to CSV, the LUN's drive letter or mount point is removed.
This means that you must re-create all virtual machines that are stored on the shared storage. If you
must retain the same virtual machine settings, consider exporting the virtual machines, switching to
CSV, and then importing the virtual machines in Hyper-V.

You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is
using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
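Adding a clustered disk to CSV and then protecting it with BitLocker, as an added example (this is not the course's code). It assumes a cluster CLUSTER1 whose computer object is CONTOSO\CLUSTER1$ and a clustered disk resource named "Cluster Disk 2" sitting in Available Storage, already formatted NTFS and not in use by any virtual machine (placeholders). The step order follows the documented Windows Server 2012 procedure of encrypting the volume while its cluster resource is in maintenance mode.

```powershell
# Added example (not from the course text). CLUSTER1, CONTOSO\CLUSTER1$ and
# "Cluster Disk 2" are placeholders. Run on the node that currently owns the disk.
Import-Module FailoverClusters

$diskName = 'Cluster Disk 2'
$cno      = 'CONTOSO\CLUSTER1$'   # cluster name object; every node unlocks the volume as this identity

# BitLocker must be installed on every node, otherwise a node without it cannot mount the CSV.
Invoke-Command -ComputerName (Get-ClusterNode).Name -ScriptBlock {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature
}

# 1. Promote the disk to a Cluster Shared Volume. Its drive letter is removed and it
#    appears as C:\ClusterStorage\VolumeN on every node.
$csv   = Add-ClusterSharedVolume -Name $diskName
$mount = $csv.SharedVolumeInfo[0].FriendlyVolumeName
"CSV mounted at $mount"

# 2. Maintenance mode: I/O through CSV is paused and the owner node gets ordinary
#    exclusive NTFS access, which is what BitLocker needs to encrypt the volume.
Suspend-ClusterResource -Name $diskName -Force

# 3. Two protectors: the CNO (so any node can unlock the volume) and a recovery
#    password (escrowed to AD DS; it is the only way in if the CNO is ever lost).
Enable-BitLocker -MountPoint $mount -AdAccountOrGroupProtector -AdAccountOrGroup $cno
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Requires the "store recovery information in AD DS" policy on the nodes.
Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId

# 4. Return the volume to the cluster; other nodes can now mount it via the CNO protector.
Resume-ClusterResource -Name $diskName

Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
Get-ClusterSharedVolume -Name $diskName | Select-Object Name, State, OwnerNode
```

Encrypting before the volume holds any virtual machines avoids the "disk in use" restriction described above, and recording the recovery password identifier somewhere outside the cluster is what lets you recover the data if the CNO is deleted or reset.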

Additional Reading:
Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Storage Spaces Overview
http://technet.microsoft.com/en-us/library/hh831739.aspx

Lesson 2
Implementing a Failover Cluster

Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than requirements for stand-alone servers.

This lesson describes how to prepare for cluster implementation and also discusses the hardware, network, storage, infrastructure, and software requirements for Windows Server 2012 failover clusters. This lesson also outlines the steps for using the Validate a Configuration Wizard to ensure correct cluster configuration.

Lesson Objectives

After completing this lesson, you will be able to:

Describe how to prepare for implementing Failover Clustering.

Describe hardware requirements for Failover Clustering.

Describe network requirements for Failover Clustering.

Describe infrastructure requirements for Failover Clustering.

Describe software requirements for Failover Clustering.

Validate and configure a cluster.

Preparing for Implementing Failover Clustering

Before you implement Failover Clustering technology, you must identify the services and applications that you want to make highly available. Failover Clustering cannot be applied to all applications. Also, you should be aware that Failover Clustering does not provide improved scalability by adding nodes. You can only obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you should only use Failover Clustering when your goal is high availability, instead of scalability.

Failover Clustering is best suited for stateful applications that are restricted to a single set of data. One example of such an application is a database. Data is stored in a single location and can only be used by one database instance. You can also use Failover Clustering for Hyper-V virtual machines.

Failover Clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. Both IP version 4 (IPv4) and IP version 6 (IPv6) are supported.

The best results for Failover Clustering occur when the client can reconnect to the application automatically after failover. If the client does not reconnect automatically, then the user must restart the client application.

Consider the following guidelines when planning node capacity in a failover cluster:

Spread out the highly available applications from a failed node. When all nodes in a failover cluster are active, the highly available services or applications from a failed node should be spread out among the remaining nodes to prevent a single node from being overloaded.

Ensure that each node has sufficient idle capacity to service the highly available services or applications that are allocated to it when another node fails. This idle capacity should be a sufficient buffer to avoid nodes running at near capacity after a failure event. Failure to adequately plan resource utilization can result in decreased performance following node failure.

Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for failover because the failover load will be evenly distributed among the surviving nodes.

Use standby servers to simplify capacity planning. When a passive node is included in the cluster, all highly available services or applications from a failed node can be failed over to the passive node. This avoids the need for complex capacity planning. If this configuration is selected, it is important that the standby server has sufficient capacity to run the load from more than one node failure.

You should also examine all cluster configuration components to identify single points of failure. You can remedy many single points of failure with simple solutions, such as adding storage controllers to separate and stripe disks, teaming network adapters, and using multipathing software. These solutions reduce the probability that a failure of a single device causes a failure in the cluster. Typically, server-class computer hardware has options for multiple power supplies for power redundancy, and for creating redundant array of independent disks (RAID) sets for disk data redundancy.

Hardware Requirements for Failover Cluster Implementation

It is very important to make good decisions when you select hardware for cluster nodes. Failover clusters have to satisfy the following criteria to meet availability and support requirements:

All hardware that you select for a failover cluster should meet the Certified for Windows Server 2012 logo requirements. Hardware that has this logo was independently tested to meet the highest technical bar for reliability, availability, stability, security, and platform compatibility. Also, this means that official support options exist in case malfunctions arise.

You should install the same or similar hardware on each failover cluster node. For example, if you choose a specific model of network adapter, you should install this adapter on each of the cluster nodes.

If you are using Serial Attached SCSI or Fibre Channel storage connections, the mass-storage device controllers that are dedicated to the cluster storage should be identical in all clustered servers. They should also use the same firmware version.

If you are using iSCSI storage connections, each clustered server must have one or more network adapters or host bus adapters dedicated to the cluster storage. The network that you use for iSCSI storage connections should not be used for other network communication. In all clustered servers, the network adapters that you use to connect to the iSCSI storage target should be identical, and we recommend that you use Gigabit Ethernet or faster.

After you configure the servers with the hardware, all tests provided in the Validate a Configuration Wizard must be passed before the cluster is considered a configuration that is supported by Microsoft.

Network Requirements for Failover Cluster Implementation

Failover cluster network components must have the Certified for Windows Server 2012 logo and also pass the tests in the Validate a Configuration Wizard. Additionally:

The network adapters in each node should be identical and have the same IP protocol version, speed, duplex, and flow control capabilities available.

The networks and network equipment to which you connect the nodes should be redundant, so that even after a single failure the nodes can continue communicating with one another. You can use network adapter teaming to provide single-network redundancy. We recommend multiple networks to provide multiple paths between nodes for inter-node communication; otherwise, a warning will be generated during the validation process.

The network adapters in a cluster network must have the same IP address assignment method, which means either that they all use static IP addresses or that they all use DHCP.

Note: If you connect cluster nodes with a single network, the network passes the redundancy requirement in the Validate a Configuration Wizard. However, the report from the wizard will include a warning that the network should not have single points of failure.

Infrastructure Requirements for Failover Cluster

Failover clusters depend on infrastructure services. Each server node must be in the same Active Directory domain, and if you use Domain Name System (DNS), the nodes should use the same DNS servers for name resolution. We recommend that you install the same Windows Server 2012 features and roles on each node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In addition, you should not install the AD DS role on any of the cluster nodes because AD DS has its own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes.

You must have the following network infrastructure for a failover cluster:

MCT USE ONLY. STUDENT USE PROHIBITED

7-16 Implementing Failover Clustering

- Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings on those adapters, such as speed, duplex mode, flow control, and media type. Also, compare the settings between the network adapter and the switch it connects to, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients, or with storage systems.

- Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect VLAN assignments.

- DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration.

- Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.

- Account for administering the cluster. When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has administrator rights and permissions on all servers in that cluster. The account does not have to be a Domain Admins account, but can be a Domain Users account that is in the Administrators group on each clustered server. In addition, if the account is not a Domain Admins account, the account (or the group that the account is a member of) must be given the Create Computer Objects permission in the domain.

In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs in a special context that provides the specific permissions and credentials that are necessary for the service (similar to the local system context, but with reduced credentials). When a failover cluster is created and a corresponding computer object is created in AD DS, that object is configured to prevent accidental deletion. Also, the cluster Network Name resource has additional health check logic, which periodically checks the health and properties of the computer object that represents the Network Name resource.
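The two AD DS points made above, the Create Computer Objects permission for a non-Domain Admins account and the accidental-deletion protection on the cluster's computer object, can both be verified with the ActiveDirectory module. The following is an added example and not course material; the OU distinguished name, the group ADATUM\ClusterAdmins and the cluster name Cluster1 are assumptions, and the Active Directory Users and Computers "Create Computer Objects" permission is resolved here as a CreateChild access rule scoped to the schema GUID of the computer class.

```powershell
# Added example (not from the course): check that a delegated group can create
# computer objects in the OU that will hold the cluster name object (CNO), and
# that the CNO, once created, is protected from accidental deletion.
Import-Module ActiveDirectory

$ou        = 'OU=Clusters,DC=Adatum,DC=com'   # assumption
$principal = 'ADATUM\ClusterAdmins'            # assumption
$cluster   = 'Cluster1'                        # name used in the demonstrations

# Resolve the schemaIDGUID of the "computer" class from the schema partition
# instead of hard-coding it; a CreateChild ACE is scoped to that object type.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID

# Look for an Allow ACE granting CreateChild on the computer class (or on all
# child types, ObjectType = empty GUID) to the delegated principal.
$acl = Get-Acl -Path "AD:\$ou"
$hasCreate = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
    ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty)
}
if ($hasCreate) {
    "$principal can create computer objects in $ou"
} else {
    Write-Warning "$principal lacks Create Computer Objects on $ou; creating the cluster with that account will fail to create the CNO."
}

# After the cluster exists: the CNO should be flagged against accidental
# deletion, because deleting it breaks the cluster Network Name resource.
$cno = Get-ADComputer -Identity $cluster -Properties ProtectedFromAccidentalDeletion
if (-not $cno.ProtectedFromAccidentalDeletion) {
    Write-Warning "CNO $cluster is not protected from accidental deletion; enabling protection."
    Set-ADObject -Identity $cno.DistinguishedName -ProtectedFromAccidentalDeletion $true
}
```

Run the first part as the account that will create the cluster, before you start the wizard; run the second part after the cluster exists. Membership in a group that has the right is sufficient, so if the check reports no ACE for the account itself, repeat it for the groups the account belongs to.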

Software Requirements for Failover Cluster Implementation

Failover clusters require that each cluster node run the same edition of Windows Server 2012. The edition can be either Windows Server 2012 Enterprise or Windows Server 2012 Datacenter. The nodes should also have the same software updates and service packs. Depending on the role that will be clustered, a Server Core installation may also meet the software requirements. However, you cannot install Server Core and full editions in the same cluster.

It is also very important that the same version of service packs and any operating system updates exist on all nodes that are part of a cluster.

Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4: Maintaining a Failover Cluster.

Each node must run the same processor architecture. This means that each node must have the same processor family, which might be the Intel Xeon processor family with Extended Memory 64 Technology, the AMD Opteron AMD64 family, or the Intel Itanium-based processor family.

Demonstration: Validating and Configuring a Failover Cluster

The Validate a Configuration Wizard runs tests that confirm if the hardware and hardware settings are
compatible with Failover Clustering. Using the wizard, you can run the complete set of configuration tests
or a subset of the tests. We recommend that you run the tests on servers and storage devices before you
configure the failover cluster, and again after any major changes are made to the cluster. You can access
the test results in the %windir%\cluster\Reports directory.

Demonstration Steps
1. Start Failover Cluster Manager on the LON-SVR3 machine.
2. Start the Validate Configuration Wizard. Add LON-SVR3 and LON-SVR4 as cluster nodes.
3. Review the report.
4. Create a new cluster. Add LON-SVR3 and LON-SVR4 as cluster nodes.
5. Name the cluster Cluster1.
6. Use 172.16.0.125 as the IP address.
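The same validation and creation can be scripted with the FailoverClusters module, which is useful when the result must be repeatable and the report kept. The following is an added example, not part of the course; it uses the node names, cluster name and IP address from the demonstration, and assumes an elevated session on LON-SVR3 with the Failover Clustering feature already installed on both nodes. The report folder path is an assumption.

```powershell
# Added example (not from the course): PowerShell equivalent of the
# demonstration steps above.
Import-Module FailoverClusters

$nodes = 'LON-SVR3', 'LON-SVR4'

# Steps 2-3: run the complete validation test set and keep the MHTML report
# under a dated name (a copy is also written to %windir%\cluster\Reports).
$reportDir = 'C:\Validation'   # assumption
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$report = Test-Cluster -Node $nodes -ReportName (Join-Path $reportDir "Cluster1-$(Get-Date -Format yyyyMMdd-HHmm)")
"Validation report: $($report.FullName)"

# Review the report before continuing; warnings about redundancy or
# mismatched adapters are the ones discussed earlier in this module.

# Steps 4-6: create the cluster with a static administrative access point.
New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress '172.16.0.125'

# Confirm both nodes are Up and the core resources (IP address, network name)
# of the Cluster Group are Online.
Get-ClusterNode -Cluster 'Cluster1'
Get-ClusterGroup -Cluster 'Cluster1' -Name 'Cluster Group' | Get-ClusterResource
```

Test-Cluster returns the report file object, so the same script can archive the report next to the change record for the cluster build.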

Lesson 3
Configuring Highly-Available Applications and Services on a Failover Cluster

After you have configured the clustering infrastructure, you should configure a specific role or service to be highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you want to put in a cluster and check whether it is supported. In this lesson, you will learn about configuring roles and applications in clusters as well as about configuring cluster settings.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe and identify cluster resources and services.
- Describe the process for clustering server roles.
- Configure a cluster role.
- Describe how to configure cluster properties.
- Describe how to manage cluster nodes.
- Describe how to configure application failover settings.

Identifying Cluster Resources and Services
A clustered service that contains an IP address resource and a network name resource (and other resources) is published to a client on the network under a unique server name. Because this group of resources is displayed as a single logical server to clients, it is called a cluster instance. Users access applications or services on an instance in the same manner they would if the applications or services were on a nonclustered server. Usually, applications or users do not know that they are connecting to a cluster and the node they are connected to.

Resources are physical or logical entities, such as a file share, disk, or IP address, that the failover cluster manages. Resources may provide a service to clients or may be an important part of the cluster. Resources are the most basic and smallest configurable unit. At any time, a resource can run only on a single node in a cluster, and it is online on a node when it provides its service to that specific node.

Server Cluster Resources

A cluster resource is any physical or logical component that has the following characteristics:

- It can be brought online and taken offline.
- It can be managed in a server cluster.
- It can be hosted (owned) by only one node at a time.

To manage resources, the Cluster service communicates to a resource DLL through a resource monitor. When the Cluster service makes a request of a resource, the resource monitor calls the appropriate entry-point function in the resource DLL to check and control the resource state.

Dependent Resources

A dependent resource is one that requires another resource to operate. For example, a network name must be associated with an IP address. Because of this requirement, a network name resource depends on an IP address resource. Dependent resources are taken offline before the resources upon which they depend are taken offline; similarly, they are brought online after the resources on which they depend are brought online. A resource can specify one or more resources on which it is dependent. Resource dependencies also determine bindings. For example, clients will be bound to the particular IP address that a network name resource depends on.

When you create resource dependencies, consider the fact that, although some dependencies are strictly required, others are not required but are recommended. For example, a file share that is not a Distributed File System (DFS) root has no required dependencies. However, if the disk resource that holds the file share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share dependent on the disk resource.

A resource can also specify a list of nodes on which it can run. Possible nodes and dependencies are important considerations when administrators organize resources into groups.

The Process for Clustering Server Roles

Failover clustering supports the clustering of several Windows Server roles, such as File Services, DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as SQL Server or Exchange Server, perform the following procedure:

1. Install the Failover Clustering feature. Use Server Manager or Ocsetup to install the Failover Clustering feature on all computers that will be cluster members.

2. Verify configuration and create a cluster with the appropriate nodes. Use the Failover Cluster Management snap-in to first validate a configuration, and then create a cluster with selected nodes.

3. Install the role on all cluster nodes. Use Server Manager to install the server role that you want to use in the cluster.

4. Create a clustered application by using the Failover Clustering Management snap-in.

5. Configure the application. Configure options on the application that is being used in the cluster.

6. Test failover. Use the Failover Cluster Management snap-in to test failover by intentionally moving the service from one node to another.

After the cluster is created, you can monitor its status by using the Failover Cluster Management console, and manage available options.

Demonstration: Clustering a File Server Role

Demonstration Steps
1. Open Failover Cluster Manager and verify that three Cluster Disks are available.
2. Start the Configure Role Wizard and configure the File Server as a clustered role.
3. For the Client Access Point, use the name AdatumFS and the IP address 172.16.0.130.
4. Select Cluster Disk 2 as the storage for the File Server role.
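Steps 3 to 6 of the general procedure above (install the role on every node, create the clustered application, then test failover) and this demonstration map onto a handful of cmdlets. The following is an added example and not course material; it uses the names from the demonstration (AdatumFS, Cluster Disk 2, 172.16.0.130, nodes LON-SVR3 and LON-SVR4) and assumes it is run from a cluster node after the cluster has been created.

```powershell
# Added example (not from the course): cluster the File Server role and test
# failover by moving it between nodes.
Import-Module FailoverClusters

$nodes = 'LON-SVR3', 'LON-SVR4'

# Procedure step 3: the role must be installed on every node before it can be
# clustered; Install-WindowsFeature -ComputerName does each node remotely.
foreach ($n in $nodes) {
    Install-WindowsFeature -Name FS-FileServer -ComputerName $n
}

# Demonstration step 1: list the cluster disks that are available as storage.
Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
    Select-Object Name, State, OwnerGroup, OwnerNode

# Demonstration steps 2-4 / procedure step 4: create the clustered File Server
# with its client access point (network name + IP address) on Cluster Disk 2.
Add-ClusterFileServerRole -Name 'AdatumFS' -Storage 'Cluster Disk 2' -StaticAddress '172.16.0.130'

# Procedure step 6: test failover. Move the role to whichever node does not
# currently own it and confirm it comes back Online there; clients keep
# using the name AdatumFS regardless of the owner node.
$group  = Get-ClusterGroup -Name 'AdatumFS'
$target = Get-ClusterNode | Where-Object { $_.Name -ne $group.OwnerNode.Name } | Select-Object -First 1
Move-ClusterGroup -Name 'AdatumFS' -Node $target.Name
Get-ClusterGroup -Name 'AdatumFS' | Select-Object Name, OwnerNode, State
```

A planned move like this is the same path the Cluster service takes on an unplanned failure, so a move that leaves the group Online on the other node is the evidence that the role, its storage and its network name are correctly configured on both nodes.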

Failover Cluster Management Tasks

You can perform several failover cluster management tasks. These tasks range from adding and removing cluster nodes to modifying the quorum settings. Some of the most frequently used configuration tasks include:

- Managing cluster nodes. For each node in a cluster, you can stop the cluster service temporarily, pause it, initiate Remote Desktop to the node, or evict the node from the cluster.

- Managing cluster networks. You can add or remove cluster networks, and you can also configure networks that will be dedicated just to inter-cluster communication.

- Managing permissions. By managing permissions, you delegate rights to administer the cluster.

- Configuring cluster quorum settings. By configuring quorum settings, you determine how quorum is achieved as well as who can have a vote in a cluster.

- Migrating services and applications to a cluster. You can move existing services to the cluster and make them highly available.

- Configuring new services and applications to work in a cluster. You can implement new services on the cluster.

- Removing a cluster.

You can perform most of these administrative tasks by using the Failover Cluster Management console.

Managing Cluster Nodes

Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you might have to manage cluster nodes occasionally. There are three aspects to managing cluster nodes:

- You can add a node to an established failover cluster by selecting Add Node in the Failover Cluster Management Actions pane. The Add Node Wizard prompts you for information about the additional node.

- You can pause a node to prevent resources from being failed over or moved to the node. You typically pause a node when a node is undergoing maintenance or troubleshooting.

- You can evict a node, which is an irreversible process for a cluster node. After you evict the node, it must be re-added to the cluster. You evict nodes when a node is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it, and then add it back to the cluster by using the Add Node Wizard.

You can manage cluster nodes by using the Failover Cluster Management console.
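The three node operations above (pause, evict, add) have direct cmdlet equivalents, and scripting them makes the irreversible eviction step safer because the script can refuse to evict a node that still owns roles. The following is an added example and not course material; it assumes a two-node cluster with the demonstration's node names and that LON-SVR4 is the node being serviced.

```powershell
# Added example (not from the course): take a node out for maintenance and
# back in, then evict a rebuilt node and re-add it after re-validating.
Import-Module FailoverClusters

$node  = 'LON-SVR4'
$other = 'LON-SVR3'

# Pause the node and drain its roles onto the other node, so nothing fails
# over to it while it is being serviced (-Drain is new in Windows Server 2012).
Suspend-ClusterNode -Name $node -Drain

# ... maintenance or troubleshooting on the node happens here ...

# Resume the node and immediately fail back the roles that prefer it.
Resume-ClusterNode -Name $node -Failback Immediate

# Eviction is irreversible, so refuse to evict while the node still owns any
# group; move groups away (or drain again) first.
$owned = Get-ClusterGroup | Where-Object { $_.OwnerNode.Name -eq $node }
if ($owned) {
    throw "$node still owns $(@($owned).Count) group(s): $($owned.Name -join ', '). Move them before evicting."
}
Remove-ClusterNode -Name $node -Force

# After the node has been repaired or rebuilt, re-validate it with the cluster
# before adding it back. The storage tests are excluded because they take the
# clustered disks offline on a running cluster.
Test-Cluster -Node $other, $node -Include 'Inventory', 'Network', 'System Configuration'
Add-ClusterNode -Name $node
```

Draining before a pause, rather than pausing alone, is what keeps a two-node cluster's workloads online during the maintenance window; pausing only prevents new failovers to the node, it does not move what is already there.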

Configuring Application Failover Settings

You can adjust the failover settings, including preferred owners and failback settings, to control how the cluster responds when the application or service fails. You can configure these settings on the property sheet for the clustered service or application (on the General tab or on the Failover tab). The following table provides examples that show how these settings work.

Setting (Example 1):
General tab, Preferred owner: Node1
Failover tab, Failback setting: Allow failback (Immediately)

Result:
If the service or application fails over from Node1 to Node2, when Node1 is again available, the service or application will fail back to Node1.

Setting (Example 2):
Failover tab, Maximum failures in the specified period: 2
Failover tab, Period (hours): 6

Result:
In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state.
The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.

Lesson 4
Maintaining a Failover Cluster

When the cluster infrastructure is up and running, it is very important to establish monitoring to prevent possible failures. Also, it is important to have backup and restore procedures for the cluster configuration. In Windows Server 2012, there is a new technology that lets you update cluster nodes without downtime. In this lesson, you will learn about monitoring, backup, and restore, and about updating cluster nodes.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe how to monitor failover clusters.
- Describe how to back up and restore cluster configuration.
- Describe how to troubleshoot failover clusters.
- Describe Cluster-Aware Updating.
- Configure Cluster-Aware Updating.

Monitoring Failover Clusters

Many tools are available to help you monitor failover clusters. You can use standard Windows Server tools, such as the Event Viewer and the Performance and Reliability Monitor snap-in, to review cluster event logs and performance metrics. You can also use Cluster.exe and Tracerpt.exe to export data for analysis. Additionally, you can use the MHTML-formatted cluster configuration reports and the Validate a Configuration Wizard to troubleshoot problems with the cluster configuration and hardware changes.

Event Viewer

When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning severity level. Additionally, informational level events are logged to the Failover Clustering Operations log, which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder. Informational-level events are usually common cluster operations, such as cluster nodes leaving and joining the cluster, or resources going offline or coming online.

In previous Windows Server versions, event logs were replicated to each node in the cluster. This simplified cluster troubleshooting, because you could review all event logs on a single cluster node. Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster Management snap-in has a Cluster Events option that enables you to view and filter events across all cluster nodes. This feature is helpful in correlating events across cluster nodes.

The Failover Cluster Management snap-in also provides a Recent Cluster Events option that will query all the Error and Warning events from all the cluster nodes in the last 24 hours.

You can access additional logs, such as the Debug and Analytic logs, in the Event Viewer. To display these logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs options.

Windows Event Tracing

Windows event tracing is a kernel component that is available early after startup, and late into shutdown. It is designed to allow for fast tracing and delivery of events to trace files and to consumers. Because it is designed to be fast, it enables only basic in-process filtering of events based on event attributes. The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on how you want to view the data, use either Cluster.exe or Tracerpt.exe to access the information in the event trace log.

Tracerpt.exe will parse the event trace logs only on the node on which it is run. All the individual logs are collected in a central location. To transform the XML file into a text file or an HTML file that can be opened in Internet Explorer, you can parse the XML-based file by using the Microsoft XSL parsing command prompt utility msxsl.exe, and an XSL style sheet.
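Because Windows Server 2012 no longer replicates event logs between nodes, the "Recent Cluster Events" query and the event trace collection described in the two sections above are worth scripting so that they run against every node in one pass. The following is an added example and not course material; it assumes it runs on a cluster node (or a management station with the Failover Clustering Tools and remote event log access) and that the destination folder for the trace logs is writable. The Get-ClusterLog cmdlet is used in place of Tracerpt.exe to turn the event trace into readable cluster.log files.

```powershell
# Added example (not from the course): gather Critical/Error/Warning cluster
# events from every node for the last 24 hours, then collect the event trace
# logs from all nodes into one folder.
Import-Module FailoverClusters

$since = (Get-Date).AddHours(-24)
$nodes = (Get-ClusterNode).Name

# The Failover Clustering Operational channel is the "Operations" log under
# Applications and Services Logs\Microsoft\Windows\FailoverClustering.
# Level 1 = Critical, 2 = Error, 3 = Warning.
$recent = foreach ($node in $nodes) {
    Get-WinEvent -ComputerName $node -FilterHashtable @{
        LogName   = 'Microsoft-Windows-FailoverClustering/Operational'
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object @{n='Node'; e={$node}}, TimeCreated, Id, LevelDisplayName, Message
}

# Interleave by time so that the same incident seen from several nodes lines
# up, which is what the snap-in's Cluster Events view does for you.
$recent | Sort-Object TimeCreated | Format-Table Node, TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# Generate cluster.log from the ETW trace on every node, covering the last
# 60 minutes, and copy each one (named after its node) into a central folder.
$dest = 'C:\ClusterLogs'   # assumption
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-ClusterLog -TimeSpan 60 -Destination $dest -UseLocalTime
Get-ChildItem -Path $dest -Filter '*_cluster.log'
```

Keep the time span tight when generating cluster logs on a busy cluster: the trace is verbose, and a log that covers only the minutes around the failure is both smaller and quicker to correlate with the event timestamps gathered in the first half of the script.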

Performance and Reliability Monitor Snap-In

The Performance and Reliability Monitor snap-in lets you:

- Trend application performance on each node. To determine how an application is performing, you can view and trend specific information on system resources that are being used on each node.

- Trend application failures and stability on each node. You can pinpoint when application failures occur and match the application failures with other events on the node.

- Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.

Backing Up and Restoring Failover Cluster Configuration

Cluster configuration can be a time-consuming process with many details, and so backup of the cluster configuration is very important. You can perform backup and restore of the cluster configuration with Windows Server Backup or a third-party backup tool. When you back up the cluster configuration, be aware of the following:

- You must test your backup and recovery process before putting a cluster into production.

- You must first add the Windows Server Backup feature, if you decide to use it. You can do this by using Server Manager.

Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To complete a successful backup, consider the following:

- For a backup to succeed in a failover cluster, the cluster must be running and must have quorum. In other words, enough nodes must be running and communicating (perhaps with a witness disk or witness file share, depending on the quorum configuration) that the cluster has achieved quorum.

- You must back up all clustered applications. If you cluster a Microsoft SQL Server database, you must have a backup plan for the databases and configuration outside the cluster configuration.

- If application data must be backed up, the disks that you store the data on must be made available to the backup software. You can achieve this by running the backup software from the cluster node that owns the disk resource, or by running a backup against the clustered resource over the network.

- The Cluster service keeps track of which cluster configuration is the most recent, and it replicates that configuration to all cluster nodes. If the cluster has a witness disk, the Cluster service also replicates the configuration to the witness disk.

Restoring a Cluster

There are two types of restore:

- Non-authoritative restore. Use a non-authoritative restore when a single node in the cluster is damaged or rebuilt, and the rest of the cluster is operating correctly. Perform a non-authoritative restore by restoring the system recovery (system state) information to the damaged node. When you restart that node, it will join the cluster and receive the latest cluster configuration automatically.

- Authoritative restore. Use an authoritative restore when the cluster configuration must be rolled back to a previous point in time. For example, you would use an authoritative restore if an administrator accidentally removed clustered resources or modified other cluster settings. Perform the authoritative restore by stopping the cluster resource on each node, and then performing a system recovery (system state) on a single node by using the command-line Windows Server Backup interface. After the restored node restarts the cluster service, the remaining cluster nodes can also start the cluster service.
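The backup prerequisites and the authoritative restore sequence above can be put into one script that checks quorum before backing up and stops every node's Cluster service before the command-line recovery. The following is an added example and not course material; it assumes a local volume E: as the backup target, that the script runs on a cluster node, and the backup version identifier is a placeholder to be taken from the output of wbadmin get versions.

```powershell
# Added example (not from the course): system state backup of a cluster node
# (which carries the cluster configuration) and the authoritative restore
# sequence using wbadmin.exe, the command-line Windows Server Backup interface.
Import-Module FailoverClusters

# Windows Server Backup must be added first; this also installs wbadmin.exe.
Install-WindowsFeature -Name Windows-Server-Backup

# A backup only succeeds while the cluster has quorum, so check that the
# nodes that are Up (plus any witness) can form a majority before starting.
$quorum = Get-ClusterQuorum
$up     = @(Get-ClusterNode | Where-Object { $_.State -eq 'Up' }).Count
"Quorum type: $($quorum.QuorumType); nodes up: $up; witness: $($quorum.QuorumResource)"

# System state backup to a local volume (assumption: E: is a dedicated backup
# volume, not one of the clustered disks).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# ---- Authoritative restore (roll the whole cluster configuration back) ----

# 1. Stop the Cluster service on every node. Stop-Cluster does this for all
#    nodes at once; nothing is highly available until the restore completes.
Stop-Cluster -Force

# 2. On one node, recover the cluster configuration from a chosen backup
#    version. The version identifier is a placeholder: list real ones with
#    "wbadmin get versions" and substitute the one to roll back to.
$version = '01/15/2013-02:00'   # placeholder, format MM/DD/YYYY-HH:MM
wbadmin start recovery "-version:$version" -itemType:App -items:Cluster

# 3. The restored node's Cluster service comes back with the old
#    configuration; start the remaining nodes so they take that copy.
Get-ClusterNode | Where-Object { $_.State -ne 'Up' } | Start-ClusterNode
```

The quorum check matters twice: once for the backup, as the text says, and again at restore time, because the authoritative copy on the first node must win over the configuration the other nodes still hold, which is why every other node's Cluster service has to be stopped before the recovery is started.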

Troubleshooting Failover Clusters

Although the cluster validation implemented in Windows Server 2012 Failover Clustering prevents misconfigurations and non-working clusters, in some cases you have to perform cluster troubleshooting. To troubleshoot a failover cluster, follow these guidelines:

- Use the Validate a Configuration Wizard to highlight configuration issues that might cause cluster problems.

- Review cluster events and trace logs to identify application or hardware issues that might cause an unstable cluster.

- Review hardware events and logs to help pinpoint specific hardware components that might cause an unstable cluster.

- Review SAN components, switches, adapters, and storage controllers to help identify any potential problems.

When troubleshooting failover clusters, you must:

- Identify the perceived problem by collecting and documenting the symptoms of the problem.

- Identify the scope of the problem so that you can understand what is being affected by the problem, and what impact that effect has on the application and the clients.

- Collect information so that you can accurately understand and pinpoint the possible problem. After you identify a list of possible problems, you can prioritize them by probability, or the impact of a repair. If the problem cannot be pinpointed, you should attempt to re-create the problem.

- Create a schedule for repairing the problem. For example, if the problem only affects a small subset of users, you can delay the repair to an off-peak time so that you can schedule downtime.

- Complete and test each repair one at a time so that you can identify the fix.

To troubleshoot SAN issues, start by checking physical connections and each of the hardware component logs. Additionally, run the Validate a Configuration Wizard to verify that the current cluster configuration is still supportable. When you run the Validate a Configuration Wizard, ensure that the storage tests that you select can be run on an online failover cluster. Several of the storage tests cause loss of service on the clustered disk when the tests are run.

Troubleshooting Group and Resource Failures

To troubleshoot group and resource failures:

- Use the Dependency Viewer in the Failover Cluster Management snap-in to identify dependent resources.

- Check the Event Viewer and trace logs for errors from the dependent resources.

- Determine whether the problem only happens on a specific node, or nodes, by trying to re-create the problem on different nodes.
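The dependency rules from "Dependent Resources" in Lesson 3 (a file share should depend on the disk that holds it) and the resource-failure steps just above can both be worked from PowerShell, which is also the only option on a Server Core node. The following is an added example and not course material; the resource name "Adatum Share", the provider "Cluster Disk 3" and the group name are hypothetical, and the node names follow the module's demonstrations.

```powershell
# Added example (not from the course): declare a recommended dependency, then
# list non-online resources with what they depend on and re-create a failure
# on another node to see whether it is node-specific.
Import-Module FailoverClusters

# Make a resource depend on its disk so it goes offline before the disk and
# comes online after it. (A File Server role created with
# Add-ClusterFileServerRole already carries this dependency.)
Add-ClusterResourceDependency -Resource 'Adatum Share' -Provider 'Cluster Disk 3'   # hypothetical names

# Step 1 equivalent of the Dependency Viewer: every resource that is not
# Online, its owner node and the expression it depends on. A Failed provider
# in this list is usually the real cause of a dependent resource's failure.
Get-ClusterResource | Where-Object { $_.State -ne 'Online' } | ForEach-Object {
    $dep = Get-ClusterResourceDependency -Resource $_.Name
    [pscustomobject]@{
        Resource  = $_.Name
        State     = $_.State
        Owner     = $_.OwnerNode.Name
        DependsOn = $dep.DependencyExpression
    }
} | Format-Table -AutoSize

# The dependency report is the HTML form of the Dependency Viewer for a group.
$report = Get-ClusterResourceDependencyReport -Group 'Adatum App'   # hypothetical group
"Dependency report: $($report.FullName)"

# Step 3: try to re-create the problem on a different node. If the group comes
# Online on LON-SVR4 but not on LON-SVR3, the cause is local to LON-SVR3
# (driver, missing role, path); if it fails on both, look at the shared
# resource (storage, network name, application data).
Move-ClusterGroup -Name 'Adatum App' -Node 'LON-SVR4'
Get-ClusterGroup -Name 'Adatum App' | Select-Object Name, OwnerNode, State
```

For the event-log half of step 2, the per-node query shown under "Event Viewer" earlier in this lesson applies unchanged; filter it by the owner node reported in the table above.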

What Is Cluster-Aware Updating?

Applying operating system updates to nodes in a cluster requires special attention. If you want to provide zero downtime for a clustered role, you must manually update cluster nodes one after another, and you must manually move resources from the node being updated to another node. This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented a new feature for automatic update of cluster nodes.

Cluster-Aware Updating (CAU) is a feature that lets administrators automatically update cluster nodes with little or no loss in availability during the update process. During an update procedure, CAU transparently takes each cluster node offline, installs the updates and any dependent updates, performs a restart if necessary, brings the node back online, and then moves on to update the next node in the cluster. For many clustered roles, this automatic update process triggers a planned failover, and it can cause a transient service interruption for connected clients. However, for continuously available workloads in Windows Server 2012, such as Hyper-V with live migration or file server with SMB Transparent Failover, CAU can orchestrate cluster updates with no effect on service availability.

Cluster Updating Modes

CAU can orchestrate the complete cluster updating operation in two modes:

- Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8 is configured as an orchestrator. To configure a computer as a CAU orchestrator, you must install the Failover Clustering administrative tools on it. The orchestrator computer is not a member of the cluster that is updated during the procedure. From the orchestrator computer, the administrator triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are running on Server Core installations of Windows Server 2012.

- Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process starts on the node that currently owns the CAU clustered role, and the process sequentially performs updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by using a fully automated, end-to-end updating process. An administrator can also trigger updates on-demand in this mode, or use the remote-updating approach if desired. In the self-updating mode, an administrator can access summary information about an Updating Run in progress by connecting to the cluster and running the Get-CauRun Windows PowerShell cmdlet.

To use CAU, you must install the Failover Clustering feature in Windows Server 2012 and create a failover
cluster. The components that support CAU functionality are automatically installed on each cluster node.
You must also install the CAU tools, which are included in the Failover Clustering Tools (which are also
part of the Remote Server Administration Tools, or RSAT). The CAU tools consist of the CAU UI and the
CAU Windows PowerShell cmdlets. The Failover Clustering Tools are installed by default on each cluster
node when you install the Failover Clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8 and that has network connectivity
to the failover cluster.

Demonstration: Configuring Cluster-Aware Updating

Demonstration Steps
1. Make sure that the cluster is configured and running on LON-SVR3 and LON-SVR4.
2. Add the Failover Clustering feature to LON-DC1.
3. Run Cluster-Aware Updating on LON-DC1 and configure it to connect to Cluster1.
4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.
5. Review available options for the Updating Run Profile.
6. Apply available updates to Cluster1 from LON-DC1.
7. After updates are applied, configure Cluster self-updating options on LON-SVR3.
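Both updating modes described above, and the demonstration steps, are exposed by the ClusterAwareUpdating module's cmdlets. The following is an added example and not course material; it assumes it runs on LON-DC1 with the Failover Clustering Tools installed (as in the demonstration), that Cluster1 is reachable, and that the self-updating schedule shown is an assumption rather than a course value.

```powershell
# Added example (not from the course): remote-updating mode from an
# orchestrator, then enabling self-updating mode on the cluster.
Import-Module ClusterAwareUpdating

$cluster = 'Cluster1'

# Checks the prerequisites CAU needs on every node (firewall rules for
# remote shutdown, PowerShell remoting, CAU role prerequisites).
Test-CauSetup -ClusterName $cluster

# Demonstration step 4: preview the updates each node would receive without
# installing anything.
Invoke-CauScan -ClusterName $cluster | Format-List

# Demonstration step 6: an on-demand Updating Run from this orchestrator.
# The limits correspond to the Updating Run Profile options: stop the run if
# more than one node fails, retry a node up to three times, and refuse to
# start unless every node is online, so that draining one node cannot cost
# the cluster its quorum.
Invoke-CauRun -ClusterName $cluster -MaxFailedNodes 1 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Demonstration step 7: self-updating mode. Add the CAU clustered role with
# a schedule (assumption: 03:00 on the first Sunday of each month); the node
# that owns the role then orchestrates the run with no external computer.
Add-CauClusterRole -ClusterName $cluster -DaysOfWeek Sunday -WeeksOfMonth 1 `
    -StartDate '2013-01-01T03:00:00' -MaxFailedNodes 1 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -EnableFirewallRules -Force

# Progress of a run that is currently in progress, and the last run's report.
Get-CauRun -ClusterName $cluster
Get-CauReport -ClusterName $cluster -Last -Detailed
```

Setting -MaxFailedNodes to 1 on a two-node cluster is deliberate: a node that fails to update and stays paused still leaves the other node serving the workload, whereas allowing both to fail would mean no working node was guaranteed at the end of the run.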

Lesson
n5

Imple
ementin
ng a Mu
ulti-Site
e Failove
er Clustter

MCT USE ONLY. STUDENT USE PROHIBITED

Upgrrading Your Skillss to MCSA Wind


dows Server 20
012

7-27

In
n some scenarios, you have to
t deploy clustter nodes on d
different sites. Usually, you d
do this when yo
ou build
diisaster-recoverry solutions. In
n this lesson, yo
ou will learn a bout deployin
ng multi-site cllusters.

Le
esson Objecctives
After completin
ng this lesson, you
y will be able to:

Describe a multi-site cluster.

us replication.
Describe syynchronous and asynchronou

Describe ho
ow to choose a quorum mod
de for multi-si te clusters.

Describe th
he challenges for
f implementing multi-site clusters.

Describe th
he consideratio
ons for deploying multi-site clusters.

What Is a Multi-Site Cluster?

A multi-site cluster provides highly-available services in more than one location. Multi-site clusters can solve several specific problems. However, they also present specific challenges.

In a multi-site cluster, each site usually has a separate storage system with replication between the sites. Multi-site cluster storage replication enables each site to be independent, and provides fast access to the local disk. With separate storage systems, you cannot share a single disk between sites.

A multi-site cluster has three main advantages compared with a manually maintained standby server at a remote site:

- When a site fails, a multi-site cluster automatically fails over the clustered service or application to another site.
- Because the cluster configuration is automatically replicated to each cluster node in a multi-site cluster, there is less administrative overhead than with a cold standby server, which requires you to manually replicate changes.
- The automated processes in a multi-site cluster reduce the possibility of human error, which is present in manual processes.

Because of the increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution for every application or business. When you are considering whether to deploy a multi-site cluster, you should evaluate the importance of the applications to the business, the type of applications, and any alternative solutions. Some applications can provide multi-site redundancy easily with log shipping or other processes, and can still achieve sufficient availability with only a modest increase in cost and complexity.

The complexity of a multi-site cluster requires better architectural and hardware planning. It also requires you to develop business processes to routinely test the cluster functionality.

Synchronous and Asynchronous Replication

It is not possible for a geographically-dispersed failover cluster to use shared storage between physical locations. Wide area network (WAN) links are too slow and have too much latency to support shared storage. Geographically-dispersed failover clusters must therefore synchronize data between locations by using a separate replication solution (hardware-based, host-based, or application-based). Multi-site data replication can be either synchronous or asynchronous:

- When you use synchronous replication, the host receives a write-complete response from the primary storage only after the data is written successfully on both storage systems. If the data is not written successfully to both storage systems, the application must attempt to write to the disk again. With synchronous replication, both storage systems are identical.

- When you use asynchronous replication, the node receives a write-complete response from the storage after the data is written successfully on the primary storage. The data is written to the secondary storage on a different schedule, depending on the hardware or software vendor's implementation. Asynchronous replication can be storage-based, host-based, or even application-based. However, not all forms of asynchronous replication are sufficient for a multi-site cluster. For example, Distributed File System Replication (DFS-R) provides file-level asynchronous replication, but it does not support multi-site Failover Clustering replication. This is because DFS-R replicates smaller documents that are not held open continuously; it was not designed for high-speed replication of open files.

When to Use Synchronous or Asynchronous Replication

Use synchronous replication when data loss cannot be tolerated. Synchronous replication solutions require low disk-write latency, because the application waits for both storage solutions to acknowledge the data writes. The requirement for low-latency disk writes also limits the distance between the storage systems, because increased distance can cause higher latency. If the disk latency is high, the performance and even the stability of the application can be affected.

Asynchronous replication overcomes latency and distance limitations by acknowledging local disk writes only, and by reproducing the disk write on the remote storage system in a separate transaction. Because asynchronous replication writes to the remote storage system after it writes to the local storage system, the possibility of data loss during a failure is increased.

Choosing a Quorum Mode for Multi-Site Clusters

For a geographically-dispersed cluster, you cannot use quorum configurations that require a shared disk, because geographically-dispersed clusters do not use shared disks. Both the Node and Disk Majority and the No Majority: Disk Only quorum modes require a shared witness disk to provide a vote for determining quorum. You should only use these two quorum modes if the hardware vendor specifically recommends and supports them.

To use the Node and Disk Majority and No Majority: Disk Only modes in a multi-site cluster, the shared disk requires that:

- You preserve the semantics of the SCSI commands across the sites, even if a complete communication failure occurs between the sites.
- You replicate the witness disk in real-time synchronous mode across all sites.

Because multi-site clusters can have WAN failures in addition to node and local network failures, Node Majority and Node and File Share Majority are better solutions for multi-site clusters. If there is a WAN failure that causes the primary and secondary sites to lose communication, a majority must still be available to continue operations.

If there is an odd number of nodes, use the Node Majority quorum. If there is an even number of nodes, which is typical in a geographically-dispersed cluster, use the Node and File Share Majority quorum.

If you are using Node Majority and the sites lose communication, you need a mechanism to determine which nodes stay up, and which nodes drop out of cluster membership. The second site requires another vote to obtain quorum after a failure. To obtain another vote for quorum, you must join another node to the cluster, or create a file share witness.

The Node and File Share Majority mode can help maintain quorum without adding another node to the cluster. To provide for a single-site failure and enable automatic failover, the file share witness might have to exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you must create a separate file share for each cluster.

You must use three locations to enable automatic failover of a highly-available service or application. Locate one node in the primary location that runs the highly-available service or application. Locate a second node in a disaster-recovery site, and locate the file share witness in a third location.

There must be direct network connectivity between all three locations. In this manner, if one site becomes unavailable, the two remaining sites can still communicate and have enough votes for a quorum.

Note: In Windows Server 2008 R2, administrators could configure the quorum to include nodes. However, if the quorum configuration included nodes, all nodes were treated equally according to their votes. In Windows Server 2012, cluster quorum settings can be adjusted so that when the cluster determines whether it has quorum, some nodes have a vote and some do not. This adjustment can be useful when solutions are implemented across multiple sites.
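The following Windows PowerShell script is an added example and is not part of the course or the lab. It puts the quorum guidance above into practice on a two-node, two-site cluster: it creates a witness share at a third location that only the cluster name object (CNO) can access, switches the cluster to Node and File Share Majority, and uses the Windows Server 2012 NodeWeight property to declare explicitly which nodes vote. The cluster name Cluster1, the nodes LON-SVR3 and LON-SVR4, the witness host LON-DC1, the share name and path, and the domain NetBIOS name ADATUM are assumptions for illustration.

```powershell
# Added example, not from the course: move a two-node cluster to Node and File Share
# Majority with the witness at a third site, and set the node votes explicitly.
# Assumptions: cluster Cluster1, nodes LON-SVR3 (primary site) and LON-SVR4 (DR site),
# witness host LON-DC1 at the third location, domain NetBIOS name ADATUM.
Import-Module FailoverClusters
$ClusterName = 'Cluster1'
$WitnessHost = 'LON-DC1'
$ShareName   = "$ClusterName-Witness"      # one share per cluster, as the lesson requires
$SharePath   = "C:\Witness\$ClusterName"
$Cno         = "ADATUM\$ClusterName`$"     # the cluster name object's computer account

# 1. Create the witness share. Only the CNO needs access, on the share and on NTFS;
#    a share that Everyone can write is a share in which anyone can corrupt the witness.
Invoke-Command -ComputerName $WitnessHost -ArgumentList $ShareName,$SharePath,$Cno -ScriptBlock {
    param($Name,$Path,$Account)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    New-SmbShare -Name $Name -Path $Path -FullAccess $Account | Out-Null
    $Acl  = Get-Acl -Path $Path
    $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account,'FullControl','ContainerInherit,ObjectInherit','None','Allow'
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $Acl
}

# 2. Replace the disk witness with the file share witness.
Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority "\\$WitnessHost\$ShareName"

# 3. Windows Server 2012 lets you decide which nodes vote. Declare the voting set
#    explicitly so that a site with more nodes cannot out-vote the DR site plus witness.
function Set-ClusterNodeVotes {
    param([string]$Cluster, [string[]]$VotingNodes)
    foreach ($node in Get-ClusterNode -Cluster $Cluster) {
        $node.NodeWeight = if ($VotingNodes -contains $node.Name) { 1 } else { 0 }
    }
}
Set-ClusterNodeVotes -Cluster $ClusterName -VotingNodes 'LON-SVR3','LON-SVR4'

# 4. Verify: two node votes plus the witness vote, and the witness resource online.
Get-ClusterQuorum -Cluster $ClusterName | Format-List QuorumType, QuorumResource
Get-ClusterNode  -Cluster $ClusterName | Format-Table Name, State, NodeWeight -AutoSize
Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType.Name -eq 'File Share Witness' } |
    Format-Table Name, State, OwnerNode -AutoSize
```

With two nodes and a witness, both nodes keep their vote; in an asymmetric layout (for example three nodes in the primary site and two in the disaster-recovery site) pass only the nodes that should count to Set-ClusterNodeVotes, so that losing the WAN link leaves the disaster-recovery site plus the witness able to form a majority. Keep the witness host out of both cluster sites; a witness that shares a site's fate cannot break the tie when that site is the one that goes dark.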

Challenges for Implementing a Multi-Site Cluster

Implementation of multi-site clusters is more complex than implementation of single-site clusters, and can also present several challenges to the administrator. The most important challenges when you implement multi-site clusters are related to storage and network.

In a multi-site cluster, there is no shared storage that the cluster nodes use. This means that the nodes on each site must have their own storage instance. On the other hand, Failover Clustering does not include any built-in functionality to replicate data between sites. There are three options for replicating data: block-level hardware-based replication, software-based file replication installed on the host, or application-based replication.

Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not acknowledge data changes that are made in, for example, Site A until the data is successfully written to Site B. With asynchronous replication, data changes that are made in Site A are eventually written to Site B.

When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not find any shared storage, and will therefore not run. However, you can still create a cluster. If you follow the hardware manufacturer's recommendations for Windows Server Failover Clustering hardware, Microsoft will support the solution.

Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered application or service to change its IP address based on the IP subnet. DNS updates the clustered application's DNS record so that clients can locate the changed IP address. Because clients rely on DNS to find a service or application after a failover, you might have to adjust the DNS record's Time to Live (TTL), and the speed at which DNS data is replicated. Additionally, when cluster nodes are in multiple sites, network latency might require you to modify the inter-node communication (heartbeat) delay and time-out thresholds.
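The following Windows PowerShell script is an added example and is not part of the course. It works through the two adjustments named in the paragraph above on a stretched cluster: it shows and relaxes the cross-subnet heartbeat delay and threshold, and it lowers the DNS TTL of a clustered network name and stops it registering the addresses of every site at once. The cluster name Cluster1, the file server role AdatumFS (whose Network Name resource is the one in that group), the DNS server LON-DC1 and the domain name Adatum.com are assumptions for illustration.

```powershell
# Added example, not from the course: heartbeat and DNS settings for a stretched cluster.
# Assumptions: cluster Cluster1, file server role AdatumFS, DNS on LON-DC1, domain Adatum.com.
Import-Module FailoverClusters
$Cluster = Get-Cluster -Name 'Cluster1'

# Heartbeat: delay is the interval in milliseconds, threshold the number of missed
# heartbeats before the partner is declared down. Show the current values first.
'SameSubnetDelay','SameSubnetThreshold','CrossSubnetDelay','CrossSubnetThreshold' |
    ForEach-Object { '{0,-22} {1}' -f $_, $Cluster.$_ }

# Relax only the cross-subnet (WAN) path: 2 s x 10 misses = 20 s before a node is declared
# down. Leave the same-subnet values alone; within a site a fast eviction is what you want.
$Cluster.CrossSubnetDelay     = 2000
$Cluster.CrossSubnetThreshold = 10

# DNS: lower the clustered name's TTL so clients re-resolve soon after a cross-site failover,
# and register only the active site's IP (with all IPs registered, clients keep trying the
# dead site's address until their cached record expires).
$NetName = Get-ClusterResource -Cluster $Cluster.Name |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' -and $_.OwnerGroup.Name -eq 'AdatumFS' }
$NetName | Get-ClusterParameter | Where-Object Name -in 'HostRecordTTL','RegisterAllProvidersIP' |
    Format-Table Name, Value -AutoSize
$NetName | Set-ClusterParameter -Name HostRecordTTL -Value 300     # seconds; the default is 1200
$NetName | Set-ClusterParameter -Name RegisterAllProvidersIP -Value 0

# Parameter changes apply when the resource restarts; this takes AdatumFS offline briefly.
$NetName | Stop-ClusterResource  | Out-Null
$NetName | Start-ClusterResource | Out-Null

# Confirm the record that clients will actually see. The CNO computer account must be allowed
# to update this record (secure dynamic updates), or a failover leaves DNS pointing at the old site.
Resolve-DnsName -Name 'AdatumFS.Adatum.com' -Server 'LON-DC1' -Type A |
    Format-Table Name, IPAddress, TTL -AutoSize
```

A TTL of 300 seconds bounds the time a client keeps using the failed site's address to five minutes; going much lower trades that for a steady stream of DNS queries from every client. If Active Directory-integrated zones replicate between sites less often than that, the TTL is not the limiting factor and the zone replication interval is what to adjust next.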

Deploying Considerations for a Multi-Site Cluster

Multi-site clusters are not appropriate for every application or every business. When you design a multi-site solution with a hardware vendor, clearly identify the business requirements and expectations. Not every scenario that involves more than one location is appropriate for a multi-site cluster.

Multi-site clustering is a high-availability strategy that primarily focuses on hardware platform availability. However, specific multi-site cluster configuration and deployment choices have availability ramifications, ranging from the ability of users to connect to the application to the quality of performance of the application. Multi-site clustering can be a powerful solution in dealing with planned and unplanned downtime, but its benefits must be examined against all the dimensions of application availability.

Multi-site clusters do require more overhead than local clusters. Unlike a local cluster, in which each node of the cluster is attached to the same mass storage device, each site of a multi-site cluster must have comparable storage. In addition, you will also have to consider vendors to set up your data replication schemes between cluster sites, possibly pay for additional network bandwidth between sites, and develop the management resources within your organization to efficiently administer your multi-site cluster. Additionally, carefully consider the quorum mode that you will use, and the location of the available cluster votes.

Lab: Implementing Failover Clustering

Scenario

As A. Datum's business grows, it is becoming increasingly important that many of the applications and
services on the network are available at all times. A. Datum has many services and applications that have
to be available to internal and external users who work in different time zones around the world. Many of
these applications cannot be made highly available by using Network Load Balancing. Therefore, you have
to use a different technology to make these applications highly available.
As one of the senior network administrators at A. Datum, you will be responsible for implementing
Failover Clustering on the Windows Server 2012 servers in order to provide high availability for network
services and applications. You will also be responsible for planning the Failover Cluster configuration, and
deploying applications and services on the Failover Cluster.

Objectives
After completing this lab, you will be able to:

- Configure a failover cluster.
- Deploy and configure a highly-available file server.
- Validate the deployment of the highly-available file server.
- Configure Cluster-Aware Updating on the failover cluster.

Lab Setup
Estimated time: 90 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR3, 20417A-LON-SVR4
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR3, and 20417A-LON-SVR4.
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring a Failover Cluster

Scenario
A. Datum has important applications and services that they want to make highly available. Some of these services cannot use Network Load Balancing. Therefore, you decided to implement Failover Clustering. Because iSCSI storage is set up, you decided to use the iSCSI storage for Failover Clustering. First, you will implement the core components for Failover Clustering, validate the cluster, and then create the failover cluster.

The main tasks for this exercise are as follows:
1. Connect clients to the iSCSI targets.
2. Install the Failover Clustering feature.
3. Validate the servers for Failover Clustering.
4. Create the failover cluster.

Task 1: Connect clients to the iSCSI targets
1. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with the IP address 172.16.0.21.
2. Connect to the discovered target in the Targets list.
3. Repeat steps 1 and 2 on LON-SVR4.
4. Open Disk Management on LON-SVR3.
5. Bring online and initialize the three new disks.
6. Make a simple volume on each disk and format it with NTFS.
7. On LON-SVR4, open Disk Management, and bring online and initialize the three new disks.

Task 2: Install the Failover Clustering feature
1. On LON-SVR3, install the Failover Clustering feature by using Server Manager.
2. On LON-SVR4, install the Failover Clustering feature by using Server Manager.

Task 3: Validate the servers for Failover Clustering
1. On LON-SVR3, open the Failover Cluster Manager console.
2. Start the Validate a Configuration Wizard.
3. Use LON-SVR3 and LON-SVR4 as the nodes for the test.
4. Review the report.

Task 4: Create the failover cluster
1. On LON-SVR3, in Failover Cluster Manager, start the Create Cluster Wizard.
2. Use LON-SVR3 and LON-SVR4 as cluster nodes.
3. Specify Cluster1 as the Access Point name.
4. Specify the IP address as 172.16.0.125.

Results: After this exercise, you will have installed and configured the Failover Clustering feature.

Exercise 2: Deploying and Configuring a Highly-Available File Server

Scenario
In A. Datum, File Services is one of the important services that must be highly available. After you have created a cluster infrastructure, you decided to configure a highly-available file server and implement settings for failover and failback.

The main tasks for this exercise are as follows:
1. Add the File Server application to the failover cluster.
2. Add a shared folder to a highly-available file server.
3. Configure failover and failback settings.

Task 1: Add the File Server application to the failover cluster
1. Add the File Server role service to LON-SVR3 and LON-SVR4.
2. On LON-SVR3, open the Failover Cluster Manager console.
3. In the Storage node, click Disks and verify that three cluster disks are online.
4. Add File Server as a cluster role.
5. Specify AdatumFS as the Client Access Name.
6. Specify 172.16.0.130 as the IP address for the cluster role.
7. Select Cluster Disk 2 as the storage disk for the AdatumFS role.

Task 2: Add a shared folder to a highly-available file server
1. On LON-SVR4, open Failover Cluster Manager.
2. Start the New Share Wizard and add a new shared folder to the AdatumFS cluster role.
3. Specify the file share profile as SMB Share - Quick.
4. Name the shared folder Docs.

Task 3: Configure failover and failback settings
1. On LON-SVR4, in Failover Cluster Manager, open the Properties for the AdatumFS cluster role.
2. Enable failback between 4 and 5 hours.
3. Select both LON-SVR3 and LON-SVR4 as the preferred owners.
4. Move LON-SVR4 to be first in the Preferred Owners list.

Results: After this exercise, you will have configured a highly-available file server.

Exercise 3: Validating the Deployment of the Highly-Available File Server

Scenario
In the process of implementing the failover cluster, you want to perform failover and failback tests.

The main tasks for this exercise are as follows:
1. Validate the highly-available file server deployment.
2. Validate the failover and quorum configuration for the File Server role.

Task 1: Validate the highly-available file server deployment
1. On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure that you can access the Docs folder.
2. Create a test text document inside this folder.
3. On LON-SVR3, in Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access the \\AdatumFS\ location.

Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node and that the \\AdatumFS\ location is still available.
4. Start the Cluster service on the node on which you stopped it in step 2.
5. Browse to the Disks node, and take the disk witness offline.
6. Verify that AdatumFS is still available.
7. Bring the disk witness online.

Results: After this exercise, you will have tested the failover scenarios.
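The following Windows PowerShell script is an added example and is not part of the lab; it performs Exercises 1 to 3 from a PowerShell session on LON-SVR3 instead of through the consoles, and adds the checks a practitioner would want: the validation report is read before the cluster is created, the Docs share gets explicit permissions instead of the wizard's defaults, and each failover test asserts that the share is still reachable. It assumes the lab's names and addresses (LON-SVR3, LON-SVR4, the iSCSI target at 172.16.0.21, Cluster1 at 172.16.0.125, AdatumFS at 172.16.0.130, the Adatum domain) and that Cluster Disk 2 received the drive letter F: when it was formatted; the groups Domain Admins and Domain Users used for the share permissions are assumptions.

```powershell
# Added example, not part of the 20417A lab: Exercises 1-3 scripted from LON-SVR3.
# Assumptions: run as Adatum\Administrator on LON-SVR3; the iSCSI target at 172.16.0.21
# presents three LUNs; "Cluster Disk 2" is mounted as F: after formatting (adjust
# $Disk2Letter if Disk Management assigned another letter).
$Nodes       = 'LON-SVR3','LON-SVR4'
$Portal      = '172.16.0.21'
$Disk2Letter = 'F'   # assumed

# --- Exercise 1, Task 1: connect both nodes to the target (persistent across reboots).
# The lab target has no CHAP. Outside the lab add -AuthenticationType ONEWAYCHAP
# -ChapUsername/-ChapSecret, or any host on the storage network can attach the LUNs.
Invoke-Command -ComputerName $Nodes -ArgumentList $Portal -ScriptBlock {
    param($Portal)
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $Portal | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
    Update-HostStorageCache
}

# Initialise and format the three new LUNs on LON-SVR3 only. Never format the same LUN
# from two nodes; LON-SVR4 only needs to see the disks (the cluster arbitrates ownership).
$NewDisks = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' }
$NewDisks | Set-Disk -IsOffline $false
$NewDisks | Set-Disk -IsReadOnly $false
$NewDisks | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null
Invoke-Command -ComputerName 'LON-SVR4' {
    Get-Disk | Where-Object BusType -eq 'iSCSI' | Set-Disk -IsOffline $false
}

# --- Exercise 1, Tasks 2-4: feature, validation, cluster. Read the validation report
# before creating the cluster; a failed storage or network test is a real finding.
foreach ($n in $Nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $n | Out-Null
}
Import-Module FailoverClusters
$Report = Test-Cluster -Node $Nodes          # returns the HTML report file
Invoke-Item -Path $Report.FullName
New-Cluster -Name Cluster1 -Node $Nodes -StaticAddress 172.16.0.125 | Out-Null

# --- Exercise 2: file server role on Cluster Disk 2, a Docs share scoped to AdatumFS with
# explicit permissions (SMB Share - Quick grants Everyone Read), and failback allowed only
# between 04:00 and 05:00 with LON-SVR4 preferred.
foreach ($n in $Nodes) { Install-WindowsFeature -Name FS-FileServer -ComputerName $n | Out-Null }
Add-ClusterFileServerRole -Cluster Cluster1 -Name AdatumFS -Storage 'Cluster Disk 2' `
    -StaticAddress 172.16.0.130 | Out-Null
Move-ClusterGroup -Cluster Cluster1 -Name AdatumFS -Node $env:COMPUTERNAME | Out-Null
$DocsPath = "${Disk2Letter}:\Shares\Docs"
New-Item -Path $DocsPath -ItemType Directory -Force | Out-Null
New-SmbShare -Name Docs -Path $DocsPath -ScopeName AdatumFS `
    -FullAccess 'Adatum\Domain Admins' -ChangeAccess 'Adatum\Domain Users' | Out-Null
$Group = Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS
Set-ClusterOwnerNode -Group $Group -Owners 'LON-SVR4','LON-SVR3'   # list order = preference
$Group.AutoFailbackType    = 1   # 1 = allow failback, 0 = prevent
$Group.FailbackWindowStart = 4   # hour of day, 0-23
$Group.FailbackWindowEnd   = 5

# --- Exercise 3: planned move, node failure, witness loss. Use -Cluster Cluster1 on every
# call so the cmdlets keep working while the local cluster service is stopped.
New-Item -Path '\\AdatumFS\Docs\failover-test.txt' -ItemType File -Value 'before failover' -Force | Out-Null
$Owner = (Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS).OwnerNode.Name
$Other = $Nodes | Where-Object { $_ -ne $Owner }
Move-ClusterGroup -Cluster Cluster1 -Name AdatumFS -Node $Other | Out-Null
if (-not (Test-Path '\\AdatumFS\Docs\failover-test.txt')) { throw 'Planned move: AdatumFS unreachable' }

$Owner = (Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS).OwnerNode.Name
Stop-ClusterNode -Cluster Cluster1 -Name $Owner | Out-Null      # unplanned failure of the owner
Start-Sleep -Seconds 30
if (-not (Test-Path '\\AdatumFS\Docs\failover-test.txt')) { throw 'Node failure: AdatumFS unreachable' }
Start-ClusterNode -Cluster Cluster1 -Name $Owner | Out-Null

$Witness = (Get-ClusterQuorum -Cluster Cluster1).QuorumResource   # the disk witness
Stop-ClusterResource -Cluster Cluster1 -Name $Witness.Name | Out-Null
Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS | Format-Table Name, State, OwnerNode -AutoSize
Start-ClusterResource -Cluster Cluster1 -Name $Witness.Name | Out-Null
```

Two of the lab's defaults are worth changing when you leave the lab: the iSCSI session is unauthenticated, so every host on the storage network can attach the cluster's disks, and the SMB Share - Quick profile publishes the share to Everyone. The witness test at the end only proves that the cluster survives losing one vote while both nodes are up; with the disk witness offline, losing a node as well would take the cluster down, which is the argument for the Node and File Share Majority configuration described in Lesson 5.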

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster

Scenario
Earlier, implementing updates to servers with critical services was causing unwanted downtime. To enable seamless and zero-downtime cluster updating, you want to implement the Cluster-Aware Updating feature and test updates for cluster nodes.

The main tasks for this exercise are as follows:
1. Configure Cluster-Aware Updating.
2. Update the failover cluster and configure self-updating.

Task 1: Configure Cluster-Aware Updating
1. On LON-DC1, install the Failover Clustering feature.
2. From Server Manager, open Cluster-Aware Updating.
3. Connect to Cluster1.
4. Preview the updates available for nodes in Cluster1.

Task 2: Update the failover cluster and configure self-updating
1. On LON-DC1, start the update process for Cluster1.
2. After the process is complete, configure self-updating for Cluster1, to be performed weekly, on Sundays at 4 A.M.

Results: After this exercise, you will have configured Cluster-Aware Updating.
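The following Windows PowerShell script is an added example and is not part of the course; it carries out both the Cluster-Aware Updating demonstration in Lesson 4 and Exercise 4 above from LON-DC1 with the CAU cmdlets instead of the console: a readiness check, a preview scan, one remote-updating run that stops at the first failed node, and the weekly self-updating schedule the exercise asks for. It assumes LON-DC1 is a domain member that can reach Cluster1, installs only the Failover Clustering Tools (RSAT) rather than the whole Failover Clustering feature, and uses an illustrative start date.

```powershell
# Added example, not from the course: the Cluster-Aware Updating demonstration and lab
# Exercise 4 from LON-DC1. Assumptions: LON-DC1 is a domain member that can reach Cluster1;
# the schedule is the lab's (weekly, Sundays, 04:00); the start date below is illustrative.
# The CAU tools ship with the Failover Clustering Tools (RSAT), so the coordinating computer
# does not need the Failover Clustering feature itself.
Install-WindowsFeature -Name RSAT-Clustering | Out-Null
Import-Module ClusterAwareUpdating
$ClusterName = 'Cluster1'
$Plugin      = 'Microsoft.WindowsUpdatePlugin'

# 1. Readiness: PowerShell remoting and the CAU firewall rules must be in place on every node.
Test-CauSetup -ClusterName $ClusterName | Format-Table -AutoSize

# 2. Preview without changing anything on the nodes.
Invoke-CauScan -ClusterName $ClusterName -CauPluginName $Plugin |
    Format-Table NodeName, UpdateTitle -AutoSize

# 3. Remote-updating run from LON-DC1. -MaxFailedNodes 0 aborts the run at the first node
#    that fails to update, so a bad update never reaches the last node of the cluster.
Invoke-CauRun -ClusterName $ClusterName -CauPluginName $Plugin `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force
Get-CauReport -ClusterName $ClusterName -Last -Detailed | Format-List

# 4. Self-updating: a CAU clustered role inside the cluster runs on the schedule. The time of
#    day comes from -StartDate. The role needs its own computer object in Active Directory;
#    prestage it, or grant the CNO "Create Computer objects" on its OU before adding the role.
Add-CauClusterRole -ClusterName $ClusterName -CauPluginName $Plugin `
    -DaysOfWeek Sunday -IntervalWeeks 1 -StartDate '01/06/2013 04:00' `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -EnableFirewallRules -Force
Get-CauClusterRole -ClusterName $ClusterName
```

Keep the detailed report from each run; it records, per node, which updates were installed and whether the node was returned to the cluster, which is the evidence you need when a later incident is traced to a patch window. Running the coordinator on a domain controller is acceptable in the lab only; in production use a management server with the RSAT tools so that a compromised or misbehaving node does not hold a remoting session into a domain controller.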

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR3, MSL-TMG1, and 20417A-LON-SVR4.

Module Review and Takeaways

Review Questions
Question: Why is using a Disk-Only quorum configuration generally not a good idea?
Question: What is the purpose of Cluster-Aware Updating?
Question: What is the main difference between synchronous and asynchronous replication in a multi-site cluster scenario?
Question: What is an enhanced feature in multi-site clusters in Windows Server 2012?

Best Practices
- Try to avoid using a quorum model that depends only on a disk.
- Use Cluster Shared Volumes for Hyper-V high availability or for a Scale-Out File Server.
- Perform regular backups of the cluster configuration.
- Be sure that, if one node fails, the other nodes can handle the load.
- Carefully plan multi-site clusters.

Common Issues and Troubleshooting Tips

Common Issue                                                                              Troubleshooting Tip
The Validate a Configuration Wizard reports an error
The Create Cluster Wizard reports that not all nodes support the desired clustered role
You cannot create a Print Server cluster

Real-world Issues and Scenarios
Your organization is considering the use of a geographically-dispersed cluster that includes an alternative data center. Your organization has only a single physical location together with an alternative data center. Can you provide an automatic failover in this configuration?

Tools
The tools for implementing failover clustering include:
- Failover Cluster Manager console
- Cluster-Aware Updating console
- Windows PowerShell
- Server Manager
- iSCSI Initiator
- Disk Management

Module 8
Implementing Hyper-V

Contents:
Module Overview                                          8-1
Lesson 1: Configuring Hyper-V Servers                    8-2
Lesson 2: Configuring Hyper-V Storage                    8-8
Lesson 3: Configuring Hyper-V Networking                 8-16
Lesson 4: Configuring Hyper-V Virtual Machines           8-21
Lab: Implementing Server Virtualization with Hyper-V     8-27
Module Review and Takeaways                              8-33

Module Overview

Although server virtualization was deployed rarely on corporate networks only a decade ago, today it is a
core networking technology. Server administrators must be able to distinguish which server workloads
might run effectively in virtual machines and which need to remain in a traditional, physical deployment.
This module introduces you to the new features of the Hyper-V role, the components of the role, and
the best practices for deploying the role.

Objectives
After completing this module, you will be able to:

- Configure Hyper-V servers.
- Configure Hyper-V storage.
- Configure Hyper-V networking.
- Configure Hyper-V virtual machines.

Lesson 1: Configuring Hyper-V Servers

The Hyper-V role has undergone a substantial change in Windows Server 2012. New features, such as network utilization and Resource Metering, provide you with the ability to manage virtual machines effectively with Hyper-V version 3.0. In this lesson, you will learn about the new features in Hyper-V, as well as Hyper-V Integration Services and the factors that you need to consider when you are configuring Hyper-V hosts.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the new features in Hyper-V 3.0.
- Describe the hardware requirements for Hyper-V 3.0.
- Configure Hyper-V settings.
- Describe Hyper-V Integration Services.
- Describe the best practices for configuring Hyper-V hosts.

What's New in Hyper-V 3.0?

The Hyper-V role first became available after the release of Windows Server 2008. New features were added to the role, both in Windows Server 2008 R2 and in Windows Server 2008 R2 Service Pack 1 (SP1). Hyper-V in Windows Server 2012, also known as Hyper-V 3.0, includes the following major improvements:

- Virtual machine replication
- Hyper-V PowerShell support
- Quality of Service (QoS) bandwidth management
- Non-Uniform Memory Access (NUMA) support
- Memory improvements

Virtual Machine Replication

You can use Hyper-V Replica to perform asynchronous replication of important virtual machines from a host server to a replica server; changes are sent to the replica at intervals rather than with every write. In the event that the host server fails, you can configure failover to the replica server. For more information on Hyper-V Replica, visit Module 9: Implementing Failover Clustering with Hyper-V.

Hyper-V PowerShell Support

Windows Server 2012 introduces extensive Windows PowerShell support for Hyper-V through the Hyper-V PowerShell module. You can manage all aspects of Hyper-V, including creating virtual hard disks, virtual switches, and virtual machines.

Quality of Service (QoS) Bandwidth Management

Hyper-V administrators can use Quality of Service (QoS) bandwidth management to converge multiple
traffic types through a virtual-machine network adapter, which allows a predictable service level for each
traffic type. You also can allocate minimum and maximum bandwidth allocations on a per-virtual machine
basis.

Non-Uniform Memory Access (NUMA) Support

Hyper-V 3.0 includes NUMA support. NUMA is a multiprocessor architecture that automatically groups
RAM and processors. This leads to performance improvements for virtual machines that are hosted on
servers that have multiple processors and large amounts of random access memory (RAM).

Memory Improvements

Dynamic Memory is a feature that lets virtual machine memory be allocated as necessary, rather than as a fixed amount. For example, rather than configuring a virtual machine with a fixed 4 gigabytes (GB) of memory, which Hyper-V allocates to the virtual machine whether or not it is used, an administrator can use Dynamic Memory to set a minimum and a maximum amount. In this scenario, the virtual machine requests only what it needs. Although Windows Server 2008 R2 SP1 included the ability for virtual machines to use Dynamic Memory, you had to shut down the virtual machine before you could adjust these settings. Hyper-V 3.0 enables administrators to adjust Dynamic Memory settings on virtual machines that are running. You can also configure a startup memory value, which differs from the minimum and maximum memory allocations. When a virtual machine restarts and the Hyper-V host does not have enough free physical memory to supply that startup memory, but does have enough to support the virtual machine's minimum memory allocation, Smart Paging uses disk-based paging on the host to bridge the gap so that the virtual machine can start.
Other improvements to Hyper-V include:

- Resource Metering. Resource Metering allows administrators to track the resource utilization of individual virtual machines. You can enable Resource Metering on a per-virtual machine basis. Use PowerShell to perform resource-metering operations.
- Virtual Fibre Channel. Virtual Fibre Channel enables virtual machines to use a virtual Fibre Channel host bus adapter (HBA) to connect to Fibre Channel resources on storage area networks (SANs). To use Virtual Fibre Channel, the host Hyper-V server must have a compatible Fibre Channel HBA.
- Live migration without shared storage. Hyper-V 3.0 supports live migration of virtual machines between Hyper-V hosts, without requiring access to shared storage. For more information on live migration, visit Module 9: Implementing Failover Clustering with Hyper-V.
- New virtual hard disk format. Hyper-V 3.0 introduces the VHDX format. This disk format supports larger virtual hard disks. It also includes a format that minimizes the chances of data loss during unexpected power outages.
- Server Message Block 3.0 (SMB 3.0) storage. Hyper-V 3.0 virtual machines can use virtual hard disks stored on normal shared folders, as long as the folders are hosted on a server that supports the SMB 3.0 protocol.
- Network virtualization. Network virtualization enables virtual machines to retain a static IP address configuration when they are migrated to different Hyper-V hosts.

Prerequisites for Installing Hyper-V

Hyper-V on Windows Server 2012 requires that the host computer has an x64 processor that supports Second Level Address Translation (SLAT), with hardware-assisted virtualization (Intel VT or AMD-V) and hardware Data Execution Prevention (DEP) enabled in the firmware. SLAT is a special technology that allows a processor to address memory more efficiently. The server that hosts the Hyper-V role needs a minimum of 4 GB of RAM. A virtual machine hosted on Hyper-V in Windows Server 2012 can support a maximum of 1 terabyte of RAM and up to 64 virtual processors.

When deciding on the server hardware on which you plan to install the Hyper-V role, you need to ensure the following:

- The server must have enough memory to support the memory requirements of all of the virtual machines that must run concurrently. The server also must have enough memory to run the host Windows Server 2012 operating system.
- The storage subsystem's performance must meet the I/O needs of the guest virtual machines. It may be necessary to place different virtual machines on separate physical disks, or to deploy a high-performance redundant array of independent disks (RAID), solid state drives (SSDs), hybrid SSDs, or a combination of all three.
- The CPU capacity of the host server must meet the requirements of the guest virtual machines.
- The host server's network adapters must be able to support the network throughput requirements of the guest virtual machines. This may require installing multiple network adapters and using multiple network interface card (NIC) teams for virtual machines that have high network-use requirements.

Demonstration: Configuring Hyper-V Settings

It is necessary to start a traditionally deployed server to run this demonstration, because you cannot run Hyper-V from within a virtual machine.

Demonstration Steps
1. Log on to LON-HOST1.
2. Open the Hyper-V Manager console.
3. In the Hyper-V Settings dialog box, review the following settings:
   o Virtual Hard Disks
   o Virtual Machines
   o Physical GPUs
   o NUMA Spanning
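The following Windows PowerShell script is an added example and is not part of the course. It covers the three preceding topics from the command line: it checks the prerequisites listed above (64-bit, SLAT, hardware virtualization, DEP, 4 GB of RAM) from the processor and operating-system WMI classes and refuses to continue if they are not met, sets the Virtual Hard Disks and Virtual Machines paths and displays the NUMA spanning setting that the demonstration reviews, and enables the Resource Metering feature introduced with Hyper-V 3.0. The host name LON-HOST1 and the D:\Hyper-V paths are assumptions for illustration.

```powershell
# Added example, not from the course: check the host prerequisites, set the host settings
# the demonstration reviews, and enable Resource Metering (new in Hyper-V 3.0).
# Assumptions: run on LON-HOST1; virtual machine files go under D:\Hyper-V.
Import-Module Hyper-V

function Test-HyperVPrerequisite {
    # Win32_Processor exposes the SLAT and VT-x/AMD-V flags on Windows Server 2012.
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    [pscustomobject]@{
        Is64Bit                  = ($os.OSArchitecture -eq '64-bit')
        SLAT                     = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VirtualizationInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
        VMMonitorModeExtensions  = [bool]$cpu.VMMonitorModeExtensions
        DepAvailable             = [bool]$os.DataExecutionPrevention_Available
        TotalRamGB               = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports KB
    }
}

$Check = Test-HyperVPrerequisite
$Check | Format-List
if (-not ($Check.Is64Bit -and $Check.SLAT -and $Check.VirtualizationInFirmware -and
          $Check.DepAvailable -and $Check.TotalRamGB -ge 4)) {
    throw 'This host does not meet the Hyper-V prerequisites; fix the firmware settings or the hardware first.'
}

# Hyper-V Settings (the items the demonstration reviews). Keep virtual machine files off the
# system volume; the NTFS ACL on these folders is what keeps other local users out of guest disks.
$VhdPath = 'D:\Hyper-V\Virtual Hard Disks'
$VmPath  = 'D:\Hyper-V\Virtual Machines'
New-Item -Path $VhdPath, $VmPath -ItemType Directory -Force | Out-Null
Set-VMHost -VirtualHardDiskPath $VhdPath -VirtualMachinePath $VmPath
Get-VMHost | Format-List VirtualHardDiskPath, VirtualMachinePath, NumaSpanningEnabled,
                         LogicalProcessorCount, MemoryCapacity

# Resource Metering: enable it per virtual machine, then read the counters with Measure-VM
# at any later time (they accumulate until Reset-VMResourceMetering clears them).
Get-VM | Enable-VMResourceMetering
Get-VM | Measure-VM |
    Format-Table VMName, AverageProcessorUsage, AverageMemoryUsage, MaximumMemoryUsage,
                 TotalDiskAllocation -AutoSize
```

Resource Metering is the cheapest way to spot a guest that is suddenly consuming far more CPU, memory or network than its baseline, which is as useful for noticing a compromised virtual machine as it is for chargeback; disable it with Disable-VMResourceMetering for guests you do not need to watch.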


Hyper-V
H
Integration Services
Hyper-V Integra
ation Services are a series off
se
ervices that you can use with
h supported virtualmachine
m
guest operating systtems. Supporte
ed
op
perating systems can use Inttegration Services
co
omponents an
nd functionalityy like Small
Computer Syste
em Interface (S
SCSI) adapters and
syynthetic netwo
ork adapters.
Th
he virtual-macchine guest op
perating system
ms that
Hyper-V supports include:

Windows Server 2012

Windows Server 2008 R2 with SP1

Windows Server 2008 with Service Pack 2 (SP2)

Windows Server 2003 R2 with SP2

Windows Home Server 2011

Windows MultiPoint Server 2011

Windows Small Business Server 2011

Windows Server 2003 with Service Pack 2

CentOS 6.0-6.2

CentOS 5.5-5.7

Red Hat Enterprise Linux 6.0-6.2

Red Hat Enterprise Linux 5.5-5.7

SUSE Linux Enterprise Server 11 with Service Pack 1 or Service Pack 2

SUSE Linux Enterprise Server 10 with Service Pack 4

Windows 7 with Service Pack 1

Windows Vista with Service Pack 2

Windows XP with Service Pack 3

Additional Reading: Note that Hyper-V support for the Windows XP operating system ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015. When available, a link will be provided here to the list of supported Hyper-V virtual-machine guest operating systems on Windows Server 2012.


You can install the Integration Services components on an operating system by clicking the Insert Integration Services Setup Disk item on the Action menu in the Virtual Machine Connection window. After this is done, you can install the relevant operating-system drivers either manually or automatically.

You can enable the following virtual-machine integration components:

Operating system shutdown. The Hyper-V server uses this component to initiate a graceful shutdown of the guest virtual machine.

Time synchronization. The virtual machine uses this component to use the host server's processor to conduct time synchronization.

Data Exchange. The Hyper-V host uses this component to write data to the virtual machine's registry.

Heartbeat. Hyper-V uses this component to determine if the virtual machine has become unresponsive.

Backup (volume snapshot). The provider of the Volume Shadow Copy Service (VSS) uses this component to create virtual-machine snapshots for backup operations, without interrupting the virtual machines' normal operation.
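The components listed above can also be audited and switched on from Windows PowerShell. The following script is an added example, not part of the course material: it lists the state of every integration service on every virtual machine on the host and re-enables a chosen set of them where they have been turned off. It assumes the Hyper-V module of Windows Server 2012 and that it runs as a Hyper-V administrator on the host; the set of "required" services is a policy choice made for this example.

```powershell
# Added example (not from the course text): audit the integration services of
# every VM on this host and re-enable the ones that this policy treats as
# mandatory. Assumes the Windows Server 2012 Hyper-V module, run on the host.
Import-Module Hyper-V

# Integration services this example insists on (an arbitrary policy choice);
# the names are the ones Get-VMIntegrationService reports.
$required = @('Shutdown', 'Heartbeat', 'VSS')

foreach ($vm in Get-VM) {
    $services = Get-VMIntegrationService -VMName $vm.Name

    foreach ($svc in $services) {
        # PrimaryStatusDescription is "OK" only when the guest-side component is
        # installed and responding; "No Contact" usually means the Integration
        # Services Setup Disk has not yet been installed in that guest.
        '{0,-15} {1,-25} enabled={2,-5} status={3}' -f $vm.Name, $svc.Name,
            $svc.Enabled, $svc.PrimaryStatusDescription
    }

    foreach ($name in $required) {
        $svc = $services | Where-Object { $_.Name -eq $name }
        if ($svc -and -not $svc.Enabled) {
            Write-Warning "Enabling '$name' on $($vm.Name)"
            Enable-VMIntegrationService -VMName $vm.Name -Name $name
        }
    }
}
```

Run it periodically (or from a scheduled task) to catch virtual machines whose Shutdown or Heartbeat service has been disabled, since those are the components the host relies on for graceful shutdown and for detecting an unresponsive guest.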

Best Practices for Configuring Hyper-V Hosts

There are several best practices that you should consider when provisioning Windows Server 2012 to function as a Hyper-V host:

Provision the host with adequate hardware

Deploy virtual machines on separate disks

Do not colocate other server roles

Manage Hyper-V remotely

Run Hyper-V by using the Server Core configuration

Run the Best Practices Analyzer and Resource Metering

Provision the Host with Adequate Hardware

Perhaps the most important best practice is to ensure that the Hyper-V host is provisioned with adequate hardware. You should ensure that there is appropriate processing capacity, an appropriate amount of RAM, and fast and redundant storage. You should ensure that the Hyper-V host is provisioned with multiple network cards that you configure as a team. If the Hyper-V host is not provisioned adequately with hardware, this has an effect on the performance of all virtual machines that are hosted on the server.

Deploy Virtual Machines on Separate Disks

You should use separate disks to host virtual-machine files rather than having virtual-machine files stored on the same disk as the host operating-system files. This minimizes contention and ensures that read/write operations occurring on virtual machine files do not conflict with read/write operations occurring at the host operating-system level. It also minimizes the chance that the virtual-machine hard disks will grow to consume all available space on the operating-system volume. Performance considerations are lessened if you deploy to a disk that uses striping, such as a RAID 1+0 array. If you are using shared storage, you can provision multiple virtual machines on the same Logical Unit Number (LUN) if you utilize Cluster Shared Volumes. However, choosing between separate LUNs for each virtual machine or a shared LUN depends heavily on virtual machine workload and SAN hardware.

Do Not Colocate Other Server Roles

You should ensure that Hyper-V is the only server role deployed on the server. You should not colocate
the Hyper-V role with other roles, such as the Domain Controller or File Server role. Each role that you
deploy on a server requires resources, and when deploying Hyper-V, you want to ensure that the virtual
machines have access to as much of a host server's resources as possible. If it is necessary to locate these
roles on the same hardware, deploy these roles as virtual machines rather than installing them on the
physical host.

Manage Hyper-V Remotely

When you log on locally to a server, your logon session consumes server resources. By configuring a
Hyper-V server to be managed remotely and not performing administrative tasks by logging on locally,
you ensure that all possible resources on the Hyper-V host are available to the hosted virtual machines.
You also should restrict access to the Hyper-V server, so that only administrators responsible for the
management of virtual machines can make connections. A configuration error on a Hyper-V host can
cause downtime to all hosted virtual machines.

Run Hyper-V by Using the Server Core Configuration

There are two main reasons to run Hyper-V using the Server Core configuration. The first reason is that
running Windows Server 2012 in the server core configuration minimizes hardware-resource utilization for
the host operating-system. Running the server in server core configuration means that there are more
hardware resources for the hosted virtual machines.
The second reason to run the Hyper-V server in server core configuration is that server core requires fewer
software updates, which in turn means fewer reboots. When you restart a Hyper-V host, all virtual
machines that the server hosts become unavailable for as long as the host is unavailable. Because a Hyper-V host can
host many critical servers as virtual machines, you want to ensure that you minimize downtime.

Run the Best Practices Analyzer and Use Resource Metering

If you have enabled performance counters on the Hyper-V host, you can use the Best Practices Analyzer
to determine if there are any specific configuration issues that you should address. Enabling performance
counters does incur a slight cost to performance, so you should enable these only during periods when
you want to monitor server performance, rather than leaving them on permanently.

You can use Resource Metering, a new feature of Hyper-V 3.0, to monitor how hosted virtual machines
utilize server resources. You can use Resource Metering to determine if specific virtual machines are using
a disproportionate amount of a host server's resources. If the performance characteristics of one virtual
machine are having a deleterious effect on the performance of other virtual machines hosted on the same
server, you should consider migrating that virtual machine to another Hyper-V host.
Additional Reading: 7 Best Practices for Physical Servers Hosting Hyper-V Roles
http://technet.microsoft.com/en-us/magazine/dd744830.aspx
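Resource Metering, described above, is driven entirely from Windows PowerShell. The following script is an added example rather than code from the course: it enables metering on every virtual machine on the host, collects the accumulated figures, and flags any virtual machine whose share of CPU or memory exceeds a threshold, which is the situation in which the text recommends migrating that virtual machine to another host. It assumes the Windows Server 2012 Hyper-V module; the 40 percent threshold is an arbitrary value chosen for the example.

```powershell
# Added example (not from the course text): enable Resource Metering on every
# VM on this host and report which VMs take a disproportionate share of the
# host's CPU and memory. Assumes the Windows Server 2012 Hyper-V module; the
# threshold below is an arbitrary choice for this example.
Import-Module Hyper-V

$threshold = 0.40   # share of the host total above which a VM is flagged

# Metering accumulates counters from the moment it is enabled (or last reset).
Get-VM | Enable-VMResourceMetering

# ...let the workload run for the period you want to measure, then collect.
$usage = Get-VM | Measure-VM

# AverageProcessorUsage is reported in MHz, the memory and disk figures in MB.
$totalCpu = ($usage | Measure-Object -Property AverageProcessorUsage -Sum).Sum
$totalMem = ($usage | Measure-Object -Property AverageMemoryUsage -Sum).Sum

foreach ($u in $usage | Sort-Object AverageProcessorUsage -Descending) {
    $cpuShare = if ($totalCpu) { $u.AverageProcessorUsage / $totalCpu } else { 0 }
    $memShare = if ($totalMem) { $u.AverageMemoryUsage / $totalMem } else { 0 }
    $line = '{0,-15} CPU {1,6:N0} MHz ({2,5:P0})  RAM {3,7:N0} MB ({4,5:P0})  Disk {5,8:N0} MB' -f
        $u.VMName, $u.AverageProcessorUsage, $cpuShare,
        $u.AverageMemoryUsage, $memShare, $u.TotalDiskAllocation
    if ($cpuShare -gt $threshold -or $memShare -gt $threshold) {
        Write-Warning "$line  <- candidate for migration to another host"
    } else {
        $line
    }
}

# Start a fresh measurement window without turning metering off.
Get-VM | Reset-VMResourceMetering
```

Because the counters accumulate from the point metering was enabled, a single run right after Enable-VMResourceMetering shows nothing useful; run the collection part after the host has carried its normal workload for a representative period.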

Lesson 2

Configuring Hyper-V Storage

Hyper-V provides many different virtual machine storage options. If you know which option is appropriate for a given situation, you can ensure that a virtual machine performs well. But if you do not understand the different virtual-machine storage options, you may end up deploying virtual hard disks that consume unnecessary space or that place an unnecessary performance burden on the host Hyper-V server. This lesson describes the different virtual hard disk types, the different virtual hard disk formats, and the benefits and limitations of using virtual machine snapshots.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the properties of virtual hard disks in Hyper-V 3.0.

Select a virtual hard disk type.

Convert between virtual hard disk types.

Maintain virtual hard disks.

Determine where to deploy virtual hard disks.

Describe the requirements for storing Hyper-V data on SMB file shares.

Implement virtual machine snapshots.

Describe the requirements of providing Fibre Channel support within virtual machines.

Virtual Hard Disks in Hyper-V 3.0

A virtual hard disk is a special file format that represents a traditional hard-disk drive. You can configure a virtual hard disk with partitions and an operating system. Additionally, you can use virtual hard disks with virtual machines, and you also can mount virtual hard disks by using the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 8, and Windows 7 operating systems. Windows Server 2012 supports booting to virtual hard disks. You can use this feature to configure the computer to start into a Windows Server 2012 operating system or some editions of the Windows Server 8 operating system that are deployed on a virtual hard disk. You can create a virtual hard disk by using:

The Hyper-V Manager console.

The Disk Management console.

The diskpart command-line utility.

The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support booting to virtual hard disk.

Comparing VHDX and VHD

Virtual hard disks use the .vhd extension. Windows Server 2012 introduces the new VHDX format for virtual hard disks. In comparison to the VHD format that was used in Hyper-V on Windows Server 2008 and Windows Server 2008 R2, the VHDX format has the following benefits:

VHDX virtual hard disks can be as large as 64 terabytes. VHD virtual hard disks were limited to 2 TB.

The VHDX virtual hard disk file structure minimizes the chance that the disk will become corrupt if the host server suffers an unexpected power outage.

The VHDX virtual hard disk format supports better alignment when deployed to large-sector disks.

VHDX allows a larger block size for dynamic and differencing disks, which provides better performance for these workloads.

If you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows Server 2012, you can convert an existing VHD file to VHDX format by using the Edit Disk tool. It also is possible to convert from VHDX format to VHD.

Additional Reading: Hyper-V Virtual Hard Disk Format Overview
http://technet.microsoft.com/en-us/library/hh831446.aspx

Disk Types

When you configure a virtual hard disk, you can choose one of the following disk types:

Fixed

Dynamic

Pass-through

Differencing

Fixed Virtual Hard Disk

When you create a fixed virtual hard disk, all of the hard-disk space is allocated during the creation process. This has the advantage of minimizing fragmentation, which improves virtual hard disk performance when the disks are hosted on traditional storage devices. However, a disadvantage is that it requires all of the space that the virtual hard disk potentially can use to be allocated on the host partition. In many situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed hard disks, you may end up allocating space to storage that is not actually required.

To create a fixed virtual hard disk, perform the following steps:
1. Open the Hyper-V Manager console.

2. In the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. On the Choose Disk Format page, select VHD or VHDX, and then click Next.

5. On the Choose Disk Type page, click Fixed size, and then click Next.

6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder to host the virtual hard-disk file.

7. On the Configure Disk page, select one of the following options:


Create a new blank virtual hard disk of the specified size.

Copy the contents of a specified physical disk. You can use this option to replicate an existing
physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the
disk that you have replicated. Replicating an existing physical hard disk does not alter data on the
existing disk.

Copy the contents of a specified virtual hard disk. You can use this option to create a new fixed
hard disk based on the contents of an existing virtual hard disk.

You can create a new fixed hard disk by using the New-VHD Windows PowerShell cmdlet with the -Fixed
parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes or on SSDs. Hyper-V improvements, since it was first introduced in Windows Server
2008, also minimize performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks

When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and it grows as necessary. For example, if you create
a new virtual machine, and specify a dynamic disk, only a small amount of disk space is allocated to the
new disk.
This space is as follows:

Approximately 260 kilobytes (KB) for a VHD format virtual hard disk

Approximately 4096 KB for a VHDX format virtual hard disk

As storage is allocated, such as when you deploy the operating system, the dynamic hard disk grows. If
you delete files from a dynamically expanding virtual hard disk, the virtual hard-disk file does not shrink.
You can only shrink a dynamically expanding virtual hard-disk file by performing a shrink operation.

Creating a dynamically expanding virtual hard disk is similar to creating a fixed disk. In the New Virtual
Hard Disk Wizard, on the Choose Disk Type page, select Dynamically expanding size instead of Fixed.
You can create a new dynamic hard disk by using the New-VHD Windows PowerShell cmdlet with the -Dynamic parameter.

Pass-Through Disks

Virtual machines use the pass-through disks to access a physical disk drive, rather than use a virtual hard
disk. You can use pass-through disks to connect a virtual machine directly to an Internet SCSI (iSCSI) LUN.
When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do
this, you must use the host's disk management console to take the disk offline. After the disk is offline,
you can connect it to one of the virtual machine's disk controllers.
You can attach a pass-through disk by performing the following steps:
1. Ensure that the target hard disk is offline.

2. Use the Hyper-V Manager console to edit an existing virtual machine's properties.

3. Click an Integrated Drive Electronics (IDE) or SCSI controller, click Add, and then click Hard Drive.

4. In the Hard Drive dialog box, select Physical Hard Disk. In the drop-down list, select the disk that
you want to use as the pass-through disk.

Note: You do not have to shut down a virtual machine if you connect the pass-through disk to a virtual machine's SCSI controller. However, if you want to connect to a virtual machine's IDE controller, it is necessary to shut down the virtual machine.
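The same attachment can be scripted, with the two prerequisites from the procedure and the note above enforced rather than assumed. The script below is an added example and not part of the course: it takes the physical disk offline on the host if it is not already, refuses an IDE attach while the virtual machine is running, and then attaches the disk by its disk number. It assumes the Hyper-V and Storage modules of Windows Server 2012; the virtual machine name and disk number are placeholders.

```powershell
# Added example (not from the course text): attach a physical disk to a VM as a
# pass-through disk, checking the prerequisites the text describes first.
# Assumes the Windows Server 2012 Hyper-V and Storage modules on the host.
Import-Module Hyper-V
Import-Module Storage

$vmName     = 'LON-GUEST1'   # placeholder VM name
$diskNumber = 2              # placeholder physical disk number (see Get-Disk)
$controller = 'SCSI'         # 'SCSI' allows a hot attach; 'IDE' needs the VM off

# The VM needs exclusive access, so the host must not have the disk online.
$disk = Get-Disk -Number $diskNumber
if (-not $disk.IsOffline) {
    Set-Disk -Number $diskNumber -IsOffline $true
}

$vm = Get-VM -Name $vmName
if ($controller -eq 'IDE' -and $vm.State -ne 'Off') {
    throw "VM '$vmName' must be shut down before a disk is attached to its IDE controller."
}

# -DiskNumber (rather than -Path) tells Hyper-V this is a physical disk.
Add-VMHardDiskDrive -VMName $vmName -ControllerType $controller -DiskNumber $diskNumber

# Verify: the new drive shows a DiskNumber and no virtual hard disk path.
Get-VMHardDiskDrive -VMName $vmName |
    Where-Object { $_.DiskNumber -eq $diskNumber } |
    Format-Table VMName, ControllerType, ControllerNumber, ControllerLocation, DiskNumber, Path -AutoSize
```

Keep the disk offline on the host for as long as it is attached; bringing it back online while the virtual machine uses it gives two operating systems write access to the same volume.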

Differencing Disks

Differencing disks record the changes made to a parent disk. You can use differencing disks to reduce the amount of hard disk space that virtual hard disks consume, but that comes at the cost of disk performance. Differencing disks work well with SSD, where there is limited space available on the drive and the performance of the disk compensates for the performance drawbacks of using a differencing disk.

Differencing disks have the following properties:

You can link multiple differencing disks to a single parent disk.

When you modify the parent disk, all linked differencing disks fail.

You can reconnect a differencing disk to the parent by using the Inspect Disk tool, available in the Actions pane of the Hyper-V Manager console. You also can use the Inspect Disk tool to locate a differencing disk's parent disk.

To create a differencing disk, follow these steps:
1. Open the Hyper-V Manager console.

2. In the Actions pane, click New, and then click Hard Disk.

3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.

4. On the Choose Disk Format page, select VHD, and then click Next.

5. On the Choose Disk Type page, select Differencing, and then click Next.

6. On the Specify Name and Location page, provide the location of the parent hard disk, and then click Finish.

You can create a differencing hard disk by using the New-VHD Windows PowerShell cmdlet. For example, to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, run the following Windows PowerShell command:

New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd
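Since any modification of the parent breaks every differencing disk linked to it, a practitioner usually wants two things the single command above does not give: a way to see the whole parent chain of a disk, and a guard against accidental writes to the parent. The script below is an added example, not course code: it creates the differencing disk, marks the parent file read-only, and walks the chain with Get-VHD. It assumes the Windows Server 2012 Hyper-V module; the paths are placeholders taken from the example above.

```powershell
# Added example (not from the course text): create a differencing disk, protect
# its parent from modification, and display the parent chain.
# Assumes the Windows Server 2012 Hyper-V module; paths are placeholders.
Import-Module Hyper-V

$parent = 'C:\parent.vhd'      # existing parent disk (placeholder)
$child  = 'C:\diff-disk.vhd'   # differencing disk to create (placeholder)

New-VHD -Path $child -ParentPath $parent | Out-Null

# A differencing disk only reads its parent, so the parent file can be made
# read-only; this stops a stray write from invalidating every child.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

function Get-VhdChain {
    # Returns the given disk followed by each ancestor, nearest parent first.
    param([string]$Path)
    $chain = @()
    $current = Get-VHD -Path $Path
    while ($current) {
        $chain += $current
        if ($current.ParentPath) {
            $current = Get-VHD -Path $current.ParentPath
        } else {
            $current = $null
        }
    }
    return $chain
}

Get-VhdChain -Path $child |
    Format-Table Path, VhdType, VhdFormat,
        @{ Label = 'ReadOnly'; Expression = { (Get-Item $_.Path).IsReadOnly } } -AutoSize
```

Get-VhdChain also shows a chain that has been broken: Get-VHD fails on the child when its parent has been moved or altered, which is the condition the Inspect Disk tool is used to repair.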

Converting Disks

From time to time, it is necessary to perform maintenance operations on virtual hard disks. You can perform the following maintenance operations on virtual hard disks:

Convert the disk from fixed to dynamic.

Convert the disk from dynamic to fixed.

Convert a virtual hard disk in VHD format to VHDX.

Convert a virtual hard disk in VHDX format to VHD.

When you convert a hard disk, the contents of the existing virtual hard disk are copied to a new virtual hard disk that has the properties that you have chosen. To convert a virtual hard disk, perform the following steps:


1. In the Actions pane of the Hyper-V Manager console, click Edit Disk.

2. On the Before You Begin page of the Edit Virtual Hard Disk Wizard, click Next.

3. On the Locate Virtual Hard Disk page, click Browse. Select the virtual hard disk that you wish to
convert.

4. On the Choose Action page, select Convert, and then click Next.

5. On the Convert Virtual Hard Disk page, select VHD or VHDX format. By default, the current disk
format is selected. Click Next.

6. If you want to convert the disk from fixed to dynamic or dynamic to fixed, on the Convert Virtual
Hard Disk page, select Fixed Size or Dynamically Expanding. If you want to convert the hard disk
type, choose the appropriate type, and then click Next.

7. On the Configure Disk page, select the destination location for the disk, click Next, and then click
Finish.

You can shrink a dynamic virtual hard disk that is not taking up all the space that is allocated to it. For
example, a dynamic virtual hard disk might be 60 GB on the parent volume, but only use 20 GB of that
space. You shrink a virtual hard disk by choosing the Compact option in the Edit Virtual Hard Disk Wizard.
You cannot shrink fixed virtual hard disks. You must convert a fixed virtual hard disk to dynamic before
you can compact the disk. You can use the resize-partition and the resize-vhd Windows PowerShell
cmdlets to compact a dynamically expanding virtual hard disk.
You also can use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically
expanding and fixed virtual hard disks.
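The fixed and dynamic disk sections earlier and the conversion, compacting and expansion operations in this section all have PowerShell equivalents. The script below is an added example and not the course's own code: it creates a dynamic VHDX, shows how little space it occupies compared with its maximum size, converts it to a fixed disk, then compacts and expands the dynamic disk. It assumes the Windows Server 2012 Hyper-V module; the paths under D:\VHD are placeholders.

```powershell
# Added example (not from the course text): create, convert, compact and expand
# virtual hard disks from PowerShell and show the effect on the file size.
# Assumes the Windows Server 2012 Hyper-V module; paths are placeholders.
Import-Module Hyper-V

function Show-VhdUsage([string]$Path) {
    # Size is the capacity the guest sees; FileSize is what the host volume pays.
    $v = Get-VHD -Path $Path
    '{0}: type={1} format={2} maxSize={3} GB fileSize={4} MB' -f $v.Path,
        $v.VhdType, $v.VhdFormat, [int]($v.Size / 1GB), [int]($v.FileSize / 1MB)
}

$dyn = 'D:\VHD\dyn.vhdx'
$fix = 'D:\VHD\fixed.vhdx'

# Dynamic: only the header is written now; the file grows as the guest writes.
New-VHD -Path $dyn -SizeBytes 40GB -Dynamic | Out-Null
Show-VhdUsage $dyn          # fileSize is a few MB, maxSize is 40 GB

# Convert to fixed: the contents are copied into a new, fully allocated file.
Convert-VHD -Path $dyn -DestinationPath $fix -VHDType Fixed
Show-VhdUsage $fix          # fileSize is now the full 40 GB

# A format conversion (VHD -> VHDX) works the same way; the destination
# extension selects the format, e.g.
# Convert-VHD -Path 'D:\VHD\old.vhd' -DestinationPath 'D:\VHD\old.vhdx'

# Compact a dynamic disk to reclaim space freed inside the guest. The disk must
# not be attached to a running VM while this runs.
Optimize-VHD -Path $dyn -Mode Full
Show-VhdUsage $dyn

# Expand: allowed for both fixed and dynamic disks.
Resize-VHD -Path $dyn -SizeBytes 60GB
Show-VhdUsage $dyn
```

Convert-VHD always writes a new file and leaves the source in place, so check the free space on the destination volume before converting a large dynamic disk to fixed: the destination will occupy the disk's full maximum size.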

Demonstration: Managing Virtual Hard Disks in Hyper-V


In this demonstration, you create a differencing disk based on an existing disk by using both Hyper-V
Manager and PowerShell.

Demonstration Steps
1. Use Windows Explorer to create the following folders on the physical host drive:

o E:\Program Files\Microsoft Learning\Base\LON-GUEST1

o E:\Program Files\Microsoft Learning\Base\LON-GUEST2

Note: The drive letter may depend upon the number of drives on the physical host machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:

o Disk Format: VHD

o Disk Type: Differencing

o Name: LON-GUEST1.vhd

o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd

3. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the paths contain spaces, so they must be quoted):

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"


4. Inspect the disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.

5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as its parent.

Location Considerations of Virtual Hard Disks

A key factor when provisioning virtual machines is ensuring that virtual hard disks are placed correctly. Virtual hard-disk performance can affect virtual machine performance dramatically. Servers that are otherwise well provisioned with RAM and processor capacity can still experience bad performance if the storage system is overwhelmed.

Consider the following factors when planning the location of virtual hard-disk files:

High-performance connection to the storage

You can locate virtual hard-disk files on local or remote storage. When you locate them on remote storage, you need to ensure that there is adequate bandwidth and minimal latency between the host and the remote storage. Slow network connections to storage, or connections where there is latency, result in poor virtual-machine performance.

Redundant storage

The volume that the virtual hard-disk files are stored on should be fault-tolerant. This should apply whether the virtual hard disk is stored on a local disk or a remote SAN device. It is not uncommon for hard disks to fail. Therefore, the virtual machine and the Hyper-V host should remain in operation after a disk failure. Replacement of failed disks also should not affect the operation of the Hyper-V host or virtual machines.

High-performance storage

The storage device on which you store virtual hard-disk files should have excellent I/O characteristics. Many enterprises use SSD hybrid drives in RAID 1+0 arrays to achieve maximum performance and redundancy. Multiple virtual machines that are running simultaneously on the same storage can place a tremendous I/O burden on a disk subsystem. Therefore, you need to ensure that you choose high-performance storage. If you do not, virtual machine performance suffers.

Adequate growth space

If you have configured virtual hard disks to grow automatically, ensure that there is adequate space into which the files can grow. Also, carefully monitor growth so that you are not shocked when a virtual hard disk fills the volume that you allocated to host it. If you configure virtual hard disks to grow automatically, place each virtual machine's virtual hard disk on a separate volume. This way, the virtual hard disks of multiple virtual machines are not affected if the volume's capacity is exceeded.
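The "adequate growth space" point above is easy to check mechanically: for every dynamically expanding disk attached to a virtual machine, the difference between its maximum size and its current file size is the space it may still claim on the host volume. The script below is an added example, not part of the course: it sums that potential growth per host volume and warns where the volume's free space could not absorb it. It assumes the Windows Server 2012 Hyper-V and Storage modules; disks on UNC (SMB) paths are skipped because they are not local volumes.

```powershell
# Added example (not from the course text): compare the potential growth of
# each dynamic virtual hard disk with the free space on its host volume.
# Assumes the Windows Server 2012 Hyper-V and Storage modules on the host.
Import-Module Hyper-V
Import-Module Storage

$pending = @{}   # drive letter -> bytes the dynamic disks on it may still add

foreach ($drive in Get-VM | Get-VMHardDiskDrive) {
    if (-not $drive.Path) { continue }                     # pass-through disks have no file
    if ($drive.Path -notmatch '^[A-Za-z]:\\') { continue } # skip SMB/UNC locations
    $vhd = Get-VHD -Path $drive.Path
    if ($vhd.VhdType -ne 'Dynamic') { continue }

    $growth = $vhd.Size - $vhd.FileSize                    # headroom the file can consume
    $letter = (Split-Path -Qualifier $vhd.Path).TrimEnd(':')
    $pending[$letter] += $growth
    '{0,-15} {1,-55} can grow by {2,7:N1} GB' -f $drive.VMName, $vhd.Path, ($growth / 1GB)
}

foreach ($letter in $pending.Keys) {
    $free = (Get-Volume -DriveLetter $letter).SizeRemaining
    $need = $pending[$letter]
    $msg  = 'Volume {0}: free {1:N1} GB, potential growth {2:N1} GB' -f $letter, ($free / 1GB), ($need / 1GB)
    if ($need -gt $free) {
        Write-Warning "$msg - the dynamic disks on this volume can exhaust it"
    } else {
        $msg
    }
}
```

The warning is conservative: it assumes every dynamic disk on the volume grows to its maximum. That is exactly the case the text wants you to plan for, and the reason it recommends a separate volume per virtual machine when disks grow automatically.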

Storage on SMB 3 File Shares

Hyper-V supports storing virtual machine data, such as virtual-machine configuration files, snapshots, and virtual hard-disk files, on SMB 3 file shares. The file share must support SMB 3. This limits placement of virtual hard disks to file shares that are hosted on file servers that are running Windows Server 2012. Earlier Windows Server versions do not support SMB 3. You must ensure that network connectivity to the file share is 1 GB or more.


An SMB file share provides an alternative to storing virtual-machine files on iSCSI or Fibre Channel SAN devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network share when choosing the virtual machine location and the virtual hard-disk location. You also can attach disks stored on SMB 3 file shares. You can use both VHD and VHDX disks with SMB file shares.

Additional Reading: Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
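A share that holds virtual hard disks holds the entire contents of those virtual machines, so its share and NTFS permissions matter as much as the SMB version. The script below is an added example and not course code: run on a Windows Server 2012 file server, it creates a share whose share-level and NTFS permissions name only the Hyper-V host's computer account and a Hyper-V administrators group, and it ends with the check a host administrator would run to confirm the connection negotiated SMB 3. It assumes the SmbShare module; the path, share name and principals are placeholders.

```powershell
# Added example (not from the course text): create an SMB share for Hyper-V
# files that only the Hyper-V host computer account and the Hyper-V admins can
# reach, at both the share and the NTFS level. Assumes the Windows Server 2012
# SmbShare module on the file server; names below are placeholders.
Import-Module SmbShare

$path       = 'D:\VMShare'
$shareName  = 'VMs'
# Placeholder principals: the Hyper-V host's computer account (note the $) and
# the group of administrators who manage the virtual machines.
$principals = @('CONTOSO\LON-HOST1$', 'CONTOSO\Hyper-V Admins')

New-Item -Path $path -ItemType Directory -Force | Out-Null

# Share permissions: full access for the listed principals and nobody else
# (no Everyone entry is created).
New-SmbShare -Name $shareName -Path $path -FullAccess $principals | Out-Null

# NTFS permissions: stop inheriting from D:\ and grant the same principals only.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect, and discard inherited ACEs
foreach ($p in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Review what was granted.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# On the Hyper-V host, after it has opened the share (for example by creating a
# VM on it), every connection to this server should report a 3.x dialect:
# Get-SmbConnection -ServerName 'LON-SVR1' | Format-Table ServerName, ShareName, Dialect
```

The computer account is what matters here: the Hyper-V service on the host accesses the share as the host computer, not as the administrator who created the virtual machine, which is why a share granted only to user accounts fails at virtual machine creation time.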

Snapshot Management in Hyper-V

Snapshot is an important technology that provides administrators with the ability to make a replica of a virtual machine at a specific time. You can take snapshots when a virtual machine is shut down or running. However, when you take a snapshot of a virtual machine that is running, the snapshot includes the contents of the virtual machine's memory.

Taking a Snapshot

You can take a snapshot in the Actions pane of the Virtual Machine Connection window or in the Hyper-V Manager console. Each virtual machine can have a maximum of 50 snapshots.

When taking snapshots of multiple virtual machines, you should take them at the same time. This ensures synchronization of items such as computer-account passwords. Remember that when you revert to a snapshot, you are reverting to a computer's state at that specific time. If you take a computer back to a point before it performed a computer-password change with a domain controller, you will need to rejoin that computer to the domain.

Snapshots Do Not Replace Backups

Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files are lost. You can perform a virtual machine export of a snapshot. When you export the snapshot, Hyper-V creates full virtual hard disks that represent the state of the virtual machine at the time that you took the snapshot. If you choose to export an entire virtual machine, all snapshots associated with the virtual machine also are exported.

Avhd Files

When you create a snapshot, Hyper-V writes avhd files that store the data that differentiates the snapshot from either the previous snapshot or the parent virtual hard disk. When you delete snapshots, this data is discarded or merged into the previous snapshot or parent virtual hard disk. For example, if you delete the most recent snapshot of a virtual machine, the data is discarded. If you delete the second-to-last snapshot taken of a virtual machine, the data is merged so that the earlier and latter snapshot states of the virtual machine retain their integrity.

Managing Snapshots

When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time that the snapshot was taken. Reverting to a snapshot does not delete any existing snapshots. If you revert to a snapshot after making a configuration change, you are prompted to take a snapshot. It only is necessary to create a new snapshot if you want to return to that current configuration.

It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday, and Wednesday, applied the Tuesday snapshot, and then made changes to the virtual machine's configuration, you create a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50-snapshot limit per virtual machine.
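The three rules in this section (snapshot related machines together, stay under 50 snapshots, and export if you need something that survives the loss of the volume) can all be applied from PowerShell. The following script is an added example, not course code: it checkpoints a group of virtual machines as jobs started together, prints each machine's snapshot tree, and exports one snapshot as full disks to a different volume. It assumes the Windows Server 2012 Hyper-V module, where the snapshot cmdlet is Checkpoint-VM; virtual machine names and the export path are placeholders.

```powershell
# Added example (not from the course text): take snapshots of related VMs at the
# same time, respect the 50-snapshot limit, show the snapshot tree, and export
# one snapshot as a stand-alone copy. Assumes the Windows Server 2012 Hyper-V
# module; VM names and paths are placeholders.
Import-Module Hyper-V

$group   = @('LON-DC1', 'LON-SVR1')      # VMs whose state must stay consistent
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$exports = 'E:\Exports'                  # a volume other than the one holding the VHDs

# Refuse to go past the per-VM limit the text states.
foreach ($name in $group) {
    $count = @(Get-VMSnapshot -VMName $name).Count
    if ($count -ge 50) { throw "$name already has $count snapshots; delete some first." }
}

# Checkpoint-VM takes the snapshot; -AsJob starts them together instead of one
# after another, so all members of the group are captured at the same moment.
$jobs = foreach ($name in $group) {
    Checkpoint-VM -Name $name -SnapshotName "Before-change-$stamp" -AsJob
}
$jobs | Wait-Job | Out-Null

# ParentSnapshotName reveals the tree: a second child of the same parent is a branch.
foreach ($name in $group) {
    Get-VMSnapshot -VMName $name |
        Format-Table VMName, Name, ParentSnapshotName, CreationTime -AutoSize
}

# Export writes full virtual hard disks for that point in time, which, unlike
# the avhd files, do not depend on the volume that hosts the VM.
Get-VMSnapshot -VMName 'LON-SVR1' -Name "Before-change-$stamp" |
    Export-VMSnapshot -Path $exports

# To revert later:
# Restore-VMSnapshot -VMName 'LON-SVR1' -Name "Before-change-$stamp" -Confirm:$false
```

Reverting a domain member together with its domain controller, as the group above does, is what avoids the computer-account password mismatch the text warns about; reverting only one of them can leave the machine needing to rejoin the domain.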

Fibre Channel Support in Hyper-V

Hyper-V virtual Fibre Channel is a virtual hardware component that you can add to a virtual machine, and which enables the virtual machine to access Fibre Channel storage on SANs. To deploy a virtual Fibre Channel:

You must configure the Hyper-V host with a Fibre Channel HBA.

The Fibre Channel HBA must have a driver that supports virtual Fibre Channel.

The virtual machine must support virtual machine extensions.

Virtual Fibre Channel adapters support port virtualization by exposing HBA ports in the guest operating system. This allows the virtual machine to access the SAN by using a standard World Wide Name (WWN) associated with the virtual machine.

You can deploy up to four virtual Fibre Channel adapters to each virtual machine.

Additional Reading: Hyper-V Virtual Fibre Channel Overview
http://technet.microsoft.com/en-us/library/hh831413.aspx
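Deploying a virtual Fibre Channel adapter from PowerShell follows the requirements just listed: the host's HBA ports are grouped into a virtual SAN, and the virtual machine is attached to that virtual SAN rather than to the HBA. The script below is an added example, not part of the course: it checks that the host has a Fibre Channel HBA, creates the virtual SAN if needed, enforces the four-adapter limit, adds one adapter and prints the WWNs the guest will present. It assumes the Windows Server 2012 Hyper-V and Storage modules; the virtual machine and SAN names are placeholders.

```powershell
# Added example (not from the course text): create a virtual SAN from the host's
# Fibre Channel HBA ports and give a VM one virtual Fibre Channel adapter,
# staying within the four-adapter limit. Assumes the Windows Server 2012
# Hyper-V and Storage modules; names are placeholders.
Import-Module Hyper-V
Import-Module Storage

$vmName  = 'LON-GUEST1'   # placeholder VM name
$sanName = 'SAN-A'        # placeholder virtual SAN name

# Physical HBA ports on the host; each has a node (WWNN) and port (WWPN) address.
$ports = Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'Fibre Channel' }
if (-not $ports) { throw 'No Fibre Channel HBA found on this host.' }
$ports | Format-Table NodeAddress, PortAddress, ConnectionType -AutoSize

# A virtual SAN groups HBA ports; VMs attach to the virtual SAN, not to the HBA.
if (-not (Get-VMSan -Name $sanName -ErrorAction SilentlyContinue)) {
    New-VMSan -Name $sanName -HostBusAdapter $ports | Out-Null
}

$existing = @(Get-VMFibreChannelHba -VMName $vmName)
if ($existing.Count -ge 4) {
    throw "$vmName already has $($existing.Count) virtual Fibre Channel adapters (the limit is 4)."
}

Add-VMFibreChannelHba -VMName $vmName -SanName $sanName

# The guest presents its own WWNs (two sets, used alternately during live
# migration); record them so SAN access can be scoped to this VM, not the host.
Get-VMFibreChannelHba -VMName $vmName |
    Format-Table VMName, SanName, WorldWideNodeNameSetA, WorldWidePortNameSetA,
        WorldWideNodeNameSetB, WorldWidePortNameSetB -AutoSize
```

The WWNs printed at the end are the identities the SAN sees for this virtual machine; storage granted to them is not visible to the host or to other virtual machines on the same virtual SAN.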

Lesson 3

Configuring Hyper-V Networking

Hyper-V provides several different options for allowing network communication between virtual machines. You can use Hyper-V to configure virtual machines that communicate with an external network in a manner similar to physical hosts that you deploy traditionally. You also can use Hyper-V to configure virtual machines that are able to communicate only with a limited number of other virtual machines hosted on the same Windows Server 2012 Hyper-V host. This lesson describes the various options available for Hyper-V virtual networks, which you can leverage to best meet your organization's needs.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the new features in Hyper-V networking.

Describe virtual switches.

Configure a public and private switch.

Describe network virtualization.

Describe the best practices for configuring virtual networks.

What's New in Hyper-V Networking?

There are several new features in Hyper-V 3.0 networking that improve the network performance of a large number of virtual machines in private and public cloud environments. In most cases, you should use the default settings in small-scale deployments. The new features in Hyper-V 3.0 networking include:

Network virtualization. This feature enables IP addresses to be virtualized in hosting environments so that virtual machines migrated to the host can keep their original IP address rather than being allocated an IP address on the Hyper-V server's network.

Bandwidth management. You can use this feature to specify a minimum and a maximum bandwidth to be allocated to the adapter by Hyper-V. Hyper-V reserves the minimum bandwidth allocation for the network adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are functioning at capacity.

Dynamic Host Configuration Protocol (DHCP) guard. This feature drops DHCP messages from virtual machines that are functioning as unauthorized DHCP servers. This may be necessary in scenarios where you are managing a Hyper-V server that hosts virtual machines for others, but in which you do not have direct control over the virtual machines' configuration.

Router guard. This feature drops router advertisement and redirection messages from virtual machines configured as unauthorized routers. This may be necessary in scenarios where you do not have direct control over the configuration of virtual machines.


Port mirroring. You can use this feature to copy incoming and outgoing packets from a network adapter
to another virtual machine that you have configured for monitoring.

NIC teaming. You can use this feature to add the virtual network adapter to an existing team on the host
Hyper-V server.

Virtual Machine Queue. This feature requires that the host computer has a network adapter that supports
the feature. Virtual Machine Queue uses hardware packet filtering to deliver network traffic directly to the
guest. This improves performance because the packet does not need to be copied from the host operating
system to the virtual machine. Only synthetic network adapters support this feature.

IP security (IPsec) task offloading. This feature requires that the guest operating system and network
adapter are supported. This feature enables the host's network adapter to perform calculation-intensive
security-association tasks. If sufficient hardware resources are not available, the guest operating system
performs these tasks. You can configure a maximum number of offloaded security associations between a
range of one and 4,096. This feature is supported only on synthetic network adapters.

Single-root I/O virtualization (SR-IOV). This feature requires specific hardware and special drivers to be
installed on the guest operating system. SR-IOV enables multiple virtual machines to share the same
Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources are
not available, network connectivity falls back so that the virtual switch provides it. This feature is only
supported on synthetic network adapters.
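As an added example (not part of the course text), the following Windows PowerShell script applies the guard, bandwidth, IPsec offload and port mirroring features described above to one virtual machine's adapter with Set-VMNetworkAdapter and reads the result back. The VM names LON-GUEST1 and LON-MONITOR, the bandwidth figures and the security-association count are assumptions; absolute minimum bandwidth only works on a switch whose minimum-bandwidth mode is Absolute, so the script checks that first.

```powershell
# Added example, not from the course: harden and tune one VM's network adapter.
# Assumed names: LON-GUEST1 (a tenant VM whose configuration you do not control)
# and LON-MONITOR (a VM running a packet capture tool on the same virtual switch).
Import-Module Hyper-V

$tenantVm  = 'LON-GUEST1'    # assumption
$monitorVm = 'LON-MONITOR'   # assumption

# 1. Guards: drop DHCP server replies and router advertisements/redirects that the
#    guest might emit, so a tenant VM cannot act as a rogue DHCP server or router
#    toward the other VMs on the switch.
Set-VMNetworkAdapter -VMName $tenantVm -DhcpGuard On -RouterGuard On

# 2. Bandwidth management: guarantee 100 Mbps and cap at 500 Mbps (bits per second).
#    The minimum is reserved even when other adapters run at capacity, but only on a
#    switch created in Absolute minimum-bandwidth mode (Hyper-V Manager does this;
#    New-VMSwitch needs -MinimumBandwidthMode Absolute).
$adapter = Get-VMNetworkAdapter -VMName $tenantVm | Select-Object -First 1
$switch  = Get-VMSwitch -Name $adapter.SwitchName
if ($switch.BandwidthReservationMode -eq 'Absolute') {
    Set-VMNetworkAdapter -VMName $tenantVm `
        -MinimumBandwidthAbsolute 100000000 `
        -MaximumBandwidth 500000000
} else {
    Write-Warning ("Switch '{0}' is in {1} mode; only the maximum cap is applied." -f
        $switch.Name, $switch.BandwidthReservationMode)
    Set-VMNetworkAdapter -VMName $tenantVm -MaximumBandwidth 500000000
}

# 3. Virtual Machine Queue stays enabled (weight 100; 0 disables it) and at most 512
#    of the possible 1..4096 IPsec security associations are offloaded to the physical
#    adapter. Beyond that, the guest performs the work itself.
Set-VMNetworkAdapter -VMName $tenantVm -VmqWeight 100 `
    -IPsecOffloadMaximumSecurityAssociation 512

# 4. Port mirroring: copy the tenant adapter's incoming and outgoing packets to the
#    monitoring VM's adapter. Source and destination must be on the same switch.
Set-VMNetworkAdapter -VMName $tenantVm  -PortMirroring Source
Set-VMNetworkAdapter -VMName $monitorVm -PortMirroring Destination

# 5. Read the effective settings back for an audit record.
Get-VMNetworkAdapter -VMName $tenantVm, $monitorVm |
    Format-Table VMName, SwitchName, DhcpGuard, RouterGuard, PortMirroringMode,
                 VmqWeight, IPsecOffloadMaxSA -AutoSize
```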

What Is a Hyper-V Virtual Switch?
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager, which
enables you to create three types of virtual switches. The virtual switches control how the network traffic
flows between virtual machines hosted on the Hyper-V server, as well as how the network traffic flows
between virtual machines and the rest of the organizational network.
Hyper-V on Windows Server 2012 supports the three types of virtual switches that the following table
details.

Type        Description

External    You use this type of switch to map a network to a specific network adapter or
            network-adapter team. Windows Server 2012 supports mapping an external network to a
            wireless network adapter, if you have installed the Wireless LAN Service on the host
            Hyper-V server, and the Hyper-V server has a compatible adapter.

Internal    You use internal virtual switches to communicate between the virtual machines on the
            Hyper-V host and to communicate between the virtual machines and the Hyper-V host
            itself.

Private     You use private switches only to communicate between virtual machines on the Hyper-V
            host. You cannot use private switches to communicate between the virtual machines and
            the Hyper-V host.

When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with
the network. You can use this to extend existing VLANs on the external network to VLANs within the
Hyper-V host's network switch. You can use VLANs to partition network traffic. VLANs function as separate
logical networks. Traffic can pass only from one VLAN to another if it passes through a router.
You can configure the following extensions for each virtual switch type:


Microsoft Network Driver Interface Specification (NDIS) Capture. This extension allows the capture of
data travelling across the virtual switch.

Microsoft Windows Filtering Platform. This extension allows filtering of data travelling across the virtual
switch.

Additional Reading: Hyper-V Virtual Switch Overview
http://technet.microsoft.com/en-us/library/hh831452.aspx

Demonstration: Configuring Hyper-V Networking
In this demonstration, you will see how to create two types of virtual network switches.

Demonstration Steps
1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network
   switch with the following properties:
   o Name: Corporate Network
   o External Network: Mapped to the host computer's physical network adapter. Will vary depending
     on host computer
2. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the
   following properties:
   o Name: Private Network
   o Connection type: Private network

What Is Network Virtualization?
You can use network virtualization to isolate virtual machines from different organizations, even if they
share the same Hyper-V host. For example, you might be providing an Infrastructure as a Service (IaaS) to
competing businesses. You can use network virtualization to go beyond assigning these virtual machines
to separate VLANs as a way of isolating network traffic.
Network virtualization is a technology that you would deploy primarily in scenarios where you use
Hyper-V to host virtual machines for third-party organizations. Network virtualization has the advantage
that you can configure all network isolation on the Hyper-V host. With VLANs, it also is necessary to
configure switches with the appropriate VLAN IDs.


When you configure network virtualization, each guest virtual machine has two IP addresses, which work
as follows:

Customer IP address. The customer assigns this IP address to the virtual machine. You can configure this
IP address so that communication with the customer's internal network can occur even though the virtual
machine might be hosted on a Hyper-V server that is connected to a separate public IP network. Using the
ipconfig command on the virtual machine shows the customer IP address.

Provider IP address. The hosting provider assigns this IP address, which is visible to the hosting provider
and to other hosts on the physical network. This IP address is not visible from the virtual machine.

You can use network virtualization to host multiple machines that use the same customer address, such as
192.168.15.101, on the same Hyper-V host. When you do this, the virtual machines are assigned different
IP addresses by the hosting provider, though this address will not be apparent from within the virtual
machine.
You manage network virtualization by using PowerShell cmdlets. All Network Virtualization cmdlets are in
the NetWNV PowerShell module. Tenants gain access to virtual machines that take advantage of network
virtualization through routing and remote access. They make a tunneled connection from their network
through to the virtualized network on the Hyper-V server.
Additional Reading: Hyper-V Network Virtualization Overview
http://technet.microsoft.com/en-us/library/hh831395.aspx
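As an added example (not part of the course text), this Windows PowerShell script uses the NetWNV module to host two tenants whose virtual machines both use the customer address 192.168.15.101 on one Windows Server 2012 Hyper-V host, each mapped to its own provider address. The physical adapter name "Ethernet", the provider addresses, the tenant VM names, the virtual subnet IDs and the customer GUIDs are assumptions; it also assumes each VM already has a MAC address (it has been started once, or uses a static MAC).

```powershell
# Added example, not from the course: isolate two tenants with Hyper-V Network
# Virtualization (NVGRE encapsulation) on one Windows Server 2012 host.
# Assumptions: host adapter "Ethernet"; provider addresses 10.10.1.11 and 10.10.1.12;
# tenant VMs Contoso-Web and Fabrikam-Web; VSIDs 5001/5002; the GUIDs below.
Import-Module Hyper-V
Import-Module NetWNV

$physicalNic = Get-NetAdapter -Name 'Ethernet'    # assumption

# 1. Bind the Windows Network Virtualization filter to the physical adapter.
Enable-NetAdapterBinding -Name $physicalNic.Name -ComponentID ms_netwnv

# 2. Provider addresses: what the hosting network sees. Guests never see these.
foreach ($pa in '10.10.1.11', '10.10.1.12') {
    New-NetVirtualizationProviderAddress -ProviderAddress $pa `
        -InterfaceIndex $physicalNic.ifIndex -PrefixLength 24
}

# 3. One policy set per tenant. Each tenant is its own routing domain (customer ID)
#    and virtual subnet (VSID); the same customer address is legal in both because
#    the VSID, not the IP address, selects the tenant.
$tenants = @(
    @{ VM = 'Contoso-Web';  Vsid = 5001; Pa = '10.10.1.11'
       Id = '{11111111-2222-3333-4444-000000000001}' },
    @{ VM = 'Fabrikam-Web'; Vsid = 5002; Pa = '10.10.1.12'
       Id = '{11111111-2222-3333-4444-000000000002}' }
)
foreach ($t in $tenants) {
    # The MAC in the lookup record must be the VM adapter's real MAC.
    $mac = (Get-VMNetworkAdapter -VMName $t.VM | Select-Object -First 1).MacAddress

    # Customer address -> provider address for this VSID, encapsulated on the wire.
    New-NetVirtualizationLookupRecord -CustomerAddress '192.168.15.101' `
        -ProviderAddress $t.Pa -VirtualSubnetID $t.Vsid -MACAddress $mac `
        -Rule TranslationMethodEncap -VMName $t.VM -CustomerID $t.Id

    # The tenant's own subnet route inside its routing domain.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.Id -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '192.168.15.0/24' -NextHop '0.0.0.0' -Metric 255

    # Tag the VM's adapter with its VSID so the host applies the right policy.
    Set-VMNetworkAdapter -VMName $t.VM -VirtualSubnetId $t.Vsid
}

# 4. Verify: 192.168.15.101 appears once per VSID, each with a different provider
#    address. Inside either guest, ipconfig shows only the customer address.
Get-NetVirtualizationLookupRecord |
    Sort-Object VirtualSubnetID |
    Format-Table VirtualSubnetID, CustomerAddress, ProviderAddress, VMName -AutoSize
```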

Best Practices for Configuring Virtual Networks
Best practices with respect to configuring virtual networks typically revolve around ensuring that virtual
machines are provisioned with adequate bandwidth. You do not want to have the performance on all
virtual machines affected if a bandwidth-intensive operation, such as a large file copy or website traffic
spike, occurs on one virtual machine on the same host.
The following general best practices apply to configuring virtual networks:

Considerations for NIC teaming. You should deploy multiple network adapters to the Hyper-V host, and
then configure those adapters as part of a team. This ensures that network connectivity will be retained if
the individual network cards fail. Configure multiple teams connected to different switches to ensure that
connectivity remains if a hardware switch fails.

Considerations for bandwidth management. You can use bandwidth management to allocate a minimum
and a maximum bandwidth allocation on a per-virtual-network adapter basis. You should configure
bandwidth allocation to guarantee that each virtual machine has a minimum bandwidth allocation. This
ensures that if another virtual machine hosted on the same Hyper-V server experiences a traffic spike,
other virtual machines are able to communicate with the network normally.


Considerations for Virtual Machine Queue. You should provision the Hyper-V host with an adapter
that supports Virtual Machine Queue. Virtual Machine Queue uses hardware-packet filtering to
deliver network traffic directly to the virtual machine. This improves performance because the packet
does not need to be copied from the host operating system to the virtual machine. When you do not
configure virtual machines to support Virtual Machine Queue, the host operating system can become
a bottleneck when it processes large amounts of network traffic.

Considerations for network virtualization. Network virtualization is complicated to configure, but has an
advantage over VLAN. That is, it is not necessary to configure VLANs on all of the switches that are
connected to the Hyper-V host. You can perform all necessary configurations when you need to isolate
servers on the Hyper-V host without needing to involve the network team. If you are hosting large
numbers of virtual machines, and need to isolate them, use Network Virtualization rather than VLANs.

Lesson 4
Configuring Hyper-V Virtual Machines


When planning a server-virtualization strategy, you need to know what you can and cannot accomplish
when you are using Windows Server 2012 as a virtual machine host.

In this lesson, you will learn about Hyper-V, the hardware requirements for deploying Hyper-V on a
computer running Windows Server 2012, the different components of a virtual machine, and the benefits
of virtual machine Integration Services. You also will learn how to measure virtual machine resource use
with Windows PowerShell cmdlets.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the hardware and management options in virtual machine settings.

Describe how dynamic memory works in Hyper-V.

Create a virtual machine.

Import, export, and move virtual machines in Hyper-V.

Describe the best practices for configuring virtual networks.

Overview of Virtual Machine Settings
Virtual machine settings are grouped into two general areas: Hardware and Management.

Hardware
Virtual machines use simulated hardware. The hypervisor uses this virtual hardware to mediate access to
actual hardware. For example, you can map a virtual network adapter to a virtual network that, in turn,
maps to an actual network interface.
Virtual machines have the following hardware, by default:

BIOS. This virtual hardware simulates the computer's BIOS. You can configure the virtual machine so that
Num Lock is switched on or off. You also can choose the boot order for the virtual machine's virtual
hardware. You can start a machine from a DVD drive, integrated device electronics (IDE) device, legacy
network adapter, or a floppy disk.

Memory. You can allocate memory resources to the virtual machine. An individual virtual machine can
allocate as much as 1 terabyte of memory.

Processor. You can allocate processor resources to the virtual machine. You can allocate up to 32 virtual
processors to a single virtual machine.

IDE Controller. A virtual machine can support only two IDE controllers. By default, two IDE controllers are
allocated to the virtual machine. These are: IDE Controller 0 and IDE Controller 1. Each IDE controller can
support two devices. You can connect virtual disks or virtual DVD drives to an IDE controller. If starting
from a hard disk drive or DVD-ROM, the boot device must be connected to an IDE controller. Use IDE
controllers to connect virtual hard disks and DVD-ROMs to virtual machines that use operating systems
that do not support Integration Services.


SCSI Controller. You can use SCSI controllers only on virtual machines that you deploy with operating
systems that support Integration Services.

Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual-machine guest operating systems.

COM port. A COM port enables connections to a simulated serial port on the virtual machine.

Diskette Drive. You can map a .vhd floppy disk image to a virtual diskette drive.

You can add the following hardware to a virtual machine by editing the virtual machine's properties, and
clicking on Add Hardware:

SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.

Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters.

Legacy network adapter. Legacy network adapters allow network adapters to be used with operating
systems that do not support Integration Services. You also can use legacy network adapters to allow
network deployment of operating-system images. A single virtual machine can have up to four legacy
network adapters.

Fibre Channel Adapter. Allows a virtual machine to connect directly to a Fibre Channel SAN. This
requires that the Hyper-V host have a Fibre Channel HBA that also has a Windows Server 2012 driver
that supports Virtual Fibre Channel.

RemoteFX 3D Adapter. The RemoteFX 3D Adapter allows virtual machines to take advantage of
DirectX and graphics processing power on the host Windows Server 2012 server to display high
performance graphics.

Management
You can use Management settings to configure how the virtual machine behaves on the Hyper-V host.
You can configure the following virtual-machine management settings:

Name. You can use this setting to configure the virtual machine's name on the Hyper-V host. This
does not alter the virtual machine's hostname.

Integration Services. You can use this setting to configure which virtual-machine integration settings
are enabled.

Snapshot File Location. You can use this setting to specify a location for storing virtual-machine
snapshots.

Smart Paging File Location. The location used when smart paging is required to start the virtual
machine.

Automatic Start Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is powered on.

Automatic Stop Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is gracefully shut down.

How Dynamic Memory Works in Hyper-V
In the first release of Hyper-V with Windows Server 2008, virtual machines only could be assigned a static
amount of memory. Unless you took special precautions to measure the precise amount of memory that a
virtual machine requires, you were likely to under-allocate or over-allocate memory.


Windows Server 2008 R2 SP1 introduced dynamic memory, which you can use to allocate a minimum
amount of memory to a virtual machine. You then can allow the virtual machine to request additional
memory, as necessary.
Rather than attempting to guess how much memory a virtual machine requires, dynamic memory allows
you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a
minimum value, which will always be allocated to the virtual machine. You can choose a maximum value,
which the virtual machine will not exceed, even if more memory is requested. Virtual machines must
support Hyper-V Integration Services to be able to use dynamic memory.
With Windows Server 2012, you can modify dynamic memory settings while the virtual machine is
running. This was not possible in Windows Server 2008 R2 SP1.

Smart Paging

Another new memory feature available in Windows Server 2012 is smart paging. Smart paging provides a
solution to the problem of minimum memory allocation, as it relates to virtual machine startup. Virtual
machines can require more memory during startup than they would require during normal operation. In
the past, it was necessary to allocate the minimum required for startup to ensure that startup occurred,
even though that value could be more than the virtual machine needed during normal operation.
Smart paging uses disk paging for additional temporary memory when additional memory beyond the
minimum allocated is required to restart a virtual machine. This provides you with the ability to allocate a
minimum amount of memory based on the amount needed when the virtual machine is operating
normally, rather than the amount required during startup. One drawback of smart paging is a decrease in
performance during virtual-machine restarts.
You can configure virtual machine memory by using the Set-VMMemory Windows PowerShell cmdlet.
Additional Reading: Hyper-V Dynamic Memory
http://technet.microsoft.com/en-us/library/hh831766.aspx
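As an added example (not part of the course text), the following Windows PowerShell script configures dynamic memory and the smart paging file location for one virtual machine with Set-VMMemory and Set-VM, sets static memory for a second machine whose workload does not support dynamic memory, and reads both back. The VM names LON-GUEST1 and LON-MAIL, the memory sizes and the path E:\SmartPaging are assumptions.

```powershell
# Added example, not from the course: dynamic versus static memory on Windows Server
# 2012 Hyper-V. Assumed VM names LON-GUEST1 and LON-MAIL; assumed path E:\SmartPaging.
Import-Module Hyper-V

# Dynamic memory: 512 MB floor (always allocated), 1 GB at startup, 4 GB ceiling the
# guest can never exceed. Startup may sit above the minimum because smart paging
# covers the gap on a restart. Buffer is the share of extra memory Hyper-V tries to
# keep available to the guest; priority decides who wins when the host runs short.
# Toggling DynamicMemoryEnabled needs the VM off; on Windows Server 2012 the minimum
# and maximum can be changed while it runs.
Set-VMMemory -VMName 'LON-GUEST1' `
    -DynamicMemoryEnabled $true `
    -MinimumBytes 512MB `
    -StartupBytes 1GB `
    -MaximumBytes 4GB `
    -Buffer 20 `
    -Priority 50

# Smart paging file: used only when the VM restarts and needs more than its minimum.
# Put it on a volume that can absorb the extra I/O during restarts.
Set-VM -Name 'LON-GUEST1' -SmartPagingFilePath 'E:\SmartPaging'   # assumption

# Static memory for a workload that keeps asking for more memory whenever it is
# offered: disable dynamic memory and size StartupBytes to what you measured.
Set-VMMemory -VMName 'LON-MAIL' -DynamicMemoryEnabled $false -StartupBytes 8GB

# Read the settings back for both machines.
Get-VMMemory -VMName 'LON-GUEST1', 'LON-MAIL' |
    Format-Table VMName, DynamicMemoryEnabled, Minimum, Startup, Maximum, Buffer, Priority -AutoSize
```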

Demonstration: Creating a Virtual Machine

In this demonstration, you will see how to create a virtual machine by using the traditional method of
using the Hyper-V Manager console. You also will see how you can automate the process by using
Windows PowerShell.

Demonstration Steps
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:
   o Name: LON-GUEST1
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
   o Memory: 1024 MB
   o Use Dynamic Memory: Yes
   o Networking: Private Network
   o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\longuest1.vhd
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the
   VHD path contains spaces, so it must be quoted):
   New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
3. Use the Hyper-V Manager console and edit the settings of LON-GUEST2. Configure the following:
   o Automatic Start Action: Nothing
   o Automatic Stop Action: Shut down the guest operating system

Importing, Exporting, and Moving Virtual Machines in Hyper-V
You can use the import and export functionalities in Hyper-V to transfer virtual machines between Hyper-V
hosts and create point-in-time backups of virtual machines.

Importing Virtual Machines
The virtual machine import feature in Windows Server 2012 provides more detailed information than
previous Hyper-V versions featured. You can use this information to identify configuration problems such
as missing hard disks or virtual switches. This was more difficult to determine in Windows Server 2008 and
Windows Server 2008 R2.


In Hyper-V 3.0, you can import virtual machines from copies of virtual machine configuration, snapshot,
and virtual hard-disk files rather than specially exported virtual machines. This is beneficial in recovery
situations where the operating-system volume might have failed but the virtual machine files remain
intact.
To import a virtual machine by using Hyper-V Manager, perform the following general steps:
1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.
2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.
3. On the Locate Folder page, specify the folder that hosts the virtual machine files, and then click Next.


4. On the Select Virtual Machine page, select the virtual machine that you want to import, and then
   click Next.
5. On the Choose Import Type page, choose from the following options:
   o Register the virtual machine in-place (use the existing unique ID)
   o Restore the virtual machine (use the existing unique ID)
   o Copy the virtual machine (create a new unique ID)

You can import virtual machines by using the Import-VM cmdlet.

Exporting Virtual Machines

When performing an export, you can select one of the following options:

Export a snapshot. You can do this by right-clicking the snapshot in the Hyper-V manager console,
and then selecting Export. This enables you to create an exported virtual machine as it existed at the
point that the snapshot was created. The exported virtual machine will have no snapshots.

Export Virtual Machine with Snapshot. You can do this by selecting the virtual machine, and then
clicking Export. This exports the virtual machine and all snapshots associated with the virtual
machine.

Exporting a virtual machine does not affect the existing virtual machine. However, you cannot import
the virtual machine again unless you use the Copy the Virtual Machine option, which creates a new
unique ID.
You can export virtual machines by using the Export-VM cmdlet.

Moving Virtual Machines

You can perform two types of moves by using the Hyper-V move function: a live migration and a move of
the actual virtual machine.
You can move virtual machines from one Hyper-V 3.0 server to another if you have enabled live
migrations. Live migration of virtual machines occurs when you move a virtual machine from one host
to another while keeping the virtual machine online and available to clients. For more information on
migrating virtual machines, visit Module 9: Implementing Failover Clustering with Hyper-V.

You can use the move functionality to move some or all of the virtual-machine files to a different location.
For example, if you want to move the virtual machines from one volume to an SMB share, while keeping
the virtual machine hosted in the same location, you have the following options:

Move all the virtual machine's data to a single location. This moves all configuration files, snapshots,
and virtual hard-disk files to the destination location.

Move the virtual machine's data to different locations. This moves the virtual machine's configuration
files, snapshots, and virtual hard disks to separate locations.

Move the virtual machine's virtual hard disks. This moves the hard disks to a separate location, while
keeping the snapshot and configuration files in the same location.

You can move virtual machines in PowerShell by using the Move-VM cmdlet.
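As an added example (not part of the course text), this Windows PowerShell script walks through the three operations above with Export-VM, Import-VM and the move cmdlets: it exports a machine with its snapshots, imports the export as a copy with a new unique ID so that it can coexist with the original, moves the original's storage to an SMB share, and finally live-migrates the copy. The VM name LON-GUEST1, the export and restore paths, the share \\LON-SVR1\VMStore and the host LON-HOST2 are assumptions, and live migration must already be enabled on both hosts.

```powershell
# Added example, not from the course: export, import-as-copy, storage move and live
# migration on Windows Server 2012 Hyper-V. Assumed: VM LON-GUEST1, export root
# E:\Exports, restore root E:\Restored, share \\LON-SVR1\VMStore, host LON-HOST2.
Import-Module Hyper-V

$vmName    = 'LON-GUEST1'     # assumption
$exportDir = 'E:\Exports'     # assumption
$restore   = 'E:\Restored'    # assumption

# 1. Export the VM together with all of its snapshots (the "Export Virtual Machine
#    with Snapshot" option). The source VM keeps running and is not changed.
Export-VM -Name $vmName -Path $exportDir

# 2. Import the export as a copy. -Copy duplicates the files into the destination
#    folders and -GenerateNewId gives the copy a fresh unique ID, which is the only
#    import type that can coexist with the still-registered original. The export
#    stores the configuration file under "<VM>\Virtual Machines\<ID>.xml".
$configFile = Get-ChildItem -Path (Join-Path $exportDir "$vmName\Virtual Machines") `
                            -Filter '*.xml' | Select-Object -First 1
$copy = Import-VM -Path $configFile.FullName -Copy -GenerateNewId `
            -VirtualMachinePath  $restore `
            -VhdDestinationPath  (Join-Path $restore 'Virtual Hard Disks') `
            -SnapshotFilePath    (Join-Path $restore 'Snapshots') `
            -SmartPagingFilePath (Join-Path $restore 'SmartPaging')
Rename-VM -VM $copy -NewName "$vmName-Copy"

# 3. Confirm the two machines have different IDs: an in-place or restore import of
#    the same export would have collided with the original instead.
Get-VM -Name $vmName, "$vmName-Copy" | Format-Table Name, Id, State, Path -AutoSize

# 4. Storage move: all of the original's data to a single location on an SMB 3.0
#    share while the VM stays registered (and running) on this host. This is the
#    "move all the virtual machine's data to a single location" option.
Move-VMStorage -VMName $vmName -DestinationStoragePath "\\LON-SVR1\VMStore\$vmName"

# 5. Live migration of the copy to another Hyper-V 3.0 host, placing its files under
#    the given path there. Requires live migration to be enabled on both hosts.
Move-VM -Name "$vmName-Copy" -DestinationHost 'LON-HOST2' `
    -DestinationStoragePath "D:\VMs\$vmName-Copy"
```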

Best Practices for Configuring Virtual Machines
When creating new virtual machines, keep the following best practices in mind:


Use dynamic memory. The only time you should avoid dynamic memory is if you have an application that
does not support it. For example, some Microsoft Exchange 2010 roles keep requesting memory, if it is
available. In such cases, set static memory limits. You should monitor memory utilization, and set the
minimum memory to the server's minimum memory utilization. Also, set a maximum amount of memory.
The default maximum is more memory than most host servers have available.

Avoid differencing disks. Differencing disks reduce the amount of space required, but decrease
performance as multiple virtual machines access the same parent virtual hard disk file.

Use multiple synthetic network adapters connected to different external virtual switches. Configure virtual
machines to use multiple virtual network adapters that are connected to host NICs, which in turn are
connected to separate physical switches. This means that network connectivity is retained if a NIC fails or
a switch fails.

Store virtual machine files on their own volume. This minimizes the chance that one virtual machine's
virtual hard disk growth affects the other virtual machines on the same server.

Lab: Implementing Server Virtualization with Hyper-V


Scenario
IT management at A. Datum is concerned about the low utilization for many of the physical servers
deployed in the London data center. Also, A. Datum is exploring options for expanding into multiple
branch offices, and deploying servers in public and private clouds. For this purpose, the company is
exploring the use of virtual machines.


As one of the senior network administrators at A. Datum, you are responsible for implementing Hyper-V
in the London data center. You will deploy the Hyper-V server role, configure virtual machine storage and
networking, and deploy the virtual machines.

Objectives
After performing this lab you will be able to:

Install the Hyper-V Server role.

Configure virtual networking.

Configure a virtual machine.

Lab Setup
Estimated time: 60 minutes

Virtual Machine(s)    20417A-LON-HOST1 or 20417A-LON-HOST2
User Name             Adatum\Administrator
Password              Pa$$w0rd

Lab Setup Instructions
1. Restart the classroom computer and in Windows Boot Manager, select 20417A-LON-HOST1 or
   20417A-LON-HOST2. Your instructor will specify which host to log on to.
2. Log on to LON-HOST1 or LON-HOST2 server with the following credentials:
   o Account: Adatum\Administrator
   o Password: Pa$$w0rd

Exercise 1: Install the Hyper-V Server Role

Scenario
The first step in migrating to a virtualized environment is to install the Hyper-V server role on a new
server.
The main tasks for this exercise are as follows:
1. Configure network settings on LON-HOST1 and LON-HOST2.
2. Install the Hyper-V server role.
3. Complete Hyper-V role installation and verify settings.

Task 1: Configure network settings on LON-HOST1 and LON-HOST2
1. Restart the classroom computer, and in the Windows Boot Manager, select either
   20417A-LON-HOST1 or 20417A-LON-HOST2.
   If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server by using the following credentials:
   o Account: Adatum\Administrator
   o Password: Pa$$w0rd
3. In Server Manager, click Local Server, and then configure the following network settings:
   o LON-HOST1: 172.16.0.31
   o LON-HOST2: 172.16.0.32
   o Subnet mask: 255.255.0.0
   o Default gateway: 172.16.0.1
   o Preferred DNS server: 172.16.0.10

Task 2: Install the Hyper-V server role
1. In Server Manager, use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1
   or LON-HOST2 with the following options:
   o Do not create a virtual switch
   o Use the Default stores locations
   o Allow the server to restart automatically if required.
2. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
   the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
   restart several times.

Task 3: Complete Hyper-V role installation and verify settings
1. Log on to LON-HOST1 or LON-HOST2 by using Adatum\Administrator with the password Pa$$w0rd.
2. When the installation of the Hyper-V tools completes, click Close.
3. Open the Hyper-V Manager console, and then click LON-HOST1 or LON-HOST2.
4. Open the Hyper-V settings, and then configure or verify the following settings:
   o Keyboard: Use on the virtual machine
   o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

Question: What additional features are required to support the Hyper-V role?

Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
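As an added example (not part of the lab text), the following Windows PowerShell script performs the three tasks of Exercise 1 from an elevated prompt with the lab's addresses: it is run once to set the network settings and install the role (the host restarts), then run again after the restarts to verify the role and set the default virtual hard disk location. The physical adapter name "Ethernet" is an assumption; the Keyboard setting has no cmdlet and stays a Hyper-V Settings task.

```powershell
# Added example, not from the lab: Exercise 1 in PowerShell. Run as Administrator on
# LON-HOST1 or LON-HOST2; the adapter name "Ethernet" is an assumption.
$hostIp = if ($env:COMPUTERNAME -eq 'LON-HOST1') { '172.16.0.31' } else { '172.16.0.32' }

if (-not (Get-WindowsFeature -Name Hyper-V).Installed) {
    # Task 1: static IPv4 address, /16 (255.255.0.0), gateway 172.16.0.1, DNS 172.16.0.10.
    $adapter = Get-NetAdapter -Name 'Ethernet'   # assumption
    Remove-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
        -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' `
        -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $hostIp `
        -PrefixLength 16 -DefaultGateway '172.16.0.1'
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses '172.16.0.10'

    # Task 2: the role plus its management tools (Hyper-V Manager and the Hyper-V
    # PowerShell module, which are the additional features the role needs). No virtual
    # switch is created, as the lab requires. The host restarts, several times.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
    return
}

# Task 3 (second run, after the restarts): confirm the role and tools, then set the
# default location for new virtual hard disks and show the host settings.
Import-Module Hyper-V
Get-WindowsFeature -Name Hyper-V, Hyper-V-Tools, Hyper-V-PowerShell |
    Format-Table Name, InstallState -AutoSize
Set-VMHost -VirtualHardDiskPath 'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
Get-VMHost | Format-Table Name, VirtualHardDiskPath, VirtualMachinePath -AutoSize
```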

Exercise 2: Configuring Virtual Networking

Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual networks that
your manager specifies. You need to create a network that connects to the physical network and a private
network that you can use only for communication between virtual machines. The private network is used
when virtual machines are configured for high availability. You also need to configure a specific range of
media access control (MAC) addresses for the virtual machines.
The main tasks for this exercise are as follows:
1. Configure the external network.
2. Create a private network.
3. Create an internal network.

Task 1: Configure the external network
In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network switch
with the following properties:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Will vary depending on
  host computer.

Task 2: Create a private network
In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following
properties:
o Name: Private Network
o Connection type: Private network

Task 3: Create an internal network
In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following
properties:
o Name: Internal Network
o Connection type: Internal network

Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.
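As an added example (not part of the course or lab text) that serves the virtual switch topic, the earlier networking demonstration and Exercise 2 together, the following Windows PowerShell script creates the Corporate Network, Private Network and Internal Network switches with New-VMSwitch, puts the external switch on a NIC team as the best-practices topic recommends, sets the host's MAC address range, tags one VM adapter with a VLAN ID and enables the NDIS capture extension. The physical adapter names "Ethernet" and "Ethernet 2", the VM name LON-GUEST1, VLAN 10 and the MAC range are assumptions.

```powershell
# Added example, not from the course: virtual switches, NIC team, MAC range, VLAN
# tagging and switch extensions on Windows Server 2012 Hyper-V. Run as Administrator.
# Assumptions: adapters "Ethernet" and "Ethernet 2"; VM LON-GUEST1; VLAN 10; MAC range.
Import-Module Hyper-V

# 1. Team two physical adapters so the external switch survives a NIC failure.
$team = New-NetLbfoTeam -Name 'HostTeam' -TeamMembers 'Ethernet', 'Ethernet 2' `
            -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# 2. External switch bound to the team. AllowManagementOS keeps the host reachable
#    through the same team; Absolute mode lets adapters reserve bandwidth in bits/s.
New-VMSwitch -Name 'Corporate Network' -NetAdapterName $team.Name `
    -AllowManagementOS $true -MinimumBandwidthMode Absolute

# 3. Private: VMs talk only to each other. Internal: VMs and the host, not the LAN.
New-VMSwitch -Name 'Private Network'  -SwitchType Private
New-VMSwitch -Name 'Internal Network' -SwitchType Internal

# 4. A dynamic MAC range unique to this host, so its VMs cannot collide with VMs on
#    another host that kept the same default range (assumed values).
Set-VMHost -MacAddressMinimum '00155D1E0100' -MacAddressMaximum '00155D1E01FF'

# 5. VLAN 10 on LON-GUEST1's adapter: its frames leave the external switch tagged and
#    stay apart from untagged VMs on the same switch. The physical switch port the
#    team connects to must carry VLAN 10.
Set-VMNetworkAdapterVlan -VMName 'LON-GUEST1' -Access -VlanId 10

# 6. Enable the NDIS capture extension on the external switch so traffic crossing the
#    switch can be captured there, then show the state of both built-in extensions.
Enable-VMSwitchExtension -Name 'Microsoft NDIS Capture' -VMSwitchName 'Corporate Network'
Get-VMSwitchExtension -VMSwitchName 'Corporate Network' |
    Format-Table Name, Enabled, Running -AutoSize

# 7. Summary of the three switches and of the tagged adapter.
Get-VMSwitch |
    Format-Table Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS,
                 BandwidthReservationMode -AutoSize
Get-VMNetworkAdapterVlan -VMName 'LON-GUEST1' |
    Format-Table VMName, OperationMode, AccessVlanId -AutoSize
```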

Exercise 3: Creating and Configuring a Virtual Machine


Scenario
You have been asked to deploy two virtual machines and to import a third virtual machine. You have
copied a sysprepped VHD file that hosts a Windows Server 2012 Hyper-V host.

To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You use these differencing files as the hard-disk files for the new virtual
machines.
You also will import a specially prepared virtual machine.

The main tasks for this exercise are as follows:


1.

Configure virtual machine storage.

2.

Create virtual machines.

3.

Configure VLANs and network bandwidth settings.

4.

Import a virtual machine.

5.

Configure virtual machine dynamic memory.

6.

Configure and test virtual machine snapshots.

Task 1: Configure virtual machine storage
1. Use Windows Explorer to create the following folders on the physical host drive:
o E:\Program Files\Microsoft Learning\Base\LON-GUEST1
o E:\Program Files\Microsoft Learning\Base\LON-GUEST2
Note: The drive letter may depend upon the number of drives on the physical host machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Disk Format: VHD
o Disk Type: Differencing
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
3. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the
paths contain spaces, so they must be quoted):
Import-Module Hyper-V
New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd"
-ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.


Task 2: Create virtual machines
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Memory: 1024 MB
o Use Dynamic Memory: Yes
o Networking: Private Network
o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\LON-GUEST1.vhd
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the
VHD path contains spaces, so it must be quoted):
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program
Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private
Network"
3. In the Hyper-V Manager console, edit the settings of LON-GUEST2 and configure the following:
o Automatic Start Action: Nothing
o Automatic Stop Action: Shut down the guest operating system


Task 3: Configure VLANs and network bandwidth settings
1. In Hyper-V Manager, use Virtual Switch Manager to configure the Internal Network virtual switch
to use a VLAN ID of 4.
2. Configure the following properties for the network adapter on LON-GUEST2:
o Virtual Switch: Internal Network
o VLAN ID: 4
o Enable DHCP guard
o Enable router advertisement guard


Question: What kind of switch would you create if you added a new physical network
adapter to the Hyper-V host and wanted to keep this separate from the existing networks
you create during this exercise?

Task 4: Import a virtual machine
1. Perform the following task:
o If you are using LON-HOST1, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B.
o If you are using LON-HOST2, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B.
2. When importing, select the Register the virtual machine in-place option.

Task 5: Configure virtual machine dynamic memory
Edit the properties of virtual machine LON-GUEST2, and then configure the following settings:
o Startup RAM: 1024 MB
o Enable Dynamic Memory
o Minimum RAM: 512 MB
o Maximum RAM: 2048 MB

Task 6: Configure and test virtual machine snapshots
1. If you are using LON-HOST1, start and then log on to 20417A-LON-DC1-B. If you are using
LON-HOST2, log on to virtual machine 20417A-LON-SVR1-B.
2. On the desktop of the virtual machine, create the following folders:
o Sydney
o Melbourne
o Brisbane
3. Create a snapshot of the virtual machine named Before Change.
4. Delete the following folders on the desktop:
o Sydney
o Brisbane
5. Revert the virtual machine.
6. Verify that the following folders are present on the desktop:
o Sydney
o Melbourne
o Brisbane
7. Delete all three folders from the desktop.


Question: What state must the virtual machine be in to configure dynamic memory when
using Windows Server 2008 R2 as a host? How is this different to Windows Server 2012 as a
host?


Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
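Exercise 3 carried out end to end for LON-GUEST2 with the Hyper-V PowerShell module, as an added example that is not part of the course lab. It assumes the lab's folder layout, the Private Network and Internal Network switches from Exercise 2, and LON-HOST2's import path; because the VM is powered off, the snapshot test uses a configuration change (processor count) rather than folders inside the guest, and the LON-GUEST2 name and paths are the lab's own:

```powershell
# Added example (not from the course): Exercise 3 tasks for LON-GUEST2 in PowerShell,
# with a check after each step. Assumes the lab's paths and Exercise 2 switch names.
Import-Module Hyper-V

$base   = 'E:\Program Files\Microsoft Learning\Base'
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'
$vmName = 'LON-GUEST2'
$vhd    = Join-Path $base "$vmName\$vmName.vhd"

# Task 1: differencing disk on top of the sysprepped parent. Paths contain spaces,
# so they travel in variables / quoted strings, never bare on the command line.
New-Item -ItemType Directory -Path (Split-Path $vhd) -Force | Out-Null
New-VHD -Path $vhd -ParentPath $parent -Differencing | Out-Null
$info = Get-VHD -Path $vhd
if ($info.VhdType -ne 'Differencing' -or $info.ParentPath -ne $parent) {
    throw "$vhd is not a differencing disk whose parent is $parent"
}

# Task 2: create the VM on the private switch, then the start/stop actions.
New-VM -Name $vmName -MemoryStartupBytes 1024MB -VHDPath $vhd `
    -SwitchName 'Private Network' | Out-Null
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Task 3: VLAN 4 on the Internal Network switch (its host-side adapter carries the
# switch name) and on the VM adapter. DHCP guard drops DHCP server replies sent by
# the guest; router guard drops router advertisements from the guest, so a single
# VM cannot hand out addresses or routes to its neighbours on the switch.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Internal Network' `
    -Access -VlanId 4
Connect-VMNetworkAdapter -VMName $vmName -SwitchName 'Internal Network'
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId 4
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On

# Task 4: register the prepared VM in place (Import-VM without -Copy does not copy
# files, which is the "Register the virtual machine in-place" option in the console).
$vmDir  = 'E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B'
$config = Get-ChildItem -Path (Join-Path $vmDir 'Virtual Machines') -Filter *.xml |
    Select-Object -First 1
Import-VM -Path $config.FullName | Out-Null

# Task 5: dynamic memory 512 MB to 2048 MB, 1024 MB at startup.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true -StartupBytes 1024MB `
    -MinimumBytes 512MB -MaximumBytes 2048MB

# Task 6: snapshot, change, revert, confirm. A snapshot captures the VM configuration
# as well as the disks, so reverting undoes the processor-count change made after it.
Checkpoint-VM -Name $vmName -SnapshotName 'Before Change'
Set-VM -Name $vmName -ProcessorCount 2
Restore-VMSnapshot -VMName $vmName -Name 'Before Change' -Confirm:$false
if ((Get-VM -Name $vmName).ProcessorCount -ne 1) {
    throw 'Revert did not restore the pre-change configuration'
}

# Summary of what was configured.
Get-VM -Name $vmName |
    Select-Object Name, State, DynamicMemoryEnabled, MemoryMinimum, MemoryMaximum
Get-VMNetworkAdapter -VMName $vmName | Select-Object SwitchName, DhcpGuard, RouterGuard
Get-VMNetworkAdapterVlan -VMName $vmName
```

Every step is followed by a read-back (Get-VHD, Get-VM, Get-VMNetworkAdapter), which is how you would verify the lab from a script rather than by eye in Hyper-V Manager.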

To prepare for the next module

When you have finished the lab, leave the virtual machines running, as they are needed for the lab in
Module 9.

Module Review and Takeaways


Review Questions
Question: In which situations should you use a fixed-memory allocation rather than
dynamic memory?
Question: In which situations must you use virtual hard disks in VHDX format as opposed to
virtual hard disks in VHD format?
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?

Common Issues and Troubleshooting Tips

Common Issue                                    Troubleshooting Tip
Cannot deploy Hyper-V on x64 processor
Virtual machine does not use dynamic memory

Real-world Issues and Scenarios


You have 10 servers that run Windows Server 2008 with Hyper-V. You are planning to upgrade these
servers to Windows Server 2012 and want them to continue to run the Hyper-V role. What technology
should you verify that the processor supports before performing the upgrade?

Tools

Tool                           Used for                                     Where to find it?
The Sysinternals disk2vhd      Convert physical hard disks to VHD format    Microsoft TechNet website
tool                                                                        http://technet.microsoft.com/en-us/sysinternals/bb842062
Virtual Machine Manager 2012   Manage virtual machines across multiple      Microsoft TechNet website
                               Hyper-V servers; perform online physical     http://technet.microsoft.com/en-us/library/gg610610.aspx
                               to virtual conversions


Module 9
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview                                                                              9-1
Lesson 1: Overview of the Integration of Hyper-V with Failover Clustering                    9-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters                         9-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement                                      9-14
Lesson 4: Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager   9-19
Lab: Implementing Failover Clustering with Hyper-V                                           9-29
Module Review and Takeaways                                                                  9-33

Module Overview

One benefit of implementing server virtualization is the opportunity to provide high availability, both
for applications or services that have built-in high availability functionality, and for applications or
services that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V
technology, failover clustering, and Microsoft System Center 2012 Virtual Machine Manager (VMM), you
can configure high availability by using several different options.

In this module, you will learn how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You will also learn about basic features of virtual machines.

Objectives
After completing this module, you will be able to:

Describe how Hyper-V integrates with failover clustering.

Implement Hyper-V virtual machines on failover clusters.

Implement Hyper-V virtual machine movement.

Manage a Hyper-V virtual environment by using VMM.

Lesson 1
Overview of the Integration of Hyper-V with Failover Clustering

Failover clustering is a Windows Server 2012 feature that enables you to make applications or services
highly available. To make virtual machines highly available in a Hyper-V environment, you must implement
failover clustering on the Hyper-V host computers.

This lesson summarizes the high availability options for Hyper-V based virtual machines, and then focuses
on how failover clustering works, and how to design and implement failover clustering for Hyper-V.

Lesson Objectives
After completing this lesson, you will be able to:

Describe options for making virtual machines highly available.

Describe how failover clustering works with Hyper-V nodes.

Describe new features of failover clustering for Hyper-V.

Describe best practices for implementing high availability in a virtual environment.

Options for Making Virtual Machines Highly Available
Most organizations have some applications that are business critical and must be highly available.
To make an application highly available, you must deploy it in an environment that provides
redundancy for all components that the application requires. For virtual machines to be highly
available, you can choose between several options. You can implement a virtual machine as a clustered
role (host clustering), you can implement clustering inside virtual machines (guest clustering), or you can
use Network Load Balancing (NLB) inside virtual machines.

Host Clustering

Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you
configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource.
Failover protection is implemented at the host server level. This means that the guest operating system
and applications that are running within the virtual machine do not have to be cluster-aware. However,
the virtual machine is still highly available. Some examples of non-cluster-aware applications are a
File Server or Print Server, or perhaps a proprietary network-based application, such as an accounting
application. Should the host node that controls the virtual machine unexpectedly become unavailable, the
secondary host node takes control and restarts the virtual machine as quickly as possible. You can also
move the virtual machine from one node in the cluster to another in a controlled manner. For example,
you could move the virtual machine from one node to another while patching the host operating system.
The guest operating system, and the applications or services that are running in the virtual machine, do
not have to be compatible with failover clustering, nor are they aware that the virtual machine is clustered.
Because the failover is at the virtual machine level, there are no dependencies on software that is installed
inside the virtual machine.

Guest Clustering


Guest failover clustering is configured very similarly to physical server failover clustering, except that
the cluster nodes must include multiple virtual machines. In this scenario, you create two or more virtual
machines, and enable failover clustering within the guest operating system. The application or service is
then enabled for high availability between the virtual machines by using failover clustering in each virtual
machine. Because failover clustering is implemented within each virtual machine node's guest operating
system, you can locate the virtual machines on a single host. This can be a quick and cost-effective
configuration in a test or staging environment.

For production environments however, you can more robustly protect the application or service if
you deploy the virtual machines on separate failover clustering enabled Hyper-V host computers. With
failover clustering implemented both at the host and virtual machine levels, the resource can be restarted
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual
machines running mission-critical applications in a production environment.
You should consider several factors when you implement guest clustering:

The application or service must be failover cluster-aware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server and
Microsoft Exchange Server.

Hyper-V virtual machines can use fiber channel-based connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement iSCSI connections from the virtual
machines to the shared storage.

You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
you should dedicate a network connection to the iSCSI connection (if you are using this method to
connect to storage), to the private network between the hosts, and to the network connection that the
client computers use.

Network Load Balancing

NLB works with virtual machines in the same manner that it works with physical hosts. It distributes IP
traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the
NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to
access the cluster by using a virtual host name or a virtual IP address. From the client computer's point
of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic
increases, you can add another server into the cluster.

Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications would be web-based front ends to database
applications or Exchange Server Client Access Servers.

When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the network load balancing feature in Windows Server
2012 within each virtual machine's guest operating system (not on the Hyper-V hosts), and then
configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, so that
the Guest operating system is not limited to only Windows Server 2012. Similar to a Guest Cluster Across
Hosts, the NLB resource typically benefits from overall increased I/O performance when the virtual
machine nodes are located on different Hyper-V hosts.
Note: As with earlier versions of Windows Server, you should not implement NLB and
failover clustering within the same operating system because the two technologies conflict with
one another.

How Does a Failover Cluster Work with Hyper-V Nodes?


When you implement failover clustering and configure virtual machines as highly available resources, the
failover cluster treats the virtual machines like any other application or service. Namely, if there is host
failure, failover clustering will act to restore access to the virtual machine as quickly as possible on another
host in the cluster. Only one node at a time runs the virtual machine. However, you can also move the
virtual machine to any other node in the same cluster.

The failover process transfers the responsibility of providing access to resources in a cluster from one node
to another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance or other reasons, or when unplanned downtime of one node occurs because of hardware
failure or other reasons.
The failover process consists of the following steps:
1.

The node where the virtual machine is running owns the clustered instance of the virtual machine,
controls access to the shared bus or iSCSI connection to the cluster storage, and has ownership of any
disks, or Logical Unit Numbers (LUNs), assigned to the virtual machine. All the nodes in the cluster use
a private network to send regular signals, known as heartbeat signals, to one another. The heartbeat
signals that a node is functioning and communicating on the network. The default heartbeat
configuration specifies that each node send a heartbeat over TCP/UDP port 3343 each second (or
1000 milliseconds).

2.

Failover starts when the node hosting the virtual machine does not send regular heartbeat signals
over the network to the other nodes. By default, this is five consecutively missed heartbeats (or 5000
milliseconds elapses). Failover may occur because of a node failure or network failure.

3.

When heartbeat signals stop arriving from the failed node, one of the other nodes in the cluster
begins taking over the resources that the virtual machines use. You define the node(s) that could take
over by configuring the Preferred and Possible Owners properties. The Preferred Owner specifies
the hierarchy of ownership if there is more than one possible failover node for a resource. By default
all nodes are members of Possible Owners. Therefore, removing a node as a Possible Owner
absolutely excludes it from taking over the resource in a failure situation. Suppose that a failover
cluster is implemented by using four nodes. However, only two nodes are configured as Possible
Owners. In a failover event, the resource might still be taken over by the third node if neither of the
Preferred Owners is online. Although the fourth node is not configured as a Preferred Owner, as
long as it remains a member of Possible Owners, the failover cluster uses it to restore access to the
resource if necessary. Resources are brought online in order of dependency. For example, if the virtual
machine references an iSCSI LUN, access to the appropriate host bus adapters (HBAs), network(s) and
LUNs will be restored in that order. Failover is complete when all the resources are online on the new
node. For clients interacting with the resource, there is a short service interruption, which most users
might not notice.

4.

You can also configure the cluster service to fail back to the offline node after it again becomes
active. When the cluster service fails back, it uses the same procedures that it performs during
failover. This means that the cluster service takes all the resources associated with that instance
offline, moves the instance, and then brings all the resources in the instance back online.
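The settings that drive the four steps above (heartbeat interval and threshold, preferred and possible owners, failback) read back from a cluster with the FailoverClusters PowerShell module, as an added example that is not the course's code. It assumes it is run on a cluster node, that the clustered role is named LON-GUEST2, and that LON-HOST1 followed by LON-HOST2 is the intended preferred-owner order (placeholders); deviations from that baseline are reported rather than changed:

```powershell
# Added example (not from the course): audit the failover settings of one clustered VM.
# Assumptions: run on a cluster node; $vmGroup and $expectedOwners are placeholders.
Import-Module FailoverClusters

$vmGroup        = 'LON-GUEST2'                 # assumed clustered role (group) name
$expectedOwners = @('LON-HOST1', 'LON-HOST2')  # assumed preferred-owner order
$findings       = @()

# Step 1/2: heartbeat interval in ms and how many may be missed before failover starts.
# The lesson's defaults are 1000 ms and 5 missed heartbeats (nodes on one subnet).
$cluster = Get-Cluster
if ($cluster.SameSubnetDelay -ne 1000) {
    $findings += "SameSubnetDelay is $($cluster.SameSubnetDelay) ms (default 1000)"
}
if ($cluster.SameSubnetThreshold -ne 5) {
    $findings += "SameSubnetThreshold is $($cluster.SameSubnetThreshold) (default 5)"
}

# Step 3: preferred owners (order of failover) live on the group; possible owners
# (who may take the role at all) live on the Virtual Machine resource of the group.
$group     = Get-ClusterGroup -Name $vmGroup
$preferred = (Get-ClusterOwnerNode -Group $vmGroup).OwnerNodes | ForEach-Object Name
if (($preferred -join ',') -ne ($expectedOwners -join ',')) {
    $findings += "Preferred owners are '$($preferred -join ',')', expected '$($expectedOwners -join ',')'"
}

$vmResource = Get-ClusterResource | Where-Object {
    $_.OwnerGroup.Name -eq $vmGroup -and $_.ResourceType.Name -eq 'Virtual Machine'
}
$possible = (Get-ClusterOwnerNode -Resource $vmResource.Name).OwnerNodes | ForEach-Object Name
$allNodes = Get-ClusterNode | ForEach-Object Name
$excluded = $allNodes | Where-Object { $_ -notin $possible }
if ($excluded) {
    # Not necessarily wrong, but an excluded node can never restore this VM.
    $findings += "Nodes excluded from possible owners: $($excluded -join ',')"
}

# Step 4: failback. AutoFailbackType 0 = prevent, 1 = allow (within the window, if set).
if ($group.AutoFailbackType -eq 1) {
    $findings += "Failback enabled (window $($group.FailbackWindowStart)-$($group.FailbackWindowEnd) h); expect a second outage when the node returns"
}

# Startup priority (0 = no auto start, 1000 low, 2000 medium, 3000 high).
if ($group.Priority -eq 0) {
    $findings += "Priority is 0: the VM will not be started automatically after failover"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "$vmGroup failover settings match the baseline." }
```

The script deliberately only reads and reports. Changing owners or heartbeat thresholds affects every role in the cluster, so a change should be a separate, reviewed step, not a side effect of an audit.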


What's New in Failover Clustering for Hyper-V in Windows Server 2012?
In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters.
Some of the most important improvements are:

Failover clustering now supports up to 4,000 virtual machines, and the improved Failover
Cluster Manager snap-in simplifies managing many virtual machines.

Administrators can now perform multiselect actions to queue live migrations of multiple
virtual machines, instead of doing it one by one, as in earlier versions.

Administrators can also configure the virtual machine priority attribute to control the order in which
virtual machines are started. Priority is also used to ensure that lower-priority virtual machines
automatically release resources if they are needed by higher priority virtual machines.

The Cluster Shared Volume (CSV) feature, which simplifies the configuration and operation of virtual
machines, is improved for more security and performance. It now supports scalable file-based server
application storage, increased backup and restore and a single consistent file namespace. Also, you can
now protect CSV volumes by using BitLocker Drive Encryption and configuring them to make
storage visible to only a subset of nodes.

Virtual machine application monitoring. You can now monitor services running on clustered virtual
machines. In clusters running Windows Server 2012, administrators can configure monitoring of
services on clustered virtual machines that are also running Windows Server 2012. This functionality
extends the high-level monitoring of virtual machines that is implemented in Windows Server 2008
R2 failover clusters.

It is now possible to store virtual machines on SMB file shares in a file server cluster. This is a new way
to provide high availability for virtual machines. Instead of making a cluster between Hyper-V nodes,
you can now have Hyper-V nodes out of a cluster but with virtual machine files on a highly available
file share. To make this work, you should deploy a file server cluster in a scale-out file server mode.
Scale-out file servers can also use Cluster Shared Volumes for storage.

Best Practices for Implementing High Availability in a Virtual Environment
After you determine which applications are deployed on highly available failover clusters, you plan and
deploy the failover clustering environment. Apply the following recommendations when you implement the
failover cluster:

Use Windows Server 2012 as the Hyper-V host. Windows Server 2012 provides enhancements such as
Hyper-V 3.0, improved CSVs, virtual machine migrations, and other features that improve flexibility and
performance when you implement host failover clustering.


Plan for failover scenarios. When you design the hardware requirements for the Hyper-V hosts, make
sure that you include the hardware capacity required when hosts fail. For example, if you deploy a six-node cluster, you must determine the number of host failures that you want to accommodate. If you
decide that the cluster must sustain the failure of two nodes, then the four remaining nodes must
have the capacity to run all the virtual machines in the cluster.

Plan the network design for failover clustering. To optimize the failover cluster performance and
failover, you should dedicate a fast network connection for internode communication. As with earlier
versions, this network should be logically and physically separate from the network segment(s) used
for clients to communicate with the cluster. You can also use this network connection to transfer
virtual machine memory during a Live Migration. If you are using iSCSI for any virtual machines,
dedicate a network connection to the iSCSI network connection also.

Plan the shared storage for failover clustering. When you implement failover clustering for Hyper-V,
the shared storage must be highly available. If the shared storage fails, the virtual machines will all
fail, even if the physical nodes are functional. To ensure the storage availability, plan for redundant
connections to the shared storage and redundant array of independent disks (RAID) redundancy on
the storage device.

Use the recommended failover cluster quorum mode. If you deploy a cluster with an even number
of nodes, and shared storage is available to the cluster, the Failover Cluster Manager automatically
selects Node and Disk Majority quorum mode. If you deploy a cluster with an odd number of nodes,
the Failover Cluster Manager selects the Node Majority quorum mode. You should not modify the
default configuration unless you understand the implications of doing this.

Deploy standardized Hyper-V hosts. To simplify the deployment and management of the failover
cluster and Hyper-V nodes, develop a standard server hardware and software platform for all nodes.

Develop standard management practices. When you deploy multiple virtual machines in a
failover cluster, you increase the risk that a single mistake may shut down a large part of the server
deployment. For example, if an administrator accidentally configures the failover cluster incorrectly,
and the cluster fails, all virtual machines in the cluster will be offline. To avoid this, develop and
thoroughly test standardized instructions for all administrative tasks.

Lesson 2
Implementing Hyper-V Virtual Machines on Failover Clusters


Implementation of highly available virtual machines is somewhat different from implementing other roles
in a failover cluster. Failover clustering in Windows Server 2012 provides many features for Hyper-V
clustering in addition to tools for virtual machine high availability management. In this lesson, you will
learn about how to implement highly available virtual machines.

Lesson Objectives
After completing this lesson, you will be able to:

Describe components of a Hyper-V cluster.

Describe prerequisites for Hyper-V failover cluster implementation.

Implement Hyper-V virtual machines in a cluster.

Configure CSVs.

Implement highly available virtual machines on SMB 3.0 file shares.

Describe considerations for implementing Hyper-V virtual machines in a cluster.

Components of Hyper-V Clusters
Hyper-V as a role has some specific requirements for cluster components. To form a Hyper-V cluster,
you must have at least two physical nodes. Whereas other clustered roles (such as DHCP, file server,
and so on) allow for nodes to be virtual machines, Hyper-V nodes must be composed of physical hosts.
You cannot run Hyper-V as a virtual machine on a Hyper-V host.

In addition to having nodes, you must also have physical and virtual networks. Failover clustering
requires a network for internal cluster communication, and also a network for clients. You can also
implement a storage network separately, depending on the type of storage being used. Again, specific to
the Hyper-V role, you should also consider virtual networks for clustered virtual machines. It is very
important to create the same virtual networks on all physical hosts that participate in one cluster. Failing
to do this causes a virtual machine to lose network connectivity when moved from one host to another.

Storage is an important component of virtual machine clustering. You can use any type of storage that is
supported by Windows Server 2012 failover clustering. We recommend that you configure storage as a
CSV. This is discussed in a following topic.

Virtual machines are components of a Hyper-V cluster. In Failover Cluster Manager you can create new
highly available virtual machines, or you can make existing virtual machines highly available. In both cases,
the virtual machine storage location must be on shared storage that can be accessed by both nodes. You
might not want to make all virtual machines highly available. In Failover Cluster Manager you can select
which virtual machines are part of a cluster configuration.


Prerequisites for Implementing Hyper-V Clusters


To deploy Hyper-V on a failover cluster, you must make sure that you meet the hardware, software,
account, and network infrastructure requirements that the following sections detail.

Hardware Requirements for Failover Clustering with Hyper-V


You must have the following hardware for a two-node failover cluster:


Server hardware: Hyper-V requires an x64-based processor, hardware-assisted virtualization, and


hardware-enforced Data Execution Prevention (DEP). As a best practice, the servers should have very
similar hardware. If you are using Windows Server 2008, the processors on the servers must be the
same version. If you are using Windows Server 2008 R2 or Windows Server 2012, the processors must
use the same architecture.

Note: Microsoft supports a failover cluster solution only if all the hardware features are
marked as Certified for Windows Server. Additionally, the complete configuration (servers,
network, and storage) must pass all tests in the Validate This Configuration wizard, which is
included in the Failover Cluster Manager snap-in.

Network adapters: The network hardware, just as other features in the failover cluster solution, must
be marked as Certified for Windows Server. To provide network redundancy, you can connect
cluster nodes to multiple, distinct networks, or you can connect the nodes to one network that uses
teamed network adapters, redundant switches, redundant routers, or similar hardware to remove
single points of failure. We recommended that you configure multiple network adapters on the host
computer that you configure as a cluster node. One network adapter should be connected to the
private network that the inter-host communications uses.

Storage adapters: If you use Serial Attached SCSI (SAS) or fiber channel, the mass-storage device
controllers in all clustered servers should be identical and should use the same firmware version.
If you are using iSCSI, each clustered server should have one or more network adapters that are
dedicated to the cluster storage. The network adapters that you use to connect to the iSCSI storage
target should be identical, and you should use Gigabit Ethernet or a faster network adapter.

Storage: You must use shared storage that is compatible with Windows Server 2008 R2. If you deploy
a failover cluster that uses a witness disk, the storage must contain at least two separate volumes
(LUNs). One volume functions as the witness disk, and additional volumes contain the virtual machine
files that are shared between the cluster nodes. Storage considerations and recommendations include
the following:
o Use basic disks, not dynamic disks. Format the disks with the NTFS file system.
o Use either master boot record (MBR) or GUID partition table (GPT).
o If you are using a storage area network (SAN), the miniport driver that the storage uses must
work with the Microsoft Storport storage driver.

Consider using multipath input/output (I/O) software: If your SAN uses a highly available network
design with redundant components, you can deploy failover clusters with multiple host bus
adapters by using multipath I/O software. This provides the highest level of redundancy and
availability. For Windows Server 2008 R2 and 2012, your multipath solution must be based on
Microsoft Multipath I/O (MPIO).

Software Requirements for Using Hyper-V and Failover Clustering
The following are the software requirements for using Hyper-V and failover clustering:

All the servers in a failover cluster must run the x64-based version of Windows Server 2012 Enterprise
or Datacenter Edition. The nodes in a single failover cluster cannot run different versions.

All the servers should have the same software updates and service packs.

All servers must be either a full installation or a Server Core installation. You cannot mix the full
installation and Server Core installation.

Network Infrastructure Requirements

The following network infrastructure is required for a failover cluster and an administrative account with
the following domain permissions:

Network settings and IP addresses. Use identical communication settings on all network adapters,
including the speed, duplex mode, flow control, and media type settings. Ensure that all network
hardware supports the same settings.

If you use private networks that are not routed to your whole network infrastructure for
communication between cluster nodes, ensure that each of these private networks uses a unique
subnet.

DNS. The servers in the cluster must use Domain Name System (DNS) for name resolution. You should
use the DNS dynamic update protocol.

Domain role. All servers in the cluster must be in the same Active Directory domain. As a best
practice, all clustered servers should have the same domain role (either member server or domain
controller). The recommended role is member server.

Account for administering the cluster. When you first create a cluster or add servers to it, you must be
logged on to the domain with an account that has administrator rights and permissions on all the
cluster's servers. Additionally, if the account is not a Domain Admins account, the account must have
the Create Computer Objects permission in the domain.

Implementing Hyper-V Virtual Machines on Failover Clusters

To implement failover clustering for Hyper-V, you must complete the following high-level steps:

1. Install and configure the required versions of Windows Server 2012. After you complete the
installation, configure the network settings, join the computers to an Active Directory domain, and
configure the connection to the shared storage.

2. Configure the shared storage. You must use Disk Manager to create disk partitions on the shared
storage.

3. Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in
MMC or Windows PowerShell for this.

4. Validate the cluster configuration. The Validate This Cluster Wizard checks all the prerequisite
components that are required to create a cluster, and provides warnings or errors if any components
do not meet the cluster requirements. Before you continue, resolve any issues that the Validate This
Cluster Wizard identifies.

5. Create the cluster. When the components pass the Validate This Cluster Wizard, you can create a
cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account
for the cluster name is created in the Active Directory domain and the IP address is registered in DNS.

Note: You can enable Clustered Shared Storage for the cluster only after you configure the
cluster. If you want to use Cluster Shared Volumes (CSV), you should configure CSV before you
move to the next step.

6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure
that all files associated with the virtual machine, including both the virtual hard disk and virtual
machine configuration files, are stored on the shared storage. You can create and manage virtual
machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine
by using Failover Cluster Manager, the virtual machine is automatically made highly available.

7. Make the virtual machine highly available. To make the virtual machine highly available, in the
Failover Cluster Manager, select to make a new service or application highly available. Failover Cluster
Manager then presents a list of services and applications that can be made highly available. When
you select the option to make virtual machines highly available, you can select the virtual machine
that you created on shared storage.

Note: When you make a virtual machine highly available, you see a list of all virtual
machines hosted on all cluster nodes, including virtual machines that are not stored on the
shared storage. If you make a virtual machine that is not located on shared storage highly
available, you receive a warning, but Hyper-V adds the virtual machine to the services and
applications list. However, when you try to migrate the virtual machine to a different host, the
migration will fail.

8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the
computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows
Server 2012, you can select to perform a Quick Migration or a Live Migration.
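The eight steps above, carried out with the Windows PowerShell cmdlets that step 3 mentions as an alternative to Server Manager. This is an added example, not script from the course; node names, cluster name, address, VM name and the CSV mount point are assumptions, and the script refuses to make a VM highly available when its files are not on a CSV, which is the warning case described in the note under step 7.

```powershell
# Added example, not part of the course material. Assumed names: cluster nodes HV1 and HV2,
# cluster HVCluster01 with static address 10.0.0.50, one shared LUN already presented to both
# nodes (so Get-ClusterAvailableDisk returns a single disk), and CSV mount point Volume1.
$nodes   = 'HV1', 'HV2'
$cluster = 'HVCluster01'
$vmName  = 'APP01'

# Step 3: install the Hyper-V role and the Failover Clustering feature on every host.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Hyper-V, Failover-Clustering -IncludeManagementTools -Restart
}

# Step 4: run the same checks as the Validate This Cluster Wizard. Test-Cluster returns the
# HTML report; resolve every error it lists before going on (warnings deserve a look too).
$report = Test-Cluster -Node $nodes
Write-Output "Validation report written to $($report.FullName); review it before creating the cluster."

# Step 5: create the cluster. This creates the cluster computer object in AD DS and registers
# the cluster name and address in DNS, so the account running this needs the permissions
# listed under Network Infrastructure Requirements.
New-Cluster -Name $cluster -Node $nodes -StaticAddress 10.0.0.50

# Note after step 5: bring the shared disk into the cluster and convert it to a CSV before any
# VM is made highly available (converting later removes the drive letter, see the CSV topic).
$disk = Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk
Add-ClusterSharedVolume -Cluster $cluster -Name $disk.Name

# Step 6: create the VM with both its configuration and its VHD under the CSV path, so every
# node can reach the files after a failover.
$csvPath = 'C:\ClusterStorage\Volume1'
New-VM -ComputerName 'HV1' -Name $vmName -MemoryStartupBytes 2GB `
       -Path "$csvPath\$vmName" -NewVHDPath "$csvPath\$vmName\$vmName.vhdx" -NewVHDSizeBytes 40GB

# Guard for the warning case in the note under step 7: a VM whose files are on local storage
# can be made highly available, but its migration will fail. Stop here instead.
$vm = Get-VM -ComputerName 'HV1' -Name $vmName
if ($vm.Path -notlike 'C:\ClusterStorage\*') {
    throw "$vmName is not stored on a Cluster Shared Volume; refusing to make it highly available."
}

# Step 7: make the VM highly available (what the High Availability Wizard does in the console).
Add-ClusterVirtualMachineRole -Cluster $cluster -VMName $vmName

# Step 8: test failover by live migrating the VM to the other node.
Move-ClusterVirtualMachineRole -Cluster $cluster -Name $vmName -Node 'HV2' -MigrationType Live
```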

Configuring Clustered Shared Volumes

You do not have to configure and use CSV when you implement high availability for virtual machines in
Hyper-V. You can cluster Hyper-V by using the regular approach. However, we recommend that you use
CSV because of the following advantages:

• Reduced LUNs for the disks. You can use CSV to reduce the number of LUNs that your virtual machines
require. When you configure a CSV, you can store multiple virtual machines on a single LUN and
multiple host computers can access the same LUN concurrently.

• Better use of disk space. Instead of placing each .vhd file on a separate disk with empty space so that
the .vhd file can expand, you can oversubscribe disk space by storing multiple .vhd files on the same
LUN.

• Virtual machine files are in a single logical location. You can track the paths of .vhd files and other
files that virtual machines use. Instead of using drive letters or Globally Unique Identifiers (GUIDs)
to identify disks, you can specify the path names. When you implement CSV, all added storage
appears in the \ClusterStorage folder. The \ClusterStorage folder is created on the cluster node's
system folder, and you cannot move it. This means that all Hyper-V hosts that are members of the
cluster must use the same drive letter as their system drive, or virtual machine failovers will fail.

• No specific hardware requirements. There are no specific hardware requirements to implement CSV.
You can implement CSV on any supported disk configuration, and on either fibre channel or iSCSI
SANs.

• Increased resiliency. CSV increases resiliency because the cluster can respond correctly even if
connectivity between one node and the SAN is interrupted, or part of a network is down. The cluster
reroutes the CSV traffic through an intact part of the SAN or network.


Implementing CSV

You can configure CSV only when you create a failover cluster that hosts highly available virtual machines.
After you create the failover cluster, you can enable CSV for the cluster, and then add storage to the CSV.
Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:

• The LUN's drive letter or mount point is removed when you convert from regular disk access to CSV.
This means that you must re-create all virtual machines that are stored on the shared storage. If you
must keep the same virtual machine settings, consider exporting the virtual machines, switching to
CSV, and then importing the virtual machines in Hyper-V.

• You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is using
a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.


Implementing Highly Available Virtual Machines on an SMB 3.0 File Share

In Windows Server 2012, it is possible to use one more technique to make virtual machines highly
available. Instead of using host or guest clustering, virtual machine files can now be stored on a
highly available SMB 3.0 file share. By using this approach, high availability is achieved not by
clustering Hyper-V nodes, but by file servers that host virtual machine files on their file shares. With
this new capability, Hyper-V can store all virtual machine files, including configuration, virtual hard
disk (VHD) files, and snapshots, on highly available SMB file shares.

To implement this technology, the following requirements must be met:

• One or more computers running Windows Server 2012 with the Hyper-V role installed.

• One or more computers running Windows Server 2012 with the File and Storage Services role
installed.

• A common Active Directory infrastructure. The servers running Active Directory Domain Services (AD
DS) do not need to run Windows Server 2012.

Before you implement virtual machines on an SMB file share, you should set up a file server cluster. To do
that, you should have at least two cluster nodes with File Services and Failover Clustering installed. In the
failover clustering console, you should create a scale-out file server cluster. After you configure the cluster,
you deploy the new SMB file share for applications. This share is used to store virtual machine files. When
the share is created, you can use the Hyper-V Manager console to deploy new virtual machines on the SMB
file share, or you can migrate existing VMs to the SMB file share by using the storage migration method.
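The scale-out file server, application share and VM placement described in the preceding paragraph, done in Windows PowerShell. This is an added example, not from the course; the cluster, server, host and group names are assumptions, and the permission handling (host computer accounts on both the share and the NTFS folder, nothing for anyone else) is the part the console wizard does for you and is easy to get wrong by hand.

```powershell
# Added example, not part of the course material. Assumed names: file server cluster FSCluster01
# (nodes FS1 and FS2, with a CSV at C:\ClusterStorage\Volume1), scale-out file server SOFS01,
# Hyper-V hosts HV1 and HV2 in the CONTOSO domain, and a group CONTOSO\Hyper-V Admins whose
# members create virtual machines. Run the first part on a node of the file server cluster.
$sofsName  = 'SOFS01'
$sharePath = 'C:\ClusterStorage\Volume1\Shares\VMs'
# Hyper-V accesses the share as the host's computer account, so those accounts need Full Control
# on both the share and the NTFS folder; the admins who create VMs need it as well.
$principals = 'CONTOSO\HV1$', 'CONTOSO\HV2$', 'CONTOSO\Hyper-V Admins'

# Create the Scale-Out File Server role on the existing file server cluster.
Add-ClusterScaleOutFileServerRole -Cluster 'FSCluster01' -Name $sofsName

# Create the application share, scoped to the SOFS name and continuously available so that
# SMB 3.0 transparent failover keeps open VHD handles alive when a file server node fails.
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'VMs' -Path $sharePath -ScopeName $sofsName `
             -FullAccess $principals -ContinuouslyAvailable $true

# Share permissions alone are not enough: grant matching NTFS permissions, inherited by
# subfolders and files, to the same principals only.
$acl = Get-Acl -Path $sharePath
foreach ($account in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Run the rest on a Hyper-V host. Deploy a new VM straight onto the share ...
$share = "\\$sofsName\VMs"
New-VM -Name 'WEB01' -MemoryStartupBytes 2GB -Path "$share\WEB01" `
       -NewVHDPath "$share\WEB01\WEB01.vhdx" -NewVHDSizeBytes 40GB

# ... or move an existing, running VM to the share with storage migration (no downtime).
Move-VMStorage -VMName 'APP02' -DestinationStoragePath "$share\APP02"
```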

Considerations for Implementing Hyper-V Clusters

By implementing host failover clustering, you can make virtual machines highly available. However,
implementing host failover clustering also adds significant cost and complexity to a Hyper-V
deployment. You must invest in additional server hardware to provide redundancy, and you should
implement or have access to a shared storage infrastructure.

Use the following recommendations to ensure that the failover clustering strategy meets the
organization's requirements:

• Identify the applications or services that require high availability. If you were to ask the people who
use the organization's applications, most of them would probably say that they want all applications
to be highly available. However, unless you have the option of making all virtual machines highly
available, you must develop priorities for which applications will be made highly available.

• Identify the components that must be highly available to make the applications highly available. In
some cases, the application might run on a single server, and making that server highly available is all
that you have to do. Other applications may require that several servers, and other components, such
as storage or the network, be highly available.

• Identify the application characteristics. You must understand several things about the application:

o Is virtualizing the server that is running the application an option? Some applications are not
supported or recommended in a virtual environment.

o What options are available for making the application highly available? You can make some
applications highly available through options other than host clustering. If other options are
available, evaluate the benefits and disadvantages of each option.

o What are the performance requirements for each application? Collect performance information
on the servers currently running the applications to gain an understanding of the hardware
requirements that are required when you virtualize the server.

• What capacity is required to make the Hyper-V virtual machines highly available? As soon as you
identify all the applications that must be highly available by using host clustering, you can start to
design the actual Hyper-V deployment. By identifying the performance requirements, and network
and storage requirements, for applications, you can define the hardware that you have to implement
all the applications in a highly available environment.

Live Migration is one of the most important aspects of Hyper-V clustering. When you implement Live
Migration, consider the following:

• Verify basic requirements. The basic requirements for Live Migration are that all hosts must be part of
a Windows Server 2008 R2 failover cluster, and host processors must be from the same manufacturer.
All hosts in the cluster must have access to shared storage.

• Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a failover. To optimize this configuration,
configure a network adapter for this network that has a capacity of one gigabit per second (Gbps) or
higher.

Note: You must enable the Client for Microsoft Networks and File and Printer Sharing for
Microsoft Networks components for the network adapter that you want to use for the private
network.

• Use similar host hardware. All failover cluster nodes must use the same hardware for connecting to
shared storage, and all cluster nodes must have processors from the same manufacturer. Whereas you
can enable failover for virtual machines on a host with different processor versions by configuring
processor compatibility settings, the failover experience and performance is more consistent if all
servers have very similar hardware.

• Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can keep the same IP address after Live Migration. Also, the IP
addresses assigned to the private network on all nodes must be on the same logical subnet, which
means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet
that spans a wide area network (WAN) connection.

• Manage Live Migrations. Each node in the failover cluster can perform only one Live Migration at a
time. If you try to start a second Live Migration before the first one finishes, the migration fails. If you
start additional Live Migrations from Virtual Machine Manager (VMM), it queues the Live Migration,
and retries it for 15 minutes. If the migration cannot be initiated in 15 minutes, the migration is
canceled.

Lesson 3

Implementing Hyper-V Virtual Machine Movement

Moving virtual machines from one location to another is a fairly common procedure in the administration
of Hyper-V environments. Most of the moving techniques in previous Windows Server versions required
downtime. Windows Server 2012 introduces new technologies to enable seamless virtual machine
movement. In this lesson, you will learn about virtual machine movement and migration options.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe migration options for virtual machines.

• Describe Storage Migration.

• Describe Live Migration.

• Describe and configure a Hyper-V replica.


Virtual Machine Migration Options

There are several scenarios where you would want to migrate a virtual machine from one location to
another. For example, you might want to move a virtual machine's virtual hard disk from one physical
drive to another on the same host. Another example is moving a virtual machine from one node in a
cluster to another, or just moving a computer from one host server to another host server without the
hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012
provides significant enhancements in addition to simplified procedures for this process.

In Windows Server 2012, you can perform migration of virtual machines by using these methods:

• Virtual machine and storage migration. With this method, you move a powered on virtual machine
from one location to another (or from one host to another) by using a wizard in Hyper-V Manager.
Virtual machine and storage migration do not require failover clustering or any other high availability
technology to work. Shared storage is not required when you move just the virtual machine.

• Quick Migration. This method is also available in Windows Server 2008. It requires failover clustering
to be installed and configured.

• Live Migration. This improvement over Quick Migration is also available in Windows Server 2008 R2.
It enables you to migrate a virtual machine from one host to another without downtime.

• Hyper-V replica. This new feature in Windows Server 2012 enables you to replicate a virtual machine
to another host, instead of moving the virtual machine, and to synchronize all virtual machine changes
from the primary host to the host that holds the replica.

• Exporting and importing virtual machine. This is an established method of moving virtual
machines without using a cluster. You export a virtual machine on one host, and then physically move
exported files to another host by performing an import operation. This is a very time-consuming
operation. It requires that a virtual machine is turned off during export and import. In Windows
Server 2012 this migration method is improved. You can import a virtual machine to a Hyper-V host
without exporting it before import. Windows Server 2012 Hyper-V is now capable of configuring all
the necessary settings during the import operation.


How Does Virtual Machine and Storage Migration Work?

There are many cases in which an administrator might want to move the virtual machine files to
another location. For example, if the disk where a virtual machine hard disk resides runs out of
space, you must move the virtual machine to another drive or volume. Also, moving a virtual
machine to another host is a very common procedure.

In earlier versions of Windows Server, such as Windows Server 2008 or Windows Server 2008 R2,
moving a virtual machine resulted in downtime because it had to be turned off. If you moved a
virtual machine between two hosts, then you also had to perform export and import operations for that
specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual
machine hard disks.

In Windows Server 2012, Virtual Machine and Storage Migration enables you to move a virtual machine
to another location on the same host or on another host computer without turning off the virtual
machine. Let's examine how storage migration actually works.

To copy a virtual hard disk, an administrator starts live storage migration by using the Hyper-V Manager
console or Windows PowerShell, and completes the wizard (or specifies parameters in Windows
PowerShell). A new virtual hard disk is created on the destination location and the copy process starts.
During the copy process, the virtual machine is fully functional. However, all changes that occur during
copying are written to both the source and destination location. Read operations are performed only
from the source location. As soon as the disk copy process is complete, Hyper-V switches the virtual
machine to run on the destination virtual hard disk. Also, if the virtual machine is moved to another host,
the computer configuration is copied and the virtual machine is associated with another host. If a failure
were to occur on the destination side, there is always a fail back option to run back again on the source
directory. After the virtual machine is successfully migrated and associated to a new location, the process
deletes the source VHDs.

The time that is required to move a virtual machine depends on the source and destination location, the
speed of hard disks or storage, and the size of the virtual hard disks. The moving process is speeded up if
source and destination locations are on storage, and the storage supports Offloaded Data Transfer (ODX).

When you move a virtual machine's VHDs to another location, a wizard presents three available options:

• Move all the virtual machine's data to a single location: You specify one single destination location
for all virtual machine items (disk file, configuration, snapshot, and smart paging).

• Move the virtual machine's data to different locations: You specify individual locations for each
virtual machine item.

• Move only the virtual machine's virtual hard disk: You move only the virtual hard disk file.


How Does Live Migration Work?

Live Migration enables you to move running virtual machines from one failover cluster node to another
node in the same cluster. With Live Migration, users who are connected to the virtual machine should
experience almost no server outage.

Note: Whereas you can also do live migration of a virtual machine by using the Virtual Machine
and Storage Migration described in the previous topic, you should be aware that Live Migration is
based on a different technology (failover clustering). Unlike the storage migration scenario, Live
Migration can be performed only if a virtual machine is highly available.

You can start a Live Migration through one of the following:

• The Failover Cluster Management console.

• The VMM Administrator console, if you use VMM to manage your physical hosts.

• A Windows Management Instrumentation (WMI) or Windows PowerShell script.

Note: Live Migration enables you to reduce the perceived outage of a virtual machine
significantly during a planned failover. During a planned failover, you start the failover manually.
Live Migration does not apply during an unplanned failover, such as when the node hosting the
virtual machine fails.

Live Migration Process

The Live Migration process consists of four steps:

1. Migration setup. When the administrator starts the failover of the virtual machine, the source node
creates a TCP connection with the target physical host. This connection is used to transfer the virtual
machine configuration data to the target physical host. Live Migration creates a temporary virtual
machine on the target physical host, and allocates memory to the destination virtual machine. The
migration preparation also checks to determine whether a virtual machine can be migrated.

2. Guest-memory transfer. The guest memory is transferred iteratively to the target host while the
virtual machine is still running on the source host. Hyper-V on the source physical host monitors the
pages in the working set. As the system modifies memory pages, it tracks and marks them as being
modified. During this phase of the migration, the migrating virtual machine continues to run. Hyper-V
iterates the memory copy process several times, and every time a smaller number of modified
pages are copied to the destination physical computer. A final memory copy process copies the
remaining modified memory pages to the destination physical host. Copying stops as soon as the
number of dirty pages drops below a threshold or after 10 iterations are complete.

3. State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source
partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to
the target host, and then restores the virtual machine on the target host. The virtual machine has to
be paused during the final state transfer.

4. Clean up. The cleanup stage finishes the migration by tearing down the virtual machine on the
source host, terminating the worker threads, and signaling the completion of the migration.


How Does Hyper-V Replica Work?

In some cases, you might want to have a spare copy of one virtual machine that you can run if the
original virtual machine fails. By implementing high availability, you have one instance of a virtual
machine. High availability does not prevent corruption of software running inside the VM. One way to
address the issue of corruption is to copy the VM. You can also back up the virtual machine and its
storage. Although this solution achieves the desired result, it is resource intensive and time consuming.

To resolve this problem, and to enable administrators to have an up-to-date copy of a single virtual
machine, Microsoft has implemented Hyper-V Replica technology in Windows Server 2012. This
technology enables virtual machines running at a primary site (can also be location or host) to be
efficiently replicated to a secondary site (location or host) across a WAN or LAN link. Hyper-V Replica
enables you to have two instances of a single virtual machine residing on different hosts, one as the
primary (live) copy and the other as a replica (offline) copy. These copies are synchronized, and you can
fail over at any time. In the event of a failure at a primary site (e.g. fire, natural disaster, power outage,
server failure etc.), an administrator can use Hyper-V Replica to execute a failover of production
workloads to replica servers at a secondary location within minutes, thus incurring minimal downtime.

The site configurations do not have to use the same server or storage hardware. Hyper-V Replica enables
an administrator to restore virtualized workloads to a point in time depending on the Recovery History
selections for the virtual machine.

Hyper-V Replica technology consists of several components:

• Replication Engine: This component is the core of Hyper-V Replica. It manages the replication
configuration details and handles initial replication, delta replication, failover, and test-failover
operations. It also tracks virtual machine and storage mobility events and takes appropriate actions as
needed (i.e. it pauses replication events until migration events complete and then resumes where they
left off).

• Change Tracking: This component tracks changes that are happening on the primary copy of the
virtual machine. It is designed to make the scenario work regardless of where the virtual machine VHD
file(s) resides.

• Network Module: The Networking Module provides a secure and efficient way to transfer virtual
machine replicas between the primary host and replica host. Data compression is enabled by default.
This communication is also secure as it relies on HTTPS and certificate-based authentication.

• Hyper-V Replica Broker role: This is a new role implemented in Windows Server 2012. It is
configured in Failover Clustering, and it enables you to have Hyper-V Replica functionality even
when the virtual machine being replicated is highly available and can move from one cluster node to
another. The Hyper-V Replica Broker redirects all virtual machine specific events to the appropriate
node in the replica cluster. The Broker queries the cluster database to determine which node should
handle which events. This ensures all events are redirected to the correct node in the cluster in the
event that a Quick Migration, Live Migration, or Storage Migration process was executed.


Configuring Hyper-V Replica

Before you implement Hyper-V Replica technology, ensure that these prerequisites are met:

• The server hardware supports the Hyper-V role on Windows Server 2012.

• Sufficient storage exists on both the primary and replica servers to host the files that are used by
replicated virtual machines.

• Network connectivity exists between the locations hosting the primary and replica servers. This can
be a WAN or LAN link.

• Firewall rules are correctly configured to enable replication between the Primary and Replica sites
(default traffic is going over TCP port 80 or 443).

• An X.509v3 certificate exists to support Mutual Authentication with certificates (if you want).

You do not have to install Hyper-V Replica separately because it is not a Windows Server role or feature.
Hyper-V Replica is implemented as part of the Hyper-V Role. It can be used on Hyper-V servers that are
stand-alone or servers that are part of a Failover Cluster (in which case, you should configure the Hyper-V
Replica Broker). Unlike failover clustering, the Hyper-V role is not dependent on Active Directory Domain
Services (AD DS). You can use it with Hyper-V servers that are stand-alone, or that are members of
different Active Directory domains (except in the case when servers are part of a failover cluster).

To enable Hyper-V Replica technology, you should first configure Hyper-V server settings. In the
Replication Configuration group of options, you should enable the Hyper-V server as a replica server, and
you should also select authentication and port options. You should also configure authorization options.
You can choose to enable replication from any server that successfully authenticates (which is convenient
in scenarios where all servers are part of the same domain), or you can type fully qualified domain names
(FQDNs) of servers that you accept as replica servers. Also, you must configure the location for replica
files. These settings should be configured on each server that will serve as a replica server.

After you configure options on the server level, you should enable replication on a virtual machine. During
this configuration, you must specify the replica server name, as well as options for the connection. You can
select which virtual hard disk drives you replicate (in case the virtual machine has more than one VHD), and
you can also configure Recovery History as well as the initial replication method. After you have configured
these options, you can start replication.
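The server-level and virtual-machine-level configuration described in the two paragraphs above, as an added Windows PowerShell example that is not from the course. It assumes a primary host and a replica server in different forests (so certificate authentication over HTTPS/443 is used, with the explicit FQDN authorization rather than "any authenticated server"), a VM named APP01, and certificate thumbprints that are shown as placeholders.

```powershell
# Added example, not part of the course material. Assumed names: primary host HV1
# (hv1.contoso.com), replica server REPLICA01 in another forest (replica01.fabrikam.com),
# VM APP01, and two certificate thumbprints shown as placeholders to replace with your own.
# Certificate authentication is chosen because the servers are not in the same domain; it also
# gives HTTPS on TCP 443 instead of Kerberos over HTTP on TCP 80.
$replicaThumb = 'REPLACE-WITH-REPLICA01-CERT-THUMBPRINT'
$primaryThumb = 'REPLACE-WITH-HV1-CERT-THUMBPRINT'

# ----- On REPLICA01: server-level Replication Configuration -----
# Enable the server as a replica server, certificate authentication only, port 443, and do NOT
# accept replication from any authenticated server: list the allowed primaries explicitly.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $replicaThumb -ReplicationAllowedFromAnyServer $false
# Authorization entry: which primary server may replicate here, and where its replica files go.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'hv1.contoso.com' `
    -ReplicaStorageLocation 'D:\Replicas' -TrustGroup 'ContosoPrimaries'
# The Hyper-V role ships a disabled inbound rule for the HTTPS listener; enable just that one,
# leaving the HTTP (port 80, Kerberos) listener closed.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# ----- On HV1: enable replication for the virtual machine -----
# Check connectivity and authentication first. A failure here points at the firewall, the port,
# or a certificate that does not chain to a root the other side trusts.
Test-VMReplicationConnection -ReplicaServerName 'replica01.fabrikam.com' -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $primaryThumb

# Replicate only the disks that matter (an assumed pagefile disk is excluded), keep four
# additional hourly recovery points for Recovery History, and leave compression on (the default).
Enable-VMReplication -VMName 'APP01' -ReplicaServerName 'replica01.fabrikam.com' `
    -ReplicaServerPort 443 -AuthenticationType Certificate -CertificateThumbprint $primaryThumb `
    -RecoveryHistory 4 -ExcludedVhdPath 'C:\VMs\APP01\APP01-pagefile.vhdx'
# Initial replication over the network; start it, then watch the state reach Replicating and
# check the health and last replication time.
Start-VMInitialReplication -VMName 'APP01'
Get-VMReplication -VMName 'APP01'
Measure-VMReplication -VMName 'APP01'
```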

Lesson 4

Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager

System Center Virtual Machine Manager 2012 is a part of the System Center 2012 family of products. It is
a successor of Virtual Machine Manager 2008 R2. Its main purpose is to extend management functionality
for Hyper-V hosts and virtual machines and to provide deployment and provisioning for virtual machines
and services. In this lesson, you will learn the basics of VMM.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe System Center VMM.

• Describe prerequisites for installing VMM.

• Describe private cloud infrastructure components.

• Describe how to manage hosts and host clusters with VMM.

• Describe how to manage virtual machines with VMM.

• Describe services and service templates.

• Describe physical to virtual and virtual to virtual migrations.

• Describe considerations for deploying a highly available VMM server.


What Is VMM?
VMM is a management solution for a virtualized data center. VMM enables you to create and deploy virtual machines and services to private clouds by configuring and managing your virtualization host, networking, and storage resources. VMM is a component of Microsoft System Center 2012 that discovers, captures, and aggregates knowledge of the virtualization infrastructure. VMM also manages policies, processes, and best practices with automations by discovering, capturing and aggregating knowledge of the virtualization infrastructure.

VMM succeeds VMM 2008 R2 and is a key component in enabling private cloud infrastructure, which helps transition enterprise IT from an infrastructure-focused deployment model into a service-oriented, user-centric environment.
VMM architecture consists of several interrelated components. These components are:

VMM server. The VMM server is the computer on which the VMM service runs. The VMM server processes commands and controls communications with the VMM database, the library server, and the virtual machine hosts. The VMM server is the hub of a VMM deployment through which all other VMM components interact and communicate. The VMM server also connects to a Microsoft SQL Server database (VMM database) that stores all VMM configuration information.


Database. VMM uses a SQL Server database to store the information that you view in the VMM management console, such as managed virtual machines, virtual machine hosts, virtual machine libraries, jobs, and other virtual machine-related data.

Management console. The management console is a program that you use to connect to a VMM management server, to view and manage physical and virtual resources, including virtual machine hosts, virtual machines, services, and library resources.

Library. A library is a catalog of resources (for example, virtual hard disks, templates, and profiles) that are used to deploy virtual machines and services. A library server also hosts shared folders that store file-based resources. The VMM management server is always the default library server, but you can add additional library servers later.

Command shell. Windows PowerShell is the command-line interface in which you execute cmdlets that perform all available VMM functions. You can use these VMM-specific cmdlets to manage all the actions in a VMM environment.

Self-Service Portal. The Self-Service Portal is a web site that users who are assigned to a self-service user role can use to deploy and manage their own virtual machines.

Prerequisites for Installing VMM
Before you deploy VMM and its components, you should be certain that your system meets the hardware and software requirements. While software requirements do not change based on the number of hosts that VMM manages, hardware prerequisites may vary. In addition, not all VMM components have the same hardware and software requirements. However, Windows Server 2008 R2 and Windows Server 2012 are the only supported operating systems for VMM 2012.

VMM Server

In addition to having Windows Server 2008 R2 or Windows Server 2012 installed, you have to ensure that the following software is installed on the server that will run the VMM server:

Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or later versions

Windows Automated Installation Kit (AIK)

Windows PowerShell 2.0 (if the VMM management console will run on the same server)

Windows Remote Management 2.0 (this is installed by default in Windows Server 2008 R2, so you should just verify that the service is running)

SQL Server 2008 SP2 (Standard or Enterprise) or SQL Server 2008 R2 SP1 Standard, Enterprise, or Datacenter. This is necessary only when you install the VMM management server and SQL Server on the same computer.

Hardware requirements vary, depending on the number of hosts, and have the following limits:

CPU: Single core CPU 2 gigahertz (GHz), Dual core CPU 2.8 GHz

Random access memory (RAM): 4-8 gigabytes (GB)


Disk space: 40 GB-150 GB (depending on whether a SQL Server database is installed on the same server. In addition, if the library is on the same server, then disk space will also depend on library content.)

VMM Database

The VMM database stores all VMM configuration information, which you can access and modify by using the VMM management console. The VMM database requires SQL Server 2008 SP2 or later. Because of this, the base hardware requirements for the VMM database are equal to the minimum system requirements for installing SQL Server. Additionally, if you are managing more than 150 hosts, you should have at least 4 GB of RAM on the database server. Software requirements for the VMM database are the same as for SQL Server.

VMM Library

The VMM library is the server that hosts resources for building virtual machines, services and business unit clouds. In smaller environments, you usually install the VMM library on the VMM Management Server. If this is the case, the hardware and software requirements are the same as for the VMM Management Server. In larger and more complex environments, we recommend that you have the VMM library on a separate server in a highly available configuration. If you want to deploy another VMM library server, the server should fulfill the following requirements:

Supported operating system: Windows Server 2008 or Windows Server 2008 R2

Hardware management: Windows Remote Management 2.0

CPU: at least 2.8 GHz

RAM: at least 2 GB

Hard disk space: varies based on the number and size of files that are stored

Private Cloud Infrastructure Components in VMM
The key architectural concept in VMM is private cloud infrastructure. Similar to public cloud solutions, such as in Windows Azure, private cloud infrastructure in VMM is an abstraction layer that shields the underlying technical complexities, and lets you manage defined resource pools of servers, networking, and storage in the enterprise infrastructure. This concept is presented explicitly in the VMM management console user interface. With VMM, you can create a private cloud from Hyper-V, VMware ESX, and Citrix XenServer hosts, and benefit from cloud computing attributes, including self-servicing, resource pooling, and elasticity.
You can configure the following resources from the VMM management console Fabric workspace:

Servers. In the Servers node, you can configure and manage several types of servers. Host groups contain virtualization hosts, which are the destinations where you can deploy virtual machines. Library servers are the repositories of building blocks, such as images, .iso files, and templates, for creating virtual machines.

Networking. In the VMM management console, the Networking node is where you can define logical networks, assign pools of static IPs and media access control (MAC) addresses, and integrate load balancers. Logical networks are user-defined groupings of IP subnets and virtual local area networks (VLANs) to organize and simplify network assignments. Logical networks provide an abstraction of the underlying physical infrastructure, and enable an administrator to provision and isolate network traffic based on selected criteria such as connectivity properties and service level agreements (SLAs).


Storage. Using the VMM 2012 admin console, an administrator can discover, classify, and provision remote storage on supported storage arrays. VMM 2012 uses the Microsoft Storage Management Service (which is enabled by default during the installation of VMM 2012) to communicate with external arrays.

Managing Hosts and Host Groups with VMM
In addition to virtual machine management, VMM can also manage and deploy Hyper-V hosts. In VMM you can use technologies such as Windows Deployment Services to deploy Hyper-V hosts on bare metal machines and then manage them with VMM. When hosts are associated with VMM, you can configure several options, such as host reserves, quotas, permissions, cloud membership, and so on. VMM can also manage Hyper-V failover clusters.

VMM provides two new features that help optimize power and resource usage on hosts managed by VMM: dynamic optimization and power optimization. Dynamic optimization balances the virtual machine load within a host cluster, while power optimization enables VMM to evacuate balanced cluster hosts, and then turn them off to save power.
The recommended way to organize hosts in VMM is to create host groups. This greatly simplifies management tasks. A host group enables you to apply settings to multiple hosts with a single action. By default, there is a single host group in VMM named All Hosts. However, if necessary, you can create additional groups for your environment.

Host groups are hierarchical. When you create a new child host group, it inherits the settings from the parent host group. When a child host group moves to a new parent host group, the child host group maintains its original settings except for Performance and Resource Optimization (PRO) settings, which are managed separately. When the settings in a parent host group change, you can apply those changes to child host groups.
You would use host groups in the following scenarios:

Providing basic organization when you are managing lots of hosts and virtual machines. You can create custom views within the Hosts view and Virtual Machines view to provide easy monitoring and access to a host. For example, you might create a host group for each branch office in your organization.

Reserving resources for use by hosts. Host reserves are useful when placing virtual machines on a host. Host reserves determine the CPU, memory, disk space, disk I/O capacity, and network capacity that are continuously available to the host operating system.

Use the Host group properties action for the root host group All Hosts to set default host reserves for all hosts that VMM manages. If you want to use more of the resources on some hosts instead of on other hosts, you can set host reserves differently for each host group.


Designating hosts on which users can create and operate their own virtual machines. When a VMM administrator adds self-service user roles, one part of role creation is to identify the hosts on which self-service users or groups in that role can create, operate, and manage their own virtual machines. We recommend that you designate a specific host group for this purpose.

Deploying Virtual Machines with VMM
One of the advantages of using a virtualized environment that is managed by VMM is the flexibility that it provides to create and deploy new virtual machines quickly. Using VMM, you can manually create a new virtual machine with new configuration settings and a new hard disk. You can then deploy the new virtual machine from one of the following sources:

An existing virtual hard disk (.vhd) file (blank or preconfigured)

A virtual machine template

A VMM library

You can create new virtual machines either by converting an existing physical computer, or by cloning an existing virtual machine.

Creating a New Virtual Machine from an Existing VHD

You can create a new virtual machine based on either a blank VHD, or on a preconfigured VHD that contains a guest operating system. VMM provides two blank VHD templates that you can use to create new disks:

Blank Disk Small

Blank Disk Large

You can also use a blank VHD when you want to use an operating system with a PXE. Or, you can place an ISO image on a virtual DVD-ROM, and then install an operating system from scratch. This is an effective way to build a virtual machine's source image, which you can then use as a future template. To install the operating system on such a virtual machine, you can use an ISO image file from the library or from a local disk, then map a physical drive from the host computer, or start the guest operating system setup through a network service boot.
If you have a library of VHDs that you want to use in your VMM environment, you can create a virtual machine from an existing VHD. You can also select existing VHDs when you deploy any operating system from which VMM cannot create a template, such as an operating system that is not Windows based.
When you create a new virtual machine using an existing VHD, you are basically creating a new virtual machine configuration that is associated with the VHD file. VMM will create a copy of the source VHD so that you do not have to move or modify the original.
In this scenario, the source VHD must meet the following requirements:

Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep) process.

Install the Virtual Machine Additions on the virtual machine.

Use Sysprep to prepare the operating system for duplication.

Deploying from a Template


This method creates a new virtual machine based on a template from the VMM library. The template is a library resource, which links to a virtual hard disk drive that has a generalized operating system, hardware settings, and guest operating system settings. You use the guest operating system settings to configure operating system settings such as computer name, local administrator password, and domain membership.
The deployment process does not modify the template, which you can reuse multiple times. If you are creating virtual machines in the Self-Service Portal, you must use a template.
The following requirements apply if you want to deploy a new virtual machine from a template:

You must install a supported operating system on the VHD.

You must leave the Administrator password blank on the VHD as part of the Sysprep process. However, you do not have to leave blank the Administrator password for the guest operating system profile.

For customized templates, you must prepare the operating system on the VHD by removing computer identity information. For Windows operating systems, you can prepare the VHD by using Sysprep.

Deploying from the VMM Library

If you deploy a virtual machine from the library, the virtual machine is removed from the library, and then placed on the selected host. When you use this method, you must provide the following details in the Deploy Virtual Machine wizard:

The host for deployment. The template that you use provides a list of potential hosts and their ratings.

The path of the virtual machine files on the host.

The virtual networks used for the virtual machine. You are presented with a list of existing virtual networks on the host.

What Are Services and Service Templates?
Services are a new concept in VMM. You must understand services fully before you deploy a private cloud infrastructure.

Traditional Services Scenario
When we think about services, we usually refer to an application or set of applications that provide some service to end-users. For example, we can deploy various types of web-based services, but we can also implement a service such as email. In a non-cloud computing scenario, deployment of any type of service usually requires users, developers, and administrators to work together through the phases of creating a service, deploying a service, testing the service, and maintaining the service.


A service frequently includes several computers that must work together to provide a service to end-users.
For example, a web-based service is usually an application that deploys on a web server, connects to a
database server (which can be hosted on another computer), and performs authentication on an Active
Directory domain controller. Enabling this application requires three roles, and possibly three computers:
a web server, a database server, and a domain controller. Deploying a test environment for a service such
as this can be time and resource consuming. Ideally, developers work with IT administrators to create an
environment where they can deploy and test their web application.

Concept of a Service in a Private Cloud Scenario

With the concept of a private cloud, how you deal with services can change significantly. You can prepare
the environment for a service, and then let developers deploy it by using a self-service application such as
App Controller.
In VMM, a service is a set of one or more virtual machines that you deploy and manage together as
a single entity. You configure these machines to run together to provide a service. In VMM in Windows
Server 2008, users were able to deploy new virtual machines by using Self Service Portal. In VMM,
end-users can deploy new services. By deploying a service, users are actually deploying the whole
infrastructure, including the virtual machines, network connections, and applications that are required
to make the service work.

However, you can use services to deploy only a single virtual machine without any specific purpose.
Instead of deploying virtual machines in the historic way, you can now create a service that will deploy
a virtual machine with, for example, Windows Server 2008 R2, and with several roles and features
preinstalled and joined to a domain. This simplifies the process of creating and later updating new virtual
machines.
Deploying a new service requires a high level of automation and predefined components, and requires
management software support. This is why VMM provides service templates. A service template is a
template that encapsulates everything required to deploy and run a new instance of an application.
Just as a private cloud user can create new virtual machines on demand, the user can also use service
templates to install and start new applications on demand.

Process for Deploying a New Service


Follow this procedure when you use service templates in VMM to deploy a new service/application:

1. The system administrator creates and configures service templates in VMM by using Service Template Designer.

2. The end-user application owner (for example, a developer who has to deploy the application environment) opens the App Controller console, and requests a new service deployment based on available service templates that he or she can access. The developer can deploy the service to a private cloud where the user has access. As an alternative to App Controller, the user can also use the VMM Manager console.

3. The request is submitted and evaluated by the VMM Server. VMM searches for available resources in the private cloud, then calculates the user quota and verifies that the cloud is capable of the requested service deployment.

4. While the service is created automatically, the virtual machines and applications (if any) are deployed on the host selected by VMM.

5. The user application owner gains control over the service virtual machines through the App Controller console, or by RDP.

6. If you need manual approval for resource creation, you can use Microsoft System Center 2012 Service Manager to create workflows for this purpose.

Information Included in the Service Template

The service template includes information about the virtual machines that are deployed as part of the service, which applications to install on the virtual machines, and the networking configuration needed for the service (including the use of a load balancer). The service template can use existing virtual machine templates. You can define the service without using any existing virtual machine templates. However, it is much easier to build a template if you have already created virtual machine templates. After you create the service template, you configure it for deployment using the Configure Deployment option.

Physical to Virtual and Virtual to Virtual Migrations
Many organizations have physical servers that they do not use fully. VMM can convert existing physical computers into virtual machines through a process known as physical-to-virtual (P2V) conversion. VMM simplifies P2V by providing a task-based wizard to automate much of the conversion process. Because the P2V process is scriptable, you can start large-scale P2V conversions through the Windows PowerShell (Powershell.exe) command line.
VMM converts an operating system that is running on physical hardware to an operating system that is running in a virtual machine in a Hyper-V environment. VMM provides a conversion wizard, which automates much of the conversion process.

During a P2V conversion process, VMM makes disk images of the hard disks on the physical computer. It creates VHD files for the new virtual machine, using the disk images as a basis. Also, it creates a hardware configuration for the virtual machine similar to, or the same as, the hardware in the physical computer. The new virtual machine has the same computer identity as the physical computer on which it is based. Because of that, we do not recommend that you use both a physical computer and its virtual replica concurrently. After the P2V conversion is finished, you typically disconnect the physical computer from the network and decommission it.
P2V conversion is finished in Online or Offline mode. In Online mode, the source operating system is running during the conversion process. In Offline mode, the operating system is not running, and conversion occurs through the Windows Preinstallation Environment (Windows PE). Later topics in this lesson describe these modes and their specifics.

In addition to converting underused physical computers, VMM supports the management, migration and conversion of other virtual machines that you create in a VMware environment. You can convert these virtual machines to Hyper-V virtual machines, place them on Hyper-V hosts, and then manage them under the VMM Administrator Console. Also, VMM and Hyper-V support migrating virtual machines from one host to another with minimal or zero downtime.
VMM 2012 allows you to convert existing VMware virtual machines to virtual machines running on the Hyper-V platform. This process is known as a V2V conversion. With V2V conversion, administrators can easily and quickly consolidate a virtual environment that is running various virtual platforms without rebuilding virtual machines from scratch or moving data.


VMM allows you to copy existing VMware virtual machines and create Hyper-V virtual machines. You can copy VMware virtual machines that are on an ESX Server host, in the VMM library, or on a Windows share. Although V2V is called a conversion, V2V is a read-only operation that does not delete or affect the original source virtual machine. Also, the term conversion is dedicated only to the process of converting VMware virtual machines. The term migration is used for Virtual Server machines.

During the conversion process, VMM converts the VMware .vmdk files to .vhd files, and makes the operating system on the virtual machine compatible with Microsoft virtualization technologies. The virtual machine that the wizard creates matches the VMware virtual machine properties, including name, description, memory, and disk-to-bus assignment.

Considerations for Deploying a Highly Available VMM Server
VMM now supports a highly available VMM Server. You can use failover clustering to achieve high availability for VMM, because VMM is now a cluster-aware application. However, you should consider several things before you deploy a VMM cluster.
Before you begin the installation of a highly available VMM management server, ensure the following:

You have installed and configured a failover cluster that is running Windows Server 2008 R2, Windows Server 2008 R2 SP1, or Windows Server 2012.

All computers on which you install the highly available VMM management server meet the minimum hardware requirements, and all prerequisite software is installed on all computers.

You have created a domain account to be used by the VMM service. You must use a domain user account for a highly available VMM management server.

You are prepared to use distributed key management to store encryption keys in AD DS. You must use distributed key management for a highly available VMM management server.

You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008 R2, VMM will not automatically install a SQL Server Express edition.

Highly Available Databases and Library Servers

To achieve full redundancy, we recommend that you use a highly available SQL Server. You should install a highly available SQL Server on a separate failover cluster from the failover cluster on which you are installing the highly available VMM management server. Similarly, we also recommend that you use a highly available file server for hosting your library shares.

Self Service Portal and Clustered VMM Server

For best practices, do not install the VMM Self-Service Portal on the same computer as the highly available VMM management server. If your VMM Self-Service Portal currently resides on the same computer as the VMM server, we recommend that you uninstall the VMM Self-Service Portal for VMM 2008 R2 SP1 before upgrading to VMM. We also recommend that you install the VMM Self-Service Portal on a highly available web server to achieve redundancy and load balancing.
Failover Cluster Manager


You cannot perform a planned failover (for example, to install a security update or do maintenance on a
cluster node) by using the VMM console. Instead, to perform a planned failover, use the Failover Cluster
Manager console.

During a planned failover, ensure that there are no tasks actively running on the VMM management
server. Any tasks that are executing during a failover will be stopped and will not restart automatically.
Any connections to a highly available VMM management server from the VMM console or the VMM
Self-Service Portal will also be lost during a failover. However, the VMM console can reconnect automatically
to the highly available VMM management server after a failover if it was opened before you performed
the failover to another VMM server.

Lab: Implementing Failover Clustering with Hyper-V

Scenario

The initial deployment of virtual machines on Hyper-V is very successful for A. Datum. As a next step in
the deployment, A. Datum is now considering ways to ensure that the services and applications deployed
on the virtual machines are highly available. As part of the implementation of high availability for most
network services and applications, A. Datum is also considering options for making the virtual machines
that run on Hyper-V highly available.

As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with
failover clustering in order to ensure that the virtual machines deployed on Hyper-V are highly available.
You are responsible for planning the virtual machine and storage configuration, and for implementing the
virtual machines as highly available services on the Failover Cluster. Also, you are considering some other
techniques for virtual machines high availability such as Hyper-V replica.

Lab Setup
Estimated time: 75 minutes

Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd

This lab should be performed with a partner. To perform this lab, you must boot the host computers
to Windows Server 2012. The host computers should be in this state from the previous lab in Module 8.
Make sure that you and your partner have booted into different hosts (one should boot to LON-Host1
and the other should boot to LON-Host2). Also, make sure that LON-DC1 is imported on LON-Host1 and
LON-SVR1 is imported on LON-Host2, and that these VMs are started.

Exercise 1: Configuring Hyper-V Replicas

Scenario

Before you start with cluster deployment, you decided to evaluate the new technology in Hyper-V 3.0 for
replicating virtual machines between hosts. You want to be able to manually mount a copy of a virtual
machine on another host if the active copy (or host) fails.
The main tasks for this exercise are as follows:

1. Import the LON-CORE virtual machine on LON-HOST1.

2. Configure a replica on both host machines.

3. Configure replication for the LON-CORE virtual machine.

4. Validate a planned failover to the replica site.

Task 1: Import LON-CORE virtual machine on LON-HOST1

On LON-HOST1, open Hyper-V Manager and import the 20417A-LON-CORE virtual machine.

o Use path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE

o Accept default values.

Note: The drive letter may be different based upon the number of drives on the physical
host machine.

Task 2: Configure a replica on both host machines

1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V replica server.

o Use Kerberos (HTTP) for authentication.

o Enable replication from any authenticated server.

o Create and use folder E:\VMReplica as the default location to store replica files.

2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.

X Task 3: Configure replication for LON-CORE virtual machine

1. On LON-HOST1, enable replication for the 20417A-LON-CORE virtual machine:
   o Use Kerberos (HTTP).
   o Select to have only the latest recovery point available.
   o Start replication immediately.
2. Wait for the initial replication to finish and make sure that the 20417A-LON-CORE VM appears in
the Hyper-V Manager console on LON-HOST2.

X Task 4: Validate a planned failover to the replica site

1. On LON-HOST2, view the replication health for 20417A-LON-CORE.
2. On LON-HOST1, perform a planned failover to LON-HOST2. Verify that 20417A-LON-CORE is running
on LON-HOST2.
3. On LON-HOST1, remove replication for 20417A-LON-CORE.
4. On LON-HOST2, shut down 20417A-LON-CORE.

Results: After completing this exercise, you will have Hyper-V Replica configured.
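The same configuration as Windows PowerShell, added here as an example (it is not part of the original lab). It assumes the host and VM names from the lab, that the commands run as Adatum\Administrator on LON-HOST1 with PowerShell remoting enabled on both hosts, and that the FQDN LON-HOST1.adatum.com and the trust group name Adatum used for the authorization entry are illustrative choices. It also shows the tighter alternative to "any authenticated server", which the lab steps do not use.

```powershell
# Added example, not from the original course. Assumes: run as Adatum\Administrator on LON-HOST1,
# PowerShell remoting to LON-HOST2, Hyper-V module present on both hosts (Windows Server 2012).
$primary = 'LON-HOST1'
$replica = 'LON-HOST2'
$vmName  = '20417A-LON-CORE'

# Task 2: make both hosts Replica servers over Kerberos (HTTP, TCP 80) and open the listener.
# Kerberos/HTTP authenticates the peer but does NOT encrypt the stream; use
# -AllowedAuthenticationType Certificate (HTTPS, TCP 443) across untrusted networks.
Invoke-Command -ComputerName $primary, $replica -ScriptBlock {
    New-Item -Path 'E:\VMReplica' -ItemType Directory -Force | Out-Null
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $true `
        -DefaultStorageLocation 'E:\VMReplica'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# Tighter alternative on the replica side: accept replicas only from the named primary
# (with "any server", every domain-joined Hyper-V host could push VMs onto this server).
# FQDN and trust group name are illustrative assumptions.
Invoke-Command -ComputerName $replica -ScriptBlock {
    Set-VMReplicationServer -ReplicationAllowedFromAnyServer $false
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.adatum.com' `
        -ReplicaStorageLocation 'E:\VMReplica' -TrustGroup 'Adatum'
}

# Task 3: enable replication, keep only the latest recovery point (-RecoveryHistory 0), start now.
Enable-VMReplication -VMName $vmName -ReplicaServerName $replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName $vmName

# Wait for the initial copy to finish, then confirm the VM is registered on the replica host.
do {
    Start-Sleep -Seconds 15
    $state = (Get-VMReplication -VMName $vmName).State
} until ($state -eq 'Replicating')
Get-VM -ComputerName $replica -Name $vmName | Format-Table Name, State, ReplicationMode

# Task 4: health on the replica, then a planned failover (primary VM must be off first).
Measure-VMReplication -ComputerName $replica -VMName $vmName
Stop-VM -Name $vmName
Start-VMFailover -VMName $vmName -Prepare                    # primary: send the final delta
Start-VMFailover -ComputerName $replica -VMName $vmName      # replica: bring the copy up
Complete-VMFailover -ComputerName $replica -VMName $vmName
Start-VM -ComputerName $replica -Name $vmName

# Clean up as the lab does: remove the relationship on the primary, shut the VM down on the replica.
Remove-VMReplication -VMName $vmName
Stop-VM -ComputerName $replica -Name $vmName
```

Set-VMReplication -Reverse on the replica, instead of Remove-VMReplication, would turn LON-HOST2 into the new primary and keep replicating back to LON-HOST1; the lab removes the relationship because the VHD is reused in Exercise 3.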

Exercise 2: Configuring a Failover Cluster for Hyper-V

Scenario
A. Datum has several virtual machines that are hosting important services that must be highly available.
Because these services are not cluster-aware, A. Datum decided to implement a failover cluster at the
Hyper-V host level. You plan to use iSCSI drives as storage for these virtual machines.
The main tasks for this exercise are as follows:
1. Connect to the iSCSI target from both host machines.
2. Configure failover clustering on both host machines.
3. Configure disks for the failover cluster.

X Task 1: Connect to iSCSI target from both host machines

1. On LON-HOST1, start the iSCSI Initiator.
2. Use the 172.16.0.21 address to discover and connect to the iSCSI target.
3. On LON-HOST2, start the iSCSI Initiator.
4. Use the 172.16.0.21 address to discover and connect to the iSCSI target.
5. On LON-HOST2, open Disk Management, and initialize and bring online all iSCSI drives.
6. Format the drives:
   o Format the first drive and name it ClusterDisk.
   o Format the second drive and name it ClusterVMs.
   o Format the third drive and name it Quorum.
7. On LON-HOST1, open Disk Management and bring online all three iSCSI drives.

X Task 2: Configure failover clustering on both host machines

1. On LON-HOST1 and LON-HOST2, install the Failover Clustering feature.
2. On LON-HOST1, create a failover cluster:
   o Add LON-HOST1 and LON-HOST2.
   o Name it VMCluster.
   o Assign the 172.16.0.126 address.
   o Deselect the option Add all eligible storage to the cluster.

X Task 3: Configure disks for failover cluster

1. In Failover Cluster Manager on LON-HOST1, add all three iSCSI disks to the cluster.
2. Verify that all three iSCSI disks appear as available cluster storage.
3. Add the disk with the volume name ClusterVMs to Cluster Shared Volumes.
4. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster
Quorum Settings to use the typical settings.
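The three tasks of this exercise as Windows PowerShell, added here as an example (it is not part of the original lab). It assumes the host names, target address, volume labels and cluster address from the lab, that the commands run as Adatum\Administrator on LON-HOST1 with PowerShell remoting to LON-HOST2, and that the target exposes exactly three LUNs. It also runs Test-Cluster, which the lab steps skip; Microsoft supports only clusters that pass validation, so read the report before New-Cluster.

```powershell
# Added example, not from the original course. Assumes: run as Adatum\Administrator on LON-HOST1,
# PowerShell remoting to LON-HOST2, iSCSI target 172.16.0.21 exposing three LUNs, and the
# labels, names and addresses used in the lab.
$nodes  = 'LON-HOST1', 'LON-HOST2'
$portal = '172.16.0.21'
$labels = 'ClusterDisk', 'ClusterVMs', 'Quorum'

# Task 1: discover the portal and connect persistently on both hosts.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
}

# Initialize and format the LUNs from ONE node only (LON-HOST2, as in the lab); formatting a
# shared disk from both nodes corrupts it.
Invoke-Command -ComputerName 'LON-HOST2' -ScriptBlock {
    $lbl = $using:labels
    $raw = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
           Sort-Object Number
    for ($i = 0; $i -lt $raw.Count; $i++) {
        Set-Disk -Number $raw[$i].Number -IsOffline $false
        Set-Disk -Number $raw[$i].Number -IsReadOnly $false
        Initialize-Disk -Number $raw[$i].Number -PartitionStyle GPT -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $lbl[$i] -Confirm:$false | Out-Null
    }
}

# On LON-HOST1 only bring the disks online, and record label -> GPT disk GUID while the volumes
# are still readable here (after clustering, disks owned by the other node are reserved).
Get-Disk | Where-Object BusType -eq 'iSCSI' | Set-Disk -IsOffline $false
$labelByGuid = @{}
Get-Disk | Where-Object BusType -eq 'iSCSI' | ForEach-Object {
    $vol = $_ | Get-Partition | Get-Volume -ErrorAction SilentlyContinue | Where-Object FileSystemLabel
    $labelByGuid[$_.Guid] = $vol.FileSystemLabel
}

# Task 2: feature, validation, then the cluster without auto-added storage.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}
Import-Module FailoverClusters
Test-Cluster -Node $nodes          # read the HTML report before continuing
New-Cluster -Name 'VMCluster' -Node $nodes -StaticAddress '172.16.0.126' -NoStorage

# Task 3: add the disks, then choose the CSV and witness by volume label rather than by the
# "Cluster Disk N" numbering, which follows discovery order and is not guaranteed.
Get-ClusterAvailableDisk | Add-ClusterDisk | Out-Null
$resourceByLabel = @{}
Get-ClusterResource | Where-Object ResourceType -eq 'Physical Disk' | ForEach-Object {
    $guid = ($_ | Get-ClusterParameter -Name DiskIdGuid).Value
    $resourceByLabel[$labelByGuid[$guid]] = $_.Name
}
Add-ClusterSharedVolume -Name $resourceByLabel['ClusterVMs'] | Out-Null
Set-ClusterQuorum -NodeAndDiskMajority $resourceByLabel['Quorum'] | Out-Null
Get-ClusterSharedVolume | Format-Table Name, State, OwnerNode
Get-ClusterQuorum | Format-List QuorumResource, QuorumType
```

The label-to-resource mapping replaces the wizard's "typical settings" choice with an explicit witness; if the GUID lookup returns nothing on your build, compare Get-Disk's Guid output against the DiskIdGuid cluster parameter before trusting the names.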

Exercise 3: Configuring a Highly Available Virtual Machine

Scenario
After you have configured the Hyper-V failover cluster, you want to add virtual machines as highly
available resources. Also, you want to evaluate Live Migration and test storage migration.
The main tasks for this exercise are as follows:
1. Move the virtual machine storage to the iSCSI target.
2. Configure the virtual machine as highly available.
3. Perform a Live Migration for the virtual machine.
4. Perform a storage migration for the virtual machine.
5. Prepare for the next module.

X Task 1: Move Virtual Machine Storage to iSCSI Target

1. Make sure that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk
to LON-HOST1.
2. On LON-HOST1, open Windows Explorer and browse to E:\Program Files\Microsoft Learning
\20417\Drives\20417A-LON-CORE\Virtual Hard Disks, and move the 20417A-LON-CORE.vhd
virtual hard disk file to the C:\ClusterStorage\Volume1 location.

X Task 2: Configure the Virtual Machine as Highly Available

1. In Failover Cluster Manager, click the Roles node, and then start the New Virtual Machine Wizard:
   o Select LON-HOST2 as the cluster node.
   o Name the computer TestClusterVM.
   o Store the file at C:\ClusterStorage\Volume1.
   o Assign 1536 MB of RAM to TestClusterVM.
   o Connect the machine to the existing virtual hard disk 20417A-LON-CORE.vhd located at
     C:\ClusterStorage\Volume1.
2. From the Roles node, start the virtual machine.

X Task 3: Perform a Live Migration for the Virtual Machine

1. On LON-HOST2, in Failover Cluster Manager, start a Live Migration of TestClusterVM from
LON-HOST2 to LON-HOST1.
2. Connect to TestClusterVM and make sure that you can operate it.

X Task 4: Perform a Storage Migration for the Virtual Machine

1. On LON-HOST1, open Hyper-V Manager and start LON-GUEST1.
2. Perform a Move operation on LON-GUEST1. Move the VM from its current location to C:\GUEST1.
3. Check whether the machine remains operational during the move process.
4. When complete, shut down all running virtual machines.
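The four tasks of this exercise as Windows PowerShell, added here as an example (it is not part of the original lab). It assumes the names and paths used in the lab, that the cluster and the CSV from Exercise 2 exist, that LON-GUEST1 is a non-clustered VM already registered on LON-HOST1, and that the commands run as Adatum\Administrator on LON-HOST1.

```powershell
# Added example, not from the original course. Assumes: VMCluster with CSV C:\ClusterStorage\Volume1
# from Exercise 2, the VHD and VM names from the lab, LON-GUEST1 registered on LON-HOST1,
# run as Adatum\Administrator on LON-HOST1.
Import-Module FailoverClusters
$vhdSource = 'E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE\Virtual Hard Disks\20417A-LON-CORE.vhd'
$csvPath   = 'C:\ClusterStorage\Volume1'

# Task 1: make LON-HOST1 the CSV coordinator as the lab does, then move the VHD onto cluster storage.
Get-ClusterSharedVolume | Move-ClusterSharedVolume -Node 'LON-HOST1' | Out-Null
Move-Item -Path $vhdSource -Destination $csvPath

# Task 2: create the VM on LON-HOST2 with its configuration on the CSV, attach the existing VHD,
# register it as a clustered role and start it.
New-VM -ComputerName 'LON-HOST2' -Name 'TestClusterVM' -MemoryStartupBytes 1536MB `
       -Path $csvPath -VHDPath (Join-Path $csvPath '20417A-LON-CORE.vhd') | Out-Null
Add-ClusterVirtualMachineRole -VMName 'TestClusterVM' -Cluster 'VMCluster' | Out-Null
Start-ClusterGroup -Name 'TestClusterVM' | Out-Null

# Task 3: live migration to LON-HOST1; the role stays Online and only OwnerNode changes.
Move-ClusterVirtualMachineRole -Name 'TestClusterVM' -Node 'LON-HOST1' -MigrationType Live | Out-Null
Get-ClusterGroup -Name 'TestClusterVM' | Format-Table Name, OwnerNode, State

# Task 4: storage migration of a running, non-clustered VM. The VM keeps running while its files
# move; Get-VM afterwards shows the new Path and the unchanged Running state.
Start-VM -Name 'LON-GUEST1'
Move-VMStorage -VMName 'LON-GUEST1' -DestinationStoragePath 'C:\GUEST1'
Get-VM -Name 'LON-GUEST1' | Format-Table Name, State, Path

# Shut down every running VM on this host, as the lab's last step requires.
Get-VM | Where-Object State -eq 'Running' | Stop-VM
```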

X To prepare for Next Module

Restart both host machines, and select to boot to Windows Server 2008 R2. Log on to the host
machines as directed by your instructor.

Module Review and Takeaways

Best Practices

• Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To make sure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSV volumes.

• Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is not accessible
from every node in the cluster.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip

• Virtual machine failover fails after I implement CSV and migrate the shared storage to CSV.

• A virtual machine fails over to another node in the host cluster, but loses all network connectivity.

• Four hours after restarting a Hyper-V host that is a member of a host cluster, there are still no
virtual machines running on the host.

Review Question
Do you have to implement CSV in order to provide high availability for virtual machines in VMM in
Windows Server 2008 R2?

Module 10
Implementing Dynamic Access Control
Contents:
Module Overview 10-1
Lesson 1: Overview of Dynamic Access Control 10-2
Lesson 2: Planning for a Dynamic Access Control Implementation 10-8
Lesson 3: Implementing and Configuring Dynamic Access Control 10-13
Lab: Implementing Dynamic Access Control 10-22
Module Review and Takeaways 10-31

Module Overview

Windows Server 2012 introduces Dynamic Access Control for enhancing access control for file- and
folder-based resources. Dynamic Access Control extends regular New Technology File System (NTFS) based
access control by enabling administrators to use claims, resource properties, rules, and conditional
expressions to manage access. In this module, you will learn about Dynamic Access Control and how to
plan for and implement it.

Objectives
After completing this module, you will be able to:

Describe Dynamic Access Control and its components.

Plan for Dynamic Access Control implementation.

Configure Dynamic Access Control.

Lesson 1
Overview of Dynamic Access Control

Dynamic Access Control is a new technology for access management in Windows Server 2012. It offers a
new way of controlling access to resources. Before you implement this technology, you should learn how
it works and which components it uses. This lesson presents an overview of Dynamic Access Control.

Lesson Objectives
After completing this lesson, you will be able to:

• Define Dynamic Access Control.

• Describe the foundation technologies for Dynamic Access Control.

• Compare Dynamic Access Control with alternative or similar technologies, such as NTFS permissions
and Active Directory Rights Management Services (AD RMS).

• Define identity.

• Define claim and claim types.

• Define Central Access Policy.

What Is Dynamic Access Control?
Because most of the data in an organization is stored on file servers, IT administrators must help
provide security and access control to file server resources. In previous versions of Windows Server,
most access control to file server resources was controlled by using NTFS permissions and access
control lists.

Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file-system
resources. It enables administrators to define central file-access policies that can apply to every
file server in the organization. Dynamic Access Control helps implement security over file servers, in
addition to any existing share and NTFS permissions. Dynamic Access Control ensures that regardless of
how the share and NTFS permissions might change, this central policy is still enforced alongside them.
What Dynamic Access Control does is combine multiple criteria into the access decision. This is
something that NTFS permissions cannot achieve.
Dynamic Access Control provides:

• Data identification. You can use automatic and manual classification of files to tag data in file
servers across the organization.

• Access control to files. Central access policies enable organizations to define, for example, who
can access health information within the organization.

• Auditing of access to files. Central audit policies for compliance reporting and forensic analysis.
For example, you can identify who accessed highly sensitive information.

• Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for
sensitive Microsoft Office documents. For example, you can configure RMS to encrypt all documents
containing Health Insurance Portability and Accountability Act (HIPAA) information.

Dynamic Access Control focuses on four main end-to-end scenarios:

• Central access policy for access to files. Enable organizations to set safety net policies that
reflect the business and regulatory compliance.

• Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance
reporting and forensic analysis.

• Protecting sensitive information. Identify and protect sensitive information both in a Windows
Server 2012 environment and when it leaves the Windows Server 2012 environment.

• Access denied remediation. Improve the access denied experience to reduce the helpdesk load and
incident time for troubleshooting.

Dynamic Access Control provides a flexible way to apply and manage access and auditing to domain-based
file servers. Dynamic Access Control uses claims in the authentication token, resource properties on
the resource, and conditional expressions within permission and auditing entries. With this combination
of features, you can now grant access to files and folders based on Active Directory attributes.

Foundation Technologies for Dynamic Access Control
Dynamic Access Control combines many Windows Server 2012 technologies to provide a robust, flexible,
and granular authorization and auditing experience. Dynamic Access Control uses these fundamental
technologies:

• Network protocols, such as TCP/IP, Remote Procedure Call (RPC), Server Message Block (SMB), and
Lightweight Directory Access Protocol (LDAP). For network communications between hosts, interaction
with the file system, and directory lookups, respectively.

• Domain Name System (DNS). For host name resolution.

• Active Directory Domain Services (AD DS) and its dependent technologies. For enterprise network
management.

• The Microsoft Kerberos v5 implementation, including Flexible Authentication Secure Tunneling (FAST,
also called Kerberos armoring) and compound identity. For secure authentication.

• Windows Security (local security authority [LSA], Netlogon). For secure logon transactions.

• File Classifications. For file categorization.

• Auditing. For secure monitoring and accountability.

Several components and technologies were updated in Windows Server 2012 to support Dynamic Access
Control. The most important updates are:

• A new Windows authorization and audit engine that can process conditional expressions and central
policies.

• Kerberos authentication support for user claims and device claims.

• Improved File Classification Infrastructure.

• Optional Rights Management Services (RMS) extensibility support so that partners can provide
solutions that encrypt non-Office files.

Dynamic Access Control Versus Alternative Technologies
Dynamic Access Control is a new technology for controlling access to file-based resources. It does
not overlap with older, well-known technologies with a similar purpose. Instead, Dynamic Access
Control extends the functionality of older technologies for controlling file-based resource access.
In previous versions of Windows Server, the basic mechanism for file and folder access control was
NTFS permissions. By using NTFS permissions and their Access Control Lists (ACLs), administrators
can control access to resources, based on user name or group membership, and the level of access,
such as Read-only, Change, Full Control, and so on. However, once you provide someone with, for
example, Read-only access to a document, you cannot prevent that person from copying the content of
that document into a new document or printing the document. By implementing AD RMS, you can
establish an additional level of control. Unlike NTFS permissions, which are not application aware,
AD RMS sets a policy that can control document access inside the application that is being used to
open it. By implementing AD RMS, you enable users to additionally protect documents within
applications.

However, you cannot set conditional access to files by using NTFS and AD RMS. For example, you cannot
set NTFS permissions in a way that users can access a document only if they are a member of some
specific group and have the attribute EmployeeType set to FTE. Or, you might want to set permissions
so that only users that have a department attribute populated with the same value as the department
attribute of the resource can access the content. You can accomplish this by using conditional
expressions. For these scenarios, in Windows Server 2012, you can use Dynamic Access Control. In
simple terms, Dynamic Access Control enables you to take attribute values on user or resource objects
into account when granting or denying access.

What Is an Identity?
We usually define identity as a set of data that uniquely describes a person or a thing (sometimes
referred to as a subject or entity) and contains information about the subject's relationships to
other entities. Identity is usually proved by using some trusted source of information. For example,
when you go to the airport, you show your passport. Your passport contains your name, address, date
of birth, and photograph. Each item of personal information is a claim that is made about you by the
country issuing your passport. Your country ensures the information published in a passport is
accurate for the passport owner. Since you usually use the passport outside of your country of
residence, other countries must also trust the information in your passport. They must trust the
organization that issued your passport and consider it reliable. Based on that trust, other countries
grant you access to their territory (which can be considered as a resource).
In other words, to access resources in other countries, each person is required to have a document
(passport) that is issued by a reliable and trusted source and that contains some critical claims that
describe the person.

The Windows operating system uses a similar concept of identity. An administrator creates a user
account for a person in AD DS. The domain controller publishes user account information, such as a
security identifier, and group membership attributes. Windows creates an authorization token when a
user accesses a resource.

To continue the analogy, you are the user. The authorization token is the passport. Each unique piece
of information in the authorization token is a claim made about your user account. Domain controllers
publish these claims. Domain-joined computers and domain users trust domain controllers to provide
authoritative information.

We can then say that identity, with respect to authentication and authorization, is simply information
published about an entity from a trusted source. The information is considered authoritative because the
source is trusted.

Earlier versions of Windows Server used the security identifier (SID) to represent the identity of a user
or computer. Users authenticate to the domain with a specific user name and password. The unique logon
name translates into the SID. The domain controller validates the password and publishes the SID of the
security principal and the SIDs of all the groups of which the principal is a member. The domain controller
"claims" the user's SID is valid and should be used as the identity of the user. All domain members trust
the domain controller; therefore, the response is treated as authoritative.

Identity is not limited to the user's SID. Applications can use any information about the user as a form
of identity, provided that the application trusts the source of the information to be authoritative. For
example, many applications implement role-based access control. Role-based access control limits access
to resources based on whether the user is a member of a specific role. SharePoint Server is a good example
of software that implements role-based security. Windows Server 2012 can also take advantage of these
options to extend and enhance the way identity is determined for a security principal.

What Is a Claim?

Windows Server 2008 and Windows Server 2003 R2 use claims in Active Directory Federation Services
(AD FS). In this context, claims are statements made about users (for example, name, identity, key,
group, privilege, or capability), which are understood by both partners in an AD FS federation. AD FS
also introduced AD DS-based claims and the ability to convert AD DS-based claim data into Security
Assertion Markup Language (SAML) format. In previous versions of AD FS, the only attributes that could
be retrieved from AD DS and directly incorporated into a claim were SID information for user and group
accounts. All other claim information was defined within and referenced from a separate database, known
as an attribute store. New in Windows Server 2012 is the capability to read and use any attribute
directly from AD DS. It is not necessary to use a separate AD FS attribute store to hold this type of
information for Active Directory-based computer or user accounts.

By definition, a claim is something that AD DS states about a specific object (usually a user or
computer). A claim provides some information from a trusted source about an entity. Some examples of
claims are the SID of a user or computer, the department classification of a file, and the health state
of a computer. All these claims state something about a specific object. In more technical language,
claims state the value of a specific attribute of a user or computer object.
An entity can contain more than one claim. When configuring resource access, any combination of those
claims can be used to authorize access to resources.

In Windows Server 2012, the authorization mechanism is extended so that you can use claims for
authorization on files and folders, besides using just NTFS permissions based on the user's SID or group
SIDs. By using claims, you can now base your access control not only on SIDs, but also on other attribute
values. Because the SID is also an attribute of a user or computer object, we can say that older
authorization mechanisms are, in a way, subsets of claims-based authorization.
Windows Server 2012 introduces two new types of claims: user claims and device claims. Windows Server
2012 continues to enable you to use group membership for authorization decisions.

User Claim

A user claim is information provided by a Windows Server 2012 domain controller about a user. Windows
Server 2012 domain controllers can use most AD DS user attributes as claim information. This provides
administrators with a wide range of possibilities to configure and use claims for access control.

Device Claim
A device claim is information provided by a Windows Server 2012 domain controller about a device
represented by a computer account in AD DS. As with a user claim, a device claim, often called a
computer claim, can use most of the AD DS attributes that are applicable to computer objects.

What Is a Central Access Policy?
One of the fundamental components in Dynamic Access Control technology is Central Access Policy.
It is a feature in Windows Server 2012 that enables administrators to create a policy that is applied to
one or more file servers. This policy is created in Active Directory Administrative Center, stored in
AD DS, and applied by using Group Policy. A Central Access Policy contains one or more Central Access
Policy rules. Each rule contains settings that determine applicability and permissions.
Before you create a Central Access Policy, it is mandatory that you create at least one Central
Access Rule. A Central Access Rule defines all parameters and conditions that control access to a specific
resource.

A central access rule has three configurable parts:

• Name: For each Central Access Rule, you should configure a descriptive name.

• Target resources: A condition that defines which data the policy applies to. This is defined by
specifying an attribute and its value. For example, a particular central policy might apply to any data
classified as Sensitive. You can also choose to apply the rule to all resources where the Central Access
Policy applies.

• Permissions: A list of one or more access control entries (ACEs) that define who can access the data.
For example, you can specify Full Control access to a user with the attribute EmployeeType populated
with FTE. This is the key component of each Central Access Rule. You can combine and group the
conditions that you place in a central access rule. You can set permissions as proposed (for staging
purposes) or current.

After you configure one or more central access rules, you then place these rules in Central Access Policy
which is applied to the resources.

Central Access Policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACL) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central policy that is applied to the file restricts access to the
same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but
the DACL does not allow access, then the user cannot obtain access to the file.
Before you implement Central Access Policy, you should perform these steps:
1. Create claims and connect them with attributes on user or computer objects.
2. Create file property definitions.
3. Create one or more Central Access Rules.
4. Create a Central Access Policy object and place rules in it.
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a
Central Access Policy exists in AD DS.
6. On the file server, apply that policy to a specific shared folder.
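The six steps above, together with the two conditional cases from the topic Dynamic Access Control Versus Alternative Technologies (EmployeeType set to FTE; user department matching the resource department), as Windows PowerShell. This is an added example and not the course's own material. It assumes the ActiveDirectory and GroupPolicy modules on a Windows Server 2012 domain controller, a domain administrator session, and that the claim IDs, the value Finance, and the rule, policy and GPO names are illustrative choices. The two registry paths are the ones behind the Group Policy settings for KDC and Kerberos client claims support; verify them in the Group Policy editor.

```powershell
# Added example, not from the original course. Assumes: ActiveDirectory and GroupPolicy modules on a
# Windows Server 2012 DC, run as a domain administrator; claim IDs, names and 'Finance' are illustrative.
Import-Module ActiveDirectory, GroupPolicy

# Step 1: claim types, with a fixed -ID so the conditional SDDL below can name them.
New-ADClaimType -DisplayName 'EmployeeType' -SourceAttribute 'employeeType' -ID 'ad://ext/EmployeeType'
New-ADClaimType -DisplayName 'Department'   -SourceAttribute 'department'   -ID 'ad://ext/Department'
# A device claim from the computer object; it is only issued once compound authentication is on (step 5).
New-ADClaimType -DisplayName 'DeviceDepartment' -SourceAttribute 'department' `
    -ID 'ad://ext/DeviceDepartment' -AppliesToClasses @('computer')

# Step 2: resource properties. The built-in Department property ships disabled; enable it.
# (A custom property would also need Add-ADResourcePropertyListMember to reach file servers.)
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# Step 3: a central access rule. Target: files tagged Department = Finance. Permissions: read/execute
# (0x1200a9) for authenticated users only when the user is a full-time employee AND the user's
# department equals the file's department. Owner, Administrators and SYSTEM keep full control.
$currentAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;AU;((@USER.ad://ext/EmployeeType == "FTE") && ' +
               '(@USER.ad://ext/Department == @RESOURCE.Department_MS)))'
# Proposed (staged) ACL additionally requires a Finance device. Staging only logs what would
# change (Security log, once the audit subcategory below is enabled) and does not enforce.
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;AU;((@USER.ad://ext/EmployeeType == "FTE") && ' +
               '(@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
               '(@DEVICE.ad://ext/DeviceDepartment == @RESOURCE.Department_MS)))'
New-ADCentralAccessRule -Name 'Finance FTE Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# Step 4: the policy object that carries the rule.
New-ADCentralAccessPolicy -Name 'Finance Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Documents Policy' -Members 'Finance FTE Rule'

# Step 5: Group Policy. Claims only flow if the KDC issues them and clients request them.
# Registry values behind "KDC support for claims..." and "Kerberos client support for claims..."
# (assumed paths; confirm in the GPO editor under Administrative Templates > System > KDC / Kerberos).
$gpo    = New-GPO -Name 'DAC Kerberos Settings'
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$krbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName -Key $krbKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName -Target (Get-ADDomain).DistinguishedName
# The list of central access policies a file server loads has no cmdlet: set it in the same GPO
# under Computer Configuration > Policies > Windows Settings > Security Settings > File System >
# Central Access Policy. Then, on the file server, refresh policy and resource property definitions:
#   gpupdate /force
#   Update-FSRMClassificationPropertyDefinition
#   auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

# Step 6 is done on the file server, on the share's Advanced Security Settings > Central Policy tab.
# Checks: 'whoami /claims' on a client lists the claims in its token; these show what AD DS holds.
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, Enabled
```

Keep the stricter condition in the proposed ACL until the staging events show no unexpected denials; only then copy it into the current ACL, because a wrong conditional expression in the current ACL denies access immediately on every server that loads the policy.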

Lesson 2
Planning for a Dynamic Access Control Implementation

Dynamic Access Control is a technology that requires detailed planning before implementation. You
should identify reasons to implement Dynamic Access Control, as well as plan for Central Access Policy,
file classifications, auditing, and access denied assistance. In this lesson, you will learn about
planning Dynamic Access Control.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe reasons for implementing Dynamic Access Control.

• Plan for Central Access Policy.

• Plan for File Classifications.

• Plan for File Access Auditing.

• Plan for Access Denied Assistance.

• Plan for policy changes.

Reasons for Implementing Dynamic Access Control
Before you implement Dynamic Access Control, you should clearly identify the reasons for
implementation. This technology should be well designed before implementation, so it is very
important to have a business case that requires implementation of Dyn# Dynamic Access Control. An
improperly planned implementation can result in some users being denied access to data they need,
while other users are inappropriately granted access to data to which they should otherwise be
restricted.

The most common reason to implement Dynamic Access Control is to extend the functionality of an
existing model for access control management. Most companies use NTFS and share permissions to
implement access control for file and folder resources. In most cases, NTFS is sufficient, but in some
scenarios it does not work. For example, you cannot use an NTFS ACL to protect a resource on a file
server so that a user must be a member of two groups at the same time to access the resource. This
relatively simple scenario requires a new technology.

In general, you must use Dynamic Access Control instead of traditional methods for implementing access
control when you want to use more specific information for authorization purposes. NTFS and share
permissions use only user or group objects, but if you want to implement more complex access control
scenarios, you should use Dynamic Access Control.

Planning for Central Access Policy
Implementing Central Access Policy is not mandatory for Dynamic Access Control. However, for
consistent configuration of access control on all file servers, we recommend implementing Central
Access Policy. By doing that, you enable all file servers to use Central Access Policy when protecting
content in shared folders.
If you decide to implement Central Access Policy, you should make a detailed plan before
implementation. When planning Central Access Policy, you must clearly identify and understand the
business requirements for implementing Central Access Policy and Dynamic Access Control.

You should first identify the resources that you want to protect. If all these resources are on one file
server or in just one folder, then you might not have to implement Central Access Policy. Instead, you
can configure conditional access on the folder's ACL. If resources are distributed across several servers or
folders, then you can benefit from deploying Central Access Policy. Examples of data that might require
protecting are payroll records, medical history data, employee personal information, company customer
lists, and so on. You can also use targeting within central access rules to identify resources where you want
to apply central access policy.
After you identify resources, you should define criteria for protection. This is usually defined by business
requirements. Some examples are:

• All documents that have the property confidentiality set to high must be available only to managers.

• Marketing documents from each country should be accessible only to marketing people from the
same country.

• Only full time employees should be able to access technical documentation from previous projects.

A central access policy is targeted to provide an easy interpretation from a business requirement language
to an authorization language.
The next step in the planning process is to translate the policies you require into expressions. In the case
of Dynamic Access Control, expressions are attributes associated with both the resources (files and folders)
and the user or device that seeks access to the resources. These expressions state additional identification
requirements that must be met in order to access protected data. Values associated with any expressions
on the resource obligate the user or device to produce the same value.
Next, you should break down the expressions that you created and determine what claim types, resource
properties, and device claims you must create to deploy your policies. In other words, you must identify
the attributes for access filtering.
Note: You are not required to use user claims to deploy central access policies. You can use
security groups to represent user identities.

Planning File Classifications
When planning the implementation of Dynamic Access Control, you should include File Classifications
in complete scenarios. Although file classifications are not mandatory for Dynamic Access Control, they
can greatly enhance the automation of the entire process. For example, if you require that all documents
with the classification Confidentiality: High must be accessible to top management only, regardless of the
server on which the documents exist, you should first ask yourself how you identify these documents, and
how to classify them appropriately.

File Classification Infrastructure uses classification rules to automatically scan files and classify them
according to the contents of the file. Classification properties are defined centrally in AD DS so that
these definitions can be shared across file servers in the organization. You can create classification rules
that scan files for a standard string or for a string that matches a pattern (regular expression). When a
configured classification parameter is found in a file, that file is classified as configured in the classification
rule.
When planning for file classifications, you should do the following:

• Identify which classification or classifications you want to apply on documents.

• Determine the method to identify documents for classification.

• Determine the schedule for automatic classifications.

• Establish a review of classification success.

You configure file classifications in the File Server Resource Manager console.

When you have defined the classifications, you can plan the implementation of Dynamic Access Control
by defining conditional expressions that enable you to control access to highly confidential documents
based on particular user attributes.

Planning File Access Auditing

In Windows Server 2008 R2 and Windows Server 2012, you can use new advanced audit policies to implement more detailed and more precise auditing on the file system. In Windows Server 2012, you can also implement auditing together with Dynamic Access Control to take advantage of the new Windows Security auditing capabilities. By using conditional expressions, you can configure auditing to be implemented only in specific cases. For example, you might want to audit attempts to open shared folders only by users located in countries other than the country where the shared folder is located.


With Global Object Access Auditing, administrators can define computer SACLs per object type for either
the file system or registry. The specified SACL is then automatically applied to every object of that type.
You can use a Global Object Access Audit Policy to enforce the object access audit policy for a computer,
file share, or registry without configuring and propagating conventional SACLs. Configuring and
propagating SACLs is a more complex administrative task and it is difficult to verify, particularly if you
must verify to an auditor that security policy is being enforced.
Auditors can prove that every resource in the system is protected by an audit policy by just viewing the
contents of the Global Object Access Auditing policy setting.

Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access
Auditing policy to log all activity for a specific user and enabling the Access Failures audit policies in a
resource (file system, registry) can help administrators quickly identify which object in a system is denying
a user access.
You should make an audit plan before you implement any auditing. In the auditing plan you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:

Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore it can be valuable
to track changes to user or machine attributes. Users and machine objects live in AD and therefore
changes to their attributes can be tracked using Directory Service Access Auditing.

Get more information from user logon events. In Windows Server 2012, user logon event (4624)
contains information about the attributes of the file that was accessed. You can take advantage of this
additional information by using audit log management tools to correlate user logon events with
object access events, and enabling event filtering based on both file attributes and user attributes.

Provide more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012 File Access events (4656, 4663) now contain information about the attributes of the file
that was accessed. This additional information can be used by event log filtering tools to help you
identify the most relevant audit events.

Track changes to Central Access Policies, Central Access Rules and Claims. These objects define the
central policy that you can use to control access to critical resources. Tracking changes to these could
be important for the organization. Since all of these objects are stored in AD DS you can audit them
just as any other securable object in Active Directory by using the Directory Service Access Auditing.

Tracking changes to file attributes. File attributes determine which Central Access Policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for File Systems. Event 4911 has been introduced to differentiate this
event from other Authorization policy change events.


Planning Access Denied Assistance

Access Denied Assistance helps end users to determine the reason why they cannot access a resource. It also helps IT staff to properly diagnose a problem and properly direct the resolution. Windows Server 2012 enables you to customize messages about access denied as well as to provide users with the ability to request access without contacting the help desk or IT team. In combination with DAC, Access Denied Assistance can inform the file administrator of the user and resource claims, enabling him to make educated decisions to adjust policies or fix user attributes (for example, if department is written as HR instead of Human Resources).

When planning for Access Denied Assistance, you should include the following:


Plan for the message that users see when they try to access a resource where they do not have access rights. It is important that the message is informal and easy to understand.

Create the email text that users use to request access. If you allow users to request access for resources, you can prepare text that is added to the end of their email message.

Determine the recipients for access request email messages. You can choose that email is sent to folder owners, file server administrators, or any other specified recipient. It is important that messages are always directed to the proper person. If you have a help desk tool or monitoring solution which allows emails, you can also direct those emails to automatically generate user requests in your helpdesk solution.

Plan the target operating systems. Access Denied Assistance only works with Windows 8 or Windows Server 2012.

Planning Policy Changes

After you implement a Dynamic Access Control infrastructure you might have to implement changes. For example, you might have to change some conditional expression, or you might want to change claims. You must carefully plan any change to Dynamic Access Control components.

Windows Server 2012 enables you to stage policy changes. A change to Central Access Policy can severely affect access control. For example, a change could potentially grant more access than desired, or an overly restrictive change in policy could generate an excessive number of helpdesk calls. It is therefore important to test changes before implementation. For this purpose, Windows Server 2012 introduces the concept of staging. Staging enables users to verify their proposed policy changes before enforcing them. To use policy staging, proposed policies are deployed along with the enforced policies but do not actually grant or deny permissions. Instead, Windows logs an audit event (4818) any time the result of the access check using the staged policy is different from the result of an access check using the enforced policy.

Lesson 3

Implementing and Configuring Dynamic Access Control


To implement and configure Dynamic Access Control you must perform several steps and configure several objects. In this lesson, you will learn about implementing and configuring Dynamic Access Control.

Lesson Objectives

After completing this lesson, you will be able to:

Describe prerequisites for implementing Dynamic Access Control.

Enable support in AD DS for Dynamic Access Control.

Implement claims and resource property objects.

Implement Central Access Policy.

Implement File Access Auditing.

Implement Access Denied Assistance.

Implement File Classifications.

Implement Dynamic Access Control.

Prerequisites for Implementing Dynamic Access Control

Because Dynamic Access Control is a new technology in Windows Server 2012, you must ensure that certain prerequisites are fulfilled before implementation. To implement claims-based authorization for resource access, you must implement the following:

Windows Server 2012 installed on the file server that hosts the resources being protected with Dynamic Access Control. The file server hosting the share must be a Windows Server 2012 file server to read claims and device authorization data from a Kerberos ticket, translate those SIDs and claims from the ticket into an authentication token, and compare the authorization data in the token against conditional expressions in the security descriptor.

At least one Windows Server 2012 domain controller accessible by the Windows client computer in the user's domain. The new authorization and auditing mechanism requires extensions to AD DS. These new extensions build the Windows claim dictionary, which is where Windows stores claims for an Active Directory forest. Claims authorization also relies on the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains Kerberos enhancements required to transport claims within a Kerberos ticket and Compound Identity. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring. Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling (FAST). It provides a protected channel between the LSA, Netlogon and the KDC.

Windows Server 2012 domain controllers in each domain when using claims across a forest trust.


Windows 8 client (required when using device claims). Older desktop operating systems do not support device claims.


Although a Windows Server 2012 domain controller is required, there is no requirement for having a Windows Server 2012 domain and forest functional level, unless you want to use claims across forest trust. This means that you can also have domain controllers on Windows Server 2008 and Windows Server 2008 R2 with forest functional level on Windows Server 2008.

Note: Implementing Dynamic Access Control in a multiple forest scenario has additional setup requirements.

Enabling Support in AD DS for Dynamic Access Control

After fulfilling software requirements for enabling Dynamic Access Control support, you must enable claim support for the Windows Server 2012 KDC. Kerberos support for Dynamic Access Control provides a mechanism for including user claim and device authorization information in a Windows authentication token. Access checks on resources, such as files and folders, use this authorization information to verify identity.

You should first use Group Policy to enable AD DS for Dynamic Access Control. Because this setting is specific to domain controllers, you can create a new Group Policy object (GPO) and link it to the Domain Controllers Organizational Unit (OU), or edit the Default Domain Controllers GPO that is already linked to that OU.

Whichever method you choose, you should open Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. In this node, open a setting called Support Dynamic Access Control and Kerberos armoring. You can configure this policy setting by choosing one of the four listed options:

Do not support Dynamic Access Control and Kerberos armoring

Support Dynamic Access Control and Kerberos armoring

Always provide claims and FAST RFC behavior

Also fail unarmored authentication requests

Claims and Kerberos armoring support are disabled by default, which is the same as if this policy setting is not configured, or configured as Do not support Dynamic Access Control and Kerberos armoring. The policy setting Support Dynamic Access Control and Kerberos armoring configures Dynamic Access Control and Kerberos armoring in a mixed-mode environment, when there is a mixture of Windows Server 2012 domain controllers and domain controllers running earlier versions of Windows Server.

You use the remaining policy settings when all the domain controllers are Windows Server 2012 domain controllers and the domain functional level is configured to Windows Server 2012. The Always provide claims and FAST RFC behavior policy setting and the Also fail unarmored authentication requests policy setting enable Dynamic Access Control and Kerberos armoring for the domain. However, the latter policy setting requires all Kerberos Authentication Service (AS) and Ticket-Granting Service (TGS) communication to use Kerberos armoring.


Windows Server 2012 domain controllers read this configuration, while other domain controllers ignore this setting.

Implementing Claims and Resource Property Objects

After you enable support for Dynamic Access Control in AD DS, you next create and configure claims and resource property objects.

Creating and Configuring Claim Types

The primary method to create and configure claims is to use the Active Directory Administrative Center (ADAC) console. You use ADAC to create attribute-based claims, which are the most common. However, you can also use the Active Directory Module for Windows PowerShell to create certificate-based claims. All claims are stored in the configuration partition of AD DS. Because this partition is forest wide, all domains within that forest share the claim dictionary, and domain controllers from those respective domains issue claim information during user and computer authentication.

If you want to create attribute-based claims in ADAC, you should navigate to the Dynamic Access Control node, and then open the Claim Types container. By default, no claim types are defined here.

In the Actions pane, when you click Create Claim Type, you see the list of attributes. These attributes (for user or computer objects) are used to source values for claims. When you create a claim, you associate the claim to the specific attribute. The value of that attribute is populated as a claim value. It is therefore important that information contained in Active Directory attributes that are used to source claim types contains accurate information, or remains blank.

When you select the attribute that you want to use to create a claim, you also must provide a name for the claim. The suggested name for the claim is always the same as the selected attribute name. However, you can also provide an alternate or more meaningful name for the claim. Optionally, you can also provide suggested values for a claim. This is not mandatory, but if you do it, you can reduce the possibility of making mistakes.

Note: Claim types are sourced from AD DS attributes. That is why you must configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty. Depending on the configuration of the data files' Resource Property Object attributes, a null value in a claim may result in the user being denied access to DAC-protected data.

Creating and Configuring Resource Properties

Although evaluating resource properties is the very core of Dynamic Access Control, you should implement it after user and device claims have been defined. Keep in mind that if a claim does not match the specified resource property value, then access to the data is denied. To reverse the order of implementation, then, would risk inadvertently blocking users from data that they otherwise should be able to access. When you use claims to control access to files and folders, you must also provide additional information on these resources. You do this by configuring Resource Property objects. You manage Resource Property objects in the Resource Properties container in the Dynamic Access Control node in ADAC. You can create your own resource properties or you can use one of the preconfigured properties, such as Country, Department, Folder Usage, etc. All predefined Resource Property objects are disabled by default. If you want to use any of them, you should first enable it. If you want to create your own Resource Property object, you can specify the property type and allowed or suggested values.

When you create Resource Property objects you can select properties to include on the files and folders. Windows uses the values in these properties with the values from user and device claims when evaluating file authorization and auditing.

After you have configured user and device claims and resource properties, you must then protect the files and folders using conditional expressions that evaluate user and device claims against values within resource properties, or constant values. You can do this in two ways. If you want to focus on specific folders, you can use the advanced security settings editor to create conditional expressions directly in the security descriptor. Alternatively, to cover several (or all) file servers, you can create Central Policy rules and link those rules to Central Policy objects. You can then deploy Central Policy objects to file servers using Group Policy and configure the share to use the Central Policy object. Using Central Access Policies is the most efficient and preferred method for securing files and folders. It is discussed in the next topic. If you want to cover certain files with a common set of properties across various folders or files, you can also use file classification.

You can use claim and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to true for Windows to grant the permission entry for authorization. For example, if you define a claim Department for a user (with a source attribute department), and define a resource property object called Dept, you can define a conditional expression that says: User can access a folder (with applied resource property objects) only if the user attribute department value is equal to the value of property Dept on the folder. Note, however, that if the resource property Dept has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data. To be clear, access is controlled not by the claim, but by the Resource Object. The claim must provide the correct value corresponding to the requirements set by the Resource Object. If the Resource Object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.

Implementing Central Access Rules and Policy

Central Access Policy enables you to manage and deploy consistent authorization throughout the enterprise through Central Access Rules and Central Access Policy objects. Central Access Policy helps act as a security net that an organization applies across its servers. You use Group Policy to deploy Central Access Policy, and you apply Central Access Policy to all file servers that will use Dynamic Access Control. Central Access Policy is not mandatory for using Dynamic Access Control. It just enables you to deploy a consistent configuration to several file servers.


The main component of Central Access Policy is Central Access Rule. In fact, Central Access Policy objects
represent a collection of Central Access Rule objects that you apply to Windows Server 2012 file servers
using Group Policy. You should create a Central Access Rule before you create Central Access Policy
because a Central Access Rule contains multiple criteria that Windows uses when evaluating access. A
Central Access Rule can use conditional expressions to target specific files and folders. Each Central
Access Rule has multiple permission entry lists that you use to manage the rule's current permission
entries, or proposed permission entries, or return the rule's current permission entry list to its last known
list of permission entries. Each Central Access Rule can be a member of one or more Central Access Policy
objects.

Configuring Central Access Rules


You typically create and configure Central Access Rules in Active Directory Administrative Center.
However, you can also use PowerShell to do the same thing.

When you start to create a new Central Access rule, you must first provide a name and description for the
rule. You can also choose to protect the rule against accidental deletion.
Next, you configure Target Resources. You use the Target Resource section to create a scope of
applicability for the access rule. You create the scope by using resource properties within one or more
conditional expressions. To make it simple, you can keep the default value (All resources), but usually you
apply some resource filtering. You can join these conditional expressions using logical operators, such as
AND and OR. Additionally, you can group conditional expressions together to combine the result of two
or more joined conditional expression. The Targeted Resource box displays the currently configured
conditional expression that is used to control the rule's applicability.
Finally, you configure permissions. There are two choices for permissions:

Use following permissions as proposed permissions

Use this option to add the permission entries in the permission list to the list of proposed permission
entries for the newly created Central Access Rule. You use the proposed permission list combined
with file system auditing, to model the effective access users have to the resource without changing
the permission entries in the current permissions list. Proposed permissions write a special audit event
to the event log that describes the proposed effective access for the user.

Use following permissions as current permissions

Use this option to add the permission entries in the permission list to the list of current permissions
entries for the newly created Central Access Rule. The current permissions list represents the
additional permissions Windows considers when the Central Access Rule is deployed to a file server.
Central Access Rules do not replace the existing security. When making authorization decisions,
Windows evaluates permission entries from Central Access Rule's current permissions list, NTFS, and
share permissions lists.
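The planning steps above (translate a business rule into a user claim, a resource property and a conditional expression) and the Central Access Rule options just described, carried out end to end with the Active Directory module. This is an added example, not course or Microsoft code: the Department values, rule and policy names and share path are constructed, and the explicit claim type ID under ad://ext/ is an assumption (ADAC normally appends a random suffix).

```powershell
# Added example (not from the course). Run on a Windows Server 2012 domain member
# as a user allowed to write the configuration partition (Enterprise Admins).
Import-Module ActiveDirectory

# 1. Claim type sourced from the 'department' user attribute, with suggested
#    values so that typos such as "HR" vs "Human Resources" are caught in ADAC.
#    The ID is fixed here (assumption: explicit ad://ext/ IDs are accepted) so
#    the conditional expressions below can reference it without a random suffix.
$suggested = 'Finance', 'Human Resources', 'Engineering' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "Department: $_")
}
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -SuggestedValues $suggested `
    -Description 'User department (constructed example claim)'

# 2. Resource property with the same value set. Files are stamped with it, and
#    the rule compares the user's claim against it. Publishing it in the Global
#    Resource Property List is what lets file servers download and apply it.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -ID 'Department_MS_DS_SinglevaluedChoice' -SuggestedValues $suggested
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members 'Department'

# 3. Central Access Rule. Target Resources: only folders stamped Department=Finance.
#    Current permissions: Read & Execute (0x1200a9) for authenticated users whose
#    Department claim equals the folder's Department property. Proposed (staged)
#    permissions widen that to Modify (0x1301bf); every access check where the two
#    lists disagree is logged as event 4818, so the change can be reviewed before
#    it is promoted to the current list.
$resourceCondition = '(@RESOURCE.Department_MS_DS_SinglevaluedChoice == "Finance")'
$sameDepartment    = '(@USER.ad://ext/Department == @RESOURCE.Department_MS_DS_SinglevaluedChoice)'
$currentAcl  = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;$sameDepartment)"
$proposedAcl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;$sameDepartment)"
New-ADCentralAccessRule -Name 'Finance Documents Rule' -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# 4. Central Access Policy that collects the rule. Deploy it to file servers with
#    Group Policy (Security Settings\File System\Central Access Policy) and select
#    it on the share's Advanced Security Settings, as the text describes.
New-ADCentralAccessPolicy -Name 'Finance Policy' -ProtectedFromAccidentalDeletion $true
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents Rule'

# 5. Review what was written before deploying it.
Get-ADCentralAccessRule -Identity 'Finance Documents Rule' |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
Get-ADCentralAccessPolicy -Identity 'Finance Policy' | Select-Object Name, Members
```

Remember the caveat from the previous topic: a folder without the Department property stamped on it is not matched by the resource condition at all, so the rule neither grants nor denies there and NTFS permissions alone decide.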


Implementing File Access Auditing


The Global Object Access Auditing feature in Windows 8 and Windows Server 2012 enables you to configure object access auditing for every file and folder in the file system on the computer. You use this policy setting to centrally manage and configure Windows to monitor every file and folder on the computer. To enable object access auditing in previous versions of Windows Server, you had to configure this option in basic audit policies (in GPOs), and also turn on auditing for a specific security principal in the System Access Control List (SACL) of the object. Sometimes this approach did not easily reconcile with company policies such as Log all administrative write activity on servers containing Finance information, because you cannot turn on object access audit logging on the server level but only on the object level.

The new audit category in Windows Server 2008 R2 and Windows Server 2012 enables administrators to manage object access auditing using a much wider scope.

Dynamic Access Control enables you to create targeted audit policies using expressions based on user, computer and resource claims. For example, you could create an audit policy to track all Read and Write operations on files classified as High Confidential by employees who do not have a High Security Clearance attribute populated with the appropriate value. You can author expression-based audit policies directly on a file or folder or centrally via Group Policy using Global Object Access Auditing. By using this approach you do not prevent unauthorized access, but register attempts to access the content by unauthorized people.

Global Object Access Auditing includes the File system and Registry subcategories.

You configure Global Object Access Auditing when you enable Object Access auditing and Global Object Access Auditing. Enabling Object Auditing turns on auditing for the computer that applies the policy setting. However, enabling auditing alone does not always generate auditing events. The resource, in this instance files and folders, must contain audit entries.

We recommend configuring Global Object Access Auditing for the enterprise by using the security policy of a domain-based GPO. The two security policy settings required to enable Global Object Access Auditing are located at these locations:

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System

Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policy\Global Object Access Auditing\File System

Note: If both a file or folder SACL and a Global Object Access Auditing policy (or a single registry setting SACL and a Global Object Access Auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.
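Once auditing is enabled, the events the planning topic lists (4656 and 4663 for object access, 4911 for resource attribute changes) and the staging event 4818 from the policy change topic all land in the Security log; reviewing them is where the value is. The following is an added example, not course code: a small reader that pulls those events from a file server and summarises the staged-policy mismatches per user and object. It assumes rights to read the Security log and uses the standard SubjectUserName, SubjectDomainName, ObjectName and ProcessName event data fields.

```powershell
# Added example (not from the course): collect DAC-related Security events and
# summarise them. Event IDs are the ones named in the text.
function Get-DacAuditEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [int[]]    $Id           = @(4656, 4663, 4818, 4911)
    )
    # Human-readable label per event ID (labels are this example's own wording)
    $kinds = @{
        4656 = 'HandleRequested'        # Audit File System: handle to an object was requested
        4663 = 'ObjectAccessed'         # Audit File System: access attempt on an object
        4818 = 'StagedPolicyMismatch'   # proposed Central Access Policy decided differently
        4911 = 'ResourceAttributeChanged' # resource attributes of an object changed
    }
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable so
            # the same code works for all four event types.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Kind    = $kinds[$_.Id]
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
}

# Quick check that the File System subcategory is actually being audited; without
# it (and without SACLs or Global Object Access Auditing) nothing below appears.
auditpol /get /subcategory:"File System"

# Staging review: each 4818 is an access check where the proposed rule would have
# answered differently from the enforced one. Group them to see who would be
# affected by promoting the proposed permissions to current.
Get-DacAuditEvent -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.Id -eq 4818 } |
    Group-Object User, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Attribute drift: 4911 tells you a file's resource properties changed, which can
# silently change which Central Access Rule applies to it.
Get-DacAuditEvent -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.Id -eq 4911 } |
    Select-Object Time, User, Object, Process
```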

Implementing Access Denied Assistance

One of the most common errors that users receive when they try to access a file or folder on a remote file server is an access denied error. Usually, this error occurs when a user tries to access a resource without having proper permission or because of incorrectly configured permissions or resource access control list (ACL). If you are using Dynamic Access Control, things can be even more complicated. Users who might have permissions, but for example have a relevant attribute in their account misspelled, will not be granted access.


When users receive this kind of error, they usually try to contact the administrator to obtain access. However, administrators usually do not approve access to resources, so users are then redirected to someone else for approval. In Windows Server 2012 there is a new technology to help both users and administrators in such situations. This technology is called Access Denied Assistance. It helps users respond to access denied issues without involving IT staff by providing information about the problem and directing users to the proper person.

Access-denied Remediation

The Access Denied Assistance technology in Windows Server 2012 provides three ways for troubleshooting issues with access denied errors:

Self-remediation. Windows Server 2012 provides a way to create customized access-denied messages that are authored by the server administrator. By using the information in these messages, users can try to self-remediate access-denied cases. For example, the user may be directed to first map to a computer using a particular drive letter. The message can also include URLs to direct the users to self-remediation websites that are provided by the organization. For example, the URL might direct the user to change their password to an application or download a refreshed copy of client-side software.

Remediation by the data owner. In Windows Server 2012, administrators can define owners for shared folders. This enables users to send an email to the data owners to request access. For example, if the user was accidentally left off a security group membership, the data owner may be able to add the user to the group. If the data owner does not know how to help the user get access, he or she can forward this information to the appropriate IT administrator. This is helpful because the number of user support requests escalated to the support desk should be limited to special, difficult-to-resolve cases.

Remediation by Help Desk and file server administrators. If the user cannot self-remediate the issue or the data owner cannot help, Windows Server 2012 provides a user interface where administrators can view the effective permission for users for a file or folder so that it is easier to troubleshoot access issues. Examples of when an administrator should be involved are cases where attributes, either claims and/or resource objects, have been incorrectly defined or contain incorrect information, or when the data itself seems to be corrupted.


You enable Access Denied Assistance by using Group Policy. You open the Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance. In this node, you can enable Access Denied Assistance, and you can also provide customized messages for users. Alternatively, you can use the File Server Resource Manager console to enable access-denied assistance. However, if this feature is enabled in Group Policy, the corresponding settings in the File Server Resource Manager console are disabled for configuration.
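The File Server Resource Manager path can also be driven from Windows PowerShell on the file server. The following is an added example, not code from the course, using the Set-FsrmAdrSetting cmdlet of the FileServerResourceManager module; the message text is constructed for the example. The precedence rule above still applies: if the Group Policy setting is enabled, the policy values override whatever is configured here.

```powershell
# Added example (not from the course): enable Access-Denied Assistance on a
# file server with the FileServerResourceManager module, the cmdlet
# counterpart of the File Server Resource Manager console path. Run on the
# file server (requires the File Server Resource Manager role service).
Import-Module FileServerResourceManager

# Message the user sees in the access-denied dialog. Constructed for the
# example; keep it actionable (what to check, whom to ask) and free of
# internal details such as group names or share ACLs.
$message = 'You do not have access to this resource. Check that you mapped ' +
           'the share with the drive letter given in your team instructions, ' +
           'or click Request assistance to ask the data owner for access.'

# -Enabled       turns the feature on for this server
# -AllowRequests shows the "Request assistance" button to the user
# -MailToOwner   routes the request to the folder owner defined in FSRM
# -MailCCAdmin   copies the FSRM administrator recipients
# -EventLog      also records each request in the event log for follow-up
Set-FsrmAdrSetting -Event AccessDenied `
    -Enabled $true `
    -DisplayMessage $message `
    -AllowRequests $true `
    -MailToOwner $true `
    -MailCCAdmin $true `
    -EventLog $true

# Email routing needs FSRM's SMTP settings (Set-FsrmSetting -SmtpServer ...).
# Read the result back. If a GPO has the Access-Denied Assistance policy
# enabled, the policy values win over what is shown here.
Get-FsrmAdrSetting -Event AccessDenied | Format-List
```

The owner-routing options only do something once a folder owner has been set in File Server Resource Manager and an SMTP server has been configured; without them the request button still appears but the request has nowhere to go.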

Implementing File Classifications

To effectively implement Dynamic Access Control technology, you must have well-defined claims and resource properties. Although claims are defined by attributes for a user or a device, resource properties are most often manually created and defined. File Classifications enable administrators to define automatic procedures for defining a desired property on the file, based on conditions specified in a classification rule. For example, you can set the property Confidentiality to High on all documents whose content contains the word secret. You can then use this property in Dynamic Access Control to specify, for example, that only employees with the attribute employeetype set to Manager can access those documents that are classified with high confidentiality.

In Windows Server 2008 R2 and Windows Server 2012, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Classification Management is designed to ease the burden and management of data that is spread out in the organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification infrastructure in Windows Server 2008 R2 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification and apply corporate requirements for managing data based on business value.

You can use file classification to perform the following actions:

1. Define classification properties and values, which can be assigned to files by running classification rules.

2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.

3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values. You can also use this to de-classify files that no longer match the classification criteria.

Demonstration: Implementing Central Access Rules and Policies

Demonstration Steps

1. In the Active Directory Administrative Center, create claims for the department and employeetype attributes.

2. Enable the Resource Type for department.

3. Create a Central Access Rule to enable members of the IT group to access resources if the user department attribute matches the resource department.

4. Create a Central Access Policy.


Lab: Implementing Dynamic Access Control

Scenario

The Research team at A. Datum performs some highly confidential work that provides much value to the business. Managers and Research departments at A. Datum frequently store files that contain business-critical information on the company file servers. The security department wants to ensure that these confidential files are only accessible to suitably authorized personnel and that all access to these files is audited.

As one of the senior network administrators at A. Datum, you are responsible for addressing these security requirements by implementing Dynamic Access Control on the file servers. You plan to work closely with the business groups and the security department in identifying which files must be secured, and who should have access to these files. Then you plan to implement Dynamic Access Control based on the company requirements.

Objectives

Plan Dynamic Access Control Deployment and prepare AD DS for Dynamic Access Control.

Configure user and device claims.

Configure resource properties and file classifications.

Configure central access rules and policies.

Configure and validate access remediation.

Lab Setup
Estimated time: 90 minutes

Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-LON-CL2

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1 and 20417A-LON-CL2.

6. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd. Do not log on to LON-CL1 or LON-CL2 until instructed to do so.

Exercise 1: Planning the Dynamic Access Control Implementation and Preparing AD DS for Dynamic Access Control

Scenario

A. Datum must ensure that documents used by the Research department and managers are secured. Most of the files used by these departments are stored in shared folders dedicated to these departments, but sometimes confidential documents appear in other shared folders. Folders that belong to the Research department should be accessed and modified only by members of the Research department. Also, documents that are classified as highly confidential should only be accessed by Managers. The security department is also concerned that users in the Managers department are accessing the files using their home computers, which may not be highly secure. You must create a plan for securing the documents regardless of where they are located and ensure that the documents can only be accessed from authorized computers. Authorized computers for Managers are members of the security group ManagersWks.

The support department reports that a high number of calls are generated by users who cannot access resources. You must implement a technology that helps users to better understand error messages as well as enable them to automatically request access.

First, you will plan for the Dynamic Access Control deployment. Then you must prepare your AD DS to support Dynamic Access Control.
The main tasks for this exercise are as follows:

1. Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements.

2. Prepare AD DS to support Dynamic Access Control.

X Task 1: Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements

Describe how you will design Dynamic Access Control to fulfill the requirements for access control described in the scenario.

X Task 2: Prepare AD DS to support Dynamic Access Control

1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.

2. Create a new organizational unit named Test.

3. Move the LON-CL1, LON-CL2 and LON-SVR1 computer objects into the Test OU.

4. On LON-DC1, from Server Manager, open the Group Policy Management console.

5. Remove the Block Inheritance setting applied to the Managers OU. (This setting has been applied and is used in a later module of the course.)

6. Edit the Default Domain Controllers Policy GPO.

7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC.

8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting.

9. Select Supported in the Options section.

10. On LON-DC1, refresh Group Policy.

11. Open Active Directory Users and Computers and create a security group called ManagersWKS in the Users container.

12. Add LON-CL1 to the ManagersWKS group.

13. Verify that user Aidan Delaney is a member of the Managers department and Allie Bellew is a member of the Research department.


Results: After completing this exercise, you will have a design for Dynamic Access Control and you will have prepared AD DS for the Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims

Scenario

The first step in implementing Dynamic Access Control is to configure the claims for the users and devices that access the files. In this exercise, you will review the default claims and create new claims based on the department and computer description attributes. For users, you will create a claim for the department attribute. For computers, you will create a claim for the description attribute.

The main tasks for this exercise are as follows:

1. Review the Default Claim Types.

2. Configure Claims for Users.

3. Configure Claims for Devices.

X Task 1: Review the Default Claim Types

1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center.

2. Click the Dynamic Access Control node in Active Directory Administrative Center.

3. Open the Claim Types container and verify that there are no default claims defined.

4. Open the Resource Properties container and note that all properties are disabled by default.

5. Open the Resource Property Lists container and then open the properties of the Global Resource Property List.

6. In the Resource Properties section, review the available resource properties.

7. Click Cancel.

X Task 2: Configure Claims for Users

1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.

2. Open the Claim Types container, and create a new claim type for users and computers using the following settings:
   Source Attribute: Department
   Display name: Company Department
X Task 3: Configure Claims for Devices

1. In the Active Directory Administrative Center, in the Tasks pane, click New and select Claim Type.

2. Create a new claim type for computers using the following settings:
   Source Attribute: description
   Display name: description

Results: After completing this exercise you will have configured user and device claims.

Exercise 3: Configuring Resource Properties and File Classifications

Scenario

The second step in implementing Dynamic Access Control is to configure the resource property lists and resource property definitions. After you do this, you should make a new classification rule that classifies all files that contain the word secret in the body. These files should be assigned a value of High for the attribute Confidentiality. You should also assign the department property to the folder that belongs to the Research department.

The main tasks for this exercise are as follows:

1. Configure Resource Property Definitions.

2. Classify files.

3. Assign properties to folder.

X Task 1: Configure Resource Property Definitions

1. In the Active Directory Administrative Center, click Dynamic Access Control and then open the Resource Properties container.

2. Enable the Department and Confidentiality Resource Properties.

3. Open Properties for the Department property.

4. Add Research as a suggested value.

5. Open the Global Resource Property List and make sure that Department and Confidentiality are included in the list.

6. Click Cancel.

7. Close the Active Directory Administrative Center.
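Everything the Active Directory Administrative Center does in Exercise 2 and in Task 1 of this exercise is also exposed by the ActiveDirectory module. The block below is an added example (not code from the course) that performs those steps with New-ADClaimType, Set-ADResourceProperty and the resource property list cmdlets; the helper function New-ClaimIfMissing is defined here for the example, and the claim and property display names are the ones the lab uses.

```powershell
# Added example (not from the course): the cmdlet equivalent of Exercise 2 and
# Exercise 3, Task 1, using the ActiveDirectory module. Run on LON-DC1 (or any
# host with RSAT) as a user who can write to the Configuration partition.
Import-Module ActiveDirectory

# ---- Exercise 2: claim types --------------------------------------------
# Helper defined for this example: looks the claim type up by display name
# first so the script can be re-run without creating duplicates.
function New-ClaimIfMissing {
    param([string]$DisplayName, [string]$SourceAttribute, [string[]]$AppliesTo)
    $existing = Get-ADClaimType -Filter "DisplayName -eq '$DisplayName'"
    if ($existing) { return $existing }
    # -AppliesToClasses decides whether the claim is issued in user or computer
    # tickets; "computer" must be present for a claim to be usable in device conditions.
    New-ADClaimType -DisplayName $DisplayName `
                    -SourceAttribute $SourceAttribute `
                    -AppliesToClasses $AppliesTo `
                    -PassThru
}

# Task 2: Department claim for users (and computers, as the lab's ADAC step does).
$deptClaim = New-ClaimIfMissing 'Company Department' 'department' @('user', 'computer')
# Task 3: description claim for devices only.
$descClaim = New-ClaimIfMissing 'description' 'description' @('computer')

# ---- Exercise 3, Task 1: resource properties ------------------------------
# The built-in resource properties ship disabled. Enable Department and
# Confidentiality; they are matched by display name rather than by their
# internal IDs (Department_MS, Confidentiality_MS).
foreach ($name in 'Department', 'Confidentiality') {
    Get-ADResourceProperty -Filter "DisplayName -eq '$name'" |
        Set-ADResourceProperty -Enabled $true
}

# Add "Research" as a suggested value (value, display name, description).
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Research', 'Research', 'Research department')
Get-ADResourceProperty -Filter "DisplayName -eq 'Department'" |
    Set-ADResourceProperty -SuggestedValues @{ Add = $research }

# File servers only download properties that are in a resource property list,
# so confirm both are members of the Global Resource Property List.
$list = Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members
foreach ($name in 'Department', 'Confidentiality') {
    $prop = Get-ADResourceProperty -Filter "DisplayName -eq '$name'"
    if ($list.Members -notcontains $prop.DistinguishedName) {
        Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop
    }
}

# Show what was created; the claim ID is the name conditional ACEs refer to.
$deptClaim, $descClaim | Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses
```

The suggested-value step is the only part that is not idempotent: adding a value that already exists fails, so on a second run remove or comment out that call. The final Select-Object shows the generated claim ID (of the form ad://ext/...), which is what central access rules reference.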

X Task 2: Classify files

1. On LON-SVR1, in Server Manager, add the File Server Resource Manager.

2. Open File Server Resource Manager.

3. Refresh Classification Properties. Verify that the Confidentiality and Department properties are in the list.

4. Create a Classification rule with the following values:
   Name: Set Confidentiality
   Scope: C:\Docs
   Classification method: Content Classifier
   Property: Confidentiality
   Value: High
   Classification Parameters: String secret
   Select Re-evaluate existing property values, and then click Overwrite the existing value.

5. Run the classification rule.

6. Open Windows Explorer and open Properties for the files Doc1.txt, Doc2.txt and Doc3.txt in the C:\Docs folder.

7. Verify the values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
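The classification rule from this task, and the three file-classification actions described in the lesson (define properties, create and run rules, re-evaluate existing values), can be scripted with the FileServerResourceManager module. The following is an added example, not code from the course: it runs on LON-SVR1, uses the lab's folder and rule settings, and reads the result back through the FSRM COM interface (Fsrm.FsrmClassificationManager), since Windows Server 2012 has no cmdlet for per-file property values; the COM call and its option argument are assumptions to verify on your server.

```powershell
# Added example (not from the course): the cmdlet equivalent of Exercise 3,
# Task 2, run on the file server (LON-SVR1) with the FileServerResourceManager
# module. The folder C:\Docs and the rule settings are those from the lab.
Import-Module FileServerResourceManager

# Step 3: pull the resource property definitions published in AD DS into the
# local FSRM property list (the console's "Refresh" does the same).
Update-FsrmClassificationPropertyDefinition

# Resolve the Confidentiality property by display name; the local name of an
# AD-sourced property differs from its display name (e.g. Confidentiality_MS).
$conf = Get-FsrmClassificationPropertyDefinition |
            Where-Object { $_.DisplayName -eq 'Confidentiality' }
if (-not $conf) {
    throw 'Confidentiality is not available here; check that it is enabled in AD DS and in the Global Resource Property List.'
}

# Step 4: the rule. Content Classifier scans file contents for the string
# "secret" (-ContentString is case-insensitive); matches get
# Confidentiality = High. -ReevaluateProperty Overwrite re-scans files that
# already carry a value and replaces it, which is what lets a file be
# downgraded again once the word is removed (lesson action 3).
if (-not (Get-FsrmClassificationRule | Where-Object { $_.Name -eq 'Set Confidentiality' })) {
    New-FsrmClassificationRule -Name 'Set Confidentiality' `
        -Namespace @('C:\Docs') `
        -ClassificationMechanism 'Content Classifier' `
        -ContentString @('secret') `
        -Property $conf.Name `
        -PropertyValue 'High' `
        -ReevaluateProperty Overwrite
}

# Step 5: run classification now instead of waiting for the schedule.
# Get-FsrmClassification reports the status of the run; wait until it shows
# the run has finished before checking files.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification

# Steps 6-7: read the value back for each file through the FSRM COM API
# (assumed: IFsrmClassificationManager.GetFileProperty; the last argument 0
# selects no special options). The call throws when the property is not set.
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
foreach ($file in 'Doc1.txt', 'Doc2.txt', 'Doc3.txt') {
    $path = Join-Path 'C:\Docs' $file
    try   { $value = $cm.GetFileProperty($path, $conf.Name, 0).Value }
    catch { $value = '(not set)' }
    '{0,-10} Confidentiality = {1}' -f $file, $value
}
```

With the lab's sample files, Doc1.txt and Doc2.txt should report High and Doc3.txt should report the property as not set. Note that the Overwrite choice matters for security: with Never, a document that once contained the word keeps its High classification even after the content changes, and with Aggregate a multi-valued property accumulates values rather than reflecting the current content.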

X Task 3: Assign properties to folder

1. On LON-SVR1, open Windows Explorer.

2. Browse to C:\Research and open its properties.

3. On the Classification tab, set the Department value to Research.

Results: After this exercise, you will have configured resource properties and file classifications.

Exercise 4: Configuring Central Access Rules and Policies

Scenario

Now that you have configured claims, resource properties, and file classifications, you want to create and configure central access rules and policies.

The main tasks for this exercise are as follows:

1. Configure Central Access Policy Rules.

2. Create Central Access Policy.

3. Publish Central Access Policy with Group Policy.

4. Apply Central Access Policy to resources.

5. Configure access denied remediation settings.

X Task 1: Configure Central Access Policy Rules

1. On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative Center.

2. Click Dynamic Access Control and then open the Central Access Rules container.

3. Create a new Central Access Rule with the following values:
   Name: Department Match
   Target Resource: use condition Resource-Department-Equals-Value-Research
   Permissions: Remove Administrators, and then add Authenticated Users, Modify, with condition User-Company Department-Equals-Resource-Department

4. Create another Central Access Rule with the following values:
   Name: Access Confidential Docs
   Target Resource: use condition Resource-Confidentiality-Equals-Value-High
   Permissions:
   Set first condition to be: User-Group-Member of each-Value-Managers
   Set second condition to be: Device-Group-Member of each-Value-ManagersWKS

X Task 2: Create Central Access Policy

1. On LON-DC1, in Active Directory Administrative Center, create a new Central Access Policy with the following values:
   Name: Protect confidential docs
   Rules included: Access Confidential Docs

2. Create another Central Access Policy with the following values:
   Name: Department Match
   Rules included: Department Match

3. Close the Active Directory Administrative Center.
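The rules and policies from Tasks 1 and 2 (and the demonstration earlier in the lesson) are stored as SDDL strings with conditional access control entries, which the Active Directory Administrative Center writes for you. The following added example, not code from the course, builds the same two rules and two policies with New-ADCentralAccessRule and New-ADCentralAccessPolicy so the conditional ACE syntax is visible. It assumes the claim type, resource properties and groups from Exercises 1 to 3 exist; because the lab does not name the principal for the second rule's permissions, Authenticated Users with Modify is assumed. Compare the strings it produces with what ADAC's Windows PowerShell History Viewer shows for the GUI steps.

```powershell
# Added example (not from the course): the cmdlet equivalent of Exercise 4,
# Tasks 1 and 2, with the ActiveDirectory module on LON-DC1. Assumes the
# "Company Department" claim type, the Department and Confidentiality resource
# properties, and the Managers (users) and ManagersWKS (computers) groups exist.
Import-Module ActiveDirectory

# Conditional ACEs name claims and resource properties by ID, not display name,
# so resolve the IDs from AD DS rather than hard-coding them.
$deptClaim = (Get-ADClaimType        -Filter 'DisplayName -eq "Company Department"').ID
$deptProp  = (Get-ADResourceProperty -Filter 'DisplayName -eq "Department"').ID
$confProp  = (Get-ADResourceProperty -Filter 'DisplayName -eq "Confidentiality"').ID
$managers  = (Get-ADGroup 'Managers').SID.Value
$wksGroup  = (Get-ADGroup 'ManagersWKS').SID.Value
foreach ($v in $deptClaim, $deptProp, $confProp) {
    if (-not $v) { throw 'Missing claim type or resource property; complete Exercises 2 and 3 first.' }
}

# SDDL building blocks: OW = owner, BA = Administrators, AU = Authenticated
# Users; 0x1301bf is the Modify access mask; "XA" is a conditional allow ACE.
$modify = '0x1301bf'

# Task 1, rule 1: targets resources whose Department is Research and grants
# Modify to Authenticated Users only when the user's department claim equals
# the resource's Department (Administrators deliberately absent, as in the lab).
$deptMatchAcl = "O:SYG:SYD:AR(A;;FA;;;OW)" +
                "(XA;;$modify;;;AU;(@USER.$deptClaim == @RESOURCE.$deptProp))"
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition "(@RESOURCE.$deptProp == `"Research`")" `
    -CurrentAcl $deptMatchAcl

# Task 1, rule 2: targets resources classified Confidentiality = High. The
# caller must be in Managers AND be signed in from a ManagersWKS computer; the
# device half is only evaluable because compound authentication (enabled in
# Exercise 1) puts the device's groups into the user's ticket.
$confAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
           "(XA;;$modify;;;AU;(Member_of {SID($managers)} && Device_Member_of {SID($wksGroup)}))"
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition "(@RESOURCE.$confProp == `"High`")" `
    -CurrentAcl $confAcl

# Task 2: one policy per rule, as in the lab.
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Read back: the conditions and ACLs as stored in AD DS.
Get-ADCentralAccessRule   -Filter * | Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Filter * -Properties Members | Format-List Name, Members
```

Publishing the policies through Group Policy (Task 3) and applying them to the folders (Task 4) remain the GUI steps that follow. A central access policy is an additional gate, not a replacement for the NTFS ACL: a user still needs matching NTFS permissions, and the effective result is the intersection of both.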

X Task 3: Publish Central Access Policy with Group Policy

1. On LON-DC1, from Server Manager, open the Group Policy Management console.

2. Create a new GPO named DAC Policy and link it to the organizational unit Test.

3. Edit the DAC Policy and browse to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then right-click Central Access Policy.

4. Click Manage Central Access Policies.

5. Click both Department Match and Protect confidential docs, and then click Add. Click OK.

6. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 4: Apply Central Access Policy to resources

1. On LON-SVR1, start Windows PowerShell.

2. Refresh Group Policy on LON-SVR1.

3. Open Windows Explorer, and browse to the C:\Docs folder.

4. Apply the Protect confidential docs Central Policy to the C:\Docs folder.

5. Browse to the C:\Research folder.

6. Apply the Department Match Central Policy to the C:\Research folder.

X Task 5: Configure access denied remediation settings

1. On LON-DC1, open the Group Policy Management console.

2. Edit the DAC Policy.

3. Under the Computer Configuration node, expand Policies, expand Administrative Templates, expand System, and then click Access-Denied Assistance.

4. In the right pane, double-click Customize Message for Access Denied errors.

5. In the Customize Message for Access Denied errors window, click Enabled.

6. In the Display the following message to users who are denied access text box, type: You are denied access because of permission policy. Please request access.

7. Select the check box Enable users to request assistance. Click OK.

8. Double-click Enable access-denied assistance on client for all file types and enable it.

9. Click OK and close the Group Policy Management Editor and the Group Policy Management console.

10. Switch to LON-SVR1, and refresh Group Policy.

Results: After completing this exercise you will have configured central access rules and policies.

Exercise 5: Validating and Remediating Access Control

Scenario

To ensure that the Dynamic Access Control settings are configured correctly, you plan to test various scenarios for users to access the files. You plan to try both approved users and devices and unapproved users and devices. You also plan to validate the access remediation configuration.

The main tasks for this exercise are as follows:

1. Verify Dynamic Access Control functionality.

2. Configure staging for Dynamic Access Policy.

3. Configure staging permissions.

4. Verify staging.

5. Use effective permissions to test Dynamic Access Control.

6. To prepare for next module.

X Task 1: Verify Dynamic Access Control functionality

1. Log on to LON-CL1 as Adatum\April with the password Pa$$w0rd.

2. Click the Desktop tile and then open Windows Explorer.

3. Browse to \\LON-SVR1\Docs. Verify that you can only open Doc3.

4. Try to access \\LON-SVR1\Research. You should be unable to access it.

5. Log off of LON-CL1.

6. Log on to LON-CL1 as Adatum\Allie with the password of Pa$$w0rd.

7. Open Windows Explorer and try to access \\LON-SVR1\Research.
   Note: You should be able to access it as well as open files in it.

8. Log off of LON-CL1.

9. Log on to LON-CL1 as Adatum\Aidan with the password of Pa$$w0rd.

10. Open Windows Explorer and try to access \\LON-SVR1\Docs.
   Note: You should be able to open all files in this folder.

11. Log off of LON-CL1.

12. Log on to LON-CL2 as Adatum\Aidan with the password of Pa$$w0rd.

13. Open Windows Explorer and try to access \\LON-SVR1\Docs.
   Note: You should be unable to see Doc1 and Doc2 since LON-CL2 is not permitted to view secret documents.

X Task 2: Configure staging for Dynamic Access Policy

1. On LON-DC1, open Group Policy Management.

2. Edit the DAC Policy GPO.

3. In the Group Policy Management Editor, browse to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies.

4. Select Object Access.

5. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.

6. Double-click Audit File System. Select all three check boxes, and then click OK.

7. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 3: Configure staging permissions

1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.

2. Open the Properties for the Department Match Central Access Rule.

3. In the Proposed permissions section, configure a condition for Authenticated Users as follows: User-Company Department-Equals-Value-Marketing.

4. Switch to LON-SVR1 and refresh Group Policy.

X Task 4: Verify staging

1. Log on to LON-CL1 as Adatum\Adam with the password of Pa$$w0rd.

2. Open Windows Explorer and attempt to access \\LON-SVR1\Research. You will be unsuccessful. Click Close.

3. Switch to LON-SVR1.

4. From Server Manager, open Event Viewer and select the Security log. Look for events with Event ID 4818.
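Tasks 3 and 4 can be done from Windows PowerShell as well, which also makes the staging result easier to collect than scrolling the Security log. The block below is an added example, not code from the course: it sets the proposed ACL on the Department Match rule with Set-ADCentralAccessRule -ProposedAcl and then pulls the event ID 4818 records from LON-SVR1 with Get-WinEvent. It assumes the rule and the Company Department claim type from the earlier exercises exist and that the audit subcategory from Task 2 has applied on the file server.

```powershell
# Added example (not from the course): Exercise 5, Tasks 3 and 4 from Windows
# PowerShell. Assumes the Department Match rule and the Company Department
# claim type from the earlier exercises exist, and that the DAC Policy GPO has
# turned on the "Audit Central Access Policy Staging" subcategory on LON-SVR1.
Import-Module ActiveDirectory

$deptClaim = (Get-ADClaimType -Filter 'DisplayName -eq "Company Department"').ID
if (-not $deptClaim) { throw 'Company Department claim type not found; complete Exercise 2 first.' }

# Task 3: a proposed ACL. Staging never enforces it; the file server evaluates
# both the current and the proposed ACL on every access and logs an event when
# they disagree. Here Authenticated Users would get Modify only when their
# department claim is "Marketing", so Research users, who are allowed today,
# would lose access, and the staging events show exactly that before anyone
# is affected.
$proposed = "O:SYG:SYD:AR(A;;FA;;;OW)" +
            "(XA;;0x1301bf;;;AU;(@USER.$deptClaim == `"Marketing`"))"
Set-ADCentralAccessRule -Identity 'Department Match' -ProposedAcl $proposed

# Task 4: after a Group Policy refresh on LON-SVR1 and a test access from a
# client, collect the staging events on the file server. Event ID 4818 means
# the proposed central access policy would not grant the same access as the
# current one; the message body names the user, the object and both results.
$events = Invoke-Command -ComputerName 'LON-SVR1' -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20
}
$events | Format-List TimeCreated, MachineName, Message

# Once the proposed ACL behaves as intended, promote it to the enforced ACL:
# Set-ADCentralAccessRule -Identity 'Department Match' -CurrentAcl $proposed
```

If Get-WinEvent returns nothing, check the order of operations: the proposed ACL must replicate to the file server's cached policy (Group Policy refresh), the audit subcategory must be applied, and a user whose result differs between the two ACLs must actually touch the folder. No 4818 event for a user who is denied by both ACLs is the expected outcome, not a failure.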

X Task 5: Use effective permissions to test Dynamic Access Control

1. On LON-SVR1, open the properties for C:\Research.

2. Open Advanced options for Security.

3. Click the Effective access tab.

4. Click Select a user.

5. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and then click OK.

6. Click View effective access.

7. Review the results. April should not have access to this folder.

8. Click Include a user claim.

9. Select Company Department from the drop-down list.

10. Type Research in the Value text box.

11. Click View effective access. April should have access now.

X Task 6: To prepare for next module

When you have finished the lab, revert the virtual machines to their initial state.

Results: After this exercise, you will have validated Dynamic Access Control functionality.


Module Review and Takeaways


Best Practices

Use Central Access Policies instead of configuring conditional expressions on resources.

Enable Access Denied Assistance settings.

Always stage changes to Central Access Rules and Policies before implementation.

Use file classifications to assign properties to files.

Common Issues and Troubleshooting Tips

Common Issue: Claims are not populated with appropriate values
Troubleshooting Tip:

Common Issue: Conditional expression does not enable access
Troubleshooting Tip:

Review Questions

What is a claim?

What is the purpose of Central Access Policy?

What is Access Denied Assistance?

Tools

Active Directory Administrative Center


Module 11
Implementing Active Directory Domain Services
Contents:
Module Overview 11-1
Lesson 1: Deploying AD DS Domain Controllers 11-2
Lesson 2: Configuring AD DS Domain Controllers 11-11
Lesson 3: Implementing Service Accounts 11-16
Lesson 4: Implementing Group Policy in AD DS 11-19
Lesson 5: Maintaining AD DS 11-28
Lab: Implementing AD DS 11-35
Module Review and Takeaways 11-40

Module Overview

Active Directory Domain Services (AD DS) is the central location for configuration information,
authentication requests, and information about all the objects that are stored in an Active Directory forest.
Using AD DS, you can efficiently manage users, computers, groups, printers, and other directory-enabled
objects from one secure, central location. Windows PowerShell has become the single engine for
configuration and maintenance from both graphical and command-line interfaces. This module discusses
deployment and configuration of domain controllers, service accounts in AD DS, Group Policy, and
maintenance of AD DS.

Objectives
After completing this module you will be able to:

Deploy domain controllers.

Configure domain controllers.

Implement service accounts.

Implement Group Policy.

Maintain AD DS.

Lesson 1
Deploying AD DS Domain Controllers

To establish the Active Directory forest and the first domain in the forest, you must create at least one domain controller. In this lesson, you will learn about the new features of AD DS in Windows Server 2012 and the various methods for deploying domain controllers.

Lesson Objectives
After completing this lesson you will be able to:

Describe what's new in AD DS in Windows Server 2012.

Deploy domain controllers.

Deploy domain controllers on a Server Core installation of Windows Server 2012.

Deploy domain controllers using the Install From Media feature.

Clone virtual domain controllers.

Upgrade to AD DS in Windows Server 2012.

Troubleshoot domain controller deployment.

What's New in AD DS in Windows Server 2012?

Windows Server 2012 has several new features for AD DS. The Windows PowerShell command-line interface is the underlying component behind installations and configurations. It enables full scripting and automation and new graphical user interfaces for previous command-line-only activities. Some new features are described in the following table.

Feature: Deployment
Improvement: Server Manager now enables installation of the AD DS role on remote as well as local computers. The Active Directory Domain Services Configuration Wizard replaces Active Directory Installation Wizard (also called DCPromo). Deployment now uses Windows PowerShell in the background. When you install Active Directory on the member server, Windows Server 2012 performs prerequisite checks that validate domain and forest readiness.

Feature: Simplified administration
Improvement: Improvements to configure and monitor AD DS through the Server Manager console include:
   A graphical user interface for the Active Directory Recycle Bin.
   A graphical user interface to implement fine-grained passwords.
   Group Policy health monitoring.
   AD DS-specific performance monitoring and best practice analysis.
   Active Directory management tools, which you can open from the Server Manager console.

Feature: Support for Virtualized Domain Controllers
Improvement: Improvements in the virtual environment include:
   Cloning domain controllers is now a supported option to enable automated deployment and rollback protection.
   Restoration of domain controller snapshots does not disrupt the AD DS environment.

Feature: Active Directory Module for Windows PowerShell
Improvement: The Active Directory module has new cmdlets for replication topology management, Dynamic Access Control, and other operations. It is no longer necessary to use Active Directory Installation Wizard (also called DCPromo) to create a domain controller. When you use Windows PowerShell to install AD DS, Active Directory Installation Wizard functionality is now included in the cmdlet.

Feature: Windows PowerShell History Viewer
Improvement: When administrators use the Active Directory Administrative Center, they can now view the underlying Windows PowerShell commands that are executed. This helps reduce the time required to learn the Windows PowerShell commands.

Feature: Active Directory Federation Services (AD FS)
Improvement: AD FS is now included as a server role with Windows Server 2012. This version provides a less complex trust setup and management process, an ability to extend the claims attribute store and a broader scope for defining claims. AD FS services are frequently required for hybrid cloud deployments.

Feature: Active Directory Based Activation (AD BA)
Improvement: Key Management Servers (KMS) are no longer required to activate computers running Windows Server 2012 and Windows 8. Activating the initial customer-specific volume license key (CSVLK) requires a one-time contact with Microsoft activation over the Internet.

Deploying AD DS Domain Controllers

With Windows Server 2008, you could deploy a domain controller by installing the AD DS role to add the binary files and then using Active Directory Installation Wizard to install AD DS. In Windows Server 2012 you deploy a domain controller by using Server Manager to add the AD DS role. You use a separate wizard to configure AD DS within Server Manager.

You can add the AD DS role binaries using these four methods:

The graphical Server Manager.

The Server Manager module.

Dism.exe.

Active Directory Installation Wizard (also called DCPromo).
Using Server Manager

You can use the graphical wizard in Server Manager to install the binary files and perform all the required configuration of a domain controller. The deployment wizard uses a single expanding dialog box and can do the following:

Install AD DS remotely.

Install DNS by default.

Configure the domain controller as a global catalog by default.

Display advanced mode settings.

Prepare schema extension and domain preparation automatically in the background.

Note: These new features are not backward compatible with Windows Server 2008 R2 or earlier versions of Windows Server. For more information, refer to Understand and Troubleshoot AD DS Simplified Administration in Windows Server 8 Beta.docx from http://www.microsoft.com/en-us/download/details.aspx?id=29019.

Using Windows PowerShell
You can add AD DS binaries using the Active Directory module for local or remote installations.

Using DISM
The Deployment Image Servicing and Management (DISM) tool is part of the Windows Automated Administration Kit (WAIK). It is more complex than, and not as flexible as, Windows PowerShell. DISM is usually associated with creating deployment images for Windows Deployment Services.

Using Active Directory Installation Wizard

Active Directory Installation Wizard (also called DCPromo) no longer has a GUI and is only supported with the Unattend option. It is no longer recommended.

Note: System requirements to install Windows Server 2012 are unchanged from Windows Server 2008 R2.

Deploying AD DS Domain Controllers on Server Core

Server Core is a version of Windows Server 2012 that has no graphical interface. Server Core provides a minimal environment for running server roles. It reduces disk space usage and maintenance, and presents a smaller attack surface. You can now install AD DS on Server Core by using Windows PowerShell for a local or remote installation. Or you can use the GUI in Server Manager on a remote system to perform the installation.

Installing the AD DS Role Locally
To install the AD DS Role locally:

1. Install the AD DS binary files. At the local Windows PowerShell command prompt, type the cmdlet Install-WindowsFeature -name AD-Domain-Services, and then press Enter.

2. Configure AD DS. At the Windows PowerShell command prompt, type the cmdlet Install-ADDSDomainController -domainname Adatum.com, with other arguments as required, and then press Enter.

Windows PowerShell Remote Installation

You can run Windows PowerShell cmdlets against remote servers. Start by installing the AD DS binary files. Then use the invoke-command cmdlet. For example:

invoke-command {install-addsdomaincontroller -domainname Adatum.com -credential (get-credential)} -computername NYC-DC3

Note: Guidance for using Windows PowerShell to establish a Windows Server 2012 AD DS environment can be found here: http://technet.microsoft.com/en-us/library/hh472162#BKMK_PSForest.
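The two local steps and the remote invoke-command form above are the whole procedure; the following added example (not code from the course) writes it out in full with the ADDSDeployment cmdlets, adding the prerequisite check that the text says Windows Server 2012 performs and passing the DSRM password as a SecureString. The server name NYC-DC3 follows the text; the site name and the prompts are assumptions.

```powershell
# Added example (not from the course): promoting a member server to an
# additional domain controller for Adatum.com with the ADDSDeployment cmdlets,
# locally and then remotely. The server name NYC-DC3 follows the course text;
# the site name is an assumption. Run in an elevated Windows PowerShell session.

# The domain credential is passed explicitly to every cmdlet, so the remote
# case does not need credential delegation (CredSSP). The DSRM password must be
# a SecureString; never put it in the script as plain text.
$cred     = Get-Credential -Message 'Adatum domain admin credentials'
$safeMode = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) administrator password'

# ---- Local installation (Server Core or full installation) ----------------
# Step 1: add the role binaries (the management tools give you the AD module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Dry run: validates forest/domain readiness, DNS, the credential and the
# target site without making changes. Fix anything it reports before promoting.
Test-ADDSDomainControllerInstallation -DomainName 'Adatum.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $safeMode `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns

# Step 2: promote. -NoRebootOnCompletion leaves time to read the log
# (%SystemRoot%\debug\dcpromo.log) before the restart; -Force suppresses the
# confirmation prompt only, not the prerequisite checks.
Install-ADDSDomainController -DomainName 'Adatum.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $safeMode `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -NoRebootOnCompletion `
    -Force

# ---- Remote installation: the same two steps inside Invoke-Command ---------
# The SecureString travels as an argument; PowerShell remoting serializes it
# encrypted with the session key, so it is not sent in the clear.
Invoke-Command -ComputerName 'NYC-DC3' -Credential $cred `
    -ArgumentList $cred, $safeMode -ScriptBlock {
    param($DomainCred, $DsrmPassword)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    Install-ADDSDomainController -DomainName 'Adatum.com' `
        -Credential $DomainCred `
        -SafeModeAdministratorPassword $DsrmPassword `
        -InstallDns `
        -Force
}
```

The remote variant requires Windows PowerShell remoting to be enabled on the target (it is on by default on Windows Server 2012) and an account that is a member of Domain Admins, since promotion writes to the domain and configuration partitions. Running Test-ADDSDomainControllerInstallation first is what turns a failed promotion halfway through into a clear list of prerequisites to fix.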

Server Manager Remote Installation
To use Server Manager to install the AD DS Role remotely, perform these high-level steps:

1. Add the Server Core computer as another computer to manage.

2. Create a server group containing the Server Core computer.

3. Use the Add Roles and Features Wizard to install AD DS.

4. Complete the configuration by running the Active Directory Domain Services Configuration Wizard.

Deploying AD DS Domain Controllers by using Install From Media (IFM)
Another method for installing AD DS is to install from an installation media created by using the Ntdsutil.exe utility. Installation media is created from an existing domain controller in the form of a backup. The advantage of installing from media is that it reduces the directory replication traffic required to synchronize the new domain controller. By default, a new domain controller replicates all the data for all Directory partitions that it hosts from other domain controllers. When you use IFM the new domain controller has most of the AD DS data. It only replicates updates that have occurred since the backup media was created.

Creating the IFM media
Windows Server 2012 has two new options that enable you to create IFM media without first performing an online defrag of the exported NTDS.DIT database file. The Ntdsutil.exe can now create six types of installation media as described in the following table.

Type of installation media | Parameter | Description
Full (or writable) domain controller | Create Full PathToMediaFolder | Creates installation media for a writable domain controller instance in the folder that is identified in the path.
Read-only domain controller (RODC) | Create RODC PathToMediaFolder | Creates installation media for an RODC in the folder that is identified in the path.
Full (or writable) domain controller with SYSVOL | Create Sysvol Full PathToMediaFolder | Creates installation media for a writable domain controller with SYSVOL in the folder that is identified in the path. Note: Does not work on Windows Server 2012.
RODC with SYSVOL | Create Sysvol RODC PathToMediaFolder | Creates installation media for an RODC with SYSVOL in the folder that is identified in the path. Note: Does not work on Windows Server 2012.
Create Full NoDefrag | Create Full NoDefrag %s | Creates installation media without defragmenting for a full Active Directory domain controller or an Active Directory Lightweight Directory Services (AD LDS) instance into folder %s.
Create Sysvol Full NoDefrag | Create Sysvol Full NoDefrag %s | Creates installation media with SYSVOL without defragmenting for a full Active Directory domain controller or an AD LDS instance into folder %s.

Steps to Create IFM Media
To create IFM media, perform the following steps on an existing domain controller that is running the same operating system as the destination computer:
1. Enter the ntdsutil context. At the Windows command prompt type NTDSUTIL, and then press Enter.
2. At the NTDSUTIL: prompt type Activate instance NTDS, and then press Enter.
3. Type IFM.
4. At the IFM: prompt, type the command for the type of installation media you want to create. For example, to create media for a writable domain controller with SYSVOL to a folder named Media, type Create Sysvol Full C:\Media.

To use IFM to create additional domain controllers in the domain, you can refer to a shared folder or
removable media where you store the installation media on the Install from Media page in the Active
Directory Domain Services Installation Wizard or by using the /ReplicationSourcePath parameter during
an unattended installation.

Install From Media Characteristics
IFM has the following characteristics:
• Installation from media does not work across different operating system versions. You must generate media from an existing Windows Server 2012 domain controller to install AD DS on a computer running Windows Server 2012.
• When the Active Directory Recycle Bin is enabled, any installation media that was created before the Active Directory Recycle Bin was enabled is no longer valid. Create new installation media while Active Directory Recycle Bin is enabled.
• To create the IFM you must have permissions to make a backup on a domain controller.

Deploying AD DS Read-Only Domain Controllers
The read-only domain controller (RODC) was introduced with Windows Server 2008. An RODC hosts read-only partitions of the AD DS database. This means that no AD DS change requests are made directly to the database copy stored by the RODC. Instead, AD DS modifications are forwarded to RODCs through replication with a writable domain controller. All RODC AD DS replication uses a one-way, incoming-only connection from a domain controller that has a writable AD DS database copy.

RODCs are primarily designed for branch office deployments where you cannot guarantee the physical security of the AD DS computers. By deploying an RODC in a branch office, you can give users a local domain controller to facilitate efficient AD DS logon and Group Policy application, even if the WAN link to the main office (where read/write domain controllers are located) is not available. A locally based RODC configured to cache passwords of local users ensures faster logons compared to logging on across a slow network connection to authenticate with a remote domain controller.

Characteristics of RODC
RODCs have the following characteristics:
• Server Core installations support RODCs.
• An RODC cannot hold an operations master role.
• An RODC cannot be a site bridgehead server.
• RODCs only support incoming replication.
• Caching of credentials of users and computers can be explicitly enabled or denied. This can be configured in the Active Directory Configuration Wizard. By default, no user credentials are cached.
• Users can be delegated administrative rights to a specific RODC without being granted rights to AD DS. This can be configured in the Active Directory Configuration Wizard.
• RODCs support read-only Domain Name System (DNS).
• RODC can use the IFM feature for deployment.

Preparing to Install RODC
Several prerequisites must be in place before you install an RODC. They are:
• Forest functional level must be at least 2003. The Windows Server 2012 Active Directory Configuration Wizard does not let you continue if the domain is not able to support an RODC.
• There must be a writable domain controller running Windows 2008 or later versions in the same domain.
• The domain must be prepared with the Adprep.exe /rodcprep command. Windows Server 2012 performs this step automatically when you install a writable domain controller.

Installing the RODC
You can install an RODC through the Active Directory Configuration Wizard. On the Additional Domain Controller Options page, select the check box for Read-only domain controller (RODC).
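An RODC promotion from Windows PowerShell, as an added example that is not part of the course text. It verifies the prerequisites listed above, sets the password replication policy (the credential caching the characteristics list describes) and delegates local administration without granting AD DS rights. Adatum.com is the course domain; the site, group, account and RODC names are assumptions.

```powershell
# Added example (not from the course text): promote a Server Core machine as an RODC
# with an explicit password replication policy and a delegated administrator.
# Adatum.com is from the course; site, group, account and RODC names are assumptions.

# Prerequisite: forest functional level of at least Windows Server 2003.
$forest = Get-ADForest
if ($forest.ForestMode -lt 'Windows2003Forest') {
    throw "Forest mode $($forest.ForestMode) is too low for an RODC"
}

# Prerequisite: a writable Windows Server 2008 or later DC in the domain.
$writable = Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match '2008|2012' }
if (-not $writable) { throw 'No writable Windows Server 2008 or later DC found' }

# Group whose members the RODC may cache (run where the AD module can reach a
# writable DC). Keeping privileged accounts on the deny list means their secrets
# never land on a DC whose physical security cannot be guaranteed.
New-ADGroup -Name 'Branch-Cached-Users' -GroupScope Global -Path 'OU=Branch,DC=Adatum,DC=com'

# Promotion, run on the RODC itself. By default nothing is cached; the allow list
# opts the branch users in, the deny list keeps admins out.
Install-ADDSDomainController `
    -DomainName 'Adatum.com' `
    -ReadOnlyReplica `
    -SiteName 'Branch-Site' `
    -InstallDns `
    -DelegatedAdministratorAccountName 'ADATUM\Branch-Admins' `
    -AllowPasswordReplicationAccountName @('ADATUM\Branch-Cached-Users') `
    -DenyPasswordReplicationAccountName @('ADATUM\Domain Admins', 'ADATUM\Enterprise Admins') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Credential (Get-Credential -Message 'Domain Admin credentials') `
    -Force

# After promotion: what the RODC may cache, what it may not, and what it has
# actually cached so far (the set at risk if the branch server is stolen).
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC1' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC1' -Denied
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BRANCH-RODC1' -RevealedAccounts
```

The last cmdlet is the one to keep in a scheduled report: the revealed-accounts list is exactly the set of credentials that would need resetting if the RODC were lost.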

Cloning Virtual AD DS Domain Controllers
Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In versions of Windows earlier than Windows Server 2012, you created virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs have two new capabilities:
• Domain controllers can be safely cloned to deploy additional capacity and save configuration time.
• Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.

Safe Cloning
A cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media.

Safe Backup and Restore
Rolling back to a previous snapshot of a VDC is problematic because Active Directory uses multi-master replication that relies on transactions being assigned numeric values called Update Sequence Numbers (USNs). The VDC tries to assign USNs to prior transactions that have already been assigned to valid transactions. This causes inconsistencies in the Active Directory database. Windows Server 2012 implements a process that is known as USN rollback protection. With this in place the VDC does replicate and must be forcibly demoted or manually restored non-authoritatively.

Windows Server 2012 now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently disabling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion.

Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following high level steps:
1. Create a DcCloneConfig.xml file that contains the unique server configuration.
2. Copy this file into the location of the AD DS database (C:\Windows\NTDS by default).
3. Take the VDC offline and export or copy it.
4. Create a new virtual machine by importing the exported one. This virtual machine is automatically promoted as a unique domain controller.

Note: There is no graphical interface to create the cloning xml files. However, there is a Windows PowerShell script in development for out of band release, and the XML schema is included.

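Steps 1 and 2 of the cloning procedure, done with the cmdlets the Active Directory module ships for this purpose. This is an added example and not the course's own script; the source and clone names, the site and the addresses are assumptions.

```powershell
# Added example (not from the course text): prepare a virtualized DC for cloning.
# Run on the source VDC. LON-DC1/LON-DC2, the site and the addresses are assumptions.

# 1. The source DC must be a member of Cloneable Domain Controllers; that membership
#    is what authorizes the copy to promote itself when it first boots.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer 'LON-DC1')

# 2. List installed software that is not on DefaultDCCloneAllowList.xml. Anything
#    returned must be removed or explicitly approved before cloning, because the clone
#    would otherwise carry it with the source's identity baked in.
$unapproved = Get-ADDCCloningExcludedApplicationList
if ($unapproved) {
    $unapproved | Format-Table -AutoSize
    # After review, this writes CustomDCCloneAllowList.xml next to the database.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 3. Write DCCloneConfig.xml into the NTDS folder. The cmdlet also re-runs the
#    membership and allow-list checks. -Static fixes the address; omit it and the
#    IPv4 settings to let the clone use DHCP.
New-ADDCCloneConfigFile `
    -CloneComputerName 'LON-DC2' `
    -SiteName 'Default-First-Site-Name' `
    -Static `
    -IPv4Address '172.16.0.11' `
    -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' `
    -IPv4DNSResolver '172.16.0.10'

# 4. Confirm the file is beside the database. The path is read from the DSA working
#    directory rather than assumed, in case the database was relocated from C:\Windows\NTDS.
$ntdsPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
Test-Path (Join-Path $ntdsPath 'DCCloneConfig.xml')

# Next (steps 3 and 4 of the text): shut the VM down, export it, import the copy as
# a new VM and start it; the copy promotes itself using the local database as media.
```

Leaving the source running while the copy is taken is the mistake the membership and config-file checks cannot catch, so step 3 of the procedure (take the VDC offline first) is not optional.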

Upgrading to Windows Server 2012 AD DS
You can upgrade an existing domain controller to Windows Server 2012. You can only upgrade a domain controller created in Windows Server 2008 x64 or Windows Server 2008 R2. You cannot perform an in-place upgrade on Windows Server 2003.

To perform an in-place upgrade of a computer that has the AD DS role installed, you must first use Adprep.exe /forestprep and Adprep.exe /domainprep to prepare the forest and domain. An in-place operating system upgrade does not perform automatic schema and domain preparation. Adprep.exe is included on the installation media in the \Support\Adprep folder. There are no additional configuration steps after that point and you can continue to run the OS upgrade.

Note: We recommend a clean installation.

Troubleshooting AD DS Domain Controller Deployments
If you encounter errors when you create a domain controller, you can use troubleshooting tools and methodologies to resolve the problem. There are also logs and utilities available.

Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller promotion and demotion. There are many logs created during the installation and promotion of a domain controller, as shown in the following table.

Phase | Log
Server Manager or AD DS Deployment Windows PowerShell operations | %systemroot%\debug\dcpromoui.log
Installation/Promotion of the domain controller | %systemroot%\debug\dcpromo.log; %systemroot%\debug\dcpromoui*.log; %systemroot%\debug\dcpromo*.log; Event viewer\Windows logs\System; Event viewer\Windows logs\Application; Event viewer\Applications and services logs\Directory Service; Event viewer\Applications and services logs\File Replication Service; Event viewer\Applications and services logs\DFS Replication

Tools and Commands for Troubleshooting Domain Controller Configuration
If the logs do not provide enough information, you can use the following tools for troubleshooting:
• Dcdiag.exe. Runs multiple tests to assess the overall health of AD DS.
• Repadmin.exe. Assists administrators in diagnosing replication problems between Windows domain controllers.
• AutoRuns.exe. Shows you what programs are configured to run during system bootup or logon, and shows you the entries in the order Windows processes them.
• Task Manager. Provides detailed information about running applications, processes, and services, and provides performance and networking statistics.
• MSInfo32.exe. Displays a comprehensive view of your hardware, system components, and software environment.
• Network Monitor. Enables capturing and protocol analysis of network traffic.

Methodology for Troubleshooting
Many errors are easy to correct. Check these items first:
• Is this a syntax error? Check the naming, credentials, and syntax of Windows PowerShell.
• Did the prerequisite check fail? Resolve the issue and try again.
• Did the error occur during the promotion phase? Examine the logs. Use Dcdiag and Repadmin to validate Active Directory health.
• Check for third-party software that may be preventing the promotion and remove it.
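The logging table, the tool list and the checklist above, collected into one triage pass that a practitioner can run on a freshly promoted (or failed) domain controller. This is an added example, not part of the course; the output folder is an assumption, and the Autoruns step is skipped when the Sysinternals tool is not installed.

```powershell
# Added example (not from the course text): gather the promotion logs and health
# checks from the text into one pass. Run on the new domain controller. The output
# folder is an assumption for this example.

$out = Join-Path $env:TEMP 'dcpromo-triage'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Promotion logs (%systemroot%\debug\dcpromo*.log): the tail carries the failing step.
Get-ChildItem "$env:SystemRoot\debug\dcpromo*.log" | ForEach-Object {
    Get-Content $_.FullName -Tail 40 | Set-Content (Join-Path $out $_.Name)
}

# 2. Critical/error/warning events since the last boot from the logs the table lists.
#    A log that does not exist on this build (FRS on a DFSR-only DC) is skipped.
$since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$logs  = 'System', 'Application', 'Directory Service', 'DFS Replication', 'File Replication Service'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Export-Csv (Join-Path $out 'events.csv') -NoTypeInformation

# 3. Dcdiag and Repadmin, as the checklist recommends. dcdiag prints "failed test"
#    for each failing test, which is the reliable signal to key on.
$dcdiagFile = Join-Path $out 'dcdiag.txt'
& dcdiag.exe /q > $dcdiagFile
$dcdiagOk = -not (Select-String -Path $dcdiagFile -Pattern 'failed test' -Quiet)
& repadmin.exe /replsummary          > (Join-Path $out 'replsummary.txt')
& repadmin.exe /showrepl /errorsonly > (Join-Path $out 'replerrors.txt')

# 4. Third-party software loading at boot, logon or as a service (the last checklist
#    item). autorunsc is a Sysinternals download, so run it only when present;
#    -m hides Microsoft-signed entries so only third-party items remain.
if (Get-Command autorunsc.exe -ErrorAction SilentlyContinue) {
    & autorunsc.exe -accepteula -a bls -c -m > (Join-Path $out 'autoruns.csv')
}

"dcdiag clean: $dcdiagOk; details in $out"
```

Keeping the collected files together makes the difference between a failed prerequisite check (visible in dcpromoui.log) and a failure during promotion (dcpromo.log plus the Directory Service log) obvious at a glance, which is the distinction the checklist turns on.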

Lesson 2
Configuring AD DS Domain Controllers

After you install AD DS and create new domain controllers, you must address several Active Directory configuration issues. You can address some of these issues, such as creating a global catalog, during or after the promotion. You address others after the promotion.

Lesson Objectives
After completing this lesson you will be able to:
• Configure the global catalog.
• Configure universal group membership caching.
• Configure operations masters.
• Manage domain and forest functional levels.

Configuring the Global Catalog
The global catalog is a special partition of Active Directory that stores information about all Active Directory objects. It does not contain all attributes of all objects, but instead contains a subset of attributes that are useful for searching. The global catalog is mainly relevant in a multi-domain environment. It enables searches across domain boundaries to find objects in Active Directory. The global catalog acts as an index of Active Directory. Certain applications rely on the global catalog, such as Exchange Server.

Global Catalog Characteristics
Global catalogs are unique to Active Directory and have the following characteristics:
• The global catalog can only exist on a domain controller.
• At least one global catalog must exist in every forest.
• It is possible and frequently desirable to have multiple global catalogs. For example, have a global catalog in each AD DS site so that user authentication occurs in a timely, efficient manner.
• Global catalogs can be created during the promotion process or at any time after.
• Global catalogs can affect replication traffic.
• Global catalogs listen on ports 3268/3269 by default.

Creating a Global Catalog
The first domain controller in the forest is a global catalog because at least one global catalog is required per forest. You can remove the domain controller's designation as a global catalog later after you have created other global catalogs.
For each additional domain controller, you can create a global catalog by ensuring that you select the check box in the Active Directory Configuration Wizard during the promotion. By default, all domain controllers are assumed to be global catalogs.

You can also add or remove the global catalog from a domain controller by using the Active Directory Sites and Services MMC and editing the properties of the NTDS Settings node of the domain controller.

Alternatively, you can use the Active Directory module of Windows PowerShell to enable a global catalog.

Configuring Universal Group Membership Caching
Universal groups include users and groups from multiple domains in a forest. The membership of universal groups is replicated in the global catalog. When a user logs on, the user's universal group membership is obtained from a global catalog server. If a global catalog is not available then universal group membership is not available. Configuring universal group membership caching addresses this problem.

Note: This problem does not arise when every domain controller is a global catalog.

You can alleviate denial of authentication by enabling Universal Group Membership Caching on the local AD DS site. With this enabled, by default all domain controllers in that site obtain universal group membership information from a global catalog for a user when the user first logs on to the site. The domain controller caches that information indefinitely, as long as it can update universal group membership information every eight hours. If the local domain controller cannot contact a global catalog, then the cached group membership information is considered invalid after seven days. This value is called the staleness interval and is set in the registry. If a network outage of less than seven days prevents the local domain controller from contacting the global catalog, the user is still authenticated successfully by using the cached group information.

Enabling Universal Group Membership Caching
You can also enable Universal Group Membership Caching on a domain controller by using the Active Directory Sites and Services MMC, and editing the properties of the NTDS Settings node of the domain controller.
You can also use the Active Directory module for Windows PowerShell to enable Universal Group Membership Caching.
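The Windows PowerShell route mentioned in both the global catalog section and the caching section above, as one added example that is not code from the course. The global catalog flag is bit 1 of the options attribute on the domain controller's NTDS Settings object, and Universal Group Membership Caching is stored on the site's NTDS Site Settings, which Set-ADReplicationSite exposes. Domain controller and site names are assumptions.

```powershell
# Added example (not from the course text): enable or remove the global catalog on a
# domain controller, enable Universal Group Membership Caching for a site, and verify
# both. Domain controller and site names are assumptions.

# The GC flag is bit 1 of "options" on the DC's NTDS Settings object.
function Set-GlobalCatalog {
    param([string]$DomainController, [bool]$Enabled)
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options
    $new     = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    Set-ADObject -Identity $ntds -Replace @{ options = $new }
}

# Windows Server 2012 ships PowerShell 3.0, which has no Test-NetConnection; a raw
# TCP connect to the GC ports (3268/3269) is enough to see whether the DC advertises.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ComputerName, $Port); $client.Connected }
    catch { $false }
    finally { $client.Close() }
}

# One GC per site, as the characteristics list advises; drop it from a DC that no
# longer needs it. A DC only starts answering on 3268 after it has finished
# replicating the read-only partitions, so verify later rather than immediately.
Set-GlobalCatalog -DomainController 'BRANCH-DC1' -Enabled $true
Set-GlobalCatalog -DomainController 'LON-DC3'    -Enabled $false

# Caching is a site setting: turn it on for a site with no GC and name the site
# whose GC refreshes the cache (every eight hours, per the text).
Set-ADReplicationSite -Identity 'Remote-Site' `
    -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite 'Default-First-Site-Name'

# Verification.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
Test-TcpPort -ComputerName 'BRANCH-DC1' -Port 3268
```

The read-modify-write on options matters: replacing the attribute with a bare 1 or 0 would silently clear any other bit already set on that NTDS Settings object.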

Configuring Operations Masters
In any replicated database, such as AD DS, some tasks must be performed by only one AD DS replica holder because they are impractical to perform in a multi-master manner. For example, only one domain controller can be in charge of synchronizing the time across the domain. In an Active Directory domain, operations masters, also known as flexible single master operations, or FSMO, are domain controllers that additionally provide a specific function. There are five specific operations master roles that must be filled. Any domain controller that meets the prerequisites can perform these roles.

Note: A RODC cannot host any operation master roles because, by design, it cannot directly modify the copy of AD DS it holds.

Two of the operations master roles only exist one time for the whole forest. These two roles exist only in the Forest Root Domain and are shown in the following table.

Role | Description
Domain Naming Operations Master | You use the domain naming role when you add or remove domains in the forest. When you add or remove a domain, the domain naming master must be available, or the operation fails.
Schema Operations Master | The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, try to do it directly on the domain controller holding the schema master role. Otherwise, the changes that you request must be sent to the schema master to be written into the schema. If the Schema Master is inaccessible, all attempts to modify the schema will fail.

These roles can be transferred to other domain controllers if required. If a domain controller that is currently holding a role should stop functioning, the role can be forcibly seized by another domain controller.

The other three roles exist in every domain in the forest. They are shown in the following table.

Role | Description
Relative Identifier (RID) Operations Master | The SID of a security principal must be unique. Any read/write domain controller in a domain can create accounts, and therefore, issue SIDs. Active Directory domain controllers generate SIDs by incorporating a unique RID into the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in its domain. In the past it was possible for a domain to reach the limit of the RID issuance (maximum possible of 2^30 or 1,073,741,823). New safeguards were put into place for Windows Server 2012 RID Masters, which include issuing warnings in Event logs when overall RIDs allocated are approaching 10% of usage. You can also increment the number of RIDs allocated to 2^31 (grand total of 2,147,483,648 SIDs). Note: This is the only one of the five FSMO roles that was improved in Windows Server 2012. All other roles retain the same functionality as earlier versions.
Infrastructure Operations Master | In a multi-domain environment, it is common for a local object to reference security principals in other domains. For example, a group can include members from another domain. If the security principal in the other domain is moved or renamed, the infrastructure master in the same domain as the local group updates each remote group member's attribute accordingly.
PDC Emulator Operations Master | Emulates a Primary Domain Controller (PDC) and is probably the most important FSMO role for day-to-day functionality. Password handling: when passwords are changed, the PDC emulator is updated immediately. Focus of Group Policy: when Group Policy objects (GPOs) are being created or edited the action is being performed, by default, on the PDC emulator. Time source for the domain: the PDC emulator provides the time source for all computers joined to AD DS to synchronize to. Domain Master Browser: when you open the Network window and see the list of computers, you are seeing a list that is created by the browser service.

These roles can be transferred to any domain controller in the domain. They do not all have to run on the
same domain controller. For example, one domain controller might hold the PDC Emulator role while
another holds the RID Master role. If a domain controller that is currently holding a role should stop
functioning, the role can be forcibly seized by another domain controller.
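Locating the five role holders, transferring and seizing as described above, and reading the RID pool the RID master section describes, as an added example rather than code from the course. Domain controller names are assumptions; the RID pool decoding relies on the documented layout of the rIDAvailablePool attribute (high 32 bits hold the ceiling, low 32 bits the next RID to allocate).

```powershell
# Added example (not from the course text): find the operations masters, transfer
# roles cleanly, seize only when the holder is gone, and report RID pool usage.
# LON-DC2 and the other names are assumptions.

# Forest-wide roles live on the forest object, domain roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Transfer (both DCs online): the current holder hands the role over gracefully.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' -OperationMasterRole PDCEmulator, RIDMaster

# Seize (holder permanently lost): -Force skips the handshake. The old holder must
# never return to the network afterwards; two RID masters would issue overlapping
# pools and therefore duplicate SIDs.
$oldHolderReachable = Test-Connection -ComputerName $domain.RIDMaster -Count 1 -Quiet
if (-not $oldHolderReachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' -OperationMasterRole RIDMaster -Force -Confirm:$false
}

# RID pool usage from the RID Manager$ object. rIDAvailablePool packs two 32-bit
# values: the ceiling in the high half, the next RID to hand out in the low half.
$ridMgr  = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$ceiling = [int64]($pool -shr 32)
$next    = [int64]($pool -band 0xFFFFFFFF)
[pscustomobject]@{
    RIDsIssued  = $next
    RIDCeiling  = $ceiling
    PercentUsed = [math]::Round(100 * $next / $ceiling, 2)
}

# Windows Server 2012 RID masters log warnings as the pool fills; surface them from
# the Directory Service log without hard-coding event IDs.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2, 3 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RID' } |
    Select-Object TimeCreated, Id, Message
```

With the default ceiling the pool reads 1,073,741,823 (the 2^30 limit from the table); after the Windows Server 2012 ceiling increase the same field reports the larger value, so the script needs no change to report either.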

Managing Domain and Forest Functional Levels
By raising the functional levels, you can enable functionality offered by new versions of Windows. New features are not backward-compatible with older versions of Windows Server. Similarly, until all domain controllers are running Windows Server 2008, 2008 R2, or Windows Server 2012, you cannot implement its improvements to AD DS.
There are two major requirements for raising the functional level:
• All domain controllers must run the correct version of Windows Server.
• You must raise functional levels manually.

Note: The operating system version of the domain controller determines the functional levels. Member servers can be running any version of Windows Server except for Windows NT 4.0. If you raise the functional level to Windows Server 2008, Windows NT 4.0 can no longer be a domain member.

Raising the functional level of either the domain or the forest is a one-way operation. You can never lower a functional level. Therefore, after you have raised the domain functional level to Windows Server 2008, for example, you cannot at a later date add a domain controller running Windows Server 2003 to the same domain.
A forest can have domains that run at different functional levels, but after the forest functional level is raised, you cannot add a domain controller running a lower version of Windows to any domain in the forest.

The Windows Server 2012 forest functional level and domain functional level do not implement new features beyond those of the Windows Server 2008 R2 functional level.
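The two requirements above (every domain controller on a qualifying version, and a manual raise) as a script that refuses to raise anything until the first requirement is verified. This is an added example, not the course's code; Adatum.com is the course domain, and Windows Server 2012 is the target level chosen for the example.

```powershell
# Added example (not from the course text): verify every DC's OS before raising the
# domain and forest functional levels, because the raise is one-way. Adatum.com is
# the course domain; targeting the Windows Server 2012 level is this example's choice.

$domain = Get-ADDomain -Identity 'Adatum.com'
$forest = Get-ADForest
"Current: domain mode $($domain.DomainMode), forest mode $($forest.ForestMode)"

# Requirement 1: every DC in every domain must run the target version. RODCs count.
$tooOld = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2012' } |
        Select-Object HostName, Domain, OperatingSystem
}
if ($tooOld) {
    $tooOld | Format-Table -AutoSize
    throw 'Not every domain controller runs Windows Server 2012; functional levels left unchanged.'
}

# Requirement 2: the raise is manual and irreversible. -WhatIf previews the change;
# -Confirm asks before each domain is committed. Domains first, then the forest.
foreach ($d in $forest.Domains) {
    Set-ADDomainMode -Identity $d -DomainMode Windows2012Domain -Server $d -WhatIf
    Set-ADDomainMode -Identity $d -DomainMode Windows2012Domain -Server $d -Confirm
}
Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -Confirm

# Verify the new levels.
(Get-ADDomain -Identity 'Adatum.com').DomainMode
(Get-ADForest).ForestMode
```

The OS check walks every domain in the forest deliberately: the forest raise fails only if some domain is below the requested level, but the domain raises would otherwise go through one at a time and leave the forest half-converted.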

Lesson 3
Implementing Service Accounts

One common issue that most organizations face is how to securely manage accounts that are used for network services. Many applications use services that require an account for service startup and authentication. As with typical user accounts, you must also effectively manage service accounts to ensure security and reliability.

Lesson Objectives
After completing this lesson you will be able to:
• Describe managed service accounts.
• Describe group managed service accounts.
• Configure managed service accounts.
• Manage service principal names.

What Are Managed Service Accounts
Applications are frequently configured to execute non-interactively on servers that use the security authentication context of the Local Service, Network Service, or Local System accounts. Because these accounts are typically shared by many applications and processes, you cannot isolate their credentials. That is to say, you cannot customize the security settings of these accounts without also affecting all applications and processes that are mapped to them. A Managed Service Account provides an application with its own unique service account. In Windows Server 2012, administrators no longer have to manually administer the credentials for this account.
Managed service accounts in Windows Server 2012 offer the following benefits:
• Automatic password management. A managed service account automatically maintains its own password including password changes. This can better isolate services from other services on the computer.
• Simplified Service Principal Name (SPN) management. SPN management can be automatically managed if the AD DS domain is configured at the Windows Server 2008 R2 domain functional level. For example, if the samAccountName property of the computer is changed, or if the DNS host name property is modified, the managed service account SPN automatically changes from the old name to the new name for all managed service accounts on the computer.

Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application must run Windows Server 2008 R2 or later versions. You must also ensure that the .NET Framework 3.5.x, and the Active Directory Module for Windows PowerShell are both installed on the server.

Note: In versions of Windows earlier than Windows Server 2012, Managed service accounts could not be shared between multiple computers. Each Managed Service Account had to be unique to the computer where the application was run. This type of service account is known as a Standalone Managed Service Account. New in Windows Server 2012 is the ability to create Managed Service Accounts that can be shared with more than one computer (for example, for a clustered set of servers). These types of Managed Service Accounts are called Group Managed Service accounts. They are discussed in the next lesson.

Managing Service Principal Names
Service Principal Names (SPNs) represent the accounts in whose security context a service executes. SPNs support mutual authentication between a client application and a service. SPNs are built either from information that a client computer knows about a service or from a trusted third-party, such as Active Directory. SPNs are associated with accounts and an account can have a different SPN for each service it is used to authenticate and execute.

The basic syntax of a SPN is as follows.
< service type >/< instance name >:< port number >/< service name >

The elements of the syntax have the meanings described in the following table.

Element | Description
Service type | The type of service, such as www for World Wide Web service.
Instance name | The name of the instance of the service. Either the host name or IP address of the server that is running the service.
Port number | Port number that is used by the host for the service if it differs from the default.
Service name | This may be the DNS name of the host, or of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of a remote procedure call (RPC) service object.

If service name and instance name are the same, as they are for most host-based services, then you can abbreviate a service principal name to two components, as follows.
< service type >/< instance name >

Service Names in Active Directory
The syntax for service names in Active Directory includes the distinguished name of the instance of the service. The syntax is as follows.
< service type >/< host name >:< port number >/< distinguished name >
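Registering SPNs in the two-component form described above, and then auditing the domain for the same SPN registered on more than one account, as an added example that is not part of the course. A duplicate SPN is the common reason Kerberos authentication to a service fails and clients silently fall back to NTLM, so the check is worth scheduling. The account, host and service names are assumptions.

```powershell
# Added example (not from the course text): register SPNs on a service account and
# report every SPN that is registered on more than one object in the domain.
# svc-web, web01 and adatum.com are assumptions for this example.

# Register the short and fully qualified HTTP/<host> names, the two forms clients
# will present depending on how they address the server.
$svcAccount = 'svc-web'
$spns = 'HTTP/web01', 'HTTP/web01.adatum.com'
Set-ADUser -Identity $svcAccount -ServicePrincipalNames @{ Add = $spns }

# Read back what is now registered.
(Get-ADUser -Identity $svcAccount -Properties servicePrincipalName).servicePrincipalName

# Find duplicates across users, computers and service accounts. setspn -X performs
# the same check; doing it here yields objects you can report on or alert from.
function Find-DuplicateSpn {
    $index = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()   # SPN matching is case-insensitive
                if (-not $index.ContainsKey($key)) { $index[$key] = @() }
                $index[$key] += $obj.DistinguishedName
            }
        }
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Holders = ($entry.Value -join '; ') }
        }
    }
}
Find-DuplicateSpn | Format-Table -AutoSize -Wrap
```

The hashtable passed to -ServicePrincipalNames also accepts Remove and Replace keys, which is the safe way to retire an SPN from one account before registering it on another, so the duplicate window never opens.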

What Are Group Managed Service Accounts?
As discussed in the previous lesson, Standalone Managed Service Accounts are managed domain-based accounts (that now include automatic password management and simplified SPN management for the service account) for single servers. Group Managed Service Accounts provide the same functionality but for multiple servers. When you connect to a service hosted on a server farm, such as the Network Load Balance (NLB) service, all computers that are running an instance of that service must use the same security principal. When a Group Managed Service Account is used as the service principal, the Windows Server 2012 AD DS manages the password for the account instead of relying on the administrator to manage the password.

Note: Group Managed Service Accounts can only be configured and administered on computers that are running Windows Server 2012.

The Group Managed Service Account has features to deal correctly with hosts that are kept offline for an extended time period. This means that you can deploy a server farm that uses a single Group Managed Service Account identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.

Note: For Windows Server 2012, the Windows PowerShell cmdlets default to managing the Group Managed Service Accounts instead of the original standalone Managed Service Accounts.

Demonstration: Configuring Group Managed Service Accounts
In this demonstration you will see how to create a group managed service account and associate the account with a server.

Demonstration Steps
1. Log on to LON-DC1 as Administrator.
2. Create the KDS root key using the New-KdsRootKey cmdlet. Make the effective time minus 10 hours so the key is effective immediately.
3. Create the new service account named Webservice for the host LON-DC1.
4. Associate the Webservice managed account with LON-DC1.
5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.
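The demonstration steps above as a Windows PowerShell script, added here as an example and not part of the course material; it goes slightly beyond the demonstration by also installing and testing the account on the host. The domain name adatum.com is an assumption (replace it with your own), and the KDS root key is backdated only because this is a single-DC lab.

```powershell
# Added example (not from the course): the gMSA demonstration as a script.
# Assumptions: run as a Domain Admin on LON-DC1; domain name is a placeholder.
Import-Module ActiveDirectory

$domainDns = 'adatum.com'    # assumption: replace with your domain's DNS name
$gmsaName  = 'Webservice'    # account name used in the demonstration
$hostName  = 'LON-DC1'       # host that will run the service

# Step 2: the KDS root key. A new key normally becomes usable only after a
# 10-hour window that lets every DC replicate it; backdating the effective
# time skips that wait. Only do this in a lab with a single DC.
if (-not (Get-KdsRootKey)) {
    New-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# Step 3: create the gMSA. DNSHostName is the name clients resolve for the
# SPN; PrincipalsAllowedToRetrieveManagedPassword restricts which computer
# accounts may fetch the managed password from AD DS (least privilege on
# the secret). Without the -RestrictToSingleComputer switch the cmdlet
# creates a group MSA, as the note above says.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -PrincipalsAllowedToRetrieveManagedPassword ($hostName + '$')

# Step 4: associate the account with the host, then install it locally so the
# host can retrieve and cache the managed password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $gmsaName
Install-ADServiceAccount -Identity $gmsaName

# Step 5: verify. Get-ADServiceAccount shows the object (ObjectClass is
# msDS-GroupManagedServiceAccount for a gMSA); Test-ADServiceAccount returns
# True only if this host can actually retrieve the password, which is the
# check that matters before a service is configured to use it.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Format-List Name, DNSHostName, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword
Test-ADServiceAccount -Identity $gmsaName
```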

Lesson 4
Implementing Group Policy in AD DS


Group Policy has become the major tool for controlling the computing environment in an organization. This lesson points out the new features for Windows Server 2012 and describes some management techniques for controlling users and computers.

Lesson Objectives
After completing this lesson you will be able to:

Describe the new features in Group Policy.

Manage Group Policy objects (GPOs).

Configure Group Policy processing.

Describe Group Policy client-side extensions.

Troubleshoot Group Policy.

Describe best practices for Group Policy implementation.

What's New in Group Policy in Windows Server 2012?
Group Policy was introduced in Windows 2000. Each successive Windows version has introduced new tools or management features, such as the Group Policy Management Console (GPMC). Group Policy in Windows Server 2012 includes the following new features.

Graphical User Interface for Managing Fine-Grained Password Policy
New in Windows Server 2012 is the ability to manage this GPO object set from the console of the Active Directory Administrative Center. Managing domain user account password policy by group membership has been an option since the initial release of Windows Server 2008. When it is enabled, any password policy associated with the user's group membership takes precedence over the default of the domain account policy. However, in earlier versions of Windows Server there was no single interface for implementing and managing this type of GPO. The new GUI simplifies using this feature.

Group Policy Infrastructure Status
The Group Policy Infrastructure Status tool is a new tab in the GPMC. It displays the status of Active Directory and SYSVOL replication as it relates to Group Policy. This feature enables you to detect the current status by comparing the replication status of all domain controllers.

Remote Policy Refresh
You can now use GPMC to target an organizational unit (OU) and force Group Policy refresh on all its computers and their currently logged-on users. Right-click any organizational unit in the GPMC, and then click Group Policy Update. The update occurs within 10 minutes (randomized on each targeted computer) to prevent overwhelming a domain controller.


Also, a new Windows PowerShell cmdlet, named Invoke-GPUpdate, functions in the same manner as the command line GpUpdate utility.

New RSOP Logging Data
When you use the Group Policy Results wizard or the GpResult /H command line tool to generate an HTML Resultant Set of Policy (RSOP) report, you now see an updated Summary section that provides information such as network speed and whether a policy is functioning correctly or not.
Note: Remote RSOP logging and Group Policy refresh require you to open firewall ports on the targeted computers. This means enabling incoming communication for RPC, WMI/DCOM, event logs, and scheduled tasks.

Managing GPOs
You must manage group policies as any other object in Active Directory. Group Policy must be created, edited, applied to containers, and backed up. The GPMC is the main tool for managing Group Policy.

Creating, Editing, and Linking Policies
Group Policy management has the following characteristics:

Create GPOs in the Group Policy Objects folder in the GPMC. You must have administrative rights in the domain or membership in the Group Policy Creator Owners group to create GPOs.

Edit GPOs by using the Group Policy Management Editor. You can use policies to configure and apply thousands of settings.

You can link GPOs to containers by using the GPMC. You can link a single GPO to multiple containers.

Backing Up and Restoring GPOs
You should back up Group Policies regularly. The first time that you back up a GPO, you must specify the location of the backup folder. To back up GPOs in the GPMC, use the following procedures:

To back up individual GPOs, right-click the GPO, and then click Back Up.

To back up all GPOs, right-click the GPO folder, and then click Back Up All.

To restore an existing GPO to an earlier version of the GPO:
1. Open the Group Policy Objects folder.
2. Right-click the GPO that you want to restore.
3. Click Restore from Backup.

To restore a deleted GPO:
1. Right-click the Group Policy Objects folder.
2. Click Manage Backups.
3. Click the policy that you want to restore from the backup folder.
4. Click Restore.

Copy or Import GPOs
By using the import and copy operations in the GPMC, you can transfer GPOs across domains and across forests. This is useful if you maintain separate test and production environments and want to replicate the content from one environment to the other. The GPMC enables you to modify certain settings as part of the import or copy operation. Specifically, you can modify references to security principals, such as users, groups, and computers, and to Universal Naming Convention (UNC) paths that exist in the GPO. You can modify security principals and UNC paths in the destination GPO by using a migration table with the import or copy operation. For example, the test environment might use a different UNC path for folder redirection than the production environment. You can use a migration table to map the test environment UNC path to the production UNC path.
A copy operation uses an existing GPO as its source and creates a new GPO as the destination. The administrator can choose to preserve the existing permissions or use the default GPO permissions. To copy an existing GPO:
1. Right-click the GPO.
2. Click Copy.
3. Paste the GPO into the Group Policy Objects folder.
The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO as the source. Importing does not modify the permissions or links associated with the destination GPO. Importing does not merge with any existing settings in the destination GPO, but will overwrite all settings. To import a GPO:
1. Right-click the GPO you are importing settings into.
2. Click Import Settings.
3. Follow the steps in the Import Settings Wizard.

Configuring Group Policy Processing
When you link a Group Policy to a container, the settings affect all users, groups, or computers in that container and all child containers under that parent. For example, a GPO linked to the domain container inherits down to all child containers in the domain. Because you can link GPOs directly to the site, domain, or OU containers, there is the potential for settings in different GPOs to conflict. For example, a setting in a GPO at the domain level might be enabled while the same setting in a GPO linked to an OU may be disabled. This conflict is resolved through precedence. GPO settings are applied in the following order:
1. Local policies
2. Site linked GPOs
3. Domain linked GPOs
4. OU linked GPOs
5. Child OU linked GPOs

Policy settings inherit down and merge so that objects receive the cumulative effect of all GPOs. If you
link multiple GPOs to the same container then they are applied in the order in which they were linked.
However, you can set precedence to control the order of application to that container. If there is a conflict
in GPO settings, the last GPO applied has precedence and is the effective one. In other words, the user or
computer receives all the GPO settings in the path of their container and linked directly to their container,
but if there is a conflict, the latest setting is the one in effect.
Group Policy provides mechanisms to modify the way GPO settings are processed. You can block
inheritance and enforce policies.

Blocking Inheritance

You can configure a domain or OU to prevent the inheritance of policy settings. This option blocks all
inherited Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. You cannot use
it to block only selected inherited policies. It does not block GPOs that are linked directly to the container.
You should use the Block Inheritance option sparingly. When you block inheritance, you make it more
difficult to evaluate Group Policy precedence and inheritance.

Enforcing a GPO Link

You can set a GPO link to be Enforced. When you set a GPO link to Enforced, that GPO takes the highest
level of precedence. Policy settings in that GPO then prevail over any conflicting policy settings in other
GPOs. In addition, a link that is enforced applies to child containers even when those containers are set
to Block Inheritance. The Enforced option causes the policy to apply to all objects within its scope. The
Enforced setting causes policies to override any conflicting policies and applies regardless of any other
settings.

Loopback Processing
By default a user receives the settings from GPOs inherited by, and linked to, the OU where their user
account resides. There are situations, however, in which you might want to configure a user differently,
depending on the computer that is being used. For example, you might want to lock down and
standardize user desktops when users log on to computers in closely managed environments, such as
conference rooms, reception areas, laboratories, classrooms, and kiosks. You might also want to apply
specific settings for virtual desktop infrastructure (VDI) scenarios. This includes remote virtual machines
and Remote Desktop Services (RDS), known as Terminal Services in earlier versions.
The loopback setting causes a user's typical GPO settings to be disregarded and applies the user settings associated with the GPO instead.

The loopback setting is located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in the GPO.
Note: There is an option in the loopback setting to merge the loopback user settings with
their typical settings. But the default is to replace their typical settings with the settings in the
loopback GPO.

Security Filtering
Each GPO has a Discretionary Access Control List (DACL) that defines permissions to the GPO. You must apply two permissions, Allow Read and Allow Apply Group Policy, to a user or computer. By default, Authenticated Users have the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPO's settings. Therefore, by adjusting the permissions on the GPO you can control who receives them. There are two approaches to do this.

To apply the GPO to only some users, groups or computers:
1. Remove the Authenticated Users group from the DACL.
2. Add the users, groups or computers you want to receive the policies.
3. Grant them Read and Apply Group Policy permissions.

To prevent some users, groups or computers from receiving the GPO settings:
4. Add them to the DACL.
5. Deny them the Apply Group Policy permission.

You access the DACL from the Delegation, Advanced tab of the GPO.
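The first approach (apply the GPO only to some principals) scripted with the GroupPolicy module, added here as an example and not course material. The GPO name 'Kiosk Lockdown' and the group 'Kiosk Computers' are assumptions; the extra Read grant to Domain Computers reflects a later Windows change (the June 2016 Group Policy security update, MS16-072) that this 2012-era text predates.

```powershell
# Added example (not from the course): security filtering with Set-GPPermission.
# Assumptions: GPO 'Kiosk Lockdown' and group 'Kiosk Computers' already exist;
# run from a machine with the GPMC/RSAT installed.
Import-Module GroupPolicy

$gpoName    = 'Kiosk Lockdown'     # assumption: an existing GPO
$scopeGroup = 'Kiosk Computers'    # assumption: an existing global group

# Step 1: remove Authenticated Users from the DACL. PermissionLevel None
# deletes every entry for that trustee.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null

# Steps 2 and 3: add the intended recipients. GpoApply grants both the
# Read and the Apply Group Policy permissions in one step.
Set-GPPermission -Name $gpoName -TargetName $scopeGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Since MS16-072 (June 2016) user policy is retrieved in the computer's
# security context, so computers still need Read on the GPO once
# Authenticated Users is gone. GpoRead alone does not apply the settings.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# Review: the only trustees with GpoApply should be the ones you intended.
# An unexpected Apply entry here is the first thing to check when a policy
# lands on the wrong users or computers.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Permission
```

Set-GPPermission can only set Allow levels, so the second approach (a Deny on Apply Group Policy) is done in the GPMC Delegation, Advanced dialog rather than with this cmdlet.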

WMI Filtering
You can also use Windows Management Instrumentation (WMI) to control the scope of GPO application, depending on attributes of the destination computer. You can use WMI queries to check for hardware or software conditions that must exist for settings to be applied. For example, a WMI query may check for an operating system version, make or model, or the RAM in the system to determine whether GPO settings should be applied. WMI filters can query for hundreds of different parameters.

Group Policy Client Side Extensions
The Group Policy Client service determines which GPOs to apply to the client. This service downloads any GPOs that are not already cached. Then, a series of processes called client-side extensions interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are client-side extensions for each major category of policy setting. For example, there is a security client-side extension that applies security changes, a client-side extension that executes startup and logon scripts, a client-side extension that installs software, and a client-side extension that makes changes to registry keys and values. Each new version of Windows has added client-side extensions to extend the functional reach of Group Policy. There are several dozen client-side extensions now in Windows.
Note: For client computers running Windows XP to accept Group Policy Preferences, the client-side extensions for Windows XP preferences must be downloaded and installed on each client computer.

Group Policy is applied at the client computer side at startup for computer settings and when users log on
for user settings. Group Policy is also refreshed on the client computer at regular, configurable intervals.
The default interval is 90 minutes. The Group Policy client pulls the GPOs from the domain, triggering the
client-side extensions to apply settings locally. Group Policy is not a push technology.
Note: You can manually refresh Group Policy from the GPMC in Windows Server 2012 or
by using the GpUpdate command prompt utility on the client workstation.

Policies remain in force on the client even if the client is not connected to the corporate LAN. For
example, mobile laptop users continue to have the GPO settings enforced because those settings are
cached on the client. But mobile laptop users receive no changes to policy settings until they reconnect to
the LAN.
Note: If client computers use cached credentials to speed up the logon process, then the
user does not see the effect of several GPO settings until after two logons.

Policies are not re-applied on the client systems unless a change in a policy setting is detected. An
important exception to the default policy processing settings is settings managed by the security client-side extension. Security settings are reapplied every 16 hours even if a GPO has not changed.
Note: You can configure client-side extensions to reapply policy settings at background
refresh even if the GPO has not changed. To do this, define the settings in the
Computer Configuration\Policies\Administrative Templates\System\Group Policy node. To
configure a client-side extension:
1.

Open its policy processing policy setting, such as Registry Policy Processing for the Registry client-side
extension.

2.

Click Enabled.

3.

Select the Process even if the Group Policy objects have not changed check box.

Group Policies over Slow Links

If a slow network connection is detected then certain client-side extensions do not process GPO settings.
For example, installing software is not practical across a slow network. By default, a slow connection is
defined as 500 KBPS. However, you can configure this value in Group Policy. Also, you can configure each
client-side extension in Group Policy to process even if a slow connection is detected.
These settings are always applied, even across a slow connection:

Security settings

Administrative Templates

IPsec

Encrypting File System (EFS)

These settings are not applied across a slow connection:

Quotas

Internet Explorer Maintenance

Folder Redirection

Scripts

Wireless Network settings

Software installations

Note: Older clients, such as Windows XP, use Ping to determine network speed. If you block Internet Control Message Protocol (ICMP) traffic, the connection always appears as a slow connection. Clients that are running Windows Vista or later versions use Network Location Awareness to determine connection speed.

Troubleshooting Group Policy
There may be times when you must troubleshoot Group Policy. There are two main issues that can occur with Group Policy processing:

Policies are not being applied to the client computer.

Policies are applied, but the results are inconsistent or incorrect.

These two issues might arise for the following reasons:

AD DS replication issues may prevent all domain controllers from receiving policies or policy updates.

GPOs may be linked incorrectly to containers.

Slow network conditions may exist.

Policy filtering may be set.

Inheritance or enforcement settings may be applied.

The loopback setting may be turned on.

Local computer policies may affect the results.

Start to troubleshoot by determining the scope of the issue. For example, is the issue widespread, or only affecting a single client? If the issue affects a single client, you should check for physical issues, such as incorrect configurations. These issues are usually easy to diagnose.
Check Event Viewer entries, Windows logs, and application and service logs. These can provide valuable information about the cause of issues. Log entries frequently direct you to the area in which to begin an investigation.
Most Group Policy issues are caused by:

Inheritance

Filtering

Replication

Troubleshooting Inheritance

If none of the users or computers in an OU or child OUs receive policies that were linked to higher levels,
it may be because of inheritance blocking. The GPMC displays a blue exclamation mark when inheritance
is blocked. RSOP lists the GPOs that are being applied, and the GPOs that are being blocked. You can
generate Group Policy results at the destination computer or from the GPMC through the Group Policy
Results Wizard.
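A way to see inheritance blocking and link precedence without opening the GPMC, added here as an example (not course material) that also illustrates the processing order described under Configuring Group Policy Processing. It walks an OU's container chain with Get-GPInheritance; the OU distinguished name is a placeholder, and site-linked GPOs are not reported by this cmdlet, so those still have to be checked in the GPMC.

```powershell
# Added example (not from the course): report blocking, enforcement and link
# order for every container above an OU, then the effective list GPMC computes.
# Assumption: run with the GroupPolicy module (GPMC/RSAT) installed.
Import-Module GroupPolicy

function Get-GpoChainReport {
    param([Parameter(Mandatory)][string]$OuDn)   # placeholder DN passed in below

    # Build the chain domain -> ... -> target OU by stripping one RDN at a time.
    $chain = @()
    $dn = $OuDn
    while ($dn -notmatch '^DC=') {
        $chain += $dn
        $dn = $dn.Substring($dn.IndexOf(',') + 1)
    }
    $chain += $dn                     # the domain DN itself
    [array]::Reverse($chain)

    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        Write-Output ('== {0}  BlockInheritance={1}' -f $container, $inh.GpoInheritanceBlocked)
        # Within one container, link order 1 has the highest precedence.
        foreach ($link in ($inh.GpoLinks | Sort-Object Order)) {
            Write-Output ('   link order {0}  {1}  enabled={2}  enforced={3}' -f `
                $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced)
        }
    }

    # Effective links for the target as the GPMC's Group Policy Inheritance
    # tab shows them: precedence 1 wins a conflict. A blocked parent's links
    # disappear from this list unless they are enforced.
    $effective = Get-GPInheritance -Target $OuDn
    Write-Output '== Effective links for target (precedence 1 wins)'
    $i = 1
    foreach ($link in $effective.InheritedGpoLinks) {
        Write-Output ('   {0}. {1}  enforced={2}' -f $i, $link.DisplayName, $link.Enforced)
        $i++
    }
}

Get-GpoChainReport -OuDn 'OU=Kiosks,OU=Workstations,DC=adatum,DC=com'   # placeholder DN
```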

Troubleshooting Filtering
GPO filtering may result from:

Security filtering

WMI filtering

Symptoms of filtering issues may appear as inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they do not receive policies that other users in the same OU
receive.
Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If
there is a link to a non-existent WMI filter, the GPO with that link is not processed until the link is
removed or the filter is restored.

Troubleshooting Replication
Group Policy information takes time to propagate or replicate from one domain controller to another.

Replication issues are most noticeable in remote sites with slow connections and long replication latency.
You can use the new Status tab in the GPMC on Windows Server 2012 to determine the replication health
of the GPO. If replication is an issue, you must determine whether the problem is with the File Replication
Service (FRS) or with AD DS replication. There are two simple tests that you can use to determine the
issue:

For SYSVOL replication, put a small test file into the SYSVOL directory. See whether it replicates to
other domain controllers.

For AD DS replication, create a test object, such as an OU. See whether it replicates to other domain
controllers.
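The two replication tests above as one script, added here as an example and not course material. It discovers the domain controllers with Get-ADDomainController, writes a marker file into SYSVOL and creates a test OU on one DC, and polls the others directly; the marker names are constructed for the example and the objects are removed at the end.

```powershell
# Added example (not from the course): SYSVOL and AD DS replication checks.
# Assumptions: run as a Domain Admin; at least two DCs; the names below are
# constructed for this example.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$sourceDc = $dcs[0]
$stamp    = Get-Date -Format 'yyyyMMddHHmmss'

# Test 1: file replication. Write a marker into SYSVOL on one DC.
$fileName = "repltest-$stamp.txt"
$srcPath  = "\\$sourceDc\SYSVOL\$($domain.DNSRoot)\scripts\$fileName"
Set-Content -Path $srcPath -Value "sysvol replication test $stamp"

# Test 2: directory replication. Create a test OU on the same DC.
$ouName = "ReplTest-$stamp"
New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
    -Server $sourceDc -ProtectedFromAccidentalDeletion $false
$ouDn = "OU=$ouName,$($domain.DistinguishedName)"

# Poll every other DC through its own SYSVOL share and with -Server, so the
# answer really comes from that DC and not from whichever DC is nearest.
$results = @{}
foreach ($dc in $dcs | Where-Object { $_ -ne $sourceDc }) {
    $results[$dc] = @{ Sysvol = $false; AdDs = $false }
}
$deadline = (Get-Date).AddMinutes(15)
while ((Get-Date) -lt $deadline -and
       ($results.Values | Where-Object { -not ($_.Sysvol -and $_.AdDs) })) {
    foreach ($dc in @($results.Keys)) {
        if (-not $results[$dc].Sysvol) {
            $results[$dc].Sysvol = Test-Path "\\$dc\SYSVOL\$($domain.DNSRoot)\scripts\$fileName"
        }
        if (-not $results[$dc].AdDs) {
            $results[$dc].AdDs = [bool](Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -Server $dc)
        }
    }
    Start-Sleep -Seconds 30
}

# SYSVOL arriving but the OU not (or the reverse) tells you which replication
# service to investigate, which is the distinction the text asks you to make.
foreach ($dc in $results.Keys) {
    '{0}: SYSVOL={1}  ADDS={2}' -f $dc, $results[$dc].Sysvol, $results[$dc].AdDs
}

# Clean up the markers.
Remove-Item -Path $srcPath -ErrorAction SilentlyContinue
Remove-ADOrganizationalUnit -Identity $ouDn -Server $sourceDc -Confirm:$false -ErrorAction SilentlyContinue
```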

Troubleshooting Policy Refresh

Some users rarely restart or even log off their systems. Several Group Policy settings cannot be refreshed
during a typical refresh cycle. Some settings require a logoff or a restart to be applied. In fact, because of
cached credentials, many settings require two logons for the user to see the effect of the setting. If some
users do not receive the policy settings, ensure that they restart or log off and on two times to rule out
the effect of cached credentials.

Best Practices for Implementing Group Policy
Group Policy is a very powerful tool, but you must apply it correctly. Implementing a Group Policy solution involves planning, designing, deploying, and maintaining the solution. There are some best practices that you should follow.

Plan Your Deployment
Define the scope of application of Group Policy. Define what types of settings are global to all users and computers and design or modify the OU structure to accommodate Group Policy application. You should design the OU structure with Group Policy in mind and enhance the inherited nature of Group Policy settings by grouping objects in a hierarchy that enables that flow of Group Policy settings.

Create Standard Desktop Configurations
One of the goals of controlling the computing environment is to provide consistency. Standard desktop configurations for various user types or departments can make system repair or replacement a simpler task if many of the configuration settings are delivered by using Group Policy.

Do Not Use the Default Domain Policy or Default Domain Controllers Policy for Other Purposes
These two default policies provide basic settings for the domain, such as password policies, and for domain controllers, such as auditing settings. If you want to apply other configuration settings to the domain or to domain controllers, create new policies. Use the default policies for password, auditing and security settings only.

Use Inheritance Modifications and Filtering Sparingly
Heavy use of blocking and enforcing of policies makes troubleshooting more difficult. Also try to avoid security and WMI filtering unless it is required.

Use Loopback Processing for Special Case Scenarios
Loopback can solve issues with desktop standardization for scenarios where the system users log on to special purpose systems, such as Remote Desktop Services or kiosk computers.

Implement a Change Request Process
Limit changes to Group Policy settings to a small group of administrators. All changes should be approved and documented. Consider using the Advanced Group Policy Management (AGPM) tool available with the Microsoft Desktop Optimization Pack (MDOP).

Lesson 5
Maintaining AD DS
Maintaining the health of the AD DS is an important aspect of an administrator's job. In this lesson, you will learn how to use Windows Server Backup to effectively back up and restore AD DS and domain controllers. You will also learn how to optimize and protect your directory service so that if a domain controller does fail, you can restore it as quickly as possible.

Lesson Objectives
After completing this module, you will be able to:

Describe options for backing up AD DS.

Describe options for restoring AD DS.

Describe the Active Directory Recycle Bin.

Describe AD DS snapshots.

Optimize the AD DS database.

Options for AD DS Backup
Windows Server Backup was introduced in Windows Server 2008. It enables you to back up and restore a server, its roles, and its data. Windows Server Backup is installed as a feature in Server Manager.
Note: The Windows Server Backup MMC appears on the Tools list in Server Manager even though the feature is not actually installed until you manually add the feature.

Windows Server Backup provides a snap-in administrative tool and the WBAdmin command line tool (Wbadmin.exe). Both the snap-in and the command line enable you to perform manual or automatic backups to an internal or external disk volume, a remote share, or optical media. Backing up to tape is no longer supported by Windows Server Backup.

In earlier versions of Windows, backing up Active Directory involved creating a backup of the SystemState. In Windows Server 2012, the SystemState still exists, but it is physically larger in size. Because of interdependencies between server roles, physical configuration, and Active Directory, the SystemState is now a subset of a Full Server backup and, in some configurations, might be just as large as a full server backup. To back up a domain controller, you must back up all critical volumes fully.
Windows Server Backup enables you to perform one of the following types of backups:

Full server

Selected volumes

System State

Individual files or folders


When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data that resides on the volumes that host the:

Boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store.

Windows operating system and the registry.

SYSVOL tree.

Active Directory database (Ntds.dit).

Active Directory database log files.

To perform a backup, you must first install the Windows Server Backup feature. You can then use the Windows Server Backup console to create backup jobs. The Actions pane in the Windows Server Backup console enables you to start a wizard to perform a scheduled backup or a one-time backup job. The wizard prompts for a backup type, backup selection, backup destination and schedule (if performing a scheduled job).
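The same one-time critical-volumes backup of a domain controller driven from Windows PowerShell instead of the wizard, added here as an example and not course material. It uses the WindowsServerBackup module that is installed with the feature; the share path and the credential prompt are placeholders.

```powershell
# Added example (not from the course): one-time critical-volumes backup of a DC
# to a network share. Assumptions: run as a Domain Admin on the DC; the share
# \\LON-BACKUP\DCBackups is a placeholder.
Install-WindowsFeature Windows-Server-Backup | Out-Null
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# Bare metal recovery selects every critical volume: boot files, the OS and
# registry, SYSVOL, Ntds.dit and its logs, which is what the text requires
# for a domain controller. System State is added explicitly as well so the
# same backup can also be used for a System State restore.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy

$cred   = Get-Credential -Message 'Account with write access to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\LON-BACKUP\DCBackups' -Credential $cred   # placeholder
Add-WBBackupTarget -Policy $policy -Target $target

# A VSS copy backup leaves other backup software's application logs untouched.
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# The resulting image contains Ntds.dit, i.e. every password hash in the
# domain; the share's permissions and the backup's physical security deserve
# the same care as the DC itself.
Start-WBBackup -Policy $policy

# Check the outcome of the job that just ran.
Get-WBJob -Previous 1 | Select-Object JobType, JobState, StartTime, EndTime, ErrorDescription
```

The wbadmin equivalent from the text is `wbadmin start backup -backupTarget:\\LON-BACKUP\DCBackups -allCritical -systemState -quiet` with the same placeholder share.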

Options for AD DS Restore
When a domain controller or its directory is corrupted, damaged, or failed, you can restore the system by using several options.

The first option is called typical restore or nonauthoritative restore. In a normal restore operation, you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. The domain controller "catches up" with the rest of the domain by using standard replication mechanisms. Normal restore is useful when the directory on a domain controller was damaged or corrupted, but the problem has not spread to other domain controllers. This is not a method that works if you are trying to restore a deleted object and the deletion has replicated to the other domain controllers.
If the typical restore does not work, you can perform an authoritative restore. In an authoritative restore, you restore the known good version of Active Directory just as you do in a typical restore. However, before restarting the domain controller, you mark the objects that you want to recover (the deleted objects) as authoritative so that they replicate from the restored domain controller to its replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is guaranteed to be higher than the version number of the deleted object on all other domain controllers. When you restart the restored domain controller, it replicates from its replication partners all changes that are made to the directory. It also notifies its partners that it has changes, and the version numbers of the changes ensure that partners take the changes and replicate them throughout the directory service.
The third option for restoring the directory service is to restore the whole domain controller. You do this by booting to the Windows Recovery Environment and restoring a full server backup of the domain controller. By default, this is a typical restore. If you must also mark objects as authoritative, you must restart the server in the Directory Services Restore Mode and set those objects as authoritative before starting the domain controller into typical operation.

Finally, you can restore a backup of the SystemState to an alternative location. This enables you to examine files and, potentially, to mount the NTDS.dit file as described in the previous lesson. You should not copy the files from an alternative restore location over the production versions of those files. Do not do a piecemeal restore of Active Directory. This option is also used if you want to use the Install From Media option for creating a new domain controller.

Ho
ow does th
he Active Directory
D
Recycle
R
Bin
n Work?
The Active Directo
ory Recycle Bin
n was introducced
in Windows
W
2008 R2. You could
d only access th
his
featture by using Windows
W
Powe
erShell cmdletts and
the Ldp.exe LDAP
P utility.
W
Serve
er 2012 you can now access
In Windows
the Active Directo
ory Recycle Bin
n from the Active
Dire
ectory Adminisstrative Centerr. This simplifie
es
the recovery of Acctive Directoryy objects that were
w
erro
oneously deleted. It lets adm
ministrators ena
able
the Recycle Bin an
nd locate or re
estore deleted
obje
ects in the dom
main. It is no lo
onger required
d to
use Windows Pow
werShell or Ldp
p.exe to enable
e the
recyycle bin or resttore objects in domain partittions.

Active Directory Recycle Bin Characteristics
The Active Directory Recycle Bin has the following characteristics:

It must be manually enabled. As soon as it is enabled, you cannot disable it.

The Active Directory Recycle Bin cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects. That must be done in a subsequent operation.

Active Directory Recycle Bin requires at least the Windows Server 2008 R2 forest functional level.

You must be a member of the Enterprise Admins group to use the Active Directory Recycle Bin.

The recycle bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space that is used by the recycle bin continues to increase over time as it preserves objects and all attribute data.

Objects are preserved in the recycle bin for an amount of time that matches the tombstone lifetime of the forest. This is 180 days by default.

After the Active Directory Recycle Bin is enabled, deleted restorable objects can be viewed in the Deleted Objects folder.

Enabling the Active Directory Recycle Bin
To enable the Active Directory Recycle Bin:

1. From the Server Manager Tools menu, access the Active Directory Administrative Center.

2. In the navigation pane, select the domain that you want to manage.

3. In the Tasks (right side) pane, click Enable Recycle Bin.

4. Acknowledge the warning dialog boxes to complete the action.

Restoring Active Directory Objects

Because many objects are intentionally deleted in typical Active Directory operations, the Active Directory
Administrative Center has advanced filtering criteria, making targeted restoration easier in large
environments that have many deleted objects. The restore operation supports all the standard filter
criteria options as any other search. Multiple search criteria can be combined. Common search criteria
include:

Object is user/inetorgperson/computer/group/organization unit

Name

When deleted

Employee ID

First name

Last name

Job title

City

As soon as you locate the object to be restored, right-click the object, and then click Restore.

To restore the object to its original location, in the Tasks pane, click Restore.

To restore an object to a different location, click Restore To.

You can restore multiple objects as long as they are all restored to the same location.
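The enable-and-restore workflow above can also be scripted; this added example (not from the course) uses the ActiveDirectory module, the route the text notes was the only one before Windows Server 2012, and restores a deleted OU together with its children, working around the one-level-at-a-time limitation. It assumes a forest root of adatum.com, a caller in Enterprise Admins, and the Windows Server 2008 R2 forest functional level; the object names are placeholders.

```powershell
# Added example, not part of the course text: enable the Recycle Bin, filter
# deleted objects, and restore an OU with its children via PowerShell.
# Assumptions: forest root adatum.com, caller is an Enterprise Admin, forest
# functional level is Windows Server 2008 R2 or higher.
Import-Module ActiveDirectory

$ForestRoot = 'adatum.com'   # assumption: replace with your forest root

# Enabling is one-way, so check the current state before acting.
function Enable-RecycleBinIfNeeded {
    param([string]$Forest = $ForestRoot)
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        return 'Recycle Bin is already enabled (it cannot be disabled).'
    }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    return "Recycle Bin enabled for $Forest."
}

# Deleted objects sit under CN=Deleted Objects with isDeleted=TRUE.
# msDS-LastKnownRDN keeps the original name and lastKnownParent the original
# container, which gives the same Name / When deleted filters the ADAC offers.
function Get-DeletedADObject {
    param(
        [string]$Name,                                  # original name, optional
        [datetime]$DeletedAfter = [datetime]::MinValue  # whenChanged ~ deletion time
    )
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged |
      Where-Object {
          (-not $Name -or $_.'msDS-LastKnownRDN' -eq $Name) -and
          $_.whenChanged -ge $DeletedAfter
      } |
      Select-Object ObjectGUID, ObjectClass, 'msDS-LastKnownRDN',
                    lastKnownParent, whenChanged
}

# The Recycle Bin does not restore a sub-tree in one action: a child can only
# come back once its parent exists again. Restore the OU first, then every
# object whose lastKnownParent points at it. Depending on how the tree was
# deleted that attribute may hold the live DN or the "\0ADEL:" DN, so both
# forms are matched. Nested OUs need this repeated one level at a time.
function Restore-DeletedOU {
    param(
        [Parameter(Mandatory)][string]$OuName,
        [string]$TargetPath   # optional new parent, like "Restore To" in ADAC
    )
    $ou = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName))")
    if ($ou.Count -eq 0) { throw "No deleted OU named '$OuName' was found." }
    if ($ou.Count -gt 1) { throw "Several deleted OUs named '$OuName'; restore by ObjectGUID instead." }
    $ou = $ou[0]

    $deletedDn = $ou.DistinguishedName
    if ($TargetPath) { Restore-ADObject -Identity $ou.ObjectGUID -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $ou.ObjectGUID }
    $liveDn = (Get-ADObject -Identity $ou.ObjectGUID).DistinguishedName

    $children = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                    -Properties lastKnownParent |
                Where-Object { $_.lastKnownParent -in @($liveDn, $deletedDn) }
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID -TargetPath $liveDn
    }
    "Restored $liveDn and $(@($children).Count) child object(s)."
}

# Example run (placeholder names):
#   Enable-RecycleBinIfNeeded
#   Get-DeletedADObject -Name 'Aidan Delaney' -DeletedAfter (Get-Date).AddDays(-1)
#   Restore-DeletedOU -OuName 'Research'
```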

Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin
In this demonstration you will see how to:

Enable the Active Directory Recycle Bin

Use the recycle bin to restore a deleted object

Demonstration Steps

1. Enable the Active Directory Recycle Bin.

2. Delete a current user.

3. Restore the user.

What are AD DS Snapshots?
A snapshot captures the exact state of the directory service at the time of the snapshot. Unlike a backup, you cannot use a snapshot to restore data. However, you can use tools to explore the contents of the snapshot to examine the state of the directory service at the time the snapshot was made.

Creating a Snapshot
You use NTDSUtil to create and mount snapshots for viewing. To create a snapshot:

1. Open an elevated command prompt.

2. Type ntdsutil, and then press Enter.

3. Type activate instance ntds, and then press Enter.

4. Type snapshot, and then press Enter.

5. Type create, and then press Enter.

6. The command returns a message indicating that the snapshot set was generated successfully. The GUID that is displayed is important for commands in later tasks. Note the GUID or, alternatively, copy it to the Clipboard.

7. Type quit, and then press Enter.

Using the Database Mounting Tool to Mount a Snapshot

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for the organization. It enables you to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare Active Directory data.
To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. This is also accomplished with NTDSUtil. To mount a snapshot:
1. Open an elevated command prompt.

2. Type ntdsutil, and then press Enter.

3. Type activate instance ntds, and then press Enter.

4. Type snapshot, and then press Enter.

5. Type list all, and then press Enter. The command returns a list of all snapshots.

6. Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then press Enter.

7. Type quit, and then press Enter.

8. Type quit, and then press Enter.

9. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter (you can use any available port number).

10. Do not close the Command Prompt window; leave the command that you just ran, Dsamain.exe, running while you continue to the next step.

Viewing the Snapshot
After you have mounted the snapshot, you can use tools to connect to and explore the snapshot, including Active Directory Users and Computers.
To connect to a snapshot with Active Directory Users and Computers:

1. Open Active Directory Users and Computers.

2. Right-click the root node, and then click Change Domain Controller.

3. Click <Type a Directory Server name[:port] here> and enter the name of the domain controller and the port number that was used in the previous step. For example, LON-DC1:50000, and then press Enter.

4. Click OK.

To unmount the snapshot:

1. Switch to the command prompt in which the snapshot is mounted.

2. Press Ctrl+C to stop Dsamain.exe.

3. Type ntdsutil, and then press Enter.

4. Type activate instance ntds, and then press Enter.

5. Type snapshot, and then press Enter.

6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.

7. Type quit, and then press Enter.

8. Type quit, and then press Enter.
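The create, mount, view and unmount steps above as one PowerShell script, added here and not part of the course, with a comparison of a user between the snapshot and the live directory. It assumes an elevated session on LON-DC1, a free port 50000, and that the ActiveDirectory module reaches the mounted instance through ADWS on the same DC by using -Server 'LON-DC1:50000'; the user name Allie is a placeholder.

```powershell
# Added example, not part of the course text: snapshot create / mount / query /
# unmount driven from PowerShell. Assumptions: elevated session on LON-DC1,
# port 50000 free, ADWS on this DC serves the dsamain instance.
Import-Module ActiveDirectory

# ntdsutil takes its interactive commands as arguments; the two quits leave the
# snapshot menu and then the tool itself.
function Invoke-NtdsutilSnapshot {
    param([Parameter(Mandatory)][string]$Command)
    & ntdsutil.exe 'activate instance ntds' snapshot $Command quit quit 2>&1 |
        ForEach-Object { "$_" }
}

function New-ADSnapshot {
    $out = Invoke-NtdsutilSnapshot 'create'
    # Expected line: "Snapshot set {GUID} generated successfully."
    $m = [regex]::Match(($out -join "`n"),
           'Snapshot set (\{[0-9A-Fa-f-]+\}) generated successfully')
    if (-not $m.Success) { throw "Snapshot creation failed:`n$($out -join "`n")" }
    $m.Groups[1].Value
}

function Mount-ADSnapshot {
    param([Parameter(Mandatory)][string]$Guid)
    $out = Invoke-NtdsutilSnapshot "mount $Guid"
    # Expected line: "Snapshot {GUID} mounted as C:\$SNAP_201210251400_VOLUMEC$\"
    $m = [regex]::Match(($out -join "`n"), 'mounted as (\S+)')
    if (-not $m.Success) { throw "Mount failed:`n$($out -join "`n")" }
    $m.Groups[1].Value.TrimEnd('\')
}

# Expose the mounted copy as a separate LDAP instance. The database path under
# the mount root mirrors the live %systemroot%\NTDS location.
function Start-SnapshotLdap {
    param([Parameter(Mandatory)][string]$MountRoot, [int]$Port = 50000)
    $dit = Join-Path $MountRoot 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "ntds.dit not found at $dit" }
    Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
}

# Show what changed for one user between the snapshot and now (attributes and
# group membership), which is the decision input for a restore.
function Compare-SnapshotUser {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Dc = 'LON-DC1', [int]$Port = 50000)
    $props = 'memberOf', 'Description', 'Enabled', 'Department'
    $filter = "SamAccountName -eq '$SamAccountName'"
    $then = Get-ADUser -Filter $filter -Properties $props -Server "${Dc}:$Port"
    $now  = Get-ADUser -Filter $filter -Properties $props -Server $Dc
    if (-not $then) { return "$SamAccountName did not exist in the snapshot." }
    if (-not $now)  { return "$SamAccountName is in the snapshot but not in the live directory (deleted since)." }
    foreach ($p in 'Description', 'Enabled', 'Department') {
        if ("$($then.$p)" -ne "$($now.$p)") { "${p}: '$($then.$p)' -> '$($now.$p)'" }
    }
    @($then.memberOf) | Where-Object { $_ -notin @($now.memberOf) } |
        ForEach-Object { "removed from $_" }
    @($now.memberOf)  | Where-Object { $_ -notin @($then.memberOf) } |
        ForEach-Object { "added to $_" }
}

# Tear down: stop dsamain, unmount, then delete the snapshot. The mounted files
# are a full copy of the database, secrets included, so do not leave them behind.
function Remove-ADSnapshot {
    param([Parameter(Mandatory)][string]$Guid, [System.Diagnostics.Process]$Dsamain)
    if ($Dsamain -and -not $Dsamain.HasExited) { Stop-Process -Id $Dsamain.Id }
    Invoke-NtdsutilSnapshot "unmount $Guid" | Out-Null
    Invoke-NtdsutilSnapshot "delete $Guid"  | Out-Null
}

# Example run:
$guid = New-ADSnapshot
$root = Mount-ADSnapshot -Guid $guid
$proc = Start-SnapshotLdap -MountRoot $root
Start-Sleep -Seconds 10                        # give dsamain time to listen
Compare-SnapshotUser -SamAccountName 'Allie'   # placeholder account name
Remove-ADSnapshot -Guid $guid -Dsamain $proc
```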

AD DS Database Maintenance
The Active Directory database is stored as a file named NTDS.dit. When you install and configure AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. In the NTDS folder, there are other files that support the Active Directory database. They are:

EDB.log file. The Edb.log file is the transaction log for Active Directory. When you must make a change to the directory, it is first written to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be rolled back.

EDB.chk. The EDB.chk file functions like a bookmark into the log files, marking the location before which transactions are successfully committed to the database, and after which transactions remain to be committed.

Edbres00001.jrs and Edbres00002.jrs. These two files are empty files of 10 MB each. If the disk the database resides on should run out of space, these files provide the domain controller with the space to write pending transactions before safely shutting down AD DS services and dismounting the database.

The Active Directory database is self-maintaining. Every 12 hours, by default, each domain controller runs a process that is known as garbage collection. Garbage collection does two things. First, it removes deleted objects that have outlived their tombstone lifetime, which is 180 days by default. Second, the garbage collection process performs online defragmentation. Online defragmentation reorganizes the rows of the database so that the blank rows are contiguous, very much like disk defragmentation reorganizes sectors of a disk so that free space is contiguous. However, this process does not reduce the file size of the database. It optimizes the internal order of the database. In most organizations, this will be sufficient.

To reduce the physical size of the NTDS.dit, perform offline defragmentation. To perform an offline defragmentation you must stop AD DS. Then use NTDSUtil to compact the database to a different location. Then replace the original NTDS.dit with the compacted version.
Note: Do not delete the original NTDS.dit; you only have to rename it.
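The offline defragmentation described above as a script, added here and not part of the course. It assumes an elevated session on a Windows Server 2008 or later domain controller (restartable AD DS), the default %systemroot%\NTDS location and a scratch folder C:\NTDS-Compact.

```powershell
# Added example, not part of the course text: stop AD DS, compact NTDS.dit to a
# scratch folder, verify it, rename (never delete) the original, put the
# compacted copy in place, and restart AD DS with the services that depend on it.
# Assumptions: elevated session, restartable AD DS (Server 2008+), default paths.
function Invoke-OfflineDefrag {
    param(
        [string]$NtdsFolder    = (Join-Path $env:SystemRoot 'NTDS'),
        [string]$CompactFolder = 'C:\NTDS-Compact'
    )
    $dit = Join-Path $NtdsFolder 'ntds.dit'
    if (-not (Test-Path $dit)) { throw "Database not found at $dit" }
    New-Item -ItemType Directory -Path $CompactFolder -Force | Out-Null

    # Compaction writes a complete new copy; make sure the target has room.
    $size = (Get-Item $dit).Length
    $free = (Get-PSDrive -Name $CompactFolder.Substring(0, 1)).Free
    if ($free -lt $size) { throw "Need at least $([math]::Ceiling($size / 1MB)) MB free in $CompactFolder" }

    # Services running on top of NTDS (KDC, DNS, DFSR, ...) stop with it and
    # are not restarted by Start-Service NTDS, so remember them.
    $dependents = (Get-Service NTDS).DependentServices |
                  Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    Stop-Service NTDS -Force
    try {
        $out = & ntdsutil.exe 'activate instance ntds' files "compact to $CompactFolder" quit quit 2>&1 |
               ForEach-Object { "$_" }
        if (($out -join "`n") -notmatch 'Operation completed successfully') {
            throw "Compaction failed:`n$($out -join "`n")"
        }

        # Keep the originals: rename the database and move the transaction logs
        # aside rather than deleting anything, as the note above recommends.
        Rename-Item $dit "ntds.dit.$stamp.bak"
        $logBackup = Join-Path $NtdsFolder "logs-$stamp"
        New-Item -ItemType Directory -Path $logBackup | Out-Null
        Get-ChildItem $NtdsFolder -Filter '*.log' | Move-Item -Destination $logBackup
        Copy-Item (Join-Path $CompactFolder 'ntds.dit') $dit

        # Integrity check of the file now in place, before AD DS is started.
        $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1 |
                 ForEach-Object { "$_" }
        if (($check -join "`n") -notmatch 'Integrity check successful') {
            # Roll back so the domain controller can still start.
            Remove-Item $dit
            Rename-Item (Join-Path $NtdsFolder "ntds.dit.$stamp.bak") 'ntds.dit'
            Get-ChildItem $logBackup -Filter '*.log' | Move-Item -Destination $NtdsFolder
            throw "Integrity check failed; original database restored:`n$($check -join "`n")"
        }
    }
    finally {
        Start-Service NTDS
        foreach ($svc in $dependents) { Start-Service $svc -ErrorAction SilentlyContinue }
    }
    [pscustomobject]@{
        OriginalBytes  = $size
        CompactedBytes = (Get-Item $dit).Length
        OriginalKeptAs = "ntds.dit.$stamp.bak"
    }
}

# Example run: Invoke-OfflineDefrag
```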

Lab: Implementing AD DS
Scenario

A. Datum is an engineering and manufacturing company. The organization is based in London, England, but is quickly expanding both the London location and internationally. As the company has expanded, some business requirements are changing as well. To address some business requirements, A. Datum has decided to deploy Windows Server 2012.

As the company expands, they must also expand their Active Directory infrastructure. You are assigned to
implement new domain controllers and also to consider implementation of RODCs, where appropriate.
Also, there are reports that Group Policies are not being applied on some computers, so you must
troubleshoot. The company also wants to centralize management of all accounts that are being used for
services, and to stop usage of local accounts for that purpose. Also, you must evaluate available
techniques for AD DS maintenance.

Objectives

Deploy an RODC

Implement Group Policy

Configure and validate service accounts

Maintain AD DS

Lab Setup
Estimated time: 60 minutes

Virtual machines: 20417A-LON-DC1, 20417A-LON-SVR3, 20417A-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   a. User name: Adatum\Administrator

   b. Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20417A-LON-SVR3 and 20417A-LON-CL1. Do not log on to LON-SVR3 or LON-CL1 until instructed to do so.

Exercise 1: Deploying a Read-Only Domain Controller

Scenario

As company business expands, you must add domain controllers to new locations. Some locations do not have the required physical security for server rooms, so you decide to implement read-only domain controllers for these locations. Those servers are already in place at the branch location performing local file and print duties. You plan to install the RODC role remotely by using Server Manager from head office. You also plan to configure the RODC to cache passwords locally for members of the Managers group and assign administrative access to the server to the IT group.
The main tasks for this exercise are as follows:

1. Add LON-SVR3 as a Server to Manage.

2. Create a New Server Group.

3. Install the RODC Role Remotely.

4. Configure the Password Replication Policy and Administrative Access.

Task 1: Add LON-SVR3 as a Server to Manage

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Use the Server Manager Dashboard to add LON-SVR3 as a server to manage.

Task 2: Create a New Server Group

1. Use the Server Manager Dashboard to create a server group named DCs.

2. Add both LON-SVR3 and LON-DC1 to the group.

Task 3: Install the RODC Role Remotely

1. Use the Server Manager Dashboard to add the Active Directory Domain Services role to LON-SVR3.

2. Open the notifications and complete the Post-deployment Configuration to promote LON-SVR3 to be a read-only domain controller (RODC) in the existing domain.

3. Set the Directory Services Restore Mode (DSRM) password to be Pa$$w0rd.

4. Accept the defaults for all other settings.

Task 4: Configure the Password Replication Policy and Administrative Access

1. Use Active Directory Users and Computers to configure the password caching options of LON-SVR3 in such a way that passwords are cached on the RODC for members of the Managers group.

2. Configure the IT group to have administrative access to LON-SVR3.

Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.

Exercise 2: Troubleshooting Group Policy

Scenario
Support technicians report that some Group Policy settings are not being applied as they should. Company policy requires that:

All domain users should not have access to change their desktop background.

All domain users except the IT group should be unable to access Registry Editor.

Currently, there are some problems in the way the GPOs that deliver those settings are being applied. You have to investigate, troubleshoot, and resolve this problem.
The main tasks for this exercise are as follows:

1. Troubleshoot Group Policy Issues.

2. Correct Issues with Group Policy Application.

3. Verify Policies Are Being Applied.

Task 1: Troubleshoot Group Policy Issues

Determine the issue by logging on to LON-CL1 as an IT group user and a Managers group user. Check whether the policies are being applied correctly.

1. Log on as Brad with the password of Pa$$w0rd. Attempt to change the desktop background and attempt to start the Registry Editor.

2. Use GPResult to determine the RSOP, and then log off of LON-CL1.

3. Log on as Bill with the password of Pa$$w0rd. Attempt to change the desktop background and attempt to start the Registry Editor.

4. Use GPResult to determine the RSOP.

5. Analyze the RSOP results to determine the problem.

6. Log off of LON-CL1.

Task 2: Correct Issues with Group Policy Application

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Use the Group Policy Management console to investigate and correct the issues.

3. Check the current status of the Managers OU.

4. Remove the block inheritance setting from the Managers OU to resolve the issue.

5. Think of a way to ensure that the Prohibit Registry Tools GPO will not be applied to IT group users.

6. Use Security Filtering to deny access to the policy to the IT security group.

7. Close the Group Policy Management console.

Task 3: Verify Policies Are Being Applied

1. Log on to LON-CL1 as Bill with a password of Pa$$w0rd and run the GPResult utility.

2. Log off of LON-CL1.

3. Log on to LON-CL1 as Brad with a password of Pa$$w0rd and run the GPResult utility.

4. Log off of LON-CL1.

Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.

Exercise 3: Implementing Service Accounts in AD DS

Scenario

To this point, there was no consistent policy about accounts that were used for services. On some servers, local accounts were used, while others were using domain accounts. Also, password management for these accounts was not consistent. Some of them had non-expiring passwords, while others were updated with new passwords manually. You decide to implement Managed Service Accounts to replace all these techniques. You will create the account and assign the account to the Web service DefaultAppPool.
The main tasks for this exercise are as follows:

1. Create and Associate a Managed Service Account.

2. Configure the Web Server Application Pool to Use the Group Managed Service Account.

Task 1: Create and Associate a Managed Service Account

1. Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2. Create the KDS root key using the New-KdsRootKey cmdlet. Make the effective time minus 10 hours so the key will be effective immediately.

3. Create the new service account named Webservice for the host LON-DC1.

4. Associate the Webservice managed account with LON-DC1.

5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.

6. Install the Webservice service account.

Task 2: Configure the Web Server Application Pool to Use the Group Managed Service Account

1. On LON-DC1, configure the DefaultAppPool to use the Webservice$ account as the identity.

2. Stop and start the application pool.

Results: After completing this exercise, you will have created and associated a managed service account, installed a managed service account on a web server, and verified password change for a managed service account.
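The group Managed Service Account part of this exercise as PowerShell, added here and not part of the course. It assumes domain adatum.com, IIS installed on LON-DC1, and uses appcmd.exe to set the application pool identity; the HTTP/ service principal name is an assumption.

```powershell
# Added example, not part of the course text: create the KDS root key, create
# the Webservice gMSA for LON-DC1, install and test it, and point the IIS
# DefaultAppPool at it. Assumptions: domain adatum.com, IIS on LON-DC1,
# appcmd.exe for the IIS step, HTTP/ SPN chosen for the web service.
Import-Module ActiveDirectory

$Domain   = 'adatum.com'
$HostName = 'LON-DC1'       # the only computer allowed to retrieve the password
$GmsaName = 'Webservice'

# 1. KDS root key. The default effective time is 10 hours ahead so the key
#    can replicate to every DC first; backdating is a single-DC lab shortcut.
if (-not (Get-KdsRootKey)) {
    New-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Create the gMSA. Only the named host can retrieve its password, and the
#    KDS rotates it automatically (every 30 days by default), replacing both
#    the non-expiring and the hand-rotated passwords from the scenario.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword "${HostName}$" `
        -ServicePrincipalNames "HTTP/$GmsaName.$Domain"
}

# 3. On the host: install the account locally and verify it is usable.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName cannot be used on $env:COMPUTERNAME"
}

# 4. Assign the gMSA as the DefaultAppPool identity. A gMSA logs on without
#    a password; the trailing '$' marks it as a managed account.
$netbios = (Get-ADDomain -Identity $Domain).NetBIOSName
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config /section:applicationPools `
    "/[name='DefaultAppPool'].processModel.identityType:SpecificUser" `
    "/[name='DefaultAppPool'].processModel.userName:${netbios}\${GmsaName}$" `
    "/[name='DefaultAppPool'].processModel.password:"
& $appcmd recycle apppool /apppool.name:DefaultAppPool

# 5. Confirm the password is under KDS management: the rotation interval and
#    the last change time are readable on the account object.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PasswordLastSet, 'msDS-ManagedPasswordInterval'
```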

Exercise 4: Maintaining AD DS

Scenario

As part of the maintenance plan, you are assigned the task of evaluating options for quickly restoring accidentally deleted objects. You decided to enable and test Active Directory snapshots and the AD DS Recycle Bin.
The main tasks for this exercise are as follows:

1. Create and View Active Directory Snapshots.

2. Enable the Active Directory Recycle Bin.

3. Delete a Test User.

4. Restore the Deleted User.

5. To Prepare for the Next Module.

Task 1: Create and View Active Directory Snapshots

1. Switch to LON-DC1.

2. Start a command prompt using elevated credentials.

3. Run the following commands:

   Ntdsutil
   Snapshot
   Activate instance ntds
   Create

4. Mount the snapshot as a new instance of AD DS by running the Mount {GUID} command.

5. Close ntdsutil.

6. Use the dsamain command to expose the snapshot to LDAP port 50000.

7. Use Active Directory Users and Computers to delete Allie Bellew from the Research OU.

8. Use Active Directory Users and Computers to connect LON-DC1 to the snapshot instance at port 50000.

Task 2: Enable the Active Directory Recycle Bin

Use the Active Directory Administrative Center to enable the Recycle Bin.

Task 3: Delete a Test User

Delete Aidan Delaney from the Managers OU.

Task 4: Restore the Deleted User

Restore the deleted user from the Deleted Objects folder.

To prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.

Module Review and Takeaways

Best Practices

When cloning VDCs, delete snapshots before copying or exporting VDCs.

When cloning VDCs, we recommend copying disks manually if there is only one drive. We
recommend Export for VMs with more than one drive or other complex customizations such as
multiple NICs.

At least one global catalog should exist in every site.

AD DS should be at the minimum Windows Server 2008 R2 level to provide fully automatic password
and SPN management for managed service accounts.

GPOs should be backed up after any changes are made.

Do not use volumes that contain backups of GPOs or AD DS data for other uses.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip

Domain controller promotion fails

Group Policy is not being applied correctly

You have to restore a version of AD DS and do not know which backup to restore from

Review Question

You have a mixture of client computers running Windows XP and Windows 8. After you configure several
settings in the Administrative Templates and Preferences of a GPO, Windows XP users report that some
settings are being applied while others are not.

Real-world Issues and Scenarios


You have a large company with multiple branch offices. Some branch offices have fast, redundant
connections while others have slow, unreliable connections.

When you have branch offices across WAN links, what solutions are available to facilitate client logons in
the branch offices?
What if security is a concern?
What can you do to help prevent network interruptions from preventing users from logging on?

Tools

Tool: Server Manager
Use: A central location for all aspects of server management
Location: Open by default on logon, or can be accessed from the taskbar

Tool: Active Directory Users and Computers; Active Directory Sites and Services; Active Directory Domains and Trusts
Use: Control all aspects of Active Directory management
Location: Can be accessed from the Tools drop-down menu in Server Manager

Tool: GPMC
Use: Control all aspects of Group Policy management
Location: Can be accessed from the Tools drop-down menu in Server Manager

Tool: Active Directory Best Practices Analyzer
Use: Can detect best practices violations and provide help to implement best practices
Location: Server Manager Dashboard

Tool: Active Directory Recycle Bin
Use: Restore objects that were deleted in error from AD DS
Location: Can be accessed from the Active Directory Administrative Center

Module 12
Implementing Active Directory Federation Services
Contents:
Module Overview  12-1
Lesson 1: Overview of Active Directory Federation Services  12-2
Lesson 2: Deploying Active Directory Federation Services  12-11
Lesson 3: Implementing AD FS for a Single Organization  12-17
Lesson 4: Deploying AD FS in a Business to Business Federation Scenario  12-23
Lab: Implementing AD FS  12-28
Module Review and Takeaways  12-36

Module Overview

Active Directory Federation Services (AD FS) in Windows Server 2012 provides flexibility for
organizations that want to enable their users to log on to applications that may be located on a local
network, at a partner company, or in an online service. AD FS enables an organization to manage its own
user accounts, and users only have to remember one set of credentials. However, those credentials can be
used to provide access to a variety of applications, located in a variety of locations.
This module provides an overview of AD FS, and details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.

Objectives

Describe the identity-federation business scenarios, and how you can use AD FS to address
the scenarios.

Configure the AD FS prerequisites, and deploy the AD FS services.

Implement AD FS to enable SSO in a single organization.

Implement AD FS to enable SSO between federated partners.

Lesson 1
Overview of Active Directory Federation Services

AD FS is the Microsoft implementation of an identity federation framework that enables organizations to establish federation trusts and share resources across organizational boundaries. AD FS is compliant with common web-services standards to enable interoperability with other identity federation implementations.

AD FS is designed to address a variety of business scenarios where the typical authentication mechanisms used in a single organization do not work. This lesson provides an overview of the concepts and standards that are implemented in AD FS, and also provides an overview of the business scenarios that you can address with AD FS.

Lesson Objectives
After completing this lesson, you will be able to:

Describe identity federation.

Describe claims-based authentication.

Describe web services.

Describe AD FS.

Explain how AD FS enables SSO within a single organization.

Explain how AD FS enables SSO between business partners.

Explain how AD FS enables SSO between on-premises and cloud-based services.

What Is Identity Federation?
Identity federation enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. You can implement identity federation within a single organization to enable access to diverse web applications, or between two organizations that have a relationship of trust between them.
To establish an identity federation partnership, both partners agree to create a federated trust relationship. This federated trust is based on an ongoing business relationship, and enables the organizations to implement business processes identified in the business relationship.
Note: A federated trust is not the same as a forest trust that organizations can configure between forests in Active Directory Domain Services (AD DS). In a federated trust, the AD FS servers in two organizations never have to communicate directly with each other.

As a part of the federated trust, each partner defines what resources are accessible to the other organization, and how to enable access to the resources. For example, to update a sales forecast, a sales representative may need to collect information from a supplier's database that is hosted on the supplier's network. The domain administrator for the sales representative is responsible for ensuring that the appropriate sales representatives are members of the group that requires access to the supplier's database. The administrator of the organization in which the database is located is responsible for ensuring that the partner's employees only have access to the data that they require.

In an identity federation solution, user identities and their associated credentials are stored, owned, and managed by the organization in which the user is located. As part of the identity federation trust, each organization also defines how the user identities are shared securely to restrict access to resources. Each partner must define the services that it makes available to trusted partners and customers, and also define which other organizations and users it trusts, what types of credentials and requests it accepts, and its privacy policies, to ensure that private information is not accessible across the trust.

What is Claims-Based Identity?
Claims-based authentication addresses issues with extending typical authentication and authorization mechanisms outside the boundaries associated with that mechanism. For example, in most organizations, users are authenticated by an AD DS domain controller when they log on to the network. If the user provides the right credentials to the domain controller, the user is granted a security token. Applications that are running on servers in the same AD DS environment trust the security tokens that the AD DS domain controllers provide. This is because the servers can communicate with the same domain controllers where the users authenticated.

The problem with this authentication is that it does not extend easily outside the boundaries of the AD DS forest. Although it is possible to implement Kerberos or NTLM-based trusts between two AD DS forests, servers on both sides of the trust must communicate with domain controllers in the other forest to make authentication and authorization decisions. The problem becomes even more complicated when users have to access resources hosted in cloud-based systems, such as Microsoft Azure or Microsoft Office 365.
Claims-based authentication provides a mechanism for separating user authentication and authorization from individual applications. With claims-based authentication, users can authenticate to a directory service in their organization, and be granted a claim based on that authentication. The claim then can be presented to an application that is running in a different organization. The application is designed to enable user access to the information or features based on the claims presented.

The claim used in claims-based authentication is just a statement about a user that is defined in one organization or technology and trusted in another organization or technology. The claim could include a variety of information. For example, the claim could define the user's e-mail address, user principal name (UPN), and information about all of the groups to which the user belongs. This information is collected from the authentication mechanism when the user authenticates successfully.

The organization that manages the application defines what types of claims the application will accept. For example, the application may require the user's email address to verify the user identity, and also use the group membership presented inside the claim to determine what level of access the user should have within the application.

Web Services Overview
For claims-based authentication to work, organizations have to agree on the format for exchanging claims. Rather than have each business define this format, a set of specifications has been developed that any organization can use if it wants to implement a federated identity solution. This set of specifications is identified broadly as web services.
Web services are the set of specifications that an enterprise uses for building connected applications and services, whose functionality and interfaces are exposed to potential users through web-technology standards. These standards can include Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and HTTP. The goal for creating web applications by using web services is to simplify interoperability for applications across multiple development platforms, technologies, and networks.
To enhance interoperability, a set of industry standards defines web services, which are based on the following standards:

Most web services use XML to transmit data through HTTP. XML enables developers to create their own customized tags, enabling the definition, transmission, validation, and interpretation of data between applications and organizations.

Web services expose useful functionality to web users through a standard web protocol. In most cases, the protocol used is SOAP. SOAP is the communications protocol for XML web services. SOAP is a specification that defines the XML format for messages. Essentially, it describes what a valid XML document looks like.

Web services provide a way to describe their interfaces in enough detail to enable a user to build a client application to communicate with the service. This description is usually provided in an XML document called a WSDL document. In other words, a WSDL file is an XML document that describes a set of SOAP messages and how the messages are exchanged.

Web services are registered so that potential users can find them easily. This is done with Universal Discovery Description and Integration (UDDI). A UDDI directory entry is an XML file that describes a business and the services it offers.

WS-* Security Specifications

There are many components included in web-services specifications (also known as WS-* specifications). However, the most relevant specifications for an AD FS environment are the WS-Security specifications. The specifications that are part of the Web Service Security specifications include the following:

• WS-Security. WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. WS-Security also provides a general-purpose, but extensible, mechanism for associating security tokens with messages and for encoding binary security tokens (specifically X.509 certificates and Kerberos tickets) in SOAP messages.

• WS-Trust. WS-Trust defines extensions that build on WS-Security to request and issue security tokens and manage trust relationships.

• WS-Federation. WS-Federation defines mechanisms that WS-Security can use to enable identity, attribute, authentication, and authorization federation across different trust realms.


• WS-Federation Passive Requestor Profile. This WS-Security extension describes how passive clients, such as web browsers, can be authenticated and authorized, and how the clients can submit claims in a federation scenario. Passive requestors of this profile are limited to the HTTP or HTTPS protocol.

• WS-Federation Active Requestor Profile. This WS-Security extension describes how active clients, such as SOAP-based mobile device applications, can be authenticated and authorized, and how the clients can submit claims in a federation scenario.

Security Assertion Markup Language

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging claims between an identity provider and a service or application provider. SAML assumes that a user has been authenticated by an identity provider, and that the identity provider has populated the appropriate claim information in the security token. When the user is authenticated, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider can make authorization and personalization decisions within an application. The communication between federated servers is based around an XML document storing the X.509 certificate for token-signing, and the SAML 1.1 token.
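The following Windows PowerShell script is an added example, not part of this course or of any Microsoft product, that shows what the relying side of a SAML 1.1 exchange looks at before it trusts an assertion: the issuer, the validity window, the intended audience, and the attribute statement that carries the claims. The assertion is constructed for illustration; the Trey Research and A. Datum host names, URIs and timestamps are placeholders. Signature verification against the token-signing certificate, which is the check that actually proves where the token came from, is performed by the AD FS and WIF runtime and is not reproduced here.

```powershell
# Added example (not course material): relying-party-side checks on a SAML 1.1 assertion.
# The assertion text below is CONSTRUCTED; issuer, audience and times are placeholders.
$samlText = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-id"
    Issuer="http://sts.treyresearch.example/adfs/services/trust"
    IssueInstant="2012-09-01T10:00:00Z">
  <saml:Conditions NotBefore="2012-09-01T10:00:00Z" NotOnOrAfter="2012-09-01T11:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.adatum.example/claimsapp/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>user@treyresearch.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>user@treyresearch.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="role"
        AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>AppUser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

function Test-SamlAssertion {
    param(
        [string]$Xml,
        [string[]]$TrustedIssuers,   # issuers of the claims provider trusts configured on this relying party
        [string]$ExpectedAudience,   # this relying party's own identifier
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')

    $issuer       = $doc.DocumentElement.GetAttribute('Issuer')
    $cond         = $doc.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)
    $notBefore    = [datetime]::Parse($cond.GetAttribute('NotBefore')).ToUniversalTime()
    $notOnOrAfter = [datetime]::Parse($cond.GetAttribute('NotOnOrAfter')).ToUniversalTime()
    $audiences    = @($doc.SelectNodes('/saml:Assertion/saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience', $ns) |
                      ForEach-Object { $_.InnerText })

    # Each failed condition is a reason to reject the token rather than consume its claims.
    $problems = @()
    if ($TrustedIssuers -notcontains $issuer)      { $problems += "untrusted issuer '$issuer'" }
    if ($Now -lt $notBefore)                       { $problems += "not yet valid (NotBefore $notBefore UTC)" }
    if ($Now -ge $notOnOrAfter)                    { $problems += "expired (NotOnOrAfter $notOnOrAfter UTC)" }
    if ($audiences -notcontains $ExpectedAudience) { $problems += "audience mismatch: $($audiences -join ', ')" }

    # Claims are namespace + name, the same form AD FS claim rules refer to them by.
    $claims = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $type = $attr.GetAttribute('AttributeNamespace') + '/' + $attr.GetAttribute('AttributeName')
        $claims[$type] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{ Issuer = $issuer; Valid = ($problems.Count -eq 0); Problems = $problems; Claims = $claims }
}

# Evaluate the constructed assertion at a point inside its validity window.
$result = Test-SamlAssertion -Xml $samlText `
    -TrustedIssuers @('http://sts.treyresearch.example/adfs/services/trust') `
    -ExpectedAudience 'https://app.adatum.example/claimsapp/' `
    -Now ([datetime]'2012-09-01T10:30:00Z').ToUniversalTime()
$result | Select-Object Issuer, Valid, Problems | Format-List
$result.Claims.GetEnumerator() | Format-Table Name, Value -AutoSize
```

Changing the `-Now` value to a time after 11:00 UTC, or the `-ExpectedAudience` to another application, makes `Valid` false and lists the reason, which is the behaviour a relying party needs: a token is rejected as a whole, not consumed partially.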

What Is AD FS?

AD FS is the Microsoft implementation of an identity-federation solution that can use claims-based authentication. AD FS provides the mechanisms to implement both the identity-provider and service-provider components in an identity-federation deployment.

AD FS provides the following features:

• Enterprise claims provider for claims-based applications: You can configure an AD FS server as a claims provider, which means that the server can issue claims about authenticated users. This enables an organization to provide its users with access to claims-aware applications in another organization by using SSO.

• Federation Service for identity federation across domains: This service offers federated web SSO across domains. This enhances security and reduces overhead for IT administrators.

Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which was the second generation of AD FS that Microsoft released. The first version, AD FS 1.0, required AD FS web agents to be installed on all web servers that were using AD FS, and provided both claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or SAML.

AD FS Features

The following are some of the key AD FS features:

• Web SSO. Many organizations have deployed AD DS. After authenticating to AD DS through authentication that integrates with Windows, users can access all other resources that they have permission to access within the AD DS forest boundaries. AD FS extends this capability to Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined user experience when they access an organization's web-based applications.


• Web Services interoperability. AD FS is compatible with the web services specifications. AD FS employs the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

• Passive and smart client support. Because AD FS is based on the WS-* architecture, it supports federated communications between any WS-enabled endpoints, including communications between servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for SOAP-based smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-Federation Active Requestor Profile standards for client support.

• Extensible architecture. AD FS provides an extensible architecture that supports various security token types, including SAML and Kerberos authentication, as well as the ability to perform custom claims transformations. For example, AD FS can convert from one token type to another or add custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.

• Enhanced security. AD FS also increases the security of federated solutions by delegating responsibility of account management to the organization closest to the user. Each individual organization in a federation continues to manage its own identities, and is capable of securely sharing and accepting identities and credentials from other members' sources.

Additional Reading: For information on the different identity federation products that can interoperate with AD FS, and for step-by-step guides on how to configure the products, see the AD FS 2.0 Step-by-Step and How To Guides, located at http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx.

How AD FS Enables SSO in a Single Organization

For many organizations, configuring access to applications and services may not require an AD FS deployment. If all users are members of the same AD DS forest, and if all applications are running on servers that are members of the same forest, you typically can use AD DS authentication to provide application access. However, there are several scenarios in which you can use AD FS, and enable SSO, to optimize the user experience, including:

• The applications may not be running on Windows servers or on any servers that support AD DS authentication. The applications may require SAML or web services for authentication and authorization.

• Large organizations frequently have multiple domains and forests that may be the results of mergers and acquisitions. Users in multiple forests might require access to the same applications.

• Users from outside the office might require access to applications that are running on internal servers. The external users may be logging on to the applications from computers that are not part of the internal domain.

Note: Implementing AD FS does not necessarily mean that users are not prompted
for authentication when they access applications. Depending on the scenario, users may be
prompted for their credentials. However, the key point is that users always authenticate by using
their internal credentials. They never have to remember alternate credentials for the application.


Organizations can use AD FS to enable SSO in these scenarios. Because all users and the application are
in the same organization, the organization only has to deploy a single federation server. This server can
operate as the claims provider so that it authenticates user requests and issues the claims. The same server
also is the relying provider, or the consumer of the claims to provide authorization for application access.
Note: The slide and the following description use the terms Federation Server and
Federation Service Proxy to describe AD FS server roles. The Federation Server is responsible for
issuing claims, and in this scenario, also is responsible for consuming the claims. The Federation
Service Proxy is a proxy component that we recommend is used in a deployment where users
outside the network need to access the AD FS environment. The next lesson covers these
components in more detail.
The following steps describe the communication flow in this scenario:

1. The client computer, which is located outside the network, must access a web-based application on the web server. The client computer sends an HTTPS request to the web server.

2. The web server receives the request, and identifies that the client computer does not have a claim. The web server redirects the client computer to the Federation Service proxy.

3. The client computer sends an HTTPS request to the Federation Service proxy. Depending on the scenario, the Federation Service proxy may prompt the user for authentication or use Windows Integrated authentication to collect the user credentials.

4. The Federation Service proxy passes the request and the credentials to the Federation Server.

5. The Federation Server uses AD DS to authenticate the user.

6. If authentication is successful, the federation server collects AD DS information about the user, which is used to generate the user's claims.

7. If the authentication is successful, the authentication information and other information is collected in a security token and passed back to the client computer, through the Federation Service proxy.

8. The client presents the token to the web server. The web resource receives the request, validates the signed tokens, and uses the claims in the user's token to provide access to the application.

How AD FS Enables SSO in a Business-to-Business Federation

One of the most common scenarios for deploying AD FS is to provide SSO in a business-to-business (B2B) federation. In this scenario, the organization that requires access to another organization's application or service can manage their own user accounts, and define their own authentication mechanisms. The other organization can define what applications and services are exposed to users outside the organization and what claims it accepts to provide application access. To enable application or service sharing in this scenario, the organizations just have to establish a federation trust, and then define the rules for exchanging claims between the two organizations.


The slide above shows the flow of traffic in a federated B2B scenario using a claims-aware web application. In this scenario, users at Trey Research have to access a web-based application at A. Datum. The AD FS authentication process follows these steps:

1. A user at Trey Research, using a web browser, establishes an HTTPS connection to the web server at A. Datum.

2. The web application receives the request, and then verifies that the user does not have a valid token stored in a web browser cookie. Because the user is not authenticated, the web application redirects the client to the federation server at A. Datum, by using an HTTP 302 redirect message.

3. The client computer sends an HTTPS request to the A. Datum federation server. The federation server determines the user's home realm. In this case, the home realm is Trey Research.

4. The client computer is redirected again to the federation server in the user's home realm, Trey Research.

5. The client computer sends an HTTPS request to the Trey Research federation server.

6. If the client computer is logged on to the domain already, the federation server can take the user's Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows Integrated Authentication.

7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that the federation server can use to generate the user's claims.

8. The federation server creates the claim for the user based on the rules defined for the federation partner. The claims data is placed in a digitally signed security token, and then sent to the client computer. The client computer then posts it back to the A. Datum federation server.

9. A. Datum's federation server validates that the security token came from a trusted federation partner.

10. A. Datum's federation server creates and signs a new token, which it sends to the client computer. The client computer then sends the token back to the original URL requested.

11. The application on the web server receives the request, and validates the signed tokens. The web server issues the client a session cookie that indicates that it has authenticated successfully. The federation server issues a file-based persistent cookie (good for 30 days by default) to eliminate the home-realm discovery step during the cookie lifetime. The application then provides access to the application, based on the claims that the user provides.

How AD FS Enables SSO with Online Services

As organizations move services and applications to cloud-based services, it is increasingly important that these organizations have some way to simplify the authentication and authorization experience for their users as they consume the cloud-based services. Cloud-based services add another level of complexity to the IT environment, as those services are located outside the direct administrative control of the IT administrators, and the services may be running on many different platforms.


You can use AD FS to provide an SSO experience to users across the various cloud-based platforms available. For example, once users are authenticated with AD DS credentials, they then could access Microsoft Online Services, such as hosted Microsoft Exchange Online or Microsoft SharePoint Online, by using those domain credentials. AD FS also provides single sign-on to non-Microsoft cloud providers. Because AD FS is based on open standards, AD FS can interoperate with any compliant claims-based system.

The process for accessing a cloud-based application is quite similar to the B2B scenario. One example of a cloud-based service that uses AD FS for authentication is a hybrid Exchange Online deployment. In this type of deployment, an organization has deployed some or all of their mailboxes in an Office 365 Exchange Online environment. However, the organization manages all of their user accounts in their on-premises AD DS environment. The deployment uses the Microsoft Online Services Directory Synchronization tool to synchronize user-account information from the on-premises deployment to the Exchange Online deployment.

When users try to log on to their Exchange Online mailbox, the user must be authenticated by using their internal AD DS credentials. If the user tries to log on directly to the Exchange Online environment, they are redirected back to the internal AD FS deployment to authenticate before the user is given access. The following steps describe how a user tries to access their online mailbox by using a web browser:

1. The user opens a web browser, and then sends an HTTPS request to the Exchange Online Outlook Web App server.

2. The Outlook Web App server receives the request, and then verifies that the user is part of a hybrid Exchange Server deployment. If this is the case, the server redirects the client computer to the Microsoft Online federation server.

3. The client computer sends an HTTPS request to the Microsoft Online federation server.

4. The client computer is redirected again to the on-premises federation server.

5. The client computer sends an HTTPS request to the on-premises federation server.

6. If the client computer is logged on to the domain already, the federation server can take the user's Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows Integrated Authentication. If the user is logging on from outside the network, or from a computer that is not a member of the internal domain, the user is prompted for credentials.

7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that can be used to generate the user's claims.


8. The federation server creates the claim for the user, based on the rules that are defined during the AD FS server setup. The claims data is placed in a digitally signed security token, and then sent to the client computer. The client computer then posts it back to the Microsoft Online federation server.

9. The Microsoft Online federation server validates that the security token came from a trusted federation partner. This trust is configured when you configure the hybrid Exchange environment.

10. The Microsoft Online federation server creates and signs a new token, which it sends to the client computer. The client computer then sends the token back to the Outlook Web App server.

11. The Outlook Web App server receives the request and validates the signed tokens. The server issues the client a session cookie, which indicates that it has successfully authenticated. The user then is granted access to their Exchange server mailbox.

Lesson 2

Deploying Active Directory Federation Services


Now that you have an understanding of how AD FS works, the next step is deploying the service. Before deploying AD FS, you must understand the components that you deploy, and the prerequisites that you must meet, especially with regards to certificates. This lesson provides an overview of deploying the AD FS server role in Windows Server 2012.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the components that an AD FS deployment can include.

• List the prerequisites for an AD FS deployment.

• Describe the Public Key Infrastructure (PKI) and certificate requirements for an AD FS deployment.

• Describe the AD FS federation server roles.

• Install the AD FS server role.

AD FS Components

AD FS is installed as a server role in Windows Server 2012. However, there are many different components that you can install and configure in an AD FS deployment. The following table lists the AD FS components.

Component: What does it do?

Federation Server: The federation server issues, manages, and validates requests that involve identity claims. All implementations of AD FS require at least one Federation Service.

Federation Server Proxy: The Federation Server proxy is an optional component that typically is deployed in a perimeter network. The Federation Server proxy does not add any functionality to the AD FS deployment, but is deployed just to provide a layer of security for connections from the Internet to the Federation Server.

Claims: A claim is a statement that one object makes about another object, such as a user. The claim could include the user's name, job title, or any other factor that might be used in an authentication scenario.

Claim Rules: Claim rules determine how federation servers process claims. For example, a claim rule may state that an email address is accepted as a valid claim, or that a group name from one organization is translated into an application-specific role in the other organization. The rules usually are processed in real time, as claims are made.


Attribute Store: An attribute store is used by AD FS to look up claim values. AD DS is a common attribute store, and is available by default if AD FS is installed on a domain-joined server.

Claims Providers: A claims provider enables one side of the AD FS authentication and authorization process. The claims provider manages the user authentication, and then issues the claims that the user presents to a relying party.

Relying Parties: The relying party enables the second side of the AD FS authentication and authorization process. The relying party is a web service that consumes claims from the claims provider. The relying party server must have the Windows Identity Foundation (WIF) installed or use the AD FS 1.0 claims-aware agent.

Claims Provider Trust: This is configuration data that defines rules under which a client may request claims from a claims provider and subsequently submit them to a relying party. The trust consists of various identifiers, such as names, groups, and various rules.

Relying Party Trust: This is the AD FS configuration data that is used to provide claims about a user or client to a relying party. It consists of various identifiers, such as names, groups, and various rules.

Certificates: AD FS uses digital certificates when communicating over SSL or as part of the token-issuing process, the token-receiving process, and the metadata-publishing process.

Endpoints: Endpoints are mechanisms that enable access to the AD FS technologies, including token issuance and metadata publishing. AD FS comes with built-in endpoints that are responsible for a specific functionality.

Note: Many of these components are described in more detail in the remainder of this module.
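The claim rule examples mentioned in the table above (an e-mail address accepted as a claim, and a group translated into an application-specific role) can be written in the AD FS claim rule language and attached to a relying party trust with the AD FS Windows PowerShell cmdlets that ship with the server role. The script below is an added example, not course material or Microsoft sample code. The relying party trust name, the group name, the role value and the rule names are placeholders for the Trey Research and A. Datum scenario; the claim type URIs and the `Set-AdfsRelyingPartyTrust` / `Get-AdfsRelyingPartyTrust` cmdlets and parameters are the standard AD FS ones. Run it on a federation server against a relying party trust that already exists.

```powershell
# Added example (not course material): issuance transform and authorization rules for a
# relying party trust. Trust name, group, role and rule names are PLACEHOLDERS.
Import-Module ADFS

$relyingParty = 'A. Datum Claims App'   # placeholder: display name of an existing relying party trust

# Rule 1: the "e-mail address accepted as a claim" case. When this federation server has itself
# authenticated the user (windowsaccountname claim from AD AUTHORITY), read the mail attribute
# from the Active Directory attribute store and issue it as an e-mail address claim.
$issueEmail = @'
@RuleName = "Issue e-mail address from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);
'@

# Rule 2: the "group translated into an application-specific role" case. A group claim with a
# made-up group name becomes a role claim the application understands; no group names leak through.
$groupToRole = @'
@RuleName = "Map Finance Users group to AppUser role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Finance Users"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "AppUser");
'@

# Authorization rule: only users who received the AppUser role get a token for this relying party.
# Because no other permit rule exists, everyone else is denied by default.
$permitAppUsers = @'
@RuleName = "Permit AppUser role only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "AppUser"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rules in one set are separated by newlines; the transform rules run before the authorization rules.
Set-AdfsRelyingPartyTrust -TargetName $relyingParty `
    -IssuanceTransformRules ($issueEmail + "`n" + $groupToRole) `
    -IssuanceAuthorizationRules $permitAppUsers

# Read back what the federation server now applies for this trust.
Get-AdfsRelyingPartyTrust -Name $relyingParty |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Keeping the authorization rule on a deny-by-default footing (a permit is issued only for the role the application needs) is the part that matters for security: the transform rules decide what the token says, the authorization rules decide whether a token is issued at all.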

AD FS Prerequisites

Before deploying AD FS, you must ensure that your internal network meets some basic prerequisites. The configuration of the following network services is critical for a successful AD FS deployment:

• Network connectivity: TCP/IP connectivity must exist between:

o The client computer

o A domain controller

o Federation Service server

o Federation Service Proxy server (when applicable)

o An application server that is integrated with AD FS

o Web server running the AD FS Web Agent (AD FS v1 only)


• AD DS: AD DS is a critical piece of AD FS. Domain controllers should be running Windows Server 2003 Service Pack 1 (SP1) at a minimum. In both AD FS v1 and AD FS, federation servers must be joined to an AD DS domain. The Federation Service proxy does not have to be domain-joined. In fact, we recommend that this component be installed on a workgroup-joined computer as a security best practice. Although you can install AD FS on a domain controller, we do not recommend this due to security implications.

• Attribute stores: AD FS uses an attribute store to build claim information. The attribute store contains information about users; this information is extracted from the store by the AD FS server after the user has been authenticated. AD FS supports the following attribute stores:

o Active Directory Application Mode (ADAM) in Windows Server 2003

o Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012

o Microsoft SQL Server 2005 (all editions)

o Microsoft SQL Server 2008 (all editions)

o A custom attribute store

Note: AD DS can be used both as the authentication provider and as an attribute store. AD FS also can use AD LDS as an attribute store. In AD FS v1, you can use AD LDS as an authentication store, but in the current version of AD FS, you only can use AD LDS as an attribute store.

• Domain Name System (DNS): Name resolution allows clients to find federation servers. The client computers must resolve the DNS names for all federation servers that they connect to, as well as the web applications that the client computer is trying to use. If the client computer is external to the network, the client computer must resolve the DNS name for the federation service proxy, not the internal federation server. The Federation Service proxy must resolve the name of the internal federation server. If internal users have to access the internal federation server directly, and external users have to connect through the Federation Server proxy, you require a split DNS.

• Operating-system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a server role on a Windows Server 2012 server. AD FS 2.0, which is almost identical to the Windows Server 2012 version, can be installed on Windows Server 2008 Service Pack 2 (SP2) or Windows Server 2008 R2.
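The connectivity, AD DS membership, DNS and operating-system prerequisites above can be checked from the server you intend to deploy on before you install the role. The Windows PowerShell script below is an added example, not part of this course; the host names and ports are placeholders for the A. Datum lab (a federation server, a domain controller on LDAP port 389, and a proxy), and the domain-role and version interpretations are those of the WMI `Win32_ComputerSystem` and `Win32_OperatingSystem` classes. It uses only .NET and WMI, so it runs on Windows Server 2012 without the AD FS role installed.

```powershell
# Added example (not course material): prerequisite checks for an AD FS deployment host.
# Host names and ports below are PLACEHOLDERS; substitute the names in your environment.
$checks = @(
    @{ Host = 'adfs.adatum.example';      Port = 443 },  # federation service name (internal answer in a split DNS)
    @{ Host = 'dc01.adatum.example';      Port = 389 },  # a domain controller (LDAP)
    @{ Host = 'adfsproxy.adatum.example'; Port = 443 }   # Federation Service proxy, if deployed
)

function Test-HostReachable {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $result = [ordered]@{ Host = $HostName; Port = $Port; Resolves = $false; Addresses = ''; PortOpen = $false }
    try {
        # DNS: the name must resolve from this host's point of view (internal or perimeter).
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Resolves  = $true
        $result.Addresses = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
        # TCP/IP connectivity: attempt a connection to the service port with a timeout.
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $result.PortOpen = $true }
        $client.Close()
    } catch { }   # unresolved name or refused connection simply leave the flags false
    [pscustomobject]$result
}

function Test-AdfsHostPrerequisites {
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName       = $cs.Name
        DomainJoined       = $cs.PartOfDomain        # required for a federation server; discouraged for the proxy
        IsDomainController = ($cs.DomainRole -ge 4)  # DomainRole 4 or 5 means this host is a DC: not recommended for AD FS
        OSCaption          = $os.Caption
        OSVersion          = $os.Version             # Windows Server 2012 reports 6.2.x
    }
}

Test-AdfsHostPrerequisites | Format-List
foreach ($c in $checks) { Test-HostReachable -HostName $c.Host -Port $c.Port } | Format-Table -AutoSize
```

Run the same script once on an internal server and once on the perimeter proxy: in a split-DNS deployment the federation service name should resolve to different addresses in the two places, and the proxy host should report `DomainJoined` as false.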

PKI and Certificate Requirements

AD FS is designed to enable computers to communicate securely, even though they may be located in different locations. In this scenario, most of the communications between computers passes through the Internet. To provide security for the network traffic, all communications are protected by using SSL. This factor means that it is important to choose and assign SSL certificates correctly to the AD FS servers. To provide SSL security, AD FS servers use certificates in the following three ways.

Service Communication Certificates

This certificate is used to secure SSL communications to the websites running on the AD FS server and is
bound to the default web site on the AD FS server. You can choose which certificate to use when you
configure the AD FS server role on the server, and can change the assigned certificate after deployment
by using the AD FS management console. This certificate also is called a server authentication certificate.

Token-Signing Certificates

The token-signing certificate is used to sign every token issued by a federation server. This certificate is critical in an AD FS deployment, because the token signature indicates which federation server issued the token. The claims provider uses this certificate to identify itself, and the relying party uses it to verify that the token is coming from a trusted federation partner.
The relying party also requires a token-signing certificate to sign the tokens that it prepares for other AD FS components, such as web applications and clients. These tokens must be signed by the relying party's token-signing certificate in order for the destination applications to validate them.

When you configure a Federation Server, the server assigns a self-signed certificate as the token-signing
certificate. Because no other parties trust the self-signed certificate, it is important that you replace the
self-signed certificate with a trusted certificate. You can configure multiple token-signing certificates on
the federation server, but only the primary certificate is used to sign tokens.

Token-Decrypting Certificates
Token-decrypting certificates encrypt the entire user token before transmitting the token across the
network. To provide this functionality, the relying party federation server sends the certificate to the
claims provider federation server. The certificate is sent without the private key. The claims provider
server uses the public key from the certificate to encrypt the user token. When the token is returned to
the relying party federation server, it uses the private key from the certificate to decrypt the token. This
provides an extra layer of security when transmitting the certificates across the Internet.
When you configure a Federation Server, the server assigns a self-signed certificate as the token-decrypting certificate. Because no other parties have to trust this certificate, it is possible to continue to use this certificate without replacing it with a trusted certificate.

Note: Federation server proxies only require a service communication certificate. The certificate is used to enable SSL communication for all client connections. Since the federation server proxy does not issue any tokens, it does not need the other two types of certificates. Web servers that are deployed as part of an AD FS deployment also should be configured with SSL server certificates to enable secure communications with client computers.

Choosing a Certification Authority

AD FS federation servers can use self-signed certificates, certificates from an internal, private certification
authority (CA), or certificates that have been purchased from an external public CA.

The most important factor when choosing the certificates in most AD FS deployments is that the
certificates be trusted by all parties involved. This means that if you are configuring an AD FS deployment
that interacts with other organizations, you are almost certainly going to use a public CA, because all
partners trust the certificates issued by the public CA automatically.
If you are deploying AD FS just for your organization, and all servers and client computers are under
your control, you can consider using a certificate from an internal private CA. If you deploy an enterprise
CA on Windows Server 2012, you can use Group Policy to ensure that all computers in the organization
automatically trust the certificates that the internal CA issues. Using an internal CA can decrease the cost
of the certificates significantly.

Note: Deploying an internal CA using Active Directory Certificate Services is very easy, but it is critical that you plan and implement the deployment carefully.


When you install the AD FS server role, the server is configured with self-signed certificates. These certificates are not trusted by any other systems, so you must replace the server communications certificate and the token-signing certificates with a trusted certificate. It is not critical that you replace the token-decrypting certificate with a trusted certificate.

Federation Server Roles

When you deploy the AD FS server role, and configure the server, you can choose which role the server plays in an AD FS deployment. You can configure an AD FS server in one of three roles:

Claims Provider. A claims provider is a federation server that provides signed tokens containing claims to users. Claims provider federation servers are deployed in organizations where user accounts are located. When a user requests a token, the claims provider federation server verifies the user authentication by using AD DS, and then collects information from an attribute store, such as AD DS or AD LDS, to populate the user claim with the attributes required by the partner organization. The server issues tokens in the Security Assertion Markup Language (SAML) format. The claims provider federation server also protects the contents of security tokens in transit by signing and optionally encrypting them.

Relying Party. A relying party is a federation server that receives security tokens from a trusted claims provider. The relying party federation servers are deployed in organizations that provide application access to claims provider organizations. The relying party accepts and validates the claim, and then issues new security tokens that the web server can use to provide appropriate access to the application.

Note: A single AD FS server can operate as both a claims provider and a relying party, even with the same partner organizations. The AD FS server functions as a claims provider when it is authenticating users and providing tokens for another organization, but also can accept tokens from the same or another organization in a relying party role.

Federation Server Proxy. A federation server proxy provides an extra level of security for AD FS traffic coming from the Internet to the internal AD FS federation servers. Federation server proxies can be deployed in both the claims provider and relying party organizations. On the claims provider side, the proxy collects the authentication information from client computers and passes it to the claims provider federation server for processing. The federation server issues a security token to the proxy, which sends it to the relying party proxy. The relying party federation server proxy accepts these tokens, and then passes them on to the internal federation server. The relying party federation server issues a security token for the web application, and then sends the token to the proxy, which then forwards the token to the client. The federation server proxy does not provide any tokens or create claims. It only forwards requests from clients to internal AD FS servers.

Implementing Active Directory Federation Services

Note: You cannot configure a federation server proxy as a claims provider or a Relying
Provider. The claims provider and Relying Provider must be members of an AD DS domain. You
must configure the federation server proxy as a member of a workgroup, and then deploy it in a
perimeter network.

Demonstration: Installing the AD FS Server Role


In this demonstration, you will see how to install and complete the initial configuration of the AD FS
server role in Windows Server 2012. The instructor will install the server role, and then run the AD FS
Federation Server Configuration Wizard to configure the server as a standalone federation server.

Demonstration Steps

1. On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

2. Run the AD FS Federation Server Configuration Wizard by using the following parameters:
   a. Create a new federation service
   b. Create a stand-alone deployment
   c. Use the LON-DC1.Adatum certificate
   d. Choose a service name of LON-DC1.Adatum.com

3. Open Windows Internet Explorer, and then connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
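The following Windows PowerShell script is an added example, not part of the course material: it performs the role installation from step 1 and then reads the federation metadata document that step 3 opens in the browser, listing the federation service identifier, the signing and encryption certificates the service publishes (with their expiry dates), and the advertised endpoints. It assumes PowerShell 3.0 on Windows Server 2012 and the lab names from the demonstration.

```powershell
# Added example (not from the course): install the AD FS role and inspect the
# federation metadata that the configuration wizard publishes.
# Assumes Windows Server 2012 / PowerShell 3.0 and the lab names used in the demonstration.

# Command-line equivalent of adding the AD FS server role in Server Manager (step 1).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# The document that step 3 opens in Internet Explorer. Partners import this same document
# when they create a claims provider trust or relying party trust "from metadata".
# If the service communications (SSL) certificate is not trusted by this computer, the
# request below fails; that is the certificate the lesson says you must replace.
$metadataUrl = 'https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml'
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')

# The entityID is the federation service identifier that partner trusts must match.
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
"Federation service identifier: {0}" -f $entity.GetAttribute('entityID')

# KeyDescriptor use="signing" carries the token-signing certificate that relying parties
# must trust; use="encryption" carries the token-decrypting certificate, which the lesson
# says may stay self-signed. Decode each one and show subject, expiry and whether it is
# self-signed (subject equals issuer).
foreach ($kd in $md.SelectNodes('//md:KeyDescriptor', $ns)) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[Convert]::FromBase64String($b64.Trim()))
    "{0,-20} {1,-10} {2,-40} expires {3:yyyy-MM-dd} self-signed={4}" -f `
        $kd.ParentNode.LocalName, $kd.GetAttribute('use'), $cert.Subject,
        $cert.NotAfter, ($cert.Subject -eq $cert.Issuer)
}

# Endpoints the metadata advertises: the passive WS-Federation endpoint used by
# browser clients, and any SAML 2.0 single sign-on endpoints.
$md.SelectNodes('//fed:PassiveRequestorEndpoint//*[local-name()="Address"]', $ns) |
    ForEach-Object { "WS-Federation endpoint: $($_.InnerText)" }
$md.SelectNodes('//md:SingleSignOnService', $ns) |
    ForEach-Object { "SAML SSO endpoint ({0}): {1}" -f $_.GetAttribute('Binding'), $_.GetAttribute('Location') }
```

Running the certificate loop periodically is a simple way to catch a token-signing certificate that is about to expire before partner trusts start failing.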

Lesson 3
Implementing AD FS for a Single Organization

The simplest deployment scenario for AD FS is within a single organization. In this scenario, a single AD FS server can operate both as the claims provider and as the Relying Provider. All users in this scenario are internal to the organization, as is the application that the users are accessing.

This lesson provides details on the components that are required to configure in a single organization deployment of AD FS. These components include configuring claims, claim rules, claims provider trusts, and relying party trusts.

Lesson Objectives

After completing this lesson, you will be able to:

Describe AD FS claims.

Describe AD FS claim rules.

Describe claims provider trusts.

Describe relying provider trusts.

Configure claims provider and relying provider trusts.

What are AD FS Claims?

AD FS claims provide the link between the claims provider and Relying Provider roles in an AD FS deployment. The claims provider creates the claims and the Relying Provider consumes the claims. AD FS claims provide a standards-based and flexible way for claims provider organizations to provide very specific information about users in their organizations, and a way for Relying Providers to define exactly what information they require to provide application access.

An AD FS claim is a statement made about a particular subject (such as a user) by a trusted entity (such as a claims provider). The claim information provides the details that the application requires to enable access to claims-aware applications.

Claim Types

Each AD FS claim has a claim type, such as Email Address, UPN, or Last Name. Users can be issued claims based on any defined claim type. So a user might be issued a claim with a type of Last Name and a value of Weber. AD FS provides several built-in claim types, or you can create new ones based on the organization requirements.

Note: In AD FS 1.0, you could configure claims as identity claims, group claims or custom claims. These claim types do not apply to AD FS 2.0 or later. Essentially, all claims are now considered custom claims.


Each AD FS claim type is identified by a Uniform Resource Identifier (URI) that uniquely identifies the claim type. This information is provided as part of the AD FS server metadata. For example, if the claims provider organization and the Relying Provider organization decide to use a claim type of AccountNumber, both organizations must configure a claim type with this name. The claim type is published, and the claim type URI must be identical on both AD FS servers.

How Claim Values are Populated

The claims issued by a claims provider contain the information that is required by the relying party to enable appropriate application access. One of the first steps in planning an AD FS deployment is to define exactly what information the applications must have about each user to provide that application access. Once this information is defined, the claims are defined on the claims provider federation server. The information required to populate the claim can be obtained in several ways:

The claim can be retrieved from an attribute store. Frequently, the information required for the claim is already stored in an attribute store that is available to the federation server. For example, an organization might decide that the claim should include the user's UPN, email address, and group memberships. This information is already stored in AD DS, so the federation server can just retrieve this information from AD DS when creating the claim. Since AD FS can use AD DS, AD LDS, Microsoft SQL Server, a third-party Lightweight Directory Access Protocol (LDAP) directory, or a custom attribute store to populate claims, you can define almost any value within the claim.

The claim can be calculated based on collected information. Claims provider federation servers can also calculate information based on information gathered from an attribute store. For example, you may want to provide information about a person's salary within a claim. This information is likely stored in a Human Resources database, but the actual value may be considered confidential. You can define a claim that categorizes salaries within an organization, and then have the AD FS server calculate which category a specific user belongs to. In this way, the claim only includes the salary category information, not the actual user salary.

The claim can be transformed from one value to another. In some cases, the information stored in an attribute store does not exactly match the information that the application requires when making authorization decisions. For example, the application may have different user roles defined that do not directly match the attributes stored in any attribute store. However, the application role may correlate to AD DS group membership. For example, users in the Sales group may correlate to one application role, while users in the Sales Management group may correlate to a different application role. To establish the correlation in AD FS, you can configure a claims transformation that takes the value that the claims provider provides, and translates the value to a claim that is useful to the relying party's application.

What Are AD FS Claim Rules?

Claims rules define how AD FS servers send and consume claims. Claims rules define the business logic that is applied to claims that claims providers provide, and to claims that the relying parties accept. You can use claim rules to:

Define which incoming claims are accepted from one or more claims providers.

Define which outbound claims are provided to one or more relying parties.

Apply authorization rules to enable access to a specific relying party for one or more users or groups of users.

You can define two types of claim rules:

Claim rules for a claims provider trust. A claims provider trust is the AD FS trust relationship configured between an AD FS server and a claims provider. You can configure claim rules to define how the claims provider processes and issues claims.

Claim rules for a relying party trust. A relying party trust is the AD FS trust relationship configured between an AD FS server and a relying party. You can configure claim rules that define how the relying party accepts claims from the claims provider.

Claims rules on an AD FS claims provider are all considered acceptance transform rules. These rules determine what types of claims are accepted from the claims provider and then sent to a relying party trust. When configuring AD FS within a single organization, there is a default claims provider trust configured with the local AD DS domain, so this rule set defines the claims that are accepted from AD DS.

There are three types of claim rules for a relying party trust:

Issuance Transform Rules: These rules define the claims that are sent to the relying party that has been defined in the relying party trust.

Issuance Authorization Rules: These rules define which users are permitted or denied access to the relying party that has been defined in the relying party trust. This rule set can include rules that explicitly permit access to a relying party, and/or rules that explicitly deny access to a relying party.

Delegation Authorization Rules: These rules define the claims that specify which users can act on behalf of other users when accessing the relying party. This rule set can include rules that explicitly permit delegates for a relying party, or rules that explicitly deny delegates to a relying party.

A single claim rule is associated with a single federated trust relationship. This means that you cannot create a set of rules for one trust and then reuse those rules for other trusts that you configure on your federation server.

AD FS servers are preconfigured with a set of default rules, as well as several default templates that you can use to create the most common claims rules. You can also create custom claim rules by using the AD FS claim rule language.

What Is a Claims Provider Trust?

You configure a claims provider trust on the relying party federation server. The claims provider trust identifies the claims provider, and also describes how the relying party consumes the claims that the claims provider issues. You must configure a claims provider trust for each claims provider.

By default, an AD FS server is configured with a claims provider trust named Active Directory. This trust defines the claim rules, which are all acceptance transform rules that define how the AD FS server accepts AD DS credentials. For example, the default claim rules on the claims provider trust include rules that pass the user names, SIDs, and group SIDs to the relying party. In a single-organization AD FS deployment, where AD DS authenticates all users, the default claims provider trust may be the only required claims provider trust.


When you expand the AD FS deployment to include other organizations, you must create additional claims provider trusts for each federated organization. You have three options when configuring a claims provider trust:

Import data about the claims provider through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS connects to the partner server, and downloads the federation metadata from the server. The federation metadata includes all information required to configure the claims provider trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that the partner federation server uses.

Import data about the claims provider from a file. Use this option if the partner federation server is not directly accessible from your federation server, but where the partner organization has exported its configuration, and then provided you the information in a file. The configuration file must include the configuration information for the partner organization, as well as the SSL certificate that the partner federation server uses.

Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly. When you choose this option, you must provide the features that the claims provider supports, as well as the URL used to access the claims provider AD FS servers. Furthermore, you must add the SSL certificate that the partner organization uses.

What Is a Relying Party Trust?

A relying party trust is defined on the claims provider federation server. The relying party trust identifies the relying party, and also defines the claims rules that define how the relying party accepts and processes claims from the claims provider.

In a single-organization scenario, the relying party trust defines how the AD FS server interacts with the applications deployed within the organization. When you configure the relying party trust in a single organization, you provide the URL for the internal application and configure settings such as whether the application supports SAML 2.0 or whether it requires AD FS 1.0 tokens, the SSL certificate and URL used by the web server, and the application's issuance-authorization rules.

The process for configuring a relying party trust is very similar to the claims provider trust. When you expand the AD FS deployment to include other organizations, you must create additional relying party trusts for each federated organization. You have three options when configuring a relying party trust:

Import data about the relying party through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS connects to the partner server, and downloads the federation metadata from the server. The federation metadata includes all the information required to configure the relying party trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that the partner federation server uses.


Import data about the relying party from a file. Use this option if the partner federation server is not
directly accessible from your federation server, but where the partner organization has exported its
configuration and provided you the information in a file. The configuration file must include the
configuration information for the partner organization, as well as the SSL certificate that the partner
federation server uses.

Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly.

Demonstration: Configuring Claims Provider and Relying Party Trusts

In this demonstration, you will see how to configure claims provider trusts and relying party trusts. The
instructor will show how to edit the default Active Directory claims provider trust, and will create a new
relying party trust and show how to configure the trust.

Demonstration Steps

1. In the AD FS 2.0 Management console, go to the Claims Provider Trusts, highlight the Active Directory store, and then go to Edit Claim Rules.

2. In the Edit Claim Rules for Active Directory dialog on the Acceptance Transform Rules tab, start the Add Transform Claim Rule Wizard, and complete the wizard with the following settings:
   o Under Claim rule template select Send LDAP Attributes as Claims.
   o Name the claim rule Outbound LDAP Attribute Rule.
   o Choose Active Directory as the Attribute Store.

3. In the Mapping of LDAP attributes to outgoing claim types, select the following values:
   o E-Mail-Addresses to E-Mail Address
   o User-Principal-Name to UPN

4. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.

5. Complete the wizard with the following settings:
   o Point to the web.config file of the WIF sample application by pointing to C:\Inetpub\wwwroot\AdatumTestApp\web.config.
   o Specify an Application URI box by typing https://lon-svr1.adatum.com/AdatumTestApp/.
   o Select Use an existing STS, and enter a path https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
   o Disable certificate chain validation.
   o Select No encryption.

6. In the AD FS 2.0 Management console, in the middle pane, click Required: Add a trusted relying party.

7. Complete the Add Relying Party Trust Wizard with the following settings:
   o Select Import data about the relying party published online or on a local network, and type https://lon-svr1.adatum.com/adatumtestapp.
   o Specify a Display name of ADatum Test App.
   o Select Permit all users to access this relying party.
   o Select Permit access for all users.
   o Select to open the Edit Claims Rules for WIF Sample Claims App check box when the wizard is complete.

Lesson 4
Deploying AD FS in a Business to Business Federation Scenario

A second common scenario for implementing AD FS is in a B2B federation scenario. In this scenario, users in one organization have to be able to access an application in another organization. AD FS in this scenario enables SSO. Users always log on to their home AD DS environment, but are granted access to the partner application based on the claims acquired from their local AD FS server.

Configuring AD FS in a B2B federation scenario is quite similar to configuring AD FS in a single organization scenario. The primary difference is that now the claims provider trusts and the relying provider trusts refer to external organizations rather than internal AD DS or application.

This lesson describes how to configure AD FS in a B2B scenario.

Lesson Objectives

After completing this lesson, you will be able to:

Configure the account partner in a B2B federation scenario.

Configure the resource partner in a B2B federation scenario.

Describe how claims transformations work.

Describe how home-realm discovery works.

Configure claims rules.

Configuring an Account Partner

In a B2B AD FS scenario, the terminology used to describe the parties involved in the AD FS deployment changes slightly. In this scenario, the claims provider organization is also called the account partner organization. An account partner organization is the organization in which the user accounts are stored in an attribute store. An account partner handles the following tasks:

Gathering credentials from users by using a web-based service, and then authenticating those credentials.

Building up claims for users, and then packaging the claims into security tokens. The tokens can then be presented across a federation trust to gain access to federation resources located at the resource partner organization.

Configuring the account partner organization to prepare for federation involves the following steps:

1. Implement the physical topology for the account partner deployment. This step could include deciding on the number of federation servers and federation server proxies to deploy, the locations where these will be deployed and configuring the required DNS records and certificates.

2. Add an attribute store. Use the AD FS management console to add the attribute store. In most cases, you use the default Active Directory attribute store, which also must be used for authentication. However, you also can add other attribute stores, if necessary, to build user claims.


3. Connect to a resource partner organization by creating a relying party trust. The easiest way to do this is to use the federation metadata URL that the resource partner organization provides. With this option, your AD FS server automatically collects the information that the relying party trust requires.

4. Add a claim description. The claim description lists the claims that your organization provides to the relying partner. This information may include user names, email addresses, group membership information, or other identifying information about a user.

5. Prepare client computers for federation. This may involve two steps:
   o Add the account partner federation server to the trusted sites list in the browser of client computers. By adding the account partner federation server to the trusted sites list on the client computers, you enable Windows Integrated Authentication, which means that users are not prompted for authentication if they are already logged into the domain. You can use Group Policy objects (GPOs) to assign the URL to the trusted site.
   o Configure certificate trusts. This is an optional step that is required only if one or more of the servers accessed by the clients do not have trusted certificates. The client computer may have to connect to the account federation servers, resource federation servers or federation proxy servers, and the destination web servers. If any of these certificates are not from a trusted public CA, you may have to add the appropriate certificate or root certificate to the certificate store on the clients. You can do this by using GPOs.

Configuring a Resource Partner

The resource partner organization is the relying party in a B2B federation scenario. The resource partner organization is where the resources exist and are made accessible to account partner organizations. The resource partner handles the following tasks:

Accepts and validates security tokens that the account-partner federation server produces.

Consumes the claims from the security tokens, and then provides new claims to its web servers after making an authorization decision.

The web servers must have Windows Identity Framework (WIF) installed or have the AD FS 1.x Claims-Aware Web Agent role services installed to externalize the identity logic and accept claims.

Note: Microsoft offers WIF to provide a set of consistent development tools that enable developers to integrate claims-based authentication and authorization into their applications. WIF also includes a Software Development Kit (SDK) and sample applications. You use a WIF sample application in the lab for this module.

Configuring the resource partner organization is similar to configuring the account partner organization, and consists of the following steps:

1. Implement the physical topology for the resource partner deployment. The planning and implementation steps are the same as the account partner, with the addition of planning the web server location and configuration.


2. Add an attribute store. On the resource partner, the attribute store is used to populate the claims that are offered to the client, which presents them to the web server.

3. Connect to an account partner organization by creating a claims provider trust.

4. Create claim rule sets for the claims provider trust.

Configuring Claims Rules for Business to Business Scenarios

In a single organization deployment of AD FS, it may be quite easy to design and implement claims rules. In many cases, you may need to just provide the user name or group name collected from the claim to the web server. In a B2B scenario, it is more likely that you have to configure more complicated claims rules to define user access between widely varying systems.

Claim rules define how account partners (claims providers) create claims, and how resource partners (relying parties) consume claims. AD FS provides several templates that you can use when configuring claim rules:

Send LDAP Attribute as Claims rule template. Use this template when you select specific attributes in an LDAP attribute store to populate claims. You can configure multiple LDAP attributes as individual claims in a single claim rule created from this template. For example, you can create a rule that extracts the displayName and givenName AD DS attributes from all authenticated users, and then send these values as outgoing claims to be sent to a relying party.

Send Group Membership as a Claim rule template. Use this template to send a particular claim type and associated claim value based on the user's AD DS security group membership. For example, you might use this template to create a rule that sends a group claim type with a value of SalesAdmin if the user is a member of the Sales Manager security group within their AD DS domain. This rule only issues a single claim, based on the AD DS group that you select as a part of the template.

Pass Through or Filter an Incoming Claim rule template. Use this template to set additional restrictions on which claims are submitted to relying parties. For example, you might want to use a user email address as a claim, but only forward the email address if the domain suffix on the email address is adatum.com. When using this template, you can either pass through whatever claim you extract from the attribute store, or you can configure rules that filter whether the claim passes through based on various criteria.

Transform an Incoming Claim rule template. Use this template to map the value of an attribute in the claims provider attribute store to a different value in the relying party attribute store. For example, you may want to provide all members of the Marketing department at A. Datum limited access to a purchasing application at Trey Research. At Trey Research, the attribute used to define the limited access level may have an attribute of LimitedPurchaser. To address this scenario, you can configure a claims rule that transforms an outgoing claim where the Department value is Marketing to an incoming claim where the ApplicationAccess attribute is LimitedPurchaser. Rules created from this template must have a one-to-one relationship between the claim at the claims provider and the claim at the relying partner.


Permit or Deny Users based on an Incoming Claim rule template. This template is available only when you are configuring Issuance Authorization Rules or Delegation Authorization Rules on a relying party trust. Use this template to create rules that enable or deny access by users to a relying party, based on the type and value of an incoming claim. This claim rule template allows you to perform an authorization check on the claims provider before claims are even sent to a relying party. For example, you can use this rule template to create a rule that only permits users from the Sales group to access a relying party; authentication requests from members of other groups are not even sent to the relying party.

If none of the built-in claim rule templates provide the functionality that you are looking for, you can create more complex rules using the AD FS Claim Rule Language. By creating a custom rule, you can extract claims information from multiple attribute stores and also combine claim types into a single claim rule.

How Home Realm Discovery Works

Some resource partner organizations hosting claims-aware applications may want to enable multiple account partners to access the applications. In this scenario, when users connect to the web application, there must be some mechanism for directing the users to the AD FS federation server in their home domain rather than to another organization's federation server. The process for directing clients to the appropriate account partner is called home realm discovery.

Home realm discovery occurs after the client connects to the relying party's web site and the client has been redirected to the relying party's federation server. At this point, the relying party's federation server must redirect the client to the federation server in the client's home realm, so that the user can be authenticated. If there are multiple claims providers configured on the relying party federation server, it has to know to which federation server to redirect the client.

At a high level, there are three main ways to implement home realm discovery:
1. Ask users to select their home realm. With this option, when the user is redirected to the relying party's federation server, the federation server can display a web page that requests that the user identify the company they work for. Once the user selects the appropriate company, the federation server uses that information to redirect the client computer to the appropriate home federation server for authentication.

2. Modify the link for the web application to include a whr string that specifies the user's home realm. The relying party's federation server uses this string to automatically redirect the user to the appropriate home realm. This means that the user does not have to be prompted to select the home realm, because the whr string in the URL that the user clicks relays the needed information to the relying party's federation server. The modified link might look something like https://www.adatum.com/OrderApp/?whr=urn:federation:TreyResearch.

3. If the remote application is SAML 2.0-compliant, users can use a SAML profile called IdP-Initiated SSO. This SAML profile configures users to access their local claims provider first, which can prepare the user's token with the claims required to access the partner web application. This process changes the normal process for accessing the web application by having the users log on to the claims provider federation server first, and then prompting them to select which application they want to access so that their token can be created with the appropriate information.

Note: The home realm discovery process occurs the first time the user tries to access a web application. After the user successfully authenticates, a home-realm discovery cookie is issued to the client so that the user does not have to go through the process the next time. This home-realm discovery cookie expires after a month, unless the cookie cache is cleared sooner.

Demonstration: Configuring Claims Rules

In this demonstration, you will see how to configure claims rules. You will see how to configure claims
rules on a relying party trust that forwards a group name as part of the claim. You will also see how to
configure a claims rule that limits access to the application only to members of a particular group.

Demonstration Steps
1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send Group Name rule, and configure the rule to use an incoming claim type of group.
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option to Permit access to users with this incoming claim.
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option to Permit access to users with this incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.

Lab: Implementing AD FS
Scenario

A. Datum has set up a variety of business relationships with other companies and customers. Some of
these partner companies and customers must access business applications that are running on the A.
Datum network. The business groups at A. Datum want to provide a maximum level of functionality and
access to these companies. The security and operations departments want to ensure that the partners and
customers can only access the resources to which they require access, and that implementing the solution
does not significantly increase the workload for the operations team.
A. Datum is also working on migrating some parts of their network infrastructure to online services,
including Windows Azure and Office 365.

To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement single sign on for internal users accessing an application on a
web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey
Research users must be able to access the same application.

As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims aware application, and then configure
AD FS to enable both internal users and Trey Research users to access the same application.

Objectives

Configure the AD FS prerequisites.

Install and configure AD FS.

Configure and validate SSO for single organization.

Configure and validate SSO for a business federation scenario.

Lab Setup
Estimated time: 90 minutes

Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-MUN-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-MUN-DC1.
   a. Do not log on to 20417A-LON-CL1 at this point.
   b. On 20417A-MUN-DC1, log in as TreyResearch\Administrator with the password Pa$$w0rd.

Exercise 1: Configuring AD FS Prerequisites


Scenario

To deploy AD FS at A. Datum, you must verify that all required components are configured. You plan to
verify that AD CS is deployed in the organization, and then configure the certificates required for AD FS
on the AD FS server and on the web servers. You also plan to configure the DNS forwarders to enable
communication between Adatum.com and TreyResearch.com.
The main tasks for this exercise are as follows:
1. Configure DNS forwarders.
2. Exchange root certificates to enable certificate trusts.
3. Request and install a certificate for the web server.
4. Bind the certificate to the claims aware application on the web server and verify application access.

X Task 1: Configure DNS forwarders
1. On LON-DC1, create a new conditional forwarder for the TreyResearch.com domain, by using the DNS server IP address of 172.16.10.10.
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, by using the DNS server IP address of 172.16.0.10.

X Task 2: Exchange root certificates to enable certificate trusts
1. On LON-DC1, copy the MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt from \\MUN-DC1.treyresearch.com\certenroll to the Documents folder.
2. Create a new Microsoft Management Console (MMC), and then add the Group Policy Management Editor.
3. Edit the Default Domain Policy Group Policy Object, and import the copied root certificate to the Trusted Root Certification Authorities folder.
4. On MUN-DC1, copy the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt from \\LON-DC1.Adatum.com\certenroll to the Documents folder.
5. Create a new MMC, and then add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.

X Task 3: Request and install a certificate for the web server
1. On LON-SVR1, open the Internet Information Services (IIS) Manager.
2. Request a new Domain Certificate for the server by using the following parameters:
   o Common name: LON-SVR1.adatum.com
   o Organization: A. Datum
   o Organization unit: IT
   o City/locality: London
   o State/province: England
   o Country/region: GB
3. Request the certificate from the default CA.

X Task 4: Bind the certificate to the claims aware application on the web server and verify application access
1. On LON-SVR1, in Internet Information Services, create a new HTTPS site binding, and then select the newly created certificate.
2. On LON-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is expected because you have not yet configured AD FS for authentication.
4. Close Internet Explorer.

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS


Scenario

To start the AD FS implementation, you plan to install AD FS on the A. Datum domain controller, and then configure the server as a standalone federation server. You also plan to configure the server to use a CA-signed token-signing certificate.
The main tasks for this exercise are as follows:
1. Install and configure AD FS 2.0.
2. Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard.
3. Verify that FederationMetaData.xml is present and contains valid data.

X Task 1: Install and configure AD FS 2.0

On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

X Task 2: Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard
On LON-DC1, run the AD FS Federation Server Configuration Wizard using the following parameters:
   a. Create a new federation service.
   b. Create a standalone deployment.
   c. Use the LON-DC1.Adatum certificate.
   d. Choose a service name of LON-DC1.Adatum.com.

X Task 3: Verify that FederationMetaData.xml is present and contains valid data
1. On LON-CL1, log on as Adatum\Brad, using the password Pa$$w0rd.
2. Open Internet Explorer.
3. Open Internet Options, and then add https://LON-DC1.Adatum.com and https://LON-SVR1.adatum.com to the Local intranet zone.
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
6. Close Internet Explorer.
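Scrolling through the metadata in a browser shows that the file exists, but not whether it carries what a partner trust will actually consume. The following script is an added example, not part of the course; it downloads the same metadata document and reports the entityID, the passive (WS-Federation) endpoint and the token-signing certificate, warning when that certificate is close to expiry. It assumes the lab's metadata URL and the standard SAML metadata, WS-Federation and XML-DSig namespaces.

```powershell
# Added example (not from the course). Fetches the federation metadata that
# Task 3 opens in the browser and extracts the values a partner trust relies on.
# Assumption: the lab URL below; $Url can point at any AD FS metadata endpoint.
function Get-FederationMetadataSummary {
    param(
        [string]$Url = "https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml",
        [int]$ExpiryWarningDays = 30
    )

    $client = New-Object System.Net.WebClient
    [xml]$md = $client.DownloadString($Url)

    # Namespaces used by AD FS metadata: SAML 2.0 metadata, XML-DSig,
    # WS-Federation 1.2 and WS-Addressing.
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")
    $ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
    $ns.AddNamespace("wsa", "http://www.w3.org/2005/08/addressing")

    $entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns)
    if (-not $entity) { throw "$Url did not return a SAML/WS-Federation EntityDescriptor" }

    # Each role (STS, IdP, SP) repeats the signing key; keep the distinct certificates.
    $signing = @($md.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.InnerText.Trim())
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        } | Sort-Object Thumbprint -Unique)

    # The endpoint a browser is redirected to for passive (WS-Federation) sign-in.
    $passiveAddress = $null
    $passive = $md.SelectSingleNode("//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", $ns)
    if ($passive) { $passiveAddress = $passive.InnerText }

    foreach ($cert in $signing) {
        if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
            Write-Warning ("Token-signing certificate {0} expires {1}; partners reject tokens signed after that date." -f $cert.Thumbprint, $cert.NotAfter)
        }
    }

    New-Object PSObject -Property @{
        EntityID        = $entity.GetAttribute("entityID")
        PassiveEndpoint = $passiveAddress
        SigningCerts    = ($signing | Select-Object Subject, NotAfter, Thumbprint)
    }
}

Get-FederationMetadataSummary | Format-List
```

The entityID and thumbprint shown here are the values you can compare against what a partner's relying party or claims provider trust imported.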

Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the Federation Meta Data .xml contents.

Exercise 3: Configure AD FS for a Single Organization


Scenario

The first scenario for implementing the proof-of-concept AD FS application is to ensure that internal
users can use SSO to access the web application. You plan to configure the AD FS server and the web
application to enable this scenario. You also want to verify that internal users can access the application.
The main tasks for this exercise are as follows:
1. Configure a Token Signing Certificate for LON-DC1.Adatum.com.
2. Configure the Active Directory Claims Provider Trust.
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
4. Configure a relying party trust for the claims aware application.
5. Configure claim rules for the relying party trust.
6. Test the access to the claims aware application.

X Task 1: Configure a Token Signing Certificate for LON-DC1.Adatum.com
1. On LON-DC1, use the Set-ADFSProperties -AutoCertificateRollover $False command to enable modification of the assigned certificates.
2. In the AD FS Management console, add the LON-DC1.Adatum.com certificate as a new token signing certificate. Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is listed under the Subject when you add the certificate, delete the certificate, and then add the next certificate in the list.
3. Make the new certificate the primary certificate, and then remove the old certificate.

X Task 2: Configure the Active Directory Claims Provider Trust

1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active Directory store, and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog box on the Acceptance Transform Rules tab, launch the Add Transform Claim Rule Wizard, and then complete the wizard with the following settings:
   a. Select Send LDAP Attributes as Claims under Claim rule template.
   b. Name the claim rule Outbound LDAP Attribute Rule.
   c. Choose Active Directory as the Attribute Store.
   d. In the Mapping of LDAP attributes to outgoing claim types, select the following values:
      E-Mail-Addresses to E-Mail Address
      User-Principal-Name to UPN
      Display-Name to Name

X Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. On LON-SVR1, launch the WIF Federation Utility from the Start screen.
2. Complete the wizard with the following settings:
   o Point to the web.config file of the WIF sample application by pointing to C:\Inetpub\wwwroot\AdatumTestApp\web.config.
   o In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/.
   o Select to Use an existing STS, and then enter the path https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
   o Select No encryption.

X Task 4: Configure a relying party trust for the claims aware application
1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party, in the middle pane.
2. Complete the Add relying party Wizard with the following settings:
   o Choose to Import data about the relying party published online or on a local network and type https://lon-svr1.adatum.com/adatumtestapp.
   o Specify a Display name of ADatum Test App.
   o Choose to Permit all users to access this relying party.
   o Choose to Permit access for all users.
   o Select the option to open the Edit Claims Rules for WIF Sample Claims App when the wizard is complete.

X Task 5: Configure claim rules for the relying party trust
1. In the Edit Claim Rules for WIF Sample Claims App properties dialog box, choose to Add a Rule on the Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
   o Choose Pass through or Filter an Incoming Claim in the Claim rule template drop-down list.
   o Name the claim rule Pass Through Windows Account Name.
   o Select Windows account name in the incoming claim type drop-down list.
   o Create three more rules to pass through E-Mail Address, UPN, and Name type claims.

X Task 6: Test the access to the claims aware application
1. On LON-CL1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/AdatumTestApp/.
2. Verify that you can access the application.

Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.

Exercise 4: Configure AD FS for Federated Business Partners


Scenario

The second deployment scenario is to enable Trey Research users to access the web application. You plan
to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey
Research users can access the application. You also want to confirm that you can configure access based
on user groups. You must ensure that all users at A. Datum, but only users in the Production group at Trey
Research, can access the application.
The main tasks for this exercise are as follows:
1. Add a claims provider trust for the TreyResearch.com AD FS server.
2. Configure a relying party trust on MUN-DC1 for A. Datum's claim aware application.
3. Verify access to the A. Datum Test Application for Trey Research users.
4. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group.
5. Verify restrictions and accessibility to the claims aware application.
6. Shut down the virtual machines.

X Task 1: Add a claims provider trust for the TreyResearch.com AD FS server
1. On LON-DC1, in the AD FS 2.0 Management console, go to Trust Relationships, go to claims provider Trusts, and then choose to Add claims provider Trust.
2. Complete the Add claims provider Trust Wizard with the following settings:
   o Choose Import data about the claims provider published online or on a local network and enter https://mun-dc1.treyresearch.com as the data source.
   o In Display Name enter mun-dc1.treyresearch.com.
   o Complete the wizard.
3. In the Edit Claim Rules for the mun-dc1.treyresearch.com properties dialog, use the following values:
   o Add a Rule to the Acceptance Transform Rules.
   o Choose Pass Through or Filter an Incoming claim in the Claim rule template list.
   o Use Pass through Windows account name rule as the claim rule name.
   o Choose Windows account name as the incoming claim type, and then choose to Pass through all claim values.
   o Complete the rule.
4. On LON-DC1, run the following command in Windows PowerShell (the lab CA publishes no CRL the partner can reach, so revocation checking of the partner's signing certificate is switched off for this claims provider trust):

   Set-ADFSClaimsProviderTrust -TargetName mun-dc1.treyresearch.com -SigningCertificateRevocationCheck None

X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum's claim aware application
1. On MUN-DC1, in the AD FS Management console, open the Add relying party Trust Wizard, and then complete it with the following settings:
   o Choose to Import data about the relying party published online or on a local network and type in https://lon-dc1.adatum.com.
   o Specify a Display name of Adatum TestApp.
   o Choose to Permit all users to access this relying party.
   o Select to open the Edit Claim Rules for lon-dc1.adatum.com when the wizard is complete check box.
2. In the Edit Claim Rules for lon-dc1.adatum.com properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
   o Choose Pass Through or Filter an Incoming claim in the claim rule template list.
   o In the Claim rule name box, type Pass through Windows account name rule.
   o Choose Windows account name in Incoming claim type.
   o Choose to Pass through all claim values.
   o Complete the wizard.

X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/.
2. Select mun-dc1.treyresearch.com as the home realm, and then log on as TreyResearch\April, with the password Pa$$w0rd.
3. Verify that you can access the application.
4. Close Internet Explorer, and then connect to the same web site. Verify that you are not prompted for a home realm this time.

You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party federation server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, delete that cookie after each logon attempt to return to a clean state.

X Task 4: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On MUN-DC1, in the AD FS Management Console, access the lon-dc1.adatum.com relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule Permit Production Group Rule, configure the User's group as Production, configure the Outgoing claim type as Group, and the Outgoing claim value as Production.
3. On LON-DC1, in the AD FS Management Console, edit the mun-dc1.treyresearch.com claims provider rules, creating a new rule that passes through or filters an incoming claim with the rule name of Send Production Group Rule. Configure the rule with an incoming claim type of Group.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send TreyResearch Group Name rule, and configure the rule to use an incoming claim type of group.
5. Delete the Issuance Authorization Rule that grants access to all users.
6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option to Permit access to users with this incoming claim.
7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option to Permit access to users with this incoming claim, and then click Finish.
8. Edit the Temp rule, and then copy the claim rule language to the clipboard.
9. Delete the Temp rule.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule.
11. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit the first URL to match the following text, and then click Finish:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
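The same rule set that the demonstration and steps 4 to 11 of this task build through the wizards, written out in the AD FS claim rule language and applied with the AD FS 2.0 cmdlets. This is an added example, not course code; it assumes the Microsoft.Adfs.PowerShell snap-in (on Windows Server 2012 the ADFS module loads on its own), the relying party display name Adatum Test App, and the AD FS 2.0 built-in Group claim type URI http://schemas.xmlsoap.org/claims/Group. Before changing anything it checks the UPN suffix pattern against constructed sample values, because the escaped dot and the trailing $ are what keep a look-alike suffix from being permitted.

```powershell
# Added example (not from the course). Applies the Task 4 issuance rules to the
# "Adatum Test App" relying party trust with the AD FS 2.0 cmdlets, so the claim
# rule language is visible and reviewable before it takes effect.
# Assumptions: the AD FS 2.0 snap-in, the relying party name used in the lab and
# the built-in Group claim type URI (the UPN and permit URIs are the lab's own).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RelyingParty = "Adatum Test App"

# Step 4: pass the Group claim received from the Trey Research claims provider
# through to the application unchanged ("Pass Through or Filter an Incoming Claim").
$GroupPassThrough = @'
@RuleName = "Send TreyResearch Group Name rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Steps 5 to 11: replace "permit all" with two explicit permit rules. A relying
# party with no matching permit rule denies access, so a user who is neither in
# the Trey Research Production group nor has an adatum.com UPN is refused.
$Authorization = @'
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleName = "ADatum User Access Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Checks the UPN suffix pattern against constructed sample UPNs (same .NET regex
# engine AD FS uses). Returns the UPNs whose result differs from the expectation.
function Test-UpnSuffixPattern {
    param([string]$Pattern = '^(?i).+@adatum\.com$')
    $expected = @{
        'april@adatum.com'         = $true
        'Brad@ADATUM.COM'          = $true    # (?i): case-insensitive match
        'april@treyresearch.com'   = $false
        'april@adatum.com.example' = $false   # rejected by the trailing $
        'april@adatumXcom'         = $false   # rejected by the escaped dot
        'april@notadatum.com'      = $false   # '@' must directly precede adatum.com
    }
    $failures = @()
    foreach ($upn in $expected.Keys) {
        if (($upn -match $Pattern) -ne $expected[$upn]) { $failures += $upn }
    }
    return $failures
}

$failures = @(Test-UpnSuffixPattern)
if ($failures.Count -gt 0) { throw "UPN pattern misbehaves for: $($failures -join ', ')" }

$rp = Get-ADFSRelyingPartyTrust -Name $RelyingParty
if (-not $rp) { throw "Relying party trust '$RelyingParty' not found" }

# Append the pass-through rule to the transform rules created in Exercise 3 and
# replace the authorization rules outright, which also removes "permit all users".
Set-ADFSRelyingPartyTrust -TargetName $RelyingParty `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $GroupPassThrough) `
    -IssuanceAuthorizationRules $Authorization

# Show what AD FS stored; this is the text step 11 has you paste by hand.
(Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```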

X Task 5: Verify restrictions and accessibility to the claims aware application
1. On MUN-DC1, verify that TreyResearch\April no longer has access to the A. Datum test app.
2. Clear the browsing history in Internet Explorer.
3. Verify that TreyResearch\morgan does have access to the A. Datum test app. Morgan is a member of the Production group.

X To shut down the virtual machines

When you have finished the lab, revert the virtual machines to their initial state.

Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claim-aware application. Then you configured the application to restrict access from TreyResearch.com to specific groups, and you verified appropriate access.

Module Review and Takeaways


Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip
Certificate errors on the federation server
Certificate errors on the client
Client application failed to authenticate with AD FS

Question: What are the benefits of deploying AD FS with a cloud-based application or service?
Question: Under what circumstances would you choose to deploy a federation proxy server? Under what circumstances do you not have to deploy a federation proxy server?

Real-world Issues and Scenarios

1. Tailspin Toys is deploying a new claims-based web application. The web application needs to be accessible to both Tailspin Toys users and to Trey Research users. What AD FS components will you need to deploy at Tailspin Toys to enable this level of access?
2. Fabrikam is examining the requirements for AD FS. The company wants to use a federation proxy server for maximum security. Currently, Fabrikam has an internal network with internal DNS servers. Their internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting company's DNS servers for DNS resolution. What must the company do to prepare for the deployment?

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Installing and Configuring Servers Based on Windows Server 2012

Lab: Installing and Configuring Servers Based on Windows Server 2012
Exercise 1: Install Windows Server 2012 Server Core
X Task 1: Install Windows Server 2012
1. On the host machine, open the Hyper-V Manager console.
2. Click 20417A-LON-SVR5. In the Actions pane click Settings.
3. Under Hardware, click DVD Drive.
4. Click Image file, and then click Browse.
5. Browse to C:\Program Files\Microsoft Learning\20417\Drives, and then click Win2012_RC.ISO.
6. Click Open and then click OK.
7. In the Hyper-V Manager console, double-click 20417A-LON-SVR5; this will open the Virtual Machine Connection window. From the Action menu, click Start.
8. On the Windows Server 2012 page of the Windows Setup Wizard, verify the following settings, and then click Next:
   o Language to install: English (United States)
   o Time and currency format: English (United States)
   o Keyboard or input method: US
9. On the Windows Server 2012 page of the Windows Setup Wizard, click Install now.
10. On the Select the operating system you want to install page of the Windows Setup Wizard, select Windows Server 2012 Release Candidate Datacenter (Server Core Installation), and then click Next.
11. On the License terms page of the Windows Setup Wizard, review the operating system license terms. Select the I accept the license terms check box, and then click Next.
12. On the Which type of installation do you want? page of the Windows Setup Wizard, click Custom: Install Windows Only (Advanced).
13. On the Where do you want to install Windows? page of the Windows Setup Wizard, verify that Drive 0 Unallocated Space has sufficient space for the Windows Server 2012 operating system, and then click Next:
   o Depending on the speed of the host computer, the installation will take approximately 20 minutes.
   o The virtual machine will restart several times during this process.
14. Click OK, and then in both the Password and Confirm password boxes type Pa$$w0rd, and then click OK.

X Task 2: Convert a Windows Server 2012 Server Core installation to a full installation
1. If necessary, log on to LON-SVR5 using the Administrator account with the password Pa$$w0rd.
2. At the command prompt, type the following command and press Enter:
   mkdir c:\mount
3. Issue the following command and press Enter to mount the Windows Server 2012 full installation image:
   dism.exe /mount-image /ImageFile:d:\sources\install.wim /Index:4 /Mountdir:c:\mount /readonly
4. Start Windows PowerShell by issuing the command:
   PowerShell.exe
5. Load the ServerManager module by issuing the command and pressing Enter:
   Import-Module ServerManager
6. Install the Windows Server 2012 GUI components on Server Core by issuing the following command and pressing Enter:
   Install-WindowsFeature User-Interfaces-Infra -IncludeAllSubFeature -Source c:\mount\windows
7. When prompted, restart the server by issuing the following command and pressing Enter:
   Shutdown /r /t 5
8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify the presence of the full GUI components.

X Task 3: Convert a Windows Server 2012 full installation to a Server Core installation
1. If necessary, log on to LON-SVR5 and verify that the full graphic environment is present.
2. Click Internet Explorer.
3. Click Close to close the message informing you that you cannot open Internet Explorer with the built-in Administrator account.
4. On the Start screen, click Windows PowerShell.
5. Enter the following command and press Enter:
   Import-Module ServerManager
6. Enter the following command and press Enter:
   Uninstall-WindowsFeature User-Interfaces-Infra
7. Enter the following command to restart LON-SVR5:
   Shutdown /r /t 5
8. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now configured to use the Server Core configuration.

Exercise 2: Configure a Computer Running a Server Core Installation of Windows Server 2012
X Task 1: Configure the network
1. If necessary, log on to LON-SVR5 using the account Administrator with password Pa$$w0rd.
2. At the command prompt, type sconfig.
3. Type 2 and press Enter to select Computer Name.
4. Enter the computer name LON-SVR5 and press Enter.
5. On the Restart dialog box, click Yes.
6. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd.
7. At the command prompt, type hostname and press Enter to verify the computer's name.
8. At the command prompt, type sconfig and press Enter.
9. To configure Network Settings, type 8 and press Enter.
10. Type the index number of the network adapter that you want to configure and press Enter.
11. To set the Network Adapter Address, on the Network Adapter Settings page, type 1 and press Enter.
12. To select static IP address configuration, type S and press Enter.
13. At the Enter static IP address: prompt, type 172.16.0.111 and press Enter.
14. At the Enter subnet mask prompt, type 255.255.0.0 and press Enter.
15. At the Enter default gateway prompt, type 172.16.0.1 and press Enter.

MCT USE ONLY. STUDENT USE PROHIBITED

Module 1: Installing and Configuring Servers Based on Windows Server 2012

L1-3

16. To configure the DNS server address, on the Network Adapter Settings page, type 2 and press Enter.
17. At the Enter new preferred DNS server prompt, type 172.16.0.10 and press Enter.
18. In the Network Settings dialog box, click OK.
19. To not configure an alternative DNS server address, press Enter.
20. To return to the main menu, type 4 and press Enter.
21. To exit sconfig, type 15 and press Enter.

22. To verify connectivity to the domain controller from LON-SVR5, type ping lon-dc1.adatum.com and
press Enter.

X Task 2: Add the server to the domain
1. Ensure that you are logged on to LON-SVR5 using the account Administrator with password Pa$$w0rd.
2. At the command prompt, type sconfig and press Enter.
3. To switch to configure Domain/Workgroup, type 1 and press Enter.
4. To join a domain, type D and press Enter.
5. At the Name of domain to join prompt, type adatum.com and press Enter.
6. At the Specify an authorized domain\user prompt, type adatum\administrator and press Enter.
7. At the Type the password associated with the domain user prompt, type Pa$$w0rd and press Enter.
8. At the Change Computer Name prompt, click Yes.
9. At the Enter new computer name prompt, press Enter.
10. To restart the server, type 13 and press Enter.
11. In the Restart dialog box, click Yes.
12. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.
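The sconfig menus in Tasks 1 and 2 have a scripted equivalent that is easier to review, repeat and keep with the server's build notes. The following is an added example, not part of the 20417A lab manual. It uses the addresses from the task and assumes the adapter is named Ethernet (check with Get-NetAdapter). Run it at the local console of the Server Core machine: reconfiguring an adapter from a remote session carried over that same adapter drops the session.

```powershell
# Added example (not from the 20417A lab manual): PowerShell equivalent of the
# sconfig steps in Exercise 2, Tasks 1 and 2. Run from an elevated PowerShell
# prompt on the Server Core machine (start it with PowerShell.exe).
# Assumption: the adapter to configure is named "Ethernet".

$Adapter   = 'Ethernet'
$IPAddress = '172.16.0.111'
$Prefix    = 16              # same as subnet mask 255.255.0.0
$Gateway   = '172.16.0.1'
$DnsServer = '172.16.0.10'
$Domain    = 'adatum.com'

# Static addressing: turn DHCP off and clear any address or default route that
# DHCP left behind, so the interface ends up with exactly one of each.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServer

# Check name resolution and reachability of the domain controller before joining
# (the equivalent of step 22's ping). -ErrorAction Stop turns a failed check into
# a terminating error, so the script stops here instead of failing later inside
# Add-Computer with a less specific message.
Resolve-DnsName -Name "lon-dc1.$Domain" -Server $DnsServer | Format-Table Name, IPAddress -AutoSize
Test-Connection -ComputerName "lon-dc1.$Domain" -Count 2 -ErrorAction Stop | Out-Null

# Join the domain. Get-Credential prompts for the password rather than having it
# stored in the script; -Restart performs the restart that sconfig option 13 does.
$Cred = Get-Credential -UserName "ADATUM\Administrator" -Message "Account authorized to join $Domain"
Add-Computer -DomainName $Domain -Credential $Cred -Restart
```

If the computer name still needs to be set (Task 1, steps 3 to 5), Add-Computer also accepts -NewName, which renames and joins in one restart.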

X Task 3: Configure Windows Firewall
1. Ensure that you are logged on to LON-SVR5 using the account Adatum\Administrator with password Pa$$w0rd.
2. At the command prompt, type sconfig.cmd and press Enter.
3. To switch to Configure Remote Management, type 4 and press Enter.
4. To enable Remote Management, type 1 and press Enter.
5. On the Configure Remote Management dialog box, click OK.
6. To return to the main menu, type 4 and press Enter.
7. To return to the command prompt, type 15 and press Enter.
8. At the command prompt, type PowerShell.exe and then press Enter.
9. To view the enabled Firewall rules on LON-SVR5 that allow traffic, at the Windows PowerShell prompt, type the following command:

   Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName

10. To view all disabled Firewall rules on LON-SVR5, type the following command:

   Get-NetFirewallRule | Where-Object {$_.Enabled -eq "False"} | Format-Table -Property DisplayName

11. To view all NetFirewallRule-related Windows PowerShell cmdlets, type the following command:

   Get-Command -Noun NetFirewallRule

12. To view the status of the Remote Desktop inbound firewall rule, type the following command:

   Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

13. To enable the Remote Desktop inbound firewall rule, type the following command:

   Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

14. To verify that the Remote Desktop inbound firewall rule is enabled, type the following command:

   Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP

15. To disable the Remote Desktop inbound firewall rule, type the following command:

   Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP

16. To verify that the Remote Desktop inbound firewall rule is disabled, type the following command:

   Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
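Step 9 lists rules by display name only, and a rule with Action Allow is harmless while it is disabled. As an added example (not part of the lab manual), the following audit selects only rules that are inbound, enabled and Allow, and pairs each with its port and remote-address filters, which is what tells you what is actually reachable on LON-SVR5. It also wraps the enable/disable/verify sequence from steps 12 to 16 in a function that returns the resulting state. The cmdlets are the NetSecurity module's own; the two function names are the example's.

```powershell
# Added example (not from the 20417A lab manual): audit enabled inbound Allow
# rules with their port and address filters, then toggle one rule and return
# its resulting state. Run in the PowerShell session opened in step 8.

function Get-EnabledInboundAllowRule {
    [CmdletBinding()]
    param(
        # Optional: restrict the report to rules that apply to one profile, e.g. 'Public'.
        [string]$FirewallProfile
    )
    # Filtering on the cmdlet's own parameters is done by the provider, so this is
    # faster than pulling every rule and filtering with Where-Object as step 9 does.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    if ($FirewallProfile) {
        # A rule's Profile is a flag set such as "Domain, Private" or "Any".
        $rules = $rules | Where-Object { $_.Profile -match $FirewallProfile -or $_.Profile -eq 'Any' }
    }
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [PSCustomObject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# Enable or disable a rule by name and read the state back from the firewall,
# the same check steps 14 and 16 perform by hand.
function Set-RuleState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$State
    )
    if ($State -eq 'Enable') {
        Enable-NetFirewallRule -Name $Name
    } else {
        Disable-NetFirewallRule -Name $Name
    }
    (Get-NetFirewallRule -Name $Name).Enabled
}

# Everything listening for inbound connections, sorted by port.
Get-EnabledInboundAllowRule | Sort-Object LocalPort | Format-Table -AutoSize

# Only what is exposed on the Public profile.
Get-EnabledInboundAllowRule -FirewallProfile 'Public' | Format-Table Name, Protocol, LocalPort, RemoteAddress -AutoSize

# Steps 13 to 16 as two calls; each returns the Enabled state after the change.
Set-RuleState -Name 'RemoteDesktop-UserMode-In-TCP' -State Enable
Set-RuleState -Name 'RemoteDesktop-UserMode-In-TCP' -State Disable
```

Get-NetFirewallRule also accepts -DisplayName and -DisplayGroup, so the same audit can be run for a group such as "Remote Desktop" rather than a single rule name.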

Exercise 3: Configure Remote Management for servers running Windows Server 2012
X Task 1: Validate the WinRM configuration
1. Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.
2. In the Server Manager console, click Local Server, and then click Enabled next to Remote Management.
3. On the Configure Remote Management dialog box, clear the check box next to Enable remote management of this server from other computers, and then click OK.
4. Close the Server Manager console.
5. Open Windows PowerShell from the Taskbar.
6. At the Windows PowerShell prompt, issue the command winrm qc. When you are prompted, type Y and press Enter.
7. Open the Server Manager console. Click Local Server. Verify that Remote Management is now enabled.

X Task 2: Configure Server Manager for multiple server management
1. Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.
2. In the Server Manager console, click Dashboard, and then click Create a server group.
3. On the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
4. Click LON-DC1, press and hold the Ctrl key, and then click LON-SVR5. To add them to a server group, click the Arrow.
5. Set the Server Group Name to LONDON-GROUP, and then click OK.
6. In Server Manager, click LONDON-GROUP.
7. In the details pane, select both LON-DC1 and LON-SVR5.
8. Scroll down to the Performance section.
9. Click LON-DC1. Press and hold the Ctrl key, and then click LON-SVR5.
10. While both servers are selected, right-click LON-DC1, and then click Start Performance Counters.
11. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as Online.

X Task 3: Deploy a feature to the Server Core server
1. On LON-DC1, in the Server Manager console, click LONDON-GROUP.
2. In the Servers list, right-click LON-SVR5, and then click Add Roles and Features.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Select installation type page of the Add Roles and Features Wizard, select Role-based or feature-based installation, and then click Next.
5. On the Select destination server page of the Add Roles and Features Wizard, ensure that LON-SVR5.Adatum.com is selected, and then click Next.
6. On the Select server roles page of the Add Roles and Features Wizard, click Next.
7. On the Select features page of the Add Roles and Features Wizard, select Windows Server Backup, and then click Next.
8. On the Confirm installation selections page of the Add Roles and Features Wizard, click Install.
9. To dismiss the Add Roles and Features Wizard, click Close.
10. In Server Manager, click the Flag and verify that the installation of the Windows Server Backup feature succeeded on LON-SVR5.
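Server Manager performs Task 3 over the same WinRM channel that Task 1 validated, and the ServerManager cmdlets can do it from a script. The following is an added example, not part of the lab manual. Run as Adatum\Administrator on LON-DC1, it checks WinRM on LON-SVR5 the way Task 1 did, reports which installation level Exercise 1 Task 3 left the server at (Server with a GUI, Minimal Server Interface or Server Core), and installs Windows Server Backup remotely with a verification against the feature state rather than only the wizard's result message. The feature names are the real ones used by Get-WindowsFeature; the two function names are the example's.

```powershell
# Added example (not from the 20417A lab manual): manage Windows features on the
# Server Core host from LON-DC1 over WinRM, covering Exercise 1 Task 3 (installation
# level) and Exercise 3 Tasks 1 and 3 (WinRM check, remote feature install).

$Server = 'LON-SVR5'

# Task 1 validated WinRM with "winrm qc" on the server; Test-WSMan checks the same
# listener from the management side and throws if it is not reachable.
Test-WSMan -ComputerName $Server -ErrorAction Stop | Out-Null

function Get-InstallationLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The GUI features removed in Exercise 1 Task 3 decide the level. Uninstalling
    # User-Interfaces-Infra removes both of the features below.
    $features = Get-WindowsFeature -ComputerName $ComputerName -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra
    $shell = ($features | Where-Object Name -eq 'Server-Gui-Shell').Installed
    $mgmt  = ($features | Where-Object Name -eq 'Server-Gui-Mgmt-Infra').Installed
    if ($shell)    { 'Server with a GUI' }
    elseif ($mgmt) { 'Minimal Server Interface' }
    else           { 'Server Core' }
}

function Install-RemoteFeature {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Name
    )
    $result = Install-WindowsFeature -Name $Name -ComputerName $ComputerName
    if (-not $result.Success) {
        throw "Installing $Name on $ComputerName failed (exit code $($result.ExitCode))"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "$ComputerName needs a restart to finish installing $Name"
    }
    # Step 10 reads the Flag in Server Manager; this reads the feature state itself.
    (Get-WindowsFeature -Name $Name -ComputerName $ComputerName).Installed
}

"Installation level of ${Server}: $(Get-InstallationLevel -ComputerName $Server)"
Install-RemoteFeature -ComputerName $Server -Name 'Windows-Server-Backup'
```

Install-WindowsFeature also accepts -IncludeManagementTools, which matters for a Server Core target: without a GUI the management console for a feature is normally run from the management workstation instead, so the default of leaving it out is usually what you want there.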

X Task 4: To prepare for the next module
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR5.

Module 2: Monitoring and Maintaining Windows Server 2012

Lab: Monitoring and Maintaining Windows 2012 Servers

Exercise 1: Configuring Centralized Monitoring for Windows Server 2012 Servers
X Task 1: Configure Server Manager to monitor multiple servers
1. Switch to LON-SVR1.
2. In the Server Manager console, in the navigation pane, click All Servers.
3. In the Server Manager console, in the navigation pane, right-click All Servers, and then click Add Servers.
4. In the Add Servers dialog box, click Find Now.
5. In the details pane of the Add Servers dialog box, click LON-DC1, click the right-arrow button, and then click OK.
6. In Server Manager, hold down the Ctrl key, click LON-DC1, and then click LON-SVR1 to select both machines.
7. In Server Manager, scroll down to the Performance section and select both LON-DC1 and LON-SVR1. Right-click the selected servers, and then click Start Performance Counters.

X Task 2: Configure a data collector set
1. On LON-SVR1, in Server Manager, click Tools, and then click Performance Monitor.
2. In the navigation pane, expand Data Collector Sets, and then click User Defined.
3. Click the Action menu, click New, and then click Data Collector Set.
4. In the Create new Data Collector Set Wizard, in the Name box, type Windows Server Monitoring, select Create manually (Advanced), and then click Next.
5. On the What type of data do you want to include? page, ensure that the Create data logs option button is selected, select the Performance Counter check box, and then click Finish.
6. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User Defined, click Windows Server Monitoring, click the Action menu, click New, and then click Data Collector.
7. In the Create New Data Collector Wizard, in the Name box, type Base Windows Server Monitoring, select Performance counter data collector, click Next, and then click Add.
8. In the Available counters object list, expand Processor, and then click % Processor Time. Click Add.
9. In the Available counters object list, expand Memory, and then click Available Mbytes. Click Add.
10. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then click OK.
11. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and then click Finish.
12. In the Performance Monitor, in the navigation pane, click Windows Server Monitoring, click the Action menu, and then click Start.
13. Wait at least one minute, click the Action menu, and then click Stop.
14. In the navigation pane, expand Reports, expand User Defined, expand Windows Server Monitoring, click LON-SVR1_DateTime, and then review the report.
15. Close the Performance Monitor.

X Task 3: Configure an event subscription
1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd to open the Command Prompt.
3. At the command prompt, type winrm quickconfig and then press Enter.
4. In Server Manager, click Tools, and then click Computer Management.
5. In the Computer Management console, expand Local Users and Groups, and then click Groups.
6. In the details pane, double-click Administrators.
7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.
8. In the Object Types dialog box, select the Computers check box, and then click OK.
9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click OK.
10. In the Administrators Properties dialog box, click OK.
11. Switch to LON-DC1.
12. Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd to open the Command Prompt.
13. At the command prompt, type wecutil qc and then press Enter.
14. When you are prompted, type Y and then press Enter.
15. In Server Manager, click Tools, and then click Event Viewer.
16. In the Event Viewer, in the navigation pane, click Subscriptions.
17. Right-click Subscriptions, and then click Create Subscription.
18. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.
19. Click Collector Initiated, and then click Select Computers.
20. In the Computers dialog box, click Add Domain Computers.
21. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1, and then click OK.
22. In the Computers dialog box, click OK.
23. In the Subscription Properties - LON-SVR1 Events dialog box, click Select Events.
24. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.
25. In the Logged list, click Last 7 days.
26. In the Event logs list, select Windows Logs. Click inside the Query Filter dialog box, and then click OK.
27. In the Subscription Properties - LON-SVR1 Events dialog box, click OK.
28. In Event Viewer, in the navigation pane, expand Windows Logs.
29. Click Forwarded Events, and check for events from LON-SVR1.

Results: After completing this exercise, you will have configured Server Manager to monitor multiple servers, configured a data collector set, and configured an event subscription.
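A collector-initiated subscription depends on several pieces configured on two machines in Task 3, and when Forwarded Events stays empty it is rarely obvious which one is missing. The following check script is an added example, not part of the lab manual. Run on the collector LON-DC1, it tests each prerequisite the task set up by hand: the WinRM listener on the source (step 3), the collector's computer account in the source's local Administrators group (steps 4 to 10), the Windows Event Collector service (step 13), the subscription's runtime status, and whether events from LON-SVR1 have actually arrived (step 29). It assumes the subscription name LON-SVR1 Events from step 18; the function name is the example's own.

```powershell
# Added example (not from the 20417A lab manual): verify the prerequisites of the
# collector-initiated subscription created in Exercise 1 Task 3. Run on LON-DC1.

$Source       = 'LON-SVR1'
$Collector    = $env:COMPUTERNAME          # LON-DC1 when run on the collector
$Subscription = 'LON-SVR1 Events'          # name typed in step 18

function Test-ForwardingPrerequisite {
    param([string]$Source, [string]$Collector, [string]$Subscription)

    $results = [ordered]@{}

    # 1. WinRM listener on the source ("winrm quickconfig" in step 3). A failed
    #    Test-WSMan writes an error and returns nothing, which casts to $false.
    $results['SourceWinRM'] = [bool](Test-WSMan -ComputerName $Source -ErrorAction SilentlyContinue)

    # 2. The collector's computer account (ADATUM\LON-DC1$) must be a local
    #    administrator on the source for a collector-initiated subscription.
    $members = Invoke-Command -ComputerName $Source -ErrorAction SilentlyContinue -ScriptBlock {
        net localgroup Administrators
    }
    $pattern = [regex]::Escape("\$Collector$")          # matches e.g. ADATUM\LON-DC1$
    $results['CollectorIsSourceAdmin'] = [bool]($members -match $pattern)

    # 3. Windows Event Collector service, configured and started by "wecutil qc".
    $results['WecsvcRunning'] = (Get-Service -Name Wecsvc).Status -eq 'Running'

    # 4. The subscription exists and the collector reports it as Active.
    #    "wecutil es" enumerates subscription names; "wecutil gr" prints runtime status.
    $exists = (wecutil es) -contains $Subscription
    $results['SubscriptionExists'] = $exists
    if ($exists) {
        $status = wecutil gr $Subscription
        $results['RuntimeActive'] = [bool]($status -match '^\s*RunTimeStatus:\s*Active')
    } else {
        $results['RuntimeActive'] = $false
    }

    # 5. Events from the source have reached the Forwarded Events log (step 29).
    #    MachineName is the FQDN of the forwarding computer.
    $forwarded = Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.MachineName -like "$Source*" }
    $results['ForwardedEventCount'] = @($forwarded).Count

    [PSCustomObject]$results
}

Test-ForwardingPrerequisite -Source $Source -Collector $Collector -Subscription $Subscription | Format-List
```

If SubscriptionExists is true but RuntimeActive is false, wecutil gr also prints a LastError code for each event source, which is the first thing to read; the most common causes are the two checks above it (WinRM on the source and the collector account's group membership).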

Exercise 2: Backing up Windows Server 2012
X Task 1: Install the Windows Server Backup feature
1. Switch to LON-SVR1.
2. In Server Manager, on the Dashboard, click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select Installation Type page, click Next.
5. On the Select Destination Server page, select LON-SVR1 and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select Windows Server Backup, and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, wait until the Installation succeeded on LON-SVR1.adatum.com text appears, and then click Close.

X Task 2: Configure a scheduled backup
1. Switch to LON-SVR1.
2. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
3. Click Local Backup, and then in the Actions pane, click Backup Schedule.
4. On the Getting Started page of the Backup Schedule Wizard, click Next.
5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7. On the Specify Destination Type page, click Backup to a shared network folder, and then click Next. Review the warning, and then click OK.
8. On the Specify Remote Shared Folder page, in the Path box, type \\LON-DC1\Backup, and then click Next.
9. In the Register Backup Schedule dialog box, in the Username box, type Administrator, in the Password box, type Pa$$w0rd, and then click OK. Click Finish, and then click Close.

X Task 3: Complete an on-demand backup
To prepare for this task, you need to create a folder named Financial Data on drive C: of LON-SVR1, and within the Financial Data folder create a text file named Financial Report.txt.
1. On LON-SVR1, on the Taskbar, click Windows Explorer.
2. In the Windows Explorer window, in the navigation pane, click Local Disk (C:).
3. In the Windows Explorer window, on the menu, click Home, click New Folder, and then in the New Folder icon in the details pane, type Financial Data.
4. In the Windows Explorer window, double-click the Financial Data folder, right-click in the details pane, click New, click Text Document, and in the New Text Document icon, type Financial Report.

To complete an on-demand backup, perform the following steps:
1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the wbadmin [Windows Server Backup (Local)] window, in the navigation pane, click Local Backup, and then in the Actions pane, click Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Different options, and then click Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.
6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7. On the Specify Destination Type page, click Remote shared folder, and then click Next.
8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, click Close after the backup is complete.

Results: After completing this exercise, you will have installed the Windows Server Backup feature, configured a scheduled backup, and run an on-demand backup.

Exercise 3: Restoring files by using Windows Server Backup
X Task 1: Delete a file from the file server
1. On LON-SVR1, on the Taskbar, click Windows Explorer, and then in the navigation pane, click Local Disk (C:).
2. In Windows Explorer, in the details pane, right-click the Financial Data folder, and then click Delete.

X Task 2: View the available restores by using the Vssadmin command
1. On LON-SVR1, on the Taskbar, click Windows PowerShell.
2. At the Windows PowerShell prompt, run the following command:

   vssadmin list shadows

   The command should display the existing shadow copy from the backup performed previously.

X Task 3: Restore the file from backup
1. In the Windows Server Backup console, in the Actions pane, click Recover.
2. On the Getting Started page, click A backup stored on another location, and then click Next.
3. On the Specify Location type page, click Remote shared folder, and then click Next.
4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
5. On the Select Backup Date page, click Next.
6. On the Select Recovery Type page, click Next.
7. On the Select Items to Recover page, expand LON-SVR1, click the Local Disk (C:) drive, and in the right pane, select Financial Data, and then click Next.
8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
9. On the Confirmation page, click Recover.
10. On the Recovery Progress page, click Close.
11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.

Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the available restores, and then restored the folder from the backup that you created.
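The Backup Once and Recover wizards from Exercise 2 Task 3 and Exercise 3 Task 3 drive the same engine that the WindowsServerBackup module exposes, and the scripted form is what you would use for a repeatable restore test. The following is an added example, not part of the lab manual. It backs up C:\Financial Data to \\LON-DC1\Backup, simulates the deletion from Exercise 3 Task 1, and recovers the folder to C:\ while keeping a copy if it already exists, the option the wizard calls "Create copies so that you have both versions". It assumes the share and the Administrator account from the lab (Get-Credential prompts for the password) and that the Windows Server Backup feature is installed; the two function names are the example's own.

```powershell
# Added example (not from the 20417A lab manual): on-demand backup and file
# recovery with the WindowsServerBackup module. Run on LON-SVR1 as Administrator.

Import-Module WindowsServerBackup

$Share  = '\\LON-DC1\Backup'
$Folder = 'C:\Financial Data'
$Cred   = Get-Credential -UserName 'Administrator' -Message "Account with write access to $Share"

function Start-FolderBackup {
    param([string]$Path, [string]$NetworkPath, [pscredential]$Credential)

    # A policy describes what to back up and where. It is assembled in memory and
    # run once; Set-WBPolicy would register it as the scheduled policy instead.
    $policy = New-WBPolicy
    Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec $Path)
    $target = New-WBBackupTarget -NetworkPath $NetworkPath -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target
    # Copy backup: take the snapshot without resetting application backup markers,
    # so this ad hoc job does not disturb another product's incremental chain.
    Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

    Start-WBBackup -Policy $policy

    # The most recently finished job tells you whether the backup really succeeded.
    $job = Get-WBJob -Previous 1
    if ($job.JobState -ne 'Completed') {
        throw "Backup ended in state $($job.JobState): $($job.ErrorDescription)"
    }
    $job
}

function Restore-FolderFromBackup {
    param([string]$Path, [string]$NetworkPath, [pscredential]$Credential, [string]$Destination = 'C:\')

    $target = New-WBBackupTarget -NetworkPath $NetworkPath -Credential $Credential
    # Newest backup set on the share, which is what the Select Backup Date page
    # offers by default.
    $set = Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $set) { throw "No backup sets found on $NetworkPath" }

    # CreateCopyIfExists keeps any current version next to the restored one.
    Start-WBFileRecovery -BackupSet $set -SourcePath $Path -TargetPath $Destination `
        -Option CreateCopyIfExists -Recursive

    # Return whether the folder is now present at the destination.
    Test-Path -Path (Join-Path $Destination (Split-Path $Path -Leaf))
}

Start-FolderBackup -Path $Folder -NetworkPath $Share -Credential $Cred
Remove-Item -Path $Folder -Recurse -Force      # the data loss simulated in Exercise 3 Task 1
Restore-FolderFromBackup -Path $Folder -NetworkPath $Share -Credential $Cred
```

Get-WBBackupSet is the scripted counterpart of Task 2's vssadmin list shadows: vssadmin shows the local shadow copies, while Get-WBBackupSet reads the catalog on the backup target, which is the list a recovery actually chooses from.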

Exercise 4: Implementing Microsoft Online Backup and Restore
X Task 1: Install the Microsoft Online Backup Service component
1. On LON-SVR1, on the taskbar, click Windows Explorer.
2. In the Windows Explorer window, in the navigation pane, click Allfiles (E:), and in the details pane, double-click msoidcli.msi. Click Run.
3. On the Microsoft Software License Terms page, click I accept the terms in the License Agreement and Privacy Statement, and then click Install. Click Finish.
4. In Allfiles (E:), in the details pane, double-click OBSInstaller.exe. Click Run.
5. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service Agreement terms and conditions, and then click OK.
6. On the Prerequisites Check page, click Next.
7. On the Installation Settings page, specify the following settings (if they are not already the defaults), and then click Next:
   o Installation Folder: C:\Program Files
   o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
8. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then click Install.
9. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has completed successfully message is displayed. Clear the Check for newer updates check box, and then click Finish.
10. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then click Microsoft Online Backup Service.
11. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then click Microsoft Online Backup Service Shell.

X Task 2: Register the server with Microsoft Online Backup
Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer names used in this lab should be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
To rename LON-SVR1, perform the following steps:
1. In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this local server.
2. In the Server Manager window, on the Local Server page, click LON-SVR1.
3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-YOURNAME, click OK twice, and then click Close.
4. In the window that displays the message that you should restart your computer, click Restart Now.
5. Wait until YOURCITYNAME-YOURNAME is restarted, and then log on as Adatum\Administrator with password Pa$$w0rd.

To register the server with Microsoft Online Backup, perform the following steps:
1. Start the Microsoft Online Backup Service console, and then click Register Server.
2. In the Register Server Wizard, on the Account Credentials page, in the Username box, type holuser@onlinebackupservice.onmicrosoft.com, and in the Password box, type Pa$$w0rd. Click Next.

   Note: In a real-life scenario, you would type the username and password of your Microsoft Online Backup Service subscription account.

3. On the Proxy Configuration page, click Next.
4. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type Pa$$w0rdPa$$w0rd, and then click Register.
5. On the Server Registration page, ensure that the Microsoft Online Backup Service is now available for this server message is displayed, and then click Close.

X Task 3: Configure an online backup
1. Switch to the Microsoft Online Backup Service console, and then click Schedule Backup.
2. On the Getting started page, click Next.
3. On the Select Items to back up page, click Add Items.
4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.
5. On the Specify Backup Time page, select Saturday, click 1:00AM, click Add, and then click Next.
6. On the Specify Retention Setting page, accept the default settings, and then click Next.
7. On the Confirmation page, click Finish.
8. On the Modify Backup Progress page, click Close.
9. In the Microsoft Online Backup Service console, click Back Up Now.
10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
11. On the Backup progress page, wait until the Backup is successfully completed message appears, and then click Close.

X Task 4: Restore files by using the online backup
1. On the taskbar, click Windows Explorer, and then in the navigation pane, click Local Disk (C:).
2. In the Local Disk (C:) window, right-click the Financial Data folder, and then click Delete.
3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5. On the Select Recovery Mode page, select Browse for files, and then click Next.
6. On the Select Volume and Date page, in the Select the volume drop-down list, select C:\. In the calendar, click the date when you performed the backup, in the Time drop-down list, click the time when you performed the backup, and then click Next.
7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click Next.
8. On the Specify Recovery Options page, select Original location and Create copies so that you have both versions, and then click Next.
9. On the Confirmation page, click Recover.
10. On the Recovery Progress page, ensure that the File(s) recovery job succeeded status message appears, and then click Close.
11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.

X Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2. On the Getting started page, click Unregister this server, and then click Next.
3. On the Account Credentials page, provide the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd
4. Click Unregister.
5. On the Server Unregistration page, click Close.

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent, registered the server with Microsoft Online Backup Service, configured a scheduled backup, and performed a restore by using Microsoft Online Backup Service.

X Task: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.

Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0

Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0

Exercise 1: Introduction to Windows PowerShell 3.0

X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.
2. On LON-DC1, browse to the Start screen, type Windows PowerShell ISE, and then right-click Windows PowerShell ISE. In the pop-up banner, click Run as administrator.
3. In the Console pane, type Get-WindowsFeature and then press Enter.
4. In the Console pane, type Get-ChildItem E:\ModXA\Democode, and then press Enter.
5. In the Console pane, type dir C:\Windows, and then press Enter.
6. In the Console pane, type Get-E, press the Tab key until Get-ExecutionPolicy is shown, and then press the Enter key.

X Task 2: Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1
1. If necessary, open Windows PowerShell ISE as an administrator.
2. In the Console pane, type Get-Service and then press Enter.
3. In the Console pane, type $Services = Get-Service and then press Enter.
4. In the Console pane, type Get-Help Where-Object -Examples and then press Enter. Click No to update help.
5. In the Console pane, type $Services | Where-Object {$_.Status -eq "Stopped"} and then press Enter.

X Task 3: Use a Remote Windows PowerShell session to install XPS Viewer on LON-SVR1
1. In Windows PowerShell ISE, click File, and then click New Remote PowerShell Tab.
2. In the New Remote PowerShell Tab window, in the Computer box, type LON-SVR1 and then click Connect.
3. In the Console pane, type Get-WindowsFeature and then press Enter.
4. In the Console pane, type Add-WindowsFeature XPS-Viewer and then press Enter.
5. Press the Up Arrow key two times or until Get-WindowsFeature appears. Press Enter to execute.
6. On the LON-SVR1 Remote PowerShell tab, click Close.

Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used cmdlets, variables, and pipelining.
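Task 2 stores Get-Service output in a variable and filters it down to stopped services. A stopped service only matters if it was supposed to be running, so the more useful question is which services are set to start automatically but are not running, and under which account. The following is an added example, not part of the lab manual, that extends the task's pipeline in that direction. Get-Service in Windows PowerShell 3.0 does not expose a service's start mode, so that part uses the Win32_Service WMI class; the -ComputerName value is assumed to be a lab machine reachable over WinRM, and the function names are the example's own.

```powershell
# Added example (not from the 20417A lab manual): extend Task 2's stopped-service
# filter into an audit of automatic services that are not running.

function Get-StoppedAutoService {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # A WQL filter lets the WMI provider do the selection instead of returning
    # every service and filtering afterwards. StartName is the logon account.
    Get-WmiObject -ComputerName $ComputerName -Class Win32_Service `
        -Filter "StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object @{ Name = 'ComputerName'; Expression = { $_.__SERVER } },
                      Name, DisplayName, State, StartMode, StartName |
        Sort-Object Name
}

# The lab's own approach, kept as a function so the count can be reused: collect
# once into a variable, filter with Where-Object, and count with Measure-Object.
function Get-StoppedServiceCount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $Services = Get-Service -ComputerName $ComputerName
    ($Services | Where-Object { $_.Status -eq 'Stopped' } | Measure-Object).Count
}

Get-StoppedAutoService | Format-Table -AutoSize
"Stopped services on $env:COMPUTERNAME (all start modes): $(Get-StoppedServiceCount)"

# The same audit against another server, as in Task 3's remote session.
Get-StoppedAutoService -ComputerName 'LON-SVR1' | Format-Table -AutoSize
```

Services whose StartMode is Auto but which exit shortly after start (delayed-start and trigger-started services included) appear in this list by design; the point is to review them, not to treat every entry as a fault.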

Exercise 2: Managing AD DS by Using Windows PowerShell 3.0
X Task 1: Import the Active Directory PowerShell module and view the available cmdlets
1. If necessary, open Windows PowerShell ISE as an administrator.
2. In the Console pane, type Import-Module ActiveDirectory and then press Enter.
3. In the Console pane, type Get-Command -Module ActiveDirectory and then press Enter.

X Task 2: View options on how to create a report of users in the Active Directory domain
1. If necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. Run the following command:

   Get-Command -Module ActiveDirectory

3. Run the following commands:

   Get-ADUser -Filter * | Format-List
   Get-ADUser -Filter * | Format-List -Property GivenName, Surname
   Get-ADUser -Filter * -Properties * | Format-List *

4. Run the following commands:

   Get-ADUser -Filter * | Format-Table
   Get-ADUser -Filter * | Format-Table -Property GivenName, Surname
   Get-ADUser -Filter * -Properties * | Format-Table

5. Run the following commands:

   Get-ADOrganizationalUnit -Filter * | Format-Wide
   Get-ADOrganizationalUnit -Filter * | Format-Wide -Column 3

6. Run the following commands:

   Get-ADUser -Filter * | Sort-Object | Format-Wide
   Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID

7. Run the following command:

   Get-ADUser -Filter * | Measure-Object

X Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. In the Notepad window, on the File menu, click Open. Locate E:\ModXA\Democode\LabUsers.Csv. You will need to change the file type to All Files.
3. Close Notepad.
4. In Windows PowerShell ISE, click File and then click Open. Locate E:\ModXA\Democode\LabUsers.ps1. Click Open.
5. On line 13, modify the $OU variable to read:

   $OU = "ou=sales, dc=adatum,dc=com"

6. Press F5 to run the LabUsers.ps1 script.
7. In the Console pane, type the following to verify that Luka Abrus, Marcel Truempy, Andy Brauninger, and Cynthia Cary were created:

   Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com"
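The course's LabUsers.ps1 is not reproduced on this page, so the following is an added example of the pattern it follows, written for this edit and not the course's script: read user rows from CSV and create each with New-ADUser. The CSV content is constructed inline (the four names the task checks for, with made-up SamAccountNames) so the script can be read and dry-run with -WhatIf; in practice the rows come from Import-Csv on LabUsers.Csv, whose real column names may differ from the GivenName, Surname and SamAccountName assumed here. It skips accounts that already exist, prompts for the initial password instead of storing it, and forces a password change at first logon. Run as a domain administrator with the ActiveDirectory module available.

```powershell
# Added example (not from the 20417A lab manual and not its LabUsers.ps1): create
# users in OU=Sales from CSV rows with New-ADUser. Column names are assumed.

Import-Module ActiveDirectory

$OU = 'OU=Sales,DC=Adatum,DC=com'

# Constructed sample rows (the names Task 3 step 7 checks for; logon names invented).
$CsvText = @'
GivenName,Surname,SamAccountName
Luka,Abrus,LAbrus
Marcel,Truempy,MTruempy
Andy,Brauninger,ABrauninger
Cynthia,Cary,CCary
'@

function New-LabUserFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [Parameter(Mandatory)][string]$Path,            # distinguished name of the target OU
        [Parameter(Mandatory)][securestring]$InitialPassword,
        [string]$UpnSuffix = 'adatum.com'
    )
    $created = @()
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # Idempotent: an existing account is reported and skipped rather than
        # failing the whole run half-way through the file.
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
            Write-Verbose "Skipping $($row.SamAccountName): already exists"
            continue
        }
        $displayName = "$($row.GivenName) $($row.Surname)"
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Create user in $Path")) {
            New-ADUser -Name $displayName `
                -GivenName $row.GivenName -Surname $row.Surname `
                -SamAccountName $row.SamAccountName `
                -UserPrincipalName "$($row.SamAccountName)@$UpnSuffix" `
                -Path $Path -AccountPassword $InitialPassword `
                -ChangePasswordAtLogon $true -Enabled $true
            $created += $row.SamAccountName
        }
    }
    $created      # the logon names that were actually created
}

# Prompt for the initial password rather than keeping it in the script or the CSV.
$Password = Read-Host -AsSecureString -Prompt 'Initial password for new users'

New-LabUserFromCsv -CsvText $CsvText -Path $OU -InitialPassword $Password -WhatIf    # dry run first
New-LabUserFromCsv -CsvText $CsvText -Path $OU -InitialPassword $Password -Verbose

# The verification from step 7.
Get-ADUser -Filter * -SearchBase $OU | Format-Table Name, SamAccountName, Enabled -AutoSize
```

To run it against the lab file, replace the $CsvText | ConvertFrom-Csv expression with Import-Csv on E:\ModXA\Democode\LabUsers.Csv and adjust the column names to match that file's header.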

X Task 4: Create a script to modify the address of a user based on the day of the week
1. If necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. In Windows PowerShell ISE, on the File menu, click Open. Locate E:\ModXA\Democode\Using If Statements.ps1. Click Open.
3. Verify that line 9 reads:

   $Admin = Get-ADUser -Identity Administrator -Properties StreetAddress

4. Press F5 to run the script. Run the script a second time to view the changes.

Results: After completing this lab, you will have explored the Active Directory Windows PowerShell module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to create users, and used Windows PowerShell conditional statements to modify Active Directory properties.
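The course's "Using If Statements.ps1" is not reproduced on this page. The following is an added example of the same idea, written for this edit and not the course's script: read a user's StreetAddress with the Get-ADUser line verified in step 3, pick a value with If/ElseIf/Else on the day of the week, and write it back with Set-ADUser only when it differs, so the second run from step 4 reports no change. The address strings are constructed for illustration. Run as a domain administrator.

```powershell
# Added example (not from the 20417A lab manual and not its "Using If Statements.ps1"):
# choose a StreetAddress with If/ElseIf/Else on the weekday and apply it with Set-ADUser.

Import-Module ActiveDirectory

function Set-WeekdayStreetAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    # Same retrieval as line 9 of the lab script. StreetAddress must be requested
    # explicitly because Get-ADUser returns only a default subset of attributes.
    $User = Get-ADUser -Identity $Identity -Properties StreetAddress
    $Day  = (Get-Date).DayOfWeek

    # Constructed values for the example.
    if ($Day -eq 'Saturday' -or $Day -eq 'Sunday') {
        $NewAddress = 'Weekend: no office address'
    } elseif ($Day -eq 'Friday') {
        $NewAddress = '2 Remote Work Lane'
    } else {
        $NewAddress = '1 Head Office Square'
    }

    # Write only when the value differs, so repeated runs are harmless and the
    # change is visible in the output of the run that made it.
    if ($User.StreetAddress -eq $NewAddress) {
        "No change for $($User.SamAccountName): StreetAddress is already '$NewAddress'"
    } elseif ($PSCmdlet.ShouldProcess($User.DistinguishedName, "Set StreetAddress to '$NewAddress'")) {
        Set-ADUser -Identity $User -StreetAddress $NewAddress
        "Changed $($User.SamAccountName): '$($User.StreetAddress)' -> '$NewAddress'"
    }
}

Set-WeekdayStreetAddress -Identity Administrator -WhatIf   # show what would change
Set-WeekdayStreetAddress -Identity Administrator           # first run applies the value
Set-WeekdayStreetAddress -Identity Administrator           # second run reports no change
```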

Exercise 3: Managing Servers by Using Windows PowerShell 3.0
X Task 1: Install and configure Windows PowerShell Web Access
1. On LON-DC1, open Windows PowerShell ISE, in the Console pane type the following, and then press Enter:

   Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 -IncludeManagementTools -Restart

2. In the Console pane, type Install-PswaWebApplication -UseTestCertificate and then press Enter.
3. In the Console pane, type Add-PswaAuthorizationRule -UserName Adatum\Administrator -ComputerName * -ConfigurationName * and then press Enter.

X Task 2: Verify Windows PowerShell Web Access configuration
1. Browse to the Start screen and then click Internet Explorer.
2. In the Address bar, type the following URL and then press Enter:

   https://LON-DC1/pswa

3. Click Continue to this website.
4. Sign in to Windows PowerShell Web Access by using the following information:
   o User: Administrator
   o Password: Pa$$w0rd
   o Computer: LON-DC1
5. In the Windows PowerShell Web Access command shell, type Get-EventLog System -Newest 5 and then press Enter.
6. Type the following in the Windows PowerShell Web Access command shell:

   Invoke-Command -ScriptBlock { Get-EventLog Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2

Results: After this exercise, you will have performed one-to-many management of remote servers by using Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by using Windows PowerShell Web Access.
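The rule added in Task 1 step 3 authorizes one account to reach every computer (-ComputerName *) and every session configuration (-ConfigurationName *), which is convenient in the lab but is the gateway's whole authorization model: a browser sign-in is allowed if any rule matches the user, the destination and the configuration. The following is an added example, not part of the lab manual, using the PowerShellWebAccess module's own rule cmdlets to replace the wildcard rule with one scoped to a group and a single server, and Test-PswaAuthorizationRule to check candidate sign-ins against the rule set without opening a session. The group ADATUM\ServerOps and the choice of LON-SVR2 as the destination are assumed; the function name is the example's.

```powershell
# Added example (not from the 20417A lab manual): scope Windows PowerShell Web Access
# authorization rules and test them. Run as Adatum\Administrator on the gateway, LON-DC1.

Import-Module PowerShellWebAccess

# Rules are additive, so start from what exists: an old wildcard rule left in place
# makes any narrower rule added later meaningless.
Get-PswaAuthorizationRule | Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# Remove rules that allow every destination and every configuration, such as the
# one from Task 1 step 3. Remove-PswaAuthorizationRule takes the Id shown above.
Get-PswaAuthorizationRule |
    Where-Object { $_.Destination -eq '*' -and $_.ConfigurationName -eq '*' } |
    ForEach-Object { Remove-PswaAuthorizationRule -Id $_.Id -Force }

# One rule: members of an operations group, one server, the default endpoint only.
Add-PswaAuthorizationRule -RuleName 'ServerOps to LON-SVR2' `
    -UserGroupName 'ADATUM\ServerOps' `
    -ComputerName 'LON-SVR2.adatum.com' `
    -ConfigurationName 'Microsoft.PowerShell'

#  Evaluate a sign-in against the rule set the way the gateway would.
function Test-PswaAccess {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Computer,
        [string]$Configuration = 'Microsoft.PowerShell'
    )
    $matched = Test-PswaAuthorizationRule -UserName $User -ComputerName $Computer -ConfigurationName $Configuration
    [PSCustomObject]@{
        User          = $User
        Computer      = $Computer
        Configuration = $Configuration
        Allowed       = [bool]$matched
        MatchedRule   = ($matched | ForEach-Object { $_.RuleName }) -join ','
    }
}

# With the wildcard rule gone, Administrator to LON-DC1 should match no rule;
# a ServerOps member to LON-SVR2 should match the rule added above.
Test-PswaAccess -User 'ADATUM\Administrator' -Computer 'LON-DC1.adatum.com'
Test-PswaAccess -User 'ADATUM\Alice' -Computer 'LON-SVR2.adatum.com'
Test-PswaAccess -User 'ADATUM\Alice' -Computer 'LON-SVR2.adatum.com' -Configuration 'Microsoft.PowerShell32'
```

Use the fully qualified name in -ComputerName: the gateway matches the destination the user types at sign-in against the rule, so a rule written for a short name does not cover the FQDN form and vice versa. The session configuration in the rule is the other lever worth using; a constrained endpoint registered with Register-PSSessionConfiguration limits what a web session can run, and the rule can name it instead of Microsoft.PowerShell.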

X To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR2 and 20417A-LON-DC1.


Module 4: Managing Storage for Windows Server 2012

Lab A: Managing Storage for Servers Based on Windows Server 2012
Exercise 1: Configuring iSCSI Storage
X Task 1: Install the iSCSI Target feature
1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete, click Close.

X Task 2: Configure the iSCSI targets
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk1, and then click Next.
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type lon-svr2, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected type, in the Type drop-down list, select IP Address, in the Value box, type 172.16.0.22, and then click OK.
11. On the Specify access servers page, click Add.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected type, in the Type drop-down list, select IP Address, in the Value box, type 131.107.0.2, and then click OK.
13. On the Specify access servers page, click Next.
14. On the Enable Authentication page, click Next.
15. On the Confirm selections page, click Create.
16. On the View results page, wait until the creation is completed, and then click Close.
17. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk2, and then click Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
21. On the Assign iSCSI target page, click lon-svr2, and then click Next.
22. On the Confirm selections page, click Create.
23. On the View results page, wait until the creation is completed, and then click Close.
24. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
26. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk3, and then click Next.
27. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
28. On the Assign iSCSI target page, click lon-svr2, and then click Next.
29. On the Confirm selections page, click Create.
30. On the View results page, wait until the creation is completed, and then click Close.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
33. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk4, and then click Next.
34. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
35. On the Assign iSCSI target page, click lon-svr2, and then click Next.
36. On the Confirm selections page, click Create.
37. On the View results page, wait until the creation is completed, and then click Close.
38. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk.
39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
40. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk5, and then click Next.
41. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
42. On the Assign iSCSI target page, click lon-svr2, and then click Next.
43. On the Confirm selections page, click Create.
44. On the View results page, wait until the creation is completed, and then click Close.
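Task 2 walks the same wizard five times and, at step 14, skips the Enable Authentication page, so the only thing standing between an initiator and the LUNs is the IP address list from steps 10 and 12. The script below is an added example, not part of the course material: it builds the same target and five virtual disks with the iSCSITarget module in one loop, then turns on CHAP so an initiator has to prove knowledge of a secret rather than merely arrive from the right address. Parameter names follow the Windows Server 2012 release of the module as I recall them (on Windows Server 2012 R2 and later the size parameter is -SizeBytes and the default file type is .vhdx); the CHAP secret is a constructed placeholder.

```powershell
# Added example, not the course's own steps. Assumes the Windows Server 2012
# iSCSITarget module; check Get-Help New-IscsiVirtualDisk for the exact
# size parameter on your release.
Import-Module IscsiTarget

$diskDir    = 'C:\iSCSIVirtualDisks'
$targetName = 'lon-svr2'
# Initiators identified by IP address, exactly as in steps 10 and 12.
$initiators = 'IPAddress:172.16.0.22', 'IPAddress:131.107.0.2'

New-Item -ItemType Directory -Path $diskDir -Force | Out-Null
New-IscsiServerTarget -TargetName $targetName -InitiatorIds $initiators

# Five 5 GB virtual disks, each mapped to the one target (steps 3 to 44).
1..5 | ForEach-Object {
    $path = Join-Path $diskDir "iSCSIDisk$($_).vhd"
    New-IscsiVirtualDisk -Path $path -Size 5GB | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName $targetName -Path $path
}

# An IP address filter is access control, not authentication. Require CHAP so
# the initiator must present a secret before the target exposes its LUNs.
# Microsoft iSCSI CHAP secrets must be 12 to 16 characters; this one is a placeholder.
$chapSecret = ConvertTo-SecureString 'Placeholder12' -AsPlainText -Force
$chap = New-Object System.Management.Automation.PSCredential ('lon-svr2', $chapSecret)
Set-IscsiServerTarget -TargetName $targetName -EnableChap $true -Chap $chap

# What was configured: status, CHAP flag, allowed initiators and LUN mappings.
Get-IscsiServerTarget -TargetName $targetName |
    Select-Object TargetName, Status, EnableChap, InitiatorIds, LunMappings
```

Once CHAP is on, the initiator side (Task 4 below) needs the same user name and secret entered under Advanced Settings when connecting, and the iSCSI traffic still travels in clear text: CHAP authenticates the session, it does not encrypt it, so keep the storage network separate from client networks.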

X Task 3: Configure MPIO
1. Log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, click Multipath I/O, and then click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete, click Close.
10. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1, and then click Quick Connect. In the Quick Connect box, click Done.
13. Click OK to close the iSCSI Initiator Properties dialog box.
14. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
15. In the MPIO Properties dialog box, click the Discover Multi-Paths tab.
16. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to reboot the computer, click Yes.
17. After the computer restarts, log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.
18. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
19. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that the additional Device Hardware ID MSFT2005iSCSIBusType_0x9 has been added to the list.
20. Click OK to close the MPIO Properties dialog box.


X Task 4: Connect to and configure the iSCSI targets
1. On LON-SVR2, in Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
3. In the Disconnect From All Sessions dialog box, click Yes.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to the list of Favorite Targets check box is selected, and then click the Advanced button.
6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22, and in the Target Portal IP drop-down list, click 172.16.0.10 / 3260.
7. In the Advanced Settings dialog box, click OK.
8. In the Connect to Target window, click OK.
9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to the list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2, and in the Target Portal IP drop-down list, select 131.107.0.1 / 3260.
12. In the Advanced Settings dialog box, click OK.
13. In the Connect to Target window, click OK.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, and then click Devices.
18. In the Devices dialog box, click the MPIO button.
19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following paths, notice that two paths are listed. Select the first path, and then click the Details button.
20. Note the IP addresses of the Source and Target portals, and then click OK.
21. Select the second path, and then click the Details button.
22. Verify that the Source IP address is that of the second network adapter, and then click OK.
23. Click OK to close the Device Details dialog box.
24. Click OK to close the Devices dialog box.
25. Close the iSCSI Initiator Properties dialog box.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.


Exercise 2: Configuring a Redundant Storage Space


X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.
2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.
6. On the Select physical disks for the storage pool page, click all five physical disks, and then click Next.
7. On the Confirm selections page, click Create.
8. On the View results page, wait until the creation is completed, and then click Close.

X Task 2: Create a 3-way mirrored disk
1. On LON-SVR2, in Server Manager, in the STORAGE POOLS pane, click StoragePool1.
2. In the VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the virtual disk that is called Mirrored vDisk, and then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, make sure E is selected in the Drive letter drop-down list, and then click Next.
16. On the Select file system settings page, in the File system drop-down list, select ReFS, in the Volume label box, type Mirrored Volume, and then click Next.
17. On the Confirm selections page, click Create.
18. On the Completion page, wait until the creation is completed, and then click Close.

X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt, and then press Enter.
2. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\write.exe E:\

3. Close the command prompt.
4. On the taskbar, open Windows Explorer, and then click Mirrored Volume (E:). You should now see write.exe in the file list.
5. Close Windows Explorer.

X Task 4: Disconnect an iSCSI disk
1. Switch to LON-DC1.
2. In Server Manager, in the navigation pane, click File and Storage Services.
3. In the File and Storage Services pane, click iSCSI.
4. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click Disable iSCSI Virtual Disk.
5. In the Disable iSCSI Virtual Disk warning message box, click Yes.

X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. On the taskbar, open Windows Explorer, and then click Mirrored Volume (E:).
3. In the file list pane, double-click write.exe to make sure access to the volume is still available.
4. Close the Document - WordPad window.
5. Close Windows Explorer.
6. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Wait until all panes are refreshed. Notice the warning that appears next to Mirrored vDisk.
7. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
8. In the Mirrored vDisk Properties window, in the navigation pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Degraded.
9. Click OK to close the window.

X Task 6: Add a new iSCSI virtual disk
1. Switch to LON-DC1.
2. In Server Manager, in the navigation pane, click File and Storage Services.
3. In the File and Storage Services pane, click iSCSI.
4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
5. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, in the Storage location pane, click C:, and then click Next.
6. On the Specify iSCSI virtual disk name page, type iSCSIDisk6, and then click Next.
7. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
8. On the Assign iSCSI target page, click lon-svr2, and then click Next.
9. On the Confirm selections page, click Create.
10. On the View results page, wait until the creation is completed, and then click Close.

X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk1 (LON-SVR2), and then click OK.
5. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend Virtual Disk.
6. In the Extend Virtual Disk window, in the New size box, type 15, and then click OK.

Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
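Exercise 2 is a good candidate for scripting because every wizard page maps to a parameter, and the health check from Task 5 is something a monitoring job should run rather than a person. The block below is an added example that is not part of the course: it runs Tasks 1, 2, 5 and 7 with the Storage module on LON-SVR2 and assumes the five iSCSI disks from Lab A Exercise 1 are attached and not yet pooled. It also covers the step the wizard leaves implicit: Extend Virtual Disk grows the space, but the partition and volume on it stay the old size until they are resized too.

```powershell
# Added example, not part of the lab text. Exercise 2 Tasks 1, 2, 5 and 7 with
# the Storage module on LON-SVR2. Assumes five unpooled iSCSI disks are attached.
Import-Module Storage

$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 5) { throw "Expected 5 poolable disks, found $($poolable.Count)" }

# Task 1: the pool. The subsystem is 'Storage Spaces on <host>' on Windows Server 2012.
$subsystem = Get-StorageSubSystem | Where-Object { $_.FriendlyName -like 'Storage Spaces*' }
New-StoragePool -FriendlyName 'StoragePool1' `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName -PhysicalDisks $poolable | Out-Null

# Task 2: three-way mirror, thin provisioned, 10 GB, then a ReFS volume on E:.
$vd = New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'Mirrored vDisk' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB
$disk = $vd | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false | Out-Null

# Task 5: what the Health page shows. With one iSCSI disk disabled the volume still
# reads and writes, but HealthStatus/OperationalStatus become Warning/Degraded.
# That pair, not a failed file copy, is the signal worth alerting on.
function Get-MirrorHealth {
    Get-VirtualDisk -FriendlyName 'Mirrored vDisk' |
        Select-Object FriendlyName, HealthStatus, OperationalStatus, NumberOfDataCopies, Size
}
Get-MirrorHealth

# Task 7: add the replacement disk (iSCSIDisk6) to the pool and grow the virtual
# disk to 15 GB, then extend the partition so the volume can actually use the space.
$replacement = @(Get-PhysicalDisk -CanPool $true)
if ($replacement.Count -gt 0) {
    Add-PhysicalDisk -StoragePoolFriendlyName 'StoragePool1' -PhysicalDisks $replacement
}
Resize-VirtualDisk -FriendlyName 'Mirrored vDisk' -Size 15GB
Update-HostStorageCache                      # refresh cached disk sizes before resizing
$max = (Get-PartitionSupportedSize -DriveLetter E).SizeMax
Resize-Partition -DriveLetter E -Size $max
Get-MirrorHealth
```

A three-way mirror survives the loss of one disk with a Degraded status, as Task 5 demonstrates; the degraded state is the window in which a second failure would lose data, so the Task 7 repair is what restores the intended resiliency, not just the capacity.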

X To prepare for the next lab
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR2.


Lab B: Implementing BranchCache


Exercise 1: Performing Initial Configuration Tasks for BranchCache
X Task 1: Configure LON-DC1 to use BranchCache
1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. Open Server Manager by clicking the icon on the taskbar.
3. Click Add roles and features.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
8. On the Select features page, click Next.
9. On the Confirm installation selections page, click Install.
10. After the installation has succeeded, click Close.
11. Switch to the Start screen, type gpedit.msc, and then press Enter.
12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.
13. In the Setting list in the Lanman Server result pane, right-click Hash Publication for BranchCache, and then click Edit.
14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select the Allow hash publication only for shared folders on which BranchCache is enabled check box, and then click OK.

X Task 2: Simulate a slow link to the branch office
1. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate check box, type 100, and then click Next.
3. On the This QoS policy applies to page, click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. Close the Local Group Policy Editor.

X Task 3: Enable a file share for BranchCache
1. Open Windows Explorer by clicking the icon on the taskbar.
2. In the Computer window, browse to Local Disk (C:).
3. On the menu, on the Home tab, click New Folder.
4. Type Share, and then press Enter.
5. Right-click Share, and then click Properties.
6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box, and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close.
11. Switch to the Start screen, type command prompt, and then press Enter.
12. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\mspaint.exe c:\share

13. Close the command prompt.
14. Close Windows Explorer.

X Task 4: Configure client firewall rules for BranchCache
1. On LON-DC1, open Server Manager by clicking the icon on the taskbar.
2. In Server Manager, on the menu bar, click Tools, and then select Group Policy Management from the Tools drop-down list.
3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.
5. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
6. On the Action menu of the Group Policy Management Editor console, click New Rule.
7. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next.
8. On the Predefined Rules page, click Next.
9. On the Action page, click Finish to create the inbound firewall rule.
10. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.
11. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next.
12. On the Predefined Rules page, click Next.
13. On the Action page, click Finish.

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.


Exercise 2: Configuring BranchCache Client Computers


X Task 1: Configure client computers to use BranchCache in the Hosted Cache mode
1. On LON-DC1, in the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache, and then click Edit.
3. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode, and then click Edit.
5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Type the name of the hosted cache server box, type LON-SVR1.adatum.com, and then click OK.
6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files, and then click Edit.
7. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the maximum round trip network latency value (milliseconds) after which caching begins box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required.
8. Close the Group Policy Management Editor console.
9. Close the Group Policy Management console.
10. Start 20417A-LON-CL1. After the computer starts, log on as Adatum\Administrator with the password Pa$$w0rd.
11. On the Start screen, type command prompt, and then press Enter.
12. At the command prompt, type the following command, and then press Enter:
gpupdate /force

13. At the command prompt, type the following command, and then press Enter:
netsh branchcache show status all

14. Start 20417A-LON-CL2. After the computer starts, log on as Adatum\Administrator with the password Pa$$w0rd.
15. On the Start screen, type command prompt, and then press Enter.
16. At the command prompt, type the following command, and then press Enter:
gpupdate /force

17. At the command prompt, type the following command, and then press Enter:
netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.


Exercise 3: Configuring BranchCache on the Branch Server


X Task 1: Install the BranchCache feature on LON-SVR1
1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the password Pa$$w0rd.
2. Open Server Manager by clicking the icon on the taskbar.
3. Click Add roles and features.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, and then select the BranchCache for Network Files check box.
8. On the Select server roles page, click Next.
9. On the Select features page, click BranchCache, and then click Next.
10. On the Confirm installation selections page, click Install.
11. Close Server Manager.

X Task 2: Start the BranchCache host server
1. Switch to LON-DC1.
2. In Server Manager, on the menu bar, click Tools, and then select Active Directory Users and Computers from the Tools drop-down list.
3. Right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, type BranchCacheHost, and then click OK.
5. Click the Computers container.
6. Click LON-SVR1 and drag it to BranchCacheHost.
7. Click Yes to clear the warning about moving objects.
8. Close Active Directory Users and Computers.
9. In Server Manager, on the menu bar, click Tools, and then select Group Policy Management from the Tools drop-down list.
10. Under Domains, expand Adatum.com, right-click BranchCacheHost, and then click Block Inheritance.
11. On LON-DC1, close all open windows.
12. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
13. Open Windows PowerShell by clicking the icon on the taskbar.
14. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer -RegisterSCP

15. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus

16. Close Windows PowerShell.

Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not available when this course was created, so the BranchCache verification steps are not included in this lab.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
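Lab B spreads the BranchCache configuration across three roles and three consoles: the content server share and firewall rules in Exercise 1 (Tasks 3 and 4), the client settings in Exercise 2, and the hosted cache server in Exercise 3. The block below is an added example, not part of the course, that does each part with the BranchCache, SmbShare and NetSecurity modules so the settings can be reviewed and repeated; each section is run on the server named in its comment, and the host names are the lab's own. The Get-BCSummary helper at the end is the cmdlet equivalent of the netsh branchcache show status all check the lab uses, and is what the Note above says the lab could not verify.

```powershell
# Added example, not part of the course text. Run each section on the server
# named in its comment; host names are the ones the lab uses.

# --- LON-DC1, content server (Exercise 1 Tasks 3 and 4) ---
New-Item -ItemType Directory -Path 'C:\Share' -Force | Out-Null
# CachingMode BranchCache is the cmdlet form of the Enable BranchCache check box
# in the share's Offline Settings. Grant read access explicitly rather than Everyone.
New-SmbShare -Name 'Share' -Path 'C:\Share' -CachingMode BranchCache `
    -FullAccess 'Adatum\Administrator' -ReadAccess 'Adatum\Domain Users'
Copy-Item 'C:\Windows\System32\mspaint.exe' 'C:\Share\'
# Hash publication itself is switched on by the Lanman Server GPO setting in
# Task 1; pre-computing hashes spares the first branch request the hashing cost.
Publish-BCFileContent -Path 'C:\Share' -Recurse
# Local equivalents of the two predefined inbound rules added to the GPO in Task 4.
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Content Retrieval (Uses HTTP)'
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Peer Discovery (Uses WSD)'

# --- LON-SVR1, hosted cache server (Exercise 3 Task 2) ---
# -RegisterSCP publishes a service connection point so clients in the branch
# can discover this server; the OU with blocked inheritance keeps the client
# GPO from also turning the server into a hosted cache client of itself.
Enable-BCHostedServer -RegisterSCP
Get-BCHostedCacheServerConfiguration

# --- LON-CL1 and LON-CL2, clients (local equivalent of the Exercise 2 GPO) ---
Enable-BCHostedClient -ServerNames 'LON-SVR1.adatum.com'
# Exercise 2 step 7 sets the latency threshold to 0 ms only to force caching in the lab.
Set-BCMinSMBLatency -LatencyMilliseconds 0

# --- Any of the three roles: status summary (replaces netsh branchcache show status all) ---
function Get-BCSummary {
    $status = Get-BCStatus
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Enabled        = $status.BranchCacheIsEnabled
        ServiceStatus  = $status.BranchCacheServiceStatus
        DataCacheBytes = (Get-BCDataCache).CurrentSizeOnDiskAsNumberOfBytes
    }
}
Get-BCSummary
```

DataCacheBytes is the quickest sign that caching is actually happening: after a client in the branch opens mspaint.exe from \\LON-DC1\Share, the value on the hosted cache server should stop being zero.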

X To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.


Module 5: Implementing Network Services

Lab: Implementing Network Services


Exercise 1: Configure new features in DNS and DHCP
X Task 1: Configure DNSSEC
1. On LON-DC1, in Server Manager, click Tools, and then click DNS in the drop-down list.
2. Expand LON-DC1, expand Forward Lookup Zones, and then select and right-click Adatum.com.
3. On the shortcut menu, point to DNSSEC, and then click Sign the Zone.
4. In the Zone Signing Wizard, click Next.
5. Select Customize zone signing parameters, and then click Next.
6. On the Key Master screen, ensure that LON-DC1 is the Key Master, and then click Next.
7. On the Key Signing Key (KSK) screen, click Next.
8. On the Key Signing Key (KSK) screen, click Add.
9. On the New Key Signing Key (KSK) screen, click OK.
10. On the Key Signing Key (KSK) screen, click Next.
11. On the Zone Signing Key (ZSK) screen, click Next.
12. On the Zone Signing Key (ZSK) screen, click Add.
13. On the New Zone Signing Key (ZSK) screen, click OK.
14. On the Zone Signing Key (ZSK) screen, click Next.
15. On the Next Secure (NSEC) screen, click Next.
16. On the Trust Anchors screen, check Enable the distribution of trust anchors for this zone, and then click Next.
17. On the Signing and Polling Parameters screen, click Next.
18. On the DNS Security Extensions (DNSSEC) screen, click Next.
19. Click Finish.
20. Expand Trust Points, expand com, and then click Adatum. Ensure that the DNSKEY resource records exist and that their status is valid.
21. Close the DNS Manager console.
22. In Server Manager, click Tools, and then in the drop-down list, click Group Policy Management.
23. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default Domain Policy, and then click Edit.
24. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then click the Name Resolution Policy folder.
25. To apply the rule to the suffix of the namespace, in the Create Rules section, in the Suffix field, type Adatum.com.
26. On the DNSSEC tab, click Enable DNSSEC in this rule.
27. Check Require DNS clients to check that the name and address data has been validated by the DNS server, and then click Create.
28. Close the Group Policy Management Editor and the Group Policy Management console.
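Signing the zone (steps 1 to 19) and requiring clients to validate (steps 22 to 27) are two separate controls, and the second is the one that actually protects clients from forged answers; a signed zone that nobody validates is only metadata. The block below is an added example, not part of the lab text: it signs Adatum.com with the DnsServer module using the same default key parameters the wizard's Add/OK dialogs accept, checks that DNSKEY and RRSIG records are published, queries with the DNSSEC OK bit set to confirm signatures come back with the data, and then adds the local equivalent of the NRPT rule the lab places in the Default Domain Policy. The function name Test-SignedAnswer is the example's own.

```powershell
# Added example, not part of the lab text. Run on LON-DC1 unless noted.
Import-Module DnsServer

# Steps 1 to 19: -SignWithDefault uses the default KSK/ZSK parameters, the same
# ones the wizard applies when every New Key dialog is accepted with OK.
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -SignWithDefault -Force -PassThru

# Step 20 equivalent: the signed zone now carries DNSKEY and RRSIG records.
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType DnsKey
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType Rrsig | Select-Object -First 5

# Query with the DNSSEC OK (DO) bit set. A validating resolver is only protected
# if the signatures travel with the answer, so check that RRSIGs are present.
function Test-SignedAnswer {
    param([string]$Name = 'Adatum.com', [string]$Server = 'LON-DC1')
    $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnssecOk
    [bool]($records | Where-Object { $_.Type -eq 'RRSIG' })
}
Test-SignedAnswer    # expected True after signing

# Steps 22 to 27 put the NRPT rule in the Default Domain Policy. This is the
# local, single-machine equivalent (run on a client to test before rolling out
# by GPO): clients must obtain validated answers for the namespace.
Add-DnsClientNrptRule -Namespace '.Adatum.com' -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC-validated answers for the corporate zone'
Get-DnsClientNrptPolicy -Effective
```

With DnsSecValidationRequired in force, a client that receives an unsigned or badly signed answer for a name under .Adatum.com reports a resolution failure rather than using the data, which is the behaviour to test for before enabling the rule domain-wide.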

X Task 2: Configure DHCP Name Protection
1. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
2. Expand Lon-DC1.adatum.com.
3. Select and then right-click IPv4, and then click Properties.
4. Click the DNS tab.
5. In the Name Protection section, click Configure.
6. Check Enable Name Protection, and then click OK.
7. To close the Properties dialog box, click OK.

X Task 3: Configure DHCP Failover

1. On LON-SVR1, in Server Manager, click Tools, and then on the drop-down list, click DHCP. Note that the server is authorized but no scopes are configured.
2. Switch to LON-DC1.
3. In the DHCP Management console, right-click the IPv4 node, and then click Configure Failover.
4. In the Configuration Failover Wizard, click Next.
5. On the Specify a partner server to use for failover screen, enter 172.16.0.21 in the Partner Server field, and then click Next.
6. On the Create a new failover relationship screen, in the Relationship Name field, type Adatum.
7. In the Maximum Client Lead Time field, set the hours to zero, and set the minutes to 15.
8. Ensure the Mode field is set to Load balance.
9. Ensure the Load Balance Percentage is set to 50%.
10. Check State Switchover Interval.
11. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd, click Next, and then click Finish.
12. Click Close.
13. Switch to LON-SVR1. Notice that the IPv4 node is active.
14. Expand the IPv4 node and expand the Adatum Scope.
15. Click the Address Pool node. Notice that the address pool is configured.
16. Click the Scope Options node. Notice that the scope options are configured.
17. Close the DHCP console on both LON-DC1 and LON-SVR1.
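As an added example that is not part of the course lab, the name-protection and failover settings from Tasks 2 and 3 can be applied and verified with the DhcpServer module from LON-DC1. It assumes the Adatum scope has the scope ID 172.16.0.0 (the lab does not state it) and prompts for the shared secret instead of embedding it.

```powershell
# Added example (not from the course lab): scripted equivalent of Tasks 2 and 3,
# run in an elevated PowerShell session on LON-DC1.
# Assumption: the lab's "Adatum" scope has the scope ID 172.16.0.0 (not stated in the lab).
$ScopeId = '172.16.0.0'
$Partner = 'LON-SVR1.adatum.com'   # 172.16.0.21, the partner entered in Task 3 step 5

# Task 2: DHCP Name Protection. The server then registers a DHCID record with each
# name, so a different client cannot have an existing name re-pointed at its address.
Set-DhcpServerv4DnsSetting -ComputerName LON-DC1 -NameProtection $true

# Task 3: load-balanced failover (50/50), MCLT of 15 minutes, automatic state
# switchover after the default 60-minute interval, message authentication on.
# The shared secret is read at run time rather than stored in the script.
$Secret = Read-Host -Prompt 'Message authentication shared secret'
Add-DhcpServerv4Failover -ComputerName LON-DC1 -Name 'Adatum' `
    -PartnerServer $Partner -ScopeId $ScopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -StateSwitchoverInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $Secret

# Verification matching steps 13-16: both servers report the relationship, and the
# scope, its address pool and its options now exist on LON-SVR1 as well.
foreach ($server in 'LON-DC1', $Partner) {
    Get-DhcpServerv4Failover -ComputerName $server -Name 'Adatum' |
        Format-List Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime
}
Get-DhcpServerv4Scope       -ComputerName $Partner -ScopeId $ScopeId
Get-DhcpServerv4OptionValue -ComputerName $Partner -ScopeId $ScopeId
Get-DhcpServerv4DnsSetting  -ComputerName LON-DC1 | Select-Object NameProtection
```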

Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.

Module 5: Implementing Network Services

Exercise 2: Configuring IP Address Management

X Task 1: Install the IPAM Feature

1. On LON-SVR2, in Server Manager, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type screen, click Next.
4. On the Select destination server screen, click Next.
5. On the Select server roles screen, click Next.
6. On the Select features screen, check IP Address Management (IPAM) Server.
7. In the Add features that are required for IP Address Management (IPAM) Server pop-up, click Add Features, and then click Next.
8. On the Confirm installation selections screen, click Install.
9. Close the wizard when the installation has completed.

X Task 2: Configure IPAM Related GPOs

1. On LON-SVR2, in Server Manager, click IPAM.
2. In the IPAM Overview pane, after step 1 shows that LON-SVR2 is connected, click Provision the IPAM server.
3. In the Provision IPAM Wizard, click Next.
4. On the Select provisioning method screen, select the Group Policy Based method, type IPAM in the GPO name prefix field, and then click Next.
5. On the Confirm the Settings screen, click Apply.
6. When provisioning has completed, click Close.

X Task 3: Configure IP Management Server Discovery

1. On the IPAM Overview pane, click Configure server discovery.
2. To add the Adatum.com domain, in the Configure Server Discovery dialog box, click Add, and then click OK.
3. On the IPAM Overview pane, click Start server discovery.
4. In the yellow banner, to determine the discovery status, click the More link. Discovery will take a few minutes to complete.
5. To return to the IPAM pane, close the Overview Tasks Details dialog box.

X Task 4: Configure Managed Servers

1. From the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.

Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll down to the Details View and note the status report. This is because the IPAM server has not yet been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.

2. On the task bar, click the Windows PowerShell icon.
3. Type the following command at the PowerShell prompt and then press Enter:

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com

4. When you are prompted to confirm the action, press Enter. It will take a few moments to complete.
5. Return to Server Manager.
6. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
7. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click OK.
8. Repeat steps 6 and 7 to configure LON-SVR1 to be managed.
9. Switch to LON-DC1.
10. On the task bar, click Windows PowerShell.
11. Type gpupdate /force, and then press Enter.
12. Switch to LON-SVR1.
13. On the task bar, click Windows PowerShell.
14. Type gpupdate /force, and then press Enter.
15. Switch back to LON-SVR2, right-click LON-DC1, and then click Refresh Server Access Status. This may take a few minutes to complete.
16. Repeat step 15 to refresh the status for LON-SVR1.
17. Refresh the page by clicking the Refresh icon on the top menu bar until the status shows an IPAM Access Status of Unblocked.
18. From the IPAM Overview pane, click Retrieve data from managed servers. This action will take several moments to complete.

X Task 5: Configure and Verify a New DHCP Scope with IPAM

1. In the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers. Refresh the console pane until all objects show Running.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server role.
3. On the shortcut menu, click Create DHCP Scope.
4. In the Create DHCP Scope dialog box, in the Scope Name field, type TestScope.
5. Type 10.0.0.10 in the Start IP address field.
6. Type 10.0.0.100 in the End IP address field.
7. In the Create details pane, click Options.
8. In the Configure options pane, click the drop-down arrow of the Option field, and then select option 003 Router.
9. In the Values section, click into the IP Address field and type 10.0.0.1, click Add to list, and then click OK.
10. Switch to LON-DC1.
11. In the Server Manager toolbar, click Tools and then click DHCP.
12. In the DHCP console, expand LON-DC1.Adatum.com, expand IPv4, and confirm that the TestScope exists.
13. Right-click the TestScope and then click Deactivate. Click Yes.
14. Close the DHCP console.
15. On LON-SVR2, close all open windows.
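As an added example that is not part of the course lab, the Group Policy provisioning from Task 4 and the test scope from Task 5 can be scripted from LON-SVR2. The scope is created directly with the DhcpServer module on LON-DC1 rather than through the IPAM console the task uses, and a 255.255.255.0 subnet mask is assumed because the task does not state one.

```powershell
# Added example (not from the course lab): run on LON-SVR2 as a domain administrator.
Import-Module IpamServer, GroupPolicy, DhcpServer

# Task 4 step 3: the same provisioning command; -Force suppresses the confirmation
# prompt that step 4 answers interactively.
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM `
    -IpamServerFqdn LON-SVR2.adatum.com -Force

# Provisioning creates one GPO per managed role, named <prefix>_DHCP, <prefix>_DNS
# and <prefix>_DC_NPS. Stop early if any of them is missing.
$expected = 'IPAM_DHCP', 'IPAM_DNS', 'IPAM_DC_NPS'
$present  = (Get-GPO -All -Domain 'Adatum.com').DisplayName
$missing  = $expected | Where-Object { $present -notcontains $_ }
if ($missing) { throw "IPAM GPOs not created: $($missing -join ', ')" }

# Steps 10-14: refresh Group Policy on the servers that will be managed, so the
# IPAM server is granted the access that step 1 reported as Blocked.
Invoke-Command -ComputerName LON-DC1, LON-SVR1 -ScriptBlock { gpupdate.exe /force }

# Task 5: create the TestScope on LON-DC1 with the router option, confirm it, and
# deactivate it as step 13 does so that it never hands out a lease.
# Assumption: subnet mask 255.255.255.0 (scope ID 10.0.0.0); the lab gives no mask.
$TestScopeId = '10.0.0.0'
Add-DhcpServerv4Scope -ComputerName LON-DC1 -Name 'TestScope' `
    -StartRange 10.0.0.10 -EndRange 10.0.0.100 -SubnetMask 255.255.255.0
Set-DhcpServerv4OptionValue -ComputerName LON-DC1 -ScopeId $TestScopeId -Router 10.0.0.1

Get-DhcpServerv4Scope       -ComputerName LON-DC1 -ScopeId $TestScopeId
Get-DhcpServerv4OptionValue -ComputerName LON-DC1 -ScopeId $TestScopeId -OptionId 3
Set-DhcpServerv4Scope       -ComputerName LON-DC1 -ScopeId $TestScopeId -State InActive
```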


Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.

Exercise 3: Configuring NAP


X Task 1: Configure Server and Client Certificate Requirements

1. On LON-SVR2, move the mouse to the lower right corner, click the Search icon on the flyout menu, type MMC.EXE, and press Enter.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
5. In the Select Computer dialog box, click Finish, and then click OK.
6. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
7. In the Certificate Enrollment dialog box, click Next.
8. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
9. Select the Computer check box and then click Enroll.
10. Verify that the status of the certificate installation is Succeeded and then click Finish.
11. Close the Console1 window. When you are prompted to save console settings, click No.
12. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
13. Move the mouse to the lower right corner and then click the Search icon on the flyout menu, type MMC, and press Enter.
14. In the Console1 window, click File and then click Add/Remove Snap-in.
15. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
16. In the Certificates snap-in dialog box, select Computer account and then click Next.
17. In the Select Computer dialog box, click Finish and then click OK.
18. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
19. When the Certificate Enrollment dialog box appears, click Next.
20. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
21. Select the Computer check box and then click Enroll.
22. Verify that the status of the certificate installation is Succeeded and then click Finish.
23. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
24. When the Certificate Enrollment dialog box appears, click Next.
25. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
26. Select the Computer check box, and then click Enroll.
27. Verify that the status of the certificate installation is Succeeded and then click Finish.
28. Close the Console1 window. When you are prompted to save console settings, click No.
29. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
30. On the Start screen, type MMC and press Enter.
31. In the Console1 window, click File and then click Add/Remove Snap-in.
32. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
33. In the Certificates snap-in dialog box, select Computer account and then click Next.
34. In the Select Computer dialog box, click Finish and then click OK.
35. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
36. When the Certificate Enrollment dialog box appears, click Next.
37. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
38. Select the Computer check box and then click Enroll.
39. Verify that the status of the certificate installation is Succeeded and then click Finish.
40. Close the Console1 window. When you are prompted to save console settings, click No.

X Task 2: Install the Network Policy Server Role

1. On LON-SVR2, switch to Server Manager.
2. Click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, check Network Policy and Access Services.
7. In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.
8. On the Select features page, click Next.
9. On the Network Policy and Access Services page, click Next.
10. On the Select role services page, check Network Policy Server. Click Next.
11. On the Confirm installation selections page, click Install.
12. When the installation has succeeded, click Close.

X Task 3: Configure Health Policies

1. On LON-SVR2, in Server Manager, click Tools and then click Network Policy Server.
2. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
3. In the right pane, under Name, double-click Default Configuration.
4. On the Windows 8 Release Preview/Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.
5. Expand Policies.
6. Right-click Health Policies and then click New.
7. In the Create New Health Policy dialog box, under Policy name, type Compliant.
8. Under Client SHV checks, verify that Client passes all SHV checks is selected.
9. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
10. Right-click Health Policies, and then click New.
11. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
12. Under Client SHV checks, select Client fails one or more SHV checks.
13. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.

X Task 4: Configure Network Policies for Compliant and Noncompliant Computers

1. Under Policies, click Network Policies.
2. Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.
3. Right-click Network Policies and then click New.
4. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type Compliant-Full-Access and then click Next.
5. In the Specify Conditions window, click Add.
6. In the Select condition dialog box, scroll down and double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.
9. In the Specify Access Permission window, verify that Access granted is selected.
10. Click Next three times.
11. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.
12. In the Completing New Network Policy window, click Finish.
13. Right-click Network Policies and then click New.
14. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type Noncompliant-Restricted and then click Next.
15. In the Specify Conditions window, click Add.
16. In the Select condition dialog box, scroll down and double-click Health Policies.
17. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.
18. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Noncompliant and then click Next.
19. In the Specify Access Permission window, verify that Access granted is selected.

Note: A setting of Access granted does not mean that noncompliant client computers are granted full network access. It specifies that the policy should continue to evaluate the client computers that match these conditions.

20. Click Next three times.
21. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and clear the Enable auto-remediation of client computers check box.
22. In the Configure Settings window, click IP Filters.
23. Under IPv4, click Input Filters and then click New.
24. In the Add IP Filter dialog box, select Destination network. Type 172.16.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant client computers can reach only LON-DC1.
25. Click OK to close the Add IP Filter dialog box, select Permit only the packets listed below in the Inbound Filters dialog box, and then click OK.
26. Under IPv4, click Output Filters and then click New.
27. In the Add IP Filter dialog box, select Source network. Type 172.16.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.
28. Click OK to close the Add IP Filter dialog box and then, in the Outbound Filters dialog box, select Permit only the packets listed below. This step ensures that only traffic from LON-DC1 can be sent to noncompliant client computers.
29. To close the Outbound Filters dialog box, click OK.
30. In the Configure Settings window, click Next and then click Finish.

X Task 5: Configure Connection Request Policies for VPN

1. Click Connection Request Policies.
2. Disable the default Connection Request policy named Use Windows authentication for all users by right-clicking the policy and then clicking Disable.
3. Disable the default RRAS policy by right-clicking the Microsoft Routing and Remote Access Service Policy and then clicking Disable.
4. Right-click Connection Request Policies and then click New.
5. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN Connections.
6. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.
7. In the Specify Conditions window, click Add.
8. In the Select Condition window, scroll down and double-click Tunnel Type, and then select PPTP, SSTP, and L2TP. Click OK and then click Next.
9. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.
10. In the Specify Authentication Methods window, select Override network policy authentication settings.
11. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.
12. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.
13. Verify that Enforce Network Access Protection is selected and then click OK.
14. Click Next two times and then click Finish.
15. Close the Network Policy Server console.

Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.

Exercise 4: Verifying the NAP Deployment


X Task 1: Configure Security Center

1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
2. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
3. In the Search box, type gpedit.msc, click Apps, and press Enter.
4. In the Local Group Policy Editor console tree, expand Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.
5. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
6. Close the Local Group Policy Editor.

X Task 2: Enable a Client NAP enforcement method

1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout menu.
2. In the Search box, type napclcfg.msc and press Enter.
3. In the console tree, click Enforcement Clients.
4. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.
5. Close the NAP Client Configuration console.
6. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
7. In the Search box, type Services.msc and press Enter.
8. In the Services list, double-click Network Access Protection Agent.
9. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.
10. Wait for the NAP Agent service to start and then click OK.
11. Close the Services console.

X Task 3: Allow ping on LON-SVR2

1. On LON-SVR2, click Tools in Server Manager, and then click Windows Firewall with Advanced Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. Select Custom and then click Next.
4. Select All programs and then click Next.
5. In the Protocol type field, click the drop-down arrow, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, type Allow Ping and then click Finish.
11. Close the Windows Firewall with Advanced Security console.
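As an added example that is not part of the lab's own steps, Tasks 1 to 3 can be scripted from an elevated PowerShell session on LON-CL1, with the firewall rule for LON-SVR2 created over PowerShell remoting. Writing the SecurityCenterInDomain policy value directly is assumed equivalent in effect to enabling the setting in the Local Group Policy Editor; 79623 is the enforcement client ID of the EAP Quarantine Enforcement Client.

```powershell
# Added example (not from the course lab): scripted equivalent of Tasks 1-3, run in an
# elevated PowerShell session on LON-CL1 as Adatum\Administrator.

# Task 1: "Turn on Security Center (Domain PCs only)". The Local Group Policy Editor
# sets the SecurityCenterInDomain policy value; this writes it directly (assumed
# equivalent in effect, although the editor will not display the setting as Enabled).
$sc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
if (-not (Test-Path $sc)) { New-Item -Path $sc -Force | Out-Null }
Set-ItemProperty -Path $sc -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# Task 2: enable the EAP Quarantine Enforcement Client (ID 79623) and run the NAP
# Agent automatically. Without both, the client never sends a statement of health
# and NPS treats it as non-NAP-capable rather than evaluating it against the SHV.
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"
Set-Service -Name 'napagent' -StartupType Automatic
Start-Service -Name 'napagent'
netsh nap client show state          # the EAP client should now show Admin = Enabled

# Task 3: allow inbound ICMPv4 Echo Request (type 8) on LON-SVR2 for all profiles,
# so the NPS server answers ping; only echo requests are opened, not all ICMP.
Invoke-Command -ComputerName LON-SVR2 -ScriptBlock {
    New-NetFirewallRule -DisplayName 'Allow Ping' -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any | Out-Null
    Get-NetFirewallRule -DisplayName 'Allow Ping' | Get-NetFirewallPortFilter
}

# Confirm from the client while it is still on the internal network.
Test-Connection -ComputerName LON-SVR2 -Count 2
```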

X Task 4: Move the client to the Internet and establish a VPN connection

1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout menu.
2. In the Search box, type Control Panel and press Enter.
3. Click Network and Internet.
4. Click Network and Sharing Center.
5. Click Change Adapter Settings.
6. Right-click Local Area Connection and then click Properties.
7. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
8. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Remove the existing Default Gateway, and do not configure the Default gateway.
9. Click OK and then click Close to close the Local Area Connection Properties dialog box.
10. Close the Network Connections window.
11. In Hyper-V Manager, right-click 20417A-LON-CL1 and then click Settings.
12. Click Legacy Network Adapter, and then under Network, select Private Network 2, and click OK.
13. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout menu.
14. In the Search box, type CMD and press Enter.
15. At the command prompt, type ping 131.107.0.1 and press Enter.
16. Verify that a response is received.
17. Close the command prompt.
18. Return to Control Panel and then click Network and Internet.
19. Click Network and Sharing Center.
20. Click Set up a new connection or network.
21. On the Choose a connection option page, click Connect to a workplace and then click Next.
22. On the How do you want to connect page, click Use my Internet connection (VPN).
23. Click I'll set up an Internet connection later.
24. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Adatum VPN.
25. Select the Allow other people to use this connection check box and then click Create.
26. In the Network And Sharing Center window, click Change adapter settings.
27. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
28. Under Authentication, click Use Extensible Authentication Protocol (EAP).
29. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.
30. Ensure that the Verify the server's identity by validating the certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.
31. To accept these settings, click OK two times.
32. In the Network Connections window, right-click the Adatum VPN connection and then click Connect/Disconnect.
33. In the Networks flyout menu, click Adatum VPN and then click Connect.
34. In the Network Authentication dialog box, type Administrator in the User Name field and type Pa$$w0rd in the Password field.
35. Click OK and then click Connect.

X Task 5: To prepare for next module

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR2 and 20417A-LON-CL1.

Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.


Module 6: Implementing DirectAccess

Lab: Implementing DirectAccess


Exercise 1: Configuring the DirectAccess Infrastructure
X Task 1: Configure the AD DS and DNS requirements

1. Create a security group for DirectAccess client computers by performing the following steps:

a. Switch to LON-DC1.
b. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers.
c. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and then click Organizational Unit.
d. In the New Object - Organizational Unit window, in the Name box, type DA_Clients OU, and then click OK.
e. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click DA_Clients OU, click New, and then click Group.
f. In the New Object - Group dialog box, under Group name, type DA_Clients.
g. Under Group scope, select Global, under Group type, select Security, and then click OK.
h. In the details pane, double-click DA_Clients.
i. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
j. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
k. Under Enter the object names to select (examples), type LON-SVR3, and then click OK.
l. Verify that LON-SVR3 is displayed below Members, and then click OK.
m. Close the Active Directory Users and Computers console.

2. Configure firewall rules for ICMPv6 traffic by performing the following steps:

Note: It is important to configure firewall rules for ICMPv6 traffic to enable subsequent testing of DirectAccess in the lab environment.

a. In the Server Manager console, in the upper-right corner, click Tools, and then click Group Policy Management.
b. In the console tree, expand Forest: Adatum.com\Domains\adatum.com.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
d. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.
e. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
f. On the Rule Type page, click Custom, and then click Next.
g. On the Program page, click Next.
h. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.
i. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
j. Click Next.
k. On the Scope page, click Next.
l. On the Action page, click Next.
m. On the Profile page, click Next.
n. On the Name page, in the Name box, type Inbound ICMPv6 Echo Requests, and then click Finish.
o. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.
p. On the Rule Type page, click Custom, and then click Next.
q. On the Program page, click Next.
r. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.
s. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
t. Click Next.
u. On the Scope page, click Next.
v. On the Action page, click Allow the connection, and then click Next.
w. On the Profile page, click Next.
x. On the Name page, in the Name box, type Outbound ICMPv6 Echo Requests, and then click Finish.
y. Close the Group Policy Management Editor and Group Policy Management consoles.

3. Create required DNS records by performing the following steps:

a. In the Server Manager console, click Tools, and then click DNS.
b. In the console tree of DNS Manager, expand LON-DC1\Forward Lookup Zones\adatum.com.
c. Right-click adatum.com and then click New Host (A or AAAA).
d. In the Name box, type nls. In the IP address box, type 172.16.0.21. Click Add Host and then click OK.
e. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type 172.16.0.22, and then click Add Host.
f. In the DNS dialog box informing you that the record was created, click OK.
g. In the New Host dialog box, click Done.
h. Close the DNS Manager console.
4. Remove ISATAP from the DNS global query block list by performing the following steps:

a. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type cmd.exe to launch the Command Prompt window.
b. In the Command Prompt window, type the following command and then press Enter:

dnscmd /config /globalqueryblocklist wpad

Ensure that the Command completed successfully message appears.

c. Close the Command Prompt window.

5. Configure the DNS suffix on LON-SVR2 by performing the following steps:

a. Switch to LON-SVR2.
b. Move the mouse to the lower right corner of the screen, click Settings, click Control Panel, and then click View network status and tasks.
c. In the Network and Sharing Center window, click Change adapter settings.
d. In the Network Connection window, right-click Local Area Connection, and then click Properties.
e. In the Local Area Network Properties window, double-click Internet Protocol Version 4 (TCP/IPv4).
f. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.
g. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click OK.
h. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.
i. In the Local Area Connection Properties dialog box, click OK.
j. Close the Network Connections window.

X Task 2: Configure certificate requirements

1. Configure the CRL distribution settings by performing the following steps:


a. On LON-DC1, in Server Manager, on the Tools menu, click Certification Authority.
b. In the details pane, right-click Adatum-LON-DC1-CA, and then click Properties.
c. In the Adatum-LON-DC1-CA Properties dialog box, click the Extensions tab.
d. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/.
e. Under Variable, click <CAName>, and then click Insert.
f. Under Variable, click <CRLNameSuffix>, and then click Insert.
g. Under Variable, click <DeltaCRLAllowed>, and then click Insert.
h. In the Location box, type .crl at the end of the Location string, and then click OK.
i. Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.
j. Click Add.
k. In the Location box, type \\lon-svr2\crldist$\.
l. Under Variable, click <CAName>, and then click Insert.
m. Under Variable, click <CRLNameSuffix>, and then click Insert.

n. Under Variable, click <DeltaCRLAllowed>, and then click Insert.
o. In the Location box, type .crl at the end of the string, and then click OK.
p. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
q. Click Yes to restart Active Directory Certificate Services.

2. Duplicate the web certificate template and configure the appropriate permission by performing the following steps:

a. In the Certification Authority console, expand Adatum-LON-DC1-CA, right-click Certificate Templates, and then select Manage.
b. In the Certificate Templates console, in the content pane, right-click the Web Server template, and then click Duplicate Template.
c. Click the General tab and, in the Template display name box, type Adatum Web Server Certificate.
d. Click the Request Handling tab and select Allow private key to be exported.
e. Click the Security tab and then click Authenticated Users.
f. In the Permissions for Authenticated Users window, under Allow, click Enroll, and then click OK.

Note: Users require the Enroll permission on the certificate.

g. Close the Certificate Templates console.
h. In the Certification Authority console, right-click Certificate Templates, and navigate to New/Certificate Template to Issue.
i. Select Adatum Web Server Certificate, and then click OK.
j. Close the Certification Authority console.

3. Configure computer certificate auto-enrollment by performing the following steps:

a. On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and then click Group Policy Management.
b. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
d. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
e. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
f. In the Automatic Certificate Request Setup Wizard, click Next.
g. On the Certificate Template page, click Computer, click Next, and then click Finish.
h. Close the Group Policy Management Editor and close the Group Policy Management console.

X Task 3: Configure the internal resources for DirectAccess

1. Request a certificate for LON-SVR1 by performing the following steps:
   a. On LON-SVR1, move the mouse to the lower-right corner of the screen, select Search, type cmd, and then press Enter.
   b. At the command prompt, type the following command and then press Enter:
      gpupdate /force
   c. At the command prompt, type the following command and then press Enter:
      mmc
   d. Click File and then click Add/Remove Snap-in.
   e. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
   f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
   g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
   h. Click Next twice.
   i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
   j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name.
   k. In the Value box, type nls.adatum.com, and then click Add.
   l. Click OK, click Enroll, and then click Finish.
   m. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
   n. Close the console window. When you are prompted to save settings, click No.

2. Change the HTTPS bindings by performing the following steps:
   a. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. At the Internet Information Services (IIS) Manager message box, click No.
   b. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web Site.
   c. In the Actions pane, click Bindings, and then click Add.
   d. In the Add Site Binding dialog box, in the Type list, click https; in the SSL certificate list, click the certificate with the name nls.adatum.com; click OK, and then click Close.
   e. Close the Internet Information Services (IIS) Manager console.
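The same result as Task 3 (and the certificate request at the start of Task 4) from PowerShell, as an added example that is not part of the original lab: it enrolls the server certificate from the duplicated template, checks that the certificate is actually usable for TLS before binding it, binds it to port 443 and then fetches the NLS URL the way a DirectAccess client will. It assumes the template's internal name is AdatumWebServerCertificate (the display name in the lab with the spaces removed, which is the default when a template is duplicated) and the lab's host names; run it on LON-SVR1 as a domain administrator. One caveat on the template itself: the lab marks the private key as exportable, which lets anyone who can read the machine store carry the NLS and IP-HTTPS keys off the box; leave that option off unless you need to move the key.

```powershell
# Added example (PowerShell 3.0, run on LON-SVR1). Not part of the original lab.
# Assumed: template internal name 'AdatumWebServerCertificate', NLS name nls.adatum.com.
Import-Module PKI, WebAdministration

$templateName = 'AdatumWebServerCertificate'   # assumption: display name without spaces
$dnsName      = 'nls.adatum.com'

# Pick up the auto-enrollment policy that Task 2 put into the Default Domain Policy.
gpupdate /force | Out-Null

# 1. Enroll a Server Authentication certificate for the NLS name from the enterprise CA.
$result = Get-Certificate -Template $templateName -SubjectName "CN=$dnsName" `
    -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}
$cert = $result.Certificate

# 2. Check the certificate before trusting it for TLS: Server Authentication EKU, a private
#    key in the machine store, and a chain that builds to the enterprise CA.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    throw 'Certificate lacks the Server Authentication EKU'
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw "Chain does not build: $($chain.ChainStatus | ForEach-Object StatusInformation)"
}

# 3. Bind it to the Default Web Site on 443 (equivalent of Bindings > Add > https).
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
Remove-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# 4. Verify what a DirectAccess client will see. The NLS must answer over HTTPS with a
#    certificate whose name matches, otherwise intranet clients decide they are on the Internet.
$response = Invoke-WebRequest -Uri "https://$dnsName/" -UseBasicParsing
"NLS answered HTTP $($response.StatusCode); bound $($cert.Subject) ($($cert.Thumbprint)) on :443"
```

The chain check matters more than it looks: Get-Certificate will happily return a certificate whose issuer is not yet trusted by this machine, and the NLS validation in the DirectAccess wizard (Task 4, step 5r) fails later with a much less helpful message.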

X Task 4: Configure the DirectAccess server

1. Obtain the required certificate for LON-SVR2 by performing the following steps:
   a. Switch to LON-SVR2.
   b. Open a command prompt, type the following command, and then press Enter:
      gpupdate /force
   c. Move the mouse to the lower-right corner, select Search, type mmc.exe, and then press Enter.
   d. Click File and then click Add/Remove Snap-in.
   e. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
   f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
   g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
   h. Click Next twice.
   i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
   j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name.
   k. In the Value box, type 131.107.0.2, and then click Add.
   l. Click OK, click Enroll, and then click Finish.
   m. In the details pane of the Certificates snap-in, verify that a new certificate with the name 131.107.0.2 was issued with Intended Purposes of Server Authentication.
   n. Right-click the certificate and then click Properties.
   o. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK.
   p. Close the console window. If you are prompted to save settings, click No.

2. Create a CRL distribution point on LON-SVR2 by performing the following steps:
   a. Switch to Server Manager.
   b. Click Tools, and then click Internet Information Services (IIS) Manager.
   c. If the Internet Information Services (IIS) Manager message box appears, click No.
   d. In the console tree, browse to LON-SVR2\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
   e. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis button.
   f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
   g. Type CRLDist and then press Enter. In the Browse for Folder dialog box, click OK.
   h. In the Add Virtual Directory dialog box, click OK.
   i. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
   j. In the console tree, click the CRLD folder.
   k. In the middle pane of the console, double-click the Configuration Editor icon.
   l. Click the down-arrow of the Section drop-down list, and navigate to system.webServer\security\requestFiltering.
   m. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
   n. In the details pane, click Apply.
   o. Close Internet Information Services (IIS) Manager.

   Question: Why do you make the CRL available on the edge server?

   Answer: You make the CRL available on the edge server so that Internet-based DirectAccess clients, which have no path into the internal network until their tunnels are up, can still retrieve the CRL when they validate the IP-HTTPS certificate.
3. Share and secure the CRL distribution point by performing the following steps:

   Note: You perform this step to assign permissions to the CRL distribution point.

   a. On the taskbar, click Windows Explorer.
   b. Double-click Local Disk (C:).
   c. In the details pane of Windows Explorer, right-click the CRLDist folder, and then click Properties.
   d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
   e. In the Advanced Sharing dialog box, select Share this folder.
   f. In the Share name box, add a dollar sign ($) to the end so that the share name is CRLDist$.
   g. In the Advanced Sharing dialog box, click Permissions.
   h. In the Permissions for CRLDist$ dialog box, click Add.
   i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
   j. In the Object Types dialog box, select Computers, and then click OK.
   k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click Check Names. Click OK.
   l. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow. Click OK.
   m. In the Advanced Sharing dialog box, click OK.
   n. In the CRLDist Properties dialog box, click the Security tab.
   o. On the Security tab, click Edit.
   p. In the Permissions for CRLDist dialog box, click Add.
   q. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
   r. In the Object Types dialog box, select Computers. Click OK.
   s. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, click Check Names, and then click OK.
   t. In the Permissions for CRLDist dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow, and then click OK.
   u. In the CRLDist Properties dialog box, click Close.
   v. Close the Windows Explorer window.

4. Publish the CRL to LON-SVR2 by performing the following steps:

   Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.

   a. Switch to LON-DC1.
   b. In Server Manager, click Tools, and then click Certification Authority.
   c. In the console tree, expand Adatum-LON-DC1-CA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
   d. In the Publish CRL dialog box, click New CRL, and then click OK.
   e. On the taskbar, click Windows Explorer, in the Address bar, type \\LON-SVR2\CRLDist$, and then press Enter.
   f. In the Windows Explorer window, notice the Adatum-LON-DC1-CA files.
   g. Close the Windows Explorer window.
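Steps 2 through 4 (virtual directory, share and NTFS permissions, publish and verify) as one PowerShell script, added here as an example and not part of the original lab. The first half runs on LON-SVR2, the second on LON-DC1; the final fetch should be issued from a host on the Internet side of LON-SVR2 (for example LON-SVR3 after Exercise 3, Task 1), because that is the path a remote client actually takes. It assumes that the CA's CRL publication URLs already contain the file://\\LON-SVR2\CRLDist$\... entry and an http://131.107.0.2/CRLD/... distribution point, which is what the lab's Publish step relies on; the script reads those settings and does not change them, and the CRL file name Adatum-LON-DC1-CA.crl is likewise assumed from what the lab says you will see in the share. Two points worth noticing: allowDoubleEscaping is needed only because delta CRL file names contain a plus sign, so it is set on the CRLD directory and nowhere else, and the share grants Full Control to the CA's computer account alone, since every other reader gets the CRL over HTTP.

```powershell
# Added example (PowerShell 3.0). Not part of the original lab.
# --- Part 1: on LON-SVR2 (the edge server) ---
Import-Module WebAdministration, SmbShare

$folder = 'C:\CRLDist'
$share  = 'CRLDist$'                 # hidden share, as in the lab
$caAcct = 'ADATUM\LON-DC1$'          # only the CA's computer account may write CRLs here

New-Item -Path $folder -ItemType Directory -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $folder | Out-Null
}
# Directory browsing shows which CRLs are present. Request filtering must accept the '+' in delta
# CRL names (<CaName>+.crl), which IIS treats as double escaping; scope the relaxation to CRLD only.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter /system.webServer/directoryBrowse -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value $true

# Share and NTFS permissions: Full Control for the CA's computer account, nothing for anyone else.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $folder -FullAccess $caAcct | Out-Null
}
icacls $folder /grant "${caAcct}:(OI)(CI)F" | Out-Null
Get-SmbShareAccess -Name $share            # expect exactly one entry: ADATUM\LON-DC1$ Full

# --- Part 2: on LON-DC1 (the CA) ---
certutil -getreg CA\CRLPublicationURLs     # assumed to list file://\\LON-SVR2\CRLDist$\...
certutil -crl                              # same as Revoked Certificates > All Tasks > Publish > New CRL
Get-ChildItem '\\LON-SVR2\CRLDist$'        # expect Adatum-LON-DC1-CA.crl (and the +.crl delta)

# --- Part 3: from a host on the Internet side of LON-SVR2 ---
# Fetch the CRL the way a remote client does and make sure it parses as a CRL rather than
# being an IIS 404 or request-filtering error page that happens to return 200 bytes.
$url  = 'http://131.107.0.2/CRLD/Adatum-LON-DC1-CA.crl'   # assumed CDP URL and file name
$file = Join-Path $env:TEMP 'fetched.crl'
Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $file
certutil -dump $file | Select-String 'Issuer|Next Update|Delta'
if ($LASTEXITCODE -ne 0) { throw "What $url returned is not a CRL" }
```

If Part 3 fails while Part 2 shows the file in the share, the usual culprits are the CDP extension on the CA pointing at a different host name than the one the IP-HTTPS certificate carries, or the allowDoubleEscaping change having been applied at site level and then overridden by the virtual directory's own web.config.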

5. Complete the DirectAccess setup wizard on LON-SVR2 by performing the following steps:

   Note: This step configures LON-SVR2 as a DirectAccess server.

   a. On LON-SVR2, in Server Manager, on the Tools menu, click Remote Access Management.
   b. In the Remote Access Management console, click Configuration.
   c. On the Enable DirectAccess Wizard, click Next.
   d. Under Select Groups, in the details pane, click Add.
   e. In the Select Group dialog box, type DA_Clients, click OK, and then click Next.
   f. On the Network Topology page, verify that Edge is selected, and verify that 131.107.0.2 is the public name used by clients to connect to the Remote Access server. Click Next.
   g. On the Infrastructure Server Setup page, click Next.
   h. On the Configure Remote Access page, click Next.
   i. On the Summary page, click Finish to apply the DirectAccess settings.
   j. When the configuration is complete, click Close.

   Note: Because the server you are configuring is already a VPN server, you can only use the Getting Started Wizard, which generates a self-signed certificate for DirectAccess communication. The next steps modify the default DirectAccess settings to use the certificates already deployed from the internal certification authority.

   k. In the Remote Access Management console, under Step 2, click Edit.
   l. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.2.
   m. Click Next.
   n. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to authenticate IP-HTTPS connections, and then click Next.
   o. On the Authentication page, select Use computer certificates, click Browse, select Adatum-LON-DC1-CA, click OK, and then click Next.
   p. On the VPN Configuration page, click Finish.
   q. In the Remote Access Setup pane, under Step 3, click Edit.
   r. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended), in the URL of the NLS box, type https://nls.adatum.com, and then click Validate.
   s. Ensure that the URL is validated.
   t. Click Next, and then on the DNS page, examine the values, and then click Next.
   u. On the DNS Suffix Search List page, click Next.
   v. On the Management page, click Finish.
   w. Under Step 4, click Edit. On the DirectAccess Application Server Setup page, click Finish.
   x. Click Finish to apply the changes.
   y. In the Remote Access Review dialog box, click Apply.
   z. Under Applying Remote Access Setup Wizard Settings, click Close.

6. Update Group Policy settings on LON-SVR2 by performing the following steps:
   a. Move the mouse pointer to the lower-right corner and, on the menu bar, click Search, type cmd, and then press Enter.
   b. At the command prompt, type the following commands, pressing Enter after each:
      gpupdate /force
      ipconfig

   Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.

Results: After completing this exercise, you will have configured the DirectAccess infrastructure.

Exercise 2: Configuring the DirectAccess Clients

X Task 1: Configure Group Policy to configure client settings for DirectAccess
1. Switch to LON-SVR3.
2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password Pa$$w0rd. This is to ensure that the LON-SVR3 computer connects to the domain as a member of the DA_Clients security group.
3. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type cmd to open the Command Prompt window.
4. At the command prompt, type the following command and then press Enter:
   gpupdate /force
5. At the command prompt, type the following command, and then press Enter:
   gpresult /R
6. Verify that the DirectAccess Client Settings GPO is displayed in the list of Applied Group Policy Objects for the Computer Settings.

Note: If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, log on as Adatum\Administrator and run the gpresult /R command again.

X Task 2: Verify client computer certificate distribution
1. On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu, type mmc.exe, and then press Enter.
2. Click File and then click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
4. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
5. In the details pane, verify that a certificate with the name LON-SVR3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.

Question: Why did you install a certificate on the client computer?

Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess server.

X Task 3: Verify IP address configuration
1. On LON-SVR3, switch to the Start screen and click the Internet Explorer tile.
2. In the Address bar, type http://lon-svr1.adatum.com/ and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
3. In the Address bar, type https://nls.adatum.com/ and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
4. Leave the Internet Explorer window open.
5. On the taskbar, click Windows Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder appears.
6. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration

X Task 1: Move the client computer to the Internet virtual network

Note: To verify the DirectAccess functionality, you must move the client computer to the Internet.

1. Switch to LON-SVR3.
2. On LON-SVR3, move the mouse pointer to the lower-right end of the screen, click Settings, select Control Panel, and then click Network and Internet.
3. Click Network and Sharing Center.
4. Click Change adapter settings.
5. Right-click Local Area Connection and then click Properties.
6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK.
   IP address: 131.107.0.10
   Subnet mask: 255.255.0.0
   Default gateway: 131.107.0.2
8. In the Local Area Connection Properties dialog box, click OK.
9. In the Network Connections window, right-click Local Area Connection, and then click Disable.
10. In the Network Connections window, right-click Local Area Connection, and then click Enable.
11. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network. Click OK.

X Task 2: Verify connectivity to the DirectAccess server
1. On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu, type cmd, and then press Enter to open the command prompt.
2. At the command prompt, type the following command, and then press Enter:
   ipconfig
3. Notice the IP address that starts with 2002. This is an IP-HTTPS address.
4. At the command prompt, type the following command, and then press Enter:
   netsh namespace show effectivepolicy
5. At the command prompt, type the following command, and then press Enter:
   powershell
6. At the Windows PowerShell command prompt, type the following command, and then press Enter:
   Get-DAClientExperienceConfiguration

Note: Notice the DirectAccess client settings.
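The checks in Task 2 gathered into one PowerShell function, added as an example and not part of the original lab. It reports the IP-HTTPS interface state, the 2002: address, the effective NRPT rules (what netsh namespace show effectivepolicy prints), the IPsec main mode security associations that represent the two DirectAccess tunnels, and whether an internal name resolves through the tunnel. The expected values in the comments follow the lab's configuration (IP-HTTPS to 131.107.0.2, NLS at nls.adatum.com, suffix adatum.com); the property names used for the NRPT rule (Namespace, DirectAccessDnsServers) are those of Get-DnsClientNrptPolicy on Windows Server 2012, and the treatment of an NLS rule with no DirectAccess DNS servers as the NLS exemption is an assumption about how that cmdlet renders the exemption. Run it on LON-SVR3 after it has been moved to the Internet network.

```powershell
# Added example (PowerShell 3.0, run on the DirectAccess client LON-SVR3 while it is on the
# Internet network). Not part of the original lab.
Import-Module NetworkTransition, DnsClient, NetSecurity

function Get-DaClientHealth {
    $ipHttps = Get-NetIPHttpsState                        # interface status and last error
    $addr    = Get-NetIPAddress -AddressFamily IPv6 |
               Where-Object { $_.InterfaceAlias -like '*IPHTTPS*' }
    $nrpt    = Get-DnsClientNrptPolicy -Effective          # rules pushed by the DA client GPO
    $saList  = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    # The NLS must be EXEMPT from the tunnel when the client is on the Internet: if nls.adatum.com
    # resolved and answered, the client would conclude it is inside the corporate network and
    # tear the tunnels down. Assumption: the exemption shows up as a rule with no DA DNS servers.
    $nlsExempt = [bool]($nrpt | Where-Object {
        $_.Namespace -eq 'nls.adatum.com' -and -not $_.DirectAccessDnsServers })

    [pscustomobject]@{
        IpHttpsStatus  = $ipHttps.InterfaceStatus          # expect "IPHTTPS interface active"
        IpHttpsError   = $ipHttps.LastErrorCode            # expect 0x0
        IpHttpsAddress = ($addr.IPAddress -join ', ')      # expect a 2002: prefix, as in the lab
        NrptRules      = ($nrpt | ForEach-Object {
                              "$($_.Namespace) -> $($_.DirectAccessDnsServers -join ',')" }) -join '; '
        NlsExempt      = $nlsExempt                        # expect True on the Internet
        TunnelSAs      = $saList.Count                     # 2 once infrastructure + intranet tunnels are up
        TunnelAuth     = ($saList | ForEach-Object {
                              "$($_.RemoteEndpoint): $($_.LocalFirstId) / $($_.LocalSecondId)" }) -join '; '
        InternalName   = ((Resolve-DnsName lon-svr1.adatum.com -ErrorAction SilentlyContinue).IPAddress -join ', ')
    }
}

Get-DaClientHealth | Format-List
```

TunnelAuth is the same information the Remote Client Status pane on LON-SVR2 shows in Task 3; with computer certificates selected in Task 4 step 5o, the first identity of the infrastructure tunnel comes from the client's machine certificate enrolled in Exercise 2, and the second identity of the intranet tunnel is the logged-on user's Kerberos identity. If InternalName is empty while IpHttpsAddress is populated, the transport is up but name resolution is not going through DNS64, which points at the NRPT rules rather than at the tunnel.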

X Task 3: Verify connectivity to the internal network resources
1. Switch to the Start screen and then click the Internet Explorer tile.
2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
3. Leave the Internet Explorer window open.
4. On the taskbar, click Windows Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder appears.
5. Switch to the Command Prompt window.
6. At the command prompt, type the following command and then press Enter:
   ping lon-dc1.adatum.com
   Verify that you are receiving replies from lon-dc1.adatum.com.
7. At the command prompt, type the following command, and then press Enter:
   gpupdate /force
8. Close all open windows.
9. Switch to LON-SVR2.
10. On the Start screen, click Remote Access Management.
11. In the Console pane, click Remote Client Status.

Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

12. Close all open windows.

Results: After completing this exercise, you will have verified the DirectAccess configuration.

X To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.


Module 7: Implementing Failover Clustering

Lab: Implementing Failover Clustering


Exercise 1: Configuring a Failover Cluster
X Task 1: Connect clients to the iSCSI targets
1. On LON-SVR3, in Server Manager, click Tools, and then click iSCSI Initiator.
2. In the Microsoft iSCSI dialog box, click Yes.
3. Click the Discovery tab.
4. Click Discover Portal.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
6. Click the Targets tab.
7. Click Refresh.
8. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. Click the Discovery tab.
13. Click Discover Portal.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
15. Click the Targets tab.
16. Click Refresh.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 1, and then click Online.
22. Right-click Disk 1, and then click Initialize Disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume label box, type Data. Select the Perform a quick format check box, and then click Next.
28. Click Finish. (Note: If a Microsoft Windows window pops up prompting you to format the disk, click Cancel.)
29. Repeat steps 21 through 28 for Disk 2 and Disk 3, bringing each disk online first. (Note: Use Data2 and Data3 for the volume labels.)
30. Close the Computer Management window.
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
32. Expand Storage, and then click Disk Management.
33. Right-click Disk Management, and then click Refresh.
34. Right-click Disk 1, and then click Online.
35. Right-click Disk 2, and then click Online.
36. Right-click Disk 3, and then click Online.
37. Close the Computer Management window.

X Task 2: Install the Failover Clustering feature
1. On LON-SVR3, if it is not already open, click the Server Manager icon to open Server Manager.
2. Click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that are required for Failover Clustering? window, click Add Features. Click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete (you get the message Installation succeeded on LON-SVRx), click Close.
10. Repeat steps 1 through 9 on LON-SVR4.

X Task 3: Validate the servers for Failover Clustering
1. On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Actions pane of Failover Cluster Manager, click Validate Configuration.
3. In the Validate a Configuration Wizard, click Next.
4. In the Enter Name box, type LON-SVR3, and then click Add.
5. In the Enter Name box, type LON-SVR4.
6. Click Add, and then click Next.
7. Verify that Run all tests (recommended) is selected, and then click Next.
8. On the Confirmation page, click Next.
9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page, click View Report.
10. Verify that all tests completed without errors. Some warnings are expected.
11. Close Internet Explorer.
12. On the Summary page, clear the Create the cluster now using the validated nodes check box, and then click Finish.

X Task 4: Create the Failover Cluster
1. On LON-SVR3, in Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
2. In the Create Cluster Wizard, on the Before You Begin page, read the information.
3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.
4. Verify the entries, and then click Next.
5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.
6. Under Address, type 172.16.0.125, and then click Next.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to Failover Cluster Manager.

Results: After this exercise, you will have installed and configured the Failover Clustering feature.
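Exercise 1 end to end in PowerShell, added as an example and not part of the original lab: both nodes log on to the iSCSI target, one node (and only one) initialises and formats the LUNs, the other brings them online, and the cluster is validated and created. It assumes the lab's portal address, target IQN and cluster IP, and that PowerShell remoting to LON-SVR4 is enabled, which is the Windows Server 2012 default. Run it on LON-SVR3 as Adatum\Administrator.

```powershell
# Added example (PowerShell 3.0, run on LON-SVR3). Not part of the original lab.
Import-Module iSCSI, Storage, FailoverClusters

$nodes  = 'LON-SVR3', 'LON-SVR4'
$portal = '172.16.0.21'
$iqn    = 'iqn.1991-05.com.microsoft:lon-svr1-target1-target'

# 1. Every node logs on to the same target; -IsPersistent is the "Favorite Targets" check box.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service MSiSCSI -StartupType Automatic        # the "start the service?" prompt in the GUI
    Start-Service MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
    Connect-IscsiTarget -NodeAddress $using:iqn -IsPersistent $true -ErrorAction SilentlyContinue | Out-Null
    Update-HostStorageCache
}

# 2. Initialise and format the shared disks from ONE node only. A second node formatting the same
#    LUN would destroy what the first wrote; it only needs to bring the disks online (step 3 below).
$labels = 'Data', 'Data2', 'Data3'                      # volume labels used in the lab
$shared = @(Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | Sort-Object Number)
for ($i = 0; $i -lt $shared.Count; $i++) {
    $disk = $shared[$i]
    $disk | Set-Disk -IsOffline $false
    $disk | Set-Disk -IsReadOnly $false
    if ($disk.PartitionSty -eq 'RAW') {
        $disk | Initialize-Disk -PartitionStyle MBR       # GPT is equally valid for a cluster disk
    }
    $disk | New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$i] -Confirm:$false | Out-Null
}

# 3. The other node just refreshes its view and brings the disks online.
Invoke-Command -ComputerName LON-SVR4 -ScriptBlock {
    Update-HostStorageCache                               # the "Refresh" in Disk Management
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | Set-Disk -IsOffline $false
}

# 4. Validate first. Test-Cluster writes an HTML report; read it before creating the cluster,
#    because New-Cluster will build a configuration the report marks as failed if you let it.
$report = Test-Cluster -Node $nodes
"Validation report: $($report.FullName)"

# 5. Create the cluster. By default all storage that passed validation is added to it.
New-Cluster -Name Cluster1 -Node $nodes -StaticAddress 172.16.0.125 | Out-Null
Get-ClusterNode -Cluster Cluster1 | Format-Table Name, State -AutoSize
Get-ClusterQuorum -Cluster Cluster1   # expect Node and Disk Majority with one iSCSI disk as witness
```

One line above has a deliberate guard the GUI does not give you: the partition-style test before Initialize-Disk means re-running the script against already-initialised LUNs will not wipe them, whereas clicking through Initialize Disk a second time would.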

Exercise 2: Deploying and Configuring a Highly-Available File Server

X Task 1: Add the File Server application to the failover cluster
1. On LON-SVR3, in Server Manager, click Dashboard, and then click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select File Server.
6. Click Next two times.
7. On the Confirmation page, click Install.
8. When the Installation succeeded message appears, click Close.
9. Repeat steps 1-8 on LON-SVR4.
10. On LON-SVR3, in Failover Cluster Manager, expand Cluster1.adatum.com.
11. Expand Storage, and click Disks.
12. Make sure that three disks are present and online (with the names Cluster Disk 1, Cluster Disk 2, and Cluster Disk 3).
13. Right-click Roles, and then select Configure Role.
14. On the Before You Begin page, click Next.
15. On the Select Role page, select File Server, and then click Next.
16. On the File Server Type page, click File Server for general use, and then click Next.
17. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and in the Address box, type 172.16.0.130, and then click Next.
18. On the Select Storage page, click Cluster Disk 2, and then click Next.
19. On the Confirmation page, click Next.
20. On the Summary page, click Finish.

X Task 2: Add a shared folder to a highly-available file server
1. On LON-SVR4, in the Server Manager console, click Tools, and then open Failover Cluster Manager.
2. Expand Cluster1.Adatum.com, and then click Roles.
3. Right-click AdatumFS, and then select Add File Share.
4. In the New Share Wizard, on the Select the profile for this share page, click SMB Share - Quick, and then click Next.
5. On the Select the server and the path for this share page, click Next.
6. On the Specify share name page, in the Share name box, type Docs, and then click Next.
7. On the Configure share settings page, review the available options, and then click Next.
8. On the Specify permissions to control access page, click Next.
9. On the Confirm selections page, click Create.
10. On the View results page, click Close.

X Task 3: Configure failover and failback settings
1. On LON-SVR4, in Failover Cluster Manager, click Roles, right-click AdatumFS, and then click Properties.
2. Click the Failover tab, and then click Allow failback.
3. Click Failback between, and set the values to 4 and 5 hours.
4. Click the General tab.
5. Select both LON-SVR3 and LON-SVR4 as preferred owners.
6. Move LON-SVR4 up.
7. Click OK.

Results: After this exercise, you will have configured a highly-available file server.
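Exercise 2 in PowerShell, added as an example and not part of the original lab: the File Server role service on both nodes, the clustered File Server role on Cluster Disk 2 with its client access point, the Docs share scoped to that access point, and the failback window and preferred-owner order from Task 3. It assumes the lab's names and address, and that the volume the lab labelled Data2 is the one the cluster calls Cluster Disk 2; confirm that under Storage > Disks in Failover Cluster Manager before running it, since the cluster numbers disks in its own order. Run it on LON-SVR3.

```powershell
# Added example (PowerShell 3.0, run on LON-SVR3). Not part of the original lab.
Import-Module FailoverClusters, SmbShare

# 1. The File Server role service must exist on every node that can own the role.
Invoke-Command -ComputerName LON-SVR3, LON-SVR4 -ScriptBlock {
    Install-WindowsFeature -Name FS-FileServer | Out-Null
}

# 2. Clustered File Server for general use: a network name (AdatumFS), an IP resource and the disk.
Add-ClusterFileServerRole -Name AdatumFS -Storage 'Cluster Disk 2' -StaticAddress 172.16.0.130 -Wait 120 | Out-Null
$owner = (Get-ClusterGroup -Name AdatumFS).OwnerNode.Name

# 3. Create the folder on the clustered disk and share it. -ScopeName ties the share to the AdatumFS
#    name, so it moves with the role instead of being bound to one node's own computer name.
Invoke-Command -ComputerName $owner -ScriptBlock {
    $vol  = Get-Volume -FileSystemLabel Data2       # assumption: Data2 is Cluster Disk 2
    $path = "$($vol.DriveLetter):\Docs"
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    # Default share permission is Everyone/Read, the same as the "SMB Share - Quick" profile.
    New-SmbShare -Name Docs -Path $path -ScopeName AdatumFS | Out-Null
}

# 4. Failover and failback: allow failback, but only between 04:00 and 05:00, and prefer LON-SVR4.
$group = Get-ClusterGroup -Name AdatumFS
$group.AutoFailbackType    = 1      # 0 = prevent failback, 1 = allow failback
$group.FailbackWindowStart = 4      # hour of day, 0-23
$group.FailbackWindowEnd   = 5
Set-ClusterOwnerNode -Group AdatumFS -Owners LON-SVR4, LON-SVR3   # list order = preference order

# 5. Verify, including from the client's side of the network name.
Get-ClusterGroup -Name AdatumFS |
    Format-List Name, State, OwnerNode, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd
Get-ClusterOwnerNode -Group AdatumFS
Get-SmbShare -CimSession $owner -Name Docs -ScopeName AdatumFS
Test-Path '\\AdatumFS\Docs'        # True when the share answers on the clustered name
```

The failback window is the setting most often left at the default in production: with AutoFailbackType set to 1 and no window, a flapping preferred node pulls the role back every time it comes up, which is exactly the outage the cluster was supposed to prevent.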

Exercise 3: Validate the Deployment of the Highly-Available File Server

X Task 1: Validate the highly-available file server deployment
1. On LON-DC1, open Windows Explorer, and in the Address bar, type \\AdatumFS\, and then press Enter.
2. Verify that you can access the location and that you can open the Docs folder. Create a test text document inside this folder.
3. On LON-SVR3, open Failover Cluster Manager.
4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS. (Note: You can view the owner in the Owner Node column. It will be either LON-SVR3 or LON-SVR4.)
5. Right-click AdatumFS, click Move, and then click Select Node.
6. In the Move Clustered Role dialog box, click OK.
7. Verify that AdatumFS has moved to a new owner.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.

X Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, in Failover Cluster Manager, click Roles.
2. Verify the current owner of the AdatumFS role. (Note: You can view the owner in the Owner Node column. It will be either LON-SVR3 or LON-SVR4.)
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, select More Actions, and then click Stop Cluster Service. Click Yes when prompted.
5. Verify that AdatumFS has moved to another node. To do this, click the other node and verify that AdatumFS is running.
6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to the LON-SVR3 computer, and in Failover Cluster Manager, right-click the stopped node, select More Actions, and then click Start Cluster Service.
8. Expand Storage, and then click Disks. In the center pane, right-click the disk that is assigned to Disk Witness in Quorum. (Note: You can view this in the Assigned To column.)
9. Click Take Offline, and then click Yes.
10. Switch to LON-DC1 and verify that you can still access the \\AdatumFS\ location. By doing this, you have verified that the cluster keeps running even when the witness disk is offline.
11. Switch to the LON-SVR3 computer, and in Failover Cluster Manager, expand Storage, click Disks, right-click the disk that is in Offline status, and then click Bring Online.

Results: After this exercise, you will have tested the failover scenarios.
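The three scenarios of Exercise 3 (planned move, cluster service stopped on the owner, witness disk offline) as a PowerShell script that checks client access after each one, added as an example and not part of the original lab. Run it from a machine that is not a cluster node, for example LON-DC1 once the Failover Clustering feature, which brings the cmdlets with it, is installed there as in Exercise 4; stopping a node from a session running on that node would take the script's own cluster connection down with it. It assumes the lab's cluster and role names.

```powershell
# Added example (PowerShell 3.0, run from LON-DC1 or another non-node). Not part of the original lab.
Import-Module FailoverClusters
$cl = 'Cluster1'

function Test-AdatumFsAccess {
    # What a user sees: can the share still be listed and written to on the clustered name?
    if (-not (Test-Path '\\AdatumFS\Docs')) { return $false }
    $probe = "\\AdatumFS\Docs\probe-$(Get-Date -Format HHmmss).txt"
    Set-Content -Path $probe -Value 'probe'
    Test-Path $probe
}

function Wait-GroupOnline {
    param([string]$Group, [int]$Seconds = 90)
    $deadline = (Get-Date).AddSeconds($Seconds)
    do {
        $g = Get-ClusterGroup -Cluster $cl -Name $Group
        if ($g.State -eq 'Online') { return $g }
        Start-Sleep -Seconds 3
    } while ((Get-Date) -lt $deadline)
    throw "$Group is still $($g.State) after $Seconds s"
}

# 1. Planned move (the lab's Move > Select Node). Without -Node the group goes to the next
#    preferred owner from the list set in Exercise 2, Task 3.
$before = (Get-ClusterGroup -Cluster $cl -Name AdatumFS).OwnerNode.Name
Move-ClusterGroup -Cluster $cl -Name AdatumFS | Out-Null
$after = (Wait-GroupOnline AdatumFS).OwnerNode.Name
"Planned move: $before -> ${after}; client access: $(Test-AdatumFsAccess)"

# 2. Unplanned failover: stop the cluster service on the current owner, as in Task 2 step 4.
Stop-ClusterNode -Cluster $cl -Name $after | Out-Null
Start-Sleep -Seconds 5
$owner = (Wait-GroupOnline AdatumFS).OwnerNode.Name
"Cluster service stopped on ${after}; AdatumFS now on ${owner}; client access: $(Test-AdatumFsAccess)"
Start-ClusterNode -Cluster $cl -Name $after | Out-Null

# 3. Quorum: two nodes plus a disk witness is three votes, so losing the witness alone keeps
#    a majority and the cluster (and the share) stays up.
$quorum = Get-ClusterQuorum -Cluster $cl
$quorum.QuorumResource | Stop-ClusterResource | Out-Null
"Witness '$($quorum.QuorumResource.Name)' offline ($($quorum.QuorumType)); client access: $(Test-AdatumFsAccess)"
$quorum.QuorumResource | Start-ClusterResource | Out-Null
```

The probe file is the important part: Test-Path alone can succeed against a cached SMB session for a moment after the role has actually gone, whereas a fresh write has to travel to whichever node now owns the disk.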

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


X Task 1: Configure Cluster-Aware Updating
1.

On LON-DC1, in Server Manager, click Add roles and features.

2.

In the Add Roles and Features Wizard, on the Before you begin page, click Next.

3.

On the Select installation type page, click Next.

4.

On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.

5.

On the Select server roles page, click Next.

6.

On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features. Click Next.

7.

On the Confirm installation selections page, click Install.

8.

When installation is complete, click Close.

9.

Switch to LON-SVR3. Open Server Manager, click Tools and then click Windows Firewall with
Advanced Security.

10. In Windows Firewall with Advanced Security window, click Inbound Rules.

Upgrading Your Skills to MCSA Windows Server 2012

MCT USE ONLY. STUDENT USE PROHIBITED

L7-60

11. In the rules list, find the rule Inbound Rule for Remote Shutdown (RPC-EP-In). Right click the rule
and select Enable Rule.

12. In the rules list, find the rule Inbound Rule for Remote Shutdown (TCP-In). Right click the rule and
select Enable Rule.
13. Close Windows Firewall with Advanced Security window.
14. Switch to LON-SVR4 and repeat steps 9 to 13.
15. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.

16. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.
17. In the Cluster Actions pane, click Preview updates for this cluster.

18. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.

Note: An Internet connection is required for this step to complete successfully. Make sure
that MSL-TMG1 server is up and running and that you can access Internet from LON-DC1.

Task 2: Update the failover cluster and configure self-updating
1. On LON-DC1, in the Cluster-Aware Updating console, click Apply updates to this cluster.
2. On the Getting Started page, click Next.
3. On the Advanced options page, review the options for updating, and then click Next.
4. On the Additional Update Options page, click Next.
5. On the Confirmation page, click Update, and then click Close.
6. In the Cluster nodes pane, you can review the progress of the update. (Note: One node of the cluster is in the Waiting state while the other node restarts after it is updated.)
7. Wait until the process is finished. (Note: This may require a restart of both nodes.) The process is finished when both nodes show Succeeded in the Last Run status column.
8. Log on to LON-SVR3 with the username Adatum\Administrator and the password Pa$$w0rd.
9. On LON-SVR3, in Server Manager, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list, select Cluster1. Click Connect.
11. In the Cluster Actions pane, click Configure cluster self-updating options.
12. On the Getting Started page, click Next.
13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered role, with self-updating mode enabled, to this cluster, and then click Next.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM, and then in the Day of the week box, select Sunday. Click Next.
15. On the Advanced Options page, click Next.
16. On the Additional Update Options page, click Next.
17. On the Confirmation page, click Apply.
18. After the clustered role is added successfully, click Close.
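The update preview from Task 1 and the updating run and self-updating schedule from Task 2, driven from PowerShell on LON-DC1, as an added example that is not part of the lab. It assumes the ClusterAwareUpdating module is installed with the Failover Clustering tools and that Cluster1 exists; the start date is chosen here as the first Sunday after the lab's 2012 release.

```powershell
# Added example (not part of the 20417A lab): Cluster-Aware Updating from PowerShell.
Import-Module ClusterAwareUpdating

$cluster = 'Cluster1'

# Task 1, steps 17-18: preview which updates each node would receive. Like the GUI
# preview, this needs the Internet path through MSL-TMG1.
$preview = Invoke-CauScan -ClusterName $cluster
$preview | Format-Table -AutoSize

# Task 2, steps 1-7: one updating run now. MaxFailedNodes 0 aborts the run as soon as a
# node fails to update, and RequireAllNodesOnline refuses to start while a node is down,
# so patching never takes an already degraded cluster further down. EnableFirewallRules
# turns on the Remote Shutdown rules that Task 1, steps 11-12, enabled by hand.
Invoke-CauRun -ClusterName $cluster -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -EnableFirewallRules -Force

# Task 2, steps 8-18: add the CAU clustered role in self-updating mode, weekly on
# Sundays at 4:00 AM (the time of day is taken from StartDate).
Add-CauClusterRole -ClusterName $cluster -Force `
    -DaysOfWeek Sunday -WeeksOfMonth 1, 2, 3, 4, 5 `
    -StartDate (Get-Date '2012-09-02T04:00:00') `
    -MaxFailedNodes 0 -RequireAllNodesOnline -EnableFirewallRules

# Verify: the configured schedule, then the per-node outcome of the last run
# (the PowerShell equivalent of the Last Run status column).
Get-CauClusterRole -ClusterName $cluster
Get-CauReport -ClusterName $cluster -Last -Detailed
```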

Results: After this exercise, you will have configured Cluster-Aware Updating.

To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR3, MSL-TMG1, and 20417A-LON-SVR4.

Module 8: Implementing Hyper-V

Lab: Implementing Server Virtualization with Hyper-V

Exercise 1: Install the Hyper-V Server Role

Task 1: Configure network settings on LON-HOST1 and LON-HOST2
1. Restart the classroom computer, and in the Windows Boot Manager, select either 20417A-LON-HOST1 or 20417A-LON-HOST2. If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server with the Adatum\Administrator account and the password Pa$$w0rd.
3. In Server Manager, click Local Server.
4. In the Properties pane, click the IPv4 address assigned by DHCP link.
5. In the Network Connections dialog box, right-click the network object, and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. On the General tab, click Use the following IP address, and then configure the following:
   o LON-HOST1: 172.16.0.31
   o LON-HOST2: 172.16.0.32
   o Subnet mask: 255.255.0.0
   o Default gateway: 172.16.0.1
8. On the General tab, click Use the following DNS server addresses, and then configure the following:
   o Preferred DNS server: 172.16.0.10
9. Click OK to close the Properties dialog box.
10. Click OK on the Microsoft TCP/IP dialog box.
11. Click Close.
12. Close the Network Connections dialog box.

Task 2: Install the Hyper-V server role
1. In the Server Manager console, on the Manage menu, click Add Roles and Features.
2. On the Before you begin page of the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, select Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, ensure that LON-HOST1.Adatum.com or LON-HOST2.Adatum.com is selected, and then click Next.
5. On the Server Roles page, select Hyper-V.
6. In the Add Roles and Features Wizard dialog box, click Add Features.
7. On the Select Server Roles page of the Add Roles and Features Wizard, click Next.
8. On the Select features page, click Next.
9. On the Hyper-V page, click Next.
10. On the Create Virtual Switches page, verify that no selections have been made, and then click Next.
11. On the Virtual Machine Migration page, click Next.
12. On the Default Stores page, review the location of the Default Stores, and then click Next.
13. On the Confirm Installation Selections page, select Restart the destination server automatically if required.
14. In the Add Roles and Features Wizard dialog box, review the message about automatic restarts, and then click Yes.
15. On the Confirm Installation Selections page, click Install.
16. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will restart several times.

Task 3: Complete Hyper-V role installation and verify settings
1. Log on to LON-HOST1 or LON-HOST2 by using the username Adatum\Administrator and the password Pa$$w0rd.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features Wizard.
3. Click the Tools menu, and then click Hyper-V Manager.
4. In the Hyper-V Manager console, click the Hyper-V host server name (LON-HOST1 or LON-HOST2).
5. In the Actions pane, click Hyper-V Settings.
6. In the Hyper-V Settings dialog box, click the Keyboard item. Verify that the keyboard is set to the Use on the virtual machine option.
7. In the Hyper-V Settings dialog box, click the Virtual Hard Disks item. Verify that the default folder location is configured to use the Virtual Hard Disk folder, and then click OK.

Question: What additional features are required to support the Hyper-V role?
Answer: No additional features are required to support the Hyper-V role.

Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking

Task 1: Configure the external network
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.
3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the following information, and then click OK:
   o Name: Corporate Network
   o External Network: Mapped to the host computer's physical network adapter. This will vary depending on the host computer.
4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.

Task 2: Create a private network
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
2. Under Virtual Switches, select New virtual network switch.
3. Under Create virtual switch, select Private, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
   o Name: Private Network
   o Connection type: Private network

Task 3: Create an internal network
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
2. Under Virtual Switches, select New virtual network switch.
3. Under Create virtual switch, select Internal, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
   o Name: Internal Network
   o Connection type: Internal network

Results: After completing this exercise, you will have configured virtual switch options on a physically deployed Windows Server 2012 server that is running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine

Task 1: Configure virtual machine storage
1. On the taskbar, click Windows Explorer.
2. Click Computer, and then browse to the following location: E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number of drives on the physical host machine.)
3. Verify that the Base12A-WS2012-RC.vhd hard disk image file is present.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click each folder, and then rename the folders as follows:
   a. LON-GUEST1
   b. LON-GUEST2
5. Close Windows Explorer.
6. Switch to Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
   a. Name: LON-GUEST1.vhd
   b. Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
12. On the Configure Disk page, type the location E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then press Enter:

   Import-Module Hyper-V

15. At the PowerShell prompt, type the following command to create a new differencing disk to be used with LON-GUEST2, and then press Enter (the paths contain spaces, so they must be quoted):

   New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

16. Close the PowerShell window.
17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as its parent, and then click Close.

Task 2: Create virtual machines
1. In Hyper-V Manager, on the Actions pane, click New, and then click Virtual Machine.
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the virtual machine in a different location, enter the following values, and then click Next:
   a. Name: LON-GUEST1
   b. Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
4. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select the Use Dynamic Memory for this virtual machine option, and then click Next.
5. On the Configure Networking page of the New Virtual Machine Wizard, choose Private Network, and then click Next.
6. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click Open, and then click Finish.
7. On the taskbar, click the PowerShell icon.
8. At the PowerShell prompt, enter the following command to import the Hyper-V module:

   Import-Module Hyper-V

9. At the PowerShell prompt, enter the following command to create a new virtual machine named LON-GUEST2 (the VHD path contains spaces, so it must be quoted):

   New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

10. Close the PowerShell window.
11. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click Settings.
12. In the Settings for LON-GUEST2 dialog box, click Automatic Start Action, and then set the Automatic Start Action to Nothing.
13. In the Settings for LON-GUEST2 dialog box, click Automatic Stop Action, and then set the Automatic Stop Action to Shut down the guest operating system.
14. Click OK to close the Settings for LON-GUEST2 dialog box.

Task 3: Configure VLANs and network bandwidth settings
1. In the Hyper-V Manager console, on the Actions pane, click Virtual Switch Manager.
2. Click Internal Network.
3. Select the Enable virtual LAN identification for management operating system check box.
4. In the VLAN ID box, type 4, and then click OK.
5. Click LON-GUEST2, and then click Settings.
6. Click Network Adapter.
7. Change the Virtual switch to Internal Network, and then click Enable virtual LAN identification.
8. In the VLAN identifier box, type 4.
9. Expand Network Adapter, click Advanced Features, enable the following options, and then click OK:
   o Enable DHCP guard
   o Enable router advertisement guard

Question: What kind of switch would you create if you added a new physical network adapter to the Hyper-V host and wanted to keep it separate from the existing networks you created during this exercise?
Answer: You should create an external switch. External switches map to external network adapters.

Task 4: Import a virtual machine
1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.
2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.
3. On the Locate Folder page, perform the following task, and then click Next:
   o If you are using LON-HOST1, type the path: E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B
   o If you are using LON-HOST2, enter the path: E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B
4. On the Select Virtual Machine page:
   o If you are using LON-HOST1, select 20417A-LON-DC1-B.
   o If you are using LON-HOST2, select 20417A-LON-SVR1-B.
5. On the Choose Import Type page, select Register the virtual machine in-place (use the existing unique ID), and then click Next.
6. On the Summary page, click Finish.

Task 5: Configure virtual machine dynamic memory
1. In the Hyper-V Manager console, right-click LON-GUEST2, and then click Settings.
2. In the Settings for LON-GUEST2 dialog box, click Memory.
3. On the Memory page, configure the Startup RAM as 1024 MB.
4. On the Memory page, select the Enable Dynamic Memory option.
5. Set the following dynamic memory settings:
   o Minimum RAM: 512 MB
   o Maximum RAM: 2048 MB
6. Click OK to close the Settings for LON-GUEST2 dialog box.
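The LON-GUEST2 configuration from Exercise 3, Tasks 1, 2, 3 and 5, done in PowerShell with a check after each step, as an added example that is not part of the lab. It uses the lab's paths and names and assumes the Private Network and Internal Network switches from Exercise 2 exist; making the parent disk read-only, and the assumption that the management OS adapter carries the Internal Network switch's name, are this example's own.

```powershell
# Added example (not part of the 20417A lab): Exercise 3 for LON-GUEST2 in PowerShell.
Import-Module Hyper-V

$base   = 'E:\Program Files\Microsoft Learning\Base'   # drive letter may differ, as the lab notes
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'
$child  = Join-Path $base 'LON-GUEST2\LON-GUEST2.vhd'
$vmName = 'LON-GUEST2'

# Task 1: a differencing disk stores only blocks that differ from its parent, so any later
# write to the parent silently corrupts every child. Mark the parent read-only first.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true
New-Item -ItemType Directory -Path (Split-Path $child) -Force | Out-Null
New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

# The same check as Inspect Disk (step 19): disk type and parent of the new VHD.
$vhd = Get-VHD -Path $child
if ($vhd.VhdType -ne 'Differencing' -or $vhd.ParentPath -ne $parent) {
    throw "$child is not a differencing disk of $parent"
}

# Task 2: create the VM on the Private Network switch and set the start/stop actions
# (steps 12-13: Nothing on host start, shut down the guest on host stop).
New-VM -Name $vmName -MemoryStartupBytes 1024MB -VHDPath $child -SwitchName 'Private Network' | Out-Null
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Task 5: dynamic memory within the lab's 512 MB to 2048 MB range.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
    -StartupBytes 1024MB -MinimumBytes 512MB -MaximumBytes 2048MB

# Task 3: VLAN 4 on the management OS adapter of the Internal Network switch (assumed to be
# named after the switch), move the guest's adapter to that switch on VLAN 4, and turn on
# DHCP guard and router guard so a compromised guest cannot hand out addresses or IPv6
# router advertisements to its neighbours on the switch.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Internal Network' -Access -VlanId 4
Connect-VMNetworkAdapter -VMName $vmName -SwitchName 'Internal Network'
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId 4
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On

# Verify the way you would audit any host: guard settings and VLAN per adapter.
Get-VMNetworkAdapter -VMName $vmName | Format-Table VMName, SwitchName, DhcpGuard, RouterGuard -AutoSize
Get-VMNetworkAdapterVlan -VMName $vmName
```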

Task 6: Configure and test virtual machine snapshots
1. If you are using LON-HOST1, start and connect to 20417A-LON-DC1-B.
2. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
3. If you are using LON-HOST2, start and connect to 20417A-LON-SVR1-B.
4. Log on to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
5. Minimize the Server Manager console.
6. Right-click the desktop of the virtual machine, click New, and then click Folder. Name the folder Sydney.
7. Repeat step 6, and then create a second folder named Melbourne.
8. Repeat step 6, and then create a third folder named Brisbane.
9. On the Action menu of the Virtual Machine Connection window, click Snapshot.
10. In the Snapshot Name dialog box, in the Name box, type Before Change, and then click Yes.
11. Drag the Sydney folder to the Recycle Bin.
12. Drag the Brisbane folder to the Recycle Bin.
13. Right-click the Recycle Bin, and then click Empty Recycle Bin.
14. In the Delete Multiple Items dialog box, click Yes.
15. On the Action menu of the Virtual Machine Connection window, click Revert.
16. In the Revert Virtual Machine dialog box, click Revert.
17. Verify that the following folders are present on the desktop:
   o Sydney
   o Melbourne
   o Brisbane
18. Delete all three folders from the desktop.

Question: What state must the virtual machine be in to configure dynamic memory when using Windows Server 2008 R2 as a host? How is this different from Windows Server 2012 as a host?
Answer: The virtual machine must be powered off to configure dynamic memory. In Windows Server 2012, you can configure dynamic memory while the virtual machine is powered on.

Results: After completing this exercise, you will have deployed two separate virtual machines by using a sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have imported a specially prepared virtual machine.

To prepare for the next module
When you have finished the lab, leave the virtual machines running, as they are needed for the lab in Module 9.


Module 9: Implementing Failover Clustering with Hyper-V

Lab: Implementing Failover Clustering with Hyper-V

Exercise 1: Configuring Hyper-V Replicas

Task 1: Import the LON-CORE virtual machine on LON-HOST1
1. Log on to LON-HOST1 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON-HOST1, open the Hyper-V Manager console.
3. In the Actions pane, click Import Virtual Machine.
4. On the Before You Begin page of the Import Virtual Machine Wizard, click Next.
5. On the Locate Folder page, click Browse.
6. Browse to the folder E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-CORE. Click Select Folder, and then click Next.

Note: The drive letter may be different based upon the number of drives on the physical host machine.

7. On the Select Virtual Machine page, select 20417A-LON-CORE, and then click Next.
8. On the Choose Import Type page, click Next.
9. On the Summary page, click Finish.

Task 2: Configure a replica on both host machines
1. On LON-HOST2, open the Hyper-V Manager console.
2. In Hyper-V Manager, right-click LON-HOST2, and then select Hyper-V Settings.
3. In Hyper-V Settings for LON-HOST2, click Replication Configuration.
4. In the Replication Configuration pane, click Enable this computer as a Replica server.
5. In the Authentication and ports section, select Use Kerberos (HTTP).
6. In the Authorization and storage section, click Allow replication from any authenticated server, and then click Browse.
7. Click Computer, double-click Local Disk (E), and then click New folder. Type VMReplica for the folder name, and then press Enter. Select the E:\VMReplica\ folder, and then click Select Folder.
8. In Hyper-V Settings for LON-HOST2, click OK.
9. In the Settings window, read the notice, and then click OK.
10. Go to the Start screen, and then click Control Panel.
11. In Control Panel, click System and Security, and then click Windows Firewall.
12. Click Advanced settings.
13. Click Inbound Rules.
14. In the right pane, in the rule list, find the rule Hyper-V Replica HTTP Listener (TCP-In). Right-click the rule, and then click Enable Rule.
15. Close the Windows Firewall with Advanced Security console, and then close Windows Firewall.
16. Repeat steps 1-15 on LON-HOST1.

Task 3: Configure replication for the LON-CORE virtual machine
1. On LON-HOST1, open Hyper-V Manager. Click LON-HOST1, and then right-click 20417A-LON-CORE.
2. Click Enable Replication.
3. On the Before You Begin page, click Next.
4. On the Specify Replica Server page, click Browse.
5. In the Select Computer window, type LON-HOST2, click Check Names, and then click OK. Click Next.
6. On the Specify Connection Parameters page, review the settings, and make sure that Use Kerberos authentication (HTTP) is selected. Click Next.
7. On the Choose Replication VHDs page, make sure that 20410A-LON-CORE.vhd is selected, and then click Next.
8. On the Configure Recovery History page, select Only the latest recovery point, and then click Next.
9. On the Choose Initial Replication Method page, click Send initial copy over the network, select Start replication immediately, and then click Next.
10. On the Completing the Enable Replication wizard page, click Finish.
11. Wait 10-15 minutes. You can monitor the progress of the initial replication in the Status column of the Hyper-V Manager console. When it completes (progress reaches 100%), make sure that 20417A-LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.

Task 4: Validate a planned failover to the replica site
1. On LON-HOST2, in Hyper-V Manager, right-click 20417A-LON-CORE.
2. Select Replication, and then click View Replication Health.
3. Review the content of the window that appears, and make sure that there are no errors.
4. Click Close.
5. On LON-HOST1, open Hyper-V Manager and verify that 20417A-LON-CORE is turned off.
6. Right-click 20417A-LON-CORE, select Replication, and then click Planned Failover.
7. In the Planned Failover window, make sure that the option Start the Replica virtual machine after failover is selected, and then click Fail Over.
8. In the Planned Failover window, click Close.
9. On LON-HOST2, in Hyper-V Manager, make sure that 20417A-LON-CORE is running.
10. On LON-HOST1, right-click 20417A-LON-CORE, point to Replication, and then click Remove replication.
11. In the Remove replication dialog box, click Remove Replication.
12. On LON-HOST2, right-click 20417A-LON-CORE, and then select Shut Down. In the Shut Down Machine dialog box, click Shut Down.
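The replica server, replication and planned failover from Tasks 2 to 4, driven from PowerShell, as an added example that is not part of the lab. It assumes the Hyper-V module on both hosts and the lab's host and VM names; unlike the lab, which allows any authenticated server, it authorizes only LON-HOST1 with an authorization entry whose trust group name (AdatumHosts) is chosen here.

```powershell
# Added example (not part of the 20417A lab): Hyper-V Replica for 20417A-LON-CORE.
# Section A runs on LON-HOST2 (the Replica server); section B runs on LON-HOST1 (primary).
Import-Module Hyper-V
$vm = '20417A-LON-CORE'

# --- A. On LON-HOST2 (Task 2). Kerberos over HTTP/80 authenticates the primary host's
# computer account but does not encrypt the replication traffic; certificate-based
# HTTPS is the choice when the stream crosses an untrusted network. Restricting the
# allowed primary servers is tighter than the lab's "any authenticated server".
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false -DefaultStorageLocation 'E:\VMReplica'
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.Adatum.com' `
    -ReplicaStorageLocation 'E:\VMReplica' -TrustGroup 'AdatumHosts'
# Step 14: the built-in listener rule is disabled by default.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- B. On LON-HOST1 (Task 3): only the latest recovery point, initial copy over the
# network, started immediately.
Enable-VMReplication -VMName $vm -ReplicaServerName 'LON-HOST2.Adatum.com' `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName $vm

# Task 4, steps 1-4: wait for the initial copy, then check health for errors.
do {
    Start-Sleep -Seconds 30
    $state = (Get-VMReplication -VMName $vm).State
} while ($state -eq 'InitialReplicationInProgress')

$health = Measure-VMReplication -VMName $vm
$health | Format-List VMName, State, Health, LastReplicationTime
if ($health.Health -ne 'Normal') { throw "Replication health for $vm is $($health.Health)" }

# Task 4, steps 5-9: planned failover. Prepare on the primary (the VM must be off), then
# fail over and start the VM on the Replica server.
Stop-VM -Name $vm
Start-VMFailover -VMName $vm -Prepare -Confirm:$false
# On LON-HOST2:
#   Start-VMFailover -VMName $vm -Confirm:$false
#   Complete-VMFailover -VMName $vm -Confirm:$false
#   Start-VM -Name $vm
```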

Results: After completing this exercise, you will have configured a Hyper-V Replica.

Exercise 2: Configuring a Failover Cluster for Hyper-V

Task 1: Connect to the iSCSI target from both host machines
1. On LON-HOST1, open Server Manager, click Tools, and then click iSCSI Initiator. At the Microsoft iSCSI prompt, click Yes.
2. Click the Discovery tab.
3. Click Discover Portal.
4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
5. Click the Targets tab.
6. Click Refresh.
7. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
8. Select Add this connection to the list of Favorite Targets, and then click OK.
9. Click OK to close iSCSI Initiator Properties.
10. On LON-HOST2, open Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. Click the Discovery tab.
13. Click Discover Portal.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
15. Click the Targets tab.
16. Click Refresh.
17. In the Discovered targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
18. Select Add this connection to the list of Favorite Targets, and then click OK. Click OK to close iSCSI Initiator Properties.
19. On LON-HOST2, in the Server Manager window, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 2, and then click Online.
22. Right-click Disk 2, and then click Initialize Disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume label box, type ClusterDisk. Select the Perform a quick format check box, and then click Next.
28. Click Finish.
29. Repeat steps 21 through 28 for Disk 3 and Disk 4. In step 27, provide the name ClusterVMs for Disk 3 and Quorum for Disk 4.
30. On LON-HOST1, in Server Manager, click Tools, and then click Computer Management.
31. Expand Storage, and then click Disk Management.
32. Right-click Disk Management, and then click Refresh.
33. Right-click Disk 2, and then click Online.
34. Right-click Disk 3, and then click Online.
35. Right-click Disk 4, and then click Online.

Task 2: Configure failover clustering on both host machines
1. On LON-HOST1, on the taskbar, click the Server Manager icon to open Server Manager.
2. From the Dashboard, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that are required for failover clustering prompt, click Add Features, and then click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete, click Close.
10. Repeat steps 1 through 9 on LON-HOST2.
11. On LON-HOST1, in the Server Manager console, click Tools, and then click Failover Cluster Manager.
12. In Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
13. In the Create Cluster Wizard, on the Before You Begin page, read the information. Click Next.
14. In the Enter server name box, type LON-HOST1, and then click Add. Type LON-HOST2, and then click Add.
15. Verify the entries, and then click Next.
16. On the Validation Warning page, click No. I don't require support from Microsoft for this cluster, and then click Next.
17. On the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
18. Under Address, in the IP address box, type 172.16.0.126, and then click Next.
19. In the Confirmation dialog box, verify the information, clear the Add all eligible storage to the cluster check box, and then click Next.
20. On the Create Cluster Wizard Summary page, click Finish.

Task 3: Configure disks for the failover cluster
1. On LON-HOST1, in the Failover Cluster Manager console, expand VMCluster.Adatum.com, expand Storage, and then right-click Disks.
2. Click Add Disk.
3. In the Add Disks to Cluster dialog box, verify that all disks are selected, and then click OK.
4. Verify that all disks appear available for cluster storage in Failover Cluster Manager.
5. Select the disk that displays the Volume name ClusterVMs. Right-click the ClusterVMs disk, and then select Add to Cluster Shared Volumes.
6. Right-click VMCluster.adatum.com, select More Actions, and then click Configure Cluster Quorum Settings. Click Next.
7. On the Select Quorum Configuration Option page, click Use typical settings, and then click Next.
8. On the Confirmation page, click Next.
9. On the Summary page, click Finish.

Exercise 3: Configuring a Highly Available Virtual Machine

Task 1: Move virtual machine storage to the iSCSI target
Note: Make sure that LON-HOST1 is the owner of the ClusterVMs disk in Failover Cluster Manager. If it is not, move the ClusterVMs resource to LON-HOST1 before performing this procedure.

On LON-HOST1, open Windows Explorer, browse to E:\Program Files\Microsoft Learning\20417\Drives\20410A-LON-CORE\Virtual Hard Disks, and move the 20417A-LON-CORE.vhd virtual hard drive file to the C:\ClusterStorage\Volume1 location.

Task 2: Configure the virtual machine as Highly Available
1. In the Failover Cluster Manager console, click Roles, and then in the Actions pane, click Virtual Machines.
2. Click New Virtual Machine.
3. Select LON-Host2 as the cluster node, and then click OK.
4. In the New Virtual Machine Wizard, click Next.
5. On the Specify Name and Location page, type TestClusterVM for the Name, click Store the virtual machine in a different location, and then click Browse.
6. Browse to and select C:\ClusterStorage\Volume1, and then click Select Folder.
7. Click Next.
8. On the Assign Memory page, type 1536, and then click Next.
9. On the Configure Networking page, select Corporate Network, and then click Next.
10. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click Browse.
11. Locate C:\ClusterStorage\Volume1, select 20417A-LON-CORE.vhd, and then click Open.
12. Click Next, and then click Finish.
13. On the Summary page of the High Availability Wizard, click Finish.
14. Right-click TestClusterVM, and then click Start.
15. Make sure that the machine starts successfully.

Task 3: Perform a Live Migration for the virtual machine
1. Open Failover Cluster Manager on LON-HOST2.
2. Expand VMCluster.Adatum.com, and then click Roles.
3. Right-click TestClusterVM, select Move, select Live Migration, and then click Select Node.
4. Click LON-Host1, and then click OK.
5. Right-click TestClusterVM, and then click Connect.
6. Make sure that you can access and operate the virtual machine while it is migrating to the other host.
7. Wait until the migration is finished.

Task 4: Perform a Storage Migration for the virtual machine
1. On LON-HOST1, open Hyper-V Manager.
2. In the central pane, click LON-GUEST1.
3. In the Actions pane, click Start. Wait until the virtual machine is fully started.
4. Switch back to the Hyper-V Manager console, and in the Actions pane, click Move.
5. On the Before You Begin page, click Next.
6. On the Choose Move Type page, select Move the virtual machine's storage, and then click Next.
7. On the Choose Options for Moving Storage page, select Move all of the virtual machine's data to a single location, and then click Next.
8. On the Choose a new location for virtual machine page, click Browse.
9. Locate C:\, and then create a new folder called Guest1. Click Select Folder.
10. Click Next.
11. On the Summary page, click Finish. Wait for the move process to finish. While the virtual machine is moving, you can connect to it and verify that it is fully operational.
12. Shut down all running virtual machines.

To prepare for the next module
1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
3. Log on to the host machine as directed by your instructor.
4. Repeat steps 1-3 on LON-HOST2.


Module 10: Implementing Dynamic Access Control

Lab: Implementing Dynamic Access Control

Exercise 1: Planning the Dynamic Access Control Implementation and Preparing AD DS for Dynamic Access Control

Task 1: Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements
The scenario requires the following:
1. Folders that belong to the Research department can be accessed and modified only by employees who belong to the Research department.
2. Files classified with the classification High should be accessible only to Managers.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS security group.

Note: You can meet these requirements by implementing claims, resource properties, and file classifications, used together in Dynamic Access Control. To implement this, you should first create appropriate claims for users and devices. The user claim uses department as its source attribute, while the device claim uses description as its source attribute. After that, you should configure a resource property for the Research department. When you have these objects prepared, you should configure Central Access Rules and Central Access Policies to protect resources. At the same time, you should configure file classification for confidential documents. Finally, you should apply the Central Access Policy to the folders where the files for Research and Managers are located.

4. As a solution for users who receive error messages, you should implement Access-Denied Assistance.
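The AD DS objects the planning note describes (claims, resource properties, Central Access Rules and a Central Access Policy), created with the ActiveDirectory module on LON-DC1, as an added example that is not part of the lab. It assumes the ManagersWKS group created in Task 2 and that Department_MS is the ID of the built-in Department resource property; the claim IDs, the Classification property and the rule and policy names are chosen here. Publishing the policy through Group Policy and applying it to the Research and Managers folders remain GUI steps of the later exercises.

```powershell
# Added example (not part of the 20417A lab): Dynamic Access Control objects in PowerShell.
Import-Module ActiveDirectory

# 1. Claim types, as the planning note specifies: the user claim from the 'department'
#    attribute, the device claim from 'description'. Fixed IDs (chosen here) keep the
#    names referenced by the conditional ACEs below predictable.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -AppliesToClasses @('user')
New-ADClaimType -DisplayName 'Description' -SourceAttribute 'description' `
    -ID 'ad://ext/Description' -AppliesToClasses @('computer')

# 2. Resource properties. Enable the built-in Department property (assumed ID Department_MS)
#    and append 'Research' to its suggested values; create a Classification property
#    (chosen here) that carries the High label from requirement 2.
$dept     = Get-ADResourceProperty -Identity 'Department_MS' -Properties SuggestedValues
$research = New-ADSuggestedValueEntry -Value 'Research' -DisplayName 'Research' -Description 'Research department files'
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true -SuggestedValue (@($dept.SuggestedValues) + $research)

$high   = New-ADSuggestedValueEntry -Value 'High'   -DisplayName 'High'   -Description 'Confidential'
$normal = New-ADSuggestedValueEntry -Value 'Normal' -DisplayName 'Normal' -Description 'Not confidential'
New-ADResourceProperty -DisplayName 'Classification' -ID 'Classification_Adatum' `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -IsSecured $true -SuggestedValue $high, $normal

# 3. Central Access Rules. CurrentAcl is SDDL; XA entries are conditional ACEs evaluated
#    against claims at access time. 0x1301bf = Modify, 0x1200a9 = Read and Execute.
$base = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)'

# Requirement 1: Research folders, modify only where the user's department matches the
# department the folder is classified with.
New-ADCentralAccessRule -Name 'Research Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl ($base + '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))') `
    -ProtectedFromAccidentalDeletion $true

# Requirements 2 and 3: High files readable only by Managers, and only from a device in
# ManagersWKS. The device identity is available only with compound authentication, which
# Task 2, step 15, enables on the KDC.
$wksSid = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
New-ADCentralAccessRule -Name 'Confidential Documents Rule' `
    -ResourceCondition '(@RESOURCE.Classification_Adatum == "High")' `
    -CurrentAcl ($base + "(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == `"Managers`") && (Device_Member_of {SID($wksSid)})))") `
    -ProtectedFromAccidentalDeletion $true

# 4. A Central Access Policy bundling both rules. It has no effect until it is published
#    through Group Policy and selected on the target folders.
New-ADCentralAccessPolicy -Name 'Adatum File Policy'
Add-ADCentralAccessPolicyMember -Identity 'Adatum File Policy' -Members 'Research Documents Rule', 'Confidential Documents Rule'

# Verify what was created.
Get-ADClaimType -Filter * | Format-Table DisplayName, SourceAttribute, ID -AutoSize
Get-ADCentralAccessPolicy -Identity 'Adatum File Policy' -Properties Members | Format-List Name, Members
```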

X Task 2: Prepare AD DS to support Dynamic Access Control
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, right-click Adatum.com, select New, and then click Organizational Unit.
3. In the New Object - Organizational Unit window, in the Name field, type Test, and then click OK.
4. Click the Computers container.
5. Press the Ctrl key and click the LON-SVR1, LON-CL1, and LON-CL2 computers. Right-click and select Move.
6. In the Move window, click Test, and then click OK.
7. Close the Active Directory Users and Computers console.
8. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
9. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
10. Right-click the Managers OU and then click Block Inheritance. This is to remove the block inheritance setting used in a later module in the course.
11. Click the Group Policy Objects container.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select Enabled, and in the Options section, click the drop-down list and select Supported. Click OK.
16. Close the Group Policy Management Editor and the Group Policy Management console.
17. Open Windows PowerShell by clicking its icon on the taskbar, type gpupdate /force, and then press Enter. After Group Policy is updated, close Windows PowerShell.
18. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
19. Expand Adatum.com, right-click Users, click New, and then click Group.
20. Type ManagersWKS for the Group name, and then click OK.
21. Click the Test container.
22. Right-click LON-CL1, and then click Properties.
23. Click the Member Of tab, and then click Add.
24. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK again.
25. Click the Managers organizational unit.
26. Right-click Aidan Delaney and select Properties.
27. Click the Organization tab. Make sure that the Department field is populated with the value Managers. Click Cancel.
28. Click the Research organizational unit.
29. Right-click Allie Bellew and select Properties.
30. Click the Organization tab. Make sure that the Department field is populated with the value Research. Click Cancel.

Results: After completing this exercise, you will have a design for Dynamic Access Control and you will have prepared AD DS for Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims

X Task 1: Review the Default Claim Types
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access Control.
3. In the central pane, double-click Claim Types.
4. Verify that there are no default claims defined.
5. In the navigation pane, click Dynamic Access Control, and then double-click Resource Properties.
6. Review the default resource properties.

Note: All properties are disabled by default.

7. In the navigation pane, click Dynamic Access Control, and then double-click Resource Property Lists.
8. In the central pane, right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties section, review the available resource properties.
10. Click Cancel.

X Task 2: Configure Claims for Users
1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
2. Double-click Claim Types.
3. In the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, select department.
5. In the Display name text box, type Company Department.
6. Select both the User and Computer check boxes.
7. Click OK.

X Task 3: Configure Claims for Devices
1. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim Type.
2. In the Create Claim Type window, in the Source Attribute section, select description.
3. Clear the User check box and select the Computer check box.
4. Click OK.

Results: After completing this exercise, you will have configured user and device claims.

Exercise 3: Configuring Resource Properties and File Classifications

X Task 1: Configure Resource Property definitions
1. In the Active Directory Administrative Center, click Dynamic Access Control.
2. In the central pane, double-click Resource Properties.
3. In the Resource Properties list, locate Department.
4. Right-click Department, and then click Enable.
5. In the Resource Properties list, locate Confidentiality.
6. Right-click Confidentiality, and then click Enable.
7. Make sure that both the Department and Confidentiality properties are enabled in the list.
8. Double-click Department.
9. Scroll down to the Suggested Values section, and then click Add.
10. In the Add a suggested value window, type Research in both the Value and Display name text boxes, and then click OK two times.
11. Click Dynamic Access Control, and then double-click Resource Property Lists.
12. In the central pane, double-click Global Resource Property List.
13. Make sure that both Department and Confidentiality appear in the Resource Properties list. If they do not, click Add and add these two properties, and then click OK (or Cancel if you did not make any changes).
14. Close the Active Directory Administrative Center.

X Task 2: Classify files
1. On LON-SVR1, in Server Manager, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next three times.
3. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services (Installed), and select File Server Resource Manager.
4. When prompted, click Add Features.
5. Click Next two times, and then click Install. After the installation finishes, click Close.
6. In Server Manager, click Tools, and then click File Server Resource Manager.
7. In the File Server Resource Manager console, expand Classification Management.
8. Select and then right-click Classification Properties, and then click Refresh.
9. Verify that the Confidentiality and Department properties are in the list.
10. Click Classification Rules.
11. In the Actions pane, click Create Classification Rule.
12. In the Create Classification Rule window, enter Set Confidentiality for the Rule name.
13. Click the Scope tab. Click Add.
14. In the Browse For Folder dialog box, expand Local Disk (C:), select the Docs folder, and then click OK.
15. Click the Classification tab.
16. Make sure that the following settings are set:
o Classification method: Content Classifier
o Property: Confidentiality
o Value: High
17. Click Configure.
18. In the Classification Parameters dialog box, click the Regular expression drop-down list and select String.
19. In the Expression field (next to the word String), type secret.
20. Click OK.
21. Click the Evaluation Type tab. Select Re-evaluate existing property values, and then click Overwrite the existing value.
22. Click OK.
23. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
24. Select Wait for classification to complete, and then click OK.
25. After the classification is complete, you are presented with a report. Verify that two files were classified.

Note: You can see this in the Report Totals section.

26. Close the report.
27. Open Windows Explorer, and browse to the C:\Docs folder.
28. Right-click Doc1.txt and select Properties.
29. Click the Classification tab. Verify that Confidentiality is set to High.
30. Repeat steps 28 and 29 on the files Doc2.txt and Doc3.txt.

Note: Doc2.txt should have the same confidentiality as Doc1.txt, while Doc3.txt should have no value. This is because only Doc1 and Doc2 have the word secret in their content.

X Task 3: Assign properties to folder
1. On LON-SVR1, open Windows Explorer, and browse to Local Disk (C:).
2. Right-click the Research folder, and then click Properties.
3. Click the Classification tab.
4. Click Department.
5. In the Value section, click Research. Click Apply.
6. Click OK.

Results: After this exercise, you will have configured resource properties and file classifications.

Exercise 4: Configuring Central Access Rules and Policies

X Task 1: Configure Central Access Policy Rules
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access Control.
3. Double-click Central Access Rules.
4. In the Tasks pane, click New, and then click Central Access Rule.
5. In the Central Access Rule dialog box, type Department Match for the Name.
6. In the Target Resources section, click Edit.
7. In the Central Access Rule dialog box, click Add a condition.
8. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
9. In the Permissions section, click Use the following permissions as current permissions.
10. In the Permissions section, click Edit.
11. Remove the permission for Administrators.
12. In Advanced Security Settings for Permissions, click Add.
13. In Permission Entry for Permissions, click Select a principal.
14. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click Check Names, and then click OK.
15. In the Basic permissions section, select Modify, Read and Execute, Read, and Write.
16. Click Add a condition.
17. Click the Group drop-down list, and select Company Department.
18. In the Value drop-down list, select Resource.
19. In the last drop-down box, select Department.

Note: As a result, you should have: User-Company Department-Equals-Resource-Department.

20. Click OK three times.
21. In the Tasks pane, click New, and then click Central Access Rule.
22. For the name of the rule, type Access Confidential Docs.
23. In the Target Resources section, click Edit.
24. In the Central Access Rule window, click Add a condition.
25. In the last drop-down box, select High.

Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.

26. Click OK.
27. In the Permissions section, click Use the following permissions as current permissions.
28. In the Permissions section, click Edit.
29. Remove the permission for Administrators.
30. In Advanced Security Settings for Permissions, click Add.
31. In the Permission Entry for Permissions, click Select a principal.
32. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click Check Names, and then click OK.
33. In the Basic permissions section, select Modify, Read and Execute, Read, and Write.
34. Click Add a condition.
35. Set the first condition to: User-Group-Member of each-Value-Managers. Click Add a condition.
36. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS.

Note: If you can't find ManagersWKS in the last drop-down box, click Add items. Then, in the Select User, Computer, Service Account or Group window, type ManagersWKS and click Check Names. Click OK.

37. Click OK three times.

X Task 2: Create Central Access Policy
1. On LON-DC1, in Active Directory Administrative Center, click Dynamic Access Control, and then double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. For the Name, type Protect confidential docs.
4. Click Add.
5. Click the Access Confidential Docs rule, and then click >>.
6. Click OK twice.
7. In the Tasks pane, click New, and then click Central Access Policy.
8. For the Name, type Department Match.
9. Click Add.
10. Click the Department Match rule, and then click >>.
11. Click OK twice.
12. Close the Active Directory Administrative Center.
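The objects built through Active Directory Administrative Center in Exercises 2, 3 (Task 1) and 4 (Tasks 1 and 2) can also be created with the ActiveDirectory module. The script below is an added example, not part of the course lab; it assumes it runs on LON-DC1 as a domain administrator after the Managers and ManagersWKS groups exist, and it chooses the claim IDs ad://ext/CompanyDepartment and ad://ext/DeviceDescription itself (an assumption; the lab lets the console generate them) so that the rule SDDL can reference the user claim by name.

```powershell
# Added example (not from the course): Exercises 2-4 with the ActiveDirectory module.
# Assumes LON-DC1, a domain admin, and existing Managers / ManagersWKS groups.
Import-Module ActiveDirectory

# Exercise 2: a user+device claim sourced from 'department' and a device-only claim
# sourced from 'description'. The IDs are chosen here (an assumption) so the SDDL
# below can reference the claim instead of a console-generated ID.
New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
    -ID 'ad://ext/CompanyDepartment' -AppliesToClasses @('user', 'computer')
New-ADClaimType -DisplayName 'Description' -SourceAttribute 'description' `
    -ID 'ad://ext/DeviceDescription' -AppliesToClasses @('computer')

# Exercise 3, Task 1: enable the built-in Department and Confidentiality resource
# properties, add 'Research' as a suggested Department value, and make sure both
# are on the Global Resource Property List (the list FSRM downloads in Task 2).
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true
$existing = (Get-ADResourceProperty -Identity 'Department_MS').SuggestedValues
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'Research', 'Research', 'Research department')
$values = @($existing | Where-Object { $_ -ne $null }) + @($research)
Set-ADResourceProperty -Identity 'Department_MS' -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department_MS', 'Confidentiality_MS'

# Exercise 4, Task 1: central access rules. The ACL is SDDL: the owner keeps full
# control, Administrators is left out (as in the lab), and Authenticated Users get
# Modify (0x1301bf) through a conditional ACE (XA) that passes only when the
# claim comparison is true.
$modify = '0x1301bf'

# Rule 1: User.Company Department == Resource.Department, scoped to Research folders.
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl ('O:SYG:SYD:AR(A;;FA;;;OW)(XA;;{0};;;AU;(@USER.ad://ext/CompanyDepartment == @RESOURCE.Department_MS))' -f $modify)

# Rule 2: the user must be in Managers AND the device must be in ManagersWKS
# (compound authentication, which is why the KDC policy in Exercise 1 was enabled).
# The built-in Confidentiality property stores the High value as the ordinal 3000.
$managersSid = (Get-ADGroup -Identity 'Managers').SID.Value
$wksSid      = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
$confAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(XA;;{0};;;AU;((Member_of {{SID({1})}}) && (Device_Member_of {{SID({2})}})))' -f $modify, $managersSid, $wksSid
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == 3000)' `
    -CurrentAcl $confAcl

# Exercise 4, Task 2: one central access policy per rule, named as in the lab.
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Review what was built. Publishing the policies through the DAC Policy GPO and
# assigning them to the Docs and Research folders stay in the GUI (Tasks 3 and 4).
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```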

X Task 3: Publish Central Access Policy with Group Policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Under Domains, expand Adatum.com, right-click Test, and then click Create a GPO in this domain, and link it here.
3. Type DAC Policy, and then click OK.
4. Right-click DAC Policy, and then click Edit.
5. Browse to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then right-click Central Access Policy.
6. Click Manage Central Access Policies.
7. Click both Department Match and Protect confidential docs, and then click Add.
8. Click OK.
9. Close the Group Policy Management Editor.
10. Close the Group Policy Management console.

X Task 4: Apply Central Access Policy to resources
1. On LON-SVR1, start Windows PowerShell.
2. Type gpupdate /force and press Enter. Close the Windows PowerShell window.
3. Open Windows Explorer, browse to Drive C, right-click the Docs folder, and select Properties.
4. Click the Security tab.
5. Click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab.
7. Click Change.
8. In the drop-down list, select Protect confidential docs.
9. Click OK two times.
10. Right-click the Research folder and select Properties.
11. Click the Security tab.
12. Click Advanced.
13. In the Advanced Security Settings for Research window, click the Central Policy tab.
14. Click Change.
15. In the drop-down box, select Department Match.
16. Click OK two times.

X Task 5: Configure access denied remediation settings
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
3. Click Group Policy Objects.
4. Right-click DAC Policy and select Edit.
5. Under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Access-Denied Assistance.
6. In the right pane, double-click Customize Message for Access Denied errors.
7. In the Customize Message for Access Denied errors window, click Enabled.
8. In the Display the following message to users who are denied access text box, type: You are denied access because of permission policy. Please request access.
9. Select the Enable users to request assistance check box.
10. Review the other options, do not make any changes, and then click OK.
11. In the right pane of the Group Policy Management Editor, double-click Enable access-denied assistance on client for all file types.
12. Click Enabled, and then click OK.
13. Close the Group Policy Management Editor and close the Group Policy Management console.
14. Switch to LON-SVR1, open Windows PowerShell, type gpupdate /force, and then press Enter.

Results: After completing this exercise, you will have configured central access rules and policies.

Exercise 5: Validating and Remediating Access Control

X Task 1: Verify Dynamic Access Control functionality
1. Log on to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. Click Desktop, and then open Windows Explorer by clicking its icon on the taskbar.
3. In the address bar, type \\LON-SVR1\Docs, and then press Enter.
4. Try to open Doc3. You should be able to open that document.
5. In the address bar of Windows Explorer, type \\LON-SVR1\Research and press Enter.

Note: You should be unable to access the folder.

6. Click Request assistance. Review the options for sending messages, and then click Close.
7. Log off of LON-CL1.
8. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
9. Open Windows Explorer.
10. In the address bar, type \\LON-SVR1\Research and press Enter.

Note: You should be able to access this folder and open the documents inside because Allie is in the Research department.

11. Log off of LON-CL1.
12. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
13. Open Windows Explorer.
14. In the address bar, type \\LON-SVR1\Docs.
15. You should be able to open all files in this folder.
16. Log off of LON-CL1.
17. Log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
18. Open Windows Explorer.
19. In the address bar, type \\LON-SVR1\Docs.

Note: You should be unable to see Doc1 and Doc2, since LON-CL2 is not permitted to view secret documents.

X Task 2: Configure staging for Dynamic Access Policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. Right-click DAC Policy and click Edit.
4. In the Group Policy Management Editor, browse to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies.
5. Select Object Access.
6. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
7. Double-click Audit File System. Select all three check boxes, and then click OK.
8. Close the Group Policy Management Editor and the Group Policy Management console.

X Task 3: Configure staging permissions
1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2. In the navigation pane, click Dynamic Access Control.
3. Double-click Central Access Rules.
4. Right-click Department Match and select Properties.
5. Scroll down to Proposed Permissions.
6. Click Enable permission staging configuration.
7. Click Edit.
8. Click Authenticated Users, and then click Edit.
9. Change the condition to: User-Company Department-Equals-Value-Marketing.
10. Click OK three times.
11. Switch to LON-SVR1 and open Windows PowerShell.
12. Type gpupdate /force and press Enter.
13. Close the Windows PowerShell window.

X Task 4: Verify staging
1. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. Open Windows Explorer, and then in the address bar type \\LON-SVR1\Research. Attempt to open the folder. You will be unsuccessful. Click Close.
3. Switch to LON-SVR1.
4. In Server Manager, click Tools and select Event Viewer.
5. Expand Windows Logs, and then click Security.
6. Look for events with ID 4818.
7. Read the content of these logs.
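Tasks 2 through 4 above (audit settings, proposed permissions, and the 4818 check) can be scripted as well. The block below is an added example, not the course's own material; it assumes the Department Match rule exists with the user claim ID ad://ext/CompanyDepartment (an assumption; the lab lets the console generate the ID), that the rule change runs on LON-DC1, and that the audit commands and event query run on the file server LON-SVR1.

```powershell
# Added example (not from the course): staging a proposed ACL and reading the
# resulting 4818 events. Claim ID ad://ext/CompanyDepartment is an assumption.
Import-Module ActiveDirectory

# Task 3 equivalent (on LON-DC1). A proposed ACL is only evaluated and audited;
# it never grants or denies real access, which is what makes staging safe.
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(XA;;0x1301bf;;;AU;(@USER.ad://ext/CompanyDepartment == "Marketing"))'
Set-ADCentralAccessRule -Identity 'Department Match' -ProposedAcl $proposed

# Task 2 equivalent (on LON-SVR1): the same two subcategories the DAC Policy GPO
# turns on, set in local policy here; success and failure both enabled.
auditpol.exe /set /subcategory:"Central Policy Staging" /success:enable /failure:enable
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Task 4 equivalent: event 4818 is logged when the proposed policy would grant a
# different result than the current one. The Account Name / Object Name labels are
# the standard object-access message layout (assumed here, not verified per build).
function Get-CapStagingEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = if ($m -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            Object  = if ($m -match 'Object Name:\s+(.+)')   { $Matches[1].Trim() } else { '?' }
        }
    }
}

# After Adam's attempt in Task 4, the Research folder should show up here.
Get-CapStagingEvents | Format-Table -AutoSize
```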

X Task 5: Use effective permissions to test Dynamic Access Control
1. On LON-SVR1, open Windows Explorer and locate the C:\Research folder.
2. Right-click the folder and click Properties.
3. Click the Security tab.
4. Click Advanced, and then click Effective Access.
5. Click Select a user.
6. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and then click OK.
7. Click View effective access.
8. Review the results. April should not have any access to this folder.
9. Click Include a user claim.
10. In the drop-down list, select Company Department.
11. In the Value text box, type Research.
12. Click View effective access. April should have access now.
13. Close all windows.

X Task 6: To prepare for the next module
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.

Results: After this exercise, you will have validated Dynamic Access Control functionality.

Module 11: Implementing Active Directory Domain Services

Lab: Implementing AD DS
Exercise 1: Deploying a Read-Only Domain Controller
X Task 1: Add LON-SVR3 as a server to manage
1. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
2. In the Server Manager Dashboard, click Add other servers to manage.
3. In the Add Servers dialog box, in the Name (CN) field, type LON-SVR3, and then click Find Now.
4. Select the LON-SVR3 server in the details pane, and then click the arrow to move it to the Selected pane.
5. Click OK.

X Task 2: Create a new Server Group
1. In the Server Manager Dashboard, click Create a server group.
2. In the Create Server Group dialog box, in the Server group name field, type DCs.
3. Select both LON-SVR3 and LON-DC1, click the arrow to move them to the Selected pane, and then click OK.

X Task 3: Install the RODC role remotely
1. In the Server Manager Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, select LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Domain Services check box, click Add Features in the Add features that are required for Active Directory Domain Services dialog box, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Domain Services page, click Next.
8. On the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install. The installation will take several minutes.
9. When the installation is complete, click Close.
10. In the Server Manager Dashboard, click the notification icon (the flag icon or yellow triangle) on the menu bar.
11. Locate the Post-deployment Configuration task, and then click Promote this server to a domain controller.
12. In the Active Directory Domain Services Configuration Wizard, ensure that Add a domain controller to an existing domain is selected.
13. In the Supply the credentials to perform this operation section, click Change.
14. In the Windows Security dialog box, type Adatum\Administrator in the user name field, and in the password field type Pa$$w0rd.
15. Click OK, and then click Next.
16. On the Domain Controller Options page, select the Read only domain controller (RODC) check box.
17. Type and confirm the Directory Services Restore Mode (DSRM) password as Pa$$w0rd, and then click Next.
18. On the RODC Options page, click Next.

Note: You will configure these options in the next exercise.

19. On the Additional Options page, click Next.
20. On the Paths page, click Next.
21. On the Review Options page, click Next.
22. On the Prerequisites Check page, click Install.

Note: The installation will take several minutes, and LON-SVR3 will automatically restart to complete the promotion.

23. When the promotion is completed, click Close. Note that LON-SVR3 is restarting.

X Task 4: Configure the Password Replication policy and administrative access
1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Users and Computers.
2. Expand Adatum.com, and then click the Domain Controllers OU.
3. In the details pane, right-click LON-SVR3, and then click Properties.
4. In the LON-SVR3 Properties dialog box, click the Password Replication Policy tab.
5. Click Add.
6. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.
7. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Managers, and then click OK.
8. Click the Managed By tab, and then click Change.
9. In the Select User or Group dialog box, type IT, and then click OK.
10. Click OK to close the LON-SVR3 Properties dialog box.

Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a server group, deployed an RODC remotely, and configured the password replication policy and administrative assignments for the RODC.
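The remote deployment in Task 3 and the Password Replication Policy and Managed By settings in Task 4 can be done from Windows PowerShell on LON-DC1 with the ServerManager, ADDSDeployment and ActiveDirectory modules. The script below is an added example, not part of the course; it reuses the lab's names and assumes the site name Default-First-Site-Name (the wizard chooses the site for you, so this is an assumption).

```powershell
# Added example (not from the course): Exercise 1, Tasks 3 and 4, scripted from LON-DC1.
# Assumes the RODC joins the site Default-First-Site-Name (an assumption).
$server = 'LON-SVR3'
$cred   = Get-Credential -UserName 'Adatum\Administrator' -Message 'Promotion credentials'
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM password'

# Task 3, steps 1-9: add the AD DS role on the remote server, restarting if required.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools `
    -ComputerName $server -Restart

# Task 3, steps 10-23: promote it as a read-only replica of Adatum.com.
# Install-ADDSDomainController runs on the target, so it is invoked remotely; the
# credential and DSRM password travel encrypted inside the remoting session.
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {
    param($cred, $dsrm)
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName 'Adatum.com' -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' -Credential $cred `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force
} -ArgumentList $cred, $dsrm

# Task 4: allow Managers' secrets to be cached on the RODC (the allowed PRP list),
# and make IT the Managed By group, which is what grants local admin on an RODC.
Import-Module ActiveDirectory
Add-ADDomainControllerPasswordReplicationPolicy -Identity $server -AllowedList 'Managers'
Set-ADComputer -Identity $server -ManagedBy (Get-ADGroup -Identity 'IT').DistinguishedName

# Verify: Managers should now appear in the allowed list.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $server -Allowed |
    Select-Object Name, ObjectClass
```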

Exercise 2: Troubleshooting Group Policy

X Task 1: Troubleshoot Group Policy issues
1. Log on to LON-CL1 as Brad with the password Pa$$w0rd. Brad is a member of the IT group.
2. At the Start screen, type Control Panel.
3. In the Apps results field, click Control Panel.
4. In Control Panel, under Appearance and Personalization, click Change desktop background.
Question: What is the result?
Answer: A message explains that this feature is disabled.
Question: Is this in line with company policy?
Answer: Yes, this is in line with company policy.
5. Close Control Panel.
6. Point to the lower right corner of the desktop, click the Search charm, and in the Apps search field, type Run.
7. In the Apps results field, click Run.
8. In the Run box, type Regedit, and then click OK.
Question: What is the result?
Answer: A message explains that this feature is disabled.
Question: Is this in line with company policy?
Answer: No, this is against company policy.
9. To close the dialog box, click OK.
10. Point to the lower right corner of the desktop, click the Search charm, and then in the Apps search field, type Command Prompt.
11. In the Apps results field, click Command Prompt.
12. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied in User Settings?
Answer: The Prohibit Desktop Background policy and the Prohibit Registry Tools GPOs are being applied.
Question: Is this in line with company policy?
Answer: No, this is against company policy. The Prohibit Registry Tools policy should not be applied to an IT group user.
13. Sign out of LON-CL1.
14. Log on to LON-CL1 as Bill with the password Pa$$w0rd. Bill is a member of the Managers group.
15. On the Start screen, type Control Panel.
16. In the Apps results field, click Control Panel.
17. In Control Panel, under Appearance and Personalization, click Change desktop background.
Question: What is the result?
Answer: The Desktop Background dialog box appears and provides access to change the desktop background.
Question: Is this in line with company policy?
Answer: No, this is against company policy.
18. Close Control Panel.
19. Point to the lower right corner of the desktop, click the Search charm, and then type Run.
20. In the Apps results field, click Run.
21. In the Run box, type Regedit, and then click OK.
Question: What is the result?
Answer: The Registry Editor application starts.
Question: Is this in line with company policy?
Answer: No, this is against company policy.
22. Close the Registry Editor.
23. Point to the lower right corner of the desktop, click the Search charm, and type Command Prompt in the Apps search field.
24. Click Command Prompt in the Apps results field.
25. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: No GPOs are being applied.
Question: Is this correct?
Answer: No, both GPOs are supposed to be applied.
26. Sign out of LON-CL1.

X Task 2: Correct issues with Group Policy application
1. Log on to LON-DC1 as Administrator with the password Pa$$w0rd.
2. In Server Manager, on the Tools menu, click Group Policy Management.
3. If required, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
Question: What GPOs are linked to the Adatum.com domain?
Answer: Default Domain Policy, Prohibit Registry Tools, and Prohibit Desktop Background. This confirms the policies are linked to the correct container.
Question: What is the current status of the Managers OU?
Answer: The Managers OU has a blue circle with a white exclamation mark. This indicates that inheritance is being blocked. You must remove the inheritance block to resolve the issue with the Managers OU.
4. Right-click the Managers OU and clear the check mark next to Block Inheritance.
Question: How will you ensure that the Prohibit Registry Tools GPO will not be applied to the IT group users?
Answer: There are multiple ways that you could resolve this. For example, you could create a GPO that specifically reverses the Prevent access to registry editing tools setting and link it directly to the IT OU.
5. Expand the Group Policy Objects folder.
6. Click the Prohibit Registry Tools GPO.
7. In the details pane, click the Delegation tab.
8. Click Advanced.
9. In the Prohibit Registry Tools Security Settings dialog box, click Add.
10. In the Select Users, Computers, Service Accounts, or Groups dialog box, type IT, and then click OK.
11. Click the IT (Adatum\IT) group in the Security list.
12. In the Permissions for IT section, locate the Apply Group Policy permission, and then click Deny.
13. Click OK.
14. If the Windows Security dialog box appears, click Yes to acknowledge the message.
15. Close the Group Policy Management console.

X Task 3: Verify policies are being applied
1. Log on to LON-CL1 as Bill with the password Pa$$w0rd.
2. On the Start screen, type Command Prompt.
3. In the Apps results field, click Command Prompt.
4. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: The Prohibit Desktop Background and the Prohibit Registry Tools GPOs.
Question: Is this correct?
Answer: Yes. The system is now in line with the company policy.
5. Sign out of LON-CL1.
6. Log on to LON-CL1 as Brad with the password Pa$$w0rd.
7. On the Start screen, type Command Prompt.
8. In the Apps results field, click Command Prompt.
9. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: The Prohibit Desktop Background GPO is being applied.
Question: What GPOs are being filtered out?
Answer: Prohibit Registry Tools is being denied.
10. Sign out of LON-CL1.

Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues to apply Group Policy, and verify that policies are being applied.

Exercise 3: Implementing Service Accounts in AD DS


X Task 1: Create and associate a Managed Service account
1.

Log on to LON-DC1 as Administrator with a password of Pa$$w0rd.

2.

Right-click Windows PowerShell on the Taskbar and click Run as Administrator.

3.

In the Windows PowerShell command window, type Add-KdsRootKey EffectiveTime ((getdate).addhours(-10)) at the prompt and press Enter.

4.

Type New-ADServiceAccount Name Webservice DNSHostName LON-DC1


PrincipalsAllowedToRetrieveManagedPassword LON-DC1$ and press Enter.

5.

Type Add-ADComputerServiceAccount identity LON-DC1 ServiceAccount Webservice and


press Enter.

6.

Type Get- ADServiceAccount -Filter * and press Enter to verify the account. Note the output of the
command.

7.

Type Install-ADServiceAccount Identity Webservice and press Enter.

8.

Minimize the Windows PowerShell command window.

X Task 2: Configure the Web Server Application Pool to use the Group Managed Service account

1. On LON-DC1, in Server Manager, click the Tools menu and click Internet Information Services (IIS) Manager.

2. In the Internet Information Services (IIS) Manager console, expand LON-DC1 (Adatum\Administrator) and click Application Pools.

3. In the details pane, right-click the DefaultAppPool and click Advanced Settings.

4. In the Advanced Settings dialog box, click Identity and click the ellipsis (...) button.

5. In the Application Pool Identity dialog box, click Custom Account and click Set.

6. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field and click OK three times.

7. In the Actions pane, click Stop to stop the application pool.

8. Click Start to start the application pool.

9. Close the Internet Information Services (IIS) Manager.
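The two tasks of this exercise as one idempotent script, with the checks the GUI steps leave out. This is an added example, not code from the lab; it assumes the lab names (LON-DC1, Webservice, DefaultAppPool, domain Adatum.com) and, as in the lab, that IIS runs on the domain controller.

```powershell
# Added example, not part of the lab: create the gMSA, prove the host can retrieve
# its password, then run the IIS application pool under it.
Import-Module ActiveDirectory
Import-Module WebAdministration

$AccountName = 'Webservice'
$HostName    = 'LON-DC1'
$Domain      = 'Adatum'          # assumption: NetBIOS name of Adatum.com
$AppPool     = 'DefaultAppPool'

# The KDS root key is created once per forest. Backdating its effective time by 10
# hours is a single-DC lab shortcut that skips the replication wait; in production
# omit -EffectiveTime and allow about 10 hours before creating the first gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Create the gMSA if it does not exist. Only the principals listed in
# -PrincipalsAllowedToRetrieveManagedPassword can fetch the password from a DC,
# so scope it to the host computer account rather than to a broad group.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName "${HostName}.${Domain}.com" `
        -PrincipalsAllowedToRetrieveManagedPassword "${HostName}$"
}

# Associate the account with the host, install it locally, and confirm that this
# host can actually retrieve the managed password before IIS depends on it.
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $AccountName
Install-ADServiceAccount -Identity $AccountName
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "$HostName cannot retrieve the password for $AccountName; check the KDS root key and the allowed principals"
}

# Run the application pool as the gMSA. A gMSA is referenced as DOMAIN\name$ and
# has no password to store: identityType 3 (SpecificUser) with an empty password.
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3
    userName     = "$Domain\${AccountName}$"
    password     = ''
}
Restart-WebAppPool -Name $AppPool

# Confirm the pool identity and that no password was written into the IIS configuration.
Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel |
    Select-Object identityType, userName, @{ n = 'PasswordStored'; e = { $_.password -ne '' } }
```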

Results: After completing this exercise, you will have created and associated a managed service account, installed a managed service account on a web server, and verified password change for a managed service account.

Exercise 4: Maintaining AD DS

X Task 1: Create and view Active Directory snapshots

1. Switch to LON-DC1.

2. Move your mouse to the bottom-right corner and click the Search charm.

3. In the Apps search box, type CMD.

4. In the Apps Results for CMD pane, right-click Command Prompt and then click Run as administrator.

5. In the command window, type Ntdsutil and then press Enter.

6. Type Snapshot and then press Enter.

7. Type Activate instance ntds and then press Enter.

8. Type Create and then press Enter.

Note: The GUID that is displayed is important for commands in later tasks. Make note of the GUID or, alternatively, copy it to the clipboard.

9. Mount the snapshot as a new instance of AD DS by running the following command, where {GUID} is the GUID returned by the create snapshot command:

   Mount {GUID}

10. Type Quit twice.


11. Expose the snapshot by typing dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter.

Note: Copy and paste the $snap_datetime value from the output of the previous command. The port number can be any open, unique TCP port. Leave the Command Prompt window open and the command running while you perform the next tasks.

12. In Server Manager, click the Tools menu and then click Active Directory Users and Computers.

13. Expand Adatum.com and then click Research.

14. In the details pane, right-click Allie Bellew and then click Delete. Click Yes to confirm in the message box.

15. Right-click the Active Directory Users and Computers root node and then click Change Domain Controller.

16. Click <Type a Directory Server name[:port] here>, type LON-DC1:50000, and then press Enter.

17. Click OK.

18. Expand Adatum.com and click Research.

Note: Notice that the user Allie Bellew exists in the snapshot because it was taken before the user was deleted.

19. Close Active Directory Users and Computers and close the command window.
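Task 1 driven from an elevated Windows PowerShell prompt on LON-DC1 instead of interactively: take the snapshot, expose it with dsamain, compare one account in the live directory and in the snapshot over plain LDAP, then tear everything down. This is an added example, not code from the lab; it assumes the lab values (LON-DC1, port 50000, the user Allie Bellew) and the `$SNAP_..._VOLUMEC$` mount path format the lab describes.

```powershell
# Added example, not part of the lab: snapshot, expose, compare, clean up.
$Server   = 'LON-DC1'
$LdapPort = 50000
$UserName = 'Allie Bellew'

function Test-UserExistsByLdap {
    # Plain LDAP search; works against the live DC and against a dsamain instance alike.
    param([string]$ServerAndPort, [string]$Name)
    $rootDse  = [ADSI]"LDAP://$ServerAndPort/RootDSE"
    $nc       = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$ServerAndPort/$nc"
    $searcher.Filter     = "(&(objectClass=user)(cn=$Name))"
    return [bool]$searcher.FindOne()
}

# 1. Create and mount the snapshot. ntdsutil takes its subcommands as arguments, so
#    the interactive sequence from steps 5 to 10 can be run non-interactively.
$createOut = ntdsutil 'activate instance ntds' snapshot create quit quit
$guid = [regex]::Match(($createOut -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw 'ntdsutil did not return a snapshot GUID' }
$mountOut = ntdsutil 'activate instance ntds' snapshot "mount $guid" quit quit
# The mount output names the directory the snapshot is exposed under, for example
# C:\$SNAP_201208091200_VOLUMEC$\ (the $snap_datetime path used in step 11).
$mountPath = [regex]::Match(($mountOut -join ' '), 'C:\\\$SNAP_\S+?VOLUMEC\$').Value
if (-not $mountPath) { throw 'could not find the snapshot mount path in the ntdsutil output' }

# 2. Expose the snapshot copy of ntds.dit as a read-only LDAP instance.
$dsamain = Start-Process dsamain.exe -PassThru -ArgumentList @(
    '-dbpath', "$mountPath\Windows\NTDS\ntds.dit", '-ldapport', "$LdapPort")
Start-Sleep -Seconds 15   # give the instance time to start listening

try {
    # 3. Same query against both instances. An account present only in the snapshot
    #    was deleted after the snapshot was taken (step 14 in the lab).
    $inLive = Test-UserExistsByLdap -ServerAndPort $Server -Name $UserName
    $inSnap = Test-UserExistsByLdap -ServerAndPort "${Server}:$LdapPort" -Name $UserName
    [pscustomobject]@{
        User             = $UserName
        InLiveDirectory  = $inLive
        InSnapshot       = $inSnap
        DeletedSinceSnap = $inSnap -and -not $inLive
    }
}
finally {
    # 4. Stop dsamain, then unmount and delete the snapshot: the mounted directory is
    #    a full copy of the domain database and should not be left on disk.
    Stop-Process -Id $dsamain.Id -Force
    ntdsutil 'activate instance ntds' snapshot "unmount $guid" "delete $guid" quit quit | Out-Null
}
```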


X Task 2: Enable the Active Directory recycle bin

1. In Server Manager, on the Tools menu, click Active Directory Administrative Center.

2. In the navigation pane, click Adatum (local).

3. In the Tasks pane, click Enable Recycle Bin.

4. In the Enable Recycle Bin Confirmation dialog box, click OK.

5. In the Active Directory Administrative Center dialog box, click OK.

6. On the menu bar, click the Refresh icon.

Note: Notice that a Deleted Objects container now appears.

X Task 3: Delete a test user

1. In the center pane, double-click the Managers OU.

2. Ensure that the Aidan Delaney user account is selected, and then in the Tasks pane, click Delete.

3. In the Delete Confirmation dialog box, click Yes.

4. Click Adatum (local) in the navigation pane to return to the main tree.

X Task 4: Restore the deleted user

1. In the center pane, double-click the Deleted Objects folder.

2. In the Tasks pane, click Restore. In the navigation pane under Adatum (local), click Managers.

Note: The Aidan Delaney account is restored.
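Tasks 2 to 4 with the Active Directory module, so the same enable, delete and restore sequence can be scripted and verified. This is an added example, not code from the lab; it assumes the lab forest Adatum.com and the user Aidan Delaney, and needs Enterprise Admins rights for the first step.

```powershell
# Added example, not part of the lab: enable the Recycle Bin, delete a test user, and
# restore it from Deleted Objects to its original container.
Import-Module ActiveDirectory

$Forest      = 'Adatum.com'
$DisplayName = 'Aidan Delaney'

# Enable the Recycle Bin once per forest. This cannot be undone. Without it a deleted
# object is only a tombstone with most attributes stripped and cannot be fully restored.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# Delete the test user but keep its GUID: the GUID survives deletion and is the
# reliable way to find the object again (the RDN is rewritten to "<name>\0ADEL:<guid>").
$user = Get-ADUser -Filter "Name -eq '$DisplayName'"
if (-not $user) { throw "$DisplayName not found" }
$guid = $user.ObjectGUID
Remove-ADUser -Identity $user -Confirm:$false

# Deleted objects are only returned when -IncludeDeletedObjects is given.
$deleted = Get-ADObject -Identity $guid -IncludeDeletedObjects `
    -Properties isDeleted, lastKnownParent, whenChanged
if (-not $deleted.isDeleted) { throw 'object is not in the Deleted Objects container' }
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore to lastKnownParent, which is what the Restore task in Active Directory
# Administrative Center does, then verify the account is back in the Managers OU.
Restore-ADObject -Identity $guid
Get-ADUser -Identity $guid | Select-Object Name, DistinguishedName, Enabled
```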

X Task 5: To prepare for the next module

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-CL1 and 20417A-LON-SVR3.

Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.


Module 12: Implementing Active Directory Federation Services

Lab: Implementing AD FS
Exercise 1: Configuring AD FS Prerequisites
X Task 1: Configure DNS forwarders

1. On LON-DC1, in Server Manager, click Tools, and then click DNS.

2. Expand LON-DC1, and click Conditional Forwarders.

3. Right-click Conditional Forwarders, and click New Conditional Forwarder.

4. In the DNS Domain box, type TreyResearch.com.

5. Click in the IP address column, and then type 172.16.10.10. Press Enter, and then click OK.

6. Close the DNS Manager.

7. On MUN-DC1, in Server Manager, click Tools, and then click DNS.

8. Expand MUN-DC1, and then click Conditional Forwarders.

9. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

10. In the DNS Domain box, type Adatum.com.

11. Click in the IP address column, and then type 172.16.0.10. Press Enter, and then click OK.

12. Close the DNS Manager.

X Task 2: Exchange root certificates to enable certificate trusts

1. On LON-DC1, access the Search page.

2. In the Search box, type \\MUN-DC1.treyresearch.com\certenroll, and then press Enter.

3. In the CertEnroll window, right-click the MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt file, and then click Copy.

4. In the left pane, click Documents, and then paste the file into the Documents folder.

5. Open a Windows PowerShell command prompt, type MMC, and then press Enter.

6. In the Console1 window, click File, and click Add/Remove Snap-in.

7. Click Group Policy Management Editor, and then click Add.

8. In Select Group Policy Object, click Browse.

9. Click Default Domain Policy, and then click OK.

10. Click Finish, and then click OK.

11. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.

12. Right-click Trusted Root Certification Authorities, and then click Import.

13. On the Welcome to the Certificate Import Wizard page, click Next.

14. On the File to Import page, click Browse.

15. In the Open window, click MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt, click Open, and then click Next.

16. On the Certificate Store page, verify that Place all certificates in the following store is selected, verify that the Trusted Root Certification Authorities store is listed, and then click Next.

17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.

18. Close the Group Policy Management Editor without saving changes.

19. On MUN-DC1, access the Search page.

20. In the Search box, type \\LON-DC1.adatum.com\certenroll, and then press Enter.


21. In the CertEnroll window, right-click the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt file, and then click Copy.

22. In the left pane, click Documents, and then paste the file into the Documents folder.

23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.

24. In the Console1 window, click File, and then click Add/Remove Snap-in.

25. Click Certificates, and click Add.

26. Click Computer Account, and then click Next.

27. Verify that Local computer is selected, click Finish, and then click OK.

28. Expand Certificates, and then click Trusted Root Certification Authorities.

29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.

30. On the Welcome to the Certificate Import Wizard page, click Next.

31. On the File to Import page, click Browse.

32. In the Open window, click LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt, click Open, and then click Next.

33. On the Certificate Store page, verify that Place all certificates in the following store is selected, verify that the Trusted Root Certification Authorities store is listed, and then click Next.

34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.

35. Close Console1 without saving changes.
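Tasks 1 and 2 scripted on LON-DC1 for the Trey Research side (the mirror image applies on MUN-DC1 for Adatum). This is an added example, not code from the lab; it assumes the lab values (TreyResearch.com, 172.16.10.10, the CertEnroll share) and uses a placeholder for the partner CA thumbprint, which you obtain from Trey Research out of band: a root imported into Trusted Root Certification Authorities becomes a trust anchor for the whole domain, and a file on a share is not proof of which CA it came from.

```powershell
# Added example, not part of the lab: conditional forwarder plus a pinned import of
# the partner root CA certificate.
Import-Module DnsServer
Import-Module PKI

$PartnerZone     = 'TreyResearch.com'
$PartnerDns      = '172.16.10.10'
$PartnerCertPath = '\\MUN-DC1.treyresearch.com\certenroll\MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1-CA.crt'
$ExpectedThumb   = '<SHA1-THUMBPRINT-AGREED-WITH-TREY-RESEARCH>'   # placeholder, not a real value

# Task 1: create the conditional forwarder only if the zone is not already defined.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDns
}
# Prove that forwarding works before the certificate step depends on it.
Resolve-DnsName -Name "mun-dc1.$PartnerZone" -Server 127.0.0.1 -ErrorAction Stop | Out-Null

function Import-PinnedRootCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $expected = $ExpectedThumbprint.Replace(' ', '').Replace(':', '').ToUpper()
    # Refuse to create a trust anchor whose fingerprint does not match the agreed value.
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for '$($cert.Subject)': got $($cert.Thumbprint), expected $expected"
    }
    # A root CA certificate is self-signed; anything else belongs in a different store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "'$($cert.Subject)' is not self-signed and is therefore not a root CA certificate"
    }
    # Task 2 imports the root into the Default Domain Policy so every domain member
    # trusts it; Import-Certificate here affects only this machine's store.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}

Import-PinnedRootCertificate -Path $PartnerCertPath -ExpectedThumbprint $ExpectedThumb
```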

X Task 3: Request and install a certificate for the web server

1. On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message.

3. In the middle pane, double-click Server Certificates.

4. In the Actions pane, click Create Domain Certificate.

5. On the Distinguished Name Properties page, enter the settings as listed below, and then click Next:

   o Common name: LON-SVR1.adatum.com
   o Organization: A. Datum
   o Organization unit: IT
   o City/locality: London
   o State/province: England
   o Country/region: GB


6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a CA server in the domain.

7. Select Adatum-LON-DC1-CA, and then click OK.

8. In Friendly name, type LON-SVR1.adatum.com, and then click Finish.

X Task 4: Bind the certificate to the claims aware application on the web server and verify application access

1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site, and then in the Actions pane, click Bindings.

2. In the Site Bindings dialog box, click Add.

3. In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is selected.

4. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.

5. Click Close, and then close Internet Information Services (IIS) Manager.

6. On LON-DC1, open Internet Explorer.

7. Connect to https://lon-svr1.adatum.com/adatumtestapp.

8. Verify that you can connect to the site, but that you receive a 401 access denied error. This is expected because you have not yet configured AD FS for authentication.

9. Close Internet Explorer.

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS

X Task 1: Install and configure AD FS 2.0

1. On LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.

2. On the Before you begin page, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box, click Add Features, and then click Next.

6. On the Select features page, click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.

8. On the Select role services page, click Next.

9. On the Confirm installation selections page, click Install, and then wait for the installation to finish. Do not close the window.


X Task 2: Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard

1. On the Installation progress page, click Run the AD FS Management snap-in.

2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.

3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click Next.

4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and then click Next.

5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is LON-DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com. Click Next.

6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and then click Next.

7. Wait for the configuration to finish, and then click Close.

X Task 3: Verify that FederationMetaData.xml is present and contains valid data

1. Log on to the LON-CL1 virtual machine as Adatum\Brad using the password Pa$$w0rd.

2. Click the Desktop tile, and then open Internet Explorer.

3. Click the Settings icon in the top-right corner, and then click Internet options.

4. On the Security tab, click Local intranet.

5. Click Sites, and then clear the Automatically detect intranet network check box.

6. Click Advanced, and in the Add this website to the zone box, type https://lon-dc1.adatum.com, and then click Add.

7. Type https://lon-svr1.adatum.com, click Add, and then click Close.

8. Click OK twice.

9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

10. Verify that the XML file opens successfully, and then scroll through its contents.

11. Close Internet Explorer.
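Rather than scrolling through the metadata in a browser, this pulls federationmetadata.xml and summarises the parts a relying party will actually trust: the entity ID, the passive endpoints, whether the document is signed, and the thumbprints of the token-signing certificates. This is an added example, not code from the lab; it assumes the lab URL https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

```powershell
# Added example, not part of the lab: parse WS-Federation metadata and report the
# token-signing certificates it publishes.
$MetadataUrl = 'https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml'

function Get-FederationMetadataSummary {
    param([string]$Url)
    # XmlDocument.Load fetches over HTTPS and validates the server certificate, so a
    # failure here usually means the certificate chain from Exercise 1 is not trusted.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Url)
    $ns = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')

    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'document is not SAML/WS-Federation metadata' }

    # Token-signing certificates are published base64-encoded under KeyDescriptor
    # use="signing". Their thumbprints are what relying parties pin; after the primary
    # token-signing certificate is changed (Exercise 3, Task 1) this list changes too.
    $signing = $xml.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.InnerText.Trim())
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
            [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
        } | Sort-Object Thumbprint -Unique

    [pscustomobject]@{
        EntityID         = $entity.GetAttribute('entityID')
        MetadataSigned   = [bool]$xml.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)
        PassiveEndpoints = @($xml.SelectNodes('//fed:PassiveRequestorEndpoint//*[local-name()="Address"]', $ns) |
                             ForEach-Object { $_.InnerText })
        SigningCerts     = @($signing)
    }
}

$summary = Get-FederationMetadataSummary -Url $MetadataUrl
$summary | Format-List
$summary.SigningCerts | Format-Table -AutoSize

# Checks worth failing on: no signing certificate at all, or one that has already expired.
if ($summary.SigningCerts.Count -eq 0) { throw 'metadata publishes no token-signing certificate' }
$summary.SigningCerts | Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "expired token-signing certificate: $($_.Thumbprint)" }
```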

Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful installation by viewing the contents of FederationMetadata.xml.

Exercise 3: Configure AD FS for a Single Organization

X Task 1: Configure a Token Signing Certificate for LON-DC1.Adatum.com

1. On the LON-DC1 virtual machine, in Server Manager, click Tools, and then click Windows PowerShell.

2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press Enter. This step is required so that you can modify the certificates that AD FS uses.

3. Close the Windows PowerShell window.


4. Click Tools, and click AD FS Management.

5. In the AD FS console, in the left pane, expand Service, and then click Certificates.

6. Right-click Certificates, and then click Add Token-Signing Certificate.

7. In the Select a token signing certificate dialog box, click LON-DC1.Adatum.com, and then click OK.

8. In the AD FS Management warning, click OK.

Note: Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is listed under the Subject when you add the certificate, delete the certificate, and then add the next certificate in the list.

9. Right-click the newly added certificate, and then click Set as Primary. Note the warning message, and then click Yes.

10. Select the certificate that has just been superseded, right-click the certificate, and then click Delete. Click Yes to confirm the deletion.

X Task 2: Configure the Active Directory Claims Provider Trust

1. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.

3. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.

4. The Add Transform Claim Rule Wizard appears.

5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.

6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.

7. In the Attribute store drop-down list, select Active Directory.

8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for the LDAP Attribute and the Outgoing Claim Type:

   E-Mail-Addresses = E-Mail Address
   User-Principal-Name = UPN
   Display-Name = Name

9. Click Finish, and then click OK.

X Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility

1. On LON-SVR1, go to the Start screen, and then click Windows Identity Foundation Federation Utility.

2. On the Welcome to the Federation Utility wizard page, in Application configuration location, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of the WIF sample application.

3. In Application URI, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next to continue.


4. On the Security Token Service page, select Use an existing STS, type https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS WS-Federation metadata document location, and then click Next to continue. In the warning, click Yes.

5. On the Security token encryption page, select No encryption, and then click Next.

6. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.

7. On the Summary page, review the changes that will be made to the sample application by the Federation Utility Wizard, scroll through the items to understand what each item is doing, and then click Finish.

8. Click OK.

X Task 4: Configure a relying party trust for the claims aware application

1. On LON-DC1, in the AD FS Management console, click AD FS.

2. In the middle pane, click Required: Add a trusted relying party.

3. On the Welcome page of the Add Relying Party Trust Wizard, click Start.

4. On the Select Data Source page, select Import data about the relying party published online or on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.

5. Click Next to continue.

Note: This action prompts the wizard to check for the metadata of the application that the web server role hosts.

6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then click Next.

7. On the Choose Issuance Authorization Rules page, ensure that Permit all users to access this relying party is selected, and then click Next.

8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.

9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.

X Task 5: Configure claim rules for the relying party trust

1. In the Edit Claim Rules for WIF Sample Claims App window, on the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard opens.

2. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

Note: This action passes an incoming claim through to the user by means of Windows Integrated Authentication.

3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name rule. In the Incoming claim type drop-down list, select Windows account name, and then click Finish.

4. Click Add Rule.


5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the Incoming claim type drop-down list, select E-mail Address, and then click Finish.

7. Click Add Rule.

8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming claim type drop-down list, select UPN, and then click Finish.

10. Click Add Rule.

11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming claim type drop-down list, select Name, and then click Finish.

13. Click Apply, and then click OK.

X Task 6: Test the access to the claims aware application

1. On LON-CL1, open Internet Explorer.

2. Connect to https://lon-svr1.adatum.com/AdatumTestApp/.

Note: Ensure that you type the trailing /.

3. If you are prompted for credentials, type Adatum\Brad with the password Pa$$w0rd, and then press Enter. The page renders, and you see the claims that were processed to allow access to the web site.

Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.

Exercise 4: Configure AD FS for Federated Business Partners

X Task 1: Add a claims provider trust for the TreyResearch.com AD FS server

1. On LON-DC1, if required, in Server Manager, click Tools, and click AD FS Management.

2. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

3. In the Actions pane, click Add Claims Provider Trust.

4. On the Welcome page, click Start.

5. On the Select Data Source page, select Import data about the claims provider published online or on a local network, type https://mun-dc1.treyresearch.com, and then click Next.

6. On the Specify Display Name page, click Next.

7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration.


8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for mun-dc1.treyresearch.com window appears.

9. On the Acceptance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.

11. In the Claim rule name box, type Pass through Windows account name rule.

12. In the Incoming claim type drop-down list, select Windows account name.

13. Select Pass through all claim values, and then click Finish. Click Yes.

14. Click OK, and then close the AD FS console.

15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.

16. At the prompt, type the following command, and then press Enter:

   Set-ADFSClaimsProviderTrust -TargetName mun-dc1.treyresearch.com -SigningCertificateRevocationCheck None

17. Close the Windows PowerShell window.

X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum's claims aware application


1. On MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.

2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.

3. On the Welcome page, click Start.

4. On the Select Data Source page, select Import data about the relying party published online or on a local network, type https://lon-dc1.adatum.com, and then click Next.

5. On the Specify Display Name page, in the Display name box, type Adatum TestApp, and then click Next.

6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.

8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for Adatum TestApp window appears.

9. On the Issuance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.

11. In the Claim rule name box, type Pass through Windows account name rule.

12. In the Incoming claim type drop-down list, select Windows account name.

13. Select Pass through all claim values, and then click Finish.

14. Click OK, and then close the AD FS console.

X Task 3: Verify access to the A. Datum Test Application for Trey Research users

1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.

Note: The logon process has changed, and you must now select an authority that can authorize and validate the access request. The Home Realm Discovery page (the Sign In page) appears, and you must select an authority.


2. On the Sign In page, select mun-dc1.treyresearch.com, and then click Continue to Sign in.

3. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then press Enter. You should be able to access the application.

4. Close Internet Explorer.

5. Open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/ again.

6. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then press Enter. You should be able to access the application.

7. Close Internet Explorer.

Note: You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party Federation Server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, delete that cookie after each logon attempt to return to a clean state.

X Task 4: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group

1. On MUN-DC1, in the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.

2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.

3. In the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click Add Rule.

4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim, and then click Next.

5. On the Configure Rule page, in Claim rule name, type Permit Production Group Rule.

6. Beside User's group, click Browse, type Production, and click OK.

7. Under Outgoing claim type, click Group.

8. Under Outgoing claim value, type Production, click Finish, and then click OK.

9. On LON-DC1, if required, open the AD FS Management console.

10. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.

11. Select mun-dc1.treyresearch.com, and in the Actions pane, click Edit Claim Rules.

12. On the Acceptance Transform Rules tab, click Add Rule.

13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.

15. In the Incoming claim type drop-down list, click Group, and click Finish. Click Yes, and then click OK.

16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.


17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
18. On the Issuance Transform Rules tab, click Add Rule.


19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.

20. Under Claim rule name, type Send TreyResearch Group Name Rule.

21. In the Incoming claim type drop-down list, click Group. Click Finish.

22. In the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab, select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With no rules, no users are permitted access.

23. On the Issuance Authorization Rules tab, click Add Rule.

24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.

25. On the Configure Rule page, in Claim rule name, type Permit TreyResearch Production Group Rule. In the Incoming claim type drop-down list, select Group. In Incoming claim value, type Production, select the option to Permit access to users with this incoming claim, and then click Finish.

26. On the Issuance Authorization Rules tab, click Add Rule.

27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.

28. On the Configure Rule page, in Claim rule name, type Temp. In the Incoming claim type drop-down list, select UPN. In Incoming claim value, type @adatum.com, select the option to Permit access to users with this incoming claim, and then click Finish.

29. Click the Temp rule, and click Edit Rule.

30. In the Edit Rule - Temp dialog box, click View Rule Language.

31. Press Ctrl+C to copy the rule language to the clipboard. Click OK.

32. Click Cancel.

33. Click the Temp rule, click Remove Rule, and then click Yes.

34. On the Issuance Authorization Rules tab, click Add Rule.

35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.

36. On the Configure Rule page, type ADatum User Access Rule as the Claim rule name.

37. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit the Value expression in the first condition to match the following text, and then click Finish:

   c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Note: This rule permits access to anyone who presents a UPN claim whose value ends in @adatum.com. The Value expression in the first condition is the regular expression that the claim value must match: ^ anchors the match at the beginning of the string, (?i) makes the match case insensitive, .+ matches one or more characters, and $ anchors the match at the end of the string.

38. Click OK to close the property page and save the changes to the relying party trust.
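The two issuance authorization rules from this task applied to the Adatum relying party trust with the AD FS cmdlets on LON-DC1, preceded by a local test of the UPN regular expression against constructed sample values so the pattern is understood before it gates access. This is an added example, not code from the lab; it assumes the lab display name ADatum Test App and the Production claim value, and the Group claim type URI http://schemas.xmlsoap.org/claims/Group that the Permit or Deny Users wizard emits.

```powershell
# Added example, not part of the lab: test the UPN rule regex, then replace the relying
# party's authorization rules with the two rules built in steps 22 to 37.
Import-Module ADFS

$RelyingParty = 'ADatum Test App'
$UpnPattern   = '^(?i).+@adatum\.com$'

# Claim rule regexes are .NET regular expressions, so the pattern can be checked
# locally. Sample UPNs below are constructed for this example.
function Test-UpnRule {
    param([string]$Pattern, [string[]]$Upns)
    foreach ($u in $Upns) {
        [pscustomobject]@{ UPN = $u; Permitted = [regex]::IsMatch($u, $Pattern) }
    }
}
Test-UpnRule -Pattern $UpnPattern -Upns @(
    'brad@adatum.com',           # permitted
    'BRAD@ADATUM.COM',           # permitted: (?i) makes the match case insensitive
    'april@treyresearch.com',    # denied: different suffix
    'brad@adatumXcom',           # denied only because the dot is escaped as \.
    'brad@adatum.com.example'    # denied: $ anchors the suffix at the end of the string
) | Format-Table -AutoSize

# Both rules in AD FS claim rule language. The first permits anyone carrying a Group
# claim with value Production (issued by Trey Research and passed through on the
# claims provider trust); the second permits any UPN ending in @adatum.com. A request
# matching neither permit rule is denied, which is why the default Permit Access to
# All Users rule was removed in step 22.
$AuthorizationRules = @'
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Production"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleName = "ADatum User Access Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Set-ADFSRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $AuthorizationRules

# Show the rules now in effect for the trust.
(Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```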

X Task 5: Verify restrictions and accessibility to the claims aware application


1. On MUN-DC1, open Internet Explorer, and then connect to https://lon-svr1.adatum.com/adatumtestapp/.

2. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then press Enter.

Note: April is not a member of the Production group, so she should not be able to access the application.

3. Close Internet Explorer.

4. Open Internet Explorer, click the Settings icon in the top-right corner, and then click Internet options.

5. Under Browsing history, click Delete, click Delete again, and then click OK.

6. Connect to https://lon-svr1.adatum.com/adatumtestapp/.

7. Select mun-dc1.treyresearch.com on the Sign In page, and then click Continue to Sign in.

8. When prompted for credentials, type TreyResearch\Morgan with the password Pa$$w0rd, and then press Enter.

Note: Morgan is a member of the Production group, so she should be able to access the application.

9. Close Internet Explorer.

X Task 6: To shut down the virtual machines

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20417A-MUN-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417A-LON-CL1, 20417A-LON-SVR1 and 20417A-LON-DC1.

Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claims-aware application. Then you configured the application to restrict access from TreyResearch.com to specific groups, and you verified appropriate access.
