Microsoft 70-412 Study Guide

Server 2012 Study guide for Exam 70-412


  • Microsoft 70-412 Configuring Advanced Windows Server 2012 Services

  • ABOUT THE EXAM

    The Microsoft 70-412 is part three of a series of three exams that test the skills and knowledge necessary to administer a Windows Server 2012 infrastructure in an enterprise environment. Passing this exam validates a candidate's ability to perform the advanced configuring tasks required to deploy, manage, and maintain a Windows Server 2012 infrastructure, such as fault tolerance, certificate services, and identity federation. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment. Six major topics make up the Microsoft 70-412 Certification. The topics are as follows:

      • Configure and manage high availability
      • Configure file and storage solutions
      • Implement business continuity and disaster recovery
      • Configure network services
      • Configure the Active Directory infrastructure
      • Configure identity and access solutions

    This guide will walk you through all the skills measured by the exam, as published by Microsoft.

  • OBJECTIVES

    CHAPTER 1: CONFIGURE AND MANAGE HIGH AVAILABILITY
    1.1 Configure Network Load Balancing
    1.2 Configure failover clustering
    1.3 Manage failover clustering roles
    1.4 Manage Virtual Machine (VM) movement

    CHAPTER 2: CONFIGURE FILE AND STORAGE SOLUTIONS
    2.1 Configure advanced file services
    2.2 Implement Dynamic Access Control (DAC)
    2.3 Configure and optimize storage

    CHAPTER 3: IMPLEMENT BUSINESS CONTINUITY AND DISASTER RECOVERY
    3.1 Configure and manage backups
    3.2 Recover servers
    3.3 Configure site-level fault tolerance

    CHAPTER 4: CONFIGURE NETWORK SERVICES
    4.1 Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution
    4.2 Implement an advanced DNS solution
    4.3 Deploy and manage IPAM

    CHAPTER 5: CONFIGURE THE ACTIVE DIRECTORY INFRASTRUCTURE
    5.1 Configure a forest or a domain
    5.2 Configure trusts
    5.3 Configure sites
    5.4 Manage Active Directory and SYSVOL replication

  • CHAPTER 6: CONFIGURE IDENTITY AND ACCESS SOLUTIONS
    6.1 Implement Active Directory Federation Services 2.1 (AD FS v2.1)
    6.2 Install and configure Active Directory Certificate Services (AD CS)
    6.3 Manage certificates
    6.4 Install and configure Active Directory Rights Management Services (AD RMS)

  • CHAPTER 1 CONFIGURE AND MANAGE HIGH AVAILABILITY

    1.1 CONFIGURE NETWORK LOAD BALANCING (NLB)

    Install NLB nodes
    Round Robin Load Balancing is for the DNS service. It works by cycling through the IP addresses corresponding to a server group. Hardware load balancers are dedicated to routing TCP/IP packets to various servers within a cluster. Software load balancers are usually options that come shipped with expensive server application packages. Software-based solutions usually cost less but are often application specific. Windows Server 2012 can balance load requests across the cluster; you can have a maximum of 32 computers in a cluster. To set up such a cluster, all participating hosts must stay in the same subnet.

    Configure NLB prerequisites
    NLB does not allow multicast and unicast to be mixed within a cluster. To run in unicast mode, the network adapter must allow the changing of its MAC address. Only TCP/IP can be used on the participating adapter, and the IP addresses of the participating servers must NOT be dynamic.

    Configure affinity
    Affinity is a parameter for the Multiple host filtering mode only. None means multiple connections from the same client can be processed by different cluster hosts. Single means multiple requests from the same client should be directed only to the same cluster host. Class C affinity means multiple requests from the same TCP/IP Class C address range will be directed to the same cluster host. This option is needed if your clients are using multiple proxy servers to access the cluster.

  • Configure port rules
    You use port rules to control how the cluster network traffic is handled. There are 3 different filtering modes, and you can have a maximum of 32 port rules per NLB cluster. Multiple hosts provides scaled performance and fault tolerance. Single host provides port-specific fault tolerance. Disable is for blocking all network traffic that is addressed to a specific range of ports.

    Configure cluster operation mode
    The Cluster Operation Mode is either unicast or multicast (not enabled by default). If multicast is turned on, the cluster MAC address will be converted into a multicast address, and you will be allowed to use IGMP. Internet Group Management Protocol (IGMP) support is useful for limiting switch flooding.

    Upgrade an NLB cluster
    You may upgrade an existing NLB cluster to Windows Server 2012 if you take the entire cluster offline and then upgrade all the hosts. Or you may perform a rolling upgrade, which is all about taking individual cluster hosts offline one by one. Before making the upgrade, you need to first verify that the involved applications and roles/features running on the cluster are compatible with Windows Server 2012. The target node's initial host state should be set to Stopped first. When the upgrade is complete on the host, you should first verify that the applications work fine before adding it back to the cluster.
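    The following PowerShell is an added example, not part of the study guide: it builds a two-host unicast NLB cluster, replaces the default port rule with explicit rules whose affinity matches the client population, and drains one host for a rolling upgrade. Host names, the interface name and the addresses are constructed for illustration.

```powershell
# Added example (not from the study guide): two-host unicast NLB cluster for
# HTTPS, explicit port rules, and a drain/rejoin for a rolling upgrade.
# Host names, interface name and addresses are constructed.
Import-Module NetworkLoadBalancingClusters

$primaryHost = 'WEB1'
$secondHost  = 'WEB2'
$nic         = 'Ethernet'        # TCP/IP only, static IP address
$clusterVip  = '10.0.0.100'
$subnetMask  = '255.255.255.0'

# Unicast overwrites the adapter MAC, so the driver must allow that; multicast
# (optionally with IGMP) is the alternative when the switch floods unicast.
New-NlbCluster -HostName $primaryHost -InterfaceName $nic `
    -ClusterName 'web-nlb' -ClusterPrimaryIP $clusterVip -SubnetMask $subnetMask `
    -OperationMode Unicast | Out-Null

# The second host must sit on the same subnet; at most 32 hosts per cluster.
Add-NlbClusterNode -HostName $primaryHost -InterfaceName $nic `
    -NewNodeName $secondHost -NewNodeInterface $nic | Out-Null

# The default rule spans every port; remove it so only explicit rules remain
# (a cluster allows at most 32 rules).
Get-NlbClusterPortRule -HostName $primaryHost | Remove-NlbClusterPortRule -Force

# Multiple-host rule for 443. Affinity applies to Multiple-host mode only:
#   None    - successive connections from one client may land on any host
#   Single  - one client IP always lands on the same host (session state)
#   Network - a whole Class C range sticks to one host; use when clients
#             arrive through several proxies that share an address range
Add-NlbClusterPortRule -HostName $primaryHost -StartPort 443 -EndPort 443 `
    -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null

# Disabled rule: block a port range on the cluster IP entirely.
Add-NlbClusterPortRule -HostName $primaryHost -StartPort 1024 -EndPort 65535 `
    -Protocol Both -Mode Disabled | Out-Null

Get-NlbClusterPortRule -HostName $primaryHost | Format-Table -AutoSize

# Rolling upgrade: drain existing connections from one host, upgrade and
# verify the application on it, then rejoin it to the cluster.
Stop-NlbClusterNode -HostName $secondHost -InterfaceName $nic -Drain -Timeout 60
# ... upgrade and test $secondHost here ...
Start-NlbClusterNode -HostName $secondHost -InterfaceName $nic
```

    Removing the default all-ports rule before adding explicit ones is deliberate: the default rule would otherwise overlap the new rules, and an explicit Disabled rule for unused ports keeps the cluster address from answering on them at all.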

  • 1.2 CONFIGURE FAILOVER CLUSTERING

    Configure Quorum
    The quorum configuration determines the maximum number of failures a cluster can sustain; it is always determined by the number of voting elements that are part of the active cluster membership of the cluster. A quorum witness can have an additional single quorum vote, since one quorum witness can be set up for each cluster (it may be a designated disk resource or a file share resource). There are several quorum modes. With Node majority (no witness), only nodes can have votes since there is no quorum witness configured. Node majority with witness means both nodes and the quorum witness can vote (witness vote allowed). No majority (disk witness only) means only the disk witness and no one else can have a vote. It is recommended that the voting elements in the cluster be set to an odd number. The use of a disk witness is recommended as long as all nodes can see the disk. A disk-only configuration, however, is never recommended. Vote weight allows for flexibility: the weight of each vote can be adjusted; the default is 1. Cluster configuration can be done via the Failover Cluster Manager GUI. Alternatively, you can use the Set-ClusterQuorum PowerShell cmdlet. In the case of a failover cluster, whenever it goes online the first disk that goes online together with it becomes the one to be associated with the quorum. The failover cluster executes a disk arbitration algorithm to determine ownership of that disk (and repeats this on all other disks).

    Configure cluster networking
    In Windows Server 2012, you use the Server Manager's Network Load Balancing Manager to configure NLB clustering. Through the console you can configure a new cluster and also enable logging.

    You use the cluster validation wizard to run focused tests on the planned cluster nodes to get an accurate assessment of how well failover clustering may be implemented on the proposed configuration. To begin adding hardware to a failover cluster, you first connect the hardware to the failover cluster and then run the cluster validation wizard.

  • Proper IP address configuration is necessary both at the host and cluster levels, which can all be done via the GUI.

    Restore single node or cluster configuration
    A cluster without enough quorum votes will not start. However, you can override this by forcing the cluster to start in Force Quorum mode via the Start-ClusterNode cmdlet. For a backup to be performed, the cluster must be running with a quorum. Only disks that are Online and owned by the involved cluster node can be backed up or restored. When you restore from a backup, you can choose to restore only the cluster configuration, or the disk data, or both.
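    The following PowerShell is an added example, not part of the study guide: it validates three planned nodes, creates the cluster, chooses a quorum configuration that keeps the vote count odd, adjusts one node's vote weight, and shows the Force Quorum start used when too few votes remain. Node names, the static address and the witness share are constructed; the helper function is hypothetical.

```powershell
# Added example (not from the study guide): validation, cluster creation,
# quorum selection, vote weight and forced start. Names are constructed.
Import-Module FailoverClusters

$nodes   = 'NODE1', 'NODE2', 'NODE3'
$witness = '\\FS1\ClusterWitness$'      # hypothetical file share witness

# 1. Validation report; re-run it whenever hardware is added to the cluster.
$report = Test-Cluster -Node $nodes -Include 'Inventory', 'Network', 'System Configuration'
Write-Host "Validation report: $($report.FullName)"

# 2. Create the cluster (constructed static address).
New-Cluster -Name 'CLUSTER1' -Node $nodes -StaticAddress '10.0.0.50' | Out-Null

# Helper (hypothetical): a witness is worth adding when the number of voting
# nodes is even; a disk witness is preferred when every node can see the disk.
function Get-QuorumRecommendation {
    param([int]$VotingNodes, [bool]$AllNodesSeeSharedDisk)
    if ($VotingNodes % 2 -eq 1) { return 'NodeMajority' }
    if ($AllNodesSeeSharedDisk)  { return 'NodeAndDiskMajority' }
    return 'NodeAndFileShareMajority'
}

$votingNodes = @(Get-ClusterNode | Where-Object { $_.NodeWeight -eq 1 }).Count
switch (Get-QuorumRecommendation -VotingNodes $votingNodes -AllNodesSeeSharedDisk $false) {
    'NodeMajority'             { Set-ClusterQuorum -NodeMajority }
    'NodeAndDiskMajority'      { Set-ClusterQuorum -NodeAndDiskMajority 'Cluster Disk 1' }
    'NodeAndFileShareMajority' { Set-ClusterQuorum -NodeAndFileShareMajority $witness }
}
Get-ClusterQuorum          # shows the quorum resource and type now in effect

# 3. Vote weight: stop a node in a remote site from deciding quorum (default weight is 1).
(Get-ClusterNode -Name 'NODE3').NodeWeight = 0

# 4. Recovery: with too few votes the cluster will not start. Start one node with
#    Force Quorum and bring the others up with Prevent Quorum so they cannot form
#    a competing partition. Run these only on the affected nodes during an outage.
# Start-ClusterNode -Name 'NODE1' -ForceQuorum
# Start-ClusterNode -Name 'NODE2' -PreventQuorum
```

    With three voting nodes the helper keeps Node Majority; drop one node's weight to zero as in step 3 and the count becomes even, which is when the witness modes apply.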

  • Configure cluster storage
    All components of the storage stack in a cluster setup should be identical across all the nodes inside the cluster. It is particularly important for the multipath I/O (MPIO) software and the Device Specific Module (DSM) software components to be identical. The host bus adapter (HBA), the relevant HBA drivers and the HBA firmware attached to the cluster storage should be identical as well.

    Implement Cluster-Aware Updating
    Cluster-Aware Updating (CAU) can automate the software updating process on clustered servers. It can put a node into node maintenance mode, then move the clustered roles off the node and then install the updates prior to performing a restart when needed. CAU can schedule Updating Runs to take place at regular daily, weekly, or monthly intervals. It does not work for Windows Server 2008/R2 though. You may start CAU via Server Manager, Failover Cluster Manager or the ClusterUpdateUI.exe utility.

    Upgrade a cluster
    You use the Migrate a Cluster Wizard, which makes it easy to migrate services and applications from an earlier cluster to Windows Server 2012. The wizard has a GUI for migrating the configuration settings for clustered roles. Since it does not migrate settings of the cluster and storage, you must first ensure that the new cluster is properly configured and ready for the migration process. You want to know that cluster upgrade is kind of similar between Windows Server 2008 and Windows Server 2012.

    1.3 MANAGE FAILOVER CLUSTERING ROLES

    Configure role-specific settings including continuously available shares
    Continuously Available File Shares (CAFS) involves making use of the Windows file sharing capabilities through a cluster to increase the availability of file shares. You configure this via the High Availability Wizard. For this feature to work, SMB 3.0 is required, which supports features like SMB Scale-Out, SMB Direct, and SMB Multichannel. The CAFS general use file server implementation can be used to allow a file share to be supported on a failover cluster. On the other hand, the scale-out file server implementation option is for supporting applications such as Hyper-V and Database Server, with the ultimate goal of zero downtime. Do note that the implementation has a limit of max 4 servers. Also, CAFS will not work on the Essentials or Foundation editions.

  • You may then use the New Share Wizard to determine the type of CAFS to create. SMB Share - Quick is general purpose while SMB Share - Applications is for supporting applications.

    Configure VM monitoring
    The Failover Cluster Manager allows you to monitor the health of clustered VMs. You can right-click the clustered VM and then select Configure Monitoring from the More Actions menu item. You may then select the services to monitor. Alternatively you can use Add-ClusterVMMonitoredItem to enable monitoring via PowerShell. VM monitoring does require that you have Windows Server 2012 for both the host and guest OS.

    Configure failover and preference settings
    Failover Clustering is the core Failover Clustering feature without any management tools. RSAT-Clustering-Mgmt has the Failover Cluster Manager snap-in and also the Cluster-Aware Updating interface. RSAT-Clustering-PowerShell has the relevant cmdlets plus the Cluster-Aware Updating module for PowerShell. RSAT-Clustering-AutomationServer has the deprecated Component Object Model programmatic interface, while RSAT-Clustering-CmdInterface offers the deprecated cluster.exe command-line tool. They can all be installed via the Server Manager's Add Roles and Features Wizard.

  • 1.4 MANAGE VIRTUAL MACHINE (VM) MOVEMENT

    Perform Live Migration; perform quick migration
    With Failover Cluster Manager, cluster migration can be in the form of:
      • Live migration
      • Quick migration
      • Moving a VM to another node
    You may not use live migration to move multiple VMs together at the same time. Only one live migration is allowed to take place at a time. For live and quick migration, the hardware and system settings of the involved nodes should be highly similar if not totally identical. With Live Migration, Hyper-V connects to the destination host and produces an empty VM. Then it copies the VM's memory to the new VM. The full memory contents are replicated to the destination host through the network. Shared-nothing live migration means changes made during migration are logged for applying to the VM on the destination host later. With Quick Migration, a VM is first placed in the saved state, then its memory information is transmitted to the target host for starting the VM there; the goal is minimal downtime.

  • Perform storage migration
    To migrate the storage of a running VM you need to perform storage migration. It works assuming that the involved VM is configured to use only virtual hard disks and nothing else for storage. During storage migration the involved VM can still run without downtime.

    Import, export, and copy VMs
    You can import and export VMs between different Windows Server versions. To import a VM into Windows Server 2012 and avoid trouble, it should first be exported with Windows Server 2008 R2 so that the import process can find it. HOWEVER, technically Windows Server 2012 Hyper-V can import a VM that was not previously exported by reading the raw configuration XML file. Note that:
      • You use Import-VM to import a VM (you must supply an XML configuration file as an argument).
      • You use Export-VM to export a VM (you do not need to supply the configuration file).
      • You use Get-VM to retrieve all running VMs.
      • To start or stop a VM you use Start-VM and Stop-VM respectively.
    Through the Virtual Machine Manager Administrator Console you can choose the Clone action to copy a VM via the New Virtual Machine Wizard. You may either place the virtual machine on a host or store the VM in the library. You cannot change the relevant OS settings though.

    Migrate from other platforms (P2V and V2V)
    V2V means converting a VM to a VMM Virtual Machine, while P2V means converting a Physical Server to a VM. Before performing a V2V operation, you need to first add the necessary VMware server-based virtual machine files. The .vmx file describes the properties and structure of a VM. The .vmdk file is the VMware virtual hard disk. You may use the Convert Virtual Machine Wizard to perform V2V conversion. On the other hand, to perform P2V the Virtual Machine Manager will need to install software on the physical computer for gathering the necessary information. This will be removed upon conversion completion.
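    The following PowerShell is an added example, not part of the study guide, and it serves both the VM monitoring passage in 1.3 and the migration and import/export passages above: it enables in-guest service monitoring for a clustered VM, moves it by live, quick and storage migration, and exports it and re-imports it from the configuration XML under a new VM ID. VM, node and path names are constructed.

```powershell
# Added example (not from the study guide): VM monitoring, live/quick/storage
# migration, and export/import through the configuration XML.
# VM, node and path names are constructed.
Import-Module FailoverClusters
Import-Module Hyper-V

$vm = 'APP01'

# VM monitoring (host and guest must both run Windows Server 2012): the cluster
# recovers the VM when the monitored in-guest service fails repeatedly.
Add-ClusterVMMonitoredItem -VirtualMachine $vm -Service 'Spooler'
Get-ClusterVMMonitoredItem -VirtualMachine $vm

# Live migration: memory is copied to an empty VM on the target while the
# source keeps running. Quick migration saves state first (brief downtime).
Move-ClusterVirtualMachineRole -Name $vm -Node 'NODE2' -MigrationType Live
Move-ClusterVirtualMachineRole -Name $vm -Node 'NODE1' -MigrationType Quick

# Storage migration of a running VM (VHD-backed storage only, no pass-through disks).
Move-VMStorage -VMName $vm -DestinationStoragePath 'C:\ClusterStorage\Volume2\APP01'

# Export (VM stopped), then import from the exported configuration XML with a
# new ID so the copy can coexist with the original on the same host.
$exportRoot = 'E:\Exports'
Stop-VM -Name $vm
Export-VM -Name $vm -Path $exportRoot
Start-VM -Name $vm

$config = Get-ChildItem -Path (Join-Path $exportRoot "$vm\Virtual Machines") -Filter '*.xml' |
          Select-Object -First 1
Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\APP01-copy' -VhdDestinationPath 'D:\VMs\APP01-copy\Disks'

Get-VM | Where-Object { $_.State -eq 'Running' } | Select-Object Name, State, Uptime
```

    The `-Copy -GenerateNewId` pair on Import-VM is what distinguishes a clone from a plain re-registration; without them the import reuses the original files and identity.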

  • CHAPTER 2 CONFIGURE FILE AND STORAGE SOLUTIONS

    2.1 CONFIGURE ADVANCED FILE SERVICES

    Configure NFS data store
    Services for Network File System (NFS) provides support for file sharing between Windows and UNIX:
      • UNIX-based client computers accessing resources on computers running Windows Server 2012; this is done via Server for NFS
      • Windows Server-based computers accessing resources on UNIX file servers; this is done via Client for NFS
    You use the Services for NFS GUI snap-in to manage each installed component of Services for NFS. To use it, you must be a member of the local admin group. You may also use command-line tools to achieve the same:
      • mapadmin, for administering the service.
      • nfsadmin, for managing Server for NFS and Client for NFS.
      • nfsshare, for controlling NFS shared resources.
      • nfsstat, for showing and resetting counts of calls made to Server for NFS.

    Configure BranchCache
    You may have BranchCache deployed in a domain-based or non-domain-based environment if a VPN or DirectAccess connection is available between the content servers and the branch office. There are different BranchCache modes:
      • With BranchCache in distributed cache mode, the content cache at a branch office will be distributed among client computers.
      • With BranchCache in hosted cache mode, the content cache at a branch office will be hosted on one or more server computers known as hosted cache servers.
    In any case, only one mode can be used in a branch office. BranchCache can validate contents using block hashes found in the content information. Also, to restrict cache access to the BranchCache Service, the local cache is protected by file system permissions. At the end of the day, data stored in the content cache is not encrypted.
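    The following PowerShell is an added example, not part of the study guide: it switches a branch client between the two BranchCache modes and, because cached content is not encrypted, reads back the ACL on the local cache directory so that it can be checked. The hosted cache server name is constructed, the helper function is hypothetical, and the `CacheFileDirectoryPath` property name is an assumption about the object Get-BCDataCache returns.

```powershell
# Added example (not from the study guide): choose a BranchCache client mode
# and verify the ACL that protects the unencrypted local cache.
Import-Module BranchCache

function Set-BranchClientMode {
    # Hypothetical helper: only one mode may be active in a branch office, so
    # enabling one mode replaces the other on this client.
    param(
        [ValidateSet('Distributed', 'Hosted')] [string]$Mode,
        [string]$HostedCacheServer = 'cache01.contoso.com'   # constructed name
    )
    switch ($Mode) {
        'Distributed' { Enable-BCDistributed }
        'Hosted'      { Enable-BCHostedClient -HostedCacheServer $HostedCacheServer }
    }
    Set-BCCache -Percentage 5          # cap the cache at 5% of the volume
    Get-BCStatus
}

Set-BranchClientMode -Mode Hosted

# On the hosted cache server itself (domain-joined so clients can find it via SCP):
# Enable-BCHostedServer -RegisterSCP

# Cached data is stored in the clear; what protects it is the file system ACL on
# the cache directory, so confirm that only SYSTEM and Administrators hold access.
$cachePath = (Get-BCDataCache).CacheFileDirectoryPath    # property name assumed
(Get-Acl -Path $cachePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```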

  • Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
    With the File Server Resource Manager (FSRM) it is possible to configure advanced file share settings such as security, encryption and caching. File Classification Infrastructure (FCI) is a feature that can automate the data classification processes so that you may classify files and apply policies more effectively. Keep in mind, FCI is exposed only through FSRM and nowhere else. Properties in FCI require two pieces of information, which are name and type. The possible types supported include:
      • Yes/No
      • Date
      • Number
      • Multiple Choice List and Ordered List
      • String and Multi-String
    Folder Classifier checks files within the scope of a rule. Content Classifier searches contents for certain text or patterns. You may have multiple classification rules being used together.

    Configure file access auditing
    There are audit policy settings under Security Settings\Advanced Audit Policy Configuration. In particular there are "Object Access" policy settings and audit events that allow you to track attempts to access specific objects or types of objects on a network or computer. Through these settings you may audit attempts to access a file, directory, registry key, or any other object (such as files and folders on a shared folder), assuming you have enabled the appropriate Object Access auditing subcategory for success and/or failure events. The resulting Detailed File Share setting will log an event every time a file or folder is accessed. Detailed File Share audit events cover detailed information on permissions and other relevant criteria used to grant or deny access.
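    The following PowerShell is an added example, not part of the study guide, covering both the FCI and the file access auditing passages: it defines a Yes/No classification property, attaches a content-classifier rule that tags files matching a constructed SSN-like pattern, enables the Object Access subcategories, puts a SACL on the share folder, and parses the resulting Detailed File Share events (ID 5145) into a table. The share path, property and rule names are constructed; the FSRM cmdlet parameter names are those of the FileServerResourceManager module as understood here, and the event parser is a hypothetical helper.

```powershell
# Added example (not from the study guide): FCI property and content rule,
# then Object Access auditing and a 5145 event reader. Names are constructed.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares\HR'

# 1. Property: a name plus a type (Yes/No here).
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'PII' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name 'PII' -Type YesNo `
        -Description 'File contains personal data' | Out-Null
}

# 2. Content Classifier rule scoped to the share namespace; Overwrite re-evaluates
#    files whose property was set earlier.
New-FsrmClassificationRule -Name 'Detect SSN pattern' `
    -Property 'PII' -PropertyValue 'Yes' `
    -Namespace @($sharePath) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite | Out-Null

Start-FsrmClassification           # run now instead of waiting for the schedule
Get-FsrmClassificationRule | Select-Object Name, Namespace, ClassificationMechanism

# 3. Auditing. Detailed File Share (5145) logs every share access without a
#    SACL; File System (4663) additionally needs a SACL on the folder.
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 4. Hypothetical helper: who touched which relative path with what access mask.
function Get-DetailedShareAccess {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Share      = $d['ShareName']
                Path       = $d['RelativeTargetName']
                AccessMask = $d['AccessMask']
                Source     = $d['IpAddress']
            }
        }
}
Get-DetailedShareAccess -MaxEvents 20 | Format-Table -AutoSize
```

    Detailed File Share is noisy by design (one event per access), so the parser is the part worth keeping: it turns the event's data fields into columns that can be filtered by share, path or source address before forwarding.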

    2.2 IMPLEMENT DYNAMIC ACCESS CONTROL (DAC)

    Configure user and device claim types
    Dynamic Access Control (DAC) implements claims-based access controls and authentication, which rely on a trusted identity provider to authenticate the user. This identity provider issues a token to the user as proof of identity. AD DS maintains a claims dictionary in each forest to describe how a claim may traverse a trust boundary. All claims are accordingly defined at the forest level. To use user claims, you need to have sufficient Windows Server 2012 domain controllers in place. You use Open Group Policy Management to support user claims. A device claim is another thing; it may be sourced from the device object attribute in Active Directory that has the value of the claim.

  • Implement policy changes and staging
    DAC allows you to implement central access policy. First you tag your data by marking the relevant folders, then configure a Central Access Rule to specify that only specific security groups may access the tagged data in a specific way, and then you apply a Central Access Policy to the corresponding Windows Server 2012 file servers. In fact you can create central access policies for files so as to centrally deploy and manage authorization policies. Note that a staging policy rule can be set up to monitor the effects of a new policy entry before actually enabling it.

    Perform access-denied remediation
    Access-denied Remediation allows those who encountered an Access Denied error to explain why they should be allowed access. The case is sent to the admin defined in FSRM for further review. This feature is available only if you implement SMB 3.0. In other words, it may not work with those using an earlier Windows OS.

    Configure file classification
    You may use the PowerShell classifier to classify a file automatically. You use the Enhanced content classifier to specify the minimum and maximum occurrences of a string or regular expression. You use a dynamic namespace for classification rules; you do this to specify the type of information that a folder can contain and then configure classification rules based on the type of desired information.
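    The following PowerShell is an added example, not part of the study guide, covering the claim type and the policy staging passages: it creates a user claim and a device claim, builds a central access rule whose new ACL is staged as a proposed ACL rather than enforced, wraps it in a central access policy, and enables the staging audit so that event 4818 reports where the proposed permissions would differ. Names and the department value are constructed; the claim ID is read from the created object because AD assigns it, and the SDDL conditional ACE syntax is reproduced as understood here.

```powershell
# Added example (not from the study guide): user and device claim types, a
# staged central access rule, and the staging audit. Names are constructed.
Import-Module ActiveDirectory

# User claim from the 'department' attribute; device claim from the computer
# object's 'department' attribute. -PassThru returns the object so its ID is known.
$userClaim = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user') -PassThru
New-ADClaimType -DisplayName 'DeviceDepartment' -SourceAttribute 'department' `
    -AppliesToClasses @('computer') | Out-Null

# Built-in resource property used to tag folders on the file servers.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# Rule: applies to resources tagged Finance; the proposed ACL grants full control
# to authenticated users whose Department claim is Finance. With -ProposedAcl the
# current ACL stays in force and the proposed one is only evaluated for audit.
$claimRef    = "@USER.$($userClaim.ID)"      # e.g. ad://ext/Department:<suffix>
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OWNER)(XA;;FA;;;AU;(' + $claimRef + ' == "Finance"))'
$rule = New-ADCentralAccessRule -Name 'Finance data' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -ProposedAcl $proposedAcl -PassThru

New-ADCentralAccessPolicy -Name 'Finance policy' | Out-Null
Add-ADCentralAccessPolicyMember -Identity 'Finance policy' -Members $rule

# Staging audit (Object Access > Central Access Policy Staging): event 4818 is
# written when the proposed ACL would answer differently from the current ACL.
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

# On the file server, after Group Policy has delivered the policy, bind it to
# the tagged folder (constructed path), then promote once the 4818 events look right:
# Set-Acl -Path 'D:\Shares\Finance' -CentralAccessPolicy 'Finance policy'
# Set-ADCentralAccessRule -Identity $rule -CurrentAcl $proposedAcl
```

    Staging is what makes the rollout safe: the 4818 events show every access where the proposed and current ACLs disagree, so the rule can be corrected before it is promoted to the current ACL.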

    2.3 CONFIGURE AND OPTIMIZE STORAGE

    Configure iSCSI Target and Initiator
    An initiator is a client, which could be software installed on the client operating system, or a hardware + software combo. A target is a host providing the LUN. The target system must support the iSCSI protocol and allow its local storage resources to be assigned to a LUN so that it can be made accessible through the iSCSI protocol. The LUN will never be in use by more than one initiator at any one time, except in the case of a cluster where each node must be able to access a LUN. Microsoft has a full-blown Windows-based initiator. To use this initiator the iSCSI service must first be running.

    Configure Internet Storage Name Server (iSNS)
    Internet Storage Name Service (iSNS) is a protocol for interaction between iSNS servers and clients. The clients are initiators which attempt to discover storage device targets on the network. Port 3205 is the typical iSNS Server port. Keep in mind, the MS implementation of iSNS Server only supports the discovery of iSCSI devices but not Fibre Channel devices.
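    The following PowerShell is an added example, not part of the study guide: on the target it publishes a LUN restricted to two cluster nodes' IQNs and protected with one-way CHAP; on a node it starts the Microsoft initiator service (required before any discovery), logs in persistently, and registers an iSNS server. Addresses, IQNs, names and the virtual disk path are constructed; the two halves are meant to be run on the respective machines.

```powershell
# Added example (not from the study guide): iSCSI target restricted by IQN and
# CHAP, initiator login, and iSNS registration. Names and addresses are constructed.

# --- On the target server --------------------------------------------------
Install-WindowsFeature FS-iSCSITarget-Server | Out-Null
Import-Module IscsiTarget

$vhd = 'D:\iSCSIVirtualDisks\ClusterLUN1.vhd'
New-IscsiVirtualDisk -Path $vhd -SizeBytes 50GB | Out-Null

# Only these initiators may see the target. A LUN is single-initiator except
# for cluster nodes, which all need it (the cluster arbitrates ownership).
New-IscsiServerTarget -TargetName 'ClusterTarget' -InitiatorIds @(
    'IQN:iqn.1991-05.com.microsoft:node1.contoso.com',
    'IQN:iqn.1991-05.com.microsoft:node2.contoso.com') | Out-Null

# One-way CHAP: knowing the IQN alone is not enough to log in.
$chap = Get-Credential -Message 'CHAP user name and 12-16 character secret'
Set-IscsiServerTarget -TargetName 'ClusterTarget' -EnableChap $true -Chap $chap
Add-IscsiVirtualDiskTargetMapping -TargetName 'ClusterTarget' -Path $vhd

# --- On each initiator node -------------------------------------------------
# The initiator service must be running before discovery or login.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

New-IscsiTargetPortal -TargetPortalAddress '10.0.1.20' | Out-Null
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like '*clustertarget*' }
Connect-IscsiTarget -NodeAddress $target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP -ChapUsername $chap.UserName `
    -ChapSecret $chap.GetNetworkCredential().Password | Out-Null

Get-IscsiSession | Select-Object TargetNodeAddress, IsPersistent
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' }

# iSNS registration (Windows iSNS discovers iSCSI devices only; server port 3205/tcp).
iscsicli AddiSNSServer 10.0.1.30
```

    `-IsPersistent $true` is what makes the session survive a reboot, which a cluster node needs so the shared disk is present before the cluster service starts.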

  • Implement thin provisioning and trim
    Thin provisioning and trim are features enabled by default for just-in-time allocation of storage space as well as reclaiming storage. Assuming the storage array you use complies with the certification requirements for Windows Server 2012, they would be appropriate if storage consumption is predictable, the storage volume to use can tolerate a brief outage, and storage monitoring processes are in place to watch and detect the critical thresholds. To use them properly, you should carefully plan for and predict the corresponding capacity requirements.

    Manage server free space using Features on Demand
    Features on Demand is available only in Windows Server 2012 and Win8. The goal is to be able to remove role and feature files or add roles and features remotely. For this to work there should be a side-by-side feature store available that keeps the feature files.

  • CHAPTER 3 IMPLEMENT BUSINESS CONTINUITY AND DISASTER RECOVERY

    3.1 CONFIGURE AND MANAGE BACKUPS

    Configure Windows Server backups
    Windows Server Backup is a feature that needs to be added manually. Once added, from Server Manager you can invoke the Server Backup console and its wizard for making backups. You can use it to back up a full server (which means all volumes), selected volumes, or just the system state. In fact you can create and manage backups for the local computer or a remote computer. Do keep in mind this console is not available in a Server Core installation.

    Keep in mind that the Windows Server Backup application is for restoring files and folders only. For a complete system recovery, you may want to boot up from the Windows setup disk and then choose System Image Recovery in the Advanced options screen. If your backup media has been attached properly, it should be automatically discovered.

  • Configure Windows Online backups
    Online Backup is for storing backups in Windows Azure. For this to work, in addition to adding the Windows Server Backup feature you must sign up for the service. And you must have a fast and reliable connection for this solution to be practical.

    Configure role-specific backups
    Features on Demand allows you to add or remove files that are associated with specific roles and features (they are called payload files). When files are removed, they must be added back later since the removal was not temporary. To use the feature via DISM for feature removal, this command can be used:
      DISM.exe /Online /Disable-Feature /FeatureName:<feature name> /Remove
    To use the feature via the DISM PowerShell cmdlet, do this:
      Disable-WindowsOptionalFeature -Online -FeatureName <feature name> -Remove
    If you use the Server Manager PowerShell cmdlet, follow this:
      Remove-WindowsFeature <feature name> -Remove

  • Manage VSS settings using VSSAdmin
    VSS has three major components in addition to the service itself, which are writer, requester and provider. VSS creates a shadow copy for the entire volume, NOT for an individual file. You use vssadmin add shadowstorage to add a volume shadow copy storage association. You use vssadmin create shadow to create a new volume shadow copy. You use vssadmin delete shadows to delete volume shadow copies. And you use vssadmin delete shadowstorage to delete volume shadow copy storage associations. You use vssadmin list shadows to list the existing volume shadow copies. And you use vssadmin list shadowstorage to list all the shadow copy storage associations on the system.

    Create System Restore snapshots
    VSS operates at the block level of the NTFS file system. System Restore snapshots are automatically created on a periodic basis with a Task Scheduler job or when triggered by certain events. The snapshots created allow the production of consistent backups of a volume and avoid potential file locking since they are read-only. The actual data copy process can be handled by the Windows file system.
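    The following PowerShell is an added example, not part of the study guide: it wraps the vssadmin verbs listed above in small hypothetical functions that associate shadow storage, create a read-only volume snapshot, expose it through a directory symbolic link so files can be copied without lock contention, and delete it afterwards. Drive letters, the mount path and the copied folder are constructed.

```powershell
# Added example (not from the study guide): vssadmin wrapped in functions for a
# consistent, lock-free copy from a read-only volume snapshot. Paths are constructed.

function Add-ShadowStorage {
    param([string]$For = 'C:', [string]$On = 'D:', [string]$MaxSize = '10%')
    # Storage association: where the diff area for volume $For is kept.
    vssadmin add shadowstorage /for=$For /on=$On /maxsize=$MaxSize | Out-Null
}

function New-Shadow {
    param([string]$Volume = 'C:')
    # The snapshot covers the whole volume, never a single file.
    $out = vssadmin create shadow /for=$Volume
    $id  = ($out | Select-String 'Shadow Copy ID:\s+(\{[0-9a-f-]+\})').Matches[0].Groups[1].Value
    $dev = ($out | Select-String 'Shadow Copy Volume Name:\s+(\S+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ Id = $id; Device = $dev }
}

function Mount-Shadow {
    param([string]$Device, [string]$MountPath = 'C:\snap')
    # mklink needs the trailing backslash on the device path; the link is read-only.
    cmd /c mklink /d $MountPath "$Device\" | Out-Null
}

function Remove-Shadow {
    param([string]$Id, [string]$MountPath = 'C:\snap')
    if (Test-Path $MountPath) { cmd /c rmdir $MountPath | Out-Null }
    vssadmin delete shadows /shadow=$Id /quiet | Out-Null
}

Add-ShadowStorage -For 'C:' -On 'D:'
$snap = New-Shadow -Volume 'C:'
Mount-Shadow -Device $snap.Device
# Consistent copy of files that are normally open (constructed source folder).
Copy-Item -Path 'C:\snap\inetpub\logs' -Destination 'D:\Backups\iislogs' -Recurse
Remove-Shadow -Id $snap.Id

vssadmin list shadows
vssadmin list shadowstorage
```

    The delete verbs (`vssadmin delete shadows`, `vssadmin delete shadowstorage`) are the same ones destructive malware runs to strip recovery points, so process-creation logging for vssadmin is worth keeping even where an administrator uses them routinely.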

    3.2 RECOVER SERVERS

    Restore from backups
    You can restore from a backup using the Recovery Wizard. It can restore from backups stored locally or in a remote folder.

  • Perform a Bare Metal Restore (BMR)
    Bare metal restore (BMR) involves taking a physical machine that has crashed and having it brought up on another physical machine; you are actually restoring to blank disk drives. The problem with this kind of restore is that if the hardware involved is not identical you may encounter problems. Through the Windows Server Backup GUI, when you choose Backup Once you can pick the Bare Metal Recovery option.
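    The following PowerShell is an added example, not part of the study guide, covering the Windows Server backup passage in 3.1 and the BMR passage above: it builds a backup policy that includes bare metal recovery and system state, adds a data volume, points it at a network share with a dedicated account, schedules it, runs it once, and lists the versions a restore can choose from. The share, account and times are constructed.

```powershell
# Added example (not from the study guide): Windows Server Backup policy with
# BMR and system state, scheduled to a network share. Names are constructed.
Install-WindowsFeature Windows-Server-Backup | Out-Null
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# BMR pulls in every critical volume (boot, system, volumes hosting roles);
# system state covers the registry, AD/SYSVOL on DCs, certificates, COM+ and so on.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'D:')

# A remote folder target keeps only the most recent backup; a dedicated local
# volume keeps history. Use an account that can only write to the share.
$cred   = Get-Credential -Message 'Account with write access to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\BACKUP1\SRV1$' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

Set-WBVssBackupOptions -Policy $policy -VssFullBackup      # full: truncates application logs
Set-WBSchedule -Policy $policy -Schedule ([datetime]'23:00')
Set-WBPolicy -Policy $policy                               # register the schedule
Start-WBBackup -Policy $policy                             # one-off run now

Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
wbadmin get versions
```

    Because a BMR image restores onto blank disks, the version list above is what the System Image Recovery option in the Windows setup disk's Advanced options will offer once the backup target is attached.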

    Recover servers using Windows Recovery Environment (WinRE) and safe mode
    The default Windows RE image is known as Winre.wim. All the required Windows RE configurations are automatically set after OOBE. In order to manually enter Windows RE you need to boot using a Windows setup disc or restart the server system and choose Repair Your Computer. Windows RE gives you the System Image Recovery option, allowing you to restore from a backup created by Windows Server Backup.

  • At boot-up, if you keep pressing F8 you can reach a menu which allows you to boot into Safe Mode, which gives you access to basic files and drivers. On the other hand, Safe Mode with Networking loads all these drivers plus the essential services and drivers to enable networking. Simply put, Safe Mode aims to help you diagnose problems.

    Apply System Restore snapshots
    A system restore point is a system snapshot that can be configured to take place automatically. In PowerShell you can enable the feature via Enable-ComputerRestore. To disable it you use Disable-ComputerRestore. To find out about the available restore points you use Get-ComputerRestorePoint. To add a new one you use Checkpoint-Computer. To go ahead with a restore you use Restore-Computer with the -RestorePoint option.

    Configure the Boot Configuration Data (BCD) store
    You use BCDboot to set up a system partition or repair the boot environment. On the other hand, you use BCDEdit to manage BCD stores. The Boot Configuration Data Store (BCD Store) is firmware-independent; it is simply a namespace container for boot configuration objects and elements that hold the information required to load Windows. At the physical level it is a binary file following the registry hive format. In fact it is the Windows Deployment Services PXE Provider that creates the BCD store for an image.

  • 3.3 CONFIGURE SITE-LEVEL FAULT TOLERANCE

    Configure Hyper-V Replica including Hyper-V Replica Broker and VMs
    Hyper-V Replica is a software-based asynchronous replication mechanism; you use it for replicating VMs. It involves replicating VMs to other locations, through intercepting writes to VHDs. Once Replica is enabled, a source host will maintain a Hyper-V Replica Log file (HRL) for the VHDs. A write by the VM means a write to the VHD and also a write to the HRL. With the log file replayed to the replica VHD, replication can take place every 5 minutes. There is no need to enable Hyper-V Replica on the source host. However, you will need to enable it on all the replica hosts. The first initial copy may be made using offline media or other means. Do keep in mind all hosts involved must use the same processor type. Very importantly, Hyper-V Replica will require the Failover Clustering role known as Hyper-V Replica Broker if either the primary or the replica Hyper-V server is part of a Windows Server cluster.

    Configure multi-site clustering including network settings, Quorum, and failover settings
    A failover cluster has multiple independent computers working together to improve availability. The clustered server nodes are connected physically via cables and can function in different roles such as file server, print server, mail server, and database server. If one fails, another is supposed to "pick up". All the participating servers in a cluster must be in the same domain. Also, they should have the same domain role (in fact the role of member server is preferred). There is also a common storage unit physically connected to all the participating servers. Normally you should use identical hardware for all the clustered servers. If you are using Serial Attached SCSI or Fibre Channel, all components of the storage stack should be identical in all servers.
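    The following PowerShell is an added example, not part of the study guide: it configures a replica host to accept replication only from a named primary over Kerberos, enables replication for one VM on the primary with the initial copy written to removable media, and checks replication health. Host names, ports, paths and the trust group name are constructed; the two halves run on the respective hosts.

```powershell
# Added example (not from the study guide): Hyper-V Replica with an allow-listed
# primary, offline initial copy, and a health check. Names are constructed.
Import-Module Hyper-V

# --- On the replica host (HV2) ---------------------------------------------
# Replica must be enabled on the replica side; the source host needs nothing.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -ReplicationAllowedFromAnyServer $false `
    -DefaultStorageLocation 'D:\Replica'
# Allow-list the primary instead of accepting any server; the trust group
# bounds which hosts a VM may move between without re-authorization.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HV1.contoso.com' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'SiteA'
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- On the primary host (HV1) ---------------------------------------------
Enable-VMReplication -VMName 'WEB01' -ReplicaServerName 'HV2.contoso.com' `
    -ReplicaServerPort 80 -AuthenticationType Kerberos `
    -CompressionEnabled $true -RecoveryHistory 4

# Initial copy to external media instead of the WAN; import it on HV2 with
# Import-VMInitialReplication, after which the HRL replay takes over.
Start-VMInitialReplication -VMName 'WEB01' -DestinationPath 'E:\InitialCopy'
# Start-VMInitialReplication -VMName 'WEB01'     # alternative: over the network

# --- Health, on either host --------------------------------------------------
Get-VMReplication -VMName 'WEB01' | Select-Object Name, State, Health, Mode
Measure-VMReplication -VMName 'WEB01' | Format-List
```

    Kerberos keeps the replication channel inside the domain trust; where the replica host is in an untrusted site, the HTTPS listener with certificate authentication is the alternative the same cmdlets support through `-AllowedAuthenticationType Certificate`.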

  • CHAPTER 4 CONFIGURE NETWORK SERVICES

    4.1 IMPLEMENT AN ADVANCED DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SOLUTION

    Create and configure superscopes and multicast scopes

    A DHCP scope refers to an administrative grouping of IP addresses. An administrator can first create a scope for each physical subnet, then use the scope to further define the parameters to be used by the clients. Each subnet can only have one single DHCP scope with a single continuous range of IP addresses. If you want to use multiple address ranges within a single scope then you will have to carefully configure the required exclusion ranges. With a superscope, you are trying to provide leases from more than one scope to your clients that reside in a single physical network. To create a superscope you must use DHCP Manager to define the scopes that are to be included in the superscope (they are known as member scopes). You will find this useful if you have multiple logical IP networks in a physical network, or you have clients that are about to be migrated to a new scope. If you have DHCP clients on the other side of a BOOTP relay agent with multiple logical subnets in a physical network, this superscope configuration will also work.

  • A multicast scope may be used through the Multicast Address Dynamic Client Allocation Protocol (MADCAP). This protocol allows a MADCAP server to dynamically provide IP addresses to the MADCAP clients. You want your MADCAP server to also act as a multicast server (MCS). This MCS is assigned an address. Your multicast clients need to register membership with the MCS in order to receive streams sent to this MCS address. Windows Server has the New Multicast Scope Wizard UI for creating a multicast scope.

    Implement DHCPv6
    DHCPv6 stateless mode clients may use DHCPv6 to obtain network configuration parameters separately from address configuration. IPv6 clients may configure an IPv6 address via a non-DHCPv6-based mechanism (such as IPv6 address autoconfiguration and static configuration). In contrast, DHCPv6 stateful mode allows clients to acquire both the IPv6 address and the network configuration parameters through DHCPv6 together.

    Configure high availability for DHCP including DHCP failover and split scopes
    Know the 80/20 rule for scopes. This means you should divide scope addresses between two DHCP servers, one with approximately 80% of the addresses and another with approximately 20% of the addresses. Employing multiple DHCP servers for fault tolerance and redundancy is called split-scope configuration. There is in fact a DHCP Split-Scope Configuration Wizard you can use for IPv4 scopes. DHCP failover is a feature in Windows Server 2012 that can support the use of 2 DHCP servers in a failover relationship when dealing with IPv4 scopes and subnets. Failover partners can operate in either hot standby or load sharing mode. With the former there is one active primary server and one secondary server, although only one can stay active at a time. With load sharing (the default), you have two servers working simultaneously. Such a setup is most ideal when both servers are in the same physical site.

    Configure DHCP Name Protection
    DHCP Name Protection is a feature against name squatting, which is said to take place when a non-Windows computer registers itself in DNS with a name already registered to a Windows-based computer (server name squatted by a client / server name squatted by a server / client name squatted by a client / client name squatted by a server). The feature works using the Dynamic Host Configuration Identifier (DHCID) in the DHCP server. For it to work, the DHCID RR resource record must be supported in DNS for mapping names and preventing duplicate registration.
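    The following PowerShell is an added example, not part of the study guide, covering the superscope, multicast scope, failover and name protection passages in this section: it creates two member scopes and joins them in a superscope, adds a MADCAP scope, establishes a load-balance failover relationship with a partner server (with the hot standby alternative noted), and turns on name protection server-wide. Server names, address ranges and the shared secret are constructed.

```powershell
# Added example (not from the study guide): member scopes in a superscope,
# a MADCAP scope, DHCP failover and name protection. Names/ranges are constructed.
Import-Module DhcpServer

$dhcp1 = 'DHCP1.contoso.com'
$dhcp2 = 'DHCP2.contoso.com'

# Member scopes: one contiguous range per scope; exclusions carve holes in it.
Add-DhcpServerv4Scope -ComputerName $dhcp1 -Name 'Bldg1-A' -StartRange 10.1.1.10 `
    -EndRange 10.1.1.250 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Scope -ComputerName $dhcp1 -Name 'Bldg1-B' -StartRange 10.1.2.10 `
    -EndRange 10.1.2.250 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp1 -ScopeId 10.1.1.0 `
    -StartRange 10.1.1.10 -EndRange 10.1.1.20

# Superscope: both logical networks serve clients on one physical segment.
Add-DhcpServerv4Superscope -ComputerName $dhcp1 -SuperscopeName 'Building1' `
    -ScopeId 10.1.1.0, 10.1.2.0

# MADCAP scope for multicast clients.
Add-DhcpServerv4MulticastScope -ComputerName $dhcp1 -Name 'Video' `
    -StartRange 239.10.0.1 -EndRange 239.10.0.254 -Ttl 32 -State Active

# Failover (IPv4 only). Load balance is the default mode; for hot standby use
# -ServerRole Active -ReservePercent 10 in place of -LoadBalancePercent.
# The shared secret authenticates the partner messages, so treat it as a password.
Add-DhcpServerv4Failover -ComputerName $dhcp1 -Name 'DHCP1-DHCP2' -PartnerServer $dhcp2 `
    -ScopeId 10.1.1.0, 10.1.2.0 -LoadBalancePercent 50 `
    -SharedSecret 'replace-with-a-long-random-value' `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 02:00:00

# Name protection: the server registers a DHCID record with each name so a later
# client cannot take over an existing name's DNS registration.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp1 -NameProtection $true

Get-DhcpServerv4DnsSetting -ComputerName $dhcp1
Get-DhcpServerv4Failover  -ComputerName $dhcp1 | Select-Object Name, Mode, State, ScopeId
```

    Name protection only prevents squatting when the DNS zone accepts DHCID records and dynamic updates come from the DHCP server, which is why it is a DNS setting on the DHCP server rather than a scope option.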

  • 4.2 IMPLEMENT AN ADVANCED DNS SOLUTION

    Configure security for DNS including DNSSEC, DNS Socket Pool, and cache locking
    DNSSEC refers to the group of extensions for hardening the DNS infrastructure as specified in IETF RFC 4033, 4034 and 4035. It has several new types of record, including DNSKEY, RRSIG, DS, and NSEC/NSEC3. Dynamic DNS updates can be deployed for DNSSEC-signed zones with Active Directory, and the scavenging of stale records option can be used for purging old DNSSEC records. You can enable DNSSEC via the Zone Signing Wizard. A DNS server with a socket pool is capable of deploying source port randomization; this is for protecting against DNS cache poisoning attacks. It simply allows the server to randomly pick a source port when the service starts so there is no longer a predictable source port when issuing queries. The default size of this socket pool is 2500. Cache locking means the DNS server disallows the cached records from being overwritten for the duration of the TTL value. This is done to protect against possible cache poisoning attacks. By default it has a value of 100%, meaning the cached entries will not be overwritten at all.

    Configure DNS logging
    The DNS server log can be viewed by the DNS Manager or the Event Viewer. From the Properties of the DNS Server, inside the Debug Logging tab there is a checkbox named Log Packets for Debugging. You may also use file-based logs as an advanced tactic. However, this should be treated as a temporary measure only. Keep in mind, the more you log, the more overhead is involved.

    Configure delegated administration
    You may use the New Delegation Wizard to add a new delegated domain. Zone delegation works like "dividing" your DNS namespace. You want to do this if you find the need to distribute traffic loads among multiple servers and improve DNS name resolution performance/resiliency, or you prefer to extend the namespace to accommodate the opening of a new remote branch.

    Configure recursion
    You may have your DNS server designated as a forwarder when the other DNS servers are configured to forward the queries that can't be resolved locally. You can use the DNS Manager or the dnscmd command with the /ResetForwarders option to configure such a feature.

  • You can specify that the DNS server only uses forwarders and makes no further recursion even if the forwarders fail. If you disable recursion for the DNS server, it will never perform recursion on any query.

    Configure netmask ordering
    Netmask ordering is a feature you can use to return addresses for type A DNS queries. You do this to prioritize local resources to your DNS clients (you want your clients to receive query results that are most relevant to their location). You will find this feature particularly useful if you have many type A records for the same DNS name, and each of these type A records has a different address. You may use Dnscmd /Config /LocalNetPriorityNetMask to achieve this.

    Configure a GlobalNames zone
    A special zone named GlobalNames (GNZ) can be used to provide resolution of single-label names. A GlobalNames zone can be created via the DNS Manager UI or the dnscmd command. Do note that GNZ is for aiding the retirement of WINS only. Also note that single-label name resolution of records is NOT supposed to use dynamic registration.
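    The following PowerShell is an added example, not part of the study guide, covering the DNS security, logging, recursion, netmask ordering and GlobalNames passages: a hypothetical helper reads the current socket pool size, cache locking percentage, recursion and forwarder state so the server can be audited before and after the hardening commands that follow. Zone names, forwarder addresses and the log path are constructed; the `Dword:` line format expected from `dnscmd /Info` is an assumption about its output.

```powershell
# Added example (not from the study guide): audit and set socket pool, cache
# locking, recursion/forwarders, debug logging, DNSSEC, netmask ordering and
# GlobalNames. Zone, addresses and paths are constructed.
Import-Module DnsServer

$zone       = 'contoso.com'
$forwarders = '10.0.0.53', '10.0.0.54'

function Get-DnsHardeningState {
    # Hypothetical helper. Socket pool size is read through dnscmd (output line
    # assumed to look like "Dword:  2500 (000009c4)"); the rest via DnsServer cmdlets.
    $poolLine = dnscmd /Info /SocketPoolSize | Select-String 'Dword:\s+(\d+)'
    [pscustomobject]@{
        SocketPoolSize      = [int]$poolLine.Matches[0].Groups[1].Value
        CacheLockingPercent = (Get-DnsServerCache).LockingPercent
        RecursionEnabled    = (Get-DnsServerRecursion).Enable
        Forwarders          = (Get-DnsServerForwarder).IPAddress
        UseRootHint         = (Get-DnsServerForwarder).UseRootHint
    }
}

Get-DnsHardeningState

# Socket pool: 2500 randomised source ports is the default; set it explicitly.
dnscmd /Config /SocketPoolSize 2500
# Cache locking: 100% means a cached record cannot be overwritten before its TTL expires.
Set-DnsServerCache -LockingPercent 100

# Forwarders only, with no fallback to root hints when they fail; an
# authoritative-only server can switch recursion off entirely.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false
# Set-DnsServerRecursion -Enable $false

# File-based debug logging: keep it temporary, it costs throughput.
Set-DnsServerDiagnostics -Queries $true -Answers $true -LogFilePath 'D:\DnsLogs\dns.log'

# DNSSEC: sign the zone with default key settings, then confirm DNSKEY records exist.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey | Select-Object HostName, RecordType

# Netmask ordering on the first 16 bits: A records within the client's /16 come first.
dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF

# GlobalNames zone for single-label names: static CNAMEs only, no dynamic updates.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest
Set-DnsServerGlobalNameZone -Enable $true
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias "web01.$zone"

Get-DnsHardeningState
```

    Running the helper before and after gives a before/after record of the three poisoning-related settings (socket pool, cache locking, root-hint fallback) that is easy to keep with change tickets.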

  • 4.3DEPLOYANDMANAGEIPAM

    ConfigureIPAMmanuallyorbyusingGroupPolicyYoumayhaveanIPAMserverdeployedateverysite.Ifyournetworkisreasonablysmall,youmaywanttohaveoneIPAMserverdeployedfortheentirenetwork.YoushouldinstallIPAMonaserverthathasjoinedadomain,oryouwillreceiveawarning.

    FYI,anIPAMservershouldbesetupasasinglepurposeserver.Donotcollocateothernetworkinfrastructurerolesonthesameserver!EachIPAMservercansupportmax150DHCPserversand500DNSservers.ExternaldatabasesandnonMSimplementationsarenotsupported.Provisioning is theprocess thatyoumustgo through for the infrastructure servers tobemanaged.You chooseaprovisioningmethod through the IPAM consoleoverview (this ishowyou launch theProvision IPAMwizard).Themanualprovisioningmethodisusuallynotpreferredduetoconcernoncomplexity.TheGroupPolicybasedmethodislesspronetoerrorssinceGPOsareautomaticallyappliedtotheinfrastructureserversoncetheyareassignedastatusofmanagedviatheIPAMconsole.ConfigureserverdiscoveryServerdiscovery involvesdefiningthescopeofdiscoverypriortoactuallydiscoveringtheservers. IPAMusesADtodefine thescopeofservers thatare tobemanaged.Tobegindiscoveringserversyou firstsetascopeby invokingConfigureserverdiscoveryfromwithintheIPAMclientconsole.Youneedtochooseadomaintodiscover(thisisthescope).Toactuallydiscoverserverroles,youclickStartserverdiscoverytocalluptheIPAMServerDiscoverytask.CreateandmanageIPblocksandrangesYouneedtoknowthebasicconceptshere.IPaddressblocksrefertothelargechunksofIPaddressesfororganizingaddressspaceatahigher level.IPaddressrangesaresmallerchunksofaddressesthatcorrespondtoDHCPscopes.IndividualIPaddressesarethesmallestunitstheymaptoasingleIPaddressrange.Thegoalofalltheseistoallowamorestructuralwayofmanagingtheoveralladdressspaceandvisualization.

  • Detailed IP address tracking and utilization data is available; IPv4 and IPv6 address spaces are organized into IP address blocks, IP address ranges, and individual IP addresses. You may further organize IP address space into hierarchical, logical groups.

    Monitor utilization of IP address space
    A single IPAM server can support a maximum of 6000 DHCP scopes and 150 DNS zones. Do remember, IP address utilization trends are IPv4 only. In fact, IPAM can automatically collect the dynamic address scopes together with their utilization statistics from the DHCP servers being managed. Through IPAM you can even create, duplicate, edit, or delete DHCP scopes directly without going through the DHCP console.

    Migrate to IPAM
    To be managed and monitored by IPAM, the security settings and firewall ports on a Windows server must be configured to allow the IPAM server to access it. This can be done manually or via GPOs.

    Delegate IPAM administration
    The IPAM setup creates several local security groups to isolate and restrict the relevant permissions. IPAM Users can view information in server discovery, address space configuration, and server management. They can also view IPAM and DHCP server operational events but not the address tracking information. IPAM MSM Administrators can also perform common management tasks and server management tasks. IPAM ASM Administrators can additionally perform IP address space tasks. IPAM IP Audit Administrators can in particular view and track the important IP address tracking information. IPAM Administrators can do everything in IPAM.

    Manage IPAM collections
    IPAM has a number of scheduled data collection tasks. They are self-explanatory:
      Address Expiry
      Address Utilization
      Audit
      Server Availability
      Server Configuration
      Server Discovery
      Service Monitoring

  • Keep in mind, the information kept in the IPAM database is regularly updated with input from these data collection tasks, although the database can also be manually modified by you, the administrator.
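The IPAM workflow described in 4.3 (GPO provisioning, server discovery, marking a server as managed, building the block/subnet/range hierarchy, and delegating through the local IPAM groups) in PowerShell, as an added example that is not part of the study guide. It assumes domain contoso.com, IPAM server ipam01.contoso.com, DHCP server dhcp01.contoso.com, two delegation groups, and the IpamServer module cmdlets of Windows Server 2012 R2 or later (2012 RTM ships only the GPO provisioning cmdlet; the other steps are then done in the IPAM console).

```powershell
# Added example (not from the study guide). Assumed names: domain contoso.com,
# IPAM server ipam01.contoso.com, DHCP server dhcp01.contoso.com, AD groups
# CONTOSO\IPAM-AddressAdmins and CONTOSO\IPAM-Auditors. Run on the IPAM server
# as a domain administrator.
Import-Module IpamServer

# 1. Provisioning via Group Policy. Creates the GPOs IPAM_DHCP, IPAM_DNS and
#    IPAM_DC_NPS, which open the required firewall ports and grant the IPAM server
#    access. They apply only to servers later marked "Managed" (security filtering).
Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM `
    -IpamServerFqdn ipam01.contoso.com -Force

# 2. Discovery scope: one domain, all three role types (DC, DNS, DHCP).
Add-IpamDiscoveryDomain -Name contoso.com -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true

# Run the ServerDiscovery collection now rather than waiting for its schedule.
# Assumption: the IPAM collection tasks live under \Microsoft\Windows\IPAM\ and
# carry the same names as the collections listed in the guide.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# 3. Mark a discovered server as managed; the provisioning GPOs then apply to it.
Set-IpamServerInventory -Name dhcp01.contoso.com -ManageabilityStatus Managed

# 4. Address space hierarchy: block (large chunk) -> subnet -> range (DHCP scope sized).
Add-IpamBlock  -NetworkId 10.0.0.0/8  -StartIPAddress 10.0.0.0  -EndIPAddress 10.255.255.255
Add-IpamSubnet -NetworkId 10.1.0.0/24 -Name 'Branch1-LAN'
Add-IpamRange  -NetworkId 10.1.0.0/24 -StartIPAddress 10.1.0.10 -EndIPAddress 10.1.0.200 `
    -ManagedByService IPAM -ServiceInstance Localhost -Description 'Branch1 client pool'

# 5. Delegation through the local groups IPAM setup created. Least privilege:
#    address-space operators get ASM, auditors get IP Audit; nobody is added to
#    IPAM Administrators for day-to-day work.
net localgroup "IPAM ASM Administrators"      CONTOSO\IPAM-AddressAdmins /add
net localgroup "IPAM IP Audit Administrators" CONTOSO\IPAM-Auditors      /add

# Verify: every managed server should report IPAM access as Unblocked once the
# GPOs have applied (gpupdate /force on the target speeds this up).
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus, IpamAccessStatus
Get-IpamRange -AddressFamily IPv4 | Select-Object NetworkId, StartAddress, EndAddress, PercentageUtilized
```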

  • CHAPTER 5 CONFIGURE THE ACTIVE DIRECTORY INFRASTRUCTURE

    5.1 CONFIGURE A FOREST OR A DOMAIN

    Implement multi-domain and multi-forest Active Directory environments including interoperability with previous versions of Active Directory
    When the first Windows Server 2012 based Domain Controller is introduced, the forest will operate by default at the lowest functional level that is possible, which is Windows 2003, so that you may take advantage of the default Active Directory features while accommodating older versions of Windows Server. Windows Server 2012 requires at least a Windows Server 2003 forest functional level. Before you can add domain controllers that run Windows Server 2012 to the forest, the existing forest functional level must be at least Windows Server 2003.

    Upgrade existing domains and forests including environment preparation and functional levels
    You need to install the Active Directory Domain Services (AD DS) role on a server to allow it to act as a Domain Controller. After this you need to promote the server to a domain controller. You do NOT use the dcpromo command anymore. When you raise the forest functional level, newer advanced features can become available at the expense of compatibility. After you raise the domain functional level, domain controllers running earlier operating systems will not be able to participate in the domain anymore. Keep in mind, rollback or lowering of the level is highly difficult! Also, you cannot set the domain functional level to a value lower than the forest functional level.

    Configure multiple user principal name (UPN) suffixes
    You can use the AD Domains and Trusts UI to add new user principal name (UPN) suffixes. By default the UPN suffix for a user account is the DNS name of the domain that holds the user account. It is possible to add other UPN suffixes for simplifying administration and user logons (technically you can provide one single UPN suffix for all users). Do remember, a UPN suffix is only useful in AD; it is not meant to be part of any formal DNS domain name.
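The 5.1 procedure (check the forest level prerequisite, promote a 2012 domain controller without dcpromo, raise the domain level only after confirming no older DC would be locked out, then add a UPN suffix) as an added PowerShell example that is not part of the study guide. The domain contoso.com, the suffix corp.example and the user jdoe are assumed values.

```powershell
# Added example (not from the study guide). Assumes an existing forest contoso.com,
# the ActiveDirectory and ADDSDeployment modules (Windows Server 2012), and that the
# operator is a member of Enterprise Admins.
Import-Module ActiveDirectory

# 1. Prerequisite check: a 2012 DC needs a forest functional level of at least
#    Windows Server 2003. Fail early instead of halfway through the promotion.
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2003Forest first."
}

# 2. Install the AD DS role and promote the server (replaces dcpromo). DSRM password
#    is prompted for; the server reboots at the end of the promotion.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName contoso.com -InstallDns `
    -Credential (Get-Credential 'CONTOSO\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# 3. Raising the domain level excludes DCs on older operating systems, and it cannot
#    be rolled back easily, so list any such DC before touching the level. Raise the
#    domain first: the forest level can never be higher than its lowest domain level.
function Get-DcBelow2012 {
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2012' } |
        Select-Object HostName, OperatingSystem, Site
}
$blocking = Get-DcBelow2012
if ($blocking) {
    Write-Warning 'These DCs would stop participating at the Windows Server 2012 domain level:'
    $blocking | Format-Table -AutoSize
} else {
    Set-ADDomainMode -Identity contoso.com -DomainMode Windows2012Domain
    Set-ADForestMode -Identity contoso.com -ForestMode Windows2012Forest
}

# 4. Alternate UPN suffix (the same change as AD Domains and Trusts > Properties),
#    then assign it to a user. The suffix need not be a real DNS domain.
Set-ADForest -Identity contoso.com -UPNSuffixes @{Add = 'corp.example'}
Set-ADUser -Identity jdoe -UserPrincipalName 'jdoe@corp.example'

# Verify.
Get-ADForest | Select-Object ForestMode, UPNSuffixes
Get-ADDomain | Select-Object DomainMode
Get-ADUser -Identity jdoe | Select-Object UserPrincipalName
```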

  • 5.2 CONFIGURE TRUSTS

    Configure external, forest, shortcut, and realm trusts
    The tools that you can use to create and manage trusts are Active Directory Domains and Trusts (i.e. Domain.msc) and Netdom.exe. Nltest is for testing your secure channels. Netdiag is for testing the network health. Dcdiag is for testing the domain controller health. Communication between different domains has to take place through trusts, which are authentication pipelines. The necessary default trusts are created when you use the Active Directory Installation Wizard. You may also use the Netdom command-line tool to create new trusts by hand. You want to create external trusts for providing access to resources located in a Windows NT 4.0 domain. You also want to make use of forest trusts to share resources between forests. Shortcut trusts are for improving user logon times between two different domains. A realm trust is for establishing communication between a non-Windows Kerberos V5 realm and a Windows based domain. Simply put, it provides cross-platform interoperability with security services running other Kerberos V5 versions.

    Configure trust authentication
    Kerberos is the default in Windows, so there are no prerequisites at all for implementing Kerberos based authentication. You can set the various Kerberos security policy parameters via the Group Policy snap-in. Keep in mind, with Kerberos authentication transparent transitive trust is used among the domains inside a forest. It does not authenticate between domains in different forests though. In order to use a resource in another forest, the user has to provide credentials for formally logging on to a domain in that particular forest. The integrity of communications that take place along inter-forest trusts can be protected via SID filtering and selective authentication. The former can be used to stop a malicious user with admin credentials in a trusted forest from taking control over the trusting forest. The latter can restrict the quantity of authentication requests allowed to pass through an inter-forest trust.

    Configure SID filtering
    SID filtering may be set on all trusts. You want to know that SID history allows for legitimate uses; it is just that there is a security threat when it is used to exploit an unprotected trust: a malicious user who has admin credentials may manipulate the SID history attribute of a security principal in the trusted forest to gain full access to the trusting forest! SID filtering works by verifying the incoming authentication request made by a security principal in the trusted domain to make sure it contains only SIDs of security principals that originated from the trusted domain. A SID filter quarantine is even stricter: when it is applied to a trusted domain, only those SIDs from the trusted domain itself can traverse the trust relationship.

  • Configure name suffix routing
    Name suffix routing is for managing the way authentication requests are routed across forests joined by forest trusts. Whenever a forest trust is created, by default all the unique name suffixes are routed. A unique name suffix is not subordinate to any other name suffix. All names that are subordinate to a unique name suffix are implicitly routed. If you have a need to selectively exclude members of a child domain from authenticating in a pre-specified forest, you may consider disabling name suffix routing for the corresponding name. You may even disable routing entirely for the forest name itself!
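An audit of the trust protections discussed in 5.2 (SID filtering, quarantine, selective authentication, secure channel health) followed by the netdom commands that turn them on and adjust name suffix routing, as an added example that is not part of the study guide. The trusting domain contoso.com, the trusted domain fabrikam.com and the admin account are assumed values; the `Get-TrustAudit` function is written for this example.

```powershell
# Added example (not from the study guide). Run on a DC or RSAT host in the trusting
# domain contoso.com; fabrikam.com is an assumed trusted domain.
Import-Module ActiveDirectory

# Summarize every trust the local domain has. Example-only helper function.
function Get-TrustAudit {
    Get-ADTrust -Filter * | ForEach-Object {
        # nltest /sc_verify checks the secure channel; only meaningful for trusts
        # where this domain authenticates against the other side (outbound/bidirectional).
        $sc = nltest "/sc_verify:$($_.Name)" 2>&1
        [pscustomobject]@{
            Trust               = $_.Name
            Direction           = $_.Direction              # Inbound / Outbound / BiDirectional
            ForestTransitive    = $_.ForestTransitive       # $true = forest trust
            SidFilterQuarantine = $_.SIDFilteringQuarantined # external trusts: quarantine on?
            SidFilterForest     = $_.SIDFilteringForestAware # forest trusts: SID filtering on?
            SelectiveAuth       = $_.SelectiveAuthentication
            ChannelOk           = [bool]($sc -match 'The command completed successfully')
        }
    }
}

# Anything with SID filtering off on an inbound trust deserves a closer look.
Get-TrustAudit | Format-Table -AutoSize

# --- External trust hardening (run from the trusting side) ---
# Quarantine: only SIDs from fabrikam.com itself are accepted; sIDHistory from
# anywhere else is stripped. /usero and /passwordo supply credentials for the
# trusted domain; '*' prompts for the password instead of putting it on the command line.
netdom trust contoso.com /domain:fabrikam.com /quarantine:Yes /usero:admin@fabrikam.com /passwordo:*

# Selective authentication: only principals explicitly granted "Allowed to Authenticate"
# on a resource computer can authenticate across the trust.
netdom trust contoso.com /domain:fabrikam.com /selectiveauth:Yes

# --- Forest trust equivalents ---
# On a forest trust the SID filtering switch is /enablesidhistory (No = filtering on).
# netdom trust contoso.com /domain:fabrikam.com /enablesidhistory:No

# Name suffix routing: list the suffixes fabrikam.com offers with their index numbers,
# then toggle one off (the index comes from the list output; 2 is an assumed value).
netdom trust contoso.com /domain:fabrikam.com /namesuffixes:fabrikam.com
# netdom trust contoso.com /domain:fabrikam.com /togglesuffix:2

# Re-run the audit to confirm the flags changed.
Get-TrustAudit | Where-Object Trust -eq 'fabrikam.com' | Format-List
```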

    5.3 CONFIGURE SITES

    Configure sites and subnets
    A site topology serves as a logical representation of the physical network. Designing a site topology involves planning for domain controller placement as well as designing site links and site link bridges to ensure efficient routing of query and replication traffic. You will also need to plan the creation of subnet objects for representing all IP addresses within a site. Subnet objects can be created in AD via the AD Sites and Services UI. These objects serve as the logical representation of your physical subnets. You pick a site object for each subnet object you create; in other words, a site is actually defined by the subnets applied to it. Note that all subnet names in AD take the form of network/bits masked. It makes sense for each physical location to be represented by a site. For every location with a site you need to plan to create site objects and associate subnets with these sites. You should also plan to create subnet objects that represent all IP addresses within the site. In the case that you have several networks connected with fast and reliable WAN links, you may include all of the subnets in one single site.

    Create and configure site links
    To connect your sites you need to use site links. You should first identify the sites that you want to connect with the site link, then create a site link object in the respective Inter-Site Transports container, and then give the site link a name before setting the site link properties. Each link object is for representing an actual WAN link, and you may assign cost values to different site links to favor certain connections over the others. When measuring logon performance requirements over the WAN link, you should consider factors such as link speed and available bandwidth, number of users and patterns of use, and the estimated amount of network traffic. Having too many domain controllers in a location may push up support costs and produce excessive replication traffic.

  • Manage site coverage
    Talking about Automatic Site Coverage, by default each domain controller will perform a check on all sites in the forest and then examine the replication cost matrix. A domain controller will try to advertise itself in sites that do not have a domain controller in them, such that every site can have a domain controller defined by default. Therefore, in theory the domain controllers published in DNS are those that come from the closest site (as judged by examining the replication topology). Automatic site coverage can calculate and determine the way in which a site covers another that has no domain controller in it. Do remember, site coverage is ALWAYS determined by site link costs (domain controllers will accordingly register themselves in sites).

    Manage registration of SRV records
    Windows based domain controllers always register DNS records that indicate the site they belong to. Whenever DNS is used, a Locator will first search for a site-specific DNS record before looking for non-site-specific records. The IP/DNS-compatible Locator is used when the domain name is DNS compatible. The Windows NT 4.0 compatible Locator is used if the domain name is a NetBIOS name. A client computer may or may not be located physically in the site associated with its address. A domain controller will need to use site information to check the IP address of the client computer against a list of subnets of the same forest. Because the relevant Configuration container is replicated to all domain controllers, any domain controller in the same forest can identify the site where a client resides. You need to know that during the registration of SRV records in DNS, it is the Site Coverage Algorithm that is used to determine which domain controllers can register site SRV records that designate them as the preferred domain controllers for sites that are not represented by any specific domain controller.

    Move domain controllers between sites
    Domain controller placement is important, as the Locator relies on site information to inform clients about the domain controllers present within the site closest to the clients. Generally you should place forest root domain controllers primarily in hub locations or at locations that host use-intensive data centers. You should also consider placing regional domain controllers for each domain represented in each hub location.
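The 5.3 procedure (sites, subnets, a site link with cost, interval and schedule, and moving a domain controller into the new site) built with the ActiveDirectory module, as an added example that is not part of the study guide. The site names HQ and Branch1, the subnets 10.0.0.0/16 and 10.1.0.0/24, and the DC name DC02 are assumed values.

```powershell
# Added example (not from the study guide). Assumes a forest contoso.com, an
# existing DC named DC02, and the ActiveDirectory module (Windows Server 2012).
Import-Module ActiveDirectory

# 1. One site per physical location.
New-ADReplicationSite -Name HQ
New-ADReplicationSite -Name Branch1

# 2. Subnets in network/bits form. Site membership of clients and DCs is decided by
#    these objects, so every address range in use must be covered by exactly one.
New-ADReplicationSubnet -Name 10.0.0.0/16 -Site HQ
New-ADReplicationSubnet -Name 10.1.0.0/24 -Site Branch1

# 3. Replication schedule for the slow WAN link, in the site's local time:
#    allowed 20:00-23:45 and 00:00-05:45 only. (ActiveDirectorySchedule works in
#    15-minute slots; SetDailySchedule marks the given window on every weekday.)
$H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$sched.ResetSchedule()                                   # start with "never"
$sched.SetDailySchedule($H::Twenty, $M::Zero, $H::TwentyThree, $M::FortyFive)
$sched.SetDailySchedule($H::Zero,   $M::Zero, $H::Five,        $M::FortyFive)

# 4. Site link = the WAN link. Cost 50 beats DEFAULTIPSITELINK's cost of 100, so the
#    KCC prefers this path; a 30-minute interval applies inside the allowed windows.
New-ADReplicationSiteLink -Name 'HQ-Branch1' -SitesIncluded HQ, Branch1 -Cost 50 `
    -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP `
    -ReplicationSchedule $sched

# 5. Move a DC into the branch site. It re-registers its site-specific SRV records
#    in DNS and the KCC rebuilds connection objects on the next run.
Move-ADDirectoryServer -Identity DC02 -Site Branch1

# Verify: site link properties, DC placement, and the replication partners the KCC built.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADDomainController -Filter * | Select-Object HostName, Site
repadmin /showrepl DC02
```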

    5.4 MANAGE ACTIVE DIRECTORY AND SYSVOL REPLICATION

    Configure replication to Read Only Domain Controllers (RODCs)
    A RODC (Read Only DC) is simply an additional domain controller that hosts read-only partitions of the Active Directory database. It is primarily for use in a branch office with a poor WAN link. Since it can keep cached credentials, faster logon can be made possible.

  • Note that a RODC can only replicate from a writable Windows Server domain controller. You may trigger replication to a RODC via repadmin /replicate or repadmin /syncall. Management of a RODC can be performed remotely via the Remote Server Administration Tools (RSAT) or the Windows Remote Shell (WinRS).

    Configure Password Replication Policy (PRP) for RODCs
    You may configure the Password Replication Policy (PRP) via the AD Users and Computers MMC snap-in or the repadmin command. You may also view the cached passwords on a RODC via these tools. Keep in mind, RODCs of the same domain in the same site cannot share cached credentials.

    Monitor and manage replication
    When you have multiple sites configured, inter-site replication will progress via DEFAULTIPSITELINK, which uses a mesh topology that is reliable but relatively bandwidth demanding. You may control site link availability by setting a schedule for site links. Do remember, the time settings in the site link schedules conform only to the local time of the site. You also need to set the site link replication interval property to indicate how frequently you want replication to take place during the times when the schedule allows replication. A small interval can reduce latency at the expense of WAN traffic. Generally, low latency is preferred unless your WAN link is slow.

    Upgrade SYSVOL replication to Distributed File System Replication (DFSR)
    SYSVOL replication relies on the File Replication Service (FRS) or the Distributed File System Replication (DFSR) service to replicate changes, and they both replicate according to the schedule created during site topology design. The DFSR service is a newer and more efficient multi-master replication engine which works over RPC to replicate a folder scope defined by the replicated folder path. It caches configuration information stored in XML files. The possible configuration modes are WMI based and Active Directory based. It is said that DFSR is more secure due to its use of Active Directory security and WMI security.
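The RODC and replication tasks of 5.4 (a restrictive Password Replication Policy, inspecting what a RODC has cached, forcing replication to it, and advancing the FRS-to-DFSR migration of SYSVOL one state at a time) as an added example that is not part of the study guide. RODC1, the writable DC01, the group "Branch1 Users" and the user DN are assumed values.

```powershell
# Added example (not from the study guide). Assumes domain contoso.com, writable DC
# DC01, RODC RODC1, an AD group 'Branch1 Users', and the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. PRP: cache credentials only for branch users. Privileged groups are on the
#    default Denied list already; adding Domain Admins explicitly documents the intent
#    that a stolen or compromised RODC must never yield administrative credentials.
Set-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -AllowedList 'Branch1 Users'
Set-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -DeniedList 'Domain Admins'

# Effective policy and what the RODC currently holds. Anything in RevealedAccounts
# that is not a branch user or the RODC's own accounts is a finding.
Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC1 -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# 2. Pre-populate a password for a user about to work from the branch (the same action
#    as the "Prepopulate passwords" button in AD Users and Computers).
repadmin /rodcpwdrepl RODC1 DC01 "CN=Jane Doe,OU=Branch1,DC=contoso,DC=com"

# 3. Force replication of the domain partition from the writable DC01 to RODC1 ...
repadmin /replicate RODC1 DC01 "DC=contoso,DC=com"
# ... and check replication health for every DC (failures and largest delta).
repadmin /replsummary

# 4. SYSVOL migration FRS -> DFSR runs through the global states
#    0 Start -> 1 Prepared -> 2 Redirected -> 3 Eliminated. Advance one state, then
#    poll /getmigrationstate until every DC reports the new state before continuing;
#    state 3 removes FRS, so it is the only step that cannot be rolled back.
dfsrmig /getglobalstate
dfsrmig /setglobalstate 1
dfsrmig /getmigrationstate   # repeat until "All domain controllers have migrated successfully"
```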

  • CHAPTER 6 CONFIGURE IDENTITY AND ACCESS SOLUTIONS

    6.1 IMPLEMENT ACTIVE DIRECTORY FEDERATION SERVICES 2.1 (AD FS V2.1)

    Implement claims-based authentication including Relying Party Trusts
    Active Directory Federation Services (AD FS) is the role that provides a Web based single sign-on mechanism for authenticating a user to multiple Web applications within a single session. Its Web Agent is a role service that creates an AD FS enabled Web server. An AD FS enabled Web server can authenticate and authorize federated access to locally hosted Web applications. A federation server authenticates and routes requests from user accounts outside of the internal network. A federation server proxy provides intermediary proxy services between an Internet client and a federation server behind the firewall. A federation partner is trusted by the Federation Service to provide security tokens to its users. A resource partner is a federation partner that trusts the Federation Service to issue claims-based security tokens. A resource federation server refers to the federation server that resides in the resource partner organization. You may set up federation trust relationships between two partner organizations. Do realize that federation trusts do not involve any direct communication over the network between the account Federation Service and the resource Federation Service.

    Configure Claims Provider Trust rules
    Claims are statements used primarily for authorizing access to claims-based applications, while a claim type is for providing context for the claim value. A claim rule is for representing an instance of business logic that will take incoming claims, apply conditions to these claims and accordingly produce outgoing claims. Through AD FS you define the claims that are to be exchanged between federated partners. You may add a new claims provider trust via the AD FS Management snap-in. With this wizard there are options to use the WS-Federation Passive protocol and the SAML 2.0 WebSSO protocol. Alternatively you may use the AD FS Management snap-in to automatically import configuration data from the federation metadata that your partner has published.
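A relying party trust with issuance transform rules and an issuance authorization rule written in the claim rule language, plus a claims provider trust imported from a partner's federation metadata, as an added example that is not part of the study guide. It assumes the AD FS 2.1 snap-in of Windows Server 2012 (AD FS on 2012 R2 uses the ADFS module instead), an application at https://app.contoso.com/, a partner at fs.fabrikam.com, and a placeholder group SID.

```powershell
# Added example (not from the study guide). Assumed: AD FS 2.1 on Windows Server 2012,
# claims-aware app https://app.contoso.com/, partner federation service fs.fabrikam.com.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0/2.1
Import-Module ADFS -ErrorAction SilentlyContinue                        # AD FS 2012 R2+

# Claim rule language: each rule is  [condition] => issue(...);
# Issuance transform rules turn the incoming Windows identity into outgoing claims.
$transformRules = @'
@RuleName = "LDAP attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Group membership to role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<placeholder-domain>-1105"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "AppUsers");
'@

# Issuance authorization rule: a token is issued only to holders of the role claim.
# Without this, the wizard's default "Permit all" rule lets every authenticated user in.
$authzRules = @'
@RuleName = "Permit AppUsers only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "AppUsers"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Relying party trust for the application (WS-Federation passive endpoint).
Add-ADFSRelyingPartyTrust -Name 'Contoso App' -Identifier 'https://app.contoso.com/' `
    -WSFedEndpoint 'https://app.contoso.com/' `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Claims provider trust built from the partner's published federation metadata (the
# automatic-import path); monitoring keeps the partner's signing certificates current.
Add-ADFSClaimsProviderTrust -Name 'Fabrikam' `
    -MetadataUrl 'https://fs.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Verify both trusts exist and are enabled.
Get-ADFSRelyingPartyTrust  -Name 'Contoso App' | Select-Object Name, Identifier, Enabled
Get-ADFSClaimsProviderTrust -Name 'Fabrikam'   | Select-Object Name, Identifier, Enabled
```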

  • Configure attribute stores including Active Directory Lightweight Directory Services (AD LDS)
    An organization may host an AD FS secured application in a perimeter network that maintains a separate store of customer accounts in the perimeter network. This arrangement allows you to more easily isolate customer accounts from employee accounts. You can accordingly manage the local accounts for customers in the perimeter network via AD DS or AD Lightweight Directory Services as the account store. Note that AD LDS is LDAP based; it offers flexible support for directory-enabled applications. You can run it on member servers or even standalone server computers. AD LDS has its own server role. However, it can run concurrently with AD DS in the same network.

    Manage AD FS certificates
    A federation server must possess at least a server authentication certificate and a token-signing certificate before it is allowed to take part in AD FS communications. The trust policy will also require a verification certificate, which is in fact the public key portion of the token-signing certificate. The server authentication certificate is SSL based; you use it to secure web services traffic with your clients and proxy. It may be installed via the IIS snap-in. The token-signing certificate is for signing all the security tokens the server produces. The verification certificate is for verifying that a security token was in fact issued by a valid federation server. It is in fact the token-signing certificate of another federation server. On the other hand, a server that runs the Federation Service Proxy role service needs to have an SSL client authentication certificate and also a server authentication certificate.

    Configure AD FS proxy
    An account federation server is the server located in the corporate network of your partner organization. It is the server that issues security tokens to users. On the other hand, an account federation server proxy is located in the perimeter network of the partner organization. It can collect authentication credentials from web browser clients that log on over the Internet. Using a federation server proxy can provide additional security layers to your AD FS deployment since it isolates AD FS from the outside world. When you place a federation server proxy in the perimeter network of the account partner, it collects user credential information. If you place it in the perimeter network of your resource partner, it relays security token requests to the resource federation server and accordingly produces the necessary organizational security tokens. You may create it via the AD FS Federation Server Proxy Configuration Wizard GUI or Fsconfig.exe.

    Integrate with cloud services
    You want to know that AD FS 2.0 supports Security Assertion Markup Language (SAML) 2.0, which is essential in providing interoperability with cloud services. It is also known that you may use Dirsync and AD FS to synchronize your local AD users with the cloud based Office 365 and then configure AD FS to implement single sign-on accordingly.

  • 6.2 INSTALL AND CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES (AD CS)

    Install an Enterprise Certificate Authority (CA)
    A Certificate Authority (CA) generates and validates digital certificates. It typically adds its own signature to the public key of the client so as to indicate that the public key is valid if you trust this CA. From Server Manager you need to use the Add Roles Wizard to add Active Directory Certificate Services by hand. You need to determine the type of CA you prefer. A standalone CA does not require the use of AD. If you choose to use an Enterprise CA, it means the CA is AD integrated, so all the manual tasks become automatic UNLESS you are serving people who do not belong to AD.

    Enterprise CAs can only issue certificates to members of the AD forest. Certificate templates, which define the format and content of the certificates, can only be used with enterprise CAs.

    Configure CRL distribution points
    When outstanding certificates issued by this CA are revoked, a Certificate Revocation List (CRL) should be published to reflect the change. You use the Certification Authority MMC snap-in to add or change CRL distribution points, which are paths represented as attributes on an issued certificate. You can also fine tune the relationship between a full CRL and a delta CRL (which holds a list of all the certificates revoked since the last time a full CRL was made) by specifying an overlap period between them. This overlap period specifies the amount of time at the end of a CRL's lifetime that a certificate client may still use for obtaining a new CRL before the old one stops working.

  • Install and configure Online Responder
    The Online Responder service may be used to implement the Online Certificate Status Protocol (OCSP). This service works by decoding revocation status requests for specific certificates and performing the evaluation accordingly. In fact you may use it as an alternative to, or an extension of, CRLs for providing certificate revocation data to your clients. Keep in mind, for an OCSP responder to function correctly there must be a valid Response Signing certificate (even if you are not using a Microsoft OCSP responder). In addition to configuring the certificate templates and issuance properties for the OCSP Response Signing certificates (which may be done via the Certificate Templates snap-in), the location of the OCSP responder must be added to the authority information access extension on the CA. And you must enable the OCSP Response Signing certificate template for this CA.

    Implement administrative role separation
    Administrator Role Separation (ARS) can be configured for a user who is not a domain admin. The goal is to allow some local admin tasks to be delegated.

    Configure CA backup and recovery
    You should regularly back up the certification authority database, the CA certificate, and the CA keys, with the frequency chosen in consideration of the number of certificates issued. The more certificates you issue, the more frequently the CA should be backed up. When you log in as a CA administrator or a member of the Backup Operators group, you can back up a CA via the Certification Authority snap-in. From its Action menu there is a task known as Back Up CA. On the other hand, there is an action known as Restore CA for calling up the Certification Authority Restore Wizard.
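The 6.2 CA configuration tasks (CRL distribution points, the OCSP location in the AIA extension, full/delta CRL periods with an overlap, the OCSP Response Signing template, role separation, and a CA backup) done from PowerShell and certutil, as an added example that is not part of the study guide. The CA name, the web host pki.contoso.com publishing C:\pki, and the responder ocsp.contoso.com are assumed values.

```powershell
# Added example (not from the study guide). Run on the enterprise CA itself. Assumed:
# ADCSAdministration module (Windows Server 2012), CA 'Contoso Issuing CA', a web
# server pki.contoso.com that serves C:\pki, and an Online Responder at ocsp.contoso.com.
Import-Module ADCSAdministration

# 1. CDP. The HTTP URL is what goes into issued certificates (clients fetch the CRL
#    there); the file path is where the CA writes full and delta CRLs. The <...>
#    tokens are expanded by the CA at publish time.
Add-CACrlDistributionPoint -Uri 'http://pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CACrlDistributionPoint -Uri 'C:\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -PublishToServer -PublishDeltaToServer -Force

# 2. AIA: where clients get the CA certificate, and the OCSP responder location that
#    must be in the authority information access extension of issued certificates.
Add-CAAuthorityInformationAccess -Uri 'http://pki.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri 'http://ocsp.contoso.com/ocsp' -AddToCertificateOcsp -Force

# 3. Full CRL weekly, delta CRL daily, 12-hour overlap so clients that fetched the
#    CRL late still have a valid one while the new one propagates to pki.contoso.com.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# 4. Let this CA issue OCSP Response Signing certificates (template name, not display
#    name), then install the Online Responder role on this host.
Add-CATemplate -Name OCSPResponseSigning -Force
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# 5. Administrative role separation: one account may hold only one CA role
#    (CA Administrator, Certificate Manager, Backup Operator, Auditor). An account that
#    holds two roles is blocked from all of them once this is on, so check membership first.
certutil -setreg CA\RoleSeparationEnabled 1

# Registry changes take effect after a restart; then publish a fresh CRL.
Restart-Service certsvc
certutil -crl

# 6. Backup of database, CA certificate and private key to a password-protected folder.
#    Keep it off the CA host; restore uses Restore-CARoleService with the same password.
$pw = Read-Host -AsSecureString 'CA backup password'
Backup-CARoleService -Path 'C:\CABackup' -Password $pw

# Verify the published locations and periods.
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, PublishToServer
Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp
certutil -getreg CA\CRLOverlapUnits
```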

    6.3 MANAGE CERTIFICATES

    Manage certificate templates
    Certificate templates have different versions. Since Windows Server 2008 there are new version 3 certificate templates, updated to support new features, encryption and hash algorithms. There are template properties options in the Certificate Templates MMC snap-in. The Kerberos Authentication template serves a different purpose: it issues certificates to domain controllers, which in turn present the certificates to client computers during authentication. To create a new template, the best thing to do is to duplicate an existing template and use its properties as the default for yours.

  • Implement and manage certificate deployment, validation, and revocation
    Keep in mind, if you are using an Enterprise CA, your certificate templates will be stored in AD. As previously said, certificate templates have different versions. If you upgrade a CA, you may also need to update the AD schema to support the new certificate template attributes. You may as well upgrade the certificate templates to include the new attributes. You may do so before or after upgrading your CAs to Windows Server 2012. When configuring new templates there is an option known as Do not store certificates and requests in the CA database. With it, your CA will process certificate requests without adding records to the CA database (so as to save workload and space). On the other hand, the Do not include revocation information in issued certificates option can be used to exclude revocation information from the issued certificates (so as to cut down validation time). The Enterprise PKI MMC snap-in is a monitoring tool. You need to add it manually (under Active Directory Certificate Services). With it you can view the CA status information. The status may be OK, Warning, Error, or Unable to download. You may use certificate trust policy to make the necessary certificate path validation settings (so as to facilitate automatic certificate management). With these settings you may manage:
      Trusted Root Certificates
      Trusted Publishers
      Network Retrieval and Path Validation
      Revocation Checking Policy

    Manage certificate renewal
    When configuring enrollment, you should not assign permissions to domain local groups, since assigning permissions to local groups may result in inconsistency in the application of permissions. If you want to use autoenrollment (which may be configured to work as a background task that requires no user input at all), the user or computer must belong to domain groups with Read, Enroll, and Autoenroll permissions. To enable enrollment via the Certificates snap-in, Web based enrollment or automatic renewal, make sure the Read and Enroll permissions are properly assigned. For certificate renewal in particular, the Read and Enroll permissions must be present.

    Manage certificate enrollment and renewal to computers and users using Group Policies
    As previously said, proper permissions are necessary for renewal and enrollment. You may use group policies to assign these permissions as needed.

  • Configure and manage key archival and recovery
    Enterprise CAs have a key recovery agent certificate template with a default configuration that grants permissions to the Domain Admins/Enterprise Admins so they may enroll for key recovery agent certificates. You may also add a key recovery agent certificate template via the Certification Authority MMC snap-in. This UI can also be used to configure key recovery. Remember, key recovery may be performed on a CA only for those certificates issued by that same CA. If there are multiple issuing CAs you will need to configure each CA one by one. A typical key recovery process involves a number of steps. First you need to identify the archived keys for recovery via Certutil.exe -getkey. Then you need to retrieve the archived keys from the CA database (you may do so using the certificate's serial number). Then you need to decrypt the archived keys via Certutil.exe -recoverkey together with the key recovery agent certificate (you need to have Certificate Management privileges). Once decrypted, store it in a password protected file and have it transferred to the user who needs it. The user needs to import the certificate and the corresponding recovered keys via Certutil.exe -importPFX into his personal certificate store in order to use it. You must understand that key recovery agent keys are high value data assets that must be protected against compromise and loss. A private key must be made available for use prior to archival for as long as the data encrypted with that key is still needed. Auditing of the key recovery events should also be considered (which can also be done via the Certification Authority snap-in).
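The key recovery steps listed above (identify the archived key, decrypt it with the key recovery agent, hand it to the user for import) carried out with certutil, followed by the audit settings that record such recoveries, as an added example that is not part of the study guide. The CA configuration string, the user jdoe and the recovery folder are assumed values.

```powershell
# Added example (not from the study guide). Assumed: CA config string
# 'ca01.contoso.com\Contoso Issuing CA', user jdoe@contoso.com whose encryption key was
# archived, a recovery workstation holding the KRA certificate and private key, and an
# operator with the Certificate Manager role (Issue and Manage Certificates).
$ca  = 'ca01.contoso.com\Contoso Issuing CA'
$dir = 'C:\recovery'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Identify the archived key(s). -getkey searches by UPN, common name, serial number
#    or certificate hash and writes each matching blob, still encrypted to the KRA's
#    public key, into the output file. Use the serial number to pick one entry when a
#    user has several archived certificates.
certutil -config $ca -getkey jdoe@contoso.com "$dir\jdoe.blob"
# certutil -config $ca -getkey <serial-number> "$dir\jdoe.blob"

# 2. Decrypt with the KRA private key into a password-protected PFX (certutil prompts
#    for the password). The KRA key never leaves this workstation; only the PFX moves.
certutil -recoverkey "$dir\jdoe.blob" "$dir\jdoe.pfx"

# 3. Transfer jdoe.pfx to the user over a protected channel and give the password
#    separately. The user then imports it into the personal store (run as that user;
#    -user selects the current-user store rather than the machine store).
#    certutil -user -importPFX C:\Users\jdoe\jdoe.pfx

# 4. Confirm the certificate now has a usable private key, then remove the recovery
#    material from disk so it cannot be picked up later.
#    certutil -user -store My | Select-String -Pattern 'Serial Number|Key Container|Encryption test'
Remove-Item "$dir\jdoe.blob", "$dir\jdoe.pfx" -Force

# 5. Audit every archival and recovery. AuditFilter 127 enables all seven CA audit
#    categories; the Windows subcategory must be on for the events to reach the
#    Security log. The filter takes effect after certsvc restarts (run on the CA).
certutil -config $ca -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service certsvc
```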

    6.4 INSTALL AND CONFIGURE ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS)

    Install a licensing or certificate AD RMS server
    Active Directory Rights Management Services (AD RMS) is for safeguarding digital information and preventing unauthorized use. You should install AD RMS as a server role via Server Manager. The first RMS server is the root cluster in the case of load balancing. You should be a member of the Enterprise Admins group to perform the necessary cluster configuration tasks.

    Manage AD RMS Service Connection Point (SCP)
    The AD RMS Service Connection Point (SCP) is an AD object. This object holds the web address of your AD RMS certification cluster. All AD RMS enabled applications will rely on this SCP for discovering the AD RMS service. In other words, it serves as the first connection point for discovering the AD RMS web services. You can have only one single SCP in AD. To add a new SCP the existing one must first be removed.

  • Manage AD RMS client deployment
    There is an AD RMS client included in the default installation of Vista, Windows Server 2008 and later versions. To properly consume rights-protected content the client must add the AD RMS URL to the Local Intranet security zone of the browser. You may use the Rights Protected Folder Explorer to work with Rights Protected Folders. You can use it to securely store or send files to authorized users. Also, with it you can control which users will be able to access those files.

    Manage Trusted User Domains
    You need to know that in the world of AD RMS every single entity is represented by a certificate. The AD RMS server cluster is represented by a Server Licensor Certificate (SLC). Client computers have a Security Processor Certificate (SPC). Users are identified by a Rights Account Certificate (RAC) when being authenticated by the RMS server. By default, AD RMS will not process requests from those with RACs issued by another AD RMS cluster UNLESS you add those AD RMS domains to a list of trusted user domains.

    Manage Trusted Publishing Domains
    The RAC is always used by the server for encrypting licenses being sent to the user. There is also a certificate known as the Client Licensor Certificate (CLC), which is obtained during client activation. Publishing Licenses (PL) are certificates that express rights over a document. You can have a PL stamped into a protected document and encrypted with the SLC's public key, and additionally signed with the user's CLC. Similarly, you may add trust policies (trusted publishing domain, TPD) so that AD RMS can handle licensing requests for content rights-protected by another AD RMS cluster.

    Manage Federated Identity support
    Technically speaking, rights can be assigned to users who have a federated trust with AD FS. This allows you to share access to rights-protected content with another organization without setting up a separate Active Directory trust. Federated identity support is a feature you can use to allow users to make use of credentials established by a federated trust relationship through AD FS for obtaining a RAC. Do note that when RACs are issued through a federated identity, the standard rights account certificate validity period will be based on the one specified in the Federated Identity Support setting.

    Manage RMS templates
    Rights policy templates in AD RMS are for controlling the rights that a user or group has on a particular rights-protected content item. By default, AD RMS stores rights policy templates in the configuration database and also keeps a copy of all rights policy templates in a shared folder. There is a rights policy template creation wizard you can use for template creation. There is also a rights policy template distribution pipeline that can guide you through the template distribution process.

  • Configure Exclusion Policies
    You may use exclusion policies to disallow certain entities from acquiring certificates and making license requests. This can be done on the basis of user, application, and lockbox version. Use licenses that are created for that entity by servers of the AD RMS cluster will keep a record in the exclusion list. To enable exclusion, from within the AD RMS console you need to find and turn on the Enable Application Exclusion option under Exclusion Policies. To set up exclusion, you may use the Exclude User Account wizard or the Exclude Application wizard. To set up lockbox exclusion you will need to turn on the Enable Lockbox Exclusion option separately.
