20417A
Official Microsoft Learning Product
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led
courseware that educates IT professionals or developers on Microsoft technologies.
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of "customize" refers only to changing the order of slides and content, and/or
not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
install more copies of the Licensed Content on devices than the number of licenses you acquired;
allow more individuals to access the Licensed Content than the number of licenses you acquired;
publicly display, or make the Licensed Content available for others to access or use;
install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French (given here in English translation).
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is." Any use of this
licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law that this agreement cannot change. Where permitted by local law,
the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain from Microsoft and its suppliers
compensation for direct damages only, up to US $5.00. You cannot claim compensation for any other damages,
including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it to do so.
Revised December 2011
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some
of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft
Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12
years.
Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager
and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has
more than 17 years of experience on Microsoft platforms and he specializes in Windows Server,
Exchange Server, security, and virtualization. He has worked as a subject-matter expert and technical
reviewer on many Microsoft Official Courses (MOC), and has published more than 400 articles in
various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated
speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable
Professional for Windows Server Infrastructure Management.
Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at
Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft
Press), and has authored and technically reviewed several Microsoft Official Curriculum (MOC) courses
on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or
Exchange Server 2007 to Exchange Server 2010 SP1. He has coauthored various books on Windows,
Microsoft System Center Virtual Machine Manager, and Exchange, and is a frequent presenter on these
topics at international conferences such as IT & Dev Connections Spring 2012 in Las Vegas. Siegfried
has planned, designed, and implemented some of the world's largest Windows and Exchange Server
infrastructures for international customers. He received an MBA from Open University in England, and has
been an MCSE since 1997.
Orin Thomas is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.
He has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in
Australia and around the world on Windows Server, Windows Client, System Center, and security topics.
Orin founded and runs the Melbourne System Center Users Group.
Vladimir is a Microsoft Certified Trainer, an MVP on Exchange Server, and consultant, providing unified
communications and infrastructure solutions based on Microsoft Exchange Server, Lync Server, and
System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft
conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and
technical expert. He has also been involved as a subject matter expert and technical reviewer for several
Microsoft Official Curriculum courses.
Contents
Module 1: Installing and Configuring Servers Based on Windows Server 2012
Lesson 1: Installing Windows Server 2012
Lesson 2: Configuring Windows Server 2012
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers
Lab: Installing and Configuring Servers Based on Windows Server 2012
This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.
Course Description
Note: This first release (A) Microsoft Official Courses (MOC) version of course 20417A has
been developed on Windows Server 2012 RC. Microsoft Learning will release a B version of
this course after the release-to-manufacturing (RTM) version of the software is available.
This course is designed primarily for people who want to upgrade their technical skills from Windows
Server 2008 and Windows Server 2008 R2 to Windows Server 2012. It presumes a high level of knowledge
about previous Windows Server versions. This course also serves as preparation for taking exam 70-417,
on the upgrade path to a new MCSA: Windows Server 2012 certification.
Audience
The primary audience for this course is Information Technology (IT) professionals who are experienced
Windows Server 2008 Server Administrators, and who carry out day-to-day management and
administrative tasks, and want to update their skills and knowledge to Windows Server 2012.
The secondary audience for this course includes candidates who hold existing credentials in Windows
Server 2008 at Technology Specialist (TS) or Professional (PRO) level, and who want to migrate their
current credentials to the new credential of Microsoft Certified Solutions Associate (MCSA) with Windows
Server 2012.
Student Prerequisites
In addition to their professional experience, students who attend this training should have the following
technical knowledge:
Two or more years of experience deploying and managing Windows Server 2008
Experience with Windows Server 2008 server virtualization technologies and implementation
Students attending this course are expected to have passed the following exams, or have equivalent
knowledge:
Course Objectives
After completing this course, students will be able to:
Provide high availability for network services and applications by implementing failover clustering.
Configure Dynamic Access Control to manage and audit access to shared files.
Implement the new features in Active Directory Domain Services (AD DS) for Windows Server 2012.
Plan and implement an Active Directory Federation Services (AD FS) deployment.
Course Outline
This section provides an outline of the course:
Module 1, Installing and Configuring Servers Based on Windows Server 2012
Module 2, Monitoring and Maintaining Windows Server 2012
Module 3, Managing Windows Server 2012 by Using Windows PowerShell 3.0
Module 4, Managing Storage for Windows Server 2012
Module 5, Implementing Network Services
Module 6, Implementing DirectAccess
Module 7, Implementing Failover Clustering
Module 8, Implementing Hyper-V
Module 9, Implementing Failover Clustering with Hyper-V
Module 10, Implementing Dynamic Access Control
Module 11, Implementing Active Directory Domain Services
Module 12, Implementing Active Directory Federation Services
Exam/Course Mapping
This course, 20417A: Upgrading Your Skills to MCSA Windows Server 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-417: Upgrading Your Skills to MCSA Windows
Server 2012.
The table below is provided as a study aid to assist you in preparing for this exam and to show you how
the exam objectives and the course content fit together. The course is not designed exclusively to support
the exam but rather provides broader knowledge and skills to allow a real-world implementation of the
particular technology. The course will also contain content that is not directly covered in the examination
and will use the unique experience and skills of your qualified Microsoft Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab2.
[Exam/course mapping table: the exam-objective column did not survive in this copy. The Lab column
references Module 1 (Ex 1; Ex 2/3; Ex 1/2), Module 2 (Lesson 2; Ex 1; Ex 2/3/4), Module 4 (Ex 2/3),
Module 5 (Lesson 2; Ex 2; Ex 3), Module 6 (Ex 1/2/3), Module 7 (Ex 1/2/4; Ex 2), Module 8 (Ex 3; Ex 2/3),
Module 9 (Lesson 1/3; Lesson 3/4; Ex 1; Ex 3), Module 10, and Module 11 (Ex 1; Ex 2; Ex 2/3).]
The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:
Experience with implementing, managing and administering a Windows Server 2008 and Windows
Server 2008 R2 environment
A minimum of one to two years of real-world, hands-on experience installing and configuring a Windows
Server infrastructure
There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab1
The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to
change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online, and will provide no notification of such changes.
Course Materials
Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.
Course evaluation: At the end of the course, you have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual machine                 Role
20417A-LON-DC1
20417A-LON-SVR1
20417A-LON-SVR2
20417A-LON-SVR3
20417A-LON-SVR4
20417A-LON-SVR5
20417A-LON-TMG
20417A-MUN-DC1
20417A-LON-CL1                  Client computer running Windows 8 and Office 2010 Service Pack 1 (SP1)
                                in the Adatum.com domain
20417A-LON-CL2
Software Configuration
The following software is installed on each virtual machine:
Windows 8 RP
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Hardware Level 6
DVD drive
Network adapter
Module 1
Installing and Configuring Servers Based on
Windows Server 2012
Contents:
Module Overview 1-1
Lesson 1: Installing Windows Server 2012 1-2
Lesson 2: Configuring Windows Server 2012 1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers 1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012 1-25
1-30
Module Overview
Knowing the capabilities of the Windows Server 2012 operating system enables you to use it effectively,
and to take complete advantage of what it can offer your organization. Some of the many improvements
to Windows Server 2012 include:
This module introduces you to Windows Server 2012, how to install it, how to perform post-installation
configuration tasks, and how to configure it to support remote management.
Objectives
After completing this module, you will be able to:
Lesson 1
Installing Windows Server 2012
You must have a firm understanding of your organization's requirements so that you can deploy the
appropriate edition of Windows Server 2012. You must also understand which hardware configuration
is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a
physical deployment, and which installation source enables you to deploy Windows Server 2012
efficiently.
Lesson Objectives
After completing this lesson you will be able to:
Determine whether a particular hardware configuration is appropriate for Windows Server 2012.
Explain how to perform a physical or a virtual deployment of Windows Server 2012.
Select an appropriate installation source for a Windows Server 2012 deployment.
Determine when you can upgrade and when you must migrate to Windows Server 2012.
Decide between a Server Core installation and a full installation.
Perform post-installation configuration tasks.
Edition: Windows Server 2012 Standard edition
Description:

Edition: Windows Server 2012 Datacenter edition
Description:

Edition: Windows MultiPoint Server 2012 Standard
Description: Supports multiple users accessing the same host computer directly using separate mouse,
keyboard, and monitors. Supports one socket, 32 GB of RAM and a maximum of 12 sessions. Supports some
roles, including the DNS and DHCP Server roles, but does not support others, including AD DS, AD CS, and
AD FS. Does not support domain join.

Edition: Windows MultiPoint Server 2012 Premium
Description: Supports multiple users accessing the same host computer directly using separate mouse,
keyboard, and monitors. Limited to 2 sockets, 4 TB of RAM and a maximum of 22 sessions. Supports some
roles, including the DNS and DHCP Server roles, but does not support others, including AD DS, AD CS, and
AD FS. Supports domain join.
Hardware Requirements for Installing Windows Server 2012
Hardware requirements define the absolute minimum required to run the server software. The actual hardware requirements depend on the services that the server is hosting, the load on the server, and how responsive you want the server to be. The services and features of each role put a unique load on network, disk I/O, processor, and memory resources.
Virtualized deployments of Windows Server 2012 must match the same hardware specifications as physical deployments. Windows Server 2012 is supported on Hyper-V and certain third-party virtualization platforms.
The minimum hardware requirements for Windows Server 2012 are shown in the following table.
Component / Requirement
Processor architecture: x86-64
Processor speed: 1.4 GHz
Memory (RAM): 512 MB
Hard disk drive space:
Additional Reading: For more information about the Windows Server Virtualization Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.
Considerations for Deploying Physical or Virtual Machines
With virtualization you can be more efficient in the way that you allocate resources to servers. Instead of allocating separate hardware to a server that minimally uses resources, you can virtualize that server and enable those minimally used hardware resources to be shared with other virtual machines.
When determining whether to deploy a server physically or virtually, you must determine how that server uses hardware resources. Consider these points:
For example, a particular database server that heavily uses disk and network resources would be better deployed on a physical computer. If it were deployed as a virtual machine, other virtual machines on the same hypervisor would have to compete for access to those heavily-used disk and network resources. Alternatively, allocating a physical platform to a server that requires minimal hardware resources, such as a server running Certificate Services, means that powerful hardware is underused.
Other things to consider when determining whether to deploy a server virtually or physically are:
Scalability. Moving a virtual machine with its associated applications and data to a new host platform is significantly simpler than migrating a physically deployed server, its applications, and data to a new host platform. If you must quickly scale-up capacity, you can also migrate a virtual machine to a cloud provider, something that is far more difficult to do with a physically deployed server.
Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.
You can install Windows Server 2012 by using several methods, including those listed in the following table.
Method / Notes
Optical media
Requires that the computer has access to a DVD drive.
Optical media is usually slower than USB media.
You cannot update the installation image without replacing the media.
You can only perform one installation per DVD at a time.
USB media
Requires the administrator to perform special steps to prepare USB media from ISO file.
All computers support booting from USB media.
Image can be updated as new software updates and drivers become available.
Answer file can be stored on USB drive, reducing the interaction that the administrator must perform.
Mounted ISO image
Virtualization software enables you to directly mount the ISO image.
Does not require writing the ISO image to optical media.
Network share
Deploy from installation files on network share.
Requires you boot the server off a boot device (DVD or USB drive) and install from installation files hosted on a network share.
Much slower than using Windows Deployment Services (WDS).
If you already have access to a DVD or USB media, it is simpler to use those tools for operating system deployment.
Windows Deployment Services (WDS)
WDS lets you deploy Windows Server 2012 from Windows Imaging Format (WIM) image files or specially prepared VHD files.
You can use the Windows Automated Installation Kit to configure lite-touch deployment.
Virtual Machine Manager templates
Requires Virtual Machine Manager (VMM) in System Center.
Enables rapid deployment of Windows Server 2012 in private cloud scenarios.
Options for Upgrading and Migrating to Windows Server 2012
When considering whether to upgrade or migrate a server to Windows Server 2012, consider the options described in the following table.
Installation option / Description
Upgrade: An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all these items and want to continue using the same server hardware. Upgrade requires an x64 processor architecture and an x64 edition of the Windows Server operating system. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. You can only upgrade to an equivalent or a later edition of Windows Server 2012. You start an upgrade by running Setup.exe from the original operating system.
Migration:
Choosing Between Server Core and Full Installation
Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command-line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:
Reduced update requirements. Because Server Core installs fewer components, Server Core deployments require the application of fewer software updates. This reduces the time that is required for an administrator to service Server Core.
Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. This means that when virtualized, more servers can be deployed on the same host.
Increasing numbers of Microsoft server applications are designed to run on computers that have Server Core installations. Microsoft SQL Server 2012 can be installed on computers running the Server Core version of Windows Server 2008 R2.
There are two options for installing the Server Core, as described in the following table.
Option / Description
Server Core:
Server Core with Management: This is also known as Server Core-Full Server. This works the same as a deployment of Windows Server 2012 with the graphical components. With this installation option the graphical administration components are not in a Removed state. Instead, these components are available (they are located on the server's disk), but not installed into the OS. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, but without having to specify an installation source.
On a local connection, you can use the tools described in the following table to manage Server Core
installations of Windows Server 2012.
Tool
Function
Cmd.exe
PowerShell.exe
Sconfig.cmd
Notepad.exe
Enables you to use the Notepad.exe Text Editor in the Server Core environment.
Registry Editor
Msinfo32.exe
Enables you to view system information about the server core deployment.
Taskmgr.exe
Note: If you accidentally close the Command Prompt window on a computer running
Server Core, you can restore it using this procedure:
1.
Press Ctrl+Alt+Delete.
2.
3.
4.
Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the
following roles on a computer running Server Core:
1.
AD FS
2.
Application Server
3.
4.
Even if a role is available to a computer running the Server Core installation option, a specific role service
associated with that role may not be.
Note: You can check which roles are not available on Server Core by running the following
query (the state name must be quoted, otherwise Windows PowerShell rejects the bare word):
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Removed"}
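The query above can be grown into a short audit of what a server actually exposes. The following Windows PowerShell script is an added example and is not part of the course text; the two feature names it checks by default (ADFS-Federation and Application-Server) are assumed to be the feature names behind the AD FS and Application Server roles in this release, and an unknown name is reported rather than treated as an error.

```powershell
# Added example: summarize roles and features by install state on the local
# server. "Removed" means the feature's payload is not on disk (typical for
# Server Core), so Install-WindowsFeature would need an external -Source.
Import-Module ServerManager

function Get-FeatureStateReport {
    param(
        # Assumed feature names for the AD FS and Application Server roles.
        [string[]]$RolesOfInterest = @('ADFS-Federation', 'Application-Server')
    )

    $features = Get-WindowsFeature

    # Counts per state (Installed / Available / Removed).
    $countsByState = $features |
        Group-Object -Property InstallState |
        Select-Object Name, Count

    # What is installed is the role-based attack surface the server exposes;
    # review this list after every deployment.
    $installed = $features |
        Where-Object { $_.InstallState -eq 'Installed' } |
        Select-Object Name, DisplayName

    # Features that cannot be installed without a source image.
    $removed = $features |
        Where-Object { $_.InstallState -eq 'Removed' } |
        Select-Object Name, DisplayName

    # One verdict line per role name we were asked about.
    $verdicts = foreach ($name in $RolesOfInterest) {
        $match = $features | Where-Object { $_.Name -eq $name }
        if ($null -eq $match) {
            [pscustomobject]@{ Name = $name; InstallState = 'Unknown feature name' }
        } else {
            [pscustomobject]@{ Name = $name; InstallState = [string]$match.InstallState }
        }
    }

    [pscustomobject]@{
        CountsByState = $countsByState
        Installed     = $installed
        Removed       = $removed
        Verdicts      = $verdicts
    }
}

$report = Get-FeatureStateReport
$report.CountsByState | Format-Table -AutoSize
$report.Verdicts      | Format-Table -AutoSize
$report.Removed       | Format-Table -AutoSize
```

On a Server Core computer the Removed list is long and the Installed list short; on a full installation most entries are Available. Keeping the Installed output from a freshly built server makes later drift easy to spot.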
The Windows Server 2012 administration model focuses on managing many servers from one console
instead of the traditional method of managing each server separately. When you want to perform an
administrative task, you are more likely to manage multiple computers running the Server Core operating
system from one computer than you are to connect to each computer individually. You can enable
remote management of a computer running Server Core by using sconfig.cmd or by executing the
command:
Netsh.exe firewall set service remoteadmin enable ALL
In a typical installation of Windows Server 2012, if you do not have an existing answer file, you perform
the following steps:
1.
2.
Inserting a DVD-ROM that has the Windows Server 2012 installation files and booting from the
DVD-ROM.
Connecting a USB drive that is made bootable and contains a copy of the Windows Server 2012
installation files.
Performing a PXE boot from the computer that Windows Server 2012 will be installed on to, and
connecting to a WDS server.
On the first page of the Windows Setup Wizard, select the following:
o
Language to install
3.
On the second page of the Windows Setup Wizard, click Install now. You can also use this page to
select Repair Your Computer. Use this option if an installation has become corrupted and you can
no longer boot into Windows Server 2012.
4.
On the Select The Operating System You Want To Install page of the Windows Setup Wizard,
select from the available operating system installation options. The default option is Server Core
installation.
5.
On the License Terms page of the Windows Setup Wizard, review the terms of the operating system
license. You must accept the license terms before you can continue with the installation process.
6.
On the Which Type Of Installation Do You Want page of the Windows Setup Wizard, you have the
following options:
7.
Upgrade. Select this option if you have an existing Windows Server installation that you want to
upgrade to Windows Server 2012. You should start upgrades from the earlier version of Windows
Server instead of booting from the installation source.
On the Where do you want to install Windows page of the Windows Setup Wizard, select an
available disk on which to install Windows. You can also choose to repartition and reformat disks
from this page. When you click Next, the installation process will copy files and restart the computer
several times. This part of the installation can take several minutes, depending on the speed of the
platform on which you are installing Windows Server 2012.
8.
On the Settings page, provide a password for the local Administrator account. After you have
provided this password, you can log on to the server and begin performing post-installation
configuration tasks.
Post-Installation Tasks
In earlier versions of Windows operating systems, the installation required you to configure network connections, computer name, user account, and domain membership information. The Windows Server 2012 installation process reduces the number of questions that you have to answer. The only information that you provide during installation is the password that is used by the default local Administrator account.
After it is installed, all the following steps can be performed when you select the Local Server node in the Server Manager console:
Configure the IP address
Join an Active Directory domain
Configure the time zone
Enable automatic updates
Lesson 2
By correctly configuring a server first, you can avoid significant problems later. When planning to
configure a server, you must determine what roles to deploy. You must also assess whether roles can be
co-located on the same server or if you deploy certain roles on separate servers.
Lesson Objectives
After completing this lesson you will be able to:
Install roles and use the Best Practice Analyzer to check role configuration.
Switch a computer between Server Core and the full GUI installation option.
Demonstration Steps
1.
On LON-DC1, open the Add Roles and Features Wizard from the Server Manager Console.
2.
Start the Add Roles and Features Wizard and select the following options:
o
LON-DC1
BranchCache feature
3.
4.
5.
6.
Configure the DNS - Events Detail View with the following settings:
o
Severity Levels: All
7.
8.
9.
Open Windows PowerShell and then use the shutdown command to shut the server down.
Role / Function
AD CS: Enables the deployment of certification authorities and related role services.
AD DS: Centralized store of information about network objects including user and computer accounts. Used for authentication and authorization.
AD FS: Provides web single sign-on (SSO) and secured identity federation support.
AD LDS: Supports storage of application specific data for directory-aware applications that do not require the full infrastructure of AD DS.
AD RMS: Enables you to prevent unauthorized access to sensitive documents by applying rights management policies.
Application Server: Supports centralized management and hosting of high-performance distributed business applications, such as those built with the .NET Framework 4.5 and Enterprise Services.
DHCP Server: Provisions client computers on the network with temporary IP addresses.
DNS Server: Provides name resolution for TCP/IP networks.
Fax Server:
Hyper-V:
Remote Access:
When you deploy a role, Windows Server 2012 automatically configures aspects of the server's
configuration, such as firewall settings, to support the role. When you deploy a role, Windows Server 2012
automatically deploys role dependencies at the same time. For example, when you install the Windows
Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components that are
required to support the Web Server role.
You add and remove roles using the Add Roles and Features Wizard, available from the Server Manager
console. You can also add and remove roles using the Install-WindowsFeature and Remove-WindowsFeature Windows PowerShell cmdlets.
Demonstration: Installing and Optimizing Server Roles in Windows Server 2012
In this demonstration you will see how to install and optimize a server role in Windows Server 2012.
Demonstration Steps
1.
Use the Add Roles and Features Wizard to add the Application Server role to LON-DC1.
2.
3.
Configuring Server Core in Windows Server 2012
You must perform several aspects of post-installation configuration of Server Core operating systems from the command-line. You can perform most post-installation configuration tasks using the menu-driven command prompt utility sconfig.cmd. By using this utility, you minimize the possibility of the Administrator making syntax errors when you use more complex command-line utilities. You can use sconfig.cmd to perform the following tasks:
Configure Domain and Workgroup information
Configure the computer's name
Enable Windows Update
Download and install updates
Configure Network Address information
Perform Windows Activation
Log off
Restart the server
Shut down the server
Configure IP Address Information
You can configure the IP address and DNS information by using sconfig.cmd or netsh.exe. To configure IP address information by using sconfig.cmd, perform the following steps:
1.
2.
Select option 8 to configure Network Settings.
3.
Select the index number of the network adapter to which you want to assign an IP address.
4.
In the Network Adapter Settings area, select between one of the following options:
o
You can change the server name using the netdom command with the renamecomputer option. For
example, to rename a computer to Melbourne, type the following command:
Netdom renamecomputer %computername% /newname:Melbourne
You can change a server name using sconfig.cmd by performing the following steps:
1.
2.
3.
You must restart a server for the configuration change to take effect.
You can join a Server Core computer to a domain using the netdom command with the join option. For
example, to join the adatum.com domain using the Administrator account, and to be prompted for a
password, issue the command:
Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*
To join a server core computer to the domain using sconfig.cmd, perform the following steps:
1.
2.
3.
4.
Type the name of the domain to which you want to join the computer.
5.
Provide the details of an account authorized to join the domain in domain\username format.
6.
You can add and remove roles and features to a computer running the Server Core installation option by
using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows
PowerShell cmdlets. These cmdlets are available after you load the Server Manager module.
You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the Network Load Balancing feature, execute the command:
Install-WindowsFeature NLB
You can add a role or feature that is not available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command prompt utility.
Switching Between Server Core, Full, and Minimal Server Interface Options
Windows Server 2012 offers the option of switching between Server Core and the full installation. When you install Server Core, the necessary components to convert to the full version are not installed. You can install these if you have access to a mounted image of the full version of the Windows Server 2012 installation files.
You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount
After you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:
Graphical Management Tools and Infrastructure
The Minimal Server interface differs from Server Core because it has all components available and does not require you to provide access to a mounted directory that contains the full version of the Windows Server 2012 installation files. You can use the Install-WindowsFeature command without specifying a source location when you convert the Minimal Server interface to the full installation of Windows Server 2012. The advantage of the Server Core installation option over Minimal Server is that, even though they look similar, Server Core requires a smaller amount of hard disk space as it does not have all components available for installation.
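Putting the DISM mount and the two feature operations together, the following script is an added example, not the course's own code, that converts a Server Core computer to the full installation from a mounted image and later returns it to Server Core. It assumes the installation media is at D:\sources\install.wim with the full edition at image index 2 (verify with Dism /Get-ImageInfo), that C:\mount is an empty directory, and that -Source points at the mount root as the course text shows.

```powershell
# Added example: switch Server Core to the full graphical installation from
# a mounted install.wim, then return to Server Core.
Import-Module ServerManager

$WimFile  = 'D:\sources\install.wim'   # assumed path of the installation media
$ImageIdx = 2                          # assumed index of the full (non-Core) edition
$MountDir = 'C:\mount'                 # mount root, as used in the course text

function Mount-InstallImage {
    if (-not (Test-Path -Path $MountDir)) {
        New-Item -ItemType Directory -Path $MountDir | Out-Null
    }
    # A read-only mount is sufficient as an Install-WindowsFeature source.
    & dism.exe /Mount-Image "/ImageFile:$WimFile" "/Index:$ImageIdx" "/MountDir:$MountDir" /ReadOnly
    if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit code $LASTEXITCODE)" }
}

function Dismount-InstallImage {
    & dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard
}

function Enable-GraphicalShell {
    # On Server Core the GUI features are in the Removed state, so a -Source
    # that holds the full edition is required.
    $state = (Get-WindowsFeature -Name User-Interfaces-Infra).InstallState
    if ($state -eq 'Installed') { return 'User-Interfaces-Infra already installed' }

    Mount-InstallImage
    try {
        # Same cmdlet and parameters as the course text.
        $result = Install-WindowsFeature -Name User-Interfaces-Infra `
                      -IncludeAllSubFeature -Source $MountDir
    }
    finally {
        # The image is unmounted even if the install throws.
        Dismount-InstallImage
    }
    if (-not $result.Success) { throw "Install failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -eq 'Yes') { return 'Installed; restart the server to finish' }
    return 'Installed'
}

function Disable-GraphicalShell {
    # Removing Graphical Management Tools and Infrastructure also removes the
    # dependent Server Graphical Shell, returning the computer to Server Core.
    $result = Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra
    if (-not $result.Success) { throw "Uninstall failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -eq 'Yes') { return 'Removed; restart the server to finish' }
    return 'Removed'
}

Enable-GraphicalShell
```

Uninstall-WindowsFeature is the cmdlet behind the Remove-WindowsFeature name the course uses. Neither function restarts the server on its own; the returned string says when a restart is still needed.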
Configuring Networking and Network Interface Teaming
Configuring the network involves setting or verifying the server's IP address configuration. By default, a newly-deployed server tries to obtain IP address information from a DHCP server. You can view a server's IP address configuration by clicking the Local Server node in Server Manager.
If the server has an IPv4 address in the Automatic Private Internet Protocol Addressing (APIPA) range of 169.254.0.1 to 169.254.255.254, the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or because there is a problem with the network infrastructure that blocks the adapter from receiving an address.
Note: If you are using a purely IPv6 network, an IPv4 address in this range is not a problem, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, Implementing IPv6.
Configuration Using Server Manager
To manually configure IP address information for a server, perform the following steps:
1.
In the Server Manager console, click the address next to the network adapter that you want to configure. This will open the Network Connections window.
2.
3.
In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4.
IP address
Subnet Mask
Default Gateway
Alternative DNS server
You can manually set IPv4 address information from an elevated command prompt by using the
netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local
Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following
command:
Netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0
You can use the same context of the netsh.exe command to configure DNS configuration. For example, to
configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as
the primary DNS server, type the following command:
Netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary
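The APIPA check from the section above and the two netsh.exe commands fit naturally into one post-installation script. The following is an added example and not course code; it reuses the adapter name, address, mask and DNS server from the text, assumes 10.10.10.1 as the default gateway, and must be run from an elevated Windows PowerShell prompt.

```powershell
# Added example: detect an APIPA (169.254.x.x) address on an adapter and, if
# present, apply a static IPv4 address and DNS server with the same netsh.exe
# commands shown above. A working DHCP lease is left untouched.
$Adapter = 'Local Area Connection'   # adapter name from the course text
$Address = '10.10.10.10'             # from the course text
$Mask    = '255.255.255.0'           # from the course text
$Gateway = '10.10.10.1'              # assumed default gateway
$Dns     = '10.10.10.5'              # from the course text

function Test-ApipaAddress {
    param([string]$IPv4)
    # The APIPA range is 169.254.0.1 to 169.254.255.254.
    return [bool]($IPv4 -match '^169\.254\.')
}

function Set-StaticNetworkConfig {
    $current = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction Stop |
        Select-Object -First 1

    # Only an APIPA or non-DHCP address is replaced.
    if ($current.PrefixOrigin -eq 'Dhcp' -and -not (Test-ApipaAddress $current.IPAddress)) {
        return "Adapter '$Adapter' holds DHCP lease $($current.IPAddress); nothing changed"
    }

    # The adapter name contains spaces, so it must be quoted for netsh.
    & netsh.exe interface ipv4 set address "$Adapter" static $Address $Mask $Gateway
    if ($LASTEXITCODE -ne 0) { throw "netsh set address failed (exit code $LASTEXITCODE)" }

    & netsh.exe interface ipv4 set dnsservers "$Adapter" static $Dns primary
    if ($LASTEXITCODE -ne 0) { throw "netsh set dnsservers failed (exit code $LASTEXITCODE)" }

    # Read the configuration back rather than trusting the exit code alone.
    $after = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
        Select-Object -First 1
    $dnsNow = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
    return "Configured $($after.IPAddress)/$($after.PrefixLength) on '$Adapter', DNS: $($dnsNow -join ', ')"
}

Set-StaticNetworkConfig
```

Get-NetIPAddress and Get-DnsClientServerAddress come from the NetTCPIP and DnsClient modules that ship with Windows Server 2012; they are used here only to read state, while the changes go through the same netsh.exe syntax the course documents.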
Network Card Teaming is a new feature in Windows Server 2012. With Network Card Teaming you
can increase the availability of a network resource. When you configure Network Card Teaming, a
computer uses one network address for multiple cards. If one of the cards fails, the computer continues
communicating with other hosts on the network that are using that shared address. This enables you to
provide hardware redundancy for a server's network cards. Network Card Teaming does not require that
the network cards be the same model or use the same driver.
Windows Server 2012 supports up to 32 network adapters in a team. When a computer has separate
network adapters that are not part of a team, incoming and outgoing traffic may not be balanced across
those adapters. Network Card Teaming also provides bandwidth aggregation, ensuring that traffic is
balanced across network interfaces as a way to increase effective bandwidth.
To team network cards, perform the following steps:
1.
Ensure that the server has more than one network adapter.
2.
3.
Click Disabled next to Network Adapter Teaming. This opens the NIC Teaming dialog box.
4.
In the NIC Teaming dialog box, press the Ctrl key, and then click each network adapter that you
want to add to the team.
5.
Right-click these selected network adapters, and then click Add to New Team.
6.
In the New Team dialog box, enter a name for the team, and then click OK.
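The six Server Manager steps above have a Windows PowerShell equivalent in the NetLbfo module. The following script is an added example, not the course's own code; the team name LAN-Team and the adapter names Ethernet and Ethernet 2 are assumptions and should be replaced with names from Get-NetAdapter.

```powershell
# Added example: create and verify a NIC team with the NetLbfo cmdlets, the
# Windows PowerShell equivalent of the Server Manager procedure above.
Import-Module NetLbfo

function New-ServerNicTeam {
    param(
        [string]$TeamName = 'LAN-Team',                   # assumed team name
        [string[]]$Members = @('Ethernet', 'Ethernet 2')  # assumed adapter names
    )

    # Step 1: a team needs more than one adapter; Windows Server 2012 allows up to 32.
    if ($Members.Count -lt 2 -or $Members.Count -gt 32) {
        throw 'A team requires between 2 and 32 member adapters'
    }

    # Refuse adapters that do not exist or are not connected, so that a typo
    # cannot produce a team that silently has no redundancy.
    foreach ($name in $Members) {
        $nic = Get-NetAdapter -Name $name -ErrorAction Stop
        if ($nic.Status -ne 'Up') {
            throw "Adapter '$name' is not connected (Status: $($nic.Status))"
        }
    }

    if (Get-NetLbfoTeam -Name $TeamName -ErrorAction SilentlyContinue) {
        throw "Team '$TeamName' already exists"
    }

    # Switch-independent teaming needs no switch configuration and, as the
    # course notes, the members need not share a model or driver.
    $team = New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
                -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
                -Confirm:$false

    # Report the team and each member's operational state.
    $memberState = Get-NetLbfoTeamMember -Team $TeamName |
        Select-Object Name, AdministrativeMode, OperationalStatus
    [pscustomobject]@{
        Team    = $team.Name
        Status  = $team.Status
        Mode    = $team.TeamingMode
        Members = $memberState
    }
}

New-ServerNicTeam | Format-List
```

A team Status of Degraded after creation means one member failed to join; the Members list shows which one, and the team still carries traffic on the remaining adapters.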
Lesson 3
When you want to perform an administration task, it is more efficient to manage multiple servers from a single console than to connect to each server separately. You should spend time ensuring that newly deployed servers are configured so that you can manage them centrally. This enables you to spend more time at your desk administering those servers, instead of having to trek into the datacenter to start a direct connection.
Lesson Objectives
After completing this lesson you will be able to:
Describe the different Windows Server 2012 remote management technologies.
Configure Windows Server 2012 to support Remote Management.
Deploy roles and features remotely.
What Is Remote Management?
With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote management tools to remotely manage a computer. Remote Shell enables you to run command-line utilities against correctly configured remote servers as long as the command prompt utility is present on the remote server. Remote Windows PowerShell lets you run Windows PowerShell commands or scripts against correctly configured remote servers when the script is hosted on the local server. Remote Windows PowerShell also lets you load Windows PowerShell modules, such as Server Manager, locally and execute the cmdlets available in that module against suitably configured remote servers. Remote Management is enabled by default on computers running Windows Server 2012.
You can enable and disable Remote Management from Server Manager by clicking the text next to the Remote Management item when you have the Local Server node selected in the Server Manager console.
To enable remote management from the command-line, type the command WinRM qc. The "qc" is an abbreviation of Quick Configuration. You can disable Remote Management by using the same method that you use to enable it.
To disable remote management on a computer running the Server Core installation option, use sconfig.cmd.
Remote Desktop is still a necessary Windows Server 2012 remote management technology because some environments have not upgraded their administrator's workstations from Windows XP, and other environments may have Windows Server 2012 deployed even when the users in those environments primarily use third-party operating systems. You can configure Remote Desktop on a computer running the full version of Windows Server 2012 by performing the following steps:
1.
2.
Click Disabled next to Remote Desktop.
3.
On the Remote tab of the System Properties dialog box, select between one of the following options:
o
Don't allow connections to this computer. The default state of remote desktop is disabled.
o
Allow connections from computers running any version of Remote Desktop. Enables connections from Remote Desktop clients that do not support Network Level Authentication.
o
Allow Connections only from Computers running Remote Desktop with Network Level Authentication. Enables secure connections from computers running Remote Desktop clients that support network level authentication.
You can enable and disable Remote Desktop on computers running the Server Core installation option by using the sconfig.cmd menu-driven command prompt utility.
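The three options in the System Properties dialog map to two registry values, which makes it possible to report and enforce the setting without the GUI, including on Server Core. The following script is an added example and not course code; the registry paths and value names are the standard Terminal Server ones and the firewall rule group name "Remote Desktop" is the built-in group.

```powershell
# Added example: read the Remote Desktop setting that the System Properties
# dialog stores, map it to the three options listed above, and optionally
# enforce the Network Level Authentication option.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RemoteDesktopMode {
    # fDenyTSConnections = 1 disables Remote Desktop entirely;
    # UserAuthentication = 1 requires NLA before a session is created.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication).UserAuthentication

    if ($deny -eq 1) {
        $mode = "Don't allow connections to this computer"
    } elseif ($nla -eq 1) {
        $mode = 'Allow connections only from computers running Remote Desktop with Network Level Authentication'
    } else {
        $mode = 'Allow connections from computers running any version of Remote Desktop'
    }

    # The firewall rule group must also be enabled for inbound RDP to work.
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Select-Object DisplayName, Enabled, Profile

    [pscustomobject]@{
        Enabled       = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Mode          = $mode
        FirewallRules = $fw
    }
}

function Set-RemoteDesktopNlaRequired {
    # Keep Remote Desktop enabled but require NLA, so that credentials are
    # verified before the server builds a full session for the client.
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    return Get-RemoteDesktopMode
}

Get-RemoteDesktopMode | Format-List
```

Running Get-RemoteDesktopMode across a fleet (for instance through Invoke-Command, covered later in this lesson) is a quick way to find servers still on the "any version of Remote Desktop" option, which accepts clients that cannot do NLA.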
How Remote Management Works In Windows Server 2012
Windows Remote Management (WinRM) is a collection of technologies that enables administrators to manage server hardware when logged on directly or over the network. Windows Server 2012 uses WinRM to enable management of multiple computers concurrently through a single Server Manager console. Windows Remote Management includes the following components:
WS-Management protocol. A SOAP-based firewall-aware protocol that enables computers to exchange management information. SOAP uses XML messages when transmitting information.
WinRM Scripting API. This scripting API enables systems to obtain data from remote computers through WS-Management protocol operations.
Winrm.cmd. Command-line systems management tool that enables you to configure WinRM. For example, you can use this tool to enable Windows Remote Management on a server.
You can enable Windows Remote Management by issuing the following command:
Winrm qc
2.
3.
4.
Creates a firewall exception for WS-Management traffic using the HTTP protocol.
If you do not know whether a server is configured for Windows Remote Management, you can run the
following command to obtain Windows Remote Management configuration information:
Winrm get winrm/config
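The output of winrm get winrm/config is also exposed through the WSMan: drive in Windows PowerShell, which makes it scriptable. The following audit is an added example, not course code; it reads the listener, service and authentication settings, the WinRM service state, and the built-in "Windows Remote Management" firewall rule group, and flags the settings that weaken remote management if left on.

```powershell
# Added example: audit the local WinRM configuration through the WSMan: drive,
# which exposes the same settings that "winrm get winrm/config" prints.
function Get-WinRmAudit {
    # Win32_Service gives both the running state and the start mode.
    $service = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"

    # One object per listener: transport, bound address and port.
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Name      = $_.Name
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
        }
    }

    $svcCfg = Get-ChildItem -Path WSMan:\localhost\Service
    $auth   = Get-ChildItem -Path WSMan:\localhost\Service\Auth

    # Settings worth a second look on a production server.
    $findings = @()
    if (($svcCfg | Where-Object Name -eq 'AllowUnencrypted').Value -eq 'true') {
        $findings += 'AllowUnencrypted=true: WS-Management message bodies are not encrypted'
    }
    if (($auth | Where-Object Name -eq 'Basic').Value -eq 'true') {
        $findings += 'Basic authentication is enabled on the service'
    }
    if ($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }) {
        $findings += 'HTTP listener bound to all addresses (the winrm qc default); consider an HTTPS listener or an address filter'
    }

    $firewall = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Select-Object DisplayName, Enabled, Profile

    [pscustomobject]@{
        ServiceState = $service.State
        ServiceStart = $service.StartMode
        Listeners    = $listeners
        Firewall     = $firewall
        Findings     = $findings
    }
}

$audit = Get-WinRmAudit
$audit | Format-List
$audit.Listeners | Format-Table -AutoSize
```

An empty Findings list with the service Running and set to Auto start is what a server looks like after winrm qc with nothing else relaxed; a non-empty list points at the exact WSMan: path to correct.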
Additional Reading: You can learn more about configuring Windows Remote
Management by reading the following Performance Team post: http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx.
You can use Remote Windows PowerShell to run commands against a correctly configured remote server.
There are several methods that you can use to accomplish this. You can use the Invoke-Command
cmdlet to run a command or a script. For example, to view the list of installed roles and features on
LON-SVR1 and LON-SVR2 when the ServerManager module is loaded and both are configured for
Windows Remote Management, issue the command:
Invoke-Command -ComputerName LON-SVR1, LON-SVR2 -ScriptBlock {Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}}
You can also start a remote Windows PowerShell session by using the Enter-PSSession cmdlet. To end
the session, run the Exit-PSSession cmdlet. For example, to start a remote Windows PowerShell session to
LON-SVR1, issue the command:
Enter-PSSession -computername LON-SVR1
Additional Reading: You can learn more about Remote Windows PowerShell at:
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx.
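The Invoke-Command example above stops being useful the moment one of the servers is unreachable, and its output mixes the results of both servers. The following script is an added example and not course code; it keeps LON-SVR1 and LON-SVR2 from the text, adds an assumed unreachable name LON-SVR9 to show the error handling, groups the results per server, and compares two servers for feature drift.

```powershell
# Added example: run one Invoke-Command against several servers, collect the
# installed features per server, keep going when a server is unreachable, and
# compare two servers for feature drift.
function Get-InstalledFeaturesRemote {
    param(
        # LON-SVR1 and LON-SVR2 come from the course text; LON-SVR9 is an
        # assumed name used to show how an unreachable server is reported.
        [string[]]$Computers = @('LON-SVR1', 'LON-SVR2', 'LON-SVR9')
    )

    # SilentlyContinue lets the remaining servers run; the connection errors
    # are collected in $connErrors instead of stopping the pipeline.
    $results = Invoke-Command -ComputerName $Computers -ScriptBlock {
        Import-Module ServerManager
        Get-WindowsFeature |
            Where-Object { $_.InstallState -eq 'Installed' } |
            Select-Object Name, DisplayName
    } -ErrorAction SilentlyContinue -ErrorVariable connErrors

    # For a WinRM transport failure the error's TargetObject names the computer.
    $unreachable = foreach ($e in $connErrors) {
        [pscustomobject]@{ Computer = [string]$e.TargetObject; Error = $e.Exception.Message }
    }

    # Every object that comes back carries PSComputerName, added by remoting.
    $reachable = $results | Group-Object -Property PSComputerName | ForEach-Object {
        [pscustomobject]@{
            Computer       = $_.Name
            InstalledCount = $_.Count
            Features       = @($_.Group | ForEach-Object { $_.Name })
        }
    }

    [pscustomobject]@{ Reachable = $reachable; Unreachable = $unreachable }
}

function Compare-InstalledFeatures {
    param([string]$Reference, [string]$Difference)
    # Features present on one server but not the other: useful for spotting
    # a server that drifted from the build standard.
    $data = Get-InstalledFeaturesRemote -Computers @($Reference, $Difference)
    $ref  = $data.Reachable | Where-Object { $_.Computer -eq $Reference }
    $dif  = $data.Reachable | Where-Object { $_.Computer -eq $Difference }
    if (-not $ref -or -not $dif) { throw 'Both servers must be reachable to compare them' }
    Compare-Object -ReferenceObject $ref.Features -DifferenceObject $dif.Features |
        Select-Object @{ n = 'Feature'; e = { $_.InputObject } },
                      @{ n = 'OnlyOn';  e = { if ($_.SideIndicator -eq '<=') { $Reference } else { $Difference } } }
}

$summary = Get-InstalledFeaturesRemote
$summary.Reachable   | Format-Table Computer, InstalledCount -AutoSize
$summary.Unreachable | Format-Table -AutoSize
Compare-InstalledFeatures -Reference 'LON-SVR1' -Difference 'LON-SVR2'
```

Invoke-Command runs the script block on all servers in parallel, so the per-server grouping by PSComputerName is what keeps the combined output readable.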
Demonstration Steps
1.
2.
Use the winrm qc command from a Windows PowerShell prompt to re-enable remote management
on LON-DC1.
3.
Managing Server Groups in Server Manager
Server Manager in Windows Server 2012 automatically groups servers by role. This enables you to perform role-based tasks across all servers that host that role in the organization. For example, rather than connecting to each DNS server in the domain to perform a particular task, you can select the DNS node, select all servers that host DNS that you want to perform the task on, and then perform the task against that selection of servers.
A benefit to administrators is that servers in your organization are automatically grouped by role. For example, all servers that host the IIS or NAP roles are automatically grouped under the category nodes for those roles in the Server Manager console.
You can also use the Server Manager console to create custom server groups. A custom server group is a user-defined group of servers rather than a group of servers that share a specific role.
Demonstration: Managing Remote Servers by Using Server Manager
In this demonstration you will see how to create a server group. You will then perform a remote management task on both servers that are members of the group using a single action.
Demonstration Steps
1.
On LON-DC1, use Server Manager to create a server group named LONDON-GROUP that has LON-DC1 and LON-SVR4 as members.
2.
3.
A. Datum is an engineering and manufacturing company. The organization is based in London, England.
The organization is quickly expanding the London location as well as internationally. Because the
company has expanded, some business requirements are changing as well. To address some business
requirements, A. Datum has decided to deploy Windows Server 2012 on an existing network populated
with servers running the Windows Server 2008 and Windows Server 2008 R2 operating systems.
As one of the experienced Windows Server 2008 administrators, you are responsible for implementing
many of the new features on Windows Server 2012. To become familiar with the new operating system,
you plan to install a new Windows Server 2012 server running the Server Core version and complete the
initial configuration tasks. You also plan to configure and explore the remote management features that
are available in Windows Server 2012.
Objectives
Lab Setup
Estimated time: 60 minutes
Virtual Machines
20417A-LON-DC1
20417A-LON-SVR5
User Name
Adatum\Administrator
Password
Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
After having problems effectively deploying and configuring the Server Core version of Windows Server
2008, A. Datum is interested in using the Server Core installation of Windows Server 2012 when possible
because of the reduced hardware footprint and minimized update requirements. To become familiar with
the new operating system, you plan to install and configure a new Windows Server 2012 server running
the Server Core version as a way to determine whether the product is more easily managed than the
earlier version.
The main tasks in this exercise are:
1.
2.
3.
2.
Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This
file is located at C:\Program Files\Microsoft Learning\20417\Drives.
3.
Start 20417A-LON-SVR5. On the Windows Server 2012 page of the Windows Setup Wizard, verify
the following settings, click Next, and then click Install Now:
o
4.
Select to install the Windows Server 2012 Release Candidate Datacenter (Server Core
Installation) operating system.
5.
Accept the license terms and then select Custom: Install Windows Only (Advanced).
6.
Depending on the speed of the host computer, the installation will take approximately 20
minutes.
The virtual machine will restart several times during this process.
7.
On the log on page, click OK and then enter Pa$$w0rd in both the Password and Confirm
password boxes.
8.
X Task 2: Convert a Windows Server 2012 Server Core Installation to a Full Installation
1.
2.
3.
4.
From Windows PowerShell issue the following commands, pressing Enter after each:
Import-Module ServerManager
Install-WindowsFeature User-Interfaces-Infra -IncludeAllSubFeature -Source c:\mount\windows
5.
When prompted, restart the server and then log on as Administrator with the password of
Pa$$w0rd to verify the presence of the full GUI components.
X Task 3: Convert a Windows Server 2012 Full Installation to a Server Core Installation
1.
2.
3.
Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.
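The two conversions in Task 2 and Task 3, written as PowerShell functions (an added example, not the lab's own steps). The media drive letter, the image index and the mount folder are assumptions; list the images with Get-WindowsImage first and pick the index of the non-Core edition, because the Core image does not carry the GUI payload.

```powershell
# Added example (not from the course): convert a Windows Server 2012 server
# between Server Core and the full installation from PowerShell. The media
# path, image index and mount folder below are assumptions.
Import-Module Dism
Import-Module ServerManager

function ConvertTo-FullInstallation {
    param(
        [string]$ImagePath = 'D:\sources\install.wim',   # assumed media path
        [int]$Index = 4,                                 # assumed non-Core image index
        [string]$MountDir = 'C:\mount'
    )
    # Show the images so a wrong index is caught before anything is installed.
    Get-WindowsImage -ImagePath $ImagePath | Select-Object ImageIndex, ImageName | Out-Host

    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    # Read-only mount: the mounted \Windows folder is the side-by-side source
    # for feature payloads that Server Core does not carry.
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ReadOnly | Out-Null
    try {
        $result = Install-WindowsFeature User-Interfaces-Infra -IncludeAllSubFeature `
                      -Source "$MountDir\Windows"
    } finally {
        # Always release the mount, even if the installation failed.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
    if (-not $result.Success) { throw "Feature installation failed, exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Restart-Computer }
}

function ConvertTo-ServerCore {
    # Removing the management infrastructure removes the shell with it. The
    # smaller footprint means fewer components to patch and a smaller attack
    # surface, which is why the course recommends Core as the default.
    $result = Uninstall-WindowsFeature Server-Gui-Mgmt-Infra
    if ($result.RestartNeeded -eq 'Yes') { Restart-Computer }
}

function Get-InstallationType {
    # Reports which GUI components are present so the result can be confirmed
    # after the reboot (the verification step in Tasks 2 and 3).
    Get-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell |
        Select-Object Name, InstallState
}

# Usage: ConvertTo-FullInstallation   (then, after the reboot) Get-InstallationType
#        ConvertTo-ServerCore         (then, after the reboot) Get-InstallationType
```

The mount is dismounted before the restart is requested, which is why the functions call Restart-Computer themselves rather than passing -Restart to Install-WindowsFeature.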
After you install Server Core, you want to configure some basic network and firewall settings and join
computer to domain. During this initial deployment, you plan to perform these steps manually from the
command-line.
The main tasks for this exercise are as follows:
1.
2.
3.
2.
3.
Restart the server as prompted and log on to LON-SVR5 as Administrator with the password of
Pa$$w0rd.
4.
5.
6.
Select the index number of the network adapter that you want to configure.
7.
IP address: 172.16.0.111.
8.
Set the preferred DNS server to 172.16.0.10. Do not configure an alternative DNS server address.
9.
Exit sconfig and verify network connectivity to lon-dc1.adatum.com using the ping utility.
2.
Join the domain adatum.com using account adatum\administrator and the password of
Pa$$w0rd.
3.
4.
2.
3.
Issue the following command to view the enabled Firewall rules that allow traffic:
Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName
4.
5.
Issue the following command to view all Windows PowerShell cmdlets related to NetFirewallRule:
Get-Command -Noun NetFirewallRule
6.
View the status of the Remote Desktop inbound firewall rule by issuing the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
7.
Issue the following command to enable the Remote Desktop Inbound Firewall rule:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
8.
Issue the following command to verify that the Remote Desktop Inbound Firewall rule is enabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
9.
Issue the following command to disable the Remote Desktop Inbound Firewall Rule:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
10. Verify that the Remote Desktop Inbound Firewall Rule is disabled.
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
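Building on the commands in steps 3 to 10, the following added example (not part of the lab) turns the listing into an audit: it reports enabled inbound allow rules that are not in a baseline of expected rule groups, joined with the ports each rule opens, and wraps the Remote Desktop enable/disable steps so that the committed state is read back after each change. The baseline groups are a constructed example for a Server Core member server, not a Microsoft recommendation.

```powershell
# Added example (not from the course): audit enabled inbound allow rules
# against an expected baseline and toggle the Remote Desktop rule with a
# read-back check. The baseline groups are constructed for illustration.
function Get-UnexpectedInboundAllowRule {
    param(
        [string[]]$ExpectedGroups = @(
            'Core Networking',
            'Windows Remote Management',
            'File and Printer Sharing'
        )
    )
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayGroup -notin $ExpectedGroups } |
        ForEach-Object {
            # Join the port filter so the report shows what the rule opens.
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.Name
                Group     = $_.DisplayGroup
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
}

function Set-RemoteDesktopRule {
    param([Parameter(Mandatory)][bool]$Enabled)
    $name = 'RemoteDesktop-UserMode-In-TCP'
    if ($Enabled) { Enable-NetFirewallRule -Name $name }
    else          { Disable-NetFirewallRule -Name $name }
    # Read the rule back: the returned object reflects the committed state,
    # which is the check that steps 8 and 10 ask for.
    Get-NetFirewallRule -Name $name | Select-Object Name, Enabled, Direction, Action
}

# Usage:
Get-UnexpectedInboundAllowRule | Format-Table -AutoSize
Set-RemoteDesktopRule -Enabled $true
Set-RemoteDesktopRule -Enabled $false
```

Any rule the audit reports is a candidate for review rather than automatic removal; a role installed later (for example DNS) legitimately adds its own rule group, and the expected list should grow with the server's role.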
IT management at A. Datum expects that many servers running Windows Server 2012 will be deployed
in remote offices or as part of an online services deployment. To ensure that these servers can all be
managed from a central location, you must configure the server for remote management. You must also
verify the remote management functionality, and use Server Manager to manage multiple servers.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
2.
3.
Open Windows PowerShell and issue the command winrm qc. When you are prompted, type Y and
press Enter.
4.
Open the Server Manager console and verify that Remote Management is now enabled.
On LON-DC1 in Server Manager, create a server group named LONDON-GROUP that has LON-DC1
and LON-SVR5 as members.
2.
3.
Scroll down to the Performance section, select both listed servers, right-click LON-DC1, and then
click Start Performance Counters.
4.
Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.
2.
3.
In Server Manager, click the Flag and verify that the remote installation of Windows Server Backup
has occurred.
When you are finished with the lab, revert the virtual machines to their initial state.
Unless you must have a full installation to support roles and features, deploy Server Core.
Use Windows Remote Management to manage multiple servers from a single server using the Server
Manager console.
Use Windows PowerShell remoting to run remote Windows PowerShell sessions rather than logging
on locally to perform the same task.
Troubleshooting Tip
Review Question
Why is the Server Core installation the default installation option for Windows Server 2012
installations?
Unless a particular role requires it, consider using the Server Core installation option as your default server
deployment option. You can always install the GUI later if required.
Understand what roles and features you must deploy on a server prior to deploying that server, rather
than deploying roles and features to servers without planning.
You should plan to manage many servers from one console, rather than logging on to each server
individually.
Module 2
Monitoring and Maintaining Windows Server 2012
Contents:
Module Overview
2-1
2-2
2-11
2-15
2-19
2-26
Module Overview
After you deploy Windows Server 2012, you must ensure that it continues to run optimally by
maintaining a healthy and stable environment. As in earlier versions of Windows Server, to maintain
a healthy and stable environment, you must monitor Windows Server 2012 performance and make
adjustments as required. Additionally, you must identify your important data and create backup copies.
Finally, you must know how to restore your important data and servers by using the backup copies that
you have created.
Objectives
After completing this module, you will be able to:
Lesson 1
Monitoring Windows Server 2012
When a system failure or an event that affects system performance occurs, you must be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern network environment, the ability to determine the cause quickly frequently depends on having an effective performance monitoring methodology and tool set.
You can use performance-monitoring tools to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers. In addition to monitoring system performance, Windows Server 2012 provides tools for resource management. In this lesson, you will learn about tools in Windows Server 2012 that you can use for performance and resource monitoring and management.
Lesson Objectives
After completing this lesson, you will be able to:
Configure event subscriptions.
Describe how to monitor a network.
To monitor the health of the IT infrastructure.
To monitor service-level agreements (SLAs).
To plan for future requirements.
To identify issues.
Upgrading Your Skills to MCSA Windows Server 2012
IT Infrastructure Health
The effective operation of the server infrastructure is frequently critical to your organization's business goals. The key factors in maintaining the consistency of server operation include correctly functioning and configured hardware, and sufficient use and assignment of resources.
Using performance-monitoring tools, you can record performance statistics that you can use to determine when a server is slower at responding to user requests, instead of relying on user perception of slow and fast response times. You can use these statistics to determine which component or components of the server infrastructure may be the source of performance-related issues.
SLA Monitoring
Many organizations maintain SLAs that dictate the required availability for servers and server-hosted applications. These SLAs may contain stipulations about server availability (for example, the LON-DC1 server must be available 99.995 percent of business hours), or they may specify performance-related requirements (for example, the average query time for this database server must be less than five seconds for any given day).
Frequently, violation of an SLA results in reduction of payment for services or similar penalties. Therefore, you want to ensure that the SLAs imposed upon your environment are met on a continuing basis. You can use performance-monitoring tools to monitor the specific areas related to your SLAs and help you identify issues that could affect your SLA before they become a problem.
Planning for Future Requirements
The business and technical needs of your organization are subject to change. New initiatives may require new servers to host new applications or increased storage within your environment. Monitoring these areas over time enables you to assess effectively how the server resources are being used currently. Then, you can make an informed decision on how the server environment has to grow or change to meet future requirements.
Identifying Issues
Troubleshooting problems that arise in the server environment can be tedious. Issues that affect users have to be resolved as quickly as possible and with minimal effect on the business needs of your organization.
Troubleshooting an issue only on the symptoms provided by users or anecdotal evidence frequently leads to misdiagnosis and wasted time and resources. Monitoring the server environment lets you take a more informed and proactive approach to troubleshooting. When you have an effective monitoring solution implemented, you can identify issues within your infrastructure before they cause a problem for the end users. You can also have more concrete evidence of reported issues and narrow the cause of problems, saving you investigative time.
Question: List four troubleshooting procedures that would benefit from server monitoring.
Typical Performance Bottlenecks
Analysis of your monitoring data can reveal problems such as excessive demand on certain hardware resources that result in bottlenecks.
Causes of Bottlenecks
Demand on certain hardware resources may become extreme enough to cause resource bottlenecks for the following reasons:
A resource is malfunctioning and has to be replaced.
A program is monopolizing a particular resource. This might require substituting another program, having a developer rewrite the program, adding or upgrading resources, or running the program during periods of low demand.
A security issue, such as viruses or Denial of Service attacks, can be the reason for a bottleneck.
By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune the servers to overcome initial limitations. The following table lists suggestions
for improving performance on various types of hardware.
Hardware / Suggestion
Processors: You may be able to overcome performance bottlenecks that occur with processors by:
Adding processors.
Increasing the speed of processors.
Memory:
Networks: You should consider the limitations of network bandwidth and segment networks, where appropriate. You can increase network throughput by tuning the network adapter and other network devices such as switches, firewalls, and routers.
Tools for Monitoring in Windows Server 2012
Several tools are available to help you in monitoring the server environment, both historical and real time. The following is a list of tools to help you in monitoring the server environment.
Tool / Description
Event Viewer: Event Viewer collects information that relates to server operations. This information can help identify performance issues on a server. You should search for specific events in the event log file to locate and identify problems.
Task Manager: Task Manager helps you monitor the real-time aspects of the server. You can view information related to hardware performance and the applications and processes that are currently running on the server.
Resource Monitor: Resource Monitor helps you to look deeper into the real-time performance of the server. It provides performance information related to the CPU, memory, hard disk, and network components of the server.
Performance Monitor: Performance Monitor is the most robust monitoring tool in Windows Server 2012. It enables both real-time and historical monitoring of the server's performance and configuration data.
Reliability Monitor: Reliability Monitor provides a historical view of the server's reliability-related information such as event log errors and warnings.
Demonstration: Creating Data Collector Sets
The data collector set is a custom set of performance counters, event traces, and system configuration data.
You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour during your working hours to create a performance baseline. You can also set the data collector to restart when set limits are reached so that a separate file is created for each interval.
After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.
In this demonstration, you will create a data collector set.
Demonstration Steps
Create a new data collector set named Windows Server Monitoring
1.
2.
Configure the data collector set to include the Performance counter data logs for Processor/% Processor Time, Memory/Available MBytes, and Logical Disk/% Free Disk Space.
Stop the Windows Server Monitoring data collector set, and then review the latest report
2.
ost Common Perform
mance Cou
unters
Specific server roles install a ran
nge of perform
mance
obje
ects and associated counterss. The common
n
perfformance coun
nters include:
2-6
Memory coun
nters. These co
ounters monito
or
physical, rand
dom access me
emory (RAM),
virtual memo
ory, and disks, including
i
pagiing,
which is the movement
m
of pages
p
of code and
data between
n disk and phyysical memory.
Paging file co
ounters. Paging
g file is the rese
erved space o n the disk thatt complementts committed
physical mem
mory.
Processor cou
unters. These counters measu
ure aspects of processor actiivity. Each processor is
represented as
a an instance of the object.
Win
ndows Server 2012
2
uses serve
er roles to imp
prove server effficiency and ssecurity. Only tthe performan
nce
obje
ects and countters that are re
elevant to the installed serveer role are avaiilable to monittor.
You can enable missing performance objects and counters by installing additional server roles or adding
features. Additional performance objects that are installed with each server role can help with server
monitoring. The following table identifies common server roles and the performance objects that can be
monitored to assess performance.
Server role
Active Directory Domain
Services (AD DS)
What Are Alerts?
Alert is a functionality in Windows Server 2012 that notifies you when certain events have occurred or when certain performance thresholds are reached. You can configure alerts in Windows Server 2012 as network messages or as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
You can configure alerts when you create data collectors, by selecting the Performance Counter Alert type of the data collector.
When you create the alert, configure the following settings:
Alert when. This is the alert threshold setting for a specific performance counter.
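The data collector set from the "Creating Data Collector Sets" demonstration and the performance counter alert described above, built from the command line as an added example (not the course's own demonstration). It uses logman, the command-line front end to Performance Monitor's data collector sets, and Get-Counter for an immediate sample; the counter paths are the standard Windows names for the three counters in the demonstration, while the log folder, the 90 percent threshold and the sample intervals are assumptions.

```powershell
# Added example (not from the course): create the "Windows Server Monitoring"
# data collector set and a performance counter alert with logman, then take
# a quick baseline sample with Get-Counter. Paths and thresholds are assumed.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\% Free Space'
)

function New-BaselineCollectorSet {
    param(
        [string]$Name = 'Windows Server Monitoring',
        [string]$LogDir = 'C:\PerfLogs\Baseline'   # assumed log location
    )
    # -si sample interval, -rf run for ten minutes (the text's example), -max
    # stop at 50 MB so a runaway log cannot fill the disk, -f binary log format.
    logman create counter "$Name" -c $counters -si 00:00:15 -rf 00:10:00 `
        -max 50 -f bin -o "$LogDir\baseline"
    logman start "$Name"
}

function New-CpuAlert {
    param(
        [string]$Name = 'High CPU',
        [int]$Threshold = 90,                    # percent, assumption
        [string]$CollectorToStart = 'Windows Server Monitoring'
    )
    # "Alert when" is the -th expression. -el writes an event to the
    # Application log when the alert fires; -rdcs starts the named data
    # collector set so detailed counters are captured while the condition lasts.
    logman create alert "$Name" -th "\Processor(_Total)\% Processor Time>$Threshold" `
        -si 00:00:10 -el -rdcs "$CollectorToStart"
    logman start "$Name"
}

function Get-BaselineSnapshot {
    param([int]$Samples = 4, [int]$IntervalSeconds = 5)
    # Immediate readings from the same counters: confirms the collector is
    # reading what you expect before you rely on the logged baseline.
    Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object {
            foreach ($s in $_.CounterSamples) {
                [pscustomobject]@{
                    Time    = $_.Timestamp
                    Counter = $s.Path
                    Value   = [math]::Round($s.CookedValue, 2)
                }
            }
        }
}

function Remove-BaselineCollectorSet {
    param([string[]]$Names = @('Windows Server Monitoring', 'High CPU'))
    foreach ($n in $Names) { logman stop "$n"; logman delete "$n" }
}

# Usage:
New-BaselineCollectorSet
New-CpuAlert
Get-BaselineSnapshot | Format-Table -AutoSize
```

Running the collector for a fixed ten minutes on a repeating schedule, as the text suggests, is done by starting it from a scheduled task; the set itself only defines what is captured and for how long.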
What Are Event Subscriptions?
Event log subscriptions is a feature that, when it is configured, enables a single server to collect copies of events from multiple systems. Using WinRM and the Windows Event Collector service, you can collect events in the event logs of a centralized server, where you can analyze them together with the event logs of other computers that are being collected on the same central server.
Subscriptions can be either collector-initiated or source computer-initiated:
Collector-initiated. A collector-initiated subscription, or a pull subscription, identifies all the computers that the collector will receive events from, and will typically pull events from these computers. In a collector-initiated subscription, the subscription definition is stored and maintained on the collector computer. You use pull subscriptions when many of the computers have to be configured to forward the same types of events to a central location. In this manner, only one subscription definition has to be defined and specified to apply to all computers in the group.
Source computer-initiated. In a source computer-initiated subscription, or push subscription, source computers push events to the collector. In a source computer-initiated subscription, the subscription definition is created and managed on the source computer, which is the computer that is sending events to a central source. You can define these subscriptions manually, or by using Group Policy. You create push subscriptions when each server is forwarding a different set of events than other servers, or when control over the event forwarding process has to be maintained at the source computer; possibly when frequent changes have to be made to the subscription.
You must enable and configure WinRM on both the source and the collector computers by using the following command.
winrm qc
You must start and configure the Windows Event Collector service (by using the Wecutil utility) to receive events on the collector computer. You can achieve this by running the following command.
Wecutil qc
Events that are collected by a subscription can be collected into any of the collector computer's default event logs, or they can be collected into an event log specifically created to host collected events.
Event subscription is a cost-effective and customizable tool to get a consolidated view of monitored activities and events in target servers, and to issue alerts in a timely manner. In Windows Server 2012, subscribing and forwarding events with triggers to send out alerts is a straightforward process.
Demonstration Steps
Configure the source computer
1.
Switch to LON-SVR1.
2.
At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.
3.
Switch to LON-DC1.
2.
At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.
2.
Computers: LON-SVR1
Switch to LON-DC1.
2.
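The collector-initiated (pull) subscription that the demonstration configures, created from the collector with wecutil as an added example (not the course's own steps). It assumes winrm qc has been run on the source and wecutil qc on the collector, as described above. The subscription name, the source computer's FQDN and the event filter (Security event 4625, failed logons, a common thing to centralize for detection) are constructed for illustration.

```powershell
# Added example (not from the course): define a collector-initiated
# subscription with wecutil and read the forwarded events back. Name, source
# computer and filter are constructed values.
function New-PullSubscription {
    param(
        [string]$Name = 'FailedLogons',
        [string[]]$SourceComputer = @('LON-SVR1.adatum.com'),   # assumed FQDN
        [string]$Query = '<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4625)]]</Select></Query></QueryList>'
    )
    $sources = ($SourceComputer | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`n"

    # Subscription definition in the schema that "wecutil cs" expects. Events
    # are delivered over WinRM (HTTP transport, Kerberos-authenticated) into
    # the collector's ForwardedEvents log.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Pull failed-logon events from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    # Write UTF-8 without a byte-order mark so wecutil parses the file cleanly.
    [System.IO.File]::WriteAllText($path, $xml, (New-Object System.Text.UTF8Encoding $false))
    wecutil cs $path            # create the subscription
    wecutil gs $Name            # print the stored definition back for review
}

function Get-ForwardedFailedLogon {
    param([int]$MaxEvents = 20)
    # Collected events land in the ForwardedEvents log on the collector;
    # MachineName identifies which source each one came from.
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625 } -MaxEvents $MaxEvents |
        Select-Object TimeCreated, MachineName, Id, Message
}

# Usage (run on the collector, LON-DC1 in the demonstration):
New-PullSubscription
Get-ForwardedFailedLogon | Format-Table -AutoSize
```

With CredentialsType set to Default, the collector's machine account reads the source's Security log, so that account must be a member of the Event Log Readers group on each source computer; wecutil rs <name> retries a subscription whose sources show as inactive.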
Monitoring a Network
Because network infrastructure services are an important foundation of many other server-based services, you must make sure that they are configured correctly and are running optimally. Collecting performance-related data on the network infrastructure services benefits your organization in:
Helping to optimize network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize network infrastructure server performance.
You can use Performance Monitor to collect and analyze the relevant data.
Monitoring Domain Name System (DNS)
Domain Name System (DNS) provides name resolution services on the network. You can monitor the DNS Server role of Windows Server 2012 to determine the following aspects of your DNS infrastructure:
Dynamic update and secure dynamic update counters, for measuring registration and update activity that is generated by dynamic clients
Memory usage counters, for measuring system memory usage and memory allocation patterns that are created by operating the server as a DNS server
Monitoring DHCP
Lesson 2
Implementing Windows Server Backup
In order to protect critical data, every organization must perform a backup regularly. Having a well-defined and tested backup strategy ensures that companies can restore data if there are any unexpected failures or data loss. This lesson describes the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service for Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the features of Windows Server Backup.
Describe the Microsoft Online Backup Service.
Describe the methods for backing up server roles running Windows Server 2012.
Selected volumes
In addition, Windows Server Backup 2012 lets you:
Perform a bare-metal restore. Bare-metal restore includes all volumes that are required for Windows to run. You can use this backup type together with the Windows Recovery Environment to recover from a hard disk failure, or if you have to recover the whole computer image to new hardware.
Recover individual files and folders. The Individual files and folders option enables you to back up selected files and folders, instead of just full volumes.
Exclude selected files or file types. For example, you can exclude .tmp files.
Select from more storage locations. You can store backups on remote shares or non-dedicated volumes.
Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 which enables files and folders to be backed up and recovered from the cloud to provide off-site backup.
The ability to take just a system state backup is not exposed in the GUI interface of backup. If you want to take just a system state backup, you must use the wbadmin.exe utility. WBadmin.exe is a command prompt utility.
What Is Microsoft Online Backup Service?
The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 managed by Microsoft. You can use this service to back up files and folders and recover them from the cloud to provide off-site protection against data loss caused by disasters. You can use this service to back up and protect critical data from any location.
This service is built on the Windows Azure platform and uses Windows Azure blob storage for storing customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Agent to transfer file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online Backup Agent, the Microsoft Online Backup Service Agent integrates its functionality through the familiar Windows Server Backup interface.
Key Features
The key features that Windows Server 2012 provides through the Microsoft Online Backup service include:
Integrated recovery experience to recover files and folders from local disk or from cloud
Easily recover any data that was backed up onto any server of your choice
Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service accepts and implements retention policies to recycle backups that exceed the desired retention range, thereby meeting business policies and managing backup costs.
Methods to Back Up Server Roles
You can back up most services on computers running Windows Server 2012 by performing a system state backup. Some services also enable configuration and data backup from their respective management console. The following table lists the methods that you can use to back up specific roles on computers running Windows Server 2012.
Role / Method
DHCP: System state backup backs up all scopes and options. DHCP console backup backs up individual scopes or all scopes.
Certificate:
Internet Information Services (IIS): Website files and folders have to be backed up. When backing up IIS components, ensure that the website files and folders are also backed up. These are not backed up by a system state backup.
Network Policy and Access Services (NPAS): System state backup enables the backup of NPAS configuration.
DNS:
Demonstration Steps
1.
2.
Run the Backup Once Wizard to back up the C:\HR Data folder to the remote folder,
\\LON-DC1\Backup.
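The Backup Once demonstration above, done with the WindowsServerBackup cmdlets instead of the wizard, plus the system-state-only backup that the lesson says is available only from wbadmin.exe. This is an added example, not the course's own steps; the folder and share are the lab values from the text, and the E: drive letter for the system state target is an assumption.

```powershell
# Added example (not from the course): one-time backup of C:\HR Data to the
# \\LON-DC1\Backup share with the WindowsServerBackup module, and a
# system-state-only backup with wbadmin. The E: target is assumed.
Import-Module WindowsServerBackup

function Start-HrDataBackup {
    param(
        [string]$Folder = 'C:\HR Data',
        [string]$Target = '\\LON-DC1\Backup'
    )
    $policy = New-WBPolicy
    # What to back up: a file specification for the folder rather than the
    # whole volume (the "Individual files and folders" option).
    $spec = New-WBFileSpec -FileSpec $Folder
    Add-WBFileSpec -Policy $policy -FileSpec $spec
    # Where to put it: a remote share. A share target keeps only the most
    # recent backup, so keep history elsewhere if you need more than one copy.
    $dest = New-WBBackupTarget -NetworkPath $Target
    Add-WBBackupTarget -Policy $policy -Target $dest
    # Run this policy once without saving it as the scheduled policy.
    Start-WBBackup -Policy $policy
    # Report the outcome of the job just run, for the verification step.
    Get-WBJob -Previous 1 |
        Select-Object JobType, JobState, StartTime, EndTime, ErrorDescription
}

function Start-SystemStateOnlyBackup {
    param([string]$TargetDrive = 'E:')   # assumed local volume for the backup
    # wbadmin is the only supported way to take just the system state.
    wbadmin start systemstatebackup -backupTarget:$TargetDrive -quiet
}

# Usage:
Start-HrDataBackup
Start-SystemStateOnlyBackup
```

Backing up to a share sends the data over SMB and stores it under the permissions of that share, so the share's ACL, not the backup itself, decides who can read the copied HR data; restrict it to the backup operators and the computer accounts that need it.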
Lesson 3
Implementing Server and Data Recovery
Lesson Objectives
Describe the options for server recovery.
Describe the option for server restore.
Describe the considerations for data recovery.
Perform a restore with Windows Server Backup.
Describe how to perform a restore with online backup.
Options for Server Recovery
Windows Server Backup in Windows Server 2012 provides the following recovery options:
Files and folders. You can back up individual files or folders as long as the backup is on an external disk or in a remote shared folder.
Operating system. You can recover the operating system through Windows Recovery Environment (WinRE).
Original location. The original location restores the data to the location it was backed up originally.
Create copies and have both versions
Overwrite existing version with recovered version
Do not recover items if they already exist in the recovery location
Security Settings. You can use this option to restore permissions to the data being recovered.
Options for Server Restore
You perform server restore by starting the computer from the Windows Server 2012 installation media, selecting the computer repair option, and then selecting the full server restore option.
When you perform full server restore, consider the following aspects:
Importing to Hyper-V. Because server backup data is written to the VHD format, which is also the format that is used for virtual machine hard disks, it is possible, with some care, to use full server backup data as the basis of creating a virtual machine. Doing this gives you the option of ensuring business continuity while sourcing the appropriate replacement hardware.
Considerations for Data Recovery
There are several strategies that you can pursue in developing a data recovery procedure. Data is the most frequently recovered component of an IT infrastructure.
Consider the following components in a data recovery strategy:
The most common form of data recovery performed by IT departments is the recovery of files and folders
that users have deleted, lost, or in some way corrupted. The Previous Versions of Files functionality,
which you can enable on all computers running Windows Server 2012, lets users recover their own files.
After end users are trained to do this, the IT department can spend its time recovering more important data.
From a planning perspective, you should consider increasing the frequency at which snapshots for
previous versions of files are generated. This gives users more options when they try to recover files that
have recently become deleted or corrupted.
A common recovery problem is the unintentional replacement of important data when recovering from
backup. This can occur when recovery is performed to a location with live data, instead of to a separate
location where the necessary data can be located and the unnecessary data discarded.
When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material to a location where
important permissions are not applied, enabling unintended access to data for those that should not have
it.
During some types of failures, such as data corruption or deletion, you have to restore data to the original
location, because applications or users who access those data are preconfigured with the information on
where the data is located.
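The two recovery pitfalls described above (overwriting live data, and restoring restricted material without its permissions) can both be guarded against from Windows PowerShell. The following is an added example and not part of the course text: it recovers a folder from the newest Windows Server Backup set to a separate location and then compares the explicit (non-inherited) ACEs of every restored item against its live twin. The WindowsServerBackup module cmdlets are real; the paths C:\HR Data and D:\Restore, and the assumption that the recovered folder is recreated beneath the target path, are illustrative.

```powershell
# Added example (not from the course text): recover a folder from the newest
# Windows Server Backup set to an ALTERNATE location, then verify that the
# restored tree carries the same explicit permissions as the live copy.
# Assumptions: the WindowsServerBackup module is installed, a backup of this
# server exists, and 'C:\HR Data' / 'D:\Restore' are illustrative paths.
Import-Module WindowsServerBackup

$sourcePath = 'C:\HR Data'   # item as it was backed up (and still live on disk)
$targetPath = 'D:\Restore'   # separate location, never the live data path

function Get-ExplicitAceSummary {
    # One sorted string per non-inherited ACE, so two trees can be compared
    # without the inherited entries that legitimately differ between parents.
    param([string]$Path)
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights } |
        Sort-Object
    return ($aces -join ';')
}

# Newest backup set on the configured backup target.
$backupSet = Get-WBBackupSet |
    Sort-Object -Property BackupTime -Descending |
    Select-Object -First 1
if (-not $backupSet) { throw 'No backup sets were found on the configured backup target.' }

# -Option SkipIfExists never clobbers data already present in the target folder.
# ACLs are restored by default; -NoRestoreAcl is deliberately NOT used here.
Start-WBFileRecovery -BackupSet $backupSet -SourcePath $sourcePath -TargetPath $targetPath `
    -Recursive -Option SkipIfExists -Force

# Windows Server Backup recreates the folder beneath the target path (assumed here).
$restoredRoot = Join-Path $targetPath (Split-Path $sourcePath -Leaf)

$mismatches = foreach ($item in Get-ChildItem -Path $restoredRoot -Recurse) {
    $relative = $item.FullName.Substring($restoredRoot.Length).TrimStart('\')
    $liveTwin = Join-Path $sourcePath $relative
    if (Test-Path -LiteralPath $liveTwin) {
        $live     = Get-ExplicitAceSummary -Path $liveTwin
        $restored = Get-ExplicitAceSummary -Path $item.FullName
        if ($live -ne $restored) {
            [pscustomobject]@{ Item = $relative; Live = $live; Restored = $restored }
        }
    }
}

if ($mismatches) {
    $msg = '{0} restored item(s) under {1} do not carry the live permissions; fix the ACLs before anyone is granted access to the copy.' -f @($mismatches).Count, $restoredRoot
    Write-Warning $msg
    $mismatches | Format-List
} else {
    "Explicit permissions on $restoredRoot match the live data."
}
```

Inherited ACEs are excluded on purpose: a folder restored under D:\Restore inherits from that parent, so comparing full SDDL strings would flag every item. What must survive a restore are the explicit entries that carry the restricted-data permissions, and those are what this check compares.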
Recovering Volumes
If a disk fails, sometimes the quickest way to recover the data is to do a volume recovery instead of a selective recovery of files and folders. When you do a volume recovery, you must check whether any shared folders are configured for the disks, and whether the quotas and File Server Resource Manager management policies are still in effect.
Demonstration Steps
1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
   o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data
   o Specify Recovery Options: Another Location (C:)
2. Locate C:\ and ensure that the files are restored.

When restoring files, select from the following options:
o Create copies so that you have both the restored file and the original file in the same location. The restored file has its name in the following format: Recovery Date+Copy of+Original File Name
o Overwrite the existing versions with the recovered version
o Do not recover the items that already exist on the recovery destination
After you complete the restore procedure, the files will be restored on the Windows Server 2012 computer located in your site.
To obtain accurate information about server usage, it is important to establish a performance baseline
with a typical load for the new Windows Server 2012 servers. In addition, to make the process of
monitoring and troubleshooting easier, IT management wants to implement centralized monitoring of
event logs.
Much of the data that is stored on the A. Datum network is very valuable to the organization. Losing this data permanently would be a very significant loss to the organization. Also, several servers that run on the network provide very valuable services for the organization; losing these servers for a significant time would also result in losses to the organization. Because of the significance of the data and services, it is important that they can be restored after any disaster.
One of the options that A. Datum is considering is backing up some critical data to a cloud-based service.
A. Datum is considering this as an option for small branch offices that do not have a full data center
infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a monitoring and system recovery solution that will meet the management and business
requirements.
Objectives
After completing this lab, you will be able to:
Perform an online backup and restore for Windows Server 2012 servers.
Lab Setup
Estimated time: 75 minutes
Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20417A-LON-SVR1.
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.
1. Switch to LON-SVR1.
2. In the Server Manager console, in the navigation pane, click All Servers.
3. In the Actions pane, start the performance counters for both LON-SVR1 and LON-DC1.

1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows Server Monitoring.
2. Configure the data collector set to include the Performance counter data logs for Processor\% Processor Time, Memory\Available MBytes, and LogicalDisk\% Free Space.
3. Start the Windows Server Monitoring data collector set, and let it run for one minute.
4. Stop the Windows Server Monitoring data collector set, and then review the latest report.
1. Switch to LON-SVR1.
2. At the command prompt, run the winrm quickconfig command to enable the administrative changes that are required on a source computer.
3. Switch to LON-DC1.
4. At the command prompt, run the wecutil qc command to enable the administrative changes that are required on a collector computer.
5. Create an event subscription with the following setting:
   o Computers: LON-SVR1
6. Expand Event Viewer, expand Windows Logs, and then click Forwarded Events. Verify that events are forwarded from LON-SVR1.
Results: After completing this exercise, you will have configured Server Manager to monitor multiple servers, configured a data collector set, and configured an event subscription.
The LON-SVR1 server contains financial data that must be backed up regularly. This data is important to the organization. You decide to use Windows Server Backup to back up critical data. You plan to install this feature and configure a scheduled backup.
The main tasks for this exercise are as follows:
1. Install the Windows Server Backup feature.
2. Configure a scheduled backup.
3. Perform an on-demand backup.

1. Switch to LON-SVR1.
2. Open Server Manager and install the Windows Server Backup feature.
3. Install the feature on LON-SVR1 and then accept the default values in the Add Roles and Features Wizard.

To prepare for this task, you need to create a folder on LON-SVR1 named Financial Data on drive C:, and within the Financial Data folder you need to create a text file named Financial Report.txt.
To complete an on-demand backup, perform the following steps:
1. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder \\LON-DC1\Backup.
Results: After completing this exercise, you will have installed the Windows Server Backup feature, configured a scheduled backup, and run an on-demand backup.
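The same outcome as the two wizards in this exercise (a scheduled backup of C:\Financial Data plus an immediate run, both to \\LON-DC1\Backup) can be produced with the WindowsServerBackup module. The block below is an added example, not course or Microsoft sample code. The cmdlets and their parameters are real; the share, folder, schedule time and the credential prompt are assumptions for this lab.

```powershell
# Added example (not from the course text): the lab's scheduled backup and
# Backup Once steps, driven from Windows PowerShell.
# Assumptions: the Windows Server Backup feature is installed on LON-SVR1,
# \\LON-DC1\Backup exists and is writable by the supplied account, and
# C:\Financial Data holds the data to protect.
Import-Module WindowsServerBackup

# Prompt for the account allowed to write to the share; never embed passwords in scripts.
$cred = Get-Credential -Message 'Account used to write to \\LON-DC1\Backup'

$policy = New-WBPolicy

# Protect only the financial data folder (a file spec), not the whole volume.
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Financial Data')

# Network share target. -NonInheritAcl restricts the backup folder on the share so
# that only the account above and administrators can read the backup copy.
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

# Daily run at 22:00; a VSS copy backup leaves other products' backup history untouched.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'22:00')
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# Persist the policy as this server's scheduled backup (replaces any existing one).
Set-WBPolicy -Policy $policy -Force

# Equivalent of the Backup Once Wizard: run the same policy now and report the result.
Start-WBBackup -Policy $policy -Force
$job = Get-WBJob -Previous 1
'Last job: {0}, started {1}, state {2}' -f $job.JobType, $job.StartTime, $job.JobState
```

Two caveats a practitioner should keep in mind with this configuration: a network share target holds only the most recent backup (each run overwrites the previous one), so version history has to come from somewhere else, and the credential supplied to New-WBBackupTarget is what the scheduled task will use at 22:00, so it should be a dedicated backup account with write access to the share and nothing more.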
To ensure that the financial data can be restored, you must validate the procedure for restoring the data to an alternative location. You may also have to restore different versions of the data. For this purpose, you may have to use the Vssadmin tool to review backups.
The main tasks for this exercise are as follows:
1. Delete a folder to simulate data loss.
2. Review available backups by using Vssadmin.
3. Restore the folder from the backup.

1. At the Windows PowerShell prompt, run the vssadmin list shadows command to list existing volume shadow copies.

1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed available resources, and then restored the folder from the backup that you created.
A. Datum has to protect critical data in small branch offices. Those offices do not have backup hardware and full data center infrastructure. Therefore, A. Datum has decided to back up the critical data in branch offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012.
The main tasks for this exercise are as follows:
1. Install the Microsoft Online Backup Service agent.
2. Register the server with Microsoft Online Backup Service.
3. Configure a scheduled backup.
4. Perform a restore by using Microsoft Online Backup Service.
5. Unregister the server from the Microsoft Online Backup Service.

1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Sign-in Assistant, msoidcli.msi. Install the application.
2. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent, OBSInstaller.exe.
3. Start the installation of Microsoft Online Backup Agent by double-clicking the installation file OBSInstaller.exe.
4. Verify the installation; ensure you receive the following message: Microsoft Online Backup Service Agent installation has completed successfully. Clear the Check for newer updates check box, and then click Finish.
5. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and Microsoft Online Backup Service Shell.

Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer names used in this lab should be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
To rename LON-SVR1, perform the following steps:
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart YOURCITYNAME-YOURNAME.

To register the server with Microsoft Online Backup, perform the following steps:
1. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following information:
   o Account Credentials: Username: holuser@onlinebackupservice.onmicrosoft.com, Password: Pa$$w0rd
   Note: In a real-life scenario, you would type the username and password of your Microsoft Online Backup Service subscription account.
   o Encryption Settings:
2. Verify that you receive the following message: Microsoft Online Backup Service is now available for this server.

1. In the Microsoft Online Backup Service console, start the backup by clicking Backup Now.

1. Restore files and folders by using the Recover Data option and specify the following information:
   o Identify the server on which the backup was originally created: This server
   o Select Volume and Date: C:\ and date and time of the latest backup.
   o Specify Recovery Options: Original location and Create copies so that you have both versions

Task 5: Unregister the server from the Microsoft Online Backup Service
1. Unregister the server from the Microsoft Online Backup Service using the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com, Password: Pa$$w0rd
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent, registered the server with Microsoft Online Backup Service, configured a scheduled backup, and performed a restore by using Microsoft Online Backup Service.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.
Best Practices
Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on proactively detecting potential failures or performance issues.
When monitoring, establish a baseline of system utilization for each server. This will help you determine whether the system is performing well or is overused.
Analyze your important infrastructure resources and mission-critical and business-critical data. Based on that analysis, create a backup strategy that will protect the company's critical infrastructure resources and business data.
Identify, with the organization's business managers, the minimum recovery time for business-critical data. Based on that information, create an optimal restore strategy.
Always test backup and restore procedures regularly, even if data loss or system failures never occur. Perform testing in a non-production and isolated environment.
Troubleshooting Tip
Your organization needs information on which data to back up, how frequently to back up different types of data and technologies, where to store backed-up data (onsite or in the cloud), and how fast it can restore backed-up data if a failure were to occur. Also, what is your suggestion to improve your organization's ability to efficiently restore data when it is necessary?
Tools
Tool                  Where to find it
Server Manager
Performance Monitor   Server Manager/Tools
Resource Monitor      Server Manager/Tools
Module 3
Managing Windows Server 2012 by Using Windows PowerShell 3.0
Contents:
Module Overview
Module Overview
Windows PowerShell is a core feature of Windows Server 2012 that enables command line management
and configuration of the operating system. It is a standardized, task-based command-line shell and
scripting language that offers administrators more flexibility and choice in how they manage computers
running Windows.
Windows PowerShell 3.0, included in Windows Server 2012, has more functionality and features than
earlier versions. You can now use Windows PowerShell to manage all the Windows Server roles and
features. This enables administrators to quickly automate configuration tasks with a single tool, instead of
having to use multiple tools, such as batch scripts, Microsoft Visual Basic Script Edition scripts (VBScript),
and manual configuration steps.
In this module, you will learn key Windows PowerShell concepts and new Windows PowerShell 3.0
features. This module will also describe how to practically use Windows PowerShell in your daily activities.
Objectives
After completing this module, you will be able to:
Use Windows PowerShell to manage Active Directory Domain Service (AD DS).
Lesson 1
Overview of Windows PowerShell 3.0
Lesson Objectives
After completing this lesson, you will be able to:
Describe cmdlet aliases.
What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that you can use to configure Windows Server 2012 and products such as System Center 2012, Exchange Server 2010, and Microsoft SharePoint Server 2010. This management interface provides an alternative to the GUI management that enables administrators to:
Create automation scripts.
Access settings that might be unavailable or more difficult to configure in the GUI.
Upgrading Your Skills to MCSA Windows Server 2012
Windows PowerShell may also change the way you use Windows Management Instrumentation (WMI). Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides easy to use, task-based commands.
Windows PowerShell Syntax
Windows PowerShell has rules for naming and implementing functions. For example, Windows PowerShell commands, known as cmdlets, use a naming convention of verb or action, followed by a hyphen and a noun or subject. For example, to retrieve a list of virtual machines (VMs), you would use the cmdlet Get-VM. This standardization helps you more easily learn how to perform administrative tasks. For example, to change settings of a VM, you would use the cmdlet Set-VM.
Optionally, one or more parameters can be used with a cmdlet to modify its behavior or specify settings. Parameters are written after the cmdlet. Each parameter that is used is separated by a space, and begins with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique to their functionality. For example, the Move-Item cmdlet has the -Destination parameter to specify the location to move the object; whereas Get-ChildItem has the -Recurse switch parameter. There are several kinds of parameters, including the following:
Named. Named parameters are most common. They are parameters that can be specified and require a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination parameter along with the exact destination to move the item.
Positional. Positional parameters are parameters whose names can be omitted; they still accept values based on where the information is specified in the command. For example, you could run Get-EventLog -LogName System to retrieve information from the System event log. However, because the -LogName positional parameter accepts values for the first position, you can also run Get-EventLog System to get the same results. When the -LogName parameter name is not present, the cmdlet still accepts the value of System because it is the first item after the cmdlet name.
-Verbose. This parameter displays detailed information about the performed command. You should use this parameter to obtain more information about the execution of the command.
-WhatIf. This parameter displays the outcome of running the command without running it. This is helpful when testing a new cmdlet or script and you do not want the cmdlet to run.
-Confirm. This parameter displays a confirmation prompt before executing the command. This is helpful when you are running scripts and you want to prompt the user before executing a specific step in the script.
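The -WhatIf, -Confirm and -Verbose parameters described above are not magic reserved words: a cmdlet or function gets them by declaring SupportsShouldProcess and routing every destructive action through ShouldProcess. The following is an added example, not from the course, showing how the same positional, named and common parameters appear on a function you write yourself; the folder path, file pattern and age threshold are illustrative.

```powershell
# Added example (not from the course text): an advanced function that honours
# -WhatIf, -Confirm and -Verbose the same way built-in cmdlets do.
# Assumption: the folder path and age threshold are illustrative values.
function Remove-StaleLogFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, Position = 0)]   # positional: the -Path name may be omitted
        [string]$Path,

        [Parameter()]                                  # named parameter with a default value
        [int]$OlderThanDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Write-Verbose "Looking for *.log files under $Path last written before $cutoff"

    Get-ChildItem -Path $Path -Filter '*.log' -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess returns $false under -WhatIf (and prints "What if: ..."),
            # prompts the operator under -Confirm, and because ConfirmImpact is High
            # it prompts by default unless the caller passes -Confirm:$false.
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete stale log file')) {
                Remove-Item -LiteralPath $_.FullName -Force
                Write-Verbose "Deleted $($_.FullName)"
            }
        }
}

# Dry run first: positional value for -Path, named value for -OlderThanDays.
Remove-StaleLogFile 'C:\inetpub\logs' -OlderThanDays 90 -WhatIf -Verbose

# Real run; each file is confirmed because ConfirmImpact is High.
# Remove-StaleLogFile -Path 'C:\inetpub\logs' -OlderThanDays 90
```

The point for scripts that change servers: if every destructive step goes through ShouldProcess, a single -WhatIf at the top level gives a complete preview of what the script would do, which is the check you want before running it against production.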
Additional Reading: Cmdlet Verbs
http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx
Cmdlet Aliases
Although the standard naming convention used by cmdlets facilitates learning, the names themselves can be very long, and sometimes do not match common terminology associated with performing a task. For example, you may be familiar with the dir command, which lists the contents of a directory (or folder). The Windows PowerShell cmdlet for this task, however, is Get-ChildItem. To make using cmdlets easier, Windows PowerShell enables aliases to be created for cmdlets. There is an alias created by default for dir that points to Get-ChildItem.
You can create new aliases for your common cmdlets, scripts, and programs by using the New-Alias cmdlet. Default aliases include:
cd -> Set-Location
move -> Move-Item
rm -> Remove-Item
Demonstration: Using the Windows PowerShell ISE
Demonstration Steps
1. Log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell ISE as an administrator and review the Script pane and the Console pane.
Accessing Help in Windows PowerShell
Whether you are an experienced professional or new to Windows PowerShell, the cmdlet Help documentation is a rich source of information. To access the Help documentation, use the Get-Help cmdlet or its alias help followed by the cmdlet name. Get-Help has parameters to adjust the Help content that is displayed. The parameters are:
-Detailed. This parameter displays more detailed help than the default option.
Windows PowerShell 3.0 includes the ability to download the latest help documents from Microsoft for use locally. To do this, use the Update-Help cmdlet. Also, new in Windows PowerShell 3.0 is the Show-Command cmdlet. This helps PowerShell beginning users interact with the input and output options for a cmdlet by using a graphical interface.
The Get-Command cmdlet returns a list of all locally available cmdlets, functions, and aliases. You can use it to discover new cmdlets by using wildcard searches. For example, to return a list of all cmdlets that include VM in them, you could run Get-Command *VM*.
Using Windows PowerShell Modules
Windows PowerShell is designed to be extensible. Adding new cmdlets and functions in Windows PowerShell 3.0 is performed in part through modules.
Note: In earlier versions of Windows PowerShell, extensibility was provided by using snap-ins. For backward compatibility, Windows PowerShell 3.0 continues to support snap-ins.
Windows PowerShell uses the Microsoft.PowerShell.Management module, which provides basic functionality. When you install additional roles on a server, additional Windows PowerShell modules are installed and registered. For example, you install the Microsoft Hyper-V role and also choose to install the Hyper-V module for Windows PowerShell. To manage Hyper-V from Windows PowerShell, you must import the Hyper-V module into the Windows PowerShell session. To import the Hyper-V module, run the following command:
Import-Module Hyper-V
Run the following command to list all modules that are imported:
Get-Module
It is not always necessary to manually import modules. For example, the Windows PowerShell module for Exchange Server 2010 is automatically imported during product installation. However, if you cannot run cmdlets for a specific Windows role or application, it may indicate that you have to import the appropriate Windows PowerShell module.
There are two basic module types:
Binary. A binary module is created by using the .NET Framework and is frequently provided with a product to provide Windows PowerShell support. Binary modules many times add cmdlets for noun or subject types that are newly created in the AD DS schema to support the product. An example is the New-Mailbox cmdlet of Exchange Server 2010.
Script. A script module is composed of Windows PowerShell cmdlets that already exist in the environment. These scripts can provide additional functions and variables to automate repetitive or tedious tasks. You may want to create your own module that includes functions or variables specific to your environment as a timesaving or configuration management measure.
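What a script module of the kind described above looks like on disk, and how Import-Module and Get-Module find it, is easiest to see by building one. The block below is an added example and not course material: it writes a .psm1 and a manifest into the per-user module path, imports the module by name, and lists what it exports. The module name AdatumOps and its single function are assumptions.

```powershell
# Added example (not from the course text): create a script module on disk,
# import it by name, and confirm which commands it exports.
# Assumptions: the module name and function are illustrative; files go under the
# per-user module folder so no administrative rights are needed.
$moduleName = 'AdatumOps'
$moduleRoot = Join-Path ([Environment]::GetFolderPath('MyDocuments')) "WindowsPowerShell\Modules\$moduleName"
New-Item -Path $moduleRoot -ItemType Directory -Force | Out-Null

# The .psm1 holds the functions. Export-ModuleMember decides what callers can see;
# Test-PrivateHelper stays internal to the module.
@'
function Get-ServiceState {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string[]]$Name)
    Get-Service -Name $Name | Select-Object Name, DisplayName, Status
}
function Test-PrivateHelper { 'not exported' }
Export-ModuleMember -Function Get-ServiceState
'@ | Set-Content -Path (Join-Path $moduleRoot "$moduleName.psm1") -Encoding UTF8

# The manifest (.psd1) records the root module, version and exported names;
# it is what Get-Module -ListAvailable reads without loading the code.
New-ModuleManifest -Path (Join-Path $moduleRoot "$moduleName.psd1") `
    -RootModule "$moduleName.psm1" -ModuleVersion '1.0.0' `
    -FunctionsToExport 'Get-ServiceState' -Author 'A. Datum IT'

# The folder sits on $env:PSModulePath, so the module can be imported by name.
Get-Module -ListAvailable -Name $moduleName | Format-Table Name, Version, ModuleType
Import-Module -Name $moduleName -Force
Get-Command -Module $moduleName          # only Get-ServiceState is listed
Get-ServiceState -Name 'WinRM', 'wbengine'
```

Keeping the export list explicit (in both Export-ModuleMember and FunctionsToExport) is the habit worth copying: helper functions that touch credentials or internal paths should not become part of the surface every operator can call.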
What Is Windows PowerShell Remoting?
The purpose of Windows PowerShell remoting is to connect to remote computers, to run commands on those computers, and to direct the results back to your local computer. This enables single-seat administration, or the ability to manage the computers on the network from the client computer, instead of having to physically visit each computer. A key goal of Windows PowerShell remoting is to enable batch administration, which lets you run commands on a whole set of remote computers concurrently.
There are three main ways to use remoting:
One-to-One remoting. In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged into the console and opened a Windows PowerShell window.
Remoting requires both Windows PowerShell and Windows Remote Management (WinRM) utilities on your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft implementation of Web Services for Management, or WS-MAN, which is a set of protocols that is widely adopted across different operating systems. As the name implies, WS-MAN and WinRM use web-based protocols. An advantage to these protocols is that they use a single, definable port. This makes them easier to pass through firewalls than older protocols that randomly selected a port. WinRM communicates by using the Hypertext Transfer Protocol (HTTP). By default, WinRM and Windows PowerShell remoting use TCP port 5985 for incoming connections that are not encrypted and TCP port 5986 for incoming encrypted connections. Applications that use WinRM, such as Windows PowerShell, can also apply their own encryption to the data that is passed to the WinRM service. WinRM supports authentication and, by default, uses the Active Directory native Kerberos protocol in a domain environment. Kerberos does not pass credentials over the network and it supports mutual authentication to ensure that incoming connections are coming from valid computers.
Establishing a One-to-One remoting session by using Windows PowerShell ISE is performed by clicking the New Remote PowerShell Tab on the File menu. You can also establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For example, to open a remote PowerShell session on a computer named LON-SVR2, you would use the following syntax:
Enter-PSSession -ComputerName LON-SVR2
One-to-Many remoting is primarily performed by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-SVR2, use the following command:
Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -ComputerName LON-SVR1, LON-SVR2
Note: Unlike in earlier versions, Windows Server 2012 has Windows PowerShell remoting and WinRM enabled by default.
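The one-to-many command above works when every target answers; in practice some hosts are offline, some refuse the connection, and the transport choice (HTTP on 5985 with Kerberos, or HTTPS on 5986) matters. The following is an added example, not from the course, that wraps the same Get-EventLog call with a reachability check, keeps per-host failures out of the result set, and shows the HTTPS variant. LON-SVR1 and LON-SVR2 are the lab names; that an HTTPS listener exists on them is an assumption.

```powershell
# Added example (not from the course text): one-to-many remoting with error
# handling, plus the transport checks a practitioner makes first.
# Assumptions: LON-SVR1 and LON-SVR2 are domain members reachable by name;
# the HTTPS call at the end only works if a certificate-backed listener exists.
$computers = 'LON-SVR1', 'LON-SVR2'

# 1. Confirm the WinRM service answers on each host (HTTP, TCP 5985, Kerberos).
#    Using the host NAME keeps Kerberos mutual authentication in play; an IP
#    address would fall back to NTLM and require the host in TrustedHosts.
$reachable = foreach ($c in $computers) {
    try   { Test-WSMan -ComputerName $c -ErrorAction Stop | Out-Null; $c }
    catch { Write-Warning "WinRM not reachable on ${c}: $($_.Exception.Message)" }
}
if (-not $reachable) { throw 'None of the target computers answered on WinRM.' }

# 2. Run the same script block on every reachable host concurrently. Results come
#    back as deserialized objects tagged with PSComputerName; connection and
#    access-denied errors are collected in $remoteErrors instead of stopping the run.
$events = Invoke-Command -ComputerName $reachable -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        Get-EventLog -LogName System -Newest 5 |
            Select-Object TimeGenerated, EntryType, Source, EventID, Message
    }

$events | Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, EntryType, Source, EventID -AutoSize

foreach ($e in $remoteErrors) {
    Write-Warning ('{0}: {1}' -f $e.TargetObject, $e.Exception.Message)
}

# 3. Same call over the encrypted HTTPS listener (TCP 5986), the right choice for
#    hosts outside the forest where Kerberos cannot protect the session.
#    Uncomment once a listener with a trusted certificate is configured.
# Invoke-Command -ComputerName $reachable -UseSSL -Credential (Get-Credential) `
#     -ScriptBlock { Get-EventLog -LogName System -Newest 5 }
```

Inside a domain the HTTP listener is acceptable because the Kerberos session keys encrypt the message payload; -UseSSL is the option to reach for when the target is a workgroup or untrusted-forest machine and Kerberos is not available.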
What Is New in Windows PowerShell 3.0?
Windows PowerShell 3.0 has new features that facilitate managing larger groups of servers through better scaling, additional functionality, and better management. Windows PowerShell 3.0 includes the following new features:
Scheduled Jobs. This feature enables scheduling of Windows PowerShell commands and scripts to automatically run administrative tasks.
Enhanced Online Help. You can now download the latest Help files from Microsoft by using the
Update-Help cmdlet and view the latest help online. This guarantees you are getting the latest
information about how to use Windows PowerShell.
Windows PowerShell ISE Autosense. Windows PowerShell ISE provides hints for cmdlets, including
valid parameters that make it easier than ever to use Windows PowerShell.
Robust Session Connectivity. These connections enable you to connect to a remote server and if
connectivity is lost or you intentionally disconnect, you can resume the connection at the point it was
disconnected. Previously, if connection to a session was lost, all the session data, variables, and
command history would be lost.
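Robust session connectivity as described above is exposed through the disconnected-session cmdlets that arrived in Windows PowerShell 3.0. The block below is an added example, not course material: it starts a long-running scan on a remote server in a session that is disconnected immediately, then reconnects later and collects the buffered output. LON-SVR2 is the lab host name; the scan itself (looking for private-key and password-database files) is illustrative.

```powershell
# Added example (not from the course text): run a long command on a remote
# server in a disconnected session and collect its output later.
# Assumption: LON-SVR2 is a Windows Server 2012 host with remoting enabled.

# Start the work and disconnect at once. The command keeps running on LON-SVR2
# and its output is buffered there even if this console is closed.
$session = Invoke-Command -ComputerName LON-SVR2 -InDisconnectedSession `
    -SessionName AuditScan -ScriptBlock {
        Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.pfx', '.kdbx', '.ppk') } |
            Select-Object FullName, Length, LastWriteTime
    }
$session | Format-Table Name, ComputerName, State, Availability -AutoSize
# State shows Disconnected while the scan continues on the server.

# Later, from this or any other Windows PowerShell console running as the same
# user (disconnected sessions belong to the user who created them):
$resumed = Get-PSSession -ComputerName LON-SVR2 -Name AuditScan
$results = Receive-PSSession -Session $resumed   # reconnects and returns buffered output
$results | Format-Table -AutoSize

# The session still holds the user's security context on LON-SVR2; remove it when done.
Remove-PSSession -Session $resumed
```

The last line is the part to remember operationally: a disconnected session is a live, authenticated endpoint on the server until it is removed or times out, so scripts that use this pattern should always clean up after Receive-PSSession.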
Lesson 2
Using Windows PowerShell 3.0 to Manage AD DS
Lesson Objectives
After completing this lesson, students will be able to:
Describe the Active Directory modules for Windows PowerShell.
Describe how to use variables.
Describe how to use pipelines and scripts.
Describe how to format output from a Windows PowerShell command.
Describe how to create and run Windows PowerShell scripts.
Describe how to use Windows PowerShell loops and conditional expressions.
Manage AD DS with Windows PowerShell.
Describe how to obtain the Windows PowerShell history information from Active Directory Administrative Center.
Using the Active Directory Module for Windows PowerShell
You may be comfortable managing AD DS by using the common graphical tools such as Active Directory Users and Computers. Another option that you may not be as comfortable with is the Windows PowerShell cmdlets. Using the AD DS cmdlets to perform common tasks will help you learn how to use Windows PowerShell.
The Active Directory PowerShell module included in Windows Server 2012 provides over 130 cmdlets for managing Active Directory objects such as computer and user accounts, groups, trusts, and policies.
Using Windows PowerShell Variables
Windows PowerShell enables you to retrieve, modify, and filter data from many different sources. In some cases, you may want to store data for comparison or use. For example, you may want to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and can then be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows PowerShell variables are typed. This means that they are created to store a specific type of data, whether it is text, numbers, objects, time, arrays, or another defined object.
You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:
Set-Variable -Name ADDS -Value (Get-ADDomain)
You will notice that you do not specify the $ symbol when you use the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it, and then assigning a value to it. To do this, start the command with the name of the variable followed by an equal sign and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:
$ADDS = Get-ADDomain
You can also access methods or actions from a variable. For example, to determine the BaseType of $ADDS, you can use the GetType() method by running the following command:
> $ADDS.GetType().BaseType
Microsoft.ActiveDirectory.Management.ADPartition
When you use methods, you must follow the method with () to distinguish that it is a method and not a property. You can also use variables in calculations; for example, you can add the contents of two variables. To declare two variables and then add them together, use the following commands:
> $A = 1
> $B = 2
> $A + $B
3
When you use variables in calculations, make sure that they are typed correctly, because typing them incorrectly could lead to unexpected results. For example, notice what happens when variables are typed as string data instead of numbers:
> $C = "3"
> $D = "4"
> $C + $D
34
Instead of adding the two values numerically, they are concatenated together. When you mix types together, there is more potential for unexpected results because Windows PowerShell will automatically cast or convert some data types. For example, see how the data is cast in the following example:
> $A + $C
4
> $C + $A
31
In these examples, the type of the first variable is used to cast the other variables for the calculation. To better control how data is cast, you can specify the data type for each variable. To control how each variable is cast, see the following example:
> [string] $A + $C
13
> [int] $C + $A
4
Additional Reading: about_Variables
http://technet.microsoft.com/en-us/library/dd347604.aspx
Question: How do you declare variables and assign values to them?
The
T Windo
ows PowerS
Shell Pipeline
Windows
W
PowerShell is an objject-based
en
nvironment. Th
his means thatt the input and
d
ou
utputs of the cmdlets
c
are ob
bjects that can be
manipulated.
m
In
n some instancces, you may want
w
to
o take the outp
put of one cmd
dlet and pass it
to
o another cmd
dlet for additional actions. Fo
or
exxample, when you have to enable all disab
bled
AD DS accountss in the domain, you could
manually
m
list each user by using the Get-AD
DUser
cm
mdlet. Then byy using Windo
ows PowerShell, you
ca
an use the Ena
able-ADAccou
unt cmdlet forr each
lo
ocked user account. To make
e this easier, yo
ou can
diirectly pass the
e output data from one cmd
dlet into anoth
her cmdlet, wh
hich is called piping. Piping iss
pe
erformed by putting
p
the pip
pe (|) characterr between cmd
dlets. Each cmd
dlet is execute
ed from the lefft to the
rig
ght, each passsing its output to the next cm
mdlet in line. FFor example, yo
ou can get a liist of all users in the
do
omain and the
en pipe the listt to the Enable
e-ADAccountt cmdlet, by ru
unning the following commaand:
Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount
By piping an object with a list of all the users, you can use the Where-Object cmdlet to filter the accounts that are disabled based on the Enabled property of the account.
Note: This example is for teaching purposes only. It enables all the disabled accounts in the domain and should not be performed in a production environment because this may enable accounts that should remain disabled.
Options for Formatting Windows PowerShell Output
When you work with AD DS data, you may have to retrieve lists of users, computers, or groups and have to visualize the data by using a tool such as Microsoft Office Excel, or you may have to view only the specific properties on screen. Windows PowerShell enables both such scenarios. The first is formatting data for viewing on screen. There are several default cmdlets available to control how data is formatted. These cmdlets are described in the following table.
Cmdlet / Description
Format-List
Format-Table
Format-Wide
Format-Custom: This cmdlet outputs data in a format previously defined by using a PS1XML file. The settings in this file can specify which properties to show and how to arrange and group them. You can call this cmdlet by using the alias of FC. This cmdlet is useful when you view data that you access frequently and have to customize which properties are shown.
Measure-Object: This cmdlet takes the input object from the pipeline or variable and performs calculations on specified properties and on text in strings and files. Calculations include counting objects, determining the average, minimum, maximum, and sum of property values. It can also count the number of occurrences of words and characters in a file or string. It is used when you have to quickly calculate the number of users selected as part of a query or determine the memory a set of processes is using.
Select-Object: This cmdlet takes the input object from the pipeline or variable and outputs objects that have only the selected properties. It can also select a subset of items in each object by using the -First, -Last, -Unique, and -Index parameters, which is valuable when you work with large datasets.
Sort-Object: This cmdlet takes the input object from the pipeline or variable and sorts the data based on the selected properties. This is helpful when you have to provide a sorted list of data.
Where-Object: This cmdlet takes the input object from the pipeline or variable and then applies a filter that is based on a specified query. The queries used for filtering are enclosed in braces and include a comparison. This is helpful when you have to select specific types of data.
You can use all these cmdlets together to create customized output to the screen. You can also use Out-File to write the output to a text file, or Export-Csv to export the data as a comma separated values (CSV) file.
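The selection and formatting cmdlets from the table combined in one pipeline, as an added example that is not part of the course text: it builds a report of enabled accounts that have not logged on recently from a constructed set of user objects (standing in for Get-ADUser output), so it runs without a domain.

```powershell
# Constructed sample data standing in for:
#   $Users = Get-ADUser -Filter * -Properties Enabled, LastLogonDate, Department
$Users = @(
    [PSCustomObject]@{ Name = 'Adam'; Enabled = $true;  Department = 'Sales'; LastLogonDate = (Get-Date).AddDays(-3) }
    [PSCustomObject]@{ Name = 'Beth'; Enabled = $true;  Department = 'IT';    LastLogonDate = (Get-Date).AddDays(-120) }
    [PSCustomObject]@{ Name = 'Carl'; Enabled = $false; Department = 'Sales'; LastLogonDate = (Get-Date).AddDays(-400) }
    [PSCustomObject]@{ Name = 'Dana'; Enabled = $true;  Department = 'IT';    LastLogonDate = $null }   # never logged on
)
$StaleAfter = (Get-Date).AddDays(-90)

# Where-Object: the filter is a comparison inside braces; $_ is the current object.
# Enabled accounts that have not logged on in 90 days, or never, are the finding.
$Stale = $Users | Where-Object {
    $_.Enabled -and (($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $StaleAfter))
}

# Measure-Object: how many objects the query selected.
$Count = ($Stale | Measure-Object).Count
Write-Host "Enabled accounts with no logon in 90 days: $Count"

# Sort-Object and Select-Object: oldest logon first, only the properties the report needs.
$Report = $Stale |
    Sort-Object -Property LastLogonDate |
    Select-Object -Property Name, Department, LastLogonDate

# Format-Table with a calculated property, for the screen only. Format-* cmdlets emit
# formatting objects rather than data, so they must be the last step of a pipeline.
$Report | Format-Table -AutoSize -Property Name, Department, LastLogonDate,
    @{ Label = 'DaysSinceLogon'; Expression = {
        if ($_.LastLogonDate) { (New-TimeSpan -Start $_.LastLogonDate -End (Get-Date)).Days } else { 'never' } } }

# Export-Csv and Out-File take the unformatted objects, never Format-Table output.
$Report | Export-Csv -Path (Join-Path $env:TEMP 'StaleAccounts.csv') -NoTypeInformation
$Report | Out-File -FilePath (Join-Path $env:TEMP 'StaleAccounts.txt')
```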
Creating and Running Windows PowerShell Scripts
You can perform complicated multi-step tasks by using a pipeline and multiple cmdlets. There may be times where you have to run multiple functions, make choices, wait for tasks to complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell script to put all the steps together. A script is a text-based file that includes at least one Windows PowerShell command and is saved with a .PS1 file name extension. Scripts can be created to take input from the command line, letting you customize how the script executes.
Execution Policy
By default, the execution policy does not enable Windows PowerShell scripts to be executed
automatically. This safeguards the computer from enabling unattended scripts to run without the
administrator knowing. There are four execution policies that can be set and are as follows:
Restricted. This is the default policy for Windows Server 2012 and does not enable configuration
files to load, nor does it enable scripts to be run. The Restricted execution policy is perfect for any
computer for which you do not run scripts or for which you run scripts only rarely. (Be aware that
you could always manually open the shell with a less-restrictive execution policy.)
AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher,
including scripts created on your local computer. This execution policy is useful for environments
where you do not want to accidentally run any script unless it has an intact, trusted digital signature.
This policy is less convenient because it requires you to digitally sign every script that you write, and
re-sign each script every time that you make any changes to it.
RemoteSigned. This policy requires that all scripts and configuration files downloaded from the
Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local
scripts are ones that you create yourself, and you trust them. It does not require those scripts to be
signed. Scripts that are downloaded from the Internet or received through e-mail, however, are
not trusted unless they carry an intact, trusted digital signature. You could definitely still run those
scripts by running the shell under a lesser execution policy, for example, or even by signing the
script yourself, but those are additional steps that you have to take, so it is unlikely that you would
be able to run such a script accidentally or unknowingly.
Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must grant permission
for the script to run. The Unrestricted execution policy is not usually appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.
Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy is not
usually appropriate for production environments because it provides no protection against
accidentally or unknowingly running untrusted scripts.
You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To
configure the execution policy, you must open an elevated Windows PowerShell window and run the
Set-ExecutionPolicy cmdlet. After the execution policy is configured, you can run a script by typing in
the name of the script.
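An added example, not from the course text, that reads the execution policy at each scope and shows what AllSigned or RemoteSigned would decide about a given script before it is run; the script path is an assumption.

```powershell
$ScriptPath = 'C:\Scripts\Get-LatestLogon.ps1'   # assumed path; point it at any .ps1 file

# Get-ExecutionPolicy -List shows all five scopes. The effective policy is the first
# scope from the top that is not Undefined, so a Group Policy setting (MachinePolicy
# or UserPolicy) overrides anything configured with Set-ExecutionPolicy.
Get-ExecutionPolicy -List | Format-Table -AutoSize
Write-Host "Effective policy: $(Get-ExecutionPolicy)"

function Test-ScriptTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "Script not found: $Path" }

    # Status is Valid for an intact signature from a trusted publisher; NotSigned,
    # HashMismatch (file edited after signing) or UnknownError (untrusted signer)
    # would all be refused under AllSigned.
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(none)' }

    # RemoteSigned relies on the Zone.Identifier alternate data stream that browsers
    # and mail clients write; ZoneId 3 (Internet) or 4 (Restricted) marks a download.
    # A locally created file has no such stream, so Get-Content is told to stay silent.
    $ZoneLine = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue |
        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $FromInternet = ($null -ne $ZoneLine) -and ([int]($ZoneLine -replace '^ZoneId=', '') -ge 3)

    [PSCustomObject]@{
        Path                  = $Path
        SignatureStatus       = $Sig.Status
        Signer                = $Signer
        FromInternet          = $FromInternet
        RunsUnderAllSigned    = ($Sig.Status -eq 'Valid')
        RunsUnderRemoteSigned = (-not $FromInternet) -or ($Sig.Status -eq 'Valid')
    }
}

Test-ScriptTrust -Path $ScriptPath | Format-List
```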
Simple Scripts
Scripts are text files that have a .PS1 file name extension. These files contain one or more commands
that you want the shell to execute in a particular order. You can edit scripts by using Notepad, but the
Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively,
obtain hints on the correct command syntax, and immediately see the results. You can then paste those
results into a script for long-term use. Or you can type your commands directly into a script, highlight
each command, and press F8 to execute only the highlighted command. If you are pleased with the
results, you save the script and you are finished. Generally, there are very few differences between what
you can do in a script and what you would do on the command line. Commands work in the same
manner in a script. This means that a script can just be created by pasting commands that you have
already tested at the command line. The following is a simple script in a text file that is named
Get-LatestLogon.ps1.
# This script returns the five users who most recently logged on to the domain.
Get-ADUser -Filter * -Properties lastLogon | `
Sort-Object -Property lastLogon -Descending | `
Select-Object -First 5 | `
Format-Table name, `
@{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
-AutoSize
Using Windows PowerShell Loops and Conditional Expressions
Advanced Windows PowerShell scripts may require repeating commands a certain number of times, until a specific condition is met, or only if a specific condition is met. These test conditions are defined by using comparison statements.
Boolean Comparisons
Test, or comparison, statements are used as test conditions for loops and conditional constructs. These typically compare either two or more objects or two or more property values, and are designed to result in a True or False value. These comparisons are frequently known as Boolean comparisons, because they can only result in one of the two Boolean values, True or False. As part of designing a Windows PowerShell script, using Boolean comparisons is a common enough task: You might compare two computer names to see whether they are equal, or compare a performance counter value to a predetermined threshold value to see which of the two is greater. The comparison operators sit between the two items that you want to compare. You probably remember simple comparisons from grade school math with comparisons like 10 > 4, 5 < 10, and 15 = 15. Windows PowerShell performs comparisons the same way, although it has its own syntax. Some common comparison operators are as follows:
-eq. Equal to
-ne. Not equal to
Windows PowerShell defines two special variables for comparisons, $True and $False, which represent
the Boolean values true and false. If a comparison is true, the expression is evaluated as $True and if the
comparison is not true, the expression is evaluated as $False. For example, the comparison 4 is greater
than 10 (4 -gt 10) will produce $False as its result, whereas 10 is equal to 10 (10 -eq 10) would produce
$True. Windows PowerShell enables you to execute comparisons right on the command line. Type your
comparison and press Enter to see the result of the comparison. The real value of Boolean
comparisons is shown when they are used in loops and conditional expressions.
There are several Windows PowerShell constructs that make use of Boolean comparisons to control the
execution of code in a script. These constructs are if, switch, for, while, and foreach.
The if Statement
The if statement can be used to execute a block of code if the specified criteria are met. The basic
functionality of an if statement is shown in the following example:
if (Boolean comparison)
{
Code to complete if test expression is true
}
Another option that allows for additional possibilities is to use the else and elseif statements. When you
want to execute special code if a condition exists, or execute other code if it does not exist, you can use
else. If there are additional conditions that you want to test for, you can use the elseif statement.
Consider the following example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
if ($Today.DayOfWeek -eq "Monday")
{
Set-ADUser -Identity Administrator -StreetAddress "Headquarters"
}
elseif ($Today.DayOfWeek -eq "Thursday")
{
Set-ADUser -Identity Administrator -StreetAddress "London Office"
}
else
{
Set-ADUser -Identity Administrator -StreetAddress "Out of the Office"
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
"is working from the $($Admin.StreetAddress)"
Using the previous example, you can achieve the same functionality with less work as shown in this
example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
# Write current settings to console
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
switch ($Today.DayOfWeek)
{
Monday {Set-ADUser -Identity Administrator -StreetAddress "Headquarters"}
Thursday {Set-ADUser -Identity Administrator -StreetAddress `
"London Office"}
default {Set-ADUser -Identity Administrator -StreetAddress `
"Out of the office"}
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
"is working from the $($Admin.StreetAddress)"
When many alternative conditions have to be tested, the switch statement may be an easier option to use
and debug.
The for loop can be used to execute a block of code a specific number of times. This is useful when multiple
items have to be requested or created. The for statement syntax is as follows:
for (setup loop variables ; Boolean comparison ; action after each loop)
{
Code to complete while Boolean comparison is true
}
The for loop begins with settings to configure variables, the Boolean comparison, and an action to
complete after each loop. Consider the following example that creates five new computer accounts with
unique names using a for statement:
# Create a variable named $i and assign it a value of 1
# Execute the for loop for as long as $i is less than 6
# After each loop add 1 to the value of $i
for ($i = 1 ; $i -lt 6 ; $i++)
{
# Create a variable with the name of the computer account
$ComputerAcct = "LON-SRV" + $i
New-ADComputer -Name $ComputerAcct
}
The while loop can be used to execute a block of code while a specific condition exists. It resembles the
for loop, except that it does not have built-in mechanisms to set up variables and actions to run after each
loop. This enables the while statement to continue executing until a condition is met instead of a set
number of times. The while statement syntax is as follows:
while (Boolean comparison)
{
Code to complete while Boolean expression is true
}
This script prints a random number on the screen until one of the random numbers is less than
50,000,000. The $i variable's value must be set before the while loop so that the while loop executes, as
follows:
$i = 99999999999
while ($i -gt 50000000)
{
Write-Host "Random Value: $i"
$i = Get-Random
}
Also available is the do/while loop, which works just like the while loop; however, the Boolean expression is
evaluated at the end of the loop instead of the beginning. This means that the code block in a do/while
loop will always be executed at least one time. The value of $i does not have to be set before the do/while
loop because it is evaluated at the end of the loop. The following example shows a do/while loop:
do {
Write-Host "Random Value: $i"
$i = Get-Random
} while ($i -gt 50000000)
The foreach statement iterates through an array (collection), item by item, assigning a specifically named
variable to the current item of the collection. Then it runs the code block for that element.
foreach ($item in $collection)
{
Code to complete for each item in the collection.
}
Using the foreach statement can make batch modifications easier. Consider, for example, setting a
description for all users who are members of a specific group, as shown in the following example:
# Get a list of the members of the Domain Admins group
$DAdmins = Get-ADGroupMember "Domain Admins"
# Go through each member and set the Description
foreach ($user in $DAdmins)
{
Set-ADUser -Identity $user.DistinguishedName -Description "In the Domain Admins Group"
}
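As an added example that is not part of the course text, the foreach, if/elseif/else and switch constructs above are combined into one audit of privileged group membership against an approved baseline; the group names and members are constructed sample data standing in for Get-ADGroupMember output.

```powershell
# Approved membership per group (constructed baseline).
$Approved = @{
    'Domain Admins'        = @('Administrator', 'svc_backup')
    'Account Operators'    = @('helpdesk1')
    'Remote Desktop Users' = @('rdpuser1', 'rdpuser2')
}
# Current membership (constructed). In a domain each value would come from:
#   Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
$Current = @{
    'Domain Admins'        = @('Administrator', 'svc_backup', 'tempadmin')   # unexpected member
    'Account Operators'    = @()                                              # approved member missing
    'Remote Desktop Users' = @('rdpuser1', 'rdpuser2', 'contractor7')
}

function Get-GroupDrift {
    param([hashtable]$Baseline, [hashtable]$Actual)

    foreach ($Group in $Baseline.Keys) {
        # switch: pick a severity from the group name; default covers every other group.
        $Severity = switch ($Group) {
            'Domain Admins'     { 'Critical' }
            'Account Operators' { 'High' }
            default             { 'Medium' }
        }

        # foreach over the members actually present; if/elseif/else classifies each one.
        foreach ($Member in $Actual[$Group]) {
            if ($Baseline[$Group] -contains $Member) {
                continue                                  # expected, nothing to report
            }
            elseif ($Member -like 'svc_*') {
                $Finding = 'Unapproved service account'
            }
            else {
                $Finding = 'Unapproved member'
            }
            [PSCustomObject]@{ Group = $Group; Member = $Member; Severity = $Severity; Finding = $Finding }
        }

        # Approved members that have disappeared are drift too.
        foreach ($Member in $Baseline[$Group]) {
            if ($Actual[$Group] -notcontains $Member) {
                [PSCustomObject]@{ Group = $Group; Member = $Member; Severity = $Severity; Finding = 'Approved member removed' }
            }
        }
    }
}

Get-GroupDrift -Baseline $Approved -Actual $Current |
    Sort-Object -Property Severity, Group |
    Format-Table -AutoSize
```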
Demonstration: Managing AD DS by Using Windows PowerShell
In this demonstration, you will review how to manage users and groups in Windows PowerShell.
Demonstration Steps
1. Start and log on to LON-DC1. Log on as the domain administrator.
2. Open Windows PowerShell ISE as an administrator.
3. Refer to the demonstration script in virtual machine LON-DC1 at E:\ModXA\Democode\Managing Users and Groups.ps1.
Active Directory Administrative Center Integration with Windows PowerShell
Active Directory Administrative Center is built on Windows PowerShell technology. It provides administrators the ability to perform enhanced data management by using a GUI. Using Active Directory Administrative Center, you can perform the following tasks:
Manage groups
Because Active Directory Administrative Center is built on Windows PowerShell, it can expose the Windows PowerShell commands that are used to interact with the GUI. These commands can be used to learn Windows PowerShell, build Active Directory management scripts, and keep track of changes that are made within the GUI.
Lesson 3
Managing Servers by Using Windows PowerShell 3.0
As you become familiar with Windows PowerShell, you can perform administrative and management tasks with more ease. There are advanced features in Windows PowerShell 3.0 which let you manage a single server from a local console and manage many servers from a remote location. The advanced features include Windows PowerShell Web Access, Windows PowerShell jobs, and Windows PowerShell workflow.
This lesson introduces some more advanced features of Windows PowerShell 3.0 and discusses how you might use the features to manage servers in your environment.
Lesson Objectives
After completing this lesson, students will be able to:
Describe the need to use Windows PowerShell for managing servers.
Describe how to configure and use Windows PowerShell Web Access.
Discussion: The Need for Windows PowerShell for Server Management
Windows PowerShell has many features that make it useful in both large and small environments. Frequently the most difficult part of using Windows PowerShell is the starting point. Using Windows PowerShell to perform tasks that you perform every day will help you become more comfortable and more proficient in using it.
Consider the following questions:
Question: Why use Windows PowerShell for server management?
Question: What tasks will you use Windows PowerShell to perform?
What Is Windows PowerShell Web Access?
Windows PowerShell Web Access is a new feature in Windows Server 2012 that provides a web-based gateway to Windows PowerShell. This enables authorized users to administer a server without having management tools directly installed on their client computer, or having to use Remote Desktop to connect to the server. The administrator only has to configure a Windows PowerShell Web Access gateway, and use a web browser to connect.
The Windows PowerShell Web Access gateway requires the Web Server Internet Information Services (IIS) role, the .NET Framework 4.5, and Windows PowerShell 3.0 to be installed. Many client types are supported to access Windows PowerShell Web Access, and still others are tested to work successfully. In order to work, the web browser must allow cookies, support connecting to the gateway by using Secure Sockets Layer (SSL), and also support JavaScript.
Installing Windows PowerShell Web Access Gateway
To install Windows PowerShell Web Access gateway:
1. Install Windows PowerShell Web Access role.
2.
3.
4. Configure Windows PowerShell Web Access authorization rules. By default, no one will be able to use Windows PowerShell Web Access until at least one authorization rule is created. An authorization rule defines which users and groups have access to specific cmdlets and which computers they can access from the gateway. Authorization rules are added by using the Add-PswaAuthorizationRule cmdlet. You can validate the functionality of the rules by using the Test-PswaAuthorizationRule cmdlet. Authorization rules are, by default, stored in %windir%\Web\PowerShellWebAccess\data\AuthorizationRules.xml.
5. Configure destination computer authentication and authorization rules. You must configure the destination computer security settings to enable remote access from the gateway. As you assign administrative permission to the target computers, we recommend assigning only the minimally required permissions and setting the appropriate execution policy for your environment.
6. Configure additional security options. As in any environment, appropriate security best practices should be followed. One example is installing and monitoring antivirus and anti-malware products on all the servers. Additionally, password expiration, lockout, and complexity policies should also be implemented.
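Steps 4 and 5 carried out with least privilege, as an added example that is not part of the course text: the destination computer gets a constrained endpoint and the gateway gets one rule scoped to a group, a computer and that endpoint. The group ADATUM\ServerOps, the computer names, the endpoint name AdatumReadOnly and the user ADATUM\alice are assumptions.

```powershell
# --- On the destination computer (LON-SVR1): a constrained endpoint -----------------
# A RestrictedRemoteServer session exposes only the cmdlets listed in VisibleCmdlets,
# so a gateway user mapped to it cannot run arbitrary commands even after a valid logon.
$Pssc = Join-Path $env:TEMP 'AdatumReadOnly.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Get-Process', 'Get-EventLog', 'Get-WindowsFeature'
Register-PSSessionConfiguration -Name AdatumReadOnly -Path $Pssc -Force
# Restrict who may connect to the endpoint at all: grant only ADATUM\ServerOps
# Execute(Invoke) in the dialog that opens, and leave the default endpoints untouched.
Set-PSSessionConfiguration -Name AdatumReadOnly -ShowSecurityDescriptorUI -Force

# --- On the gateway: one rule scoped to group, computer and endpoint ---------------
# Nothing is allowed until a rule exists; avoid the wildcard '*' for any of the three.
Add-PswaAuthorizationRule -UserGroupName 'ADATUM\ServerOps' `
    -ComputerName 'LON-SVR1.adatum.com' `
    -ConfigurationName 'AdatumReadOnly' `
    -RuleName 'ServerOps-LON-SVR1-ReadOnly'

# Verify the rule set: Test-PswaAuthorizationRule returns the rules that would
# authorize the request, so no output means the gateway would deny it.
Test-PswaAuthorizationRule -UserName 'ADATUM\alice' -ComputerName 'LON-SVR1.adatum.com' -ConfigurationName 'AdatumReadOnly'
# Same user against the domain controller and the default endpoint: expected to return nothing.
Test-PswaAuthorizationRule -UserName 'ADATUM\alice' -ComputerName 'LON-DC1.adatum.com' -ConfigurationName 'Microsoft.PowerShell'
Get-PswaAuthorizationRule | Format-Table -AutoSize
```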
Using Windows PowerShell Web Access
To use Windows PowerShell Web Access, open a web browser and connect to the server by using https://ServerName/pswa. The logon page lets you connect directly to the gateway, to another server on the organization network, or to a custom URI. Using the optional connection settings on the logon page can specify one user account to log on to the gateway and specify another account to connect to the
After you have established a Windows PowerShell session by using Windows PowerShell Web Access, you can begin using Windows PowerShell cmdlets and executing scripts based on the execution policy settings. Although most of the functionality is the same as using Windows PowerShell remoting, there are some differences. For example, you cannot use some shortcut keys to interact with Windows PowerShell Web Access such as Ctrl+C to copy data, or any of the function keys used for things such as command history.
Additional Reading: Deploy Windows PowerShell Web Access
http://technet.microsoft.com/en-us/library/hh831611.aspx
What Are Windows PowerShell Jobs?
A Windows PowerShell background job runs a command or set of commands without interacting with the current Windows PowerShell session. You can start a background job by using the Start-Job cmdlet and then you can continue to work in the session. Using jobs can be useful when you perform tasks that can take an extended time to complete. You can also use jobs to perform the same task on several computers. The following example shows creating a new job on the local computer:
Start-Job -ScriptBlock {Get-ADUser -Filter *}
You can see the status of the job by using the Get-Job cmdlet and use Wait-Job to be notified when the job is complete. If you have to remove a job that has not executed, you can do so with the Remove-Job cmdlet. These jobs are run in the background so they do not return results to your Windows PowerShell session. If you output data to the console in a background job, you can return those results by using the Receive-Job cmdlet.
Windows PowerShell 3.0 introduced an improvement to background jobs, which are known as scheduled jobs. These jobs can be triggered to start automatically or performed on a recurring schedule. When a scheduled job is created, it is stored on disk and then registered in Task Scheduler. When a scheduled job is run, it creates an instance of the job that can then be managed by using the common job management cmdlets. The only difference between scheduled jobs and background jobs is that scheduled jobs save their results on disk.
Scheduled jobs are created by using the Register-ScheduledJob cmdlet. You can specify the ScriptBlock parameter to run a Windows PowerShell command, or you can specify a script by using the FilePath parameter. The following example shows how to register a scheduled job to run the Get-LatestLogon.ps1 script:
Register-ScheduledJob -Name LastLogonJob -FilePath \\LON-SVR1\Scripts\Mod3\democode\GetLastLogon.ps1
To enable the scheduled job to run, a schedule or trigger must be defined. Triggers are created by using the New-JobTrigger cmdlet. Using this cmdlet, you can use the Add-JobTrigger cmdlet to add the trigger to an already registered scheduled job, or use it to assign a trigger when a new scheduled job is registered. Triggers can be scheduled once, daily, weekly, at server startup, or when you log on. The following example shows creating a trigger that runs every Monday and Friday at 9:00 am and then registers the new scheduled job together with the trigger:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledLastLogonJob -FilePath `
\\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1 -Trigger $Trigger
You can also use the Add-JobTrigger cmdlet to modify an existing scheduled job, as shown in the following example:
Add-JobTrigger -Name LastLogonJob -Trigger `
(New-JobTrigger -Daily -At 9:00AM)
Scheduled jobs can be used to automatically run tasks for: creating reports, verifying configuration settings, performing user and group maintenance, and many others.
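The job cmdlets named above run as one sequence, as an added example that is not part of the course text: a background job is started, waited for, read and removed, then a scheduled job is registered, inspected where it is stored, and unregistered. The job names are assumptions, and Get-Service stands in for Get-ADUser so the block runs on any Windows host.

```powershell
# --- Background job: start, wait, collect, clean up ---------------------------------
$Job = Start-Job -Name StoppedServices -ScriptBlock {
    Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Select-Object -Property Name, StartType
}
Get-Job -Id $Job.Id | Format-Table -Property Id, Name, State, HasMoreData -AutoSize

# Wait-Job blocks until the job finishes; -Timeout keeps a hung job from blocking forever
# (it returns nothing when the timeout expires first).
$Finished = Wait-Job -Job $Job -Timeout 60
if ($null -eq $Finished) {
    Stop-Job -Job $Job
    Write-Warning 'Job did not finish within 60 seconds and was stopped.'
}
elseif ($Finished.State -eq 'Failed') {
    # Errors raised inside the job surface through the child job's Error stream.
    $Job.ChildJobs[0].Error | ForEach-Object { Write-Warning $_ }
}
else {
    # Output stays buffered in the job until Receive-Job reads it; -Keep leaves a copy behind.
    $Results = Receive-Job -Job $Job -Keep
    Write-Host "Stopped services: $(($Results | Measure-Object).Count)"
}
Remove-Job -Job $Job -Force

# --- Scheduled job: register, inspect, and know where it lives ----------------------
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday, Friday -At '9:00AM'
Register-ScheduledJob -Name WeeklyStoppedServices -Trigger $Trigger -ScriptBlock {
    Get-Service | Where-Object { $_.Status -eq 'Stopped' }
}
# A scheduled job is a Task Scheduler task under \Microsoft\Windows\PowerShell\ScheduledJobs
# plus a definition and result store on disk; both belong in a periodic review of what
# runs unattended on the server.
Get-ScheduledJob | Format-Table -Property Id, Name, Enabled, Command -AutoSize
Get-JobTrigger -Name WeeklyStoppedServices | Format-Table -Property Frequency, DaysOfWeek, At, Enabled -AutoSize
Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\PowerShell\ScheduledJobs')
Get-ScheduledTask -TaskPath '\Microsoft\Windows\PowerShell\ScheduledJobs\' | Format-Table -Property TaskName, State

# Unregistering removes the definition, its stored results and the Task Scheduler entry.
Unregister-ScheduledJob -Name WeeklyStoppedServices -Force
```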
Introduction to Windows PowerShell Workflow
Windows PowerShell Workflow is a new feature in Windows PowerShell 3.0. It enables easy-to-use workflows, or task sequences, within the familiar Windows PowerShell interface. A workflow can include individual Windows PowerShell commands or complete scripts. The difference between a workflow and perhaps an intricately designed script is that a workflow is designed to also be stopped, paused, and resumed. The workflow can wait until steps successfully complete to continue to the next workflow step. For example, you can create a workflow that makes changes to multiple computers and waits for them all to restart before continuing to the next configuration step in the workflow.
Windows PowerShell workflows can be created by using a Windows PowerShell console, the Windows PowerShell ISE, or by using Microsoft Visual Studio Workflow Designer. Workflows created in Visual Studio Workflow Designer are saved with a XAML file name extension. These workflows are imported by using the Import-Module cmdlet.
Workflows are run as Windows PowerShell jobs. Therefore, you can use the same cmdlets to manage running workflows as you do jobs. A workflow is created by using the following syntax:
Workflow WorkflowName { Commands to execute as part of the workflow }
After a workflow is created, it is executed as a cmdlet is executed. Each workflow can be executed with the
parameters that are listed in the following table.
Parameter / Description
-PSComputerName
-PSRunningTimeoutSec
-PSConnectionRetryCount
-PSPersist: Toggles the workflow to checkpoint data and state after each activity
In a workflow, commands can be performed in a parallel or sequential manner. Commands that can
be run in parallel are identified by using the parallel keyword. Commands that must be performed
sequentially are identified by using the sequence keyword. The following example shows a workflow
with both keywords being used:
Workflow Get-DomainServerStats
{
# The following are executed in any order
Parallel
{
Get-Process
Get-ADUser -Filter *
# The following are executed sequentially
Sequence
{
Set-ADUser -Identity Administrator -Description "Updated content"
Get-ADUser -Identity Administrator -Properties Description
}
}
}
Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then log on to LON-DC1 as the domain administrator.
2.
Password: Pa$$w0rd
Computer: LON-DC1
3. Start a new job to list all Active Directory users, by using the Start-Job cmdlet.
4.
5. Create a new scheduled job by running the following commands, each followed by Enter:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledJob1 -ScriptBlock {Get-ADUser -Filter *} -Trigger $Trigger
6.
As the A. Datum network grows in size and complexity, it is becoming increasingly apparent that some IT
management processes have to be streamlined. The number of users in the organization is increasing
quickly with users distributed in many locations. Servers are also being deployed in multiple data centers
and in private and public clouds. A. Datum is deploying most new servers as virtual servers in Hyper-V. A.
Datum has to ensure that both the host computers and virtual machines are managed consistently.
To address these server and AD DS management issues, you have to gain familiarity with Windows
PowerShell. You have to understand how to run simple and complex commands and how to create scripts
that will automate many of the regular management tasks.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 30-60 minutes
Virtual Machine(s)
20417-LON-DC1
20417-LON-SVR1
20417-LON-SVR2
User Name
Adatum\Administrator
Password
Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
a.
b. Password: Pa$$w0rd
2.
3.
Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1.
1.
2. Use tab completion to find the correct cmdlet that begins with Get-Ex to see the execution policy setting on LON-DC1.
2.
3.
4. Use the Get-Help cmdlet to view the examples of how to use Where-Object.
5. Use a pipeline to pipe the $Services variable to the Where-Object cmdlet to show only services that have a status of stopped.
If it is necessary, open Windows PowerShell ISE as an administrator and open a new remote PowerShell tab.
2.
3.
4.
5. Use command history to run Get-WindowsFeature and verify that XPS Viewer is installed.
6.
Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used cmdlets, variables, and pipelining.
After you explore Windows PowerShell interface and cmdlets, you want to explore options and available
cmdlets in the Active Directory module for Windows PowerShell and begin to use it for basic tasks such as
formatting Windows PowerShell output, using variables and loops, and creating scripts.
The main tasks for this exercise are as follows:
1. Import the Active Directory PowerShell module and view the available cmdlets.
2. View options on how to create a report of users in the Active Directory domain.
3. Use a script to create new users in the domain by using a CSV-based file.
4. Create a script to modify the address of a user based on the day of the week.
Task 1: Import the Active Directory PowerShell module and view the available cmdlets
1.
2.
3. Use the Get-Command cmdlet to view the cmdlets available in the Active Directory module.
Task 2: View options on how to create a report of users in the Active Directory domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. Use the Get-Command cmdlet to view the cmdlets available in the ActiveDirectory module.
3. Use Windows PowerShell to view a list of all users in the domain. Review how Format-List modifies the formatting by running the following commands:
Get-ADUser -Filter * | Format-List
Get-ADUser -Filter * | Format-List -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-List *
4. Use Windows PowerShell to view a list of all users in the domain. Review how Format-Table modifies the formatting by running the following commands:
Get-ADUser -Filter * | Format-Table
Get-ADUser -Filter * | Format-Table -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-Table
5. Use Windows PowerShell to view a list of all OUs in the domain. Review how Format-Wide modifies the formatting by running the following commands:
Get-ADOrganizationalUnit -Filter * | Format-Wide
Get-ADOrganizationalUnit -Filter * | Format-Wide -Column 3
6. Use Windows PowerShell to adjust the formatting of the users report. Review how the Sort-Object cmdlet modifies the output by running the following commands:
Get-ADUser -Filter * | Sort-Object | Format-Wide
Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID
7. Run the following command to see how to use the Measure-Object cmdlet:
Get-ADUser -Filter * | Measure-Object
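The Task 2 cmdlets combined into one user report. This is an added example and not part of the course lab; it assumes the ActiveDirectory module is installed (RSAT-AD-PowerShell), a domain-joined elevated session, and an output folder C:\Reports. It goes beyond the task by requesting only the attributes it needs and by pulling out two account populations a security reviewer looks for first.

```powershell
# Added example (not course lab material): an Active Directory user report built from the
# Format-*, Sort-Object and Measure-Object cmdlets. Assumes the ActiveDirectory module and
# an existing C:\Reports folder.
Import-Module ActiveDirectory

# Ask the domain controller for just the attributes the report needs. "-Properties *"
# retrieves every attribute for every user and is slow on a large domain.
$Users = Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled

# Table view: one line per user, sorted by surname then given name.
$Users |
    Sort-Object -Property Surname, GivenName |
    Format-Table -Property SamAccountName, GivenName, Surname, Enabled, LastLogonDate -AutoSize

# Counts with Measure-Object.
$Total   = ($Users | Measure-Object).Count
$Enabled = ($Users | Where-Object { $_.Enabled } | Measure-Object).Count
"Total users: $Total   Enabled: $Enabled   Disabled: $($Total - $Enabled)"

# Two subsets worth reviewing: enabled accounts whose password never expires, and enabled
# accounts with no logon for 90 days (stale accounts are a common foothold for attackers).
$Cutoff       = (Get-Date).AddDays(-90)
$NeverExpires = $Users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }
$Stale        = $Users | Where-Object { $_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff }

"Enabled accounts with PasswordNeverExpires set:"
$NeverExpires | Format-Wide -Property SamAccountName -Column 3

"Enabled accounts with no logon since $($Cutoff.ToShortDateString()):"
$Stale | Sort-Object LastLogonDate | Format-Table SamAccountName, LastLogonDate -AutoSize

# Format-* cmdlets produce text for the screen only. To keep a record, export the objects.
$Users |
    Select-Object SamAccountName, GivenName, Surname, Enabled, LastLogonDate, PasswordNeverExpires |
    Export-Csv -Path 'C:\Reports\ADUsers.csv' -NoTypeInformation
```

Note that LastLogonDate is replicated only approximately (it is derived from lastLogonTimestamp, which is updated at most every 14 days by default), so treat the stale-account list as a starting point, not as proof that an account is unused.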
Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. Use Notepad.exe to view E:\ModXA\Democode\LabUsers.csv. You will need to change the file type to all files.
3. On line 13, modify the $OU variable to read: $OU = "OU=Sales,DC=adatum,DC=com"
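A complete version of the kind of script Task 3 uses. This is an added example, not the lab's LabUsers.csv or its creation script; the CSV columns (FirstName, LastName, SamAccountName, Department), the OU path and the UPN suffix adatum.com are assumptions, and the sample rows are constructed so the script runs end to end.

```powershell
# Added example; not the lab's LabUsers.csv or its creation script. Creates domain users
# from a CSV file with New-ADUser. Assumed: the CSV columns FirstName, LastName,
# SamAccountName and Department; the target OU; the UPN suffix adatum.com.
Import-Module ActiveDirectory

$OU      = 'OU=Sales,DC=adatum,DC=com'     # container the accounts go into (must exist)
$Suffix  = 'adatum.com'                    # UPN suffix; assumption
$CsvPath = Join-Path $env:TEMP 'LabUsers.csv'

# Constructed sample input so the script can be run end to end; replace with the real file.
@'
FirstName,LastName,SamAccountName,Department
Abbi,Skinner,ASkinner,Sales
Ken,Ewert,KEwert,Sales
'@ | Set-Content -Path $CsvPath

# Ask for the initial password once; never store it in the CSV or hard-code it in the script.
$InitialPassword = Read-Host -Prompt 'Initial password for the new users' -AsSecureString

foreach ($Row in Import-Csv -Path $CsvPath) {
    $Sam = $Row.SamAccountName

    # Existence check with a script-block filter. Building the filter by string
    # concatenation from CSV values would let a stray quote in the file change the query.
    if (Get-ADUser -Filter { SamAccountName -eq $Sam }) {
        Write-Warning "Skipping $Sam - the account already exists."
        continue
    }

    $Params = @{
        Name                  = "$($Row.FirstName) $($Row.LastName)"
        GivenName             = $Row.FirstName
        Surname               = $Row.LastName
        SamAccountName        = $Sam
        UserPrincipalName     = "$Sam@$Suffix"
        Department            = $Row.Department
        Path                  = $OU
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true   # the user sets a private password at first logon
        Enabled               = $true
    }

    try {
        New-ADUser @Params -ErrorAction Stop
        "Created $Sam in $OU"
    } catch {
        Write-Error "Failed to create ${Sam}: $($_.Exception.Message)"
    }
}
```

The existence check makes the script safe to re-run after a partial failure, and ChangePasswordAtLogon means the shared initial password is never the account's long-term secret.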
Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\Using If Statements.ps1
3. Review each section of the script and then run the script. Run the script a second time to view the changes.
Results: After completing this lab, you will have explored the Active Directory Windows PowerShell module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to create users, and used Windows PowerShell conditional statements to modify Active Directory properties.
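An if/elseif/else script of the kind Task 4 opens. This is an added example, not the lab's "Using If Statements.ps1"; the user name ASkinner and the three addresses are assumptions, and the Set-ADUser call carries -WhatIf so the first run only shows what it would change.

```powershell
# Added example (not the lab's "Using If Statements.ps1"): chooses a street address from
# the day of the week with if / elseif / else and writes it to a user with Set-ADUser.
# The user name and addresses are assumptions; remove -WhatIf to apply the change.
Import-Module ActiveDirectory

function Get-AddressForDay {
    param([System.DayOfWeek] $Day)
    # Weekend, Friday, and every other weekday each get their own branch.
    if ($Day -eq [System.DayOfWeek]::Saturday -or $Day -eq [System.DayOfWeek]::Sunday) {
        return '1 Weekend Road'
    } elseif ($Day -eq [System.DayOfWeek]::Friday) {
        return '5 Friday Street'
    } else {
        return '10 Main Street'
    }
}

$User    = 'ASkinner'                # assumed sAMAccountName
$Today   = (Get-Date).DayOfWeek
$Address = Get-AddressForDay -Day $Today

# Read the current value first so a second run can show "no change" instead of rewriting.
$Current = (Get-ADUser -Identity $User -Properties StreetAddress).StreetAddress
if ($Current -eq $Address) {
    "No change: $User already has address '$Address' ($Today)."
} else {
    "Updating $User from '$Current' to '$Address' ($Today)."
    # Directory writes are audited changes; keep a record of who ran this and when.
    Set-ADUser -Identity $User -StreetAddress $Address -WhatIf
}
```

Running it a second time on the same day takes the "No change" branch, which is the behaviour the lab asks you to observe.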
Because of plans for remote server management, you want to explore the possibilities of using Windows PowerShell for remote management. You want to test remote connections in Windows PowerShell and Windows PowerShell Web Access.
The main tasks for this exercise are as follows:
Create a Windows PowerShell Web Access authorization rule that enables only the administrator to access the gateway, by using the Add-PswaAuthorizationRule cmdlet.
Sign in to Windows PowerShell Web Access with the following settings:
User: Administrator
Password: Pa$$w0rd
Computer: LON-DC1
Verify that you can retrieve information from LON-SVR1 by retrieving the five newest System events. Run the following command:
Get-EventLog -LogName System -Newest 5
Obtain the newest events from LON-SVR2 and LON-DC1 by running the following command:
Invoke-Command -ScriptBlock { Get-EventLog -LogName Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2
Results: After this exercise, you will have performed one-to-many management of remote servers by using Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by using Windows PowerShell Web Access.
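The exercise's two pieces, one-to-many remoting and a least-privilege Windows PowerShell Web Access rule, written out. This is an added example and not the course's lab script; computer names follow the lab (LON-DC1, LON-SVR1, LON-SVR2), and the account name ADATUM\Administrator, the session configuration name and the use of a test certificate are assumptions.

```powershell
# Added example (not lab material): Invoke-Command against several hosts, then a
# Windows PowerShell Web Access (PSWA) gateway with a single, narrow authorization rule.
# Run on LON-DC1 in an elevated session; names other than the lab's hosts are assumptions.

# --- One-to-many remoting ---------------------------------------------------------
$Computers = 'LON-DC1', 'LON-SVR1', 'LON-SVR2'

# The script block runs on every host in parallel. Each returned object gets a
# PSComputerName property, so the results can be sorted and grouped per host.
$Events = Invoke-Command -ComputerName $Computers `
    -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors `
    -ScriptBlock { Get-EventLog -LogName System -Newest 5 }

$Events |
    Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, EntryType, Source, EventID -AutoSize

# A host that is down or refuses WinRM does not abort the run; report it afterwards.
foreach ($Err in $RemoteErrors) {
    Write-Warning "Remote failure: $($Err.Exception.Message)"
}

# --- Windows PowerShell Web Access gateway ----------------------------------------
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools

# -UseTestCertificate is for a lab only: browsers will not trust it. A production
# gateway binds a CA-issued certificate to the HTTPS site instead.
Install-PswaWebApplication -UseTestCertificate

# Authorization rules are deny-by-default. This single rule lets only the administrator
# reach LON-DC1 through the gateway, and only via the default session configuration.
Add-PswaAuthorizationRule -UserName 'ADATUM\Administrator' `
    -ComputerName 'LON-DC1' -ConfigurationName 'Microsoft.PowerShell'

# Review the allow-list before handing out the gateway URL.
Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize
```

The gateway is an Internet-facing sign-in page for an administrative shell, so the rule set is the control that matters: one user, one destination, one session configuration, and wildcards only when a ticket justifies them.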
In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
Best Practices
Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This will make you more comfortable working with Windows PowerShell and will equip you to use it to resolve more difficult problems.
Save the commands that you have used to resolve problems in a script file for later reference.
Use Windows PowerShell ISE to help write scripts and ensure that you have the correct syntax.
Troubleshooting Tip
Tools
You can use the tools in the following table to work with Windows PowerShell.
Tool                 Description
Powershell.exe
Many common tools can be replaced with Windows PowerShell cmdlets. The following table gives some examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows Server 2012.
Old command                                    Windows PowerShell cmdlet
ipconfig /all                                  Get-NetIPConfiguration
shutdown.exe                                   Restart-Computer
net start                                      Start-Service (Restart-Service)
net stop                                       Stop-Service (Restart-Service)
net use                                        New-SmbMapping
netstat                                        Get-NetTCPConnection
netsh advfirewall firewall add rule            New-NetFirewallRule
route print                                    Get-NetRoute
Module 4
Managing Storage for Windows Server 2012
Contents:
Module Overview
4-1
Module Overview
Storage space requirements have been increasing ever since the invention of server-based file shares. The
Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk
space that is required and to effectively manage physical disks: data deduplication and storage spaces.
This module provides an overview of these features and explains the steps required to configure them.
Another concern in storage is the connection between the storage and the remote disks. Internet small
computer system interface (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps
create a connection between the servers and the storage. To implement iSCSI storage in Windows Server
2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. Also,
in organizations that have branch offices, you have to consider slow links and how to use these links
efficiently when data is sent between your offices. The BranchCache feature in Windows Server 2012 helps
address the problem of slow connectivity. This module explains the BranchCache feature and the steps to
configure BranchCache.
Objectives
After completing this module, you will be able to:
Configure BranchCache.
Lesson 1
File and Storage Services in Windows Server 2012
Lesson Objectives
After completing this lesson, you will be able to:
File and Storage Services includes technologies that help you set up and manage one or more file servers. File servers are servers that act as central locations on the network where you can store files and, optionally, share them with users.
Windows Server 2012 offers the following new file and storage services features:
Unified remote management of File and Storage Services in Server Manager. You can use this feature to remotely manage multiple file servers, including their role services and storage, all from a single window.
Windows PowerShell cmdlets for File and Storage Services. You can use the Windows PowerShell cmdlets for performing most administration tasks for file and storage servers.
Additional Reading: File and Storage Services overview
http://technet.microsoft.com/en-us/library/hh831487(d=lightweight,v=ws.11)
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are the problems with volumes of that size?
What Is Data Deduplication?
Data deduplication is a role service of Windows Server 2012. Data deduplication identifies and removes duplications within data without compromising its integrity, to achieve the ultimate goal of storing more data while using less physical disk space.
When combined with BranchCache, the same optimization techniques are applied to data that is transferred over the wide area network (WAN) to a branch office. This results in faster file download times and reduced bandwidth consumption.
Volume Requirements for Data Deduplication
Volumes must not be a system or boot volume. Deduplication is not supported on volumes where the operating system is installed.
Volumes may be partitioned by using master boot record (MBR) or GUID partition table (GPT) format, and must be formatted by using the NTFS file system. The new Resilient File System (ReFS) is not supported for use on a data deduplication volume.
Volumes must be exposed to Windows as non-removable drives, that is, no USB or floppy drives.
Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI (SAS) array, or an iSCSI storage area network (SAN).
When you enable data deduplication on a volume, a background task runs with low priority that processes the files on the volume. That is, the background task segments all file data on the volume into small, variable-sized chunks (32 to 128 KB). Then, it identifies chunks that have one or more duplicates on the volume. All duplicate chunks are then replaced (erased from disk) with a reference to a single copy of that chunk. Finally, all remaining chunks are compressed so that even more disk space is saved.
Data deduplication is designed to be installed on primary (and not logically extended) data volumes without adding any additional dedicated hardware. You can install and use the feature without affecting the primary workload on the server. The default settings are non-intrusive because only files older than 30 days are processed. The implementation is designed for low memory and CPU priority. If memory use becomes high, deduplication backs off and waits for available resources. You can schedule deduplication based on the type of data involved and the frequency and volume of changes that occur to the volume or to particular file types.
You should consider using deduplication for the following areas:
File shares. This includes group content publication or sharing, user home folders, and profile redirection (offline files). You may be able to save approximately 30-50 percent disk space.
Software deployment shares. This includes software binaries, images, and updates. You may be able to save approximately 70-80 percent space.
Virtual hard disk (VHD) libraries. This includes VHD file storage for provisioning to hypervisors. You may be able to save approximately 80-95 percent space.
Note: Use the deduplication evaluation tool (DDPEval.exe) to analyze a volume for the expected savings that you would get when enabling deduplication. This utility is automatically installed to \Windows\System32\ on the local computer when data deduplication is enabled.
When data deduplication is enabled and the data is optimized, the volume contains the following:
Unoptimized files. These are skipped files, for example, system state files, encrypted files, files with extended attributes, files smaller than 32 KB, and other reparse point files.
Optimized files. These are stored as reparse points that contain pointers to the respective chunks in the chunk store that are needed to rebuild the file.
Additional Reading:
Data Deduplication Overview
http://technet.microsoft.com/en-us/library/hh831602
Introduction to Data Deduplication in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-in-windows-server-2012.aspx
Question: On which of your shares can you use data deduplication?
Demonstration: Configuring Data Deduplication
In this demonstration, you will see how to add the Data Deduplication role service and enable data deduplication on drive E.
Demonstration Steps
Add the Data Deduplication role service
1. Log on to LON-DC1 with a username of Adatum\Administrator and the password of Pa$$w0rd.
2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication
Enable Data Deduplication on E: Drive
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click Volumes.
2. Configure data deduplication with the following settings:
o Set Deduplication Schedule: Enable throughput optimization
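The same configuration done from Windows PowerShell, as an added example that is not part of the course demonstration. It uses the Deduplication module cmdlets that become available once the role service is installed; the volume letter E: follows the demonstration, the schedule name and window are assumptions, and the two guards enforce the volume requirements stated earlier in this lesson.

```powershell
# Added example (not the course demonstration script): installs the role service, enables
# deduplication on E:, creates a throughput-optimization schedule and reports savings.
# Assumes the Deduplication module; the schedule name and hours are assumptions.
Install-WindowsFeature -Name FS-Data-Deduplication
Import-Module Deduplication

$Volume = 'E:'

# Guards for the requirements above: not the system/boot volume, and NTFS only (no ReFS).
if ($Volume -eq $env:SystemDrive) {
    throw "$Volume is the system volume; deduplication is not supported there."
}
$Vol = Get-Volume -DriveLetter $Volume.TrimEnd(':')
if ($Vol.FileSystem -ne 'NTFS') {
    throw "$Volume is $($Vol.FileSystem); deduplication requires NTFS."
}

# Enable with the default policy: only files older than 30 days are processed.
Enable-DedupVolume -Volume $Volume

# For a lab, process files immediately so the effect is visible; leave the default in
# production unless the data is known to be static.
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 0

# "Enable throughput optimization" in the wizard creates a scheduled optimization job.
# This is the cmdlet form of that setting: weeknights, starting 22:00, up to 6 hours.
New-DedupSchedule -Name 'NightlyOptimization' -Type Optimization `
    -Start 22:00 -DurationHours 6 -Days Monday, Tuesday, Wednesday, Thursday, Friday

# Run one optimization pass now and wait for it, then show what was saved.
Start-DedupJob -Volume $Volume -Type Optimization -Wait
Get-DedupStatus -Volume $Volume |
    Format-List Volume, SavedSpace, OptimizedFilesCount, InPolicyFilesCount
```

DDPEval.exe remains the right tool for estimating savings before enabling the feature; Get-DedupStatus reports what has actually been reclaimed afterwards.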
What Are Thin Provisioning and Trim Storage?
Windows Server 2012 introduces two new storage concepts. They are:
Thin provisioning and trim storage are available by default in Windows Server 2012; no feature or role has to be installed.
Thin provisioning and trim storage in Windows Server 2012 provide the following capabilities:
Identification. Windows Server 2012 uses a standardized method to detect and identify thinly provisioned virtual disks, thereby enabling additional capabilities delivered by the storage stack. The storage stack is provided in the operating system and is available through storage management applications.
Notification. When the configured physical storage use thresholds are reached, Windows Server 2012 notifies the administrator through events. This enables the administrator to take appropriate action as soon as possible. These events can also start automated actions from sophisticated management applications, such as Microsoft System Center.
What's New in File Server Resource Manager?
You can use the File Server Resource Manager to manage and classify data that is stored on file servers. File Server Resource Manager includes the following features:
File management tasks. You can use this feature to apply a conditional policy or action to files, based on their classification. The conditions of a file management task include the file location, the classification properties, the date the file was created, the last modified date of the file, or the last time that the file was accessed. The actions that a file management task can take include the ability to expire files, encrypt files, or run a custom command.
Quota management. You can use this feature to limit the space allowed for a volume or folder. Quotas can be automatically applied to new folders that are created on a volume. You can also define quota templates that you can apply to new volumes or folders.
File screening management. You can use this feature to control the types of files that users can store on a file server. You can limit the extensions that can be stored on your file shares. For example, you can create a file screen that prevents files that have an MP3 extension from being stored in personal shared folders on a file server.
Storage reports. You can use this feature to identify trends in disk usage and how your data is classified, and to monitor attempts by a selected group of users to save unauthorized files.
You can configure and manage the File Server Resource Manager by using the File Server Resource Manager Microsoft Management Console (MMC) snap-in or by using Windows PowerShell.
The following features of the File Server Resource Manager are new in Windows Server 2012:
Dynamic Access Control. Dynamic Access Control uses the file classification infrastructure to help you centrally control and audit access to files on your file servers.
Manual classification. Manual classification enables users to classify files and folders manually without the need to create automatic classification rules.
Access-denied assistance. You can use access-denied assistance to customize the access denied error message that users see in Windows 8 Consumer Preview when they do not have access to a file or a folder.
File management tasks. The updates to file management tasks include Active Directory Rights Management Services (AD RMS) file management tasks, continuous file management tasks, and dynamic namespace for file management tasks.
Automatic classification. The updates to automatic classification enable you to get more precise control over how data is classified on your file servers, including continuous classification, using Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic namespace for classification rules.
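Quota management and file screening from Windows PowerShell, as an added example that is not course material. It uses the FileServerResourceManager module; the share path E:\Shares\Home, the template name, the 2 GB limit and the file group contents are assumptions.

```powershell
# Added example (not course material): an auto-apply quota and an active file screen on a
# home-folder root, using the FileServerResourceManager module. Paths, names and sizes
# are assumptions.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$HomeRoot = 'E:\Shares\Home'
New-Item -ItemType Directory -Path $HomeRoot -Force | Out-Null

# Quota template with a warning threshold, then an auto-apply quota: every new folder
# created under $HomeRoot gets its own 2 GB limit without further administration.
New-FsrmQuotaTemplate -Name 'Home 2GB' -Size 2GB `
    -Threshold (New-FsrmQuotaThreshold -Percentage 85)
New-FsrmAutoQuota -Path $HomeRoot -Template 'Home 2GB'

# File group of extensions to block, then an active (enforcing) screen on the same root.
# A passive screen (-Active omitted) only logs the attempt, which is useful for a trial run.
New-FsrmFileGroup -Name 'Audio files' -IncludePattern @('*.mp3', '*.wma', '*.m4a')
New-FsrmFileScreen -Path $HomeRoot -IncludeGroup 'Audio files' -Active

# Confirm what is in force.
Get-FsrmAutoQuota  -Path $HomeRoot | Format-List Path, Template
Get-FsrmFileScreen -Path $HomeRoot | Format-List Path, IncludeGroup, Active
```

A file screen matches on the file name only, not on content, so renaming song.mp3 to song.txt walks straight past it. Treat screens as a storage-hygiene control and use them together with storage reports, not as a security boundary.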
What Are Basic and Dynamic Disks?
Windows Server 2012 continues to support basic disks and dynamic disks.
Basic Disk
Basic storage uses typical partition tables supported by MS-DOS and all versions of the Windows operating system. A disk initialized for basic storage is called a basic disk. A basic disk contains basic partitions, such as primary partitions and an extended partition. An extended partition can be subdivided into logical drives.
By default, when you initialize a disk in Windows, the disk is configured as a basic disk. Basic disks can easily be converted to dynamic disks without any loss of data. However, when you convert a dynamic disk to a basic disk, all data on the disk will be lost.
Some applications, such as the storage spaces feature in Windows Server 2012, cannot use dynamic disks. In addition, there is no performance gain from converting basic disks to dynamic disks. For these reasons, most administrators do not convert basic disks to dynamic disks unless they have to use some of the additional volume configuration options available with dynamic disks.
Dynamic Disk
Dynamic storage is supported in Windows operating systems from Windows 2000 onward, including the Windows XP operating system; it is not available in the Microsoft Windows NT Server 4.0 operating system or in Windows XP Home Edition. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.
When you configure dynamic disks, you create volumes instead of partitions. A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and can be assigned a drive letter or configured with a mount point.
The dynamic volumes include:
Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
Spanned volumes. A spanned volume is created from free disk space that is linked from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant. Therefore, if you lose one disk, you lose the whole spanned volume.
Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning that the loss of one disk causes the loss of data immediately. Striping is also known as redundant array of independent disks (RAID)-0.
Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum of three disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
Required Disk Volumes
Regardless of which type of disk you use, you must configure a system volume and a boot volume on one of the hard disks in the server:
System volumes. The system volume contains the hardware-specific files that are needed to load Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not have to be, the same as the boot volume.
Note: When you install the Windows 8 operating system or Windows Server 2012 in a clean installation, a separate system volume is created to enable encrypting the boot volume by using BitLocker.
Additional Reading:
How Basic Disks and Volumes Work
http://go.microsoft.com/fwlink/?LinkID=199648
Dynamic Disks and Volumes
http://go.microsoft.com/fwlink/?LinkID=199649
What Is the Resilient File System?
Resilient File System (ReFS) is a new file system provided in Windows Server 2012. ReFS is based on the NTFS file system and provides the following advantages:
Metadata integrity with checksums
Allocation-on-write transactional model for robust disk updates (also known as copy on write)
Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance
Disk scrubbing for protection against latent disk errors
Resiliency to corruptions with salvage for maximum volume availability in every case
Limit                                          Value
Maximum size of a single file                  2^64-1 bytes (18,446,744,073,709,551,615 bytes)
Maximum size of a single volume
Maximum number of files in a directory         2^64
Maximum number of directories in a volume      2^64
Maximum file name length
Maximum path length                            32K
Maximum size of any storage pool               4 petabytes
Maximum number of storage pools in a system    No limit
Maximum number of spaces in a storage pool     No limit
The Share and Storage Management snap-in is replaced by the File and Storage Services role in Server Manager.
The Shared Folders snap-in is replaced by the File and Storage Services role in Server Manager.
The Virtual Disk Service (VDS) provider is replaced by the Storage Management APIs and storage provider or the Storage Management Initiative Specification (SMI-S) standard and a compliant storage provider.
Lesson 2
Configuring iSCSI Storage
In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will perform these tasks by using IP-based iSCSI storage. iSCSI storage is an inexpensive and simple way to configure a connection to remote disks. Many application requirements dictate that remote storage connections must be redundant in nature for fault tolerance or high availability. For this purpose, you will also learn how to create both single and redundant connections to an iSCSI target. You will do so by using the iSCSI initiator software that is available in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to configure high availability and locate iSCSI storage.
Configure an iSCSI target.
Connect to the iSCSI storage.
What Is iSCSI?
iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network. iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets and to manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs, or even over the larger Internet.
iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such as a host bus adapter (HBA) or network switches is optional. iSCSI uses TCP/IP (typically, TCP port 3260). This means that iSCSI simply enables two hosts to negotiate (session establishment, flow control, and packet size, for example) and then exchange SCSI commands by using an existing Ethernet network. By doing this, iSCSI takes a popular, high-performance, local storage bus subsystem architecture and emulates it over LANs and WANs, creating a SAN. Unlike some SAN protocols, iSCSI requires no specialized cabling; it can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely decreased if it is not operated on a dedicated network or subnet, as best practices recommend.
Note: While you can use a standard Ethernet network adapter to connect the server to the iSCSI storage device, you can also use dedicated HBAs.
An iSCSI SAN deployment includes the following:
iSCSI Target Server and iSCSI Initiator
The iSCSI initiator service has been a standard part of Windows Server since Windows Server 2008. Before Windows Server 2012, however, the iSCSI Software Target needed to be downloaded and installed separately. Now, it is integrated as a role service into Windows Server 2012. The new features in Windows Server 2012 include:
Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.
The iSCSI target server role service provides a software-based and hardware-independent iSCSI disk subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then use Server Manager to manage these iSCSI targets and virtual disks.
The iSCSI target server included in Windows Server 2012 provides the following functionality:
Network/diskless boot. By using boot-capable network adapters or a software loader, you can use iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to 90 percent of the storage space for the operating system images. This is ideal for large deployments of identical operating system images, such as a Hyper-V server farm or High Performance Computing (HPC) clusters.
Server application storage. Some applications, for example Hyper-V and Exchange Server, require block storage. The iSCSI target server can provide these applications with continuously available block storage. Because the storage is remotely accessible, it can also combine block storage for central or branch office locations.
Heterogeneous storage. The iSCSI target server supports iSCSI initiators that are not based on Windows, so you can share storage on Windows servers in mixed environments.
Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to act as network-accessible block storage devices. This is useful in situations such as when you want to test applications before deployment on SAN storage.
Enabling the iSCSI target server to provide block storage takes advantage of your existing Ethernet network. No additional hardware is needed. If high availability is an important criterion, consider setting up a high availability cluster. With a high availability cluster, you will need shared storage for the cluster, either hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. The iSCSI target server is directly integrated into the failover cluster feature as a cluster role.
iSCSI Initiator
The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and is installed by default. To connect your computer to an iSCSI target, you just have to start the service and configure it.
Additional Reading: Introduction of iSCSI Target in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx
Question: When would you consider implementing diskless booting from iSCSI targets?
Advanced iSCSI Configuration Options
In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can integrate these services into more advanced configurations.
Locating iSCSI Storage
There are two common approaches for locating storage that is exposed to a network by an iSCSI target.
The first approach is through the use of the iSCSI SendTargets command. This functionality is available within the iSCSI Initiator wizard of Windows Server. Using SendTargets in the iSCSI Initiator retrieves a list of available targets from a target device. To use this command, you must know both the IP address of the storage device that is hosting the targets, and whether the device is suitable for your storage needs. The iSCSI SendTargets command is only workable in smaller iSCSI environments, because as the number of iSCSI targets in your company increases, this approach becomes more complex.
The second approach is for large networks. On large networks, locating storage can be more difficult. One solution that can help you is the Internet Storage Name Service (iSNS), which is a Windows Server 2012 feature similar to Domain Name System (DNS) and lets you locate a target on several target devices.
iSNS contains three distinct services:
Name Registration Service. This service enables initiators and targets to register and query the iSNS server directory for information about initiator and target IDs and addresses.
Network Zoning and Logon Control Service. You can use this service to restrict iSNS initiators to zones so that iSCSI initiators do not discover any target devices outside their own zone or discovery domains. This prevents initiators from accessing storage devices that are not intended for their use. Logon control enables targets to determine which initiators can access them.
State Change Notification Service. This service enables iSNS to notify clients of changes in the network, such as the addition or removal of targets, or changes in zoning membership. Only initiators that you register to receive notifications will get these packets, which reduces random broadcast traffic on the network.
Configuring iSCSI for High Availability
Although similar in the result they achieve, the two technologies, Multiple Connections per Session (MCS) and Multipath I/O (MPIO), use different approaches to achieve high availability for iSCSI storage connections.
MCS is a feature of the iSCSI protocol that:
Enables multiple TCP/IP connections from the initiator to the target for the same iSCSI session.
Supports automatic failover. If a failure were to occur, all outstanding iSCSI commands are reassigned to another connection automatically.
Requires explicit support by iSCSI SAN devices, although the iSCSI target server role supports it.
MPIO:
Requires a device-specific module (DSM) if you want to connect to a third-party SAN device, such as HP's EVA SAN, from the iSCSI initiator. Windows includes a default MPIO DSM, installed as the Multipath I/O feature within Server Manager.
Is widely supported. Many SANs can use the default DSM without any additional software, while others require a specialized DSM from the manufacturer.
Is more complex to configure and not as fully automated during failover as MCS.
In this demonstration, you will add the iSCSI Target Server role service and create iSCSI virtual disks and an iSCSI target on LON-DC1.
Demonstration Steps
Add the iSCSI Target Server role service
1. In the Add Roles and Features Wizard, install the following roles and features to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk. Create a virtual disk that has the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
3. On the View results page, wait until the creation is completed, and then close the View results page.
4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk. Create a virtual disk that has these settings:
o Name: iSCSIDisk2
o Disk size: 5 GB
5. On the View results page, wait until the creation is completed, and then close the View results page.
Demonstration Steps
Connect LON-SVR2 to the iSCSI target
Lesson 3
Configuring Storage Spaces in Windows Server 2012
Managing physical disks attached directly to a server proved to be a tedious task for administrators. To overcome this problem, many organizations used SANs that basically grouped physical disks together.
Lesson Objectives
After completing this lesson, you will be able to:
- Configure a storage space.
- Implement redundant storage spaces.
What Are Storage Spaces?
A storage space is a storage virtualization capability built into Windows Server 2012 and Windows 8. You can use storage spaces to add physical disks of any type and size to a storage pool and create highly-available virtual disks from it. The primary advantage of storage spaces is that you do not manage single disks any longer, but manage them as one unit.
To create a highly-available virtual disk, you must have the following:
- Disk drive. This is a volume that you can access from your OS, for example, by using a drive letter.
- Virtual disk (or storage space). This resembles a physical disk from the perspective of users and applications. However, virtual disks are more flexible because they include thin provisioning or just-in-time allocations and resiliency to physical disk failures with built-in functionality such as mirroring.
- A minimum of three physical drives are required to create a virtual disk with resiliency through parity.
- Three-way mirroring requires at least five physical drives.
Feature: Storage layout
Description: This defines the number of disks from the storage pool that are allocated. Valid options are:
- Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data is segmented across all disks in a way that access to these sequential segments can be made to different physical storage drives. Striping makes it possible to access multiple segments of data at the same time. Do not host important data on a simple volume, because it provides no failover capabilities when the disk where the data is stored fails.
Feature: Sector size
Description: A storage pool's sector size is set the moment it is created. If the list of drives being used contains only 512 and 512e drives, the pool is defaulted to 512e. However, if the list contains at least one 4-KB drive, the pool sector size is defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size that all contained spaces in the pool will inherit. After an administrator defines this, Windows will only enable addition of drives that have a compliant sector size, that is: 512 or 512e for a 512e storage pool and 512, 512e, or 4 KB for a 4-KB pool.
Feature: Cluster disk requirement
Feature: Drive allocation
Description: This defines how the drive is allocated to the pool. Options are:
- Data-store. This is the default allocation when any drive is added to a pool. Storage spaces can automatically select available capacity on data-store drives for both storage space creation and just-in-time allocation.
- Manual. Administrators can choose to specify manual as the usage type for drives added to a pool. A manual drive is not automatically used as part of a storage space unless it is specifically selected at the creation of that storage space. This usage property lets administrators specify particular types of drives for use by only certain storage spaces.
- Hot-Spare. Drives added as Hot-Spares to a pool are reserve drives that are not used in the creation of a storage space. If a failure occurs on a drive that is hosting columns of a storage space, a reserve drive is called on to replace the failed drive.
Feature: Provisioning schemes
Description:
- Fixed provisioning space. In storage spaces, fixed provisioned spaces also use the flexible provisioning slabs. The difference here is that the storage capacity is allocated up front, at the time that the space is created.
Note: Storage Spaces allows for the creation of both thin and fixed provisioning virtual disks within the same storage pool. Having both provisioned types in the same storage pool is very convenient, especially when they are related to the same workload. For example, you can choose to have a thin provisioning space to host a database and a fixed provisioning space to host its log.
Demonstration Steps
Create a storage pool
1. On LON-SVR2, in Server Manager, navigate to File and Storage Services, and Storage Pools.
2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and then add all available disks.

1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
   o Size: 2 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
In this demonstration, you will create a redundant virtual disk and a volume, simulate a drive failure, and test volume access.
Demonstration Steps
Create a redundant virtual disk and a volume
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New Virtual Disk and create a virtual disk with these settings:
   o Size: 5 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
3. On the Completion page, wait until the creation is completed, and then click Close.
4. On the Start screen, type command prompt and then press Enter.
5. At the command prompt, type the following command and then press Enter:
   Copy C:\windows\system32\write.exe F:\
6. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Computer Management.

1. On LON-DC1, in Server Manager, in the left pane, click File and Storage Services.
2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click Disable iSCSI Virtual Disk.
3. Switch to LON-SVR2.
4. In the Computer Management console, under Storage, right-click Disk Management, and then in the drop-down list, select Rescan Disks. Notice that the Simple Volume (E:) is not available and the Mirrored Volume (F:) is available.
5. On the taskbar, open Windows Explorer and then click Mirrored Volume (F:). You should now see write.exe in the file list.
6. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that appears right next to Mirrored vDisk.
7. In the VIRTUAL DISKS pane, right-click Simple vDisk, and then in the drop-down list, select Properties.
8. In the Simple vDisk Properties dialog box, in the navigation pane, click Health. Notice that the Health Status should indicate Unknown. The Operational Status should indicate Detached. This means that the disk is not available on this computer any longer.
9. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
10. In the Mirrored vDisk Properties window, in the navigation pane, click Health. Notice that the Health Status should indicate a Warning. The Operational Status should indicate Incomplete or Degraded.
With the growth in A. Datum, the requirements for managing storage and shared file access have also expanded. Although the cost of storage has decreased significantly over the last few years, the data produced by the A. Datum business groups has increased even more. The organization is considering alternative ways to reduce the cost of storing data on the network in addition to the options for optimizing data access for both physical and virtual servers. Also, to meet some requirements for high availability, the organization is exploring options for making storage highly available.
As one of the senior network administrators at A. Datum, you are responsible for implementing some new file storage technologies for the organization. You will implement iSCSI storage to provide a less complex option for deploying large amounts of storage in the organization. You will also implement storage spaces on the Windows Server 2012 servers to simplify storage access and to provide redundancy at the storage level.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 40 minutes
Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
For this lab, on 20417A-LON-SVR2, disable Routing and Remote Access. In Server Manager, click Tools, and then click Routing and Remote Access. In the Routing and Remote Access console, right-click LON-SVR2 and then click Disable Routing and Remote Access.
In order to reduce the cost and complexity of configuring centralized storage, A. Datum is exploring the option of using iSCSI to provide storage. To get started, you will install and configure the iSCSI targets, and configure access to the targets by configuring the iSCSI initiators.
The main tasks for this exercise are as follows:
3. Configure MPIO.

1. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features to the local server and accept the default values:
   o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.
2.
   o Storage location: C:
   o Size: 5 GB
3. On the View results page, wait until the creation is completed, and then click Close.
4.
   o Storage location: C:
   o Size: 5 GB
5.
   o Storage location: C:
   o Size: 5 GB
6.
   o Storage location: C:
   o Size: 5 GB
7.
   o Storage location: C:
   o Size: 5 GB

1. Log on to LON-SVR2.
2. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.
3. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
4. In Server Manager, on the Tools menu, open MPIO, and configure the following:
5. After the computer restarts, log on to LON-SVR2, on the Tools menu in Server Manager, open MPIO and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

1. In the iSCSI Initiator Properties dialog box, perform the following steps:
2. Connect to another target, enable multi-path, and configure the following Advanced settings:
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
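The target, initiator and MPIO configuration from the demonstration and from this exercise, scripted with the Windows Server 2012 iSCSI Target, iSCSI and MPIO PowerShell modules. This is an added example, not the course's own lab script; the C:\iSCSIVirtualDisks path, the adatum.com FQDNs and the initiator IQN are assumptions.

```powershell
# --- On LON-DC1: install the iSCSI Target Server role service and create two 5 GB virtual disks ---
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools
New-Item -Path 'C:\iSCSIVirtualDisks' -ItemType Directory -Force | Out-Null   # path is an assumption

'iSCSIDisk1', 'iSCSIDisk2' | ForEach-Object {
    New-IscsiVirtualDisk -Path "C:\iSCSIVirtualDisks\$_.vhd" -SizeBytes 5GB
}

# Scope the target to LON-SVR2's initiator name only, so that no other host on the network can
# log in to these LUNs. The IQN below is an assumed value; read the real one on LON-SVR2 with
# (Get-InitiatorPort).NodeAddress before creating the target.
$initiatorIqn = 'iqn.1991-05.com.microsoft:lon-svr2.adatum.com'
New-IscsiServerTarget -TargetName 'LON-SVR2' -InitiatorIds @("IQN:$initiatorIqn")
Add-IscsiVirtualDiskTargetMapping -TargetName 'LON-SVR2' -Path 'C:\iSCSIVirtualDisks\iSCSIDisk1.vhd'
Add-IscsiVirtualDiskTargetMapping -TargetName 'LON-SVR2' -Path 'C:\iSCSIVirtualDisks\iSCSIDisk2.vhd'

# --- On LON-SVR2: add Multipath I/O and let the Microsoft DSM claim iSCSI devices (needs a restart) ---
Install-WindowsFeature -Name Multipath-IO
Enable-MSDSMAutomaticClaim -BusType iSCSI
Restart-Computer

# --- On LON-SVR2 after the restart: start the initiator service and log in with multipath enabled ---
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress 'LON-DC1.adatum.com'
Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
    Connect-IscsiTarget -IsPersistent $true -IsMultipathEnabled $true

# Verification: the hardware ID the lab checks in the MPIO console, and the disks that arrived over iSCSI
Get-MSDSMSupportedHW | Where-Object { $_.VendorId -eq 'MSFT2005' -and $_.ProductId -eq 'iSCSIBusType_0x9' }
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, FriendlyName, Size, OperationalStatus
```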
After you have configured the iSCSI components, you want to take advantage of the storage pools to simplify the configuration of storage on the Windows Server 2012 servers. To meet some requirements for high availability, you decided to evaluate redundancy features in storage spaces. Also, you want to test provisioning of new disks to the storage pool.
The main tasks for this exercise are as follows:
1. Create a storage pool by using the iSCSI disks attached to the server.
5. Verify that the file is still accessible and check the health of the virtual disk.
7. Add the new disk to the storage pool and extend the virtual disk.
X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
2.
   o Name: StoragePool1
3. On the View results page, wait until the creation is completed, then click Close.

1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with these settings:
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
3.
   o Drive letter: E
4. On the Completion page, wait until the creation is completed, and then click Close.
X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press ENTER.
2. Use Windows Explorer and access Mirrored Volume (E:). You should now see write.exe in the file list.

1. Switch to LON-DC1.
2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, disable the iSCSI Virtual Disk named iSCSIDisk1.vhd.
X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. Use Windows Explorer and open E:\write.exe to make sure access to the volume is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that appears right next to Mirrored vDisk.
4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
5. In the Mirrored vDisk Properties window, in the Health pane, notice that the Health Status indicates a Warning. The Operational Status should indicate Degraded.

1. Switch to LON-DC1.
2. In Server Manager, in the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
3.
   o Storage location: C:
   o Size: 5 GB
X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add Physical Disk, and add PhysicalDisk1 (LON-SVR2).
4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend Virtual Disk and extend the disk to 15 GB.
Results: After completing this exercise, you will have created a storage pool, added a new disk to the storage pool, and extended the disk.
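The storage pool, the simple and mirrored spaces, the simulated drive failure and the extension from the Lesson 3 demonstration and from this exercise, done with the Storage module instead of Server Manager; the storage layout, provisioning type and drive allocation from the feature table appear as cmdlet parameters. This is an added example, not the course's own script; it assumes the iSCSI disks from Exercise 1 are the only poolable disks on LON-SVR2 and that PhysicalDisk4 exists for the hot-spare line.

```powershell
# --- On LON-SVR2: pool every disk that is eligible (the iSCSI disks from Exercise 1) ---
New-StoragePool -FriendlyName 'StoragePool1' -StorageSubSystemFriendlyName 'Storage Spaces*' `
    -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

# Storage layout and provisioning scheme are chosen per virtual disk:
# a simple (striped, no redundancy) fixed space, and a two-way mirror, thin-provisioned space.
New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'Simple vDisk' `
    -ResiliencySettingName Simple -ProvisioningType Fixed -Size 2GB
New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'Mirrored vDisk' `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 5GB

# Drive allocation: a disk added later can be reserved as a Hot-Spare instead of Data-store
# (the disk name is an assumption; list candidates with Get-PhysicalDisk).
# Set-PhysicalDisk -FriendlyName 'PhysicalDisk4' -Usage HotSpare

# Bring the mirrored space online as drive E: (the GUI's "Create a volume when this wizard closes")
Get-VirtualDisk -FriendlyName 'Mirrored vDisk' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Mirrored Volume' -Confirm:$false
Copy-Item -Path "$env:SystemRoot\System32\write.exe" -Destination 'E:\'

# --- After iSCSIDisk1 is disabled on LON-DC1: rescan and read the health the lab expects ---
Update-HostStorageCache
Get-VirtualDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus
# Expected: Simple vDisk -> Unknown / Detached; Mirrored vDisk -> Warning / Degraded
Get-PhysicalDisk | Where-Object { $_.HealthStatus -ne 'Healthy' } |
    Select-Object FriendlyName, HealthStatus, OperationalStatus
Test-Path 'E:\write.exe'   # still True while the mirror runs degraded

# --- Task 7: add the new disk, then grow the mirror to 15 GB and extend the partition to match ---
Add-PhysicalDisk -StoragePoolFriendlyName 'StoragePool1' -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
Resize-VirtualDisk -FriendlyName 'Mirrored vDisk' -Size 15GB
Update-HostStorageCache
$max = (Get-PartitionSupportedSize -DriveLetter E).SizeMax
Resize-Partition -DriveLetter E -Size $max
Get-Volume -DriveLetter E | Select-Object FileSystemLabel, Size, SizeRemaining
```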
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Lesson 4
Configuring BranchCache in Windows Server 2012
Lesson Objectives
After completing this lesson, you will be able to:
- Describe how BranchCache works.
- Describe the BranchCache requirements.
- Configure the BranchCache server settings.
- Configure the BranchCache client settings.
- Configure BranchCache.
- Describe how to monitor BranchCache.
How Does BranchCache Work?
The BranchCache feature introduced with Windows Server 2008 R2 and Windows 7 reduces the network use on WAN connections between branch offices and the headquarters by locally caching frequently used files on computers in the branch office.
BranchCache improves the performance of applications that use one of the following protocols:
- HTTP or HTTPS protocols. These protocols are used by web browsers and other applications.
- Background Intelligent Transfer Service (BITS). A Windows component that distributes content from a server to clients by using only idle network bandwidth.
BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase WAN use. BranchCache only caches the read requests and will not interfere when a user saves a file.
BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 or 8 to client computers and Windows Server 2012 to servers, and by enabling the BranchCache feature.
BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end Internet Protocol Security (IPsec). You can use BranchCache to reduce the
network bandwidth use and improve application performance, even if the content is encrypted.
You can configure BranchCache to use Hosted Cache mode or Distributed Cache mode:
Hosted Cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or later versions as a hosted cache server in the branch office. Client computers are configured with
the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from
the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is
retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that
the successive client requests can get it from there.
Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
offices without requiring a server. In this mode, local client computers running Windows 7 or
Windows 8 keep a copy of the content and make it available to other authorized clients that request
the same data. This eliminates the need to have a server in the branch office. However, unlike the
Hosted Cache mode, this configuration works across a single subnet only. In addition, clients who
hibernate or disconnect from the network cannot provide content to other requesting clients.
More than one hosted cache server per location to allow for scale.
New underlying database that uses the Extensible Storage Engine (ESE) database technology from
Microsoft Exchange Server. This enables a hosted cache server to store significantly more data (in the
order of terabytes).
The deployment is made much simpler such that you do not require a Group Policy Object (GPO) for
each location. A single GPO that contains the settings is all that is required to deploy BranchCache.
1. The client computer that is running Windows 7 connects to a content server that is running Windows Server 2008 R2 in the head office and requests content similar to the way it would retrieve content without using BranchCache.
2. The content server in the head office authenticates the user and verifies that the user is authorized to access the data.
3. The content server in the head office returns identifiers or hashes of the requested content to the client computer instead of sending the content itself. The content server sends that data over the same connection that the content would have typically been sent.
4. If you configure it to use Distributed Cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content. If you configure it to use Hosted Cache, the client computer searches for the content on the configured Hosted Cache.
5. If the content is available in the branch office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from the branch office and ensures that the data is updated and has not been tampered with or corrupted.
6. If the content is not available in the remote office, the client computer retrieves the content directly from the server across the WAN link. The client computer then either makes it available on the local network to other requesting client computers (Distributed Cache mode) or sends it to the Hosted Cache, where it is made available to other client computers.
BranchCache Requirements
BranchCache optimizes traffic flow between head office and branch offices. Only Windows Server 2008 R2, Windows Server 2012, and client computers running Windows 7 or Windows 8 Enterprise Edition can benefit from BranchCache. Earlier versions of Windows operating systems do not benefit from this feature. You can cache only the content that is stored on file servers or web servers running Windows Server 2008 R2 or Windows Server 2012 by using BranchCache.
Requirements for Using BranchCache
To use BranchCache, you must perform the following tasks:
- Configure client computers either by using Group Policy or the netsh branchcache set service command.
Requirements for Distributed Cache and Hosted Cache Modes
In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery.
In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions, and the clients in the branch must run at least Windows 7 or Windows Server 2008 R2. You should configure the client firewall to enable incoming traffic, HTTP, and WS-Discovery.
In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions. The Hosted Cache in the branch must run Windows Server 2008 R2 or later versions and the client in the branch must run at least Windows 7. You must configure a firewall to enable incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.
Configuring BranchCache Server Settings
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use BranchCache to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2012.
The following table lists the servers that you can configure for BranchCache.
Server: Web server or Background Intelligent Transfer Service (BITS) server
Description: To configure a Windows Server 2012 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure clients who will use the BranchCache feature; no additional configuration of the web server is needed.
Server: File server
Configuring BranchCache Client Settings
You do not have to install the BranchCache feature because BranchCache is already included if the client runs Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you must perform the following steps:
1. Enable BranchCache.
2. Configure the client firewall to enable BranchCache protocols.
Enabling BranchCache
If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.
Enabling the Distributed Cache Mode or Hosted Cache Mode
You can enable the BranchCache feature on client computers by using Group Policy or the netsh branchcache set service command.
To configure BranchCache settings by using Group Policy, perform the following steps for a domain-based GPO:
1. Browse to Computer Configuration\Policies\Administrative Templates\Network, and then click BranchCache.
2. Turn on BranchCache and set either the Distributed Cache or the Hosted Cache mode.
To configure BranchCache settings by using the netsh branchcache set service command, perform the following steps:
In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but they do not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to enable the incoming rule BranchCache - Content Retrieval (Uses HTTP).
In this demonstration, you will add the BranchCache for Network Files role service, configure BranchCache in Local Group Policy Editor, and enable BranchCache for a file share.
Demonstration Steps
Add the BranchCache for Network Files role service
1. In the Add Roles and Features Wizard, install the following roles and features to the local server:
   o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files

1. Select Allow hash publication only for shared folders on which BranchCache is enabled.
Monitoring BranchCache
After the initial configuration, you might want to verify that BranchCache is configured correctly and functioning correctly. You can use the netsh branchcache show status all command to display the BranchCache service status. On client and Hosted Cache servers, additional information is shown, such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses.
You can also use the following tools to monitor BranchCache:
- Performance counters. You can use this tool to monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use the BranchCache performance monitor counters for determining the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 or later versions implemented in the environment, you can use the Windows BranchCache Management Pack for Operations Manager 2007.
A. Datum has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN use out to the branch office, you must configure BranchCache for this data.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 40 minutes
Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd

1. Switch to LON-DC1.
2. Open Server Manager and install the BranchCache for Network Files role service.

Note: This task is required to simulate a slow network connection in a test environment where all the computers are connected by a fast network connection.

   o Sharename: Share
   o Permissions: default
   o Action: Allow
   o Action: Allow
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
The main task for this exercise is to configure client computers to use BranchCache in the Hosted Cache
mode.
X Task: Configure client computers to use BranchCache in the Hosted Cache mode
1.
On LON-DC1, in Group Policy Management Editor, configure the following at Computer
Configuration\Policies\Administrative Templates\Network\BranchCache:
o
Type the maximum round trip network latency value (milliseconds) after which caching begins: 0
2.
Start the 20417A-LON-CL1, open a Command Prompt window, and refresh the Group Policy settings
(gpupdate /force).
3.
At the command prompt, type netsh branchcache show status all, and then press Enter.
4.
Start the 20417A-LON-CL2, open the Command Prompt window, and refresh the Group Policy
settings (gpupdate /force).
5.
At the command prompt, type netsh branchcache show status all, and then press Enter.
Note: To test BranchCache in a test lab, you should deploy two client computers. This
enables you to request a file from one of the client computers, and then verify that the file is
retrieved from the local cache on the second client computer.
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
The next step you must perform is to configure a file server for the BranchCache feature. You will install the BranchCache feature and configure it as a BranchCache Host Server.
The main tasks for this exercise are as follows:

1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the password of Pa$$w0rd.
2. Open Server Manager and add the BranchCache for Network Files role service.

1. On LON-DC1, open Active Directory Users and Computers. Create a new OU called BranchCacheHost and move LON-SVR1 into this OU.
2. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU.
3. Switch to LON-SVR1 and restart the computer. Log on as Adatum\Administrator with the password of Pa$$w0rd.
4. Open Windows PowerShell by clicking the icon on the taskbar and run the following cmdlets:
   Enable-BCHostedServer -RegisterSCP
   Get-BCStatus
Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not available when this course was created, so the BranchCache verification steps are not included in this lab.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
Tools
Tool | Use | Where to find it
iSCSI initiator | | C:\windows\system32
Module 5
Implementing Network Services
Contents:
Module Overview
Module Overview
As seasoned administrators are aware, network services such as Domain Name System (DNS) provide
critical support for name resolution of network and Internet resources. With Dynamic Host Configuration
Protocol (DHCP) you can manage and distribute IP addresses to client computers. DHCP is essential in
managing IP-based networks. DHCP failover can prevent client computers from losing access to the
network if there is a DHCP server failure. IP Address Management provides a unified means of controlling
IP addressing. With Network Access Protection (NAP), administrators can control which computers have
access to corporate networks based on the computers' adherence to corporate security policies.
This module introduces DNS and DHCP improvements, what is new in IP address management, and
describes how to implement these features. It also provides an overview and implementation guidance for
NAP.
Objectives
After completing this module, you will be able to:
Describe NAP.
Implement NAP.
Lesson 1
Implementing DNS and DHCP Enhancements
5-2
In TCP/IP
T
network
ks of any size, certain service
es are required
d. DNS is one o
of the most im
mportant netwo
ork
servvices. Many oth
her application
ns and servicess, including Acctive Directoryy Domain Services (AD DS), rely
on DNS
D
to resolve
e resource nam
mes to IP addre
esses. Withoutt DNS availability user authe
entications can
n fail,
and network base
ed resources an
nd application
ns can becomee inaccessible. TTo prevent thiis, DNS has to be
prottected. Windo
ows Server 2012 implementts DNS Securityy Extensions (D
DNSSEC) to prrotect the
auth
henticity of DN
NS responses.
DHC
CP has long be
een used to ea
ase the distribu
ution of IP add
dresses to netw
work client com
mputers. Wind
dows
Servver 2012 impro
oves the functionality of DHCP by providin
ng failover cap
pabilities.
Lessson Objectiives
Afte
er completing this lesson, yo
ou will be able to:
Configure DN
NSSEC.
What's New in DNS in Windows Server 2012
DNSSEC and GlobalNames zones are two features that continue to be available in Windows Server 2012.
However, the DNSSEC implementation has been simplified in Windows Server 2012.
DNSSEC
Intercepting and tampering with an organization's DNS query response is a common attack method. If an
attacker can alter the response from a DNS server, or send a spoofed response to point client computers
to their own servers, they can gain access to sensitive information. This is known as a man-in-the-middle
attack. Any service that relies on DNS for the initial connection, such as e-commerce web servers and
email servers, is vulnerable. DNSSEC is intended to protect clients that are making DNS queries from
accepting false DNS responses. DNSSEC authenticates the data and detects tampering; it does not encrypt
queries or responses, so it does not hide what a client looks up.
New Resource Records
Validation of DNS responses is achieved by associating a private/public key pair (generated by the
administrator) with a DNS zone and defining additional DNS resource records to sign and publish keys.
Resource records distribute the public key while the private key remains on the server. When the client
requests validation, DNSSEC adds data to the response that enables the client to authenticate the
response.
Windows Server 2012 defines the new resource records in the following table.
Resource Record   Purpose
DNSKEY            Publishes the public key for the zone. Resolvers use it to verify the signatures (RRSIG
                  records) that the DNS server produced with the matching private key, which never leaves
                  the server. These keys require periodic replacement, known as key rollover. Windows
                  Server 2012 supports automated key rollovers.
DS                A delegation record that contains the hash of the public key of a child zone. This record
                  is signed by the parent zone's private key. If a child zone of a signed parent is also
                  signed, the DS records from the child must be manually added to the parent so that a
                  chain of trust can be created.
RRSIG             Carries the digital signature for a resource record set, produced with the zone's private
                  key. A validating resolver checks it against the DNSKEY before trusting the answer.
NSEC              When the DNS response has no data to provide to the client, this record authenticates
                  that the host does not exist.
Trust Anchors
A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores
preconfigured public keys that are associated with a specific zone. In DNS the trust anchor is the DNSKEY
or DS resource record. Client computers use these records to build trust chains. A trust anchor for the
zone must be configured on every domain DNS server in order to validate responses from that signed
zone. If the DNS server is a domain controller, then Active Directory integrated zones can distribute the
trust anchors.
The Name Resolution Policy Table (NRPT) contains rules that control the DNS client behavior for sending
DNS queries and processing the responses from those queries. For example, a DNSSEC rule prompts the
client computer to check for validation of the response for a particular DNS domain suffix. Group Policy
is the preferred method of configuring the NRPT. If there is no NRPT present, the client computer does
not validate responses.
The zone replication scope or type cannot be changed while a zone is signed.
GlobalNames Zones
GlobalNames zones address a problem in multiple DNS domain environments. Without them you must
maintain a list of DNS search suffixes on client computers to resolve names among these multiple DNS
domains. For example, if an organization supports two DNS domains, such as Widgets.com and Corp.com,
users in the Widgets.com DNS domain have to use the fully qualified domain name (FQDN) to locate the
servers in Corp.com, or the domain administrator has to add a DNS search suffix for Corp.com on all the
systems in the Widgets.com domain. In other words, if users in the Widgets.com domain want to locate a
server named Data in the Corp.com domain, they would have to search for the FQDN of Data.Corp.com to
locate that server. If they just search for the server name Data, then the search would fail.
GlobalNames zones are based on creating Canonical Name (CNAME) records (or aliases) in a special
forward lookup zone that uses single names to point to FQDNs. GlobalNames zones enable clients in any
DNS domain to use a single-label name, such as Data, to locate a server whose FQDN is Data.corp.com
without having to use the FQDN.
Creating GlobalNames Zones
To create GlobalNames zones:
Manually create CNAME records that point to records that already exist in the other zones hosted on
your DNS servers.
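The GlobalNames zone described above, created and populated with Windows PowerShell instead of the DNS console; this is an added example and is not part of the course text. It assumes a Windows Server 2012 domain controller that hosts the AD-integrated corp.com zone, the DnsServer module, and that data.corp.com already has a host (A) record; the zone, host and domain names are the course's fictitious ones.

```powershell
# Added example: create and enable a GlobalNames zone on a Windows Server 2012
# DNS server, then publish one single-label alias.
# Assumptions: run as a domain admin on a DC that is a DNS server, the DnsServer
# module is present, and data.corp.com already resolves.

Import-Module DnsServer

# 1. The zone must be named exactly "GlobalNames". Forest-wide replication lets every
#    DNS server in the forest answer single-label queries from its own copy. Dynamic
#    update is disabled: the zone should only ever hold administrator-created aliases.
if (-not (Get-DnsServerZone -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope 'Forest' -DynamicUpdate 'None'
}

# 2. The server does not consult the zone until GlobalNames support is switched on.
#    Run this on every DNS server that hosts a copy of the zone.
Set-DnsServerGlobalNameZone -Enable $true

# 3. Single-label alias -> FQDN, as a CNAME. The target must already exist in its own zone;
#    GlobalNames holds aliases only, never the address records themselves.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'Data' -HostNameAlias 'data.corp.com'

# 4. Verify on the server (the CNAME is present) and on a client in any domain
#    (the single label resolves with no search suffix involved).
Get-DnsServerResourceRecord -ZoneName 'GlobalNames' -RRType CName
Resolve-DnsName -Name 'Data' -Type CNAME
```

Note that a GlobalNames lookup is only attempted after the server fails to find the single-label name in its own zones, so a host record named Data in the querying client's own domain still wins.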
How to Configure DNSSEC
Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and
administration was performed manually, and zones were signed while they were offline. Windows Server
2012 includes a DNSSEC wizard to simplify the configuration and signing process, and enables online
signing.
Deploying DNSSEC
To deploy DNSSEC:
1.
2.
3. Configure trust anchor distribution points.
4. Configure the NRPT on the client computers.
Assign the DNS Server Role
To add the DNS server role, from the Server Manager Dashboard, use the Add Roles and Features Wizard.
You can also add this role when you add the AD DS role. Configure the primary zones on the DNS
server. After a zone is signed, any new DNS server on Windows Server 2012 automatically receives the
DNSSEC parameters.
To access the DNSSEC zone signing wizard, right-click the primary zone. You can sign zones on any
Windows Server 2012 DNS server that hosts a primary zone. You cannot configure DNSSEC on secondary
zones. The wizard guides you through all the configuration steps required to sign the zone.
The following signing options are available:
The Configure the zone signing parameters option guides you through the steps and enables you
to set all values for the Key Signing Key (KSK) and the Zone Signing Key (ZSK).
The Sign the zone with parameters of an existing zone option enables you to keep the same
values and options as another signed zone.
The Use recommended settings option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface.
If the zone is Active Directory integrated, you should select to distribute the trust anchors to all the servers
in the forest. If trust anchors are required on computers that are not joined to the domain, for example, a
DNS server in the perimeter network (also known as DMZ, demilitarized zone, and screened subnet), then
you should enable automated key rollover.
The DNS client computer only performs DNSSEC validation on domain names where it is configured to
do so by the NRPT. A client computer running Windows 7 is DNSSEC aware, but does not perform
validation. It relies on the security-aware DNS server to perform validation on its behalf.
In this demonstration you will see how to use the wizard in the DNS management console to configure
DNSSEC.
Demonstration Steps
1.
2.
3. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.
4. Verify the DNSKEY resource records were created in the Trust Points zone.
5. Use the Group Policy Management Console to configure the NRPT. Create a rule that enables DNSSEC
for the Adatum.com suffix and requires DNS client computers to check that the name and address data
is validated.
6.
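The zone signing, trust anchor distribution, NRPT rule and verification that the deployment steps and the demonstration describe, as one added Windows PowerShell example; it is not part of the course text or the demonstration. It assumes LON-DC1 is a Windows Server 2012 domain controller hosting the AD-integrated Adatum.com zone, that the DnsServer and DnsClient modules are present, and that the NRPT rule is written to the Default Domain Policy GPO; the key sizes, the ZSK rollover period and the export folder are choices made here, not course values.

```powershell
# Added example: sign Adatum.com with DNSSEC, distribute the trust anchor, require
# validation on clients through the NRPT, and check the result.
# Assumptions: run as a domain admin on LON-DC1; GPO name, key sizes, rollover
# period and C:\DnssecKeys are this example's choices.

Import-Module DnsServer, DnsClient
$zone = 'Adatum.com'

# Keys: an explicit KSK and ZSK rather than -SignWithDefault, so the algorithm and
# sizes are on record. The private keys stay on the server; only DNSKEY is published.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048 `
    -RolloverPeriod (New-TimeSpan -Days 90)   # automated rollover cadence for the ZSK

# Online signing with the keys just added (the wizard's "Configure the zone signing
# parameters" path). Add -DoResign later to re-sign an already signed zone.
Invoke-DnsServerZoneSign -ZoneName $zone -Force
Get-DnsServerSigningKey -ZoneName $zone

# Trust anchor distribution. For an AD-integrated zone the DNSKEY trust anchor can be
# replicated to every DC that runs DNS, which is what the wizard offers.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey

# DNS servers outside the forest (the perimeter network case) are not reached by
# replication: export the DS set and import it there with Add-DnsServerTrustAnchor.
# Those servers need the same treatment again after every KSK rollover.
New-Item -ItemType Directory -Path 'C:\DnssecKeys' -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\DnssecKeys' -DigestType Sha256 -Force

# Verify what the demonstration checks by hand: DNSKEY records in the zone and the
# anchor in the Trust Points store.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Get-DnsServerTrustAnchor -Name $zone

# NRPT: without a rule the client never validates. -DnsSecValidationRequired makes the
# client reject an answer the server could not validate (the "name and address data
# is validated" requirement from the demonstration). Written to a GPO, not locally.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired `
    -GpoName 'Default Domain Policy' -Server 'LON-DC1' `
    -Comment 'Require DNSSEC validation for Adatum.com'

# Client-side check after gpupdate: the rule is present, and a query with the DO bit
# set returns an answer (a validation failure would surface as SERVFAIL).
Get-DnsClientNrptPolicy
Resolve-DnsName -Name "lon-dc1.$zone" -Type A -DnssecOk
```

Because Windows 7 and Windows 8 clients do not validate themselves, the server that the client sends the query to must be DNSSEC-capable and hold the trust anchor; the NRPT rule only makes the client insist that the server reports the answer as validated.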
What's New in DHCP in Windows Server 2012
DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers losing
connectivity to the network and all its resources if there is a DHCP server failure.
Another new feature in Windows Server 2012 is DHCP name protection. Names that are registered in DNS
by DHCP on behalf of systems must be protected from being overwritten by non-Microsoft systems that
have the same name. For example, a Unix-based system named Client1 could potentially overwrite the
DNS address that was assigned and registered by DHCP on behalf of a Windows-based system also named
Client1. DHCP name protection addresses this issue.
DHCP Failover
DHCP client computers renew their lease on their IP address at regular, configurable intervals. If the DHCP
server service fails, then leases time out, and eventually client computers no longer have IP addresses. In
the past, DHCP failover was not possible because DHCP servers were independent and unaware of one
another. Configuring two separate DHCP servers to distribute IP addresses within the same pool could
lead to duplicate address assignment if the administrator incorrectly configured overlapping ranges. The
DHCP server failover feature enables an alternative DHCP server to distribute IP addresses and associated
option configuration to the same subnet or scope. Lease information is replicated between the two DHCP
servers. If one of the DHCP servers fails, then the other DHCP server services the client computers for the
whole subnet. In Windows Server 2012 you can configure one alternative DHCP server for failover.
Additionally, only IPv4 scopes and subnets are supported because IPv6 uses a different IP address
assignment scheme.
Note: For more information about DHCP options in IPv6, see:
http://technet.microsoft.com/en-us/library/cc753493.
DHCP Name Protection
How to Configure Failover for DHCP
To configure failover of DHCP you must establish a failover relationship between the two servers. You
must give this relationship a unique name. This name is exchanged with the failover partner during the
configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP
servers, as long as they all have unique names. Failover is configured through a wizard that you can start
on the shortcut menu of the IPv4 node or the scope node.
Note: DHCP failover is time sensitive. Time must be kept synchronized between the partners in the
relationship. If the time difference is greater than one minute, the failover process will stop with a critical
error.
Configure Maximum Client Lead Time
The administrator configures the Maximum Client Lead Time (MCLT) parameter to determine the time
that a DHCP server waits if the partner is unavailable before assuming control of the whole address range.
This value cannot be zero and the default is one hour.
Configure Failover Mode
Failover can be configured in one of two modes:
Mode                Characteristics
Hot Standby Mode    One server actively leases addresses for the scope; the partner holds a reserved portion
                    of the address range and services clients only while the active server is unavailable.
Load Sharing Mode   This is the default mode. In this mode both servers concurrently distribute IP
                    configuration to client computers. Which server responds to IP configuration requests
                    depends on how the administrator configures the load distribution ratio. The default
                    ratio is 50:50.
Configure Auto State Switchover Interval
When a server loses contact with its partner it goes into a communication interrupted state. Because
the server cannot determine what is causing the communication loss, it stays in this state until the
administrator manually changes it to a partner down state. The administrator can also enable automatic
transition to the partner down state by configuring the auto state switchover interval. The default value
for this interval is 10 minutes.
Firewall Considerations
DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following incoming
and outgoing firewall rules:
Microsoft-Windows-DHCP-Failover-TCP-In
Microsoft-Windows-DHCP-Failover-TCP-Out
The Configure Failover Wizard steps you through the process of creating a failover relationship. The
wizard prompts you to enter the following information:
The MCLT
The Mode
A shared secret
The shared secret authenticates the two partners to each other on the failover connection, so choose it as
you would any other service password. The failover relationship can then be modified as required through
the Failover tab in the properties of IPv4.
Demonstration Steps
1.
2. Start the DHCP console and view the current state of DHCP. Note the server is authorized but no
scopes are configured.
3. Switch to LON-DC1.
4. Open the DHCP Management console and start the Configure Failover Wizard.
5.
6.
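The failover relationship from this section and the demonstration, created with Windows PowerShell instead of the wizard, with the prerequisite checks (time, port 647, no duplicate scope) that the wizard does not make for you; this is an added example, not course text. It assumes you run it on LON-DC1 as a domain admin, that LON-SVR1 is the authorized partner with no copy of the scope, that the DhcpServer module is present, and a hypothetical scope 172.16.0.0; Test-NetConnection ships with Windows 8.1 and Server 2012 R2, so on Server 2012 itself check port 647 with another tool.

```powershell
# Added example: load-sharing DHCP failover between LON-DC1 and LON-SVR1 for one
# IPv4 scope, plus name protection. Assumptions: run on LON-DC1; the scope ID and
# relationship name are this example's choices.

Import-Module DhcpServer
$partner = 'LON-SVR1'
$scope   = '172.16.0.0'
$relName = 'LON-DC1-LON-SVR1'   # must be unique per partner pair

# Prerequisite 1: clocks. The relationship fails with a critical error when the
# partners differ by more than one minute; the offset column here should be near 0.
w32tm /stripchart /computer:$partner /samples:3 /dataonly

# Prerequisite 2: the failover channel, TCP 647, and the rules the role created.
Test-NetConnection -ComputerName $partner -Port 647      # Windows 8.1 / 2012 R2 and later
Get-NetFirewallRule | Where-Object DisplayName -like '*DHCP*Failover*' |
    Select-Object Name, Enabled, Direction

# Prerequisite 3: the partner must not already serve the same range independently,
# otherwise the two servers hand out duplicate addresses until failover takes over.
if (Get-DhcpServerv4Scope -ComputerName $partner -ScopeId $scope -ErrorAction SilentlyContinue) {
    throw "Scope $scope already exists on $partner; failover must create it there"
}

# Create the relationship. The shared secret authenticates both ends of the channel;
# MCLT is the one-hour default; after 10 minutes in COMMUNICATION INTERRUPTED the
# survivor moves to PARTNER DOWN by itself instead of waiting for an administrator.
$secret = Read-Host -Prompt 'Failover shared secret'
Add-DhcpServerv4Failover -Name $relName -PartnerServer $partner -ScopeId $scope `
    -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret $secret -Force

# Name protection for the scope: DHCP registers a DHCID record with the A record, and
# the DNS server refuses a later registration for the same name from another client.
Set-DhcpServerv4DnsSetting -ScopeId $scope -NameProtection $true

# Verify from both sides and push the current leases to the partner once.
Get-DhcpServerv4Failover -Name $relName
Get-DhcpServerv4Failover -ComputerName $partner -Name $relName
Invoke-DhcpServerv4FailoverReplication -Name $relName -Force
```

For hot standby instead of load sharing, replace -LoadBalancePercent with -ServerRole Active (or Standby) and -ReservePercent for the share of the range the standby server may lease while the active server is down.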
Lesson 2
Implementing IP Address Management
Lesson Objectives
After completing this lesson, you will be able to:
Describe IPAM.
What is IP Address Management?
IP management is difficult in large networks because tracking IP address usage is largely a manual
operation. IPAM is a framework for discovering, utilization monitoring, auditing, and managing the IP
address space in a network. IPAM enables the administration and monitoring of DHCP and DNS. IPAM
provides a comprehensive view of where IP addresses are used. IPAM collects information from domain
controllers and Network Policy Servers (NPS) and stores that information in the Windows Internal
Database.
IPAM assists in the areas of IP administration shown in the following table.
IP Administration Area   IPAM Capabilities
Planning                 Provides a tool set that can reduce the time and expense of the planning process
                         when changes occur in the network.
Managing                 Provides a single point of management and assists in optimizing utilization and
                         capacity planning for DHCP and DNS.
Tracking
Auditing
Benefits of IPAM
IPAM benefits include:
IP address space utilization statistics and trend monitoring.
Static IP inventory management, lifetime management, and DHCP and DNS record creation and
deletion.
Service and zone monitoring of DNS services.
IP address lease and logon event tracking.
Remote administration support through Remote Server Administration Tools (RSAT).
Note: IPAM does not support management and configuration of non-Microsoft network elements.
IPAM Architecture
IPAM consists of four main modules, as shown in the following table:
Module                      Description
IPAM discovery              You use Active Directory to discover servers running Windows Server 2008 and
                            later versions that have DNS, DHCP, or AD DS installed. Administrators can
                            define the scope of discovery to a subset of domains in the forest. They can also
                            manually add servers.
IP address space            You can use this module to view, monitor, and manage the IP address space.
management (ASM)            You can dynamically issue or statically assign addresses. You can also track
                            address utilization and detect overlapping DHCP scopes.
Multi-server management     You can manage and monitor multiple DHCP servers. This enables tasks to be
and monitoring              executed across multiple servers. For example, you can configure and edit DHCP
                            properties and scopes and track the status of DHCP and scope utilization. You
                            can also monitor multiple DNS servers, and monitor the health and status of
                            DNS zones across authoritative DNS servers.
Operational auditing        You can use the auditing tools to track potential configuration problems.
and IP address tracking     You can also collect, manage, and view details of configuration changes from
                            managed DHCP servers. You can also collect address lease tracking from DHCP
                            lease logs, and collect logon event information from Network Policy Servers
                            (NPS) and domain controllers.
Hybrid: A central IPAM server is deployed together with a dedicated IPAM server in each site.
Note: IPAM servers do not communicate with one another or share database information. If you deploy
multiple IPAM servers, you must customize the discovery scope of each server.
IPAM has two main components:
To manage the IPv6 address space, IPv6 must be enabled on the IPAM server.
Ensure that logging of account logon events is enabled on DC and NPS servers for the IP Address
Tracking and auditing feature of IPAM.
4 GB of RAM or more
In this demonstration you will see how to install IPAM. You will also see how to create the related GPOs
and begin server discovery.
Demonstration Steps
1.
2. In Server Manager, add the IPAM feature and all required supporting features.
3. From the IPAM Overview pane, provision the IPAM server by using Group Policy.
4.
5. From the IPAM Overview pane, configure server discovery for the Adatum domain.
6. From the IPAM Overview pane, start the server discovery process.
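The installation, Group Policy provisioning and audit prerequisite from this lesson and the demonstration, as an added Windows PowerShell example that is not part of the course text. It assumes you run it as a domain admin on LON-SVR1 in adatum.com (IPAM cannot be installed on a domain controller), that the IpamServer module is present, and a hypothetical GPO prefix "IPAM"; Add-IpamDiscoveryDomain exists from Windows Server 2012 R2 on, so on Server 2012 that step is done in the IPAM console as the demonstration shows.

```powershell
# Added example: install IPAM, create the provisioning GPOs, check the audit setting
# that lease/logon tracking depends on, and (2012 R2+) set the discovery scope.
# Assumptions: run on LON-SVR1 in adatum.com; GPO prefix "IPAM" is this example's choice.

# The feature pulls in the Windows Internal Database that IPAM stores its data in.
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# Group Policy provisioning creates three GPOs, <prefix>_DHCP, <prefix>_DNS and
# <prefix>_DC_NPS. They apply only to servers whose IPAM access status is later set
# to "Managed", and grant this IPAM server read access to DHCP/DNS configuration,
# audit logs and lease logs on those servers.
Invoke-IpamGpoProvisioning -Domain 'adatum.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'LON-SVR1.adatum.com' -Force

# Audit prerequisite: IP address tracking correlates DHCP leases with Account Logon
# events from DCs and NPS. Check on each DC/NPS server that success auditing is on;
# the commented line enables the Kerberos subcategory if "No Auditing" is reported.
auditpol /get /category:"Account Logon"
# auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable

# Discovery scope (IpamServer module, Windows Server 2012 R2 and later; assumption
# noted in the lead-in). Each IPAM server needs its own, non-overlapping scope
# because IPAM servers do not share a database.
Add-IpamDiscoveryDomain -Name 'adatum.com' -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true
```

Discovery only finds servers; each one still has to be marked Managed in the console (or with Set-IpamServerInventory on 2012 R2 and later) before the provisioning GPOs apply to it and data collection starts.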
Lesson 3
NAP Overview
NAP is a policy-enforcement platform that is built into Windows XP with Service Pack 3 (SP3) and later
operating systems, and into Windows Server 2008 and later operating systems. NAP enables you to
protect network assets by enforcing compliance with system-health requirements. NAP provides the
necessary software components to help ensure that computers that are connected or connecting to the
network remain manageable so that they do not become a security risk to the network and other
attached computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe NAP.
Describe NAP architecture.
Describe scenarios for using NAP.
What is NAP?
NAP enforces client computer health before it enables client computers to access the network. Client
health can be based on characteristics such as antivirus software status, Windows Firewall status, or the
installation of security updates. The monitored characteristics are based on which system health agents
are installed.
NAP enables you to create solutions for validating computers that connect to your networks, in addition
to providing needed updates or access to needed health update resources, and limiting the access or
communication of noncompliant computers.
You can integrate NAP's enforcement features with software from other vendors or with custom
programs. You can customize the health-maintenance solution that developers within your organization
might develop and deploy, whether for monitoring the computers accessing the network for health policy
compliance, automatically updating computers with software updates to meet health policy requirements,
or limiting the access to a restricted network of computers that do not meet health policy requirements.
NAP does not protect a network from malicious users. Instead, it enables you to maintain the health of
your organization's networked computers automatically, which in turn helps maintain the network's
overall integrity. For example, if a computer has all the software and configuration settings that the health
policy requires, the computer is compliant and has unlimited network access. NAP does not prevent an
authorized user who has a compliant computer from uploading a malicious program to the network or
engaging in other unsuitable behavior.
Also, unless configured specifically, NAP cannot determine whether a client computer is free of viruses,
trojans, rootkits or malware. Default behavior is to check for compliance in having current antivirus
software and configurations.
Features of NAP
NAP has three important and distinct features:
Health state validation: When a client computer tries to connect to the network, NAP validates the
computer's health state against the health-requirement policies that the administrator defines. You
can also define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated and the compliance state of each computer is logged for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies
could find their access limited to a restricted network.
Limited Access: You can protect your networks by limiting the access of noncompliant computers.
You can base limited network access on a specific time, or on the resources that the noncompliant
computer can access. In the latter case, you define a restricted network that contains health update
resources, and the limited access lasts until the noncompliant computer comes into compliance. You
can also configure exceptions so that computers that are incompatible with NAP do not have limited
network access.
What's New for NAP in Windows Server 2012
Support for Windows PowerShell
You can now use Windows PowerShell to automate the installation of the Network Policy and Access
Services server role. You can also use Windows PowerShell to deploy and configure some aspects of
Network Policy Server.
Removed Functionality
In Windows Server 2008 R2 and Windows Server 2008, Network Policy and Access Services included
the Routing and Remote Access Service role service. In Windows Server 2012, RRAS is now a role service
in the Remote Access server role.
NAP Architecture
The following table describes the NAP components.
Component: NAP clients
Description: Computers that support the NAP platform for system health-validated network access or
communication. Client architecture consists of:
  NAP enforcement client (EC): ECs monitor attempts to connect to the network. Different EC
  components exist for different types of network access.
  System health agents (SHA): SHAs report on one or more elements of system health. For example,
  there might be an SHA for checking antivirus definitions and another for checking Windows updates.
  The SHA returns a statement of health (SoH) to the NAP agent, which passes that to the NAP health
  policy server for evaluation.
  NAP agent: Collects and stores SoHs from the SHAs and supplies them to the ECs when requested.
Component: NAP enforcement points
Description: NAP enforcement points are computers or network-access devices that use NAP to evaluate
a NAP client computer's health state. NAP enforcement points rely on policies from a Network Policy
Server (NPS) to perform that evaluation and determine whether network access or communication is
enabled, and the set of remediation actions that a noncompliant NAP client computer must perform.
NAP enforcement points can include:
  Health Registration Authority (HRA) is a server running Windows Server 2012 with Internet
  Information Services (IIS) installed that obtains health certificates from a certification authority (CA)
  for compliant computers.
  VPN server is a Windows Server 2012 server that runs Routing and Remote Access, and that enables
  remote access VPN intranet connections through remote access.
  DHCP server is a Windows Server 2012 server that runs the DHCP Server service.
  Network access devices are Ethernet switches or wireless access points that support IEEE 802.1X
  authentication.
Component: NAP health policy servers
Description: Windows Server 2012 servers that run the NPS service and store health-requirement policies
and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), and
the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003
provides. The NAP health policy server has the following components:
  NPS service: Receives RADIUS requests, extracts the System Statement of Health (SSoH) and passes it
  to the NAP administration server component.
  NAP Administration Server: Makes communication easier between the NPS service and the SHVs.
  System Health Validators (SHV): You define SHVs for system health elements and match them to an
  SHA. An example of these would be an SHV for antivirus software that tracks the latest version of the
  antivirus definition file.
Component: Active Directory Domain Services
Description: AD DS stores account credentials and properties, and stores Group Policy settings. Although
not required for health-state validation, Active Directory is required for IPsec-protected communications,
802.1X-authenticated connections, and remote access VPN connections.
Component: Restricted network
Description: This is a separate logical or physical network that has the following components:
  Remediation servers that contain health update resources, such as antivirus definition distribution
  points and Windows software update servers, which NAP client computers can access to remedy their
  noncompliant state.
  NAP client computers that have limited access are added on the restricted network when they do not
  comply with health-requirement policies.
Roaming Portable Computers
Portability and flexibility are two primary portable computer advantages, but these features also present
a system health threat. Users frequently connect their portable computers to other networks. When users
are away from your organization, their portable computers might not receive the most recent software
updates or
Desktop Computers
Although desktop computers are usually not taken out of the company building, they still can present a
threat to the network. To minimize this threat, you must maintain these computers with the most recent
updates and required software. Otherwise, these computers are at risk of infection from websites, email,
files from shared folders, and other publicly available resources. NAP enables you to automate health
state checks to verify each desktop computer's compliance with health-requirement policies. You can
check log files to determine which computers do not comply. Additionally, using management software
enables you to generate automatic reports and automatically update noncompliant computers. When you
change health-requirement policies, computers can be provisioned automatically with the most recent
updates.
Visiting Portable Computers
Organizations frequently have to enable consultants, business partners, and guests to connect to their
private networks. The portable computers that these visitors bring into your organization might not meet
system health requirements and can present health risks. NAP enables you to determine which visiting
portable computers are noncompliant and limit their access to restricted networks. Typically, you would
not require or provide any updates or configuration changes for visiting portable computers. You can
configure Internet access for visiting portable computers, but not for other organizational computers that
have limited access.
Unmanaged Home Computers
Unmanaged home computers that are not a member of the company's Active Directory domain can
connect to a managed company network through VPN. Unmanaged home computers provide an
additional challenge because you cannot physically access these computers. Lack of physical access makes
enforcing compliance with health requirements, such as the use of antivirus software, more difficult.
However, NAP enables you to verify the health state of a home computer every time that it makes a VPN
connection to the company network, and to limit its access to a restricted network until it meets system
health requirements.
Considerations for NAP
Before you implement NAP, you must consider the following points.
Considerations for NAP Client Computer Deployment
Before you can use NAP on client computers, you must configure the NAP settings. Although you can use
the Netsh commands to configure all aspects of the NAP client computer, Group Policy is the preferred
method of deploying client computer settings. The NAP Client Configuration console and NAP client
computer configuration settings in the Group Policy Management Console provide a graphical user
interface for configuring NAP client computer settings.
VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client
computer and performs the validation. This method requires a computer certificate to perform
PEAP-based user or computer authentication.
DHCP: The DHCP server interacts with the policies from the NPS to determine the client computer's
compliance. Because it depends on the client requesting a lease, a computer configured with a static IP
address bypasses DHCP enforcement; it is the weakest of the enforcement methods.
IPsec: Enforces the policy and configures the systems out of compliance with a limited-access local IP
security policy for remediation. This method requires health certificates, which the Health Registration
Authority (HRA) obtains from a certification authority for compliant computers.
802.1X: Authenticates over an 802.1X-authenticated network and is the best solution when integrating
hardware from other vendors.
You can provide a remediation network as a location for client computers that are out of compliance to
resolve issues and then gain access to the network. It is important to make the remediation network a
place where client computers can gain the required updates or definitions without help desk intervention.
Lesson 4
Implementing NAP
Lesson Objectives
After completing this lesson you will be able to:
System Health Validators (SHVs) are required to determine what the system health policy checks for. SHVs
can check for Windows Firewall settings, antivirus and spyware protection, Windows Updates, and so on.
Health policies compare the state of a client computer's health according to SHVs that are defined by
corporate requirements and determine whether the client computer is compliant or noncompliant with
the corporate policy. A health policy can be defined to check one of the following:
Client fails one or more SHV checks
Remediation networks are not an absolute requirement, but can provide a means for a client computer
to become compliant. For example, a network policy can direct a noncompliant client computer to a
network segment that contains a Web site from which the client computer can obtain current virus
definitions or Windows Updates.
NAP with VPN
NAP enforcement for the VPN method works by using a set of remote access IP packet filters to limit the
traffic of a noncompliant VPN client computer so that it can only reach the resources on the restricted
network. Compliant client computers will be granted full access. VPN servers can enforce the health
policy for computers that are considered to be noncompliant by applying the filters.
Note: Site-to-site VPN connections do not support NAP health evaluation.
To deploy NAP with VPN you must:
Install RRAS as a VPN server and configure the NPS as the primary RADIUS server.
Configure the VPN servers as RADIUS client computers in the NPS.
Configure SHVs to test for health conditions.
Create compliant health policies to pass selected SHVs and a noncompliant health policy to fail
selected SHVs.
Configure a network policy with the source set to the VPN server. Full access will be granted to
compliant computers and limited access to noncompliant computers.
Issue computer certificates to use PEAP authentication.
NAP with IPsec
NAP IP security (IPsec) enforcement provides the strongest and most flexible method for
maintaining client computer compliance with network health requirements.
To implement NAP with IPsec you must:
Configure a certification authority (CA) to issue health certificates: the System Health
Authentication template must be issued and the HRA must be granted permission to enroll the
certificate.
Select authentication requirements: the HRA can provide health certificates to authenticated domain
users only, or optionally provide health certificates to anonymous users.
Configure the NPS server with the required health policies.
Configure NAP client computers for IPsec NAP enforcement: the NAP agent must be running and the
NAP IPsec EC must be running. You can do this through Group Policy or local policy or Netsh
commands.
Secure network - Computers on the secure network have health certificates and require that
incoming communication is authenticated by using these certificates.
Boundary network - Computers on the boundary network have health certificates, but do not
require IPsec authentication of incoming communication attempts.
Restricted network - Computers on the restricted network do not have health certificates.
NAP with DHCP
NAP enforcement can be integrated with DHCP so that NAP policies can be enforced when a client
computer tries to lease or renew its DHCP address.
The NPS server uses health policies and SHVs to evaluate client computer health. Based on the
evaluation the NPS tells the DHCP server to provide full access to compliant computers and
to restrict access to noncompliant computers.
The components listed in the following table must be defined on the NPS.
Component - Description
Radius client computers
Network policy - Source must be set to DHCP server. Both compliant and noncompliant
policies are set to grant access.
Connection request policy - Source is set to DHCP server. The policy authenticates requests on this
server.
Health policies - Must be configured to pass SHVs in the compliant policy and fail SHVs in the
noncompliant policy.
SHVs - Health checks are configured on the NPS server.
NAP agent - Must be running on the client computer.
IP address configuration - Must be configured to use DHCP. Clients that have a static IP address
cannot be evaluated.
Demonstration: Implementing NAP with DHCP
Because you are configuring NPS on the DHCP server you do not have to designate the DHCP server as a
RADIUS client computer.
You will configure the policy for all scopes.
Demonstration Steps
1.
Install Network Policy and Access Services on LON-DC1.
2.
3.
Configure DHCP to enable Network Access Protection for all scopes.
Network Access Protection with 802.1X
You can provide NAP enforcement to an IEEE 802.1X-capable device, such as a wireless access
point, authenticating switch, or other network device. NAP enforcement occurs when client
computers try to access the network through these devices.
NAP with 802.1X has the following characteristics:
Radius client computers must be added in the NPS console and are identified by host name
or IP address.
A shared secret must be configured in the NPS server and the device to identify the radius client
computer.
Server certificates must be installed and client computers must trust these certificates.
Network authentication must use EAP authentication methods: secure passwords, smart cards, or
other certificates.
If your access points support VLANs, you can configure that information for NPS. For example, the
restricted network may be a VLAN.
When you create network policies and connection request policies, the type of network access server
should be set to Unspecified.
Connection request policies must be configured to use PEAP authentication in the policy.
A. Datum has grown quickly over the last few years in several ways. The company has deployed several
new branch offices, it has significantly increased the number of users in the organization, and it has
expanded the number of partner organizations and customers who are accessing A. Datum websites and
applications. This expansion has resulted in increasing complexity of the network infrastructure at A.
Datum, and has also meant that the organization has to be much more aware of network level security.
IT management and the security group at A. Datum are also concerned with the level of compliance for all
client computers on the network. A. Datum plans to implement NAP for all client computers and all client
computer connections, but is starting with a pilot program to enable NAP for VPN users.
As one of the senior network administrators at A. Datum, you are responsible for implementing the
new features in the Windows Server 2012 environment. You will implement some new DHCP and DNS
features, and then implement IPAM to simplify the process for managing the IP infrastructure. You will
also implement NAP for external VPN users.
Objectives
Lab Setup
Estimated time: 75 minutes
Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR2, 20417A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
a.
b.
Password: Pa$$w0rd
To increase security in your network, you want to implement new security features in DNS and DHCP.
Also, you want to achieve high availability for the IP addressing system. Therefore, you have decided to
implement DHCP Failover.
The main tasks for this exercise are as follows:
1.
Configure DNSSEC.
2.
3.
2.
Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.
3.
Verify the DNSKEY resource records were created in the Trust Points zone.
4.
5.
Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
the Adatum.com suffix and requires DNS client computers to check that the name and address data is
validated.
6.
Close the Group Policy Management Editor and Group Policy Management console.
2.
On LON-SVR1, start the DHCP console and view the current state of DHCP. Note the server is
authorized but no scopes are configured.
2.
3.
4.
Switch to LON-SVR1 and notice that the IPv4 node is active and the Adatum scope is configured.
5.
Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
2.
3.
4.
5.
On LON-SVR2, in Server Manager, add the IPAM feature and all required supporting features.
2.
3.
From the IPAM Overview pane, configure server discovery for the Adatum domain.
2.
From the IPAM Overview pane, start the server discovery process.
3.
In the yellow banner, click the More link to determine the discovery status.
From the IPAM Overview pane, add the servers to manage. Verify that IPAM access is currently
blocked for LON-DC1.
2.
Start Windows PowerShell and grant the IPAM server permission. Use the following command:
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com
3.
In the IPAM console, for LON-SVR1 and LON-DC1, set the manageability status to be Managed.
4.
5.
6.
7.
Switch back to LON-SVR2, and in the IPAM console, configure LON-SVR1 to be Managed.
8.
Refresh the Server Access Status and refresh the console view until LON-DC1 and LON-SVR1 show an
IPAM Access Status of Unblocked. This may take 10-15 minutes to complete.
9.
From the IPAM Overview pane retrieve data from the managed server.
Use IPAM to create a new DHCP scope called TestScope with the following parameters:
2.
3.
4.
5.
Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.
A. Datum has identified that remote client computers that connect through VPN have inconsistent
security configurations. Because these client computers are accessing important data, it is important for
all client computers to comply with company security policy. To increase the security of your network and
better manage client computers that establish remote connections, you decide to implement NAP for all
VPN connections.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
On LON-SVR2, create a new management console for Certificates focused on the local computer.
2.
3.
4.
Create a new management console for Certificates focused on the local computer.
5.
1.
2.
Configure the Windows Security Health Validator to only validate that the Windows Firewall is
enabled.
3.
Create two new Health Policies. One for compliant computers that pass all SHV checks and one for
noncompliant computers that fail one or more SHV checks.
Configure a network policy for compliant computers in such a way that the health policy allows them
full network access. Name the policy Compliant Full-Access.
2.
Configure a network policy for noncompliant computers in such a way that the health policy enables
them to exchange packets with LON-DC1 at 172.16.0.10 only. Name the policy NoncompliantRestricted.
2.
3.
Add conditions for Point to Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP),
and Layer 2 Tunneling Protocol (L2TP).
4.
Ensure requests are authenticated on this server and will override network policy authentication.
5.
Add Protected Extensible Authentication Protocol (PEAP) and edit it to enforce network access
protection.
Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.
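As an added illustration (not part of the course and not Microsoft code) of the evaluation path described in the NAP with VPN topic and built in this exercise: SHV results feed a health policy, and the matching network policy either grants full access or applies the remote access IP packet filters. The simplified WSHV checks, the first-match policy ordering and the client states are assumptions; the policy names and LON-DC1 at 172.16.0.10 are taken from the lab.

```python
"""
Model of the NPS decision path for VPN NAP enforcement:
SHV checks -> health policy -> network policy -> full access or IP packet filters.
Added example, not Microsoft code. The WSHV check functions, the reported state
field names and the first-match policy order are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence

# Simplified Windows Security Health Validator: each check reads the state the
# NAP agent reports for the client (assumed field names).
WSHV_CHECKS: Dict[str, Callable[[Dict[str, bool]], bool]] = {
    "firewall": lambda s: s.get("firewall_enabled", False),
    "antivirus": lambda s: s.get("antivirus_enabled", False),
    "updates": lambda s: s.get("auto_updates_enabled", False),
}

PASS_ALL = "client passes all SHV checks"
FAIL_ONE_OR_MORE = "client fails one or more SHV checks"


@dataclass
class HealthPolicy:
    name: str
    selected_checks: Sequence[str]   # which SHV checks this policy looks at
    mode: str                        # PASS_ALL or FAIL_ONE_OR_MORE

    def matches(self, results: Dict[str, bool]) -> bool:
        passed = all(results.get(c, False) for c in self.selected_checks)
        return passed if self.mode == PASS_ALL else not passed


@dataclass
class NetworkPolicy:
    name: str
    source: str                      # network access server type, e.g. "VPN"
    health_policy: HealthPolicy
    full_access: bool
    # Remote access IP packet filters applied to noncompliant clients.
    allowed_destinations: List[ipaddress.IPv4Network] = field(default_factory=list)


def evaluate_shvs(state: Dict[str, bool], selected: Sequence[str]) -> Dict[str, bool]:
    """Run the selected SHV checks against the client's reported state."""
    return {c: WSHV_CHECKS[c](state) for c in selected}


def match_network_policy(policies: Sequence[NetworkPolicy], source: str,
                         results: Dict[str, bool]) -> Optional[NetworkPolicy]:
    # Assumption: policies are evaluated in order and the first one whose
    # source and health-policy conditions both match is applied.
    for p in policies:
        if p.source == source and p.health_policy.matches(results):
            return p
    return None


def destination_permitted(policy: NetworkPolicy, dest: str) -> bool:
    """Compliant clients get full access; noncompliant clients are limited to
    the destinations allowed by the policy's packet filters."""
    if policy.full_access:
        return True
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in policy.allowed_destinations)


# Policies as the lab describes them: WSHV validates only Windows Firewall;
# noncompliant VPN clients may exchange packets with LON-DC1 (172.16.0.10) only.
COMPLIANT = HealthPolicy("Compliant", ["firewall"], PASS_ALL)
NONCOMPLIANT = HealthPolicy("Noncompliant", ["firewall"], FAIL_ONE_OR_MORE)
VPN_POLICIES = [
    NetworkPolicy("Compliant Full-Access", "VPN", COMPLIANT, full_access=True),
    NetworkPolicy("NoncompliantRestricted", "VPN", NONCOMPLIANT, full_access=False,
                  allowed_destinations=[ipaddress.ip_network("172.16.0.10/32")]),
]


def decide(state: Dict[str, bool], source: str = "VPN") -> Optional[NetworkPolicy]:
    """Run the NPS evaluation for one client state and return the applied policy."""
    results = evaluate_shvs(state, COMPLIANT.selected_checks)
    return match_network_policy(VPN_POLICIES, source, results)


if __name__ == "__main__":
    # Constructed client states: firewall on, firewall off.
    for state in ({"firewall_enabled": True}, {"firewall_enabled": False}):
        p = decide(state)
        print(state, "->", p.name,
              "| LON-DC1:", destination_permitted(p, "172.16.0.10"),
              "| other host:", destination_permitted(p, "172.16.0.20"))
```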
After you have implemented the NAP infrastructure and configured the policies, you want to test NAP with a
VPN client computer.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
2.
Use gpedit.msc to open Local Group Policy and turn on the Security Center.
Use the NAP Client Configuration MMC to enable the EAP Quarantine Enforcement Client on
LON-CL1.
2.
Configure a new inbound rule that allows ICMPv4 echo packets through the firewall.
Task 4: Move the Client to the Internet and Establish a VPN Connection
1.
IP address: 131.107.0.20
2.
3.
Click Legacy Network Adapter and then under Network select Private Network 2, click OK.
4.
5.
6.
Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
7.
8.
In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft:
Protected EAP (PEAP) (encryption enabled) and then click Properties.
9.
Ensure that the Verify the server's identity by validating the certificate check box is already
selected. Clear the Connect to these servers check box, and then ensure that Secured password
(EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast
Reconnect check box and then select the Enforce Network Access Protection check box.
Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.
Ensure that IPv6 is enabled on the IPAM server in order to manage IPv6 address spaces.
Use Group Policy to configure NRPT tables for DNSSEC client computers.
Document the NPS configuration by using netsh nps show config > Path\File.txt to save the
configuration to a text file.
Troubleshooting Tip
Review Question
Question: What is a major drawback of IPAM?
Scenario: Tailspin Toys wants to implement IPsec NAP enforcement. What infrastructure components
have to be in place to support this method?
Scenario: You have implemented DNSSEC, but now you have to disable DNSSEC. How will you disable
DNSSEC?
Tools
Tool - Use - Where to find it
DHCP Management Console
Remote Access Management Console
Module 6
Implementing DirectAccess
Contents:
Module Overview
6-1
6-2
6-14
6-24
6-33
Module Overview
Introduced in Windows Server 2008 R2, the DirectAccess feature is a technology that enables users to
securely connect to data and resources in corporate networks without using traditional virtual private
network (VPN) technology. In Windows Server 2012, DirectAccess is now one of three component
technologies (DirectAccess, Routing, and Remote Access) that is integrated with a single, unified server
role called Windows Server 2012 Remote Access. DirectAccess seamlessly integrates and coexists with
what was formerly called Routing and Remote Access service (RRAS). DirectAccess itself is expanded to
add features such as integrated accounting, express setup for small and medium deployments, and
multiple domain support.
In this module, you will learn how DirectAccess works for internal and external clients. You will also learn
the new DirectAccess features introduced in Windows Server 2012 and Windows 8. In addition, you will
learn how to install and configure DirectAccess in different scenarios.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of DirectAccess
DirectAccess enables remote users to securely access corporate resources, such as email servers,
shared folders, or internal websites without connecting to a VPN. Also, DirectAccess provides increased
productivity for a mobile workforce by offering the same connectivity experience both inside and outside
the office. With the new unified management experience, you can configure DirectAccess and older VPN
connections from one location. Other enhancements in DirectAccess include simplified deployment, and
improved performance and scalability. This lesson provides an overview of the DirectAccess architecture
and components.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how DirectAccess works for internal clients.
Describe how DirectAccess works for external clients.
Problems with Remote Connections
Organizations often rely on traditional VPN connections to provide remote users with secure
access to data and resources on the corporate network. VPN connections usually need to be
configured manually. This sometimes presents interoperability issues in situations when
the users are using multiple different VPN clients.
Additionally, VPN connections face the following problems:
The connection requires several steps and the connection process takes at least several
seconds, or even more.
The connection could require additional configuration on the corporate firewall. If not properly
configured on the firewall, VPN connections usually enable remote access to the entire corporate
network.
Upgrading Your Skills to MCSA Windows Server 2012
DirectAccess Extends the Network to the Remotely-Connected Computers and Users
To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess
to provide a seamless connection between the internal network and the remote computer on the Internet.
With DirectAccess, organizations can effortlessly manage remote computers because they are always
connected.
What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet
resources without first establishing a user-initiated VPN connection. The DirectAccess feature also
ensures seamless connectivity to the application infrastructure for internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet,
DirectAccess enables any IPv6-capable application on the client computer to have complete access to
intranet resources. DirectAccess also enables you to specify resources and client-side applications
that are restricted for remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers. Using the same management and update servers, you can ensure they are always up-to-date
and in compliance with security and system health policies. You can also define more detailed access
control policies for remote access when compared with defining access control policies in VPN solutions.
DirectAccess offers the following features:
Connects automatically to the corporate intranet when connected to the Internet
Uses various protocols, including HTTPS, to establish IPv6 connectivity. HTTPS is typically allowed
through firewalls and proxy servers
Supports selected server access and end-to-end Internet Protocol Security (IPsec) authentication with
intranet network servers
Supports end-to-end authentication and encryption with intranet network servers
Supports management of remote client computers
Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have access
to intranet resources and you can also have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always
updated with recent security updates, the domain Group Policy is enforced, and there is no difference
whether the users are on the corporate intranet or on the public network. This bidirectional access
also results in:
Decreased update time
Increased security
Decreased update miss rate
Improved compliance monitoring
Manage-out Support. This feature is new in Windows Server 2012 and provides the ability to
enable only remote management functionality in the DirectAccess client. This new sub-option of
the DirectAccess client configuration wizard automates the deployment of policies that are used for
managing the client computer. Manage-out support does not implement any policy options that
allow users to connect to the network for file or application access. Manage-out support is
unidirectional, incoming-only access for administration purposes.
Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. You can use a granular policy to specifically define which user
can use DirectAccess, and the location from which the user can access it. IPsec encryption is used for
protecting DirectAccess traffic so that users can ensure that their communication is safe.
What's New in DirectAccess in Windows Server 2012
In Windows Server 2012, DirectAccess has several enhancements, especially in regards to
bypassing some common technology issues such as requirements for public key infrastructure (PKI)
and public IP addresses.
Improved DirectAccess Management
DirectAccess in Windows Server 2012 has been improved in the following ways:
DirectAccess and RRAS coexistence. The Windows Server 2012 DirectAccess and RRAS unified server role
solves the problems of interoperability of Denial of Service Protection (DoSP) and Internet Key
Exchange version 2 (IKEv2).
Rich monitoring of clients. You can view the health of user computers and servers along with
deployment monitoring and diagnostics in a single console in DirectAccess. Using the dashboard,
you can have top-level information about Remote Access servers and client activity. User and client
computer monitoring can provide you with information on which resources are accessed by the
clients.
Integrated accounting and reporting. Accounting and reporting is now integrated in the console and
provides the ability to measure specific metrics. It also enables administrators to generate rich usage
reports on various user and server statistics.
Windows PowerShell and Server Core support. Windows Server 2012 provides full Windows
PowerShell support for the setup, configuration, management, monitoring, and troubleshooting of
the Remote Access Server Role.
Unified management wizard and tools. You can use a single wizard and console for DirectAccess
configuration, management, and monitoring.
Works with existing infrastructure. You do not need to upgrade your existing domain controllers to
Windows Server 2012.
IPv6 for internal network is no longer required. This is because transition technologies such as network
address translation 64 (NAT64) and Domain Name System 64 (DNS64) allow access to internal
resources that are run only on IPv4 computers. Previously, this functionality was only possible to
achieve with deployments that included Microsoft Unified Access Gateway Server.
Single network adapter. You can implement your DirectAccess server behind a NAT with a single
network adapter.
Single IP address. In certain deployment scenarios, you can even use a single IP address for the
DirectAccess server. This makes deployment easier in comparison to the DirectAccess deployment
in Windows Server 2008.
The DirectAccess deployment has been simplified. Windows Server 2012 provides Express Setup for small
and medium deployment. Express Setup includes the following characteristics:
PKI deployment is optional, because the wizard creates a self-signed certificate without the need
for certificate revocation lists (CRLs). This functionality is achieved by using the HTTPS-based
Kerberos proxy (built into Windows Server 2012), which accepts client authentication requests and
sends them to domain controllers on behalf of the client.
Single factor authentication only; no support for smart card integration or using one-time
password (OTP).
Support for high availability and external load balancers. Windows Server 2012 supports network load
balancing (NLB) to achieve high availability and scalability for both DirectAccess and RRAS. The setup
process also provides integrated support for third party external hardware-based load balancer
solutions.
Improved support for Receive Side Scaling (RSS). DirectAccess provides support for RSS and supports
running DirectAccess in virtual machines with increased density:
IP-HTTPS interoperability and performance improvements. The Windows Server 2012 DirectAccess
implementation removes double encryption when using IP-HTTPS. Also, it reduces the time for
duplicate address detection, resulting in a significant performance improvement.
Lower bandwidth utilization. Windows Server 2012 reduces the overhead associated with
establishing connectivity methods, and optimizes batched send behavior and receive buffers,
which results in overall lower bandwidth utilization. Additionally, Windows Server 2012
DirectAccess supports Receive Side Scaling with User Datagram Protocol (UDP).
New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:
Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different
network locations, the Windows 8 device automatically chooses the closest endpoint. (For the
Windows 7 operating system, you have to specify the endpoint manually). This also works for
distributed file system (DFS) shares that are redirected to an appropriate Active Directory site.
Offload network adapters with support for network teaming. Network teaming in Windows Server
2012 is fully supported without the need for third-party drivers.
Off-premise provisioning. With the new djoin tool, you can easily provision a non-domain computer
with an Active Directory blob, so that the computer can be joined to a domain without the need to be
ever connected in your internal premises.
DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following
infrastructure components:
DirectAccess server
DirectAccess clients
Network location server
Internal resources
Active Directory domain
Group Policy
PKI (Optional for the internal network)
DNS server
NAP server
DirectAccess Server
The DirectAccess server can be any domain-joined Windows Server 2012 computer, which accepts connections
from DirectAccess clients and establishes communication with intranet resources. This server provides
authentication services for DirectAccess clients and acts as an IPsec tunnel mode endpoint for external
traffic. The new Remote Access server role allows centralized administration, configuration, and
monitoring for both DirectAccess and VPN connectivity.
Compared with previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium organizations, by removing the need for
full PKI deployment and removing the requirement for two consecutive public IPv4 addresses for the
physical adapter that is connected to the Internet. In Windows Server 2012, the wizard detects the actual
implementation state of the DirectAccess server, and automatically selects the best deployment, thereby
hiding from the administrator the complexity of manually configuring IPv6 transition technologies.
DirectAccess Clients
DirectAccess clients can be any domain-joined computer running Windows 8, Windows 7 Enterprise
Edition, or Windows 7 Ultimate Edition.
Note: With off-premise provisioning, you can join the client computer to a domain without
connecting the client computer to your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.
DirectAccess clients use the network location server (NLS) to determine their location. If the client
computer can connect to the NLS with HTTPS, then the client computer assumes it is on the intranet and
disables DirectAccess components. If the NLS is not contactable, the client assumes it is on the Internet.
The NLS server is installed with the web server role.
Note: The URL for the NLS is distributed by using GPO.
Internal Resources
You can configure any IPv6-capable application which is running on internal servers or client computers
to be available for DirectAccess clients. For older applications and servers that are not based on Windows
and have no IPv6 support, Windows Server 2012 now includes native support for a protocol translation
(NAT64) and name resolution (DNS64) gateway to convert IPv6 communication from DirectAccess clients to
IPv4 for the internal servers.
Note: As done in the past, this functionality can also be achieved with Microsoft
Forefront Unified Access Gateway Server. Likewise, as in past versions, these translation services
do not support sessions initiated by internal devices; rather they support requests originating
from IPv6 DirectAccess clients only.
You must deploy at least one Active Directory domain, running at a minimum Windows Server 2008 R2
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support
which allows client computers from different domains to access resources that may be located in different
trusted domains.
Group Policy
Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. Windows Server 2012
DirectAccess enables client authentication requests to be sent over a HTTPS based Kerberos proxy
service running on the DirectAccess server. This eliminates the need for establishing a second IPsec
tunnel between clients and domain controllers. The Kerberos proxy will send Kerberos requests to
domain controllers on behalf of the client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication,
and force tunneling, you still need to implement certificates for authentication for every client that will
participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a
third-party DNS server that supports DNS message exchanges over the ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. Windows Server 2012
DirectAccess provides the ability to configure the NAP health check directly from the setup user interface
instead of manually editing the GPO as was required in Windows Server 2008 R2 DirectAccess.
Additional Reading: The DNS server does not listen on the ISATAP interface on a
Windows Server 2008-based computer
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://technet.microsoft.com/en-us/library/hh831730.aspx
Name Resolution Policy Table
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows
8 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be
defined per DNS namespace, rather than per interface.
The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that
describe the DNS client's behavior for that namespace.
When a DirectAccess client is on the Internet, each name query request is compared against the
namespace rules stored in the NRPT:
If a name query request does not match a namespace listed in the NRPT, the request is sent to the
DNS servers configured in the TCP/IP settings for the specified network interface.
Siingle-label nam
mes, for examp
ple, http://inte
ernal, typically have configurred DNS search suffixes appe
ended
to
o the name before they are checked
c
against the NRPT.
Th
he NRPT allow
ws DirectAccesss clients to use
e intranet DNSS servers for naame resolution
n of internal re
esources
an
nd Internet DN
NS for name re
esolution of otther resources.. Dedicated DN
NS servers are not required ffor
na
ame resolution
n. DirectAccesss is designed to
t prevent the exposure of yyour intranet n
namespace to tthe
In
nternet.
So
ome names ne
eed to be treatted differently with regards tto name resol ution; these naames should n
not be
re
esolved by usin
ng intranet DN
NS servers. To ensure
e
that th ese names aree resolved with
h the DNS servvers
sp
pecified in the clients TCP/IP
P settings, you must add theem as NRPT exxemptions.
NRPT is controlled through Group
G
Policy. When
W
the comp
puter is config
gured to use N
NRPT, the name
e
re
esolution mech
hanism uses th
he following in
n order:
The local na
ame cache
NRPT
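To make the rule walk concrete, the following PowerShell is an added model of the NRPT decision (example code written for this page, not part of the course or of Windows). It assumes a constructed rule set with a .adatum.com namespace rule, an exemption for the lab's nls.adatum.com and a constructed da.adatum.com exemption, constructed intranet and interface DNS addresses, and adatum.com as the search suffix; it goes slightly beyond the text by also applying longest-match precedence between an exact exemption and a suffix rule.

```powershell
# Added example, not part of the course or of Windows: a model of the decision a DirectAccess
# client makes for each name query against the NRPT. Rules, suffixes and server addresses are
# constructed for illustration; a real client uses the table delivered by Group Policy.

$IntranetDns  = @('2002:836b:2::1')   # constructed: intranet DNS server reached through the infrastructure tunnel
$InterfaceDns = @('131.107.0.1')      # constructed: DNS server from the adapter's TCP/IP settings

$NrptRules = @(
    # Namespace rule: every name under adatum.com is sent to the intranet DNS server.
    @{ Namespace = '.adatum.com';    DnsServers = $IntranetDns }
    # Exemption rules carry no DNS servers. The NLS name must not resolve through intranet DNS:
    # an Internet-connected client has to fail to reach the NLS so that it keeps applying the
    # DirectAccess rules instead of treating the untrusted network as the intranet.
    @{ Namespace = 'nls.adatum.com'; DnsServers = @() }
    # Constructed public name of the DirectAccess server itself, exempted because the client must
    # resolve it with Internet DNS before any tunnel exists.
    @{ Namespace = 'da.adatum.com';  DnsServers = @() }
)

function Resolve-NrptDecision {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [object[]] $Rules          = $NrptRules,
        [string[]] $SearchSuffixes = @('adatum.com'),
        [switch]   $InsideCorpnet   # set when the HTTPS probe of the NLS succeeded
    )

    # Single-label names get the configured search suffix appended before the NRPT is consulted.
    $fqdn = if ($Name -notmatch '\.') { '{0}.{1}' -f $Name, $SearchSuffixes[0] } else { $Name }
    $fqdn = $fqdn.TrimEnd('.').ToLowerInvariant()

    # A client that reached the NLS applies the domain profile and ignores the DirectAccess rules
    # for the rest of the session, so every query goes to the interface-configured DNS servers.
    if ($InsideCorpnet) {
        return [pscustomobject]@{ Query = $fqdn; Kind = 'Bypass'; Rule = $null; Servers = $InterfaceDns }
    }

    # The most specific (longest) matching namespace wins, so the exact exemption nls.adatum.com
    # takes precedence over the .adatum.com suffix rule.
    $best = $null
    foreach ($rule in $Rules) {
        $ns = $rule.Namespace.ToLowerInvariant()
        $isMatch = if ($ns.StartsWith('.')) { $fqdn.EndsWith($ns) } else { $fqdn -eq $ns }
        if ($isMatch -and ($null -eq $best -or $ns.Length -gt $best.Namespace.Length)) { $best = $rule }
    }

    if ($null -eq $best) {
        # No namespace matched: the query uses the interface-configured DNS servers.
        return [pscustomobject]@{ Query = $fqdn; Kind = 'NoMatch'; Rule = $null; Servers = $InterfaceDns }
    }
    if ($best.DnsServers.Count -eq 0) {
        # Exemption: resolved with the DNS servers from the client's TCP/IP settings.
        return [pscustomobject]@{ Query = $fqdn; Kind = 'Exemption'; Rule = $best.Namespace; Servers = $InterfaceDns }
    }
    [pscustomobject]@{ Query = $fqdn; Kind = 'Namespace'; Rule = $best.Namespace; Servers = $best.DnsServers }
}

# Names from the course's lab plus one public name, evaluated as an Internet-connected client would.
'lon-svr1', 'lon-svr1.adatum.com', 'nls.adatum.com', 'www.microsoft.com' |
    ForEach-Object { Resolve-NrptDecision -Name $_ } |
    Format-Table Query, Kind, Rule, Servers -AutoSize
```

On a real client, compare the model with the table Group Policy actually delivered by running netsh name show effectivepolicy, the command the lab uses later in this module.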
How DirectAccess Works for Internal Client Computers
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to
access the NLS URL to determine if they are located on the intranet or on a public network. The
DirectAccess server can also be the NLS. In some organizations where DirectAccess is a business-critical
service, the NLS should be highly available. Generally, the web server on the NLS does not have to be
dedicated just to supporting DirectAccess clients.
It is critical that the NLS is available from each company location, because the behavior of the
DirectAccess client depends on the response from the NLS. Branch locations may need a separate NLS at
each branch location to ensure that the NLS remains accessible even when there is a link failure between
branches.
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL.
4. Based on an HTTP 200 Success of the NLS URL (successful access and certificate authentication and
revocation check), the DirectAccess client switches to the domain firewall profile and ignores the
DirectAccess rules in the NRPT for the remainder of the session.
5. Because the client no longer references any DirectAccess rules in the NRPT for the rest of the
connected session, all DNS queries are sent through interface-configured DNS servers (intranet-based
DNS servers). With the combination of network location detection and computer domain logon, the
DirectAccess client configures itself for normal intranet access.
6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network.
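The following added PowerShell script (written for this page, not part of the course or of any Microsoft tool) performs the same network location test from the command line: it resolves the NLS name with the interface DNS servers, fetches the HTTPS URL with certificate chain and revocation checking, and reports the firewall profile and IP-HTTPS address the client should show. It assumes the lab's NLS URL https://nls.adatum.com/ and the tunnel interface alias IPHTTPSInterface.

```powershell
# Added example, not from the course: reproduces the network location detection a DirectAccess
# client performs and states which behaviour the client should adopt. The NLS URL is the lab's;
# the tunnel interface alias is an assumption taken from the lab's ipconfig output.

function Test-DirectAccessLocation {
    param(
        [string] $NlsUrl      = 'https://nls.adatum.com/',
        [string] $TunnelAlias = 'IPHTTPSInterface'
    )
    $nlsName = ([uri]$NlsUrl).Host
    $result = [ordered]@{
        NlsName = $nlsName; Resolved = $false; NlsReachable = $false
        Profile = $null; IpHttpsAddress = $null; Expectation = $null
    }

    # Step 1: the NLS name is an NRPT exemption, so it is resolved with the interface DNS servers.
    # On the Internet this lookup is expected to fail: the name must not exist in public DNS.
    try {
        $null = Resolve-DnsName -Name $nlsName -DnsOnly -ErrorAction Stop
        $result.Resolved = $true
    } catch { }

    # Step 2: the probe only counts on HTTP 200 with a valid, unrevoked certificate. That is why
    # the course lists certificate authentication and a revocation check as part of the test: an
    # answer from an untrusted server must not move the client to the domain profile. Revocation
    # checking is off by default in .NET, so it is enabled explicitly for the request.
    if ($result.Resolved) {
        $previous = [System.Net.ServicePointManager]::CheckCertificateRevocationList
        [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
        try {
            $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            $result.NlsReachable = ($resp.StatusCode -eq 200)
        } catch { }
        finally { [System.Net.ServicePointManager]::CheckCertificateRevocationList = $previous }
    }

    # Step 3: what the client actually did, for comparison with what the probe says it should do.
    $result.Profile = @(Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory) -join ','
    $result.IpHttpsAddress = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -eq $TunnelAlias -and $_.IPAddress -like '2002:*' } |
        Select-Object -First 1 -ExpandProperty IPAddress
    $result.Expectation = if ($result.NlsReachable) {
        'Inside: domain profile, DirectAccess NRPT rules ignored, no IP-HTTPS address expected'
    } else {
        'Outside: public or private profile, NRPT and connection security rules active, IP-HTTPS address expected'
    }
    [pscustomobject]$result
}

Test-DirectAccessLocation | Format-List
```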
How DirectAccess Works for External Client Computers
When a DirectAccess client starts, the DirectAccess client assumes that it is not connected to the
intranet by trying to reach the URL address specified for the NLS. Because the client computer
cannot communicate with the NLS, it starts to use the NRPT and connection security rules. The NRPT
has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess
IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients
use the following process to connect to intranet resources.
The DirectAccess client first attempts to access the NLS. Then, the client attempts to locate a domain
controller. Afterwards, the client attempts to access intranet resources and Internet resources.
DirectAccess Client Attempts To Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:
2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT.
3. Because the NLS is not found on the same network as the DirectAccess client is currently located on,
the DirectAccess client applies a public or private firewall network profile to the attached network.
4. The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.
After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel, or infrastructure tunnel, by using IPsec
tunnel mode and Encapsulating Security Payload (ESP) to the DirectAccess server. The process is as
follows:
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS
name query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
DirectAccess client's TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
the computer and the user) authenticates itself with its installed computer certificate and its NT LAN
Manager (NTLM) credentials, respectively.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
1. The application or process that attempts to communicate constructs a message or payload and hands
it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet web server), the following process occurs:
1.
The DNS client service passes the DNS name for the Internet resource through the NRPT. There
are no matches. The DNS client service constructs the DNS name query that is addressed to the
IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.
2.
Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3.
Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4.
The Internet DNS server responds with the IP address of the Internet resource.
5.
The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6.
Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
intranet tunnel or connection security rules is sent and received normally.
Accessing the domain controller and accessing intranet resources are very similar processes, because
both use the NRPT to locate the appropriate DNS server to resolve name queries; the difference is the
IPsec tunnel that is established between the client and the DirectAccess server. When accessing the
domain controller, all DNS queries are sent through the IPsec infrastructure tunnel, and when accessing
intranet resources, a second IPsec tunnel (the intranet tunnel) is established.
Lesson 2
Installing and Configuring DirectAccess Components
In order to install and configure DirectAccess in your organization, you need to meet a number of
requirements pertaining to Active Directory configuration, DNS configuration, and certificate services.
After these requirements are met, you then install and configure the DirectAccess role. Finally, you
configure client computers, and verify that DirectAccess is functional when connecting from both the
internal network and the Internet.
In this lesson, you will learn about DirectAccess requirements, how to plan the DirectAccess solution, and
the process of installation and deployment of DirectAccess. You will also learn about the new features for
implementing DirectAccess in Windows 8.
Lesson Objectives
After completing this lesson, you will be able to:
Configure AD DS services for DirectAccess.
Install and configure DirectAccess Server.
Configure the DirectAccess clients.
Prerequisites for Implementing DirectAccess
To deploy DirectAccess, the DirectAccess server, the client computer, and the infrastructure should
meet certain requirements.
Requirements for DirectAccess Server
In order to deploy DirectAccess, you need to ensure that the server meets the hardware and
network requirements:
The server must be joined to an Active Directory domain.
The server must have Windows Server 2012 or Windows Server 2008 R2 operating system
installed.
Note: An Edge server is any server that resides on the edge between two or more
networks, typically a private network and the Internet.
Implementation of DirectAccess in Windows Server 2012 does not require two consecutive
static, public IPv4 addresses to be assigned to the network adapter. However, to achieve two-factor
authentication with a smart card or OTP deployment, the DirectAccess server will still need two public
IP addresses.
You can even deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a
single or multiple interfaces, thereby removing the need for an additional public address. In
this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be
established by using a secure HTTP connection.
On the DirectAccess server, you can install the Remote Access role to configure DirectAccess settings
for the DirectAccess server and clients, and monitor the status of the DirectAccess server. The Remote
Access wizard provides you with the option to configure only DirectAccess, only VPN, or both
scenarios on the same server running Windows Server 2012. This was not possible in Windows Server
2008 R2 deployment of DirectAccess.
For load balancing support, Windows Server 2012 can use Network Load Balancing (NLB) with up to 8
nodes to achieve high availability and scalability for both DirectAccess and RRAS.
To deploy DirectAccess, you also need to ensure that the client computer meets certain requirements:
With the new Windows Server 2012 DirectAccess scenario, it is possible to provision computers for domain
membership offline, without the computer having to be on premises.
The client computer can be loaded with Windows 8, Windows 7 Enterprise Edition, Windows 7
Ultimate Edition, Windows Server 2012, or Windows Server 2008 R2 operating system.
You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or other earlier
versions of the Windows operating systems.
Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:
Active Directory. You must deploy at least one Active Directory domain. Workgroups are not
supported.
Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess
client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess
clients, DirectAccess servers, and management servers.
DNS and domain controller. You must have at least one domain controller and DNS server running
Windows Server 2012, or Windows Server 2008 SP2 or Windows Server 2008 R2.
PKI. You need to use PKI to issue computer certificates for authentication and health certificates
only when NAP is deployed. You do not need external certificates. The SSL certificate installed on
the DirectAccess server must have a CRL distribution point that is reachable from the Internet. The
certificate Subject field must contain the FQDN that can be resolved to a public IPv4 address assigned
to the DirectAccess server by using the Internet DNS.
IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as part of
Windows Firewall with Advanced Security.
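As an added check (example code written for this page, not from the course), the PowerShell function below tests a DirectAccess server certificate against the PKI requirements just listed: the Server Authentication EKU, a subject FQDN that Internet DNS resolves to a public IPv4 address, and an HTTP CRL distribution point that answers. It assumes the certificate sits in the local machine Personal store under the friendly name IP-HTTPS Certificate used in this module's demonstration, and uses 8.8.8.8 as a stand-in public resolver.

```powershell
# Added example, not from the course: checks a DirectAccess server certificate against the PKI
# prerequisites (Server Authentication EKU, subject FQDN resolvable to a public IPv4 address,
# Internet-reachable HTTP CRL distribution point). Friendly name and resolver are assumptions.

function Test-DirectAccessCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $PublicResolver = '8.8.8.8'   # assumption: a resolver that sees only Internet DNS
    )
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        $report.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what IP-HTTPS clients require.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = ($null -ne $eku) -and
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0)
    Add-Result 'Server Authentication EKU' $serverAuth $Certificate.Subject

    # 2. The subject must be an FQDN that public DNS resolves to a public IPv4 address
    #    (the course's lab uses the bare address 131.107.0.2 because it has no public DNS).
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -as [ipaddress]) {
        Add-Result 'Subject is an FQDN' $false "subject '$dnsName' is an IP address, not a name"
    } else {
        $ipv4 = @()
        try {
            $ipv4 = @(Resolve-DnsName -Name $dnsName -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        } catch { }
        $private = '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
        $public  = @($ipv4 | Where-Object { $_ -notmatch $private })
        Add-Result 'Subject FQDN resolves to public IPv4' ($public.Count -gt 0) "$dnsName -> $($ipv4 -join ', ')"
    }

    # 3. Internet clients validate the chain, so at least one HTTP CRL distribution point
    #    (extension OID 2.5.29.31) must answer from outside; an LDAP-only CDP cannot.
    $cdp  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    $urls = @()
    if ($cdp) { $urls = @([regex]::Matches($cdp.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }) }
    if ($urls.Count -eq 0) { Add-Result 'HTTP CRL distribution point' $false 'no http URL in the CDP extension' }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            Add-Result "CRL reachable: $url" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        } catch {
            Add-Result "CRL reachable: $url" $false $_.Exception.Message
        }
    }
    return $report.ToArray()
}

# The demonstration in this lesson gives the server certificate the friendly name 'IP-HTTPS Certificate'.
$daCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'IP-HTTPS Certificate' } | Select-Object -First 1
if ($daCert) { Test-DirectAccessCertificate -Certificate $daCert | Format-Table -AutoSize }
else { Write-Warning 'No certificate with friendly name IP-HTTPS Certificate in the local machine store.' }
```

Run the CRL check from an Internet-connected host where possible, since a CDP that answers only on the intranet passes when tested from the server itself. In the course's lab the subject is the address 131.107.0.2 and the CA is internal, so the FQDN and CRL checks fail there by design of the lab.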
Process of Configuring DirectAccess
To configure DirectAccess, perform the following steps:
2. Configure the PKI environment.
3. Configure the DirectAccess server:
o Install the Remote Access role and configure the DirectAccess server so that it is either one of the
following:
An alternative design is that the DirectAccess server has only one, and not two, network interfaces. For
this design, perform the following steps:
o Verify that the ports and protocols needed for DirectAccess and Internet Control Message
Protocol (ICMP) Echo Request are enabled in the firewall exceptions and opened on the
perimeter and Internet-facing firewalls.
o The DirectAccess server in a simplified implementation can use a single public IP address in
combination with Kerberos Proxy services for client authentication against domain controllers.
o For two-factor authentication and integration with NAP, you need to configure at least two
consecutive public static IPv4 addresses that are externally resolvable through DNS. Ensure that
you have an IPv4 address available and that you have the ability to publish that address in your
externally-facing DNS server.
o If you have disabled IPv6 on clients and servers, enable IPv6 because it is required for
DirectAccess.
o Install a web server on the DirectAccess server to enable DirectAccess clients to determine if
they are inside or outside the intranet. You can install this web server on a separate internal
server for determining the network location.
o Based on the deployment scenario, you need to designate one of the server network adapters as
the Internet-facing interface (in a deployment with two network adapters) or publish the
DirectAccess server, which is deployed behind NAT, for Internet access.
o On the DirectAccess server, ensure that the Internet-facing interface is configured to be either a
Public or a Private interface, depending on your network design. Configure the intranet interfaces
as domain interfaces. If you have more than two interfaces, ensure that no more than two
classification types are selected.
4. Configure the DirectAccess clients and test intranet and Internet access:
o Verify that DirectAccess Group Policy has been applied and certificates have been distributed to
client computers.
o Test whether you can connect to the DirectAccess server from the Internet.
Demonstration Steps
Create a security group for DirectAccess client computers
1.
On LON-DC1, open the Active Directory Users and Computers console, and create an organizational
unit with the name DA_Clients OU and inside that organizational unit, create a Global Security group
with the name DA_Clients.
2.
3.
Open the Group Policy Management console, and then right-click Default Domain Policy.
2.
In the console tree of the Group Policy Management Editor, navigate to Computer Configuration
\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
\Windows Firewall with Advanced Security.
3.
4.
5.
Close the Group Policy Management Editor and Group Policy Management consoles.
2.
Open the DNS Manager console and then create two new host records with the following settings:
o
Switch to LON-DC1.
2.
3.
Configure the AdatumCA certification authority with the following extension settings:
o
Location: .crl
Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
extension of issued certificates
Location: .crl
Select Publish CRLs to this location and Publish Delta CRLs to this location
4.
5.
1.
Right-click Certificate Template in the Certification Authority console and then click manage.
2.
In the Certificate Template console, in Web Server template Properties, configure security settings
for Authenticated Users to be allowed to Enroll for a certificate.
3.
2.
3.
Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor, open
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4.
5.
On the Certificate Template page, click Computer, click Next, and then click Finish.
6.
Close the Group Policy Management Editor and close the Group Policy.
Configure DirectAccess.
Demonstration Steps
Obtain the required certificates for LON-SVR2
1.
Switch to LON-SVR2.
2.
Open Microsoft Management Console by typing the mmc command, and then add the Certificates
snap-in for Local computer.
3.
In the Certificates snap-in, in the Microsoft Management Console, request a new certificate with the
following settings:
4.
Verify that a new certificate with the name 131.107.0.2 has been issued with Intended Purposes of
Server Authentication.
5.
For the 131.107.0.2 certificate, in Properties, specify the Friendly Name as IP-HTTPS Certificate,
and then click OK.
6.
In the Certificates console, right-click the certificate with the name lon-svr2.adatum.com, and then
click delete.
7.
8.
2.
In the Server Manager console, open the Remote Access Management console.
3.
Click Configuration; the Enable Direct Access Wizard will start automatically.
4.
Click Next. Wait until the DirectAccess prerequisites page completes loading.
5.
Complete the Enable Direct Access Wizard by using the following settings:
o
DirectAccess Client Setup page; Enter the object names to select: DA_clients
Type the public name or IPv4 address used by clients to connect to the Remote Access
server: 131.107.0.2
Note: On this page, you might notice that you are using the IP address of the Edge server
instead of an FQDN. This is because in this lab environment there is no public DNS server, as there
would be in a real-life scenario.
6.
Wait until Enable DirectAccess Wizard Apply completes, and then click Close.
7.
8.
To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:
Verify that DirectAccess clients have the computer certificate that is required for DirectAccess
authentication. This should have been distributed with Group Policy.
Demonstration Steps
Configure the DirectAccess client
1.
Switch to LON-SVR3.
2.
Open the Command Prompt window and type gpupdate /force to force Group Policy to apply on
LON-SVR3.
3.
At command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.
Note: If DirectAccess Client Settings GPO is not applied, restart LON-SVR3, and then
repeat step 2 on LON-SVR3.
4.
Verify that DNS Effective Name Resolution Policy Table Settings is applied by typing the following
command at the command prompt:
netsh name show effectivepolicy
5.
Verify that DNS Effective Name Resolution Policy Table Settings is displayed in the Command
Prompt window.
6.
Simulate moving the client computer LON-SVR3 out of the corporate network, that is to the Internet,
by changing the network adapter settings with external IP address to the following values:
o
IP address: 131.107.0.10
7.
Disable and then again enable the Local Area Connection network adapter.
8.
In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
Network Adapter to be on the Private Network 2 network.
Move the mouse to the lower-left part of screen, click Start, and then click the Internet Explorer
icon.
2.
In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
page for LON-SVR1 appears.
3.
4.
Click Start, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the
Files shared folder appears.
5.
In the Files shared folder window, double-click the example.txt file. The content of the example.txt
file is displayed.
6.
7.
Move the mouse pointer to the lower-right corner of the screen, and in the notification area, click
search, and in the search box, type cmd.
8.
9.
Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.
Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for
adatum.com and Directaccess-NLS.Adatum.com.
2.
Verify client connectivity on DirectAccess Server
1.
Switch to LON
N-SVR2.
2.
3.
Windows 7 Client vs. Windows 8 Client Implementation
Users working with DirectAccess in the Windows 8 operating system will have a better user
experience than those working in Windows 7. In Windows 8, the DirectAccess solution is
completely transparent for the user. However, in Windows 7, it is hard to troubleshoot network
connectivity problems. Usually, when problems start, there are no native tools that can easily track
the network behavior, and so administrators often use network monitoring tools to get information
regarding connectivity issues.
Windows 8 Client Implementation
Windows 8 includes an in-box user interface for DirectAccess clients that helps users understand the
network connectivity experience. A simplified user interface that runs on top of the Windows PowerShell
commands provides basic information regarding connectivity.
Users can easily check their connectivity status.
Users can even customize the look of the interface, providing additional information such as support
email addresses.
Remediation options for actionable problems are presented clearly to the user. Instead of using other
tools, remediation and problem solving can be done in the same user interface for DirectAccess.
Typical problems that can be flagged for remediation are:
o
NAP
Users can easily send customized logs to their helpdesk by using the properties of Network
Connectivity Assistance. Users can manually select the DirectAccess entry point that should be used.
They can collect logs (HTML plus custom logs) and send these logs to already configured email
addresses.
When using Windows 7 in a multi-site deployment, you need to create multiple GPOs with different
settings. However, in Windows 8, clients can easily select the closest DirectAccess server in a multisite
deployment.
Receive side scaling (RSS) for UDP traffic helps improve performance in enterprise
deployments.
Because A. Datum has expanded, many of the employees are now frequently out of the office, either
working from home or traveling. A. Datum wants to implement a remote access solution for its employees
so they can connect to the corporate network while they are away from the office. Although the VPN
solution implemented with NAP provides a high level of security, business management is concerned
about the complexity of the environment for end users. Also, IT management is concerned that it is
not able to manage the remote clients effectively.
To address these issues, A. Datum has decided to implement DirectAccess on client computers running
Windows 8.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment.
You will configure the DirectAccess environment and validate that the client computers can connect to
the internal network when operating remotely.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 90 minutes
Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR2, 20417A-LON-SVR3
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
a.
b.
Password: Pa$$w0rd
You decided to implement DirectAccess as a solution for remote client computers that are not able to
connect through VPN. Also, you want to address management problems, such as GPO application for
remote client computers. For this purpose, you will configure the prerequisite components of
DirectAccess, and configure the DirectAccess server.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
2.
Create a security group for DirectAccess client computers by performing the following steps:
a.
Switch to LON-DC1.
b.
Open the Active Directory Users and Computers console, and create an Organizational Unit
named DA_Clients OU, and within that organizational unit, create a Global Security group
named DA_Clients.
c.
d.
Configure firewall rules for ICMPv6 traffic by performing the following steps:
a.
Open the Group Policy Management console, and then open Default Domain Policy.
b.
In the console tree of the Group Policy Management Editor, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security.
c.
d.
e.
Close the Group Policy Management Editor and Group Policy Management consoles.
3.
b.
4.
Open the DNS Manager console, and then create new host records with the following settings:
Remove ISATAP from the DNS global query block list by performing the following steps:
a.
Open the Command Prompt window, type the following command, and then press Enter:
dnscmd /config /globalqueryblocklist wpad
Ensure that the Command completed successfully message appears.
b.
5.
Switch to LON-SVR2, and in the Local Area Connection Properties dialog box, in the Internet
Protocol Version 4 (TCP/IPv4) dialog box, add the Adatum.com DNS suffix.
b.
2.
b.
Location: .crl
Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the
CDP extension of issued certificates
Location: .crl
Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the
CDP extension of issued certificates
Duplicate the Web Server certificate template and configure appropriate permissions by performing the
following steps:
a.
In the Certificate Templates console, in the contents pane, duplicate the Web Server template by
using the following options:
3.
c.
In the Certification Authority console, choose to issue a New Certificate Template and select the
Adatum Web Server Certificate template.
d.
b.
c.
Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor,
navigate to Computer Configuration\Policies\Windows Settings\Security Settings
\Public Key Policies.
d.
e.
Close the Group Policy Management Editor and close the Group Policy Management console.
On LON-SVR1, open a command prompt, type the following command, and then press Enter.
gpupdate /force
b.
At the command prompt, type the following command, and then press Enter.
mmc
c.
d.
In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)
\Personal\Certificates, request a new certificate, and then under Request Certificates, select
Adatum Web Server Certificate with the following setting:
2.
e.
In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
f.
Close the console window. When you are prompted to save settings, click No.
b.
In the console tree of Internet Information Services (IIS), navigate to and click Default Web site.
c.
d.
b.
Switch to LON-SVR2.
b.
Open a command prompt and refresh group policy by typing gpupdate /force.
c.
Open Microsoft Management Console by typing mmc command, and then add the Certificates
snap in for Local computer.
d.
In the Certificates snap-in, in the mmc console, request a new certificate with the following
settings:
e.
2.
3.
b.
In Internet Information Services (IIS) Manager, create new virtual directory CRLD and assign
c:\crldist as a home directory.
Share and secure the CRL distribution point by performing the following step:
Note: You perform this step to assign permissions to the CRL distribution point.
In the details pane of Windows Explorer, right-click the CRLDist folder, and then click
Properties, and grant Full Share and NTFS permission.
4.
5.
a.
Switch to LON-DC1.
b.
c.
In the console tree, open ADATUMCA, right-click Revoked Certificates, point to All Tasks, and
then click Publish.
b.
In the Server Manager console, start the Remote Access Management console, click
Configuration, and start the Enable Direct Access Wizard with following settings:
Network Topology: Edge is selected, and verify that 131.107.0.2 is used by clients to
connect to the Remote Access server.
Note: Because the server you already configured is a VPN server, you can only
use the Getting Started Wizard, which generates a self-signed certificate for DirectAccess
communication. The next steps will modify the default DirectAccess settings to include the already
deployed certificates from the internal certification authority.
c.
In the details pane of the Remote Access Management console, under Step 2, click Edit.
d.
On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
e.
f.
On the Authentication page, select Use computer certificates, click Browse, and then select
Adatum Lon-Dc1 CA.
g.
h.
In details pane of the Remote Access Management console, under Step 3, click Edit.
i.
On the Network Location Server page, select The network location server is deployed on
a remote web server (recommended), and in the URL of the NLS box, type
https://nls.adatum.com, and then click Validate.
j.
k.
On the DNS page, examine the values, and then click Next.
l.
6.
n.
In details pane of the Remote Access Management console, review the setting for Step 4.
o.
p.
Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter
IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
2.
3.
1. Switch to LON-SVR3.
2. Restart LON-SVR3, and then log back on as Adatum\Administrator with the password Pa$$w0rd. Open a Command Prompt window, and then type the following commands:
gpupdate /force
gpresult /R
3. Verify that the DirectAccess Client Settings GPO is displayed in the list of Applied Group Policy Objects for the Computer Settings.
2. Verify that a certificate with the name LON-SVR3.adatum.com is present, with Intended Purposes of Client Authentication and Server Authentication.
3.
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1 appears.
3. Open Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. You should see a folder window with the contents of the Files shared folder.
4.
Results: After completing this exercise, you will have configured the DirectAccess clients.
2.
3. Switch to LON-SVR3.
2. IP address: 131.107.0.10
3. Disable and then again enable the Local Area Network network adapter.
4.
5. In Hyper-V Manager, right-click 20417A-LON-SVR3, and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network. Click OK.
2. Notice the IP address that starts with 2002. This is the IP-HTTPS address; its prefix is the 6to4 prefix that the Remote Access server derives from its public IPv4 address, 131.107.0.2.
3. At the command prompt, type the following command, and then press Enter.
netsh namespace show effectivepolicy
4. At the command prompt, type the following command, and then press Enter.
powershell
5. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
Open Internet Explorer and go to http://lon-svr1.adatum.com/. You should see the default IIS 8 web page for LON-SVR1.
2.
3. You should see a folder window with the contents of the Files shared folder.
4. At the command prompt, type the following command, and then press Enter.
gpupdate /force
6.
7. Switch to LON-SVR2.
8. Start the Remote Access Management console, and review the information under Remote Client Status.
Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
9.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
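The verification steps above read the client state off the GUI, netsh, and one cmdlet. The following script is an added example (not part of the 20417A lab) that collects the same evidence from PowerShell on the client so it can be re-run after each change. It assumes the Windows 8 / Windows Server 2012 client modules (DnsClient, NetworkTransition, NetworkConnectivityStatus, NetTCPIP) and uses the lab's host names and the 2002: prefix; the function name and the check list are this example's own.

```powershell
# Added example: verify DirectAccess client readiness on LON-SVR3 from PowerShell.
# Assumes Windows 8 / Windows Server 2012 client-side modules; names are the lab's.
function Test-DAClientReadiness {
    param(
        # 6to4-derived prefix the lab's server (131.107.0.2) hands out over IP-HTTPS
        [string]$ExpectedPrefix = '2002:',
        [string]$NlsUrl = 'https://nls.adatum.com/'
    )
    $result = [ordered]@{}

    # 1. The DirectAccess Client Settings GPO populates the NRPT, so an effective
    #    NRPT rule for the corporate namespace shows the GPO actually applied.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    $result.NrptRules        = $nrpt.Count
    $result.NrptCoversAdatum = [bool]($nrpt | Where-Object Namespace -like '*.adatum.com')

    # 2. Computer certificate carrying both EKUs that DirectAccess computer auth needs.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "CN=$env:COMPUTERNAME*" -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } | Select-Object -First 1
    $result.ComputerCertThumbprint = if ($cert) { $cert.Thumbprint } else { $null }

    # 3. IP-HTTPS tunnel state and the global IPv6 address it received. Off the
    #    corpnet the tunnel must be up and the address must come from the server prefix.
    $result.IpHttpsInterfaceStatus = (Get-NetIPHttpsState).InterfaceStatus
    $addr = Get-NetIPAddress -InterfaceAlias 'IPHTTPSInterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object IPAddress -like "$ExpectedPrefix*" | Select-Object -First 1
    $result.IpHttpsAddress = $addr.IPAddress

    # 4. Overall status as the client sees it (ConnectedLocally, ConnectedRemotely, Error).
    $da = Get-DAConnectionStatus
    $result.DAStatus    = $da.Status
    $result.DASubstatus = $da.Substatus

    # 5. NLS reachability is what makes the client decide "inside" vs "outside".
    #    Inside the corpnet it must succeed; outside it must fail, or the NRPT is bypassed.
    try {
        $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $result.NlsReachable = ($resp.StatusCode -eq 200)
    } catch { $result.NlsReachable = $false }

    [pscustomobject]$result
}

Test-DAClientReadiness | Format-List
```

Run it once on Private Network 2 and once on the intranet: the NRPT and certificate results should be identical, while IpHttpsAddress should be populated only off the corpnet and NlsReachable only on it. A client that reports NlsReachable as true from the outside is treating the Internet as the intranet, which disables DirectAccess and, if the NLS is exposed publicly, is a misconfiguration worth fixing before anything else.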
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Best Practices
Although DirectAccess was present in Windows 7 and Windows Server 2008 R2, Windows Server 2012 and Windows 8 introduce new features for improved manageability, ease of deployment, and improved scale and performance.
Monitoring the environment is now much easier with support for Windows PowerShell, Windows Management Instrumentation (WMI), and GUI monitoring on the server, along with the Network Connectivity Assistant on the client side.
One of the best enhancements is that DirectAccess clients can now reach IPv4-only servers on your network; your servers do not need IPv6 addresses to be exposed through DirectAccess, because the DirectAccess server acts as a protocol translator (NAT64/DNS64) between the IPv6 client traffic and the IPv4 intranet.
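As an added example of the PowerShell monitoring mentioned above (not from the course), the following function summarizes the Remote Access server's health and its current client connections with the RemoteAccess module that Windows Server 2012 ships. It assumes it runs as an administrator on the Remote Access server (LON-SVR2 in the lab) and that the HealthState, TransitionTechnology, and AuthMethod property names match the cmdlet output on that system.

```powershell
# Added example: server-side DirectAccess health summary (RemoteAccess module).
# Assumes administrator rights on the Remote Access server; property names are
# the ones the Windows Server 2012 cmdlets expose.
Import-Module RemoteAccess

function Get-DAServerHealthSummary {
    # Every monitored component; anything not 'Working' is worth a look first.
    $unhealthy = @(Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'Working' })

    # Per-connection view: who is connected, through which transition technology
    # (IPHttps, Teredo, 6to4), and with which authentication method.
    $conns = @(Get-RemoteAccessConnectionStatistics)

    [pscustomobject]@{
        UnhealthyComponents = $unhealthy | Select-Object Component, HealthState, OperationStatus
        ConnectedClients    = $conns.Count
        IpHttpsClients      = @($conns | Where-Object TransitionTechnology -eq 'IPHttps').Count
        # With computer certificates and Kerberos configured, every connection should
        # show one of those; anything else points at a GPO or PKI problem on that client.
        UnexpectedAuth      = @($conns | Where-Object { $_.AuthMethod -notmatch 'Certificate|Kerberos' }) |
                              Select-Object UserName, HostName, AuthMethod
    }
}

Get-DAServerHealthSummary | Format-List
```

Schedule it or wire it into your monitoring: an empty UnhealthyComponents list plus a plausible IpHttpsClients count is the quickest sanity check after a certificate rollover or GPO change.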
For ease of deployment, you no longer need two consecutive public IPv4 addresses on the Internet-facing interface; the DirectAccess server can be placed behind a NAT device with a single network adapter. Therefore, this is a good scenario for a proof of concept. However, if you need Teredo support, or if you want to integrate with Network Access Protection (NAP), you still need two consecutive public IPv4 addresses.
Consider integrating DirectAccess with your existing remote access solution, because Windows Server 2012 can place the DirectAccess server behind a NAT device, which is the most common Remote Access Server (RAS) topology for companies.
Troubleshooting Tip
Tools
Tool / Use for / Where to find it
Dnscmd.exe
Services.msc
Gpedit.msc
IPconfig.exe
Mmc.exe
Gpupdate.exe
Where to find it: Server Manager/Tools
Module 7
Implementing Failover Clustering
Contents:
Module Overview
Module Overview
Providing high availability is very important for any organization that wants to provide continuous
services to its users. Failover Clustering is one of the main technologies in Windows Server 2012 that can
provide high availability for various applications and services. In this module, you will learn about Failover
Clustering, Failover Clustering components, and implementation techniques.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Failover Clustering
Failover clusters in Windows Server 2012 provide a high-availability solution for many server roles and applications. By implementing failover clusters, you can maintain application or service availability if one or more computers in the failover cluster fail. Before you implement Failover Clustering, you should be familiar with general high-availability concepts. You must understand clustering terminology and also how failover clusters work. Also, it is important to be familiar with the new clustering features in Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
Describe availability.
Describe Failover Clustering improvements in Windows Server 2012.
Describe failover cluster components.
Define failover and failback.
Describe failover cluster networks.
Describe failover cluster storage.
Describe a quorum.
What Is Availability?
Availability refers to a level of service that applications, services, or systems provide, and is expressed as the percentage of time that a service or system is available. Highly-available systems have minimal downtime, whether planned or unplanned, and are available more than 99 percent of the time, depending on the needs and the budget of the organization. For example, a system that is unavailable for 8.75 hours per year would have a 99.9 percent availability rating.
To improve availability, you must implement fault-tolerance mechanisms that mask or minimize how failures of the service's components and dependencies affect the system. You can achieve fault tolerance by implementing redundancy for single points of failure.
Availability requirements must be expressed so that there are no misunderstandings about the implications. Miscommunication about service level expectations between the customer and the IT organization can result in poor business decisions, such as unsuitable investment levels and customer dissatisfaction.
Upgrading Your Skills to MCSA Windows Server 2012
The availability measurement period can also have a significant effect on the definition of availability. For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for only 40 minutes of downtime per period.
You also have to identify and negotiate planned outages: maintenance activities, service pack updates, and software updates. These are scheduled outages, and typically are not included as downtime when calculating the system's availability. You typically calculate availability based on unplanned outages only. However, you have to negotiate exactly which planned outages you consider as downtime.
Failover Clustering Improvements in Windows Server 2012
Failover Clustering has not significantly changed since Windows Server 2008 R2. However, there are some new features and technologies in Windows Server 2012 that help increase scalability and cluster storage availability, and provide better and easier management and faster failover.
The important new features in Windows Server 2012 Failover Clustering include:
Improved Cluster Shared Volumes (CSVs). This technology was introduced in Windows Server 2008 R2, and it became very popular for providing virtual machine storage. In Windows Server 2012, CSV volumes appear as CSV File System (CSVFS), and CSV supports server message block (SMB) 3.0 storage for Hyper-V and other applications. Also, CSV can use SMB Multichannel and SMB Direct to enable traffic to stream across multiple networks in a cluster. For additional security, you can use BitLocker Drive Encryption for CSV disks, and you can also make CSV storage visible only to a subset of nodes in a cluster. For reliability, CSV volumes can be scanned and repaired with zero offline time.
Cluster-Aware Updating. Updating cluster nodes required a lot of preparation and planning in earlier versions of Windows Server to minimize or avoid downtime. Also, the procedure for updating cluster nodes was mostly manual, which caused additional administrative effort. Windows Server 2012 introduces a new technology for this purpose, called Cluster-Aware Updating. It automatically updates cluster nodes with Windows Update hotfixes while keeping the cluster online and minimizing downtime. This technology is explained in more detail in Lesson 4: Maintaining a Failover Cluster.
Management improvements. Although Failover Clustering in Windows Server 2012 still uses almost the same management console and the same administrative techniques, it brings some important management improvements. The Validate a Configuration Wizard is improved: validation is faster for large failover clusters, and new tests for CSVs, the Hyper-V role, and virtual machines are added. Also, new Windows PowerShell cmdlets are available for managing clusters, monitoring clustered virtual machine applications, and creating highly available iSCSI targets.
Removed and Deprecated Features
In Windows Server 2012 clustering, some features are removed or deprecated. If you are moving from an older version of Failover Clustering, you should be aware of these features:
The Cluster.exe command-line tool is deprecated. However, it can be optionally installed with the Failover Clustering Tools. The Failover Clustering Windows PowerShell cmdlets provide functionality that is generally the same as the Cluster.exe commands.
Clients. These are computers (or users) that are using the Cluster service.
Service or application. This is a software entity that is presented to clients and used by clients.
Witness. This can be a file share or disk that is used to maintain quorum. Ideally, the witness should be located on a network that is both logically and physically separate from those used by the failover cluster. However, the witness must remain accessible by all cluster node members. The concepts of quorum and how the witness comes into play will be examined more closely in the coming lessons of this module.
Is aware when another node joins or leaves the cluster.
Is connected through a shared bus or iSCSI connection to shared storage.
Cluster storage usually refers to logical devices, typically hard disk drives or logical unit numbers (LUNs), that all the cluster nodes attach to through a shared bus. This bus is separate from the bus that contains the system and boot disks. The shared disks store resources such as applications and file shares that the cluster will manage.
A failover cluster typically defines at least two data communications networks: one network enables the cluster to communicate with clients, and the second, isolated network enables the cluster node members to communicate directly with one another. If directly-connected shared storage is not being used, then a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data storage network.
Most clustered applications and their associated resources are assigned to one cluster node at a time. The node that provides access to those cluster resources is the active node. If the nodes detect the failure of the active node for a clustered application, or if the active node is taken offline for maintenance, the clustered application is started on another cluster node. To minimize the impact of the failure, client requests are immediately and transparently redirected to the new cluster node.
What Are Failover and Failback?
Failover transfers the responsibility of providing access to resources in a cluster from one node to another. Failover can occur when an administrator intentionally moves resources to another node for maintenance, or when unplanned downtime of one node happens because of hardware failure or other reasons. Also, a service failure on an active node can initiate failover to another node.
A failover attempt consists of the following steps:
1. The Cluster service takes all the resources in the instance offline in an order that is determined by the instance's dependency hierarchy. That is, dependent resources first, followed by the resources on which they depend. For example, if an application depends on a physical disk resource, the Cluster service takes the application offline first, which enables the application to write changes to the disk before the disk is taken offline.
2. The Cluster service moves the instance to another node.
3. The Cluster service brings all the resources in the instance back online on the new node.
The Cluster service can fail back instances that were originally hosted on the offline node after the offline node becomes active again. When the Cluster service fails back an instance, it uses the same procedures that it performs during failover. That is, the Cluster service takes all the resources in the instance offline, moves the instance, and then brings all the resources in the instance back online.
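The following PowerShell is an added example (not the course's own code) that makes the procedure above visible with the FailoverClusters module: it prints a role's dependency expressions, performs a planned failover with Move-ClusterGroup, and restricts automatic failback to a quiet window so a flapping node cannot bounce the role back during business hours. The role name FileServer1 and the node name LON-SVR2 are assumptions.

```powershell
# Added example: inspect dependency order, fail a role over, and set failback policy.
# Assumes the FailoverClusters module; 'FileServer1' and 'LON-SVR2' are illustrative.
Import-Module FailoverClusters

function Show-RoleDependencies {
    param([string]$GroupName)
    # The dependency expression ("[Cluster Disk 1]" and so on) is what fixes the
    # order: dependents go offline first, providers come back online first.
    Get-ClusterResource | Where-Object OwnerGroup -eq $GroupName | ForEach-Object {
        $dep = Get-ClusterResourceDependency -Resource $_.Name
        [pscustomobject]@{
            Resource  = $_.Name
            Type      = $_.ResourceType
            State     = $_.State
            DependsOn = $dep.DependencyExpression
        }
    }
}

function Invoke-PlannedFailover {
    param([string]$GroupName, [string]$TargetNode)
    $before = (Get-ClusterGroup -Name $GroupName).OwnerNode.Name
    # Move-ClusterGroup takes the resources offline in dependency order, moves the
    # group, and brings them online on the target: the failover procedure as a cmdlet.
    $group = Move-ClusterGroup -Name $GroupName -Node $TargetNode -Wait 120
    [pscustomobject]@{
        Role  = $GroupName
        From  = $before
        To    = $group.OwnerNode.Name
        State = $group.State
    }
}

function Set-FailbackWindow {
    param([string]$GroupName, [int]$StartHour = 1, [int]$EndHour = 4)
    # Failback reuses the failover procedure, so every failback is another outage.
    # Allow it, but only between StartHour and EndHour (local time, 24h clock).
    $group = Get-ClusterGroup -Name $GroupName
    $group.AutoFailbackType    = 1     # 1 = allow failback, 0 = prevent failback
    $group.FailbackWindowStart = $StartHour
    $group.FailbackWindowEnd   = $EndHour
    $group | Select-Object Name, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd
}

Show-RoleDependencies -GroupName 'FileServer1' | Format-Table -AutoSize
Invoke-PlannedFailover -GroupName 'FileServer1' -TargetNode 'LON-SVR2'
Set-FailbackWindow -GroupName 'FileServer1'
```

A planned move is the cheapest way to prove that step 1 really protects data: if a resource lists no dependency on its disk, the application can be taken offline after the disk and lose unflushed writes, and that shows up in the DependsOn column before it shows up as corruption.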
Private network. A private network carries internal cluster communication. By using this network, cluster nodes exchange heartbeats and check for another node or nodes. The failover cluster authenticates all internal communication. However, administrators who are especially concerned about security may want to restrict internal communication to physically secure networks.
When you configure networks in failover clusters, you must also dedicate a network to connect to the shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based Ethernet communications network. However, you should not use this network for node or client communication. Sharing the iSCSI network in this manner may result in contention and latency issues, both for users and for the resource that is being provided by the cluster.
Though not a best practice, you can use the private and public networks for both client and node communications. Preferably, you should dedicate an isolated network for the private node communication. The reasoning for this is similar to that for using a separate Ethernet network for iSCSI, namely to avoid resource bottleneck and contention issues. The public network is configured to allow client connections to the failover cluster. Although the public network can provide backup for the private network, a better design practice is to define alternative networks for the primary private and public networks, or at least to team the network interfaces used for these networks.
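The design above (public network for clients, isolated private network for node traffic, storage network for nothing else) maps directly onto the Role property of each cluster network. The following is an added example (not from the course) that applies it with the FailoverClusters module, raises the cluster's internal traffic protection from signing to encryption for the case where the private network is not physically secured, and flags any clustered IP address that has been bound to the storage network. The network names Public, Heartbeat, and iSCSI are assumptions; list yours with Get-ClusterNetwork.

```powershell
# Added example: set cluster network roles and internal traffic protection.
# Role values: 0 = none (cluster must not use it), 1 = cluster only (private),
# 3 = cluster and client (public). Network names below are assumptions.
Import-Module FailoverClusters

function Set-ClusterNetworkRoles {
    param(
        [string]$PublicNetwork  = 'Public',
        [string]$PrivateNetwork = 'Heartbeat',
        [string]$StorageNetwork = 'iSCSI'
    )
    # Public: clients reach clustered roles here; internal traffic is allowed only
    # as a fallback path, so give it the worst metric.
    $pub = Get-ClusterNetwork -Name $PublicNetwork
    $pub.Role   = 3
    $pub.Metric = 70000

    # Private: heartbeats and CSV redirected I/O, never clients. The lowest metric
    # makes it the preferred internal path.
    $priv = Get-ClusterNetwork -Name $PrivateNetwork
    $priv.Role   = 1
    $priv.Metric = 30000

    # iSCSI: keep cluster and client traffic off it entirely, so storage I/O is not
    # competing with heartbeats and the storage VLAN stays isolated.
    $stor = Get-ClusterNetwork -Name $StorageNetwork
    $stor.Role = 0

    Get-ClusterNetwork | Select-Object Name, Role, Metric, AutoMetric, Address, AddressMask
}

function Set-ClusterTrafficProtection {
    # Internal cluster traffic is authenticated (signed) by default: SecurityLevel 1.
    # On a private network you cannot physically secure, encrypt it instead (2).
    $cluster = Get-Cluster
    $cluster.SecurityLevel = 2
    $cluster | Select-Object Name, SecurityLevel
}

function Test-ClusterNetworkIsolation {
    param([string]$StorageNetwork = 'iSCSI')
    # A clustered IP Address resource bound to the storage network pulls client
    # traffic onto it regardless of the Role setting, so flag any such resource.
    Get-ClusterResource | Where-Object ResourceType -eq 'IP Address' | ForEach-Object {
        $net = ($_ | Get-ClusterParameter -Name Network).Value
        if ($net -eq $StorageNetwork) {
            "WARNING: IP Address resource '$($_.Name)' is bound to storage network '$net'"
        }
    }
}

Set-ClusterNetworkRoles
Set-ClusterTrafficProtection
Test-ClusterNetworkIsolation
```

Setting Metric explicitly turns AutoMetric off for that network, which is intended here: the private network should stay the preferred path even if a faster adapter later appears on the public side. SecurityLevel 2 costs some CPU on every heartbeat and CSV redirect, so measure before enabling it on a busy Hyper-V cluster.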
The networking features in Windows Server 2012-based clusters include the following:
The Failover Cluster Virtual Adapter is a hidden device that is added to each node when you install the Failover Clustering feature. The adapter is assigned a media access control (MAC) address based on the MAC address that is associated with the first enumerated physical network adapter in the node.
Failover clusters fully support IPv6 for both node-to-node and node-to-client communication.
Shared serial attached SCSI (SAS). Shared SAS is the lowest cost option. However, it is not very flexible for deployment, because the two cluster nodes must be physically close together. In addition, the shared storage devices that support SAS have a limited number of connections for cluster nodes.
Internet SCSI (iSCSI). iSCSI is a type of storage area network (SAN) that transmits SCSI commands over IP networks. Performance is acceptable for most scenarios when 1 gigabit per second (Gbps) or 10 Gbps Ethernet is used as the physical medium for data transmission. This type of SAN is fairly inexpensive to implement, because no specialized networking hardware is required. In Windows Server 2012, you can implement iSCSI target software on any server, and present local storage over the iSCSI interface to clients.
Fibre Channel. Fibre Channel SANs typically have better performance than iSCSI SANs, but are much more expensive. Specialized knowledge and hardware are required to implement a Fibre Channel SAN.
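Because iSCSI rides on ordinary IP, the two controls that matter are which initiators the target will talk to at all and whether they must authenticate. The following is an added example (not from the course) of publishing a cluster disk from a Windows Server 2012 iSCSI Target Server with both controls in place, and of connecting a node to it over the dedicated storage network. The server names, initiator IQNs, VHD path, portal address, and CHAP user name are assumptions; the target IQN format (iqn.1991-05.com.microsoft:<server>-<target>-target) is what the Windows target assigns by default.

```powershell
# Added example: iSCSI target restricted to the cluster nodes' IQNs and protected
# with one-way CHAP, plus the matching initiator connection. Names are assumptions.
function Publish-ClusterIscsiTarget {
    param(
        [string]$TargetName = 'ClusterStorage',
        [string[]]$InitiatorIqns = @('iqn.1991-05.com.microsoft:lon-svr2.adatum.com',
                                     'iqn.1991-05.com.microsoft:lon-svr3.adatum.com'),
        [string]$VhdPath = 'D:\iSCSIVirtualDisks\ClusterDisk1.vhd',
        [pscredential]$Chap
    )
    Import-Module IscsiTarget
    # Restrict the target to the cluster nodes' IQNs: any other initiator is refused
    # before it can attempt a login. IQNs are not secret, hence CHAP as well.
    $ids = $InitiatorIqns | ForEach-Object { "IQN:$_" }
    New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $ids | Out-Null

    # One-way CHAP: the initiator must prove knowledge of the 12-16 character secret.
    Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $Chap

    # Back the target with a VHD on a local NTFS volume and map it to the target.
    New-IscsiVirtualDisk -Path $VhdPath -SizeBytes 50GB | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $VhdPath
    Get-IscsiServerTarget -TargetName $TargetName | Select-Object TargetIqn, InitiatorIds, EnableChap
}

function Connect-ClusterIscsiTarget {
    param(
        [string]$PortalAddress = '10.10.20.10',   # storage NIC of the target server (assumed)
        [string]$TargetIqn = 'iqn.1991-05.com.microsoft:lon-svr1-clusterstorage-target',
        [pscredential]$Chap
    )
    Set-Service msiscsi -StartupType Automatic
    Start-Service msiscsi
    New-IscsiTargetPortal -TargetPortalAddress $PortalAddress | Out-Null
    # Persistent so the session survives reboots. The secret is handed to the
    # initiator service once, which stores it; do not leave it in scripts.
    Connect-IscsiTarget -NodeAddress $TargetIqn -IsPersistent $true `
        -AuthenticationType ONEWAYCHAP `
        -ChapUsername $Chap.UserName -ChapSecret $Chap.GetNetworkCredential().Password | Out-Null
    Get-IscsiSession | Select-Object TargetNodeAddress, IsConnected, IsPersistent
}

# On the target server:
$chap = Get-Credential -UserName 'clusterchap' -Message 'CHAP secret (12-16 characters)'
Publish-ClusterIscsiTarget -Chap $chap
# Then on each cluster node:
Connect-ClusterIscsiTarget -Chap $chap
```

CHAP authenticates the login but does not encrypt the SCSI traffic that follows, which is one more reason the storage network must be its own isolated segment, as the text above recommends, rather than a VLAN that clients can also reach.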
Storage Requirements
After you choose the type of storage, you should also be aware of the following storage requirements:
We recommend that you format the partitions with NTFS. For the disk witness, the partition must be NTFS, because FAT is not supported.
Consider using multipath I/O software. In a highly-available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software. This provides the highest level of redundancy and availability. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.
What Is Quorum?
Quorum is the number of elements that must be online for a cluster to continue running. In effect, each element can cast one vote to determine whether the cluster continues to run. Each cluster node is an element that has one vote. If there is an even number of nodes, then an additional element, which is known as a witness, is assigned to the cluster. The witness element can be either a disk or a file share. Each voting element contains a copy of the cluster configuration, and the Cluster service works to keep all copies synchronized at all times.
network, or if data was accessed and written to a target from more than one source at a time. If the
application itself is not damaged, the data could easily become corrupted.
Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can
calculate the number of votes that are required for the cluster to continue providing failover protection.
If the number of votes drops below the majority, the cluster stops running. That is, it will not provide
failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case
another node appears again on the network, but the nodes will not function as a cluster until a majority
consensus or quorum is achieved.
Note: The full functioning of a cluster depends not just on quorum, but on the capacity of
each node to support the services and applications that fail over to that node. For example, a
cluster that has five nodes could still have quorum after two nodes fail, but each remaining
cluster node would continue serving clients only if it has enough capacity (such as disk space,
processing power, network bandwidth, RAM) to support the services and applications that failed
over to it. An important part of the design process is planning each node's failover capacity. A failover node must be able to run its own load and also the load of additional resources that might fail over to it.
Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster
software on each node stores information about how many votes constitute a quorum for that cluster. If
the number drops below the majority, the cluster stops providing services. Nodes will continue listening
for incoming connections from other nodes on port 3343, in case they appear again on the network, but
the nodes will not begin to function as a cluster until quorum is achieved.
There are several phases a cluster must complete to achieve quorum. As a given node comes up, it determines whether there are other cluster members that can be communicated with. This process may be in progress on multiple nodes at the same time. After communication is established with other members, the members compare their membership views of the cluster until they agree on one view (based on timestamps and other information). A determination is made whether this collection of members has quorum, that is, has enough members whose combined votes are sufficient that a split scenario cannot exist. A split scenario means that another set of nodes that are in this cluster are running on a part of the network that is inaccessible to these nodes. Therefore, more than one node could be actively trying to provide access to the same clustered resource. If there are not enough votes to achieve quorum, the voters (the currently recognized members of the cluster) wait for more members to appear. After at least the minimum vote total is attained, the Cluster service begins to bring cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.
Quorum Modes in Windows Server 2012 Failover Clustering
The same quorum modes from Windows Server 2008 are also present in Windows Server 2012. As before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only, which functions like the disk-based quorum in Windows Server 2003. Other than that mode, there is no single point of failure with the quorum modes, because only the number of votes is important, and not whether a particular element is available to vote.
This quorum model is flexible. You can choose the mode best suited to your cluster.
Be aware that, most of the time, it is best to use the quorum mode selected by the cluster software. If you run the Quorum Configuration Wizard, the quorum mode that the wizard lists as recommended is the quorum mode chosen by the cluster software. We recommend changing the quorum configuration only if you have determined that the change is appropriate for your cluster.
There are four quorum modes:
Node Majority. Each node that is available and in communication can vote. The cluster functions only with a majority of the votes, that is, more than half. This model is preferred when the cluster consists of an odd number of server nodes (no witness is needed to maintain or achieve quorum).
Node and Disk Majority. Each node plus a designated disk in the cluster storage, which is the disk witness, can vote when they are available and in communication. The cluster functions only with a majority of the votes. This model is intended for an even number of server nodes that share storage.
Node and File Share Majority. Each node plus a designated file share created by the administrator, which is the file share witness, can vote when they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the file share witness.
No Majority: Disk Only. The cluster runs as long as the quorum-shared disk and at least one node are available; this mode is described further below.
Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevant: the vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available.
In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role.
Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In this mode, the quorum-shared disk is a single point of failure, so this mode is not recommended.
When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, Failover Clustering selects:
Node Majority if there is an odd number of nodes in the cluster.
Node and Disk Majority if there is an even number of nodes in the cluster and a disk in the cluster storage is available to act as the disk witness.
Modify this setting only if you determine that a change is appropriate for your cluster, and ensure that you understand the implications of making the change.
In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to that node. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.
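As an added example (not part of the course), the following PowerShell first models the vote counting for the four modes so the cases in the text (five votes surviving two losses, four nodes plus a disk witness surviving two node failures, Disk Only failing with every node up) can be checked without a cluster, and then shows the FailoverClusters cmdlets that read and change a live cluster's quorum configuration. The witness share path is an assumption.

```powershell
# Added example: vote-counting model of the four quorum modes, then the live cmdlets.
# The model is illustrative; the cmdlets assume the FailoverClusters module.
function Test-Quorum {
    param(
        [ValidateSet('NodeMajority','NodeAndDiskMajority','NodeAndFileShareMajority','DiskOnly')]
        [string]$Mode,
        [int]$NodesUp,      # nodes online and in communication with each other
        [int]$NodesTotal,   # configured nodes; each has one vote
        [bool]$WitnessUp    # disk or file share witness reachable by the surviving nodes
    )
    switch ($Mode) {
        'DiskOnly' {
            # The disk vetoes everything: no disk means no cluster, even with all nodes up.
            return ($WitnessUp -and $NodesUp -ge 1)
        }
        'NodeMajority' {
            $votesTotal = $NodesTotal
            $votesUp    = $NodesUp
        }
        default {
            # A disk or file share witness adds exactly one vote to the node votes.
            $votesTotal = $NodesTotal + 1
            $votesUp    = $NodesUp + [int]$WitnessUp
        }
    }
    # Majority means strictly more than half of the configured votes.
    return ($votesUp -gt [math]::Floor($votesTotal / 2))
}

# The scenarios from the text, evaluated against the model.
Test-Quorum -Mode NodeMajority             -NodesUp 3 -NodesTotal 5 -WitnessUp $false
Test-Quorum -Mode NodeMajority             -NodesUp 2 -NodesTotal 5 -WitnessUp $false
Test-Quorum -Mode NodeAndDiskMajority      -NodesUp 2 -NodesTotal 4 -WitnessUp $true
Test-Quorum -Mode NodeAndDiskMajority      -NodesUp 2 -NodesTotal 4 -WitnessUp $false
Test-Quorum -Mode NodeAndFileShareMajority -NodesUp 1 -NodesTotal 2 -WitnessUp $true
Test-Quorum -Mode DiskOnly                 -NodesUp 4 -NodesTotal 4 -WitnessUp $false

# Live cluster: show the current mode, then pick the majority mode that matches the
# node count, using a file share outside the cluster as witness for even counts.
function Set-RecommendedQuorum {
    param([string]$FileShareWitness = '\\LON-DC1\ClusterWitness')   # assumed share
    Import-Module FailoverClusters
    Get-ClusterQuorum | Select-Object Cluster, QuorumType, QuorumResource
    $nodeCount = @(Get-ClusterNode).Count
    if ($nodeCount % 2 -eq 0) {
        Set-ClusterQuorum -NodeAndFileShareMajority $FileShareWitness
    } else {
        Set-ClusterQuorum -NodeMajority
    }
    Get-ClusterQuorum | Select-Object QuorumType, QuorumResource
}
```

The file share witness needs only a few kilobytes, but the cluster name object (the cluster's computer account) must have full control on both the share and the NTFS folder, and the share should live on a server that is not itself a member of the cluster, otherwise the witness fails together with the node it was meant to break ties for.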
What Are Cluster Shared Volumes?
In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that the other nodes cannot see the shared storage until they become the active node. CSV is a technology introduced in Windows Server 2008 R2 that enables multiple nodes to concurrently share a single LUN. Each node obtains exclusive access to individual files on the LUN instead of to the whole LUN. In other words, CSVs provide a distributed file access solution so that multiple nodes in the cluster can simultaneously access the same NTFS file system.
In Windows Server 2008 R2, CSVs were designed only for hosting virtual machines running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which the virtual machine was running fails, CSV lets the virtual machine be restarted on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines compared to each virtual machine requiring a separate LUN.
In Windows Server 2012, CSVs have been additionally enhanced. It is now possible to use CSVs for other roles, and not just Hyper-V. For example, you can now configure the file server role in a failover cluster in a Scale-Out File Server scenario. The Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. In this context, CSVs in Windows Server 2012 introduce support for a read cache, which can significantly improve performance in certain scenarios. Also, a CSV File System (CSVFS) can perform CHKDSK without affecting applications with open handles on the file system.
Other important improvements in Cluster Shared Volumes in Windows Server 2012 are:
CSVFS benefits. In Disk Management, CSV volumes now appear as CSVFS. However, this is not a
new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still
formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they
are running on CSVs, which helps improves compatibility. And because of a single file namespace, all
files have the same name and path on any node in a cluster.
Multisubnet support for CSVs. CSVs have been enhanced to integrate with SMB Multichannel to help
achieve faster throughput for CSV volumes.
Support for BitLocker Drive Encryption. Windows Server 2012 supports BitLocker volume encryption for both traditional clustered disks and CSVs. Each node unlocks the volume by using the computer account of the cluster itself (the cluster name object), so no per-node key needs to be distributed.
Support for SMB 3.0 storage. CSVs in Windows Server 2012 provide support for SMB 3.0 storage for
Hyper-V and applications such as Microsoft SQL Server.
Integration with SMB Multichannel and SMB Direct. This allows CSV traffic to stream across multiple
networks in the cluster and to take advantage of network adapters that support Remote Direct
Memory Access (RDMA).
Integration with the Storage Spaces feature in Windows Server 2012. This can provide virtualized
storage on clusters of inexpensive disks.
Ability to scan and repair volumes. CSVs in Windows Server 2012 support the ability to scan and repair
volumes with zero offline time.
You can configure a CSV only after you create a failover cluster. Once the failover cluster exists, you can enable CSV for the cluster, and then add storage to the CSV.
Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.
As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:
When you convert from regular disk access to CSV, the LUN's drive letter or mount point is removed. This means that you must re-create all virtual machines that are stored on the shared storage. If you must retain the same virtual machine settings, consider exporting the virtual machines, switching to CSV, and then importing the virtual machines in Hyper-V.
You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is
using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
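The two considerations above (the disk must not be in use, and CSV takes away the drive letter) and the BitLocker support listed earlier come together in the following added example (not the course's own code). It moves a clustered disk from Available Storage into CSV and then encrypts it with a recovery password plus an Active Directory protector for the cluster name object, which is what lets every node unlock it. The disk name Cluster Disk 1 and the account ADATUM\CLUSTER1$ are assumptions; run it on the node that owns the disk, as a domain administrator, before any virtual machines are placed on the volume.

```powershell
# Added example: add a clustered disk to CSV, then protect the CSV with BitLocker
# using the cluster name object (CNO) as key protector. Names are assumptions.
Import-Module FailoverClusters
Import-Module BitLocker

function Add-DiskToCsv {
    param([string]$DiskName = 'Cluster Disk 1')
    # Refuse disks that a role already owns: a running VM on the disk would be cut off.
    $disk = Get-ClusterResource -Name $DiskName
    if ($disk.OwnerGroup.Name -ne 'Available Storage') {
        throw "$DiskName is owned by '$($disk.OwnerGroup.Name)', not Available Storage; move it first"
    }
    Add-ClusterSharedVolume -Name $DiskName | Out-Null
    # CSV removes the drive letter; the volume is now reached under C:\ClusterStorage.
    (Get-ClusterSharedVolume -Name $DiskName).SharedVolumeInfo.FriendlyVolumeName
}

function Protect-CsvWithBitLocker {
    param(
        [string]$DiskName   = 'Cluster Disk 1',
        [string]$ClusterCno = 'ADATUM\CLUSTER1$'   # the cluster's computer account
    )
    $mount = (Get-ClusterSharedVolume -Name $DiskName).SharedVolumeInfo.FriendlyVolumeName

    # BitLocker must be enabled while the volume is out of the CSV namespace, so put
    # the CSV resource into maintenance mode; I/O from the other nodes pauses meanwhile.
    Suspend-ClusterResource -Name $DiskName -Force | Out-Null
    try {
        # Recovery password first (escrow it), then the CNO protector that lets every
        # node unlock the volume with its cluster identity rather than a local key.
        Enable-BitLocker -MountPoint $mount -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
        Add-BitLockerKeyProtector -MountPoint $mount -ADAccountOrGroupProtector -ADAccountOrGroup $ClusterCno | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $mount
        [pscustomobject]@{
            Volume           = $mount
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
            RecoveryPassword = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        }
    }
    finally {
        # Always leave maintenance mode, even if BitLocker failed, or the CSV stays offline.
        Resume-ClusterResource -Name $DiskName | Out-Null
    }
}

Add-DiskToCsv
Protect-CsvWithBitLocker
```

Store the returned recovery password somewhere other than the cluster (Backup-BitLockerKeyProtector can escrow it to Active Directory); without it, a volume whose CNO protector breaks, for example after the cluster is destroyed and rebuilt under a new computer account, is unrecoverable.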
Additional Reading:
Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Storage Spaces Overview
http://technet.microsoft.com/en-us/library/hh831739.aspx
Lesson 2
Implementing a Failover Cluster
Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than the requirements for stand-alone servers.
This lesson describes how to prepare for cluster implementation, and also discusses the hardware, network, storage, infrastructure, and software requirements for Windows Server 2012 failover clusters. This lesson also outlines the steps for using the Validate a Configuration Wizard to ensure correct cluster configuration.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to prepare for implementing Failover Clustering.
Describe hardware requirements for Failover Clustering.
Describe network requirements for Failover Clustering.
Describe infrastructure requirements for Failover Clustering.
Describe software requirements for Failover Clustering.
Validate and configure a cluster.
Preparing for Implementing Failover Clustering
Before you implement Failover Clustering technology, you must identify services and applications that you
want to make highly available. Failover clustering cannot be applied to all applications. Also, you should
be aware that Failover Clustering does not provide improved scalability by adding nodes. You can only
obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you
should only use Failover Clustering when your goal is high availability, instead of scalability.
Failover clustering is best suited for stateful applications that are restricted to a single set of data. One
example of such an application is a database. Data is stored in a single location and can only be used by
one database instance. You can also use Failover Clustering for Hyper-V virtual machines.
Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications.
Both IP version 4 (IPv4) and IP version 6 (IPv6) are supported.
The best results for Failover Clustering occur when the client can reconnect to the application
automatically after failover. If the client does not reconnect automatically, then the user must restart the
client application.
Consider the following guidelines when planning node capacity in a failover cluster:
Spread out the highly-available applications from a failed node. When all nodes in a failover cluster
are active, the highly-available services or applications from a failed node should be spread out
among the remaining nodes to prevent a single node from being overloaded.
Ensure that each node has sufficient idle capacity to service the highly-available services or
applications that are allocated to it when another node fails. This idle capacity should be a sufficient
buffer to avoid nodes running at near capacity after a failure event. Failure to adequately plan
resource utilization can result in decreased performance following node failure.
Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for
failover because the failover load will be evenly distributed among the surviving nodes.
Hardware Requirements for Failover Cluster Implementation
It is very important to make good decisions when you select hardware for cluster nodes. Failover
clusters have to satisfy the following criteria to meet availability and support requirements:
You should install the same or similar hardware on each failover cluster node. For example, if you
choose a specific model of network adapter, you should install this adapter on each of the cluster
nodes.
Network Requirements for Failover Cluster Implementation
Failover cluster network components must have the Certified for Windows Server 2012 logo and
also pass the tests in the Validate a Configuration Wizard. Additionally:
Infrastructure Requirements for Failover Cluster
Failover clusters depend on infrastructure services. Each server node must be in the same Active
Directory domain, and if you use Domain Name System (DNS), the nodes should use the same
DNS servers for name resolution.
We recommend that you install the same Windows Server 2012 features and roles on each
node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In
addition, you should not install the AD DS role on any of the cluster nodes because AD DS has its
own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes.
You must have the following network infrastructure for a failover cluster:
In Windows Server 2012, there is no cluster service account. Instead, the Cluster service
automatically runs in a special context that provides the specific permissions and credentials that are
necessary for the service (similar to the local system context, but with reduced credentials). When a
failover cluster is created and a corresponding computer object is created in AD DS, that object is
configured to prevent accidental deletion. Also, the cluster Network Name resource has additional health
check logic, which periodically checks the health and properties of the computer object that represents
the Network Name resource.
Software Requirements for Failover Cluster Implementation
Failover clusters require that each cluster node must run the same edition of Windows Server
2012. The edition can be either Windows Server 2012 Enterprise or Windows Server 2012
Datacenter. The nodes should also have the same software updates and service packs.
Depending on the role that will be clustered, a Server Core installation may also meet the
software requirements. However, you cannot install Server Core and full editions in the same
cluster.
It is also very important that the same version of service packs or any operating system updates exists on
all nodes that are part of a cluster.
Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help
you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4:
Maintaining a Failover Cluster.
Each node must run the same processor architecture. This means that each node must have the same
processor family, which might be the Intel Xeon processor family with Extended Memory 64 Technology,
the AMD Opteron AMD64 family, or the Intel Itanium-based processor family.
The Validate a Configuration Wizard runs tests that confirm if the hardware and hardware settings are
compatible with Failover Clustering. Using the wizard, you can run the complete set of configuration tests
or a subset of the tests. We recommend that you run the tests on servers and storage devices before you
configure the failover cluster, and again after any major changes are made to the cluster. You can access
the test results in the %windir%\cluster\Reports directory.
Demonstration Steps
1.
2.
Start the Validate Configuration Wizard. Add LON-SVR3 and LON-SVR4 as cluster nodes.
3.
4.
5.
6.
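The validation and cluster-creation steps described above, expressed in Windows PowerShell as an added example (this is not course material or Microsoft's own demonstration script). It assumes LON-SVR3 and LON-SVR4 are domain-joined with the Failover Clustering feature installed; the cluster name CLUSTER1 and the address 172.16.0.125 are placeholder values.

```powershell
# Added example, not from the course. Assumes LON-SVR3 and LON-SVR4 are domain-joined, have the
# Failover Clustering feature installed, and that the caller is a local administrator on both.
# CLUSTER1 and 172.16.0.125 are placeholder values.
Import-Module FailoverClusters

# Run the complete validation test set against the candidate nodes before the cluster exists.
# Test-Cluster returns the MHTML report it wrote; the report lands in %windir%\Cluster\Reports,
# the directory the text refers to.
$report = Test-Cluster -Node LON-SVR3, LON-SVR4
Write-Host "Validation report written to $($report.FullName)"

# Quick heuristic only: the report itself is authoritative, but a report that never mentions a
# failed test is the minimum bar before continuing.
if (Select-String -Path $report.FullName -Pattern 'Failed' -Quiet) {
    throw "Validation reported failures; review the report before creating the cluster."
}

# Create the cluster only once validation is clean. -NoStorage keeps eligible disks out of the
# cluster so they can be added deliberately (and then added to CSV) afterwards.
New-Cluster -Name CLUSTER1 -Node LON-SVR3, LON-SVR4 -StaticAddress 172.16.0.125 -NoStorage

# Revalidate after any major change (new LUN, new adapter). The storage tests take clustered
# disks offline, so on a cluster that is already serving clients exclude that category.
Test-Cluster -Cluster CLUSTER1 -Ignore 'Storage'
```

The full test set is only safe before the cluster carries workloads; the final line shows the form to use once it does.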
Lesson 3
Configuring Highly-Available Applications and Services on a Failover Cluster
After you have configured clustering infrastructure, you should configure a specific role or service to be
highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you
want to put in a cluster and check whether it is supported. In this lesson, you will learn about configuring
roles and applications in clusters as well as about configuring cluster settings.
Lesson Objectives
After completing this lesson, you will be able to:
Describe and identify cluster resources and services.
Configure a cluster role.
Describe how to configure cluster properties.
Describe how to manage cluster nodes.
Describe how to configure application failover settings.
Identifying Cluster Resources and Services
A clustered service that contains an IP address resource and a network name resource (and other
resources) is published to a client on the network under a unique server name. Because this group
of resources is displayed as a single logical server to clients, it is called a cluster instance.
Users access applications or services on an instance in the same manner they would if the
applications or services were on a nonclustered server. Usually, applications or users do not know
that they are connecting to a cluster and the node they are connected to.
Resources are physical or logical entities, such as a file share, disk, or IP address that the failover cluster
manages. Resources may provide a service to clients or may be an important part of the cluster. Resources
are the most basic and smallest configurable unit. At any time, a resource can run only on a single node in
a cluster, and it is online on a node when it provides its service to that specific node.
It can be brought online and taken offline.
It can be managed in a server cluster.
To manage resources, the Cluster service communicates to a resource DLL through a resource monitor.
When the Cluster service makes a request of a resource, the resource monitor calls the appropriate
entry-point function in the resource DLL to check and control the resource state.
Dependent Resources
A dependent resource is one that requires another resource to operate. For example, a network name
must be associated with an IP address. Because of this requirement, a network name resource depends
on an IP address resource. Dependent resources are taken offline before the resources upon which they
depend are taken offline; similarly, they are brought online after the resources on which they depend
are brought online. A resource can specify one or more resources on which it is dependent. Resource
dependencies also determine bindings. For example, clients will be bound to the particular IP address that
a network name resource depends on.
When you create resource dependencies, consider the fact that, although some dependencies are strictly
required, others are not required but are recommended. For example, a file share that is not a Distributed
File System (DFS) root has no required dependencies. However, if the disk resource that holds the file
share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share
dependent on the disk resource.
A resource can also specify a list of nodes on which it can run. Possible nodes and dependencies are
important considerations when administrators organize resources into groups.
The Process for Clustering Server Roles
Failover clustering supports the clustering of several Windows Server roles, such as File Services,
DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as
SQL Server or Exchange Server, perform the following procedure:
1.
2.
3.
4. Create a clustered application by using the Failover Clustering Management snap-in.
5. Configure the application. Configure options on the application that is being used in the cluster.
6. Test failover. Use the Failover Cluster Management snap-in to test failover by intentionally moving
the service from one node to another.
Demonstration: Clustering a File Server Role
Demonstration Steps
1.
2.
3.
4.
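As an added example (not the course's demonstration script), the following Windows PowerShell session walks through steps 4 to 6 of the clustering procedure for a File Server role and shows the resource dependencies and possible-owner list discussed under Dependent Resources. It assumes cluster CLUSTER1 with nodes LON-SVR3 and LON-SVR4, two available cluster disks named "Cluster Disk 2" and "Cluster Disk 3", and treats the role name FS1, the address 172.16.0.130, the share name and the domain group as placeholders.

```powershell
# Added example, not from the course. Assumes cluster CLUSTER1 (nodes LON-SVR3, LON-SVR4) with
# unassigned cluster disks "Cluster Disk 2" and "Cluster Disk 3". FS1, 172.16.0.130, the share
# path and the ADATUM group name are placeholders.
Import-Module FailoverClusters

# Step 4: create the clustered application. The cmdlet builds one group holding the IP address,
# network name, file server and disk resources, with the dependencies already wired.
Add-ClusterFileServerRole -Cluster CLUSTER1 -Name FS1 -Storage "Cluster Disk 2" -StaticAddress 172.16.0.130

# Dependencies: the network name depends on the IP address, the file server resource on the
# network name and the disk. Print the tree, then the provider list of each resource.
Get-ClusterResourceDependencyReport -Cluster CLUSTER1 -Group FS1
$fs = Get-ClusterResource -Cluster CLUSTER1 |
      Where-Object { $_.OwnerGroup.Name -eq 'FS1' -and $_.ResourceType -eq 'File Server' }
Get-ClusterResourceDependency -Resource $fs.Name

# A second disk that will hold shares must be brought into the group and made a dependency of the
# file server resource; otherwise a failure of that disk leaves the shares dead but "online".
Move-ClusterResource -Cluster CLUSTER1 -Name "Cluster Disk 3" -Group FS1
Add-ClusterResourceDependency -Cluster CLUSTER1 -Resource $fs.Name -Provider "Cluster Disk 3"

# Possible owners: the list of nodes the resource is allowed to run on.
Set-ClusterOwnerNode -Cluster CLUSTER1 -Resource $fs.Name -Owners LON-SVR3, LON-SVR4

# Step 5: configure the application. Run on the node that currently owns FS1, because the
# clustered disk is mounted only there; -ScopeName ties the share to the clustered name.
$owner = (Get-ClusterGroup -Cluster CLUSTER1 -Name FS1).OwnerNode.Name
Invoke-Command -ComputerName $owner -ScriptBlock {
    New-Item -ItemType Directory -Path 'X:\Docs' -Force | Out-Null     # X: is the placeholder letter of Cluster Disk 2
    New-SmbShare -Name Docs -Path 'X:\Docs' -ScopeName FS1 -ChangeAccess 'ADATUM\Domain Users'
}

# Step 6: test failover by moving the role to the other node and confirming clients still reach it.
Move-ClusterGroup -Cluster CLUSTER1 -Name FS1 -Node LON-SVR4
(Get-ClusterGroup -Cluster CLUSTER1 -Name FS1) | Select-Object Name, OwnerNode, State
if (-not (Test-Path '\\FS1\Docs')) { throw "Share not reachable after failover" }
```

The dependency on the second disk is the point made in the text about file shares: nothing forces it, but without it the share outlives the disk it sits on.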
Managing cluster nodes. For each node in a cluster, you can stop the Cluster service temporarily, pause it,
initiate Remote Desktop to the node, or evict the node from the cluster.
Managing cluster networks. You can add or remove cluster networks, and you can also configure networks
that will be dedicated just for inter-cluster communication.
Managing permissions. By managing permissions, you delegate rights to administer the cluster.
Configuring cluster quorum settings. By configuring quorum settings, you determine the way quorum is
achieved, as well as who can have a vote in a cluster.
Configuring new services and applications to work in a cluster. You can implement new services to the
cluster.
Removing a cluster.
You can perform most of these administrative tasks by using the Failover Cluster Management console.
Managing Cluster Nodes
Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you
might have to manage cluster nodes occasionally. There are three aspects to managing cluster nodes:
You can add a node to an established failover cluster by selecting Add Node in the Failover Cluster
Management Actions pane. The Add Node Wizard prompts you for information about the additional
node.
You can manage cluster nodes by using the Failover Cluster Management console.
Configuring Application Failover Settings
You can adjust the failover settings, including preferred owners and failback settings, to control
how the cluster responds when the application or service fails. You can configure these settings on
the property sheet for the clustered service or application (on the General tab or on the Failover
tab). The following table provides examples that show how these settings work.
Setting                                                          Result
Example 1:
General tab, Preferred owner: Node1
Failover tab, Failback setting: Allow failback (Immediately)
Example 2:
Failover tab, Maximum failures in the specified period: 2
Failover tab, Period (hours): 6
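The two examples from the table, applied through the cluster group properties that sit behind the General and Failover tabs, as an added Windows PowerShell example that is not from the course. It assumes a clustered role FS1 on cluster CLUSTER1 with LON-SVR3 playing the "Node1" of Example 1; the property names are the standard cluster group properties, and the value semantics in the comments are the documented ones.

```powershell
# Added example, not from the course. Assumes clustered role FS1 on cluster CLUSTER1 with nodes
# LON-SVR3 (the "Node1" of Example 1) and LON-SVR4.
Import-Module FailoverClusters
$group = Get-ClusterGroup -Cluster CLUSTER1 -Name FS1

# Example 1. General tab, Preferred owner: Node1 -> the preferred owner list, first entry wins.
Set-ClusterOwnerNode -Cluster CLUSTER1 -Group FS1 -Owners LON-SVR3, LON-SVR4
# Failover tab, Allow failback (Immediately). AutoFailbackType: 0 = prevent failback,
# 1 = allow failback. A failback window of -1/-1 means no window, i.e. fail back as soon as a
# higher-preference node is available again.
$group.AutoFailbackType    = 1
$group.FailbackWindowStart = -1
$group.FailbackWindowEnd   = -1

# Example 2. Failover tab, Maximum failures in the specified period: 2, Period (hours): 6.
# Once the group fails more than FailoverThreshold times within FailoverPeriod hours, the
# cluster leaves it in the Failed state instead of failing it over again.
$group.FailoverThreshold = 2
$group.FailoverPeriod    = 6

# Read everything back to confirm the values actually took.
Get-ClusterOwnerNode -Cluster CLUSTER1 -Group FS1
Get-ClusterGroup -Cluster CLUSTER1 -Name FS1 |
    Select-Object Name, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd, FailoverThreshold, FailoverPeriod
```

Failback only triggers when a preferred node comes back into the cluster; a manual Move-ClusterGroup to a less-preferred node is not undone by it.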
Lesson 4
Maintaining a Failover Cluster
When cluster infrastructure is up and running, it is very important to establish monitoring to prevent
possible failures. Also, it is important to have backup and restore procedures for cluster configuration. In
Windows Server 2012, there is a new technology that lets you update cluster nodes without downtime. In
this lesson, you will learn about monitoring, backup, and restore and about updating cluster nodes.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to monitor failover clusters.
Describe how to back up and restore cluster configuration.
Describe how to troubleshoot failover clusters.
Configure Cluster-Aware Updating.
Monitoring Failover Clusters
Many tools are available to help you monitor failover clusters. You can use standard Windows
Server tools, such as the Event Viewer and the Performance and Reliability Monitor snap-in,
to review cluster event logs, and performance metrics. You can also use Cluster.exe and
Tracerpt.exe to export data for analysis.
Additionally, you can use the MHTML-formatted cluster configuration reports and the Validate a
Configuration Wizard to troubleshoot problems with the cluster configuration and hardware
changes.
Event Viewer
When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning
severity level. Additionally, informational level events are logged to the Failover Clustering Operations log,
which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder.
Informational-level events are usually common cluster operations, such as cluster nodes leaving and
joining the cluster, or resources going offline or coming online.
In previous Windows Server versions, event logs were replicated to each node in the cluster. This
simplified cluster troubleshooting, because you could review all event logs on a single cluster node.
Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster
Management snap-in has a Cluster Events option that enables you to view and filter events across all
cluster nodes. This feature is helpful in correlating events across cluster nodes.
You can access additional logs, such as the Debug and Analytic logs, in the Event Viewer. To display these
logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs options.
Windows Event Tracing
Windows event tracing is a kernel component that is available early after startup, and late into shutdown.
It is designed to allow for fast tracing and delivery of events to trace files and to consumers. Because it is
designed to be fast, it enables only basic in-process filtering of events based on event attributes.
The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on
how you want to view the data, use either Cluster.exe or Tracerpt.exe to access the information in the
event trace log.
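Because Windows Server 2012 no longer replicates event logs between nodes, collecting them from every node is the scripted equivalent of the Cluster Events view. The following is an added Windows PowerShell example (not from the course) that serves both the Event Viewer and the Windows Event Tracing sections: it gathers Critical, Error and Warning events from the Failover Clustering Operational channel on each node of cluster CLUSTER1, then generates the text cluster log from the event trace. It assumes the caller can read event logs remotely on all nodes; C:\ClusterLogs is a placeholder path.

```powershell
# Added example, not from the course. Assumes cluster CLUSTER1 and remote event-log read access
# on every node. The log name is the real Failover Clustering Operational channel.
Import-Module FailoverClusters

$nodes = (Get-ClusterNode -Cluster CLUSTER1).Name
$since = (Get-Date).AddHours(-24)

# Level 1 = Critical, 2 = Error, 3 = Warning. Collect from each node into one list.
$events = foreach ($n in $nodes) {
    Get-WinEvent -ComputerName $n -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-FailoverClustering/Operational'
        Level     = 1, 2, 3
        StartTime = $since
    } | Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
}

# Correlate across nodes: a single time-ordered stream, then a count of which event IDs fired
# on which node (a resource failing over shows up on both sides within seconds).
$events | Sort-Object TimeCreated | Format-Table MachineName, TimeCreated, Id, LevelDisplayName -AutoSize
$events | Group-Object Id, MachineName | Select-Object Count, Name | Sort-Object Count -Descending

# Event tracing: write each node's cluster.log (the formatted ETW trace) for the last 60 minutes
# into one folder. This is the PowerShell counterpart of generating the log with Cluster.exe.
Get-ClusterLog -Cluster CLUSTER1 -Destination 'C:\ClusterLogs' -TimeSpan 60
```

Keep -TimeSpan small on a busy cluster; the trace is verbose and the generated files grow quickly.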
Performance and Reliability Monitor Snap-In
The Performance and Reliability Monitor snap-in lets you:
Trend application failures and stability on each node. You can pinpoint when application failures
occur and match the application failures with other events on the node.
Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.
Backing Up and Restoring Failover Cluster Configuration
Cluster configuration can be a time-consuming process with many details, and so backup of
cluster configuration is very important. You can perform backup and restore of cluster
configuration with Windows Server Backup or a third-party backup tool.
When you back up the cluster configuration, be aware of the following:
You must test your backup and recovery process before putting a cluster into production.
Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To
complete a successful backup, consider the following:
For a backup to succeed in a failover cluster, the cluster must be running and must have quorum. In
other words, enough nodes must be running and communicating (perhaps with a witness disk or
witness file share, depending on the quorum configuration) that the cluster has achieved quorum.
If application data must be backed up, the disks that you store the data on must be made available to
the backup software. You can achieve this by running the backup software from the cluster node that
owns the disk resource, or by running a backup against the clustered resource over the network.
The Cluster service keeps track of which cluster configuration is the most recent, and it replicates that
configuration to all cluster nodes. If the cluster has a witness disk, the Cluster service also replicates
the configuration to the witness disk.
Restoring a Cluster
There are two types of restore:
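As an added Windows PowerShell example (not part of the course), the quorum precondition stated above checked before a Windows Server Backup system state backup, which is where the cluster database lives. It assumes cluster CLUSTER1, that Windows Server Backup is installed on the node the script runs on, and that E: is a placeholder backup target volume.

```powershell
# Added example, not from the course. Assumes cluster CLUSTER1, Windows Server Backup installed on
# this node, and a backup target volume E: (placeholder).
Import-Module FailoverClusters

# Backup only succeeds while the cluster has quorum. Check that the cluster answers and that the
# voting nodes that are Up form a majority. Node votes only: a witness vote, if configured, is not
# counted here, so the check is deliberately conservative.
$cluster = Get-Cluster -Name CLUSTER1
$nodes   = Get-ClusterNode -Cluster $cluster.Name
$votes   = ($nodes | Where-Object { $_.NodeWeight -eq 1 }).Count
$votesUp = ($nodes | Where-Object { $_.NodeWeight -eq 1 -and $_.State -eq 'Up' }).Count
Get-ClusterQuorum -Cluster $cluster.Name | Format-List QuorumType, QuorumResource
if ($votesUp * 2 -le $votes) {
    throw "Only $votesUp of $votes voting nodes are up; restore quorum before backing up."
}

# The cluster database is part of the system state, so a system state backup taken on any node
# captures the cluster configuration. Application data on clustered disks is a separate job that
# must run on the node owning the disk (or against the clustered share over the network).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Testing the recovery path starts with confirming the backup is actually listed for restore.
wbadmin get versions -backupTarget:E:
```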
Troubleshooting Failover Clusters
Although cluster validation implemented in Windows Server 2012 Failover Clustering prevents
misconfigurations and non-working clusters, in some cases, you have to perform cluster
troubleshooting. To troubleshoot a failover cluster, follow these guidelines:
Review cluster events and trace logs to identify application or hardware issues that might cause an
unstable cluster.
Review hardware events and logs to help pinpoint specific hardware components that might cause an
unstable cluster.
When troubleshooting failover clusters, you must:
Identify the scope of the problem so that you can understand what is being affected by the problem,
and what impact that effect has on the application and the clients.
Collect information so that you can accurately understand and pinpoint the possible problem. After
you identify a list of possible problems, you can prioritize them by probability, or the impact of a
repair. If the problem cannot be pinpointed, you should attempt to re-create the problem.
Complete and test each repair one at a time so that you can identify the fix.
To troubleshoot SAN issues, start by checking physical connections and each of the hardware component
logs. Additionally, run the Validate a Configuration Wizard to verify that the current cluster configuration
is still supportable. When you run the Validate a Configuration Wizard, ensure that the storage tests that
you select can be run on an online failover cluster. Several of the storage tests cause loss of service on the
clustered disk when the tests are run.
Troubleshooting Group and Resource Failures
To troubleshoot group and resource failures:
What Is Cluster-Aware Updating?
Applying operating system updates to nodes in a cluster requires special attention. If you want to
provide zero downtime for a clustered role, you must manually update cluster nodes one after
another, and you must manually move resources from the node being updated to another node.
This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented
a new feature for automatic update of cluster nodes.
Cluster-Aware Updating (CAU) is a feature that lets administrators automatically update cluster
nodes with little or no loss in availability during the update process. During an update procedure, CAU
transparently takes each cluster node offline, installs the updates and any dependent updates, performs a
restart if necessary, brings the node back online, and then moves to update the next node in a cluster.
For many clustered roles, this automatic update process triggers a planned failover, and it can cause a
transient service interruption for connected clients. However, for continuously available workloads in
Windows Server 2012, such as Hyper-V with live migration or file server with SMB Transparent Failover,
CAU can orchestrate cluster updates with no effect on the service availability.
Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or
Windows 8 is configured as an orchestrator. To configure a computer as a CAU
orchestrator, you must install the Failover Clustering administrative tools on it. The orchestrator computer
is not a member of the cluster that is updated during the procedure. From the orchestrator computer,
the administrator triggers on-demand updating by using a default or custom Updating Run profile.
Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for
clusters that are running on Server Core installations of Windows Server 2012.
Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover
cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does
not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a
default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process
starts on the node that currently owns the CAU clustered role, and the process sequentially performs
updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by
using a fully automated, end-to-end updating process. An administrator can also trigger updates on
demand in this mode, or use the remote-updating approach if desired. In the self-updating mode, an
administrator can access summary information about an Updating Run in progress by connecting to
the cluster and running the Get-CauRun Windows PowerShell cmdlet.
To use CAU, you must install the Failover Clustering feature in Windows Server 2012 and create a failover
cluster. The components that support CAU functionality are automatically installed on each cluster node.
You must also install the CAU tools, which are included in the Failover Clustering Tools (which are also
part of the Remote Server Administration Tools, or RSAT). The CAU tools consist of the CAU UI and the
CAU Windows PowerShell cmdlets. The Failover Clustering Tools are installed by default on each cluster
node when you install the Failover Clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8 and that has network connectivity
to the failover cluster.
Make sure that the cluster is configured and running on LON-SVR3 and LON-SVR4.
2.
3.
4.
Preview updates that are available for nodes LON-SVR3 and LON-SVR4.
5.
6.
7.
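Both CAU modes described above, plus the update preview of step 4, as an added Windows PowerShell example that is not the course's demonstration script. It assumes cluster CLUSTER1 (nodes LON-SVR3 and LON-SVR4) and runs from a computer with the Failover Clustering Tools installed; the schedule and retry values are placeholders chosen for illustration.

```powershell
# Added example, not from the course. Assumes cluster CLUSTER1 (nodes LON-SVR3, LON-SVR4) and a
# management computer with the Failover Clustering Tools (RSAT) installed. Schedule and retry
# values are illustrative placeholders.
Import-Module ClusterAwareUpdating

# Prerequisite check: firewall rules for the restart, WMI and PowerShell remoting on every node.
Test-CauSetup -ClusterName CLUSTER1

# Demonstration step 4: preview the updates each node would receive, without installing anything.
Invoke-CauScan -ClusterName CLUSTER1 -CauPluginName Microsoft.WindowsUpdatePlugin | Format-List

# Remote-updating mode: this computer acts as orchestrator and drives one Updating Run now.
# MaxFailedNodes 0 aborts the run at the first node that fails to update, and
# RequireAllNodesOnline refuses to start unless every node is up, so the run never leaves
# a cluster half-updated with a node already missing.
Invoke-CauRun -ClusterName CLUSTER1 -CauPluginName Microsoft.WindowsUpdatePlugin `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Self-updating mode: add the CAU clustered role so the cluster updates itself on a schedule
# (here the third Tuesday of each month) with no dedicated orchestrator computer.
Add-CauClusterRole -ClusterName CLUSTER1 -DaysOfWeek Tuesday -WeeksOfMonth 3 `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -EnableFirewallRules -Force

# Progress of a run in flight (the cmdlet named in the text), then the report of the last run.
Get-CauRun -ClusterName CLUSTER1
Get-CauReport -ClusterName CLUSTER1 -Last -Detailed
```

The RequireAllNodesOnline and MaxFailedNodes settings are the ones worth reviewing before enabling self-updating: a schedule that happily proceeds while a node is down converts a maintenance window into a quorum event.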
Lesson 5
Implementing a Multi-Site Failover Cluster
In some scenarios, you have to deploy cluster nodes on different sites. Usually, you do this when you build
disaster-recovery solutions. In this lesson, you will learn about deploying multi-site clusters.
Lesson Objectives
After completing this lesson, you will be able to:
Describe synchronous and asynchronous replication.
Describe how to choose a quorum mode for multi-site clusters.
Describe the challenges for implementing multi-site clusters.
Describe the considerations for deploying multi-site clusters.
What Is a Multi-Site Cluster?
A multi-site cluster provides highly-available services in more than one location. Multi-site
clusters can solve several specific problems. However, they also present specific challenges.
In a multi-site cluster, each site usually has a separate storage system with replication between
the sites. Multi-site cluster storage replication enables each site to be independent, and provides
fast access to the local disk. With separate storage systems, you cannot share a single disk between
sites.
A multi-site cluster has three main advantages in a failover site compared to a remote server:
When a site fails, a multi-site cluster automatically fails over the clustered service or application to
another site.
Because the cluster configuration is automatically replicated to each cluster node in a multi-site
cluster, there is less administrative overhead than a cold standby server, which requires you to
manually replicate changes.
The automated processes in a multi-site cluster reduce the possibility of human error, which is present
in manual processes.
Because of increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution
for every application or business. When you are considering whether to deploy a multi-site cluster, you
should evaluate the importance of the applications to the business, the type of applications, and any
alternative solutions. Some applications can provide multi-site redundancy easily with log shipping or
other processes, and can still achieve sufficient availability with only a modest increase in cost and
complexity.
The complexity of a multi-site cluster requires better architectural and hardware planning. It also requires
you to develop business processes to routinely test the cluster functionality.
Synchronous and Asynchronous Replication
It is not possible for a geographically-dispersed failover cluster to use shared storage between
physical locations. Wide area network (WAN) links are too slow and have too much latency to
support shared storage. Geographically-dispersed failover clusters must synchronize data between
locations by using specialized hardware. Multi-site data replication can be either synchronous or
asynchronous:
When to Use Synchronous or Asynchronous Replication
Choosing a Quorum Mode for Multi-Site Clusters
For a geographically-dispersed cluster, you cannot use quorum configurations that require a shared
disk, because geographically-dispersed clusters do not use shared disks. Both the Node and Disk
Majority, and No Majority: Disk Only quorum modes require a shared witness disk to provide a
vote for determining quorum. You should only use these two quorum modes if the hardware
vendor specifically recommends and supports them.
To use the Node and Disk Majority and No Majority: Disk Only modes in a multi-site cluster,
the shared disk requires that:
You preserve the semantics of the SCSI commands across the sites, even if a complete communication
failure occurs between sites.
Because multi-site clusters can have WAN failures in addition to node and local network failures, Node
Majority and Node and File Share Majority are better solutions for multi-site clusters. If there is a WAN
failure that causes the primary and secondary sites to lose communication, a majority must still be
available to continue operations.
If you are using Node Majority and the sites lose communication, you need a mechanism to determine
which nodes stay up, and which nodes drop out of cluster membership. The second site requires another
vote to obtain quorum after a failure. To obtain another vote for quorum, you must join another node to
the cluster, or create a file share witness.
The Node and File Share Majority mode can help maintain quorum without adding another node to the
cluster. To provide for a single-site failure and enable automatic failover, the file share witness might have
to exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you
must create a separate file share for each cluster.
You must use three locations to enable automatic failover of a highly-available service or application.
Locate one node in the primary location that runs the highly-available service or application. Locate a
second node in a disaster-recovery site, and locate the third node for the file share witness in another
location.
There must be direct network connectivity between all three locations. In this manner, if one site becomes
unavailable, the two remaining sites can still communicate and have enough nodes for a quorum.
Note: In Windows Server 2008 R2, administrators could configure the quorum to include
nodes. However, if the quorum configuration included nodes, all nodes were treated equally
according to their votes. In Windows Server 2012, cluster quorum settings can be adjusted so
that when the cluster determines whether it has quorum, some nodes have a vote and some do
not. This adjustment can be useful when solutions are implemented across multiple sites.
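The three-location design above (primary node, disaster-recovery node, file share witness at a third site) configured in Windows PowerShell, with the per-node vote adjustment the note describes and a small vote-count check. This is an added example, not course material; it assumes cluster CLUSTER1 with LON-SVR3 in the primary site and LON-SVR4 in the disaster-recovery site, a file server WITNESS01 in a third site, and an optional extra node LON-SVR5; all names and the share path are placeholders.

```powershell
# Added example, not from the course. Assumes cluster CLUSTER1 with LON-SVR3 (primary site),
# LON-SVR4 (disaster-recovery site) and a file server WITNESS01 in a third site. LON-SVR5 and the
# share path are placeholders.
Import-Module FailoverClusters

# Node and File Share Majority: the witness share is the third vote, so a WAN cut between the two
# node sites still leaves the side that can reach the witness with a majority. One share per
# cluster; the cluster name computer object must be able to write to it.
Set-ClusterQuorum -Cluster CLUSTER1 -NodeAndFileShareMajority '\\WITNESS01\CLUSTER1-Witness'
Get-ClusterQuorum -Cluster CLUSTER1

# Windows Server 2012: remove a node's vote (0 = no vote, 1 = vote). For example, a second
# disaster-recovery node that must never be able to form quorum on its own.
# (Get-ClusterNode -Cluster CLUSTER1 -Name LON-SVR5).NodeWeight = 0

# Vote arithmetic for the current configuration: total votes, what a majority needs, and how many
# votes can be lost before the cluster stops. QuorumResource is empty for plain Node Majority.
$nodes  = Get-ClusterNode -Cluster CLUSTER1
$quorum = Get-ClusterQuorum -Cluster CLUSTER1
$votes  = ($nodes | Where-Object { $_.NodeWeight -eq 1 }).Count
if ($quorum.QuorumResource) { $votes++ }        # a disk or file share witness adds one vote
$needed = [math]::Floor($votes / 2) + 1
"Total votes: $votes  needed for quorum: $needed  tolerable vote losses: $($votes - $needed)"
```

With two voting nodes and the witness, the output reads 3 / 2 / 1: exactly one site (or the witness) can be lost, which is why the text insists on three locations with direct connectivity between all of them.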
Challenges for Implementing a Multi-Site Cluster
Implementation of multi-site clusters is more complex than implementation of single-site
clusters, and can also present several challenges to the administrator. Most important challenges
when you implement multi-site clusters are related to storage and network.
In a multi-site cluster, there is no shared storage that the cluster node uses. This means that nodes
on each site must have their own storage instance. On the other hand, Failover Clustering does not
include any built-in functionality to replicate data between sites. There are three options for
replicating data: block level hardware-based replication, software-based file replication installed on the
host, or application-based replication.
Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered
application or service to change its IP address based on the IP subnet. DNS updates the clustered
application's DNS record so that clients can locate the IP address change. Because clients rely on DNS to
find a service or application after a failover, you might have to adjust the DNS record's Time to Live, and
the speed at which DNS data is replicated. Additionally, when cluster nodes are in multiple sites, network
latency might require you to modify the inter-node communication (heartbeat) delay and time-out
thresholds.
Deployment Considerations for a Multi-Site Cluster
Multi-site clusters are not appropriate for every application or every business. When you design a
multi-site solution with a hardware vendor, clearly identify the business requirements and expectations.
Not every scenario that involves more than one location is appropriate for a multi-site cluster.
Multi-site clusters do require some more overhead than local clusters. Instead of a local cluster, in which
each node of the cluster is attached to the mass storage device, each site of a multi-site cluster must have
comparable storage. In addition, you will also have to consider vendors to set up your data replication
schemes between cluster sites, possibly pay for additional network bandwidth between sites, and develop
the management resources within your organization to efficiently administer your multi-site cluster.
Additionally, carefully consider the quorum mode that you will use, and the location of the available
cluster votes.
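As an added example (not part of the course text), the following Windows PowerShell script applies the multi-site settings discussed above to an existing cluster: a file share witness in a third location, the per-node vote adjustment that Windows Server 2012 introduces, wider cross-subnet heartbeat thresholds, and a shorter DNS TTL for the clustered name. The cluster name Cluster1, the witness share \\WIT-SRV1\Witness, the no-vote node DR-SVR2 and the threshold values are assumptions; AdatumFS is the role name used in the lab.

```powershell
# Added example: multi-site cluster settings (assumed names, see comments).
Import-Module FailoverClusters

$ClusterName  = 'Cluster1'            # assumed cluster name
$WitnessShare = '\\WIT-SRV1\Witness'  # assumed share hosted in a third location
$NoVoteNodes  = @('DR-SVR2')          # assumed: extra DR-site node that must not vote
$RoleName     = 'AdatumFS'            # clustered file server role from the lab

$cluster = Get-Cluster -Name $ClusterName

# 1. Quorum: node votes plus a file share witness in a third site, so that any
#    two of the three locations can still form a majority if one is cut off.
Set-ClusterQuorum -InputObject $cluster -NodeAndFileShareMajority $WitnessShare | Out-Null

# 2. Votes: Windows Server 2012 lets a node be a member without a vote. Removing
#    the vote from a second node in the DR site keeps that site from holding a
#    majority on its own when the WAN link fails.
foreach ($node in Get-ClusterNode -Cluster $ClusterName) {
    $node.NodeWeight = if ($NoVoteNodes -contains $node.Name) { 0 } else { 1 }
}
Get-ClusterNode -Cluster $ClusterName |
    Select-Object Name, State, NodeWeight, DynamicWeight | Format-Table -AutoSize

# 3. Heartbeat: nodes in different subnets exchange heartbeats over a WAN, so
#    widen the interval (ms) and the number of missed heartbeats tolerated
#    before a node is declared down (defaults are 1000 ms and 5).
$cluster.CrossSubnetDelay     = 2000
$cluster.CrossSubnetThreshold = 10
$cluster | Format-List SameSubnetDelay, SameSubnetThreshold, CrossSubnetDelay, CrossSubnetThreshold

# 4. DNS: after a failover to the other subnet the role answers on a new IP
#    address, and clients only notice once the old record expires, so lower the
#    TTL (seconds) of the role's host record from the default 1200.
$netName = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType.Name -eq 'Network Name' -and $_.OwnerGroup.Name -eq $RoleName }
Set-ClusterParameter -InputObject $netName -Name HostRecordTTL -Value 300

# The new TTL is registered the next time the name resource comes online,
# which briefly interrupts the role: do this in a maintenance window.
Stop-ClusterResource  -InputObject $netName | Out-Null
Start-ClusterResource -InputObject $netName | Out-Null
Get-ClusterParameter  -InputObject $netName -Name HostRecordTTL
```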
As A. Datum's business grows, it is becoming increasingly important that many of the applications and
services on the network are available at all times. A. Datum has many services and applications that have
to be available to internal and external users who work in different time zones around the world. Many of
these applications cannot be made highly available by using Network Load Balancing. Therefore, you have
to use a different technology to make these applications highly available.
As one of the senior network administrators at A. Datum, you will be responsible for implementing
Failover Clustering on the Windows Server 2012 servers in order to provide high availability for network
services and applications. You will also be responsible for planning the Failover Cluster configuration, and
deploying applications and services on the Failover Cluster.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated time: 90 minutes
Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR3, 20417A-LON-SVR4
User Name: Adatum\Administrator
Password: Pa$$w0rd
Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
b.
Password: Pa$$w0rd
5.
6.
Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.
A. Datum has important applications and services that they want to make highly available. Some of these
services cannot use Network Load Balancing. Therefore, you decided to implement Failover clustering.
Because iSCSI storage is set up, you decided to use the iSCSI storage for Failover Clustering. First, you will
implement the core components for Failover Clustering, validate the cluster, and then create the failover
cluster.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with IP address 172.16.0.21.
2.
3.
4.
5.
6.
7.
On LON-SVR4, open Disk Management, and bring online and initialize the three new disks.
2.
2.
3.
4.
Review report.
On LON-SVR3, in the Failover Cluster Manager, start the Create Cluster Wizard.
2.
3.
4.
Results: After this exercise, you will have installed and configured the Failover Clustering feature.
2.
3.
2.
3.
In the Storage node, click Disks and verify that three cluster disks are online.
4.
5.
6.
7.
2.
Start the New Share Wizard and add a new shared folder to the AdatumFS cluster role.
3.
4.
1.
On LON-SVR4, in the Failover Cluster Manager, open the Properties for the AdatumFS cluster role.
2.
3.
4.
Results: After this exercise, you will have configured a highly-available file server.
2.
Validate the failover and quorum configuration for the File Server role.
1.
On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure
that you can access the Docs folder.
2.
3.
On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node.
4.
On LON-DC1, in Windows Explorer, verify that you can still access \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the File Server role
1.
2.
Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3.
Verify that AdatumFS has moved to another node and that the \\AdatumFS\ location is still
available.
4.
Start the Cluster service on the node in which you stopped it in step 2.
5.
Browse to the Disks node, and take the disk witness offline.
6.
7.
Results: After this exercise, you will have tested the failover scenarios.
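The two failover tests in this exercise, scripted with the FailoverClusters module as an added example (not part of the course lab). The node names LON-SVR3 and LON-SVR4, the AdatumFS role and the Docs share come from the lab; the 15-second wait is an assumption.

```powershell
# Added example: scripted version of the lab's failover and quorum checks.
Import-Module FailoverClusters

$Role  = 'AdatumFS'
$Share = "\\$Role\Docs"

function Test-RoleAccess {
    # $true when the clustered share answers from whichever node owns it now.
    param([string]$Path)
    Test-Path -Path $Path
}

function Get-RoleOwner {
    param([string]$Name)
    (Get-ClusterGroup -Name $Name).OwnerNode.Name
}

# Task 1: planned move of the role to the other node, then check the share.
$before = Get-RoleOwner $Role
$target = if ($before -eq 'LON-SVR3') { 'LON-SVR4' } else { 'LON-SVR3' }
Move-ClusterGroup -Name $Role -Node $target | Out-Null
"Moved $Role from $before to $(Get-RoleOwner $Role); share reachable: $(Test-RoleAccess $Share)"

# Task 2: unplanned loss of the owner (stop the Cluster service on that node).
$owner = Get-RoleOwner $Role
Stop-ClusterNode -Name $owner | Out-Null
Start-Sleep -Seconds 15          # assumed: time for the role to fail over
$after = Get-RoleOwner $Role
if ($after -eq $owner) { throw "$Role did not fail over after $owner left the cluster" }
"Failed over to $after; share reachable: $(Test-RoleAccess $Share)"
Start-ClusterNode -Name $owner | Out-Null

# Quorum: the disk witness lives in the core 'Cluster Group'. Take it offline
# and confirm the cluster keeps running on the node votes alone.
$witness = Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Cluster Group' }
Stop-ClusterResource -InputObject $witness | Out-Null
$upNodes = @(Get-ClusterNode | Where-Object State -eq 'Up').Count
"Witness offline; nodes still up: $upNodes; share reachable: $(Test-RoleAccess $Share)"
Start-ClusterResource -InputObject $witness | Out-Null
```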
Earlier, implementing updates to servers with critical service was causing unwanted downtime. To enable
seamless and zero downtime cluster updating, you want to implement the Cluster-Aware Updating
feature and test updates for cluster nodes.
The main tasks for this exercise are as follows:
1.
2.
2.
3.
Connect to Cluster1.
4.
2.
After the process is complete, configure self-updating for Cluster1, to be performed weekly, on
Sundays at 4A.M.
Results: After this exercise, you will have configured Cluster-Aware Updating.
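The Cluster-Aware Updating configuration from this exercise (self-updating for Cluster1, weekly on Sundays at 4 A.M.), done with the ClusterAwareUpdating module as an added example that is not part of the course lab. The plugin name, retry limits and the prerequisite check are assumptions about what a practitioner would choose.

```powershell
# Added example: CAU self-updating schedule for the lab cluster.
Import-Module ClusterAwareUpdating

$ClusterName = 'Cluster1'

# Prerequisite check: remoting, firewall rules for remote restart, and so on.
Test-CauSetup -ClusterName $ClusterName

# First run: the next Sunday at 4:00 A.M. local time.
$now      = Get-Date
$firstRun = $now.Date.AddDays((7 - [int]$now.DayOfWeek) % 7).AddHours(4)
if ($firstRun -le $now) { $firstRun = $firstRun.AddDays(7) }

$cauParams = @{
    ClusterName         = $ClusterName
    CauPluginName       = 'Microsoft.WindowsUpdatePlugin'
    StartDate           = $firstRun
    DaysOfWeek          = 'Sunday'
    WeeksInterval       = 1            # every week
    MaxFailedNodes      = 0            # assumed: abort the run as soon as one node fails
    MaxRetriesPerNode   = 3            # assumed
    EnableFirewallRules = $true
    Force               = $true
}
Add-CauClusterRole @cauParams

# Confirm the clustered CAU role and its schedule.
Get-CauClusterRole -ClusterName $ClusterName

# On-demand run (what the exercise does before enabling the schedule) and report.
Invoke-CauRun -ClusterName $ClusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -Force
Get-CauReport -ClusterName $ClusterName -Last -Detailed
```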
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1.
2.
In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Best Practices
Use Cluster Shared Volumes for Hyper-V high availability or Scale Out File server
Be sure that, in case of one node failure, other nodes can handle the load
Troubleshooting Tip
Your organization is considering the use of a geographically-dispersed cluster that includes an alternative
data center. Your organization has only a single physical location together with an alternative data center.
Can you provide an automatic failover in this configuration?
Tools
The tools for implementing fail-over clustering include:
Windows PowerShell
Server Manager
iSCSI initiator
Disk Management
Module 8
Implementing Hyper-V
Contents:
Module Overview
8-1
8-2
8-8
8-16
8-21
8-27
8-33
Module Overview
Although server virtualization was deployed rarely on corporate networks only a decade ago, today it is a
core networking technology. Server administrators must be able to distinguish which server workloads
might run effectively in virtual machines and which need to remain in a traditional, physical deployment.
This module introduces you to the new features of the Hyper-V role, the components of the role, and
the best practices for deploying the role.
Objectives
After completing this module, you will be able to:
Lesson 1
Configuring Hyper-V Servers
Lesson Objectives
After completing this lesson, you will be able to:
Describe Hyper-V Integration Services.
What's New in Hyper-V 3.0?
The Hyper-V role first became available after the release of Windows Server 2008. New features were added
to the role, both in Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 (SP1).
Hyper-V in Windows Server 2012, also known as Hyper-V 3.0, includes the following major improvements:
Hyper-V PowerShell support
Non-Uniform Memory Access (NUMA) support
Memory improvements
Virtual Machine Replication
You can use Hyper-V Replica to perform continuous replication of important virtual machines from a host
server to a replica server. In the event that the host server fails, you can configure failover to the replica
server. For more information on Hyper-V replicas, visit Module 9: Implementing Failover Clustering with
Hyper-V.
Hyper-V PowerShell support
Windows Server 2012 introduces extensive Windows PowerShell support for Hyper-V through the Hyper-V
PowerShell module. You can manage all aspects of Hyper-V, including creating virtual hard disks, virtual
switches, and virtual machines.
Hyper-V administrators can use Quality of Service (QoS) bandwidth management to converge multiple
traffic types through a virtual-machine network adapter, which allows a predictable service level for each
traffic type. You also can allocate minimum and maximum bandwidth allocations on a per-virtual machine
basis.
Hyper-V 3.0 includes NUMA support. NUMA is a multiprocessor architecture that automatically groups
RAM and processors. This leads to performance improvements for virtual machines that are hosted on
servers that have multiple processors and large amounts of random access memory (RAM).
Memory Improvements
Dynamic memory is a feature that allows virtual machine memory to be allocated as necessary, rather than
as a fixed amount. For example, rather than setting a virtual machine with a fixed 4 gigabytes (GB) of
memory, which Hyper-V allocates to the virtual machine, an administrator can use dynamic memory to
allocate a minimum and maximum amount. In this scenario, the virtual machine requests only what it
needs. Although Windows Server 2008 R2 SP1 included the ability for virtual machines to use dynamic
memory, you had to shut down the virtual machine before you could adjust these settings. Hyper-V 3.0
enables administrators to adjust dynamic memory settings on virtual machines that are running. You can
use smart paging to configure startup memory, which differs from the minimum and maximum memory
allocations. When you use smart paging, the Hyper-V host uses memory paging to ensure that a virtual
machine can start when there are not enough memory resources available to support startup, but enough
to support the virtual machine's minimum memory allocation.
Other improvements to Hyper-V include:
Resource Metering. Resource Metering allows administrators to track resource utilization of individual
virtual machines. You can enable resource metering on a per-virtual machine basis. Use PowerShell to
perform resource-metering operations.
Virtual Fibre Channel. Virtual Fibre Channel enables virtual machines to use a virtual Fibre Channel
host bus adapter (HBA) to connect to Fibre Channel resources on storage area networks (SANs). To
use Virtual Fibre Channel, the host Hyper-V server must have a compatible Fibre Channel HBA.
Live migration without shared storage. Hyper-V 3.0 supports live migration of virtual machines
between Hyper-V hosts, without requiring access to shared storage. For more information on live
migration, visit Module 9: Implementing Failover Clustering with Hyper-V.
New virtual hard disk format. Hyper-V 3.0 introduces the VHDX format. This disk format supports
larger virtual hard disks. It also includes a format that minimizes the chances of data loss during
unexpected power outages.
Server message block 3.0 (SMB 3.0) storage. Hyper-V 3.0 virtual machines can use virtual hard disks
stored on normal shared folders, as long as the folders are hosted on a server that supports the SMB
3.0 protocol.
Network virtualization. Network virtualization enables virtual machines to retain a static IP address
configuration when migrated to different Hyper-V hosts.
Prerequisites for Installing Hyper-V
Hyper-V on Windows Server 2012 requires that the host computer has an x64 processor which supports
Second Level Address Translation (SLAT). SLAT is a special technology that allows a processor to address
memory more efficiently.
The server that hosts the Hyper-V role needs a minimum of 4 GB of RAM. A virtual machine hosted on
Hyper-V in Windows Server 2012 can support a maximum of 1 terabyte of RAM and up to 32 virtual
processors.
When deciding on the server hardware in which you plan to install the Hyper-V role, you need to ensure
the following:
The server must have enough memory to support the memory requirements of all of the virtual machines
that must run concurrently. The server also must have enough memory to run the host Windows Server 2012
operating system.
Demonstration: Configuring Hyper-V Settings
It is necessary to start a traditionally deployed server to run this demonstration because you cannot run
Hyper-V from within a virtual machine.
Demonstration Steps
1.
Log on to LON-HOST1.
2.
3.
Virtual Machines
Physical GPUs
NUMA Spanning
Upgrading Your Skills to MCSA Windows Server 2012
Hyper-V Integration Services
Hyper-V Integration Services are a series of services that you can use with supported virtual-machine guest
operating systems. Supported operating systems can use Integration Services components and functionality
like Small Computer System Interface (SCSI) adapters and synthetic network adapters.
The virtual-machine guest operating systems that Hyper-V supports include:
Windows Home Server 2011
Windows MultiPoint Server 2011
CentOS 6.0-6.2
CentOS 5.5-5.7
Windows Vista with Service Pack 2
Windows XP with Service Pack 3
Additional Reading: Note that the Hyper-V support for the Windows XP operating system ends in April 2014,
and support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015. When available, a
link will be provided here to the list of supported Hyper-V virtual-machine guest operating systems on
Windows Server 2012.
You can install the Integration Services components on an operating system by clicking the Insert
Integration Services Setup Disk item on the Action menu in the Virtual Machine Connection window. After
this is done, you can install the relevant operating-system drivers either manually or automatically.
You can enable the following virtual-machine integration components:
Operating system shutdown. The Hyper-V server uses this component to initiate a graceful shutdown of the
guest virtual machine.
Data Exchange. The Hyper-V host uses this component to write data to the virtual machine's registry.
Best Practices for Configuring Hyper-V Hosts
There are several best practices that you should consider when provisioning Windows Server 2012 to
function as a Hyper-V host:
Deploy virtual machines on separate disks
Manage Hyper-V remotely
Provision the Host with Adequate Hardware
Perhaps the most important best practice is to ensure that the Hyper-V host is provisioned with adequate
hardware. You should ensure that there is appropriate processing capacity, an appropriate amount of RAM,
and fast and redundant storage. You should ensure that the Hyper-V host is provisioned with multiple
network cards that you configure as a team. If the Hyper-V host is not provisioned adequately with
hardware, this has an effect on the performance of all virtual machines that are hosted on the server.
Deploy Virtual Machines on Separate Disks
You should use separate disks to host virtual-machine files rather than having virtual-machine files stored
on the same disk as the host operating-system files. This minimizes contention and ensures that read/write
operations occurring on virtual machine files do not conflict with read/write operations occurring at the
host operating-system level. It also minimizes the chance that the virtual-machine hard disks will grow to
consume all available space on the operating-system volume. Performance considerations are lessened if
you deploy to a disk that uses striping, such as a RAID 1+0 array. If you are using shared storage, you can
provision multiple virtual machines on the same Logical Unit Number (LUN) if you utilize Cluster Shared
Volumes. However, choosing between separate LUNs for each virtual machine or a shared LUN depends
heavily on virtual machine workload and SAN hardware.
You should ensure that Hyper-V is the only server role deployed on the server. You should not colocate
the Hyper-V role with other roles, such as the Domain Controller or File Server role. Each role that you
deploy on a server requires resources, and when deploying Hyper-V, you want to ensure that the virtual
machines have access to as much of a host server's resources as possible. If it is necessary to locate these
roles on the same hardware, deploy these roles as virtual machines rather than installing them on the
physical host.
When you log on locally to a server, your logon session consumes server resources. By configuring a
Hyper-V server to be managed remotely and not performing administrative tasks by logging on locally,
you ensure that all possible resources on the Hyper-V host are available to the hosted virtual machines.
You also should restrict access to the Hyper-V server, so that only administrators responsible for the
management of virtual machines can make connections. A configuration error on a Hyper-V host can
cause downtime to all hosted virtual machines.
There are two main reasons to run Hyper-V using the Server Core configuration. The first reason is that
running Windows Server 2012 in the server core configuration minimizes hardware-resource utilization for
the host operating-system. Running the server in server core configuration means that there are more
hardware resources for the hosted virtual machines.
The second reason to run the Hyper-V server in server core configuration is that server core requires fewer
software updates, which in turn means fewer reboots. When you restart a Hyper-V host, all virtual
machines that the server hosts become unavailable when it is unavailable. Because a Hyper-V host can
host many critical servers as virtual machines, you want to ensure that you minimize downtime.
If you have enabled performance counters on the Hyper-V host, you can use the Best Practices Analyzer
to determine if there are any specific configuration issues that you should address. Enabling performance
counters does incur a slight cost to performance, so you should enable these only during periods when
you want to monitor server performance, rather than leaving them on permanently.
You can use Resource Metering, a new feature of Hyper-V 3.0, to monitor how hosted virtual machines
utilize server resources. You can use Resource Metering to determine if specific virtual machines are using
a disproportionate amount of a host server's resources. If the performance characteristics of one virtual
machine are having a deleterious effect on the performance of other virtual machines hosted on the same
server, you should consider migrating that virtual machine to another Hyper-V host.
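The two host checks described in the last two paragraphs (a Best Practices Analyzer scan of the Hyper-V role, and Resource Metering used to find virtual machines that take a disproportionate share of the host), combined into one review script as an added example that is not part of the course text. The 40% share threshold is an assumption; metering has to run for a while before Measure-VM returns useful averages.

```powershell
# Added example: Hyper-V host review with BPA and Resource Metering.
Import-Module BestPractices
Import-Module Hyper-V

# 1. Best Practices Analyzer: scan the Hyper-V model and list only the
#    findings that need action (warnings and errors).
$model = 'Microsoft/Windows/Hyper-V'
Invoke-BpaModel -ModelId $model | Out-Null
Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title | Format-Table -AutoSize -Wrap

# 2. Resource Metering: switch it on for every VM (it stays on and
#    accumulates until Disable-VMResourceMetering is run).
Get-VM | Enable-VMResourceMetering

# ... later, after a representative period of load, build the report.
$reports  = Get-VM | Measure-VM
$totalCpu = ($reports | Measure-Object -Property AverageProcessorUsage -Sum).Sum
$totalMem = ($reports | Measure-Object -Property AverageMemoryUsage -Sum).Sum
$shareLimit = 0.4      # assumed: flag any VM above 40% of the host-wide total

$review = foreach ($r in $reports) {
    $cpuShare = if ($totalCpu) { $r.AverageProcessorUsage / $totalCpu } else { 0 }
    $memShare = if ($totalMem) { $r.AverageMemoryUsage / $totalMem } else { 0 }
    [pscustomobject]@{
        VM        = $r.VMName
        AvgCpuMHz = $r.AverageProcessorUsage
        AvgMemMB  = $r.AverageMemoryUsage
        CpuShare  = '{0:P0}' -f $cpuShare
        MemShare  = '{0:P0}' -f $memShare
        # Candidates for migration to another host, per the best-practice text.
        Migrate   = ($cpuShare -gt $shareLimit -or $memShare -gt $shareLimit)
    }
}
$review | Sort-Object AvgCpuMHz -Descending | Format-Table -AutoSize
```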
Additional Reading: 7 Best Practices for Physical Servers Hosting Hyper-V Roles
http://technet.microsoft.com/en-us/magazine/dd744830.aspx
Lesson 2
Configuring Hyper-V Storage
Hyper-V provides many different virtual machine storage options. If you know which option is appropriate
for a given situation, you can ensure that a virtual machine performs well. But if you do not understand
the different virtual-machine storage options, you may end up deploying virtual hard disks that consume
unnecessary space or that place an unnecessary performance burden on the host Hyper-V server.
This lesson describes the different virtual hard disk types, the different virtual hard disk formats, and the
benefits and limitations of using virtual machine snapshots.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the properties of virtual hard disks in Hyper-V 3.0.
Select a virtual hard disk type.
Convert between virtual hard disk types.
Maintain virtual hard disks.
Determine where to deploy virtual hard disks.
The New-VHD Windows PowerShell cmdlet.
Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support booting to
virtual hard disk.
Comparing VHDX and VHD
VHDX allows larger block size for dynamic and differencing disks, which provides better performance for
these workloads.
Disk Types
When you configure a virtual hard disk, you can choose one of the following disk types:
Fixed
Dynamic
Pass-through
Differencing
When you create a fixed virtual hard disk, all of the hard-disk space is allocated during the creation
process. This has the advantage of minimizing fragmentation, which improves virtual hard disk performance
when they are hosted on traditional storage devices. However, a disadvantage is that it requires all of the
space that the virtual hard disk potentially can use to be allocated on the host partition. In many
situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed hard
disks, you may end up allocating space to storage that is not actually required.
To create a fixed virtual hard disk, perform the following steps:
1.
2.
In the Actions pane, click New, and then click Hard Disk.
3.
4.
On the Choose Disk Format page, select VHD or VHDX, and then click Next.
5.
On the Choose Disk Type page, click Fixed size, and then click Next.
6.
On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder
to host the virtual hard-disk file.
7.
Copy the contents of a specified physical disk. You can use this option to replicate an existing
physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the
disk that you have replicated. Replicating an existing physical hard disk does not alter data on the
existing disk.
Copy the contents of a specified virtual hard disk. You can use this option to create a new fixed
hard disk based on the contents of an existing virtual hard disk.
You can create a new fixed hard disk by using the New-VHD Windows PowerShell cmdlet with the -Fixed
parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes or on SSDs. Hyper-V improvements, since it was first introduced in Windows Server
2008, also minimize performance differences between dynamic and fixed virtual hard disks.
Dynamic Disks
When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and it grows as necessary. For example, if you create
a new virtual machine, and specify a dynamic disk, only a small amount of disk space is allocated to the
new disk.
This space is as follows:
Approximately 260 kilobytes (KB) for a VHD format virtual hard disk
As storage is allocated, such as when you deploy the operating system, the dynamic hard disk grows. If
you delete files from a dynamically expanding virtual hard disk, the virtual hard-disk file does not shrink.
You can only shrink a dynamically expanding virtual hard-disk file by performing a shrink operation.
Creating a dynamically expanding virtual hard disk is similar to creating a fixed disk. In the New Virtual
Hard Disk Wizard, on the Choose Disk Type page, select Dynamically expanding size instead of Fixed.
You can create a new dynamic hard disk by using the New-VHD Windows PowerShell cmdlet with the -Dynamic
parameter.
Pass-Through Disks
Virtual machines use the pass-through disks to access a physical disk drive, rather than use a virtual hard
disk. You can use pass-through disks to connect a virtual machine directly to an Internet SCSI (iSCSI) LUN.
When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do
this, you must use the host's disk management console to take the disk offline. After the disk is offline,
you can connect it to one of the virtual machine's disk controllers.
You can attach a pass-through disk by performing the following steps:
1.
2.
Use the Hyper-V Manager console to edit an existing virtual machine's properties.
3.
Click an Integrated Drive Electronics (IDE) or SCSI controller, click Add, and then click Hard Drive.
4.
In the Hard Drive dialog box, select Physical Hard Disk. In the drop-down list, select the disk that
you want to use as the pass-through disk.
Differencing disks
When you modify the parent disk, all linked differencing disks fail.
You can reconnect a differencing disk to the parent by using the Inspect Disk tool, available in the Actions
pane of the Hyper-V Manager console. You also can use the Inspect Disk tool to locate a differencing disk's
parent disk.
To create a differencing disk, follow these steps:
1.
2.
In the Actions pane, click New, and then click Hard Disk.
3.
4.
On the Choose Disk Format page, select VHD, and then click Next.
5.
On the Choose Disk Type page, select Differencing, and then click Next.
6.
On the Specify Name and Location page, provide the location of the parent hard disk, and then click
Finish.
You can create a differencing hard disk by using the New-VHD Windows PowerShell cmdlet. For example, to
create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, run
the following Windows PowerShell command:
New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd
Converting Disks
From time to time, it is necessary to perform maintenance operations on virtual hard disks. You can
perform the following maintenance operations on virtual hard disks:
Convert the disk from fixed to dynamic.
Convert the disk from dynamic to fixed.
Convert a virtual hard disk in VHD format to VHDX.
Convert a virtual hard disk in VHDX format to VHD.
When you convert a hard disk, the contents of the existing virtual hard disk are copied to a new virtual
hard disk that has the properties that you have chosen. To convert a virtual hard disk, perform the
following steps:
1.
In the Actions pane of the Hyper-V Manager console, click Edit Disk.
2.
On the Before You Begin page of the Edit Virtual Hard Disk Wizard, click Next.
3.
On the Local Virtual Hard Disk page, click Browse. Select the virtual hard disk that you wish to
convert.
4.
On the Choose Action page, select Convert, and then click Next.
5.
On the Convert Virtual Hard Disk page, select VHD or VHDX format. By default, the current disk
format is selected. Click Next.
6.
If you want to convert the disk from fixed to dynamic or dynamic to fixed, on the Convert Virtual
Hard Disk page, select Fixed Size or Dynamically Expanding. If you want to convert the hard disk
type, choose the appropriate type, and then click Next.
7.
On the Configure Disk page, select the destination location for the disk, click Next, and then click
Finish.
You can shrink a dynamic virtual hard disk that is not taking up all the space that is allocated to it. For
example, a dynamic virtual hard disk might be 60 GB on the parent volume, but only use 20 GB of that
space. You shrink a virtual hard disk by choosing the Compact option in the Edit Virtual Hard Disk Wizard.
You cannot shrink fixed virtual hard disks. You must convert a fixed virtual hard disk to dynamic before
you can compact the disk. You can use the Resize-Partition and the Resize-VHD Windows PowerShell
cmdlets to compact a dynamically expanding virtual hard disk.
You also can use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically
expanding and fixed virtual hard disks.
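The disk operations covered in this lesson (creating fixed, dynamic and differencing disks, inspecting a differencing disk's parent, converting between types and formats, compacting and expanding), carried through with the Hyper-V module as an added example that is not part of the course text. The D:\VHDs folder and the 20 GB and 40 GB sizes are assumptions.

```powershell
# Added example: virtual hard disk life cycle with the Hyper-V module.
Import-Module Hyper-V

$Base = 'D:\VHDs'                                   # assumed working folder
New-Item -ItemType Directory -Path $Base -Force | Out-Null

# Fixed: all 20 GB are written to the host volume at creation time.
$fixed = New-VHD -Path "$Base\fixed.vhdx" -SizeBytes 20GB -Fixed

# Dynamic: the file starts small and grows as the guest writes data.
$dyn = New-VHD -Path "$Base\dynamic.vhdx" -SizeBytes 20GB -Dynamic

# Differencing: a child that records only the blocks that differ from its parent.
$diff = New-VHD -Path "$Base\child.vhdx" -ParentPath $dyn.Path -Differencing

# Inspect Disk equivalent: type, format, file size on the host versus the size
# the guest sees, and (for the differencing disk) the parent it depends on.
Get-VHD -Path $fixed.Path, $dyn.Path, $diff.Path |
    Select-Object Path, VhdType, VhdFormat,
        @{ n = 'VirtualGB'; e = { $_.Size / 1GB } },
        @{ n = 'FileMB';    e = { [math]::Round($_.FileSize / 1MB) } },
        ParentPath |
    Format-Table -AutoSize

# Convert: contents are copied into a new file with the chosen type and format
# (here fixed VHDX to dynamic VHD; the original is left in place).
Convert-VHD -Path $fixed.Path -DestinationPath "$Base\fixed-as-dynamic.vhd" -VHDType Dynamic

# Compact a dynamic disk so that space freed inside the guest is returned to
# the host. The disk must not be attached to a running VM.
Optimize-VHD -Path $dyn.Path -Mode Full

# Expand: raise the maximum size of the dynamic disk to 40 GB (the guest
# partition still has to be extended afterwards).
Resize-VHD -Path $dyn.Path -SizeBytes 40GB

# A differencing disk is unusable once its parent changes or goes missing, so
# verify the chain before a VM that depends on it is started.
$child = Get-VHD -Path $diff.Path
if (-not (Test-Path -Path $child.ParentPath)) {
    throw "Parent of $($child.Path) is missing: $($child.ParentPath)"
}
```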
Demonstration Steps
1.
Use Windows Explorer to create the following folders on the physical host drive:
o
(Note: The drive letter may depend upon the number of drives on the physical host machine.)
2.
In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o
Name: LON-GUEST1.vhd
3.
Open Windows PowerShell, import the Hyper-V module, and then run the following command:
New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
4.
Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.
5.
Location Considerations of Virtual Hard Disks
A key factor when provisioning virtual machines is ensuring that virtual hard disks are placed correctly.
Virtual hard-disk performance can affect virtual machine performance dramatically. Servers that are
otherwise well provisioned with RAM and processor capacity can still experience bad performance if the
storage system is overwhelmed.
Consider the following factors when planning the location of virtual hard-disk files:
High-performance connection to the storage
Redundant storage
The volume that the virtual hard-disk files are stored on should be fault-tolerant. This should apply
whether the virtual hard disk is stored on a local disk or a remote SAN device. It is not uncommon for
hard disks to fail. Therefore, the virtual machine and the Hyper-V host should remain in operation after a
disk failure. Replacement of failed disks also should not affect the operation of the Hyper-V host or
virtual machines.
High-performance storage
The storage device on which you store virtual hard-disk files should have excellent I/O characteristics.
Many enterprises use SSD hybrid drives in RAID 1+0 arrays to achieve maximum performance and
redundancy. Multiple virtual machines that are running simultaneously on the same storage can place a
tremendous I/O burden on a disk subsystem. Therefore, you need to ensure that you choose
high-performance storage. If you do not, virtual machine performance suffers.
Storage on SMB 3 File Shares
Hyper-V supports storing virtual machine data, such as virtual-machine configuration files, snapshots, and
virtual hard-disk files, on SMB 3 file shares. The file share must support SMB 3. This limits placement of
virtual hard disks on file shares to those that are hosted on file servers that are running Windows Server
2012. Earlier Windows Server versions do not support SMB 3. You must ensure that network connectivity to
the file share is 1 GB or more.
SMB file shares provide an alternative to storing virtual-machine files on iSCSI or Fibre Channel SAN
devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network
share when choosing the virtual machine location and the virtual hard-disk location. You also can attach
disks stored on SMB 3 file shares. You can use both VHD and VHDX disks with SMB file shares.
Additional Reading: Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Snapshot Management in Hyper-V
Snapshot is an important technology that provides administrators with the ability to make a replica of a
virtual machine at a specific time. You can take snapshots when a virtual machine is shut down or running.
However, when you take a snapshot of a virtual machine that is running, the snapshot includes the contents
of the virtual machine's memory.
Taking a Snapshot
You can take a snapshot on the Actions pane of the Virtual Machine Connection window or in the Hyper-V
Manager console. Each virtual machine can have a maximum of 50 snapshots.
When taking snapshots of multiple virtual machines, you should take them at the same time. This ensures
synchronization of items such as computer-account passwords. Remember that when you revert to a
snapshot, you are reverting to a computer's state at that specific time. If you take a computer back to a
point before it performed a computer-password change with a domain controller, you will need to rejoin
that computer to the domain.
8-15
Sn
napshots are not
n a replacem
ment for backups. Snapshot d
data is stored o
on the same vvolume as the vvirtual
ha
ard disks. If the
e volume hostting these files fails, both thee snapshot and
d the virtual haard disk files are lost.
Yo
ou can perform
m a virtual machine export of
o a snapshot. When you exp
port the snapsshot, Hyper-V ccreates
fu
ull virtual hard disks that represent the statte of the virtuaal machine at tthe time that yyou took the
sn
napshot. If you
u choose to export an entire virtual machin
ne, all snapsho
ots associated with the virtuaal
machine
m
also arre exported.
Avhd files
When you create a snapshot, Hyper-V writes avhd files that store the data that differentiates the snapshot from either the previous snapshot or the parent virtual hard disk. When you delete snapshots, this data is discarded or merged into the previous snapshot or parent virtual hard disk. For example, if you delete the most recent snapshot of a virtual machine, the data is discarded. If you delete the second to last snapshot taken of a virtual machine, the data is merged so that the earlier and latter snapshot states of the virtual machine retain their integrity.
Managing Snapshots
When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time that the snapshot was taken. Reverting to a snapshot does not delete any existing snapshots. If you revert to a snapshot after making a configuration change, you are prompted to take a snapshot. It only is necessary to create a new snapshot if you want to return to that current configuration.
It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday, and Wednesday, applied the Tuesday snapshot, and then made changes to the virtual machine's configuration, you create a new branch that diverts from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50-snapshot limit per virtual machine.
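The snapshot practices described in this topic (take snapshots of related machines at the same moment, watch the 50-snapshot limit, remember that .avhd files share the volume with the parent disk, and export a snapshot when you need a real copy) carried into the Hyper-V module's cmdlets. This is an added example, not course material; it assumes the Windows Server 2012 Hyper-V module, and the snapshot prefix, export path and guest names are constructed values.

```powershell
Import-Module Hyper-V

function New-CoordinatedSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [string]$Prefix = 'PrePatch'           # constructed prefix for this example
    )
    # One name and one moment for the whole set: a domain controller and its members are
    # captured together, so reverting them together keeps computer-account passwords in step.
    $snapshotName = '{0}-{1}' -f $Prefix, (Get-Date -Format 'yyyyMMdd-HHmm')
    Checkpoint-VM -Name $VMName -SnapshotName $snapshotName
    return $snapshotName
}

function Get-SnapshotUsage {
    param([Parameter(Mandatory)][string[]]$VMName, [int]$Limit = 50)
    foreach ($vm in $VMName) {
        $snaps = @(Get-VMSnapshot -VMName $vm)
        # After a snapshot the guest writes to an .avhd on the same volume as the parent
        # VHD, which is why a snapshot is not a backup: one volume failure loses both.
        $disks = @(Get-VMHardDiskDrive -VMName $vm | Select-Object -ExpandProperty Path)
        [pscustomobject]@{
            VM           = $vm
            Snapshots    = $snaps.Count
            Remaining    = $Limit - $snaps.Count
            CurrentDisks = $disks -join ';'
            OnAvhd       = @($disks | Where-Object { $_ -match '\.avhdx?$' }).Count -gt 0
        }
    }
}

function Export-SnapshotAsBackup {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$SnapshotName,
        [Parameter(Mandatory)][string]$Path
    )
    # Exporting a snapshot writes full virtual hard disks for that point in time to another
    # location, which is what survives if the volume holding the VHD and .avhd files fails.
    $snap = Get-VMSnapshot -VMName $VMName -Name $SnapshotName
    Export-VMSnapshot -VMSnapshot $snap -Path $Path
}

# Usage with the demonstration's guest names and a constructed export path:
$name = New-CoordinatedSnapshot -VMName 'LON-GUEST1', 'LON-GUEST2'
Get-SnapshotUsage -VMName 'LON-GUEST1', 'LON-GUEST2' | Format-Table -AutoSize
Export-SnapshotAsBackup -VMName 'LON-GUEST1' -SnapshotName $name -Path 'F:\SnapshotExports'
```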
Virtual Fibre Channel adapters support port virtualization by exposing HBA ports in the guest operating system. This allows the virtual machine to access the SAN by using a standard World Wide Name (WWN) associated with the virtual machine.
You can deploy up to four virtual Fibre Channel adapters to each virtual machine.
Additional Reading: Hyper-V Virtual Fibre Channel Overview http://technet.microsoft.com/en-us/library/hh831413.aspx
Lesson 3
Configuring Hyper-V Networking
Hyper-V provides several different options for allowing network communication between virtual machines. You can use Hyper-V to configure virtual machines that communicate with an external network in a manner similar to physical hosts that you deploy traditionally. You also can use Hyper-V to configure virtual machines that are able to communicate only with a limited number of other virtual machines hosted on the same Windows Server 2012 Hyper-V host. This lesson describes the various options available for Hyper-V virtual networks, which you can leverage to best meet your organization's needs.
Lesson Objectives
After completing this lesson, you will be able to:
Describe virtual switches.
Configure a public and private switch.
Describe network virtualization.
What's New in Hyper-V Networking?
There are several new features in Hyper-V 3.0 networking that improve the network performance of a large number of virtual machines in private and public cloud environments. In most cases, you should use the default settings in small scale deployments.
The new features in Hyper-V 3.0 networking include:
Network virtualization. This feature enables IP addresses to be virtualized in hosting environments so that virtual machines migrated to the host can keep their original IP address rather than being allocated an IP address on the Hyper-V server's network.
Bandwidth management. You can use this feature to specify a minimum and a maximum bandwidth to be allocated to the adapter by Hyper-V. Hyper-V reserves the minimum bandwidth allocation for the network adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are functioning at capacity.
IP security (IPsec) task offloading. This feature requires that the guest operating system and network adapter are supported. This feature enables the host's network adapter to perform calculation-intensive security-association tasks. If sufficient hardware resources are not available, the guest operating system performs these tasks. You can configure a maximum number of offloaded security associations between a range of one and 4,096. This feature is supported only on synthetic network adapters.
What Is a Hyper-V Virtual Switch?
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager, which enables you to create three types of virtual switches. The virtual switches control how the network traffic flows between virtual machines hosted on the Hyper-V server, as well as how the network traffic flows between virtual machines and the rest of the organizational network.
Hyper-V on Windows Server 2012 supports the three types of virtual switches that the following table details.
Type: External
Description: You use this type of switch to map a network to a specific network adapter or network-adapter team. Windows Server 2012 supports mapping an external network to a wireless network adapter, if you have installed the Wireless LAN Service on the host Hyper-V server, and the Hyper-V server has a compatible adapter.
Type: Internal
Description: You use internal virtual switches to communicate between the virtual machines on the Hyper-V host and to communicate between the virtual machines and the Hyper-V host itself.
Type: Private
When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with the network. You can use this to extend existing VLANs on the external network to VLANs within the Hyper-V host's network switch. You can use VLANs to partition network traffic. VLANs function as separate logical networks. Traffic can pass only from one VLAN to another if it passes through a router.
You can configure the following extensions for each virtual switch type:
Microsoft Windows Filtering Platform. This extension allows filtering of data travelling across the virtual switch.
Demonstration: Configuring Hyper-V Networking
In this demonstration, you will see how to create two types of virtual network switches.
Demonstration Steps
1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
o Name: Corporate Network
2. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties.
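The same three switch types, plus the per-adapter VLAN, bandwidth-reservation, VMQ and IPsec-offload settings from the "What's New" and virtual switch topics, scripted with the Hyper-V module. This is an added example, not part of the demonstration; it assumes Windows Server 2012, and the physical adapter name, VLAN ID 4, the guest name and the bandwidth and security-association figures are constructed values.

```powershell
Import-Module Hyper-V

function New-DemoSwitches {
    param([string]$PhysicalAdapter = 'Ethernet')   # constructed NIC name; see Get-NetAdapter
    # External: bound to a physical NIC. Absolute minimum-bandwidth mode makes the
    # per-adapter reservations applied below count in bits per second.
    if (-not (Get-VMSwitch -Name 'Corporate Network' -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name 'Corporate Network' -NetAdapterName $PhysicalAdapter `
            -AllowManagementOS $true -MinimumBandwidthMode Absolute | Out-Null
    }
    # Internal: guests reach each other and the host. Private: guests only; the host is not on it.
    $others = @(
        @{ Name = 'Internal Network'; Type = 'Internal' },
        @{ Name = 'Private Network';  Type = 'Private' }
    )
    foreach ($def in $others) {
        if (-not (Get-VMSwitch -Name $def.Name -ErrorAction SilentlyContinue)) {
            New-VMSwitch -Name $def.Name -SwitchType $def.Type | Out-Null
        }
    }
    Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
}

function Set-GuestNetworkPolicy {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$SwitchName = 'Corporate Network',
        [int]$VlanId = 4,
        [long]$MinBitsPerSecond = 100000000,   # ~100 Mbit/s kept for this guest even when
                                               # neighbouring adapters run at capacity
        [long]$MaxBitsPerSecond = 1000000000,  # 1 Gbit/s ceiling for this guest
        [int]$MaxIPsecSA = 512                 # offloaded security associations, range 1..4096
    )
    Connect-VMNetworkAdapter -VMName $VMName -SwitchName $SwitchName
    # Access mode on VLAN 4: the external switch extends VLAN 4 from the physical network
    # into the host, and traffic leaves that VLAN only through a router.
    Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $VlanId
    $settings = @{
        MinimumBandwidthAbsolute               = $MinBitsPerSecond
        MaximumBandwidth                       = $MaxBitsPerSecond
        VmqWeight                              = 100   # let a VMQ-capable NIC filter frames to this guest
        IPsecOffloadMaximumSecurityAssociation = $MaxIPsecSA
    }
    Set-VMNetworkAdapter -VMName $VMName @settings
    Get-VMNetworkAdapter -VMName $VMName | Select-Object VMName, SwitchName, BandwidthSetting, VmqWeight
    Get-VMNetworkAdapterVlan -VMName $VMName
}

# Usage (constructed guest name):
New-DemoSwitches -PhysicalAdapter 'Ethernet' | Format-Table -AutoSize
Set-GuestNetworkPolicy -VMName 'LON-GUEST2'
```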
What Is Network Virtualization?
You can use network virtualization to isolate virtual machines from different organizations, even if they share the same Hyper-V host. For example, you might be providing Infrastructure as a Service (IaaS) to competing businesses. You can use network virtualization to go beyond assigning these virtual machines to separate VLANs as a way of isolating network traffic.
Network virtualization is a technology that you would deploy primarily in scenarios where you use Hyper-V to host virtual machines for third-party organizations. Network virtualization has the advantage that you can configure all network isolation on the Hyper-V host. With VLANs, it also is necessary to configure switches with the appropriate VLAN IDs.
When you configure network virtualization, each guest virtual machine has two IP addresses, which work as follows:
Customer IP address. The customer assigns this IP address to the virtual machine. You can configure this IP address so that communication with the customer's internal network can occur even though the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP network. Using the ipconfig command on the virtual machine shows the customer IP address.
You can use network virtualization to host multiple machines that use the same customer address, such as 192.168.15.101, on the same Hyper-V host. When you do this, the virtual machines are assigned different IP addresses by the hosting provider, though this address will not be apparent from within the virtual machine.
You manage network virtualization by using PowerShell cmdlets. All Network Virtualization cmdlets are in the NetWNV PowerShell module. Tenants gain access to virtual machines that take advantage of network virtualization through routing and remote access. They make a tunneled connection from their network through to the virtualized network on the Hyper-V server.
Additional Reading: Hyper-V Network Virtualization Overview http://technet.microsoft.com/en-us/library/hh831395.aspx
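The two-address model above, expressed with the NetWNV cmdlets: two tenants' guests both use the customer address 192.168.15.101 from the text, and the host maps each to its own provider address inside a separate virtual subnet. This is an added example, not course material; the provider addresses, virtual subnet IDs, MAC addresses, tenant GUIDs, guest names and the physical adapter name are constructed values, and the guest adapter MACs must match what Get-VMNetworkAdapter reports.

```powershell
Import-Module Hyper-V
Import-Module NetWNV

# Constructed tenant table: identical customer address (CA), distinct provider address (PA)
# and virtual subnet ID (VSID), so the two guests never see each other's traffic.
$Tenants = @(
    @{ VM = 'TENANT-A-WEB'; CA = '192.168.15.101'; PA = '10.0.0.11'; VSID = 5001
       MAC = '00155D0A0001'; Id = '{0A0A0A0A-0000-0000-0000-000000000001}' },
    @{ VM = 'TENANT-B-WEB'; CA = '192.168.15.101'; PA = '10.0.0.12'; VSID = 5002
       MAC = '00155D0B0001'; Id = '{0B0B0B0B-0000-0000-0000-000000000002}' }
)

function Enable-HostNetworkVirtualization {
    param([Parameter(Mandatory)][string]$PhysicalAdapter)
    # The network virtualization filter must be bound to the NIC that carries PA traffic.
    Enable-NetAdapterBinding -Name $PhysicalAdapter -ComponentID ms_netwnv
    return (Get-NetAdapter -Name $PhysicalAdapter).ifIndex
}

function Register-TenantAddresses {
    param(
        [Parameter(Mandatory)][hashtable[]]$Tenant,
        [Parameter(Mandatory)][int]$InterfaceIndex
    )
    foreach ($t in $Tenant) {
        # PA: the address the hosting provider's fabric routes. The guest never sees it.
        if (-not (Get-NetVirtualizationProviderAddress -ProviderAddress $t.PA -ErrorAction SilentlyContinue)) {
            New-NetVirtualizationProviderAddress -ProviderAddress $t.PA `
                -InterfaceIndex $InterfaceIndex -PrefixLength 24 | Out-Null
        }
        # CA -> PA mapping scoped by VSID, which is what lets one CA exist twice on this host.
        New-NetVirtualizationLookupRecord -CustomerAddress $t.CA -ProviderAddress $t.PA `
            -VirtualSubnetID $t.VSID -MACAddress $t.MAC -Rule TranslationMethodEncap `
            -CustomerID $t.Id | Out-Null
        # Tag the guest's adapter with its tenant subnet; ipconfig inside the guest still shows the CA.
        Set-VMNetworkAdapter -VMName $t.VM -VirtualSubnetId $t.VSID
    }
    Get-NetVirtualizationLookupRecord |
        Select-Object CustomerAddress, ProviderAddress, VirtualSubnetID, CustomerID
}

# Usage (constructed adapter name):
$ifIndex = Enable-HostNetworkVirtualization -PhysicalAdapter 'Ethernet'
Register-TenantAddresses -Tenant $Tenants -InterfaceIndex $ifIndex | Format-Table -AutoSize
```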
Best Practices for Configuring Virtual Networks
Best practices with respect to configuring virtual networks typically revolve around ensuring that virtual machines are provisioned with adequate bandwidth. You do not want to have the performance on all virtual machines affected if a bandwidth-intensive operation, such as a large file copy or website traffic spike, occurs on one virtual machine on the same host.
The following general best practices apply to configuring virtual networks:
Considerations for Virtual Machine Queue. You should provision the Hyper-V host with an adapter
that supports Virtual Machine Queue. Virtual Machine Queue uses hardware-packet filtering to
deliver network traffic directly to the virtual machine. This improves performance because the packet
does not need to be copied from the host operating system to the virtual machine. When you do not
configure virtual machines to support Virtual Machine Queue, the host operating system can become
a bottleneck when it processes large amounts of network traffic.
Lesson 4
When planning a server-virtualization strategy, you need to know what you can and cannot accomplish when you are using Windows Server 2012 as a virtual machine host.
In this lesson, you will learn about Hyper-V, the hardware requirements for deploying Hyper-V on a computer running Windows Server 2012, the different components of a virtual machine, and the benefits of virtual machine Integration Services. You also will learn how to measure virtual machine resource use with Windows PowerShell cmdlets.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the hardware and management options in virtual machine settings.
Describe how dynamic memory works in Hyper-V.
Import, export, and move virtual machines in Hyper-V.
Describe the best practices for configuring virtual networks.
Overview of Virtual Machine Settings
Virtual machine settings are grouped into two general areas: Hardware and Management.
Hardware
Virtual machines use simulated hardware. The hypervisor uses this virtual hardware to mediate access to actual hardware. For example, you can map a virtual network adapter to a virtual network that, in turn, maps to an actual network interface.
Virtual machines have the following hardware, by default:
Memory. You can allocate memory resources to the virtual machine. An individual virtual machine can allocate as much as 1 terabyte of memory.
Processor. You can allocate processor resources to the virtual machine. You can allocate up to 32 virtual processors to a single virtual machine.
SCSI Controller. You can use SCSI controllers only on virtual machines that you deploy with operating
systems that support Integration Services.
Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual-machine guest operating systems.
COM port. A COM port enables connections to a simulated serial port on the virtual machine.
Diskette Drive. You can map a .vhd floppy disk image to a virtual diskette drive.
You can add the following hardware to a virtual machine by editing the virtual machine's properties, and
clicking on Add Hardware:
SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.
Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters.
Legacy network adapter. Legacy network adapters allow network adapters to be used with operating
systems that do not support Integration Services. You also can use legacy network adapters to allow
network deployment of operating-system images. A single virtual machine can have up to four legacy
network adapters.
Fibre Channel Adapter. Allows a virtual machine to connect directly to a Fibre Channel SAN. This
requires that the Hyper-V host have a Fibre Channel HBA that also has a Windows Server 2012 driver
that supports Virtual Fibre Channel.
RemoteFX 3D Adapter. The RemoteFX 3D Adapter allows virtual machines to take advantage of
DirectX and graphics processing power on the host Windows Server 2012 server to display high
performance graphics.
Management
You can use Management settings to configure how the virtual machine behaves on the Hyper-V host.
You can configure the following virtual-machine management settings:
Name. You can use this setting to configure the virtual machine's name on the Hyper-V host. This
does not alter the virtual machine's hostname.
Integration Services. You can use this setting to configure which virtual-machine integration settings
are enabled.
Snapshot File Location. You can use this setting to specify a location for storing virtual-machine
snapshots.
Smart Paging File Location. The location used when smart paging is required to start the virtual
machine.
Automatic Start Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is powered on.
Automatic Stop Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is gracefully shut down.
How Dynamic Memory Works in Hyper-V
In the first release of Hyper-V with Windows Server 2008, virtual machines only could be assigned a static amount of memory. Unless you took special precautions to measure the precise amount of memory that a virtual machine requires, you were likely to under-allocate or over-allocate memory.
Windows Server 2008 R2 SP1 introduced dynamic memory, which you can use to allocate a minimum amount of memory to a virtual machine. You then can allow the virtual machine to request additional memory, as necessary.
Rather than attempting to guess how much memory a virtual machine requires, dynamic memory allows you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a minimum value, which will always be allocated to the virtual machine. You can choose a maximum value, which the virtual machine will not exceed, even if more memory is requested. Virtual machines must support Hyper-V Integration Services to be able to use dynamic memory.
With Windows Server 2012, you can modify dynamic memory settings while the virtual machine is running. This was not possible in Windows Server 2008 R2 SP1.
Smart Paging
Demonstration: Creating a Virtual Machine
In this demonstration, you will see how to create a virtual machine by using the traditional method of using the Hyper-V Manager console. You also will see how you can automate the process by using Windows PowerShell.
Demonstration Steps
1.
o Name: LON-GUEST1
o Memory: 1024 MB
o Use Dynamic Memory: Yes
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the path contains spaces, so it must be quoted):
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
3.
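The demonstration's PowerShell step carried further, as an added example that is not part of the course: the differencing disk is created from the sysprepped base, the guest is built on it, dynamic memory is given an explicit minimum and maximum, and the Management settings from the Overview of Virtual Machine Settings topic are set in one pass. Paths and names are the course's; the memory floor and ceiling and the start/stop actions are constructed for this example.

```powershell
Import-Module Hyper-V

function New-DemoGuest {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentVhd,
        [Parameter(Mandatory)][string]$DiskPath,
        [string]$Switch = 'Private Network'
    )
    # Differencing disk: saves space, but every guest built on the same parent competes
    # for that parent's I/O (the best-practice topic warns about exactly this trade-off).
    New-Item -ItemType Directory -Path (Split-Path $DiskPath) -Force | Out-Null
    New-VHD -Path $DiskPath -ParentPath $ParentVhd -Differencing | Out-Null
    $parent = (Get-VHD -Path $DiskPath).ParentPath
    if ($parent -ne $ParentVhd) { throw "Differencing disk parent mismatch: $parent" }

    New-VM -Name $Name -MemoryStartupBytes 1024MB -VHDPath $DiskPath -SwitchName $Switch | Out-Null

    # Dynamic memory: 512 MB is always held for the guest, it may grow to 4 GB and never
    # beyond. Requires Integration Services in the guest; adjustable while running on 2012.
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true `
        -MinimumBytes 512MB -StartupBytes 1024MB -MaximumBytes 4GB

    # Management settings: snapshot and smart-paging files beside the disk, resume the
    # guest if it was running at host start, clean shutdown when the host shuts down.
    $folder = Split-Path $DiskPath
    Set-VM -Name $Name -SnapshotFileLocation $folder -SmartPagingFilePath $folder `
        -AutomaticStartAction StartIfRunning -AutomaticStopAction ShutDown

    Get-VM -Name $Name |
        Select-Object Name, State, DynamicMemoryEnabled, MemoryMinimum, MemoryStartup, MemoryMaximum
}

# Usage with the course's paths:
New-DemoGuest -Name 'LON-GUEST2' `
    -ParentVhd 'E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd' `
    -DiskPath  'E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd' |
    Format-List
```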
Importing, Exporting, and Moving Virtual Machines in Hyper-V
You can use the import and export functionalities in Hyper-V to transfer virtual machines between Hyper-V hosts and create point-in-time backups of virtual machines.
Importing Virtual Machines
The virtual machine import feature in Windows Server 2012 provides more detailed information than previous Hyper-V versions featured. You can use this information to identify configuration problems such as missing hard disks or virtual switches. This was more difficult to determine in Windows Server 2008 and Windows Server 2008 R2.
In Hyper-V 3.0, you can import virtual machines from copies of virtual machine configuration, snapshot, and virtual hard-disk files rather than specially exported virtual machines. This is beneficial in recovery situations where the operating-system volume might have failed but the virtual machine files remain intact.
To import a virtual machine by using Hyper-V Manager, perform the following general steps:
1.
2.
3.
4. On the Select Virtual Machine page, select the virtual machine that you want to import, and then click Next.
5. On the Choose Import Type page, choose from the following options:
o Register the virtual machine in-place (use the existing unique ID)
Export a snapshot. You can do this by right-clicking the snapshot in the Hyper-V manager console,
and then selecting Export. This enables you to create an exported virtual machine as it existed at the
point that the snapshot was created. The exported virtual machine will have no snapshots.
Export Virtual Machine with Snapshot. You can do this by selecting the virtual machine, and then
clicking Export. This exports the virtual machine and all snapshots associated with the virtual
machine.
Exporting a virtual machine does not affect the existing virtual machine. However, you cannot import
the virtual machine again unless you use the Copy the Virtual Machine option, which creates a new
unique ID.
You can export virtual machines by using the Export-VM cmdlet.
You can perform two types of moves by using the Hyper-V move function: a live migration and a move of
the actual virtual machine.
You can move virtual machines from one Hyper-V 3.0 server to another if you have enabled live
migrations. Live migration of virtual machines occurs when you move a virtual machine from one host
to another while keeping the virtual machine online and available to clients. For more information on
migrating virtual machines, visit Module 9: Implementing Failover Clustering with Hyper-V.
You can use the move functionality to move some or all of the virtual-machine files to a different location.
For example, if you want to move the virtual machines from one volume to an SMB share, while keeping
the virtual machine hosted in the same location, you have the following options:
Move all the virtual machine's data to a single location. This moves all configuration files, snapshots,
and virtual hard-disk files to the destination location.
Move the virtual machine's data to different locations. This moves the virtual machines configuration
files, snapshots, and virtual hard disks to separate locations.
Move the virtual machine's virtual hard disks. This moves the hard disks to a separate location, while
keeping the snapshot and configuration files in the same location.
You can move virtual machines in PowerShell by using the Move-VM cmdlet.
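The export, import and move options described above with the Export-VM, Import-VM, Move-VM and Move-VMStorage cmdlets. This is an added example, not course material; it assumes the Windows Server 2012 Hyper-V module, and the export folder, SMB share path and destination host name are constructed values.

```powershell
Import-Module Hyper-V

function Export-GuestCopy {
    param([Parameter(Mandatory)][string]$VMName, [string]$ExportRoot = 'E:\Exports')
    # Export leaves the source VM registered and untouched; all of its snapshots go with it.
    Export-VM -Name $VMName -Path $ExportRoot
    # Import later reads the configuration XML under <ExportRoot>\<VMName>\Virtual Machines.
    Get-ChildItem -Path (Join-Path $ExportRoot "$VMName\Virtual Machines") -Filter *.xml |
        Select-Object -First 1 -ExpandProperty FullName
}

function Import-GuestAsClone {
    param([Parameter(Mandatory)][string]$ConfigXml, [Parameter(Mandatory)][string]$DestRoot)
    # While the original is still registered, the only import that succeeds is
    # "Copy the virtual machine": duplicate the files and give the copy a new unique ID.
    # Omitting -Copy and -GenerateNewId is "Register the virtual machine in-place".
    Import-VM -Path $ConfigXml -Copy -GenerateNewId `
        -VirtualMachinePath $DestRoot -VhdDestinationPath (Join-Path $DestRoot 'Virtual Hard Disks')
}

function Move-GuestToShare {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$SharePath)
    # "Move all the virtual machine's data to a single location": configuration, snapshots
    # and disks all go to the share; the VM stays hosted here. Share must be SMB 3.
    Move-VMStorage -VMName $VMName -DestinationStoragePath $SharePath
}

function Move-GuestDisksOnly {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$SharePath)
    # "Move the virtual machine's virtual hard disks": only the disk files move; snapshot
    # and configuration files stay where they are.
    $moves = foreach ($d in Get-VMHardDiskDrive -VMName $VMName) {
        @{ SourceFilePath = $d.Path; DestinationFilePath = Join-Path $SharePath (Split-Path $d.Path -Leaf) }
    }
    Move-VMStorage -VMName $VMName -VHDs $moves
    Get-VMHardDiskDrive -VMName $VMName | Select-Object -ExpandProperty Path
}

function Move-GuestLive {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$DestinationHost)
    # Live migration between two Hyper-V 3.0 hosts; both must have migration enabled
    # (Enable-VMMigration) and the guest stays online for its clients throughout.
    Move-VM -Name $VMName -DestinationHost $DestinationHost
}

# Usage (constructed paths and host name):
$xml = Export-GuestCopy -VMName 'LON-GUEST2'
Import-GuestAsClone -ConfigXml $xml -DestRoot 'E:\Clones\LON-GUEST2-copy'
Move-GuestDisksOnly -VMName 'LON-GUEST2' -SharePath '\\LON-SVR1\VMs'
```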
Best Practices for Configuring Virtual Machines
When creating new virtual machines, keep the following best practices in mind:
Avoid differencing disks. Differencing disks reduce the amount of space required, but decrease performance as multiple virtual machines access the same parent virtual hard disk file.
As one of the senior network administrators at A. Datum, you are responsible for implementing Hyper-V
in the London data center. You will deploy the Hyper-V server role, configure virtual machine storage and
networking, and deploy the virtual machines.
Objectives
After performing this lab you will be able to:
Lab Setup
Estimated time: 60 minutes
Virtual Machine(s): 20417A-LON-HOST1 or 20417A-LON-HOST2
User Name: Adatum\Administrator
Password: Pa$$w0rd
Restart the classroom computer and in Windows Boot Manager, select 20417A-LON-HOST1 or
20417A-LON-HOST2. Your instructor will specify which host to log on to.
2.
Account: Adatum\Administrator
Password: Pa$$w0rd
2.
3.
Restart the classroom computer, and in the Windows Boot Manager, select either
20417A-LON-HOST1 or 20417A-LON-HOST2.
If you start LON-HOST1, your partner must start LON-HOST2.
2.
3.
Account: Adatum\Administrator
Password: Pa$$w0rd
In Server Manager, click Local Server, and then configure the following network settings:
o LON-HOST1: 172.16.0.31
o LON-HOST2: 172.16.0.32
2.
In Server Manager, use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1
or LON-HOST2 with the following options:
o
After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
restart several times.
2.
3. Open the Hyper-V Manager console, and then click LON-HOST1 or LON-HOST2.
4. Open the Hyper-V settings, and then configure or verify the following settings:
5.
Question: What additional features are required to support the Hyper-V role?
Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
After installing the Hyper-V server role on the new server, you need to configure the virtual networks you
are your manager specifies. You need to create a network that connects to the physical network and a
private network that you can use only for communication between virtual machines. The private network
is used when virtual machines are configured for high availability. You also need to configure a specific
range of media access control (MAC) addresses for the virtual machines.
The main tasks for this exercise are as follows:
1.
2.
3.
In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
o External Network: Mapped to the host computer's physical network adapter. Will vary depending on host computer.
2. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties.
o
In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties:
o
Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.
To minimize disk space use at the cost of performance, you are going to create two differencing files
based on the sysprepped VHD. You use these differencing files as the hard-disk files for the new virtual
machines.
You also will import a specially prepared virtual machine.
2.
3.
4.
5.
6.
Use Windows Explorer to create the following folders on the physical host drive:
o
Note: The drive letter may depend upon the number of drives on the physical host machine.
2.
3.
In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Name: LON-GUEST1.vhd
Open Windows PowerShell, import the Hyper-V module, and then run the following command (both paths contain spaces and must be quoted; -ParentPath makes the new disk a differencing disk):
New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" `
    -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd" -Differencing
4.
5.
Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files
\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.
Use the Hyper-V Manager console to create a virtual machine with the following properties:
o Name: LON-GUEST1
o Memory: 1024 MB
2.
Open Windows PowerShell, import the Hyper-V module, and then run the following command (the path contains spaces and must be quoted):
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB `
    -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
3.
Use the Hyper-V Manager console, and then edit the settings of LON-GUEST2. Configure the
following:
o
1.
In Hyper-V Manager, use Virtual Switch Manager to configure the Internal Network virtual switch
to use a VLAN ID of 4.
2.
VLAN ID: 4
Question: What kind of switch would you create if you added a new physical network
adapter to the Hyper-V host and wanted to keep this separate from the existing networks
you create during this exercise?
2.
If you are using LON-HOST1, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B.
If you are using LON-HOST2, use the Hyper-V Manager console to import the virtual machine
E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B.
When importing, select the Register the virtual machine in-place option.
Edit the properties of virtual machine LON-GUEST2, and then configure the following settings:
o
If you are using LON-HOST1, start and then log on to 20417A-LON-DC1-B. If you are using LON-HOST2, log on to virtual machine 20417A-LON-SVR1-B.
2.
Sydney
Melbourne
Brisbane
3.
4.
Sydney
Brisbane
5.
6.
7.
Sydney
Melbourne
Brisbane
Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
When you have finished the lab, leave the virtual machines running, as they are needed for the lab in Module 9.
Troubleshooting Tip
You have 10 servers that run Windows Server 2008 with Hyper-V. You are planning to upgrade these
servers to Windows Server 2012 and want them to continue to run the Hyper-V role. What technology
should you verify that the processor supports before performing the upgrade?
Tools
Module 9
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview
Module Overview
One benefit of implementing server virtualization is the opportunity to provide high availability, both
for applications or services that have built-in high availability functionality, and for applications or
services that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V
technology, failover clustering, and Microsoft System Center 2012 Virtual Machine Manager (VMM), you
can configure high availability by using several different options.
In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve
high availability for a virtual environment. You also will learn about basic features of virtual machines.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of the Integration of Hyper-V with Failover Clustering
Failover clustering is a Windows Server 2012 feature that enables you to make applications or services highly available. To make virtual machines highly available in a Hyper-V environment, you must implement failover clustering on the Hyper-V host computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how failover clustering works with Hyper-V nodes.
Describe new features of failover clustering for Hyper-V.
Options for Making Virtual Machines Highly Available
Most organizations have some applications that are business critical and must be highly available. To make an application highly available, you must deploy it in an environment that provides redundancy for all components that the application requires. For virtual machines to be highly available, you can choose between several options. You can implement a virtual machine as a clustered role (host clustering), you can implement clustering inside virtual machines (guest clustering), or you can use Network Load Balancing (NLB) inside virtual machines.
Host Clustering
Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource. Failover protection is implemented at the host server level. This means that the guest operating system and applications that are running within the virtual machine do not have to be cluster-aware. However, the virtual machine is still highly available. Some examples of non-cluster-aware applications are a File Server or Print Server, or perhaps a proprietary network-based application, such as an accounting application. Should the host node that controls the virtual machine unexpectedly become unavailable, the secondary host node takes control and restarts the virtual machine as quickly as possible. You can also move the virtual machine from one node in the cluster to another in a controlled manner. For example, you could move the virtual machine from one node to another while patching the host operating system.
, and the applications or services that are running in the virtual machine, do not have to be compatible with failover clustering nor are they aware that the virtual machine is clustered. Because the failover is at the virtual machine level, there are no dependencies on software that is installed inside the virtual machine.
Guest Clustering
Guest failover clustering is configured very similarly to physical server failover clustering, except that
the cluster nodes must include multiple virtual machines. In this scenario, you create two or more virtual
machines, and enable failover clustering within the guest operating system. The application or service is
then enabled for high availability between the virtual machines by using failover clustering in each virtual
machine. Because failover clustering is implemented within each virtual machine node's guest operating
system, you can locate the virtual machines on a single host. This can be a quick and cost-effective
configuration in a test or staging environment.
For production environments however, you can more robustly protect the application or service if
you deploy the virtual machines on separate failover clustering enabled Hyper-V host computers. With
failover clustering implemented both at the host and virtual machine levels, the resource can be restarted
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual
machines running mission-critical applications in a production environment.
You should consider several factors when you implement guest clustering:
The application or service must be failover cluster-aware. This includes any of the Windows Server
2012 services that are cluster-aware, and any applications, such as clustered Microsoft SQL Server and
Microsoft Exchange Server.
Hyper-V virtual machines can use fiber channel-based connections to shared storage (this is specific
only to Microsoft Hyper-V Server 2012), or you can implement iSCSI connections from the virtual
machines to the shared storage.
You should deploy multiple network adapters on the host computers and the virtual machines. Ideally,
you should dedicate a network connection to the iSCSI connection (if you are using this method to
connect to storage), to the private network between the hosts, and to the network connection that the
client computers use.
NLB works with virtual machines in the same manner that it works with physical hosts. It distributes IP
traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the
NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to
access the cluster by using a virtual host name or a virtual IP address. From the client computer's point
of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic
increases, you can add another server into the cluster.
Therefore, NLB is an appropriate solution for resources that do not have to accommodate exclusive read
or write requests. Examples of NLB-appropriate applications would be web-based front ends to database
applications or Exchange Server Client Access Servers.
When you configure an NLB cluster, you must install and configure the application on all virtual machines.
After you configure the application, you install the network load balancing feature in Windows Server
2012 within each virtual machine's guest operating system (not on the Hyper-V hosts), and then
configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, so that
the Guest operating system is not limited to only Windows Server 2012. Similar to a Guest Cluster Across
Hosts, the NLB resource typically benefits from overall increased I/O performance when the virtual
machine nodes are located on different Hyper-V hosts.
Note: As with earlier versions of Windows Server, you should not implement NLB and
failover clustering within the same operating system because the two technologies conflict with
one another.
When you implement failover clustering and configure virtual machines as highly available resources, the
failover cluster treats the virtual machines like any other application or service. Namely, if there is host
failure, failover clustering will act to restore access to the virtual machine as quickly as possible on another
host in the cluster. Only one node at a time runs the virtual machine. However, you can also move the
virtual machine to any other node in the same cluster.
The failover process transfers the responsibility of providing access to resources in a cluster from one node
to another. Failover can occur when an administrator intentionally moves resources to another node for
maintenance or other reasons, or when unplanned downtime of one node occurs because of hardware
failure or other reasons.
The failover process consists of the following steps:
1. The node where the virtual machine is running owns the clustered instance of the virtual machine, controls access to the shared bus or iSCSI connection to the cluster storage, and has ownership of any disks, or Logical Unit Numbers (LUNs), assigned to the virtual machine. All the nodes in the cluster use a private network to send regular signals, known as heartbeat signals, to one another. The heartbeat signals that a node is functioning and communicating on the network. The default heartbeat configuration specifies that each node send a heartbeat over TCP/UDP port 3343 each second (or 1000 milliseconds).
2. Failover starts when the node hosting the virtual machine does not send regular heartbeat signals over the network to the other nodes. By default, this is five consecutively missed heartbeats (or 5000 milliseconds elapses). Failover may occur because of a node failure or network failure.
3. When heartbeat signals stop arriving from the failed node, one of the other nodes in the cluster begins taking over the resources that the virtual machines use. You define the node(s) that could take over by configuring the Preferred and Possible Owners properties. The Preferred Owner specifies the hierarchy of ownership if there is more than one possible failover node for a resource. By default all nodes are members of Possible Owners. Therefore, removing a node as a Possible Owner absolutely excludes it from taking over the resource in a failure situation. Suppose that a failover cluster is implemented by using four nodes. However, only two nodes are configured as Possible Owners. In a failover event, the resource might still be taken over by the third node if neither of the Preferred Owners is online. Although the fourth node is not configured as a Preferred Owner, as long as it remains a member of Possible Owners, the failover cluster uses it to restore access to the resource if necessary. Resources are brought online in order of dependency. For example, if the virtual machine references an iSCSI LUN, access to the appropriate host bus adapters (HBAs), network(s) and LUNs will be restored in that order. Failover is complete when all the resources are online on the new node. For clients interacting with the resource, there is a short service interruption, which most users might not notice.
4. You can also configure the cluster service to fail back to the offline node after it again becomes active. When the cluster service fails back, it uses the same procedures that it performs during failover. This means that the cluster service takes all the resources associated with that instance offline, moves the instance, and then brings all the resources in the instance back online.
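The heartbeat and owner settings described in these steps can be audited from Windows PowerShell. The following script is an added example for this course text, not Microsoft's own sample; it assumes it runs on a cluster node with the FailoverClusters module installed, and the defaults it compares against (1000 ms, 5 missed heartbeats) are the single-subnet values quoted above.

```powershell
# Added example, not from the course text: report the heartbeat settings that
# decide when a node is declared down, and for every clustered virtual machine
# the nodes that are allowed to take it over. Assumes the FailoverClusters
# module is installed and the script runs on a node of the cluster.
Import-Module FailoverClusters

function Get-HeartbeatSettings {
    $cluster = Get-Cluster
    $settings = [pscustomobject]@{
        Cluster              = $cluster.Name
        SameSubnetDelayMs    = $cluster.SameSubnetDelay       # interval between heartbeats
        SameSubnetThreshold  = $cluster.SameSubnetThreshold   # missed heartbeats before "down"
        CrossSubnetDelayMs   = $cluster.CrossSubnetDelay
        CrossSubnetThreshold = $cluster.CrossSubnetThreshold
    }
    # Node-down detection on one subnet takes delay x threshold (5 s with the defaults).
    $detectSeconds = ($settings.SameSubnetDelayMs * $settings.SameSubnetThreshold) / 1000
    if ($settings.SameSubnetDelayMs -ne 1000 -or $settings.SameSubnetThreshold -ne 5) {
        Write-Warning "Heartbeat settings differ from the defaults; node-down detection now takes $detectSeconds s."
    }
    $settings
}

function Get-VMRoleOwners {
    # One row per clustered VM: the node it runs on now, the ordered Preferred
    # Owners of its group, and the Possible Owners of the Virtual Machine
    # resource. A node absent from Possible Owners can never take the VM over.
    $allNodes = (Get-ClusterNode).Name
    foreach ($group in Get-ClusterGroup | Where-Object { $_.GroupType -eq 'VirtualMachine' }) {
        $preferred  = (Get-ClusterOwnerNode -Group $group.Name).OwnerNodes |
                      Select-Object -ExpandProperty Name
        $vmResource = Get-ClusterResource | Where-Object {
            $_.OwnerGroup.Name -eq $group.Name -and $_.ResourceType.Name -eq 'Virtual Machine'
        }
        $possible   = (Get-ClusterOwnerNode -Resource $vmResource.Name).OwnerNodes |
                      Select-Object -ExpandProperty Name

        [pscustomobject]@{
            VMRole          = $group.Name
            CurrentNode     = $group.OwnerNode.Name
            PreferredOwners = ($preferred -join ', ')
            PossibleOwners  = ($possible -join ', ')
            # Nodes that could never restart this VM after a failure.
            ExcludedNodes   = (($allNodes | Where-Object { $possible -notcontains $_ }) -join ', ')
        }
    }
}

Get-HeartbeatSettings | Format-List
Get-VMRoleOwners | Format-Table -AutoSize
```

Review the ExcludedNodes column before a maintenance window: a VM whose Possible Owners list has been trimmed to the node you are about to patch has nowhere to go.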
What's New in Failover Clustering for Hyper-V in Windows Server 2012?
In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters. Some of the most important improvements are:
Failover clustering now supports up to 4,000 virtual machines, and the improved Failover Cluster Manager snap-in simplifies managing many virtual machines.
It is now possible to store virtual machines on SMB file shares in a file server cluster. This is a new way to provide high availability for virtual machines. Instead of making a cluster between Hyper-V nodes, you can now have Hyper-V nodes out of a cluster but with virtual machine files on a highly available file share. To make this work, you should deploy a file server cluster in a scale-out file server mode. Scale-out file servers can also use Cluster Shared Volumes for storage.
Best Practices for Implementing High Availability in a Virtual Environment
After you determine which applications are deployed on highly available failover clusters, you plan and deploy the failover clustering environment. Apply the following recommendations when you implement the failover cluster:
Use Windows Server 2012 as the Hyper-V host. Windows Server 2012 provides enhancements such as Hyper-V 3.0, improved CSVs, virtual machine migrations, and other features that improve flexibility and performance when you implement host failover clustering.
Plan for failover scenarios. When you design the hardware requirements for the Hyper-V hosts, make
sure that you include the hardware capacity required when hosts fail. For example, if you deploy a six-node cluster, you must determine the number of host failures that you want to accommodate. If you
decide that the cluster must sustain the failure of two nodes, then the four remaining nodes must
have the capacity to run all the virtual machines in the cluster.
Plan the network design for failover clustering. To optimize the failover cluster performance and
failover, you should dedicate a fast network connection for internode communication. As with earlier
versions, this network should be logically and physically separate from the network segment(s) used
for clients to communicate with the cluster. You can also use this network connection to transfer
virtual machine memory during a Live Migration. If you are using iSCSI for any virtual machines,
dedicate a network connection to the iSCSI network connection also.
Plan the shared storage for failover clustering. When you implement failover clustering for Hyper-V,
the shared storage must be highly available. If the shared storage fails, the virtual machines will all
fail, even if the physical nodes are functional. To ensure the storage availability, plan for redundant
connections to the shared storage and redundant array of independent disks (RAID) redundancy on
the storage device.
Use the recommended failover cluster quorum mode. If you deploy a cluster with an even number
of nodes, and shared storage is available to the cluster, the Failover Cluster Manager automatically
selects Node and Disk Majority quorum mode. If you deploy a cluster with an odd number of nodes,
the Failover Cluster Manager selects the Node Majority quorum mode. You should not modify the
default configuration unless you understand the implications of doing this.
Deploy standardized Hyper-V hosts. To simplify the deployment and management of the failover
cluster and Hyper-V nodes, develop a standard server hardware and software platform for all nodes.
Develop standard management practices. When you deploy multiple virtual machines in a
failover cluster, you increase the risk that a single mistake may shut down a large part of the server
deployment. For example, if an administrator accidentally configures the failover cluster incorrectly,
and the cluster fails, all virtual machines in the cluster will be offline. To avoid this, develop and
thoroughly test standardized instructions for all administrative tasks.
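The "plan for failover scenarios" and "quorum mode" recommendations can be checked against a running cluster. The script below is an added example written for this text, not part of the course; it assumes the Hyper-V and FailoverClusters modules are installed on the cluster node where it runs, and it uses each VM's startup memory as the capacity measure.

```powershell
# Added example, not from the course: can the cluster still run every clustered
# VM after losing N nodes, and which quorum mode is in effect? Assumes the
# Hyper-V and FailoverClusters modules are installed and the script runs on a
# cluster node.
Import-Module Hyper-V
Import-Module FailoverClusters

function Test-ClusterFailureCapacity {
    param([int]$NodeFailuresToSurvive = 2)

    $nodes = Get-ClusterNode | Where-Object { $_.State -eq 'Up' }

    # Physical memory (bytes) of each node.
    $nodeMemory = foreach ($n in $nodes) {
        (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $n.Name).TotalPhysicalMemory
    }

    # Memory every VM needs at start-up; for dynamic memory, MemoryMaximum
    # would give the worst case instead.
    $vmMemory = (Get-VM -ComputerName $nodes.Name |
                 Measure-Object -Property MemoryStartup -Sum).Sum

    # Worst case: the nodes with the most memory are the ones that fail.
    $remaining = ($nodeMemory | Sort-Object -Descending |
                  Select-Object -Skip $NodeFailuresToSurvive |
                  Measure-Object -Sum).Sum

    [pscustomobject]@{
        NodesUp           = @($nodes).Count
        FailuresToSurvive = $NodeFailuresToSurvive
        VMMemoryGB        = [math]::Round($vmMemory / 1GB, 1)
        RemainingMemoryGB = [math]::Round($remaining / 1GB, 1)
        Sufficient        = ($remaining -ge $vmMemory)
    }
}

# Six-node cluster that must survive two failures: the four remaining nodes
# have to hold every VM.
Test-ClusterFailureCapacity -NodeFailuresToSurvive 2 | Format-List

# Quorum: an even node count with a witness disk should show NodeAndDiskMajority,
# an odd node count NodeMajority. Change the mode only deliberately.
Get-ClusterQuorum | Select-Object Cluster, QuorumType, QuorumResource
```

The memory comparison is a lower bound only; CPU, storage bandwidth and the per-VM overhead Hyper-V reserves all reduce the real headroom.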
Lesson 2
Implementing Hyper-V Virtual Machines on Failover Clusters
Implementation of highly available virtual machines is somewhat different from implementing other roles in a failover cluster. Failover clustering in Windows Server 2012 provides many features for Hyper-V clustering in addition to tools for virtual machine high availability management. In this lesson, you will learn about how to implement highly available virtual machines.
Lesson Objectives
After completing this lesson, you will be able to:
Describe components of a Hyper-V cluster.
Configure CSVs.
Describe considerations for implementing Hyper-V virtual machines in a cluster.
Components of Hyper-V Clusters
Hyper-V as a role has some specific requirements for cluster components. To form a Hyper-V cluster, you must have at least two physical nodes. Whereas other clustered roles (such as DHCP, file server, and so on) allow for nodes to be virtual machines, Hyper-V nodes must be composed of physical hosts. You cannot run Hyper-V as a virtual machine on a Hyper-V host.
In addition to having nodes, you must also have physical and virtual networks. Failover clustering requires a network for internal cluster communication, and also a network for clients. You can also implement a storage network separately, depending on the type of storage being used. Again, specific to the Hyper-V role, you should also consider virtual networks for clustered virtual machines. It is very important to create the same virtual networks on all physical hosts that participate in one cluster. Failing to do this causes a virtual machine to lose network connectivity when moved from one host to another.
Storage is an important component of virtual machine clustering. You can use any type of storage that is supported by Windows Server 2012 failover clustering. We recommend that you configure storage as a CSV. This is discussed in a following topic.
Note: Microsoft supports a failover cluster solution only if all the hardware features are
marked as Certified for Windows Server. Additionally, the complete configuration (servers,
network, and storage) must pass all tests in the Validate This Configuration wizard, which is
included in the Failover Cluster Manager snap-in.
Network adapters: The network hardware, just as other features in the failover cluster solution, must
be marked as Certified for Windows Server. To provide network redundancy, you can connect
cluster nodes to multiple, distinct networks, or you can connect the nodes to one network that uses
teamed network adapters, redundant switches, redundant routers, or similar hardware to remove
single points of failure. We recommend that you configure multiple network adapters on the host
computer that you configure as a cluster node. One network adapter should be connected to the
private network that the inter-host communications uses.
Storage adapters: If you use Serial Attached SCSI (SAS) or fiber channel, the mass-storage device
controllers in all clustered servers should be identical and should use the same firmware version.
If you are using iSCSI, each clustered server should have one or more network adapters that are
dedicated to the cluster storage. The network adapters that you use to connect to the iSCSI storage
target should be identical, and you should use Gigabit Ethernet or a faster network adapter.
Storage: You must use shared storage that is compatible with Windows Server 2008 R2. If you deploy
a failover cluster that uses a witness disk, the storage must contain at least two separate volumes
(LUNs). One volume functions as the witness disk, and additional volumes contain the virtual machine
files that are shared between the cluster nodes. Storage considerations and recommendations include
the following:
Use basic disks, not dynamic disks. Format the disks with the NTFS file system.
Use either master boot record (MBR) or GUID partition table (GPT).
If you are using a storage area network (SAN), the miniport driver that the storage uses must
work with the Microsoft Storport storage driver.
Consider using multipath input/output (I/O) software: If your SAN uses a highly available network
design with redundant components, you can deploy failover clusters with multiple host bus
adapters by using multipath I/O software. This provides the highest level of redundancy and
availability. For Windows Server 2008 R2 and 2012, your multipath solution must be based on
Microsoft Multipath I/O (MPIO).
Software Requirements for Using Hyper-V and Failover Clustering
The following are the software requirements for using Hyper-V and failover clustering:
Network Infrastructure Requirements
The following network infrastructure is required for a failover cluster and an administrative account with the following domain permissions:
Network settings and IP addresses. Use identical communication settings on all network adapters, including the speed, duplex mode, flow control, and media type settings. Ensure that all network hardware supports the same settings.
DNS. The servers in the cluster must use Domain Name System (DNS) for name resolution. You should use the DNS dynamic update protocol.
Implementing Hyper-V Virtual Machines on Failover Clusters
To implement failover clustering for Hyper-V, you must complete the following high-level steps:
1.
2. Configure the shared storage. You must use Disk Manager to create disk partitions on the shared storage.
3.
4.
5.
Note: You can enable Clustered Shared Storage for the cluster only after you configure the cluster. If you want to use Cluster Shared Volumes (CSV), you should configure CSV before you move to the next step.
6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure that all files associated with the virtual machine, including both the virtual hard disk and virtual machine configuration files, are stored on the shared storage. You can create and manage virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine by using Failover Cluster Manager, the virtual machine is automatically made highly available.
7.
Note: When you make a virtual machine highly available, you see a list of all virtual machines hosted on all cluster nodes, including virtual machines that are not stored on the shared storage. If you make a virtual machine that is not located on shared storage highly available, you receive a warning, but Hyper-V adds the virtual machine to the services and applications list. However, when you try to migrate the virtual machine to a different host, the migration will fail.
8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the computer to another node in the cluster. If you are running Windows Server 2008 R2 or Windows Server 2012, you can select to perform a Quick Migration or a Live Migration.
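Steps 6 to 8 can be carried out from Windows PowerShell, with an explicit check that guards against the situation the note describes (a VM on local disk that is accepted with only a warning and then fails to migrate). This is an added example for this text, not a Microsoft sample; the VM name APP01, the CSV mount point C:\ClusterStorage\Volume1, the virtual switch ClusterVMs and the node name HV02 are assumptions.

```powershell
# Added example, not from the course: create a VM on cluster storage, verify
# that every one of its files really is on a CSV, make it highly available and
# test a controlled move. Assumed names: VM APP01, CSV C:\ClusterStorage\Volume1,
# virtual switch ClusterVMs, target node HV02. Run on a cluster node with the
# Hyper-V and FailoverClusters modules installed.
Import-Module Hyper-V
Import-Module FailoverClusters

$vmName = 'APP01'
$vmRoot = 'C:\ClusterStorage\Volume1'   # assumed CSV mount point

# Step 6: configuration files and VHD both go to the shared storage.
New-VM -Name $vmName -MemoryStartupBytes 2GB -Path $vmRoot `
       -NewVHDPath (Join-Path $vmRoot "$vmName\$vmName.vhdx") -NewVHDSizeBytes 60GB `
       -SwitchName 'ClusterVMs' | Out-Null

function Test-VMOnClusterStorage {
    # Returns $true only when every file of the VM sits under a CSV mount point.
    param([string]$Name)
    $csvRoots = Get-ClusterSharedVolume | ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName }
    $vm = Get-VM -Name $Name
    $paths = @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath) +
             @(Get-VMHardDiskDrive -VMName $Name | Select-Object -ExpandProperty Path)
    $offCluster = @($paths | Where-Object {
        $p = $_
        -not ($csvRoots | Where-Object { $p -like "$_*" })
    })
    foreach ($p in $offCluster) { Write-Warning "$Name : '$p' is not on cluster shared storage" }
    return ($offCluster.Count -eq 0)
}

if (Test-VMOnClusterStorage -Name $vmName) {
    # Step 7: register the VM as a clustered role.
    Add-ClusterVirtualMachineRole -VirtualMachine $vmName | Out-Null

    # Step 8: a controlled Live Migration to the other node proves failover works.
    Move-ClusterVirtualMachineRole -Name $vmName -Node 'HV02' -MigrationType Live
    Get-ClusterGroup -Name $vmName | Select-Object Name, State, OwnerNode
}
```

Running the placement check before Add-ClusterVirtualMachineRole turns the warning the text mentions into a hard stop, so a VM with a stray local VHD never reaches production as a role that cannot move.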
Configuring Clustered Shared Volumes
You do not have to configure and use CSV when you implement high availability for virtual machines in Hyper-V. You can cluster Hyper-V by using the regular approach. However, we recommend that you use CSV because of the following advantages:
Reduced LUNs for the disks. You can use CSV to reduce the number of LUNs that your virtual machines require. When you configure a CSV, you can store multiple virtual machines on a single LUN and multiple host computers can access the same LUN concurrently.
Better use of disk space. Instead of placing each .vhd file on a separate disk with empty space so that the .vhd file can expand, you can oversubscribe disk space by storing multiple .vhd files on the same LUN.
Increased resiliency. CSV increases resiliency because the cluster can respond correctly even if connectivity between one node and the SAN is interrupted, or part of a network is down. The cluster reroutes the CSV traffic through an intact part of the SAN or network.
Implementing CSV
You can configure CSV only when you create a failover cluster that hosts highly available virtual machines. After you create the failover cluster, you can enable CSV for the cluster, and then add storage to the CSV.
Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster, and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.
You cannot add shared storage to CSV if it is used. If you have a running virtual machine that is using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
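The "add storage to the CSV" step, including the rule that a disk already in use cannot be added, looks like this in Windows PowerShell. The script is an added example for this text, not Microsoft's; it assumes it runs on a cluster node with the FailoverClusters module and that unassigned cluster disks sit in the group named Available Storage.

```powershell
# Added example, not from the course: move every cluster disk that is still in
# the "Available Storage" group into CSV, and skip disks that a role already
# owns (a running VM's disk needs the VM shut down first, as the text says;
# the witness disk lives in "Cluster Group" and must stay there). Assumes the
# FailoverClusters module is installed and the script runs on a cluster node.
Import-Module FailoverClusters

function Add-AvailableDisksToCsv {
    $disks = Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq 'Physical Disk' }
    foreach ($disk in $disks) {
        $owner = $disk.OwnerGroup.Name
        if ($owner -ne 'Available Storage') {
            Write-Warning "Skipping '$($disk.Name)': owned by group '$owner'"
            continue
        }
        Add-ClusterSharedVolume -Name $disk.Name | Out-Null
        Write-Output "Added '$($disk.Name)' to CSV"
    }
}

Add-AvailableDisksToCsv

# The resulting CSV mount points appear under C:\ClusterStorage on every node.
Get-ClusterSharedVolume |
    Select-Object Name, State, @{ n = 'MountPoint'; e = { $_.SharedVolumeInfo.FriendlyVolumeName } }
```

Disks that were added to the cluster after it was created show up in Available Storage only once they carry a formatted volume, which matches the order the text gives: create the volume, add the disk to the cluster, then add it to CSV.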
Implementing Highly Available Virtual Machines on an SMB 3.0 File Share
In Windows Server 2012, it is possible to use one more technique to make virtual machines highly available. Instead of using host or guest clustering, virtual machine files can now be stored on a highly available SMB 3.0 file share. By using this approach, high availability is achieved not by clustering Hyper-V nodes, but by file servers that host virtual machine files on their file shares. With this new capability, Hyper-V can store all virtual machine files, including configuration, virtual hard disk (VHD) files, and snapshots, on highly available SMB file shares.
A common Active Directory infrastructure. The servers running Active Directory Domain Services (AD DS) do not need to run Windows Server 2012.
Before you implement virtual machines on an SMB file share, you should set up a file server cluster. To do that, you should have at least two cluster nodes with File Services and Failover Clustering installed. In the failover clustering console, you should create a scale-out file server cluster. After you configure the cluster, you deploy the new SMB file share for applications. This share is used to store virtual machine files. When the share is created, you can use the Hyper-V Manager console to deploy new virtual machines on the SMB file share, or you can migrate existing VMs to the SMB file share by using the storage migration method.
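The procedure just described (scale-out file server role, application share, then new or migrated VMs on the share) can be scripted end to end. This is an added example for this text, not the course's own material; the scale-out file server name SOFS01, the share name VMs on CSV Volume1, the domain CONTOSO, the host computer accounts HV01$ and HV02$, the admin group "Hyper-V Admins" and the VM names WEB01 and FILE02 are all assumptions, and the file server cluster itself is assumed to exist already.

```powershell
# Added example, not from the course. Part 1 runs on the file server cluster,
# part 2 on a Hyper-V host. Assumed names: SOFS01, share VMs, domain CONTOSO,
# Hyper-V host accounts HV01$/HV02$, VMs WEB01 and FILE02.
Import-Module FailoverClusters
Import-Module SmbShare

# --- Part 1: on the (already built) file server cluster ---
Add-ClusterScaleOutFileServerRole -Name 'SOFS01' | Out-Null

$sharePath = 'C:\ClusterStorage\Volume1\Shares\VMs'
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Least privilege: only the Hyper-V host computer accounts and the admins who
# manage them get Full Control; nobody else is granted anything on the share.
$principals = 'CONTOSO\HV01$', 'CONTOSO\HV02$', 'CONTOSO\Hyper-V Admins'
New-SmbShare -Name 'VMs' -Path $sharePath -ScopeName 'SOFS01' `
             -FullAccess $principals -ContinuouslyAvailable $true | Out-Null
# Mirror the share permissions onto the NTFS folder so both layers agree.
Set-SmbPathAcl -ShareName 'VMs'

Get-SmbShare -Name 'VMs' | Select-Object Name, Path, ScopeName, ContinuouslyAvailable

# --- Part 2: on a Hyper-V host ---
Import-Module Hyper-V
$share = '\\SOFS01\VMs'

# A new VM created directly on the share (configuration and VHD).
New-VM -Name 'WEB01' -MemoryStartupBytes 1GB -Path $share `
       -NewVHDPath "$share\WEB01\WEB01.vhdx" -NewVHDSizeBytes 40GB | Out-Null

# An existing VM moved to the share with storage migration, no downtime.
Move-VMStorage -VMName 'FILE02' -DestinationStoragePath "$share\FILE02"

Get-VM -Name 'WEB01', 'FILE02' | Select-Object Name, ConfigurationLocation
```

The -ScopeName parameter matters: without it the share is created on the local node rather than on the scale-out file server name, and clients lose the transparent failover that makes the share "highly available" in the sense this topic uses.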
Considerations for Implementing Hyper-V Clusters
By implementing host failover clustering, you can make virtual machines highly available. However, implementing host failover clustering also adds significant cost and complexity to a Hyper-V deployment. You must invest in additional server hardware to provide redundancy, and you should implement or have access to a shared storage infrastructure.
Use the following recommendations to ensure that the failover clustering strategy meets the organization's requirements:
What are the performance requirements for each application? Collect performance information on the servers currently running the applications to gain an understanding of the hardware requirements that are required when you virtualize the server.
What capacity is required to make the Hyper-V virtual machines highly available? As soon as you
identify all the applications that must be highly available by using host clustering, you can start to
design the actual Hyper-V deployment. By identifying the performance requirements, and network
and storage requirements, for applications, you can define the hardware that you have to implement
all the applications in a highly available environment.
Live Migration is one of the most important aspects of Hyper-V clustering. When you implement Live
Migration, consider the following:
Verify basic requirements. The basic requirements for Live Migration are that all hosts must be part of
a Windows Server 2008 R2 failover cluster, and host processors must be from the same manufacturer.
All hosts in the cluster must have access to shared storage.
Configure a dedicated network adapter for the private virtual network. When you implement failover
clustering, you should configure a private network for the cluster heartbeat traffic. You use this
network to transfer the virtual machine memory during a failover. To optimize this configuration,
configure a network adapter for this network that has a capacity of one gigabit per second (Gbps) or
higher.
Note: You must enable the Client for Microsoft Networks and File and Printer Sharing for
Microsoft Networks components for the network adapter that you want to use for the private
network.
Use similar host hardware. All failover cluster nodes must use the same hardware for connecting to
shared storage, and all cluster nodes must have processors from the same manufacturer. Whereas you
can enable failover for virtual machines on a host with different processor versions by configuring
processor compatibility settings, the failover experience and performance is more consistent if all
servers have very similar hardware.
Verify network configuration. All nodes in the failover cluster must connect through the same IP
subnet so that the virtual machine can keep the same IP address after Live Migration. Also, the IP
addresses assigned to the private network on all nodes must be on the same logical subnet, which
means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet
that spans a wide area network (WAN) connection.
Manage Live Migrations. Each node in the failover cluster can perform only one Live Migration at a
time. If you try to start a second Live Migration before the first one finishes, the migration fails. If you
start additional Live Migrations from Virtual Machine Manager (VMM), it queues the Live Migration,
and retries it for 15 minutes. If the migration cannot be initiated in 15 minutes, the migration is
canceled.
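The Live Migration requirements listed above (same processor manufacturer, processor compatibility where models differ, a dedicated private network, adapters at 1 Gbps or faster) can be checked before the first migration is attempted. The script is an added example for this text, not Microsoft's; it assumes the FailoverClusters and Hyper-V modules are installed and that it runs on any node of the cluster.

```powershell
# Added example, not from the course: pre-flight check of the Live Migration
# requirements across every cluster node. Assumes the FailoverClusters and
# Hyper-V modules are installed; run on any cluster node.
Import-Module FailoverClusters
Import-Module Hyper-V

function Test-LiveMigrationPrereqs {
    $nodes = (Get-ClusterNode).Name

    # 1. Processors: manufacturer must match, model ideally should.
    $cpus = foreach ($n in $nodes) {
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $n | Select-Object -First 1
        [pscustomobject]@{ Node = $n; Manufacturer = $cpu.Manufacturer; Model = $cpu.Name }
    }
    $cpus | Format-Table -AutoSize
    if (@($cpus.Manufacturer | Select-Object -Unique).Count -gt 1) {
        Write-Warning 'Processor manufacturers differ: Live Migration between these nodes will fail.'
    } elseif (@($cpus.Model | Select-Object -Unique).Count -gt 1) {
        Write-Warning 'Processor models differ: VMs below do not have processor compatibility enabled.'
        Get-VM -ComputerName $nodes | Get-VMProcessor |
            Where-Object { -not $_.CompatibilityForMigrationEnabled } |
            Select-Object ComputerName, VMName, CompatibilityForMigrationEnabled
    }

    # 2. Cluster networks. Role 1 = cluster communication only (heartbeat and
    #    migration traffic), 3 = cluster and client, 0 = not used by the cluster.
    $clusterOnly = @(Get-ClusterNetwork | Where-Object { $_.Role -eq 1 })
    if ($clusterOnly.Count -eq 0) { Write-Warning 'No dedicated cluster-only (private) network is defined.' }
    Get-ClusterNetwork | Select-Object Name, Role, Address, AddressMask | Format-Table -AutoSize

    # 3. Link speed of the physical adapters that are up on each node; the
    #    private network should run at 1 Gbps (1e9 bit/s) or faster.
    foreach ($n in $nodes) {
        Get-NetAdapter -CimSession $n -Physical | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
            if ($_.ReceiveLinkSpeed -lt 1000000000) {
                Write-Warning "$n : adapter '$($_.Name)' runs at $($_.LinkSpeed)"
            }
        }
    }
}

Test-LiveMigrationPrereqs
```

A node that fails the manufacturer check cannot be fixed by the processor compatibility setting; that setting only masks feature differences between models from the same vendor.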
Lesson 3
Implementing Hyper-V Virtual Machine Movement
Moving virtual machines from one location to another is a fairly common procedure in the administration of Hyper-V environments. Most of the moving techniques in previous Windows Server versions required downtime. Windows Server 2012 introduces new technologies to enable seamless virtual machine movement. In this lesson, you will learn about virtual machine movement and migration options.
Lesson Objectives
After completing this lesson, you will be able to:
Virtual Machine Migration Options
There are several scenarios where you would want to migrate a virtual machine from one location to another. For example, you might want to move a virtual machine virtual hard disk from one physical drive to another on the same host. Another example is moving a virtual machine from one node in a cluster to another, or just moving a computer from one host server to another host server without the hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012 provides significant enhancements in addition to simplified procedures for this process.
In Windows Server 2012, you can perform migration of virtual machines by using these methods:
Virtual machine and storage migration. With this method, you move a powered on virtual machine from one location to another (or from one host to another) by using a wizard in Hyper-V Manager. Virtual machine and storage migration do not require failover clustering or any other high availability technology to work. Shared storage is not required when you move just the virtual machine.
Quick Migration. This method is also available in Windows Server 2008. It requires failover clustering to be installed and configured. It.
Live Migration. This improvement over Quick Migration is also available in Windows Server 2008 R2. It enables you to migrate a virtual machine from one host to another without downtime.
Hyper-V replica. This new feature in Windows Server 2012 enables you to replicate a virtual machine to another host, instead of moving the virtual machine, and to synchronize all virtual machine changes from the primary host to the host that holds the replica.
Exporting and importing virtual machine. This is an established method of moving virtual machines without using a cluster. You export a virtual machine on one host, and then physically move exported files to another host by performing an import operation. This is a very time-consuming operation. It requires that a virtual machine is turned off during export and import. In Windows Server 2012 this migration method is improved. You can import a virtual machine to a Hyper-V host without exporting it before import. Windows Server 2012 Hyper-V is now capable of configuring all the necessary settings during the import operation.
How Does Virtual Machine and Storage Migration Work?
There are many cases in which an administrator might want to move the virtual machine files to another location. For example, if the disk where a virtual machine hard disk resides runs out of space, you must move the virtual machine to another drive or volume. Also, moving a virtual machine to another host is a very common procedure.
In earlier versions of Windows Server, such as Windows Server 2008 or Windows Server 2008 R2, moving a virtual machine resulted in downtime because it had to be turned off. If you moved a virtual machine between two hosts, then you also had to perform export and import operations for that specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual machine hard disks.
In Windows Server 2012, Virtual Machine and Storage Migration enables you to move a virtual machine to another location on the same host or on another host computer without turning off the virtual machine.
Let's examine how storage migration actually works.
To copy a virtual hard disk, an administrator starts live storage migration by using the Hyper-V console or Windows PowerShell, and completes the wizard (or specifies parameters in Windows PowerShell). A new virtual hard disk is created on the destination location and the copy process starts. During the copy process, the virtual machine is fully functional. However, all changes that occur during copying are written to both the source and destination location. Read operations are performed only from the source location. As soon as the disk copy process is complete, Hyper-V switches the virtual machine to run on the destination virtual hard disk. Also, if the virtual machine is moved to another host, the computer configuration is copied and the virtual machine is associated with another host. If a failure were to occur on the destination side, there is always a fail back option to run back again on the source directory. After the virtual machine is successfully migrated and associated to a new location, the process deletes the source VHDs.
The time that is required to move a virtual machine depends on the source and destination location, the speed of hard disks or storage, and the size of the virtual hard disks. The moving process is speeded up if source and destination locations are on storage, and storage supports Offloaded Data Transfer (ODX).
When you move a virtual machine's VHDs to another location, a wizard presents three available options:
Move all the virtual machine's data to a single location: You specify one single destination location, such as disk file, configuration, snapshot, and smart paging.
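The wizard's choices correspond to parameter sets of the Move-VMStorage cmdlet, and the "disk ran out of space" case that opens this topic is worth checking before the copy starts, because a destination that fills up mid-copy forces the fail back described above. The script is an added example for this text, not a Microsoft sample; it goes slightly beyond the one option the text lists by showing the per-item and VHD-only variants as well, and the VM name APP01 and the paths D:\VMs and E:\VHDs are assumptions.

```powershell
# Added example, not from the course: live storage migration of a running VM
# with a free-space check on a local destination drive, and the Move-VMStorage
# parameter sets that match the wizard's choices. Assumed names: VM APP01,
# destinations D:\VMs and E:\VHDs. Requires the Hyper-V module.
Import-Module Hyper-V

function Test-DestinationFreeSpace {
    # Returns $true when the local destination drive can hold the VM's VHD files
    # at their current size (dynamic disks may still grow afterwards).
    param([string]$VMName, [string]$Destination)
    $vhdBytes = (Get-VMHardDiskDrive -VMName $VMName |
                 ForEach-Object { (Get-Item $_.Path).Length } |
                 Measure-Object -Sum).Sum
    $drive = Split-Path -Qualifier $Destination              # for example 'D:'
    $free  = (Get-PSDrive -Name $drive.TrimEnd(':')).Free
    if ($free -lt $vhdBytes) {
        Write-Warning ('{0}: needs {1:N1} GB, {2} has {3:N1} GB free' -f $VMName, ($vhdBytes / 1GB), $drive, ($free / 1GB))
        return $false
    }
    return $true
}

$vm   = 'APP01'
$mode = 'Single'    # 'Single', 'Separate' or 'VhdsOnly': pick one wizard option

if (-not (Test-DestinationFreeSpace -VMName $vm -Destination 'D:\VMs')) { return }

# VHDs are described as source/destination pairs for the per-item variants.
$vhdMoves = Get-VMHardDiskDrive -VMName $vm | ForEach-Object {
    @{ SourceFilePath      = $_.Path
       DestinationFilePath = Join-Path 'E:\VHDs\APP01' (Split-Path $_.Path -Leaf) }
}

switch ($mode) {
    # Everything (configuration, VHDs, snapshots, smart paging) to one folder.
    'Single'   { Move-VMStorage -VMName $vm -DestinationStoragePath 'D:\VMs\APP01' }
    # Each item to its own location.
    'Separate' { Move-VMStorage -VMName $vm -VirtualMachinePath 'D:\VMs\APP01' `
                     -SnapshotFilePath 'D:\VMs\APP01' -SmartPagingFilePath 'D:\VMs\APP01' `
                     -Vhds $vhdMoves }
    # Only the virtual hard disks; the configuration stays where it is.
    'VhdsOnly' { Move-VMStorage -VMName $vm -Vhds $vhdMoves }
}

Get-VM -Name $vm | Select-Object Name, State, ConfigurationLocation
Get-VMHardDiskDrive -VMName $vm | Select-Object Path
```

The cmdlet returns only after the copy and the switch-over are complete, so the final two lines show the new locations; the VM is running throughout, exactly as the copy process described above promises.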
Live Migration enables you to move running virtual machines from one failover cluster node to another
node in the same cluster. With Live Migration, users who are connected to the virtual machine should
experience almost no server outage.
Note: Whereas you can also do live migration of a virtual machine by using the Virtual Machine
and Storage Migration described in the previous topic, you should be aware that live migration is
based on a different technology (failover clustering). Unlike the storage migration scenario, Live
Migration can be performed only if a virtual machine is highly available.
You can start a Live Migration through one of the following:
The VMM Administrator console, if you use VMM to manage your physical hosts.
Note: Live Migration enables you to reduce the perceived outage of a virtual machine
significantly during a planned failover. During a planned failover, you start the failover manually.
Live Migration does not apply during an unplanned failover, such as when the node hosting the
virtual machine fails.
Migration setup. When the administrator starts the failover of the virtual machine, the source node
creates a TCP connection with the target physical host. This connection is used to transfer the virtual
machine configuration data to the target physical host. Live Migration creates a temporary virtual
machine on the target physical host, and allocates memory to the destination virtual machine. The
migration preparation also checks to determine whether a virtual machine can be migrated.
2.
Guest-memory transfer. The guest memory is transferred iteratively to the target host while the
virtual machine is still running on the source host. Hyper-V on the source physical host monitors the
pages in the working set. As the system modifies memory pages, it tracks and marks them as being
modified. During this phase of the migration, the migrating virtual machine continues to run. HyperV iterates the memory copy process several times, and every time that a smaller number of modified
pages are copied to the destination physical computer. A final memory copy process copies the
remaining modified memory pages to the destination physical host. Copying stops as soon as the
number of dirty pages drops below a threshold or after 10 iterations are complete.
3.
State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source
partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to
the target host, and then restores the virtual machine on the target host. The virtual machine has to
be paused during the final state transfer.
4.
Clean up. The cleanup stage finishes the migration by tearing down the virtual machine on the
source host, terminating the worker threads, and signaling the completion of the migration.
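The storage migration options in the previous topic and the cluster Live Migration stages above, as an added PowerShell example that is not part of the course text. Host names, VM names and paths are assumptions chosen to match the lab (LON-HOST1, LON-HOST2, LON-GUEST1, TestClusterVM); run it as an administrator on a Windows Server 2012 Hyper-V host.

```powershell
# Added example, not from the course. Names and paths are assumptions.
Import-Module Hyper-V
Import-Module FailoverClusters

# 1. Storage migration ("move all the virtual machine's data to a single
#    location"). The VM keeps running: reads are served from the source,
#    writes are mirrored to both copies until Hyper-V switches over.
Move-VMStorage -VMName 'LON-GUEST1' -DestinationStoragePath 'C:\GUEST1'

# 2. Shared-nothing live migration to another stand-alone host, moving the
#    configuration and the VHDs together. Run the Enable/Set-VMHost lines on
#    both hosts; they must agree on an authentication type. With Kerberos,
#    starting the move from a third computer additionally needs constrained
#    delegation for "cifs" and "Microsoft Virtual System Migration Service".
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
           -UseAnyNetworkForMigration $true `
           -MaximumVirtualMachineMigrations 2 `
           -MaximumStorageMigrations 2
Move-VM -Name 'LON-GUEST1' -DestinationHost 'LON-HOST2' `
        -IncludeStorage -DestinationStoragePath 'D:\VMs\LON-GUEST1'

# 3. Cluster Live Migration (the four-stage memory copy described above).
#    Works only for a VM that exists as a clustered role.
Move-ClusterVirtualMachineRole -Name 'TestClusterVM' -Node 'LON-HOST1' `
                               -MigrationType Live

# Show which node now owns each VM role.
Get-ClusterGroup | Where-Object GroupType -eq 'VirtualMachine' |
    Select-Object Name, OwnerNode, State
```

Kerberos is the safer choice over CredSSP for step 2 because it does not forward the administrator's credentials to the target host; CredSSP is only needed when you cannot configure delegation.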
How Does Hyper-V Replica Work?
In some cases, you might want to have a spare copy of one virtual machine that you can run if the original virtual machine fails. By implementing high availability, you have one instance of a virtual machine. High availability does not prevent corruption of software running inside the VM. One way to address the issue of corruption is to copy the VM. You can also back up the virtual machine and its storage. Although this solution achieves the desired result, it is resource intensive and time consuming.
To resolve this problem, and to enable administrators to have an up-to-date copy of a single virtual machine, Microsoft has implemented Hyper-V Replica technology in Windows Server 2012. This technology enables virtual machines running at a primary site (which can also be a location or host) to be efficiently replicated to a secondary site (location or host) across a WAN or LAN link. Hyper-V Replica enables you to have two instances of a single virtual machine residing on different hosts, one as the primary (live) copy and the other as a replica (offline) copy. These copies are synchronized, and you can fail over at any time. In the event of a failure at a primary site (e.g. fire, natural disaster, power outage, server failure etc.), an administrator can use Hyper-V Replica to execute a failover of production workloads to replica servers at a secondary location within minutes, thus incurring minimal downtime.
The site configurations do not have to use the same server or storage hardware. Hyper-V Replica enables an administrator to restore virtualized workloads to a point in time depending on the Recovery History selections for the virtual machine.
Hyper-V Replica technology consists of several components:
Replication Engine: This component is the core of Hyper-V Replica. It manages the replication configuration details and handles initial replication, delta replication, failover, and test-failover operations. It also tracks virtual machine and storage mobility events and takes appropriate actions as needed (i.e. it pauses replication events until migration events complete and then resumes where they left off).
Network Module: The Networking Module provides a secure and efficient way to transfer virtual machine replicas between the primary host and the replica host. Data compression is enabled by default. When you select certificate-based authentication, the traffic is carried over HTTPS and protected by mutual certificate authentication. With Kerberos authentication (usable only between hosts in the same or trusting domains), replication traffic is sent over plain HTTP and is not encrypted on the wire, so that option should be used only inside a trusted network.
Hyper-V Replica Broker role: This is a new role implemented in Windows Server 2012. It is configured in Failover Clustering, and it enables you to have Hyper-V Replica functionality even when the virtual machine being replicated is highly available and can move from one cluster node to another. The Hyper-V Replica Broker redirects all virtual machine-specific events to the appropriate node in the replica cluster. The Broker queries the cluster database to determine which node should handle which events. This ensures all events are redirected to the correct node in the cluster in the event that a Quick Migration, Live Migration, or Storage Migration process was executed.
Configuring Hyper-V Replica
Before you implement Hyper-V Replica technology, ensure that these prerequisites are met:
The server hardware supports the Hyper-V role on Windows Server 2012.
Network connectivity exists between the locations hosting the primary and replica servers. This can be a WAN or LAN link.
An X.509v3 certificate exists to support mutual authentication with certificates (if you want).
You do not have to install Hyper-V Replica separately because it is not a Windows Server role or feature. Hyper-V Replica is implemented as part of the Hyper-V role. It can be used on Hyper-V servers that are stand-alone or servers that are part of a failover cluster (in which case, you should configure the Hyper-V Replica Broker). Unlike failover clustering, Hyper-V Replica is not dependent on Active Directory Domain Services (AD DS). You can use it with Hyper-V servers that are stand-alone, or that are members of different Active Directory domains (except in the case when servers are part of a failover cluster); certificate-based authentication is required when the hosts are not in the same or a trusting domain, because Kerberos cannot be used.
To enable Hyper-V Replica technology, you should first configure the Hyper-V server settings. In the Replication Configuration group of options, you should enable the Hyper-V server as a replica server, and you should also select authentication and port options. You should also configure authorization options. You can choose to enable replication from any server that successfully authenticates (which is convenient in scenarios where all servers are part of the same domain), or you can type the fully qualified domain names (FQDNs) of the primary servers that you accept replication from. Also, you must configure the location for replica files. These settings should be configured on each server that will serve as a replica server.
After you configure options at the server level, you should enable replication on a virtual machine. During this configuration, you must specify the replica server name, as well as options for the connection. You can select which virtual hard disk drives you replicate (in case the virtual machine has more than one VHD), and you can also configure Recovery History as well as the initial replication method. After you have configured these options, you can start replication.
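The server-level and virtual-machine-level steps above, as an added PowerShell example that is not part of the course text. Host names, the VM name, the storage path and the trust group name are assumptions chosen to match the lab (LON-HOST1 as primary, LON-HOST2 as replica server, replica files under E:\VMReplica).

```powershell
# Added example, not from the course. Names and paths are assumptions.
Import-Module Hyper-V

# --- On the replica server (LON-HOST2) ------------------------------------
# Accept replication with Kerberos over HTTP port 80. Kerberos traffic is
# not encrypted on the wire, so use this only inside a trusted LAN; for a
# WAN link use -AllowedAuthenticationType Certificate with
# -CertificateThumbprint and the HTTPS listener rule instead.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false

# Authorization: only this primary host may replicate here, into this path.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.adatum.com' `
    -ReplicaStorageLocation 'E:\VMReplica' -TrustGroup 'AdatumHosts'

# The inbound listener rule ships disabled; enable the one matching the port.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- On the primary host (LON-HOST1) --------------------------------------
$vm = 'LON-CORE'   # assumed VM name

# Enable replication, keep 4 hourly recovery points, compress the stream.
Enable-VMReplication -VMName $vm -ReplicaServerName 'LON-HOST2.adatum.com' `
    -ReplicaServerPort 80 -AuthenticationType Kerberos `
    -CompressionEnabled $true -RecoveryHistory 4

# Initial replication over the network (export/import of a copy is the
# alternative for large disks across a slow link).
Start-VMInitialReplication -VMName $vm

# Monitor state and health.
Get-VMReplication -VMName $vm |
    Format-List VMName, State, Health, ReplicationMode, LastReplicationTime
Measure-VMReplication -VMName $vm

# --- Test failover, run on the replica server --------------------------------
# Brings up an isolated test copy without touching the primary; Stop-VMFailover
# removes the test VM afterwards.
Start-VMFailover -VMName $vm -AsTest
Stop-VMFailover -VMName $vm
```

Because the authorization entry names a single primary server, any other host that authenticates successfully is still refused, which is the setting you want outside a single-domain lab.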
Lesson 4
Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager
Lesson Objectives
After completing this lesson, you will be able to:
Describe how VMM manages hosts and host clusters.
Describe how to manage virtual machines with VMM.
Describe services and service templates.
Describe physical to virtual and virtual to virtual migrations.
Describe considerations for deploying a highly available VMM server.
What Is VMM?
VMM is a management solution for a virtualized data center. VMM enables you to create and deploy virtual machines and services to private clouds by configuring and managing your virtualization host, networking, and storage resources.
VMM is a component of Microsoft System Center 2012 that discovers, captures, and aggregates knowledge of the virtualization infrastructure. VMM also manages policies, processes, and best practices with automation.
Database. VMM uses a SQL Server database to store the information that you view in the VMM management console, such as managed virtual machines, virtual machine hosts, virtual machine libraries, jobs, and other virtual machine-related data.
Management console. The management console is a program that you use to connect to a VMM management server, to view and manage physical and virtual resources, including virtual machine hosts, virtual machines, services, and library resources.
Library. A library is a catalog of resources (for example, virtual hard disks, templates, and profiles) that are used to deploy virtual machines and services. A library server also hosts shared folders that store file-based resources. The VMM management server is always the default library server, but you can add additional library servers later.
Command shell. Windows PowerShell is the command-line interface in which you execute cmdlets that perform all available VMM functions. You can use these VMM-specific cmdlets to manage all the actions in a VMM environment.
Prerequisites for Installing VMM
Before you deploy VMM and its components, you should be certain that your system meets hardware and software requirements. While software requirements do not change based on the number of hosts that VMM manages, hardware prerequisites may vary. In addition, not all VMM components have the same hardware and software requirements. However, Windows Server 2008 R2 and Windows Server 2012 are the only supported operating systems for VMM 2012.
VMM Server
Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or later versions
Windows PowerShell 2.0 (if the VMM management console will run on the same server)
Windows Remote Management 2.0 (this is installed by default in Windows Server 2008 R2, so you should just verify that the service is running)
SQL Server 2008 SP2 (Standard or Enterprise) or SQL Server 2008 R2 SP1 Standard, Enterprise, or Datacenter. This is necessary only when you install the VMM management server and SQL Server on the same computer.
Random access memory (RAM): 4 to 8 gigabytes (GB)
VMM Database
The VMM database stores all VMM configuration information, which you can access and modify by using the VMM management console. The VMM database requires SQL Server 2008 SP2 or later. Because of this, the base hardware requirements for the VMM database are equal to the minimum system requirements for installing SQL Server. Additionally, if you are managing more than 150 hosts, you should have at least 4 GB of RAM on the database server. Software requirements for the VMM database are the same as for SQL Server.
VMM Library
The VMM library is the server that hosts resources for building virtual machines, services and business unit clouds. In smaller environments, you usually install the VMM library on the VMM management server. If this is the case, the hardware and software requirements are the same as for the VMM management server. In larger and more complex environments, we recommend that you have the VMM library on a separate server in a highly available configuration. If you want to deploy another VMM library server, the server should fulfill the following requirements:
Windows Remote Management 2.0 (for hardware management)
RAM: at least 2 GB
Private Cloud Infrastructure Components in VMM
The key architectural concept in VMM is private cloud infrastructure. Similar to public cloud solutions, such as Windows Azure, private cloud infrastructure in VMM is an abstraction layer that shields the underlying technical complexities, and lets you manage defined resource pools of servers, networking, and storage in the enterprise infrastructure.
This concept is presented explicitly in the VMM management console user interface. With VMM, you can create a private cloud from Hyper-V, VMware ESX, and Citrix XenServer hosts, and benefit from cloud computing attributes, including self-servicing, resource pooling, and elasticity.
You can configure the following resources from the VMM management console Fabric workspace:
Networking. In the VMM management console, the Networking node is where you can define logical networks, assign pools of static IPs and media access control (MAC) addresses, and integrate
Managing Hosts and Host Groups with VMM
In addition to virtual machine management, VMM can also manage and deploy Hyper-V hosts. In VMM you can use technologies such as Windows Deployment Services to deploy Hyper-V hosts on bare metal machines and then manage them with VMM. When hosts are associated with VMM, you can configure several options, such as host reserves, quotas, permissions, cloud membership, and so on. VMM can also manage Hyper-V failover clusters.
VMM provides two new features that help optimize power and resource usage on hosts managed by VMM: dynamic optimization and power optimization. Dynamic optimization balances the virtual machine load within a host cluster, while power optimization enables VMM to evacuate balanced cluster hosts, and then turn them off to save power.
The recommended way to organize hosts in VMM is to create host groups. This greatly simplifies management tasks. A host group enables you to apply settings to multiple hosts with a single action. By default, there is a single host group in VMM named All Hosts. However, if necessary, you can create additional groups for your environment.
Use the Host group properties action for the root host group All Hosts to set default host reserves for all hosts that VMM manages. If you want to use more of the resources on some hosts instead of on other hosts, you can set host reserves differently for each host group.
Designating hosts on which users can create and operate their own virtual machines. When a VMM administrator adds self-service user roles, one part of role creation is to identify the hosts on which self-service users or groups in that role can create, operate, and manage their own virtual machines. We recommend that you designate a specific host group for this purpose.
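Creating a dedicated host group for self-service users and setting host reserves on its members, as an added example from the VMM command shell that is not part of the course text. The VMM server name, host names and reserve values are assumptions; the cmdlet and parameter names are those of VMM 2012 as I recall them, so verify them with Get-Help before running this in your environment.

```powershell
# Added example, not from the course. Server, host and group names are
# assumptions; run from the VMM command shell (virtualmachinemanager module).
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'LON-VMM1.adatum.com' | Out-Null

# Create a child host group under All Hosts for self-service workloads and
# move one managed host into it.
$root        = Get-SCVMHostGroup -Name 'All Hosts'
$selfService = New-SCVMHostGroup -Name 'Self-Service Hosts' -ParentHostGroup $root
Get-SCVMHost -ComputerName 'LON-HOST2' |
    Move-SCVMHost -ParentHostGroup $selfService

# Host reserves: capacity that placement must leave for the host itself,
# so tenants cannot starve the parent partition. Applied to every host in
# the new group (parameter names as in Set-SCVMHost, VMM 2012).
Get-SCVMHost -VMHostGroup $selfService | ForEach-Object {
    Set-SCVMHost -VMHost $_ `
        -CPUPercentageReserve 10 `
        -MemoryReserveMB 2048 `
        -DiskSpaceReserveMB 20480 `
        -NetworkPercentageReserve 10 `
        -MaxDiskIOReservation 1000
}

# Review the result.
Get-SCVMHost -VMHostGroup $selfService |
    Select-Object Name, VMHostGroup, OverallState, CPUPercentageReserve, MemoryReserveMB
```

When you later create a self-service user role, scope it to this host group rather than to All Hosts so tenant virtual machines can never be placed on the hosts that carry your infrastructure workloads.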
Deploying Virtual Machines with VMM
One of the advantages of using a virtualized environment that is managed by VMM is the flexibility that it provides to create and deploy new virtual machines quickly.
Using VMM, you can manually create a new virtual machine with new configuration settings and a new hard disk. You can then deploy the new virtual machine from one of the following sources:
A virtual machine template
A VMM library
Creating a New Virtual Machine from an Existing VHD
You can create a new virtual machine based on either a blank VHD, or on a preconfigured VHD that contains a guest operating system. VMM provides two blank VHD templates that you can use to create new disks:
Install the Virtual Machine Additions on the virtual machine.
Use Sysprep to prepare the operating system for duplication.
Deploying from a Template
For customized templates, you must prepare the operating system on the VHD by removing computer identity information. For Windows operating systems, you can prepare the VHD by using Sysprep.
Deploying from the VMM Library
If you deploy a virtual machine from the library, the virtual machine is removed from the library, and then placed on the selected host. When you use this method, you must provide the following details in the Deploy Virtual Machine wizard:
The virtual networks used for the virtual machine. You are presented with a list of the existing virtual networks on the host.
hat Are Services and
d Service Templates??
Servvices are a new
w concept in VMM.
V
You musst
und
derstand servicces fully before
e you deploy a
privvate cloud infra
astructure.
Tra
aditional Serrvices Scena
ario
Whe
en we think ab
bout services, we
w usually refe
er to
an application
a
or set of applicattions that provvide
som
me service to end-users. For example,
e
we can
dep
ploy various typ
pes of web-based services, but
b
we can
c also imple
ement a service
e such as email. In a
non
n-cloud compu
uting scenario, deployment of
o any
type
e of service usually requires users, develop
pers,
and administratorrs to work toge
ether through the
phases of creating
g a service, dep
ploying a service, testing thee service, and maintaining th
he service.
9-25
A service frequently includes several computers that must work together to provide a service to end-users.
For example, a web-based service is usually an application that deploys on a web server, connects to a
database server (which can be hosted on another computer), and performs authentication on an Active
Directory domain controller. Enabling this application requires three roles, and possibly three computers:
a web server, a database server, and a domain controller. Deploying a test environment for a service such
as this can be time and resource consuming. Ideally, developers work with IT administrators to create an
environment where they can deploy and test their web application.
With the concept of a private cloud, how you deal with services can change significantly. You can prepare
the environment for a service, and then let developers deploy it by using a self-service application such as
App Controller.
In VMM, a service is a set of one or more virtual machines that you deploy and manage together as a single entity. You configure these machines to run together to provide a service. In VMM 2008, users were able to deploy new virtual machines by using the Self-Service Portal. In VMM 2012, end-users can deploy new services. By deploying a service, users are actually deploying the whole infrastructure, including the virtual machines, network connections, and applications that are required to make the service work.
However, you can also use services to deploy only a single virtual machine without any specific purpose. Instead of deploying virtual machines in the historic way, you can now create a service that will deploy a virtual machine with, for example, Windows Server 2008 R2, and with several roles and features preinstalled and joined to the domain. This simplifies the process of creating and later updating new virtual machines.
Deploying a new service requires a high level of automation and predefined components, and requires
management software support. This is why VMM provides service templates. A service template is a
template that encapsulates everything required to deploy and run a new instance of an application.
Just as a private cloud user can create new virtual machines on demand, the user can also use service
templates to install and start new applications on demand.
1. The system administrator creates and configures service templates in VMM by using Service Template Designer.
2. The end-user application owner (for example, a developer who has to deploy the application environment) opens the App Controller console, and requests a new service deployment based on the available service templates that he or she can access. The developer can deploy the service to a private cloud where the user has access. As an alternative to App Controller, the user can also use the VMM console.
3. The request is submitted and evaluated by the VMM server. VMM searches for available resources in the private cloud, then calculates the user quota and verifies that the cloud is capable of the requested service deployment.
4. While the service is created automatically, the virtual machines and applications (if any) are deployed on the host selected by VMM.
5. The user application owner gains control over the service's virtual machines through the App Controller console, or by RDP.
6. If you need manual approval for resource creation, you can use Microsoft System Center 2012 Service Manager to create workflows for this purpose.
Information Included in the Service Template
Physical to Virtual and Virtual to Virtual Migrations
Many organizations have physical servers that they do not use fully. VMM can convert existing physical computers into virtual machines through a process known as physical-to-virtual (P2V) conversion. VMM simplifies P2V by providing a task-based wizard to automate much of the conversion process. Because the P2V process is scriptable, you can start large-scale P2V conversions through the Windows PowerShell (Powershell.exe) command line.
VMM converts an operating system that is running on physical hardware to an operating system that is running in a virtual machine in a Hyper-V environment. VMM provides a conversion wizard, which automates much of the conversion process.
In addition to converting underused physical computers, VMM supports the management, migration and conversion of other virtual machines that you create in a VMware environment. You can convert these virtual machines to Hyper-V virtual machines, place them on Hyper-V hosts, and then manage them under the VMM Administrator Console. Also, VMM and Hyper-V support migrating virtual machines from one host to another with minimal or zero downtime.
VMM 2012 allows you to convert existing VMware virtual machines to virtual machines running on the Hyper-V platform. This process is known as a V2V conversion. With V2V conversion, administrators can easily and quickly consolidate a virtual environment that is running various virtual platforms without rebuilding virtual machines from scratch or moving data.
During the conversion process, VMM converts the VMware .vmdk files to .vhd files, and makes the operating system on the virtual machine compatible with Microsoft virtualization technologies. The virtual machine that the wizard creates matches the VMware virtual machine properties, including name, description, memory, and disk-to-bus assignment.
Considerations for Deploying a Highly Available VMM Server
VMM now supports a highly available VMM server. You can use failover clustering to achieve high availability for VMM, because VMM is now a cluster-aware application. However, you should consider several things before you deploy a VMM cluster.
Before you begin the installation of a highly available VMM management server, ensure the following:
You have installed and configured a failover cluster that is running Windows Server 2008 R2, Windows Server 2008 R2 SP1, or Windows Server 2012.
Highly Available Databases and Library Servers
To achieve full redundancy, we recommend that you use a highly available SQL Server. You should install the highly available SQL Server on a separate failover cluster from the failover cluster on which you are installing the highly available VMM management server. Similarly, we also recommend that you use a highly available file server for hosting your library shares.
As a best practice, do not install the VMM Self-Service Portal on the same computer as the highly available VMM management server. If your VMM Self-Service Portal currently resides on the same computer as the VMM server, we recommend that you uninstall the VMM Self-Service Portal for VMM 2008 R2 SP1 before upgrading to VMM. We also recommend that you install the VMM Self-Service Portal on a highly available web server to achieve redundancy and load balancing.
You cannot perform a planned failover (for example, to install a security update or do maintenance on a cluster node) by using the VMM console. Instead, to perform a planned failover, use the Failover Cluster Manager console.
During a planned failover, ensure that there are no tasks actively running on the VMM management server. Any tasks that are executing during a failover will be stopped and will not restart automatically. Any connections to a highly available VMM management server from the VMM console or the VMM Self-Service Portal will also be lost during a failover. However, the VMM console can reconnect automatically to the highly available VMM management server after a failover if it was opened before you performed the failover to another VMM server.
The initial deployment of virtual machines on Hyper-V is very successful for A. Datum. As a next step in the deployment, A. Datum is now considering ways to ensure that the services and applications deployed on the virtual machines are highly available. As part of the implementation of high availability for most network services and applications, A. Datum is also considering options for making the virtual machines that run on Hyper-V highly available.
As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with failover clustering in order to ensure that the virtual machines deployed on Hyper-V are highly available. You are responsible for planning the virtual machine and storage configuration, and for implementing the virtual machines as highly available services on the failover cluster. Also, you are considering some other techniques for virtual machine high availability, such as Hyper-V Replica.
Lab Setup
Estimated time: 75 minutes
Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd
This lab should be performed with a partner. To perform this lab, you must boot the host computers to Windows Server 2012. The host computers should be in this state from the previous lab in Module 8. Make sure that you and your partner have booted into different hosts (one should boot to LON-Host1 and the other should boot to LON-Host2). Also, make sure that LON-DC1 is imported on LON-Host1 and LON-SVR1 is imported on LON-Host2, and that these VMs are started.
Before you start with cluster deployment, you decided to evaluate the new technology in Hyper-V 3.0 for replicating virtual machines between hosts. You want to be able to manually mount a copy of a virtual machine on another host if the active copy (or host) fails.
The main tasks for this exercise are as follows:
On LON-HOST1, open Hyper-V Manager and import the 20417A-LON-CORE virtual machine.
Note: The drive letter may be different based upon the number of drives on the physical host machine.
Create and use the folder E:\VMReplica as the default location to store replica files.
Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.
Wait for the initial replication to finish and make sure that the 20417A-LON-CORE VM has appeared in the Hyper-V Manager console on LON-HOST2.
Results: After completing this exercise you will have Hyper-V Replica configured.
On LON-HOST2, open Disk Management and initialize and bring online all iSCSI drives.
On LON-HOST1, open Disk Management and bring online all three iSCSI drives.
Name the cluster VMCluster.
In Failover Cluster Manager on LON-HOST1, add all three iSCSI disks to the cluster.
Verify that all three iSCSI disks appear available for cluster storage.
Add the disk with the volume name ClusterVMs to Cluster Shared Volumes.
From the VMCluster.adatum.com node, select More Actions and then configure the Cluster Quorum Settings to use typical settings.
Make sure that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk to LON-HOST1.
In Failover Cluster Manager, click the Roles node, and then start the New Virtual Machine wizard.
On LON-HOST2, in Failover Cluster Manager, start a Live Migration failover of TestClusterVM from LON-HOST2 to LON-HOST1.
Connect to TestClusterVM and make sure that you can operate it.
Perform a Move operation on LON-GUEST1. Move the VM from its current location to C:\GUEST1.
Restart both host machines, and select to boot to Windows Server 2008 R2. Log on to the host machines as directed by your instructor.
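The cluster part of the lab (create VMCluster, add the iSCSI disks, make ClusterVMs a Cluster Shared Volume, set the quorum, and make a virtual machine highly available), as an added PowerShell example that is not part of the lab text. The cluster IP address, the "Cluster Disk N" names that Add-ClusterDisk assigns, and the VM sizing are assumptions; check the disk-to-resource mapping in Failover Cluster Manager before renaming.

```powershell
# Added example, not from the lab. Addresses, disk names and VM sizing are
# assumptions. Run as a domain administrator on LON-HOST1.
Import-Module FailoverClusters
Import-Module Hyper-V

$nodes = 'LON-HOST1', 'LON-HOST2'

# Validate first: a cluster built on a failed validation is unsupported.
Test-Cluster -Node $nodes

# Create the cluster; the cluster name object is created in AD DS and
# needs a static address on the management network (address assumed).
New-Cluster -Name 'VMCluster' -Node $nodes -StaticAddress '172.16.0.50'

# Add every disk that all nodes can see.
Get-ClusterAvailableDisk -Cluster 'VMCluster' | Add-ClusterDisk

# Add-ClusterDisk names the resources "Cluster Disk N". Assumed mapping:
# Cluster Disk 1 carries the ClusterVMs volume, Cluster Disk 2 is the
# witness. Rename the VM disk, then turn it into a CSV so every node can
# open VHDs under C:\ClusterStorage\Volume1 at the same time.
$csvDisk = Get-ClusterResource -Name 'Cluster Disk 1'
$csvDisk.Name = 'ClusterVMs'
Add-ClusterSharedVolume -Name 'ClusterVMs'

# "Typical settings" for a two-node cluster with shared disks is Node and
# Disk Majority with a disk witness.
Set-ClusterQuorum -NodeAndDiskMajority 'Cluster Disk 2'

# LON-HOST1 should own the CSV for the rest of the lab.
Move-ClusterSharedVolume -Name 'ClusterVMs' -Node 'LON-HOST1'

# Create the VM on the CSV path so both nodes can reach its files, then add
# it as a clustered role. Only a highly available VM can be live migrated
# between cluster nodes.
New-VM -Name 'TestClusterVM' -MemoryStartupBytes 512MB `
       -Path 'C:\ClusterStorage\Volume1' `
       -NewVHDPath 'C:\ClusterStorage\Volume1\TestClusterVM\disk0.vhdx' `
       -NewVHDSizeBytes 20GB
Add-ClusterVirtualMachineRole -VMName 'TestClusterVM'
Start-ClusterGroup -Name 'TestClusterVM'

# Confirm the role, its owner and its state.
Get-ClusterGroup -Name 'TestClusterVM' | Select-Object Name, OwnerNode, State
```

If the VM had been created under a local path such as C:\VMs instead of the CSV, Add-ClusterVirtualMachineRole would succeed but the role could never start on the other node; creating it on the CSV path from the outset is the check VMM performs for you when it refuses placement on storage that is not visible to all nodes.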
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To make sure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSV volumes.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Troubleshooting Tip
Review Question
Do you have to implement CSV in order to provide high availability for virtual machines in VMM in
Windows Server 2008 R2?
Module 10
Implementing Dynamic Access Control
Contents:
Module Overview
Module Overview
Windows Server 2012 introduces Dynamic Access Control for enhancing access control for file- and folder-based resources. Dynamic Access Control extends regular New Technology File System (NTFS)-based access control by enabling administrators to use claims, resource properties, rules and conditional expressions to manage access. In this module you will learn about Dynamic Access Control and how to plan for and implement it.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Dynamic Access Control
Dynamic Access Control is a new technology for access management in Windows Server 2012. It offers a new way of controlling access to resources. Before you implement this technology, you should learn how it works and which components it uses. This lesson presents an overview of Dynamic Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
Compare Dynamic Access Control with alternative or similar technologies, such as NTFS permissions and Active Directory Rights Management Services (AD RMS).
Define identity.
Define Central Access Policy.
What Is Dynamic Access Control?
Because most of the data in an organization is stored on file servers, IT administrators must help provide security and access control to file server resources. In previous versions of Windows Server, most access control to file server resources was controlled by using NTFS permissions and access control lists.
Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file-system resources. It enables administrators to define central file-access policies that can apply to every file server in the organization. Dynamic Access Control helps implement security over file servers, in addition to any existing share and NTFS permissions. Dynamic Access Control ensures that regardless of how the share and NTFS permissions might change, this central policy is still enforced. The central policy is an additional gate, not a replacement: a user must pass the share permissions, the NTFS permissions, and the central access policy, so the policy can narrow access but never widen it. What Dynamic Access Control adds is the ability to combine multiple criteria into the access decision. This is something that NTFS permissions alone cannot achieve.
Dynamic Access Control provides:
Auditing of access to files. Central audit policies for compliance reporting and forensic analysis. For example, you can identify who accessed highly sensitive information.
Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for sensitive Microsoft Office documents. For example, you can configure RMS to encrypt all documents containing Health Insurance Portability and Accountability Act (HIPAA) information.
Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance reporting and forensic analysis.
Protecting sensitive information. Identify and protect sensitive information both in a Windows Server 2012 environment and when it leaves the Windows Server 2012 environment.
Access denied remediation. Improve the access denied experience to reduce the helpdesk load and incident time for troubleshooting.
Dynamic Accesss Control provvides a flexible way to apply and manage aaccess and aud
diting to domaainba
ased file servers. Dynamic Acccess Control uses claims in the authenticaation token, re
esource properties on
th
he resource, an
nd conditional expressions within
w
permissi on and auditin
ng entries. Witth this combin
nation of
fe
eatures, you ca
an now grant access
a
to files and
a folders baased on Active Directory attrributes.
Foundation Technologies for Dynamic Access Control
Dynamic Access Control combines many Windows Server 2012 technologies to provide a robust, flexible, and granular authorization and auditing experience. Dynamic Access Control uses these fundamental technologies:
Network protocols, such as TCP/IP, Remote Procedure Call (RPC), Server Message Block (SMB), and Lightweight Directory Access Protocol (LDAP). For network communications between hosts, interaction with the file system, and directory lookups, respectively.
Domain Name System (DNS). For host name resolution.
Active Directory Domain Services (AD DS) and its dependent technologies. For enterprise network management.
Windows Security (Local Security Authority [LSA], Netlogon). For secure logon transactions.
Auditing. For secure monitoring and accountability.
Several components and technologies were updated in Windows Server 2012 to support Dynamic Access Control. The most important updates are:
A new Windows authorization and audit engine that can process conditional expressions and central policies.
Kerberos authentication support for user claims and device claims.
Improved File Classification Infrastructure.
Optional Rights Management Services (RMS) extensibility support so that partners can provide solutions that encrypt non-Office files.
Dynamic Access Control Versus Alternative Technologies
Dynamic Access Control is a new technology for controlling access to file-based resources. It does not overlap with older, well-known technologies with a similar purpose. Instead, Dynamic Access Control extends the functionality of older technologies for controlling file-based resource access.
In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and their access control lists (ACLs), administrators can control access to resources based on user name or group membership, and the level of access, such as Read-only, Change, Full Control, and so on.
However, once you provide someone with, for example, Read-only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document. By implementing AD RMS, you can establish an additional level of control. Unlike NTFS permissions, which are not application aware, AD RMS sets a policy that can control document access inside the application that is being used to open it. By implementing AD RMS, you enable users to additionally protect documents within applications.
However, you cannot set conditional access to files by using NTFS and AD RMS alone. For example, you cannot set NTFS permissions in a way that users can access a document only if they are a member of some specific group and also have the attribute EmployeeType set to FTE. Or, you might want to set permissions so that only users that have a department attribute populated with the same value as the department attribute of the resource can access the content. You can accomplish this by using conditional expressions.
For these scenarios, in Windows Server 2012, you can use Dynamic Access Control. In simple terms, Dynamic Access Control enables you to take attribute values on user or resource objects into account when granting or denying access.
What Is an Identity?
We usually define identity as a set of data that uniquely describes a person or a thing (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities. Identity is usually proved by using some trusted source of information. For example, when you go to the airport, you show your passport. Your passport contains your name, address, date of birth, and photograph. Each item of personal information is a claim that is made about you by the country issuing your passport.
Your country ensures the information published in
The Windows operating system uses a similar concept of identity. An administrator creates a user account for a person in AD DS. The domain controller publishes user account information, such as a security identifier and group membership attributes. Windows creates an authorization token for the user at logon and uses it when the user accesses a resource.
We can then say that identity, with respect to authentication and authorization, is simply information published about an entity from a trusted source. The information is considered authoritative because the source is trusted.
Earlier versions of Windows Server used the security identifier (SID) to represent the identity of a user or computer. Users authenticate to the domain with a specific user name and password. The unique logon name translates into the SID. The domain controller validates the password and publishes the SID of the security principal and the SIDs of all the groups of which the principal is a member. The domain controller "claims" that the user's SID is valid and should be used as the identity of the user. All domain members trust the domain controller; therefore, the response is treated as authoritative.
Identity is not limited to the user's SID. Applications can use any information about the user as a form of identity, provided that the application trusts the source of the information to be authoritative. For example, many applications implement role-based access control. Role-based access control limits access to resources based on whether the user is a member of a specific role. SharePoint Server is a good example of software that implements role-based security. Windows Server 2012 can also take advantage of these options to extend and enhance the way identity is determined for a security principal.
What Is a Claim?
Windows Server 2008 and Windows Server 2003 use claims in Active Directory Federation Services (AD FS). In this context, claims are statements made about users (for example, name, identity, key, group, privilege, or capability), which are understood by both partners in an AD FS federation. AD FS also introduced AD DS-based claims and the ability to convert AD DS-based claim data into Security Assertion Markup Language (SAML) format. In previous versions of AD FS, the only attributes that could be retrieved from AD DS and directly incorporated into a claim were SID information for user and group accounts. All other claim information was defined within and referenced from a separate database, known as an attribute store.
New in Windows Server 2012 is the
By definition, a claim is something that AD DS states about a specific object (usually a user or computer). A claim provides some information from a trusted source about an entity. Some examples of claims are the SID of a user or computer, the department classification of a file, and the health state of a computer. All these claims state something about a specific object. In more technical language, claims state the value of a specific attribute of a user or computer object.
An entity can carry more than one claim. When configuring resource access, any combination of those claims can be used to authorize access to resources.
In Windows Server 2012, the authorization mechanism is extended so that you can use claims for authorization on files and folders, besides using just NTFS permissions based on the user's SID or group SIDs. By using claims, you can now base your access control not only on SIDs, but also on other attribute values. Because the SID is also an attribute of a user or computer object, we can say that older authorization mechanisms are, in a way, subsets of claims-based authorization.
Windows Server 2012 introduces two new types of claims: user claims and device claims. Windows Server 2012 continues to enable you to use group membership for authorization decisions.
User Claim
A user claim is information provided by a Windows Server 2012 domain controller about a user represented by a user account in AD DS. A user claim can use most of the AD DS attributes that are applicable to user objects.
Device Claim
A device claim is information provided by a Windows Server 2012 domain controller about a device represented by a computer account in AD DS. As with a user claim, a device claim, often called a computer claim, can use most of the AD DS attributes that are applicable to computer objects.
What Is a Central Access Policy?
One of the fundamental components in Dynamic Access Control technology is Central Access Policy. It is a feature in Windows Server 2012 that enables administrators to create a policy that is applied to one or more file servers. This policy is created in Active Directory Administrative Center, stored in AD DS, and applied by using Group Policy. A Central Access Policy contains one or more Central Access Policy rules. Each rule contains settings that determine applicability and permissions.
Before you create a Central Access Policy, it is mandatory that you create at least one Central Access Rule. A Central Access Rule defines all parameters and conditions that control access to a specific resource.
Name: For each Central Access Rule you should configure a descriptive name.
Target resources: A condition that defines which data the policy applies to. This is defined by specifying an attribute and its value. For example, a particular central policy might apply to any data classified as Sensitive. You can also choose to apply the rule to all resources where the Central Access Policy applies.
Permissions: A list of one or more access control entries (ACEs) that define who can access the data. For example, you can specify Full Control access to a user with the attribute EmployeeType populated with FTE. This is the key component of each Central Access Rule. You can combine and group the conditions that you place in a Central Access Rule. You can set permissions as proposed (for staging purposes) or current.
After you configure one or more central access rules, you then place these rules in Central Access Policy
which is applied to the resources.
Central Access Policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACL) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central policy that is applied to the file restricts access to the
same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but
the DACL does not allow access, then the user cannot obtain access to the file.
Before you implement Central Access Policy, you should perform several steps. The last of these is to use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a Central Access Policy exists in AD DS.
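The rule components described above (name, target resources, permissions as proposed or current) and the policy that carries them, written with the Active Directory module for Windows PowerShell. This is an added example, not code from the course: the claim type "Department", the rule and policy names, and the Finance scenario are illustrative choices, and it assumes the predefined Department resource property (ID Department_MS) is available in the forest.

```powershell
# Added example (not from the course): create a Central Access Rule and the Central
# Access Policy that carries it. "Finance Documents Rule", "Finance Data Policy" and
# the Department claim are illustrative names for this example.
Import-Module ActiveDirectory

# 1. A user claim sourced from the "department" attribute. -PassThru returns the
#    object so the generated claim ID (ad://ext/Department:...) can be reused below;
#    conditional expressions reference the ID, not the display name.
$claim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -Enabled $true -PassThru

# 2. Enable the predefined Department resource property (ID Department_MS) so it can
#    be stamped onto folders and files; predefined properties are already members of
#    the Global Resource Property List that file servers download.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true

# 3. Target resources: the rule applies only to data tagged Department = Finance.
$target = '(@RESOURCE.Department_MS == "Finance")'

# Permissions in SDDL. The XA (callback) ACE grants Read/Execute (0x1200a9) to
# Authenticated Users (AU) only when the user's Department claim equals the
# resource's Department_MS value. Owner (OW), Administrators (BA) and SYSTEM (SY)
# keep Full Control.
$restricted = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
              "(XA;;0x1200a9;;;AU;(@USER.$($claim.ID) == @RESOURCE.Department_MS))"
# Current (enforced) ACL for the staging period: the same principals, no condition.
$current    = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)"

# Proposed versus current: stage the conditional ACL first. While staged it grants
# nothing; the file server logs event 4818 whenever the proposed result differs from
# the enforced one. Promote it later with Set-ADCentralAccessRule -CurrentAcl.
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition $target `
    -CurrentAcl $current `
    -ProposedAcl $restricted

# 4. The policy that carries the rule. Deploy it with a GPO (Computer Configuration\
#    Policies\Windows Settings\Security Settings\File System\Central Access Policy),
#    then select it on the folder's Central Policy tab on the file server.
New-ADCentralAccessPolicy -Name "Finance Data Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Data Policy" -Members "Finance Documents Rule"

# 5. Check what was written to AD DS before deploying.
Get-ADCentralAccessPolicy -Identity "Finance Data Policy" -Properties Members
Get-ADCentralAccessRule -Identity "Finance Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```

Because the central policy is evaluated in addition to the share and NTFS permissions, the enforced `$current` ACL above still grants nothing that the folder's own DACL does not also grant; it only decides whether the central layer narrows access further once the proposed ACL is promoted.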
Lesson 2
Lesson Objectives
After completing this lesson, you will be able to:
Plan for file classifications.
In general, you should use Dynamic Access Control instead of traditional methods for implementing access control when you want to use more specific information for authorization purposes. NTFS and share permissions use only user or group objects, but if you want to implement more complex access control scenarios, you should use Dynamic Access Control.
Planning for Central Access Policy
Implementing Central Access Policy is not mandatory for Dynamic Access Control. However, for consistent configuration of access control on all file servers, we recommend implementing Central Access Policy. By doing that, you enable all file servers to use Central Access Policy when protecting content in shared folders.
If you decide to implement Central Access Policy, you should make a detailed plan before implementation. When planning Central Access Policy you must clearly identify and understand the business requirements for implementing Central Access Policy and Dynamic Access Control.
You should first identify the resources that you want to protect. If all these resources are on one file server or in just one folder, then you might not have to implement Central Access Policy. Instead, you can configure conditional access on the folder's ACL. If resources are distributed across several servers or folders, then you can benefit from deploying Central Access Policy. Examples of data that might require protecting are payroll records, medical history data, employee personal information, company customer lists, and so on. You can also use targeting within central access rules to identify resources where you want to apply central access policy.
After you identify resources, you should define criteria for protection. This is usually defined by business requirements. Some examples are:
All documents that have the property Confidentiality set to High must be available only to managers.
Planning File Classifications
When planning implementation of Dynamic Access Control, you should include File Classifications in complete scenarios. Although file classifications are not mandatory for Dynamic Access Control, they can greatly enhance the automation of the entire process. For example, if you require that all documents with classification Confidentiality: High must be accessible to top management only, regardless of the server on which the documents exist, you should first ask yourself how you identify these documents, and how to classify them appropriately.
File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file. Classification properties are defined centrally in AD DS so that these definitions can be shared across file servers in the organization. You can create classification rules that scan files for a standard string or for a string that matches a pattern (regular expression). When a configured classification parameter is found in a file, that file is classified as configured in the classification rule.
When planning for file classifications, you should do the following:
Identify which classification or classifications you want to apply to documents.
You configure file classifications in the File Server Resource Manager console.
When you have defined the classifications, you can plan the implementation of Dynamic Access Control by defining conditional expressions that enable you to control access to highly confidential documents based on particular user attributes.
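A content-based classification rule of the kind described above, built with the FileServerResourceManager module on a Windows Server 2012 file server. This is an added example, not from the course: it assumes the FSRM role service is installed, that the predefined Department resource property (ID Department_MS, which includes the value Finance) has been enabled in AD DS, and that D:\Data is the folder to scan; the regular expression and the cost-center format it matches are constructed for this example.

```powershell
# Added example (not from the course): tag files whose content matches a pattern with
# Department = Finance so that a rule targeting @RESOURCE.Department_MS picks them up.
# D:\Data and the "FIN-nnnn" cost-center pattern are constructed for this example.
Import-Module FileServerResourceManager

# 1. Pull the resource property definitions published in AD DS, so that FSRM can
#    offer Department_MS as a classification property on this server.
Update-FsrmClassificationPropertyDefinition

# 2. Content rule: scan D:\Data for the pattern and set Department_MS to "Finance".
#    ReevaluateProperty Overwrite lets a later scan replace an earlier value, so a
#    file that is edited to remove the marker is re-classified rather than frozen.
New-FsrmClassificationRule -Name "Tag Finance cost-center documents" `
    -Namespace @("D:\Data") `
    -ClassificationMechanism "Content Classifier" `
    -Property "Department_MS" -PropertyValue "Finance" `
    -ContentRegularExpression @('(?i)\bcost\s*cent(er|re)\s*:\s*FIN-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. Run the classification now instead of waiting for the schedule, then show the
#    classification configuration and the rules this server will apply.
Start-FsrmClassification
Get-FsrmClassification
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, Namespace
```

A regular expression over file content is only as safe as its false-positive rate: a pattern that is too loose silently widens the set of files a department-scoped rule will later restrict or expose, so test the expression against a sample of real documents before enabling the rule on production namespaces.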
Planning File Access Auditing
In Windows Server 2008 R2 and Windows Server 2012, you can use new advanced audit policies to implement more detailed and more precise auditing on the file system. In Windows Server 2012, you can also implement auditing together with Dynamic Access Control to take advantage of the new Windows security auditing capabilities. By using conditional expressions, you can configure auditing to be implemented only in specific cases. For example, you might want to audit attempts to open shared folders only by users located in countries other than the country where the shared folder is located.
With Global Object Access Auditing, administrators can define computer SACLs per object type for either
the file system or registry. The specified SACL is then automatically applied to every object of that type.
You can use a Global Object Access Audit Policy to enforce the object access audit policy for a computer,
file share, or registry without configuring and propagating conventional SACLs. Configuring and
propagating SACLs is a more complex administrative task and it is difficult to verify, particularly if you
must verify to an auditor that security policy is being enforced.
Auditors can prove that every resource in the system is protected by an audit policy by just viewing the
contents of the Global Object Access Auditing policy setting.
Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access
Auditing policy to log all activity for a specific user and enabling the Access Failures audit policies in a
resource (file system, registry) can help administrators quickly identify which object in a system is denying
a user access.
You should make an audit plan before you implement any auditing. In the auditing plan you should
identify resources, users, and activities that you want to track. You can implement auditing for several
scenarios, such as:
Tracking changes to user and machine attributes. As with files, users and machine objects can have
attributes, and changes to these can affect whether users can access files. Therefore it can be valuable
to track changes to user or machine attributes. Users and machine objects live in AD and therefore
changes to their attributes can be tracked using Directory Service Access Auditing.
Get more information from user logon events. In Windows Server 2012, the user logon event (4624) contains information about the attributes of the user that logged on (the user and device claims themselves are written to the companion event 4626 when the User/Device Claims audit subcategory is enabled). You can take advantage of this additional information by using audit log management tools to correlate user logon events with object access events, and enabling event filtering based on both file attributes and user attributes.
Provide more information from object access auditing. In Windows Server 2008 R2 and Windows
Server 2012 File Access events (4656, 4663) now contain information about the attributes of the file
that was accessed. This additional information can be used by event log filtering tools to help you
identify the most relevant audit events.
Track changes to Central Access Policies, Central Access Rules and Claims. These objects define the
central policy that you can use to control access to critical resources. Tracking changes to these could
be important for the organization. Since all of these objects are stored in AD DS you can audit them
just as any other securable object in Active Directory by using the Directory Service Access Auditing.
Tracking changes to file attributes. File attributes determine which Central Access Policy applies to the
file. A change to the file attributes can potentially affect the access restrictions on the file. You can
track changes to file attributes on any machine by configuring Authorization Policy Change auditing
and Object Access auditing for File Systems. Event 4911 has been introduced to differentiate this
event from other Authorization policy change events.
Planning Access Denied Assistance
Access Denied Assistance helps end users to determine the reason why they cannot access a resource. It also helps IT staff to properly diagnose a problem and properly direct the resolution. Windows Server 2012 enables you to customize access denied messages as well as to provide users with the ability to request access without contacting the help desk or IT team. In combination with DAC, Access Denied Assistance can inform the file administrator of the user and resource claims, enabling him to make educated decisions to adjust policies or fix user attributes (for example, if department is written as HR instead of Human Resources).
When planning for Access Denied Assistance, you should include the following:
Create the email text that users use to request access. If you allow users to request access for resources, you can prepare text that is added to the end of their email message.
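The file-server side of the planning items above, configured with the FileServerResourceManager module. This is an added example, not from the course: the message text is constructed, and the parameter names are those of Set-FsrmAdrSetting as shipped in the Windows Server 2012 module, which Get-Help Set-FsrmAdrSetting will confirm on the server.

```powershell
# Added example (not from the course): enable Access Denied Assistance on a file
# server, customise the message users see, let them request access by email, and
# include the user and device claims in the request so the owner can see why the
# conditional expression failed. The message text is constructed for this example.
Import-Module FileServerResourceManager

Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You do not have access to this folder. Use Request assistance and name the project; the data owner will check your department and employee type before granting access." `
    -EmailRequestEnabled $true `
    -MailToOwner $true `
    -IncludeUserClaims $true `
    -IncludeDeviceClaims $true

# Show the effective settings for the access-denied event.
Get-FsrmAdrSetting -Event AccessDenied
```

Clients only show the custom message and the request option when the Group Policy setting Enable access-denied assistance on client for all file types (Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance) is applied to them; without it, users still get the generic access denied dialog.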
Planning Policy Changes
After you implement a Dynamic Access Control infrastructure, you might have to implement changes. For example, you might have to change some conditional expression, or you might want to change claims. You must carefully plan any change to Dynamic Access Control components.
Windows Server 2012 enables you to stage policy changes. A change to a Central Access Policy can severely affect access control. For example, a change could potentially grant more access than desired, or an overly restrictive change in policy could generate an excessive number of helpdesk calls. It is therefore important to test changes before implementation. For this purpose, Windows Server 2012 introduces the concept of staging. Staging enables you to verify proposed policy changes before enforcing them. To use policy staging, proposed policies are deployed along with the enforced policies but do not actually grant or deny permissions. Instead, Windows logs an audit event (4818) any time the result of the access check using the staged policy is different from the result of an access check using the enforced policy. Event 4818 is logged only when the Central Policy Staging subcategory of Object Access auditing is enabled on the file server.
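The auditing scenarios listed under Planning File Access Auditing and the staging check described above produce Security log events on the file server and on domain controllers. The following added example (not from the course) turns on the audit subcategories those scenarios depend on and collects the events the text cites; the subcategory names are the auditpol names, and the auditpol commands must run from an elevated prompt.

```powershell
# Added example (not from the course): enable the audit subcategories behind the
# scenarios above and summarise the resulting events. Run on a file server; the
# Directory Service Changes line applies on domain controllers.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Global Object Access Auditing for one account: every file the account fails to
# read or write is audited without touching individual SACLs (diagnostic scenario).
# CONTOSO\jsmith is a constructed account name.
auditpol /resourceSACL /set /type:File /user:"CONTOSO\jsmith" /failure /access:FRFW

function Get-DacAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $ids = @{
        4656 = 'Handle requested (file access attempt)'
        4663 = 'Object accessed'
        4818 = 'Staged CAP result differs from enforced policy'
        4911 = 'Resource attributes of an object changed'
        5136 = 'Directory object modified (claims, CAR, CAP, user attributes)'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten EventData into a name/value table so fields can be read by name.
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                What    = $ids[$_.Id]
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Access  = $data['AccessList']
            }
        }
}

# 4818 is the staging signal: each one is a user who would be treated differently by
# the proposed rule than by the enforced one. Review these before promoting the ACL.
Get-DacAuditEvents -Hours 24 | Where-Object Id -eq 4818 | Format-Table -AutoSize
```

A day without any 4818 events is only meaningful if the staged rule was actually exercised: confirm with the 4663 records that users in and outside the target department opened files under the tagged folders during the staging window, otherwise the absence of differences proves nothing.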
Lesson 3
Implementing and Configuring Dynamic Access Control
To implement and configure Dynamic Access Control you must perform several steps and configure several objects. In this lesson, you will learn about implementing and configuring Dynamic Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
Prerequisites for Implementing Dynamic Access Control
Because Dynamic Access Control is a new technology in Windows Server 2012, you must ensure that certain prerequisites are fulfilled before implementation.
To implement claims-based authorization for resource access, you must implement the following:
At least one Windows Server 2012 domain controller accessible by the Windows client computer in the user's domain. The new authorization and auditing mechanism requires extensions to AD DS. These new extensions build the Windows claim dictionary, which is where Windows stores claims for an Active Directory forest. Claims authorization also relies on the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains Kerberos enhancements required to transport claims within a Kerberos ticket and Compound Identity. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring. Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling (FAST). It provides a protected channel between the Kerberos client (LSA and Netlogon) and the KDC.
Although a Windows Server 2012 domain controller is required, there is no requirement for a Windows Server 2012 domain and forest functional level, unless you want to use claims across a forest trust. This means that you can also have domain controllers on Windows Server 2008 and Windows Server 2008 R2 with the forest functional level on Windows Server 2008.
Note: Implementing Dynamic Access Control in a multiple-forest scenario has additional setup requirements.
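A check of the prerequisites listed above, run from a domain-joined machine with the Active Directory module. This is an added example, not from the course. It relies on two facts outside the text: a schema extended for Windows Server 2012 reports objectVersion 56, and the claims dictionary lives under CN=Claims Configuration,CN=Services in the configuration partition.

```powershell
# Added example (not from the course): verify the AD DS prerequisites for Dynamic
# Access Control before enabling it. 56 is the objectVersion of a Windows Server 2012
# schema; the Claims Configuration container is created by the WS2012 forest prep.
Import-Module ActiveDirectory

function Test-DacPrerequisites {
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $forest  = Get-ADForest
    $dcs     = Get-ADDomainController -Filter * |
               Select-Object HostName, Domain, OperatingSystem
    $dc2012  = @($dcs | Where-Object { $_.OperatingSystem -like '*Windows Server 2012*' })

    # Presence of the claims dictionary container shows the schema/forest prep ran.
    $claimsDn = "CN=Claims Configuration,CN=Services," + $rootDse.configurationNamingContext
    $hasClaimsContainer = $false
    try {
        $null = Get-ADObject -Identity $claimsDn
        $hasClaimsContainer = $true
    } catch { }

    [pscustomobject]@{
        SchemaVersion          = $schema.objectVersion          # 56 = Windows Server 2012
        SchemaIsWS2012         = ($schema.objectVersion -ge 56)
        ForestMode             = $forest.ForestMode               # matters only for claims across forest trusts
        DomainControllers      = $dcs
        WS2012DomainController = ($dc2012.Count -gt 0)
        ClaimsConfigContainer  = $hasClaimsContainer
        Ready                  = ($schema.objectVersion -ge 56) -and ($dc2012.Count -gt 0) -and $hasClaimsContainer
    }
}

Test-DacPrerequisites | Format-List
```

Ready means the directory can store claims and at least one domain controller can issue them; it does not prove that the client in a given site will reach a Windows Server 2012 domain controller, which depends on site topology and is the condition the first prerequisite actually states.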
Enabling Support in AD DS for Dynamic Access Control
After fulfilling the software requirements for enabling Dynamic Access Control support, you must enable claim support for the Windows Server 2012 KDC. Kerberos support for Dynamic Access Control provides a mechanism for including user claim and device authorization information in a Windows authentication token. Access checks on resources, such as files and folders, use this authorization information when evaluating access.
You should first use Group Policy to enable AD DS for Dynamic Access Control. Because this setting is specific to domain controllers, you can create a new Group Policy Object (GPO) and link it to the Domain Controllers Organizational Unit (OU), or edit the Default Domain Controllers GPO that is already linked to that OU.
Whichever method you choose, you should open the Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. In this node, open the setting called Support Dynamic Access Control and Kerberos armoring.
You can configure this policy setting by choosing one of the four listed options:
Do not support Dynamic Access Control and Kerberos armoring
Support Dynamic Access Control and Kerberos armoring
Always provide claims and FAST RFC behavior
Also fail unarmored authentication requests
You use the last two options only when all the domain controllers are Windows Server 2012 domain controllers and the domain functional level is configured to Windows Server 2012. The Always provide claims and FAST RFC behavior policy setting and the Also fail unarmored authentication requests policy setting enable Dynamic Access Control and Kerberos armoring for the domain. However, the latter policy setting requires all Kerberos Authentication Service (AS) and Ticket-Granting Service (TGS) communication to use Kerberos armoring, so clients that cannot armor their requests will fail to authenticate.
Windows Server 2012 domain controllers read this configuration while other domain controllers ignore this setting.
Implementing Claims and Resource Property Objects
After you enable support for Dynamic Access Control in AD DS, you next create and configure claims and resource property objects.
Creating and Configuring Claim Types
The primary method to create and configure claims is to use the Active Directory Administrative Center (ADAC) console. You use ADAC to create attribute-based claims, which are the most common. However, you can also use the Active Directory Module for Windows PowerShell to create certificate-based claims. All claims are stored in the configuration partition of AD DS. Because this partition is forest wide, all domains within that forest share the claim dictionary, and domain controllers from those respective domains issue claim information during user and computer authentication.
In the Actions pane, when you click Create Claim Type, you see the list of attributes. These attributes (for user or computer objects) are used to source values for claims. When you create a claim, you associate the claim to the specific attribute. The value of that attribute is populated as the claim value. It is therefore important that the information contained in Active Directory attributes that are used to source claim types is accurate, or remains blank. Because the claim value is read straight from the attribute, whoever can write that attribute (for example, helpdesk staff delegated to edit department) can change the access decision; treat write permission on source attributes as security-sensitive.
When you select the attribute that you want to use to create a claim, you also must provide a name for the claim. The suggested name for the claim is always the same as the selected attribute name. However, you can also provide an alternate or more meaningful name for the claim. Optionally, you can also provide suggested values for a claim. This is not mandatory, but if you do it, you can reduce the possibility of making mistakes.
Note: Claim types are sourced from AD DS attributes. That is why you must configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty. Depending on the configuration of the Resource Property Object attributes on the data files, a null value in a claim may result in the user being denied access to DAC-protected data.
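A data-quality check for the situation the note describes: accounts whose source attribute is empty (no claim will be issued) or holds a value outside the claim's suggested values (the HR versus Human Resources mismatch that Access Denied Assistance later surfaces). This is an added example, not from the course; it assumes a claim type with display name "Department" exists, and the helper name Test-ClaimSourceData is an invention of this example.

```powershell
# Added example (not from the course): report users who will authenticate without a
# given attribute-based claim, or with a value that no conditional expression written
# against the suggested values will match. Test-ClaimSourceData is a constructed name.
Import-Module ActiveDirectory

function Test-ClaimSourceData {
    param([Parameter(Mandatory)][string]$ClaimTypeDisplayName)

    $claim = Get-ADClaimType -Filter "DisplayName -eq '$ClaimTypeDisplayName'" `
                             -Properties SourceAttribute, SuggestedValues
    if (-not $claim) { throw "Claim type '$ClaimTypeDisplayName' not found." }

    $attr    = $claim.SourceAttribute                           # e.g. "department"
    $allowed = @($claim.SuggestedValues | ForEach-Object { $_.Value })

    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $attr

    # Empty attribute: the DC issues no claim, so any ACE keyed on it cannot match.
    $missing = @($users | Where-Object { -not $_.$attr })

    # Value present but not in the suggested list (only meaningful if a list exists).
    $offList = @()
    if ($allowed.Count -gt 0) {
        $offList = @($users | Where-Object { $_.$attr -and ($allowed -notcontains $_.$attr) })
    }

    [pscustomobject]@{
        ClaimType        = $claim.DisplayName
        SourceAttribute  = $attr
        UsersChecked     = $users.Count
        MissingAttribute = @($missing | Select-Object -ExpandProperty SamAccountName)
        ValueNotInList   = @($offList | Select-Object SamAccountName, @{ n = $attr; e = { $_.$attr } })
    }
}

# List the accounts to fix before a policy starts depending on the claim.
Test-ClaimSourceData -ClaimTypeDisplayName "Department" | Format-List
```

Fixing these accounts before enforcement keeps the Access Denied Assistance mailbox empty of self-inflicted tickets; after enforcement, the same report is the quickest way to explain a denial that the resource property and rule would otherwise seem to allow.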
Creating and Configuring Resource Properties
man
nage Resource
e Property obje
ects in the Resource Propertties container iin the Dynamic Access Control
nod
de in ADAC. Yo
ou can create your
y
own resource propertiees or you can u
use one of pre
econfigured
properties, such as
a Country, Department, Fold
der Usage, etc.. All predefineed Resource Prroperty objectss are
disa
abled by defau
ult. If you wantt to use any of them, you sho
ould first enab
ble it. If you waant to create yyour
own
n Resource Pro
operty object, you
y can speciffy the propertyy type and allo
owed or sugge
ested values.
Whe
en you create Resource Prop
perty objects you
y can select properties to include on the
e files and fold
ders.
Win
ndows uses the
e values in these properties with
w the value s from user an
nd device claim
ms when evaluating
file authorization and auditing.
er you have co
onfigured user and device cla
aims and resou
urce propertiees, you must th
hen protect the
e
Afte
file and folders ussing conditiona
al expressions that evaluate user and devicce claims against values with
hin
reso
ource propertie
es, or constantt values. You can
c do this in ttwo ways. If yo
ou want to focus on specific
fold
ders, you can use
u the advancced security setttings editor to
o create condiitional expresssions directly in
n the
secu
urity descriptor. Alternativelyy, to cover several (or all) filee servers, you ccan create Cen
ntral Policy rules
and link those rules to Central Policy
P
objects. You can then deploy Centraal Policy objeccts to file serve
ers
usin
ng Group Policcy and configu
ure the share to
o use the Centtral Policy objeect. Using Central Access Policies
is th
he most efficient and preferrred method for securing filess and folders. It is discussed in the next topic. If
you want to cover certain files with
w a common set of propeerties across vaarious folders o
or files, you can also
use file classification.
You can use claim and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to true for Windows to grant the permission entry for authorization. For example, if you define a claim Department for a user (with a source attribute department) and define a resource property object called Dept, you can define a conditional expression that says: User can access a folder (with applied resource property objects) only if the user attribute department value is equal to the value of property Dept on the folder. Note, however, that if the resource property Dept has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data. To be clear, access is controlled not by the claim, but by the Resource Object. The claim must provide the correct value corresponding to the requirements set by the Resource Object. If the Resource Object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.
Implementing Central Access Rules and Policy
Central Access Policy enables you to manage and deploy consistent authorization throughout the enterprise through Central Access Rules and Central Access Policy objects. Central Access Policy helps act as a security net that an organization applies across its servers. You use Group Policy to deploy Central Access Policy, and you apply Central Access Policy to all file servers that will use Dynamic Access Control. Central Access Policy is not mandatory for using Dynamic Access Control. It just enables you to deploy a consistent configuration to several file servers.
The main component of Central Access Policy is Central Access Rule. In fact, Central Access Policy objects
represent a collection of Central Access Rule objects that you apply to Windows Server 2012 file servers
using Group Policy. You should create a Central Access Rule before you create Central Access Policy
because a Central Access Rule contains multiple criteria that Windows uses when evaluating access. A
Central Access Rule can use conditional expressions to target specific files and folders. Each Central
Access Rule has multiple permission entry lists that you use to manage the rule's current permission
entries, or proposed permission entries, or return the rule's current permission entry list to its last known
list of permission entries. Each Central Access Rule can be a member of one or more Central Access Policy
objects.
When you start to create a new Central Access rule, you must first provide a name and description for the
rule. You can also choose to protect the rule against accidental deletion.
Next, you configure Target Resources. You use the Target Resource section to create a scope of
applicability for the access rule. You create the scope by using resource properties within one or more
conditional expressions. To make it simple, you can keep the default value (All resources), but usually you
apply some resource filtering. You can join these conditional expressions using logical operators, such as
AND and OR. Additionally, you can group conditional expressions together to combine the result of two
or more joined conditional expressions. The Targeted Resource box displays the currently configured
conditional expression that is used to control the rule's applicability.
Finally, you configure permissions. There are two choices for permissions:
Use this option to add the permission entries in the permission list to the list of proposed permission
entries for the newly created Central Access Rule. You use the proposed permission list combined
with file system auditing, to model the effective access users have to the resource without changing
the permission entries in the current permissions list. Proposed permissions write a special audit event
to the event log that describes the proposed effective access for the user.
Use this option to add the permission entries in the permission list to the list of current permissions
entries for the newly created Central Access Rule. The current permissions list represents the
additional permissions Windows considers when the Central Access Rule is deployed to a file server.
Central Access Rules do not replace the existing security. When making authorization decisions,
Windows evaluates permission entries from Central Access Rule's current permissions list, NTFS, and
share permissions lists.
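The conditional-expression example above (a Department claim matched against a Department resource property) and the Central Access Rule and Policy just described, built with the ActiveDirectory module instead of ADAC. This is an added example, not code from the 20417A courseware; it assumes it runs on a Windows Server 2012 domain controller (or an RSAT host) as a Domain Admin, that the claim ID ad://ext/Department and the names Department Match and DAC Policy are chosen here, and that Department_MS is the predefined Department resource property.

```powershell
# Added example (not from the courseware): claim, resource property, Central Access
# Rule (current + proposed ACL) and Central Access Policy via the ActiveDirectory module.
# Assumptions: Windows Server 2012 DC or RSAT host, Domain Admin, claim ID chosen here.
Import-Module ActiveDirectory

# 1. User claim sourced from the 'department' attribute. A DC issues no claim when
#    the attribute is empty, so such a user cannot satisfy the condition in step 3.
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'Department'")) {
    New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
        -ID 'ad://ext/Department' -AppliesToClasses @('user') -Enabled $true
}

# 2. Predefined resource properties are disabled by default; enable Department and
#    make sure it is in the Global Resource Property List that file servers download.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_MS'

# 3. Rule scope: only resources that actually carry a Department value. Files without
#    the property fall outside the rule, which is the caveat in the text: the claim
#    restricts nothing unless the resource property has been applied.
$targetResources = '(Exists @RESOURCE.Department_MS)'

# Current ACL: Owner and Administrators get Full Control; Authenticated Users get
# Modify (0x1301BF) only when their Department claim equals the resource's Department.
$currentAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
               '(XA;;0x1301BF;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

# Proposed ACL: a stricter variant that is only modelled. With Central Policy Staging
# auditing enabled it produces event 4818 for every user whose access would differ,
# without changing anyone's real access.
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
               '(XA;;0x1301BF;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && (@USER.ad://ext/Department == "Marketing")))'

if (-not (Get-ADCentralAccessRule -Filter "Name -eq 'Department Match'")) {
    New-ADCentralAccessRule -Name 'Department Match' `
        -ResourceCondition $targetResources `
        -CurrentAcl $currentAcl -ProposedAcl $proposedAcl `
        -ProtectedFromAccidentalDeletion $true
}

# 4. A policy is a collection of rules; Group Policy publishes it to the file servers,
#    and the share's Advanced Security settings then select it.
if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq 'DAC Policy'")) {
    New-ADCentralAccessPolicy -Name 'DAC Policy'
}
Add-ADCentralAccessPolicyMember -Identity 'DAC Policy' -Members 'Department Match'

# Review what was built. NTFS and share permissions still apply on top of this rule.
Get-ADCentralAccessPolicy -Identity 'DAC Policy' -Properties Members |
    Select-Object Name, Members
```

The proposed ACL is the piece worth keeping: deploying the rule with a proposed list first and reading the 4818 staging events tells you who would lose access before the current list is ever tightened.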
Implementing File Access Auditing
Dynamic Access Control enables you to create targeted audit policies using expressions based on user, computer and resource claims. For example, you could create an audit policy to track all Read and Write operations on files classified as High Confidential by employees who do not have a High Security Clearance attribute populated with the appropriate value. You can author expression-based audit policies directly on a file or folder or centrally via Group Policy using Global Object Access Auditing. By using this approach you do not prevent unauthorized access, but register attempts to access the content by unauthorized people.
Global Object Access Auditing includes the File system and registry subcategory.
You configure Global Object Access Auditing when you enable Object Access auditing and Global Object Access Auditing. Enabling Object Auditing turns on auditing for the computer that applies the policy setting. However, enabling auditing alone does not always generate auditing events. The resource, in this instance files and folders, must contain audit entries.
We recommend configuring Global Object Access Auditing for the enterprise by using the security policy of a domain-based GPO. The two security policy settings required to enable Global Object Access Auditing are located at these locations:
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policy\Global Object Access Auditing\File System
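The same two settings applied locally with auditpol, followed by a query that collects the resulting events, as an added example that is not part of the courseware. It assumes it runs elevated on the file server; the subcategory names and the resource-SACL syntax are those of auditpol on Windows Server 2012, and event IDs 4663 (object access) and 4818 (proposed Central Access Policy does not grant the same access as the current policy) are the standard Security-log IDs.

```powershell
# Added example (not from the courseware): local auditpol equivalent of the two
# GPO settings above, plus a reader for the events they produce.
# Assumptions: elevated on the Windows Server 2012 file server.

# Object Access\Audit File System for both outcomes, plus Central Policy Staging so
# that proposed permissions in a Central Access Rule are modelled (event 4818).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable

# Global Object Access Auditing for the file system: every file gets an implicit
# SACL that audits write attempts by anyone. Without this, or explicit audit entries
# on the folder, enabling the subcategory alone produces no events.
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW
auditpol /resourceSACL /view /type:File

# Collect the events a reviewer looks at after a test access to a DAC-protected share.
function Get-DacAuditEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4818 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Field positions differ between event IDs, so read the EventData by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = $data['SubjectUserName']
            Object  = $data['ObjectName']
            Access  = $data['AccessMask']   # empty for 4818, which has no mask
        }
    }
}

Get-DacAuditEvents | Format-Table -AutoSize
```

A resource SACL for Everyone with write access on every file is noisy on a busy server; scope it to the access types you need to review, and keep in mind that a domain GPO with the settings shown above overrides whatever auditpol sets locally.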
Implementing Access Denied Assistance
One of the most common errors that users receive when they try to access a file or folder on a remote file server is an access denied error. Usually, this error occurs when a user tries to access a resource without having proper permission or because of incorrectly configured permissions or resource access control list (ACL). If you are using Dynamic Access Control, things can be even more complicated. Users who might otherwise have permissions, but for example have a relevant attribute in their account misspelled, will not be granted access.
When users receive this kind of error, they usually try to contact the administrator to obtain access. However, administrators usually do not approve access to resources, so users are then redirected to someone else for approval.
In Windows Server 2012 there is a new technology to help both users and administrators in such situations. This technology is called Access Denied Assistance. It helps users respond to access denied issues without involving IT staff by providing information about the problem and directing users to the proper person.
Access-denied Remediation
The Access Denied Assistance technology in Windows Server 2012 provides three ways for troubleshooting issues with access denied errors:
Self-remediation. Windows Server 2012 provides a way to create customized access-denied messages that are authored by the server administrator. By using the information in these messages, users can try to self-remediate access-denied cases. For example, the user may be directed to first map to a computer using a particular drive letter. The message can also include URLs to direct the users to self-remediation websites that are provided by the organization. For example, the URL might direct the user to change their password to an application or download a refreshed copy of client-side software.
Remediation by the data owner. In Windows Server 2012, administrators can define owners for shared folders. This enables users to send an email to the data owners to request access. For example, if the user was accidentally left off a security group membership, the data owner may be able to add the user to the group. If the data owner does not know how to help the user get access, he or she can forward this information to the appropriate IT administrator. This is helpful because the number of user support requests escalated to the support desk should be limited to special, difficult-to-resolve cases.
Remediation by Help Desk and file server administrators. If the user cannot self-remediate the issue or the data owner cannot help, Windows Server 2012 provides a user interface where administrators can view the effective permission for users for a file or folder so that it is easier to troubleshoot access issues. Examples of when an administrator should be involved are cases where attributes, either claims and/or resource objects, have been incorrectly defined or contain incorrect information, or when the data itself seems to be corrupted.
You enable Access Denied Assistance by using Group Policy. You open the Group Policy Object editor and navigate to Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance. In this node, you can enable Access Denied Assistance, and also, you can provide customized messages for users. Alternatively, you can also use the File Server Resource Manager console to enable access-denied assistance. However, if this feature is enabled in Group Policy, the appropriate settings in the File Server Resource Manager console are disabled for configuration.
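The File Server Resource Manager route described above, done from Windows PowerShell, as an added example that is not part of the courseware. It assumes it runs elevated on a Windows Server 2012 file server with the File Server Resource Manager role service installed, uses the message text from the lab in this module, and the SMTP server and mailbox names are constructed placeholders.

```powershell
# Added example (not from the courseware): enable Access Denied Assistance and
# data-owner remediation with the FileServerResourceManager module.
# Assumptions: elevated on a file server with FSRM installed; the SMTP server and
# mailbox addresses below are constructed placeholders.
Import-Module FileServerResourceManager

# Current state first: if the GPO setting in the text is applied, FSRM shows it as
# configured but the options here are read-only, so this is the check to make.
$before = Get-FsrmAdrSetting -Event AccessDenied
"Access Denied Assistance enabled before: $($before.Enabled)"

# Self-remediation message (the lab's text) plus "request access" so the user can
# mail the data owner instead of the help desk.
Set-FsrmAdrSetting -Event AccessDenied -Enabled `
    -DisplayMessage 'You are denied access because of permission policy. Please request access.' `
    -AllowRequests -MailToOwner

# Owner remediation mails need an SMTP relay and a sender; the admin address is
# where requests go when a share has no owner defined.
Set-FsrmSetting -SmtpServer 'smtp.adatum.com' `
    -FromEmailAddress 'fileserver@adatum.com' `
    -AdminEmailAddress 'fsadmins@adatum.com'

# Verify the result.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Event, Enabled, DisplayMessage, AllowRequests, MailToOwner
```

Use the Group Policy path when several file servers must behave the same way; the FSRM cmdlets above configure one server and are the right tool for a single server or for checking what a GPO actually applied.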
Implementing File Classifications
To effectively implement Dynamic Access Control technology, you must have well-defined claims and resource properties. Although claims are defined by attributes of a user or a device, resource properties are most often manually created and defined. File Classifications enable administrators to define automatic procedures for defining a desired property on the file, based on a condition specified in a classification rule. For example, you can set the property Confidentiality to High on all documents whose content contains the word secret. You can then use this property in Dynamic Access Control to specify, for example, that only employees with the attribute employeetype set to Manager can access those documents that are classified with high confidentiality.
In Windows Server 2008 R2 and Windows Server 2012, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.
Classification Management is designed to ease the burden and management of data that is spread out in the organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification infrastructure in Windows Server 2008 R2 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification and apply corporate requirements for managing data based on business value.
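The classification rule from the example above (Confidentiality set to High on every file whose content contains the word secret), created with the FileServerResourceManager module rather than the console, as an added example that is not part of the courseware. It assumes it runs elevated on a Windows Server 2012 file server with the FSRM role service, that C:\Docs is the folder from the lab, and that Confidentiality_MS is the predefined resource property published from AD DS; the value that represents High is looked up from the property definition rather than assumed.

```powershell
# Added example (not from the courseware): automatic classification rule that tags
# files containing "secret" with Confidentiality = High, then runs it once.
# Assumptions: elevated on a file server with FSRM; C:\Docs is the lab folder.
Import-Module FileServerResourceManager

# Pull the resource property definitions published in AD DS so FSRM knows about
# Confidentiality_MS (the "Refresh Classification Properties" step in the lab).
Update-FsrmClassificationPropertyDefinition
$def  = Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality_MS'
$high = ($def.PossibleValue | Where-Object { $_.DisplayName -eq 'High' }).Name
if (-not $high) { throw 'Confidentiality_MS has no value named High; check the AD resource property.' }

# Content classifier over C:\Docs: a case-insensitive match on "secret" sets the
# property. Overwrite re-evaluates files that were classified earlier, as in the lab.
if (-not (Get-FsrmClassificationRule -Name 'Secret content' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name 'Secret content' `
        -Namespace @('C:\Docs') `
        -ClassificationMechanism 'Content Classifier' `
        -ContentString @('secret') `
        -Property 'Confidentiality_MS' -PropertyValue $high `
        -ReevaluateProperty Overwrite
}

# Run classification now instead of waiting for the schedule, then show the job
# state and report path. Files that contain "secret" now carry Confidentiality = High
# and can be targeted by a Central Access Rule on that property.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification | Format-List
```

Looking the value up from Get-FsrmClassificationPropertyDefinition matters because ordered-list properties store an internal value, not the display name you see in Explorer; hard-coding "High" would create a rule that never matches.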
You can use file classification to perform the following actions:
1.
2.
3.
In the Active Directory Administrative Center, create claims for department and employeetype
attributes.
2.
3.
Create Central Access rule to enable members of IT group to access resources if user department
attribute matches resource department.
4.
The Research team at A. Datum performs some highly confidential work that provides much value to the
business. Managers and Research departments at A. Datum frequently store files that contain business-critical information on the company file servers. The security department wants to ensure that these
confidential files are only accessible to suitably authorized personnel and that all access to these files be
audited.
As one of the senior network administrators at A. Datum, you are responsible for addressing these security
requirements by implementing Dynamic Access Control on the file servers. You plan to work closely with
the business groups and the security department in identifying which files must be secured, and who
should have access to these files. Then you plan to implement Dynamic Access Control based on the
company requirements.
Objectives
Plan Dynamic Access Control Deployment and prepare AD DS for Dynamic Access Control.
Lab Setup
Estimated time: 90 minutes
Virtual machines
20417A-LON-DC1
20417A-LON-SVR1
20417A-LON-CL1
20417A-LON-CL2
User Name
Adatum\Administrator
Password
Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
b.
Password: Pa$$w0rd
5.
6.
A. Datum must ensure that documents used by the Research department and managers are secured.
Most of the files used by these departments are stored in shared folders dedicated to these departments,
but sometimes confidential documents appear in other shared folders. Folders that belong to Research
department should be accessed and modified only by members of Research department. Also, documents
that are classified as highly confidential should only be accessed by Managers. The security department
is also concerned that users in the Managers department are accessing the files using their home
computers, which may not be highly secure. You must create a plan for securing the documents
regardless of where they are located and ensure that the documents can only be accessed from
authorized computers. Authorized computers for Managers are members of the security group
ManagersWks.
The support department reports that a high number of calls are generated by users who cannot access
resources. You must implement a technology that helps users to better understand error messages as well
as enable them to automatically request access.
First, you will plan for Dynamic Access Control deployment. Then you must prepare your AD DS to
support Dynamic Access Control.
The main tasks for this exercise are as follows:
1.
Plan the Dynamic Access Control Deployment Based on the Security and Business Requirements.
2.
Task 1: Plan the Dynamic Access Control Deployment Based on the Security and
Business Requirements
Describe how you will design Dynamic Access Control to fulfill requirements for access control,
described in the scenario.
On the LON-DC1, from Server Manager open Active Directory Users and Computers.
2.
3.
Move LON-CL1, LON-CL2 and LON-SVR1 computer objects into Test OU.
4.
On LON-DC1, from Server Manager, open the Group Policy Management console.
5.
Remove the Block Inheritance setting applied to the Managers OU. (This setting has been applied and
used in a later module of the course.)
6.
7.
In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
8.
Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting.
9.
11. Open Active Directory Users and Computers and create a security group called ManagersWKS in
Users container.
Results: After completing this exercise you will have a design for Dynamic Access Control and you will have
prepared AD DS for Dynamic Access Control implementation.
The first step in implementing Dynamic Access Control is to configure the claims for the users and devices
that access the files. In this exercise, you will review the default claims and create new claims based on the
department and computer description attributes. For users, you will create a claim for department
attribute. For computers, you will create claim for description attribute.
The main tasks for this exercise are as follows:
1.
2.
3.
2.
Click the Dynamic Access Control node in Active Directory Administrative Center.
3.
Open the Claim Types container and verify that there are no default claims defined.
4.
Open the Resource Properties container and note that all properties are disabled by default.
5.
Open Resource Property Lists container and then open the properties of the Global Resource
Property List.
6.
7.
Click Cancel.
In the Active Directory Administrative Center, in the navigation pane click Dynamic Access
Control.
2.
Open the Claim Types container, and create a new claim type for users and computers using the
following settings:
o
1.
In the Active Directory Administrative Center, in the Tasks pane click New and select Claim Type.
2.
Create a new claim type for computers using the following settings:
o
Results: After completing this exercise you will have configured user and device claims.
The second step in implementing Dynamic Access Control is to configure the resource property lists and
resource property definitions. After you do this, you should make a new classification rule that classifies all
files that contain the word secret in the body. These files should be assigned a value of High for attribute
Confidentiality. You should also assign department property to the folder that belongs to Research
department.
The main tasks for this exercise are as follows:
1.
2.
Classify files.
3.
In the Active Directory Administrative Center, click Dynamic Access Control and then open the
Resource Properties container.
2.
3.
4.
5.
Open the Global Resource Property List and make sure that Department and Confidentiality are
included in the list.
6.
Click Cancel.
7.
2.
3.
Refresh Classification Properties. Verify that Confidentiality and Department properties are in the
list.
4.
Scope: C:\Docs
Property: Confidentiality
Value: High
Select Re-evaluate existing property values, and then click Overwrite the existing value.
5.
6.
Open Windows Explorer and open Properties for files Doc1.txt, Doc2.txt and Doc3.txt in C:\Docs
folder.
7.
Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
2.
3.
Results: After this exercise, you will have configured resource properties and file classifications.
Now that you have configured claims, resource properties, and file classifications, you want to create and
configure central access rules and policies.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
On LON-DC1, in Server Manager, click Tools and then click Active Directory Administrative
Center.
2.
Click Dynamic Access Control and then open the Central Access Rules container.
3.
Permissions: Remove Administrators, and then add Authenticated Users, Modify, with condition
User-Company Department-Equals-Resource-Department
4.
Permissions:
Set first condition to be: User-Group-Member of each-Value-Managers
Set second condition to be: Device-Group-Member of each-Value-ManagersWKS
2.
3.
On LON-DC1 in Active Directory Administrative Center, create a new Central Access Policy with
following values:
o
On LON-DC1, from the Server Manager, open the Group Policy Management console.
2.
Create new GPO named DAC Policy and link it to organizational unit Test.
3.
4.
5.
Click both Department Match and Protect confidential docs, and then click Add. Click OK.
6.
Close the Group Policy Management Editor and the Group Policy Management console.
2.
3.
4.
Apply the Protect confidential docs Central Policy to the C:\Docs folder.
5.
6.
1.
2.
3.
Under Computer Configuration node, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.
4.
In the right pane double-click Customize Message for Access Denied errors.
5.
In the Customize Message for Access Denied errors window click Enabled.
6.
In the Display the following message to users who are denied access text box type: You are denied
access because of permission policy. Please request access.
7.
8.
Double-click Enable access-denied assistance on client for all file types and enable it.
9.
Click OK and close the Group Policy Management Editor and the Group Policy Management console.
Results: After completing this exercise you will have configured central access rules and policies.
2.
3.
4.
Verify staging.
5.
6.
2.
3.
4.
5.
6.
7.
8.
9.
1.
2.
3.
4.
5.
Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
6.
Double-click Audit File System. Select all three check boxes then click OK.
7.
Close the Group Policy Management Editor and the Group Policy Management console.
On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2.
Open the Properties for the Department Match Central Access Rule
3.
In the Proposed permissions section, configure a condition for Authenticated users as follows:
User-Company Department-Equals-Value-Marketing.
4.
2.
Open Windows Explorer and attempt to access \\LON-SVR1\Research. You will be unsuccessful.
Click Close.
3.
Switch to LON-SVR1.
4.
From Server Manager, open Event Viewer and select the Security log. Look for events with Event
ID 4818.
2.
3.
4.
5.
In Select User, Computer, Service Account, or Group window type April, and then click Check
Names, and then click OK.
6.
7.
8.
9.
When you are finished the lab, revert the virtual machines to their initial state.
Results: After this exercise you will have validated Dynamic Access Control functionality.
Always stage changes to Central Access Rules and Policies before implementation.
Review Questions
What is a claim?
What is the purpose of Central Access Policy?
What is Access Denied Assistance?
Tools
Active Directory Administrative Center
Troubleshooting Tip
Module 11
Implementing Active Directory Domain Services
Contents:
Module Overview
11-1
11-2
11-11
11-16
11-19
Lesson 5: Maintaining AD DS
11-28
Lab: Implementing AD DS
11-35
11-40
Module Overview
Active Directory Domain Services (AD DS) is the central location for configuration information,
authentication requests, and information about all the objects that are stored in an Active Directory forest.
Using AD DS, you can efficiently manage users, computers, groups, printers, and other directory-enabled
objects from one secure, central location. Windows PowerShell has become the single engine for
configuration and maintenance from both graphical and command-line interfaces. This module discusses
deployment and configuration of domain controllers, service accounts in AD DS, Group Policy, and
maintenance of AD DS.
Objectives
After completing this module you will be able to:
Maintain AD DS.
Lesson 1
Deploying AD DS Domain Controllers
To establish the Active Directory forest and the first domain in the forest, you must create at least one domain controller. In this lesson, you will learn about the new features of AD DS in Windows Server 2012 and the various methods for deploying domain controllers.
Lesson Objectives
After completing this lesson you will be able to:
Deploy domain controllers.
Deploy domain controllers on a Server Core installation of Windows Server 2012.
Deploy domain controllers using the Install From Media feature.
Upgrade to AD DS in Windows Server 2012.
What's New in AD DS in Windows Server 2012?
Windows Server 2012 has several new features for AD DS. The Windows PowerShell command-line interface is the underlying component behind installations and configurations. It enables full scripting and automation and new graphical user interfaces for previous command-line-only activities.
Some new features are described in the following table.
Feature: Deployment
Improvement: Simplified administration. Improvements to configure and monitor AD DS through the Server Manager console include:
A graphical user interface for the Active Directory Recycle Bin.
A graphical user interface to implement fine-grained passwords.
Group Policy health monitoring.
AD DS-specific performance monitoring and best practice analysis.
Active Directory management tools, which you can open from the Server Manager console.
Improvements in the virtual environment include:
Cloning domain controllers is now a supported option to enable automated deployment and rollback protection.
Restoration of domain controller snapshots does not disrupt the AD DS environment.
Feature: Active Directory Module for Windows PowerShell, Windows PowerShell History Viewer
Improvement: When administrators use the Active Directory Administrative Center, they can now view the underlying Windows PowerShell commands that are executed. This helps reduce the time required to learn the Windows PowerShell commands.
Feature: Active Directory Federated Services (AD FS)
Improvement: AD FS is now included as a server role with Windows Server 2012. This version provides a less complex trust setup and management process, an ability to extend the claims attribute store and a broader scope for defining claims. AD FS services are frequently required for hybrid cloud deployments.
Feature: Active Directory Based Activation (AD BA)
Improvement: Key Management Servers (KMS) are no longer required to activate computers running Windows 8 and Windows Server 2012. Activating the initial customer-specific volume license key (CSVLK) requires a one-time contact with Microsoft activation over the Internet.
Deploying AD DS Domain Controllers
With Windows Server 2008, you could deploy a domain controller by installing the AD DS role to add the binary files and then using the Active Directory Installation Wizard to install AD DS.
In Windows Server 2012 you deploy a domain controller by using Server Manager to add the AD DS role. You use a separate wizard to configure AD DS within Server Manager.
You can add the AD DS role binaries using these four methods:
The graphical Server Manager.
Dism.exe.
Active Directory Installation Wizard (also called DCPromo)
You can use the graphical wizard in Server Manager to install the binary files and perform all the required configuration of a domain controller. The deployment wizard uses a single expanding dialog box and can do the following:
Install AD DS remotely.
Configure the domain controller as a global catalog by default.
Display advanced mode settings.
Prepare schema extension and domain preparation automatically in the background.
Note: These new features are not backward compatible with Windows Server 2008 R2 or earlier versions of Windows Server. For more information, refer to Understand and Troubleshoot AD DS Simplified Administration in Windows Server 8 Beta.docx from http://www.microsoft.com/en-us/download/details.aspx?id=29019.
Using Windows PowerShell
You can add AD DS binaries using the Active Directory module for local or remote installations.
Using DISM
The Deployment Image Servicing and Management (DISM) tool is part of the Windows Automated Administration Kit (WAIK). It is more complex than, and not as flexible as, Windows PowerShell. DISM is usually associated with creating deployment images for Windows Deployment Services.
Active Directory Installation Wizard (also called DCPromo) no longer has a GUI and is only supported with the Unattend option. It is no longer recommended.
Note: System requirements to install Windows Server 2012 are unchanged from Windows Server 2008 R2.
Deploying AD DS Domain Controllers on Server Core
Server Core is a version of Windows Server 2012 that has no graphical interface. Server Core provides a minimal environment for running server roles. It reduces disk space usage and maintenance, and presents a smaller attack surface.
You can now install AD DS on Server Core by using Windows PowerShell for a local or remote installation. Or you can use the GUI in Server Manager on a remote system to perform the installation.
Installing the AD DS Role Locally
To install the AD DS Role locally:
1. Install the AD DS binary files. At the local Windows PowerShell command prompt, type the cmdlet Install-WindowsFeature -Name AD-Domain-Services, and then press Enter.
2. Configure AD DS. At the Windows PowerShell command prompt, type the cmdlet Install-ADDSDomainController -DomainName Adatum.com, with other arguments as required, and then press Enter.
Windows PowerShell Remote Installation
You can run Windows PowerShell cmdlets against remote servers. Start by installing the AD DS binary files. Then use the Invoke-Command cmdlet. For example:
Invoke-Command -ScriptBlock {Install-ADDSDomainController -DomainName Adatum.com -Credential (Get-Credential)} -ComputerName NYC-DC3
Note: Guidance for using Windows PowerShell to establish a Windows Server 2012 AD DS environment can be found here: http://technet.microsoft.com/en-us/library/hh472162#BKMK_PSForest.
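The local and remote installations from the two preceding topics as one script run from an administrator's workstation, as an added example that is not part of the courseware. It differs from the one-liner above in passing the credential into the remote session as an argument: Get-Credential inside the script block cannot prompt in a non-interactive remote session. It assumes NYC-DC3 is a domain-joined Windows Server 2012 Server Core host with Windows PowerShell remoting enabled, Adatum.com is the domain used throughout this course, and the Directory Services Restore Mode password is supplied at the prompt.

```powershell
# Added example (not from the courseware): promote a Server Core host to an
# additional domain controller over Windows PowerShell remoting.
# Assumptions: NYC-DC3 is domain-joined with WinRM enabled; Adatum.com is the domain;
# the credential and DSRM password are entered interactively on the workstation.
$target  = 'NYC-DC3'
$domain  = 'Adatum.com'
$cred    = Get-Credential -Message "Domain Admin credential for $domain"
$dsrmPwd = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# The credential and DSRM password travel into the session as arguments; remoting
# serializes both as encrypted values, so nothing is typed on the remote side.
Invoke-Command -ComputerName $target -Credential $cred `
    -ArgumentList $domain, $cred, $dsrmPwd -ScriptBlock {
    param($DomainName, $Credential, $SafeModePassword)

    # Step 1 from the text: add the role binaries (management tools included so the
    # ADDSDeployment module is available on the Server Core host).
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    # Check prerequisites before changing anything: DNS, credentials, schema and
    # domain readiness are reported here without promoting the server.
    Test-ADDSDomainControllerInstallation -DomainName $DomainName `
        -Credential $Credential -SafeModeAdministratorPassword $SafeModePassword

    # Step 2: promote as a global catalog with a local DNS server. The reboot is
    # held back so the cmdlet's output can be read before the host restarts.
    Install-ADDSDomainController -DomainName $DomainName `
        -Credential $Credential -SafeModeAdministratorPassword $SafeModePassword `
        -InstallDns:$true -NoGlobalCatalog:$false `
        -NoRebootOnCompletion:$true -Force:$true
}

# Finish the promotion.
Restart-Computer -ComputerName $target -Credential $cred -Force
```

Running Test-ADDSDomainControllerInstallation first is the habit to build: it surfaces a missing schema update or a wrong credential as a readable result instead of a half-promoted server.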
Server Manager Remote Installation
To use Server Manager to install the AD DS Role remotely, perform these high-level steps:
1.
2.
3.
4. Complete the configuration by running the Active Directory Domain Services Configuration Wizard.
Deploying AD DS Domain Controllers by using Install From Media (IFM)
Another method for installing AD DS is to install from an installation media created by using the Ntdsutil.exe utility. Installation media is created from an existing domain controller in the form of a backup. The advantage of installing from media is that it reduces the directory replication traffic required to synchronize the new domain controller. By default, a new domain controller replicates all the data for all Directory partitions that it hosts from other domain controllers. When you use IFM the new domain controller has most of the AD DS data. It only replicates updates that have occurred since the backup media was created.
Windows Server 2012 has two new options that enable you to create IFM media without first performing
an online defrag of the exported NTDS.DIT database file. The Ntdsutil.exe can now create six types of
installation media as described in the following table.
Type of installation media | Parameter | Description
Read-only domain controller (RODC) | Create RODC PathToMediaFolder |
 | Create Full NoDefrag |
1. Enter the ntdsutil context. At the Windows command prompt type NTDSUTIL, and then press Enter.
2. At the NTDSUTIL: prompt type Activate instance NTDS, and then press Enter.
3. Type IFM.
4. At the IFM: prompt, type the command for the type of installation media you want to create. For example, to create media for a writable domain controller with SYSVOL to a folder named Media, type Create Sysvol Full C:\Media.
To use IFM to create additional domain controllers in the domain, you can refer to a shared folder or
removable media where you store the installation media on the Install from Media page in the Active
Directory Domain Services Installation Wizard or by using the /ReplicationSourcePath parameter during
an unattended installation.
Install From Media Characteristics
IFM has the following characteristics:
Installation from media does not work across different operating system versions. You must generate media from an existing Windows Server 2012 domain controller to install AD DS on a computer running Windows Server 2012.
To create the IFM you must have permissions to make a backup on a domain controller.
Deploying AD DS Read-Only Domain Controllers
The read-only domain controller (RODC) was introduced with Windows Server 2008. An RODC hosts read-only partitions of the AD DS database. This means that no AD DS change requests are made directly to the database copy stored by the RODC. Instead, AD DS modifications are forwarded to RODCs through replication with a writable domain controller. All RODC AD DS replication uses a one-way, incoming-only connection from a domain controller that has a writable AD DS database copy.
RODCs are primarily designed for branch office deployments where you cannot guarantee the physical security of the AD DS computers. By deploying an RODC in a branch office, you can give users a local domain controller to facilitate efficient AD DS logon and Group Policy application, even if the WAN link to the main office (where read/write domain controllers are located) is not available. A locally based RODC configured to cache passwords of local users ensures faster logons compared to logging on across a slow network connection to authenticate with a remote domain controller.
Characteristics of RODC
RODCs have the following characteristics:
Server Core installations support RODCs.
An RODC cannot hold an operations master role.
An RODC cannot be a site bridgehead server.
Users can be delegated administrative rights to a specific RODC without being granted rights to AD DS. This can be configured in the Active Directory Configuration Wizard.
Preparing to Install RODC
Several prerequisites must be in place before you install an RODC. They are:
Forest functional level must be at least 2003. The Windows Server 2012 Active Directory Configuration Wizard does not let you continue if the domain is not able to support an RODC.
You can install an RODC through the Active Directory Configuration Wizard. On the Additional Domain Controller Options page, select the check box for Read-only domain controller (RODC).
Cloning Virtual AD DS Domain Controllers
Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. In versions of Windows earlier than Windows Server 2012, you created virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs have two new capabilities:
Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.
Safe Cloning. A cloned domain controller automatically syspreps (based on settings in DefaultDCCloneAllowList.xml) and promotes with the existing local AD DS data as installation media.
Rolling back to a previous snapshot of a VDC is problematic because Active Directory uses multi-master replication that relies on transactions being assigned numeric values called Update Sequence Numbers (USNs). The VDC tries to assign USNs to prior transactions that have already been assigned to valid transactions. This causes inconsistencies in the Active Directory database. Windows Server 2012 implements a process that is known as USN rollback protection. With this in place the VDC does replicate and must be forcibly demoted or manually restored non-authoritatively.
Windows Server 2012 now detects rollbacks and non-authoritatively synchronizes the delta of changes between a domain controller and its partners for AD DS and SYSVOL. You can now use snapshots without risk of permanently disabling domain controllers and requiring manually forced demotion, metadata cleanup, and re-promotion.
Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following high level steps:
1.
2.
3. Take the VDC offline and export or copy it.
4. Create a new virtual machine by importing the exported one. This virtual machine is automatically promoted as a unique domain controller.
Note: There is no graphical interface to create the cloning xml files. However, there is a Windows PowerShell script in development for out of band release, and the XML schema is included.
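Preparing a source VDC for cloning with the ActiveDirectory module cmdlets that ship with Windows Server 2012, as an added example (this is not the course's script and not the out-of-band script the note mentions). The clone name LON-DC4, the site name and the IP addresses are assumptions; run it on the virtual DC that is to be cloned, as a Domain Admin.

```powershell
# Added example, not from the course. Assumed values: clone name LON-DC4,
# site Default-First-Site-Name, addresses in 172.16.0.0/16.
Import-Module ActiveDirectory

$SourceVdc = $env:COMPUTERNAME   # the running VDC that will be exported
$CloneName = 'LON-DC4'           # assumed name for the clone

# 1. The PDC emulator authorizes clones, so it must run Windows Server 2012,
#    and only members of Cloneable Domain Controllers may be cloned. Membership
#    in that group is a privilege: a cloneable VDC image is a full DC, so
#    review who can read the exported VM files.
$pdcHost = ((Get-ADDomain).PDCEmulator -split '\.')[0]
$pdcOs   = (Get-ADComputer -Identity $pdcHost -Properties OperatingSystem).OperatingSystem
if ($pdcOs -notmatch '2012') {
    throw "PDC emulator $pdcHost runs '$pdcOs'; it must run Windows Server 2012"
}
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $SourceVdc)

# 2. Installed software that is not known to be clone-safe blocks cloning until
#    it is listed in CustomDCCloneAllowList.xml. Inspect the list before
#    generating the file; an agent that keeps per-machine state must not be
#    blindly allowed.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Applications not covered by DefaultDCCloneAllowList.xml:'
    $excluded | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 3. Write DCCloneConfig.xml with the clone's identity and static IP settings.
#    The cmdlet repeats the checks above and refuses if any fail.
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.40' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# 4. Take the VDC offline, export or copy the VM, then import the copy as a new
#    VM. On first boot the clone reads DCCloneConfig.xml and promotes itself.
Stop-Computer
```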
Upgrading to Windows Server 2012 AD DS
You can upgrade an existing domain controller to Windows Server 2012. You can only upgrade a domain controller created in Windows Server 2008 x64 or Windows Server 2008 R2. You cannot perform an in-place upgrade on Windows Server 2003.
To perform an in-place upgrade of a computer that has the AD DS role installed, you must first use Adprep.exe /forestprep and Adprep.exe /domainprep to prepare the forest and domain. An in-place operating system upgrade does not perform automatic schema and domain preparation. Adprep.exe is included on the installation media in the \Support\Adprep folder. There are no additional configuration steps after that point and you can continue to run the OS upgrade.
Note: We recommend a clean installation.
Troubleshooting AD DS Domain Controller Deployments
If you encounter errors when you create a domain controller, you can use troubleshooting tools and methodologies to resolve the problem. There are also logs and utilities available.
Logging Options
The built-in logs are the most important tool for troubleshooting issues with domain controller promotion
and demotion. There are many logs created during the installation and promotion of a domain controller,
as shown in the following table.
Phase | Log
Server Manager or AD DS Deployment Windows PowerShell operations | %systemroot%\debug\dcpromoui.log
Installation/Promotion of the domain controller | %systemroot%\debug\dcpromo.log; %systemroot%\debug\dcpromoui*.log; %systemroot%\debug\dcpromo*.log; Event viewer\Windows logs\System; Event viewer\Windows logs\Application; Event viewer\Applications and services logs\Directory Service
AutoRuns.exe Shows you what programs are configured to run during system bootup or logon, and
shows you the entries in the order Windows processes them.
Task Manager Provides detailed information about how to run applications, processes, and services
and provides performance and networking statistics.
MSInfo32.exe Displays a comprehensive view of your hardware, system components, and software
environment.
Is this a syntax error? Check the naming, credentials, and syntax of Windows PowerShell.
Did the prerequisite check fail? Resolve the issue and try again.
Did the error occur during the promotion phase? Examine the logs. Use Dcdiag and Repadmin to
validate Active Directory health.
Check for third-party software that may be preventing the promotion and remove it.
Lesson 2
Lesson Objectives
After completing this lesson you will be able to:
Configure the global catalog.
Configure universal group membership caching.
Configure operations masters.
Manage domain and forest functional levels.
Configuring the Global Catalog
The global catalog is a special partition of Active Directory that stores information about all Active Directory objects. It does not contain all attributes of all objects, but instead contains a subset of attributes that are useful for searching. The global catalog is mainly used in a multi-domain environment. It enables searches across domain boundaries to find objects in Active Directory. The global catalog acts as an index of Active Directory. Certain applications rely on the global catalog, such as Exchange Server.
Global Catalog Characteristics
Global catalogs are unique to Active Directory and have the following characteristics:
At least one global catalog must exist in every forest.
Global catalogs can be created during the promotion process or at any time after.
Global catalogs can affect replication traffic.
Global catalogs listen on ports 3268/3269 by default.
Creating a Global Catalog
The first domain controller in the forest is a global catalog because at least one global catalog is required per forest. You can remove the domain controller's designation as a global catalog later, after you have created other global catalogs.
For each additional domain controller, you can create a global catalog by ensuring that you select the check box in the Active Directory Configuration Wizard during the promotion. By default, all domain controllers are assumed to be global catalogs.
You can also add or remove the global catalog from a domain controller by using the Active Directory Sites and Services MMC and editing the properties of the NTDS Settings node of the domain controller. Alternatively, you can use the Active Directory module of Windows PowerShell to enable a global catalog.
Configuring Universal Group Membership Caching
Universal groups include users and groups from multiple domains in a forest. The membership of universal groups is replicated in the global catalog. When a user logs on, the user's universal group membership is obtained from a global catalog server. If a global catalog is not available then universal group membership is not available. Configuring universal group membership caching addresses this problem.
Note: This problem does not arise when every domain controller is a global catalog.
Enabling Universal Group Membership Caching
You can enable Universal Group Membership Caching by using the Active Directory Sites and Services MMC, and editing the properties of the NTDS Settings node of the domain controller. You can also use the Active Directory module for Windows PowerShell to enable Universal Group Membership Caching.
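The two PowerShell paths mentioned above (enabling a global catalog, and enabling universal group membership caching), as an added example that is not the course's code. Both flags live in the options attribute: bit 0x1 on a domain controller's NTDS Settings object marks it as a global catalog, and bit 0x20 on a site's NTDS Site Settings object turns on the cache for that site. The DC name LON-DC2 and the site name Branch1 are assumptions.

```powershell
# Added example, not from the course. Assumed names: LON-DC2, Branch1.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    if ($dc.IsGlobalCatalog) { Write-Verbose "$DcName is already a global catalog"; return }
    # NTDSSettingsObjectDN is the CN=NTDS Settings object under the server.
    $settings = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]($settings.options) -bor 0x1        # set the GC bit, keep others
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $opts }
}

function Enable-UniversalGroupCaching {
    param([Parameter(Mandatory)][string]$SiteName)
    $config = (Get-ADRootDSE).configurationNamingContext
    $siteDn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$config"
    $settings = Get-ADObject -Identity $siteDn -Properties options
    $opts = [int]($settings.options) -bor 0x20       # caching flag for the site
    Set-ADObject -Identity $siteDn -Replace @{ options = $opts }
}

function Get-GlobalCatalogStatus {
    # One row per DC so a reviewer can see which sites still have no GC.
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly |
        Sort-Object Site, Name
}

Enable-GlobalCatalog -DcName 'LON-DC2'
Enable-UniversalGroupCaching -SiteName 'Branch1'

# The GC bit is set immediately, but the DC only starts answering on 3268/3269
# after the partial attribute set has replicated in; check again later if
# IsGlobalCatalog still reads False.
Get-GlobalCatalogStatus | Format-Table -AutoSize
```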
Configuring Operations Masters
In any replicated database, such as AD DS, some tasks must be performed by only one AD DS replica holder because they are impractical to perform in a multi-master manner. For example, only one domain controller can be in charge of synchronizing the time across the domain. In an Active Directory domain, operations masters, also known as flexible single master operations, or FSMO, are domain controllers that additionally provide a specific function. There are five specific operations master roles that must be filled. Any domain controller that meets the prerequisites can perform these roles.
Note: An RODC cannot host any operations master roles because, by design, it cannot directly modify the copy of AD DS it holds.
Two of the operations master roles only exist one time for the whole forest. These two roles exist only in the Forest Root Domain and are shown in the following table.
Role | Description
Domain Naming Operations Master | You use the domain naming role when you add or remove domains in the forest. When you add or remove a domain, the domain naming master must be available, or the operation fails.
Schema Operations Master | The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other domain controllers hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, try to do it directly on the domain controller holding the schema master role. Otherwise, the changes that you request must be sent to the schema master to be written into the schema. If the Schema Master is inaccessible, all attempts to modify the schema will fail.
These roles can be transferred to other domain controllers if required. If a domain controller that is currently holding a role should stop functioning, the role can be forcibly seized by another domain controller.
The other three roles exist in every domain in the forest. They are shown in the following table.
Role | Description
Relative Identifier (RID) Operations Master | Note: This is the only one of the five FSMO roles that was improved in Windows Server 2012. All other roles retain the same functionality as earlier versions.
Infrastructure Operations Master |
PDC Emulator Operations Master |
These roles can be transferred to any domain controller in the domain. They do not all have to run on the
same domain controller. For example, one domain controller might hold the PDC Emulator role while
another holds the RID Master role. If a domain controller that is currently holding a role should stop
functioning, the role can be forcibly seized by another domain controller.
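Transferring and seizing the roles described above with the ActiveDirectory module, as an added example that is not the course's code. It lists all five holders, refuses an RODC as target, checks that the current holder is reachable before a graceful transfer, and only seizes when told to. The target DC name LON-DC2 is an assumption.

```powershell
# Added example, not from the course. Assumed target DC: LON-DC2.
Import-Module ActiveDirectory

function Get-OperationsMasters {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $dom.PDCEmulator              # per domain
        RIDMaster            = $dom.RIDMaster                # per domain
        InfrastructureMaster = $dom.InfrastructureMaster     # per domain
    }
}

function Move-RolesSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Roles,
        [switch]$Seize
    )
    $target = Get-ADDomainController -Identity $TargetDc
    # An RODC can never hold a role; fail early instead of mid-transfer.
    if ($target.IsReadOnly) { throw "$TargetDc is an RODC and cannot hold operations master roles" }

    if (-not $Seize) {
        # A graceful transfer needs the current holder online: it hands over
        # the role and its latest state (for example the RID pool).
        $current = Get-OperationsMasters
        foreach ($r in $Roles) {
            $holder = $current.$r
            if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
                throw "Current $r holder $holder is unreachable; use -Seize only if it will never return"
            }
        }
    }
    # -Force turns the transfer into a seizure. A seized-from DC must never be
    # brought back online without being rebuilt, or two DCs will claim the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
}

Get-OperationsMasters
Move-RolesSafely -TargetDc 'LON-DC2' -Roles 'PDCEmulator', 'RIDMaster'
Get-OperationsMasters
```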
Managing Domain and Forest Functional Levels
By raising the functional levels, you can enable functionality offered by new versions of Windows. New features are not backward-compatible with older versions of Windows Server. Similarly, until all domain controllers are running Windows Server 2008, 2008 R2, or Windows Server 2012, you cannot implement its improvements to AD DS.
There are two major requirements for raising the functional level:
You must raise functional levels manually.
Note: The operating system version of the domain controller determines the functional levels. Member servers can be running any version of Windows Server except for Windows NT 4.0. If you raise the functional level to Windows Server 2008, Windows NT 4.0 can no longer be a domain member.
Raising the functional level of either the domain or the forest is a one-way operation. You can never lower a functional level. Therefore, after you have raised the domain functional level to Windows Server 2008, for example, you cannot at a later date add a domain controller running Windows Server 2003 to the same domain.
A forest can have domains that run at different functional levels, but after the forest functional level is raised, you cannot add a domain controller running a lower version of Windows to any domain in the forest.
The Windows Server 2012 forest functional level and domain functional level do not implement new features beyond the Windows Server 2008 R2 functional level.
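Because the raise is one-way, the check that matters is done before the call: the added example below (not the course's code) inventories every domain controller's operating system, refuses to raise a domain whose DCs are too old, and raises the forest only once every domain is at the matching level. The domain name Adatum.com is an assumption.

```powershell
# Added example, not from the course. Assumed domain: Adatum.com.
Import-Module ActiveDirectory

# Lowest DC operating system that each domain level tolerates.
$MinimumOsFor = @{
    Windows2008Domain   = 'Windows Server 2008|Windows Server 2012'
    Windows2008R2Domain = 'Windows Server 2008 R2|Windows Server 2012'
    Windows2012Domain   = 'Windows Server 2012'
}

function Get-DcsBelowLevel {
    # Returns the DCs of $Domain that could not join it at $Level (empty = safe).
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Level)
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -notmatch $MinimumOsFor[$Level] } |
        Select-Object Name, Domain, OperatingSystem
}

function Set-DomainLevelSafely {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [ValidateSet('Windows2008Domain','Windows2008R2Domain','Windows2012Domain')]
        [string]$Level = 'Windows2012Domain'
    )
    $blocking = Get-DcsBelowLevel -Domain $Domain -Level $Level
    if ($blocking) {
        Write-Warning "Not raising $Domain to $Level; these DCs would be locked out:"
        $blocking | Format-Table -AutoSize
        return
    }
    $before = (Get-ADDomain -Identity $Domain).DomainMode
    Set-ADDomainMode -Identity $Domain -DomainMode $Level -Confirm:$false
    "$Domain domain mode: $before -> $((Get-ADDomain -Identity $Domain).DomainMode)"
}

function Set-ForestLevelSafely {
    param([string]$Level = 'Windows2012Forest')
    $forest = Get-ADForest
    # Every domain in the forest must already be at the matching domain level.
    $lagging = foreach ($d in $forest.Domains) {
        $mode = (Get-ADDomain -Identity $d).DomainMode
        if ($mode -ne 'Windows2012Domain') { [pscustomobject]@{ Domain = $d; DomainMode = $mode } }
    }
    if ($lagging) { Write-Warning 'Raise these domains first:'; $lagging | Format-Table -AutoSize; return }
    Set-ADForestMode -Identity $forest -ForestMode $Level -Confirm:$false
    "Forest mode: $((Get-ADForest).ForestMode)"
}

Set-DomainLevelSafely -Domain 'Adatum.com'
Set-ForestLevelSafely
```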
Lesson 3
Implementing Service Accounts
One common issue that most organizations face is how to securely manage accounts that are used for network services. Many applications use services that require an account for service startup and authentication. As with typical user accounts, you must also effectively manage service accounts to ensure security and reliability.
Lesson Objectives
After completing this lesson you will be able to:
Describe managed service accounts.
Describe group managed service accounts.
Configure managed service accounts.
What Are Managed Service Accounts?
Applications are frequently configured to execute non-interactively on servers that use the security authentication context of the Local Service, Network Service, or Local System accounts. Because these accounts are typically shared by many applications and processes, you cannot isolate their credentials. That is to say, you cannot customize the security settings of these accounts without also affecting all applications and processes that are mapped to them. A Managed Service Account provides an application with its own unique service account. In Windows Server 2012, administrators no longer have to manually administer the credentials for this account.
Managed service accounts in Windows Server 2012 offer the following benefits:
Automatic password management. A managed service account automatically maintains its own password, including password changes. This can better isolate services from other services on the computer.
Requirements for Using Managed Service Accounts
To use a managed service account, the server that runs the service or application must run Windows Server 2008 R2 or a later version. You must also ensure that the .NET Framework 3.5.x and the Active Directory Module for Windows PowerShell are both installed on the server.
Note: In versions of Windows earlier than Windows Server 2012, managed service accounts could not be shared between multiple computers. Each Managed Service Account had to be unique to the computer where the application was run. This type of service account is known as a Standalone Managed Service Account. New in Windows Server 2012 is the ability to create Managed Service Accounts that can be shared with more than one computer (for example, for a clustered set of servers). These types of Managed Service Accounts are called Group Managed Service Accounts. They are discussed in the next lesson.
Managing Service Principal Names
Service Principal Names (SPNs) represent the accounts in whose security context a service executes. SPNs support mutual authentication between a client application and a service. SPNs are built either from information that a client computer knows about a service or from a trusted third party, such as Active Directory. SPNs are associated with accounts, and an account can have a different SPN for each service it is used to authenticate and execute.
The basic syntax of an SPN is as follows.
<service type>/<instance name>:<port number>/<service name>
The elements of the syntax have the meanings described in the following table.
Element | Description
Service type | The type of service, such as www for World Wide Web service.
Instance name | The name of the instance of the service. Either the host name or IP address of the server that is running the service.
Port number | Port number that is used by the host for the service if it differs from the default.
Service name | This may be the DNS name of the host, or of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of a remote procedure call (RPC) service object.
The syntax for service names in Active Directory includes the distinguished name of the instance of the service. The syntax is as follows.
<service type>/<host name>:<port number>/<distinguished name>
What Are Group Managed Service Accounts?
As discussed in the previous lesson, Standalone Managed Service Accounts are managed domain-based accounts (that now include automatic password management and simplified SPN management for the service account) for single servers. Group Managed Service Accounts provide the same functionality but for multiple servers.
When you connect to a service hosted on a server farm, such as the Network Load Balancing (NLB) service, all computers that are running an instance of that service must use the same security principal. When a Group Managed Service Account is used as the service principal, Windows Server 2012 AD DS manages the password for the account instead of relying on the administrator to manage the password.
Note: Group Managed Service Accounts can only be configured and administered on computers that are running Windows Server 2012.
Demonstration: Configuring Group Managed Service Accounts
In this demonstration you will see how to create a group managed service account and associate the account with a server.
Demonstration Steps
1.
2.
3. Create the new service account named Webservice for the host LON-DC1.
4.
5.
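The demonstration above, written out as an added example (not the course's demonstration script): it creates the group managed service account Webservice for LON-DC1, registers its SPNs in the syntax described under Managing Service Principal Names, checks for duplicate SPNs, and installs and tests the account on the host. The domain Adatum.com, the security group WebServers that is allowed to retrieve the password, and the HTTP service type are assumptions.

```powershell
# Added example, not from the course. Assumed: Adatum.com, group WebServers,
# HTTP service on LON-DC1. Needs Windows Server 2012 DCs for the gMSA cmdlets.
Import-Module ActiveDirectory

$AccountName = 'Webservice'
$HostName    = 'LON-DC1'
$DnsHost     = "$HostName.Adatum.com"
$HostGroup   = 'WebServers'

# 1. A KDS root key must exist before any gMSA can be created. Its effective
#    time is 10 hours after creation so every DC has replicated it first;
#    -EffectiveImmediately only skips that wait in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key just created; in production wait 10 hours before creating gMSAs'
}

# 2. Allow password retrieval to a group rather than a single host, so a farm
#    (the NLB scenario above) can share the account without editing the gMSA.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $HostName)

# 3. Create the gMSA with its SPNs: <service type>/<instance name>, the port
#    being omitted because HTTP uses the default.
New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ServicePrincipalNames "HTTP/$DnsHost", "HTTP/$HostName" `
    -ManagedPasswordIntervalInDays 30

# 4. An SPN must be unique in the forest; a duplicate breaks Kerberos for both
#    accounts and clients fall back to NTLM without an obvious error.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$DnsHost)" -Properties servicePrincipalName
if (@($holders).Count -gt 1) {
    Write-Warning "Duplicate SPN HTTP/$DnsHost held by: $(($holders | ForEach-Object Name) -join ', ')"
}

# 5. On the host, install the account and verify it can fetch its password.
#    The host needs a fresh Kerberos ticket (reboot or klist purge) after the
#    group change in step 2, or Test-ADServiceAccount returns False.
Invoke-Command -ComputerName $HostName -ScriptBlock {
    param($Name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name cannot retrieve its password on $env:COMPUTERNAME"
    }
    "gMSA $Name usable on $env:COMPUTERNAME; configure the service to log on as ADATUM\$Name`$ with an empty password"
} -ArgumentList $AccountName
```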
Lesson 4
Implementing Group Policy in AD DS
Group Policy has become the major tool for controlling the computing environment in an organization. This lesson points out the new features for Windows Server 2012 and describes some management techniques for controlling users and computers.
Lesson Objectives
After completing this lesson you will be able to:
Describe the new features in Group Policy.
Configure Group Policy processing.
Troubleshoot Group Policy.
Describe best practices for Group Policy implementation.
What's New in Group Policy in Windows Server 2012?
Group Policy was introduced in Windows 2000. Each successive Windows version has introduced new tools or management features, such as the Group Policy Management Console (GPMC). Group Policy in Windows Server 2012 includes the following new features.
Graphical User Interface for Managing Fine-Grained Password Policy
New in Windows Server 2012 is the ability to manage this GPO object set from the console of the Active Directory Administrative Center. Managing domain user account password policy by group membership has been an option since the initial release of Windows Server 2008. When it is enabled, any password policy associated with the user's group membership takes precedence over the default of the domain account policy. However, in earlier versions of Windows Server there was no single interface for implementing and managing this type of GPO. The new GUI simplifies using this feature.
Group Policy Infrastructure Status
The Group Policy Infrastructure Status tool is a new tab in the GPMC. It displays the status of Active Directory and SYSVOL replication as it relates to Group Policy. This feature enables you to detect the current status by comparing the replication status of all domain controllers.
Remote Policy Refresh
You can now use GPMC to target an organizational unit (OU) and force Group Policy refresh on all its computers and their currently logged-on users. Right-click any organizational unit in the GPMC, and then click Group Policy Update. The update occurs within 10 minutes (randomized on each targeted computer) to prevent overwhelming a domain controller. Also, a new Windows PowerShell cmdlet, named Invoke-GpUpdate, functions in the same manner as the command line GpUpdate utility.
New RSOP Logging Data
When you use the Group Policy Results wizard or the GpResult /H command line tool to generate an HTML Resultant Set of Policy (RSOP) report, you now see an updated Summary section that provides information such as network speed and whether a policy is functioning correctly or not.
Note: Remote RSOP logging and Group Policy refresh require you to open firewall ports on the targeted computers. This means enabling incoming communication for RPC, WMI/DCOM, event logs, and scheduled tasks.
Managing GPOs
You must manage group policies as any other object in Active Directory. Group Policy must be created, edited, applied to containers, and backed up. The GPMC is the main tool for managing Group Policy.
Creating, Editing, and Linking Policies
Group Policy management has the following characteristics:
Backing Up and Restoring GPOs
You should back up Group Policies regularly. The first time that you back up a GPO, you must specify the location of the backup folder.
To back up GPOs in the GPMC, use the following procedures:
To back up individual GPOs, right-click the GPO, and then click Back Up.
To back up all GPOs, right-click the GPO folder, and then click Back Up All.
To restore an existing GPO to an earlier version of the GPO:
1.
2.
3. Click Restore from Backup.
To restore a deleted GPO:
1.
2. Click Manage Backups.
3. Click the policy that you want to restore from the backup folder.
4. Click Restore.
Copy or Import GPOs
2. Click Copy.
3.
The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO as the source. Importing does not modify the permissions or links associated with the destination GPO. Importing does not merge with any existing settings in the destination GPO, but will overwrite all settings.
To import a GPO:
1.
2.
3.
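The backup, restore and import operations above, done with the GroupPolicy module cmdlets that correspond to the GPMC actions, as an added example (not the course's code). The backup root C:\GPOBackups and the GPO names "Desktop Lockdown" and "Desktop Lockdown - Test" are assumptions.

```powershell
# Added example, not from the course. Assumed: C:\GPOBackups, GPOs named
# "Desktop Lockdown" and "Desktop Lockdown - Test". Run with GPO edit rights.
Import-Module GroupPolicy

$BackupRoot = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Back up every GPO. Each backup gets a GUID folder plus a manifest, so one
#    root can hold many generations. Restrict the folder's ACL: backups contain
#    every setting and script, including any credentials placed in preferences.
$backups = Backup-GPO -All -Path $BackupRoot -Comment "Scheduled backup $(Get-Date -Format u)"
$backups | Select-Object DisplayName, Id, CreationTime | Format-Table -AutoSize

# 2. Import: replaces ALL settings in the destination (no merge) and leaves the
#    destination's links and permissions untouched, exactly as the text says.
#    -CreateIfNeeded creates the destination GPO when it does not exist yet.
$src = $backups | Where-Object { $_.DisplayName -eq 'Desktop Lockdown' }
if (-not $src) { throw 'Backup of "Desktop Lockdown" not found' }
Import-GPO -BackupId $src.Id -Path $BackupRoot -TargetName 'Desktop Lockdown - Test' -CreateIfNeeded

# 3. Restore: puts the GPO's own most recent backup in $BackupRoot back in
#    place (settings and permissions; OU links are not part of a backup and
#    have to be re-created if they were removed).
Restore-GPO -Name 'Desktop Lockdown' -Path $BackupRoot

# 4. Confirm what is live now.
Get-GPO -Name 'Desktop Lockdown', 'Desktop Lockdown - Test' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Id, ModificationTime, GpoStatus |
    Format-Table -AutoSize
```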
Configuring Group Policy Processing
When you link a Group Policy to a container, the settings affect all users, groups, or computers in that container and all child containers under that parent. For example, a GPO linked to the domain container inherits down to all child containers in the domain. Because you can link GPOs directly to the site, domain, or OU containers, there is the potential for settings in different GPOs to conflict. For example, a setting in a GPO at the domain level might be enabled while the same setting in a GPO linked to an OU may be disabled. This conflict is resolved through precedence. GPO settings are applied in the following order:
1. Local policies
2.
3.
4. OU linked GPOs
5.
Policy settings inherit down and merge so that objects receive the cumulative effect of all GPOs. If you
link multiple GPOs to the same container then they are applied in the order in which they were linked.
However, you can set precedence to control the order of application to that container. If there is a conflict
in GPO settings, the last GPO applied has precedence and is the effective one. In other words, the user or
computer receives all the GPO settings in the path of their container and linked directly to their container,
but if there is a conflict, the latest setting is the one in effect.
Group Policy provides mechanisms to modify the way GPO settings are processed. You can block
inheritance and enforce policies.
Blocking Inheritance
You can configure a domain or OU to prevent the inheritance of policy settings. This option blocks all
inherited Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. You cannot use
it to block only selected inherited policies. It does not block GPOs that are linked directly to the container.
You should use the Block Inheritance option sparingly. When you block inheritance, you make it more
difficult to evaluate Group Policy precedence and inheritance.
You can set a GPO link to be Enforced. When you set a GPO link to Enforced, that GPO takes the highest
level of precedence. Policy settings in that GPO then prevail over any conflicting policy settings in other
GPOs. In addition, a link that is enforced applies to child containers even when those containers are set
to Block Inheritance. The Enforced option causes the policy to apply to all objects within its scope. The
Enforced setting causes policies to override any conflicting policies and applies regardless of any other
settings.
Loopback Processing
By default a user receives the settings from GPOs inherited by, and linked to, the OU where their user
account resides. There are situations, however, in which you might want to configure a user differently,
depending on the computer that is being used. For example, you might want to lock down and
standardize user desktops when users log on to computers in closely managed environments, such as
conference rooms, reception areas, laboratories, classrooms, and kiosks. You might also want to apply
specific settings for virtual desktop infrastructure (VDI) scenarios. This includes remote virtual machines
and Remote Desktop Services (RDS), known as Terminal Services in earlier versions.
The loopback setting causes a user's typical GPO settings to be disregarded and applies the user settings associated with the GPO instead.
Security Filtering
Each GPO has a Discretionary Access Control List (DACL) that defines permissions to the GPO. You must apply two permissions, Allow Read and Allow Apply Group Policy, to a user or computer. By default, Authenticated Users have the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPO's settings. Therefore, by adjusting the permissions on the GPO you can control who receives them. There are two approaches to do this.
To apply the GPO to only some users, groups or computers:
1.
2. Add the users, groups or computers you want to receive the policies.
3. Grant them Read and Apply Group Policy permissions.
5.
WMI Filtering
You can also use Windows Management Instrumentation (WMI) to control the scope of GPO application, depending on attributes of the destination computer. You can use WMI queries to check for hardware or software conditions that must exist for settings to be applied. For example, a WMI query may check for an operating system version, make or model, or the RAM in the system to determine whether GPO settings should be applied. WMI filters can query for hundreds of different parameters.
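Security filtering as described above, followed by the remote refresh and RSOP check from the What's New section, as one added example (not the course's code): it narrows a GPO's DACL to one group, shows the resulting filter for review, refreshes the computers of an OU with Invoke-GPUpdate, and generates an RSOP report for one of them. The GPO "Kiosk Lockdown", the group "Kiosk Computers", the OU "OU=Kiosks,DC=Adatum,DC=com" and Adatum.com are assumptions, and the firewall openings the note above lists are assumed to be in place.

```powershell
# Added example, not from the course. Assumed: GPO "Kiosk Lockdown", group
# "Kiosk Computers", OU=Kiosks,DC=Adatum,DC=com. Needs the GroupPolicy and
# ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'Kiosk Lockdown'
$Group   = 'Kiosk Computers'
$OuDn    = 'OU=Kiosks,DC=Adatum,DC=com'

# 1. Reduce Authenticated Users from Read + Apply to Read only. Keep Read:
#    removing it entirely is a common cause of a GPO that silently stops
#    applying, because clients can no longer evaluate it at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 2. Grant Read + Apply (GpoApply implies Read) to the intended group only.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Show the resulting DACL so the change can be reviewed and audited.
function Get-GpoFilter {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
Get-GpoFilter -Name $GpoName | Format-Table -AutoSize

# 4. Remote refresh, the scripted form of GPMC's "Group Policy Update".
#    -RandomDelayInMinutes 0 drops the 10-minute spread; keep the default for
#    a large OU so the DCs are not hit by every computer at once.
$computers = Get-ADComputer -Filter * -SearchBase $OuDn | Select-Object -ExpandProperty Name
foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c -Target Computer -RandomDelayInMinutes 0 -Force -ErrorAction Stop
    } catch {
        # Usually RPC or the scheduled-task port blocked on the target.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# 5. Verify on one target: the report's Summary lists the GPOs applied and
#    denied, so a computer outside the group should show the GPO as filtered.
if ($computers) {
    $report = Join-Path $env:TEMP "$($computers[0])-rsop.html"
    Get-GPResultantSetOfPolicy -Computer $computers[0] -ReportType Html -Path $report
    "RSOP report written to $report"
}
```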
Group Policy Client-Side Extensions

The Group Policy Client service determines which GPOs to apply to the client. This service downloads any GPOs that are not already cached. Then, a series of processes called client-side extensions interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are client-side extensions for each major category of policy setting. For example, there is a security client-side extension that applies security changes, a client-side extension that executes startup and logon scripts, a client-side extension that installs software, and a client-side extension that makes changes to registry keys and values. Each new version of Windows has added client-side extensions to extend the functional reach of Group Policy. There are several dozen client-side extensions now in Windows.

Note: For client computers running Windows XP to accept Group Policy Preferences, the client-side extensions for Windows XP preferences must be downloaded and installed on each client computer.
Group Policy is applied at the client computer side at startup for computer settings and when users log on for user settings. Group Policy is also refreshed on the client computer at regular, configurable intervals. The default interval is 90 minutes, with a random offset of up to 30 minutes added so that clients do not all contact the domain controllers at the same time (domain controllers refresh their own computer policy every 5 minutes). The Group Policy client pulls the GPOs from the domain, triggering the client-side extensions to apply settings locally. Group Policy is not a push technology.
Note: You can manually refresh Group Policy from the GPMC in Windows Server 2012, which schedules a refresh on every computer in the selected OU, or by using the GpUpdate command-line utility on the client workstation. gpupdate alone applies only the settings that have changed; gpupdate /force reapplies all settings.
Policies remain in force on the client even if the client is not connected to the corporate LAN. For
example, mobile laptop users continue to have the GPO settings enforced because those settings are
cached on the client. But mobile laptop users receive no changes to policy settings until they reconnect to
the LAN.
Note: If client computers use cached credentials to speed up the logon process, then the
user does not see the effect of several GPO settings until after two logons.
Policies are not reapplied on the client systems unless a change in a policy setting is detected. An important exception to the default policy processing behavior is the settings managed by the security client-side extension. Security settings are reapplied every 16 hours even if a GPO has not changed, so a local change that drifts away from the policy is corrected at the next security refresh without any change to the GPO.
Note: You can configure client-side extensions to reapply policy settings at background refresh even if the GPO has not changed. To do this, define the settings in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. To configure a client-side extension:
1. Open its policy processing policy setting, such as Registry Policy Processing for the Registry client-side extension.
2. Click Enabled.
3. Select the Process even if the Group Policy objects have not changed check box.
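An added example, not part of the course text, that lists the client-side extensions registered on a computer and then sets the "process even if the GPOs have not changed" option for the Registry client-side extension through a GPO. The registry paths are the real ones; the GPO name "Desktop Baseline" and the client name LON-CL1 are assumptions:

```powershell
# Added example (not part of the course text): enumerate the client-side extensions
# registered on this computer, then set the "process even if the GPOs have not
# changed" option for the Registry CSE through a GPO and force a refresh.
# Registry paths are the real ones; the GPO "Desktop Baseline" and the client
# LON-CL1 are assumptions.
Import-Module GroupPolicy

$gpext = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# Each subkey is one CSE: its GUID, display name, DLL and per-CSE defaults.
$cses = Get-ChildItem -Path $gpext | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid             = $_.PSChildName
        Name             = $p.'(default)'
        Dll              = $p.DllName
        NoSlowLink       = $p.NoSlowLink        # 1 = not processed over slow links
        NoGPOListChanges = $p.NoGPOListChanges  # 1 = runs only when a GPO changed
    }
}
$cses | Sort-Object Name | Format-Table -AutoSize
'{0} client-side extensions registered' -f $cses.Count

# The Registry (Administrative Templates) CSE is built into the Group Policy
# client and is not listed above, but it has the same processing policy. Enabling
# "Configure registry policy processing" with "Process even if the Group Policy
# objects have not changed" writes NoGPOListChanges = 0 under this key:
$regCseKey = 'SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
Set-GPRegistryValue -Name 'Desktop Baseline' -Key "HKLM\$regCseKey" `
    -ValueName 'NoGPOListChanges' -Type DWord -Value 0
Set-GPRegistryValue -Name 'Desktop Baseline' -Key "HKLM\$regCseKey" `
    -ValueName 'NoBackgroundPolicy' -Type DWord -Value 0   # keep background refresh on

# The Windows Server 2012 GPMC remote refresh, from PowerShell. Group Policy is
# pull based; this only schedules gpupdate on the target computer.
Invoke-GPUpdate -Computer 'LON-CL1' -Force -RandomDelayInMinutes 0

# On the client, confirm the effective values after the refresh.
Get-ItemProperty -Path "HKLM:\$regCseKey" | Select-Object NoGPOListChanges, NoBackgroundPolicy
```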
If a slow network connection is detected, then certain client-side extensions do not process GPO settings. For example, installing software is not practical across a slow network. By default, a slow connection is defined as one below 500 kilobits per second (Kbps). However, you can configure this threshold in Group Policy (Configure Group Policy slow link detection, in the same System\Group Policy node). Also, you can configure each client-side extension in Group Policy to process even if a slow connection is detected.

Two categories of settings are always applied, even across a slow connection, and this cannot be turned off:
Security settings
Administrative Templates (registry) settings

The remaining client-side extensions each have their own slow-link default, visible in their policy processing setting as Allow processing across a slow network connection. Software installation, scripts, folder redirection and disk quotas are not processed across a slow connection unless that option is enabled; check the setting for the others:
IPsec
Quotas
Folder Redirection
Scripts
Wireless Network settings
Software installations
Note: Older clients, such as Windows XP, use Ping to determine network speed. If you block Internet Control Message Protocol (ICMP) traffic, the connection always appears as a slow connection. Clients that are running Windows Vista or later versions use Network Location Awareness to determine connection speed.
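To see what link speed a Windows Vista or later client actually measured, and which client-side extensions ran or failed, read the Group Policy operational log. This is an added example, not part of the course text; the event IDs are the documented ones for that log:

```powershell
# Added example (not part of the course text): read the client's Group Policy
# operational log to see what link speed it measured and whether any client-side
# extension failed. Event IDs 5314 (link speed), 5016 (CSE completed) and
# 7016 (CSE failed) are the documented IDs for Windows Vista and later.
$log = 'Microsoft-Windows-GroupPolicy/Operational'

# Most recent link-speed measurements; the message states the estimated bandwidth
# and the slow-link threshold the client compared it against.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5314 } -MaxEvents 3 |
    Select-Object TimeCreated, Message | Format-List

# Outcome of each CSE during the last refreshes.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016, 7016 } -MaxEvents 40 |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = $(if ($_.Id -eq 5016) { 'completed' } else { 'FAILED' })
            Detail = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# The configured slow-link threshold, present only when "Configure Group Policy
# slow link detection" is set by policy; absent means the 500 Kbps default applies.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue |
    Select-Object GroupPolicyMinTransferRate
```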
Troubleshooting Group Policy

There may be times when you must troubleshoot Group Policy. There are two main issues that can occur with Group Policy processing:

Policies are not being applied to the client computer.
Policies are applied, but the results are inconsistent or incorrect.

These two issues might arise for the following reasons:

Slow network conditions may exist.
Inheritance or enforcement settings may be applied.
The loopback setting may be turned on.
Local computer policies may affect the results.
Start to troubleshoot by determining the scope of the issue. For example, is the issue widespread, or only affecting a single client? If the issue affects a single client, you should check for physical issues, such as incorrect configurations. These issues are usually easy to diagnose.

Check Event Viewer entries, Windows logs, and application and service logs. These can provide valuable information about the cause of issues. Log entries frequently direct you to the area in which to begin an investigation. On Windows Vista and later, the most useful source is the Group Policy operational log under Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational, which records each processing cycle, the link speed detected, and the result of every client-side extension.

Most Group Policy issues are caused by:

Inheritance
Filtering
Replication
Troubleshooting Inheritance
If none of the users or computers in an OU or child OUs receive policies that were linked to higher levels,
it may be because of inheritance blocking. The GPMC displays a blue exclamation mark when inheritance
is blocked. RSOP lists the GPOs that are being applied, and the GPOs that are being blocked. You can
generate Group Policy results at the destination computer or from the GPMC through the Group Policy
Results Wizard.
Troubleshooting Filtering
GPO filtering may result from:
Security filtering
WMI filtering
Symptoms of filtering issues may appear as inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they do not receive policies that other users in the same OU
receive.
Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If
there is a link to a non-existent WMI filter, the GPO with that link is not processed until the link is
removed or the filter is restored.
Troubleshooting Replication

Group Policy information takes time to propagate or replicate from one domain controller to another. A GPO has two parts that replicate separately: the Group Policy container in AD DS, which uses AD DS replication, and the Group Policy template in SYSVOL, which uses the File Replication Service (FRS) or, in domains that have migrated SYSVOL, DFS Replication. Replication issues are most noticeable in remote sites with slow connections and long replication latency. You can use the new Status tab in the GPMC on Windows Server 2012 to determine the replication health of the GPO. If replication is an issue, you must determine whether the problem is with SYSVOL replication (FRS or DFS Replication) or with AD DS replication. There are two simple tests that you can use to determine the issue:

For SYSVOL replication, put a small test file into the SYSVOL directory. See whether it replicates to other domain controllers.
For AD DS replication, create a test object, such as an OU. See whether it replicates to other domain controllers.
Some users rarely restart or even log off their systems. Several Group Policy settings cannot be refreshed
during a typical refresh cycle. Some settings require a logoff or a restart to be applied. In fact, because of
cached credentials, many settings require two logons for the user to see the effect of the setting. If some
users do not receive the policy settings, ensure that they restart or log off and on two times to rule out
the effect of cached credentials.
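The replication checks and the RSoP collection from this topic, scripted as an added example that is not part of the course text. The GPO name "Prohibit Registry Tools", the client LON-CL1 and the user ADATUM\Bill are taken from the lab later on this page; the script assumes the GroupPolicy and ActiveDirectory modules are installed:

```powershell
# Added example (not part of the course text): check a GPO's replication state on
# every domain controller, run the SYSVOL and AD DS replication tests from the
# lesson, and pull a client's RSoP. The GPO, client and user names are the lab's.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Prohibit Registry Tools'
$dcs     = (Get-ADDomainController -Filter *).HostName
$domain  = Get-ADDomain
$stamp   = Get-Date -Format yyyyMMddHHmmss

# A GPO is two parts: the container in AD DS (DSVersion) and the template in
# SYSVOL (SysvolVersion). Different numbers on one DC mean SYSVOL and AD DS
# replication are out of step; different numbers between DCs mean latency.
$versions = foreach ($dc in $dcs) {
    $g = Get-GPO -Name $gpoName -Server $dc
    [pscustomobject]@{
        DC             = $dc
        UserAD         = $g.User.DSVersion
        UserSysvol     = $g.User.SysvolVersion
        ComputerAD     = $g.Computer.DSVersion
        ComputerSysvol = $g.Computer.SysvolVersion
        InSync         = ($g.User.DSVersion -eq $g.User.SysvolVersion) -and
                         ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion)
    }
}
$versions | Format-Table -AutoSize

# SYSVOL test: drop a marker file on one DC and see where it arrives.
$marker = "repl-test-$stamp.txt"
Set-Content -Path "\\$($dcs[0])\SYSVOL\$($domain.DNSRoot)\scripts\$marker" -Value 'replication test'
Start-Sleep -Seconds 60
foreach ($dc in $dcs) {
    '{0}: marker present = {1}' -f $dc, (Test-Path "\\$dc\SYSVOL\$($domain.DNSRoot)\scripts\$marker")
}

# AD DS test: a throwaway OU created on one DC, looked up on every DC.
# Remove the OU and the marker file once the test is done.
New-ADOrganizationalUnit -Name "ReplTest-$stamp" -Path $domain.DistinguishedName `
    -ProtectedFromAccidentalDeletion $false -Server $dcs[0]
Start-Sleep -Seconds 60
foreach ($dc in $dcs) {
    '{0}: OU present = {1}' -f $dc, [bool](Get-ADOrganizationalUnit -Filter "Name -eq 'ReplTest-$stamp'" -Server $dc)
}

# RSoP for a user who has already logged on to the client; the HTML report names
# each denied GPO and the reason (Security, WMI Filter, Blocked inheritance,
# link disabled).
Get-GPResultantSetOfPolicy -Computer 'LON-CL1' -User 'ADATUM\Bill' -ReportType Html -Path 'C:\rsop-bill.html'
```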
Best Practices for Implementing Group Policy

Group Policy is a very powerful tool, but you must apply it correctly. Implementing a Group Policy solution involves planning, designing, deploying, and maintaining the solution. There are some best practices that you should follow.

Plan Your Deployment

Define the scope of application of Group Policy. Define what types of settings are global to all users and computers and design or modify the OU structure to accommodate Group Policy application. You should design the OU structure with Group Policy in mind and enhance the inherited nature of Group Policy settings by grouping objects in a hierarchy that enables that flow of Group Policy settings.

Create Standard Desktop Configurations

One of the goals of controlling the computing environment is to provide consistency. Standard desktop configurations for various user types or departments can make system repair or replacement a simpler task if many of the configuration settings are delivered by using Group Policy.

Do Not Use the Default Domain Policy or Default Domain Controllers Policy for Other Purposes

These two default policies provide basic settings for the domain, such as password policies, and for domain controllers, such as auditing settings. If you want to apply other configuration settings to the domain or to domain controllers, create new policies. Use the default policies for password, auditing and security settings only.

Use Inheritance Modifications and Filtering Sparingly

Use Loopback Processing for Special Case Scenarios

Loopback can solve issues with desktop standardization for scenarios where the system users log on to special purpose systems, such as Remote Desktop Services or kiosk computers.

Implement a Change Request Process

Limit changes to Group Policy settings to a small group of administrators. All changes should be approved and documented. Consider using the Advanced Group Policy Management (AGPM) tool available with the Microsoft Desktop Optimization Pack (MDOP).
Lesson 5
Maintaining AD DS

Maintaining the health of AD DS is an important aspect of an administrator's job. In this lesson, you will learn how to use Windows Server Backup to effectively back up and restore AD DS and domain controllers. You will also learn how to optimize and protect your directory service so that if a domain controller does fail, you can restore it as quickly as possible.

Lesson Objectives

After completing this lesson, you will be able to:

Describe AD DS snapshots.

Options for AD DS Backup

Windows Server Backup was introduced in Windows Server 2008. It enables you to back up and restore a server, its roles, and its data. Windows Server Backup is installed as a feature in Server Manager.
Note: The Windows Server Backup MMC appears on the Tools list in Server Manager even though the feature is not actually installed until you manually add the feature.
In earlier versions of Windows, backing up Active Directory involved creating a backup of the System State. In Windows Server 2012, the System State still exists, but it is physically larger in size. Because of interdependencies between server roles, physical configuration, and Active Directory, the System State is now a subset of a Full Server backup and, in some configurations, might be just as large as a full server backup. To back up a domain controller, you must back up all critical volumes fully.

Windows Server Backup enables you to perform one of the following types of backups:

Full server
Selected volumes
System State
Individual files or folders
When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data that resides on the volumes that host the:

Windows operating system and the registry.
SYSVOL tree.
Active Directory database (NTDS.dit) and its transaction log files.

To perform a backup, you must first install the Windows Server Backup feature. You can then use the Windows Server Backup console to create backup jobs. The Actions pane in the Windows Server Backup console enables you to start a wizard to perform a scheduled backup or a one-time backup job. The wizard prompts for a backup type, backup selection, backup destination and schedule (if performing a scheduled job). The destination must not itself be one of the critical volumes.
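The same backup from PowerShell, as an added example that is not part of the course text. It assumes the backup target is a dedicated volume E: that is not a critical volume:

```powershell
# Added example (not part of the course text): install Windows Server Backup and
# take a one-time critical-volume backup of a domain controller from PowerShell.
# The backup target E: is an assumption and must not be a critical volume.
Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools

# Critical volumes of a DC: OS + registry, SYSVOL, NTDS.dit and its logs.
# System State covers those components; Bare Metal Recovery adds the full
# critical volumes so the whole server can be rebuilt.
$policy = New-WBPolicy
Add-WBSystemState      -Policy $policy
Add-WBBareMetalRecovery -Policy $policy
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

Start-WBBackup -Policy $policy

# List the backups on the target and the version IDs a later restore will need.
Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
wbadmin get versions -backupTarget:E:

# Equivalent command-line form for a System State-only backup:
# wbadmin start systemstatebackup -backupTarget:E: -quiet
```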
Options for AD DS Restore

When a domain controller or its directory is corrupted, damaged, or failed, you can restore the system by using several options.

The first option is called typical restore or nonauthoritative restore. In a normal restore operation, you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. The domain controller "catches up" with the rest of the domain by using standard replication mechanisms. Normal restore is useful when the directory on a domain controller was damaged or corrupted, but the problem has not spread to other domain controllers. This is not a method that works if you are trying to restore a deleted object and the deletion has replicated to the other domain controllers.

If the typical restore does not work, you can perform an authoritative restore. In an authoritative restore, you restore the known good version of Active Directory just as you do in a typical restore. However, before restarting the domain controller, you mark the objects that you want to recover (the deleted objects) as authoritative so that they replicate from the restored domain controller to its replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the version number of all object attributes (by default, by 100,000 for each day that has elapsed since the backup was taken) so that the version is guaranteed to be higher than the version number of the deleted object on all other domain controllers. When you restart the restored domain controller, it replicates from its replication partners all changes that are made to the directory. It also notifies its partners that it has changes, and the version numbers of the changes ensure that partners take the changes and replicate them throughout the directory service. Mark only the objects or subtree that were lost as authoritative; marking the whole database authoritative overwrites every change made in the domain since the backup.

The third option for restoring the directory service is to restore the whole domain controller. You do this by booting to the Windows Recovery Environment and restoring a full server backup of the domain controller. By default, this is a typical restore. If you must also mark objects as authoritative, you must restart the server in Directory Services Restore Mode and set those objects as authoritative before starting the domain controller into typical operation.
Finally, you can restore a backup of the System State to an alternative location. This enables you to examine files and, potentially, to mount the NTDS.dit file as described in the previous lesson. You should not copy the files from an alternative restore location over the production versions of those files. Do not do a piecemeal restore of Active Directory. This option is also used if you want to use the Install From Media option for creating a new domain controller.
How Does the Active Directory Recycle Bin Work?

The Active Directory Recycle Bin was introduced in Windows Server 2008 R2. You could only access this feature by using Windows PowerShell cmdlets and the Ldp.exe LDAP utility.

In Windows Server 2012 you can now access the Active Directory Recycle Bin from the Active Directory Administrative Center. This simplifies the recovery of Active Directory objects that were erroneously deleted. It lets administrators enable the Recycle Bin and locate or restore deleted objects in the domain. It is no longer required to use Windows PowerShell or Ldp.exe to enable the Recycle Bin or restore objects in domain partitions.

Active Directory Recycle Bin Characteristics

The Active Directory Recycle Bin has the following characteristics:

It must be manually enabled. As soon as it is enabled, you cannot disable it.
Active Directory Recycle Bin requires at least the Windows Server 2008 R2 forest functional level.
Once it is enabled, a deleted object keeps all of its attributes and link-valued attributes (such as group memberships) for the deleted object lifetime, 180 days by default, and can be restored intact during that time. After that it becomes a recycled object that can no longer be restored.

Enabling the Active Directory Recycle Bin

To enable the Active Directory Recycle Bin:
1. Open Active Directory Administrative Center.
2. In the navigation pane, click the domain.
3. In the Tasks pane, click Enable Recycle Bin.
4. Acknowledge the warning dialog boxes to complete the action.
Because many objects are intentionally deleted in typical Active Directory operations, the Active Directory
Administrative Center has advanced filtering criteria, making targeted restoration easier in large
environments that have many deleted objects. The restore operation supports all the standard filter
criteria options as any other search. Multiple search criteria can be combined. Common search criteria
include:
Name
When deleted
Employee ID
First name
Last name
Job title
City
As soon as you locate the object to be restored, right-click the object, and then click Restore.
To restore the object to its original location, in the Tasks pane, click Restore.
You can restore multiple objects as long as they are all restored to the same location.
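The same enable, search and restore sequence from PowerShell, as an added example that is not part of the course text. The forest adatum.com, the Research OU and the user Allie Bellew are taken from the lab later on this page:

```powershell
# Added example (not part of the course text): enable the AD Recycle Bin and
# restore a deleted user from PowerShell. Forest, OU and user names are the lab's.
Import-Module ActiveDirectory

# Prerequisite: forest functional level Windows Server 2008 R2 (enum value 4) or higher.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest mode $($forest.ForestMode) is below Windows2008R2Forest; raise it first"
}

# Enable once per forest. This cannot be undone, so the check avoids re-running it.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Find deleted objects. lastKnownParent and msDS-LastKnownRDN survive deletion,
# so you can filter on where an object lived, much like ADAC's filter criteria.
$researchOu = 'OU=Research,DC=adatum,DC=com'
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and lastKnownParent -eq $researchOu' `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged
$deleted | Select-Object msDS-LastKnownRDN, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore by distinguished name. Without -TargetPath the object goes back to its
# original container; if that container was deleted too, restore it first.
$allie = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Allie Bellew' }
Restore-ADObject -Identity $allie.DistinguishedName

# Verify: unlike a tombstone reanimation, attributes and memberships come back intact.
Get-ADUser -Filter 'Name -eq "Allie Bellew"' -Properties MemberOf |
    Select-Object Name, Enabled, DistinguishedName, MemberOf
```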
What Are AD DS Snapshots?

A snapshot captures the exact state of the directory service at the time of the snapshot. Unlike a backup, you cannot use a snapshot to restore data. However, you can use tools to explore the contents of the snapshot to examine the state of the directory service at the time the snapshot was made. A snapshot is a Volume Shadow Copy on the domain controller's own disks, so it is not a substitute for a backup kept elsewhere.

Creating a Snapshot

You use NTDSUtil to create and mount snapshots for viewing. To create a snapshot:
1. Open an elevated command prompt.
2. Type ntdsutil, and then press Enter.
3. Type activate instance ntds, and then press Enter.
4. Type snapshot, and then press Enter.
5. Type create, and then press Enter. Type list all, and then press Enter, to see the GUID of the new snapshot.
6. Type mount GUID, where GUID is the GUID of the snapshot, and then press Enter. NTDSUtil reports the folder in which the snapshot is mounted.
7. Type quit, and then press Enter.
8. Type quit, and then press Enter.
9. Type dsamain -dbpath followed by the path to the NTDS.dit file in the mounted snapshot and -ldapport followed by an unused port, such as 50000, and then press Enter. DSAMain.exe exposes the snapshot as a read-only LDAP instance on that port for as long as it runs.
Viewing the Snapshot

After you have mounted the snapshot, you can use tools to connect to and explore the snapshot, including Active Directory Users and Computers.

To connect to a snapshot with Active Directory Users and Computers:
1. Open Active Directory Users and Computers.
2. Right-click the root node, and then click Change Domain Controller.
3. Click This Domain Controller or AD LDS instance, and then type the name of the domain controller followed by a colon and the port on which DSAMain.exe exposes the snapshot, for example LON-DC1:50000.
4. Click OK.

To unmount the snapshot:
1. Switch to the command prompt in which the snapshot is mounted.
2. Press Ctrl+C to stop DSAMain.exe.
3. Type ntdsutil, and then press Enter.
4. Type activate instance ntds, and then press Enter.
5. Type snapshot, and then press Enter.
6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.
7. Type quit, and then press Enter.
8. Type quit, and then press Enter.
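The create, mount, expose, query and unmount cycle scripted end to end, as an added example that is not part of the course text. Port 50000 is the lab's choice; the database path inside the mounted snapshot assumes the default %systemroot%\NTDS location, and the user name is the lab's:

```powershell
# Added example (not part of the course text): create / mount / expose / unmount
# an AD DS snapshot with ntdsutil and dsamain. Port 50000 is the lab's choice; the
# Windows\NTDS path under the $SNAP_... mount point assumes the default database
# location. Run elevated on the domain controller.
$port = 50000

# 1. Create a snapshot, then read its GUID back from "list all" (the "C:" line).
ntdsutil 'activate instance ntds' snapshot create quit quit | Out-Null
$list = ntdsutil 'activate instance ntds' snapshot 'list all' quit quit
$guid = ($list | Select-String -Pattern '^\s*\d+:\s+C:\s+(\{[0-9a-fA-F-]+\})' |
         Select-Object -Last 1).Matches[0].Groups[1].Value
"Snapshot GUID: $guid"

# 2. Mount it; ntdsutil reports the mount point, e.g. C:\$SNAP_201301151200_VOLUMEC$\
$out   = ntdsutil 'activate instance ntds' snapshot "mount $guid" quit quit
$mount = ([regex]::Match(($out -join "`n"), '[A-Z]:\\\$SNAP_\S+')).Value
"Mounted at: $mount"

# 3. Expose the snapshot's ntds.dit as a read-only LDAP instance on $port.
$dit = Join-Path $mount 'Windows\NTDS\ntds.dit'
$dsa = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
Start-Sleep -Seconds 10

# 4. Query it with the normal AD cmdlets by pointing -Server at that port.
Get-ADUser -Filter 'Name -eq "Allie Bellew"' -Server "localhost:$port" |
    Select-Object Name, DistinguishedName

# 5. Tear down: stop dsamain (the Ctrl+C of the manual procedure), then unmount.
Stop-Process -Id $dsa.Id
ntdsutil 'activate instance ntds' snapshot "unmount $guid" quit quit | Out-Null

# Optional, once the snapshot is no longer needed:
# ntdsutil 'activate instance ntds' snapshot "delete $guid" quit quit
```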
AD DS Database Maintenance

The Active Directory database is stored as a file named NTDS.dit. When you install and configure AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. In the NTDS folder, there are other files that support the Active Directory database. They are:

EDB.chk. The EDB.chk file functions like a bookmark into the log files, marking the location before which transactions are successfully committed to the database, and after which transactions remain to be committed.

Edbres00001.jrs and Edbres00002.jrs. These two files are empty files of 10 MB each. If the disk the database resides on should run out of space, these files provide the domain controller with the space to write pending transactions before safely shutting down AD DS services and dismounting the database.
The Active Directory database is self-maintaining. Every 12 hours, by default, each domain controller runs a process that is known as garbage collection. Garbage collection does two things. First, it removes deleted objects that have outlived their tombstone lifetime, which is 180 days by default for forests created on Windows Server 2003 SP1 or later (60 days for older forests whose setting was never raised). Second, the garbage collection process performs online defragmentation. Online defragmentation reorganizes the pages of the database so that free pages are contiguous, very much like disk defragmentation reorganizes sectors of a disk so that free space is contiguous. However, this process does not reduce the file size of the database. It optimizes the internal order of the database. In most organizations, this will be sufficient.

To reduce the physical size of the NTDS.dit, perform offline defragmentation. To perform an offline defragmentation you must stop AD DS; on Windows Server 2008 and later you can stop the Active Directory Domain Services service instead of restarting in Directory Services Restore Mode. Then use NTDSUtil to compact the database to a different location. Then replace the original NTDS.dit with the compacted version.

Note: Do not delete the original NTDS.dit; you only have to rename it, so that you can put it back if the compacted copy fails its integrity check.
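The offline defragmentation scripted, as an added example that is not part of the course text. It assumes the default %systemroot%\NTDS database location and a scratch folder C:\NTDS-Compact on a volume with at least as much free space as the current NTDS.dit:

```powershell
# Added example (not part of the course text): offline defragmentation with
# NTDSUtil, scripted. Assumes the default %systemroot%\NTDS location and a scratch
# folder with free space >= the current NTDS.dit size. Run elevated on the DC.
$ntds    = Join-Path $env:SystemRoot 'NTDS'
$dit     = Join-Path $ntds 'ntds.dit'
$scratch = 'C:\NTDS-Compact'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Windows Server 2008+ lets you stop AD DS as a service instead of booting to DSRM.
Stop-Service -Name NTDS -Force
'Before: {0:N0} MB' -f ((Get-Item $dit).Length / 1MB)

# Compact to the scratch folder; ntdsutil writes a fresh ntds.dit there.
ntdsutil 'activate instance ntds' files "compact to $scratch" quit quit
$compacted = Join-Path $scratch 'ntds.dit'
if (-not (Test-Path $compacted)) {
    Start-Service -Name NTDS
    throw 'Compaction produced no file; AD DS restarted on the original database'
}

# Keep the original (rename, never delete), move the compacted copy into place,
# delete the old transaction logs as ntdsutil instructs, then verify integrity.
Rename-Item -Path $dit -NewName "ntds.dit.$(Get-Date -Format yyyyMMdd).bak"
Copy-Item -Path $compacted -Destination $dit
Remove-Item -Path (Join-Path $ntds '*.log')
ntdsutil 'activate instance ntds' files integrity quit quit

'After: {0:N0} MB' -f ((Get-Item $dit).Length / 1MB)
Start-Service -Name NTDS

# Confirm the DC is healthy and still replicating before deleting the .bak file.
dcdiag /test:replications
```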
Lab: Implementing AD DS
Scenario
A. Datum is an engineering and manufacturing company. The organization is based in London, England,
but is quickly expanding the London location as well as internationally. As the company has expanded,
some business requirements are changing as well. To address some business requirements, A. Datum had
decided to deploy Windows Server 2012.
As the company expands, they must also expand their Active Directory infrastructure. You are assigned to
implement new domain controllers and also to consider implementation of RODCs, where appropriate.
Also, there are reports that Group Policies are not being applied on some computers, so you must
troubleshoot. The company also wants to centralize management of all accounts that are being used for
services, and to stop usage of local accounts for that purpose. Also, you must evaluate available
techniques for AD DS maintenance.
Objectives
Deploy an RODC
Maintain AD DS
Lab Setup
Estimated time: 60 minutes
Virtual machines
20417A-LON-DC1
20417A-LON-SVR3
20417A-LON-CL1
User Name
Adatum\Administrator
Password
Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20417A-LON-SVR3 and 20417A-LON-CL1. Do not log on to LON-SVR3 or LON-CL1 until instructed to do so.
As company business expands, you must add domain controllers to new locations. Some locations do not
have required physical security for server rooms so you decide to implement read-only domain controllers
for these locations. Those servers are already in place at the branch location performing local file and print
duties. You plan to install the RODC role remotely by using Server Manager from head office. You also
plan to configure the RODC to cache passwords locally for members of the Managers group and assign
administrative access to the server to the IT group.
The main tasks for this exercise are as follows:
1. Add LON-SVR3 as a server to manage and create a server group.
2. Deploy an RODC remotely.
3. Configure the password replication policy.
4. Configure administrative assignments for the RODC.

Task 1: Add LON-SVR3 as a server to manage and create a server group
1. Use the Server Manager Dashboard to add LON-SVR3 as a server to manage.
2. Use the Server Manager Dashboard to create a server group named DCs.

Task 2: Deploy an RODC remotely
1. Use the Server Manager Dashboard to add the Active Directory Domain Services role to LON-SVR3.
2. Open the notifications and complete the Post-deployment Configuration to promote LON-SVR3 to be a read-only domain controller (RODC) in the existing domain.

Task 3: Configure the password replication policy
1. Use Active Directory Users and Computers to configure the password caching options of LON-SVR3 in such a way that passwords are cached on the RODC for members of the Managers group.

Task 4: Configure administrative assignments
1. On the properties of LON-SVR3 in Active Directory Users and Computers, assign administrative access to the server to the IT group.

Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a server group, deployed an RODC remotely, and configured the password replication policy and administrative assignments for the RODC.
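The same deployment done from head office with PowerShell rather than Server Manager, as an added example that is not part of the lab text. Server, domain and group names are the lab's; the site name and the DSRM password prompt are assumptions:

```powershell
# Added example (not part of the lab text): deploy the RODC remotely and set its
# password replication policy and delegated administrator from PowerShell. Names
# (LON-SVR3, adatum.com, Managers, IT) are the lab's; the site name is an assumption.
$dsrm = Read-Host -AsSecureString 'DSRM password for LON-SVR3'
$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Domain Admin credential'

# Promote from head office. The domain credential is passed explicitly to
# Install-ADDSDomainController, so the remote session needs no delegation.
Invoke-Command -ComputerName LON-SVR3 -Credential $cred -ArgumentList $dsrm, $cred -ScriptBlock {
    param($DsrmPassword, $DomainCred)
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    # -ReadOnlyReplica makes this an RODC in the existing domain. Allowed and
    # delegated accounts are set at promotion time; the server reboots on completion.
    Install-ADDSDomainController -DomainName 'adatum.com' -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' -InstallDns `
        -AllowPasswordReplicationAccountName @('ADATUM\Managers') `
        -DelegatedAdministratorAccountName 'ADATUM\IT' `
        -SafeModeAdministratorPassword $DsrmPassword -Credential $DomainCred -Force
}

# After the reboot, verify or adjust the password replication policy from a writable DC.
Import-Module ActiveDirectory
Add-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -AllowedList 'Managers'
Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -AllowedList |
    Select-Object Name, objectClass

# Never add Domain Admins or other privileged groups to the allowed list; the
# Denied RODC Password Replication Group blocks them by default for a reason.
Get-ADDomainControllerPasswordReplicationPolicy -Identity LON-SVR3 -DeniedList |
    Select-Object Name

# What the RODC has actually cached so far versus what it is allowed to cache.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity LON-SVR3 -RevealedAccounts |
    Select-Object Name, objectClass
```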
All domain users should not have access to change their desktop background.
All domain users except the IT group should be unable to access Registry Editor.
Currently, there are some problems in the way the GPOs that deliver those settings are being applied.
You have to investigate, troubleshoot and resolve this problem.
The main tasks for this exercise are as follows:
1. Determine the issue by logging on to LON-CL1 as an IT group user and a Managers group user, and check whether the policies are being applied correctly.
2. Use the Group Policy Management console to investigate and correct the issues.
3. Verify that the policies are now applied.

Task 1: Determine the issue
1. Log on as Brad with the password Pa$$w0rd. Attempt to change the desktop background and attempt to start the Registry Editor.
2. Use GPResult to determine the RSoP, and then log off LON-CL1.
3. Log on as Bill with the password Pa$$w0rd. Attempt to change the desktop background and attempt to start the Registry Editor.

Task 2: Investigate and correct the issues
1. Use the Group Policy Management console to investigate and correct the issues.
2. Remove the Block Inheritance setting from the Managers OU to resolve the issue.
3. Think of a way to ensure that the Prohibit Registry Tools GPO will not be applied to IT group users.
4. Use Security Filtering to deny access to the policy to the IT security group.

Task 3: Verify the policies
1. Log on to LON-CL1 as Bill with the password Pa$$w0rd and run the GPResult utility.
2. Log on to LON-CL1 as Brad with the password Pa$$w0rd and run the GPResult utility.
Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.
To this point, there was no consistent policy about accounts that were used for services. On some servers,
local accounts were used, while others were using domain accounts. Also, password management for
these accounts was not consistent. Some of them were having non-expiring passwords, while others were
updated with new passwords manually. You decide to implement Managed Service Accounts to replace
all these techniques. You will create the account and assign the account to the Web service
DefaultAppPool.
The main tasks for this exercise are as follows:
1. Create a group managed service account.
2. Configure the Web Server Application Pool to use the group managed service account.

Task 1: Create a group managed service account
1. Create the KDS root key by using the Add-KdsRootKey cmdlet. Set the effective time to 10 hours in the past so that the key is effective immediately in the lab environment; in production, let the key replicate for the full 10 hours before creating accounts that depend on it.
2. Create the new service account named Webservice for the host LON-DC1.
3. Verify that the group managed service account was created by using the Get-ADServiceAccount cmdlet.

Task 2: Configure the Web Server Application Pool to Use the Group Managed Service Account
1. On LON-DC1, configure the DefaultAppPool to use the Webservice$ account as the identity.

Results: After completing this exercise, you will have created and associated a managed service account, installed a managed service account on a web server, and verified the password change for a managed service account.
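The gMSA exercise scripted end to end, as an added example that is not part of the lab text. The names (Webservice, LON-DC1, DefaultAppPool, adatum.com) are the lab's; it assumes the ActiveDirectory module on the domain controller and the WebAdministration module on the web host, which in this lab is the same machine:

```powershell
# Added example (not part of the lab text): create a group managed service account
# and bind an IIS application pool to it. Names are the lab's.
Import-Module ActiveDirectory

# 1. KDS root key. Backdating the effective time by 10 hours is a lab-only
#    shortcut that skips the wait for the key to replicate to every DC. In
#    production use -EffectiveImmediately and wait the 10 hours.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Get-KdsRootKey | Select-Object KeyId, EffectiveTime

# 2. Create the gMSA and restrict password retrieval to the one host that needs it.
New-ADServiceAccount -Name Webservice -DNSHostName webservice.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$'

# 3. On the host: install the account locally and prove it can fetch its password.
Install-ADServiceAccount -Identity Webservice
if (-not (Test-ADServiceAccount -Identity Webservice)) {
    throw 'gMSA is not usable on this host; check PrincipalsAllowedToRetrieveManagedPassword'
}
Get-ADServiceAccount -Identity Webservice -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 4. Point the application pool at the gMSA. identityType 3 = SpecificUser; the
#    password is left empty because Windows manages it.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ userName = 'ADATUM\Webservice$'; password = ''; identityType = 3 }
Restart-WebAppPool -Name DefaultAppPool
Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel |
    Select-Object userName, identityType
```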
Exercise 4: Maintaining AD DS
Scenario
As a part of maintenance plan, you are assigned with task to evaluate possibilities to quickly restore
accidentally deleted objects. You decided to enable and test Active Directory snapshots and the AD DS
Recycle Bin.
The main tasks for this exercise are as follows:
1. Create and mount an Active Directory snapshot.
2. Delete a user as a test.
3. View the snapshot.
4. Enable the Active Directory Recycle Bin.
5. Restore the deleted user.

1. Switch to LON-DC1.
2. Open an elevated command prompt.
3. Create a snapshot by running the following commands in sequence:
   Ntdsutil
   Activate instance ntds
   Snapshot
   Create
4. Mount the snapshot as a new instance of AD DS by running the Mount {GUID} command.
5. Close ntdsutil.
6. Use the dsamain command to expose the snapshot to LDAP port 50000.
7. Use Active Directory Users and Computers to delete Allie Bellew from the Research OU.
8. Use Active Directory Users and Computers to connect LON-DC1 to the snapshot instance at port 50000.
9. Use the Active Directory Administrative Center to enable the Recycle Bin.
When you are finished the lab, revert the virtual machines to their initial state.
Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.
When cloning virtualized domain controllers (VDCs), we recommend copying disks manually if there is only one drive. We recommend Export for VMs with more than one drive or other complex customizations such as multiple NICs.
AD DS should be at the minimum Windows Server 2008 R2 level to provide fully automatic password and SPN management for managed service accounts. Group managed service accounts additionally require the Windows Server 2012 schema and at least one Windows Server 2012 domain controller to host the Key Distribution Service.
Do not use volumes that contain backups of GPOs or AD DS data for other uses.

Review Questions
1. You have a mixture of client computers running Windows XP and Windows 8. After you configure several settings in the Administrative Templates and Preferences of a GPO, Windows XP users report that some settings are being applied while others are not.
2. When you have branch offices across WAN links, what solutions are available to facilitate client logons in the branch offices? What if security is a concern?
3. What can you do to help prevent network interruptions from preventing users from logging on?

Tools
Server Manager
GPMC
Module 12
Implementing Active Directory Federation Services

Contents:
Module Overview 12-1
Lab: Implementing AD FS 12-28
Module Overview
Active Directory Federation Services (AD FS) in Windows Server 2012 provides flexibility for
organizations that want to enable their users to log on to applications that may be located on a local
network, at a partner company, or in an online service. AD FS enables an organization to manage its own
user accounts, and users only have to remember one set of credentials. However, those credentials can be
used to provide access to a variety of applications, located in a variety of locations.
This module provides an overview of AD FS, and details how to configure AD FS in both a single
organization scenario and in a partner organization scenario.
Objectives
Describe the identity-federation business scenarios, and how you can use AD FS to address
the scenarios.
Lesson 1
Overview of Active Directory Federation Services

AD FS is the Microsoft implementation of an identity federation framework that enables organizations to establish federation trusts and share resources across organizational boundaries. AD FS is compliant with common web-services standards to enable interoperability with other identity federation implementations.

AD FS is designed to address a variety of business scenarios where the typical authentication mechanisms used in a single organization do not work. This lesson provides an overview of the concepts and standards that are implemented in AD FS, and also provides an overview of the business scenarios that you can address with AD FS.

Lesson Objectives

After completing this lesson, you will be able to:

Describe identity federation.
Describe claims-based authentication.
Describe web services.
Describe AD FS.
Explain how AD FS enables SSO within a single organization.
Explain how AD FS enables SSO between business partners.
Explain how AD FS enables SSO between on-premises and cloud-based services.

What Is Identity Federation?

Identity federation enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. You can implement identity federation within a single organization to enable access to diverse web applications, or between two organizations that have a relationship of trust between them.

To establish an identity federation partnership, both partners agree to create a federated trust relationship. This federated trust is based on an ongoing business relationship, and enables the organizations to implement business processes identified in the business relationship.

Note: A federated trust is not the same as a forest trust that organizations can configure between forests in Active Directory Domain Services (AD DS). In a federated trust, the AD FS servers in two organizations never have to communicate directly with each other.

As a part of the federated trust, each partner defines what resources are accessible to the other organization, and how to enable access to the resources. For example, to update a sales forecast, a sales representative may need to collect information from a supplier's database that is hosted on the supplier's network. The domain administrator for the sales representative is responsible for ensuring that the appropriate sales representatives are members of the group that requires access to the supplier's database. The administrator of the organization in which the database is located is responsible for ensuring that the partner's employees only have access to the data that they require.
In
n an identity fe
ederation soluttion, user identities and thei r associated crredentials are stored, owned
d, and
managed
m
by the
e organization
n in which the user is located
d. As part of th
he identity federation trust, e
each
orrganization alsso defines how
w the user iden
ntities are sharred securely to
o restrict access to resources.. Each
pa
artner must de
efine the servicces that it mak
kes available to
o trusted partn
ners and custo
omers, and also
o define
which
w
other org
ganizations and users it trustts, what types of credentials and requests it accepts, and
d its
privacy policies,, to ensure tha
at private inforrmation is not accessible acrross the trust.
What Is Claims-Based Identity?
Claims-based authentication addresses issues with extending typical authentication and authorization mechanisms outside the boundaries associated with that mechanism. For example, in most organizations, users are authenticated by an AD DS domain controller when they log on to the network. If the user provides the right credentials to the domain controller, the user is granted a security token. Applications that are running on servers in the same AD DS environment trust the security tokens that the AD DS domain controllers provide. This is because the servers can communicate with the same domain controllers where the users authenticated.
The problem with this authentication is that it does not extend easily outside the boundaries of the AD DS forest. Although it is possible to implement Kerberos or NTLM-based trusts between two AD DS forests, servers on both sides of the trust must communicate with domain controllers in the other forest to make authentication and authorization decisions. The problem becomes even more complicated when users have to access resources hosted in cloud-based systems, such as Microsoft Azure or Microsoft Office 365.
Claims-based authentication provides a mechanism for separating user authentication and authorization from individual applications. With claims-based authentication, users can authenticate to a directory service in their organization, and be granted a claim based on that authentication. The claim then can be presented to an application that is running in a different organization. The application is designed to enable user access to the information or features based on the claims presented.
The claim used in claims-based authentication is just a statement about a user that is defined in one organization or technology and trusted in another organization or technology. The claim could include a variety of information. For example, the claim could define the user's e-mail address, user principal name (UPN), and information about all of the groups to which the user belongs. This information is collected from the authentication mechanism when the user authenticates successfully.
The organization that manages the application defines what types of claims the application will accept. For example, the application may require the user's email address to verify the user identity, and also use the group membership presented inside the claim to determine what level of access the user should have within the application.
Web Services Overview
For claims-based authentication to work, organizations have to agree on the format for exchanging claims. Rather than have each business define this format, a set of specifications has been developed that any organization can use if it wants to implement a federated identity solution. This set of specifications is identified broadly as web services.
Web services are the set of specifications that an enterprise uses for building connected applications and services, whose functionality and interfaces are exposed to potential users through web-technology standards. These standards can include Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and HTTP. The goal for creating web applications by using web services is to simplify interoperability for applications across multiple development platforms, technologies, and networks.
To enhance interoperability, a set of industry standards defines web services, which are based on the following standards:
Web services provide a way to describe their interfaces in enough detail to enable a user to build a client application to communicate with the service. This description is usually provided in an XML document called a WSDL document. In other words, a WSDL file is an XML document that describes a set of SOAP messages and how the messages are exchanged.
WS-* Security Specifications
WS-Trust. WS-Trust defines extensions that build on WS-Security to request and issue security tokens and manage trust relationships.
WS-Federation. WS-Federation defines mechanisms that WS-Security can use to enable identity, attribute, authentication, and authorization federation across different trust realms.
WS-Federation Passive Requestor Profile. This WS-Security extension describes how passive clients, such as web browsers, can be authenticated and authorized, and how the clients can submit claims in a federation scenario. Passive requestors of this profile are limited to the HTTP or HTTPS protocol.
Security Assertion Markup Language
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging claims between an identity provider and a service or application provider. SAML assumes that a user has been authenticated by an identity provider, and that the identity provider has populated the appropriate claim information in the security token. When the user is authenticated, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider can make authorization and personalization decisions within an application. The communication between federated servers is based around an XML document storing the X.509 certificate for token-signing, and the SAML 1.1 token.
What Is AD FS?
AD FS is the Microsoft implementation of an identity-federation solution that can use claims-based authentication. AD FS provides the mechanisms to implement both the identity-provider and service-provider components in an identity-federation deployment.
AD FS provides the following features:
Enterprise claims provider for claims-based applications: You can configure an AD FS server as a claims provider, which means that the server can issue claims about authenticated users. This enables an organization to provide its users with access to claims-aware applications in another organization by using SSO.
Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which was the second generation of AD FS that Microsoft released. The first version, AD FS 1.0, required AD FS web agents to be installed on all web servers that were using AD FS, and provided both claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or SAML.
AD FS Features
The following are some of the key AD FS features:
Extensible architecture. AD FS provides an extensible architecture that supports various security token types, including SAML and Kerberos authentication, as well as the ability to perform custom claims transformations. For example, AD FS can convert from one token type to another or add custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.
How AD FS Enables SSO in a Single Organization
For many organizations, configuring access to applications and services may not require an AD FS deployment. If all users are members of the same AD DS forest, and if all applications are running on servers that are members of the same forest, you typically can use AD DS authentication to provide application access. However, there are several scenarios in which you can use AD FS, and enable SSO, to optimize the user experience, including:
The applications may not be running on Windows servers or on any servers that support AD DS authentication. The applications may require SAML or web services for authentication and authorization.
Large organizations frequently have multiple domains and forests that may be the results of mergers and acquisitions. Users in multiple forests might require access to the same applications.
Users from outside the office might require access to applications that are running on internal servers. The external users may be logging on to the applications from computers that are not part of the internal domain.
Note: Implementing AD FS does not necessarily mean that users are not prompted
for authentication when they access applications. Depending on the scenario, users may be
prompted for their credentials. However, the key point is that users always authenticate by using
their internal credentials. They never have to remember alternate credentials for the application.
Organizations can use AD FS to enable SSO in these scenarios. Because all users and the application are
in the same organization, the organization only has to deploy a single federation server. This server can
operate as the claims provider so that it authenticates user requests and issues the claims. The same server
also is the relying provider, or the consumer of the claims to provide authorization for application access.
Note: The slide and the following description use the terms Federation Server and
Federation Service Proxy to describe AD FS server roles. The Federation Server is responsible for
issuing claims, and in this scenario, also is responsible for consuming the claims. The Federation
Service Proxy is a proxy component that we recommend is used in a deployment where users
outside the network need to access the AD FS environment. The next lesson covers these
components in more detail.
The following steps describe the communication flow in this scenario:
1.
The client computer, which is located outside the network, must access a web-based application on
the web server. The client computer sends an HTTPS request to the web server.
2.
The web server receives the request, and identifies that the client computer does not have a claim.
The web server redirects the client computer to the Federation Service proxy.
3.
The client computer sends an HTTPS request to the Federation Service proxy. Depending on the
scenario, the Federation Service proxy may prompt the user for authentication or use Windows
Integrated authentication to collect the user credentials.
4.
The Federation Service proxy passes the request and the credentials to Federation Server.
5.
6.
If authentication is successful, the federation server collects AD DS information about the user, which
is used to generate the user's claims.
7.
If the authentication is successful, the authentication information and other information is collected in
a security token and passed back to the client computer, through the Federation Service proxy.
8.
The client presents the token to the web server. The web resource receives the request, validates the
signed tokens, and uses the claims in the user's token to provide access to the application.
How AD FS Enables SSO in a Business-to-Business Federation
One of the most common scenarios for deploying AD FS is to provide SSO in a business-to-business (B2B) federation. In this scenario, the organization that requires access to another organization's application or service can manage their own user accounts, and define their own authentication mechanisms. The other organization can define what applications and services are exposed to users outside the organization and what claims it accepts to provide application access.
To enable application or service sharing in this scenario, the organizations just have to establish a federation trust, and then define the rules for exchanging claims between the two organizations.
2.
3.
4.
5.
6.
If the client computer is logged on to the domain already, the federation server can take the user's Kerberos ticket, and then request authentication from AD DS on the user's behalf, by using Windows Integrated Authentication.
7.
The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that the federation server can use to generate the user's claims.
8.
The federation server creates the claim for the user based on the rules defined for the federation partner. The claims data is placed in a digitally signed security token, and then sent to the client computer. The client computer then posts it back to the A. Datum federation server.
9.
The A. Datum federation server validates that the security token came from a trusted federation partner.
10. The A. Datum federation server creates and signs a new token, which it sends to the client computer. The client computer then sends the token back to the original URL requested.
11. The application on the web server receives the request, and validates the signed tokens. The web server issues the client a session cookie that indicates that it has authenticated successfully. The federation server issues a file-based persistent cookie (good for 30 days by default) to eliminate the home-realm discovery step during the cookie lifetime. The application then provides access, based on the claims that the user provides.
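The token handling in steps 8 through 11, as an added example that is not part of the course material: each federation server signs the tokens it issues, and each receiver accepts only tokens signed by the issuer it trusts, so the partner's token never reaches the application directly. HMAC-SHA256 with a per-server key stands in for the X.509 token-signing certificate (Python's standard library has no X.509 support), and the issuer names, keys and claims are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed identifiers and keys; none of these are real federation servers.
PARTNER = "urn:example:partner-federation-server"   # the claims provider organization
ADATUM = "urn:example:adatum-federation-server"     # A. Datum's federation server
FORECAST_APP = "https://forecast.adatum.example/"   # the web application (relying party)
PARTNER_KEY = b"constructed-partner-token-signing-key"
ADATUM_KEY = b"constructed-adatum-token-signing-key"


def sign_token(issuer, audience, claims, key, now=None, lifetime=300):
    """Issue a token: a JSON body plus a signature over it. The issuer's key stands in
    for its token-signing certificate, so the signature identifies the issuer."""
    body = {"issuer": issuer, "audience": audience, "claims": claims,
            "expires": (now if now is not None else time.time()) + lifetime}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + signature


def verify_token(token, trusted_issuers, audience, now=None):
    """Return the claims if the token was signed by an issuer in trusted_issuers,
    is addressed to this receiver and has not expired; otherwise None."""
    payload, _, signature = token.rpartition(b".")
    try:
        body = json.loads(payload)
    except ValueError:
        return None
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:                      # step 9: not a trusted federation partner
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, signature):   # tampered body or wrong key
        return None
    if body.get("audience") != audience:  # token was issued for someone else
        return None
    if body.get("expires", 0) < (now if now is not None else time.time()):
        return None
    return body["claims"]


def partner_issues_token(user_claims, now=None):
    """Step 8: the partner's federation server signs the user's claims for A. Datum."""
    return sign_token(PARTNER, ADATUM, user_claims, PARTNER_KEY, now)


def adatum_federation_server(partner_token, now=None):
    """Steps 9 and 10: validate the partner's token, then create and sign a new token
    for the application. Only the partner's key is in this server's trust list."""
    claims = verify_token(partner_token, {PARTNER: PARTNER_KEY}, ADATUM, now)
    if claims is None:
        return None
    # Stand-in for a claim rule: translate the partner's group into an application role.
    role = "ForecastEditor" if "Sales" in claims.get("groups", []) else "Reader"
    app_claims = {"email": claims["email"], "role": role}
    return sign_token(ADATUM, FORECAST_APP, app_claims, ADATUM_KEY, now)


def web_application(token, now=None):
    """Step 11: the application trusts tokens signed by A. Datum's federation server
    only, so a partner token presented to it directly is rejected."""
    return verify_token(token, {ADATUM: ADATUM_KEY}, FORECAST_APP, now)


def end_to_end(user_claims, now=None):
    """Run the whole exchange and return the claims the application sees."""
    partner_token = partner_issues_token(user_claims, now)
    app_token = adatum_federation_server(partner_token, now)
    return None if app_token is None else web_application(app_token, now)


if __name__ == "__main__":
    print(end_to_end({"email": "alice@partner.example", "groups": ["Sales"]}))
```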
How AD FS Enables SSO with Online Services
As organizations move services and applications to cloud-based services, it is increasingly important that these organizations have some way to simplify the authentication and authorization experience for their users as they consume the cloud-based services. Cloud-based services add another level of complexity to the IT environment, as those services are located outside the direct administrative control of the IT administrators, and the services may be running on many different platforms.
You can use AD FS to provide an SSO experience to users across the various cloud-based platforms available. For example, once users are authenticated with AD DS credentials, they then could access Microsoft Online Services, such as hosted Microsoft Exchange Online or Microsoft SharePoint Online, by using those domain credentials. AD FS also provides single sign-on to non-Microsoft cloud providers. Because AD FS is based on open standards, AD FS can interoperate with any compliant claims-based system.
The process for accessing a cloud-based application is quite similar to the B2B scenario. One example of a cloud-based service that uses AD FS for authentication is a hybrid Exchange Online deployment. In this type of deployment, an organization has deployed some or all of their mailboxes in an Office 365 Exchange Online environment. However, the organization manages all of their user accounts in their on-premises AD DS environment. The deployment uses the Microsoft Online Services Directory Synchronization tool to synchronize user-account information from the on-premises deployment to the Exchange Online deployment.
When users try to log on to their Exchange Online mailbox, the user must be authenticated by using their internal AD DS credentials. If the user tries to log on directly to the Exchange Online environment, they are redirected back to the internal AD FS deployment to authenticate before the user is given access.
The following steps describe how a user tries to access their online mailbox by using a web browser:
1.
The user opens a web browser, and then sends an HTTPS request to the Exchange Online Outlook Web App server.
2.
The Outlook Web App server receives the request, and then verifies that the user is part of a hybrid Exchange Server deployment. If this is the case, the server redirects the client computer to the Microsoft Online federation server.
3.
4.
5.
6.
7.
The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that can be used to generate the user's claims.
8.
The federation server creates the claim for the user, based on the rules that are defined during the
AD FS server setup. The claims data is placed in a digitally signed security token, and then sent to the
client computer. The client computer then posts it back to the Microsoft Online federation server.
9.
The Microsoft Online federation server validates that the security token came from a trusted
federation partner. This trust is configured when you configure the hybrid Exchange environment.
10. The Microsoft Online federation server creates and signs a new token, which it sends to the client
computer. The client computer then sends the token back to the Outlook Web App server.
11. The Outlook Web App server receives the request and validates the signed tokens. The server issues
the client a session cookie, which indicates that it has successfully authenticated. The user then is
granted access to their Exchange server mailbox.
Lesson 2
Deploying Active Directory Federation Services
Lesson Objectives
After completing this lesson, you will be able to:
Describe the components that an AD FS deployment can include.
Describe the Public Key Infrastructure (PKI) and certificate requirements for an AD FS deployment.
Describe the AD FS federation server roles.
Install the AD FS server role.
AD FS Components
AD FS is installed as a server role in Windows Server 2012. However, there are many different components that you can install and configure in an AD FS deployment. The following table lists the AD FS components.
Component: What does it do?
Federation Server: The federation server issues, manages, and validates requests that involve identity claims. All implementations of AD FS require at least one Federation Service.
Federation Server Proxy:
Claims: A claim is a statement that one object makes about another object, such as a user. The claim could include the user's name, job title, or any other factor that might be used in an authentication scenario.
Claim Rules: Claim rules determine how federation servers process claims. For example, a claim rule may state that an email address is accepted as a valid claim, or that a group name from one organization is translated into an application-specific role in the other organization. The rules usually are processed in real time, as claims are made.
Attribute Store:
Claims Providers:
Relying Parties:
Claims Provider Trust: This is configuration data that defines rules under which a client may request claims from a claims provider and subsequently submit them to a relying party. The trust consists of various identifiers, such as names, groups and various rules.
Relying Party Trust: This is the AD FS configuration data that is used to provide claims about a user or client to a relying party. It consists of various identifiers, such as names, groups, and various rules.
Certificates: AD FS uses digital certificates when communicating over SSL or as part of the token-issuing process, the token-receiving process, and the metadata-publishing process.
Endpoints: Endpoints are mechanisms that enable access to the AD FS technologies, including token issuance and metadata publishing. AD FS comes with built-in endpoints that are responsible for a specific functionality.
AD FS Prerequisites
Before deploying AD FS, you must ensure that your internal network meets some basic prerequisites. The configuration of the following network services is critical for a successful AD FS deployment:
Network connectivity: TCP/IP connectivity must exist between:
o The client computer
o A domain controller
o Federation Service server
o Federation Service Proxy server (when applicable)
A custom attribute store
Note: AD DS can be used both as the authentication provider and as an attribute store. AD FS also can use AD LDS as an attribute store. In AD FS v1, you can use AD LDS as an authentication store, but in the current version of AD FS, you only can use AD LDS as an attribute store.
Domain Name System (DNS): Name resolution allows clients to find federation servers. The client computers must resolve the DNS names for all federation servers that they connect to, as well as the web applications that the client computer is trying to use. If the client computer is external to the network, the client computer must resolve the DNS name for the federation service proxy, not the internal federation server. The Federation Service proxy must resolve the name of the internal federation server. If internal users have to access the internal federation server directly, and external users have to connect through the Federation Server proxy, you require a split DNS.
Operating-system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a server role on a Windows Server 2012 server. AD FS 2.0, which is almost identical to the Windows Server 2012 version, can be installed on Windows Server 2008 Service Pack 2 (SP2) or Windows Server 2008 R2.
PKI and Certificate Requirements
AD FS is designed to enable computers to communicate securely, even though they may be located in different locations. In this scenario, most of the communications between computers passes through the Internet. To provide security for the network traffic, all communications are protected by using SSL. This factor means that it is important to choose and assign SSL certificates correctly to the AD FS servers. To provide SSL security, AD FS servers use certificates in the following three ways.
This certificate is used to secure SSL communications to the websites running on the AD FS server and is
bound to the default web site on the AD FS server. You can choose which certificate to use when you
configure the AD FS server role on the server, and can change the assigned certificate after deployment
by using the AD FS management console. This certificate also is called a server authentication certificate.
Token-Signing Certificates
The token-signing certificate is used to sign every token issued by a federation server. This certificate is
critical in an AD FS deployment, because the token signature indicates which federation server issued the
token. The claims provider uses this certificate to identify itself, and the relying party uses it to verify
that the token is coming from a trusted federation partner.
The relying party also requires a token-signing certificate to sign the tokens that it prepares for other
AD FS components, such as web applications and clients. These tokens must be signed by the relying
party's token-signing certificate in order for the destination applications to validate them.
When you configure a Federation Server, the server assigns a self-signed certificate as the token-signing
certificate. Because no other parties trust the self-signed certificate, it is important that you replace the
self-signed certificate with a trusted certificate. You can configure multiple token-signing certificates on
the federation server, but only the primary certificate is used to sign tokens.
Token-Decrypting Certificates
Token-decrypting certificates encrypt the entire user token before transmitting the token across the
network. To provide this functionality, the relying party federation server sends the certificate to the
claims provider federation server. The certificate is sent without the private key. The claims provider
server uses the public key from the certificate to encrypt the user token. When the token is returned to
the relying party federation server, it uses the private key from the certificate to decrypt the token. This
provides an extra layer of security when transmitting the certificates across the Internet.
When you configure a Federation Server, the server assigns a self-signed certificate as the token-decrypting certificate. Because no other parties have to trust this certificate, it is possible to continue to
use this certificate without replacing it with a trusted certificate.
Note: Federation server proxies only require a service communication certificate. The
certificate is used to enable SSL communication for all client connections. Since the federation
server proxy does not issue any tokens, it does not need the other two types of certificates. Web
servers that are deployed as part of an AD FS deployment also should be configured with SSL
server certificates to enable secure communications with client computers.
AD FS federation servers can use self-signed certificates, certificates from an internal, private certification
authority (CA), or certificates that have been purchased from an external public CA.
The most important factor when choosing the certificates in most AD FS deployments is that the
certificates be trusted by all parties involved. This means that if you are configuring an AD FS deployment
that interacts with other organizations, you are almost certainly going to use a public CA, because all
partners trust the certificates issued by the public CA automatically.
If you are deploying AD FS just for your organization, and all servers and client computers are under
your control, you can consider using a certificate from an internal private CA. If you deploy an enterprise
CA on Windows Server 2012, you can use Group Policy to ensure that all computers in the organization
automatically trust the certificates that the internal CA issues. Using an internal CA can decrease the cost
of the certificates significantly.
When you install the AD FS server role, the server is configured with self-signed certificates. These certificates are not trusted by any other systems, so you must replace the server communications certificate and the token-signing certificates with a trusted certificate. It is not critical that you replace the token-decrypting certificate with a trusted certificate.
Federation Server Roles
When you deploy the AD FS server role, and configure the server, you can choose which role the server plays in an AD FS deployment. You can configure an AD FS server in one of three roles:
Note: A single AD FS server can operate as both a claims provider and a relying party, even with the same partner organizations. The AD FS server functions as a claims provider when it is authenticating users and providing tokens for another organization, but also can accept tokens from the same or another organization in a relying party role.
Note: You cannot configure a federation server proxy as a claims provider or a Relying
Provider. The claims provider and Relying Provider must be members of an AD DS domain. You
must configure the federation server proxy as a member of a workgroup, and then deploy it in a
perimeter network.
Demonstration Steps
1.
On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.
2.
Run the AD FS Federation Server Configuration Wizard by using the following parameters:
3.
a.
b.
c.
d.
Lesson 3
Implementing AD FS for a Single Organization
The simplest deployment scenario for AD FS is within a single organization. In this scenario, a single AD FS server can operate both as the claims provider and as the Relying Provider. All users in this scenario are internal to the organization, as is the application that the users are accessing.
This lesson provides details on the components that are required to configure in a single organization deployment of AD FS. These components include configuring claims, claim rules, claims provider trusts, and relying party trusts.
Lesson Objectives
After completing this lesson, you will be able to:
Describe AD FS claims.
Describe AD FS claim rules.
Describe claims provider trusts.
Describe relying provider trusts.
Configure claims provider and relying provider trusts.
What Are AD FS Claims?
AD FS claims provide the link between the claims provider and Relying Provider roles in an AD FS deployment. The claims provider creates the claims and the Relying Provider consumes the claims. AD FS claims provide a standards-based and flexible way for claims provider organizations to provide very specific information about users in their organizations, and a way for Relying Providers to define exactly what information they require to provide application access.
Claim Types
Each AD FS claim has a claim type, such as Email Address, UPN, or Last Name. Users can be issued claims based on any defined claim type. So a user might be issued a claim with a type of Last Name and a value of Weber. AD FS provides several built-in claim types, or you can create new ones based on the organization requirements.
Note: In AD FS 1.0, you could configure claims as identity claims, group claims or custom claims. These claim types do not apply to AD FS 2.0 or later. Essentially, all claims are now considered custom claims.
Each AD FS claim type is identified by a Uniform Resource Identifier (URI) that uniquely identifies the claim type. This information is provided as part of the AD FS server metadata. For example, if the claims provider organization and the Relying Provider organization decide to use a claim type of AccountNumber, both organizations must configure a claim type with this name. The claim type is published, and the claim type URI must be identical on both AD FS servers.
What Are AD FS Claim Rules?
Claims rules define how AD FS servers send and consume claims. Claims rules define the business logic that is applied to claims that claims providers provide, and to claims that the relying parties accept. You can use claim rules to:
Apply authorization rules to enable access to a specific relying party for one or more users or groups of users.
You can define two types of claim rules:
Issuance Authorization Rules: These rules define which users are permitted or denied access to the relying party that has been defined in the relying party trust. This rule set can include rules that explicitly permit access to a relying party, and/or rules that explicitly deny access to a relying party.
Delegation Authorization Rules: These rules define the claims that specify which users can act on behalf of other users when accessing the relying party. This rule set can include rules that explicitly permit delegates for a relying party, or rules that explicitly deny delegates to a relying party.
What Is a Claims Provider Trust?
You configure a claims provider trust on the relying party federation server. The claims provider trust identifies the claims provider, and also describes how the relying party consumes the claims that the claims provider issues. You must configure a claims provider trust for each claims provider.
By default, an AD FS server is configured with a claims provider trust named Active Directory. This trust defines the claim rules, which are all acceptance transform rules that define how the AD FS server accepts AD DS credentials. For example, the default claim rules on the claims provider trust include rules that pass the user names, SIDs, and group SIDs to the relying party. In a single-organization AD FS deployment, where AD DS authenticates all users, the default claims provider trust may be the only required claims provider trust.
When you expand the AD FS deployment to include other organizations, you must create additional claims provider trusts for each federated organization. You have three options when configuring a claims provider trust:
Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly. When you choose this option, you must provide the features that the claims provider supports, as well as the URL used to access the claims provider AD FS servers. Furthermore, you must add the SSL certificate that the partner organization uses.
What Is a Relying Party Trust?
A relying party trust is defined on the claims provider federation server. The relying party trust identifies the relying party, and also defines the claims rules that define how the relying party accepts and processes claims from the claims provider.
Import data about the relying party from a file. Use this option if the partner federation server is not
directly accessible from your federation server, but where the partner organization has exported its
configuration and provided you the information in a file. The configuration file must include the
configuration information for the partner organization, as well as the SSL certificate that the partner
federation server uses.
Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly.
In this demonstration, you will see how to configure claims provider trusts and relying party trusts. The
instructor will show how to edit the default Active Directory claims provider trust, and will create a new
relying party trust and show how to configure the trust.
Demonstration Steps
1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active Directory store, and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog on the Acceptance Transform Rules tab, start the Add Transform Claim Rule Wizard, and complete the wizard with the following settings:
3. In the Mapping of LDAP attributes to outgoing claim types, select the following values:
o User-Principal-Name to UPN
4. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.
5.
6. Select No encryption.
In the AD FS 2.0 Management console, in the middle pane, click Required: Add a trusted relying party.
7. Complete the Add relying party Wizard with the following settings:
o Select Import data about the relying party published online or on a local network, and type https://lon-svr1.adatum.com/adatumtestapp.
o Select to open the Edit Claims Rules for WIF Sample Claims App check box when the wizard is complete.
Lesson 4
Deploying AD FS in a Business to Business Federation Scenario
A second common scenario for implementing AD FS is in a B2B federation scenario. In this scenario, users in one organization have to be able to access an application in another organization. AD FS in this scenario enables SSO. Users always log on to their home AD DS environment, but are granted access to the partner application based on the claims acquired from their local AD FS server.
Configuring AD FS in a B2B federation scenario is quite similar to configuring AD FS in a single organization scenario. The primary difference is that now the claims provider trusts and the relying provider trusts refer to external organizations rather than internal AD DS or application.
This lesson describes how to configure AD FS in a B2B scenario.
Lesson Objectives
After completing this lesson, you will be able to:
Configure the account partner in a B2B federation scenario.
Configure the resource partner in a B2B federation scenario.
Describe how claims transformations work.
Describe how home-realm discovery works.
Configure claims rules.
Configuring an Account Partner
In a B2B AD FS scenario, the terminology used to describe the parties involved in the AD FS deployment changes slightly. In this scenario, the claims provider organization is also called the account partner organization. An account partner organization is the organization in which the user accounts are stored in an attribute store. An account partner handles the following tasks:
Gathering credentials from users by using a web-based service, and then authenticating those credentials.
Building up claims for users, and then packaging the claims into security tokens. The tokens can then be presented across a federation trust to gain access to federation resources located at the resource partner organization.
Configuring a Resource Partner
The resource partner organization is the relying party in a B2B federation scenario. The resource partner organization is where the resources exist and are made accessible to account partner organizations. The resource partner handles the following tasks:
Consumes the claims from the security tokens, and then provides new claims to its web servers after making an authorization decision.
The web servers must have Windows Identity Framework (WIF) installed or have the AD FS 1.x Claims-Aware Web Agent role services installed to externalize the identity logic and accept claims.
Note: Microsoft offers WIF to provide a set of consistent development tools that enable developers to integrate claims-based authentication and authorization into their applications. WIF also includes a Software Development Kit (SDK) and sample applications. You use a WIF sample application in the lab for this module.
Configuring the resource partner organization is similar to configuring the account partner organization, and consists of the following steps:
1. Implement the physical topology for the resource partner deployment. The planning and implementation steps are the same as the account partner, with the addition of planning the web server location and configuration.
3. Connect to an account partner organization by creating a claims provider trust.
4. Create claim rule sets for the claims provider trust.
Configuring Claims Rules for Business to Business Scenarios
In a single organization deployment of AD FS, it may be quite easy to design and implement claims rules. In many cases, you may need to just provide the user name or group name collected from the claim to the web server. In a B2B scenario, it is more likely that you have to configure more complicated claims rules to define user access between widely varying systems.
Claim rules define how account partners (claims providers) create claims, and how resource partners (relying parties) consume claims. AD FS provides several templates that you can use when configuring claim rules:
Send LDAP Attributes as Claims rule template. Use this template when you select specific attributes in an LDAP attribute store to populate claims. You can configure multiple LDAP attributes as individual claims in a single claim rule created from this template. For example, you can create a rule that extracts the displayName and givenName AD DS attributes from all authenticated users, and then send these values as outgoing claims to be sent to a relying party.
Send Group Membership as a Claim rule template. Use this template to send a particular claim type and associated claim value based on the user's AD DS security group membership. For example, you might use this template to create a rule that sends a group claim type with a value of SalesAdmin if the user is a member of the Sales Manager security group within their AD DS domain. This rule only issues a single claim, based on the AD DS group that you select as a part of the template.
Pass Through or Filter an Incoming Claim rule template. Use this template to set additional restrictions on which claims are submitted to relying parties. For example, you might want to use a user email address as a claim, but only forward the email address if the domain suffix on the email address is adatum.com. When using this template, you can either pass through whatever claim you extract from the attribute store, or you can configure rules that filter whether the claim passes through based on various criteria.
Transform an Incoming Claim rule template. Use this template to map the value of an attribute in the claims provider attribute store to a different value in the relying party attribute store. For example, you may want to provide all members of the Marketing department at A. Datum limited access to a purchasing application at Trey Research. At Trey Research, the attribute used to define the limited access level may have an attribute of LimitedPurchaser. To address this scenario, you can configure a claims rule that transforms an outgoing claim where the Department value is Marketing to an incoming claim where the ApplicationAccess attribute is LimitedPurchaser. Rules created from this template must have a one-to-one relationship between the claim at the claims provider and the claim at the relying partner.
Permit or Deny Users based on an Incoming Claim rule template. This template is available only when you are configuring Issuance Authorization Rules or Delegation Authorization Rules on a relying party Trust. Use this template to create rules that enable or deny access by users to a relying party, based on the type and value of an incoming claim. This claim rule template allows you to perform an authorization check on the claims provider before claims are even sent to a relying party. For example, you can use this rule template to create a rule that only permits users from the Sales group to access a relying party; authentication requests from members of other groups are not even sent to the relying party.
If none of the built-in claim rule templates provide the functionality that you are looking for, you can create more complex rules using the AD FS Claim Rule Language. By creating a custom rule, you can extract claims information from multiple attribute stores and also combine claim types into a single claim rule.
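As an added example (not code from the course or from AD FS itself), the following Python script models the rule evaluation the templates above and the module's demonstration describe: it parses the rule shapes used in this module, runs the demonstration's two issuance authorization rules plus a pass-through filter and a transform rule over constructed claim sets, and reports whether access is permitted. The Department and ApplicationAccess claim type URIs, the user names and their claims are assumptions made for the example.

```python
"""Minimal evaluator for a subset of the AD FS claim rule language (added example;
not code from the course or from AD FS). It models how a rule set turns incoming
claims into issued claims and how issuance authorization rules decide access:
a deny claim refuses access, otherwise at least one permit claim is required."""
import re
from dataclasses import dataclass

# PERMIT and UPN appear in the module text; DENY, EMAIL and GROUP are the standard
# AD FS URIs; DEPARTMENT and APP_ACCESS are assumed for the transform example.
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
DEPARTMENT = "http://schemas.example.org/claims/Department"          # assumed
APP_ACCESS = "http://schemas.example.org/claims/ApplicationAccess"   # assumed

@dataclass(frozen=True)
class Claim:
    type: str
    value: str

# c:[Type == "<uri>", Value == "<literal>" | Value =~ "<regex>"] => issue(<body>);
RULE_RE = re.compile(
    r'^c:\[Type\s*==\s*"(?P<type>[^"]+)"'
    r'(?:,\s*Value\s*(?P<op>==|=~)\s*"(?P<val>[^"]+)")?\]'
    r'\s*=>\s*issue\((?P<body>.+)\);$')
ISSUE_RE = re.compile(r'^Type\s*=\s*"(?P<type>[^"]+)",\s*Value\s*=\s*"(?P<val>[^"]+)"$')

def net_regex(pattern):
    """Compile a wizard-generated .NET pattern such as '^(?i).+@adatum\\.com$'.
    Python 3.11+ rejects an inline global flag that is not at the very start,
    so the (?i) after the anchor is hoisted into re.IGNORECASE."""
    flags = 0
    if pattern.startswith("^(?i)"):
        pattern, flags = "^" + pattern[5:], re.IGNORECASE
    return re.compile(pattern, flags)

def parse_rule(text):
    """Split one rule into (condition, action); action None means pass-through."""
    m = RULE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    cond = (m["type"], m["op"], m["val"])
    body = m["body"].strip()
    if re.fullmatch(r"claim\s*=\s*c", body):
        return cond, None
    im = ISSUE_RE.match(body)
    if not im:
        raise ValueError("unsupported issue body: " + body)
    return cond, Claim(im["type"], im["val"])

def matches(cond, claim):
    ctype, op, val = cond
    if claim.type != ctype:
        return False
    if op is None:
        return True
    if op == "==":
        return claim.value == val
    return net_regex(val).search(claim.value) is not None

def run_rules(rules, incoming):
    """Evaluate rules in order. As in AD FS, a claim produced by issue() goes to
    the output set and is also visible to later rules in the same rule set."""
    working, issued = list(incoming), []
    for text in rules:
        cond, action = parse_rule(text)
        for claim in list(working):
            if matches(cond, claim):
                new = claim if action is None else action
                issued.append(new)
                if new not in working:
                    working.append(new)
    return issued

def authorize(rules, incoming):
    """Issuance authorization outcome for one user's incoming claims."""
    issued = run_rules(rules, incoming)
    if any(c.type == DENY for c in issued):
        return False
    return any(c.type == PERMIT for c in issued)

# The two issuance authorization rules from the demonstration in this module.
DEMO_AUTHZ_RULES = [
    f'c:[Type == "{GROUP}", Value == "Production"] '
    f'=> issue(Type = "{PERMIT}", Value = "PermitUsersWithClaim");',
    rf'c:[Type == "{UPN}", Value =~ "^(?i).+@adatum\.com$"] '
    f'=> issue(Type = "{PERMIT}", Value = "PermitUsersWithClaim");',
]
# Two of the lesson's template examples: forward an e-mail claim only for the
# adatum.com suffix, and map Department=Marketing to ApplicationAccess=LimitedPurchaser.
TEMPLATE_RULES = [
    rf'c:[Type == "{EMAIL}", Value =~ "^(?i).+@adatum\.com$"] => issue(claim = c);',
    f'c:[Type == "{DEPARTMENT}", Value == "Marketing"] '
    f'=> issue(Type = "{APP_ACCESS}", Value = "LimitedPurchaser");',
]
# Constructed users from the lab scenario: Morgan is in Production, April is not.
APRIL = [Claim(UPN, "april@treyresearch.com"), Claim(GROUP, "Domain Users")]
MORGAN = [Claim(UPN, "morgan@treyresearch.com"), Claim(GROUP, "Production")]
ALICE = [Claim(UPN, "Alice@Adatum.com"), Claim(GROUP, "Domain Users")]
```

With the demonstration's rules, `authorize(DEMO_AUTHZ_RULES, APRIL)` is False while Morgan and the adatum.com user are permitted; adding a single deny rule for the Production group flips Morgan to denied even though a permit claim was also issued.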
How Home Realm Discovery Works
Some resource partner organizations hosting claims-aware applications may want to enable multiple account partners to access the applications. In this scenario, when users connect to the web application, there must be some mechanism for directing the users to the AD FS federation server in their home domain rather than to another organization's federation server.
The process for directing clients to the appropriate account partner is called home realm discovery. Home realm discovery occurs after the client connects to the relying party's web site and the client has been redirected to the relying party's federation server. At this point, the relying party's federation server must redirect the client to the Federation Server in the client's home realm, so that the user can be authenticated. If there are multiple claims providers configured on the relying party federation server, it has to know to which federation server to redirect the client.
At a high level, there are three main ways to implement home realm discovery:
3.
If the remote application is SAML 2.0-compliant, users can use a SAML profile called IdP-Initiated SSO. This SAML profile configures users to access their local claims provider first, which can prepare the user's token with the claims required to access the partner web application. This process changes the normal process for accessing the web application by having the users log on to the claims provider federation server first, and then prompting them to select which application they want to access so that their token can be created with the appropriate information.
Note: The home realm discovery process occurs the first time the user tries to access a web application. After the user successfully authenticates, a home-realm discovery cookie is issued to the client so that the user does not have to go through the process the next time. This home-realm discovery cookie expires after a month, unless the cookie cache is cleared sooner.
In this demonstration, you will see how to configure claims rules. You will see how to configure claims
rules on a relying party trust that forwards a group name as part of the claim. You will also see how to
configure a claims rule that limits access to the application only to members of a particular group.
Demonstration Steps
1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send Group Name rule, and configure the rule to use an incoming claim type of group.
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option to Permit access to users with this incoming claim.
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option to Permit access to users with this incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.
Lab: Implementing AD FS
Scenario
A. Datum has set up a variety of business relationships with other companies and customers. Some of
these partner companies and customers must access business applications that are running on the A.
Datum network. The business groups at A. Datum want to provide a maximum level of functionality and
access to these companies. The security and operations departments want to ensure that the partners and
customers can only access the resources to which they require access, and that implementing the solution
does not significantly increase the workload for the operations team.
A. Datum is also working on migrating some parts of their network infrastructure to online services,
including Windows Azure and Office 365.
To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the
company plans to use AD FS to implement single sign on for internal users accessing an application on a
web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey
Research users must be able to access the same application.
As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS
solution. As a proof of concept, you plan to deploy a sample claims aware application, and then configure
AD FS to enable both internal users and Trey Research users to access the same application.
Objectives
Lab Setup
Estimated time: 90 minutes
Virtual Machines: 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-MUN-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
b. Password: Pa$$w0rd
To deploy AD FS at A. Datum, you must verify that all required components are configured. You plan to
verify that AD CS is deployed in the organization, and then configure the certificates required for AD FS
on the AD FS server and on the web servers. You also plan to configure the DNS forwarders to enable
communication between Adatum.com and TreyResearch.com.
The main tasks for this exercise are as follows:
4. Bind the certificate to the claims aware application on the web server and verify application access.
On LON-DC1, create a new conditional forwarder for the TreyResearch.com domain, by using the
DNS server IP address of 172.16.10.10.
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, by using the DNS server IP address of 172.16.0.10.
2. Create a new Microsoft Management Console (MMC), and then add the Group Policy Management Editor.
3. Edit the Default Domain Policy Group Policy Object, and import the copied root certificate to the Trusted Root Certification Authorities folder.
5. Create a new MMC, and then add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.
2. Request a new Domain Certificate for the server by using the following parameters:
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
X Task 4: Bind the certificate to the claims aware application on the web server and verify application access
1. On LON-SVR1, in Internet Information Services, create a new HTTPS site binding, and then select the newly created certificate.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is expected because you have not yet configured AD FS for authentication.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
To start the AD FS implementation, you plan to install AD FS on the A. Datum domain controller, and then configure the server as a standalone federation server. You also plan to configure the server to use a CA-signed token-signing certificate.
The main tasks for this exercise are as follows:
2. Create a stand-alone Federation Server by using the AD FS Federation Server Configuration Wizard.
On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.
On LON-DC1, run the AD FS Federation Server Configuration Wizard using the following parameters:
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the Federation Meta Data .xml contents.
The first scenario for implementing the proof-of-concept AD FS application is to ensure that internal
users can use SSO to access the web application. You plan to configure the AD FS server and the web
application to enable this scenario. You also want to verify that internal users can access the application.
The main tasks for this exercise are as follows:
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
2. Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name is listed under the Subject when you add the certificate, delete the certificate, and then add the next certificate in the list.
3. Make the new certificate the primary certificate, and then remove the old certificate.
1. In the AD FS 2.0 Management console, go to the claims provider Trusts, highlight the Active Directory store, and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog box on the Acceptance Transform Rules tab, launch the Add Transform Claim Rule Wizard, and then complete the wizard with the following settings:
In the Mapping of LDAP attributes to outgoing claim types, select the following values:
o User-Principal-Name to UPN
o Display-Name to Name
X Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. On LON-SVR1, launch the WIF Federation Utility from the Start screen.
2. Point to the web.config file of the WIF sample application by pointing to C:\Inetpub\wwwroot\AdatumTestApp\web.config.
Select No encryption.
X Task 4: Configure a relying party trust for the claims aware application
1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party, in the middle pane.
2. Complete the Add relying party Wizard with the following settings:
o Choose to Import data about the relying party published online or on a local network and type https://lon-svr1.adatum.com/adatumtestapp.
o Select the option to open the Edit Claims Rules for WIF Sample Claims App when the wizard is complete.
1. In the Edit Claim Rules for WIF Sample Claims App properties dialog box, choose to Add a Rule on the Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
o Choose Pass through or Filter an Incoming Claim in the Claim rule template drop-down list.
o Select Windows account name in the incoming claim type drop-down list.
Create three more rules to pass through E-Mail Address, UPN, and Name type claims.
2.
Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.
The second deployment scenario is to enable Trey Research users to access the web application. You plan
to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey
Research users can access the application. You also want to confirm that you can configure access based
on user groups. You must ensure that all users at A. Datum, but only users in the Production group at Trey
Research, can access the application.
The main tasks for this exercise are as follows:
2. Configure a relying party trust on MUN-DC1 for A. Datum's claim aware application.
3. Verify access to the A. Datum Test Application for Trey Research users.
4. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group.
2. Complete the Add claims provider Trust Wizard with the following settings:
o Choose Import data about the claims provider published online or on a local network and enter https://mun-dc1.treyresearch.com as the data source.
4. In the Edit Claim Rules for the mun-dc1.treyresearch.com properties dialog, use the following values:
o Choose Pass Through or Filter an Incoming claim in the Claim rule template list.
o Use Pass through Windows account name rule as the claim rule name.
o Choose Windows account name as the incoming claim type, and then choose to Pass through all claim values.
X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum's claim aware application
On MUN-DC1, in the AD FS Management console, open the Add relying party Trust Wizard, and then complete it with the following settings:
o Choose to Import data about the relying party published online or on a local network and type in https://lon-dc1.adatum.com.
o Select to open the Edit Claim Rules for lon-dc1.adatum.com when the wizard is complete check box.
In the Edit Claim Rules for lon-dc1.adatum.com properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
o Choose Pass Through or Filter an Incoming claim in claim rule template list.
o In the Claim rule name box, type Pass through Windows account name rule.
X Task 3: Verify access to the A. Datum Test Application for Trey Research users
2. Select mun-dc1.treyresearch.com as the home realm, and then log on as TreyResearch\April, with the password Pa$$w0rd.
4. Close Internet Explorer, and then connect to the same web site. Verify that you are not prompted for a home realm this time.
You are not prompted for a home realm again. Once users have selected a home realm and been
authenticated by a realm authority, they are issued with an _LSRealm cookie by the relying party
Federation Server. The default lifetime for the cookie is 30 days. Therefore, for us to log on multiple times,
we should delete that cookie after each logon attempt to return to a clean state.
X Task 4: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On MUN-DC1, in the AD FS Management Console, access the lon-dc1.adatum.com relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule Permit Production Group Rule, configure the Users Group as Production, configure the Outgoing claim type as Group, and the Outgoing claim value as Production.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send TreyResearch Group Name rule, and configure the rule to use an incoming claim type of group.
5. Delete the Issuance Authorization Rule that grants access to all users.
6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option to Permit access to users with this incoming claim.
7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option to Permit access to users with this incoming claim, and then click Finish.
8. Edit the Temp rule, and then copy the claim rule language into the clipboard.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule.
11. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit the first URL to match the following text, and then click Finish:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
On MUN-DC1, verify that TreyResearch\April no longer has access to the A. Datum test app.
3. Verify that TreyResearch\morgan does have access to the A. Datum test app. Morgan is a member of the Production group.
When you have finished the lab, revert the virtual machines to their initial state.
Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claim-aware application. Then you configured the application to restrict access from TreyResearch.com to specific groups, and you verified appropriate access.
Troubleshooting Tip
Question: What are the benefits of deploying AD FS with a cloud-based application or service?
Question: Under what circumstances would you choose to deploy a federation proxy server? Under what circumstances do you not have to deploy a federation proxy server?
1. Tailspin Toys is deploying a new claims-based web application. The web application needs to be accessible to both Tailspin Toys users and to Trey Research users. What AD FS components will you need to deploy at Tailspin Toys to enable this level of access?
2. Fabrikam is examining the requirements for AD FS. The company wants to use a federation proxy server for maximum security. Currently, Fabrikam has an internal network with internal DNS servers. Their internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting company's DNS servers for DNS resolution. What must the company do to prepare for the deployment?
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
7. In the Hyper-V Manager console, double-click 20417A-LON-SVR5; this will open the Virtual Machine Connection window. From the Action menu, click Start.
8. On the Windows Server 2012 page of the Windows Setup Wizard, verify the following settings, and then click Next:
9. On the Windows Server 2012 page of the Windows Setup Wizard, click Install now.
10. On the Select the operating system you want to install page of the Windows Setup Wizard, select
Windows Server 2012 Release Candidate Datacenter (Server Core Installation), and then click
Next.
11. On the License terms page of the Windows Setup Wizard, review the operating system license terms.
Select the I accept the license terms check box, and then click Next.
12. On the Which type of installation do you want? page of the Windows Setup Wizard, click Custom:
Install Windows Only (Advanced).
13. On the Where do you want to install Windows? page of the Windows Setup Wizard, verify that
Drive 0 Unallocated Space has sufficient space for the Windows Server 2012 operating system, and
then click Next:
o Depending on the speed of the host computer, the installation will take approximately 20 minutes.
o The virtual machine will restart several times during this process.
14. Click OK, and then in both the Password and Confirm password boxes type Pa$$w0rd, and then
click OK.
X Task 2: Convert a Windows Server 2012 Server Core installation to a full installation
1.
If necessary, log on to LON-SVR5 using the Administrator account with the password Pa$$w0rd.
2.
3.
Issue the following command and press Enter to mount the Windows Server 2012 full installation
image (read-only, so nothing is written back to the .wim file):
dism.exe /Mount-Image /ImageFile:d:\sources\install.wim /Index:4 /MountDir:c:\mount /ReadOnly
4.
5.
Load the ServerManager module by issuing the command and pressing Enter:
Import-Module ServerManager
6.
Install the Windows Server 2012 GUI components on the Server Core installation by issuing the
following command and pressing Enter (the -Source switch points at the mounted image, because a
Server Core installation does not carry the payload for these features):
Install-WindowsFeature User-Interfaces-Infra -IncludeAllSubFeature -Source c:\mount\windows
7.
When prompted, restart the server by issuing the following command and pressing Enter.
Shutdown /r /t 5
8.
Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify the presence of
the full GUI components.
X Task 3: Convert a Windows Server 2012 full installation to a Server Core installation
1.
If necessary, log on to LON-SVR5 and verify that the full graphic environment is present.
2.
3.
Click Close to close the message informing you that you cannot open Internet Explorer with the built-in Administrator account.
4.
5.
6.
7.
8.
Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now
configured to use the Server Core configuration.
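The two conversions above, as an added PowerShell example that is not part of the lab: it checks the current state before doing anything, uses the Dism module cmdlets in place of dism.exe, and always releases the mounted image even when the install fails. Assumptions: the installation media is D:, index 4 of install.wim is the full Datacenter image as in Task 2, and C:\mount is a scratch directory created here.

```powershell
# Added example, not from the 20417A lab. Run in an elevated PowerShell session on LON-SVR5.
Import-Module ServerManager
Import-Module Dism                      # Mount-WindowsImage / Dismount-WindowsImage

$wim         = 'D:\sources\install.wim' # assumption: media mounted as D:
$mountDir    = 'C:\mount'               # assumption: scratch directory
$guiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'   # the children of User-Interfaces-Infra

function Test-FullGui {
    # $true when the graphical shell is installed, $false on Server Core.
    (Get-WindowsFeature -Name Server-Gui-Shell).Installed
}

function ConvertTo-FullServer {
    if (Test-FullGui) { Write-Host 'GUI already installed'; return }
    New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
    # Read-only mount: the image is only a payload source, nothing is written back to it.
    Mount-WindowsImage -ImagePath $wim -Index 4 -Path $mountDir -ReadOnly | Out-Null
    try {
        $result = Install-WindowsFeature -Name User-Interfaces-Infra -IncludeAllSubFeature `
                      -Source "$mountDir\windows"
        if (-not $result.Success) { throw "Install failed with exit code $($result.ExitCode)" }
    }
    finally {
        # Release the mount whether or not the install succeeded.
        Dismount-WindowsImage -Path $mountDir -Discard | Out-Null
    }
    if ($result.RestartNeeded -eq 'Yes') { Restart-Computer -Force }
}

function ConvertTo-ServerCore {
    if (-not (Test-FullGui)) { Write-Host 'Already Server Core'; return }
    # Uninstall keeps the payload on disk so the server can be converted back without media;
    # adding -Remove would delete it and force the -Source dance above next time.
    Uninstall-WindowsFeature -Name $guiFeatures -Restart
}

# Usage: run one of the two, depending on the direction wanted.
ConvertTo-FullServer
# ConvertTo-ServerCore
```

Test-FullGui doubles as the verification step the lab does by logging on and looking: run it after the restart and it should return $true after Task 2 and $false after Task 3.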
If necessary, log on to LON-SVR5 using the account Administrator with password Pa$$w0rd.
2.
3.
4.
5.
6.
7.
At the command prompt, type hostname and press Enter to verify the computer's name.
8.
9.
10. Type the index number of the network adapter that you want to configure and press Enter.
11. To set the Network Adapter Address, on the Network Adapter Settings page, type 1 and
press Enter.
12. To select static IP address configuration, type S and press Enter.
13. At the Enter static IP address: prompt, type 172.16.0.111 and press Enter.
14. At the Enter subnet mask prompt, type 255.255.0.0 and press Enter.
15. At the Enter default gateway prompt, type 172.16.0.1 and press Enter.
16. To configure the DNS server address, on the Network Adapter Settings page, type 2 and press Enter.
17. At the Enter new preferred DNS server prompt, type 172.16.0.10 and press Enter.
18. In the Network Settings dialog box, click OK.
19. To not configure an alternative DNS server address, press Enter.
20. To return to the main menu, type 4 and press Enter.
21. To exit sconfig, type 15 and press Enter.
22. To verify connectivity to the domain controller from LON-SVR5, type ping lon-dc1.adatum.com and
press Enter.
Ensure that you are logged on to LON-SVR5 using the account Administrator with password
Pa$$w0rd.
2.
3.
4.
5.
At the Name of domain to join prompt, type adatum.com and press Enter.
6.
At the Specify an authorized domain\user prompt, type adatum\administrator and press Enter.
7.
At the Type the password associated with the domain user prompt, type Pa$$w0rd and
press Enter.
8.
9.
Ensure that you are logged on to LON-SVR5 using the account Adatum\Administrator with
password Pa$$w0rd.
2.
3.
4.
5.
6.
7.
8.
9.
To view the enabled Firewall rules on LON-SVR5 that allow traffic, at the Windows PowerShell
prompt, type the following command:
Get-NetFirewallRule -Enabled True | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName
10. To view all disabled Firewall rules on LON-SVR5, type the following command:
11. To view all NetFirewallRule related Windows PowerShell cmdlets, type the following command:
Get-Command -Noun NetFirewallRule
12. To view the status of the Remote Desktop inbound firewall rule, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
13. To enable the Remote Desktop Inbound Firewall rule, type the following command:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
14. To verify that the Remote Desktop Inbound Firewall rule is enabled, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
15. To disable the Remote Desktop Inbound Firewall Rule, type the following command:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
16. To verify that the Remote Desktop Inbound Firewall Rule is disabled, type the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.
2.
In the Server Manager console, click Local Server, and then click Enabled next to Remote
Management.
3.
On the Configure Remote Management dialog box, clear the check next to Enable remote
management of this server from other computers, and then click OK.
4.
5.
6.
At the Windows PowerShell prompt issue the command winrm qc. When you are prompted, type Y
and press Enter.
7.
Open the Server Manager console. Click Local Server. Verify that Remote Management is now
enabled.
Log on to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.
2.
In the Server Manager console, click Dashboard, and then click Create a server group.
3.
On the Create Server Group dialog box, click the Active Directory tab, and then click Find Now.
4.
Click LON-DC1 and then press and hold the Ctrl key, and then click LON-SVR5. To add them to a
server group click the Arrow.
5.
Set the Server Group Name to LONDON-GROUP, and then click OK.
6.
7.
8.
9.
Click LON-DC1. Press and hold the Ctrl key, and then click LON-SVR5.
10. While both servers are selected, right-click LON-DC1, and then click Start Performance Counters.
11. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as
Online.
2.
In the Servers list, right-click LON-SVR5, and then click Add Roles and Features.
3.
On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4.
On the Select installation type page of the Add Roles and Features Wizard, select Role-based or
feature-based installation, and then click Next.
5.
On the Select destination server page of the Add Roles and Features Wizard, ensure that
LON-SVR5.Adatum.com is selected, and then click Next.
6.
On the Select server roles page of the Add Roles and Features Wizard, click Next.
7.
On the Select features page of the Add Roles and Features Wizard, select Windows Server Backup,
and then click Next.
8.
On the Confirm installation selections page of the Add Roles and Features Wizard, click Install.
9.
10. In Server Manager, click the Flag and verify that the installation of the Windows Server Backup feature
succeeded on LON-SVR5.
2.
In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Switch to LON-SVR1.
2.
In the Server Manager console, in the navigation pane, click All Servers.
3.
In the Server Manager console, in the navigation pane, right-click All Servers, and then click Add
Servers.
4.
5.
In the details pane of the Add Servers dialog box, click LON-DC1, click the right-arrow button, and
then click OK.
6.
In Server Manager, hold down the Ctrl key, click LON-DC1, and then click LON-SVR1 to select both
the machines.
7.
In Server Manager, scroll down to the Performance section; select both LON-DC1 and LON-SVR1.
Right-click the selected servers, and then click Start Performance Counters.
On LON-SVR1, in Server Manager, click Tools, and then click Performance Monitor.
2.
In the navigation pane, expand Data Collector Sets, and then click User Defined.
3.
Click the Action menu, click New, and then click Data Collector Set.
4.
In the Create new Data Collector Set Wizard, in the Name box, type Windows Server Monitoring,
select Create manually (Advanced), and then click Next.
5.
On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.
6.
In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, click Windows Server Monitoring, click the Action menu, click New, and then click Data
Collector.
7.
In the Create New Data Collector Wizard, in the Name box, type Base Windows Server Monitoring,
select Performance counter data collector, click Next, and then click Add.
8.
In the Available counters object list, expand Processor, and then click % Processor Time. Click
Add.
9.
In the Available counters object list, expand Memory, and then click Available Mbytes. Click Add.
10. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.
11. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.
12. In the Performance Monitor, in the navigation pane, click Windows Server Monitoring, click the
Action menu, and then click Start.
13. Wait at least one minute, click the Action menu, and then click Stop.
14. In the navigation pane, expand Reports, expand User Defined, expand Windows Server
Monitoring, click LON-SVR1_DateTime, and then review the report.
15. Close the Performance Monitor.
1.
Switch to LON-SVR1.
2.
Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd
to open the Command Prompt.
3.
At the command prompt, type winrm quickconfig and then press Enter.
4.
5.
In the Computer Management console, expand Local Users and Groups, and then click Groups.
6.
7.
Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.
8.
In the Object Types dialog box, select the Computers check box, and then click OK.
9.
In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select box, type LON-DC1, and then click OK.
12. Move the mouse pointer to the lower-right corner of the screen, and then in the Search box, type cmd
to open the Command Prompt.
13. At the command prompt, type wecutil qc and then press Enter.
14. When you are prompted, type Y and then press Enter.
15. In Server Manager, click Tools, and then click Event Viewer.
16. In the Event Viewer, in the navigation pane, click Subscriptions.
17. Right-click Subscriptions, and then click Create Subscription.
18. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.
19. Click Collector Initiated, and then click Select Computers.
20. In the Computers dialog box, click Add Domain Computers.
21. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1,
and then click OK.
22. In the Computers dialog box, click OK.
23. In the Subscription Properties LON-SVR1 Events dialog box, click Select Events.
24. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.
25. In the Logged list, click Last 7 days.
26. In the Event logs list, select Windows Logs. Click inside the Query Filter dialog box, and then click
OK.
27. In the Subscription Properties LON-SVR1 Events dialog box, click OK.
28. In Event Viewer, in the navigation pane, expand Windows Logs.
29. Click Forwarded Events, and check for events from LON-SVR1.
Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
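The subscription created through Event Viewer above, as an added example that is not from the lab: the same collector-initiated subscription written as a wecutil definition file, so it can be versioned and re-applied, followed by two checks of whether events actually arrive. Run on the collector, LON-DC1. It assumes that LON-DC1's computer account has been made a member of the Event Log Readers group on LON-SVR1 (the Computer Management steps above) and that the source is reachable as LON-SVR1.adatum.com.

```powershell
# Added example, not from the 20417A lab. Run in an elevated PowerShell session on LON-DC1.
$subName     = 'LON-SVR1 Events'
$source      = 'LON-SVR1.adatum.com'             # assumption: source FQDN
$logs        = 'Application', 'Security', 'System'
$sevenDaysMs = 7 * 24 * 60 * 60 * 1000

# One <Select> per log, every level, last 7 days: the same filter the Query Filter dialog builds.
$selects = ($logs | ForEach-Object {
    "<Select Path=`"$_`">*[System[TimeCreated[timediff(@SystemTime) &lt;= $sevenDaysMs]]]</Select>"
}) -join ''

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/events/subscription">
  <SubscriptionId>$subName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows logs from LON-SVR1, last 7 days</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0">$selects</Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$source</Address></EventSource>
  </EventSources>
</Subscription>
"@

winrm quickconfig -q | Out-Null   # WinRM listener on the collector (step 3 above)
wecutil qc /q | Out-Null          # Windows Event Collector service, automatic start (step 13 above)

$file = Join-Path $env:TEMP 'lon-svr1-events.xml'
Set-Content -Path $file -Value $subscriptionXml -Encoding UTF8
wecutil cs $file                  # create the subscription from the definition
wecutil gr $subName               # runtime status per source; each source should read Active

function Get-ForwardedEventSummary {
    # Forwarded events counted per source computer. Empty output means nothing has arrived yet;
    # a source that "wecutil gr" shows as Active but that is missing here usually means the
    # collector's computer account cannot read that source's logs.
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents' } -ErrorAction SilentlyContinue |
        Group-Object -Property MachineName |
        Select-Object -Property Name, Count
}
Get-ForwardedEventSummary
```

HTTP as the transport name is not cleartext here: within the domain WinRM authenticates with Kerberos and encrypts the message payload, so HTTPS is only needed for sources that cannot use Kerberos.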
Switch to LON-SVR1.
2.
3.
4.
5.
On the Select Destination Server page, select LON-SVR1 and then click Next.
6.
7.
On the Select features page, select Windows Server Backup, and then click Next.
8.
9.
Switch to LON-SVR1.
2.
On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
3.
Click Local Backup, and then in the Actions pane, click Backup Schedule.
4.
On the Getting Started page of the Backup Schedule Wizard, click Next.
5.
On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6.
On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7.
On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.
8.
On the Specify Remote Shared Folder page, in the Path box, type \\LON-DC1\Backup, and then
click Next.
9.
In the Register Backup Schedule dialog box, in the Username box, type Administrator, in the
Password box, type Pa$$w0rd, and then click OK. Click Finish, and then click Close.
To prepare for this task, create a folder named Financial Data on drive C: of LON-SVR1, and inside
that folder create a text file named Financial Report.txt.
1.
2.
In the Windows Explorer window, in navigation pane, click on Local Disk (C:).
3.
In the Windows Explorer window, on the Home tab, click New Folder, and then type Financial Data
as the name of the new folder in the details pane.
4.
In the Windows Explorer window, double-click the Financial Data folder, right-click in the details
pane, point to New, click Text Document, and then type Financial Report as the file name.
On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2.
In the wbadmin [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup, and then in the Actions pane, click Backup Once.
3.
On the Backup Options page of the Backup Once Wizard, click Different options, and then click
Next.
4.
On the Select Backup Configuration page, click Custom, and then click Next.
5.
6.
Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7.
On the Specify Destination Type page, click Remote shared folder, and then click Next.
8.
On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
9.
10. On the Backup Progress page, click Close after the backup is complete.
Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
On LON-SVR1, on the Taskbar, click on Windows Explorer, and then in navigation pane, click on
Local Disk (C:).
2.
In Windows Explorer in details pane, right-click Financial Data folder, and then click Delete.
2.
The command should display the existing shadow copy from the backup performed previously.
1.
In the Windows Server Backup console, in the Actions pane, click Recover.
2.
On the Getting Started page, click A backup stored on another location, and then click Next.
3.
On the Specify Location type page, click Remote shared folder, and then click Next.
4.
On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
5.
6.
7.
On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:) drive, and on the
right pane, select Financial Data, and then click Next.
8.
On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
9.
Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the
available backups, and then restored the folder from the backup that you created.
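The Backup Once and Recover wizards above, as an added PowerShell example that is not part of the lab, using the WindowsServerBackup module installed with the feature. It assumes \\LON-DC1\Backup exists and that the credential prompted for can write to it. The lab registers the schedule with the domain Administrator; a dedicated backup account with rights only on that share is the better choice, because whatever account writes backups to the share can also read every backup stored there.

```powershell
# Added example, not from the 20417A lab. Run in an elevated PowerShell session on LON-SVR1.
Import-Module WindowsServerBackup

$share  = '\\LON-DC1\Backup'
$folder = 'C:\Financial Data'
$cred   = Get-Credential -Message "Account with write access to $share"   # prefer a dedicated backup account

function Start-FolderBackup {
    # Equivalent of Backup Once > Custom > Financial Data > Remote shared folder.
    $policy = New-WBPolicy
    Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec $folder)
    $target = New-WBBackupTarget -NetworkPath $share -Credential $cred
    Add-WBBackupTarget -Policy $policy -Target $target
    Set-WBVssBackupOptions -Policy $policy -VssCopyBackup   # copy backup: leave other apps' logs untouched
    Start-WBBackup -Policy $policy -Force                    # -Force suppresses the confirmation prompt
}

function Get-LatestBackupSet {
    # Equivalent of the Select Backup Date page: newest set stored on the share.
    $target = New-WBBackupTarget -NetworkPath $share -Credential $cred
    Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime -Descending | Select-Object -First 1
}

function Restore-FolderCopy {
    # Recovers to C:\ and keeps both versions if the folder is already back, matching the
    # "create copies" choice in the GUI rather than silently overwriting.
    $set = Get-LatestBackupSet
    if (-not $set) { throw "No backup sets found on $share" }
    Start-WBFileRecovery -BackupSet $set -SourcePath $folder -TargetPath 'C:\' `
        -Recursive -Option CreateCopyIfExists -Force
}

Start-FolderBackup
Remove-Item -Path $folder -Recurse -Force     # simulate the data loss from the next exercise
Restore-FolderCopy
Get-ChildItem -Path $folder                   # Financial Report.txt should be back
```

Get-LatestBackupSet is also the scripted form of the missing "view available backups" step: Get-WBBackupSet lists every version on the target, with BackupTime and the items each one contains.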
2.
In the Windows Explorer window, in the navigation pane, click Allfiles (E:), and in the details pane
double-click msoidcli.msi. Click Run.
3.
On the Microsoft Software License Terms page, click I accept the terms in the License Agreement
and Privacy Statement, and then click Install. Click Finish.
4.
5.
In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service
Agreement terms and conditions, and then click OK.
6.
7.
On the Installation Settings page, specify the settings (if not default), and then click Next:
o
8.
On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then
click Install.
9.
On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has
completed successfully message is displayed. Clear the Check for newer updates check box, and
then click Finish.
10. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then
click Microsoft Online Backup Service.
11. On LON-SVR1, move the mouse pointer to the lower-left corner of the screen, click Start, and then
click Microsoft Online Backup Service Shell.
Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example
NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer
names used in this lab should be unique. If there is more than one student in the classroom with the same
name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
To rename LON-SVR1, perform the following steps:
1.
In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this
local server.
2.
In the Server Manager window, on the Local Server page, click LON-SVR1.
3.
In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-YOURNAME, click OK twice, and then click Close.
4.
In a window that displays the message that you should restart your computer, click Restart Now.
5.
To register the server with Microsoft Online Backup, perform the following steps:
1.
Start the Microsoft Online Backup Service console, and then click Register Server.
2.
In the Register Server Wizard, on the Account Credentials page, in the Username box, type
holuser@onlinebackupservice.onmicrosoft.com, and in the Password box, type Pa$$w0rd. Click
Next.
Note: In a real-life scenario, you would type the username and password of your Microsoft
Online Backup Service subscription account.
3.
4.
On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type
Pa$$w0rdPa$$w0rd, and then click Register.
5.
On the Server Registration page, ensure that the Microsoft Online Backup Service is now
available for this server message is displayed, and then click Close.
Switch to the Microsoft Online Backup Service console, and then click Schedule Backup.
2.
3.
4.
In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.
5.
On the Specify Backup Time page, select Saturday, click 1:00AM, click Add, and then click Next.
6.
On the Specify Retention Setting page, accept the default settings, and then click Next.
7.
8.
9.
10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
11. On the Backup progress page, wait until Backup is successfully completed message appears, and
then click Close.
On the taskbar, click Windows Explorer, and then in the navigation pane, click Local Disk (C:).
2.
In the Local Disk (C:) window, right-click the Financial Data folder, and then click Delete.
3.
Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4.
In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5.
On the Select Recovery Mode page, select Browse for files, and then click Next.
6.
On the Select Volume and Date page, in the Select the volume drop-down list, select C:\. In the
calendar, click the date when you performed the backup, in the Time drop-down list, click the time
when you performed backup, and then click Next.
7.
On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click
Next.
8.
On the Specify Recovery Options page, select Original location and Create copies so that you
have both versions, and then click Next.
9.
10. On the Recovery Progress page, ensure that File(s) recovery job succeeded status message
appears, and then click Close.
11. Locate C:\ and ensure that the Financial Data folder is restored to drive C.
X Task 5: Unregister the server from the Microsoft Online Backup Service
1.
Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2.
On the Getting started page, click Unregister this server, and then click Next.
3.
Username: holuser@onlinebackupservice.onmicrosoft.com,
Password: Pa$$w0rd
4.
Click Unregister.
5.
Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.
2.
In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
X Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1.
2.
On LON-DC1, browse to the Start screen, type Windows PowerShell ISE and then right-click
Windows PowerShell ISE. In the pop-up banner, click Run as administrator.
3.
4.
In the Console pane, type Get-ChildItem E:\ModXA\Democode, and then press Enter.
5.
In the Console pane, type dir C:\Windows, and then press Enter.
6.
In the Console pane, type Get-E, press the Tab key until Get-ExecutionPolicy is shown, and then
press the Enter key.
2.
3.
In the Console pane, type $Services = Get-Service and then press Enter.
4.
In the Console pane, type Get-Help Where-Object examples and then press Enter. Click No to
update help.
5.
In the Console pane, type $Services | Where-Object {$_.Status -eq "Stopped"} and then press
Enter.
In Windows PowerShell ISE, click File, and then click New Remote PowerShell Tab.
2.
In the New Remote PowerShell Tab window, in the Computer box, type LON-SVR1 and then click
Connect.
3.
4.
In the Console pane, type Add-WindowsFeature XPS-Viewer and then press Enter.
5.
Press the Up Arrow key two times or until Get-WindowsFeature appears. Press Enter to execute.
6.
Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.
2.
In the Console pane, type Import-Module ActiveDirectory and then press Enter.
3.
In the Console pane, type Get-Command -Module ActiveDirectory and then press Enter.
X Task 2: View options on how to create a report of users in the Active Directory
domain
1.
If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2.
3.
4.
5.
6.
7.
X Task 3: Use a script to create new users in the domain by using a CSV-based file
1.
On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2.
In the Notepad window, on the File menu, click Open. Locate E:\ModXA\Democode
\LabUsers.Csv. You will need to change the file type to All Files.
3.
Close Notepad.
4.
In Windows PowerShell ISE, click File and then click Open. Locate
E:\ModXA\Democode\LabUsers.ps1. Click Open.
5.
6.
7.
In the Console pane, type the following to verify that Luka Abrus, Marcel Truempy, Andy Brauninger,
and Cynthia Cary were created:
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com"
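An added example standing in for the lab's LabUsers.ps1, whose contents are not on the page: it reads users from CSV text constructed inline (the four names the lab verifies; the column names are an assumption), gives each a random one-time password generated from the system CSPRNG instead of a shared value, forces a change at first logon, and finishes with the same Get-ADUser check. Run in an elevated Windows PowerShell ISE on LON-DC1 as in this task.

```powershell
# Added example, not the lab's LabUsers.ps1. Run as an administrator on LON-DC1.
Import-Module ActiveDirectory

$ou  = 'OU=Sales,DC=Adatum,DC=com'
# Constructed sample input; the real lab reads E:\ModXA\Democode\LabUsers.Csv.
$csv = @'
FirstName,LastName,SamAccountName,Department
Luka,Abrus,labrus,Sales
Marcel,Truempy,mtruempy,Sales
Andy,Brauninger,abrauninger,Sales
Cynthia,Cary,ccary,Sales
'@

function New-InitialPassword {
    # 16 characters with at least one from each class, so it satisfies the default domain
    # complexity policy; drawn from the CSPRNG rather than Get-Random.
    $sets = @('abcdefghjkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!$%&*+-?')
    $all  = -join $sets
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $pick = {
        param([string]$From)
        $b = New-Object byte[] 1
        $rng.GetBytes($b)
        $From[$b[0] % $From.Length]
    }
    $chars = @()
    foreach ($s in $sets) { $chars += & $pick $s }          # one from each class
    while ($chars.Count -lt 16) { $chars += & $pick $all }  # fill the rest
    -join ($chars | Get-Random -Count $chars.Count)         # shuffle so class order is not fixed
}

function Import-SalesUsers {
    param([string]$CsvText)
    $created = @()
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $sam = $row.SamAccountName
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Warning "$sam already exists, skipping"
            continue
        }
        $pw = New-InitialPassword
        New-ADUser -Name "$($row.FirstName) $($row.LastName)" `
            -GivenName $row.FirstName -Surname $row.LastName `
            -SamAccountName $sam -UserPrincipalName "$sam@adatum.com" `
            -Department $row.Department -Path $ou `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true
        # The one-time password is returned to the operator for out-of-band delivery;
        # nothing writes it to disk.
        $created += [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $pw }
    }
    $created
}

Import-SalesUsers -CsvText $csv
# Same verification as the lab, narrowed to the attributes that matter for a review.
Get-ADUser -Filter * -SearchBase $ou -Properties Department |
    Select-Object Name, SamAccountName, Enabled, Department
```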
X Task 4: Create a script to modify the address of a user based on the day of the week
1.
If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory
module.
2.
In Windows PowerShell ISE, on the File menu, click Open. Locate E:\ModXA\Democode
\Using If Statements.ps1. Click Open.
3.
4.
Press F5 to run the script. Run the script a second time to view the changes.
Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional statements to modify Active Directory properties.
On LON-DC1, open Windows PowerShell ISE, in the Console pane type the following, and then press
Enter.
Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 -IncludeManagementTools -Restart
2.
In the Console pane, type Install-PswaWebApplication -UseTestCertificate and then press Enter.
3.
2.
In the Address bar, type the following URL and then press Enter:
https://LON-DC1/pswa
3.
4.
User: Administrator
Password: Pa$$w0rd
Computer: LON-DC1
5.
In the Windows PowerShell Web Access command shell, type Get-EventLog -LogName System -Newest 5 and
then press Enter.
6.
Type the following in the Windows PowerShell Web Access command shell:
Invoke-Command -ScriptBlock { Get-EventLog -LogName Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2
Results: After this exercise, you will have performed one to many management of remote servers by using
Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by
using Windows PowerShell Web Access.
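An added example, not from the lab, of the two things a practitioner changes before exposing Windows PowerShell Web Access beyond a classroom: binding a CA-issued certificate instead of -UseTestCertificate, and adding an authorization rule, since the gateway refuses every sign-in until at least one rule matches the user, the target computer and the session configuration. The thumbprint, the ADATUM\ServerOps group and the rule name are placeholders.

```powershell
# Added example, not from the 20417A lab. Run in an elevated PowerShell session on the gateway (LON-DC1).
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
Import-Module WebAdministration          # available once IIS is installed with the feature

# Without -UseTestCertificate the cmdlet leaves the HTTPS binding to you, which is the point:
# bind a certificate issued by a CA the clients trust, not a self-signed test certificate.
Install-PswaWebApplication
$thumbprint = 'PUT-THE-REAL-THUMBPRINT-HERE'   # placeholder: certificate already in LocalMachine\My
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
Get-Item "Cert:\LocalMachine\My\$thumbprint" |
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Force | Out-Null

# Authorization rules: (user or group) x (computer or computer group) x session configuration.
# Scope them to a group and a named host; a rule with * for both reproduces the lab's exposure.
Add-PswaAuthorizationRule -UserGroupName 'ADATUM\ServerOps' `        # placeholder group
    -ComputerName 'LON-DC1.adatum.com' -ConfigurationName 'Microsoft.PowerShell' `
    -RuleName 'ServerOps to LON-DC1'

function Test-GatewayAccess {
    param([string]$User, [string]$Computer, [string]$Config = 'Microsoft.PowerShell')
    # Returns the rules that would authorize this combination; empty output means the
    # sign-in form would be refused even with a valid password.
    Test-PswaAuthorizationRule -UserName $User -ComputerName $Computer -ConfigurationName $Config
}

Test-GatewayAccess -User 'ADATUM\Administrator' -Computer 'LON-SVR2.adatum.com'   # no rule: empty
Get-PswaAuthorizationRule                                                         # review what exists
```

Pair the rule with a constrained session configuration (Register-PSSessionConfiguration with a restricted set of commands) rather than Microsoft.PowerShell when the gateway users only need a few operations; the rule's ConfigurationName is what ties the two together.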
2.
In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
3.
4.
2.
3.
In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4.
5.
On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6.
On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7.
8.
9.
On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2.
3.
In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
4.
In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5.
On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk1, and then click
Next.
6.
On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
7.
On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8.
On the Specify target name page, in the Name box, type lon-svr2, and then click Next.
9.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 172.16.0.22, and then
click OK.
11. On the Specify access servers page, click Add.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list, select IP Address, in the Value box, type 131.107.0.2, and then
click OK.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk2, and then click
Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
21. On the Assign iSCSI target page, click lon-svr2, and then click Next.
22. On the Confirm selections page, click Create.
23. On the View results page, wait until the creation is completed, and then click Close.
24. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
26. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk3, and then click
Next.
27. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
28. On the Assign iSCSI target page, click lon-svr2, and then click Next.
29. On the Confirm selections page, click Create.
30. On the View results page, wait until the creation is completed, and then click Close.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, select New
iSCSI Virtual Disk.
32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
33. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk4, and then click
Next.
34. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
35. On the Assign iSCSI target page, click lon-svr2, and then click Next.
36. On the Confirm selections page, click Create.
37. On the View results page, wait until the creation is completed, and then click Close.
38. In the iSCSI VIRTUAL DISKS pane, click TASKS and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage,
click C:, and then click Next.
40. On the Specify iSCSI virtual disk name page, in the Disk name box, type iSCSIDisk5, and then click
Next.
41. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the
drop-down list, and then click Next.
42. On the Assign iSCSI target page, click lon-svr2, and then click Next.
43. On the Confirm selections page, click Create.
44. On the View results page, wait until the creation is completed, and then click Close.
2.
3.
In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4.
5.
On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6.
7.
On the Select features page, click Multipath I/O, and then click Next.
8.
9.
10. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select iSCSI
Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1,
and then click Quick Connect. In the Quick Connect box, click Done.
13. Click OK to close the iSCSI Initiator Properties dialog box.
14. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
15. In MPIO Properties dialog box, click the Discover Multi-Paths tab.
16. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to
reboot the computer, click Yes.
17. After the computer restarts, log on to LON-SVR2 with username of Adatum\Administrator and
password of Pa$$w0rd.
18. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
19. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that additional Device
Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.
20. Click OK to close the MPIO Properties dialog box.
1.
On LON-SVR2, in Server Manager, on the menu bar, click Tools and then in the Tools drop-down list,
select iSCSI Initiator.
2.
In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
3.
4.
In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5.
In the Connect to Target window, click Enable multi-path, verify that the Add this connection to
the list of Favorite Targets check box is selected, and then click the Advanced button.
6.
In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22 and in the Target
Portal IP drop-down list, click 172.16.0.10 / 3260.
7.
8.
9.
In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In Connect to Target window, click Enable multi-path, verify that the Add this connection to the
list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default
to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2 and in the Target
Portal IP drop-down list, select 131.107.0.1 / 3260.
12. In the Advanced Settings dialog box, click OK.
13. In the Connect to Target window, click OK.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto
Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, and then click
Devices.
18. In the Devices dialog box, click the MPIO button.
19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following
paths, notice that two paths are listed. Select the first path and then click the Details button.
20. Note the IP address of the Source and Target portals, and then click OK.
21. Select the second path and then click the Details button.
22. Verify that the Source IP address is of the second network adapter, and then click OK.
23. Click OK to close the Device Details dialog box.
24. Click OK to close the Devices dialog box.
25. Close the iSCSI Initiator Properties dialog box.
Results: After completing this exercise, you will have configured and connected to iSCSI targets.
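The same two-path connection and the MPIO check of steps 18 to 22, as PowerShell run on LON-SVR2 (an added example, not part of the course answer key); the IQN and the initiator and portal addresses are the ones given in the steps above.

```powershell
# Added example (not part of the course answer key): reconnect the target over
# both fabrics and verify the two MPIO paths, as steps 4-22 above do in the GUI.
# The IQN and the initiator/portal addresses are the ones given in the steps.
$Target = 'iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target'
$Paths  = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' }   # first network adapter
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }   # second network adapter
)

# Let MPIO claim iSCSI devices (the MPIO Properties step); returns $true if a reboot is pending.
Enable-MSDSMAutomaticClaim -BusType iSCSI

# Each target portal must be registered before a session can be opened through it.
foreach ($p in $Paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal -InitiatorPortalAddress $p.Initiator `
        -ErrorAction SilentlyContinue | Out-Null
}

# One session per path: "Enable multi-path" plus "Favorite Targets" (persistent across reboots).
foreach ($p in $Paths) {
    Connect-IscsiTarget -NodeAddress $Target -TargetPortalAddress $p.Portal `
        -InitiatorPortalAddress $p.Initiator -IsMultipathEnabled $true -IsPersistent $true | Out-Null
}

# Equivalent of steps 18-22: two sessions, each sourced from a different initiator address,
# and the default load-balance policy (RR = Round Robin, which step 19 expects).
function Test-MultipathTarget {
    param([string]$NodeAddress = $Target)
    $sessions = @(Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $NodeAddress })
    $sources  = @($sessions | Get-IscsiConnection | Select-Object -ExpandProperty InitiatorAddress -Unique)
    [pscustomobject]@{
        Target        = $NodeAddress
        SessionCount  = $sessions.Count
        SourceAddress = $sources -join ', '
        Policy        = Get-MSDSMGlobalDefaultLoadBalancePolicy
        TwoPathsUp    = ($sessions.Count -eq 2) -and ($sources.Count -eq 2)
    }
}
Test-MultipathTarget
```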
2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage Pool.
4. In the New Storage Pool Wizard window, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1, and then click Next.
6. On the Select physical disks for the storage pool page, click all five physical disks, and then click Next.
7.
8. On the View results page, wait until the creation is completed, and then click Close.
2. In the VIRTUAL DISKS pane, click TASKS, and then from the TASKS drop-down list, click New Virtual Disk.
3. In the New Virtual Disk Wizard window, on the Before you begin page, click Next.
4. On the Select the server and storage pool page, click StoragePool1, and then click Next.
5. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click Next.
6. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
7. On the Configure the resiliency settings page, click Three-way mirror, and then click Next.
8. On the Specify the provisioning type page, click Thin, and then click Next.
9. On the Specify the size of the virtual disk page, in the Virtual disk size box, type 10, and then click Next.
11. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
12. In the New Volume Wizard window, on the Before you begin page, click Next.
13. On the Select the server and disk page, in the Disk pane, click the virtual disk that is called Mirrored vDisk, and then click Next.
14. On the Specify the size of the volume page, click Next to confirm the default selection.
15. On the Assign to a drive letter or folder page, make sure E is selected in the Drive letter drop-down list, and then click Next.
16. On the Select file system settings page, in the File system drop-down list, select ReFS, in the Volume label box, type Mirrored Volume, and then click Next.
Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press Enter.
2. At the command prompt, type the following command and then press Enter:
Copy C:\windows\system32\write.exe E:\
3.
4. On the taskbar, open Windows Explorer and then click Mirrored Volume (E:). You should now see write.exe in the file list.
5.
1. Switch to LON-DC1.
2. In Server Manager, in the navigation pane, click File and Storage Services.
3.
4. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click Disable iSCSI Virtual Disk.
5. In the Disable iSCSI Virtual Disk warning message box, click Yes.
Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. On the taskbar, open Windows Explorer, and then click Mirrored Volume (E:).
3. In the file list pane, double-click write.exe to make sure access to the volume is still available.
4.
5.
6. In Server Manager, in the STORAGE POOLS pane, on the menu bar click the Refresh Storage Pools button. Wait until all panes are refreshed. Notice the warning that appears right next to Mirrored vDisk.
7. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
8. In the Mirrored vDisk Properties window, in the navigation pane, click Health. Notice that the Health Status indicates a Warning. The Operational Status should indicate Degraded.
9.
1. Switch to LON-DC1.
2. In Server Manager, in the navigation pane, click File and Storage Services.
3.
4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
5. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, in the Storage location pane, click C:, and then click Next.
6. On the Specify iSCSI virtual disk name page, type iSCSIDisk6, and then click Next.
7. On the Specify iSCSI virtual disk size page, in the Size box, type 5, make sure GB is selected in the drop-down list, and then click Next.
8. On the Assign iSCSI target page, click lon-svr2, and then click Next.
9.
10. On the View results page, wait until the creation is completed, and then click Close.
Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add Physical Disk.
4. In the Add Physical Disk window, click PhysicalDisk1 (LON-SVR2), and then click OK.
5. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend Virtual Disk.
6. In the Extend Virtual Disk window, in the New size box, type 15, and then click OK.
Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
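The Storage Spaces exercise above (pool, thin three-way mirror, ReFS volume, health check after a disk is lost, then adding a disk and extending) as PowerShell on LON-SVR2; this is an added example, not the course's own code, and uses the lab's names and sizes.

```powershell
# Added example (not part of the course answer key): the Storage Spaces exercise
# above as PowerShell on LON-SVR2, using the lab's names and sizes. The pool is built
# from the five iSCSI disks connected earlier; Get-MirrorHealth is meant to be run
# after iSCSIDisk1.vhd has been disabled on LON-DC1 (Task 4).
$PoolName = 'StoragePool1'
$DiskName = 'Mirrored vDisk'
$Label    = 'Mirrored Volume'

# New Storage Pool Wizard: all poolable disks into StoragePool1.
$eligible = @(Get-PhysicalDisk -CanPool $true)
if ($eligible.Count -lt 5) { throw "A three-way mirror needs five disks; found $($eligible.Count) poolable" }
$subsystem = Get-StorageSubSystem | Where-Object { $_.FriendlyName -like '*Storage Spaces*' }
New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $eligible | Out-Null

# New Virtual Disk Wizard: Mirror layout, three data copies, thin provisioning, 10 GB.
New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
    -ResiliencySettingName Mirror -NumberOfDataCopies 3 -ProvisioningType Thin -Size 10GB | Out-Null

# New Volume Wizard: initialize, one partition as E:, ReFS with the lab's label.
$disk = Get-VirtualDisk -FriendlyName $DiskName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

# Task 5 equivalent: a mirror with one disk offline keeps serving data (write.exe still opens)
# but reports HealthStatus Warning / OperationalStatus Degraded until redundancy is restored.
function Get-MirrorHealth {
    param([string]$FriendlyName = $DiskName)
    $vd   = Get-VirtualDisk -FriendlyName $FriendlyName
    $pool = Get-StoragePool -FriendlyName $PoolName
    [pscustomobject]@{
        VirtualDisk       = $vd.FriendlyName
        HealthStatus      = $vd.HealthStatus        # Healthy, Warning or Unhealthy
        OperationalStatus = $vd.OperationalStatus   # OK, Degraded, ...
        RedundancyLost    = @($vd.OperationalStatus) -contains 'Degraded'
        UnhealthyDisks    = @(Get-PhysicalDisk -StoragePool $pool |
                              Where-Object { $_.HealthStatus -ne 'Healthy' }).Count
    }
}
Get-MirrorHealth

# Task 7 equivalent: add the newly presented iSCSI disk to the pool, then grow the space to 15 GB.
# (Resizing the virtual disk does not grow the E: volume; that is a separate Resize-Partition.)
$newDisk = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
if ($newDisk) { Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $newDisk }
Resize-VirtualDisk -FriendlyName $DiskName -Size 15GB
```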
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
2.
3.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5.
6. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
8.
9.
13. In the Setting list in the Lanman Server result pane, right-click Hash Publication for BranchCache, and then click Edit.
14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select the Allow hash publication only for shared folders on which BranchCache is enabled check box, and then click OK.
1. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate check box, type 100, and then click Next.
3.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6.
2.
3.
4.
5.
6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.
9.
2. In Server Manager, on the menu bar, click Tools and then select Group Policy Management from the Tools drop-down list.
3.
4. In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.
5. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
6. On the Action menu of the Group Policy Management Editor console, click New Rule.
7. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next.
8.
9. On the Action page, click Finish to create the firewall inbound rule.
10. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.
11. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next.
12. On the Predefined Rules page, click Next.
13. On the Action page, click Finish.
Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and
enabled BranchCache on a file share.
1. On LON-DC1, in the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click Edit.
3. In the Turn on BranchCache dialog box, click Enabled and then click OK.
4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode and then click Edit.
5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Type the name of the hosted Cache server box, type LON-SVR1.adatum.com, and then click OK.
6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files and then click Edit.
7. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the maximum round trip network latency value (milliseconds) after which caching begins box, type 0, and then click OK. A value of 0 is used here only to simulate branch-office access in the lab; it is not typically required.
8.
9.
10. Start 20417A-LON-CL1. After the computer starts, log on as Adatum\Administrator with the password of Pa$$w0rd.
11. On the Start screen, type command prompt and then press Enter.
12. At the command prompt, type the following command and then press Enter:
gpupdate /force
13. At the command prompt, type the following command and then press Enter:
netsh branchcache show status all
14. Start 20417A-LON-CL2. After the computer starts, log on as Adatum\Administrator with the password of Pa$$w0rd.
15. On the Start screen, type command prompt and then press Enter.
16. At the command prompt, type the following command and then press Enter:
gpupdate /force
17. At the command prompt, type the following command and then press Enter:
netsh branchcache show status all
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the password of Pa$$w0rd.
2.
3.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5.
6. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, and then select the BranchCache for Network Files check box.
8.
9. On the Select features page, click BranchCache, and then click Next.
1. Switch to LON-DC1.
2. In Server Manager, on the menu bar, click Tools and then select Active Directory Users and Computers from the Tools drop-down list.
3.
4. In the New Object - Organizational Unit window, type BranchCacheHost and then click OK.
5.
6.
7.
8.
9. In Server Manager, on the menu bar, click Tools and then select Group Policy Management from the Tools drop-down list.
10. Under Domains, expand Adatum.com, right-click BranchCacheHost, and then click Block Inheritance.
11. On LON-DC1, close all open windows.
12. Restart LON-SVR1 and log on as Adatum\Administrator with the password of Pa$$w0rd.
13. Open Windows PowerShell by clicking the icon on the taskbar.
14. At the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer -RegisterSCP
15. At the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus
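PowerShell equivalents of the three BranchCache exercises above (content server, client GPO settings, hosted cache server), as an added example that is not part of the course answer key; the share name Data is an assumption, since the steps do not name the shared folder.

```powershell
# Added example (not part of the course answer key): PowerShell equivalents of the
# BranchCache exercises above. Run each section on the host named in its comment.
# The share name 'Data' is an assumption; the lab steps do not give the share name.

# --- Content server (LON-DC1): role service, share caching, hash publication, firewall rules.
Install-WindowsFeature -Name FS-BranchCache
# "Caching > Enable BranchCache" on the share's Offline Settings dialog ('Data' is assumed).
Set-SmbShare -Name 'Data' -CachingMode BranchCache -Force
# Lanman Server > Hash Publication for BranchCache: 1 = only for shares with BranchCache enabled.
$lanman = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
New-Item -Path $lanman -Force | Out-Null
Set-ItemProperty -Path $lanman -Name HashPublicationForPeerCaching -Value 1 -Type DWord
# The two predefined rule groups the New Inbound Rule Wizard offers (enabled in the local
# store here; the lab places the same rules in the Default Domain Policy instead).
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Content Retrieval (Uses HTTP)'
Enable-NetFirewallRule -DisplayGroup 'BranchCache - Peer Discovery (Uses WSD)'

# --- Hosted cache server (LON-SVR1): feature, then publish a service connection point in AD
# so domain clients can locate the hosted cache (the lab's Enable-BCHostedServer -RegisterSCP).
Install-WindowsFeature -Name BranchCache
Enable-BCHostedServer -RegisterSCP

# --- Clients (LON-CL1, LON-CL2), same values as the GPO settings above: hosted cache mode
# pointing at LON-SVR1, and a latency threshold of 0 ms so the lab LAN counts as a slow link.
Enable-BCHostedClient -ServerNames 'LON-SVR1.adatum.com'
Set-BCMinSMBLatency -LatencyMilliseconds 0

# --- Verification on any host: the facts that "netsh branchcache show status all" reports.
function Test-BranchCacheState {
    $s = Get-BCStatus
    [pscustomobject]@{
        Enabled        = $s.BranchCacheIsEnabled
        ServiceRunning = $s.BranchCacheServiceStatus -eq 'Running'
        ClientMode     = $s.ClientConfiguration.CurrentClientMode   # e.g. HostedCacheClient
    }
}
Test-BranchCacheState
```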
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
1. On LON-DC1, in Server Manager, click Tools, and then click DNS on the drop-down list.
2. Expand LON-DC1, expand Forward Lookup Zones, and then select and right-click Adatum.com.
3.
4.
5.
6. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.
7.
8.
9.
20. Expand Trust Points, expand com, and click Adatum. Ensure that the DNSKEY resource records exist and that their status is valid.
21. Close the DNS Manager console.
22. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
23. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default Domain Policy, and then click Edit.
24. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then click the Name Resolution Policy folder.
25. To apply the rule to the suffix of the namespace, in the Create Rules section, in the Suffix field, type Adatum.com.
26. On the DNSSEC tab, click Enable DNSSEC in this rule.
27. Check Require DNS clients to check that the name and address data has been validated by the DNS server, and then click Create.
28. Close the Group Policy Management Editor and Group Policy Management console.
1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.
2. Expand Lon-DC1.adatum.com.
3.
4.
5.
6.
7.
1. On LON-SVR1, in Server Manager, click Tools, and then on the drop-down list, click DHCP. Note that the server is authorized but no scopes are configured.
2. Switch to LON-DC1.
3. In the DHCP Management console, right-click the IPv4 node, and then click Configure Failover.
4.
5. On the Specify a partner server to use for failover screen, enter 172.16.0.21 in the Partner Server field, and then click Next.
6. On the Create a new failover relationship screen, in the Relationship Name field, type Adatum.
7. In the Maximum Client Lead Time field, set the hours to zero, and set the minutes to 15.
8.
9.
Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
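The DNSSEC signing, NRPT rule, DHCP name protection and DHCP failover steps above as PowerShell on LON-DC1, an added example that is not part of the course answer key. The zone, partner address, relationship name and MCLT are the lab's values; the scope ID 172.16.0.0 and the failover shared secret are assumptions because the steps above do not give them.

```powershell
# Added example (not part of the course answer key): PowerShell equivalents, run on
# LON-DC1, of the DNSSEC, NRPT and DHCP failover steps above. Zone, partner address,
# relationship name and MCLT are the lab's; the scope ID 172.16.0.0 and the failover
# shared secret are assumptions (the steps above do not give them).

# --- Sign Adatum.com with default key settings; LON-DC1 becomes the Key Master.
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -SignWithDefault -Force

# Step 20 equivalent: DNSKEY records present, RRSIGs generated, zone flagged as signed.
function Test-ZoneSigned {
    param([string]$Zone = 'Adatum.com')
    $keys = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey -ErrorAction SilentlyContinue)
    $sigs = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType RRSig -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Zone     = $Zone
        IsSigned = (Get-DnsServerZone -Name $Zone).IsSigned
        DnsKeys  = $keys.Count     # at least one KSK and one ZSK
        Rrsigs   = $sigs.Count
    }
}
Test-ZoneSigned

# --- Steps 24-27: NRPT rule in the Default Domain Policy. DnsSecValidationRequired is the
# "Require DNS clients to check that the name and address data has been validated" box;
# without it a client still accepts unvalidated answers for the namespace.
Add-DnsClientNrptRule -GpoName 'Default Domain Policy' -Namespace 'adatum.com' `
    -DnsSecEnable -DnsSecValidationRequired

# Client-side check after gpupdate: a DNSSEC-aware query should come back with RRSIG records.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -Server 172.16.0.10 -DnssecOk

# --- DHCP name protection: stops a client registering a name another host already owns in DNS.
Set-DhcpServerv4DnsSetting -ComputerName 'LON-DC1' -NameProtection $true

# --- Steps 3-8: failover relationship "Adatum" with LON-SVR1 (172.16.0.21), MCLT 15 minutes.
Add-DhcpServerv4Failover -ComputerName 'LON-DC1' -Name 'Adatum' -PartnerServer '172.16.0.21' `
    -ScopeId 172.16.0.0 -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -SharedSecret 'Re-place-This-Failover-Secret'   # assumed value; authenticates partner messages
Get-DhcpServerv4Failover -ComputerName 'LON-DC1' |
    Select-Object Name, PartnerServer, Mode, State, MaxClientLeadTime, LoadBalancePercent
```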
1.
2.
3.
4.
5.
6.
7. In the Add features that are required for IP Address Management (IPAM) Server pop-up, click Add Features, and then click Next.
8.
9.
2. In the IPAM Overview pane, after step 1 shows that LON-SVR2 is connected, click Provision the IPAM server.
3.
4. On the Select provisioning method screen, select the Group Policy Based method, type IPAM in the GPO name prefix field, and then click Next.
5.
6.
2. To add the Adatum.com domain, in the Configure Server Discovery dialog box, click Add, and then click OK.
3.
4. In the yellow banner, to determine the discovery status, click the More link. Discovery will take a few minutes to complete.
5. To return to the IPAM pane, close the Overview Tasks Details dialog box.
1. From the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll down to the Details View and note the status report. This is because the IPAM server has not yet been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.
2.
3. Type the following command at the PowerShell prompt and then press Enter:
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com
4. When you are prompted to confirm the action, press Enter. It will take a few moments to complete.
5.
6. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
7. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click OK.
8.
9. Switch to LON-DC1.
15. Switch back to LON-SVR2 and right-click LON-DC1, then click Refresh Server Access Status. This may take a few minutes to complete.
16. Repeat step 15 to refresh the status for LON-SVR1.
17. Refresh the page by clicking the Refresh icon on the top menu bar until the status shows IPAM Access Status Unblocked.
18. From the IPAM Overview pane, click Retrieve data from managed servers. This action will take several moments to complete.
1. In the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers. Refresh the console pane until all objects show Running.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server role.
3.
4. In the Create DHCP Scope dialog box, in the Scope Name field, type TestScope.
5.
6.
7.
8. In the Configure options pane, click the drop-down arrow of the Option field, and then select option 003 Router.
9. In the Values section, click the IP Address field, type 10.0.0.1, click Add to list, and then click OK.
12. In the DHCP console, expand LON-DC1.Adatum.com, expand IPv4, and confirm that TestScope exists.
13. Right-click TestScope and then click Deactivate. Click Yes.
14. Close the DHCP console.
15. On LON-SVR2, close all open windows.
Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.
1. On LON-SVR2, move the mouse to the lower right corner, click the Search icon on the flyout menu, type MMC.EXE, and press Enter.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
5. In the Select Computer dialog box, click Finish, and then click OK.
6. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
7.
8. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
9.
10. Verify that the status of the certificate installation is Succeeded and then click Finish.
11. Close the Console1 window. When you are prompted to save console settings, click No.
12. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
13. Move the mouse to the lower right corner and then click the Search icon on the flyout menu, type MMC, and press Enter.
14. In the Console1 window, click File and then click Add/Remove Snap-in.
15. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
16. In the Certificates snap-in dialog box, select Computer account and then click Next.
17. In the Select Computer dialog box, click Finish and then click OK.
18. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
19. When the Certificate Enrollment dialog box appears, click Next.
20. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
21. Select the Computer check box and then click Enroll.
22. Verify that the status of the certificate installation is Succeeded and then click Finish.
23. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
24. When the Certificate Enrollment dialog box appears, click Next.
25. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
26. Select the Computer check box, and then click Enroll.
27. Verify that the status of the certificate installation is Succeeded and then click Finish.
28. Close the Console1 window. When you are prompted to save console settings, click No.
29. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.
30. On the Start screen, type MMC and press Enter.
31. In the Console1 window, click File and then click Add/Remove Snap-in.
32. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
33. In the Certificates snap-in dialog box, select Computer account and then click Next.
34. In the Select Computer dialog box, click Finish and then click OK.
35. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
36. When the Certificate Enrollment dialog box appears, click Next.
37. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
38. Select the Computer check box and then click Enroll.
39. Verify that the status of the certificate installation is Succeeded and then click Finish.
40. Close the Console1 window. When you are prompted to save console settings, click No.
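The enrollment of steps 6 to 10 as PowerShell, followed by a check that the issued certificate will satisfy a PEAP client's "Verify the server's identity by validating the certificate" setting; this is an added example, not part of the course answer key, and Test-PeapCertificate is an added check rather than a lab step.

```powershell
# Added example (not part of the course answer key): request the Computer certificate
# from the Active Directory enrollment policy as steps 6-10 do, then check that the
# issued certificate will pass the client's "Verify the server's identity" PEAP check
# (step 30 of the VPN task). Test-PeapCertificate is an added check, not a lab step.

# 'Machine' is the template name behind the template displayed as "Computer".
$result = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

# For PEAP the NPS server certificate must carry Server Authentication, chain to a CA the
# client trusts, match the server's name and be within its validity period. A client
# certificate used for NAP needs Client Authentication instead.
function Test-PeapCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedDnsName,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    $oid = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEku  = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $oid })
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($Role -eq 'Client') -or ($dnsName -ieq $ExpectedDnsName)
    $now     = Get-Date
    $inDate  = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        Role          = $Role
        HasRoleEku    = $hasEku
        ChainValid    = $chainOk
        ChainErrors   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        NameMatches   = $nameOk
        InValidity    = $inDate
        UsableForPeap = $hasEku -and $chainOk -and $nameOk -and $inDate
    }
}

# On LON-SVR2 this is LON-SVR2.adatum.com, the name the PEAP client will compare against.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Test-PeapCertificate -Certificate $cert -ExpectedDnsName $fqdn -Role Server
```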
2.
3.
4.
5.
6. On the Select server roles page, check Network Policy and Access Services.
7. In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.
8.
9.
10. On the Select role services page, check Network Policy Server. Click Next.
11. On the Confirm installation selections page, click Install.
12. When the installation has succeeded, click Close.
1. On LON-SVR2, in Server Manager, click Tools and then click Network Policy Server.
2. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
3.
4. On the Windows 8 Release Preview/Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.
5. Expand Policies.
6.
7. In the Create New Health Policy dialog box, under Policy name, type Compliant.
8. Under Client SHV checks, verify that Client passes all SHV checks is selected.
9. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
13. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
2. Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.
3.
4. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type Compliant-Full-Access and then click Next.
5.
6. In the Select condition dialog box, scroll down and double-click Health Policies.
7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.
9. In the Specify Access Permission window, verify that Access granted is selected.
11. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.
12. In the Completing New Network Policy window, click Finish.
13. Right-click Network Policies and then click New.
14. In the Specify Network Policy Name and Connection Type window, in the Policy name field, type Noncompliant-Restricted and then click Next.
15. In the Specify Conditions window, click Add.
16. In the Select condition dialog box, scroll down and double-click Health Policies.
17. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.
18. In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Noncompliant and then click Next.
19. In the Specify Access Permission window, verify that Access granted is selected.
Note: A setting of Access granted does not mean that noncompliant client computers are granted full network access. It specifies that the policy should continue to evaluate the client computers that match these conditions.
20. Click Next three times.
21. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and clear the Enable auto-remediation of client computers check box.
22. In the Configure Settings window, click IP Filters.
23. Under IPv4, click Input Filters and then click New.
24. In the Add IP Filter dialog box, select Destination network. Type 172.16.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant client computers can reach only LON-DC1.
25. Click OK to close the Add IP Filter dialog box, select Permit only the packets listed below in the Inbound Filters dialog box, and then click OK.
26. Under IPv4, click Output Filters and then click New.
27. In the Add IP Filter dialog box, select Source network. Type 172.16.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.
28. Click OK to close the Add IP Filter dialog box and then, in the Outbound Filters dialog box, select Permit only the packets listed below. This step ensures that only traffic from LON-DC1 can be sent to noncompliant client computers.
29. To close the Outbound Filters dialog box, click OK.
30. In the Configure Settings window, click Next and then click Finish.
2. Disable the default Connection Request policy named Use Windows authentication for all users by right-clicking the policy and then clicking Disable.
3. Disable the default RRAS policy by right-clicking the Microsoft Routing and Remote Access Service Policy and then clicking Disable.
4.
5. In the Specify Connection Request Policy Name and Connection Type window, under Policy name, type VPN Connections.
6. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.
7.
8. In the Select Condition window, scroll down and double-click Tunnel Type, select PPTP, SSTP, and L2TP. Click OK and then click Next.
9. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.
10. In the Specify Authentication Methods window, select Override network policy authentication settings.
11. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.
12. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.
13. Verify that Enforce Network Access Protection is selected and then click OK.
14. Click Next two times and then click Finish.
15. Close the Network Policy Server console.
Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.
2. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
3. In the Search box, type gpedit.msc, click Apps, and press Enter.
4. In the Local Group Policy Editor console tree, expand Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.
5. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
6.
1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout menu.
2.
3.
4. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.
5.
6. Move the mouse to the lower right corner and then click the Search icon on the flyout menu.
7.
8.
9. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.
10. Wait for the NAP Agent service to start and then click OK.
11. Close the Services console.
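Command-line equivalents, run on LON-CL1, of the Security Center, EAP enforcement client and NAP Agent steps above, with a readiness check; this is an added example, not part of the course answer key, and the check's parsing of the netsh output assumes its usual "Initialized = Yes/No" layout.

```powershell
# Added example (not part of the course answer key): command-line equivalents, run on
# LON-CL1, of the Security Center, EAP enforcement client and NAP Agent steps above,
# with a check that the client can present its health state through PEAP.

# "Turn on Security Center (Domain PCs only)" is the policy value SecurityCenterInDomain = 1.
$scPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
New-Item -Path $scPath -Force | Out-Null
Set-ItemProperty -Path $scPath -Name SecurityCenterInDomain -Value 1 -Type DWord

# Enforcement client 79623 is the EAP Quarantine Enforcement Client (the right-click > Enable step).
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

# NAP Agent: Automatic startup and running, as set in the service's Properties dialog.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

function Test-NapClientReady {
    $svc  = Get-Service -Name napagent
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='napagent'").StartMode
    # netsh lists each enforcement client with an "Initialized = Yes/No" line after its Id
    # (assumed layout of the netsh text output).
    $text = (netsh nap client show state) -join "`n"
    $eapInitialized = $text -match '(?s)Id\s*=\s*79623.*?Initialized\s*=\s*Yes'
    [pscustomobject]@{
        NapAgentRunning      = $svc.Status -eq 'Running'
        NapAgentAutomatic    = $mode -eq 'Auto'
        SecurityCenterPolicy = (Get-ItemProperty -Path $scPath).SecurityCenterInDomain -eq 1
        EapEnforcementClient = $eapInitialized
        Ready                = ($svc.Status -eq 'Running') -and $eapInitialized
    }
}
Test-NapClientReady
```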
1. On LON-SVR2, in Server Manager, click Tools, and then click Windows Firewall with Advanced Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
3.
4.
5. In the Protocol type field, click the drop-down arrow, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7.
8. In the Action window, verify that Allow the connection is selected and then click Next.
9.
10. In the Name window, type Allow Ping and then click Finish.
11. Close the Windows Firewall with Advanced Security console.
Task 4: Move the client to the Internet and establish a VPN connection
1. On LON-CL1, move the mouse to the lower right corner and then click the Search icon on the flyout menu.
2.
3.
4.
5.
6.
7.
8. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Remove the existing Default Gateway, and do not configure the Default gateway.
9. Click OK and then click Close to close the Local Area Connection Properties dialog box.
24. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Adatum VPN.
25. Select the Allow other people to use this connection check box and then click Create.
26. In the Network And Sharing Center window, click Change adapter settings.
27. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
28. Under Authentication, click Use Extensible Authentication Protocol (EAP).
29. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.
30. Ensure that the Verify the server's identity by validating the certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.
31. To accept these settings, click OK two times.
32. In the Network Connections window, right-click the Adatum VPN connection and then click Connect/Disconnect.
33. In the Networks flyout menu, click Adatum VPN and then click Connect.
34. In the Network Authentication dialog box, type Administrator in the User Name field and type Pa$$w0rd in the Password field.
35. Click OK and then click Connect.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.
1. Create a security group for DirectAccess client computers by performing the following steps:
a. Switch to LON-DC1.
b. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers.
c. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and then click Organizational Unit.
d. In the New Object - Organizational Unit window, in the Name box, type DA_Clients OU, and then click OK.
e. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click DA_Clients OU, click New, and then click Group.
f. In the New Object - Group dialog box, under Group name, type DA_Clients.
g. Under Group scope, select Global, under Group type, select Security, and then click OK.
h.
i. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
j. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
k. Under Enter the object names to select (examples), type LON-SVR3, and then click OK.
l. Verify that LON-SVR3 is displayed below Members, and then click OK.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
Note: It is important to configure firewall rules for ICMPv6 traffic to enable subsequent testing of DirectAccess in the lab environment.
a. In the Server Manager console, in the upper-right corner, click Tools, and then click Group Policy Management.
b.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
d.
e. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
f. On the Rule Type page, click Custom, and then click Next.
g.
h. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.
i. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
j. Click Next.
k.
l. On the Name page, in the Name box, type Inbound ICMPv6 Echo Requests, and then click Finish.
o. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.
p. On the Rule Type page, click Custom, and then click Next.
q.
r. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.
s. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
t. Click Next.
u.
v. On the Action page, click Allow the connection, and then click Next.
3.
x. On the Name page, in the Name box, type Outbound ICMPv6 Echo Requests, and then click Finish.
y. Close the Group Policy Management Editor and Group Policy Management consoles.
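The same two ICMPv6 Echo Request rules, created in the Default Domain Policy from PowerShell instead of the Group Policy Management Editor. This is an added example, not part of the course lab; it assumes the NetSecurity module of Windows Server 2012 and the GPO display name shown, and is run on LON-DC1.

```powershell
# Added example (not from the course lab): create the two ICMPv6 Echo Request rules
# from this task directly in the Default Domain Policy GPO. Run on LON-DC1.
# Assumption: NetSecurity module (Windows Server 2012); "domain\GPO name" store syntax.
$policyStore = 'adatum.com\Default Domain Policy'

# ICMPv6 type 128 is Echo Request. Allowing only that type, rather than all of
# ICMPv6, matches the "Specific ICMP types: Echo Request" choice in the wizard.
$rules = @(
    @{ DisplayName = 'Inbound ICMPv6 Echo Requests';  Direction = 'Inbound'  },
    @{ DisplayName = 'Outbound ICMPv6 Echo Requests'; Direction = 'Outbound' }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be rerun safely.
    $existing = Get-NetFirewallRule -PolicyStore $policyStore -DisplayName $r.DisplayName `
                    -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Rule '$($r.DisplayName)' already exists, skipping"; continue }

    New-NetFirewallRule -PolicyStore $policyStore `
        -DisplayName $r.DisplayName `
        -Direction   $r.Direction `
        -Protocol    ICMPv6 `
        -IcmpType    128 `
        -Action      Allow `
        -Profile     Any `
        -Enabled     True | Out-Null
}

# Verify: list the rules stored in the GPO together with their protocol filter,
# which is what the Inbound/Outbound Rules views in the editor would show.
Get-NetFirewallRule -PolicyStore $policyStore -DisplayName '*ICMPv6 Echo*' |
    ForEach-Object {
        $f = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Protocol  = $f.Protocol
            IcmpType  = $f.IcmpType
        }
    }
```

The rules take effect on domain members after the next Group Policy refresh (gpupdate /force, as in the later tasks).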
In the Server Manager console, click Tools, and then click DNS.
b.
c.
d. In the Name box, type nls. In the IP address box, type 172.16.0.21. Click Add Host and then click OK.
e. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type 172.16.0.22, and then click Add Host.
f. In the DNS dialog box informing you that the record was created, click OK.
g.
h.
4. Remove ISATAP from the DNS global query block list by performing the following steps:
Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type cmd.exe to launch the Command Prompt window.
b. In the Command Prompt window, type the following command and then press Enter:
Switch to LON-SVR2.
b. Move the mouse to the lower-right corner of the screen, click Settings, click Control Panel, and then click View network status and tasks.
c. In the Network and Sharing Center window, click Change adapter settings.
d. In the Network Connections window, right-click Local Area Connection, and then click Properties.
e. In the Local Area Connection Properties window, double-click Internet Protocol Version 4 (TCP/IPv4).
f.
g. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click OK.
h.
i.
j.
a.
5.
b.
c.
d. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/.
e.
f.
g.
h. In the Location box, type .crl at the end of the Location string, and then click OK.
i. Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.
j. Click Add.
k.
l.
2.
n.
o. In the Location box, type .crl at the end of the string, and then click OK.
p. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
q.
Duplicate the Web Server certificate template and configure the appropriate permissions by performing the following steps:
a.
3.
b. In the Certificate Templates console, in the content pane, right-click the Web Server template, and then click Duplicate Template.
c. Click the General tab, and in the Template display name box, type Adatum Web Server Certificate.
d. Click the Request Handling tab, and then select Allow private key to be exported.
e.
f. In the Permissions for Authenticated Users window, under Allow, click Enroll, and then click OK.
g.
h.
i.
j.
On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and then click Group Policy Management.
b. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
c. In the console tree, right-click Default Domain Policy, and then click Edit.
d.
e. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
f.
g. On the Certificate Template page, click Computer, click Next, and then click Finish.
h. Close the Group Policy Management Editor and close the Group Policy Management console.
a. On LON-SVR1, move the mouse to the lower-right corner of the screen, select Search, type cmd, and then press Enter.
b. At the command prompt, type the following command and then press Enter.
gpupdate /force
c. At the command prompt, type the following command and then press Enter.
mmc
d.
e. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h.
i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name.
k.
l.
m. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
n.
2.
Close the console window. When you are prompted to save settings, click No.
In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager message box, click No.
b. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web Site.
c.
d. In the Add Site Binding dialog box, click https, in the SSL certificate list, click the certificate with the name nls.adatum.com, click OK, and then click Close.
e.
Switch to LON-SVR2.
b. Open a command prompt, type the following command, and then press Enter:
gpupdate /force
c. Move the mouse to the lower-right corner, select Search, type mmc.exe, and then press Enter.
d.
e. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
f. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
g. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
h.
i. On the Request Certificates page, click Adatum Web Server Certificate, and then click More information is required to enroll for this certificate.
j. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name.
k.
l.
m. In the details pane of the Certificates snap-in, verify that a new certificate with the name 131.107.0.2 was issued with Intended Purposes of Server Authentication.
2.
n.
o. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK.
p. Close the console window. If you are prompted to save settings, click No.
b. Click Tools, and then click Internet Information Services (IIS) Manager.
c. If the Internet Information Services (IIS) Manager message box appears, click No.
d. In the console tree, browse to LON-SVR2\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
e. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis button.
f. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
g. Type CRLDist and then press Enter. In the Browse for Folder dialog box, click OK.
h.
i. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
j.
k. In the middle pane of the console, double-click the Configuration Editor icon.
l.
m. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
n.
o.
Answer: You make the CRL available on the edge server so that the Internet-based DirectAccess clients can access the CRL.
3. Share and secure the CRL distribution point by performing the following steps:
Note: You perform this step to assign permissions to the CRL distribution point.
a.
b.
c. In the details pane of Windows Explorer, right-click the CRLDist folder, and then click Properties.
d. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
e.
f. In the Share name box, add a dollar sign ($) to the end so that the share name is CRLDist$.
g.
h.
i. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
j. In the Object Types dialog box, select Computers, and then click OK.
k. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click Check Names. Click OK.
l. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select LON-DC1 (ADATUM\NYC-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow. Click OK.
o.
p.
q. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
r.
s. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, click Check Names, and then click OK.
4.
t. In the Permissions for CRLDist dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow, and then click OK.
u.
v.
Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.
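The CRL distribution point on LON-SVR2 built from PowerShell, covering both the IIS virtual directory task (steps d to m above) and the share and permissions task just completed. This is an added example, not part of the course lab; it assumes the WebAdministration and SmbShare modules of Windows Server 2012 and the folder, share and alias names used in the lab.

```powershell
# Added example (not from the course lab): CRL distribution point on LON-SVR2.
# Assumptions: WebAdministration + SmbShare modules (Windows Server 2012),
# lab names C:\CRLDist, CRLDist$, alias CRLD, and the ADATUM domain.
Import-Module WebAdministration

$folder = 'C:\CRLDist'
$share  = 'CRLDist$'               # trailing $ hides the share from browse lists
$caHost = 'ADATUM\LON-DC1$'        # the CA's computer account is what publishes CRLs
$vdir   = 'IIS:\Sites\Default Web Site\CRLD'

# 1. Folder and share. Only the CA computer account gets write access; Internet
#    clients fetch the CRL over HTTP and never touch the share.
if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $folder -FullAccess $caHost | Out-Null
}
# NTFS: keep the inherited read access (IIS needs it), add Full Control for the CA.
icacls $folder /grant "${caHost}:(OI)(CI)F" | Out-Null

# 2. Virtual directory CRLD -> C:\CRLDist under the Default Web Site.
if (-not (Test-Path $vdir)) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $folder | Out-Null
}

# 3. Directory browsing, so the CRL files can be listed when testing.
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# 4. allowDoubleEscaping: delta CRL file names contain '+', which IIS request
#    filtering rejects by default as a double-escaped URL. Relax it for this
#    virtual directory only, not for the whole site.
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Verify share permissions and the request-filtering setting.
Get-SmbShareAccess -Name $share
Get-WebConfigurationProperty -PSPath $vdir `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping'
```

After the CA publishes a new CRL (next task), http://crl.adatum.com/crld/ should list the .crl files from a DirectAccess client on the Internet side.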
5.
a. Switch to LON-DC1.
b.
c.
d. In the Publish CRL dialog box, click New CRL, and then click OK.
e. On the taskbar, click Windows Explorer, type \\LON-SVR2\CRLDist$, and then press Enter.
f.
g.
On LON-SVR2, in Server Manager, on the Tools menu, click Remote Access Management.
b.
c.
d.
e. In the Select Group dialog box, type DA_Clients, click OK, and then click Next.
f. On the Network Topology page, verify that Edge is selected, and verify that 131.107.0.2 is the public name used by clients to connect to the Remote Access server. Click Next.
g.
h.
i.
j.
Note: Because the server you already configured is a VPN server, you can only use the Getting Started Wizard, which generates a self-signed certificate for DirectAccess communication. The next steps modify the default DirectAccess settings to use the certificates already deployed from the internal certification authority.
k.
l. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.2.
m. Click Next.
n.
o. On the Authentication page, select Use computer certificates, click Browse, select Adatum LON-DC1 CA, click OK, and then click Next.
p.
q.
r. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended), in the URL of the NLS box, type https://nls.adatum.com, and then click Validate.
s.
t. Click Next, and then on the DNS page, examine the values, and then click Next.
u.
v.
w. Under Step 4, click Edit. On the DirectAccess Application Server Setup page, click Finish.
6.
x.
y.
z.
Move the mouse pointer to the lower-right corner, on the menu bar, click Search, type cmd, and then press Enter.
b. At the command prompt, type the following commands, pressing Enter after each:
gpupdate /force
ipconfig
Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.
Switch to LON-SVR3.
2. Restart LON-SVR3, and then log back on as Adatum\Administrator with the password Pa$$w0rd. This ensures that the LON-SVR3 computer connects to the domain as a member of the DA_Clients security group.
3. Move the mouse pointer to the lower-right corner, select Search on the right menu, and then type cmd to open the Command Prompt window.
4. At the command prompt, type the following command and then press Enter:
gpupdate /force
5. At the command prompt, type the following command, and then press Enter:
gpresult /R
6.
Verify that the DirectAccess Client Settings GPO is displayed in the list of Applied Policy objects for the Computer Settings.
Note: If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, log on as Adatum\Administrator and run the gpresult /R command again.
On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu, type mmc.exe, and then press Enter.
2.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
4. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.
5. In the details pane, verify that a certificate with the name Lon-SVR3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
Question: Why did you install a certificate on the client computer?
Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess
server.
On LON-SVR3, switch to the Start screen, and then click the Internet Explorer tile.
2. In the Address bar, type http://lon-svr1.adatum.com/ and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
3. In the Address bar, type https://nls.adatum.com/ and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
4.
5. On the taskbar, click Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder appears.
6.
Results: After completing this exercise, you will have configured the DirectAccess clients.
1. Switch to LON-SVR3.
2. On LON-SVR3, move the mouse pointer to the lower-right corner of the screen, click Settings, select Control Panel, and then click Network and Internet.
3.
4.
5.
6. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK.
IP address: 131.107.0.10
8.
9. In the Network Connections window, right-click Local Area Connection, and then click Disable.
10. In the Network Connections window, right-click Local Area Connection, and then click Enable.
11. In Hyper-V Manager, right-click 20417A-LON-SVR3, and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network. Click OK.
On LON-SVR3, move the mouse pointer to the lower-right corner, select Search on the right menu, type cmd, and then press Enter to open the command prompt.
2. At the command prompt, type the following command, and then press Enter:
ipconfig
3. Notice the IP address that starts with 2002. This is an IP-HTTPS address.
4. At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
5. At the command prompt, type the following command, and then press Enter:
powershell
6. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Switch to the Start screen, and then click the Internet Explorer tile.
2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web page for LON-SVR1 appears.
3.
4. On the taskbar, click Windows Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files shared folder appears.
5.
6. At the command prompt, type the following command and then press Enter:
ping lon-dc1.adatum.com
At the command prompt, type the following command, and then press Enter:
gpupdate /force
8.
9. Switch to LON-SVR2.
Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
12. Close all open windows.
Results: After completing this exercise, you will have verified the DirectAccess configuration.
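A verification script for the client-side checks of the previous task (IP-HTTPS address starting with 2002, the effective name resolution policy, and the DirectAccess client configuration), returning one object instead of reading ipconfig and netsh output by eye. This is an added example, not part of the course lab; it assumes the Windows 8 / Windows Server 2012 client modules (NetworkTransition, NetTCPIP, DnsClient, DirectAccessClientComponents) on LON-SVR3, and the status value names are an assumption.

```powershell
# Added example (not from the course lab): consolidated DirectAccess client check.
# Assumptions: Windows 8 / Server 2012 client cmdlets; status strings below are
# assumed names (ConnectedRemotely is the expected value for an Internet client).
function Test-DirectAccessClient {
    $r = [ordered]@{}

    # 1. IP-HTTPS tunnel adapter state (what the lab's ipconfig step shows).
    $ipHttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $r.IpHttpsInterface = if ($ipHttps) { $ipHttps.InterfaceStatus } else { 'not available' }

    # 2. The IP-HTTPS address the lab expects: an IPv6 address with the 2002: prefix.
    $addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -like '2002:*' }
    $r.IpHttpsAddress = if ($addr) { ($addr | Select-Object -First 1).IPAddress } else { $null }

    # 3. Effective NRPT (same data as "netsh namespace show effectivepolicy"):
    #    the adatum.com namespace must have a rule, otherwise intranet names
    #    are sent to the ISP resolver instead of the DirectAccess DNS server.
    $nrpt = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
            Where-Object { $_.Namespace -eq '.adatum.com' }
    $r.NrptRuleForAdatum = [bool]$nrpt
    $r.NrptDnsServers    = if ($nrpt) { ($nrpt | ForEach-Object { $_.NameServers }) -join ', ' } else { $null }

    # 4. Client experience configuration delivered by the DirectAccess Client Settings GPO.
    $cfg = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
    $r.CorporateResources = if ($cfg) { $cfg.CorporateResources -join ', ' } else { $null }

    # 5. Connection status as the Network Connectivity Assistant reports it.
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $r.DAStatus    = if ($da) { [string]$da.Status } else { 'not available' }
    $r.DASubstatus = if ($da) { [string]$da.Substatus } else { $null }

    # Pass only when the tunnel has its 2002: address, the NRPT rule exists and
    # the client reports a remote DirectAccess connection.
    $r.Pass = [bool]$r.IpHttpsAddress -and $r.NrptRuleForAdatum -and ($r.DAStatus -eq 'ConnectedRemotely')
    [pscustomobject]$r
}

Test-DirectAccessClient | Format-List
```

Run it once on the internal network (expect no 2002: address and a status of connected locally) and again after moving LON-SVR3 to the Internet segment, where Pass should be True.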
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3.
4.
On LON-SVR3, in Server Manager, click Tools, and then click iSCSI Initiator.
2.
3.
4.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
6.
7. Click Refresh.
8.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. Click the Discovery tab.
13. Click Discover Portal.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
15. Click the Targets tab.
16. Click Refresh.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click
Connect.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 1, and then click Online.
22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick
format check box, and then click Next.
28. Click Finish. (Note: If a Microsoft Windows dialog box appears prompting you to format the disk, click Cancel.)
29. Repeat steps 22 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 for Volume Labels).
30. Close the Computer Management window.
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
32. Expand Storage, and then click Disk Management.
33. Right-click Disk Management, and then click Refresh.
34. Right-click Disk 1, and then click Online.
35. Right-click Disk 2, and then click Online.
36. Right-click Disk 3, and then click Online.
37. Close the Computer Management window.
On LON-SVR3, if Server Manager is not already open, click the Server Manager icon to open it.
2.
3.
4.
5. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
6.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that are required for Failover Clustering? window, click Add Features. Click Next.
8.
9. When installation is complete (you get the message Installation succeeded on LON-SVRx), click Close.
On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Actions pane of Failover Cluster Manager, click Validate Configuration.
3.
4. In the Enter Name box, type LON-SVR3, and then click Add.
5.
6.
7. Verify that Run all tests (recommended) is selected, and then click Next.
8.
9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page, click View Report.
10. Verify that all tests completed without errors. Some warnings are expected.
11. Close Internet Explorer.
12. On the Summary page, clear the Create the cluster now using the validated nodes check box, and then click Finish.
1. On LON-SVR3, in Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
2. In the Create Cluster Wizard, on the Before You Begin page, read the information.
3. Click Next. In the Enter server name box, type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.
4.
5. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1.
6.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to Failover Cluster Manager.
Results: After this exercise, you will have installed and configured the Failover Clustering feature.
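The four tasks of this exercise (connect the iSCSI target on both nodes, prepare the shared disks, install the feature, validate and create Cluster1) as one script run from LON-SVR3. This is an added example, not part of the course lab; it assumes the Windows Server 2012 iSCSI, Storage, ServerManager and FailoverClusters modules, PowerShell remoting to LON-SVR4, and the portal address, target IQN, volume labels and node names from the lab.

```powershell
# Added example (not from the course lab): iSCSI + Failover Clustering setup from LON-SVR3.
# Assumptions: Windows Server 2012 modules, remoting to LON-SVR4, lab values below.
$portal    = '172.16.0.21'
$targetIqn = 'iqn.1991-05.com.microsoft:lon-svr1-target1-target'
$nodes     = 'LON-SVR3', 'LON-SVR4'
$labels    = 'Data', 'Data2', 'Data3'

# 1. Discover and connect the target on both nodes. -IsPersistent is the
#    "Add this connection to the list of Favorite Targets" option.
$connectTarget = {
    param($portal, $iqn)
    if (-not (Get-IscsiTargetPortal -TargetPortalAddress $portal -ErrorAction SilentlyContinue)) {
        New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
    }
    Update-IscsiTarget                                   # same as clicking Refresh
    $t = Get-IscsiTarget -NodeAddress $iqn
    if (-not $t.IsConnected) { Connect-IscsiTarget -NodeAddress $iqn -IsPersistent $true | Out-Null }
    Update-HostStorageCache
}
foreach ($n in $nodes) {
    Invoke-Command -ComputerName $n -ScriptBlock $connectTarget -ArgumentList $portal, $targetIqn
}

# 2. Online, initialise and format the shared disks from ONE node only; shared
#    storage must never be initialised from two nodes at the same time.
$disks = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | Sort-Object Number
for ($i = 0; $i -lt $disks.Count -and $i -lt $labels.Count; $i++) {
    $d = $disks[$i]
    if ($d.IsOffline)  { Set-Disk -Number $d.Number -IsOffline $false }
    if ($d.IsReadOnly) { Set-Disk -Number $d.Number -IsReadOnly $false }
    if ($d.PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $d.Number -PartitionStyle MBR -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$i] -Confirm:$false | Out-Null
    }
}
# The second node only rescans and brings the disks online (lab steps 31 to 37).
Invoke-Command -ComputerName 'LON-SVR4' -ScriptBlock {
    Update-HostStorageCache
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.IsOffline } | Set-Disk -IsOffline $false
}

# 3. Failover Clustering feature on both nodes.
foreach ($n in $nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $n | Out-Null
}

# 4. Validate first. Warnings are expected in the lab; errors are not, so stop on them.
Import-Module FailoverClusters
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# 5. Create Cluster1. Without -StaticAddress the cluster name gets a DHCP address,
#    which is what the wizard does in the lab.
New-Cluster -Name 'Cluster1' -Node $nodes | Out-Null
Get-ClusterNode -Cluster 'Cluster1'
Get-ClusterQuorum -Cluster 'Cluster1'      # shows the disk witness the wizard chose
```

Open the validation report (an .mht file) in the same way as step 9 of the validation task before trusting the cluster.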
On LON-SVR3, in Server Manager, click Dashboard, and then click Add roles and features.
2.
3.
4.
5. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select File Server.
6.
7.
8.
9.
On LON-SVR4, in the Server Manager console, click Tools, and then open Failover Cluster Manager.
2.
3.
4. In the New Share Wizard, on the Select the profile for this share page, click SMB Share - Quick, and then click Next.
5. On the Select the server and the path for this share page, click Next.
6. On the Specify share name page, in the Share name box, type Docs, and then click Next.
7. On the Configure share settings page, review the available options, and then click Next.
8.
9.
On LON-SVR4, in Failover Cluster Manager, click Roles, right-click AdatumFS, and then click Properties.
2.
3.
4.
5.
6.
7. Click OK.
Results: After this exercise, you will have configured a highly-available file server.
On LON-DC1, open Windows Explorer, and in the Address bar, type \\AdatumFS\, and then press Enter.
2. Verify that you can access the location and that you can open the Docs folder. Create a test text document inside this folder.
3.
4. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS. (Note: You can view the owner in the Owner Node column. It will be either LON-SVR3 or LON-SVR4.)
5. Right-click AdatumFS, click Move, and then click Select Node.
6.
7.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
Task 2: Validate the failover and quorum configuration for the File Server role
1.
2. Verify the current owner of the AdatumFS role. (Note: You can view the owner in the Owner Node column. It will be either LON-SVR3 or LON-SVR4.)
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, select More Actions, and then click Stop Cluster Service. Click Yes when prompted.
5. Verify that AdatumFS has moved to another node. To do this, click the other node and verify that AdatumFS is running.
6. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
7. Switch to the LON-SVR3 computer, and in Failover Cluster Manager, right-click the stopped node, select More Actions, and then click Start Cluster Service.
8. Expand Storage, and then click Disks. In the center pane, right-click the disk that is assigned to Disk Witness in Quorum. (Note: You can view this in the Assigned To column.)
9.
10. Switch to LON-DC1 and verify that you can still access the \\AdatumFS\ location. By doing this, you
verified that the cluster is still running even if the witness disk is offline.
11. Switch to the LON-SVR3 computer and in Failover Cluster Manager, expand Storage, click Disks,
right-click the disk that is in Offline status, and then click Bring Online.
Results: After this exercise, you will have tested the failover scenarios.
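The failover checks of the two previous tasks (planned move of AdatumFS, stopping the owning node's cluster service, taking the witness disk offline), each followed by a write through \\AdatumFS\Docs to prove the share stayed reachable. This is an added example, not part of the course lab; it assumes it is run from LON-DC1 with the Failover Clustering tools installed, and uses the cluster, role and share names from the lab.

```powershell
# Added example (not from the course lab): scripted failover validation for AdatumFS.
# Assumptions: run on LON-DC1 with the FailoverClusters module; lab names below.
Import-Module FailoverClusters
$cluster = 'Cluster1'
$role    = 'AdatumFS'
$share   = '\\AdatumFS\Docs'

function Test-ShareReachable {
    # Write and delete a probe file through the clustered name so the check
    # exercises the real client access path, not just a cached connection.
    try {
        $probe = Join-Path $share ('probe-{0}.txt' -f (Get-Date -Format 'HHmmss'))
        'failover probe' | Set-Content -Path $probe -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $true
    } catch { $false }
}
function Get-RoleOwner { (Get-ClusterGroup -Cluster $cluster -Name $role).OwnerNode.Name }
function Wait-OwnerChange($from) {
    $deadline = (Get-Date).AddMinutes(2)
    while ((Get-RoleOwner) -eq $from -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
}

$log = @()

# 1. Planned move (Move > Select Node): pick whichever node is not the owner.
$owner = Get-RoleOwner
$other = (Get-ClusterNode -Cluster $cluster | Where-Object { $_.Name -ne $owner } | Select-Object -First 1).Name
Move-ClusterGroup -Cluster $cluster -Name $role -Node $other | Out-Null
$log += [pscustomobject]@{ Step = 'Move role'; Owner = Get-RoleOwner; ShareOk = Test-ShareReachable }

# 2. Unplanned: stop the cluster service on the current owner and wait for failover.
$owner = Get-RoleOwner
Stop-ClusterNode -Cluster $cluster -Name $owner | Out-Null
Wait-OwnerChange $owner
$log += [pscustomobject]@{ Step = 'Stop owner node'; Owner = Get-RoleOwner; ShareOk = Test-ShareReachable }
Start-ClusterNode -Cluster $cluster -Name $owner | Out-Null

# 3. Witness disk offline: the two node votes still form a majority, so the
#    cluster and the file server role keep running.
$witness = Get-ClusterResource -Cluster $cluster |
           Where-Object { $_.OwnerGroup.Name -eq 'Cluster Group' -and $_.ResourceType.Name -eq 'Physical Disk' }
Stop-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null
$log += [pscustomobject]@{ Step = 'Witness offline'; Owner = Get-RoleOwner; ShareOk = Test-ShareReachable }
Start-ClusterResource -Cluster $cluster -Name $witness.Name | Out-Null   # Bring Online

$log | Format-Table -AutoSize
```

Every row should show ShareOk = True; the Owner column shows the node change after the first two steps and no change after the witness step.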
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3.
4. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
5.
6. On the Select features page, in the list of features, click Failover Clustering. In the Add features that are required for Failover Clustering? dialog box, click Add Features. Click Next.
7.
8.
9. Switch to LON-SVR3. Open Server Manager, click Tools, and then click Windows Firewall with Advanced Security.
10. In the Windows Firewall with Advanced Security window, click Inbound Rules.
11. In the rules list, find the rule Inbound Rule for Remote Shutdown (RPC-EP-In). Right-click the rule, and then select Enable Rule.
12. In the rules list, find the rule Inbound Rule for Remote Shutdown (TCP-In). Right-click the rule, and then select Enable Rule.
13. Close Windows Firewall with Advanced Security window.
14. Switch to LON-SVR4 and repeat steps 9 to 13.
15. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
16. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1. Click Connect.
17. In the Cluster Actions pane, click Preview updates for this cluster.
18. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes,
updates will be shown in the list. Review updates and then click Close.
Note: An Internet connection is required for this step to complete successfully. Make sure
that MSL-TMG1 server is up and running and that you can access Internet from LON-DC1.
On LON-DC1, in the Cluster-Aware Updating console, click Apply updates to this cluster.
2.
3. On the Advanced options page, review the options for updating, and then click Next.
4.
5.
6. In the Cluster nodes pane, you can review the progress of updating. (Note: One node of the cluster is in the Waiting state while the other node is restarting after it is updated.)
7. Wait until the process is finished. (Note: This may require a restart of both nodes.) The process is finished when both nodes show Succeeded in the Last Run status column.
8.
9. On LON-SVR3, in Server Manager, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list,
select Cluster1. Click Connect.
11. Click the Configure cluster self-updating options in the Cluster Actions pane.
12. On the Getting Started page, click Next.
13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM,
and then in the Day of the week box, select Sunday. Click Next.
15. On the Advanced Options page, click Next.
16. On the Additional Update Options page, click Next.
Results: After this exercise, you will have configured Cluster-Aware Updating.
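The three Cluster-Aware Updating tasks above (preview, a one-off Updating Run, and the weekly self-updating schedule) from the ClusterAwareUpdating module on LON-DC1. This is an added example, not part of the course lab; it assumes the cmdlet parameters as documented for Windows Server 2012, uses -EnableFirewallRules in place of the manual Remote Shutdown rule steps 9 to 14, and assumes that the time of day of the schedule is taken from -StartDate.

```powershell
# Added example (not from the course lab): Cluster-Aware Updating for Cluster1.
# Assumptions: ClusterAwareUpdating module and parameter names as documented for
# Windows Server 2012; the run time of the schedule is taken from -StartDate.
Import-Module ClusterAwareUpdating
$cluster = 'Cluster1'
$plugin  = 'Microsoft.WindowsUpdatePlugin'

# 1. Preview (read-only): the updates each node would receive, as in the
#    "Preview updates for this cluster" window. Needs Internet access via MSL-TMG1.
Invoke-CauScan -ClusterName $cluster -CauPluginName $plugin |
    Select-Object NodeName, UpdateId, UpdateTitle | Format-Table -AutoSize

# 2. One-off Updating Run. CAU drains and updates one node at a time;
#    -RequireAllNodesOnline refuses to start if a node is already down, so a
#    reboot never takes the last healthy node out of the cluster.
#    -EnableFirewallRules enables the Remote Shutdown rules the lab turned on by hand.
Invoke-CauRun -ClusterName $cluster -CauPluginName $plugin `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -EnableFirewallRules -Force

# 3. Self-updating mode: add the CAU clustered role, weekly on Sunday at 4:00 AM
#    (the date part of -StartDate is a placeholder: first Sunday after setup).
Add-CauClusterRole -ClusterName $cluster `
    -DaysOfWeek Sunday -IntervalWeeks 1 `
    -StartDate ([datetime]'2012-09-02 04:00') `
    -EnableFirewallRules -Force

# Verify the role and the outcome of the last run (both nodes should show Succeeded).
Get-CauClusterRole -ClusterName $cluster
Get-CauReport -ClusterName $cluster -Last -Detailed
```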
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Restart the classroom computer, and in the Windows Boot Manager, select either 20417A-LON-HOST1 or 20417A-LON-HOST2.
If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server with the Adatum\Administrator account and the password Pa$$w0rd.
3.
4. In the Properties pane, click the IPv4 address assigned by DHCP link.
5. In the Network Connections dialog box, right-click the network object, and then click Properties.
6. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
7. On the General tab, click Use the following IP address, and then configure the following:
LON-HOST1: 172.16.0.31
LON-HOST2: 172.16.0.32
8. On the General tab, click Use the following DNS server addresses, and then configure the following:
9.
In the Server Manager console, on the Manage menu, click Add Roles and Features.
2. On the Before you begin page of the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, select Role-based or feature-based installation, and then click Next.
4.
5.
6. In the Add Roles and Features Wizard dialog box, click Add Features.
7. On the Select Server Roles page of the Add Roles and Features Wizard, click Next.
8.
9.
10. On the Create Virtual Switches page, verify that no selections have been made, and then click Next.
11. On the Virtual Machine Migration page, click Next.
12. On the Default Stores page, review the location of Default Stores, and then click Next.
13. On the Confirm Installation Selections page, select Restart the destination server automatically
if required.
14. In the Add Roles and Features Wizard dialog box, review the message about automatic restarts, and
then click Yes.
15. On the Confirm Installation Selections page, click Install.
16. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using
the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will
restart several times.
2. When the installation of the Hyper-V tools completes, click Close to close the Add Roles and Features Wizard.
3.
4. In the Hyper-V Manager console, click the Hyper-V host server name (LON-HOST1 or LON-HOST2).
5.
6. In the Hyper-V Settings dialog box, click the Keyboard item. Verify that the keyboard is set to the Use on the virtual machine option.
7. In the Hyper-V Settings dialog box, click the Virtual Hard Disks item. Verify that the location of the default folder is configured to use the Virtual Hard Disk folder, and then click OK.
Question: What additional features are required to support the Hyper-V role?
Answer: No additional features are required to support the Hyper-V role.
Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.
3.
4. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the following information, and then click OK:
External Network: Mapped to the host computer's physical network adapter. This will vary depending on the host computer.
In the Apply Networking Changes dialog box, review the warning, and then click Yes.
2.
3. Under Create virtual switch, select Private, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
o
2.
3. Under Create virtual switch, select Internal, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, configure the following settings, and then click OK:
o
Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.
2.
3.
4. Click the Home tab, and then click the New Folder icon twice to create two new folders. Right-click each folder, and then rename the folders with the names listed below:
a. LON-GUEST1
b. LON-GUEST2
5.
6.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
a. Name: LON-GUEST1.vhd
b.
12. On the Configure Disk page, type the location E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then press Enter:
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used with LON-GUEST2, and then press Enter (the paths contain spaces, so they must be quoted):
New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent, and then click Close.
1. In the Hyper-V Manager, on the Actions pane, click New, and then click Virtual Machine.
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next.
a. Name: LON-GUEST1
b.
4. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and click Next.
5. On the Configure Networking page of the New Virtual Machine Wizard, choose Private Network,
and then click Next.
6. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open, and then click Finish.
7.
8. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
9. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
11. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click
Settings.
12. On the Settings for LON-GUEST2 dialog box, click Automatic Start Action, and then set the
Automatic Start Action to Nothing.
13. On the Settings for LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action to Shut down the guest operating system.
14. Click OK to close the Settings for the LON-GUEST2 dialog box.
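The same differencing-disk and virtual machine steps as one PowerShell script, added here as an example that is not part of the course's answer key. Paths, names and the switch name are the lab's; the verification loop at the end is the editor's addition.

```powershell
# Added example (not from the course): builds the two differencing disks and the two guests
# from the lab steps, then verifies the parent/child relationship and the start/stop actions.
Import-Module Hyper-V

$base   = 'E:\Program Files\Microsoft Learning\Base'
$parent = Join-Path $base 'Base12A-WS2012-RC.vhd'
$switch = 'Private Network'

foreach ($guest in 'LON-GUEST1', 'LON-GUEST2') {
    $dir = Join-Path $base $guest
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $vhd = Join-Path $dir "$guest.vhd"

    # Differencing disk: the sysprepped parent stays untouched; each guest writes to its own child.
    # The paths contain spaces, so they are passed as single quoted values, never unquoted.
    if (-not (Test-Path $vhd)) {
        New-VHD -Path $vhd -ParentPath $parent -Differencing | Out-Null
    }

    # 1024 MB startup memory, dynamic memory, private switch, and the lab's start/stop actions.
    $vm = New-VM -Name $guest -MemoryStartupBytes 1024MB -VHDPath $vhd -SwitchName $switch
    Set-VM -VM $vm -DynamicMemoryEnabled $true `
           -AutomaticStartAction Nothing `
           -AutomaticStopAction ShutDown
}

# Verification: every guest disk must be a differencing disk whose parent is the expected base.
# A child whose ParentPath points elsewhere (a moved or swapped parent) boots a different image,
# so this is worth checking before the guests are started.
foreach ($guest in 'LON-GUEST1', 'LON-GUEST2') {
    $disk = Get-VHD -Path (Join-Path $base "$guest\$guest.vhd")
    if ($disk.VhdType -ne 'Differencing' -or $disk.ParentPath -ne $parent) {
        throw "$guest.vhd is not a differencing disk of $parent (type=$($disk.VhdType), parent=$($disk.ParentPath))"
    }
    $vm = Get-VM -Name $guest
    '{0}: {1} MB startup, dynamic={2}, start={3}, stop={4}' -f @(
        $vm.Name, ($vm.MemoryStartup / 1MB), $vm.DynamicMemoryEnabled,
        $vm.AutomaticStartAction, $vm.AutomaticStopAction)
}
```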
1. In the Hyper-V Manager console, on the Actions pane, click Virtual Switch Manager.
2.
3. Select the Enable virtual LAN identification for management operating system check box.
4.
5.
6.
7. Change the Virtual switch to Internal Network, and click Enable virtual LAN identification.
8.
9. Expand Network Adapter, click Advanced Features, enable the following options, and then click
OK:
o
Question: What kind of switch would you create if you added a new physical network adapter to the
Hyper-V host and wanted to keep this separate from the existing networks you create during this
exercise?
Answer: You should create an external switch. External switches map to external network adapters.
1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.
2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.
3.
4. On the Locate Folder page, perform the following task, and then click Next:
o If you are using LON-HOST1, type the path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B
o If you are using LON-HOST2, type the path E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B
5. On the Choose Import Type page, select Register the virtual machine in-place (use the existing
unique ID), and then click Next.
6.
1. In the Hyper-V Manager console, right-click LON-GUEST2, and then click Settings.
2.
3.
4.
5.
6.
2.
3.
4.
5.
6. Right-click the desktop of the virtual machine, click New, and then click Folder. Name the folder
Sydney.
7.
8.
9. On the Action menu of the Virtual Machine Connection window, click Snapshot.
10. In the Snapshot Name dialog box, in the Name box, type Before Change, and then click Yes.
11. Drag the Sydney folder to the Recycle Bin.
12. Drag the Brisbane folder to the Recycle Bin.
13. Right-click the Recycle Bin, and then click Empty Recycle Bin.
14. In the Delete Multiple Items dialog box, click Yes.
15. On the Action menu of the Virtual Machine Connection window, click Revert.
Sydney
Melbourne
Brisbane
Answer: The virtual machine must be powered off to configure dynamic memory. In Windows Server
2012, you can configure dynamic memory while the virtual machine is powered on.
Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.
When you have finished the lab, leave the virtual machines running, because they are needed for the lab in
Module 9.
2.
3.
4. On the Before You Begin page in the Import Virtual Machine Wizard, click Next.
5.
6.
Note: The drive letter may be different based upon the number of drives on the physical
host machine.
7. On the Select Virtual Machine page, select 20417A-LON-CORE, and then click Next.
8.
9.
2.
3.
4.
5.
6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.
7. Click Computer, double-click Local Disk (E:), and then click New folder. Type VMReplica for the
folder name, and press Enter. Select the E:\VMReplica\ folder, and then click Select Folder.
8.
9.
10. Switch to the Start screen, and then click Control Panel.
11. In the Control Panel, click System and Security, and then click Windows Firewall.
12. Click Advanced settings.
13. Click Inbound Rules.
14. In the right pane, in the rule list, find the rule Hyper-V Replica HTTP Listener (TCP-In). Right-click
the rule and click Enable Rule.
15. Close the Windows Firewall with Advanced Security console and then close Windows Firewall.
16. Repeat steps 1-15 on LON-HOST1.
2.
3.
4.
5. In the Select Computer window, type LON-HOST2, click Check Names, and then click OK.
Click Next.
6. On the Specify Connection Parameters page, review the settings, and make sure that Use Kerberos
authentication (HTTP) is selected. Click Next.
7. On the Choose Replication VHDs page, make sure that 20417A-LON-CORE.vhd is selected, and
then click Next.
8. On the Configure Recovery History page, select Only the latest recovery point, and then click
Next.
9. On the Choose Initial Replication Method page, click Send initial copy over the network,
select Start replication immediately, and then click Next.
10. On the Completing the Enable Replication wizard page, click Finish.
11. Wait 10-15 minutes. You can monitor the progress of initial replication in the Status column in
Hyper-V Manager console. When it completes (progress reaches 100%) make sure that
20417A-LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.
2.
3. Review the content of the window that appears, and make sure that there are no errors.
4. Click Close.
5. On LON-HOST1, open Hyper-V Manager and verify that 20417A-LON-CORE is turned off.
6.
7. In the Planned Failover window, make sure that the Start the Replica virtual machine after
failover option is selected, and then click Fail Over.
8.
9.
10. On LON-HOST1, right-click 20417A-LON-CORE, point to Replication and then click Remove
replication.
12. On LON-HOST2, right-click 20417A-LON-CORE and select Shut Down. In the Shut Down Machine
dialog box, click Shut Down.
Results: After completing this exercise, you will have configured Hyper-V Replica.
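The replica configuration, firewall rule, replication enablement and verification from this exercise as a PowerShell script, added here as an example that is not part of the course's answer key. Host names, the VM name, the storage path and the Kerberos (HTTP, port 80) choice follow the lab steps; the polling loop and the authorization-entry check are the editor's additions.

```powershell
# Added example (not from the course): Hyper-V Replica over Kerberos, as in the lab.
Import-Module Hyper-V

# --- On the replica server (repeat on LON-HOST1 as well, as lab step 16 does, so failback works) ---
New-Item -ItemType Directory -Path 'E:\VMReplica' -Force | Out-Null
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $true `
    -DefaultStorageLocation 'E:\VMReplica'

# Kerberos replication travels over HTTP, so only the HTTP listener rule is needed;
# the HTTPS listener (certificate authentication) stays closed.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- On the primary server (LON-HOST1) ---
Enable-VMReplication -VMName '20417A-LON-CORE' `
    -ReplicaServerName 'LON-HOST2' `
    -ReplicaServerPort 80 `
    -AuthenticationType Kerberos `
    -RecoveryHistory 0          # "Only the latest recovery point"
Start-VMInitialReplication -VMName '20417A-LON-CORE'

# Poll until the initial copy finishes (the lab allows 10-15 minutes), reporting state and health.
do {
    Start-Sleep -Seconds 30
    $rep = Get-VMReplication -VMName '20417A-LON-CORE'
    '{0}: state={1} health={2}' -f $rep.VMName, $rep.State, $rep.Health
} while ($rep.State -eq 'InitialReplicationInProgress')

# Verification: the replica must exist on LON-HOST2. "Any authenticated server" means every
# domain-joined Hyper-V host may push replicas to it, so review what is currently permitted.
Get-VM -ComputerName 'LON-HOST2' -Name '20417A-LON-CORE' | Select-Object Name, State, ReplicationMode
Get-VMReplicationAuthorizationEntry -ComputerName 'LON-HOST2'
```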
1. On LON-HOST1, open Server Manager, click Tools, and then click iSCSI Initiator. At the Microsoft
iSCSI prompt, click Yes.
2.
3.
4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
5.
6. Click Refresh.
7.
8. Select Add this connection to the list of Favorite Targets, and then click OK.
9.
10. On LON-HOST2, open Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. Click the Discovery tab.
13. Click Discover Portal.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
15. Click the Targets tab.
16. Click Refresh.
19. On LON-HOST2, in the Server Manager window, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 2, and then click Online.
22. Right-click Disk 2, and then click Initialize Disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume label box, type ClusterDisk. Select the Perform a
quick format check box, and then click Next.
28. Click Finish.
29. Repeat steps 21 through 28 for Disk 3 and Disk 4. In step 27, provide name ClusterVMs for Disk 3
and Quorum for Disk 4.
30. On LON-HOST1 in Server Manager, click Tools, and then click Computer Management.
31. Expand Storage, and then click Disk Management.
32. Right-click Disk Management, and then click Refresh.
33. Right-click Disk 2, and then click Online.
34. Right-click Disk 3, and then click Online.
35. Right-click Disk 4, and then click Online.
1. On LON-HOST1, on the taskbar, click the Server Manager icon to open Server Manager.
2.
3.
4.
5. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
6.
7. On the Select features page, in the Features list, click Failover Clustering. In the Add features that
are required for failover clustering prompt, click Add Features, and then click Next.
8.
9.
14. In the Enter server name box, type LON-HOST1, and then click Add. Type LON-HOST2, and then
click Add.
15. Verify the entries, and then click Next.
16. On the Validation Warning page, click No. I don't require support from Microsoft for this
cluster, and then click Next.
17. In the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
18. Under Address, in the IP address name box, type 172.16.0.126, and then click Next.
19. In the Confirmation dialog box, verify the information, remove the checkmark next to Add all
eligible storage to the cluster, and then click Next.
20. In the Create Cluster Wizard Summary page, click Finish.
1.
2.
3. In the Add Disks to Cluster dialog box, verify that all disks are selected, and then click OK.
4. Verify that all disks appear available for cluster storage in Failover Cluster Manager.
5. Select the disk that displays the Volume name of ClusterVMs. Right-click the ClusterVMs disk, and
select Add to Cluster Shared Volumes.
6. Right-click VMCluster.adatum.com, select More Actions, and then click Configure Cluster Quorum
Settings. Click Next.
7. On the Select Quorum Configuration Option page, click Use typical settings, and then click Next.
8.
9.
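The iSCSI, cluster-creation and cluster-storage steps above as one PowerShell script, added here as an example that is not part of the course's answer key. The portal address, cluster name, static address and volume labels are the lab's; that disk numbers 2-4 are the same on both hosts, and the explicit witness choice, are the editor's assumptions.

```powershell
# Added example (not from the course): iSCSI connection, shared-disk preparation, cluster creation,
# CSV and quorum. The storage section runs on each host; the cluster section runs once on LON-HOST1.
$portal = '172.16.0.21'
$labels = @{ 2 = 'ClusterDisk'; 3 = 'ClusterVMs'; 4 = 'Quorum' }   # disk number -> volume label (lab)

# --- On LON-HOST1 and LON-HOST2: discover the portal, connect persistently, bring disks online ---
New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
    Connect-IscsiTarget -IsPersistent $true | Out-Null      # "Add this connection to Favorite Targets"

foreach ($n in $labels.Keys) {
    if ((Get-Disk -Number $n).IsOffline) { Set-Disk -Number $n -IsOffline $false }
    # Initialise and format on ONE host only (the lab does it on LON-HOST2): a shared disk that is
    # formatted from both sides is destroyed.
    if ($env:COMPUTERNAME -eq 'LON-HOST2' -and (Get-Disk -Number $n).PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $n -PartitionStyle MBR
        New-Partition -DiskNumber $n -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $labels[$n] -Confirm:$false | Out-Null
    }
}

# --- On LON-HOST1 only ---
Install-WindowsFeature Failover-Clustering -IncludeManagementTools | Out-Null
$nodes = 'LON-HOST1', 'LON-HOST2'
# The wizard's "No, I don't require support" choice skips validation; running it anyway reports
# shared-storage and network problems before the cluster exists.
Test-Cluster -Node $nodes -Include 'Storage', 'Network'
New-Cluster -Name 'VMCluster' -Node $nodes -StaticAddress '172.16.0.126' -NoStorage | Out-Null

# Add the disks one at a time so each cluster resource can be tied back to its disk number.
$res = @{}
foreach ($n in $labels.Keys) {
    $res[$n] = Get-ClusterAvailableDisk | Where-Object { $_.Number -eq $n } | Add-ClusterDisk
}
Add-ClusterSharedVolume -Name $res[3].Name | Out-Null     # ClusterVMs -> C:\ClusterStorage\Volume1
# The lab's "Use typical settings" lets the wizard pick the witness; this names the Quorum disk.
Set-ClusterQuorum -NodeAndDiskMajority $res[4].Name | Out-Null

# Verification
Get-ClusterNode | Select-Object Name, State
Get-ClusterSharedVolume | Select-Object Name, State, OwnerNode
Get-ClusterQuorum | Select-Object Cluster, QuorumType, QuorumResource
```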
1. In the Failover Cluster Manager console, click Roles, and then in the Actions pane, click Virtual
Machines.
2.
3.
4.
5. On the Specify Name and Location page, type TestClusterVM for the Name, click Store
the virtual machine in a different location, and then click Browse.
6.
7. Click Next.
8. On the Assign Memory page, type 1536, and then click Next.
9. On the Configure Networking page, select Corporate Network, and then click Next.
10. On the Connect Virtual Hard Disk page click Use an existing virtual hard disk and then click
Browse.
11. Locate C:\ClusterStorage\Volume1 and select 20417A-LON-CORE.vhd and then click Open.
2.
3. Right-click TestClusterVM, select Move, select Live Migration, and then click Select
Node.
4.
5.
6. Make sure that you can access and operate the virtual machine while it is migrating to another host.
7.
1.
2.
3. In the Actions pane, click Start. Wait until the virtual machine is fully started.
4. Switch back to the Hyper-V Manager console, and in the Actions pane, click Move.
5.
6. On the Choose Move Type page, select Move the virtual machine's storage, and then click Next.
7. On the Choose Options for Moving Storage page, select Move all of the virtual machine's data
to a single location, and then click Next.
8. On the Choose a new location for virtual machine page, click Browse.
9. Locate C:\ and then create a new folder called Guest1. Click Select Folder.
11. On the Summary page, click Finish. Wait for the move process to finish. While the virtual machine is
moving, you can connect to it and verify that it is fully operational.
12. Shut down all running virtual machines.
1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and press Enter.
3.
4.
1. Folders that belong to the Research department can be accessed and modified only by employees who
belong to the Research department.
2.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS
security group.
Note: You can meet these requirements by implementing claims, resource properties, and
file classifications, used together in Dynamic Access Control. To implement this, you should first
create appropriate claims for users and devices. The user claim uses department as its source
attribute, while the device claim uses description as its source attribute. After that, you should
configure a resource property for the Research department. When you have these objects prepared,
you should configure Central Access Rules and Central Access Policies to protect resources. At the
same time, you should configure file classification for confidential documents. Finally, you should
apply the Central Access Policy to the folders where the files for Research and Managers are located.
4. As a solution for users who receive error messages, you should implement Access Denied
Assistance.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and
Computers.
2. In the Active Directory Users and Computers console, right-click Adatum.com, select New, and
then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, in the Name field, type Test, and then click OK.
4.
5. Press the Ctrl key and click the LON-SVR1, LON-CL1, and LON-CL2 computers. Right-click the
selection, and select Move.
6.
7.
8. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
9.
10. Right-click the Managers OU and then click Block Inheritance. This is to remove the block
inheritance setting used in a later module in the course.
11. Click the Group Policy Objects container.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos
armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select
Enabled, and in the Options section, click the drop-down list and select Supported. Click OK.
16. Close the Group Policy Management Editor and Group Policy Management console.
17. Open Windows PowerShell by clicking its icon on the taskbar, type gpupdate /force, and then press
Enter. After Group Policy is updated, close Windows PowerShell.
18. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
19. Expand Adatum.com, right-click Users, click New, and then click Group.
20. Type ManagersWKS for the Group name, and then click OK.
21. Click the Test container.
22. Right-click LON-CL1, and then click Properties.
23. Click the Member Of tab and then click Add.
24. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK
again.
25. Click the Managers organizational unit.
26. Right-click Aidan Delaney, and select Properties.
27. Click the Organization tab. Make sure that the Department field is populated with the value
Managers. Click Cancel.
28. Click the Research organizational unit.
29. Right-click Allie Bellew and select Properties.
30. Click the Organization tab. Make sure that the Department field is populated with the value
Research. Click Cancel.
Results: After completing this exercise, you will have a design for Dynamic Access Control, and you will
have prepared AD DS for the Dynamic Access Control implementation.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access
Control.
3.
4.
5. In the navigation pane, click Dynamic Access Control, and then double-click Resource Properties.
6.
7. In the navigation pane, click Dynamic Access Control, and then double-click Resource Property
Lists.
8. In the central pane, right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties section, review the available
resource properties.
1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access
Control.
2.
3. In the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, select department.
5.
6.
7. Click OK.
1. In the Active Directory Administrative Center, in the Tasks pane, click New, and select Claim Type.
2. In the Create Claim Type window, in the Source Attribute section, select description.
3. Clear the User check box, and select the Computer check box.
4. Click OK.
Results: After completing this exercise, you will have configured user and device claims.
2.
3.
4.
5.
6.
7. Make sure that both the Department and Confidentiality properties are enabled in the list.
8. Double-click Department.
9. Scroll down to the Suggested Values section, and then click Add.
10. In the Add a suggested value window, type Research in both Value and Display name text boxes,
and then click OK two times.
11. Click Dynamic Access Control and then double-click Resource Property Lists.
12. In the central pane, double-click Global Resource Property List.
13. Make sure that both Department and Confidentiality appear in Resource Properties list. If they do
not, then click Add and add these two properties, and then click OK (or Cancel if you did not make
any changes).
14. Close the Active Directory Administrative Center.
2. In the Add Roles and Features Wizard, click Next three times.
3. On the Select server roles page, expand File and Storage Services (Installed), expand File and
iSCSI Services (Installed), and select File Server Resource Manager.
4.
5. Click Next two times, and then click Install. After the installation finishes, click Close.
6. In Server Manager, click Tools, and then click File Server Resource Manager.
7.
8.
9.
Property: Confidentiality
Value: High
18. In the Classification Parameters dialog box, click the Regular expression drop-down list and select
String.
19. In the Expression field (next to the word String) type secret.
20. Click OK.
21. Click the Evaluation Type tab. Select Re-evaluate existing property values, and then click
Overwrite the existing value.
23. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
24. Select Wait for classification to complete, and then click OK.
25. After the classification is complete, you are presented with a report. Verify that two files were
classified.
Note: Doc2.txt should have the same confidentiality as Doc1.txt while Doc3.txt should have
no value. This is because only Doc1 and Doc2 have the word secret in their content.
2.
3.
4. Click Department.
5.
6. Click OK.
Results: After this exercise, you will have configured resource properties and file classifications.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access
Control.
3.
4. In the Tasks pane, click New, and then click Central Access Rule.
5. In the Central Access Rule dialog box, type Department Match for the Name.
6.
7.
8.
9. In the Permissions section, click Use the following permissions as current permissions.
Note: If you can't find ManagersWKS in the last drop-down box, click Add items. Then, in
the Select User, Computer, Service Account or Group window, type ManagersWKS, and click
Check Names. Click OK.
37. Click OK three times.
1. On LON-DC1, in Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3.
4. Click Add.
5. Click the Access Confidential Docs rule, and then click >>.
6. Click OK twice.
7. In the Tasks pane, click New, and then click Central Access Policy.
8.
9. Click Add.
10. Click the Department Match rule and then click >>.
11. Click OK twice.
12. Close the Active Directory Administrative Center.
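The claim types, resource properties, central access rules and central access policies from Exercises 2 through 4 as one PowerShell script, added here as an example that is not part of the course's answer key. The claim IDs passed to -ID, the SDDL for the two rules, and the use of device group membership for the ManagersWKS requirement are the editor's choices; the names and source attributes are the lab's.

```powershell
# Added example (not from the course): the lab's Dynamic Access Control objects via the
# ActiveDirectory module. Department_MS and Confidentiality_MS are the built-in resource
# property identities; claim IDs are fixed so the conditional ACEs below can reference them.
Import-Module ActiveDirectory

# 1. Claims: user claim sourced from "department", device claim sourced from "description".
New-ADClaimType -DisplayName 'Department'  -SourceAttribute 'department'  -ID 'ad://ext/Department'  -AppliesToClasses 'user'
New-ADClaimType -DisplayName 'Description' -SourceAttribute 'description' -ID 'ad://ext/Description' -AppliesToClasses 'computer'

# 2. Resource properties: enable both and add "Research" as a suggested Department value.
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Research', 'Research', 'Research department')
Set-ADResourceProperty -Identity 'Department_MS'      -Enabled $true -SuggestedValues $research
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true

# 3. Central access rules. Access masks: 0x1301bf = Modify, 0x1200a9 = Read & execute.
#    Department Match: targets files tagged Department=Research; authenticated users get Modify
#    only when their Department claim equals the file's Department property.
$deptCond = '(@RESOURCE.Department_MS Any_of {"Research"})'
$deptAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Department Match' -ResourceCondition $deptCond -CurrentAcl $deptAcl

#    Access Confidential Docs: targets files tagged Confidentiality=High; readable only by a user
#    whose Department claim is Managers AND whose device is a member of ManagersWKS.
#    SDDL needs the group SID, so it is looked up rather than typed.
$wksSid   = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
$confCond = '(@RESOURCE.Confidentiality_MS Any_of {"High"})'
$confAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            "(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == `"Managers`") && " +
            "(Device_Member_of {SID($wksSid)})))"
New-ADCentralAccessRule -Name 'Access Confidential Docs' -ResourceCondition $confCond -CurrentAcl $confAcl

# 4. Central access policies, one rule each, named as in the lab.
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'

# 5. Verification. The policies still reach LON-SVR1 only through the GPO and gpupdate steps of the
#    lab; until then they cannot be selected on a folder's Central Policy tab.
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```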
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Under Domains, expand Adatum.com, right-click Test, and then click Create a GPO in this
domain, and link it here.
3.
4.
5.
6.
7. Click both Department Match and Protect confidential docs, and then click Add.
8. Click OK.
9.
2. Type gpupdate /force, and press Enter. Close the Command Prompt window.
3. Open Windows Explorer, browse to drive C, right-click the Docs folder, and select Properties.
4.
5. Click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab.
7. Click Change.
8.
9.
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2.
3.
4.
5.
6. In the right pane, double-click Customize Message for Access Denied errors.
7. In the Customize Message for Access Denied errors window, click Enabled.
8. In the Display the following message to users who are denied access text box, type: You are
denied access because of permission policy. Please request access.
9.
10. Review other options, do not make any changes, and then click OK.
11. In the right pane of Group Policy Management Editor, double-click Enable access-denied assistance
on client for all file types.
12. Click Enabled, and then click OK.
13. Close the Group Policy Management Editor and close the Group Policy Management console.
14. Switch to LON-SVR1, open Windows PowerShell, type gpupdate /force, and then press Enter.
Results: After completing this exercise, you will have configured central access rules and policies.
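The file-classification task (FSRM rule tagging files that contain "secret" as Confidentiality High) and the access-denied assistance message from the task above, scripted on LON-SVR1 as an added example that is not part of the course's answer key. Set-FsrmAdrSetting is the file-server-side equivalent of the GPO setting the lab uses; the C:\Docs sample files are constructed here, and the FSRM property name Confidentiality_MS is an assumption.

```powershell
# Added example (not from the course): FSRM content classification plus the access-denied message.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

# Constructed test data: only Doc1 and Doc2 contain the trigger word, matching the lab's note.
New-Item -ItemType Directory -Path 'C:\Docs' -Force | Out-Null
Set-Content -Path 'C:\Docs\Doc1.txt' -Value 'Project budget - secret - do not distribute'
Set-Content -Path 'C:\Docs\Doc2.txt' -Value 'This memo is secret'
Set-Content -Path 'C:\Docs\Doc3.txt' -Value 'Cafeteria menu for next week'

# Classification rule (lab steps 18-21): plain string match on content, re-evaluated with Overwrite
# so the property tracks the content when a file changes instead of sticking to its first value.
New-FsrmClassificationRule -Name 'Confidential documents' `
    -Namespace 'C:\Docs' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString 'secret' `
    -Property 'Confidentiality_MS' -PropertyValue 'High' `
    -ReevaluateProperty Overwrite | Out-Null

# Run all rules now and wait for completion (lab steps 23-24).
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification -Timeout -1

# Verify: Doc1 and Doc2 carry Confidentiality=High, Doc3 carries nothing.
Get-ChildItem -Path 'C:\Docs\*.txt' | ForEach-Object {
    $value = (Get-FsrmClassificationPropertyValue -Path $_.FullName |
              Where-Object { $_.Name -eq 'Confidentiality_MS' }).Value
    [pscustomobject]@{ File = $_.Name; Confidentiality = $value }
}

# Access-denied assistance on the file server itself (the lab enables it through Group Policy).
# Users who are denied see the message and can send a request instead of guessing at permissions.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'You are denied access because of permission policy. Please request access.' `
    -AllowRequests $true
Get-FsrmAdrSetting -Event AccessDenied | Select-Object Enabled, DisplayMessage, AllowRequests
```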
2. Click Desktop, and then open Windows Explorer by clicking its icon on the taskbar.
3.
4.
5. In the address bar of Windows Explorer, type \\LON-SVR1\Research, and press Enter.
6. Click Request assistance. Review the options for sending messages, and then click Close.
7.
8.
9.
Note: You should be able to access this folder and open the documents inside, because Allie is
in the Research department.
11. Log off of LON-CL1.
12. Log on to LON-CL1 as Adatum\Aidan with the password of Pa$$w0rd.
13. Open Windows Explorer.
14. In the address bar, type \\LON-SVR1\Docs.
15. You should be able to open all files in this folder.
16. Log off of LON-CL1.
17. Log on to LON-CL2 as Adatum\Aidan with the password of Pa$$w0rd.
18. Open Windows Explorer.
19. In the address bar, type \\LON-SVR1\Docs.
Note: You should be unable to see Doc1 and Doc2 since LON-CL2 is not permitted to view
secret documents.
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy Objects.
3.
4.
5.
6. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK.
7. Double-click Audit File System. Select all three check boxes, and then click OK.
8. Close the Group Policy Management Editor and the Group Policy Management console.
1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2.
3.
4.
5.
6.
7. Click Edit.
8.
9.
2. Open Windows Explorer, and then in the address bar, type \\LON-SVR1\Research. Attempt to open
the folder. You will be unsuccessful. Click Close.
3. Switch to LON-SVR1.
4.
5.
6.
7.
2.
3.
4.
5.
6. In the Select User, Computer, Service Account, or Group window, type April, click Check
Names, and then click OK.
7.
8. Review the results. April should not have any access to this folder.
9.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Results: After completing this exercise, you will have validated Dynamic Access Control functionality.
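The staging and auditing part of this exercise from the detection side, as an added example that is not part of the course's answer key: it applies the two audit subcategories locally with auditpol (the lab delivers them through Group Policy) and reads the resulting staging events back from the Security log. Event IDs 4818 and 4663 are the documented IDs for these subcategories; the EventData field names are read generically, and the share name filter is the editor's assumption.

```powershell
# Added example (not from the course): audit settings plus a reader for central access policy
# staging events on LON-SVR1. 4818 = the proposed (staged) policy would give a different result
# than the current one; 4663 = the audited file-system access itself.
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"

function Get-CapStagingEvents {
    param(
        [string]$ComputerName = 'LON-SVR1',
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4818, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="..."> into a hashtable instead of relying on positions.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Data    = $d
            }
        }
}

# Review: a 4818 for April on the Research share means the staged policy would deny her once it is
# enforced (expected); a 4818 for a Research user such as Allie means the staged policy is stricter
# than intended and should be corrected before it replaces the current one.
Get-CapStagingEvents | Where-Object { $_.Object -like '*Research*' } |
    Sort-Object Time | Format-Table Time, Id, Subject, Object -AutoSize
```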
Lab: Implementing AD DS
Exercise 1: Deploying a Read-Only Domain Controller
X Task 1: Add LON-SVR3 as a server to manage
1.
2.
3. In the Add Servers dialog box, in the Name (CN) field, type LON-SVR3, and then click Find Now.
4. Select the LON-SVR3 server in the details pane, and then click the arrow to move it to the Selected
pane.
5. Click OK.
2. In the Create Server Group dialog box, in the Server group name field, type DCs.
3. Select both LON-SVR3 and LON-DC1, click the arrow to move them to the Selected pane, and then
click OK.
2.
3.
4. On the Select Destination Server page, select LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Domain Services check box, click
Add Features in the Add features that are required for Active Directory Domain Services dialog
box, and then click Next.
6.
7.
8. On the Confirm installation selections page, select the Restart the destination server
automatically if required check box, and then click Install. The installation will take several minutes.
9.
10. In Server Manager Dashboard, click the notification icon (the flag icon or yellow triangle) on the
menu bar.
11. Locate the Post-deployment Configuration task, and then click Promote this server to a domain
controller.
12. In the Active Directory Domain Services Configuration Wizard, ensure that Add a domain controller
to an existing domain is selected.
13. In the Supply the credentials to perform this operation section, click Change.
14. In the Windows Security dialog box, type Adatum\Administrator in the user name field and in the
password field type Pa$$w0rd.
17. Type and confirm the Directory Services Restore Mode (DSRM) password as Pa$$w0rd, and then
click Next.
18. On the RODC Options page, click Next.
Note: The installation will take several minutes and LON-SVR3 will automatically restart to
complete the promotion.
23. When the promotion is complete, click Close. Note that LON-SVR3 is restarting.
1. On LON-DC1, in Server Manager, on the Tools menu, click Active Directory Users and Computers.
2.
3.
4. In the LON-SVR3 Properties dialog box, click the Password Replication Policy tab.
5. Click Add.
6. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to
replicate to this RODC, and then click OK.
7. In the Select Users, Computers, Service Accounts, or Groups dialog box, type Managers, and
then click OK.
8.
9. In the Select User or Group dialog box, type IT, and then click OK.
Results: After completing this exercise, you will have added LON-SVR3 as a server to manage, created a
server group, deployed an RODC remotely, and configured the password replication policy and
administrative assignments for the RODC.
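The RODC exercise with PowerShell, added here as an example that is not part of the course's answer key: remote role installation, promotion with the lab's delegated administrator (IT) and allowed group (Managers), and a check of which secrets the RODC actually caches. Run on LON-DC1 as Adatum\Administrator; the site name and the pre-population step are the editor's assumptions.

```powershell
# Added example (not from the course): deploy LON-SVR3 as an RODC and inspect its password cache.
Import-Module ActiveDirectory, ServerManager

Install-WindowsFeature -Name AD-Domain-Services -ComputerName 'LON-SVR3' -IncludeManagementTools | Out-Null

$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Domain admin for promotion'
$dsrm = Read-Host -AsSecureString 'DSRM password for LON-SVR3'
Invoke-Command -ComputerName 'LON-SVR3' -ScriptBlock {
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName 'adatum.com' -ReadOnlyReplica `
        -SiteName 'Default-First-Site-Name' `
        -DelegatedAdministratorAccountName 'Adatum\IT' `
        -AllowPasswordReplicationAccountName 'Adatum\Managers' `
        -Credential $using:cred `
        -SafeModeAdministratorPassword $using:dsrm `
        -Force          # LON-SVR3 restarts when the promotion completes
}

# Password Replication Policy on the RODC computer object (the PRP tab in the lab): Managers may be
# cached. The default Denied list already covers the administrative groups; review both lists.
Set-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR3' -AllowedList 'Managers'
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR3' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-SVR3' -Denied  | Select-Object Name

# Pre-populate the allowed users' secrets so their first logon works even if the WAN link is down.
Get-ADGroupMember -Identity 'Managers' | ForEach-Object {
    Sync-ADObject -Object $_ -Source 'LON-DC1' -Destination 'LON-SVR3' -PasswordOnly
}

# What the RODC really holds: these are the credentials exposed if the RODC itself is compromised,
# so the list should contain only accounts that genuinely need to authenticate at that site.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LON-SVR3' -RevealedAccounts |
    Select-Object Name, ObjectClass
# Accounts that authenticated through the RODC without being cached (outside the allowed list).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LON-SVR3' -AuthenticatedAccounts |
    Select-Object Name
```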
1. Log on to LON-CL1 as Brad with a password of Pa$$word. Brad is a member of the IT group.
2.
3.
4. In Control Panel, under Appearance and Personalization, click Change desktop background.
Question: What is the result?
Answer: A message explains that this feature is disabled.
Question: Is this in line with company policy?
Answer: Yes, this is in line with company policy.
5.
6. Point to the lower right corner of the desktop, click the Search charm, and in the Apps search field,
type Run.
7.
8.
9.
10. Point to the lower right corner of the desktop, click the Search charm and then in the Apps search
field, type Command Prompt.
11. In the Apps results field, click Command Prompt.
12. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied in User Settings?
Answer: The Prohibit Desktop Background policy and the Prohibit Registry Tools GPOs are being
applied.
Question: Is this in line with company policy?
Answer: No, this is against company policy. The Prohibit Registry Tools policy should not be applied
to an IT group user.
13. Sign out of LON-CL1.
14. Log on to LON-CL1 as Bill with a password of Pa$$word. Bill is a member of the Managers group.
15. On the Start screen, type Control Panel.
16. In the Apps results field, click Control Panel.
17. In Control Panel under Appearance and Personalization, click Change desktop background.
Question: What is the result?
Answer: The Desktop Background dialog box appears and provides access to change the desktop
background.
Question: Is this in line with company policy?
Answer: No, this is against company policy.
18. Close Control Panel.
19. Point to the lower right corner of the desktop, click the Search charm, and then type Run.
20. In the Apps results field, click Run.
21. In the Run box, type Regedit, and then click OK.
Question: What is the result?
Answer: The Registry Editor application starts.
Question: Is this in line with company policy?
Answer: No, this is against company policy.
22. Close the Registry Editor.
23. Point to the lower right corner of the desktop, click the Search charm, and type Command Prompt
in the Apps search field.
24. Click Command Prompt in the Apps results field.
25. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: No GPOs are being applied.
Question: Is this correct?
Answer: No, both GPOs are supposed to be applied.
26. Sign out of LON-CL1.
2.
3.
4. Right-click the Managers OU, and clear the check mark next to Block Inheritance.
Question: How will you ensure that the Prohibit Registry Tools GPO will not be applied to the IT
group users?
Answer: There are multiple ways that you could resolve this. For example, you could create a GPO
that specifically reverses the Prevent access to registry editing tools setting and link it directly to the
IT OU.
5.
6.
7.
8. Click Advanced.
9. In the Prohibit Registry Tools Security Settings dialog box, click Add.
10. In the Select Users, Computers, Service Accounts, or Groups dialog box, type IT, and then click
OK.
11. Click the IT (Adatum\IT) group in the Security list.
12. In the Permissions for IT section, locate the Apply Group Policy permission, and then click Deny.
13. Click OK.
14. If the Windows Security dialog box appears, click Yes to acknowledge the message.
15. Close the Group Policy Management console.
2.
3.
4. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: The Prohibit Desktop Background and the Prohibit Registry Tools.
Question: Is this correct?
Answer: Yes. The system is now in line with the company policy.
5.
6.
7.
8.
9. In the Command Prompt window, type GPResult /R and examine the results.
Question: What GPOs are being applied?
Answer: The Prohibit Desktop Background GPO is being applied.
Question: What GPOs are being filtered out?
Answer: Prohibit Registry Tools is being denied.
Results: After completing this exercise, you will be able to troubleshoot Group Policy issues, correct issues
to apply Group Policy, and verify policies are being applied.
2.
3. In the Windows PowerShell command window, type Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) at the prompt, and press Enter.
4.
5.
6. Type Get-ADServiceAccount -Filter * and press Enter to verify the account. Note the output of the
command.
7.
8.
X Task 2: Configure the Web Server Application Pool to use the Group Managed
Service account
1. On LON-DC1, in Server Manager, click the Tools menu, and click Internet Information Services (IIS)
Manager.
2.
3. In the details pane, right-click the DefaultAppPool, and click Advanced Settings.
4. In the Advanced Settings dialog box, click Identity, and click the ellipsis button.
5. In the Application Pool Identity dialog box, click Custom Account, and click Set.
6. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field, and click OK
three times.
7.
8.
9.
Results: After completing this exercise, you will have created and associated a managed service account,
installed a managed service account on a web server, and verified password change for a managed
service account.
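The exercise above creates a group Managed Service Account (gMSA) step by step in the console and then binds it to an IIS application pool. The following script is an added example, not part of the lab, that performs the same sequence with the checks a practitioner would add before touching IIS. The account name (Webservice), domain (Adatum) and host (LON-DC1) are the lab's; the DNS host name webservice.adatum.com, the 30-day password interval and the AES-only encryption types are assumed values chosen for the example.

```powershell
# Added example (not part of the lab): gMSA provisioning as a script.
# Assumed values: DNSHostName webservice.adatum.com, 30-day interval, AES-only Kerberos.
Import-Module ActiveDirectory

# 1. KDS root key. The lab back-dates the key by 10 hours so a single-DC lab can
#    use it immediately. In production create the key with the default effective
#    time and wait for it to replicate (about 10 hours) before creating any gMSA.
if (-not (Get-KdsRootKey)) {
    # Lab shortcut (what the exercise types):
    #   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    # Production:
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. Only the computer accounts listed in
#    PrincipalsAllowedToRetrieveManagedPassword can fetch the managed password,
#    so keep that list to the hosts that actually run the service.
$gmsa = 'Webservice'
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsa'")) {
    New-ADServiceAccount -Name $gmsa `
        -DNSHostName 'webservice.adatum.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$' `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128, AES256
}

# 3. Verify the account and who may retrieve its password
#    (the lab uses Get-ADServiceAccount -Filter * for this).
Get-ADServiceAccount -Identity $gmsa `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays

# 4. On the host that runs the service (LON-DC1 in the lab): install and test.
#    Test-ADServiceAccount returns $true only when this host can retrieve the
#    managed password; run it before reconfiguring the application pool.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "This host cannot retrieve the managed password for $gmsa; check PrincipalsAllowedToRetrieveManagedPassword and KDS key replication."
}

# 5. Point the application pool at the gMSA. There is no password to type:
#    identity type 3 (SpecificUser), the account name ending in '$', empty password.
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.identityType -Value 3
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.userName -Value 'Adatum\Webservice$'
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.password -Value ''
```

Steps 1 to 3 run on a domain controller with the Active Directory module; steps 4 and 5 run on the IIS host as a local administrator. The `Test-ADServiceAccount` check is the one worth keeping in any deployment script, because a pool that starts with a gMSA whose password the host cannot retrieve fails only at request time.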
Exercise 4: Maintaining AD DS
X Task 1: Create and view Active Directory snapshots
1.
Switch to LON-DC1.
2.
Move your mouse to the bottom right corner and click the Search charm.
3.
4.
In the Apps Results for CMD pane, right-click Command Prompt and then click Run as
administrator.
5.
6.
7.
8.
Note: The GUID that is displayed is important for commands in later tasks. Make note of
the GUID or, alternatively, copy it to the clipboard.
9.
Note: Hint: Copy and paste the $snap_datetime from the previous command. (The port
number can be any open, unique TCP port). Leave the Command Window open and the
command running while you perform the next tasks.
12. In Server Manager, click the Tools menu and then click Active Directory Users and Computers.
13. Expand Adatum.com and then click Research.
14. In the details pane, right-click Allie Bellew and then click Delete. Click Yes to confirm in the message
box.
15. Right-click the Active Directory Users and Computers root node and then click Change Domain
Controller.
16. Click <Type a Directory Server name[:port] here> and type LON-DC1:50000 and then press Enter.
17. Click OK.
18. Expand Adatum.com and click Research.
Note: Notice that the user Allie Bellew exists in the snapshot because it was taken before
the user was deleted.
19. Close Active Directory Users and Computers and close the command window.
1.
In Server Manager, on the Tools menu, click Active Directory Administrative Center.
2.
3.
4.
5.
6.
2.
Ensure that the Aidan Delaney user account is selected, and then in the tasks pane, click Delete.
3.
4.
Click Adatum (local) in the navigation pane to return to the main tree.
2.
In the Tasks pane, click Restore. In the navigation pane under Adatum (local), click Managers.
2.
In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3.
4.
Results: After completing this exercise, you will have created and viewed Active Directory snapshots,
enabled the Active Directory Recycle Bin, deleted a user as a test, and used the Active Directory
Administrative Center to restore a deleted user account.
Lab: Implementing AD FS
Exercise 1: Configuring AD FS Prerequisites
X Task 1: Configure DNS forwarders
1.
2.
3.
4.
5.
Click in the IP address column, and then type 172.16.10.10. Press Enter, and then click OK.
6.
7.
8.
9.
2.
3.
In the CertEnroll window, right-click the MUN-DC1.TreyResearch.com_TreyResearch-MUN-DC1CA.crt file, and then click Copy.
4.
In the left pane, click Documents, and then paste the file into the Documents folder.
5.
Open a Windows PowerShell command prompt, type MMC and then press Enter.
6.
7.
8.
9.
32. In the open window, click LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt, click Open, and then
click Next.
33. On the Certificate Store page, verify that Place all certificates in the following store is selected,
verify that the Trusted Root Certification Authorities store is listed, and then click Next.
34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
35. Close Console1 without saving changes.
1.
On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
2.
In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message.
3.
4.
5.
On the Distinguished Name Properties page, enter the settings as listed below, and then click
Next:
o Organization: A. Datum
o Organization unit: IT
o City/locality: London
o State/province: England
o Country/region: GB
6.
On the Online Certification Authority page, in Specify Online Certification Authority, click Select
to search for a CA server in the domain.
7.
8.
X Task 4: Bind the certificate to the claims aware application on the web server and
verify application access
1.
On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site,
and then in the Actions pane, click Bindings.
2.
3.
In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is
selected.
4.
In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.
5.
Click Close, and then close Internet Information Services (IIS) Manager.
6.
7.
Connect to https://lon-svr1.adatum.com/adatumtestapp.
8.
Verify that you can connect to the site, but that you receive a 401 access denied error. This is
expected because you have not yet configured AD FS for authentication.
9.
Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum
and Trey Research, and you exchanged root certificates between the two organizations. You also installed
and configured a web certificate on the application server.
1.
On LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.
2.
3.
4.
5.
On the Select server roles page, select the Active Directory Federation Services check box, click
Add Features, and then click Next.
6.
7.
On the Active Directory Federation Services (AD FS) page, click Next.
8.
9.
On the Confirm installation selections page, click Install, and then wait for the installation to finish.
Do not close the window.
2.
In the Overview pane, click the AD FS Federation Server Configuration Wizard link.
3.
On the Welcome page, ensure that Create a new Federation Service is selected, and then click
Next.
4.
On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and
then click Next.
5.
On the Specify the Federation Service Name page, ensure that the SSL certificate selected is
LON-DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com. Click Next.
6.
On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and
then click Next.
7.
Log on to the LON-CL1 virtual machine as Adatum\Brad using the password Pa$$w0rd.
2.
3.
Click the Settings icon in the top-right corner, and then click Internet options.
4.
5.
Click Sites, and then clear the Automatically detect intranet network check box.
6.
Click Advanced, and in the Add this website to the zone box, type
https://lon-dc1.adatum.com, and then click Add.
7.
8.
Click OK twice.
9.
Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
10. Verify that the xml file opens successfully, and then scroll through its contents.
11. Close Internet Explorer.
Results: In this exercise, you installed and configured the AD FS server role, and then verified a successful
installation by viewing the contents of the federation metadata .xml file.
1.
On the LON-DC1 virtual machine, in Server Manager, click Tools, and then click Windows
PowerShell.
2.
At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press Enter.
This step is required so that you can modify the certificates that AD FS uses.
3.
4.
5.
In the AD FS console, in the left pane, expand Service, and then click Certificates.
6.
7.
In the Select a token signing certificate dialog box, click LON-DC1.Adatum.com, and then click
OK.
8.
Right-click the newly added certificate, and then click Set as Primary. Note the warning message,
and then click Yes.
10. Select the certificate that has just been superseded, right-click the certificate, and then click Delete.
Click Yes to confirm the deletion.
1.
In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
2.
In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3.
In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
4.
5.
On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as
Claims, and then click Next.
6.
On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7.
8.
In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
9.
User-Principal-Name = UPN
Display-Name = Name
X Task 3: Configure the claims application to trust incoming claims by running the WIF
Federation Utility
1.
On LON-SVR1, go to the Start screen, and then click Windows Identity Foundation Federation
Utility.
2.
On the Welcome to the Federation Utility wizard page, in Application configuration location,
type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of
the WIF sample application.
3.
4.
On the Security Token Service page, select Use an existing STS, type
https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS
WS-Federation metadata document location, and then click Next to continue. In the warning, click
Yes.
5.
On the Security token encryption page, select No encryption, and then click Next.
6.
On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
7.
On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.
8.
Click OK.
X Task 4: Configure a relying party trust for the claims aware application
1.
2.
3.
On the Welcome page of the Add relying party Trust Wizard, click Start.
4.
On the Select Data Source page, select Import data about the relying party published online or
on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
5.
Note: This action prompts the wizard to check for the MetaData of the application that the
web server role hosts.
6.
On the Specify Display Name page, in the Display name box, type ADatum Test App, and then
click Next.
7.
On the Choose Issuance Authorization Rules page, ensure that the Permit all users to access this
relying party is selected, and then click Next.
8.
On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9.
On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.
1.
In the Edit Claim Rules for WIF Sample Claims App window, on the Issuance Transform Rules tab,
click Add Rule. The Add Transform Claim Rule Wizard opens.
2.
On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
Note: This action passes an incoming claim through to the user by means of Windows
Integrated Authentication.
3.
On the Configure Rule page, in Claim rule name, type Pass through Windows Account name
rule. In the Incoming claim type drop-down list, select Windows account name, and then click
Finish.
4.
5.
On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
6.
On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the
Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7.
8.
On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
9.
On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming
claim type drop-down list, select UPN, and then click Finish.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming
claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.
2.
Connect to https://lon-svr1.adatum.com/AdatumTestApp/.
3.
If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press
Enter. The page renders, and then you see the claims that were processed to allow access to the web
site.
Results: After this exercise, you configured a token signing certificate and configured a claims provider
trust for Adatum.com. You also configured the sample application to trust incoming claims and
configured a relying party trust and associated claim rules. You also tested access to the sample WIF
application in a single organization scenario.
2.
In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
3.
4.
5.
On the Select Data Source page, select Import data about the claims provider published online
or on a local network, type https://mun-dc1.treyresearch.com, and then click Next.
6.
7.
On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to
save the configuration.
8.
On the Finish page, click Close to close the wizard. The Edit Claim Rules for
mun-dc1.treyresearch.com window appears.
9.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish. Click Yes.
14. Click OK, and then close the AD FS console.
15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell.
16. At the prompt, type the following command, and then press Enter:
Set-ADFSClaimsProviderTrust -TargetName mun-dc1.treyresearch.com -SigningCertificateRevocationCheck None
X Task 2: Configure a relying party trust on MUN-DC1 for A. Datum's claims-aware
application
1.
On MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2.
In the AD FS console, on the Overview page, click Required: Add a trusted relying party.
3.
4.
On the Select Data Source page, select Import data about the relying party published online or
on a local network, type https://lon-dc1.adatum.com, and then click Next.
5.
On the Specify Display Name page, in the Display name box, type Adatum TestApp, and then
click Next.
6.
On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.
7.
On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save
the configuration.
8.
On the Finish page, click Close to close the wizard. The Edit Claim Rules for Adatum TestApp window
appears.
9.
10. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click
Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming Claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish.
14. Click OK, and then close the AD FS console.
X Task 3: Verify access to the A. Datum Test Application for Trey Research users
1.
Note: The logon process has changed, and you must now select an authority that can
authorize and validate the access request. The Home Realm Discovery page (the Sign In page)
appears, and you must select an authority.
2.
On the Sign In page, select mun-dc1.treyresearch.com, and then click Continue to Sign in.
3.
When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
4.
5.
6.
When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press
Enter. You should be able to access the application.
7.
Note: You are not prompted for a home realm again. Once users have selected a home
realm and been authenticated by a realm authority, they are issued with an _LSRealm cookie by
the relying party Federation Server. The default lifetime for the cookie is 30 days. Therefore, for
us to log on multiple times, we should delete that cookie after each logon attempt to return to a
clean state.
X Task 4: Configure claim rules for the claim provider trust and the relying party trust
to allow access only for a certain group
1.
On MUN-DC1, in the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.
2.
Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3.
On the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click
Add Rule.
4.
On the Select Rule Template page, under Claim rule template, select Send Group Membership as
a Claim, and then click Next.
5.
On the Configure Rule page, in Claim rule name, type Permit Production Group Rule.
6.
Beside Users Group, click Browse, type Production and click OK.
7.
8.
Under Outgoing claim value, type Production, click Finish and then click OK.
9.
10. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
11. Select mun-dc1.treyresearch.com, and in the Actions pane, click Edit Claim Rules.
12. On the Acceptance Transform Rules tab, click Add Rule.
13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an
Incoming Claim, and then click Next.
14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.
15. In the Incoming claim type drop down list, click Group, and click Finish. Click Yes and then click
OK.
16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.
17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
18. On the Issuance Transform Rules tab, click Add Rule.
19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.
20. Under Claim rule name, type Send TreyResearch Group Name Rule.
21. In the Incoming claim type drop down list, click Group. Click Finish.
22. On the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab,
select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With
no rules, no users are permitted access.
23. On the Issuance Authorization Rules tab, click Add Rule.
24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
25. On the Configure Rule page, in Claim rule name type Permit TreyResearch Production Group
Rule, in the Incoming claim type drop-down list, select Group. In Incoming claim value, type
Production, select the option to Permit access to users with this incoming claim, and then click
Finish.
26. On the Issuance Authorization Rules tab, click Add Rule.
27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based
on an Incoming Claim, and then click Next.
28. On the Configure Rule page, in Claim rule name type Temp, in the Incoming claim type drop-down
list, select UPN. In Incoming claim value, type @adatum.com, select the option to Permit access to
users with this incoming claim, and then click Finish.
29. Click the Temp rule, and click Edit Rule.
30. In the Edit Rule Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard. Click OK.
32. Click Cancel.
33. Click the Temp rule, click Remove Rule, and then click Yes.
34. On the Issuance Authorization Rules tab, click Add Rule.
35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a
Custom Rule, and then click Next.
36. On the Configure Rule page, type ADatum User Access Rule as the Claim rule name.
37. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit
the first URL to match the following text, and then click Finish:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
Note: This rule enables access to anyone who presents a claim whose UPN ends in
@adatum.com. The Value expression in the first URL defines the pattern that the claim value must
match. In this pattern, ^ indicates the beginning of the string to match, (?i) means that the match is
case insensitive, .+ matches one or more characters, \. matches a literal period, and $ marks the end of
the string.
38. Click OK to close the property page and save the changes to the relying party trust.
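Steps 34 to 38 replace the template-generated Temp rule with a custom rule whose UPN test is a regular expression. The script below is an added example, not part of the lab, that evaluates that rule's authorization decision against constructed sample claims. PowerShell's -cmatch operator uses the same .NET regular expression engine as the AD FS claim rule language, so the pattern from step 37 is used verbatim; the two looser patterns and all claim values are constructed for the example, and the Group claim type is the standard AD FS one.

```powershell
# Added example (not part of the lab): evaluate the custom authorization rule's
# UPN regex against constructed sample claims. Sample values are constructed.
$UpnClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$RulePattern  = '^(?i).+@adatum\.com$'      # the pattern from step 37

# Two weaker variants, constructed to show what each piece of the pattern is for.
$LoosePatterns = [ordered]@{
    'missing $ anchor' = '^(?i).+@adatum\.com'   # accepts any value that merely starts like an Adatum UPN
    'unescaped dot'    = '^(?i).+@adatum.com$'   # '.' matches any character, not only a period
}

function Test-UpnAuthorization {
    # Mirrors the rule: c:[Type == <upn>, Value =~ <pattern>] => issue(permit).
    # Returns $true when at least one UPN claim satisfies the pattern.
    param([hashtable[]]$Claims, [string]$Pattern)
    foreach ($c in $Claims) {
        # -cmatch is case-sensitive, so any case-insensitivity comes from (?i) in the pattern itself
        if ($c.Type -eq $UpnClaimType -and $c.Value -cmatch $Pattern) { return $true }
    }
    return $false
}

# Constructed claim sets: two Adatum users (mixed case), a Trey Research user,
# two values shaped to expose a loose pattern, and a set with no UPN claim at all.
$Samples = [ordered]@{
    'Brad@Adatum.com'               = @(@{ Type = $UpnClaimType; Value = 'Brad@Adatum.com' })
    'morgan@adatum.com'             = @(@{ Type = $UpnClaimType; Value = 'morgan@adatum.com' })
    'april@treyresearch.com'        = @(@{ Type = $UpnClaimType; Value = 'april@treyresearch.com' })
    'x@adatum.com.treyresearch.com' = @(@{ Type = $UpnClaimType; Value = 'x@adatum.com.treyresearch.com' })
    'x@adatumXcom'                  = @(@{ Type = $UpnClaimType; Value = 'x@adatumXcom' })
    'group claim only'              = @(@{ Type = 'http://schemas.xmlsoap.org/claims/Group'; Value = 'Production' })
}

# One row per claim set: the lab's pattern beside the two loose variants.
foreach ($name in $Samples.Keys) {
    $row = [ordered]@{
        Claim          = $name
        'rule pattern' = Test-UpnAuthorization -Claims $Samples[$name] -Pattern $RulePattern
    }
    foreach ($k in $LoosePatterns.Keys) {
        $row[$k] = Test-UpnAuthorization -Claims $Samples[$name] -Pattern $LoosePatterns[$k]
    }
    [pscustomobject]$row
}
```

With the lab's pattern only the two Adatum UPNs are permitted. The variant without the trailing $ also permits x@adatum.com.treyresearch.com, and the variant with an unescaped dot also permits x@adatumXcom, which is why the rule anchors both ends and escapes the period. The last row shows that a token carrying only a Group claim is denied by this rule regardless of pattern; access for Trey Research users comes from the separate Permit TreyResearch Production Group Rule.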
1.
On MUN-DC1, open Internet Explorer, and then connect to
https://lon-svr1.adatum.com/adatumtestapp/.
2.
When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then
press Enter.
Note: April is not a member of the Production group, so she should not be able to access
the application.
3.
4.
Open Internet Explorer, click the Settings icon in the top-right corner, and then click Internet
options.
5.
Under Browsing history, click Delete, click Delete again, and then click OK.
6.
Connect to https://lon-svr1.adatum.com/adatumtestapp/.
7.
Select mun-dc1.treyresearch.com on the Sign In page, and then click Continue to Sign in.
8.
When prompted for credentials, type TreyResearch\Morgan with the password Pa$$w0rd, and then
press Enter.
Note: Morgan is a member of the Production group, so she should be able to access the
application.
9.
2.
In the Virtual Machines list, right-click 20417A-MUN-DC1, and then click Revert.
3.
4.
Results: In this exercise, you configured a claims provider trust for Trey Research on Adatum.com and a
relying party trust for Adatum on TreyResearch.com. You verified access to the A. Datum claims-aware
application. Then you configured the application to restrict access from TreyResearch.com to specific
groups, and you verified appropriate access.