LESSON PLAN - TestOut · TestOut Server Pro: Manage and Administer – English 3.1.x . LESSON PLAN...

TestOut Server Pro:

Manage and Administer – English 3.1.x

LESSON PLAN

Revised 2016/05/17

Copyright © 2015 TestOut Corporation. CompTIA, A+, Network+, Security+, Linux+ and related trademarks and trade names are the trademarks of CompTIA. Microsoft, MCITP, MSCA, MCTS, and Windows are the trademarks of Microsoft. Cisco and CCNA are the trademarks of Cisco. (ISC)2 and SSCP are the trademarks of (ISC)2. TestOut has no affiliation with any of these companies and the products and services advertised herein are not endorsed by any of them.

Table of Contents

Course Overview .................................................................................................. 4 Course Introduction for Instructors ........................................................................ 5

Section 1.1: Active Directory Overview ................................................................. 7 Section 1.2: Speeding Up Authentication .............................................................. 8 Section 1.3: Single Master Operations Roles (FSMO) .......................................... 9 Section 1.4: Read Only Domain Controllers (RODCs) ........................................ 11 Section 1.5: Virtual Domain Controllers .............................................................. 13

Section 1.6: Service Accounts ............................................................................ 14 Section 1.7: Maintaining Active Directory ............................................................ 16 Section 1.8: Restoring Active Directory ............................................................... 18 Section 2.1: Group Policy Foundation ................................................................. 20

Section 2.2: Administrative Templates ................................................................ 23 Section 2.3: Folder Redirection ........................................................................... 25

Section 2.4: Software Deployment ...................................................................... 26 Section 2.5: Security Settings ............................................................................. 28

Section 2.6: Password and Account Policies ...................................................... 30 Section 2.7: Advanced Auditing .......................................................................... 32 Section 2.8: Preferences ..................................................................................... 34

Section 2.9: Group Policy Management .............................................................. 36 Section 2.10: Management Delegation ............................................................... 38

Section 3.1: File Server Resource Manager ....................................................... 39 Section 3.2: Distributed File System ................................................................... 41 Section 3.3: Distributed File System Replication................................................. 43

Section 3.4: File Encryption ................................................................................ 45 Section 3.5: Disk Encryption ............................................................................... 47

Section 4.1: DNS Name Resolution .................................................................... 49 Section 4.2: DNS Forwarding and Delegation .................................................... 50

Section 4.3: DNS Zone ....................................................................................... 52 Section 4.4: DNS Zone Management ................................................................. 54 Section 4.5: DNS Records .................................................................................. 56

Section 4.6: DNS Options ................................................................................... 58 Section 5.1: Routing ............................................................................................ 60 Section 5.2: Network Address Translation (NAT)................................................ 62 Section 5.3: Virtual Private Networks (VPN) ....................................................... 63 Section 5.4: Network Policy Server ..................................................................... 65

Section 5.5: RADIUS .......................................................................................... 67

Section 5.6: Network Access Protection ............................................................. 69 Section 5.7: DirectAccess ................................................................................... 71 Section 6.1: Windows Software Update Services (WSUS) ................................. 73

Section 6.2: Windows Deployment Services (WDS) ........................................... 76 Section 6.3: WDS Image Management ............................................................... 78 Section 6.4: Performance Monitor....................................................................... 80 Section 6.5: Event Viewer ................................................................................... 82


Section 6.6: Network Monitor .............................................................................. 84

Server Pro: Manage and Administer Practice Exams .......................... 85 Microsoft 70-411 Practice Exams ....................................................................... 86 Appendix A: Approximate Time for the Course ................................................... 87 Appendix B: Exam 70-411: Administering Windows Server 2012 Objectives ..... 90

Appendix C: Server Pro: Manage and Administer Objectives ............. 96


Course Overview This course prepares students for TestOut’s Server Pro: Manage and Administer exam and Microsoft’s 70-411 certification exam.

Module 1 – Active Directory

This module teaches the students details about using Active Directory. This will include authentication, FSMO, RODCs, and maintaining and restoring Active Directory.

Module 2 – Group Policy

In this module students will learn about creating, configuring and managing

GPOs.

Module 3 – File Services

This module teaches students about controlling and organizing file resources and protecting access to data.

Module 4 – DNS

This module examines name resolution, resolving queries for records, creating and managing DNS zones, and creating DNS records.

Module 5 – Remote Access Management

In this module students will learn concepts about managing remote access. This includes understanding and configuring routers, securing communications over an untrusted network, authorizing remote clients and protecting access to a network.

Module 6 – Server Management

This module discusses management of server such as, updating software, deploying operating systems, and monitoring server, logs, and network traffic.

Practice Exams In Practice Exams students will have the opportunity to test themselves and

verify that they understand the concepts and are ready to take the certification

exam. The practice exams contain examples of the types of questions that a

student will find on the actual exam:

Microsoft 70-411 Practice Exams

Server Pro: Manage and Administer Practice Exams


Course Introduction for Instructors

This course provides students with the knowledge to become industry certified as a Windows professional. It prepares the student for the following exams:

Microsoft’s 70-411: Administering Windows Server 2012

TestOut’s Server Pro: Manage and Administer

Microsoft’s 70-411: Administering Windows 2012 certification measures the students’ ability to administer, configure, and manage Windows Server 2012 operating system. The following knowledge domains are addressed:

Deploy, manage, and maintain servers

Configure file and print services

Configure network services and access

Configure a network policy server infrastructure

Configure and manage Active Directory

Configure and manage Group Policy

Note: MS 70-411 objectives are listed in Appendix B: 70-411: Administering Windows Server 2012 Objectives

TestOut’s Server Pro: Manage & Administer certification measures the students’ ability to perform real-world job skills using the Windows Server 2012 operating system. The following knowledge domains are addressed:

Active Directory Management

Group Policy Configuration

File Services Management

DNS Configuration

Routing Configuration

Routing and Remote Access Configuration

Deployment Management

Note: TestOut’s Server Pro: Manage & Administer objectives are listed in Appendix C: Server Pro: Manage and Administer Objectives

The section introductions in LabSim and the lesson plans list the objectives that are met for each of the exams in that section.


The following icons are placed in front of lesson items in LabSim to help students quickly recognize the items in each section:

= Demonstration

= Exam

= Lab/Simulation

= Text lesson or fact sheet

= Video The video and demonstration icons are used throughout the lesson plans to help instructors differentiate between the timing for the videos and demonstrations. In the lesson plans the Total Time for each section is calculated by adding the approximate time for each section which is calculated using the following elements:

Video/demo times

Approximate time to read the text lesson (the length of each text lesson is taken into consideration)

Simulations (5 minutes is assigned per simulation. This is the amount of time it would take for a knowledgeable student to complete the lab activity. Plan that the new students will take much longer than this depending upon their knowledge level and computer experience.)

Questions (1 minute per question) Note: Appendix A: Approximate Time for the Course contains the approximate time for each section which are totaled for the entire course.


Section 1.1: Active Directory Overview

Summary

This section provides an overview of Active Directory. Concepts covered include:

Active Directory: o Centralized database o Contains user account and security information o Hierarchical framework with the following components:

Domain Object Organization Unit (OU) Generic Containers Trees and Forests Domain Controller Sites and Subnets

o NTDS.dit database file: Data table Link table Security descriptor (SD)

Lecture Focus Questions:

Why is DNS important for Active Directory?

What is the purpose of the schema?

What are the advantages of using organizational units over generic containers?

What is the difference between a tree and a forest? How can you tell when a new domain starts a new tree?

How does a site differ from a domain?

Video/Demo Time

1.1.1 Overview of Active Directory 8:13

Number of Exam Questions

7 questions

Total Time

About 20 minutes


Section 1.2: Speeding Up Authentication

Summary

This section provides information about speeding up authentication in the case of multiple-domain and multiple-site design. Features to improve performance in these situations include:

Global Catalog

Universal Group Membership Caching (UGMC)

Global Catalog vs UGMC

Lightweight Directory Access Protocol (LDAP)

Students will learn how to:

Add or remove the global catalog from a domain controller.

Enable Universal Group Membership Caching for a site.

Server Pro: Manage and Administer Exam Objectives:

1.0 Active Directory Management.o Implement Global Catalog Serverso Implement Universal Group Membership Caching (UGMC)

70-411 Exam Objectives:

502. Configure Domain Controllers.o Configure Universal Group Membership Caching (UGMC)


What are the advantages of having more than one Global Catalog server?

Why does a single domain network not need a Global Catalog server?

What is the function of Universal Group Membership caching?

When should Universal Group Membership caching be implemented?When would you use global catalog servers instead?

Video/Demo Time 1.2.1 Authentication Overview 4:47

1.2.2 Global Catalog Servers and UGMC 2:23

Total 7:10

Lab/Activity Configure Global Catalog Servers Enable Universal Group Membership Caching

Number of Exam Questions 8 questions

Total Time

About 30 minutes


Section 1.3: Single Master Operations Roles (FSMO)

Summary

This section provides details about Single Master Operations Roles (FSMO). Students will learn about:

The role of operations master roles

Operation roles at the forest levels:o Schema mastero Domain naming master

Operation roles at the domain levels:o Relative ID (RID) Mastero Primary Domain Controller (PDC) Emulatoro Infrastructure Master

Considerations about using operations master roles

Recommendations when designing operations master roles placement

Managing operations master role placement

Tools to manage operations master role placement:o MMC Snap-in Management Toolo Ntdsutil.exe

Details about the standby operations master


Transfer operation master roles among domain controllers.

Troubleshoot operation master roles to diagnose network problems.

Seize an operation master role in the case of a failed role operationsmaster.


1.0 Active Directory Management.o Manage Flexible Single-Master Operation (FSMO) roles


502. Configure Domain Controllers.o Transfer and seize operations masters



What is the purpose of an operation master role server?

What is the function of a PDC emulator? What does the infrastructure master do?

Which operations master roles are located at the forest level? How many of these roles are there in a forest?

How many domain operations masters are in a forest?

You are installing a new domain controller in a new domain in an existing forest. How many operation master roles will that server hold?

What might happen if the RID master becomes unavailable?

Which role(s) should be placed on a global catalog server? Which roles should not?

What is the difference between transferring a role and seizing a role?

Video/Demo Time

1.3.1 Overview of FSMO Roles 10:00 1.3.2 FSMO Role Transfer/Failure 2:38 1.3.3 Viewing FSMO Roles 4:11 1.3.5 Transferring FSMO Roles 4:18 1.3.6 Seizing FSMO Roles 4:41

Total 25:48

Lab/Activity

Transfer RID and PDC Masters Transfer the Infrastructure Master Troubleshoot Operations Masters


7 questions

Total Time

About 55 minutes


Section 1.4: Read Only Domain Controllers (RODCs)

Summary

This section provides information about deploying Read Only Domain Controllers (RODCs). Details covered include:

Features of RODCs:o Administrator role separationo Unidirectional replicationo Read-only datao Password replicationo DNS Server service

Installing RODC


Pre-create RODC accounts in Active Directory.

Install an RODC.


1.0 Active Directory Management.o Implement a Read Only Domain Controller (RODC)


502. Configure Domain Controllers.o Install and configure a read-only domain controller (RODC)


What is the purpose of administrator role separation?

How does unidirectional replication protect your network?

How does using an RODC allow for domain logon in the event of a WANlink failure?

How do DNS zones work differently on an RODC?

What are the forest functional level requirements for installing an RODC?

Which operating system versions must run on the PDC emulator?

Which permissions do you need to install an RODC?


Video/Demo Time

1.4.1 Read Only Domain Controllers (RODCs) 6:46 1.4.3 Pre-creating the RODC Account 7:19

Total 14:05

Lab/Activity

Create RODC Accounts


6 questions

Total Time

About 30 minutes


Section 1.5: Virtual Domain Controllers

Summary

This section discusses creating virtual domain controllers. Details covered include:

Issues concerning creating a snapshot of a Virtual Domain Controller and later reverting back to earlier snapshots

o Update Sequence Number (USN) rollback o VM-Generation-ID

System requirements: o Supported hypervisors o Supported guest operating systems

Virtual Domain Controller Cloning

System prerequisites before cloning a virtual domain controller: o Supported hypervisors o Supported guest operating systems o PDC Emulator

The basic steps for cloning a virtual domain controller


502. Configure Domain Controllers. o Configure Domain Controller cloning


Which versions of the Windows operating system support VM-Generation-ID identifiers?

Why is the VM-Generation-ID stored in two different locations?

What is the advantage of creating a new virtual domain controller by cloning an existing virtual domain controller?

Which group must the computer object for the domain controller be a member of to be cloned?

Video/Demo Time

1.5.1 Domain Controller Cloning 7:41


6 questions

Total Time About 20 minutes


Section 1.6: Service Accounts

Summary

This section examines using service accounts to allow an application or service to interact with the operating system. Concepts covered include:

Categories of service accounts: o Built-in local user account o Domain user account o Managed service account o Virtual account o Group managed service account

Requirements to use managed or virtual accounts

Common service account cmdlets: o New-ADServiceAccount o Get-ADServiceAccount o Set-ADServiceAccount o Remove-ADServiceAccount o Install-ADServiceAccount

Considerations when using group managed service accounts Students will learn how to:

Create a service account.

Create a managed service account and a group managed service account.


501 Configure service authentication. o Create and configure Service Accounts o Create and configure Group Managed Service Accounts o Create and configure Managed Service Accounts o Configure Kerberos delegation o Manage Service Principal Names (SPNs) o Configure virtual accounts



What are the differences between a managed service account and a virtual service account?

Which operating system is required to manage a service with a managed service account?

Which Windows PowerShell cmdlet will create a new managed service account?

If you have a domain controller running Windows Server 2003, how can you still use a virtual account?

Video/Demo Time

1.6.1 Overview of Service Accounts 2:55 1.6.2 Kerberos Delegation 2:33 1.6.3 Creating Service Accounts 10:32 1.6.4 Creating Managed Service Accounts 5:13 1.6.5 Creating Group Managed Service Accounts 7:43 1.6.6 Configuring Virtual Accounts 1:25

Total 30:21


8 questions

Total Time

About 45 minutes


Section 1.7: Maintaining Active Directory

Summary

In this section students will learn details about maintaining Active Directory. Concepts covered include:

Considerations when performing a system state backup

Using the Group Policy Management console to back up and restore onlyGroup Policy data

Steps to make and use snapshots of the Active Directory database

Tasks that can be performed from the command using the NTDSUtilcommand

o Changing the recovery mode passwordo Cleaning the metadatao Manually compacting the databaseo Manually moving the database and log files


Back up Active Directory and the SYSVOL.

Create and mount an Active Directory snapshot.

Use the NTDSUtil command to manage and optimize Active Directoryfrom the command line.


1.0 Active Directory Management.o Backup Active Directory


503 Maintain Active Directory.o Back up Active Directory and SYSVOLo Manage Active Directory offlineo Optimize an Active Directory databaseo Clean up metadatao Configure Active Directory snapshots



Which backup type should you perform if you want to protect Active Directory?

What are the requirements for performing a system state backup?

When using the dsamain command with the /dbpath option to expose a snapshot through an LDAP server, why can't you use port 389? Which port should you use?

Using NTDSUtil, which tasks can you perform to manage the Active Directory?

Video/Demo Time

1.7.1 Backing up Active Directory 2:10 1.7.2 Backing up AD and the SYSVOL 2:36 1.7.4 Managing AD Snapshots 7:51 1.7.7 Active Directory Maintenance 4:17 1.7.8 Using NTDSUtil 12:25

Total 29:19

Lab/Activity

Back up Active Directory


8 questions

Total Time

About 50 minutes


Section 1.8: Restoring Active Directory

Summary

This section discusses methods of restoring Active Directory. Details include:

Active Directory Recycle Bin: o Requirements o Enabling the Recycle Bin

Steps to enable the Recycle Bin in an existing forest

Considerations when using the Recycle Bin to restore delete Active Directory objects

Types of restoration available when restoring Active Directory: o Nonauthoritative o Authoritative

Methods for performing a domain controller restore: o Reinstalling Active Directory o Nonauthoritative system state restore o Authoritative system state restore o Critical volume or Bare metal recovery

Set the Burflags registry settings at the domain controller to perform a restore to all replicas in the domain:

o D2 performs a nonauthoritative restore o D4 performs an authoritative restore

Methods to restore lost Active Directory data: o LostAndFound container o Nonauthoritative restore o Authoritative restore o Active Directory Recycle Bin o Database snapshot

Warning and solution of a problem where group membership will not be restored when you restore Active Directory objects with an authoritative restore


Use the AD Recycle Bin to recover AD deleted objects.

Use the Administrative Center to recover a user.

Use the PowerShell command to recover a user.

Perform an authoritative restore using NTDSUtil.



503 Maintain Active Directory. o Perform object- and container-level recovery o Perform Active Directory restore o Configure and restore objects by using the Active Directory Recycle

Bin Lecture Focus Questions:

What is the difference between an authoritative and a nonauthoritative restore?

Why might group membership not be restored with an authoritative restore? When would this problem exist and how can you overcome it?

Which forest functional level is required for the Active Directory Recycle Bin?

What are the differences when a deleted object lifetime expires versus when a recycled object lifetime expires?

Video/Demo Time

1.8.1 Restoring Active Directory 6:56 1.8.2 Active Directory Recycle Bin 6:28 1.8.4 AD Restore 10:00

Total 23:24


12 questions

Total Time

About 45 minutes


Section 2.1: Group Policy Foundation

Summary

This section discusses creating and managing Group Policy objects. Details include:

GPO settings: o Undefined o Defined

Considerations when you configure GPO settings

Intervals that Windows refreshes the effective Group Policy settings

Gpupdate command switches to manually refresh group policy settings: o No switch o /force o /target:user o /target:computer o /boot o /logoff

Group Policy inheritance: o The order in which GPOs are applied o Effective GPO settings o Categories:

Computer policies User policies

Methods to customize how GPO settings are applied: o Block inheritance o Enforced o GPO Permissions o Disabling a GPO link o Disabling a part of the GPO o WMI filtering o Loopback processing o Slow link detection o Group Policy caching o Account policies

Guidelines when you use GPOs to deploy GPOs Students will learn how to:

Create and link Group Policy objects.

Modify and control Group Policy processing order.

Control how group policies are processed by configuring Group Policy slow link detection and loopback processing.

Troubleshoot Group Policy from a workstation using gpresult and RSOP.


Troubleshoot Group Policy from a server using Group Policy Modeling andGroup Policy Results.

Block inheritance to domain controllers and member servers.


2.0 Group Policy Configuration.o Manage Group Policy processing order


601 Configure Group Policy processing.o Configure processing order and precedenceo Configure blocking of inheritanceo Configure enforced policieso Configure security filtering and WMI filteringo Configure loopback processingo Configure and manage slow-link processingo Configure client-side extension (CSE) behavior


What is the difference between deleting a GPO and deleting a GPO link?

What is an undefined GPO setting? How does this affect the effectivesettings for a user or computer?

When are Group Policy settings refreshed?

How do you manually refresh Group Policy settings?

What will determine the effective Group Policy setting when an individualsetting is configured in two different GPOs?

When are computer policies enforced? User policies enforced?

How do you prevent inheritance from being blocked for a specific GPO?


Video/Demo Time

2.1.1 Group Policy Processing Order 4:51 2.1.2 Linking GPOs 4:04 2.1.3 Modifying GPO Processing Order 4:34 2.1.4 Modifying GPO Processing Order 8:54 2.1.5 Loopback Processing and Slow Link Detection 2:25 2.1.6 Loopback Processing and Slow Link Detection 8:16 2.1.7 Configuring Group Policy Caching 3:54 2.1.9 Troubleshooting Group Policy 8:51

Total 45:49

Lab/Activity

Control GPO Inheritance Configure GPO Permissions


10 questions

Total Time

About 70 minutes


Section 2.2: Administrative Templates

Summary

This section discusses using Administrative Templates. Concepts covered include:

Prior to Windows Server 2008, the Administrative Template format was.adm files

The process to work with .adm files

Older adm file format has been replaced on Windows Server 2008 (andlater) by the following:

o .admx fileso .adml files

ADMX files are saved on the local computer in the%systemroot%\PolicyDefinitions folder

The central storage location for .admx and .adml files on a domaincontroller is SYSVOL\domain_name\Policies\PolicyDefinitions folder


Import custom Administrative Templates.

Use the ADMX Migrator to convert older .adm Administrative Templatesto the new .admx format.

Configure property filters for Administrative Templates.

Create a Central Store to share .admx files with multiple computers.


1.0 Group Policy Configuration.o Create custom administrative templates by importing GPOs


602 Configure Group Policy settings.o Configure settings including software installation, folder redirection,

scripts, and administrative template settingso Import security templateso Import custom administrative template fileo Convert administrative templates using ADMX Migratoro Configure property filters for administrative templates



What is the Administrative Template central store and where is it located?

What are the advantages of the .admx file format?

What is the function of .adml files?

Video/Demo Time

2.2.1 Custom Administrative Templates 1:50 2.2.2 Importing Custom Administrative Templates 3:58 2.2.4 Converting Administrative Templates 4:06 2.2.5 Configuring Property Filters 2:18 2.2.6 Central Stores 1:45 2.2.7 Creating a Central Store 3:52 2.2.8 Exploring Admin Template Settings 6:48

Total 24:37

Lab/Activity

Import a GPO


6 questions

Total Time

About 35 minutes


Section 2.3: Folder Redirection

Summary

In this section students will learn the benefits of folder redirection and how to configure folder redirection. Students will learn how to:

Configure folder redirection to move the contents of the Documents folder to a new location.


602 Configure Group Policy settings. o Configure settings including software installation, folder redirection,

scripts, and administrative template settings Lecture Focus Questions:

Why would you choose to use folder redirection?

What is the difference between basic redirection and advanced redirection?

A folder that has been redirected appears to be on the local system, but where is it actually stored?

Video/Demo Time

2.3.1 Folder Redirection 1:52 2.3.2 Configuring Folder Redirection 3:59

Total 5:51


5 questions

Total Time

About 10 minutes


Section 2.4: Software Deployment

Summary

In this section students will learn about the software deployment lifecycle. Details in this section include:

Steps in the software deployment lifecycle:o Plano Deployo Manage (Upgrade)o Remove

Guidelines when you manage software distribution


Assign and publish software installer packages.

Configure software installation packages to customize deployment andremoval.


2.0 Group Policy Configuration.o Deploy software using Group Policy


602 Configure Group Policy settings.o Configure settings including software installation, folder redirection,

scripts, and administrative template settings


What is the difference between assigned and published software?

Why should you use the UNC path to an installer package rather than thelocal path?

What does it mean when a user or computer is outside of the scope ofmanagement for a software installation package? What happens to thesoftware when this condition exists?


Video/Demo Time

2.4.1 Software Deployment 2:43 2.4.2 Deploying Software with a GPO 14:38

Total 17:21

Lab/Activity

Assign Software Deploy Software 1 Deploy Software 2


14 questions

Total Time

About 50 minutes


Section 2.5: Security Settings

Summary

This section examines the following common GPO security setting categories:

Account Policies

Local Policies/Audit Policy

Local Policies/User Rights Assignment

Local Policies/Security Options

Windows Firewall with Advanced Security

Network List Manager Policies

Public Key Policies

Software Restriction Policies

Application Control Policies

IP Security Policies

Advanced Audit Policy Configuration

Event Log

Restricted Groups

System Services

Registry

File System

Wireless Network


Configure, save, and import a security template.


2.0 Group Policy Configuration.o Implement the following GPO policies:

Security Advanced audit


602. Configure Group Policy settings.o Import security templates



What is the difference between a user right and a security option?

Under what conditions are Account Policies in effect?

What are some of the User Rights Assignments you might consider using?

What is the function of the Network List Manager Policies?

Video/Demo Time

2.5.1 Security Options 1:43 2.5.2 Creating Security Templates 10:10

Total 11:53

Lab/Activity

Configure Security Options


7 questions

Total Time

About 30 minutes


Section 2.6: Password and Account Policies

Summary

This section covers password and account policies. Concepts covered include:

Password Policy:o Enforce password historyo Maximum password ageo Minimum password ageo Minimum password lengtho Password must meet complexity requirementso Store passwords using reversible encryption

Account Lockout Policy:o Account lockout durationo Account lockout thresholdo Reset account lockout after

Considerations when managing account policies

Kerberos policies:o Enforce user logon restrictionso Maximum lifetime for service ticketo Maximum lifetime for user ticketo Maximum lifetime for user ticket renewalo Maximum tolerance for computer clock synchronization

The role of granular password policies

Facts about granular password policies

Using ADSI Edit to create a PSO

Managing granular passwords using Active Directory AdministrativeCenter


Configure and manage Account Policy settings.

Use ADSI Edit to configure granular password policy settings.



Account Fine-grained password


504. Configure account policies.


o Configure domain user password policy o Configure and apply Password Settings Objects (PSOs) o Delegate password settings management o Configure local user password policy o Configure account lockout settings o Configure Kerberos policy settings


Users in a network have to change their passwords every 30 days, but many users have reported that they simply enter the same password to make the change. Which policy can you configure to prevent this?

What is the effect of setting the minimum password age account policy to 5 days?

How can you prevent users from creating passwords like desk, mom, chair, or office?

What is the effect of setting the account lockout policy to 0?

What happens when you configure the Account Policies settings in a GPO linked to an OU?

How can you configure different account policy settings for different users?

Which object types can you associate with a granular password policy?

A user has a granular password policy applied directly to the user account, and a different policy applied to a group of which the user is a member. Which policy will be in effect?

Video/Demo Time

2.6.1 Password Policies 2:09 2.6.2 Configuring Domain User Password Policy 4:30 2.6.3 Configuring Account Lockout 2:18 2.6.4 Configuring Local Password Policies 3:11 2.6.5 Configuring Kerberos Policy Settings 6:47 2.6.8 Creating a Fine-grained Password Policy 9:25

Total 28:20

Lab/Activity

Configure Account Policies Create a Fine-grained Password Policy


14 questions

Total Time

About 60 minutes


Section 2.7: Advanced Auditing

Summary

This section provides information about 53 new auditing capabilities that have been integrated with Group Policy. Concepts covered include:

Details about the advanced audit policy configuration

Categories of the 53 new auditing policy settings:o Account Logono Account Managemento Detailed Trackingo DS Accesso Logon/Logoffo Object Accesso Policy Changeo Privilege Useo Systemo Global Object Access Auditing


Use Group Policy to enforce auditing and secure audit logs.



Advanced audit


204. Configure advanced audit policies.o Implement auditing using Group Policy and AuditPol.exeo Create expression-based audit policieso Create removable device audit policies


What is the difference between auditing for success and auditing forfailure?

How can you configure auditing to track changes to Active Directoryobjects?

What is the result of excessive auditing?

Why should you design periodic reviews of audit logs?


Video/Demo Time

2.7.1 Advanced Audit Policies 7:22 2.7.2 Auditing Folder Access 14:46

Total 22:08

Lab/Activity

Configure Advanced Auditing Configure Removable Device Auditing


12 questions

Total Time

About 45 minutes


Section 2.8: Preferences

Summary

This section discusses using Group Policy preferences to configure, deploy, and manage operating system and application settings that you cannot manage using Group Policy settings. Details covered include:

Comparison of characteristics of Group Policy preferences to Group Policysettings

Facts about Group Policy preferences

Group Policy preferences:o Drive mapso Environmento Files Folderso Ini Fileso Network shareso Registryo Shortcutso Deviceso Folder optionso Internet settingso Local users and groupso Network optionso Power optionso Printerso Regional optionso Scheduled taskso Serviceso Start menu


Configure Group Policy preferences in a GPO.

Deploy shortcuts in a GPO.


2.0 Group Policy Configuration.o Configure Group Policy Preferences



604 Configure Group Policy preferences. o Configure Group Policy Preferences (GPP) settings including

printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment.

o Configure item-level targeting Lecture Focus Questions:

What is the main difference between Group Policy preferences and Group Policy settings?

Which types of applications and operating system features does Group Policy preferences support?

How do you configure Group Policy preferences?

What are the operating system prerequisites for applying Group Policy preferences?

Video/Demo Time

2.8.1 Group Policy Preferences 1:58 2.8.2 Configuring Group Policy Preferences 7:47

Total 9:45

Lab/Activity

Configure Internet Explorer Settings in a GPO Configure Power Options in a GPO Deploy Desktop Shortcuts in a GPO


6 questions

Total Time

About 35 minutes


Section 2.9: Group Policy Management

Summary

This section examines management of Group Policy objects. Concepts covered include:

Considerations when you manage Group policy objects

Methods to create another GPO from an existing GPO: o Copy o Backup and Import o Starter GPO

Using cmdlets in the Group Policy module for Windows PowerShell to manage domain-based GPOs

Common GPO management cmdlets include: o New-GPO o Copy-GPO o Get-GPO o Backup-GPO o Remove-GPO o Rename-GPO o Restore-GPO o Import-GPO o New-GPLink o Set-GPLink o Remove-GPLink o New-GPStarterGPO

The dcgpofix command switches to restore the default group Policy objects to their original state:

o /target:dc o /target:domain o /target:both o /ignoreschema

Using the Remote Group Policy update

Updating Group Policy using the Group Policy Management console Students will learn how to:

Back up and restore a GPO.

Create and configure a migration table to migrate domain-specific settings.

Restore default GPOs to what they were initially when Active Directory was installed.



2.0 Group Policy Configuration.o Backup and restore GPOs


603. Manage Group Policy objects (GPOs).o Back up, import, copy, and restore GPOso Create and configure Migration Tableo Reset default GPOso Force Group Policy update


What is the difference between deleting a GPO and deleting a GPO link?

How can you copy a GPO from one domain to another? How can youcopy starter GPOs?

Which tools can you use to manage GPOs and GPO links?

When moving GPOs from one domain to another, how do you handlesettings that are domain-specific and cannot be copied directly?

Video/Demo Time

2.9.1 Group Policy Management 1:26 2.9.2 Managing GPOs 5:14 2.9.5 Migration Tables 1:10 2.9.6 Configuring Migration Tables 4:26 2.9.7 GPO Default Setting 1:31 2.9.8 Resetting GPO Defaults 3:18 2.9.9 Forcing Group Policy Updates 1:15

Total 18:20

Lab/Activity

Back Up a GPO Restore a GPO


9 questions

Total Time

About 40 minutes


Section 2.10: Management Delegation

Summary

This section examines delegating out Group Policy management.


Create a GPO and delegate the management of particular tasks for allGPOs to a specified group.

Use the Delegation of Control Wizard to delegate common administrativetasks.


2.0 Group Policy Configuration.o Delegate GPO management


603. Manage Group Policy objects (GPOs).o Delegate Group Policy management


What is the two-step procedure required to delegate Group Policy objectmanagement?

Which tools are required to complete a delegation of management?

Video/Demo Time

2.10.1 GPO Management Delegation 1:07 2.10.2 Delegating GPO Management 4:30 2.10.4 Delegating Password Management 4:24

Total 10:01

Lab/Activity Delegate GPO Creation

Delegate Administrative Control


6 questions

Total Time

About 25 minutes


Section 3.1: File Server Resource Manager

Summary

This section provides details of using the File Server Resource Manager to allow administrators to understand, control, and manage the quantity and type of data stored on their servers. Concepts covered include:

FSRM is installed as a role service of the File Services role

Key FSRM features:o Quotaso Notificationso File Screeningo Storage Reportso File Classificationo File Management

Methods for configuring quotas for Windows Server:o NTFS Disk Quotaso FSRM Folder and Volume Quotas


Configure volume and folder quotas.

Create quota templates.

Configure file screens and file screen exceptions.

Generate FSRM reports for both quotas and overall file system use.Schedule FSRM reports.


3.0 File Services Management.o Configure FSRM quotaso Configure FSRM file screens


202 Configure File Server Resource Manager (FSRM).o Install the FSRM roleo Configure quotaso Configure file screenso Configure reports



What are the primary differences between disk quotas with NTFS and quotas implemented through FSRM?

How does a soft quota differ from a hard quota?

How do quota templates facilitate quota management?

What is the difference between a quota and a file screen?

How is an active file screen more restrictive than a passive file screen?

How can you automatically assign classification information to files?

What can you accomplish with the file expiration task?

Video/Demo Time

3.1.1 File Server Resource Manager (FSRM) 2:49 3.1.2 Installing FSRM 1:07 3.1.4 FSRM Quotas 4:59 3.1.6 File Screens 4:41 3.1.8 Configuring Reports 3:32

Total 17:08

Lab/Activity

Add Role Services for FSRM Configure FSRM Quotas Configure FSRM File Screens


15 questions

Total Time

About 50 minutes


Section 3.2: Distributed File System

Summary

This section discusses using the Distributed File System (DFS) to provide a way to logically organize shared folders on multiple servers into a single logical folder hierarchy called a namespace. Concepts covered include:

DFS Namespaces include the following components:o Namespaceo Namespace servero Namespace rooto Folder

Namespace types and criteria:o Stand-aloneo Domain-based

Considerations when managing DFS Namespaces


Create a DFS namespace with folders and targets.

Add role services as required to support DFS and the appropriatereplication method.


3.0 File Services Management.o Implement DFS replication


201. Configure Distributed File System (DFS).o Install and configure DFS namespaces


What is the difference between the namespace root and a folder withinDFS?

If you have multiple namespace servers, which namespace type shouldyou implement?

Which namespace type and mode would you choose to support access-based enumeration?

If you have a single namespace server and that server fails, what happensto client access for folders within the DFS structure? Why?


How can you prevent users from adding or changing files in a replicated folder?

Video/Demo Time

3.2.1 DFS Namespaces and Replication 4:54 3.2.2 Installing a DFS Namespace 4:38

Total 9:32

Lab/Activity

Add Role Services for DFS and Create a Namespace


6 questions

Total Time

About 25 minutes


Section 3.3: Distributed File System Replication

Summary

This section discusses using the Distributed File System replication to increase fault tolerance and improve access. Concepts covered include:

Components that DFS replication uses to control replications:o Replication groupo Replicated foldero Connection

Considerations when configuring DFS

Cloning the DFS database in Windows Server 2012 R2

Recovering a corrupted database using DFS Replication in WindowsServer 2012 R2

Optimization strategies for DFS:o Fault toleranceo Referralso Remote Differential Compression (RDC)o Pollingo Stagingo Single-master


Configure DFS replication of folder targets.

Create and configure a replication schedule.

Manage and optimize DFS by configuring staging and fault tolerance.


3.0 File Services Management.o Implement DFS replication


201. Configure Distributed File System (DFS).o Configure DFS Replication Targetso Configure Replication Schedulingo Configure Remote Differential Compression settingso Configure stagingo Configure fault tolerance



When can you add a failover cluster to a DFS replication group?

How does Remote Differential Compression conserve bandwidth?

Adam, Bob, and Curt access different copies of a replicated folder and modify the same file simultaneously. When each of them saves the file, which file becomes the authoritative copy? What happens to the other copies of this file?

Video/Demo Time

3.3.1 Staging and Fault Tolerance 12:00 3.3.2 Configuring DFS Replication Targets 6:53 3.3.3 Cloning the DFS Database 10:58 3.3.5 Optimizing DFS 10:00

Total 39:51


9 questions

Total Time

About 55 minutes


Section 3.4: File Encryption

Summary

In this section students will learn about protecting data through file and disk encryption. Concepts covered include:

Components of EFS:o Encryption Processo Access to Encrypted Datao EFS-Related Group Policyo Encrypted Data Managemento Remote Storageo Certificate Management


Encrypt or decrypt a file or folder.

Add authorized users to allow encrypted file access.

Designate DRAs for file recovery.

Configure EFS settings in Group Policy.


3.0 File Services Management.o Encrypt files and folders with EFS


203. Configure file and disk encryption.o Configure the EFS recovery agento Manage EFS and Bitlocker certificates including backup and

restore


What is the importance of the DRA in the encryption process?

Which users have access to encrypted files and folders?

What is the relationship between encryption and compression?

What is the significance of encrypting the pagefile?

How does Rekeywiz affect your encryption deployment?


Video/Demo Time

3.4.1 Overview of EFS 2:25 3.4.2 EFS Recovery Agents 2:38 3.4.3 Encrypting a Folder 8:38 3.4.4 Designating an EFS Recovery Agent 11:49 3.4.5 Managing EFS Certificates 6:31

Total 32:01

Lab/Activity

Encrypt a Folder


11 questions

Total Time

About 50 minutes


Section 3.5: Disk Encryption

Summary

In this section students will learn about using BitLocker to protect unauthorized data access on lost, stole or otherwise compromised systems. Concepts covered include:

BitLocker key is required to access the contents of the encrypted volume

BitLocker uses integrity checking

BitLocker is only available on: o Windows Vista Ultimate and Enterprise editions o Windows 7 Ultimate and Enterprise editions o Windows 8 Professional and Enterprise editions o Windows Server 2008 or Windows Server 2008 R2 o Windows Server 2012

BitLocker is not installed by default

BitLocker To Go

Components of BitLocker: o BitLocker partition o Trusted Platform Module (TPM) o Non-TPM device support

How BitLocker differs from the Encrypting File System (EFS)

Security components of a BitLocker configuration: o TPM owner password o Recovery key o PIN o Startup key o Data volume key o Data Recovery Agent o Network Unlock

BitLocker modes which determine the security level: o TPM-only o TPM with startup key o TPM with PIN o TPM with PIN and startup key o Without a TPM

How to configure and manage BitLocker Students will learn how to:

Generate recovery keys and create a BitLocker DRA.

Configure BitLocker on a computer with a TPM.



3.0 File Services Management.o Encrypt the server hard disk with BitLocker


203. Configure file and disk encryption.o Configure BitLocker encryptiono Configure the Network Unlock featureo Configure BitLocker policieso Manage EFS and BitLocker certificates including backup and

restore


When implementing BitLocker, why is it a good idea to run a system checkbefore encrypting the drive?

What is the difference in function between BitLocker and BitLocker ToGo?

When using BitLocker, what are the requirements of the Trusted PlatformModule? How can you implement BitLocker without a TPM?

What would happen if BitLocker were enabled, and the USB flash devicewhich holds the key were to be lost?

Video/Demo Time

3.5.1 BitLocker Disk Encryption 11:35 3.5.2 Configuring BitLocker Encryption 11:40

Total 23:15

Lab/Activity

Configure BitLocker with a TPM


15 questions

Total Time

About 50 minutes


Section 4.1: DNS Name Resolution

Summary

This section provides details of how DNS Name Resolution maps logical host names to IP addresses. Concepts covered include:

A DNS server holds a database of hostnames and their corresponding IP addresses

HOSTS file

Components of the DNS hierarchy: o .dot domain (also called the root domain) o Top Level Domains (TLDs) (.com, .edu, .gov) o Second-level and additional domains o Hosts

Fully Qualified Domain Name (FQDN)

DNS is a distributed database

Caching-only DNS

DNS name resolution process for the client

DNS name resolution process for the server Lecture Focus Questions:

What is the purpose of DNS?

How does an FQDN identify a host?

What is the difference between a DNS server and a caching-only DNS server?

What is the difference between forwarding and recursion?

Video/Demo Time

4.1.1 Fully Qualified Domain Names 3:20 4.1.3 Name Resolution 8:17

Total 11:37


11 questions

Total Time

About 25 minutes


Section 4.2: DNS Forwarding and Delegation

Summary

This section provides details of using DNS forwarding and delegation to resolve queries for records. Concepts covered include:

The role of a forwarder

Methods to control the server’s use of forwarders:o Secondary zoneo Stub zoneo Conditional forwardero Disable recursion

Reasons to perform zone delegation

Process to delegate a zone


Create a root zone.

Use DNS Manager to setup forwarding and conditional forwarding toresolve names.

Create a delegation to enable name resolution.


4.0 DNS Configuration.o Configure DNS forwarderso Create DNS delegations


301. Configure DNS zones.o Configure zone and conditional forwardso Configure zone and conditional forward storage in Active Directoryo Configure zone delegation


What is the role of a forwarder?

What could be a disadvantage of using secondary zones?

Under what circumstances would you choose to set up conditionalforwarding?

When should you set up zone delegation?


Video/Demo Time

4.2.1 Configuring Forwarding and Root Hints 9:46 4.2.4 Creating a Delegation 4:43

Total 14:29

Lab/Activity

Configure Forwarders Delegate Domains


7 questions

Total Time

About 35 minutes


Section 4.3: DNS Zone

Summary

This section discusses provides the basic information about creating and using DNS zones. Concepts covered include:

Types of DNS zones:o Primaryo Secondaryo Active Directory-integratedo Stub

Zones are classified as one of two types:o Forward lookup zoneo Reverse lookup zone

Details about zone transfers

Tools to update of zone data:o DNS consoleo Dnscmd command

An Active Directory-integrated zone stores DNS information in ActiveDirectory rather than a zone file


Create a standard primary zone and a standard secondary zone.

Create a stub zone to refer requests over to the authoritative server.

Create a Primary forward lookup zone and configure it to allow zonetransfers to any server.

Configure a reverse lookup zone.

Create a new zone and configure the zone to be stored in ActiveDirectory.


4.0 DNS Configuration.o Create the following types of DNS zones

Primary Secondary Stub Reverse-lookup Active Directory-integrated



301. Configure DNS zones. o Configure primary and secondary zones o Configure stub zones


What is the difference between the name resolution of a forward lookup zone and a reverse lookup zone?

What are the advantages of using an Active Directory-integrated zone?

What are the main difference between a primary zone and a secondary zone?

Which tools can you use to manually force an update of zone data?

Which type of DNS server can host an Active Directory-integrated zone?

What is the function of the Start of Authority (SOA) record?

Video/Demo Time

4.3.1 Forward and Reverse Lookup Zones 2:05 4.3.2 Standard DNS Zones 5:57 4.3.3 AD Integrated Zones 5:37 4.3.6 Creating a New Zone 11:29

Total 25:08

Lab/Activity

Create Standard Zones Create a Reverse Lookup Zone Create an Active Directory-integrated Zone


8 questions

Total Time

About 55 minutes


Section 4.4: DNS Zone Management

Summary

This section discusses management of DNS zones. Concepts covered include:

Details about configuring DNS zones

Zone data is replicated based on the replication scope:o All domain controllers in this domaino All DNS servers in this domaino All DNS servers in this foresto Application partition

Reverse Zone Name Format for:o IPv4o IPv6


Change an existing zone to a different zone type.

Configure the properties of an existing zone as needed.

Disable zone transfers for a specified zone.

Enable Dynamic DNS to minimize DNS administration.


4.0 DNS Configuration.o Manage zone transfers


302. Configure DNS records.o Configure zone scavengingo Configure record options including Tim to Live (TTL) and weighto Configure secure dynamic updates


How does replicating DNS information to all domain controllers in thedomain affect network traffic versus replicating to all DNS servers in theforest?

Which type of zone would you create if you wanted to use secure dynamicupdates?

What is the purpose of PTR records?

What is the zone name format for the reverse lookup network of1375:2614:DDAB:EE21?


Video/Demo Time

4.4.1 Configuring Zone Properties 7:24

Lab/Activity

Disable Zone Transfers Configure a Partner DNS Solution Enable Dynamic DNS Updates Troubleshoot Dynamic DNS


15 questions

Total Time

About 45 minutes


Section 4.5: DNS Records

Summary

This section discusses DNS records which store entries for hostnames, IP addresses, and other information in the zone database. Details include:

Common resource records:o SOA (Start of Authority)o NS (Name Server)o A (Host Address)o AAAA (Quad-A)o MX (Mail Exchanger)o CNAME (Canonical Name)o DNAME (Domain Alias)o SRV (Service Locator)o PTR (Pointer)o WINS and WINS-R Resource Records

Considerations when managing resource records

Using the dnscmd command to add a DNS record


Create and configure an MX record to identify email servers.

Configure the priority and weight of a SRV record to regulate the traffic tothe records.

Create A records and PTR records for hosts.

Create CNAME records to be used as aliases to allow clients to access anintranet website.

Use ping to troubleshoot DNS problems.


4.0 DNS Configuration.o Manage dynamic DNS updates


302. Configure DNS records.o Create and configure DNS Resource Records (RR) including A,

AAAA, PTR, SOA, NS, SRV, CNAME, and MX records



What information does an SOA record contain?

What is the difference between an A and a quad-A record?

How is the DNAME record similar to a CNAME record?

Which are the most common DNS records?

Video/Demo Time

4.5.1 DNS Record Types 6:19 4.5.2 Creating Common Records 9:44

Total 16:03

Lab/Activity

Create Host Records Create CNAME Records Troubleshoot DNS Records


15 questions

Total Time

About 50 minutes


Section 4.6: DNS Options

Summary

In this section students will learn about different DNS options that can be configured or controlled. Concepts covered in this section include:

DNS Manager tabs to configure DNS server properties: o Interfaces o Forwarders o Root Hints o Debug Logging o Event Logging o Monitoring o Security o Advanced

Configure DNS Round Robin

Debug logging options to configure debug logging: o Packet direction o Packet contents o Transport protocol o Packet type o Other options o File path and name o Maximum size (bytes)

Stale records and Time to Live (TTL) value

Scavenging is controlled through a combination of DNS server and zone properties:

o Zone properties No-refresh interval Refresh interval

o DNS server properties: Scavenge Stale Resource Records Enable automatic scavenging of stale records

o Considerations when configuring scavenging Students will learn how to:

Enable DNS round robin on a DNS server.

Enable scavenging of stale records on a DNS server.

Enable scavenging of stale records and aging on Active Directory zones.



4.0 DNS Configuration.o Manage dynamic DNS updates

Create DNS records Configure DNS Round Robin Configure DNS aging and scavenging


302. Configure DNS records.o Configure record options including Time to Live (TTL) and weighto Configure round robino Configure secure dynamic updates


How do stale records affect DNS server performance?

When is a DNS record considered stale?

How does the no-refresh interval affect scavenging?

When should you activate debug logging? For what period of time?

Where do you enable scavenging?

Video/Demo Time

4.6.1 DNS Server Properties 0:33 4.6.2 Exploring DNS Server Properties 6:21

Total 6:54

Lab/Activity

Configure DNS Round Robin Configure DNS Aging and Scavenging


9 questions

Total Time

About 35 minutes


Section 5.1: Routing

Summary

This section discusses routing. The following details are covered:

The role of routers

Static route

Route metric

Default route

Persistent route

Managing routing table entries:o View the IPv4 or IPv6 routing tableo Add an IPv4 static routeo Change a routeo Add an IPv6 static routeo Delete a route

Considerations when creating routes

Characteristics of RIP

Features of RIP that can be configured:o Packet Protocolo Authenticationo Route Filterso Neighborso Timerso Clean-up Updateso VLSM


Install Routing and Remote Access on a server and configure it to functionas a router.

Enable LAN routing on a server using the Configure and Enable Routingand Remote Access wizard.

Using metrics, configure static routes on a server with subnets to makeadditional networks accessible.

Configure RIP by adding the RIP protocol and adding interfaces to runRIP.


5.0 Routing and Remote Access Configuration.o Configure LAN routing



303. Configure VPN and routing. o Install and configure the Remote Access role

Configure routing


Which role do you install on a Windows server to get the routing component?

What is the purpose of a default route?

Under what circumstances can you most effectively use static routes?

Which switch used with route add allows you to make a route permanent?

Which routes are automatically added to the routing table when routing is enabled?

Which routing protocols does Windows Server 2012 support?

What is the difference between RIP version 2 and RIP? Why has RIP version 2 become the standard?

What is Silent RIP and how does it affect learning and sharing routes?

What affect does configuring neighbors have on RIP broadcasts and multicasts?

What is route summarization?

Video/Demo Time

5.1.1 Routing and Remote Access 2:02 5.1.2 Installing RRAS 3:07 5.1.4 Routing 7:48 5.1.5 Configuring Routing 17:00

Total 29:57

Lab/Activity

Add Role Services for Routing and Remote Access Enable LAN Routing Add Static Routes Configure RIP Routing


6 questions

Total Time

About 65 minutes


Section 5.2: Network Address Translation (NAT)

Summary

This section discusses the role of NAT and configuring a NAT router.


Configure a server as a NAT router.

Configure a NAT router to provide DHCP and DNS proxy services.


5.0 Routing and Remote Access Configuration.o Configure Network Address Translation (NAT) routing


303. Configure VPN and routing.o Install and configure the Remote Access roleo Configure routing


What does a NAT router do?

What are the address ranges you can use when deploying NAT?

How can NAT provide security for a private network?

Video/Demo Time

5.2.1 NAT 3:18 5.2.2 Implementing NAT 15:17

Total 18:35

Lab/Activity

Configure NAT


6 questions

Total Time

About 30 minutes


Section 5.3: Virtual Private Networks (VPN)

Summary

This section discusses using a Virtual Private Network (VPN) to support secured communications over an untrusted network.

VPN protocols that are supported:o Point-to-Point Tunneling protocol (PPTP)o Layer Two Tunneling Protocol (L2TP)o Secure Socket Tunneling Protocol (SSTP)o Internet Key Exchange 2 (IKEv2)

Comparison of authentication protocols:o Password Authentication Protocol (PAP)o Challenge Handshake Authentication Protocol (CHAP)o Microsoft Challenge Handshake Authentication Protocol version 2

(MS-CHAP v2)o Extensible Authentication Protocol-Transport Layer Security (EAP-

TLS)

Configuration tasks to configure a VPN Server:o Enable remote accesso Configure portso Configure addressingo Configure network policies

The role of Web Application Proxy

Settings used for VPN connections on Windows clients:o Generalo Optionso Securityo Networkingo Sharing

The role of VPN Reconnect


Configure a server as a VPN remote access server.


5.0 Routing and Remote Access Configuration.o Configure a VPN server



303. Configure VPN and routing. o Configure VPN settings o Configure remote dial-in settings for users o Configure routing o Configure Web Application proxy in pass-through mode


Which VPN protocols does Windows support?

Which authentication protocols support smart card use?

What makes CHAP vulnerable to security breaches?

What type of security environments use EAP?

Video/Demo Time

5.3.1 VPN 5:43 5.3.4 Configuring VPN 20:39 5.3.5 Configuring Web Application Proxy 11:38

Total 38:00

Lab/Activity

Configure a VPN Server


15 questions

Total Time

About 65 minutes


Section 5.4: Network Policy Server

Summary

This section discusses using the Network Policy Server for authorization of remote clients. Concepts covered include:

The role of authorization

Components of a network policy:o Conditionso Constraintso Permissionso Settings

The process used for authentication when a remote access connection isrequested


Create and configure a connection request policy with conditions,permissions, authentications, and constraints.

Create and save NPS templates that can be used later when configuringother features of NPS.


5.0 Routing and Remote Access Configuration.o Create Network Policy Server (NPS) policies


402. Configure NPS policies.o Configure connection request policieso Configure network policies for VPN clients (multilink and bandwidth

allocation, IP filters, encryption, IP addressing)o Manage NPS templateso Import and export NPS policies



What is the difference between authorization and authentication?

What is the difference between constraints and conditions? How are they similar?

What happens to a connection that matches the policy conditions but not the policy constraints? How many other policies will be checked in this scenario?

Where does the server find the permissions for a connection?

What must occur before settings are applied?

Video/Demo Time

5.4.1 NPS Policies for VPN Clients 3:49 5.4.3 Exploring NPS Policies for VPN Clients 11:53 5.4.6 Using NPS Templates 3:12

Total 18:54

Lab/Activity

Create a Network Access Policy 1 Create a Network Access Policy 2


8 questions

Total Time

About 40 minutes


Section 5.5: RADIUS

Summary

This section examines using network policies stored on a RADIUS server to authenticate remote access clients from multiple servers. Concepts covered include:

Components of a RADIUS solution: o Remote access clients o RADIUS client o RADIUS server o RADIUS proxy o Remote RADIUS server group o Network policies o Connection request policies o RADIUS Accounting o NPS templates o User account databases o RADIUS messages

Configuration components and tasks to configure a RADIUS solution: o RADIUS server o RADIUS client o Remote access client o RADIUS proxy o RADIUS Accounting

Best practices for configuring NPS for RADIUS

RADIUS Accounting o Types of events to log on the RADIUS server:

Accounting requests Authentication requests Periodic status information logs

o Types of logging that can be configured: Local file logging SQL server logging


Configure a remote access server as a RADIUS client.

Configure a RADIUS server.

Configure a RADIUS proxy by configuring Remote RADIUS Server groups and Connection Request policies.



5.0 Routing and Remote Access Configuration.o Configure a RADIUS authentication solutiono Implement a RADIUS proxy server


401. Configure Network Policy Server (NPS).o Configure multiple RADIUS server infrastructureso Configure a RADIUS servero Configure RADIUS clientso Manage RADIUS templateso Configure RADIUS accountingo Configure certificates


When using a RADIUS solution, where are network access policiesconfigured?

What is the difference between a RADIUS client and a remote accessclient?

Why would you implement a RADIUS proxy?

What is the difference between a RADIUS client and a RADIUS proxy?

What is the difference between a connection request policy and a networkaccess policy?

How does the RADIUS proxy use the remote RADIUS server group whenprocessing authentication requests?

Video/Demo Time

5.5.1 RADIUS Concepts 5:58 5.5.2 Configuring RADIUS Clients 7:28 5.5.3 Configuring RADIUS Accounting 2:44 5.5.4 Configuring a Multi-server RADIUS Infrastructure 4:29 5.5.5 Configuring Connection Request Policies 10:07

Total 30:46

Lab/Activity

Configure a RADIUS Solution Configure a RADIUS Proxy


10 questions

Total Time

About 60 minutes


Section 5.6: Network Access Protection

Summary

This section discusses using Network Access Protection (NAP) to allow administrators to regulate network access or communication based on a computer’s compliance with health requirement policies. Concepts covered include:

Features of NAPo Health state validationo Health policy complianceo Limited access network

Components that comprise the NAP system:o NAP Cliento NAP Servero Enforcement Server (ES)o Remediation Server

Steps to configure the NAP server

Steps to configure the client computer

Configuration steps for the following enforcement points:o DHCPo VPNo 802.1xo Remote Desktop Gatewayo IPsec


Configure a DHCP server as an enforcement point.

Configure SHV settings, remediation server groups, health policies, andnetwork policies for NAP.

Enable NAP enforcement on a client computer.


5.0 Routing and Remote Access Configuration.o Implement a Network Access Protection (NAP) by creating the

following policies: Security Health Validator Health Network Connection Request



403. Configure Network Access Protection (NAP). o Configure System Health Validators (SHVs) o Configure health policies o Configure NAP enforcement using DHCP and VPN o Configure isolation and remediation of non-compliant computers

using DHCP and VPN o Configure NAP client settings


Why is a non-compliant computer not necessarily an immediate security threat?

What happens to a computer that receives a limited access health state validation?

What functions are performed by the System Health Validator (SHV)?

Which NAP component do you modify to identify the health checks that should be performed?

How do remediation servers and auto-remediation help clients become compliant?

Which type of communication occurs in the boundary network when using IPsec enforcement?

Video/Demo Time

5.6.1 Overview of NAP 10:10 5.6.3 Configuring NAP Enforcement using DHCP 14:08 5.6.4 Configuring Auto-remediation 0:58 5.6.5 Configuring NAP Enforcement using VPN 12:31

Total 37:47

Lab/Activity

Configure a System Health Validator


13 questions

Total Time

About 65 minutes


Section 5.7: DirectAccess

Summary

This section discusses using DirectAccess to connect through an Internet connection to a corporate intranet. Details covered include:

How DirectAccess works

DirectAccess connection methods: o Full enterprise network access (end-to-edge) o Selected server access (modified end-to-edge) o End-to-end

The process that DirectAccess clients use to connect to intranet resources

DirectAccess requirements: o Infrastructure o Server o Client

DirectAccess configuration components: o Server o Client side


Prepare a server with the server requirements to set up DirectAccess.

Build the infrastructure for DirectAccess by configuring DNS and certificates to support DirectAccess.

Deploy DirectAccess by identifying remote clients, defining the remote access server, setting up the infrastructure servers, and identifying internal application servers.


304. Configure DirectAccess. o Implement server requirements o Implement client configuration o Configure DNS for DirectAccess o Configure certificates for DirectAccess



What are the advantages of using DirectAccess to access corporate file servers?

What is the difference between full enterprise network access and selected server access?

What are the requirements for a DirectAccess server?

How does the client's IP address configuration affect how the client sends traffic to the DirectAccess server?

Video/Demo Time

5.7.1 DirectAccess Overview 7:34 5.7.3 DirectAccess Requirements 6:34 5.7.4 Implementing Server Requirements for DirectAccess 7:15 5.7.5 Configuring DNS for DirectAccess 2:33 5.7.6 Configuring Certificates for DirectAccess 12:12 5.7.7 Configuring DirectAccess 6:55

Total 43:03


11 questions

Total Time

About 65 minutes


Section 6.1: Windows Software Update Services (WSUS)

Summary

This section examines using the Windows Software Update Services (WSUS) to update software. Details covered include:

WSUS advantages

Components of WSUS: o Microsoft Update o Windows Server Update Services (WSUS) server o Automatic Updates

WSUS deployment scenarios: o Single WSUS server o Multiple independent servers o Multiple synchronized servers o Disconnected WSUS server

Products that Microsoft Update and WSUS support updating: o Windows operating systems o Exchange Server o SQL Server o Microsoft Office

Control updates based on the following criteria: o Product family (such as operating system version or product o Update classification (such as critical updates or drivers) o Language

Considerations for configuring WSUS on the server: o Installation o Configure the server o Approve updates o Add downstream servers

Automatic Update policies: o Configure Automatic Updates o Specify Intranet Microsoft Update Service Location o Enable Client-Side Targeting o Reschedule Automatic Updates Scheduled Installations o No Auto-Restart with Logged On Users for Scheduled Automatic

Updates Installations o Automatic Updates Detection Frequency o Allow Automatic Updates Immediate Installation o Re-prompt for Restart with Scheduled Installation o Allow Non-administrators to Receive Update Notifications o Do Not Display ‘Install Updates and Shut Down’ Option in Shut

Down Windows Dialog Box

Settings in the Configure Automatic Updates policy: o Download Option


Automatic Notification

o Installation Option Automatic (Scheduled) Notification

Targeting provides different updates based on group membership

Groups are created on the WSUS server through the console

Client computers are assigned to a group with:o Server-side targetingo Client-side targeting

Facts to be aware of when using computer groups


Install WSUS and configure a WSUS server to download updates fromMicrosoft Update.

Synchronize and approve updates.

Run reports to view client and update information.

Control client update behavior through Group Policy.

Create computer groups for targeting, and manually modify groupmembership.

Enable client-side targeting on the WSUS server.

Configure client-side targeting through Group Policy.


6.0 Deployment Manager.o Configure a WSUS servero Control access to WSUS updates using the following:

Computer groups Client-side targeting


102. Implement patch management.o Install and configure the Windows Server update Services (WSUS)

roleo Configure group policies for updateso Configure client-side targetingo Configure WSUS synchronizationo Configure WSUS groupso Manage patch management in mixed environments


How do clients receive updates in the absence of WSUS? What are thedisadvantages that this method poses for your network?


When should you deploy multiple, independent WSUS servers? How is this configuration similar to a single WSUS server?

How would you deploy WSUS when an Internet connection is not allowed for an isolated network?

What is the difference between synchronizing updates, downloading updates, and approving updates?

By default, how often does the client check for updates? Which policy allows you to have clients check more frequently?

Which policy points clients to your WSUS server instead of the Microsoft Update Web site?

When using client-side targeting, how do you identify the computer group for a specific computer? How does this differ from server-side targeting?

Video/Demo Time

6.1.1 WSUS Overview and Concepts 5:42 6.1.3 Installing WSUS 5:32 6.1.4 Configuring WSUS 10:06 6.1.7 WSUS GPOs and Groups 2:48 6.1.8 Configuring WSUS Group Policies 5:43

Total 29:51

Lab/Activity

Configure a Downstream Server Configure Computer Groups Configure Client-side Targeting


10 questions

Total Time

About 65 minutes


Section 6.2: Windows Deployment Services (WDS)

Summary

This section discusses using the Windows Deployment Services (WDS) to enable the deployment of Windows operating systems to client and server computers. Details covered include:

Types of WDS images:o Install Imageo Boot Imageo Capture Boot Imageo Discover Boot Image

Condition under which WDS can be used to deploy virtual hard diskimages

Server and network requirements for Windows Deployment Services

Clients requirements for using WDS to install a Windows operating system

Prestaging a computer account

Managing computer accounts used by WDS

PXE response methods:o Do not respond to any client computero Respond only to known client computerso Respond to all (known and unknown) client computers

Methods to control how computer accounts are created


Add the Windows Deployment Services server role and install theDeployment Server and Transport Server role services.

Configure and manage settings for the WDS server.

Prestage computer accounts to control which computers will respond toWDS servers.


6.0 Deployment Manager.o Install and configure a WDS servero Create WDS images


101. Deploy and manage server images.o Install the Windows Deployment Services (WDS) roleo Configure and manage boot, install, and discover images



Which operating systems can be deployed with Windows Deployment Services (WDS)?

When would you use a discover boot image?

When would you use a capture boot image? Why doesn't this boot image run on a WDS client that needs to install the operating system?

How do you enable a non-PXE client to use WDS to install an operating system?

How would you deploy a .VHD image using WDS?

Video/Demo Time

6.2.1 WDS Overview 3:58 6.2.2 Imaging Concepts 4:33 6.2.4 Installing WDS 1:09 6.2.5 Configuring WDS 6:47

Total 16:27

Lab/Activity

Configure a WDS Server Pre-stage Computer Accounts


9 questions

Total Time

About 45 minutes


Section 6.3: WDS Image Management

Summary

This section discusses management of WDS images. Details covered include:

Considerations when configuring multicasting with WDS

Use the WDS console to view and manage multicast transmission that arein progress

Tools to manage WDS imageso Windows Preinstallation Environment (WinPE)o System Preparation Tool (Sysprep)o Deployment Image Servicing and Management (DISM.exe)o ImageXo Windows System Image Manager (Windows SIM)o WDSUtil

Windows PowerShell cmdlets to perform common tasks in WDS

Facts about WDS images


Configure WDS server properties for multicast.

Configure WDS multicast transmissions.

Create image groups and add install images.

Add boot images to WDS.


6.0 Deployment Manager.o Create WDS imageso Control access to imageso Deploy images to clients


101. Deploy and manage server images.o Update images with patches, hotfixes, and driverso Install features for offline imageso Configure driver groups and packages


How does multicasting differ from unicasting?

How does auto-cast differ from scheduled-casting?


You have enabled scheduled-casting without a start condition. What must you do for a client to obtain an image using multicasting?

What is the difference between deleting and deactivating a multicast transmission?

Which two ways can you force a client currently using multicast to use unicast to complete the installation?

How do you split a multicast transmission so that faster clients are not slowed down by slower clients?

What are the differences between Sysprep, ImageX, and DISM? When can you use each tool? Which tasks can only be performed by one tool?

Which type of boot image can you use to deploy a 64-bit install image?

What is the relationship between a .wim file and a .rwm file?

What is the advantage of dynamic driver provisioning?

Video/Demo Time

6.3.1 Managing Images 10:30 6.3.3 Updating Images with Features 13:43

Total 24:13

Lab/Activity

Create WDS Images Create a Multicast Transmission


10 questions

Total Time

About 50 minutes


Section 6.4: Performance Monitor

Summary

This section discusses Performance Monitor and the other tools that can be used to monitor the reliability and performance of a Windows Server 2012 system:

Task Manager

Resource Monitor

Reliability Monitor

Performance Monitor

Data Collector Sets Students will learn how to:

Use Performance Monitor to create a data collector and configure the settings.

Use Performance Monitor to set alerts that will be triggered when a condition is met.

Use Task Manager, Resource Monitor and Performance Monitor to monitor real-time performance.


103. Monitor servers. o Configure Data Collector Sets (DCS) o Configure alerts o Monitor real-time performance o Monitor virtual machines (VMs) o Schedule performance monitoring


Which tool uses the System Stability Index number? What would a System Stability Index number of 2 indicate?

What is the main difference between Task Manager and Resource Monitor when it comes to monitoring the server?

Performance Monitor uses objects and counters to track performance. What is the difference between an object and a counter?


Video/Demo Time

6.4.1 Overview of Server Monitoring 4:24 6.4.2 Performance Monitor (DCS) 8:43 6.4.3 Performance Monitor (Alerts) 4:26 6.4.4 Real-time Performance Monitoring 4:57

Total 22:30


13 questions

Total Time

About 40 minutes


Section 6.5: Event Viewer

Summary

This section discusses using Event Viewer to view and manage local and remote logs. Details covered include:

Common event logs include: o Application o Security o System o Setup o ForwardedEvents

Features available with event logs: o Log size o Save events o Filter events o Custom views o Attach a Task o Event Log Online Help

Computers running the following versions of Windows can be configured as collector systems:

o Windows Server 2003 R2 or later o Windows Vista or later

Computers running the following versions of Windows can be configured as source systems:

o Windows XP with SP2 or later o Windows Server 2003 with SP1 or later

Event subscriptions use the following services: o Windows Remote Management (WinRM) o Windows Event Collector (Wecsvc)

Subscription type and source computers: o Collector initiated o Source computer initiated

Delivery optimization options: o Normal o Minimize bandwidth o Minimize latency o Custom

Configuring subscription types: o Collector initiated o Source initiated



View events to gather information, such as Event ID, Log Name, User, and Computer.

Create event filters and custom views.

Search and save logs.

Attach tasks to events or to logs.

Configure subscriptions to pull events from remote machines.


103. Monitor servers. o Monitor events o Configure event subscriptions o Configure network monitoring


Which log do you view to troubleshoot errors during a software installation?

What options do you have for a log file that has reached its designated capacity?

What happens to the data in a log that you save that has a filter on it?

How does a custom view differ from adding a filter to a log?

How can you combine events from multiple logs into a single report?

What tasks can you attach to an event or log?

What is the purpose of the Event Log Online Help link inside each event?

What two services are required to configure event subscriptions?

Where do you go to view events collected from remote computers collected using event subscriptions?

Video/Demo Time

6.5.1 Event Viewer and Event Subscriptions 4:34 6.5.2 Exploring Event Viewer 6:57 6.5.4 Configuring Event Subscriptions 6:47

Total 18:18


12 questions

Total Time

About 35 minutes


Section 6.6: Network Monitor

Summary

This section discusses using Network Monitor to capture, view, and analyze network traffic. Details covered include:

System Requirements o Supported operating systems o Hardware requirements

Capture

Filter o Display filter o Capture filter

Aliases

Conversations

Parsers

Command line


Configure Network Monitor to capture packets.

Configure and remove capture and display filters.

Configure conversations to group data by type.

Configure aliases to replace IP addresses with names.


103. Monitor servers. o Configure network monitoring


What are the differences between display filters and capture filters?

What is the difference between capturing in promiscuous mode and capturing without promiscuous mode? When will using promiscuous mode not result in significant differences in the data captured?

How can aliases make troubleshooting easier?

What permissions do you need to run Network Monitor?

Video/Demo Time

6.6.1 Network Monitoring 6:28


7 questions

Total Time

About 15 minutes

Server Pro: Manage and Administer Practice Exams

Summary

This section provides information to help prepare students to take the Server Pro: Manage and Administer certification exam. Students will have the opportunity of testing their mastery of the concepts presented in this course to reaffirm that they are ready for the certification exam.

Students will typically take about 5-10 minutes (depending upon the complexity and their level of knowledge) to complete each simulation question in the following practice exams. There is no time limit on the amount of time a student can take to complete the practice exams for the following domains.

Objective 1: Active Directory Management (7 simulation questions) Objective 2: Group Policy Configuration (18 simulation question) Objective 3: File Services Management (6 simulation questions) Objective 4: DNS Configuration (14 simulation questions) Objective 5: Routing and Remote Access Configuration (11 simulation questions) Objective 6: Deployment Management (7 simulation questions)

The Server Pro: Manage and Administer Certification Practice Exam consists of 15 simulation questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed different questions may be presented.




Summary

This section provides information to help prepare students to take the MS 70-411 exam and to register for the exam. Students will have the opportunity of testing their mastery of the concepts presented in this course to reaffirm that they are ready for the certification exam. Students will typically take about 1 minute to complete each question in the following practice exams. There is no time limit on the amount of time a student can take to complete the practice exams for the following domains. Objective 100. Deploy, Manage, and Maintain Servers (61 questions) Objective 200. Configure File and Print Services (69 questions) Objective 300. Configure Network Services and Access (110 questions) Objective 400. Configure a Network Policy Server Infrastructure (31 questions) Objective 500. Configure and Manage Active Directory (76 questions) Objective 600. Configure and Manage Group Policy (63 questions) The Microsoft 70-411 Certification Practice Exam consists of 60 questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed different questions may be presented. The Certification Practice Exam has a time limit of 2 hours. A passing score of 95% should verify that the student has mastered the concepts and is ready to take the real certification exam.


Appendix A: Approximate Time for the Course

The total time for the LabSim Server Pro: Manage and Administer course is approximately 44 hours and 30 minutes. The time is calculated by adding the approximate time for each section which is calculated using the following elements:

Video/demo times

Approximate time to read the text lesson (the length of each text lesson istaken into consideration)

Simulations (5 minutes assigned per simulation, of course many studentsmay take longer depending upon their knowledge level and experience)

Questions (1 minute per question)

The breakdown for this course is as follows:

Module Sections Time Minute HR:MM

1.0 Active Directory

1.1 Active Directory Overview 20

1.2 Speeding Up Authentication 30

1.3 Single Master Operations Roles (FSMO) 55

1.4 Read Only Domain Controllers (RODCs) 30

1.5 Virtual Domain Controllers 20

1.6 Service Accounts 45

1.7 Maintaining Active Directory 50

1.8 Restoring Active Directory 45 295 4:55

2.0 Group Policy

2.1 Group Policy Foundation 70

2.2 Administrative Templates 35

2.3 Folder Redirection 10

2.4 Software Deployment 50

2.5 Security Settings 30

2.6 Password and Account Policies 60

2.7 Advanced Auditing 45

2.8 Preferences 35

2.9 Group Policy Management 40

2.10 Management Delegation 25 400 6:40


3.0 File Services

3.1 File Server Resource Manager 50

3.2 Distributed File System (DFS) 25

3.3 Distributed File System Replication 55

3.4 File Encryption 50

3.5 Disk Encryption 50 220 3:50

4.0 DNS

4.1 DNS Name Resolution 25

4.2 DNS Forwarding and Delegation 35

4.3 DNS Zones 55

4.4 DNS Zone Management 45

4.5 DNS Records 50

4.6 DNS Options 35 245 4:05

5.0 Remote Access Management

5.1 Routing 65

5.2 Network Address Translation (NAT) 30

5.3 Virtual Private Networks (VPN) 65

5.4 Network Policy Server 40

5.5 RADIUS 60

5.6 Network Access Protection 65

5.7 DirectAccess 65 390 6:30

6.0 Server Management

6.1 Windows Software Update Services (WSUS) 65

6.2 Windows Deployment Services (WDS) 45

6.3 WDS Image Management 50

6.4 Performance Monitor 40

6.5 Event Viewer 35

6.6 Network Monitor 15 250 4:10

Server Pro: Manage & Administer Certification Practice Exam

100. Active Directory Management (7 questions) 35

200. Group Policy Configuration (18 questions) 90

300. File Services Management (6 questions) 30

400. DNS Configuration (14 questions) 70

500. Routing and Remote Access Configuration (11questions) 55

600. Deployment Management (7 questions) 35

Certification Practice Exam (15 questions) 75 390 6:30



100. Deploy, Manage, and Maintain Servers (61 questions) 61

200. Configure File and Print Services (69 questions) 69

300. Configure Network Service and Access, (110 questions) 110

400. Configure a Network Policy Server Infrastructure (31 questions) 31

500. Configure and Manage Active Directory (76 questions) 76

600. Configure and Manage Group Policy (63 questions) 63

Certification Practice Exam (60 questions) 60 470 7:50

Total Time

2660 44:30


Appendix B: Exam 70-411: Administering Windows Server 2012 Objectives

The Windows Exam 70-411: Administering Windows Server 2012 certification exam covers the following objectives. In the spread sheet below the column to the right lists the sections where the information is located in the course:

# Objective Module.Section

100 Deploy, Manage, and Maintain Servers (17 percent)

101 Deploy and manage server images This objective may include but is not limited to:

Install the Windows Deployment Services (WDS) role Configure and manage boot, install, and discover

images Update images with patches, hotfixes, and drivers Install features for offline images Configure driver groups and packages

6.2, 6.3

102 Implement patch management This objective may include but is not limited to:

Install and configure the Windows Server Update Services (WSUS) role

Configure group policies for updates Configure client-side targeting Configure WSUS synchronization Configure WSUS groups Manage patch management in mixed environments

6.1

103 Monitor servers This objective may include but is not limited to:

Configure Data Collector Sets (DCS) Configure alerts Monitor real-time performance Monitor virtual machines (VMs) Monitor events Configure event subscriptions Configure network monitoring Schedule performance monitoring

6.4, 6.5, 6.6

200 Configure File and Print Services (15 percent)


201 Configure Distributed File System (DFS) This objective may include but is not limited to:

Install and configure DFS namespaces Configure DFS Replication Targets Configure Replication Scheduling Configure Remote Differential Compression settings Configure staging Configure fault tolerance

3.2, 3.3

202 Configure File Server Resource Manager (FSRM) This objective may include but is not limited to:

Install the FSRM role Configure quotas Configure file screens Configure reports

3.1

203 Configure file and disk encryption This objective may include but is not limited to:

Configure BitLocker encryption Configure the Network Unlock feature Configure BitLocker policies Configure the EFS recovery agent Manage EFS and BitLocker certificates including

backup and restore

3.4, 3.5

204 Configure advanced audit policies This objective may include but is not limited to:

Implement auditing using Group Policy and AuditPol.exe

Create expression-based audit policies Create removable device audit policies

2.7


300 Configure Network Services and Access (17 percent)

301 Configure DNS zones This objective may include but is not limited to:

Configure primary and secondary zones Configure stub zones Configure conditional forwards Configure zone and conditional forward storage in

Active Directory Configure zone delegation Configure zone transfer settings Configure notify settings

4.2, 4.3

302 Configure DNS records This objective may include but is not limited to:

Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records

Configure zone scavenging Configure record options including Time To Live (TTL)

and weight Configure round robin Configure secure dynamic updates

4.4, 4.5, 4.6

303 Configure VPN and routing This objective may include but is not limited to:

Install and configure the Remote Access role Implement Network Address Translation (NAT) Configure VPN settings Configure remote dial-in settings for users Configure routing Configure Web Application Proxy in pass-through

mode

5.1, 5.2, 5.3

304 Configure DirectAccess This objective may include but is not limited to:

Implement server requirements Implement client configuration Configure DNS for DirectAccess Configure certificates for DirectAccess

5.7

400 Configure a Network Policy Server Infrastructure (14 percent)


401 Configure Network Policy Server (NPS) This objective may include but is not limited to:

Configure multiple RADIUS server infrastructures Configure a RADIUS server, including RADIUS proxy Configure RADIUS clients Configure NPS templates Configure RADIUS accounting Configure certificates

5.5

402 Configure NPS policies This objective may include but is not limited to:

Configure connection request policies Configure network policies for VPN clients (multilink

and bandwidth allocation, IP filters, encryption, IP addressing)

Manage NPS templates Import and export NPS policies

5.4

403 Configure Network Access Protection (NAP) This objective may include but is not limited to:

Configure System Health Validators (SHVs) Configure health policies Configure NAP enforcement using DHCP and VPN Configure isolation and remediation of non-compliant

computers using DHCP and VPN Configure NAP client settings

5.6

500 Configure and Manage Active Directory (19 percent)

501 Configure service authentication This objective may include but is not limited to:

Create and configure Service Accounts Create and configure Group Managed Service

Accounts Create and configure Managed Service Accounts Configure Kerberos delegation Manage Service Principal Names (SPNs) Configure virtual accounts

1.6

502 Configure Domain Controllers This objective may include but is not limited to:

1.2, 1.3, 1.4, 1.5


Configure Universal Group Membership Caching (UGMC)

Transfer and seize operations masters Install and configure a read-only domain controller

(RODC) Configure Domain Controller cloning

503 Maintain Active Directory This objective may include but is not limited to:

Back up Active Directory and SYSVOL Manage Active Directory offline Optimize an Active Directory database Clean up metadata Configure Active Directory snapshots Perform object- and container-level recovery Perform Active Directory restore Configure and restore objects by using the Active

Directory Recycle Bin

1.7, 1.8

504 Configure account policies This objective may include but is not limited to:

Configure domain user password policy Configure and apply Password Settings Objects

(PSOs) Delegate password settings management Configure local user password policy Configure account lockout settings Configure Kerberos policy settings

2.6

600 Configure and Manage Group Policy (18 percent)

601 Configure Group Policy processing This objective may include but is not limited to:

Configure processing order and precedence Configure blocking of inheritance Configure enforced policies Configure security filtering and WMI filtering Configure loopback processing Configure and manage slow-link processing Configure client-side extension (CSE) behavior Force Group Policy update Configure and manage slow-link processing and

Group Policy caching.

2.1, 2.9


602 Configure Group Policy settings This objective may include but is not limited to:

Configure settings including software installation, folder redirection, scripts, and administrative template settings

Import security templates Import custom administrative template file Convert administrative templates using ADMX Migrator Configure property filters for administrative templates

2.2, 2.3, 2.4, 2.5

603 Manage Group Policy objects (GPOs) This objective may include but is not limited to:

Back up, import, copy, and restore GPOs Create and configure Migration Table Reset default GPOs Delegate Group Policy management

2.9, 2.10

604 Configure Group Policy preferences This objective may include but is not limited to:

Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment

Configure item-level targeting

2.8


Appendix C: Server Pro: Manage and Administer Objectives

The Server Pro: Manage and Administer certification exam covers the following objectives. In the spread sheet below the column to the right lists the sections where the information is located in the course:

# Objective Module.Section

1.0 Active Directory Management

Implement Global Catalog Servers. Implement Universal Group Membership Caching

(UGMC). Manage Flexible Single-Master Operation (FSMO)

roles. Implement a Read Only Domain Controller (RODC). Backup Active Directory.

1.2, 1.3, 1.4, 1.7

2.0 Group Policy Configuration

Manage the Group Policy processing order. Create custom administrative templates by importing

GPOs. Deploy software using Group Policy. Implement the following GPO policies:

o Securityo Accounto Fine-grained passwordo Advanced audit

Configure Group Policy preferences. Backup and restore GPOs. Delegate GPO management.

2.1, 2.2, 2.4 2.5, 2.6, 2.7 2.8, 2.9, 2.10

3.0 File Services Management

Configure FSRM quotas. Configure FSRM file screens. Implement DFS replication. Encrypt files and folders with EFS. Encrypt the server hard disk with BitLocker.

3.1, 3.2, 3.3 3.4, 3.5


4.0 DNS Configuration

Configure DNS forwarders. Create DNS delegations. Create the following types of DNS zones:

o Primary o Secondary o Stub o Reverse-lookup o Active Directory-integrated

Manage zone transfers. Manage dynamic DNS updates. Create DNS records. Configure DNS Round Robin. Configure DNS aging and scavenging.

4.2, 4.3, 4.4 4.5, 4.6

5.0 Routing and Remote Access Configuration

Configure LAN routing. Configure Network Address Translation (NAT) routing. Configure a VPN server. Create Network Policy Server (NPS) policies. Configure a RADIUS authentication solution. Implement a RADIUS proxy server. Implement Network Access Protection (NAP) by

creating the following policies: o Security Health Validator o Health o Network o Connection Request

5.1, 5.2, 5.3 5.4, 5.5, 5.6

6.0 Deployment Management

Configure a WSUS server. Control access to WSUS updates using the following:

o Computer groups o Client-side targeting

Install and configure a WDS server. Create WDS images. Control access to images. Deploy images to clients.

6.1, 6.2, 6.3

LESSON PLAN - TestOut · TestOut Server Pro: Manage and Administer – English 3.1.x . LESSON PLAN...

Documents

Transcript of LESSON PLAN - TestOut · TestOut Server Pro: Manage and Administer – English 3.1.x . LESSON PLAN...