20411C-ENU-TrainerHandbook

MCT USE ONLY. STUDENT USE PROHIBITED OFFICIAL MICROSOFT LEARNING PRODUCT 20411C Administering Windows Server® 2012


Page 1: 20411C-ENU-TrainerHandbook


20411C Administering Windows Server® 2012


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2013 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20411C

Part Number: X19-09969

Released: May 13, 2014


MICROSOFT LICENSE TERMS

MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good standing.

l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,

viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or

2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,

v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.

ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

o access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,

o alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,

o modify or create a derivative work of any Licensed Content,

o publicly display, or make the Licensed Content available for others to access or use,

o copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,

o work around any technical limitations in the Licensed Content, or

o reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

o anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and

o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are also provided in French. (The French clauses are rendered in English below.)

DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". Any use of this Licensed Content is at your sole risk. Microsoft gives no other express warranties. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

o anything related to the Licensed Content, services or content (including code) on third-party Internet sites or in third-party programs; and

o claims for breach of contract or warranty, or for strict liability, negligence or other tort to the extent permitted by applicable law.


It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it to do so.

Revised September 2012


Acknowledgments

Microsoft Learning wants to acknowledge and thank the following for their contribution in developing this title. Their effort at various developmental stages has ensured that you have a good classroom experience.

Brian Svidergol – Content Developer

Brian Svidergol specializes in Microsoft infrastructure and cloud-based solutions built around Windows®, Active Directory®, Microsoft® Exchange, Microsoft System Center, virtualization, and Microsoft Desktop Optimization Pack. He holds many Microsoft and industry certifications. Brian authored the Active Directory Cookbook, 4th Edition. He has also worked as a Subject Matter Expert and technical reviewer on many Microsoft Official Courses and Microsoft Certification exams, and authored or reviewed related training content.

Dave Franklyn – Content Developer

David M. Franklyn, Microsoft Certified Trainer, Microsoft Certified System Engineer (MCSE), Microsoft Certified Information Technology Professional, Microsoft Most Valuable Professional (MVP), Windows Expert--IT Pro, is a Senior Information Technology Trainer and Consultant at Auburn University in Montgomery, Alabama, and the owner of DaveMCT, LLC. He is also Adjunct Faculty with MyITStudy.com. He is an Eastern USA Regional Lead MCT. Dave has been a Microsoft MVP since 2011. Working with computers since 1976, Dave started out in the mainframe world and moved into the networking arena early. Before joining Auburn University in 1998, Dave spent 22 years in the US Air Force as an electronic communications and computer systems specialist. Dave is president of the Montgomery Windows Information Technology (IT) Professional Group, and a guest speaker at many events involving Microsoft products.

Erdal Ozkaya – Content Developer Erdal Ozkaya, Bachelor of Science in Information Technology (B.I.T.), MVP, Microsoft Certified Trainer, ISO 27001 Consultant, Certified Ethical Hacker (CEH), Certified Ethical Instructor, is an educator at Charles Sturt University. Erdal is also completing his Doctor of Philosophy (Ph.D.) in IT security and working for KEMP Technologies as Regional Director. His specialties include Windows servers and clients, security, virtualization, system management, and load balancers. He is a speaker, proctor for hands-on labs, and technical expert at worldwide conferences such as TechEd, Hacker Halted, and the Microsoft Management Summit, at trade shows, and in webcasts for Microsoft and EC-Council. Erdal has also developed and consulted on Microsoft Official Exams and Courses. He shares his experiences in his blog "yourmct.com".

Gary Dunlop – Content Developer Gary Dunlop lives in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.

Telmo Sampaio – Content Developer Telmo Sampaio, who has a Bachelor of Science (BS) degree, is also an MCT, MCSE, Microsoft Certified Solution Developer (MCSD), and was one of the first MCT Regional Leads. Telmo has passed more than 80 Microsoft exams since his first certification in 1996. He is the “Chief Geek” for MCTrainer.NET and TechKnowLogical. Telmo specializes in Microsoft System Center, Microsoft SharePoint®, Microsoft SQL Server®, Windows Server®, and .NET, and has worked for IBM, Microsoft, and several start-ups during the past 20 years. Telmo is a trainer, consultant, author, and speaker at events such as TechEd, the Microsoft Management Summit, and the Professional Association for SQL Server. He is very active in the MCT community, and travels the world providing consulting services and attending training engagements. His home base is Miami, Florida.

Page 13: 20411C-ENU-TrainerHandbook

Vladimir Meloski – Content Developer Vladimir is a consultant, Microsoft Certified Trainer, and an MVP on Exchange Server, who provides unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync® Server, Windows Server, and Microsoft System Center. Vladimir has 17 years of professional IT experience, and has been involved in Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a Subject Matter Expert and technical reviewer for Microsoft Official Course titles.

Claudia Woods – Technical Reviewer Claudia has been a LAN Administrator, IT Pro Consultant, and technical instructor for more than twenty years. She designs and implements technology solutions for an international customer base. Claudia also holds MCSE, MCSA, and MCT certifications from Microsoft, VCP, VCI, and VCI Mentor certifications from VMware, and certifications from other vendors. Her specialties include Windows Server, Active Directory, Exchange messaging, and virtualization technologies. She has been a Technical Reviewer for more than ten Microsoft Official Course titles.

Page 14: 20411C-ENU-TrainerHandbook

Contents

Module 1: Configuring and Troubleshooting Domain Name System
Lesson 1: Configuring the DNS Server Role 1-2
Lesson 2: Configuring DNS Zones 1-11
Lesson 3: Configuring DNS Zone Transfers 1-21
Lesson 4: Managing and Troubleshooting DNS 1-24
Lab: Configuring and Troubleshooting DNS 1-33

Module 2: Maintaining Active Directory® Domain Services
Lesson 1: Overview of AD DS 2-2
Lesson 2: Implementing Virtualized Domain Controllers 2-8
Lesson 3: Implementing RODCs 2-19
Lesson 4: Administering AD DS 2-25
Lesson 5: Managing the AD DS Database 2-36
Lab: Maintaining AD DS 2-45

Module 3: Managing User and Service Accounts
Lesson 1: Configuring Password Policy and User Account Lockout Settings 3-2
Lesson 2: Configuring Managed Service Accounts 3-11
Lab: Managing User and Service Accounts 3-19

Module 4: Implementing a Group Policy Infrastructure
Lesson 1: Introducing Group Policy 4-2
Lesson 2: Implementing and Administering GPOs 4-11
Lesson 3: Group Policy Scope and Group Policy Processing 4-17
Lesson 4: Troubleshooting the Application of GPOs 4-33
Lab: Implementing a Group Policy Infrastructure 4-40

Module 5: Managing User Desktops with Group Policy
Lesson 1: Implementing Administrative Templates 5-2
Lesson 2: Configuring Folder Redirection and Scripts 5-8
Lesson 3: Configuring Group Policy Preferences 5-13
Lesson 4: Managing Software with Group Policy 5-19
Lab: Managing User Desktops with Group Policy 5-23

Module 6: Implementing Remote Access
Lesson 1: Overview of Remote Access 6-2
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 6-9

Page 15: 20411C-ENU-TrainerHandbook

Lab A: Implementing DirectAccess by Using the Getting Started Wizard 6-21
Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure 6-27
Lab B: Deploying an Advanced DirectAccess Solution 6-39
Lesson 4: Implementing VPN 6-50
Lab C: Implementing VPN 6-60
Lesson 5: Implementing Web Application Proxy 6-65
Lab D: Implementing Web Application Proxy 6-71

Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role
Lesson 1: Installing and Configuring a Network Policy Server 7-2
Lesson 2: Configuring RADIUS Clients and Servers 7-6
Lesson 3: NPS Authentication Methods 7-12
Lesson 4: Monitoring and Troubleshooting a Network Policy Server 7-20
Lab: Installing and Configuring a Network Policy Server 7-26

Module 8: Implementing Network Access Protection
Lesson 1: Overview of Network Access Protection 8-2
Lesson 2: Overview of NAP Enforcement Processes 8-7
Lesson 3: Configuring NAP 8-13
Lesson 4: Configuring IPsec Enforcement for NAP 8-18
Lesson 5: Monitoring and Troubleshooting NAP 8-27
Lab: Implementing Network Access Protection 8-31

Module 9: Optimizing File Services
Lesson 1: Overview of FSRM 9-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 9-8
Lesson 3: Implementing Classification and File Management Tasks 9-18
Lab A: Configuring Quotas and File Screening Using File Server Resource Manager 9-22
Lesson 4: Overview of DFS 9-26
Lesson 5: Configuring DFS Namespaces 9-33
Lesson 6: Configuring and Troubleshooting DFS Replication 9-37
Lab B: Implementing Distributed File System 9-43

Module 10: Configuring Encryption and Advanced Auditing
Lesson 1: Encrypting Drives by Using BitLocker 10-2
Lesson 2: Encrypting Files by Using EFS 10-9
Lesson 3: Configuring Advanced Auditing 10-13
Lab: Configuring Encryption and Advanced Auditing 10-21

Page 16: 20411C-ENU-TrainerHandbook

Module 11: Deploying and Maintaining Server Images
Lesson 1: Overview of Windows Deployment Services 11-2
Lesson 2: Managing Images 11-9
Lesson 3: Implementing Deployment with Windows Deployment Services 11-16
Lesson 4: Administering Windows Deployment Services 11-22
Lab: Using Windows Deployment Services to Deploy Windows Server 2012 11-28

Module 12: Implementing Update Management
Lesson 1: Overview of WSUS 12-2
Lesson 2: Deploying Updates with WSUS 12-9
Lab: Implementing Update Management 12-15

Module 13: Monitoring Windows Server 2012
Lesson 1: Monitoring Tools 13-2
Lesson 2: Using Performance Monitor 13-11
Lesson 3: Monitoring Event Logs 13-20
Lab: Monitoring Windows Server 2012 13-24

Lab Answer Keys
Module 1 Lab: Configuring and Troubleshooting DNS L1-1
Module 2 Lab: Maintaining AD DS L2-9
Module 3 Lab: Managing User and Service Accounts L3-21
Module 4 Lab: Implementing a Group Policy Infrastructure L4-25
Module 5 Lab: Managing User Desktops with Group Policy L5-37
Module 6 Lab A: Implementing DirectAccess by Using the Getting Started Wizard L6-45
Module 6 Lab B: Deploying an Advanced DirectAccess Solution L6-51
Module 6 Lab C: Implementing VPN L6-66
Module 6 Lab D: Implementing Web Application Proxy L6-73
Module 7 Lab: Installing and Configuring a Network Policy Server L7-79
Module 8 Lab: Implementing Network Access Protection L8-85
Module 9 Lab A: Configuring Quotas and File Screening Using File Server Resource Manager L9-95
Module 9 Lab B: Implementing Distributed File System L9-99
Module 10 Lab: Configuring Encryption and Advanced Auditing L10-105
Module 11 Lab: Using Windows Deployment Services to Deploy Windows Server 2012 L11-113
Module 12 Lab: Implementing Update Management L12-121
Module 13 Lab: Monitoring Windows Server 2012 L13-127

Page 17: 20411C-ENU-TrainerHandbook

About This Course This section provides a brief description of the course—20411C: Administering Windows Server® 2012— audience, suggested prerequisites, and course objectives.

Course Description This course is part two in a series of three courses that provide the skills and knowledge necessary to implement a core Windows Server 2012 and Windows Server 2012 R2 infrastructure in an existing enterprise environment. The three courses collectively cover implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment. Although there is some cross-over of skills and tasks across these courses, this course focuses on the administration tasks necessary to maintain a Windows Server 2012 infrastructure: configuring and troubleshooting name resolution; user and group management with Active Directory Domain Services (AD DS) and Group Policy; implementing remote access solutions such as DirectAccess, VPNs, and Web Application Proxy; implementing network policies and Network Access Protection; data security; deployment and maintenance of server images; and update management and monitoring of Windows Server 2012 environments.

Note: This release (‘C’) Microsoft Official Course (MOC) version of course 20411C was developed on General Availability (GA) software.

Audience This course is intended for Information Technology (IT) professionals with hands-on experience working in a Windows Server 2008 or Windows Server 2012 environment who wish to acquire the skills and knowledge necessary to manage and maintain the core infrastructure required for a Windows Server 2012 and Windows Server 2012 R2 environment. The key focus for students is to broaden the initial deployment of Windows Server 2012 services and infrastructure and to provide the skills necessary to manage and maintain a domain-based Windows Server 2012 environment, including user and group management, network access, and data security. Candidates typically interested in attending this course would be:

• Windows Server Administrators experienced in working with Windows Server 2008 or Windows Server 2012 who wish to gain skills necessary to perform daily management and maintenance tasks in a Windows Server 2012 or Windows Server 2012 R2 environment.

• IT Professionals who are looking to take the 411, Administering Windows Server 2012 exam

• IT Professionals wishing to take the Microsoft Certified Solutions Expert (MCSE) exams in Data Center, Desktop Infrastructure, Messaging, Collaboration, and Communications will also be interested in taking this course as they prepare for the Microsoft Certified Solutions Associate (MCSA) exams, which are a prerequisite for their individual specialties.

Student Prerequisites This course requires that you have the ability to meet the following prerequisites:

• Install and Configure Windows Server 2012 into existing enterprise environments or as standalone installations.

• Configure local storage.

• Configure roles and features.

Page 18: 20411C-ENU-TrainerHandbook

• Configure file and print services.

• Configure Windows Server 2012 servers for local and remote administration.

• Configure IPv4 and IPv6 addresses.

• Configure Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services.

• Configure Active Directory Domain Services (AD DS).

• Install domain controllers.

• Create and configure users, groups, computers, and organizational units (OUs).

• Create and manage Group Policies.

• Configure local security policies.

The course prerequisites can be met by having knowledge equivalent to, or by attendance at, course 20410C: Installing and Configuring Windows Server 2012, because this course builds upon the knowledge and skills covered in that course.

Course Objectives After completing this course, students will be able to:

• Configure and troubleshoot DNS, including DNS replication and caching.

• Manage domain controllers and perform maintenance on Active Directory® Domain Services (AD DS).

• Configure account and password settings for standard users and configure service accounts.

• Implement a Group Policy Object (GPO) infrastructure.

• Configure Group Policy settings and Group Policy preferences.

• Configure remote network access using Routing and Remote Access and DirectAccess.

• Implement Web Application Proxy to enable access to internal applications without DirectAccess or virtual private network (VPN).

• Install and configure Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication.

• Implement and manage Network Access Protection (NAP).

• Configure File Server Resource Manager (FSRM) and Distributed File System (DFS) to optimize file services.

• Configure encryption and advanced auditing to increase file system security.

• Create and manage server images by using Windows Deployment Services (Windows DS).

• Use Windows Server Update Services (WSUS) to deploy updates to Windows servers and clients.

• Monitor Windows Server 2012 and troubleshoot performance issues.

Course Outline The course outline is as follows:

Module 1, “Configuring and Troubleshooting Domain Name System”

Module 2, “Maintaining Active Directory Domain Services”

Page 19: 20411C-ENU-TrainerHandbook

Module 3, “Managing User and Service Accounts”

Module 4, “Implementing a Group Policy Infrastructure”

Module 5, “Managing User Desktops with Group Policy”

Module 6, “Implementing Remote Access”

Module 7, “Installing, Configuring, and Troubleshooting the Network Policy Server Role”

Module 8, “Implementing Network Access Protection”

Module 9, “Optimizing File Services”

Module 10, “Configuring Encryption and Advanced Auditing”

Module 11, “Deploying and Maintaining Server Images”

Module 12, “Implementing Update Management”

Module 13, “Monitoring Windows Server 2012”

Exam/Course Mapping This course, 20411C: Administering Windows Server® 2012, has a direct mapping of its content to the objective domain for the Microsoft Exam 70-411: Administering Windows Server 2012.

The table below is provided as a study aid that will assist you in preparation for taking this exam and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

Note: The exam objectives are available online at the following URL: http://www.microsoft.com/learning/en-us/exam-70-411.aspx, under Skills Measured.

Exam Objective Domain: Exam 70-411: Administering Windows Server 2012

Each objective below is followed by the course content that covers it: the module and lessons, then the lab exercises.

1. Deploy, Manage, and Maintain Servers (16%)

1.1 Deploy and manage server images.
This objective may include but is not limited to: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images; configure driver groups and packages
Course content: Mod 11 Lesson 1/2/3; Lab: Mod 11 Ex 1/2

Page 20: 20411C-ENU-TrainerHandbook

1.2 Implement patch management.
This objective may include but is not limited to: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups; manage patch management in mixed environments
Course content: Mod 12 Lesson 1/2; Lab: Mod 12 Ex 1/2/3

1.3 Monitor servers.
This objective may include but is not limited to: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring; schedule performance monitoring
Course content: Mod 13 Lesson 1/2/3; Lab: Mod 13 Ex 1/2/3

2. Configure File and Print Services (18%)

2.1 Configure Distributed File System (DFS).
This objective may include but is not limited to: Install and configure DFS namespaces; configure DFS Replication targets; configure replication scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance; clone a DFS database; recover DFS databases; optimize DFS replication
Course content: Mod 9 Lesson 4/5/6; Lab: Mod 9 Lab B Ex 1/2/3

2.2 Configure File Server Resource Manager (FSRM).
This objective may include but is not limited to: Install the FSRM role; configure quotas; configure file screens; configure reports; configure file management tasks
Course content: Mod 9 Lesson 1/2/3; Lab: Mod 9 Lab A Ex 1/2

2.3 Configure file and disk encryption.
This objective may include but is not limited to: Configure BitLocker encryption; configure the Network Unlock feature; configure BitLocker policies; configure the EFS recovery agent; manage EFS and BitLocker certificates including backup and restore
Course content: Mod 10 Lesson 1/2; Lab: Mod 10 Ex 1/2/3

2.4 Configure advanced audit policies.
This objective may include but is not limited to: Implement auditing using Group Policy and AuditPol.exe; create expression-based audit policies; create removable device audit policies
Course content: Mod 10 Lesson 3; Lab: Mod 10 Ex 3

Page 21: 20411C-ENU-TrainerHandbook

3. Configure Network Services and Access (16%)

3.1 Configure DNS zones.
This objective may include but is not limited to: Configure primary and secondary zones; configure stub zones; configure conditional forwarders; configure zone and conditional forwarder storage in Active Directory; configure zone delegation; configure zone transfer settings; configure notify settings
Course content: Mod 1 Lesson 1/2/3/4; Lab: Mod 1 Ex 1/2/3

3.2 Configure DNS records.
This objective may include but is not limited to: Create and configure DNS resource records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records; configure zone scavenging; configure record options including Time To Live (TTL) and weight; configure round robin; configure secure dynamic updates
Course content: Mod 1 Lesson 1/2/3/4; Lab: Mod 1 Ex 1/2/3

3.3 Configure VPN and routing.
This objective may include but is not limited to: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing; configure Web Application Proxy in pass-through mode
Course content: Mod 6 Lesson 4/5; Lab: Mod 6 Lab C Ex 1/2, Lab D Ex 1/2

3.4 Configure DirectAccess.
This objective may include but is not limited to: Implement server requirements; implement client configuration; configure DNS for DirectAccess; configure certificates for DirectAccess
Course content: Mod 6 Lesson 1/2/3; Lab: Mod 6 Lab A Ex 1/2/3, Lab B Ex 1/2/3

4. Configure a Network Policy Server Infrastructure (20%)

4.1 Configure Network Policy Server (NPS).
This objective may include but is not limited to: Configure a RADIUS server including RADIUS proxy; configure RADIUS clients; manage NPS templates; configure RADIUS accounting; configure certificates
Course content: Mod 7 Lesson 1/2/4; Lab: Mod 7 Ex 2

4.2 Configure NPS policies.
This objective may include but is not limited to: Configure connection request policies; configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing); import and export NPS policies
Course content: Mod 7 Lesson 1/2/4, Mod 8 Lesson 1/2; Lab: Mod 7 Lab Ex 1/2, Mod 8 Lab Ex 1/2

Page 22: 20411C-ENU-TrainerHandbook

4.3 Configure Network Access Protection (NAP).
This objective may include but is not limited to: Configure System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure NAP client settings
Course content: Mod 8 Lesson 1/2/4; Lab: Mod 8 Lab Ex 1/2

5. Configure and Manage Active Directory (13%)

5.1 Configure service authentication.
This objective may include but is not limited to: Create and configure service accounts; create and configure group Managed Service Accounts; configure Kerberos delegation; manage service principal names (SPNs); configure virtual accounts
Course content: Mod 3 Lesson 1/2; Lab: Mod 3 Ex 1/2

5.2 Configure domain controllers.
This objective may include but is not limited to: Transfer and seize operations master roles; install and configure a read-only domain controller (RODC); configure domain controller cloning
Course content: Mod 2 Lesson 2/3/4; Lab: Mod 2 Ex 1/2/4

5.3 Maintain Active Directory.
This objective may include but is not limited to: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore; configure and restore objects using the Active Directory Recycle Bin
Course content: Mod 2 Lesson 1/3/4/5; Lab: Mod 2 Ex 3

5.4 Configure account policies.
This objective may include but is not limited to: Configure domain and local user password policy settings; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure account lockout policy settings; configure Kerberos policy settings
Course content: Mod 3 Lesson 1; Lab: Mod 3 Lab Ex 1/2

Page 23: 20411C-ENU-TrainerHandbook

6. Configure and Manage Group Policy (15%)

6.1 Configure Group Policy processing.
This objective may include but is not limited to: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing and Group Policy caching; configure client-side extension (CSE) behavior; force Group Policy update
Course content: Mod 4 Lesson 1/2/3; Lab: Mod 4 Lab Ex 1/2/3/4

6.2 Configure Group Policy settings.
This objective may include but is not limited to: Configure settings including software installation, folder redirection, scripts, and administrative template settings; import security templates; import custom administrative template files; configure property filters for administrative templates
Course content: Mod 5 Lesson 1/2/3; Lab: Mod 5 Lab Ex 1/2/3

6.3 Manage Group Policy objects (GPOs).
This objective may include but is not limited to: Back up, import, copy, and restore GPOs; create and configure migration tables; reset default GPOs; delegate Group Policy management
Course content: Lab: Mod 4 Lab Ex 4, Mod 5 Lab Ex 1/2/3

6.4 Configure Group Policy preferences.
This objective may include but is not limited to: Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment; configure item-level targeting
Course content: Mod 5 Lesson 3; Lab: Mod 5 Lab Ex 1/2/3

Note: Attending this course in itself will not successfully prepare you to pass any associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:

• Real-world, hands-on experience installing and configuring a Windows Server 2012 infrastructure

• Windows 7 or Windows 8 client configuration experience

• Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en-us/exam-70-411.aspx, under Preparation options.

Page 24: 20411C-ENU-TrainerHandbook

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en-us/course.aspx?ID=20411C, under Overview, Audience Profile.

The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to change at any time and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.

Page 25: 20411C-ENU-TrainerHandbook

Course Materials The following materials are included with your kit:

• Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly focused format, which is essential for an effective in-class learning experience.

You may be accessing either a printed course handbook or digital courseware material via the Arvato Skillpipe reader. Your Microsoft Certified Trainer will provide specific details, but both contain the following:

• Lessons: guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.

• Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.

• Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and skills retention.

• Lab Answer Keys: provide step-by-step lab solution guidance.

Course Companion content on the http://www.microsoft.com/learning/companionmoc Site: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.

• Modules: include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.

• Resources: include well-categorized additional resources that give you immediate access to the most current premium content on TechNet, MSDN®, or Microsoft Press®.

Note: For this version of the Courseware on RTM Software, Companion Content is not available. However, the Companion Content will be published when the next version, the ‘D’ version, of this course is released, and students who have taken this course will be able to download the Companion Content at that time from the http://www.microsoft.com/learning/companionmoc site. Please ask your instructor when the ‘D’ version of this course is scheduled to release to learn when you can access the Companion Content for this course.

• Course evaluation: at the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send an email to [email protected]. To inquire about the Microsoft Certification Program, send an email to [email protected].

Page 26: 20411C-ENU-TrainerHandbook

Virtual Machine Environment This section provides the information about the lab scenario in this course.

Virtual Machine Configuration In this course, you will use virtual machines built in Microsoft® Hyper-V to perform the labs.

Important: At the end of each lab, you must revert the virtual machines to a snapshot. You can find the instructions for this procedure at the end of each lab. Alternatively, if you are using Microsoft Labs Online you will need to reset the virtual machines at the end of each lab.

The following table shows the role of each virtual machine used in this course.

Virtual machine – Role

• 20411C-LON-DC1 – Domain controller

• 20411C-LON-SVR1 – Server in the adatum.com domain

• 20411C-LON-SVR3 – No operating system installed

• 20411C-LON-SVR4 – Server in the adatum.com domain

• 20411C-LON-RTR – Router

• 20411C-LON-CL1 – Client computer with the Windows® 8.1 operating system

• 20411C-LON-CL2 – Client computer with the Windows 7 operating system

• 20411C-LON-CL3 – Client computer with the Windows® 8.1 operating system

• 20411C-INET1 – Internet Web and DNS server

Software Configuration The following software is installed in the virtual machines for your use in the course:

• Windows Server 2012 R2

• Windows 8.1

Classroom Setup Each classroom computer will have the same virtual machine configured in the same way.

You may be accessing the lab virtual machines either in a hosted online environment with a web browser or by using Hyper-V on a local machine. The labs and virtual machines are the same in both scenarios; however, there may be some slight variations because of hosting requirements. Any discrepancies will be called out in the Lab Notes on the hosted lab platform.

Your Microsoft Certified Trainer will provide details about your specific lab environment.

Page 27: 20411C-ENU-TrainerHandbook

Course Hardware Level Where labs are being run locally, to ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 7

• Processor: 64-bit Intel Virtualization Technology or AMD Virtualization (AMD-V) processor, 2.8 gigahertz (GHz) dual core or better recommended

• Hard Disk: Dual 500 gigabyte (GB) hard disks, 7200 revolutions per minute (RPM), Serial ATA (SATA), labeled C drive and D drive

• RAM: 16 GB or higher

• DVD/CD: DVD; dual layer recommended.

• Network Adapter

• Sound Card with amplified speakers

• Monitor: Dual Super VGA (SVGA) monitors 17” or larger supporting 1440 × 900 minimum resolution

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 × 768 pixels, 16-bit color.

Page 28: 20411C-ENU-TrainerHandbook

Page 29: 20411C-ENU-TrainerHandbook

Module 1 Configuring and Troubleshooting Domain Name System

Contents: Module Overview 1-1

Lesson 1: Configuring the DNS Server Role 1-2

Lesson 2: Configuring DNS Zones 1-11

Lesson 3: Configuring DNS Zone Transfers 1-21

Lesson 4: Managing and Troubleshooting DNS 1-24

Lab: Configuring and Troubleshooting DNS 1-33

Module Review and Takeaways 1-38

Module Overview The Domain Name System (DNS) is the foundation name service in the Windows Server® 2012 operating system. DNS provides name resolution and it enables DNS clients to locate network services, such as Active Directory® Domain Services (AD DS) domain controllers, global catalog servers, and messaging servers. If you configure your DNS infrastructure poorly or it is not working correctly, these important network services will be inaccessible to your network servers and clients. Therefore, it is vital that you understand how to deploy, configure, manage, and troubleshoot this critical service.

Objectives After completing this module, you will be able to:

• Install and configure the DNS server role.

• Create and configure DNS zones.

• Configure DNS zone transfers.

• Manage and troubleshoot DNS.


Lesson 1 Configuring the DNS Server Role

The DNS infrastructure is the basis for name resolution on the Internet and in AD DS domains based on Windows Server 2012. This lesson provides guidance and information about what is required to configure the DNS server role and explains the basic functions of a DNS server.

Lesson Objectives After completing this lesson, you will be able to:

• List the components of a DNS solution.

• Install the DNS server role.

• Describe how various DNS queries work.

• Explain how root hints work.

• Explain how forwarding and conditional forwarding work.

• Explain how DNS server caching works.

• Explain DNS round robin.

• Explain the considerations for deploying the DNS server role.

Components of a DNS Solution

DNS is a name-resolution service that resolves names to IP addresses. The DNS service is a logically-partitioned, hierarchical distributed database, which enables many different servers to host a worldwide database of DNS names. In Windows Server 2012, DNS is a server role that provides a solution to ensure that client computers can find resources on the domain, local area network, and the Internet. It also facilitates user and computer authentication in the domain. The components of a DNS solution include internal DNS servers, DNS servers on the Internet, and DNS resolvers or clients.

DNS Servers A DNS server can respond to recursive and iterative DNS queries. DNS servers can also host one or more zones of a particular domain. Zones contain different resource records. DNS servers can also cache lookups to save time for common queries. DNS servers also store service locator (SRV) records in the zones that enable clients to find domain controllers in AD DS. If your domain requires more domain controllers, you simply deploy more domain controllers; each one registers its own SRV records in DNS, which enables clients to find it as well. In a domain-based corporate network, you need to secure and protect these DNS servers and their records. The best practice is to implement Active Directory-integrated zones, thereby combining the DNS server role and the AD DS role on your domain controllers. This enhances security, because zone data is then protected by AD DS permissions and can be restricted to secure dynamic updates, and it replaces conventional zone transfers between domain controllers with Active Directory replication while still allowing delegation.


DNS Servers on the Internet DNS servers on the Internet host the public namespace: the root servers, the servers for the top-level domains (TLDs) such as .com, .net, and .edu, and the authoritative servers of the organizations that register domain names beneath them, such as companies, government agencies, and non-profit organizations. Your DNS server reaches those authoritative servers by sending iterative queries, following referrals from the root servers to the TLD servers and then to the organization's own servers. There are millions of these DNS servers, and each might host the resource records of web services that your DNS servers must resolve to IP addresses.

Note: Do not confuse these servers with the DNS servers that host your organization’s public namespace. These are located physically on your perimeter network. Do not store sensitive domain information such as service locator records on these DNS servers.

DNS Resolvers The DNS resolver is a service running on a client computer. A resolver generates and sends queries to a DNS server; a client (stub) resolver normally sends recursive queries and lets the DNS server do the iterative work. A DNS resolver can be any computer performing a DNS lookup that requires interaction with a DNS server, and DNS servers themselves issue DNS requests to other DNS servers. When a DNS server responds to a name resolution request, the DNS resolver caches that information in memory, so it can be reused without going back to the DNS server each time. Each record is marked with a Time to Live (TTL) value, and the record is automatically flushed from the cache when the TTL expires.

Demonstration: Installing the DNS Server Role

This demonstration shows how to install the DNS server role.

Demonstration Steps 1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Use Server Manager to install the DNS Server role.

What Are DNS Queries?

DNS clients request name resolution from DNS servers by sending DNS queries. There are two types of response to DNS queries: authoritative and nonauthoritative. Note that DNS servers can also send DNS queries to other DNS servers when they do not hold the answer themselves.

A DNS server can be either authoritative or nonauthoritative for the query's namespace. A DNS server that hosts the zone containing the resource records for a domain is authoritative for that domain, and its answers for names in that zone are authoritative answers. In this case, if a name resolution is requested and the DNS server has no record for that name, the server returns a "Name does not exist" (NXDOMAIN) response, and the client resolver accepts it as authoritative. The client resolver will not ask another DNS server.


Nonauthoritative DNS query replies are passed on and derived from other DNS servers responsible for the domain that hosts the record.

Note: Only the server with direct authority for the queried name can give an authoritative answer.

If the local DNS server is nonauthoritative for the query’s namespace, the DNS server will do one of the following:

• Check its cache, and return a cached response.

• Forward the unresolvable query to a specific server known as a forwarder.

• Use well-known addresses of multiple root servers to find an authoritative DNS server to resolve the query. This process uses root hints.

Recursive Queries A recursive query is a query made by a DNS client to a DNS server, asking the server to obtain the complete answer on the client's behalf. The DNS client service waits while the DNS server retrieves the answer. There are two possible results to a recursive query:

• The recursive query returns the requested record, such as the IP address of the host.

• The DNS server cannot resolve the name and returns an error, for example that the name does not exist.

For security reasons, it is sometimes necessary to disable recursion on a DNS server. A server with recursion disabled answers only for the zones it hosts; it will not use forwarders or root hints to resolve other names, and it refuses recursive queries for them. This is the normal configuration for an Internet-facing authoritative server, because a server that recurses for anyone (an open resolver) exposes its cache to poisoning attempts and can be abused to amplify traffic against third parties. Do not disable recursion on the DNS servers that internal clients rely on for Internet name resolution.

Iterative Queries An iterative query asks a DNS server for the best answer it can give from its own zones or cache, without the server contacting other servers on the requester's behalf. Iterative queries provide a mechanism for accessing domain-name information that resides across the DNS system, and enable servers to resolve names quickly and efficiently across many servers.

When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query.

When a DNS server receives an iterative query, it answers either with the requested record if it is known, or with a referral to the DNS servers that are responsible for the domain being queried.
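The following Windows PowerShell session, added here as an example and not part of the course, shows the difference between an authoritative answer and a non-recursive lookup of a foreign name, and then turns recursion off on a server that should answer only for its own zones. The server address 172.16.0.10 and the host name lon-dc1.adatum.com are assumptions for the example. Run the Set-DnsServerRecursion step only on a server that is meant to be authoritative-only, such as the perimeter server hosting the public namespace; the domain controllers that internal clients use for Internet lookups need recursion, so never run it against LON-DC1 in the lab.

```powershell
# Added example, not from the course: authoritative versus non-recursive
# answers, then disabling recursion on an authoritative-only DNS server.
# 172.16.0.10 and lon-dc1.adatum.com are hypothetical. Requires the DnsServer
# module (installed with the DNS Server role) and an elevated session.

$dns = '172.16.0.10'

# Name in a zone the server hosts: answered directly from zone data, so the
# response is authoritative and a "does not exist" for this zone is final.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -Server $dns -DnsOnly -NoHostsFile

# Name the server is not authoritative for. -NoRecursion clears the RD bit, so
# the server may only answer from its cache or return a referral; it will not
# walk the root hints or ask a forwarder. Resolve-DnsName reports the lack of a
# usable answer as an error, which is caught here.
try {
    Resolve-DnsName -Name 'www.contoso.com' -Type A -Server $dns -DnsOnly -NoRecursion -ErrorAction Stop |
        Format-Table Name, Type, TTL, Section, IPAddress -AutoSize
} catch {
    Write-Host "No cached answer and recursion not requested: $($_.Exception.Message)"
}

# Current recursion settings (Enable, SecureResponse, Timeout, RetryInterval ...).
Get-DnsServerRecursion

# Hardening for an authoritative-only server: it stops resolving names for
# anyone. This also disables forwarders, because forwarding is recursion that
# has been handed to another server.
Set-DnsServerRecursion -Enable $false

# Verify: the server's own zone is still answered ...
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type A -Server $dns -DnsOnly -NoHostsFile

# ... while a foreign name is now refused.
try {
    Resolve-DnsName -Name 'www.contoso.com' -Type A -Server $dns -DnsOnly -ErrorAction Stop
} catch {
    Write-Host "Recursion disabled, query for a foreign name failed: $($_.Exception.Message)"
}
```

The Section column in the first output distinguishes an Answer record from an Authority (referral) record, which is the quickest way to see whether the server actually knew the name or only knew whom to ask.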

What Are Root Hints?

Root hints are the list of servers on the Internet that your DNS server uses if it cannot resolve a DNS query by using a DNS forwarder or its own cache. The root hints are the highest-level servers in the DNS hierarchy and can provide the information necessary for a DNS server to perform an iterative query to the next lowest layer of the DNS namespace.

Root hints are installed automatically when you install the DNS role. The installation program copies root hints from the cache.dns file that the DNS role setup files include. You can find root hints in the DNS console on the DNS Server Properties page, on the Root Hints tab. You also can add root hints to a DNS server to support lookups for disjoint namespaces within a forest. For example, if Contoso.com is the forest root domain and the forest has a second tree named woodgrovebank.com, you can add the DNS server addresses for the woodgrovebank.com tree to the root hints. However, you could also add these same DNS servers as conditional forwarders for the woodgrovebank.com tree. You will learn about conditional forwarders in the next topic.

When a DNS server communicates with a root server, it uses only an iterative query. If you disable recursion on the server (in Windows Server 2012, the Disable recursion (also disables forwarders) option on the Advanced tab of the server properties), the server will not use its root hints at all. You might set this option if you want to restrict all name resolution to a particular network for security purposes.

If you configure the server to use a forwarder, it sends a recursive query to its forwarding server and waits for the answer. If the forwarder does not answer, the server falls back to its root hints unless you have cleared the Use root hints if no forwarders are available option on the Forwarders tab, in which case the server responds that the name could not be resolved.

It is important to understand that recursion on a DNS server and recursive queries are not the same thing. Recursion on a server means that the server will use its forwarders or root hints to try to resolve a query that it cannot answer from its own zones or cache. The previous topic discussed iterative and recursive queries in more detail.

What Is Forwarding?

Forwarding provides a way for name spaces or resource records not contained in a DNS server’s zone to be passed on to another DNS server for resolution. For example, you may wish to send all external name resolution requests to the DNS servers of the Internet Service Provider (ISP) rather than directly to the root hints. Alternatively, you might want to send external DNS queries from a branch office DNS server to the headquarters DNS servers, which then go to the root hints to resolve the name. You also can use conditional forwarders to forward queries according to specific domain names.

A network DNS server is designated a forwarder when the network’s other DNS servers forward to it the queries that they cannot resolve. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for your network’s computers.

Best Practice: Use a central forwarding DNS server for Internet name resolution. This security best practice can also improve performance and simplify troubleshooting. You can locate the forwarding DNS server on a perimeter network, so that it is the only server that needs to send DNS traffic to the Internet; no other server within the network communicates directly with the Internet, and the outbound DNS firewall rule is reduced to that one server.

Conditional Forwarding A conditional forwarder is a configuration setting in the DNS server that forwards DNS queries according to the query’s DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest.


Best Practice for Conditional Forwarding Use conditional forwarders if you have multiple internal namespaces. This provides faster name resolution.

How DNS Server Caching Works

DNS caching increases the performance of an organization’s DNS system by decreasing the time it takes to provide DNS lookups. When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for the most common domains that the organization uses or accesses.

Note: The default time to cache DNS data is one hour. You can configure this by changing the minimum (default) TTL in the Start of Authority record for the appropriate DNS zone. However, you cannot do this unless you are the administrator of the authoritative zone's DNS server. For example, if the DNS administrator for the contoso.com zone sets the TTL to 2 hours, and you are the DNS administrator for the DNS server hosting the Fabrikam.com DNS zone, you cannot add time to or remove time from the records for contoso.com.

A caching-only server does not host any DNS zone data; it only answers lookups for DNS clients. This is the ideal type of DNS server to use as a forwarder because it has no authoritative zones of its own to maintain. A caching-only server only answers from cached records or sends recursive or iterative name resolution queries to other DNS servers. In this configuration, the caching-only server builds up a database of cached name resolutions, each valid until its TTL expires. This can decrease the time to resolve names, especially if clients request the same name resolutions repeatedly.

There is a particular security vulnerability in DNS caching that involves records that are placed into the cache that are purposely incorrect and can lead a DNS server to provide a false name-to-IP resolution. This is known as DNS cache pollution, or cache poisoning. If a DNS server does not properly check the records in another DNS server's responses, it is possible for the cached results to be invalid and to include name resolutions that point to the domain of an attacker. The DNS server delivers that address to a client, which then sends data to or requests data from the attacker's servers. Windows Server 2003 and newer versions protect against this threat with cache pollution protection (the Secure cache against pollution option), which is enabled by default. With this setting, the server caches only records that belong to the domain tree it queried; any additional records in a response that belong to a different domain (for example, a contoso.com record arriving in a reply for a fabrikam.com name) are discarded rather than cached.

To see the DNS server’s cache, in the DNS Console, set the View menu to Advanced, and an additional node named Cached Lookups will appear in the console tree. You can expand this node to reveal the various TLDs of the Internet that you can expand to show the secondary level domains and cached records. Note that, as time goes by, many of the records will expire due to the TTL. At that point, another name resolution request must go out to the root hints or forwarders.

The Windows® PowerShell® cmdlet Show-DnsServerCache shows all cached DNS server resource records in the following format: name, resource record data, and TTL. You might want to redirect the output to a file, because the number of cached records builds up considerably over time.

The DNS client cache is a DNS cache that the DNS Client service stores on the local computer. To view the current client-side cache, run the ipconfig /displaydns command at the command prompt. If you must clear the local cache, such as when you are troubleshooting name resolution, you can use the ipconfig /flushdns command.


Note: You also can use the following Windows PowerShell cmdlets:

• Clear-DnsClientCache to delete the DNS resolver cache

• Get-DnsClientCache to view the resolver cache
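The following Windows PowerShell session is an added example, not part of the course, covering the caching topic above: it reads the server cache settings, enforces cache pollution protection together with cache locking and a maximum TTL, exports the cache for offline inspection, and flushes both the server and client caches. The CSV path is arbitrary; everything else uses the DnsServer and DnsClient modules that ship with Windows Server 2012, run in an elevated session on the DNS server.

```powershell
# Added example, not from the course: inspect, harden and dump the DNS server
# cache, then flush server and client caches. Run elevated on the DNS server.

# Current settings. EnablePollutionProtection is the "Secure cache against
# pollution" option on the Advanced tab; LockingPercent is cache locking.
Get-DnsServerCache

# Pollution protection drops records that lie outside the domain tree that was
# queried instead of caching them. Cache locking at 100 means a cached record
# cannot be overwritten by a later response until its TTL has expired, which
# removes the window an attacker has for racing a forged answer into the cache.
# MaxTtl caps how long any record may stay cached, whatever TTL the remote
# zone advertises.
Set-DnsServerCache -EnablePollutionProtection $true -LockingPercent 100 -MaxTtl (New-TimeSpan -Days 1)

# Dump the cached A records to CSV. The cache is large, so do not read it at
# the console; search the file instead for names that should never resolve
# inside the network, which is a quick check for an entry that looks poisoned.
Show-DnsServerCache |
    Where-Object RecordType -eq 'A' |
    Select-Object HostName, TimeToLive,
        @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } } |
    Export-Csv -Path 'C:\dnscache.csv' -NoTypeInformation

# Which entries for one domain are cached right now, and how long they live.
Show-DnsServerCache | Where-Object HostName -like '*contoso.com*'

# Flush the server cache (Clear Cache in the console) and the client cache
# (ipconfig /flushdns) when troubleshooting a stale or suspect answer.
Clear-DnsServerCache -Force
Get-DnsClientCache | Select-Object Entry, RecordType, TimeToLive, Data
Clear-DnsClientCache
```

Cache locking and MaxTtl are server-wide settings; a locked record that turns out to be wrong can still be removed at once with Clear-DnsServerCache, which is why the flush commands belong in the same runbook as the hardening.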

Demonstration: Configuring the DNS Server Role

This demonstration shows how to configure the DNS server properties.

Demonstration Steps

Configure DNS server properties 1. Switch to LON-DC1 and, if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Open the DNS console.

3. Review the properties of the LON-DC1 server:

a. On the Forwarders tab, you can configure forwarding.

b. On the Advanced tab, you can configure options including securing the cache against pollution, and DNSSEC.

c. On the Root Hints tab, you can see the configuration for the root hints servers.

d. On the Debug Logging tab, you can configure debug logging options.

e. On the Event Logging tab, you can configure the level of event recording.

f. On the Monitoring tab, you can perform simple and recursive tests against the server.

g. On the Security tab, you can define permissions on the DNS infrastructure.

Configure conditional forwarding 1. From the Conditional Forwarders node, you can configure conditional forwarding:

a. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.

b. Click the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail because this is just an example configuration.

Clear the DNS cache • In the navigation pane, right-click LON-DC1, and then click Clear Cache.

Use Windows PowerShell to Configure the DNS Server Role

1. Open Windows PowerShell and use the Get-DnsServer cmdlet to observe the various DNS settings in PowerShell. Pipe the output through more to see the output one page at a time.

2. Pipe the Get-DnsServer output into an Export-Clixml file called DNSExport.xml at the root of c:\ drive. Examine the file.

3. Use the Add-DnsServerConditionalForwarderZone to create a conditional forwarder for the fabrikam.com zone with a server IP address of 131.107.5.6.

4. Use the DNS Console to verify the fabrikam.com conditional forwarder.
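The following Windows PowerShell session is an added example, not part of the course, that carries out the Windows PowerShell steps of this demonstration and the forwarding topics above (central forwarder, conditional forwarder, root hints) with a configuration snapshot taken first and checks made afterwards. It is meant to run in an elevated session on LON-DC1. The addresses 131.107.1.2 and 131.107.5.6 are the course's placeholder addresses and do not answer, so the forwarder and the conditional forwarder cannot be validated in the lab; the export path is arbitrary.

```powershell
# Added example, not from the course: forwarding configuration with a
# before/after snapshot. Run elevated on LON-DC1; 131.107.x.x are placeholders.

# 1. Snapshot the whole server configuration before touching it and keep the
#    file: comparing against it is the fastest way to find an unwanted change.
Get-DnsServer | Export-Clixml -Path 'C:\DNSExport.xml'
$before = Import-Clixml -Path 'C:\DNSExport.xml'
$before.ServerForwarder
$before.ServerRecursion

# 2. Send every query this server cannot answer itself to one central
#    forwarder, for example the caching-only server on the perimeter network.
#    UseRootHint $false makes forwarding exclusive: if the forwarder is down the
#    server fails the query rather than contacting the Internet root servers on
#    its own, which keeps all outbound DNS on the one path the firewall allows.
Set-DnsServerForwarder -IPAddress 131.107.1.2 -UseRootHint $false -Timeout 3
Get-DnsServerForwarder

# 3. Conditional forwarder: only names under fabrikam.com go to 131.107.5.6.
#    Storing it in AD DS (ReplicationScope Forest) gives every DNS server in
#    the forest the same rule without configuring each one by hand.
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' -MasterServers 131.107.5.6 -ReplicationScope Forest

# 4. Confirm what the server will now do with each kind of query.
Get-DnsServerZone -Name 'fabrikam.com' | Format-List ZoneName, ZoneType, MasterServers, ReplicationScope
Get-DnsServerRootHint | Format-Table -AutoSize

# 5. Compare the forwarder list with the snapshot (both sides as strings,
#    because Import-Clixml returns deserialized objects).
$old = @($before.ServerForwarder.IPAddress | ForEach-Object { "$_" })
$new = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { "$_" })
Compare-Object -ReferenceObject $old -DifferenceObject $new
```

Step 2 is the one to think about before running it in production: with UseRootHint set to $false a dead forwarder means no Internet name resolution at all, so either list two forwarder addresses or leave the root-hint fallback on and accept that this server will then talk to the Internet directly.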


What Is DNS Round Robin?

A DNS zone can contain many records of different types. These records represent IP addresses of a given host name, alias names, service locator and mail exchanger records, and other specialized records. Computers can have more than one IP address, on separate network adapters or bound to the same adapter. In this case, the computer's host name resolves not to one IP address but to two or more, depending on how many IP addresses it has. Each of these addresses should have a host resource record in the DNS forward lookup zone so that it can be resolved.

DNS round robin determines the order in which the server returns the IP addresses for a name that has several. The server returns the whole list of addresses for the name and rotates the order of that list for each successive query, so that different clients receive a different first address. A client uses the first address in the list it received and caches the whole list for the TTL, which is why the rotation happens per query at the server rather than per connection at the client. For example, if you have a number of web servers that all have the same content and you want to load balance the HTTP GET requests sent to them, you need to create an A record for each web server with the same name. For example, you could create the following:

www.contoso.com 60 IN A 172.16.0.11

www.contoso.com 60 IN A 172.16.0.120

www.contoso.com 60 IN A 172.16.0.133

When clients send name resolutions to the DNS server for www.contoso.com, the requests will be returned as follows:

First request:

172.16.0.11

172.16.0.120

172.16.0.133

Second request:

172.16.0.120

172.16.0.133

172.16.0.11

Third request:

172.16.0.133

172.16.0.11

172.16.0.120

The requests continue to rotate through the list for all three addresses. In theory, every web server receives one third of all requests, which load balances the three servers. You should be aware that DNS round robin provides no fault tolerance: the DNS server has no idea whether a web server is up. If one of the three servers goes down, approximately one third of the clients are sent first to an IP address that will not respond; only after that connection attempt times out can those clients try the next address on the list, and only if the application does so. Until you remove the failed server's record, every new query keeps handing out its address.
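The following Windows PowerShell session is an added example, not part of the course, that builds the www.contoso.com record set shown above and watches the answer order rotate. It assumes a DNS server at 172.16.0.10 (an assumption for the example) that hosts a primary zone named contoso.com, and an elevated session on that server.

```powershell
# Added example, not from the course: round robin in practice. Assumes a
# primary zone contoso.com on the server at 172.16.0.10 (hypothetical).

$zone = 'contoso.com'
$dns  = '172.16.0.10'
$ttl  = New-TimeSpan -Seconds 60

# Three A records with the same owner name; the short TTL keeps clients from
# holding on to one address for long.
foreach ($ip in '172.16.0.11', '172.16.0.120', '172.16.0.133') {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $ip -TimeToLive $ttl
}

# Round robin must be on. Netmask ordering (LocalNetPriority, on by default)
# overrides the rotation for a client that sits on the same subnet as one of
# the addresses: that client always gets the nearby address first.
$settings = Get-DnsServerSetting -All
'RoundRobin={0} LocalNetPriority={1}' -f $settings.RoundRobin, $settings.LocalNetPriority
if (-not $settings.RoundRobin) {
    $settings.RoundRobin = $true
    Set-DnsServerSetting -InputObject $settings
}

# Three successive queries. The client cache is flushed each time so every
# request actually reaches the server; otherwise the second and third answers
# would come from the local cache in the order the first reply had.
1..3 | ForEach-Object {
    Clear-DnsClientCache
    $answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $dns -DnsOnly -NoHostsFile
    'Request {0}: {1}' -f $_, ($answer.IPAddress -join ', ')
}

# Round robin is not health-aware. The only way to stop clients being sent to
# a dead server is to remove its record; confirm what is left afterwards.
Remove-DnsServerResourceRecord -ZoneName $zone -Name 'www' -RRType A -RecordData '172.16.0.120' -Force
Get-DnsServerResourceRecord -ZoneName $zone -Name 'www' -RRType A
```

If the three requests come back in the same order, check the LocalNetPriority value printed above before suspecting round robin itself: a test client on 172.16.0.0/24 is exactly the case where netmask ordering pins the first address.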

DNS round robin also applies to the lists of domain controllers returned for client authentication. When a user attempts to sign in to a domain, the domain controller locator in the Netlogon service, working on behalf of the Local Security Authority Subsystem Service (LSASS), sends a name resolution request for the service locator records to the preferred DNS server found in the TCP/IP properties of the client. The DNS server searches through the service locator records and returns all of the domain controllers' IP addresses found for that zone. This list uses DNS round robin in the same way as the www.contoso.com example shown above: it returns all of the IP addresses for the domain controllers in that domain, and each subsequent request for the same list is returned in a different order.

Considerations for Deploying the DNS Server Role

When you plan to deploy DNS, you must review several considerations. Some of the questions that you should ask include:

• How many DNS zones will you configure on the server and how many DNS records will each zone contain? Typically, zones map on a one-to-one basis with domains in your namespace. When you have a large number of records, it might make more sense to split the records into multiple zones.

• How many DNS clients will be communicating with the server on which you configure the DNS role? The larger the number of client resolvers, the greater is the load placed on the server. When you anticipate additional load, consider deploying additional DNS servers.

• Where will you place DNS servers? For example, will you place the servers centrally, or does it make more sense to locate DNS servers in branch offices? If there are few clients at a branch office, you could satisfy most DNS requests by using a central DNS server or by implementing a caching-only server. A branch office with a large number of users might benefit from a local DNS server with appropriate zone data.

How you answer the preceding questions will determine how many DNS servers you must deploy and where you should place them.

Active Directory Integration The Windows Server 2012 DNS role can store the DNS database in two different ways, as the following table shows.

Storage method Description

Text file The DNS server role stores the DNS entries in a text file, which you can edit with a text editor.

Active Directory The DNS server role stores the DNS entries in the Active Directory database, which replicates to other domain controllers, even those that do not run the DNS Server role. You cannot use a text editor to edit DNS data that Active Directory stores.

Active Directory-integrated DNS zones are easier to manage than traditional text-based zones, and they are more secure: zone data is protected by Active Directory permissions, and the zone can be set to accept only secure dynamic updates, so that only authenticated domain members can register or change records. The same Active Directory replication process transfers zone data, so no separate zone transfer mechanism is needed between domain controllers.


DNS Server Placement Typically, you will deploy the DNS role on all domain controllers. If you decide to implement some other strategy, consider the following questions, and keep the answers in mind:

• How will client computers resolve names if their usual DNS server becomes unavailable?

• What will the impact on network traffic be if client computers start to use an alternate DNS server, perhaps located remotely?

• How will you implement zone transfers? Active Directory integrated zones use Active Directory replication to transfer the zone to all other domain controllers. If you implement zones without Active Directory integration, you must plan the zone transfer mechanism yourself.

Planning a DNS Namespace When you begin planning your DNS namespace, you must consider both the internal and external namespaces. The internal namespace is the one that internal clients and servers use within your private network. The external namespace is the one by which your organization is referenced on the Internet. There is no requirement that you should implement the same DNS domain name internally that you have externally.

When you implement AD DS, you must use a DNS namespace for hosting AD DS records.

Note: Consider your options carefully before selecting a namespace design for AD DS. Although it is possible to change a namespace after implementing AD DS, it is a time-consuming and complex process that has many limitations.

To determine a DNS namespace for your AD DS environment, you can choose from the following scenarios:

• Make the internal namespace the same as the public namespace. In this scenario, the internal and public namespaces are the same, but will have different records. Although this provides simplicity, which makes it a suitable choice for smaller organizations, it can be difficult to manage for larger networks. This is known as split DNS, which is covered in a subsequent topic in this lesson.

• Make the internal namespace different from the public namespace. In this scenario, the internal and public namespaces are completely different, with no link between them. This provides for obvious separation in the namespace. In complex networks, with many Internet-facing applications, use of a different name introduces some clarity when configuring these applications. For example, edge servers that are placed on a perimeter network often require multiple network interface cards, such as one connected to the private network, and one servicing requests from the public network. If each network interface card has a different domain name, it often is easier to complete the configuration of that server.

• Make the internal namespace a subdomain of the public namespace. In this scenario, the internal namespace is linked to the public namespace, but there is no overlap between them. This provides a hybrid approach. The internal name is different, which allows for separation of the namespace. However, the internal name also is related to the public name, which provides simplicity. This approach is the simplest to implement and manage. However, if you cannot use a subdomain of the public namespace for AD DS, you should use unique namespaces.


Lesson 2 Configuring DNS Zones

DNS zones are an important concept in DNS infrastructure, because they enable you to logically separate and manage DNS domains. This lesson provides the foundation for understanding how zones relate to DNS domains, and provides information about the different types of DNS zones that are available in the Windows Server 2012 DNS role.

Lesson Objectives After completing this lesson, you will be able to:

• Describe DNS resource records.

• Explain what a DNS zone is.

• Explain the various DNS zone types available in Windows Server 2012.

• Explain the purpose of forward and reverse lookup zones.

• Explain the purpose of stub zones.

• Explain how to create DNS zones.

• Explain how you can use DNS zone delegation.

• Explain split DNS.

DNS Resource Records

The DNS zone file stores resource records. Each resource record has a type and carries the data needed to locate the resource, such as an IP address or another name. The most common resource record is the 'A' resource record. This is a simple record that resolves a host name to an IPv4 address. The host can be a workstation, server, or another network device, such as a router.

Resource records also help find resources for a particular domain. For instance, when a server running Microsoft Exchange Server needs to find the server that is responsible for delivering mail for another domain, it will request that domain’s mail exchange (MX record), which points to the ‘A’ record of the host that is running the Simple Mail Transfer Protocol (SMTP) mail service.

Resource records also can contain custom attributes. MX records, for instance, have a preference attribute, which is useful if an organization has multiple mail servers. This will inform the sending server which mail server the receiving organization prefers. Service (SRV) records also contain information regarding on which port the service is listening and the protocol that you should use to communicate with the service.


The following table describes the most common resource records.

DNS resource record Description

Start of Authority (SOA) The record identifies the primary name server for a DNS zone, as well as other specifics, such as the zone serial number, the default TTL, and the refresh and retry intervals that secondary servers use.

Host address (A) The main record that resolves a host name to an IPv4 address.

IPv6 host address (AAAA) The main record that resolves a host name to an IPv6 address.

Canonical name (CNAME) An alias record type that maps one name to another name. For example, www.microsoft.com could be a CNAME that points to the A record of another host; the client then resolves that target name.

Mail exchanger (MX) Use this record to specify the mail servers for a particular domain, each with a preference value; lower preference values are tried first.

Service locator (SRV) The record identifies a service that is available in the domain, together with the host, port, priority, and weight. Active Directory uses these records extensively.

Name server (NS) The record identifies a name server that is authoritative for a domain; NS records are also how a parent zone delegates a subdomain.

Pointer (PTR) Use this record to map an IP address back to a domain name. PTR records are stored in the reverse lookup zone.
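The following Windows PowerShell session is an added example, not part of the course, that creates one record of each type in the table above and then resolves each one the way a client would. It assumes an elevated session on a DNS server that hosts primary zones named contoso.com and 0.16.172.in-addr.arpa; every host name and address in it is made up for the example.

```powershell
# Added example, not from the course: one record of each common type, then a
# lookup of each. Assumes primary zones contoso.com and 0.16.172.in-addr.arpa
# on this server; all hosts and addresses are made up.

$zone = 'contoso.com'

# A and AAAA: host name to address. -CreatePtr also writes the PTR record into
# the matching reverse lookup zone.
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'mail1' -IPv4Address '172.16.0.25' -CreatePtr
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'mail1' -IPv6Address '2001:db8::25'
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'webfarm' -IPv4Address '172.16.0.11'

# CNAME: an alias that points at another name, never at an address.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "webfarm.$zone"

# MX: mail exchangers for the zone apex (Name '.'), lowest preference first.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail1.$zone" -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail2.$zone" -Preference 20

# SRV: service location with host, port, priority and weight. This is the shape
# AD DS registers for _ldap._tcp; here an LDAP server is advertised by hand.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp' -DomainName "lon-dc1.$zone" -Port 389 -Priority 0 -Weight 100

# PTR for a host whose A record was created without -CreatePtr.
Add-DnsServerResourceRecordPtr -ZoneName '0.16.172.in-addr.arpa' -Name '26' -PtrDomainName "mail2.$zone"

# Verify each record type against this server as a client would see it.
foreach ($q in @(
        @{ Name = "mail1.$zone";      Type = 'A'     },
        @{ Name = "mail1.$zone";      Type = 'AAAA'  },
        @{ Name = "www.$zone";        Type = 'CNAME' },
        @{ Name = $zone;              Type = 'MX'    },
        @{ Name = "_ldap._tcp.$zone"; Type = 'SRV'   },
        @{ Name = '172.16.0.26';      Type = 'PTR'   }
    )) {
    Resolve-DnsName -Name $q.Name -Type $q.Type -Server 127.0.0.1 -DnsOnly -NoHostsFile | Format-List
}
```

The CNAME lookup is worth a second look in the output: the reply contains both the alias and the A record of the target, because the server follows the alias inside the zone before answering.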

What Is a DNS Zone?

A DNS zone hosts all or a portion of a domain and its subdomains. The slide illustrates how subdomains can belong to the same zone as their parents or can be delegated to another zone. The microsoft.com domain is separated into two zones. The first zone hosts the www.microsoft.com and ftp.microsoft.com records. Example.microsoft.com is delegated to a new zone, which hosts the example.microsoft.com subdomain, and its records ftp.example.microsoft.com and www.example.microsoft.com.

Note: The zone that hosts a root of the domain (microsoft.com) must delegate the subdomain (example.microsoft.com) to the second zone. If this does not occur, example.microsoft.com will be treated as if it were part of the first zone.

Zone data can be replicated to more than one server. This adds redundancy to a zone because the information needed to find resources in the zone now exists on two or more servers. The required level of redundancy is one reason to create zones. If you have a zone that hosts critical server resource records, it is likely that this zone will have a higher level of redundancy than a zone in which noncritical devices are defined.

Characteristics of a DNS Zone Zone data is maintained on a DNS server and is stored in one of two ways:

• In a flat zone file that contains mapping lists.

• Integrated into Active Directory.

A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that the clients request in the zone file.

DNS Zone Types

The four DNS zone types are:

• Primary

• Secondary

• Stub

• Active Directory-integrated

Primary Zone When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and the DNS server stores the master copy of zone data in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file is, by default, named zone_name.dns, and it is located in the %windir%\System32\Dns folder on the server. When the zone is not stored in AD DS, the DNS server hosting the primary zone is the only DNS server that has a writable copy of the zone file.

Secondary Zone

When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, it cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from DNS zones that are not on servers running the Windows Server operating system, or if you are running DNS on servers that are not AD DS domain controllers.

Stub Zone

The Windows Server 2003 operating system introduced stub zones, which solve several problems with large DNS namespaces and multiple tree forests. A multiple tree forest is an Active Directory forest that contains more than one domain tree, each with its own root domain name. In the case of a two-tiered domain tree, we could delegate the DNS zone of the child domain from the DNS zone of the parent. A delegation record is created in the parent, and it will refer any name resolution requests for records in the child domain to the child domain's delegated DNS servers.

However, what happens when there are several layers of parent-child domains in a tree? Given this example, the child domain might have child domains of its own. It may also be beneficial for that child domain to delegate DNS to its child domains just as its parent did for it. In this case, however, the top parent domain is not aware of its child's children's domain names, and would refer all name resolution for them to its child. You can create a stub zone for each sub-child domain in the top parent's DNS zone. A stub zone contains only the start of authority (SOA) record, the name server (NS) records, and the glue host (A) records of the sub-child domain's name servers. This way the parent can refer name resolution directly to the sub-child domains' DNS servers. The DNS server hosting the stub zone periodically refreshes those records from the sub-child zone's master servers, so it learns of changes to the authoritative servers without administrator intervention.

Active Directory-Integrated Zone

If AD DS stores the zone, DNS can take advantage of the multimaster replication model to replicate the primary zone. This enables you to edit zone data on any DNS server. Windows Server 2008 introduced a concept called a read-only domain controller (RODC). Active Directory-integrated zone data can be replicated to domain controllers, even if the DNS role is not installed on the domain controller. If the server is an RODC, a local process cannot write to the data.

What Are Active Directory Integrated Zones?

A server hosting a file-based primary zone is a single point of failure. If it goes down, the secondary zone servers can still resolve names from their read-only copies, but no server can add records or accept changes to existing records until the primary returns.

You can make a DNS zone fault-tolerant by integrating it into AD DS, which makes it an Active Directory-integrated zone. A DNS server can store zone data in the AD DS database only if it is a domain controller. When the DNS server stores zone data in this way, the records in the zone are stored as AD DS objects and their properties as AD DS attributes. All domain controllers hosting the DNS zone in the AD DS database are considered primary zone servers for the zone, and can accept changes to the DNS zone and then replicate those changes out to all other domain controllers. Because it uses AD DS replication, each change is sent securely via authenticated and encrypted replication traffic. If a domain controller with an Active Directory-integrated DNS zone fails, as long as there are other domain controllers with the Active Directory-integrated zone, DNS functionality for that zone and the domain continues to operate correctly.

An Active Directory-integrated zone provides the following benefits:

• Multimaster updates. Active Directory-integrated zones can be written to by any writable domain controller to which the zone is replicated. This builds redundancy into the DNS infrastructure. In addition, multimaster updates are particularly important in geographically distributed organizations that use dynamic update zones, because clients can update their DNS records without having to connect to a potentially geographically distant primary server.

• Replication of DNS zone data by using AD DS replication. One of the characteristics of AD DS replication is attribute-level replication in which only changed attributes are replicated. An Active Directory–integrated zone can leverage these benefits of AD DS replication, rather than replicating the entire zone file as in traditional DNS zone transfer models.

• Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates, in which only the authenticated computer or user that created a record may update it. A standard (file-based) primary zone can either allow unsecured dynamic updates from any host or have dynamic updates turned off; it cannot accept dynamic updates securely.

• Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows you to delegate administration of zones, domains, and resource records by modifying the access control list (ACL) on the zone.

Note: In most situations, computers within an AD DS domain have a primary DNS suffix that matches the DNS domain name. Occasionally, you may require these names to differ, such as following a merger or during an acquisition. When domain names differ, this is called a disjoint namespace. A disjoint namespace scenario is one in which the primary DNS suffix of a computer does not match the DNS domain name in which that computer resides. The computer with the primary DNS suffix that does not match is disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the DNS domain name.

Forward and Reverse Lookup Zones

Zones can be either forward or reverse. A reverse zone is sometimes known as an inverse zone.

Forward Lookup Zone

The forward lookup zone resolves host names to IP addresses and hosts the common resource records: A, CNAME, SRV, MX, Start of Authority, TXT, and NS. A DNS server must host this zone to be considered authoritative for the names in it. Client computers send host names or fully qualified domain names (FQDNs) in the DNS server's domain to the DNS server. The DNS server uses the FQDN to look up a corresponding IP address or to find any resource record type that the client requests, such as a domain controller's SRV records. The DNS server returns the IP address or addresses to the client in the DNS response.

Reverse Lookup Zone

The reverse lookup zone resolves an IP address to a domain name, and hosts Start of Authority, NS, and pointer (PTR) resource records. A reverse zone functions in the same manner as a forward zone, but the IP address is the query and the host name is the returned information. Reverse zones are not always configured, but you should configure them to reduce warning and error messages. Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information. For example, if the forward lookup indicates that training.contoso.com resolves to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.

Having a reverse zone is important if you have applications that rely on looking up hosts by their IP addresses. Many applications will log this information in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the host by using the reverse zone information. Many email security gateways use reverse lookups to validate that the IP address that is sending messages is associated with a domain. Bear in mind that the reverse zone for an address range is controlled by whoever owns that range, so a PTR record by itself proves little; such gateways therefore also check that the name in the PTR record resolves back to the same IP address (a forward-confirmed reverse lookup).
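The forward-confirmed check just described, as an added example that is not part of this course: a Windows PowerShell function that takes an IP address, reads its PTR records, and then confirms that one of the names returned resolves back to the same address. It uses the Resolve-DnsName cmdlet (DnsClient module, Windows 8 and Windows Server 2012 or later). The sample records at the end are constructed so that the logic can be exercised without a live DNS server; the host names and addresses in them are illustrative.

```powershell
# Forward-confirmed reverse DNS (FCrDNS) check. Added example, not course code.
# Resolver contract: & $Resolver <name-or-ip> <record type> returns objects with
# .Type and, for PTR, .NameHost or, for A, .IPAddress (the Resolve-DnsName shape).
function Test-ForwardConfirmedReverseDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [scriptblock] $Resolver = {
            param($Name, $Type)
            Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop
        }
    )

    $result = [pscustomobject]@{
        IPAddress     = $IPAddress
        PtrNames      = @()
        ConfirmedName = $null
        Confirmed     = $false
    }

    # Step 1: reverse lookup. No PTR at all means the address cannot be confirmed.
    try { $ptr = @(& $Resolver $IPAddress 'PTR') } catch { return $result }
    $names = @($ptr | Where-Object { $_.Type -eq 'PTR' } |
                     ForEach-Object { $_.NameHost.TrimEnd('.') })
    $result.PtrNames = $names

    # Step 2: forward lookup of every PTR target. The address is confirmed only
    # if at least one of those names lists this IP among its A records. The owner
    # of the reverse zone can write any name into a PTR record, but only the
    # owner of the forward zone can make that name point back here.
    foreach ($name in $names) {
        try { $fwd = @(& $Resolver $name 'A') } catch { continue }
        $addresses = @($fwd | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($addresses -contains $IPAddress) {
            $result.ConfirmedName = $name
            $result.Confirmed     = $true
            break
        }
    }
    return $result
}

# Constructed sample records standing in for a live resolver (illustrative names
# and addresses): .45 is consistent in both directions; .46 carries a PTR whose
# name points somewhere else (stale or spoofed); .47 has no PTR at all.
$sampleRecords = @{
    '192.168.2.45|PTR'       = @([pscustomobject]@{ Type = 'PTR'; NameHost = 'training.contoso.com.' })
    'training.contoso.com|A' = @([pscustomobject]@{ Type = 'A';   IPAddress = '192.168.2.45' })
    '192.168.2.46|PTR'       = @([pscustomobject]@{ Type = 'PTR'; NameHost = 'mail.contoso.com.' })
    'mail.contoso.com|A'     = @([pscustomobject]@{ Type = 'A';   IPAddress = '192.168.2.50' })
}
$sampleResolver = {
    param($Name, $Type)
    $key = "$Name|$Type"
    if (-not $sampleRecords.ContainsKey($key)) { throw "Name does not exist: $key" }
    $sampleRecords[$key]
}.GetNewClosure()

'192.168.2.45', '192.168.2.46', '192.168.2.47' |
    ForEach-Object { Test-ForwardConfirmedReverseDns -IPAddress $_ -Resolver $sampleResolver } |
    Format-Table IPAddress, @{n='PtrNames'; e={ $_.PtrNames -join ',' }}, ConfirmedName, Confirmed -AutoSize

# Against live DNS, omit -Resolver:  Test-ForwardConfirmedReverseDns -IPAddress 192.168.2.45
```

Only the first address comes back confirmed. The second shows why a PTR alone is not evidence: the reverse zone owner wrote mail.contoso.com into it, but the forward zone for contoso.com points that name elsewhere, so a gateway applying this check would treat 192.168.2.46 as unverified.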

Overview of Stub Zones

A stub zone is a replicated copy of a zone that contains only those resource records necessary to identify that zone’s authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of the following:

• The delegated zone's Start of Authority resource record, its NS resource records, and the glue A resource records for the name servers those NS records name.

• The IP address of one or more master servers that you can use to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone, usually the DNS server that is hosting the primary zone for the delegated domain name.

Stub Zone Resolution

When a DNS resolver performs a recursive query operation on a DNS server that is hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers that the stub zone's NS resource records specify, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server that is hosting the stub zone attempts standard recursion by using root hints.

The DNS server caches the resource records it receives from the authoritative DNS servers that the stub zone lists, but it does not store those records in the stub zone itself. Only the Start of Authority, NS, and glue A resource records returned in response to the query are stored in the stub zone. The records in the cache expire according to the TTL value of each resource record. The Start of Authority, NS, and glue A resource records in the stub zone are not written to the cache; they expire according to the expire interval that the stub zone's Start of Authority record specifies. The Start of Authority record is created when the stub zone is created, and it is updated during transfers to the stub zone from the original primary zone. If the query was an iterative query, the DNS server returns a referral containing the servers that the stub zone specifies.

Communication between DNS Servers That Host Parent and Child Zones

A DNS server that delegates a domain to a child zone on a different DNS server is made aware of new authoritative DNS servers for the child zone only when resource records for them are added to the parent zone that the DNS server hosts. This is a manual process that requires administrators for the different DNS servers to communicate often. Stub zones enable a DNS server that is hosting a stub zone for one of its delegated domains to obtain updates of the authoritative DNS servers for the child zone when the stub zone is updated. The update is performed from the DNS server that is hosting the stub zone, and the administrator for the DNS server that is hosting the child zone does not need to be contacted.

Contrasting Stub Zones and Conditional Forwarders

There might be some confusion about when to use conditional forwarders rather than stub zones. This is because both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding to, a different DNS server. However, these settings have different purposes:

• A conditional forwarder setting configures the DNS server to forward a query that it receives to a DNS server, depending on the DNS name that the query contains.

• A stub zone keeps the DNS server that is hosting a parent zone aware of all the DNS servers that are authoritative for a child zone.

When to Use Conditional Forwarders

If you want DNS clients on separate networks to resolve the names of each other without having to query Internet DNS servers, such as when a company merger occurs, you should configure each network's DNS servers to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server, which builds a large information cache about the other network. This allows you to create a direct point of contact between two networks' DNS servers, which reduces the need for recursion.

Stub zones do not provide the same server-to-server benefit, however. This is because a DNS server that is hosting a stub zone in one network replies to queries for names in the other network with a list of all authoritative DNS servers for the zone with that name, rather than the specific DNS servers that you designated to handle this traffic. This configuration complicates any security settings that you want to establish between specific DNS servers that are running in each of the networks.

When to Use Stub Zones

Use stub zones when you want a DNS server to remain aware of the authoritative DNS servers for a foreign zone. A conditional forwarder is not an efficient way to keep a DNS server that is hosting a parent zone aware of the authoritative DNS servers for a child zone. This is because whenever the authoritative DNS servers for the child zone change, you have to configure the conditional forwarder setting manually on the DNS server that hosts the parent zone. Specifically, you must update the IP address for each new authoritative DNS server for the child zone.
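The two mechanisms side by side, as an added example that is not part of this course. Assumptions: the commands run on a Windows Server 2012 DNS server that is also a domain controller (so -ReplicationScope Forest is available); sales.contoso.com is a delegated child zone whose primary server is at 172.16.0.30; fabrikam.com is a merged partner's namespace whose designated DNS servers are 10.20.0.5 and 10.20.0.6. All of these names and addresses are illustrative.

```powershell
# Stub zone versus conditional forwarder. Added example, not course code.
# Names and addresses below are illustrative lab values.

# Stub zone: this server keeps only the SOA, NS and glue records of the child
# zone and refreshes them from the master, so it discovers new child name
# servers by itself and refers queries to whichever of them the child publishes.
Add-DnsServerStubZone -Name 'sales.contoso.com' -MasterServers 172.16.0.30 -ReplicationScope Forest

# Conditional forwarder: queries for fabrikam.com always go to exactly these
# two servers, regardless of what fabrikam.com's own NS records say. That is
# the property you want when a firewall rule must pin DNS traffic between two
# known hosts.
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' -MasterServers 10.20.0.5, 10.20.0.6 -ReplicationScope Forest

# Compare how the server now treats the two namespaces: ZoneType is Stub for
# one and Forwarder for the other; both expose the master list.
Get-DnsServerZone |
    Where-Object { $_.ZoneName -in 'sales.contoso.com', 'fabrikam.com' } |
    Select-Object ZoneName, ZoneType, @{n='MasterServers'; e={ $_.MasterServers -join ', ' }}

# The stub zone's NS list is what this server now trusts for referrals into
# sales.contoso.com. Review it after creation and whenever it changes: an
# unexpected entry means the child's administrators (or whoever controls the
# master at 172.16.0.30) changed who is authoritative for the child.
Get-DnsServerResourceRecord -ZoneName 'sales.contoso.com' -RRType Ns |
    Select-Object HostName, @{n='NameServer'; e={ $_.RecordData.NameServer }}

# A forwarder zone has no resource records to list; its whole behaviour lives
# in MasterServers, which only an administrator of this server can change.
```

The last two commands make the trade-off concrete: the stub zone's referral targets are whatever the child publishes, which is convenient but means the child controls where the parent sends traffic; the conditional forwarder's targets are fixed locally, which is what you want when specific servers must be the only point of contact between the two networks.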

Demonstration: Creating Zones

This demonstration shows how to:

• Create a reverse lookup zone.

• Create a forward lookup zone.

Demonstration Steps

Create a reverse lookup zone

1. Switch to LON-DC1, and then create a new reverse lookup zone for the 172.16.0.0 IPv4 subnet.

2. Enable dynamic updates on the zone.

3. Re-register LON-DC1 using the ipconfig /registerdns command.

Create a forward lookup zone

1. Switch to LON-SVR1, and then open the DNS console.

2. Create a new forward lookup zone.

3. Configure the type as secondary, and then define LON-DC1 as the Master server for this zone.

Create a forward lookup zone with Windows PowerShell

1. In Windows PowerShell, run the cmdlet Add-DnsServerPrimaryZone -Name woodgrovebank.com -DynamicUpdate Secure -ReplicationScope Domain.

2. Go to the DNS Console and verify the woodgrovebank.com forward lookup zone appears with the appropriate settings.
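The whole demonstration as one script, added here as an example that is not part of the course material. Lab assumptions: it runs on LON-DC1 (172.16.0.10), a domain controller with the DNS role; LON-SVR1 (172.16.0.21) is a member server with the DNS role and remote management over WinRM enabled, so the -ComputerName parameter can target it. The addresses are the ones this module uses for those two servers.

```powershell
# The "Creating Zones" demonstration as a script. Added example, not course
# code. Lab assumptions: LON-DC1 (172.16.0.10) is a domain controller running
# DNS and this script runs there; LON-SVR1 (172.16.0.21) is a member server
# with the DNS role that accepts remote management.
$dc     = 'LON-DC1'
$member = 'LON-SVR1'

# 1. Reverse lookup zone for 172.16.0.0/16, stored in AD DS, secure dynamic
#    updates only. -NetworkId derives the zone name 16.172.in-addr.arpa.
if (-not (Get-DnsServerZone -Name '16.172.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Re-register this host (the PowerShell form of ipconfig /registerdns), then
#    confirm its PTR record landed in the new zone. Registration is asynchronous,
#    so allow a few seconds before checking.
Register-DnsClient
Start-Sleep -Seconds 5
Get-DnsServerResourceRecord -ZoneName '16.172.in-addr.arpa' -RRType Ptr |
    Select-Object HostName, @{n='Target'; e={ $_.RecordData.PtrDomainName }}, Timestamp

# 3. Forward lookup zone woodgrovebank.com in AD DS (the cmdlet from the demonstration).
Add-DnsServerPrimaryZone -Name 'woodgrovebank.com' -DynamicUpdate Secure -ReplicationScope Domain

# 4. Secondary copy of adatum.com on LON-SVR1. LON-SVR1 is not a domain
#    controller, so AD DS storage is unavailable there; the zone is a read-only
#    file refreshed from LON-DC1. The first transfer succeeds only if LON-DC1
#    permits zone transfers to 172.16.0.21, which Lesson 3 configures.
Add-DnsServerSecondaryZone -Name 'adatum.com' -ZoneFile 'adatum.com.dns' `
    -MasterServers 172.16.0.10 -ComputerName $member

# 5. Verify on both servers: zone type, storage, and dynamic update policy.
#    The secondary on LON-SVR1 reports ZoneType Secondary and IsDsIntegrated False.
foreach ($server in $dc, $member) {
    Get-DnsServerZone -ComputerName $server |
        Where-Object { $_.ZoneName -in 'adatum.com', 'woodgrovebank.com', '16.172.in-addr.arpa' } |
        Select-Object @{n='Server'; e={ $server }}, ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
}
```

The Get-DnsServerZone check in step 1 keeps the script safe to re-run; Add-DnsServerPrimaryZone fails if the zone already exists. The DynamicUpdate column in step 5 is the one to watch: a value of NonsecureAndSecure on an AD-integrated zone means any host on the network can overwrite other hosts' records.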

DNS Zone Delegation

DNS is a hierarchical system, and zone delegation connects the DNS layers together. A zone delegation points to the next hierarchical level down, and identifies the name servers that are responsible for the lower-level domain.

When deciding whether to divide the DNS namespace to make additional zones, consider the following scenarios in which you might use additional zones:

• You need to delegate management of a part of the DNS namespace to another organizational location or department.

• You need to divide one large zone into smaller zones so you can distribute traffic loads among multiple servers. This improves DNS name-resolution performance, and it creates a more fault-tolerant DNS environment.

• You need to extend the namespace by adding numerous subdomains immediately to accommodate the opening of a new branch or site.

Zone delegation works much the same way that a top-level domain works with a second-level domain. The .com DNS servers refer all requests for Microsoft.com zone name resolution to the DNS servers at Microsoft. In this way, the Microsoft DNS zone is delegated from the .com zone. In a scenario where Microsoft has a very vigorous sales department with numerous computers and other devices with IP addresses, it would make sense to create a zone named Sales.Microsoft.com to handle the extensive DNS workload for the Sales department.

To create a delegation, the administrator right-clicks the Microsoft.com forward lookup zone and selects the New Delegation item, which starts the New Delegation Wizard. The wizard walks the administrator through the steps to delegate authority for a subdomain to a different zone, either on the current DNS server or on another DNS server.
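The same delegation done with Windows PowerShell, added as an example that is not part of the course. It also applies the note from earlier in this lesson: a child zone that is not delegated is treated by the parent as part of its own zone, and any records for the child's names left in the parent go on answering from there. Assumptions: contoso.com is a primary zone on the local server, and the child zone will live on a separate DNS server, ns1.sales.contoso.com at 172.16.0.30, that accepts remote management; the name and address are illustrative.

```powershell
# Delegating sales.contoso.com out of contoso.com. Added example, not course
# code. ns1.sales.contoso.com / 172.16.0.30 are illustrative lab values.
$parent  = 'contoso.com'
$child   = 'sales'
$childNS = 'ns1.sales.contoso.com'
$childIP = '172.16.0.30'

# 1. Create the child zone on its own server. The server is addressed by IP
#    because its name is inside the zone that is about to be delegated.
Add-DnsServerPrimaryZone -Name "$child.$parent" -ZoneFile "$child.$parent.dns" -ComputerName $childIP

# 2. Look for names under sales that still live in the parent zone. Without a
#    delegation the parent answers for them itself; once the delegation exists
#    they are unreachable through the parent and must be moved into the child
#    zone or removed.
$leftovers = Get-DnsServerResourceRecord -ZoneName $parent |
    Where-Object { $_.HostName -eq $child -or $_.HostName -like "*.$child" }
if ($leftovers) {
    Write-Warning "Records under $child.$parent still exist in the parent zone:"
    $leftovers | Format-Table HostName, RecordType -AutoSize
}

# 3. Create the delegation: an NS record for sales in contoso.com plus the glue
#    A record for ns1.sales.contoso.com, so resolvers can reach the child server
#    even though its own name sits inside the delegated namespace.
Add-DnsServerZoneDelegation -Name $parent -ChildZoneName $child -NameServer $childNS -IPAddress $childIP

# 4. Verify from the parent's zone data: the delegation object, then the raw
#    NS record that clients of the parent will receive as a referral.
Get-DnsServerZoneDelegation -Name $parent -ChildZoneName $child |
    Format-List ChildZoneName, NameServer, IPAddress
Get-DnsServerResourceRecord -ZoneName $parent -Name $child -RRType Ns |
    Select-Object HostName, @{n='NameServer'; e={ $_.RecordData.NameServer }}
```

Step 2 is the check the wizard does not do for you. Records that remain in the parent under a delegated name are invisible to clients of the parent, which is a common cause of names that resolve on one server and not another after a delegation is added.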

What Is Split DNS?

Using the same namespace internally and externally simplifies resource access from the perspective of users, but it also increases management complexity. You should not make internal DNS records available externally, but some synchronization of records for external resources is typically required. For example, both your internal and external namespaces might use the name Contoso.com.

Using unique namespaces for the internal and public namespaces provides a clear delineation between internal and external DNS, and eliminates the need to synchronize records between the namespaces. However, in some cases, having multiple namespaces may lead to user confusion. For example, you may choose the external namespace of Contoso.com and the internal namespace of Contoso.local. Note that when you implement a unique namespace configuration, you are no longer tied to using registered domain names. Even so, a name that you register and control remains the safer choice: an unregistered suffix such as .local collides with multicast DNS, and public certification authorities will not issue certificates for names that are not registered.

Using a subdomain of the public namespace for AD DS avoids the need to synchronize records between the internal and external DNS servers. Because the namespaces are linked, users typically find this structure easy to understand. For example, if your public namespace is Contoso.com, you might choose to implement your internal namespace as the subdomain AD, or AD.Contoso.com.

Considering Split DNS

As we have seen, having a matching internal and external DNS namespace can pose certain problems. However, split DNS can provide a solution to these problems. Split DNS is a configuration in which two separately maintained zones exist for the same domain name: internal hosts query DNS servers that hold one zone, while external hosts query DNS servers that hold the other. For example, in a nonsplit DNS configuration for the domain Contoso.com, you might have a DNS zone that looks like the example in the following table.

Host         Record type   IP address
www          A             131.107.1.200
Relay        A             131.107.1.201
Webserver1   A             192.168.1.200
Exchange1    A             192.168.0.201

When a client computer on the Internet wants to access the SMTP relay by using the published name of relay.contoso.com, it queries the DNS server that returns the result 131.107.1.201. The client then establishes a connection over SMTP to that IP address.

However, the client computers on the corporate intranet also use the published name of relay.contoso.com. The DNS server returns the same result: a public IP address of 131.107.1.201. The client now attempts to establish a connection to the returned IP address by using the external interface of the publishing computer. Depending upon the client configuration, this may or may not be successful. By configuring two zones for the same domain name, one on each of the two DNS servers, you can avoid this problem.

The internal zone for contoso.com would resemble the information in the following table.

Host         Record type   Data
www          CNAME         Webserver1.contoso.com
Relay        CNAME         Exchange1.contoso.com
Webserver1   A             192.168.1.200
Exchange1    A             192.168.0.201

The external zone for contoso.com would resemble the information in the following table.

Host                      Record type   Data
www                       A             131.107.1.200
Relay                     A             131.107.1.201
(same as parent folder)   MX            Relay.contoso.com

Now, client computers in the internal and external networks can resolve the name relay.contoso.com to the appropriate internal or external IP address.

In organizations that use Active Directory-integrated DNS zones, Internet users and server functions outside the firewall must not use the internal Active Directory-integrated DNS servers to resolve any names. These requests must be confined to the external, non-Active Directory-integrated DNS server residing on the perimeter network. This server hosts a primary zone and therefore considers itself authoritative for the same domain name that is being used internally, so it never sends iterative queries beyond its own zone for that name. If a name is not found in this primary zone, the authoritative external DNS server answers that the name does not exist. The internal Active Directory-integrated DNS servers forward queries for Internet domain names to the external DNS server in the perimeter network. You can create a rule on the inside firewall that allows DNS traffic on UDP and TCP port 53 only between the internal and external DNS servers, and blocks all other port 53 traffic. Include TCP as well as UDP: zone transfers and responses too large for a single UDP datagram fall back to TCP, so a rule that passes only UDP 53 both leaves TCP 53 uncontrolled and breaks those lookups.
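A check for the rule stated at the start of this topic, that internal DNS records must not be made available externally, added here as an example that is not part of the course. The function scans a set of resource records for A records that point at private (RFC 1918) addresses, which is exactly what the nonsplit contoso.com table above would leak to the Internet. The three record sets are constructed from the tables in this topic so the check runs without a DNS server; against a live perimeter server you feed it the output of Get-DnsServerResourceRecord instead. The perimeter server address 131.107.1.10 is an assumption.

```powershell
# Private-address leak check for an externally published zone. Added example,
# not course code. Record sets are constructed from the tables in this topic.

function Test-PrivateIPv4 {
    # True for 10/8, 172.16/12 and 192.168/16 (RFC 1918).
    param([Parameter(Mandatory)] [string] $IPAddress)
    $o = $IPAddress.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Find-PrivateAddressLeak {
    # Accepts objects shaped like Get-DnsServerResourceRecord output:
    # HostName, RecordType and RecordData.IPv4Address for A records.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        if ($Record.RecordType -eq 'A' -and (Test-PrivateIPv4 $Record.RecordData.IPv4Address)) {
            [pscustomobject]@{ HostName = $Record.HostName; IPv4Address = $Record.RecordData.IPv4Address }
        }
    }
}

# Helpers that build records in that same shape (constructed data only).
function New-ARecord { param($Name, $IP)
    [pscustomobject]@{ HostName = $Name; RecordType = 'A';     RecordData = [pscustomobject]@{ IPv4Address = $IP } } }
function New-CnameRecord { param($Name, $Target)
    [pscustomobject]@{ HostName = $Name; RecordType = 'CNAME'; RecordData = [pscustomobject]@{ HostNameAlias = $Target } } }

# Constructed zone contents, copied from the three tables in this topic.
$nonSplitZone = @(
    (New-ARecord 'www' '131.107.1.200'),        (New-ARecord 'Relay' '131.107.1.201'),
    (New-ARecord 'Webserver1' '192.168.1.200'), (New-ARecord 'Exchange1' '192.168.0.201'))
$externalZone = @(
    (New-ARecord 'www' '131.107.1.200'),        (New-ARecord 'Relay' '131.107.1.201'))
$internalZone = @(
    (New-CnameRecord 'www' 'Webserver1.contoso.com'), (New-CnameRecord 'Relay' 'Exchange1.contoso.com'),
    (New-ARecord 'Webserver1' '192.168.1.200'),       (New-ARecord 'Exchange1' '192.168.0.201'))

'Nonsplit zone, if published externally, leaks:'
$nonSplitZone | Find-PrivateAddressLeak      # Webserver1 and Exchange1
'External half of the split zone leaks:'
$externalZone | Find-PrivateAddressLeak      # nothing
'Internal half (never published outside) holds:'
$internalZone | Find-PrivateAddressLeak      # Webserver1 and Exchange1, by design

# Against the real perimeter server (Windows DNS, remote management assumed),
# the same check reads the live zone. Any output here is a finding.
# Get-DnsServerResourceRecord -ZoneName 'contoso.com' -ComputerName 'perimeter-dns' | Find-PrivateAddressLeak

# On each internal DNS server: resolve Internet names only through the
# perimeter server and never via root hints, so nothing inside talks to
# arbitrary Internet DNS servers directly.
Set-DnsServerForwarder -IPAddress 131.107.1.10 -UseRootHint $false
```

The function deliberately ignores CNAME records: an alias in the external zone that points at an internal host name leaks nothing by itself as long as that target name is absent from the external zone, which the internal-only table above relies on.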

Lesson 3 Configuring DNS Zone Transfers

DNS zone transfers determine how the DNS infrastructure moves DNS zone information from one server to another. Without zone transfers, the various name servers in your organization maintain disparate copies of the zone data. You also should consider that the zone contains sensitive data, and securing zone transfers is important. This lesson covers the different methods that the DNS server role uses when transferring zones.

Lesson Objectives After completing this lesson, you will be able to:

• Describe how DNS zone transfers work.

• Explain how to configure zone transfer security.

• Configure DNS zone transfers.

What Is a DNS Zone Transfer?

A zone transfer occurs when you replicate the DNS zone that is on one server to another DNS server.

Zone transfers synchronize primary and secondary DNS server zones. This is how DNS builds its resilience on the Internet. DNS zones must remain updated on primary and secondary servers. Discrepancies in primary and secondary zones can cause service outages and host names that are resolved incorrectly.

Zone transfers can happen in one of three ways:

• Full zone transfer. A full zone transfer occurs when you copy the entire zone from one DNS server to another. A full zone transfer is also called an all-zone transfer (AXFR).

• Incremental zone transfer. An incremental zone transfer occurs when there is an update to the DNS server and only the resource records that were changed are replicated to the other server. This is an incremental zone transfer (IXFR).

• Fast transfer. Windows DNS servers also perform fast transfers, which is a type of zone transfer that uses compression and sends multiple resource records in each transmission.

Not all DNS server implementations support incremental and fast zone transfers. When integrating a Windows Server 2012 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure that the features you need are supported by the BIND version that is installed. BIND servers are common on UNIX-based networks. You may encounter BIND servers when setting zone transfers with your ISP.

The following table lists the features that various DNS servers support.

DNS server                                 Full zone   Incremental zone (IXFR)   Fast transfer
BIND older than 4.9.4                      Supported   Not supported             Not supported
BIND 4.9.4 - 8.1                           Supported   Not supported             Supported
BIND 8.2                                   Supported   Supported                 Supported
Microsoft Windows 2000 Server SP3          Supported   Supported                 Supported
Windows Server 2003 (R2)                   Supported   Supported                 Supported
Windows Server 2008 and R2                 Supported   Supported                 Supported
Windows Server 2012                        Supported   Supported                 Supported

Active Directory-integrated zones replicate by using multimaster AD DS replication instead of the zone transfer process. This means that any standard domain controller that also holds the DNS role can update the DNS zone information, which then replicates to all DNS servers that host the DNS zone.

DNS Notify

A master server uses DNS notify to alert its configured secondary servers that zone updates are available. The secondary servers then query their master for the zone's Start of Authority record and, if its serial number is higher than their own copy's, request a transfer. DNS notify is an extension to the original DNS protocol specification that permits notification of secondary servers when zone changes occur. This is useful in a time-sensitive environment, where data accuracy is important.

Configuring Zone Transfer Security

Zone data reveals your organization's host names and addresses, so you should take precautions to ensure that it cannot be read by attackers (an unrestricted zone transfer lets anyone enumerate every record in the zone with a single request) and that it cannot be overwritten with bad data, an attack known as DNS poisoning. One way to protect the DNS infrastructure is to secure the zone transfers.

To specify which DNS servers may request a copy of a zone, right-click the zone name, select Properties, and then use the Zone Transfers tab of the Zone Properties dialog box. The same tab lets you disallow zone transfers entirely. By default, zone transfers are turned off.

Although the option that specifies the servers that might request zone data provides security by limiting the data recipients, it does not secure that data during transmissions. If the zone information is highly confidential, we recommend that you use an Internet Protocol security (IPsec) policy to secure the transmission or replicate the zone data over a virtual private network (VPN) tunnel. This prevents packet sniffing to determine information in the data transmission.

Using Active Directory-integrated zones replicates the zone data as part of normal AD DS replication. The transfer of zone data between domain controllers is then secured as part of AD DS replication. Note, however, that an Active Directory-integrated zone can still be configured to serve conventional zone transfers to secondary servers, so review the Zone Transfers tab for these zones as well.

Demonstration: Configuring DNS Zone Transfers

This demonstration shows you how to:

• Enable DNS zone transfers.

• Update the secondary zone from the master server.

• Update the primary zone, and then verify the change on the secondary zone.

Demonstration Steps

Enable DNS zone transfers

1. On LON-DC1, enable zone transfers by configuring the Allow zone transfers option.

2. Configure zone transfers to Only to servers listed on the Name Servers tab.

3. Enable Notify to Only to servers listed on the Name Servers tab.

4. Add LON-SVR1.adatum.com as a listed name server to receive transfers.

5. Windows PowerShell equivalent:

Set-DnsServerPrimaryZone -Name "adatum.com" -Notify Notify -SecondaryServers "172.16.0.21" -SecureSecondaries TransferToSecureServers

Update the secondary zone from the master server

1. Switch to LON-SVR1 and, in the DNS Manager, select Transfer from Master. It is sometimes necessary to perform this step a number of times before the zone transfers. Also, note that the transfer might occur automatically at any time.

2. Windows PowerShell equivalent:

Start-DnsServerZoneTransfer -Name "adatum.com" -FullTransfer

Note: The cmdlet Add-DnsServerSecondaryZone -Name "adatum.com" -ZoneFile "adatum.com.dns" -MasterServers 172.16.0.10 creates the secondary zone on LON-SVR1 (the third step of the earlier Creating Zones demonstration). It does not by itself trigger a transfer.

Update the primary zone, and then verify the change on the secondary zone

1. Switch back to LON-DC1, and then create a new alias record.

2. Switch back to LON-SVR1, and then verify that the new record is present in the secondary zone. This may require a manual Transfer from Master and a screen refresh before the record displays.
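The demonstration's configuration, preceded by the audit a practitioner would run first and followed by a check that the restriction actually holds. This is an added example and not part of the course. Lab assumptions: LON-DC1 (172.16.0.10) hosts the primary adatum.com zone, LON-SVR1 (172.16.0.21) is its only legitimate secondary, and both accept remote management; the zone list is read live from LON-DC1.

```powershell
# Zone transfer audit and hardening. Added example, not course code.
# Lab assumptions: LON-DC1 (172.16.0.10) is primary for adatum.com,
# LON-SVR1 (172.16.0.21) is its only legitimate secondary.

function Get-ZoneTransferPolicy {
    # One object per primary zone, with the transfer policy rated. The
    # dangerous value is TransferAnyServer: any host on the network can then
    # dump the whole zone with a single AXFR request.
    param([string] $ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $rating = switch ($_.SecureSecondaries) {
                'TransferAnyServer'        { 'HIGH: any host can request AXFR' }
                'TransferToZoneNameServer' { 'MEDIUM: any host named in the NS records' }
                'TransferToSecureServers'  { 'OK: explicit list' }
                'NoTransfer'               { 'OK: transfers disabled' }
                default                    { "Unknown: $_" }
            }
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ', ')
                Notify            = $_.Notify
                Rating            = $rating
            }
        }
}

# 1. Audit: every zone on LON-DC1 whose transfer policy is wider than an explicit list.
Get-ZoneTransferPolicy -ComputerName 'LON-DC1' | Format-Table -AutoSize

# 2. Remediate adatum.com: transfers and NOTIFY messages only to LON-SVR1, by
#    address. Listing the secondary by address rather than by NS record means
#    a rogue NS record added to the zone does not also grant transfer rights.
Set-DnsServerPrimaryZone -Name 'adatum.com' -ComputerName 'LON-DC1' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 172.16.0.21 `
    -Notify NotifyServers -NotifyServers 172.16.0.21

# 3. Pull the zone to the secondary now rather than waiting for the refresh
#    interval, then confirm both copies carry the same SOA serial number.
Start-DnsServerZoneTransfer -Name 'adatum.com' -FullTransfer -ComputerName 'LON-SVR1'
foreach ($server in 'LON-DC1', 'LON-SVR1') {
    $soa = Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType Soa -ComputerName $server
    [pscustomobject]@{ Server = $server; Serial = $soa.RecordData.SerialNumber }
}

# 4. Negative test, run from any machine that is not 172.16.0.21. nslookup's
#    interactive "ls -d" command sends an AXFR request, which LON-DC1 must now
#    refuse with "Query refused":
#        nslookup - 172.16.0.10
#        > ls -d adatum.com
```

Two things in step 2 matter beyond the demonstration: NotifyServers with an explicit list keeps NOTIFY messages from going to every host named in the NS records, and the address-based secondary list decouples transfer rights from the zone's own NS records, which anyone with write access to the zone could otherwise extend.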

Lesson 4 Managing and Troubleshooting DNS

DNS is a crucial service in the Active Directory infrastructure. When the DNS service experiences problems, it is important to know how to troubleshoot them and identify the common issues that can occur in a DNS infrastructure. This lesson covers the common problems that occur in DNS, the common areas from which you can gather DNS information, and the tools that you can use to troubleshoot problems.

Lesson Objectives After completing this lesson, you will be able to:

• Explain how TTL, aging, and scavenging help you manage DNS records.

• Explain how to manage TTL, aging, and scavenging for DNS records.

• Explain how to identify problems with DNS by using DNS tools.

• Describe how to troubleshoot DNS by using DNS tools.

• Explain how to monitor DNS by using the DNS Event Log and debug logging.

TTL, Aging, and Scavenging

TTL, aging, and scavenging help manage DNS resource records in the zone files. Zone files can change over time, so there needs to be a way to manage DNS records that are updated or that are not valid because the hosts they represent are no longer on the network.

The following table describes the mechanisms that help to maintain a DNS database.

Tool         Description
TTL          Indicates how long a DNS client or caching resolver may keep a record in its cache before it must discard it and query again. The TTL does not decide when a record is scavenged; that is governed by the zone's no-refresh and refresh intervals.
Aging        The time stamping of dynamically registered records and the tracking of how long it has been since each record was last refreshed by its owner. A record whose time stamp is older than the no-refresh interval plus the refresh interval is considered stale. During normal operations, hosts refresh their own records and few become stale.
Scavenging   Removes stale records from the zone database, either on the server's scavenging schedule or when an administrator starts it manually. If stale records have accumulated, scavenging forces a database cleanup.

If left unmanaged, the presence of stale resource records in zone data might cause problems. For example:

• If a large number of stale resource records remain in server zones, they eventually can use up server disk space and cause unnecessarily long zone transfers.

• A DNS server that loads zones with stale resource records might use outdated information to answer client queries, which could cause the client computers to experience name resolution or connectivity problems on the network.

• The accumulation of stale resource records on the DNS server might degrade its performance and responsiveness.

• In some cases, the presence of a stale resource record in a zone could prevent another computer or host device from using a DNS domain name.

The DNS server service can resolve these problems by doing the following:

• Time stamping, based on the current date and time that is set at the server computer, for any resource records that are added dynamically to primary-type zones. Additionally, time stamps are recorded in standard primary zones where you enable aging and scavenging.

• For resource records that you add manually, you use a time-stamp value of zero to indicate that the aging process does not affect these records and that they can remain without limitation in zone data unless you otherwise change their time stamp or delete them.

• Aging of resource records in local data, based on a specified refresh time period, for any eligible zones.

• Only primary type zones that the DNS server service loads are eligible to participate in this process.

• Scavenging for any resource records that persist beyond the specified refresh period.

When a DNS server performs a scavenging operation, it can determine that resource records have aged to the point of becoming stale, and then it can remove them from zone data. You can configure servers to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server.

Note: By default, the aging and scavenging mechanism for the DNS server service is disabled. You should enable it only when you understand all parameters fully. Otherwise, you could configure the server to delete records accidentally that you should not delete. If a record is deleted accidentally, not only will users fail to resolve queries for that record, but also any user can create the record and take ownership of it, even on zones that you configure for secure dynamic update. This is a significant security risk.

To decide when to scavenge a record, the server compares the record's time stamp with the aging and scavenging properties that you configure for the server and the zone (the no-refresh and refresh intervals).

Prerequisites for Aging and Scavenging

Before you can use the aging and scavenging features of DNS, you must ensure the following prerequisites are satisfied:

• You must enable scavenging and aging at the DNS server and on the zone. Aging and scavenging of resource records is disabled by default.

• You must either add resource records to zones dynamically or manually modify them for use in aging and scavenging operations.


Typically, only those resource records that you add dynamically by using the DNS dynamic update protocol are subject to aging and scavenging. For records that you add to zones by loading a text-based zone file from another DNS server or by manually adding them to a zone, a time stamp of zero is set. This makes these records ineligible for use in aging and scavenging operations.

To change this default, you can administer these records individually to reset and permit them to use a current, or nonzero, time-stamp value. This enables these records to become aged and scavenged.
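Before you enable scavenging on a production zone, it is worth seeing exactly which records the first pass would delete. The following Windows PowerShell script is an added example for this section, not code from the course; it assumes the DnsServer module that ships with the DNS Server role on Windows Server 2012 or later and the adatum.com zone used in this module. The mail1 host and the oldhost name are lab values.

```powershell
# Added example, not from the course. Assumes the DnsServer module and the adatum.com zone.
$zone = 'adatum.com'

# Server-wide switch: scavenging runs only when ScavengingState is $true.
$server = Get-DnsServerScavenging
# Zone-level switch: aging must also be enabled on the zone itself.
$aging = Get-DnsServerZoneAging -Name $zone

# A record is stale once its time stamp is older than NoRefresh + Refresh.
# The zone reports both intervals (typically 7 days each) even while aging is still disabled,
# so this preview is valid before you turn anything on.
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff = (Get-Date) - $window

# Records with no time stamp (static, shown as time stamp 0 in the console) are never scavenged; skip them.
$stale = @(Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, RecordType, Timestamp)

"Server scavenging enabled: $($server.ScavengingState); zone aging enabled: $($aging.AgingEnabled)"
"Stale after: $window (NoRefresh $($aging.NoRefreshInterval) + Refresh $($aging.RefreshInterval))"
"Records the next scavenging pass would remove: $($stale.Count)"
$stale | Sort-Object Timestamp | Format-Table -AutoSize

# A host that must never be scavenged (mail1 here, a lab value) belongs in the zone as a static record:
# re-add it without -AgeRecord so that its time stamp is 0. Both lines are deliberately commented out.
# Remove-DnsServerResourceRecord -ZoneName $zone -Name 'mail1' -RRType A -Force
# Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail1' -IPv4Address '172.16.0.250'

# The opposite case from the text above: give a static record a current time stamp so that it ages.
# Set-DnsServerResourceRecordAging -ZoneName $zone -NodeName 'oldhost' -Force
```

Run it on the DNS server as an administrator. If the list contains domain controllers, servers, or printers, convert those to static records before enabling scavenging; otherwise the note above applies, and any client can re-register the name the moment it is removed.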

Demonstration: Managing DNS Records

This demonstration shows how to:

• Configure TTL.

• Enable and configure scavenging and aging.

Demonstration Steps

Configure TTL

1. Switch to LON-DC1, and then open the Adatum.com zone properties.

2. On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.

Enable and configure scavenging and aging

1. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure aging and scavenging options.

2. Enable Scavenge stale resource records, and then use the default values.

Windows PowerShell equivalent (the server-level ScavengingState switch is what the Scavenge stale resource records check box sets; without it the intervals are recorded but nothing is ever removed):

Set-DnsServerScavenging -ScavengingState $true -ApplyOnAllZones -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -Verbose -PassThru

Set-DnsServerZoneAging adatum.com -Aging $true -PassThru -Verbose

Demonstration: Testing the DNS Server Configuration

Issues can occur when you do not configure the DNS server, its zones, and its resource records properly. When resource records are causing issues, it can sometimes be more difficult to identify the issue because configuration problems are not always obvious.

The following table lists possible configuration issues that can cause DNS problems.

Issue Result

Missing records Records for a host are not in the DNS server. They might have been scavenged prematurely. This can result in workstations not being able to connect with each other.

Incomplete records Records that are missing the information required to locate the resource they represent can cause clients requesting the resource to use invalid information. For example, a service (SRV) record that does not contain the required port number is an incomplete record.

Incorrectly configured records Records that point to an invalid IP address or have invalid information in their configuration will cause problems when DNS clients try to find resources.

The tools you can use to troubleshoot these and other configuration issues are:

• Nslookup. Use this tool to query DNS information. The tool is flexible, and it can provide valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution.

Note: You can use the Windows PowerShell cmdlet Resolve-DnsName to perform similar functions to Nslookup when troubleshooting DNS.

• Windows PowerShell. You can use Windows PowerShell cmdlets to configure and troubleshoot various DNS aspects.

• Dnscmd. Manage the DNS server service with this command-line interface. This utility is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup tasks and the configuration of new DNS servers on your network.

• IPconfig. Use this command to view and modify IP configuration details that the computer uses. This utility includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client local DNS cache by using the command ipconfig /displaydns, and you can clear the local cache using ipconfig /flushdns.

Note: You can also use the following Windows PowerShell cmdlets:

• Clear-DnsClientCache deletes the DNS client resolver cache.

• Get-DnsClientCache displays the resolver cache.

• Monitoring tab on DNS server. In the DNS server Monitoring tab, you can configure a test that allows the DNS server to determine whether it can resolve simple local queries and perform a recursive query to ensure that the server can communicate with upstream servers. You also can schedule these tests for regular intervals.

These are basic tests, but they provide a good place to start troubleshooting the DNS service. Possible causes for a test to fail include:

• The DNS server service has failed.

• The upstream server is not available on the network.

This demonstration shows how to use Nslookup.exe to test the DNS server configuration.

Demonstration Steps

1. Open a command prompt, and then run the following command:

nslookup -d2 LON-DC1.Adatum.com

2. Review the information provided by nslookup.
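The troubleshooting table above names three failure classes (missing, incomplete, incorrectly configured records). The Windows PowerShell function below is an added example, not part of the course, that tests the records this module creates (the MX for Mail1, the _sipinternaltls SRV for Lync-svr1 on port 5061, and the PTR for 172.16.0.250) for each of those classes with Resolve-DnsName instead of reading nslookup output by eye. The host names, addresses and the expected port are the lab values.

```powershell
# Added example, not from the course. Checks the lab's records for the three failure classes in the table.
function Test-AdatumRecords {
    param([string]$Server = 'LON-DC1.adatum.com', [string]$Zone = 'adatum.com')
    $problems = @()
    $q = @{ Server = $Server; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }   # bypass hosts file and cache

    # MX: missing is class 1; an exchanger name that does not resolve is class 3 (mail is simply dropped).
    $mx = Resolve-DnsName -Name $Zone -Type MX @q | Where-Object Type -eq 'MX'
    if (-not $mx) { $problems += "Missing record: no MX for $Zone" }
    foreach ($r in $mx) {
        if (-not (Resolve-DnsName -Name $r.NameExchange -Type A @q)) {
            $problems += "Incorrectly configured record: MX target $($r.NameExchange) has no A record"
        }
    }

    # SRV: a port of 0 or the wrong port is class 2 (incomplete); an unresolvable target is class 3.
    $srvName = "_sipinternaltls._tcp.$Zone"
    $srv = Resolve-DnsName -Name $srvName -Type SRV @q | Where-Object Type -eq 'SRV'
    if (-not $srv) { $problems += "Missing record: no SRV for $srvName" }
    foreach ($r in $srv) {
        if ($r.Port -ne 5061) { $problems += "Incomplete record: $srvName port is $($r.Port), expected 5061" }
        if (-not (Resolve-DnsName -Name $r.NameTarget -Type A @q)) {
            $problems += "Incorrectly configured record: SRV target $($r.NameTarget) has no A record"
        }
    }

    # Reverse lookup: the PTR must name the same host; a stale reverse zone is a common class 3 finding.
    $ptr = Resolve-DnsName -Name '172.16.0.250' -Type PTR @q | Where-Object Type -eq 'PTR'
    if (-not $ptr) { $problems += 'Missing record: no PTR for 172.16.0.250' }
    elseif ($ptr.NameHost -notlike "mail1.$Zone") {
        $problems += "Incorrectly configured record: PTR for 172.16.0.250 is $($ptr.NameHost)"
    }

    if ($problems) { $problems } else { "All record checks passed against $Server" }
}

Test-AdatumRecords
```

Run it against each DNS server in turn (the primary and any secondary) so that a record that is correct on LON-DC1 but has not yet transferred to a secondary shows up as a difference between the two runs.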

Monitoring DNS by Using the DNS Event Log

The DNS server has its own category in the event log. As with any event log in Windows Event Viewer, you should review the event log periodically.

Common DNS Events

The following table describes common DNS events.

Event ID Description

2 The DNS server has started. This message generally appears at startup when either the server computer or the DNS server service is started.

3 The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS server service is stopped manually.

408 The DNS server could not open socket for address [IPaddress]. Verify that this is a valid IP address for the server computer. To correct the problem, you can do the following:

1. If the specified IP address is not valid, remove it from the list of restricted interfaces for the server and restart the DNS server service.

2. If the specified IP address is no longer valid and was the only address enabled for the DNS server to use, the server might not have started because of this configuration error. To correct this problem, delete the following value from the registry and restart the DNS server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\ListenAddress

3. If the IP address for the server computer is valid, verify that no other application that would attempt to use the same DNS server port, such as another DNS server application, is running. By default, DNS listens on port 53 over both UDP and TCP.


413 • The DNS server will send requests to other DNS servers on a port other than its default port, port 53.

• This DNS server is multihomed and has been configured to restrict the DNS server service to only some of its configured IP addresses. For this reason, there is no assurance that DNS queries that this server sends to remote DNS servers will be sent from one of the IP addresses that was enabled for the DNS server.

• If the server sent those queries from its DNS port, the responses could arrive on an address and port where the DNS server is not listening and be lost. To avoid this problem, the DNS server sends queries to other DNS servers from an arbitrary non-DNS port, and the response is received regardless of the IP address used.

• If you want to limit the DNS server to using only its configured DNS port for sending queries to other DNS servers, use the DNS console to perform one of the following changes to the server properties configuration on the Interfaces tab:

• Select All IP addresses to enable the DNS server to listen on all configured server IP addresses.

• Select Only the following IP addresses to limit the IP address list to a single server IP address.

414 The server computer currently has no primary DNS suffix configured. Its DNS name currently is a single label host name. For example, its configured name is host rather than host.example.microsoft.com or another FQDN. Although the DNS server has only a single label name, default resource records created for its configured zones use only this single label name when mapping the host name for this DNS server. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name. In general, you should reconfigure the DNS server with a full DNS computer name that is appropriate for its domain or workgroup use on your network.

708 The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server, but will not be authoritative for any zones.

3150 The DNS server wrote a new version of zone [zonename] to file [filename]. You can view the new version number by clicking the Record Data tab. This is an informational event for zones that are stored in a zone file rather than in AD DS (including the root zone on a server that you configure to operate as a root server); it is logged each time the server writes the file.

6527 Zone [zonename] expired before it could obtain a successful zone transfer or update from a master server that is acting as its source for the zone. The zone has been shut down. This event ID might appear when you configure the DNS server to host a secondary copy of the zone from another DNS server that is acting as its source or master server. Verify that this server has network connectivity to its configured master server. If the problem continues, consider one or more of the following options:

1. Delete the zone and recreate it, specifying either a different master server or an updated and corrected IP address for the same master server.

2. If zone expiration continues, consider adjusting the expiration interval
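Rather than waiting for someone to open Event Viewer, you can pull the events in this table from the DNS Server log on a schedule. The script below is an added example, not from the course; it assumes the default 'DNS Server' log name on Windows Server 2012 and that you run it on the DNS server itself as an administrator. The one-line meanings are paraphrased from the table.

```powershell
# Added example, not from the course. Summarizes the table's event IDs from the last 24 hours.
$watch = @{
    408  = 'Could not open socket on a listen address'
    413  = 'Queries sent from a non-default port (multihomed, restricted interfaces)'
    414  = 'No primary DNS suffix configured (single-label server name)'
    6527 = 'Secondary zone expired before a transfer succeeded; zone shut down'
}

# Get-WinEvent throws when nothing matches, hence SilentlyContinue; $events is then empty.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = [int[]]$watch.Keys
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)

$events | Group-Object Id | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        Id      = $id
        Count   = $_.Count
        Meaning = $watch[$id]
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        Message = ($_.Group | Select-Object -First 1).Message.Split("`n")[0].Trim()
    }
} | Format-Table -AutoSize

# 6527 means the secondary is answering nothing for that zone: treat it as an outage, not a warning.
if ($events | Where-Object Id -eq 6527) {
    Write-Warning 'A secondary zone has expired. Check connectivity to the master and its zone transfer restrictions.'
}
```

Event 414 deserves the same attention as 6527 in practice: a server that advertises itself by a single-label name produces referrals that other servers cannot follow, which shows up as intermittent resolution failures rather than a clean error.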


Monitoring DNS by Using Debug Logging

Sometimes, it might be necessary to get more details about a DNS problem than what the Event Viewer provides. In this instance, you can use debug logging to find additional information.

The following DNS debug logging options are available:

• Direction of packets. This option has the following settings:

o Send. The DNS server log file logs packets that the DNS server sends.

o Receive. The log file logs packets that the DNS server receives.

• Content of packets. This option has the following settings:

o Standard query. Specifies that packets containing standard queries, according to Request for Comments (RFC) 1034, are logged in the DNS server log file.

o Updates. Specifies that packets containing dynamic updates, according to RFC 2136, are logged in the DNS server log file.

o Notifies. Specifies that packets containing notifications, according to RFC 1996, be logged in the DNS server log file.

• Transport protocol. This option has the following settings:

o UDP. Specifies that packets sent and received over UDP be logged in the DNS server log file.

o TCP. Specifies that packets sent and received over TCP be logged in the DNS server log file.

• Type of packet. This option has the following settings:

o Request. Specifies that request packets be logged in the DNS server log file. A request packet is characterized by a query/response (QR) bit set to 0 in the DNS message header. The QR bit is a one-bit field that specifies whether the message is a query (0) or a response (1).

o Response. Specifies that response packets be logged in the DNS server log file. A response packet is characterized by a QR bit set to 1 in the DNS message header.

• Enable filtering based on IP address. This option provides additional filtering of packets that are logged in the DNS server log file. This option allows logging of packets that are sent from specific IP addresses to a DNS server or from a DNS server to specific IP addresses.

• Log file maximum size limit. This option allows you to set the maximum file size for the DNS server log file. When the DNS server log file reaches its specified maximum size, the DNS server overwrites the oldest packet information with new information.

If you do not specify a maximum log-file size, the DNS server log file can consume a large amount of hard-disk space.

By default, all debug logging options are disabled. When you enable them selectively, the DNS server service can perform additional trace-level logging of selected types of events or messages for general troubleshooting and server debugging.


Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, you should use it only on a temporary basis, when you need more detail than the event log provides. The log also records every query name and client address that the server handles, so protect the log file like any other sensitive data and delete it when the investigation ends.

Note: Dns.log contains debug logging activity. By default, it is located in the %systemroot%\System32\Dns folder.
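Dns.log is a plain text file with one summary line per packet, so it can be parsed and searched instead of read by hand. The script below is an added example, not part of the course: it parses the packet-summary lines (date, time, thread, PACKET, context, protocol, Snd/Rcv, remote address, XID, R for responses, opcode Q/N/U, bracketed flags and response code, question type, question name written as length-prefixed labels) and then answers two questions a practitioner wants after reading the aging note earlier in this lesson: which clients are sending dynamic updates, and which updates the server refused. The six log lines are constructed for the example, assume an en-US date format, and use lab addresses; on a real server replace them with the contents of Dns.log.

```powershell
# Added example, not from the course. Parses Dns.log packet-summary lines and reports dynamic update activity.
# To produce such lines on a server, enable packet logging for queries and updates (set a size limit in the
# Debug Logging tab as the text above recommends) before reproducing the problem:
# Set-DnsServerDiagnostics -Queries $true -Update $true -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true -QuestionTransactions $true -Answers $true -EnableLoggingToFile $true

# Constructed sample; in production: $lines = Get-Content "$env:SystemRoot\System32\Dns\dns.log"
$lines = @'
10/2/2014 9:15:01 AM 0A3C PACKET  00000000029A2200 UDP Rcv 172.16.0.21     0002   Q [0001   D   NOERROR] A      (7)lon-dc1(6)adatum(3)com(0)
10/2/2014 9:15:01 AM 0A3C PACKET  00000000029A2200 UDP Snd 172.16.0.21     0002 R Q [8085 A DR  NOERROR] A      (7)lon-dc1(6)adatum(3)com(0)
10/2/2014 9:16:10 AM 0A3C PACKET  00000000029A3F40 UDP Rcv 172.16.0.50     0003   U [0028       NOERROR] SOA    (6)adatum(3)com(0)
10/2/2014 9:16:10 AM 0A3C PACKET  00000000029A3F40 UDP Snd 172.16.0.50     0003 R U [00a8       NOERROR] SOA    (6)adatum(3)com(0)
10/2/2014 9:40:33 AM 0A3C PACKET  00000000029A4100 UDP Rcv 10.0.0.5        0004   U [0028       NOERROR] SOA    (6)adatum(3)com(0)
10/2/2014 9:40:33 AM 0A3C PACKET  00000000029A4100 UDP Snd 10.0.0.5        0004 R U [05a8       REFUSED] SOA    (6)adatum(3)com(0)
'@ -split "`r?`n"

$rx = '^(?<date>\S+)\s+(?<time>\S+\s+[AP]M)\s+(?<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?<ctx>[0-9A-Fa-f]+)\s+' +
      '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>[0-9A-Fa-f.:]+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<qr>R?)\s*(?<op>[QNU])\s+' +
      '\[(?<flags>[0-9A-Fa-f]{4})\s+(?<fchars>[A-Z ]*?)\s*(?<rcode>[A-Z]+)\]\s+(?<qtype>\S+)\s+(?<qname>.*)$'

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $rx)
        if (-not $m.Success) { continue }   # packet detail dumps and blank lines are not summaries
        # Names are logged as length-prefixed labels: (7)lon-dc1(6)adatum(3)com(0) -> lon-dc1.adatum.com
        $name = (($m.Groups['qname'].Value -replace '\(\d+\)', '.').Trim()).Trim('.')
        [pscustomobject]@{
            Time       = [datetime]::Parse("$($m.Groups['date'].Value) $($m.Groups['time'].Value)", [cultureinfo]'en-US')
            Protocol   = $m.Groups['proto'].Value
            Direction  = $m.Groups['dir'].Value
            RemoteIP   = $m.Groups['ip'].Value
            IsResponse = ($m.Groups['qr'].Value -eq 'R')
            Opcode     = @{ Q = 'Query'; N = 'Notify'; U = 'Update' }[$m.Groups['op'].Value]
            Rcode      = $m.Groups['rcode'].Value
            QType      = $m.Groups['qtype'].Value
            Name       = if ($name) { $name } else { '.' }
        }
    }
}

$packets = ConvertFrom-DnsDebugLog -Lines $lines

# Dynamic update requests by source. The summary line only shows the zone (the record itself is in the
# packet detail), so this is a source-address view: updates from outside your client ranges need explaining.
$packets | Where-Object { $_.Opcode -eq 'Update' -and -not $_.IsResponse } |
    Group-Object RemoteIP | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count, @{n='Zone';e={($_.Group.Name | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize

# Updates the server refused: with secure dynamic update these are clients that could not authenticate
# or tried to overwrite a record owned by another principal, the squatting scenario from the aging note.
$packets | Where-Object { $_.Opcode -eq 'Update' -and $_.IsResponse -and $_.Rcode -eq 'REFUSED' } |
    Select-Object Time, RemoteIP, Name, Rcode | Format-Table -AutoSize
```

With the sample input the first table lists 172.16.0.50 and 10.0.0.5 with one update each, and the second shows the refused update from 10.0.0.5. The regex is deliberately tolerant of column spacing, which varies with address length, and it silently skips the multi-line packet dumps that appear when Details logging is enabled.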

Monitoring DNS with Windows PowerShell

Windows Server 2012 added several new Windows PowerShell cmdlets to configure, manage, monitor, and troubleshoot the DNS server and its services. You have already seen several of these, such as Get-DnsServer, Add-DnsServerConditionalForwarderZone, and Add-DnsServerPrimaryZone.

You can use Windows PowerShell cmdlets for DNS to create scripts that allow you to conduct repetitive tasks and other elaborate actions more easily than continuous typing and clicking in the DNS console. This has many advantages over the DNS console because you can save the scripts, and rerun and modify them as needed. You can also use variables and parameters that are called when the script is run. The dynamic ability of Windows PowerShell to perform all of these tasks provides you with a valuable tool in your DNS management toolset.

For a complete list of the DNS cmdlets for Windows PowerShell, see the following:

http://go.microsoft.com/fwlink/?LinkID=331161

Windows Server 2012 R2 adds several new Windows PowerShell cmdlets and parameters. These include enhanced zone-level statistics and enhanced DNSSEC support.

The Get-DnsServerStatistics cmdlet, introduced in Windows Server 2012, accepts a -ZoneName parameter in Windows Server 2012 R2, and its output then includes the following zone-level statistics:

• ZoneQueryStatistics. Returns information about queries for the zone.

• ZoneTransferStatistics. Returns information about full and incremental zone transfers.

• ZoneUpdateStatistics. Returns information about any dynamic updates.

To get zone-level statistics, type the following using an elevated Windows PowerShell command prompt:

$statistics = Get-DnsServerStatistics -ZoneName Adatum.com
$statistics.ZoneQueryStatistics
$statistics.ZoneTransferStatistics
$statistics.ZoneUpdateStatistics


Windows Server 2012 R2 provides the following additional cmdlets for Domain Name System Security Extensions (DNSSEC) functionality:

• Step-DnsServerSigningKeyRollover. Forces a key signing key (KSK) rollover that is waiting for a delegation signer (DS) update in the parent zone. If the server hosting a securely delegated zone cannot check whether the DS record in the parent has been updated, this cmdlet lets you force the rollover to proceed. It expects the DS record to have been updated manually in the parent.

• Add-DnsServerTrustAnchor -Root. The Root parameter set retrieves trust anchors from the URL specified in the RootTrustAnchorsURL property of the DNS server. This cmdlet has the following alias: Retrieve-DnsServerRootTrustAnchor.

• RootTrustAnchorsURL. The Get-DnsServerSetting and Set-DnsServerSetting cmdlets are extended with a new RootTrustAnchorsURL string setting.

DNSSEC is a suite of extensions that adds security to the DNS protocol by giving resolvers and DNS servers the ability to validate DNS responses. With DNSSEC, digital signatures (RRSIG records) accompany resource records. The signatures are generated when DNSSEC is applied to a DNS zone through the zone signing process. When a resolver queries for a resource record in a signed zone, the response carries the signature together with the data, and the resolver, or a DNS server validating on its behalf, checks the signature against the zone's public key, which is in turn trusted through a chain of DS records or a configured trust anchor. If validation succeeds, the data has not been modified or tampered with in transit. DNSSEC provides origin authentication and integrity only; it does not encrypt queries or responses.
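To confirm that a signed zone really returns validated data, rather than assuming it does because the zone shows as signed, here is an added Windows PowerShell example that is not part of the course. It assumes that adatum.com has been signed, that the server you query validates responses (it holds a trust anchor for the zone or a chain to one), and that lon-dc1.adatum.com and 172.16.0.10 are the lab values they are in this module. The status strings are this example's own.

```powershell
# Added example, not from the course. Distinguishes "signed", "unsigned" and "fails validation" for one name.
function Test-DnssecName {
    param([string]$Name = 'lon-dc1.adatum.com', [string]$Server = '172.16.0.10')

    # DnssecOk sets the DO bit: a signed zone answers with the RRSIG records alongside the data.
    # A validating server returns SERVFAIL when the signatures do not check out, so $signed is then empty.
    $signed  = Resolve-DnsName -Name $Name -Type A -Server $Server -DnssecOk -DnsOnly -ErrorAction SilentlyContinue
    $answers = @($signed | Where-Object Type -eq 'A')
    $rrsig   = @($signed | Where-Object Type -eq 'RRSIG')

    # DnssecCd sets the CD (checking disabled) bit: the server hands back the data without validating it.
    # Data with CD but none without it means the zone is reachable but its signatures fail validation.
    $unvalidated = @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnssecCd -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'A')

    $status = if ($answers.Count -and $rrsig.Count) { 'OK: answer returned with RRSIG' }
              elseif ($answers.Count)               { 'UNSIGNED: answer returned without RRSIG' }
              elseif ($unvalidated.Count)           { 'VALIDATION FAILURE: data exists but is rejected when validated' }
              else                                  { 'NO DATA: name does not resolve at all' }

    [pscustomobject]@{
        Name       = $Name
        Server     = $Server
        Addresses  = ($answers.IPAddress -join ',')
        Signatures = $rrsig.Count
        Status     = $status
    }
}

Test-DnssecName

# Server-side view, run on the DNS server itself: is the zone signed, and which trust anchors does it hold?
Get-DnsServerZone -Name 'adatum.com' | Select-Object ZoneName, IsSigned, IsDsIntegrated
Get-DnsServerTrustAnchor -ErrorAction SilentlyContinue | Format-Table -AutoSize
```

The VALIDATION FAILURE case is the one to watch after a key rollover: the data is still served to anyone who asks with CD set, but every validating resolver sees SERVFAIL, which looks like an outage to users even though the zone is loaded and answering.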


Lab: Configuring and Troubleshooting DNS

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An Information Technology (IT) office and a data center are located in London to support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

Management has asked you to add several new resource records to the DNS service installed on LON-DC1. Records include a new MX record for Exchange Server 2013 and a SRV record for a Microsoft Lync® Server 2013 deployment that is occurring.

A. Datum is working with a partner organization, Contoso, Ltd. You have been asked to configure internal name resolution between the two organizations. A small branch office has reported that name resolution performance is poor. The branch office contains a Windows Server 2012 server that performs several roles. However, there is no plan to implement an additional domain controller. You have been asked to install the DNS server role at the branch office and to create a secondary zone of Adatum.com. To maintain security, you have been instructed to restrict Adatum.com zone transfers to the branch office server and to place it on the Notify list for the zone. You also should update all branch office clients to use the new name server in the branch office.

You should configure the new DNS server role to perform standard aging and scavenging, as necessary and as specified by corporate policy. After implementing the new server, you need to test and verify the configuration by using standard DNS troubleshooting tools.

Objectives

After completing this lab, you will be able to:

• Configure DNS resource records.

• Configure DNS conditional forwarding.

• Install and configure DNS zones.

• Troubleshoot DNS.

Lab Setup

Estimated Time: 60 minutes

Virtual Machines: 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-CL1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.


4. Sign in using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 through 4 for 20411C-LON-SVR1 and 20411C-LON-CL1.

Exercise 1: Configuring DNS Resource Records

Scenario

You have been asked to add several new resource records to the DNS service installed on LON-DC1. Records include a new MX record for Exchange Server 2013, and an SRV record required for a Lync Server 2013 deployment that is taking place currently. You have also been asked to configure a reverse lookup zone for the domain.

The main tasks for this exercise are as follows:

1. Add the Required Mail Exchange (MX Record)

2. Add the Required Microsoft Lync Server Records

3. Create the Reverse Lookup Zone

Task 1: Add the Required Mail Exchange (MX Record)

1. Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Open the DNS Manager console.

3. Create a new host record with the following properties:

o Zone: Adatum.com

o Name: Mail1

o IP address: 172.16.0.250

4. In the Adatum.com zone, add a new record with the following information:

o Type: New Mail Exchanger (MX)

o Fully qualified domain name (FQDN) of mail server: Mail1.Adatum.com

Task 2: Add the Required Microsoft Lync Server Records

1. Create a new host record with the following properties:

o Zone: Adatum.com

o Name: Lync-svr1

o IP address: 172.16.0.251

2. In the Adatum.com zone, add a new record:

o Type: Service Location (SRV)

o Service: _sipinternaltls

o Protocol: _tcp

o Port Number: 5061

o Host offering this service: Lync-svr1.adatum.com


Task 3: Create the Reverse Lookup Zone

1. Create a new reverse lookup zone with the following properties:

o Zone Type: Primary zone

o Active Directory Zone Replication Scope: Default

o Reverse Lookup Zone Name: IPv4 Reverse Lookup Zone

o Network ID: 172.16.

o Dynamic Update: Default

Results: After this exercise, you should have configured the required messaging service records and the reverse lookup zone successfully.
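The three tasks of this exercise can be scripted on LON-DC1. The following is an added Windows PowerShell example, not part of the lab, that uses the lab's own values; it assumes the DnsServer module and that Adatum.com is AD-integrated, so the console's Default replication scope corresponds to -ReplicationScope Domain and the Default dynamic update setting to -DynamicUpdate Secure. The reverse zone is created first so that -CreatePtr has somewhere to put the PTR records.

```powershell
# Added example, not from the lab. Exercise 1 as PowerShell, run on LON-DC1 as Adatum\Administrator.
$zone = 'Adatum.com'

# Task 3 first: the reverse zone for 172.16. (16.172.in-addr.arpa), AD-integrated, secure updates only.
Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure

# Task 1: the mail host, then the MX that points at it. Name '.' is the zone apex (same as parent folder).
# Records added this way are static (time stamp 0), so scavenging never removes them.
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'Mail1' -IPv4Address '172.16.0.250' -CreatePtr
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange 'Mail1.Adatum.com' -Preference 10

# Task 2: the Lync front end and the SRV that clients use to find it. The target must be a host name,
# never an IP address, and a missing port is exactly the "incomplete record" from the troubleshooting table.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'Lync-svr1' -IPv4Address '172.16.0.251' -CreatePtr
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sipinternaltls._tcp' `
    -DomainName 'Lync-svr1.adatum.com' -Priority 0 -Weight 0 -Port 5061

# Verify from the server's own data rather than through a resolver cache.
Get-DnsServerResourceRecord -ZoneName $zone -RRType MX
Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv
Get-DnsServerResourceRecord -ZoneName '16.172.in-addr.arpa' -RRType Ptr
```

If the reverse zone already exists, Add-DnsServerPrimaryZone reports an error and the rest still runs; if it does not exist and you skip that line, the -CreatePtr switches are silently ignored and the reverse lookups in the troubleshooting exercise will fail.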

Exercise 2: Configuring DNS Conditional Forwarding

Scenario

You have been asked to configure internal name resolution between A. Datum Corporation and its partner organization, Contoso Ltd.

The main tasks for this exercise are as follows:

• Add the Conditional Forwarding Record for contoso.com

Task 1: Add the Conditional Forwarding Record for contoso.com

• From the Conditional Forwarders node, configure conditional forwarding for Contoso.com:

o In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.

o Click in the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail because the server cannot be contacted.

o Select the Store this conditional forwarder in Active Directory, and replicate it as follows check box, and accept the default replication scope.

Results: After this exercise, you should have successfully configured conditional forwarding.

Exercise 3: Installing and Configuring DNS Zones

Scenario

A small branch office has reported that name resolution performance is poor. The branch office contains a Windows Server 2012 server that performs several roles. However, there is no plan to implement an additional domain controller.

You have been asked to install the DNS server role at the branch office, and then create a secondary zone of Adatum.com. To maintain security, you also have been instructed to restrict Adatum.com zone transfers to the branch office server and to place it on the Notify list for the zone. You also should update all branch office clients to use the new name server in the branch office, and then configure the new DNS server role to perform standard aging and scavenging, as needed and specified by corporate policy.

The main tasks for this exercise are as follows:

1. Install the DNS Server Role on LON-SVR1

2. Create the Required Secondary Zones on LON-SVR1


3. Enable and Configure Zone Transfers

4. Configure TTL, Aging, and Scavenging

5. Configure Clients to Use the New Name Server

Task 1: Install the DNS Server Role on LON-SVR1

1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Use Server Manager to install the DNS Server role.

Task 2: Create the Required Secondary Zones on LON-SVR1

1. Open a Windows PowerShell Administrator console.

2. Type the following cmdlet to create the required secondary zone:

Add-DnsServerSecondaryZone -Name "Adatum.com" -ZoneFile "Adatum.com.dns" -MasterServers 172.16.0.10

Task 3: Enable and Configure Zone Transfers

1. Switch to LON-DC1.

2. Open Windows PowerShell, and then run the following cmdlet to configure zone transfers for the Adatum.com zone:

Set-DnsServerPrimaryZone -Name "adatum.com" -Notify NotifyServers -NotifyServers "172.16.0.21" -SecondaryServers "172.16.0.21" -SecureSecondaries TransferToSecureServers

3. In DNS Manager, verify the changes to the Zone Transfers settings:

a. In the navigation pane, click Adatum.com, and then, on the toolbar, click Refresh.

b. Right-click Adatum.com, and then click Properties.

c. In the Adatum.com Properties dialog box, click the Zone Transfers tab.

d. Click Notify, and verify that the server 172.16.0.21 appears. Click Cancel.

Task 4: Configure TTL, Aging, and Scavenging

1. On LON-DC1, open the Adatum.com zone properties.

2. On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.

3. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure aging and scavenging options.

4. Enable Scavenge stale resource records, and then use the default values.

Task 5: Configure Clients to Use the New Name Server

1. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.

2. Use Network and Sharing Center to view the properties of Ethernet.

3. Reconfigure Internet Protocol Version 4 (TCP/IPv4) as follows:

Modify the Preferred DNS server: 172.16.0.21.


Results: After this exercise, you should have successfully installed and configured Domain Name System (DNS) on LON-SVR1.
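The security goal of Task 3 is that only LON-SVR1 can pull the zone. The following added Windows PowerShell example, not part of the lab, checks that from two directions: what the primary's configuration says, and whether an actual AXFR request is refused. It uses the lab addresses (172.16.0.10 is LON-DC1, 172.16.0.21 is LON-SVR1) and nslookup's ls -d command, which requests a full zone transfer; the Test-ZoneTransfer function and its result strings are this example's own. The commented Task 5 line adds the DC as a second server, which the lab itself does not do.

```powershell
# Added example, not from the lab. Verifies the zone transfer restriction rather than trusting the dialog.
$zone = 'adatum.com'

# 1. What the primary believes: transfers limited to listed secondaries, not 'TransferAnyServer'.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# 2. Behavioural check: ask for a full transfer (AXFR) with nslookup's ls -d command.
#    The command is fed on stdin so that it runs from a script without the interactive prompt.
function Test-ZoneTransfer {
    param([string]$Zone, [string]$Server)
    $out = "ls -d $Zone" | nslookup - $Server 2>&1 | Out-String
    if ($out -match 'Query refused|Can''t list domain') { "$Server refused AXFR of $Zone to this host (expected for unlisted hosts)" }
    elseif ($out -match '\sSOA\s')                         { "$Server ALLOWED a full transfer of $Zone to this host" }
    else                                                   { "Inconclusive: $($out.Trim())" }
}

# Run on LON-DC1 itself the request comes from 172.16.0.10, which is not a listed secondary: expect a refusal.
Test-ZoneTransfer -Zone $zone -Server 172.16.0.10
# Run the same call on LON-SVR1 (172.16.0.21): it must succeed, or the secondary will never load the zone.

# 3. Confirm the secondary has actually loaded the zone rather than sitting shut down after a failed transfer.
# Get-DnsServerZone -Name $zone -ComputerName 172.16.0.21 | Select-Object ZoneName, ZoneType, IsShutdown

# Task 5 in PowerShell, run on LON-CL1: the lab sets only 172.16.0.21; listing the DC second keeps
# the branch resolving if LON-SVR1 is down.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '172.16.0.21', '172.16.0.10'
```

A zone that allows transfers to any server hands an attacker the complete host list of the domain in one request, which is why the refusal from an unlisted host is the result you want to see before the exercise is signed off.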

Exercise 4: Troubleshooting DNS

Scenario

After implementing the new server, you need to test and verify the configuration by using standard DNS troubleshooting tools.

The main tasks for this exercise are as follows:

1. Test Simple and Recursive Queries

2. Verify Start-of-Authority Resource Records with Windows PowerShell

3. To Prepare for the Next Module

Task 1: Test Simple and Recursive Queries

1. On LON-DC1, in DNS Manager, open the LON-DC1 properties.

2. On the Monitoring tab, perform a simple query against the DNS server. This is successful.

3. Perform simple and recursive queries against this and other DNS servers. The recursive test fails because there are no forwarders configured.

4. Stop the DNS service, and then repeat the previous tests. They fail because no DNS server is available.

5. Restart the DNS service, and then repeat the tests. The simple test is successful.

6. Close the LON-DC1 Properties dialog box.

Task 2: Verify Start-of-Authority Resource Records with Windows PowerShell

1. On LON-DC1, open Windows PowerShell.

2. Type the following command, and then press Enter:

Resolve-DnsName -Name Adatum.com -Type SOA

3. View the results, and then close the Windows PowerShell prompt.

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1 and 20411C-LON-CL1.

Results: After this exercise, you should have successfully tested and verified DNS.

Question: In the lab, you were required to deploy a secondary zone because you were not going to deploy any additional domain controllers. If this condition changed, that is, if LON-SVR1 was a domain controller, how would that change your implementation plan?


Module Review and Takeaways

Review Question(s)

Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure be resistant to single points of failure. What must you consider while planning the DNS configuration?

Question: What is the difference between recursive and iterative queries?

Question: What must you configure before a DNS zone can be transferred to a secondary DNS server?

Question: You are the administrator of a Windows Server 2012 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone. The acquired company is using BIND 4.9.4 to host their primary DNS zones. You notice a significant amount of traffic between the Windows Server 2012 DNS server and the BIND server. What is one possible reason for this?

Question: You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2012. What DNS tool can you use to do this?

Tools

Tool Use for Where to find it

Dnscmd.exe Configure the DNS server role Command-line

Dnslint.exe Test DNS server Download from the Microsoft website, and then use from the command-line

Nslookup.exe Test DNS name resolution Command-line

Ping.exe Simple test of DNS name resolution Command-line

Ipconfig.exe Verify and test IP functionality, and view or clear the DNS client resolver cache Command-line


Module 2 Maintaining Active Directory® Domain Services

Contents: Module Overview 2-1

Lesson 1: Overview of AD DS 2-2

Lesson 2: Implementing Virtualized Domain Controllers 2-8

Lesson 3: Implementing RODCs 2-19

Lesson 4: Administering AD DS 2-25

Lesson 5: Managing the AD DS Database 2-36

Lab: Maintaining AD DS 2-45

Module Review and Takeaways 2-52

Module Overview

Active Directory® Domain Services (AD DS) is the most critical component in a Windows Server® 2012 R2 domain-based network. AD DS contains important information about authentication, authorization, and resources in your environment. This module explains why you implement specific AD DS features, how important components integrate with each other, and how you can ensure that your domain-based network functions properly. You will learn about new features, such as virtualized domain controller cloning, recent features like read-only domain controllers (RODCs), and other features and tools that you can use in the AD DS environment.

Objectives

After completing this module, you will be able to:

• Explain the general structure of AD DS.

• Implement virtualized domain controllers.

• Implement RODCs.

• Administer AD DS.

• Manage the AD DS database.


Lesson 1 Overview of AD DS

This lesson covers the core logical components of an AD DS deployment. The AD DS database stores information on user identity, computers, groups, services, and resources. AD DS domain controllers also host the service that authenticates user and computer accounts when they sign in to the domain. AD DS stores information about all of the domain’s objects, and all users and computers must connect to AD DS domain controllers when signing in to the network. Therefore, AD DS is the primary means by which you can configure and manage user and computer accounts on your network.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe AD DS components.

• Explain the structure of an AD DS forest and schema.

• Explain the structure of an AD DS domain.

• Describe how to extend an AD DS deployment with Windows Azure™ virtual machines.

Overview of AD DS Components

AD DS is composed of both physical and logical components. To maintain your AD DS environment effectively, you need to understand the way the components of AD DS work together.

Physical Components

AD DS information is stored in a database on each domain controller’s hard disk. The following list describes some of these physical components and their storage locations.

• Domain controllers. Contain copies of the AD DS database. Domain-specific information can be updated from any domain controller that is a member of the same domain.

• Data store. The files on each domain controller that store the AD DS information, such as the ntds.dit database, the EDB log files, and the system volume share, which appears in File Explorer as SYSVOL.

• Global catalog servers. Host the global catalog, which is a partial, read-only copy of all the objects in every domain in the forest. A global catalog speeds up searches for objects that might be stored on domain controllers in a different domain in the forest.

• RODCs. Domain controllers that hold a read-only copy of the AD DS database. You typically use these in branch offices where physical security may not be available and Information Technology (IT) support staff are not always on premises, compared to an enterprise’s main corporate centers.

Logical Components

AD DS logical components are structures that you use to implement an Active Directory design that is appropriate for an organization. The following list describes some of the types of logical structures that an Active Directory database might contain.

• Partition. A section of the AD DS database, also called a naming context. Partitions are the distinct sections of the ntds.dit database that you can view, manage, and replicate separately.

• Schema. Defines the list of object types and attributes from which all AD DS objects are derived.

• Domain. A logical, administrative boundary for creating and managing AD DS objects such as users, computers, and groups.

• Tree. A collection of domains that share a common root domain and an AD DS namespace.

• Forest. A collection of one or more domains that share a common AD DS schema and configuration.

• Site. Defines a logical location for AD DS objects based on their association with TCP/IP networks. A site is used to control AD DS replication traffic. By default, AD DS assumes that consistent, low-latency, adequate bandwidth exists between all AD DS computers, and because of this assumption, AD DS computers attempt near-immediate replication with each other. If network constraints exist between AD DS computers, you should define additional AD DS sites and link them logically to control AD DS replication traffic. Sites are also useful in planning administrative tasks, such as replication of changes to the AD DS database.

• OU. Organizational units (OUs) are containers in AD DS that provide an option to logically group AD DS objects within a domain. OUs also provide a framework for delegating administrative rights and for linking Group Policy Objects (GPOs).

Understanding AD DS Forest and Schema Structure

In AD DS, forest and schema structures are important for defining the functionality and scope of your environment.

AD DS Forest Structure

A forest is a collection of one or more trees. A tree is a collection of one or more domains that share a common AD DS namespace. The first domain that is created in the forest is called the forest root domain. Two special groups exist in the forest root domain: the Enterprise Admins and the Schema Admins universal groups. The Enterprise Admins group has full control over every domain within the forest. The Schema Admins group has full control over changes to the AD DS schema.

The AD DS forest is a security boundary. This means that, by default, no users from outside the forest can access any resources inside the forest. One of the primary reasons why organizations deploy multiple forests is that they need to isolate administrative permissions between different parts of the organization.

The AD DS forest is also the replication boundary for the configuration and schema partitions in the AD DS database. This means that all domain controllers in the forest share the same schema. A second reason why organizations choose to deploy multiple forests is that they must deploy incompatible schemas within the same organization.

The AD DS forest is the replication boundary for the global catalog. This makes most forms of collaboration between users in different domains easier. For example, all Microsoft® Exchange Server 2013 recipients are listed in the global catalog, making it easy to send mail to any of the users in the forest, even those users in different domains.

By default, all the domains in a forest automatically trust the other domains in the same forest. This makes it easy to enable access to resources such as file shares and websites for all users in a forest, regardless of the domain in which the user account is located.

AD DS Schema Structure

The AD DS schema is the AD DS component that defines all object types and attributes that AD DS uses to store data. The AD DS schema is sometimes referred to as the blueprint for AD DS. AD DS stores and retrieves information for a wide variety of applications and services. By standardizing how data is stored, AD DS can retrieve, update, and replicate data while maintaining the integrity of the data.

AD DS uses objects as units of storage. All object types are defined in the schema. Each time that the directory handles data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data.

Object definitions control both the types of data that the objects can store, and the syntax of the data. Using this information, the schema ensures that all objects conform to their standard definitions. As a result, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new type of data needs to be stored, a new object definition for the data must first be created in the schema.

In AD DS, the schema defines the following:

• Objects that are used to store data in the directory.

• Rules that define what types of objects you can create, what attributes must be defined when you create the object, and what attributes are optional.

• The structure and content of the directory itself.

You can use an account that is a member of the Schema Admins group to modify the schema components by using a graphical tool. Examples of objects that are defined in the schema include user, computer, group, and site. Among the many hundreds of attributes are location, accountExpires, buildingName, company, manager, and displayName.

The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema operations master role holder, typically the first domain controller in the forest.

Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary. Before making any changes, you should review the changes through a tightly controlled process, and then implement them only after you have performed testing to ensure that the changes will not adversely affect the rest of the forest and any applications that use AD DS.

Although you might never change the schema directly, some applications make changes to the schema to support additional features. For example, when you install Exchange Server 2013 into your AD DS forest, the installation program extends the schema to support new object types and attributes.

Understanding AD DS Domain Structure

An AD DS domain is a logical grouping of user, computer, and group objects for the purposes of management and security. All of these objects are stored in the AD DS database, and a copy of this database is stored on every domain controller in the AD DS domain.

There are several types of objects that can be stored in the AD DS database, including user accounts. User accounts provide a mechanism that you can use to authenticate and then authorize users to access resources on the network. Each domain-joined computer must have an account in AD DS. This enables domain administrators to also use domain group policies to manage the computers. The domain also stores groups, which are the mechanism for grouping together objects, such as user accounts and computer accounts, for administrative or security reasons.

The AD DS domain is also a replication boundary. When changes are made to any object in the domain, that change is replicated automatically to all other domain controllers in the domain.

An AD DS domain is an administrative center. It contains an Administrator account and a Domain Admins group, which both have full control over every object in the domain. Unless they are in the forest root domain, however, their range of control is limited to the domain. Password and account rules are managed at the domain level by default. The AD DS domain also provides an authentication center. All user accounts and computer accounts in the domain are stored in the domain database, and users and computers must connect to a domain controller to authenticate.

A single domain can contain more than 1 million objects, so most organizations need to deploy only a single domain. Organizations that have decentralized administrative structures, or that are distributed across multiple locations, might instead implement multiple domains in the same forest.

Domain Controllers

Changes to the AD DS database can be initiated on any domain controller in a domain except for RODCs. The AD DS replication service then synchronizes the changes and updates to the AD DS database to all other domain controllers in the domain. Additionally, either the File Replication Service (FRS) or the newer DFS Replication replicates the SYSVOL folders. By default, DFS Replication is used on the Windows Server 2008 R2 operating system and above, although you can migrate FRS to DFS Replication on Windows Server 2003 R2 and above.

An AD DS domain should always have a minimum of two domain controllers. This way, if one of the domain controllers fails, an alternate domain controller is available to ensure continuity of the AD DS domain services. When you decide to add more than two domain controllers, consider the size of your organization and its performance requirements.

Organizational Units

An OU is a container object within a domain that you can use to consolidate users, groups, computers, and other objects. There are two main reasons to create OUs:

• To configure objects contained within the OU. You can assign GPOs to the OU, and apply the settings to all objects within the OU. GPOs are policies that administrators create to manage and configure computer and user accounts. The most common way to deploy these policies is to link them to OUs.

• To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to a user or group within AD DS other than the administrator.

You can use OUs to represent the hierarchical, logical structures within your organization. For example, you can create OUs that represent the departments within your organization, the geographic regions within your organization, or a combination of both departmental and geographic regions. You can use OUs to manage the configuration and use of user, group, and computer accounts based on your organizational model.

Every AD DS domain contains a standard set of containers and OUs that are created when you install AD DS, including the following:

• Domain container. The root container of the hierarchy.

• Users container. The default location for new user accounts and groups that you create in the domain. The Users container also holds the Administrator and Guest accounts for the domain and some default groups.

• Computers container. The default location for new computer accounts that you create in the domain.

• Domain Controllers OU. The default location for domain controller computer accounts. This is the only OU that is present in a new installation of AD DS.

Note: None of the default containers in the AD DS domain can have GPOs linked to them, except for the default Domain Controllers OU and the domain itself. All the others are default system-generated containers.
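The following script is an added example, not part of the 20411C courseware: it enumerates the physical and logical components from the "Overview of AD DS Components" topic (forest, partitions, global catalog servers, RODCs, operations master holders) together with the default containers and domain controller count from the domain structure topic above, using the ActiveDirectory module that ships with RSAT and the AD DS role. It assumes it is run as a domain user on a domain-joined machine; the function names are the example's own.

```powershell
# Added example (not part of the 20411C courseware): map the physical and
# logical AD DS components described in this lesson with the ActiveDirectory
# module (RSAT or the AD DS role). Run as a domain user on a domain-joined machine.
Import-Module ActiveDirectory

function Get-AdDsComponentSummary {
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE

    [pscustomobject]@{
        # Forest: schema and configuration replication boundary; holds the root domain
        ForestRootDomain    = $forest.RootDomain
        Domains             = ($forest.Domains -join ', ')
        SchemaMaster        = $forest.SchemaMaster
        # Partitions (naming contexts) held in ntds.dit on the DC that answered
        Partitions          = ($rootDse.namingContexts -join '; ')
        # Global catalog servers: partial, read-only copy of every domain's objects
        GlobalCatalogs      = ($forest.GlobalCatalogs -join ', ')
        # Domain: administrative, replication and authentication boundary
        Domain              = $domain.DNSRoot
        PdcEmulator         = $domain.PDCEmulator
        # Default containers created when the domain is installed
        UsersContainer      = $domain.UsersContainer
        ComputersContainer  = $domain.ComputersContainer
        DomainControllersOU = $domain.DomainControllersContainer
    }
}

function Get-AdDsDomainControllerSummary {
    # One row per DC: writable or RODC, global catalog role, site, operations master roles
    $dcs = Get-ADDomainController -Filter *
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -lt 2) {
        Write-Warning "Only $($writable.Count) writable domain controller(s); the lesson recommends at least two."
    }
    foreach ($dc in $dcs) {
        [pscustomobject]@{
            Name             = $dc.HostName
            Site             = $dc.Site
            IsReadOnly       = $dc.IsReadOnly
            IsGlobalCatalog  = $dc.IsGlobalCatalog
            OperationMasters = ($dc.OperationMasterRoles -join ', ')
            OperatingSystem  = $dc.OperatingSystem
        }
    }
}

Get-AdDsComponentSummary | Format-List
Get-AdDsDomainControllerSummary | Format-Table -AutoSize
```

Running the two functions side by side shows the mapping the lesson describes: one schema master and one PDC emulator, global catalog servers that may live in any domain of the forest, and RODCs that appear with IsReadOnly set, which is why changes cannot originate on them.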

Extending the AD DS Deployment with Windows Azure Virtual Machines

Windows Azure is a Microsoft application platform for a public cloud. A public cloud is a cloud infrastructure typically owned and managed by an organization that provisions cloud services to the general public or a large group. Organizations can use the Windows Azure platform in many different ways. For web developers, Windows Azure enables the hosting of scalable websites and databases. For infrastructure administrators, Windows Azure provides capabilities that extend the organization’s infrastructure, including AD DS, into the cloud, or that provide an infrastructure for cross-organizational projects. Windows Azure provides IT managers with an extensible, low-cost, pay-per-use service.

Windows Azure Virtual Machine is a new service that allows organizations to run virtual machines in the cloud. Windows Azure Virtual Network makes it easy to set up networks that are separate from the networks of other customers within the same cloud. Windows Azure Virtual Networks also allow you to connect to the corporate network infrastructure over the cloud.

Running AD DS domain controllers in Windows Azure Virtual Machines can be beneficial in various scenarios:

• Cloud-only scenarios. You can create a new AD DS forest and domain in Windows Azure, which enables you to host extranet applications. These applications require domain services without needing to communicate back to your on-premises network.

• Hybrid scenarios. Hybrid scenarios enable you to extend your AD DS infrastructure to the cloud by deploying the domain controllers of your on-premises AD DS to Windows Azure Virtual Machines. This can extend corporate applications to the cloud for business-to-business communications through the cloud, or it can serve as a component in your high availability and recovery strategies.

When deploying AD DS domain controllers in Windows Azure, you can distinguish between a cloud-only deployment and a hybrid deployment.

• Cloud-Only Deployment. Cloud-only deployments of AD DS enable you to build a new forest in the cloud. You then can enable Internet and intranet users to access resources on your cloud-only network. This might be beneficial in the following scenarios:

o Support applications that need AD DS services to be accessible from the Internet and the intranet.

o Support applications that should be isolated from corporate AD DS.

o Support extranet applications in the cloud.

• Hybrid Deployment. In a hybrid deployment, you can extend your on-premises AD DS to the cloud by deploying a virtual domain controller of your existing domain or domains to the cloud. The following scenarios are for a hybrid deployment of your AD DS domain in the cloud:

o Support applications in the cloud, such as a corporate Microsoft SharePoint® farm.

o Support Active Directory Federation Services (AD FS) in the cloud to enable business-to-business authentication.

o Serve as a substitute or failover for branch-office or headquarters domain controllers.

Lesson 2 Implementing Virtualized Domain Controllers

Virtualization is a common practice in IT departments. The consolidation and performance benefits that virtualization provides are great assets to any organization. Windows Server 2012 AD DS domain controllers are now more aware of virtualization. In this lesson, you will learn the considerations for implementing virtualized domain controllers in Windows Server 2012 R2. You will also see how you can deploy and manage these domain controllers in the AD DS environment.

Lesson Objectives After completing this lesson, you will be able to:

• Identify considerations for implementing virtualized domain controllers.

• Describe how to manage virtualized domain controller snapshots.

• Describe virtualization of domain controllers in Windows Server 2012.

• Describe the domain controller cloning process.

• Describe how to deploy a cloned virtualized domain controller.

• Identify domain controller virtualization best practices.

Considerations for Virtual Domain Controller Deployment

The Windows Server 2012 operating system is a cloud-ready operating system. During deployment, one of the most important decisions an administrator must make is whether the organization should choose to use private cloud virtualization technology or continue to use physical servers.

Virtualizing servers provides many benefits to modern IT infrastructures. Some of these benefits are:

• Specifics of physical hardware are abstracted from the guest operating system in a virtual machine, which allows virtual machines to be more easily ported between virtualization hosts, such as Hyper-V® in Windows Server 2012.

• Virtual machines can be moved within clusters, and across networks between clusters or stand-alone virtualization hosts.

• Machines can be recovered faster and more easily.

• Redundancy of virtual machines increases service levels, regardless of whether the application itself supports redundancy.

• Virtual machines can be scaled on demand.

• Virtual machines can use more resources during peak hours and conserve energy when they are not needed. Servers deployed on physical hardware, by contrast, generally consume the same amount of electricity whether they are busy or not.

When considering whether to virtualize a domain controller or not, you must consider hardware requirements. Virtualization is very useful if you want scalable hardware. When you plan resource utilization on the host computer, remember that the host operating system requires some additional resources for running virtual machines, such as processing power, memory, network capacity, and disk space.

The following are additional considerations you should keep in mind when virtualizing domain controllers:

• Time synchronization. A Windows-based AD DS domain infrastructure loosely relies on all communicating machines being synchronized. When domain controllers and domain members have a time difference of more than five minutes, clients cannot log on or access resources on the network. To address this requirement, the Windows® operating system includes the Windows Time service. This service ensures that time synchronizes across the domain in the following manner:

o Domain members obtain the time from their domain controller.

o Domain controllers use the primary domain controller (PDC) emulator, an operations master role, from their own domain. Operations master roles will be covered in a later lesson.

o The PDC emulator of the forest root domain should be configured with an external time source, such as an Internet time provider based on an atomic clock, by using the Network Time Protocol.

In virtualized environments, time synchronization is not as simple as on physical computers. The virtualization engine throttles the use of the virtualization host’s CPUs and distributes cycles among the virtual machines as needed. The operating system clock relies on stable CPU cycles, which do not exist in virtual environments. By default, virtualization engines provide time synchronization to the guest computers. When virtualization hosts do not participate in domain time synchronization, it is likely that the domain time and the virtualization host time will drift apart. When the hosts do participate in domain time synchronization, virtual machines are synchronized to the time on the virtualization host. For time synchronization to work properly, you must either configure the virtualization host to participate in domain time synchronization or disable the host’s time synchronization with the virtual domain controllers.

• Domain membership of the virtualization host. When you use Hyper-V as a virtualization host, you can configure whether or not the virtualization host is a member of the AD DS domain. If all domain controllers are virtualized on Hyper-V, the operating system of the virtualization host starts and attempts to connect to the domain before the domain controllers are available. You should have a Hyper-V infrastructure joined to the domain. Failover-clustered physical machines are dependent on AD DS because versions older than Windows Server 2012 are unable to start a cluster when the domain is not available. In this case, the virtual machines do not start when AD DS is not available. This can be solved by:

o Deploying multiple virtualization clusters or deploying a cluster and additional virtualization hosts. With this, you can ensure that there is not a single domain in which all domain controllers are running on a single virtualization cluster.

o Deploying a sufficient number of physical domain controllers per domain to allow for redundancy and to ensure that the virtualization cluster can start prior to the virtual domain controllers being available.

o Maintaining a distributed AD DS infrastructure. For example, when you have domain controllers for every domain available in branch offices or remote data centers, your virtualization hosts can use those domain controllers when they start.

• Single point of failure. AD DS domain controllers are the most important pieces of your infrastructure. If they fail, users cannot sign in or access resources or applications, and certain applications or services might not run correctly.

When virtualizing domain controllers, it is very important to ensure that there is not a single point of failure for your domain controller AD DS infrastructure. Setting up all domain controllers as virtual machine nodes on the same virtualization cluster is considered a single point of failure. The same applies when you have an additional cluster with domain controllers in a separate data center that is connecting to a storage area network (SAN) which is replicating with the SAN in the first data center. Replicated SANs have been a single point of failure in some cases.

Even if domain controllers are distributed as described in the domain membership consideration above, you must still ensure that there is not a single point of failure. The following domain virtualization recommendations will prevent you from needing to perform a forest recovery if anything happens to your virtualization infrastructure.

• Moving AD DS to the cloud. Setting up AD DS domain controllers into the Microsoft cloud platform can help avoid single points of failure. There are different ways this can be implemented that include the following:

o Backing up domain controllers in the cloud.

o Setting up at least one virtual domain controller per domain in the cloud.

o Replicating a domain controller’s virtual machine in the cloud by using Hyper-V Replica.
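The time synchronization consideration above describes two competing sources for a virtual domain controller's clock: the Hyper-V host (through the Time Synchronization integration service) and the domain hierarchy (PDC emulator chain). The following check is an added example, not from the courseware; it is run on the Hyper-V host as an administrator and reports which source a given virtual DC actually follows. The VM name, guest computer name and credential are placeholders, and the function name is the example's own.

```powershell
# Added example (not part of the 20411C courseware). Run on the Hyper-V host as an
# administrator. The VM name, guest computer name and credential are placeholders.
function Test-VirtualDcTimeSource {
    param(
        [Parameter(Mandatory)][string]$VMName,
        # Hostname of the guest DC for PowerShell remoting; assumed to equal the VM name
        [string]$GuestComputerName = $VMName,
        [pscredential]$GuestCredential
    )

    # Hyper-V integration service that pushes the host clock into the guest
    $timeSvc = Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
    $hostJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $result = [ordered]@{
        VMName              = $VMName
        HostDomainJoined    = $hostJoined
        HostTimeSyncEnabled = $timeSvc.Enabled
        # Which peer the host itself follows (a DC, an NTP server, or "Local CMOS Clock")
        HostTimeSource      = (& w32tm.exe /query /source) -join ''
    }

    if ($GuestCredential) {
        # Inside the guest, the source "VM IC Time Synchronization Provider" means the
        # host clock wins over the domain hierarchy (PDC emulator chain).
        $result.GuestTimeSource = Invoke-Command -ComputerName $GuestComputerName `
            -Credential $GuestCredential -ScriptBlock { (& w32tm.exe /query /source) -join '' }
    }

    # The configuration the lesson warns about: the guest DC takes time from a host
    # that is not itself part of the domain time hierarchy.
    $result.Recommendation = if ($timeSvc.Enabled -and -not $hostJoined) {
        'Host pushes time into the DC but is outside the domain hierarchy: join and synchronize the host, or disable the Time Synchronization integration service for this DC.'
    } elseif (-not $timeSvc.Enabled) {
        'DC follows the domain hierarchy; confirm the forest root PDC emulator has an external NTP source.'
    } else {
        'Host is domain-joined and pushes time into the DC; keep the host itself synchronized with the domain.'
    }
    [pscustomobject]$result
}

# Usage (placeholder names): report, then optionally make the DC follow the PDC
# emulator instead of the host clock.
Test-VirtualDcTimeSource -VMName 'DC01-VM' -GuestComputerName 'DC01'
# Disable-VMIntegrationService -VMName 'DC01-VM' -Name 'Time Synchronization'
```

The guest-side query is the decisive one: a DC whose w32tm source is the integration provider is ignoring the PDC emulator chain the lesson describes, so the host's own source must then be trustworthy, or the integration service should be disabled for that guest.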

How Checkpoints Affect Domain Controllers

A checkpoint captures the state of a virtual machine at a point in time; for virtual machines on Hyper-V, a checkpoint also saves the hardware configuration information. By creating checkpoints for a virtual machine, you can restore the virtual machine to a previous state. Virtualization hosts are able to create checkpoints of virtualization guests, which are useful if you need to change something, because you have an instant recovery option. Checkpoints allow virtual machines to be reverted to an earlier point in time, before a configuration change was made or an application was installed. This makes checkpoints a good recovery tool for administrators and developers, especially when testing system configuration or software changes. However, using checkpoints can be risky on production systems, because restoring a checkpoint means all changes after that checkpoint are lost permanently.

AD DS is a distributed and redundant directory where every domain controller of a domain stores information about every object and attribute in the domain. AD DS uses replication to ensure that data is synchronized across all domain controllers in the domain. Data that is stored in the schema or configuration partition of AD DS is replicated to all domain controllers in the forest. Using checkpoints on virtualized domain controllers can corrupt the AD DS database because of the way updates are made between domain controllers.

How Domain Controllers Update and Replicate Changes to Objects

AD DS uses a complex replication mechanism, and can store and service millions of objects, including user accounts. Security principals, which include user accounts, computer accounts, and group objects in AD DS, have a security identifier (SID) that is used to grant access to resources. SIDs are issued by each domain controller out of a pool of relative identifiers (RIDs).

During the replication process, a sequence of events takes place to ensure that any updated attribute or object gets added to all domain controllers’ AD DS databases. However, it is important to ensure that these updates are not repeatedly sent and added to the domain controllers’ databases; therefore, they must be carefully tracked and identified during the replication process. Every object in AD DS consists of multiple attributes. When an attribute is changed on any domain controller, the version number of that attribute is incremented and replicated to the other domain controllers so that each domain controller has a current copy of that attribute. Additionally, every domain controller stores an update sequence number (USN). Every time an attribute is written, the current USN is stored with the attribute’s metadata, and the USN is then increased. If multiple attributes are written in the same transaction on the same server, they receive the same USN. The USN is individual and independent for each domain controller and is not replicated with the attribute. Every time an attribute is written, the domain controller updates the attribute’s metadata with a time stamp and the domain controller’s own invocation ID. The invocation ID is a number that is unique for every domain controller, and it identifies the domain controller and its database uniquely in the forest.

When one domain controller requests replication from another domain controller, the requesting domain controller knows what USN was last stored. The requesting domain controller and receiving domain controller are known as replication partners. Every domain controller stores the invocation ID and the last USN of the changes that replicated from its replication partners. Because of this, the requesting domain controller can ask the receiving domain controller to check for updates since the last replication. Afterward, the receiving domain controller compares the version number of every attribute to determine whether the attribute has been changed remotely by a third domain controller on the other side of its replication partner, or locally, by the replication partner itself. Usually the version number of the remote attribute is higher, so the receiving domain controller takes the change and writes it back into its database. Additionally, this domain controller applies the same version number and assigns its own USN to the change. In certain situations, the same version number might appear on both sides of the replication, such as when the attribute was changed on multiple domain controllers independently. When this is the case, the domain controller looks at the time stamp of the USN, and the most recent change is selected. Using checkpoints on virtualized domain controllers would break this replication infrastructure because it would erase all the collected USN and replication data from the checkpointed domain controller.

USN Rollbacks

The effects of applying previous checkpoints to virtual domain controllers are called USN rollbacks. The following example explains how USN rollbacks occur:

1. There are two domain controllers, DC01 and DC02. DC01 has a USN of 2200. DC02 has a USN of 1020.

2. They both receive changes, and they want to replicate again.

3. DC01 has a current USN of 2220. DC02 has a USN of 1040. DC01 requests the updates from DC02 since DC02’s USN was 1020, which is the USN that DC01 recorded for DC02 in its high-watermark table at the last replication. DC02 requests all USNs since 2200.

4. An administrator creates a checkpoint of both domain controllers.

5. DC01 and DC02 continue to receive updates. When DC01 is at USN 2260 and DC02 is at USN 1080, they replicate again. DC01 requests all changes from DC02 since USN 1040, and DC02 requests all changes since USN 2220. DC01 and DC02 are synchronized again.

6. An administrator rolls back a checkpoint on DC02.

7. Now, DC02 is back at USN 1040 and thinks it has all updates from DC01 since USN 2220. DC01 is at USN 2260 and thinks it has all updates from DC02 since USN 1080. The next 40 changes on DC02 are not replicated to DC01.
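The seven steps above can be played through in a toy model of the high-watermark mechanism. The script below is an added example, not from the courseware, and it deliberately models only what the lesson describes (per-DC USNs, a per-partner high watermark, and checkpoint restore); real DCs also track attribute version numbers and invocation IDs. The class and function names are the example's own. Running it reproduces the outcome of step 7: DC02 writes 40 changes with reused USNs 1041 to 1080 that DC01 never requests, while DC01 keeps 40 stale DC02 changes that DC02 no longer has.

```powershell
# Added example (not part of the 20411C courseware): a toy model of high-watermark
# replication, stepped through the DC01/DC02 numbers in the text. Real DCs also use
# attribute version numbers and invocation IDs; this model shows only the USN watermark.
class ToyDc {
    [string]$Name
    [long]$Usn
    [hashtable]$HighWatermark = @{}              # partner name -> last USN pulled from it
    [System.Collections.Generic.List[string]]$Store = [System.Collections.Generic.List[string]]::new()
    [hashtable]$Checkpoint
    static [int]$NextChangeId = 1                # makes each change distinct even when a USN is reused

    ToyDc([string]$name, [long]$usn) { $this.Name = $name; $this.Usn = $usn }

    # Originate N local changes; each consumes one USN and is tagged "Origin:USN:changeId"
    [void] Write([int]$count) {
        for ($i = 0; $i -lt $count; $i++) {
            $this.Usn++
            $id = [ToyDc]::NextChangeId
            [ToyDc]::NextChangeId++
            $this.Store.Add("$($this.Name):$($this.Usn):c$id")
        }
    }

    # Pull from a partner everything it originated after our watermark for it
    [void] ReplicateFrom([ToyDc]$partner) {
        $since = 0
        if ($this.HighWatermark.ContainsKey($partner.Name)) { $since = $this.HighWatermark[$partner.Name] }
        foreach ($change in $partner.Store) {
            $parts = $change -split ':'
            if ($parts[0] -eq $partner.Name -and [long]$parts[1] -gt $since -and -not $this.Store.Contains($change)) {
                $this.Store.Add($change)
            }
        }
        $this.HighWatermark[$partner.Name] = $partner.Usn
    }

    # Checkpoint = frozen copy of USN, watermark table and database
    [void] TakeCheckpoint() {
        $this.Checkpoint = @{ Usn = $this.Usn; Watermark = $this.HighWatermark.Clone(); Store = @($this.Store) }
    }
    [void] RestoreCheckpoint() {
        $this.Usn = [long]$this.Checkpoint['Usn']
        $this.HighWatermark = [hashtable]$this.Checkpoint['Watermark'].Clone()
        $this.Store = [System.Collections.Generic.List[string]]::new([string[]]$this.Checkpoint['Store'])
    }
}

function Invoke-UsnRollbackDemo {
    $dc01 = [ToyDc]::new('DC01', 2200)           # step 1: in sync at 2200 / 1020
    $dc02 = [ToyDc]::new('DC02', 1020)
    $dc01.HighWatermark['DC02'] = 1020
    $dc02.HighWatermark['DC01'] = 2200

    $dc01.Write(20); $dc02.Write(20)              # steps 2-3: 2220 / 1040, then replicate
    $dc01.ReplicateFrom($dc02); $dc02.ReplicateFrom($dc01)

    $dc01.TakeCheckpoint(); $dc02.TakeCheckpoint()  # step 4

    $dc01.Write(40); $dc02.Write(40)              # step 5: 2260 / 1080, then replicate
    $dc01.ReplicateFrom($dc02); $dc02.ReplicateFrom($dc01)

    $dc02.RestoreCheckpoint()                     # step 6: DC02 back to USN 1040, watermark DC01=2220

    $dc02.Write(40)                               # step 7: new changes reuse USNs 1041..1080
    $dc01.ReplicateFrom($dc02)                    # DC01 asks "since 1080": nothing comes back
    $dc02.ReplicateFrom($dc01)

    $lost  = @($dc02.Store | Where-Object { $_.StartsWith('DC02:') -and -not $dc01.Store.Contains($_) })
    $stale = @($dc01.Store | Where-Object { $_.StartsWith('DC02:') -and -not $dc02.Store.Contains($_) })
    [pscustomobject]@{
        Dc01Usn                 = $dc01.Usn
        Dc02Usn                 = $dc02.Usn
        Dc01WatermarkForDc02    = $dc01.HighWatermark['DC02']
        Dc02ChangesNeverReachDc01 = $lost.Count
        StaleDc02ChangesOnDc01  = $stale.Count
    }
}

Invoke-UsnRollbackDemo
```

The model makes the failure mode concrete: after the restore, DC02's USN counter lags DC01's watermark for it, so DC01's next request ("everything after 1080") is a request for changes DC02 has not yet numbered, and nothing DC02 writes until it passes 1080 again is ever pulled.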

USN rollbacks lead to an inconsistent AD DS on different domain controllers and are very difficult, if not impossible, to fix. USN rollbacks can cause several issues, including different users receiving the same SID, and user passwords differing between domain controllers, depending on whether a domain controller with an unreplicated user password had a checkpoint restored. The secure channel between computers or even trusts between domains or forests might be affected, and replication can be inconsistent. The same groups can have different members depending on which domain controller is queried for group membership.

USN rollbacks must be avoided, but they are difficult to prevent when some administrators who have administrative access to the virtualization infrastructure are not aware of the effect that checkpoints have on domain controllers. Because checkpoints can only be taken of virtual disks, the recommendation for Windows Server 2008 R2 and earlier versions was that virtual domain controllers should use only directly attached physical volumes instead of virtual disks.

In Windows Server 2012, this issue has been directly addressed, which we cover in the next topic.

Domain Controller Virtualization in Windows Server 2012

In the previous topic, we addressed how snapshots affect virtual domain controllers, and how applying previous snapshots causes the AD DS infrastructure to become inconsistent because of USN rollbacks. Windows Server 2012 addresses and resolves this issue. To safeguard the virtualization of AD DS, you need the following components:

• A hypervisor that supports Virtual Machine Generation Identifier, such as Hyper-V in Windows Server 2012 and newer.

• Domain controllers as guest operating systems based on Windows Server 2012 or Windows Server 2012 R2.

The Virtual Machine Generation Identifier (VM-GenerationID) is a 128-bit value that the virtualization host uses to tell the guest that its state has been changed from outside, for example when a checkpoint is applied. The host exposes the identifier to the guest through the virtual machine’s firmware when the virtual machine starts. The domain controller reads the value and stores it in the AD DS database, in the msDS-GenerationId attribute of its own computer object. It then compares the stored value with the value the host presents during startup and before every write transaction to the database. If the two match, the domain controller continues as usual and performs the write. If they do not match, the domain controller holds the write and runs the virtualization safeguards so that it can rejoin replication as a valid partner without corrupting the directory.

The Virtualization Safeguards Process

There are two situations in which the Virtual Machine Generation Identifier is validated:

• When the virtual machine starts after a checkpoint is applied. Applying the checkpoint causes the hypervisor host to present a new Virtual Machine Generation Identifier to the virtual machine.

• When a running domain controller tries to write to its AD DS database after a checkpoint was applied to the running virtual machine. The hypervisor host has presented a new Virtual Machine Generation Identifier, and the domain controller notices the change at its next write.

The domain controller, not the hypervisor, compares the identifier the host presents with the identifier stored in its database. When the two do not match, the domain controller employs the virtualization safeguards. After the safeguards have run, the msDS-GenerationId attribute on the domain controller’s computer object is updated to the new identifier provided by the hypervisor host.

The virtual domain controller employs the virtualization safeguards by:

• Invalidating the local RID pool, which is that domain controller’s current allotment of RIDs, so that RIDs already issued before the rollback are never issued a second time. RID pools are covered in a later lesson.

• Setting a new invocation ID for its database. The invocation ID identifies a particular instance of a domain controller’s database to its replication partners, so a new invocation ID makes the domain controller present itself as a new replica: the partners have no replication history for it, and it replicates in and verifies all objects and attributes against its partners instead of assuming they already have its changes. The domain controller also reinitializes SYSVOL with a non-authoritative restore so that it receives current policy and script content.
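The following Windows PowerShell script is an added example and not part of the course material. It reports, on a domain controller, the state the two topics above describe: the Virtual Machine Generation Identifier that AD DS last stored for this domain controller (msDS-GenerationId on its computer object), its current invocation ID, and the two indicators of a USN rollback documented in Microsoft KB875495 (Directory Service events 2095 and 2103, and the Dsa Not Writable registry value set to 4). It assumes it runs elevated on the domain controller itself with the ActiveDirectory module installed; event ID 2170 for a detected Generation ID change is taken from Microsoft’s virtualized domain controller troubleshooting guidance and should be confirmed against your own Directory Service log. The function only reads; it changes nothing.

```powershell
Import-Module ActiveDirectory

function Get-DcVirtualizationState {
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME

    # msDS-GenerationId on the DC's own computer object holds the last VM-GenerationID
    # the DC stored (an octet string, shown here as hex). If it is absent, the DC is not
    # running on a VM-GenerationID-aware hypervisor, so no safeguards are available.
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
    $genId    = $computer.'msDS-GenerationId'
    $genIdHex = if ($genId) { [System.BitConverter]::ToString([byte[]]$genId) } else { $null }

    # NTDS sets "Dsa Not Writable" to 4 when it detects a USN rollback (KB875495) and
    # then stops inbound and outbound replication until the DC is repaired.
    $ntdsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $notWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # 2095 = USN rollback detected, 2103 = database restored by an unsupported method
    # (both from KB875495). 2170 = Generation ID change detected, i.e. the safeguards ran
    # (assumed from Microsoft's troubleshooting guidance; verify on your own DC).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2170 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController    = $dc.HostName
        InvocationId        = $dc.InvocationId
        VmGenerationId      = $genIdHex
        SafeguardsAvailable = [bool]$genId
        UsnRollbackFlagged  = ($notWritable -eq 4)
        RecentEvents        = @($events | ForEach-Object { '{0:u}  event {1}' -f $_.TimeCreated, $_.Id })
    }
}

Get-DcVirtualizationState | Format-List
```

A domain controller whose SafeguardsAvailable value is False is one on which a checkpoint rollback would go unnoticed; UsnRollbackFlagged being True means replication has already been stopped by NTDS and the domain controller must be recovered, not simply rebooted.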

Domain Controller Cloning

Rolling out clients and servers is a critical process. In Windows Server 2008 R2 and earlier versions, administrators tried to keep operating system installation time short during rollouts, because installations took a very long time, to limit the network capacity consumed, and to deploy as many standardized computers as possible in the shortest time. Preparing and deploying customized operating system installations was complex, and cloning was not fully supported: administrators had to build an image of a customized installation and run the System Preparation Tool (sysprep) so that settings that must be unique, such as the computer name, IP address settings, and the computer SID, were regenerated on each copy.

The standard file-based installation was replaced in Windows Vista® and newer with an image-based installation. Windows Deployment Services on Windows Server 2008 and above uses standard Windows Server setup technologies, including Windows Preinstallation Environment (Windows® PE), .wim files, and image-based setup.

Cloud computing virtual machine services, including private, on-premises clouds created with Microsoft System Center 2012 R2 Virtual Machine Manager, need to be highly scalable and should allow new virtual machines with specific roles to be installed on demand. Such services can quickly scale out virtual machines as needed, shut down unused virtual machines, and deliver consistent performance regardless of the number of requests. You can create a virtual machine template, a set of virtual machine settings that are applied when a virtual machine is created, and provision servers in the private cloud from it; creating a new machine from a template uses the same technology as cloning. With Windows Server 2008, this worked for many roles, but not for the AD DS domain controller role.

When you use Windows Server 2012, you are able to clone domain controllers. The following scenarios benefit from virtual domain controller cloning:

• Rapid deployment of additional domain controllers in a new domain.

• Quickly restoring business continuity during disaster recovery by restoring AD DS capacity through rapid deployment of domain controllers by using cloning.

• Optimizing private cloud deployments by taking advantage of flexible provisioning of domain controllers to accommodate increased scale requirements.


• Rapid provisioning of test environments, enabling deployment and testing of new features and capabilities before production rollout.

• Quickly meeting increased capacity needs in branch offices by cloning existing domain controllers in branch offices, or by cloning them in the data center and then transferring them to branches by using Hyper-V.

Cloning domain controllers requires the following:

• A hypervisor that supports Virtual Machine Generation Identifier, such as Hyper-V in Windows Server 2012 and newer.

• Domain controllers as guest operating systems based on Windows Server 2012 or Windows Server 2012 R2.

• The domain controller to be cloned (the source domain controller) must run as a virtual machine guest on the supported hypervisor.

• The domain controller that holds the PDC emulator operations master role must run Windows Server 2012 or newer. Windows Server 2012 domain controllers can be cloned while older domain controllers still exist in the domain, but the PDC emulator itself has to support the cloning process, and it must be online and reachable when each virtual domain controller clone starts for the first time.

To ensure that cloning virtualized domain controllers is authorized by AD DS administrators, a member of the Domain Admins group must prepare the domain controller that is to be cloned. A Hyper-V administrator cannot produce a working clone without that preparation, and an AD DS administrator cannot clone without access to the virtualization infrastructure, so neither role can clone a domain controller on its own.

To clone domain controllers, perform the following steps.

Preparing the Source Virtual Domain Controller

Follow these steps to prepare the source virtual domain controller:

1. Add the source domain controller to the Active Directory group Cloneable Domain Controllers.

2. Verify that the applications and services on the source domain controller support the cloning process. You can do this by using the Windows PowerShell® cmdlet:

Get-ADDCCloningExcludedApplicationList

The cmdlet lists installed services and programs that are neither on the built-in allow list nor in CustomDCCloneAllowList.xml. If cloning support for an application or service is unknown or undocumented, test it first. If it works after cloning, add it to CustomDCCloneAllowList.xml. You can create that file with the same cmdlet by adding the -GenerateXml parameter; add -Force if an existing CustomDCCloneAllowList.xml must be overwritten:

Get-ADDCCloningExcludedApplicationList -GenerateXml [-Force]

3. Create a DCCloneConfig.xml file. The cloning process looks for this file and, when it finds it, creates a new domain controller from the clone instead of treating the clone as a restored copy of the source. In the file, you can specify a custom computer name, TCP/IP address settings, and the site in which the new domain controller should reside. If you do not specify some or all of these settings, a computer name is generated automatically and the IP address settings are dynamic. This requires a Dynamic Host Configuration Protocol (DHCP) server on the network and assumes that the domain controller clones are in the same site as the source domain controller. You can create DCCloneConfig.xml with the following Windows PowerShell cmdlet:

New-ADDCCloneConfigFile [-CloneComputerName <String>] [-SiteName <String>] [-Static -IPv4Address <String> -IPv4SubnetMask <String> -IPv4DefaultGateway <String>] [-IPv4DNSResolver <String[]>] [-Offline -Path <String>]


If you want to create more than one clone and specify settings such as computer names and TCP/IP addressing information, you need to modify the DCCloneConfig.xml file, or create a new, individual one for each clone, prior to starting it for the first time.

4. Export the source virtual domain controller.

Preparing Multiple Domain Controller Clones

If you want to prepare multiple domain controller clones with the least effort, do not provide any additional parameters: let the computer names be generated automatically and use DHCP to provide TCP/IP addressing information. Alternatively, customize each clone by creating an individual DCCloneConfig.xml file for it. To do this:

1. Create the cloned virtual hard disks by exporting and importing the virtual computer.

2. Mount the cloned virtual hard disk by using one of the following three methods:

o Double-click it in File Explorer.

o Use Diskpart.exe with the assign command at an elevated command prompt.

o Use the Mount-DiskImage Windows PowerShell cmdlet.

3. Run New-ADDCCloneConfigFile with the -Offline and -Path parameters. Replace E: with the drive letter you received when mounting the virtual hard disk in the previous step:

New-ADDCCloneConfigFile -CloneComputerName LON-DC3 -Offline -Path E:\Windows\NTDS

4. Unmount the virtual disk files by using Diskpart.exe or the Dismount-DiskImage Windows PowerShell cmdlet.

Dynamically Assigning Computer Names

If you do not configure DCCloneConfig.xml with a static computer name—for example, to create multiple clones without an individual configuration—the computer name of the new clone is generated automatically based on the following algorithm:

• The prefix is the first eight characters of the source domain controller computer name. For example, a source computer name of SourceComputer is abbreviated into a prefix, SourceCo.

• A unique naming suffix of the format -CLnnnn is appended to the prefix where nnnn is the next available value from 0001–9999 that the PDC emulator determines is not in use currently.

Creating the Virtual Domain Controller Clones

To create the virtual domain controller clones, follow these steps:

1. Ensure that the domain controller that holds the PDC emulator operations master role runs Windows Server 2012 or Windows Server 2012 R2.

2. Ensure that the PDC emulator and a domain controller that hosts the global catalog are online.

3. By using the DCCloneConfig.xml files from the preparation steps, use the import function to create as many clones as needed. When using Hyper-V, select Copy the virtual machines (create a new unique ID) to import multiple, individual instances of the same exported computer.

4. As required, configure clones individually by following steps 1-3 under Preparing Multiple Domain Controller Clones.

5. Start the clones.


Finalizing Domain Controller Cloning

When a new domain controller clone starts, the following steps are performed automatically:

1. The clone checks whether a Virtual Machine Generation Identifier exists. If it does not, the hypervisor cannot signal a copy or a rollback, so the domain controller cannot be cloned safely. It starts normally if no DCCloneConfig.xml exists; if the file does exist, it is renamed and the computer restarts in Directory Services Restore Mode, one of the specialized boot options available to domain controllers. Starting in Directory Services Restore Mode is a safeguard: a domain administrator must investigate and fix the issue before the domain controller can work as intended.

2. Check whether the Virtual Machine Generation Identifier changed:

o If the Virtual Machine Generation Identifier has not changed, then the starting virtual domain controller is the original source domain controller. If a DCCloneConfig exists, it is renamed. In any case, a normal start up is performed and the domain controller is functional again.

o If the Virtual Machine Generation Identifier has changed, the virtualization safeguards are triggered and the process continues.

3. Check if the DCCloneConfig exists. If it does not exist, a check for a duplicate IP address decides whether to boot normally or in Directory Services Restore Mode. If the DCCloneConfig file exists, the computer receives the new computer name and IP address settings from that file. The AD DS database is modified and initialization steps are performed so that a new domain controller is created.

Demonstration: Cloning Domain Controllers

In this demonstration, you will see how to:

• Prepare a source domain controller to be cloned.

• Export the source virtual machine.

• Create and start the cloned domain controller.

Demonstration Steps

Prepare the source domain controller that you want to clone:

1. Switch to LON-DC1.

2. Add the domain controller LON-DC1 to the Active Directory group Cloneable Domain Controllers.

3. Verify applications and services on LON-DC1 to ensure that they support cloning.

4. Create a DCCloneConfig.xml file, and then, within the file, set the cloned domain controller name to LON-DC3.

5. Shut down LON-DC1.

Export the source virtual machine

1. On the host computer, in Microsoft Hyper-V Manager, export LON-DC1.

2. Start LON-DC1.

Create and start the cloned domain controller

1. In Hyper-V Manager, import a virtual machine by using the exported files. Name the new virtual machine 20411C-LON-DC3, and then select Copy the virtual machine (create a new unique ID).

2. In Hyper-V Manager, start LON-DC3.
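The following Windows PowerShell script is an added example and not part of the course or the demonstration. It carries out the procedure from Preparing the Source Virtual Domain Controller through Creating the Virtual Domain Controller Clones, including the per-clone offline DCCloneConfig.xml, with the ActiveDirectory and Hyper-V modules, and produces the LON-DC3 clone that the demonstration above creates in Hyper-V Manager, plus two more. The computer and virtual machine names come from the course; the IP addresses, the site name, the export and virtual machine paths, and the use of Mount-VHD from the Hyper-V module in place of Mount-DiskImage are assumptions. The first part runs on LON-DC1 as a Domain Admin; the second runs on the Hyper-V host, which needs the AD DS RSAT Windows PowerShell module for the offline step.

```powershell
# ---------- Part 1: on the source DC (LON-DC1), as a member of Domain Admins ----------
Import-Module ActiveDirectory

# The PDC emulator must understand cloning: Windows Server 2012 or newer.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if (-not ($pdc.OperatingSystem -match 'Windows Server (\d{4})') -or [int]$Matches[1] -lt 2012) {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; Windows Server 2012 or newer is required."
}

# Step 1: authorize this DC for cloning. Only an AD DS admin can do this, which is
# the control: a Hyper-V admin alone cannot turn a copied DC into a working clone.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members ($env:COMPUTERNAME + '$')

# Step 2: any installed service or program not known to be clone-safe blocks cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning ("Not known to be clone-safe:`n" + ($excluded | Out-String))
    throw 'Test these first, then allow-list them with Get-ADDCCloningExcludedApplicationList -GenerateXml -Force'
}

# Step 3: DCCloneConfig.xml for the first clone, written into the NTDS folder. The
# cmdlet re-checks group membership, PDC version and the excluded-application list.
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.12' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# Step 4: the VM must be off before it is exported.
Stop-Computer -Force

# ---------- Part 2: on the Hyper-V host, as a Hyper-V administrator ----------
Import-Module Hyper-V, ActiveDirectory
$exportRoot = 'D:\Export'   # assumed path
$vmRoot     = 'D:\VMs'      # assumed path

Export-VM -Name '20411C-LON-DC1' -Path $exportRoot
Start-VM  -Name '20411C-LON-DC1'   # unchanged VM-GenerationID: it renames DCCloneConfig.xml and boots normally

# Exported VM definition: .xml on Windows Server 2012/2012 R2 hosts, .vmcx from 2016 on.
$vmConfig = Get-ChildItem -Path "$exportRoot\20411C-LON-DC1\Virtual Machines\*" -Include *.xml, *.vmcx |
            Select-Object -First 1

# One import per clone, each with a new VM ID (the GUI's "Copy the virtual machine
# (create a new unique ID)"). LON-DC3 keeps the DCCloneConfig.xml already on its disk;
# the others get their own file written offline.
$clones = [ordered]@{ 'LON-DC3' = $null; 'LON-DC4' = '172.16.0.13'; 'LON-DC5' = '172.16.0.14' }
foreach ($name in $clones.Keys) {
    $vm = Import-VM -Path $vmConfig.FullName -Copy -GenerateNewId `
                    -VirtualMachinePath "$vmRoot\$name" -VhdDestinationPath "$vmRoot\$name\Virtual Hard Disks"
    Rename-VM -VM $vm -NewName "20411C-$name"

    if ($clones[$name]) {
        $vhdPath = (Get-VMHardDiskDrive -VM $vm | Select-Object -First 1).Path
        $letter  = Mount-VHD -Path $vhdPath -Passthru | Get-Disk | Get-Partition | Get-Volume |
                   Where-Object { $_.DriveLetter -match '[A-Z]' -and (Test-Path "$($_.DriveLetter):\Windows\NTDS") } |
                   Select-Object -First 1 -ExpandProperty DriveLetter
        New-ADDCCloneConfigFile -Offline -Path "$($letter):\Windows\NTDS" -CloneComputerName $name `
            -SiteName 'Default-First-Site-Name' -Static -IPv4Address $clones[$name] `
            -IPv4SubnetMask '255.255.0.0' -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'
        Dismount-VHD -Path $vhdPath
    }

    # The PDC emulator must be online now; the clone finishes its promotion on first boot.
    Start-VM -VM $vm
}
```

Because the exported disk still contains the source's DCCloneConfig.xml, every import that is not customized offline would otherwise reuse the LON-DC3 name; the offline step replaces that file before the clone boots, which is why it must happen before Start-VM.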


Domain Controller Virtualization Best Practices

Virtualization provides many benefits, such as hardware independence, efficient use of resources, and scalability in private cloud scenarios. It also provides flexibility when moving virtual machines across virtualization infrastructures. In the past, virtualizing domain controllers required the administrators of the virtual infrastructure to have knowledge of the AD DS-specific requirements and to take precautions not to introduce additional risks to an AD DS infrastructure.

In Windows Server 2012, fundamental improvements provide new safeguards to the process of virtualizing domain controllers. The ability to clone virtual domain controllers was also introduced in Windows Server 2012.

When considering whether to use virtualized domain controllers, you should keep the following best practices in mind:

• Avoid single points of failure. Ensure that you have at least two virtualized domain controllers per domain on different virtualization hosts. This reduces the risk of losing all domain controllers if a single virtualization host fails. Also, use different storage networks and storage systems. Maintain domain controllers in different data centers or regions to reduce the impact of disasters.

• Ensure that all computers, including the hypervisor hosts and the domain controller guests, synchronize their time correctly.

• Keep in mind that only virtualization infrastructures that support the new Virtual Machine Generation Identifier feature support safeguards for creating checkpoints and cloning of virtual domain controllers.

• Use Windows Server 2012 or Windows Server 2012 R2 as the guest operating system for virtual domain controllers. Only these versions support the new safeguards for virtual domain controllers.

• Avoid or disable checkpoints. If the virtualization host or the guest operating systems of the domain controllers do not support the safeguards for virtualizing domain controllers, make it impossible to create checkpoints; for example, use a pass-through disk instead of a virtual disk. When the safeguards are supported, use a virtual disk so that cloning is possible, but still avoid checkpoints: the safeguards make a rollback recoverable, not harmless.

• The virtualization administrators need to be held to the same level of trust and responsibility that the Domain Administrators are.

• Consider taking advantage of cloning. Cloning can be a deployment or recovery strategy. It provides a fast and simple way to create many domain controllers in a short time.

• Do not start more than 10 new clones at the same time, because the file replication used for SYSVOL allows only 10 concurrent replication connections.

• Consider using virtualization technologies that allow you to move virtual machines across site boundaries. This can be beneficial in your deployment and recovery strategies. For example, you can create 10 clones in a central location and then move them to remote offices during off-peak hours.


• Adjust your naming strategy to allow cloning of domain controllers. For example, retain the first 8 characters of the source domain controller name, and then append a suffix of –CLnnnn.

For more information about running domain controllers in Hyper-V, go to:

http://go.microsoft.com/fwlink/?LinkID=331162


Lesson 3 Implementing RODCs

In many cases, such as at a remote branch office or a location where a server cannot be placed in a secure physical environment, RODCs can provide the functionality of a domain controller without potentially exposing your AD DS environment to unnecessary risks. This lesson will help you to better understand the methods and best practices that you can use to manage RODCs in the Windows Server 2012 R2 environment.

Lesson Objectives After completing this lesson, you will be able to:

• Explain considerations for implementing RODCs.

• Describe how to manage credential caching on an RODC.

• Identify the important aspects of managing local administration for RODCs.

• Configure credential caching on an RODC.

Considerations for Implementing RODCs

An RODC holds a read-only copy of the Active Directory database that contains all of the domain’s objects, but not all of their attributes. Credentials (password hashes and other secrets) are not replicated to an RODC unless its Password Replication Policy explicitly allows it. In addition, attributes in the RODC filtered attribute set are never replicated to any RODC. If an application stores sensitive data in an attribute that must not end up on an RODC, add that attribute to the filtered attribute set, and also mark it confidential so that the RODC’s own computer account cannot read it from a writable domain controller over LDAP.

Understanding RODC Functionality

You cannot make changes to the AD DS database on an RODC. All requests for changes are forwarded to a writable domain controller. Because no changes occur on the RODC, replication of Active Directory changes is one way only, from writable domain controllers to the RODC.

Credential Caching

User and computer credentials are not replicated to an RODC by default. To allow user logon requests to be processed locally by an RODC, you must configure a Password Replication Policy (PRP) that defines which credentials may be cached. If the RODC is stolen, only the passwords of the user and computer accounts that were cached on it need to be reset; when you delete the RODC’s computer account, AD DS offers to reset those passwords and to export the list of affected accounts.

If user and computer credentials are not replicated to an RODC, then a writable domain controller must be contacted during the authentication process. In a typical branch office scenario, the credentials for local users and computers would be configured to be cached on an RODC. However, when RODCs are placed in a perimeter network, the credentials for users and computers typically are not cached.

Administrative Role Separation

To manage a writable domain controller, you must be a member of the domain’s built-in Administrators group. Any user placed in that group can manage all domain controllers in the domain. The RODC administrator in a remote office should not be given that access. Instead, delegate to that administrator permission to manage only that RODC, which may also provide other services such as file shares and printing.

Read-Only DNS

Domain Name System (DNS) is a critical resource for a Windows network. If you configure an RODC as a DNS server, you can replicate DNS zones through AD DS to the RODC. DNS on the RODC is read-only: when a client tries to update a record, the RODC refers it to a writable DNS server, and afterwards requests replication of the updated record so that its own copy is current.

Deploying RODCs

To deploy an RODC, ensure that the following activities are performed:

• Ensure that the forest functional level is Windows Server 2003 or newer. That means that all domain controllers must run Windows Server 2003 or newer, and each domain in the forest must be at the Windows Server 2003 domain functional level or newer.

• Run ADPrep /RODCPrep. This configures permissions on the DNS application directory partitions so that they can replicate to RODCs. It is required only in a forest that was upgraded from Windows Server 2003; a forest created with Windows Server 2008 or newer already has these permissions.

• Ensure that there is a writable domain controller running Windows Server 2008 or newer. An RODC replicates the domain partition only from these domain controllers. Therefore, each domain with RODCs must have at least one Windows Server 2008 or newer domain controller. You can replicate the Schema and Configuration partitions from Windows Server 2003.

You can also deploy an RODC to Windows Azure if you do not need a writable domain controller there. In most cases, Windows Azure is a more secure environment than a typical small branch office, and an RODC hosted there can decrease replication traffic substantially. You can also create a customized filtered attribute set so that the Windows Azure-hosted RODC does not store attributes that should not leave your premises.

RODC Installation

Like a writable domain controller, you can install an RODC by performing an attended or an unattended installation. If you perform an attended installation by using the graphical interface, you select the RODC as one of the additional domain controller options.

You also can delegate the RODC installation to the administrator in the remote office by performing a staged installation. In a staged installation, you need to perform the following steps:

1. Ensure that the server to be configured as the RODC is not a member of the domain.

2. A domain administrator then uses Active Directory Users and Computers to stage the RODC account in the Domain Controllers OU. The wizard for performing this process prompts the administrator for the necessary information, including the user or group that is allowed to join the RODC to the domain.

3. The administrator in the remote office runs the AD DS installation Wizard, and follows the wizard to join the domain as the staged RODC account.


Managing Credential Caching on an RODC

RODCs store only a subset of the credentials in AD DS through credential caching. A PRP determines which user and computer credentials may be cached on a specific RODC. If the PRP allows an RODC to cache an account’s credentials, authentication and service-ticket requests for that account can be processed locally by the RODC. If an account’s credentials are not cached on the RODC, which is the case for every account until the PRP is modified, the RODC forwards authentication and service-ticket requests for that account to a writable domain controller, so logons for such accounts depend on the link to that domain controller.

Password Replication Policy Components

The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific accounts or groups. An account must be on the Allowed List for its credentials to be cached. If a group is on the Allowed List and a member of that group is also on the Denied List, directly or through another group, caching is not allowed for that member: deny always wins.

There are two domain local groups that you can use to allow or deny caching globally on all RODCs in a domain:

• Allowed RODC Password Replication Group is on the Allowed List of every RODC. This group has no members by default.

• Denied RODC Password Replication Group is on the Denied List of every RODC. By default, its members include Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, Cert Publishers, Domain Controllers, Read-only Domain Controllers, and the krbtgt account.

The Allowed List and Denied List are configured separately on each RODC. By default, the Allowed List contains only the Allowed RODC Password Replication Group, and the Denied List contains the Denied RODC Password Replication Group, Administrators, Server Operators, Backup Operators, and Account Operators.

As a domain administrator, you will add accounts separately to each RODC, or add global groups containing accounts rather than globally allowing password caching. This allows you to limit the number of credentials cached to only those accounts commonly at that location. Domain-wide administrative accounts should not be cached on RODCs in remote offices. You should cache computer accounts to speed up authentication of computer accounts during system startup. Additionally, you should cache service accounts for services that are running at the remote office.

Best Practices for Credential Caching

The following best practices should be observed to ensure the most effective use of cached credentials:

• Create separate AD DS global groups for each RODC.

• Do not cache passwords for domain-wide administrative accounts.


Managing Local Administration for RODCs

The management of RODCs is separated from other domain controllers. Accordingly, you can delegate administration of RODCs to local administrators in remote offices, without giving those administrators access to writable domain controllers. You can delegate administration of an RODC in the properties of the RODC computer account on the Managed By tab.

You can specify only a single security principal on the Managed By tab of an RODC computer account. Specify a group, so that you can delegate management permissions to multiple users by making them members of the group. You also can delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option, as the following example shows (run on the RODC; the local role, here administrators, follows the principal):

C:\>dsmgmt
dsmgmt: local roles
local roles: add Adatum\Research administrators

You should cache the passwords of the delegated administrators so that they can perform system maintenance when a writable domain controller is unavailable. Because those passwords then reside on the RODC, use accounts whose rights are limited to that office.

Note: Never sign in to an RODC with an account that is a member of the Domain Admins group. An RODC sits where physical security cannot be guaranteed, so treat it as potentially compromised and assume that any credential used on it could be captured. Domain administrators should therefore have a separate, less privileged server-administrator account that is delegated management access to the RODC.

Demonstration: Configuring RODC Credential Caching

In this demonstration, you will see how to:

• Configure password replication groups

• Create a group to manage password replication to the remote office RODC

• Configure a password replication policy for the remote office

• Evaluate the resulting password replication policy

• Monitor credential caching

Demonstration Steps

Verify requirements for installing an RODC

1. On LON-DC1, in Server Manager, open Active Directory Users and Computers.

2. In the properties of Adatum.com, verify that the forest functional level is set to at least Windows Server 2003.

3. On LON-SVR1, open Server Manager, and verify whether the computer is a domain member.

4. Assign LON-SVR1 to a workgroup named TEMPORARY.


5. Restart LON-SVR1.

6. On LON-DC1, open Active Directory Users and Computers.

7. Delete the LON-SVR1 computer account from the Computers container.

8. In the Domain Controllers OU, precreate an RODC account by using default settings, except for the following:

o Computer name: LON-SVR1

o Delegate to: ADATUM\IT

Install an RODC

1. Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd.

2. On LON-SVR1, add the Active Directory Domain Services role.

3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:

o Domain: Adatum.com

o Network credentials: Adatum\April (a member of the IT group)

o Password for April: Pa$$w0rd

o Directory Services restore mode password: Pa$$w0rd

o Replicate from: LON-DC1.Adatum.com

4. When installation is complete, restart LON-SVR1.
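The following Windows PowerShell script is an added example and not part of the course. It performs the staged installation described under RODC Installation and in the Verify requirements and Install an RODC demonstration steps with the ADDSDeployment module: the first part runs on LON-DC1 as a Domain Admin, the second on LON-SVR1, which must still be a workgroup member, as the local Administrator. The domain, computer, group, and user names are the course’s lab names; the site name is an assumption.

```powershell
# ---------- On LON-DC1, as a Domain Admin: check prerequisites and stage the account ----------
Import-Module ActiveDirectory, ADDSDeployment

# Forest functional level Windows Server 2003 or newer (Deploying RODCs, first bullet).
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2003 or newer is required."
}

# A writable Windows Server 2008 or newer DC to replicate the domain partition from.
$writable = Get-ADDomainController -Filter * |
            Where-Object { -not $_.IsReadOnly -and
                           $_.OperatingSystem -match 'Windows Server (\d{4})' -and [int]$Matches[1] -ge 2008 }
if (-not $writable) { throw 'No writable Windows Server 2008 or newer domain controller found.' }

# Stage the RODC account in the Domain Controllers OU. The IT group may join the server
# to this account and later administers the RODC; nobody in it needs Domain Admins.
$staging = @{
    DomainControllerAccountName       = 'LON-SVR1'
    DomainName                        = 'Adatum.com'
    SiteName                          = 'Default-First-Site-Name'   # assumption: the lab's default site
    DelegatedAdministratorAccountName = 'ADATUM\IT'
    InstallDns                        = $true
}
Add-ADDSReadOnlyDomainControllerAccount @staging

# ---------- On LON-SVR1 (workgroup member), as the local Administrator ----------
# Install the role, then promote by using the staged account. Both passwords are
# prompted for rather than written into the script.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$promotion = @{
    DomainName                    = 'Adatum.com'
    UseExistingAccount            = $true   # attach to the staged RODC account instead of creating a new DC
    Credential                    = (Get-Credential -UserName 'ADATUM\April' -Message 'Delegated installer (member of IT)')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password')
    ReplicationSourceDC           = 'LON-DC1.Adatum.com'
    InstallDns                    = $true
    Force                         = $true   # no confirmation prompt; the server restarts when done
}
Install-ADDSDomainController @promotion

# ---------- Back on LON-DC1, after LON-SVR1 has restarted: confirm it is an RODC ----------
Get-ADDomainController -Identity 'LON-SVR1' | Select-Object HostName, IsReadOnly, Site, OperatingSystem
```

The delegated installer (April) only ever holds the rights granted through the staged account, which is the point of staging: the credentials typed at the branch office are never those of a domain administrator.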

Configure password-replication groups

1. On LON-DC1, in the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that it has no members.

2. In the Domain Controllers OU, open the properties of LON-SVR1.

3. On the Password Replication Policy tab, verify that Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.

Create a group to manage password replication to the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group named Remote Office Users.

2. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users.

Configure a password-replication policy for the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then open the properties of LON-SVR1.

2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to LON-SVR1.

Evaluate the resulting password-replication policy

1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.

2. On the Password Replication Policy tab, click Advanced. On the Resultant Policy tab, add Aziz, and then confirm that Aziz’s password can be cached.


Monitor credential caching

1. Attempt to log on to LON-SVR1 as Aziz. This logon fails because Aziz does not have permission to log on to the RODC, but the RODC still authenticates the account and, because the PRP allows it, Aziz’s credentials are cached.

2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.

3. On the Password Replication Policy tab, click Advanced.

4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Aziz’s password has been cached.

Prepopulate credential caching

1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.

2. On the Password Replication Policy tab, click Advanced.

3. On the Policy Usage tab, prepopulate the password for Louise and LON-CL1.

4. Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added.

5. Close all open windows on LON-DC1.
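The same lab, carried out with the Active Directory module for Windows PowerShell instead of the Active Directory Users and Computers GUI. This is an added example, not part of the course handbook; it assumes you run it on LON-DC1 as a domain administrator, that LON-SVR1 is the RODC, and that the Research OU and the accounts named in the lab exist in Adatum.com. Everything the GUI shows on the Password Replication Policy, Resultant Policy and Policy Usage tabs has a cmdlet equivalent, which is what makes the revealed-accounts list auditable on a schedule rather than by hand.

```powershell
# Added example (not part of the course handbook): manage an RODC password
# replication policy (PRP) with the Active Directory module, mirroring the lab.
# Assumptions: run on LON-DC1 as a domain admin; LON-SVR1 is the RODC; the
# Research OU and the listed accounts exist in Adatum.com as in the lab.
Import-Module ActiveDirectory

$rodc      = 'LON-SVR1'
$groupName = 'Remote Office Users'
$ouPath    = 'OU=Research,DC=Adatum,DC=com'

# 1. Create the group that decides whose credentials the branch RODC may cache.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
}
# Computer accounts are addressed by sAMAccountName, which carries a trailing $.
Add-ADGroupMember -Identity $groupName -Members 'Aziz', 'Colin', 'Lukas', 'Louise', 'LON-CL1$'

# 2. Put the group on the RODC's allowed list. Deny wins over allow, so the
#    built-in Denied RODC Password Replication Group keeps protecting admins.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $groupName

# 3. Show the resulting allowed and denied lists (the Password Replication Policy tab).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 4. Resultant policy for one account (Advanced > Resultant Policy in the GUI).
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Aziz' -DomainController $rodc

# 5. Prepopulate the cache for Louise and LON-CL1 (Policy Usage > Prepopulate Passwords).
#    Sync-ADObject -PasswordOnly replicates just the secret, from a writable DC to the RODC.
foreach ($acct in 'Louise', 'LON-CL1$') {
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$acct'"
    Sync-ADObject -Object $obj -Source 'LON-DC1' -Destination $rodc -PasswordOnly
}

# 6. Audit what the RODC holds. Every account on the revealed list is exposed if
#    the RODC is stolen, so this list is worth reviewing on a schedule.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name
```

The authenticated-accounts list is the one to compare against the revealed list: an account that has authenticated through the RODC but is not revealed was served by forwarding to a writable DC, which is the intended outcome for anyone not in Remote Office Users.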


Lesson 4 Administering AD DS

The AD DS environment contains a large number of management tools that enable you to monitor and modify AD DS. These tools help you ensure that your organization’s domain infrastructure is serving its purpose and functioning properly. Windows Server 2012 includes a broader set of tools for working within AD DS than previous versions of the Windows operating system. Improvements to the Active Directory Administrative Center and the addition of several cmdlets to the Active Directory module for Windows PowerShell provide even greater control over your AD DS domain.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the Active Directory administrative snap-ins.

• Describe the Active Directory Administrative Center.

• Describe the Active Directory module for Windows PowerShell.

• Explain how to manage AD DS by using management tools.

• Explain how to manage operations master roles.

• Explain how to manage AD DS backup and recovery.

Overview of Active Directory Administration Snap-ins

There are a number of tools available to administer and manage your domain. Many of the tools that were found under the Administrative Tools menu item in Windows Server 2008 R2 and earlier versions are now found on the Tools tab in Windows Server 2012 Server Manager. Additionally, you can create a Microsoft Management Console and add the tools to the console. The process of adding tools to the console is referred to as snapping in, and the added tools are called snap-ins. You will perform most Active Directory administration by using the following snap-ins and consoles:

• Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, and computers. This is likely to be the most heavily used snap-in for an administrator of an Active Directory environment.

• Active Directory Sites and Services. This Microsoft Management Console (MMC) snap-in manages replication, network topology, and related services.

• Active Directory Domains and Trusts. This MMC snap-in configures and maintains trust relationships on the domain and forest functional level.

• Active Directory Schema. This MMC snap-in examines and modifies the definition of Active Directory attributes and object classes. The schema is the blueprint for AD DS, and you typically do not view or change it very often. For that reason, the Active Directory Schema snap-in is not registered by default and must be registered before you can add it to a console.


By default, the AD DS administrative snap-ins are installed on computers hosting the domain controller role. You can add the snap-ins to other computers such as clients running the Windows 8.1 operating system and Windows Server 2012 member servers, by installing the Remote Server Administration Tools (RSAT). Follow the steps below to install the RSAT on Windows 8.1 clients:

1. Sign in as a domain administrator to the computer on which you want to run the administrative snap-ins, and then obtain and install the Remote Server Administration Tools for Windows 8.1 from the official Microsoft Download Center. The RSAT is an .msu file, a standalone Windows Update file. 64-bit and 32-bit versions of the .msu file are available from the Download Center. Select the version that is appropriate for your client architecture.

2. The RSAT adds all of the AD DS administrative snap-ins to the client. To verify this installation, open Control Panel, click Programs, click Programs and Features, and then click the hyperlink Turn Windows Features on or off. Scroll down to find the Remote Server Administrative Tools node, and expand it in the following order: Role Administrative Tools, AD DS and LDS Tools, AD DS Tools, AD Snap-ins.

3. On the Start screen, click the down arrow, then scroll to the right, find and then right-click Administrative Tools, and then click Pin to Taskbar.

4. In the desktop screen, click the Administrative Tools icon on the task bar. Confirm that the AD DS administrative snap-ins listed above are available.

Overview of the Active Directory Administrative Center

Windows Server 2012 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a GUI built on Windows PowerShell. This enhanced interface allows you to perform Active Directory object management by using task-oriented navigation. Tasks that you can perform by using the Active Directory Administrative Center include:

• Creating and managing user, computer, and group accounts.

• Creating and managing OUs.

• Connecting to and managing multiple domains within a single instance of the Active Directory Administrative Center.

• Searching and filtering Active Directory data by building queries.

• Creating and managing fine-grained password policies.

• Recovering objects from the Active Directory Recycle Bin.

Installation Requirements

You can install the Active Directory Administrative Center only on computers that are running Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, the Windows 7 operating system, or Windows 8. You can install the Active Directory Administrative Center by either:

• Installing the AD DS server role through Server Manager.

• Installing the RSAT on a Windows Server 2012 server or Windows 8 client.


Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS) service, which you must install on at least one domain controller in the domain. The service also requires port 9389 to be open on the domain controller where ADWS is running.

New Active Directory Administrative Center Features in Windows Server 2012

The Active Directory Administrative Center includes several new features in Windows Server 2012 that enable the graphical management of AD DS functionality:

• Active Directory Recycle Bin. Active Directory Administrative Center now offers complete management of the Active Directory Recycle Bin. Administrators can use Active Directory Administrative Center to view and locate deleted objects, and to manage and restore those objects to their original or other desired location.

• Fine-Grained Password Policy. Active Directory Administrative Center also provides a GUI to create and manage password settings objects to implement fine-grained password policies in an AD DS domain.

• Windows PowerShell History Viewer. Active Directory Administrative Center functionality is built on Windows PowerShell. Any command or action that you perform within the Active Directory Administrative Center interface is executed in Windows Server 2012 through Windows PowerShell cmdlets. When an administrator performs a task within the Active Directory Administrative Center interface, the Windows PowerShell History Viewer shows the Windows PowerShell commands that were issued for the task. This enables administrators to reuse those commands in their own scripts, and helps them become more familiar with Windows PowerShell syntax and usage.

What Is Ntdsutil?

Ntdsutil is a command-line executable that you can use to perform database maintenance, including the creation of snapshots, offline defragmentation, and the relocation of the database files.

You also can use Ntdsutil to clean up domain controller metadata. If a domain controller is removed from the domain while offline, it is unable to remove important information from the directory service. You can then use Ntdsutil to clean out the remnants of the domain controller.

Ntdsutil can also reset the password used to log on to the Directory Services Restore Mode. This password is initially configured during the configuration of a domain controller. If you forget the password, the ntdsutil set dsrm command can reset it.


Overview of the Active Directory Module for Windows PowerShell

The Active Directory module for Windows PowerShell in Windows Server 2012 consolidates a group of cmdlets that you can use to manage your Active Directory domains. Windows Server 2012 builds on the foundation provided by the Active Directory module for Windows PowerShell originally introduced in Windows Server 2008 R2, by adding an additional 60 cmdlets. These cmdlets expand the preexisting Windows PowerShell capabilities and add new capabilities to replication and resource access control.

The Active Directory module for Windows PowerShell enables management of AD DS in the following areas:

1. User management.

2. Computer management.

3. Group management.

4. OU management.

5. Password policy management.

6. Searching and modifying objects.

7. Forest and domain management.

8. Domain controller and operations-masters management.

9. Managed service account management.

10. Site-replication management.

11. Central access and claims management.

Cmdlet Examples

The following are examples of cmdlets available in the Active Directory module for Windows PowerShell in Windows Server 2012:

• New-ADComputer creates a new computer object in AD DS.

• Remove-ADGroup removes an Active Directory group.

• Set-ADDomainMode sets the domain functional level for an Active Directory domain.

Installation

You can install the Active Directory module by using any of the following methods:

• By default, on a Windows Server 2008 R2 or Windows Server 2012 server, when you install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles.

• By default, when you make a Windows Server 2008 R2 or Windows Server 2012 server a domain controller.

• As part of the RSAT feature on a Windows Server 2008 R2, Windows Server 2012, Windows 7 or Windows 8 computer.


Demonstration: Managing AD DS by Using Management Tools

Each AD DS management tool has a purpose in the administration of a complete AD DS environment. This demonstration will show you the primary tools that you can use to manage AD DS and a task that you typically perform with the tool.

This demonstration shows you how to:

• Create objects in Active Directory Users and Computers.

• View object attributes in Active Directory Users and Computers.

• Navigate within the Active Directory Administrative Center.

• Perform an administrative task in the Active Directory Administrative Center.

• Use the Windows PowerShell Viewer in the Active Directory Administrative Center.

• Manage AD DS objects with Windows PowerShell.

Demonstration Steps

Active Directory Users and Computers

View objects

1. On LON-DC1, open Active Directory Users and Computers.

2. Navigate the Adatum.com domain tree, viewing Containers, Organizational Units (OUs), and Computer, User, and Group objects.

Refresh the view

• Refresh the view in Active Directory Users and Computers.

Create objects

1. Create a new computer object named LON-CL4 in the Computers container.

2. To create an object in Active Directory Users and Computers, right-click a domain or a container, such as Users or Computers, or an OU, point to New, and then click the type of object that you want to create.

3. When you create an object, you are prompted to configure several of the object’s most basic properties, including the properties that the object requires.

Configure object attributes

1. In Active Directory Users and Computers, open the Properties page for LON-CL4.

2. Add LON-CL4 to the Adatum/Research group.

View all object attributes

1. Enable the Advanced Features view in Active Directory Users and Computers.

2. Open the Properties page for LON-CL4, and then view the AD DS attributes.

Active Directory Administrative Center

Navigation

1. On LON-DC1, open Active Directory Administrative Center.

2. In Active Directory Administrative Center, click the Navigation nodes.


3. Switch to the tree view.

4. Expand Adatum.com.

Perform administrative tasks

1. Navigate to the Overview view.

2. Reset the password for Adatum\Adam to Pa$$w0rd, without requiring the user to change the password at the next log on.

3. Use the Global Search section to find any objects that match this search string: Rex.

Use the Windows PowerShell History Viewer

1. Open the Windows PowerShell History pane.

2. View the Windows PowerShell cmdlet that you used to perform the most recent task.

Windows PowerShell

Create a group

1. Open the Active Directory Module for Windows PowerShell.

2. Create a new group called SalesManagers by using the following command:

New-ADGroup -Name "SalesManagers" -GroupCategory Security -GroupScope Global -DisplayName "Sales Managers" -Path "CN=Users,DC=Adatum,DC=com"

3. Open Active Directory Administrative Center, and confirm that the SalesManagers group is present in the Users container.

Move an object to a new OU

1. At the Windows PowerShell prompt, move SalesManagers to the Sales OU by using the following command:

Move-ADObject "CN=SalesManagers,CN=Users,DC=Adatum,DC=com" -TargetPath "OU=Sales,DC=Adatum,DC=com"

2. Switch to Active Directory Administrative Center, and then confirm that the SalesManagers group has been moved to the Sales OU.
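The two demonstration commands above, as a script that verifies each step instead of switching to the Administrative Center to look. This is an added example and not part of the handbook's demonstration; it assumes the Adatum.com lab domain, an existing Sales OU, and the user Adam referenced earlier in the demonstration.

```powershell
# Added example (not from the handbook): the demonstration's group creation and
# move, with a check after each step so the script fails loudly rather than
# leaving an object in the wrong place. Assumes the Adatum.com lab domain, an
# existing Sales OU and the user account Adam.
Import-Module ActiveDirectory

$name      = 'SalesManagers'
$usersPath = 'CN=Users,DC=Adatum,DC=com'
$salesOU   = 'OU=Sales,DC=Adatum,DC=com'

# Create the group in the Users container, exactly as the demonstration does.
New-ADGroup -Name $name -GroupCategory Security -GroupScope Global `
            -DisplayName 'Sales Managers' -Path $usersPath

# Confirm the group landed where expected before doing anything else with it.
$group = Get-ADGroup -Identity $name
if ($group.DistinguishedName -ne "CN=$name,$usersPath") {
    throw "Unexpected location: $($group.DistinguishedName)"
}

# Move it to the Sales OU. -PassThru returns the object at its new DN, so the
# script does not need a second lookup to report the result.
$moved = Move-ADObject -Identity $group.DistinguishedName -TargetPath $salesOU -PassThru
if ($moved.DistinguishedName -ne "CN=$name,$salesOU") {
    throw "Move did not land in the Sales OU: $($moved.DistinguishedName)"
}

# Populate the group and report what a reviewer would want to see: scope,
# category, location and membership in one view.
Add-ADGroupMember -Identity $name -Members 'Adam'
Get-ADGroup -Identity $name | Select-Object Name, GroupScope, GroupCategory, DistinguishedName
Get-ADGroupMember -Identity $name | Select-Object Name, objectClass
```

The checks on DistinguishedName are the scripted equivalent of the "switch to Active Directory Administrative Center and confirm" steps; in a script that runs unattended they are the only evidence that the cmdlets did what was intended.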

Managing Operations Master Roles

One of the major benefits of using AD DS is that the AD DS database is not confined to a single computer: every domain controller holds a copy of the database, and each domain controller's copy is writable. This provides simple load balancing when multiple administrators and users are adding data or modifying the database. There is no single writable master domain controller devoted to writing changes; all domain controllers can write changes. In an AD DS environment, multimaster replication means that all domain controllers have the same general capabilities and priorities when modifying the AD DS database. However, certain operations must be performed by only one system. In AD DS, operations masters are domain controllers that perform such a specific function within the domain environment. In other words, for these specific functions, this particular portion of the AD DS database is not multimaster but single master: only one domain controller writes this data. Some of these functions apply to the entire forest and others only to an individual domain within the forest, so there are forest-wide and domain-wide operations master roles.

Forest-Wide Operations Master Roles

The schema master and the domain-naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest. By default, the first domain controller in the forest fulfils these roles. You can change the role holder to another domain controller, but you must keep these roles in the forest root domain.

• Domain Naming Master Role

The domain-naming role is used when adding or removing domains and application partitions in the forest. When you add or remove a domain or application partition, the domain-naming master must be accessible, or the operation will fail.

• Schema Master Role

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other domain controllers hold read-only replicas of the schema. When you need to modify the schema, the modifications must be sent to the domain controller that hosts the schema master role.

Domain-Wide Operations Master Roles

Each domain maintains three single master operations: RID master, infrastructure master, and PDC Emulator. Each role is performed by only one domain controller in the domain. By default, the first domain controller in a domain fulfils these roles. You can change the role holder to another domain controller within the same domain.

• RID Master Role

The RID master plays an integral part in the generation of SIDs for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism is necessary to ensure that the SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs that it generates are unique.

• Infrastructure Master Role

In a multidomain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the references to the object.

• PDC Emulator Role

The PDC Emulator role performs the following crucial functions for a domain:

• Participates in special password update handling for the domain. When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.

• Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the default focal point for all Group Policy changes.

• Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. By default, the PDC emulator in the forest root domain is the time master for the entire forest. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller.

• Acts as the domain master browser. When you open the Network node in File Explorer, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. The browser service creates these two lists, called browse lists. In each network segment, a master browser creates the browse list: the list of workgroups, domains, and servers in that segment. The domain master browser merges the lists from each master browser so that browse clients can retrieve a comprehensive browse list.

Guidelines for Placing Operations Master Roles

When you place operations master roles, follow these guidelines:

• Place the domain-level roles on a high-performance domain controller.

• Do not place the Infrastructure Master domain-level role on a global catalog server, except when your forest contains only one domain or all of the domain controllers in your forest also are global catalogs. In Windows Server 2008 and above, when the AD DS role is installed, the default option is to make that domain controller a global catalog server. Provided you do not change this default option, all domain controllers will be global catalog servers.

• Ensure that the two forest-level roles are on the same domain controller in the forest-root domain.

• If necessary, adjust the workload of the PDC emulator by offloading non-AD DS roles to other servers. The PDC emulator role is the busiest of all the operations master roles, because it handles all the password updates and pass-through authentication requests.

Note: You can view the assignment of operations master roles by running the following command: Netdom query fsmo
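The same role report with the Active Directory module, extended to check the placement guidelines above automatically. This is an added example, not handbook material; it assumes the Active Directory module is available and that you have read access to the domain and forest. The transfer cmdlet at the end is real but left commented out, because moving a role is a change-controlled operation and the script is meant to be safe to run as a read-only check.

```powershell
# Added example (not from the handbook): report the operations master role
# holders (the equivalent of "netdom query fsmo") and test the placement
# guidelines from this topic. Assumes the Active Directory module and a domain
# account with read access; the transfer at the end needs admin rights and is
# commented out on purpose.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide and domain-wide roles, separated as the topic separates them.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Guideline: both forest-level roles on the same DC, in the forest root domain.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning 'Schema master and domain naming master are on different domain controllers.'
}
if ($domain.DNSRoot -eq $forest.RootDomain -and
    $forest.SchemaMaster -notlike "*.$($forest.RootDomain)") {
    Write-Warning "Schema master $($forest.SchemaMaster) is outside the forest root domain."
}

# Guideline: the infrastructure master should not be a global catalog unless the
# forest has a single domain or every DC in the domain is a global catalog.
$dcs   = Get-ADDomainController -Filter *
$allGC = (@($dcs | Where-Object { -not $_.IsGlobalCatalog })).Count -eq 0
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and -not $allGC) {
    Write-Warning "Infrastructure master $($im.HostName) is a global catalog in a multi-domain forest where not every DC is a GC."
}

# Transferring roles. Domain roles need Domain Admins; the schema master needs
# Schema Admins and the domain naming master needs Enterprise Admins. Adding
# -Force seizes instead of transferring and is only for a holder that is gone
# for good, since the old holder must never come back online afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC1' -OperationMasterRole PDCEmulator, RIDMaster
```

Get-ADDomainController -Filter * only enumerates the current domain, which is all the infrastructure master check needs; run the script in each domain of a multi-domain forest to cover every set of domain-wide roles.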

Managing AD DS Backup and Recovery

In earlier versions of Windows Server, backing up AD DS involved creating a backup of the System State, which was a small collection of files that included the Active Directory database, the registry, and other select enterprise-wide system software.

Because of interdependencies between server roles, physical configuration, and AD DS, the System State is now a subset of a Full Server backup and, in some configurations, might be just as big. The System State backup captures the AD DS database and the SYSVOL, as well as all registry settings on the computer. In other words, a System State backup is a backup of AD DS. In Windows Server 2012, you can perform two kinds of backups: manual backups and scheduled backups. The following System State backup targets are available:

• Volume types: either the NTFS file system or Resilient File System (ReFS).

• Universal Naming Convention (UNC) path to the local server.

• UNC path to a remote server.

• Local non-critical volume.

In order to perform a System State backup, the Windows Server Backup feature must be installed, either from Add Roles and Features in Server Manager or with the following Windows PowerShell cmdlet:

Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature

You can use the Windows Server Backup console or the Wbadmin command-line executable to create a backup. For example, to create a manual System State backup onto the backup drive S:, you would type the following at a command prompt or in a Windows PowerShell window, and then press Enter:

Wbadmin start systemstatebackup -backuptarget:S:\ -quiet

The -quiet parameter runs the backup in the background without displaying console messages.
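The same System State backup performed through the Windows Server Backup module, which is what you would use from a script that has to know whether the backup actually completed. This is an added example and not part of the handbook; it assumes the backup drive S: is a local non-critical volume, as in the wbadmin example above, and that the script runs as an administrator on the domain controller.

```powershell
# Added example (not from the handbook): a System State backup via the Windows
# Server Backup module rather than wbadmin, with a check on the result. Assumes
# S: is a local non-critical volume and the script runs elevated on the DC.

# Install the feature if it is missing (Add-WindowsFeature is an alias of
# Install-WindowsFeature on Windows Server 2012), then load the module.
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Install-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature | Out-Null
}
Import-Module WindowsServerBackup

# Build a one-off policy: System State only, written to S:\.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath 'S:'
Add-WBBackupTarget -Policy $policy -Target $target

# Start-WBBackup runs synchronously unless -Async is given, so the script can
# inspect the outcome immediately afterwards.
Start-WBBackup -Policy $policy

# Verify from the catalog rather than trusting the absence of an error: the
# newest backup set on the target must contain the System State.
$last = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $last -or -not $last.SystemState) {
    $job = Get-WBJob -Previous 1
    throw "System State backup did not complete (last job result: $($job.JobState))."
}
"System State backup taken at $($last.BackupTime), version $($last.VersionId)"
```

For a scheduled backup the same policy object is handed to Set-WBSchedule and Set-WBPolicy instead of Start-WBBackup; the verification step at the end is what you would run from monitoring to confirm the schedule is actually producing restorable sets.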

Restoring AD DS Data

When a domain controller or its directory is corrupted, damaged, or failed, you have several options with which to restore the system.

Nonauthoritative Restore

A nonauthoritative restore is a normal restore operation, where you simply restore a System State backup from a known good date. For example, suppose the domain controller crashed on Thursday, and you were making System State backups of each domain controller every night. You would then restore the system state from Wednesday night. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. Effectively, the domain controller catches up with the rest of the domain by using standard replication mechanisms.

Normal restore is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. What about a situation in which damage has been done, and the damage has been replicated? For example, what if you delete one or more objects, and that deletion has replicated? In such situations, a normal restore is not sufficient. If you restore a known good version of AD DS and restart the domain controller, the deletion that happened subsequent to the backup will simply replicate back to the domain controller.

Authoritative Restore

When a known good copy of AD DS has been restored that contains objects that must override the existing state of objects in the AD DS database, an authoritative restore is necessary. In an authoritative restore, you restore the known good version of AD DS just as you would in a normal restore. However, before restarting the domain controller, you mark the objects that you wish to retain as authoritative so that they will replicate from the restored domain controller to its replication partners. When you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is virtually guaranteed to be higher than the version number on all other domain controllers.


When the restored domain controller is restarted, it receives updates from its replication partners on all changes that have been made to the directory. It also notifies its partners that it has changes. The version numbers of the authoritatively restored objects ensure that partners take these changes and replicate them throughout the directory service. In forests that have the Active Directory Recycle Bin enabled, available in Windows Server 2008 R2 and newer, you can use the Active Directory Recycle Bin as a simpler alternative to an authoritative restore.

Other Restore Options

The third option for restoring the directory service is to restore the entire domain controller. You restore the entire domain controller by booting to the Windows Recovery Environment (Windows RE), and then restoring a full server backup of the domain controller. By default, this is a normal restore. If you also need to mark objects as authoritative, you must restart the server in the Directory Services Restore Mode and set those objects as authoritative prior to starting the domain controller into normal operation.

Finally, you can restore a backup of the System State to an alternate location. This allows you to examine files and, potentially, to mount the ntds.dit file. You should not copy the files from an alternate restore location over the production versions of those files. Do not do a piecemeal restore of AD DS. You also can use this option if you want to use the Install From Media option for creating a new domain controller.

Other AD DS Tasks

Certain tasks, such as an off-line defragmentation or moving the AD DS database to another drive, require you to take AD DS off-line. To take the AD DS off-line, open a command prompt or a Windows PowerShell window, type the following command, and then press Enter:

Net stop ntds

At this point, you would use the ntdsutil command-line utility to perform the various off-line activities. For example, you can optimize the Active Directory database with an off-line defragmentation. To perform the off-line defragmentation, after you take Active Directory off-line, type the following commands, pressing Enter after each line, but do not type the lines beginning with ##:

ntdsutil
activate instance NTDS
files
compact to <drive>:\<drivepath>
##For example: compact to c:\tempAD
quit
quit

After ntdsutil exits, at the same command prompt, delete the old transaction logs and copy the compacted database over the original, again pressing Enter after each line:

Del <drive>:\<pathToLogFiles>\*.log
##For example: Del c:\windows\ntds\*.log
Copy "<temporaryDrive>:\ntds.dit" "<originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit"
##For example: Copy "c:\TempAD\ntds.dit" "c:\windows\ntds\ntds.dit"

At this point you can start AD DS by typing the following command, and then pressing Enter:

Net start ntds

AD DS also stores data about its own domain controllers, called metadata. When a domain controller has failed and cannot be restored, that metadata remains in the directory and must be removed by hand, again by using the ntdsutil command.


To clean up Active Directory metadata, enter the following at a command prompt or in a Windows PowerShell window, pressing Enter at the end of each line, but do not type the lines beginning with ##:

ntdsutil
metadata cleanup
remove selected server <ServerName>
##Or, to run the cleanup against a specific domain controller: remove selected server <ServerName1> on <ServerName2>

In the Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.

quit
quit

At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.
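The off-line defragmentation and metadata cleanup procedures above as one Windows PowerShell script, with the safety steps an administrator wants around them: a System State backup before anything is touched, the original database kept until the compacted copy passes an integrity check, and AD DS restarted on every exit path. This is an added example, not handbook material. It assumes the default %systemroot%\NTDS location, a scratch folder C:\TempAD on a volume with more free space than the size of ntds.dit, the backup drive S: from the earlier example, and, for the cleanup part, a failed domain controller whose name is given here by the placeholder FAILED-DC.

```powershell
# Added example (not from the handbook): scripted off-line defragmentation and
# metadata cleanup. Assumes the default %systemroot%\NTDS paths, a scratch
# folder C:\TempAD with enough free space, backup drive S:, and a placeholder
# failed DC name 'FAILED-DC' for the cleanup step.
$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'
$liveDit   = Join-Path $ntdsDir 'ntds.dit'
$tempDir   = 'C:\TempAD'
$logBackup = Join-Path $tempDir 'logs'
New-Item -ItemType Directory -Path $tempDir, $logBackup -Force | Out-Null

# Never touch the database without a fresh backup to fall back on.
wbadmin start systemstatebackup -backuptarget:S:\ -quiet
if ($LASTEXITCODE -ne 0) { throw 'System State backup failed; aborting before any change.' }

# Same effect as "net stop ntds"; -Force also stops the dependent services.
Stop-Service ntds -Force
try {
    # ntdsutil takes its menu commands as arguments, so no interactive session is needed.
    ntdsutil 'activate instance ntds' files "compact to $tempDir" quit quit
    $compacted = Join-Path $tempDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'Compaction produced no file; live database untouched.' }

    # Swap the files in, but keep the originals until the new copy is verified.
    # The old logs belong to the old file and must not be replayed against the new one.
    Move-Item $liveDit "$liveDit.bak" -Force
    Copy-Item $compacted $liveDit
    Move-Item (Join-Path $ntdsDir '*.log') $logBackup -Force

    $check = ntdsutil 'activate instance ntds' files integrity quit quit 2>&1
    if (-not ($check -match 'Integrity check successful')) {
        # Roll back to the original database and its logs before restarting.
        Move-Item "$liveDit.bak" $liveDit -Force
        Move-Item (Join-Path $logBackup '*.log') $ntdsDir -Force
        throw "Integrity check failed; original database restored.`n$($check -join "`n")"
    }
    Remove-Item "$liveDit.bak"
    'Off-line defragmentation completed and verified.'
}
finally {
    Start-Service ntds          # same effect as "net start ntds", on success or failure
}

# Metadata cleanup for a DC that failed and cannot be restored. The server
# object lives in the Configuration partition; resolve its DN rather than typing it.
Import-Module ActiveDirectory
$deadDc   = 'FAILED-DC'        # placeholder name of the failed domain controller
$configNC = (Get-ADRootDSE).configurationNamingContext
$server   = Get-ADObject -SearchBase $configNC -LDAPFilter "(&(objectClass=server)(name=$deadDc))"
if ($server) {
    # The Server Remove Configuration dialog still asks for confirmation, as in the manual steps.
    ntdsutil 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit
} else {
    "No server object named $deadDc found; the metadata may already have been removed."
}
```

The integrity check is the step most often skipped when this is done by hand, and it is the one that catches a compaction that ran out of disk space part-way through; keeping the .bak copy until it passes is what makes the script safe to re-run.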

Additional ntdsutil commands are covered in detail in the next lesson.


Lesson 5 Managing the AD DS Database

At the core of the AD DS environment is the AD DS database. The AD DS database contains all the critical information required to provide AD DS functionality. Maintaining this database properly is a critical aspect of AD DS management, and there are several tools and best practices that can help you manage your AD DS database effectively. This lesson will introduce you to AD DS database management and show you the tools and methods for maintaining it.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the AD DS database architecture.

• Describe Ntdsutil.

• Explain how restartable AD DS works.

• Describe how to perform AD DS database management.

• Describe how to create AD DS snapshots.

• Describe how to restore deleted objects.

• Describe how to configure the Active Directory Recycle Bin.

Understanding the AD DS Database

AD DS information is stored within the directory database. Each directory partition, also called a naming context, contains objects of a particular replication scope and purpose. There are three AD DS partitions on each domain controller, as follows:

• Domain. The Domain partition contains all the objects stored in a domain, including users, groups, computers, and Group Policy containers.

• Configuration. The Configuration partition contains objects that represent the logical structure of the forest, including information about domains, as well as the physical topology, including sites, subnets, and services.

• Schema. The Schema partition defines the object classes and their attributes for the entire directory.

Domain controllers also can host application partitions. You can use application partitions to limit replication of application-specific data to a subset of domain controllers. Active Directory-integrated DNS is a common example of an application that takes advantage of application partitions.

Each domain controller maintains a copy, or replica, of several partitions. The Configuration and the Schema are each replicated to every domain controller in the forest. The Domain partition for a domain is replicated to all domain controllers within a domain, but not to domain controllers in other domains, with the exception of global catalog servers. Therefore, each domain controller has at least three replicas: the Domain partition for its domain, Configuration, and Schema.


AD DS Database Files

The AD DS database is stored as a file named ntds.dit. When you install and configure AD DS, you can specify the location of the file. The default location is %systemroot%\NTDS. Within ntds.dit are all of the partitions hosted by the domain controller: the forest schema and configuration; the domain-naming context; and, depending on the server configuration, the partial attribute set and application partitions.

In the NTDS folder, there are other files that support the Active Directory database. The Edb*.log files are the transaction logs for Active Directory. When a change must be made to the directory, it is first written to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be rolled back.

The following table describes the file-level components of the AD DS database.

File                               Description
ntds.dit                           Main AD DS database file; contains all AD DS partitions and objects
EDB*.log                           Transaction log(s)
EDB.chk                            Database checkpoint file
Edbres00001.jrs, Edbres00002.jrs   Reserve transaction log files that allow the directory to process
                                   queued transactions if the server runs out of disk space

AD DS Database Modifications and Replication

Under normal operations, the transaction logs wrap around: new transactions overwrite old transactions that have already been committed to the database. If a large number of transactions occurs within a short period, AD DS creates additional transaction log files, so you may see several EDB*.log files in the NTDS folder of a particularly busy domain controller. Over time, those files are removed automatically. AD DS uses circular logging, which means that the oldest log files are overwritten with the latest data once the entire set of logs has been used.

The EDB.chk file acts as a bookmark for the log files: it marks the point up to which transactions have been committed to the database, and after which transactions remain to be committed.

Running out of disk space is highly problematic for any server. It is even more problematic if that disk hosts the AD DS database, because pending transactions cannot be written to the logs. Therefore, AD DS maintains two reserve log files, edbres00001.jrs and edbres00002.jrs, which are empty files of 10 megabytes (MB) each. When the disk runs out of space for normal transaction logs, AD DS uses the space held by these two files to write the transactions that are currently queued, then safely shuts down the directory service and dismounts the database. The reserve files only buy time so that the directory service does not refuse or lose transactions; an administrator must still remediate the low disk space as quickly as possible.
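The following PowerShell script is an added example, not part of the handbook: it lists the files that make up the AD DS database on the local domain controller, tags each with the role described above, confirms that both reserve logs are present, and warns when the volume holding the database or the logs is nearly full, which is the condition the reserve logs exist for. It reads the database and log locations from the registry values NTDS stores them under, so it also works when the database was moved away from %systemroot%\NTDS. The 1 GB free-space threshold is an assumed value.

```powershell
# Added example (not from the handbook). Run in an elevated PowerShell session on a
# domain controller. The registry value names are the ones NTDS stores its paths under;
# the 1 GB free-space threshold is an assumption, adjust it for your environment.

$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'          # default %systemroot%\NTDS\ntds.dit
$logDir = $params.'Database log files path'    # default %systemroot%\NTDS

function Get-NtdsFileRole([string]$Name) {
    # Map a file name in the NTDS folders to the role the ESE engine gives it.
    switch -Wildcard ($Name.ToLower()) {
        'ntds.dit'    { return 'database' }
        'edb.chk'     { return 'checkpoint (commit bookmark)' }
        'edbres*.jrs' { return 'reserve log (used only when the disk is full)' }
        'edb*.log'    { return 'transaction log' }
        'temp.edb'    { return 'temporary work file' }
        default       { return 'unexpected file, investigate' }
    }
}

# Inventory every file in the database and log directories (they are the same by default).
$files = Get-ChildItem -Path (Split-Path $dbFile -Parent), $logDir -File |
    Sort-Object FullName -Unique
$files | ForEach-Object {
    [pscustomobject]@{
        File   = $_.Name
        Role   = Get-NtdsFileRole $_.Name
        SizeMB = [math]::Round($_.Length / 1MB, 1)
    }
} | Format-Table -AutoSize

# A missing reserve log means the safety net described above is gone.
foreach ($reserve in 'edbres00001.jrs', 'edbres00002.jrs') {
    if (-not (Test-Path (Join-Path $logDir $reserve))) {
        Write-Warning "$reserve is missing from $logDir"
    }
}

# Free space on the volume(s) holding the database and the logs.
$drives = ($dbFile, $logDir | ForEach-Object { $_.Substring(0, 1) }) | Select-Object -Unique
foreach ($letter in $drives) {
    $drive  = Get-PSDrive -Name $letter
    $freeGB = [math]::Round($drive.Free / 1GB, 2)
    if ($drive.Free -lt 1GB) {
        Write-Warning "Volume ${letter}: has only $freeGB GB free; AD DS will shut itself down once the reserve logs are exhausted"
    } else {
        "Volume ${letter}: $freeGB GB free"
    }
}
```

Run it from a monitoring job rather than by hand: the point of the reserve logs is that AD DS shuts itself down rather than losing transactions, so the time to notice a full disk is before that happens.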


Understanding Restartable AD DS

In earlier versions of Windows Server, most AD DS database maintenance required restarting the domain controller in Directory Services Restore Mode (DSRM). Administrators of Windows Server 2012 can stop and start AD DS just like any other service, without restarting the domain controller, which lets them perform some management tasks quickly. This feature is called Restartable Active Directory Domain Services.

Restartable AD DS reduces the time required to perform certain operations. You can stop AD DS so that you can apply updates to a domain controller. Also, administrators can stop AD DS to perform tasks such as offline defragmentation of the Active Directory database, without restarting the domain controller. Other services that are running on the server and that do not depend on AD DS to function, such as DHCP, remain available to satisfy client requests while AD DS is stopped.

Restartable AD DS is available by default on all domain controllers that run Windows Server 2012. There are no functional-level requirements or any other prerequisites for using this feature.

Note: You cannot perform a system state restore of a domain controller while AD DS is stopped. To complete a system state restore of a domain controller, you must start in Directory Services Restore Mode. However, you can perform an authoritative restore of Active Directory objects while AD DS is stopped by using Ntdsutil.exe.

To start the server in Directory Services Restore Mode, you must first reach the Advanced Boot Options menu, by following these steps:

1. In the Settings charm, click Power, and then press and hold down the Shift key while you click Restart.

2. After the system has rebooted, a screen named Choose an option appears. Select Troubleshoot on this screen.

3. On the Troubleshoot screen, select Advanced options.

4. On the Advanced options screen, select Startup Settings.

5. On the Startup Settings screen, click Restart.

6. After the computer restarts, the Advanced Boot Options menu appears.

7. In the Advanced Boot Options menu, select the Directory Services Repair Mode option.

Restartable AD DS adds minor changes to the existing MMC snap-ins. On a domain controller running Windows Server 2012, Active Directory Domain Services appears as a service in the Services (Local) node of the Component Services snap-in and the Computer Management snap-in. Using the snap-in, an administrator can stop and restart AD DS in the same way as any other service that runs locally on the server.

Although stopping AD DS is similar to logging on in Directory Services Restore Mode, restartable AD DS provides a unique state, known as AD DS Stopped, for a domain controller that is running Windows Server 2012.


Domain Controller States

The three possible states for a domain controller that is running Windows Server 2012 are:

• AD DS Started. In this state, AD DS is running and the domain controller performs AD DS related tasks normally.

• AD DS Stopped. In this state, AD DS is stopped. Although this state is unique, the server has some characteristics of both a domain controller in DSRM and a domain-joined member server. As in DSRM, the Active Directory database (Ntds.dit) on the local domain controller is offline. Another domain controller can be contacted for logon, if one is available. If no other domain controller can be contacted, by default you can do one of the following:

• Log on to the domain controller locally in DSRM by using the DSRM password.

• Restart the domain controller to log on with a domain account.

As with a member server, the server remains joined to the domain, so Group Policy and other settings are still applied to the computer. However, a domain controller should not remain in the AD DS Stopped state for an extended period. A domain controller in the AD DS Stopped state cannot service logon requests or replicate with other domain controllers.

• DSRM. In this mode the domain controller starts without loading AD DS; you log on locally with the DSRM password and perform offline maintenance tasks, including a system state restore. DSRM is unchanged from earlier versions of Windows Server.

Demonstration: Performing AD DS Database Maintenance

There are several tasks and related tools that you can use to perform AD DS database maintenance.

This demonstration shows how to:

• Stop AD DS.

• Perform an offline defragmentation of the AD DS database.

• Check the integrity of the AD DS database.

• Start AD DS.

Demonstration Steps

Stop AD DS

1. On LON-DC1, open the Services console.

2. Stop the Active Directory Domain Services service.

Perform an offline defragmentation of the AD DS database

• Run the following commands from an elevated Windows PowerShell prompt, and press Enter after each line:

ntdsutil
activate instance NTDS
files
compact to C:\

Note: The compacted copy is written to C:\ntds.dit; the live database in %systemroot%\NTDS is left untouched. To put the compacted database into service, copy it over %systemroot%\NTDS\ntds.dit and delete the old EDB*.log files while AD DS is still stopped, exactly as the output of the compact command instructs. This demonstration does not replace the live database.

Check the integrity of the offline database

1. At the same ntdsutil file maintenance prompt, run the following commands, and press Enter after each line:

integrity
quit
quit

2. Close the Windows PowerShell window.

Start AD DS

1. Open the Services console.

2. Start the Active Directory Domain Services service.
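The demonstration above, as an added PowerShell script that is not part of the handbook. It uses restartable AD DS to stop the directory, compacts the database, and then goes one step further than the demonstration: it puts the compacted copy into service the way the compact command's own output instructs, checks the integrity of the database that will actually be used, and rolls back to the original if that check fails. The paths C:\Compact and C:\NTDS-Backup are assumptions. Both directories end up holding a complete copy of ntds.dit, including password hashes, so delete or secure them once you are satisfied.

```powershell
# Added example (not from the handbook): offline defragmentation using restartable AD DS.
# Run in an elevated PowerShell session on the domain controller. Assumed paths: the
# default database location %systemroot%\NTDS, C:\Compact for the compacted copy and
# C:\NTDS-Backup for the originals.

$ntdsDir    = Join-Path $env:SystemRoot 'NTDS'
$compactDir = 'C:\Compact'
$backupDir  = 'C:\NTDS-Backup'

function Invoke-Ntdsutil {
    # ntdsutil accepts its interactive commands as quoted arguments, so a whole session
    # can be driven without typing at its prompt. Returns the captured output as text.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | Out-String
}

# 1. Remember which running services depend on AD DS (KDC, DNS Server, DFS Replication
#    and so on): Stop-Service -Force stops them, and Start-Service does not bring them back.
$dependents = (Get-Service NTDS).DependentServices | Where-Object Status -eq 'Running'
Stop-Service NTDS -Force
if ((Get-Service NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

try {
    # 2. Offline defragmentation writes a compacted copy; the live database is untouched.
    New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null
    $out = Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $compactDir", 'quit', 'quit'
    if ($out -notmatch 'Compaction is successful') { throw "Compaction failed:`n$out" }

    # 3. Put the compacted copy in place exactly as the compact output instructs: replace
    #    ntds.dit and remove the old transaction logs. The originals are kept as a fallback.
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') $backupDir -Force
    Move-Item (Join-Path $ntdsDir 'edb*.log') $backupDir -Force
    Copy-Item (Join-Path $compactDir 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit') -Force

    # 4. Check the integrity of the database that will now be used. On failure, restore
    #    the original database and its logs before AD DS is started again.
    $out = Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
    if ($out -notmatch 'Integrity check successful') {
        Copy-Item (Join-Path $backupDir 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit') -Force
        Move-Item (Join-Path $backupDir 'edb*.log') $ntdsDir -Force
        throw "Integrity check failed; original database restored:`n$out"
    }
}
finally {
    # 5. Start AD DS again, then the services that were stopped along with it.
    Start-Service NTDS
    $dependents | ForEach-Object { Start-Service $_.Name }
}
```

The success checks are simple string matches on the text ntdsutil prints ("Compaction is successful", "Integrity check successful"); ntdsutil does not report failures reliably through its exit code, so do not drop those checks in favour of $LASTEXITCODE.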

Creating AD DS Snapshots

Ntdsutil in Windows Server 2012 can create and mount snapshots of AD DS. A snapshot is a point-in-time copy of the directory service: it captures the exact state of the directory at the moment the snapshot was taken. You can use Ntdsutil to explore the contents of a snapshot and examine the state of the directory service at that time, or connect to a mounted snapshot with the LDIFDE tool and export objects that you can then re-import into AD DS.

Creating an AD DS Snapshot

To create a snapshot, follow these steps:

1. Open the command prompt.

2. Type ntdsutil, and then press Enter.

3. Type snapshot, and then press Enter.

4. Type activate instance ntds, and then press Enter.

5. Type create, and then press Enter.

6. The command returns a message that indicates that the snapshot set was generated successfully.

7. The globally unique identifier (GUID) that is displayed is important for commands in later tasks. Make note of the GUID or, alternatively, copy it to the Clipboard.

8. Type quit, and then press Enter.

Schedule snapshots of Active Directory regularly. You can use the Task Scheduler to execute a batch file by using the appropriate Ntdsutil commands.

Mounting an AD DS Snapshot

To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. This is also accomplished with Ntdsutil. To mount a snapshot, follow these steps:

1. Open an elevated command prompt.

2. Type ntdsutil, and then press Enter.

3. Type activate instance ntds, and then press Enter.

4. Type snapshot, and then press Enter.

5. Type list all, and then press Enter.

6. Notice that the command returns a list of all snapshots.


7. Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then press Enter.

8. Type quit, and then press Enter.

9. Type quit, and then press Enter.

10. Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter.

11. The port number, 50000, can be any open and unique TCP port number.

12. A message indicates that the startup of Active Directory Domain Services is complete.

13. Do not close the command prompt window. Leave the command you just ran, Dsamain.exe, running while you continue to the next step.

Viewing an AD DS Snapshot

After the snapshot has been mounted, you can use tools to connect to and explore the snapshot. Even Active Directory Users and Computers can connect to the instance. To connect to a snapshot with Active Directory Users and Computers, follow these steps:

1. Open Active Directory Users and Computers.

2. Right-click the root node, and then click Change Domain Controller.

3. Notice that the Change Directory Server dialog box appears.

4. Click <Type a Directory Server name[:port] here>.

5. Type LON-DC1:50000, and then press Enter.

6. LON-DC1 is the name of the domain controller on which you mounted the snapshot, and 50000 is the TCP port number that you configured for the instance. You now are connected to the snapshot.

7. Click OK.

Note that snapshots are read-only. You cannot modify the contents of a snapshot. Moreover, there are no direct methods with which to move, copy, or restore objects or attributes from a snapshot to the production instance of Active Directory.

Unmounting an AD DS Snapshot

When you have finished using or viewing a mounted snapshot, unmount it. A mounted snapshot is a complete copy of ntds.dit, including password hashes, so treat the $snap folder and the Dsamain.exe instance as carefully as the live database and do not leave them available longer than necessary. To unmount the snapshot, follow these steps:

1. Switch to the command prompt in which the snapshot is mounted.

2. Press Ctrl+C to stop DSAMain.exe.

3. Type ntdsutil, and then press Enter.

4. Type activate instance ntds, and then press Enter.

5. Type snapshot, and then press Enter.

6. Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.

7. Type quit, and then press Enter.

8. Type quit, and then press Enter.
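The create, mount, query and unmount sequence above (and the same sequence in Exercise 2 of the lab) as one added PowerShell script; it is not part of the handbook. It drives ntdsutil through its command-line interface instead of its prompt, parses the snapshot-set GUID and the mount point out of ntdsutil's own output, starts Dsamain.exe on an alternate LDAP port, and queries the historical copy over plain LDAP with a DirectorySearcher, so it does not depend on Active Directory Web Services seeing the instance. The unmount always runs, even if the query fails. Assumptions: the domain controller is LON-DC1, TCP port 50000 is free, the snapshot set covers one volume (C:), and the account looked up is Adam Barr from the lab.

```powershell
# Added example (not from the handbook). Run elevated on the domain controller.
# Assumptions: DC LON-DC1, free TCP port 50000, single-volume snapshot set, user Adam Barr.

$dc   = 'LON-DC1'
$port = 50000

function New-ADSnapshot {
    # ntdsutil reports "Snapshot set {GUID} generated successfully."; that set GUID is
    # what the mount and unmount commands take.
    $out = & ntdsutil.exe snapshot 'activate instance ntds' create quit quit 2>&1 | Out-String
    if ($out -notmatch 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully') {
        throw "Snapshot creation failed:`n$out"
    }
    $Matches[1]
}

function Mount-ADSnapshot([string]$SetGuid) {
    # The mount point is reported as "... mounted as C:\$SNAP_<datetime>_VOLUMEC$\".
    $out = & ntdsutil.exe snapshot 'activate instance ntds' "mount $SetGuid" quit quit 2>&1 | Out-String
    if ($out -notmatch 'mounted as (\S+)') { throw "Mount failed:`n$out" }
    $Matches[1].TrimEnd('\')
}

function Dismount-ADSnapshot([string]$SetGuid) {
    & ntdsutil.exe snapshot 'activate instance ntds' "unmount $SetGuid" quit quit | Out-Null
}

function Wait-LdapPort([int]$Port, [int]$TimeoutSeconds = 60) {
    # dsamain takes a few seconds to open its port; poll rather than guess a sleep.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $tcp = New-Object Net.Sockets.TcpClient
        try { $tcp.Connect('localhost', $Port); return $true }
        catch { Start-Sleep -Seconds 2 }
        finally { $tcp.Close() }
    } until ((Get-Date) -gt $deadline)
    return $false
}

$guid  = New-ADSnapshot
$mount = Mount-ADSnapshot $guid
$dit   = Join-Path $mount 'Windows\NTDS\ntds.dit'

# Expose the snapshot as a read-only LDAP instance on the alternate port.
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
try {
    if (-not (Wait-LdapPort $port)) { throw "dsamain did not open port $port" }

    # Query the historical copy over plain LDAP, anchored at its own default naming context.
    $rootDse  = [ADSI]"LDAP://${dc}:$port/RootDSE"
    $baseDn   = $rootDse.Get('defaultNamingContext')
    $base     = New-Object DirectoryServices.DirectoryEntry "LDAP://${dc}:$port/$baseDn"
    $searcher = New-Object DirectoryServices.DirectorySearcher -ArgumentList $base,
        '(&(objectClass=user)(name=Adam Barr))', @('distinguishedName', 'memberOf')
    $hit = $searcher.FindOne()
    if ($hit) {
        "As of the snapshot, $($hit.Properties['distinguishedname']) was a member of:"
        $hit.Properties['memberof']
    } else {
        'Adam Barr is not present in the snapshot either'
    }
}
finally {
    # Always tear down: the mounted copy is a full ntds.dit, including password hashes.
    Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
    Dismount-ADSnapshot $guid
}
```

The New-ADSnapshot function on its own is what a scheduled task should call to take the regular snapshots recommended above; the mount and query parts belong to an interactive recovery session, and the finally block is what keeps a forgotten Dsamain.exe from serving a copy of the directory indefinitely.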


Understanding How to Restore Deleted Objects

When you delete an object in AD DS, it is moved to the Deleted Objects container and stripped of most of its attributes; what remains is called a tombstone. You can reveal the attributes that a tombstone retains, but without the Active Directory Recycle Bin (described later in this lesson), linked attribute values such as group membership are not retained.

As long as the object has not yet been cleaned out and removed, that is, scavenged, by the garbage collection process after reaching the end of its tombstone lifetime, you can restore or reanimate the deleted object.

To restore a deleted object, follow these steps:

1. Click Start, and, in the Start Search box, type LDP.exe, and then press Ctrl+Shift+Enter. This executes the command as an administrator.

2. Notice that the User Account Control dialog box appears.

3. Click Use another account.

4. In the User name box, type the user name of an administrator.

5. In the Password box, type the password for the administrative account, and then press Enter.

6. Notice that LDP opens.

7. Click the Connection menu, click Connect, and then click OK.

8. Click the Connection menu, click Bind, and then click OK.

9. Click the Options menu, and then click Controls.

10. In the Load Predefined list, click Return Deleted Objects, and then click OK.

11. Click the View menu, click Tree, and then click OK.

12. Expand the domain, and then double-click CN=Deleted Objects,DC=contoso,DC=com.

13. Right-click the deleted object, and then click Modify.

14. In the Attribute box, type isDeleted.

15. In the Operation section, click Delete.

16. Press Enter.

17. In the Attribute box, type distinguishedName.

18. In the Values box, type the new distinguished name for the object; this places it in the parent container or OU where you want it restored. For example, type the distinguished name the object had before it was deleted.

19. In the Operation section, click Replace.

20. Press Enter.

21. Select the Extended check box.

22. Click Run, click Close, and then close LDP.

23. Use Active Directory Users and Computers to repopulate the object’s attributes, reset the password of a user object, and enable the object if it is disabled.


Configuring the Active Directory Recycle Bin

In Windows Server 2012, you can enable the Active Directory Recycle Bin to provide a simplified process for restoring deleted objects. The feature overcomes the drawbacks of both authoritative restore and tombstone reanimation. Tombstone reanimation simply brings a tombstoned object back into AD DS; because the tombstone was stripped of most of its attributes, additional steps are needed before the object is fully usable, such as re-adding attribute values manually. The Active Directory Recycle Bin lets administrators restore deleted objects with full functionality, without restoring AD DS data from backups, restarting AD DS, or rebooting domain controllers. It builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.

How Active Directory Recycle Bin Works

When you enable Active Directory Recycle Bin, all attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments.

After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system preserves all of the object's link-valued and non-link-valued attributes, and the object becomes logically deleted. A deleted object is moved to the Deleted Objects container, and the relative distinguished name, also known as a RDN, of the object is changed to a "delete-mangled RDN", which is an RDN that is unique within the Deleted Objects container. A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime. Within the deleted object lifetime, you can recover a deleted object with Active Directory Recycle Bin and make it a live Active Directory object again.

The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. When that lifetime expires, the object is not removed immediately: it becomes a recycled object, which is stripped of most of its attributes like a legacy tombstone and can no longer be restored with the Active Directory Recycle Bin. The recycled object lifetime is determined by the value of the legacy tombstoneLifetime attribute. By default, msDS-deletedObjectLifetime is set to null, in which case the deleted object lifetime takes the value of the recycled object lifetime. By default, tombstoneLifetime is also set to null, in which case the recycled object lifetime defaults to 180 days. Both attributes are stored on the Directory Service object in the configuration partition, and you can modify them at any time. Once msDS-deletedObjectLifetime is set to a value other than null, it no longer assumes the value of tombstoneLifetime.

Enabling the Active Directory Recycle Bin

You can enable the Active Directory Recycle Bin only when the forest functional level is set to Windows Server 2008 R2 or newer.

To enable the Active Directory Recycle Bin in Windows Server 2012, you can follow either of these sets of steps:

• From the Active Directory module for Windows PowerShell prompt, use the Enable-ADOptionalFeature cmdlet.


• From Active Directory Administrative Center, select the domain, and then click Enable Active Directory Recycle Bin in the Tasks pane.

Only items that have been deleted after the Active Directory Recycle Bin is turned on can be restored from the Active Directory Recycle Bin.

Restoring Items from the Active Directory Recycle Bin

In Windows Server 2012, the Active Directory Administrative Center provides a GUI for restoring deleted AD DS objects. When the Active Directory Recycle Bin has been enabled, the Deleted Objects container is visible in Active Directory Administrative Center. Deleted objects remain visible in this container until their deleted object lifetime has expired. You can choose to restore the objects to their original location or to an alternate location within AD DS.
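The enable, lifetime and restore steps of this topic, and the restore that the LDP procedure above performs by hand, as one added PowerShell script that is not part of the handbook. It checks the forest functional level before enabling the feature (enabling is irreversible), reads the two lifetime attributes from the Directory Service object in the configuration partition and applies the null-means-inherit rules described above, lists what is still restorable, and restores one account to its original OU and another to an alternate OU. Restore-ADObject works without the Recycle Bin too, but then it is a plain tombstone reanimation with the same stripped-attribute result as the LDP procedure. Assumptions: the Adatum.com forest from the lab, the demonstration accounts Test1 and Test2, and the IT OU; run it in the Active Directory module for Windows PowerShell as an Enterprise Admin.

```powershell
# Added example (not from the handbook). Assumes the Adatum.com lab forest, the deleted
# accounts Test1 and Test2, and an OU named IT; run as a member of Enterprise Admins.

Import-Module ActiveDirectory
$forest   = Get-ADForest
$config   = (Get-ADRootDSE).configurationNamingContext
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Prerequisite check, then enable the feature. Enabling cannot be undone, so the
#    functional level is verified explicitly instead of relying on the error message.
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 or higher first."
}
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 2. Lifetimes. A null msDS-DeletedObjectLifetime inherits tombstoneLifetime, and a
#    null tombstoneLifetime means 180 days; this mirrors the rules in the text above.
$ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
        -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$recycledLifetime = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 180 }
$deletedLifetime  = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $recycledLifetime }
"Deleted object lifetime: $deletedLifetime days; recycled object lifetime: $recycledLifetime days"

# 3. What is still restorable. The Deleted Objects container itself carries isDeleted=TRUE,
#    so it is excluded by name.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
    -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"'
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 4. Restore Test1 to the OU it was deleted from (lastKnownParent) and Test2 to the IT OU.
#    Deleted names are "delete-mangled" (Test1\0ADEL:<guid>), hence the wildcard.
$test1 = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'Test1*' }
$test2 = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'Test2*' }
Restore-ADObject -Identity $test1.ObjectGUID
Restore-ADObject -Identity $test2.ObjectGUID -TargetPath "OU=IT,$domainDN"

# 5. Verify that the restored accounts came back with their group memberships intact,
#    which is the difference between a Recycle Bin restore and a tombstone reanimation.
Get-ADUser -Filter 'name -like "Test*"' -Properties memberOf |
    Select-Object Name, DistinguishedName, memberOf
```

If the restore target OU no longer exists (it was deleted along with the account), restore the OU first; Restore-ADObject follows the same parent-before-child order the Active Directory Administrative Center enforces.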

Demonstration: Using the Active Directory Recycle Bin

In this demonstration, you will see how to:

• Enable the Active Directory Recycle Bin.

• Create and then delete test accounts.

• Restore deleted accounts.

Demonstration Steps

1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.

2. Enable the Recycle Bin.

3. Press F5 to refresh Active Directory Administrative Center.

4. In Active Directory Administrative Center, create the following user accounts in the Research OU. Give each a password of Pa$$w0rd:

o Test1

o Test2

5. Delete the Test1 and Test2 user accounts.

6. In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum domain.

7. Restore Test1 to its original location.

8. Restore Test2 to the IT OU.

9. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.


Lab: Maintaining AD DS

Scenario

A. Datum Corporation is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and data center in London support the head office and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure, and is making several organizational changes that require modifications to the AD DS infrastructure. A new location requires a secure method of providing onsite AD DS. A. Datum is opening a new branch office that does not yet have a secure data center, but does now require a domain controller. You need to deploy a domain controller for this office. In addition, you have been asked to extend the capabilities of Active Directory Recycle Bin to the entire organization. As part of an overall virtualization strategy, IT management also wants you to perform a proof of concept deployment of a domain controller using domain controller cloning.

Objectives

After completing this lab, you will be able to:

• Install and configure an RODC.

• Configure and view Active Directory snapshots.

• Configure the Active Directory Recycle Bin.

• Use domain controller cloning to deploy a domain controller.

Lab Setup

Estimated Time: 75 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-SVR1

User Name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

a. User name: Administrator

b. Password: Pa$$w0rd

c. Domain: Adatum

5. Repeat steps 2 through 4 for 20411C-LON-SVR1.

Exercise 1: Installing and Configuring an RODC

Scenario

A. Datum is adding a new branch office. You have been asked to configure an RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.


The main tasks for this exercise are as follows:

1. Verify Requirements for Installing an RODC.

2. Install an RODC.

3. Configure a Password-Replication Policy.

Task 1: Verify Requirements for Installing an RODC

1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.

2. In the properties of Adatum.com, verify that the forest functional level is at least Windows Server 2003.

3. On LON-SVR1, open Server Manager, and verify whether the computer is a domain member.

4. Use System Properties to place LON-SVR1 in a workgroup named TEMPORARY.

5. Restart LON-SVR1.

6. On LON-DC1, open Active Directory Users and Computers.

7. Delete the LON-SVR1 computer account from the Computers container.

8. In the Domain Controllers OU, precreate an RODC account by using default settings, except for the following:

o Computer name: LON-SVR1

o Delegate to: ADATUM\IT

9. Close Active Directory Users and Computers.

Task 2: Install an RODC

1. Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd.

2. On LON-SVR1, add the Active Directory Domain Services Role.

3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:

o Domain: Adatum.com

o Network credentials: Adatum\April (a member of the IT group)

o Password for April: Pa$$w0rd

o Directory Services restore mode password: Pa$$w0rd

o Replicate from: LON-DC1.Adatum.com

4. When installation is complete, restart LON-SVR1.

Task 3: Configure a Password-Replication Policy

Configure password-replication groups

1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.

2. In the Users container, view the membership of the Allowed RODC Password Replication Group, and verify that there are no current members.

3. In the Domain Controllers OU, open the properties of LON-SVR1.

4. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.


Create a group to manage password replication to the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group named Remote Office Users.

2. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users.

Configure a password-replication policy for the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then open the properties of LON-SVR1.

2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to LON-SVR1.

Evaluate the resulting password-replication policy

1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.

2. On the Password Replication Policy tab, click Advanced. On the Resultant Policy tab, add Aziz, and then confirm that Aziz’s password can be cached.

Monitor credential caching

1. Attempt to log on to LON-SVR1 as Aziz. This logon will fail because Aziz does not have permission to log on to the RODC, but authentication is performed and the credentials are now cached.

2. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of LON-SVR1.

3. On the Password Replication Policy tab, open the Advanced configuration.

4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Aziz’s password has been cached.

Prepopulate credential caching

1. On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click LON-SVR1, and then click Properties.

2. On the Password Replication Policy tab, click Advanced.

3. On the Policy Usage tab, prepopulate the password for Louise and LON-CL1.

4. Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added.

5. Close all open windows on LON-DC1.

Results: After completing this exercise, you should have successfully installed and configured an RODC.
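Exercise 1 repeated with the Active Directory module, as an added PowerShell script that is not part of the handbook. It pre-creates the RODC account with delegated administration, builds the Remote Office Users group, allows it in the password replication policy, shows the allowed and denied lists and the resultant policy for one account, prepopulates the cache, and then adds the check a security engineer wants at the end of this exercise: whether any account protected by AdminSDHolder (adminCount = 1) has had its secrets cached on a domain controller that sits in an office without a secure data center. Assumed lab names: RODC LON-SVR1, source DC LON-DC1, site Default-First-Site-Name, the Research OU, and the principals Aziz, Colin, Lukas, Louise and LON-CL1. Run it on LON-DC1 as Adatum\Administrator.

```powershell
# Added example (not from the handbook). Assumes the lab names listed in the lead-in
# and runs on LON-DC1 as Adatum\Administrator.

Import-Module ActiveDirectory
Import-Module ADDSDeployment
$rodc     = 'LON-SVR1'
$sourceDc = 'LON-DC1'
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Pre-create the RODC account (Task 1, step 8) and delegate its local administration
#    to the IT group, so no Domain Admins credential is ever typed at the branch office.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodc `
    -DomainName 'Adatum.com' -SiteName 'Default-First-Site-Name' `
    -DelegatedAdministratorAccountName 'ADATUM\IT'

# 2. The branch-office principals whose secrets the RODC is allowed to cache.
New-ADGroup -Name 'Remote Office Users' -GroupScope Global -Path "OU=Research,$domainDN"
Add-ADGroupMember -Identity 'Remote Office Users' `
    -Members 'Aziz', 'Colin', 'Lukas', 'Louise', (Get-ADComputer 'LON-CL1')

# 3. Allow that group in the RODC's policy, then show both lists. Deny always wins, so
#    the built-in Denied RODC Password Replication Group is what keeps admins out.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Remote Office Users'
'Allowed:'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
'Denied:';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 4. Resultant policy for a single account (the Advanced > Resultant Policy tab).
"Aziz: $(Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Aziz' -DomainController $rodc)"

# 5. Prepopulate the cache for principals that must log on while the WAN link is down.
$toPrepopulate = @((Get-ADUser 'Louise').DistinguishedName, (Get-ADComputer 'LON-CL1').DistinguishedName)
foreach ($dn in $toPrepopulate) {
    Sync-ADObject -Object $dn -Source $sourceDc -Destination $rodc -PasswordOnly
}

# 6. Audit what is actually cached (the Policy Usage tab). Anything here is exposed if
#    the branch server is stolen, so flag any AdminSDHolder-protected account.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
'Cached on the RODC:'; $revealed | Select-Object Name, ObjectClass
$privileged = foreach ($acct in $revealed) {
    Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount |
        Where-Object { $_.adminCount -eq 1 }
}
if ($privileged) {
    Write-Warning "Privileged accounts cached on ${rodc}: $(($privileged | ForEach-Object Name) -join ', ')"
}
```

Step 6 is the part worth scheduling: the allowed list is set once, but which accounts have actually authenticated at the branch, and therefore whose hashes now live on the RODC, changes continuously.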

Exercise 2: Configuring AD DS Snapshots

Scenario

As part of the overall disaster recovery plan for A. Datum, you have been instructed to test the process for taking Active Directory snapshots and viewing them. If the process is successful, you will schedule them to occur on a regular basis to assist in the recovery of deleted or modified AD DS objects.

The main tasks for this exercise are as follows:

1. Create a Snapshot of AD DS.

2. Make a Change to AD DS.


3. Mount an Active Directory Snapshot, and Create a New Instance.

4. Explore a Snapshot with Active Directory Users and Computers.

5. Unmount an Active Directory Snapshot.

Task 1: Create a Snapshot of AD DS

1. On LON-DC1, open a command prompt window, and then type each of the following commands followed by Enter:

ntdsutil
snapshot
activate instance ntds
create
quit
quit

2. The command returns a message indicating that the snapshot set was generated successfully. The GUID that displays is important for commands in later tasks. Make a note of the GUID or copy it to the Clipboard.

Task 2: Make a Change to AD DS

1. On LON-DC1, open Server Manager.

2. From Server Manager, open Active Directory Users and Computers.

3. Delete Adam Barr's account from the Marketing OU.

Task 3: Mount an Active Directory Snapshot, and Create a New Instance

1. Open an administrative command prompt, and then type each of the following commands followed by Enter:

ntdsutil
snapshot
activate instance ntds
list all

The command returns a list of all snapshots.

2. Type each of the following commands followed by Enter:

mount guid
quit
quit

Where guid is the GUID of the snapshot you created.

3. Use the snapshot to start an instance of Active Directory by typing the following command, all on one line, and then press Enter:

dsamain /dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000

Note that datetime will be a unique value. There should be only one folder on your C: drive with a name that begins with $snap.

A message indicates that AD DS startup is complete. Leave Dsamain.exe running, and do not close the command prompt.


Task 4: Explore a Snapshot with Active Directory Users and Computers

1. Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then click Change Domain Controller. Type the directory server name and port LON-DC1:50000, and then press Enter. Click OK.

2. Locate the Adam Barr user account object in the Marketing OU. Note that Adam Barr's object is displayed because the snapshot was taken before it was deleted.

Task 5: Unmount an Active Directory Snapshot

1. In the command prompt, press Ctrl+C to stop DSAMain.exe.

2. Type each of the following commands followed by Enter:

ntdsutil
snapshot
activate instance ntds
list all
unmount guid
list all
quit
quit

Where guid is the GUID of the snapshot.

Results: After completing this exercise, you should have successfully configured AD DS snapshots.

Exercise 3: Configuring the Active Directory Recycle Bin

Scenario

As part of the disaster recovery plan for AD DS, you need to configure and test the Active Directory Recycle Bin to allow for object and container level recovery.

The main tasks for this exercise are as follows:

1. Enable the Active Directory Recycle Bin.

2. Create and Delete Test Users.

3. Restore the Deleted Users.

4. Prepare for the Next Module.


Task 1: Enable the Active Directory Recycle Bin

1. On LON-DC1, from Server Manager, open Active Directory Administrative Center.

2. Enable the Recycle Bin.

3. Press F5 to refresh Active Directory Administrative Center.


Task 2: Create and Delete Test Users

1. In Active Directory Administrative Center, create the following users in the Research OU. Give each a password of Pa$$w0rd:

o Test1

o Test2

2. Delete the Test1 and Test2 accounts.

Task 3: Restore the Deleted Users

1. In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum domain.

2. Restore Test1 to its original location.

3. Restore Test2 to the IT OU.

4. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.

Task 4: Prepare for the Next Module

Note: Do not perform this task if you are performing the optional exercise entitled "Cloning a Domain Controller". If you are performing the optional exercise, return here when done to finish this task.


When you finish the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you should have successfully configured the Active Directory Recycle Bin.

Exercise 4: Optional Exercise: Cloning a Domain Controller

Scenario

IT management at A. Datum wants to be able to deploy new virtual domain controllers rapidly when necessary. They are considering using domain controller cloning in Windows Server 2012 R2. You must perform a domain controller cloning procedure as a proof of concept for your IT management team.

The main tasks for this exercise are as follows:

1. Check for Domain Controller Clone Prerequisites.

2. Export the Source Domain Controller.

3. Perform Domain Controller Cloning.

Task 1: Check for Domain Controller Clone Prerequisites

1. Switch to LON-DC1.

2. Add the domain controller LON-DC1 to the Active Directory group Cloneable Domain Controllers.

3. Verify that no applications or services installed on LON-DC1 are incompatible with cloning.


4. Create a DCCloneConfig.xml file, and then configure that a cloned domain controller should be named LON-DC3.

5. Shut down LON-DC1.
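The PowerShell equivalent of Task 1, run on the source domain controller. This is an added example, not part of the lab steps: the computer and site names are the lab's, while the static IP addresses passed to New-ADDCCloneConfigFile are assumptions for illustration.

```powershell
# Added example (not from the course): PowerShell equivalent of Task 1, run on LON-DC1.
# Computer/site names are the lab's; the IP values below are assumptions.
Import-Module ActiveDirectory

# Step 2: authorize the source DC to be cloned. Membership in this group is
# the only thing that separates a legitimate clone from a hypervisor admin
# minting a DC from a copied VHD, so remove the DC again when you are done.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity 'LON-DC1')

# Step 3: list installed services and applications that are not on the
# cloning allow list. Each entry must be removed or explicitly approved
# (Get-ADDCCloningExcludedApplicationList -GenerateXml) before cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) { $excluded | Format-Table -AutoSize } else { 'No excluded applications found.' }

# Step 4: write DCCloneConfig.xml (placed in the DIT folder by default) with the
# clone's identity. The cmdlet re-runs the prerequisite checks and refuses to
# write the file if they fail.
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.12' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

# Step 5: shut the source down cleanly before exporting it in Hyper-V Manager.
Stop-Computer

# After the clone has been promoted, back on LON-DC1, revoke the authorization:
# Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' `
#     -Members (Get-ADComputer -Identity 'LON-DC1')
```

Cloning only works on a hypervisor that exposes VM-GenerationID (Hyper-V on Windows Server 2012 or newer); on an older hypervisor the imported copy boots as a duplicate of LON-DC1 rather than as a new domain controller.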

Task 2: Export the Source Domain Controller

1. On the host computer, in Hyper-V Manager, export LON-DC1.

2. Start LON-DC1.

Task 3: Perform Domain Controller Cloning

1. Import a new virtual machine by using the exported files. Name the new virtual machine 20411C-LON-DC3, and then select Copy the virtual machine (create a new unique ID).

2. In Hyper-V Manager, start LON-DC3.

Results: After completing this exercise, you will have successfully cloned a domain controller.


Module Review and Takeaways

Best Practice: Best Practices for Administering AD DS

• Do not virtualize all domain controllers on the same hypervisor host or server.

• Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. Reverting a domain controller to an older snapshot does not recover deleted objects, and on a hypervisor without VM-GenerationID support it causes USN rollback, after which the domain controller silently stops replicating.

• Use RODCs when physical security makes a writable domain controller unfeasible.

• Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center for performing large-scale tasks or those tasks that involve multiple objects. You also can use the Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated administrative tasks.

• Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be invaluable in saving time when recovering accidentally deleted objects in AD DS.

Review Questions

Question: Which AD DS objects should have their credentials cached on an RODC located in a remote location?

Question: What benefits does Active Directory Administrative Center provide over Active Directory Users and Computers?

Tools

• Hyper-V Manager. Used for managing virtualized hosts on Windows Server 2012. Where to find it: Server Manager, Tools.

• Active Directory module for Windows PowerShell. Used for managing AD DS through scripts and from the command line. Where to find it: Server Manager, Tools.

• Active Directory Users and Computers. Used for managing objects in AD DS. Where to find it: Server Manager, Tools.

• Active Directory Administrative Center. Used for managing objects in AD DS, and for enabling and managing the Active Directory Recycle Bin. Where to find it: Server Manager, Tools.

• Ntdsutil.exe. Used for managing AD DS snapshots, compacting and moving the AD DS database, transferring and seizing operations master roles, and similar tasks. Where to find it: Command prompt.

• Dsamain.exe. Used for mounting AD DS snapshots for browsing and for comparing objects between databases. Where to find it: Command prompt.


Module 3 Managing User and Service Accounts

Contents: Module Overview 3-1

Lesson 1: Configuring Password Policy and User Account Lockout Settings 3-2

Lesson 2: Configuring Managed Service Accounts 3-11

Lab: Managing User and Service Accounts 3-19

Module Review and Takeaways 3-23

Module Overview Managing user accounts in an enterprise environment can be a challenging task. You must ensure that you configure the user accounts in your environment properly, and that you protect them from unauthorized use and from users who abuse their account privileges. Using dedicated service accounts for system services and background processes, as well as setting appropriate account policies, will help to ensure that your environment running the Windows Server® 2012 R2 operating system gives users and applications the access they need to function properly.

This module will help you to understand the different options available for providing adequate password security for accounts in your environment, and show you how to configure accounts to provide authentication for system services and background processes.

Objectives After completing this module, you will be able to:

• Configure password policy and account-lockout settings.

• Configure managed service accounts.


Lesson 1 Configuring Password Policy and User Account Lockout Settings

As an administrator, you must ensure that the user accounts in your environment conform to the security settings established by your organization. Windows Server 2012 uses account policies to configure security-related settings for user accounts. This lesson will help you to identify the settings available for configuring account security and the methods available to configure those settings.

Lesson Objectives After this lesson, you will be able to:

• Explain user account policies.

• Explain Kerberos policies.

• Explain how to configure user account policies.

• Describe Password Settings objects (PSOs).

• Explain how to configure PSOs.

• Configure PSOs.

• Discuss planning password policies.

User Account Policies

User account policies in Active Directory® Domain Services (AD DS) define the default settings for security-related attributes assigned to user objects. In AD DS, account policies are separated into two different groups of settings: password policy and account lockout. You can configure both groups of settings in the local policy settings for an individual Windows Server 2012 server, or for the entire domain by using the Group Policy Management Console (GPMC) in AD DS. When local policy settings conflict with Group Policy settings, Group Policy settings override local policy settings.

In the Group Policy Management Editor, you can apply most policy settings at any level of the AD DS structure: site, domain, or organizational unit (OU). Account policies are the exception. For domain accounts, AD DS reads them only from GPOs linked to the domain itself, so a domain has exactly one effective set of account policy settings. Account policy settings in a GPO linked to an OU still apply, but only to the local accounts on the computers in that OU.

Password policy

The password policy settings are designed to work together. Consider a user who wants to keep the same password indefinitely. A maximum password age forces a change, but on its own it is easy to defeat: the user changes the password and immediately changes it back. Enforcing password history blocks the immediate reuse, but without a minimum password age the user can cycle through 24 throwaway passwords in a minute and arrive back at the original. Only the combination of a maximum age, a password history, and a minimum age makes the workaround impractical. Remember that the goal of the password policy is not to make life difficult for the user, but to make it more difficult for someone to guess or steal the user's password.

You define the password policy by using the following settings:

• Enforce password history. This is the number of unique new passwords that you must associate with a user account before an old password can be reused. The default setting is 24 previous passwords. When you use this setting with the minimum password-age setting, the enforce password history setting prevents constant reuse of the same password.

• Maximum password age. This is the number of days that a password can be used before the user must change it. Regularly changing passwords limits how long a stolen password remains useful. However, you must balance this against the cost to users of changing passwords too often, and against the tendency of forced rotation to produce predictable variations of the old password; more recent guidance such as NIST SP 800-63B favours longer passwords and a change on suspected compromise over frequent scheduled changes. The default setting of 42 days is the value most organizations start from.

• Minimum password age. This is the number of days that a password must be used before the user can change it. The default value is one day, which is appropriate if you also enforce password history. Without a minimum age, password history alone does not stop reuse, because the user can change the password repeatedly until the old one drops out of the history.

• Minimum password length. This is the minimum number of characters that a user's password must contain. The default value is seven. This default is a widely used minimum, but you should consider increasing the password length to at least 10 to enhance security. A brute force attack tries every possible combination of characters, and the number of combinations is the size of the character set raised to the power of the password length, so each additional character multiplies the attacker's work by the size of the character set. For example, with only the 10 digits:

• Seven-character passwords have 10 million possible combinations.

• Eight-character passwords have 100 million possible combinations.

• Nine-character passwords have 1 billion possible combinations.

With the full set of 94 printable ASCII characters, a seven-character password already has roughly 64 trillion combinations, and each additional character multiplies that figure by 94.

• Complexity requirements. Windows Server includes a default password filter that is enabled by default, and you should not disable it. The filter requires that a password have the following characteristics:

o Does not contain your name or your user name.

o Contains at least six characters.

o Contains characters from three of the following four groups:

• Uppercase letters, such as A and Z.

• Lowercase letters, such as a and z.

• Numerals, such as 0 and 9.

• Special, nonalphanumeric characters, such as !, @, #, ), (, and *.
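The following added example (not from the course) puts the two points above into code: it implements the rules of the default password filter so you can see which passwords it rejects and why, and it sizes the brute force keyspace for a given length and character set. The name-token rules follow Microsoft's documentation for the complexity setting (the whole sAMAccountName, and any display name token of three or more characters, must not appear in the password). The sample user names and the guess rate are assumptions for illustration.

```powershell
# Added example (not from the course). Implements the documented rules of the
# "Password must meet complexity requirements" filter and sizes the keyspace.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt 6) { $reasons.Add('shorter than 6 characters') }

    # Whole sAMAccountName (case-insensitive); skipped when it is under 3 chars.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the user name')
    }
    # displayName tokens split on , . - _ space # and tab; tokens under 3 chars ignored.
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and
            $Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains display-name token '$token'")
            break
        }
    }
    # Three of the four character classes listed in the lesson.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons.Add("only $classes of 4 character classes") }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

function Get-BruteForceEstimate {
    param(
        [int]$Length,
        [int]$AlphabetSize = 94,          # printable ASCII; 10 for digits only
        [double]$GuessesPerSecond = 1e10  # assumed offline cracking rate, adjust to your threat model
    )
    $space   = [bigint]::Pow([bigint]$AlphabetSize, $Length)   # alphabet ^ length
    $seconds = [double]($space.ToString()) / $GuessesPerSecond
    [pscustomobject]@{
        Length        = $Length
        AlphabetSize  = $AlphabetSize
        Combinations  = $space
        YearsToSearch = [math]::Round($seconds / 31557600, 2)
    }
}

# Constructed sample inputs. 'Pa$$w0rd' passes the filter, which is exactly why
# complexity rules alone are not a defence against dictionary attacks.
'Pa$$w0rd', 'adamcarter2024!', 'correcthorsebattery', 'Adam!1' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'acarter' -DisplayName 'Adam Carter' } |
    Format-Table -AutoSize

7, 8, 9 | ForEach-Object { Get-BruteForceEstimate -Length $_ -AlphabetSize 10 } | Format-Table -AutoSize
7, 10, 14 | ForEach-Object { Get-BruteForceEstimate -Length $_ } | Format-Table -AutoSize
```

The digits-only run reproduces the 10 million, 100 million and 1 billion figures from the lesson; the 94-character run shows why length matters more than any single complexity rule.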

Account lockout policy You can define thresholds for account lockout, duration of the lockout, and a way to unlock accounts. Thresholds for account lockout stipulate that accounts become inoperable after a certain number of failed logon attempts during a certain amount of time. Account lockout policies help detect and prevent brute force attacks on account passwords. The following settings are available:

• Account lockout duration. Defines the number of minutes that a locked account remains locked. After the specified number of minutes, the account is unlocked automatically. To specify that an administrator must unlock the account, set the value to zero. A common design is to require administrator unlock for high-security accounts (through a Password Settings object, described later in this lesson) and to set 30 minutes for normal users.

• Account lockout threshold. Determines the number of failed logon attempts that are allowed before a user account is locked out. A value of zero means that the account is never locked out. You should set this value high enough to allow for users who mistype their passwords, but low enough to help ensure that brute force attempts to guess the password fail. Keep in mind that a very low threshold also lets anyone who knows a user name lock that account deliberately. Common values for this setting range from three to five.

• Reset account lockout counter after. Determines how many minutes must elapse after a failed logon attempt before the bad logon counter is reset to zero. This setting applies when a user has typed in his or her password incorrectly, but they have not exceeded the account lockout threshold. Consider setting this value to 30 minutes.
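To see how the three lockout settings interact, the following added example (not from the course) replays a list of failed logon times against a set of lockout values the way a domain controller counts them: the bad password counter is reset once the observation window has elapsed since the last failure, and the account locks when the counter reaches the threshold. The timestamps are constructed, not real log data.

```powershell
# Added example (not from the course): simulates account lockout accounting
# for a list of failed-logon timestamps. Timestamps below are constructed.

function Test-LockoutSimulation {
    param(
        [datetime[]]$FailedLogons,                                  # any order; sorted below
        [int]$LockoutThreshold = 5,
        [timespan]$ObservationWindow = [timespan]::FromMinutes(30), # "Reset account lockout counter after"
        [timespan]$LockoutDuration   = [timespan]::FromMinutes(30)  # 0 = administrator must unlock
    )
    if ($LockoutThreshold -eq 0) {
        return [pscustomobject]@{ LockedOut = $false; LockedAt = $null; BadPwdCount = 0; Note = 'threshold 0: never locks' }
    }
    $badCount = 0
    $lastBad  = $null
    foreach ($t in ($FailedLogons | Sort-Object)) {
        # Once the observation window has passed since the last failure the
        # counter starts again from zero, so slow guessing never accumulates.
        if ($lastBad -and ($t - $lastBad) -ge $ObservationWindow) { $badCount = 0 }
        $badCount++
        $lastBad = $t
        if ($badCount -ge $LockoutThreshold) {
            $unlocksAt = if ($LockoutDuration -eq [timespan]::Zero) { 'administrator must unlock' } else { $t + $LockoutDuration }
            return [pscustomobject]@{ LockedOut = $true; LockedAt = $t; BadPwdCount = $badCount; Note = "unlocks: $unlocksAt" }
        }
    }
    [pscustomobject]@{ LockedOut = $false; LockedAt = $null; BadPwdCount = $badCount; Note = 'under threshold' }
}

$base = Get-Date '2024-01-15 09:00:00'

# Five wrong passwords in two minutes: the fifth attempt locks the account.
$burst = 0..4 | ForEach-Object { $base.AddSeconds(30 * $_) }
Test-LockoutSimulation -FailedLogons $burst

# The same five failures spaced 31 minutes apart: the counter resets before
# each attempt, so the account never locks. This is the pattern a password
# spraying attack uses to stay below the threshold.
$spray = 0..4 | ForEach-Object { $base.AddMinutes(31 * $_) }
Test-LockoutSimulation -FailedLogons $spray
```

The second run is why lockout policy detects only the noisiest attacks: to catch slow guessing you also need to monitor failed logon events (4625 on members, 4771 and 4776 on domain controllers) across many accounts, not just the 4740 lockout events.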

Kerberos Policies

You deploy Kerberos policy settings for the entire domain from the Default Domain Policy. This policy applies to domain user and computer accounts, and determines Kerberos-related settings such as ticket lifetimes and logon-restriction enforcement. Kerberos policies do not exist in the Local Computer Policy. The Kerberos Policy configuration options contain settings for the Kerberos version 5 (V5) protocol ticket-granting ticket (TGT) lifetime, the service ticket lifetime, and the allowed clock skew. For most organizations, the default settings are appropriate. You will find the Kerberos policy in the Group Policy Object Editor in the Account Policies section under Computer Configuration, Security Settings, alongside the Password and Account Lockout policies just mentioned.

Kerberos is an authentication protocol that issues identity "tickets" which allow entities to prove who they are to other entities in a secure manner. Kerberos has several advantages as an authentication protocol. It provides delegated authentication by allowing Windows services to impersonate a client when accessing resources on its behalf. It provides single sign-on for domain users and computers by issuing TGTs that they can trade for service tickets to access specific services. It is an open standard (RFC 4120), so it interoperates with non-Windows systems. Authentication to servers is more efficient than with NTLM, because a server can validate a Kerberos service ticket with its own key instead of contacting a domain controller for every logon. Finally, Kerberos delivers mutual authentication: the server proves its identity to the client as well as the reverse.

Kerberos Policy You can use the Kerberos Policy in a Group Policy Object (GPO) to enforce user logon restrictions and to define thresholds for maximum service and user ticket lifetime, maximum user ticket renewal lifetime, and the maximum time computer clocks can be out of synchronization. The following settings are available:

• Enforce user logon restrictions. Determines if the Kerberos V5 Key Distribution Center (KDC) will validate every session ticket request against the user account’s user rights policy. This can add extra security, but it is not required, and can slow down services access to network resources. This setting is enabled by default.

• Maximum lifetime for service ticket. Defines the maximum time a service ticket is valid for authenticating client access to a particular service. If the service ticket expires before the client requests the server connection, the server responds with an error and the client goes back to the KDC for a new service ticket. This maximum lifetime must be at least 10 minutes but not greater than the maximum lifetime for a user ticket. By default, the maximum service ticket lifetime is 600 minutes, or 10 hours.

• Maximum lifetime for user ticket. Sets the amount of time a user account’s TGT is valid. The default is 10 hours.

• Maximum lifetime for user ticket renewal. Sets the amount of time in days that the user account’s TGT can be renewed. The default is seven days.

• Maximum tolerance for computer clock synchronization. Determines the amount of time that client computers' clocks can be out of sync with the domain controller. The primary domain controller (PDC) emulator operations master is the authoritative time source for the domain. Kerberos tickets and the authenticators sent with them are time stamped, and the KDC and services reject time stamps outside the tolerance; this is what limits how long a captured authenticator can be replayed. Because any two computers can drift, administrators can set how far apart the clocks may be. The default for this setting is five minutes, and raising it widens the replay window.
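The Kerberos policy is delivered to domain controllers as the [Kerberos Policy] section of the security template (GptTmpl.inf) that Group Policy stores in SYSVOL under the Default Domain Policy. The following added example (not from the course) parses that file format and checks the values against the constraints described above. The template text is a constructed sample containing the default values; the SYSVOL path in the comment, with the well-known GUID of the Default Domain Policy, is where you would read the real file.

```powershell
# Added example (not from the course): parse [Kerberos Policy] from a
# GptTmpl.inf security template and check it against the lesson's rules.
# Constructed sample; the real file for the Default Domain Policy lives at
# \\<domain>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

$SampleTemplate = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SecurityTemplate {
    param([string]$Text)
    $result  = @{}
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    $result
}

function Test-KerberosPolicy {
    param([hashtable]$Template)
    $k = $Template['Kerberos Policy']
    $tgtMinutes = [int]$k['MaxTicketAge'] * 60   # MaxTicketAge is in hours
    $svcMinutes = [int]$k['MaxServiceAge']       # MaxServiceAge is in minutes
    $findings = @()
    if ($svcMinutes -lt 10 -or $svcMinutes -gt $tgtMinutes) {
        $findings += "MaxServiceAge $svcMinutes must be between 10 and MaxTicketAge ($tgtMinutes) minutes"
    }
    if ([int]$k['MaxRenewAge'] * 24 -lt [int]$k['MaxTicketAge']) {
        $findings += 'MaxRenewAge (days) is shorter than MaxTicketAge (hours)'
    }
    if ([int]$k['MaxClockSkew'] -gt 5) {
        $findings += 'MaxClockSkew above the 5-minute default widens the replay window'
    }
    [pscustomobject]@{
        TgtLifetimeHours       = [int]$k['MaxTicketAge']
        ServiceTicketMinutes   = $svcMinutes
        RenewalDays            = [int]$k['MaxRenewAge']
        ClockSkewMinutes       = [int]$k['MaxClockSkew']
        EnforceLogonRestrictions = ([int]$k['TicketValidateClient'] -eq 1)
        Findings               = ($findings -join '; ')
    }
}

Test-KerberosPolicy -Template (ConvertFrom-SecurityTemplate -Text $SampleTemplate)
```

TicketValidateClient corresponds to "Enforce user logon restrictions", MaxTicketAge and MaxRenewAge to the user ticket lifetime and renewal settings. Comparing a fresh copy of GptTmpl.inf against a known-good baseline is also a cheap way to detect unauthorized edits to the Default Domain Policy.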

You can create access control based on claims and compound authentication by deploying Dynamic Access Control. You must ensure that you have sufficient domain controllers running Windows Server 2012 or newer to serve these new authorization types. The KDC administrative template policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring. Note that domain controllers running Windows Server 2003 cannot be in a domain allowing claims and compound authentication. Additionally, Kerberos clients running the Windows 8 operating system require a Windows Server 2012 domain controller to use claims and compound authentication; devices running Windows 8 with those features enabled will fail authentication if they cannot find a domain controller running Windows Server 2012. You must ensure that there are sufficient domain controllers running Windows Server 2012 for any account, referral, and resource domains that are supported.

Configuring User Account Policies

There are several options available for configuring user account policies when administering an AD DS environment.

Local policy settings with Secpol.msc Each individual Windows Server 2012 computer has its own set of account policies, which apply to accounts created and managed on the local computer. To configure these policy settings, open the Local Security Policy console by running secpol.msc from the command prompt. You can locate the password policy and account policy settings within the Local Security Policy Console by expanding Security Settings, and then expanding Account Policies.

Group policy with Group Policy Management

In an AD DS domain environment, you configure domain-wide account policy settings within the Group Policy Management Editor. Follow these steps to find the domain-wide account policy settings:

• Expand the Computer Configuration node, expand the Policies node, expand the Windows Settings node, expand the Security Settings node, and then expand the Account Policies node.


The settings found within the Account Policies node are the same settings found in the Local Security Policy, with the addition of the Kerberos Policy settings that apply to domain authentication.

The Group Policy Account Policy settings exist in the template of every GPO that you create in the GPMC. However, for domain accounts AD DS honours these settings only from a GPO linked to the domain itself. By default that GPO is the Default Domain Policy, which links to the root of the AD DS domain; a second domain-linked GPO with higher precedence could override it, but there is still only one effective account policy per domain. Account policy settings in GPOs linked to sites or OUs apply only to the local accounts of the computers in scope, never to domain accounts.

Note: If settings conflict between the account policy settings in the Local Security Policy and the account policy settings in the Default Domain Policy GPO, the Default Domain Policy settings take precedence.

When you initially install a Windows operating system such as Windows 8.1 or Windows Server 2012 R2, the computer will have a password policy with settings configured and established by default, but the account lockout policy does not have any settings configured. When you install a domain, the Default Domain Policy that is created contains all three policies. The Password and Kerberos Policies settings are configured and established by default, but there are no settings configured for the account lockout policy. You can make changes to any of the policies, including configuring the settings in the account lockout policy. However, you need to consider the implications carefully before doing so.

In most cases, your organization will already have established domains and computer systems that have these settings configured. Most organizations also have numerous written security policies that dictate standards for password and account lockout policies. In these cases, you cannot make changes without approval or addressing the written security policies.
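Because the effective domain account policy is stored as attributes of the domain object, you can audit it from Windows PowerShell without opening the GPMC. The following added example (not from the course) reads it with Get-ADDefaultDomainPasswordPolicy, compares it with a baseline, and shows how Set-ADDefaultDomainPasswordPolicy would apply the differences. The baseline values are assumptions for illustration, not a recommendation from the course; it assumes the Active Directory module and rights to change the domain.

```powershell
# Added example (not from the course): audit the effective domain account
# policy against a baseline. Baseline values are illustrative assumptions.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength           = 10
    PasswordHistoryCount        = 24
    MinPasswordAge              = [timespan]::FromDays(1)
    MaxPasswordAge              = [timespan]::FromDays(42)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false   # reversible storage is equivalent to plaintext
    LockoutThreshold            = 5
    LockoutDuration             = [timespan]::FromMinutes(30)
    LockoutObservationWindow    = [timespan]::FromMinutes(30)
}

function Compare-DomainPasswordPolicy {
    param([hashtable]$Baseline, [string]$Domain = (Get-ADDomain).DNSRoot)
    # Reads maxPwdAge, lockoutThreshold, etc. from the domain object: this is what
    # domain controllers actually enforce, whatever the GPO says.
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Drift    = ($actual -ne $Baseline[$name])
        }
    }
}

$drift = Compare-DomainPasswordPolicy -Baseline $Baseline | Where-Object Drift
$drift | Format-Table -AutoSize

# Set-ADDefaultDomainPasswordPolicy writes the domain object's attributes
# directly. The Default Domain Policy GPO remains the source that Group Policy
# processing on the PDC emulator writes to those attributes, so make the same
# change in the GPO or it can be reverted. -WhatIf shows the change without making it.
if ($drift) {
    $params = @{}
    foreach ($d in $drift) { $params[$d.Setting] = $d.Expected }
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot @params -WhatIf
}
```

Kerberos policy settings are not exposed by this cmdlet; for those, read the Default Domain Policy itself (Get-GPOReport or the GptTmpl.inf template in SYSVOL).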

Question: Why would you use secpol.msc to configure local account policy settings for a Windows Server 2012 computer instead of using domain- based Group Policy account policy settings?

What Are Password Settings Objects?

Starting with Windows Server® 2008, administrators can define more than one password policy in a single domain by implementing fine-grained password policies. These enable you to have more granular control over user password requirements, and you can have different password requirements for different users or groups.

To support the fine-grained password policy feature, AD DS in Windows Server 2008 and newer versions includes two object types:

• Password Setting Container. Windows Server creates the Password Setting Container (PSC) by default, and you can view it in the domain’s System container. The container stores the PSOs that you create and link to global security groups or to users.

• Password Settings objects. Members of the Domain Admins group create PSOs, and then define the specific password and account lockout settings to be linked to a specific security group or user.

Fine-grained password policies apply only to user objects and to global security groups. You can also use inetOrgPerson objects instead of user objects. By linking a PSO to a user or a group, you are modifying an attribute called msDS-PSOApplied, which is empty by default. This approach treats password and account lockout settings not as domain-wide requirements, but as attributes of a specific user or group.

For example, to configure a strict password policy for administrative accounts, create a global security group, add the administrative user accounts as members, and link a PSO to the group. Applying fine-grained password policies to a group in this manner is more manageable than applying the policies to each individual user account. If you create a new administrative account, you simply add it to the group, and the account becomes managed by the PSO.

Note: By default, only members of the Domain Admins group can set fine-grained password policies. However, you also can delegate the ability to set these policies to other users.

Applying fine-grained password policies You cannot apply a fine-grained password policy to an OU directly. To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that maps logically to an OU, and enforces a fine-grained password policy. You can add an OU’s users as members of the newly created shadow group, and then apply the fine-grained password policy to this shadow group. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

The settings that you manage using a fine-grained password policy are identical to those in the Password Policy and Account Lockout Policy nodes of a GPO. However, you do not implement fine-grained password policies as part of a Group Policy and you do not apply them as part of a GPO. Instead, there is a separate class of object in AD DS that maintains the settings for fine-grained password policies: the PSO.

You can create one or more PSOs in your domain. Each PSO contains a complete set of password and lockout policy settings. You apply a PSO by linking the PSO to one or more global security groups or users.

To use a fine-grained password policy, your domain functional level must be Windows Server 2008 or newer. This means that all of your domain controllers in the domain are running Windows Server 2008 or newer, and the domain functional level has been raised to Windows Server 2008 or newer.

To confirm and modify the domain functional level, perform the following steps:

1. Open Active Directory Domains and Trusts.

2. In the console tree, expand Active Directory Domains and Trusts, and then expand the tree until you can see the domain.

3. Right-click the domain, and then click Raise domain functional level.


Configuring PSOs

You can create and apply PSOs in the Windows Server 2012 environment by using either of the following tools:

• Active Directory Administrative Center

• Windows® PowerShell®

Configuring PSOs by using Windows PowerShell

You can use the cmdlets in the Active Directory module for Windows PowerShell to create and manage PSOs in your domain.

• New-ADFineGrainedPasswordPolicy

This cmdlet creates a new PSO and defines its settings. For example, the following command creates a PSO named TestPswd with the same values as the domain defaults, gives it precedence 1, and protects it from accidental deletion. Note that a LockoutThreshold of 0 means accounts covered by this PSO never lock out:

New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true

• Add-ADFineGrainedPasswordPolicySubject

This cmdlet links a user or group to an existing PSO. For example, the following command links the TestPswd PSO to the global security group named Marketing:

Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects Marketing

Configuring PSOs by using the Active Directory Administrative Center The Active Directory Administrative Center provides a GUI for creating and managing PSOs. To manage PSOs in the Active Directory Administrative Center, follow these steps:

1. Open the Active Directory Administrative Center.

2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Node dialog box, and then click OK.

3. In the Active Directory Administrative Center navigation pane, open the System container, and then click Password Settings Container.

4. In the Tasks pane, click New, and then click Password Settings.

5. Fill in or edit fields inside the property page to create a new Password Settings object.

6. Under Directly Applies To, click Add, type Marketing, and then click OK.

This associates the Password Policy object with the members of the global group that you created for the test environment.

7. Click OK to create the PSO.


Note: The Active Directory Administrative Center interface for PSO management uses the Windows PowerShell cmdlets mentioned previously to carry out the creation and management of PSOs. The Windows PowerShell History pane in the Active Directory Administrative Center shows the exact commands it ran, which you can reuse in scripts.

Considerations for configuring PSOs It is possible for you to link more than one PSO to a user or a security group. You might do this if a user is a member of multiple security groups, which might each have an assigned PSO already, or if you assign multiple PSOs directly to a user object. In either case, it is important to understand that you can apply only one PSO as the effective password policy.

If you assign multiple PSOs to a user or a group, the msDS-PasswordSettingsPrecedence attribute helps to determine the resultant PSO. A PSO with a lower value takes precedence over a PSO with a higher value.

The following process describes how AD DS determines the resultant PSO if you link multiple PSOs to a user or a group:

1. Any PSO that you link directly to a user object is the resultant PSO. If you link multiple PSOs directly to the user object, the PSO with the lowest msDS-PasswordSettingsPrecedence value is the resultant PSO. If two PSOs have the same precedence, the PSO with the mathematically smallest objectGUID is the resultant PSO.

2. If you do not link any PSOs directly to the user object, AD DS compares the PSOs for all global security groups that contain the user object. The PSO with the lowest msDS-PasswordSettingsPrecedence value is the resultant PSO. If multiple PSOs apply to the same user and they have the same msDS-PasswordSettingsPrecedence value, AD DS applies the PSO with the mathematically smallest globally unique identifier (GUID).

3. If you do not link any PSOs to the user object, either indirectly through group membership or directly, AD DS applies the Default Domain Policy.

All user objects have a constructed attribute called msDS-ResultantPSO. You can use this attribute to determine the distinguished name of the PSO that AD DS applies to the user object. If no PSO applies to the user object, this attribute is empty and the Default Domain Policy GPO contains the effective password policy.

To view the effect of a policy that AD DS is applying to a user, follow these steps:

1. Open Active Directory Users and Computers, then, on the View menu, ensure that Advanced Features is enabled.

2. Open the properties of a user account. You can view the msDS-ResultantPSO attribute on the Attribute Editor tab if you have configured the Show Constructed Attributes option under the Filter options.
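The following added example (not from the course) models the three resolution rules above with constructed PSO objects, so the precedence and GUID tie-break can be seen without a domain. The PSO names, GUIDs and distinguished names are made up. In a live domain the authoritative answer is Get-ADUserResultantPasswordPolicy, which reads msDS-ResultantPSO; the GUID tie-break here uses .NET's Guid ordering, which is assumed to match what AD means by "mathematically smallest".

```powershell
# Added example (not from the course): models resultant-PSO selection with
# constructed objects. Names, GUIDs and DNs are made up for illustration.

function New-FakePso {
    param([string]$Name, [int]$Precedence, [string]$Guid, [string[]]$AppliesTo)
    [pscustomobject]@{ Name = $Name; Precedence = $Precedence; ObjectGuid = [guid]$Guid; AppliesTo = $AppliesTo }
}

function Select-WinningPso {
    param([object[]]$Candidates)
    # Lowest msDS-PasswordSettingsPrecedence wins; ties go to the smallest
    # objectGUID (assumption: .NET Guid ordering equals AD's "mathematically smallest").
    $Candidates | Sort-Object -Property Precedence, ObjectGuid | Select-Object -First 1
}

function Resolve-ResultantPso {
    param(
        [string]$UserDn,
        [string[]]$UserGroupDns,   # global security groups the user belongs to
        [object[]]$Psos
    )
    # Rule 1: any PSO linked directly to the user beats every group-linked PSO.
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    if ($direct.Count) { return Select-WinningPso -Candidates $direct }

    # Rule 2: otherwise compare the PSOs linked to the user's global security groups.
    $viaGroups = @($Psos | Where-Object {
        $groups = $_.AppliesTo
        ($UserGroupDns | Where-Object { $groups -contains $_ }).Count -gt 0
    })
    if ($viaGroups.Count) { return Select-WinningPso -Candidates $viaGroups }

    # Rule 3: no PSO applies; the Default Domain Policy is the effective policy.
    [pscustomobject]@{ Name = 'Default Domain Policy'; Precedence = $null; ObjectGuid = $null; AppliesTo = @() }
}

$psos = @(
    (New-FakePso -Name 'IT Administrators PSO' -Precedence 10 -Guid '7b9c0a1e-0000-4000-8000-000000000001' -AppliesTo 'CN=ITAdmins,OU=IT,DC=Adatum,DC=com'),
    (New-FakePso -Name 'Service Accounts PSO'  -Precedence 10 -Guid '7b9c0a1e-0000-4000-8000-000000000000' -AppliesTo 'CN=SvcAccounts,OU=IT,DC=Adatum,DC=com'),
    (New-FakePso -Name 'Break-glass PSO'       -Precedence 50 -Guid '7b9c0a1e-0000-4000-8000-000000000009' -AppliesTo 'CN=Adam Carter,OU=IT,DC=Adatum,DC=com')
)
$groups = 'CN=ITAdmins,OU=IT,DC=Adatum,DC=com', 'CN=SvcAccounts,OU=IT,DC=Adatum,DC=com'

# Direct link wins despite its worse precedence (50): Break-glass PSO.
(Resolve-ResultantPso -UserDn 'CN=Adam Carter,OU=IT,DC=Adatum,DC=com' -UserGroupDns $groups -Psos $psos).Name

# No direct link, two group PSOs tied at precedence 10: the smaller GUID wins (Service Accounts PSO).
(Resolve-ResultantPso -UserDn 'CN=Beth Burke,OU=IT,DC=Adatum,DC=com' -UserGroupDns $groups -Psos $psos).Name

# No links at all: Default Domain Policy.
(Resolve-ResultantPso -UserDn 'CN=Carl Dunn,OU=Sales,DC=Adatum,DC=com' -UserGroupDns @() -Psos $psos).Name
```

The second case is the one to watch for in practice: a tie on precedence is resolved by a value nobody chose, so give every PSO a distinct precedence and check the result with Get-ADUserResultantPasswordPolicy after linking.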

Demonstration: Configuring PSOs

In this demonstration, you will see how to use the Active Directory Administrative Center to create and configure a PSO. You will create a global security group in the Information Technology (IT) OU named ITAdmins, and then create a PSO for the group.


Demonstration Steps

1. In Server Manager, select Active Directory Users and Computers.

2. In Active Directory Users and Computers, create a global security group named ITAdmins in the IT OU.

3. Open the Group Policy Management console, and explore the Default Domain Policy and the settings for the various account policies.

4. Open the Active Directory Administrative Center, and navigate to Adatum.com, System, Password Settings Container.

5. Create a new Password Settings object with the following settings:

o Name: IT Administrators PSO.

o Precedence of 1.

o Minimum password length of 10.

o Maximum password age of 30 days.

o Enforce account lockout policy: enabled.

o Number of failed logon attempts allowed set to 5.

o Apply policy to the ITAdmins group created in step 2.

6. Close all open windows.

Discussion: Planning Password Policies

Key points

Consider the following questions, and then discuss your answers with the class.

Question: Woodgrove Bank, a trusted lending institution for over 100 years, is concerned that their customers might perceive that their security practices are outdated. The bank president told the managers that they should review their policies, and update them to reflect industry standards. The information systems (IS) Director asks you to draw up a plan to enhance the password policy settings. What would you recommend?

Question: Pleased with your answers on the password policy, the IS Director asks you to come up with a new account lockout policy that will ensure security while also ensuring that the productivity of bank tellers will not be negatively impacted by being locked out frequently.

Question: Tailspin Toys is creating a new research department that will work with a global technology partner on video games. They want to ensure that the strictest password policies are applied to the researchers in the department. What do you suggest they do?

Question: The IS Director wants to know what Microsoft technology experts consider to be the best practices for configuring password policies. He asks you to make a list. What would your list include?


Lesson 2 Configuring Managed Service Accounts

Creating user accounts to provide authentication for applications, system services, and background processes is a common practice in the Windows environment. Historically, ordinary user accounts were created, and often named, for use by a specific service. Windows Server 2008 R2 introduced managed service accounts, AD DS account-like objects that make service accounts easier to manage and less of a security risk to your environment, and Windows Server 2012 extends them with group managed service accounts.

This lesson will introduce you to managed service accounts, and new functionality related to managed service accounts introduced in Windows Server 2012.

Lesson Objectives After completing this lesson, you will be able to:

• Describe service accounts.

• Identify the challenges of using standard user accounts for services.

• Describe managed service accounts.

• Explain how to configure managed service accounts.

• Describe group-managed service accounts.

Service Account Overview

In Windows, applications sometimes require administrative access to local and network resources. In the past, it was common to give these applications administrative account permissions to the resources. For example, Microsoft® SQL Server® needs to manage its databases and might need local administrative access to do this. In a distributed SQL Server environment, with multiple SQL Servers each hosting numerous databases, it may need administrative access to all of them. For that reason, an administrator might create an account for SQL Server that belongs to the Domain Admins group, or at least to the computers' local Administrators group, with a password set to never expire. Administrators must then remember to periodically change that password manually on every server where a service runs under it. This type of account introduces possible security issues and, if compromised, can endanger the entire domain.

Therefore, you could consider running the application or service using a built-in local account. Windows operating systems have three built-in local accounts to allow application and service access of resources. These accounts are tied to the individual computer rather than a user account, as follows:

• Local System. Has extensive privileges on the local system and acts as the computer on the network. It is a very high-privileged built-in account. The name of the account is "NT AUTHORITY\SYSTEM".

• Local Service. Has the same level of access to resources and objects as members of the local Users group. This limited access helps protect the system if individual services or processes are compromised. Services running as the Local Service account will access network resources as a null session without any credentials. The name of the account is "NT AUTHORITY\LOCAL SERVICE".

• Network Service. Has more access to resources and objects than members of the Users group have, and therefore more than the Local Service account. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is "NT AUTHORITY\NETWORK SERVICE".

However, use of the Local System account could still compromise security, considering the high-level privileges under which it operates. Therefore, you should take extra care when using this account for application access. Conversely, the Local Service account may not have enough privileges to access all the resources required by the application. If the application needs resources on other computers, you could use the Network Service account. However, you must then add the machine account to a group in the domain, or grant it access individually on the other computers. In all cases, you should perform a thorough security analysis to ensure that you consider all aspects of using these service accounts.

Challenges of Using Standard User Accounts for Services

Many applications such as SQL Server or Internet Information Services (IIS) contain services that you install on the server that hosts the application. These services typically run at server startup or are triggered by other events. Services often run in the background and do not require any user interaction.

For a service to start up and authenticate, you use a service account. A service account may be an account that is local to the computer, such as the built-in Local Service, Network Service, or Local System accounts. You also can configure a service account to use a domain-based account located in AD DS.

To help centralize administration and to meet application requirements, many organizations choose to use a domain-based account to run application services. While this does provide some benefit over using a local account, there are a number of associated challenges, such as the following:

• Extra administration effort may be necessary to manage the service account password securely. This includes tasks such as changing the password and resolving situations that cause an account lockout. Service accounts also typically are configured to have passwords that do not expire, which may go against your organization’s security policies.

• It can be difficult to determine where a domain-based account is being used as a service account. You may use a standard user account for multiple services on various servers throughout the environment. A simple task, such as changing the password, may cause authentication issues for some applications. It is important to know where and how to use a standard user account when it is associated with an application service.

• Extra administration effort may be necessary to manage the service principal name (SPN). Using a standard user account may require manual administration of the SPN. If the logon account of the service changes, the computer name is changed, or a Domain Name System (DNS) host name property is modified, you may need to manually modify the SPN registrations to reflect the change. A misconfigured SPN causes authentication problems with the application service.

Windows Server 2012 supports an AD DS object, named a managed service account, which you use to facilitate service-account management. The following topics provide information on the requirements and use of managed service accounts in Windows Server 2012.
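The second challenge above, not knowing where a domain account is used as a service account, is usually the first thing to establish before a password change. The following Windows PowerShell script is an added example and is not part of the course material: it inventories the services on a list of servers that log on as a given domain account, then reports that account's SPNs and password-expiry settings. The account name, server names, and the availability of remote CIM (WinRM) access to those servers are assumptions.

```powershell
# Added example (not from the course): find where a domain account is used as a
# service logon account and report its SPN and password-expiry state.
# Assumptions: Active Directory module installed; ADATUM\svc_app and the server
# names are placeholders; remote CIM (WinRM) access to the servers is available.
Import-Module ActiveDirectory

$serviceAccount = 'ADATUM\svc_app'          # placeholder, DOMAIN\sAMAccountName form
$servers        = 'LON-SVR1', 'LON-SVR2'    # placeholder server names

# 1. Every Windows service on each server whose logon account is this account.
$usages = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -ieq $serviceAccount } |
            Select-Object @{n='Server'; e={ $server }}, Name, StartMode, State, StartName
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
    }
}
$usages | Format-Table -AutoSize

# 2. The account's SPNs and password settings, the two items the lesson says become
#    a manual burden with a standard user account.
$sam  = ($serviceAccount -split '\\')[-1]
$user = Get-ADUser -Identity $sam -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet
[pscustomobject]@{
    Account              = $user.SamAccountName
    PasswordNeverExpires = $user.PasswordNeverExpires
    PasswordLastSet      = $user.PasswordLastSet
    SPNs                 = ($user.ServicePrincipalName -join '; ')
    ServiceInstances     = @($usages).Count
}
```

Run it from a workstation with the Active Directory module; a non-zero ServiceInstances count combined with PasswordNeverExpires set to True is exactly the situation the lesson describes, and each listed service will need updating if the password is changed.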

Managed Service Account and Virtual Accounts

A managed service account is an AD DS object class that enables simplified password and SPN management for service accounts. The managed service account first appeared in Windows 7 and Windows Server 2008 R2.

Many network-based applications use an account to run services or provide authentication. For example, an application on a local computer might use the Local Service, Network Service, or Local System accounts. These service accounts may work fine. However, these typically are shared among multiple applications and services, making it difficult to manage for a specific application. Furthermore, you cannot manage these local service accounts at the domain level.

Alternatively, it is quite common that an application might use a standard domain account that you configure specifically for the application. However, the main drawback is that you need to manage passwords manually, which increases administration effort.

A managed service account can provide an application with its own unique account, while eliminating the need for an administrator to administer the account’s credentials manually.

How a Managed Service Account Works

Managed service accounts are stored in AD DS as msDS-ManagedServiceAccount objects. This class inherits structural aspects from the Computer class, which in turn inherits from the User class. This enables a managed service account to fulfill User-like functions, such as providing authentication and security context for a running service. It also enables a managed service account to use the same password update mechanism used by Computer objects in AD DS, a process that requires no user intervention.

Managed service accounts provide the following benefits to simplify administration:

• Automatic password management. A managed service account automatically maintains its own password, including password changes.

• Simplified SPN management. SPNs are managed automatically if your domain is at the Windows Server 2008 R2 domain functional level or higher.

Managed service accounts are stored in the CN=Managed Service Accounts, DC=<domain>, DC=<com> container. You can view this by enabling the Advanced Features option in the View menu within Active Directory Users and Computers. This container is visible by default in the Active Directory Administrative Center.

Requirements for using managed service accounts

To use a managed service account, the server that runs the service or application must be running Windows Server 2008 R2 or Windows Server 2012. You also must ensure that .NET Framework 3.5.x and the Active Directory module for Windows PowerShell are both installed on the server.

Note: You cannot share a standard managed service account between multiple computers, nor use it in server clusters where the service is replicated between nodes. Additionally, you cannot use managed service accounts for unattended scheduled tasks.

To simplify and provide full automatic password and SPN management, we strongly recommend that the AD DS domain be at the Windows Server 2008 R2 functional level or higher. However, if you have a domain controller running Windows Server 2008 or Windows Server® 2003, you can update the Active Directory schema to Windows Server 2008 R2 to support this feature. The only disadvantage is that the domain administrator must configure SPN data manually for the managed service accounts.

To update the schema in Windows Server 2008, Windows Server 2003, or mixed-mode environments, you must perform the following tasks:

1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.

2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active Directory Management Gateway Service, or Windows Server 2003 with the Active Directory Management Gateway Service.

Note: The Active Directory Management Gateway Service allows administrators with domain controllers running Windows Server 2003 or Windows Server 2008 to use Windows PowerShell cmdlets to manage managed service accounts.

Considerations for managed service accounts on Windows Server 2012 domain controllers

In Windows Server 2012, you create managed service accounts as the new group managed service account object type by default. However, to accommodate this, you must fulfill one of the requirements for group managed service accounts before you can create any managed service account on a Windows Server 2012 domain controller.

On a Windows Server 2012 domain controller, you must create a key distribution services root key for the domain before you can create any managed service accounts. To create the root key, run the following cmdlet from the Active Directory PowerShell module for Windows PowerShell:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

You can find more information about group managed service accounts, including a further explanation of the Key Distribution Services (KDS) root key and of the cmdlet above, later in this lesson.

What Are Group Managed Service Accounts?

Group managed service accounts enable you to extend the capabilities of standard managed service accounts to more than one server in your domain. In server farm scenarios with Network Load Balancing (NLB) clusters or IIS servers, there often is a need to run system or application services under the same service account. Standard managed service accounts cannot provide managed service account functionality to services that are running on more than one server. By using group managed service accounts, you can configure multiple servers to use the same managed service account and still retain the benefits that managed service accounts provide, like automatic password maintenance and simplified SPN management.

Group managed service account requirements

In order to support group managed service account functionality, your environment must meet the following requirements:

• At least one domain controller must be running Windows Server 2012 to store managed password information.

• Client computers that use group managed service accounts must be running Windows 8 or newer, and server-based computers must be running Windows Server 2012 or newer.

• You must create a KDS root key on a domain controller in the domain. To create the KDS root key, run the following command from the Active Directory Module for Windows PowerShell on a Windows Server 2012 domain controller:

Add-KdsRootKey -EffectiveImmediately

Note: The -EffectiveImmediately switch uses the current time to establish the timestamp that marks the key as valid. However, when you use the -EffectiveImmediately switch, the actual effective time is set to 10 hours later than the current time. This 10-hour delay allows AD DS replication to replicate the change to the other domain controllers in the domain. For testing purposes, you can bypass this delay by setting the -EffectiveTime parameter to 10 hours before the current time, by running the following command: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Understanding group managed service account functionality

Group managed service accounts enable managed service account functionality across multiple servers by delegating the management of managed service account password information to Windows Server 2012 domain controllers. By doing this, the management of passwords is no longer dependent on the relationship between a single server and AD DS, but is controlled entirely by AD DS.

The group managed service account object contains a list of principals, either computers or AD DS groups, that are allowed to retrieve group managed service account password information from AD DS. Those principals are then allowed to use the group managed service account to authenticate services.

You create group managed service accounts by using the same cmdlets from the Active Directory Module for Windows PowerShell. In fact, the cmdlets used for managed service account management will create group managed service accounts by default.

On a Windows Server 2012 domain controller, create a new managed service account by using the New-ADServiceAccount cmdlet with the -PrincipalsAllowedToRetrieveManagedPassword parameter. This parameter accepts one or more comma-separated computer accounts or AD DS groups that are permitted to obtain password information for the group managed service account that is stored in AD DS on Windows Server 2012 domain controllers.

For example, the following cmdlet creates a new group managed service account called SQLFarm, and enables the LON-SQL1, LON-SQL2, and LON-SQL3 hosts to use it (the -DNSHostName parameter is mandatory for a group managed service account, and computer accounts are identified by their sAMAccountName, which ends in $):

New-ADServiceAccount -Name SQLFarm -DNSHostName SQLFarm.Adatum.com -PrincipalsAllowedToRetrieveManagedPassword LON-SQL1$, LON-SQL2$, LON-SQL3$

Once you have added a computer by using the PrincipalsAllowedToRetrieveManagedPassword parameter, the group managed service account is available to be assigned to services on that computer by using the same assignment process as for standard managed service accounts.

Using AD DS groups to manage group managed service account server farms

You can use AD DS security groups to identify the computers that may use a group managed service account. When you use an AD DS group for the PrincipalsAllowedToRetrieveManagedPassword parameter, any computers that are members of that group are allowed to retrieve the password and use group managed service account functionality. Any other accounts that are members of the group have the same capability.
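The two preceding topics (creating a group managed service account with -PrincipalsAllowedToRetrieveManagedPassword, and using an AD DS group as that principal) can be combined into one script. The following is an added example and is not part of the course material: it checks that a KDS root key exists, creates a security group of farm hosts, creates the gMSA with the group as the only principal allowed to retrieve the password, and verifies the result. The names SQLFarmHosts, SQLFarm, SQLFarm.Adatum.com, the LON-SQL1 to LON-SQL3 computers, and the SPN are placeholders.

```powershell
# Added example (not from the course): a group managed service account whose password
# may be retrieved by every member of an AD DS security group, so adding a server to
# the farm is a group-membership change rather than a change to the account.
# Assumptions: Windows Server 2012 domain controller; the names below are placeholders.
Import-Module ActiveDirectory

# New-ADServiceAccount fails without a KDS root key, so refuse to continue if none exists.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Run Add-KdsRootKey on a Windows Server 2012 domain controller first.'
}

# 1. A global security group that lists the farm hosts.
$groupName = 'SQLFarmHosts'
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Description 'Computers allowed to retrieve the SQLFarm gMSA password'
$farmHosts = 'LON-SQL1', 'LON-SQL2', 'LON-SQL3' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $farmHosts

# 2. The gMSA itself. -DNSHostName is mandatory for a group managed service account.
#    The SPN is registered on the account so that no per-server SPN administration is needed.
New-ADServiceAccount -Name 'SQLFarm' `
    -DNSHostName 'SQLFarm.Adatum.com' `
    -ServicePrincipalNames 'MSSQLSvc/SQLFarm.Adatum.com:1433' `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName

# 3. Verify the object class (gMSA, not a standard MSA), the allowed principals, and
#    the automatic password-change interval in days (30 by default).
Get-ADServiceAccount -Identity 'SQLFarm' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', ServicePrincipalName |
    Select-Object Name, DNSHostName, ObjectClass,
        @{n='AllowedPrincipals'; e={ $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' }},
        @{n='PasswordIntervalDays'; e={ $_.'msDS-ManagedPasswordInterval' }},
        @{n='SPNs'; e={ $_.ServicePrincipalName -join '; ' }}
```

Because a computer's group memberships are evaluated when it obtains its Kerberos ticket, a host added to SQLFarmHosts must be restarted (or otherwise refresh its computer ticket) before Install-ADServiceAccount and Test-ADServiceAccount succeed on it. Adding a fourth SQL server to the farm is then a single Add-ADGroupMember call.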

Demonstration: Configuring Group Managed Service Accounts

Creating and configuring a managed service account requires the use of four cmdlets from the Active Directory Module for Windows PowerShell:

• Add-KdsRootKey creates the KDS root key to support group managed service accounts, a requirement on Windows Server 2012 domain controllers (DCs):

Add-KdsRootKey -EffectiveImmediately

• New-ADServiceAccount creates the managed service account within AD DS:

New-ADServiceAccount -Name <MSA Name> -DNSHostName <DC DNS Name>

• Add-ADComputerServiceAccount associates the managed service account with a computer account in the AD DS domain:

Add-ADComputerServiceAccount -Identity <Host Computer Name> -ServiceAccount <MSA Name>

• Install-ADServiceAccount installs the managed service account on a host computer in the domain, and makes the managed service account available for use by services on the host computer:

Install-ADServiceAccount -Identity <MSA Name>
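The four cmdlets above, run in order and followed by the checks an administrator would want before handing the account to a service, are shown in the following added example, which is not part of the course material. It creates a standard (single-computer) managed service account rather than the default gMSA, binds it to one host, installs it there, and assigns it to a Windows service. The names SampleApp_SVR1, LON-SVR1, SampleApp_SVR1.Adatum.com, and the service name AppIDSvc (assumed to be the service name of "Application Identity") are placeholders.

```powershell
# Added example (not from the course): standard MSA lifecycle with the four cmdlets.
# Placeholders: SampleApp_SVR1, LON-SVR1, Adatum.com, AppIDSvc (assumed service name).

# --- Run on the domain controller (LON-DC1) ---
Import-Module ActiveDirectory

# -RestrictToSingleComputer creates a standard MSA instead of the default gMSA.
New-ADServiceAccount -Name 'SampleApp_SVR1' `
    -DNSHostName 'SampleApp_SVR1.Adatum.com' `
    -RestrictToSingleComputer

# Bind the account to the one host that may use it.
Add-ADComputerServiceAccount -Identity 'LON-SVR1' -ServiceAccount 'SampleApp_SVR1'

# Confirm the binding from both directions (HostComputers on the MSA, ServiceAccount
# on the computer) before touching the host.
Get-ADServiceAccount -Identity 'SampleApp_SVR1' -Properties HostComputers |
    Select-Object Name, ObjectClass, HostComputers
Get-ADComputer -Identity 'LON-SVR1' -Properties ServiceAccount |
    Select-Object Name, ServiceAccount

# --- Run on the host (LON-SVR1) ---
Import-Module ActiveDirectory

Install-ADServiceAccount -Identity 'SampleApp_SVR1'

# Test-ADServiceAccount returns $true only if this computer can retrieve the password.
if (-not (Test-ADServiceAccount -Identity 'SampleApp_SVR1')) {
    throw 'SampleApp_SVR1 is not usable on this host; re-check the Add-ADComputerServiceAccount step.'
}

# Point the service at the MSA. The account name ends in "$" and the password is left
# empty because Windows retrieves it from AD DS. Set-Service has no credential
# parameter, so sc.exe is used; sc.exe requires the space after "obj=" and "password=".
sc.exe config AppIDSvc obj= 'ADATUM\SampleApp_SVR1$' password= ''
Restart-Service -Name AppIDSvc
```

Unlike the Services console, sc.exe does not grant the "Log on as a service" user right when it changes the logon account, so if the service fails to start after this script, grant that right to the MSA (through Local Security Policy or Group Policy) and start the service again.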

In this demonstration, you will see how to:

• Create the KDS root key for the domain.

• Create and associate a managed service account.

Demonstration Steps

Create the Key Distribution Services (KDS) root key for the domain

1. On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell console.

2. Use the Add-KDSRootKey cmdlet to create the domain KDS root key.

Create and associate a managed service account

1. Use the New-ADServiceAccount cmdlet to create a managed service account.

2. Use the Add-ADComputerServiceAccount cmdlet to associate the managed service account with LON-SVR1.

3. Use the Get-ADServiceAccount cmdlet to view the newly created managed service account and confirm proper configuration.

Install a managed service account

1. On LON-SVR1, open the Active Directory Module for Windows PowerShell console.

2. Use the Install-ADServiceAccount cmdlet to install the managed service account on LON-SVR1.

3. Open Server Manager, and start the Services console.

4. Open the Properties pages for the Application Identity service, and then select the Log On tab.

5. Configure the Application Identity service to use Adatum\SampleApp_SVR1$.

Kerberos Delegation and Service Principal Names

A service might need to connect to another server's services on behalf of the client. For example, a client uses a front-end server that makes a connection to a back-end server; however, this connection needs authentication. Kerberos uses delegation of authentication to make this happen. The requesting service, the client in this example, requests that the KDC authorize a second service to act on its behalf. The second service can then delegate authentication to a third service. However, in Windows Server 2003 and newer, Microsoft has added the constrained delegation model to limit the set of services that can be delegated to in this way, especially third-tier services and beyond. This provides a safer form of delegation for services to use. By using constrained delegation, you can restrict a service account's delegation to specific sets of service accounts. You can configure a particular service account to be trusted for delegation to a specific instance of a service running on a specific computer, or to a set of specific instances of services running on specified computers.

An SPN is a unique identifier for each instance of a service running on a computer. When using Kerberos authentication, a defined SPN for a service allows clients to identify that instance of the service on the network. The SPN is registered in AD DS and is associated with the account of the service specified by the SPN. When a service needs to authenticate to another service, it uses that service's SPN to distinguish it from other services on that computer. A service can use constrained delegation if it can obtain a Kerberos service ticket for itself on behalf of the user being delegated, in this case, another service. When using constrained delegation, the user can obtain the service ticket directly by authenticating through Kerberos, or the service can obtain the service ticket on behalf of the user.

One problem with this model was that when a domain administrator configured a service for constrained delegation, the administrator of the back-end service did not know which front-end services were being delegated to the resource services they owned. In Windows Server 2012, the remedy is to move the ability to configure a service's constrained delegation from the domain administrator to the service administrator. This allows the back-end service administrator to allow or deny access by front-end services. Windows Server 2012 implements new extensions for constrained delegation. For example, the Service for User to Proxy (S4U2proxy) extension allows a service to use its Kerberos service ticket for a user to obtain a service ticket from the KDC to a back-end service. A service administrator can configure constrained delegation on the back-end service's account, even in another domain. You can configure front-end services, such as Microsoft Office Outlook® Web Access and Microsoft SharePoint® Server, for constrained delegation to back-end servers in other domains. This enhances your ability to support service solutions across domains by using your existing Kerberos authentication mechanisms.
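The following Windows PowerShell script is an added example and is not part of the course material. It first inventories which accounts in the domain are trusted for delegation, distinguishing unconstrained delegation (the broadest and riskiest setting) from classic constrained delegation and from the Windows Server 2012 resource-based form described above, and then configures resource-based constrained delegation from the back-end owner's side by writing the allowed front end onto the back-end computer account. LON-WEB1 (front end) and LON-SQL1 (back end) are placeholder computer names.

```powershell
# Added example (not from the course): audit delegation settings, then configure
# Windows Server 2012 resource-based constrained delegation on the back-end account.
# Placeholders: LON-WEB1 (front-end web server), LON-SQL1 (back-end SQL server).
Import-Module ActiveDirectory

# 1. Inventory delegation settings for users and computers.
#    TrustedForDelegation                 = unconstrained (any service, any user)
#    msDS-AllowedToDelegateTo             = classic constrained delegation, set on the front end
#    PrincipalsAllowedToDelegateToAccount = resource-based, set on the back end (2012 and later)
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo',
         'PrincipalsAllowedToDelegateToAccount'
$accounts = @(Get-ADUser -Filter * -Properties $props) + @(Get-ADComputer -Filter * -Properties $props)
$accounts |
    Where-Object { $_.TrustedForDelegation -or $_.'msDS-AllowedToDelegateTo' -or $_.PrincipalsAllowedToDelegateToAccount } |
    Select-Object Name, ObjectClass,
        @{n='Unconstrained';          e={ [bool]$_.TrustedForDelegation }},
        @{n='ProtocolTransition';     e={ [bool]$_.TrustedToAuthForDelegation }},
        @{n='AllowedToDelegateTo';    e={ $_.'msDS-AllowedToDelegateTo' -join '; ' }},
        @{n='AllowedToActOnBehalfOf'; e={ @($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object { ("$_" -split ',')[0] }) -join '; ' }} |
    Format-Table -AutoSize

# 2. Let the front-end web server delegate to the back-end SQL server. The attribute
#    lives on the back-end object, so the SQL administrator controls it, which is the
#    Windows Server 2012 change the text describes.
$frontEnd = Get-ADComputer -Identity 'LON-WEB1'
Set-ADComputer -Identity 'LON-SQL1' -PrincipalsAllowedToDelegateToAccount $frontEnd

# 3. Verify the setting on the back end.
Get-ADComputer -Identity 'LON-SQL1' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# 4. The SPNs a front end asks the KDC for when it requests a ticket to LON-SQL1.
Get-ADComputer -Identity 'LON-SQL1' -Properties ServicePrincipalName |
    Select-Object -ExpandProperty ServicePrincipalName
```

Any row in step 1 with Unconstrained set to True deserves review: a service running under such an account receives copies of its users' TGTs, so the account can act as those users toward any service, which is the exposure constrained delegation was introduced to remove. Note that Set-ADComputer replaces the whole list; to add a second front end, pass both computer objects.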

Windows Server 2012 R2 introduces the Protected Users security group. This group provides non-configurable protection on devices and computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This substantially reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.

• Members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or Credential Security Support Provider (CredSSP). On Windows 8.1 devices, passwords are not cached, so a device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is part of the Protected Users group.

• The Kerberos protocol will not use the weaker Data Encryption Standard (DES) or RC4 encryption types in the pre-authentication process. Therefore, the domain must be configured to support at least the Advanced Encryption Standard cipher suite.

• The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This can cause former connections to other systems to fail if the user is in the Protected Users group.

• The default Kerberos TGT lifetime of four hours is configurable by using Authentication Policies and Silos, which you can access through the Active Directory Administrative Center. This means that after four hours, the user must authenticate again.
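The four restrictions above are the reason membership in Protected Users is usually scripted with a pre-check rather than applied blindly: a service account or a delegated account placed in the group stops working. The following Windows PowerShell script is an added example and is not part of the course material. It screens candidate accounts for SPNs and delegation settings, adds the ones that pass to Protected Users, and then creates an Authentication Policy with the four-hour TGT lifetime mentioned above and assigns it to the members. It requires the Windows Server 2012 R2 Active Directory module; the candidate user names and the policy name are placeholders.

```powershell
# Added example (not from the course): add privileged users to Protected Users with a
# pre-check against the documented breakages, then apply a four-hour TGT policy.
# Requires the Windows Server 2012 R2 AD module. Names below are placeholders.
Import-Module ActiveDirectory

$candidates = 'Alice.Admin', 'Bob.Admin' | ForEach-Object {   # placeholder sAMAccountNames
    Get-ADUser -Identity $_ -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, PasswordLastSet
}

foreach ($u in $candidates) {
    $blockers = @()
    # Members get no NTLM and cannot be delegated, so service accounts (which carry SPNs)
    # and accounts configured for delegation must stay out of the group.
    if ($u.ServicePrincipalName) { $blockers += 'has SPNs (service account)' }
    if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo') { $blockers += 'configured for delegation' }
    # Pre-authentication will only use AES; AES keys exist only for passwords set after
    # the domain started supporting AES, so a very old password is a warning sign.
    if ($u.PasswordLastSet -lt (Get-Date).AddYears(-5)) { $blockers += "password last set $($u.PasswordLastSet)" }

    if ($blockers) {
        Write-Warning "$($u.SamAccountName) skipped: $($blockers -join ', ')"
        continue
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $u
}

# Authentication policy: 240 minutes matches the group's default TGT lifetime.
# -Enforce applies the policy; without it the policy only audits.
$policy = New-ADAuthenticationPolicy -Name 'PrivilegedUsers-4hTGT' `
    -UserTGTLifetimeMins 240 -Enforce -PassThru
Get-ADGroupMember -Identity 'Protected Users' | ForEach-Object {
    Set-ADUser -Identity $_ -AuthenticationPolicy $policy
}

# Verify membership and the policy assignment.
Get-ADGroupMember -Identity 'Protected Users' |
    Get-ADUser -Properties AuthenticationPolicy |
    Select-Object SamAccountName, AuthenticationPolicy
```

After running this, sign in once as one of the added users from a Windows 8.1 client and confirm that an NTLM-only resource (a share reached by IP address, for example) is refused while Kerberos access still works; that is the expected behaviour, not a fault.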

Lab: Managing User and Service Accounts

Scenario

A. Datum is a global engineering and manufacturing company with their head office based in London, United Kingdom. An IT office and data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum has completed a security review for passwords and account lockout policies. You need to implement the recommendations contained in the report to control password complexity and length. You also need to configure appropriate account lockout settings. Part of your password policy configuration will include a specific password policy you need to assign to the Executive security group. This group requires a different password policy than the policy applied at the domain level.

You need to configure a new group managed service account to support a new Web-based application. Using a group managed service account will help maintain the password security requirements for the account.

Objectives

After completing this lab, you will be able to:

• Configure password policy and account lockout settings.

• Create and associate a managed service account.

Lab Setup

Estimated Time: 45 minutes

Virtual machines: 20411C-LON-DC1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

Exercise 1: Configuring Password Policy and Account Lockout Settings

Scenario

A. Datum has recently completed a security review for passwords and account lockout policies. You need to implement the recommendations contained in the report to control password complexity and length. You also need to configure appropriate account lockout settings. Part of your password policy configuration will include a specific password policy to be assigned to the Managers security group. This group requires a different password policy than what has been applied at the domain level.

The report has recommended that you apply the following password settings to all accounts in the domain:

• Password history: 20 passwords.

• Maximum password age: 45 days.

• Minimum password age: 1 day.

• Password length: 10 characters.

• Complexity enabled: Yes.

• Account Lockout duration: 30 minutes.

• Account lockout threshold: 5 attempts.

• Reset account lockout counter after: 15 minutes.

The report has also recommended that you apply a separate policy to users in the Managers group, due to the elevated privileges assigned to those user accounts. The policy applied to the Managers groups should contain the following settings:

• Password history: 20 passwords.

• Maximum password age: 20 days.

• Minimum password age: 1 day.

• Password length: 15 characters.

• Complexity enabled: Yes.

• Account Lockout duration: 0 minutes (An administrator will have to unlock the account).

• Account lockout threshold: 3 attempts.

• Reset account lockout counter after: 30 minutes.

The main tasks for this exercise are as follows:

1. Configure a Domain-Based Password Policy

2. Configure an Account Lockout Policy

3. Configure and Apply a Fine-Grained Password Policy

Task 1: Configure a Domain-Based Password Policy

1. On LON-DC1, open the Group Policy Management console.

2. Edit the Default Domain Policy, and configure the following Account Password Policy settings:

o Password history: 20 passwords

o Maximum password age: 45 days

o Minimum password age: 1 day

o Password length: 10 characters

o Complexity enabled: Yes

Task 2: Configure an Account Lockout Policy

1. In the Group Policy Management Editor, configure the following Account Lockout Policy settings for the Default Domain Policy:

o Account Lockout duration: 30 minutes

o Account lockout threshold: 5 attempts

o Reset account lockout counter after: 15 minutes

2. Close Group Policy Management Editor.

3. Close Group Policy Management.

Task 3: Configure and Apply a Fine-Grained Password Policy

1. On LON-DC1, open the Active Directory Administrative Center console.

2. Change the group scope for the Managers group to Global.

Note: Make sure that you open the Properties page for the Managers group, and not the Managers OU.

3. In the Active Directory Administrative Center, configure a fine-grained password policy for the Adatum\Managers group with the following settings:

o Name: ManagersPSO

o Precedence: 10

o Password length: 15 characters

o Password history: 20 passwords

o Complexity enabled: Yes

o Minimum password age: 1 day

o Maximum password age: 30 days

o Number of failed logon attempts allowed: 3 attempts

o Reset failed logon attempts count after: 30 minutes

o Until an administrator manually unlocks the account: selected

4. Close the Active Directory Administrative Center.

Results: After completing this exercise, you will have configured password policy and account lockout settings.
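The three tasks of this exercise can also be carried out with the Active Directory module instead of the consoles, which is convenient when the same policy must be applied in several domains or re-checked later. The following script is an added example and is not part of the lab: it writes the report's domain-wide settings with Set-ADDefaultDomainPasswordPolicy (which updates the Default Domain Policy values), converts the Managers group to global scope, creates the ManagersPSO fine-grained policy with the settings from Task 3, applies it, and shows which policy actually takes effect for a manager. The Adatum.com domain name and the Managers group are taken from the lab.

```powershell
# Added example (not from the lab): Exercise 1 with the Active Directory module.
# Assumes the Adatum.com domain and the Managers group from the lab environment.
Import-Module ActiveDirectory

# Task 1 and Task 2: domain-wide password and lockout settings from the security report.
Set-ADDefaultDomainPasswordPolicy -Identity 'Adatum.com' `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Task 3: fine-grained policy. A PSO can only be applied to users and global groups,
# which is why the lab changes the group scope first.
$managers = Get-ADGroup -Identity 'Managers'
if ($managers.GroupScope -ne 'Global') {
    Set-ADGroup -Identity $managers -GroupScope Global
}

# A lockout duration of zero means the account stays locked until an administrator
# unlocks it (the "Until an administrator manually unlocks the account" option).
New-ADFineGrainedPasswordPolicy -Name 'ManagersPSO' -Precedence 10 `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -LockoutDuration ([TimeSpan]::Zero) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'ManagersPSO' -Subjects $managers

# Verify which policy wins for a manager: the applicable PSO with the lowest precedence
# number, or the domain policy if no PSO applies.
$user = Get-ADGroupMember -Identity $managers | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $user.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration
```

If the last command returns nothing for a user, no PSO applies to that user and the domain policy is in effect; the usual causes are a group that is not global, or a user who is not a direct or nested member of Managers.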

Exercise 2: Creating and Associating a Managed Service Account

Scenario

You need to configure a managed service account to support a new Web-based application that is being deployed to the DefaultAppPool Web service on LON-DC1. Using a managed service account will help maintain the password security requirements for the account.

The main tasks for this exercise are as follows:

1. Create and Associate a Managed Service Account

2. Install a Group Managed Service Account on LON-DC1

3. To Prepare for the Next Module

Task 1: Create and Associate a Managed Service Account

1. On LON-DC1, open the Active Directory Module for Windows PowerShell console.

2. Create the KDS root key by using the Add-KdsRootKey cmdlet. Make the effective time minus 10 hours, so the key will be effective immediately.

3. Create the new service account named Webservice for the host LON-DC1.

4. Associate the Webservice managed account with LON-DC1.

5. Verify the group managed service account was created by using the Get-ADServiceAccount cmdlet.

Task 2: Install a Group Managed Service Account on LON-DC1

1. On LON-DC1, install the Webservice service account.

2. From the Tools menu in Server Manager, open Internet Information Services (IIS) Manager.

3. Configure the DefaultAppPool to use the Webservice$ account as the identity.

4. Stop and start the application pool.

Task 3: To Prepare for the Next Module

When you are finished with the lab, revert the virtual machines to their initial state.

Results: After completing this exercise, you will have created and associated a managed service account.
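Task 2 of this exercise, installing the Webservice group managed service account on the host and making it the identity of the DefaultAppPool, can be done from Windows PowerShell instead of IIS Manager. The following script is an added example and is not part of the lab; it assumes the Webservice account has already been created and associated with LON-DC1 as in Task 1, that the WebAdministration module (installed with the IIS Web Server role) is available, and that the domain NetBIOS name is ADATUM.

```powershell
# Added example (not from the lab): install the Webservice gMSA on this host and assign
# it as the DefaultAppPool identity. Assumes Task 1 has been completed, the IIS
# WebAdministration module is present, and the domain NetBIOS name is ADATUM.
Import-Module ActiveDirectory
Import-Module WebAdministration

$gmsa = 'Webservice'

Install-ADServiceAccount -Identity $gmsa
# $false here means this host is not among the principals allowed to retrieve the
# password, or the computer's Kerberos ticket predates its group membership.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "$gmsa cannot be used on this host; check the Task 1 association and restart if needed."
}

# identityType 3 = SpecificUser. The user name ends in "$" and the password stays
# empty because the host retrieves it from AD DS; nothing secret is written to
# applicationHost.config.
$pool = 'IIS:\AppPools\DefaultAppPool'
Set-ItemProperty -Path $pool -Name processModel -Value @{
    identityType = 3
    userName     = "ADATUM\$gmsa`$"
    password     = ''
}

# Equivalent of "stop and start the application pool" in Task 2.
Restart-WebAppPool -Name 'DefaultAppPool'

# Verify the pool identity and confirm that no password was persisted.
Get-ItemProperty -Path $pool -Name processModel |
    Select-Object identityType, userName, @{n='PasswordStored'; e={ [bool]$_.password }}
```

After a request to the site, Task Manager (or Get-Process -IncludeUserName on Windows Server 2012) should show the w3wp.exe worker process running as ADATUM\Webservice$, and PasswordStored should be False.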

Module Review and Takeaways

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip

User accounts contained in a .csv file fail to import when using the Comma-Separated Values Data Exchange tool. |

User password settings are not applying as expected. |

The New-ADServiceAccount cmdlet fails with key-related messages. |

Review Question(s)

Question: In what scenario could users have multiple PSOs applied to their accounts without actually having PSOs linked to their user accounts?

Question: What benefit do managed service accounts provide compared to standard user accounts used for services?

Tools

Tool | What it is used for | Where to find it

Comma-Separated Values Data Exchange tool | Importing and exporting users by using .csv files | Command prompt: csvde.exe

LDIFDE utility | Importing, exporting, and modifying users by using .ldf files | Command prompt: ldifde.exe

Local Security Policy | Configuring local account policy settings | Secpol.msc

Group Policy Management Console | Configuring domain Group Policy account policy settings | Server Manager – Tools

Active Directory Administrative Center | Creating and managing PSOs | Server Manager – Tools

Active Directory module for Windows PowerShell | Creating and managing managed service accounts | Server Manager – Tools

Module 4 Implementing a Group Policy Infrastructure

Contents: Module Overview 4-1

Lesson 1: Introducing Group Policy 4-2

Lesson 2: Implementing and Administering GPOs 4-11

Lesson 3: Group Policy Scope and Group Policy Processing 4-17

Lesson 4: Troubleshooting the Application of GPOs 4-33

Lab: Implementing a Group Policy Infrastructure 4-40

Module Review and Takeaways 4-47

Module Overview

Group Policy provides an infrastructure within which you can define settings centrally and deploy them to users and computers in your enterprise. In an environment managed by a well-implemented Group Policy infrastructure, very little configuration takes place by an administrator directly touching a user’s computer. You can define, enforce, and update the entire configuration by using the settings in Group Policy Objects (GPOs) or GPO filtering. By using GPO settings, you can affect an entire site or domain within an enterprise, or narrow your focus to a single organizational unit (OU). This module will detail what Group Policy is, how it works, and how best to implement it in your organization.

Objectives

After completing this module, you will be able to:

• Describe the components and technologies that comprise the Group Policy framework.

• Configure and understand a variety of policy setting types.

• Scope GPOs by using links, security groups, Microsoft® Windows® Management Instrumentation (WMI) filters, loopback processing, and preference targeting.

• Describe how GPOs are processed.

• Locate the event logs that contain Group Policy-related events and troubleshoot the Group Policy application.

Lesson 1 Introducing Group Policy

Several components interact in a Group Policy infrastructure. You need to understand what each component does, how all of the components work together, and how you can assemble them into different configurations. This lesson provides a comprehensive overview of Group Policy components, procedures, and functions.

Lesson Objectives

After completing this lesson, you will be able to:

• Identify the business requirements for configuration management.

• Describe the core components and terminology of Group Policy.

• Explain the benefits of implementing GPOs.

• Describe GPOs.

• Explain the function and behavior of the client-side GPO components.

• Explain GPO refresh.

• Create and configure GPOs.

What Is Configuration Management?

Consider an environment with only one computer, such as your home, in which you need to modify the desktop background. You can modify a setting such as the desktop background in several different ways. Most people would probably open the Appearance and Personalization screen from Control Panel and make the change in the Windows interface. While that works well for one computer, it becomes tedious if you want to make the change across multiple computers. Maintaining a consistent environment is more difficult with multiple individually managed computers.

Configuration management is a centralized approach to applying one or more changes to one or more user accounts or computers. The key elements of configuration management are:

• Setting. A setting is also known as a centralized definition of a change. The setting brings a user account or a computer to a desired state of configuration.

• Scope. The scope of the change is the collection of computers or user accounts where changes occur.

• Application. The application is a mechanism or process that ensures that the setting is applied to users and computers within the scope.

Group Policy is a framework within Windows that enables you to manage configuration in an Active Directory® Domain Services (AD DS) domain. Group Policy components reside in AD DS, on domain controllers, and on each Windows server and client.

Overview of Group Policies

The most granular component of Group Policy is an individual policy setting. An individual policy setting defines a specific configuration, such as a policy setting that prevents a user from accessing registry-editing tools. If you define that policy setting, and then apply it to a user, that user will be unable to run tools such as Regedit.exe.

Note that some settings affect a user, known as user-configuration settings or user policies, and some affect the computer, known as computer-configuration settings or computer policies. However, settings do not affect groups, security principals other than user objects, or other directory objects.

Group Policy manages various policy settings, and the Group Policy framework is extensible. You can manage just about any configurable setting with Group Policy.

Within the Group Policy Management Editor, you can define a policy setting by double-clicking it. The policy setting Properties dialog box appears. A policy setting can have three states: Not Configured, Enabled, and Disabled.

In a new GPO, every policy setting defaults to Not Configured. When you enable or disable a policy setting, a change is made to the configuration of users and computers to which the GPO is applied. When you return a setting to its Not Configured value, you return it to its default value.

The effect of the change depends on the policy setting. For example, if you enable the Prevent Access To Registry Editing Tools policy setting, users are unable to launch the Regedit.exe Registry Editor. If you disable the policy setting, you ensure that users can launch the Registry Editor. Notice the double negative in this policy setting: You disable a policy that prevents an action, so you allow the action.
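The three states of a policy setting, and the double negative the text points out, can be seen without the Group Policy Management Editor. The following is an added example, not code from the course: it sets the Prevent Access To Registry Editing Tools setting in a GPO through the GroupPolicy module, then reads it back. It assumes a GPO named Desktop exists, and that this setting writes the DisableRegistryTools value under the HKCU Policies\System key, which is the registry value this Administrative Template setting is documented to use.

```powershell
# Added example (not from the course): Enabled, Disabled and Not Configured for the
# "Prevent access to registry editing tools" setting, done with the GroupPolicy module.
# Assumption: the setting maps to the DisableRegistryTools DWORD under the key below.
Import-Module GroupPolicy

$GpoName = 'Desktop'   # assumed GPO name
$Key     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Value   = 'DisableRegistryTools'

function Set-RegistryToolsPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$State,
        [string]$Gpo = $GpoName
    )
    switch ($State) {
        # Enabled: the policy prevents Regedit.exe from running (value 1).
        'Enabled' {
            Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Value -Type DWord -Value 1 | Out-Null
        }
        # Disabled: the double negative. Disabling "prevent access" writes value 0,
        # which explicitly allows the tools and overrides an Enabled setting from a
        # GPO that is lower in precedence.
        'Disabled' {
            Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Value -Type DWord -Value 0 | Out-Null
        }
        # Not Configured: the GPO says nothing about the setting, so the value is
        # removed from the GPO and other GPOs (or the local default) decide.
        'NotConfigured' {
            Remove-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Value | Out-Null
        }
    }
}

function Get-RegistryToolsPolicy {
    # Reads the setting back from the GPO and reports which of the three states it is in.
    param([string]$Gpo = $GpoName)
    $entry = Get-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Value -ErrorAction SilentlyContinue
    if (-not $entry)            { return 'NotConfigured' }
    elseif ($entry.Value -eq 1) { return 'Enabled' }
    else                        { return 'Disabled' }
}

Set-RegistryToolsPolicy -State Enabled
Get-RegistryToolsPolicy
Set-RegistryToolsPolicy -State Disabled
Get-RegistryToolsPolicy
Set-RegistryToolsPolicy -State NotConfigured
Get-RegistryToolsPolicy
```

Disabled and Not Configured are not interchangeable: Disabled writes a value that wins over a lower-precedence GPO that enables the setting, whereas Not Configured leaves that other GPO's Enabled in force. Reading the setting back after each change is the quickest way to confirm which of the two you actually have.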

Some policy settings bundle several configurations into one policy, and these might require additional parameters.

Note: Many policy settings are complex, and the effect of enabling or disabling them might not be obvious. Furthermore, some policy settings affect only certain versions of the Windows operating system. Be sure to review a policy setting’s explanatory text in the Group Policy Management Editor detail pane or on the Explain tab in the policy setting’s Properties dialog box. Additionally, always test the effects of a policy setting and its interactions with other policy settings before deploying a change in your production environment.

Benefits of Using Group Policy

Group Policies are very powerful administrative tools. You can use them to push various settings to a large number of users and computers. Because you can apply them to levels ranging from local to domain, you also can focus these settings very precisely.

Primarily, you can use Group Policies to configure settings that you do not want users to deviate from. Additionally, you can use Group Policies to provide additional security and some advanced system settings, to standardize desktop environments on all computers in an OU or in an entire enterprise, and for other purposes that the following sections detail.

Apply Security Settings

GPOs include a large number of security-related settings that you can apply to both users and computers. For example, you can enforce settings for Windows Firewall and configure auditing and other security settings. You also can configure full sets of user-rights assignments.

Manage Desktop and Application Settings

You can use a Group Policy to provide a consistent desktop and application environment to all users in your organization. By using GPOs, you can configure settings for some applications that support GPOs and also configure each setting that affects the look and feel of the user environment.

Deploy Software

GPOs enable you to deploy software to users and computers. When you use the Software Installation feature of Group Policy, you can deploy software that is in the .msi format. Additionally, you can enforce automatic software installation or you can let your users decide whether they want the software to deploy to their machines.

Note: Deploying large packages with GPOs may not be the most efficient way of distributing an application to your organization’s computers. In many circumstances, it may be more effective to distribute the applications as part of the desktop computer image. Be careful when deploying large packages over a WAN link because the software distribution may consume a large portion of the available bandwidth and degrade the overall user experience. For large environments with multiple sites, System Center Configuration Manager offers more control over software deployments, including the ability to distribute software to client computers from a local distribution point.

Manage Folder Redirection

With folder redirection, you can manage and back up data quickly and easily. By redirecting folders, you can also ensure that users have access to their data regardless of the computer on which they sign in. Additionally, you can centralize all user data to one place on a network server, while still providing a user experience that is similar to storing these folders on their own computers. For example, you can configure folder redirection to redirect the users’ Documents folders to a shared folder on a network server.

Configure Network Settings

Group Policy enables you to configure various network settings on client computers. For example, you can enforce settings for wireless networks that allow users to connect only to specific service set identifiers (SSIDs), with predefined authentication and encryption settings. You also can deploy policies that apply to wired network settings, and configure the client side of services such as Network Access Protection (NAP).

Configure Security

Group Policy also enables you to configure security settings. Security settings are available throughout Group Policy. In addition, security templates can be used to automate the settings in Group Policy. Security templates are files that represent a specific security configuration, and they can be imported into a GPO. IT administrators may have used some of the default templates available in Windows Server 2003, such as the Secure or Highly Secure templates. Today, Security Compliance Manager is the tool of choice for automating security settings for Group Policy application. Security Compliance Manager is covered in detail in course 20410C: Installing and Configuring Windows Server 2012.

Group Policy Objects

Note: GPOs can be managed in AD DS by using the Group Policy Management Console (GPMC).

To create a new GPO in a domain, right-click the Group Policy Objects container, and then click New.

To modify the configuration settings in a GPO, right-click the GPO, and then click Edit. This opens the Group Policy Management Editor snap-in.

The Group Policy Management Editor displays the thousands of policy settings available in a GPO in an organized hierarchy that begins with the division between computer settings and user settings: the Computer Configuration node and the User Configuration node.

GPOs are displayed in a container named Group Policy Objects. The next two levels of the hierarchy are nodes, named Policies and Preferences. You will learn about the difference between these two nodes later in this module. Progressing further down the hierarchy, you can see that the Group Policy Management Editor displays folders, which also are called nodes or policy setting groups. The policy settings are within the folders. The screen capture below shows the Group Policy hierarchy.

GPO Scope

Configuration is defined by policy settings in GPOs. However, you must specify the computers or users to which the GPO applies before the configuration changes in a GPO will affect computers or users in your organization. This is called scoping a GPO. The scope of a GPO is the collection of users and computers that will apply the settings in the GPO.

You can use several methods to manage the scope of domain-based GPOs. The first is the GPO link. You can link GPOs to sites, domains, and OUs in AD DS. The site, domain, or OU then becomes the maximum scope of the GPO. All computers and users within the site, domain, or OU, including those in child OUs, will be affected by the configurations that the policy settings in the GPO specify.

Note: You can link a GPO to more than one domain, OU, or site. Linking GPOs to multiple sites can introduce performance issues when the policy is being applied, and you should avoid linking a GPO to multiple sites. This is because the GPOs are stored in the domain controllers of the forest root domain in a multisite network. The consequence of this is that computers in other domains may need to traverse a slow wide area network (WAN) link to obtain the GPOs.

You can further narrow the scope of the GPO with one of two types of filter. Security filters specify security groups or individual user objects that fall within the GPO’s scope, but to which the GPO explicitly should or should not apply. WMI filters specify a scope by using characteristics of a system, such as an operating-system version or free disk space. Use security filters and WMI filters to narrow or specify the scope within the initial scope that the GPO link created.

Note: Windows Server 2008 introduced a new component of Group Policy: Group Policy Preferences. Settings that are configured by Group Policy Preferences within a GPO can be filtered or targeted based on several criteria. Targeted preferences allow you to further refine the scope of preferences within a single GPO.
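The three scoping layers described above (the link, the security filter inside the link, and a WMI filter on system characteristics) can be set and checked from Windows PowerShell. The following is an added example, not the course's own code. It assumes a GPO named Desktop, an OU OU=Sales,DC=adatum,DC=com in the course's adatum.com lab domain, and a security group named Sales Users; all three are placeholders for your own environment.

```powershell
# Added example (not from the course): link, security filter and WMI filter query
# for one GPO. Assumed names: GPO "Desktop", OU "Sales", group "Sales Users".
Import-Module GroupPolicy

$GpoName  = 'Desktop'
$TargetOu = 'OU=Sales,DC=adatum,DC=com'
$Group    = 'Sales Users'

# 1. Link: the OU, including its child OUs, becomes the maximum scope of the GPO.
function Set-GpoLink {
    param([string]$Gpo, [string]$Target)
    $existing = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Gpo }
    if (-not $existing) { New-GPLink -Name $Gpo -Target $Target -LinkEnabled Yes | Out-Null }
}

# 2. Security filter: within the link, apply the GPO only to members of one group.
#    A new GPO grants Authenticated Users "Apply Group Policy". Reduce that to Read
#    (computers must still be able to read the GPO) and grant Apply to the group.
function Set-GpoSecurityFilter {
    param([string]$Gpo, [string]$GroupName)
    Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Gpo -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # The trustees that hold GpoApply are the effective security filter.
    Get-GPPermission -Name $Gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# 3. WMI filter: the GroupPolicy module has no cmdlet to create WMI filters (use the
#    GPMC for that), but the WQL query can be tried on a computer first. The filter
#    evaluates to TRUE when the query returns at least one instance.
function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query)
    $instances = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

Set-GpoLink -Gpo $GpoName -Target $TargetOu
Set-GpoSecurityFilter -Gpo $GpoName -GroupName $Group

# Scope by operating-system version: Windows 8 / Windows Server 2012 (kernel 6.2.x) only.
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%"'
# Scope by free disk space: at least 1 GB free on the system drive.
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 1073741824'
```

Keeping Read for Authenticated Users rather than removing the entry entirely matters: since security update MS16-072, a computer retrieves user policies in its own security context, so a GPO that only the filtered group can read is silently skipped for user settings. Test the WQL query on a machine that should match and on one that should not before attaching it as a filter, because a query that returns nothing everywhere takes the whole GPO out of scope.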

Group Policy Client and Client-Side Extensions

Group Policy Application

It is important to understand the GPO application process on client computers. The sequence below details the process:

1. When Group Policy refresh begins, a service known as the Group Policy Client determines which GPOs apply to the computer or user. The Group Policy Client was introduced in Windows Vista®.

2. The Group Policy Client downloads any GPOs that are not cached already.

3. Group Policy client-side extensions (CSEs) interpret the settings in a GPO and make appropriate changes to the local computer or to the currently logged-on user. There are CSEs for each major category of policy setting. For example, there is a security CSE that applies security changes, a CSE that executes startup and logon scripts, a CSE that installs software, and a CSE that makes changes to registry keys and values. Each Windows version includes added CSEs to extend the functional reach of Group Policy, and there are several dozen CSEs in Windows.

One of the more important concepts to remember about Group Policy is that it is very client-driven. The Group Policy client pulls the GPOs from the domain, triggering the CSEs to apply settings locally. Group Policy is not a push technology.

In fact, you can configure the behavior of CSEs by using Group Policy. Most CSEs will apply settings in a GPO only if that GPO has changed. This behavior improves overall policy processing by eliminating redundant applications of the same settings. Most policies are applied in such a way that standard users cannot change the setting on their computer, and they will therefore always be subject to the configuration enforced by Group Policy. However, standard users can change some settings, and many settings can be changed if a user is an administrator on that system. If users in your environment are administrators on their computers, you should consider configuring CSEs to reapply policy settings even if the GPO has not changed. That way, if an administrative user changes a configuration so that it is no longer compliant with policy, the configuration will be reset to its compliant state at the next Group Policy refresh.

Note: You can configure CSEs to reapply policy settings at the next background refresh, even if the GPO has not changed. You can do this by configuring a GPO scoped to computers, and then defining the settings in the Computer Configuration\Policies\Administrative Templates\System\ Group Policy node. For each CSE that you want to configure, open its policy-processing policy setting, such as Registry Policy Processing for the Registry CSE. Click Enabled, and select the Process even if the Group Policy objects have not changed check box.

The security CSE manages an important exception to the default policy-processing settings. Security settings are reapplied every 16 hours, even if a GPO has not changed.

Note: Enable the Always Wait For Network At Startup And Logon policy setting for all Windows clients. Without this setting, by default, Windows clients perform only background refreshes. This means that a client may start up, and then a user might sign in without receiving the latest policies from the domain. Note that when the setting is enabled, the overall startup and sign in time will increase. The setting is located in Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to read the policy setting’s explanatory text.

Group Policy Refresh

Policy settings in the Computer Configuration node are applied at system startup, and then every 90 to 120 minutes thereafter. User Configuration policy settings are applied at logon, and then every 90 to 120 minutes thereafter. The application of policies is called Group Policy refresh.

Note: You can manually force a policy refresh by using the GPUpdate command.
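The two notes above (reprocessing a CSE even when the GPO has not changed, and Always Wait For Network At Startup And Logon) and the refresh described here can all be done from Windows PowerShell. The following is an added example, not the course's own code. It assumes a computer-scoped GPO named Client Baseline and a client named LON-CL1, and it assumes that the two settings write the registry values shown (NoGPOListChanges under the Registry CSE's GUID key, and SyncForegroundPolicy under Winlogon), which is my understanding of what these Administrative Template settings write; confirm against each setting's Explain text before relying on it.

```powershell
# Added example (not from the course): configure the Registry CSE to reapply policy
# on every refresh, enable "Always wait for the network at computer startup and logon",
# and trigger a refresh on a client. Assumed names: GPO "Client Baseline", client LON-CL1.
Import-Module GroupPolicy

$GpoName = 'Client Baseline'
# GUID of the Registry CSE, the extension the "Registry policy processing" setting controls.
$RegistryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Enable-CseReprocessing {
    # Assumption: NoGPOListChanges = 0 under this key is what the editor writes for
    # "Process even if the Group Policy objects have not changed".
    param([string]$Gpo, [string]$CseGuid)
    $key = "HKLM\Software\Policies\Microsoft\Windows\Group Policy\$CseGuid"
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName 'NoGPOListChanges' -Type DWord -Value 0 | Out-Null
}

function Enable-AlwaysWaitForNetwork {
    # Assumption: SyncForegroundPolicy = 1 is the value behind "Always wait for the
    # network at computer startup and logon"; it makes startup and logon processing
    # synchronous, at the cost of slower startup and sign-in.
    param([string]$Gpo)
    $key = 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null
}

function Get-CseReprocessingState {
    # Reports whether the GPO currently forces reprocessing for the given CSE.
    param([string]$Gpo, [string]$CseGuid)
    $key = "HKLM\Software\Policies\Microsoft\Windows\Group Policy\$CseGuid"
    $v = Get-GPRegistryValue -Name $Gpo -Key $key -ValueName 'NoGPOListChanges' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Value -eq 0)
}

Enable-CseReprocessing -Gpo $GpoName -CseGuid $RegistryCse
Enable-AlwaysWaitForNetwork -Gpo $GpoName
Get-CseReprocessingState -Gpo $GpoName -CseGuid $RegistryCse

# Refresh now instead of waiting for the 90-120 minute background interval.
# Invoke-GPUpdate (Windows Server 2012 GroupPolicy module) runs gpupdate on the remote
# computer; -Force reapplies all settings and -RandomDelayInMinutes 0 removes the
# random delay the cmdlet otherwise adds.
Invoke-GPUpdate -Computer 'LON-CL1' -Force -RandomDelayInMinutes 0
```

Reprocessing on every refresh is the defence against a local administrator who edits a policy-controlled value between refreshes; without it the Registry CSE skips the GPO because its version number has not changed, and the change persists until the GPO is next edited.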

Demonstration: How to Create a GPO and Configure GPO Settings

Group Policy settings, also known as policies, are contained in a GPO, and you can view and modify them by using the Group Policy Management Editor. This demonstration explores the categories of settings available in a GPO.

Computer Configuration and User Configuration

There are two major categories of policy settings: computer settings, which are contained in the Computer Configuration node, and user settings, which are contained in the User Configuration node:

• The Computer Configuration node contains the settings that are applied to computers, regardless of who logs on to them. Computer settings are applied when the operating system starts, during background refreshes, and every 90 to 120 minutes thereafter.

• The User Configuration node contains settings that are applied when a user logs on to the computer, during background refreshes, and every 90 to 120 minutes thereafter.

Within the Computer Configuration and User Configuration nodes are the Policies and Preferences nodes. Policies are settings that are configured and behave similarly to the policy settings in older versions of the Windows operating system. Preferences were introduced in Windows Server 2008.

The Policies nodes under Computer Configuration and User Configuration contain a hierarchy of folders that contain policy settings. Because there are thousands of settings, the scope of this course does not include individual settings. However, it is worthwhile to define the broad categories of settings in the folders.

Software Settings Node

The Software Settings node is the first node. It contains only the Software Installation extension, which helps you specify how applications are installed and maintained within your organization.

Windows Settings Node

In both the Computer Configuration and User Configuration nodes, the Policies node contains a Windows Settings node, which includes the Scripts, Security Settings, and Policy-Based QoS nodes.

Note: It also contains the Name Resolution Policy folder that contains settings for configuring the DirectAccess feature of the Windows 8 operating system, which is discussed in a later module.

Scripts Node

The Scripts extension enables you to specify two types of scripts: startup/shutdown in the Computer Configuration node, and logon/logoff in the User Configuration node. Startup/shutdown scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off. When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE executes the scripts from top to bottom. You can determine the order of execution for multiple scripts in the Properties dialog box. When a computer is shut down, the CSE first processes logoff scripts, followed by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a policy setting.

You can use any Microsoft ActiveX® scripting language to write scripts. Some possibilities include Microsoft Visual Basic® Scripting Edition (VBScript), Microsoft JScript®, Perl, and Microsoft MS-DOS®–style batch files (.bat and .cmd). Logon scripts on a shared network directory in another forest are supported for network logon across forests. Windows 7 and Windows 8 also support Windows PowerShell® scripts.

Security Settings Node

The Security Settings node allows a security administrator to configure security by using GPOs. This can be done after, or instead of, using a security template to set system security.

Policy-Based QoS Node

This quality of service (QoS) node, known as the Policy-Based QoS node, defines policies that manage network traffic. For example, you might want to ensure that users in the Finance department have priority for running a critical network application during the end-of-year financial reporting period. The Policy-Based QoS node enables you to do that.

In the User Configuration node only, the Windows Settings folder contains the additional Remote Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote Installation Services (RIS) policies control the behavior of a remote operating-system installation. Folder Redirection enables you to redirect user data and settings folders such as AppData, Desktop, Documents, Pictures, Music, and Favorites from their default user profile location to an alternate location on the network, where they can be centrally managed. Windows Internet Explorer® Maintenance enables you to administer and customize Windows Internet Explorer.

Administrative Templates Node

In the Computer Configuration and User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings. There are thousands of such settings available for configuring the user and computer environment. As an administrator, you might spend a significant amount of time manipulating these settings. To assist you with the settings, a description of each policy setting is available in two locations:

• On the Explain tab in the Properties dialog box for the setting. Additionally, the Settings tab in the Properties dialog box for each setting also lists the required operating system or software for the setting.

• On the Extended tab of the Group Policy Management Editor. The Extended tab appears on the lower right of the details pane, and provides a description of each selected setting in a column between the console tree and the settings pane. The required operating system or software for each setting is also listed.

Demonstration

This demonstration shows how to:

1. Open the GPMC.

2. Create a new GPO named Desktop in the Group Policy container.

3. In the computer configuration, prevent the last logon name from displaying, and then prevent Windows Installer from running.

4. In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.

Demonstration Steps

Use the GPMC to create a new GPO

1. Sign in to LON-DC1 as administrator.

2. Open the Group Policy Management console.

3. Create a new GPO called Desktop.

Configure Group Policy settings

1. Open the new Desktop policy for editing.

2. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.

3. In the user configuration, remove the Search link from the Start menu, and then hide the display settings tab.

4. Close all open windows.
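The same demonstration can be carried out with the GroupPolicy module instead of the GPMC, which also gives a repeatable way to verify the result. The following is an added example, not the course's demonstration steps. It assumes it runs on LON-DC1, uses the GPO name Desktop from the demonstration, and assumes the four settings map to the registry values listed in the code, which is my understanding of what the corresponding Administrative Template and Security Options settings write; confirm each against the setting's Explain text.

```powershell
# Added example (not from the course): build the "Desktop" GPO from the demonstration
# with the GroupPolicy module and verify it. Registry mappings are assumptions.
Import-Module GroupPolicy

$GpoName = 'Desktop'

# Registry values assumed to correspond to the four demonstration settings.
$Settings = @(
    # Computer Configuration: "Interactive logon: Do not display last user name".
    # In the editor this is a Security Options setting; written here as a registry
    # policy value it reaches the same key on the client.
    @{ Scope = 'Computer'; Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Value = 1 },
    # Computer Configuration: "Turn off Windows Installer" (2 = Always).
    @{ Scope = 'Computer'; Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'
       Name = 'DisableMSI'; Value = 2 },
    # User Configuration: "Remove Search link from Start Menu".
    @{ Scope = 'User'; Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFind'; Value = 1 },
    # User Configuration: "Hide Settings tab" under Control Panel\Display.
    @{ Scope = 'User'; Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoDispSettingsPage'; Value = 1 }
)

function New-DesktopGpo {
    # Creates the GPO in the Group Policy Objects container (every setting starts as
    # Not Configured) and then configures the four settings. Idempotent: reuses an
    # existing GPO of the same name.
    param([string]$Name = $GpoName)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Lab demonstration: desktop restrictions' }
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    return $gpo
}

function Test-DesktopGpo {
    # Reads each value back from the GPO; $true only if all four are present with the expected data.
    param([string]$Name = $GpoName)
    foreach ($s in $Settings) {
        $v = Get-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.Name -ErrorAction SilentlyContinue
        if (-not $v -or $v.Value -ne $s.Value) { return $false }
    }
    return $true
}

$gpo = New-DesktopGpo
Test-DesktopGpo
# An HTML settings report is the quickest way to review the GPO. The demonstration
# does not link the GPO, so nothing applies to any computer or user yet.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Values written with Set-GPRegistryValue that do not match an ADMX-defined policy appear in the editor under Extra Registry Settings rather than under the friendly policy name; the report still shows them, and the client applies them through the Registry CSE either way.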

Lesson 2 Implementing and Administering GPOs

In this lesson, you will examine GPOs in more detail, learning how to create, link, edit, manage, and administer GPOs and their settings.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe domain-based GPOs.

• Describe how to create, link, and edit GPOs.

• Define GPO storage.

• Describe starter GPOs.

• Describe how to perform common GPO management tasks.

• Explain how to delegate administration of GPOs.

• Describe how to use Windows PowerShell to manage GPOs.

Domain-Based GPOs

Domain-based GPOs are created in AD DS and stored on domain controllers. You can use them to manage configuration centrally for the domain’s users and computers. The other type of GPO is a local GPO, which is tied to a specific computer. The remainder of this course refers to domain-based GPOs rather than local GPOs, unless otherwise specified.

When you install AD DS, two default GPOs are created: Default Domain Controllers Policy and Default Domain Policy.

Default Domain Policy

The Default Domain Policy GPO is linked to the domain, and it applies to Authenticated Users. This GPO does not have any WMI filters. Therefore, it affects all users and computers in the domain. This GPO contains policy settings that specify password, account lockout, and Kerberos Version 5 authentication protocol policies. These settings are of critical importance to the AD DS environment and thus make the Default Domain Policy a critical component of Group Policy. You should not add unrelated policy settings to this GPO. If you need to configure other settings to apply broadly in your domain, create additional GPOs that link to the domain.

Default Domain Controllers Policy

The Default Domain Controllers Policy GPO is linked to the OU of the domain controllers. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers or other computer objects located in the Domain Controllers OU. You should modify the Default Domain Controllers GPO to implement your auditing policies and to assign user rights required on domain controllers.

Note: Windows computers also have local GPOs, which are primarily used when computers are not connected to domain environments. Since Windows Vista, all Windows operating systems have supported multiple local GPOs. As with domain-based GPOs, it is a good practice to create new GPOs for customizations. In the Computer Configuration node, you can configure all computer-related settings. In the User Configuration node, you can configure settings that you want to apply to all users on the computer. The user settings in the Local Computer GPO can be modified by the user settings in two additional local GPOs: Administrators and Non-Administrators. These two GPOs apply user settings to logged-on users according to whether they are members of the local Administrators group: members use the Administrators GPO, and non-members use the Non-Administrators GPO. You can further refine the user settings with a local GPO that applies to a specific user account. User-specific local GPOs are associated with local, not domain, user accounts. Domain-based GPO settings combine with those applied by local GPOs, but because domain-based GPOs apply after local GPOs, when settings conflict the settings from the domain-based GPOs take precedence over the settings from local GPOs.

GPO Storage

Group Policy settings are presented as GPOs in AD DS user interface tools, but a GPO is actually two components: a Group Policy container and a Group Policy template.

The Group Policy container is an AD DS object stored in the Group Policy Objects container within the domain-naming context of the directory. Like all AD DS objects, each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO, but it does not contain any of the settings. The settings are contained in the Group Policy template, a collection of files stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened. By default, when Group Policy refresh occurs, the CSEs apply settings in a GPO only if the GPO has been updated.

The Group Policy client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as a Group Policy container attribute and in a text file, GPT.ini, in the Group Policy template folder. The Group Policy client knows the version number of each GPO it has previously applied. If, during Group Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has changed, the CSEs are informed that the GPO is updated.

GPO Replication

The Group Policy container and the Group Policy template are both replicated between all domain controllers in AD DS. However, different replication mechanisms are used for these two items.

The Group Policy container in AD DS is replicated by the Directory Replication Agent (DRA). The DRA uses a topology generated by the Knowledge Consistency Checker (KCC), which you can define or refine manually. The result is that the Group Policy container is replicated within seconds to all domain controllers in a site and is replicated between sites based on your inter-site replication configuration.

The Group Policy template in the SYSVOL is replicated by using one of the following two technologies. The File Replication Service (FRS) is used to replicate SYSVOL in domains running on Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows 2000. If all domain controllers are running Windows Server 2008 or newer, you can configure SYSVOL replication by using Distributed File System (DFS) Replication, which is a much more efficient and robust mechanism.

Because the Group Policy container and Group Policy template are replicated separately, it is possible for them to be out of sync for a short time. Typically, when this happens, the Group Policy container replicates to a domain controller first. Systems that obtain their ordered list of GPOs from that domain controller identify the new Group Policy container, attempt to download the Group Policy template, and notice that the version numbers are not the same. A policy processing error is recorded in the event logs. If the reverse happens, and the Group Policy template replicates to a domain controller before the Group Policy container, clients obtaining their ordered list of GPOs from that domain controller are not notified of the new GPO until the Group Policy container has replicated.
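The out-of-sync condition just described is something you can check for directly, domain controller by domain controller, by comparing the version number in the Group Policy container (the versionNumber attribute in AD DS) with the one in the Group Policy template (the Version= line of GPT.ini in SYSVOL). The following is an added example, not the course's own code; it assumes the ActiveDirectory and GroupPolicy modules are available on a domain member and that the account can read SYSVOL on every domain controller.

```powershell
# Added example (not from the course): compare a GPO's container and template version
# numbers on each domain controller to find replication lag between AD DS and SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoVersionOnDc {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$DomainController
    )
    $gpo      = Get-GPO -Name $GpoName
    $domainDn = (Get-ADDomain).DistinguishedName
    # The Group Policy container lives under CN=Policies,CN=System in the domain partition.
    $gpcDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    $gpc   = Get-ADObject -Identity $gpcDn -Server $DomainController -Properties versionNumber, gPCFileSysPath

    # gPCFileSysPath is the DFS path \\<domain>\SYSVOL\...; point it at this DC's own
    # SYSVOL share so the template is read from the same replica as the container.
    $gptDir = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$DomainController"
    $gptVersion = $null
    foreach ($line in Get-Content -Path (Join-Path $gptDir 'GPT.ini')) {
        if ($line -match '^Version=(\d+)\s*$') { $gptVersion = [int64]$Matches[1] -band 0xFFFFFFFF }
    }

    # versionNumber packs two 16-bit counters: user settings in the high word and
    # computer settings in the low word. Normalise to an unsigned 32-bit value first,
    # because AD DS exposes the attribute as a signed integer.
    $gpcVersion = [int64]$gpc.versionNumber -band 0xFFFFFFFF
    [pscustomobject]@{
        Gpo              = $gpo.DisplayName
        DomainController = $DomainController
        GpcVersion       = $gpcVersion
        GptVersion       = $gptVersion
        UserVersion      = $gpcVersion -shr 16
        ComputerVersion  = $gpcVersion -band 0xFFFF
        InSync           = ($null -ne $gptVersion -and $gptVersion -eq $gpcVersion)
    }
}

function Test-GpoReplication {
    # Runs the comparison against every domain controller in the domain. Rows with
    # InSync = False are the replicas that clients will log policy processing errors
    # against until the lagging side catches up.
    param([Parameter(Mandatory)][string]$GpoName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try   { Get-GpoVersionOnDc -GpoName $GpoName -DomainController $dc.HostName }
        catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
    }
}

Test-GpoReplication -GpoName 'Default Domain Policy' | Format-Table -AutoSize
```

A mismatch that persists beyond the expected replication interval, rather than clearing on its own, points at a SYSVOL replication problem (FRS or DFS Replication) rather than at the GPO itself, and is worth checking before re-editing the GPO to bump its version.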

Starter GPOs

A Starter GPO is used as a template from which to create other GPOs within GPMC. Starter GPOs only contain Administrative Template settings. You may use a Starter GPO to provide a starting point for new GPOs created in your domain. The Starter GPO already may contain specific settings that are recommended best practices for your environment. Starter GPOs can be exported to, and imported from, cabinet (.cab) files to make distribution to other environments simple and efficient.

GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL. Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These Starter GPOs contain Administrative Template settings that reflect Microsoft-recommended best practices for the configuration of the client environment.

Common GPO Management Tasks

Like critical data and other AD DS-related resources, GPOs must be backed up to protect the integrity of AD DS and of the GPOs themselves. GPMC not only provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. Options for managing GPOs include the following:

Backing Up GPOs

You can back up GPOs individually or as a whole with GPMC or Windows PowerShell. You only need to provide a backup location, which can be any valid local or shared folder. You must have Read permission on the GPO to back it up. Every time that you perform a backup, a new backup version of the GPO is created, which provides a historical record.

Restoring Backed Up GPOs

You can restore any version of a GPO. If a GPO becomes corrupt or you delete it, you can restore any of the historical versions of that GPO. The restore interface lets you view the settings stored in the backed-up version before restoring it.

Importing GPO Settings from a Backed Up GPO

You can import policy settings from one GPO into another. Importing a GPO allows you to transfer settings from a backed-up GPO to an existing GPO. Importing a GPO transfers only the GPO settings; the import process does not import GPO links. Security principals defined in the source may need to be migrated to the target.

Note: It is not possible to merge imported settings with the current target GPO settings. The imported settings will overwrite all existing settings.

Copying GPOs

You can copy GPOs in the same domain and across domains by using GPMC or Windows PowerShell. A copy operation copies an existing, live GPO to the desired destination domain. A new GPO is always created during this process. The new GPO is named “Copy of OldGPOName”. For example, if you copied a GPO named “Desktop”, the new version would be named “Copy of Desktop”. After the GPO is copied and pasted into the Group Policy Objects container, you can rename it. The destination domain can be any trusted domain in which you have the rights to create new GPOs. When copying between domains, security principals defined in the source may need to be migrated to the target.

Note: It is not possible to copy settings from multiple GPOs into a single GPO.

Migration Tables

When importing GPOs or copying them between domains, you can use migration tables to modify references in the GPO that need to be adjusted for the new location. For example, you may need to replace the Universal Naming Convention (UNC) path for folder redirection with a UNC path that is appropriate for the new user group to which the GPO will be applied. You can create migration tables before this process, or you can create them during the import or cross-domain copy operation.

Delegating Administration of Group Policies

Delegation of GPO-related tasks allows you to distribute the administrative workload across the enterprise. You can task one group with creating and editing GPOs, while another group performs reporting and analysis duties. A third group might be in charge of creating WMI filters.

You can delegate the following Group Policy tasks independently:

• Creating GPOs.

• Editing GPOs.

• Managing Group Policy links for a site, domain, or OU.

• Performing Group Policy Modeling analyses on a given domain or OU.

• Reading Group Policy Results data for objects in a given domain or OU.

• Creating WMI filters in a domain.

The Group Policy Creator Owners group allows its members to create new GPOs and edit or delete GPOs that they have created.

Group Policy Default Permissions

By default, the following users and groups have Full Control over GPO management:

• Domain Admins.

• Enterprise Admins.

• Creator Owner.

• Local System.

The Authenticated Users group has Read and Apply Group Policy permissions.

Creating GPOs

By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. There are two methods by which you can grant a group or user this right:

• Add the user or group to the Group Policy Creator Owners group.

• Explicitly grant the group or user permission to create GPOs by using GPMC.

Editing GPOs

To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.

Managing GPO Links

The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results

You can delegate the ability to use the reporting tools in the same fashion, through either GPMC or the Delegation of Control Wizard in Active Directory Users and Computers.

Create WMI Filters

You can delegate the ability to create and manage WMI filters in the same fashion, through GPMC or the Delegation of Control Wizard in Active Directory Users and Computers.

Managing GPOs with Windows PowerShell

In addition to using the Group Policy Management console and the Group Policy Management Editor, you can also perform common GPO administrative tasks by using Windows PowerShell.

The following table lists some of the more common administrative tasks possible with Windows PowerShell.

Cmdlet name        Description
New-GPO            Creates a new GPO.
New-GPLink         Creates a new GPO link for the specified GPO.
Backup-GPO         Backs up the specified GPOs.
Restore-GPO        Restores the specified GPOs.
Copy-GPO           Copies a GPO.
Get-GPO            Gets the specified GPOs.
Import-GPO         Imports the backed-up settings into a specified GPO.
Set-GPPermission   Grants specified permissions to a user or security group for the specified GPOs.

For example, the following command creates a new GPO called Sales:

New-GPO -Name Sales -Comment "This is the sales GPO"

The following command imports the settings from a backed-up Sales GPO stored in a folder located at C:\Backups into a new GPO named NewSales (the -CreateIfNeeded parameter creates the target GPO when it does not yet exist):

Import-GPO -BackupGpoName Sales -TargetName NewSales -Path C:\Backups -CreateIfNeeded
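The following script is an added example, not the course's own code, that strings the tasks from the Common GPO Management Tasks topic together with the cmdlets in the table above: back up, restore a specific version, import into another GPO, copy across domains with a migration table, and create a GPO from a Starter GPO. The backup folder, the second domain (contoso.com), the migration table file name, and the Starter GPO name are assumptions.

```powershell
# Added example (not the course's code): a backup / restore / import / copy cycle with the
# GroupPolicy module. Paths, the second domain and the migration table file are assumptions.
Import-Module GroupPolicy

$backupRoot = 'C:\Backups'                       # any local or shared folder; assumed here
if (-not (Test-Path $backupRoot)) { New-Item -ItemType Directory -Path $backupRoot | Out-Null }

# 1. Back up a single GPO. Each run adds a new version (its own GUID-named folder),
#    so keep the returned Id if you want to restore exactly this snapshot later.
$snapshot = Backup-GPO -Name 'Sales' -Path $backupRoot -Comment "Before change $(Get-Date -Format s)"
$snapshot | Select-Object DisplayName, Id, CreationTime

# 2. Back up every GPO in the domain (Read permission on each GPO is required).
Backup-GPO -All -Path $backupRoot -Comment 'Scheduled full backup' | Out-Null

# 3. Restore. -Name restores the most recent backup of that GPO; -BackupId picks a
#    specific historical version. Either way the GPO comes back under its original GUID.
Restore-GPO -BackupId $snapshot.Id -Path $backupRoot | Out-Null

# 4. Import the backed-up Sales settings into NewSales. Settings are replaced, not merged;
#    links are not imported. -CreateIfNeeded creates the target GPO if it does not exist.
Import-GPO -BackupGpoName 'Sales' -TargetName 'NewSales' -Path $backupRoot -CreateIfNeeded |
    Select-Object DisplayName, Id

# 5. Cross-domain copy with a migration table that rewrites UNC paths and security
#    principals for the destination domain (contoso.com and the .migtable file are assumed;
#    the table is authored with the Migration Table Editor in GPMC).
Copy-GPO -SourceName 'Sales' -SourceDomain 'adatum.com' `
         -TargetName 'Sales' -TargetDomain 'contoso.com' `
         -MigrationTable (Join-Path $backupRoot 'adatum-to-contoso.migtable') | Out-Null

# 6. Seed a new GPO from a Starter GPO (Starter GPO name assumed).
New-GPO -Name 'Sales Laptops' -StarterGpoName 'Adatum Baseline' -Comment 'Created from Starter GPO' |
    Select-Object DisplayName, Id
```

Because an import overwrites every setting in the target, step 4 is the one to wrap with a backup of the target GPO first; the snapshot from step 1 is the pattern to reuse.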

Lesson 3 Group Policy Scope and Group Policy Processing

A GPO is a collection of configuration instructions that will be processed by the CSEs of computers. Until the GPO is scoped, it does not apply to any users or computers. The GPO’s scope determines which CSEs of which computers will receive and process the GPO. Only the computers or users within the scope of a GPO will apply the settings in that GPO. You will learn to manage the scope of a GPO in this lesson. The following mechanisms are used to scope a GPO:

• The GPO link to a site, domain, or OU, and whether that link is enabled or not.

• The Enforce option of a GPO.

• The Block Inheritance option on an OU.

• Security group filtering.

• WMI filtering.

• Policy node enabling or disabling.

• Preferences targeting.

• Loopback policy processing.

You must be able to define the users or computers to which you plan to deploy these configurations. Consequently, you must master the art of scoping GPOs. In this lesson, you will learn each of the mechanisms with which you can scope a GPO and, in the process, you will master the concepts of Group Policy application, inheritance, and precedence.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain what GPO links are.

• Describe GPO processing.

• Describe GPO inheritance and precedence.

• Use security filters to filter GPO scope.

• Describe how to use WMI filters to filter GPO scope.

• Describe how to enable and disable GPOs.

• Explain how and when to use loopback processing.

• Describe strategies for computers that are disconnected, or which are connected by slow links.

• Explain when Group Policy settings take effect.

GPO Links

You can link a GPO to one or more AD DS sites, domains, or OUs. After you have linked a GPO, the users or computers in that container are within the scope of the GPO, including computers and users in child OUs.

Link a GPO

To link a GPO, either:

• Right-click the domain or OU in the GPMC console tree, and then click Link as existing GPO.

• If you have not yet created a GPO, click Create A GPO In This {Domain | OU | Site} And Link It Here.

You can choose the same commands to link a GPO to a site, but by default, your AD DS sites are not visible in the GPMC. To show sites in the GPMC, right-click Sites in the GPMC console tree, and then click Show Sites.

Note: A GPO linked to a site affects all computers in the site, without regard to the domain to which the computers belong, as long as all computers belong to the same Active Directory forest. Therefore, when you link a GPO to a site, that GPO can be applied to multiple domains within a forest. Site-linked GPOs are stored on domain controllers in the domain in which you create the GPO. Therefore, domain controllers for that domain must be accessible for site-linked GPOs to be applied correctly. If you implement site-linked policies, you must consider policy application when planning your network infrastructure. You can either place a domain controller from the GPO’s domain in the site to which the policy is linked, or ensure that WAN connectivity provides accessibility to a domain controller in the GPO’s domain.

When you link a GPO to a container, you define the initial scope of the GPO. Select a GPO, and then click the Scope tab to identify the containers to which the GPO is linked. In the details pane of the GPMC, the GPO links are displayed in the first section of the Scope tab.

The impact of the GPO’s links is that the Group Policy Client downloads the GPO if either the computer or the user objects fall within the scope of the link. The GPO will be downloaded only if it is new or updated. The Group Policy Client caches the GPO to make policy refresh more efficient.

Link a GPO to Multiple OUs

You can link a GPO to more than one OU. It is common, for example, to apply configuration to computers in several OUs. You can define the configuration in a single GPO, and then link that GPO to each OU. If you later change settings in the GPO, your changes will apply to all OUs to which the GPO is linked.

Delete or Disable a GPO Link

After you have linked a GPO, the GPO link appears in the GPMC underneath the site, domain, or OU. The icon for the GPO link has a small shortcut arrow. When you right-click the GPO link, a context menu appears. To delete a GPO link, right-click the GPO link in the GPMC console tree, and then click Delete.

Deleting a GPO link does not delete the GPO itself, which remains in that GPO container. However, deleting the link does change the scope of the GPO, so that it no longer applies to computers and users within the previously linked container object.

You also can modify a GPO link by disabling it. To disable a GPO link, right-click the GPO link in the GPMC console tree and then clear the Link Enabled option.

Disabling the link also changes the GPO scope so that it no longer applies to computers and users within that container. However, the link remains so that you can easily re-enable it.

Demonstration: How to Link GPOs

This demonstration shows how to:

• Open the Group Policy Management console.

• Create two new GPOs.

• Link the first GPO to the domain.

• Link the second GPO to the IT OU.

• Disable the first GPO’s link.

• Delete the second GPO.

• Re-enable the first GPO’s link.

Demonstration Steps

Create and edit two GPOs

1. Open the GPMC.

2. Create two new GPOs called Remove Run Command and Do Not Remove Run Command.

3. Edit the settings of the two GPOs.

Link the GPOs to different locations

1. Link the Remove Run Command GPO to the domain. The Remove Run Command GPO is now attached to the Adatum.com domain.

2. Link the Do Not Remove Run Command GPO to the IT OU. The Do Not Remove Run Command GPO is now attached to the IT OU.

3. View the GPO inheritance on the IT OU. The Group Policy Inheritance tab shows the order of precedence for the Group Policy Objects.

Disable a GPO link

1. Disable the Remove Run Command GPO link on the Adatum.com domain.

2. Refresh the Group Policy Inheritance pane for the IT OU, and then notice the results in the right pane. The Remove Run Command GPO is no longer listed.

Delete a GPO link

1. Select the IT OU, and then delete the Do Not Remove Run Command GPO link. Verify that the Do Not Remove Run Command GPO has been removed and that the Remove Run Command GPO is absent.

2. Enable the Remove Run Command GPO link on the Adatum.com domain. Refresh the Group Policy Inheritance window for the IT OU, and then notice the results in the right pane.
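The same demonstration can be scripted. The following Windows PowerShell script is an added example, not the course's demonstration code; it uses the GroupPolicy module to create, edit, link, disable, unlink, and re-link the two GPOs, and shows the Group Policy Inheritance view after each step. The distinguished name of the IT OU and the use of the NoRun registry value to represent the "Remove Run menu from Start Menu" setting are assumptions.

```powershell
# Added example (not the course's code) that reproduces the demonstration with the GroupPolicy
# module. The IT OU's distinguished name and the registry-based policy used to represent
# "Remove Run" are assumptions.
Import-Module GroupPolicy

$domainDn = 'DC=Adatum,DC=com'
$itOu     = 'OU=IT,DC=Adatum,DC=com'      # assumed DN of the IT OU
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create and edit the two GPOs. "Remove Run menu from Start Menu" is the Administrative
# Template policy behind the NoRun value; 1 = Enabled, 0 = Disabled (assumed representation).
$remove = New-GPO -Name 'Remove Run Command'        -Comment 'Hides Run on the Start menu'
$keep   = New-GPO -Name 'Do Not Remove Run Command' -Comment 'Explicitly keeps Run available'
Set-GPRegistryValue -Name $remove.DisplayName -Key $explorer -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $keep.DisplayName   -Key $explorer -ValueName 'NoRun' -Type DWord -Value 0 | Out-Null

# The Group Policy Inheritance tab as a function: one row per GPO that applies to the OU,
# lowest Order = highest precedence. Disabled links are not listed, exactly as in the GUI.
function Show-ItInheritance {
    (Get-GPInheritance -Target $itOu).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize
}

# Link the first GPO to the domain and the second to the IT OU
New-GPLink -Name $remove.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
New-GPLink -Name $keep.DisplayName   -Target $itOu     -LinkEnabled Yes | Out-Null
Show-ItInheritance   # both listed; the OU-linked GPO precedes the inherited domain GPO

# Disable the domain link: the GPO and the link both remain, but the GPO leaves the IT OU's scope
Set-GPLink -Name $remove.DisplayName -Target $domainDn -LinkEnabled No | Out-Null
Show-ItInheritance   # 'Remove Run Command' is no longer listed

# Delete the OU link: the GPO object itself stays in the Group Policy Objects container
Remove-GPLink -Name $keep.DisplayName -Target $itOu | Out-Null
Get-GPO -Name $keep.DisplayName | Select-Object DisplayName, Id     # still exists, now unlinked
Show-ItInheritance   # neither GPO applies to the IT OU at this point

# Re-enable the domain link
Set-GPLink -Name $remove.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
Show-ItInheritance   # 'Remove Run Command' is back, inherited from the domain
```

The difference between Set-GPLink -LinkEnabled No and Remove-GPLink is the one the lesson makes for the GUI: the first keeps the link in place so it can be switched back on, the second removes the link while leaving the GPO untouched.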

Group Policy Processing Order

The GPOs that apply to a user, computer, or both do not apply all at once. GPOs are applied in a particular order. This order means that settings that are processed first may be overwritten by conflicting settings that are processed later.

Group Policy follows the following hierarchical processing order:

1. Local GPOs. Each computer running Windows 2000 or newer has at least one local group policy. The local policies are applied first, when such policies are configured.

2. Site-linked GPOs. Policies linked to sites are processed second. If there are multiple site policies, they are processed synchronously in the listed preference order.

3. Domain-linked GPOs. Policies linked to domains are processed third. If there are multiple domain policies, they are processed synchronously in the listed preference order.

4. OU-linked GPOs. Policies linked to top-level OUs are processed fourth. If there are multiple top-level OU policies, they are processed synchronously in the listed preference order.

5. Child OU-linked GPOs. Policies linked to child OUs are processed fifth. If there are multiple child OU policies, they are processed synchronously in the listed preference order. When there are multiple levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs are applied next.

In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that restricts access to the Control Panel applied at the domain level could be reversed by a policy applied at the OU level for the objects contained in that particular OU.

If you link several GPOs to an OU, their processing occurs in the order that the administrator specifies on the OU’s Linked Group Policy Objects tab in the GPMC. By default, processing is enabled for all GPO links. You can disable a container’s GPO link to block the application of a GPO completely for a given site, domain, or OU. For example, if a recent change was made to a GPO and it is causing production issues, you can disable the link or links until the issue is resolved. Note that if the GPO is linked to other containers, they will continue to process the GPO if their links are enabled.

You can also disable the User Configuration or Computer Configuration node of a particular GPO independently of the other. If one section of a policy is known to be empty, disabling that empty side speeds up policy processing slightly. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer side of the policy.

Configuring GPO Inheritance and Precedence

You can configure a policy setting in more than one GPO, which may result in GPOs conflicting with each other. For example, you may enable a policy setting in one GPO, disable it in another GPO, and then not configure it in a third GPO. In this case, the precedence of the GPOs determines which policy setting the client applies. A GPO with higher precedence prevails over a GPO with lower precedence.

Precedence is shown as a number in the GPMC. The smaller the number—that is, the closer to 1—the higher the precedence. Therefore, a GPO that has a precedence of 1 will prevail over other GPOs. Select the relevant AD DS container, and then click the Group Policy Inheritance tab to view the precedence of each GPO.

When a policy setting is enabled or disabled in a GPO with higher precedence, the configured setting takes effect. However, remember that policy settings are set to Not Configured, by default. If a policy setting is not configured in a GPO with higher precedence, the policy setting, either enabled or disabled, in a GPO with lower precedence will take effect.

You can link more than one GPO to an AD DS container object. The link order of GPOs determines the precedence of GPOs in such a scenario. GPOs that are higher in the link order (that is, with a lower link order number) take precedence over GPOs that are lower in the link order. When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link order of GPOs linked to that OU.

The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by lower-level containers. When a computer starts up or a user logs on, the Group Policy Client examines the location of the computer or user object in AD DS, and evaluates the GPOs with scopes that include the computer or user. Then, the CSEs apply policy settings from these GPOs. Policies are applied sequentially, beginning with the policies linked to the site, followed by those linked to the domain, followed by those linked to OUs—from the top-level OU down to the OU in which the user or computer object exists. It is a layered application of settings, so a GPO that is applied later in the process overrides settings applied earlier in the process because it has higher precedence.

The sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, so the resultant set of policies for a user or computer will be the cumulative effect of site, domain, and OU policies.

By default, inherited GPOs have lower precedence than GPOs linked directly to the container. For example, you might configure a policy setting to disable the use of registry-editing tools for all users in the domain by configuring the policy setting in a GPO linked to the domain. That GPO, and its policy setting, is inherited by all users within the domain. However, because you probably want administrators to be able to use registry-editing tools, you will link a GPO to the OU that contains administrators’ accounts, and then configure the policy setting to allow the use of registry-editing tools. Because the GPO linked to the administrators’ OU takes higher precedence than the inherited GPO, administrators will be able to use registry-editing tools.

Precedence of Multiple Linked GPOs

If there are multiple GPOs linked to an AD DS container object, the objects’ link order determines their precedence.

To change the precedence of a GPO link:

1. Select the AD DS container object in the GPMC console tree.

2. Click the Linked Group Policy Objects tab in the details pane.

3. Select the GPO.

4. Use the Up, Down, Move To Top, and Move To Bottom arrows to change the link order of the selected GPO.

Block Inheritance

You can configure a domain or OU to prevent the inheritance of policy settings. This is known as blocking inheritance. To block inheritance, right-click the domain or OU in the GPMC console tree, and then select Block Inheritance.

The Block Inheritance option is a property of a domain or OU, so it blocks all Group Policy settings from GPOs linked to parents in the Group Policy hierarchy. For example, when you block inheritance on an OU, GPO application begins with any GPOs linked directly to that OU. Therefore, GPOs linked to higher-level OUs, the domain, or the site will not apply.

You should use the Block Inheritance option sparingly because blocking inheritance makes it more difficult to evaluate Group Policy precedence and inheritance. With security group filtering, you can carefully scope a GPO so that it applies to only the correct users and computers in the first place, making it unnecessary to use the Block Inheritance option.

Enforce a GPO Link

Additionally, you can set a GPO link to be Enforced. To enforce a GPO link, right-click the GPO link in the console tree, and then select Enforced from the context menu.

When you set a GPO link to Enforced, the GPO takes the highest level of precedence: policy settings in that GPO prevail over any conflicting policy settings in other GPOs. Furthermore, an enforced link applies to child containers even when those containers are set to Block Inheritance. In short, the Enforced option causes the policy to apply to all objects within its scope, to override any conflicting policies, and to apply regardless of whether a Block Inheritance option is set.

Enforcement is useful when you must configure a GPO that defines a configuration mandated by your corporate IT security and usage policies, and you want to ensure that other GPOs do not override those settings. You can do this by enforcing the GPO’s link.

Evaluating Precedence

To facilitate evaluation of GPO precedence, you can simply select an OU or domain, and then click the Group Policy Inheritance tab. This tab displays the resulting precedence of GPOs, accounting for GPO links, link order, inheritance blocking, and link enforcement. This tab does not account for policies that are linked to a site, for GPO security filtering, or for WMI filtering.
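Link order, Block Inheritance and Enforced can all be read and set from Windows PowerShell. The following script is an added example, not the course's code: it reproduces the Group Policy Inheritance tab for one container with Get-GPInheritance, changes link order and enforcement with Set-GPLink, blocks inheritance with Set-GPInheritance, and finishes with a domain-wide listing of every OU where inheritance is blocked. The OU and GPO names are assumptions, and the last step assumes the ActiveDirectory module is available.

```powershell
# Added example (not the course's code): read and change precedence with the GroupPolicy
# module. OU names, GPO names and the use of the ActiveDirectory module are assumptions.
Import-Module GroupPolicy

# Equivalent of the Group Policy Inheritance tab for one container. Like the tab, it
# reflects link order, inheritance blocking and enforcement, but not site links,
# security filtering or WMI filters, so it is not the final word on what a client applies.
function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)   # distinguished name of a domain or OU
    $som = Get-GPInheritance -Target $Target
    foreach ($link in $som.InheritedGpoLinks) {
        [pscustomobject]@{
            Precedence             = $link.Order              # 1 = applied last = wins conflicts
            GPO                    = $link.DisplayName
            LinkedAt               = $link.Target
            Inherited              = ($link.Target -ne $som.Path)
            Enforced               = $link.Enforced
            InheritanceBlockedHere = $som.GpoInheritanceBlocked
        }
    }
}

$domainDn = 'DC=Adatum,DC=com'
$itOu     = 'OU=IT,DC=Adatum,DC=com'       # assumed

# Reorder links on the OU itself: Order 1 is the top of the Linked Group Policy Objects tab
Set-GPLink -Name 'IT Desktop Settings' -Target $itOu -Order 1 | Out-Null          # GPO name assumed

# Block inheritance on the OU: site, domain and parent-OU links stop applying to it ...
Set-GPInheritance -Target $itOu -IsBlocked Yes | Out-Null

# ... except links that are enforced, which also move to the highest precedence
# and therefore win any conflict with the OU's own GPOs.
Set-GPLink -Name 'Corporate Security Baseline' -Target $domainDn -Enforced Yes | Out-Null   # GPO name assumed

Get-EffectiveGpoOrder -Target $itOu | Format-Table -AutoSize

# Review where Block Inheritance is in use across the domain (needs the ActiveDirectory module),
# since every blocked OU is a place where precedence is harder to reason about.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object Name, Path
```

After the two changes, the report shows the enforced domain GPO at precedence 1 even though the OU blocks inheritance, which is exactly the interaction the text describes.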

Using Security Filtering to Modify GPO Scope

Although you can use Enforcement and Block Inheritance options to control the application of GPOs to container objects, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.

Each GPO has an ACL that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. For example, if a GPO is scoped to a computer by its link to the computer’s OU, but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users that you specify.

By default, Authenticated Users are given the Allow Read permissions and the Allow Apply Group Policy permission on each new GPO. This means that, by default, all users and computers are affected by the GPOs set for their domain, site, or OU, regardless of the other groups in which they might be members. Therefore, there are two ways of filtering GPO scope:

• Remove the Apply Group Policy permission, currently set to Allow, for the Authenticated Users group, but do not set this permission to Deny. Then, determine the groups to which the GPO should be applied and set the Read and Apply Group Policy permissions for these groups to Allow.

• Determine the groups to which the GPO should not be applied and set the Apply Group Policy permission for these groups to Deny. If you deny the Apply Group Policy permission to a GPO, the user or computer will not apply settings in the GPO, even if the user or computer is a member of another group that is allowed the Apply Group Policy permission.

Filtering a GPO to Apply to Specific Groups

To apply a GPO to a specific security group:

1. Select the GPO in the Group Policy Objects container in the console tree.

2. In the Security Filtering section, select the Authenticated Users group, and then click Remove.

Note: You cannot filter GPOs with domain local security groups.

3. Click OK to confirm the change.

4. Click Add.

5. Select the group to which you want the policy to apply, and then click OK.

Filtering a GPO to Exclude Specific Groups

The Scope tab of a GPO does not allow you to exclude specific groups. To exclude a group—that is, to deny the Apply Group Policy permission—you must use the Delegation tab.

To deny a group the Apply Group Policy permission:

1. Select the GPO in the Group Policy Objects container in the console tree.

2. Click the Delegation tab.

3. Click the Advanced button. The Security Settings dialog box appears.

4. Click the Add button.

5. Select the group you want to exclude from the GPO. Remember, it must be a global group. GPO scope cannot be filtered by domain local groups.

6. Click OK. The group you selected is given the Allow Read permission, by default.

7. Clear the Allow Read permission check box.

8. Select the Deny Apply Group Policy check box.

9. Click OK. You are warned that Deny permissions override other permissions. Because Deny permissions override Allow permissions, we recommend that you use them sparingly. Microsoft Windows reminds you of this best practice with the warning message. The process to exclude groups with the Deny Apply Group Policy permission is far more laborious than the process to include groups in the Security Filtering section of the Scope tab.

10. Confirm that you want to continue.

Note: Deny permissions are not exposed on the Scope tab. Unfortunately, when you exclude a group, the exclusion is not shown in the Security Filtering section of the Scope tab. This is yet one more reason to use Deny permissions sparingly.
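Both the delegation topic earlier in this lesson and the security filtering procedure above come down to the GPO's ACL, which the GroupPolicy module exposes through Set-GPPermission and Get-GPPermission. The following script is an added example, not the course's code. It delegates edit rights to a group, converts the GPO from the demonstration to an "apply only to these principals" filter, and then audits every GPO for two conditions the Scope tab does not show: Deny entries, and GPOs that no longer grant Read to Authenticated Users or Domain Computers. The second audit matters because, since security update MS16-072 (June 2016), the user side of a GPO is retrieved in the computer's security context, so removing Read for Authenticated Users without granting it to Domain Computers silently stops the user settings from applying; that is why the example keeps Read and removes only Apply. The group name GPO Editors and the account name Ed (for Ed Meadows) are assumptions.

```powershell
# Added example (not the course's code) covering both the delegation topic earlier in this
# lesson and security filtering. The GPO name comes from the demonstration; the group
# 'GPO Editors' and the account name 'Ed' (for Ed Meadows) are assumptions.
Import-Module GroupPolicy
$gpoName = 'Remove Help menu'

# Delegation: GpoEdit = Read + Write on the GPO, without the right to delete it or change
# its permissions (that would be GpoEditDeleteModifySecurity).
Set-GPPermission -Name $gpoName -TargetName 'GPO Editors' -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Security filtering, "allow list" form: drop Apply Group Policy for Authenticated Users but
# keep Read (see MS16-072 above). -Replace lowers the level instead of adding to it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Ed' -TargetType User -PermissionLevel GpoApply | Out-Null

# What the Scope tab now shows: only principals that hold both Read and Apply
Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

# Audit 1: Deny entries (the "exclude" form) are invisible on the Scope tab, so enumerate them
# for every GPO. Set-GPPermission cannot create Deny entries; they come only from the
# Delegation tab or direct ACL edits, which is one more reason to list them regularly.
function Get-GpoDenyEntries {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Name $gpo.DisplayName -All |
            Where-Object { $_.Denied } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

# Audit 2: GPOs that grant no permission at all (every level includes Read) to either
# Authenticated Users or Domain Computers; their user settings will not apply after MS16-072.
function Get-GpoWithoutComputerRead {
    foreach ($gpo in Get-GPO -All) {
        $readers = Get-GPPermission -Name $gpo.DisplayName -All |
            Where-Object { (-not $_.Denied) -and ($_.Trustee.Name -in @('Authenticated Users', 'Domain Computers')) }
        if (-not $readers) { $gpo.DisplayName }
    }
}

Get-GpoDenyEntries | Format-Table -AutoSize
Get-GpoWithoutComputerRead
```

Run the two audit functions as part of routine GPO review: a Deny entry that nobody remembers, or a GPO whose Read permission was removed along with Apply, are the two filtering mistakes that the GUI makes hardest to spot.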

What Are WMI Filters?

WMI is a management-infrastructure technology that enables administrators to monitor and control managed objects in the network. A WMI query is capable of filtering systems based on characteristics, including random access memory (RAM), processor speed, disk capacity, IP address, operating-system version and service-pack level, installed applications, and printer properties. Because WMI exposes almost every property of every object within a computer, the list of attributes that you can use in a WMI query is virtually unlimited. WMI queries are written using WMI Query Language (WQL).

You can use a WMI query to create a WMI filter, with which you can filter a GPO. You can use Group Policy to deploy software applications and service packs. You might create a GPO to deploy an application, and then use a WMI filter to specify that the policy should apply only to computers with a certain operating system and service pack, such as Windows XP Service Pack 3 (SP3). The WMI query to identify such systems is:

Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"

When the Group Policy Client evaluates the GPOs it has downloaded to determine which should be handed off to the CSEs for processing, it performs the query against the local system. If the system meets the criteria of the query, the query result is a logical True, and the CSEs process the GPO.

WMI exposes namespaces, within which are classes that can be queried. Many useful classes, including Win32_OperatingSystem, are found in the namespace root\CIMv2.

To create a WMI filter:

1. Right-click the WMI Filters node in the GPMC console tree, and then click New. Type a name and description for the filter, and then click the Add button.

2. In the Namespace box, type the namespace for your query.

3. In the Query box, enter the query.

4. Click OK, and then click Save.

To filter a GPO with a WMI filter:

1. Select the GPO or GPO link in the console tree.

2. Click the Scope tab.

3. Click the WMI drop-down list, and then select the WMI filter. In the pop-up window, click Yes to confirm the change of the WMI filter.

You can filter a GPO with only a single WMI filter, but you can also create a WMI filter with a complex query that uses multiple criteria. You can link a single WMI filter to one or more GPOs. The General tab of a WMI filter displays the GPOs that use the WMI filter.

There are three significant caveats regarding WMI filters:

• First, mastering the WQL syntax of WMI queries can be challenging. However, you can often find examples on the Internet when you search by using the keywords “WMI filter” and “WMI query”, along with a description of the query that you want to create.

• Second, WMI filters are expensive in terms of Group Policy processing performance. Because the Group Policy Client must perform the WMI query at each policy processing interval, there is a slight impact on system performance every 90 to 120 minutes. With the performance of today’s computers, the impact might not be noticeable. However, you should test the effects of a WMI filter prior to deploying it widely in your production environment.

Note: The WMI query is processed only once, even if you use it to filter the scope of multiple GPOs.

Demonstration: How to Filter Policies

This demonstration shows how to:

• Create a GPO that removes the Help menu link from the Start menu, and then link it to the IT OU.

• Use security filtering to exempt a user from the GPO.

• Test Group Policy application.

Demonstration Steps

Create a new GPO, and link it to the IT organizational unit 1. Open the GPMC on LON-DC1.

2. Create a new GPO called Remove Help menu, and then link it to the IT organizational unit.

3. Modify the settings of the GPO to remove Help from the Start menu.

Filter Group Policy application by using security group filtering 1. Remove the Authenticated Users entry from the Security Filtering list for the Remove Help menu

GPO in the IT organizational unit.

2. Add the user Ed Meadows to the Security filtering list. Now, only Ed Meadows has the apply policy permission.

Filter Group Policy application by using WMI filtering

1. Create a WMI filter called XP filter.

2. Add the following query to the filter:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

3. Save the query as XP filter.

4. Create a new GPO called Software Updates for XP.

5. Modify the policy’s properties to use the XP filter.

6. Close the GPMC.
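The second caveat above recommends testing a WMI filter before deploying it widely. The following PowerShell function is an added example, not part of the course handbook or of any Microsoft tool: it runs the WQL text of a filter (here the query from the demonstration) against one or more computers with Get-CimInstance and reports whether the filter would match and roughly how long the query takes. The computer names are constructed placeholders; remote hosts are queried over WinRM, so the CIM session must be reachable and you need local administrator rights there.

```powershell
# Added example (not from the course handbook): evaluate a WMI filter's WQL
# query on real computers before linking the filter to a GPO.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Query,                   # the WQL exactly as stored in the filter
        [string[]]                        $ComputerName = @('localhost')
    )
    foreach ($computer in $ComputerName) {
        $cim = @{ Query = $Query; ErrorAction = 'Stop' }
        # Local queries go through the local CIM server; remote ones over WinRM.
        if ($computer -notin 'localhost', '.', $env:COMPUTERNAME) { $cim.ComputerName = $computer }

        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # A WMI filter "matches" when the query returns at least one instance.
            $instances = @(Get-CimInstance @cim)
            [pscustomobject]@{
                ComputerName  = $computer
                FilterMatches = ($instances.Count -gt 0)
                Instances     = $instances.Count
                ElapsedMs     = $sw.ElapsedMilliseconds   # approximate cost paid at every policy refresh
                Error         = $null
            }
        } catch {
            # Surface query or connectivity failures instead of treating them as "no match".
            [pscustomobject]@{
                ComputerName  = $computer
                FilterMatches = $false
                Instances     = 0
                ElapsedMs     = $sw.ElapsedMilliseconds
                Error         = $_.Exception.Message
            }
        }
    }
}

# The query from the demonstration; Caption has to match the OS name exactly.
$xpQuery = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'

# Constructed computer names for the sake of the example.
Test-WmiFilterQuery -Query $xpQuery -ComputerName 'LON-DC1', 'LON-CL1' | Format-Table -AutoSize
```

A row with a non-empty Error column means the query itself is the problem (a WQL typo, a class that does not exist on that OS, or a connectivity failure), which is worth knowing before the Group Policy client on every computer starts evaluating it every 90 to 120 minutes.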

Enable and Disable GPOs and GPO Nodes

You can prevent the settings in the Computer Configuration or User Configuration nodes from processing during policy refresh by changing the GPO Status.

To enable or disable a GPO's nodes, select the GPO or GPO link in the console tree, click the Details tab shown in the figure, and then select one of the following from the GPO Status drop-down list:

• Enabled. Both computer configuration settings and user configuration settings will be processed by CSEs during policy refresh.

• All Settings Disabled. CSEs will not process the GPO during policy refresh.

• Computer Configuration Settings Disabled. During computer policy refresh, computer configuration settings in the GPO will not be applied.

• User Configuration Settings Disabled. During user policy refresh, user configuration settings in the GPO will not be applied.


You can configure GPO status to optimize policy processing. For example, if a GPO contains only user settings, then setting the GPO Status option to disable computer settings prevents the Group Policy client from attempting to process the GPO during computer policy refresh. Because the GPO contains no computer settings, there is no need to process the GPO, and you can save a few processor cycles.

Note: You can define a configuration that should take effect in case of an emergency, security incident, or other type of disaster in a GPO, and then link the GPO so that it is scoped to appropriate users and computers. Then, disable the GPO. If you require the configuration to be deployed, enable the GPO.
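As an added example of the optimization just described (not code from the course handbook), the following PowerShell reads each GPO's XML report, detects a Computer or User node that carries no settings at all, and optionally sets the GPO Status so that the empty node is skipped. It assumes the GroupPolicy module and that an XML report contains an ExtensionData element under Computer or User only when that node holds settings. It deliberately never re-enables anything: a GPO that someone has already disabled, such as the emergency GPO from the note above, is reported but left untouched.

```powershell
# Added example (not from the course handbook): find GPOs with an empty
# Computer or User node and, with -Fix, disable that node via GpoStatus.
Import-Module GroupPolicy

function Get-GpoEmptyNode {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Fix)   # without -Fix the function only reports

    foreach ($gpo in Get-GPO -All) {
        # Assumption: the XML report has <ExtensionData> under <Computer>/<User>
        # only when that node actually contains settings.
        [xml] $report   = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $computerEmpty  = ($null -eq $report.GPO.Computer.ExtensionData)
        $userEmpty      = ($null -eq $report.GPO.User.ExtensionData)
        if (-not $computerEmpty -and -not $userEmpty) { continue }   # both nodes in use

        $desired = if ($computerEmpty -and $userEmpty) { 'AllSettingsDisabled' }
                   elseif ($computerEmpty)             { 'ComputerSettingsDisabled' }
                   else                                { 'UserSettingsDisabled' }

        $result = [pscustomobject]@{
            Name          = $gpo.DisplayName
            CurrentStatus = $gpo.GpoStatus
            DesiredStatus = $desired
            Changed       = $false
        }

        # Only tighten GPOs that are fully enabled; anything already disabled
        # (wholly or on one side) was a deliberate administrative choice.
        if ($Fix -and $gpo.GpoStatus -eq 'AllSettingsEnabled' -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "Set GpoStatus to $desired")) {
            $gpo.GpoStatus  = $desired    # setter writes the status back to the GPO
            $result.Changed = $true
        }
        $result
    }
}

# Report first; run with -Fix -WhatIf to preview, then -Fix to apply.
Get-GpoEmptyNode | Format-Table -AutoSize
```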

Loopback Policy Processing

By default, a user’s settings come from GPOs scoped to the user object in AD DS. Regardless of which computer the user logs on to, the resultant set of policies that determine the user’s environment is the same. There are situations, however, in which you might want to configure a user differently, depending on the computer in use. For example, you might want to lock down and standardize user desktops when users sign in to computers in closely managed environments, such as conference rooms, reception areas, laboratories, classrooms, and kiosks. It also is important for Virtual Desktop Infrastructure (VDI) scenarios, including remote virtual machines and Remote Desktop Services (RDS).

Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows desktop on all computers in conference rooms and other public areas of your office. How will you centrally manage this configuration by using Group Policy? Policy settings that configure desktop appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply to users, regardless of which computer they sign in to. The default policy processing does not give you a way to scope user settings to apply to computers, regardless of which user logs on. That is how loopback policy processing can be useful.

Loopback policy processing alters the default algorithm that the Group Policy client uses to obtain the ordered list of GPOs that should be applied to a user’s configuration. Instead of user configuration being determined by the User Configuration node of GPOs that are scoped to the user object, user configuration can be determined by the User Configuration node policies of GPOs that are scoped to the computer object.

The Configure user Group Policy loopback processing mode policy, located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in Group Policy Management Editor, can be set to Not Configured, Enabled, or Disabled, like all policy settings.

When enabled, the policy can specify the Replace or Merge mode:

• Replace. In this case, the GPO list for the user is replaced entirely by the GPO list already obtained for the computer at computer startup. The settings in the User Configuration policies of the computer’s GPOs are applied to the user. The Replace mode is useful in a situation such as a classroom where users should receive a standard configuration rather than the unrestricted configuration applied to those users in a less managed environment.


• Merge. In this case, the GPO list obtained for the computer at computer startup is appended to the GPO list obtained for the user when logging on. Because the GPO list obtained for the computer is applied later, settings in GPOs on the computer’s list have precedence if they conflict with settings in the user’s list. This mode would be useful when you need to apply additional settings to users’ typical configurations. For example, you might allow a user to receive the user’s typical configuration when logging on to a computer in a conference room or reception area, but replace the wallpaper with a standard bitmap, and disable the use of certain applications or devices.

Note: When you combine loopback processing with security group filtering, the application of user settings during policy refresh uses the computer’s credentials to determine which GPOs to apply as part of the loopback processing. However, the logged-on user also must have the Apply Group Policy permission for the GPO to be applied successfully. Also, the loopback processing flag is configured per session rather than per GPO.
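The loopback policy setting described above is stored as a registry-based policy, which makes it easy to set and audit from PowerShell. The following is an added example, not code from the course handbook: it assumes the GroupPolicy module and that the setting maps to the UserPolicyMode DWORD under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace; value absent = Not Configured). The GPO name "Kiosk Lockdown" is a constructed placeholder for the computer-scoped GPO that carries the conference-room or kiosk User Configuration.

```powershell
# Added example (not from the course handbook): set and read the loopback
# processing mode of a GPO through its registry-based policy value.
Import-Module GroupPolicy

# Assumption: registry location and values behind
# "Configure user Group Policy loopback processing mode".
$loopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$loopbackName = 'UserPolicyMode'

function Set-GpoLoopbackMode {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [ValidateSet('Merge', 'Replace', 'NotConfigured')] [string] $Mode
    )
    if ($Mode -eq 'NotConfigured') {
        # Removing the value returns the setting to Not Configured.
        Remove-GPRegistryValue -Name $GpoName -Key $loopbackKey -ValueName $loopbackName | Out-Null
    } else {
        $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
        Set-GPRegistryValue -Name $GpoName -Key $loopbackKey -ValueName $loopbackName `
                            -Type DWord -Value $value | Out-Null
    }
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)] [string] $GpoName)
    try {
        $entry = Get-GPRegistryValue -Name $GpoName -Key $loopbackKey -ValueName $loopbackName -ErrorAction Stop
        switch ($entry.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown ($($entry.Value))" }
        }
    } catch {
        'NotConfigured'   # Get-GPRegistryValue throws when the value is absent
    }
}

# Kiosk and conference-room computers: Replace, so every user who signs in
# receives only the locked-down User Configuration of this computer-scoped GPO.
Set-GpoLoopbackMode -GpoName 'Kiosk Lockdown' -Mode Replace
Get-GpoLoopbackMode -GpoName 'Kiosk Lockdown'
```

Auditing is the useful half: running Get-GpoLoopbackMode across Get-GPO -All shows which GPOs silently switch user processing to computer scope, which is exactly the kind of change that makes an RSoP report surprising.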

Strategies for Slow Links and Disconnected Systems

Some settings that you can configure with Group Policy can be impacted by the speed of the link that the user’s computer has with your domain network. For instance, deploying software by using GPOs would be inappropriate over slower links. Furthermore, it is important to consider the effect of GPOs on computers that are disconnected from the domain network.

Slow Links

The Group Policy Client addresses the issue of slow links by detecting the connection speed to the domain, and by determining whether the connection should be considered a slow link. That determination is then used by each CSE to decide whether to apply settings. The software extension, for example, is configured to forego policy processing, so that software is not installed if a slow link is detected.

Note: By default, a link is considered to be slow if it is less than 500 kilobits per second (Kbps). However, you can configure this to a different speed.

If Group Policy detects a slow link, it sets a flag to indicate the slow link to the CSEs. The CSEs then can determine whether to process the applicable Group Policy settings. The following table describes the default behavior of the client-side extensions.

Client-side extension                          Slow link processing   Can it be changed?
Registry policy processing                     On                     No
Internet Explorer maintenance                  Off                    Yes
Software Installation policy                   Off                    Yes
Folder Redirection policy                      Off                    Yes
Scripts policy                                 Off                    Yes
Security policy                                On                     No
Internet Protocol security (IPsec) policy      Off                    Yes
Wireless policy                                Off                    Yes
Encrypting File System (EFS) Recovery policy   On                     Yes
Disk Quota policy                              Off                    Yes

Disconnected Computers

If a user is working while disconnected from the network, the settings previously applied by Group Policy continue to take effect. That way, a user’s experience is identical, regardless of whether he or she is on the network or away. A notable exception to this rule is that startup, logon, logoff, and shutdown scripts will not run if the user is disconnected.

If a remote user connects to the network, the Group Policy client wakes up and determines whether a Group Policy refresh window was missed. If so, it performs a Group Policy refresh to obtain the latest GPOs from the domain. Again, the CSEs determine, based on their policy processing settings, whether settings in those GPOs are applied.

Group Policy Caching

A new Group Policy feature named Group Policy Caching was introduced in Windows Server 2012 R2 and Windows 8.1. Group Policy Caching, which is on by default on computers that run Windows Server 2012 R2 or Windows 8.1, caches Group Policy information after every background processing session. The cached information is saved locally on the computer. The Group Policy Caching feature has the following characteristics:

• If Group Policy is configured to run synchronously, as it is by default, then the cached Group Policy information can be used in place of a GPO download. This can improve the overall performance of Group Policy.

• If Group Policy is configured to run asynchronously, then computers will download the latest version of the GPOs on demand and not use the cached information.

• In the new Group Policy Caching setting in Group Policy, there are two settings, one for slow link detection and one for a timeout period. These are used by computers to determine whether they are on a slow link or whether they are disconnected from the network. If they are disconnected from the network, Group Policy processing is suspended.

Group Policy Caching improves performance in general by reducing the repetitive downloads of GPOs, and especially for computers connected by a slow link by reducing the overall bandwidth consumption over the slow link.

Note: This process does not apply to the Windows XP operating system or the Windows Server 2003 operating system. It applies only to Windows Vista and later.


Identifying When Settings Become Effective

There are several processes that must be completed before Group Policy settings are actually applied to a user or a computer. This topic discusses these processes.

GPO Replication Must Happen

Before a GPO can take effect, the Group Policy container in Active Directory must be replicated to the domain controller from which the Group Policy Client obtains its ordered list of GPOs. Additionally, the Group Policy template in SYSVOL must replicate to the same domain controller.

Group Changes Must Be Incorporated

Finally, if you have added a new group or changed the membership of a group that is used to filter the GPO, that change also must be replicated. Furthermore, the change must be in the security token of the computer and the user. This requires either a restart for the computer to update its group membership or a logoff and logon for the user to update its group membership.

User or Computer Group Policy Refresh Must Occur

Refresh happens at startup for computer settings, at logon for user settings, and every 90 to 120 minutes thereafter, by default.

Note: Remember that the practical impact of the Group Policy refresh interval is that, when you make a change in your environment, on average, the changes will start to take effect after one-half of that time, or 45 to 60 minutes, has passed.
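The replication requirement above (the container in Active Directory and the template in SYSVOL must both reach the domain controller the client talks to) can be checked before you start waiting out the refresh interval. The following PowerShell is an added example, not code from the course handbook: it assumes the GroupPolicy and ActiveDirectory modules, and that Get-GPO -Server reads both the AD version and the SYSVOL version of the GPO through the named domain controller. A GPO counts as converged only when every DC answers, AD and SYSVOL versions agree on each DC, and all DCs report the same version.

```powershell
# Added example (not from the course handbook): verify that a GPO's AD and
# SYSVOL versions have replicated consistently to every domain controller.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoReplication {
    param([Parameter(Mandatory)] [string] $Name)

    $dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $rows = foreach ($dc in $dcs) {
        try {
            # Assumption: -Server makes Get-GPO read the container and the template via this DC.
            $g = Get-GPO -Name $Name -Server $dc -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc
                ComputerAD       = $g.Computer.DSVersion
                ComputerSysvol   = $g.Computer.SysvolVersion
                UserAD           = $g.User.DSVersion
                UserSysvol       = $g.User.SysvolVersion
                Error            = $null
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc; ComputerAD = $null; ComputerSysvol = $null
                UserAD = $null; UserSysvol = $null; Error = $_.Exception.Message
            }
        }
    }

    $ok = @($rows | Where-Object { -not $_.Error })
    $perDcConsistent = @($ok | ForEach-Object {
        $_.ComputerAD -eq $_.ComputerSysvol -and $_.UserAD -eq $_.UserSysvol
    })
    $converged =
        $ok.Count -eq $rows.Count -and                          # every DC answered
        $perDcConsistent -notcontains $false -and               # AD == SYSVOL on each DC
        @($ok.ComputerAD | Sort-Object -Unique).Count -le 1 -and # same computer version everywhere
        @($ok.UserAD     | Sort-Object -Unique).Count -le 1      # same user version everywhere

    [pscustomobject]@{ Name = $Name; Converged = $converged; PerDC = $rows }
}

# Constructed GPO name for the example.
$check = Test-GpoReplication -Name 'Remove Help menu'
$check.PerDC | Format-Table -AutoSize
"Converged: $($check.Converged)"
```

A DC whose AD version is ahead of its SYSVOL version is the classic sign that Active Directory replication has finished but file replication of the template has not, and clients using that DC will not yet see the new settings.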

By default, Windows clients with Windows XP and later installed on them perform only background refreshes at startup and logon. This means that a client might start up and a user might sign in without receiving the latest policies from the domain. We highly recommend that you change this default behavior so that policy changes are implemented in a managed, predictable way. Enable the policy setting Always Wait For Network At Startup And Logon for all Windows clients. The setting is located in Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to read the policy setting’s explanatory text. Note that this does not affect the startup or logon time for computers that are not connected to a network. If a computer detects that it is disconnected, it does not "wait" for a network.

Logon or Restart

Although most settings are applied during a background policy refresh, some CSEs do not apply the setting until the next startup or logon event. For example, newly added startup and logon script policies do not run until the next computer startup or logon. Software installation will occur at the next startup if the software is assigned in computer settings. Changes to folder-redirection policies will not take effect until the next logon.

Manually Refresh Group Policy

When you troubleshoot Group Policy processing, you might need to initiate a Group Policy refresh manually so that you do not have to wait for the next background refresh. You can use the GPUpdate command to initiate a Group Policy refresh. Used on its own, this command triggers processing identical to a background Group Policy refresh. Both computer policy and user policy are refreshed. Use the /target:computer or /target:user parameter to limit the refresh to computer or user settings, respectively. During background refresh, by default, settings are applied only if the GPO has been updated. The /force switch causes the system to reapply all settings in all GPOs scoped to the user or computer. Some policy settings require a logoff or reboot before they actually take effect. The /logoff and /boot switches of GPUpdate cause a logoff or reboot, respectively. You can use these switches when you apply settings that require a logoff or reboot.

For example, the command that will cause a total refresh application, and reboot and logon to apply updated policy settings, if necessary, is:

gpupdate /force /logoff /boot

Most CSEs Do Not Reapply Settings if the GPO Has Not Changed

Remember that most CSEs apply settings in a GPO only if the GPO version has changed. This means that if a user can change a setting that was specified originally by Group Policy, the setting will not be brought back into compliance with the settings that the GPO specifies until the GPO changes. Fortunately, most policy settings cannot be changed by a non-privileged user. However, if a user is an administrator of his or her computer, or if the policy setting affects a part of the registry or of the system that the user has permissions to change, this could create a conflict.

You have the option of instructing each CSE to reapply the settings of GPOs, even if the GPOs have not been changed. Processing behavior of each CSE can be configured in the policy settings found in Computer Configuration\Administrative Templates\System\Group Policy.

Considerations For Managing Group Policy In A Multi-Domain Environment

Managing Group Policy in a multi-domain environment brings more complexity for administrators and requires more planning in order to ensure seamless operations. Some of the common challenges faced by Group Policy administrators in a multi-domain environment are:

• Ensuring that a GPO in one domain matches the same GPO in another domain.

• Deploying new GPOs to multiple domains.

• Migrating GPOs in case of a consolidation or a merger/acquisition.

Same Policy, Multiple Domains

There are a couple of familiar cases where administrators want the same GPO in different domains. One such scenario is when a Test AD DS environment must match a Production AD DS environment for user acceptance testing or for compliance. Another such scenario is when a company has multiple domains and needs to deploy common settings to all enterprise computers. In both of these cases, the following considerations are important.

• A domain trust simplifies the ongoing administration of maintaining the same GPOs in a multi-domain environment by allowing for easy copy operations from the GPMC or Windows PowerShell. In addition, restore operations are also seamless across domains.


• As mentioned previously in this module, a migration table can be used to update UNC paths and security principals. For example, if a GPO references a specific file server, the UNC path can be updated on the fly to reference a different file server in the other domain. If a security principal is referenced in one domain, it can be updated to the other domain.

Migrating GPOs

Migrating GPOs is the process of taking GPOs in one domain and moving them to another domain. This is a common task in a merger or acquisition scenario, or when a company is migrating internally to a new AD DS environment. The same methods used for deploying new GPOs across multiple domains can be used: implement a domain trust, and then use migration tables. The GPMC or Windows PowerShell can handle the operational aspects of the migration, such as copy, backup and restore, or import settings. To import a GPO named GPO2 from the current domain, adatum.com, to the target domain, contoso.com, you could use the following PowerShell command (the Domain parameter of Import-GPO names the domain that contains the target GPO):

Import-GPO -BackupGpoName GPO2 -TargetName GPO2 -Path C:\temp\GPO\backups -Domain contoso.com
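The backup-then-import flow with a migration table, as an added example that is not code from the course handbook. It assumes the GroupPolicy module, a trust that lets the account running it read GPOs in adatum.com and create them in contoso.com, and a migration table file built beforehand with the GPMC Migration Table Editor; the file and folder paths and the backup comment are constructed placeholders.

```powershell
# Added example (not from the course handbook): migrate one or more GPOs from a
# source domain to a target domain, rewriting UNC paths and security principals
# through a migration table.
Import-Module GroupPolicy

$backupPath     = 'C:\temp\GPO\backups'                          # placeholder
$migrationTable = 'C:\temp\GPO\adatum-to-contoso.migtable'       # placeholder, built with the GPMC editor
$sourceDomain   = 'adatum.com'
$targetDomain   = 'contoso.com'

function Copy-GpoToDomain {
    param([Parameter(Mandatory)] [string[]] $GpoName)

    foreach ($name in $GpoName) {
        # Backup-GPO writes the GPO to disk; -Domain is the domain the GPO is read from.
        $backup = Backup-GPO -Name $name -Path $backupPath -Domain $sourceDomain `
                             -Comment "migration $(Get-Date -Format s)"

        # Import-GPO's -Domain is the domain of the target GPO. -BackupId pins the
        # exact backup (several backups of the same name may exist in the folder),
        # -CreateIfNeeded creates the target GPO when it does not exist yet, and the
        # migration table maps source-domain principals and paths to target ones.
        Import-GPO -BackupId $backup.Id -Path $backupPath -TargetName $name `
                   -Domain $targetDomain -MigrationTable $migrationTable -CreateIfNeeded | Out-Null

        [pscustomobject]@{ Gpo = $name; BackupId = $backup.Id; Source = $sourceDomain; Target = $targetDomain }
    }
}

Copy-GpoToDomain -GpoName 'GPO2'
```

Without the migration table, security filtering entries and file-server references in the imported GPO would still point at adatum.com objects, so the GPO would either silently apply to nobody in contoso.com or push users toward a share in the wrong domain.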


Lesson 4 Troubleshooting the Application of GPOs

With the interaction of multiple settings in multiple GPOs scoped by using a variety of methods, Group Policy application can be complex to analyze and understand. Therefore, you must be equipped to evaluate and troubleshoot your Group Policy implementation effectively, identify potential problems before they arise, and solve unforeseen challenges. Windows Server provides tools that are indispensable for supporting Group Policy. In this lesson, you will explore the use of these tools in both proactive and reactive troubleshooting and support scenarios.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how to refresh GPOs on a client computer.

• Analyze the set of GPOs and policy settings that have been applied to a user or computer.

• Generate Resultant Set of Policy (RSoP) reports to help in the analysis of GPO settings.

• Proactively model the impact of Group Policy or Active Directory changes on the RSoP.

• Locate the event logs containing Group Policy–related events.

Refreshing GPOs

Computer configuration settings are applied at startup, and then are refreshed at regular intervals. Any startup scripts are run at computer startup. The default refresh interval is every 90 minutes, but this is configurable. The exception to the set interval is domain controllers, which have their settings refreshed every five minutes.

User settings are applied at logon and are refreshed at regular, configurable intervals. The default refresh interval for user settings is also 90 minutes. Any logon scripts are run at logon.

Note: A number of user settings require two logons before the user sees the effect of the GPO. This is because users logging on to the same computer use cached credentials to speed up logons. This means that, although the policy settings are being delivered to the computer, the user is already logged on and the settings will therefore not take effect until the next logon. The folder redirection setting is an example of this.

You can change the refresh interval by configuring a Group Policy setting. For computer settings, the refresh interval setting is found in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node. For user settings, the refresh interval is found at the corresponding settings under User Configuration. An exception to the refresh interval is security settings. The security settings section of the Group Policy will be refreshed at least every 16 hours, regardless of the interval that you set for the refresh interval.

You can also refresh Group Policy manually. The command line utility Gpupdate refreshes and delivers any new Group Policy configurations. The Gpupdate /force command refreshes all the Group Policy settings. There is also a new Windows PowerShell Invoke-GPUpdate cmdlet, which performs the same function.

A new feature available in Windows Server 2012 and in Windows 8 is Remote Policy Refresh. This feature allows administrators to use the GPMC to target an OU and force a Group Policy refresh on all of its computers and their currently logged-on users. To do this, you right-click any OU, and then click Group Policy Update. The update occurs within 10 minutes.

Note: Sometimes, the failure of a GPO to apply is as a result of problems with the underlying technology that is responsible for replicating both AD DS and SYSVOL. In Windows Server 2012, you can view the replication status by using Group Policy Management, selecting the Domain node, clicking the Status tab, and then clicking Detect Now.
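The Remote Policy Refresh that the GPMC performs per OU can be driven from PowerShell with Invoke-GPUpdate, which is handy when you need a report of which computers could not be reached. The following is an added example, not code from the course handbook; it assumes the GroupPolicy and ActiveDirectory modules and that the computers allow the remote scheduled-task creation Invoke-GPUpdate relies on (the same inbound firewall rules the GPMC feature needs). The OU distinguished name is a constructed placeholder.

```powershell
# Added example (not from the course handbook): trigger a Group Policy refresh
# on every enabled computer in an OU and report which ones could not be scheduled.
Import-Module GroupPolicy, ActiveDirectory

function Invoke-OuPolicyRefresh {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=IT,DC=adatum,DC=com' (placeholder)
        [switch] $Force                                # like gpupdate /force: reapply even unchanged GPOs
    )

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase
    foreach ($c in $computers) {
        $p = @{ Computer = $c.DNSHostName; RandomDelayInMinutes = 0; ErrorAction = 'Stop' }
        if ($Force) { $p.Force = $true }
        try {
            # Schedules gpupdate on the remote computer for computer settings and for
            # the currently logged-on users (no -Target given, so both are refreshed).
            Invoke-GPUpdate @p
            [pscustomobject]@{ Computer = $c.DNSHostName; Scheduled = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Computer = $c.DNSHostName; Scheduled = $false; Error = $_.Exception.Message }
        }
    }
}

Invoke-OuPolicyRefresh -SearchBase 'OU=IT,DC=adatum,DC=com' -Force | Format-Table -AutoSize
```

RandomDelayInMinutes is set to 0 here so that a small OU refreshes immediately; for a large OU, leave the default delay in place so that hundreds of clients do not hit the same domain controller at once.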

What is RSoP?

Group Policy inheritance, filters, and exceptions are complex, and it is often difficult to determine which policy settings will apply.

RSoP is the net effect of GPOs applied to a user or computer, taking into account GPO links, exceptions, such as Enforced and Block Inheritance, and application of security and WMI filters. RSoP is also a collection of tools that help you evaluate, model, and troubleshoot the application of Group Policy settings. RSoP can query a local or remote computer, and then report back the exact settings that were applied to the computer and to any user who has logged on to the computer. RSoP also can model the policy settings that are anticipated to be applied to a user or computer under a variety of scenarios, including moving the object between OUs or sites, or changing the object’s group membership. With these capabilities, RSoP can help you manage and troubleshoot conflicting policies.

Windows Server 2012 provides the following tools for performing RSoP analysis:

• The Group Policy Results Wizard.

• The Group Policy Modeling Wizard.

• GPResult.exe.


Generate RSoP Reports

To help you analyze the cumulative effect of GPOs and policy settings on a user or computer in your organization, the GPMC includes the Group Policy Results Wizard. If you want to understand exactly which policy settings have applied to a user or a computer and why, the Group Policy Results Wizard is the tool to use.

Generate RSoP Reports with the Group Policy Results Wizard

The Group Policy Results Wizard can reach into the WMI provider on a local or remote computer that is running Windows Vista or a newer version of the Windows operating system. The WMI provider can report everything there is to know about the way Group Policy was applied to the system. The WMI provider knows when processing occurred, which GPOs were applied, which GPOs were not applied and why, errors that were encountered, and the exact policy settings that took precedence and their source GPO.

The requirements for running the Group Policy Results Wizard are:

• The target computer must be online.

• You must have administrative credentials on the target computer.

• The target computer must be running the Windows XP operating system or a newer version.

• You must be able to access WMI on the target computer. This means the computer must be online, connected to the network, and accessible through ports 135 and 445.

Note: Performing RSoP analysis by using the Group Policy Results Wizard is just one example of remote administration. To perform remote administration, you may need to configure inbound rules for the firewall that your clients and servers use.

• The WMI service must be started on the target computer.

• If you want to analyze RSoP for a user, that user must have logged on at least once to the computer, although it is not necessary for the user to be currently logged on.

After you have ensured that the requirements are met, you are ready to run an RSoP analysis.

To run an RSoP report, right-click Group Policy Results in the GPMC console tree, and then click Group Policy Results Wizard. The wizard prompts you to select a computer. It then connects to the WMI provider on that computer, and provides a list of users that have logged on to it. You then can select one of the users, or you can skip RSoP analysis for user configuration policies.

The wizard produces a detailed RSoP report in a dynamic HTML format. If Internet Explorer Enhanced Security Configuration is set, you will be prompted to allow the console to display the dynamic content. You can expand or collapse each section of the report by clicking the Show or Hide link, or by double-clicking the heading of the section.

The report is displayed on three tabs:

• Summary. The Summary tab displays the status of Group Policy processing at the last refresh. You can identify information that was collected about the system, the GPOs that were applied and denied, security group membership that might have affected GPOs filtered with security groups, WMI filters that were analyzed, and the status of CSEs.

• Settings. The Settings tab displays the RSoP settings applied to the computer or user. This tab shows you exactly what has happened to the user through the effects of your Group Policy implementation. You can learn a tremendous amount of information from the Settings tab, although some data is not reported, including IPsec, wireless, and disk-quota policy settings.

• Policy Events. The Policy Events tab displays Group Policy events from the event logs of the target computer.

After you generate an RSoP report with the Group Policy Results Wizard, you can right-click the report to rerun the query, print the report, or save the report as either an XML file or an HTML file that maintains the dynamic expanding and collapsing sections. You can open both file types with Internet Explorer, so the RSoP report is portable outside the GPMC.

If you right-click the node of the report itself, under the Group Policy Results folder in the console tree, you can switch to Advanced View. In the Advanced View, RSoP is displayed by using the RSoP snap-in, which exposes all applied settings, including IPsec, wireless, and disk quota policies.

Generate RSoP Reports with GPResult.exe

The GPResult.exe command is the command-line version of the Group Policy Results Wizard. GPResult taps into the same WMI provider as the wizard, produces the same information and, in fact, enables you to create the same graphical reports. GPResult runs on Windows XP and later.

Note: When you run the GPResult command, you are likely to use the following options:

/s computername

This option specifies the name or IP address of a remote system. If you use a dot (.) as the computer name, or do not include the /s option, the RSoP analysis is performed on the local computer.

/scope [user | computer]

This displays RSoP analysis for user or computer settings. If you omit the /scope option, RSoP analysis includes both user and computer settings.

/user username

This specifies the name of the user for which you want to display RSoP data.

/r

This option displays a summary of RSoP data.

/v

This option displays verbose RSoP data, which presents the most meaningful information.

/z

This displays super verbose data, including the details of all policy settings applied to the system. Often, this is more information than you will require for typical Group Policy troubleshooting.

/u domain\user /p password

This provides credentials that are in the Administrators group of a remote system. Without these credentials, GPResult runs by using the credentials with which you are logged on.

[/x | /h] filename

This option saves the reports in the XML or HTML format. These options are available in Windows Vista Service Pack 1 (SP1) and newer, and Windows Server 2008 and newer.

Troubleshoot Group Policy with the Group Policy Results Wizard or GPResult.exe

As an administrator, you will likely encounter scenarios that require Group Policy troubleshooting. You might need to diagnose and solve problems that could include the following:

• GPOs are not being applied at all.

• The resultant set of policies for a computer or user is not what was expected.

The Group Policy Results Wizard and GPResult.exe often will provide the most valuable insight into Group Policy processing and application problems. Remember that these tools examine the WMI RSoP provider to report exactly what happened on a system. Examining the RSoP report will often point you to GPOs that are scoped incorrectly or policy processing errors that prevented the application of GPO settings.

Demonstration: How to Perform What-if Analysis with the Group Policy Modeling Wizard

If you move a computer or user between sites, domains, or OUs, or if you change its security group membership, the GPOs scoped to that user or computer will change. Therefore, the RSoP for the computer or user will be different. The RSoP will also change if slow link or loopback processing occurs, or if there is a change to a system characteristic that a WMI filter targets.

Before you make any of these changes, you should evaluate the potential impact that the change will have on the RSoP of the affected user or computer. The Group Policy Results Wizard can perform RSoP analysis only on what has actually happened. To predict the future, and to perform what-if analyses, you can use the Group Policy Modeling Wizard. To perform Group Policy Modeling, right-click the Group Policy Modeling node in the GPMC console tree, click Group Policy Modeling Wizard, and then perform the steps in the wizard.

Modeling is performed by conducting a simulation on a domain controller, so you are first asked to select a domain controller. You do not need to be logged on locally to the domain controller, but the modeling request will be performed on the domain controller. You are then asked to specify the settings for the simulation by:

• Selecting a user or computer object to evaluate, or specifying the OU, site, or domain to evaluate.

• Choosing whether slow link processing should be simulated.

• Specifying to simulate loopback processing and, if so, choosing Replace or Merge mode.

• Selecting a site to simulate.

• Selecting security groups for the user and for the computer.

• Choosing which WMI filters to apply in the simulation of user and computer policy processing.

When you have specified the simulation’s settings, a report is produced that is very similar to the Group Policy Results report discussed earlier. The Summary tab shows an overview of which GPOs will be processed, and the Settings tab details the policy settings that will be applied to the user or computer. This report, too, can be saved by right-clicking it, and then choosing Save Report.

Demonstration

This demonstration shows how to:

• Run GPResult.exe from the command prompt.

• Run GPResult.exe from the command prompt, and then output the results to an HTML file.

• Open the GPMC.

• Run the Group Policy Reporting Wizard, and then view the results.

• Run the Group Policy Modeling Wizard, and then view the results.

Demonstration Steps

Use GPResult.exe to create a report

1. On LON-DC1, open a PowerShell prompt.

2. Run the following commands:

Gpresult /r

Gpresult /h results.html

3. Open the results.html report in Internet Explorer, and then review the report.

Use the Group Policy Reporting Wizard to create a report

1. Close the PowerShell window, and then open the Group Policy Management Console.

2. From the Group Policy Results node, launch the Group Policy Results Wizard.

3. Complete the wizard by using the defaults.

4. Review the report, and then save the report to the Desktop.

Use the Group Policy Modeling Wizard to create a report

1. From the Group Policy Modeling node, launch the Group Policy Modeling Wizard.

2. Specify the user for the report as Ed Meadows and the computer container as the IT organizational unit.

3. Complete the wizard using the defaults, and then review the report.

4. Close the GPMC.


Examine Policy Event Logs

Windows Vista introduced ways to improve your ability to troubleshoot Group Policy not only with RSoP tools, but also with improved logging of Group Policy events, including the:

• System log, which reports high-level information about Group Policy, including errors created by the Group Policy client when it cannot connect to a domain controller or locate GPOs.

• Application log, which captures events recorded by CSEs.

• Group Policy Operational log, which provides detailed information about Group Policy processing.

To find Group Policy logs, open the Event Viewer snap-in or console. The System and Application logs are in the Windows Logs node. The Group Policy Operational log is found in Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational.

Additional Logging for Windows Server 2012 R2 and Windows 8.1

Additional information is available in the Group Policy Operational log beginning with Windows Server 2012 R2 and Windows 8.1. The following new event IDs are some examples of the additional logging.

• Event ID 4257. This event logs the start of the policy download on a computer.

• Event ID 4126. This event marks the time when a computer receives applicable policies.

• Event ID 5257. This event marks the completion of the policy download.

In addition, WMI processing information has been enhanced and new information is available in the logs which can be helpful for troubleshooting WMI related Group Policy issues.


Lab: Implementing a Group Policy Infrastructure

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and a data center are located in London to support the London office and other locations. A. Datum recently has deployed a Windows Server 2012 server and client infrastructure.

You have been asked to use Group Policy to implement standardized security settings to lock computer screens when users leave computers unattended for 10 minutes or more. You also have to configure a policy setting that will prevent access to certain programs on local workstations.

After some time, you have been made aware that a critical application fails when the screen saver starts, and an engineer has asked you to prevent the setting from applying to the team of Research engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout.

After creating the policies, you need to evaluate the resultant set of policies for users in your environment to ensure that the Group Policy infrastructure is optimized and that all policies are applied as they were intended.

Objectives

After completing this lab, you will be able to:

• Create and configure a GPO.

• Manage Group Policy scope.

• Troubleshoot Group Policy application.

• Manage GPOs.

Lab Setup

Estimated Time: 90 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-CL1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, click Administrative Tools, and then double-click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

a. User name: Administrator

b. Password: Pa$$w0rd

c. Domain: Adatum

5. Repeat steps 2 and 3 for 20411C-LON-CL1. Do not sign in to LON-CL1 until directed to do so.


Exercise 1: Creating and Configuring Group Policy Objects

Scenario

You have been asked to use Group Policy to implement standardized security settings to lock computer screens when users leave computers unattended for 10 minutes or more. You also have to configure a policy setting that will prevent users from running the Notepad application on local workstations.

The main tasks for this exercise are as follows:

1. Create and Edit a GPO.

2. Link the GPO.

3. View the Effects of the GPO’s Settings.

Task 1: Create and Edit a GPO

1. On LON-DC1, from Server Manager, open the GPMC.

2. Create a GPO named ADATUM Standards in the Group Policy Objects container.

3. Edit the ADATUM Standards policy, and navigate to User Configuration, Policies, Administrative Templates, System.

4. Prevent users from running notepad.exe by configuring the Don’t run specified Windows applications policy setting.

5. Navigate to the User Configuration, Policies, Administrative Templates, Control Panel, Personalization folder, and then configure the Screen saver timeout policy to 600 seconds.

6. Enable the Password protect the screen saver policy setting, and then close the Group Policy Management Editor window.

Task 2: Link the GPO

• Link the ADATUM Standards GPO to the Adatum.com domain.

Task 3: View the Effects of the GPO’s Settings

1. Sign in to LON-CL1 as Adatum\Pat with the password Pa$$w0rd.

2. Attempt to change the screen saver wait time and resume settings. You are prevented from doing this by Group Policy.

3. Attempt to run Notepad. You are prevented from doing this by Group Policy.

Results: After this exercise, you should have successfully created, edited, and linked the required Group Policy Objects (GPOs).

Exercise 2: Managing GPO Scope

Scenario

After some time, you have been made aware that a critical application that the Research Engineering team uses is failing when the screen saver starts. You have been asked to prevent the GPO setting from applying to any member of the Engineering security group. You also have been asked to configure conference room computers to be exempt from corporate policy. However, they always must have a 45-minute screen saver timeout applied.


The main tasks for this exercise are as follows:

1. Create and link the required GPOs.

2. Verify the Order of Precedence.

3. Configure the Scope of a GPO with Security Filtering.

4. Configure Loopback Processing.

Task 1: Create and link the required GPOs

1. On LON-DC1, open Active Directory Users and Computers and in the Research OU, create a sub-OU called Engineers, and then close Active Directory Users and Computers.

2. In the Group Policy Management Console, create a new GPO linked to the Engineers OU called Engineering Application Override.

3. Configure the Screen saver timeout policy setting to be disabled, and then close the Group Policy Management Editor.

Task 2: Verify the Order of Precedence

• In the Group Policy Management console tree, select the Engineers OU, and then click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has precedence over the ADATUM Standards GPO. Because the GPO linked to the OU is processed after the GPO linked to the domain, the screen saver timeout setting you just configured in the Engineering Application Override GPO is applied last, overwrites the standards setting, and wins. Screen saver timeout will therefore be disabled for users within the scope of the Engineering Application Override GPO.

Task 3: Configure the Scope of a GPO with Security Filtering

1. On LON-DC1, open Active Directory Users and Computers. In the Research\Engineers OU, create a global security group named GPO_Engineering Application Override_Apply.

2. In the Group Policy Management console, select the Engineering Application Override GPO. Notice that, in the Security Filtering section, the GPO applies by default to all authenticated users. Configure the GPO to apply only to the GPO_Engineering Application Override_Apply group.

3. In the Users folder, create a global security group named GPO_ADATUM Standards_Exempt.

4. In the Group Policy Management console, select the ADATUM Standards GPO. Notice that in the Security Filtering section, the GPO applies by default to all authenticated users.

5. Configure the GPO delegation to deny Apply Group Policy permission to the GPO_ADATUM Standards_Exempt group.
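The following PowerShell script is an added example and is not part of the course materials or the lab files. It performs the security-filtering changes of this task with the GroupPolicy and ActiveDirectory modules (installed with the Group Policy Management and AD DS tools on LON-DC1), using the GPO and group names from this exercise, and adds the checks a practitioner wants after changing who can apply a GPO.

```powershell
# Added example (not course code): security filtering from PowerShell.
# Requires the GroupPolicy and ActiveDirectory modules; run on LON-DC1.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$overrideGpo = 'Engineering Application Override'
$applyGroup  = 'GPO_Engineering Application Override_Apply'
$standardGpo = 'ADATUM Standards'
$exemptGroup = 'GPO_ADATUM Standards_Exempt'

# Who can apply a GPO right now? A new GPO grants Apply Group Policy (GpoApply)
# to Authenticated Users, which is why it reaches everyone under its link.
function Show-GPOApply([string]$GpoName) {
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'GPO'; e = { $GpoName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Denied, Inherited
}
Show-GPOApply $overrideGpo | Format-Table -AutoSize

# Step 2: apply only to the scoping group. Grant the group GpoApply, then remove
# Authenticated Users (PermissionLevel None drops that trustee's entries).
Set-GPPermission -Name $overrideGpo -TargetName $applyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $overrideGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null

# Caveat that postdates this course: since MS16-072 (KB3163622, June 2016) the
# computer account reads user GPOs during logon. Once Authenticated Users is gone,
# computers need explicit Read or the user settings silently stop applying.
Set-GPPermission -Name $overrideGpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Step 5: the exemption group. Set-GPPermission has no "deny" level, so the Deny
# entry for the Apply-Group-Policy extended right (rightsGuid edacfd8f-...) is
# written on the GPO's container in AD, which is what the Group Policy client checks.
$gpo   = Get-GPO -Name $standardGpo
$group = Get-ADGroup -Identity $exemptGroup
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$adPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $adPath
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($denyApply)
Set-Acl -Path $adPath -AclObject $acl

# Verify: the exempt group appears with Denied = True on ADATUM Standards, and
# only the apply group (plus the read-only computer entry) on the override GPO.
Show-GPOApply $standardGpo | Format-Table -AutoSize
Show-GPOApply $overrideGpo | Format-Table -AutoSize
```

The GPMC keeps the ACL on the GPO’s AD container and the ACL on its SYSVOL folder in sync; after you edit the AD ACL directly as above, open the GPO’s Delegation tab in the GPMC, which offers to reconcile the two if they differ. Remember that a Deny entry always wins over an Allow entry, so a user who is a member of both the apply group and the exempt group does not receive the GPO.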

Task 4: Configure Loopback Processing

1. On LON-DC1, switch to Active Directory Users and Computers.

2. Create a new OU called Kiosks.

3. Under Kiosks, create a sub-OU called Conference Rooms.

4. Switch to the Group Policy Management console.

5. Create a new GPO named Conference Room Policies and link it to the Kiosks\Conference Rooms OU.

6. Confirm that the Conference Room Policies GPO is scoped to Authenticated Users.


7. Edit the Conference Room Policies GPO and modify the Screen Saver timeout policy to launch the screen saver after 45 minutes.

8. Modify the Configure user Group Policy loopback processing mode policy setting to use Merge mode.
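The following PowerShell script is an added example and is not part of the course materials or the lab files. It builds the GPOs, links and loopback setting from Exercise 1 and from Tasks 1, 2 and 4 of this exercise with the GroupPolicy and ActiveDirectory modules on LON-DC1. The registry keys are the documented policy locations behind the Administrative Template settings the lab names; the OU and GPO names are the lab’s.

```powershell
# Added example (not course code): the lab's GPOs built from the command line.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dom      = 'DC=Adatum,DC=com'
$desktop  = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# --- Exercise 1: ADATUM Standards, linked at the domain ------------------------
$std = New-GPO -Name 'ADATUM Standards' -Comment 'Corporate lock screen and application restriction'
# "Screen saver timeout" (seconds, stored as REG_SZ) and "Password protect the screen saver"
Set-GPRegistryValue -Name $std.DisplayName -Key $desktop -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key $desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
# "Don't run specified Windows applications": a flag plus a numbered list under a subkey
Set-GPRegistryValue -Name $std.DisplayName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $std.DisplayName -Key "$explorer\DisallowRun" -ValueName '1' -Type String -Value 'notepad.exe' | Out-Null
New-GPLink -Name $std.DisplayName -Target $dom | Out-Null

# --- Exercise 2, Task 1: override for Research\Engineers ------------------------
New-ADOrganizationalUnit -Name 'Engineers' -Path "OU=Research,$dom"
$ovr = New-GPO -Name 'Engineering Application Override'
# "Disabled" for this setting is a delete entry in registry.pol. Because the OU link
# is processed after the domain link, the delete removes the 600-second value (Task 2).
Set-GPRegistryValue -Name $ovr.DisplayName -Key $desktop -ValueName 'ScreenSaveTimeOut' -Disable | Out-Null
New-GPLink -Name $ovr.DisplayName -Target "OU=Engineers,OU=Research,$dom" | Out-Null

# --- Exercise 2, Task 4: conference room kiosks with loopback in Merge mode -----
New-ADOrganizationalUnit -Name 'Kiosks' -Path $dom
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path "OU=Kiosks,$dom"
$conf = New-GPO -Name 'Conference Room Policies'
Set-GPRegistryValue -Name $conf.DisplayName -Key $desktop -ValueName 'ScreenSaveTimeOut' -Type String -Value '2700' | Out-Null
# "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $conf.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $conf.DisplayName -Target "OU=Conference Rooms,OU=Kiosks,$dom" | Out-Null

# --- Exercise 2, Task 2: the inheritance chain for the Engineers OU -------------
(Get-GPInheritance -Target "OU=Engineers,OU=Research,$dom").InheritedGpoLinks |
    Format-Table DisplayName, Target, Enabled, Enforced -AutoSize
```

Two practitioner notes. Get-GPInheritance shows the same chain as the Group Policy Inheritance tab, so it is the quickest way to confirm which link wins before testing on a client. The "Don’t run specified Windows applications" setting is a shell restriction on the file name as launched from Explorer: renaming notepad.exe, copying it, or starting it from a command prompt bypasses it. Use it to keep users out of tools they should not stumble into, not as a security control; application control (AppLocker or Software Restriction Policies) is the enforcement mechanism.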

Results: After this exercise, you should have successfully configured the required scope of the GPOs.

Exercise 3: Verifying GPO Application

Scenario

After creating the required policies, you need to evaluate the resultant set of policies for the users in your environment to ensure that the Group Policy infrastructure is healthy, and that all policies are applied as they were intended.

The main tasks for this exercise are as follows:

1. Perform Resultant Set of Policy Analysis.

2. Analyze RSoP with GPResults.

3. Evaluate GPO Results by Using the Group Policy Modeling Wizard.

4. Review Policy Events and Determine GPO Infrastructure Status.

Task 1: Perform Resultant Set of Policy Analysis

1. On LON-CL1, verify that you are still logged on as Adatum\Pat. If necessary, provide the password of Pa$$w0rd.

2. Run the command prompt as an administrator, with the user name Adatum\Administrator and the password Pa$$w0rd.

3. Run the gpupdate /force command. After the command has completed, make a note of the current system time, which you will need to know for a task later in this lab:

Time:

4. Restart LON-CL1, and then wait for it to restart before proceeding with the next task.

5. On LON-DC1, switch to the Group Policy Management console.

6. Use the Group Policy Results Wizard to run an RSoP report for Pat on LON-CL1.

7. Review Group Policy Summary results. For both user and computer configuration, identify the time of the last policy refresh and the list of allowed and denied GPOs. Identify the components that were used to process policy settings.

8. Click the Details tab. Review the settings that were applied during user and computer policy application, and then identify the GPO from which the settings were obtained.

9. Click the Policy Events tab, and then locate the event that logs the policy refresh you triggered with the GPUpdate command in Task 1.

10. Click the Summary tab, right-click the page, and then choose Save Report. Save the report as an HTML file to your desktop. Then open the RSoP report from the desktop.


Task 2: Analyze RSoP with GPResult

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open a command prompt and run the gpresult /r command. RSoP summary results are displayed. The information is very similar to the Summary tab of the RSoP report produced by the Group Policy Results Wizard.

3. Type gpresult /v, and then press Enter. A more detailed RSoP report is produced. Notice that many of the Group Policy settings applied by the client are listed in this report.

4. Type gpresult /z, and then press Enter. The most detailed RSoP report is produced.

5. Type gpresult /h:"%userprofile%\Desktop\RSOP.html", and then press Enter. An RSoP report is saved as an HTML file to your desktop.

6. Open the saved RSoP report from your desktop. Compare the report, its information, and its formatting with the RSoP report you saved in the previous task.
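The following PowerShell script is an added example and is not part of the course materials or the lab files. It collects the same Group Policy Results data as the earlier GPResult demonstration and as Tasks 1 and 2 of this exercise, but from LON-DC1 for a remote computer and user, and then reads the XML form of the report so that allowed and denied GPOs can be listed without opening the HTML. The element names used when parsing (GPO, Name, Enabled, FilterAllowed, AccessDenied, Link/SOMPath, ReadTime) are the ones found in gpresult /x output; treat them as an assumption and adjust if your schema version differs.

```powershell
# Added example (not course code): RSoP from the command line, local and remote.
Import-Module GroupPolicy

# gpresult.exe: /r summary, /v and /z verbose, /s and /user target another
# computer and user, /h writes the HTML report, /f overwrites an existing file.
gpresult /r
gpresult /s LON-CL1 /user Adatum\Pat /h "$env:USERPROFILE\Desktop\RSOP-Pat.html" /f

# The same data through the cmdlet (needs WMI/RPC access to LON-CL1, and the
# user must have logged on to that computer at least once).
$xmlPath = "$env:USERPROFILE\Desktop\RSOP-Pat.xml"
Get-GPResultantSetOfPolicy -Computer LON-CL1 -User 'Adatum\Pat' -ReportType Xml -Path $xmlPath | Out-Null

# Turn the report into the "allowed / denied" view of the Summary tab.
[xml]$rsop = Get-Content -Path $xmlPath -Raw
foreach ($scope in 'ComputerResults', 'UserResults') {
    $node = $rsop.Rsop.$scope
    if (-not $node) { continue }
    "`n== $scope (last policy refresh: $($node.ReadTime)) =="
    foreach ($gpo in $node.GPO) {
        $status = if ($gpo.AccessDenied -eq 'true')  { 'denied: security filtering' }
                  elseif ($gpo.FilterAllowed -eq 'false') { 'denied: WMI filter' }
                  elseif ($gpo.Enabled -eq 'false')   { 'denied: link disabled' }
                  else                                 { 'applied' }
        '{0,-40} {1,-35} {2}' -f $gpo.Name, $gpo.Link.SOMPath, $status
    }
}
```

Group Policy Results reports what actually happened at the last refresh, so run gpupdate /force on the client (as the lab does in Task 1) before collecting; a GPO shown as denied by security filtering is the effect of the permissions you set in Exercise 2, not a processing failure.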

Task 3: Evaluate GPO Results by Using the Group Policy Modeling Wizard

1. Switch to LON-DC1.

2. Start the Group Policy Modeling Wizard.

3. Select Adatum\Mike as the user, and LON-CL1 as the computer for modeling.

4. When prompted, select the Loopback Processing check box, and then click Merge. Even though the Conference Room Policies GPO specifies loopback processing, you must instruct the Group Policy Modeling Wizard to consider loopback processing in its simulation.

5. When prompted, on the Alternate Active Directory Paths page, choose the Kiosks\Conference Rooms location. You are simulating the effect of LON-CL1 as a conference room computer.

6. Accept all other options as defaults.

7. On the Summary tab, scroll to and expand, if necessary, User Details, Group Policy Objects, and Applied GPOs.

8. Check whether the Conference Room Policies GPO applies to Mike as a User policy when he logs on to LON-CL1 if LON-CL1 is in the Conference Rooms OU.

9. Scroll to, and expand if necessary, User Details, Policies, Administrative Templates and Control Panel/Personalization.

10. Confirm that the screen saver timeout is 2,700 seconds (45 minutes), the setting configured by the Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM Standards GPO.

Task 4: Review Policy Events and Determine GPO Infrastructure Status

1. On LON-CL1, you are logged on as Adatum\Administrator.

2. Open the Control Panel and then browse to the Event Viewer.

3. Locate and review Group Policy events in the System log.

4. Locate and review Group Policy events in the Application log. Review the events and identify the Group Policy events that have been entered in this log. Which events are related to Group Policy application and which are related to the activities you have been performing to manage Group Policy? Note that depending on how long the virtual machine has been running, you may not have any Group Policy Events in the application log.


5. Browse to the Group Policy Operational log and locate the first event related to the Group Policy refresh you initiated in Task 1 of this exercise with the GPUpdate command. Review that event and the events that followed it.
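The following PowerShell script is an added example and is not part of the course materials or the lab files. It does with Get-WinEvent what the Examine Policy Event Logs topic and this task do in Event Viewer: it reads the Group Policy Operational log, pairs the policy download start and completion events (IDs 4257 and 5257, available from Windows 8.1 and Windows Server 2012 R2) by ActivityId, and lists Group Policy client warnings and errors from the System log. Run it on LON-CL1 after gpupdate /force; the two-hour window is an arbitrary choice.

```powershell
# Added example (not course code): Group Policy event triage with Get-WinEvent.
$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$since = (Get-Date).AddHours(-2)

# Every event of one policy-processing instance carries the same ActivityId,
# so grouping on it separates the refresh you triggered from background refreshes.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Id = 4257, 5257 } -ErrorAction SilentlyContinue

$events | Group-Object ActivityId | ForEach-Object {
    $start = $_.Group | Where-Object Id -eq 4257 | Select-Object -Last 1
    $end   = $_.Group | Where-Object Id -eq 5257 | Select-Object -First 1
    [pscustomobject]@{
        ActivityId = $_.Name
        Started    = $start.TimeCreated
        Completed  = $end.TimeCreated
        Seconds    = if ($start -and $end) { [math]::Round(($end.TimeCreated - $start.TimeCreated).TotalSeconds, 1) } else { 'incomplete' }
    }
} | Sort-Object Started | Format-Table -AutoSize

# Errors (Level 2) and warnings (Level 3) written by the Group Policy client to
# the System log: cannot reach a domain controller, cannot read a GPO, and so on.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Full trace of one instance (paste an ActivityId from the first table).
function Get-GPActivityTrace([guid]$ActivityId) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ActivityId -eq $ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
```

On Windows 8 or Windows Server 2012 clients the 4257 and 5257 events do not exist, so the first table stays empty; the ActivityId trace still works there, because the correlation field predates the new events. Add -ComputerName LON-CL1 to each Get-WinEvent call to run the same triage from LON-DC1.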

Results: After this exercise, you should have successfully used Resultant Set of Policy (RSoP) tools to verify the correct application of your GPOs.

Exercise 4: Managing GPOs

Scenario

You must back up all critical GPOs. You use the Group Policy Management Console backup feature to back up the ADATUM Standards GPO.

The main tasks for this exercise are as follows:

1. Perform a Backup of GPOs.

2. Perform a Restore of GPOs.

3. Troubleshoot GPOs.

4. Prepare for the Next Module.

Task 1: Perform a Backup of GPOs

1. Switch to LON-DC1, and in the Group Policy Management console, in the navigation pane, click the Group Policy Objects folder.

2. Back up the ADATUM Standards GPO to C:\.

Task 2: Perform a Restore of GPOs

• In the Group Policy Management console, restore the previous backup of ADATUM Standards.

Task 3: Troubleshoot GPOs

1. Run the GPOTroubleshooting.ps1 PowerShell script in the Allfiles directory.

2. Verify that the ADATUM Standards GPO is not applying to Pat.

3. Troubleshoot and resolve the problem.

Task 4: Prepare for the Next Module

• When you have finished the lab, revert all virtual machines back to their initial state.

Results: After this exercise, you should have successfully performed common management tasks on your GPOs.

Question: Which policy settings are already being deployed by using Group Policy in your organization?

Question: Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs typically are linked very high in the Active Directory logical structure—to the domain itself or to a first-level OU. What advantages do you gain by using security group filtering rather than GPO links to manage a GPO’s scope?


Question: Why might it be useful to create an exemption group—a group that is denied the Apply Group Policy permission—for every GPO that you create?

Question: Do you use loopback policy processing in your organization? In which scenarios and for which policy settings can loopback policy processing add value?

Question: In which situations have you used RSoP reports to troubleshoot Group Policy application in your organization?

Question: In which situations have you used, or could you anticipate using, Group Policy modeling?


Module Review and Takeaways

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip

Group Policy settings are not applied to all users or computers in the OU where the GPO is linked |

Group Policy settings sometimes need two restarts to apply |

Review Question(s)

Question: You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be the possible causes?

Question: What GPO settings are applied across slow links by default?

Question: You need to ensure that a domain-level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?

Tools

Tool: Group Policy reporting (RSoP)
Use for: Reporting information about the current policies being delivered to clients.
Where to find it: Group Policy Management Console.

Tool: GPResult
Use for: A command-line utility that displays RSoP information.
Where to find it: Command-line utility built into Windows.

Tool: GPUpdate
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Command-line utility built into Windows.

Tool: Dcgpofix
Use for: Restoring the default Group Policy Objects (Default Domain Policy and Default Domain Controllers Policy) to their original state after initial installation.
Where to find it: Command-line utility that has shipped with Windows Server since Windows Server 2003.

Tool: GPOLogView
Use for: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista®, Windows 7, and newer versions.
Where to find it: Command-line utility available as a free download from the Microsoft Download Center.

Tool: Group Policy Management scripts
Use for: Sample scripts that perform a number of different troubleshooting and maintenance tasks.
Where to find it: Available as a free download from the Microsoft Download Center.


Module 5 Managing User Desktops with Group Policy

Contents:

Module Overview 5-1

Lesson 1: Implementing Administrative Templates 5-2

Lesson 2: Configuring Folder Redirection and Scripts 5-8

Lesson 3: Configuring Group Policy Preferences 5-13

Lesson 4: Managing Software with Group Policy 5-19

Lab: Managing User Desktops with Group Policy 5-23

Module Review and Takeaways 5-29

Module Overview

Using Group Policy Objects (GPOs), you can implement desktop environments across your organization by using Administrative Templates, Folder Redirection, Group Policy preferences, and, where applicable, software deployment to install and update application programs. It is important to know how to use these various GPO features so that you can configure your users’ computer settings properly.

Objectives

After completing this module, you will be able to:

• Describe and implement Administrative Templates.

• Configure folder redirection and scripts by using GPOs.

• Configure GPO preferences.

• Manage software by using GPOs.


Lesson 1: Implementing Administrative Templates

The Administrative Template files provide the majority of available GPO settings. These settings modify specific registry keys, which is why Administrative Templates are sometimes called registry-based policies. For many applications, the registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Group Policy Administrative Templates.

• Describe ADM and ADMX, or Administrative Template, files.

• Describe the central store.

• Describe example scenarios for using Administrative Templates.

• Explain how to configure settings with Administrative Templates.

What Are Administrative Templates?

You can use Administrative Templates to control the environment of an operating system and the user experience. There are two sets of Administrative Templates: one for users and one for computers. You can use some Administrative Templates for both users and computers.

Using the Administrative Template sections of the GPO, you can deploy thousands of modifications to the registry. Administrative Templates have the following characteristics:

• They are organized into subfolders that deal with specific areas, such as network, system, and Windows® components.

• The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and the settings in the user section edit the HKEY_CURRENT_USER hive in the registry.

• Some Administrative Template settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.

• Some Administrative Template settings are available only to certain versions of Windows operating systems. For example, you can apply a number of new settings only to the Windows 8 operating system and newer versions of the Windows operating system. Double-clicking the settings displays the supported versions for that setting.

• Most Administrative Template settings write to the dedicated policy keys in the registry and are removed again when the GPO no longer applies to the user or computer. Some settings, typically those from classic ADM files that write outside the policy keys, stay in place after the GPO no longer applies. This is called tattooing. In such cases, you must reverse the setting explicitly, either manually or with another GPO, or leave it as is.


What Are ADM and ADMX Files?

ADM Files

ADM files are text files that define the user interface and policy settings that an administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of ADM files. ADM files use their own markup language. Therefore, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.

A major drawback of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space. This can cause the System Volume (SYSVOL) folder to become very large and increase replication traffic.

ADMX Files

The Windows Vista® operating system and the Windows Server® 2008 operating system introduced a new format for displaying registry-based policy settings. You use a standards-based XML file format known as ADMX files to define these settings. These new files replace ADM files.

Group Policy tools on Windows Server 2008 and Windows Vista and newer operating systems continue to recognize the custom ADM files that you have in your existing environment, but ignore any ADM file that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The Group Policy Editor automatically reads and displays settings from the local ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can be stored in a central location.

ADMX files are language neutral. The plain-language descriptions of the settings are not part of the ADMX files. They are stored in language-specific ADML files. This means that administrators who speak different languages, such as English or Spanish, can use a language-specific ADML file to look at the same GPO and see the policy descriptions in their own language. ADML files are stored in a subfolder of the PolicyDefinitions folder. By default, only the ADML language files for the language of the installed operating system are installed. You must install additional languages manually.

Migrate Classic Administrative Templates to .ADMX

ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical user interface for creating and editing Administrative Templates. You can download the ADMX Migrator from the Microsoft Download Center website at http://go.microsoft.com/fwlink/?linkID=270013


The Central Store

For domain-based enterprises, you can create a central store location of ADMX files, which anyone with permission to create or edit GPOs can access. The Group Policy Management Editor on Windows Vista or newer operating systems and Windows Server 2008 or newer operating systems automatically reads and displays Administrative Template policy settings from ADMX files that are stored in the central store, and then ignores the ones stored locally. If a domain controller is not available, the local store is used.

Initially, you must create the central store, and then update it manually on a domain controller. The use of ADMX files is dependent on the computer’s operating system where you are creating or editing a GPO.

To create a central store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies.

For example, to create a central store for the corp.contoso.com domain, create a PolicyDefinitions folder in the following location: \\corp.contoso.com\SYSVOL\corp.contoso.com\Policies.

To populate the store, copy all files and subfolders of the local PolicyDefinitions folder (%SystemRoot%\PolicyDefinitions on a computer that runs Windows 7 or a newer version of Windows) into it. The local PolicyDefinitions folder stores all .admx files and the .adml files for every language that is enabled on that computer.

Note: You must update the PolicyDefinitions folder in the central store after each service pack and whenever you add templates for additional software, such as the Microsoft® Office 2013 ADMX files.
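The following PowerShell script is an added example and is not part of the course materials. It creates the central store described above from the local PolicyDefinitions folder of the computer it runs on, refreshes it without deleting vendor templates that exist only in the store, and then checks for the most common defect, an .admx file with no matching .adml for a language folder. It assumes you run it as a domain administrator, that the USERDNSDOMAIN environment variable holds the domain FQDN, and that the local folder holds the template version you want the whole domain to use.

```powershell
# Added example (not course code): create and verify the ADMX central store.
$domain   = $env:USERDNSDOMAIN                       # e.g. ADATUM.COM
$source   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store    = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$language = (Get-Culture).Name                       # e.g. en-US

if (-not (Test-Path -Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# /XO skips files that are older than the copy already in the store; /MIR is
# deliberately avoided because it would delete templates (Office, browsers, ...)
# that were added to the store but are not present locally.
robocopy $source $store *.admx /XO /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying .admx files (exit code $LASTEXITCODE)" }
robocopy (Join-Path $source $language) (Join-Path $store $language) *.adml /XO /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying .adml files (exit code $LASTEXITCODE)" }

# Consistency check: every .admx needs a same-named .adml in each language folder,
# otherwise the Group Policy Management Editor reports a resource error for it.
$admx = Get-ChildItem -Path $store -Filter *.admx | ForEach-Object { $_.BaseName }
foreach ($langDir in Get-ChildItem -Path $store -Directory) {
    $adml    = Get-ChildItem -Path $langDir.FullName -Filter *.adml | ForEach-Object { $_.BaseName }
    $missing = @($admx | Where-Object { $_ -notin $adml })
    if ($missing.Count -gt 0) {
        Write-Warning ("{0}: {1} template(s) without .adml: {2}" -f $langDir.Name, $missing.Count, ($missing -join ', '))
    } else {
        "{0}: OK ({1} templates)" -f $langDir.Name, $admx.Count
    }
}
```

When the store is in use, the Administrative Templates node in the Group Policy Management Editor reports that policy definitions were retrieved from the central store. Keep write access to the store limited to the administrators who maintain it: everything under SYSVOL is readable by all authenticated users, and whoever can change the templates controls what every GPO editor in the domain sees when they edit a setting.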

Discussion: Practical Uses of Administrative Templates

Spend a few minutes examining the Administrative Templates, and consider how you could employ some of them in your organization.

Be prepared to share information about your organization’s current use of GPOs and logon scripts, such as:

• How do you provide desktop security currently?

• How much administrative access do users have to their systems?

• Which Group Policy settings will you find useful in your organization?


Demonstration: Configuring Settings with Administrative Templates

Group Policy editing tools in Windows Server 2012 and later operating systems provide several functionalities that make the configuration and management of GPOs easier. In this demonstration, you will review these options.

Filter Policy Settings for Administrative Templates

A disadvantage in the Group Policy editing tools in previous versions of the Windows operating system is the inability to search for a specific policy setting. With thousands of policies to choose from, it can be difficult to locate the exact setting that you want to configure. The Group Policy Management Editor in Windows Server 2008 R2 and later solves this problem for Administrative Template settings. You now can create filters to locate specific policy settings.

To create a filter:

1. Right-click Administrative Templates, and then click Filter Options.

2. To locate a specific policy, select the Enable keyword filters check box, enter the words to include in the filter, and then select the fields within which to search.

You can also filter for Group Policy settings that apply to specific versions of the Windows Operating System, Windows Internet Explorer®, and other Windows components.

Note that the filter only applies to settings in the Administrative Templates nodes.

Filter Based on Comments

You also can search and filter based on policy-setting comments. Windows enables you to add comments to policy settings in the Administrative Templates node. To do so, double-click a policy setting, and then click the Comment tab.

It is a good practice to add comments to configured policy settings. You should document the justification for a setting and its intended effect. You also should add comments to the GPO itself. Windows Server 2012 enables you to attach comments to a GPO. In the Group Policy Management Editor, in the console tree, right-click the root node, click Properties, and then click the Comment tab.

How to Copy GPO Settings

Starter GPOs can contain only Administrative Templates policy settings. But in addition to using Starter GPOs, there are two other ways to copy settings from one GPO into a new GPO:

• You can copy and paste entire GPOs in the Group Policy Objects container of the Group Policy Management Console (GPMC), so that you have a new GPO with all settings of the source GPO.

• To transfer settings between GPOs in different domains or forests, right-click a GPO, and then click Back Up. In the target domain, create a new GPO, right-click the GPO, and then click Import Settings. You will be able to import the settings of the backed up GPO.

Filtering Administrative Template Policy Settings

This demonstration shows how to:

• Filter Administrative Template policy settings.

• Add comments to Administrative Template policy settings.

• Add comments to a GPO.

• Create a new GPO by copying an existing GPO.

• Create a new GPO by importing settings that were exported from another GPO.


Demonstration Steps

Filter Administrative Template policy settings

1. On LON-DC1, open the Group Policy Management Console.

2. Create a new Group Policy Object (GPO) named GPO1.

3. Open GPO1 for editing.

4. Locate the User Configuration, Policies, Administrative Templates node.

5. Filter the settings to display only those that contain the keywords screen saver.

6. Filter the settings to display only configured values.

Add comments to a policy setting

1. Locate the Personalization value from User Configuration\Policies\Administrative Templates\Control Panel.

2. Add a comment to both the Password Protect the screen saver and Enable screen saver values.

Add comments to a GPO

• Open the GPO1 policy root node, and then add a comment to the Comment tab.

Create a new GPO by copying an existing GPO

• Copy GPO1, and then paste it to the Group Policy Objects folder.

Create a new GPO by importing settings that were exported from another GPO

1. Back up GPO1.

2. Create a new GPO called ADATUM Import.

3. Import the settings from the GPO1 backup into the ADATUM Import GPO.
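The same demonstration can be scripted with the GroupPolicy module on LON-DC1. The following is an added example, not part of the course handbook: it creates GPO1 with a GPO comment, configures the two screen saver settings as the registry policies that the Administrative Template entries map to, copies the GPO, and then backs it up and imports the backup into a new GPO. The backup folder C:\GPOBackups and the comment text are assumptions.

```powershell
# Added example (not from the course handbook). Requires the GroupPolicy module
# (installed with GPMC) and permission to create GPOs in the domain.
Import-Module GroupPolicy

$backupPath = 'C:\GPOBackups'   # assumed location for the GPO backup
New-Item -Path $backupPath -ItemType Directory -Force | Out-Null

# 1. Create GPO1 and record the justification for the GPO as its comment
#    (the text that GPMC shows on the GPO's Comment tab).
New-GPO -Name 'GPO1' -Comment 'Screen saver lock for all users (justification: placeholder)' | Out-Null

# 2. Administrative Template settings are registry-based policies, so the
#    Personalization settings from the demonstration can be set directly.
#    Both values live under the Desktop policy key as REG_SZ "1".
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name 'GPO1' -Key $key -ValueName 'ScreenSaveActive' `
    -Type String -Value '1' | Out-Null     # "Enable screen saver"
Set-GPRegistryValue -Name 'GPO1' -Key $key -ValueName 'ScreenSaverIsSecure' `
    -Type String -Value '1' | Out-Null     # "Password protect the screen saver"

# 3. Copy GPO1 into a new GPO; this is the copy/paste in the Group Policy
#    Objects container and works within a single domain.
Copy-GPO -SourceName 'GPO1' -TargetName 'GPO1 Copy' | Out-Null

# 4. Back up GPO1 and import the backup into a new GPO. Backup/import is the
#    route that also works across domains and forests.
$backup = Backup-GPO -Name 'GPO1' -Path $backupPath -Comment 'Baseline before import demo'
Import-GPO -BackupId $backup.Id -Path $backupPath -TargetName 'ADATUM Import' `
    -CreateIfNeeded | Out-Null

# 5. Verify that the configured value survived the copy and the import.
foreach ($name in 'GPO1', 'GPO1 Copy', 'ADATUM Import') {
    $v = Get-GPRegistryValue -Name $name -Key $key -ValueName 'ScreenSaverIsSecure' `
        -ErrorAction SilentlyContinue
    '{0,-15} ScreenSaverIsSecure = {1}' -f $name, $v.Value
}
```

Backing up GPOs to a folder before changing them is also the cheapest rollback you can give yourself; Import-GPO restores only the settings, so links, security filtering, and WMI filters on the target still need to be reviewed separately.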

Extending Administrative Templates

As discussed previously, Administrative Templates offer administrators thousands of configurable settings out of the box that you can deploy to computers or user objects. A lesser-known feature of Administrative Templates is the ability to extend the Administrative Templates to include more settings that are not otherwise available. Extending Administrative Templates involves four major steps:

1. Download the Administrative Template or create a new custom template from scratch. Many vendors, including Microsoft and other third-party developers, offer free downloads of administrative templates. One popular administrative template is the template for Microsoft Office. The Administrative Template for Microsoft Office allows for customization of settings specific to Office, including specific settings for each of the applications included in the Office suite.

2. Add the Administrative Templates to a GPO. Once you add an administrative template to a GPO, a new folder or set of folders containing new settings becomes available for customization.


3. Customize the administrative template settings. You can customize the administrative template settings in the same way you customize regular GPO settings. By using the familiar Group Policy Management Editor, it is easy for administrators to customize their applications.

4. Deploy the GPO along with the administrative template settings. Once deployed, you configure applications through the administrative template settings.

Demonstration: Configuring Administrative Templates

Demonstration Steps

Add the Office 2013 administrative template files to LON-DC1:

1. On LON-DC1, copy the Office 2013 administrative template files from the E:\Labfiles\Mod05\Office 2013 folder to the PolicyDefinitions folder.

Configure Office 2013 settings:

1. On LON-DC1, create a new GPO named Office 2013.

2. Edit the Office 2013 GPO by enabling the Display Developer tab in the ribbon setting.

3. Edit the Office 2013 GPO by disabling the Replace text as you type setting.


Lesson 2 Configuring Folder Redirection and Scripts

You can use GPOs to deploy scripts to users and computers. You also can redirect folders that are included in the user’s profile to a central server. These features enable you to configure the users’ desktop settings more easily and, where desirable, create a standardized desktop environment that meets your organizational needs.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe folder redirection.

• Explain the settings available for configuring folder redirection.

• Describe security settings for redirected folders.

• Explain how to configure folder redirection.

• Describe Group Policy settings for applying scripts.

• Explain how to configure scripts by using Group Policy.

What Is Folder Redirection?

You can use the Folder Redirection feature to manage data effectively and, optionally, back up data. By redirecting folders, you can ensure user access to data regardless of the computers from which a user logs in. Folder redirection has the following characteristics:

• When you redirect folders, you change the folder’s storage location from the user computer’s local hard disk to a shared folder on a network file server.

• After you redirect a folder to a file server, it still appears to the user as if the folder is stored on the local hard disk.

• You can use the Offline Files technology in conjunction with redirection to synchronize data in the redirected folder to the user’s local hard drive. This ensures that users have access to their data if a network outage occurs or if the user is working offline. Note that Offline Files is sometimes referred to as Client-Side Caching (CSC).

Advantages of Folder Redirection

There are many advantages of folder redirection, including:

• Users that log in to multiple computers can access their data as long as they can access the network share.

• Offline folders allow users to access their data even if they disconnect from the local area network (LAN).


• You can easily back up data that is stored on servers in network shares.

• You can reduce roaming profile size greatly by redirecting data from the profile.

Settings for Configuring Folder Redirection

In a GPO, the following settings are available for folder redirection:

• None. None is the default setting. Folder redirection is not enabled.

• Basic. Basic folder redirection is for:

o Users who must redirect their folders to the same parent folder.

o Users who need their data to be private.

• Advanced. You can use Advanced redirection to specify different network locations for different Active Directory® security groups.

• Follow the Documents folder. Follow the Documents folder redirection is available only for the Pictures, Music, and Videos folders. This setting makes the affected folder a subfolder of the Documents folder.

Target Folder Locations for Basic and Advanced Settings

If you choose Basic or Advanced, you can choose from the following target folder locations:

• Create a folder for each user under the root path. This option creates a folder in the form \\server\share\User Account Name\Folder Name. For example, if you want to store your users’ desktop settings in a shared folder called Documents on a server called LON-DC1, you could define the root path as \\lon-dc1\Documents.

Each user has a unique path for the redirected folder to ensure that data remains private. By default, that user is granted exclusive rights to the folder. In the case of the Documents folder, the current contents of the folder are moved to the new location.

• Redirect to the following location. This option uses an explicit path for the redirection location. It causes multiple users to share the same parent path for the redirected folder. By default, that user is granted exclusive rights to the folder. In the case of the Documents folder, the current contents of the folder are moved to the new location.

• Redirect to the local user profile location. This option moves the location of the folder to the local user profile under the Users folder.

• Redirect to the user’s home directory. This option is available only for the Documents folder. When used, the Documents folder is redirected to the home directory configured on the user’s Active Directory user object.

Note: After the initial creation and application of a GPO that delivers folder redirection settings, users require two log ins before redirection takes effect. This is because users will log in with cached credentials. To allow folder redirection settings to take effect with just one log in, the Always wait for the network at computer startup and logon Group Policy setting has to be enabled. However, enabling the policy setting will degrade the overall user log in experience because it will take longer to log in.

Question: Users in the same department often log in to different computers. They need access to their Documents folder. They also need data to be private. What folder redirection setting would you choose for these users?

Security Settings for Redirected Folders

You must create and configure the permissions manually on a shared network folder to store the redirected folders. However, folder redirection also can create the user’s redirected folders.

Folder permissions are handled as follows:

• When you let folder redirection create the user’s folders, the correct subfolder permissions are set automatically.

• If you manually create folders, you must know the correct permissions. The slide illustrates these permissions.
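The demonstration that follows shares the redirection root to Everyone with Read/Write for simplicity. The script below is an added example, not part of the course handbook, that prepares the same C:\Redirect share on LON-DC1 with the permissions Microsoft documents for a folder redirection root: users can only create their own subfolder, CREATOR OWNER gives each user full control of the folder they create, SYSTEM has full control, and nobody else (including Administrators) is granted access. The security group name Adatum\Redirected Users is an assumption.

```powershell
# Added example (not from the course handbook): create the redirection root
# with least-privilege NTFS and share permissions. Assumes server LON-DC1,
# folder C:\Redirect, share name Redirect, and the group 'Adatum\Redirected
# Users' (assumed name) containing the users whose folders are redirected.
Import-Module SmbShare

$root  = 'C:\Redirect'
$share = 'Redirect'
$group = 'Adatum\Redirected Users'   # assumed security group

New-Item -Path $root -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from C:\ and drop every existing ACE, then add only
# what the redirection client needs on the root folder.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)        # protect ACL, discard inherited ACEs
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }

$rules = @(
    # identity, rights, inheritance, propagation, type
    @('NT AUTHORITY\SYSTEM', 'FullControl',
      'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # Full control for the creator, applied to subfolders and files only
    @('CREATOR OWNER', 'FullControl',
      'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'),
    # List folder / read data + Create folders / append data, this folder only
    @($group, 'ListDirectory, CreateDirectories',
      'None', 'None', 'Allow')
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0],
        [System.Security.AccessControl.FileSystemRights]$r[1],
        [System.Security.AccessControl.InheritanceFlags]$r[2],
        [System.Security.AccessControl.PropagationFlags]$r[3],
        [System.Security.AccessControl.AccessControlType]$r[4])
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# Share: Full Control for the group and SYSTEM only; NTFS does the real
# restriction. Access-based enumeration hides other users' folders from the
# directory listing, and Manual caching leaves offline availability to the
# Folder Redirection client (which configures Offline Files itself).
New-SmbShare -Name $share -Path $root `
    -FullAccess $group, 'NT AUTHORITY\SYSTEM' `
    -FolderEnumerationMode AccessBased -CachingMode Manual | Out-Null

# Verify the result before pointing the GPO at \\LON-DC1\Redirect.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight -AutoSize
```

With these permissions, the first logon creates \\LON-DC1\Redirect\<username>\Documents owned by that user, which is what makes the per-user folder private; an administrator who later needs to recover a user's data takes ownership rather than holding standing access to everyone's documents.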

Demonstration: Configuring Folder Redirection

This demonstration shows how to:

• Create a shared folder.

• Create a GPO to redirect the Documents folder.

• Test folder redirection.

Demonstration Steps

Create a shared folder

1. On LON-DC1, create a folder named C:\Redirect.

2. Share the folder to Everyone with Read/Write permission.

Create a GPO to redirect the Documents folder

1. Open the Group Policy Management Console. Create a GPO named Folder Redirection, and then link it to the Adatum domain.

2. Edit the Folder Redirection GPO.

3. Configure the Documents folder properties to use the Basic-Redirect everyone’s folder to the same location setting.

4. Ensure that the Target folder location is set to Create a folder for each user under the root path.


5. Specify the root path as \\LON-DC1\Redirect.

6. Close all open windows on LON-DC1.

Test folder redirection

1. Log in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Check the properties of the Documents folder. The path will be \\LON-DC1\Redirect.

3. Log off of LON-CL1.

Group Policy Settings for Applying Scripts

You can use Group Policy scripts to perform a number of tasks. There may be actions that you need to perform every time a computer starts up or shuts down, or when users log in or log off. For example, you can use scripts to:

• Clean up desktops when users log off and shut down computers.

• Delete the contents of temporary directories.

• Map drives or printers.

• Set environment variables.

Scripts that are assigned to the computer run in the security context of the Local System account. Scripts that are assigned to the user who is logging on run in that user’s security context.

Other Group Policy settings control aspects of how scripts run. For example, if multiple scripts are assigned, you can control whether they run synchronously or asynchronously.

You can write scripts in any scripting language that the Windows client can interpret, such as Visual Basic® Scripting Edition (VBScript), Microsoft JScript®, or simple command or batch files.

Note: In Windows Server 2008 R2 and Windows Server 2012, the user interface (UI) in the Group Policy Management Editor for Logon, Logoff, Startup, and Shutdown scripts provides an additional tab for Windows PowerShell® scripts. You can deploy your Windows PowerShell script by adding it to this tab. The Windows Server 2008 R2 operating system or newer and the Windows 7 operating system or newer can run Windows PowerShell scripts through Group Policy.

Scripts are stored in shared folders on the network. You need to ensure that the client has access to that network location. If clients cannot access the network location, the scripts fail to run. Although any network location stores scripts, as a best practice, use the Netlogon share because all users and computers that are authenticated to Active Directory Domain Services (AD DS) have access to this location.

For many of these settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts. Group Policy preferences are covered in more detail later in this module.


Demonstration: Configuring Scripts with GPOs

This demonstration shows how to:

• Create a logon script to map a network drive.

• Create and link a GPO to use the script, and store the script in the Netlogon share.

• Log in to the client to test the results.

Demonstration Steps

Create a logon script to map a network drive

1. On LON-DC1, launch Notepad, and then type the following command:

Net use t: \\LON-dc1\Redirect

2. Save the file as Map.bat.

3. Copy the file to the clipboard.

Create and link a GPO to use the script, and store the script in the Netlogon share

1. Use the Group Policy Management Console to create a new GPO named Drivemap, and then link it to the Adatum.com domain.

2. Edit the GPO to configure a user logon script.

3. Paste the Map.bat script into the Netlogon share.

4. Add the Map.bat script to the logon scripts.

Log in to the client to test the results

1. On LON-CL1, log in as Adatum\Administrator with the password Pa$$w0rd.

2. Verify that drive T: is mapped.

3. Log off of LON-CL1.


Lesson 3 Configuring Group Policy Preferences

Prior to the release of the Windows Server® 2008 operating system, you could not use Group Policy to control common settings that affect the user and computer environment, such as mapped drives. Typically, these settings were delivered through logon scripts or imaging solutions.

However, the Windows Server 2012 operating system includes the Group Policy preferences built-in to the GPMC, which enable settings such as mapped drives to be delivered through Group Policy. Additionally, you can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer that is running Windows 7 or Windows 8. This allows you to deliver many common settings by using Group Policy.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Group Policy preferences.

• Identify the differences between Group Policy settings and preferences.

• Describe Group Policy preference features.

• Identify the preference item-level targeting options.

• Explain how to configure settings by using preferences.

What Are Group Policy Preferences?

Group Policy preference extensions include more than 20 Group Policy extensions that expand the range of configurable settings within a GPO. You now can use preferences to apply a number of settings that had to be applied by scripts in the past, such as drive mappings.

Group Policy preferences are supported natively on Windows Server 2008 and newer, and on Windows Vista Service Pack 2 (SP2) and newer. You can download and install Group Policy client-side extensions of Group Policy preferences for Windows Server 2003, Windows XP Service Pack 3 (SP3), and Windows Vista Service Pack 1 (SP1) to provide support for preferences on those systems.

Examples of the new Group Policy preference extensions include:

• Folder Options

• Drive Maps

• Printers

• Scheduled Tasks

• Services

• Start Menu


Configuring Group Policy preferences does not require any special tools or software installation, but they are natively part of the GPMC in the Windows Server 2008 operating system and newer, and are applied in the same manner as Group Policy settings, by default. Preferences have two distinct sections: Windows Settings and Control Panel Settings.

When you configure a new preference, you can perform the following four basic actions:

• Create. Create a new preference setting for the user or computer.

• Delete. Remove an existing preference setting for the user or computer.

• Replace. Delete and recreate a preference setting for the user or computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.

• Update. Modify an existing preference setting for the user or computer.

Comparing Group Policy Preferences and Administrative Templates

Preferences are similar to policies in that they apply configurations to the user or computer. However, there are several differences in the way that you can configure and apply them. One of these differences is that preferences are not enforced. However, you can configure preferences to be reapplied automatically.

The following is a list of other differences between Group Policy settings and preferences:

• Preference settings are not enforced.

• Group Policy settings disable the user interface for settings that the policy manages. Preferences do not do this.

• Group Policy settings are applied at regular intervals. You can apply preferences once only or at regular intervals.

• The end user can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.

• In some cases, you can configure the same settings through a policy setting as well as a preference item. If conflicting preference and Group Policy settings are configured and applied to the same object, the value of the policy setting always applies.


Features of Group Policy Preferences

After you create a Group Policy preference, you must configure its properties. Different preferences will require different input information. For example, shortcut preferences require target paths, whereas environment variables require variable types and values. Group Policy preferences also provide a number of features in the common settings properties to assist in the deployment.

General Properties Tab

The General Properties tab is where basic information is provided. The first step is to specify the action for the preference: Create, Delete, Replace, or Update. Different settings will be available, depending on the initial action selected. For example, when creating a drive mapping, you must provide a Universal Naming Convention (UNC) path and an option for the drive letter that you want to assign.

Common Properties Tab

The common properties are consistent for all preferences. You can use the Common Properties tab to control the behavior of the preference as follows:

• Stop processing items in this extension if an error occurs. If an error occurs while processing a preference, no other preferences in this GPO will process.

• Run in logged-on user’s security context. Preferences can run as the System account or the logged-on user. This setting forces the logged-on user context.

• Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed when the GPO that delivered it is removed. This setting will change that behavior.

• Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group Policy settings. This setting changes that behavior to apply the setting only once on logon or startup.

• Use Item-level targeting. One of the most powerful features of preferences is item-level targeting. You can use this feature to specify criteria easily, so that you can determine exactly which users or computers will receive a preference. Criteria include, but are not limited to:

o Computer name

o IP address range

o Operating system

o Security group

o User

o Windows Management Instrumentation (WMI) queries


Item-Level Targeting Options

Item-level targeting is a feature that allows Group Policy settings to apply to computers or user objects only when the computers or user objects match defined criteria. This makes very powerful targeting control possible and allows Information Technology (IT) administrators to pinpoint exactly to where and when a setting should apply. Item-level targeting offers the following features:

• Target 27 different categories. Item-level targeting can use 27 different categories for targeting computers and user objects. This allows for precision targeting. See Figure 5.1 for the complete list of categories.

• Combine different categories together by using AND or OR Boolean logic. Instead of using a single category for targeting, you can use multiple categories. For example, if you want to deploy printers only to portable computers and only when the users of the portable computers are members of the Sales group, you can do that with item-level targeting. You can then go a step further by deploying one group of printers if the computers are portable, being used by a member of the Sales group, and in a specific IP subnet, while deploying another set of printers when the IP subnet changes.

• Item-level targeting is refreshed during the Group Policy background refresh. This means that configuring computer and user objects by using item-level targeting is a dynamic way to manage the user objects and computer objects.

The following figure shows the 27 different categories for item-level targeting.


FIGURE 5.1

Demonstration: Configuring Group Policy Preferences

This demonstration shows how to:

• Configure a desktop shortcut with Group Policy preferences.

• Target the preference.

• Configure a new folder with Group Policy preferences.

• Target the preference.

• Test the preference.

Demonstration Steps

Configure a desktop shortcut with Group Policy preferences

1. On LON-DC1, in the Group Policy Management Console, open the Default Domain Policy for editing.

2. Navigate to Computer Configuration\Preferences\Windows Settings\Shortcuts.

3. Create a new shortcut to the Notepad.exe program.


Target the preference

• Target the preference for the computer, LON-CL1.

Configure a new folder with Group Policy preferences

1. Navigate to User Configuration\Preferences\Windows Settings\Folders.

2. Create a new folder for the C:\Reports folder.

Target the preference

• Target this preference for computers that are running the Windows 8 operating system.

Test the preferences

1. Switch to LON-CL1, and refresh Group Policy by using the following command at the command prompt:

gpupdate /force

2. Log in and verify the presence of both the C:\Reports folder and the Notepad shortcut on the Desktop.


Lesson 4 Managing Software with Group Policy

Windows Server 2012 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Windows Installer service use to install, maintain, and remove software from your organization’s computers. In this lesson, you will learn how to manage software with Group Policy.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the role Group Policy software distribution plays in the software lifecycle.

• Describe how Windows Installer enhances software distribution.

• Describe the difference between assigning and publishing software.

• Explain how to manage software upgrades by using Group Policy.

How Group Policy Software Distribution Helps to Address the Software Lifecycle

The software lifecycle consists of four phases: preparation, deployment, maintenance, and removal. You can use Group Policy to manage all phases except the preparation. You can apply Group Policy settings to users or computers in a site, domain, or organizational unit (OU) to install, upgrade, or remove software automatically.

By applying Group Policy settings to software, you can manage the phases of software deployment without deploying software on each computer individually.

Using Group Policy to manage the software lifecycle has some advantages and some disadvantages that are important to consider before you begin. The advantages of using Group Policy to manage the software lifecycle are:

• Group Policy software distribution is available as part of Group Policy and AD DS. Thus, using Group Policy does not incur any additional costs for your organization, and it is always available to implement because it is already installed and ready for use.

• Group Policy software distribution does not require client software, agent software, or additional management software. IT administrators can use familiar tools to manage the software lifecycle.

• Group Policy software distribution is quick and easy to use. This allows for both faster software distribution and reduced IT training costs.

The disadvantages of using Group Policy to manage the software lifecycle are:

• Group Policy software distribution has a minimal feature set. This minimal feature set limits the ability to control aspects of the distribution such as the day and time of installation, the order of installation when deploying multiple applications, or the reboot process, such as reboot suppression or reboot windows.


• Group Policy software distribution does not have any reporting. Thus, you cannot easily gather information such as how many computers have the distributed software, which computers an installation failed on, or which computers do not have the distributed software. This could lead to a scenario in which you deploy an update to an application and the update attempts to install on computers that no longer have the application to be updated.

• Group Policy software distribution is limited to deployment of Microsoft Windows Installer (MSI) packages. IT administrators have to convert non-MSI installation programs into MSI packages before being able to deploy the software by using Group Policy.

Note: For larger organizations, especially organizations that have more than 500 computers, and for any organizations with specific software distribution requirements, Microsoft System Center 2012 Configuration Manager provides enterprise-level features and control. These enterprise-level features and control eliminate the disadvantages found in Group Policy software distribution.

How Windows Installer Enhances Software Distribution

To enable Group Policy to deploy and manage software, Windows Server 2012 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. The Windows Installer service installs the MSI package files. MSI files contain a database that stores all the instructions required to install the application. Small applications may be entirely stored as MSI files, whereas other larger applications will have many associated source files that the MSI references. Many software vendors provide MSI files for their applications.

The Windows Installer service has the following characteristics:

• This service runs with elevated privileges, so that software can be installed by the Windows Installer service, no matter which user is signed into the system. Users only require read access to the software distribution point.

• Applications are resilient. If an application becomes corrupted, the installer will detect and reinstall or repair the application.

• Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, the .exe file must be converted to an .msi file by using a third-party utility.

Question: Do users need administrative rights to install applications manually that have MSI files?

Question: What are some of the disadvantages of deploying software through Group Policy?


Assigning and Publishing Software

There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance by assigning the software, or give users the option to install the software when they require it by publishing the software in AD DS. Both user and computer configuration sections of a GPO have a Software Settings section. You can add software to a GPO by adding a new package to the Software Installation node and then specifying whether to assign or publish it.

You also can choose advanced deployment of a package. Use this option to apply a customization file to a package for custom deployment; for example, you can apply a setup customization file that you created with the Office Customization Tool to deploy Microsoft Office.

Assigning Software

Assigning software has the following characteristics:

• When you assign software to a user, the user’s Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application.

• Users do not share deployed applications. When you assign software to a user, an application that you install for one user through Group Policy may not be available to other users. Assigning software to a user is preferred when the software is used by a subset of users, or when the software has licensing costs associated with it and you do not want to purchase licenses that will not be used.

• When you assign an application to a computer, the application is installed the next time that the computer starts. The application will be available to all users of the computer. Assigning software to a computer is preferred when you need to have the software installed on a specific set of computers or on all computers in an environment, regardless of which users use the computers. This is a common situation when dealing with agent software such as monitoring agents, security-related agents, or management agents.

Publishing Software

Publishing software has the following characteristics:

• The Programs\Programs and Features shortcut in Control Panel advertises a published application to the user. Users can install the application by using the Install a program from the network shortcut, or extension activation can install it. Extension activation initiates the program installation when a user opens a file type that is associated with the program.

• Applications that users do not have permission to install are not advertised to them.

• Applications cannot be published to computers.

Note: When configuring Group Policy to deploy an application, the application installer must be available via a UNC path. If you use local paths, the deployment will fail.


Managing Software Upgrades by Using Group Policy

Software vendors occasionally release software updates. These usually address minor issues, such as bug fixes or feature enhancements that do not warrant a complete application reinstallation. Microsoft releases some software patches as .MSP files.

Major updates that provide new functionality require users to upgrade a software package to a newer version. You can use the Upgrades tab to upgrade a package by using the GPO. When you perform upgrades by using Group Policy, you’ll notice the following characteristics:

• You may redeploy a package if the original Windows Installer file has been modified.

• Upgrades will often remove the old version of an application and install a newer version. These upgrades usually maintain application settings.

• You can remove software packages if they were delivered originally by using Group Policy. This is useful if you are replacing a line-of-business (LOB) application with a different application. Removal can be mandatory or optional.

Page 213: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 5-23

Lab: Managing User Desktops with Group Policy

Scenario

A. Datum Corporation is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and a data center are located in London to support the London head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum has been using logon scripts to provide users with drive mappings to file shares. The maintenance of these scripts is an ongoing problem because they are large and complex. Your manager has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts can be removed.

Your manager has also asked you to place a shortcut to the Notepad application for all users that belong to the IT security group and to add a new Computer Administrators security group as a local Administrator on all servers.

A. Datum wants to be able to manage Office 2013 settings for all client computers. They have decided to use Administrative Templates to do this.

Objectives

After completing this lab, you will be able to:

• Implement settings by using Group Policy preferences.

• Configure Office 2013 settings using Administrative Templates.

• Configure folder redirection.

• Deploy software by using Group Policy.

Lab Setup

Estimated Time: 45 minutes
Virtual Machines: 20411C-LON-DC1, 20411C-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, click Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

Page 214: 20411C-ENU-TrainerHandbook

5-24 Managing User Desktops with Group Policy

4. Log in using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 through 4 for 20411C-LON-CL1.

Exercise 1: Implementing Settings by Using Group Policy Preferences

Scenario

A. Datum has been using logon scripts to provide users with drive mappings to file shares. The maintenance of these scripts is an ongoing problem because they are large and complex. Your manager has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts can be removed. Your manager has also asked you to place a shortcut to the Notepad application for all users that belong to the IT security group.

The main tasks for this exercise are as follows:

1. Create a New GPO, and Link it to the Branch Office 1 Organizational Unit (OU)

2. Edit the Default Domain Policy with the Required Group Policy Preferences

3. Test the Preferences

Task 1: Create a New GPO, and Link it to the Branch Office 1 Organizational Unit (OU)

1. On LON-DC1, open File Explorer, and then create a folder and share it with Specific people by using the following properties: Path: C:\Branch1, share name: Branch1, Permissions: Everyone, Read/Write.

2. On LON-DC1, open Active Directory Users and Computers, and then create an OU in the Adatum.com domain called Branch Office 1.

3. Move user Holly Dickson from the IT OU to the Branch Office 1 OU.

4. Move the LON-CL1 computer to the Branch Office 1 OU.

5. Open the Group Policy Management Console.

6. Create and link a new GPO named Branch1 to the Branch Office 1 OU.

7. Open the Branch1 GPO for editing.

8. Edit the GPO to configure a mapped drive by using Group Policy preferences.

9. Map the S: drive to \\LON-DC1\Branch1.
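The following is an added example, not part of the 20411C lab text: Task 1, steps 1 through 7, as PowerShell. It assumes it runs on LON-DC1 as Adatum\Administrator with the ActiveDirectory, SmbShare and GroupPolicy modules, and that the lab user's account name is Holly (the lab logs on as Adatum\Holly). Steps 8 and 9, the Drive Maps preference item, have no cmdlet in the GroupPolicy module and are configured in the Group Policy Management Editor as the task describes.

```powershell
# Added example, not from the 20411C lab text: Exercise 1, Task 1, steps 1-7.
# Assumes it runs on LON-DC1 as Adatum\Administrator, with the ActiveDirectory,
# SmbShare and GroupPolicy modules present, and that the test user's
# sAMAccountName is Holly (assumption taken from the lab's "Adatum\Holly").
Import-Module ActiveDirectory, SmbShare, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # DC=Adatum,DC=com

# Step 1: folder and share. The lab's "Everyone, Read/Write" is -ChangeAccess at
# the share level; the NTFS ACL on C:\Branch1 is evaluated as well, and outside
# the lab the grant should go to a group rather than Everyone.
New-Item -Path 'C:\Branch1' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Branch1' -Path 'C:\Branch1' -ChangeAccess 'Everyone' | Out-Null

# Step 2: the OU. -PassThru returns the object so its DN can be reused below.
$ou = New-ADOrganizationalUnit -Name 'Branch Office 1' -Path $domainDN -PassThru

# Steps 3-4: move the test user and the LON-CL1 computer account into the OU.
Get-ADUser -Identity 'Holly' | Move-ADObject -TargetPath $ou.DistinguishedName
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath $ou.DistinguishedName

# Steps 5-7: create the GPO and link it to the OU in one pipeline.
New-GPO -Name 'Branch1' -Comment 'Branch 1 drive mappings (Group Policy preferences)' |
    New-GPLink -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# Steps 8-9 (the Drive Maps preference item) have no cmdlet; set them in the
# Group Policy Management Editor under User Configuration\Preferences\Windows
# Settings\Drive Maps as the lab describes.

# Verify: the OU should list one linked GPO named Branch1, and the share the
# preference will map must already resolve from the network.
(Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Test-Path -Path '\\LON-DC1\Branch1'
```

Moving LON-CL1 into the OU is what brings the computer into the GPO's scope; the GPO link alone does nothing for objects that stay in the IT or Computers containers, which is the usual reason a preference "does not apply" in Task 3.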

Task 2: Edit the Default Domain Policy with the Required Group Policy Preferences

1. Open the Default Domain Policy for editing.

2. Navigate to User Configuration\Preferences\Windows Settings\Shortcuts.

3. Create a new shortcut to the Notepad.exe program:

o Name: Notepad

o Action: Create

o Location: Desktop

o Target path: C:\Windows\notepad.exe

Page 215: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 5-25

4. Target the preference for members of the IT security group.

5. Close all open windows.

Task 3: Test the Preferences

1. Switch to LON-CL1 and restart the computer.

2. Log in as Adatum\Administrator with the password Pa$$w0rd.

3. Open the Command Prompt window, and then use the gpupdate /force command to refresh the Group Policy.

4. Log off of LON-CL1.

5. Log in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.

6. Verify that a drive is mapped to \\LON-DC1\Branch1.

7. Verify that the shortcut to Notepad is on Holly’s desktop.

8. If the shortcut does not appear, repeat steps 2 through 5.

9. Log off of LON-CL1.

Results: After this exercise, you should have created the required preference settings successfully, and then assigned them by using Group Policy Objects (GPOs).

Exercise 2: Managing Microsoft Office 2013 by Using Administrative Templates

Scenario

In order to manage the Office 2013 settings by using GPOs, you need to import the Office 2013 Administrative Templates into a GPO. Then you need to verify that you can configure the settings and that the settings are being applied to target computers.

The main tasks for this exercise are as follows:

1. Import the Office 2013 Administrative Templates

2. Configure Office 2013 Settings

3. Verify That the Settings Have Been applied

Task 1: Import the Office 2013 Administrative Templates

1. On LON-DC1, copy the Office 2013 administrative template files from the E:\Labfiles\Mod05\Office 2013 folder to the PolicyDefinitions folder. The central store is \\Adatum.com\SYSVOL\Adatum.com\Policies\PolicyDefinitions; the .admx files go in its root and the .adml files go in the matching language subfolder, such as en-US.

Task 2: Configure Office 2013 Settings

1. On LON-DC1, create a new GPO named Office 2013.

2. Edit the Office 2013 GPO by enabling the Display Developer tab in the ribbon setting.

3. Edit the Office 2013 GPO by disabling the Replace text as you type setting.

Task 3: Verify That the Settings Have Been Applied

1. Log in to LON-CL1 as Adatum\Holly.

2. Run Microsoft Word on LON-CL1.

Page 216: 20411C-ENU-TrainerHandbook

5-26 Managing User Desktops with Group Policy

3. Verify that the Developer tab is present and that Microsoft Word is not auto correcting misspelled words as you type.

Results: After this exercise, you should have successfully added the Microsoft® Office 2013 administrative template files to a GPO, customized Office 2013 settings, and validated the settings on a computer that is in the GPO scope.

Exercise 3: Deploying Software by Using Group Policy

Scenario

In order to provide employees with a standardized XML editor, you need to deploy XML Notepad 2007 to all domain computers by using a GPO.

The main tasks for this exercise are as follows:

1. Deploy XML Notepad 2007 by Using a New GPO

2. Verify that XML Notepad 2007 Was Successfully Deployed on LON-CL1

Task 1: Deploy XML Notepad 2007 by Using a New GPO

1. On LON-DC1, create a new GPO named Deploy XML Notepad, and link it to the domain.

2. Edit the GPO and configure the computer assigned software deployment of \\LON-DC1-Mod05\xmlnotepad.msi. The package must be referenced by its UNC path, and the share must be readable by the computer accounts, because the installation runs as SYSTEM at startup.

Task 2: Verify that XML Notepad 2007 Was Successfully Deployed on LON-CL1

1. Switch to LON-CL1, and restart it.

2. Log in to LON-CL1 after restarting, and then verify that XML Notepad 2007 is installed.

Results: After this exercise, you should have successfully deployed XML Notepad 2007 to all domain-joined computers and verified the installation on LON-CL1.

Exercise 4: Configuring Folder Redirection

Scenario

In order to help minimize profile sizes, your manager has asked you to configure folder redirection for the branch office users. This will allow you to redirect several profile folders to each user’s home drive.

The main tasks for this exercise are as follows:

1. Create a Shared Folder to Store the Redirected Folders

2. Create a New GPO and Link it to the Branch Office OU

3. Edit the Folder Redirection Settings in the Policy You Created

4. Test the Folder Redirection Settings

5. To Prepare for the Next Module

Page 217: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 5-27

Task 1: Create a Shared Folder to Store the Redirected Folders

• On LON-DC1, open File Explorer, and then create a folder and share it with Specific people by using the following properties:

o Path: C:\Branch1\Redirect

o Share name: Branch1Redirect

o Permissions: Everyone, Read/Write.

Task 2: Create a New GPO and Link it to the Branch Office OU

• On LON-DC1, open Group Policy Management, and then create and link a new GPO named Folder Redirection to the Branch Office 1 OU.

Task 3: Edit the Folder Redirection Settings in the Policy You Created

1. Open the Folder Redirection GPO for editing.

2. Under User Configuration, browse to Folder Redirection, and then configure the Documents folder properties to use the Basic-Redirect everyone’s folder to the same location setting.

3. Ensure that the Target folder location is set to Create a folder for each user under the root path.

4. Specify the root path as \\LON-DC1\Branch1Redirect.

5. Close all open windows on LON-DC1.

Task 4: Test the Folder Redirection Settings

1. Switch to LON-CL1.

2. Log in as Adatum\Administrator with the password Pa$$w0rd.

3. Open the Command Prompt window, and use the gpupdate /force command to refresh the Group Policy.

4. Log off, and then log in as Adatum\Holly with the password Pa$$w0rd.

5. Browse to the desktop.

6. Right-click the desktop and use the Personalize menu to enable User’s Files on the desktop.

7. From the Desktop, open the Holly Dickson folder.

8. Right-click Documents, and then click Properties.

9. In the Document Properties dialog box, note that the location of the folder is now the network share in a subfolder named for the user.

10. If the folder redirection is not evident, log off, and then log in again as Adatum\Holly with the password Pa$$w0rd. Repeat steps 7 to 9.

11. Log off of LON-CL1.

Task 5: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

Page 218: 20411C-ENU-TrainerHandbook

5-28 Managing User Desktops with Group Policy

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-CL1.

Results: After this exercise, you should have successfully configured folder redirection to a shared folder on the LON-DC1 server.

Question: Which options can you use to separate users' redirected folders onto different servers?

Question: Can you name two methods you could use to assign a GPO to selected objects within an OU?

Question: You have created Group Policy preferences to configure new power options. How can you ensure that they will be applied only to laptop computers?

Page 219: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 5-29

Module Review and Takeaways

Best Practices Related to Group Policy Management

• Include comments on GPO settings.

• Use a central store for Administrative Templates when client computers run Windows Vista or newer.

• Use Group Policy preferences to configure settings that are not available in the policy settings.

• Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip

• You have configured folder redirection for an OU, but none of the users’ folders is being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user exists, but they are empty.

• You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.

• You have computers running a mixture of the Windows XP operating system and the Windows 8 operating system. After configuring several settings in the Administrative Templates of a GPO, users with the Windows XP operating system report that some settings are being applied and others are not.

• Group Policy preferences are not being applied.

Review Question(s)

Question: Why can some Group Policy settings take two logons before going into effect?

Question: How can you support Group Policy preferences on Windows XP?

Question: What is the benefit of having a central store?

Question: What is the main difference between Group Policy settings and Group Policy preferences?

Question: What is the difference between publishing and assigning software through Group Policy?

Question: Can you use Windows PowerShell® scripts as startup scripts?


Page 221: 20411C-ENU-TrainerHandbook

6-1

Module 6 Implementing Remote Access

Contents: Module Overview 6-1

Lesson 1: Overview of Remote Access 6-2

Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 6-9

Lab A: Implementing DirectAccess by Using the Getting Started Wizard 6-21

Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure 6-27

Lab B: Deploying an Advanced DirectAccess Solution 6-39

Lesson 4: Implementing VPN 6-50

Lab C: Implementing VPN 6-60

Lesson 5: Implementing Web Application Proxy 6-65

Lab D: Implementing Web Application Proxy 6-71

Module Review and Takeaways 6-75

Module Overview

Remote access technologies in the Windows Server® 2012 operating system enable users to connect securely to data and resources in corporate networks. In Windows Server 2012, four component technologies, virtual private network (VPN), DirectAccess, routing, and Web Application Proxy (added in Windows Server 2012 R2), are integrated into a single, unified server role called Remote Access.

In this module, you will learn how to implement remote access technologies in Windows Server 2012. You will also learn about different implementation scenarios for small or medium-sized organizations and enterprise organizations.

Objectives After completing this module, you will be able to:

• Install and manage the Remote Access role in Windows Server 2012.

• Implement DirectAccess by using the Getting Started Wizard.

• Implement and manage an advanced DirectAccess infrastructure.

• Implement VPN access.

• Implement Web Application Proxy.

Page 222: 20411C-ENU-TrainerHandbook

6-2 Implementing Remote Access

Lesson 1 Overview of Remote Access

The remote access technology that an organization chooses to implement generally depends on its business requirements. Some organizations deploy several remote access technologies on different servers, and some deploy them on the same server. For example, an organization that needs administrators to manage servers from the Internet might deploy DirectAccess, and at the same time deploy Web Application Proxy if it needs to publish internal applications to the Internet.

Lesson Objectives After completing this lesson, you will be able to:

• Describe the remote access options available in Windows Server 2012.

• Describe how to manage remote access in Windows Server 2012.

• Explain how to install and manage the Remote Access role in Windows Server 2012.

• Describe the considerations for deploying a public key infrastructure (PKI) for remote access in Windows Server 2012.

Remote Access Options

The Remote Access role in Windows Server 2012 provides four remote access options:

• DirectAccess

• VPN

• Routing

• Web Application Proxy

Each of these options represents a technology that organizations can use for different business scenarios to access internal resources from offices in remote locations or from the Internet.

DirectAccess DirectAccess enables remote users to securely access corporate resources, such as email servers, shared folders, or internal websites, without connecting to a VPN. DirectAccess also provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. With the new unified management experience, you can configure DirectAccess and older VPN connections from one location. Other enhancements in DirectAccess include simplified deployment and improved performance and scalability.

VPN

VPN connections enable users who are working offsite, such as at home, at a customer site, or from a public wireless access point, to access a server on your organization’s private network. VPN connections use the infrastructure of a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the user's computer (the VPN client) and the organization’s VPN server. The exact infrastructure of the shared or public network is irrelevant, because the tunnel carries the data as if it were sent over a dedicated private link.

Page 223: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 6-3

Routing

Windows Server 2012 can act as a router or network address translation (NAT) device between two internal networks or between the Internet and the internal network. Routing works with routing tables and supports Routing Information Protocol version 2 (RIP v2), together with Internet Group Management Protocol (IGMP) and the DHCP Relay Agent, which the Routing and Remote Access console also lists under routing protocols.

Web Application Proxy Web Application Proxy is a new feature in Windows Server 2012 R2. It provides reverse proxy functionality for web applications located in an organization’s internal network where users that are located on the Internet can access internal web applications. Web Application Proxy preauthenticates users by using Active Directory® Federation Services (AD FS) technology and acts as an AD FS proxy.

Managing Remote Access in Windows Server 2012

After you install the Remote Access role on a server running Windows Server 2012, you can manage the role by using the Microsoft Management Console (MMC), or by using Windows® PowerShell®. You can use the MMC for your daily tasks of managing remote access, and you can use Windows PowerShell for managing multiple servers and for scripting or automating the management tasks.

There are two MMCs for managing the Remote Access role: the Remote Access Management Console and the Routing and Remote Access console. You can access these consoles from the Tools menu in Server Manager.

The Remote Access Management Console The Remote Access Management Console allows you to manage DirectAccess, VPN, and Web Application Proxy. When you open this console for the first time, it provides you with a wizard-based setup to configure remote access settings according to your business requirements. After you configure the initial remote access settings, you will be provided with the following options in the console to manage your remote access solution:

• Configuration. You can edit the remote access settings by using wizards and by using the graphical representation of the current network configuration in the console.

• Dashboard. You can monitor the overall status of servers and clients that are part of the remote access solution.

• Operational status. You can access detailed information on the status of the servers that are part of the remote access solution.

• Remote client status. You can access detailed information on the status of the clients that are connecting to the remote access solution.

• Reporting. You can generate historical reports on different parameters, such as remote access usage, access details, connection details, and server load statistics.

Page 224: 20411C-ENU-TrainerHandbook

6-4 Implementing Remote Access

The Routing and Remote Access Console

You can use the Routing and Remote Access console to configure a server running Windows Server 2012 as a NAT device, as a router for both the IPv4 and IPv6 protocols, and as a VPN server. After the configuration is complete, you can manage the remote access solution by using the following options in the console:

• Server Status. You can monitor the status of the remote access server (RAS), the ports in use, and the server’s uptime.

• Remote Access Client, Ports, Remote Access Logging. You can monitor the client status, port status, and detailed logging information about clients connected to the remote access server.

• IPv4. You can configure the IPv4 settings such as NAT, IPv4 routing with static routes, and the following routing protocols: Routing Information Protocol version 2, Internet Group Management Protocol, and DHCP Relay Agent.

• IPv6. You can configure IPv6 settings, such as IPv6 routing with static routes and DHCP Relay Agent routing protocol.

Windows PowerShell Commands Windows PowerShell commands in Windows Server 2012 allow you to configure remote access and allow you to create scripts for automation of some configuration and management procedures. Some examples of Windows PowerShell commands for remote access include:

• Set-DAServer. Sets the properties specific to the DirectAccess server.

• Get-DAServer. Displays the properties of the DirectAccess Server.

• Set-RemoteAccess. Modifies the configurations that are common to both DirectAccess and VPN, such as Secure Sockets Layer (SSL) certificate, Internal interface, and Internet interface.

• Get-RemoteAccess. Displays the configuration of DirectAccess and VPN, both Remote Access VPN and site-to-site VPN.

For a complete list of remote access cmdlets in Windows PowerShell, visit the following link:

http://go.microsoft.com/fwlink/?LinkID=331164

Demonstration: Installing and Managing the Remote Access Role

In this demonstration, you will see how to:

• Install the Remote Access role.

• Manage the Remote Access role.

Demonstration Steps

Install the Remote Access role

1. On LON-SVR1, switch to the Server Manager console, click Manage, and then start the Add Roles and Features Wizard.

2. Complete the wizard with the following settings:

o On the Before You Begin page, click Next.

o On the Select installation type page, click Next.

o On the Select destination server page, click Next.

Page 225: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 6-5

o On the Select server roles, click Remote Access, and then click Next.

o On the Select features page, click Next.

o On the Remote Access page, click Next.

o On the Select role services page, click DirectAccess and VPN (RAS), and in the Add Roles and Features Wizard page, click Add Features.

o On the Select role services page, click Next.

o On the Confirm installation selection page, click Install, and then when installation finishes, click Close.

Manage the Remote Access role

1. In the Server Manager console, open the Remote Access Management Console.

2. In the Remote Access Management Console, review the options for configuring and managing remote access.

3. From the Server Manager console, open the Routing and Remote Access console.

4. In the Routing and Remote Access console, review the options for configuring and managing remote access.
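The following is an added example, not part of the 20411C demonstration: the same installation and first inspection as PowerShell, which is the route the module recommends for multiple servers or automation. It assumes it runs on LON-SVR1 as a domain administrator and that the server has not yet been configured for remote access; the feature names are those of the Windows Server 2012 R2 Remote Access role.

```powershell
# Added example, not from the 20411C handbook: the demonstration's GUI steps as
# PowerShell. Assumes it runs on LON-SVR1 as a domain administrator (assumption)
# on a server where the Remote Access role has not yet been configured.
Import-Module ServerManager

# Install the DirectAccess and VPN (RAS) role service with its management tools
# (Remote Access Management Console, Routing and Remote Access console and the
# RemoteAccess PowerShell module). Routing and Web-Application-Proxy are
# separate role services and are deliberately left out, as in the demonstration.
$result = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
if (-not $result.Success) {
    throw "Remote Access installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before the role can be configured.'
}

# Confirm which Remote Access role services are installed on this server.
Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing, Web-Application-Proxy |
    Format-Table Name, InstallState -AutoSize

# The RemoteAccess module is available once the tools are installed; the DAServer
# and RemoteAccess nouns are the cmdlets the lesson names.
Import-Module RemoteAccess
Get-Command -Module RemoteAccess -Noun DAServer, RemoteAccess | Format-Table Name -AutoSize

# Get-RemoteAccess fails until the role has been configured (by the Getting
# Started Wizard or Install-RemoteAccess), so treat the error as "not yet
# configured" rather than as a broken installation.
try {
    Get-RemoteAccess | Format-List DAStatus, VpnStatus, InternetInterface, InternalInterface
} catch {
    Write-Output 'Remote Access is installed but not yet configured.'
}
```

Installing DirectAccess-VPN does not open any listener by itself; the server only starts accepting connections after the configuration step, which is why the verification above stops at the feature state and the cmdlet inventory.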

Network Address Translation

NAT functionality is a component of the Routing and Remote Access service that enables corporate computers to access resources on the Internet or other public networks. NAT technology translates private IPv4 addresses in a corporate network into public IPv4 addresses.

Why is NAT Necessary?

Computers and devices that connect directly to the Internet must be configured with public Internet Protocol (IP) addresses. However, public IPv4 addresses are scarce, and organizations cannot obtain a public IPv4 address for every corporate computer. Therefore, organizations use private IP addressing for corporate computers. Because private IP addresses are not routable on the Internet, computers configured with private IP addresses cannot reach the Internet on their own. By using NAT, an organization needs only one public IPv4 address to provide Internet access: NAT translates the private IPv4 addresses into that public IPv4 address on the way out, and back again on the way in.

The NAT server has two network adapters. One of these network adapters is configured with a private IPv4 address and is connected to the corporate network, whereas the other network adapter is configured with a public IPv4 address and is connected to the Internet.

How NAT Works

In order for a client computer to connect to the Internet by using NAT, it has to be configured to use the NAT server as a default gateway. When a client computer on the private network requests access to a computer located on the Internet, such as a web server, the NAT-enabled server translates the outgoing packets and then sends them to the web server on the Internet. The NAT server also translates the response from the web server on the Internet and returns it to the client on the corporate network.

Page 226: 20411C-ENU-TrainerHandbook

6-6 Implementing Remote Access

NAT also hides the private IP addresses of the computers in the corporate network: when an internal computer communicates with a web server on the Internet, only the external IP address of the NAT server is visible to that web server. Address hiding is not a substitute for filtering, however, so configure Windows Firewall with Advanced Security on the NAT server to protect your corporate network from Internet security threats.

Considerations for Deploying a PKI for Remote Access

PKI helps you verify and authenticate the identity of each party involved in an electronic transaction. It also helps establish trust between computers and the corresponding applications that are hosted on application servers. A common example includes the use of PKI technology to secure websites and remote access. Digital certificates are key components of PKI that contain electronic credentials, which are used to authenticate users or computers. Windows Server 2012 supports building a certificate services infrastructure in your organization by using Active Directory Certificate Services (AD CS) components.

Using PKI for Remote Access When employees of an organization access internal resources from the Internet, it is very important that the communication and data in transit are protected from interception by unauthorized users. Therefore, the communication between the employees located on the Internet and the internal resources should be encrypted. Furthermore, users that connect from the Internet and their computers should be authenticated. Remote access technologies in Windows Server 2012 use PKI for authenticating users and computers and encrypting data and communication when users are remotely accessing internal resources.

When planning to use PKI for remote access in your organization, you should consider the following:

• Will you use PKI only to encrypt the data and traffic between client computers and remote access servers? In this scenario, a certificate is installed on the remote access server only; users are authenticated with their user name and password, and PKI is not used for user authentication.

• Will you use PKI not just for encryption, but also for authenticating users and their computers? In this scenario you should use PKI not just for data encryption, but also for issuing certificates to users and computers.

• Which type of certificates will you use? You can use self-signed certificates or certificates issued by a private certification authority (CA) or by a public CA.

o Self-signed certificates are issued by the server itself, and, by default, they are trusted only by the issuing server, and not by other computers in the organization. You can use self-signed certificates in small and medium-sized organizations that use DirectAccess configured with the Getting Started Wizard, which provides simple setup and configuration.

o You typically use certificates issued by a private CA in organizations that want to manage their own PKI infrastructure and where PKI is used for many purposes, such as remote access, client authentication, and server authentication. These organizations realize significant cost benefits because a large number of certificates are not purchased, but are issued by the private CA. When deploying a private CA, an administrator can create customized certificate templates that will meet an organization’s specific business requirements. Administrators can also configure autoenrollment, so that all trusted users or computers automatically enroll for a certificate from the private CA. However, a private CA requires greater administrative effort for managing CA servers and providing user support in organizations.

Page 227: 20411C-ENU-TrainerHandbook

Administering Windows Server® 2012 6-7

o You use certificates issued by a public CA in organizations that deploy certificates for applications which need to be trusted by many different operating systems, or computers and devices that are not managed by these organizations. You cannot use a private CA because, by default, a private CA provides certificates that need to be trusted only by domain computers. Therefore, using a private CA is less appropriate in this scenario. Public CAs are also used by organizations that do not have a PKI infrastructure deployed or organizations that need smaller number of certificates. Organizations that use certificates generated by Public CAs require less administrative effort for managing PKI. This is because organizations’ administrators do not manage the Public CA infrastructure. Purchasing certificates from a public CA involves procedures that are different from the ones required from private CAs. For example, an organization that needs to purchase a certificate from a public CA has to prove the ownership of the domain name.

When deploying advanced DirectAccess infrastructure, you use certificates generated by a private or public CA. Using self-signed certificates is not supported in advanced DirectAccess infrastructures.

The following table includes the advantages and disadvantages of certificates issued by a public or private CA.

CA type: Private CA
Advantages:
• Provides greater control over certificate management
• Lower cost when compared to a public CA
• Customized templates
• Autoenrollment
Disadvantages:
• By default, not trusted by external clients (web browsers, operating systems)
• Requires greater administration

CA type: Public CA
Advantages:
• Trusted by many external clients (web browsers, operating systems)
• Requires minimal administration
Disadvantages:
• Higher cost when compared to an internal CA
• Cost is based per certificate
• Certificate procurement is slower

Some organizations use a hybrid PKI architecture, in which a public CA acts as the root CA and signs the certificate of the organization's own subordinate CA, below which a hierarchy of internal CAs issues certificates. This gives the organization internally issued certificates that external clients trust, while retaining the advantages of an internal CA. The main disadvantage is cost: a hybrid approach is typically the most expensive, because CA certificates from public CAs are very expensive. The internal CA is also bound by the public CA's issuance policies and audit requirements, because every certificate it issues chains to a publicly trusted root.

Configuring User Settings for Remote Access

Business requirements for remote access vary by employee type. Some employees may not need remote access, while others may, subject to additional conditions. You use the Active Directory Users and Computers console to configure per-user remote access settings, which are located on the Dial-in tab of the user account's properties.

User Settings for Remote Access include:

• Network Access Permission. Defines what the Remote Access server does when a user who has been authenticated by Active Directory Domain Services (AD DS) tries to establish a connection. There are three options:

o Allow access. Remote access is allowed for the user connecting from a remote location.

o Deny access. Remote access is denied for the user connecting from a remote location.

o Control access through NPS network policy. This is the default in the user account properties in the Active Directory Users and Computers console. A remote access server can have multiple Network Policy Server (NPS) network policies. NPS evaluates them in order and applies the first policy whose conditions match the connection request; that policy's settings then grant or deny access. If no policy matches, including the case where all NPS network policies have been deleted, NPS denies the request, because no policy authorizes it. An explicit Allow access or Deny access on the account takes precedence over the matching policy's access permission, unless that policy is configured to ignore user account dial-in properties.

• Verify Caller ID. If a remote access client establishes a connection over a telephone line, the remote access server can verify the caller identification (caller ID) information against the number configured here. For this to work, the telephony equipment at the remote access server location must pass the caller ID information to the remote access server through the appropriate drivers.

• Callback Options. If callback is enabled, after the remote access client initiates a connection over a telephone line, the remote access server hangs up and calls the client back. The server can call back the number supplied by the caller, or a fixed number configured by the administrator (Always Callback to). The fixed number is the stronger option, because it ties the session to a known telephone line.

• Assign Static IP Addresses. In many scenarios, after the remote access client computer successfully establishes a connection with the remote access server, an IP address is assigned automatically to the remote access client computer by the organization’s DHCP server. However, an administrator can also configure a static IP address for the remote access client computer by using dial-in properties of the user account.

• Apply Static Routes. An administrator can configure static routes that will be added to the remote access client computer routing table when the connection is established with the remote access server.
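The same Dial-in settings can be read, set and audited from PowerShell, which is the practical way to find accounts that carry an explicit Allow access and therefore bypass the NPS permission check. The following script is an added example and is not part of the course material; it uses the ActiveDirectory module (RSAT). The account name Ana and the address 10.10.0.50 are placeholders; the attribute names are the AD attributes that the Dial-in tab writes.

```powershell
# Added example, not from the course: read, set and audit the Dial-in tab attributes of user
# accounts with the ActiveDirectory module (RSAT). The account name 'Ana' and the address
# 10.10.0.50 are placeholders; the attribute names are the AD attributes behind the Dial-in tab.
Import-Module ActiveDirectory

$dialInAttributes = 'msNPAllowDialin',          # Network Access Permission
                    'msNPCallingStationID',     # Verify Caller ID
                    'msRADIUSCallbackNumber',   # Callback Options (number set by the administrator)
                    'msRADIUSFramedIPAddress',  # Assign Static IP Addresses
                    'msRADIUSFramedRoute'       # Apply Static Routes

function Get-DialInSettings {
    param([Parameter(Mandatory = $true)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties $dialInAttributes

    # msNPAllowDialin: $true = Allow access, $false = Deny access,
    # not set = Control access through NPS network policy (the default).
    $v = $u.msNPAllowDialin
    $permission = if ($null -eq $v) { 'Control access through NPS network policy' }
                  elseif ($v)       { 'Allow access' }
                  else              { 'Deny access' }

    # The static address is stored as a 32-bit integer; convert it back to dotted form.
    $staticIp = $null
    if ($null -ne $u.msRADIUSFramedIPAddress) {
        $b = [BitConverter]::GetBytes([int]$u.msRADIUSFramedIPAddress)
        [Array]::Reverse($b)
        $staticIp = '{0}.{1}.{2}.{3}' -f $b[0], $b[1], $b[2], $b[3]
    }

    [pscustomobject]@{
        User            = $u.SamAccountName
        NetworkAccess   = $permission
        VerifyCallerId  = $u.msNPCallingStationID
        CallbackNumber  = $u.msRADIUSCallbackNumber
        StaticIPAddress = $staticIp
        StaticRoutes    = $u.msRADIUSFramedRoute
    }
}

function Set-DialInNetworkAccess {
    param([Parameter(Mandatory = $true)][string]$Identity,
          [Parameter(Mandatory = $true)][ValidateSet('Allow', 'Deny', 'NpsPolicy')][string]$Permission)
    switch ($Permission) {
        'Allow'     { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $true } }
        'Deny'      { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $false } }
        # Clearing the attribute returns the account to "Control access through NPS network policy".
        'NpsPolicy' { Set-ADUser -Identity $Identity -Clear msNPAllowDialin }
    }
}

function Set-DialInStaticIPAddress {
    param([Parameter(Mandatory = $true)][string]$Identity,
          [Parameter(Mandatory = $true)][string]$IPv4Address)
    $b = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()   # network byte order
    [Array]::Reverse($b)
    $value = [BitConverter]::ToInt32($b, 0)                                # 10.10.0.50 -> 168427570
    Set-ADUser -Identity $Identity -Replace @{ msRADIUSFramedIPAddress = $value }
}

# Audit: accounts whose explicit Allow access overrides the NPS network policy decision.
function Find-ExplicitDialInAllow {
    Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
        Select-Object SamAccountName, DistinguishedName
}

# Usage with the placeholder account.
Set-DialInNetworkAccess   -Identity 'Ana' -Permission Deny
Set-DialInStaticIPAddress -Identity 'Ana' -IPv4Address '10.10.0.50'
Get-DialInSettings -Identity 'Ana'
Find-ExplicitDialInAllow
```

Run Find-ExplicitDialInAllow periodically: an account with an explicit Allow access is granted access by whichever network policy matches, regardless of that policy's own access permission, so such accounts should be rare and reviewed.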

Lesson 2 Implementing DirectAccess by Using the Getting Started Wizard

The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure, for both internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

Lesson Objectives After completing this lesson, you will be able to:

• Describe the components that are required to implement DirectAccess.

• Describe DirectAccess server deployment options.

• Describe DirectAccess tunneling protocol options.

• Describe how DirectAccess works for internal clients.

• Describe how DirectAccess works for external clients.

• Explain how to deploy DirectAccess by running the Getting Started Wizard.

• Identify the changes made by the Getting Started Wizard.

• Explain the limitations of deploying DirectAccess by using the Getting Started Wizard.

DirectAccess Components

To deploy and configure DirectAccess, your organization must support the following infrastructure components:

• DirectAccess server.

• DirectAccess clients.

• Network location server.

• Internal resources, such as corporate applications.

• An AD DS domain.

• Group Policy.

• PKI (optional for the internal network).

• Domain Name System (DNS) server.

• Network Access Protection (NAP) server (optional).

DirectAccess Server

The DirectAccess server can be any domain-joined computer running Windows Server 2012 that accepts connections from DirectAccess clients and relays them to intranet resources. This server provides authentication services for DirectAccess clients and acts as the Internet Protocol security (IPsec) tunnel mode endpoint for external traffic. The Remote Access server role allows centralized administration, configuration, and monitoring for both DirectAccess and VPN connectivity.

Compared with the Windows Server 2008 R2 implementation, the wizard-based setup simplifies DirectAccess management for small and medium-sized organizations. It removes the need for a full PKI deployment and the requirement for a dedicated Internet-facing network adapter configured with two consecutive public IPv4 addresses. In Windows Server 2012, the wizard detects the actual network configuration of the DirectAccess server and automatically selects the most appropriate deployment method, so the administrator does not have to configure IPv6 transition technologies manually.

DirectAccess Clients

A DirectAccess client can be any domain-joined computer running Windows 8 Enterprise, Windows 7 Enterprise, or Windows 7 Ultimate.

Note: With off-premise provisioning, you can join the client computer to a domain without requiring the client computer to be located within your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Teredo is used if the client is separated from the DirectAccess server by a NAT device. Note that the user does not have to be logged on to the computer for this step to complete.

If a firewall or proxy server prevents a 6to4 or Teredo client from connecting to the DirectAccess server, the client automatically falls back to Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), which tunnels the IPv6 traffic inside an SSL connection on TCP port 443.

Network Location Server

A DirectAccess client uses the network location server to determine where it is. If the client can connect to the network location server's URL by using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) and validate its certificate, the client assumes that it is on the intranet and does not enforce the DirectAccess policies. If the network location server cannot be reached, the client assumes that it is on the Internet. The Getting Started Wizard installs the network location server on the DirectAccess server by using the Web Server (IIS) role. Because the client's decision rests entirely on this probe, the network location server must be reachable only from the intranet: if it were reachable from the Internet, a remote client would conclude that it is on the intranet and would never bring up its DirectAccess tunnels.

Note: The URL for the network location server is distributed by using a Group Policy object (GPO).

Internal Resources

You can configure any application that is running on internal servers or client computers to be available to DirectAccess clients. For older applications and servers that do not support IPv6, such as those running Windows Server 2003 or some third-party operating systems, Windows Server 2012 includes native NAT64 and DNS64 support: DNS64 synthesizes IPv6 addresses for IPv4-only hosts in DNS responses, and NAT64 translates the IPv6 traffic from the DirectAccess client to IPv4 for the internal servers.

Active Directory Domain

You must deploy at least one AD DS domain running, at a minimum, the Windows Server 2003 domain functional level. DirectAccess provides integrated multiple-domain support, which allows client computers from different domains to access resources that may be located in other trusted domains.

Group Policy

You need to use Group Policy for the centralized administration and deployment of DirectAccess settings. The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess server, and selected servers.

PKI

PKI deployment is optional in the simplified configuration. DirectAccess can send client authentication requests over an HTTPS-based Kerberos proxy service running on the DirectAccess server, which eliminates the need for a second IPsec tunnel, authenticated with computer certificates, between clients and domain controllers. The Kerberos proxy forwards Kerberos requests to domain controllers on behalf of the client.

However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and force tunneling, you still must implement certificates for authentication for every client that will participate in DirectAccess communication.

DNS Server

When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), the DNS server must run Windows Server 2008 R2 or newer, Windows Server 2008 SP2, or Windows Server 2008 with the Q958194 hotfix, or be a third-party DNS server that can answer queries for the ISATAP router name. Note that Windows DNS servers do not answer queries for the name isatap by default, because it is on the global query block list; you must remove it from that list before ISATAP hosts can discover the router.

NAP Servers

NAP is an optional component of the DirectAccess solution that allows you to provide compliance checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess provides the ability to configure NAP health check directly from the setup user interface.

IPv6 - Technology Overview http://go.microsoft.com/fwlink/?LinkID=269679

Remote Access (DirectAccess, Routing and Remote Access) Overview http://go.microsoft.com/fwlink/?LinkID=269658

DirectAccess Server Deployment Options

DirectAccess server deployment options in Windows Server 2012 include:

• Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different network locations, the DirectAccess client computer running the Windows 8 operating system automatically chooses the closest endpoint. You must specify the endpoint manually for DirectAccess client computers running Windows 7. This also works for Distributed File System (DFS) shares that are redirected to an appropriate AD DS site.

• Multiple domain and multiple forest support. Organizations that have complex multidomain or multiforest infrastructure can deploy DirectAccess servers in multiple domains or forests. In this scenario, DirectAccess client computers can connect to DirectAccess servers located in different domains or forests.

• Deploy a DirectAccess server behind a NAT. You can deploy a DirectAccess server behind a NAT device, with support for a single or multiple interfaces, which removes the prerequisite for a public address. In this configuration, only IP-HTTPS is deployed, which allows a secure IP tunnel to be established by using a secure HTTP connection.

• Support for one-time password (OTP) and virtual smart cards. DirectAccess supports OTP authentication, where users are authenticated by providing a combination of user name, password, and an OTP. This feature requires a PKI deployment. In addition, DirectAccess can use the trusted platform module (TPM)–based virtual smart card, which uses the TPM of a client computer, to act as a virtual smart card for two-factor authentication.

• Support for NIC Teaming. NIC Teaming (network interface card teaming) is supported natively in Windows Server 2012 without third-party drivers, and the DirectAccess server can use a teamed adapter. DirectAccess clients benefit from bandwidth aggregation across the teamed network adapters and from failover if one of the adapters stops working.

• Off-premise provisioning. With the Djoin.exe offline domain join tool, you can provision a non-domain computer with an Active Directory binary large object (BLOB) so that it can be joined to the domain without being connected to the internal network. In Windows Server 2012, the BLOB can also carry the DirectAccess client policies and root certificates, so after the join the computer can reach intranet resources by using DirectAccess.

DirectAccess Tunneling Protocol Options

DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many organizations do not have a native IPv6 infrastructure, and the Internet between the client and the DirectAccess server is IPv4. DirectAccess therefore uses IPv6 transition technologies that tunnel IPv6 packets over IPv4, both across the Internet and inside the intranet, so that IPv6 clients can reach IPv4 internal resources.

DirectAccess tunneling protocols include:

• ISATAP. ISATAP enables IPv6 communication between DirectAccess clients, the DirectAccess server, and other hosts inside the IPv4 intranet. By using ISATAP, the IPv4 network emulates a logical IPv6 subnet, and ISATAP hosts tunnel IPv6 packets to each other inside IPv4 headers, so no changes are needed on IPv4 routers. Windows Vista®, Windows Server 2008, and newer Windows client and server operating systems can act as ISATAP hosts. To use ISATAP, IPv6 must be enabled on the hosts, and the DNS servers must answer queries for the ISATAP router name; on Windows DNS servers this requires removing isatap from the global query block list.

• 6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in an IPv4 header, and then sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the 6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 does not work if clients are located behind an IPv4 NAT device.

• Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4 Internet when the clients are located behind an IPv4 NAT device. Clients that have a private IPv4 address use Teredo to encapsulate IPv6 packets in IPv4 UDP packets and send them over the Internet. The firewall in front of the DirectAccess server must allow inbound User Datagram Protocol (UDP) port 3544 to the server, and the client-side network must allow outbound UDP 3544. You can configure Teredo for DirectAccess clients and the DirectAccess server by using a GPO.

• IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet by tunneling IPv6 packets inside an HTTPS session on TCP port 443. It works from almost any network, including networks behind web proxies, and is used by clients that cannot connect by using 6to4 or Teredo, at the cost of additional encapsulation overhead. You can configure IP-HTTPS for DirectAccess clients and the DirectAccess server by using Group Policy.

For more information on IPv6 transition technologies, visit the following link: http://go.microsoft.com/fwlink/?LinkID=154382

For an overview of Teredo, visit the following link: http://go.microsoft.com/fwlink/?LinkId=169500

For more information on IP HTTPS, visit the following link: http://go.microsoft.com/fwlink/?LinkId=169501

How DirectAccess Works for Internal Clients

A network location server is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access a network location server URL to determine if they are located on the intranet or on a public network. The DirectAccess server also can be the network location server. In some organizations where DirectAccess is a business-critical service, the network location server should be highly available. Generally, the web server on the network location server does not have to be dedicated exclusively to supporting DirectAccess clients.

The network location server must be available from each company location, because the behavior of the DirectAccess client depends on the response from the network location server. Branch locations may need a separate network location server at each branch location to ensure that the network location server remains accessible even when there is a link failure between branches.

How DirectAccess Works for Internal Clients

The DirectAccess connection process happens automatically, without user intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the Name Resolution Policy Table (NRPT), the DirectAccess client instead sends the DNS query to a locally-configured Domain Name System (DNS) server (an intranet-based DNS server). The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the network location server, and during this process it obtains the certificate of the network location server.

3. Based on the certificate revocation list (CRL) distribution points field of the network location server's certificate, the DirectAccess client retrieves the CRL from the distribution point and checks that the certificate has not been revoked. The CRL distribution point must therefore be reachable from the intranet.

4. The probe succeeds only if the HTTPS connection is established, the server certificate validates (including the revocation check), and the HTTP response code is 200. The DirectAccess client then uses the Network Location Awareness service to switch to the domain firewall profile and ignore the DirectAccess policies, because it is on the corporate network.

5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its computer account. Because the client no longer references any DirectAccess rules in the NRPT for the rest of the connected session, all DNS queries are sent through interface-configured DNS servers, also known as intranet-based DNS servers. With the combination of network location detection and computer domain logon, the DirectAccess client configures itself for normal intranet access.

6. Based on the computer’s successful logon to the domain, the DirectAccess client assigns the domain (firewall network) profile to the attached network.

By design, the DirectAccess connection security tunnel rules are scoped for the public and private firewall profiles, and they are disabled from the list of active connection security rules. The DirectAccess client has successfully determined that it is connected to its intranet, and does not use DirectAccess settings, that is NRPT rules or Connection Security tunnel rules. The DirectAccess client can access intranet resources normally. It also can access Internet resources through normal means, such as a proxy server.
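When a client misjudges its location, it helps to run the same probe by hand and see which step fails. The following script is an added example and is not part of the course material. It reproduces the steps above on a Windows 8 client: the NRPT exemption for the network location server name, local name resolution, the HTTPS request, and the chain build with an online revocation check. The URL https://DirectAccess-NLS.adatum.com/ is a placeholder for the one in your DirectAccess client GPO.

```powershell
# Added example, not from the course: reproduce the client's network location check step by step,
# so that a client that wrongly believes it is on the Internet (or on the intranet) can be
# diagnosed. The NLS URL is a placeholder; use the one from your DirectAccess client GPO.
function Test-NetworkLocationServer {
    param([string]$NlsUrl = 'https://DirectAccess-NLS.adatum.com/')   # placeholder
    $fqdn   = ([uri]$NlsUrl).Host
    $result = [ordered]@{
        NlsFqdn = $fqdn; NrptExemption = $false; ResolvedAddress = $null
        HttpStatus = $null; CertificateValid = $false; ChainStatus = $null
    }

    # Step 1: the NRPT must hold an exemption for the NLS name, that is an entry with no DirectAccess
    # DNS server, so the query goes to the interface-configured DNS servers and not through the tunnel.
    $rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $fqdn }
    $result.NrptExemption = [bool]($rule -and -not $rule.DirectAccessDnsServers)

    try {
        $result.ResolvedAddress = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
                                   Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    } catch {
        return [pscustomobject]$result   # on the Internet the probe normally fails here
    }

    # Steps 2 and 4: HTTPS GET, which must return 200 over a validated connection.
    $request = [System.Net.HttpWebRequest]::Create($NlsUrl)
    $request.Timeout = 5000
    try {
        $response = $request.GetResponse()
        $result.HttpStatus = [int]$response.StatusCode
        $response.Close()
    } catch {
        return [pscustomobject]$result   # a name mismatch or an untrusted issuer fails here
    }

    # Step 3: build the chain with an online revocation check against the CRL distribution point.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $request.ServicePoint.Certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $result.CertificateValid = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]$result
}

# The client treats itself as on the intranet only when every step succeeds.
$probe      = Test-NetworkLocationServer
$onIntranet = ($probe.HttpStatus -eq 200) -and $probe.CertificateValid
$probe | Format-List
'Client would conclude: {0}' -f $(if ($onIntranet) { 'intranet' } else { 'Internet' })
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation points at an unreachable CRL distribution point rather than at the network location server itself, which is the most common reason internal clients fall back to DirectAccess behaviour.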

Question: How will you configure the settings for different types of clients that need DirectAccess?

How DirectAccess Works for External Clients

When a DirectAccess client cannot reach the URL address specified for the network location server, the DirectAccess client assumes that it is not connected to the intranet and that it is located on the Internet. When the client computer cannot communicate with the network location server, it starts to use NRPT and connection security rules. The NRPT has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources.

1. The DirectAccess client attempts to access the network location server.

2. The client attempts to locate a domain controller.

3. The client attempts to access intranet resources first, and then Internet resources.

DirectAccess Clients Attempt to Access the Network Location Server

The DirectAccess clients attempt to access the network location server as follows:

1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN corresponds to an exemption rule in the NRPT, the client does not send the query through the DirectAccess server to the intranet DNS server; it sends it to its locally configured DNS server, which on the Internet is typically an ISP's DNS server. That server cannot resolve the intranet name.

2. Because the name cannot be resolved (or, if it can, the HTTPS connection fails), the network location server is unreachable, and the client concludes that it is not on the intranet. It applies the public or private firewall network profile to the attached network.

3. The DirectAccess connection security tunnel rules are scoped to the public and private profiles, so they become active, together with the DirectAccess rules in the NRPT.

The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts to Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates an IPsec tunnel, the infrastructure tunnel, to the DirectAccess server by using IPsec tunnel mode with Encapsulating Security Payload (ESP). The process is as follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server, and forwards it to the DirectAccess client’s TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses Authenticated Internet Protocol (AuthIP) and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. For this tunnel the client authenticates as a computer, with its installed computer certificate and the computer account's NTLMv2 credentials; no user credentials are involved, which is why the infrastructure tunnel can be established before a user logs on.

Note: AuthIP enhances authentication in IPsec by adding support for user-based authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol negotiation and the use of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name query response is sent back to the DirectAccess server and back through the IPsec infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources

The first time that the DirectAccess client sends traffic to an intranet location, such as an email server, that is not on the list of destinations for the infrastructure tunnel, the following process occurs:

1. The application or process that attempts to communicate constructs a message or payload, and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that corresponds with the intranet tunnel which specifies the IPv6 address space of the entire intranet, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account’s Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource, such as an Internet web server, the following process occurs:

1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS client service constructs the DNS name query that is addressed to the IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process creates the first packet to send to the Internet resource. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

6. Because the destination IP address of the packet does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet resource traffic that does not match the connection security rules for either the infrastructure tunnel or the intranet tunnel is sent and received normally.

The process of accessing the domain controller and intranet resources is very similar to the connection process, because both of these processes use NRPT tables to locate an appropriate DNS server to resolve the name queries. However, the main difference is in the IPsec tunnel that is established between the client and DirectAccess server. When accessing the domain controller, all the DNS queries are sent through the IPsec infrastructure tunnel, and, when accessing intranet resources, a second IPsec tunnel is established to access intranet resources.
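The NRPT rules, the two tunnel-mode connection security rules, and the transition technology described in this lesson can all be inspected on the client. The following script is an added example and is not part of the course material; it collects that state on a Windows 8 client by using the DnsClient, NetSecurity, NetTCPIP and DirectAccessClientComponents modules that ship with Windows 8, and classifies the active IPv6 addresses by transition technology. Run it in an elevated prompt.

```powershell
# Added example, not from the course: show the state a DirectAccess client applies once it has
# decided that it is on the Internet, and which transition technology carries the IPv6 traffic.
# Run in an elevated prompt on a Windows 8 client.
function Get-DaNameResolutionRules {
    # Intranet namespaces list the DirectAccess DNS64 address; the NLS entry is an exemption.
    Get-DnsClientNrptPolicy |
        Select-Object Namespace, DirectAccessDnsServers,
                      @{ n = 'Exemption'; e = { -not $_.DirectAccessDnsServers } }
}

function Get-DaTunnelRules {
    # Tunnel-mode connection security rules in the active store: the infrastructure tunnel covers the
    # domain controllers and DNS servers, the intranet tunnel covers the whole intranet IPv6 space.
    foreach ($rule in Get-NetIPsecRule -PolicyStore ActiveStore | Where-Object { $_.Mode -eq 'Tunnel' }) {
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Enabled       = $rule.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ' ')
        }
    }
}

function Get-DaTransitionTechnology {
    # Classify the preferred, non-link-local IPv6 addresses by the tunnel adapter they sit on.
    # Teredo addresses use 2001:0::/32 and 6to4 addresses 2002::/16, but the IP-HTTPS prefix may be
    # derived from a 6to4 prefix, so the adapter alias is the reliable indicator.
    Get-NetIPAddress -AddressFamily IPv6 -AddressState Preferred |
        Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' } |
        ForEach-Object {
            $tech = if ($_.InterfaceAlias -eq 'iphttpsinterface')     { 'IP-HTTPS' }
                    elseif ($_.InterfaceAlias -like 'Teredo*')        { 'Teredo' }
                    elseif ($_.InterfaceAlias -like '6TO4*')          { '6to4' }
                    elseif ($_.InterfaceAlias -like 'isatap*')        { 'ISATAP' }
                    else                                              { 'Native' }
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Address = $_.IPAddress; Technology = $tech }
        }
}

function Get-DaClientState {
    [pscustomobject]@{
        Connection = (Get-DAConnectionStatus)     # Status and Substatus as shown by the client
        Nrpt       = Get-DaNameResolutionRules
        Tunnels    = Get-DaTunnelRules
        Transition = Get-DaTransitionTechnology
    }
}

$state = Get-DaClientState
$state.Connection
$state.Nrpt       | Format-Table -AutoSize
$state.Tunnels    | Format-Table -AutoSize
$state.Transition | Format-Table -AutoSize
```

On an intranet-connected client the tunnel rules are absent from the active store and the NRPT shows no DirectAccess entries, matching the internal-client behaviour described earlier; on an Internet-connected client behind a NAT you should see the Teredo adapter or, if UDP 3544 is blocked, only the iphttpsinterface address.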

Question: If you were using 6to4 instead of Teredo, would you need two sequential public Internet Protocol (IP) addresses on the DirectAccess server?

Demonstration: Running the Getting Started Wizard

In this demonstration, you will see how to configure DirectAccess by running the Getting Started Wizard.

Demonstration Steps

Create security group for DirectAccess client computers

1. On LON-DC1, open the Active Directory Users and Computers console, and create an organizational unit with the name DA_Clients OU. Inside that organizational unit, create a Global Security group with the name DA_Clients.

2. Add LON-CL1 to the DA_Clients security group.

3. Close the Active Directory Users and Computers console

Configure DirectAccess by running the Getting Started Wizard

• On LON-RTR, in the Server Manager console, open the Remote Access Management console, and then run the Getting Started Wizard with the following settings:

a. On the Configure Remote Access page, click Deploy DirectAccess only.

b. Verify that Edge is selected, and then in the Type the public name or IPv4 address used by clients to connect to Remote Access server box, type 131.107.0.10.

c. On the Remote Access Review page, remove Domain Computers, and add DA_Clients as remote clients.

d. Ensure that the Enable DirectAccess for mobile computers only check box is cleared.

e. Restart LON-RTR.

Getting Started Wizard Configuration Changes

The Getting Started Wizard makes multiple configuration changes so that DirectAccess clients can connect to the intranet. These changes include:

• GPO settings. The wizard creates two GPOs. The client GPO is security-filtered to the groups you select, which is what determines which computers receive the DirectAccess client configuration and can connect to the corporate network by using DirectAccess:

o DirectAccess server settings GPO. Defines settings that will apply to DirectAccess servers.

o DirectAccess client settings GPO. Defines settings that will apply to DirectAccess clients.

• Remote clients. In the wizard, you can configure the following client computer settings for DirectAccess:

o Select groups. You can select which groups of client computers will be configured for DirectAccess. By default, the Domain Computers group will be configured for DirectAccess. In the wizard, you can edit this setting and replace the Domain Computers group with a custom security group.

o Enable DirectAccess for mobile computers only. This setting is enabled by default, and it can be disabled in the wizard.

o Network Connectivity Assistant. Network Connectivity Assistant runs on every client computer and provides DirectAccess connectivity information, diagnostics, and remediation support.

o Resources that validate connectivity to an internal network. DirectAccess client computers need information that will help them decide whether they are located on an intranet or the Internet. Therefore, they will contact the resources you provide in this wizard. You can provide a URL that will be accessed by an HTTP request or FQDN that will be contacted by a PING command. By default, this is not configured.

o Helpdesk email address. By default, this setting is not configured.

o DirectAccess connection name. The default name is Workplace Connection.

o Allow DirectAccess clients to use local name resolution. This setting is disabled by default.

• Remote access server. In the wizard, you define the network topology where the DirectAccess server is located:

o On an edge of the internal corporate network, where the edge server has two network adapters.

o On a server located behind an edge device, where the server has two network adapters.

o On a server located behind an edge device, where the server has one network adapter.

One of the preceding settings is already selected in the wizard. The public name or IPv4 address to which DirectAccess clients connect from the Internet is already entered in the wizard. You can also define the network adapter to which the DirectAccess clients connect, as well as the certificate used for IP-HTTPS connections.

• Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect to these servers before they connect to internal corporate resources. By default, two entries are configured: the domain name suffix, and DirectAccess-NLS followed by the domain name suffix. For example, if the domain name is contoso.com, then the following entries are configured: contoso.com and DirectAccess-NLS.contoso.com.

Demonstration: Identifying the Getting Started Wizard Settings

In this demonstration, you will see how to identify the changes made by the DirectAccess Getting Started Wizard.

Demonstration Steps

1. On LON-RTR, switch to the Server Manager console, and then open the Remote Access Management console.

2. In Remote Access Management console, select DirectAccess and VPN.

3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1 Remote Clients, click Edit to display the DirectAccess Client Setup window.

4. Review the default settings of all items in the menu on the left, Deployment Scenario, Select Groups, and Network Connectivity Assistant, and then close the window without saving any changes.

5. In the Remote Access Setup window, under the image of the client computer labeled as Step 2 Remote Access Servers, click Edit to display the Remote Access Server Setup window.

6. Review the default settings of all items in the menu on the left, Network Topology, Network Adapters, and Authentication, and then close the window without saving any changes.

7. In the Remote Access Setup window, under the image of the client computer labeled as Step 3 Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.

8. Review the default settings of all items in the menu on the left, Network Location Server, DNS, DNS Suffix Search List, and Management, and then close the window without saving any changes.

9. In the Remote Access Setup window, under the image of the client computer labeled as Step 4 Application Servers, click Edit to display the DirectAccess Application Server Setup window.

10. Review the default settings for all items, and then close the window without saving any changes.

11. Close all open windows.
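The settings the demonstration reviews in the console can also be read back from Windows PowerShell, and the two defaults a security reviewer usually tightens (the Domain Computers scope and the mobile-only filter) changed there. The following script is an added example, not part of the course material; it assumes the lab names (the ADATUM domain and a DA_Clients group that already exists), the Remote Access module on a Windows Server 2012 DirectAccess server, and the property names shown in the comments.

```powershell
# Added example (not from the course): read back what the Getting Started Wizard configured on the
# DirectAccess server, then narrow the client scope. Run on the DirectAccess server (LON-RTR in the
# lab) as a domain administrator. Assumed names: domain ADATUM, security group DA_Clients.
param([string]$ClientGroup = 'ADATUM\DA_Clients')

Import-Module RemoteAccess

# 1. Overall state: which of DirectAccess/VPN is installed and the two GPOs the wizard created.
Get-RemoteAccess | Format-List DAStatus, VpnStatus, ClientGpoName, ServerGpoName

# 2. Client scope. The wizard defaults to 'Domain Computers' plus a WMI filter that limits the
#    client GPO to mobile computers; both show up here (property names as exposed by Get-DAClient).
$clients = Get-DAClient
"Current client groups : $($clients.SecurityGroupNameList -join ', ')"
"Mobile computers only : $($clients.OnlyRemoteComputers)"

# 3. Server-side choices the wizard made: public name, adapters, IP-HTTPS certificate.
Get-DAServer | Format-List ConnectToAddress, InternetInterface, InternalInterface, IPHttpsCertificate

# 4. The NRPT entries that will be pushed to clients (domain suffix plus the NLS exemption) and the NLS itself.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize
Get-DANetworkLocationServer | Format-List

# 5. Least privilege: every domain computer should not be a DirectAccess client. Replace the broad
#    default with the dedicated group and drop the mobile-only filter (the lab enrolls a desktop, LON-CL1).
if ($clients.SecurityGroupNameList | Where-Object { $_ -like '*\Domain Computers' }) {
    Set-DAClient -SecurityGroupNameList $ClientGroup -OnlyRemoteComputers Disabled
    "Client scope changed to $ClientGroup. Run gpupdate /force on the clients to pick up the new GPO filtering."
}
```

Scoping the client GPO to a group you control, rather than Domain Computers, is what keeps a newly joined or compromised machine from silently acquiring an IPsec path into the intranet.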

Limitations of DirectAccess Deployments When Using the Getting Started Wizard

The Getting Started Wizard is simple to implement, but it is not suitable for deployments that need to support multisite access, that require a highly-available infrastructure, or that require support for computers running Windows 7 in a DirectAccess scenario.

Self-signed Certificates

The Getting Started Wizard creates a self-signed certificate to enable SSL connections to the DirectAccess server and to the network location server. In order for DirectAccess to function, you need to ensure that the CRL distribution point of each certificate is reachable by the clients that validate it: from the Internet for the IP-HTTPS certificate, and from the intranet for the network location server certificate. In addition, the self-signed certificate is supported for single DirectAccess server scenarios only and cannot be used in multisite deployments.

Note: The CRL contains all revoked certificates and reasons for revocation.

Because of these limitations, most companies configure either a public certificate for the DirectAccess and network location servers, or certificates issued by an internal CA. Organizations that have implemented an internal CA can use the web server certificate template to issue certificates to the DirectAccess and network location servers. The organizations must also ensure that the CRL distribution points are accessible: from the Internet for the IP-HTTPS certificate, and from the intranet for the network location server certificate.

Network Location Server Design

The network location server is a critical part of a DirectAccess deployment. The Getting Started Wizard deploys the network location server on the same server as the DirectAccess server. If DirectAccess client computers on the intranet cannot successfully locate and access the secure web page on the network location server, they behave as if they were on the Internet and might not be able to access intranet resources. When DirectAccess clients obtain a physical connection to the intranet or experience a network status change on the intranet, such as an address change when roaming between subnets, they attempt an HTTPS connection to the network location server URL. If the client can establish an HTTPS connection to the network location server and check the revocation status of the web server's certificate, the client determines that it is on the intranet. As a result, the NRPT is disabled on the client, and Windows Firewall is configured to use the Domain profile with no IPsec tunnels.

The network location server needs to be deployed on a highly-available, high-capacity intranet web server. Larger companies will consider implementing the network location server on a Network Load Balanced cluster or by using an external hardware balancer.
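The failure mode described above (clients on the intranet that cannot reach the network location server, or cannot check its certificate's revocation status) is easy to reproduce before it hits users. The following script is an added example, not part of the course; it probes the network location server from a domain-joined client the way the DirectAccess client does, with revocation checking forced on. It assumes the NLS URL the Getting Started Wizard creates in the lab domain (https://DirectAccess-NLS.adatum.com/); change it to match your deployment.

```powershell
# Added example (not from the course): probe the network location server (NLS) as a DirectAccess
# client does when deciding whether it is on the intranet. Run on a domain-joined client that is
# physically on the intranet. Assumed NLS URL: the lab name created by the Getting Started Wizard.
param([string]$NlsUrl = 'https://DirectAccess-NLS.adatum.com/')

function Test-NetworkLocationServer {
    param([string]$Url)
    $result   = [ordered]@{ Url = $Url; Resolves = $false; HttpsOk = $false; Detail = '' }
    $hostName = ([uri]$Url).Host

    # Step 1: the NLS name must resolve on the intranet. On the Internet the same name is an NRPT
    # exemption and must NOT resolve, otherwise clients outside would conclude they are inside.
    $dns = Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue
    if (-not $dns) {
        $result.Detail = 'NLS name does not resolve; the client will behave as if it were on the Internet'
        return [pscustomobject]$result
    }
    $result.Resolves = $true

    # Step 2: HTTPS with revocation checking on, as the client requires. A certificate whose CRL
    # distribution point is unreachable from this network position fails here, which is exactly
    # the self-signed / missing-CDP problem the text warns about.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $result.HttpsOk = ([int]$resp.StatusCode -lt 400)
        $result.Detail  = "HTTP $([int]$resp.StatusCode) from $($resp.ResponseUri)"
        $resp.Close()
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap the PowerShell method-call wrapper
        $result.Detail = 'HTTPS failed: ' + $e.Message
    }
    [pscustomobject]$result
}

Test-NetworkLocationServer -Url $NlsUrl | Format-List
```

Run it twice: once from the intranet (expect Resolves and HttpsOk both True) and once from an external network (expect Resolves False). Any other combination means intranet clients will be misclassified, and the NLS certificate, its CDP, or the NRPT exemption is the place to look.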

Support for Windows 7

The Getting Started Wizard configures the remote access server to act as a Kerberos proxy to perform IPsec authentication without requiring certificates. Client authentication requests are sent to a Kerberos proxy service running on the DirectAccess server. The Kerberos proxy then sends Kerberos requests to domain controllers on behalf of the client. This configuration is only applicable for clients running Windows 8 or Windows Server 2012. If Windows 7 clients need to be supported for DirectAccess, you must deploy a PKI to issue computer certificates for backward compatibility.

Lab A: Implementing DirectAccess by Using the Getting Started Wizard

Scenario

Many users at A. Datum Corporation work from outside the organization. This includes mobile users as well as people who work from home. These users currently connect to the internal network by using a third-party VPN solution. The security department is concerned about the security of the external connections and wants to ensure that the connections are as secure as possible. The support team wants to minimize the number of support calls related to remote access, and would also like to have more options for managing remote computers.

Information Technology (IT) management at A. Datum is considering deploying DirectAccess as the remote access solution for the organization. As an initial proof-of-concept deployment, management has requested that you configure a simple DirectAccess environment that can be used with client computers running Windows 8.

Objectives

After completing this lab, you will be able to:

• Verify that the infrastructure is prepared for the DirectAccess deployment.

• Run the Getting Started Wizard.

• Validate the DirectAccess deployment.

Lab Setup

Estimated Time: 30 minutes

Virtual Machine(s): 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-RTR, 20411C-LON-CL1, 20411C-INET1

User Name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 through 4 for 20411C-LON-SVR1, 20411C-LON-RTR, 20411C-INET1, and 20411C-LON-CL1.

Exercise 1: Verifying Readiness for a DirectAccess Deployment

Scenario

Before you deploy DirectAccess, you need to ensure that the infrastructure is ready for the deployment.

The main tasks for this exercise are as follows:

1. Document the Network Configuration.

2. Verify the Server Readiness for DirectAccess.

Task 1: Document the Network Configuration

Verify the IP address on LON-DC1

1. Switch to LON-DC1.

2. Open Control Panel.

3. Open the Ethernet Properties dialog box.

4. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

5. Document the current IP address, subnet mask, default gateway, and DNS configuration.

Verify network configuration on LON-RTR

1. Switch to LON-RTR.

2. Open Server Manager, and then, from the Tools menu, open Routing and Remote Access.

3. In the Routing and Remote Access console, disable Routing and Remote Access. This step is needed because Routing and Remote Access was preconfigured for this lab.

4. Open Control Panel.

5. Under the Network and Internet section, click View network status and tasks.

6. In Network and Sharing Center window, click on Change adapter settings.

7. In Network Connections window, verify that there are three network adapters: Ethernet, Ethernet 2, and Internet.

8. In the Network Connections window, disable, and then enable, the Ethernet adapter.

9. Repeat step 8 for the Internet network connection.

10. Verify that Ethernet adapter is connected to the domain network adatum.com.

11. Open the Ethernet Properties dialog box.

12. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

13. Verify that the IP address corresponds with the subnet used in the domain network. (The IP address should be 172.16.0.1.)

14. Open the Internet Properties dialog box.

15. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

16. Verify that IP address corresponds with the subnet used to simulate internet connectivity. (The IP address should be 131.107.0.10.)

Verify network configuration on LON-CL1

1. Switch to LON-CL1.

2. Open Control Panel, click Network and Sharing Center and then click on Change adapter settings.

3. Verify that the Ethernet adapter is connected to domain network Adatum.com.

4. Open the Ethernet Properties dialog box.

5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

6. Document the current IP address, subnet mask, default gateway, and DNS configuration.

Verify network configuration on LON-SVR1

1. Switch to LON-SVR1.

2. Open Control Panel and under the Network and Internet section, select View network status and tasks, and then select Change adapter settings.

3. Verify that the Ethernet adapter is connected to domain network Adatum.com.

4. Open the Ethernet Properties dialog box.

5. Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box.

6. Document the current IP address, subnet mask, default gateway, and DNS configuration.

Verify network configuration on INET1

1. Switch to INET1.

2. Open Control Panel, and under the Network and Internet section, click View network status and tasks to open the Network Connections window.

3. Document the current IP address, subnet mask, and DNS configuration of the Ethernet adapter.

Note: The INET1 server role in this module is to simulate the Internet DNS server.

Task 2: Verify the Server Readiness for DirectAccess

1. On LON-DC1, open the Active Directory Users and Computers console, and create an organizational unit with the name DA_Clients OU. Inside that organizational unit, create a global security group with the name DA_Clients.

2. Add LON-CL1 to the DA_Clients security group.

3. Close the Active Directory Users and Computers console.

Results: After completing this exercise, you should have successfully verified the readiness for DirectAccess deployment.

Exercise 2: Configuring DirectAccess

Scenario

You have verified that the infrastructure is prepared for the DirectAccess deployment. A colleague has already installed the role on LON-RTR. You now need to configure DirectAccess on the DirectAccess server by using the Getting Started Wizard.

The main tasks for this exercise are as follows:

1. Configure DirectAccess by Using the Getting Started Wizard.

Task 1: Configure DirectAccess by Using the Getting Started Wizard

1. Switch to LON-RTR.

2. On LON-RTR, in the Server Manager console, select Remote Access Management. Run the Getting Started Wizard in the Remote Access Management console with the following settings:

o On the Configure Remote Access page, click Deploy DirectAccess only.

o Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to Remote Access server box, type 131.107.0.10.

o On the Remote Access Review page, change remote clients to DA_Clients.

o Clear the Enable DirectAccess for mobile computers only check box.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the Getting Started Wizard.

Exercise 3: Validating the DirectAccess Deployment

Scenario

Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start by verifying the changes made by the Getting Started Wizard, and then you will verify that client computers can access the internal network by using DirectAccess.

The main tasks for this exercise are as follows:

1. Verify the GPO Deployment.

2. Test DirectAccess Connectivity.

Task 1: Verify the GPO Deployment

1. Switch to LON-CL1.

2. Open a Command Prompt window, and type gpupdate /force to force a Group Policy refresh on LON-CL1.

3. At the command prompt, type gpresult /R, and verify that the DirectAccess Client Settings GPO is listed under Computer Settings.

Note: If DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then repeat Step 2 and Step 3 on LON-CL1.

4. Type the following command at the command prompt.

netsh name show effectivepolicy

and verify that the following message is displayed under DNS Effective Name Resolution Policy Table Settings: Note: DirectAccess settings are inactive when this computer is inside a corporate network.

5. Simulate moving the client computer LON-CL1 out of the corporate network and onto the Internet by disabling the Ethernet network adapter and enabling the Ethernet 2 network adapter, which is configured with the following values:

o IP address: 131.107.0.20

o Subnet mask: 255.255.255.0

o Preferred DNS server: 131.107.0.100

6. Close all open windows.

Task 2: Test DirectAccess Connectivity

Verify connectivity to the internal network resources

1. Switch to LON-CL1.

2. On LON-CL1, on the taskbar, start Internet Explorer.

3. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

4. Leave the Internet Explorer window open.

5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access the folder content.

6. Close all open windows.

7. Move the mouse pointer to the lower-right corner of the screen, and in the notification area, click search, and in the search box, type cmd.

8. At the command prompt, run the ipconfig command.

Notice that the IP address for the tunnel adapter iphttpsinterface starts with 2002:. This is the IP-HTTPS address; the Getting Started Wizard derives the IP-HTTPS prefix from the 6to4 prefix of the server's public IPv4 address (131.107.0.10), which is why it begins with 2002 rather than with a native IPv6 prefix.

Verify connectivity to the DirectAccess server

1. At the command prompt, type the following command:

netsh name show effectivepolicy

Verify that DNS Effective Name Resolution Policy Table Settings now shows two entries, for adatum.com and DirectAccess-NLS.adatum.com.

2. Open a Windows PowerShell prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.

Verify client connectivity on the DirectAccess server

1. Switch to LON-RTR.

2. In the Remote Access Management console pane, click Remote Client Status.

Notice that the client is connected via IPHttps. In the Connection Details pane, in the lower-right of the screen, note that Kerberos is used for both the Machine and the User authentication, which is the Kerberos proxy configuration that the Getting Started Wizard applies instead of computer certificates.

3. Close all open windows.

Note: After completing the lab, do not revert virtual machines.
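The checks in this exercise can be gathered in one pass on the client, together with the tunnel and IPsec state that the console does not show. The following script is an added example, not part of the course; it runs on a Windows 8 DirectAccess client that is outside the corporate network (the Ethernet 2 position in the lab) and assumes the lab values (domain suffix adatum.com, internal web server lon-svr1.adatum.com) and the cmdlet property names named in the comments.

```powershell
# Added example (not from the course): validate a Windows 8 DirectAccess client from outside the
# corporate network. Collects what the lab checks by hand (NRPT, IP-HTTPS address) plus the tunnel
# and IPsec state. Assumed values: domain suffix adatum.com, internal host lon-svr1.adatum.com.
param(
    [string]$DomainSuffix = '.adatum.com',
    [string]$InternalHost = 'lon-svr1.adatum.com'
)

function Get-DAClientHealth {
    $r = [ordered]@{}

    # Outside the intranet the NRPT must be active and route the domain suffix to the DirectAccess
    # DNS server. No effective rules means the client still believes it is on the intranet.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    $r.NrptRuleCount  = $nrpt.Count
    $r.DomainSuffixDA = [bool]($nrpt | Where-Object { $_.Namespace -eq $DomainSuffix -and $_.DirectAccessDnsServers })

    # Overall status as the Network Connectivity Assistant reports it (ConnectedRemotely is the goal).
    $da = Get-DAConnectionStatus
    $r.Status    = $da.Status
    $r.Substatus = $da.Substatus

    # IP-HTTPS tunnel: state, last error and the 2002:-prefixed address the lab looks for in ipconfig.
    $https = Get-NetIPHttpsState
    $r.IPHttpsState     = $https.State
    $r.IPHttpsLastError = $https.LastErrorCode
    $r.IPHttpsAddress   = (Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                           Where-Object { $_.IPAddress -notlike 'fe80*' } | Select-Object -First 1).IPAddress

    # Name resolution through DNS64: the IPv4-only internal host must come back as an AAAA record.
    $rec = Resolve-DnsName -Name $InternalHost -Type AAAA -ErrorAction SilentlyContinue
    $r.InternalHostAAAA = ($rec | Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1).IPAddress

    # IPsec: with the Getting Started Wizard both tunnels authenticate with Kerberos through the
    # Kerberos proxy; the peer identities are visible in the main-mode SAs.
    $mm = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    $r.MainModeSAs = $mm.Count
    $r.RemoteIds   = ($mm | ForEach-Object { $_.RemoteFirstId } | Select-Object -Unique) -join ', '

    [pscustomobject]$r
}

Get-DAClientHealth | Format-List
```

A healthy client shows NrptRuleCount of at least two, DomainSuffixDA True, Status ConnectedRemotely, an IPHttpsAddress, an AAAA answer for the internal host, and at least one main-mode SA. The first field that deviates from this tells you which layer (Group Policy, name resolution, IP-HTTPS, or IPsec) to troubleshoot.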

Results: After completing this exercise, you should have successfully verified that client computers can access the internal network by using DirectAccess.

Question: Why did you create the DA_Clients group?

Question: How will you configure IPv6 address for client computers running Windows 8 to use DirectAccess?

Lesson 3 Implementing and Managing an Advanced DirectAccess Infrastructure

The Getting Started Wizard in the Remote Access Management console provides an easy way for organizations to configure DirectAccess connectivity for remote clients. However, as you learned in the previous lesson, there are limitations to deploying DirectAccess by using the Getting Started Wizard. Therefore, instead of using the Getting Started Wizard, some organizations choose to deploy DirectAccess by configuring advanced features, such as using PKI, configuring advanced DNS settings, and configuring advanced settings for network location servers and management servers.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe advanced DirectAccess options.

• Explain how to integrate a PKI with DirectAccess.

• Explain how to implement certificates for DirectAccess clients.

• Describe the considerations for planning internal network configuration.

• Explain how to configure advanced DNS settings.

• Describe how to implement network location servers.

• Describe how to implement management servers.

• Describe how to modify the DirectAccess infrastructure.

• Explain how to monitor DirectAccess connectivity.

• Explain how to troubleshoot DirectAccess connectivity.

Overview of the Advanced DirectAccess Options

You can configure advanced DirectAccess options by using the Remote Access Management console, or by using Windows PowerShell. When you install the Remote Access server role, there are two wizards available in the Remote Access Management console for initial DirectAccess deployment:

• The Getting Started Wizard that you can use for deploying DirectAccess quickly.

• The Remote Access Setup Wizard that you can use to configure advanced options for DirectAccess.

The following are the advanced options you can use to configure DirectAccess:

• Scalable and customized PKI infrastructure. The DirectAccess deployment can benefit from a custom PKI solution, whether used with a public or a private CA. You can configure the PKI components according to your organization’s business requirements, for example, to provide support for computers running Windows 7.

• Customized network configuration options. Organizations can benefit from deploying DirectAccess that meets specific network topology and design requirements, including complex scenarios such as multisite and multidomain deployments. You can configure the DirectAccess clients so that they can connect to the corporate network by using multiple Internet connections in different geographical locations as DirectAccess entry points. Customized network configuration options include advanced DNS configurations and firewall settings.

• Scalable and highly-available server deployment. While configuring advanced DirectAccess options, organizations can use a variety of solutions for better scalability of the servers. This helps them achieve their business goal of better remote access performance. Additionally, in cases where DirectAccess is a business critical solution, organizations can deploy multiple servers that are highly available so that no single point of failure exists and users can establish DirectAccess connectivity regardless of any potential issue. You can also configure management servers that will perform management tasks, such as deploying Windows updates on DirectAccess clients and servers.

• Customized monitoring and troubleshooting. Advanced DirectAccess options include customized monitoring and troubleshooting options that will help you to quickly diagnose and resolve any potential DirectAccess issue.

Integrating a PKI with DirectAccess

While planning the implementation of DirectAccess, organizations can choose to use a private or public CA. If an organization has already deployed an internal PKI infrastructure that is used for different purposes, such as user or server authentication, the organization can further customize the current PKI infrastructure in order to enhance the deployment of DirectAccess.

Configuring PKI for DirectAccess includes the following steps:

1. Add and configure the Active Directory Certificate Services server role if it is not already present. At least one server with the Certificate Authority role should be present in the corporate network. The CA server receives certificate requests, issues certificates for network location server and DirectAccess clients and servers, and manages the CRL.

For more information on Active Directory Certificate Services server role on Windows Server 2012, visit the following link: http://go.microsoft.com/fwlink/?LinkID=331165

2. Create the certificate template. DirectAccess needs a web certificate template to be configured on the CA server, which will be used for issuing a certificate to the network location server. The network location server will use its web certificate to authenticate itself to DirectAccess client computers and to encrypt traffic between itself and DirectAccess client computers.

3. Create a CRL distribution point and publish the CRL. When connecting to the network location server, DirectAccess client computers check whether the certificate presented to them by the network location server has been revoked. Therefore, you have to configure your CA server with a CRL distribution point where the CRL will be published and will be accessible to the DirectAccess client computers.

4. Distribute the computer certificates. DirectAccess uses IPsec for encrypting the traffic between DirectAccess client computers and DirectAccess servers. IPsec requires that the CA server issue computer certificates to both DirectAccess client computers and DirectAccess servers. The most efficient way for distributing computer certificates is by using Group Policy.

Implementing Client Certificates for DirectAccess

Organizations that have an environment with computers running Windows 7 can also use DirectAccess. For a computer running Windows 7 to use DirectAccess, a computer certificate for IPsec authentication should be issued to the computer.

The most efficient way for issuing certificates to client computers is by using Group Policy. The steps for configuring a GPO for issuing certificates include:

1. Create a GPO and link the GPO to the organizational unit where DirectAccess client computers are located.

2. Edit the GPO created in the previous step by navigating to Computer Configuration \Policies\Windows Settings\Security Settings\Public Key Policies, and then, at Automatic Certificate Request Settings, configure Automatic Certificate Request to issue the Computer certificate.

3. To apply the GPO settings to the DirectAccess client computers, perform one of the following actions:

o At each DirectAccess client computer, run the gpupdate /force command.

o Restart the DirectAccess client computer.

4. Verify that the GPO has been applied by opening an MMC on a client computer, with Certificates for the Local Computer snap-in added. In the Certificates console, verify that a certificate with the DirectAccess client computer name is present with Intended Purposes of Client Authentication and Server Authentication.
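Step 4 can be checked without clicking through the Certificates console, and the check worth adding is whether the certificate's chain and CRL can actually be fetched from the client's network position, because that is what the IPsec peer verifies. The following script is an added example, not part of the course; it assumes that the certificate subject is the client's FQDN (what the Computer template issues) and that certutil.exe and the PKI module cmdlets of Windows 8 are available.

```powershell
# Added example (not from the course): on a DirectAccess client, confirm that Group Policy
# autoenrollment delivered a computer certificate usable for IPsec, and that its chain and CRL
# can be fetched online. Assumption: the subject CN is the client's FQDN (Computer template).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication

function Get-IPsecComputerCertificate {
    $fqdn = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "CN=$fqdn*" -and
        ($ekus -contains $ClientAuthOid) -and ($ekus -contains $ServerAuthOid)
    }
}

function Test-CertificateChainOnline {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # certutil -verify -urlfetch downloads every AIA and CDP URL in the chain, so a CRL
    # distribution point that is unreachable from here is reported now, not as an IPsec failure.
    $tmp = Join-Path $env:TEMP ("da-" + $Certificate.Thumbprint + ".cer")
    Export-Certificate -Cert $Certificate -FilePath $tmp | Out-Null
    $output = & certutil.exe -verify -urlfetch $tmp 2>&1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        ChainOk    = ($LASTEXITCODE -eq 0)
        UrlFailures = @($output | Select-String -SimpleMatch 'Failed "').Count
    }
}

$certs = @(Get-IPsecComputerCertificate)
if ($certs.Count -eq 0) {
    'No IPsec-capable computer certificate yet; forcing Group Policy and autoenrollment.'
    gpupdate /force | Out-Null
    & certutil.exe -pulse | Out-Null      # runs the autoenrollment task immediately
    $certs = @(Get-IPsecComputerCertificate)
}
if ($certs.Count -eq 0) { 'Still no certificate: check GPO scope and template permissions.' }
$certs | ForEach-Object { Test-CertificateChainOnline -Certificate $_ }
```

ChainOk False with UrlFailures greater than zero on a client that is outside the network is the classic symptom of a CRL distribution point that was published only on the intranet.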

Internal Network Configuration Options

Depending on your organization’s business requirements, you can configure multiple network topologies when deploying an advanced DirectAccess infrastructure.

Consider the following when planning the internal network configuration:

• Plan for DirectAccess server location. You can install the DirectAccess server in different network configurations:

o Edge. The DirectAccess server role service is installed on a computer that acts as an edge server. An edge server also acts as a firewall. The edge server has two network adapters, where one network adapter is connected to the Internet and the other network adapter is connected to the internal network.

o Behind an edge device with two network adapters. In this configuration, the DirectAccess role service is installed on a computer located in a perimeter network behind an edge device. The DirectAccess server has two network adapters, where one network adapter is connected to the perimeter network and the other network adapter is connected to the internal network.

o Behind an edge device with one network adapter. This configuration assumes that the DirectAccess role service is installed on a computer located in the internal network.

• Plan the IP address assignment. You should plan your IP addressing depending on whether your organization has deployed native IPv6 addressing, both IPv6 and IPv4, or IPv4 only addressing. In a scenario where both Internet and intranet IP addressing is IPv4, you have to configure the external network adapter of the DirectAccess server with two consecutive public IPv4 addresses. This configuration is needed by the Teredo tunneling protocol because the DirectAccess server will act as a Teredo server.

• Plan the firewall configuration. The DirectAccess server requires specific ports to be opened on the corporate firewall so that the DirectAccess client computers can connect from Internet to the internal network. Firewall ports needed for DirectAccess on IPv4 network include:

o Teredo traffic. UDP destination port 3544 inbound and UDP source port 3544 outbound.

o 6to4 traffic. IP Protocol 41 inbound and outbound.

o IP-HTTPS traffic. TCP destination port 443 inbound and TCP source port 443 outbound.

o For scenarios where DirectAccess and network location server are installed on the same server with a single adapter, TCP port 62000 on the server should be open.

• Plan for Active Directory. DirectAccess requires at least one domain controller installed on a server running Windows Server 2003 or later Windows server operating systems. The computer where the DirectAccess role service is installed should be a domain member. The DirectAccess client computers also have to be domain members. DirectAccess clients can establish a connection from the Internet with any domain in the same forest as the DirectAccess server and with any domain that has a two-way trust with the DirectAccess server forest.

• Plan for client deployment. Before deploying clients, you should configure the following settings:

o Create a security group for DirectAccess client computers and configure the group membership.

o Configure DirectAccess to be available for all computers in the domain or just for mobile computers.

o Configure the Network Connectivity Assistant.

For more information on deploying DirectAccess clients, visit the following link: http://go.microsoft.com/fwlink/?LinkID=331166
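The firewall and addressing requirements above are easy to audit on the DirectAccess server itself. The following script is an added example, not part of the course; it lists the inbound allow rules exposed on the Internet-facing side of Windows Firewall, flags anything outside the three transition technologies, and checks the two-consecutive-public-address requirement for Teredo. It assumes the Internet-facing adapter is named Internet (the lab value) and the NetSecurity and NetTCPIP modules of Windows Server 2012.

```powershell
# Added example (not from the course): audit what a DirectAccess server in the edge topology
# exposes on its Internet-facing side. The expected inbound set is the three transition
# technologies only; anything else listed is a review finding. Assumed adapter name: 'Internet'.
param([string]$InternetAdapter = 'Internet')

$ExpectedInbound = @(
    @{ Protocol = 'TCP'; Port = '443'  }   # IP-HTTPS
    @{ Protocol = 'UDP'; Port = '3544' }   # Teredo
    @{ Protocol = '41';  Port = 'Any'  }   # 6to4, IP protocol 41, no ports
)

function Get-UnexpectedInboundRules {
    # Rules applying to the Public profile (the Internet adapter) or to all profiles.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        ForEach-Object {
            $pf   = $_ | Get-NetFirewallPortFilter
            $port = ($pf.LocalPort -join ',')
            $ok   = $ExpectedInbound | Where-Object { $_.Protocol -eq $pf.Protocol -and $_.Port -eq $port }
            if (-not $ok) {
                [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $port }
            }
        }
}

function Test-TeredoAddressPair {
    # Teredo needs two consecutive public IPv4 addresses on the Internet adapter.
    param([string]$Adapter)
    $ints = @(Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
        ForEach-Object {
            $b = [System.Net.IPAddress]::Parse($_.IPAddress).GetAddressBytes()
            [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
        } | Sort-Object)
    $consecutive = $false
    for ($i = 1; $i -lt $ints.Count; $i++) {
        if (($ints[$i] - $ints[$i - 1]) -eq 1) { $consecutive = $true }
    }
    [pscustomobject]@{ Adapter = $Adapter; Ipv4Addresses = $ints.Count; ConsecutivePair = $consecutive }
}

'Inbound allow rules on the Internet side that are not part of the DirectAccess set:'
Get-UnexpectedInboundRules | Format-Table -AutoSize
Test-TeredoAddressPair -Adapter $InternetAdapter | Format-List
```

The rule listing is deliberately noisy: management and core networking rules scoped to all profiles show up too, which is the point of the review. Each one either gets restricted to the Domain or Private profile or is accepted with a reason.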

Configuring Advanced DNS Settings

Detailed planning for DNS is very important for the proper configuration of DirectAccess, because many components of the DirectAccess technology use the DNS service. DirectAccess supports a DNS server running Windows Server 2003 or a newer Windows Server operating system. We recommend using Active Directory-integrated DNS.

DNS in DirectAccess is used for the following:

• Resolving network location server. DirectAccess clients attempt to resolve the network location server name in DNS, and then contact the network location server to determine if they are on the internal network.

• Resolving IP-HTTPS server name. The IP-HTTPS name should be resolved by DirectAccess client computers by using public DNS servers.

• Checking certificate revocation. DirectAccess client computers attempt to resolve the name of the CRL distribution point in DNS.

• Answering ISATAP queries. DNS servers should be configured to answer ISATAP queries. By default, the DNS Server service blocks name resolution for the name ISATAP (as well as WPAD) through the DNS Global Query Block List.

• Connectivity verifiers. To verify connectivity to an internal network, DirectAccess creates a default web probe that is used by DirectAccess client computers. For this, the following names should be registered manually in DNS:

o directaccess-webprobehost. Should resolve to the internal IPv4 address of the DirectAccess server or to the IPv6 address in an IPv6-only environment.

o directaccess-corpconnectivityhost. Should resolve to the localhost (loopback) address. Therefore, both A and AAAA records should be created in DNS: the A record should resolve to the IPv4 address 127.0.0.1, and the AAAA record should resolve to the IPv6 address formed from the NAT64 prefix with 127.0.0.1 in the last 32 bits. You can retrieve the NAT64 prefix by running the Get-NetNatTransitionConfiguration cmdlet on the DirectAccess server.
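The two DNS changes above (removing ISATAP from the Global Query Block List and registering the connectivity-verifier names) can be scripted on the DNS server. The following script is an added example, not part of the course; it assumes the lab zone adatum.com and the DirectAccess server's internal address 172.16.0.1, and takes the NAT64 prefix as a parameter because the value shown is only a placeholder. The AAAA value is built by placing 127.0.0.1 in the low 32 bits of that prefix.

```powershell
# Added example (not from the course): register the DirectAccess connectivity-verifier names and
# unblock ISATAP on a Windows Server 2012 DNS server. Run on the DNS server (LON-DC1 in the lab).
# Assumed values: zone adatum.com, DirectAccess internal IPv4 172.16.0.1 (lab values). The NAT64
# prefix is a placeholder: read the real one with Get-NetNatTransitionConfiguration on the
# DirectAccess server and pass it in.
param(
    [string]$ZoneName       = 'adatum.com',
    [string]$DAInternalIPv4 = '172.16.0.1',
    [string]$Nat64Prefix    = 'fd00:1234:5678::/96'   # placeholder, not a lab value
)

function ConvertTo-Nat64Loopback {
    # Build the AAAA value: NAT64 prefix in the high 96 bits, 127.0.0.1 in the low 32 bits.
    param([string]$Prefix)
    $bytes = [System.Net.IPAddress]::Parse($Prefix.Split('/')[0]).GetAddressBytes()
    if ($bytes.Length -ne 16) { throw "Not an IPv6 prefix: $Prefix" }
    $bytes[12] = 127; $bytes[13] = 0; $bytes[14] = 0; $bytes[15] = 1
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).IPAddressToString
}

Import-Module DnsServer

# 1. Global Query Block List: drop 'isatap' but keep everything else. 'wpad' stays blocked, which
#    matters because a WPAD name registered by an attacker would proxy every client's web traffic.
$blockList = (Get-DnsServerGlobalQueryBlockList).List
Set-DnsServerGlobalQueryBlockList -List @($blockList | Where-Object { $_ -ne 'isatap' })

# 2. Web probe host: clients fetch http://directaccess-webprobehost.<zone>/ to prove intranet reachability.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'directaccess-webprobehost' -IPv4Address $DAInternalIPv4

# 3. Corp connectivity host: must answer locally (loopback) in both address families.
Add-DnsServerResourceRecordA    -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -IPv4Address '127.0.0.1'
Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -IPv6Address (ConvertTo-Nat64Loopback $Nat64Prefix)

# 4. Read back what clients will see.
Resolve-DnsName "directaccess-corpconnectivityhost.$ZoneName" | Format-Table Name, Type, IPAddress -AutoSize
```

With the placeholder prefix, ConvertTo-Nat64Loopback returns fd00:1234:5678::7f00:1; with a real prefix it returns the same low 32 bits (7f00:1) under that prefix.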

To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows 8 include the NRPT, a feature that allows DNS servers to be defined per DNS namespace, rather than per interface.

The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client’s behavior for that namespace.

When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT, and:

• If a match is found, the request is processed according to the settings in the NRPT rule.

• If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.

DNS settings on the network interface are configured depending on the client location:

• For a remote client computer, the DNS servers are typically the Internet DNS servers configured through the Internet Service Provider (ISP).

• For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers configured through DHCP.

Single-label names, for example, http://internal, typically have configured DNS search suffixes appended to the name before they are checked against the NRPT.

If no DNS search suffixes are configured, and the single-label name does not match any other single-label name entry in the NRPT, the request is sent to the DNS servers specified in the client’s TCP/IP settings.

Namespaces, such as internal.adatum.com, for example, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, which is typically the DirectAccess server, all DNS requests are sent directly to the DNS server over the DirectAccess connection. The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.

Some names must be treated differently with regards to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client’s TCP/IP settings, you must add them as NRPT exemptions.

NRPT is controlled through Group Policy. When a computer is configured to use NRPT, a name is resolved by checking the following, in this order:

• The local name cache

• The hosts file

• NRPT

If an NRPT rule matches the name, the query is sent to the DNS servers specified in that rule. If no rule matches, the query is sent to the DNS servers specified in the TCP/IP settings.

You may also need to add NRPT rules or exemption rules in the following scenarios:

• If your organization uses multiple domain names in the internal namespace, you have to add the additional DNS suffixes to the NRPT so that they are resolved by intranet DNS servers.

• If the FQDNs of your CRL distribution points are based on the intranet namespace, you have to create exemption rules for the FQDNs of the CRL distribution points, because the client must be able to retrieve the CRL over the Internet before the IPsec tunnels are established.

• If the organization's domain name is the same on the Internet and on the intranet (a split-brain DNS configuration), you have to create exemption rules for the FQDNs of the Internet-facing resources, so that DirectAccess clients on the Internet resolve those names by using Internet DNS rather than intranet DNS.
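The following script is an added example and is not part of the handbook. It models the NRPT decision described above for a DirectAccess client on the Internet, run against a constructed rule table: a namespace with a leading dot is a suffix rule, a namespace without one matches only that exact FQDN, an entry with no name servers is an exemption, single-label names get the search suffixes appended first, and the most specific matching rule wins. The rules, the search suffix and the intranet DNS address are made up for adatum.com and are assumptions; on a real client the live table comes from Get-DnsClientNrptPolicy -Effective or netsh namespace show effectivepolicy.

```powershell
# Constructed rule table (assumed values, modelled on the lab's NRPT).
$NrptRules = @(
    @{ Namespace = '.adatum.com';    NameServers = @('2002:836b:a:1::1') }  # intranet DNS via the DA server (assumed address)
    @{ Namespace = 'nls.adatum.com'; NameServers = @() }                     # exemption: NLS must not resolve over DirectAccess
    @{ Namespace = 'crl.adatum.com'; NameServers = @() }                     # exemption: CRL must be reachable before the tunnels exist
)
$SearchSuffixes = @('adatum.com')

function Resolve-NrptDecision {
    # Returns where a query for $Name is sent: the DNS servers of the matching
    # NRPT rule, or the interface (Internet) DNS servers if exempt or unmatched.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Rules,
        [string[]]$Suffixes = @()
    )
    $candidates = @($Name)
    if ($Name -notmatch '\.') {
        # Single-label name: try each search suffix, then the bare label.
        $candidates = @($Suffixes | ForEach-Object { "$Name.$_" }) + @($Name)
    }
    foreach ($fqdn in $candidates) {
        $matched = $Rules | Where-Object {
            $ns = $_.Namespace
            if ($ns.StartsWith('.')) { $fqdn -like "*$ns" } else { $fqdn -eq $ns }
        }
        # Longest (most specific) namespace wins when several rules match.
        $best = $matched | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
        if ($best) {
            if (@($best.NameServers).Count -eq 0) {
                return [pscustomobject]@{ Name = $fqdn; Rule = $best.Namespace; SentTo = 'Interface DNS (Internet)'; Reason = 'NRPT exemption' }
            }
            return [pscustomobject]@{ Name = $fqdn; Rule = $best.Namespace; SentTo = ($best.NameServers -join ', '); Reason = 'NRPT rule' }
        }
    }
    return [pscustomobject]@{ Name = $Name; Rule = $null; SentTo = 'Interface DNS (Internet)'; Reason = 'No NRPT match' }
}

# Walk a few representative names through the table.
foreach ($n in 'app1.adatum.com', 'nls.adatum.com', 'crl.adatum.com', 'internal', 'www.microsoft.com') {
    Resolve-NrptDecision -Name $n -Rules $NrptRules -Suffixes $SearchSuffixes
}
```

With this table app1.adatum.com and the single-label name internal (expanded to internal.adatum.com) go to the intranet DNS server over DirectAccess, nls.adatum.com and crl.adatum.com are exempt and go to the ISP's DNS servers, and www.microsoft.com matches nothing and also goes to the ISP's DNS servers. If you remove the nls.adatum.com exemption, the name would be resolved over the tunnel, so a client on the Internet could reach the network location server and wrongly conclude that it is on the intranet.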

Implementing Network Location Servers

The network location server hosts the network location server website that can be located on DirectAccess server or on another server in your organization. If the network location server website is located on the DirectAccess server, the website is created automatically when you deploy DirectAccess. If the network location server website is located on another computer running a Windows Server operating system, you have to manually install Internet Information Services (IIS) on that computer, and configure the network location server website.

You should configure network location server to meet the following requirements:

• An HTTPS server certificate is configured for the network location server website.

• The CA that issues the HTTPS certificate for the network location server website must be trusted by the DirectAccess client computers.

• The network location server website server certificate must be checked against a CRL.

• The DirectAccess client computers on the internal network must be able to resolve the name of the network location server.

• The network location server should not be accessible to DirectAccess client computers on the Internet. A client that can reach the network location server concludes that it is on the intranet and does not establish DirectAccess tunnels.

• If DirectAccess is business critical for the organization, the network location server should be configured with high availability for computers located on the internal network.
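The following script is an added example and is not part of the handbook. It checks the certificate requirements listed above from a domain-joined client on the intranet: the HTTPS endpoint answers, the server certificate chains to a CA the client trusts, the chain passes an online revocation (CRL) check, the certificate name matches the host in the URL, and the certificate carries the Server Authentication purpose. It uses only .NET classes that ship with Windows Server 2012; the URL is a parameter, and https://nls.adatum.com/ is the lab's name and an assumption.

```powershell
function Test-DANetworkLocationServer {
    param([Parameter(Mandatory)][uri]$Url)

    if ($Url.Scheme -ne 'https') { throw 'The network location server URL must use HTTPS.' }

    $result = [ordered]@{
        Url = $Url.AbsoluteUri; Reachable = $false; HttpStatus = $null
        Subject = $null; Issuer = $null; NameMatches = $false
        ServerAuthEku = $false; ChainAndCrlOk = $false; ChainStatus = @()
    }

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method  = 'HEAD'
    $request.Timeout = 10000
    try {
        # GetResponse() applies the default trust check, so an issuer the client
        # does not trust already fails here with a TrustFailure status.
        $response = $request.GetResponse()
        $result.HttpStatus = [int]$response.StatusCode
        $result.Reachable  = $true
        $response.Close()
    } catch [System.Net.WebException] {
        $result.ChainStatus = @("WebException: $($_.Exception.Status) - $($_.Exception.Message)")
        return [pscustomobject]$result
    }

    # Certificate the server presented during the handshake.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $request.ServicePoint.Certificate
    $result.Subject = $cert.Subject
    $result.Issuer  = $cert.Issuer

    # Host name in the URL must match the certificate's DNS name.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $result.NameMatches = ($dnsName -eq $Url.DnsSafeHost)

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $result.ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # Rebuild the chain with an online revocation check: this is the CRL lookup the
    # requirement above refers to, and the default GetResponse() validation skips it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $result.ChainAndCrlOk = $chain.Build($cert)
    $result.ChainStatus   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    return [pscustomobject]$result
}

# Usage with the lab's name (assumed):
Test-DANetworkLocationServer -Url 'https://nls.adatum.com/'
```

Run the same function from a computer on the Internet as well: the expected outcome there is a failure to resolve or connect. If it reports Reachable as True from the Internet, the network location server is exposed and DirectAccess clients will not bring up their tunnels.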

Implementing Management Servers

Management servers in a DirectAccess infrastructure are the servers that provide different management tasks, such as Windows Update and antivirus updates. Management servers also perform software or hardware inventory assessments. In a DirectAccess infrastructure, domain controllers are also considered management servers.

DirectAccess clients can automatically discover management servers:

• Domain controllers. DirectAccess servers perform auto-discovery of domain controllers for all domains in the same forest as the DirectAccess server and DirectAccess client computers.

• System Center Configuration Manager servers. DirectAccess servers perform auto-discovery of Microsoft System Center 2012 Configuration Manager servers for all domains in the same forest as the DirectAccess server and DirectAccess client computers.

Discovery of domain controllers and Configuration Manager servers is automatically performed during the initial DirectAccess configuration.

You can display the detected management servers by using the following Windows PowerShell cmdlet:

Get-DAMgmtServer –Type All

After the initial DirectAccess deployment, if any changes are made, such as adding or removing management servers such as domain controllers or Configuration Manager servers, you can update the management servers list by clicking Refresh Management Servers in the Remote Access Management console.

Management servers should meet following requirements:

• Management servers should be accessible over the first tunnel, which is an infrastructure tunnel. During the initial DirectAccess deployment, management servers are, by default, automatically configured to be accessible over the infrastructure tunnel.

• Management servers must fully support IPv6. If native IPv6 is deployed, management servers communicate with DirectAccess clients by using native IPv6 addresses. In an IPv4-only intranet, management servers communicate with DirectAccess clients by using ISATAP.

Demonstration: Modifying the DirectAccess Infrastructure

In this demonstration, you will see how to modify the DirectAccess infrastructure deployed by using the Getting Started Wizard and apply advanced configuration settings.

Demonstration Steps

Configure the Remote Access role

1. On LON-RTR, in the Server Manager console, start the Remote Access Management console, and then click DirectAccess and VPN.

2. Modify the Remote Access Setup configuration by performing the following steps.

3. In the details pane of the Remote Access Management console, under Step 1, click Edit, and then specify the following:

a. Select Groups: Domain Computers.

Note: In a real-world scenario, you would select a security group that contains only the computers that need DirectAccess, instead of allowing DirectAccess for all domain computers.

b. Network Connectivity Assistant – Resource: https://lon-svr1.adatum.com

4. In the details pane of the Remote Access Management console, under Step 2, click Edit.

5. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.10.

6. Select Use a self-signed certificate created automatically by DirectAccess server.

7. On the Network Adapters page, verify that CN=131.107.0.10 is used as a certificate to authenticate IP-HTTPS connection.

8. On the Authentication page, select Use computer certificates, click Browse, and then select AdatumCA.

9. Select Enable Windows 7 client computers to connect via DirectAccess.

10. On the Authentication page, click Finish.

11. In details pane of the Remote Access Management console, under Step 3, click Edit.

12. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended), type https://lon-svr1.adatum.com, and choose Validate.

13. On the DNS page, examine the values, and then click Next.

14. In the DNS Suffix Search List, examine the values, and then click Next.

15. On the Management page, click Finish.

16. In details pane of the Remote Access Management console, display the settings for Step 4.

17. In the Remote Access Setup windows, review the settings, and then click Finish.

18. In the details pane of the Remote Access Management console, click Finish.

19. In the Remote Access Review page, click Cancel.

Note: The DirectAccess configuration is not applied, because additional prerequisites need to be configured, such as AD DS configuration, firewall settings and certificate deployment.

How to Monitor DirectAccess Connectivity

You can monitor DirectAccess connectivity by using the Remote Access Management console. This console contains information on how DirectAccess server components work. By using the Remote Access Management console, you can also monitor DirectAccess client connectivity information. By monitoring DirectAccess connectivity, you can obtain information about DirectAccess role service health that will help you troubleshoot potential connectivity issues.

Remote Access Management console includes the following monitoring components:

• Dashboard. Remote Access Management console includes centralized dashboard for multiple DirectAccess monitored components. It contains the following information: Operation status, Configuration status, DirectAccess, and VPN client status. Information about each of these components is available in separate windows in the Remote Access Management Console.

• Operation Status. Operation status provides information about the health of each DirectAccess component: DNS, DNS64, domain controllers, IP-HTTPS, Kerberos, NAT64, network adapters, network location server, and Network security and services. If the DirectAccess component is healthy, a green check mark appears next to it. If there is any issue with the DirectAccess component, it is marked with a blue question mark. By clicking the component, you can obtain detailed information about the related issue, the cause of the issue, and how to resolve it.

• Remote Access Client Status. Remote Access Client Status displays information about the DirectAccess client computers that connect to the DirectAccess server. The information displayed in this window includes: User Name, Host Name, ISP Address, Protocol/Tunnel, and Duration. For each DirectAccess client connection, you can view more detailed information.

• Remote Access Reporting. Remote Access Reporting provides the same information as Remote Access Client Status, but as a historical DirectAccess client usage report. You can choose the start date and end date for the report. In addition, Remote Access Reporting displays Server Load Statistics, which is statistical connectivity information on: Total DirectAccess sessions, Average sessions per day, Maximum concurrent sessions, and Unique DirectAccess clients.
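The following script is an added example and is not part of the handbook. It pulls the same four views (Operation Status, accounting for Remote Access Reporting, Remote Access Client Status and Server Load Statistics) with the RemoteAccess module cmdlets, so the check can be scheduled or fed to a monitoring system instead of read from the console. Run it on the DirectAccess server. It assumes that Get-RemoteAccessHealth exposes Component and HealthState properties, that Get-RemoteAccessAccounting exposes InboxAccountingStatus, that Get-RemoteAccessConnectionStatistics exposes UserName, and the seven-day reporting window is an arbitrary choice.

```powershell
function Get-DAHealthSummary {
    param([int]$Days = 7)

    # Operation Status: every component that is neither healthy nor intentionally disabled.
    # HealthState values 'OK' and 'Disabled' are assumptions about the cmdlet output.
    $unhealthy = Get-RemoteAccessHealth |
        Where-Object { $_.HealthState -notin @('OK', 'Disabled') }

    # Remote Access Reporting only has data when accounting is on. Inbox accounting
    # stores it locally on the server; RADIUS accounting is the alternative.
    $accounting = Get-RemoteAccessAccounting
    if ($accounting.InboxAccountingStatus -ne 'Enabled') {
        Set-RemoteAccessAccounting -InboxAccountingStatus Enabled
    }

    # Remote Access Client Status: connections that exist right now.
    $connected = @(Get-RemoteAccessConnectionStatistics)

    # Server Load Statistics for the reporting window.
    $end     = Get-Date
    $start   = $end.AddDays(-$Days)
    $summary = Get-RemoteAccessConnectionStatisticsSummary -StartDateTime $start -EndDateTime $end

    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        CheckedAt           = $end
        UnhealthyComponents = @($unhealthy | ForEach-Object { '{0}: {1}' -f $_.Component, $_.HealthState })
        ConnectedClients    = $connected.Count
        ConnectedUsers      = @($connected | Select-Object -ExpandProperty UserName -Unique)
        LoadStatistics      = $summary
    }
}

# Usage: raise a warning when any component needs attention, then show the report.
$report = Get-DAHealthSummary -Days 7
if ($report.UnhealthyComponents.Count -gt 0) {
    Write-Warning ('DirectAccess components need attention: ' + ($report.UnhealthyComponents -join '; '))
}
$report
```

Get-RemoteAccessHealth -Verbose adds the same detail for each component (issue, cause and resolution) that the console shows when you click the component.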

How to Troubleshoot DirectAccess Connectivity

Organizations should develop a troubleshooting methodology for DirectAccess connectivity so that any problem DirectAccess client computers face can be eliminated quickly. The methodology should contain step-by-step instructions on how to diagnose the problem.

You can troubleshoot DirectAccess connectivity by using the following methods:

• Troubleshooting methodology. Whenever DirectAccess client computers are not able to connect to the DirectAccess server, we recommend that you follow a methodology to diagnose the problem. Troubleshooting methodology includes the following steps:

o Confirm that DirectAccess supports the operating system version.

o Confirm that the DirectAccess client computer is a member of the domain.

o Confirm that the DirectAccess client computer received computer configuration Group Policy settings for DirectAccess.

o Confirm that the DirectAccess server computer received computer configuration Group Policy settings for DirectAccess.

o Confirm that the DirectAccess client computer has a global IPv6 address.

o Confirm that the DirectAccess client computer is able to reach the IPv6 addresses of the DirectAccess server.

o Confirm that the intranet servers have a global IPv6 address.

o Confirm that the DirectAccess client computer on the Internet correctly determines that it is not on the intranet.

o Ensure that DirectAccess client computer is assigned the domain firewall profile.

o Confirm that the DirectAccess client computer has IPv6 reachability to its intranet DNS servers, that it can use the intranet DNS servers to resolve and reach intranet FQDNs, and that it can communicate with intranet servers by using application layer protocols.

o Confirm that the DirectAccess client computer is able to establish both IPsec infrastructure and intranet tunnels with the DirectAccess server.

• Command-line tools. Use the following command-line tools for performing the checks according to your troubleshooting methodology:

o Netsh

o Ping

o Nslookup

o Ipconfig

o Certutil

o Nltest

• GUI tools. Use the following GUI tools for performing the checks according to your troubleshooting methodology:

o Remote Access Management console

o Group Policy Management Console (GPMC) and Editor

o Windows Firewall with Advanced Security

o Event Viewer

o Certificates
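The following script is an added example and is not part of the handbook. It runs the first checks of the methodology above from the client side, using the command-line tools listed (gpresult, netsh, nslookup, nltest) together with the NetTCPIP and NetSecurity cmdlets that Windows 8 ships, and collects the raw output in one object so nothing has to be typed by hand. Run it elevated on a Windows 8 DirectAccess client while it is on the Internet. The GPO name, the domain name and the intranet DNS server address are parameters; the values used in the usage line are the lab's and are assumptions.

```powershell
function Invoke-DAClientTriage {
    param(
        [string]$ClientGpoName = 'DirectAccess Client Settings',
        [string]$Domain        = 'adatum.com',
        [Parameter(Mandatory)][string]$IntranetDns   # IPv6 address of the intranet DNS server seen over DirectAccess
    )
    $result = [ordered]@{}

    # Operating system: DirectAccess needs Windows 7 Enterprise/Ultimate or Windows 8 Enterprise.
    $os = Get-CimInstance Win32_OperatingSystem
    $result.OperatingSystem = '{0} {1}' -f $os.Caption, $os.Version

    # Domain membership.
    $cs = Get-CimInstance Win32_ComputerSystem
    $result.DomainJoined = $cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # DirectAccess client GPO applied in the computer scope.
    $gpresult = gpresult /R /SCOPE COMPUTER 2>$null
    $result.ClientGpoApplied = [bool]($gpresult | Select-String -SimpleMatch $ClientGpoName)

    # Global IPv6 addresses (link-local and loopback excluded); one should be on the IP-HTTPS interface.
    $global6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80*' -and $_.IPAddress -ne '::1' }
    $result.GlobalIPv6 = @($global6 | ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, $_.IPAddress })

    # IP-HTTPS interface state as reported by netsh.
    $result.IpHttpsState = (netsh interface httpstunnel show interfaces) -join "`n"

    # Effective NRPT: the intranet suffix must be present, NLS and CRL names should be exempt.
    $result.EffectiveNrpt = (netsh namespace show effectivepolicy) -join "`n"

    # Network location: on the Internet no interface should report DomainAuthenticated.
    $result.NetworkCategory = @(Get-NetConnectionProfile | ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, $_.NetworkCategory })

    # IPv6 reachability to the intranet DNS server, and a lookup through it.
    $result.IntranetDnsReachable = Test-Connection -ComputerName $IntranetDns -Count 2 -Quiet -ErrorAction SilentlyContinue
    $result.DcSrvLookup          = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $IntranetDns 2>&1) -join "`n"

    # IPsec tunnels: quick mode security associations exist once a tunnel to the DA server is up.
    $result.IPsecQuickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count

    # Domain controller locator over the infrastructure tunnel.
    $result.Nltest = (nltest /dsgetdc:$Domain 2>&1) -join "`n"

    [pscustomobject]$result
}

# Usage with the lab's values (assumed intranet DNS address):
Invoke-DAClientTriage -Domain 'adatum.com' -IntranetDns '2002:836b:a:1::1' | Format-List
```

Read the result top to bottom in the order of the methodology: a missing GPO explains everything after it, no global IPv6 address means the transition technology (IP-HTTPS in the lab) never came up, and a DomainAuthenticated network category on an Internet-connected interface means the client reached the network location server and therefore never tried to build tunnels.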

Demonstration: Monitoring and Troubleshooting DirectAccess Connectivity

In this demonstration, you will see how to monitor and troubleshoot DirectAccess connectivity.

Demonstration Steps

Verify DirectAccess Group Policy configuration settings for Windows 8 clients

1. Switch to LON-CL1.

2. Restart LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd. Open the Command Prompt window, and then type the following commands.

gpupdate /force

gpresult /R

3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for the Computer Settings.

Note: If DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as Adatum\Administrator by using the password Pa$$w0rd, and then repeat step 2 on LON-CL1.

Move the client computer to the Internet virtual network

1. Switch to LON-CL1.

2. Simulate moving the client computer LON-CL1 out of the corporate network and to the Internet by disabling the Ethernet network adapter and enabling the Ethernet 2 network adapter, which is configured with the following values:

o IP address: 131.107.0.20

o Subnet mask: 255.255.255.0

o Preferred DNS server: 131.107.0.100

3. Close the Network Connections window.

Verify connectivity to the DirectAccess server

1. On LON-CL1, open a command prompt, and type the following command.

ipconfig

2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.

3. If there is no IP address for the IP-HTTPS interface, type the following commands, restart the computer, and then repeat steps 1 and 2.

netsh interface teredo set state disabled

netsh interface 6to4 set state disabled

4. At the command prompt, type the following command, and then press Enter.

Netsh name show effectivepolicy

Monitoring DirectAccess connectivity

1. Switch to LON-RTR.

2. On LON-RTR, open the Remote Access Management console, and then in the left pane, click Dashboard.

3. Review the information in the central pane, under the DirectAccess and VPN Client Status.

If no information appears, restart LON-CL1, and then perform steps 2 and 3.

4. In the left pane, click Remote Client Status, and then in the central pane, review the information under the Connected Clients list.

5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.

6. In the Configure Accounting window, under Select Accounting Method, click Use inbox accounting, click Apply, and then click Close.

7. In the central pane, under Remote Access Reporting, review the options for monitoring historical data.

Lab B: Deploying an Advanced DirectAccess Solution

Scenario

The proof-of-concept deployment of DirectAccess was a success, so IT management has decided to enable DirectAccess for all mobile clients, including computers running Windows 7. IT management also wants to ensure that the DirectAccess deployment is scalable and provides redundancy.

You need to modify the proof of concept deployment to meet the new requirements.

Objectives

After completing this lab, you will be able to:

• Prepare the infrastructure for the advanced DirectAccess deployment.

• Implement the advanced DirectAccess infrastructure.

• Validate the DirectAccess deployment.

Lab Setup

Estimated Time: 60 minutes

Virtual Machine(s): 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-RTR, 20411C-LON-CL3, 20411C-LON-CL1, 20411C-INET1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 through 4 for 20411C-LON-SVR1, 20411C-LON-RTR, 20411C-INET1, 20411C-LON-CL3, and 20411C-LON-CL1.

Exercise 1: Preparing the Environment for DirectAccess

Scenario

As the first step in implementing the advanced DirectAccess solution, you need to prepare the network infrastructure. You will configure an internal network location server and configure and distribute the required certificates.

The main tasks for this exercise are as follows:

1. Configure the AD DS and DNS requirements.

2. Configure CRL Distribution.

3. Configure Client Certificate Distribution.

4. Configure the Network Location Server and DirectAccess Server Certificates.

Task 1: Configure the AD DS and DNS requirements

Edit the security group for DirectAccess client computers

1. Switch to LON-DC1.

2. Open the Active Directory Users and Computers console, and then in the DA_Clients organizational unit (OU), modify the membership of the DA_Clients group to include LON-CL3 and LON-CL1.

3. Close the Active Directory Users and Computers console.

Configure firewall rules for ICMPv6 traffic to enable subsequent testing of DirectAccess in the lab environment

1. Open the Group Policy Management console, and then open Default Domain Policy.

2. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

3. Create a new inbound rule with the following settings:

o Rule Type: Custom

o Protocol type: ICMPv6

o Specific ICMP types: Echo Request

o Name: Inbound ICMPv6 Echo Requests

4. Create a new outbound rule with the following settings:

o Rule Type: Custom

o Program: All Programs

o Protocol type: ICMPv6

o Specific ICMP types: Echo Request

o Scope: Any IP address

o Action: Allow the connection

o Profile: Domain, Private, Public

o Name: Outbound ICMPv6 Echo Requests

5. Close the Group Policy Management Editor and Group Policy Management console.

Create required DNS records

1. Open the DNS Manager console, and then create new host records with the following settings:

o Name: nls; IP Address: 172.16.0.21

o Name: crl; IP Address: 172.16.0.1

2. Close the DNS Manager console.

Note: The NLS record will be used by the client to determine its network location.

Note: The CRL record will be used by internal clients to check the revocation status of the certificates that are used in DirectAccess.

Remove ISATAP from the DNS global query block list

1. Open the Command Prompt window, type the following command, and then press Enter.

dnscmd /config /globalqueryblocklist wpad

Ensure that the Command completed successfully message appears.

Note: This command replaces the global query block list, which contains wpad and isatap by default, with wpad only. ISATAP names can then be resolved, while WPAD names remain blocked.

2. Close the Command Prompt window.

Configure the DNS suffix on LON-RTR

1. Switch to LON-RTR, and then in the Internet Properties dialog box, open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, open the Advanced TCP/IP Settings dialog box, and then add the Adatum.com DNS suffix.

2. Close the Internet Properties dialog box.

Note: The Internet client needs this suffix when resolving names for internal resources.

Task 2: Configure CRL Distribution

Configure certificate requirements

Note: The following steps prepare the CA with the proper extensions for the CRL distribution point, which will be included in the certificates that the CA issues from now on.

1. Switch to LON-DC1, and then open the Certification Authority console.

2. Configure AdatumCA certification authority with the following extension settings:

o Add Location: http://crl.adatum.com/crld/

o Variable: CAName, CRLNameSuffix, DeltaCRLAllowed

o Location: type .crl at the end of the Location string

o Select Include in CRLs. Clients use this to find Delta CRL locations.

o Select Include in the CDP extension of issued certificates.

o Do not restart Certificate Services.

o Add Location: \\LON-RTR\crldist$\.

o Variable: CAName, CRLNameSuffix, DeltaCRLAllowed

o Location: type .crl at the end of the Location string.

o Select Publish CRLs to this location and select Publish Delta CRLs to this location.

o Restart Certificate Services.

o Close the Certificate Authority console.

Export Root Certificate

Note: In the following steps you will export the root certificate, because it will be required in Labs C and D for configuring VPN and Web Application Proxy.

1. In Certification Authority, open the Properties of AdatumCA.

2. On the General tab, click View Certificate. In the Certificate window, click the Details tab, and then click Copy to File to start the Certificate Export Wizard.

3. Select the DER encoded binary X.509 (.CER) format for exporting the certificate, and then store the certificate in the c:\Root.cer file.

4. Close the Certification Authority console.

Task 3: Configure Client Certificate Distribution

Configure computer certificate auto-enrollment

1. On LON-DC1, open the Group Policy Management console.

2. In the console tree, navigate to Forest: Adatum.com, Domains, and Adatum.com.

3. Edit the Default Domain Policy, and then in the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

4. Under Automatic Certificate Request Settings, configure Automatic Certificate Request to issue the Computer certificate.

5. Close the Group Policy Management Editor and close the Group Policy Management console.

Task 4: Configure the Network Location Server and DirectAccess Server Certificates

Request a certificate for LON-SVR1

1. On LON-SVR1, open a command prompt, type the following command, and then press Enter.

gpupdate /force

2. At the command prompt, type the following command, and then press Enter.

mmc

3. Add the Certificates snap-in for Local computer.

4. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates, request a new certificate, and then under Request Certificates, configure the Adatum Web Certificate with the following setting:

o Subject name: Under Common name, type nls.adatum.com.

5. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com is enrolled with Intended Purposes of Server Authentication.

6. Close the console. When you are prompted to save settings, click No.

Change the HTTPS bindings

Note: In the following steps you will configure the HTTPS binding for the host name nls.adatum.com, which clients will use to determine their network location.

1. Open the Internet Information Services (IIS) Manager console.

2. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.

3. Configure Site Bindings by selecting nls.adatum.com as SSL Certificate.

4. Close the Internet Information Services (IIS) Manager console.

Configure DirectAccess server with the appropriate certificate

1. Switch to LON-RTR.

2. Open a command prompt, and then refresh group policy by typing gpupdate /force.

3. Open Microsoft Management Console by typing mmc, and then add the Certificates snap-in for Local computer.

4. In the Certificates snap-in, in the mmc console, request a new certificate with the following settings:

o Certificate template: Adatum Web Certificate

o Common name: 131.107.0.10

o Friendly name: IP-HTTPS Certificate

5. Close the console.

Note: Instead of issuing a certificate with the IP address in the subject name, in real environment, you can use FQDN of the Internet facing server that will be reachable by the external client.

Create CRL distribution point on LON-RTR

1. Switch to Server Manager.

2. In Internet Information Services (IIS) Manager, create new virtual directory named CRLD, enable browsing for the CRLD directory, and then assign c:\crldist as a home directory.

3. Using the Internet Information Services (IIS) Manager configuration editor, locate the Section drop-down list, and navigate to system.webServer\security\requestFiltering.

4. In the middle pane of the console, locate the allowDoubleEscaping entry, change the value from False to True, and then apply the changes.

5. Close Internet Information Services (IIS) Manager.

Note: You need to set allowDoubleEscaping to True so that clients can access delta CRLs, whose file names have a '+' appended that request filtering otherwise rejects. Because this relaxes request filtering, set it on the CRLD virtual directory only, not on the whole website.
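The following script is an added example and is not part of the handbook. It performs the CRL distribution point steps on the edge server (LON-RTR) with the WebAdministration and SmbShare modules instead of the IIS Manager and File Explorer: it creates the CRLD virtual directory with directory browsing, enables allowDoubleEscaping for that virtual directory only, and creates the CRLDist$ share with the CA's computer account as the only writer. The site name, paths, share name and the ADATUM\LON-DC1$ account are the lab's values and are assumptions.

```powershell
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$VDirName     = 'CRLD'
$PhysicalPath = 'C:\crldist'
$ShareName    = 'CRLDist$'
$CaComputer   = 'ADATUM\LON-DC1$'   # the CA publishes CRLs to the share with its machine account (assumed)

# Folder that holds the published base and delta CRL files.
if (-not (Test-Path $PhysicalPath)) {
    New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
}

# http://crl.adatum.com/crld/ -> C:\crldist, with directory browsing enabled.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $VDirName -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $SiteName -Name $VDirName -PhysicalPath $PhysicalPath | Out-Null
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$VDirName" `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true

# Delta CRL file names end in '+.crl'. Request filtering rejects the '+' unless double
# escaping is allowed; scope that relaxation to the CRLD directory via -Location so the
# rest of the site keeps the default filtering.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$VDirName" `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

# Share for the CA to publish into: full access for the CA computer account only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $PhysicalPath -FullAccess $CaComputer | Out-Null
}

# NTFS: break inheritance, CA account and local admins write, the IIS identities read only.
icacls $PhysicalPath /inheritance:r `
    /grant "${CaComputer}:(OI)(CI)F" `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'IIS_IUSRS:(OI)(CI)R' `
    /grant 'IUSR:(OI)(CI)R' | Out-Null

# After the CA has published (Revoked Certificates > All Tasks > Publish), the base CRL
# must be fetchable over plain HTTP, which is what an Internet-based client will do.
(Invoke-WebRequest -Uri 'http://crl.adatum.com/crld/AdatumCA.crl' -UseBasicParsing).StatusCode
```

The CRL is served over HTTP on purpose: a client validating the IP-HTTPS or IPsec certificate cannot depend on another TLS connection whose certificate would in turn need a revocation check. Integrity comes from the CA's signature on the CRL, not from the transport.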

Share and secure the CRL distribution point

1. Open File Explorer.

2. In File Explorer, share the C:\crldist folder with the share name CRLDist$, and then configure the following permissions:

o Grant Full Control share and NTFS permissions to the LON-DC1 computer account.

Publish the CRL to LON-RTR

This step makes the CRL available on the edge server for Internet-based DirectAccess clients.

1. Switch to LON-DC1.

2. Start the Certification Authority console.

3. In the console tree, open AdatumCA, right-click Revoked Certificates, point to All Tasks, click Publish, and then choose the New CRL option.

4. On the taskbar, start the File Explorer.

5. In File Explorer, open the following location: \\LON-RTR\CRLDist$.

6. In File Explorer, notice the AdatumCA files.

7. Close File Explorer.

Results: After completing this exercise, you will have prepared the environment for implementing advanced DirectAccess infrastructure.

Exercise 2: Implementing the Advanced DirectAccess Infrastructure

Scenario

Now that you have prepared the environment, you can modify the DirectAccess configuration to use the advanced infrastructure components.

The main tasks for this exercise are as follows:

1. Modify the DirectAccess Deployment.

2. Verify the Server and GPO Configuration.

Task 1: Modify the DirectAccess Deployment

Configure the Remote Access role

1. On LON-RTR, open the Server Manager console.

2. In the Server Manager console, start the Remote Access Management console, click DirectAccess and VPN, and complete the Remote Access Setup Wizard by performing the following steps.

3. In the details pane of the Remote Access Management console, under Step 1, click Edit, and then specify the following:

o Select Groups: Verify that DA_Clients (ADATUM\DA_Clients) group is listed.

o Network Connectivity Assistant – Delete the current resource, and add following resource: https://nls.adatum.com

4. In the details pane of the Remote Access Management console, under Step 2, click Edit.

5. On the Network Topology page, verify that Edge is selected, and type 131.107.0.10.

6. On the Network Adapters page, clear selection for Use a self-signed certificate created automatically by DirectAccess and configure 131.107.0.10 that is issued by AdatumCA and is used as a certificate to authenticate IP-HTTPS connection.

7. On the Authentication page, select Use computer certificates, click Browse, and then select AdatumCA.

8. Select Enable Windows 7 client computers to connect via DirectAccess and then click Finish.

Note: To support Windows 7 clients, you need to enable computer certificate authentication with certificates issued by a trusted CA.

9. In details pane of the Remote Access Management console, under Step 3, click Edit.

10. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended); in the Type in the URL of the network location server box, type https://nls.adatum.com, and then click Validate. Ensure that URL is validated.

11. On the DNS page, ensure that nls.adatum.com is listed, and then add crl.adatum.com to the NRPT as an entry with no DNS server. An entry without a DNS server is an exemption, so Internet-based clients resolve crl.adatum.com by using Internet DNS and can retrieve the CRL before the tunnels are established.

12. On the Management page, click Finish.

13. In details pane of the Remote Access Management console, display the settings for Step 4.

14. On the DirectAccess Application Server Setup page, review the settings, and then click Finish.

15. In the details pane of the Remote Access Management console, click Finish.

16. On the Remote Access Review page, click Apply.

17. In the Applying Remote Access Setup Wizard Settings dialog box, click Close.

Task 2: Verify the Server and GPO Configuration

On the Start screen, open the command prompt, and then run the following commands.

gpupdate /force

ipconfig

Verify that LON-RTR has an IPv6 address for Tunnel adapter IP HTTPS Interface starting with 2002.

Results: After completing this exercise, you will have implemented the advanced DirectAccess infrastructure.

Exercise 3: Validating the DirectAccess Deployment

Scenario

With the advanced DirectAccess infrastructure in place, you now need to test the deployment. You will verify that both Windows 8 and Windows 7 clients can connect to the internal network by using DirectAccess.

The main tasks for this exercise are as follows:

1. Verify Windows 8 Client Connectivity.

2. Verify Windows 7 Client Connectivity.

3. Monitor Client Connectivity.

Task 1: Verify Windows 8 Client Connectivity

Verify DirectAccess Group Policy configuration settings for Windows 8 clients

1. Simulate moving the client computer LON-CL1 back from the public network to the intranet network by reverting LON-CL1 in Hyper-V Manager, and then starting LON-CL1.

2. On LON-CL1, in the Command Prompt window run the following commands.

gpupdate /force

gpresult /R

Note: If an error message appears, restart LON-CL1, and perform again Step 2.

3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings.

Verify client computer certificate distribution

1. On LON-CL1, open the Certificates MMC.

2. Verify that a certificate with the name LON-CL1.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.

3. Close the console without saving it.


Verify IP address configuration

1. On LON-CL1, open Internet Explorer, and then go to http://lon-svr1.adatum.com/. The default Internet Information Services (IIS) 8.0 web page for LON-SVR1 appears.

2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8.0 web page for LON-SVR1 appears.

3. Open File Explorer, type \\Lon-SVR1\Files, and then press Enter. You should see a folder window with the contents of the Files folder.

4. Close all open windows.

Move the client computer to the Internet virtual network

1. Switch to LON-CL1.

2. Simulate moving the client computer LON-CL1 out of the corporate network and onto the Internet by disabling the Ethernet network adapter and enabling the Ethernet 2 network adapter.

3. Close the Network Connections window.

Verify connectivity to the DirectAccess server

1. On LON-CL1, open a command prompt, and type the following command.

ipconfig

2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.

3. If there is no IP address for iphttpsinterface, type the following commands, restart the computer, and then repeat steps 1 and 2.

Netsh interface teredo set state disabled

Netsh interface 6to4 set state disabled

Note: In this lab setup, IP-HTTPS connectivity is enabled on the firewall, and the other connectivity methods from the client, such as the Teredo or 6to4 tunneling protocol, are disabled. If you plan to use the Teredo or 6to4 tunneling protocol in a production environment, you do not have to disable them.

4. At the command prompt, type the following command, and then press Enter.

Netsh name show effectivepolicy

Verify that the DNS Effective Name Resolution Policy Table Settings show three entries: adatum.com, crl.adatum.com, and nls.Adatum.com.

5. At the command prompt, type the following command, and then press Enter.

powershell

6. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.

Verify connectivity to the internal network resources

1. On the taskbar, open Internet Explorer, and then go to http://lon-svr1.adatum.com/. You should see the default IIS 8.0 web page for LON-SVR1.

2. Open File Explorer, type \\LON-SVR1\Files, and then press Enter.


3. You should see a folder window with the contents of the Files folder.

4. At the command prompt, type the following command.

ping lon-dc1.adatum.com

5. Verify that you are receiving replies from LON-DC1.adatum.com.

6. At the command prompt, type the following command, and then press Enter.

gpupdate /force

7. Close all open windows.

8. Switch to LON-RTR.

9. Start the Remote Access Management console and review the information on Remote Client Status.

Notice that LON-CL1 is connected via IPHTTPS. In the Connection Details pane, in the bottom-right of the screen, note the use of Machine Certificate, User Ntlm and User Kerberos.

10. Close all open windows.

Task 2: Verify Windows 7 Client Connectivity

Verify DirectAccess Group Policy configuration settings for Windows 7 clients

1. Switch to LON-CL3.

2. Restart LON-CL3, and then sign in as Adatum\Administrator with the password Pa$$w0rd. Open the Command Prompt window, and then type the following commands.

gpupdate /force

gpresult /R

3. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings.

4. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the Gpresult /R command again.

Verify client computer certificate distribution

1. On LON-CL3, open the Certificates MMC.

2. Verify that a certificate with the name LON-CL3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.

3. Close the console window without saving it.

Verify IP address configuration

1. On LON-CL3, open Internet Explorer, and then go to http://lon-svr1.adatum.com/. The default IIS 8.0 web page for LON-SVR1 appears.

2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8.0 web page for LON-SVR1 appears.

3. Open File Explorer, and type \\Lon-SVR1\Files, and then press Enter. You should see a folder window with the contents of the Files folder.

4. Close all open windows.


Move the client computer to the Internet virtual network

1. Switch to LON-CL3.

2. Simulate moving the client computer LON-CL1 out of the corporate network and onto the Internet by disabling the Internal network adapter and enabling the Internet network adapter.

3. Close the Network Connections window.

Verify connectivity to the DirectAccess server

1. On LON-CL3, open a command prompt, and type the following command.

ipconfig

2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.

3. If there is no IP address for iphttpsinterface, type the following commands, and then repeat step 2.

Netsh interface teredo set state disabled

Netsh interface 6to4 set state disabled

Verify the IP address for the Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address.

4. At the command prompt, type the following command, and then press Enter.

Netsh name show effectivepolicy

Verify that the DNS Effective Name Resolution Policy Table Settings show three entries: adatum.com, crl.adatum.com, and nls.Adatum.com.

Verify connectivity to the internal network resources

1. On the taskbar, open Internet Explorer, and go to http://lon-svr1.adatum.com/. You should see the default IIS 8.0 web page for LON-SVR1.

2. Open File Explorer, type \\LON-SVR1\Files, and then press Enter.

3. You should see a folder window with the contents of the Files folder.

4. At the command prompt, type the following command:

ping lon-dc1.adatum.com

5. Verify that you are receiving replies from LON-DC1.adatum.com.

6. At the command prompt, type the following command, and then press Enter.

gpupdate /force

7. Close all open windows.

8. Switch to LON-RTR.

9. Start the Remote Access Management console and review the information on Remote Client Status.

Notice that LON-CL3 is connected via IPHttps.

10. Close all open windows.
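The client-side checks in Task 1 and Task 2 (applied GPO, machine certificate, IP-HTTPS address, NRPT entries, reachability of internal resources) can be gathered into one script so that a helpdesk can run them on a DirectAccess client in a single pass. The following script is an added example and is not part of the 20411C lab. It assumes a Windows 8 client, because Get-NetIPAddress, Get-DnsClientNrptPolicy and Get-DAConnectionStatus are not available on Windows 7 (there the lab's netsh and gpresult commands remain the tools). The GPO name, DNS names and hosts are the lab's; adjust them for another environment.

```powershell
# Added DirectAccess client verification script (not from the course lab).
# Assumes Windows 8 / PowerShell 3.0 with the NetTCPIP, DnsClient and
# DirectAccessClientComponents modules. Names below are the lab's values.
$ExpectedGpo  = 'DirectAccess Client Settings'
$ExpectedNrpt = 'adatum.com', 'crl.adatum.com', 'nls.adatum.com'
$Resources    = 'lon-svr1.adatum.com', 'lon-dc1.adatum.com'

function Test-DaGpoApplied {
    # gpresult /R lists the applied computer GPOs; if the entry is missing,
    # run gpupdate /force again or restart, as the lab's Note says
    $text = (gpresult /R /SCOPE COMPUTER 2>&1) -join "`n"
    return [bool]($text -match [regex]::Escape($ExpectedGpo))
}

function Get-DaMachineCertificate {
    # The computer certificate must carry both EKUs the lab checks for and be unexpired
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.EnhancedKeyUsageList | ForEach-Object FriendlyName
        ($eku -contains 'Client Authentication') -and
        ($eku -contains 'Server Authentication') -and
        ($_.NotAfter -gt (Get-Date))
    }
}

function Get-IpHttpsAddress {
    # IP-HTTPS tunnel interface; in this lab its address starts with 2002
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*iphttps*' -and $_.IPAddress -like '2002:*' }
}

function Get-MissingNrptEntry {
    # Effective NRPT, the PowerShell view of "netsh namespace show effectivepolicy".
    # The domain rule is stored with a leading dot (.adatum.com), hence the -like match.
    $namespaces = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue).Namespace
    $ExpectedNrpt | Where-Object {
        $wanted = $_
        -not ($namespaces | Where-Object { $_ -like "*$wanted" })
    }
}

function Test-DaClient {
    # One report object; empty MissingNrpt and $true everywhere else is the healthy state
    $report = [ordered]@{
        GpoApplied       = Test-DaGpoApplied
        MachineCert      = [bool](Get-DaMachineCertificate)
        IpHttpsAddress   = (Get-IpHttpsAddress | ForEach-Object IPAddress) -join ', '
        MissingNrpt      = (Get-MissingNrptEntry) -join ', '
        ConnectionStatus = (Get-DAConnectionStatus -ErrorAction SilentlyContinue).Status
    }
    foreach ($name in $Resources) {
        # ICMP reply from the intranet host, the PowerShell equivalent of the lab's ping step
        $report["Reach_$name"] = Test-Connection -ComputerName $name -Count 1 -Quiet
    }
    [pscustomobject]$report
}

Test-DaClient | Format-List
```

Run it once while the client is on the intranet (expect ConnectionStatus ConnectedLocally and no IP-HTTPS address) and again after moving it to the Internet network (expect ConnectedRemotely and a 2002 address); the difference between the two reports is exactly what the lab steps verify by hand.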


Task 3: Monitor Client Connectivity

1. Switch to LON-RTR.

2. On LON-RTR, open the Remote Access Management console, and then in the left pane, click Dashboard.

3. Review the information in the central pane, under the DirectAccess and VPN Client Status.

4. In the left pane, click Remote Client Status, and then in the central pane, review the information under the Connected Clients list.

5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.

6. In the Configure Accounting window, under the Select Accounting Method, click Use inbox accounting, click Apply, and then click Close.

7. In the central pane, under Remote Access Reporting, review the options for monitoring historical data.

Note: After completing the lab, do not revert virtual machines.

Results: After completing this exercise, you will have verified that both Windows 8 and Windows 7 clients can connect to the internal network by using DirectAccess.
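The Dashboard, Remote Client Status and Reporting nodes that Task 3 walks through are backed by the RemoteAccess PowerShell module on Windows Server 2012, which lets you script the same review. The script below is an added example and is not part of the course lab. It runs on the Remote Access server (LON-RTR in this lab). The cmdlets exist; the ConnectionType and AuthMethod string values that the filters compare against, and the unit of ConnectionDuration, are assumptions drawn from the console view the lab describes (Machine Certificate, User Ntlm, User Kerberos), so verify them against one real session before relying on the filters.

```powershell
# Added monitoring script for the Remote Access server (not from the course lab).
# Requires the RemoteAccess module on Windows Server 2012; run on LON-RTR.
Import-Module RemoteAccess

# 1. Enable inbox accounting, which is what the lab's Configure Accounting step does;
#    without it there is no historical data for the Reporting node
function Enable-InboxAccounting {
    Set-RemoteAccessAccounting -InboxAccountingStatus Enabled -PassThru
}

# 2. Current sessions, the scripted form of the Remote Client Status view
function Get-CurrentRemoteClient {
    Get-RemoteAccessConnectionStatistics |
        Select-Object UserName, ClientExternalAddress, ConnectionType, AuthMethod,
            @{ n = 'Minutes'; e = { [int]($_.ConnectionDuration / 60) } },  # assumes seconds
            TotalBytesIn, TotalBytesOut
}

# 3. Sessions worth a second look: a DirectAccess session whose authentication does not
#    include the user Kerberos leg the lab expects to see (only the machine tunnel is up),
#    and sessions moving far more data outbound than is normal for this environment
function Find-ReviewWorthySession {
    param([long]$BytesOutThreshold = 1GB)   # threshold is a constructed example value
    Get-RemoteAccessConnectionStatistics | ForEach-Object {
        $flags = @()
        if ($_.ConnectionType -match 'DirectAccess' -and $_.AuthMethod -notmatch 'Kerberos') {
            $flags += 'machine tunnel only (no user Kerberos)'
        }
        if ($_.TotalBytesOut -gt $BytesOutThreshold) {
            $flags += "outbound bytes above $BytesOutThreshold"
        }
        if ($flags) {
            [pscustomobject]@{
                User     = $_.UserName
                External = $_.ClientExternalAddress
                Type     = $_.ConnectionType
                Flags    = $flags -join '; '
            }
        }
    }
}

# 4. Historical view per user for the last N days, as the Reporting node shows it
function Get-RemoteAccessHistory {
    param([int]$Days = 7)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    Get-RemoteAccessConnectionStatistics -StartDateTime $start -EndDateTime $end |
        Group-Object UserName |
        Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
            @{ n = 'BytesIn';  e = { ($_.Group | Measure-Object TotalBytesIn  -Sum).Sum } },
            @{ n = 'BytesOut'; e = { ($_.Group | Measure-Object TotalBytesOut -Sum).Sum } }
}

Enable-InboxAccounting
Get-CurrentRemoteClient | Format-Table -AutoSize
Find-ReviewWorthySession | Format-Table -AutoSize
Get-RemoteAccessHistory -Days 7 | Format-Table -AutoSize
```

Running Get-CurrentRemoteClient while LON-CL1 and LON-CL3 are connected should list both with ConnectionType DirectAccess, matching what the Remote Client Status node shows in the lab.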

Question: Why did you make the CRL available on the Edge server?

Question: Why did you install a certificate on the client computer?


Lesson 4 Implementing VPN

VPN provides secure access to organizations’ internal data and applications to clients and devices that are using the Internet. To properly implement and support a VPN environment within your organization, you must understand how to select a suitable tunnelling protocol, configure VPN authentication, and configure the server role to support your chosen configuration.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe various VPN scenarios.

• Describe the tunnelling protocols used for a VPN connection.

• Describe the VPN authentication options.

• Describe VPN Reconnect.

• Explain how to configure VPN by using the Getting Started Wizard.

• Explain how to configure VPN.

• Describe the purpose of the Connection Manager Administration Kit (CMAK).

• Describe how to create a connection profile.

VPN Scenarios

As in previous versions of Windows Server, there are two types of VPN connection in Windows Server 2012:

• Remote access

• Site-to-site

Remote Access VPN Connections

Remote access VPN connections enable your users who are working offsite, such as at home, at a customer site, or from a public wireless access point, to access a server on your organization’s private network by using the infrastructure that a public network, such as the Internet, provides. From the user’s perspective, the VPN is a point-to-point connection between the computer, the VPN client, and your organization’s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN Connections

Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to establish routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.


A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router, the VPN client, authenticates itself to the answering router, the VPN server, and for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following properties:

• Encapsulation. With VPN technology, private data is encapsulated with a header containing routing information that allows the data to traverse the transit network.

• Authentication. Authentication for VPN connections takes the following three forms:

o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method, and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server.

o Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. We recommend computer-certificate authentication because it is a much stronger authentication method than a preshared key. Computer-level authentication is only performed for L2TP/IPsec connections.

o Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the other end of the connection and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.

• Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data, and then the receiver decrypts it. The encryption and decryption processes depend on the sender and the receiver both using a common encryption key.

Packets that are intercepted in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key’s length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.


VPN Tunneling Protocol Options

PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames, and then transmits the encapsulated PPP packets across a point-to-point link. PPP was defined originally as the protocol to use between a dial-up client and a network access server.

PPTP

You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet, and a second interface on the intranet.

PPTP enables you to encrypt and encapsulate in an IP header multiprotocol traffic that is then sent across an IP network or a public IP network, such as the Internet:

• Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a TCP connection for tunnel management, and a modified version of Generic Route Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.

• Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption by using encryption keys that are generated from the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames are encrypted. PPTP uses the underlying PPP encryption and encapsulates a previously encrypted PPP frame.

L2TP

L2TP enables you to encrypt multiprotocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), and represents the best features of both.

Unlike PPTP, the Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption to encrypt PPP datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.

To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the Windows 8, Windows 7, Windows Vista, and Windows XP remote access clients. VPN server support for L2TP is built in to Windows Server 2012, Windows Server 2008, and Windows Server 2003 products.

The encapsulation and encryption methods for L2TP are described as follows:

• Encapsulation. Encapsulation for L2TP/IPsec packets consists of two layers, L2TP encapsulation, and IPsec encapsulation. L2TP encapsulates and encrypts data in the following way:

o First layer. The first layer is the L2TP encapsulation. A PPP frame, an IP datagram, is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.

o Second layer. The second layer is the IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec ESP header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses that correspond to the VPN client and server.

• Encryption. The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.

SSTP

SSTP is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and web proxies, which otherwise might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload by using the following encapsulation and encryption methods:

• Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connection over port 443 both for tunnel management and for carrying the PPP data frames.

• Encryption. The SSTP message is encrypted with the SSL channel of the HTTPS protocol.

IKEv2

Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. IKEv2 supports mobility, making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable users to move easily between wireless hotspots, or between wireless and wired connections.

The use of IKEv2 and IPsec enables support for strong authentication and encryption methods:

• Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH) for transmission over the network.

• Encryption. The message is encrypted with one of the following protocols by using encryption keys that are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, and 3DES encryption algorithms.

IKEv2 is supported only on computers that are running Windows 8, Windows Server 2012, Windows 7, and Windows Server 2008 R2. IKEv2 is the default VPN tunneling protocol in Windows 7 and Windows 8.

VPN Authentication Options

The authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the process of establishing a connection. The following methods are supported by the Remote Access role.

PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is included in Microsoft Windows Server 2012 to support older client operating systems that support no other authentication method.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to encrypt the response. Various vendors of network access servers and clients use CHAP. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol, such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.

MS-CHAP v2

MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:

1. The authenticator, that is the remote access server or the computer that is running NPS, sends a challenge to the remote access client. The challenge consists of a session identifier and an arbitrary challenge string.

2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.

3. The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.

4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

EAP

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a remote access connection. The remote access client and the authenticator, either the remote access server or the Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication scheme to be used. Routing and Remote Access includes support for EAP-Transport Level Security (EAP-TLS) by default. You can plug in other EAP modules to the server that is running Routing and Remote Access to provide other EAP methods.

Other Options

In addition to the previously mentioned authentication methods, there are two other options that you can enable when selecting an authentication method:

• Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather the lack of one. Unauthenticated access allows remote systems to connect without authentication. You should never enable this option in a production environment because it leaves your network at risk. However, this option can sometimes be useful for troubleshooting authentication issues in a test environment.

• Machine Certificate for Internet Key Exchange version 2 (IKEv2). Select this option if you want to use VPN Reconnect.
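The tunneling protocol and authentication choices described in the two preceding topics can be seen side by side in a client connection profile. The following script is an added example and is not part of the course; it uses the VpnClient module cmdlets (Add-VpnConnection, Get-VpnConnection, Remove-VpnConnection) that ship with Windows 8 and Windows Server 2012. The server name vpn.adatum.com and the profile names are constructed values. It creates the weakest combination the page describes (PPTP with PAP) next to a hardened one (IKEv2 with a machine certificate, the combination VPN Reconnect requires), then audits every profile on the machine against the properties the page lists.

```powershell
# Added example (not from the course). Requires the VpnClient module (Windows 8 /
# Windows Server 2012). vpn.adatum.com and the profile names are constructed values.
$Server = 'vpn.adatum.com'

# Weak profile: PPTP carries PPP with no computer-level authentication and no data
# origin authentication, and PAP sends the user password in plaintext. Created here
# only so that the audit below has something to flag.
Add-VpnConnection -Name 'Adatum-Legacy' -ServerAddress $Server `
    -TunnelType Pptp -AuthenticationMethod Pap -EncryptionLevel NoEncryption -Force

# Hardened profile: IKEv2 with a machine certificate (mutual computer-level
# authentication through IKE), encryption mandatory, no split tunneling, and
# no cached credentials on the client.
Add-VpnConnection -Name 'Adatum-IKEv2' -ServerAddress $Server `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -SplitTunneling:$false -RememberCredential:$false -Force

function Get-WeakVpnProfile {
    # Flags any profile that still relies on PPTP, PAP, CHAP, or optional/no encryption.
    # AuthenticationMethod is an array on the connection object; -contains is
    # case-insensitive, so 'Pap' matches however the value is cased.
    Get-VpnConnection -ErrorAction SilentlyContinue | ForEach-Object {
        $issues = @()
        if ($_.TunnelType -eq 'Pptp') {
            $issues += 'PPTP: no computer-level or data origin authentication'
        }
        if ($_.AuthenticationMethod -contains 'Pap') {
            $issues += 'PAP: plaintext password'
        }
        if ($_.AuthenticationMethod -contains 'Chap') {
            $issues += 'CHAP: requires reversibly encrypted password'
        }
        if ($_.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $issues += "encryption level $($_.EncryptionLevel)"
        }
        if ($issues) {
            [pscustomobject]@{
                Name       = $_.Name
                TunnelType = $_.TunnelType
                Issues     = $issues -join '; '
            }
        }
    }
}

# Expected: Adatum-Legacy is reported with three issues; Adatum-IKEv2 is not listed
Get-WeakVpnProfile | Format-Table -AutoSize

# Remove the deliberately weak profile once the comparison has been made
Remove-VpnConnection -Name 'Adatum-Legacy' -Force
```

The audit function is the part worth keeping: run it under each user profile (or with -AllUserConnection added to Get-VpnConnection for machine-wide profiles) to find connections that were created before the organization settled on IKEv2 or SSTP with EAP.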


What Is VPN Reconnect?

In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and access it continuously without interruption. For example, users might want to securely access data that is on the company’s server from a branch office or while they are traveling.

To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7. With this feature, users can access the company’s data by using a VPN connection, which will reconnect automatically if connectivity is interrupted. VPN Reconnect, therefore, enables roaming between different networks.

VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN connectivity. Users who connect via wireless mobile broadband will benefit most from this capability. Consider a user with a laptop that is running Windows 8. When the user travels to work in a train, the user connects to the Internet with a wireless mobile broadband card, and then establishes a VPN connection to the company’s network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card reconnects automatically to the Internet. With earlier versions of Windows client and server operating systems, VPN did not reconnect automatically. Therefore, the user would have to repeat the multistep process of connecting to the VPN manually. This was time-consuming and frustrating for mobile users with intermittent connectivity.

With VPN Reconnect, Windows Server 2012 and Windows 8 reestablish active VPN connections automatically when Internet connectivity is reestablished. Even though the reconnection might take several seconds, users do not need to reinstate the connection manually, or authenticate again to access internal network resources.

The system requirements for using the VPN Reconnect feature are:

• Windows Server 2012 or Windows Server 2008 R2 as a VPN server.

• Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2 client.

• PKI, because a computer certificate is required for a remote connection with VPN Reconnect. You can use certificates issued by either an internal or public CA.


VPN Configuration by Using the Getting Started Wizard

You can configure VPN by using the Getting Started Wizard in the Remote Access Management console. You can use this wizard to configure both DirectAccess and VPN, DirectAccess only, or VPN only. If you choose to configure VPN only, the Routing and Remote Access console will be displayed. In this console, you can enter the VPN configuration settings and deploy the VPN solution.

Before deploying your organization’s VPN solution, consider the following configuration requirements:

• Your VPN server requires two network interfaces. You must determine which network interface will connect to the Internet, and which network interface will connect to your private network. During the configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.

• Determine whether remote clients receive IP addresses from a DHCP server on your private network or from the remote access VPN server that you are configuring. If you have a DHCP server on your private network, the remote access VPN server can lease 10 addresses at a time from the DHCP server, and then assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can automatically generate and assign IP addresses to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.

• Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients on your private network.

Note: To enable a RADIUS infrastructure, install the Network Policy and Access Services server role. The NPS can act as either a RADIUS proxy or a RADIUS server.

• By default, the Getting Started Wizard configures Windows Authentication for VPN clients.

• Ensure that the person who is responsible for the deployment of your VPN solution has the necessary administrative group memberships to install the server roles and configure the necessary services. Membership in the local Administrators group is required to perform these tasks.


Options for Modifying the VPN Configuration

After you complete the steps to deploy and initially configure your VPN solution, your server is ready for use as a remote access VPN server. However, the following are the additional tasks that you can perform on your remote access or VPN server:

• Configure static packet filters. Add static packet filters to better protect your network.

• Configure services and ports. Choose which services on the private network you want to make available for remote access users.

• Adjust logging levels. Configure the level of event details that you want to log. You can decide which information you want to track in log files.

• Configure the number of VPN ports. Add or remove VPN ports.

• Create a Connection Manager profile for users. Manage the client connection experience for users, and simplify configuration and troubleshooting of client connections.

• Add AD CS. Configure and manage a CA on a server for use in a PKI.

• Increase remote access security. Protect remote users and the private network by enforcing use of secure authentication methods, requiring higher levels of data encryption, and more.

• Increase VPN security. Protect remote users and the private network by methods such as requiring the use of secure tunneling protocols or by configuring account lockout.

• Consider implementing VPN Reconnect. Consider adding VPN Reconnect to reestablish VPN connections automatically for users who temporarily lose their Internet connections.

Demonstration: Configuring VPN

In this demonstration, you will see how to:

• Review the default VPN configuration.

• Verify the certificate requirements for IKEv2 and SSTP.

• Configure the remote access server.

Demonstration Steps

Review the default VPN configuration

1. Switch to LON-RTR.

2. From Server Manager, open the Remote Access Management Console and from the Remote Access Management Console, enable VPN.

3. From Server Manager, open the Routing and Remote Access console.

4. In the Routing and Remote Access console, in the navigation pane select Ports and then verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP. Modify the number of ports for each type of connection to 5.


5. In the Routing and Remote Access console, verify that:

o IPv4 Remote Access Server is selected.

o SSL Certificate Binding Certificate 131.107.0.10 is selected.

o EAP is selected as authentication protocol.

o VPN server is configured with IPv4 address assignment with Dynamic Host Configuration Protocol (DHCP).

6. Close the Routing and Remote Access console.

Verify certificate requirements for IKEv2 and SSTP

1. Switch to LON-RTR.

2. From the Start screen, open an MMC console, and then add the Certificates – Computer Account snap-in.

3. In the Certificates console, verify that certificate 131.107.0.10 has Intended Purpose for Server Authentication (this is required for SSTP and IKEv2 VPN connectivity).

4. Close the console without saving changes.

Configure the Remote Access server

1. On LON-RTR, from Server Manager, open the Network Policy Server console.

2. In the Network Policy Server console, disable all network policies and create a new Remote Access Server (VPN-Dial up) network policy named VPN Policy with the following settings:

o Windows Groups: IT

o Specify Access Permission: Access granted

o Configure Authentication Methods: clear the Microsoft Encrypted Authentication (MS-CHAP) check box and add EAP-MSCHAP v2 and Microsoft: Smart Card or other certificate.

o Complete the wizard by accepting the default settings on the other pages of the wizard.

What Is the Connection Manager Administration Kit?

You can use the CMAK to customize users’ remote connection options by creating predefined connections to remote servers and networks. The CMAK wizard creates an executable file, which you can then distribute in many ways, or include during deployment activities as part of the operating system image.

Connection Manager is a client network connection tool that allows a user to connect to a remote network, such as an ISP or a corporate network protected by a VPN server. You can use this tool to customize the remote connection experience for users on your network by creating predefined connections to remote servers and networks. You use the CMAK wizard to create and customize a connection for your users.

CMAK is an optional component that is not installed by default. You must install CMAK to create connection profiles that your users can install to access remote networks.


Distributing the Connection Profile

The CMAK wizard compiles the connection profile into a single executable file with an .exe file name extension. You can deliver this file to users through any method that is available to you. Some methods to consider are:

• Including the connection profile as part of the image that is included with new computers.

You can install your connection profile as part of the client computer images that are installed on your organization’s new computers.

• Delivering the connection profile on removable media for the user to install manually.

You can deliver the connection-profile installation program on a CD/DVD, USB flash drive, or any other removable media that you permit your users to access. Some removable media support autorun capabilities, which allow you to start the installation automatically when the user inserts the media into the client computer.

• Delivering the connection profile with automated software distribution tools.

Many organizations use a desktop management and software deployment tool such as Configuration Manager, previously called Systems Management Server. Configuration Manager provides the ability to package and deploy software that is intended for your client computers. The installation can be invisible to your users, and you can configure it to report back to the management console whether the installation was successful or not.

Demonstration: How to Create a Connection Profile

In this demonstration, you will see how to:

• Install the CMAK feature.

• Create a connection profile.

• Examine the profile.

Demonstration Steps

Install the CMAK feature

1. If necessary, on LON-CL1, sign in as Adatum\administrator with the password Pa$$w0rd.

2. Open Control Panel, and turn on a new Windows feature named RAS Connection Manager Administration Kit (CMAK).

Create a connection profile

1. From Administrative Tools, open the Connection Manager Administration Kit.

2. Complete the Connection Manager Administration Kit Wizard to create the connection profile.

Examine the created profile

• Use Windows Explorer to examine the contents of the folder that you created with the Connection Manager Administration Kit Wizard to create the connection profile. Usually, you would now distribute this profile to your users.


Lab C: Implementing VPN

Scenario

The DirectAccess deployment is working very well, but there are a number of computers deployed at A. Datum that cannot connect by using DirectAccess. For example, some home users are using computers that are not members of the A.Datum.com domain. Other users are running operating system versions that do not support DirectAccess. To enable remote access for these computers, you must deploy a VPN solution.

Objectives

After completing this lab, you will be able to:

• Implement VPN.

• Validate the VPN deployment.

Estimated Time: 45 minutes

Virtual Machine(s): 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-RTR, 20411C-LON-CL1

User Name: Adatum\Administrator

Password: Pa$$w0rd

Exercise 1: Implementing VPN

Scenario

The first step in implementing VPN is to modify the remote access server configuration to provide VPN connectivity. You need to ensure that the clients can connect to the server by using IKEv2 and SSTP.

The main tasks for this exercise are as follows:

1. Review the Default VPN Configuration.

2. Verify Certificate Requirements for IKEv2 and SSTP.

3. Configure the Remote Access Server.

Task 1: Review the Default VPN Configuration

1. Switch to LON-RTR.

2. In the Remote Access Management console, from the Actions pane, select Enable VPN.

3. In the Routing and Remote Access console, verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP. Modify the number of ports for each type of connection to 5.

4. In the Routing and Remote Access console, verify that:

o IPv4 Remote Access Server is selected.

o SSL Certificate Binding Certificate 131.107.0.10 is selected.

o EAP is selected as authentication protocol.

o VPN server is configured to assign IPv4 addressing by using Dynamic Host Configuration Protocol (DHCP).

5. Close the Routing and Remote Access console.


Task 2: Verify Certificate Requirements for IKEv2 and SSTP

1. Switch to LON-RTR.

2. On the Start screen, open an MMC console, and then add the Certificates – Computer Account snap-in.

3. In the Certificates console, verify that certificate 131.107.0.10 has Intended Purpose for Server Authentication (this is required for SSTP and IKEv2 VPN connectivity).

4. Close the console without saving changes.
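The certificate check in this task (and in the earlier demonstration) can be scripted instead of done by eye in the MMC. The following is an added example, not part of the course handbook: it inspects every certificate in the LON-RTR computer store for the properties SSTP and IKEv2 depend on (Server Authentication EKU, private key, validity, and the name clients connect to, assumed here to be 131.107.0.10 as in the lab), and binds the first acceptable one for SSTP with the RemoteAccess module.

```powershell
# Added example (not from the handbook). Run on LON-RTR in an elevated PowerShell window.
# Assumption: clients connect to the VPN server by the address 131.107.0.10, so that
# name must appear in the certificate subject CN or a subject alternative name entry.
$ExpectedName  = '131.107.0.10'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedName
    )
    $problems = @()

    # SSTP (TLS) and IKEv2 both require the Server Authentication EKU.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }

    # The server must hold the private key to complete the TLS or IKE handshake.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    # Expired or not-yet-valid certificates are rejected by the client.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }

    # The address the clients dial must match the subject CN or a SAN entry,
    # otherwise SSTP clients fail certificate validation.
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=host, IP Address=131.107.0.10"; keep the values.
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    if ($names -notcontains $ExpectedName) { $problems += "name '$ExpectedName' not in subject or SAN" }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Report on every certificate in the computer's personal store.
$candidates = Get-ChildItem Cert:\LocalMachine\My
$report = $candidates | ForEach-Object { Test-VpnServerCertificate -Certificate $_ -ExpectedName $ExpectedName }
$report | Format-Table Thumbprint, Subject, Ok, Problems -AutoSize

# Bind the first acceptable certificate for SSTP (the "SSL Certificate Binding" setting in Task 1).
$good = $candidates | Where-Object {
    (Test-VpnServerCertificate -Certificate $_ -ExpectedName $ExpectedName).Ok
} | Select-Object -First 1
if ($good) {
    Set-RemoteAccess -SslCertificate $good
} else {
    Write-Warning "No certificate in Cert:\LocalMachine\My satisfies the SSTP/IKEv2 requirements."
}
```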

Task 3: Configure the Remote Access Server

1. On LON-RTR, from Server Manager, open the Network Policy Server console.

2. In the Network Policy Server console, in the navigation pane, expand Policies, and then click Network Policies.

3. Disable the existing network policies and create a new network policy with the following settings:

o Policy name: VPN Policy

o Type of network access server: Remote Access Server(VPN-Dial up)

o Windows Groups: IT

o Specify Access Permission: Access granted

o Configure Authentication Methods: Clear the Microsoft Encrypted Authentication (MS-CHAP) check box, add Microsoft Secured password (EAP-MSCHAP v2), and then Microsoft: Smart Card or other certificate.

4. Complete the wizard by accepting the default settings on the other pages of the wizard.

Results: After completing this exercise, you will have modified the remote access server configuration to provide VPN connectivity.

Exercise 2: Validating the VPN Deployment

Scenario

Now that you have deployed the VPN solution, you will verify that the clients that cannot connect using DirectAccess can connect using VPN. You also want to test the DirectAccess offline domain join feature.

The main tasks for this exercise are as follows:

1. Remove the Client Computer from the Domain.

2. Verify that DirectAccess Does Not Work.

3. Configure a VPN Connection and Verify Connectivity.

4. Rejoin the Computer to the Domain by Using DirectAccess Offline Domain Join.

5. Verify DirectAccess connectivity.

Task 1: Remove the Client Computer from the Domain

1. Switch to LON-CL1.

2. Open Control Panel.


3. In Control Panel, remove LON-CL1 from the Adatum.com domain, and add LON-CL1 to a workgroup named WORKGROUP.

4. If prompted for username and password in the Windows Security dialog box, for username type Administrator, for password type Pa$$w0rd, and then click OK.

5. Restart LON-CL1.

Task 2: Verify that DirectAccess Does Not Work

1. When the LON-CL1 computer restarts, sign in with the user name Admin and password Pa$$w0rd.

2. Open Internet Explorer, then in the Address bar, type https://nls.adatum.com/, and then press Enter. Notice that you are unable to open the website.

3. Leave the Internet Explorer window open.

4. On the taskbar, open File Explorer, type \\Lon-SVR1\Files, and then press Enter. Notice that the Network Error message appears.

5. Close all open windows.

Note: The client is unable to open the resource by using DirectAccess because this feature is not available for workgroup computers.

Task 3: Configure a VPN Connection and Verify Connectivity

1. On LON-CL1, open the Control Panel.

2. In Control Panel, start the Set up a new connection or network wizard with the following settings:

3. Choose a connection option: Connect to a workplace

4. How do you want to connect: Use my Internet connection (VPN)

5. Do you want to set up Internet connection before continuing: I’ll set up an Internet connection later

6. Internet address: 131.107.0.10

7. Destination name: Adatum VPN, and select Allow other people to use this connection

8. Configure the Adatum VPN connection to allow the following protocol: Microsoft CHAP version 2 (MS-CHAP v2).

9. Open the Adatum VPN connection, and then sign in with user name Adatum\Danielle and password Pa$$w0rd.

10. Verify that you are now connected to Adatum by using the PPTP connection.

Note: To verify the type of connection, you can view the status of the connection in the Network Connections window in Control Panel.

Note: If you are unable to connect, restart LON-CL1 and then perform step 9 again.

Note: In the following steps you will import the certificate of AdatumCA into Trusted Root Certification Authorities so that the clients trust the certificate on the VPN server and can establish a VPN connection by using the SSTP protocol.

11. Open File Explorer, then open \\172.16.0.10\C$ and then install the Root.cer certificate on LON-CL1 to Local Machine by choosing the Place all certificates in the Trusted Root Certification Authorities option.


12. On the Start screen, open a command prompt, open an MMC console, and then add the Certificates - Local Computer snap-in.

13. In the Certificates console, in the navigation pane, navigate to Trusted Root Certification Authorities\Certificates and then verify that AdatumCA certificate exists.

14. Switch to Network and Sharing Center, and then open the Adatum VPN Properties dialog box; on the Security tab, select IKEv2 and Use Extensible Authentication Protocol (EAP).

15. Disconnect the Adatum VPN and connect once again.

16. Open the Adatum VPN connection, and then sign in with user name Adatum\Danielle and password Pa$$w0rd.

17. Verify that now the connection is established by using IKEv2 protocol.

18. Open the Adatum VPN Properties dialog box, and then on the Security tab, select Secure Socket Tunneling Protocol (SSTP) and Use Extensible Authentication Protocol (EAP).

19. Disconnect the Adatum VPN and connect once again with Adatum VPN connection, and then if the Network sign-in dialog box appears, sign in with user name Adatum\Danielle and password Pa$$w0rd.

20. Verify that now the connection is established by using SSTP protocol.

21. Disconnect the Adatum VPN connection.
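The same connection can be built and exercised from PowerShell, which makes it easy to confirm which tunnel actually came up for each protocol. The following is an added example, not part of the course handbook: it uses the VpnClient and PKI modules to trust AdatumCA (step 11), create the Adatum VPN entry with PPTP and MS-CHAP v2 (steps 3 to 8), and then switch it to IKEv2 and to SSTP with EAP (steps 14 to 20), reporting the negotiated tunnel type after each connection. The Root.cer path and the use of New-EapConfiguration with no switches for EAP-MSCHAP v2 are assumptions.

```powershell
# Added example (not from the handbook). Run on LON-CL1 in an elevated PowerShell window.
$Name   = 'Adatum VPN'
$Server = '131.107.0.10'
$User   = 'Adatum\Danielle'

# Step 11 equivalent: trust the issuing CA so the SSTP server certificate validates.
# Assumption: Root.cer is reachable at \\172.16.0.10\C$ as in the lab.
Import-Certificate -FilePath '\\172.16.0.10\C$\Root.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 3-8 equivalent: PPTP, MS-CHAP v2, encryption required, usable by all users of this PC.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -AllUserConnection -Force

function Connect-AdatumVpn {
    # Dials the entry with rasdial.exe ('*' prompts for the password rather than
    # putting it on the command line) and reports the tunnel that was negotiated.
    param([string]$ConnectionName, [string]$UserName)
    rasdial.exe $ConnectionName $UserName '*' | Out-Null
    $c = Get-VpnConnection -Name $ConnectionName -AllUserConnection
    [pscustomobject]@{ Tunnel = $c.TunnelType; Status = $c.ConnectionStatus }
}

function Disconnect-AdatumVpn {
    param([string]$ConnectionName)
    rasdial.exe $ConnectionName /disconnect | Out-Null
}

# Steps 9-10 equivalent: expect Tunnel = Pptp, Status = Connected.
Connect-AdatumVpn -ConnectionName $Name -UserName $User
Disconnect-AdatumVpn -ConnectionName $Name

# Steps 14-17 equivalent: IKEv2 with EAP. IKEv2 user authentication on Windows is
# EAP only, so an EAP configuration is required; with no switches New-EapConfiguration
# produces EAP-MSCHAP v2 (assumption noted in the lead-in).
$eap = New-EapConfiguration
Set-VpnConnection -Name $Name -TunnelType Ikev2 -AuthenticationMethod Eap `
    -EapConfigXmlStream $eap.EapConfigXmlStream -AllUserConnection -Force
Connect-AdatumVpn -ConnectionName $Name -UserName $User     # expect Tunnel = Ikev2
Disconnect-AdatumVpn -ConnectionName $Name

# Steps 18-20 equivalent: SSTP with EAP. SSTP runs over TLS on 443, so this is the
# connection that depends on the AdatumCA trust imported above.
Set-VpnConnection -Name $Name -TunnelType Sstp -AuthenticationMethod Eap `
    -EapConfigXmlStream $eap.EapConfigXmlStream -AllUserConnection -Force
Connect-AdatumVpn -ConnectionName $Name -UserName $User     # expect Tunnel = Sstp
Disconnect-AdatumVpn -ConnectionName $Name                  # step 21
```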

Task 4: Rejoin the Computer to the Domain by Using DirectAccess Offline Domain Join

Provision computer account data in Active Directory

1. Switch to LON-DC1.

2. Open Server Manager, and from the Tools menu, open the Group Policy Management console.

3. In the Group Policy Management console, open the Direct Access Client Settings console, and in the Details pane, select the entire Unique ID string, including the braces, right-click, and then click Copy. Record the Unique ID for the GPO. (Copy the Unique ID to Notepad.)

4. Minimize the Group Policy Management console.

5. Open the Windows PowerShell window, and then type the following command.

Djoin.exe /provision /domain adatum.com /machine LON-CL1 /savefile client.txt /policynames "DirectAccess Client Settings" /POLICYPATHS "c:\windows\SYSVOL\sysvol\adatum.com\policies\[unique ID of Group Policy Object copied in previous step]\Machine\Registry.pol" /reuse

6. At the Windows PowerShell command prompt, type the following command.

Copy .\client.txt C:\

Note: You are copying the Client.txt file to C:\, which will be accessible to the VPN client via the Internet. This is done so that the client computer can download the file and use the Djoin.exe command to run the file to perform an offline domain join.

Add the client computer to the DA_Clients group

• At the Windows PowerShell command prompt, type the following command.

Add-ADGroupMember -Identity DA_Clients -Members LON-CL1$


Note: No output or confirmation is received. You can use ADAC to confirm that the CLIENT computer account was added to the DA_Clients group.

Configure the client by using the offline domain join file

1. Switch to LON-CL1, then connect to LON-RTR by using the VPN SSTP connection you created in the previous task, and if the Windows Security dialog box appears, sign in with username Adatum\Danielle and password Pa$$w0rd.

2. Open File Explorer, connect to the address \\172.16.0.10\c$, and copy the client.txt file. On LON-CL1, create a folder named Client File, and then paste client.txt into the Client File folder.

3. On LON-CL1, start the Command Prompt (Admin) and in the Administrator: Command Prompt window, type the following commands and press Enter after each command.

copy "c:\Client File\client.txt" c:\windows

cd ..

Djoin.exe /requestodj /loadfile client.txt /windowspath C:\Windows /localos

Note: You run djoin.exe from the c:\windows folder because the client.txt file that contains the AD DS blob is located in the c:\windows folder.

4. At the command prompt, type the following command, and then press Enter to restart LON-CL1.

Shutdown /t 0 /r /f

Task 5: Verify DirectAccess connectivity

1. When the computer restarts, sign in with the user name Adatum\Administrator and password Pa$$w0rd.

2. On LON-CL1, open Internet Explorer, and in the address bar, type http://lon-svr1.adatum.com/. The default IIS 8.0 web page for LON-SVR1 appears.

3. In the address bar, type https://nls.adatum.com/, and then press Enter. Notice that you are unable to open the website.

4. Close Internet Explorer.

5. On the taskbar, click File Explorer, and then open \\LON-SVR1\Files. Notice that you can access the Network share.

6. Close all open windows.

Note: After completing the lab, do not revert virtual machines.

Results: After completing this exercise, you will have verified that the clients that cannot connect by using DirectAccess can now connect by using VPN.

Question: In the lab, you configured the VPN server to allocate an IP address configuration by using a static pool of addresses. Is there a way to automate IP configuration?

Question: Why was DirectAccess not working when we removed LON-CL1 from the Adatum.com domain?


Lesson 5 Implementing Web Application Proxy

Many organizations need to provide access to web applications that are on the corporate network to users who are not on the corporate network, but who connect to the corporate network through the Internet. The process of configuring an application so that it is accessible from the Internet is called publishing. Windows Server 2012 R2 introduces the Web Application Proxy role service, which you can use for publishing applications. Web Application Proxy is deployed as a component of the Remote Access role in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain Web Application Proxy.

• Identify the authentication options for Web Application Proxy.

• Explain how to publish applications with Web Application Proxy.

• Explain how to publish a secure website.

What Is Web Application Proxy?

Web Application Proxy is a Remote Access role service that is new in Windows Server 2012 R2. This role service, by functioning as a reverse web proxy, provides access to internal corporate web applications to users who remotely connect to the corporate network. Web Application Proxy uses the AD FS technology to preauthenticate Internet users, and acts as an AD FS proxy for publishing claims-aware applications.

You must deploy AD FS before you install Web Application Proxy. AD FS provides users with Single Sign On (SSO) functionality, which means that, if users enter their credentials for accessing a corporate web application once, they will not be asked to enter their credentials again for subsequent access to the corporate web application for the remainder of that session. AD FS is required during the Web Application Proxy configuration process. After Web Application Proxy configuration is complete, you can publish both claims-aware applications that use AD FS preauthentication and web applications that use pass-through preauthentication.

A typical scenario for Web Application Proxy server placement is in the perimeter network between two firewall devices. The AD FS server and applications that are published are located in the corporate network, together with domain controllers and other internal servers and are protected by the second firewall. This scenario provides secure access to corporate applications for users located on the Internet, and, at the same time, protects the corporate IT infrastructure from security threats from the Internet.


What Is AD FS?

AD FS is the Microsoft implementation of an identity federation solution that uses claims-based authentication. AD FS provides the mechanisms to implement both the identity provider and the service provider components in an identity federation deployment. In Windows Server 2012, AD FS is included as a server role that you can install by using Server Manager. When you install the server role, all required operating system components are installed automatically.

AD FS Features

The following are some of the key features of AD FS:

• Web SSO. Many organizations have deployed AD DS. After authenticating to AD DS through Integrated Windows authentication, users can access all other resources that they have permission to access within the AD DS forest boundaries. AD FS extends this capability to intranet or Internet-facing applications, thereby enabling customers, partners, and suppliers to have a similar, streamlined user experience when they access an organization’s web-based applications.

• Web services interoperability. AD FS is compatible with the web services specifications. AD FS employs the federation specification of WS-*, called WS-Federation. WS-Federation enables environments that do not use the Windows identity model to federate with Windows environments.

• Support for different types of clients. Because AD FS is based on the WS-* architecture, it supports federated communications between any WS-enabled endpoints, including communications between servers and different types of clients, such as computers, devices and applications.

• Extensible architecture. AD FS provides an extensible architecture that organizations can use to modify AD FS to coexist with their current security infrastructure and business policies.

• Enhanced security. AD FS also increases security by allowing each individual organization in a federation to manage its own identities, and, at the same time, securely share and accept identities and credentials from other organizations.

Authentication Options for Web Application Proxy

Web Application Proxy in Windows Server 2012 R2 supports two types of preauthentication:

• AD FS preauthentication. AD FS preauthentication uses AD FS for web applications that use claims-based authentication. When a user initiates a connection to the corporate web application, the first entry point the user will connect to is the Web Application Proxy. Next, Web Application Proxy will preauthenticate the user in the AD FS server, and if the authentication is successful, Web Application Proxy will establish a connection to the web server in the corporate network where the application is hosted.

• Pass-through preauthentication. Pass-through preauthentication does not use AD FS for authentication, and Web Application Proxy does not preauthenticate the user. Instead, the user is connected to the web application through Web Application Proxy, and the web application itself, if it is configured for authentication, authenticates the user.

AD FS preauthentication provides the following benefits when compared to pass-through preauthentication:

• Workplace join. Workplace join is a new feature in AD FS in Windows Server 2012 R2, which allows devices that are not members of the Active Directory domain—such as smartphones, tablets, or non-company laptops—to be added to a workplace. After these non-domain devices are added to the workplace, you can configure them for AD FS preauthentication.

• SSO. SSO allows users that are preauthenticated by AD FS to enter their credentials only once to sign onto a corporate network. If users subsequently access other applications that use AD FS for authentication, they will not be prompted again for their credentials.

• Multifactor authentication. Multifactor authentication allows you to configure multiple types of credentials in order to strengthen security. For example, you can configure that users enter user names and passwords together with activating smart cards.

• Multifactor access control. Multifactor access control is used in organizations that want to strengthen their security in publishing web applications by implementing authorization claim rules. These rules are configured so that they issue permit or deny claims, which determine whether a user or a group is allowed or denied access to a web application that is using AD FS preauthentication.

Publishing Applications with Web Application Proxy

After the Web Application Proxy server role is installed, you need to configure it by using the Web Application Proxy Configuration Wizard from the Remote Access Management console. When the Web Application Proxy Configuration Wizard completes, it creates the Web Application Proxy console which you can use for further management and configuration of the Web Application Proxy.

Web Application Proxy Configuration Wizard requires that you enter the following information during the initial configuration process:

• AD FS name. To locate this name, open the AD FS Management console, under Edit Federation Service Properties, find the value in the Federation Service name box.

• Credentials of local administrator account for AD FS.

• AD FS Proxy Certificate. A certificate to be used by Web Application Proxy for AD FS proxy functionality.


After completing the Web Application Proxy Configuration Wizard, you need to publish your web application by using the Web Application Proxy console. You need to provide the following information for publishing the web application:

• The type of preauthentication (AD FS or pass-through).

• The application that will be published.

• The external URL of the application, for example, https://lon-svr1.adatum.com.

• A certificate whose subject name covers the external URL, for example, lon-svr1.adatum.com.

• The URL of the back end server. Note that this value is automatically entered when you enter the external URL.

Demonstration: Publishing a Secure Website

In this demonstration, you will see how to:

• Install the Web Application Proxy role service.

• Configure access to an internal web site.

• Disable DirectAccess on a client computer.

• Verify access to the internal website from the client computer.

Demonstration Steps

Install the Web Application Proxy role

1. Switch to LON-RTR.

2. Open Server Manager from the Start screen, and then on the Dashboard page, click Add roles and features.

3. In the Add Roles and Features Wizard, on the Select server roles page, expand Remote Access, and then select Web Application Proxy.

Obtain certificate for the ADFS1 farm

1. Open an MMC console, add the Certificates - Computer account snap-in, and then request a new certificate with the following settings:

a. Subject Name: Common Name adfs1.adatum.com

b. Alternative name: DNS adfs1.adatum.com, lon-svr1.adatum.com, enterpriseregistration.adatum.com.

2. Close all open windows.

Obtain certificate for the web site on LON-SVR1

1. Switch to LON-SVR1.

2. Open an MMC console, add the Certificates - Computer account snap-in, and then request a new certificate with the Subject Name Common Name lon-svr1.adatum.com

3. Open the Internet Information Services (IIS) Manager console.

4. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.


5. Configure Site Bindings by entering lon-svr1.adatum.com as a host name and selecting lon-svr1.adatum.com as SSL Certificate.

6. Close the Internet Information Services (IIS) Manager console.

Configure Web Application Proxy

1. On LON-RTR, from Server Manager, open the Remote Access Management console, and in the navigation pane, click Web Application Proxy and run the Web Application Proxy Configuration Wizard.

2. In the Web Application Proxy Configuration Wizard, for Federation service name, enter the FQDN of the federation service: adfs1.adatum.com.

3. In the User name and Password boxes, enter Administrator and Pa$$w0rd.

4. On the AD FS Proxy Certificate page, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, adfs1.adatum.com

5. On the Results page, verify that the configuration was successful, and then close the wizard.

6. If you receive an error message, switch to LON-SVR4, and ensure that all services that are configured to start automatically are started. If not, start the services manually. Repeat steps from 1 to 5.

Publish internal web site

1. On LON-RTR (the Web Application Proxy server), in the Remote Access Management console, in the navigation pane, start the Publish New Application Wizard.

2. On the Preauthentication page, select Pass-through.

3. In the Name box, enter a friendly name for the application, LON-SVR1 Web.

4. In the External URL box, enter the external URL for this application https://lon-svr1.adatum.com.

5. In the External certificate list, select the certificate adfs1.adatum.com.

6. In the Backend server URL box, ensure that https://lon-svr1.adatum.com is listed. Note that this value is automatically entered when you enter the external URL.

7. On the Confirmation page, review the settings, and then click Publish.

8. On the Results page, ensure that the application published successfully, and then click Close.

Configure internal web site authentication

1. Switch to LON-SVR1.

2. From Server Manager, open the Internet Information Services (IIS) Manager console.

3. In the Internet Information Services (IIS) Manager console, navigate to Default Web Site.

4. Configure Authentication for the Default Web Site with the following settings:

a. Windows Authentication - Enabled.

b. Anonymous Authentication - Disabled.

5. Close the Internet Information Services (IIS) Manager console.

Disable DirectAccess on client computer

1. Switch to LON-CL1.

2. Open Control Panel.

3. In Control Panel, remove LON-CL1 from the Adatum.com domain, add LON-CL1 to a workgroup named WORKGROUP, and then restart LON-CL1.


Verify access to the internal website from the client computer

1. Switch to LON-CL1, and sign in with username Admin and password Pa$$w0rd.

2. On LON-CL1, open Internet Explorer, and then type the following address: https://lon-svr1.adatum.com.

3. In the Internet Explorer window, click Continue to this website (not recommended).

Note: This is expected behavior, since in this lab environment the LON-SVR1 certificate is not trusted by LON-CL1. In a real-world scenario, a trusted certificate should be used by the published server.

4. When prompted, in the Internet Explorer dialog box, type Adatum\Bill for the user name and Pa$$w0rd for the password, click OK, and then verify that the default IIS 8.0 web page for LON-SVR1 opens.

5. If you are unable to connect to https://lon-svr1.adatum.com, perform the following steps:

6. On LON-CL1, open the Registry Editor window, navigate to HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig and notice the three entries starting with DA.

7. In the Registry Editor window, in the navigation pane, delete each of the entries starting with DA, and then close the Registry Editor window.

8. Restart LON-CL1 and perform steps from 1 to 3 to verify connectivity to default IIS 8.0 web page on LON-SVR1.


Lab D: Implementing Web Application Proxy

Scenario

The remote access deployment is working very well at A. Datum, but IT management also wants to enable users from partner companies to access some internal applications. These users should not have access to any internal resources except for the specified applications. You need to implement and test Web Application Proxy for these users.

Objectives

After completing this lab, you will be able to:

• Implement Web Application Proxy.

• Validate the Web Application Proxy deployment.

Estimated Time: 30 minutes

Virtual Machine(s): 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-SVR4, 20411C-LON-RTR, 20411C-INET1, 20411C-LON-CL1

User Name: Adatum\Administrator

Password: Pa$$w0rd

Exercise 1: Implementing Web Application Proxy

Scenario

You need to implement Web Application Proxy to enable external users to access applications at A. Datum. The initial deployment will be used as a proof-of-concept while the developers at A. Datum modify the internal applications to use claims-based authentication.

The main tasks for this exercise are as follows:

1. Install the Web Application Proxy Role Service.

2. Configure Access to an Internal Website.

Task 1: Install the Web Application Proxy Role Service

Install the Web Application Proxy role service

1. Switch to LON-RTR.

2. Open Server Manager from the Start screen, and then on the Dashboard page, click Add roles and features.

3. In the Add Roles and Features Wizard, on the Select server roles page, expand Remote Access, and then select Web Application Proxy.

Task 2: Configure Access to an Internal Website

Obtain certificate for the ADFS1 farm

1. Open an MMC console, add the Certificates - Computer account snap-in, and then request a new certificate with the following settings:

a. Subject Name: Common Name adfs1.adatum.com

b. Alternative name: DNS adfs1.adatum.com, lon-svr1.adatum.com, enterpriseregistration.adatum.com.


Configure bindings for the web site on LON-SVR1

1. Switch to LON-SVR1.

2. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.

3. Configure Site Bindings by entering lon-svr1.adatum.com as a host name and selecting lon-svr1.adatum.com as SSL Certificate.

4. Close the Internet Information Services (IIS) Manager console.

Configure Web Application Proxy

1. Switch to LON-RTR.

2. From Server Manager, open the Remote Access Management console, and in the navigation pane, click Web Application Proxy and run the Web Application Proxy Configuration Wizard.

3. In the Web Application Proxy Configuration Wizard, for Federation service name, enter the FQDN of the federation service: adfs1.adatum.com.

4. In the User name and Password boxes, enter Administrator and Pa$$w0rd.

5. On the AD FS Proxy Certificate page, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, adfs1.adatum.com

6. On the Results page, verify that the configuration was successful, and then close the wizard.

7. If you receive an error message, switch to LON-SVR4 and ensure that all services that are configured to start automatically are running. If any are not, start them manually, and then repeat steps 1 through 5.

Publish the internal web site

1. On the Web Application Proxy server, in the Remote Access Management console, in the navigation pane, start the Publish New Application Wizard.

2. On the Preauthentication page, select Pass-through.

3. In the Name box, enter a friendly name for the application: LON-SVR1 Web.

4. In the External URL box, enter the external URL for this application: https://lon-svr1.adatum.com.

5. In the External certificate list, select the certificate adfs1.adatum.com.

6. In the Backend server URL box, ensure that https://lon-svr1.adatum.com is listed. Note that this value is automatically entered when you enter the external URL.

7. On the Confirmation page, review the settings, and then click Publish.

8. On the Results page, ensure that the application published successfully, and then click Close.

Configure internal web site authentication

1. Switch to LON-SVR1.

2. From Server Manager, open the Internet Information Services (IIS) Manager console.

3. In the Internet Information Services (IIS) Manager console, navigate to Default Web Site.

4. Configure Authentication for the Default Web Site with the following settings:

a. Windows Authentication: Enabled.

b. Anonymous Authentication: Disabled.


5. Close the Internet Information Services (IIS) Manager console.
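The whole of Exercise 1 can also be scripted. The following is an added example, not part of the course lab, that performs the same steps with the PKI, WebAdministration and Web Application Proxy cmdlets; the certificate template name WebServer and the use of a credential prompt are assumptions, and the host names, certificate names and application name are the lab's own.

```powershell
# Added example (not part of the course lab): Exercise 1 from Windows PowerShell.
# Assumptions: an enterprise CA template named "WebServer" that permits subject
# alternative names (placeholder name); lab host names reused as in the GUI steps.

# --- On LON-RTR: request the certificate for the ADFS1 farm (Task 2, step 1) ---
$enroll = Get-Certificate -Template 'WebServer' `
    -SubjectName 'CN=adfs1.adatum.com' `
    -DnsName 'adfs1.adatum.com','lon-svr1.adatum.com','enterpriseregistration.adatum.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Certificate request status: $($enroll.Status)" }

# --- On LON-SVR1: HTTPS binding with the existing lon-svr1.adatum.com certificate ---
Import-Module WebAdministration
$svrCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=lon-svr1.adatum.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader 'lon-svr1.adatum.com'
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($svrCert.Thumbprint, 'my')

# Back-end site: Windows authentication on, anonymous off (the proxy uses pass-through,
# so IIS on LON-SVR1 is what actually challenges the user).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# --- On LON-RTR: configure the proxy against the federation service and publish the site ---
# Prompting keeps the Administrator password out of the script and the PowerShell history.
$fsCred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Federation service trust credential'
$proxyCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=adfs1.adatum.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

Install-WebApplicationProxy -FederationServiceName 'adfs1.adatum.com' `
    -CertificateThumbprint $proxyCert.Thumbprint `
    -FederationServiceTrustCredential $fsCred

Add-WebApplicationProxyApplication -Name 'LON-SVR1 Web' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://lon-svr1.adatum.com/' `
    -BackendServerUrl 'https://lon-svr1.adatum.com/' `
    -ExternalCertificateThumbprint $proxyCert.Thumbprint

# Verify what was published.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize
```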

Results: After completing this exercise, you will have implemented Web Application Proxy.

Exercise 2: Validating the Web Application Proxy Deployment

Scenario

Now that you have deployed the Web Application Proxy role service, you need to verify that external users can access the internal application through the proxy.

The main tasks for this exercise are as follows:

1. Disable DirectAccess on client computer.

2. Verify access to the internal website from the client computer.

3. To Prepare for the Next Module.

Task 1: Disable DirectAccess on client computer

In this task, the LON-CL1 computer is removed from the domain. Because DirectAccess works for domain members only, removing the computer from the domain disables DirectAccess on LON-CL1. DirectAccess is disabled so that LON-CL1 connects to the internal website by using Web Application Proxy rather than DirectAccess.

1. Switch to LON-CL1.

2. Open Control Panel.

3. In Control Panel, remove LON-CL1 from the adatum.com domain, and add LON-CL1 to a workgroup named WORKGROUP.

4. If you are prompted for a user name and password in the Windows Security dialog box, type Administrator as the user name and Pa$$w0rd as the password, and then click OK.

5. Restart LON-CL1.

Task 2: Verify access to the internal website from the client computer

1. Switch to LON-CL1, and sign in with the user name Admin and the password Pa$$w0rd.

2. On LON-CL1, open Internet Explorer, and then type the following address: https://lon-svr1.adatum.com.

3. When prompted, in the Internet Explorer dialog box, type Adatum\Bill as the user name and Pa$$w0rd as the password, click OK, and then verify that the default IIS 8.0 web page for LON-SVR1 opens.

4. If you are unable to connect to https://lon-svr1.adatum.com, restart LON-CL1, and then repeat steps 1 through 3.

5. If you are still unable to connect, perform the following steps:

o On LON-CL1, open the Registry Editor window, navigate to HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig and notice the three entries starting with DA.

o In the Registry Editor window, in the navigation pane, delete each of the entries starting with DA, and then close the Registry Editor window.

Note: The registry entries you just deleted were created in the previous labs, and they can interfere with Web Application Proxy. That is why you delete them.

o Restart LON-CL1, and then repeat steps 1 through 3 to verify connectivity to the default IIS 8.0 web page on LON-SVR1.
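The same verification, including the check for leftover DirectAccess name-resolution rules that step 5 removes from the registry, can be run from Windows PowerShell on LON-CL1. This is an added example, not part of the course lab; the lab's URL and user are reused, and the credential prompt stands in for typing the password into Internet Explorer.

```powershell
# Added example (not part of the course lab): confirm from LON-CL1 that the
# published site is reached through Web Application Proxy and not DirectAccess.

function Test-WapPublishedSite {
    param(
        [string]$Url = 'https://lon-svr1.adatum.com/',
        [string]$Namespace = 'adatum.com'
    )
    # 1. The DA* values under HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig
    #    are NRPT rules left behind by DirectAccess. While one is still effective for the
    #    namespace, the name is sent to the DA DNS server rather than resolved publicly,
    #    so the client never reaches the proxy.
    $nrpt = Get-DnsClientNrptPolicy -Effective |
            Where-Object { $_.Namespace -like "*$Namespace" }
    if ($nrpt) {
        foreach ($rule in $nrpt) {
            Write-Warning ("NRPT rule still active for {0} (DA DNS servers: {1})" -f
                $rule.Namespace, ($rule.DirectAccessDnsServers -join ', '))
        }
        Write-Warning 'Remove the DA entries from DNSPolicyConfig and restart LON-CL1.'
        return $false
    }

    # 2. The published name must resolve to the proxy's external address.
    $hostName = ([System.Uri]$Url).Host
    $addr = (Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop).IPAddress
    Write-Output "$hostName resolves to $addr"

    # 3. Request the page as a domain user. With pass-through preauthentication the
    #    proxy forwards the request unchanged and IIS on LON-SVR1 issues the
    #    Windows authentication challenge, which Invoke-WebRequest answers with -Credential.
    $cred = Get-Credential -UserName 'ADATUM\Bill' -Message 'Domain user for the published site'
    try {
        $resp = Invoke-WebRequest -Uri $Url -Credential $cred -UseBasicParsing
    } catch {
        Write-Warning "Request to $Url failed: $($_.Exception.Message)"
        return $false
    }
    Write-Output "HTTP $($resp.StatusCode) from $hostName"
    return ($resp.StatusCode -eq 200)
}

Test-WapPublishedSite
```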

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1, 20411C-LON-SVR4, 20411C-LON-RTR, 20411C-INET, 20411C-LON-CL3, and 20411C-LON-CL1.

Results: After completing this exercise, you will have verified that external users are able to access the internal application through the Web Application Proxy.

Question: Where should we deploy the Web Application Proxy server?

Question: What is required for a client to be able to access a published application?


Module Review and Takeaways

Best Practice: Although DirectAccess was available in Windows 7 and Windows Server 2008 R2, Windows 8 introduces new features for improved manageability, ease of deployment, and improved scale and performance.

• Monitoring of the environment is now much easier with support of Windows PowerShell, Windows Management Instrumentation (WMI), and GUI monitoring, along with Network Connectivity Assistant on the client side.

• One of the best enhancements is that DirectAccess can now reach IPv4 servers on your network. Your servers no longer need IPv6 addresses to be exposed through DirectAccess, because the DirectAccess server acts as a proxy.

• For ease of deployment, you do not need public IP addresses on the Internet-facing network, which makes this a good scenario for a proof of concept. However, if you are concerned about security and want to integrate with NAP, you still need two public addresses.

• Consider integrating DirectAccess with your existing Remote Access solution because Windows Server 2012 can implement DirectAccess server behind the NAT device, which is the most common Remote Access Server solution for organizations.

Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip

You have configured DirectAccess, but users are complaining about connectivity issues. You want to troubleshoot those issues more efficiently.

The DirectAccess client tries to connect to the DirectAccess server by using IPv6 and IPsec with no success.

Review Question(s)

Question: What remote access solutions can you deploy by using Windows Server 2012 R2?

Question: What are the main benefits of using DirectAccess for providing remote connectivity?

Question: How do you configure DirectAccess clients?

Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?

Question: What is the use of an NRPT?

Question: What types of remote access solutions can you provide by using VPN in Windows Server 2012?

Question: What types of applications can you publish by using Web Application Proxy in Windows Server 2012 R2?


Tools

Tool, what it is used for, and where to find it:

• Remote Access Management Console: managing DirectAccess and VPN. Found in Server Manager/Tools.

• Routing and Remote Access Console: managing VPN and routing. Found in Server Manager/Tools.

• Remote Access Getting Started Wizard: a graphical tool that simplifies the configuration of DirectAccess. Found in Server Manager/Tools/Remote Access Management Console.

• Web Application Proxy: publishing web applications. Found in Server Manager/Tools.

• Dnscmd.exe: a command-line tool used for DNS management. Run from the command line.

• Services.msc: helps manage Windows services. Found in Server Manager/Tools.

• Gpedit.msc: helps in editing the Local Group Policy. Run from the command line.

• IPconfig.exe: a command-line tool that displays the current TCP/IP network configuration. Run from the command line.

• DNS Manager console: helps configure name resolution. Found in Server Manager/Tools.

• Mmc.exe: helps in the creation and management of the Management Console. Run from the command line.

• Gpupdate.exe: helps manage Group Policy application. Run from the command line.

• Active Directory Users and Computers: useful for configuring group membership for client computers that will be configured with DirectAccess. Found in Server Manager/Tools.


Module 7 Installing, Configuring, and Troubleshooting the Network Policy Server Role

Contents: Module Overview 7-1

Lesson 1: Installing and Configuring a Network Policy Server 7-2

Lesson 2: Configuring RADIUS Clients and Servers 7-6

Lesson 3: NPS Authentication Methods 7-12

Lesson 4: Monitoring and Troubleshooting a Network Policy Server 7-20

Lab: Installing and Configuring a Network Policy Server 7-26

Module Review and Takeaways 7-30

Module Overview

The Network Policy Server (NPS) role in the Windows Server® 2012 operating system provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol, which you can configure as a RADIUS server or proxy. Additionally, NPS provides Network Access Protection (NAP) services. To support remote clients and to implement NAP, it is important that you know how to install, configure, and troubleshoot NPS.

Objectives

After completing this module, you will be able to:

• Install and configure NPS.

• Configure RADIUS clients and servers.

• Explain NPS authentication methods.

• Monitor and troubleshoot NPS.


Lesson 1 Installing and Configuring a Network Policy Server

NPS is implemented as a server role in Windows Server 2012 and newer versions. While installing the NPS role, you must decide whether to use NPS as a RADIUS server, RADIUS proxy, or a NAP policy server. After the installation, you can use the NPS Management console or Windows® PowerShell® to configure NPS. You must understand how to install and configure the NPS role in order to support your RADIUS or NAP infrastructure.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the NPS role service.

• Explain how to install NPS.

• Describe the tools used to configure an NPS.

• Explain how to configure general NPS settings.

What Is a Network Policy Server?

NPS enables you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. You also can use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups.

You can use NPS to implement network-access authentication, authorization, and client health policies with any combination of the following three functions:

• RADIUS server

• RADIUS proxy

• NAP policy server

RADIUS Server

NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and dial-up and virtual private network (VPN) connections. When using NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft® SQL Server® database.

NPS is the Microsoft implementation of a RADIUS server. NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote Access service, which is available in releases from the Windows® 2000 operating system through the Windows Server 2008 R2 operating system. In addition, you can use NPS with the new Remote Access role in Windows Server 2012 and newer.


When an NPS server is a member of an Active Directory® Domain Services (AD DS) domain, NPS uses AD DS as its user-account database and provides single sign-on (SSO). This means that the same set of user credentials enable network-access control, such as authenticating and authorizing access to a network, and access to resources within the AD DS domain.

Organizations that maintain network access, such as Internet service providers (ISPs), have the challenge of managing a variety of network-access methods from a single administration point, regardless of the type of network-access equipment they use. The RADIUS standard supports this requirement. RADIUS is a client-server protocol that enables network-access equipment, when used as RADIUS clients, to submit authentication and accounting requests to a RADIUS server.

A RADIUS server has access to user-account information, and can verify network-access authentication credentials. If the user’s credentials are authentic and RADIUS authorizes the connection attempt, the RADIUS server then authorizes the user’s access based on configured conditions, and logs the network-access connection in an accounting log. Using RADIUS allows you to collect and maintain the network-access user authentication, authorization, and accounting data in a central location, rather than on each access server.

RADIUS Proxy

When using NPS as a RADIUS proxy, you configure connection request policies that indicate which connection requests the NPS server will forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You also can configure NPS to forward accounting data for logging by one or more computers in a remote RADIUS server group. With NPS, your organization also can outsource its remote-access infrastructure to a service provider, while retaining control over user authentication, authorization, and accounting. You can create NPS configurations for the following solutions:

• Wireless access.

• Organization dial-up or VPN remote access.

• Outsourced dial-up or wireless access.

• Internet access.

• Authenticated access to extranet resources for business partners.

NAP Policy Server

When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that attempt to connect to the network. NPS also acts as a RADIUS server when it is configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to be compliant with your organization’s network policy.

Windows 7 and newer versions and Windows Server 2008 R2 and newer versions include NAP, which helps protect access to private networks by ensuring that client computers are configured in accordance with the organization’s network health policies before they can connect to network resources. Additionally, NAP monitors client computer compliance with the administrator-defined health policy while the computer is connected to the network. NAP autoremediation allows you to ensure that noncompliant computers are updated automatically, bringing them into compliance with health policy so that they can connect to the network successfully.

System administrators define network health policies, and then implement them by using NAP components that are provided either by NPS or, depending on the NAP deployment, by third-party companies.


Health policies can include software requirements, security-update requirements, and required-configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access.

Demonstration: Installing the Network Policy Server Role Service

This demonstration shows how to:

• Install the NPS role service.

• Register NPS in AD DS.

Demonstration Steps

Install the NPS Role

1. Switch to LON-DC1.

2. Open Server Manager, and then add the Network Policy and Access Services role.

3. Close Server Manager.

Register NPS in AD DS

1. Open the Network Policy Server console.

2. Register the server in AD DS.

3. Leave the Network Policy Server window open.

Tools for Configuring a Network Policy Server

After you install the Network Policy Server role, you can open the Network Policy Server tool on the Administrative Tools menu, or you can use the Network Policy Server snap-in to create a custom Microsoft Management Console (MMC) tool. You also can use netsh commands to manage and configure the NPS role.

The following tools enable you to manage the Network Policy and Access Services server role:

• Network Policy Server MMC snap-in. Use the Network Policy Server MMC snap-in to configure a RADIUS server, a RADIUS proxy, or a NAP technology.

• Netsh commands for NPS. The netsh commands for NPS are a command set that is equivalent to all configuration settings that are available through the NPS MMC snap-in. You can run netsh commands manually at the netsh prompt or in administrator scripts.

One example of using netsh is that, after you install and configure NPS, you can save the configuration by using the netsh nps show config > path\file.txt command. You then save the NPS configuration with this command each time that you make a change, so that a known-good copy is always available.


• Windows PowerShell. You also can use Windows PowerShell cmdlets to configure and manage a Network Policy Server. For example, to export the NPS configuration, you can use the Export-NpsConfiguration -Path <filename> cmdlet.

Demonstration: Configuring General NPS Settings

This demonstration shows how to:

• Configure a RADIUS server for VPN connections.

• Save the configuration.

Demonstration Steps

Configure a RADIUS server for VPN connections

1. In the Network Policy Server console, launch the Configure VPN or Dial-Up Wizard.

2. Add LON-RTR as a RADIUS client.

3. Use a shared secret of Pa$$word for authentication between the RADIUS client and the NPS server.

4. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2) for authentication.

Save the configuration

1. Open Windows PowerShell.

2. Use the Export-NpsConfiguration -Path lon-dc1.xml command to save the configuration.

3. Examine this configuration in Notepad.
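The RADIUS client and the export from this demonstration can be done entirely from Windows PowerShell with the NPS module. The following is an added example, not part of the course demonstration; the address 172.16.0.1 for LON-RTR is a placeholder, and the random secret replaces the demonstration's Pa$$word.

```powershell
# Added example (not part of the course demonstration): add LON-RTR as a RADIUS
# client and save the NPS configuration from Windows PowerShell on LON-DC1.
# Assumptions: the NPS module (installed with the Network Policy and Access Services
# role) is available; 172.16.0.1 is a placeholder for LON-RTR's intranet address.

Import-Module NPS

# RADIUS hides passwords and signs packets with nothing but this shared secret,
# so use a long random value rather than a memorable one.
function New-RadiusSecret {
    param([int]$Length = 32)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 keeps the value printable so that it can be pasted into the RRAS wizard.
    return ([Convert]::ToBase64String($bytes)).Substring(0, $Length)
}
$secret = New-RadiusSecret

# Same client the wizard creates in the demonstration, with the generated secret.
New-NpsRadiusClient -Name 'LON-RTR' -Address '172.16.0.1' `
    -SharedSecret $secret -VendorName 'RADIUS Standard'

# Save the configuration (equivalent to: netsh nps show config > path\file.txt).
$exportPath = Join-Path $env:USERPROFILE `
    ('nps-{0}-{1:yyyyMMdd-HHmm}.xml' -f $env:COMPUTERNAME, (Get-Date))
Export-NpsConfiguration -Path $exportPath

# The export holds every RADIUS client's shared secret in clear text, so strip
# inherited permissions and leave only Administrators and SYSTEM before archiving it.
$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exportPath -AclObject $acl

Write-Output "Shared secret for the LON-RTR RRAS wizard: $secret"
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize
```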


Lesson 2 Configuring RADIUS Clients and Servers

RADIUS is an industry-standard authentication protocol that many vendors use to support the exchange of authentication information between elements of a remote-access solution. To centralize your organization’s remote-authentication needs, you can configure NPS as a RADIUS server or a RADIUS proxy. While configuring RADIUS clients and servers, you must consider several factors, such as the RADIUS servers that will authenticate connection requests from RADIUS clients and the ports that RADIUS traffic will use.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe a RADIUS client.

• Describe a RADIUS Proxy.

• Explain how to configure a RADIUS client.

• Describe how to use a connection request policy.

• Describe and configure connection request processing for a RADIUS proxy environment.

• Explain how to create a new connection request policy.

What Is a RADIUS Client?

RADIUS clients are usually network access servers such as wireless access points, 802.1X authenticating switches, and VPN servers. A network access server (NAS) is a device that provides access to a larger network. You can configure a NAS to act as a RADIUS client. RADIUS clients communicate with a RADIUS server for authentication, authorization, and accounting. By default, RADIUS devices communicate with each other over ports 1812 and 1813 or 1645 and 1646. End-user computing devices such as wireless laptop computers, tablets, and other computing devices are not typically RADIUS clients; they are clients of the NAS devices. In addition to deploying NPS as a RADIUS server, a RADIUS proxy, or a NAP policy server, you must also configure RADIUS clients in NPS.

RADIUS Client Examples

Examples of network access servers include the following:

• Network access servers that provide remote access connectivity to an organization’s network or the Internet. For example, a computer that is running the Windows Server 2012 operating system and the Remote Access Service (RAS) that provides either traditional dial-up or VPN remote access services to an organization’s intranet.

• Wireless access points that provide physical-layer access to an organization’s network by using wireless-based transmission and reception technologies.


• Switches that provide physical-layer access to an organization’s network using traditional local area network (LAN) technologies, such as Ethernet.

• NPS-based RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that you configure on the RADIUS proxy, or other RADIUS proxies.

What Is a RADIUS Proxy?

A RADIUS proxy routes RADIUS messages between RADIUS clients and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt.

As a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about forwarded messages.

You can use NPS as a RADIUS proxy when:

• You are a service provider who offers outsourced dial, VPN, or wireless network-access services to multiple customers.

In this case, your NAS sends connection requests to the NPS RADIUS proxy. Based on the realm portion of the user name in the connection request, the NPS RADIUS proxy, which is on your premises and which your company maintains, forwards the connection request to a RADIUS server that the customer maintains. That RADIUS server can then authenticate and authorize the connection attempt.

• You want to provide authentication and authorization for user accounts that are not:

o Members of the domain in which the NPS server is a member.

o Members of a domain that has a two-way trust with the NPS server’s member domain.

This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm-name portion of the user name, and then forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for NAS in another domain or forest.

• You want to perform authentication and authorization by using a database that is not a Windows account database.

In this case, NPS forwards connection requests that match a specified realm name to a RADIUS server that has access to a different database of user accounts and authorization data. An example of another user database is a SQL Server database.

• You want to process a large number of connection requests.

In this case, instead of configuring your RADIUS clients to balance their connection and accounting requests across multiple RADIUS servers themselves, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers, which increases the number of RADIUS clients and authentications per second that can be handled.


• You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration.

An intranet firewall sits between your intranet and your perimeter network (the network between your intranet and the Internet). If you place an NPS server on your perimeter network, the firewall between the perimeter network and the intranet must allow traffic to flow between the NPS server and multiple domain controllers. If you replace that NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or more NPS servers within your intranet.

Demonstration: Configuring a RADIUS Client

This demonstration shows how to configure a RADIUS client.

Demonstration Steps

1. Open Routing and Remote Access.

2. Disable the existing configuration.

3. Reconfigure LON-RTR as a VPN Server with the following information:

o Public interface: Local Area Connection 2

o The VPN server allocates addresses from the pool: 172.16.0.100 to 172.16.0.110

o Option to configure the server with: Yes, setup this server to work with a RADIUS server.

o Primary RADIUS server: LON-DC1

o Secret: Pa$$w0rd

4. Start the VPN service.

What Is a Connection Request Policy?

Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform authentication and authorization of connection requests that the NPS server receives from RADIUS clients. You can configure connection request policies to designate which RADIUS servers to use for RADIUS accounting.

Note: You can export connection request policies, other NPS policies, and the entire NPS server configuration from one NPS server and then import them to a different NPS server. Use the netsh command-line utility or the Export-NpsConfiguration and Import-NpsConfiguration cmdlets in Windows PowerShell to perform exports and imports.

You can create a series of connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally, with NPS functioning as a RADIUS server, and other types of messages are forwarded to another RADIUS server, with NPS functioning as a RADIUS proxy. This is useful in a multi-domain environment where some requests should go to a different RADIUS server.

With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on a variety of factors, including:

• The time of day and day of the week.

• The realm name in the connection request.

• The connection type that you are requesting.

• The RADIUS client’s IP address.

Conditions

Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message. If multiple conditions exist, NPS enforces the policy only if all of the conditions in the connection request message and in the connection request policy match.

Settings

Connection request policy settings are a set of properties that are applied to an incoming RADIUS message. Settings consist of the following groups of properties:

• Authentication

• Accounting

• Attribute manipulation

• Advanced

Default Connection Request Policy

When you install NPS, a default connection request policy is created with the following conditions:

• Authentication is not configured.

• Accounting is not configured to forward accounting information to a remote RADIUS server group.

• Attribute manipulation is not configured with rules that change attributes in forwarded connection requests.

• Forwarding Request is turned on, which means that the local NPS server authenticates and authorizes connection requests.

• Advanced attributes are not configured.

The default connection request policy uses NPS as a RADIUS server. To configure an NPS server to act as a RADIUS proxy, you also must configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard. You either can delete the default connection request policy or verify that the default connection request policy is the last policy processed.

Note: If you installed NPS and the Routing and Remote Access service on the same computer, and you configure the Routing and Remote Access service for Windows authentication and accounting, it is possible for Routing and Remote Access service authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Routing and Remote Access service authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group.


Configuring Connection Request Processing

The default connection request policy uses NPS as a RADIUS server, and processes all authentication requests locally.

Considerations for Configuring Connection Request Processing

When configuring connection request processing, consider the following:

• To configure an NPS server to act as a RADIUS proxy and forward connection requests to other NPS or RADIUS servers, you must configure a remote RADIUS server group, and then add a new connection request policy that specifies conditions and settings that the connection requests must match.

• You can use the New Connection Request Policy Wizard to create a new remote RADIUS server group when you create a new connection request policy.

• If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.

• If you want the NPS server to act as both a RADIUS server, by processing connection requests locally, and as a RADIUS proxy, by forwarding some connection requests to a remote RADIUS server group, then you should add a new policy, and then verify that the default connection request policy is the last policy processed.

Ports for RADIUS and Logging

By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646, for both IPv6 and IPv4, on all installed network adapters.

Note: If you disable either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the disabled protocol on that adapter.

The values of 1812 for authentication and 1813 for accounting are the RADIUS standard ports defined in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." However, by default, many existing access servers, and especially legacy access servers, use port 1645 for authentication requests and port 1646 for accounting requests. When you are deciding which port numbers to use, make sure that you configure NPS and the access server to use the same port numbers. If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall of the local computer to allow RADIUS traffic on the new ports.

Configuring NPS UDP Port Information

You can use the following procedure to configure the User Datagram Protocol (UDP) ports that NPS uses for RADIUS authentication and accounting traffic.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.


To configure the NPS UDP port information by using the Windows interface, follow these steps:

1. Open the NPS console.

2. Right-click Network Policy Server, and then click Properties.

3. Click the Ports tab, and then examine the settings for ports.

4. If your RADIUS authentication and RADIUS accounting UDP ports vary from the provided default values (1812 and 1645 for authentication, and 1813 and 1646 for accounting), type your port settings in Authentication and Accounting.

Note: To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.
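The following script is an added example and is not part of the handbook or of the NPS product. It checks that the NPS service is really listening on the UDP ports configured on the Ports tab and then creates the firewall exceptions the text calls for, limited to known RADIUS clients. The client address list and the rule names are constructed for the example; on a real server, fill the list from the RADIUS clients registered in NPS.

```powershell
# Added example, not from the handbook: check which UDP ports the NPS service
# is actually listening on and create firewall exceptions for them that are
# scoped to known RADIUS clients. Run in an elevated PowerShell session on
# the NPS server (Windows Server 2012 or later).

# Ports as configured on the Network Policy Server Properties > Ports tab.
# These are the defaults; change them if you changed the Ports tab.
$authPorts = 1812, 1645
$acctPorts = 1813, 1646

# Constructed list of RADIUS clients (network access servers) for this example.
# On a real server, populate it from the RADIUS clients registered in NPS.
$radiusClients = '172.16.0.21', '172.16.0.22'

# NPS runs as the service named IAS inside svchost.exe; resolve its process ID
# so that listeners owned by other services are not mistaken for NPS.
$iasPid = (Get-CimInstance Win32_Service -Filter "Name='IAS'").ProcessId
if (-not $iasPid) { throw 'The NPS (IAS) service is not running.' }

$listening = Get-NetUDPEndpoint |
    Where-Object { $_.OwningProcess -eq $iasPid } |
    Select-Object -ExpandProperty LocalPort -Unique

foreach ($port in ($authPorts + $acctPorts)) {
    if ($listening -contains $port) {
        Write-Output "OK       NPS is listening on UDP $port"
    } else {
        Write-Warning "MISSING  no NPS listener on UDP $port (check the Ports tab and the IPv4/IPv6 binding of the adapter)"
    }
}

# Inbound firewall rules limited to the RADIUS clients, so that hosts other
# than your network access servers cannot reach the RADIUS listener at all.
$rules = @{
    'RADIUS authentication (NPS)' = $authPorts
    'RADIUS accounting (NPS)'     = $acctPorts
}
foreach ($name in $rules.Keys) {
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$name' already exists; leaving it unchanged."
        continue
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
        -LocalPort $rules[$name] -RemoteAddress $radiusClients -Action Allow | Out-Null
    Write-Output "Created rule '$name' for UDP $($rules[$name] -join ',') from $($radiusClients -join ',')"
}
```

Rerun the script after changing the Ports tab: a port that is configured but shows MISSING usually means the service has not been restarted, or the adapter has the relevant IP version disabled. Because the rules are keyed by display name, the script does not create duplicates; delete the old rules with Remove-NetFirewallRule when the ports change.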

Demonstration: Creating a Connection Request Policy

This demonstration shows how to create a VPN connection request policy.

Demonstration Steps

1. On LON-DC1, switch to the Network Policy Server console.

2. View the existing Connection Request Policies. These were created automatically when the NPS role was installed on this server.

3. Create a new Connection Request Policy with the following settings:

o Type of network access server: Remote Access Server (VPN-Dial up)

o Condition: NAS Port Type as Virtual (VPN)

o Other settings: default values

4. Assign the new policy the highest priority.


Lesson 3 NPS Authentication Methods

Authentication is the process of verifying the identity of a user or computer that is attempting to connect to a network. NPS must receive proof of identity from the user or computer in the form of credentials. NPS authenticates and authorizes a connection request before allowing or denying access when users attempt to connect to your network through network access servers, also known as RADIUS clients. These network access servers can be devices such as wireless access points, 802.1X authenticating switches, dial-up servers, and VPN servers.

When you deploy NPS, you can specify the required type of authentication method for access to your network.

Some authentication methods implement the use of password-based credentials. The network access server then passes these credentials to the NPS server, which verifies the credentials against the user accounts database. Other authentication methods implement the use of certificate-based credentials for the user, the client computer, the NPS server, or some combination of the three. Certificate-based authentication methods provide strong security and we recommend them over password-based authentication methods.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the password-based authentication methods for an NPS server.

• Describe how to use certificates to provide authentication for network clients.

• Describe the types of certificates that various authentication methods require.

• Describe how to deploy certificates for Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP).

Password-Based Authentication Methods

Any authentication method has advantages and disadvantages in terms of security, usability, and breadth of support. Password-based authentication methods do not provide strong security on their own, because passwords can be guessed and a captured challenge-response exchange can be attacked offline, and for that reason they are not recommended. Instead, consider using a certificate-based authentication method for all network access methods that support certificate use. This is especially true for wireless connections. For wireless connections, consider PEAP-TLS, or, where client certificates cannot be deployed, PEAP-MS-CHAP v2, which still authenticates the user with a password but performs the exchange inside a TLS tunnel that the client has verified with the server's certificate.

The authentication methods that the network access server supports determine which method you can require in the client computer configuration and in the network policy on the NPS server. Consult your access server documentation to determine which authentication protocols it supports.

You can configure NPS to accept multiple authentication protocols. You also can configure your network access servers, also called RADIUS clients, to attempt to negotiate a connection with client computers by requesting the use of the most secure protocol first, then the next most secure, and so on, down to the least secure. For example, the Routing and Remote Access service tries to negotiate a connection by using the following protocols in the order shown:

1. Extensible Authentication Protocol (EAP)

2. MS-CHAP v2

3. MS-CHAP

4. Challenge Handshake Authentication Protocol (CHAP)

5. Shiva Password Authentication Protocol (SPAP)

6. Password Authentication Protocol (PAP)

When you choose EAP as the authentication method, the negotiation of the EAP type occurs between the access client and the NPS server.

MS-CHAP Version 2

MS-CHAP v2 provides stronger security for network access connections than its predecessor, MS-CHAP. MS-CHAP v2 is a challenge-response, mutual-authentication process in which the password itself is never sent; each side proves knowledge of it by returning a one-way (nonreversible) result computed over the challenges. It works as follows:

1. The authenticator, which is the network access server or the NPS server, sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.

2. The access client sends a response that contains:

o The user name.

o An arbitrary peer-challenge string.

o A one-way (nonreversible) encryption computed from the received challenge string, the peer-challenge string, the session identifier, and the user's password.

3. The authenticator checks the client’s response, and then sends back a response that contains:

o An indication of the connection attempt’s success or failure.

o An authenticated response based on the sent challenge string, the peer-challenge string, the client’s encrypted response, and the user’s password.

4. The access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the access client terminates the connection.

MS-CHAP

MS-CHAP, also known as MS-CHAP version 1, is a password-authentication protocol in which the client returns a nonreversible encryption of the challenge rather than the password itself.

The challenge handshake process works as follows:

1. The authenticator, which is the network access server or the NPS server, sends a challenge to the access client that consists of a session identifier and an arbitrary challenge string.

2. The access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.

3. The authenticator checks the response and, if valid, authenticates the user’s credentials.

Note: If you use MS-CHAP, MS-CHAP v2, or EAP-TLS as the authentication protocol, you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the data that is sent on the Point-to-Point Protocol (PPP) or Point-to-Point Tunneling Protocol (PPTP) connection, because these protocols produce the keying material that MPPE requires.


MS-CHAP v2 provides stronger security for network access connections than MS-CHAP. Therefore, we recommend using MS-CHAP v2 instead of MS-CHAP. Even so, the MS-CHAP v2 exchange on its own does not protect a captured challenge and response against offline attack, so wherever possible run it inside a protected tunnel, as PEAP-MS-CHAP v2 does, rather than as a bare PPP authentication method.

CHAP

CHAP is a challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to hash the challenge together with the password, so that only the hash, not the password, crosses the link.

Various vendors of network access servers and clients use CHAP. A server that is running Routing and Remote Access supports CHAP, so access clients that require CHAP can be authenticated. However, to compute the expected response the authenticating server needs the user's plaintext password, which means CHAP requires the user accounts to store passwords with reversible encryption (in AD DS, the Store passwords using reversible encryption password policy setting). That storage weakens the protection of every affected account, so you should consider using another authentication protocol, such as MS-CHAP v2.

Additional Considerations

When implementing CHAP, consider the following:

• When users’ passwords expire, CHAP does not provide the ability for them to change passwords during the authentication process.

• Verify that your network access server supports CHAP before you enable it on an NPS server’s network policy. For more information, refer to your NAS documentation.

• You cannot use Microsoft Point-to-Point Encryption with CHAP.

PAP

PAP uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated only if the access client and network access server cannot agree on a more secure authentication method. When you enable PAP as an authentication protocol, user passwords are sent in plaintext form. Anyone capturing the packets of the authentication process can read the password easily and then use it to gain unauthorized access to your intranet. We strongly discourage the use of PAP, especially for VPN connections.

Unauthenticated Access

With unauthenticated access, user credentials such as a user name and password are not required. Although there are some situations in which unauthenticated access is useful, in most cases we do not recommend that you deploy unauthenticated access on your organization's network.

When you enable unauthenticated access, clients can connect without sending NPS a user name or password. In particular, if the authentication protocols that are configured on the access client do not match those configured on the network access server, no common authentication protocol is negotiated, no credentials are sent, and the client is still connected. A misconfigured client, or an attacker who deliberately offers no supported protocol, therefore gains network access with no identity attached to the session. This is a serious security problem, and you should not allow unauthenticated access on most networks.


Using Certificates for Authentication

Certificates are digital documents that certification authorities (CAs) issue, such as Active Directory Certificate Services (AD CS) or a public CA such as VeriSign. You can use certificates for many purposes, such as code signing and securing email communication. With NPS, you use certificates for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less secure, password-based authentication methods.

NPS servers use EAP-TLS and PEAP to perform certificate-based authentication for many types of network access, including VPN and wireless connections.

Authentication Methods

You can configure two authentication methods, EAP and PEAP, to use certificate-based authentication. You use EAP to configure the authentication type TLS (EAP-TLS), and PEAP to configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAP v2). These authentication methods always use certificates for server authentication. Depending on the authentication type that you configure with the authentication method, you also might use certificates for user authentication and client computer authentication.

Note: Using certificates for VPN connection authentication is the strongest form of authentication available in Windows Server. You must use certificates for Internet Protocol security (IPsec) authentication on VPN connections that are based on Layer Two Tunneling Protocol (L2TP) over IPsec. PPTP connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients, such as portable computers or handheld devices with wireless network adapters, use PEAP with EAP-TLS (PEAP-TLS) and smart cards or certificates for authentication.

Note: You can deploy certificates for use with NPS by installing and configuring the AD CS server role.

Mutual Authentication

When you use EAP with a strong EAP type, such as TLS with smart cards or certificates, the client and the server use certificates to verify their identities to each other. This is known as mutual authentication. Certificates must meet specific requirements to allow the server and the client to use them for mutual authentication.

One such requirement is configuring the certificate with one or more purposes in extended key usage (EKU) extensions to correlate with the actual certificate use. For example, you must configure a certificate that you use for a client’s authentication with the Client Authentication purpose. Similarly, you must configure a certificate that you use for a server’s authentication with the Server Authentication purpose. When you use certificates for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When you use a certificate for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.


Certificate Templates

Certificate Templates is an MMC snap-in that enables customization of the certificates that AD CS issues. Customization possibilities include how you use certificates and what the certificates contain, including their purposes. In Certificate Templates, you can duplicate a default template, such as the Computer template, to customize the template that the CA uses to assign certificates to computers. You also can customize a duplicated certificate template and assign purposes to it in EKU extensions. By default, the Computer template includes the Client Authentication purpose and the Server Authentication purpose in EKU extensions.

The certificate template that you customize can include any purpose for which you will use the certificate. For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose as well as the Client Authentication purpose. When using NPS, you can configure NPS to check certificate purposes before granting network authorization. NPS can check additional EKUs and Issuance Policy purposes, also known as Certificate Policies.

Note: Some non-Microsoft CA software might contain a purpose named All, which represents all possible purposes. This is indicated by a blank, or null, EKU extension. Although All is intended to mean all possible purposes, you cannot substitute the All-purpose for the Client Authentication purpose, the Server Authentication purpose, or any other purpose that is related to network access authentication.

Required Certificates for Authentication

The following table details the certificates that are required to deploy each of the listed certificate-based authentication methods successfully.

For each certificate, the first item states whether EAP-TLS and PEAP-TLS require it, the second whether PEAP-MS-CHAP v2 requires it, and the third gives details.

Certificate: CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User

• Required for EAP-TLS and PEAP-TLS? Yes. The CA certificate is enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually into the certificate store.

• Required for PEAP-MS-CHAP v2? Yes. This certificate is enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually into the certificate store.

• Details: For PEAP-MS-CHAP v2, this certificate is required for mutual authentication between client and server; without it the client cannot validate the NPS server certificate.

Certificate: Client computer certificate in the certificate store of the client

• Required for EAP-TLS and PEAP-TLS? Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually or obtain it with the Web-enrollment tool.

• Required for PEAP-MS-CHAP v2? No. User authentication is performed with password-based credentials, not certificates.

• Details: If you deploy user certificates on smart cards, client computers do not need client certificates.

Certificate: Server certificate in the certificate store of the NPS server

• Required for EAP-TLS and PEAP-TLS? Yes. Server certificates are distributed automatically to members of the RAS and IAS Servers group in AD DS.

• Required for PEAP-MS-CHAP v2? Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that client computers already trust.

• Details: The NPS server sends the server certificate to the client computer. The client computer uses the certificate to authenticate the NPS server.

Certificate: User certificate on a smart card

• Required for EAP-TLS and PEAP-TLS? Yes, unless client computer certificates are deployed to the client computers.

• Required for PEAP-MS-CHAP v2? No. User authentication is performed with password-based credentials, not certificates.

• Details: For EAP-TLS and PEAP-TLS, if you do not auto-enroll client computer certificates, user certificates on smart cards are required.

The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication provides authenticated access to 802.11 wireless networks and wired Ethernet networks. 802.1X provides support for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS in a variety of ways.

If you configure the Validate server certificate option on the client, the client authenticates the server by using its certificate. You accomplish client computer and user authentication by using certificates from the client certificate store or a smart card, establishing mutual authentication.

With wireless clients, you can use PEAP-MS-CHAP v2 as the authentication method. PEAP-MS-CHAP v2 is a password-based user authentication method that uses TLS with server certificates. During PEAP-MS-CHAP v2 authentication, if you configure the Validate server certificate option on the client, the NPS server supplies a certificate to validate its identity to the client. You accomplish client computer and user authentication with passwords, which eliminates some of the difficulty of deploying certificates to wireless client computers.


Deploying Certificates for PEAP and EAP

All certificates that you use for network access authentication with EAP-TLS and PEAP must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). After this minimum requirement is met, both client and server certificates have additional requirements.

Minimum Server Certificate Requirements

You can configure clients to validate server certificates by using the Validate server certificate option within the authentication protocol's properties. With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the client accepts the server authentication attempt when the certificate meets the following requirements:

• The Subject name contains a value. If you issue a certificate to your NPS server that has a blank Subject, the certificate is not available to authenticate your NPS server. Follow these steps to configure the certificate template with a Subject name:

1. Open Certificate Templates.

2. In the details pane, right-click a duplicated certificate template that you want to change, and then click Properties.

3. Click the Subject Name tab, and then click Build from this Active Directory information.

4. In Subject name format, select a value other than None.

• The computer certificate on the server chains to a trusted root CA, and does not fail any of the checks that CryptoAPI performs and that the remote access or network policies specify.

• The NPS or VPN server computer certificate is configured with the Server Authentication purpose in EKU extensions. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.

• The server certificate is configured with a required algorithm value of RSA. Follow these steps to configure the required cryptography setting:

1. Open Certificate Templates.

2. In the details pane, right-click a duplicated certificate template that you want to change, and then click Properties.

3. Click the Cryptography tab. From the Algorithm name drop-down menu, select RSA. Ensure that Minimum key size is set to 2048.

• The Subject Alternative Name (SubjectAltName) extension. If you use this extension, it must contain the server’s fully qualified domain name (FQDN). Follow these steps to configure the certificate template with the Domain Name System (DNS) name of the enrolling server:

1. Open Certificate Templates.

2. In the details pane, right-click a duplicated certificate template that you want to change, and then click Properties.

3. Click the Subject Name tab, and then click Build from this Active Directory information.

4. In Include this information in alternate subject name, select DNS name.


With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, except the following:

• Certificates that do not contain the Server Authentication purpose in EKU extensions.

• Certificates that do not contain a subject name.

• Registry-based and smart card-logon certificates.

Minimum Client Certificate Requirements

With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:

• An enterprise CA issued the client certificate or it is mapped to an Active Directory user or computer account.

• The user or computer certificate on the client chains to a trusted root CA, and the certificate includes the Client Authentication purpose in EKU extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2. The Cryptography Application Programming Interface (CryptoAPI) performs checks on the certificate based on the remote access and/or network policies.

• The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.

• For user certificates, the Subject Alternative Name extension in the certificate contains the user principal name (UPN). Follow these steps to configure the UPN in a certificate template:

1. Open Certificate Templates.

2. In the details pane, right-click a duplicated certificate template that you want to change, and then click Properties.

3. Click the Subject Name tab, and then click Build from this Active Directory information.

4. In the Include this information in alternate subject name area, select User principal name (UPN).

• For computer certificates, the Subject Alternative Name extension in the certificate must contain the client’s FQDN, also known as the DNS name. Follow these steps to configure this name in the certificate template:

1. Open Certificate Templates.

2. In the details pane, right-click a duplicated certificate template that you want to change, and then click Properties.

3. Click the Subject Name tab, and then click Build from this Active Directory information.

4. In the Include this information in alternate subject name area, select DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

• Wireless clients do not display registry-based and smart card-logon certificates.

• Wireless clients and VPN clients do not display password-protected certificates.

• Certificates that do not contain the Client Authentication purpose in EKU extensions.
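The following script is an added example and is not part of the handbook or of NPS itself. It walks the NPS server's computer certificate store and checks each certificate against the minimum server certificate requirements listed above (non-blank Subject, Server Authentication EKU, RSA key of at least 2048 bits, FQDN in the SAN when one is present, a chain to a trusted root, and a private key). The function name Test-NpsServerCertificate is chosen for the example; the script approximates, and does not replace, the CryptoAPI checks that the network policy itself performs.

```powershell
# Added example, not from the handbook: audit every certificate in the NPS
# server's Personal (LocalMachine\My) store against the minimum server
# certificate requirements, so that an unusable certificate is caught before
# clients with "Validate server certificate" start failing.
# Run on the NPS server; it needs no parameters.

$rsaOid        = '1.2.840.113549.1.1.1'   # RSA public key algorithm
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU purpose
$sanExtOid     = '2.5.29.17'              # Subject Alternative Name extension
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-NpsServerCertificate {
    # Returns one object per certificate with the list of requirements it fails.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $problems = @()

    # Subject must not be blank; NPS does not offer such certificates at all.
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems += 'blank Subject' }

    # EKU must explicitly contain Server Authentication. A missing EKU
    # extension (the "All purposes" case) does not satisfy this.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }

    # Key must be RSA and at least 2048 bits.
    if ($Cert.PublicKey.Oid.Value -ne $rsaOid) {
        $problems += "key algorithm is $($Cert.PublicKey.Oid.FriendlyName), not RSA"
    } elseif ($Cert.PublicKey.Key.KeySize -lt 2048) {
        $problems += "RSA key is only $($Cert.PublicKey.Key.KeySize) bits"
    }

    # If a SAN extension is present, it must carry this server's FQDN.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanExtOid }
    if ($san -and ($san.Format($true) -notmatch "DNS Name=$([regex]::Escape($fqdn))")) {
        $problems += "SAN does not contain DNS name $fqdn"
    }

    # Chain must build to a trusted root, with revocation checked online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build: $status"
    }

    # Without the private key the server cannot present the certificate in TLS.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Cert $_ } |
    Format-Table Subject, Usable, NotAfter, Problems -AutoSize -Wrap
```

The revocation check is set to Online deliberately: clients that validate the server certificate will follow the CRL or OCSP pointers too, so a certificate whose CRL distribution point is unreachable from the clients' network fails in production even though it looks fine locally. Certificates that report Usable = False here are also the ones NPS hides from the certificate list in the PEAP and EAP-TLS properties.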


Lesson 4 Monitoring and Troubleshooting a Network Policy Server

You can monitor NPS by configuring and using logging for events and user authentication and accounting requests. Event logging enables you to record NPS events in the system and security event logs. You can use request logging for connection analysis and billing purposes. The information that the log files collect is useful for troubleshooting connection attempts and for security investigation.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the methods for monitoring NPS.

• Describe how to configure log file properties.

• Describe how to configure SQL Server logging in NPS.

• Describe how to configure NPS events to record in Event Viewer.

Methods Used to Monitor NPS

The two types of accounting, or logging, that you can use to monitor NPS are:

• Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. You use this primarily for auditing and troubleshooting connection attempts.

• Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server database. Use request logging primarily for connection analysis and billing purposes, and as a security investigation tool, because it enables you to identify an attacker's activity, such as repeated Access-Reject responses for one account or from one RADIUS client.

To make the most effective use of NPS logging:

• Turn on logging initially for authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.

• Ensure that you configure event logging with sufficient capacity to maintain your logs.

• Back up all log files on a regular basis because you cannot recreate them when they are damaged or deleted.

• Use the RADIUS Class attribute to track usage and simplify identification of which department or user to charge for usage. Although the Class attribute, which is generated automatically, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is re-sent. You might need to delete duplicate requests from your logs to track usage accurately.


• To provide failover and redundancy with SQL Server logging, place two computers that are running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, refer to the SQL Server documentation.

Note: To interpret logged data, view the information on the Microsoft TechNet website: Interpret NPS Database Format Log Files http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409

Logging NPS Accounting

You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files where you want to store the accounting data.

Considerations for Configuring Accounting for NPS

The following list provides more information about configuring NPS accounting:

• To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. To use named pipes:

o In the Local File Properties dialog box, in the Create a new log file area, select Never (unlimited file size).

• To create the log file directory, instead of user variables, use system environment variables such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file at the system directory in the subfolder \System32\Logs, that is, %windir%\System32\Logs\.

• Switching log-file formats does not cause NPS to create a new log file. If you change log file formats, the file that is active when the change occurs will contain a mixture of the two formats: records at the start of the log have the previous format, and records at the end have the new format. A parser that reads such a file must be prepared for both formats.

• If you are administering an NPS server remotely, you cannot browse the directory structure. If you need to log accounting information to a remote server, specify the log file name by typing a Universal Naming Convention (UNC) name, such as \\MyLogServer\LogShare.

• If RADIUS accounting fails due to a full hard-disk drive or other causes, NPS stops processing connection requests. This fail-closed behavior prevents users from accessing network resources, so monitor free space on the log volume and the growth of the log files, and treat an accounting failure as an availability incident.

• NPS enables you to log to a SQL Server database in addition to, or instead of, logging to a local file.

Note: If you do not supply a full path statement in Log File Directory, the default path is used. For example, if you type NPSLogFile in Log File Directory, the file is located at %systemroot%\System32\NPSLogFile.


Configuring Log File Properties

To configure log file properties by using the Windows interface, follow these steps:

1. Open the Network Policy Server MMC snap-in.

2. In the console tree, click Accounting.

3. In the details pane, click Change Log File Properties.

4. In Log File Properties, on the Log File tab, in Directory, type the location where you want to store NPS log files. The default location is the %systemroot%\System32\LogFiles folder.

5. From the Format drop-down menu, select from DTS Compliant, ODBC (Legacy), and IAS (Legacy).

6. To configure NPS to start new log files at specified intervals, click the interval that you want to use:

o For heavy transaction volume and logging activity, click Daily.

o For lower transaction volumes and logging activity, click Weekly or Monthly.

o To store all transactions in one log file, click Never (unlimited file size).

o To limit the size of each log file, click When log file reaches this size, and then type a file size, after which a new log is created. The default size is 10 megabytes (MB).

7. To configure NPS to delete log files automatically when the disk is full, click When disk is full delete older log files. If the oldest log file is the current log file, it is not deleted.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.
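The following script is an added example and is not part of the handbook or of NPS. It shows the security investigation use of request logging described under Methods Used to Monitor NPS, applied to log files written in the DTS Compliant format selected in step 5 above: each line of such a file is one <Event> XML fragment. The script parses the lines and reports user and RADIUS client pairs with a burst of Access-Reject responses. The log lines, user names, client names and the function names ConvertFrom-NpsDtsLine and Get-NpsRejectSummary are constructed for the example; on a real server pass the lines of a file from the log directory instead.

```powershell
# Added example, not from the handbook: parse DTS Compliant accounting log
# lines (NPS writes one <Event> XML fragment per line) and flag user/RADIUS
# client pairs with a burst of Access-Reject responses. The sample lines are
# constructed for this example; to run on live data, pass
# (Get-Content "$env:SystemRoot\System32\LogFiles\IN1401.log") instead.

# Constructed sample: one successful logon, a burst of failures for one user
# through one NAS, and a single failure for another user.
# Packet-Type 2 = Access-Accept, 3 = Access-Reject; Reason-Code 0 = success,
# 16 = bad user name or password.
$sampleLines = @'
<Event><Timestamp data_type="4">01/15/2014 10:22:13.120</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">VPN1</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 10:23:41.004</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">VPN1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 10:23:43.310</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">VPN1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 10:23:45.877</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">172.16.0.21</Client-IP-Address><Client-Friendly-Name data_type="1">VPN1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 10:30:02.555</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\carol</User-Name><Client-IP-Address data_type="3">172.16.0.22</Client-IP-Address><Client-Friendly-Name data_type="1">WLAN-AP1</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@ -split "`r?`n"

function ConvertFrom-NpsDtsLine {
    # Turn one DTS Compliant log line into an object; returns nothing for
    # blank or unparsable lines so one bad record does not stop the analysis.
    param([string] $Line)
    if ([string]::IsNullOrWhiteSpace($Line)) { return }
    try { $e = ([xml]$Line).Event } catch { Write-Warning "skipping unparsable line: $Line"; return }
    [pscustomobject]@{
        Time       = [datetime]::Parse($e.Timestamp.'#text', [cultureinfo]::InvariantCulture)
        User       = $e.'User-Name'.'#text'
        Client     = $e.'Client-Friendly-Name'.'#text'
        ClientIP   = $e.'Client-IP-Address'.'#text'
        PacketType = [int]$e.'Packet-Type'.'#text'
        Reason     = [int]$e.'Reason-Code'.'#text'
    }
}

function Get-NpsRejectSummary {
    # Group Access-Reject records by user and RADIUS client and report the
    # pairs that reach the threshold, with the time span of the burst.
    param([string[]] $Lines, [int] $Threshold = 3)
    $Lines | ForEach-Object { ConvertFrom-NpsDtsLine $_ } |
        Where-Object { $_.PacketType -eq 3 } |
        Group-Object User, Client |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                User     = $sorted[0].User
                Client   = $sorted[0].Client
                ClientIP = $sorted[0].ClientIP
                Rejects  = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
                Reasons  = ($sorted | Select-Object -ExpandProperty Reason -Unique) -join ','
            }
        }
}

# With the sample above only bob via VPN1 (3 rejects in 5 seconds) is reported;
# carol's single failure stays below the threshold.
Get-NpsRejectSummary -Lines $sampleLines -Threshold 3 | Format-Table -AutoSize
```

Grouping by RADIUS client as well as by user matters: the same account failing from several access servers, or many accounts failing from one, are different investigations. Remember the caveat above about mixed formats: a file written across a format change will contain IAS or ODBC lines that the XML parse rejects, which the function reports as warnings rather than treating as attacks.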

Configuring SQL Server Logging

You can configure NPS to perform RADIUS accounting to a SQL Server database. You can use this procedure to configure logging properties and the connection to the running SQL Server that stores your accounting data. The SQL Server database can be on the local computer or on a remote server.

Note: NPS formats accounting data as an XML document that it sends to the report_event stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to function properly, you must have a stored procedure named report_event in the SQL Server database that can receive and parse the XML documents from NPS.

Configuring SQL Server Logging in NPS

To configure SQL Server logging in NPS by using the Windows interface, follow these steps:

1. Open the Network Policy Server MMC snap-in.

2. In the console tree, click Accounting.

3. In the details pane, click Change SQL Server Logging Properties. The SQL Server Logging Properties dialog box opens.

4. In the Log the following information area, select the information that you want to log:

o To log all accounting requests, select Accounting requests.

o To log authentication requests, select Authentication requests.

o To log periodic status, such as interim accounting requests, select Periodic accounting status.

o To log periodic status, such as interim authentication requests, select Periodic authentication status.

5. To configure the number of concurrent sessions that you want to allow between the NPS server and the SQL Server database, type a number in the Maximum number of concurrent sessions box.

6. To configure the SQL Server data source, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following:

o To specify the server’s name on which the database is stored, type or select a name in the Select or enter a server name box.

o To specify the authentication method with which to sign in to the server, click Use Windows NT integrated security, or click Use a specific user name and password, and then type your credentials in the User name and Password boxes.

o To allow a blank password, select Blank password.

o To store the password, select Allow saving password.

o To specify to which database to connect on the computer that is running SQL Server, click Select the database on the server, and then select a database name from the list.

7. To test the connection between the NPS server and the computer that is running SQL Server, click Test Connection.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.

Configuring NPS Events to Record in the Event Viewer

You can configure NPS event logging to record connection request failure and success events in the Event Viewer system log.

Configuring NPS Event Logging

To configure NPS event logging by using the Windows interface, perform the following tasks:

1. Open the Network Policy Server snap-in.

2. Right-click NPS (Local), and then click Properties.

3. On the General tab, select each of the following options, as required, and then click OK:

o Rejected authentication requests

o Successful authentication requests

Note: To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group.

Using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure NPS to record. NPS records connection request failure events in the System and Security event logs by default. Connection request failure events consist of requests that NPS rejects or discards. Other NPS authentication events are recorded in the Event Viewer. Note that the Event Viewer security log might record some events containing sensitive data.

Connection Request Failure Events

Although NPS records connection request failure events by default, you can change the configuration according to your logging needs. NPS rejects or ignores connection requests for a variety of reasons, including the following:

• The RADIUS message is not formatted according to RFC 2865, "Remote Authentication Dial-In User Service (RADIUS)," and RFC 2866, "RADIUS Accounting."

• The RADIUS client is unknown.

• The RADIUS client has multiple IP addresses and has sent the request on an address other than the one that you define in NPS.

• The message authenticator, also known as a digital signature, that the client sent is invalid because the shared secret is invalid.

• NPS was unable to locate the user name’s domain.

• NPS was unable to connect to the user name’s domain.

• NPS was unable to access the user account in the domain.

When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the matching network policy, and the reason for the rejection.

Connection Request Success Events

Although NPS records connection request success events by default, you can change the configuration according to your logging needs. When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy.
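As an added example that is not part of the handbook, the Python script below reads accounting lines written in the DTS Compliant format (the format selected in step 5 of the Log File Properties procedure) and summarizes rejected requests by reason code, user name and RADIUS client, which is the same information the event text above carries. The log lines are constructed, the element names follow the DTS Compliant format, and the reason-code descriptions are a small subset of the NPS reason-code list.

```python
"""Summarize rejected connection requests from an NPS accounting log.

With the DTS Compliant format, NPS writes one <Event> element per line whose
child elements are RADIUS attributes. Packet-Type 3 is Access-Reject and
Reason-Code says why NPS rejected the request (0 means success).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample lines (not captured from a real server). The element names
# follow the DTS Compliant format; the fourth line is deliberately truncated to
# show how a damaged line is handled.
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">01/15/2014 09:12:03.120</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><NP-Policy-Name data_type="1">Adatum VPN Policy</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 09:12:41.004</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><NP-Policy-Name data_type="1">Adatum VPN Policy</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 09:12:55.318</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\bob</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><NP-Policy-Name data_type="1">Adatum VPN Policy</NP-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 09:13:02.777</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\carol
<Event><Timestamp data_type="4">01/15/2014 09:13:20.009</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\carol</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2014 09:14:00.500</Timestamp><Computer-Name data_type="1">LON-DC1</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">ADATUM\alice</User-Name><Client-IP-Address data_type="3">10.10.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">LON-RTR</Client-Friendly-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Packet-Type data_type="0">4</Packet-Type></Event>
"""

PACKET_ACCESS_REJECT = "3"

# Small subset of the NPS reason codes; other codes fall through to a generic text.
REASON_TEXT = {
    0: "success",
    16: "user credentials mismatch",
    48: "no network policy matched",
}


def parse_dts_events(log_text):
    """Parse one <Event> per line into a dict of attribute name -> text.

    Returns (events, skipped). Damaged or foreign lines are counted rather than
    fatal, so one bad line cannot hide the rest of the log from review.
    """
    events, skipped = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:
            skipped += 1
            continue
        if root.tag != "Event":
            skipped += 1
            continue
        events.append({child.tag: (child.text or "").strip() for child in root})
    return events, skipped


def _reason_code(event):
    """Reason-Code as an int; -1 marks a value that is not numeric."""
    try:
        return int(event.get("Reason-Code", "0"))
    except ValueError:
        return -1


def summarize_rejects(events, burst_threshold=3):
    """Count Access-Reject events by reason code, user name and RADIUS client.

    RADIUS clients with at least burst_threshold rejects are listed separately
    so that a run of failures from one access server (wrong shared secret,
    misconfigured policy, or repeated bad credentials) stands out for review.
    """
    rejects = [e for e in events if e.get("Packet-Type") == PACKET_ACCESS_REJECT]
    by_reason = Counter(_reason_code(e) for e in rejects)
    by_user = Counter(e.get("User-Name", "<no User-Name>") for e in rejects)
    by_client = Counter(e.get("Client-IP-Address", "<no Client-IP-Address>") for e in rejects)
    return {
        "events": len(events),
        "rejects": len(rejects),
        "by_reason": {
            code: (count, REASON_TEXT.get(code, "see the NPS reason-code list"))
            for code, count in sorted(by_reason.items())
        },
        "by_user": dict(by_user),
        "by_client": dict(by_client),
        "noisy_clients": sorted(ip for ip, n in by_client.items() if n >= burst_threshold),
    }


def format_report(summary, skipped):
    """Render the summary as plain text, one finding per line."""
    lines = [
        f"{summary['events']} event(s) parsed, {skipped} damaged line(s) skipped",
        f"{summary['rejects']} Access-Reject event(s)",
    ]
    for code, (count, text) in summary["by_reason"].items():
        lines.append(f"  reason {code} ({text}): {count}")
    for user, count in sorted(summary["by_user"].items()):
        lines.append(f"  user {user}: {count}")
    for ip in summary["noisy_clients"]:
        lines.append(f"  RADIUS client {ip}: {summary['by_client'][ip]} rejects, review it")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed, damaged = parse_dts_events(SAMPLE_LOG)
    print(format_report(summarize_rejects(parsed), damaged))
```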

Logging Schannel Events

Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as SSL and TLS. These protocols provide identity authentication and secure, private communication through encryption.

Logging of client-certificate validation failures is a secure channel event and is not enabled on the NPS server by default. You can enable additional secure channel events by changing the following registry value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging

Lab: Installing and Configuring a Network Policy Server

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and data center located in London supports the London office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN servers that are located at different points to provide connectivity for its employees. You are responsible for performing the tasks necessary to support these VPN connections.

Objectives

After completing this lab, you will be able to:

• Install and configure NPS to support RADIUS.

• Configure and test a RADIUS client.

Lab Setup

Estimated Time: 60 minutes

Virtual Machines: 20411C-LON-DC1, 20411C-LON-RTR, 20411C-LON-CL2

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and then, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-RTR and 20411C-LON-CL2.

Exercise 1: Installing and Configuring NPS to Support RADIUS

Scenario

You have been tasked with installing an NPS server into the existing infrastructure to be used for RADIUS services. In this exercise, you will configure the RADIUS server with appropriate templates to help manage any future implementations. You also need to configure Accounting to log authentication information to a local text file on the server.

The main tasks for this exercise are as follows:

1. Install and Configure the Network Policy Server

2. Configure NPS Templates

3. Configure RADIUS Accounting

Task 1: Install and Configure the Network Policy Server

1. Switch to LON-DC1.

2. Sign in as Adatum\Administrator with the password Pa$$w0rd.

3. Using Server Manager, install the Network Policy and Access Services role by using default values to complete the installation wizard.

4. Open the Network Policy Server console, and then register the server in Active Directory.

5. Leave the Network Policy Server console open.

Task 2: Configure NPS Templates

1. Create a new Shared Secrets template with the following properties:

o Name: Adatum Secret

o Shared secret: Pa$$w0rd

2. Create a new RADIUS Clients template with the following properties:

o Friendly name: LON-RTR

o Address (IP or DNS): LON-RTR

o Shared Secret: Use Adatum Secret template

3. Leave the Network Policy Server console open.

Task 3: Configure RADIUS Accounting

1. In the Network Policy Server console, launch the Accounting Configuration Wizard.

2. Choose the Log to a text file on the local computer option, and then use the default values to complete the wizard.

3. Leave the Network Policy Server console open.

Results: After this exercise, you should have enabled and configured Network Policy Server (NPS) to support Remote Authentication Dial-In User Service (RADIUS) in the required environment.

Exercise 2: Configuring and Testing a RADIUS Client

Scenario

You need to configure a server as a VPN server and a RADIUS client, including the client configuration, and then you need to modify the Network Policy settings.

The main tasks for this exercise are as follows:

1. Configure a RADIUS Client

2. Configure a Network Policy for RADIUS

3. Test the RADIUS Configuration

4. To Prepare for the Next Module

Task 1: Configure a RADIUS Client

1. Create a RADIUS client by using the following property:

o Template: LON-RTR

2. Leave the console open, and then switch to LON-RTR.

3. Sign in as Adatum\Administrator with the password Pa$$w0rd.

4. Open Routing and Remote Access, and Disable Routing and Remote Access.

5. Select Configure and Enable Routing and Remote Access.

6. Reconfigure LON-RTR as a VPN Server:

o Local Area Connection 2 is the public interface

o The VPN server allocates addresses from the pool 172.16.0.100 to 172.16.0.110

o The server is configured with the option Yes, setup this server to work with a RADIUS server.

o Primary RADIUS server: LON-DC1

o Secret: Pa$$w0rd

The VPN service starts.

Task 2: Configure a Network Policy for RADIUS

1. Switch to LON-DC1.

2. Switch to the Network Policy Server console.

3. Disable the two existing network policies. These will interfere with the processing of the policy that you are about to create.

4. Create a new Network Policy by using the following properties:

o Policy name: Adatum VPN Policy

o Type of network access server: Remote Access Server (VPN-Dial up)

o Condition: NAS Port Type = Virtual (VPN)

o Permission: Access granted

o Authentication methods: default

o Constraints: default

o Settings: default

Task 3: Test the RADIUS Configuration

1. Switch to LON-CL2 and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Create a new VPN connection with the following properties:

o Internet address to connect to: 10.10.0.1

o Destination name: Adatum VPN

o Allow other people to use this connection: true

3. After you create the VPN, modify its settings by viewing the properties of the connection, and then selecting the Security tab. Use the following settings to reconfigure the VPN:

o Type of VPN: Point-to-Point Tunneling Protocol (PPTP)

o Authentication: Allow these protocols = Microsoft CHAP Version 2 (MS-CHAP v2)

4. Test the VPN connection. Use the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

Task 4: To Prepare for the Next Module

When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-CL2, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-RTR and 20411C-LON-DC1.

Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS client.

Question: What does a RADIUS proxy provide?

Question: What is a RADIUS client, and what are some examples of RADIUS clients?

Module Review and Takeaways

Review Question(s)

Question: How can you make the most effective use of the NPS logging features?

Question: What consideration must you follow if you choose to use a nonstandard port assignment for RADIUS traffic?

Question: Why must you register the NPS server in AD DS?

Tools

Tool: Network Policy Server
Use for: Managing and creating Network Policy
Where to find it: Network Policy Server on the Administrative Tools menu

Tool: Netsh command-line tool
Use for: Creating administrative scripts for configuring and managing the Network Policy Server role
Where to find it: In a Command Prompt window, type netsh -c nps to administer NPS from a command prompt

Tool: Event Viewer
Use for: Viewing logged information from application, system, and security events
Where to find it: Event Viewer on the Administrative Tools menu

Module 8 Implementing Network Access Protection

Contents:

Module Overview 8-1

Lesson 1: Overview of Network Access Protection 8-2

Lesson 2: Overview of NAP Enforcement Processes 8-7

Lesson 3: Configuring NAP 8-13

Lesson 4: Configuring IPsec Enforcement for NAP 8-18

Lesson 5: Monitoring and Troubleshooting NAP 8-27

Lab: Implementing Network Access Protection 8-31

Module Review and Takeaways 8-37

Module Overview

Your network is only as secure as the least-secure computer attached to it. Many programs and tools exist to help you to secure your network-attached computers, such as antivirus or malware detection software. However, if the software on some of your computers is not up to date, or if you have not enabled or configured it correctly, then these computers could pose a security risk.

Computers that remain within the office environment and always connect to the same network are relatively easy for you to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are less easy to control. For example, it is difficult to control laptop computers that users use to connect to customer networks or public Wi-Fi hotspots. Furthermore, unmanaged computers that are seeking to connect remotely to your network, such as users connecting from their home computers, also pose a challenge.

Network Access Protection (NAP) enables you to create customized health-requirement policies to validate computer health before allowing computers to access the network or communicate with other computers on the network. Additionally, NAP can update compliant computers automatically to ensure their ongoing compliance, and can limit the access of noncompliant computers to a restricted network until they become compliant.

Objectives

After completing this module, you will be able to:

• Describe how NAP can help protect your network.

• Describe the various NAP enforcement processes.

• Configure NAP.

• Monitor and troubleshoot NAP.

Lesson 1 Overview of Network Access Protection

NAP is a policy-enforcement platform that is built into all Windows client computers beginning with the Windows® XP operating system with Service Pack 3 (SP3), and all server-based operating systems beginning with the Windows Server® 2008 operating system. You can use NAP to protect network assets more strongly by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers connected or connecting to your network remain manageable, and so that they do not become a security risk to your enterprise’s network and other attached computers. Understanding the functionality and limitations of NAP will help you protect your network from the security risks posed by noncompliant computers.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how you can use NAP to enforce computer health requirements.

• Describe the scenarios in which you would use NAP.

• Describe the NAP enforcement methods.

• Describe the architecture of a NAP–enabled network infrastructure.

What Is Network Access Protection?

NAP provides components and an application programming interface (API) that can help enforce compliance with your organization’s health-requirement policies for network access or communication. NAP enables you to create solutions for validating computers that connect to your networks, and to provide necessary updates or access to requisite health-update resources. Additionally, NAP enables you to limit the access or communication of noncompliant computers.

You can integrate NAP’s enforcement features with software from other vendors or with custom programs. It is important to remember that NAP does not protect a network from hackers. Rather, it helps you maintain the health of your organization’s networked computers automatically, which in turn helps maintain your network’s overall integrity. For example, if a computer has all of the software and configuration settings that the health policy requires, the computer is compliant and will have unlimited network access. However, NAP does not prevent an authorized user with a compliant computer from uploading malware or malicious software to the network or engaging in other inappropriate behavior.

How to Use NAP

You can use NAP in three distinct ways:

• To validate the health state. When a computer attempts to connect to the network, NAP validates the computer’s health state against the health-requirement policies that the administrator defines. You also can define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated, and NAP logs the compliance state of each computer for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access, and computers that do not comply with health-requirement policies have access limited to a restricted network.

• To enforce health-policy compliance. You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft® System Center 2012 Configuration Manager. In a monitoring-only environment, NAP will ensure that computers update their network access before they receive required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are complete. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.

• To limit network access. You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific amount of time, or on what resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access will last until the noncompliant computer comes into compliance. You also can configure exceptions so that computers that are not compatible with NAP have unlimited network access. By default, computers that are running operating systems other than Windows are not compatible with NAP. However, there are third-party solutions that you can use to extend NAP technology to other operating systems.

NAP Scenarios

NAP provides a solution for common types of hardware considerations, such as roaming laptops, desktop computers, visiting laptops, and unmanaged computers. Depending on the needs of your organization, you can configure a solution to address any or all of these scenarios for your network.

Roaming laptops

Portability and flexibility are two primary advantages of a laptop, but these features also present a system health threat. Laptop users frequently connect their laptops to other networks. While users are away from your organization, their laptops might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the laptops. NAP allows you to check any laptop’s health state when it reconnects to the organization’s network, whether through a virtual private network (VPN), a Windows 8 DirectAccess connection, or the workplace network connection.

Desktop computers

Although users typically do not take their desktop computers out of your company’s buildings, they still can present a threat to your network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly accessible resources. You can use NAP to automate health state checks to verify each desktop computer’s compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, by using management software, you can generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, you can configure NAP to provision computers automatically with the most recent updates.

Visiting laptops

Organizations frequently need to allow consultants, business partners, and guests to connect to their private networks. The laptops that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting laptops are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting laptops. You can opt to configure Internet access for visiting laptops, but not for other organizational computers that have limited access.

Unmanaged home computers

Sometimes, unmanaged home computers that are not members of the company’s Active Directory® domain connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, more difficult. However, NAP enables you to verify the health state of a home computer every time it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.

NAP Enforcement Methods

Components of the NAP infrastructure, known as enforcement clients and enforcement servers, require health-state validation, and enforce limited network access for noncompliant computers. All Windows client computers beginning with Windows XP with SP3, and all server-based operating systems beginning with Windows Server 2008 include NAP support for the following network-access or communication methods:

• IPsec-protected traffic. Internet Protocol security (IPsec) enforcement confines communication to compliant computers after they connect successfully and obtain a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.

• Institute of Electrical and Electronics Engineers (IEEE) 802.1X–authenticated network connections. IEEE 802.1X enforcement requires that a computer is compliant to obtain unlimited network access through an IEEE 802.1X–authenticated network connection. Examples of this type of network connection include an authenticating Ethernet switch or an IEEE 802.11 wireless access point (AP).

• Remote access VPN connections. VPN enforcement requires that a computer is compliant to obtain unlimited network access through a remote access VPN connection. For noncompliant computers, network access is limited through a set of IP packet filters that the VPN server applies to the VPN connection.

• DirectAccess connections. DirectAccess connections require that a computer is compliant to obtain unlimited network access through a DirectAccess server. For noncompliant computers, network access is limited to the set of computers that are defined as infrastructure servers by using the infrastructure tunnel. Compliant computers can create the separate intranet tunnel that provides unlimited access to intranet resources. DirectAccess connections use IPsec enforcement.

• Dynamic Host Configuration Protocol (DHCP) address configurations. DHCP enforcement requires that a computer is compliant to obtain an unlimited access IPv4 address configuration from a DHCP server. For noncompliant computers, network access is restricted with an IPv4 address configuration that limits access to the restricted network.

These network access or communication methods, or NAP enforcement methods, are useful separately or together for limiting noncompliant computer access or communication. A server that is running Network Policy Server (NPS) in Windows Server 2012 acts as a health policy server for all of these NAP enforcement methods.

NAP Platform Architecture

The following table describes the components of a NAP-enabled network infrastructure.

Component: NAP clients
Description: These computers support the NAP platform for validation of system health prior to network access, and for communication.

Component: NAP enforcement points
Description: These are computers or network-access devices that use NAP, or that you can use with NAP, to require evaluation of a NAP client’s health state, and then provide restricted network access or communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether to allow network access or communication, and the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following:

• Health Registration Authority (HRA). A computer that runs Windows Server 2012 and Internet Information Services (IIS), and that obtains health certificates from a certification authority (CA) for compliant computers.

• VPN server. A computer that runs Windows Server 2012 and Routing and Remote Access, and that enables remote access VPN intranet connections through remote access.

• DHCP server. A computer that runs Windows Server 2012 and the DHCP Server service, and that provides automatic IPv4 address configuration to intranet DHCP clients.

• Network access devices. These are Ethernet switches or wireless access points that support IEEE 802.1X authentication.

Component: NAP health policy servers
Description: These are computers that run Windows Server 2012 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS replaces Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting server for network access. When acting as an authentication, authorization, and accounting server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on NAP enforcement points, based on Windows Server 2012, that do not have a built-in RADIUS client, such as an HRA or a DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Component: Health requirement servers
Description: These computers provide the current system health state for NAP health policy servers. An example is a health requirement server for an antivirus program that tracks the latest version of the antivirus signature file.

Component: Active Directory Domain Services (AD DS)
Description: This Windows directory service stores account credentials and properties, and also stores Group Policy settings. Although not required for health-state validation, AD DS is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Component: 802.1X devices
Description: An 802.1X device can be an authenticating Ethernet switch or an IEEE 802.11 wireless AP.

Component: Restricted network
Description: This is a separate logical or physical network that contains:

• Remediation servers. These computers contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.

• NAP clients with limited access. These computers are placed on the restricted network when they do not comply with health-requirement policies.

Lesson 2 Overview of NAP Enforcement Processes

When a client attempts to access or communicate on the network, it must present its system health state or proof-of-health compliance. If a client cannot prove that it is compliant with system-health requirements, such as that it has the latest operating system and antivirus updates installed, then you can limit its access to, or communication on, the network to a restricted network that contains server resources. You can restrict this access until you remedy the health-compliance issues. After the updates install, the client requests access to the network or attempts the communication again. If compliant, the client receives unlimited access to the network or the communication is allowed.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the general NAP enforcement processes.

• Discuss IPsec enforcement.

• Describe 802.1X enforcement.

• Explain VPN enforcement.

• Discuss DHCP enforcement.

NAP Enforcement Processes

Whatever form of NAP enforcement you select, many of the client-server communications are common. The following points summarize these communications:

• Between a NAP client and a HRA. The NAP client sends its current system health state to the HRA and requests a health certificate from the HRA. If the client is compliant, the HRA sends a health certificate to the NAP client. If the client is noncompliant, the HRA sends remediation instructions to the client.

• Between a NAP client and a remediation server. Although the NAP client has unlimited intranet access, it accesses the remediation server to ensure that it remains compliant. If the NAP client has limited access, it communicates with the remediation server to become compliant, based on instructions from the NAP health policy server.

• Between an HRA and a NAP health policy server. The HRA sends RADIUS messages to the NAP health policy server that contain the NAP client’s system health state. The NAP health policy server sends RADIUS messages to indicate that the NAP client has either:

o Unlimited access because it is compliant. Based on this response, the HRA obtains a health certificate, and then sends it to the NAP client.

o Limited access until it performs a set of remediation functions. Based on this response, the HRA does not issue a health certificate to the NAP client.


• Between an 802.1X network access device and a NAP health policy server. The 802.1X network access device sends RADIUS messages to transfer Protected Extensible Authentication Protocol (PEAP) messages that an 802.1X NAP client sends. The NAP health policy server sends RADIUS messages to:

o Indicate that the 802.1X client has unlimited access because it is compliant.

o Indicate a limited access profile to place the 802.1X client on the restricted network until it performs a set of remediation functions.

o Send PEAP messages to the 802.1X client.

• Between a VPN server and a NAP health policy server. The VPN server sends RADIUS messages to transfer PEAP messages that are sent by a VPN-based NAP client. The NAP health policy server sends RADIUS messages to:

o Indicate that the VPN client has unlimited access because it is compliant.

o Indicate that the VPN client has limited access through a set of IP packet filters that are applied to the VPN connection.

o Send PEAP messages to the VPN client.

• Between a DHCP server and a NAP health policy server. The DHCP server sends the NAP health policy server RADIUS messages that contain the DHCP client’s system health state. The NAP health policy server sends RADIUS messages to the DHCP server to indicate that the DHCP client has either:

o Unlimited access because it is compliant.

o Limited access until it performs a set of remediation functions.

• Between a NAP health policy server and a health requirement server. When you are performing network access validation for a NAP client, the NAP health policy server might have to contact a health requirement server to obtain information about the current requirements for system health.

Communication based on the type of enforcement

Depending upon the type of enforcement you select, the following communication occurs:

• Between a NAP client and an 802.1X network access device. The NAP client performs authentication of the 802.1X connection, and then provides its current system health state to the NAP health policy server. The NAP health policy server provides either remediation instructions, because the 802.1X client is noncompliant, or indicates that the 802.1X client has unlimited network access. NAP routes these messages through the 802.1X network access device.

• Between a NAP client and a VPN server. The NAP client that acts as a VPN client indicates its current system health state to the NAP health policy server. The NAP health policy server responds with messages to provide either remediation instructions, because the VPN client is noncompliant, or to indicate that the VPN client has unlimited intranet access. NAP routes these messages through the VPN server.

• Between a NAP client and a DHCP server. The NAP client, which is also the DHCP client, communicates with the DHCP server to obtain a valid IPv4 address configuration and to indicate its current system health state. The DHCP server allocates an IPv4 address configuration for the restricted network, and then provides remediation instructions if the DHCP client is noncompliant, or it allocates an IPv4 address configuration for unlimited access if the DHCP client is compliant.


IPsec Enforcement

With IPsec enforcement, a computer must be compliant to initiate communications with other compliant computers. Because IPsec-based NAP enforcement uses IPsec, you can define requirements for protected communications with compliant computers based on one of the following communication characteristics:

• IP address.

• Transmission Control Protocol (TCP) port number.

• User Datagram Protocol (UDP) port number.

IPsec enforcement restricts communication to compliant computers after they have connected successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.

The components of IPsec enforcement consist of an HRA that is running Windows Server 2012 and an IPsec enforcement client in one of the following operating systems:

• Windows XP with SP3

• Windows Vista®

• Windows 7

• Windows 8

• Windows 8.1

• Windows Server 2008

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

The HRA obtains X.509 certificates for NAP clients when the clients prove that they are compliant. These health certificates then authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet.

IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts sent from computers that cannot negotiate IPsec protection by using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement. Because you can take advantage of IPsec policy settings, the enforcement of health certificates can be done for any of the following:

• All computers in a domain.

• Specific computers on a subnet.

• A specific computer.

• A specific set of TCP or UDP ports.

• A set of TCP or UDP ports on a specific computer.


Considerations for IPsec enforcement

When selecting an IPsec NAP enforcement method, consider the following points:

• IPsec enforcement is more complex to implement than other enforcement methods, because it requires an HRA and a CA.

• No additional hardware is required to implement IPsec enforcement. There is no need to upgrade switches or wireless access points (WAPs), which you would have to do if you select 802.1X enforcement.

• You can implement IPsec enforcement in any environment.

• IPsec enforcement is very secure and difficult to circumvent.

• You can configure IPsec to encrypt communication for additional security.

• IPsec enforcement is applied to IPv4 and IPv6 communication.

802.1X Enforcement

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection, such as to an authenticating Ethernet switch or an IEEE 802.11 wireless AP.

For noncompliant computers, network access is limited through a restricted access profile that the Ethernet switch or wireless AP places on the connection. The restricted access profile can specify either IP packet filters, or a virtual local area network (VLAN) identification (ID) that corresponds to the restricted network. 802.1X enforcement imposes health policy requirements every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also monitors the health status of the connected NAP client actively, and then applies the restricted access profile to the connection if the client becomes noncompliant.

The components of 802.1X enforcement consist of NPS in Windows Server 2012 and an Extensible Authentication Protocol (EAP) host enforcement client in Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012 clients, whether server computers or client computers. 802.1X enforcement provides strong limited network access for all computers that access the network through an 802.1X-authenticated connection.

To implement 802.1X enforcement, you must ensure that the network switches or wireless APs support 802.1X authentication. The switches or wireless APs then act as an enforcement point for NAP clients. The health status of the client is sent as part of the authentication process. When a computer is noncompliant, the switch places the computer on a separate VLAN or uses packet filters to restrict access to only remediation servers.

Considerations for 802.1X enforcement

When deciding the 802.1X NAP enforcement method for your organization, consider the following points:

• The switch or wireless AP that connects with the client enforces noncompliant computer isolation. This makes it very difficult to circumvent, and is therefore very secure.


• Use 802.1X enforcement for internal computers. This type of enforcement is appropriate for local area network (LAN) computers with both wired and wireless connections.

• You cannot use 802.1X enforcement if your switches and wireless APs do not support the use of 802.1X for authentication.

VPN Enforcement

VPN enforcement imposes health-policy requirements every time that a computer attempts to obtain a remote access VPN connection to the network. VPN enforcement also actively monitors the health status of the NAP client, and applies the restricted network’s IP packet filters to the VPN connection if the client becomes noncompliant.

The components of VPN enforcement consist of NPS in Windows Server 2012 and a VPN enforcement client that is part of the remote access client in Windows client and server operating systems.

VPN enforcement provides limited network access for all computers that access the network through a remote access VPN connection. VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic, so that it can reach only the resources on the restricted network, which are typically remediation servers. The VPN server applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a configured packet filter.

Considerations for VPN enforcement

When considering the VPN NAP enforcement method, consider the following points:

• VPN enforcement is best suited to situations in which you are already using VPN. It is unlikely that you will implement VPN connections on an internal network just to use VPN enforcement.

• Use VPN enforcement to ensure that staff members connecting from home computers are not introducing malware to your network. Users often do not maintain their home computers correctly, and they represent a high risk. Many users do not have antivirus software, or do not apply Windows updates regularly.

• Use VPN enforcement to ensure that roaming laptops are not introducing malware to your network. Roaming laptops are more susceptible to malware than computers directly on the corporate network, because they may be unable to download virus updates and Windows updates from outside the corporate network. They also are more likely to be in environments where malware is present.


DHCP Enforcement

DHCP enforcement imposes health-policy requirements every time that a DHCP client attempts to lease or renew an IP address configuration. DHCP enforcement also actively monitors the NAP client’s health status and, if the client becomes noncompliant, renews the IPv4 address configuration for access only to the restricted network.

The components of DHCP enforcement consist of a DHCP Enforcement service that is part of the DHCP Server service in Windows Server 2012. It also consists of a DHCP enforcement client that is part of the DHCP Client service in all Windows client computers beginning with Windows XP with SP3, and all server-based operating systems beginning with Windows Server 2008.

Because DHCP enforcement relies on a specific IPv4 address configuration that a user who has administrator-level access can override, it is the weakest form of limited network access in NAP. DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255 so that there is no route to the attached subnet.

To allow the noncompliant computer to access the restricted network’s remediation servers, the DHCP server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted network’s computers, such as the Domain Name System (DNS) and remediation servers. The result of DHCP limited network access is an IP configuration and routing table that only allows connectivity to destination IP addresses that reside on the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied by the Classless Static Routes option, the TCP/IP protocol returns a routing error.

Considerations for DHCP enforcement

When considering the DHCP NAP enforcement method, consider the following points:

• DHCP enforcement is easy to implement, and can apply to any computer with a dynamic IP address.

• DHCP enforcement is easy to circumvent. A client can circumvent DHCP enforcement by using a static IP address. Additionally, a user could modify a noncompliant computer by adding static host routes to reach servers that are not remediation servers.

• DHCP enforcement is not possible for IPv6 clients. If computers on your network use IPv6 addresses to communicate, DHCP enforcement is ineffective.
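As an added example (not part of the course material), the following PowerShell function checks whether the local client currently holds the restricted configuration described above: a 255.255.255.255 mask, no default gateway, host routes delivered by the Classless Static Routes option, and the restricted DNS suffix. It assumes Windows 8 or Windows Server 2012 or later (NetTCPIP and DnsClient modules); the suffix restricted.Adatum.com is the one used in this module's demonstration.

```powershell
# Added example: report whether this client holds the restricted IPv4 configuration
# that NAP DHCP enforcement hands out. Not part of the course material.
function Test-NapDhcpRestriction {
    [CmdletBinding()]
    param(
        # Connection-specific DNS suffix that the restricted DHCP policy assigns
        # ('restricted.Adatum.com' is the value used in the course demonstration).
        [string] $RestrictedSuffix = 'restricted.Adatum.com'
    )

    # Only DHCP-assigned, non-loopback IPv4 addresses are of interest.
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notmatch 'Loopback' }

    foreach ($addr in $addresses) {
        $ifIndex  = $addr.InterfaceIndex
        $findings = @()

        # 1. Subnet mask 255.255.255.255 (prefix length 32): no route to the attached subnet.
        $hostMask = ($addr.PrefixLength -eq 32)
        if ($hostMask) { $findings += 'subnet mask is 255.255.255.255' }

        # 2. Router option 0.0.0.0: no default route exists on this interface.
        $defaultRoute = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $ifIndex `
            -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
        $noGateway = ($null -eq $defaultRoute)
        if ($noGateway) { $findings += 'no default gateway' }

        # 3. Classless Static Routes option: /32 host routes via a next hop, one per
        #    restricted-network server (DNS and remediation servers).
        $hostRoutes = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $ifIndex -ErrorAction SilentlyContinue |
            Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' }
        if ($hostRoutes) { $findings += "$(@($hostRoutes).Count) host route(s) to the restricted network" }

        # 4. DNS suffix assigned by the restricted DHCP policy.
        $suffix = (Get-DnsClient -InterfaceIndex $ifIndex).ConnectionSpecificSuffix
        if ($suffix -eq $RestrictedSuffix) { $findings += "DNS suffix is $suffix" }

        # A /32 mask together with a missing default gateway is the signature of the
        # restricted configuration; the other items are supporting evidence.
        [pscustomobject]@{
            Interface  = $addr.InterfaceAlias
            IPAddress  = $addr.IPAddress
            Restricted = ($hostMask -and $noGateway)
            Evidence   = ($findings -join '; ')
            HostRoutes = @($hostRoutes | ForEach-Object { "$($_.DestinationPrefix) via $($_.NextHop)" })
        }
    }
}

Test-NapDhcpRestriction | Format-List
```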


Lesson 3 Configuring NAP

If you want your NAP deployment to work optimally, it is important that you understand what each of the NAP components does, and how they interact to protect your network. If you want to protect your network by using NAP, you need to understand the configuration requirements for the NAP client, as well as how to configure NPS as a NAP health policy server, configure health policies and network policies, and configure the client and server settings. It also is important to test NAP before using it.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe system health validators (SHVs).

• Explain the use of a health policy.

• Discuss the use of remediation server groups.

• Describe the NAP client-configuration requirements.

• Explain how to enable and configure NAP.

What Are System Health Validators?

System health agents (SHAs) and SHVs are NAP infrastructure components that provide health-state status and validation. Windows 8 includes a Windows Security Health Validator (WSHV) that monitors the Windows Security Center settings. Windows Server 2012 also includes a WSHV.

The design of NAP makes it very flexible and extensible, and it can interoperate with any vendor’s software that provides SHAs and SHVs that use the NAP API. An SHV receives a statement of health (SoH), and then compares the system health-status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA, and it contains the last version number for the virus-signature file, then the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client’s SoH.

The SHV returns a SoH response (SoHR) to the NAP Administration Server. The SoHR can contain remediation information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client’s antivirus SHA to request the latest version, by name or IP address, of the antivirus signature file from a specific antivirus signature server.


What Is a Health Policy?

Health policies consist of one or more SHVs and other settings that you can use to define client-computer configuration requirements for the NAP-capable computers that connect to your network. When NAP-capable clients connect to the network, the client computer sends a SoH to the NPS. The SoH is a report of the client configuration state, and NPS compares the SoH to the requirements that the health policy defines. If the client configuration state does not match the requirements that the health policy defines, then, depending on the NAP configuration, NAP:

• Rejects the connection request.

• Places the NAP client on a restricted network, where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance and resubmits its new health state, NPS enables it to connect.

• Allows the NAP client to connect to the network despite its noncompliance with health policy.

You can define NPS client-health policies by adding one or more SHVs to the health policy.

After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers attempt connection to your network.

What Are Remediation Server Groups?

A remediation server group is a list of restricted network servers that provide resources that bring noncompliant NAP-capable clients into compliance with your defined client health policy. A remediation server hosts the updates that a NAP agent can use to bring noncompliant client computers into compliance with health policy, as defined by NPS. For example, a remediation server can host antivirus signatures. If a health policy requires that client computers have the latest antivirus definitions, then the following work together to update noncompliant computers:

• An antivirus SHA.

• An antivirus SHV.

• An antivirus policy server.

• The remediation server.


NAP Client Configuration

Remember these basic guidelines when you configure NAP clients:

• Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. Security Center is not included with Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

• You must enable the Network Access Protection Client service when you deploy NAP to NAP-capable client computers.

• You must configure the appropriate NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy

You can use the Enable Security Center in Group Policy procedure to enable Security Center on NAP-capable clients by using Group Policy. Some NAP deployments that use the Windows Security Health Validator require Security Center.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.

To enable Security Center in Group Policy, follow these steps:

1. Open the Group Policy Management console.

2. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.

3. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

Enable the Network Access Protection Service on Clients

You can use the Enable the Network Access Protection Service on Clients procedure to enable and configure the NAP service on NAP-capable client computers. When you deploy NAP, enabling this service is required.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.

To enable the Network Access Protection service on client computers, follow these steps:

1. Open Control Panel, click System and Security, click Administrative Tools, and then double-click Services.

2. In the services list, scroll down and then double-click Network Access Protection Agent.

3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK.


Enable and Disable NAP Enforcement Clients

You can use the Enable and Disable NAP Enforcement Clients procedure to enable or disable one or more NAP enforcement clients on NAP-capable computers. These can include the following client types:

• DHCP enforcement client.

• Remote access enforcement client.

• EAP enforcement client.

• IPsec enforcement client, which is also used for DirectAccess connections.

• Remote Desktop Gateway (RD Gateway) enforcement client.

To enable and disable NAP Enforcement Clients, follow these steps:

1. Open the NAP client configuration console (NAPCLCFG.MSC).

2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.

Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group are able to perform this procedure. As a security best practice, consider performing this procedure by using the Run as command.
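The three client procedures above, performed from an elevated PowerShell prompt instead of the Group Policy, Services and NAPCLCFG.MSC consoles, as an added example that is not part of the course material. It assumes a domain-joined Windows 7 or Windows 8 client, local Administrator rights, and that the registry value named in the Security Center function is the one behind the "Turn on Security Center (Domain PCs only)" policy (an assumption; in production set that policy in a domain GPO).

```powershell
# Added example: NAP client configuration from PowerShell. Not part of the course material.

# Built-in NAP enforcement client IDs, as listed by "netsh nap client show configuration".
$EnforcementClientIds = @{
    DHCP         = 79617   # DHCP Quarantine Enforcement Client
    RemoteAccess = 79618   # Remote Access Quarantine Enforcement Client (VPN)
    IPsec        = 79619   # IPsec Relying Party (also used for DirectAccess)
    RDGateway    = 79621   # RD Gateway Quarantine Enforcement Client
    EAP          = 79623   # EAP Quarantine Enforcement Client (802.1X)
}

function Enable-SecurityCenterInDomain {
    # Procedure 1, for a single computer: the registry value behind the
    # "Turn on Security Center (Domain PCs only)" policy (assumed path and value name).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'SecurityCenterInDomain' -Type DWord -Value 1
}

function Enable-NapAgentService {
    # Procedure 2: the Network Access Protection Agent service (service name napagent)
    # must start automatically and be running.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Get-Service -Name napagent
}

function Set-NapEnforcementClient {
    # Procedure 3: the same switch that NAPCLCFG.MSC flips, via the "netsh nap client" context.
    param(
        [Parameter(Mandatory)] [ValidateSet('DHCP', 'RemoteAccess', 'IPsec', 'RDGateway', 'EAP')] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('ENABLE', 'DISABLE')] [string] $Admin
    )
    $id     = $EnforcementClientIds[$Name]
    $output = netsh nap client set enforcement ID=$id ADMIN=$Admin
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set enforcement client $Name ($id): $output" }
    "$Name enforcement client ($id): $Admin"
}

# Apply in the order the guidelines list them: Security Center, the agent service, then the
# enforcement client this deployment needs (DHCP enforcement here, as in the demonstration).
Enable-SecurityCenterInDomain
Enable-NapAgentService
Set-NapEnforcementClient -Name DHCP -Admin ENABLE

# Confirm: the agent reports each enforcement client and whether it is enabled.
netsh nap client show state
```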

Demonstration: Configuring NAP

This demonstration shows how to:

• Install the NPS server role.

• Configure NPS as a NAP health policy server.

• Configure health policies.

• Configure network policies for compliant computers.

• Configure network policies for noncompliant computers.

• Configure the DHCP server role for NAP.

• Configure client NAP settings.

• Test NAP.

Demonstration Steps

Install the NPS server role

1. Switch to LON-DC1, and sign in as a domain administrator.

2. Open Server Manager, and then install the Network Policy and Access Services role.

Configure NPS as a NAP health policy server

1. Open the Network Policy Server console.

2. Configure the Windows Security Health Validator to require that all Windows 8 computers are running a firewall.


Configure health policies

1. Create a health policy named Compliant in which the condition is that Client passes all SHV checks.

2. Create another health policy named Noncompliant in which the condition is that Client fails one or more SHV checks.

Configure network policies for compliant computers

1. Disable the two existing network policies. These will interfere with the processing of the policies you are about to create.

2. Create a new network policy named Compliant-Full-Access that has a condition of the Compliant health policy. Computers are granted unrestricted access.

Configure network policies for noncompliant computers

• Create a new network policy named Noncompliant-Restricted that has a condition of the Noncompliant health policy. Computers are granted restricted access.

Configure the DHCP server role for NAP

1. Open the DHCP console.

2. Modify the properties of the IPv4 scope to support Network Access Protection.

3. Create a new DHCP policy that allocates appropriate DHCP scope options to noncompliant computers. These options assign a DNS suffix of restricted.Adatum.com.

Configure client NAP settings

1. Enable the DHCP Quarantine Enforcement Client on LON-CL1.

2. Start the Network Access Protection Agent service.

3. Use the local Group Policy Management console to enable the Security Center.

4. Reconfigure LON-CL1 to obtain an IP address from a DHCP server.

Test NAP

1. Verify the obtained configuration by using ipconfig.

2. Disable and stop the Windows Firewall service.

3. In the System Tray area, click the Network Access Protection pop-up warning. Review the information in the Network Access Protection dialog box. Click Close.

4. Verify the obtained configuration by using ipconfig.

5. Notice that the computer has a subnet mask of 255.255.255.255 and a DNS Suffix of restricted.Adatum.com. Leave all windows open.
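The server-side DHCP part of the demonstration, done with the DhcpServer and ServerManager modules on LON-DC1, as an added example that is not part of the course material. It assumes the scope ID below is a placeholder for your own scope, and that the Compliant and Noncompliant health and network policies are still created in the NPS console, because NPS exposes no cmdlets for SHV, health policy or network policy settings.

```powershell
# Added example: DHCP server configuration for NAP. Not part of the course material.
Import-Module ServerManager
Import-Module DhcpServer

function Enable-NapDhcpScope {
    param(
        [Parameter(Mandatory)] [string] $ScopeId,                  # placeholder, e.g. '172.16.0.0'
        [string] $RestrictedSuffix = 'restricted.Adatum.com',      # suffix used in the demonstration
        [string] $PolicyName       = 'NAP Noncompliant'
    )
    # Built-in DHCP user class that a NAP client presents while NPS reports it as noncompliant.
    $napUserClass = 'Default Network Access Protection Class'

    # Demonstration step 2: enable NAP on the IPv4 scope. With no -NapProfile the DHCP
    # server evaluates the default NPS policies.
    Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

    # Step 3: a DHCP policy whose only condition is the NAP user class, so that only
    # noncompliant clients receive the options attached to it.
    if (-not (Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Policy -Name $PolicyName -ScopeId $ScopeId -Condition OR `
            -UserClass @('EQ', $napUserClass) -Description 'Options for NAP-restricted clients'
    }

    # The option carried by that policy: the DNS suffix (option 15) that marks restricted clients.
    # The 0.0.0.0 router, the 255.255.255.255 mask and the Classless Static Routes to the
    # remediation server group are supplied by DHCP enforcement itself and are not set here.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName -DnsDomain $RestrictedSuffix

    # Return what was configured so that it can be inspected.
    [pscustomobject]@{
        Scope     = Get-DhcpServerv4Scope -ScopeId $ScopeId | Select-Object ScopeId, NapEnable, NapProfile
        Policy    = Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName
        DnsSuffix = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName -OptionId 15).Value
    }
}

# "Install the NPS server role": the Network Policy Server component of NPAS, with its console.
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools | Out-Null

Enable-NapDhcpScope -ScopeId '172.16.0.0' | Format-List
```

After the client has been restricted, the ipconfig check in the Test NAP steps should show the 255.255.255.255 mask and the restricted.Adatum.com suffix that this policy supplies.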


Lesson 4 Configuring IPsec Enforcement for NAP

Lesson Objectives

After completing this lesson, you will be able to:

• Describe what IPsec is and how you can use it to secure network traffic.

• Describe the IPsec authentication and encryption options.

• Describe the steps that occur when a client connects to the network with IPsec enforcement enabled.

• Describe the planning components for IPsec enforcement, including defining the secure networks, boundary networks, and restricted networks, and also describe how these networks enforce IPsec policies.

• Describe how to implement the HRA server and the configuration of the server.

• Describe the CA requirements for IPsec enforcement, and describe how to configure the CA to meet these requirements.

• Describe the network policies you use for IPsec enforcement.

What Is IPsec?

IPsec is a protocol suite standardized by the Internet Engineering Task Force (IETF) to secure IP communications by using cryptography. IETF standardized IPsec in a series of Request for Comments (RFC) documents. It operates at layer 3 of the Open Systems Interconnection (OSI) model, the network layer (the Internet layer in the TCP/IP model). It is built into the vast majority of operating systems in use today, including all supported versions of Windows. IPsec has the following characteristics:

• IPsec can protect communication between two independent computers or between two independent networks.

• IPsec works in the background. Applications and services do not need to be aware of, or configured to work with IPsec. Instead, IPsec is applied transparently.

• You can use IPsec to provide protection against intellectual property theft, corruption of data, man-in-the-middle attacks, and various other network-based attacks.

• Windows supports IPsec transport mode and IPsec tunnel mode. Transport mode is commonly used for Layer Two Tunneling Protocol (L2TP)/IPsec VPNs, while tunnel mode is commonly used for site-to-site connectivity, such as over a wide area network (WAN).

• You can use packet filtering to strictly control the network traffic coming from a host or going to a host. This gives administrators far-reaching control of network communication.

You often combine IPsec with other forms of network-based protection mechanisms such as network-based firewalls, host-based firewalls, and Group Policy. It is a good practice to implement multiple layers of security on a network. Using multiple layers of security is often referred to as “defense in depth” or as a “multi-layered security strategy”.


In a common corporate deployment, IPsec relies on the following components:

• AD DS. AD DS provides the common infrastructure and is a prerequisite for common implementations of a Microsoft-based public key infrastructure (PKI). In addition, you can use Group Policy to standardize security-related settings for IPsec.

• PKI. You can use Active Directory Certificate Services (AD CS) to distribute certificates automatically to ease the administrative overhead of implementing IPsec. Configuring a CA for IPsec is discussed in more detail in the Configuring the Certification Authority topic later in this module.

• Two or more computers running a supported version of Windows and joined to the same domain. The computers can be client computers or server-based computers.

IPsec Authentication and Encryption Options

IPsec offers flexible authentication options and encryption options. For authentication, IPsec provides the following methods:

• Kerberos V5 authentication protocol. Kerberos is the default authentication protocol used by Windows computers when the computers are part of the same AD DS domain or trusted AD DS domains.

• Certificate authentication. When computers are not part of the same AD DS domain or trusted AD DS domains, certificate authentication is used. Certificate authentication is most common between partner companies, and between company employees and external parties such as consultants, board members, and customers.

• In development or testing scenarios, a preshared key can be used instead of Kerberos or certificate authentication. This method is not secure because the key is stored in plain text. This method is rarely implemented and provides authentication protection only.

The encryption options provided by IPsec are based on the security association (SA) and include the following options:

• Data Encryption Standard (DES). DES uses a 56-bit key, which is considered insecure today.

• Triple DES (3DES). 3DES (pronounced “triple des”) uses three 56-bit keys by applying DES three times for encryption.

• Advanced Encryption Standard (AES). Multiple key lengths are supported: 128, 192, and 256 bits. Security increases as the key length increases. The vast majority of new IPsec implementations use AES today because it provides the strongest security and does not require additional administrative effort.

In addition to authentication and encryption, IPsec relies on data integrity to secure network communication. You use data integrity to ensure that communication received from a computer was not modified en route to the destination. Data integrity relies on the same encryption standards as data encryption, but you use it to sign a hash for integrity purposes. For implementations of IPsec with AES, the encryption and integrity options must match and are often grouped together.


NAP with IPsec Enforcement Components

You can deploy NAP enforcement for IPsec policies for Windows Firewall by using a CA, an HRA server, a computer running NPS, and an IPsec enforcement client. The CA issues X.509 certificates with the System Health object identifier (OID) to NAP clients when they are determined to be compliant. You then use these certificates to authenticate NAP clients when they initiate IPsec communications with other IPsec clients on an intranet.

IPsec enforcement confines your network’s communication to compliant clients and provides the strongest NAP implementation available. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.

The process for configuring NAP with IPsec enforcement

NAP with IPsec enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements. To implement NAP with IPsec, you must do the following:

• Configure a CA to issue health certificates. You must use the System Health Authentication template, and you must grant the HRA permission to enroll the certificate.

• Install HRA. The HRA is a component of NAP that is central to IPsec enforcement. The HRA obtains health certificates on behalf of NAP client computers when they are compliant with network health requirements. These health certificates authenticate NAP client computers for IPsec-protected communications with other NAP client computers on an intranet. If a NAP client computer does not have a health certificate, the IPsec peer authentication fails.

• Select authentication requirements. The HRA can provide health certificates to authenticated domain users only, or optionally provide health certificates to anonymous users.

• Configure the NPS server with the required health policies. The policies will vary based on the company security requirements and existing infrastructure.

• Configure NAP client computers for IPsec NAP enforcement. The NAP agent must be running, and the NAP IPsec enforcement client must be running. You can do this by using Group Policy or local policy, or by using the commands available in the Netsh command-line tool.

• Use IPsec policies to create logical networks. IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are:

o Secure network. Computers on the secure network have health certificates and require that incoming communication be authenticated by using these certificates.

o Boundary network. Computers on the boundary network have health certificates but do not require IPsec authentication of incoming communication attempts.

o Restricted network. Computers on the restricted network do not have health certificates.

How IPsec Enforcement Works

To obtain a health certificate and become a secure network member, a NAP client that is using IPsec enforcement starts on the network and uses the following process:

1. When the computer starts, the host-based firewall is enabled; however, it allows no exceptions, so no other computer can initiate communications with it. At this point, the computer is in the restricted network because it does not have a health certificate. The computer can communicate with other computers in the restricted and boundary networks and can access the Internet. However, it cannot initiate communications with computers in the secure network.

2. The NAP client obtains network access and an IP address configuration.

3. The IPsec NAP enforcement client sends its credentials and system statement of health (SSoH) to the HRA by using HTTP or a protected HTTP over SSL session.

4. The HRA passes the SSoH to the NAP health policy server in a RADIUS Access-Request message.

5. The NPS service on the NAP health policy server receives the RADIUS Access-Request message, extracts the SSoH, and passes it to the NAP Administration Server component.

6. The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.

7. The SHVs analyze their SoHs and return SoHRs to the NAP Administration server.

8. The NAP Administration server passes the SoHRs to the NPS service.

9. The NPS service compares the SoHRs to the configured health policies and creates the System Statement of Health Response (SSoHR).

10. The NPS service constructs and sends a RADIUS Access-Accept message with the SSoHR as a RADIUS vendor specific attribute to the HRA.

11. The HRA sends the SSoHR back to the IPsec NAP enforcement client. If the NAP client is compliant, the HRA also issues a health certificate.

After the health certificate is issued, the NAP client removes any existing health certificates, if necessary, and adds the newly issued health certificate to its computer certificate store. The IPsec NAP enforcement client configures IPsec settings to authenticate by using the health certificate for IPsec-protected communications. It also configures the host-based firewall to allow incoming communications from any peer that uses a health certificate for IPsec authentication. The NAP client now belongs to the secure network.

Note: The IPsec NAP enforcement client performs steps 3 through 11 whenever new SoH information arrives at the NAP Agent or when the health certificate is about to expire.

Noncompliant NAP client

If the NAP client is noncompliant, the NAP client does not have a health certificate and cannot initiate communication with computers in the secure network. The NAP client performs the following remediation process to become a secure network member:

1. The IPsec NAP enforcement client passes the SSoHR to the NAP Agent.

2. The NAP Agent passes the SoHRs in the SSoHR to the appropriate SHAs.

3. Each SHA analyzes its SoHR and, based on the contents, performs the remediation as needed to correct the NAP client’s system health state.

4. Each SHA that required remediation passes an updated SoH to the NAP Agent.

5. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new SSoH, and passes it to the IPsec NAP enforcement client.

6. The IPsec NAP enforcement client uses HTTP or a protected HTTP over SSL session to send its new SSoH to the HRA.

7. The HRA receives the SSoH and sends it to the NAP health policy server in a RADIUS Access-Request message.

8. The NPS service on the NAP health policy server receives the RADIUS Access-Request message, extracts the SSoH, and passes it to the NAP Administration Server.

9. The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.

10. The SHVs analyze the contents of their SoHs and return SoHRs to the NAP Administration Server.

11. The NAP Administration Server passes the SoHRs to the NPS service.

12. The NPS service compares the SoHRs to the configured set of health policies and creates the SSoHR.

13. The NPS service constructs and sends a RADIUS Access-Accept message containing the SSoHR to the HRA.

14. The HRA receives the RADIUS Access-Accept message, extracts the SSoHR, and sends it to the NAP client by using HTTP or the HTTP over SSL session. Because the NAP client now is compliant, the HRA issues the NAP client a health certificate.

Planning IPsec Logical Networks

IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined by which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation, and provide compliant computers with protection from noncompliant computers.

IPsec enforcement defines the following logical networks:

• Secure network. The set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the AD DS domain would be in the secure network.

• Boundary network. The set of computers that have health certificates but do not require incoming communication attempts to use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.

• Restricted network. The set of computers that do not have health certificates. This includes noncompliant NAP client computers, guests on the network, or computers that are not NAP-capable such as computers that are running versions of Windows that do not support NAP, computers running the Mac operating system, or UNIX-based computers.

Based on the three logical networks, the following types of initiated communications are possible: secure, boundary, and restricted.

Secure network

Computers in the secure network can initiate communications with computers in all three logical networks. Communications initiated to computers in the secure network or boundary network are authenticated with IPsec and health certificates. IPsec does not authenticate communications initiated to computers in the restricted network.

Computers in the secure network will accept communications initiated from computers in the secure and boundary networks that IPsec authenticates, but will not accept communications initiated from computers in the restricted network. For example, a client computer in the secure network can request a webpage from a web server in the secure network. However, a client computer in the restricted network cannot request a web page from a web server in the secure network. You can configure the requirements for initiated communication on a TCP or UDP port basis to limit specific traffic. For example, it is possible to require IPsec authentication with health certificates for remote procedure call (RPC) traffic, but not web traffic. In this case, a client computer in the restricted network could request a webpage from a web server in the secure network, but not be able to use RPC to connect to that same server.

Boundary network

Computers in the boundary network can initiate communications with computers in the secure or boundary networks that are authenticated with IPsec and health certificates or with computers in the restricted network that IPsec does not authenticate.

Computers in the boundary network will accept communications initiated from computers in the secure and boundary networks that are authenticated with IPsec and health certificates, and from computers in the restricted network that IPsec does not authenticate.

Boundary network members typically consist only of the HRA and NAP remediation servers. Servers in the boundary network must be accessible from noncompliant NAP clients in the restricted network to perform initial remediation functions and obtain health certificates. Additionally, they must be accessible from compliant computers in the secure network to perform ongoing remediation functions, renew health certificates, and manage computers in the boundary network.

A computer is a member of the secure or boundary network for the time specified in the health certificate’s validity period. Before the health certificate expires, the IPsec-protected NAP client contacts the HRA to obtain a new health certificate. You can configure the validity time for health certificates on the HRA. Validity time typically spans hours, rather than the years that are typical of computer or user certificates.

Restricted network

Computers in the restricted network can initiate communications with computers in the restricted and boundary networks. Computers in the restricted network cannot initiate communications to computers in the secure network, unless the IPsec policy settings of the secure network’s computers specifically allow them to.

Computers in the restricted network can accept communications initiated from computers in all three logical networks.

Configuring the HRA Server

To support IPsec NAP enforcement, you must configure an HRA server. This process involves the following steps:

1. Configure authentication requirements. When you install the HRA, you are prompted to configure it. The HRA can issue health certificates only to users who are authenticated to the domain or, optionally, also to anonymous users. If you allow only domain-authenticated users, a single website named DomainHRA is created. If you also allow anonymous users to obtain health certificates, an additional website, NonDomainHRA, is created to support that configuration.

2. Configure CAs. The HRA must be associated, either during installation or subsequently, with either a stand-alone or enterprise CA. This is discussed in the next topic.

3. Configure the request policy. The security settings used by the HRA to communicate with clients are known as request policy settings. You can use the HRA snap-in to specify these security mechanisms and determine which asymmetric key algorithm, hash algorithm, and cryptographic service provider (CSP) the HRA server uses to encrypt communication with client computers.

Note: It is not mandatory that you configure request policy settings on your HRA server. By default, a NAP-capable client computer initiates a negotiation process with an HRA server by using a mutually acceptable default security mechanism for encrypting communication.

Configuring the Certification Authority

To obtain and issue certificates, you must associate the HRA with a CA. This process involves choosing a CA type, verifying CA security settings, and configuring additional settings.

Choose a CA type

When configuring the HRA to use a CA, you can select one of the following:

• Stand-alone CA. A stand-alone CA issues certificates that are not based on templates. Consequently, you do not need to configure a certificate template. However, you must still configure CA security settings and certificate issuance requirements so that the HRA can request and issue health certificates automatically to client computers that are health policy–compliant.

• Enterprise CA. An enterprise CA issues certificates that are based on templates. Therefore, if you select an enterprise CA, you must configure the required certificate template as part of the CA preparation process.

Note: If you install your enterprise CA on a computer that is running Windows Server 2008 or Windows Server 2012, the required HRA template already exists. If your enterprise CA is running Windows Server 2003, you must manually create the required template.

Complete the following tasks on your enterprise CA to ensure that it is ready to support the requirements of your HRA:

1. Verify certificate availability. Use the Certificate Templates snap-in to check for the presence of the System Health Authentication template.

2. Verify certificate enrollment permissions for the HRA. To check that the HRA has the required permissions to obtain and issue health certificates, follow these steps:

a. Open the Certificate Templates snap-in, and view the properties of your System Health Authentication template.

b. Check the security settings to verify that both the Enroll and Autoenroll permissions have been granted to the DNS name of your HRA server.

Verify CA security settings

After selecting the CA type, you must verify the CA security settings. For NAP client computers to obtain health certificates automatically when they have been determined to be compliant with network health requirements, you must configure your NAP CAs to issue health certificates automatically. Use the following process to ensure that certificates are issued automatically.

1. Open the Certification Authority management console snap-in.

2. Verify that the Policy Module for your CA is configured with this value: Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

Note: This process applies to both enterprise and stand-alone CA servers.

Configure additional settings

You can add the CA to the HRA during installation of the HRA role or at any time thereafter by using the HRA console. After you add the CA to the HRA, you can use the HRA console to complete these additional tasks:

1. Configure CA wait time. The HRA attempts to obtain health certificates only from the CA that is configured first in the processing order, unless that CA has been marked as unavailable. You can change the number of minutes to wait before identifying a CA as unavailable.

2. Configure health certificate validity period. Client computers attempt to renew their health certificate 15 minutes before expiration or when a change in client health status occurs. You can configure a custom validity period for health certificates. The default validity period is four hours.

Lesson 5 Monitoring and Troubleshooting NAP

Monitoring and troubleshooting NAP is an important administrative task because each NAP enforcement method involves different technologies, and therefore different expertise and prerequisites. Trace logs are available for NAP but are disabled by default. These logs serve two purposes: troubleshooting, and evaluating a network’s health and security.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how NAP tracing can help monitor and troubleshoot NAP.

• Explain how to configure NAP tracing.

• Troubleshoot NAP with the Netsh command-line tool.

• Use the NAP event log to troubleshoot NAP.

What Is NAP Tracing?

You can use the NAP Client Configuration console to configure NAP tracing. Tracing records NAP events in a log file and is useful for troubleshooting and maintenance. Additionally, you can use tracing logs to evaluate your network’s health and security. You can configure three levels of tracing: Basic, Advanced, and Debug.

Enable NAP tracing when:

• Troubleshooting NAP problems.

• Evaluating the overall health and security of your organization’s computers.

In addition to trace logging, you can view NPS accounting logs. These logs can contain useful NAP information. By default, NPS accounting logs are located in %systemroot%\system32\logfiles.

The following logs might contain NAP-related information:

• IASNAP.LOG. This file contains detailed data about NAP processes, NPS authentication, and NPS authorization.

• IASSAM.LOG. This file contains detailed data about user authentication and authorization.

Demonstration: Configuring NAP Tracing

Two tools are available for configuring NAP tracing. The NAP Client Configuration console is part of the Windows user interface, and Netsh is a command-line tool.

Using the Windows user interface

You can use the Windows user interface to enable or disable NAP tracing and to specify the level of recorded detail by performing the following steps:

1. Open the NAP Client Configuration console by running napclcfg.msc.

2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click Properties.

3. In the NAP Client Configuration (Local Computer) Properties dialog box, select Enabled or Disabled.

Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, we recommend that you perform this operation by using the Run As command.

4. If you chose Enabled, under Specify the level of detail at which the tracing logs are written, select Basic, Advanced, or Debug.

Using a command-line tool

To use a command-line tool to enable or disable NAP tracing and specify the level of recorded detail, perform the following steps:

1. Open an elevated command prompt.

2. To enable or disable NAP tracing, do one of the following:

o To enable NAP tracing and configure basic or advanced logging, type: netsh nap client set tracing state=enable level=basic or netsh nap client set tracing state=enable level=advanced.

o To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable level=verbose.

o To disable NAP tracing, type: netsh nap client set tracing state=disable.

Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, we recommend that you perform this operation by using the Run As command.

Viewing log files

To view the log files, navigate to the %systemroot%\tracing\nap directory, and then open the particular trace log that you want to view.

Demonstration Steps

Configure tracing from the GUI

1. On LON-CL1, open the NAPCLCFG – [NAP Client Configuration (Local Computer)] console.

2. From the NAP Client Configuration (Local Computer) properties, enable Advanced tracing.

Configure tracing from the command line

• At the command prompt, type netsh nap client set tracing state=enable, and then press Enter.

Troubleshooting NAP

You can use the following tools to troubleshoot NAP.

Netsh commands

Use the Netsh NAP command to help troubleshoot NAP issues. The following command displays the status of a NAP client, including the following:

• Restriction state.

• Status of enforcement clients.

• Status of installed SHAs.

• Trusted server groups that have been configured.

netsh NAP client show state

The following command displays the local configuration settings on a NAP client, including:

• Cryptographic settings.

• Enforcement client settings.

• Settings for trusted server groups.

• Client-tracing settings that have been configured.

netsh NAP client show config

The following command displays the Group Policy configuration settings on a NAP client, including:

• Cryptographic settings.

• Enforcement client settings.

• Settings for trusted server groups.

• Client-tracing settings that have been configured.

netsh NAP client show group
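The tracing procedure and the three netsh show commands above can be bundled into one collection step on the client. The following PowerShell function is an added example, not part of the handbook; it assumes an elevated session on a NAP-capable client and that trace logs are written under %systemroot%\tracing\nap as described earlier. The function name and the output folder are hypothetical.

```powershell
function Invoke-NapClientDiagnostics {
    <#
      Added example (not from the handbook). Enables NAP client tracing at the
      requested level, captures the netsh nap client state/config/group output,
      lets the operator reproduce the problem, then collects the trace logs and
      turns tracing off again. Assumes an elevated session on a NAP-capable client.
    #>
    [CmdletBinding()]
    param(
        [ValidateSet('basic', 'advanced', 'verbose')]
        [string]$Level = 'advanced',                        # 'verbose' is the Debug level in the GUI
        [string]$OutputRoot = "$env:SystemDrive\NapDiag",   # hypothetical bundle location
        [switch]$NoPause                                    # skip the reproduce-the-problem pause
    )

    # netsh nap requires elevation; fail early rather than leave a half-collected bundle.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated PowerShell session.'
    }

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $bundle = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $bundle -Force | Out-Null

    # Trace logs land under %systemroot%\tracing\nap (see "Viewing log files").
    $traceDir = Join-Path $env:SystemRoot 'tracing\nap'

    try {
        # 1. Turn tracing on at the chosen level (same command as in the demonstration).
        & netsh nap client set tracing state=enable "level=$Level" | Out-Null

        # 2. Snapshot the client view before reproducing the problem. Each file holds
        #    the raw netsh output so it can be diffed against a healthy client later.
        foreach ($view in 'state', 'config', 'group') {
            & netsh nap client show $view |
                Out-File -FilePath (Join-Path $bundle "netsh-nap-client-show-$view.txt")
        }

        # 3. Give the operator time to reproduce the failure (connection attempt,
        #    SHA status change, health certificate renewal, ...).
        if (-not $NoPause) {
            Read-Host 'Reproduce the NAP problem now, then press Enter to collect the logs' | Out-Null
        }

        # 4. Collect whatever the NAP components wrote while tracing was enabled.
        if (Test-Path $traceDir) {
            Copy-Item -Path (Join-Path $traceDir '*') -Destination $bundle -Recurse -Force
        } else {
            Write-Warning "Trace directory $traceDir not found; no trace logs collected."
        }
    }
    finally {
        # 5. Always turn tracing off again; debug-level tracing is not meant to stay on.
        & netsh nap client set tracing state=disable | Out-Null
    }

    [pscustomobject]@{
        Bundle = $bundle
        Files  = (Get-ChildItem -Path $bundle -File | Select-Object -ExpandProperty Name)
    }
}

# Typical use on the affected client (elevated):
# Invoke-NapClientDiagnostics -Level verbose
```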

Troubleshooting NAP with Event Logs

NAP services record NAP-related events into the Windows event logs. To view these events, follow these steps:

• Open Event Viewer, select Custom Views, select Server Roles, and then select Network Policy and Access Services.

The following events provide information about NAP services that are running on an NPS server:

• Event ID 6272. Network Policy Server granted access to a user. Occurs when a NAP client authenticates successfully, and, depending on its health state, obtains full or restricted access to the network.

• Event ID 6273. Network Policy Server denied access to a user. Occurs when an authentication or authorization problem arises, which is associated with a reason code.

• Event ID 6274. Network Policy Server discarded the request for a user. Occurs when a configuration problem arises, if the RADIUS client settings are incorrect, or if NPS cannot create accounting logs.

• Event ID 6276. Network Policy Server quarantined a user. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access.

• Event ID 6277. Network Policy Server granted access to a user, but put it on probation because the host did not meet the defined health policy. Occurs when the client access request matches a network policy that is configured with the NAP enforcement setting Allow full network access for a limited time, and the date specified in the policy has passed.

• Event ID 6278. Network Policy Server granted full access to a user because the host met the defined health policy. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.
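To turn the event list above into a recurring monitoring check on the NPS server, the following PowerShell function is an added example, not part of the handbook. It assumes that NPS records events 6272 through 6278 in the Security log under the Microsoft-Windows-Security-Auditing provider and that the event message text carries Account Name: and Reason Code: fields; the function name is hypothetical.

```powershell
function Get-NapDecisionSummary {
    <#
      Added example (not from the handbook). Summarizes the NPS/NAP decision
      events 6272-6278 from the Security log of an NPS server over a time window,
      using the meanings given in the event list above. Assumes the events are
      written by Microsoft-Windows-Security-Auditing and that the message text
      contains "Account Name:" and "Reason Code:" lines.
    #>
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    # Meanings as described in the handbook's event list.
    $meaning = @{
        6272 = 'Access granted (full or restricted, depending on health state)'
        6273 = 'Access denied (authentication or authorization problem)'
        6274 = 'Request discarded (configuration, RADIUS client or accounting problem)'
        6276 = 'Quarantined (Allow limited access)'
        6277 = 'Granted on probation (Allow full access for a limited time; date passed)'
        6278 = 'Full access granted (health policy met)'
    }

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = @(6272, 6273, 6274, 6276, 6277, 6278)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No NAP decision events in the last $Hours hours on $ComputerName."
        return
    }

    # Pull the account name and (for denials) the reason code out of the message body.
    # The field labels are an assumption about the NPS message format; adjust if yours differ.
    $decoded = foreach ($e in $events) {
        $account = if ($e.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
        $reason  = if ($e.Message -match 'Reason Code:\s+(\d+)')  { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            Meaning    = $meaning[$e.Id]
            Account    = $account
            ReasonCode = $reason
        }
    }

    # Per-event-ID counts: a spike in 6276 or 6273 is the first thing to look at.
    $counts = $decoded | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ Id = [int]$_.Name; Meaning = $meaning[[int]$_.Name]; Count = $_.Count }
    }

    # Clients that ended up restricted or on probation, and the most common denial reasons.
    $restricted = $decoded | Where-Object { $_.Id -in 6276, 6277 } |
        Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{n = 'Account'; e = { $_.Name }}, Count
    $denials = $decoded | Where-Object { $_.Id -eq 6273 -and $_.ReasonCode -ne $null } |
        Group-Object ReasonCode | Sort-Object Count -Descending |
        Select-Object @{n = 'ReasonCode'; e = { [int]$_.Name }}, Count

    [pscustomobject]@{
        Computer   = $ComputerName
        Window     = "$Hours h"
        Counts     = $counts
        Restricted = $restricted
        Denials    = $denials
        Events     = $decoded
    }
}

# Typical use on the NPS server (needs rights to read the Security log):
# (Get-NapDecisionSummary -Hours 24).Counts | Format-Table -AutoSize
```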

Lab: Implementing Network Access Protection

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An Information Technology (IT) office and data center in London support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

To help increase security and meet compliance requirements, A. Datum is required to extend their VPN solution to include NAP. You need to establish a way to verify and, if required, automatically bring client computers into compliance whenever they connect remotely by using the VPN connection. You will accomplish this goal by using NPS to create system health validation settings and network and health policies, and to configure NAP to verify and remediate client health.

Objectives

After completing this lab, you will be able to:

• Configure NAP components.

• Configure VPN access.

• Configure the client settings to support NAP.

Lab Setup

Estimated Time: 60 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-RTR, 20411C-LON-CL2

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, click Administrative Tools, and then double-click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-CL2 and 20411C-LON-RTR.

Exercise 1: Configuring NAP Components

Scenario

You should configure NAP components, such as certificate requirements, health and network policies, and connection-request policies as the first step in implementing compliance and security.

The main tasks for this exercise are as follows:

1. Configure Server and Client Certificate Requirements

2. Configure Health Policies

3. Configure Network Policies

4. Configure Connection Request Policies for VPN

Task 1: Configure Server and Client Certificate Requirements

1. Switch to the LON-DC1 virtual server.

2. Open the Certification Authority tool.

3. In the Certificate Templates Console details pane, open the properties of the Computer certificate template.

4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.

5. Restart the Certification Authority.

6. Close the Certification Authority tool.

Task 2: Configure Health Policies

1. Switch to the LON-RTR computer.

2. Create a management console by running mmc.exe.

3. Add the Certificates snap-in with the focus on the local computer account.

4. Navigate to the Personal certificate store and request a new certificate.

5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.

6. Enroll the Computer certificate that is listed.

7. Close the console, and do not save the console settings.

8. Using Server Manager, install the NPS Server with the following role services:

o Network Policy Server

9. Open the Network Policy Server console.

10. Expand the Network Access Protection node to the Windows Security Health Validator node, and open the Default Configuration.

11. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.

12. Create a health policy with the following settings:

o Name: Compliant

o Client SHV checks: Client passes all SHV checks

o SHVs used in this health policy: Windows Security Health Validator

13. Create a health policy with the following settings:

o Name: Noncompliant

o Client SHV checks: Client fails one or more SHV checks

o SHVs used in this health policy: Windows Security Health Validator

Task 3: Configure Network Policies

1. Disable all existing network policies.

2. Configure a new network policy with the following settings:

o Name: Compliant-Full-Access

o Conditions: Health Policies, Compliant

o Access permissions: Access granted

o Settings: NAP Enforcement, Allow full network access

o Authentication methods: none

o Perform machine health check only: Yes

3. Configure a new network policy with the following settings:

o Name: Noncompliant-Restricted

o Conditions: Health Policies, Noncompliant

o Access permissions: Access granted

o Settings: NAP Enforcement, Allow limited access is selected, and Enable auto-remediation of client computers is not selected.

o IP Filters: IPv4 input filter

Destination network: 172.16.0.10/255.255.255.255

IPv4 output filter:

Source network: 172.16.0.10/255.255.255.255

o Authentication methods: none

o Perform machine health check only: Yes

Task 4: Configure Connection Request Policies for VPN

1. Disable existing connection request policies.

2. Create a new Connection Request Policy with the following settings:

o Policy name: VPN connections

o Type of network access server: Remote Access Server (VPN-Dial up)

o Conditions, Tunnel type: L2TP, SSTP, and PPTP

o Authenticate requests on this server: Enabled

o On the Specify Authentication Methods page, perform the following:

1. Select Override network policy authentication settings.

2. Add Microsoft: Protected EAP (PEAP).

3. Add Microsoft: Secured password (EAP-MSCHAP v2).

4. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.

Results: After this exercise, you should have installed and configured the required Network Access Protection (NAP) components, created the health and network policies, and created the connection request policies.

Exercise 2: Configuring Virtual Private Network Access

Scenario

After configuring NAP, you will configure a VPN server, and then enable the PING protocol through the firewall for testing purposes.

The main tasks for this exercise are as follows:

1. Configure a VPN Server

2. Allow PING for Testing Purposes

Task 1: Configure a VPN Server

1. On LON-RTR, open Routing and Remote Access.

2. Disable Routing and Remote Access.

3. Select Configure and Enable Routing and Remote Access.

4. Use the following settings to complete configuration:

o Select Remote access (dial-up or VPN).

o Select the VPN check box.

o Select the interface named Internet, and clear the Enable security on the selected interface by setting up static packet filters check box.

o Select Ethernet as the network selection.

o Under IP Address Assignment, type 172.16.0.100 and 172.16.0.110 as the start and end IP addresses, respectively.

o Complete the process by accepting defaults when you receive a prompt, and by clicking OK to confirm any messages.

5. In the Network Policy Server, click the Connection Request Policies node, and verify that the Microsoft Routing and Remote Access Service Policy is disabled. This was created automatically when Routing and Remote Access was enabled.

6. Close the Network Policy Server management console, and then close the Routing and Remote Access console.

Task 2: Allow PING for Testing Purposes

1. On LON-RTR, open Windows Firewall with Advanced Security.

2. Create an inbound rule with the following properties:

o Type: Custom

o All programs

o Protocol type: Select ICMPv4, and then click Customize

o Specific ICMP types: Echo Request

o Default scope

o Action: Allow the connection

o Default profile

o Name: ICMPv4 echo request

3. Close the Windows Firewall with Advanced Security console.

Results: After this exercise, you should have created a virtual private network (VPN) server and configured inbound communications.

Exercise 3: Configuring the Client Settings to Support NAP

Scenario

In this exercise, you will enable a client VPN to connect to the Adatum network. You then will enable and configure the required client-side NAP components.

The main tasks for this exercise are as follows:

1. Enable a Client NAP Enforcement Method

2. Establish a VPN Connection

3. To Prepare for the Next Module

Task 1: Enable a Client NAP Enforcement Method

1. Switch to the LON-CL2 computer.

2. Run the NAP Client Configuration tool (napclcfg.msc).

3. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.

4. Close the NAP Client Configuration tool.

5. Run services.msc, and then configure the Network Access Protection Agent service for automatic startup.

6. Start the service.

7. Close the services console.

8. Open the Local Group Policy Editor (gpedit.msc), and then enable the Turn on Security Center (Domain PCs only) setting under Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.

9. Close the Local Group Policy Editor.

Task 2: Establish a VPN Connection

1. On LON-CL2, create a new VPN connection with the following properties:

o Internet address to connect to: 10.10.0.1

o Destination name: Adatum VPN

o Allow other people to use this connection: Enable

2. After you have created the VPN, modify its settings by viewing the properties of the connection, and then clicking the Security tab. Use the following settings to reconfigure the VPN:

o Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled)

o Properties of this authentication type:

 Validate server certificate: Disable

 Connect to these servers: Disable

 Authentication method: Secured password (EAP-MSCHAP v2)

 Enable Fast Reconnect: Disable

 Enforce Network Access Protection: Enable

3. Test the VPN connection:

o In the Network Connections window, connect to the Adatum VPN connection

4. At the command prompt, run ipconfig /all to verify that the System Quarantine State is Not Restricted.

5. Ping 172.16.0.10.

6. Disconnect the Adatum VPN.

7. Switch to LON-RTR.

8. Open Network Policy Server.

9. In the Default Configuration of the Windows Security Health Validator, enable the Restrict access for clients that do not have all available security updates installed option on the Windows 8/Windows 7/Windows Vista page.

10. Switch back to LON-CL2, and then reconnect the VPN.

11. Run the ipconfig /all command to verify that the System Quarantine State is Restricted.

12. Disconnect the VPN.
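The client-side steps in Task 1 (enforcement client, NAP Agent service, Security Center policy) and the quarantine-state check in Task 2 can be scripted. The following is an added example, not the handbook's own code; it assumes an elevated PowerShell session on LON-CL2, that netsh nap client show config lists each enforcement client with a numeric ID column, and that the Turn on Security Center (Domain PCs only) policy maps to the SecurityCenterInDomain registry value shown (an assumption to verify against gpedit.msc).

```powershell
# Added example (not from the handbook): scripted equivalent of Exercise 3,
# Task 1 on the NAP client, followed by the quarantine-state check from Task 2.
# Run in an elevated PowerShell session on LON-CL2.

# 1. Enable the EAP Quarantine Enforcement Client. The numeric ID is read from
#    'netsh nap client show config' rather than hard-coded (assumes the usual
#    Name / ID / Admin column layout of that output).
$eapId = $null
foreach ($line in (netsh nap client show config)) {
    if ($line -match '^\s*EAP Quarantine Enforcement Client\s+(\d+)\s') {
        $eapId = $Matches[1]
        break
    }
}
if (-not $eapId) { throw 'EAP Quarantine Enforcement Client not found in netsh output' }
netsh nap client set enforcement ID=$eapId ADMIN=ENABLE

# 2. Network Access Protection Agent service: automatic startup, then start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Turn on Security Center (Domain PCs only). Registry mapping is an
#    assumption; confirm against the setting in gpedit.msc.
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scKey -Force | Out-Null
New-ItemProperty -Path $scKey -Name SecurityCenterInDomain -Value 1 `
    -PropertyType DWord -Force | Out-Null

# 4. Verification used in Task 2: read the System Quarantine State that
#    ipconfig /all prints while the NAP agent is running.
function Get-NapQuarantineState {
    # Returns 'Restricted', 'Not Restricted', or $null if the line is absent.
    $line = ipconfig /all | Where-Object { $_ -match 'System Quarantine State' }
    if ($line -match ':\s*(.+)$') { return $Matches[1].Trim() }
    return $null
}

netsh nap client show state          # enforcement client and agent status
"Quarantine state: $(Get-NapQuarantineState)"
```

Run the verification function once while the VPN is connected with a compliant client (expect Not Restricted) and again after the SHV change in step 9 (expect Restricted), which is the same comparison the lab makes by hand.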

Task 3: To Prepare for the Next Module

When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-CL2, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-RTR and 20411C-LON-DC1.

Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have enabled and tested NAP on LON-CL2.

Question: The DHCP NAP enforcement method is the weakest enforcement method in Windows Server 2012. Why is it a less preferable enforcement method than other available methods?

Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would this scenario provide?

Question: Could you have used DHCP NAP enforcement for the client? Why or why not?


Module Review and Takeaways

Review Question(s)

Question: What are the three main client configurations that you need to configure for most NAP deployments?

Question: You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events?

Question: On a client computer, what steps must you perform to ensure that its health is assessed?

Tools

Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: In Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh NAP
Use for: Using Netsh, you can create scripts to configure NAP automatically, and display the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy.


Module 9 Optimizing File Services

Contents:

Module Overview 9-1

Lesson 1: Overview of FSRM 9-2

Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 9-8

Lesson 3: Implementing Classification and File Management Tasks 9-18

Lab A: Configuring Quotas and File Screening Using File Server Resource Manager 9-22

Lesson 4: Overview of DFS 9-26

Lesson 5: Configuring DFS Namespaces 9-33

Lesson 6: Configuring and Troubleshooting DFS Replication 9-37

Lab B: Implementing Distributed File System 9-43

Module Review and Takeaways 9-47

Module Overview

The files on your servers are constantly changing with new, removed, and modified content. The File and Storage Services server role in the Windows Server® 2012 operating system helps administrators in an enterprise environment manage the continually growing and changing amount of data. When storage requirements and the data being stored change, the challenges of managing a growing and increasingly complex storage infrastructure increase as well. Therefore, to meet the needs of your organization, you need to understand and control how existing storage resources are used. This module introduces you to File Server Resource Manager (FSRM) and Distributed File System (DFS), two technologies that you can use to address and manage these issues.

Objectives

After completing this module, you will be able to:

• Describe FSRM.

• Use FSRM to manage quotas, file screens, and storage reports.

• Implement classification and file management tasks.

• Describe DFS.

• Configure DFS namespaces.

• Configure and troubleshoot DFS Replication.


Lesson 1 Overview of FSRM

FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data stored on your servers. When you use FSRM, you can:

• Place quotas on storage volumes, screen files and folders

• Generate comprehensive storage reports

• Control the file classification infrastructure

• Use file management tasks to perform scheduled actions on sets of files

These tools help you monitor existing storage resources, and help you plan and implement future policy changes.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe common capacity management challenges.

• Describe the features available within FSRM.

• Explain how to install and configure the FSRM role service.

Understanding Capacity Management Challenges

Capacity management is a proactive process of determining the current and future capacity needs of your enterprise's storage environment. As the size and complexity of the data increases, the need for capacity management also increases. To meet the storage needs of your organization effectively, you need to track how much storage capacity is available, how much storage space you need for future expansion, and how you are currently using your environment’s storage.

Key Capacity Management Challenges

The following challenges are major components of effective capacity management:

• Determining existing storage use. To manage your storage environment, you need to understand your environment’s current storage requirements. Knowing how much data is being stored on your servers, what types of data are being stored, and how the data is currently being used is how you establish the benchmarks of capacity management in your environment.

• Establishing and enforcing storage use policies. Capacity management includes ensuring that your storage environment is being used to its full potential. Managing growth is important to ensure that your storage environment is not overwhelmed by unplanned or unauthorized data storage on your servers. Modern media data such as audio, video, and graphic files consume a large amount of storage space and, if unmonitored, the unauthorized storage of these files can consume the storage space that is required for legitimate business use.


• Anticipating future requirements. Storage requirements are constantly changing. New projects and new organizational initiatives require increased storage. New applications and imported data require additional storage. If you are not able to anticipate or prepare for events like these, your storage environment may not be able to meet your storage requirements.

Addressing Capacity Management Challenges

To address these key challenges, you need to implement basic capacity management measures to proactively manage the storage environment and prevent these challenges from becoming problems. The following is a list of capacity management measures that you can use to manage your storage environment proactively:

• Analyze how storage is being used. The first step in capacity management is analyzing the current storage environment. Accurate analysis begins with proper tools that provide usable and organized information regarding the current state of your storage environment.

• Define storage resource management policies. A robust set of policies are necessary to maintain the current storage environment and ensure that storage growth happens in a manageable and predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is stored in the right location, and ensuring that users have the required storage are a few of the key areas your capacity management policies may address.

• Implement policies to manage storage growth. After implementing capacity management policies, you need to have an effective tool to ensure that the policies that are established are enforced. Quotas on a user’s data storage must be maintained, restricted files must be prevented from being saved, and business files must be stored in the proper locations.

• Implement a system for reporting and monitoring. Establish a reporting and notification system to inform you of how policies are enforced. These reports should be in addition to reports regarding the general state of your capacity management system and data storage situation.

Question: What capacity management challenges have you experienced or are you experiencing in your environment?

What Is FSRM?

FSRM is a role service under the File Services role in Windows Server 2012. You can install it using Server Manager. Then, you can use the FSRM console to manage FSRM on your server. FSRM provides a set of tools and capabilities that enable you to manage and monitor your server’s storage capacity effectively.

FSRM contains five components that work together to provide a capacity management solution.

Quota Management

Quota management allows you to create, manage, and obtain information about quotas to set storage limits on volumes or folders. By defining notification thresholds, you can send email notifications, log an event, run a command or script, or generate reports when users approach or exceed a quota. Quota management also allows you to create and manage quota templates to simplify the quota management process.


File Screening Management

File screening management allows you to prevent specific file types from being stored on a volume or folder, or to notify you when users store these types of files. When users attempt to save files of an unauthorized type, file screening can block the process and notify the administrators to allow for proactive management.

Like quota management, file screening management allows you to create templates to simplify file screening management. You can also create file groups that allow you to manage which file types may be blocked or allowed.

Storage Reports Management

Storage reports management allows you to schedule and configure storage reports. These reports provide information regarding the components and aspects of FSRM including:

• Quota usage.

• File screening activity.

• Files that may negatively affect capacity management, such as large files, duplicate files, or unused files.

• Files listed and filtered according to owner, file group, or a specific file property.

Note: Storage reports can be run based on a schedule, or you can generate them on demand.

Classification Management

Classification allows you to identify, categorize, and manage files by using a wide array of properties. You can assign property values to files by using classification rules, which can be applied on demand or based on a schedule.

File Management Tasks

File management tasks leverage the capabilities of classification management to allow you to delete old files or move files to a specific location based on a file property, such as file name or file type. You can automate file management procedures by scheduling and configuring specific tasks, which can automate the application or expiration of custom commands.

Note: Volumes that FSRM manages must be formatted with New Technology File System (NTFS). FSRM is included with Windows Server 2003 Service Pack 1 (SP1) and newer.

New Functionality for Windows Server 2012 R2

The following are new functionalities for Windows Server 2012 R2:

• The ability to clear property values that no longer apply to an updated file during the reevaluation of existing classification property values

• The ability to configure the maximum number of files per storage report

• The ability to configure maximum values in the default parameters for specific storage reports


Demonstration: How to Install and Configure FSRM

You can install FSRM in Windows Server 2012 by adding the FSRM role service within the File and Storage Services role. FSRM includes several configuration options that apply globally to all FSRM components.

You can access these options by using the following steps:

1. Open the File Server Resource Manager console.

2. In the left pane, right-click the root File Server Resource Manager node, and then click Configure Options.

FSRM Options

In the File Server Resource Manager Options properties dialog box, several tabs allow you to configure various aspects of FSRM. The following tabs are available on the File Server Resource Manager Options properties dialog box:

• Email Notifications tab. This tab allows you to provide the name or address of a Simple Mail Transfer Protocol (SMTP) server name, along with other details that FSRM will use to send email notifications.

• Notification Limits tab. Notification limits allow you to specify a time period that FSRM will wait between sending notifications to avoid excessive notifications from a repeatedly exceeded quota or unauthorized file detection. They also allow you to set separate values for email notifications, entries recorded to the event log, commands being run, or reports being generated. The default value for each is 60 minutes.

• Storage Reports tab. This tab allows you to configure and view the default parameters for any existing storage reports.

• Report Locations tab. This tab allows you to view and modify the locations in which the three types of storage report are stored: incident reports, scheduled reports, and on-demand reports. By default, each category is stored in its own folder under %systemdrive%\Storage Reports.

Note: If FSRM generates a large number of storage reports, you may want to relocate the storage report folders to another physical volume to decrease disk I/O load on your system volume. You may also want to change the location if the size of your storage reports causes a capacity issue on your system volume.

• File Screen Audit tab. On this tab, a single check box allows you to enable or disable the recording of file screening activity to the auditing database. You can view the resulting file screening activity when you run the File Screening Audit report from Storage Reports Management.

• Automatic Classification tab. This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab, you can specify which logs to generate and if and how to generate a report of the classification process.

• Access-Denied Assistance tab. This tab enables you to provide a customized message when FSRM prevents a file-level operation because of a quota management or file screening management restriction.

Managing FSRM

Management of a server running FSRM typically happens locally through the FSRM Microsoft Management Console (MMC) console. However, there are other options available for managing a server running FSRM.


Using Windows PowerShell to Manage FSRM

Windows® PowerShell® 4.0 contains new cmdlets for managing FSRM that extend management capabilities to all aspects of FSRM. The FileServerResourceManager module for Windows PowerShell is installed on a Windows Server 2012 computer automatically when you install the FSRM role service.

The Windows PowerShell 4.0 cmdlets replace the functionality previously supplied by the FSRM command-line executables dirquota.exe, filescrn.exe, and storrpt.exe. Although these executables are still present in Windows Server 2012, they are deprecated and will be removed in a future version of Windows Server. Therefore, build any command-line management solutions on the Windows PowerShell cmdlets instead.

To see a complete list of available FSRM cmdlets, run the following command from a Windows PowerShell command-line interface:

Get-Command -Module FileServerResourceManager

Managing FSRM Remotely

You can connect remotely to another server that is running FSRM by using the FSRM console. From there, you manage FSRM in the same way that you manage resources on your local computer.

To manage FSRM remotely by using the FSRM console:

• Ensure that both servers are running Windows Server 2008 R2 or newer, and have FSRM installed.

• Enable the Remote File Server Resource Manager Management exception from within Windows Firewall manually, either through the Control Panel, or by using Group Policy.

• Allow remote procedure call (RPC) traffic through any firewalls between the two servers.

• Sign in to the local computer with an account that is a member of the local Administrators group on the remote computer.

You also can run the FSRM Windows PowerShell cmdlets remotely by using Windows PowerShell remoting capabilities.

In this demonstration, you will see how to:

• Install the FSRM role service.

• Specify FSRM configuration options.

• Manage FSRM by using Windows PowerShell.

Demonstration Steps

Install the FSRM role service

1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Server Manager.

3. Install the File Server Resource Manager role service within the File and Storage Services role.

Specify FSRM configuration options

1. Open the File Server Resource Manager console.

2. Open the File Server Resource Manager Options window for the local instance of File Server Resource Manager.

3. Enable file screen auditing.


Manage FSRM by using Windows PowerShell

• From a Windows PowerShell command prompt, run the following command:

Set-FsrmSetting -SmtpServer "server1" -AdminEmailAddress "[email protected]" -FromEmailAddress "[email protected]"
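The demonstration's three parts, together with the remote-management checklist above, can be carried out entirely from PowerShell. The following is an added example, not the handbook's or the product's own code: the SMTP host, mail addresses, report paths and the server name LON-SVR1 are placeholders, and the parameter-to-tab mapping in the comments follows the FSRM Options tabs described in this lesson.

```powershell
# Added example (not the handbook's own code): scripted version of the
# demonstration, covering the role-service install, the global options that the
# File Server Resource Manager Options tabs expose, and remote management.

# Install the FSRM role service (part of File and Storage Services) and its
# tools; this also installs the FileServerResourceManager PowerShell module.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Report folders off the system volume (Report Locations tab). Placeholder root.
$reportRoot = 'D:\FsrmReports'
foreach ($sub in 'Incident', 'Scheduled', 'OnDemand') {
    New-Item -Path (Join-Path $reportRoot $sub) -ItemType Directory -Force | Out-Null
}

$fsrmOptions = @{
    # Email Notifications tab (placeholder host and addresses)
    SmtpServer               = 'smtp.adatum.example'
    FromEmailAddress         = 'fsrm@adatum.example'
    AdminEmailAddress        = 'storage-admins@adatum.example'
    # Notification Limits tab: minutes between repeated notifications (default 60)
    EmailNotificationLimit   = 60
    EventNotificationLimit   = 60
    CommandNotificationLimit = 60
    ReportNotificationLimit  = 60
    # Report Locations tab
    ReportLocationIncident   = Join-Path $reportRoot 'Incident'
    ReportLocationScheduled  = Join-Path $reportRoot 'Scheduled'
    ReportLocationOnDemand   = Join-Path $reportRoot 'OnDemand'
    # File Screen Audit tab (the demonstration's "enable file screen auditing")
    FileScreenAuditEnable    = $true
}
Set-FsrmSetting @fsrmOptions

# Confirm the settings took effect, and that mail actually leaves the server.
Get-FsrmSetting | Select-Object SmtpServer, AdminEmailAddress, FileScreenAuditEnable,
    EmailNotificationLimit, ReportLocationIncident
Send-FsrmTestEmail -ToEmailAddress 'storage-admins@adatum.example'

# Remote management: open the firewall rule group named in the checklist on the
# managed server, then run the same cmdlets over PowerShell remoting.
Enable-NetFirewallRule -DisplayGroup 'Remote File Server Resource Manager Management'
Invoke-Command -ComputerName 'LON-SVR1' -ScriptBlock { Get-FsrmSetting } |
    Select-Object PSComputerName, SmtpServer, FileScreenAuditEnable
```

Keeping the options in a hash table and splatting them makes the same configuration repeatable across file servers, which is the point the lesson makes about preferring the cmdlets over the deprecated executables.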


Lesson 2 Using FSRM to Manage Quotas, File Screens, and Storage Reports

Data is the core component of your server infrastructure. Under most circumstances, file servers hold the data your users or applications use.

Quota management can help you ensure that users and applications use only the amounts of space allotted to them. File screens in FSRM can help you control the file types that can be stored within your file and storage infrastructure, and storage reports enable you to provide detailed reporting on quota management, file screening, and several other aspects of FSRM functionality.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe quota management.

• Describe quota templates.

• Explain how to monitor quota usage.

• Describe file screening management.

• Describe file groups.

• Describe file screen templates and file screen exceptions.

• Describe storage reports.

• Describe a report task.

• Explain how to use FSRM to manage quotas, file screens, and generate storage reports.

What Is Quota Management?

In FSRM, quota management allows you to control the amount of disk space that is used on a volume or folder. For example, you can use a quota to ensure that individual users do not consume excessive amounts of storage with their home drives, or to limit the amount of space consumed by multimedia files in a particular folder.

Quota Types

You can create two different types of quotas with quota management:

• A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the volume of data reaches each configured threshold.

• A soft quota does not enforce the quota limit, but it generates configured notifications.

Quota Notifications

Configure notification thresholds if you want to be alerted when the volume of stored data approaches a quota limit. For the thresholds that you define, you can send email notifications, log an event, run a command or script, or generate storage reports. For example, you might want to notify the administrator and the user when a folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is reached. In some cases, you might want to run a script that raises the quota limit automatically when a threshold is reached.

Creating Quotas

When you create a quota on a volume or a folder, you can base the quota on a quota template or use custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template to create additional quotas, and it simplifies ongoing quota maintenance.

FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota template to a parent volume or folder. Then, a quota that is based on the template is created for existing subfolders and for any new subfolders that might be created. You can also create quotas using the Windows PowerShell cmdlet, New-FSRMQuota.

The following Windows PowerShell cmdlet example will create a 10-gigabyte (GB) quota on a folder named Data.

New-FsrmQuota -Path "C:\Data" -Description "limit to 10 GB." -Size 10GB

What Are Quota Templates?

FSRM quota templates give you flexibility in creating, using, and managing templates for quotas. A quota template defines a space limit, the quota type, whether hard or soft, and a set of notifications to be generated when the quota limit is approached or exceeded.

Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply a standard storage limit and a standard set of notification thresholds to many volumes and folders on servers throughout your organization.

Template-Based Quota Updating

If you base your quotas on a template, you can update all quotas that are based on the template by editing that template. This feature simplifies the process of updating quota properties by providing a central point where Information Technology (IT) administrators can make all changes.

For example, you can create a User Quota template that you use to place a 200-megabyte (MB) limit on the personal folder of each user. For each user, you would then create a quota based on the User Quota template, and then assign it to the user’s folder. If you decide later to allow each user additional space on the server, you increase the space limit in the User Quota template, and then choose to update each quota that is based on that quota template.

Quota Template Examples

FSRM provides several quota templates, for example:

• You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal folder of each user, and then send storage reports to users who exceed the quota.


• For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a one-time 50 MB quota extension to users who exceed the 200 MB quota limit.

• Other default templates are designed for monitoring disk usage through soft quotas, such as the Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use these templates, users can exceed the quota limit, but email and event log notifications are generated when they do so.

The following Windows PowerShell cmdlet example will create a quota on a folder named Data based on the 100 MB template.

New-FsrmQuota -Path "C:\Data" -Description "limit to 100 MB." -Template "100 MB Limit"
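The notification thresholds, template-based creation, auto-apply quotas and template-driven updates described in the preceding sections fit together in one script. The following is an added example, not the handbook's own code: the template name User Quota, the path E:\Users and the message text are constructed for this example; the bracketed tokens in the messages are FSRM notification variables.

```powershell
# Added example (not from the handbook): a quota template with the 85 % and
# limit-reached notifications described above, quotas derived from it, and the
# template edit that pushes a new limit to every derived quota.

# Notification actions. FSRM expands the bracketed variables when it fires.
$warnMail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning: [Quota Path] at [Quota Threshold]%' `
    -Body 'User [Source Io Owner] has used [Quota Used MB] MB of the [Quota Limit MB] MB quota on [Quota Path].'
$warnEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota threshold [Quota Threshold]% reached on [Quota Path] by [Source Io Owner].'
$fullMail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota limit reached on [Quota Path]' `
    -Body 'The [Quota Limit MB] MB quota on [Quota Path] has been reached. Further writes are blocked.'

# Thresholds: warn the admin and the user at 85 %, notify again at the limit.
$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $warnMail, $warnEvent),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $fullMail)
)

# Hard 200 MB template. Omit -SoftLimit for a hard quota; add it for a soft
# (monitor-only) quota that notifies but does not block writes.
New-FsrmQuotaTemplate -Name 'User Quota' -Size 200MB -Threshold $thresholds `
    -Description 'Per-user home folder limit'

# Auto-apply quota: every existing and future subfolder of E:\Users receives
# its own quota derived from the template (one per user home folder).
New-FsrmAutoQuota -Path 'E:\Users' -Template 'User Quota'

# Later: raise the limit once in the template and push it to every quota
# derived from it (the console's "update derived quotas" choice).
Set-FsrmQuotaTemplate -Name 'User Quota' -Size 300MB -UpdateDerived

# Verify that the derived quotas picked up the new size (\... = all subfolders).
Get-FsrmQuota -Path 'E:\Users\...' | Select-Object Path, Template, Size, Usage
```

Because every quota here is derived from the template, the single Set-FsrmQuotaTemplate call at the end is the whole change procedure; quotas created with custom properties would each need editing individually.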

Monitoring Quota Usage

In addition to the information in the notifications sent by quotas, you can find out about quota usage in a variety of ways. You can view the quotas in quota management within the FSRM console, generate a Quota Usage report, or create soft quotas for monitoring overall disk usage. You can also use a Windows PowerShell cmdlet.

Quota Usage Report

Use the Quota Usage report to identify quotas that may soon be reached or exceeded, so that you can take the appropriate action. Generating a Quota Usage report will be covered in greater detail in the Managing Storage Reports lesson.

Templates for Monitoring Disk Usage

To monitor the overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the following default templates that you can use or adapt for this purpose.

• Monitor 200 GB Volume Usage

• Monitor 500 MB Share

Windows PowerShell

You can use the Get-FSRMQuota cmdlet to view FSRM quotas that exist on the server, along with the statistics for each quota.

The following Windows PowerShell cmdlet will get all of the quotas in a particular folder hierarchy by using the Path parameter; the trailing \... tells the cmdlet to include every subfolder of C:\Data.

Get-FsrmQuota -Path "C:\Data\..."

For more information about Windows PowerShell for FSRM see the article File Server Resource Manager (FSRM) cmdlets in Windows PowerShell

http://go.microsoft.com/fwlink/?LinkID=331168
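Get-FsrmQuota returns the limit and current usage of each quota, which is enough to build the kind of "approaching the limit" list that the Quota Usage report provides. The following is an added example, not the handbook's or the product's own code; the path E:\Users and the 80 percent review cut-off are constructed for the example and are not FSRM settings.

```powershell
# Added example (not from the handbook): a quota-usage summary built on
# Get-FsrmQuota, flagging quotas that are close to their limit.

function Get-QuotaUsageSummary {
    param(
        [string]$Path = 'E:\Users\...',   # trailing \... = all subfolders
        [int]$WarnPercent = 80            # arbitrary review cut-off for this example
    )
    Get-FsrmQuota -Path $Path | ForEach-Object {
        # Size is the limit in bytes, Usage the bytes currently consumed.
        $pct = if ($_.Size -gt 0) { [math]::Round(100 * $_.Usage / $_.Size, 1) } else { 0 }
        [pscustomobject]@{
            Path        = $_.Path
            Type        = if ($_.SoftLimit) { 'Soft' } else { 'Hard' }
            Template    = $_.Template
            LimitMB     = [math]::Round($_.Size / 1MB, 1)
            UsedMB      = [math]::Round($_.Usage / 1MB, 1)
            UsedPercent = $pct
            Flag        = if ($pct -ge $WarnPercent) { 'REVIEW' } else { '' }
        }
    } | Sort-Object UsedPercent -Descending
}

# Quotas nearest their limit come first; REVIEW marks those above the cut-off.
Get-QuotaUsageSummary | Format-Table -AutoSize

# Soft quotas never block writes, so usage above 100 % is possible and worth
# listing on its own.
Get-QuotaUsageSummary | Where-Object { $_.Type -eq 'Soft' -and $_.UsedPercent -ge 100 }
```

For a formal, scheduled view of the same data, use the Quota Usage storage report covered later in this lesson; the script above is the interactive check an administrator runs between reports.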


What Is File Screening Management?

File Screening Management allows you to block certain file types from being saved on a volume or in a folder tree. A file screen regulates all folders in the designated path. You use file groups to control the file types that file screens manage. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server. Like all components of FSRM, you can choose to generate email or other notifications when a file screening event occurs.

File Screen Types

You can configure a file screen as either active or passive:

• Active screening prevents users from saving unauthorized file types on the server, and generates configured notifications when they attempt to do so.

• Passive screening sends configured notifications to users who are saving specific file types, but it does not prevent users from saving those files.

File Screening Management Considerations

When planning your organization’s file screening management, you can base your file screens on the built-in file screen templates, or create customized file groups to screen for specific file types.

For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have created a file screen. When you place a file screen exception on a subfolder, you allow users to save file types there that would otherwise be blocked by the file screen applied to the parent folder. You can also create file screens in Windows PowerShell by using the New-FSRMFileScreen cmdlet.

This Windows PowerShell command creates a passive file screen on C:\Shares that logs any files that match the "Non-HTML text files" file group. The file screen is passive because the command does not specify the Active parameter.

New-FsrmFileScreen -Path "C:\Shares" -Description "Filter Non-HTML text files" -IncludeGroup "Non-HTML text files"

Note: A file screen does not remove files that were saved to the path before the file screen was created, regardless of whether the files are members of blocked file groups.

Note: Encrypted files or files that cannot be read by the SYSTEM account cannot be classified.


What Are File Groups?

Before you begin working with file screens, you must understand the role of file groups in determining which files are screened. You use a file group to define a namespace for a file screen or a file screen exception, or to generate a Files by File Group storage report.

File Group Characteristics

A file group includes or excludes files based on string patterns. For example, an Audio Files file group might include the following file name patterns:

• Files to include: *.mp*: Includes all audio files created in the current and future MPEG formats, such as MP2 and MP3.

• Files to exclude: *.mpp: Excludes files created in Microsoft® Project, .mpp files, which would otherwise be included by the *.mp* inclusion rule.

FSRM provides several default file groups, which you can view in File Screening Management by clicking the File Groups node. You can define additional file groups or change the files you want to include and exclude. Any change that you make to a file group affects all existing file screens, templates, and reports to which the file group has been added.

Note: For your convenience, you can modify file groups when you edit the properties of a file screen, file screen exception, file screen template, or the Files by File Group report. Note that any changes that you make to a file group from these property sheets affect all items that use that file group.

You can use Windows PowerShell to create file groups with the New-FsrmFileGroup cmdlet. This example creates a file group named "Non-HTML text files". The command includes files whose names end in .txt or in ml (for example .xml), and excludes files that end in .html, which the *ml pattern would otherwise match.

New-FsrmFileGroup -Name "Non-HTML text files" -IncludePattern @("*.txt", "*ml") -ExcludePattern "*.html"

What Are File Screen Templates and File Screen Exceptions?

You use file screen templates and file screen exceptions to expand the capabilities of file screening management in FSRM.

File Screen Templates

To simplify file screen management, you can create your file screens based on file screen templates. A file screen template defines the following:

• File groups to block.

• Types of screening to perform.

• Notifications to be generated.

You can configure two screening types in a file screen template. Active screening does not allow users to save any files related to the selected file groups that you configure with the template. Passive screening allows users to save files, but provides notifications for monitoring.

FSRM provides several default file screen templates that meet common administrative needs. You can use these default file screen templates to block audio and video files, executable files, image files, and email files. To view the default templates, in the File Server Resource Manager console tree, click the File Screen Templates node. By creating file screens exclusively from templates, you can centrally manage your file screens by updating the templates instead of individual file screens.

Note: You create file screens from file screen templates, just as you create quotas from quota templates.

File Screen Exceptions

Occasionally, you need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you also need to allow your training group to save video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.

A file screen exception is a special type of file screen that overrides any file screening that would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it creates an exception to any rules derived from a parent folder. To determine which file types the exception will allow, file groups are assigned.

You create file screen exceptions by specifically choosing the Create File Screen Exception from the File Screens node under File Screening Management in FSRM.

Note: File screen exceptions always override file screens with conflicting settings. Therefore, you must plan and implement file screen exceptions carefully.

The New-FsrmFileScreenTemplate cmdlet creates a file screen template. This command creates a passive file screen template named "Filter Non-HTML text files" that logs any files that match the "Non-HTML text files" file group. The file screen template is passive because the command does not specify the Active parameter. This means that users can create non-HTML text files.

New-FsrmFileScreenTemplate "Filter Non-HTML text files" -IncludeGroup "Non-HTML text files"

What Are Storage Reports?

FSRM can generate reports, called storage reports, that help you understand file usage on your storage server. You can use storage reports to monitor disk usage patterns by file type or user, identify duplicate files and dormant files, track quota usage, and audit file screening.

From the Storage Reports Management node, you can create report tasks, which you then use to schedule one or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports, current data is gathered before the report is generated. Reports can also be generated automatically to notify you when a user exceeds a quota threshold, or saves an unauthorized file.

Storage Report Types

The following list describes the storage reports that are available.

Duplicate Files: This report lists files that appear to be duplicates, such as files with the same size and last modified time. Use this report to identify and reclaim disk space that is wasted by duplicate files. This is the only report that is not configurable.

File Screening Audit: This report lists file screening events that have occurred on the server for a specific number of days. Use this report to identify users or applications that violate screening policies.

Files by File Group: This report lists files that belong to specific file groups. Use this report to identify file group usage patterns and file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.

Files by Owner: This report lists files that are grouped by file owners. Use this report to analyze usage patterns on the server, and to identify users who use large amounts of disk space.

Files by Property: This report lists files by the values of a particular classification property. Use this report to observe file classification usage patterns.

Folders by Property: This report lists folders by the value of a particular secure classification property. Use this report to observe folder classification patterns.

Large Files: This report lists files that are of a specific size or larger. Use this report to identify files that are consuming the most disk space on the server. This can help you quickly reclaim large quantities of disk space.

Least Recently Accessed Files: This report lists files that have not been accessed for a specific number of days. This can help you identify seldom-used data that can be archived and removed from the server.

Most Recently Accessed Files: This report lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that must be kept highly available.

Quota Usage: This report lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that you can take appropriate action.

Configuring Report Parameters

Except for the Duplicate Files report, all storage reports have configurable report parameters that determine the content in the report. Parameters vary with the type of report. For some reports, you can use report parameters to select the volumes and folders on which to report, set a minimum file size to include, or restrict a report to files owned by specific users.

Saving Reports

Regardless of how you generate a report or whether you choose to view the report immediately, the report is saved on the disk. Incident reports are saved in the dynamic HTML (DHTML) format. You can save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats. Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a designated report repository.

By default, the reports are stored in the subdirectories of the %Systemdrive%\StorageReports\ folder. To change the default report locations, in the File Server Resource Manager Options dialog box, on the Report Locations tab, specify where to save each type of storage report.

The New-FsrmStorageReport cmdlet creates a storage report on the server. In this example, a series of commands creates a LargeFiles storage report that the server runs monthly, and then restricts the report to files larger than 10 MB.

The first command gets a DateTime object and stores it in the $d variable.

The second command returns a FsrmScheduledTask object that describes a schedule that runs the task at midnight on the first day of the month. The command stores the result in the $task variable.

The third command creates a LargeFiles storage report named "Find large files" on C:\Shares. The command sets the schedule for the report stored in the $task variable, and limits the report to files larger than 10 MB.

$d = Get-Date "12:00am"
$task = New-FsrmScheduledTask -Time $d.ToFileTimeUtc() -Monthly 1
New-FsrmStorageReport -Name "Find large files" -Namespace @("C:\Shares") -Schedule $task -ReportType @("LargeFiles") -LargeFileMinimum 10MB

What Is a Report Task?

A report task is a set of storage management reports that run based on a schedule.

The report task specifies which reports to generate, what parameters to use, and which volumes and folders to report on. The report task also specifies how often to generate the reports, and in which file formats to save them.

When you schedule a set of reports, the reports are saved automatically in the report repository. You can also have the reports emailed automatically to a group of administrators. You can schedule report tasks by using the following steps from within FSRM.

1. Click the Storage Reports Management node.

2. Right-click Storage Reports Management, and then click Schedule a New Report Task. You also can click Schedule a New Report Task in the Actions pane.

Note: To minimize the impact of report processing on server performance, generate multiple reports on the same schedule so that the data is gathered only once.

Generating On-Demand Reports

During daily operations, you may want to generate reports on demand to analyze the different aspects of the current disk usage on the server. Before the reports are generated, current data is gathered.

When you generate reports on demand, the reports are saved in the report repository, but no report task is created for later use. You can view the reports immediately after they are generated, or you can send the reports to a group of administrators by email.

To generate reports on demand:

1. Click the Storage Reports Management node.

2. Right-click Storage Reports Management, and then click Generate Reports Now, or, in the Actions pane, click Generate Reports Now.

Note: When generating an on-demand report, you can wait for the reports to be generated and then immediately display them. If you choose to open the reports immediately, you must wait while the reports generate. Processing time will vary depending on the types of reports and the scope of the data.

Demonstration: Using FSRM to Manage Quotas and File Screens, and to Generate On-Demand Storage Reports

In this demonstration, you will see how to:

• Create a quota.

• Test a quota.

• Create a file screen.

• Test a file screen.

• Generate a storage report.

Demonstration Steps

Create a quota

1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Server Manager.

3. Open the File Server Resource Manager console.

4. Create a quota based on the 100 MB Limit on the E:\Labfiles\Mod09\Data folder.

Test a quota

1. Open Windows PowerShell.

2. Create a new 130 MB file in the E:\Labfiles\Mod09\Data folder by using the following command:

fsutil file createnew largefile.txt 130000000

3. Close Windows PowerShell.

Create a file screen

• In File Server Resource Manager, create a new file screen based on the Block Image Files file-screen template for E:\Labfiles\Mod09\Data.

Test a file screen

1. Open File Explorer.

2. Navigate to E:\Labfiles\Mod09.

3. Create a new bitmap (.bmp) image named testimage.

4. Copy the testimage, and then paste it into the E:\Labfiles\Mod09\Data folder.

5. View and cancel the error window.

6. Close the File Explorer window.

Generate a storage report

1. Generate an on-demand report for Large Files on drive E.

2. View and close the HTML report.

3. Close File Server Resource Manager.

Lesson 3 Implementing Classification and File Management Tasks

Every organization stores data on different storage systems. As storage systems process more and more data at higher speeds, the demand for disk space to store the data has increased. The large amount of files, folders, and information, and the way they are stored, organized, managed, and maintained, becomes a challenge for organizations. Furthermore, organizations must satisfy requirements for security, compliance, and data leakage prevention for company confidential information.

Windows Server 2012 introduces many technologies that can help organizations respond to the challenges of managing, maintaining, securing, and optimizing data that is stored on different storage devices. These technologies include the FSRM, file classification infrastructure, and data deduplication, each of which provides new features that were not included in Windows Server 2008 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe file classification.

• Describe classification rules.

• Explain how to configure file classification.

• Describe storage optimization options in Windows Server 2012.

What Is File Classification?

File classification is a role service that enables data to be automatically categorized or labeled by evaluating it against predefined sets of rules. For example, you can set the Confidentiality property to High on all documents whose content contains the word “secret.”

In Windows Server 2008 R2 and Windows Server 2012, classification management and file management tasks enable administrators to manage groups of files based on various file and folder attributes. You can automate file and folder maintenance tasks, such as cleaning up stale data, or protecting sensitive information. For this reason, file and folder maintenance tasks are more efficient than maintaining the file system by navigating through its hierarchical view.

Classification management is designed to ease the burden and management of data that is spread across the organization. You can classify files in a variety of ways. In most scenarios, classification is performed manually. The file classification infrastructure in Windows Server 2012 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file’s classification, and apply corporate requirements for managing data based on business value.

You can use file classification to perform the following actions:

• Define classification properties and values, which you can assign to files by running classification rules.

• Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory, based on installed classification plug-ins.

• When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values, or add the value to properties that support multiple values. You can also use classification rules to declassify files that no longer meet the classification criteria.

What Are Classification Rules?

The file classification infrastructure uses classification rules to scan files automatically, and then to classify them according to the contents of a file. You configure file classifications in the FSRM console. Classification properties are defined centrally in AD DS so that these definitions can be shared across file servers within the organization. You can create classification rules that scan files for a standard string, or for a string that matches a pattern such as a regular expression. When a configured classification parameter is found in a file, that file is classified as configured in the classification rule.

When planning for file classifications, you should follow this general process:

1. Identify which classification or classifications you want to apply on documents.

2. Determine the method you want to use to identify documents for classification.

3. Determine the schedule for automatic classifications.

4. Establish a review of classification success.

After you have defined the classifications, you can plan the DAC implementation by defining conditional expressions that enable you to control access to highly confidential documents based on particular user attributes.

Automatic file classification rules can also be created by using the Windows PowerShell cmdlet New-FsrmClassificationRule. Each rule sets the value for a single property. By default, a rule runs only once and ignores files that already have a property value assigned. However, you can configure a rule to evaluate files regardless of whether a value is already assigned to the property by using the -ReevaluateProperty parameter.
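The Confidentiality example from the start of this lesson (tag any document containing the word "secret" as High), built with the FSRM cmdlets and verified afterwards. This is an added example, not course material; it assumes the FSRM PowerShell module is installed on LON-SVR1, that E:\Labfiles\Mod09\Data exists, and that the FSRM COM classification manager (Fsrm.FsrmClassificationManager) is used to read a file's stored value, since no cmdlet does that. The sample files and their contents are constructed.

```powershell
# Added example (not from the course): a content-based classification rule that sets
# Confidentiality = High on files whose content contains "secret", then verifies the result.
# Assumes the FSRM module is installed and E:\Labfiles\Mod09\Data exists on LON-SVR1.
Import-Module FileServerResourceManager

$scope = 'E:\Labfiles\Mod09\Data'

# Local single-choice property with an explicit value list. In a domain you would normally
# define this centrally in AD DS so that every file server shares the same definition.
New-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -Type SingleChoice `
    -PossibleValue @(
        (New-FsrmClassificationPropertyValue -Name 'High'),
        (New-FsrmClassificationPropertyValue -Name 'Low')
    ) | Out-Null

# Content classifier with a plain string match (case-insensitive unless
# -ContentStringCaseSensitive is given). -ReevaluateProperty Overwrite makes the rule
# re-examine files that already carry a value instead of skipping them (the default).
New-FsrmClassificationRule -Name 'Flag secret documents' -Namespace @($scope) `
    -ClassificationMechanism 'Content Classifier' -ContentString @('secret') `
    -Property 'Confidentiality' -PropertyValue 'High' -ReevaluateProperty Overwrite | Out-Null

# Constructed sample files: one should be tagged, the other should not.
Set-Content -Path "$scope\merger.txt" -Value 'Project Falcon is SECRET until the board meeting.'
Set-Content -Path "$scope\lunch.txt"  -Value 'Cafeteria menu for next week.'

# Run every enabled rule now and block until the classification pass has finished.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# Assumption: the FSRM COM classification manager is used to read a single file's stored
# properties. Option 1 (FsrmGetFilePropertyOptions NoRuleEvaluation) returns what is stored
# without re-running the rules against the file.
$classMgr = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
function Get-ConfidentialityTag([string]$Path) {
    $prop = @($classMgr.EnumFileProperties($Path, 1)) | Where-Object { $_.Name -eq 'Confidentiality' }
    if ($prop) { $prop.Value } else { '(not classified)' }
}
Get-ConfidentialityTag "$scope\merger.txt"   # content contains "SECRET"
Get-ConfidentialityTag "$scope\lunch.txt"    # no match, so the rule leaves it alone
```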

Demonstration: Configuring File Classification

In this demonstration, you will see how to:

• Create a classification property.

• Create a classification rule.

Demonstration Steps

1. On LON-SVR1, from Server Manager, start the File Server Resource Manager.

2. In File Server Resource Manager, create a local property with the following settings:

o Name: Corporate Documentation

o Property Type: Yes/No

3. In File Server Resource Manager, create a classification rule with the following settings:

o General tab, Rule name: Corporate Documents Rule. Ensure that the rule is enabled.

o Scope tab: E:\Labfiles\Corporate Documentation

o Classification tab, Classification method: Folder Classifier

o Property-Choose a property to assign to files: Corporate Documentation

o Property-Specify a value: Yes.

o Evaluation type tab, Re-evaluate existing property values, and Aggregate the values.

4. In the action pane, select Run the classification with all rules, and then select Wait for classification to complete.

5. Review the Automatic classification report that displays in Windows Internet Explorer®, and ensure that the report lists the same number of files classified as are listed in the Corporate Documentation folder. There will be two files.

What Are File Management Tasks?

File management tasks automate the process of finding subsets of files on a server and applying simple commands to them on a scheduled basis. Files are identified by classification properties that have been assigned to the file by a classification rule.

File management tasks include a file expiration command, and you can also create custom tasks. You can define files that will be processed by a file management task through the following properties:

• Location

• Classification properties

• Creation time

• Modification time

• Last accessed time

• File name

You also can configure file management tasks to notify file owners of any impending policy that will be applied to their files.

File Expiration Tasks

File expiration tasks automatically move all files that match certain criteria to a specified expiration directory. An administrator can then back up the files in the expiration directory and delete them. When you run a file expiration task, a new directory is created within the expiration directory. The new directory is grouped by the server name on which the task was run, and it is named according to the name of the file management task and the time it was run. When an expired file is discovered, it is moved into the new directory, while preserving its original directory structure.

Custom File Management Tasks

Expiration is not always the desired action to be performed on files. File management tasks allow you to run custom commands. Using the Custom Commands dialog box, you can run an executable file, script, or other custom command to perform an operation on the files within the scope of the file management task.

Note: You configure custom tasks by selecting the Custom type on the Action tab of the Create File Management Task window.

Demonstration: How to Configure File Management Tasks

In this demonstration, you will see how to:

• Create a file management task.

• Configure a file management task to expire documents.

Demonstration Steps

Update the Date\Timestamp of a File

On LON-SVR1, navigate to E:\Labfiles\Mod09\Data, and then open the April.txt file. Enter some text, and then save and close the file.

Create a File Management Task

1. Open File Server Resource Manager, and then expand the File Management Tasks node.

2. Create a file management task named Expire Documents with a scope of E:\Labfiles\Mod09\Data.

Configure a File Management Task to expire documents

1. On the Action tab, configure the task for File expiration to the E:\Labfiles\Mod09\Expired directory.

2. Add a condition that sets the Days since file was last modified to be 100 days.

3. Run the File Management Task, and then view the report.

Lab A: Configuring Quotas and File Screening Using File Server Resource Manager

Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office based in London, United Kingdom. An IT office and data center in London support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

Each network client within the Adatum domain is provided with a server-based home folder that is used for storing personal documents or files that are works-in-progress. It has come to your attention that home folders are becoming quite large, and may contain file types such as MPEG Audio Layer-3 (MP3) files that are not approved due to corporate policy. You decide to implement FSRM quotas and file screening to help address this issue.

Objectives

After completing this lab, you will be able to:

• Configure FSRM quotas.

• Configure file screening and generate a storage report.

Lab Setup

Estimated Time: 30 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-SVR1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, double-click Administrative Tools, and then double-click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-SVR1.

Exercise 1: Configuring File Server Resource Manager Quotas

Scenario

You are implementing FSRM quotas to control the size of home folders. Each home folder is limited to 100 MB. To ensure that administrators are made aware of home folders that are running out of space, an event is written to the event log when a user exceeds 85 percent of their storage quota so that it can be tracked by administrators.

The main tasks for this exercise are as follows:

1. Create a Quota Template

2. Configure a Quota Based on the Quota Template

3. Test That the Quota is Functional

Task 1: Create a Quota Template

1. On LON-SVR1, from Server Manager, install the File Server Resource Manager.

2. In the File Server Resource Manager console, use the Quota Templates node to configure a template that sets a hard limit of 100 MB on the maximum folder size.

3. Configure the template to record an event in the Event Log when the folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a Quota Based on the Quota Template

1. Use the File Server Resource Manager console and the Quotas node to create a quota on the E:\Labfiles\Mod09\Users folder by using the quota template that you created in Task 1.

2. Configure the quota to auto apply on existing and new subfolders.

3. Create an additional folder named Max in the E:\Labfiles\Mod09\Users folder, and ensure that the new folder is listed in the quotas list in File Server Resource Manager.

Task 3: Test That the Quota is Functional

1. Open a Windows PowerShell window, and use the following commands to create a file in the E:\Labfiles\Mod09\Users\Max folder. Press Enter after each of the three commands:

E:
cd \Labfiles\Mod09\Users\Max
fsutil file createnew file1.txt 89400000

2. Check the Event Viewer for an Event ID of 12325.

3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press Enter:

fsutil file createnew file2.txt 16400000

4. Notice that the file cannot be created. The message returned from Windows references disk space, but the file creation fails because it would exceed the quota limit. Close the Windows PowerShell window.

5. Close all open windows on LON-SVR1.

Results: After completing this exercise, you should have configured a File Server Resource Manager (FSRM) quota.
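The three tasks of this exercise as one Windows PowerShell script, using the FSRM cmdlets instead of the console. This is an added example, not part of the course; it assumes LON-SVR1 has the File Server Resource Manager role service installed (Install-WindowsFeature FS-Resource-Manager), that E:\Labfiles\Mod09\Users exists, and that the session is elevated (fsutil requires it). The template name is constructed.

```powershell
# Added example (not from the course): Exercise 1 (quota template, auto-apply quota,
# enforcement test) as a script. Assumes the FSRM role service and its PowerShell module
# are installed on LON-SVR1 and that E:\Labfiles\Mod09\Users exists.
Import-Module FileServerResourceManager

$usersRoot    = 'E:\Labfiles\Mod09\Users'     # home-folder root from the exercise
$templateName = '100 MB Home Folder Limit'    # constructed template name

# Task 1: a template with a 100 MB hard limit (no -SoftLimit) that writes an Application
# log event at 85 % and at 100 %. [Quota Path], [Quota Threshold] and [Source Io Owner]
# are FSRM notification variables that are expanded when the event is written.
$warnAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has exceeded the [Quota Threshold]% threshold on [Quota Path].'
$fullAction = New-FsrmAction -Type Event -EventType Error `
    -Body 'The quota on [Quota Path] is exhausted; further writes by [Source Io Owner] are denied.'

New-FsrmQuotaTemplate -Name $templateName -Size 100MB -Threshold @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $warnAction),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $fullAction)
) | Out-Null

# Task 2: an auto-apply quota. FSRM derives one quota per existing and future subfolder,
# so every home folder gets its own 100 MB limit instead of the root sharing one.
New-FsrmAutoQuota -Path $usersRoot -Template $templateName | Out-Null

$maxDir = Join-Path $usersRoot 'Max'
New-Item -ItemType Directory -Path $maxDir -Force | Out-Null
Update-FsrmAutoQuota -Path $usersRoot         # derive the quota for the new subfolder now
Get-FsrmQuota -Path $maxDir | Format-List Path, Size, Usage, Template

# Task 3: fill the folder past 85 %, confirm the threshold event, then try to cross 100 %.
function Test-QuotaEnforcement {
    param([string]$Folder)
    Push-Location $Folder
    try {
        # 89,400,000 bytes is about 85.3 % of 100 MB (104,857,600 bytes): over the first threshold.
        fsutil file createnew file1.txt 89400000 | Out-Null
        Start-Sleep -Seconds 5                       # give SRMSVC a moment to write the event
        $thresholdEvent = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 12325
        } -MaxEvents 1 -ErrorAction SilentlyContinue

        # A further 16,400,000 bytes would take usage to 105.8 MB, so FSRM must refuse the
        # create. fsutil reports it as a disk-space error and exits with a non-zero code.
        fsutil file createnew file2.txt 16400000 | Out-Null
        $overLimitDenied = ($LASTEXITCODE -ne 0) -and -not (Test-Path 'file2.txt')

        $quota = Get-FsrmQuota -Path $Folder
        [pscustomobject]@{
            ThresholdEventLogged = [bool]$thresholdEvent
            OverLimitWriteDenied = $overLimitDenied
            UsageBytes           = $quota.Usage
            LimitBytes           = $quota.Size
        }
    } finally {
        Pop-Location
    }
}

Test-QuotaEnforcement -Folder $maxDir
```

Both Boolean fields should come back True; if ThresholdEventLogged is False, check the Application log for event 12325 from source SRMSVC, as in Task 3 step 2.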

Exercise 2: Configuring File Screening and Storage Reports

Scenario

Managers are concerned that large media files are being stored in home folders, which violates corporate policy. Managers want to prevent media files such as video, audio, and graphics files from being saved. You need to implement file screening to prevent media files from being stored in home folders. However, you have also been made aware that several users store Microsoft Project files with the extension .mpp in their home directories. You must ensure that the file screen you create does not restrict the storage of these files.

You have also been asked to provide a report to your manager documenting any attempts to save restricted media files on LON-SVR1.

The main tasks in this exercise are:

• Create a file group.

• Create a file screen template.

• Create a file screen.

• Test the file screen.

• Generate an on-demand storage report.

The main tasks for this exercise are as follows:

1. Create a file screen

2. Create a File Group

3. Test the File Screen

4. Generate an On-Demand Storage Report

5. To Prepare for the Next Lab

Task 1: Create a file screen

1. On LON-SVR1, open File Server Resource Manager.

2. Create a File Screen based on the Block Audio and Video Files file screen template for the E:\Labfiles\Mod09\Users directory.

Task 2: Create a File Group

1. On LON-SVR1, open the File Server Resource Manager Configuration Options dialog box, and on the File Screen Audit tab, enable the Record file screening activity in auditing database option.

Note: This step allows recording of file screening events. These recordings will supply data for a File Screen Audit report, which you will run later in this exercise.

2. Create a new File Group with the following properties:

o File group name: MPx Media Files

o Files to include: *.mp*

o Files to exclude *.mpp

3. Modify the Block Audio and Video Files template to only use the MPx Media Files file group.

Task 3: Test the File Screen

1. On the taskbar, click the File Explorer shortcut.

2. Create a new text document in E:\Labfiles\Mod09, and then rename it as musicfile.mp3.

3. Copy musicfile.mp3 into E:\Labfiles\Mod09\Users. You will be notified that the system was unable to copy the file.

Task 4: Generate an On-Demand Storage Report

1. Open the File Server Resource Manager console.

2. Right-click Storage Reports Management, select Generate Reports Now, and then provide the following parameters:

o Generate only the File Screening Audit report

o Report on E:\Labfiles\Mod09\Users

3. Review the generated reports in Internet Explorer.

4. Close all open windows on LON-SVR1.

Task 5: To Prepare for the Next Lab

When you finish the lab, do not shut down the virtual machines. You will need them for the next lab.

Results: After completing this exercise, you will have configured file screening and storage reports in FSRM.
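The file group, template, file screen, screen test and audit report of this exercise as one script, which also serves the earlier What Are File Groups? and file screen template sections. This is an added example, not part of the course; it assumes the FSRM PowerShell module is installed on LON-SVR1, that E:\Labfiles\Mod09\Users exists, and that "Record file screening activity in auditing database" was enabled as in Task 2 step 1 (otherwise the audit report is empty). It creates its own template rather than editing the built-in Block Audio and Video Files template; template, report and test file names are constructed.

```powershell
# Added example (not from the course): Exercise 2 as a script. Assumes the FSRM PowerShell
# module is installed on LON-SVR1, E:\Labfiles\Mod09\Users exists, and file screen auditing
# was enabled in the FSRM options (Task 2, step 1).
Import-Module FileServerResourceManager

$usersRoot = 'E:\Labfiles\Mod09\Users'

# Task 2, step 2: the file group. Exclusion patterns always win over inclusion patterns, so
# Microsoft Project (.mpp) files pass even though *.mp* would otherwise match them.
New-FsrmFileGroup -Name 'MPx Media Files' -IncludePattern @('*.mp*') -ExcludePattern @('*.mpp') `
    -Description 'MPEG audio/video files; Microsoft Project (.mpp) files are exempt' | Out-Null

# Task 2, step 3 edits the built-in "Block Audio and Video Files" template; this script
# creates its own active template instead so the default stays intact. [Source Io Owner],
# [Source File Path], [File Screen Path] and [Violated File Group] are FSRM notification
# variables filled in when the screen fires.
$logViolation = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] tried to save [Source File Path] under [File Screen Path] (file group: [Violated File Group]).'
New-FsrmFileScreenTemplate -Name 'Block MPx Media Files' -IncludeGroup @('MPx Media Files') `
    -Active -Notification @($logViolation) | Out-Null

# Task 1: apply the template at the home-folder root; the screen covers every subfolder.
New-FsrmFileScreen -Path $usersRoot -Template 'Block MPx Media Files' | Out-Null

# Task 3: a file screen matches on the file name at create/rename time, not on content,
# so a renamed text file triggers it (and a real MP3 saved as .txt would not).
function Test-ScreenedWrite {
    param([string]$Path)
    try {
        New-Item -Path $Path -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $Path -Force
        'allowed'
    } catch {
        'blocked'        # FSRM surfaces a screened write as an access-denied error
    }
}

foreach ($name in 'musicfile.mp3', 'plan.mpp', 'notes.txt') {
    # musicfile.mp3 matches *.mp*; plan.mpp is excluded by *.mpp; notes.txt matches nothing.
    '{0,-14} {1}' -f $name, (Test-ScreenedWrite (Join-Path $usersRoot $name))
}

# Task 4: on-demand File Screening Audit report scoped to the home folders. The report
# is run immediately because of -Interactive; Wait-FsrmStorageReport returns when it
# has finished (silently if it already completed).
$report = New-FsrmStorageReport -Name 'Home folder screening audit' -Namespace @($usersRoot) `
    -ReportType @('FileScreenAudit') -Interactive
Wait-FsrmStorageReport -Name $report.Name -ErrorAction SilentlyContinue

# On-demand reports are saved under %SystemDrive%\StorageReports\Interactive by default
# (see Saving Reports); print the newest HTML file so it can be opened for review.
Get-ChildItem "$env:SystemDrive\StorageReports\Interactive" -Filter '*.html' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
```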

Question: What criteria do you need to meet to use FSRM for managing a server’s file structure?

Question: In what ways can classification management and file-management tasks decrease administrative overhead when dealing with a complex file and folder structure?

Lesson 4 Overview of DFS

You can use DFS to meet the challenges of managing data for branch offices by providing fault-tolerant access and wide area network (WAN) replication of files that are located throughout an enterprise.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe DFS.

• Describe DFS namespaces.

• Describe DFS Replication.

• Describe how DFS namespaces and DFS Replication work.

• Describe data deduplication.

• Describe scenarios where DFS can be used.

• Explain how to install the DFS role.

What Is DFS?

To access a file share, users typically require the Universal Naming Convention (UNC) name to access the shared folder content. Many large organizations have hundreds of file servers that are dispersed geographically throughout an organization. This introduces a number of challenges for users who are trying to find and access files efficiently.

Through the use of a namespace, DFS can simplify the UNC folder structure. In addition, DFS can replicate the virtual namespace and the shared folders to multiple servers within the organization. This can ensure that the shares are located as close as possible to users, thereby providing an additional benefit of fault tolerance for the network shares.

DFS includes two technologies that are implemented as role services:

• DFS namespace. A single name that represents a logical collection of shared folders that may be hosted on different file servers. A traditional shared folder has a UNC path that points to a specific folder on a single file server, but a domain-based DFS namespace path uses the name of the domain instead of a server name and appears as a single shared folder. You can map it to a drive letter in the same way that a traditional file share is mapped. When a user connects to a DFS namespace, they are presented with a series of subfolders that point to shared folders on various file servers. In this way, a user can access multiple shared folders through a single drive mapping. You can use DFS namespaces in conjunction with DFS replication or as a stand-alone mechanism to organize shared folders.

• DFS Replication. A multimaster replication engine that synchronizes files between servers for local and WAN network connections. DFS Replication supports replication scheduling, bandwidth throttling, and uses remote differential compression (RDC) to update only the portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS namespace or as a stand-alone file replication mechanism.

What Is a DFS Namespace?

DFS namespaces enable a virtual representation of shared folder structures. You can create either a domain-based or a stand-alone namespace. Each type has different characteristics.

Domain-Based Namespace

A domain-based namespace can be used when:

• Namespace high availability is required. Accomplish this by replicating the namespace to multiple namespace servers.

• You need to hide the name of the namespace servers from users. This also makes it easier to replace a namespace server or migrate the namespace to a different server. Users will then access the \\domainname\namespace format as opposed to the \\servername\share format.

If you choose to deploy a domain-based namespace, you will also need to choose whether to use Windows 2000 Server mode or Windows Server 2008 mode. Windows Server 2008 mode increases the number of folder targets from 5,000 to 50,000, and also provides support for access-based enumeration. With access-based enumeration, you can hide folders from users who do not have permission to view them.

To use Windows Server 2008 mode, you must meet the following requirements:

• The Active Directory® Domain Services (AD DS) forest must be at a Windows Server 2003 or higher forest functional level.

• The AD DS domain must be at the Windows Server 2008 domain functional level.

• All namespace servers must be Windows Server 2008.

Stand-alone Namespace

Stand-alone DFS namespaces support up to 50,000 folders with targets. A stand-alone namespace is used when:

• An organization has not implemented AD DS.

• An organization does not meet the requirements for a Windows Server 2008 mode namespace, or a domain-based namespace.

• There are requirements for more than 5,000 DFS folders.

• An organization is hosting a DFS namespace in a failover cluster.


What Is DFS Replication?

DFS Replication provides a way to keep folders synchronized between servers across well-connected and limited-bandwidth connections. Take note of the following key points regarding DFS Replication:

• DFS Replication uses RDC. RDC is a client-server protocol that can update files efficiently over a limited bandwidth network. RDC detects data insertions, removals, and rearrangements in files, enabling DFS Replication to replicate only the changed file blocks when files are updated. RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS Replication also supports cross-file RDC, which allows DFS Replication to use RDC, even when a file with the same name does not exist at the client. Cross-file RDC can determine files that are similar to the file that needs to be replicated, and it uses blocks of similar files that are identical to the replicating file to minimize the amount of data that needs to be replicated.

• DFS Replication uses a hidden staging folder to stage a file before sending or receiving it. Staging folders hold modified or new files while they wait to be replicated. The sender computer stages a file when a request comes from another member of the DFS topology. The file is read from the replicated folder and a compressed version of the file is created in the staging folder. The compressed file is sent to other computers in the DFS topology. If RDC is used, only a portion of the file may need to be replicated. The receiving computer downloads the data and recreates the file in its staging folder. Once replication completes, DFS decompresses the file and moves it into the replicated folder. Every replicated folder has a staging folder located under the local path of the replicated folder in the DfsrPrivate\Staging folder.

• DFS Replication detects changes on the volume by monitoring the file system update sequence number (USN) journal and replicates changes only after the file is closed.

• DFS Replication uses a version vector exchange protocol to determine which files need to be synchronized. The protocol sends less than 1 KB per file across the network to synchronize the metadata associated with changed files on the sending and receiving members.

• DFS Replication uses a conflict resolution heuristic of “last writer wins” for files that are in conflict, and “earliest creator wins” for name conflicts. A file that is updated at multiple servers simultaneously is in conflict. Files and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and Deleted folder, which is located under the local path of the replicated folder in the DfsrPrivate\ConflictandDeleted folder.

• DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS Replication database loss.

• DFS Replication uses a Windows Management Instrumentation (WMI) provider that provides interfaces to obtain configuration and monitoring information from the DFS Replication service.

Note: The DFS Replication service is a replacement for the file replication service (FRS). The FRS has been deprecated and, starting with Windows Server 2008 R2, the FRS can no longer be used for DFS Replication.


How DFS Namespace and DFS Replication Work Together

Even though DFS namespace and DFS Replication are separate role services, you can use them together to provide high availability and data redundancy. The following process describes how DFS namespace and DFS Replication work together:

1. User accesses a folder in the virtual namespace. When a user attempts to access a folder in a namespace, the client computer contacts the server that is hosting the namespace root. The host server can be a stand-alone server that is hosting a stand-alone namespace, or a domain-based configuration that is stored in AD DS and then replicated to various locations to provide high availability. The namespace server sends back to the client computer a referral containing a list of servers that host the shared folders, called folder targets, that are associated with the folder being accessed. DFS is a site-aware technology, so client computers can be configured to access namespaces that are within their site first to ensure the most reliable access.

2. Client computer accesses the first server in the referral. The client computer caches the referral information and then contacts the first server in the referral. This referral typically is a server in the client’s own site, unless there is no server located within the client’s site. In this case, the administrator can configure the target priority.

On the slide example, the Marketing folder that is published within the namespace actually contains two folder targets. One share is located on a file server in New York, and the other share is located on a file server in London. The shared folders are kept synchronized by DFS Replication. Even though multiple servers host the source folders, this fact is invisible to users, who only access a single folder in the namespace. If one of the target folders becomes unavailable, users are redirected to the remaining targets within the namespace.

What Is Data Deduplication?

In Windows Server 2012, you can enable data deduplication for nonsystem volumes. Data deduplication optimizes volume storage by finding redundant data on a volume, and then ensuring that the data is stored only once on the volume. This is achieved by storing the data in a single location, and providing a reference to that single location for the other redundant copies of the data. Data is segmented into 32- to 218-KB chunks, so data deduplication can optimize not only redundant files, but also portions of files that are redundant on the volume.

Data deduplication can be implemented in conjunction with DFS Replication to provide an even more efficient storage and replication infrastructure.


How Data Deduplication Works

Once a volume has data deduplication enabled, Windows Server 2012 optimizes the volume by maintaining the following components:

• Chunk store. Optimized file data is located in the chunk store.

• Optimized files. Optimized files are stored as reparse points. A reparse point contains a pointer to the locations of the chunk data within the chunk store, so the respective chunks can be retrieved when required.

• Unoptimized files. These include any files that do not meet the file-age criteria for data deduplication. In order to be optimized by data deduplication, files must remain static for a certain amount of time. Unoptimized files could include system state files, encrypted files, files smaller than 32 KB, files with extended attributes, or files that are in use by other applications.

Benefits of Data Deduplication

Data deduplication can help you cope with storage growth in the following areas:

• Capacity optimization. Data deduplication enables a server to store more data in less physical disk space.

• Scale and performance. Data deduplication is highly scalable in Windows Server 2012. It can run on multiple volumes without affecting other services and applications running on the server. Data deduplication can be throttled to accommodate other heavy workloads on the server, so that no performance degradation occurs for important server tasks.

• Reliability and data integrity. Windows Server 2012 uses checksum consistency and validation to ensure that the integrity of data affected by data deduplication remains intact. Data deduplication also maintains redundant copies of the most frequently used data on a volume to protect against data corruption.

• Bandwidth efficiency. In combination with DFS Replication, or other file replication technologies such as BranchCache, data deduplication can greatly reduce the bandwidth consumed replicating file data, if replication partners are also running Windows Server 2012.

• Simple optimization management. Windows Server 2012 and Windows PowerShell 3.0 contain integrated support for data deduplication. Implementation and management within Windows Server 2012 is done with familiar tools.

Implementing Data Deduplication

Use the following process to implement data deduplication on a server:

1. Install the Data Deduplication role service for the File Services role.

This can be performed by using the Add Roles and Features wizard in Server Manager, or by using the following Windows PowerShell cmdlets:

Add-WindowsFeature -Name FS-Data-Deduplication

Import-Module Deduplication

2. Enable data deduplication on one or more volumes.

Within Server Manager, you can right-click a volume and select Configure Data Deduplication, which opens the Data Deduplication Settings page. Alternatively, you can use the following Windows PowerShell cmdlet to enable data deduplication for the volume E:

Enable-DedupVolume E:


3. Optionally, configure data deduplication jobs for a volume.

By default, built-in jobs are created and scheduled when you enable data deduplication for a volume. If required, you can manually configure these jobs, or create additional jobs to further manage how data deduplication functions.
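The three steps above, carried through in one Windows PowerShell session, as an added example that is not part of the course material. It assumes a data volume E: on a Windows Server 2012 file server; the excluded folder, the file-age value and the schedule name and times are illustrative choices, not values from the course.

```powershell
# Added example (not from the course): end-to-end data deduplication setup
# for one data volume. Assumes volume E: exists; E:\Scratch, the 3-day age
# threshold and the "WeekendGC" schedule are illustrative values.

# Step 1: install the role service and load the cmdlets.
Install-WindowsFeature -Name FS-Data-Deduplication
Import-Module Deduplication

# Step 2: enable deduplication on the volume, then tune the policy: only
# files left unchanged for 3 days become candidates (the file-age criterion
# mentioned above), and a scratch folder of short-lived data is excluded.
Enable-DedupVolume -Volume "E:"
Set-DedupVolume -Volume "E:" -MinimumFileAgeDays 3 -ExcludeFolder "E:\Scratch"

# Step 3: the built-in jobs (Optimization, GarbageCollection, Scrubbing)
# already exist; list them, then add a weekly garbage-collection job that
# reclaims chunk-store space during a Saturday maintenance window.
Get-DedupSchedule | Format-Table Name, Type, Enabled, Start, Days -AutoSize
New-DedupSchedule -Name "WeekendGC" -Type GarbageCollection -Start 02:00 -Days Saturday -DurationHours 6

# Run a first optimization pass now rather than waiting for the schedule,
# then report what it achieved. SavedSpace is reported in bytes.
Start-DedupJob -Volume "E:" -Type Optimization -Wait
$status = Get-DedupStatus -Volume "E:"
"{0}: {1} optimized files, {2:N1} GB saved" -f $status.Volume, $status.OptimizedFilesCount, ($status.SavedSpace / 1GB)
```

Get-DedupStatus is the quickest check that deduplication is actually doing work on a volume: an OptimizedFilesCount of zero after the first pass usually means the files are newer than MinimumFileAgeDays or fall into one of the unoptimized categories listed above.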

Data Deduplication Overview

http://go.microsoft.com/fwlink/?LinkID=331169

DFS Scenarios

Several key scenarios can benefit from DFS namespace and DFS Replication. These scenarios include:

• Sharing files across branch offices.

• Data collection.

• Data distribution.

Sharing Files Across Branch Offices

Large organizations that have many branch offices often have to share files or collaborate between these locations. DFS Replication can help replicate files between branch offices or from a branch office to a hub site. Having files in multiple branch offices also benefits users who travel from one branch office to another. The changes that users make to their files in one branch office are replicated back to their branch office.

This scenario is recommended only if users can tolerate some file inconsistencies as changes are replicated throughout the branch servers. Note that DFS Replication only replicates a file after it is closed. Therefore, DFS Replication is not recommended for replicating database files or any files that are held open for long periods of time. Also, DFS Replication is not suitable for files that multiple users may modify in different locations between replication cycles. This is because it uses a ‘last writer wins’ rule to determine which file version is authoritative. A user may update a file only to have their modification overwritten by another user’s changes when replication occurs.

Data Collection

DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing the files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using DFS Replication and then backed up at the hub site by using standard backup procedures. This increases the branch office data recoverability if a server fails, because files will be available in two separate locations and backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware and onsite IT personnel expertise. Replicated data can also make branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can access the replicated data at the hub site.

Data Distribution

You can use DFS namespaces and DFS Replication to publish and replicate documents, software, and other line-of-business (LOB) data throughout your organization. DFS namespaces and folder targets can increase data availability and distribute client load across various file servers.


Demonstration: How to Install the DFS Role

This demonstration shows how to install the DFS Role.

Demonstration Steps

Install the DFS role

• Under the File and Storage Management role, install the DFS Namespaces and DFS Replication role services.


Lesson 5 Configuring DFS Namespaces

Configuring a DFS namespace consists of several tasks, including creating the namespace structure, creating folders within the namespace, and adding folder targets. You can also choose to perform additional management tasks, such as configuring the referral order, enabling client fail back, and implementing DFS Replication. This lesson provides information on how to complete these configuration and management tasks to deploy an effective DFS solution.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the process for deploying namespaces to publish content.

• Describe permissions required to create and manage a namespace.

• Explain how to create and configure DFS namespaces and folder targets.

• Describe the options for optimizing a namespace.

Deploying Namespaces to Publish Content

Most DFS implementations consist primarily of content that is published within the DFS namespace. To configure a namespace for publishing content to users, perform the following procedures in the following order:

1. Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS Management console. When you create a new namespace, you must provide the name of the server that you want to use as the namespace server, and the namespace name and type, whether domain-based or stand-alone. You can also specify whether the namespace is enabled for Windows Server 2008 mode.

2. Create a folder in the namespace. After you create the namespace, add a folder in the namespace that will contain the content that you want to publish. During the folder creation, you have the option to add folder targets, or you can perform a separate task to add, edit, or remove folder targets later.

3. Add folder targets. After you create a folder within the namespace, the next task is to create folder targets. The folder target is a shared folder’s UNC path on a specific server. You can browse for shared folders on remote servers and create shared folders as needed. Additionally, you can add multiple folder targets to increase the folder’s availability in the namespace. If you add multiple folder targets, consider using DFS Replication to ensure that the content is the same between the targets.

4. Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client computer receives from the namespace server when a user accesses a namespace root or folder. When a client receives the referral, the client attempts to access the first target in the list. If the target is not available, the next target is attempted. By default, targets in the client’s site are always listed first in the referral. You can configure the method for ordering targets outside the client’s site on the Referrals tab of the Namespace Properties dialog box. You have the choice of configuring the lowest cost, random order, or configuring the ordering method to exclude targets outside the client’s site.

Note: Folders inherit referral settings from the namespace root. You can override the namespace settings on the Referrals tab of the Folder Properties dialog box by excluding targets outside the client’s site.

You can use Windows PowerShell cmdlets such as New-DfsnRoot and Set-DfsnRoot to create and manage DFS namespaces.

This example creates a DFS namespace that has a root at the path \\Adatum\AccountingResources. The root target for the path is the shared folder \\Adatum-FS\AccountingResources. The namespace type is Windows Server 2008 mode, specified as a type of DomainV2.

New-DfsnRoot -TargetPath "\\Adatum-FS\AccountingResources" -Type DomainV2 -Path "\\Adatum\AccountingResources"

Optional Management Tasks

Optional management tasks that you can consider include:

• Set target priority to override referral ordering. You can have a specific folder target that you want everyone to use from all site locations or a specific folder target that should be used last among all targets. You can configure these scenarios by overriding the referral ordering on the Advanced tab of the Folder Target Properties dialog box.

• Enable client failback. If a client cannot access a referred target, the next target is selected. Client failback will ensure that clients fail back to the original target after it is restored. You can configure client failback on the Referrals tab of the Namespace Properties dialog box by selecting the Clients fail back to preferred targets check box. All folders and folder targets inherit this option. However, you can also override a specific folder to enable or disable client failback features, if required.

• Replicate folder targets using DFS Replication. You can use DFS Replication to keep the contents of folder targets in sync. The next topic discusses DFS Replication in detail.
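The four-step procedure and the optional tasks above, carried out with the DFSN cmdlets rather than the DFS Management console, as an added example that is not part of the course material. It assumes the Adatum domain, two namespace servers named LON-SVR1 and LON-SVR2, and that the shares Accounting and Reports already exist on both servers; those names and the GlobalHigh priority choice are assumptions for the example.

```powershell
# Added example (not from the course): builds a domain-based namespace with
# the DFSN cmdlets, then applies the optional management tasks. Assumes the
# Adatum domain, servers LON-SVR1 and LON-SVR2, and pre-created shares named
# Accounting and Reports on each server (all illustrative).

$ns = "\\Adatum\Accounting"

# Step 1: domain-based namespace in Windows Server 2008 mode (DomainV2), with
# LON-SVR1 as the first namespace server. Access-based enumeration, which that
# mode makes available, hides folders the user has no permission to view.
New-DfsnRoot -Path $ns -TargetPath "\\LON-SVR1\Accounting" -Type DomainV2 -EnableAccessBasedEnumeration $true

# A second root target is what makes the namespace itself highly available.
New-DfsnRootTarget -Path $ns -TargetPath "\\LON-SVR2\Accounting"

# Steps 2 and 3: a folder in the namespace with its first folder target, then a
# second target so the folder survives the loss of one file server. The two
# targets should be kept in sync with DFS Replication (next lesson).
New-DfsnFolder -Path "$ns\Reports" -TargetPath "\\LON-SVR1\Reports"
New-DfsnFolderTarget -Path "$ns\Reports" -TargetPath "\\LON-SVR2\Reports"

# Step 4: referral ordering for targets outside the client's site. Site costing
# orders them by lowest cost; EnableInsiteReferrals $true would exclude them
# entirely, which is left off here so clients still fail over across sites.
Set-DfsnRoot -Path $ns -EnableSiteCosting $true -EnableInsiteReferrals $false

# Optional task: target priority. GlobalHigh lists LON-SVR1 first for every
# client regardless of site, overriding the ordering method above.
Set-DfsnFolderTarget -Path "$ns\Reports" -TargetPath "\\LON-SVR1\Reports" -ReferralPriorityClass GlobalHigh

# Optional task: client failback, so clients return to the preferred target
# after it is restored. Folders inherit this from the root unless overridden.
Set-DfsnRoot -Path $ns -EnableTargetFailback $true

# Verify the folder's targets, their state and their effective priority.
Get-DfsnFolderTarget -Path "$ns\Reports" | Format-Table TargetPath, State, ReferralPriorityClass, ReferralPriorityRank -AutoSize
```

Running the verification at the end is worth the habit: a target that shows as Offline, or a priority class you did not intend, is the usual reason a client lands on an unexpected file server even though the namespace path resolves.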

For more information about Windows PowerShell for DFS-N, see the TechNet article DFS Namespace (DFSN) Cmdlets in Windows PowerShell:

http://go.microsoft.com/fwlink/?LinkID=331170

Permissions Required to Create and Manage a Namespace

To perform DFS namespace management tasks, a user either has to be a member of an administrative group or has to be delegated specific permission to perform the task. To delegate the required permissions, right-click the namespace and then click Delegate Management Permissions.


The following table describes the groups that can perform DFS administration by default, and the method for delegating the ability to perform DFS management tasks.

Task: Create a domain-based namespace. Groups that can perform the task by default: Domain admins. Delegation method: Click Delegate Management Permissions.

Task: Add a namespace server to a domain-based namespace. Groups that can perform the task by default: Domain admins. Delegation method: Add users to the local administrators group on the namespace server.

Task: Manage a domain-based namespace. Groups that can perform the task by default: Local administrators on each namespace server. Delegation method: Click Delegate Management Permissions.

Task: Create a stand-alone namespace. Groups that can perform the task by default: Local administrators on each namespace server. Delegation method: Add users to the local administrators group on the namespace server.

Task: Manage a stand-alone namespace. Groups that can perform the task by default: Local administrators on each namespace server. Delegation method: Click Delegate Management Permissions.

Task: Create a replication group, or enable DFS Replication on a folder. Groups that can perform the task by default: Domain admins. Delegation method: Add users to the local administrators group on the namespace server.

Demonstration: How to Create Namespaces

This demonstration shows how to:

• Create a new namespace.

• Create a new folder and folder target.

Demonstration Steps

Create a new namespace

1. Open the DFS Management console.

2. Create a domain-based namespace on LON-SVR1 named Research.

Create a new folder and folder target

1. Create a new folder named Proposals in the \\Adatum.com\Research namespace.

2. Create a folder target for Proposals that points to \\LON-SVR1\Proposal_docs.

3. Confirm namespace functionality by navigating to \\Adatum.com\Research, and confirming that the Proposals folder displays.


Optimizing a Namespace

Namespaces have a number of configuration options with which you can optimize their usability and performance.

Rename or Move a Folder

You can rename or move a folder in a namespace. This allows you to reorganize the hierarchy of folders to best suit the needs of your organization’s users. For example, when your company reorganizes, you can reorganize the namespace to match the new structure.

Disable Referrals to a Folder

A referral is a list of targets that a client computer receives from a domain controller or namespace server when the user accesses a root or folder with namespace targets. By disabling a folder target’s referral, you prevent client computers from accessing that folder target in the namespace. This is useful when you are moving data between servers.

Specify Referral Cache Duration

Clients do not contact a namespace server for a referral each time they access a folder in a namespace; instead, namespace root referrals are cached. Clients that use a cached referral renew the cache duration value of the referral each time a file or folder is accessed using the referral. This means that clients will use the referral indefinitely until the client’s referral cache is cleared or the client is restarted. You can customize the referral cache duration. The default is 300 seconds (5 minutes).

Configure Namespace Polling

To maintain a consistent domain-based namespace across namespace servers, namespace servers must poll AD DS periodically to obtain the most current namespace data. The two modes for namespace polling are:

• Optimize for consistency. Namespace servers poll the primary domain controller (PDC) emulator each time a namespace change occurs. This is the default.

• Optimize for scalability. Each namespace server polls its closest domain controller at periodic intervals.
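The four optimizations above applied with the DFSN cmdlets, as an added example that is not part of the course material. It assumes a domain-based namespace \\Adatum\Accounting with a Reports folder that has a target on LON-SVR2; the new folder name and the 900-second cache duration are illustrative values.

```powershell
# Added example (not from the course): namespace optimizations with the DFSN
# cmdlets. Assumes the namespace \\Adatum\Accounting, a folder named Reports
# with a target on LON-SVR2; the values below are illustrative.

$ns = "\\Adatum\Accounting"

# Rename or move a folder. Only the path in the namespace changes; the folder
# targets behind it stay as they are.
Move-DfsnFolder -Path "$ns\Reports" -NewPath "$ns\Reports-Archive"

# Disable referrals to one folder target while its data is moved to another
# server. Clients holding a cached referral keep using it until the cache
# expires, so set the target offline before the move, not during it.
Set-DfsnFolderTarget -Path "$ns\Reports-Archive" -TargetPath "\\LON-SVR2\Reports" -State Offline

# Referral cache duration (TTL) for the root, in seconds; 300 is the default.
# Raising it reduces namespace-server load, lowering it makes target changes
# visible to clients sooner.
Set-DfsnRoot -Path $ns -TimeToLiveSec 900

# Namespace polling mode. $false keeps "optimize for consistency" (namespace
# servers poll the PDC emulator on each change); $true switches to "optimize
# for scalability" (each server polls its closest DC at intervals).
Set-DfsnRoot -Path $ns -EnableRootScalability $true

# Review the effective root settings; Flags shows the enabled options.
Get-DfsnRoot -Path $ns | Format-List Path, Type, State, TimeToLiveSec, Flags
```

Root scalability mode is the setting to reach for once a namespace has more than a handful of namespace servers; until then the default consistency mode is simpler to reason about, because every server reads the same copy of the namespace from the PDC emulator.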


Lesson 6 Configuring and Troubleshooting DFS Replication

To configure DFS Replication effectively, it is important to understand the terminology and requirements that are associated with the feature. This lesson provides information on the specific elements, requirements, and scalability considerations related to DFS Replication. This lesson also provides a process for configuring an effective replication topology.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe replication groups and replicated folders.

• Describe the initial replication process.

• Explain how to configure DFS namespaces and DFS Replication.

• Describe DFS troubleshooting options.

New Features For Windows Server 2012 R2

Windows Server 2012 R2 has many new or updated features for DFS Replication. These changes assist administrators in optimizing and administering DFS replication. These changes are described in the following table.

Each entry lists the feature or functionality, whether it is new or updated, and a description.

Windows PowerShell module for DFS Replication (New). Provides Windows PowerShell cmdlets for performing the majority of administration tasks for DFS Replication, as well as new functionality.

Database cloning for initial synchronization (New). Allows the DFS Replication database to be exported and imported to seed replicated folders and files on target servers, thus greatly reducing the time and bandwidth required to add new replication servers or recover from disaster.

Database corruption recovery (New). When DFS Replication detects database corruption, it rebuilds the database and then resumes replication normally, with no files arbitrarily losing conflicts. When replicating with a read-only partner, DFS Replication resumes replication without waiting indefinitely for an administrator to manually set the primary flag.

Cross-file RDC disable (New). You can now specifically choose to use the cross-file RDC capability or not, depending on your data and network topologies. Although cross-file RDC can result in large bandwidth savings in networks that have limited bandwidth, there is a potential in high speed LANs for cross-file RDC to increase local server processing time and negatively affect performance. Cross-file RDC can be configured on a per-connection basis.

File staging tuning (New). You can now choose a minimum file size for a file to stage. For servers on LANs with larger files, increasing the minimum staging size for files can increase replication performance.

Preserved file restoration (New). This feature provides the capability to restore files from the ConflictAndDeleted and PreExisting folders. Administrators can now inventory and retrieve the conflicted, deleted, and pre-existing files with Windows PowerShell cmdlets.

Unexpected shutdown database improvements (Updated). When DFS Replication detects an unexpected shutdown on Windows Server 2012 R2, it defaults to triggering the automatic recovery process. You must opt out of this behavior by using the registry value. In addition, if the only replicated folder on a volume is the built-in SYSVOL of a domain controller, it automatically triggers recovery regardless of the registry setting.

Membership disabling improvements (Updated). DFS Replication now leaves the DfsrPrivate folder untouched when you disable membership. You can recover conflicted, deleted, and preexisting files from that location as long as the membership is not re-enabled. Enabling the membership deletes the contents of all private folders.


Replication Groups and Replicated Folders

A replication group is a set of member servers that participate in replicating one or more replicated folders. There are two main types of replication groups:

• Multipurpose replication group. This replication group helps to configure replication between two or more servers for publication, content sharing, or other scenarios.

• Replication group for data collection. This replication group configures a two-way replication between two servers, such as a branch office server and a hub server. Use this group type to collect data from the branch office server to the hub server. You can then use standard backup software to back up the hub server data.

A replicated folder is synchronized between each member server. Creating multiple replicated folders within a single replication group helps to simplify the following for the entire group:

• Replication Group type

• Topology

• Replication schedule

• Bandwidth throttling

The replicated folders that are stored on each member can be located on different volumes in the member. Replicated folders do not need to be shared folders or part of a namespace, although the DFS Management snap-in makes it easy to share replicated folders, and optionally, publish them to an existing namespace.

Replication Topologies

When configuring a replication group, you must define its topology. You can select between the following:

• Hub and spoke. To select this option, you require at least three member servers in the replication group. This topology works well in publication scenarios where data originates at the hub and is replicated to members at the spokes.

• Full mesh. If 10 or fewer members are in the replication group, this topology works well. Each member replicates to all others, as required.

• No topology. Choose this option if you want to manually configure a custom topology after creating the replication group.

You can use Windows PowerShell cmdlets such as New-DfsReplicatedFolder, Set-DfsReplicatedFolder, New-DfsReplicationGroup, and Set-DfsReplicationGroup to create and manage DFS Replication objects.

For more information, see the TechNet article Distributed File System Replication cmdlets in Windows PowerShell:

http://go.microsoft.com/fwlink/?LinkID=389179


Initial Replication Process

When you first configure replication, you choose a primary member that has the most updated files to be replicated. This server is considered authoritative for any conflict resolution that occurs when the receiving members have files that are older or newer when compared to the same files on the primary member.

Consider the following concepts about the initial replication process:

• Initial replication does not begin immediately. The topology and DFS Replication settings must be replicated to all domain controllers, and each member in the replication group must poll its closest domain controller to obtain these settings. Active Directory replication latency and the long polling interval of 60 minutes on each member determine the amount of time this takes.

• Initial replication always occurs between the primary member and its receiving replication partners. After a member has received all files from the primary member, that member will replicate files to its receiving partners. In this way, replication for a new replicated folder starts from the primary member and then progresses out to the other replication group members.

• When receiving files from the primary member during initial replication, the receiving members with files that are not present on the primary member will move those files to their respective DfsrPrivate\PreExisting folder. If a file is physically identical to a file on the primary member, then the file is not replicated. If the version of a file on the receiving member is different from the primary member’s version, the receiving member’s version is moved to the Conflict and Deleted folder, and RDC can be used to download only the changed blocks.

• To determine whether files are identical on the primary member and receiving member, DFS Replication compares the files using a hash algorithm. If the files are identical, only minimal metadata is transferred.

• After you configure replication and the initial replication takes place, the primary member designation is removed. That member is then managed like any other member, and its files are no longer considered authoritative over other members that have completed initial replication. Any member that has completed initial replication is considered authoritative over members that have not completed initial replication.

Using Database Cloning For Initial Replication

The initial replication can take a long time to complete and it can use a large amount of bandwidth when dealing with a large set of files. Windows Server 2012 R2 provides a new feature to clone the database for the initial replication. The Export-DfsrClone cmdlet allows exporting the DFS replication database and volume configuration XML file settings for a given volume from the local computer to create a clone of that database. Exports may take a long time to complete on a large dataset. You can use the Get-DfsrCloneState cmdlet to determine the status of the export operation.

After you clone the data and copy the exported database and XML file to the new DFS member server, you then use the Import-DfsrClone cmdlet to inject the database onto a volume and validate the files on the file system. This provides dramatic performance improvements during the initial sync.


The following cmdlet will export a database and create a clone of the database in a folder named Dfsrclone.

Export-DfsrClone -Volume C: -Path "C:\Dfsrclone"

After copying the cloned database to the C:\Dfsrclone folder on the new DFS member server, use the following cmdlet to import the cloned database.

Import-DfsrClone -Volume C: -Path "C:\Dfsrclone"
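The export, copy and import sequence above as one PowerShell script (an added example, not from the course handbook). The new member name LON-SVR4, the replicated folder C:\BranchDocs\DataFiles, the polling interval and the Robocopy switches are assumptions; the Robocopy switches are chosen to preserve the security descriptors and attributes that the cloned database describes.

```powershell
# Added example (not from the course handbook): end-to-end DFS Replication database
# cloning for a new member with Export-DfsrClone / Get-DfsrCloneState / Import-DfsrClone.
# Assumed values: existing member is the local server, new member is LON-SVR4, the
# replicated folder content path is C:\BranchDocs\DataFiles, export folder C:\Dfsrclone.
# Run elevated on the existing (source) member.

$Volume     = 'C:'
$ClonePath  = 'C:\Dfsrclone'            # export folder used in the text
$NewMember  = 'LON-SVR4'                # assumed name of the new member server
$ReplFolder = 'C:\BranchDocs\DataFiles' # assumed replicated folder content path
$LogFile    = Join-Path $ClonePath 'preseed.log'

# Waits until no clone operation is running. Get-DfsrCloneState reports Ready when
# the export or import has finished; the timeout guards against waiting forever.
function Wait-DfsrCloneReady {
    param([int]$TimeoutMinutes = 720, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = "$(Get-DfsrCloneState)"
        if ($state -eq 'Ready') { return $true }
        Write-Verbose "Clone state: $state" -Verbose
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Clone operation still '$state' after $TimeoutMinutes minutes"
}

# 1. Export the database and the volume configuration XML. Basic validation records
#    file sizes and time stamps so the import can detect files changed since the export;
#    None is fastest, Full hashes every file.
New-Item -Path $ClonePath -ItemType Directory -Force | Out-Null
Export-DfsrClone -Volume $Volume -Path $ClonePath -Validation Basic
Wait-DfsrCloneReady | Out-Null

# 2. Pre-seed the data and the exported database on the new member over the admin share.
#    /B /COPYALL copies security descriptors and attributes; the DfsrPrivate folder must
#    never be copied, because the new member builds its own.
$Dest = "\\$NewMember\C$"
robocopy $ReplFolder "$Dest\BranchDocs\DataFiles" /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /LOG+:$LogFile /TEE
robocopy $ClonePath  "$Dest\Dfsrclone"            /E /B /COPYALL /R:6 /W:5 /LOG+:$LogFile /TEE

# 3. On the new member, inject the database and validate the pre-seeded files.
Invoke-Command -ComputerName $NewMember -ScriptBlock {
    Import-DfsrClone -Volume 'C:' -Path 'C:\Dfsrclone'
    do { Start-Sleep -Seconds 30; $s = "$(Get-DfsrCloneState)" } while ($s -ne 'Ready')
    "Import on $env:COMPUTERNAME finished: $s"
}

# 4. Only now add the new server to the replication group (Add-DfsrMember, Add-DfsrConnection,
#    Set-DfsrMembership with the same content path). Adding it before the import would start
#    the normal initial replication the clone is meant to avoid.
```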

Using File Staging Tuning to Optimize Replication

DFS replication now allows you to configure the staging minimum file size from as little as 256 KB to as large as 512 TB. When you do not use RDC or staging, files are no longer compressed or copied to the staging folder, which can increase performance at the cost of much higher bandwidth usage.

Demonstration: How to Configure DFS Replication

In this demonstration, you will see how to:

• Create a new folder target for replication.

• Create a new replication group.

Demonstration Steps

Create a new folder target for replication

• On LON-SVR1, create a folder target for \\LON-SVR4\Proposal_docs.

Create a new replication group

1. Add the folder to the replication group for LON-SVR1 and LON-SVR4.

2. Declare LON-SVR1 as the primary member, and create a full-mesh replication.

Troubleshooting DFS

Windows Server 2012 provides a number of tools that you can use to monitor and troubleshoot DFS Replication. The tools include:

• Diagnostic Reports. Use Diagnostic Reports to run a diagnostic report for the following:

o Health Report. Shows extensive replication statistics and reports on replication health and efficiency.

o Propagation Test. Generates a test file in a replicated folder to verify replication and provide statistics for the propagation report.

o Propagation Report. Provides information about the progress of the test file that is generated during a propagation test. This report details whether replication is functional.


• Verify Topology. Use Verify Topology to verify and report on the status of the replication group topology. This will report any members that are disconnected.

• Dfsrdiag.exe. Use this command-line tool to monitor the replication state of the DFS Replication service.

Troubleshooting DFS

DFS problems generally fall into one of the following categories:

• Unable to access the DFS namespace. Ensure that both the Net Logon service and DFS service are running on all servers that are hosting the namespace.

• Inability to find shared folders. If clients cannot connect to a shared folder, use standard troubleshooting techniques to ensure that the folder is accessible and that clients have permissions. Remember that clients connect to the shared folder directly.

• Unable to access DFS links and shared folders. Verify that the underlying folder is available and that the client has permissions on it. If a replica exists, verify whether the problem is related to replication latency. Refer to the following replication latency entry in this list.

• Security-related issue. Remember that the client accesses the shared folder directly. Therefore, you must verify the shared folder and access control list (ACL) permissions on the folder.

• Replication latency. Remember that the DFS Replication topology is stored in the domain's AD DS. Consequently, there is some latency before any modification to the DFS Namespace is replicated to all domain controllers.

• Database corruption. Previously, a corrupt database would trigger DFS replication to delete the database and start the initial sync process again, as if replication was being set up for the first time. Now the new database corruption recovery feature rebuilds the database using local file and USN information and marks each file with a normal replicated state. You cannot recover files from the ConflictAndDeleted and Preexisting folders except from backup. DFS Replication Windows PowerShell cmdlets allow the recovery of files from these folders by using the Get-DfsrPreservedFiles and Restore-DfsrPreservedFiles cmdlets. You can restore these files and folders into their previous location or a new location. You can choose to move or copy the files, and you can keep all versions of a file or only the latest version.
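Reviewing and restoring preserved files with the two cmdlets named above, as an added example that is not from the course handbook. The replicated folder C:\BranchDocs\DataFiles and the restore location D:\DfsrRecovery\DataFiles are assumptions; the manifest file names under DfsrPrivate are those DFS Replication writes.

```powershell
# Added example (not from the course handbook): inventory and restore files that DFS
# Replication moved into the ConflictAndDeleted and PreExisting folders, using
# Get-DfsrPreservedFiles and Restore-DfsrPreservedFiles. Assumed values: replicated
# folder C:\BranchDocs\DataFiles, restore target D:\DfsrRecovery\DataFiles.
# Run elevated on the member that holds the preserved files.

$ReplicatedFolder = 'C:\BranchDocs\DataFiles'    # assumed content path
$RestoreTarget    = 'D:\DfsrRecovery\DataFiles'  # assumed out-of-band location

# Each replicated folder keeps one manifest per preservation folder in its hidden
# DfsrPrivate folder; the manifests are what the cmdlets read.
$Manifests = @(
    (Join-Path $ReplicatedFolder 'DfsrPrivate\ConflictAndDeletedManifest.xml'),
    (Join-Path $ReplicatedFolder 'DfsrPrivate\PreExistingManifest.xml')
)

New-Item -Path $RestoreTarget -ItemType Directory -Force | Out-Null

foreach ($Manifest in $Manifests) {
    if (-not (Test-Path -LiteralPath $Manifest)) {
        Write-Verbose "No manifest at $Manifest, nothing preserved there" -Verbose
        continue
    }

    # 1. Inventory what was preserved, when, and why (conflict, delete, pre-existing)
    #    before restoring anything. Unexpected mass deletions show up here first.
    $Preserved = Get-DfsrPreservedFiles -Path $Manifest
    Write-Verbose ("{0}: {1} preserved file(s)" -f (Split-Path $Manifest -Leaf), @($Preserved).Count) -Verbose
    $Preserved |
        Sort-Object PreservedTime -Descending |
        Select-Object Path, PreservedReason, PreservedTime |
        Format-Table -AutoSize

    # 2. Restore copies to a separate location rather than over the live replicated
    #    folder, so versions can be compared before anything is put back in place.
    #    -CopyFiles leaves the preserved originals untouched; -RestoreAllVersions keeps
    #    every conflict version instead of only the most recent one.
    if (@($Preserved).Count -gt 0) {
        Restore-DfsrPreservedFiles -Path $Manifest -RestoreToPath $RestoreTarget -CopyFiles -RestoreAllVersions
    }
}
```

To put files back where they were instead, replace -RestoreToPath with -RestoreToOrigin, adding -AllowClobber only when overwriting the current replicated copy is intended.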


Lab B: Implementing Distributed File System

Scenario

A. Datum Corporation has deployed a new branch office. This office has a single server. To support the requirements of the branch staff, you must configure DFS. To avoid performing backups remotely, a departmental file share in the branch office will be replicated back to the head office for centralized backup, and branch data files will be replicated to the branch server to provide quicker access.

Objectives

After completing this lab, you will be able to:

• Install the DFS role service.

• Configure a DFS namespace.

• Configure DFS Replication.

Lab Setup

Estimated Time: 45 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-SVR4

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the virtual machines that are still running from the last lab and 20411C-LON-SVR4. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20411C-LON-SVR4, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

Exercise 1: Installing the DFS Role Service

Scenario

To support the creation of a replicated namespace, your managers have asked you to install the DFS server role on LON-SVR1 and LON-SVR4.

The main tasks for this exercise are as follows:

1. Install the DFS Role Service on LON-SVR1

2. Install the DFS Role Service on LON-SVR4

Task 1: Install the DFS Role Service on LON-SVR1

• On LON-SVR1, from Server Manager, under the File and Storage Management role, install the DFS Namespaces and DFS Replication role services.

Task 2: Install the DFS Role Service on LON-SVR4

• On LON-SVR4, in Server Manager, under the File and Storage Management role, install the DFS Namespaces and DFS Replication role services.


Results: After completing this exercise, you will have installed the Distributed File System (DFS) role service on LON-SVR1 and installed the DFS role service on LON-SVR4.

Exercise 2: Configuring a DFS Namespace

Scenario

You have been asked to configure a DFS namespace to support the newly requested file structure. Management has requested that the new structure meet the following requirements:

• Namespace: \\Adatum.com\BranchDocs

• File shares to include:

o \\LON-SVR4\ResearchTemplates

o \\LON-SVR1\DataFiles

The main tasks for this exercise are as follows:

1. Create the BranchDocs Namespace

2. Enable Access-Based Enumeration for the BranchDocs Namespace

3. Add the ResearchTemplates Folder to the BranchDocs Namespace

4. Add the DataFiles Folder to the BranchDocs Namespace

5. Verify the BranchDocs Namespace

Task 1: Create the BranchDocs Namespace

1. Switch to LON-SVR1, and then open Server Manager.

2. Open DFS Management.

3. Create a new namespace with the following properties:

o Server: LON-SVR1

o Name: BranchDocs

o Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode

4. Under the Namespaces node, verify that the namespace has been created.

Task 2: Enable Access-Based Enumeration for the BranchDocs Namespace

• In DFS Management, in the \\Adatum.com\BranchDocs Properties dialog box, on the Advanced tab, select the Enable access-based enumeration for this namespace check box.

Task 3: Add the ResearchTemplates Folder to the BranchDocs Namespace

• Add a new folder to the BranchDocs namespace:

o Folder name: ResearchTemplates

o Add a folder target:

Path: \\LON-SVR4\ResearchTemplates

Create share

Local path: C:\BranchDocs\ResearchTemplates

Permissions: All users have read and write permissions


Task 4: Add the DataFiles Folder to the BranchDocs Namespace

• Add a new folder to the BranchDocs namespace:

o Folder name: DataFiles

o Add a folder target:

Path: \\LON-SVR1\DataFiles

Create share

Local path: C:\BranchDocs\DataFiles

Permissions: All users have read and write permissions

Task 5: Verify the BranchDocs Namespace

1. On LON-SVR1, open File Explorer, in the address bar, type \\Adatum.com\BranchDocs\, and then press Enter.

2. Verify that both ResearchTemplates and DataFiles display, and then close the window.

Results: After completing this exercise, you will have configured a DFS namespace.

Exercise 3: Configuring DFS Replication

Scenario

You have been asked to ensure that the files contained in the new DFS namespace are replicated to both LON-SVR1 and LON-SVR4 to ensure data availability.

The main tasks for this exercise are as follows:

1. Create Another Folder Target for DataFiles

2. Configure Replication for the Namespace

3. To Prepare for the Next Module

Task 1: Create Another Folder Target for DataFiles

1. In DFS Management, expand Adatum.com\BranchDocs, and then click DataFiles.

2. In the details pane, notice that there is currently only one folder target.

3. Add a new folder target:

o Path to target: \\LON-SVR4\DataFiles

o Create share

o Local path: C:\BranchDocs\DataFiles

o Permissions: All users have read and write permissions

o Create folder

4. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.


Task 2: Configure Replication for the Namespace

1. Complete the Replicate Folder Wizard:

o Primary member: LON-SVR1

o No topology

o Use defaults elsewhere, and accept any messages.

2. Create a new replication topology for the namespace:

o Type: Full mesh

o Schedule and bandwidth: Use default settings

3. In the details pane, on the Memberships tab, verify that the replicated folder displays on both LON-SVR4 and LON-SVR1.
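The same Lab B configuration (Exercises 2 and 3) built with the DFS Namespaces and DFS Replication PowerShell modules rather than DFS Management, as an added example that is not part of the lab. The namespace root share path C:\DFSRoots\BranchDocs on LON-SVR1 is an assumption; all other names, paths and permissions are the lab's.

```powershell
# Added example (not from the course handbook): Lab B in PowerShell. Run on LON-SVR1
# as Adatum\Administrator after the DFS Namespaces and DFS Replication role services
# are installed on both servers (Exercise 1). Assumed: root share path C:\DFSRoots\BranchDocs.

$Root    = '\\Adatum.com\BranchDocs'
$Servers = 'LON-SVR1', 'LON-SVR4'

# Exercise 2, Tasks 1-2: domain-based namespace in Windows Server 2008 mode (DomainV2),
# hosted on LON-SVR1, with access-based enumeration enabled.
New-Item -Path 'C:\DFSRoots\BranchDocs' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'BranchDocs' -Path 'C:\DFSRoots\BranchDocs' -ReadAccess 'Everyone' | Out-Null
New-DfsnRoot -Path $Root -TargetPath '\\LON-SVR1\BranchDocs' -Type DomainV2 -EnableAccessBasedEnumeration $true | Out-Null

# Exercise 2, Tasks 3-4: create the shares with the lab's "all users read and write"
# permission (Change for Everyone), then add the namespace folders pointing at them.
Invoke-Command -ComputerName 'LON-SVR4' -ScriptBlock {
    foreach ($name in 'ResearchTemplates', 'DataFiles') {
        New-Item -Path "C:\BranchDocs\$name" -ItemType Directory -Force | Out-Null
        New-SmbShare -Name $name -Path "C:\BranchDocs\$name" -ChangeAccess 'Everyone' | Out-Null
    }
}
New-Item -Path 'C:\BranchDocs\DataFiles' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'DataFiles' -Path 'C:\BranchDocs\DataFiles' -ChangeAccess 'Everyone' | Out-Null

New-DfsnFolder -Path "$Root\ResearchTemplates" -TargetPath '\\LON-SVR4\ResearchTemplates' | Out-Null
New-DfsnFolder -Path "$Root\DataFiles"         -TargetPath '\\LON-SVR1\DataFiles'         | Out-Null

# Exercise 3, Task 1: second folder target for DataFiles (created on LON-SVR4 above).
New-DfsnFolderTarget -Path "$Root\DataFiles" -TargetPath '\\LON-SVR4\DataFiles' | Out-Null

# Exercise 3, Task 2: replication group for the folder, both members, LON-SVR1 primary.
# Add-DfsrConnection creates both directions by default; with two members that is a
# full mesh. Schedule and bandwidth keep the defaults, as in the lab.
$Group = 'Adatum.com\BranchDocs\DataFiles'
New-DfsReplicationGroup -GroupName $Group | Out-Null
New-DfsReplicatedFolder -GroupName $Group -FolderName 'DataFiles' | Out-Null
Add-DfsrMember -GroupName $Group -ComputerName $Servers | Out-Null
Add-DfsrConnection -GroupName $Group -SourceComputerName 'LON-SVR1' -DestinationComputerName 'LON-SVR4' | Out-Null
Set-DfsrMembership -GroupName $Group -FolderName 'DataFiles' -ComputerName 'LON-SVR1' `
    -ContentPath 'C:\BranchDocs\DataFiles' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $Group -FolderName 'DataFiles' -ComputerName 'LON-SVR4' `
    -ContentPath 'C:\BranchDocs\DataFiles' -Force | Out-Null

# Verification (Exercise 2, Task 5 and Exercise 3, Task 2 step 3): both folders exist
# in the namespace and the replicated folder is present on both members.
Get-DfsnFolder -Path "$Root\*" | Format-Table Path, State -AutoSize
Get-DfsrMembership -GroupName $Group | Format-Table ComputerName, ContentPath, PrimaryMember -AutoSize
```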

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR1 and 20411C-LON-SVR4.

Results: After completing this exercise, you will have configured DFS Replication.

Question: What are the requirements for deploying a namespace in Windows Server 2008 mode?

Question: What are the benefits of hosting a namespace on several namespace servers?


Module Review and Takeaways

Best Practice:

• Use quota templates to control and monitor the amount of data that groups store

• Use file classification to identify and provide more granular control over certain types of data

• Do not use DFS for files that may be accessed by different people simultaneously. DFS is best suited for static files or one-way replication scenarios.

• Data deduplication can help reduce the amount of storage space consumed by similar files.

Common Issues and Troubleshooting Tips

Common Issue: When you try to run a file management task at a command prompt, you may receive an error specifying that the task could not be found.

Troubleshooting Tip:

Review Question(s)

Question: How do FSRM templates for quotas and file screens provide a more efficient FSRM management experience?

Question: Why does DFS Replication make a more efficient replication platform than FSRM?


Module 10 Configuring Encryption and Advanced Auditing

Contents:

Module Overview 10-1

Lesson 1: Encrypting Drives by Using BitLocker 10-2

Lesson 2: Encrypting Files by Using EFS 10-9

Lesson 3: Configuring Advanced Auditing 10-13

Lab: Configuring Encryption and Advanced Auditing 10-21

Module Review and Takeaways 10-26

Module Overview

As an administrator of the Windows Server® 2012 operating system, you should ensure the continued security of the files and folders on your servers. You can encrypt sensitive files by using native Windows Server 2012 tools. However, you must be aware of some considerations and implementation methods in order to provide a reliable environment.

By using the available features of Windows Server 2012, you can better understand how files and folders are being used on your computers running the Windows® operating system. You can also audit file and folder access. Auditing file and folder access can give you insight into the general performance of your network, as well as more critical information, such as unauthorized usage attempts.

This module describes the Windows Server 2012 tools that can help you to provide increased file system security on your servers.

Objectives

After completing this module, you will be able to:

• Encrypt hard drives by using Windows BitLocker® Drive Encryption.

• Encrypt files by using Encrypting File System (EFS).

• Configure advanced auditing.


Lesson 1 Encrypting Drives by Using BitLocker

BitLocker is a built-in full hard drive encryption feature available with Windows Vista®, Windows Server 2008, and newer Windows operating systems. It is important to understand how BitLocker works before you implement it in your environment. You should also know the requirements to deploy BitLocker and how to recover BitLocker encrypted drives.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe what BitLocker is and how it is used.

• Explain how BitLocker works.

• Identify the BitLocker requirements.

• Describe the steps for configuring BitLocker.

• Describe the Group Policy settings that you can use to manage BitLocker on servers.

• Describe how to configure BitLocker.

• Describe the process for recovering encrypted files, including network unlock.

• Identify best practices for planning and implementing a BitLocker deployment.

What is BitLocker?

BitLocker is a drive encryption technology that enables a user to encrypt an entire hard drive to protect it from unauthorized access attempts. BitLocker was introduced in Windows Vista and Windows Server 2008. BitLocker is available on select versions of the Windows operating system. The BitLocker Requirements topic in this module describes the hardware and software requirements for using BitLocker. On Windows Server operating systems, BitLocker is a feature that can be added by using Server Manager. BitLocker has the following characteristics.

• BitLocker can encrypt an entire hard drive or only the utilized parts of a hard drive. Encrypting only the utilized portion of a hard drive is faster than encrypting an entire hard drive.

• BitLocker can be combined with EFS. While BitLocker can encrypt an entire hard drive, authorized users that can log in to the BitLocker protected computer can gain access to the data if they have the appropriate New Technology File System (NTFS) permissions. EFS encryption works at the user level and can protect data on a shared computer. With this protection, each user can only gain access to their own data or any files and folders to which they have been granted EFS access, even if the NTFS permissions are set to allow access for users that do not have EFS access.

• BitLocker protects the integrity of the Windows boot process. BitLocker verifies that the required early boot files have not been tampered with or modified. If the verification finds files that were tampered with, as a rootkit or a boot sector virus might do, Windows will not start. Secure Boot is the newest implementation of integrity process verification available and is only available for Windows 8 and newer, Windows RT and newer, as well as Windows Server 2012 and newer operating systems.

• Some BitLocker features, such as system integrity verification and multifactor authentication, are only usable when a Trusted Platform Module (TPM) is available on the computer. A TPM is a special hardware chip on computers used for encryption and is discussed in more detail in upcoming topics. The version of the TPM must be 1.2 or higher. However, BitLocker can still provide protection for computers without a TPM.

BitLocker offers protection for data by encrypting the entire content of a hard drive. This encryption also offers data protection for computers that are retired and being recycled, sold, or donated. Before BitLocker, many organizations protected hard drives by using a destruction service or stockpiling old hard drives and recycling, selling, or donating the remainder of the hardware.

How BitLocker Works

BitLocker is a feature of Windows operating systems that can be installed and enabled on demand to protect data on computers. BitLocker works in conjunction with a TPM, if one is available. A TPM is a dedicated microprocessor located in the computer that handles cryptographic operations and can be utilized for implementations of security software such as BitLocker. A TPM stores the encryption keys used to encrypt and decrypt hard drives with BitLocker. TPMs offer additional security features, but this module will focus specifically on BitLocker integration with the TPM. While BitLocker does not require a TPM, a deployment without a TPM is not as secure as a deployment with one. See the upcoming section on BitLocker requirements to understand why a TPM offers better security for BitLocker. In either configuration, BitLocker encrypts the contents of a hard drive, including Windows temp files and system files, so that only authorized users can access the contents of the hard drive. BitLocker uses Advanced Encryption Standard (AES) encryption with a 128-bit or a 256-bit key, depending on the configuration.

BitLocker can be used in many different scenarios, including the following:

• On an existing Windows Server 2012 computer with a standard, unencrypted hard drive or drives. BitLocker can be added and enabled on the server. BitLocker will encrypt the entire contents of the hard drive or hard drives or the used space of a hard drive based on the configuration the user selects. Group Policy can control the configuration, and Windows PowerShell® can automate a deployment across an enterprise.

• In a new deployment of a Windows Server 2012 computer. You can enable BitLocker as part of the deployment so that all data written to the hard drive uses encryption from the beginning of the operating system deployment.

BitLocker can be centrally configured by using Group Policy and enhanced by using computers with TPMs. Also, it offers centralized management and reporting with Microsoft® BitLocker Administration and Monitoring (MBAM).


BitLocker Requirements

There are software and hardware requirements that must be met in order to implement BitLocker.

Operating System requirements

• The Windows XP operating system. Does not support BitLocker for encrypting hard drives, but supports the ability to read and copy data from a portable hard drive encrypted with Windows BitLocker To Go®. This is only supported when the drive was encrypted using a password. To enable reading and copying of BitLocker To Go encrypted data, the BitLocker To Go Reader program must be installed on the Windows XP computer.

• Windows Vista. Windows Vista was the first Windows client operating system to support BitLocker natively. Only the Ultimate and Enterprise versions of Windows Vista support BitLocker.

• Windows 7. Only the Ultimate and Enterprise versions of Windows 7 support BitLocker.

• Windows Server 2008 and newer. All versions of Windows Server since Windows Server 2008 support BitLocker.

Hardware requirements

BitLocker has some optional enhancements that require a TPM on a computer. To use these enhancements, a computer must have a TPM 1.2 or newer chip. The following features require a TPM chip.

• System integrity verification. BitLocker has the option to validate critical system files at startup and prevent the startup of the computer if the files have been tampered with or altered.

• Multifactor authentication. When you combine BitLocker with TPM, multifactor authentication is supported. In such a scenario, BitLocker can be configured also to require one or more of the following:

o A personal identification number (PIN).

o Password.

o A USB drive that contains a BitLocker startup key.

There are some other minor requirements that your organization must meet before you can implement BitLocker, such as the system hard drive being the first bootable device.

BitLocker Frequently Asked Questions (FAQ)

http://go.microsoft.com/fwlink/?LinkID=331171


Configuring BitLocker

The high-level steps below describe the process of implementing BitLocker on a computer running the Windows Server 2012 operating system:

1. If your hardware supports it, enable the TPM on the computer. You do this in the computer's BIOS.

2. Add the BitLocker Drive Encryption feature on the server by using Server Manager. Upon adding the feature, you will be prompted also to add the Enhanced Storage feature and the management tools. The Enhanced Storage feature, which provides the BitLocker binary files, is required while the management tools are optional.

3. Configure Group Policy or local Group Policy for BitLocker settings. This step is required if the computer does not have a TPM chip.

4. Turn on BitLocker on the desired volume.

Thereafter, configuring BitLocker involves managing BitLocker recovery keys, managing and updating BitLocker settings in Group Policy, and supporting the BitLocker technology on the protected computers.

Using Group Policy to Manage BitLocker

Group Policy is the primary feature for configuring BitLocker. The location for configuring BitLocker in a Group Policy Object (GPO) is Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Under that node, there are approximately 40 different configurable policy settings. The following settings represent some of the settings that are often used by organizations and explain what the settings are used for.

• Choose drive encryption method and cipher strength. This setting controls the encryption method. The default encryption used by BitLocker is AES 128-bit. However, many organizations choose to configure this setting for AES 256-bit for better security. Note that this setting is for Windows Server 2012, Windows 8, and Windows RT. A similar setting controls the encryption method and cipher strength on older versions of Windows. For organizations that require the strongest security settings, AES 256-bit is the best choice. For organizations that require optimum performance and are willing to sacrifice some security, AES 128-bit is the best choice.

• Deny write access to fixed data drives/removable drives not protected by BitLocker. This setting is available under the Fixed Data Drives node and the Removable Data Drives node, but not under the Operating Systems Drives node. This setting can ensure that users cannot write to a data drive, whether fixed or removable, unless it is protected by BitLocker. In addition, it can prevent write access by any device that does not have identifiers that match the company identifiers. These identifiers are configured in the Provide the unique identifiers for your organization setting. Note that if this setting is enabled, read access is still permitted when the drives are not protected by BitLocker. Organizations that have stringent data protection policies often use this setting.

• Configure use of passwords for fixed data drives/removable data drives. This setting is under the Fixed Data Drives node and the Removable Data Drives node, but not under the Operating Systems Drives node. You can use this setting to set a password policy on fixed or removable data drives protected by BitLocker. Passwords can be mandatory, password complexity can be mandatory, and a minimum password length can be mandated. The settings are enforced when activating BitLocker. Companies that deploy BitLocker often use this setting. This setting can help align the BitLocker password policy with the corporate password policies and security policies.

• Require additional authentication at startup. This setting is available under the Operating System Drives node. You can use this setting to configure computers that are running Windows 7 or newer and Windows Server 2008 R2 or newer operating systems. This setting can configure BitLocker settings for computers with a TPM. The settings can mandate the use of the TPM, can require a startup PIN and/or startup key, or can allow or disable all of the requirements. This is a commonly used setting that helps companies standardize their deployment of BitLocker.

• Allow network unlock at startup. This setting requires Windows 8 and newer or Windows Server 2012 and newer. This setting allows a computer that is on a trusted local area network (LAN) and joined to a domain to unlock the operating system drive protected by BitLocker automatically at startup. This setting is only valid for computers that have a TPM. In addition, you must meet several requirements to use this feature. This setting eases the effort of using a computer that is protected with BitLocker by automating the unlock operation of the operating system drive.

BitLocker: How to enable Network Unlock.

http://go.microsoft.com/fwlink/?LinkID=331172

Many more settings allow for complete customization of BitLocker for an organization. Some of the other categories of settings that we have not covered directly here are for recovering hard drives protected by BitLocker, managing the type of TPM validation that is performed, and miscellaneous security settings.

Demonstration: Configuring BitLocker

This demonstration shows how to configure BitLocker on a computer running Windows Server 2012 R2.

Demonstration Steps

Edit Group Policy to configure BitLocker:

1. On LON-DC1, modify Group Policy by enabling the Choose how BitLocker-protected fixed drives can be recovered option. Ensure that the checkbox next to the Save BitLocker recovery information to AD DS for fixed data drives option is selected, and then click the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option, and then click OK.

2. On LON-SVR1, force an update of Group Policy.

3. Restart LON-SVR1.

Add the BitLocker Drive Encryption feature:

1. On LON-SVR1, add the BitLocker Drive Encryption feature and any required role services.

2. Restart LON-SVR1 to complete the process.


Turn on BitLocker and then validate that BitLocker is encrypting the data volume.

1. On LON-SVR1, turn on BitLocker for the F: volume, and then use the password option for unlocking the volume at startup.

2. For backing up the recovery key, save the recovery key locally to the E:\Labfiles\Mod10 folder.

3. Restart LON-SVR1 to complete the process.

4. After the restart, sign in to LON-SVR1, and then run the manage-bde -status command to view the status of the F: volume. The F: volume should show the protection status as "Protection On".

Recovering Drives Encrypted with BitLocker

Recovering data from drives encrypted with BitLocker is a straightforward process as long as a recovery mechanism was configured properly initially. In this lesson, the terms recovery key and recovery password are interchangeable. As some system administrators have noticed, different areas of the GUI and tools use different terms. There are multiple methods for recovering data, and a few are presented in the scenarios below.

Scenario 1 – A computer with a data drive encrypted with BitLocker goes down with a hardware problem. There are a few options for recovering the data:

1. Move the hard drive or virtual hard drive to another server and then use the same password to unlock the drive. Copy the data to another location to complete the recovery process.

2. Move the hard drive or virtual hard drive to another server and then use the recovery key located in the recovery key file to unlock the drive. Copy the data to another location to complete the recovery process.

3. Move the hard drive or virtual hard drive to another server and then use the recovery key located in AD DS to unlock the hard drive. Copy the data to another location to complete the recovery process.

4. Move the hard drive or virtual hard drive to another server and then use the data recovery agent to unlock the hard drive. Copy the data to another location to complete the recovery process.

Scenario 2 – A computer with a TPM and an operating system drive encrypted with BitLocker has a boot order change or another qualifying hardware change. In this scenario, assuming that BitLocker is configured for integrity validation through Secure Boot or TPM platform validation, BitLocker will automatically go into recovery mode. This mode is sometimes called the BitLocker recovery console.

1. Obtain the recovery key from a file, from a printout, or from the computer object in AD DS and type it at the recovery prompt to unlock the hard drive.

2. Mount the operating system drive as a data drive in another computer and use the data recovery agent to unlock the hard drive.


The key to the recovery of encrypted drives is proper planning and configuration before you deploy BitLocker. You should consider the following pre-deployment tasks prior to deploying BitLocker:

• Configure Group Policy to ensure that recovery information is available for the appropriate system administrators. For enterprise environments, this often means configuring a data recovery agent and/or mandating the storage of recovery keys in AD DS. There is a Group Policy setting that ensures that BitLocker cannot be enabled until recovery information is stored in AD DS. For Windows 7 and later, the setting is named “Choose how BitLocker-protected <drive type> drives can be recovered” where <drive type> represents a fixed drive, a removable drive, or an operating system drive.

• If you intend for self-service recovery to be available, ensure that users follow the same procedures to store recovery key files. For example, create a security policy that mandates that users must store BitLocker recovery key files in a specific shared folder or in Microsoft SharePoint®.

• Test recoverability of all of the supported hard drive types that you intend to protect with BitLocker. Use the manage-bde -forcerecovery command to put a drive into recovery mode and test the recovery procedure.

• Store BitLocker key packages in addition to recovery keys. A key package, together with the recovery password or recovery key, is what the repair-bde tool needs to recover data from a corrupted hard drive.

• Review your organization’s security policy and align your BitLocker configuration with the security policy. This may include selecting the appropriate key protectors, such as whether a TPM will be required, whether users will have to use a startup key to unlock a drive protected with BitLocker, and whether your organization will use multifactor authentication.
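The pre-deployment checks above, and the AD DS retrieval used in both recovery scenarios, as an added PowerShell example (not the handbook's own code). It uses the BitLocker and ActiveDirectory modules and manage-bde; the computer name LON-CL1, the drive letters, and the FVE policy value names it reads from the registry are assumptions for the demo. Run elevated.

```powershell
# Added example (not from the handbook). Assumptions: lab names LON-CL1 / E:,
# and the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE that
# the "Choose how BitLocker-protected operating system drives can be
# recovered" policy writes (OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup).

function Test-BitLockerAdBackupPolicy {
    # Reports whether Group Policy mandates AD DS backup of OS-drive recovery
    # information and whether BitLocker may be enabled before that backup succeeds.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyDefined   = [bool]$fve
        BackupToAdDs    = ($fve.OSActiveDirectoryBackup -eq 1)
        RequireAdBackup = ($fve.OSRequireActiveDirectoryBackup -eq 1)   # "do not enable until stored in AD DS"
    }
}

function Backup-RecoveryPasswordsToAd {
    # For every BitLocker volume, push each numerical-password protector to the
    # computer object in AD DS (stored as msFVE-RecoveryInformation children).
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # Without a numerical password there is nothing AD DS can hand back.
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
            continue
        }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            "$($vol.MountPoint): backed up protector $($p.KeyProtectorId) to AD DS"
        }
    }
}

function Get-RecoveryPasswordFromAd {
    # Scenario 1 step 3 / scenario 2 step 1: read the 48-digit recovery passwords
    # stored under the computer object. Requires rights to read msFVE-RecoveryPassword.
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties msFVE-RecoveryPassword, whenCreated |
      Sort-Object whenCreated -Descending |
      Select-Object Name, whenCreated, @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# --- pre-deployment, on the client ---
Test-BitLockerAdBackupPolicy
Backup-RecoveryPasswordsToAd

# --- recovery, on the server the drive was moved to (it shows up here as E:) ---
# $pw = (Get-RecoveryPasswordFromAd -ComputerName 'LON-CL1')[0].RecoveryPassword
# manage-bde -unlock E: -RecoveryPassword $pw
# Copy-Item -Path E:\Data -Destination D:\Recovered -Recurse

# --- test the recovery path on a lab machine before rollout ---
# The next boot stops at the recovery screen; the AD DS-stored password must work there.
# manage-bde -forcerecovery C:
```

Test-BitLockerAdBackupPolicy only tells you what policy asks for; Backup-RecoveryPasswordsToAd is what proves the objects exist, and Get-RecoveryPasswordFromAd is the check that an administrator can actually read them back before anyone depends on it.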


Lesson 2 Encrypting Files by Using EFS

EFS is a built-in component of the NTFS file system that enables encryption and decryption of file and folder contents on an NTFS volume. You should understand how EFS works before you implement EFS in your environment. You should also know how to recover the encrypted files and troubleshoot issues when EFS encryption does not work properly.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe EFS.

• Explain how EFS works.

• Explain how to recover files encrypted with EFS.

• Explain how to encrypt a file by using EFS.

What Is EFS?

EFS is a feature that can encrypt files that are stored on an NTFS-formatted partition. This option is available to all users by default. You can also use EFS to encrypt files on a file share. After a file is encrypted with EFS, only authorized users can access it. If a user is authorized, then access to the file is transparent, and the user can open it as if it were an unencrypted file. An unauthorized user receives an access denied message when attempting to open the file.

EFS encryption provides an additional layer of security in addition to NTFS permissions. Users who have NTFS permission to read a file must still be authorized by EFS to decrypt the file.

The default configuration of EFS requires no administrative effort. Users can begin encrypting files immediately, and EFS automatically generates a user certificate with a key pair for a user if one does not already exist. Using a certification authority (CA) to issue user certificates enhances manageability of the certificates.

You can disable EFS on client computers by using Group Policy. In a GPO, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-click Encrypting File System, click Properties, and then click Don’t allow.

Note: If you are not using certificates from a CA and you want to allow EFS to be used on a file share, then you must configure the file server computer account to be trusted for delegation. Domain controllers are trusted for delegation by default.


How EFS Works

EFS uses a combination of public-key and symmetric-key encryption to protect files from attack. EFS uses a symmetric key to encrypt the file, and a public key to protect the symmetric key.

Symmetric-key encryption uses the same key to encrypt and decrypt a file. It is much faster than public-key encryption and is the typical method for encrypting large amounts of data. Its weakness is key distribution: the symmetric key must itself be protected, because anyone who obtains it can decrypt the data.

EFS uses public-key encryption to protect the symmetric key that is required to decrypt files. Each user’s EFS certificate carries a public key, which is used to encrypt the symmetric key; the matching private key is stored in the user’s profile. Only the user who holds that private key can decrypt the symmetric key.

The file encryption and decryption process is as follows:

• Encryption. When a user encrypts a file, EFS generates a file encryption key (FEK) and uses it to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is stored with the file. This ensures that only the user who has the matching EFS private key can decrypt the file. After a user encrypts a file, the file remains encrypted for as long as it is stored on the disk.

• Decryption. To decrypt files, the user can open the file, remove the encryption attribute, or decrypt the file by using the cipher command. When this occurs, EFS decrypts the FEK with the user’s private key, and then decrypts the data by using the FEK.

Note: An additional copy of the FEK is encrypted with the public key of each configured recovery agent and stored with the file. The file can therefore be decrypted by the user who encrypted it or by any authorized recovery agent, each using their own private key.
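The key-wrapping scheme just described, modeled with .NET primitives from PowerShell as an added example. This is not EFS itself and not code from the handbook: real EFS keeps the wrapped FEKs in the file's $EFS stream, whereas here they sit in an object; AES-256 as the FEK algorithm, RSA-OAEP for wrapping, and the names DDF (user entry) and DRF (recovery agent entry) are this example's choices.

```powershell
# Added example (not EFS code, not from the handbook). Models: one AES key per
# file (the FEK), wrapped once for the user (DDF) and once for the recovery
# agent (DRF); either private key holder can unwrap and decrypt. All keys are
# generated in-process for the demo.

function New-RsaKeyPair {
    # Stands in for a certificate plus its private key (2048-bit RSA).
    New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
}

function Get-PublicOnlyCopy($KeyPair) {
    # What an encrypting party really has: the certificate's public key only.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($KeyPair.ToXmlString($false))   # $false = no private parameters
    return $pub
}

function Protect-Data {
    param([byte[]]$Plaintext, $UserPublic, $AgentPublic)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256                   # the FEK (AES-256 is an assumption of the demo)
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [pscustomobject]@{
        Cipher = $cipher
        IV     = $aes.IV
        DDF    = $UserPublic.Encrypt($aes.Key, $true)    # FEK wrapped for the user (RSA-OAEP)
        DRF    = $AgentPublic.Encrypt($aes.Key, $true)   # second copy wrapped for the recovery agent
    }
}

function Unprotect-Data {
    param($Blob, $PrivateKey, [ValidateSet('DDF', 'DRF')][string]$Field)
    # Unwrap this party's copy of the FEK, then decrypt the data with it.
    $fek = $PrivateKey.Decrypt($Blob.$Field, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)
    return ,$plain                        # keep the byte[] intact on the pipeline
}

# --- demo ---
$doug  = New-RsaKeyPair   # Doug's EFS certificate + private key
$agent = New-RsaKeyPair   # the domain's recovery agent certificate + private key
$data  = [Text.Encoding]::UTF8.GetBytes('My secret data')
$blob  = Protect-Data -Plaintext $data -UserPublic (Get-PublicOnlyCopy $doug) -AgentPublic (Get-PublicOnlyCopy $agent)

[Text.Encoding]::UTF8.GetString((Unprotect-Data $blob $doug  'DDF'))   # the user's path
[Text.Encoding]::UTF8.GetString((Unprotect-Data $blob $agent 'DRF'))   # the recovery agent's path

# A public key alone cannot unwrap the FEK: Decrypt throws because no private
# key is present. That is the "only the holder of the private key" rule.
try   { Unprotect-Data $blob (Get-PublicOnlyCopy $doug) 'DDF' | Out-Null }
catch { "Public key alone cannot recover the FEK: $($_.Exception.Message)" }
```

Losing the user's private key leaves the DDF entry useless but the DRF entry intact, which is exactly why the next topic is about backing up the recovery agent's key.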

Recovering EFS–Encrypted Files

If a user who encrypted a file by using EFS loses the private key for any reason, then you need a method for recovering the EFS–encrypted file. The key is stored in the user’s profile where the files or folders were encrypted, so gaining access to that profile may be valuable in a recovery situation. The private key is part of a user certificate that is used for encryption. Backing up a user certificate is another method for recovering EFS–encrypted files. You can import the backed-up user certificate into another profile, and you can use that copy of the user certificate to decrypt the file. However, this method is difficult to implement when there are many users because it is time consuming and takes a lot of administrative effort.


A better method for recovering EFS-encrypted files is to make use of a recovery agent. A recovery agent is an individual who is authorized to decrypt all EFS-encrypted files. The default recovery agent is the domain Administrator account; its profile, which contains the recovery certificate and private key needed to decrypt EFS-encrypted files, is on the first domain controller in the domain. It is a good practice to back up the key that is part of the profile and store it in a secure location. You can also delegate the recovery agent role to any user.

When you add a new recovery agent through Group Policy, the agent is automatically added to all newly encrypted files, but not to existing encrypted files. Because the recovery agents for a file are set at the time that the file is encrypted, an existing encrypted file must be opened and saved, or updated with cipher /u, before the new agent can recover it.

To back up the recovery agent certificate, you should always export the certificate with the private key and keep it in a secure location. The two reasons to back up the private key for the recovery agent or the recovery key are:

• To secure against system failure. The domain administrator key that is used by default for EFS recovery is stored only on the first domain controller in the domain. If anything happened to this domain controller, EFS recovery would be impossible.

• To make the recovery key portable. The recovery key is not automatically available to the recovery agent on all computers. The recovery key must be installed in the recovery agent’s profile. If roaming profiles are not used, then exporting and importing the recovery key is a method to update the recovery agent’s profile on a particular computer.
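The recovery-agent housekeeping described above as an added PowerShell example (not the handbook's code), using cipher.exe and the PKI module's certificate cmdlets. The PFX path and file names are assumptions; the EKU object identifiers are the ones Windows assigns to EFS and to File Recovery certificates.

```powershell
# Added example (not from the handbook). Run in the recovery agent's own session,
# because the private key lives in that user's profile. Paths are assumptions.

$efsEku      = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System (user certificate)
$recoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (data recovery agent certificate)

function Get-EfsCertificate([string]$Eku) {
    # Certificates in the current user's store that carry the EKU and a private key.
    Get-ChildItem Cert:\CurrentUser\My |
      Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $Eku) }
}

function Backup-RecoveryAgentKey([string]$PfxPath) {
    # Reason 1 in the text (system failure): export the agent certificate WITH its
    # private key. Store the PFX offline; whoever holds it can decrypt every file.
    $cert = Get-EfsCertificate $recoveryEku | Select-Object -First 1
    if (-not $cert) { throw 'No File Recovery certificate with a private key in this profile.' }
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw -ChainOption EndEntityCertOnly | Out-Null
    $cert.Thumbprint
}

function Restore-RecoveryAgentKey([string]$PfxPath) {
    # Reason 2 in the text (portability): import the PFX into the agent's profile
    # on another computer when roaming profiles are not in use.
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw
}

function Update-RecoveryAgentOnExistingFiles([switch]$ListOnly) {
    # A recovery agent added through Group Policy is stamped only onto files
    # encrypted afterwards. cipher /u rewrites the recovery entries of every
    # encrypted file on local drives; /u /n only lists those files.
    if ($ListOnly) { cipher /u /n } else { cipher /u }
}

function Show-WhoCanDecrypt([string]$Path) {
    # cipher /c lists the users who can decrypt the file and its recovery certificates.
    cipher /c $Path
}

# --- usage ---
# Backup-RecoveryAgentKey -PfxPath 'D:\Secure\EFS-DRA.pfx'
# Update-RecoveryAgentOnExistingFiles -ListOnly     # preview which files would change
# Update-RecoveryAgentOnExistingFiles               # re-stamp them with the current agent
# Show-WhoCanDecrypt 'C:\Data\report.docx'          # confirm the agent now appears
```

After exporting, consider deleting the private key from the domain controller's Administrator profile and keeping only the certificate in the GPO: the agent's private key is then used only when an offline PFX is deliberately imported for a recovery.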

Demonstration: Encrypting a File by Using EFS

This demonstration shows how to:

• Verify that a computer account supports EFS on a network share.

• Use EFS to encrypt a file on a network share.

• View the certificate used for encryption.

• Test access to an encrypted file.

Demonstration Steps

Verify that a computer account supports EFS on a network share

1. On LON-DC1, open Active Directory Users and Computers.

2. Verify that LON-DC1 is trusted for delegation to any service.

Use EFS to encrypt a file on a network share

1. Log in to LON-CL1 as Adatum\Doug with a password of Pa$$w0rd.

2. Navigate to \\LON-DC1\Mod10Share.

3. Create a new Microsoft Word document named MyEncryptedFile.

4. Open MyEncryptedFile, type My secret data, and then save the file.

5. Encrypt MyEncryptedFile.

6. Log off LON-CL1.


View the certificate used for encryption

1. On LON-DC1, navigate to C:\Users\. Notice that Doug has a profile on the computer. This is where the self-signed certificate is stored. It cannot be viewed in the Microsoft Management Console (MMC) Certificates snap-in unless Doug logs in locally to the server.

2. Navigate to C:\Users\Doug\AppData\roaming\Microsoft\SystemCertificates\My\Certificates. This is the folder that stores the self-signed certificate for Doug.

Test access to an encrypted file

1. Log in to LON-CL1 as Adatum\Alex.

2. Attempt to open \\LON-DC1\Mod10Share\MyEncryptedFile by using Microsoft Word. The attempt will fail because the file was encrypted by Doug.
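The demonstration above as commands, added as an example (not part of the handbook). Machine, share and account names are the course's lab values; the .docx file name, the use of cipher.exe in place of the Explorer check box, and running the certificate query in Doug's session on the server are assumptions.

```powershell
# Added example (not from the handbook). Each section is run where the comment
# says; the lab names LON-DC1, LON-CL1, Mod10Share, Doug and Alex are assumptions.

# -- On LON-DC1 as Adatum\Administrator: with self-signed certificates, the file
#    server encrypts on the user's behalf, so its computer account must be
#    trusted for delegation (domain controllers are, by default).
Get-ADComputer -Identity LON-DC1 -Properties TrustedForDelegation |
  Select-Object Name, TrustedForDelegation

# -- On LON-CL1 as Adatum\Doug: create, encrypt and inspect the file.
$file = '\\LON-DC1\Mod10Share\MyEncryptedFile.docx'
Set-Content -Path $file -Value 'My secret data'
cipher /e $file                                   # same effect as the Encrypt check box
$encrypted = ((Get-Item $file).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set: $encrypted"
cipher /c $file                                   # shows Doug as the user who can decrypt, plus any recovery agent

# -- As Adatum\Doug on LON-DC1: the self-signed EFS certificate created on first
#    use lives in the profile on the server that performed the encryption, which
#    is the folder the demonstration browses. The same query on LON-CL1 may
#    return nothing if Doug has only ever encrypted files on the share.
Get-ChildItem Cert:\CurrentUser\My |
  Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
  Select-Object Subject, Issuer, NotAfter, Thumbprint

# -- On LON-CL1 as Adatum\Alex: NTFS permission is not enough without a DDF entry.
try   { Get-Content -Path $file -ErrorAction Stop }
catch { "Denied as expected: $($_.Exception.Message)" }
```

The TrustedForDelegation check matters because a file server that is not trusted for delegation cannot obtain the user's EFS keys, and the encryption attempt on the share fails with an access denied error that looks like a permissions problem.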


Lesson 3 Configuring Advanced Auditing

Auditing logs report a variety of activities in your enterprise to the Windows Security Log. You can then monitor these logs to identify issues that warrant further investigation. Auditing successful activities can be useful as well, because it provides documentation of changes. It can also log failed and potentially malicious attempts by attackers or unauthorized users to access enterprise resources. When configuring auditing, you specify audit settings, enable an audit policy, and then monitor events in the security logs.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe audit policies.

• Explain how to specify audit settings for a file or folder.

• Explain how to enable audit policy.

• Explain how to evaluate events in the security log.

• Describe the Advanced Audit Policy Configuration.

• Explain how to configure advanced auditing.

Overview of Audit Policies

Audit policy configures a system to audit categories of activities. If audit policy is not enabled, a server will not audit those activities.

You can view standard audit policies in Group Policy, under Computer Configuration. In Computer Configuration, expand Policies\Windows Settings\Security Settings\Local Policies, and then click Audit Policy. To configure auditing, you must define the policy setting. In the Group Policy Management Editor, double-click any policy setting, and select the Define These Policy Settings check box. Then, select whether to enable auditing of Success events, Failure events, or both.

The following table defines each audit policy and its default settings on a Windows Server 2012 domain controller.

Audit Account Logon Events
Description: Creates an event when a user or computer attempts to authenticate by using an Active Directory account. For example, when a user logs in to any computer in the domain, an account logon event is generated on the domain controller that validated the credentials.
Default: Successful account logons are audited.

Audit Logon Events
Description: Creates an event when a user logs in interactively (locally) to a computer or over the network (remotely). For example, if a workstation and a server are configured to audit logon events, the workstation audits a user logging in directly to that workstation. When the user connects to a shared folder on the server, the server logs that remote log in. When a user logs in, the domain controller also records a logon event, because logon scripts and policies are retrieved from the domain controller.
Default: Successful logons are audited.

Audit Account Management
Description: Audits events including the creation, deletion, or modification of user, group, or computer accounts, and the resetting of user passwords.
Default: Successful account management activities are audited.

Audit Directory Service Access
Description: Audits events that are specified in the system access control list (SACL), which is seen in an Active Directory object’s Properties Advanced Security Settings dialog box. In addition to defining the audit policy with this setting, you must also configure auditing for the specific object or objects by using the SACL of the object or objects. This policy is similar to the Audit Object Access policy that you use to audit files and folders, but this policy applies to Active Directory objects.
Default: Successful directory service access events are audited, but few objects’ SACLs specify audit settings.

Audit Policy Change
Description: Audits changes to user rights assignment policies, audit policies, or trust policies.
Default: Successful policy changes are audited.

Audit Privilege Use
Description: Audits the use of a privilege or user right. See the explanatory text for this policy in the Group Policy Management Editor.
Default: No auditing is performed.

Audit System Events
Description: Audits system restart, shutdown, or changes that affect the system or security logs.
Default: Successful system events are audited.

Audit Process Tracking
Description: Audits events such as program activation and process exit. See the explanatory text for this policy in the Group Policy Management Editor.
Default: No events are audited.

Audit Object Access
Description: Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs. In addition to enabling this audit policy, you must configure the auditing entries in objects’ SACLs.
Default: No events are audited.

Notice that most successful and major Active Directory events are already audited by domain controllers. Therefore, the creation of a user, the resetting of a user’s password, the log in to the domain, and the retrieval of a user’s logon scripts are all logged.

However, not all failure events are audited by default. You might need to implement additional failure auditing based on your organization’s Information Technology (IT) security policies and requirements. For example, if you audit failed account logon events, you can expose attempts by an attacker to access the domain by repeatedly trying to log in as a domain user without knowing the account’s password. Auditing failed account management events can reveal an attacker who is attempting to manipulate the membership of a security-sensitive group.

One of the most important tasks you must perform is to balance and align the audit policy with your corporate policies, as well as with what is realistic. Your corporate policy might state that all failed log ins and successful changes to Active Directory users and groups must be audited. That is easy to achieve in AD DS. However, decide how you will use that information before you implement audit policies: if you do not know how, or do not have the tools, to manage those logs effectively, verbose auditing logs are useless. To implement auditing, you must have a well-configured audit policy and the tools with which to manage audited events.

Specifying Auditing Settings on a File or Folder

Many organizations elect to audit file system access to provide insight into resource usage and potential security issues. Windows Server 2012 supports granular auditing based on user or group accounts and the specific actions performed by those accounts. To configure auditing, you must complete three steps: specify auditing settings, enable audit policy, and evaluate events in the security log.

You can audit access to a file or folder by adding auditing entries to its SACL. To do this, you must perform the following steps:

1. Open the Properties dialog box of the file or folder, and then click the Security tab.

2. On the Security tab, click Advanced.

3. Click Auditing.

4. To add an entry, click Edit. This opens the Auditing tab in Edit mode.

5. Click Add and then select the user, group, or computer to audit.

6. In the Auditing Entry dialog box, select the type of access to audit.

Considerations for Configuring Auditing for Files and Folders

You can audit for successes, failures, or both as the specified user, group, or computer attempts to access the resource by using one or more of the access levels.

You can audit successes for the following purposes:

• To log resource access for reporting and billing.

• To monitor access that would suggest users are performing actions greater than what you had planned, indicating that permissions are too generous.

• To identify access that is out of character for a particular account, which might be a sign that the account has been compromised.

You can audit failed events for the following purposes:

• To monitor for attempts to access a resource by unauthorized users.

• To identify failed attempts to access a file or folder to which a user does require access. This would indicate that the permissions are not sufficient to meet a business requirement.


Auditing entries direct the Windows operating system to audit a security principal’s successful or failed attempts to use a specific permission, whether that security principal is a user, group, or computer. Full Control includes all individual access levels, so an entry for Full Control covers any type of access. For example, if you create an auditing entry for Full Control for the Consultants group, and a member of the group attempts access of any kind and fails, that attempt is logged.

Typically, auditing entries reflect the permission entries for the object, but auditing entries and permission entries do not always match. In the above scenario, keep in mind that a member of the Consultants group can also belong to another group that does have permission to access the folder. Because that access succeeds, a failure entry does not log it. Therefore, if you are concerned about restricting folder access and ensuring that users do not access it in any way, monitor failed access attempts, but also audit successful access to identify situations in which a user is accessing the folder through another group membership that is potentially incorrect.

Note: Audit logs can grow large quite rapidly. Therefore, configure the bare minimum required to achieve your company’s security objective. When you specify to audit the successes and failures on an active data folder for the Everyone group by using Full Control (all permissions), this generates enormous audit logs that could impact the performance of the server, and can make locating a specific audit event almost impossible.

Enabling Audit Policy

Configuring auditing entries in the security descriptor of a file or folder does not, in itself, enable auditing. Auditing must also be enabled by defining the appropriate audit policy setting within Group Policy.

After auditing is enabled, the security subsystem begins to log access as directed by the audit settings.

The policy setting must be applied to the server that contains the object that is being audited. You can configure the policy setting in the server’s local GPO, or you can use a GPO that is scoped to the server.

You can define the policy then to audit Success events, Failure events, or both. The policy setting must specify auditing of Success or Failure attempts that match the type of auditing entry in the object’s SACL. For example, to log a failed attempt by Consultants to access the Confidential Data folder, you must configure the Audit object access policy to audit failures, and you must configure the SACL of the Confidential Data folder to audit failures for the consultants’ user objects or group objects. If the audit policy audits successes only, the failure entries in the folder’s SACL will not trigger logging.

Locating Audit Policy Settings

In Group Policy Management in AD DS, there is a group of standard settings in a GPO that control audit behavior. This set of audit policy settings is found under Computer Configuration, in the following node: Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. The audit policy settings govern the following basic settings:

• Audit account logon events

• Audit account management

• Audit directory service access

• Audit logon events

• Audit object access

• Audit policy change

• Audit privilege use

• Audit process tracking

• Audit system events

Note: Remember that audited and logged access is the combination of the settings in audit policy and the audit entries on specific files and folders. If you have configured audit entries to log failures, but the policy enables only logging for successes, your audit logs will remain empty.

Evaluating Events in the Security Log

After you have enabled the Audit Object Access Policy setting and specified the access you want to audit by using object SACLs, the system begins to log access according to the audit entries. You can view the resulting events in the server’s security event log. To do this, in Administrative Tools, open the Event Viewer console, and then expand Windows Logs\Security.

In the security event log, audit events carry either the Audit Success or the Audit Failure keyword. The Details field of each event contains the relevant information, depending on the type of event that was audited; for file and folder access, for example, the event identifies the object name, the account, the process, and the accesses that were requested. Many audit categories return a large number of events, which are tedious to navigate, so filter them: by event ID, and on the details field for the name of a user or of the file or folder that is being audited.
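The three steps of this procedure (add the auditing entry to the folder's SACL, enable the matching audit policy, and read the resulting events) as one added PowerShell example, not code from the handbook. The folder C:\Shares\Confidential Data and the group ADATUM\Consultants follow the text's scenario and are assumptions; 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object) are the Security log event IDs that file system auditing produces. Run elevated on the file server.

```powershell
# Added example (not from the handbook). Assumptions: folder and group names
# from the Consultants / Confidential Data scenario; run as an administrator.

$Folder    = 'C:\Shares\Confidential Data'
$Principal = 'ADATUM\Consultants'

function Add-FolderAuditEntry {
    # Step 1: put a Success+Failure auditing entry for the group in the folder's
    # SACL. Audit rules sit on the same security descriptor as permissions but
    # are only read or written when the ACL is fetched with -Audit.
    param([string]$Path, [string]$Identity)
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $inherit, $prop, $flags)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).Audit            # show the resulting SACL entries
}

function Enable-FileSystemAuditPolicy {
    # Step 2: the SACL does nothing until the policy is on. Enabling only the
    # File System subcategory is narrower than the legacy "Audit object access"
    # setting, which switches on every Object Access subcategory at once.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"File System"
}

function Get-FolderAccessEvents {
    # Step 3: read 4656 (handle requested; failed attempts appear here) and 4663
    # (object accessed) and keep those under the folder. Parsing the event XML
    # avoids positional Properties[] indexes, which differ between event IDs.
    param([string]$Path, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "$Path*") {
            $outcome = 'Success'
            if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = $outcome
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Access  = ($d['AccessList'] -replace '\s+', ' ').Trim()   # %%4416-style access codes
                Process = $d['ProcessName']
            }
        }
      }
}

Add-FolderAuditEntry -Path $Folder -Identity $Principal
Enable-FileSystemAuditPolicy
Get-FolderAccessEvents -Path $Folder | Format-Table -AutoSize
```

Run Get-FolderAccessEvents once before you widen the SACL to Everyone or Full Control: the volume it returns on an active folder is the practical measure of the log growth the note above warns about.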


Advanced Audit Policies

In Windows Server 2012 and Windows Server 2008 R2, administrators can use Group Policy to audit more specific aspects of client behavior on the computer or network. This makes it easier for the administrator to identify the behaviors that are of greatest interest. For example, in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, there is only one policy setting, Audit logon events, for logon events. In Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, you can instead choose from 10 different policy settings in the Logon/Logoff category. This provides you with more detailed control of which aspects of log in and log out you audit.

These security auditing enhancements can help your organization demonstrate compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

• A group administrator who has modified settings or data on servers that contain finance information.

• An employee within a defined group who has accessed an important file.

• That the correct SACL is applied to every file, folder, or registry key on a computer or file share, as a verifiable safeguard against undetected access.

Understanding Advanced Audit Policy Settings

There are 10 categories of advanced audit policy settings that you can configure in Group Policy for Windows Server 2012:

• Account Logon. These settings enable auditing the validation of credentials, and other Kerberos-specific authentication and ticket operation events. The validation of credentials in a domain environment occurs on domain controllers, which means that the auditing entries will be logged on domain controllers.

• Account Management. You can enable auditing for events related to the modification of user accounts, computer accounts, and groups with the Account Management group of settings. This auditing setting will also log password change events.

• Detailed Tracking. These settings control auditing of encryption events, Windows process creation and termination events, and remote procedure call (RPC) events.

• DS Access. These audit settings involve access to Directory Services, including general access, changes, and replication.

• Logon/Logoff. These settings audit standard log in and log out events, together with other session-related activity such as Internet Protocol security (IPsec), Network Policy Server, and uncategorized log in and log out events. This category differs from the related Account Logon category: Logon/Logoff events are recorded on the computer where the session is established (the destination server), so they appear in that server’s event log, and they do not record the validation of credentials, which Account Logon captures on the domain controller.

• Object Access. These settings audit access to objects that carry their own SACL: the file system, file shares, the registry, kernel objects, certification services, removable storage, and applications that generate their own audit events. One of the available subcategories is Audit Removable Storage; with it enabled, an administrator can track each time a user accesses or attempts to access data on a removable storage device.


• Policy Change. When you configure these settings, internal changes to audit policy settings are audited.

• Privilege Use. Within the Windows environment, Windows Server 2012 audits attempts of privilege use, when you configure these settings.

• System. System settings are used for auditing changes to the state of the security subsystem.

• Global Object Access Auditing. These settings apply a computer-wide SACL to every file system object or registry key on the computers that the policy targets, so that access is audited without editing the SACL of each object. When the policy is applied, the effective auditing for an object is the combination of the global SACL and whatever auditing entries the object already has. You configure separate global SACLs for the file system and for the registry under Global Object Access Auditing.

Understanding AuditPol

Besides Group Policy, there is also a built-in command-line tool for managing advanced audit policy settings. The tool is named AuditPol (auditpol.exe), and it offers the following functionality:

• Configure auditing on individual computers. AuditPol manages auditing settings on individual computers, especially computers that are not joined to an Active Directory domain and thus cannot be targeted by Group Policy. AuditPol is especially useful in perimeter networks where stand-alone, non-domain-joined computers are common.

• Get the current auditing settings. By running auditpol /get /category:*, you can quickly see the current auditing settings across all of the advanced auditing categories.

• Update the current auditing settings. By running auditpol /set /user:adatum\Marc /subcategory:"Logon" /success:enable /failure:enable /include, you can audit successful and unsuccessful log ins by adatum\Marc.

• Back up and restore settings across computers. AuditPol has a switch to back up all of the auditing settings and another switch to restore them. This allows administrators to configure auditing settings once, back them up, and then use the restore switch to implement the same settings on other computers.
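The get, set, back up and restore functions listed above, combined into a drift check as an added PowerShell example (not the handbook's code). It reads auditpol's CSV output (the /r switch), compares it with a baseline, corrects the differences and snapshots the result for stand-alone hosts. The baseline subcategories are a sample set chosen for the demo, not a Microsoft recommendation; the CSV column names Subcategory and Inclusion Setting are those auditpol prints and are assumed here.

```powershell
# Added example (not from the handbook). Assumptions: auditpol /r column names
# "Subcategory" and "Inclusion Setting"; the baseline values are illustrative.

function Get-AuditPolicyTable {
    # Subcategory -> effective setting: "No Auditing", "Success", "Failure" or
    # "Success and Failure". /r emits CSV; blank lines are dropped before parsing.
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $table = @{}
    foreach ($r in $rows) { $table[$r.Subcategory] = $r.'Inclusion Setting' }
    return $table
}

function Compare-AuditPolicy {
    # Reports every baseline subcategory whose effective setting differs.
    param([hashtable]$Baseline, [hashtable]$Actual = (Get-AuditPolicyTable))
    foreach ($sub in $Baseline.Keys) {
        $have = if ($Actual.ContainsKey($sub)) { $Actual[$sub] } else { '<missing>' }
        if ($have -ne $Baseline[$sub]) {
            [pscustomobject]@{ Subcategory = $sub; Expected = $Baseline[$sub]; Actual = $have }
        }
    }
}

function Set-AuditSubcategory {
    # Translates a setting string back into the /success and /failure switches.
    param([string]$Subcategory, [string]$Setting)
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Subcategory" /success:$s /failure:$f | Out-Null
}

$Baseline = @{
    'Credential Validation'     = 'Success and Failure'   # Account Logon (logged on the DC)
    'Logon'                     = 'Success and Failure'   # Logon/Logoff
    'Security Group Management' = 'Success and Failure'   # Account Management
    'Audit Policy Change'       = 'Success and Failure'   # Policy Change
    'Process Creation'          = 'Success'               # Detailed Tracking
    'File System'               = 'Failure'               # Object Access (needs SACLs too)
    'Removable Storage'         = 'Success and Failure'   # Object Access
}

$drift = Compare-AuditPolicy -Baseline $Baseline
$drift | Format-Table -AutoSize

# Correct the drift, then snapshot the complete policy for other machines.
foreach ($d in $drift) { Set-AuditSubcategory -Subcategory $d.Subcategory -Setting $d.Expected }
auditpol /backup /file:C:\Temp\audit-baseline.csv
# On a stand-alone host in the perimeter network:
# auditpol /restore /file:C:\Temp\audit-baseline.csv
```

On a domain-joined computer the advanced audit settings delivered by Group Policy win at the next refresh, so use Compare-AuditPolicy there as a read-only check and apply the corrections through the GPO instead.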

Overview of Dynamic Access Control and Expression-based Auditing

Dynamic Access Control is a feature introduced in Windows Server 2012. It greatly enhances the way that administrators grant access to resources by providing real-time control of access based on predefined expressions. It offers the following functionality.

• Apply access control to resources based on the classification of the resource. For example, if a folder containing confidential data is classified as Confidential, then Dynamic Access Control can grant access only to users who are in a specific department.

• Apply access control to resources based on the device being used for access. For example, if a user is attempting to access data from a mobile device, then Dynamic Access Control can limit the access to only specific data or no data at all.

• Apply access control to resources based on the user and specific Active Directory attributes. For example, if a user is in a certain locale, then the user can gain access to specific resources. If a user has a certain title and is in a certain locale, then the user can gain access to other resources.

Expression-based auditing is a new way to perform auditing that works in conjunction with Dynamic Access Control. Expression-based auditing provides the following auditing capabilities.

• Audit files and folders based on their classification. If a file or folder is classified as Confidential, then it can be automatically audited. As new files and folders are classified, they are automatically audited based on the auditing configuration.


• Audit files and folders based on a specific user and a specific action. Auditing can be very granular and allow for targeted auditing based on specific requirements.

• Add contextual information into audit events. Adding information to the events allows for easier filtering and monitoring of events.

Note: Microsoft Official Curriculum 20412, Configuring Advanced Windows Server 2012 Services, covers Dynamic Access Control in detail.

Demonstration: Configuring Advanced Auditing

This demonstration shows how to create and edit a GPO for audit policy configuration.

Demonstration Steps

Create and edit a GPO for audit policy configuration

1. On LON-DC1, open Group Policy Management.

2. Create a new GPO called File Audit.

3. Edit the File Audit GPO, and enable Success and Failure audit events for the Audit Detailed File Share and Audit Removable Storage settings.

4. Close Group Policy Management.


Lab: Configuring Encryption and Advanced Auditing

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and data center are located in London to support the London location and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

You have been asked to configure the Windows Server 2012 environment to protect sensitive files, and to ensure that access to files on the network is audited appropriately. You have also been asked to configure auditing for the new server.

Objectives

After completing this lab, you will be able to:

• Encrypt and recover files by using EFS management tools.

• Configure advanced auditing.

Lab Setup

Estimated Time: 40 minutes

Virtual Machines: 20411C-LON-DC1, 20411C-LON-CL1, and 20411C-LON-SVR1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, press the Windows key, click Administrative Tools, and then double-click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log in using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-SVR1 and 20411C-LON-CL1.

Exercise 1: Encrypting and Recovering Files

Scenario

Your organization wants to allow users to encrypt files with EFS. However, there are concerns about recoverability. To enhance the management of the certificates used for EFS, you will configure an internal CA to issue certificates to users. You will also configure a recovery agent for EFS, and verify that the recovery agent can recover files.

The main tasks for this exercise are as follows:

1. Update the Recovery Agent Certificate for the Encrypting File System (EFS).

2. Update Group Policy on the Computers.

3. Obtain a Certificate for EFS.

4. Encrypt a File.

5. Use the Recovery Agent to Open the File.

Task 1: Update the Recovery Agent Certificate for the Encrypting File System (EFS)

1. On LON-DC1, from Server Manager, open the Group Policy Management administrative tool.

2. Edit the Default Domain Policy that is linked to Adatum.com.

3. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

4. In the Encrypting File System folder, delete the existing Administrator certificate.

5. Create a new Data Recovery Agent.

6. Read the information about the new certificate, and verify that it was issued by AdatumCA.

Task 2: Update Group Policy on the Computers

1. On LON-DC1, use the Windows PowerShell prompt to run gpupdate /force.

2. On LON-CL1, open a command prompt and run gpupdate /force.

3. Log off LON-CL1.

Task 3: Obtain a Certificate for EFS

1. On LON-CL1, log in as Adatum\Doug with a password of Pa$$w0rd.

2. Run mmc.exe to open an empty MMC console.

3. Add the Certificates snap-in to the MMC console.

4. In the MMC console, right-click Personal, and request a new certificate.

5. Select a Basic EFS certificate.

6. Verify that the new certificate was issued by AdatumCA.

7. Close the console, and do not save the changes.

Task 4: Encrypt a File

1. On LON-CL1, browse to \\LON-DC1\Mod10Share\Marketing.

2. Open the properties of DougFile.

3. In the advanced attributes, enable encryption for DougFile only (not for its parent folder).

4. Close File Explorer.

5. Log off LON-CL1.

Task 5: Use the Recovery Agent to Open the File

1. On LON-DC1, browse to E:\Labfiles\Mod10\Mod10Share\Marketing.

2. Open DougFile.txt, modify the contents, and then save the file.

Results: After completing this exercise, you will have encrypted and recovered files.
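The checks behind this exercise, as an added PowerShell example that is not part of the handbook: it confirms that Doug's Basic EFS certificate was issued by AdatumCA, encrypts DougFile.txt the way Task 4 does, and then lists which user and recovery agent certificates can decrypt it. The EKU OID, the file path and the parsing of the cipher.exe output layout are assumptions.

```powershell
# Added example (not from the handbook). Run on LON-CL1 as Adatum\Doug after Task 3.
# Assumptions: the Basic EFS certificate is in the user's Personal store, and the lab
# file is the UNC path from Task 4 with the .txt extension that Task 5 shows.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID
$File   = '\\LON-DC1\Mod10Share\Marketing\DougFile.txt'

# 1. Which certificates in the Personal store can be used for EFS, and who issued them?
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }
if (-not $efsCerts) { throw 'No EFS-capable certificate in Cert:\CurrentUser\My' }
$efsCerts | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize

# A self-signed EFS certificate (Subject equals Issuer) means the CA template was not
# used, so key management by AdatumCA, the point of Task 3, is not in place.
if (-not ($efsCerts | Where-Object { $_.Issuer -match 'AdatumCA' })) {
    Write-Warning 'No EFS certificate issued by AdatumCA; the template may not have applied.'
}

# 2. Encrypt only the file (Task 4). FileInfo.Encrypt() sets the Encrypted attribute
#    exactly as the Advanced Attributes dialog does; the parent folder is untouched.
$item = Get-Item -Path $File
$item.Encrypt()
$item.Refresh()
if (-not ($item.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$File is not encrypted"
}

# 3. cipher /c lists the user certificates and the recovery certificates that can
#    decrypt the file. If no recovery certificate is listed, the DRA from Task 1 did not
#    reach this client (for example, Group Policy was not refreshed in Task 2) and
#    Task 5 will fail for this file.
$report = cipher.exe /c $File
$report

# Assumed layout: "Certificate thumbprint:" lines follow a "Recovery Certificates:" line.
$inRecovery = $false
$recoveryThumbprints = foreach ($line in $report) {
    if ($line -match 'Recovery Certificates:') { $inRecovery = $true;  continue }
    if ($line -match 'Users who can decrypt:')  { $inRecovery = $false; continue }
    if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') { $Matches[1].Trim() }
}
if ($recoveryThumbprints.Count -eq 0) {
    Write-Warning "No recovery agent certificate on $File; recovery in Task 5 will not work."
} else {
    "Recovery agent thumbprint(s): $($recoveryThumbprints -join ', ')"
}
```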

Exercise 2: Configuring Advanced Auditing

Scenario

Your manager has asked you to track all access to file shares that are stored on LON-SVR1. You also need to be aware of any time a user accesses a file on a removable storage device that is attached to the server. You have decided to implement the appropriate object access settings by using Advanced Audit Policy Configuration.

The main tasks for this exercise are as follows:

1. Create a GPO for Advanced Auditing.

2. Verify Audit Entries.

Task 1: Create a GPO for Advanced Auditing

1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.

2. Create a new organizational unit (OU) in Adatum.com named File Servers.

3. Move LON-SVR1 from the Computers container to the File Servers OU.

4. On LON-DC1, open Group Policy Management.

5. Create a new GPO called File Audit, and link it to the File Servers OU.

6. Edit the File Audit GPO and then, under Computer Configuration, browse to the Advanced Audit Policy Configuration\Audit Policies\Object Access node.

7. Configure both the Audit Detailed File Share and Audit Removable Storage settings to record Success and Failure events.

8. Restart LON-SVR1, and log in as Adatum\Administrator with a password of Pa$$w0rd.

Task 2: Verify Audit Entries

1. Log in to LON-CL1 as Adatum\Allan with a password of Pa$$w0rd.

2. Open File Explorer, and navigate to \\LON-SVR1\Mod10.

3. Open the testfile text file in Notepad, and then close Notepad.

4. Switch to LON-SVR1.

5. Open Event Viewer, and view the Audit Success events in the Security Log.

6. Double-click one of the log entries with a Source of Microsoft Windows security auditing, and a Task Category of Detailed File Share.

7. Click the Details tab, and note the access that was performed.

Results: After completing this exercise, you will have configured advanced auditing.
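Exercise 2 scripted and then checked, as an added PowerShell example that is not part of the handbook: Task 1 steps 1 to 5 on LON-DC1, then the effective audit policy and the resulting Detailed File Share events on LON-SVR1. The GPO comment, the event-parsing function and the one-hour time window are assumptions.

```powershell
# Added example (not from the handbook). Steps 6-7 stay in the Group Policy Management
# Editor: advanced audit subcategories are stored in the GPO's audit.csv, not in the
# registry, so Set-GPRegistryValue cannot configure them.
Import-Module ActiveDirectory, GroupPolicy

# --- On LON-DC1 as Adatum\Administrator: OU, computer move, GPO and link (steps 1-5) ---
$domainDn = (Get-ADDomain).DistinguishedName
$ou = New-ADOrganizationalUnit -Name 'File Servers' -Path $domainDn -PassThru
Get-ADComputer -Identity 'LON-SVR1' | Move-ADObject -TargetPath $ou.DistinguishedName
New-GPO -Name 'File Audit' -Comment 'Object access auditing for file servers' |
    New-GPLink -Target $ou.DistinguishedName -LinkEnabled Yes

# Scoping the GPO to the OU means a file server outside the OU is not audited at all,
# so list what is actually in scope before trusting the audit trail.
Get-ADComputer -SearchBase $ou.DistinguishedName -Filter * | Select-Object Name

# --- On LON-SVR1, after gpupdate /force and the restart in step 8 ---
# Effective policy: both subcategories should report "Success and Failure".
auditpol.exe --% /get /subcategory:"Detailed File Share","Removable Storage"

# Detailed File Share writes event 5145 for every file or folder touched on a share
# (high volume on a busy server). Each event records who, from which client address,
# which share and relative path, and the requested access mask.
function Get-ShareAccessEvents {
    param([int]$Hours = 1, [int]$Max = 50)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Client = $data.IpAddress
                Share  = $data.ShareName
                Path   = $data.RelativeTargetName
                Access = $data.AccessMask
            }
        }
}

# Allan's Notepad open from Task 2 should show up as share \\*\Mod10 with the test file
# as the relative path (the exact file name on the lab share is assumed).
Get-ShareAccessEvents | Where-Object Share -like '*Mod10*' | Format-Table -AutoSize
```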

Exercise 3: Using Windows BitLocker® Drive Encryption to Secure Data Drives

The main tasks for this exercise are as follows:

1. Use Group Policy to Prepare the Server for Implementing BitLocker.

2. Enable BitLocker for a Data Drive.

3. Move the Data Drive to Another Server.

4. Recover the Data.

5. To Prepare for the Next Module.

Task 1: Use Group Policy to Prepare the Server for Implementing BitLocker

1. On LON-DC1, modify Group Policy by enabling the Choose how BitLocker-protected fixed drives can be recovered option. Ensure that the Save BitLocker recovery information to AD DS for fixed data drives check box is selected, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option, and then click OK.

2. On LON-SVR1, run the gpupdate /force command.

3. Restart LON-SVR1.

Task 2: Enable BitLocker for a Data Drive

Add the BitLocker Drive Encryption feature:

1. On LON-SVR1, add the BitLocker Drive Encryption feature and any required role services.

2. Restart LON-SVR1 to complete the process.

Turn on BitLocker, and then validate that BitLocker is encrypting the data volume.

1. On LON-SVR1, turn on BitLocker for the F: volume, and use the password option for unlocking the volume at startup.

2. For backing up the recovery key, save the recovery key locally to the E:\Labfiles\Mod10 folder.

3. Restart LON-SVR1 to complete the process.

After restarting, log in to LON-SVR1, and then run manage-bde -status to view the status of the F: volume. The F: volume should show a protection status of "Protection On".

Task 3: Move the Data Drive to Another Server

1. On LON-SVR1, remove the small computer system interface (SCSI) hard drive named 20411C-LON-SVR1-Encrypted.vhdx.

2. On LON-DC1, add D:\Program Files\Microsoft Learning\20411\Drives\20411C-LON-SVR1\20411C-LON-SVR1-Encrypted.vhdx as a SCSI hard drive.

3. Bring the added hard drive online on LON-DC1.

Task 4: Recover the Data

1. On LON-DC1, double-click the F: drive from File Explorer.

2. In the BitLocker window, click More options.

3. Acquire the BitLocker recovery key from the LON-SVR1 computer object in Active Directory Users and Computers.

4. Type the BitLocker recovery key into the BitLocker window to unlock the drive.

5. In File Explorer, verify that the unlocked icon displays and that the hard drive is accessible.
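Tasks 2 and 4 of this exercise with the BitLocker and Active Directory cmdlets, as an added PowerShell example that is not from the handbook; it assumes the BitLocker module is available on both servers, that the Task 1 GPO has already applied to LON-SVR1, and that F: is the data volume named in the lab.

```powershell
# Added example (not from the handbook).

# ---------- On LON-SVR1 (elevated) ----------
# Task 2, feature install; restart afterwards as the lab step says.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

# Task 2, turn on BitLocker. The recovery password protector goes on first, because the
# Task 1 GPO refuses to start encryption until a recovery password is stored in AD DS.
$vol = Enable-BitLocker -MountPoint 'F:' -RecoveryPasswordProtector -UsedSpaceOnly
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'F:' -KeyProtectorId $rp.KeyProtectorId

# The lab's unlock password (what a user types; the 48-digit recovery password above is
# the escrowed key). Read it interactively rather than hard-coding it in a script.
$unlockPw = Read-Host -AsSecureString -Prompt 'Password to unlock F:'
Add-BitLockerKeyProtector -MountPoint 'F:' -PasswordProtector -Password $unlockPw | Out-Null

# Task 2, validate: the cmdlet equivalent of manage-bde -status for this one volume.
Get-BitLockerVolume -MountPoint 'F:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# ---------- On LON-DC1 (Task 4, after the .vhdx has been attached and brought online) ----------
Import-Module ActiveDirectory
# Recovery passwords are child objects of the computer account that escrowed them, so
# read access to those objects is what decides who can unlock the moved drive.
$computer = Get-ADComputer -Identity 'LON-SVR1'
$recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Sort-Object whenCreated -Descending

# The object name ends with the protector GUID; its first 8 characters match the
# "Recovery key ID" the BitLocker dialog shows. The newest object is used here.
$latest = $recovery | Select-Object -First 1
"Using recovery object: $($latest.Name)"

Unlock-BitLocker -MountPoint 'F:' -RecoveryPassword $latest.'msFVE-RecoveryPassword' | Out-Null
Get-BitLockerVolume -MountPoint 'F:' | Select-Object MountPoint, LockStatus, ProtectionStatus
```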

Task 5: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR1 and 20411C-LON-CL1.

Results: After completing this exercise, you will have configured Group Policy for BitLocker, enabled BitLocker on a data drive, moved the data drive to a different server, and then recovered data from the drive.

Question: In Exercise 1, Task 1, why were you asked to generate a new data recovery agent certificate by using the AdatumCA certification authority (CA)?

Question: What are the benefits of placing servers in an OU, and then applying audit policies to that OU?

Question: What is the reason for applying audit policies across the entire organization?

Module Review and Takeaways

Review Question(s)

Question: Some users are encrypting files that are stored on network shares to protect them from other departmental users with NTFS permissions to those files. Is this an effective way to prevent users from viewing and modifying those files?

Question: Why might EFS be considered a problematic encryption method in a widely-distributed network file server environment?

Question: You have configured an audit policy by using Group Policy to apply to all of the file servers in your organization. After enabling the policy and confirming that the Group Policy settings are being applied, you discover that audit events are not being recorded in the event logs. What is the most likely reason for this?

Tools

Tool | Used to | Where to find it

Group Policy Management Console | Manage GPOs containing audit policy settings | Server Manager - Tools

Event Viewer | View audit policy events | Server Manager - Tools

Module 11 Deploying and Maintaining Server Images

Contents:

Module Overview 11-1

Lesson 1: Overview of Windows Deployment Services 11-2

Lesson 2: Managing Images 11-9

Lesson 3: Implementing Deployment with Windows Deployment Services 11-16

Lesson 4: Administering Windows Deployment Services 11-22

Lab: Using Windows Deployment Services to Deploy Windows Server 2012 11-28

Module Review and Takeaways 11-34

Module Overview

Organizations need deployment technologies that can reduce or eliminate user interaction during the deployment process. You can use the Windows Deployment Services role in Windows Server® 2012 and Windows Server 2008 to help support both lite-touch and zero-touch, high-volume deployments. This module explores the functionality of Windows® Deployment Services (Windows DS), and explains how to use Windows Deployment Services tools to perform lite-touch installations.

Objectives

After completing this module, you will be able to:

• Describe the important features and functionality of Windows Deployment Services.

• Manage images by using Windows Assessment and Deployment Kit (Windows ADK) Tools.

• Configure Windows Deployment Services in Windows Server 2012.

• Perform deployments with Windows Deployment Services.

Lesson 1 Overview of Windows Deployment Services

Windows Deployment Services enables you to deploy updates to or complete installations of the Windows operating system. You can use a network-based installation of Windows Deployment Services to deploy these operating systems on new computers. This means that you do not have to be physically present at each computer. In addition, you do not have to install each operating system directly from local media. Consequently, Windows Deployment Services scales well to support the deployment needs of larger organizations.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the function of Windows Deployment Services.

• Describe the components of Windows Deployment Services.

• Describe the benefits of Windows Deployment Services.

• Identify how to use Windows Deployment Services to support various deployment scenarios.

What Is Windows Deployment Services?

Windows Deployment Services is a server role provided with Windows Server 2012. It provides the following functions:

• Enables network-based installations.

• Simplifies the deployment process.

• Supports deployment to computers that have no installed operating system.

• Provides end-to-end deployment solutions for both client and server computers.

• Uses existing technologies, such as Windows Preinstallation Environment (Windows PE), Windows image file (.wim) and virtual hard disk (.vhd and .vhdx) image files, and image-based deployment.

Windows Deployment Services enables automated deployment of Windows operating systems. You can completely automate deployment of the following operating systems:

• Windows XP

• Windows Server 2003

• Windows Vista® with Service Pack 1 (SP1)

• Windows Server 2008

• Windows 7

• Windows Server 2008 R2

• Windows 8

• Windows Server 2012

• Windows 8.1

• Windows Server 2012 R2

Windows Deployment Services enables you to create, store, and deploy installation images of supported operating systems, and supports .wim, .vhd, and .vhdx image files. Deployment can be unicast or multicast. Multicasting manages the network traffic that the deployment process consumes, which potentially speeds up deployment without adversely affecting other network services.

Operating Systems Components

Windows Deployment Services takes advantage of the componentized nature of Windows operating systems. Components let you keep the core functionality of the operating system in an image and add or remove components at any time. For example, you can create an image containing the Windows 8.1 Pro operating system and the applications used by all users in your company. You can use this image as a standard image across your organization. You can save this standard image in a .wim file used for deployment by using Windows DS. As time goes by and Microsoft releases updates for Windows 8.1, you can simply apply these updates to the base .wim file. By using this component approach, you do not need to create new images as updates are released.

Updates are not the only componentized element that you can apply to images. The following elements follow the component infrastructure:

• Updates

• Service Packs

• Language packs

• Device drivers

You can reduce the size of images and total number of available images in a server running Windows Deployment Services by taking advantage of the componentized nature of the Windows operating system, and the ability to apply components to images managed by Windows Deployment Services.

Windows Deployment Services Components

The Windows Deployment Services role in the Windows Server 2012 operating system is composed of two components: the Transport Server and the Deployment Server. You can install only the Transport Server, to use its multicasting engine to transfer data, or both the Transport Server and the Deployment Server, to manage and deploy images across a network.

Transport Server

The transport server component provides the core networking functionality of Windows Deployment Services for multicast transmission. You can install the transport server by itself to allow a computer to send data by using multicast packets. If you install this role by itself, you must create multicast sessions manually by using Windows PowerShell®. You can use multicast sessions to transfer any type of data.

The multicasting engine provides the main utility of the Transport Server component. The multicasting engine allows you to push data over a network to multiple computers simultaneously. This saves time and network bandwidth. The transport server component provides two types of multicasting:

• Scheduled-Cast. Scheduled-Cast is a multicast type that you can use to schedule a multicast session. There are two ways to configure Scheduled-Cast:

o Client count. When you specify a client count, the server waits until the defined count of connected clients is reached, and then it starts to send the information.

o Point in time. When you specify a point in time, the server waits until the specified time and begins deployment to connected client computers.

Note: You can use both the client count and point-in-time options for a Scheduled-Cast. When doing so, the transmission starts as soon as one of the conditions is met: either the client count is reached, or the scheduled time is reached. You can also create a Scheduled-Cast with no threshold, in which case the transmission only starts once you manually initiate it.

While Scheduled-Cast uses a network efficiently, it is somewhat labor-intensive. Each target computer must be turned on, connected, and queued.

• Autocast. Autocast is a type of multicast that automatically creates a new session for each client connection received. A target can join an Autocast at any time, and the server repeats the transmission as long as targets are connected. If the target starts receiving the image in the middle of an Autocast, or if the target misses some portion of the image, it remains connected and collects the additional parts of the file. Once a client’s particular session has completed, the server initiates a new session to ensure clients that connected in the middle of the transmission receive all the necessary data.

Deployment Server

The Deployment Server component of Windows Deployment Services requires the Transport Server to be installed. The deployment server uses the multicasting engine provided by the transport server component to push operating system images across the network.

The deployment server provides the following functionality:

• Preboot Execution Environment (PXE) server. PXE servers listen for Dynamic Host Configuration Protocol (DHCP) requests and respond to DHCP clients with a PXE offer. PXE clients use the information in this offer to establish a connection with the PXE server and join a session hosted by the transport server. Sessions created by using the Deployment Server interface push an image that is applied to PXE clients.

• Image store. The image store manages images uploaded to a server running Windows Deployment Services. You can classify images by separating them into image groups. You can store .wim, .vhd, and .vhdx images. You can use two types of images in Windows Deployment Services:

o Boot image. Boot images are used to start PXE clients. They contain a scaled-down version of the Windows operating system referred to as Windows PE.

o Install images. You can use an install image to apply an operating system to a hard drive on a computer. For PXE clients, the Windows PE operating system starts, establishes a session with the server running Windows Deployment Services, and then downloads an image. Beginning with Windows Server 2012 R2, images are applied to a hard drive as they are downloaded. In prior versions, the entire image had to be downloaded before being applied to a hard drive.

Note: You can use .vhd and .vhdx images as install images in Windows Server 2012 R2. In prior versions, you could only use .vhd images as boot images.

• Windows Deployment Services Client. The Windows Deployment Services client is an integral part of Windows PE and is the component responsible for connecting to a server running Windows Deployment Services, joining a session, and applying an install image.

• TFTP Server. Windows Deployment Services acts as a Trivial File Transfer Protocol (TFTP) server. TFTP is a faster transmission protocol than File Transfer Protocol (FTP) because it uses User Datagram Protocol (UDP) packets instead of TCP packets.

Question: What is the advantage of multicasting as opposed to unicasting in volume deployment scenarios?

Why Use Windows Deployment Services?

Any organization that wants to reduce the effort required of an administrator during operating system deployment can do so by using Windows Deployment Services. An environment that relies only on Windows Deployment Services for operating system deployment can deploy an operating system over the network with little interaction from users. To create a Windows Deployment Services session, start the target computers by using PXE, and then join the session. Once the session starts, there is no need for user interaction. This type of deployment is a lite-touch installation.

Windows Deployment Services can also be used in conjunction with other technologies to provide an even less interactive deployment, called zero-touch installation. In a zero-touch installation, a designated server can use the Wake On LAN protocol to start computers by using PXE, and then join a session managed by Windows Deployment Services. That way, there is no interaction necessary with the target computers.

Note: Zero Touch deployments are not taught in this course, since they require other technologies, such as Microsoft® System Center 2012 R2 Configuration Manager.

Whether you use Lite Touch or Zero Touch deployments, Windows Deployment Services allows organizations to create a more autonomous and efficient environment for installing Windows. Consider the following scenarios.

Deployment over a Small Network

In a small network consisting of a single server and around 25 computers running the Windows XP operating system, you could use Windows Deployment Services to expedite the upgrade process of the client computers to Windows 8.1. Once you have installed and configured the Windows Deployment Services server role on the single server, you can use Windows Deployment Services to perform the following tasks:

1. Add boot.wim from the sources folder of the Windows Server 2012 media as a boot image in Windows Deployment Services.

2. Add install.wim from the sources folder of the Windows 8.1 media as an install image.

3. Create a capture image from the boot image that you added previously.

Note: A capture image is a modified boot image that contains the necessary elements that enable you to capture a .wim file image from a configured reference computer.

4. Start your reference computer from the network using PXE.

5. Perform a standard installation of Windows 8.1 from the install.wim image.

6. Install office productivity applications and custom applications as required on the reference computer.

7. Generalize the reference computer with the System Preparation Tool (Sysprep).

8. Restart the reference computer from the network using PXE.

9. Connect to the capture image that you created, use it to capture the local operating system, and upload it back to the Windows Deployment Services server.

10. Start each of the existing target computers from the network using PXE, and connect to the appropriate boot image.

11. Select the custom install image. Deployment will start.

The benefits of this deployment method to the organization in this scenario are:

• A standardized desktop computer image.

• Quick deployment of each computer with limited installer interaction.

This solution would not suit larger deployments, as you need the installer to start the deployment on the target computer. Additionally, the installer is required to select a disk partition on which to install the selected installation image.

Deployment over a Medium- to Large-Size Organization

In the second scenario, a medium- to large-size organization wants to deploy multiple servers in branch offices that are geographically dispersed. Sending experienced information technology (IT) staff to each location to deploy the servers would be time-consuming and expensive.

By using Windows Deployment Services, IT staff can address this issue remotely:

1. Add boot.wim from the Windows Server 2012 R2 media as a boot image in Windows Deployment Services.

2. Add install.wim from the Windows Server 2012 R2 media as an install image.

3. Create a capture image.

4. Start the reference computer from the network.

5. Perform a standard installation of Windows Server 2012 R2 from the install.wim image.

6. Customize the reference computer as required.

7. Generalize the reference computer.

8. Restart the reference computer.

9. Capture the reference Windows operating system, and upload it back to the Windows Deployment Services server.

10. Configure the necessary Active Directory® Domain Services (AD DS) computer accounts. This prestages the computer accounts.

11. Use Windows System Image Manager (Windows SIM) in the Windows ADK to create an unattended answer file.

12. Configure the answer file for use with the captured installation image on Windows Deployment Services.

13. Configure a custom naming policy in Windows Deployment Services so that each server computer receives a suitable computer name during deployment.

14. Configure Windows Deployment Services to use a default boot image.

15. Configure Windows Deployment Services to respond to PXE requests and start deployment of the install image automatically.

16. Start each of the target computers from the network.

Note: To avoid a boot loop, it is advisable to configure the computer’s basic input/output system (BIOS) to start up from the hard disk and then the network. For further information about avoiding a boot loop, refer to the Windows Deployment Services Deployment Guide.

The benefits of this deployment method to the organization in this scenario are:

• Standardized server builds.

• Automatic domain-join following deployment.

• Automatic computer naming.

• Little or no installer interaction.

The solution does not implement multicast transmissions, nor does it use PXE referral. You could also use these technologies to help manage network traffic during the deployment.
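The server-side steps of the branch-office scenario (steps 1 to 3 and 10 to 15), as an added PowerShell example that is not from the handbook; it uses the WDS module and wdsutil.exe on the Windows Deployment Services server, and the media drive, RemoteInstall path, image names, OU, MAC address and unattend file names are all assumptions.

```powershell
# Added example (not from the handbook). Run elevated on the Windows Deployment
# Services server after the role is installed and initialized.
Import-Module WDS

$media   = 'D:'                 # mounted Windows Server 2012 R2 media (assumed)
$remInst = 'E:\RemoteInstall'   # RemoteInstall folder chosen at initialization (assumed)

# Steps 1-2: boot image and install image from the media.
Import-WdsBootImage -Path "$media\sources\boot.wim" -NewImageName 'WS2012R2 Boot (x64)'
New-WdsInstallImageGroup -Name 'Branch Servers'
Import-WdsInstallImage -Path "$media\sources\install.wim" -ImageGroup 'Branch Servers' `
    -ImageName 'Windows Server 2012 R2 SERVERSTANDARD' -NewImageName 'WS2012R2 Standard'

# Step 3: a capture image is a boot image that carries the capture wizard. There is no
# cmdlet for it, so wdsutil.exe builds it and the result is imported as a boot image.
& wdsutil.exe /New-CaptureImage "/Image:WS2012R2 Boot (x64)" /Architecture:x64 `
    /DestinationImage "/FilePath:$remInst\Boot\x64\Images\capture.wim"
Import-WdsBootImage -Path "$remInst\Boot\x64\Images\capture.wim" -NewImageName 'WS2012R2 Capture (x64)'

# Steps 11-12: bind the unattend file built with Windows SIM to the captured image
# (after step 9 the captured image is in the same group; the name here is assumed).
Set-WdsInstallImage -ImageName 'Branch Reference' -ImageGroup 'Branch Servers' `
    -UnattendFile "$remInst\WdsClientUnattend\BranchServer.xml" -OverwriteUnattend

# Step 10: prestage the AD DS computer account so the server gets its name and OU at
# deployment time. -JoinRights JoinOnly keeps the account from being granted more than
# the right to join. The client unattend answers the Windows DS client wizard.
New-WdsClient -DeviceID '00155D010203' -DeviceName 'BR01-SVR1' `
    -Domain -OU 'OU=Branch Servers,DC=Adatum,DC=com' `
    -WdsClientUnattend 'WdsClientUnattend\BranchClient.xml' `
    -JoinDomain $true -JoinRights JoinOnly

# Steps 13-15: naming policy for clients that were not prestaged, the default boot
# image, and which PXE clients the server answers. Known answers only prestaged
# clients, so an unknown machine on the network is not handed a boot image; the
# scenario's "respond to PXE requests" maps to All once every server is prestaged.
& wdsutil.exe /Set-Server "/NewMachineNamingPolicy:BR-SVR%03#"
& wdsutil.exe /Set-Server "/BootImage:boot\x64\images\boot.wim" /Architecture:x64
& wdsutil.exe /Set-Server /AnswerClients:Known
& wdsutil.exe /Set-Server /PxePromptPolicy /Known:NoPrompt /New:OptIn

# What the server will do for a prestaged client, for a final check before step 16.
Get-WdsClient -DeviceName 'BR01-SVR1' -Domain
```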

Discussion: How to Use Windows Deployment Services

Windows Deployment Services can be useful for many deployment scenarios involving Windows operating systems.

Question: The A. Datum Corporation IT staff is about to deploy Windows Server 2012 to various new branch offices. Management provided the following requirements to the IT staff:

• The configuration of the various branch office servers should be consistent.

• Because the planned deployments are to new branch offices with no current IT infrastructure in place, there is no requirement to upgrade settings from existing servers.

• Automation of the deployment process is important, as there are many servers to deploy.

How would you use Windows Deployment Services to aid deployment?

Discussion: How to Use Windows Deployment Services

Windows Deployment Services can be useful for many deployment scenarios involving Windows operating systems.

Question: A. Datum Corporation wants to deploy several dozen new servers in their head offices. Windows Server 2012 will be installed on these servers. Management provided the following information to the IT staff:

• The configuration of the various servers will vary slightly. There are two basic server configurations: full server, and Server Core.

• Managing network traffic is critical, as the network is near capacity.

How would you advise staff at A. Datum to proceed with the deployment?

Lesson 2 Managing Images

You can use Windows Deployment Services to manage images and apply them to computers over your network. Once you deploy Windows Deployment Services, you must create a set of standard images for your organization based on the needs of users and server administrators. Over time, updates to the operating system and the applications in your images will become available, or new features must be added to existing images. You can use different tools to manage your images in order to keep them up to date.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain the role of images in Windows Deployment Services.

• Identify the Windows ADK tools for image management.

• Describe the various image types.

• Describe how to create an install image.

• Describe how to manage and maintain images.

• Describe how to use Deployment Image Servicing and Management (DISM) to configure an image.

The Role of Images in Windows Deployment Services

Windows Deployment Services relies on images to start remote computers by using PXE boot and to deploy an operating system and any required applications to those same computers.

There are two functional categories of images used by Windows Deployment Services:

• Boot images. Usually you only need two boot images in Windows Deployment Services, one for computers running 32-bit processors, and one for computers running 64-bit processors. The boot image contains a scaled-down version of the Windows operating system named Windows PE.

• Install images. Install images contain the operating system you want to deploy to a given computer along with any applications, updates, roles, and settings configured on the original computer that created the image. Install images are a mirror of a hard drive you can apply to any drive on a Windows Deployment Services client computer.

Once a Windows Deployment Services client connects to a server running Windows Deployment Services by using PXE boot, it downloads a suitable boot image. The client then starts Windows PE and automatically runs the Windows Deployment Services client software to connect to a Windows Deployment Services session and download an install image. There are three formats of image files in Windows Deployment Services that can be used as boot images or install images on a computer running Windows Server 2012 R2:

• .wim files. The .wim format is a file-based disk image format that was introduced with the Windows Vista operating system. .wim files are compressed packages that contain several related files, grouped together in images. Each .wim file contains one or more images, as shown on the slide. .wim files follow the structure described below:

o .wim header. The .wim header defines the .wim file content, including file attributes such as version, size, and compression type, and the location of key resources such as the metadata resource, lookup table, and XML data.

o File resource. A file resource is a series of packages that contain captured data, such as source files.

o Metadata resource. The metadata resource stores information about how the captured data, including the directory structure and file attributes, is organized in the .wim file. There is one metadata resource for each image in a .wim file.

o Lookup table. The lookup table contains the location of resource files in the .wim file.

o XML data. The XML data contains additional miscellaneous data, such as directory and file counts, total bytes, creation and modification times, and description information about the .wim image.

o Integrity table. The integrity table contains the security hash information against which the integrity of an image is verified during an apply operation. It is created when you set the /check switch during a DISM capture operation.

• VHD files. vhd files are a representation of a hard drive contained in a single file. You can mount .vhd files as a drive on a computer, or use the file as a hard drive for a virtual computer hosted by server running Microsoft Hyper-V® Server 2012. One of the new features in Windows Server 2012 R2 is the ability to use .vhd files as install images. In earlier versions of Windows Server, .vhd files could only be used as boot images.

• .vhdx files. .vhdx files are similar to .vhd files, with a few added features:

o Size limit. .vhd files can store up to 2 gigabytes (GB) of data, while .vhdx files can store up to 64 terabytes (TB).

o Metadata resource. .vhdx files contain a metadata resource that is similar to the one found in .wim files. This contains information about the operating system, packages, and updates that are installed on the image.

Note: .vhdx images in Windows Deployment Services were introduced in Windows Server 2012 R2. Prior to this version, .vhdx images were not supported, and .vhd images could only be used as boot images.
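The header layout described above can be inspected directly. The following PowerShell is an added example, not part of the courseware or of any Microsoft tool: it reads the fixed 208-byte header at the start of a .wim file using the published field offsets (an assumption taken from the WIM format documentation) and reports the image count, the compression codec, and whether an integrity table is present. The header it parses is constructed inline; point Get-WimHeaderInfoFromFile at a real file to check an image in your store.

```powershell
# Added example: parse the 208-byte header at the start of a .wim file.
# Field offsets follow the published WIM header layout (assumed, see lead-in).

function Read-WimResourceHeader {
    # A resource header is 24 bytes: 7-byte size in the .wim, 1-byte flags,
    # 8-byte offset in the .wim, 8-byte original (uncompressed) size.
    param([byte[]]$Bytes, [int]$Offset)
    $size = [uint64]0
    for ($i = 6; $i -ge 0; $i--) {
        $size = ($size -shl 8) -bor [uint64]$Bytes[$Offset + $i]
    }
    [pscustomobject]@{
        SizeInWim    = $size
        Flags        = $Bytes[$Offset + 7]
        OffsetInWim  = [BitConverter]::ToUInt64($Bytes, $Offset + 8)
        OriginalSize = [BitConverter]::ToUInt64($Bytes, $Offset + 16)
    }
}

function Get-WimHeaderInfo {
    param([byte[]]$Header)
    if ($Header.Length -lt 208) { throw 'Need at least 208 bytes of header data.' }
    if ([System.Text.Encoding]::ASCII.GetString($Header, 0, 5) -ne 'MSWIM') {
        throw 'Not a .wim file: magic bytes MSWIM not found.'
    }
    $flags = [BitConverter]::ToUInt32($Header, 0x10)
    # Bit 0x2 means compressed; the codec is recorded in bits 17..19.
    $codec = 'None'
    if ($flags -band 0x20000)     { $codec = 'XPRESS' }
    elseif ($flags -band 0x40000) { $codec = 'LZX' }
    elseif ($flags -band 0x80000) { $codec = 'LZMS' }
    elseif ($flags -band 0x2)     { $codec = 'Unknown' }

    $integrity = Read-WimResourceHeader -Bytes $Header -Offset 0x7C
    [pscustomobject]@{
        HeaderSize        = [BitConverter]::ToUInt32($Header, 0x08)
        Version           = '0x{0:X}' -f [BitConverter]::ToUInt32($Header, 0x0C)
        Compression       = $codec
        ChunkSize         = [BitConverter]::ToUInt32($Header, 0x14)
        Guid              = New-Object -TypeName System.Guid -ArgumentList (,([byte[]]$Header[0x18..0x27]))
        PartNumber        = [BitConverter]::ToUInt16($Header, 0x28)
        TotalParts        = [BitConverter]::ToUInt16($Header, 0x2A)
        ImageCount        = [BitConverter]::ToUInt32($Header, 0x2C)
        LookupTable       = Read-WimResourceHeader -Bytes $Header -Offset 0x30
        XmlData           = Read-WimResourceHeader -Bytes $Header -Offset 0x48
        BootIndex         = [BitConverter]::ToUInt32($Header, 0x78)
        # A zero-length integrity resource means the image was captured without
        # an integrity table, so an apply operation cannot verify what it writes.
        HasIntegrityTable = ($integrity.SizeInWim -gt 0)
    }
}

function Get-WimHeaderInfoFromFile {
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] 208
        $read = $stream.Read($buffer, 0, $buffer.Length)
        if ($read -lt 208) { throw "File is too small to be a .wim image: $Path" }
        Get-WimHeaderInfo -Header $buffer
    } finally {
        $stream.Dispose()
    }
}

function New-ConstructedWimHeader {
    # Constructed sample header (not captured from a real image): one part,
    # two images, LZX compression, 32 KB chunks, integrity table present.
    $h = New-Object byte[] 208
    [System.Text.Encoding]::ASCII.GetBytes('MSWIM').CopyTo($h, 0x00)
    [BitConverter]::GetBytes([uint32]208).CopyTo($h, 0x08)
    [BitConverter]::GetBytes([uint32]0x10D00).CopyTo($h, 0x0C)
    [BitConverter]::GetBytes([uint32](0x2 -bor 0x40000)).CopyTo($h, 0x10)
    [BitConverter]::GetBytes([uint32]32768).CopyTo($h, 0x14)
    [guid]::NewGuid().ToByteArray().CopyTo($h, 0x18)
    [BitConverter]::GetBytes([uint16]1).CopyTo($h, 0x28)
    [BitConverter]::GetBytes([uint16]1).CopyTo($h, 0x2A)
    [BitConverter]::GetBytes([uint32]2).CopyTo($h, 0x2C)
    # Integrity table resource: 1040 bytes stored at offset 0x10000. The size field
    # is 7 bytes, so the 8-byte write leaves the flags byte at 0x83 as zero.
    [BitConverter]::GetBytes([uint64]1040).CopyTo($h, 0x7C)
    [BitConverter]::GetBytes([uint64]0x10000).CopyTo($h, 0x84)
    [BitConverter]::GetBytes([uint64]1040).CopyTo($h, 0x8C)
    return ,$h
}

$info = Get-WimHeaderInfo -Header (New-ConstructedWimHeader)
$info | Format-List ImageCount, Compression, ChunkSize, HasIntegrityTable
# Against a real image in the store: Get-WimHeaderInfoFromFile -Path 'E:\install.wim'
```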

Windows ADK Tools for Image Management

The Windows ADK is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems and to assess your environment. You can then create a report showing the changes that you should make before deploying a new Windows operating system. Windows ADK replaces the Windows Automated Installation Kit (Windows AIK) in Windows 7. The core tools used in most Windows deployment scenarios include the following:

• Windows SIM. Windows SIM enables you to create and manage unattended installation answer files and distribution shares. Answer files replace user interactivity during an install and provide settings the installer uses to configure the operating system. These files operate in conjunction with an image to apply settings to the operating system.

• Windows PE. Windows PE is a minimal 32- or 64-bit operating system that has limited services and is built on the Windows 8.1 kernel. Windows PE loads during Windows installation and deployment. Windows PE provides read and write access to Windows file systems, and supports a range of hardware drivers, including network connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE from the Windows product CD or DVD, a universal serial bus (USB) flash drive, or a network share by using PXE. Windows ADK includes several tools to build and configure Windows PE.

• ImageX. This command-line tool captures and modifies install images, and applies images to target computers. ImageX is still available in Windows ADK. However, it is deprecated, and might not be available in future versions of Windows.

• User State Migration Tool (USMT). This tool enables you to migrate user settings from a previous Windows operating system to Windows 8.1.

• DISM. DISM enables you to service and manage Windows images. You can use DISM to apply updates, drivers, and language packs to a Windows image, offline or online.

Image Types

Before capturing an image, you must configure it based on the needs and policies of your organization. Images can be as basic as a simple image with a standard installation of the operating system, or as complex as an image of the operating system, with all of the applications used by the organization installed and ready for deployment. There are three types of images: thin, thick, and hybrid.

Thin Images

A thin image is the smallest possible image you can create. It contains just the operating system and the necessary settings for a computer to be used in a network environment. Thin images do not contain any installed applications, with the exception of the Configuration Manager agent. A thin image is an appropriate baseline for all computers that will use the same operating system, regardless of the applications and utilities that may be loaded afterwards. However, the downside of thin images is that since they do not contain any installed applications, you must deploy all of the necessary applications to the computer after you deploy the image.

Thick Images

A thick image is the opposite of a thin image. It contains the operating system and every application required by the end user. The advantage of a thick image is that, once deployed, the user can work on the computer without having to install anything else. The disadvantages are that thick images are larger than thin images, and that you must service the image more often, since it has multiple applications.

Hybrid Images

Most organizations work with images that fall somewhere between thin and thick. Administrators commonly identify the various applications required by most of the users in the organization, and then create an image that contains all of those common applications. Once the image is applied to a computer, the specific applications for an individual user are deployed as well. This type of image is a hybrid image. Large organizations usually have a set of hybrid images for each department, such as one for the accounting department, one for the sales department, and one for the IT department.

Creating an Install Image

Before we discuss each step in detail, the process of creating an install image can be summarized as follows:

1. Create a capture image.

2. Start the reference computer from the network and perform a standard installation of Windows.

3. Customize the reference computer as required.

4. Generalize the reference computer.

5. Capture the reference Windows operating system, and upload it back to the Windows Deployment Services server.

Create Capture Image

A capture image is a special boot image that you can use to start a reference computer, capture its system drive, and store it in a .wim file. A reference computer is the computer from which you create an image; that image is later used to deploy an operating system to multiple computers.

To create a capture image, execute the following steps:

1. From the Windows Deployment Services administrator console, expand a server running Windows Deployment Services and click Boot images.

2. Right-click the boot image you want to use as the base for the capture image, depending on the processor architecture of the reference computer (32-bit or 64-bit), and click Create Capture Image.

3. In the Create Capture Image Wizard, on the Metadata and Location page, in the Image name box, type the name of the image.

4. In the Image description box, type a description for the image.

5. In the Location and file name box, type the path of the .wim file that you will create as your capture image, and then click Next.

6. In the Task Progress page, select Add image to the Windows Deployment Server now, and click Finish.

7. In the Add Image Wizard, on the Image File page, ensure the file location is correct, and click Next.

8. On the Image Metadata page, enter a name and description for the capture image, and then click Next.

9. On the Summary page, click Next.

Install Windows on Reference Computer

You can install Windows on the reference computer by using any of the following methods:

• Manual install. Start the reference computer by using the Windows install media, or connect to a share or USB drive that contains the install media and run setup.exe.

• Windows Deployment Services-based install. Start the reference computer by using PXE, and start a Windows Deployment Services session to apply the standard install.wim for the desired Windows operating system.

• Other methods. You can use any other operating system deployment tool to apply the standard install.wim image to the reference computer. Some of the tools that you can use are:

o DISM

o ImageX

o System Center 2012 R2 Configuration Manager

Customize the Reference Computer

After installing the operating system on a reference computer, configure the reference computer by doing one or more of the following:

• Enable and configure required Windows roles and features.

• Install any required applications.

• Configure all required operating system settings.

Generalize the Reference Computer

Windows uses a series of globally unique identifiers (GUIDs) for different components of the operating system. These unique identifiers must be distinct from the identifiers used on other computers on the same local network. If you simply apply a reference image to multiple computers on the same network, they will all have the same identifiers, and therefore will not be able to communicate with one another. To solve this issue, you can use the System Preparation tool, Sysprep.

To generalize an image using sysprep, execute the following steps:

1. Open a command prompt with elevated privileges.

2. In the command prompt, type the following, and then press Enter.

%WINDIR%\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown

Capture the Reference Image

After generalizing the image, you must execute the following steps to capture the image:

1. Restart the reference computer by using PXE boot.

2. Connect to a session on the server running Windows Deployment Services to download the capture image.

3. Follow the Capture Image wizard and specify the name of the .wim file you want to create with the image from the reference computer.

Once an image is captured, you can add it as an install image to Windows Deployment Services and use it for deployment.

Managing and Maintaining Images

Image servicing is the act of making changes to an image by adding or removing Windows features, applying updates, configuring local settings, upgrading the edition of Windows used in the image, and adding drivers, among other operations.

DISM is a command-line tool in Windows that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. By using DISM, IT professionals can view the components of an applied or mounted operating system image, and add or remove packages, software updates, and drivers. You can use DISM to service Windows images offline before a deployment, or to create a Windows PE image.

Some of the most common tasks you can perform using DISM include:

• Adding and removing Windows images to or from .wim files (offline).

• Adding and removing packages (offline and online).

• Adding and removing drivers (offline and online).

• Enabling or disabling Windows features (offline and online).

• Adding Operating System updates (offline).

• Configuring Windows settings (offline and online).

• Customizing a Windows PE image (offline).

Image Management

You can perform most servicing and management operations on an offline Windows image by using the DISM command-line tool. DISM extends the offline servicing functionality to include the ability to add and remove drivers without using an unattended answer file, to enumerate drivers and packages, to modify configuration settings, and more.

Two scenarios in which you can use offline servicing include:

• Mount scenario. Perform this on a technician computer to maintain master images. In this scenario, you use DISM to mount and service the image.

• Apply scenario. Perform this on the destination computer during deployment. In this scenario, you use ImageX, or DISM to apply the image, and then use DISM to service the image.

DISM has two main sets of commands:

• Imaging commands. These commands enable image management tasks such as mounting an image file and enumerating images in a file. The following shows the syntax for DISM imaging commands.

DISM.exe [dism_global_options] {WIM_command} [<WIM_arguments>]

• Servicing commands. These commands enable tasks that involve modifying a Windows image, such as injecting drivers, adding packages, and modifying Windows configuration. The following shows the syntax for DISM servicing commands.

DISM.exe {/Image:<path_to_image> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]

Note: The full list of DISM commands can be found at http://go.microsoft.com/fwlink/?LinkId=266552

Offline Servicing Tasks

The tasks that help you perform offline servicing include:

• Collecting drivers, update packages, and language packs, and storing them in an accessible location.

• Copying an instance of your master image to the technician computer or an accessible share.

• Mounting the image.

• Servicing the image.

• Unmounting the image.

• Committing the changes to the image.

Demonstration: Using DISM to Configure an Image

In this demonstration, you will see how to extract information from a .wim file and how to service an offline image.

Demonstration Steps

1. Verify the contents of the E:\install.wim file.

2. Mount the Windows Server 2012 R2 SERVERSTANDARDCORE image and check the installed Windows features.

3. Add the Telnet server feature to the image and unmount it. (Note that the source files are needed to install this specific feature).
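The offline servicing sequence (mount, service, unmount, commit) and the demonstration steps, as an added PowerShell example that is not part of the courseware: it wraps the DISM commands so that a failure at any step discards the mount instead of leaving a half-serviced image, refuses to mount an install.wim whose SHA-256 hash does not match the value recorded when the master image was captured, and checks the feature state so that a feature whose payload was removed is only enabled when a source path is supplied. The expected hash, the mount directory, and the source path are placeholders; the script must run from an elevated prompt.

```powershell
# Added example: offline servicing of E:\install.wim with DISM, run elevated.
# Placeholders: $ExpectedSha256 (record it when the master image is captured),
# $MountDir, and $Source (the sources\sxs folder of matching install media).

function Invoke-Dism {
    # Runs dism.exe with the given arguments and throws on a non-zero exit code,
    # so a caller never continues past a failed servicing step.
    param([string[]]$Arguments)
    Write-Verbose ("dism.exe " + ($Arguments -join ' '))
    $output = & dism.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "DISM failed (exit code $LASTEXITCODE): dism.exe $($Arguments -join ' ')`n$($output -join "`n")"
    }
    return $output
}

function Update-OfflineImage {
    param(
        [string]$ImageFile      = 'E:\install.wim',
        [string]$ImageName      = 'Windows Server 2012 R2 SERVERSTANDARDCORE',
        [string]$MountDir       = 'C:\Mount',                          # placeholder
        [string]$FeatureName    = 'TelnetServer',
        [string]$Source         = '',                                  # placeholder, e.g. D:\sources\sxs
        [string]$ExpectedSha256 = '<SHA256-OF-KNOWN-GOOD-INSTALL.WIM>'  # placeholder
    )
    # 1. Refuse to service an image that does not match the recorded master hash.
    $actual = (Get-FileHash -Path $ImageFile -Algorithm SHA256).Hash
    if ($ExpectedSha256 -notlike '<*' -and $actual -ne $ExpectedSha256) {
        throw "Hash mismatch for $ImageFile (got $actual); not mounting."
    }

    # 2. Confirm the requested image exists in the .wim before mounting it.
    $info = Invoke-Dism @('/Get-ImageInfo', "/ImageFile:$ImageFile")
    if (-not ($info -match [regex]::Escape($ImageName))) {
        throw "Image '$ImageName' not found in $ImageFile."
    }
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    # 3. Mount read/write.
    Invoke-Dism @('/Mount-Image', "/ImageFile:$ImageFile", "/Name:$ImageName", "/MountDir:$MountDir") | Out-Null
    $committed = $false
    try {
        # 4. Check the feature state; a removed payload needs the source files.
        $featureInfo = Invoke-Dism @("/Image:$MountDir", '/Get-FeatureInfo', "/FeatureName:$FeatureName")
        $state = $featureInfo | Where-Object { $_ -match '^State\s*:' } | Select-Object -First 1
        Write-Verbose "Feature state before servicing: $state"
        if ($state -match 'Payload Removed' -and -not $Source) {
            throw "$FeatureName payload is not in the image; supply -Source with the sources\sxs folder."
        }
        $enableArgs = @("/Image:$MountDir", '/Enable-Feature', "/FeatureName:$FeatureName", '/All')
        if ($Source) { $enableArgs += "/Source:$Source" }
        Invoke-Dism $enableArgs | Out-Null

        # 5. Unmount and commit only when every step above succeeded.
        Invoke-Dism @('/Unmount-Image', "/MountDir:$MountDir", '/Commit') | Out-Null
        $committed = $true
    } finally {
        if (-not $committed) {
            # Leave no half-serviced mount behind: discard and clean stale mount points.
            & dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard | Out-Null
            & dism.exe /Cleanup-Mountpoints | Out-Null
        }
    }
    return $committed
}

# Update-OfflineImage -Source 'D:\sources\sxs' -Verbose
```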

Lesson 3 Implementing Deployment with Windows Deployment Services

While Windows Deployment Services is not complicated to install and configure, it is important that you understand the makeup of its components and how to configure them correctly. By doing this, you will ensure that it provides the appropriate level of deployment automation, and that it addresses your organization’s deployment needs. Once you install and configure Windows Deployment Services, you must understand how to use it and its associated tools to create, manage, and deploy images to computers within your organization.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Windows Deployment Services components.

• Explain how to install and configure Windows Deployment Services.

• Explain the process of using Windows Deployment Services to deploy Windows Server.

Understanding Windows Deployment Services Components

When you deploy the Windows Deployment Services server role, you can choose from two configuration options. You can choose the default configuration, which deploys both the Deployment Server and Transport Server role services, or you can choose to deploy only the Transport Server role service. Note that only the Deployment Server role service provides the image server; the Transport Server does not provide imaging functionality.

The Deployment Server enables an end-to-end deployment solution, while the Transport Server provides a platform that you use to create a custom multicast deployment solution.

The following table compares the two role services.

Server component | Deployment server | Transport server

Requirements | AD DS, DHCP, and Domain Name System (DNS) | No infrastructure requirements

PXE | Uses the default PXE provider | You must create a PXE provider

Image server | Includes the Windows Deployment Services image server | None

Transmission | Unicast and multicast | Multicast only

Management | Both the WDSutil.exe command-line tool and the Windows Deployment Services Microsoft Management Console (MMC) snap-in | WDSutil.exe only

Target computer | Uses the Windows Deployment Services client or the Wdsmcast.exe tool | Wdsmcast.exe only

Transport Server Functionality

You can use the Transport Server to perform the following functions:

• Boot from the network. The Transport Server provides only a PXE listener. This component listens to and accepts incoming traffic. You must write a custom PXE provider to use a Transport Server to boot a computer from the network.

• Multicasting. The multicast server in Windows Deployment Services consists of a multicast provider and a content provider:

o Multicast provider. This provider transmits data over the network.

o Content provider. This provider interprets the data and passes it to the multicast provider. It is installed with both the Transport Server and the Deployment Server, and can transfer any file type, although it has specific knowledge of the .wim image file format.

Windows Deployment Services Installation Requirements

The specific requirements for installing the Windows Deployment Services role depend on whether you are deploying a Deployment Server or only a Transport Server.

To install a Deployment Server, your network and target server must meet the following requirements:

• AD DS. Your Windows Deployment Services server must be either a member of an AD DS domain or a domain controller for an AD DS domain.

• DHCP. You must have a working DHCP server with an active scope on the network. This is because Windows Deployment Services uses PXE, which relies on DHCP to allocate Internet Protocol (IP) configurations.

• DNS. You must have a working DNS server on the network so that client computers can locate the required services for deployment.

• NTFS file system volume. The server running Windows Deployment Services requires an NTFS volume for the image store. Windows Deployment Services accesses the image store within the context of the logged-on user. Therefore, deployment user accounts must have sufficient permissions on image files.

While not a requirement, the Windows ADK enables you to simplify the process for creating answer files, unattend.xml, for use with automated Windows Deployment Services deployments.

Note: To install the Windows Deployment Services role, you must be a member of the Local Administrators group on the server. To initialize the server, you must be a member of the Domain Users group.

Installing and Configuring Windows Deployment Services

Once your network infrastructure meets the prerequisites, you can install the Windows Deployment Services server role.

Installing the Windows Deployment Services Server Role

Follow these high-level steps to install the role:

1. Open Server Manager, and then add the Windows Deployment Services server role.

2. Choose whether you want to install the Deployment Server role service, which includes the Transport Server role, or just the Transport Server role service.

3. Complete the wizard to install the required role.

Initial Windows Deployment Services Configuration

Once Windows Deployment Services is installed, open Windows Deployment Services from Administrative Tools. Follow these high-level steps to configure Windows Deployment Services:

1. Select your server in Windows Deployment Services console, and launch the Configuration wizard.

2. Specify a location to store images. This location:

o Must be an NTFS partition.

o Must be large enough to accommodate the deployment images that you anticipate needing.

o Should be a separate physical disk from that on which the operating system is installed to help optimize performance.

3. If the DHCP server role is co-hosted on the Windows Deployment Services server, you must:

o Prevent the PXE server from listening on User Datagram Protocol (UDP) port 67; this port is used by DHCP.

o Configure DHCP option 60 to PXEClient; this enables the PXE client to locate the Windows Deployment Services server port.

Note: If you deploy Windows Deployment Services to a server that is already running the DHCP Server role, these changes are made automatically. If you subsequently add the DHCP Server role to a Windows Deployment Server, you must ensure that you make these changes.

4. Determine how you want the PXE server to respond to clients:

o The default is that the PXE server does not respond to any clients; this is useful when you are initially configuring Windows Deployment Services, as you do not yet have any images available for clients.

o Alternatively, you can choose to configure the PXE server to:

 Respond to known client computers. These are computers that you have prestaged.

 Respond to all client computers, whether you have prestaged them or not; if you select this option, you can additionally define that administrator approval is required for unknown computers. While awaiting approval, client computers are in a pending queue.

Note: If necessary, you can reconfigure these settings after the initial configuration is complete.

Managing Deployments with Windows Deployment Services

Once you install and configure Windows Deployment Services, you can then prepare Windows Deployment Services to service client deployments. This involves the following procedures.

Configuring Boot Settings

You must complete several configuration tasks to configure boot settings on the server that is hosting Windows Deployment Services.

• Add boot images. A boot image is a Windows PE image that you use to boot a computer and install the install image. Typically, you use the boot.wim file on the Windows Server 2012 product DVD in the \sources folder. You may also decide to create a capture image, which is a specific type of boot image that you can use to capture a currently installed operating system on a reference computer.

• Configure the PXE boot policy for known and unknown clients. This policy determines the required installer behavior during the initial part of the deployment. By default, both known and unknown computer policies require the installer to press F12 to connect to the Windows Deployment Services image server. Failure to do so results in the computer using BIOS settings to determine an alternative boot method—for example, hard disk or CD ROM. Instead of this default, you can configure the following options:

o Always continue the PXE boot. This option ensures that the computer continues through the deployment process without any installer interaction.

o Continue the PXE boot unless the user pressed the Esc key. This option gives the installer the ability to cancel the deployment.

• Configure a default boot image. If you have multiple boot images—for example, to support multiple platforms—you can configure a default boot image for each of them. This image is selected after a timeout period on the PXE client computer.

• Associate an answer file for setup. For each client architecture, you can define an associated answer file. This answer file provides information that is used during the initial setup phase, and enables the Windows Deployment Services image server to select the appropriate install image for the client, without installer intervention.

• Create discover images. Not all computers support PXE network boot. For those that do not, you can create a discover image based on a boot image and export it to a removable storage device. To create a discover image, specify:

o The image name and description.

o The boot image on which it is based.

o A filename with which to store the image.

o The name of the Windows Deployment Services server that will be used for deployment.

Configuring Install Settings

You must configure additional install settings in Windows Deployment Services.

• Add install images. This is the operating system image that you use to install Windows Server. Typically, you start with the installation image install.wim, in the \sources folder on the Windows Server 2012 product DVD. Thereafter, you might choose to create custom images for groups of computers that have similar configurations.

Note: Before you can create install images, you must define an install image group in which to consolidate the related images. If you do not do so, the Windows Deployment Services administration program creates a generic group.

• Associate an answer file with an install image. If you have created an answer file, for example by using Windows ADK, you can associate it with an install image to provide the necessary information to complete deployment of the computer with no installer interaction.

• Configure a client naming policy. You can use the client naming policy to define computer names for unknown computers during deployment. The policy uses a number of variables to create a unique name:

o %First. The installer’s first name. Placing a number after the % sign results in using only that many characters. For example, %3First uses the first three characters of the installer’s first name.

o %Last. The installer’s last name. You can also define the number of characters to use.

o %Username. The installer’s user name. Again, you can limit the number of characters by specifying a number after the % sign.

o %MAC. The media access control (MAC) address.

o %[n]#. Use this sequence to append a unique sequential number of n digits to the computer name. To pad the number with leading zeros, place a zero after the % sign. For example, %2# results in the sequential numbers 1, 2, 3, and so on, whereas %02# results in 01, 02, 03, and so on.

• Specify the AD DS location for computer accounts. The default is to use the same AD DS domain as the Windows Deployment Services server. Alternatively, you can select between:

o The same domain as the user performing the deployment.

o The same organizational unit (OU) as the user who is performing the deployment.

o A specified AD DS location.

Note: The Windows Deployment Services computer requires Create Computer object and Write All Properties permissions on the AD DS container that you specify.

Configuring Transmission Settings

Configure multicast transmissions. Unicast transmission is enabled by default. No additional steps are required for you to deploy clients using unicast. However, to enable multicast transmission, specify:

• The multicast transmission name.

• An install image with which the transmission is associated.

• A method of multicast transmission. Choose between Autocast and Scheduled-Cast. If you choose Scheduled-Cast, you can define both a threshold minimum number of clients before transmission starts and the start date and time.

Configuring Drivers

Windows Deployment Services in Windows Server 2012 enables you to add and configure driver packages on the server, and then deploy them to client computers during installations based on their hardware.

Use the following high-level steps to configure drivers:

1. Obtain the drivers that you need. These must be in the form of an .inf file rather than an .msi or .exe file.

2. Configure filters, if desired, on the driver group. These filters determine which computers receive the drivers based on the hardware characteristics of the client computers. For example, you can create a filter that applies the drivers only to computers that have a BIOS manufactured by A. Datum.

3. Add the drivers as a driver package. Driver packages must be associated with a driver group. If you associate the driver package with an unfiltered group, all computers receive the driver.

You can use Windows Deployment Services to add driver packages directly to your Windows 8 and Windows Server 2012 boot images. Therefore, you do not have to export the image, add the driver packages manually by using the tools in the Windows ADK, and then add the updated boot image back to the server.

Question: What is the advantage of defining a client naming policy?

Lesson 4 Administering Windows Deployment Services

When you have completed the configuration of Windows Deployment Services, you must create and administer boot images, install images, and optionally capture and discover images. In addition, you must make these images available to client computers with the desired level of automation, using an appropriate transmission mechanism.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the common administration tasks.

• Explain how to add and configure boot, capture, discover, and install images.

• Explain how to automate deployments.

• Explain how to configure multicast transmission to deploy your images.

Common Administration Tasks

To configure Windows Deployment Services effectively, you must complete a number of common administration tasks, and Windows Deployment Services provides several tools to help you do so. The administrative tasks that you must complete include the following:

• Configuring DHCP.

• Creating and servicing images.

• Managing the boot menu.

• Prestaging client computers.

• Automating deployment.

• Configuring transmission.

Configuring DHCP

Clients that boot using PXE require a dynamically allocated Internet Protocol version 4 (IPv4) configuration. You must create and configure an appropriate DHCP scope for this purpose. Additionally, if the DHCP and Windows Deployment Services server roles are co-hosted, then you must configure how the PXE server listens for client requests; there is an inherent conflict as both DHCP and Windows Deployment Services use UDP port 67. To create and manage DHCP scopes, you can use the DHCP snap-in or the Netsh.exe command-line tool.

Creating and Servicing Images

You can create and service images with the Windows Deployment Services snap-in, Windows SIM, the WDSutil.exe command-line tool, or the Dism.exe command-line tool.

For example, to add a boot image, use the following command:

WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path> /ImageType:Boot

To create a capture image, use the following command:

WDSUTIL /New-CaptureImage /Image:<source boot image name> /Architecture:{x86|ia64|x64} /DestinationImage /FilePath:<file path>

To add an install image, use the following two commands, pressing Enter after each line:

WDSUTIL /Add-ImageGroup /ImageGroup:<image group name>

WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path to .wim file> /ImageType:Install

Note: You can also perform these management tasks using the Windows Deployment Service management console, found in Server Manager.

Managing the Boot Menu

The boot environment for Windows Server 2012 relies on the Boot Configuration Data (BCD) store. This store defines how the boot menu is configured. You can customize the store using Bcdedit.exe.

Note: When you customize the BCD store, you must force it to be recreated for your changes to take effect. To do this, run the following two WDSutil.exe commands, pressing Enter after each line, to stop and then restart the Windows Deployment Services server:

wdsutil /stop-server

wdsutil /start-server

The following is a list of limitations for the boot menu user interface:

• Screen size. Only 13 images can be displayed on the menu. If you have more, the installer must scroll down to see them.

• Mouse. There is no mouse pointer.

• Keyboard. There is no support for alternate keyboards, other than what the BIOS supports.

• Localization. There is limited support for localization, other than what the BIOS supports.

• Accessibility. There is limited support for accessibility.

Prestaging Client Computers Windows Deployment Services supports deployment to unknown clients. You can exert some control over unknown clients by configuring administrator approval. This ensures that clients that are attempting to deploy with Windows Deployment Services are placed in a pending queue awaiting your approval. You can also configure the client computer’s name during approval.

However, if you want more specific control over deployments, you can prestage the computers in AD DS. This enables you to configure the client to:

• Start from a different Windows Deployment Services server.

• Use a different network boot program.

• Use a specific unattend file.

• Use a specific boot image.

• Join a particular AD DS domain.


You can type the following command in the WDSutil.exe command-line tool to prestage computers:

WDSUTIL /Add-Device /Device:<name> /ID:<GUIDorMACAddress>

In this example, <GUIDorMACAddress> is the identifier of the new computer.
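As an added example that is not part of the course material, the following PowerShell script prestages a batch of branch servers from an inventory list using the same WDSUTIL /Add-Device syntax shown above, so that only recorded hardware is served when the PXE server is set to respond to known clients. The CSV columns, the -DryRun switch, the constructed sample rows, and the assumption that WDSUTIL accepts a UUID in dashed form and a MAC address as six dash-separated octets are mine.

```powershell
# Added example (not from the handbook): prestage WDS client devices from a CSV.
# Each identifier is normalized into the form passed to WDSUTIL /ID before the
# command runs; rows with an unrecognizable identifier are reported, not sent.
param(
    [string]$CsvPath,   # optional real inventory file; otherwise the constructed sample is used
    [switch]$DryRun     # print the commands instead of invoking wdsutil.exe
)

# Constructed sample inventory (the last row is deliberately invalid).
$sampleCsv = @'
Name,Id
BRANCH-SVR-01,00-15-5D-01-02-03
BRANCH-SVR-02,0015.5d01.0204
BRANCH-SVR-03,{4C4C4544-0042-3410-8059-B2C04F4A4E31}
BRANCH-SVR-04,not-a-valid-id
'@

function ConvertTo-WdsDeviceId {
    # Normalizes a MAC address or UUID into a single canonical string (assumed formats).
    param([Parameter(Mandatory)][string]$Id)
    $hex = ($Id -replace '[{}\-\.:]', '').ToUpperInvariant()
    if ($hex -match '^[0-9A-F]{32}$') {
        # UUID: re-insert the dashes in 8-4-4-4-12 form.
        return '{0}-{1}-{2}-{3}-{4}' -f $hex.Substring(0, 8), $hex.Substring(8, 4),
            $hex.Substring(12, 4), $hex.Substring(16, 4), $hex.Substring(20, 12)
    }
    if ($hex -match '^[0-9A-F]{12}$') {
        # MAC address: insert a dash after every octet except the last.
        return $hex -replace '(..)(?!$)', '$1-'
    }
    throw "Unrecognized device identifier '$Id' (expected a MAC address or UUID)"
}

$inventory = if ($CsvPath) { Import-Csv -Path $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

$results = foreach ($row in $inventory) {
    try {
        $deviceId = ConvertTo-WdsDeviceId -Id $row.Id
    } catch {
        [pscustomobject]@{ Name = $row.Name; Id = $row.Id; Status = "Skipped: $($_.Exception.Message)" }
        continue
    }
    $arguments = @('/Add-Device', "/Device:$($row.Name)", "/ID:$deviceId")
    if ($DryRun) {
        $status = "Would run: wdsutil $($arguments -join ' ')"
    } else {
        & wdsutil.exe @arguments | Out-Null
        $status = if ($LASTEXITCODE -eq 0) { 'Prestaged' } else { "wdsutil failed (exit code $LASTEXITCODE)" }
    }
    [pscustomobject]@{ Name = $row.Name; Id = $deviceId; Status = $status }
}

$results | Format-Table -AutoSize
```

Run it with -DryRun first to review the generated commands; the prestaged names must then match the automatic naming format you configure on the AD DS tab.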

Automating Deployment

You can automate Windows Deployment Services deployments from end-to-end. You can use the Windows Deployment Services snap-in and Windows SIM to complete these tasks.

Configuring Transmission

Multicasting enables you to deploy an image to a large number of client computers without consuming excessive network bandwidth.

Consider enabling multicast transmissions if your organization:

• Anticipates many concurrent deployments.

• Has routers that support the propagation of multicasts; that is, routers that support the Internet Group Management Protocol (IGMP).

You can use the Windows Deployment Services snap-in or the WDSutil.exe command-line tool to manage multicast transmission. For example, to create a multicast transmission with Autocast, use the following command:

WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly name> /ImageType:Install /ImageGroup:<Image group name> /TransmissionType:AutoCast

To create a Scheduled-Cast transmission, use the following command:

WDSUTIL /New-MulticastTransmission /Image:<image name> /FriendlyName:<friendly name> /ImageType:Install /ImageGroup:<Image group name> /TransmissionType:ScheduledCast [/Time:<yyyy/mm/dd:hh:mm>][/Clients:<no of clients>]

Demonstration: How to Administer Images

This demonstration shows how to administer images. In this demonstration, this process will be broken down into the following four steps:

• Install and configure the Windows Deployment Services role.

• Add a boot image.

• Create a capture image.

• Add an install image.

Demonstration Steps

Install and configure the Windows Deployment Services role

1. Switch to the LON-SVR1 computer.

2. Open Server Manager.

3. Install the Windows Deployment Services server role with both role services.


4. In the Windows Deployment Services console, right-click LON-SVR1.Adatum.com, and then click Configure Server.

5. Use the following information to complete configuration:

o Integrate Windows Deployment Services with AD DS.

o On the Remote Installation Folder Location page, accept the defaults.

o Accept the System Volume Warning message.

o On the PXE Server Initial Settings page, select the Respond to all (known and unknown) client computers option.

o When prompted, choose not to add images to the server.

Add a boot image

1. Switch to LON-SVR1.

2. If necessary, open the Windows Deployment Services console.

3. Add a new boot image using the following information to complete the process:

o On the Image File page, use the file name: D:\sources\boot.wim.

o Accept the defaults on the Image Metadata page.

o Accept the defaults on the Summary page.

4. On the Task Progress page, click Finish.

Add an install image

1. If necessary, open Windows Deployment Services.

2. Add a new Image Group with the image group name of Windows Server 2012 R2.

3. Use the Add Image Wizard to add a new install image to this group. Use the following information to complete the process:

a. On the Image File page, use the following file name: D:\sources\install.wim

b. On the Available Images page, clear all check boxes except Windows Server 2012 R2 SERVERSTANDARDCORE.

c. Accept the defaults on the Summary page.

d. On the Task Progress page, click Finish.

4. Minimize the Windows Deployment Services window.


Automating Deployments

You can automate four phases during the Windows Deployment Services deployment process. These are:

• PXE Boot Policy. You can define how the PXE server responds to clients, and whether the installer is required to press the F12 key to connect to the Windows Deployment Services server and select a boot image. For example, the Always continue the PXE boot option ensures that the computer continues through the deployment process without any installer interaction.

• The default boot image. If you configure a default boot image, the installer will not be prompted to make a selection.

• The Windows Deployment Services screens. When the client computer uses the TFTP protocol to connect to the Windows Deployment Services server and select a boot image, the installer must then provide credentials and select an operating system image to install. You can create an Unattend.xml answer file to automate this phase.

• Windows Setup. You can customize the setup program so that, once the install image has been selected, either automatically or manually, the setup program will complete the installation process with no installer intervention. This is the same type of automation that you use to automate installations with the Windows ADK.

Use Windows SIM to create both types of answer files, and then use the Windows Deployment Services snap-in to associate the answer files with the required deployment phase.

Automate Client Unattend

Use the following procedure to associate an answer file for the client unattend deployment phase:

1. Create the Unattend.xml file in Windows ADK with settings appropriate to Windows Deployment Services.

2. Copy the file to the Windows Deployment Services server, and paste it into a folder under \RemoteInstall.

3. Open Windows Deployment Services.

4. View the Properties dialog box for the Windows Deployment Services server in the Windows Deployment Services console.

5. On the Client tab, enable unattended installation, and then select the answer file that you created earlier.


Sample Unattend Answer File for Windows Deployment Services Client Unattend

The following is a portion of a sample answer file that automates the Windows Deployment Services client Unattend phase:

<WindowsDeploymentServices>
  <Login>
    <WillShowUI>OnError</WillShowUI>
    <Credentials>
      <Username>Installer</Username>
      <Domain>Adatum.com</Domain>
      <Password>Pa$$w0rd</Password>
    </Credentials>
  </Login>
  <ImageSelection>
    <WillShowUI>OnError</WillShowUI>
    <InstallImage>
      <ImageName>Windows Server 2021</ImageName>
      <ImageGroup>Adatum Server Images</ImageGroup>
      <Filename>Install.wim</Filename>
    </InstallImage>
    <InstallTo>
      <DiskID>0</DiskID>
      <PartitionID>1</PartitionID>
    </InstallTo>
  </ImageSelection>
</WindowsDeploymentServices>
```
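The following added example (not course material) wraps a constructed client unattend file, modelled on the sample above but using the lab's image names, in a PowerShell function that reports what the file automates. The <Password> element is stored in clear text and the file is delivered to every client that boots, so the function also flags the account named there; the function name, the findings wording, and the sample file are mine.

```powershell
# Added example (not from the handbook): audit what a WDS client unattend file
# automates before publishing it under \RemoteInstall.
# Constructed sample: a complete unattend.xml carrying the WDS client section.
$sampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <WindowsDeploymentServices>
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Username>Installer</Username>
            <Domain>Adatum.com</Domain>
            <Password>Pa$$w0rd</Password>
          </Credentials>
        </Login>
        <ImageSelection>
          <WillShowUI>Always</WillShowUI>
          <InstallImage>
            <ImageName>Windows Server 2012 R2 SERVERSTANDARDCORE</ImageName>
            <ImageGroup>Windows Server 2012 R2</ImageGroup>
            <Filename>install.wim</Filename>
          </InstallImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </ImageSelection>
      </WindowsDeploymentServices>
    </component>
  </settings>
</unattend>
'@

function Get-WdsClientUnattendReport {
    # Parses the WindowsDeploymentServices section and returns a report object
    # with a Findings list describing anything that is not unattended or that
    # deserves a look before the file is published.
    param([Parameter(Mandatory)][string]$UnattendXml)
    [xml]$doc = $UnattendXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $wds = $doc.SelectSingleNode('//u:WindowsDeploymentServices', $ns)
    if (-not $wds) { throw 'No WindowsDeploymentServices section found; this file does not automate the client unattend phase.' }

    # Returns the text of a node below the WDS section, or $null when absent.
    $text = { param($XPath) $node = $wds.SelectSingleNode($XPath, $ns); if ($node) { $node.InnerText } }

    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($phase in 'Login', 'ImageSelection') {
        $ui = & $text "u:$phase/u:WillShowUI"
        if ($ui -notin 'OnError', 'Never') {
            $findings.Add("$phase/WillShowUI is '$ui': the installer will be prompted, so this phase is not unattended.")
        }
    }

    $domain   = & $text 'u:Login/u:Credentials/u:Domain'
    $username = & $text 'u:Login/u:Credentials/u:Username'
    $password = & $text 'u:Login/u:Credentials/u:Password'
    if ($password) {
        $findings.Add("Clear-text password for $domain\$username is stored in the file and sent to every booting client; give this account only the rights the deployment needs and keep the RemoteInstall folder readable by administrators only.")
    }

    $disk = & $text 'u:ImageSelection/u:InstallTo/u:DiskID'
    $part = & $text 'u:ImageSelection/u:InstallTo/u:PartitionID'
    if ($null -ne $disk) {
        $findings.Add("Target is fixed to disk $disk, partition $part, with no prompt; confirm this matches the branch hardware before approving pending devices.")
    }

    $imageGroup = & $text 'u:ImageSelection/u:InstallImage/u:ImageGroup'
    $imageName  = & $text 'u:ImageSelection/u:InstallImage/u:ImageName'
    [pscustomobject]@{
        Account    = "$domain\$username"
        ImageGroup = $imageGroup
        ImageName  = $imageName
        Target     = "Disk $disk, partition $part"
        Findings   = $findings.ToArray()
    }
}

Get-WdsClientUnattendReport -UnattendXml $sampleUnattend | Format-List
```

On the constructed sample, the report lists the ImageSelection prompt, the clear-text credential, and the fixed disk target as findings; to check a real file, pass (Get-Content -Raw <path>) instead of $sampleUnattend.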

Automate Windows Setup

To automate the Windows Setup process, use the following steps:

1. Create the unattend.xml file in Windows ADK, with settings appropriate to Windows Setup.

2. Copy the file to a suitable location on the Windows Deployment Services server.

3. In Windows Deployment Services, view the properties of the appropriate install image.

4. Enable the Allow image to install in unattended mode option, and then select the answer file that you created.

Demonstration: How to Configure Multicast Transmission

This demonstration shows how to configure multicast transmission.

Demonstration Steps

1. Open the Windows Deployment Services console on LON-SVR1.

2. Create a new multicast transmission by using the following information:

o Transmission name: Windows Server 2012 R2 Branch Servers

o Image group: Windows Server 2012 R2

o Image: Windows Server 2012 R2 SERVERENTERPRISECORE

o Multicast type: Autocast


Lab: Using Windows Deployment Services to Deploy Windows Server 2012

Scenario

A. Datum Corporation is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and data center are in London to support the head office and other branch locations. A. Datum has recently deployed a Windows Server 2012 R2 server and client infrastructure.

A. Datum is deploying servers to branch offices throughout the region for the Research department. Management selected you to automate this deployment. You suggest using Windows Deployment Services to deploy Windows Server 2012 R2 to the branch offices. Management has sent you some instructions by email regarding the deployment. You must read these instructions, and then install and configure Windows Deployment Services to support the deployment.

Objectives

After completing this lab, you will be able to:

• Install and configure Windows Deployment Services.

• Create operating system images using Windows Deployment Services.

• Configure custom computer naming.

• Deploy images with Windows Deployment Services.

Lab Setup

Estimated Time: 75 minutes

Virtual Machines: 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-SVR3

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-SVR1.

6. Do not start 20411C-LON-SVR3 until directed to do so.

Exercise 1: Installing and Configuring Windows Deployment Services

Scenario

To assist with the process of configuring Windows Deployment Services, you have received an email with the appropriate configuration information.


Branch Office Deployment Guide

• Requirements Overview. To configure Microsoft Windows Deployment Services to aid in the deployment of branch office servers.

• Additional Information. Deployment method: Automated standard image deployments.

• Configuration information:

o LON-SVR1 will host Windows Deployment Services.

o Configure multicast transmission to use Autocast.

o Configure automatic naming to identify branch servers.

o Place branch servers in the Research OU.

o Perform a Server Core installation.

The main tasks for this exercise are as follows:

1. Read the Supporting Documentation.

2. Install the Windows Deployment Services Role.

3. Configure Windows Deployment Services.

Task 1: Read the Supporting Documentation

• Read the supporting documentation in the exercise scenario to determine the deployment details.

Task 2: Install the Windows Deployment Services Role

1. Switch to the LON-SVR1 computer.

2. Open Server Manager.

3. Install the Windows Deployment Services server role with both role services.

4. Close Server Manager.

Task 3: Configure Windows Deployment Services

1. Open the Windows Deployment Services console.

2. Right-click LON-SVR1.Adatum.com, and then click Configure Server.

3. Use the following information to complete configuration:

a. Integrate Windows Deployment Services with AD DS.

b. On the Remote Installation Folder Location page, accept the defaults.

c. Accept the System Volume Warning message.

d. On the PXE Server Initial Settings page, select the Respond to all client computers (known and unknown) option.

e. When prompted, choose not to add images to the server.

Results: After completing this exercise, you will have installed and configured Windows® Deployment Services (Windows DS) to deploy the Windows Server® 2012 operating system.


Exercise 2: Creating Operating System Images with Windows Deployment Services

Scenario

Windows Deployment Services is installed and configured successfully. You now must create various operating-system images to aid deployment.

The main tasks for this exercise are as follows:

1. Insert the Windows Server 2012 R2 Installation Media in LON-SVR1.

2. Add a Boot Image.

3. Add an Install Image.

Task 1: Insert the Windows Server 2012 R2 Installation Media in LON-SVR1

1. On the host computer, open Hyper-V Manager.

2. Open the Settings page for 20411C-LON-SVR1.

3. Select the DVD Drive, and attach the International Organization for Standardization (ISO) file located at D:\Program Files\Microsoft Learning\20411\Drives\Windows2012R2.iso.

Task 2: Add a Boot Image

1. Switch to LON-SVR1.

2. If necessary, open the Windows Deployment Services console.

3. Add a new boot image using the following information to complete the process:

o On the Image File page, use the file name: D:\sources\boot.wim.

o Accept the defaults on the Image Metadata page.

o Accept the defaults on the Summary page.

4. On the Task Progress page, click Finish.

Task 3: Add an Install Image

1. If necessary, open Windows Deployment Services.

2. Add a new Image Group with the image group name of Windows Server 2012 R2.

3. Use the Add Image Wizard to add a new install image to this group. Use the following information to complete the process:

a. On the Image File page, use the following file name: D:\sources\install.wim

b. On the Available Images page, clear all check boxes except Windows Server 2012 R2 SERVERSTANDARDCORE.

c. Accept the defaults on the Summary page.

d. On the Task Progress page, click Finish.

Results: After completing this exercise, you will create an operating system image with Windows Deployment Services.


Exercise 3: Configuring Custom Computer Naming

Scenario

To automate computer naming, you must configure the custom naming properties for Windows Deployment Services according to the requirements sent to you by management. This also involves configuring delegation on the Active Directory OU that will contain the computer accounts. Administrator approval is required, so you must also configure that.

The main tasks for this exercise are as follows:

1. Configure Automatic Naming.

2. Configure Administrator Approval.

3. Configure Active Directory® Domain Services (AD DS) Permissions.

Task 1: Configure Automatic Naming

1. In Windows Deployment Services, view the properties of LON-SVR1.Adatum.com.

2. On the AD DS tab, use the following information to configure automatic naming:

o Format: BRANCH-SVR-%02#

o Computer Account Location: Research OU

Task 2: Configure Administrator Approval

1. In Windows Deployment Services, view the properties of LON-SVR1.Adatum.com.

2. On the PXE Response tab, select Require administrator approval for unknown computers, and change the PXE Response Delay to 3 seconds.

3. Open Windows PowerShell, and then type the following command to create a message for installers to view while awaiting admin approval:

WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Adatum administrator is authorizing this request. Please wait."

4. Close the command prompt window.

Task 3: Configure Active Directory® Domain Services (AD DS) Permissions

1. Switch to the LON-DC1 computer, and open Active Directory Users and Computers.

2. Right-click the Research organizational unit (OU), and use the Delegate Control Wizard to delegate the LON-SVR1 computer account the ability to create computer objects in the OU. Use the following information to help:

a. Tasks to delegate: Create a custom task to delegate

b. On the Active Directory Object Type page, click Only the following objects in the folder, select the Computer objects check box, and select the Create selected objects in this folder check box.

c. On the Permissions page, in the Permissions list, select the Full Control check box.

Results: After completing this exercise, you will have configured custom computer naming.


Exercise 4: Deploying Images with Windows Deployment Services

Scenario

You have provided instructions for a branch supervisor to initiate the installation process on the branch office server computer. The installation now will occur.

The main tasks for this exercise are as follows:

1. Configure a Windows Deployment Services Server for Multicast Transmission.

2. Configure the Client for PXE Booting.

3. To Prepare for the Next Module.

Task 1: Configure a Windows Deployment Services Server for Multicast Transmission

1. Switch to the LON-SVR1 computer.

2. Create a new multicast transmission using the following information to complete the process:

o Transmission name: Windows Server 2012 Branch Servers

o Image group: Windows Server 2012 R2

o Image: Windows Server 2012 R2 SERVERSTANDARDCORE

o Multicast type: Autocast

Task 2: Configure the Client for PXE Booting

1. On the host computer, switch to Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-SVR3, and then click Settings.

3. In the Settings for 20411C-LON-SVR3 dialog box, click BIOS.

4. In the results pane, click Legacy Network adapter.

5. Use the arrows to move Legacy Network adapter to the top of the list, and then click OK.

6. In Hyper-V Manager, click 20411C-LON-SVR3, and in the Actions pane, click Start.

7. In the Actions pane, click Connect.

8. When the computer reboots, note the PXE Dynamic Host Configuration Protocol notice. When prompted, press F12 for Network Boot.

o Question: Do you see the admin approval message?

9. Switch to the LON-SVR1 computer.

10. In Windows Deployment Services, click Pending Devices.

11. Right-click the pending request, and then click Approve.

12. In the Pending Device dialog box, click OK.

13. Switch to the LON-SVR3 computer.

o Question: Which image is the default?

o Question: Does setup start?

14. You do not have to continue setup.


Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. Right-click 20411C-LON-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR3 and 20411C-LON-SVR1.

Results: After completing this exercise, you will have deployed an image with Windows Deployment Services.

Question: How do you use Windows Deployment Services in your organization?

Question: For what two categories of image do you need to use Windows Deployment Services to deploy an operating system to a computer over the network?

Question: How can you avoid name conflicts when deploying an operating system to multiple computers in the same transmission?


Module Review and Takeaways

Review Question(s)

Question: Windows Deployment Services supports two types of multicast transmission. Which type is suitable for minimizing total network traffic during deployment to a fixed number of clients?

Question: How is Windows ADK useful with Windows Deployment Services deployments?

Question: What steps are necessary to automate the end-to-end deployment process?

Tools

Tool                                  What it is used for                                       Where to find it
Windows Deployment Services console   Administering Windows Deployment Services                 Server Manager - Tools
WDSutil.exe                           Command-line management of Windows Deployment Services    Command line
Windows ADK                           Managing image files and creating answer files            Download from Microsoft.com
Dism.exe                              Offline and online servicing of images                    Windows ADK
Netsh.exe                             Command-line tool for managing network-related settings   Command line


Module 12 Implementing Update Management

Contents:

Module Overview 12-1

Lesson 1: Overview of WSUS 12-2

Lesson 2: Deploying Updates with WSUS 12-9

Lab: Implementing Update Management 12-15

Module Review and Takeaways 12-19

Module Overview

Windows Server® Update Services (WSUS) improves security by applying security updates to Microsoft computers in a timely way. It provides the infrastructure to download, test, and approve security updates. Applying security updates quickly helps prevent security incidents that are a result of known vulnerabilities. While implementing WSUS, you must keep in mind the hardware and software requirements for WSUS, the settings to configure, and the updates to approve or remove according to your organization’s needs.

Objectives

After completing this module, you will be able to:

• Describe the role of WSUS.

• Describe the WSUS update management process.

• Deploy updates with WSUS.


Lesson 1 Overview of WSUS

The WSUS role provides a central management point for updates to your computers running the Windows® operating system. By using WSUS, you can create a more efficient update environment in your organization, and stay better informed of the overall update status of the computers on your network. This lesson introduces you to WSUS, and describes the key features of the WSUS server role.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe WSUS.

• Explain the WSUS update management process.

• Identify the server requirements for WSUS.

What Is WSUS?

WSUS is a server role included in the Windows Server 2012 operating system that downloads and distributes updates to Windows clients and servers. WSUS can obtain updates that are applicable to the operating system and common Microsoft applications such as Microsoft® Office and Microsoft SQL Server®.

In the simplest configuration, a small organization can have a single WSUS server that downloads updates from Microsoft Update. The WSUS server then distributes the updates to computers that are configured to obtain automatic updates from the WSUS server. You must approve the updates before clients can download them.

Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the centralized WSUS server.

You can organize computers into groups to simplify the approval of updates. For example, you can configure a pilot group to be the first set of computers that are used for testing updates.

WSUS can generate reports to help monitor update installation. These reports can identify which computers have not applied recently approved updates. Based on these reports, you can investigate why updates are not being applied.


WSUS Server Deployment Options

Before installing and configuring WSUS servers, you must consider how to deploy WSUS in your environment. WSUS implementations vary in size and configuration depending on your network environment and how you want to manage updates. You can have a single WSUS server for your entire organization, multiple WSUS servers acting independently, or multiple WSUS servers connected to each other in a hierarchy.

Single WSUS Server

The most basic implementation of WSUS uses a single WSUS server, inside your network, connecting to Microsoft Update to download updates through a firewall. In some scenarios you may even use a proxy server between the WSUS server and the Internet. In this scenario, the WSUS server uses port 8530 for HTTP communication, and port 8531 for HTTPS. You need to make sure your firewall has the necessary rules needed to allow the server to connect to Microsoft Update. This basic scenario is commonly used for small networks, with a single physical location.

Multiple WSUS Servers

If your environment is composed of several isolated physical locations, you may need to implement a WSUS server in each location. When you implement a WSUS server in each location, you can manage each individual server independently. You can think of this scenario as a single WSUS server per physical location. Although this is a valid option, it requires substantially more administrative effort, especially as the number of physical locations grows. You must download updates to each server separately, approve updates on each server individually, and manage WSUS clients so that they receive updates from the correct WSUS server. In this scenario, each WSUS server has its own connection to the Internet to download updates from Microsoft Update.

You can have individual WSUS servers for organizations that have a small number of physical locations, where each physical location has its own Information Technology (IT) management team. You can also use this scenario for a single physical location that has too many clients to be managed by a single WSUS server, and place the WSUS servers in a network load balancing cluster.

Additional Reading: For more information about capacity for WSUS servers, visit http://go.microsoft.com/fwlink/?LinkID=331173.

Disconnected WSUS Servers

A disconnected WSUS server is a server that does not connect to Microsoft Update over the Internet or receive its updates from any other server in the network. Instead, this server receives its updates from removable media generated on another WSUS server.

A disconnected WSUS server is commonly used in remote environments where Internet connectivity is scarce or extremely expensive. You can use a WSUS server in a different location to synchronize with Microsoft Update, export the updates to portable media, and then ship the portable media to the remote location to be imported into the disconnected WSUS server.

WSUS Server Hierarchies

All the scenarios we have discussed so far deal with an independently managed WSUS server that connects directly to Microsoft Update or receives its updates in a disconnected manner. However, in larger organizations with multiple physical locations, you may want to have the ability to synchronize with Microsoft Update on one server. You might also want to push the updates to servers in different locations over your network, and approve updates from a single location.

WSUS server hierarchies allow you to:

• Download updates to servers that are closer to clients, for instance, in branch offices.

• Download updates once, to a single server, and then replicate the updates over your network to other servers.

• Separate WSUS servers based on the language used by their clients.

• Scale WSUS for a large organization that has more client computers than a single WSUS server can manage.

In a WSUS server hierarchy, there are two types of servers:

• Upstream servers. Upstream servers connect directly to Microsoft Update to retrieve updates, or are disconnected and receive updates by using portable media.

• Downstream servers. Downstream servers receive updates from a WSUS upstream server.

Downstream servers can be configured in two modes:

• Autonomous mode. Autonomous mode, or distributed administration, allows a downstream server to retrieve updates from an upstream server, but maintain administration of the updates locally. In this scenario, the downstream server maintains its own set of computer groups, and updates can be approved independently of approval settings in the upstream servers. This allows a different group of administrators to manage updates at their locations, and only use the upstream server as a source for downloading updates.

• Replica mode. Replica mode, or centralized administration, allows a downstream server to receive updates, computer group membership information, and approvals from an upstream server. In this scenario, a single group of administrators is able to manage updates for the entire organization. In addition, downstream servers can be placed in different physical offices and receive all updates and management data from an upstream server.

You can have multiple layers in your WSUS hierarchy, and some of your downstream servers may be configured by using autonomous mode, while others may use replica mode. For instance, you can have a single upstream server connected to Microsoft Update downloading updates for your entire organization. Then you can have two downstream servers in autonomous mode, one that manages updates for all computers running software in English, and another for all computers running software in Spanish. Finally, you can have another set of downstream servers receiving their updates from the middle-tier WSUS servers, configured in replica mode. These are the actual servers that clients receive updates from, but all the management is done at the middle tier.

Note: Downstream servers can be configured to download update information, or metadata, from an upstream server, but to download the actual updates from Microsoft Update. This is a common scenario where the downstream servers have good Internet connectivity and you want to reduce wide area network (WAN) traffic.
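As an added example (not course material), the following PowerShell script configures the local WSUS server as a downstream replica that takes metadata, computer groups and approvals from an upstream server while pulling update content from Microsoft Update, the scenario described in the note. It uses the configuration object returned by the UpdateServices module's Get-WsusServer cmdlet; the upstream server name is a placeholder and the Get-WsusHierarchyRole helper is mine.

```powershell
# Added example (not from the handbook): place this server in a WSUS hierarchy
# as a replica-mode downstream server and report the resulting role.
param(
    [string]$UpstreamServer = 'WSUS-HQ.adatum.example',   # placeholder: your upstream WSUS server
    [int]$UpstreamPort = 8531,                            # 8531 = HTTPS, 8530 = HTTP
    [switch]$ContentFromMicrosoftUpdate                   # metadata from upstream, binaries from MU
)
Import-Module UpdateServices

function Get-WsusHierarchyRole {
    # Describes where a server sits in the hierarchy from its configuration object.
    param([Parameter(Mandatory)]$Config)
    if ($Config.SyncFromMicrosoftUpdate) { return 'Upstream server (synchronizes with Microsoft Update)' }
    $mode = if ($Config.IsReplicaServer) { 'replica mode (centralized administration)' } else { 'autonomous mode (distributed administration)' }
    $content = if ($Config.GetContentFromMU) { 'content from Microsoft Update' } else { 'content from the upstream server' }
    $transport = if ($Config.UpstreamWsusServerUseSsl) { 'HTTPS' } else { 'HTTP' }
    return "Downstream server in $mode; $content; upstream $($Config.UpstreamWsusServerName):$($Config.UpstreamWsusServerPortNumber) over $transport"
}

$wsus   = Get-WsusServer             # connects to the local WSUS server
$config = $wsus.GetConfiguration()
"Before: $(Get-WsusHierarchyRole -Config $config)"

$config.SyncFromMicrosoftUpdate      = $false
$config.UpstreamWsusServerName       = $UpstreamServer
$config.UpstreamWsusServerPortNumber = $UpstreamPort
$config.UpstreamWsusServerUseSsl     = ($UpstreamPort -eq 8531)
$config.IsReplicaServer              = $true
$config.GetContentFromMU             = [bool]$ContentFromMicrosoftUpdate
$config.Save()

# Re-read the stored configuration rather than trusting the in-memory object.
$config = $wsus.GetConfiguration()
"After:  $(Get-WsusHierarchyRole -Config $config)"
if (-not $config.UpstreamWsusServerUseSsl) {
    Write-Warning 'Approvals and update metadata will reach this server over plain HTTP (port 8530); use port 8531 with a certificate on the upstream server.'
}
```

Run with -ContentFromMicrosoftUpdate to get the WAN-saving arrangement from the note; omit it when the downstream server should receive binaries from the upstream server as well.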


WSUS Database

WSUS stores information about updates, computer groups, and approvals in a database. WSUS can use two types of databases:

• Windows Internal Database. This is the default setting for a WSUS database. When you deploy WSUS by using a Windows Internal Database, a file named SUSDB.mdf is created to store the data used by WSUS in the %windir%\wid\data folder. We recommend this scenario for:

o Environments with a single WSUS server that do not require network load balancing.

o Environments with multiple independent WSUS servers in different physical locations.

• SQL Server database. If you already have SQL Server available in your environment, you can use it to store the data used by WSUS. You can use SQL Server tools to access the WSUS database directly for database management and reports purposes. SQL Server is also necessary for the following scenarios:

o Environments that require a WSUS network-load-balancing cluster.

o Environments that require database administrators (DBAs) to manage all databases used by the organization.

The WSUS Update Management Process

The update management process allows you to manage and maintain WSUS and the updates retrieved by WSUS. This process is a continuous cycle during which you can reassess and adjust the WSUS deployment to meet changing needs. The four phases in the update management process are:

• Assess

• Identify

• Evaluate and plan

• Deploy

The Assess Phase

The goal of the assess phase is to set up a production environment that supports update management for routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the most efficient topology for scaling the WSUS components. As your organization changes, you might identify the need to add more WSUS servers in different locations.

The Identify Phase During the identify phase, you identify new updates that are available and determine whether they are relevant to your organization. You have the option to configure WSUS to retrieve all updates automatically, or to retrieve only specific types of updates. WSUS also identifies which updates are relevant to registered computers.

The Evaluate-and-Plan Phase After relevant updates have been identified, you need to evaluate whether they work properly in your environment. It is always possible that the specific combination of software in your environment might have problems with an update.

To evaluate updates, you should have a test environment in which you can apply updates to verify proper functionality. During this time, you might identify dependencies that are required for an update to function properly, and you can plan any changes that you need to make. You can achieve this by using one or more computer groups for testing purposes. For instance, you may have a computer group with client computers that run all the operating systems and applications that are updated by using WSUS, and another computer group for servers that run the different applications and operating systems that are updated by WSUS. Before you deploy updates to the entire organization, push them to these computer groups, test them, and after making sure they work as expected, deploy them to the rest of the organization.

The Deploy Phase

After you have thoroughly tested an update and determined any dependencies, you can approve it for deployment in the production network. Ideally, you should approve the update for a pilot group of computers before approving the update for the entire organization. You can also configure WSUS to use automatic updates. Automatic updates are discussed in the next lesson.

Server Requirements for WSUS

You can use Server Manager to install and configure the WSUS server role. However, to be able to implement WSUS, your server must meet some minimum hardware and software requirements.

The following software is required for WSUS:

• Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 Service Pack 1 (SP1) or newer, Windows Server 2003 SP1 or newer, Windows Small Business Server 2008, or Windows Small Business Server 2003

• Internet Information Services (IIS) 6.0 or newer

• Microsoft .NET Framework 2.0 or newer

• Microsoft Management Console (MMC) 3.0

• Microsoft Report Viewer Redistributable 2008 or newer

• SQL Server 2012, SQL Server 2008, SQL Server 2005 SP2, or Windows Internal Database

The minimum hardware requirements for WSUS are approximately the same as the minimum hardware requirements for Windows Server operating systems. However, you must consider disk space as part of your deployment. A WSUS server requires about 10 gigabytes (GB) of disk space, and you should allocate at least 30 GB of disk space for the downloaded updates. A WSUS server should also have a 1.4-gigahertz (GHz) or faster x64 processor and at least 2 GB of random access memory (RAM).

A single WSUS server can support thousands of clients. For example, a single WSUS server with 4 GB of RAM and dual quad-core CPUs can support up to 100,000 clients. However, in most cases, an organization with that many clients will likely have multiple WSUS servers to reduce the load on WAN links.

Configuring Clients to Use WSUS

You can configure computers to use a WSUS server instead of defaulting to Windows Update either by using a Group Policy Object (GPO) or by manually changing the settings on each individual computer. We recommend using a GPO because it is the easiest way to configure clients consistently. To create a GPO that configures computers to use a WSUS server, use the following steps:

1. Open Server Manager on a domain controller, and, from the Tools menu, click Group Policy Management.

2. In the Group Policy Management window, in the navigation pane, expand your forest, right-click your domain, and then click Create a GPO in this domain, and Link it here…

Note: Depending on your WSUS environment, you may need to create different GPOs for different sites, instead of a single GPO for the entire domain.

3. In the New GPO dialog box, in the Name textbox, type a name for your GPO, and then click OK.

4. Right-click the GPO you just created, and then click Edit.

5. In Group Policy Management Editor, expand Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Update.

6. In the details pane, double click Configure Automatic Updates.

7. In the Configure Automatic Updates dialog box, select Enabled.

8. Select Auto download and notify for install if you want the client to automatically download any update required by the computer and notify the end-user that an update will occur, and then click OK.

9. In the details pane, double-click Specify intranet Microsoft update service location.

10. In the Specify intranet Microsoft update service location dialog box, select Enabled.

11. In the Intranet update service textbox, type the URL for the WSUS server followed by the port you want to use. For instance, if the server is named LON-SVR1 and you are using HTTP, the URL would be http://LON-SVR1:8530.

12. In the Intranet statistics server textbox, type the same WSUS server URL that you typed in step 11, and then click OK.

13. Close the Group Policy Editor.
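The same GPO, built from Windows PowerShell instead of the editor. This is an added example and not part of the course text; it assumes the GroupPolicy module (installed with the Group Policy Management feature) on a domain controller for the Adatum.com domain, the WSUS server LON-SVR1 on HTTP port 8530 as in step 11, and a hypothetical GPO name.

```powershell
# Added example, not part of the course text: builds the WSUS client GPO that steps 1 to 13
# above create by hand, using the GroupPolicy module. Assumptions: run on a domain
# controller (or any machine with the Group Policy Management feature) as a user who may
# create and link GPOs; the domain is Adatum.com; the WSUS server is LON-SVR1 on HTTP
# port 8530, as in step 11. The GPO name is hypothetical.
Import-Module GroupPolicy

$GpoName    = 'WSUS Clients'
$LinkTarget = 'DC=Adatum,DC=com'                     # the domain, as in step 2
$WsusUrl    = 'http://LON-SVR1:8530'                  # server and port from step 11
$WuKey      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey      = "$WuKey\AU"

# Create the GPO once and link it; rerunning the script only rewrites the values.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = $null }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Points Windows Update clients at the intranet WSUS server'
    New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null
}

# Steps 9 to 12: "Specify intranet Microsoft update service location", with the same URL
# for the update server and the statistics server.
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName UseWUServer    -Type DWord  -Value 1        | Out-Null

# Steps 6 to 8: "Configure Automatic Updates" = Enabled, option 3 (auto download and notify
# for install). Other AUOptions values: 2 = notify before download, 4 = auto download and
# schedule the install, 5 = allow the local administrator to choose.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName AUOptions    -Type DWord -Value 3 | Out-Null

# Read the values back; the output should match what Group Policy Management Editor shows.
Get-GPRegistryValue -Name $GpoName -Key $WuKey | Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $AuKey | Select-Object ValueName, Value
```

On a client, run gpupdate /force and then wuauclt.exe /detectnow to pick the policy up without waiting for the next refresh. In production, once WSUS has been configured for SSL, point WUServer and WUStatusServer at the HTTPS listener (port 8531 by default) so that clients verify the identity of the server they accept approval metadata from.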

Once Windows Update is configured on the WSUS clients, the Windows Update Agent service will run continuously on the clients. The agent is responsible for retrieving updates from WSUS and deploying those updates.

Scheduling Windows 8 Updates

Microsoft introduced a feature in Windows 8 (and Windows Server 2012) named Automatic Maintenance. Automatic Maintenance reduces the usage of system resources because it eliminates the need for the Windows Update Agent to run constantly in the background. Instead, Automatic Maintenance uses a scheduled task that runs nightly by default. Automatic Maintenance performs several maintenance activities, such as hard drive defragmentation, running antivirus scans, and installing updates.

Note: To take advantage of the Automatic Maintenance feature in Windows 8 and Windows Server 2012 and newer operating systems, configure your GPO to download updates from WSUS, but not to automatically install updates.

When you use Automatic Maintenance, the scheduled task runs nightly and downloads all updates available to the client, along with any deadlines set for the computer. All updates are then offered to the end-user. If a deadline is set for a time the automatic maintenance task is not scheduled to run, the Windows Update Agent is scheduled to run at the time of the deadline to ensure the update is installed.

Lesson 2 Deploying Updates with WSUS

This lesson explains the specifics of deploying updates with WSUS to client computers. Deploying updates to Windows Update clients through WSUS can provide numerous benefits. You can configure updates to be downloaded, approved, and installed automatically, without the input of an administrator. Alternatively, you can exercise more control over the update process and provide a controlled environment in which to deploy updates. You can perform testing on an isolated test computer group before approving an update for deployment in your entire organization.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how to administer WSUS.

• Identify computer groups in WSUS.

• Describe the options for approving WSUS updates.

• Describe how to configure the Automatic Updates feature to use WSUS.

• Deploy updates by using WSUS.

• View WSUS reports.

• Troubleshoot WSUS.

WSUS Administration

The WSUS administration console is an MMC snap-in that you can use to administer WSUS. You can use this tool to:

• Identify and download updates.

• Approve updates for deployment.

• Organize computers into groups.

• Review the update status of computers.

• Generate reports.

Monitoring is an essential part of maintaining a service. WSUS logs detailed health information to the event log. In addition, you can download a management pack to facilitate monitoring in Microsoft System Center 2012 Operations Manager (Operations Manager).

Controlling Updates on Client Computers

Client computers perform updates according to either manual configuration or, in most Active Directory® Domain Services (AD DS) environments, Group Policy. In some cases, you might want to initiate the update process outside of the normal update schedule. You can use the wuauclt.exe tool to control the auto-update behavior on Windows Update client computers. The following command initiates detection of available updates from the update source the client is configured to use (the WSUS server, or Microsoft Update if no intranet server is specified):

Wuauclt.exe /detectnow

Administration with Windows PowerShell®

In Windows Server 2012, WSUS includes Windows PowerShell cmdlets that you can use to manage your WSUS server. The following table lists these cmdlets.

Cmdlet                          Description
Add-WsusComputer                Adds a specified client computer to a specified target group.
Approve-WsusUpdate              Approves an update to be applied to clients.
Deny-WsusUpdate                 Declines the update for deployment.
Get-WsusClassification          Gets the list of all WSUS classifications currently available in the system.
Get-WsusComputer                Gets the WSUS computer object that represents the client computer.
Get-WsusProduct                 Gets the list of all products currently available on WSUS by category.
Get-WsusServer                  Gets the WSUS update server object.
Get-WsusUpdate                  Gets the WSUS update object with details about the update.
Invoke-WsusServerCleanup        Performs the cleanup process on a specified WSUS server.
Set-WsusClassification          Sets whether the classifications of updates that WSUS synchronizes are enabled or disabled.
Set-WsusProduct                 Sets whether the product representing the category of updates to synchronize is enabled or disabled.
Set-WsusServerSynchronization   Sets whether the WSUS server synchronizes from Microsoft Update or from an upstream server, and sets the upstream server properties.
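A worked example of the Set-* and Get-* cmdlets in the table, configuring a downstream server the way the lab's LON-SVR4 is configured through the wizard. This is an added example and not part of the course text; the upstream server name and port, and the product and classification titles, are illustrative and need to match your environment.

```powershell
# Added example, not part of the course text: configures the local WSUS server's
# synchronization source and its product and classification filters with the cmdlets in
# the table, then starts a synchronization through the API object that Get-WsusServer
# returns. Assumptions: run in an elevated Windows PowerShell session on the WSUS server
# (Windows Server 2012, UpdateServices module); the upstream server name, port and the
# product and classification titles are illustrative and should match your environment.
Import-Module UpdateServices

$wsus = Get-WsusServer        # local server; use -Name and -PortNumber for a remote one

# Downstream server: pull metadata from the head-office WSUS server on port 8530.
# A server that talks to Microsoft directly would use Set-WsusServerSynchronization -SyncFromMU.
Set-WsusServerSynchronization -UssServerName 'LON-SVR1.Adatum.com' -PortNumber 8530

# Synchronize only the products and classifications in use, so the catalogue and the
# approval list stay small.
$wantedProducts = 'Windows Server 2012', 'Windows 8'
$wantedClasses  = 'Critical Updates', 'Security Updates', 'Definition Updates'

Get-WsusProduct | ForEach-Object {
    if ($_.Product.Title -in $wantedProducts) { $_ | Set-WsusProduct }
    else                                      { $_ | Set-WsusProduct -Disable }
}
Get-WsusClassification | ForEach-Object {
    if ($_.Classification.Title -in $wantedClasses) { $_ | Set-WsusClassification }
    else                                            { $_ | Set-WsusClassification -Disable }
}

# Start a synchronization and wait for it to finish. GetSubscription() returns the
# ISubscription object of the Microsoft.UpdateServices.Administration API.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
Start-Sleep -Seconds 10
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 30
}
$subscription.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result

# Housekeeping from the last row of the table; -WhatIf only reports what would be removed.
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -WhatIf
```

Limiting products and classifications is worth doing on every server, not only for disk space: every update that is never synchronized is one that can never be approved by mistake.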

What Are Computer Groups?

Computer groups are a way to organize the computers to which a WSUS server deploys updates. The two computer groups that exist by default are All Computers and Unassigned Computers. New computers that contact the WSUS server are assigned automatically to both of these groups.

You can create custom computer groups for controlling how updates are applied. Typically, custom computer groups contain computers with similar characteristics. For example, you might create a custom computer group for each department in your organization. You can also create a custom computer group for a test lab where you first deploy updates for testing. You would also typically group servers separately from client computers.

When you manually assign new computers to a custom computer group, it is called server-side targeting. You can also use client-side targeting to assign computers to a custom computer group. To use client-side targeting, you need to configure a registry key or GPO for the computer that specifies the custom computer group to be joined during initial registration with the WSUS server.

Server-side targeting enables administrators to manage WSUS computer group membership manually. This is useful when the AD DS structure (the OUs that a GPO can be linked to) does not line up with the computer groups you want, or when computers need to be moved between groups for testing or other purposes. Client-side targeting is used most commonly in large organizations where automated assignment is required and computers must land in specific groups without an administrator touching the WSUS console.

Approving Updates

The default configuration for WSUS does not automatically approve updates for application to computers. Although it is possible to automatically approve updates, it is not recommended. The best practice for approving updates is to first test updates in a lab environment, and then to test the updates in a pilot group, and only then to update the production environment. This process reduces the risk of an update causing an unexpected problem in your production environment. You would perform this process by approving updates for specific groups of computers before approving the update for the All Computers group.

Some updates are not considered critical and do not have any security implications. You might decide not to implement some of these updates. For any updates that you decide not to implement, you can decline the update. After an update is declined, it is removed from the list of updates on the WSUS server in the default view.

If you apply an update and find that it is causing problems, you can use WSUS to remove that update. However, the update can be removed only if that specific update supports removal. Most updates support removal.

When you look at the details of an update, it will indicate if the update is superseded by another update. Superseded updates are typically no longer required, because a newer update includes the changes in this update as well. Superseded updates are not declined by default because, in some cases, they are still required. For example, the older update might be required if some servers are not running the latest service pack.
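The approval workflow this topic describes (pilot group first, declining superseded updates only when nothing still needs them, rolling back an update that misbehaves), as an added example driven by the WSUS cmdlets. It is not part of the course text; the pilot group name is illustrative and must already exist as a computer group, and the update ID in the last line is a placeholder.

```powershell
# Added example, not part of the course text: the staged approval workflow described
# above, driven by the WSUS cmdlets. Assumptions: run in an elevated Windows PowerShell
# session on the WSUS server; the pilot group name is illustrative and must already exist
# as a computer group; the update ID passed to Undo-UpdateDeployment is a placeholder.
Import-Module UpdateServices

function Approve-PilotUpdates {
    # Approve security and critical updates that computers still need, for the pilot
    # group only. Promote to further groups (and finally All Computers) after testing.
    param([string]$TargetGroup = 'Test Lab', [switch]$WhatIf)
    foreach ($class in 'Security', 'Critical') {
        Get-WsusUpdate -Classification $class -Approval Unapproved -Status FailedOrNeeded |
            Where-Object { -not $_.Update.IsSuperseded } |     # prefer the newer replacement
            Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -WhatIf:$WhatIf
    }
}

function Decline-UnneededSupersededUpdates {
    # WSUS does not decline superseded updates on its own because an older computer (for
    # example, one still without the latest service pack) may need them. Decline only
    # those that no reporting computer currently needs.
    param([switch]$WhatIf)
    Get-WsusUpdate -Approval AnyExceptDeclined -Status Any |
        Where-Object { $_.Update.IsSuperseded -and $_.ComputersNeedingThisUpdate -eq 0 } |
        Deny-WsusUpdate -WhatIf:$WhatIf
}

function Undo-UpdateDeployment {
    # Roll back a deployed update that causes problems. This only works for updates whose
    # package supports removal, which most updates do.
    param([Parameter(Mandatory)][guid]$UpdateId, [string]$TargetGroup = 'Test Lab')
    Get-WsusUpdate -UpdateId $UpdateId |
        Approve-WsusUpdate -Action Uninstall -TargetGroupName $TargetGroup
}

# Dry run first; drop -WhatIf to apply.
Approve-PilotUpdates -WhatIf
Decline-UnneededSupersededUpdates -WhatIf
# Undo-UpdateDeployment -UpdateId '00000000-0000-0000-0000-000000000000'   # placeholder ID
```

Run the approval function again with a wider target group (for example a departmental group, then All Computers) once the pilot computers report the updates as installed without errors.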

Configuring Automatic Updates

When you enable the Automatic Updates feature on a server, the default configuration automatically downloads updates from Microsoft Update and installs them. After you have implemented WSUS, your clients should be configured to obtain updates automatically from the WSUS server instead.

The location from which Automatic Updates obtains updates is controlled by a registry key. Although it is possible to configure the registry key manually by using the Regedit tool, this method is not recommended except when the computer is not in a domain. If a computer is in a domain, it is much more efficient to create a GPO that configures the registry key.

For AD DS environments, Automatic Updates are typically configured in a GPO by configuring the settings located under Computer Configuration. To locate the settings, expand Policies, expand Administrative Templates, expand Windows Components, and then locate the Windows Update node.

In addition to configuring the source for updates, you can also use a GPO to configure the following settings:

• Update frequency. This setting determines how often the updates are detected.

• Update installation schedule. This setting determines when updates are installed. When updates cannot be installed at the scheduled time, this setting also determines when updates are rescheduled for.

• Automatic restart behavior. This setting determines whether the computer will restart automatically if required to do so by an update.

• Default computer group in WSUS. This setting determines the computer group in which the computer will be registered during initial registration with WSUS.
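For a computer that is not a domain member, the registry key mentioned above has to be set by hand. The following added example (not part of the course text) writes the same policy values that the four GPO settings listed above control, and reads the effective configuration back; on a domain member, that read-back is a quick way to confirm which server and computer group the GPO actually applied. The WSUS URL and group name are illustrative.

```powershell
# Added example, not part of the course text: the Windows Update policy values that the
# GPO settings above control, written directly to the local policy registry key for a
# computer that is not in a domain, plus a read-back of the effective settings.
# Assumptions: run elevated on the client; the WSUS URL and group name are illustrative.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Set-LocalWsusPolicy {
    param(
        [Parameter(Mandatory)][string]$WsusUrl,   # e.g. http://LON-SVR1:8530
        [string]$TargetGroup,                      # client-side targeting group, optional
        [int]$AuOption = 4,                        # 4 = auto download and schedule the install
        [int]$InstallDay = 0,                      # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour = 3,                     # 0-23, local time
        [int]$DetectionHours = 22                  # detection frequency, 1-22 hours
    )
    New-Item -Path $WuKey -Force | Out-Null         # no-op if the keys already exist
    New-Item -Path $AuKey -Force | Out-Null

    # Update source ("Specify intranet Microsoft update service location")
    Set-ItemProperty -Path $WuKey -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path $AuKey -Name UseWUServer    -Value 1        -Type DWord

    # Installation schedule and automatic restart behaviour
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate                  -Value 0            -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions                     -Value $AuOption    -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay           -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime          -Value $InstallHour -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 1            -Type DWord

    # Update (detection) frequency
    Set-ItemProperty -Path $AuKey -Name DetectionFrequencyEnabled -Value 1               -Type DWord
    Set-ItemProperty -Path $AuKey -Name DetectionFrequency        -Value $DetectionHours -Type DWord

    # Default computer group in WSUS (client-side targeting)
    if ($TargetGroup) {
        Set-ItemProperty -Path $WuKey -Name TargetGroupEnabled -Value 1            -Type DWord
        Set-ItemProperty -Path $WuKey -Name TargetGroup        -Value $TargetGroup -Type String
    }
}

function Get-LocalWsusPolicy {
    # Returns the effective values. On a domain member they come from the GPO, so this
    # doubles as a check that the intended server and group were applied.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer             = $wu.WUServer
        WUStatusServer       = $wu.WUStatusServer
        UseWUServer          = $au.UseWUServer
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
        DetectionFrequency   = $au.DetectionFrequency
        TargetGroup          = $wu.TargetGroup
        UsesHttps            = [bool]($wu.WUServer -like 'https://*')
    }
}

Set-LocalWsusPolicy -WsusUrl 'http://LON-SVR1:8530' -TargetGroup 'Research'
Get-LocalWsusPolicy
# Ask the agent to pick up the change, detect updates and report status now:
wuauclt.exe /detectnow /reportnow
```

On a domain member these values are rewritten from the GPO at every policy refresh, which is why the text recommends the GPO rather than editing the registry.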

Demonstration: Deploying Updates by Using WSUS

In this demonstration, you will learn how to:

• Approve an update.

• Deploy an update.

Demonstration Steps

1. On LON-SVR1, open the Windows Server Update Services console.

2. Approve the Update for Microsoft Office 2013 (KB2727096), 32-bit Edition update.

WSUS Reporting

WSUS provides a series of reports you can use to manage your WSUS environment. Reports are divided into three categories:

• Update Reports. Shows reports related to the updates available in WSUS.

o Update Status Summary. Shows a summary of update status.

o Update Detailed Status. Shows details of each update status. Each page shows a single update, with a list of computers for that update.

o Update Tabular Status. Shows a summary of update status in a tabular view.

o Update Tabular Status for Approved Updates. Shows a summary of update status for approved updates in a tabular view.

• Computer Updates. Shows reports related to computers and computer groups managed by WSUS.

o Computer Status Summary. Shows a summary of computer status.

o Computer Detailed Status. Shows details of each computer status. Each page shows the updates for a single computer.

o Computer Tabular Status. Shows a summary of computer status in a tabular view.

o Computer Tabular Status for Approved Updates. Shows a summary of computer status for approved updates in a tabular view.

• Synchronization Updates. Shows reports related to synchronization of update data.

o Synchronization Results. Shows the results of the last synchronization.

Although you will be able to see these reports in the WSUS console right after installing WSUS, they will not be available until you configure your server to support viewing reports. To configure your server for reporting, execute the following steps:

1. Log on to the WSUS server by using an account with administrative rights.

2. From Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard window, in the Before you begin page, click Next.

4. In the Installation type page, click Next.

5. In the Select destination server page, click Next.

6. In the Server roles page, click Next.

7. In the Features page, select .NET Framework 3.5 features, and then click Next.

8. In the Confirmation page, click Specify alternate source path.

9. In the Specify Alternate Source Path page, in the Path textbox, type the path to the location containing the SxS files, and then click OK.

10. In the Confirmation page, click Install.

11. After the install is complete, in the Confirmation page, click Close.

12. From Server Manager, from the Tools menu, click Windows Server Update Services.

13. In the Update Services window, in the navigation pane, click Reports.

14. In the details pane, click any report.

15. In the Feature Unavailable dialog box, click Microsoft Report Viewer 2008 Redistributable.

16. In Internet Explorer, click Download.

17. In the pop-up dialog box in Windows Internet Explorer®, click Run.

18. In the Microsoft Report Viewer Redistributable 2008 SP1 Setup dialog box, click Next, and then click Finish.

WSUS Troubleshooting

Once your WSUS environment is configured and in use, you might find problems that must be dealt with. Some problems are very simple to handle, while others may require the use of special debugging tools. Here’s a list of common problems you may encounter when managing a WSUS environment:

• Computers not appearing in WSUS. This is usually caused by misconfiguration of the client computer, or the GPO being applied to the client computer.

• WSUS server stops with full database. When this happens, you will notice an SQL Server dump file (SQLDumpnnnn.txt) in the LOGS folder for SQL Server. This is usually due to index corruption in the database. You may need help from a SQL Server DBA to recreate indexes or you may simply need to re-install WSUS to fix the problem.

• You cannot connect to WSUS. Verify network connectivity. Ensure the client can connect to the ports used by WSUS (on Windows Server 2012, 8530 for HTTP and 8531 for HTTPS by default) by using the Telnet client utility.

• Other problems. Consider using the server diagnostics tool and the client diagnostics tool available from Microsoft.

You can download these tools from the following website http://go.microsoft.com/fwlink/?LinkID=331174

Note: The diagnostics tools are available from Microsoft as is, and are not supported tools. Make sure you view the readme.txt file for each tool before using them.
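Two checks for the first and third problems in the list, as an added example that is not part of the course text: a client-side reachability test that replaces the Telnet test and reads the configured server from the policy key instead of trusting what the administrator remembers, and a server-side list of computers that have stopped reporting. The 7-day threshold is a choice for this example, not a WSUS default.

```powershell
# Added example, not part of the course text: two checks for the first and third problems
# in the list above. Test-WsusEndpoint runs on a client in place of the Telnet test: it
# reads the WUServer policy value and opens a TCP connection to that host and port.
# Get-StaleWsusClients runs on the WSUS server and lists computers that have not reported
# status recently, which is what a misconfigured or unreachable client looks like from the
# server side. Assumptions: the 7-day threshold is a choice for this example, not a WSUS
# default; both functions need an elevated session.
function Test-WsusEndpoint {
    param([int]$TimeoutMs = 5000)
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    if (-not $wu.WUServer) {
        return [pscustomobject]@{ Server = $null; Port = $null; Reachable = $false;
                                  Note = 'No WUServer policy value; the client would use Microsoft Update' }
    }
    $uri = [uri]$wu.WUServer          # e.g. http://LON-SVR1:8530 -> host LON-SVR1, port 8530
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($ok) { $client.EndConnect($async) }
    } catch {
        $ok = $false
    } finally {
        $client.Close()
    }
    $note = if ($ok) { 'TCP connection succeeded' } else { 'TCP connection failed or timed out' }
    [pscustomobject]@{ Server = $uri.Host; Port = $uri.Port; Reachable = [bool]$ok; Note = $note }
}

function Get-StaleWsusClients {
    param([int]$Days = 7)
    Import-Module UpdateServices
    $cutoff = (Get-Date).AddDays(-$Days)
    # GetComputerTargets() is the IUpdateServer API method that returns every registered computer.
    (Get-WsusServer).GetComputerTargets() |
        Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
        Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime,
                      LastSyncResult, RequestedTargetGroupName |
        Sort-Object LastReportedStatusTime
}

Test-WsusEndpoint
# On the WSUS server: Get-StaleWsusClients -Days 7
```

A client that passes the TCP test but still does not appear in the console usually has the wrong WUServer value or a GPO that is not applying; the read-back of the policy key and gpresult /r, as used in the lab, are the next things to look at.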

Lab: Implementing Update Management

Scenario

A. Datum is a global engineering and manufacturing company with head office based in London, United Kingdom. An IT office and a data center are located in London to support the London location and other branch office locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

A. Datum has been manually applying updates to servers in a remote location. This has resulted in difficulty identifying which servers have updates applied and which do not. This is a potential security issue. You have been asked to automate the update process by extending A. Datum’s WSUS deployment to include the branch office.

Objectives

After completing this lab, you will be able to:

• Implement the WSUS server role.

• Configure update settings.

• Approve and deploy an update by using WSUS.

Lab Setup

Estimated Time: 60 minutes

Virtual machines: 20411C-LON-DC1, 20411C-LON-SVR1, 20411C-LON-SVR4, 20411C-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, on the Start screen, click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Perform steps 2 through 4 for 20411C-LON-SVR1, 20411C-LON-SVR4, and 20411C-LON-CL1.

Exercise 1: Implementing the WSUS Server Role

Scenario

Your organization already has a WSUS server called LON-SVR1, which is located in the head office. You need to install the WSUS server role on LON-SVR4 at a branch location. LON-SVR4 will use LON-SVR1 as the source for Windows Update downloads. The installation on LON-SVR4 will use the Windows Internal Database for the deployment.

The main tasks for this exercise are as follows:

1. Install the Windows Server® Update Services (WSUS) Server Role

2. Configure WSUS to Synchronize with an Upstream WSUS Server

Task 1: Install the Windows Server® Update Services (WSUS) Server Role

1. Log on to LON-SVR4 as Adatum\Administrator with a password of Pa$$w0rd.

2. From Server Manager, install the Windows Server Update Services role with the WID Database and WSUS Services Role Services. Also, configure the updates location as C:\WSUSUpdates.

3. Open the Windows Server Update Services console and complete the installation when prompted.

Task 2: Configure WSUS to Synchronize with an Upstream WSUS Server

1. On LON-SVR4, complete the Windows Server Update Services Configuration Wizard, specifying the following settings:

o Upstream Server: LON-SVR1.Adatum.com

o No proxy server

o Default languages

o Manual sync schedule

o Begin initial synchronization

2. In the Windows Server Update Services console, under Options, set Computers to Use Group Policy or registry settings on computers. You may need to wait until synchronization is complete before selecting this option.

Results: After completing this exercise, you should have implemented the WSUS server role.

Exercise 2: Configuring Update Settings

Scenario

You need to configure the Group Policy settings to deploy automatic WSUS settings to client computers. With the WSUS role configured on LON-SVR4, you must ensure that the Research Department has its own computer group in WSUS on LON-SVR4. You must also configure client computers in the Research organizational unit (OU) to use LON-SVR4 as their source for updates.

The main tasks for this exercise are as follows:

1. Configure WSUS Groups

2. Configure Group Policy to Deploy WSUS Settings

3. Verify the Application of Group Policy Settings

4. Initialize Windows Update

Task 1: Configure WSUS Groups

1. On LON-SVR4, if necessary, open the Windows Server Update Services console.

2. Create a new computer group named Research.

Task 2: Configure Group Policy to Deploy WSUS Settings

1. Switch to LON-DC1.

2. Open Group Policy Management.

3. Create and link a new GPO to the Research OU named WSUS Research.

4. Configure the following policy settings under the Windows Update node:

o Configure Automatic Updates: Auto download and schedule the install

o Microsoft Update service location: http://LON-SVR4.Adatum.com:8530

o Intranet statistics server: http://LON-SVR4.Adatum.com:8530

o Client-side targeting group: Research

5. Move LON-CL1 to the Research OU.

Task 3: Verify the Application of Group Policy Settings

1. Switch to LON-CL1.

2. Restart LON-CL1.

3. On LON-CL1, log on as Adatum\Administrator with a password of Pa$$w0rd.

4. Open a command prompt by using the Run as Administrator option.

5. At the command prompt, run the following command:

Gpresult /r

6. In the output of the command, confirm that, under Computer Settings, WSUS Research is listed under Applied Group Policy Objects.

Task 4: Initialize Windows Update

1. On LON-CL1, at the command prompt, type the following command, and then press Enter:

Wuauclt.exe /detectnow /reportnow

2. Switch to LON-SVR4.

3. In the Update Services console, expand Computers, then expand All Computers, and then click Research.

4. Verify that LON-CL1 appears in the Research Group. If it does not, then repeat steps 1-3. It may take several minutes for LON-CL1 to display.

5. Verify that updates are reported as needed. If updates are not reported, repeat steps 1-3. It may take 10-15 minutes for updates to register.

Results: After completing this exercise, you should have configured update settings for client computers.

Exercise 3: Approving and Deploying an Update by Using WSUS

Scenario

After you have configured the Windows Update settings, you can view, approve, and then deploy required updates. You have been asked to use LON-CL1 as a test case for the Research Department. You will approve, deploy, and verify an update on LON-CL1 to confirm the proper configuration of the WSUS environment.

The main tasks for this exercise are as follows:

1. Approve WSUS Updates for the Research Computer Group

2. Deploy Updates to LON-CL1

3. Verify Update Deployment to LON-CL1

4. To Prepare for the Next Module

Task 1: Approve WSUS Updates for the Research Computer Group

1. On LON-SVR4, open the WSUS console.

2. Approve the Update for Microsoft Office 2013 (KB2760267), 32-bit Edition update for the Research group.

Task 2: Deploy Updates to LON-CL1

1. On LON-CL1, at the command prompt, type the following command, and then press Enter:

Wuauclt.exe /detectnow

2. Open Windows Update and then check for updates.

3. Click Install to install the approved update.

Task 3: Verify Update Deployment to LON-CL1

1. On LON-CL1, open Event Viewer.

2. Navigate to Applications and Services Logs\Microsoft\Windows\WindowsUpdateClient\Operational, and view the events logged there.

3. Confirm that events are logged in relation to the update.

Task 4: To Prepare for the Next Module

When you finish the lab, revert all virtual machines back to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 to 3 for 20411C-LON-SVR1, 20411C-LON-SVR4, and 20411C-LON-CL1.

Results: After completing this exercise, you should have approved and deployed an update by using WSUS.

Module Review and Takeaways

Review Question(s)

Question: Your manager has asked if all updates to the Windows operating system should be applied automatically when they are released. Do you recommend an alternative process?

Question: Your organization implements several applications that are not Microsoft applications. A colleague has proposed using WSUS to deploy application and operating system updates. Are there any potential issues with using WSUS?

Question: Why is WSUS easier to manage in an Active Directory® Domain Services (AD DS) domain?

Tools

Tool                              Use                                              Where to find it
WSUS Administration console       Administer WSUS                                  Server Manager - Tools
Windows PowerShell WSUS cmdlets   Administer WSUS from the command-line interface  Windows PowerShell

Module 13 Monitoring Windows Server 2012

Contents:

Module Overview 13-1

Lesson 1: Monitoring Tools 13-2

Lesson 2: Using Performance Monitor 13-11

Lesson 3: Monitoring Event Logs 13-20

Lab: Monitoring Windows Server 2012 13-24

Module Review and Takeaways 13-30

Module Overview

Monitoring and troubleshooting processes are very important because they allow administrators to provide performance-optimized Information Technology (IT) infrastructures. Monitoring processes can improve your ability to identify, troubleshoot, and repair issues before end users experience them. By designing a comprehensive monitoring solution for your organization, you can reduce end-user problems and prevent potentially serious issues.

When a system failure or an event that affects system performance occurs, you must be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and components in the modern network environment, the ability to determine the root cause quickly often depends on having an effective performance-monitoring methodology and toolset. You can use performance-monitoring tools to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

After you deploy the Windows Server® 2012 operating system in your environment, you must make sure that it continues to run efficiently by maintaining a stable environment. This module describes how to monitor and troubleshoot a Windows Server 2012 environment.

Objectives

After completing this module, you will be able to:

• Describe the monitoring tools for Windows Server 2012.

• Use Performance Monitor to view and analyze performance statistics of programs that are running on your servers.

• Monitor event logs to view and interpret the recorded events.

Lesson 1 Monitoring Tools

Windows Server 2012 provides a range of tools to monitor an operating system and the applications on a computer. You can use these tools to configure your system for efficiency and troubleshoot problems. Small and medium sized organizations can use the monitoring tools in Windows Server 2012 to monitor their server infrastructure. However, enterprise organizations that deploy a more complex IT infrastructure will need a more complex monitoring and management solution, such as Microsoft® System Center 2012.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how Task Manager works.

• Describe the features of Performance Monitor.

• Describe the role of Resource Monitor.

• Describe Reliability Monitor.

• Describe Event Viewer.

• Describe how to monitor other servers with Server Manager.

Overview of Task Manager

Enhancements to Task Manager in Windows Server 2012 provide more information to help you identify and resolve performance-related issues. Task Manager includes the following tabs:

• Processes. The Processes tab displays a list of running programs, subdivided into applications and internal processes of the Windows® operating system. For each running process, this tab displays a summary of processor and memory usage.

• Performance. The Performance tab displays a summary of CPU usage, memory usage and network statistics.

• Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user view to see more detailed information about the specific processes that a user is running.

• Details. The Details tab lists all the running processes on the server, providing statistics about the CPU, memory, and consumption of other resources. You can use this tab to manage the running processes. For example, you can stop a process, stop a process and all related processes, and change a process’s priority value. By changing a process’s priority, you determine how much of the CPU’s resources the process can consume. By increasing the priority of a process, you allow the process to request more of the CPU’s resources.

• Services. The Services tab provides a list of the running Windows services and related information. This includes information about whether the service is running and the process identifier (PID) of the running service. You can start and stop services by using the list on the Services tab.

You might consider using Task Manager when a performance-related problem arises. For example, you might examine the running processes to determine if a particular program is using excessive CPU resources. Always remember that Task Manager shows a snapshot of current resource consumption, and that you may need to examine historical data to determine a true picture of a server’s performance and response under load.

Overview of Performance Monitor

Performance Monitor enables you either to view current performance statistics, or to view historical data that was gathered during a selected timeframe. With Windows Server 2012, you can monitor operating system performance through performance objects and counters in the objects. Windows Server 2012 collects the following types of data from counters in various ways:

• A real-time snapshot value.

• The total since the last computer startup.

• An average over a specific time interval.

• An average of last values.

• The number per second.

• A maximum value.

• A minimum value.

Performance Monitor provides you with a collection of objects and counters that record data about computer resource usage. There are many counters that you can research and consider monitoring to meet your specific requirements.

The three components of Performance Monitor you can use to view performance data are:

• Monitoring tools. Allows you to configure performance objects and counters to monitor performance data in real-time, or to store monitoring data in a log file or in a database.

• Data collector sets. Represents a custom set of performance counters for monitoring specific technologies such as Active Directory® Domain Services (AD DS) diagnostics, system diagnostics, and system performance.

• Reports. Each data collector set automatically creates performance reports. The reports include the performance data that was collected while the data collector set was running.

Primary Processor Counters

CPU counters are a feature of the computer’s CPU that stores the count of hardware-related events. The primary processor counters include:

• Processor > % Processor Time. This counter measures the percentage of elapsed time the processor spends executing a nonidle thread. If the percentage is greater than 85 percent, the processor is overwhelmed and the server may require a faster processor. In other words, this counter displays the percentage of elapsed processor time used by a given thread to run instructions. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. This count includes code that handles some hardware interrupts and trap conditions.

• Processor > Interrupts/sec. This counter displays the rate, in incidents per second, at which the processor received and serviced hardware interrupts.

• System > Processor Queue Length. This counter displays an approximate number of threads that each processor is servicing. If the value is more than two times the number of CPUs for an extended period, then it means that the server does not have enough processor power. The processor queue length, sometimes referred to as processor queue depth, that this counter reports is an instantaneous value that is representative only of a current snapshot of the processor. Therefore, you must observe this counter over an extended period to notice data trends. Additionally, the System > Processor Queue Length counter reports a total queue length for all processors, not a length for each processor.

Primary Memory Counters

The Memory performance object consists of counters that describe the behavior of the computer’s physical and virtual memory. Physical memory is the amount of random access memory (RAM) on the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory.

The Memory > Pages/sec counter measures the rate at which pages are read from or written to disk for resolving hard-page faults. If excessive paging results in a value that is greater than 1,000, there may be a memory leak. In other words, the Memory > Pages/sec counter displays the number of hard page faults per second. A hard page fault occurs when the requested memory page cannot be located in RAM because it exists currently in the paging file. An increase in this counter indicates that more paging is occurring, which in turn suggests a lack of physical memory.

Primary Disk Counters

The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks store file, program, and paging data. Disks are read to retrieve these items, and items are written to disks to record changes to them. The total values of physical disk counters are the total of all the values of the logical disks, or partitions, into which they are divided. The primary disk counters include:

• Physical Disk > % Disk Time. This counter indicates how busy a particular disk is, and it measures the percentage of time that the disk was busy during the sample interval. A counter approaching 100 percent indicates that the disk is busy nearly all of the time, and a performance bottleneck may be imminent. You may consider replacing the current disk system with a faster one.

• Physical Disk > Avg. Disk Queue Length. This counter indicates how many disk requests are waiting to be serviced by the I/O manager in Windows 7 at any given moment. If the value is larger than two times the number of spindles, it means that the disk itself may be the bottleneck. The longer the queue is, the less satisfactory the disk throughput.

Note: Throughput is the total amount of traffic that passes a given network-connection point for each unit of time. Workload is the amount of processing that the computer does at a given time.

Primary Network Counters

Most workloads require access to production networks to ensure communication with other applications and services, and to communicate with users. Network requirements include elements such as throughput and the presence of multiple network connections.

Workloads might require access to several different networks that must remain secure. Examples include connections for:

• Public network access.

• Networks for performing backups and other maintenance tasks.

• Dedicated remote-management connections.

• Network-adapter teaming for performance and failover.

• Connections to the physical host computer.

• Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network’s performance. The primary network counters include:

• Network Interface > Current Bandwidth. This counter indicates the current bandwidth being consumed on the network interface in bits per second (bps). Most network topologies have maximum potential bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths of 10 Mbps, 100 Mbps, 1 Gigabit per second (Gbps), and higher. To interpret this counter, divide the value given by 1,048,576 for Mbps. If the value approaches the network’s maximum potential bandwidth, you should consider implementing a switched network or upgrading to a network that supports higher bandwidths.

• Network Interface > Output Queue Length. This counter indicates the current length of the output packet queue on the selected network interface. A growing value, or one that is consistently higher than two, could indicate a network bottleneck, which you should investigate.

• Network Interface > Bytes Total/sec. This measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
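The following script is an added example, not part of the handbook, that samples the primary processor, memory, disk, and network counters named above with Get-Counter and applies the rules of thumb this topic gives for each one. It assumes Windows PowerShell 3.0 or later on the server being checked, rights to read performance counters, and a single-spindle disk (the $spindles value is an assumption to adjust for a RAID set).

```powershell
# Added example (not from the handbook): sample the primary counters listed in
# this topic and apply the thresholds the text describes to each one.
# Assumes Windows PowerShell 3.0+ and rights to read performance counters.

# Counter paths exactly as they appear in Performance Monitor.
$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Current Bandwidth',
    '\Network Interface(*)\Output Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

# Logical processor count drives the Processor Queue Length rule (more than
# 2 x CPUs for an extended period). The spindle count is hardware-specific:
# 1 is an assumed value for a single-disk server, so adjust it for a RAID set.
$cpuCount = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
$spindles = 1

# Task Manager shows a single snapshot; take several samples and average them
# so that a momentary spike is not mistaken for a sustained condition.
$sampleSets = Get-Counter -Counter $counterPaths -SampleInterval 5 -MaxSamples 6

$averages = $sampleSets |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.Name
            Average = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        }
    }

# One rule per counter, taken from the text. Returns a message when the
# threshold is crossed and nothing otherwise. Counter paths returned by
# Get-Counter are lowercase; -Wildcard matching is case-insensitive.
function Test-Threshold {
    param([string]$Path, [double]$Value)
    switch -Wildcard ($Path) {
        '*\% Processor Time'       { if ($Value -gt 85) { 'Processor {0:N1}% busy (> 85%)' -f $Value } }
        '*\Processor Queue Length' { if ($Value -gt 2 * $cpuCount) { 'Processor queue length {0:N1} (> 2 x {1} CPUs)' -f $Value, $cpuCount } }
        '*\Pages/sec'              { if ($Value -gt 1000) { '{0:N0} hard page faults/sec (> 1,000): check physical memory' -f $Value } }
        '*\% Disk Time'            { if ($Value -gt 90) { 'Disk {0:N1}% busy (approaching 100%)' -f $Value } }
        '*\Avg. Disk Queue Length' { if ($Value -gt 2 * $spindles) { 'Disk queue length {0:N1} (> 2 x {1} spindles)' -f $Value, $spindles } }
        '*\Output Queue Length'    { if ($Value -gt 2) { 'Output queue length {0:N1} (> 2)' -f $Value } }
    }
}

$findings = @(foreach ($a in $averages) {
    $message = Test-Threshold -Path $a.Path -Value $a.Average
    if ($message) { [pscustomobject]@{ Counter = $a.Path; Finding = $message } }
})

# Bytes Total/sec is in bytes but Current Bandwidth is in bits per second, so
# multiply by 8 before comparing. The text treats more than 70% as saturated.
$perNic = @{}
foreach ($a in $averages) {
    if ($a.Path -match '\\network interface\(([^)]+)\)\\(current bandwidth|bytes total/sec)$') {
        if (-not $perNic.ContainsKey($Matches[1])) { $perNic[$Matches[1]] = @{} }
        $perNic[$Matches[1]][$Matches[2]] = $a.Average
    }
}
$findings += @(foreach ($nic in $perNic.Keys) {
    $bandwidth   = $perNic[$nic]['current bandwidth']
    $bytesPerSec = $perNic[$nic]['bytes total/sec']
    if ($bandwidth -gt 0) {
        $utilization = 100 * ($bytesPerSec * 8) / $bandwidth
        if ($utilization -gt 70) {
            [pscustomobject]@{
                Counter = "Network Interface($nic)"
                Finding = 'Interface {0:N1}% utilized (> 70%)' -f $utilization
            }
        }
    }
})

if ($findings.Count -eq 0) {
    'No thresholds crossed during this sample window.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Compare any finding against your baseline before acting on it; a 30-second sample window only shows current load, not the trend the text asks you to observe.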

Overview of Resource Monitor

The Resource Monitor interface in Windows Server 2012 provides detailed information about your server’s real-time performance.

You can use Resource Monitor to monitor the use and performance of CPU, disk, network, and memory resources in real time. This enables you to identify and resolve resource conflicts and bottlenecks.

By expanding the monitored elements, system administrators can identify which processes are using which resources. Furthermore, you can use Resource Monitor to track a process or processes by selecting their check boxes. When you select a process, it remains selected in every pane of Resource Monitor, which provides the information that you require regarding that process at the top of the screen, no matter where you are in the interface.

Overview of Reliability Monitor

Reliability Monitor is a tool that is installed by default in the Windows Server 2012 operating system. It monitors hardware and software issues that occur during the selected time interval. Based on the number and type of issues, it assigns a number called the stability index that indicates the reliability of the server. The stability index ranges from 1 to 10, where 1 represents the least stable and 10 represents the most stable state of the server. By using the stability index, administrators can quickly evaluate the reliability of a server. Any issue that affects the server will potentially change the value of the stability index.

You can find the Reliability Monitor tool by accessing the Control Panel, navigating to the Action Center, and then clicking Maintenance. The Reliability Monitor is represented by a link named View reliability history. When you click this link, a Reliability Monitor window is displayed. The Reliability Monitor window includes the following:

• A reporting history on the stability index values shown during previous days or weeks. The following stability index information is available about Application failures, Windows failures, Miscellaneous failures, Warnings, and Information.

• A reliability details table that contains the source of the issue, summary information, date, and action taken.

• A group of actions that can be performed, represented as links in the console:

o Saving the reliability history to an XML file. You can use this option if you want to keep track of older reliability history information.

o Starting the Problem Reports console. You can use this to view issues related to specific applications. For each problem that is detected, options in the console allow you to view more details about the problem, to check online for a solution for the specific problem, or to delete the reported problem information.

o Checking for a solution for all reported problems. You can use this option if you want Reliability Monitor to connect to the Internet in order to locate online information about resolving all reported problems.

Overview of Event Viewer

Windows Event Viewer provides access to the Windows Server 2012 event logs. Event logs provide information about system events that occur within the Windows Operating System. These events include information, warning, and error messages about Windows components and installed applications.

Event Viewer provides categorized lists of essential Windows log events, including application, security, setup, and system events. Event Viewer also provides log groupings for individual installed applications and specific Windows component categories. Individual events provide detailed information about the type of event that occurred. When an event occurs, Event Viewer provides details about the source of the event, and detailed technical information to assist you in troubleshooting the event.

Additionally, Event Viewer allows you to consolidate logs from multiple computers onto a centralized server by using subscriptions. Finally, you can configure Event Viewer to run a specific action when a specified type of event occurs. This may include sending an email message, launching an application, running a script, or other types of maintenance actions.

Event Viewer in Windows Server 2012 contains the following important features:

• The ability to view multiple logs. You can filter for specific events across multiple logs. This makes it easier to investigate issues and troubleshoot the problems that might appear in several logs.

• Customized views. You can use filtering to narrow searches down to only the events in which you are interested, and you can save these filtered views.

• The ability to configure tasks scheduled to run in response to events. You can automate responses to events. Event Viewer is integrated with Task Scheduler.

• The ability to create and manage event subscriptions. You can collect events from remote computers, and then store them locally.

Note: To collect events from remote computers, you must create an inbound rule in Windows Firewall to permit Windows Event Log Management.

Event Viewer tracks information in several different logs. These logs provide detailed information such as:

• A description of the event.

• An event ID number.

• The component or subsystem that generated the event.

• Information, Warning, or Error status.

• The time of the event.

• The user’s name on whose behalf the event occurred.

• The computer on which the event occurred.

• A link to Microsoft TechNet for more information about the type of event.

Windows Server Logs

Event Viewer has many built-in logs, including the following:

• Application log. This log contains errors, warnings, and informational events that pertain to the operation of applications such as Microsoft Exchange Server, the Simple Mail Transfer Protocol (SMTP) service, and other applications.

• Security log. This log reports the results of auditing, if you enable it. Audit events are successful or failed, depending on the event. For example, the log would report success or failure depending on whether a user was able to access a file or not.

• Setup log. This log contains events related to application setup.

• System log. General events are logged by Windows components and services, and they are classified as error, warning, or information. The Windows operating system predetermines the events that system components log.

• Forwarded Events log. This log stores events that are collected from remote computers. To collect events from remote computers, you must create an event subscription.

Application and Services Logs

Applications and Services logs store events from a single application or component rather than events that might have system-wide impact. This category of logs includes four subtypes:

• Admin

• Operational

• Analytic

• Debug

Admin logs are of interest to end users, administrators, and support personnel who use Event Viewer to troubleshoot problems. These logs provide guidance about how to respond to issues. The events found in the Admin logs indicate a problem and a well-defined solution upon which an administrator can act.

Events in the Operational log are also useful for IT professionals, but they are likely to require more interpretation. You can use operational events to analyze and diagnose a problem or occurrence, and to trigger tools or tasks based on the problem or occurrence.

Analytic and Debug logs are not very user-friendly. Analytic logs store events that trace an issue, and they often log a high volume of events. Developers use debug logs when they are debugging applications. By default, both Analytic and Debug logs are hidden and disabled.

Windows log files are 1,028 kilobytes (KB) in size, and events are overwritten as needed. If you want to clear a log manually, you must log in to the server as a local administrator.

If you want to configure event log settings centrally, you can do so by using Group Policy. Open the Group Policy Management Editor for your selected Group Policy Object (GPO), and then navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.

For each log, you can define the following properties:

• The location of the log file.

• The maximum size of the log file.

• Automatic backup options.

• Permissions on the logs.

• Behavior that occurs when the log is full.
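As an added example (not from the handbook), the following script uses Get-WinEvent to do from the command line what a filtered custom view does in Event Viewer: it selects critical, error, and warning events across the System and Application logs for the last 24 hours, shows the equivalent XML query that can be pasted into the Create Custom View dialog, lists the hidden Analytic and Debug logs, and reports the per-log properties listed above. It assumes Windows PowerShell 3.0 or later and read access to the logs; the Security log additionally requires administrator rights.

```powershell
# Added example (not from the handbook): query several logs at once, as a
# custom view does, and inspect each log's size and retention settings.
# Assumes Windows PowerShell 3.0+ and read access to the logs queried.

$since = (Get-Date).AddHours(-24)

# Level 1 = Critical, 2 = Error, 3 = Warning. A hashtable filter is evaluated
# by the Event Log service, so only matching events cross the pipeline.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

# Summarize by log, source, and event ID so that recurring problems stand out;
# a single ID repeating hundreds of times is usually the thread to pull first.
$events |
    Group-Object -Property LogName, ProviderName, Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name |
    Format-Table -AutoSize

# The same filter as an Event Viewer XML query (Create Custom View > XML tab).
# timediff() is in milliseconds; 86400000 ms is 24 hours.
$xmlQuery = @"
<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@
$sameEvents = Get-WinEvent -FilterXml ([xml]$xmlQuery) -ErrorAction SilentlyContinue
'Hashtable filter returned {0} events, XML query returned {1}' -f @($events).Count, @($sameEvents).Count

# Analytic and Debug logs are hidden and disabled by default; -Force lists them.
Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LogType -in 'Analytical', 'Debug' -and -not $_.IsEnabled } |
    Select-Object -First 5 -Property LogName, LogType, IsEnabled |
    Format-Table -AutoSize

# Per-log properties from the text: file location, maximum size, and what
# happens when the log is full (LogMode: Circular, AutoBackup, or Retain).
Get-WinEvent -ListLog System, Application, Security, Setup, ForwardedEvents -ErrorAction SilentlyContinue |
    Select-Object -Property LogName, LogFilePath, MaximumSizeInBytes, LogMode, IsEnabled |
    Format-Table -AutoSize
```

A LogMode of Circular means the oldest events are overwritten when the maximum size is reached, which is the default behaviour the text describes; the Security log is the one most often switched to AutoBackup or Retain so that audit records are not silently lost.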

Monitoring a Server With Server Manager

Organizations have multiple servers that have to be monitored, and these servers can be physical or virtual. The number of servers in an organization depends on the size of the organization and the complexity of the IT infrastructure. The most efficient way to monitor multiple servers is to deploy management and monitoring software that provides a centralized dashboard where administrators will be able to monitor all components of the IT infrastructure.

Depending on the size of the organization and the complexity of its IT infrastructure, monitoring software can be classified in two ways:

• Enterprise management and monitoring solutions, such as the System Center suite.

• Small and medium-sized organization monitoring solutions, such as Server Manager.

Server Manager is software that is installed by default in Windows Server 2012, and it can also be installed as a console on a Windows 8 client computer. It provides monitoring of both local and remote servers, where monitoring data is collected from monitored servers and is presented in a centralized dashboard. By using Server Manager, administrators can monitor up to 100 servers. For monitoring more than 100 servers, you should consider an enterprise monitoring solution such as System Center.

Server Manager can monitor Windows Server 2008 and newer Windows Server operating systems. It can also monitor Server Core editions of Windows Server 2008 R2 and later Windows Server Core operating systems. For administrators to monitor remote servers with Server Manager, remote servers have to be configured to allow remote management. Configuration for remote management and monitoring is enabled by default, and can be changed by using Server Manager and Windows PowerShell® on the monitored server. Server Manager does not support monitoring of the Windows client operating system.

When using Server Manager, you can perform the following monitoring tasks on remote servers:

• Adding remote servers to a pool of servers that Server Manager will monitor. Administrators can choose what servers will be monitored.

• Creating custom groups of monitored servers. Monitored servers in Server Manager can be grouped by different criteria, such as department, city, or country. Grouping servers helps organizations assign different administrators to monitor different groups of servers.

• Starting different tools on remote servers. Administrators can start different tools remotely, such as Microsoft Management Console (MMC) consoles for monitoring different types of data or starting Windows PowerShell on remote servers. Administrators do not have to log on locally on a server in order to perform different management tasks, such as starting a service.

• Determining server status and identifying critical events. Servers that have critical issues are displayed on the centralized dashboard in the color red to alert administrators to start troubleshooting the issue.

• Analyzing or troubleshooting different types of issues. Centralized console monitoring information can be displayed by type, such as AD DS, Domain Name System (DNS), Microsoft Internet Information Services (IIS) or Remote Access, so that administrators can locate the type of the issue and start to troubleshoot it. The centralized console also provides general monitoring information that is displayed on the console as All Servers.

• Monitoring the status of Best Practices Analyzer tool. Best Practices Analyzer is a tool that runs on every server and compares current server role configuration with recommended settings from Microsoft based on best practices. Server Manager displays results of the Best Practices Analyzer tool from all monitored servers in the centralized dashboard.

• Customizing how monitoring data is displayed. Administrators can customize how monitoring data is displayed in order to focus on the type of monitoring data that is relevant for troubleshooting a particular issue.

Lesson 2 Using Performance Monitor

You can use Performance Monitor to collect, analyze, and interpret performance-related data about your organization’s servers. This enables you to make informed capacity planning decisions. However, to make informed decisions, it is important to know how to establish a performance baseline, how to use data collector sets, and how to use reports to help you compare performance data to your baseline.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain what a baseline is.

• Describe data collector sets.

• Describe how to capture counter data with a data collector set.

• Describe how to configure an alert.

• Describe how to view Performance Monitor reports.

• Identify the key parameters that you should track when monitoring network infrastructure services.

• Identify considerations for monitoring virtual machines.

Performance Baselines, Trends, and Capacity Planning

By calculating performance baselines for your server environment, you can interpret real-time monitoring information more accurately. A baseline for your server’s performance indicates what your performance-monitoring statistics look like during normal use. You can establish a baseline by monitoring performance statistics over a specific period. When an issue or symptom occurs in real time, you can compare your baseline statistics to your real-time statistics, and then identify anomalies.

Trends Analysis

You should consider the value of performance data carefully to ensure that it reflects your server environment. Additionally, you should gather performance data which you can use to plan for business or technological growth and create upgrade plans. You may be able to reduce the number of servers that are in operation after you measure performance and assess the required environment.

By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. Review historical analysis along with your business requirements, and use this data to determine when additional capacity is required. Some peaks are associated with one-time activities, such as extremely large orders. Other peaks occur on a regular basis, such as a monthly payroll processing. These peaks could make a capacity increase necessary to meet the demands of an increased number of employees.

Capacity Planning

Planning for future server capacity is a best practice for all organizations. Planning for business changes often requires additional server capacity to meet targets. By aligning your IT strategy with your business strategy, you can support business objectives. Furthermore, you should consider virtualizing your environment to reduce the number of physical servers that you require. You can consolidate servers by implementing the Hyper-V® role in the Windows Server 2012 environment.

Capacity planning focuses on assessing server workload, the number of users that a server can support, and the ways to scale systems to support additional workload and users in the future. New server applications and services affect the performance of your IT infrastructure. These services could receive dedicated hardware although they often use the same LAN and wide area network (WAN) infrastructure. Planning for future capacity should include all hardware components and how new servers, services, and applications affect the existing infrastructure. Factors such as power, cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You should consider how your servers can scale up and out to support an increased workload.

Tasks such as upgrading to Windows Server 2012 or Windows Server 2012 R2 might affect the performance of your servers and network. An update can sometimes cause problems with an application that might be incompatible with Windows Server 2012. Careful performance monitoring before and after you apply updates can identify these problems and help you rectify them.

An expanding business can require your infrastructure to support a growing number of users. You should consider your organization’s current and anticipated business requirements when purchasing hardware. This will help you to meet future business requirements by increasing the number of servers or by adding capacity to existing hardware when needed.

Additional capacity requirements can include:

• More servers.

• Additional hardware.

• Reducing application loads.

• Reducing the number of users that connect to a server. (You can do this by distributing the users to multiple servers.)

Understanding Bottlenecks

A performance bottleneck occurs when a computer is unable to service requests for a specific resource. The resource might be a key component, such as a disk, memory, processor, or network. Alternatively, the shortage of a component within an application package might cause the bottleneck. By using performance-monitoring tools on a regular basis, and comparing the results to your baseline and to historical data, you can often identify performance bottlenecks before they affect users.

After you identify a bottleneck, you must decide how to remove it. Your options for removing a bottleneck include:

• Running fewer applications.

• Adding resources to the computer.

A computer suffering from a severe resource shortage might stop processing user requests. This requires immediate attention. However, if your computer experiences a bottleneck but still operates within acceptable limits, you might decide to defer any changes until you resolve the situation or have an opportunity to take corrective action.

Analyzing Key Hardware Components

There are four key hardware components: processor, disk, memory, and network. By understanding how your operating system uses these components and how they interact with one another, you will have a better understanding of how to optimize server performance.

Processor

Processor speed is an important factor in determining your server’s overall computing capacity. Processor speed is the number of operations that are performed in a measured period; for example, a billion processor cycles per second is one gigahertz (GHz). Servers with multiple processors and processors with multiple cores generally perform processor-intensive tasks with greater efficiency and speed than single-processor or single-core computers.

Processor architecture also is important. 64-bit processors can access more memory and have a significant effect on performance. However, it is important to note that both Windows Server 2012 and Windows Server 2012 R2 are only available in 64-bit editions.

Disk

Server hard disks store programs and data. Consequently, the throughput of hard disks affects the speed of the workstation or server, especially when the workstation or server is performing disk-intensive tasks. Most hard disks have moving parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the requested information. Furthermore, disk controller performance and configuration also affect the overall disk performance. By selecting faster disks, and by using arrays of disks such as a Redundant Array of Independent Disks (RAID) to optimize access times, you can alleviate the potential for the disk subsystem to create a performance bottleneck.

You also should remember that information on the disk moves into memory before it is used. If there is a surplus of memory, the Windows Server operating system creates a file cache for items recently written to, or read from, the disks. Installing additional memory in a server can often improve the disk subsystem performance, because accessing the cache is faster than moving the information from disk into memory.

Memory

Programs and data load from the disk into memory before the program manipulates the data. In servers that run multiple programs, or where datasets are extremely large, increasing the amount of memory installed can help improve server performance.

Windows Server uses a memory model in which memory requests by applications that exceed total available memory of the computer are not rejected, but are handled by a process known as paging. During paging, data and programs in memory not currently being utilized by processes are moved into an area on the hard disk, known as the paging file. This frees up physical memory to satisfy the excessive requests. But, because a hard disk is comparatively slow, it has a negative effect on workstation performance. By adding more memory, and by using a 64-bit processor architecture that supports larger memory, you can reduce the need for paging.

Network

The network is a critical component for performance monitoring, because many network applications are dependent on network communications performance. Poor network performance can cause slow or unresponsive applications and server functionality. Therefore, network capacity planning is very important. While planning for network capacity, you must consider bandwidth capacity and the capacity of any network devices, such as router and switch capacity. In many cases, an optimized configuration of network devices, such as switches or routers, improves the performance of the network and network applications.

What Are Data Collector Sets?

Data collector sets are a custom set of performance counters, event traces, and system configuration data.

A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, or group it with other data collector sets. You can also incorporate a data collector set into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds in performance counters.

Although it is useful to analyze current performance activity on a server computer, you might find it more useful to collect performance data over a set period, and then analyze and compare it with data that you gathered previously. You can use this comparison to determine resource usage to plan for growth and to identify potential performance problems.

You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour during your working hours, to create a performance baseline. You also can set the data collector to restart when set limits are reached so that a separate file is created for each interval. You can configure a schedule for performance monitoring when configuring a data collector set. Scheduling options are located in the Schedule tab of the data collector set properties window. The schedule monitoring options that you can select include beginning date, expiration date, and start time. You can also choose which day of the week you want performance monitoring to run.

After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.

Data collector sets can contain the following types of data collectors:

• Performance counters. This data collector provides server performance data.

• Event trace data. This data collector provides information about system activities and events, and is often useful for troubleshooting.

• System configuration information. This data collector allows you to record the current state of registry keys and to record changes to those keys.

You can create a data collector set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting individual data collectors and setting each individual option in the data collector set properties.

Demonstration: Capturing Counter Data with a Data Collector Set

This demonstration shows how to:

• Create a data collector set.

• Create a load on the server.

• Analyze the resulting data in a report.

Demonstration Steps

Create a data collector set

1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Open Performance Monitor.

3. Create a new User Defined data collector set with the following key counters:

o Processor > % Processor Time

o Memory > Pages/sec

o PhysicalDisk > % Disk Time

o PhysicalDisk > Avg. Disk Queue Length

o System > Processor Queue Length

o Network Interface > Bytes Total/sec

4. Start the data collector set.

Create a disk load on the server

1. Open a Windows PowerShell prompt, and then use the fsutil command to create a large file with a size of 104857600 bytes.

2. Copy the file to the LON-DC1 server to generate network load.

3. Create a new copy of the large file on the local hard disk by copying it from LON-DC1.

4. Delete all the newly created files.

Analyze the resulting data in a report

1. Switch to Performance Monitor, and then stop the data collector set.

2. Select the Performance Monitor tool, and then select View Log Data.

3. Add the data that you collected in the data collector set to the chart.

4. Change the view to Report.

What Are Alerts?

Alerts are a feature of the Windows Server 2012 operating system that notify you when certain events have occurred or when certain performance thresholds are reached. You can configure alerts in Windows Server 2012 as network messages or as events that are logged in the application event log. You also can configure alerts to start applications and performance logs. You configure alerts when you create data collectors, by selecting the Performance Counter Alert type of data collector.

When you create the alert, configure the following settings:

• Alert when. This is the alert-threshold setting for a specific performance counter.

• Alert Action. This setting specifies whether to log an entry in the application event log or to start another data collector set.

• Alert Task. This setting specifies which command task should be triggered when the alert threshold is reached. In addition, you may specify command parameters, if applicable.

Demonstration: Configuring an Alert

With alert counters, you can create a custom data collector set that contains performance counters. You can then configure actions that occur based on the measured counters exceeding the maximum or dropping below the minimum limits that you define. After you create the data collector set, you must configure the actions that the system will take when the alert criteria are met.

Alert counters are especially useful in situations where a performance issue arises periodically, and you can configure the actions to run programs, generate events, or a combination of these.

This demonstration shows how to:

• Create a data collector set with an alert counter.

• Generate a server load that exceeds the configured threshold.

• Examine the event log for the resulting event.

Demonstration Steps

Create a data collector set with an alert counter

1. Create a new User Defined data collector set.

2. Use the Performance Counter Alert option, and then add only the Processor > % Processor Time counter.

3. Set the threshold to be above 10 percent and to generate an entry in the event log when this condition is met.

4. Start the data collector set.

Generate a server load that exceeds the configured threshold

1. Open the Windows PowerShell prompt, and then run the following tool to generate a load on the server:

C:\Labfiles\StressTool 95

2. When the tool has run for a minute, stop it.

Examine the event log for the resulting event

• Open Event Viewer, and examine the Diagnosis-PLA log for performance alerts.

Demonstration: Viewing Reports in Performance Monitor

This demonstration shows how to view a performance report.

Demonstration Steps

View a performance report

1. In the navigation pane, expand Reports/User Defined/LON-SVR1 Performance.

2. Expand the folder beneath LON-SVR1 Performance. The previous collection process of the data collector set generated this report. You can change from the chart view to any other supported view.

3. If the report is not displayed, click on the Refresh button on the toolbar, and then repeat Step 2.

4. Close all open windows.

Monitoring Network Infrastructure Services

Because network infrastructure services are an essential foundation of many other server-based services, it is important that you configure them correctly and that they run optimally.

Your organization can benefit in several ways by gathering performance-related data on your network infrastructure services.

• Optimizing network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize performance of your network infrastructure server.

• Troubleshooting servers. When server performance degrades, either over time or during periods of peak activity, you can help identify possible causes and take corrective action. This can help you quickly bring a service back within the limits of your service level agreement (SLA).

Monitoring DNS

DNS provides name-resolution services on your network. You can monitor the Windows Server 2012 DNS Server role to determine the following aspects of your DNS infrastructure:

• General DNS server statistics, including the number of overall queries and responses that the DNS server is processing.

• User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters for measuring DNS queries and responses that the DNS server processes respectively by using either of these transport protocols.

• Dynamic update and secure dynamic update counters for measuring registration and update activity that dynamic clients generate.

• Memory usage counter for measuring system memory usage and memory allocation patterns that are created by operating the server computer as a DNS server.

• Recursive lookup counters for measuring queries and responses when the DNS Server service uses recursion to look up and fully resolve DNS names on behalf of requesting clients.

• Zone transfer counters, including specific counters for measuring all zone transfer (AXFR), incremental zone transfer (IXFR), and DNS zone-update notification activity.

Monitoring DHCP

The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services for your network. You can monitor the Windows Server 2012 DHCP server role to determine the following aspects of your DHCP server:

• The Average Queue Length, which indicates the current length of the DHCP server’s internal message queue. This number represents the number of unprocessed messages that the server receives. A large number might indicate heavy server traffic.

• The Milliseconds per packet counter is the average time in milliseconds that the DHCP server uses to process each packet that it receives. This number varies depending on the server hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming slower or because of an intrinsic processing overhead on the server.
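The following Windows PowerShell script is an added example, not part of the course material, that samples the DNS and DHCP Server role counters described above with Get-Counter and flags any that exceed a threshold. The counter paths are the Windows Server 2012 names as the author knows them (the DHCP queue counter is exposed as Active Queue Length); the threshold values are constructed placeholders that you should replace with figures from your own baseline.

```powershell
# Added example (not from the course): sample the DNS and DHCP Server role
# counters with Get-Counter and flag values above a baseline-derived threshold.
# Run on a server that holds the DNS Server and DHCP Server roles; remove the
# counters for any role the server does not hold.

$dnsCounters = @(
    '\DNS\Total Query Received/sec',        # overall query load
    '\DNS\Total Response Sent/sec',
    '\DNS\UDP Query Received/sec',          # transport split
    '\DNS\TCP Query Received/sec',
    '\DNS\Dynamic Update Received/sec',     # dynamic update activity
    '\DNS\Secure Update Received/sec',
    '\DNS\Recursive Queries/sec',           # recursion on behalf of clients
    '\DNS\Recursive Query Failure/sec',
    '\DNS\AXFR Request Received',           # zone transfer activity
    '\DNS\IXFR Request Received',
    '\DNS\Notify Received',
    '\DNS\Caching Memory'                   # memory held by the DNS cache
)

$dhcpCounters = @(
    '\DHCP Server\Active Queue Length',          # unprocessed messages
    '\DHCP Server\Milliseconds per packet (Avg)',
    '\DHCP Server\Packets Received/sec'
)

# Constructed placeholder thresholds; replace with values from your baseline.
$thresholds = @{
    '\DNS\Recursive Query Failure/sec'           = 5
    '\DHCP Server\Active Queue Length'           = 50
    '\DHCP Server\Milliseconds per packet (Avg)' = 100
}

# Take 10 samples one second apart and average each counter.
$samples = Get-Counter -Counter ($dnsCounters + $dhcpCounters) `
                       -SampleInterval 1 -MaxSamples 10 -ErrorAction SilentlyContinue

$report = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        # Get-Counter prefixes each path with \\COMPUTERNAME; strip it so the
        # path matches the threshold table (hashtable keys are case-insensitive).
        $key = $_.Name -replace '^\\\\[^\\]+', ''
        [pscustomobject]@{
            Counter   = $key
            Average   = [math]::Round($avg, 2)
            Threshold = $thresholds[$key]
            Exceeded  = ($thresholds.ContainsKey($key) -and $avg -gt $thresholds[$key])
        }
    }

$report | Sort-Object Exceeded -Descending | Format-Table -AutoSize

# Counters that crossed a threshold are the candidates for the deeper look the
# lesson describes: heavy DHCP traffic, a slow I/O subsystem, or recursion
# failures that point at the upstream forwarders.
$report | Where-Object Exceeded
```

Compare the Average column with the same counters captured during a quiet period; a sustained rise in Active Queue Length or Milliseconds per packet (Avg) is the DHCP symptom the lesson describes, and a rise in Recursive Query Failure/sec points at resolution problems upstream of the DNS server rather than at the server itself.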

Considerations for Monitoring Virtual Machines

Server virtualization has only been a part of the Windows Server operating system since the release of Windows Server 2008 and the introduction of the Hyper-V role. Many organizations have migrated some or all of their server workloads to virtual machines that run on virtualization servers. From a monitoring perspective, it is important to remember that servers running as guest virtual machines consume resources in the same way as physical host server computers.

With Hyper-V server virtualization, you can create separate virtual machines, and run them concurrently by using the resources of the operating system running on a single physical server. The operating systems running within each virtual machine are known as guests, while the computer running Hyper-V is the host.

Virtual machine guests function as physical computers. Virtual machine guests that are hosted on the same hypervisor remain independent of one another. You can run multiple virtual machines that are using different operating systems on a host server simultaneously, as long as the host server has enough resources.

When you create a virtual machine, you configure characteristics that define the available resources for that guest. These resources include memory, processors, disk-configuration and storage technology, and network-adapter configuration. These virtual machines operate within the boundaries of the resources that you allocate to them, and can suffer from the same performance bottlenecks as host servers. As a result, it is important that you monitor virtual machines in the same way you monitor your host servers.

Note: In addition to monitoring the virtual machine guests, always remember that you must also monitor the host that runs them.

Microsoft provides a tool, Hyper-V Resource Metering, that enables you to monitor resource consumption on your virtual machines. Resource metering allows you to track the resource utilization of virtual machines hosted on Windows Server 2012 computers that have the Hyper-V role installed.

With resource metering, you can measure the following parameters on individual Hyper-V virtual machines:

• Average graphics processing unit (GPU) use.

• Average physical memory use, including:

o Minimum memory use.

o Maximum memory use.

• Maximum disk-space allocation.

• Incoming network traffic for a network adapter.

• Outgoing network traffic for a network adapter.

By measuring how much of these resources each virtual machine uses, an organization can bill departments or customers based on their hosted virtual-machine use, rather than charging a flat fee per virtual machine. An organization with only internal customers also can use these measurements to see patterns of use and plan future expansions.

You perform resource-metering tasks by using Windows PowerShell cmdlets in the Hyper-V Windows PowerShell module. There is no GUI tool that enables you to perform this task. You can use the following cmdlets to perform resource metering tasks:

• Enable-VMResourceMetering. Starts collecting data on a per-virtual-machine basis.

• Disable-VMResourceMetering. Disables resource metering on a per-virtual-machine basis.

• Reset-VMResourceMetering. Resets virtual machine resource-metering counters.

• Measure-VM. Displays resource-metering statistics for a specific virtual machine.
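The following Windows PowerShell script is an added example, not part of the course material, that uses the four cmdlets listed above to meter every virtual machine on a Hyper-V host and turn the measurements into the kind of per-department chargeback figure the lesson describes. The rates are constructed placeholders. The VMResourceReport property names used (AverageProcessorUsage, AverageMemoryUsage, MinimumMemoryUsage, MaximumMemoryUsage, TotalDiskAllocation, NetworkMeteredTrafficReport, MeteringDuration) are the author's understanding of the Hyper-V module's output and should be confirmed on your own host with Measure-VM -VMName <name> | Get-Member.

```powershell
# Added example (not from the course): enable resource metering for all VMs,
# read the metered values with Measure-VM, and compute a chargeback figure.
# Requires the Hyper-V PowerShell module on a Windows Server 2012 host.
Import-Module Hyper-V

# 1. Turn metering on for every VM and clear any counters left from a prior period.
Get-VM | Enable-VMResourceMetering
Get-VM | Reset-VMResourceMetering

# ... let the VMs run for the billing period, then continue below.

# 2. Constructed placeholder rates. Units follow Measure-VM: CPU in MHz,
#    memory and disk in MB, network traffic in MB.
$rates = @{ CpuMHzHour = 0.0001; RamMBHour = 0.00005; DiskMB = 0.00002; NetMB = 0.0001 }

$bill = Get-VM | Measure-VM | ForEach-Object {
    # Property names below are assumptions about VMResourceReport; verify with Get-Member.
    $hours = $_.MeteringDuration.TotalHours

    # NetworkMeteredTrafficReport holds one entry per direction and address range.
    $inbound  = ($_.NetworkMeteredTrafficReport |
                 Where-Object Direction -eq 'Inbound'  |
                 Measure-Object TrafficVolume -Sum).Sum
    $outbound = ($_.NetworkMeteredTrafficReport |
                 Where-Object Direction -eq 'Outbound' |
                 Measure-Object TrafficVolume -Sum).Sum

    $cost = ($_.AverageProcessorUsage * $hours * $rates.CpuMHzHour) +
            ($_.AverageMemoryUsage   * $hours * $rates.RamMBHour)   +
            ($_.TotalDiskAllocation  * $rates.DiskMB)               +
            (($inbound + $outbound)  * $rates.NetMB)

    [pscustomobject]@{
        VMName    = $_.VMName
        Hours     = [math]::Round($hours, 1)
        AvgCPUMHz = $_.AverageProcessorUsage
        AvgRAMMB  = $_.AverageMemoryUsage
        MinRAMMB  = $_.MinimumMemoryUsage
        MaxRAMMB  = $_.MaximumMemoryUsage
        DiskMB    = $_.TotalDiskAllocation
        NetInMB   = $inbound
        NetOutMB  = $outbound
        Cost      = [math]::Round($cost, 2)
    }
}

$bill | Format-Table -AutoSize
$bill | Export-Csv -Path "$env:USERPROFILE\vm-chargeback.csv" -NoTypeInformation

# 3. Start the next billing period from zero; metering itself stays enabled.
Get-VM | Reset-VMResourceMetering

# Disable-VMResourceMetering stops collection entirely, for example when a VM
# is decommissioned:
# Disable-VMResourceMetering -VMName 'RetiredVM'
```

Resetting rather than disabling at the end of each period keeps the metering configuration in place, so the next Measure-VM call covers exactly one period; the exported CSV is the record an organization with only internal customers can use to see usage patterns over time.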

Lesson 3 Monitoring Event Logs

Event Viewer provides a convenient and accessible location for you to view events that occur and that Windows Server records into one of several log files based on the type of event that occurs. To support your users, you should know how to access event information quickly and conveniently, and know how to interpret the data in the event log.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how to use Server Manager to view event logs.

• Explain what a custom view is.

• Describe how to create a custom view.

• Explain what event subscriptions are.

• Describe how to configure an event subscription.

Using Server Manager to View Event Logs

Server Manager provides a centralized location where event logs for multiple monitored remote servers can be stored and accessed. Server Manager provides a monitoring and troubleshooting solution where administrators can view the information regarding specific events from different servers and different applications in one console. This is more efficient when compared to viewing event logs by connecting to a specific server from a remote location.

Server Manager event logs can be viewed for all servers, for a specific server, or per server role, such as AD DS, DNS, or Remote Access. You can choose different event log views from the navigation pane in Server Manager:

• Local Server. Displays event logs that are generated on the local server where Server Manager is running. By default, Application, Security, and System event logs are displayed.

• All Servers. Displays event logs from all servers that are monitored by Server Manager.

• AD DS, DNS, Remote Access. Displays event logs from all servers that are monitored and that have specific server roles installed, such as AD DS, DNS, or the Remote Access role. These logs display specific information generated by the AD DS, DNS, or the Remote Access server role.

• Roles and Server Groups tiles in Server Manager Dashboard. You can also choose an Events link in a specific Server Group tile in the Server Manager Dashboard such as AD DS tile, DNS tile, or Remote Access tile, to display the events for the specific server role.

You can further customize the event log views as described below.

• Creating queries for specific types of events that need to be displayed. These queries can be saved and used later when searching for the events that are defined in the query criteria.

• Configuring event data that needs to be displayed. You can choose what type of events to display, such as Critical, Error, Warning, and Informational. You can also choose the event log files from where the events will be displayed, such as Application, Directory Service, DNS Server, Security, System, and Setup.

What Is a Custom View?

Event logs contain vast amounts of data, and it could be a challenge to narrow the set of events to just those events that interest you. Custom views allow you to query and sort just the events that you want to analyze. You also can save, export, import, and share these custom views.

Event Viewer allows you to filter for specific events across multiple logs, and display all events that may be related to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create a custom view. You create custom views in the Action pane in Event Viewer.

You can filter custom views based on multiple criteria, including:

• The time that the event was logged.

• Event level, such as errors or warnings.

• Logs from which to include events.

• Specific Event IDs to include or exclude.

• User context of the event.

• Computer on which the event occurred.

Demonstration: Creating a Custom View

This demonstration shows how to:

• View Server Roles custom views.

• Create a custom view.

Demonstration Steps

View Server Roles custom views

• In Event Viewer, examine the predefined Server Roles custom views.

Create a custom view

1. Create a new custom view to select the following event types:

o Critical

o Warning

o Error

2. Select the following logs:

o System

o Application

3. Name the custom view Adatum Custom View.

4. View the resulting filtered events in the details pane.
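The XML below is the query that Event Viewer builds for the Adatum Custom View just created (Critical, Warning, and Error events from the System and Application logs), shown here as an added example, not part of the course material, so that the same filter can be run from Windows PowerShell with Get-WinEvent against the local server or the lab servers. The function name and the output path are the author's choices.

```powershell
# Added example (not from the course): the Adatum Custom View as an XPath
# query run through Get-WinEvent. Event levels: 1 = Critical, 2 = Error,
# 3 = Warning, 4 = Information, 5 = Verbose.
$customViewXml = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

function Get-AdatumCustomView {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )
    # -FilterXml takes the same QueryList that a custom view stores.
    Get-WinEvent -ComputerName $ComputerName -FilterXml ([xml]$customViewXml) `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, LogName, LevelDisplayName, Id, ProviderName, Message
}

# Events from the local server, newest first.
Get-AdatumCustomView | Format-Table -AutoSize -Wrap

# The same view against both lab servers, as one list sorted by time.
'LON-DC1', 'LON-SVR1' |
    ForEach-Object { Get-AdatumCustomView -ComputerName $_ } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, MachineName, LogName, LevelDisplayName, Id -AutoSize

# Keep the query with the rest of your monitoring scripts so it can be re-used
# (path is the author's choice).
$customViewXml | Out-File -FilePath "$env:USERPROFILE\AdatumCustomView.xml" -Encoding ascii
```

Because the filter is evaluated by the event log service on the server being queried, only the matching events cross the network, which is the same reason the lesson recommends a custom view over scrolling a full log. To add the other criteria listed above, extend the XPath inside the Select element (for example, EventID=1000 or UserID, Computer, and TimeCreated conditions).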

What Are Event Subscriptions?

Event log subscription is a feature that, when configured, enables a single server to collect copies of events from multiple systems. By using the Windows Remote Management (WinRM) service and the Windows Event Collector service (Wecsvc), you can collect events in the event logs of a centralized server, where you can analyze them together with the event logs of other computers that are being collected on the same central server.

Subscriptions can be either collector-initiated or source computer-initiated:

• Collector-initiated. A collector-initiated subscription, or a pull subscription, identifies all of the computers from which the collector will receive events, and will typically pull events from these computers. In a collector-initiated subscription, the subscription definition is stored and maintained on the collector computer. You use pull subscriptions when many of the computers have to be configured to forward the same types of events to a central location. In this manner, only one subscription definition has to be defined and specified to apply to all computers in the group.

• Source computer-initiated. In a source computer-initiated subscription, or push subscription, source computers push events to the collector. In a source computer-initiated subscription, the subscription definition is created and managed on the source computer, which is the computer that is sending events to a central source. You can define these subscriptions manually, or by using Group Policy. You create push subscriptions when each server is forwarding a different set of events than other servers are, or when control over the event-forwarding process has to be maintained at the source computer. This may be the case when frequent changes must be made to the subscription.

To use the event subscription, you must configure the forwarding and the collecting computers. The event-collecting functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are participating in the forwarding and collecting process.

Enabling Subscriptions

To enable subscriptions, perform the following tasks:

1. On each source computer, run the following command at an elevated command prompt to enable WinRM:

winrm quickconfig

2. On the collector computer, type the following command at an elevated command prompt to enable the Wecsvc:

wecutil qc

3. Add the computer account of the collector computer to the local Administrators group on each of the source computers.

Demonstration: Configuring an Event Subscription

This demonstration shows how to:

• Configure the source computer.

• Configure the collector computer.

• Create and view the subscribed log.

Demonstration Steps

Configure the source computer

1. Switch to LON-DC1 and, if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Run the winrm quickconfig command at a command prompt.

Note: The service is already running.

3. Open Active Directory Users and Computers, and add the LON-SVR1 computer as a member of the domain local Administrators group.

Configure the collector computer

1. Switch to LON-SVR1, and then open a command prompt.

2. Run the wecutil qc command.

Create and view the subscribed log

1. Switch to Event Viewer.

2. Create a new subscription to collect events from LON-DC1:

o Collector initiated

o Source computer LON-DC1

o All event types

o Last 30 days

Lab: Monitoring Windows Server 2012

Scenario

A. Datum Corporation is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and data center are located in London to support the London location and other locations. A. Datum recently deployed a Windows Server 2012 server and client infrastructure.

Because the organization has deployed new servers, it is important to establish a performance baseline with a typical load for these new servers. You have been asked to work on this project. Additionally, to make the process of monitoring and troubleshooting easier, you decide to perform centralized monitoring of event logs.

Objectives

After completing this lab, you will be able to:

• Establish a performance baseline.

• Identify the source of a performance problem.

• View and configure centralized event logs.

Lab Setup

Estimated Time: 60 minutes

Virtual Machines: 20411C-LON-DC1, 20411C-LON-SVR1

User Name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V® Manager, click 20411C-LON-DC1, and then, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 through 4 for 20411C-LON-SVR1.

Exercise 1: Establishing a Performance Baseline

Scenario

In this exercise, you will use Performance Monitor on the server, and create a baseline by using typical performance counters.

The main tasks for this exercise are as follows:

1. Create and Start a Data Collector Set.

2. Create a Typical Workload on the Server.

3. Analyze the Collected Data.

Task 1: Create and Start a Data Collector Set

1. Switch to the LON-SVR1 computer.

2. Open Performance Monitor.

3. Create a new User Defined data collector set by using the following information to complete the process:

o Name: LON-SVR1 Performance

o Create: Create manually (Advanced)

o Type of data: Performance counter

o Select the following counters:

Memory, Pages/sec

Network Interface, Bytes Total/sec

PhysicalDisk, %Disk Time

PhysicalDisk, Avg. Disk Queue Length

Processor, %Processor Time

System, Processor Queue Length

o Sample interval: 1 second

o Where to store data: default value

4. Save and close the data collector set.

5. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click Start.

Task 2: Create a Typical Workload on the Server

1. Open a command prompt, and then run the following commands by pressing Enter after each command:

Fsutil file createnew bigfile 104857600

Copy bigfile \\LON-dc1\c$

Copy \\LON-dc1\c$\bigfile bigfile2

Del bigfile*.*

Del \\LON-dc1\c$\bigfile*.*

2. Do not close the command prompt.

Task 3: Analyze the Collected Data

1. Switch to Performance Monitor.

2. Stop the LON-SVR1 Performance data collector set.

3. Switch to the Performance Monitor node.

4. View logged data, and then add the following counters:

o Memory, Pages/sec

o Network Interface, Bytes Total/sec

o PhysicalDisk, %Disk Time

o PhysicalDisk, Avg. Disk Queue Length

o Processor, %Processor Time

o System, Processor Queue Length

5. On the toolbar, click the down arrow, and then click Report.

6. Record the values that are listed in the report for later analysis. Recorded values include:

o Memory, Pages/sec

o Network Interface, Bytes Total/sec

o PhysicalDisk, %Disk Time

o PhysicalDisk, Avg. Disk Queue Length

o Processor, %Processor Time

o System, Processor Queue Length

Results: After this exercise, you should have established a baseline for performance-comparison purposes.
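The following Windows PowerShell script is an added example, not part of the course material, that builds the same LON-SVR1 Performance data collector set as the earlier demonstration and Exercise 1 from the command line with logman.exe instead of the Performance Monitor wizard, and then reads the resulting .blg log back with Import-Counter to produce the six baseline values that Task 3 asks you to record. The set name, counters, and sample interval follow the lab; the output folder, the function name, and the CSV path are the author's choices.

```powershell
# Added example (not from the course): create, run and analyze the
# LON-SVR1 Performance data collector set with logman and Import-Counter.
$setName = 'LON-SVR1 Performance'
$outDir  = 'C:\PerfLogs\Admin\LON-SVR1 Performance'   # author's choice of location

# The six key counters from the lab. _Total aggregates all instances of an
# object; (*) records every network interface separately.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

# 1. Create the user-defined set: binary log (.blg), 1-second sample interval.
#    PowerShell expands the array into separate arguments after -c.
logman create counter $setName -c $counters -si 00:00:01 -f bin -o "$outDir\DataCollector01"

# 2. Start it, run the typical workload from Task 2, then stop it.
logman start $setName
# ... workload runs here ...
logman stop $setName

# 3. Read the newest .blg and average every counter: the same figures the
#    Report view shows in Performance Monitor.
function Get-BaselineReport {
    param([string]$LogDirectory)

    $log = Get-ChildItem -Path $LogDirectory -Filter *.blg -Recurse |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { throw "No .blg file found under $LogDirectory" }

    (Import-Counter -Path $log.FullName).CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
            }
        }
}

# Record this table as the baseline. After the StressTool run in Exercise 2,
# call Get-BaselineReport again and compare: the counter that moved furthest
# from its baseline value points at the bottleneck.
$baseline = Get-BaselineReport -LogDirectory $outDir
$baseline | Format-Table -AutoSize
$baseline | Export-Csv -Path "$outDir\baseline.csv" -NoTypeInformation
```

Keeping the baseline as a CSV rather than a screenshot of the Report view makes the later comparison a simple join on the Counter column, and the same script can be scheduled (for example, 10 minutes every hour, as the lesson suggests) so that the baseline reflects normal working load rather than a single quiet moment.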

Exercise 2: Identifying the Source of a Performance Problem

Scenario

In this exercise, you will simulate a load to represent the system in live usage, gather performance data by using your data collector set, and then determine the potential cause of the performance problem.

The main tasks for this exercise are as follows:

1. Create Additional Workload on the Server.

2. Capture Performance Data by Using a Data Collector Set.

3. Remove the Workload, and Review the Performance Data.

Task 1: Create Additional Workload on the Server

1. On LON-SVR1, switch to the command prompt.

2. Change to the C:\Labfiles folder.

3. On LON-SVR1, run StressTool.exe 95.

Task 2: Capture Performance Data by Using a Data Collector Set

1. Switch to Performance Monitor.

2. In Performance Monitor, click User Defined, and then, in the results pane, right-click LON-SVR1 Performance.

3. Wait one minute to allow the data capture to occur.

Task 3: Remove the Workload, and Review the Performance Data

1. At the command prompt, press Ctrl+C. Leave the command prompt running.

2. Switch to Performance Monitor.

3. Stop the data collector set.

4. In Performance Monitor, in the navigation pane, click Performance Monitor.

5. On the toolbar, click View log data.

6. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.

7. Click Add.

8. In the Select Log File dialog box, click Up One Level.

9. Double-click the LON-SVR1_date-000002 folder, and then double-click DataCollector01.blg.

10. Click the Data tab, and then click OK.

Record the following values:

a. Memory, Pages/sec

b. Network Interface, Bytes Total/sec

c. PhysicalDisk, %Disk Time

d. PhysicalDisk, Avg. Disk Queue Length

e. Processor, %Processor Time

f. System, Processor Queue Length

11. Close the Performance Monitor Properties dialog box.

Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4 through 9.

Question: Compared with your previous report, which values have changed?

Question: What would you recommend?

Results: After this exercise, you should have used performance tools to identify a potential performance bottleneck.

Exercise 3: Viewing and Configuring Centralized Event Logs

Scenario

In this exercise, you will use LON-DC1 to collect event logs from LON-SVR1. Specifically, you will use this process to gather performance-related alerts from your network servers.

The main tasks for this exercise are as follows:

1. Configure Subscription Prerequisites.

2. Create a Subscription.

3. Configure a Performance Counter Alert.

4. Introduce Additional Workload on the Server.

5. Verify Results.

6. To Prepare for the Next Module.

Task 1: Configure Subscription Prerequisites

1. Switch to LON-SVR1.

2. At the command prompt, run winrm quickconfig to enable the administrative changes that are necessary on a source computer.

3. Add the LON-DC1 computer to the local Administrators group.

4. Switch to LON-DC1.

5. At a command prompt, run wecutil qc to enable the administrative changes that are necessary on a collector computer.

Task 2: Create a Subscription

1. Open Event Viewer.

2. Create a new subscription with the following properties:

o Computers: LON-SVR1

o Name: LON-SVR1 Events

o Collector Initiated

o Events: Critical, Warning, Information, Verbose, and Error

o Logged: Last 7 days

o Logs: Applications and Services Logs > Microsoft > Windows > Diagnosis-PLA > Operational
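The following Windows PowerShell script is an added example, not part of the course material, that performs the subscription prerequisites from the Enabling Subscriptions section and Task 1, and then creates the collector-initiated LON-SVR1 Events subscription from Task 2 with wecutil instead of the Event Viewer wizard. The computer names, log, event levels, and 7-day window follow the lab; the source address is assumed to be the FQDN LON-SVR1.adatum.com, and the subscription XML element names are wecutil's subscription format as the author knows it.

```powershell
# Added example (not from the course): subscription prerequisites and a
# collector-initiated subscription created with wecutil. Run each section on
# the computer named in its heading, from an elevated prompt.

# ---- On the source computer (LON-SVR1) ----
# Create the WinRM listener and firewall exception (-q suppresses prompts).
winrm quickconfig -q
# Let the collector's computer account read the logs. The lab uses the local
# Administrators group; the built-in Event Log Readers group is the
# lower-privilege choice where the logs you forward are readable by it.
net localgroup Administrators 'ADATUM\LON-DC1$' /add

# ---- On the collector computer (LON-DC1) ----
# Configure and start the Windows Event Collector service (/q suppresses prompts).
wecutil qc /q

# Levels 1-5 (Critical, Error, Warning, Information, Verbose; Level 0 is how
# Event Viewer includes LogAlways events under Information) from the
# Diagnosis-PLA operational log, last 7 days = 604800000 ms.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/08/events/subscription">
  <SubscriptionId>LON-SVR1 Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Performance alerts forwarded from LON-SVR1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Diagnosis-PLA/Operational">
    <Select Path="Microsoft-Windows-Diagnosis-PLA/Operational">
      *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)
        and TimeCreated[timediff(@SystemTime) <= 604800000]]]
    </Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-SVR1.adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$xmlPath = "$env:TEMP\LON-SVR1-Events.xml"   # author's choice of location
$subscriptionXml | Out-File -FilePath $xmlPath -Encoding ascii
wecutil cs $xmlPath

# Verify the subscription definition and the runtime status of the source:
# the source should show as Active, not Trying or Disabled.
wecutil gs 'LON-SVR1 Events'
wecutil gr 'LON-SVR1 Events'

# Forwarded events arrive in the collector's Forwarded Events log, with
# MachineName still identifying the source computer.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

With CredentialsType set to Default, the collector authenticates with its machine account, which is why Task 1 adds the LON-DC1 computer account to a group on LON-SVR1; wecutil gr is the first place to look when the Forwarded Events log stays empty, because it reports the source's status and last error.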

Task 3: Configure a Performance Counter Alert

1. Switch to LON-SVR1.

2. Open Performance Monitor.

3. Create a new User Defined data collector set by using the following information to complete the process:

o Name: LON-SVR1 Alert

o Create: Create manually (Advanced)

o Type of data: Performance counter Alert

o Select the following counters: Processor, %Processor Time above 10 percent

o Sample interval: 1 second

o Where to store data: default value

o Alert Action: Log an entry in the application event log

4. Start the LON-SVR1 Alert data collector set.

Task 4: Introduce Additional Workload on the Server

1. Switch to the command prompt.

2. Change to the C:\Labfiles folder, and then run StressTool.exe 95.

3. Wait one minute for the data capture to occur, and, at the command prompt, press Ctrl+C, and then close the command prompt.

Task 5: Verify Results

• Switch to LON-DC1, and then open Forwarded Events.

Question: In Performance Monitor, are there any performance-related alerts in the subscribed application log? Hint: They have an ID of 2031.
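The following Windows PowerShell script is an added example, not part of the course material, that creates the LON-SVR1 Alert performance counter alert from Task 3 (and the earlier Configuring an Alert demonstration) with logman.exe instead of the wizard, and then checks for the resulting ID 2031 events both on the source and, after forwarding, in the collector's Forwarded Events log as Task 5 asks. The alert name, counter, threshold, and event ID follow the lab; the logman options are the tool's alert syntax as the author knows it, and the function name is the author's choice.

```powershell
# Added example (not from the course): performance counter alert created with
# logman, and the checks for the alert events on source and collector.

# ---- On LON-SVR1 (source) ----
$alertName = 'LON-SVR1 Alert'

# Fire when % Processor Time is above 10, sampled every second, and record the
# alert in the event log (-el). The entry lands in the
# Microsoft-Windows-Diagnosis-PLA/Operational log, the same log the
# subscription in Task 2 forwards to LON-DC1.
logman create alert $alertName -th '\Processor(_Total)\% Processor Time>10' -si 00:00:01 -el
logman start $alertName

# Run the workload here (StressTool.exe 95 from C:\Labfiles), then stop the alert.
logman stop $alertName

function Get-PlaAlerts {
    param(
        [string]$LogName      = 'Microsoft-Windows-Diagnosis-PLA/Operational',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours           = 1
    )
    # Event ID 2031 is the counter-threshold alert written by PLA.
    $filter = @{
        LogName   = $LogName
        Id        = 2031
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, Message
}

# Alerts as written locally on the source.
Get-PlaAlerts | Format-Table -AutoSize -Wrap

# ---- On LON-DC1 (collector) ----
# The same events after forwarding, now in the Forwarded Events log.
# MachineName still identifies the source computer.
Get-PlaAlerts -LogName ForwardedEvents | Format-Table -AutoSize -Wrap

# Alerts per source over the last day: which server keeps breaching its threshold.
Get-PlaAlerts -LogName ForwardedEvents -Hours 24 |
    Group-Object MachineName |
    Select-Object Name, Count
```

If the local query returns events but the collector shows none, the alert is working and the subscription is not; start with wecutil gr for the subscription's runtime status. If neither returns events, confirm the alert set is running with logman query and that the threshold was actually crossed during the workload.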

Task 6: To Prepare for the Next Module

When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1.

Results: At the end of this exercise, you will have centralized event logs and examined these logs for performance-related events.

Question: During the lab, you collected data in a data collector set. What is the advantage of collecting data in this way?


Module Review and Takeaways

Best Practices:

• Create an end-to-end monitoring strategy for your Information Technology (IT) infrastructure. Monitoring should focus on proactively detecting potential failures or performance issues.

• When monitoring, estimate the baseline of system utilizations for each server. This will help you determine whether the system is performing well or is overused.

Review Question(s)

Question: What significant counters should you monitor in Performance Monitor?

Question: Why is it important to monitor server performance periodically?

Question: Why should you use performance alerts?

Tools

Tool | Use for | Where to find it

Server Manager Dashboard | Monitoring multiple servers | Server Manager

Performance Monitor | Monitoring and analyzing real-time and logged performance data | Server Manager/Tools

Reliability Monitor | Monitoring hardware and software issues | Control Panel

Resource Monitor | Monitoring the use and performance of CPUs, disks, networks, and memory in real time | Server Manager/Tools

Event Viewer | Viewing and managing event logs | Server Manager/Tools

Task Manager | Identifying and resolving performance-related problems | Server Manager/Tools


Course Evaluation

Keep this evaluation topic page if this is the final module in this course. Insert the Product_Evaluation.ppt on this page.

If this is not the final module in the course, delete this page.

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Configuring and Troubleshooting Domain Name System

Lab: Configuring and Troubleshooting DNS

Exercise 1: Configuring DNS Resource Records

Task 1: Add the Required Mail Exchange (MX Record)

1. Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools, and then click DNS.

3. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

4. Right-click Adatum.com, and then click New host (A or AAAA).

5. In the New Host dialog box, in the Name box, type Mail1.

6. In the IP address box, type 172.16.0.250, and then click Add Host.

7. In the DNS dialog box, click OK.

8. In the New Host dialog box, click Done.

9. Right-click Adatum.com, and then click New Mail Exchanger (MX).

10. In the New Resource Record dialog box, in the Fully qualified domain name (FQDN) of mail server box, type Mail1.Adatum.com, and then click OK.

Task 2: Add the Required Microsoft Lync Server Records

1. To add the required Microsoft® Lync® Server records, right-click Adatum.com, and then click New host (A or AAAA).

2. In the New Host dialog box, in the Name box, type Lync-svr1.

3. In the IP address box, type 172.16.0.251, and then click Add Host.

4. In the DNS dialog box, click OK.

5. In the New Host dialog box, click Done.

6. Right-click Adatum.com, and then click Other New Records.

7. In the Resource Record Type dialog box, in the Select a resource record type list, scroll down, then click Service Location (SRV), and then click Create Record.

8. In the New Resource Record dialog box, in the Service box, type _sipinternaltls.

9. In the Protocol box, type _tcp.

10. In Port Number, type 5061.

11. In the Host offering this service box, type Lync-svr1.adatum.com.

12. Click OK, and then click Done.

Task 3: Create the Reverse Lookup Zone

1. In DNS Manager, in the navigation pane, click Reverse Lookup Zones.

2. Right-click Reverse Lookup Zones, and then click New Zone.

3. In the New Zone Wizard, click Next.


4. On the Zone Type page, click Primary zone, and then click Next.

5. On the Active Directory Zone Replication Scope page, click Next.

6. On the Reverse Lookup Zone Name page, click IPv4 Reverse Lookup Zone, and then click Next.

7. On the second Reverse Lookup Zone Name page, in the Network ID: box, type 172.16, and then click Next.

8. On the Dynamic Update page, click Next.

9. On the Completing the New Zone Wizard page, click Finish.

Results: After this exercise, you should have configured the required messaging service records and the reverse lookup zone successfully.
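The three tasks above, done with the DnsServer PowerShell module on LON-DC1 and followed by a resolution check of every record created. This is an added example, not code from the course: the zone, host names and addresses are the lab's; the MX preference of 10, the SRV priority and weight of 0, and the `Test-LabDnsRecords` helper are this example's own choices (the wizard steps in the lab accept the dialog defaults for those values).

```powershell
# Added example (not course code): Exercise 1 with the DnsServer module.
Import-Module DnsServer

$zone = 'Adatum.com'

# Task 1: host record for the mail server, then the MX record at the zone apex ("." = the zone itself).
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'Mail1' -IPv4Address '172.16.0.250'
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "Mail1.$zone" -Preference 10   # preference assumed

# Task 2: the Lync front end and the _sipinternaltls._tcp SRV record on port 5061.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'Lync-svr1' -IPv4Address '172.16.0.251'
Add-DnsServerResourceRecord  -ZoneName $zone -Srv -Name '_sipinternaltls._tcp' `
    -DomainName "Lync-svr1.$zone" -Port 5061 -Priority 0 -Weight 0                                    # priority/weight assumed

# Task 3: AD-integrated reverse lookup zone for 172.16.0.0/16 (becomes 16.172.in-addr.arpa).
Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/16' -ReplicationScope 'Domain'

# Verification: each record the exercise creates should resolve from the server itself,
# and the reverse zone should exist. Returns one row per check.
function Test-LabDnsRecords {
    param([string]$Server = 'LON-DC1', [string]$ZoneName = 'Adatum.com')
    $checks = @(
        @{ Name = "Mail1.$ZoneName";                Type = 'A'   }
        @{ Name = $ZoneName;                        Type = 'MX'  }
        @{ Name = "_sipinternaltls._tcp.$ZoneName"; Type = 'SRV' }
    )
    foreach ($c in $checks) {
        $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $Server -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check   = "$($c.Name) $($c.Type)"
            Found   = [bool]$answer
            Records = @($answer).Count
        }
    }
    $reverse = Get-DnsServerZone -Name '16.172.in-addr.arpa' -ComputerName $Server -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'reverse zone 16.172.in-addr.arpa'
        Found   = [bool]$reverse
        Records = if ($reverse) { 1 } else { 0 }
    }
}
Test-LabDnsRecords
```

The A records are created without matching PTR records, exactly as the GUI steps do (the "Create associated pointer (PTR) record" box is not selected), so reverse lookups for 172.16.0.250 and .251 will still fail after this script until those records are added.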


Exercise 2: Configuring DNS Conditional Forwarding

Task 1: Add the Conditional Forwarding Record for contoso.com

1. In DNS, in the navigation pane, click Conditional Forwarders.

2. Right-click Conditional Forwarders, and then click New Conditional Forwarder.

3. In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.

4. Click in the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail because the server cannot be contacted.

5. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check box.

6. Click OK.

Results: After this exercise, you should have successfully configured conditional forwarding.


Exercise 3: Installing and Configuring DNS Zones

Task 1: Install the DNS Server Role on LON-SVR1

1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd.

2. If necessary, on the taskbar, click Server Manager.

3. In Server Manager, in the navigation pane, click Dashboard, and then, in the details pane, click Add roles and features.

4. In the Add Roles and Features Wizard, click Next.

5. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, in the Roles list, select the DNS Server check box.

8. In the Add Roles and Features Wizard dialog box, click Add Features.

9. On the Select server roles page, click Next.

10. On the Select features page, click Next.

11. On the DNS Server page, click Next.

12. On the Confirm installation selections page, click Install.

13. After the role is installed, click Close.

Task 2: Create the Required Secondary Zones on LON-SVR1

1. To use Windows® PowerShell® to create the secondary zone, type the following in a Windows PowerShell Administrator console, and then press Enter:

Add-DnsServerSecondaryZone -Name "Adatum.com" -ZoneFile "Adatum.com.dns" -MasterServers 172.16.0.10

Task 3: Enable and Configure Zone Transfers

1. Switch to LON-DC1.

2. On the desktop, open Windows PowerShell on the taskbar.

3. At the Windows PowerShell Administrator console, type the following cmdlet, and then press Enter:

Set-DnsServerPrimaryZone -Name "adatum.com" -Notify NotifyServers -NotifyServers "172.16.0.21" -SecondaryServers "172.16.0.21" -SecureSecondaries TransferToSecureServers

4. In DNS Manager, in the navigation pane, click Adatum.com, and then, on the toolbar, click Refresh.

5. Right-click Adatum.com, and then click Properties.

6. In the Adatum.com Properties dialog box, click the Zone Transfers tab.

7. Click Notify, and verify that the server 172.16.0.21 appears.

8. Click Cancel.

Task 4: Configure TTL, Aging, and Scavenging

1. On LON-DC1, in DNS Manager, right-click Adatum.com, and then click Properties.

2. In the Adatum.com Properties dialog box, click the Start of Authority (SOA) tab.


3. In the Minimum (default) TTL box, type 2, and then click OK.

4. Right-click LON-DC1, and then click Set Aging/Scavenging for All Zones.

5. In the Server Aging/Scavenging Properties dialog box, select the Scavenge stale resource records check box, and then click OK.

6. In the Server Aging/Scavenging Confirmation dialog box, select the Apply these settings to the existing Active Directory-integrated zones check box, and then click OK.

Task 5: Configure Clients to Use the New Name Server

1. Switch to LON-CL1.

2. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.

3. On the Start screen, type Control, and then click Control Panel.

4. In Control Panel, click Network and Internet.

5. In Network and Internet, click Network and Sharing Center.

6. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.

7. In the Ethernet Status dialog box, click Properties.

8. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, in the Preferred DNS server box, type 172.16.0.21, and then click OK.

10. In the Ethernet Properties dialog box, click Close.

11. In the Ethernet Status dialog box, click Close.

Results: After this exercise, you should have successfully installed and configured Domain Name System (DNS) on LON-SVR1.


Exercise 4: Troubleshooting DNS

Task 1: Test Simple and Recursive Queries

1. Switch to LON-DC1.

2. On LON-DC1, switch to DNS Manager.

3. In the navigation pane, right-click LON-DC1, and then click Properties.

4. Click the Monitoring tab.

5. On the Monitoring tab, select A simple query against this DNS server, and then click Test Now.

6. On the Monitoring tab, select A recursive query to other DNS servers, and then click Test Now. Notice that the Recursive test fails for LON-DC1, which is normal given that there are no forwarders configured for this DNS server to use.

7. Pause your mouse pointer over the lower left corner of the display, and then click the Windows icon.

8. On the Start screen, type cmd, and then press Enter.

9. In the Search results pane, click Command Prompt.

10. At the command prompt, type the following command, and then press Enter:

sc stop dns

11. Switch back to DNS Manager.

12. In DNS Manager, in the LON-DC1 Properties dialog box, on the Monitoring tab, click Test Now. Now, both simple and recursive tests fail because no DNS server is available.

13. Switch to the command prompt.

14. At the command prompt, type the following command, and then press Enter:

sc start dns

15. Switch back to DNS Manager.

16. On the Monitoring tab, click Test Now. The simple test completes successfully.

17. Close the LON-DC1 Properties dialog box.

Task 2: Verify Start-of-Authority Resource Records with Windows PowerShell

1. On LON-DC1, on the taskbar, click Windows PowerShell.

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

Resolve-DnsName -Name Adatum.com -Type SOA

3. Close the Windows PowerShell prompt.

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1 and 20411C-LON-CL1.

Results: After this exercise, you should have successfully tested and verified DNS.
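A read-only check that covers what Exercise 3 configures (zone transfer restriction, notify list, aging) and what Exercise 4 tests from the Monitoring tab (simple query, recursive query, SOA). It is an added example, not course code, intended to be run on LON-DC1 after both exercises; the server and zone names are the lab's, and the two function names are this example's own. The interesting output is `TransferIsOpen`: a primary zone left at `TransferAnyServer` hands a full copy of the zone to any host that asks, which is why the lab restricts transfers to 172.16.0.21.

```powershell
# Added example (not course code): audit the zone transfer and scavenging settings
# from Exercise 3, then run the health tests from Exercise 4 without the GUI.
Import-Module DnsServer

function Get-DnsZoneTransferPosture {
    param([string]$ZoneName = 'Adatum.com', [string]$ComputerName = 'LON-DC1')
    $zone  = Get-DnsServerZone      -Name $ZoneName -ComputerName $ComputerName
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $srv   = Get-DnsServerScavenging -ComputerName $ComputerName
    [pscustomobject]@{
        Zone                 = $zone.ZoneName
        SecureSecondaries    = $zone.SecureSecondaries            # TransferToSecureServers after Task 3
        SecondaryServers     = ($zone.SecondaryServers -join ', ')
        Notify               = $zone.Notify
        NotifyServers        = ($zone.NotifyServers -join ', ')
        ZoneAgingEnabled     = $aging.AgingEnabled                # set by Task 4 step 5-6
        ServerScavenging     = $srv.ScavengingState
        TransferIsOpen       = ($zone.SecureSecondaries -eq 'TransferAnyServer')
    }
}

function Test-DnsServerHealth {
    param([string]$ServerIP = '172.16.0.10', [string]$ZoneName = 'Adatum.com')
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # "Simple query": ask the server for a zone it hosts.
    $simple = Test-DnsServer -IPAddress $ServerIP -ZoneName $ZoneName
    # "Recursive query": can the server resolve outside its own zones? In the lab this
    # fails, as Task 1 step 6 says, because no forwarders are configured.
    $recursive = Test-DnsServer -IPAddress $ServerIP -Context RootHints
    # Task 2: the SOA record, which also tells you which server is primary for the zone.
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $ServerIP -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1

    [pscustomobject]@{
        ServiceStatus  = $serviceStatus       # 'Stopped' reproduces step 12: both tests fail
        SimpleQuery    = $simple.Result
        RecursiveQuery = $recursive.Result
        SoaPrimary     = $soa.PrimaryServer
        SoaSerial      = $soa.SerialNumber
    }
}

Get-DnsZoneTransferPosture
Test-DnsServerHealth
```

Stopping the service with `sc stop dns`, as Task 1 does, and re-running `Test-DnsServerHealth` shows the same outcome the Monitoring tab reports: `ServiceStatus` becomes Stopped and both query results fail.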


Module 2: Maintaining Active Directory® Domain Services

Lab: Maintaining AD DS

Exercise 1: Installing and Configuring an RODC

Task 1: Verify Requirements for Installing an RODC

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, in the navigation pane, right-click the Adatum.com domain, and then click Raise domain functional level.

3. In the Raise domain functional level window, confirm that the Current domain functional level is set to Windows Server® 2008 R2. The minimum level for RODC support is Windows Server® 2003. Click Cancel.

4. Switch to LON-SVR1.

5. On LON-SVR1, in Server Manager, click Local Server, and then click LON-SVR1 beside Computer name.

6. In the System Properties window, click Change.

7. In the Computer Name/Domain Changes window, click the Workgroup radio button, type TEMPORARY into the Workgroup field, and then click OK.

8. In the Computer Name/Domain Changes window, click OK.

9. Click OK twice to confirm the name change and pending server restart.

10. In the System Properties window, click Close.

11. In the Microsoft® Windows® window, click Restart Now.

12. Switch to LON-DC1.

13. On LON-DC1, in Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then click Computers.

14. Right-click LON-SVR1, and then click Delete.

15. Click Yes twice.

16. In Active Directory Users and Computers, right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.

17. In the Active Directory Domain Services Installation Wizard window, click Next.

18. Click Next to accept the current credentials.

19. In the Computer name field, type LON-SVR1, and then click Next.

20. On the Select a site page, click Next.

21. On the Additional Domain Controller Options page, click Next.

22. On the Delegation of RODC Installation and Administration page, type Adatum\IT in the Group or user field, and then click Next.

23. On the Summary page, click Next.

24. Click Finish to complete the wizard.

25. Close Active Directory® Users and Computers.


Task 2: Install an RODC

1. Log on to LON-SVR1 as Administrator with the password Pa$$w0rd.

2. On LON-SVR1, in Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. Ensure that Role-based or feature-based installation is selected, and then click Next.

5. Select LON-SVR1, and then click Next.

6. On the Select server roles page, select the check box to select Active Directory Domain Services, click Add Features, and then click Next.

7. On the Select features page, click Next.

8. Click Next, and then click Install to continue the installation.

9. When the installation completes, click Close.

10. In Server Manager, click the Notifications icon, and then click Promote this server to a domain controller.

11. In the Deployment Configuration window, beside Domain, click Select.

12. In the Windows Security window, type Adatum\April as the user name and Pa$$w0rd as the password, and then click OK.

13. In the Select a domain from the forest window, click Adatum.com, and then click OK.

14. In the Deployment Configuration window, click Next.

15. On the Domain Controller Options screen, under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in the Password and Confirm password fields, and then click Next.

16. On the Additional Options page, beside Replicate from, click the drop-down box, click LON-DC1.Adatum.com, and then click Next.

17. On the Paths page, click Next.

18. On the Review Options page, click Next.

19. On the Prerequisites Check page, click Install.

20. After the Active Directory Domain Services Wizard has completed, LON-SVR1 will restart.

Task 3: Configure a Password-Replication Policy

Configure password-replication groups

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, click the Users container, double-click Allowed RODC Password Replication Group, click the Members tab, and then verify that nothing is listed there.

3. Click OK.

4. In Active Directory Users and Computers, click the Domain Controllers organizational unit (OU), right-click LON-SVR1, and then click Properties.

5. Click the Password Replication Policy tab, and confirm that Allowed RODC Password Replication Group and Denied RODC Password Replication Group are both listed.

6. Click OK.


Create a group to manage password replication to the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, right-click the Research OU, click New, and then click Group.

2. In the New Object – Group window, type Remote Office Users in the Group name field, confirm that Global and Security are selected, and then click OK.

3. In Active Directory Users and Computers, click the Research OU, and then double-click the Remote Office Users group.

4. In the Remote Office Users Properties window, click the Members tab.

5. Click Add, type Aziz; Colin; Lukas; Louise and then click Check Names.

6. Click Object Types, select Computers, and then click OK.

7. In the Enter the object names to select field, type LON-CL1, click Check names, and then click OK.

8. Click OK to close the Remote Office Users Properties window.

Configure a password-replication policy for the remote office RODC

1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, right-click LON-SVR1, and then click Properties.

2. In the LON-SVR1 Properties window, click the Password Replication Policy tab, and then click Add.

3. In the Add Groups, Users, and Computers window, click the radio button to select Allow passwords for the account to replicate to this RODC, and then click OK.

4. In the search window, in the Enter the object names to select field, type Remote Office Users, click Check Names, and then click OK.

5. In the LON-SVR1 Properties window, click Apply, and do not close the window.

Evaluate the resulting password-replication policy

1. On LON-DC1, in the LON-SVR1 Properties window, on the Password Replication Policy tab, click Advanced.

2. Click the Resultant Policy tab, click Add, type Aziz, click Check Names, and then click OK.

3. Confirm that the Resultant Setting for Aziz is Allow.

4. Click Close, and then click OK to close the LON-SVR1 Properties dialog box.

Monitor credential caching

1. Switch to LON-SVR1.

2. Attempt to sign in as Adatum\Aziz with the password Pa$$w0rd. The sign-in will fail because Aziz does not have permission to sign in to LON-SVR1. However, the credentials for Aziz’s account were processed and cached on LON-SVR1.

3. Switch to LON-DC1.

4. In Active Directory Users and Computers, click the Domain Controllers OU, double-click LON-SVR1, and then click the Password Replication Policy tab.

5. On the Password Replication Policy tab, click Advanced. Notice that Aziz’s account’s password has been stored on LON-SVR1.

6. Click Close, and then click OK.


Prepopulate credential caching

1. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, double-click LON-SVR1, and then click the Password Replication Policy tab.

2. On the Password Replication Policy tab, click Advanced, and then click Prepopulate Passwords.

3. Type Louise; LON-CL1, click Check names, click OK, and then click Yes.

4. Click OK, and confirm that Louise and LON-CL1 have both been added to the list of accounts with cached credentials.

5. Close all open windows on LON-DC1.

Results: After completing this exercise, you should have successfully installed and configured an RODC.
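Task 3 of this exercise (the group, the allow entry, the resultant policy, the cached-credential check and the prepopulation) done with the ActiveDirectory module from LON-DC1. This is an added example and not the course's code; the group, user, computer and RODC names are the lab's, and `Get-RodcCachedAccounts` is this example's own helper. Its output is the same information as the Advanced button on the Password Replication Policy tab: the accounts whose secrets are actually stored on the RODC, which is the set exposed if that branch-office server is ever stolen or compromised, so it is worth re-running periodically.

```powershell
# Added example (not course code): Exercise 1, Task 3 with the ActiveDirectory module.
Import-Module ActiveDirectory

$rodc = 'LON-SVR1'

# Create the group to manage password replication and add the remote office accounts.
New-ADGroup -Name 'Remote Office Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Research,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'Remote Office Users' `
    -Members 'Aziz', 'Colin', 'Lukas', 'Louise', 'LON-CL1$'   # computer accounts end in $

# Configure the PRP: allow the group's passwords to be cached on this RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Remote Office Users'

# Evaluate the policy: the allow and deny lists as the tab shows them. Denied wins over
# allowed, so Aziz resolves to Allow only because no denied group contains him.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Prepopulate credential caching for Louise and LON-CL1 (the Prepopulate Passwords button).
foreach ($obj in (Get-ADUser -Identity 'Louise'), (Get-ADComputer -Identity 'LON-CL1')) {
    Sync-ADObject -Object $obj -Source 'LON-DC1' -Destination $rodc -PasswordOnly
}

# Monitor credential caching: what the RODC has cached versus who has merely
# authenticated through it (the failed Aziz sign-in shows up in both lists).
function Get-RodcCachedAccounts {
    param([string]$Identity = 'LON-SVR1')
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -RevealedAccounts
    $authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -AuthenticatedAccounts
    $allowed  = Get-ADGroupMember -Identity 'Remote Office Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        RODC          = $Identity
        Revealed      = @($revealed | Select-Object -ExpandProperty SamAccountName)
        Authenticated = @($authed   | Select-Object -ExpandProperty SamAccountName)
        # Cached accounts that are not members of the allow group deserve a second look:
        # they were admitted by some other allow entry, or the group has since changed.
        RevealedOutsideGroup = @($revealed | Where-Object { $_.SamAccountName -notin $allowed } |
            Select-Object -ExpandProperty SamAccountName)
    }
}
Get-RodcCachedAccounts
```

The Allowed RODC Password Replication Group that the lab checks in step 2 of this task is empty by design; adding users to it would permit caching on every RODC in the domain, whereas the allow entry above is scoped to LON-SVR1 alone.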


Exercise 2: Configuring AD DS Snapshots

Task 1: Create a Snapshot of AD DS

1. On LON-DC1, move your mouse to the bottom left corner, and then click the Start charm.

2. From the Start screen, type cmd, and then press Enter.

3. At the command prompt, type the following, and then press Enter:

Ntdsutil

4. At the command prompt, type the following, and then press Enter:

Snapshot

5. At the command prompt, type the following, and then press Enter:

activate instance ntds

6. At the command prompt, type the following, and then press Enter:

Create

7. Either make a note of the GUID number that the command returns, or copy the GUID to the clipboard.

8. After the snapshot is created, at the command prompt, type the following, and then press Enter:

Quit

9. At the command prompt, type the following, and then press Enter:

quit

Task 2: Make a Change to AD DS

1. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, double-click the Marketing OU, right-click Adam Barr, and then click Delete.

3. Click Yes to confirm the deletion.

Task 3: Mount an Active Directory Snapshot, and Create a New Instance

1. On LON-DC1, move your mouse to the bottom left corner, and then click the Start charm.

2. On the Start screen, type cmd, right-click the Command Prompt, and then click Run as Administrator.

3. At the command prompt, type the following, and then press Enter:

Ntdsutil

4. At the command prompt, type the following, and then press Enter:

Snapshot


5. At the command prompt, type the following, and then press Enter:

activate instance ntds

6. At the command prompt, type the following, and then press Enter:

list all

7. At the command prompt, type the following, and then press Enter:

mount <GUID>

8. Where <GUID> is the GUID returned by the Create command in Task 1.

9. At the command prompt, type the following, and then press Enter:

Quit

10. At the command prompt, type the following, and then press Enter:

Quit

11. On the Desktop taskbar, click the File Explorer icon, and select the Local Disk (C:) node. There only should be one folder on your C:\ drive with a name that begins with $snap. Note the full name of the $SNAP folder, which includes a datetime value.

12. Write down the datetime value.

13. At the command prompt, type the following, and then press Enter:

dsamain /dbpath C:\$SNAP_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000

14. Note that datetime will be a unique value. Replace it with the value written down in step 11. A message indicates that Active Directory Domain Services startup is complete. Leave Dsamain.exe running, and do not close the command prompt.

Task 4: Explore a Snapshot with Active Directory Users and Computers

1. Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then click Change Domain Controller.

2. Click <Type a Directory Server name[:port] here>, type LON-DC1:50000, and then press Enter. Click OK.

3. In the navigation pane, double-click Adatum.com.

4. In the navigation pane, double-click the Marketing OU.

5. Locate the Adam Barr user account object. Note that the Adam Barr object is displayed because the snapshot was taken prior to deleting it.


Task 5: Unmount an Active Directory Snapshot

1. In the command prompt, press Ctrl+C to stop Dsamain.exe.

2. Type the following commands, and then press Enter after each line:

ntdsutil
snapshot
activate instance ntds
list all
unmount <GUID>
list all
quit
quit

Where <GUID> is the GUID of the snapshot.

Results: After completing this exercise, you should have successfully configured AD DS snapshots.
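Tasks 1, 3, 4 and 5 of this exercise as a script. ntdsutil accepts its menu commands as command-line arguments, so the snapshot can be created, mounted, queried over LDAP and unmounted without retyping the GUID or the `$SNAP_` folder name by hand. This is an added example and not course code: the DC name and LDAP port 50000 are the lab's; the function names and the two regular expressions that pick the GUID and the mount path out of ntdsutil's output are this example's assumptions about that output format.

```powershell
# Added example (not course code): Exercise 2 driven from PowerShell on LON-DC1.
# Run from an elevated prompt, as the lab does for Task 3.

function New-AdDsSnapshot {
    # Task 1: create a snapshot and return its GUID instead of copying it from the screen.
    $out = ntdsutil 'activate instance ntds' snapshot create quit quit 2>&1
    $m = [regex]::Match(($out -join "`n"), '\{([0-9a-fA-F-]{36})\}')   # assumed output format
    if (-not $m.Success) { throw "Snapshot creation failed:`n$($out -join "`n")" }
    $m.Groups[1].Value
}

function Mount-AdDsSnapshot {
    # Task 3 steps 3-12: mount the snapshot and return the C:\$SNAP_<datetime>_VOLUMEC$ path.
    param([Parameter(Mandatory)][string]$Guid)
    $out = ntdsutil 'activate instance ntds' snapshot "mount {$Guid}" quit quit 2>&1
    $m = [regex]::Match(($out -join "`n"), '[A-Za-z]:\\\$SNAP_\S+')      # assumed output format
    if (-not $m.Success) { throw "Mount failed:`n$($out -join "`n")" }
    $m.Value.TrimEnd('\')
}

function Start-SnapshotLdap {
    # Task 3 step 13: expose the mounted database on a separate LDAP port with dsamain.
    param([Parameter(Mandatory)][string]$MountPath, [int]$Port = 50000)
    $db = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    Start-Process -FilePath 'dsamain.exe' -ArgumentList "/dbpath `"$db`" /ldapport $Port" -PassThru
}

function Dismount-AdDsSnapshot {
    # Task 5: unmount; do this as soon as you are done, the mounted copy is a full ntds.dit.
    param([Parameter(Mandatory)][string]$Guid)
    ntdsutil 'activate instance ntds' snapshot "unmount {$Guid}" quit quit | Out-Null
}

# --- Usage, in the order the lab performs it ---
$guid = New-AdDsSnapshot
# (Task 2, the deletion of Adam Barr, happens here in the lab.)
$path = Mount-AdDsSnapshot -Guid $guid
$ldap = Start-SnapshotLdap -MountPath $path -Port 50000
Start-Sleep -Seconds 5                      # give dsamain time to report "startup is complete"

# Task 4: read the snapshot, not the live directory, by pointing at the extra port.
Get-ADUser -Filter "Name -eq 'Adam Barr'" -Server 'LON-DC1:50000' |
    Select-Object Name, DistinguishedName

Stop-Process -Id $ldap.Id                   # Task 5 step 1 (Ctrl+C)
Dismount-AdDsSnapshot -Guid $guid
```

Once mounted, the folder under C:\ contains a complete, readable copy of the directory database, including every account's password hashes; it is only as protected as the NTFS permissions on that folder, which is the practical reason Task 5 exists and should not be skipped.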


Exercise 3: Configuring the Active Directory Recycle Bin

Task 1: Enable the Active Directory Recycle Bin

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.

2. Click Adatum (local).

3. In the Tasks pane, click Enable Recycle Bin, click OK on the warning message box, and then click OK on the message asking you to refresh Active Directory Administrative Center.

4. Press F5 to refresh Active Directory Administrative Center.

Task 2: Create and Delete Test Users

1. In Active Directory Administrative Center, double-click the Research OU.

2. In the Task pane, click New, and then click User.

3. Enter the following information under Account, and then click OK:

o Full name: Test1

o User UPN logon: Test1

o Password: Pa$$w0rd

o Confirm password: Pa$$w0rd

4. Repeat the previous steps to create a second user, Test2.

5. Select both Test1 and Test2. Right-click the selection, and then click Delete.

6. At the confirmation prompt, click Yes.

Task 3: Restore the Deleted Users

1. In Active Directory Administrative Center, click Adatum (Local), and then double-click Deleted Objects.

2. Right-click Test1, and then click Restore.

3. Right-click Test2, and then click Restore To.

4. In the Restore To window, click the IT OU, and then click OK.

5. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.

Task 4: Prepare for the Next Module

Note: Do not perform if you are performing the optional exercise entitled “Cloning a Domain Controller”. If you are performing the optional exercise, return here when done to finish the “To prepare for next module” task as outlined below.

When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1.

Results: After completing this exercise, you should have successfully configured the Active Directory Recycle Bin.
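Tasks 1 to 3 of this exercise with the ActiveDirectory module. This is an added example, not course code; the forest, OU and user names and the password are the lab's, and `Get-DeletedAdUser` is this example's own helper. The point the GUI hides is how a deleted object is found: it keeps its `lastKnownParent` attribute, which is what lets Restore put Test1 back into Research while Restore To sends Test2 somewhere else.

```powershell
# Added example (not course code): Exercise 3 with the ActiveDirectory module, on LON-DC1.
Import-Module ActiveDirectory

# Task 1: enabling the Recycle Bin is forest-wide and cannot be undone (the GUI warning).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target 'Adatum.com' -Confirm:$false

# Task 2: create Test1 and Test2 in Research, then delete them.
$researchOu = 'OU=Research,DC=Adatum,DC=com'
$password   = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
foreach ($name in 'Test1', 'Test2') {
    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@Adatum.com" `
        -Path $researchOu -AccountPassword $password -Enabled $true
}
Get-ADUser -Filter "Name -like 'Test*'" | Remove-ADUser -Confirm:$false

# Task 3: find the tombstoned (now "deleted", fully recoverable) objects.
function Get-DeletedAdUser {
    # Deleted objects are renamed to "<name>\0ADEL:<guid>", so match on the prefix.
    param([Parameter(Mandatory)][string]$Name)
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(name=$Name*))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
}

Get-DeletedAdUser -Name 'Test1' | Select-Object Name, lastKnownParent, whenChanged

# "Restore" puts the object back under lastKnownParent; "Restore To" overrides the target.
Get-DeletedAdUser -Name 'Test1' | Restore-ADObject
Get-DeletedAdUser -Name 'Test2' | Restore-ADObject -TargetPath 'OU=IT,DC=Adatum,DC=com'

# Confirm: Test1 in Research, Test2 in IT.
Get-ADUser -Filter "Name -like 'Test*'" | Select-Object Name, DistinguishedName
```

The same `Get-DeletedAdUser` query, run with a broader name pattern and the `whenChanged` column, is a cheap way to review what has been deleted from the directory recently, which is often the first question after an accidental or malicious bulk deletion.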


Exercise 4: Optional Exercise: Cloning a Domain Controller

Task 1: Check for Domain Controller Clone Prerequisites

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.

2. In Active Directory Administrative Center, double-click Adatum (local), and then, in the details pane, double-click the Domain Controllers OU.

3. In the details pane, select LON-DC1, and then, in the Tasks pane, in the LON-DC1 section, click Add to group.

4. In the Select Groups dialog box, in the Enter the object names to select box, type Cloneable, and then click Check Names.

5. Ensure that the group name is expanded to Cloneable Domain Controllers, and then click OK.

6. On LON-DC1, in the taskbar, click the Windows PowerShell icon.

7. At the Windows PowerShell® command prompt, type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList

8. Verify the list of critical applications. In production you need to verify each application or use a domain controller that has fewer applications installed by default. Type the following command, and then press Enter:

Get-ADDCCloningExcludedApplicationList -GenerateXML

9. To create the DCCloneConfig.xml file, at the Windows PowerShell command prompt, type the following command, and then press Enter:

New-ADDCCloneConfigFile

10. To shut down LON-DC1, at the Windows PowerShell command prompt, type the following command, and then press Enter:

Stop-Computer

Task 2: Export the Source Domain Controller

1. On the host computer, in Hyper-V Manager, in the details pane, select the 20411C-LON-DC1 virtual machine.

2. In the Actions pane, in the 20411C-LON-DC1 section, click Export.

3. In the Export Virtual Machine dialog box, select the location D:\Program Files\Microsoft Learning\20411, and then click Export.

4. Wait until the export is finished.

5. In the Actions pane, in the 20411C-LON-DC1 section, click Start.

Task 3: Perform Domain Controller Cloning

1. In the Actions pane, in the upper section that is named after the host computer, click Import Virtual Machine.

2. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.

3. On the Locate Folder page, click Browse, select the folder D:\Program Files\Microsoft Learning\20411\20411C-LON-DC1, click Select Folder, and then click Next.


4. On the Select Virtual Machine page, select 20411C-LON-DC1, and then click Next.

5. On the Choose Import Type page, select Copy the virtual machine (create a new unique ID), and then click Next.

6. On the Choose Folders for Virtual Machine Files page, select the Store the virtual machine in a different location check box. For each folder location, provide the following path: D:\Program Files\Microsoft Learning\20411\. Click Next.

7. On the Choose Folders to Store Virtual Hard Disks page, provide the path D:\Program Files\Microsoft Learning\20411\, and then click Next.

8. On the Completing Import Wizard page, click Finish.

9. In the details pane, identify and select the newly imported virtual machine named 20411C-LON-DC1, which has the State shown as Off. In the lower section of the Actions pane, click Rename.

10. Type 20411C-LON-DC3 as the name, and then press Enter.

11. In the Actions pane, in the 20411C-LON-DC3 section, click Start, and then click Connect to watch the virtual machine start.

12. While the server is starting, note the “Domain Controller cloning is at x% completion” message.

Results: After completing this exercise, you will have successfully cloned a domain controller.
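The whole exercise as a script: the ActiveDirectory cmdlets are the ones the tasks already type in, and the Hyper-V cmdlets stand in for the Export and Import wizards on the host. This is an added example and not course code. The export path, VM names and DC names are the lab's; the clone's static address 172.16.0.30, its gateway and the site name `Default-First-Site-Name` are constructed values for this example (the lab's wizard run leaves the clone on DHCP), and `Get-ClonedDc` is this example's own helper.

```powershell
# Added example (not course code): Exercise 4 scripted.

# ----- Task 1, on LON-DC1 -----
Import-Module ActiveDirectory

# Only members of Cloneable Domain Controllers may be cloned; this is the authorization step.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'LON-DC1')

$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    # Everything listed has not been vetted for cloning. Review each entry; -GenerateXml
    # writes CustomDCCloneAllowList.xml that waives all of them, which is the lab's
    # shortcut, not a production decision.
    $excluded | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml
}

# DCCloneConfig.xml with a fixed name and address so the clone is predictable
# (assumed values; omit -Static and the IPv4 parameters to use DHCP as the lab does).
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address '172.16.0.30' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'

Stop-Computer   # the source must be off while it is exported

# ----- Tasks 2 and 3, on the Hyper-V host (Hyper-V PowerShell module) -----
$base = 'D:\Program Files\Microsoft Learning\20411'

Export-VM -Name '20411C-LON-DC1' -Path $base
Start-VM  -Name '20411C-LON-DC1'

# Import-VM wants the VM configuration file inside the exported folder.
$config = Get-ChildItem -Path "$base\20411C-LON-DC1\Virtual Machines" -File |
    Where-Object { $_.Extension -in '.xml', '.vmcx' } | Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath "$base\LON-DC3" -VhdDestinationPath "$base\LON-DC3"
Rename-VM -VM $clone -NewName '20411C-LON-DC3'
Start-VM  -Name '20411C-LON-DC3'    # first boot shows "Domain Controller cloning is at x% completion"

# ----- Afterwards, on LON-DC1: the clone should be registered as a DC of its own -----
function Get-ClonedDc {
    param([string]$Name = 'LON-DC3')
    Get-ADDomainController -Filter "Name -eq '$Name'" |
        Select-Object Name, IPv4Address, Site, IsReadOnly, OperatingSystem
}
Get-ClonedDc
```

If `Get-ClonedDc` returns nothing after the clone has booted, the usual cause is that DCCloneConfig.xml was missing or rejected, in which case the imported machine starts in Directory Services Restore Mode rather than as a new DC; check the clone's console before doing anything else with it.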


Module 3: Managing User and Service Accounts

Lab: Managing User and Service Accounts

Exercise 1: Configuring Password Policy and Account Lockout Settings

Task 1: Configure a Domain-Based Password Policy

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, expand Group Policy Objects, right-click Default Domain Policy, and then click Edit.

3. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.

4. Double-click Enforce password history.

5. In the Enforce password history Properties window, type 20 in the Keep password history for field, and then click OK.

6. Double-click Maximum password age.

7. In the Maximum password age Properties window, type 45 in the Password will expire in field, and then click OK.

8. Double-click Minimum password age.

9. In the Minimum password age Properties window, ensure that the Password can be changed after field is 1, and then click OK.

10. Double-click Minimum password length.

11. In the Minimum password length Properties window, type 10 in the Password must be at least field, and then click OK.

12. Double-click Password must meet complexity requirements.

13. In the Password must meet complexity requirements Properties window, click Enabled, and then click OK.

14. Do not close the Group Policy Management Editor.

Task 2: Configure an Account Lockout Policy

1. In the Group Policy Management Editor, in the navigation pane, click Account Lockout Policy.

2. Double-click Account lockout duration.

3. In the Account lockout duration Properties window, click Define this policy setting, type 30 in the Account is locked out for field, and then click OK.

4. In the Suggested Value Changes window, note the suggested values, including the automatic configuration of Account lockout threshold, and then click OK.

5. Double-click Reset account lockout counter after.

6. In the Reset account lockout counter after Properties window, type 15 in the Reset account lockout counter after field, and then click OK.

7. Close Group Policy Management Editor.

8. Close Group Policy Management.


Task 3: Configure and Apply a Fine-Grained Password Policy

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.

2. In the Active Directory Administrative Center, in the navigation pane, click Adatum (local).

3. In the details pane, double-click the Managers OU.

4. In the details pane, right-click the Managers group, and then click Properties.

Note: Make sure that you open the Properties page for the Managers group, and not the Managers organizational unit (OU).

In the Managers window, under Group scope, click Global, and then click OK.

5. In the Active Directory Administrative Center, in the navigation pane, click Adatum (local).

6. In the details pane, double-click the System container.

7. In the details pane, right-click the Password Settings Container, click New, and then click Password Settings.

8. In the Create Password Settings window, complete the following steps:

a. Type ManagersPSO in the Name field.

b. Type 10 in the precedence field.

c. Type 15 in the Minimum password length field.

d. Type 20 in the Number of passwords remembered field.

e. Type 30 in the User must change the password after (days) field.

f. Click Enforce account lockout policy.

g. Type 3 in the Number of failed logon attempts allowed field.

h. Type 30 in the Reset failed logon attempts count after(mins) field.

i. Click the Until an administrator manually unlocks the account option.

9. In the Directly Applies To section, click Add.

10. In the Select Users and Groups window, in the Enter the object names to select field, type Managers, click Check Names, and then click OK.

11. In the Create Password Settings window, click OK.

12. Close the Active Directory Administrative Center.

Results: After completing this exercise, you will have configured password policy and account lockout settings.
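The same fine-grained policy as Task 3, built with the ActiveDirectory module and followed by a resultant-policy check, as an added example that is not part of the handbook. It assumes the Adatum.com lab domain, the Managers group from the lab (already switched to Global scope, which a PSO requires), and a domain functional level of Windows Server 2008 or higher; the mapping of the "until an administrator manually unlocks" option to a zero LockoutDuration is an assumption noted in the code.

```powershell
# Added example (not from the handbook). Assumes the Adatum.com lab domain
# and the Managers global security group created in Exercise 1.
Import-Module ActiveDirectory

# Tasks 1 and 2 set the domain-wide values in the Default Domain Policy GPO.
# The PDC emulator writes them to the domain head, so reading them back here
# confirms the GPO was actually applied rather than only edited.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration,
                  LockoutObservationWindow

# Task 3: ManagersPSO with the lab's values. A lower Precedence number wins
# when a user is covered by several PSOs. LockoutDuration of zero is the
# assumed equivalent of "until an administrator manually unlocks".
$pso = @{
    Name                        = 'ManagersPSO'
    Precedence                  = 10
    MinPasswordLength           = 15
    PasswordHistoryCount        = 20
    MaxPasswordAge              = (New-TimeSpan -Days 30)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 3
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 0)   # assumption: 0 = manual unlock
}
New-ADFineGrainedPasswordPolicy @pso

# Steps 9-11: a PSO can be applied only to users and global security groups,
# which is why step 4 changed the Managers group to Global scope.
Add-ADFineGrainedPasswordPolicySubject -Identity ManagersPSO -Subjects Managers

# Verification: pick one user member of Managers and ask AD which policy
# actually governs that account. The result should be ManagersPSO, not the
# domain defaults.
$member = Get-ADGroupMember -Identity Managers |
          Where-Object objectClass -eq 'user' | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy is the check that matters: a PSO attached to a group of the wrong scope, or to a nested group, is created without error but never applies, and the resultant policy is the only place that shows it.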


Exercise 2: Creating and Associating a Managed Service Account

Task 1: Create and Associate a Managed Service Account

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.

2. Type the following in the Windows PowerShell command window, and then press Enter:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

3. Type the following in the Windows PowerShell command window, and then press Enter:

New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1 -PrincipalsAllowedToRetrieveManagedPassword LON-DC1$

4. Type the following in the Windows PowerShell command window, and then press Enter:

Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice

5. Type the following in the Windows PowerShell command window, and then press Enter:

Get-ADServiceAccount -Filter *

6. Note the output of the command, ensuring the newly created account is listed.

7. Minimize the Windows PowerShell command window.

Task 2: Install a Group Managed Service Account on LON-DC1

1. On LON-DC1, type the following in the Windows PowerShell command window, and then press Enter:

Install-ADServiceAccount -Identity Webservice

2. In Server Manager click the Tools menu, and then click Internet Information Services (IIS) Manager.

3. In the Internet Information Services (IIS) Manager console, if a window appears with a “Do you want to get started with Microsoft Web Platform to stay connected” message, click Cancel.

4. Expand LON-DC1 (Adatum\Administrator), and then click Application Pools.

5. In the details pane, right-click the DefaultAppPool, and then click Advanced Settings.

6. In the Advanced Settings dialog box, in the Process Model section, click Identity, and then click the ellipses.

7. In the Application Pool Identity dialog box, click Custom Account, and then click Set.

8. In the Set Credentials dialog box, type Adatum\Webservice$ in the User name: field, and then click OK three times.

9. In the Actions pane, click Stop to stop the application pool.

10. Click Start to start the application pool.

11. Close the Internet Information Services (IIS) Manager.


Task 3: To Prepare for the Next Module

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

Results: After completing this exercise, you will have created and associated a managed service account.
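A verification pass over the gMSA from Exercise 2, plus a scripted version of the IIS application pool change from Task 2, as an added example that is not part of the handbook. It assumes the Webservice account, LON-DC1 and the ADATUM domain from the lab, and that the WebAdministration module is present on LON-DC1 because IIS is installed there.

```powershell
# Added example (not from the handbook). Assumes the Webservice gMSA,
# LON-DC1 and the ADATUM domain from the lab.
Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. A gMSA cannot be created until a KDS root key is effective. The -10 hour
#    backdate used in Task 1 is a single-DC lab shortcut; in a multi-DC forest
#    leave the default so the key has replicated before it is used.
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# 2. Only the principals listed here may retrieve the managed password. That
#    list is the security boundary of a gMSA, so keep it to the hosts that
#    actually run the service (here, just LON-DC1$).
Get-ADServiceAccount -Identity Webservice `
    -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# 3. Run on the host itself after Install-ADServiceAccount: $true means this
#    computer can obtain the password; $false usually means the computer is
#    not in the allowed list or has not refreshed its Kerberos ticket yet.
Test-ADServiceAccount -Identity Webservice

# 4. Task 2 steps 5-10 without the GUI. identityType 3 = SpecificUser. The
#    password is left empty: Windows fetches it from AD because the name ends
#    in '$' and resolves to a gMSA, so no secret is stored in applicationHost.config.
Set-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel `
    -Value @{ identityType = 3; userName = 'ADATUM\Webservice$'; password = '' }
Restart-WebAppPool -Name DefaultAppPool

# 5. Confirm the pool identity that will appear on the worker process.
(Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel).userName
```

The point of step 4 is the empty password: with a conventional service account the credential ends up encrypted in IIS configuration, whereas with a gMSA nothing is stored and the password rotates automatically on the interval shown in step 2.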


Module 4: Implementing a Group Policy Infrastructure

Lab: Implementing a Group Policy Infrastructure

Exercise 1: Creating and Configuring Group Policy Objects

Task 1: Create and Edit a GPO

1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the Group Policy Objects container.

3. In the console tree, right-click the Group Policy Objects container, and then click New.

4. In the Name box, type ADATUM Standards, and then click OK.

5. In the details pane of the Group Policy Management console, right-click the ADATUM Standards Group Policy Object (GPO), and then click Edit.

6. In the console tree, expand User Configuration, Policies, and Administrative Templates, and then click System.

7. Double-click the Don’t run specified Windows applications policy setting.

8. In the Don’t run specified Windows applications window, click Enabled.

9. Click Show.

10. In the Show Contents dialog box, in the Value list, type notepad.exe, and then click OK.

11. In the Don’t run specified Windows applications dialog box, click OK.

12. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.

13. In the details pane, click the Screen saver timeout policy setting.

14. Double-click the Screen Saver timeout policy setting.

15. Click Enabled.

16. In the Seconds box, type 600, and then click OK.

17. Double-click the Password protect the screen saver policy setting.

18. Click Enabled, and then click OK.

19. Close the Group Policy Management Editor.

Task 2: Link the GPO

1. In the Group Policy Management console tree, right-click the Adatum.com domain, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click ADATUM Standards, and then click OK.

Task 3: View the Effects of the GPO’s Settings

1. Switch to LON-CL1, and sign in as Adatum\Pat with the password Pa$$w0rd.

2. On the Start screen, click the Desktop tile.

3. Right-click the desktop, and then click Personalize.


4. Click Screen Saver. Notice that the Wait control is disabled—you cannot change the timeout. Notice that the On resume, display logon screen option is selected and disabled, and that you cannot disable password protection.

5. Click OK to close the Screen Saver Settings dialog box.

6. Click Start.

7. In the Start screen, click the down arrow icon to view all the apps.

8. In the Apps list, click Notepad. Notepad does not open.

Results: After this exercise, you should have successfully created, edited, and linked the required Group Policy Objects (GPOs).
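The ADATUM Standards GPO from Exercise 1, created, populated and linked with the GroupPolicy module instead of the editor, as an added example that is not part of the handbook. The registry keys are the ones behind the three Administrative Template settings used in Task 1; the domain distinguished name assumes the Adatum.com lab domain.

```powershell
# Added example (not from the handbook). Assumes the Adatum.com lab domain.
Import-Module GroupPolicy

$gpoName  = 'ADATUM Standards'
$domainDN = 'DC=Adatum,DC=com'

# Task 1 steps 3-4: create the GPO once; re-running the script must not fail.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Lab desktop baseline' }

# Steps 7-11: User Configuration > Administrative Templates > System >
# "Don't run specified Windows applications". The list lives in a subkey whose
# value names are 1, 2, 3, ... and whose data is the image file name. Note this
# matches on file name only; it is a usability control, not an execution boundary.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName DisallowRun -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" -ValueName 1 -Type String -Value 'notepad.exe' | Out-Null

# Steps 12-18: Control Panel > Personalization. Both values are REG_SZ even
# though they hold numbers; writing them as DWord produces a setting the
# editor shows as "Not configured".
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktop -ValueName ScreenSaveTimeOut   -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktop -ValueName ScreenSaverIsSecure -Type String -Value '1'   | Out-Null

# Task 2: link at the domain root, but only if no link exists yet.
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null }

# Read back what was written; a wrong hive or value type shows up here long
# before a client refresh would reveal it.
Get-GPRegistryValue -Name $gpoName -Key $desktop
Get-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun"
```

Task 3 of the exercise still applies unchanged: after a gpupdate on LON-CL1 the screen saver controls are locked and Notepad does not start for Pat.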


Exercise 2: Managing GPO Scope

Task 1: Create and link the required GPOs

1. On LON-DC1, switch to Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand the Adatum.com domain and click the Research organizational unit (OU).

3. Right-click the Research OU, point to New, and then click Organizational Unit.

4. Type Engineers, and then click OK.

5. Close Active Directory® Users and Computers.

6. Switch to the Group Policy Management console.

7. In the console tree, expand Forest: Adatum.com, Domains, Adatum.com, Research, if not already expanded, and then click the Engineers OU.

8. Right-click the Engineers OU, and then click Create a GPO in this domain and Link it here.

9. Type Engineering Application Override, and then click OK.

10. Under the Group Policy Objects node, right-click the Engineering Application Override GPO, and then click Edit.

11. In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.

12. Double-click the Screen saver timeout policy setting.

13. Click Disabled, and click OK.

14. Close the Group Policy Management Editor.

Task 2: Verify the Order of Precedence

1. In the Group Policy Management console tree, expand the Research OU and then click the Engineers OU.

2. Click the Group Policy Inheritance tab. Notice that the Engineering Application Override GPO has higher precedence than the ADATUM Standards GPO. The screen saver timeout policy setting you just configured in the Engineering Application Override GPO is applied after the setting in the ADATUM Standards GPO. Therefore, the new setting will overwrite the standards setting, and will win. Screen saver timeout will be disabled for users within the scope of the Engineering Application Override GPO.

Task 3: Configure the Scope of a GPO with Security Filtering

1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In the console tree, if necessary, expand the Adatum.com domain and the Research OU, and then click the Engineers OU.

3. Right-click the Engineers OU, point to New, and then click Group.

4. Type GPO_Engineering Application Override_Apply, and then press Enter.

5. Switch to the Group Policy Management console.

6. In the console tree, if required, expand the Engineers OU, and then double-click the link of the Engineering Application Override GPO under the Engineers OU. A message appears.


7. Read the message, and then select the Do not show this message again check box, and then click OK. In the Security Filtering section, you will see that the GPO applies by default to all authenticated users.

8. In the Security Filtering section, click Authenticated Users.

9. Click the Remove button. A confirmation prompt appears.

10. Click OK.

11. In the details pane, click the Add button.

12. In the Select User, Computer, or Group dialog box, in the Enter the object name to select (examples): box, type GPO_Engineering Application Override_Apply, and then press Enter.

13. Switch to Active Directory Users and Computers.

14. In the console tree, expand the Adatum.com domain, if not expanded already, and then click the Users folder.

15. Right-click Users, point to New, and then click Group.

16. Type GPO_ADATUM Standards_Exempt, and then press Enter.

17. Switch to the Group Policy Management console.

18. In the console tree, click the Adatum.com domain object. Under the Group Policy Objects node, double-click the ADATUM Standards GPO. In the Security Filtering section, notice that the GPO applies by default to all authenticated users.

19. Click the Delegation tab.

20. Click the Advanced button. The ADATUM Standards Security Settings dialog box appears.

21. Click the Add button. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

22. In the Enter the object names to select (examples): box, type GPO_ADATUM Standards_Exempt, and press Enter.

23. Select the Deny check box next to Apply group policy.

24. Click OK. A warning message appears to remind you that deny permissions override allow permissions. Click Yes. Notice that the permission appears on the Delegation tab as Custom.

Task 4: Configure Loopback Processing

1. On LON-DC1, switch to Active Directory Users and Computers.

2. In the console, click Adatum.com.

3. Right-click Adatum.com, point to New, and then click Organizational Unit.

4. In the New Object – Organizational Unit dialog box, type Kiosks, and then click OK.

5. Right-click Kiosks, point to New, and then click Organizational Unit.

6. In the New Object – Organizational Unit dialog box, type Conference Rooms, and then click OK.

7. Switch to the Group Policy Management console. Refresh the console if necessary.

8. In the tree, expand the Kiosks OU, and then click the Conference Rooms OU.

9. Right-click the Conference Rooms OU, and then click Create a GPO in this domain, and Link it here.

10. In the New GPO box, in the Name box, type Conference Room Policies, and then press Enter.


11. In the console tree, expand Conference Rooms, and then click the Conference Room Policies GPO.

12. Click the Scope tab. Confirm that the GPO is scoped to apply to Authenticated Users.

13. Right-click the Conference Room Policies GPO in the console tree, and then click Edit.

14. In the Group Policy Management Editor console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization.

15. Double-click the Screen saver timeout policy setting.

16. Click Enabled.

17. In the Seconds box, type 2700, and then click OK.

18. In the console tree, expand Computer Configuration, Policies, Administrative Templates, and System, and then click Group Policy.

19. Double-click the Configure user Group Policy loopback processing mode policy setting.

20. Click Enabled.

21. In the Mode drop-down list, select Merge, and then click OK.

22. Close the Group Policy Management Editor.

Results: After this exercise, you should have successfully configured the required scope of the GPOs.
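The scope changes from Exercise 2 (OU and override GPO, security filtering, an explicit Deny, loopback) expressed with the ActiveDirectory and GroupPolicy modules, as an added example that is not part of the handbook. It assumes the Adatum.com lab domain, the existing Research OU and the ADATUM Standards GPO. Set-GPPermission cannot write a Deny entry, so the "Deny Apply group policy" step is done as an ACL edit on the GPO's directory object; the Apply-Group-Policy rights GUID used there is the standard one.

```powershell
# Added example (not from the handbook). Assumes the Adatum.com lab domain,
# the Research OU and the ADATUM Standards GPO from Exercise 1.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=Adatum,DC=com'
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Task 1: Engineers OU, override GPO linked there, screen saver timeout Disabled.
New-ADOrganizationalUnit -Name Engineers -Path "OU=Research,$domainDN"
$override = New-GPO -Name 'Engineering Application Override'
New-GPLink -Name $override.DisplayName -Target "OU=Engineers,OU=Research,$domainDN" | Out-Null
# -Disable writes the setting as "Disabled". It wins over the domain-level
# "Enabled 600" because OU links are processed after domain links (LSDOU).
Set-GPRegistryValue -Name $override.DisplayName -Key $desktopKey -ValueName ScreenSaveTimeOut -Disable | Out-Null

# Task 2: precedence as GPMC's Group Policy Inheritance tab shows it (Order 1 wins).
(Get-GPInheritance -Target "OU=Engineers,OU=Research,$domainDN").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Task 3 steps 1-12: replace Authenticated Users with an Apply group. Since
# MS16-072 the computer account must still be able to Read the GPO for user
# settings to apply, so grant GpoRead to Domain Computers instead of leaving
# the GPO readable by nobody but the Apply group.
$applyGroup = 'GPO_Engineering Application Override_Apply'
New-ADGroup -Name $applyGroup -GroupScope Global -Path "OU=Engineers,OU=Research,$domainDN"
Set-GPPermission -Name $override.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $override.DisplayName -TargetName $applyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $override.DisplayName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Task 3 steps 13-24: Deny "Apply group policy" to an exempt group on ADATUM
# Standards. Deny overrides Allow, exactly as the GPMC warning says.
$exemptGroup = 'GPO_ADATUM Standards_Exempt'
New-ADGroup -Name $exemptGroup -GroupScope Global -Path "CN=Users,$domainDN"
$std     = Get-GPO -Name 'ADATUM Standards'
$gpoPath = "AD:\CN={$($std.Id)},CN=Policies,CN=System,$domainDN"
$acl     = Get-Acl -Path $gpoPath
$ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $exemptGroup).SID, 'ExtendedRight', 'Deny',
    [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939')   # Apply-Group-Policy right
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl
Get-GPPermission -Name 'ADATUM Standards' -All | Where-Object Denied   # shows the Deny entry

# Task 4: Kiosks\Conference Rooms OUs, a 45-minute timeout, loopback Merge.
# UserPolicyMode 1 = Merge, 2 = Replace.
New-ADOrganizationalUnit -Name Kiosks -Path $domainDN
New-ADOrganizationalUnit -Name 'Conference Rooms' -Path "OU=Kiosks,$domainDN"
$conf = New-GPO -Name 'Conference Room Policies'
New-GPLink -Name $conf.DisplayName -Target "OU=Conference Rooms,OU=Kiosks,$domainDN" | Out-Null
Set-GPRegistryValue -Name $conf.DisplayName -Key $desktopKey -ValueName ScreenSaveTimeOut -Type String -Value '2700' | Out-Null
Set-GPRegistryValue -Name $conf.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName UserPolicyMode -Type DWord -Value 1 | Out-Null
```

Two checks worth keeping from this: Get-GPInheritance answers "which link wins" without the GUI, and the Deny entry from Task 3 is visible only through Get-GPPermission -All or the Delegation tab, never in the Security Filtering list, which is why a forgotten Deny is a classic cause of "the GPO applies to everyone except this user".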


Exercise 3: Verifying GPO Application

Task 1: Perform Resultant Set of Policy Analysis

1. Switch to LON-CL1.

2. Verify that you are logged on as Adatum\Pat. If necessary, unlock the computer by using the password Pa$$w0rd.

3. Right-click the Start menu and then click Command Prompt (Admin).

4. In the User Account Control dialog box, in the User name box, type Administrator. In the Password box, type Pa$$w0rd. Click Yes.

5. At the command prompt, type the following command, and then press Enter:

gpupdate /force

6. Wait for the command to complete. Make a note of the current system time, which you will need to know for a task later in this lab. To record the system time, type the following command, and then press Enter twice:

Time

7. Restart LON-CL1.

8. Wait for LON-CL1 to restart before proceeding with the next task. Do not sign in to LON-CL1.

9. Switch to LON-DC1.

10. Switch to the Group Policy Management console.

11. In the console tree, if required, expand Forest: Adatum.com, and then click Group Policy Results.

12. Right-click Group Policy Results, and click Group Policy Results Wizard.

13. On the Welcome to the Group Policy Results Wizard page, click Next.

14. On the Computer Selection page, click Another computer, type LON-CL1, and then click Next.

15. On the User Selection page, click Display policy settings for, click Select a specific user, select ADATUM\Pat, and then click Next.

16. On the Summary Of Selections page, review your settings, and then click Next.

17. Click Finish. The RSoP report appears in the details pane of the console.

18. Review the Group Policy Results. For both user and computer configuration, identify the time of the last policy refresh and the list of allowed and denied GPOs. Identify the components that were used to process policy settings.

19. Click the Details tab. Review the settings that were applied during user and computer policy application and identify the GPO from which the settings were obtained.

20. Click the Summary tab, right-click the page, and then click Save Report.

21. In the navigation pane, click Desktop, and then click Save.

22. Open the saved RSoP report from the Desktop. Examine the RSoP report, and then close it.

Task 2: Analyze RSoP with GPResults

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Right-click the Start menu and then click Command Prompt.


3. At the command prompt, type the following command, and then press Enter:

gpresult /r

RSoP summary results are displayed. The information is very similar to the Summary tab of the RSoP report produced by the Group Policy Results Wizard.

4. At the command prompt, type the following command, and then press Enter:

gpresult /v

Notice that many of the Group Policy settings applied by the client are listed in this report.

5. At the command prompt, type the following command, and then press Enter:

gpresult /z

The most detailed RSoP report is produced.

6. At the command prompt, type the following command, and then press Enter:

gpresult /h:"%userprofile%\Desktop\RSOP.html"

An RSoP report is saved as an HTML file to your desktop.

7. Open the saved RSoP report from your desktop.

8. Compare the report, its information, and its formatting with the RSoP report you saved in the previous task.

Task 3: Evaluate GPO Results by Using the Group Policy Modeling Wizard

1. Switch to LON-DC1.

2. In the Group Policy Management console tree, expand Forest:Adatum.com, if not expanded already, and then click Group Policy Modeling.

3. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard. The Group Policy Modeling Wizard appears.

4. Click Next.

5. On the Domain Controller Selection page, click Next.

6. On the User And Computer Selection page, in the User information section, click the User button, and then click Browse. The Select User dialog box appears.

7. Type Mike, and then press Enter.

8. In the Computer information section, click the Computer button, and then click Browse. The Select Computer dialog box appears.

9. Type LON-CL1, and then press Enter.

10. Click Next.

11. On the Advanced Simulation Options page, select the Loopback Processing check box, and then click Merge. Even though the Conference Room Policies GPO specifies loopback processing, you must instruct the Group Policy Modeling Wizard to consider loopback processing in its simulation.

12. Click Next.

13. On the Alternate Active Directory Paths page, click the Browse button next to Computer location. The Choose Computer Container dialog box appears.


14. Expand Adatum and Kiosks, and then click Conference Rooms. You are simulating the effect of LON-CL1 as a conference room computer.

15. Click OK.

16. Click Next.

17. On the User Security Groups page, click Next.

18. On the Computer Security Groups page, click Next.

19. On the WMI Filters for Users page, click Next.

20. On the WMI Filters for Computers page, click Next.

21. Review your settings on the Summary of Selections page, and then click Next.

22. Click Finish.

23. On the Details tab, scroll to and expand, if necessary, User Details, Group Policy Objects, and Applied GPOs.

24. Will the Conference Room Policies GPO apply to Mike as a User policy when he logs on to LON-CL1, if LON-CL1 is in the Conference Rooms OU?

25. Scroll to, and expand if necessary, User Details, Settings, Policies, Administrative Templates and Control Panel/Personalization.

26. Confirm that the screen saver timeout is 2,700 seconds (45 minutes), the setting configured by the Conference Room Policies GPO that overrides the 10-minute standard configured by the ADATUM Standards GPO.

Task 4: Review Policy Events and Determine GPO Infrastructure Status

1. Switch to LON-CL1.

2. Right-click Start, click Control Panel, click System and Security, and then click Administrative Tools.

3. Double-click Event Viewer.

4. In the console tree, expand Windows Logs, and then click System log.

5. Click the Source column header to sort the System log by Source.

6. Scroll down the System log until you locate events with Group Policy as the Source.

7. Review the information associated with Group Policy events, including when policies are downloaded and in which order the GPO processing occurs.

8. In the console tree, click the Application log.

9. Click the Source column header to sort the Application log by the Source column.

10. Review the events and identify the Group Policy events that have been entered in this log. Which events are related to Group Policy application and which are related to the activities you have been performing to manage Group Policy? Note that depending on how long the virtual machine has been running, you may not have any Group Policy Events in the application log.

11. In the console tree, expand Applications and Services Logs, Microsoft, Windows, and Group Policy, and then click Operational.

12. Locate the first event related to the Group Policy refresh you initiated in Exercise 1, with the GPUpdate command. Review that event and the events that followed it.

13. Switch to LON-DC1.


14. Switch to the Group Policy Management console. Expand Forest:Adatum.com, expand Domains, expand Adatum.com, and then expand Group Policy Objects.

15. Under Group Policy Objects in the left pane, click to select the ADATUM Standards GPO.

16. In the right pane, click the Status tab. Then, click Detect Now in the bottom right corner. This will detect the status of the ADATUM Standards GPO.

17. Switch to LON-CL1 and then sign off.

Results: After this exercise, you should have successfully used Resultant Set of Policy (RSoP) tools to verify the correct application of your GPOs.
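The RSoP report from Tasks 1 and 2 produced remotely, and the Operational log review from Task 4 turned into a script that reconstructs each Group Policy processing cycle on the client, as an added example that is not part of the handbook. It assumes LON-CL1, Adatum\Pat and the lab domain, and that it runs on LON-DC1 as a domain administrator with remote event log access to LON-CL1.

```powershell
# Added example (not from the handbook). Assumes LON-CL1, Adatum\Pat and the
# Adatum.com lab domain; run on LON-DC1 as a domain administrator.
Import-Module GroupPolicy

# Tasks 1 and 2: the same HTML report the Group Policy Results Wizard and
# "gpresult /h" produce, without touching the client desktop.
$report = "$env:USERPROFILE\Desktop\LON-CL1-Pat-RSoP.html"
Get-GPResultantSetOfPolicy -Computer LON-CL1 -User 'Adatum\Pat' -ReportType Html -Path $report

# Task 4: Microsoft-Windows-GroupPolicy/Operational on the client. Event IDs
# 4000-4007 open a processing cycle (4004 computer / 4005 user = manual
# refresh such as gpupdate), 5xxx are progress, 6xxx errors, 7xxx warnings
# and 8000-8007 successful completion. Every event of one cycle carries the
# same ActivityId, which is the key to grouping them.
$events = Get-WinEvent -ComputerName LON-CL1 -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddHours(-2)
}

function Get-GpCycle {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord[]]$Events)
    foreach ($start in ($Events | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 })) {
        $run    = $Events | Where-Object ActivityId -eq $start.ActivityId | Sort-Object TimeCreated
        $end    = $run | Where-Object { $_.Id -ge 8000 -and $_.Id -le 8007 } | Select-Object -Last 1
        $faults = @($run | Where-Object { $_.Id -ge 6000 -and $_.Id -le 7999 })
        [pscustomobject]@{
            Started    = $start.TimeCreated
            Trigger    = $start.Id              # compare with the time noted in Task 1 step 6
            Finished   = if ($end) { $end.TimeCreated } else { $null }
            Seconds    = if ($end) { [int]($end.TimeCreated - $start.TimeCreated).TotalSeconds } else { $null }
            Problems   = $faults.Count
            FirstFault = if ($faults) { $faults[0].Message.Split("`n")[0] } else { '' }
        }
    }
}

Get-GpCycle -Events $events | Sort-Object Started | Format-Table -AutoSize
```

A cycle with a 4xxx start and no matching 8xxx end is the pattern to look for when a client "never picks up" a GPO: the per-cycle 6xxx/7xxx events name the component (security, registry, scripts) that failed, which the Summary tab of the RSoP report only reports as "failed".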


Exercise 4: Managing GPOs

Task 1: Perform a Backup of GPOs

1. Switch to LON-DC1.

2. Switch to the Group Policy Management console and then click the Group Policy Objects node.

3. In the details pane, right-click ADATUM Standards, and then click Back Up.

4. In the Back Up Group Policy Object dialog box, in the Location box, type C:\.

5. Click Back Up.

6. In the Backup dialog box, click OK.

Task 2: Perform a Restore of GPOs

1. In the Group Policy Management console, right-click ADATUM Standards, and then click Restore from Backup.

2. In the Restore Group Policy Object Wizard dialog box, click Next.

3. On the Backup Location page, click Next.

4. On the Source GPO page, click Next.

5. On the Completing the Restore Group Policy Object Wizard page, click Finish.

6. In the Restore dialog box, click OK.

7. Close all open windows.

Task 3: Troubleshooting GPOs

1. On LON-DC1, open Windows PowerShell® and run the E:\Labfiles\Mod04\TroubleshootGPO.ps1 command.

2. Switch to LON-CL1.

3. Sign in as Adatum\Pat with the password Pa$$w0rd.

4. Right-click the Start menu and then click Command Prompt.

5. At the command prompt, type gpupdate /force and press Enter.

6. Right-click on the Start menu and click Run from the context menu. Type Notepad, click OK, and then verify that Notepad launches.

7. At the command prompt, run the gpresult /user pat /v | more command. Check to see if the ADATUM Standards GPO is being applied or filtered out.

8. Switch back to LON-DC1.

9. At the Windows PowerShell prompt, type Get-GPPermission -Name "ADATUM Standards" -All, and then press Enter. Check to see if Pat or any of Pat’s groups have the appropriate permissions for the GPO.

10. At the Windows PowerShell prompt, type Set-GPPermission -Name "ADATUM Standards" -PermissionLevel GpoApply -TargetName "Authenticated Users" -TargetType Group -Replace, and then press Enter.

11. Click Server Manager, if Server Manager is not running already.

12. In Server Manager, click Tools, and then click Group Policy Management.


13. In the left pane, expand Forest: Adatum.com. Expand Domains. Expand Adatum.com. Expand Group Policy Objects.

14. Click the ADATUM Standards GPO under Group Policy Objects. Verify that the Authenticated Users group is shown in the security filtering list.

15. Switch back to LON-CL1.

16. At the command prompt, type gpupdate /force, and then press Enter. Sign off of LON-CL1 and then sign in as Adatum\Pat with the password Pa$$w0rd.

17. Right-click on the Start menu and click Run from the context menu. At the Run prompt, type Notepad.exe and then click OK. Verify that Notepad does not launch.

Task 4: Preparing for the Next Module

When you have finished the lab, revert all virtual machines back to their initial state.

1. On the host computer, start Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 to 3 for 20411C-LON-CL1.

Results: After this exercise, you should have successfully performed common management tasks on your GPOs.
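The backup and restore from Tasks 1 and 2 scripted, and the permission check from Task 3 generalized into a function that flags every GPO in the domain with no effective "Apply group policy" trustee, as an added example that is not part of the handbook. It assumes the Adatum.com lab domain and the ADATUM Standards GPO; the backup folder name is chosen here.

```powershell
# Added example (not from the handbook). Assumes the Adatum.com lab domain
# and the ADATUM Standards GPO. C:\GPOBackup is an arbitrary folder.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Task 1: Backup-GPO returns a backup object; keep its Id, because a folder
# can hold many backups of the same GPO and a restore should name one.
$backup = Backup-GPO -Name 'ADATUM Standards' -Path $backupDir -Comment "Lab backup $(Get-Date -Format s)"
$backup | Select-Object DisplayName, Id, BackupDirectory, CreationTime

# Task 2: restore that exact backup (without -BackupId the newest one is used).
Restore-GPO -Name 'ADATUM Standards' -Path $backupDir -BackupId $backup.Id | Out-Null

# Task 3 generalized: the symptom in the lab (Notepad runs for Pat although the
# GPO is linked) is a GPO nobody is allowed to apply. Find all such GPOs.
function Get-UnappliedGpo {
    param([string]$Domain = 'Adatum.com')
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $apply = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                   Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        $deny  = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                   Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied })
        if ($apply.Count -eq 0 -or $deny.Count -gt 0) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Id          = $gpo.Id
                ApplyTo     = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
                DeniedFor   = ($deny  | ForEach-Object { $_.Trustee.Name }) -join ', '
            }
        }
    }
}
Get-UnappliedGpo | Format-Table -AutoSize

# Step 10 of the lab, the fix for the broken GPO only.
Set-GPPermission -Name 'ADATUM Standards' -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply -Replace | Out-Null
```

Running Get-UnappliedGpo before and after TroubleshootGPO.ps1 shows exactly what the script changed, and a Deny entry surfaces in the DeniedFor column even though the GPMC Security Filtering list hides it.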


Module 5: Managing User Desktops with Group Policy

Lab: Managing User Desktops with Group Policy

Exercise 1: Implementing Settings by Using Group Policy Preferences

Task 1: Create a New GPO, and Link it to the Branch Office 1 Organizational Unit (OU)

1. On LON-DC1, on the taskbar, click File Explorer.

2. In the details pane, double-click Local Disk (C:), and then, on the Home tab, click New folder.

3. Name the new folder Branch1.

4. Right-click the Branch1 folder, click Share with, and then click Specific people.

5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.

6. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.

7. Click Share, and then click Done.

8. Close the Local Disk (C:) window.

9. Click Start.

10. Click Administrative Tools.

11. In Administrative Tools, double-click Active Directory Users and Computers.

12. In Active Directory® Users and Computers, click Adatum.com.

13. Right-click Adatum.com, point to New, and then click Organizational Unit.

14. In the New Object – Organizational Unit dialog box, in the Name box, type Branch Office 1, and then click OK.

15. In the navigation pane, click IT.

16. In the details pane, right-click Holly Dickson, and then click Move.

17. In the Move dialog box, click Branch Office 1, and then click OK.

18. In the navigation pane, click Computers.

19. In the details pane, right-click LON-CL1, and then click Move.

20. In the Move dialog box, click Branch Office 1, and then click OK.

21. Click Start.

22. Click Administrative Tools, and then double-click Group Policy Management.

23. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

24. Right-click Branch Office 1, and then click Create a GPO in this domain and link it here.

25. In the New GPO dialog box, in the Name box, type Branch1, and then click OK.

26. In the navigation pane, click Group Policy Objects.

27. Right-click the Branch1 GPO, and then click Edit.


28. In the Group Policy Management Editor, under User Configuration, expand Preferences, and then expand Windows Settings.

29. In the left pane, right-click Drive Maps, click New in the context menu, and then click Mapped Drive.

30. In the New Drive Properties window, click the Action drop-down menu, and then click Create.

31. In the Location section, type \\LON-DC1\Branch1.

32. In the Drive letter section, click the drop-down menu, and then click S.

33. Click OK to close the New Drive Properties dialog box.

Task 2: Edit the Default Domain Policy with the Required Group Policy Preferences

1. In Group Policy Management, click the Group Policy Objects folder, in the details pane, right-click the Default Domain Policy, and then click Edit.

2. Expand User Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

3. In the New Shortcut Properties dialog box, in the Action list, click Create.

4. In the Name box, type Notepad.

5. In the Location box, click the arrow, and then select Desktop.

6. In the Target path box, type C:\Windows\System32\Notepad.exe.

7. On the Common tab, select the Item-level targeting check box, and then click Targeting.

8. In the Targeting Editor dialog box, click New Item, and then click Security Group.

9. In the lower part of the dialog box, click the ellipsis button.

10. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT, and then click OK.

11. Click OK twice.

12. Close all open windows.

Task 3: Test the Preferences

1. Switch to LON-CL1.

2. On the Start screen click the Desktop tile.

3. Right-click the Start menu, expand the Shut down or Sign out submenu, and then click Restart.

4. When the computer has restarted, log in as Adatum\Administrator with the password Pa$$w0rd.

5. On the Start screen, click the Desktop tile.

6. Right-click Start and then click Command Prompt.

7. At the command prompt, type the following command, and then press Enter:

gpupdate /force

8. Log off of LON-CL1.

9. Log in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.

10. Click Desktop, and on the taskbar, click File Explorer.

11. Examine the navigation pane, and verify that you have a drive mapped to \\lon-dc1\Branch1.


12. Verify that the Notepad shortcut is on Holly’s desktop.

13. If the shortcut does not appear, repeat steps 4 through 8.

14. Log off of LON-CL1.

Results: After this exercise, you should have created the required scripts and preference settings successfully, and then assigned them by using Group Policy Objects (GPOs).

Exercise 2: Managing Microsoft Office 2013 by Using Administrative Templates

Task 1: Import the Office 2013 Administrative Templates

1. On LON-DC1, click File Explorer on the taskbar.

2. Navigate to the E:\Labfiles\Mod05\Office 2013\admx\en-us folder.

3. Copy all of the .adml files to the C:\Windows\PolicyDefinitions\en-US folder.

4. In File Explorer, navigate to the E:\Labfiles\Mod05\Office 2013\admx folder.

5. Copy all of the .admx files to the C:\Windows\PolicyDefinitions folder.

Task 2: Configure Office 2013 Settings

1. On LON-DC1, click Server Manager, click Tools, and then click Group Policy Management.

2. Expand Forest: adatum.com.

3. Expand Domains.

4. Expand adatum.com.

5. Right-click Group Policy Objects, and then click New.

6. In the New GPO window, type Office 2013 into the Name field, and then click OK.

7. Right-click the Office 2013 GPO in the left pane, and then click Edit.

8. Under User Configuration in the left pane, expand Policies.

9. Expand Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer.

10. Expand Microsoft Word 2013.

11. Expand Word Options, and then click Customize Ribbon.

12. In the right pane, double-click the Display Developer tab in the Ribbon setting.

13. In the Display Developer tab in the Ribbon window, click the Enabled radio button, and then click OK.

14. In the left pane, expand Proofing, and then click AutoCorrect.

15. In the right pane, double-click the Replace text as you type setting.

16. In the Replace text as you type window, click Disabled, and then click OK.

17. Close the Group Policy Management Editor.

18. In the Group Policy Management Console, right-click the Adatum.com domain, and then click Link an Existing GPO in the context menu.

19. In the Select GPO window, click the Office 2013 GPO, and then click OK.

Task 3: Verify That the Settings Have Been Applied

1. Switch to LON-CL1.

2. Log in to LON-CL1 as Adatum\Holly with the password of Pa$$w0rd.

3. Click Start, click the down arrow to view all apps, and then click Word 2013. If a First things first dialog box appears, click Ask me later, click Accept, click Next three times, and then click All done.

4. In Microsoft Word, check the ribbon to verify that the Developer tab is visible.

5. In Microsoft Word, type misspelled words to verify that Microsoft Word is not autocorrecting the misspelled words as you type.

6. Close Microsoft Word.

Results: After this exercise, you should have successfully added the Microsoft® Office 2013 administrative template files to a GPO, customized Office 2013 settings, and validated the settings on a computer that is in the GPO scope.

Exercise 3: Deploying Software by Using Group Policy

Task 1: Deploy XML Notepad 2007 by Using a New GPO

1. Switch to LON-DC1.

2. Click Start.

3. Click Administrative Tools, and then double-click Group Policy Management.

4. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

5. Right-click Adatum.com, and then click Create a GPO in this domain and Link it here.

6. In the New GPO dialog box, in the Name box, type Deploy XML Notepad, and then click OK.

7. In the navigation pane, click Group Policy Objects.

8. Right-click the Deploy XML Notepad GPO, and then click Edit.

9. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Software Settings.

10. Right-click Software installation. From the context menu, click New, and then click Package.

11. In the Open dialog box, browse to \\LON-DC1\Mod05, click XmlNotepad.msi, and then click Open.

12. In the Deploy Software window, ensure that the Assigned option is selected, and then click OK.

Task 2: Verify that XML Notepad 2007 Was Successfully Deployed on LON-CL1

1. Switch to LON-CL1.

2. Right-click the Start menu, click Shut down or sign out, and then click Restart.

3. After restart, log in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.

4. Click Start, type XML, and then verify that XML Notepad 2007 displays as the app search results.

5. If XML Notepad 2007 does not appear in the search results, then right-click Start and click Command Prompt. At the command prompt, run gpupdate /force, restart LON-CL1, and then repeat step 3 and step 4.

Results: After this exercise, you should have successfully deployed XML Notepad 2007 to all domain-joined computers and verified the installation on LON-CL1.

Exercise 4: Configuring Folder Redirection

Task 1: Create a Shared Folder to Store the Redirected Folders

1. On LON-DC1, on the taskbar, click File Explorer.

2. In the details pane, double-click Local Disk (C:), and then, on the Home tab, click New folder.

3. Name the new folder Branch1Redirect.

4. Right-click the Branch1Redirect folder, click Share with, and then click Specific people.

5. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add.

6. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write.

7. Click Share, and then click Done.

8. Close the Local Disk (C:) window.

Task 2: Create a New GPO and Link it to the Branch Office OU

1. On LON-DC1, from Server Manager, click Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

3. Right-click Branch Office 1, and then click Create a GPO in this domain and Link it here.

4. In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK.

Task 3: Edit the Folder Redirection Settings in the Policy You Created

1. Expand Branch Office 1, right-click Folder Redirection, and then click Edit.

2. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection.

3. Right-click Documents, and then click Properties.

4. In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down arrow, and then select Basic – Redirect everyone’s folder to the same location.

5. Ensure the Target folder location box is set to Create a folder for each user under the root path.

6. In the Root Path box, type \\LON-DC1\Branch1Redirect, and then click OK.

7. In the Warning dialog box, click Yes.

8. Close all open windows on LON-DC1.

Task 4: Test the Folder Redirection Settings

1. Switch to LON-CL1.

2. Log in as Adatum\Administrator with the password Pa$$w0rd.

3. Right-click Start and then click Command Prompt.

4. At the command prompt, type the following command, and then press Enter:

gpupdate /force

5. Log off, and then log in as Adatum\Holly with the password Pa$$w0rd.

6. On the Start screen, click Desktop.

7. Right-click the desktop, and then click Personalize.

8. In the navigation pane, click Change desktop icons.

9. In Desktop Icon Settings, select the User’s Files check box, and then click OK.

10. On the desktop, double-click Holly Dickson.

11. Right-click Documents, and then click Properties.

12. In the Document Properties dialog box, note that the location of the folder is now the network share in a subfolder named for the user.

13. If the folder redirection is not evident, log off, and then log in as Adatum\Holly with the password Pa$$w0rd. Repeat steps 10 through 12.

14. Log off of LON-CL1.
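The same three checks (the drive map and Notepad shortcut from Exercise 1, and the redirected Documents folder from this exercise) done in one pass from PowerShell. This is an added editor's example, not a step from the handbook; it assumes it runs on LON-CL1 in the session of the user under test (Adatum\Holly) after gpupdate /force, and the paths, group name and share names are the ones the lab uses.

```powershell
# Added verification script, not part of the 20411C lab steps.
# Run on LON-CL1 in the session of the user under test (Adatum\Holly) after gpupdate /force.
# Expected values come from the lab: a drive mapped to \\lon-dc1\Branch1, a Notepad shortcut
# targeted at members of the IT group, and Documents redirected under Branch1Redirect.
$expectedMap    = '\\lon-dc1\Branch1'
$expectedTarget = 'C:\Windows\System32\Notepad.exe'
$redirectRoot   = '\\LON-DC1\Branch1Redirect'
$shortcutPath   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Notepad.lnk'

$results = [ordered]@{ User = "$env:USERDOMAIN\$env:USERNAME" }

# 1. Drive map from the GPP Drive Maps item. Get-SmbMapping lists the per-user SMB
#    mappings GPP created at logon (net use shows the same list).
$hit = Get-SmbMapping -ErrorAction SilentlyContinue | Where-Object { $_.RemotePath -ieq $expectedMap }
$results['DriveMapped'] = [bool]$hit
$results['DriveLetter'] = if ($hit) { $hit.LocalPath } else { $null }

# 2. Shortcut from the GPP Shortcuts item. Item-level targeting limits it to members of the
#    IT security group, so record whether this token actually carries that group: a missing
#    shortcut for a user outside IT is the targeting working, not a failure.
$groups = ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
}
$results['MemberOfIT']     = ($groups -contains 'ADATUM\IT')
$results['ShortcutExists'] = Test-Path $shortcutPath
if ($results['ShortcutExists']) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($shortcutPath).TargetPath
    $results['ShortcutTargetOk'] = ($target -ieq $expectedTarget)
}

# 3. Folder Redirection. Explorer resolves Documents from User Shell Folders\Personal; with
#    "Basic - Create a folder for each user under the root path" it should now point at
#    \\LON-DC1\Branch1Redirect\<user>\Documents instead of the local profile.
$usf      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$personal = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $usf).Personal)
$results['DocumentsPath']       = $personal
$results['DocumentsRedirected'] = $personal.StartsWith("$redirectRoot\$env:USERNAME", 'OrdinalIgnoreCase')
$results['DocumentsReachable']  = Test-Path $personal

# If any check is False, "gpresult /r /scope:user" shows whether the GPO applied at all.
[pscustomobject]$results
```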

Task 5: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-CL1.

Results: After this exercise, you should have successfully configured folder redirection to a shared folder on the LON-DC1 server.

Module 6: Implementing Remote Access

Lab A: Implementing DirectAccess by Using the Getting Started Wizard

Exercise 1: Verifying Readiness for a DirectAccess Deployment

Task 1: Document the Network Configuration

Verify the IP address on LON-DC1

1. Switch to LON-DC1.

2. Right-click the Start button and then click Control Panel.

3. Under the Network and Internet section, click View network status and tasks.

4. In the Network and Sharing Center window, from the menu on the left, click Change adapter settings.

5. In the Network Connections window, right-click the Ethernet icon, and then click Properties.

6. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

7. Document the current IP address, subnet mask, default gateway, and DNS configuration.

8. Click Cancel twice, and then click Close to close the Network Connections window.

Verify network configuration on LON-RTR

1. Switch to LON-RTR.

2. On the Start screen, click Server Manager.

3. In the Server Manager window, in the upper-right corner, click Tools, and then click Routing and Remote Access.

4. In the Routing and Remote Access console, in the left pane, right-click LON-RTR (local), and then click Disable Routing and Remote Access.

5. In the Routing and Remote Access dialog box, click Yes. This step disables the Routing and Remote Access configuration that was preconfigured for this lab.

6. Right-click the Start button and then click Control Panel.

7. Under the Network and Internet section, click View network status and tasks.

8. In the Network and Sharing Center window, click Change adapter settings.

9. In the Network Connections window, verify that there are three network adapters: Ethernet, Ethernet 2, and Internet.

10. In the Network Connections window, right-click the Ethernet adapter, and then click Disable.

11. In the Network Connections window, right-click the Ethernet adapter, and then click Enable.

12. Repeat steps 10 and 11 for the Internet network connection.

13. Verify that the Ethernet adapter is connected to the domain network Adatum.com.

14. Right-click the Ethernet adapter, and then click Properties.

15. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

16. Verify that the IP address corresponds with the subnet used in the domain network (the IP address should be 172.16.0.1), and then click Cancel twice.

17. Right-click the Internet adapter, and then click Properties.

18. In the Internet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

19. Verify that the IP address corresponds with the subnet used to simulate Internet connectivity (the IP address should be 131.107.0.10).

20. Click Cancel twice, and then close the Network Connections window.

Verify network configuration on LON-CL1

1. Switch to LON-CL1.

2. Right-click the Start button, and then click Control Panel.

3. In the Control Panel window, click Network and Internet, click View Network Status and Tasks, and then click Change adapter settings.

4. Verify that the Ethernet adapter is connected to the domain network Adatum.com.

5. Right-click the Ethernet adapter, and then click Properties.

6. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

7. Document the current IP address, subnet mask, default gateway, and DNS configuration.

8. Click Cancel twice, and then click Close.

Verify network configuration on LON-SVR1

1. Switch to LON-SVR1.

2. Right-click the Start button and then click Control Panel.

3. Under the Network and Internet section, click View network status and tasks.

4. In the Network and Sharing Center window, from the menu on the left, click Change adapter settings.

5. Verify that the Ethernet adapter is connected to the domain network Adatum.com.

6. Right-click the Ethernet adapter, and click Properties.

7. In Ethernet Properties, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

8. Document the current IP address, subnet mask, default gateway, and DNS configuration.

9. Click Cancel twice, and then click Close.

Verify network configuration on INET1

1. Switch to INET1.

2. Right-click the Start button and then click Control Panel.

3. Under the Network and Internet section, click View network status and tasks, and then click Change adapter settings.

4. In the Network Connections window, right-click the Ethernet adapter, and then click Properties.

5. In the Ethernet Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

6. Document the current IP address, subnet mask, and DNS configuration.

7. Click Cancel twice, and then close all open windows.

Note: The INET1 server role in this module is to simulate the Internet DNS server.

Task 2: Verify the Server Readiness for DirectAccess

1. On LON-DC1, from the task bar, click the Server Manager console.

2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and then click Organizational Unit.

4. In the New Object – Organizational Unit dialog box, in the Name box, type DA_Clients OU, and then click OK.

5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click DA_Clients OU, click New, and then click Group.

6. In the New Object - Group dialog box, in the Group name box, type DA_Clients.

7. Under Group scope, ensure that Global is selected, and under Group type, ensure that Security is selected, and then click OK.

8. In the details pane, right-click DA_Clients, and then click Properties.

9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.

10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.

11. In the Enter the object names to select (examples) box, type LON-CL1, and then click OK.

12. Verify that LON-CL1 is displayed under Members, and then click OK.

13. Close the Active Directory Users and Computers console.

Results: After completing this exercise, you should have successfully verified the readiness for DirectAccess deployment.

Exercise 2: Configuring DirectAccess

Task 1: Configure DirectAccess by Using the Getting Started Wizard

1. Switch to LON-RTR.

2. In Server Manager, click Tools, and then select Remote Access Management.

3. In the Remote Access Management console, under Configuration, click DirectAccess and VPN.

4. Click Run the Getting Started Wizard.

5. On the Configure Remote Access page, click Deploy DirectAccess only.

6. Verify that Edge is selected, and in Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.10, and then click Next.

7. In the Configure Remote Access page, click the here link.

Note: Ensure that you click the here link to display an additional window for configuring GPO settings and the Active Directory security groups that will contain the computers affected by the DirectAccess settings.

8. On the Remote Access Review page, verify that two GPO objects are created, Direct Access Server Settings and DirectAccess Client settings.

9. Click the Change link beside Remote Clients.

10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.

11. Click Add, type DA_Clients, and then click OK.

12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.

13. On the DirectAccess Client Setup page, click Finish.

14. On the Remote Access Review page, click OK.

15. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.

16. In the Applying Getting Started Wizard Settings dialog box, click Close.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the Getting Started Wizard.

Exercise 3: Validating the DirectAccess Deployment

Task 1: Verify the GPO Deployment

1. When you configured the DirectAccess server, the wizard created two Group Policies and linked them to the domain. To apply them, on LON-CL1, on the Start screen, type cmd and press Enter to open Command Prompt.

2. At the command prompt, type the following command, and then press Enter.

gpupdate /force

3. At the command prompt, type the following command, and then press Enter.

gpresult /R

4. Under the Computer Settings section, verify that DirectAccess Client Settings GPO is applied.

Note: If DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as Adatum\Administrator by using the password Pa$$w0rd, and then repeat steps 3 and 4 on LON-CL1.

5. At the command prompt, type the following command, and then press Enter.

netsh name show effectivepolicy

6. Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings

Note: DirectAccess settings are inactive when this computer is inside a corporate network.

7. To move the client from the intranet to the public network, on LON-CL1, at the command prompt, type control, and then press Enter to open Control Panel.

8. In Control Panel, click Network and Sharing Center.

9. In the Network and Sharing Center window, click Change adapter settings.

10. Right-click Ethernet, and then click Disable.

11. Right-click Ethernet 2, and then click Enable.

12. Right-click Ethernet 2, and then click Properties.

13. In the Ethernet 2 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

14. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, ensure that the following is displayed, and then click OK.

o IP address: 131.107.0.20

o Subnet mask: 255.255.255.0

o Preferred DNS server: 131.107.0.100

15. In the Ethernet 2 Properties dialog box, click Close.

16. Close all open windows.

Task 2: Test DirectAccess Connectivity

Verify connectivity to the internal network resources

1. Switch to LON-CL1.

2. On LON-CL1, on the taskbar, click the Internet Explorer icon.

3. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

4. Leave the Internet Explorer window open.

5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access the folder content.

6. Close all open windows.

7. Click the Start button, on the Start screen type cmd, and then press Enter.

8. At the command prompt, type ipconfig, and press Enter.

Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS address.

Verify connectivity to the DirectAccess server

1. At the command prompt, type the following, and then press Enter.

Netsh name show effectivepolicy

2. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com and Directaccess-NLS.Adatum.com.

3. At the command prompt, type the following command, and then press Enter.

Powershell

4. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.
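The client-side checks of Tasks 1 and 2 (NRPT entries, the IP-HTTPS tunnel address, the client settings and reachability of LON-SVR1) collected by one PowerShell script. This is an added editor's example, not part of the handbook; it assumes an elevated PowerShell on LON-CL1 (Windows 8.1, so the NetTCPIP, NetSecurity and DnsClient cmdlets exist) after the client has been moved to the simulated Internet as in Task 1, and the NLS name and server name are the ones the lab shows.

```powershell
# Added validation script, not part of the 20411C lab steps. Run elevated on LON-CL1 after
# it has been moved to the simulated Internet (Ethernet 2, 131.107.0.20).
$internalSuffix = '.adatum.com'
$nlsName        = 'directaccess-nls.adatum.com'   # NLS exemption created by the wizard (lab step 2)
$testHost       = 'lon-svr1.adatum.com'

$r = [ordered]@{}

# 1. NRPT, i.e. what "netsh name show effectivepolicy" prints. The .adatum.com rule must send
#    queries to the DirectAccess DNS64 address; the NLS name must be an exemption (a rule with
#    no DirectAccess DNS servers) so the client can tell intranet from Internet.
$nrpt       = Get-DnsClientNrptPolicy -Effective
$suffixRule = $nrpt | Where-Object { $_.Namespace -ieq $internalSuffix }
$nlsRule    = $nrpt | Where-Object { $_.Namespace -ieq $nlsName }
$r['NrptRuleCount']  = @($nrpt).Count                                   # lab expects 2
$r['SuffixRuleOk']   = [bool]($suffixRule -and $suffixRule.DirectAccessDnsServers)
$r['DaDnsServers']   = ($suffixRule.DirectAccessDnsServers -join ', ')
$r['NlsExemptionOk'] = [bool]($nlsRule -and -not $nlsRule.DirectAccessDnsServers)

# 2. IP-HTTPS transition tunnel. The adapter is named iphttpsinterface and, with the Getting
#    Started Wizard, carries a 2002: (6to4-derived) prefix once the HTTPS tunnel is up.
$tunnel = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
          Where-Object { $_.InterfaceAlias -ieq 'iphttpsinterface' -and $_.IPAddress -like '2002:*' }
$r['IpHttpsUp']      = [bool]$tunnel
$r['IpHttpsAddress'] = ($tunnel.IPAddress -join ', ')

# 3. Client experience settings delivered by the DirectAccess Client Settings GPO.
$cfg = Get-DAClientExperienceConfiguration
$r['DaFriendlyName'] = $cfg.FriendlyName
$r['ForceTunneling'] = $cfg.ForceTunneling

# 4. The lab's reachability test (http://lon-svr1.adatum.com and \\LON-SVR1\Files). The name
#    resolves through the NRPT to an IPv6 answer that is reachable only over the tunnel.
$r['HttpReachable'] = Test-NetConnection -ComputerName $testHost -CommonTCPPort HTTP -InformationLevel Quiet
$r['SmbReachable']  = Test-NetConnection -ComputerName $testHost -CommonTCPPort SMB  -InformationLevel Quiet

# 5. Tunnel protection. The server console shows Kerberos for machine and user; on the client
#    that corresponds to IPsec main-mode SAs with the DirectAccess server.
$r['IpsecMainModeSAs'] = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

[pscustomobject]$r
```

If SuffixRuleOk or NlsExemptionOk is False, the DirectAccess Client Settings GPO has not applied yet; re-run gpupdate /force as in Task 1 before looking further.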

Verify client connectivity on DirectAccess Server

1. Switch to LON-RTR.

2. Switch to the Remote Access Management console.

3. In the Console pane, click Remote Client Status. Notice that the client is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.

4. Close all open windows.

Note: After completing the lab, do not revert virtual machines.

Results: After completing this exercise, you should have successfully verified that client computers can access the internal network by using DirectAccess.

Lab B: Deploying an Advanced DirectAccess Solution

Exercise 1: Preparing the Environment for DirectAccess

Task 1: Configure the AD DS and DNS requirements

Edit the security group for DirectAccess client computers

1. Switch to LON-DC1.

2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console tree, click DA_Clients OU, and then in the details pane, double-click the DA_Clients group.

4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.

5. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.

6. In the Enter the object names to select (examples) box, type LON-CL3, click Check Names, and then click OK.

7. Verify that LON-CL3 and LON-CL1 are displayed below the Members list, and then click OK.

8. Close the Active Directory Users and Computers console.

Configure firewall rules for ICMPv6 traffic to enable subsequent testing of DirectAccess in the lab environment

1. Switch to LON-DC1.

2. In the Server Manager console, in the upper-right corner, click Tools, and then click Group Policy Management.

3. In the console tree, expand Forest: Adatum.com\Domains\Adatum.com.

4. In the console tree, right-click Default Domain Policy, and then click Edit.

5. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

6. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

7. On the Rule Type page, click Custom, and then click Next.

8. On the Program page, click Next.

9. On the Protocols and Ports page, in the Protocol type drop-down list, click ICMPv6, and then click Customize.

10. In the Customize ICMP Settings window, click Specific ICMP types, select Echo Request, and then click OK.

11. Click Next.

12. On the Scope page, click Next.

13. On the Action page, click Next.

14. On the Profile page, click Next.

15. On the Name page, in the Name box, type Inbound ICMPv6 Echo Requests, and then click Finish.

16. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.

17. On the Rule Type page, click Custom, and then click Next.

18. On the Program page, click Next.

19. On the Protocols and Ports page, under Protocol type, click ICMPv6, and then click Customize.

20. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

21. Click Next.

22. On the Scope page, click Next.

23. On the Action page, click Allow the connection, and then click Next.

24. On the Profile page, click Next.

25. On the Name page, in the Name box, type Outbound ICMPv6 Echo Requests, and then click Finish.

26. Close the Group Policy Management Editor and Group Policy Management consoles.

Create required DNS records

1. In the Server Manager console, click Tools, and then click DNS.

2. In the console tree of DNS Manager, expand LON-DC1\Forward Lookup Zones\Adatum.com.

3. Right-click Adatum.com, and then click New Host (A or AAAA).

4. In the Name box, type nls. In the IP address box, type 172.16.0.21. Click Add Host, and then click OK.

Note: The NLS record will be used by the client to determine the network location.

5. In the New Host dialog box, in the Name box, type CRL. In the IP address box, type 172.16.0.1, and then click Add Host.

6. In the DNS dialog box, which confirms that the record was created, click OK.

7. In the New Host dialog box, click Done.

8. Close the DNS Manager console.

Note: The CRL record will be used by the internal clients to check the revocation status of the certificates that are used in DirectAccess.

Remove ISATAP from the DNS global query block

1. On the Start screen, type cmd.exe, and then press Enter to launch the Command Prompt window.

2. In the Command Prompt window, type the following command, and then press Enter.

dnscmd /config /globalqueryblocklist wpad

3. Ensure that the Command completed successfully message appears.

4. Close the Command Prompt window.
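The LON-DC1 part of Task 1 (group membership, the two ICMPv6 rules in the Default Domain Policy, the nls and crl host records, and the global query block list) done from PowerShell with each change verified afterwards. This is an added editor's example, not part of the handbook; it assumes an elevated PowerShell on LON-DC1 with the NetSecurity, DnsServer and ActiveDirectory modules present, and uses the names, addresses and GPO from the lab.

```powershell
# Added example, not part of the 20411C lab steps. Run elevated on LON-DC1.
$gpoStore = 'Adatum.com\Default Domain Policy'   # PolicyStore "domain\GPO name": edits the GPO, not the local firewall
$zone     = 'Adatum.com'

# 1. ICMPv6 Echo Request rules in the Default Domain Policy. ICMPv6 type 128 is Echo Request,
#    the "Specific ICMP types: Echo Request" choice in steps 10 and 20. The lab accepts the
#    default scope (any remote address); outside a lab, narrow -RemoteAddress to the subnets
#    you actually need to ping across.
foreach ($direction in 'Inbound', 'Outbound') {
    $name = "$direction ICMPv6 Echo Requests"
    if (-not (Get-NetFirewallRule -DisplayName $name -PolicyStore $gpoStore -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -PolicyStore $gpoStore -Direction $direction `
            -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any | Out-Null
    }
}

# 2. A records: nls -> 172.16.0.21 (network location server) and crl -> 172.16.0.1 (LON-RTR,
#    which will host the CRL distribution point).
$records = @{ nls = '172.16.0.21'; crl = '172.16.0.1' }
foreach ($name in $records.Keys) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $records[$name]
    }
}

# 3. Global query block list. "dnscmd /config /globalqueryblocklist wpad" replaces the whole
#    list with just wpad; that is how isatap stops being blocked. Do the same explicitly and
#    keep the previous list so the change is visible in the output.
$before = (Get-DnsServerGlobalQueryBlockList).List
Set-DnsServerGlobalQueryBlockList -List 'wpad'
$after  = (Get-DnsServerGlobalQueryBlockList).List

# 4. Verification of everything above plus the DA_Clients membership edited at the start of Task 1.
[pscustomobject]@{
    IcmpRulesInGpo     = @(Get-NetFirewallRule -PolicyStore $gpoStore |
                           Where-Object { $_.DisplayName -like '* ICMPv6 Echo Requests' }).Count   # expect 2
    NlsResolvesTo      = (Resolve-DnsName -Name "nls.$zone" -Type A -Server 127.0.0.1).IP4Address # 172.16.0.21
    CrlResolvesTo      = (Resolve-DnsName -Name "crl.$zone" -Type A -Server 127.0.0.1).IP4Address # 172.16.0.1
    BlockListBefore    = ($before -join ', ')
    BlockListAfter     = ($after  -join ', ')                                                    # expect wpad
    IsatapStillBlocked = ($after -contains 'isatap')                                             # expect False
    DaClientMembers    = (Get-ADGroupMember -Identity 'DA_Clients' |
                          Select-Object -ExpandProperty Name) -join ', '                         # LON-CL1, LON-CL3
}
```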

Configure the DNS suffix on LON-RTR

1. Switch to LON-RTR.

2. On the Start screen, type Control Panel, and then press Enter.

3. In Control Panel, click View network status and tasks.

4. In the Network and Sharing Center window, click Change adapter settings.

5. In the Network Connection window, right-click Internet, and then click Properties.

6. In the Internet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Advanced.

8. On the DNS tab, in the DNS suffix for this connection box, type Adatum.com, and then click OK.

9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click OK.

10. In the Internet Properties dialog box, click Close.

11. Close the Network Connections window.

Note: The Internet client needs this suffix when resolving names for internal resources.

Task 2: Configure CRL Distribution

Configure certificate requirements

Note: The following steps prepare the CA with the proper extensions for the CRL distribution point, which will be included in the certificates that the CA issues from now on.

1. On LON-DC1, in Server Manager, on the Tools menu, click Certification Authority.

2. In the details pane, right-click AdatumCA, and then click Properties.

3. In the AdatumCA Properties dialog box, click the Extensions tab.

4. On the Extensions tab, click Add. In the Location box, type http://crl.adatum.com/crld/.

5. Under Variable, click <CAName>, and then click Insert.

6. Under Variable, click <CRLNameSuffix>, and then click Insert.

7. Under Variable, click <DeltaCRLAllowed>, and then click Insert.

8. In the Location box, type .crl at the end of the Location string, and then click OK.

9. Select the Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates check boxes, and then click Apply.

10. In the dialog box that prompts you to restart Active Directory Certificate Services, click No.

11. Click Add.

12. In the Location box, type \\LON-RTR\crldist$\.

13. Under Variable, click <CaName>, and then click Insert.

14. Under Variable, click <CRLNameSuffix>, and then click Insert.

15. Under Variable, click <DeltaCRLAllowed>, and then click Insert.

16. In the Location box, type .crl at the end of the string, and then click OK.

17. Select Publish CRLs to this location and select Publish Delta CRLs to this location, and then click OK.

18. Click Yes to restart Active Directory Certificate Services.
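The same two CRL distribution points configured with the ADCSAdministration cmdlets and then read back, so the mapping between the check boxes in steps 9 and 17 and the CA's stored flags is visible. This is an added editor's example, not part of the handbook; it assumes an elevated PowerShell on LON-DC1 (the AdatumCA host), and because the crldist$ share on LON-RTR is created in a later task, the test publication to it only runs when that path already exists.

```powershell
# Added example, not part of the 20411C lab steps. Run elevated on LON-DC1 (AdatumCA).
Import-Module ADCSAdministration

# Same string the GUI builds from <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed> and ".crl".
$crlFile = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$httpCdp = 'http://crl.adatum.com/crld/' + $crlFile     # step 4: the URL clients fetch
$uncCdp  = '\\LON-RTR\crldist$\' + $crlFile              # step 12: where the CA writes the files

# Step 9: "Include in CRLs. Clients use this to find Delta CRL locations" = -AddToFreshestCrl,
#         "Include in the CDP extension of issued certificates"            = -AddToCertificateCdp.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToFreshestCrl -AddToCertificateCdp -Force

# Step 17: "Publish CRLs to this location" / "Publish Delta CRLs to this location".
#          Deliberately NOT added to issued certificates: clients only ever see the HTTP URL.
Add-CACrlDistributionPoint -Uri $uncCdp -PublishToServer -PublishDeltaToServer -Force

# Step 18: the CA service must restart for changed CDP settings to take effect.
Restart-Service -Name certsvc

# Check 1: the CA's own view of its CDP list, one row per URL with the flags decoded.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like '*adatum*' -or $_.Uri -like '*LON-RTR*' } |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer -AutoSize

# Check 2: the registry value behind the GUI. certutil prints one "<flags>:<url>" per entry,
# with the tokens stored as %3%8%9 (CaName, CRLNameSuffix, DeltaCRLAllowed). Flag bits:
# 1 = publish to server, 2 = add to certificate CDP, 4 = add to freshest CRL, 64 = publish delta.
# So the HTTP entry should read 6:http://crl.adatum.com/... and the UNC entry 65:\\LON-RTR\...
certutil -getreg CA\CRLPublicationURLs

# Check 3: publish a CRL now and confirm it lands on the share (only once that share exists).
if (Test-Path '\\LON-RTR\crldist$') {
    certutil -crl | Out-Null
    Get-ChildItem '\\LON-RTR\crldist$' -Filter '*.crl' | Select-Object Name, Length, LastWriteTime
}
```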

Export Root Certificate

Note: In the following steps, you will export the root certificate because it will be required in Labs C and D for configuring VPN and Web Application Proxy.

1. In Certification Authority, right-click AdatumCA, and then select Properties.

2. On the General tab, click View Certificate.

3. In the Certificate window, click the Details tab, and then click Copy to File.

4. In the Certificate Export Wizard, click Next.

5. Select DER encoded binary X.509 (.CER), and then click Next.

6. In the File Name box, type c:\Root.cer, and then click Next.

7. Click Finish to close Certificate Export Wizard.

8. Click OK three times and then close the Certification Authority console.

Task 3: Configure Client Certificate Distribution

Configure computer certificate auto-enrollment

1. On LON-DC1, switch to Server Manager, click Tools on the upper-right side of the window, and then click Group Policy Management.

2. In the console tree, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

3. In the console tree, right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

6. In the Automatic Certificate Request Setup Wizard, click Next.

7. On the Certificate Template page, click Computer, click Next, and then click Finish.

8. Close the Group Policy Management Editor and close the Group Policy Management console.

Task 4: Configure the Network Location Server and DirectAccess Server Certificates

Request a certificate for LON-SVR1

1. On LON-SVR1, on the Start screen, type cmd, and then press Enter to open a command prompt.

2. At the command prompt, type the following command, and then press Enter.

gpupdate /force

3. At the command prompt, type the following command, and then press Enter.

mmc

4. Click File, and click Add/Remove Snap-in.

5. In the Available snap-ins list, click Certificates, and then click Add.

6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

7. Select Local computer, click Finish, and then click OK.

8. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.

9. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

10. Click Next twice.

11. On the Request Certificates page, click Adatum Web Certificate, and then click More information is required to enroll for this certificate.

12. On the Subject tab in the Certificate Properties dialog box, under Subject name, under Type, select Common name.

13. In the Value box, type nls.adatum.com, and then click Add.

14. Click OK, click Enroll, and then click Finish.

15. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com is enrolled with Intended Purposes of Server Authentication.

16. Close the console window. When you are prompted to save settings, click No.

Change the HTTPS bindings

Note: In the following steps, you will configure the HTTPS bindings for the host name nls.adatum.com, which the clients will use to determine their network location.

1. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

2. In the Internet Information Services (IIS) Manager console, expand LON-SVR1 (ADATUM\Administrator). If the Internet Information Services Manager message box appears, click No to close the message box.

3. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.

4. In the Actions pane, click Bindings, and then click Add.

5. In the Add Site Bindings dialog box, click https, in the Host name box type nls.adatum.com, in the SSL Certificate list, click the certificate with the name nls.adatum.com, click OK, and then click Close.

6. Close the Internet Information Services (IIS) Manager console.
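The certificate request and HTTPS binding above, done from PowerShell on LON-SVR1 with a check of what the NLS actually presents; this is an added example, not part of the course. It assumes the template's internal name is AdatumWebCertificate (the GUI lists it by display name) and that nls.adatum.com resolves to LON-SVR1.

```powershell
# Added example, not part of the course: request the NLS certificate and
# create the https binding for nls.adatum.com from PowerShell on LON-SVR1,
# the same result Task 4 reaches through the Certificates snap-in and IIS
# Manager. Assumption: the template's internal name is "AdatumWebCertificate"
# (the GUI lists templates by display name, "Adatum Web Certificate").
Import-Module PKI
Import-Module WebAdministration

$NlsHost      = 'nls.adatum.com'
$TemplateName = 'AdatumWebCertificate'   # assumption, see above
$SiteName     = 'Default Web Site'

function Request-NlsCertificate {
    # Enroll a computer certificate with CN=nls.adatum.com from the enterprise CA
    # and confirm it carries the Server Authentication EKU (lab step 15).
    $enrollment = Get-Certificate -Template $TemplateName -SubjectName "CN=$NlsHost" `
        -DnsName $NlsHost -CertStoreLocation Cert:\LocalMachine\My
    if ($enrollment.Status -ne 'Issued') {
        throw "Enrollment did not complete: status $($enrollment.Status)"
    }
    $cert = $enrollment.Certificate
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) {
        throw 'Certificate lacks the Server Authentication EKU; clients will not accept it for NLS.'
    }
    $cert
}

function Add-NlsHttpsBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # SslFlags 1 = SNI binding, so the nls.adatum.com host name selects this certificate
    # (lab steps 4 and 5 under "Change the HTTPS bindings").
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $NlsHost -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $NlsHost
    $binding.AddSslCertificate($Certificate.Thumbprint, 'My')
}

function Test-NlsBinding {
    param([string]$HostName = $NlsHost)
    # Open a TLS session to the NLS the way a DirectAccess client does and report the
    # certificate actually presented. AuthenticateAsClient throws when the chain is
    # untrusted or the name does not match, which is exactly the failure that makes a
    # client on the intranet believe it is on the Internet.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
        }
    } finally {
        $client.Close()
    }
}

$nlsCert = Request-NlsCertificate
Add-NlsHttpsBinding -Certificate $nlsCert
Test-NlsBinding
```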

Configure DirectAccess server with the appropriate certificate

1. Switch to LON-RTR.

2. On the Start screen, type cmd and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

gpupdate /force

4. At the command prompt, type mmc, and then press Enter to open a Microsoft Management Console.

5. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

6. In the Available snap-ins list, click Certificates, and then click Add.

7. In the Certificates snap-in dialog box, select Computer account, and then click Next.

8. Select Local computer, click Finish, and then click OK.

9. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.

10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

11. Click Next twice.

12. On the Request Certificates page, click Adatum Web Certificate, and then click More information is required to enroll for this certificate.

13. On the Subject tab of the Certificate Properties dialog box, under Subject name, under Type, select Common name.

14. In the Value box, type 131.107.0.10, and then click Add.

15. Click OK, click Enroll, and then click Finish.

16. In the details pane of the Certificates snap-in, verify that a new certificate with the name 131.107.0.10 is issued with Intended Purposes of Server Authentication.

17. Right-click the certificate, and click Properties.

18. In the Friendly Name box, type IP-HTTPS Certificate, and then click OK.

19. Close the console window. If you are prompted to save settings, click No.

Note: Instead of issuing a certificate with the IP address in the subject name, in a real environment you can use the FQDN of the Internet-facing server that external clients will reach.

Create CRL distribution point on LON-RTR

1. Switch to Server Manager.

2. Click Tools, and click Internet Information Services (IIS) Manager.

3. In the Internet Information Services (IIS) Manager console, in the left pane, click LON-RTR (Adatum\Administrator).

4. If the Internet Information Service Manager message box appears, click No to close the message box.

5. In the console tree, browse to LON-RTR\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.

6. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis button.

7. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.

8. Type CRLDist, and press Enter.

9. In the Browse for Folder dialog box, click OK.

10. In the Add Virtual Directory dialog box, click OK.

11. In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.

12. In the left pane, click the CRLD folder.

13. In the middle pane of the console, under the Management section, double-click the Configuration Editor icon.

14. Click the down-arrow of the Section drop-down list, and navigate to system.webServer\security\requestFiltering.

15. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.

16. In the Actions pane, click Apply.

17. Close Internet Information Services (IIS) Manager.

Note: You need to modify the value of allowDoubleEscaping to allow clients to access CRL deltas that will have a '+' appended to the filename.

Share and secure the CRL distribution point

1. On the taskbar, click File Explorer.

2. Double-click Local Disk (C:).

3. In the details pane of Windows Explorer, right-click the CRLDist folder, and then click Properties.

4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

5. In the Advanced Sharing dialog box, select Share this folder.

6. In the Share name box, type a dollar sign ($) at the end so that the share name is CRLDist$.

7. In the Advanced Sharing dialog box, click Permissions.

8. In the Permissions for CRLDist$ dialog box, click Add.

9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

10. In the Object Types dialog box, select Computers, and then click OK.

11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click Check Names. Click OK.

12. In the Permissions for CRLDist$ dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow. Click OK.

13. In the Advanced Sharing dialog box, click OK.

14. In the CRLDist Properties dialog box, click the Security tab.

15. On the Security tab, click Edit.

16. In the Permissions for CRLDist dialog box, click Add.

17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

18. In the Object Types dialog box, select Computers. Click OK.

19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type LON-DC1, click Check Names, and then click OK.

20. In the Permissions for CRLDist dialog box, in the Group or user names list, select LON-DC1 (ADATUM\LON-DC1$). In the Permissions for LON-DC1 area, under Full control, select Allow, and then click OK.

21. In the CRLDist Properties dialog box, click Close.

22. Close the File Explorer window.

Publish the CRL to LON-RTR

This step makes the CRL available on the edge server for Internet-based DirectAccess clients.

1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Certification Authority.

3. In the console tree, expand AdatumCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

4. In the Publish CRL dialog box, click New CRL, and then click OK.

5. On the taskbar, click File Explorer, type \\LON-RTR\CRLDist$, and then press Enter.

6. In the File Explorer window, notice the AdatumCA files.

7. Close the File Explorer window.
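The CRL distribution point built by the "Create", "Share and secure" and "Publish" procedures above, scripted on LON-RTR with a check that both the base CRL and the '+' delta CRL are actually served; this is an added example, not course material. It assumes the CDP URL that AdatumCA publishes is http://crl.adatum.com/CRLD (the lab adds crl.adatum.com to the NRPT but does not show the CA's CDP extension).

```powershell
# Added example, not part of the course: the CRL distribution point that the
# "Create CRL distribution point", "Share and secure" and "Publish the CRL"
# procedures build by hand on LON-RTR, plus a check that both the base CRL and
# the delta CRL are served. Assumptions: the CDP URL published by AdatumCA is
# http://crl.adatum.com/CRLD, and the CA is named AdatumCA as in the lab.
Import-Module WebAdministration
Import-Module SmbShare

$CrlPath   = 'C:\CRLDist'
$SiteName  = 'Default Web Site'
$Alias     = 'CRLD'
$CaAccount = 'ADATUM\LON-DC1$'   # the CA's computer account writes the CRL files over SMB

function New-CrlDistributionPoint {
    New-Item -ItemType Directory -Path $CrlPath -Force | Out-Null
    New-WebVirtualDirectory -Site $SiteName -Name $Alias -PhysicalPath $CrlPath | Out-Null
    $vdir = "IIS:\Sites\$SiteName\$Alias"

    # Directory browsing matches lab step 11. allowDoubleEscaping (step 15) is needed
    # because the delta CRL is published as <CAName>+.crl and request filtering rejects
    # the '+' in the URL unless double escaping is allowed.
    Set-WebConfigurationProperty -PSPath $vdir -Filter /system.webServer/directoryBrowse `
        -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $vdir -Filter /system.webServer/security/requestFiltering `
        -Name allowDoubleEscaping -Value $true

    # Share and NTFS permissions: Full Control only for the CA computer account, as in
    # "Share and secure the CRL distribution point"; nothing else needs write access.
    New-SmbShare -Name 'CRLDist$' -Path $CrlPath -FullAccess $CaAccount | Out-Null
    $acl  = Get-Acl -Path $CrlPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $CaAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $CrlPath -AclObject $acl
}

function Test-CrlDistributionPoint {
    param(
        [string]$BaseUrl = 'http://crl.adatum.com/CRLD',   # assumption, see above
        [string]$CaName  = 'AdatumCA'
    )
    # Base CRL: <CA>.crl. Delta CRL: <CA>+.crl. If allowDoubleEscaping is still False,
    # request filtering answers the second URL with HTTP 404 even though the file is on
    # disk, and clients cannot complete revocation checking against the delta CRL.
    foreach ($file in "$CaName.crl", "$CaName+.crl") {
        $url = "$BaseUrl/$file"
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            $resp  = Invoke-WebRequest -Uri $url -OutFile $tmp -PassThru -UseBasicParsing
            $bytes = [System.IO.File]::ReadAllBytes($tmp)
            # A CRL is DER-encoded and starts with a SEQUENCE tag (0x30); an HTML error
            # page or directory listing does not.
            $looksLikeCrl = ($resp.StatusCode -eq 200) -and ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30)
            [pscustomobject]@{ Url = $url; Status = $resp.StatusCode; Bytes = $bytes.Length; IsCrl = $looksLikeCrl }
        } catch {
            [pscustomobject]@{ Url = $url; Status = $_.Exception.Message; Bytes = 0; IsCrl = $false }
        } finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }
}

New-CrlDistributionPoint
# Run the check after "Publish the CRL to LON-RTR" has copied the files from LON-DC1.
Test-CrlDistributionPoint | Format-Table -AutoSize
```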

Results: After completing this exercise, you will have prepared the environment for implementing advanced DirectAccess infrastructure.

Exercise 2: Implementing the Advanced DirectAccess Infrastructure

Task 1: Modify the DirectAccess Deployment

Configure the Remote Access role

1. On LON-RTR, in Server Manager, on the Tools menu, click Remote Access Management.

2. In the Remote Access Management console, click DirectAccess and VPN.

3. To select which clients will use DirectAccess, in the central pane, under Step 1, click Edit.

4. On the Deployment Scenario page, click Next.

5. On the Select Groups page, verify that DA_Clients (ADATUM\DA_Clients) group is listed, and then click Next.

6. On the Network Connectivity Assistant page, under the Resource column, delete the existing record by right-clicking on the arrow and selecting Delete.

7. Double-click the empty row under the Resource column.

8. In the Configure Corporate Resources for NCA page, verify that HTTP is selected, and then type https://nls.adatum.com. Click Validate, and then click Add.

9. In the Network Connectivity Assistant page, click Finish to close configuration for Step 1.

10. On Step 2, click Edit.

11. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.10.

12. Click Next.

13. On the Network Adapters page, clear selection for Use a self-signed certificate created automatically by DirectAccess and click Browse.

14. On Select Certificate, choose the certificate 131.107.0.10 that is issued by AdatumCa and is used as a certificate to authenticate IP-HTTPS connections, click OK, and then click Next.

15. On the Authentication page, select Use computer certificates, click Browse, select AdatumCA, and then click OK.

16. Select Enable Windows 7 client computers to connect via DirectAccess, and then click Finish.

Note: You need to enable certificate authentication with certificates issued from a trusted CA to support Windows 7 clients.

17. In the Remote Access Setup pane, under Step 3, click Edit.

18. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended); in the Type in the URL of the network location server box, type https://nls.adatum.com, and then click Validate.

19. Ensure that the URL is validated, and click Next.

20. On the DNS page, double-click an empty row below nls.adatum.com.

21. In the DNS suffix box, type crl.adatum.com, click Apply to add entry in NRPT table, and then click Next.

22. In the DNS Suffix Search List page, click Next.

23. On the Management page, click Finish to close configuration for Step 3.

24. Under Step 4, click Edit.

25. On the DirectAccess Application Server Setup page, click Finish.

26. In the central pane, click Finish to apply the changes.

27. In Remote Access Review window, click Apply.

28. In the Applying Remote Access Setup Wizard Settings dialog box, click Close.

Task 2: Verify the Server and GPO Configuration

1. On the Start screen, type cmd, and then press Enter.

2. At the command prompt, type the following commands, and then press Enter.

gpupdate /force

ipconfig

3. Verify that LON-RTR has an IPv6 address for Tunnel adapter IP HTTPS Interface starting with 2002.

Results: After completing this exercise, you will have implemented the advanced DirectAccess infrastructure.

Exercise 3: Validating the DirectAccess Deployment

Task 1: Verify Windows 8 Client Connectivity

Verify DirectAccess Group Policy configuration settings for Windows 8 clients

1. To move the client from the public network back to the intranet, revert LON-CL1 in Hyper-V Manager, and then start LON-CL1.

2. At the command prompt, type the following command and then press Enter.

gpupdate /force

Note: If an error message appears, restart LON-CL1, and then perform Step 2 again.

3. At the command prompt, type the following command, and then press Enter.

gpresult /R

4. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings.

5. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the Gpresult /R command again.

Verify client computer certificate distribution

1. On LON-CL1, in the command prompt, type mmc.exe, and then press Enter.

2. Click File, and click Add/Remove Snap-in.

3. In the Available snap-ins list, click Certificates, and then click Add.

4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

5. Select Local computer, click Finish, and then click OK.

6. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer) \Personal\Certificates.

7. In the details pane, verify that a certificate with the name LON-CL1.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.

8. Close the console window. When you are prompted to save settings, click No.

Verify IP address configuration

1. On LON-CL1, on the Start screen, click the Desktop tile.

2. On the taskbar, click the Internet Explorer icon.

3. In the Address bar, type http://lon-svr1.adatum.com/, and then press Enter. If a notification appears to indicate whether to enable private network access, click Turn on. The default IIS 8.0 web page for LON-SVR1 appears.

4. In the Address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

5. Leave the Internet Explorer window open.

6. On the Start screen, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears.

7. Close all open windows.

Move the client computer to the Internet virtual network

1. To move the client from the intranet to the public network, on LON-CL1, open Control Panel: at the command prompt, type control, and then press Enter.

2. In Control Panel, click Network and Sharing Center.

3. In the Network and Sharing Center window, click Change adapter settings.

4. Right-click Ethernet, and then click Disable.

5. Right-click Ethernet 2, and then click Enable.

6. Close the Network Connections window.

Verify connectivity to the DirectAccess server

1. On LON-CL1, at the command prompt, type the following command, and then press Enter.

ipconfig

2. Notice the IP address for Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address.

3. If you notice that there is no IP address for iphttpsinterface, type the following commands, restart the computer, and then repeat steps 1 and 2.

Netsh interface teredo set state disabled

Netsh interface 6to4 set state disabled

Note: In this lab setup, IP-HTTPS connectivity through the firewall is enabled, and other connectivity methods from the client, such as the Teredo or 6to4 tunneling protocol, are disabled. If you are planning to use the Teredo or 6to4 tunneling protocol in the production environment, you do not have to disable them.

4. At the command prompt, type the following command, and then press Enter.

Netsh name show effectivepolicy

Verify that the DNS Effective Name Resolution Policy Table Settings show three entries: adatum.com, crl.adatum.com, and nls.adatum.com.

5. At the command prompt, type the following command, and then press Enter.

powershell

6. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.

Verify connectivity to the internal network resources

1. On the taskbar, click the Internet Explorer icon.

2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears.

5. Switch to the Command Prompt window.

6. At the command prompt, type the following command and then press Enter.

ping lon-dc1.adatum.com

7. Verify that you are receiving replies from lon-dc1.adatum.com.

8. At the command prompt, type the following command, and then press Enter.

gpupdate /force

9. Close all open windows.

10. Switch to LON-RTR.

11. On the taskbar, click the Remote Access Management icon.

12. In the Console pane, click Remote Client Status.

Notice that LON-CL1 is connected via IPHTTPS. In the Connection Details pane, in the bottom-right of the screen, note the use of Machine Certificate, User Ntlm and User Kerberos.

13. Close all open windows.
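The client-side checks of Task 1 (the IP-HTTPS address from ipconfig, the NRPT entries from netsh name show effectivepolicy, the ping to LON-DC1) gathered into one function that reports pass or fail per check; this is an added example for the Windows 8 client LON-CL1, not part of the course. It assumes the NetTCPIP, NetworkTransition, DnsClient and NetworkConnectivityStatus modules that ship with Windows 8, and that the NRPT namespaces appear with a leading dot.

```powershell
# Added example, not part of the course: the verification steps of Task 1 run
# from PowerShell on LON-CL1 (Windows 8). Set-NetTeredoState -Type Disabled and
# Set-Net6to4Configuration -State Disabled are the cmdlet equivalents of the two
# netsh commands in step 3. Assumption: NRPT namespaces carry a leading dot.
function Test-DirectAccessClient {
    param(
        [string[]]$ExpectedNrptSuffixes = @('.adatum.com', '.crl.adatum.com', '.nls.adatum.com'),
        [string]$ProbeHost = 'lon-dc1.adatum.com'
    )
    $results = @()

    # 1. IP-HTTPS: the tunnel interface must hold a 2002:/16 address (lab step 2).
    $ipHttps = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*iphttps*' -and $_.IPAddress -like '2002:*' }
    $results += [pscustomobject]@{
        Check  = 'IP-HTTPS address (2002::/16)'
        Pass   = [bool]$ipHttps
        Detail = ($ipHttps.IPAddress -join ', ')
    }

    # 2. The transition technologies the lab note says are disabled in this setup.
    #    If either is still enabled, the client may try it before IP-HTTPS and stall.
    $teredo = Get-NetTeredoState
    $sixToFour = Get-Net6to4Configuration
    $results += [pscustomobject]@{ Check = 'Teredo disabled'; Pass = ($teredo.Type -eq 'Disabled'); Detail = "Type=$($teredo.Type)" }
    $results += [pscustomobject]@{ Check = '6to4 disabled';   Pass = ($sixToFour.State -eq 'Disabled'); Detail = "State=$($sixToFour.State)" }

    # 3. NRPT: the effective policy must carry the three namespaces the wizard added
    #    (step 4). The nls entry is the exemption that keeps NLS reachable directly.
    $present = (Get-DnsClientNrptPolicy -Effective).Namespace
    $missing = @($ExpectedNrptSuffixes | Where-Object { $present -notcontains $_ })
    $results += [pscustomobject]@{
        Check  = 'NRPT entries'
        Pass   = ($missing.Count -eq 0)
        Detail = "present: $($present -join ', '); missing: $($missing -join ', ')"
    }

    # 4. DirectAccess status as the Network Connectivity Assistant reports it.
    $da = Get-DAConnectionStatus
    $results += [pscustomobject]@{ Check = 'DA connection status'; Pass = ($da.Status -eq 'ConnectedRemotely'); Detail = "Status=$($da.Status)" }

    # 5. Reachability of an intranet host through the tunnel (step 6 uses ping).
    $reach = Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet
    $results += [pscustomobject]@{ Check = "ICMP to $ProbeHost"; Pass = $reach; Detail = '' }

    $results
}

Test-DirectAccessClient | Format-Table -AutoSize
```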

Task 2: Verify Windows 7 Client Connectivity

Verify DirectAccess Group Policy configuration settings for Windows 7 clients

1. Switch to LON-CL3.

2. Restart LON-CL3 and then sign in as Adatum\Administrator with the password Pa$$w0rd. This is to ensure that the LON-CL3 computer connects to the domain as a member of the DA_Clients security group.

3. Click the Start button, type cmd and then press Enter to open the Command Prompt window.

4. At the command prompt, type the following command and then press Enter.

gpupdate /force

5. At the command prompt, type the following command, and then press Enter.

gpresult /R

6. Verify that DirectAccess Client Settings GPO is displayed in the list of the Applied Group Policy Objects for the Computer Settings.

7. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart the computer. After the computer restarts, sign in as Adatum\Administrator and run the Gpresult /R command again.

Verify client computer certificate distribution

1. On LON-CL3, click the Start button, type mmc.exe, and then press Enter.

2. Click File, and click Add/Remove Snap-in.

3. In the Available snap-ins list, click Certificates, and then click Add.

4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

5. Select Local computer, click Finish, and then click OK. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates.

6. In the details pane, verify that a certificate with the name LON-CL3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.

7. Close the console window. When you are prompted to save settings, click No.

Verify IP address configuration

1. On LON-CL3, on the taskbar, click the Internet Explorer icon.

2. In the Address bar, type http://lon-svr1.adatum.com/, and then press Enter. If a notification appears to indicate whether to enable private network access, click Turn on. The default IIS 8.0 web page for LON-SVR1 appears. In the Address bar, type https://nls.adatum.com/, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears.

5. Close all open windows.

Move the client computer to the Internet virtual network

1. To move the client from the intranet to the public network, on LON-CL3, open Control Panel: at the command prompt, type control, and then press Enter.

2. In Control Panel, click Network and Sharing Center.

3. In the Network and Sharing Center window, click Change adapter settings.

4. Right-click Internal, and then click Disable.

5. Right-click Internet, and then click Enable.

6. Close the Network Connections window.

Verify connectivity to the DirectAccess server

1. On LON-CL3, click Start, type cmd, and then press Enter to open the command prompt.

2. At the command prompt, type the following command, and then press Enter.

ipconfig

3. Notice the IP address for Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address.

4. If you notice that there is no IP address for iphttpsinterface, type the following commands, and then repeat step 2.

Netsh interface teredo set state disabled

Netsh interface 6to4 set state disabled

Verify the IP address for Tunnel adapter iphttpsinterface, which starts with 2002. This is an IP-HTTPS address.

5. At the command prompt, type the following command, and then press Enter.

Netsh name show effectivepolicy

Verify that the DNS Effective Name Resolution Policy Table Settings show three entries: adatum.com, crl.adatum.com, and nls.adatum.com.

Verify connectivity to the internal network resources

1. On the taskbar, click the Internet Explorer icon.

2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

3. Leave the Internet Explorer window open.

4. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. A folder window with the contents of the Files folder appears.

5. Switch to the Command Prompt window.

6. At the command prompt, type the following command, and then press Enter.

ping lon-dc1.adatum.com

7. Verify that you are receiving replies from lon-dc1.adatum.com.

8. At the command prompt, type the following command, and then press Enter.

gpupdate /force

9. Close all open windows.

10. Switch to LON-RTR.

11. On the taskbar, click Remote Access Management icon.

12. In the Console pane, click Remote Client Status, and then from the Tasks pane click Refresh.

In the central pane, notice that LON-CL3 is connected via IPHttps.

13. Close all open windows.

Task 3: Monitor Client Connectivity

1. Switch to LON-RTR.

2. On LON-RTR, open the Remote Access Management console, and then in the left pane, click Dashboard.

3. Review the information in the central pane, under the DirectAccess and VPN Client Status.

4. In the left pane, click Remote Client Status, and then in the central pane, review the information under the Connected Clients list.

5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.

6. In the Configure Accounting window, under the Select Accounting Method, click Use inbox accounting, click Apply, and then click Close.

7. In the central pane, under Remote Access Reporting, review the options for monitoring historical data.

Note: After completing the lab, do not revert virtual machines.

Results: After completing this exercise, you will have verified that both Windows 8 and Windows 7 clients can connect to the internal network by using DirectAccess.

Lab C: Implementing VPN

Exercise 1: Implementing VPN

Task 1: Review the Default VPN Configuration

1. Switch to LON-RTR.

2. In the Remote Access Management Console, click DirectAccess and VPN, and from the Actions pane, under the VPN section, select Enable VPN.

3. In the Enable VPN dialog box, click OK.

4. Click Close to finish the wizard.

5. In Server Manager, on the Tools menu, click Routing and Remote Access.

6. Expand LON-RTR, right-click ports, click Properties, and verify that 128 ports exist for SSTP, IKEv2, PPTP, and L2TP.

7. Double-click WAN Miniport (SSTP). In the Maximum ports box, type 5, and then click OK. In the Routing and Remote Access message box, click Yes.

8. Repeat Step 7 for IKEv2, PPTP, and L2TP.

9. To close the Ports Properties dialog box, click OK.

10. Right-click LON-RTR (local), click Properties, and in the General tab, verify that IPv4 Remote access server is selected.

11. Click Security, and then verify that Certificate 131.107.0.10 is selected for SSL Certificate Binding.

12. Click Authentication Methods, and then verify that EAP is selected as the authentication protocol and then click OK.

13. Click the IPv4 tab, and then verify that VPN server is configured to assign IPv4 addressing by using Dynamic Host Configuration Protocol (DHCP).

14. To close the LON-RTR (local) Properties dialog box, click OK.

Task 2: Verify Certificate Requirements for IKEv2 and SSTP

1. Switch to LON-RTR.

2. On the Start screen, type mmc, and then press Enter.

3. On the File menu, select Add/Remove Snap-in.

4. Select Certificates, click Add, select Computer account, and then click Next.

5. Verify that Local computer is selected, and then click Finish.

6. To close the Add or Remove Snap-in, click OK.

7. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

8. Notice that certificate 131.107.0.10 has been issued by AdatumCA with Intended Purpose for Server Authentication (this is required for SSTP and IKEv2 VPN connectivity).

9. Close the console without saving the changes.

Task 3: Configure the Remote Access Server

1. On LON-RTR, in Server Manager, on the Tools menu, click Network Policy Server.

2. In the Network Policy Server console, in the navigation pane, expand Policies, and then click Network Policies.

3. In the details pane, right-click the policy at the top of the list, and then click Disable.

4. In the details pane, right-click the policy at the bottom of the list, and then click Disable.

5. In the navigation pane, right-click Network Policies, and then click New.

6. In the New Network Policy wizard, in the Policy name box, type VPN Policy.

7. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.

8. On the Specify Conditions page, click Add.

9. In the Select condition dialog box, click Windows Groups, and then click Add.

10. In the Windows Groups dialog box, click Add Groups.

11. In the Select Group dialog box, in the Enter the object name to select (examples) box, type IT, and then click OK.

12. Click OK again, click Next, and on the Specify Access Permission page, click Access granted, and then click Next.

13. On the Configure Authentication Methods page, clear the Microsoft Encrypted Authentication (MS-CHAP) check box.

14. To add EAP Types, click Add.

15. On the Add EAP Types page, select Microsoft Secured password (EAP-MSCHAP v2), and then click OK.

16. To add EAP Types, click Add.

17. On the Add EAP Types page, select Microsoft: Smart Card or other certificate, and then click OK.

18. Click Next.

19. On the Configure Constraints page, click Next.

20. On the Configure Settings page, click Next.

21. On the Completing New Network Policy page, click Finish.

Results: After completing this exercise, you will have modified the remote access server configuration to provide VPN connectivity.

Exercise 2: Validating the VPN Deployment

Task 1: Remove the Client Computer from the Domain

1. Switch to LON-CL1.

2. On the Start screen, type control, and then press Enter to open Control Panel.

3. In Control Panel, click System.

4. In the System window, under Computer name, domain and workgroup settings, click Change settings.

5. In the System Properties dialog box, click Change.

6. In the Computer Name/Domain Changes dialog box, select Workgroup, type WORKGROUP, click OK, and then in Computer Name/Domain Changes dialog box click OK.

7. If Windows Security dialog box appears, for username type Administrator, for password type Pa$$w0rd, and then click OK.

8. In the Welcome to the WORKGROUP workgroup dialog box, click OK.

9. To restart the computer, click OK.

10. To close System Properties dialog box, click Close.

11. Click Restart Now.

Task 2: Verify that DirectAccess Does Not Work

1. When the LON-CL1 computer restarts, sign in with the user name Admin and password Pa$$w0rd.

2. On LON-CL1, click the Desktop tile, and on the taskbar, click the Internet Explorer icon.

3. In the Address bar, type https://nls.adatum.com/, and then press Enter. Notice that you are unable to open the website.

4. Leave the Internet Explorer window open.

5. On the taskbar, click File Explorer, type \\Lon-SVR1\Files, and then press Enter. Notice that the Network Error message appears.

6. Close all open windows.

Note: The client is unable to open the resource by using DirectAccess because this feature is not available for workgroup computers.

Task 3: Configure a VPN Connection and Verify Connectivity

1. On LON-CL1, on the Start screen, type control, and then press Enter to open Control Panel.

2. In the Control Panel window, under the Network and Internet section, click View network status and tasks.

3. Under Change your network settings, click Set up a new connection or network.

4. On the Choose a connection option page, click Connect to a workplace, and then click Next.

5. On the How do you want to connect? page, select Use my Internet connection (VPN).

6. Select I’ll set up an Internet connection later.

7. In the Internet address box, type 131.107.0.10.

8. In the Destination name box, type Adatum VPN, select Allow other people to use this connection, and then click Create.

9. In the Network and Sharing Center window, click Change adapter settings.

10. In the Network Connections window, right-click the Adatum VPN connection, and then click Properties. Click the Security tab, select Allow these protocols, ensure that Microsoft CHAP Version 2 (MS-CHAP v2) is selected, and then click OK.

11. In the Network Connections window, double-click Adatum VPN, and then on the right side of the screen, under the Connections list, click Adatum VPN, and then click Connect.

12. In the Network sign-in dialog box, in the User name box, type Adatum\Danielle, in the Password box, type Pa$$w0rd, and then click OK.

13. Verify that you are connected to Adatum by using a PPTP connection.

Note: To verify the type of connection, you can view the status of the connection in the Network Connections window in Control Panel.

Note: If you are unable to connect, restart LON-CL1 and then perform steps 11 and 12 again.

Note: In the following steps you will import the certificate of AdatumCA into Trusted Root Certification Authorities, so that the client trusts the certificate on the VPN server and can establish a VPN connection by using the SSTP protocol.

14. On the taskbar, click on the File Explorer icon.

15. In the This PC window, in the address bar, type \\172.16.0.10\C$\ and then press Enter.

16. In the Windows Security dialog box, click on Use another account, for username type Adatum\Administrator, for password type Pa$$w0rd and then press Enter.

17. In the c$ window, right-click Root.cer file, and then click Install Certificate.

18. In the Open File – Security Warning dialog box, click Open.

19. In the Welcome to the Certification Import Wizard, select Local Machine, and then click Next.

20. In the User Account Control dialog box, click Yes.

21. In the Certificate Import Wizard, select Place all certificates in the following store, click Browse, select Trusted Root Certification Authorities, and then click OK. Click Next to proceed, and then click Finish.

22. In the Certificate Import Wizard, click OK.

23. On the Start screen, type cmd, and then press Enter to open a command prompt.

24. In the Command Prompt window, type mmc and press Enter.

25. In the User Account Control dialog box, click Yes.

26. On the File menu, click Add/Remove Snap-in.

27. In the Add or Remove Snap-ins window, from the Available snap-ins list, select Certificates, and then click Add.

28. In Certificates snap-in dialog box, select Computer account, click Next, click Finish, and then click OK.

29. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

30. Verify that AdatumCA exists.

The steps you just performed imported the certificate of AdatumCA into Trusted Root Certification Authorities, so that the client trusts the certificate on the VPN server and can establish a VPN connection by using the SSTP protocol.

31. Switch to Network and Sharing Center, and then click Change adapter settings.

32. Right-click Adatum VPN, and then click Properties.

33. Click the Security tab.

34. In the Type of VPN list, select IKEv2, and then select Use Extensible Authentication Protocol (EAP).

35. Click OK twice.

36. In Network Connections window, double click Adatum VPN icon, and then click Disconnect.

37. In Network Connections window, double click Adatum VPN icon, and then on the right side of the screen, under the Networks section, select Adatum VPN, and then click Connect.

38. If the Network sign-in dialog box appears, in the User name box, type Adatum\Danielle, in the Password box, type Pa$$w0rd, and then click OK.

39. Verify that the connection is now established by using IKEv2 protocol.

40. In the Network Connections window, right-click Adatum VPN, and then click Properties.

41. Click the Security tab.

42. In the Type of VPN list, select Secure Socket Tunneling Protocol (SSTP), and then select Use Extensible Authentication Protocol (EAP).

43. Click OK twice.

44. In Network Connections window, double click Adatum VPN icon, and then click Disconnect.

45. In Network Connections window, double click Adatum VPN icon, and on the right side of the screen, under the Networks section, select Adatum VPN, and then click Connect.

46. If the Network sign-in dialog box appears, in the User name box, type Adatum\Danielle, in the Password box, type Pa$$w0rd, and then click OK.

47. Verify that the connection is now established by using SSTP protocol.

48. Disconnect the Adatum VPN connection.
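The client-side work of this task (trusting AdatumCA, then reconnecting with IKEv2 and with SSTP) can be driven from Windows PowerShell on LON-CL1 instead of the snap-ins. This is an added example, not part of the course lab; it assumes Root.cer is the AdatumCA root exported in the lab, that `$ExpectedThumbprint` is replaced with the thumbprint read from the CA console, and that `rasdial` can drive the lab's EAP connection with Adatum\Danielle's credentials.

```powershell
# Added example (not from the course lab). Run on LON-CL1 in an elevated PowerShell.
param(
    [string]$CertPath = '\\172.16.0.10\C$\Root.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-ADATUMCA-FROM-THE-CA-CONSOLE>',  # placeholder
    [string]$ConnectionName = 'Adatum VPN'
)

# 1. Install the root only if its thumbprint matches what the CA operator published.
#    The file arrives over a share that the client reaches across the Internet, so a
#    blind import would let whatever certificate sits at that path become a trusted root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Refusing to trust $($cert.Subject): thumbprint $($cert.Thumbprint) is not the expected value."
}
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Same check the lab performs in the Certificates snap-in (step 30).
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*AdatumCA*' }
if (-not $trusted) { throw 'AdatumCA is not present in Trusted Root Certification Authorities.' }

# 3. Reconnect with a given tunnel type and confirm it was negotiated (steps 34-47).
function Connect-AdatumVpn {
    param([ValidateSet('Ikev2', 'Sstp')][string]$TunnelType)

    # Drop any existing session before changing the tunnel type (steps 36 and 44).
    rasdial $ConnectionName /DISCONNECT | Out-Null

    # Set-VpnConnection ships with Windows 8 / Server 2012 (VpnClient module).
    Set-VpnConnection -Name $ConnectionName -TunnelType $TunnelType -AuthenticationMethod Eap -Force

    # '*' makes rasdial prompt for the password instead of taking it on the command line,
    # where it would be visible in process listings and shell history.
    rasdial $ConnectionName 'Adatum\Danielle' *
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

    $conn = Get-VpnConnection -Name $ConnectionName
    if ($conn.ConnectionStatus -ne 'Connected' -or $conn.TunnelType -ne $TunnelType) {
        throw "Expected a connected $TunnelType tunnel, got $($conn.ConnectionStatus)/$($conn.TunnelType)."
    }
    "$ConnectionName is connected using $($conn.TunnelType)."
}

Connect-AdatumVpn -TunnelType Ikev2   # step 39
Connect-AdatumVpn -TunnelType Sstp    # step 47
rasdial $ConnectionName /DISCONNECT | Out-Null   # step 48
```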

Task 4: Rejoin the Computer to the Domain by Using DirectAccess Offline Domain Join

Provision computer account data in Active Directory

1. Switch to LON-DC1.

2. Open Server Manager.

3. From the Tools menu, open the Group Policy Management console.

4. In the console tree, under Domains, expand the Adatum.com domain.

5. In the console tree, click Direct Access Client Settings, and then click OK.

6. In the Details pane, click the Details tab.

7. Select the entire Unique ID string, including the brackets, right-click, and then click Copy. Record the Unique ID for the GPO. (Copy the Unique ID to Notepad).

8. Minimize the Group Policy Management console.

9. Open the Windows PowerShell window, type the following command, and then press Enter.

Djoin.exe /provision /domain adatum.com /machine LON-CL1 /savefile client.txt /policynames "DirectAccess Client Settings" /POLICYPATHS "c:\windows\SYSVOL\sysvol\adatum.com\policies\[unique ID of Group Policy Object copied in previous step]\Machine\Registry.pol" /reuse

10. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Copy .\client.txt C:\

Note: You are copying the Client.txt file to C:\, which the VPN client will access via the Internet. This is done so that the client computer can download the file and run it with the Djoin.exe command to perform an offline domain join.

Add the client computer to the DA_Clients group

1. At the Windows PowerShell command prompt, type the following command, and then press Enter.

Add-ADGroupMember -Identity DA_Clients -Members LON-CL1$

Note: No output or confirmation is received. You can use ADAC to confirm that the LON-CL1 computer account was added to the DA_Clients group.

Configure the client using the offline domain join file

1. Switch to LON-CL1.

2. In Network Connections window, double click Adatum VPN icon, and on the right side of the screen, under the Networks section, select Adatum VPN, and then click Connect.

3. Verify that the connection is now established by using SSTP protocol.

4. On the taskbar, click on the File Explorer icon.

5. In This PC window, in the address bar, type \\172.16.0.10\C$\ and then press Enter.

6. If the Windows Security dialog box appears, click on Use another account, for username type Adatum\Administrator, for password type Pa$$w0rd and then press Enter.

7. In the c$ window, right-click client.txt file, and then click Copy.

8. In the c$ window, in the navigation pane, right-click Local Disk (C:), click New, click Folder, type Client File, and then press Enter.

9. In the c$ window, in the navigation pane, right-click Client File folder, and then click Paste.

10. Right-click the Start button, click Command Prompt (Admin), in the User Account Control dialog box click Yes, and then in the Administrator: Command Prompt window, type the following commands, pressing Enter after each command.

copy "c:\Client File\client.txt" c:\windows

cd ..

Djoin.exe /requestodj /loadfile client.txt /windowspath C:\Windows /localos

Note: You run djoin.exe from the c:\windows folder because the client.txt file that contains the AD DS blob is located in the c:\windows folder.

11. At the command prompt, type the following command, and then press Enter to restart LON-CL1.

Shutdown /t 0 /r /f
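Task 4 as a whole (provisioning on LON-DC1, then the join on LON-CL1) can be scripted so that the GPO's Unique ID is read from Group Policy instead of being copied into Notepad. This is an added example, not part of the course lab; the function names are mine, it assumes the GroupPolicy and ActiveDirectory modules are available on LON-DC1, and it uses only the djoin.exe switches the lab itself uses.

```powershell
# Added example (not from the course lab). Invoke-DAProvision runs on LON-DC1,
# Invoke-DAOfflineJoin runs on LON-CL1 over the established VPN connection.

function Invoke-DAProvision {
    param(
        [string]$Domain   = 'adatum.com',
        [string]$Machine  = 'LON-CL1',
        [string]$GpoName  = 'DirectAccess Client Settings',
        [string]$DaGroup  = 'DA_Clients',
        [string]$BlobPath = 'C:\client.txt'
    )
    Import-Module GroupPolicy, ActiveDirectory

    # Replaces lab steps 5-7: read the GPO's Unique ID rather than copying it by hand.
    $gpo = Get-GPO -Name $GpoName -Domain $Domain
    $policyPath = "C:\Windows\SYSVOL\sysvol\$Domain\policies\{$($gpo.Id)}\Machine\Registry.pol"
    if (-not (Test-Path $policyPath)) { throw "Registry.pol not found at $policyPath" }

    # Same djoin.exe call as lab step 9; /reuse updates the existing computer account.
    & djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobPath `
        /policynames $GpoName /policypaths $policyPath /reuse
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # "Add the client computer to the DA_Clients group", with the ADAC check automated.
    Add-ADGroupMember -Identity $DaGroup -Members "$Machine$"
    $member = Get-ADGroupMember -Identity $DaGroup | Where-Object SamAccountName -eq "$Machine$"
    if (-not $member) { throw "$Machine$ is not a member of $DaGroup" }

    # The blob carries the machine account secret and the DA GPO settings. While it
    # waits on C$ for the client, limit read access to Domain Admins (the account the
    # lab uses to fetch it) instead of inheriting the default ACL of C:\.
    $acl = Get-Acl $BlobPath
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\Domain Admins", 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl $BlobPath $acl
    "Provisioned $Machine; offline join blob written to $BlobPath"
}

function Invoke-DAOfflineJoin {
    param(
        [string]$BlobSource  = '\\172.16.0.10\C$\client.txt',
        [string]$WindowsPath = 'C:\Windows'
    )
    # Lab steps 7-10: fetch the blob over the VPN and run djoin from C:\Windows.
    $local = Join-Path $WindowsPath 'client.txt'
    Copy-Item $BlobSource $local
    Push-Location $WindowsPath
    try {
        & djoin.exe /requestodj /loadfile client.txt /windowspath $WindowsPath /localos
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
        Remove-Item $local -ErrorAction SilentlyContinue   # blob is not needed after the join
    }
    # Lab step 11: the join takes effect at the next boot.
    shutdown /t 0 /r /f
}
```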

Task 5: Verify DirectAccess connectivity

1. When the computer restarts, sign in with the user name Adatum\Administrator and password Pa$$w0rd.

2. On LON-CL1, click the Desktop tile, and then on the taskbar, click the Internet Explorer icon.

3. In the address bar, type http://lon-svr1.adatum.com/, and then press Enter. The default IIS 8.0 web page for LON-SVR1 appears.

4. In the Address bar, type https://nls.adatum.com/, and then press Enter. Notice that you are unable to open the website.

5. Close the Internet Explorer.

6. On the taskbar, click File Explorer, type \\LON-SVR1\Files, and then press Enter. Notice that you can access the Network share.

7. Close all open windows.

Note: After completing the lab, do not revert virtual machines.

Results: After completing this exercise, you will have verified that the clients that cannot connect by using DirectAccess can now connect by using VPN.

Lab D: Implementing Web Application Proxy

Exercise 1: Implementing Web Application Proxy

Task 1: Install the Web Application Proxy Role Service

Install the Web Application Proxy role service

1. Switch to LON-RTR.

2. On the Start screen, click Server Manager.

3. On the Dashboard page, click Add roles and features.

4. In the Add Roles and Features Wizard, click Next three times to get to the server role selection page.

5. On the Select server roles page, expand Remote Access, select Web Application Proxy, and then click Next.

6. On the Select features page, click Next.

7. On the Confirm installation selections page, click Install.

8. On the Installation progress page, verify that the installation is successful, and then click Close.

Task 2: Configure Access to an Internal Website

Obtain a certificate for the ADFS1 farm

1. On the Start screen, type cmd, and press Enter.

2. In the Command Prompt window, type mmc, and then press Enter.

3. In the MMC console, on the File menu, click Add or Remove Snap-In.

4. In Add or Remove Snap-ins, select Certificates, click Add, select Computer account, and then click Next.

5. Verify that Local Computer is selected, click Finish and then click OK to close Add or Remove Snap-ins window.

6. Expand Certificates (local Computer), Personal, and then click Certificates.

7. Right-click Certificates, select All Tasks, and then click Request new Certificate.

8. On the Before You Begin page, click Next.

9. On the Select Certificate Enrollment Policy page, click Next.

10. Select Adatum Web Certificate, and then click More information is required to enroll for this certificate. Click here to configure settings.

11. From Subject Name in Type, select Common Name, in the Value box, type adfs1.adatum.com, and then click Add.

12. In the Alternative name list, select DNS; in the Value box, type adfs1.adatum.com and then click Add.

13. In the Alternative name list, select DNS; in the Value box, type enterpriseregistration.adatum.com, and then click Add.

14. In the Alternative name list, select DNS; in the Value box, type lon-svr1.adatum.com, and then click Add.

15. To close the Certificate Properties dialog box, click OK, and then click Enroll to proceed with Certificate Enrollment.

16. To close the Certificate Enrollment dialog box, click Finish.

Configure bindings for the web site on LON-SVR1

1. Switch to LON-SVR1.

2. In Server Manager, from the Tools menu, click on Internet Information Services (IIS) Manager.

3. In the Internet Information Services (IIS) Manager console, expand LON-SVR1 (ADATUM\Administrator), and then, if the Internet Information Services Manager message box appears, click No to close the message box.

4. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.

5. In the Actions pane, click Bindings, and then click Add.

6. In the Add Site Bindings dialog box, from the Type drop-down list select https, in the Host name box type lon-svr1.adatum.com, in the SSL Certificate drop-down list, select the certificate with the name lon-svr1.adatum.com, click OK, and then click Close.

7. Close the Internet Information Services (IIS) Manager console.

Configure Web Application Proxy

1. Switch to LON-RTR.

2. In Server Manager, from the Tools menu, open Remote Access Management console.

3. In the navigation pane, click Web Application Proxy.

4. In the middle pane, click Run the Web Application Proxy Configuration Wizard.

5. In the Web Application Proxy Configuration Wizard, on the Welcome page, click Next.

6. On the Federation Server page, perform the following steps:

a. In the Federation service name box, enter the FQDN of the federation service, adfs1.adatum.com.

b. In the User name and Password boxes, enter Administrator and Pa$$w0rd and then click Next.

7. On the AD FS Proxy Certificate page, in the list of certificates currently installed on the Web Application Proxy server, select the adfs1.adatum.com certificate that will be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

8. On the Confirmation page, review the settings. Click Configure.

9. On the Results page, verify that the configuration is successful, and then click Close.

10. If you receive an error message, switch to LON-SVR4, and ensure that all services that are configured to start automatically are started. If not, start the services manually. Repeat steps 1 through 8.

Publish internal web site

1. On the Web Application Proxy server, in the Remote Access Management console, in the navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. In the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through and then click Next.

4. On the Publishing Settings page, perform following steps:

a. In the Name box, enter a friendly name for the application, LON-SVR1 Web.

b. In the External URL box, enter the external URL for this application https://lon-svr1.adatum.com.

c. In the External certificate list, select the certificate adfs1.adatum.com.

d. In the Backend server URL box, ensure that https://lon-svr1.adatum.com is listed, and then click Next. Note that this value is automatically entered when you enter the external URL.

5. On the Confirmation page, review the settings, and then click Publish.

6. On the Results page, ensure that the application published successfully, and then click Close.

Configure internal web site authentication

1. Switch to LON-SVR1.

2. In Server Manager, from the Tools menu, click on Internet Information Services (IIS) Manager.

3. In the Internet Information Services (IIS) Manager console, expand LON-SVR1 (ADATUM\Administrator), and then, if the Internet Information Services Manager message box appears, click No to close the message box.

4. In the console tree of Internet Information Services (IIS) Manager, navigate to LON-SVR1/Sites, and then click Default Web site.

5. In the Internet Information Services (IIS) Manager console, in the Default Web Site Home pane, double-click Authentication.

6. In the Internet Information Services (IIS) Manager console, in the Authentication pane, right-click Windows Authentication, and then click Enable.

7. In the Internet Information Services (IIS) Manager console, in the Authentication pane, right-click Anonymous Authentication, and then click Disable.

8. Close the Internet Information Services (IIS) Manager console.
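The same Task 2 configuration (certificate with the three SANs on LON-RTR, the https binding and Windows authentication on LON-SVR1, and the proxy installation and pass-through publishing on LON-RTR) expressed with the PKI, WebAdministration and WebApplicationProxy cmdlets that ship with Windows Server 2012 R2. This is an added example, not the course lab's own steps; "AdatumWebCertificate" is my assumption for the template's internal name (the console shows the display name "Adatum Web Certificate"), and it assumes LON-SVR1 already holds a certificate whose subject is lon-svr1.adatum.com, as the lab does.

```powershell
# Added example (not from the course lab). Each section is meant to be run on the
# server named in its comment.

# ---- LON-RTR: certificate for the AD FS proxy with the SANs from steps 11-14 ----
$san = 'adfs1.adatum.com', 'enterpriseregistration.adatum.com', 'lon-svr1.adatum.com'
$req = Get-Certificate -Template 'AdatumWebCertificate' `   # assumed template name
                       -SubjectName 'CN=adfs1.adatum.com' -DnsName $san `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: $($req.Status)" }
$wapCert = $req.Certificate

# ---- LON-SVR1: https binding and authentication on the Default Web Site ----
Import-Module WebAdministration
$siteCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=lon-svr1.adatum.com' } | Select-Object -First 1
if (-not $siteCert) { throw 'No certificate for lon-svr1.adatum.com in the machine store.' }

New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader 'lon-svr1.adatum.com'
# Attach the certificate to the 0.0.0.0:443 SSL binding through the IIS: drive.
$siteCert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Pass-through preauthentication means the proxy forwards requests unauthenticated,
# so the site itself must require Windows authentication and refuse anonymous access.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true `
    -PSPath 'IIS:\' -Location 'Default Web Site'
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false `
    -PSPath 'IIS:\' -Location 'Default Web Site'

# ---- LON-RTR: install the role service, configure the proxy, publish the site ----
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'AD FS trust credential'
Install-WebApplicationProxy -FederationServiceName 'adfs1.adatum.com' `
    -CertificateThumbprint $wapCert.Thumbprint -FederationServiceTrustCredential $cred

Add-WebApplicationProxyApplication -Name 'LON-SVR1 Web' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://lon-svr1.adatum.com' `
    -ExternalCertificateThumbprint $wapCert.Thumbprint `
    -BackendServerUrl 'https://lon-svr1.adatum.com'

# Equivalent of checking the Results page: the published application must be listed.
$app = Get-WebApplicationProxyApplication -Name 'LON-SVR1 Web'
if (-not $app) { throw 'LON-SVR1 Web was not published.' }
$app | Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```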

Results: After completing this exercise, you will have implemented Web Application Proxy.

Exercise 2: Validating the Web Application Proxy Deployment

Task 1: Disable DirectAccess on the client computer

In this task, the LON-CL1 computer will be removed from the domain. Because DirectAccess works for domain members only, removing the computer from the domain disables DirectAccess on LON-CL1. DirectAccess is disabled so that LON-CL1 connects to the internal website by using Web Application Proxy, and not by using DirectAccess.

1. Switch to LON-CL1.

2. On the Start screen, type control, and then press Enter to open Control Panel.

3. In Control Panel, click System and then under Computer name, domain and workgroup settings, click Change Settings.

4. In System Properties dialog box, click Change.

5. In the Computer Name/Domain Changes dialog box, select Workgroup, type WORKGROUP, click OK, and then in Computer Name/Domain Changes dialog box click OK.

6. If Windows Security dialog box appears, for username type Administrator, for password type Pa$$w0rd, and then click OK.

7. In the Welcome to the WORKGROUP workgroup dialog box, click OK.

8. To restart the computer, click OK.

9. To close System Properties dialog box, click Close.

10. Click Restart Now.

Task 2: Verify access to the internal website from the client computer

1. Switch to LON-CL1.

2. On LON-CL1, sign in with username Admin and password Pa$$w0rd.

3. On the Start screen, click Internet Explorer, type the following address https://lon-svr1.adatum.com and then press Enter.

4. When prompted, in Internet Explorer dialog box type Adatum\Bill for user name and Pa$$w0rd for password, and then click OK to verify that the default IIS 8.0 web page for LON-SVR1 opens.

5. If you are unable to connect to https://lon-svr1.adatum.com, restart LON-CL1, and then perform steps 2 through 4.

6. If you are still not able to connect, perform the following steps:

o On LON-CL1, on the Start screen, type cmd and then press Enter.

o In the command prompt window, type regedit, then press Enter, and in the User Account Control dialog box, click Yes.

o In the Registry Editor window, in the navigation pane, navigate to HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig and notice the three entries starting with DA.

o In the Registry Editor window, in the navigation pane right-click each of the entries starting with DA, click Delete, and in the Confirm Key Delete dialog box, click Yes.

o Close the Registry Editor window.

Note: The registry settings you just deleted were created in the previous labs and might cause problems for Web Application Proxy. This is why you are deleting them.

o Restart LON-CL1, and then perform steps 2 through 4 to verify connectivity to the default IIS 8.0 web page on LON-SVR1.

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1, 20411C-LON-SVR4, 20411C-LON-RTR, 20411C-INET, 20411C-LON-CL3, and 20411C-LON-CL1.

Results: After completing this exercise, you will have verified that external users are able to access the internal application through the Web Application Proxy.

Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role

Lab: Installing and Configuring a Network Policy Server

Exercise 1: Installing and Configuring NPS to Support RADIUS

Task 1: Install and Configure the Network Policy Server

1. Switch to LON-DC1.

2. Sign in as Adatum\Administrator with the password Pa$$w0rd.

3. If necessary, on the taskbar, click Server Manager.

4. In the details pane, click Add roles and features.

5. In the Add Roles and Features Wizard, click Next.

6. On the Select installation type page, click Role-based or feature based installation, and then click Next.

7. On the Select destination server page, click Next.

8. On the Select server roles page, select the Network Policy and Access Services check box.

9. Click Add Features, and then click Next twice.

10. On the Network Policy and Access Services page, click Next.

11. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.

12. On the Confirm installation selections page, click Install.

13. Verify that the installation was successful, and then click Close.

14. Close the Server Manager window.

15. Click Start, and then click Administrative Tools.

16. Double-click Network Policy Server.

17. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.

18. In the Network Policy Server message box, click OK.

19. In the subsequent Network Policy Server dialog box, click OK.

20. Leave the Network Policy Server console window open.

Task 2: Configure NPS Templates

1. In the Network Policy Server console, in the navigation pane, expand Templates Management.

2. In the navigation pane, right-click Shared Secrets, and then click New.

3. In the New RADIUS Shared Secret Template dialog box, in the Template name box, type Adatum Secret.

4. In the Shared secret and Confirm shared secret boxes, type Pa$$w0rd, and then click OK.

5. In the navigation pane, right-click RADIUS Clients, and then click New.

6. In the New RADIUS Client dialog box, in the Friendly name box, type LON-RTR.

7. Click Verify, and in the Verify Address dialog box, in the Address box, type LON-RTR, and then click Resolve.

8. Click OK.

9. In the New RADIUS Client dialog box, under Shared Secret, in the Select an existing Shared Secrets template area, click Adatum Secret, and then click OK.

10. Leave the console open.

Task 3: Configure RADIUS Accounting

1. In Network Policy Server, in the navigation pane, click Accounting.

2. In the details pane, click Configure Accounting.

3. In the Accounting Configuration Wizard, click Next.

4. On the Select Accounting Options page, click Log to a text file on the local computer, and then click Next.

5. On the Configure Local File Logging page, click Next.

6. On the Summary page, click Next.

7. On the Conclusion page, click Close.

8. Leave the console open.

Results: After this exercise, you should have enabled and configured Network Policy Server (NPS) to support Remote Authentication Dial-In User Service (RADIUS) in the required environment.

Exercise 2: Configuring and Testing a RADIUS Client

Task 1: Configure a RADIUS Client

1. In the Network Policy Server console, expand RADIUS Clients and Servers.

2. Right-click RADIUS Clients, and then click New.

3. In the New RADIUS Client dialog box, clear the Enable this RADIUS client check box.

4. Select the Select an existing template check box.

5. Click OK.

6. Leave the Network Policy Server console open.

7. Switch to LON-RTR.

8. Sign in as Adatum\Administrator with the password Pa$$w0rd.

9. Click Start.

10. In Start, click Administrative Tools, and then double-click Routing and Remote Access.

11. If required, at the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.

12. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.

13. In the Routing and Remote Access dialog box, click Yes.

14. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.

15. Click Next, ensure that the Remote access (dial-up or VPN) option is selected, and then click Next.

16. Select the VPN check box, and then click Next.

17. Click the network interface named Ethernet 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.

18. On the Network Select page, ensure that the Ethernet network interface is selected and then click Next.

19. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

20. On the Address Range Assignment page, click New. Next to Start IP address, type 172.16.0.100. Next to End IP address, type 172.16.0.110, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.

21. On the Managing Multiple Remote Access Servers page, click Yes, setup this server to work with a RADIUS server, and then click Next.

22. On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1.

23. In the Shared secret box, type Pa$$w0rd, and then click Next.

24. Click Finish.

25. In the Routing and Remote Access dialog box, click OK.

26. If prompted again, click OK.

Task 2: Configure a Network Policy for RADIUS

1. Switch to the LON-DC1 computer.

2. Switch to Network Policy Server.

3. In Network Policy Server, expand Policies, and then click Network Policies.

4. In the details pane, right-click the policy at the top of the list, and then click Disable.

5. In the details pane, right-click the policy at the bottom of the list, and then click Disable.

6. In the navigation pane, right-click Network Policies, and then click New.

7. In the New Network Policy Wizard, in the Policy name box, type Adatum VPN Policy.

8. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.

9. On the Specify Conditions page, click Add.

10. In the Select condition dialog box, click NAS Port Type, and then click Add.

11. In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK.

12. Click Next, and, on the Specify Access Permission page, click Access granted, and then click Next.

13. On the Configure Authentication Methods page, click Next.

14. On the Configure Constraints page, click Next.

15. On the Configure Settings page, click Next.

16. On the Completing New Network Policy page, click Finish.

Task 3: Test the RADIUS Configuration

1. Switch to LON-CL2.

2. Sign in as Adatum\Administrator with the password of Pa$$w0rd.

3. On the Start screen, type Control, and then in the Apps list, click Control Panel.

4. In Control Panel, click Network and Internet.

5. Click Network and Sharing Center.

6. Click Set up a new connection or network.

7. On the Choose a connection option page, click Connect to a workplace, and then click Next.

8. On the How do you want to connect page, click Use my Internet connection (VPN).

9. Click I’ll set up an Internet connection later.

10. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.

11. In the Destination name box, type Adatum VPN.

12. Select the Allow other people to use this connection check box, and then click Create.

13. In the Network And Sharing Center window, click Change adapter settings.

14. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

15. In the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).

16. Under Authentication, click Allow these protocols, and then click OK.

17. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.

18. In the Networks list on the right, click Adatum VPN, and then click Connect.

19. In Network Authentication, in the User name box, type Adatum\Administrator.

20. In the Password box, type Pa$$w0rd, and then click OK.

21. Wait for the VPN connection to be established. Ensure that your connection is successful.
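The server side of Exercises 1 and 2 (registering the RADIUS client for LON-RTR) can be done with the NPS module on LON-DC1, and the test in Task 3 can be confirmed from the server rather than only from the client's connection status: NPS records every authentication decision in the Security log as event 6272 (access granted) or 6273 (access denied). This is an added example, not part of the course lab; the function name is mine, and the shared secret is read from a prompt instead of being typed into the script.

```powershell
# Added example (not from the course lab). Run on LON-DC1 after the NPS role is installed.
Import-Module NPS

# Task 1 step 17: register the server in AD (adds it to "RAS and IAS Servers").
netsh ras add registeredserver | Out-Null

# Task 2 steps 5-9: RADIUS client for LON-RTR. The address is resolved the same way
# the Verify Address dialog does; the secret never sits in the script or history.
$addr   = (Resolve-DnsName -Name 'LON-RTR' -Type A).IPAddress | Select-Object -First 1
$secret = Read-Host -Prompt 'Shared secret for LON-RTR (must match the RRAS wizard)'
New-NpsRadiusClient -Name 'LON-RTR' -Address $addr -SharedSecret $secret | Out-Null
$client = Get-NpsRadiusClient | Where-Object Name -eq 'LON-RTR'
if (-not $client) { throw 'RADIUS client LON-RTR was not created.' }

# Task 3 verification from the NPS side: list the latest access decisions with the
# user, the RADIUS client that forwarded the request, and the policy that matched.
function Get-NpsAuthResult {
    param([int]$Last = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Last |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Result        = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
                User          = $d['SubjectUserName']
                RadiusClient  = $d['ClientName']
                ClientIP      = $d['ClientIPAddress']
                NasPortType   = $d['NASPortType']
                NetworkPolicy = $d['NetworkPolicyName']
                Reason        = $d['Reason']            # populated on 6273 (denied)
            }
        }
}

# After connecting "Adatum VPN" from LON-CL2, expect a Granted row for Administrator
# from client LON-RTR under policy "Adatum VPN Policy". A Denied row names the
# reason (for example a shared-secret mismatch or no matching network policy).
Get-NpsAuthResult | Format-Table -AutoSize
```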

Task 4: To Prepare for the Next Module

When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-CL2, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-RTR and 20411C-LON-DC1.

Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS client.

Module 8: Implementing Network Access Protection

Lab: Implementing Network Access Protection

Exercise 1: Configuring NAP Components

Task 1: Configure Server and Client Certificate Requirements

1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.

2. In the certsrv management console, expand AdatumCA, right-click Certificate Templates, and then select Manage on the context menu.

3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.

4. Click the Security tab in the Computer Properties dialog box, and then select Authenticated Users.

5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.

6. Close the Certificate Templates Console.

7. In certsrv – [Certification Authority (Local)], right-click AdatumCA, point to All Tasks, and then click Stop Service.

8. Right-click AdatumCA, point to All Tasks, and then click Start Service.

9. Close the certsrv management console.

Task 2: Configure Health Policies

1. Switch to the LON-RTR computer.

2. Sign in as Adatum\Administrator with the password Pa$$w0rd.

3. Right-click Start, click Run, then type mmc.exe, and then press Enter.

4. On the File menu, click Add/Remove Snap-in.

5. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

6. In the Add or Remove Snap-ins dialog box, click OK.

7. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

8. The Certificate Enrollment dialog box opens. Click Next.

9. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.

10. Select the Computer check box, and then click Enroll.

11. Verify the status of certificate installation as Succeeded, and then click Finish.

12. Close the Console1 window.

13. Click No when prompted to save console settings.

14. On LON-RTR, switch to Server Manager.

15. In Server Manager, in the details pane, click Add Roles and Features.

16. Click Next.

17. On the Select installation type page, click Next.

18. On the Select destination server page, click Next.

19. On the Select server roles page, select the Network Policy and Access Services check box.

20. Click Add Features, and then click Next twice.

21. On the Network Policy and Access Services page, click Next.

22. On the Select Role Services page, click Next.

23. Click Install.

24. Verify that the installation was successful, and then click Close.

25. Close the Server Manager window.

26. Click Start, and then click Administrative Tools.

27. In Administrative Tools, double-click Network Policy Server.

28. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

29. In the right pane under Name, double-click Default Configuration.

30. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.

31. In the navigation pane, expand Policies.

32. Right-click Health Policies, and then click New.

33. In the Create New Health Policy dialog box, in the Policy name box, type Compliant.

34. In the Client SHV checks box, verify that Client passes all SHV checks is selected.

35. In the SHVs used in this health policy box, select the Windows Security Health Validator check box.

36. Click OK.

37. Right-click Health Policies, and then click New.

38. In the Create New Health Policy dialog box, in the Policy Name box, type Noncompliant.

39. In the Client SHV checks box, select Client fails one or more SHV checks.

40. In the SHVs used in this health policy area, select the Windows Security Health Validator check box.

41. Click OK.

Task 3: Configure Network Policies

1. In the navigation pane, under Policies, click Network Policies.

Note: Important: Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.

2. Right-click Network Policies, and then click New.

3. On the Specify Network Policy Name and Connection Type page, in the Policy name box, type Compliant-Full-Access, and then click Next.

4. On the Specify Conditions page, click Add.

5. In the Select condition dialog box, double-click Health Policies.

6. In the Health Policies dialog box, in the Health policies box, type Compliant, and then click OK.

7. On the Specify Conditions page, click Next.

8. On the Specify Access Permission page, click Next.

9. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.

10. Click Next again.

11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.

12. On the Completing New Network Policy page, click Finish.

13. Right-click Network Policies, and then click New.

14. On the Specify Network Policy Name And Connection Type page, in the Policy name box, type Noncompliant-Restricted, and then click Next.

15. On the Specify Conditions page, click Add.

16. In the Select condition dialog box, double-click Health Policies.

17. In the Health Policies dialog box, in the Health policies box, type Noncompliant, and then click OK.

18. On the Specify Conditions page, click Next.

19. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

20. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.

21. Click Next again.

22. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.

23. Clear the Enable auto-remediation of client computers check box.

24. In the Configure Settings window, click IP Filters.

25. In the IPv4 section, click Input Filters, and then click New.

26. In the Add IP Filter dialog box, select Destination network.

27. In the IP address box, type 172.16.0.10.

28. In the Subnet mask box, type 255.255.255.255, and then click OK.

29. Click Permit only the packets listed below, and then click OK.

30. Under IPv4, click Output Filters, and then click New.

31. In the Add IP Filter dialog box, select Source network.

32. In the IP address box, type 172.16.0.10.

33. In the Subnet mask box, type 255.255.255.255, and then click OK.

34. Click Permit only the packets listed below, and then click OK.


35. On the Configure Settings page, click Next.

36. On the Completing New Network Policy page, click Finish.

Task 4: Configure Connection Request Policies for VPN

1. Click Connection Request Policies.

2. Disable both the default Connection Request policies that are found under Policy Name by right-clicking each of the policies, and then clicking Disable.

3. Right-click Connection Request Policies, and then click New.

4. On the Specify Connection Request Policy Name and Connection Type page, in the Policy name box, type VPN connections.

5. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.

6. On the Specify Conditions page, click Add.

7. In the Select Condition dialog box, double-click Tunnel Type, and then select PPTP, SSTP, and L2TP. Click OK, and then click Next.

8. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.

9. On the Specify Authentication Methods page, select the Override network policy authentication settings check box.

10. In the EAP Types area, click Add.

11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.

12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.

13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.

14. Verify that Enforce Network Access Protection is selected, and then click OK.

15. Click Next twice, and then click Finish.

Results: After this exercise, you should have installed and configured the required Network Access Protection (NAP) components, created the health and network policies, and created the connection request policies.


Exercise 2: Configuring Virtual Private Network Access

Task 1: Configure a VPN Server

1. On LON-RTR, click Start.

2. Click Administrative Tools, and then double-click Routing and Remote Access. If prompted, at the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.

3. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.

4. In the Disable Routing and Remote Access dialog box, click Yes.

5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.

6. Click Next, ensure that the Remote access (dial-up or VPN) option is selected, and then click Next.

7. Select the VPN check box, and then click Next.

8. Click the network interface named Internet. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.

Note: The static packet filters admit only VPN traffic on the selected interface. They are cleared here for the lab; on a production Internet-facing interface, leave them enabled.

9. On the Network Selection page, click Next.

10. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

11. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address, and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.

12. On the Managing Multiple Remote Access Servers page, verify that No, use Routing and Remote Access to authenticate connection requests is selected, and then click Next.

13. Click Finish.

14. Click OK twice, and then wait for the Routing and Remote Access Service to start.

15. Switch to Network Policy Server.

16. In the Network Policy Server, click Connection Request Policies, and, in the results pane, verify that the Microsoft Routing and Remote Access Service Policy is Disabled.

Note: Click Action, and then click Refresh. If the Microsoft Routing and Remote Access Service Policy is Enabled, right-click it, and then click Disable.

17. Close the Network Policy Server management console.

18. Close the Routing and Remote Access console.

Task 2: Allow PING for Testing Purposes

1. On LON-RTR, click Start.

2. Click Administrative Tools, and then double-click Windows Firewall with Advanced Security.

3. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.

4. Select Custom, and then click Next.

5. Verify that All programs is selected, and then click Next.


6. Next to Protocol type, select ICMPv4, and then click Customize.

7. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

8. Click Next to accept the default scope.

9. In the Action window, verify that Allow the connection is selected, and then click Next.

10. Click Next to accept the default profiles.

11. In the Name window, in the Name box, type ICMPv4 echo request, and then click Finish.

12. Close the Windows Firewall with Advanced Security console.

Results: After this exercise, you should have created a virtual private network (VPN) server and configured inbound communications.
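The same inbound rule from Windows PowerShell, as an added example that is not part of the handbook. It uses the NetSecurity module that ships with Windows Server 2012. The wizard leaves the rule's scope at Any; the example limits it to the lab's internal prefix (172.16.0.0/16 is an assumption based on the 172.16.0.x addresses this lab uses), which is the scope a practitioner would want on a server with an Internet-facing interface, and then reads the rule back to confirm what was written:

```powershell
# Added example (not from the handbook): the inbound ICMPv4 Echo Request rule of
# Task 2, created with the NetSecurity module on Windows Server 2012.
# The lab prefix below is an assumption taken from the addresses used in this lab.
$ruleName  = 'ICMPv4 echo request'
$labPrefix = '172.16.0.0/16'

# Idempotent: drop any earlier copy so re-running does not create duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# ICMP type 8 = Echo Request. Only that type is allowed, not all of ICMPv4.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -RemoteAddress $labPrefix `
    -Profile Any `
    -Action Allow | Out-Null

# Verify what was actually written, not just that the cmdlet returned.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    Protocol      = $port.Protocol
    IcmpType      = $port.IcmpType
    RemoteAddress = $addr.RemoteAddress
}
```

If the VPN clients must also be able to ping the server, the 172.16.0.100 to 172.16.0.110 range assigned in Task 1 already falls inside the prefix above; widen RemoteAddress only if a test client sits elsewhere.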


Exercise 3: Configuring the Client Settings to Support NAP

Task 1: Enable a Client NAP Enforcement Method

1. Switch to the LON-CL2 computer.

2. Right-click Start, and then click Command Prompt.

3. At the command prompt, type MMC, and then press Enter.

4. In the MMC labeled Console1, click File, and then click Add/Remove Snap-in.

5. In the Add or Remove Snap-ins window, click NAP Client Configuration, click Add, and then click OK.

6. In the Add or Remove Snap-ins window, click OK.

7. In Console1, in the navigation pane, click Enforcement Clients.

8. In the results pane, right-click EAP Quarantine Enforcement Client, and then click Enable.

9. Close Console1.

10. Switch to the Command Prompt window, type Services.msc, and then press Enter.

11. In Services, in the results pane, double-click Network Access Protection Agent.

12. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.

13. Click Start, and then click OK.

14. Press the Windows key+R to display the Run window.

15. In the Run window, type gpedit.msc, and then press Enter.

16. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.

17. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

18. Close the console window.

19. Close the Services console, and then close the Administrative Tools and System and Security windows.
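The client-side NAP setup of Task 1 from an elevated PowerShell prompt, as an added example that is not part of the handbook. It assumes LON-CL2 is Windows 8 with PowerShell 3.0, and that 79623 is the enforcement client ID that netsh lists for the EAP Quarantine Enforcement Client; the Security Center policy of steps 14 to 17 is still set in gpedit.msc. The last function reads back the System Quarantine State that the VPN task asks you to find in ipconfig /all:

```powershell
# Added example (not from the handbook): Task 1 on LON-CL2 from an elevated
# PowerShell 3.0 prompt. 79623 = EAP Quarantine Enforcement Client ID as listed
# by "netsh nap client show config" (assumption to confirm on the client).

# Step 8: enable the EAP enforcement client.
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

# Steps 10 to 13: NAP Agent automatic and running.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verify the enforcement client and the service state (Win32_Service is used
# because Get-Service on PowerShell 3.0 does not expose the start mode).
netsh nap client show config | Select-String -Pattern 'EAP Quarantine' -Context 0,3
Get-WmiObject -Class Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode

# After Task 2 connects the VPN: the quarantine result that steps 22 and 35
# ask you to read from ipconfig /all.
function Get-NapQuarantineState {
    $hit = @(ipconfig /all | Select-String -Pattern 'System Quarantine State')
    if ($hit.Count -gt 0) {
        ($hit[0].Line -split ':', 2)[1].Trim()
    } else {
        'not reported (no NAP-enabled connection is active)'
    }
}
Get-NapQuarantineState   # "Not Restricted" when compliant, "Restricted" after step 31 of Task 2
```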

Task 2: Establish a VPN Connection

1. On LON-CL2, right-click the Start menu, click Control Panel, and then click Network and Internet.

2. Click Network and Sharing Center.

3. Click Set up a new connection or network.

4. On the Choose a connection option page, click Connect to a workplace, and then click Next.

5. On the How do you want to connect page, click Use my Internet connection (VPN).

6. Click I’ll set up an Internet connection later.

7. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.

8. In the Destination name box, type Adatum VPN.

9. Select the Allow other people to use this connection check box, and then click Create.

10. In the Network And Sharing Center window, click Change adapter settings.

11. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

12. Under Authentication, click Use Extensible Authentication Protocol (EAP).


13. In the Use Extensible Authentication Protocol (EAP) list, select Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.

14. Clear the Verify the server's identity by validating the certificate check box.

Note: Clearing this check box is acceptable only in the lab. In production, leave server certificate validation enabled so that the client rejects a VPN server or NPS that presents a certificate it does not trust.

15. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.

16. Click OK twice to accept the settings.

17. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.

18. In the Networks list on the right, click Adatum VPN, and then click Connect.

19. In Network Authentication, in the User name box, type Adatum\Administrator.

20. In the Password box, type Pa$$w0rd, and then click OK.

21. Right-click Start, click Run, then type cmd.exe, and then press Enter.

22. At the command prompt, type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Not Restricted.

23. At the command prompt, type ping 172.16.0.10, and then press Enter. This should be successful. The client now meets the requirement for VPN full connectivity.

24. Switch to Network Connections.

25. Right-click Adatum VPN, and then click Connect/Disconnect.

26. In the Networks list on the right, click Adatum VPN, and then click Disconnect.

27. Switch to LON-RTR.

28. In Administrative Tools, double-click Network Policy Server.

29. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

30. In the right pane, under Name, double-click Default Configuration.

31. On the Windows 8/Windows 7/Windows Vista tab, select the Restrict access for clients that do not have all available security updates installed check box, and then click OK.

32. Switch to LON-CL2.

33. In the Networks list on the right, click Adatum VPN, and then click Connect.

34. Switch to the command prompt.

35. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Restricted.

36. Switch to Network Connections.

37. Right-click Adatum VPN, and then click Connect/Disconnect.

38. In the Networks list on the right, select Adatum VPN, and then click Disconnect.

Task 3: To Prepare for the Next Module

When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft® Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-CL2, and then click Revert.


3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-RTR and 20411C-LON-DC1.

Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have enabled and tested NAP on LON-CL2.


Module 9: Optimizing File Services

Lab A: Configuring Quotas and File Screening Using File Server Resource Manager

Exercise 1: Configuring File Server Resource Manager Quotas

Task 1: Create a Quota Template

1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, click the Server Manager shortcut.

3. In Server Manager, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, click Next.

5. Confirm that role-based or feature-based installation is selected, and then click Next.

6. Confirm that LON-SVR1.Adatum.com is selected, and then click Next.

7. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select the File Server Resource Manager check box.

8. In the pop-up window that displays, click Add Features.

9. Click Next twice to confirm the role service and feature selection.

10. On the Confirm installation selections page, click Install.

11. When the installation completes, click Close.

12. In Server Manager, click Tools, and then click File Server Resource Manager.

13. In the File Server Resource Manager console, expand Quota Management, and then click Quota Templates.

14. Right-click Quota Templates, and then click Create Quota Template.

15. In the Create Quota Template dialog box, in the Template name field, type 100 MB Limit Log to Event Viewer.

16. Under Notification thresholds, click Add.

17. In the Add Threshold dialog box, click the Event log tab.

18. On the Event log tab, select the Send warning to event log check box, and then click OK.

19. In the Create Quota Template dialog box, click Add.

20. In the Add Threshold dialog box, in the Generate notification when the usage reaches (%) field, type 100.

21. Click the Event Log tab, select the Send warning to event log check box, and then click OK twice.

Task 2: Configure a Quota Based on the Quota Template

1. In the File Server Resource Manager console, click Quotas.

2. Right-click Quotas, and then click Create Quota.

3. On the Create Quota dialog box, in the Quota path field, type E:\Labfiles\Mod09\Users.


4. Click Auto apply template and create quotas on existing and new subfolders.

5. In the Derive properties from this quota template (recommended) list, click 100 MB Limit Log to Event Viewer, and then click Create.

6. In the details pane, verify that the E:\Labfiles\Mod09\Users path has been configured with its own quota entry. You may have to refresh the Quotas folder to view the changes.

7. From the taskbar, open File Explorer.

8. In the File Explorer window, expand drive E, expand Labfiles, expand Mod09, and then click Users.

9. In the Users folder, create a new folder named Max.

10. In File Server Resource Manager, on the Action menu, click Refresh.

11. In the details pane, notice that the newly created folder now displays in the list.

Task 3: Test That the Quota is Functional

1. On LON-SVR1, on the taskbar, click the Windows PowerShell shortcut.

2. In the Windows® PowerShell® window, type the following commands. Press Enter after each of the three commands:

E:

cd \Labfiles\Mod09\Users\Max

fsutil file createnew file1.txt 89400000

This creates an 89,400,000-byte file (just over 85 MB), which crosses the first notification threshold of the 100 MB quota and generates a warning in Event Viewer.

3. On the taskbar, click the Server Manager shortcut.

4. In Server Manager, click Tools, and then click Event Viewer.

5. In the Event Viewer console, expand Windows Logs, and then click Application.

6. In the details pane, note Event ID 12325, and the warning that 85% of the quota has been exceeded.

7. In the Windows PowerShell window, type the following command, and then press Enter:

fsutil file createnew file2.txt 16400000

Notice that the file cannot be created. The message returned from Windows references disk space, but the file creation fails because it would exceed the quota limit.

8. In the Windows PowerShell window, type exit, and then press Enter.

9. Return to Event Viewer and note that there is a second event 12325, indicating that 100% of the quota has been exceeded. (You may have to refresh the view.)

10. Close all open windows on LON-SVR1.

Results: After completing this exercise, you should have configured a File Server Resource Manager (FSRM) quota.
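The whole of Exercise 1 with the FileServerResourceManager module, as an added example that is not part of the handbook. It runs on LON-SVR1 after FSRM is installed and uses the lab's template name, path and file sizes; the notification body text is an assumption. It ends by reading back the derived quota on the Max folder and the two 12325 events, which is the check that confirms the hard limit actually applied rather than only that the cmdlets returned:

```powershell
# Added example (not from the handbook): Exercise 1, Tasks 1 to 3 with the
# FileServerResourceManager module on Windows Server 2012. Names are the lab's;
# the event body text is an assumption.
Import-Module FileServerResourceManager

$templateName = '100 MB Limit Log to Event Viewer'
$quotaPath    = 'E:\Labfiles\Mod09\Users'

# Task 1: one event-log warning action, attached at the default 85% threshold
# and at 100%. [Quota Threshold] and the like are FSRM variables expanded at run time.
$logWarning = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path]'

$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $logWarning),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $logWarning)
)
if (-not (Get-FsrmQuotaTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    # -Size without -SoftLimit gives a hard quota: writes past 100 MB are refused.
    New-FsrmQuotaTemplate -Name $templateName -Size 100MB -Threshold $thresholds | Out-Null
}

# Task 2: auto-apply quota, so every existing and future subfolder of Users gets
# its own 100 MB limit derived from the template.
New-FsrmAutoQuota -Path $quotaPath -Template $templateName | Out-Null

# Task 3: a new user folder, a file that crosses 85% (85% of 104,857,600 bytes is
# 89,128,960), then a second file that would take usage past 100 MB and is refused
# with a "not enough space on the disk" message.
$max = Join-Path $quotaPath 'Max'
New-Item -ItemType Directory -Path $max -Force | Out-Null
fsutil file createnew (Join-Path $max 'file1.txt') 89400000
fsutil file createnew (Join-Path $max 'file2.txt') 16400000

# Verify: the derived quota on Max (Size and Usage in bytes) and the two warnings.
Get-FsrmQuota -Path $max | Select-Object Path, Size, Usage, SoftLimit
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12325 } -MaxEvents 2 |
    Select-Object TimeCreated, Message
```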


Exercise 2: Configuring File Screening and Storage Reports

Task 1: Create a file screen

1. On LON-SVR1, open Server Manager, and then from the Tools menu click File Server Resource Manager.

2. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Screens.

3. Right-click File Screens, and then click Create File Screen.

4. In the Create File Screen window, in the File screen path text box, type E:\Labfiles\Mod09\Users.

5. In the Create File Screen window, click the Derive properties from this file screen template (recommended) drop-down list, and then click Block Audio and Video Files.

6. Click Create.

Task 2: Create a File Group

1. On LON-SVR1, right-click File Server Resource Manager (Local), and then click Configure Options.

2. In the File Server Resource Manager Options dialog box, click the File Screen Audit tab.

3. On the File Screen Audit tab, select the Record file screening activity in auditing database check box, and then click OK.

Note: This step is to allow recording of file screening events. These recordings will supply data for a File Screen Audit report, which you will run later in this exercise.

4. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Groups.

5. Right-click File Groups, and then click Create File Group.

6. In the Create File Group Properties window, in the File group name box, type MPx Media Files.

7. In the Files to include box, type *.mp*, and then click Add.

8. In the Files to exclude box, type *.mpp, click Add, and then click OK.

9. In the File Server Resource Manager console tree, expand File Screening Management, and then click File Screen Templates.

10. Right-click the Block Audio and Video Files template, and then click Edit Template Properties.

11. On the Settings tab, under File groups, clear the check box next to Audio and Video Files.

12. Select the check box next to MPx Media Files.

13. Click OK. Click Yes at the message prompt.

14. Click OK at the message.

Task 3: Test the File Screen

1. On the taskbar, click the File Explorer shortcut.

2. In the File Explorer window, in the left pane, click Allfiles (E:).

3. In the right pane, right-click and point to New, and then click Text Document.

4. Rename New Text Document.txt to musicfile.mp3. Click Yes to change the file name extension.


5. Right-click musicfile.mp3, and then click Copy.

6. In the left pane, expand Allfiles (E:), expand Labfiles, expand Mod09, right-click Users, and then click Paste. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod09\Users.

7. Click Cancel.

Task 4: Generate an On-Demand Storage Report

1. In the File Server Resource Manager console, click Storage Reports Management.

2. Right-click Storage Reports Management, and then click Generate Reports Now.

3. Under Select reports to generate, select the File Screening Audit check box.

4. Click the Scope tab and then click Add.

5. In the Browse for Folder dialog box, browse to E:\Labfiles\Mod09\Users, and then click OK.

6. Click OK to close the Storage Reports Task Properties.

7. In the Generate Storage Reports dialog box, verify that Wait for reports to be generated and then display them is selected, and then click OK.

8. Double-click the FileScreenAudit HTML document, and then review the generated HTML reports.

9. Close all open windows on LON-SVR1.

Task 5: To Prepare for the Next Lab

When you finish the lab, do not shut down the virtual machines. You will need them for the next lab.

Results: After completing this exercise, you will have configured file screening and storage reports in FSRM.
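Exercise 2 with the FileServerResourceManager module, as an added example that is not part of the handbook. The cmdlet names are the module's own; the FileScreenAuditEnable setting and the FileScreenAuditFiles report type are assumptions for the two GUI options and should be confirmed against the cmdlet help on LON-SVR1. The test writes a text file named musicfile.mp3 directly into the screened folder, which shows the point Task 3 makes only implicitly: FSRM screens on the file name, not on content:

```powershell
# Added example (not from the handbook): Exercise 2, Tasks 1 to 4 with the
# FileServerResourceManager module on LON-SVR1. FileScreenAuditEnable and
# FileScreenAuditFiles are assumed names for the GUI options; confirm with Get-Help.
Import-Module FileServerResourceManager

$screenPath   = 'E:\Labfiles\Mod09\Users'
$groupName    = 'MPx Media Files'
$templateName = 'Block Audio and Video Files'

# Task 2: file group *.mp* minus Microsoft Project files, and audit recording on
# so that the File Screening Audit report has data.
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern '*.mp*' -ExcludePattern '*.mpp' | Out-Null
}
Set-FsrmSetting -FileScreenAuditEnable $true

# Point the built-in template at the new group; -UpdateDerived pushes the change
# to screens already created from it (the "Yes" at step 13).
Set-FsrmFileScreenTemplate -Name $templateName -IncludeGroup $groupName -UpdateDerived

# Task 1: active (blocking) screen on the Users folder, derived from the template.
if (-not (Get-FsrmFileScreen -Path $screenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $screenPath -Template $templateName -Active | Out-Null
}

# Task 3: screening is by name, not content, so a text file called .mp3 is refused.
$probe = Join-Path $screenPath 'musicfile.mp3'
try {
    [IO.File]::WriteAllText($probe, 'not audio at all')
    Write-Warning "UNEXPECTED: $probe was written; the screen is not active."
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}

# Task 4: on-demand File Screening Audit report for the same scope.
New-FsrmStorageReport -Name 'Users screening audit' -Namespace $screenPath `
    -ReportType FileScreenAuditFiles -Interactive | Out-Null

Get-FsrmFileScreen -Path $screenPath | Select-Object Path, Active, IncludeGroup
```

Because the screen matches on extension only, it stops casual misuse and accidental uploads, not a user who renames a media file; treat it as a storage-hygiene control rather than a security boundary.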


Lab B: Implementing Distributed File System

Exercise 1: Installing the DFS Role Service

Task 1: Install the DFS Role Service on LON-SVR1

1. Switch to LON-SVR1.

2. On the taskbar, click Server Manager.

3. In Server Manager, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, click Next.

5. On the Select installation type page, click Next.

6. On the Select destination server page, click Next.

7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box.

8. In the Add Roles and Features pop-up window, click Add Features.

9. Select the DFS Replication check box, and then click Next.

10. On the Select features page, click Next.

11. On the Confirm installation selections page, click Install.

12. When the installation completes, click Close.

13. Close Server Manager.

Task 2: Install the DFS Role Service on LON-SVR4

1. Switch to LON-SVR4.

2. In Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box.

7. In the Add Roles and Features pop-up window, click Add Features.

8. Select the DFS Replication check box, and then click Next.

9. On the Select features page, click Next.

10. On the Confirm installation selections page, click Install.

11. When the installation completes, click Close.

12. Close Server Manager.

Results: After completing this exercise, you will have installed the Distributed File System (DFS) role services on LON-SVR1 and LON-SVR4.


Exercise 2: Configuring a DFS Namespace

Task 1: Create the BranchDocs Namespace

1. Switch to LON-SVR1, and then open Server Manager.

2. In Server Manager, click Tools, and then click DFS Management.

3. In the navigation pane, click Namespaces.

4. Right-click Namespaces, and then click New Namespace.

5. In the New Namespace Wizard, on the Namespace Server page, under Server, type LON-SVR1, and then click Next.

6. On the Namespace Name and Settings page, under Name, type BranchDocs, and then click Next.

7. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Adatum.com\BranchDocs.

8. Ensure that the Enable Windows Server 2008 mode check box is selected, and then click Next.

9. On the Review Settings and Create Namespace page, click Create.

10. On the Confirmation page, ensure that the Create namespace task is successful, and then click Close.

11. In the navigation pane, expand Namespaces, click \\Adatum.com\BranchDocs.

12. In the details pane, click the Namespace Servers tab, and ensure that there is one entry that is enabled for \\LON-SVR1\BranchDocs.

Task 2: Enable Access-Based Enumeration for the BranchDocs Namespace

1. In the navigation pane, under Namespaces, right-click \\Adatum.com\BranchDocs, and then click Properties.

2. In the \\Adatum.com\BranchDocs Properties dialog box, click the Advanced tab.

3. On the Advanced tab, select the Enable access-based enumeration for this namespace check box, and then click OK.

Task 3: Add the ResearchTemplates Folder to the BranchDocs Namespace

1. In DFS Management, right-click Adatum.com\BranchDocs, and then click New Folder.

2. In the New Folder dialog box, under Name, type ResearchTemplates.

3. In the New Folder dialog box, click Add.

4. In the Add Folder Target dialog box, type \\LON-SVR4\ResearchTemplates, and then click OK.

5. In the Warning dialog box, click Yes to create the shared folder.

6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\ResearchTemplates.

7. Click All users have read and write permissions, and then click OK.

8. In the Warning dialog box, click Yes to create the folder.

9. Click OK again to close the New Folder dialog box.

Task 4: Add the DataFiles Folder to the BranchDocs Namespace

1. In DFS Management, right-click Adatum.com\BranchDocs, and then click New Folder.

2. In the New Folder dialog box, under Name, type DataFiles, and then click Add.


3. In the Add Folder Target dialog box, type \\LON-SVR1\DataFiles, and then click OK.

4. In the Warning dialog box, click Yes.

5. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\DataFiles.

6. Click All users have read and write permissions, and then click OK. The permissions will be configured later.

7. In the Warning dialog box, click Yes.

8. Click OK again to close the New Folder dialog box.

Task 5: Verify the BranchDocs Namespace

1. On LON-SVR1, open File Explorer, in the address bar type \\Adatum.com\BranchDocs\, and then press Enter.

2. In the BranchDocs window, verify that both ResearchTemplates and DataFiles display.

3. Close the BranchDocs window.

Results: After completing this exercise, you will have configured a DFS namespace.
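Exercise 2 with the DFSN and SmbShare modules, as an added example that is not part of the handbook. It runs on LON-SVR1 as Adatum\Administrator after Exercise 1. The root's local path (C:\DFSRoots\BranchDocs, the wizard's default) is an assumption, and there is one deliberate departure from the wizard's All users have read and write permissions: the shares grant Change to Authenticated Users rather than Everyone, which is the narrowest share permission that still leaves the later NTFS permission work unaffected:

```powershell
# Added example (not from the handbook): Exercise 2 with the DFSN and SmbShare
# modules on Windows Server 2012, run on LON-SVR1 as Adatum\Administrator.
# C:\DFSRoots\BranchDocs is an assumption (the wizard's default root path).
Import-Module DFSN, SmbShare

$nsPath = '\\Adatum.com\BranchDocs'

function New-LabShare {
    param([string]$Server, [string]$Name, [string]$LocalPath)
    # Creates the folder and the SMB share on the named server, returns its UNC path.
    # Authenticated Users/Change replaces the wizard's Everyone read+write.
    Invoke-Command -ComputerName $Server -ArgumentList $Name, $LocalPath -ScriptBlock {
        param($Name, $LocalPath)
        New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null
        if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name $Name -Path $LocalPath -ChangeAccess 'Authenticated Users' | Out-Null
        }
    }
    return "\\$Server\$Name"
}

# Tasks 1 and 2: domain-based root in Windows Server 2008 mode (DomainV2) with
# access-based enumeration switched on at creation.
$root = New-LabShare -Server 'LON-SVR1' -Name 'BranchDocs' -LocalPath 'C:\DFSRoots\BranchDocs'
New-DfsnRoot -Path $nsPath -TargetPath $root -Type DomainV2 `
    -EnableAccessBasedEnumeration $true | Out-Null

# Tasks 3 and 4: the two folders and the shares behind them.
$rt = New-LabShare -Server 'LON-SVR4' -Name 'ResearchTemplates' -LocalPath 'C:\BranchDocs\ResearchTemplates'
New-DfsnFolder -Path "$nsPath\ResearchTemplates" -TargetPath $rt | Out-Null

$df = New-LabShare -Server 'LON-SVR1' -Name 'DataFiles' -LocalPath 'C:\BranchDocs\DataFiles'
New-DfsnFolder -Path "$nsPath\DataFiles" -TargetPath $df | Out-Null

# Task 5: verify the root and its flags (ABE appears here), the folders and
# their targets, then browse the namespace the way a client would.
Get-DfsnRoot -Path $nsPath | Select-Object Path, Type, State, Flags
Get-DfsnFolder -Path "$nsPath\*" | Select-Object Path, State
Get-DfsnFolderTarget -Path "$nsPath\DataFiles" | Select-Object TargetPath, State
Get-ChildItem -Path $nsPath | Select-Object Name
```

Access-based enumeration hides folders a user cannot read; it is only as good as the NTFS permissions on the targets, which is why the lab defers those to a later step.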


Exercise 3: Configuring DFS Replication

Task 1: Create Another Folder Target for DataFiles

1. In DFS Management, expand Adatum.com\BranchDocs, and then click DataFiles.

2. In the details pane, notice that there is currently only one folder target.

3. Right-click DataFiles, and then click Add Folder Target.

4. In the New Folder Target dialog box, under Path to folder target, type \\LON-SVR4\DataFiles, and then click OK.

5. In the Warning dialog box, click Yes to create the shared folder on LON-SVR4.

6. In the Create Share dialog box, under Local path of shared folder, type C:\BranchDocs\DataFiles.

7. In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions, and then click OK.

8. In the Warning dialog box, click Yes to create the folder on LON-SVR4.

9. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

Task 2: Configure Replication for the Namespace

1. In DFS Management, in the Replicate Folder Wizard, on both the Replication Group and Replicated Folder Name page, accept the default settings, and then click Next.

2. On the Replication Eligibility page, click Next.

3. On the Primary Member page, select LON-SVR1, and then click Next.

4. On the Topology Selection page, select No topology, and then click Next.

5. In the Warning dialog box, click OK.

6. On the Review Settings and Create Replication Group page, click Create.

7. On the Confirmation page, click Close.

8. In the Replication Delay dialog box, click OK.

9. In the DFS Management console, expand Replication, and then click Adatum.com\BranchDocs\DataFiles.

10. In the Action pane, click New Topology.

11. In the New Topology Wizard, on the Topology Selection page, click Full mesh, and then click Next.

12. On the Replication Group Schedule and Bandwidth page, click Next.

13. On the Review Settings and Create Topology page, click Create.

14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK.

15. In the details pane, on the Memberships tab, verify that the replicated folder displays on both LON-SVR4 and LON-SVR1.

Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR1 and 20411C-LON-SVR4.

Results: After completing this exercise, you will have configured DFS Replication.


Module 10: Configuring Encryption and Advanced Auditing

Lab: Configuring Encryption and Advanced Auditing

Exercise 1: Encrypting and Recovering Files

Task 1: Update the Recovery Agent Certificate for the Encrypting File System (EFS)

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Default Domain Policy.

3. In the Group Policy Management Console dialog box, click OK to clear the message.

4. Right-click Default Domain Policy, and then click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.

6. Right-click the Administrator certificate, and then click Delete.

7. In the Certificates window, click Yes.

8. Right-click Encrypting File System, and then click Create Data Recovery Agent.

9. Read the information for the new certificate that was created. Notice that this certificate was obtained from AdatumCA.

10. Close the Group Policy Management Editor.

11. Close Group Policy Management.

Task 2: Update Group Policy on the Computers

1. On LON-DC1, on the taskbar, click the Windows® PowerShell® button.

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

gpupdate /force

3. Close the Windows PowerShell command prompt.

4. Switch to LON-CL1.

5. On LON-CL1, at the Start screen, type cmd, and then press Enter.

6. At the command prompt, type the following command, and then press Enter:

gpupdate /force

7. Close the command prompt.

8. Log off LON-CL1.

Task 3: Obtain a Certificate for EFS

1. On LON-CL1, log in as Adatum\Doug with a password of Pa$$w0rd.

2. Click the Desktop tile, right-click the Start button, click Command Prompt, type MMC, and then press Enter.


3. In Console1, click File, and then click Add/Remove Snap-in.

4. In the list of available snap-ins, click Certificates, and then click Add.

5. In the Add Or Remove Snap-ins dialog box, click OK.

6. In the left pane, click Certificates – Current User, right-click Personal, point to All Tasks, and then click Request New Certificate.

7. In the Certificate Enrollment wizard, click Next.

8. On the Select Certificate Enrollment Policy page, click Next to use the Active Directory® Enrollment Policy.

9. On the Request Certificates page, select the Basic EFS check box, and then click Enroll.

10. On the Certificate Installation Results page, click Finish.

11. In the Console1 window, in the left pane, expand Certificates – Current User, expand Personal, and then click Certificates.

12. Read certificate details, and note that it was issued by AdatumCA.

13. Close Console1, and do not save the settings.

Task 4: Encrypt a File

1. On LON-CL1, open File Explorer, type \\LON-DC1\Mod10Share\Marketing in the address field, and then press Enter.

2. Right-click DougFile, and then click Properties.

3. On the General tab, click Advanced.

4. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.

5. In the DougFile Properties dialog box, click OK.

6. In the Encryption Warning dialog box, click Encrypt the file only, and then click OK. Wait a few seconds for the file to be encrypted and the dialog box to automatically close.

7. Look at the color of the file name.

8. Close the File Explorer window.

9. Log off LON-CL1.

Task 5: Use the Recovery Agent to Open the File

1. On LON-DC1, on the taskbar, click the File Explorer button.

2. In File Explorer, browse to E:\Labfiles\Mod10\Mod10Share\Marketing.

3. Double-click DougFile.txt.

4. In Notepad, add some text to the file, click File, and then click Save.

5. Close Notepad, and then close File Explorer.

Results: After completing this exercise, you will have encrypted and recovered files.
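The EFS steps in Tasks 3 to 5 can be checked from PowerShell instead of by the colour of the file name. The following is an added example, not part of the lab: it assumes it runs on LON-CL1 as Adatum\Doug, that the file, share and CA names are the ones used above, and that cipher.exe (shipped with Windows) is on the path. It enrolls nothing itself; it verifies the certificate from Task 3, encrypts the file as Task 4 does, and then lists every certificate that can decrypt it, which is how to see the recovery agent that Task 5 relies on.

```powershell
# Added example (not from the lab): verify the EFS enrollment, encrypt DougFile.txt without
# the File Explorer dialog, and list which certificates can decrypt it.
# Assumptions: run on LON-CL1 as Adatum\Doug; file path and CA name are those used in the lab.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$File   = '\\LON-DC1\Mod10Share\Marketing\DougFile.txt'

# 1. The certificate enrolled in Task 3 must sit in the user's Personal store with its private key.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $efsCert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }

# A self-signed EFS certificate means no enterprise CA was reachable at enrollment time;
# the data recovery agent is then the only way back into the file if the profile is lost.
if ($efsCert.Subject -eq $efsCert.Issuer) {
    Write-Warning 'EFS certificate is self-signed, not issued by AdatumCA'
}
'EFS certificate {0} issued by {1}, valid until {2}' -f $efsCert.Thumbprint, $efsCert.Issuer, $efsCert.NotAfter

# 2. Encrypt the file: the same operation as the "Encrypt contents to secure data" check box.
[System.IO.File]::Encrypt($File)

# 3. Check the Encrypted attribute rather than the green file name in File Explorer.
$attributes = (Get-Item -Path $File).Attributes
if (-not ($attributes -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$File does not carry the Encrypted attribute"
}

# 4. cipher /c lists the user certificates that can decrypt the file and the data recovery
#    agent certificates added by Group Policy; the DRA entry is what lets the administrator
#    on LON-DC1 open the file in Task 5.
cipher.exe /c $File
```

If step 4 shows no recovery agent, the file is recoverable only with Doug's own key; that is the state to look for before trusting a DRA policy in production.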


Exercise 2: Configuring Advanced Auditing

Task 1: Create a GPO for Advanced Auditing

1. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, right-click Adatum.com, click New, and then click Organizational Unit.

3. Type File Servers, and then press Enter.

4. Click the Computers container, right-click LON-SVR1, click Move, click the File Servers organizational unit (OU), and then click OK.

5. In Server Manager, click Tools, and then click Group Policy Management.

6. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, click and then right-click File Servers, and then click Create a GPO in this domain and Link it here.

7. In the New Group Policy Object (GPO) window, type File Audit, and then press Enter.

8. Double-click the Group Policy Objects container, right-click File Audit, and then click Edit.

9. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.

10. Double-click Audit Detailed File Share.

11. In the Properties dialog box, select the Configure the following audit events check box.

12. Select both the Success and Failure check boxes, and then click OK.

13. Double-click Audit Removable Storage.

14. In the Properties dialog box, select the Configure the following audit events check box.

15. Select both Success and Failure check boxes, and then click OK.

16. Close the Group Policy Management Editor and the Group Policy Management console.

17. Restart LON-SVR1.

18. Log in to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.

Task 2: Verify Audit Entries

1. Log in to LON-CL1 as Adatum\Allan with a password of Pa$$w0rd.

2. On the Start screen, type \\LON-SVR1\Mod10, and then press Enter.

3. Double-click the testfile text file to open it in Notepad.

4. Close Notepad.

5. Switch to LON-SVR1.

6. On LON-SVR1, in Server Manager, click Tools, and then click Event Viewer.

7. In Event Viewer, double-click Windows Logs, and then click Security.


8. Double-click one of the log entries with a Source of Microsoft Windows security auditing, and a Task Category of Detailed File Share.

9. Click the Details tab, and note the access that was performed.

Results: After completing this exercise, you will have configured advanced auditing.
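Two things are worth checking after this exercise that the console steps do not show: whether the advanced policy is actually the effective policy on LON-SVR1, and how to read the Detailed File Share entries as a table rather than one event at a time. The following added example (not part of the lab) does both; it assumes an elevated PowerShell session on LON-SVR1 after the restart in Task 1, that Detailed File Share entries are event ID 5145, and that Allan's access from Task 2 is in the Security log. Get-ShareAccess is a name chosen for this example. Detailed File Share needs no SACL on the files (there are none for shares) and writes one event for every file and folder a client touches, so expect it to fill the Security log quickly on a busy file server.

```powershell
# Added example (not from the lab): verify the effective audit policy on LON-SVR1 and
# tabulate the Detailed File Share (event ID 5145) entries from the Security log.
# Assumptions: run elevated on LON-SVR1 after the File Audit GPO has applied;
# Get-ShareAccess is a name chosen for this example.

# 1. Effective policy as the Local Security Authority sees it, which is what matters.
auditpol.exe /get /subcategory:"Detailed File Share"
auditpol.exe /get /subcategory:"Removable Storage"

# 2. Subcategory (advanced) settings override the legacy category settings only while
#    "Audit: Force audit policy subcategory settings ..." is enabled (SCENoApplyLegacyAuditPolicy = 1).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Legacy audit categories may override the advanced audit policy on this server'
}

# 3. One row per audited share access, filtered by SAM account name.
function Get-ShareAccess {
    param(
        [string]$User = '*',      # SAM account name, wildcard allowed
        [int]$MaxEvents = 500     # 5145 is high-volume; keep the read bounded
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Client  = $data.IpAddress
                Share   = $data.ShareName           # e.g. \\*\Mod10
                Target  = $data.RelativeTargetName  # path relative to the share root
                Access  = $data.AccessMask          # hex mask; 0x120089 is FILE_GENERIC_READ
            }
        } |
        Where-Object { $_.User -like "*\$User" }
}

Get-ShareAccess -User 'Allan' | Format-Table -AutoSize
```

The Access column is the raw mask the client asked for, not what it ended up doing; a Success row with a write mask means the share and NTFS permissions allowed it, which is the combination to review.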


Exercise 3: Using Windows BitLocker® Drive Encryption to Secure Data Drives

Task 1: Use Group Policy to Prepare the Server for Implementing BitLocker

1. Log in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Tools, and then click Group Policy Management.

3. In Group Policy Management, double-click Forest: Adatum.com, double-click Domains, double-click Adatum.com, expand Group Policy Objects, and then right-click the Default Domain Policy and click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand BitLocker Drive Encryption, and then click Fixed Data Drives.

5. In the right pane, double-click the Choose how BitLocker-protected fixed drives can be recovered setting.

6. In the Choose how BitLocker-protected fixed drives can be recovered window, click Enabled, ensure that the checkbox next to the Save BitLocker recovery information to AD DS for fixed data drives option is selected, and then click the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Then click OK.

7. Close the Group Policy Management Editor.

8. Switch to LON-SVR1.

9. If necessary, log in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

10. Click the Windows PowerShell button on the taskbar.

11. At the Windows PowerShell command prompt, run the gpupdate /force command.

12. Restart LON-SVR1.

Task 2: Enable BitLocker for a Data Drive

Add the BitLocker Drive Encryption feature:

1. Log in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Manage, and then click Add Roles and Features.

3. In the Before you begin window, click Next.

4. In the Select installation type window, click Next.

5. In the Select destination server window, click Next.

6. In the Select server roles window, click Next.

7. In the Select features window, click BitLocker Drive Encryption. In the Add features that are required for BitLocker Drive Encryption window, click Add Features, and then click Next.

8. In the Confirm installation selections window, click Restart the destination server automatically if required, click Yes on the warning dialog box, and then click Install.

9. After restarting, log in to the LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. The BitLocker Drive Encryption installation progress should show that the installation succeeded within a couple of minutes. Click Close once the installation succeeds.


Turn on BitLocker and then validate that BitLocker is encrypting the data drive.

1. Go to Control Panel and type BitLocker in the Search Control Panel search box.

2. In the search results, click BitLocker Drive Encryption. If you do not see BitLocker Drive Encryption, then restart LON-SVR1 again and go back to Step 1 to search the Control Panel.

3. In the BitLocker Drive Encryption window, click the down arrow icon next to the F: drive, and then click Turn on BitLocker.

4. In the Choose how you want to unlock this drive window, click Use a password to unlock the drive, type the password Pa$$w0rd, click to confirm, and then click Next.

5. In the How do you want to back up your recovery key window, click Save to a file.

6. In the Save BitLocker recovery key as window, navigate to E:\Labfiles\Mod10 and then click Save.

7. In the BitLocker Drive Encryption dialog box, click Yes to save the recovery key to the computer.

8. Click Next after the recovery key is saved to the file.

9. In the Are you ready to encrypt this drive window, click Start encrypting.

10. Click Close when the encryption is complete.

11. Click the PowerShell button on the taskbar.

12. At the PowerShell prompt, run the manage-bde -status command to view the current status. The F: volume should show the protection status as “Protection On”.

Task 3: Move the Data Drive to Another Server

1. Switch to LON-SVR1.

2. On the Virtual Machine Connection window for LON-SVR1, click File, and then click Settings.

3. In the left pane, click Hard Drive under SCSI Controller. Note that the name of the virtual hard disk (VHDX) file includes 20411C-LON-SVR1-Encrypted.

4. In the right pane, click Remove and then click OK. If a Settings dialog box appears, click Continue to remove the virtual hard disk.

5. Switch to LON-DC1.

6. On the Virtual Machine Connection window for LON-DC1, click File, and then click Settings.

7. In the left pane of the Settings window, click SCSI Controller.

8. In the right pane, click Hard Drive and then click Add.

9. In the right pane, click Browse, browse to D:\Program Files\Microsoft Learning\20411\Drives\20411C-LON-SVR1\Virtual Hard Disks\, click the .avhdx file, and then click Open.

10. Click OK. If a Settings dialog box appears, click Continue.

11. Right-click the Start menu and then click Computer Management.

12. In the Computer Management window, click Disk Management.

13. In the list of disks, right-click Disk 2 and then click Online.

Task 4: Recover the Data

Add the BitLocker Drive Encryption feature on LON-DC1:

1. Log in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. In Server Manager, click Manage, and then click Add Roles and Features.


3. In the Before you begin window, click Next.

4. In the Select installation type window, click Next.

5. In the Select destination server window, click Next.

6. In the Select server roles window, click Next.

7. In the Select features window, click BitLocker Drive Encryption. In the Add features that are required for BitLocker Drive Encryption window, click Add Features, and then click Next.

8. In the Confirm installation selections window, click Restart the destination server automatically if required, click Yes on the warning dialog box, and then click Install.

9. After restarting, log in to the LON-DC1 as Adatum\Administrator with the password Pa$$w0rd. The BitLocker Drive Encryption installation progress should show that the installation succeeded within a couple of minutes. Click Close once the installation succeeds.

10. Go to Control Panel, and then type BitLocker in the Search Control Panel search box.

11. In the search results, click BitLocker Drive Encryption. If BitLocker Drive Encryption does not appear in the search results, click the PowerShell icon on the taskbar, run the gpupdate /force command, and then restart LON-DC1. Then, start again from Step 1.

Recover the data on LON-DC1:

1. On LON-DC1, click the File Explorer button on the taskbar. Note that Local Disk (F:) is shown with a lock icon to indicate that the drive is locked with BitLocker.

2. Double-click the Local Disk (F:) drive.

3. In the BitLocker (F:) window, click More options. Note the option for entering a recovery key.

4. Leave the BitLocker window open and switch to Server Manager.

5. In Server Manager, click Tools and then click Active Directory Users and Computers.

6. In Active Directory Users and Computers, click View, and then click Advanced Features.

7. Right-click Adatum.com and then click Find.

8. In the Find Users, Contacts, and Groups window, select Computers from the Find drop-down menu.

9. In the Computer name field, type LON-SVR1 and then click Find Now.

10. In the search results, double-click LON-SVR1 and then click the BitLocker Recovery tab.

11. Bring up the BitLocker window, type the 48-digit recovery password into the recovery key field, and then click Unlock.

12. Go back to File Explorer and note that the F: drive has an unlocked icon. The drive is now unlocked and data can be recovered.

Task 5: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR1 and 20411C-LON-CL1.

Results: After completing this exercise, you will have configured Group Policy for BitLocker, enabled BitLocker on a data drive, moved the data drive to a different server, and then prepared for recovering data from the drive.
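The manage-bde check in Task 2 and the BitLocker Recovery tab lookup in Task 4 have PowerShell equivalents in the BitLocker and ActiveDirectory modules. The following added example (not part of the lab) does the LON-SVR1 half and then the LON-DC1 half; it assumes the Fixed Data Drives GPO from Task 1 has applied, that the BitLocker feature is installed on both servers, that the ActiveDirectory module is present on LON-DC1, and that the volume is F: on LON-SVR1 and appears as a locked volume on LON-DC1 after the VHDX is attached. Note that the recovery key file written to E:\Labfiles\Mod10 in Task 2 step 6 is a plaintext copy of the 48-digit password stored on the same server; the AD DS escrow is the copy a recovery procedure should depend on, and the example verifies it exists before the disk is moved.

```powershell
# Added example (not from the lab): enable BitLocker on the F: data drive of LON-SVR1 from
# PowerShell with the recovery password escrowed to AD DS, then verify the escrow on LON-DC1
# and use it to unlock the moved volume. Assumptions: BitLocker feature installed on both
# servers, ActiveDirectory module on LON-DC1, the Task 1 GPO applied, volume letter F:.

# ---------- Run on LON-SVR1 ----------
$Drive = 'F:'
$pw = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force   # lab password only

# With "Do not enable BitLocker until recovery information is stored to AD DS" in force, the
# recovery password protector must exist and be backed up before encryption can start, so it
# is created and escrowed first; the password protector for day-to-day unlock comes after.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId | Out-Null

Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw -EncryptionMethod Aes256 | Out-Null

# Same information as "manage-bde -status" for the one volume (Task 2 step 12).
$vol = Get-BitLockerVolume -MountPoint $Drive
'{0} protection {1}, {2}, {3}% encrypted, protectors: {4}' -f $Drive, $vol.ProtectionStatus,
    $vol.VolumeStatus, $vol.EncryptionPercentage, ($vol.KeyProtector.KeyProtectorType -join ', ')

# ---------- Run on LON-DC1 ----------
Import-Module ActiveDirectory
# Recovery information is stored as msFVE-RecoveryInformation child objects of the computer
# account; this is what the BitLocker Recovery tab in Task 4 displays.
$computer = Get-ADComputer -Identity 'LON-SVR1'
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'
if (-not $escrowed) { throw 'No BitLocker recovery information for LON-SVR1 in AD DS; do not move the disk yet' }
$escrowed | ForEach-Object { 'Escrowed {0}: protector {{{1}}}' -f $_.whenCreated, ([guid]$_.'msFVE-RecoveryGuid').Guid }

# After the VHDX is attached and brought online (Task 3) the volume shows as Locked. Match its
# recovery-password protector ID to the escrowed object by GUID and unlock with that password.
$locked = Get-BitLockerVolume | Where-Object { $_.LockStatus -eq 'Locked' }
foreach ($v in $locked) {
    $ids = ($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
    $obj = $escrowed | Where-Object { $ids -contains ('{' + ([guid]$_.'msFVE-RecoveryGuid').Guid + '}') }
    if (-not $obj) { Write-Warning "No escrowed password matches the protector on $($v.MountPoint)"; continue }
    Unlock-BitLocker -MountPoint $v.MountPoint -RecoveryPassword $obj.'msFVE-RecoveryPassword' | Out-Null
    '{0} is now {1}' -f $v.MountPoint, (Get-BitLockerVolume -MountPoint $v.MountPoint).LockStatus
}
```

Matching on the protector GUID matters once a volume has had more than one recovery password in its life; picking the newest AD object is not the same thing, because the volume's current protector is the one the unlock must satisfy.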


Module 11: Deploying and Maintaining Server Images

Lab: Using Windows Deployment Services to Deploy Windows Server 2012

Exercise 1: Installing and Configuring Windows Deployment Services

Task 1: Read the Supporting Documentation

• Read the supporting documentation in the exercise scenario to determine the deployment details.

Task 2: Install the Windows Deployment Services Role

1. Switch to the LON-SVR1 computer.

2. In Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard window, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, select the Windows Deployment Services check box.

7. In the Add Roles and Features Wizard window, click Add Features.

8. On the Select server roles page, click Next.

9. On the Select features page, click Next.

10. On the WDS page, review the information presented, and then click Next.

11. On the Select role services page, click Next.

12. On the Confirm installation selections page, click Install.

13. On the Installation Results page, click Close.

Task 3: Configure Windows Deployment Services

1. In Server Manager, click Tools, and then click Windows Deployment Services.

2. In the Windows Deployment Services console, expand Servers.

3. Right-click LON-SVR1.Adatum.com, and then click Configure Server. Click Next.

4. On the Install Options page, click Next.

5. On the Remote Installation Folder Location page, click Next.

6. In the System Volume Warning dialog box, click Yes.

7. On the PXE Server Initial Settings page, click Respond to all client computers (known and unknown), and then click Next.

8. On the Operation Complete page, clear the Add images to the server now check box, and then click Finish.

Results: After completing this exercise, you will have installed and configured Windows® Deployment Services (Windows DS) to deploy the Windows Server® 2012 operating system.


Exercise 2: Creating Operating System Images with Windows Deployment Services

Task 1: Insert the Windows Server 2012 R2 Installation Media in LON-SVR1

1. On the host computer, open Hyper-V® Manager.

2. In Hyper-V Manager, right-click the 20411C-LON-SVR1 virtual machine, and then click Settings.

3. In the Settings window, under IDE Controller 1, click DVD Drive.

4. In the Settings window, under Media, click to select Image file, and then click Browse.

5. In the Open window, double-click Local Disk (D:), double-click Program Files, double-click Microsoft Learning, double-click 20411, double-click Drives, and then double-click WIndows2012R2.iso.

6. Click OK to close the Settings for 20411C-LON-SVR1 window.

Task 2: Add a Boot Image

1. Switch to LON-SVR1.

2. In Windows Deployment Services, in the console tree, expand LON-SVR1.Adatum.com.

3. Right-click Boot Images, and then click Add Boot Image.

4. In the Add Image Wizard, on the Image File page, click Browse.

5. In the Select Windows Image File dialog box, in the navigation pane, expand This PC, double-click DVD Drive (D:), double-click sources, and then double-click boot.wim.

6. On the Image File page, click Next.

7. On the Image Metadata page, click Next.

8. On the Summary page, click Next.

9. On the Task Progress page, click Finish.

Task 3: Add an Install Image

1. In the Windows Deployment Services console, right-click Install Images, and then click Add Image Group.

2. In the Add Image Group dialog box, in the Enter a name for the image group field, type Windows Server 2012 R2, and then click OK.

3. In the Windows Deployment Services console, right-click Windows Server 2012 R2, and then click Add Install Image.

4. In the Add Image Wizard, on the Image File page, click Browse.

5. In the File name text box, type D:\sources\install.wim, and then click Open.

6. On the Image File page, click Next.

7. On the Available Images page, clear all check boxes except Windows Server 2012 R2 SERVERSTANDARDCORE, and then click Next.


8. On the Summary page, click Next.

9. On the Task Progress page, click Finish.

Results: After completing this exercise, you will create an operating system image with Windows Deployment Services.


Exercise 3: Configuring Custom Computer Naming

Task 1: Configure Automatic Naming

1. In Windows Deployment Services, in the console tree, right-click LON-SVR1.Adatum.com, and then click Properties.

2. Click the AD DS tab.

3. In the Format text box, type BRANCH-SVR-%02#.

4. Under Computer Account Location, click The following location, and then click Browse.

5. In the Browse for a Directory Service Folder dialog box, expand Adatum, click Research, and then click OK.

6. In the LON-SVR1 Properties dialog box, click OK.

Task 2: Configure Administrator Approval

1. In Windows Deployment Services, in the console tree, right-click LON-SVR1.Adatum.com, and then click Properties.

2. Click the PXE Response tab.

3. Select the Require administrator approval for unknown computers check box. Change the PXE Response Delay to 3 seconds, and then click OK.

4. On the taskbar, click the Windows PowerShell® shortcut.

5. At the command prompt, type the following command, and then press Enter:

WDSUTIL /Set-Server /AutoAddPolicy /Message:"The Adatum administrator is authorizing this request. Please wait."

6. Close the command prompt window.

Task 3: Configure Active Directory® Domain Services (AD DS) Permissions

1. Switch to the LON-DC1 computer.

2. In Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In Active Directory Users and Computers, expand Adatum.com, right-click Research, and then click Delegate Control.

4. In the Delegation of Control Wizard, click Next.

5. On the Users or Groups page, click Add.

6. In the Select Users, Computers, or Groups dialog box, click Object Types.

7. In the Object Types dialog box, select the Computers check box, and then click OK.

8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select text box, type LON-SVR1, click Check Names, and then click OK.

9. On the Users or Groups page, click Next.

10. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

11. On the Active Directory Object Type page, click Only the following objects in the folder, select the Computer objects check box, select the Create selected objects in this folder check box, and then click Next.


12. On the Permissions page, in the Permissions list, select the Full Control check box, and then click Next.

13. On the Completing the Delegation of Control Wizard page, click Finish.

Results: After completing this exercise, you will have configured custom computer naming.


Exercise 4: Deploying Images with Windows Deployment Services

Task 1: Configure a Windows Deployment Services Server for Multicast Transmission

1. Switch to the LON-SVR1 computer.

2. In Windows Deployment Services, in the console tree, right-click Multicast Transmissions, and then click Create Multicast Transmission.

3. In the Create Multicast Transmission Wizard, on the Transmission Name page, in the Type a name for this transmission field, type Windows Server 2012 Branch Servers, and then click Next.

4. On the Image Selection page, in the Select the image group that contains the image list, click Windows Server 2012 R2.

5. In the Name list, click Windows Server 2012 R2 SERVERSTANDARDCORE, and then click Next.

6. On the Multicast Type page, verify that Auto-Cast is selected, and then click Next.

7. Click Finish.

Task 2: Configure the Client for PXE Booting

1. On the host computer, switch to Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-SVR3, and then click Settings.

3. In the Settings for 20411C-LON-SVR3 dialog box, click BIOS.

4. In the results pane, click Legacy Network adapter.

5. Use the arrows to move Legacy Network adapter to the top of the list, and then click OK.

6. In Hyper-V Manager, click 20411C-LON-SVR3, and, in the Actions pane, click Start.

7. In the Actions pane, click Connect.

8. When the computer reboots, review the Pre-Boot EXecution Environment (PXE) Dynamic Host Configuration Protocol (DHCP) notice. When prompted, press F12 for Network Boot.

o Question: Do you see the admin approval message?

o Answer: Yes.

9. Switch to the LON-SVR1 computer.

10. In Windows Deployment Services, click Pending Devices.

11. Right-click the pending request, and then click Approve.

12. In the Pending Device dialog box, click OK.

13. Switch to the LON-SVR3 computer.

o Question: Which image is the default?

o Answer: Microsoft® Windows Setup (x64)

o Question: Does setup start?

o Answer: Yes

14. You do not have to continue setup.


Task 3: To Prepare for the Next Module

When you finish the lab, revert the virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. Right-click 20411C-LON-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 20411C-LON-SVR3 and 20411C-LON-SVR1.

Results: After completing this exercise, you will have deployed an image with Windows Deployment Services.
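Exercise 1 Task 3 leaves the PXE server answering every client, known or unknown; Exercise 3 then requires administrator approval for unknown computers and delegates rights on the Research OU to the LON-SVR1 computer account, and Exercise 4 approves the request from LON-SVR3 in the console. The following added example (not part of the lab) reads those settings back and performs the approval with wdsutil, the tool the lab itself uses in Exercise 3 Task 2. It assumes an elevated PowerShell session on LON-SVR1 for the WDS parts, the ActiveDirectory module on LON-DC1 for the OU check, and that the request ID is read from the pending list; Approve-PendingDevice is a name chosen here, not a WDS command. The delegation wizard hands LON-SVR1$ Full Control over the computer objects it creates, so the ACL check is there to confirm that nothing broader was granted on the OU.

```powershell
# Added example (not from the lab): review the security-relevant WDS settings configured in
# Exercises 1 and 3 and approve a pending PXE client from the command line.
# Assumptions: run elevated on LON-SVR1 (WDS) and on LON-DC1 (ActiveDirectory module); names
# match the lab; Approve-PendingDevice is a name chosen here, not a WDS command.

# ---------- On LON-SVR1 ----------
# 1. PXE answer policy and auto-add (approval) policy as the server reports them. Answering all
#    clients with no approval lets any host on the subnet pull boot and install images.
wdsutil.exe /Get-Server /Show:Config | Select-String -Pattern 'answer|approv|auto-add|autoadd'

# 2. Unknown computers waiting for approval (the F12 network boot in Exercise 4 creates one).
wdsutil.exe /Get-AutoAddDevices /DeviceType:PendingDevices

function Approve-PendingDevice {
    param([Parameter(Mandatory)][int]$RequestId)
    # Approval turns the request into a prestaged computer account in the Research OU,
    # named with the BRANCH-SVR-%02# pattern from Exercise 3 Task 1.
    wdsutil.exe /Approve-AutoAddDevices /RequestId:$RequestId
    if ($LASTEXITCODE -ne 0) { throw "wdsutil failed with exit code $LASTEXITCODE" }
}
# Approve-PendingDevice -RequestId 1

# ---------- On LON-DC1 ----------
Import-Module ActiveDirectory
$ou = 'OU=Research,DC=Adatum,DC=com'

# 3. Every ACE the Delegation of Control Wizard placed for LON-SVR1$ on the OU. Expect Full Control
#    scoped to computer objects (InheritedObjectType is the computer class GUID); anything wider
#    or anything not limited to that object type should be removed.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\LON-SVR1$' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 4. Computer accounts WDS has prestaged in the OU so far.
Get-ADComputer -SearchBase $ou -Filter 'Name -like "BRANCH-SVR-*"' -Properties whenCreated |
    Select-Object Name, whenCreated, Enabled
```

Run the ACL check after Exercise 3 Task 3 and again after an approval: the prestaged account is created by LON-SVR1$, which is why the delegation has to exist before the first approval succeeds.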


Module 12: Implementing Update Management

Lab: Implementing Update Management

Exercise 1: Implementing the WSUS Server Role

Task 1: Install the Windows Server® Update Services (WSUS) Server Role

1. Log on to LON-SVR4 as Adatum\Administrator with a password of Pa$$w0rd.

2. On LON-SVR4, in Server Manager, click Manage, and then click Add Roles and Features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, ensure Role-based or feature-based installation is selected, and then click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, select the Windows Server Update Services check box.

7. In the pop-up window, click Add Features.

8. On the Select server roles page, click Next.

9. On the Select features page, click Next.

10. On the Windows Server Update Services page, click Next.

11. On the Select role services page, confirm that both WID Database and WSUS Services are selected, and then click Next.

12. On the Content location selection page, in the text box, type C:\WSUSUpdates, and then click Next.

13. On the Confirm installation selections page, click Install.

14. When the installation completes, click Close.

15. In Server Manager, click Tools, and then click Windows Server Update Services.

16. In the Complete WSUS Installation window, click Run, and wait for the task to complete. Click Close.

17. Do not close the Windows Server Update Services Configuration Wizard window.

Task 2: Configure WSUS to Synchronize with an Upstream WSUS Server

1. In the Windows Server Update Services Configuration Wizard window, click Next twice.

2. On the Choose Upstream Server page, click the Synchronize from another Windows Server Update Services server option, in the Server name text box, type LON-SVR1.Adatum.com, and then click Next.

3. On the Specify Proxy Server page, click Next.

4. On the Connect to Upstream Server page, click Start Connecting. Wait for the upstream server settings to be applied, and then click Next.

5. On the Choose Languages page, click Next.

6. On the Set Sync Schedule page, click Next.

7. On the Finished page, click the Begin initial synchronization option, and then click Finish.


8. In the Windows Server Update Services console, in the navigation pane, double-click LON-SVR4, and then click Options.

9. In the Options pane, click Computers. In the Computers dialog box, select Use Group Policy or registry settings on computers. Click OK. You may need to wait until synchronization is complete before selecting this option.

Results: After completing this exercise, you should have implemented the WSUS server role.


Exercise 2: Configuring Update Settings

Task 1: Configure WSUS Groups

1. On LON-SVR4, in the WSUS console, in the navigation pane, double-click LON-SVR4, and then double-click Computers.

2. Click All Computers, and then, in the Actions pane, click Add Computer Group.

3. In the Add Computer Group dialog box, in the Name text box, type Research, and then click Add.

Task 2: Configure Group Policy to Deploy WSUS Settings

1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click Group Policy Management.

3. In the Group Policy Management Console, double-click Forest: Adatum.com, double-click Domains, and then double-click Adatum.com.

4. Right-click the Research organizational unit (OU), and then click Create a GPO in this domain, and Link it here.

5. In the New GPO dialog box, in the Name text box, type WSUS Research, and then click OK.

6. Double-click the Research OU, right-click WSUS Research, and then click Edit.

7. In the Group Policy Management Editor, under Computer Configuration, double-click Policies, double-click Administrative Templates, double-click Windows Components, and then click Windows Update.

8. In the Settings pane, double-click Configure Automatic Updates, and then click the Enabled option.

9. In the Configure automatic updating field, click and select 4 – Auto download and schedule the install, and then click OK.

10. In the Settings pane, double-click Specify intranet Microsoft update service location, and then click the Enabled option.

11. In the Set the intranet update service for detecting updates and the Set the intranet statistics server text boxes, type http://LON-SVR4.Adatum.com:8530, and then click OK.

12. In the Settings pane, double click Enable client-side targeting.

13. In the Enable client-side targeting dialog box, click the Enabled option, in the Target group name for this computer text box, type Research, and then click OK.

14. Close the Group Policy Management Editor and the Group Policy Management console.

15. Open Active Directory Users and Computers.

16. In Active Directory Users and Computers, double-click Adatum.com, click Computers, right-click LON-CL1, and then click Move.

17. In the Move dialog box, click the Research OU, and then click OK.

18. Close Active Directory Users and Computers.

Task 3: Verify the Application of Group Policy Settings

1. Switch to LON-CL1.

2. On LON-CL1, move the mouse pointer to the right-hand side of the screen, click the Settings icon, click Power, and then click Restart.


3. After LON-CL1 restarts, log on as Adatum\Administrator with a password of Pa$$w0rd.

4. On the Start screen, type cmd, right-click the Command Prompt tile, and then click Run as Administrator.

5. At the command prompt, type the following command, and then press Enter:

Gpresult /r

6. In the output of the command, confirm that, under Computer Settings, WSUS Research is listed under Applied Group Policy Objects.

Task 4: Initialize Windows Update

1. On LON-CL1, at the command prompt, type the following command, and then press Enter:

Wuauclt.exe /detectnow /reportnow

2. Switch to LON-SVR4.

3. In the Update Services console, expand Computers, then expand All Computers, and then click Research.

4. Verify that LON-CL1 appears in the Research Group. If it does not, then repeat steps 1-3. It may take several minutes for LON-CL1 to display.

5. Verify that updates are reported as needed. If updates are not reported, repeat steps 1-3. It may take 10-15 minutes for updates to register.

Results: After completing this exercise, you should have configured update settings for client computers.


Exercise 3: Approving and Deploying an Update by Using WSUS

Task 1: Approve WSUS Updates for the Research Computer Group

1. On LON-SVR4, in Windows Server Update Services, under Updates, click All Updates, right-click Update for Microsoft Office 2013 (KB2760267), 32-bit Edition, and then click Approve.

2. In the Approve Updates window, in the Research drop-down list box, select Approved for Install.

3. Click OK, and then click Close.

Task 2: Deploy Updates to LON-CL1

1. On LON-CL1, at the command prompt, type the following command, and then press Enter:

Wuauclt.exe /detectnow

2. Click to the Start screen and then type Windows Update.

3. Under Search, click Windows Update.

4. Click Check for updates.

5. Click 1 important update is available.

6. Click Install to install the approved update.

7. Close the Windows Update window when the installation is complete.

Task 3: Verify Update Deployment to LON-CL1

1. On LON-CL1, on the Start screen, type Event Viewer, and then click View event logs.

2. In Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then click WindowsUpdateClient / Operational to view events.

3. Confirm that events are logged in relation to the update.

Task 4: To Prepare for the Next Module

When you finish the lab, revert all virtual machines back to their initial state. To do this, perform the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 to 3 for 20411C-LON-SVR1, 20411C-LON-SVR4, and 20411C-LON-CL1.

Results: After completing this exercise, you should have approved and deployed an update by using WSUS.
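Exercise 2 Tasks 2 to 4 push the WSUS settings to LON-CL1 through Group Policy and confirm them with gpresult and wuauclt; Exercise 3 approves one update for the Research group in the console. The following added example (not part of the lab) covers both from PowerShell: it reads the policy values the WSUS Research GPO wrote to the registry on LON-CL1, runs a detection against the intranet server through the Windows Update Agent API, and on LON-SVR4 lists the Research group's members and approves the same update by KB number with the UpdateServices module. It assumes LON-CL1 is in the Research OU and has applied the GPO, that LON-SVR4 is the WSUS server, and that the names are those used above; Test-WsusClientPolicy is a name chosen here. The lab's intranet update location is http on port 8530; Microsoft recommends configuring WSUS with SSL (port 8531) so that client-to-server traffic cannot be tampered with by an on-path attacker, and the check flags the plain-HTTP URL for that reason.

```powershell
# Added example (not from the lab): check the WSUS client settings that the WSUS Research GPO
# wrote to LON-CL1, run a detection against the intranet server through the Windows Update Agent
# API, and approve an update for the Research group from LON-SVR4 with the UpdateServices module.
# Assumptions: LON-CL1 is in the Research OU and has applied the GPO; LON-SVR4 is the WSUS
# server; Test-WsusClientPolicy is a name chosen here.

# ---------- On LON-CL1 (elevated) ----------
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://LON-SVR4.Adatum.com:8530',
        [string]$ExpectedGroup  = 'Research'
    )
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction Stop
    $problems = @()
    if ($wu.WUServer -ne $ExpectedServer)       { $problems += "WUServer is '$($wu.WUServer)'" }
    if ($wu.WUStatusServer -ne $ExpectedServer) { $problems += "WUStatusServer is '$($wu.WUStatusServer)'" }
    if ($wu.TargetGroupEnabled -ne 1 -or $wu.TargetGroup -ne $ExpectedGroup) {
        $problems += "client-side targeting is not set to '$ExpectedGroup'"
    }
    if ($au.UseWUServer -ne 1) { $problems += 'UseWUServer is not 1; the client still talks to Microsoft Update' }
    if ($au.AUOptions -ne 4)   { $problems += "AUOptions is $($au.AUOptions), expected 4 (auto download and schedule)" }
    # Port 8530 is plain HTTP. Microsoft recommends SSL for WSUS so that the update
    # conversation cannot be tampered with on the path between client and server.
    if ($wu.WUServer -like 'http://*') { $problems += 'WSUS URL is HTTP, not HTTPS (8531)' }
    return $problems
}
Test-WsusClientPolicy   # no output means every setting matches; the HTTP finding fires in this lab

# Detection against the managed (WSUS) server: the API form of "wuauclt /detectnow".
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1      # ssManagedServer: use the configured WSUS server
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')
foreach ($u in $result.Updates) {
    '{0}  KB{1}' -f $u.Title, (@($u.KBArticleIDs) -join ', KB')
}

# ---------- On LON-SVR4 ----------
Import-Module UpdateServices
$wsus = Get-WsusServer

# Is LON-CL1 reporting in, and is it in the Research group (Exercise 2 Task 4 step 4)?
Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'Research' |
    Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime

# Approve one update for the Research group only, by KB number (Exercise 3 Task 1, scripted).
$kb = '2760267'
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Classification All |
    Where-Object { $_.Update.KnowledgebaseArticles -contains $kb } |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Research' -Verbose
```

Scoping the approval to a target group rather than All Computers is the point of the Research group created in Exercise 2 Task 1; an approval made against All Computers reaches every client the server knows about.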


Module 13: Monitoring Windows Server 2012

Lab: Monitoring Windows Server 2012

Exercise 1: Establishing a Performance Baseline

Task 1: Create and Start a Data Collector Set

1. Switch to the LON-SVR1 computer.

2. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.

3. Click Start, type Perf in the Search box, and, in the Apps list, click Performance Monitor.

4. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.

5. Right-click User Defined, point to New, and then click Data Collector Set.

6. In the Create new Data Collector Set Wizard, in the Name box, type LON-SVR1 Performance.

7. Click Create manually (Advanced), and then click Next.

8. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.

9. On the Which performance counters would you like to log? page, click Add.

10. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.

11. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

12. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.

13. Click Avg. Disk Queue Length and then click Add >>.

14. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.

15. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.

16. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Next.

17. On the Where would you like the data to be saved? page, click Next.

18. On the Create the data collector set? page, click Save and close, and then click Finish.

19. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click Start.

Task 2: Create a Typical Workload on the Server

1. Click Start, type Cmd in the Search box, and then in the Apps list, click Command Prompt.

2. At the command prompt, type the following command, and then press Enter:

Fsutil file createnew bigfile 104857600

3. At the command prompt, type the following command, and then press Enter:

Copy bigfile \\LON-dc1\c$

4. At the command prompt, type the following command, and then press Enter:

Copy \\LON-dc1\c$\bigfile bigfile2

5. At the command prompt, type the following command, and then press Enter:

Del bigfile*.*

6. At the command prompt, type the following command, and then press Enter:

Del \\LON-dc1\c$\bigfile*.*

7. Do not close the command prompt.

Task 3: Analyze the Collected Data

1. Switch to Performance Monitor.

2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.

3. In Performance Monitor, in the navigation pane, click Performance Monitor.

4. On the toolbar, click View Log Data.

5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

6. In the Select Log File dialog box, double-click Admin.

7. Double-click LON-SVR1 Performance, double-click the LON-SVR1_date-000001 folder, and then double-click DataCollector01.blg.

8. Click the Data tab, and then click Add.

9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.

11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.

12. Click Avg. Disk Queue Length and then click Add >>.

13. Expand Processor, click %Processor Time, and then click Add >>.

14. Expand System, click Processor Queue Length, click Add >>, and then click OK.

15. In the Performance Monitor Properties dialog box, click OK.

16. On the toolbar, on the Change graph type icon, click the down arrow, and then click Report.

17. Record the values listed in the report for later analysis.
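
The whole of this exercise, and the comparison that Exercise 2 asks for, can be scripted. The following is an added example, not the course's own lab code: it creates the same six-counter Data Collector Set with logman.exe (the command-line front end to the collector engine Performance Monitor uses), runs the same file-copy workload, stops the collector, and then summarizes the binary log with Import-Counter so that the baseline and a later stressed run can be compared as numbers rather than by reading two reports. Assumptions: it runs in an elevated Windows PowerShell session on LON-SVR1 as a user who can write to \\LON-DC1\c$, and the collector name is not already in use. Get-CounterSummary can be pointed at any .blg, including the DataCollector01.blg files the GUI-created set writes under C:\PerfLogs\Admin\LON-SVR1 Performance.

```powershell
# Added example: scripted baseline. Elevated PowerShell on LON-SVR1.
# Assumptions: \\LON-DC1\c$ is writable and the DCS name is free.
$DcsName  = 'LON-SVR1 Performance'
$OutDir   = "$env:SystemDrive\PerfLogs\Admin\$DcsName"     # same root Performance Monitor uses
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\System\Processor Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function New-BaselineCollector {
    # -si 00:00:01 is the 1-second sample interval; -f bin writes a .blg.
    logman create counter $DcsName -c $Counters -si 00:00:01 -f bin -o "$OutDir\baseline" | Out-Null
}

function Invoke-FileCopyWorkload {
    # Same disk and network load the lab generates: create, copy out and back, delete.
    fsutil file createnew bigfile 104857600 | Out-Null
    Copy-Item -Path bigfile -Destination '\\LON-DC1\c$\bigfile'
    Copy-Item -Path '\\LON-DC1\c$\bigfile' -Destination bigfile2
    Remove-Item -Path bigfile, bigfile2, '\\LON-DC1\c$\bigfile'
}

function Get-CounterSummary {
    param([Parameter(Mandatory)][string]$BlgPath)
    # Import-Counter reads the binary log; every sample set holds one
    # CounterSample per counter path. Group by path and aggregate.
    (Import-Counter -Path $BlgPath).CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
                Samples = $stats.Count
            }
        }
}

New-BaselineCollector
logman start $DcsName | Out-Null
Invoke-FileCopyWorkload
Start-Sleep -Seconds 10          # a few idle samples after the workload
logman stop $DcsName | Out-Null

# Pick the newest log logman wrote and report it.
$blg = Get-ChildItem -Path $OutDir -Recurse -Filter *.blg |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
Get-CounterSummary -BlgPath $blg.FullName | Format-Table -AutoSize
```

To compare two runs, call Get-CounterSummary on each .blg and line the rows up by Counter; the Maximum column is the one that shows a short burst such as the StressTool run in Exercise 2, which the Average can hide.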

Results: After this exercise, you should have established a baseline for performance-comparison purposes.

Exercise 2: Identifying the Source of a Performance Problem

Task 1: Create Additional Workload on the Server

1. On LON-SVR1, switch to the command prompt.

2. At the command prompt, type the following command, and then press Enter:

C:

3. At the command prompt, type the following command, and then press Enter:

Cd \Labfiles

4. At the command prompt, type the following command, and then press Enter:

StressTool 95

Task 2: Capture Performance Data by Using a Data Collector Set

1. Switch to Performance Monitor.

2. In Performance Monitor, click User Defined, in the results pane, right-click LON-SVR1 Performance, and then click Start.

3. Wait one minute to allow the data capture to occur.

Task 3: Remove the Workload, and Review the Performance Data

1. After one minute, switch to the command prompt.

2. Press Ctrl+C.

3. Do not close the command prompt.

4. Switch to Performance Monitor.

5. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.

6. In Performance Monitor, in the navigation pane, click Performance Monitor.

7. On the toolbar, click View log data.

8. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.

9. Click Add.

10. In the Select Log File dialog box, click Up One Level.

11. Double-click the LON-SVR1_date-000002 folder, and then double-click DataCollector01.blg.

12. Click the Data tab, and then click OK.

Record the following values:

o Memory, Pages/sec

o Network Interface, Bytes Total/sec

o PhysicalDisk, %Disk Time

o PhysicalDisk, Avg. Disk Queue Length

o Processor, %Processor Time

o System, Processor Queue Length

13. Click OK to close the Performance Monitor Properties dialog box.

Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4 through 11.

Question: Compared with your previous report, which values have changed?

Answer: Memory and disk activity are reduced, but processor activity has increased significantly.

Question: What would you recommend?

Answer: You should continue to monitor the server to ensure that the processor workload does not reach capacity.

Results: After this exercise, you should have used performance tools to identify a potential performance bottleneck.

Exercise 3: Viewing and Configuring Centralized Event Logs

Task 1: Configure Subscription Prerequisites

1. On LON-SVR1, switch to the command prompt.

2. At the command prompt, type the following command, and then press Enter:

winrm quickconfig

3. If prompted, type Y, and then press Enter.

4. On the taskbar, click Server Manager.

5. In Server Manager, in the navigation pane, click Local Server. On the toolbar, click Tools, and then click Computer Management.

6. In Computer Management (Local), expand System Tools, expand Local Users and Groups, and then click Groups.

7. In the results pane, double-click Administrators.

8. Click Add, and, in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.

9. In the Object Types dialog box, select the Computers check box, and then click OK.

10. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type LON-DC1, and then click OK.

11. In the Administrators Properties dialog box, click OK.

Note: This step makes the collector's computer account (LON-DC1$) a local administrator of LON-SVR1, which is far more than reading one event log requires. It is acceptable in the lab, but in production grant the collector only the access the subscription needs (membership in the source's Event Log Readers group together with the WinRM access the connection requires), or use a source-initiated subscription, in which the source pushes events to the collector and no inbound administrative access to the source is needed.

12. Switch to LON-DC1.

13. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.

14. In Start, type Cmd, and, in the Apps list, click Command Prompt.

15. At the command prompt, type the following command, and then press Enter:

Wecutil qc

16. When prompted, type Y, and then press Enter.

Task 2: Create a Subscription

1. Click Start, and then on the Start screen, type Event. In the Apps list, click Event Viewer.

2. In Event Viewer, in the navigation pane, click Subscriptions.

3. Right-click Subscriptions, and then click Create Subscription.

4. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.

5. Click Collector Initiated and then click Select Computers.

6. In the Computers dialog box, click Add Domain Computers.

7. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1, and then click OK.

8. In the Computers dialog box, click OK.

9. In the Subscription Properties – LON-SVR1 Events dialog box, click Select Events.

10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.

11. In the Logged drop-down list, click Last 7 days.

12. In the Event logs drop-down list, expand Applications and Services Logs, expand Microsoft, expand Windows, expand Diagnosis-PLA, and then select the Operational check box.

13. Click in the Query Filter dialog box to close the drop-down list, and then click OK.

14. In the Subscription Properties – LON-SVR1 Events dialog box, click OK.
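
The same prerequisites and subscription from the command line, as an added example that is not part of the course lab. It shows the subscription XML that Event Viewer builds behind the dialog boxes in Tasks 1 and 2 (collector-initiated, all levels, last 7 days, the Diagnosis-PLA Operational log), creates it with wecutil, and then runs the two checks a practitioner wants: the per-source runtime status, and whether anything has actually arrived in Forwarded Events. Assumptions: the lab domain is adatum.com, so the source address is LON-SVR1.adatum.com (the page does not state the domain); the subscription name and description are free to choose; the first command runs on LON-SVR1 and everything after it on LON-DC1, both elevated.

```powershell
# Added example: collector-initiated event subscription by script.
# Assumption: LON-SVR1's FQDN is LON-SVR1.adatum.com.

# --- On the source (LON-SVR1), elevated: WinRM listener and firewall rule
# that the collector connects to.
winrm quickconfig -quiet

# --- On the collector (LON-DC1), elevated: start the Windows Event Collector
# service and set it to start automatically.
wecutil qc /quiet

# Subscription definition. The query is the XPath Event Viewer generates for
# "all levels, last 7 days"; 604800000 is 7 days in milliseconds. The query
# is nested XML, so the comparison operator is written as &lt;= inside CDATA.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/EventLog/Subscription">
  <SubscriptionId>LON-SVR1 Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Performance counter alerts from LON-SVR1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Diagnosis-PLA/Operational">
    <Select Path="Microsoft-Windows-Diagnosis-PLA/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-SVR1.adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'LON-SVR1-Events.xml'
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath                      # cs = create-subscription

# Check 1: runtime status per source. An Active source with no LastError
# means the collector can reach LON-SVR1 and read the log.
wecutil gr 'LON-SVR1 Events'             # gr = get-subscriptionruntimestatus

# Check 2: has anything arrived? MachineName shows which source sent it.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, ProviderName, Id
```

Transport HTTP here means WS-Management over port 5985 inside the domain, where Kerberos authenticates and encrypts the exchange; across an untrusted network use the HTTPS transport with a certificate on the source's listener.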

Task 3: Configure a Performance Counter Alert

1. Switch to the LON-SVR1 computer.

2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.

3. Right-click User Defined, point to New, and then click Data Collector Set.

4. In the Create new Data Collector Set Wizard, in the Name box, type LON-SVR1 Alert.

5. Click Create manually (Advanced), and then click Next.

6. On the What type of data do you want to include? page, click Performance Counter Alert, and then click Next.

7. On the Which performance counters would you like to monitor? page, click Add.

8. In the Available counters list, expand Processor, click %Processor Time, click Add >>, and then click OK.

9. On the Which performance counters would you like to monitor? page, in the Alert when list, click Above.

10. In the Limit box, type 10, and then click Next.

11. On the Create the data collector set? page, click Finish.

12. In the navigation pane, expand the User Defined node, and then click LON-SVR1 Alert.

13. In the results pane, right-click DataCollector01, and then click Properties.

14. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1, and then click the Alert Action tab.

15. Select the Log an entry in the application event log check box, and then click OK.

16. In the navigation pane, right-click LON-SVR1 Alert, and then click Start.

Task 4: Introduce Additional Workload on the Server

1. At the command prompt, type the following command, and then press Enter:

C:

2. At the command prompt, type the following command, and then press Enter:

Cd \Labfiles

3. At the command prompt, type the following command, and then press Enter:

StressTool 95

4. Wait one minute to allow for alerts to generate.

5. Press Ctrl+C.

6. Close the command prompt.

Task 5: Verify Results

1. Switch to LON-DC1.

2. In Event Viewer, in the navigation pane, expand Windows Logs.

3. Click Forwarded Events.

Question: Are there any performance-related alerts?

Answer: Answers may vary, but there should be some events that relate to the imposed workload on LON-SVR1. They are the performance counter alert events that LON-SVR1 writes to its Microsoft-Windows-Diagnosis-PLA/Operational log, which the subscription forwards, and they have an Event ID of 2031.
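
Tasks 3 to 5 as a script, added here as an example that is not part of the course lab. On LON-SVR1 it creates the same alert with logman (the -th argument is the counter and threshold, -si the 1-second sample interval, -el the "log an entry in the application event log" action), runs the lab's StressTool for a minute, and looks at the alerts locally; on LON-DC1 it finds the same events after forwarding and shows which source sent them. Assumptions: StressTool is C:\Labfiles\StressTool.exe (the lab only shows it being typed as StressTool), the alert name is free, and both sessions are elevated.

```powershell
# Added example: performance counter alert, workload, and verification.
# Assumption: the lab tool is C:\Labfiles\StressTool.exe.

# --- On LON-SVR1, elevated.
$AlertName = 'LON-SVR1 Alert'
# Alert when % Processor Time is above 10, sampled every second, logged to the event log.
logman create alert $AlertName -th '\Processor(_Total)\% Processor Time>10' -si 00:00:01 -el | Out-Null
logman start $AlertName | Out-Null

# Generate load for a minute, then stop it (the script equivalent of Ctrl+C).
$proc = Start-Process -FilePath 'C:\Labfiles\StressTool.exe' -ArgumentList '95' -PassThru
Start-Sleep -Seconds 60
Stop-Process -Id $proc.Id
logman stop $AlertName | Out-Null

# Locally, each alert is Event ID 2031 in the Diagnosis-PLA Operational log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational'; Id = 2031 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Alert'; Expression = { ($_.Message -split "`r?`n")[0] } }

# --- On LON-DC1: the same events in Forwarded Events. Filter on the source
# name because a collector usually has more than one source.
function Get-ForwardedPlaAlerts {
    param(
        [string]$Source  = 'LON-SVR1',   # assumption: source host name prefix
        [int]   $Minutes = 30            # assumption: look-back window
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        Id        = 2031
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.MachineName -like "$Source*" } |
    Select-Object TimeCreated, MachineName,
        @{ Name = 'Alert'; Expression = { ($_.Message -split "`r?`n")[0] } }
}
Get-ForwardedPlaAlerts | Format-Table -AutoSize
```

If the local query shows alerts but the forwarded one is empty, the subscription rather than the alert is the problem: run wecutil gr "LON-SVR1 Events" on LON-DC1 and read the LastError for the source.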

Task 6: To Prepare for the Next Module

When you are finished with the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1. On the host computer, start Microsoft Hyper-V® Manager.

2. In the Virtual Machines list, right-click 20411C-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20411C-LON-SVR1.

Results: At the end of this exercise, you will have centralized event logs and examined these logs for performance-related events.
