20417D ENU Companion PDF

OFFI CI A L MI CROSOFT LEA RN I N G P RODU CT
20417D
Upgrading Your Skills to MCSA Windows
Server 2012
Companion Content
ii Upgrading Your Skills to MCSA Windows Server 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners
Product Number: 20417D

Released: 04/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Centers training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:

User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code tent that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code ntent are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Contents subject

matter is based on a pre-release version of Microsoft technology (Pre-release), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to

o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES

DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages
directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres
dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence, aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers; et.
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si
votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires
ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre
gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits
prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre
pays si celles-ci ne le permettent pas.
Revised July 2013

Installing and Configuring Windows Server 2012 1-1
Module 1
Installing and Configuring Windows Server 2012
Contents:
Lesson 1: Installing Windows Server 2012 R2 2
Lesson 2: Configuring Windows Server 2012 R2 and Windows Server 2012 4
Lesson 3: Configuring Remote Management for Windows Server 2012 R2 and
Windows Server 2012 7
Module Review and Takeaways 9
1-2 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 1
Installing Windows Server 2012 R2
Contents:
Resources 3
Resources
Hardware Requirements for Installing Windows Server 2012 R2
Additional Reading: For more information about the Windows Server Virtualization
Validation Program, see http://go.microsoft.com/fwlink/?LinkId=269652.
Migrating Server Roles
Additional Reading: Migrating Roles and Features in Windows Server

http://go.microsoft.com/fwlink/?LinkID=331437
Lesson 2
Configuring Windows Server 2012 R2 and Windows
Server 2012
Contents:
Demonstration: Exploring Server Manager in Windows Server 2012 R2 5
Demonstration: Installing and Optimizing Server Roles in Windows Server 2012 6
Demonstration: Exploring Server Manager in Windows Server 2012 R2

Demonstration Steps
1. Sign in to server LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features. This starts the Add Roles
and Features Wizard.
3. On the Before you begin page of the Add Roles and Features Wizard, click Next.
4. On the Installation Type page of the Add Roles and Features Wizard, select Role-based or feature-
based installation, and then click Next.
5. On the Select destination server page of the Add Roles and Features Wizard, click Select a server
from the server pool. Verify that LON-DC1.Adatum.com is selected, and click Next.
6. On the Select server roles page of the Add Roles and Features Wizard, select Fax Server. In the Add
Roles and Features Wizard dialog box that opens, click Add Features.
7. On the Select server roles page of the Add Roles and Features Wizard, click Next.
8. On the Select features page of the Add Roles and Features Wizard, select BranchCache, and then
click Next.
9. On the Fax Server page of the Add Roles and Features Wizard, click Next.
10. On the Print and Document Services page of the Add Roles and Features Wizard, click Next.
11. On the Select role services page of the Add Roles and Features Wizard, click Next.
12. On the Confirmation page of the Add Roles and Features Wizard, select the Restart the destination
server automatically if required check box. In the Add Roles and Features Wizard dialog box,
click Yes, and then click Install.
13. On the Installation progress page of the Add Roles and Features Wizard, click Close.
14. Click the flag icon next to Server Manager Dashboard and review the messages.
15. On the Server Manager console, click the Dashboard node.
16. In the Roles and Server Groups area, under DNS, click Events.
17. In the DNS - Events Detail View dialog box, change the time period to 12 hours and the Event
Sources to All, and then click OK.
18. In the Roles and Server Groups area, under DNS, click BPA results.
19. On the DNS - BPA Results Detail View dialog box, on the Severity Levels drop-down menu, select
All, and then click OK.
20. In the Server Manager console, on the Tools menu, review the tools that are installed on LON-DC1.
21. Hold down the Start key to start the Microsoft design style Start screen.
22. On the Start screen, click Administrator, and then click Sign Out.
23. Sign in to LON-DC1 by using the Adatum\Administrator account and the password Pa$$w0rd.
24. On the taskbar, click the Windows PowerShell icon.

25. In the Windows PowerShell window, type the following command, and press Enter:
Stop-Computer
Demonstration: Installing and Optimizing Server Roles in Windows Server

2012
Demonstration Steps
1. Sign in to server LON-DC1 by using the Adatum\Administrator account, and the password
Pa$$w0rd.
2. In the already open Server Manager console, click Manage, and then click Add Roles and Features.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Installation Type page, select Role-based or feature-based installation, and then click
Next.
5. On the Server Selection page, click Select a server from the server pool. Verify that LON-
DC1.Adatum.com is selected, and click Next.
6. On the Select server roles page, select Application Server, and then click Next.
7. On the Features page, click Next.

8. On the Application Server page, click Next.
9. On the Role Services page, click Next.
10. On the Confirmation page, click Install. To dismiss the Add Role and Features wizard, click Close.
11. Click the App Server node of the Server Manager console.
12. Click the Dashboard node, and under App Server, click Performance.
13. Review the console, and click OK.

14. Under the DHCP section, click BPA results. Discuss the BPA results, and click OK.
Lesson 3
Configuring Remote Management for Windows
Server 2012 R2 and Windows Server 2012
Contents:
Resources 8
Resources
How Remote Management Works in Windows Server 2012 R2 and

Windows Server 2012
Additional Reading: For more information on Windows Remote Management, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269663
Additional Reading: For more information on configuring Windows Remote Management,
visit the following Performance Team post: http://go.microsoft.com/fwlink/?LinkId=269664
Additional Reading: For more information on Remote Windows PowerShell, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269667
Module Review and Takeaways

Best Practices
Unless you must have a Server with a GUI installation to support roles and features, deploy Server
Core.
Use Windows Remote Management to manage multiple servers from a single server by using the
Server Manager console.
Use Windows PowerShell remoting to run remote Windows PowerShell sessions, rather than logging
on locally to perform the same task.
Review Question(s)
Question: Why is the Server Core installation the default installation option for Windows Server 2012 R2
installations?
Answer: The Server Core installation is the default installation option for Windows Server 2012
R2 because it enables you to deploy the most frequently used roles with a minimal hardware
footprint.
Real-world Issues and Scenarios

Unless a particular role requires it, consider using the Server Core installation option as your default
server deployment option. You can always install the GUI later if required.
Understand which roles and features you must deploy on a server prior to deploying that server,
rather than deploying roles and features to servers without planning.
You should plan to manage many servers from one console, rather than logging on to each server
individually.
Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip
Remote management connections fail Verify firewall settings.
Windows PowerShell commands are not Ensure that appropriate Windows PowerShell modules,
available such as Server Manager, are loaded.
Cannot install GUI features on Server Core Mount a WIM image that holds all the Windows Server
deployment 2012 R2 files, and use the -source option of the
Install-WindowsFeature cmdlet.
Unable to restart a computer running Use sconfig.cmd or the shutdown /r command.

Server Core
Unable to join the domain Verify DNS resolution and network connectivity
between the host and the domain controller.
Lab: Installing and Configuring Windows Server 2012 R2

Question and Answers
Question: What steps would you have to take to deploy Windows Server 2012 R2 over a virtual network?
Answer: You would have to configure WDS. You also would have to configure virtual machines
to use legacy network adapters.
Question: Which command could you use to configure the network address settings on a computer
running Server Core, other than sconfig.cmd?
Answer: You can use the Set-NetIPaddress Windows PowerShell utility to configure the
network address settings.
Question: After performing Exercise 3, would you be able to make a Remote Desktop connection from
LON-DC1 to LON-SVR5?
Answer: No. Although you do enable Windows Remote Management, Remote Desktop is not
enabled during this exercise.
Managing Windows Server 2012 by Using Windows PowerShell 2-1
Module 2
Managing Windows Server 2012 by Using Windows
PowerShell
Contents:
Lesson 1: Overview of Windows PowerShell 2
Lesson 2: Using Windows PowerShell to Manage AD DS 5
Lesson 3: Managing Servers by Using Windows PowerShell 9

Lab Review Questions and Answers 13
Lesson 1
Overview of Windows PowerShell
Contents:
Resources 3
Demonstration: Using the Windows PowerShell Integrated Scripting Environment (ISE) 3
Resources
Windows PowerShell Syntax
Additional Reading: For more information about verbs for Windows PowerShell
commands, see Approved Verbs for Windows PowerShell Commands by visiting the following
link:
http://go.microsoft.com/fwlink/?LinkID=331439.
Using Windows PowerShell Modules
Additional Reading: For more information about Windows PowerShell modules, see
Windows PowerShell Modules by visiting the following link:
http://go.microsoft.com/fwlink/?linkID=270852
What Are the New Features in Windows PowerShell?
Additional Reading: For more information about Windows PowerShell DSC, see Get
Started with Windows PowerShell Desired State Configuration by visiting the following link:
Additional Reading: For more information on new features of Windows PowerShell, see
What's New in Windows PowerShell by visiting the following link:
Demonstration: Using the Windows PowerShell Integrated Scripting

Environment (ISE)
Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$word.
2. Browse to the Start screen, type Windows PowerShell ISE, and then right-click the Windows
PowerShell ISE app tile. In the app bar, click Run as administrator.
3. Click View, and click Show Script Pane.
4. Click File, and click Open. Navigate to the demonstration script at
E:\Labfiles\Mod02\Democode\Using Windows PowerShell ISE.ps1, and then click Open.
5. In the script pane, type Get- and then press the Tab key. Point to students the list of nouns displayed,
select ChildItem, and then press Spacebar.
6. Type E:\ and point the use of IntelliSense once again.

7. Double-click Labfiles, type \ then double-click Mod02 and type \, and then double-click Democode.
8. Repeat steps 4 through 6 in the Output pane.
9. In the script pane, under the Get-ChildItem cmdlet, type Get-P, and then press the Tab key
repeatedly until you get Get-Process.
10. Press Spacebar, type -, and then press the Tab key repeatedly until you get ComputerName. Then,
complete the command to read Get-Process ComputerName LON-DC1.
11. Execute the Get-Command cmdlet and show students that the list of cmdlets displayed as a result is
also available in the Commands tab.
Lesson 2
Using Windows PowerShell to Manage AD DS
Contents:
Questio n and Answers 6
Resources 6
Demonstration: Managing AD DS by Using Windows Po werShell 6
Using Windows PowerShell Variables

Question: How do you declare variables and assign values to them?
Answer: You can declare a variable and assign it a value by using an equal sign (=) or by using
Set-Variable.
Resources
Additional Reading: about_Variables

Demonstration: Managing AD DS by Using Windows PowerShell

Demonstration Steps
1. Sign in to LON-DC1 with the user name Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type Windows PowerShell ISE, and then right-click Windows PowerShell ISE. In
the pop-up window, click Run as administrator.
3. Click File, and click Open. Locate the demonstration script at
E:\Labfiles\Mod02\Democode\Managing Users and Groups.ps1, and click Open.
4. To create a new OU named NewYork, at the command prompt, type the following command, and
then press Enter:
New-ADOrganizationalUnit NewYork
5. To create a new user named Ayla in the IT department and the A Datum organization, at the
command prompt, type the following command, and then press Enter:
New-ADUser name Ayla department IT city New York organization A Datum
6. To move the Ayla user to the NewYork OU, at the command prompt, type the following command,
and then press Enter:
Get-ADUser Filter Name eq Ayla | Move-ADObject targetpath

ou=NewYork,dc=adatum,dc=com
7. To view the settings for the Domain Admins group, at the command prompt, type the following
command, and then press Enter:
Get-ADGroup filter Name eq Domain Admins
8. To view the membership of the Domain Admins group, at the command prompt, type the following
Get-ADGroup filter Name eq Domain Admins | Get-ADGroupMember
9. To add Ayla to the Domain Admins group, at the command prompt, type the following command,
Add-ADGroupMember Domain Admins Ayla

10. To enable the account created for Ayla, at the command prompt, type the following command, and
then press Enter:
Get-ADUser filter Name eq Ayla | Enable-ADAccount
Note: If you receive an error regarding password complexity, go to step 13.
11. To verify that Aylas account was enabled, at the command prompt, type the following command,
Get-ADUser filter Name eq Ayla
12. To disable Aylas account, at the command prompt, type the following commands by pressing Enter
after each:
Disable-ADAccount Ayla
Get-ADUser filter Name eq Ayla
13. To set the password for Ayla to Pa$$w0rd!!, at the command prompt, type the following command,
Set-ADAccountPassword Ayla Reset NewPassword (ConvertTo-SecureString

AsPlainText Pa$$w0rd!! Force)
14. To verify how the New-ADUser cmdlet works, at the command prompt, type the following
Help New-ADUser
15. To view the contents of the ./NewUsers.csv file, at the command prompt, type the following
notepad ./NewUsers.csv
Note: You may need to use the full path for the NewUsers.csv file for the command above
to work. Check the notes within the script file to see the full path.
16. To use Import-Csv to view the contents of the ./NewUsers.csv file in Windows PowerShell, at the
command prompt, type the following command, and then press Enter:
Import-Csv ./NewUsers.csv
17. To use the output of the Import-Csv cmdlet as input for the New-ADUser cmdlet, at the command
prompt, type the following command, and then press Enter:
Import-Csv ./NewUsers.csv | New-ADUser Path ou=NewYork,dc=adatum,dc=com

passthru | Enbale-ADAccount passthru
Note: You might get an error message due to the password not being set. Ignore the error
for now.
18. To set the city property for all users in the IT department to Seattle, at the command prompt, type
the following command, and then press Enter:
Get-ADUser filter Department like IT | Set-ADUser city Seattle
19. To set the division property for all users in the NewYork OU to Automotive, at the command
prompt, type the following command, and then press Enter:
Get-ADUser filter * -Searchbase ou=NewYork,dc=adatum,dc=com | Set-ADUser

division Automotive
Lesson 3
Managing Servers by Using Windows PowerShell
Contents:
Resources 10
Demonstration: Managing a Server by Using Windows Power Shell 10
Resources
What Is Windows PowerShell Web Access?
Additional Reading: For more information on using Windows PowerShell Web Access, see
Install and Use Windows PowerShell Web Access by visiting the following link:
Introduction to Windows PowerShell Workflow
Additional Reading: Getting Started with Windows PowerShell Workflow

Demonstration: Managing a Server by Using Windows PowerShell

Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then sign in to LON-DC1 with user
name Adatum\Administrator and the password Pa$$w0rd.
2. On LON-DC1, start Internet Explorer.
3. In the address bar, type https://LON-DC1.adatum.com/pswa, and then press Enter.
4. Sign in to Windows PowerShell Web Access by using the following information:
User name: Administrator
Password: Pa$$w0rd
Computer: LON-DC1
5. Start a new job by running the following command:
Start-Job -ScriptBlock {Get-ADUser Filter *}
6. Obtain the status of the job by running Get-Job.

7. Create a new scheduled job by running the following commands, and pressing Enter after each
command:
$Trigger = New-JobTrigger Weekly DaysOfWeek Monday,Friday At 9:00AM

Register-ScheduledJob Name ScheduledJob1 ScriptBlock {Get-ADUser Filter * } -
Trigger $Trigger
8. Run the scheduled job immediately by running:
Start-Job DefinitionName ScheduledJob1


Best Practices
Set a goal to spend time learning how to use Windows PowerShell for your common tasks. This will
make you more comfortable when working with Windows PowerShell, and will equip you for using it
to perform more complex tasks and resolve certain problems.
Save the commands that you have used to resolve problems in a script file for later reference.
Use Windows PowerShell ISE to help you write scripts and ensure that you are using the correct
syntax.
Review Question(s)
Question: Which cmdlet will display the content of a text file?
Answer: Get-Content displays the content of a text file. It is also acceptable to use type, which is
an alias for Get-Content.
Question: Which cmdlet will move a file to another directory?
Answer: Move-Item moves a file to another directory. It is also acceptable to use move and mi
as aliases for Move-Item.
Question: Which cmdlet will rename a file?
Answer: Rename-Item renames a file. It is also acceptable to use ren, which is an alias for
Rename-Item.
Question: Which cmdlet will create a new directory?
Answer: New-Item creates a new directory. It is also acceptable to use ni, which is an alias for
New-Item.
Question: Which cmdlet do you think would retrieve information from the event log?
Answer: Get-EventLog retrieves information from the event log.
Question: Which cmdlet do you think would start a stopped virtual machine?
Answer: Start-VM would start a stopped virtual machine.

Many common tools can be replaced with Windows PowerShell cmdlets. The following table shows some
examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows
Server 2012 R2.
Old Command Windows PowerShell Equivalent
ipconfig /a Get-NetIPConfiguration
Shutdown.exe Restart-Computer
Net Start Start-Service (Restart-Service)
Net Stop Stop-Service (Restart-Service)
Net Use New-SmbMapping
Netstat Get-NetTCPConnection
Old Command Windows PowerShell Equivalent
Netsh advfirewall add New-NetFirewallRule
Route Print Get-NetRoute
Tools
You can use the tools in the following table to work with Windows PowerShell.
Tool Description
Windows PowerShell Integrated Script Editor Windows PowerShell ISE provides a simple, yet
(ISE) powerful interface to create and test scripts, and
discover new cmdlets.
Microsoft Visual Studio Workflow Designer This is a development tool that is used to create
Windows PowerShell workflows.
Powershell.exe This is the Windows PowerShell executable.
Active Directory Administrative Center This tool enables you to perform common Active
Directory management tasks, such as creating and
modifying user and computer accounts. All of the
changes that you make by using this management
tool are logged in the Windows PowerShell History
pane.

Administrators cannot find the correct Use the Get-Command cmdlets and Help in
Windows PowerShell cmdlet for a task. Windows PowerShell ISE to search for cmdlets.
Administrator cannot connect to a server by There are several possible reasons why this could
using remote Windows PowerShell. occur. For example, Remote Windows PowerShell
connections may be blocked by Windows Advanced
Firewall, or the WinRM service may be misconfigured
or disabled.
Get-Help does not provide any help for You may have to download the latest Help files. You
cmdlets. can download the latest files by using the Update-
Help cmdlet.
An administrator is new to Windows Use Windows PowerShell ISE to become more

PowerShell, and is uncomfortable with the familiar with the command line. Also, use the Get-
command line. Command and Show-Command cmdlets to provide
additional help.
Lab Review Questions and Answers

Lab: Managing Servers Running Windows Server 2012 by Using Windows
PowerShell

Question: What happens if you try to run an unsigned script that you have created locally and the
execution policy is set to RemoteSigned?
Answer: When a locally created script is run on a computer with the execution policy set to
RemoteSigned, the script runs successfully without warning. This is the default policy for
Windows Server 2012 R2.
Question: How can you automate the creation of hundreds of user accounts based on data contained in
an Excel spreadsheet?
Answer: You can save the Excel file as a CSV file, and then use a Windows PowerShell script that
uses the Import-CSV and Add-ADUser cmdlets.
Managing Storage in Windows Server 2012 3-1
Module 3
Managing Storage in Windows Server 2012
Contents:
Lesson 1: Storage Features in Windows Server 2012 2
Lesson 2: Configuring iSCSI Storage 5
Lesson 3: Configuring Storage Spaces in Windows Server 2012 9
Lesson 4: Configuring BranchCache in Windows Server 2012 13

Lesson 1
Storage Features in Windows Server 2012
Contents:
Resources 3
Demonstration: Configuring Data Deduplication 4
What Is Data Deduplication?

Question: On which of your shares can you use data deduplication?
Answer: The answer varies according to the company. In smaller companies, it is very likely that
there is one share that stores all of the software or application files, and in such cases, data
deduplication would be a good way to reduce space. Generally, data deduplication should be
used on large volumes that contain data that does not change frequently. Data deduplication
cannot be used for volumes containing an operating system.
Whats New in File Server Resource Manager?

Question: Are you currently using the File Server Resource Manager in Windows Server 2008? If yes, for
what areas do you use it?
Answer: The answer will vary based on the students experience with the File Server Resource
Manager in Windows Server 2008. File Server Resource Manager is used in the following areas:
File classification infrastructure
File management tasks

Quota management
File screening management
Resources
File and Storage Services in Windows Server 2012
Additional Reading: For more information, see File and Storage Services Overview at
What Is Data Deduplication?
Additional Reading: For more information, see Data Deduplication Overview at

For more information, see Introduction to Data Deduplication in Windows Server 2012 at
Whats New in File Server Resource Manager?
Additional Reading: For more information, see What's New in File Server Resource
Manager in Windows Server 2012 at http://go.microsoft.com/fwlink/?linkID=270039
For more information, see What's New in File Server Resource Manager in Windows Server 2012
R2 at http://go.microsoft.com/fwlink/?LinkID=331422
What Are Basic and Dynamic Disks?
Additional Reading: For more information, see How Basic Disks and Volumes Work at
For more information, see Dynamic disks and volumes at

Demonstration: Configuring Data Deduplication

Demonstration Steps
Add the Data Deduplication role service
1. Sign in to LON-DC1 with the user name Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (2 of 12 installed), expand File
and iSCSI Services (1 of 11 installed), select the Data Deduplication check box, and then click
Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.

9. When installation is complete, click Close.
Enable Data Deduplication on E: Drive

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click Volumes.
3. In the Volumes pane, right-click E:, and then in the drop-down list, select Configure Data
Deduplication.
4. In the Allfiles (E:\) Deduplication Settings dialog box, click General purpose file server from the
Data duplication list, and in the Deduplicate files older than (in days) box, type 3, and then click
Set Deduplication Schedule.
5. In the LON-DC1 Deduplication Schedule dialog box, click Enable throughput optimization, in the
Start time drop-down list, select the closest hour to the current time, and then click OK.
6. In the Allfiles (E:\) Deduplication Settings dialog box, click OK.

Lesson 2
Configuring iSCSI Storage
Contents:
Resources 6
Demonstration: Configuring iSCSI Target 6
Demonstration: Connecting to the iSCSI Storage 7
What is iSCSI?
Question: Can you use your organizations internal IP network to provide iSCSI?
Answer: Yes, you can. However, we recommend having a dedicated IP network for iSCSI so that
other network traffic does not interfere the iSCSI communication, and the iSCSI communication
does not interfere with the network traffic.
iSCSI Target Server and iSCSI Initiator

Question: When would you consider implementing diskless booting from iSCSI targets?
Answer: The answer varies depending on your experience, but primarily you might consider
using this approach if you want to implement virtualization technologies such as a Virtual
Desktop Infrastructure (VDI) in your organization.
Resources
Additional Reading: For more information, see Introduction of iSCSI Target in Windows
Server 2012 at http://go.microsoft.com/fwlink/?linkID=269674
Demonstration: Configuring iSCSI Target

Demonstration Steps
Add the iSCSI Target Server role service
1. On LON-DC1, in Server Manager, click Dashboard.
2. Click Add roles and features.

6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.

Create two iSCSI virtual disks and an iSCSI target on LON-DC1

2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, type iSCSIDisk1, and then click Next.
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-SVR2, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, and in the Type drop-down list, select IP Address. In the Value box, type 172.16.0.22, and
then click OK.
11. On the Specify access servers page, click Next.

12. On the Enable Authentication page, click Next.
13. On the Confirm selections page, click Create.
14. On the View results page, wait until the creation is completed, and then click Close.
15. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
16. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
17. On the Specify iSCSI virtual disk name page, type iSCSIDisk2, and then click Next.
18. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
19. On the Assign iSCSI target page, click lon-svr2, and then click Next.

Demonstration: Connecting to the iSCSI Storage

Demonstration Steps
Connect LON-SVR2 to the iSCSI target
1. Sign in to LON-SVR2 with user name Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, on the Tools menu, in the Tools drop-down list, select iSCSI Initiator.
3. In the Microsoft iSCSI message box, click Yes.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, type LON-DC1, and then click
Quick Connect.
5. In the Quick Connect window, in the Discovered targets section, click iqn.1991-
05.com.microsoft:lon-dc1-lon-svr2-target, and then click Done.
6. In the iSCSI Initiator Properties dialog box, to close the dialog box, click OK.
Verify the presence of the iSCSI drive

1. In Server Manager, on the Tools menu, in the Tools drop-down list, select Computer Management.
2. In the Computer Management console, under Storage, click Disk Management.
Note: Notice that the new disks are added. They are all currently offline and not formatted.
3. Close the Computer Management console.
Note: Keep the computers running. You must have them for the demonstration in the
lesson Configuring Storage Spaces in Windows Server 2012.
Lesson 3
Configuring Storage Spaces in Windows Server 2012
Contents:
Resources 10
Demonstration: Configuring a Storage Space 10
Demonstration: Implementing Redundant Storage Spaces 11
Resources
What Are Thin Provisioning and Trim Storage?
Additional Reading: For more information, see Thin Provisioning and Trim Storage
Overview at http://go.microsoft.com/fwlink/?linkID=269672
Demonstration: Configuring a Storage Space

Demonstration Steps
Create a storage pool
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.
2. In the navigation pane, click File and Storage Services, and in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage
Pool.
4. In the New Storage Pool Wizard, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
6. On the Select physical disks for the storage pool page, click all available Physical disks, and then
click Next.

Create a simple virtual disk and a volume

1. In the VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New Virtual
Disk. Note: If New Virtual Disk appears dimmed, select StoragePool1 first.
2. In the New Virtual Disk Wizard, on the Before you begin page, click Next.
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Simple vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Simple, and then click Next.
6. On the Specify the provisioning type page, click Thin, and then click Next. You should mention
that this configures thin provisioning for that volume.
7. On the Specify the size of the virtual disk page in the Specify size box, type 2, and then click Next.
9. On the View results page, wait until the creation is completed. Ensure Create a volume when this
wizard closes is selected, and click Close.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, under Disk, click Simple vdisk virtual disk, and then click
Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Simple Volume, and then click Next.

16. On the Completion page, wait until the creation is completed, and then click Close.
Demonstration: Implementing Redundant Storage Spaces

Demonstration Steps
Create a redundant virtual disk and a volume
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New Virtual Disk.
2. In the New Virtual Disk Wizard, on the Before you begin page, click Next.
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
Note: You should mention that this automatically configures a two-way mirror. You do not
see the Resiliency Settings page because you would require five disks to configure a three-way
mirror.
6. On the Specify the provisioning type page, click Thin, and then click Next.
7. On the Specify the size of the virtual disk page in the Specify size box, type 5, and then click Next.

9. On the View results page, wait until the creation is completed, ensure Create a volume when this
wizard closes is selected, and then click Close.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, in the Disk pane, click the Mirrored vDisk virtual disk, and
then click Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Mirrored Volume, and then click Next.
16. On the Completion page, wait until the creation is completed, and then click Close.
17. On the Start screen, type command prompt, and then press Enter.
18. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\write.exe F:\
19. Close the command prompt.

20. In Server Manager, click the Tools menu, and then in the Tools drop-down list, select Computer
Management.
21. In the Computer Management console, under Storage, click Disk Management.
Note: Notice that the two volumes E: and F: are available.
Simulate a drive failure and test volume access

2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.
4. In the Disable iSCSI Virtual Disk warning message box, click Yes.
5. Switch to LON-SVR2.
6. In the Computer Management console, under Storage, right-click Disk Management and in the
drop-down list, select Rescan Disks.
Note: Notice that the Simple Volume (E:) is not available, and the Mirrored Volume (F:) is
available.
7. On the taskbar, open File Explorer, click This PC, and then click Mirrored Volume (F:). You should
now see write.exe in the file list.
8. Close File Explorer.
9. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click Refresh Storage Pools.
Notice the warning that appears next to Mirrored vDisk.
10. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select
Properties.
11. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Note: Notice the Health Status that should indicate Unhealthy. The Operational Status
should indicate Detached. This means that the disk is not available on this computer any longer.
12. To close the dialog box, click OK.

13. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.
14. In the Mirrored vDisk Properties window, in the navigation pane, click Health.
15. Notice the Health Status should indicate a Warning. The Operational Status should indicate
Degraded.
16. To close the dialog box, click OK.
Lesson 4
Configuring BranchCache in Windows Server 2012
Contents:
Resources 14
Demonstration: How to Configure BranchCache 14
Resources
BranchCache Requirements
Additional Reading: For more information, see BranchCache Overview at

Demonstration: How to Configure BranchCache

Demonstration Steps
Add BranchCache for the Network Files role service
1. Sign in to LON-SVR2 with user name Adatum\Administrator and the password Pa$$w0rd.
2. Open Server Manager by clicking the icon on the taskbar.
3. Click Add roles and features.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box. If prompted, click Add
Features, and then click Next.
10. When installation is complete, click Close, and then close Server Manager.
Enable BranchCache for the server

1. On the Start screen, type gpedit.msc, and then press Enter.
2. Browse to Computer Configuration\Administrative Templates\Network\Lanman Server, and

double-click Hash Publication for BranchCache.
3. In the Hash Publication for BranchCache dialog box, click Enabled.
4. In the Options box, under Hash publication actions, select Allow hash publication only for
shared folder on which BranchCache is enabled, and then click OK.
5. Close the Local Group Policy Editor.
Enable BranchCache for a file share

1. On the taskbar, open File Explorer, and then click Local Disk (C:).
2. On the quick access bar located on the upper-left side of the window, click New Folder, type Share,
and then press Enter.
3. Right-click Share, and click Properties.
4. In the Share Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, click Share this folder, and then click Caching.
6. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
7. In the Advanced Sharing dialog box, click OK, and then click Close.
8. Close all open windows.

Review Question(s)
Question: How does BranchCache differ from Distributed File System (DFS)?
Answer: BranchCache only caches files that users in a remote location have accessed. DFS
replicates files between head office and a remote location so that all files exist in both locations.
Question: Why would you want to implement BranchCache in Hosted Cache mode instead of the
Distributed Cache mode?
Answer: When you use the Distributed Cache mode, the cache is distributed among all
computers running Windows 7 or newer. However, it is likely that these computers are turned off
or that portable computers are removed from the office. This means that a cached file might not
be available, forcing the file to be downloaded across the WAN link again. However, the Hosted
Cache mode keeps the cached files on a file server that will always be available.
Question: Is the Storage Spaces feature also available on Windows 8?

Answer: Yes, you can use Storage Spaces on both Windows Server 2012 and Windows 8.
Question: Can you configure data deduplication on a boot volume?
Answer: No, you cannot configure data deduplication on a boot volume. You can configure data
deduplication only on volumes that are not system or boot volumes.
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are the
problems with volumes of that size?
Answer: Depending on your situation, you may have very large volumes. However, the larger the
volume, the more difficult and lengthy the process of checking these volumes for errors becomes.
Windows Server 2012 R2 includes an enhanced version of the Chkdsk tool to optimize the
implementation of very large volumes; it also includes the new ReFS file system, which helps to
address the issue of NTFS formatted volumes.
Tools
Tool Use Where to find it
iSCSI Target Server Configure iSCSI targets In Server Manager, under File and Storage
Servers
iSCSI Initiator Configure a client to connect to In Server Manager, in the Tools drop-down
an iSCSI target virtual disk list
Deduplication Analyze a volume on the C:\Windows\System32

Evaluation tool potential saving when enabling
(DDPEval.exe) data deduplication

Lab A: Managing Storage on Servers Running Windows Server 2012

Question: Why would you implement MPIO together with iSCSI? What problems would you solve with
this?
Answer: You must have an MPIO to create a second network route to the iSCSI target. This is
useful when you lose a connection to the iSCSI target because of a loss in a network adapter.
With MPIO set up and configured, if a network adapter fails, another network adapter can take
over.
Question: What is the purpose of the iSCSI Initiator component?
Answer: The iSCSI Initiator component is the client component for iSCSI to connect to an iSCSI
target. Windows 8 and Windows Server 2012 already have this component preinstalled as a
service. You only have to start them to use it.
Lab B: Implementing BranchCache

Question: In the lab, you moved LON-SVR1 to its own OU. Why?
Answer: The client configuration settings were configured in the Default Domain Policy that is
linked to the root of the domain. Those Group Policy settings prevent the Hosted cache mode
from being configured on LON-SVR1. By moving LON-SVR1 to its own OU, you were able to
block inheritance of Group Policy to that OU, and thereby prevent those settings from applying
to LON-SVR1.
Question: When would you consider implementing BranchCache into your own organization?
Answer: The answer varies, but BranchCache is only important if you have a branch office or a
location that is connected to your organizations headquarters with a low-bandwidth link.
Implementing Network Services 4-1
Module 4
Implementing Network Services
Contents:
Lesson 1: Implementing DNS and DHCP Enhancements 2
Lesson 2: Implementing IP Address Management (IPAM) 5
Lesson 3: Managing IP Address Spaces with IPAM 8
Lesson 5: Implementing NAP 11

Lesson 1
Implementing DNS and DHCP Enhancements
Contents:
Resources 3
Demonstration: Configuring DNSSEC 3
Demonstration: Configuring Failo ver for DHCP 4
Resources
What's New in DNS in Windows Server 2012
Additional Reading: For detailed information of improved features for DNS server role in
Windows Server 2012 R2, see What's New in DNS Server in Windows Server 2012 R2 at
Whats New in DHCP in Windows Server 2012
Reference Links: For complete list of new and improved Windows PowerShell cmdlets for
DHCP in Windows Server 2012 R2, see Windows PowerShell for DHCP Server at
Demonstration: Configuring DNSSEC

Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager click Tools, and then, in the drop-down list, click DNS.
3. Expand LON-DC1, and expand Forward Lookup Zones. Select Adatum.com.
4. On the menu, click Action, and in the drop-down list, click DNSSEC>Sign the Zone.
5. In the Zone Signing Wizard, click Next.
6. On the Signing Options screen, select Customize zone signing parameters, and click Next.
7. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.
8. On the Key Signing Key (KSK) screen, click Next.
9. On the KSK screen, click Add.
10. On the New Key Signing Key (KSK) screen, click OK.
11. On the Key Signing Key screen, click Next.
12. On the Zone Signing Key (ZSK) screen, click Next.
13. On the Zone Signing Key (ZKS) screen, click Add.

14. On the New Zone Signing Key (ZKS) screen, click OK.
15. On the Zone Signing Key screen, click Next.
16. On the Next Secure (NSEC) screen, click Next.

17. On the Trust Anchors (TAs) screen, click Next.
18. On the Signing and Polling Parameters screen, click Next.
19. On the DNS Security Extensions (DNSSEC) screen, click Next, and then click Finish.
20. In Server Manager, click Tools, and then in the drop-down list click Group Policy Management.
21. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default
Domain Policy, and then click Edit.
22. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.
23. In the Create Rules section, in the Suffix field, type Adatum.com.
24. On the DNSSEC tab, select the Enable DNSSEC in this rule check box.
25. Select the Require DNS clients to check that name and address data has been validated by the
DNS server option, and click Create.
Demonstration: Configuring Failover for DHCP

Demonstration Steps
1. Sign in to LON-SVR1 as Adatum\Administrator with a password Pa$$w0rd.
2. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
Note: The server is authorized but no scopes are configured.
3. Switch to LON-DC1.
4. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
5. In the DHCP Management console, expand lon-dc1.adatum.com, select and right-click the IPv4
node, and then click Configure Failover.
6. In the Configuration Failover Wizard, click Next.
7. On the Specify the partner server to use for failover screen, in the Partner Server field, enter
172.16.0.21, and then click Next.
8. On the Create a new failover relationship screen, in the Relationship Name field, enter Adatum.
9. In the Maximum Client Lead Time field, set the hours to 0 and set the minutes to 15.
10. Ensure that the Mode field is set to Load balance.

11. Ensure the Load Balance Percentage is set to 50%.
12. Ensure that State Switchover Interval is cleared.
13. Select Enable Message Authentication checkbox, and in Shared Secret field, type Pa$$w0rd, and
then click Next.
14. In Configure Failover window, click Finish.
15. Ensure that all five actions have status Successful, and then click Close.
Lesson 2
Implementing IP Address Management (IPAM)
Contents:
Demonstration: Implementing IPAM 6
Demonstration: Implementing IPAM

Demonstration Steps
1. Sign in to LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Server Manager Dashboard, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type screen, click Next.
5. On the Select destination server screen, click Next.
6. On the Select server roles screen, click Next.

7. On the Select features screen, check IP Address Management (IPAM) Server.
8. In the Add features that are required for IP Address Management (IPAM) Server pop-up
window, click Add Features, and then click Next.
9. In Confirm installation selections, click Install.
10. Close the wizard when complete.
11. In the Server Manager navigation pane, click IPAM.

12. In the IPAM Overview pane, click Provision the IPAM server.
13. In the Provision IPAM Wizard, click Next twice.
14. On the Select provisioning method screen, select Group Policy Based and type IPAM in the GPO
name prefix field, and then click Next.
15. On the Confirm the Settings screen, click Apply.
16. When provisioning has completed, click Close.

17. On the IPAM Overview pane, click Configure server discovery.
18. In the Configure Server Discovery dialog box, click Add to add the Adatum.com domain, and then
click OK.
19. In the IPAM Overview pane, click Start server discovery.
20. In the yellow banner, to determine the discovery status, click the More link. The Overview Task
Details window appears. Discovery takes a few minutes to complete. Wait until IPAM
ServerDiscovery task in the Overview Task Details window under Stage column displays
Complete.
21. To return to the IPAM pane, close the Overview Tasks Details dialog box.
Configure managed servers

1. In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll
down to the Details View and note the status report. This is because the IPAM server has not yet
been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.

3. At the Windows PowerShell prompt type the following command and then press Enter:
Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM

IpamServerFqdn LON-SVR2.adatum.com
4. Read the information displayed, type Y, and then press Enter.
5. When you are prompted to confirm the action, press Enter. It takes a few minutes to complete.
6. Return to Server Manager.
7. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
8. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.
9. Repeat steps 6 and 7 to configure LON-SVR1 to be managed.

11. On the taskbar, click Windows PowerShell.
12. Type the following command, and then press Enter.
gpupdate /force

14. On the taskbar, click Windows PowerShell.
15. Type the following command and then press Enter.
gpupdate /force
16. Switch back to LON-SVR2 and right-click LON-DC1, and then click Refresh Server Access Status.
This may take a few minutes to complete.
17. Repeat step 16 to refresh the status for LON-SVR1.
18. Refresh the page by clicking the Refresh icon on the top menu bar until status shows an IPAM Access
Status Unblocked.
19. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take several
minutes to complete.
Lesson 3
Managing IP Address Spaces with IPAM
Contents:
Resources 9
Demonstration: Managing IP Addressing by Using IPAM 9
Demonstration: Configuring IPAM Reporting and Monitoring 9
Resources
Using IPAM to Manage IP Addressing
Additional Reading: For more information, see the IPAM Operations Guide at
Demonstration: Managing IP Addressing by Using IPAM

Demonstration Steps
Add an IP address block
1. On LON-SVR2, in Server Manager, in the navigation pane, click IP Address Blocks.
2. On the upper-right side of the window, click Tasks, and then click Add IP Address Block.
3. In the Add or Edit IPv4 Address Block window, type the following in the boxes, and then click OK:
o Network ID: 172.16.0.0

o Prefix length: 16
o Start IP address: 172.16.0.201
o End IP address: 172.16.0.254

o Description: London subnet
4. In the IPv4 pane, beside Current view:, click IP Address Blocks. Note the newly created address
block for London.
Create an IP address reservation

1. In Server Manager, on the IPAM configuration page, in the navigation pane, click IP Address
Range Groups.
2. In the IPv4 pane, beside Current view, click IP Address Ranges.
3. Right-click the IP address range with a Network value of 172.16.0.0/16 configured on LON-DC1,
and then click Edit IP Address Range.
4. In the Edit IP Address Range window, click Reservations.
5. In the Reservations box, type 172.16.0.165, click Add, and then click OK.
Deactivate a scope
1. Click the DHCP Scopes node, and then in the details pane, right-click the first scope listed named
Adatum and Scope ID of 172.16.0.0, and then click Deactivate DHCP Scope.
Demonstration: Configuring IPAM Reporting and Monitoring

Demonstration Steps
1. On LON-SVR2, in Server Manager, in the IPAM console tree, click EVENT CATALOG.
2. On the IPAM Configuration Events page, click Tasks, click Retrieve Event Catalog Data, and then
wait until task completes.
3. Click Tasks and review the options for configuring Purge Event Catalog Data and Export.
4. On the IPAM Configuration Events page, review and discuss the events displayed.
5. In the IPAM console tree, click DNS and DHCP Servers.

6. Click the lon-dc1.adatum.com entry with the DHCP server role, and in the Details view, discuss the
Server Properties of lon-dc1.adatum.com.
7. Click Tasks and review the options for Retrieve Server Data and Export.
8. In the IPAM console tree, click DHCP scopes.
9. Click the Adatum scope, and discuss the information in the Scope Properties.
10. Click the Options tab, and discuss the information displayed.
12. In the IPAM console tree, click DNS Zone Monitoring.

13. Click the adatum.com zone, and discuss the information in the Zone Properties.
14. Click the Authoritative Servers tab, and discuss the information displayed.
16. In the IPAM console tree, click Server Groups.
17. Click the lon-dc1.adatum.com entry with the DNS server role, and discuss the information in the
Server Properties.
18. Click the DNS Zones tab, and discuss the information displayed.
Lesson 5
Implementing NAP
Contents:
Demonstration: Implementing NAP with DHCP 12
Demonstration: Implementing NAP with DHCP

Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.

4. On the Select destination server page, click Next.
5. On the Select server roles page, check Network Policy and Access Services.
6. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
8. On the Network Policy and Access Services page, click Next.
9. On the Select role services page, select Network Policy Server, and then click Next.
10. On the Confirm installation selections page, click Install. Click Close when the installation
completes.
11. On the Server Manager Tools menu, select Network Policy Server.
12. In the Network Policy Server console, click NPS (Local).
13. In the details pane, click Configure NAP.
14. On the Select Network Connection Method For Use with NAP page in the Network connection
method drop-down list, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
15. On the Specify NAP Enforcement Servers Running DHCP Server page, click Next.
16. On the Specify DHCP Scopes page, click Next.

17. On the Configure Machine Groups page, click Next.
18. On the Specify a NAP Remediation Server Group and URL page, click Next.
19. On the Define NAP Health Policy page, clear the Enable auto-remediation of client computers
check box, and then click Next.
20. Click Finish.
21. In the console tree, expand Network Access Protection, expand System Health Validators, expand
Windows Security Health Validator, click Settings, and in the details pane, double-click Default
Configuration.
22. Clear all check boxes except A firewall is enabled for all network connections, and click OK.
23. Close the Network Policy Server console.
24. Click Tools, and then click DHCP.
25. Expand lon-dc1.adatum.com, select and then right-click IPv4, and then click Properties.
26. Click the Network Access Protection tab, and then click Enable on all scopes.
27. In the DHCP dialog box, click Yes.
28. In the IPv4 Properties dialog box, click OK.


Best Practices
Some best practices include the following:
Ensure that IPv6 is enabled on the IPAM server to manage IPv6 address spaces.
Use Group Policy to configure NRPT tables for DNSSEC client computers.
Disable authentication protocols that you are not using.
Document the NPS configuration by using NetshNps Show Config>Path\File.txt to save the
configuration to a text file.

Unable to connect to the IPAM server. Ensure that the Windows Internal Database
(WID) service and the Windows Process
Activation service are running.
Noncompliant NAP client computers are Check that the network policy is configured
being denied network access instead of to Grant Access instead of Deny Access.
being sent to the restricted network. Access must be granted so that
noncompliant computers can receive
remediation.

Lab A: Implementing Network Services

Question: Will client computers still be able to access the network if the DHCP server fails?
Answer: Yes, for the duration of the IP lease. Once the lease expires, the client computers will no
longer be able to renew their IP address and network access will fail.
Question: Is a third-party certification authority required to implement DNSSEC?
Answer: No certification authority is required.
Question: What is the difference between a centralized and a distributed IPAM topology?
Answer: In a centralized topology, there is only one IPAM server in the forest. In a distributed
topology, there is an IPAM server in every site in the forest.
Lab B: Deploying NAP

Question: On a client computer, what steps must you perform to ensure that the clients health is
assessed?
Answer: You must perform the following steps to ensure that it can be assessed for health:
1. Enable the NAP enforcement client.
2. Enable the Security Center.
3. Start the NAP agent service.

Question: NAP can protect your network from viruses and malware on remote computers that connect to
your network through VPN connections.
( ) True
( ) False
Answer:
( ) True
() False
Implementing Remote Access 5-1
Module 5
Implementing Remote Access
Contents:
Lesson 1: Remote Access Overview 2
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 4
Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure 12

Lesson 1
Remote Access Overview
Contents:
Resources 3
Resources
Managing Remote Access in Windows Server 2012
Additional Reading: For more information on remote access cmdlets in Windows

PowerShell, visit the following link: http://go.microsoft.com/fwlink/?LinkID=331443
Lesson 2
Implementing DirectAccess by Using the Getting
Started Wizard
Contents:
Resources 5
Demonstration: Running the Getting Started Wizard 5
Demonstration: Identifying the Getting Started Wizard Settings 8
How DirectAccess Works for Internal Clients

Question: Your organization requires only selected computers to be able to connect from the Internet to
the corporate network resources by using DirectAccess. How will you configure the DirectAccess settings
to meet the organizations requirements?
Answer: If only selected computers need to be provided with secure remote access from the
Internet to the corporate network resources, you can create computer groups and then configure
appropriate membership for the clients that need secure remote access. After you configure
group membership, you should configure DirectAccess to allow remote access for the computer
group that you created.
How DirectAccess Works for External Clients

Question: If you were using 6to4 instead of Teredo, would you need two IP addresses on the DirectAccess
server?
Answer: No. DirectAccess will first use Teredo, and then will try 6to4.If 6to4 fails, DirectAccess will
then try HTTPs.
Resources
DirectAccess Components
Additional Reading: For more information, visit the following links:

IPv6 - Technology Overview
Remote Access (DirectAccess, Routing and Remote Access) Overview
DirectAccess Tunneling Protocol Options
Additional Reading: For more information, visit the following links:

IPv6 Transition Technologies
Networking and Access Technologies
http://go.microsoft.com/fwlink/?LinkId=169500
[MS-IPHTTPS]: IP over HTTPS (IP-HTTPS) Tunneling Protocol
Demonstration: Running the Getting Started Wizard

Demonstration Steps
Configure Active Directory requirements
1. On LON-DC1, on the taskbar, click the Server Manager console.
2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory
Users and Computers.
3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and
then click Organizational Unit.
4. In the New Object Organizational Unit dialog box, in the Name text box, type DA_Clients OU,
and then click OK.
5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
6. In the New Object - Group dialog box, in the Group name text box, type DA_Clients.
7. Under Group scope, ensure that Global is selected, under Group type, ensure that Security is
selected, and then click OK.
8. In the details pane, right-click DA_Clients, and then click Properties.
9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
11. In the Enter the object names to select (examples) text box, type LON-CL1, and then click OK.
12. Verify that LON-CL1 displays under Members, and then click OK.
13. Close the Active Directory Users and Computers console.
Configure the DirectAccess server

1. Switch to LON-RTR.
2. In Server Manager, click Tools, and then click Remote Access Management.
3. In the Remote Access Management Console, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, in the Type the public name or IPv4 address used by clients to
connect to the Remote Access server text box, type 131.107.0.10, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPO objects are created, DirectAccess Server
Settings and DirectAccess Client settings.
9. Next to Remote Clients, click the Change link.
10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.
11. Click Add, type DA_Clients, and then click OK.
12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
13. On the DirectAccess Client Setup page, click Finish.

14. On the Remote Access Review page, click OK.
15. On the Configure Remote Access page, click Finish to finish the DirectAccess Wizard.
16. In the Applying Getting Started Wizard Settings dialog box, click Close.
Validate the DirectAccess deployment

1. When you configured the DirectAccess server, the wizard created two GPOs and linked them to the
domain. To apply them, on LON-CL1, on the Start screen, type cmd, and then press Enter.
2. In the Command Prompt window, type the following command, and then press Enter:
gpupdate /force
gpresult /R
4. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as
Adatum\Administrator with the password Pa$$w0rd, and then repeat steps 3 and 4 on LON-
CL1.
netsh name show effectivepolicy
6. Verify that following message displays: DNS Effective Name Resolution Policy Table Settings.
Note: DirectAccess settings are inactive when this computer is in a corporate network.
7. Right-click the Start button, and then click Control Panel.

8. In Control Panel, click View Network Status and Tasks.
9. In the Network and Sharing Center window, click Change adapter settings.
10. Right-click Ethernet, and then click Disable.
11. Right-click Ethernet 2, and then in the Networks dialog box, click Enable.
12. In the Networks dialog box, click Yes.

13. Right-click Ethernet 2, and then click Properties.
14. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
15. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, ensure that the following
details display, and then click OK.
IP address: 131.107.0.20
Subnet mask: 255.255.255.0

Preferred DNS server: 131.107.0.100
16. In the Ethernet 2 Properties dialog box, click OK.
Verify connectivity to the internal network resources

1. On LON-CL1, on the taskbar, click the Windows Internet Explorer icon.
2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter.

3. Verify that the default IIS 8.0 web page for LON-SVR1 displays.
4. Leave the Internet Explorer window open.
5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access
the folder content.
7. Click the Start screen type cmd, and then press Enter.
ipconfig
Note: Notice the IP address for Tunnel adapter is IPHTTPSInterface starting with 2002.
This is an IP-HTTPS address.
Verify connectivity to the DirectAccess server

Netsh name show effectivepolicy
2. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
Powershell
4. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Note: Review the DirectAccess client settings.
Verify client connectivity to the DirectAccess server

2. Switch to the Remote Access Management Console.
3. In the console pane, click Remote Client Status.
Note: Notice that client is connected via IPHTTPS. In the Connection Details pane, in the
bottom-right of the screen, note the use of Kerberos authentication for the machine and the
user.
Demonstration: Identifying the Getting Started Wizard Settings

Demonstration Steps
Review the configuration changes in the Remote Access Management Console
1. On LON-RTR, open the Server Manager console, click Tools, and then click Remote Access
Management.
2. In the Remote Access Management Console, in the left pane, click DirectAccess and VPN.
3. In the Remote Access Setup window, under the image of the client computer named Step 1 Remote
Clients, click Edit.
4. In the DirectAccess Client Setup window, click Deployment Scenario, and review the default settings.
Click Select Groups, and record the default settings. Click Network Connectivity Assistant, and
then record the default settings.
5. Click Cancel, and then click OK.
6. In the Remote Access Setup window, under the image of the client computer named Step 2 Remote
Access Server, click Edit.
7. In the Remote Access Server Setup window, click Network Topology, and record the default settings.
8. Click Network Adapters, and record the default settings.
9. Click Authentication, and record the default settings.

11. In the Remote Access Setup window, under the image of the client computer named Step 3
Infrastructure Servers, click Edit.
12. In the Infrastructure Server Setup window, click Network Location Server, and record the default
settings.
13. Click DNS, and review the default settings.

14. Click DNS Suffix Search List, and record the default settings.
15. Click Management, and review the default settings.

17. In the Remote Access Setup window, under the image of the client computer named Step 4
Application Servers, click Edit.
18. In the DirectAccess Application Server Setup window, review the default settings, click Cancel, and
then click OK.
Review the infrastructure changes in the Group Policy Management Console

1. On LON-RTR, click the Server Manager icon, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Adatum.com, and notice that two new Group
Policy objects are created: DirectAccess Client Settings, and DirectAccess Server Settings.
3. In the navigation pane, click the DirectAccess Server Settings GPO.
4. In the Group Policy Management Console dialog box, click OK, and then in the details pane, click
the Settings tab.
5. In the details pane, under Computer Configuration (Enabled), in the Security Settings row, click
show link on the right side, and then in the Windows Firewall with Advanced Security row, click
the show link.
6. Notice that there are three groups of firewall settings configured for the DirectAccess servers: Global
Settings, Inbound Rules, and Connection Security Settings.
7. In the Global Settings row, click the show link, and then review the IPsec ICMP exception setting.
8. In the Inbound Rules row, click the show link, and then review the following settings:
o Core Networking IPHTTPS (TCP-In). This rule allows the inbound IP-HTTPS traffic to provide
connectivity across HTTP proxies and firewalls.
o Domain Name Server (UDP-In), and Domain Name Server (TCP-In). These rules allow traffic
to the DNS64 server that is deployed on the Remote Access server. Notice the IPv6 address in the
rules. It is the address of the London_Network adapter on LON-RTR, which you can verify by
running the ipconfig /all command in the Windows PowerShell window
9. In the Connection Security Settings row, click the show link, and then in the Rules row, click the
show link. Review the following settings:
o DirectAccess Policy-DaServerToCorpSimplified. Review the IPv6 address prefixes, and
compare them with the IPv6 address prefixes you recorded in step 7 of the previous section in
this demonstration. Notice that they are the same prefixes that you configured in the Getting
Started Wizard.
10. In the Rules row, click the hide link.
11. Under the Connection Security Settings row, in the First Authentication row, click the show link,
and then review the Kerberos authentication setting.
12. Repeat step 11 for Second Authentication, Key Exchange (Main Mode), and Data Protection
(Quick Mode).
13. In the navigation pane, click the DirectAccess Client Settings GPO.
14. In the Group Policy Management Console dialog box, click OK, and then in the details pane, click
the Settings tab.
15. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, click the
show link on the right side. In the Public Key Policies/Trusted Root Certification Authorities row,
click the show link, and then in the Certificates row, click the Show link. Notice that the GPO is
configuring the DirectAccess client computers to trust the self-signed certificates with the IP address
of 131.107.0.10 and the name of DirectAccess-NLS.Adatum.com.
16. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, and in
the Windows Firewall with Advanced Security row, click the show link.
17. Notice that there are three groups of firewall settings configured for the DirectAccess clients: Global
Settings, Outbound Rules, and Connection Security Settings.
18. In the Global Settings row, click the show link, and then review the IPsec ICMP exception setting.
19. In the Outbound Rules row, click the show link, and then review the following settings:
Core Networking IP-HTTPS (TCP-Out). This rule allows the outbound IP-HTTPS traffic to
provide connectivity across HTTP proxies and firewalls.
20. In the Connection Security Settings row, click the show link, and then in the Rules row, click the
show link.
21. Review the three rules, and then compare the IPv6 address prefixes with the IPv6 address prefixes that
you recorded in step 7 in the previous section of this demonstration. Notice that they are the same
prefixes that you configured with the Getting Started Wizard.
22. In the Rules row, click the hide link.
23. Under the Connection Security Settings row, in the First Authentication row, click the show link,
and then review the Kerberos authentication setting.
24. Repeat step 23 for Second Authentication, Key Exchange (Main Mode) and Data Protection
(Quick Mode).
25. Close the Group Policy Management console.
26. On LON-DC1, click the Server Manager icon.
27. In Server Manager, click Tools, and then click DNS.

28. In the Domain Name System (DNS) Manager console, in the navigation pane, expand Forward
Lookup Zones, expand Adatum.com, and then review the host (A and AAAA) resource records for
the following hosts:
o directaccess-corpConnectivityHost
o DirectAccess-NLS
The Getting Started Wizard creates these records.
Lesson 3
Implementing and Managing an Advanced
DirectAccess Infrastructure
Contents:
Resources 13
Demonstration: Modifying the DirectAccess Infrastructure 13
Demonstration: Monitoring and Troubleshooting DirectAccess Connectivity 14
Resources
Integrating a PKI with DirectAccess
Additional Reading: Active Directory Certificate Services

Considerations for Configuring Internal Network Connectivity for

DirectAccess Clients
Additional Reading: For more information, visit the following link:

Step 2: Plan the Remote Access Deployment
How to Troubleshoot DirectAccess Connectivity
Additional Reading: DirectAccess Capacity Planning

Demonstration: Modifying the DirectAccess Infrastructure

Demonstration Steps
Configure the Remote Access role
1. On LON-RTR, in Server Manager, on the Tools menu, click Remote Access Management.
2. In the Remote Access Management window, click DirectAccess and VPN.

3. Click Edit on Step 1 to select which clients will use DirectAccess.
4. On the Deployment Scenario page, click Next.
5. Under Select Groups, in the details pane, ensure that the Enable DirectAccess for mobile
computers only checkbox is cleared, and then click Next.
Note: In a real-world scenario, you might choose a security group instead allowing
DirectAccess for all domain computers.
6. On the Network Connectivity Assistant page, double-click the empty row under the Resource
column.
7. In the Configure Corporate Resources for NCA dialog box, verify that HTTP is selected, and then
type https://lon-svr1.adatum.com. Click Validate, and then click Add.
8. On the Network Connectivity Assistant page, click Finish to close configuration for Step 1.
9. Click Edit on Step 2.

10. On the Network Topology page, verify that Edge is selected, type 131.107.0.10, and then click
Next.
11. On the Network Adapters page, select Use a self-signed certificate created automatically by
DirectAccess, verify that CN=131.107.0.10 is used as a certificate to authenticate IP-HTTPS
connections, and then click Next.
12. On the Authentication page, click Use computer certificates, click Browse, click AdatumCA, and
then click OK.
13. Click Enable Windows 7 client computers to connect via DirectAccess, and then click Finish to
close configuration for Step 2.
14. In the Remote Access Setup pane, under Step 3, click Edit.
15. On the Network Location Server page, click The network location server is deployed on a
remote web server (recommended), type https://lon-svr1.adatum.com, click Validate, and then
click Next.
16. On the DNS page, click Next.

17. On the DNS Suffix Search List page, click Next.
18. On the Management page, click Finish to close configuration for Step 3.
19. Under Step 4, click Edit.

20. On the DirectAccess Application Server Setup page, click Finish.
21. Click Finish to apply the changes.
22. On the Remote Access Review page, click Cancel.
Note: The DirectAccess configuration is not applied, because additional prerequisites need
to be configured, such as Active Directory configuration, firewall settings, and certificate
deployment. You will perform complete DirectAccess configuration in the lab..
Demonstration: Monitoring and Troubleshooting DirectAccess

Connectivity
Demonstration Steps
2. On LON-RTR, open the Remote Access Management Console, and then in the left pane, click
Dashboard.
3. Review the information in the central pane, under DirectAccess and VPN Client Status.
4. In the left pane, click Remote Client Status, and then in the central pane, review the information
under the Connected Clients list.
5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.
6. In the Configure Accounting window, under Select Accounting Method, click Use inbox accounting,
click Apply, and then click Close.
7. In the central pane, under Remote Access Reporting, review the options for monitoring historical
data.

Best Practices
Although DirectAccess was available in the Windows Server 2008 R2 edition, Windows Server
2012 introduces new features for improved manageability, ease of deployment, and improved
scale and performance.
Monitoring of the environment is now much easier with support of Windows PowerShell,
Windows Management Instrumentation (WMI), GUI monitoring, and Network Connectivity
Assistant on the client side.
One of the best enhancements is that DirectAccess can now access IP4 servers on your network
without needing to implement IPv6, because your DirectAccess server acts as a proxy.
Consider integrating DirectAccess with your existing Remote Access solution because Windows
Server 2012 can implement DirectAccess server behind a NAT device, which is the most common
remote access server (RAS) solution for organizations.
Review Question(s)
Question: What remote access solutions can you deploy by using Windows Server 2012 R2?
Answer: In the Windows Server 2012 R2 operating system, you can deploy the following remote
access solutions: DirectAccess, VPN, Routing, and Web Application Proxy.
Question: What are the main benefits of using DirectAccess for providing remote connectivity?
Answer: The main benefits of using DirectAccess for providing remote connectivity are as
follows:
Always-on connectivity. When the user is connected to the Internet, the user is also
connected to the intranet.
Seamless user experience. Same user experience regardless of whether connected locally
or remotely.
Bidirectional access. When the client computer is accessing the intranet, the computer is
also connected and managed.
Improved security. Administrators can set and control the intranet resources that are
accessible through DirectAccess.
Question: How do you configure DirectAccess clients?
Answer: To configure DirectAccess clients, use Group Policy. When you use the Configure
Remote Access Wizard to configure DirectAccess, two GPOs are created and linked to the
domain. These two GPOs define DirectAccess-related settings, and are applied on DirectAccess
clients.
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Answer: When the DirectAccess client computer tries to locate the NLS server, if the DirectAccess
client computer can contact the NLS server, the DirectAccess client computer assumes it is on the
internal network. If the DirectAccess client computer cannot contact the NLS server, the
DirectAccess client computer assumes it is on the Internet. In organizations where DirectAccess is
a business-critical solution, the NLS should be a highly-available web server, because NLS server
availability is important for DirectAccess client computers to determine if they are located on an
internal network or on the Internet.
Question: What is the use of an NRPT?

Answer: The NRPT stores a list of DNS namespaces and their corresponding configuration
settings. These settings define the DNS server to contact, and the DNS client behavior for that
namespace.
Question: What type of remote access solutions you can provide by using VPN in Windows Server 2012?
Answer: You can configure the following remote access solutions by using VPN in Windows
Server 2012:
Secure remote access to internal network resources for users located on the Internet. The
users act as VPN clients that are connecting to Windows Server 2012 VPN server.
Secure communication between network resources located on different geographical

locations (or sites). This solution is called site-to-site VPN. In each site, Windows Server
2012 acts as a VPN server that encrypts communication between the sites.
Tools
Tool Use for Where to find it
Remote Access Managing DirectAccess and VPN Server Manager/Tools

Management Console
Routing and Remote Managing VPN and routing Server Manager/Tools

Access Console
Remote Access Getting A graphical tool that simplifies the Server Manager/Tools/Remote
Started Wizard configuration of DirectAccess Access Management Console
Dnscmd.exe A command-line tool used for Run from command-line

DNS management
Services.msc Used for displaying, starting, Server Manager/Tools

stopping or restarting Windows
Server operating system services.
Gpedit.msc Managing Group Policy objects. Run from command-line
IPconfig.exe A command-line tool that displays Run from command-line

current TCP/IP network
configuration
DNS Manager console Helps in configuring name Server Manager/Tools

resolution
Mmc.exe Helps in the creation and Run from command-line

management of the Management
Console
Gpupdate.exe Helps in managing Group Policy Run from command-line

application
Active Directory Users Is useful in configuring group Server Manager/Tools

and Computers membership for client computers
that will be configured with
DirectAccess

You have configured DirectAccess, but Basic troubleshooting experience is

users are complaining of connectivity integrated in the Network Connectivity
issues. You want to troubleshoot those Assistant. Therefore, educate users how to
issues more efficiently. use it to determine what is preventing the
client computer from communicating with
the DirectAccess server.
The DirectAccess client tries to connect to If you are using Teredo as the IPv6
the DirectAccess server by using IPv6 and transition technology, check whether you
IPsec with no success. have two public addresses on the external
network adapter of the DirectAccess server,
which is required for establishing two IPsec
tunnels.

Lab: Implementing DirectAccess
Question: Why did you make the CRL available on LON-RTR?

Answer: You made the CRL available on LON-RTR so that the DirectAccess clients connecting
through the Internet can access the CRL.
Question: Why did you install a certificate on the client computer?
Answer: Without a certificate, the DirectAccess server cannot identify and authenticate the client.
Implementing Failover Clustering 6-1
Module 6
Implementing Failover Clustering
Contents:
Lesson 1: Overview of Failover Clustering 2
Lesson 2: Implementing a Failover Cluster 4
Lesson 3: Configuring Highly-Available Applications and Services on a Failover Cluster 6
Lesson 4: Maintaining a Failover Cluster 8

Lesson 1
Overview of Failover Clustering
Contents:
Resources 3
Resources
Failover Cluster Storage
Reference Links: For more information about clustered storage spaces, see Deploy
Clustered Storage Spaces by visiting the following link:
Reference Links: For more information on failover cluster requirements, see
Understanding Requirements for Failover Clusters by visiting the following link:
What Are Cluster Shared Volumes?

Additional Reading:
For more information about the Server Message Block 3.0 feature in Windows Server 2012, see
Server Message Block overview by visiting the following link:
For more information about Storage Spaces, see Storage Spaces Overview by visiting the following
link: http://go.microsoft.com/fwlink/?linkID=269680
Lesson 2
Implementing a Failover Cluster
Contents:
Demonstration: Validating and Configuring a Failover Cluster 5
Demonstration: Validating and Configuring a Failover Cluster

Demonstration Steps
1. On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Failover Cluster Manager, in the console tree, ensure that Failover Cluster Manager is
selected.
3. Under Management, click Validate Configuration, and then click Next.
4. In the Enter name field, type LON-SVR3, and then click Add.
5. In the Enter name field, type LON-SVR4, click Add, and then click Next.
6. Verify that Run all tests (recommended) is selected, and click Next.
7. In the Confirmation window, click Next.
8. Wait for the validation tests to finish, and then in the Summary window, click View Report. Review
the results of validation. Discuss any warnings, and explain why they displayed.
9. Close the report window, clear the Create the cluster now using the validated nodes check box,
and then click Finish.
10. On LON-SVR3, in Failover Cluster Manager, in the Management section of the center pane, click
Create Cluster.
11. Read the Before You Begin information page, and then click Next.
12. Type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.
13. Verify the entries, and then click Next.
14. In the Access Point for Administering the Cluster section, enter Cluster1 as the Cluster Name.
15. Under Address, type 172.16.0.125 as the IP address, and then click Next.
16. On the Confirmation page, verify the information, and then click Next.
17. On the Summary page, click Finish to return to the Failover Cluster Manager.
Lesson 3
Configuring Highly-Available Applications and
Services on a Failover Cluster
Contents:
Demonstration: Clustering a File Server Role 7
Demonstration: Clustering a File Server Role

Demonstration Steps
1. On LON-SVR3, open Failover Cluster Manager.
2. Expand Cluster1.adatum.com, expand Storage, and then click Disks.
3. Verify that three cluster disks are available.

4. Right-click Roles, and then click Configure Role.
5. In the Configure Role Wizard, on the Before You Begin page, click Next.
6. On the Select Role page, click File Server, and then click Next.
7. On the File Server Type page, click File Server for general use, and then click Next.
8. On the Client Access Point page, in the Name box, type AdatumFS, in the Address box, type
172.16.0.130, and then click Next.
9. On the Select Storage page, click Cluster Disk 2, and then click Next.
10. On the Confirmation page, click Next.
11. On the Summary page, click Finish.

Lesson 4
Maintaining a Failover Cluster
Contents:
Demonstration: Configuring Cluster-Aware Updating 9
Demonstration: Configuring Cluster-Aware Updating

Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.

5. On the Select server roles page, click Next.

6. On the Select features page, in the list of features, click Failover Clustering.
7. In Add features that are required for Failover Clustering? dialog box, click Add Features, and
then click Next.
10. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
11. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, click
CLUSTER1, and then click Connect.
12. In the Cluster Actions pane, click Preview updates for this cluster.
13. In the Cluster1-Preview Updates window, click Generate Update Preview List.
Note: Explain that updates are pulled from WSUS server.
14. After few minutes, updates will display in the list. Review updates, and then click Close.
15. In the Cluster Actions pane, click Create or modify Updating Run Profile.
16. Review and explain available options. Do not make any changes. When you are finished, click Close.
17. Click Apply updates to this cluster.
18. On the Getting Started page, click Next.

19. On the Advanced options page, review options for updating, and then click Next.
20. On the Additional Update Options page, click Next.
21. On the Confirmation page, click Update, and then click Close.
22. In the Cluster nodes pane, review the updating progress window.
Note: Emphasize that one node of the cluster is in a Waiting state, while the other node is
restarting after it updates.
23. Wait until the updating process finishes.
Note: This may require restart of both nodes, and it can take up to 10 minute to complete.
24. Sign in to LON-SVR3 with the user name Adatum\Administrator and the password Pa$$w0rd.
25. On LON-SVR3, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
26. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
click Cluster1, and then click Connect.
27. Click Configure cluster self-updating options.

28. On the Getting Started page, click Next.
29. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
30. In the Specify self-updating schedule area, click Weekly, in the Time of Day drop-down list, click
4:00 AM, in the Day of the week drop-down list, click Sunday, and then click Next.
31. On the Advanced Options page, click Next.

32. On the Additional Update Options page, click Next.
33. On the Confirmation page, click Apply.

Best Practices
Try to avoid using a quorum model that depends just on the disk for Hyper-V high availability or
Scale-Out File Server.
Perform regular backups of cluster configuration.
Ensure that in case of one node failure, other nodes can manage the load.
Carefully plan multisite clusters.
Review Question(s)
Question: Why is using a disk-only quorum configuration generally not a good idea?
Answer: The failover cluster stops functioning if the logical unit numbers (LUN) that is used as
the disk for the quorum fails. Even if all the other resources are available (including the disk for
the applications), nodes do not provide service when the quorum disk is not available.
Question: What is the purpose of CAU?
Answer: CAU enables administrators to update cluster nodes automatically with little or no loss
in availability during the update process.
Question: What is the main difference between synchronous and asynchronous replication in a multisite
cluster scenario?
Answer: When you use synchronous replication, the host receives a write-complete response
from the primary storage after the data is written successfully on both storage systems. If the
data is not written successfully to both storage systems, the application must attempt to write to
the disk again. With synchronous replication, both storage systems are identical.
When you use asynchronous replication, the node receives a write-complete response from the storage
after the data is written successfully on the primary storage. The data is written to the secondary
storage on a different schedule, depending on the hardware or software vendors
implementation.
Question: What is an enhanced feature in multisite clusters in Windows Server 2012?
Answer: In Windows Server 2012, you can adjust cluster quorum settings so that nodes do or do
not have a vote when the cluster determines whether it has quorum.

Your organization is considering the use of a geographically dispersed cluster that includes an alternate
data center. Your organization has only a single physical location, together with an alternate data center.
Can you provide an automatic failover in this configuration?
Answer: No, you cannot provide an automatic failover in this configuration. To provide an automatic
failover, you must have at least three separate sites.
Tools
The tools for implementing failover clustering include:
Failover Cluster Manager console

Cluster-Aware Updating console
Windows PowerShell
Server Manager
iSCSI initiator
Disk Management

Cluster Validation Wizard reports an error Review the report that Cluster Validation
Wizard provides and determine the
problem.
Create Cluster Wizard reports that not all Review installed roles and features on
nodes support the desired clustered role cluster nodes. The clustered role must be
installed on each cluster node.
You cannot create a Print Server cluster This is not supported in Windows Server
2012. You should use other technologies to
provide a highly-available print server.

Lab: Implementing Failover Clustering

Question: What information do you have to collect as you plan a failover cluster implementation and
choose the quorum mode?
Answer: You have to collect information such as the:

Number of applications or services that you will deploy on the cluster.
Performance requirements and characteristics for each application or service.
Number of servers that must be available to meet the performance requirements.

Location of the users who use the failover cluster.
Type of storage that the shared cluster storage will use.
Question: After running the Validate a Configuration Wizard, how can you resolve the network
communication single point of failure?
Answer: You can resolve the network communication single point of failure by adding network
adapters on a separate network. This provides communication redundancy between cluster
nodes.
Question: In which situations might it be important to enable failback of a clustered application only
during a specific time?
Answer: Setting the failback to a preferred node at a specific time is important when you have to
ensure that the failback does not interfere with client connections, backup windows, or other
maintenance that a failback would interrupt.
Implementing Hyper-V 7-1
Module 7
Implementing Hyper-V
Contents:
Lesson 1: Configuring Hyper-V Servers 2
Lesson 2: Configuring Hyper-V Storage 4
Lesson 3: Configuring Hyper-V Networking 7
Lesson 4: Configuring Hyper-V Virtual Machines 9

Lesson 1
Configuring Hyper-V Servers
Contents:
Resources 3
Demonstration: Configuring Hyper-V Settings 3
Resources
New Hyper-V Features in Windows Server 2012 R2
Additional Reading: Whats New in Hyper-V in Windows Server 2012 R2

Hyper-V Integration Services
Additional Reading: Note that the Hyper-V support for the Windows XP operating system
ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in
July 2015. Visit the following website for a list of supported Hyper-V virtual-machine guest
operating systems on Windows Server 2012:
Hyper-V Overview
http://go.microsoft.com/fwlink/?linkid=272334
Best Practices for Configuring Hyper-V Hosts
Additional Reading: Tip: 6 Best Practices for Physical Servers Hosting Hyper-V Roles
Demonstration: Configuring Hyper-V Settings

Demonstration Steps
1. Sign in to LON-HOST1 with user name Adatum\Administrator and the password Pa$$w0rd.
2. On the Tools menu, click Hyper-V Manager.

3. In the navigation pane, right-click LON-HOST1, and then click Hyper-V Settings.
4. Click Virtual Hard Disks. Show how to change the location of the default virtual hard disks folder.
5. Click Virtual Machines. Show how to change the location of the default virtual machine
configuration files folder.
6. Click Physical GPUs. Explain that the Remote Desktop Virtualization Host role service must be
installed before you can enable RemoteFx and GPU management.
7. Click NUMA Spanning. Explain that when you enable NUMA spanning, servers take advantage of
non-uniform memory access (NUMA) performance optimizations.
Note: Mention that Live Migrations, Storage Migrations, and Replication Configuration is
discussed in Module 8: Implementing Failover Clustering with Hyper-V.
Lesson 2
Configuring Hyper-V Storage
Contents:
Resources 5
Demonstration: Managing Virtual Hard Disks in Hyper-V 5
Resources
Virtual Hard Disks in Hyper-V
Additional Reading: Hyper-V Virtual Hard Disk Format Overview

Storage on SMB 3.0 File Shares
Additional Reading: Server Message Block overview

Fibre Channel Support in Hyper-V
Additional Reading: Hyper-V Virtual Fibre Channel Overview

Demonstration: Managing Virtual Hard Disks in Hyper-V

Demonstration Steps
1. On the taskbar, click File Explorer.
2. Click Computer, and browse to the following location: E:\Program Files\Microsoft Learning\Base.
(Note: The drive letter may depend upon the number of drives on the physical host machine.)
3. Verify that the Base14A-WS12R2.vhd hard disk image file is present.
4. Click the Home tab, and click the New Folder icon twice to create two new folders. Right-click each
folder, and rename each folder to the names listed below:
o LON-GUEST1
o LON-GUEST2
5. Close File Explorer.
6. Switch to the Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\

12. On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning\Base\
Base14A-WS12R2.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.

14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter.
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2, and then press Enter.
New-VHD E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd -

ParentPath E:\Program Files\Microsoft Learning\Base\Base14A-WS12R2.vhd.vhd
16. Close the PowerShell window.

17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base14A-
WS12R2.vhd as a parent, and then click Close.
Lesson 3
Configuring Hyper-V Networking
Contents:
Resources 8
Demonstration: Configuring a Public and a Private Network Switch 8
Resources
What Is a Hyper-V Virtual Switch?
Additional Reading: Hyper-V Virtual Switch Overview

Virtual Switch Enhancements in Windows Server 2012 R2
Additional Reading: What's New in Hyper-V Virtual Switch for Windows Server 2012 R2
What Is Network Virtualization?
Additional Reading: Hyper-V Network Virtualization Overview

Demonstration: Configuring a Public and a Private Network Switch

Demonstration Steps
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External
is selected, and click Create Virtual Switch.
3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the
following information, and then click OK:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Varies depending
on host computer.
4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
5. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
6. Under Virtual Switches, select New virtual network switch.

7. Under Create virtual switch, select Private, and then click Create Virtual Switch.
8. In the Virtual Switch Properties section, configure the following settings, and then click OK:
o Name: Private Network

o Connection type: Private network
Lesson 4
Configuring Hyper-V Virtual Machines
Contents:
Resources 10
Demonstration: Creating a Virtual Machine 10
Resources
How Dynamic Memory Works in Hyper-V
Additional Reading: Hyper-V Dynamic Memory Overview

Demonstration: Creating a Virtual Machine

Demonstration Steps
1. In the Hyper-V Manager, on the Actions pane, click New, and then click Virtual Machine.
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
4. On the Specify Generation page, click Next.
5. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and then click Next.
6. On the Configure Networking page of the New Virtual Machine Wizard, select Private Network,
7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse,
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open, and click Finish.
8. On the taskbar, click the PowerShell icon.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
10. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
New-VM Name LON-GUEST2 MemoryStartupBytes 1024MB VHDPath E:\Program

Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd SwitchName Private
Network
11. Close the Windows PowerShell window.

12. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click
Settings.
13. In the Settings for the LON-GUEST2 dialog box, click Automatic Start Action, and then set the
Automatic Start Action setting to Nothing.
14. In the Settings for the LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action setting to Shut down the guest operating system.
15. To close the Settings for the LON-GUEST2 dialog box, click OK.

Review Question(s)
Question: In which situations should you use a fixed-memory allocation rather than dynamic memory?
Answer: You should use fixed-memory allocation in the following situations:

When the guest operating system or application does not support dynamic memory.
When the host operating system has limited memory resources and you need to ensure that
operating systems receive a fair allocation of memory.
Question: In which situations must you use virtual hard disks in VHDX format as opposed to virtual hard
disks in VHD format?
Answer: You should use the VHDX format rather than the VHD format in the following
situations:
You need to support virtual hard disks larger than 2 TB. VHDX files can be a maximum of 64
terabytes in size.
You need to protect against data corruption caused by power failures. VHDX format is less
likely to become corrupted in the event of unexpected power failure because of the way the
file format processes updates.
You need to deploy a virtual hard disk to a large sector disk.
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a
file share. What operating system must the file server be running to support this configuration?
Answer: You can only deploy virtual hard disks to file shares that support SMB 3.0. Only the
Windows Server 2012 operating system supports hosting SMB 3.0 file shares.

You need to ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual
machines paging the hard disk drive because they are provisioned with inadequate memory will decrease
performance for all virtual machines on the Hyper-V host.
In addition, monitor virtual machine performance carefully. One virtual machine that uses a
disproportionate amount of server resources can adversely impact the performance of all other virtual
machines that the Hyper-V server hosts.
Tools
Tool Used for Where to find it
The Sysinternals Convert physical hard disks to Microsoft TechNet website

disk2vhd tool VHD format Sysinternals Suite
Virtual Machine Manage virtual machines Microsoft TechNet website

Manager 2012 across multiple Hyper-V Virtual Machine Manager
servers
Perform online physical to
virtual conversions; (However,
Virtual Machine Manager 2012
R2 does not support physical-
to-virtual conversions.)
Tool Used for Where to find it

Cannot deploy Hyper-V on x64 processor Processor does not support hardware-assisted
virtualization.
Virtual machine does not use dynamic Operating system may not support dynamic memory. In
memory some cases, applying a service pack or installing virtual
machine integration services will resolve this issue.

Lab: Implementing Server Virtualization with Hyper-V

Question: What type of virtual network switch would you create if you wanted to allow the virtual
machine to communicate with the LAN that is connected to the Hyper-V host?
Answer: You would create an external virtual network switch if you wanted to allow the virtual
machine to communicate with the local area network that is connected to the Hyper-V host.
Question: How can you ensure that one single virtual machine does not use all available bandwidth that
the Hyper-V host provides?
Answer: To ensure that no one single virtual machine uses all available bandwidth that the
Hyper-V host provides, you must configure maximum and minimum bandwidth settings on
virtual network adapters.
Question: What dynamic-memory configuration task can you perform on a virtual machine hosted on
Windows Server 2012 Hyper-V that was not possible on Hyper-V 2.0?
Answer: You can modify dynamic memory settings while the virtual machine is running on
Windows Server 2012 Hyper-V. You could not do this on previous versions of Hyper-V.
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-1
Module 8
Implementing Failover Clustering with Windows Server 2012
R2 Hyper-V
Contents:
Lesson 1: Overview of the Integration of Hyper-V Server 2012 with Failover Clustering 2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 4
Lesson 3: Implementing Windows Server 2012 Hyper-V Virtual Machine Movement 6

Lesson 4: Implementing Hyper-V Replica 8

Lesson 1
Overview of the Integration of Hyper-V Server 2012
with Failover Clustering
Contents:
Options for Making Application and Services Highly Available

Question: Do you use any high availability solution for virtual machines in your environment?
Answer: Answers may vary. For example, you can use storage replication, which is one alternative
to the Failover Clustering feature.
Lesson 2
Implementing Hyper-V Virtual Machines on Failover
Clusters
Contents:
Configuring a Shared Virtual Hard Disk

Question: What is the main benefit of using shared hard virtual disks?
Answer: If you use a shared hard virtual disk as cluster storage, you do not have to provide Fibre
Channel or Internet small computer system interface (iSCSI) connection to the virtual machines.
Implementing Scale-Out File Servers for Virtual Machines

Question: Have you considered storing virtual machines on the SMB share? Why or why not?
Answer: Answers may vary. Students will most likely emphasize performance issues as a reason
for not deploying virtual machines on the server message block (SMB) share.
Maintaining and Monitoring Virtual Machines in Clusters

Question: What are some alternative technologies that you can use for virtual machine and network
monitoring?
Answer: You can use dedicated monitoring software such as System Center Operations Manager.
Lesson 3
Implementing Windows Server 2012 Hyper-V Virtual
Machine Movement
Contents:
Virtual Machine Migration Options

Question: When will you export and import a virtual machine instead of migrating it?
Answer: If you want to move a virtual machine to the host that does not support a shared-
nothing migration, or if you do not have a cluster, you must export and import the virtual
machine; for example, if you want to move a virtual machine from Windows Server 2012 host to
the Hyper-V in Windows 8.
Lesson 4
Implementing Hyper-V Replica
Contents:
Whats New in Hyper-V Replica in Windows Server 2012 R2

Question: Do you see extended replication as a benefit for your environment?
Answer: Answers will vary.


Best Practices
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To ensure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSV volumes.
Use new features in Hyper-V Replica to extend your replication to more than one server.
Consider using Scale-Out File Servers clusters as storage for highly available virtual machines.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Review Question(s)
Question: Do you have to implement CSV in order to provide high availability for virtual machines in
VMM in Windows Server 2008 R2?
Answer: No, you do not have to implement Cluster Shared Volume (CSV) to provide high
availability. However, CSV makes it much easier to implement and manage an environment
where you have multiple Hyper-V hosts accessing multiple logical unit numbers (LUNs) on shared
storage.
Tools
Tools for implementing Failover Clustering with Hyper-V include:
Failover Cluster Manager
Hyper-V Manager
VMM console

Virtual machine failover fails after The CSV home folder is located on the host-server
implementing CSV and migrating the system drive. You cannot move it. If the host computers
shared storage to CSV. use different system drives, the failovers will fail because
the hosts cannot access the same storage location. All
failover cluster nodes should use the same hard-drive
configuration.
A virtual machine fails over to another All the nodes in a host cluster must have the same
node in the host cluster, but loses all networks configured. If they do not, then the virtual
network connectivity. machines cannot connect to a network when they fail
over to another node.
Four hours after restarting a Hyper-V host By default, virtual machines do not fail back to a host
that is a member of a host cluster, there computer after they have migrated to another host.
are still no virtual machines running on the You can enable failback on the virtual machine
host. properties in Failover Cluster Management, or you can

implement the Performance and Resource Optimization
feature in VMM.

Lab: Implementing Failover Clustering with Windows Server 2012 Hyper-V

Question: How can you extend Hyper-V Replica in Windows Server 2012 R2?
Answer: You can use the extended replication feature to add a third host machine that can
replicate with passive copy and with a configurable replication timeout.
Question: What is the difference between Live Migration and Storage Migration?
Answer: In Live Migration, you move the machine from one host to another; however, in Storage
Migration, you move virtual machine storage, and optionally, configuration files to another
location on the same server.
Implementing Secure Data Access for Users and Devices 9-1
Module 9
Implementing Secure Data Access for Users and Devices
Contents:
Lesson 2: Implementing DAC Components 2
Lesson 3: Implementing DAC for Access Control 6
Lesson 4: Implementing Access-Denied Assistance 9
Lesson 5: Implementing and Managing Work Folders 11

Lesson 2
Implementing DAC Components
Contents:
Demonstration: Configuring Claims, Resource Properties, and Rule s 3
Demonstration: Configuring Classification Rules 5
Demonstration: Configuring Claims, Resource Properties, and Rules

Demonstration Steps
1. On LON-DC1, in the Server Manager click Tools and then open Active Directory Administrative
Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, click department.
5. In the Display name text box, type Company Department.
6. Select both User and Computer check boxes, and then click OK.
7. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.
8. In the Create Claim Type window, in the Source Attribute section, click description.
9. Clear the User check box, select the Computer check box, and then click OK.
10. In the Active Directory Administrative Center, click Dynamic Access Control.
11. In the central pane, double-click Resource Properties.
12. In the Resource Properties list, right-click Department, and then click Enable.
13. In the Resource Properties list, right-click Confidentiality, and then click Enable.
14. Double-click Department.
15. Scroll down to the Suggested Values section, and then click Add.
16. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK two times.
17. Click Dynamic Access Control, and then double-click Resource Property Lists.
18. In the central pane, double-click Global Resource Property List.
19. Ensure that both Department and Confidentiality appear in the Resource Properties list, and then click
Cancel. If they do not appear, click Add, add these two properties, and then click OK.
20. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
21. In the Tasks pane, click New, and then click Central Access Rule.
22. In the Create Central Access Rule dialog box, in the Name field, type Department Match.
23. In the Target Resources section, click Edit.
24. In the Central Access Rule dialog box, click Add a condition.
25. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
26. In the Permissions section, click Use following permissions as current permissions.
27. In the Permissions section, click Edit.

28. Remove permission for Administrators.
29. In Advanced Security Settings for Permissions, click Add.
30. In Permission Entry for Permissions, click Select a principal.

31. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
33. Click Add a condition.
34. Click the Group drop-down list box, and then click Company Department.
35. Click the Value drop-down list box, and then click Resource.
36. In the last drop-down list box, click Department, and then click OK three times.
Note: You should have this expression as a result: User-Company Department-Equals-

Resource-Department.
37. In the Tasks pane, click New, and then click Central Access Rule.
38. For the name of rule, type Access Confidential Docs.

39. In the Target Resources section, click Edit.
40. In the Central Access Rule window, click Add a condition.
41. In the last drop-down list box, click High, and then click OK.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.
42. In the Permissions section, click Use following permissions as current permissions.
43. In the Permissions section, click Edit.

44. Remove permission for Administrators.
45. In Advanced Security Settings for Permissions, click Add.
46. In the Permission Entry for Permissions, click Select a principal.

47. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
48. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
49. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a
condition.
Note: If you cannot find Managers in the last drop-down list box, click Add items. Then in
the Select user, Computer, Service Account, or Group window, type Managers, click Check
Names, and then click OK.
50. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.
Note: If you cannot find ManagersWKS in the last drop-down list box, click Add items.
Then in the Select user, Computer, Service Account, or Group window, type ManagersWKS, click
Demonstration: Configuring Classification Rules

Demonstration Steps
1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In File Server Resource Manager, expand Classification Management.
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules.
6. In the Actions pane, click Create Classification Rule.

7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
8. Click the Scope tab, and then click Add.
9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.
10. Click the Classification tab, ensure that following settings are set, and then click Configure:
Classification method: Content Classifier

Property: Confidentiality
Value: High
11. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.
12. In the Expression field, which is next to the word String, type secret, and then click OK.
13. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
14. In File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
15. Click Wait for classification to complete, and then click OK.
16. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in Report Totals section.
17. Close the report.

18. On the taskbar, click the File Explorer icon.
19. In the File Explorer window, expand drive C, and then expand the Docs folder.
20. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt contain the
word secret.
Lesson 3
Implementing DAC for Access Control
Contents:
Demonstration: Creating and Deploying Central Access Policies 7
Demonstration: Evalua ting and Managing DAC 7
Demonstration: Creating and Deploying Central Access Policies

Demonstration Steps
1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
8. Close the Active Directory Administrative Center.

9. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
10. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click Test,
and then click Create a GPO in this domain, and link it here.
11. Type DAC Policy, and then click OK.
12. Right-click DAC Policy, and then click Edit.
13. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
14. Press and hold the Ctrl button and click both Department Match and Protect confidential docs,
click Add, and then click OK.
15. Close the Group Policy Management Editor and the Group Policy Management Console.
16. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.

17. At a Windows PowerShell command-line interface command prompt, type gpupdate /force, and
then press Enter.
18. Close Windows PowerShell.

19. On the taskbar, click the File Explorer icon.
20. In File Explorer, browse to drive C, right-click the Docs folder, and then click Properties.
21. In the Properties dialog box, click the Security tab, and then click Advanced.
22. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
23. In the drop-down list box, select Protect confidential docs, and then click OK twice.
24. Right-click the Research folder, and then click Properties.
25. In the Properties dialog box, click the Security tab, and then click Advanced.
26. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
27. In the drop-down list box, click Department Match, and then click OK twice.
Demonstration: Evaluating and Managing DAC

Demonstration Steps
1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy Objects.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management Console
8. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative
Center.
9. In the navigation pane, click Dynamic Access Control.
10. Double-click Central Access Rules, right-click Department Match, and then click Properties.
11. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
12. Click Authenticated Users, and then click Edit.
13. Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.
14. Click OK twice to close all windows.

17. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
18. Close Windows PowerShell.
Lesson 4
Implementing Access-Denied Assistance
Contents:
Demonstration: Implementing Access-Denied Assistance 10
Demonstration: Implementing Access-Denied Assistance

Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.
4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.
5. In the details pane, double-click Customize message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box. Review other options, but do not make any
changes, and then click OK.
9. In the details pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types. Click Enabled, and then click OK.
10. Close the Group Policy Management Editor and the Group Policy Management Console.
11. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
12. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
Lesson 5
Implementing and Managing Work Folders
Contents:
Demonstration: Implementing Work Folders 12
Demonstration: Implementing Work Folders

Demonstration Steps
1. On LON-SVR3, in Server Manager, expand File and Storage Services, and then click Work Folders.
2. In the WORK FOLDERS tile, click Tasks, and then click New Sync Share.
3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, select Select by file share, ensure that the share you
created in the previous task (WF-Share) is highlighted, and then click Next.
5. On the Specify the structure for user folders, accept the default selection (user alias), and then click
Next.
6. On the Enter the sync share name page, accept the default, and then click Next.
7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.
8. In the Select User or Group dialog box, in the Enter the object names to select, type WFsync, click
9. On the Grant sync access to groups page, click Next.
10. On the Specify device policies page, note the selections, accept the default selection, and then click
Next.
12. On the View results page, click Close.
13. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
14. Open Server Manager, click Tools, and then click Group Policy Management.
15. Expand Forest: Adatum.com-Domains-Adatum.com, click Group Policy Objects, right-click the
Group Policy Objects container, and then click New.
16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.
18. In the Group Policy Management Editor, expand User Configuration / Policies / Administrative
Templates / Windows Components, and then click Work Folders.
19. Double-click Specify Work Folders settings in the details pane.
20. In the Specify Work Folders settings dialog box, click Enabled.
21. In the Work Folders URL text box, type https://lon-svr3.adatum.com, and then select Force
automatic setup.
22. To close the Specify Work Folders settings dialog box, click OK, and then close the Group Policy
Management Editor.
23. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO.
24. In the Select GPO window, select Work Folders GPO, and then click OK.
25. Close the Group Policy Management Console.

Best Practices
Use central access policies instead of configuring conditional expressions on resources.
Enable access-denied assistance settings.

Always test changes that you have made to Central Access Rules and central access policies before
you implement them.
Use file classifications to assign properties to files.

Use Work Folders to synchronize business data across devices.
Use Workplace Join in BYOD scenarios.
Review Question(s)
Question: What is a claim?
Answer: A claim is information that AD DS states about an object, which usually is a user or a
computer.
Question: What is the purpose of Central Access Policy?
Answer: Central access policies enable administrators to create policies that apply to one or
more file servers in an organization. Central access policies contain one or more Central Access
Policy rules. Each rule contains settings that determine applicability and permissions.
Question: What is the BYOD concept?

Answer: BYOD is the policy of permitting employees to bring personal devices, such as laptops,
tablets, and smart phones, to the workplace, and allowing employees to use those devices to
access privileged company information and applications.
Tools
Tool Use Location
Active Directory Administering and creating Administrative tools

Administrative Center claims, resource properties,
rules, and policies
Group Policy Managing Group Policy Administrative tools

Management Console
(GPMC)
Group Policy Editing GPOs GPMC

Management Editor

Claims are not populated with the Verify that the correct attribute is selected for the claim.
appropriate values. In addition, check that the attribute value for a specific
object is populated.
A conditional expression does not allow Verify that the expression is well defined. In addition, try

access. using the Effective Access tab to troubleshoot the
problem.

Lab: Implementing Secure File Access

Question: How do file classifications enhance the usage of DAC?
Answer: By using file classifications, you can set attributes on files automatically, and then use
these attributes in conditional expressions when you implement DAC.
Question: Can you implement DAC without Central Access Policy?
Answer: Yes, you can set conditional expressions directly on resources.
Implementing Active Directory Domain Services 10-1
Module 10
Implementing Active Directory Domain Services
Contents:
Lesson 1: Deploying AD DS Domain Controllers 2
Lesson 3: Implementing Service Accounts 4
Lesson 5: Overview of Windows Azure Active Directory 6
Lesson 6: Maintaining AD DS 8
Lesson 1
Deploying AD DS Domain Controllers
Contents:
Resources 3
Resources
What is New in AD DS in Windows Server 2012 and Windows Server 2012

R2?
Additional Reading: You can see a complete list of new features for AD DS at:
What's New in Active Directory Domain Services (AD DS) at

What's New in Active Directory in Windows Server 2012 R2 at
Additional Reading:
What's New in Active Directory Domain Services (AD DS)
What's New in Active Directory in Windows Server 2012 R2
Deploying AD DS Domain Controllers on Server Core
Additional Reading: Guidance for using Windows PowerShell to establish a Window

Server 2012 Active Directory environment can be found at the following link:
Lesson 3
Implementing Service Accounts
Contents:
Demonstration: Configuring Group Managed Service Accounts 5
Demonstration: Configuring Group Managed Service Accounts

Demonstration Steps
1. Sign in to LON-DC1 as Administrator with the password Pa$$w0rd.
2. On the taskbar, right-click the Windows PowerShell icon, and click Run as Administrator.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
Add-KdsRootKey EffectiveTime ((get-date).addhours(-10))
New-ADServiceAccount Name Webservice DNSHostName LON-DC1

PrincipalsAllowedToRetrieveManagedPassword LON-DC1$
Add-ADComputerServiceAccount identity LON-DC1 ServiceAccount Webservice
Get-ADServiceAccount -Filter *
7. Note the output of the command.

Lesson 5
Overview of Windows Azure Active Directory
Contents:
Resources 7
Resources
Integration with Applications
Additional Reading: Windows Azure partitioning for multitenancy is outside the scope of
this course, but for more information, see http://go.microsoft.com/fwlink/?LinkID=331430.
Lesson 6
Maintaining AD DS
Contents:
Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin 9
Demonstration: Restoring AD DS Objects Using the Active Directory

Recycle Bin
Demonstration Steps
Enable the Active Directory Recycle Bin

1. Sign in to LON-DC1 as Administrator with the password Pa$$w0rd.
2. In Server Manager, on the Tools menu, click Active Directory Administrative Center.
3. In the navigation pane, click Adatum (local).

4. In the Tasks pane, click Enable Recycle Bin.
5. In the Enable Recycle Bin Confirmation dialog box, click OK.
6. In the Active Directory Administrative Center dialog box, click OK.

7. Click the Refresh icon on the menu bar. Notice a Deleted Objects container now appears.
Delete a current user

1. In the center pane, double-click the IT organizational unit (OU).
2. Ensure that the Amr Zaki user account is selected, and in the Tasks pane, click Delete.
3. In the Delete Confirmation dialog box, click Yes.
4. In the navigation pane, click Adtaum (local) to return to the main tree.
Restore the user

1. In the center pane, double-click the Deleted Objects folder.
2. In the Tasks pane, click Restore.

3. In the navigation pane, under Adatum (local), click IT.
Note: Note that the Amr Zaki account is restored.


Best Practices
When cloning virtual domain controllers, delete snapshots before copying or exporting virtual
domain controllers.
When cloning virtual domain controllers, we recommend copying disks manually if there is only one
drive. We recommend Export for virtual machiness with more than one drive or other complex
customizations such as multiple network interface cards (NICs).
At least one global catalog should exist in every site.
AD DS should be at the minimum Windows Server 2008 R2 to provide fully automatic password and
SPN management for managed service accounts.
Back up GPOs after making any changes.
Do not use volumes that contain backups of GPOs or Active Directory data for other uses.
Review Question(s)
Question: You have a mixture of client computers running Windows XP and Windows 8. After you
configure several settings in the Administrative Templates and Preferences of a GPO, Windows XP users
report that some settings are being applied while others are not.
Answer: Not all new settings apply to legacy systems such as Windows XP. In addition, Windows
XP cannot process Group Policy Preferences unless the correct client-side extensions are
downloaded and installed.

You have a large company with multiple branch offices. Some branch offices have fast, redundant
connections while others have slow, unreliable connections.
When you have branch offices across WAN links, what solutions are available to facilitate client logons in
the branch offices?
Answer: You could place a domain controller in the branch office.
What if security is a concern?
Answer: The domain controller could be an RoDC.
What can you do to help prevent network interruptions from preventing users from logging on?
Answer: You can create a password replication policy for the RoDC that enables the passwords of the
branch users to be cached locally.
Tools
Tool Use Location
Server Manager A central location for all Open by default on logon, or can be
aspects of server management accessed from the taskbar
Active Directory Control all aspects of Active Can be accessed from the Tools drop-
Administrative Directory management down menu in Server Manager
Center
Active Directory
Sites and Services
Active Directory
Tool Use Location

Domains and Trusts
GPMC Control all aspects of Group Can be accessed from the Tools drop-
Policy management down menu in Server Manager
Active Directory Can detect best practices Server Manager Dashboard

Best Practices violations and provide help
Analyzer implement best practices
Active Directory Restore object that were Can be accessed from the Active
Recycle Bin deleted in error from AD DS Directory Administration Center

Domain controller promotion fails Use the logs and troubleshooting diagnostic tools.
Group Policy is not being applied correctly Use Group Policy troubleshooting tools such as
GPResult and GPUpdate to discover the issues.
You have to restore a version of AD DS Take regular snapshots of AD DS, and then you
and do not know from which backup to can mount a read-only snapshot to compare to
restore the current AD DS.

Lab A: Implementing Active Directory Domain Services

Question: What passwords are cached on the RODC by default?
Answer: Passwords are not cached by default. You must configure a password replication policy.
Question: Assigning a user as the RODC server administrator grants that user the right to create user
accounts in AD DS. True or false?
Answer: False. Granting administrative rights to the RODC enables administrative access to
perform server maintenance duties such as backup, restore, installation applications and devices,
and others. It does not grant any rights in AD DS.
Question: What client-side extensions are applied even across a slow connection?
Answer: Administrative Templates settings and security settings are always applied, even across
slow connections.
Lab B: Troubleshooting and Maintaining Active Directory Domain Services

Question: Are Group Policy settings still enforced when a client computer such as a laptop is
disconnected from the LAN?
Answer: Yes. Group Policy is still being enforced even when a client computer is disconnected
from the LAN. The client computer cannot receive any changes to Group Policy until the
computer connects back to the LAN.
Question: The Active Directory Recycle Bin can be disabled using a Windows PowerShell script. True or
false?
Answer: False. As soon as it is enabled, the Active Directory Recycle Bin cannot be disabled.
Implementing AD FS 11-1
Module 11
Implementing AD FS
Contents:
Lesson 2: Deploying AD FS 2
Lesson 3: Implementing AD FS for a Single Organization 4
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario 7
Lesson 5: Implementing Web Application Proxy 9

Lesson 6: Implementing Workplace Join 12

Lesson 2
Deploying AD FS
Contents:
Demonstration: Installing the AD FS Server Role 3
Demonstration: Installing the AD FS Server Role

Demonstration Steps
Install AD FS
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.

7. On the Active Directory Federation Services (AD FS) page, click Next.
9. Wait until installation is complete, and then click Close.
Add a DNS record for AD FS

1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.22, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close DNS Manager.
Configure AD FS
1. On LON-SVR2, in Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Create a Group Managed Service Account.
7. In the Account Name box, type ADFS, and then click Next.
8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
9. On the Review Options page, click Next.
10. On the Pre-requisite Checks page, click Configure.
11. On the Results page, click Close.

Lesson 3
Implementing AD FS for a Single Organization
Contents:
Demonstration: Configuring Claims Provider and Relying Party Trusts 5
Demonstration: Configuring Claims Provider and Relying Party Trusts

Demonstration Steps
Configure a Claims Provider Trust
1. On LON-SVR2, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
E-Mail-Addresses: E-Mail Address
User-Principal-Name: UPN
9. Click Finish, and then click OK.
Configure a WIF application for AD FS

1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample Web.config file.
3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the
path to the sample application that will trust the incoming claims from the federation server, and
then click Next to continue.
4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation
metadata document location box, type https://adfs.adatum.com/federationmetadata/2007-
06/federationmetadata.xml, and then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.
9. In the Success window, click OK.
Configure a Relying Party Trust

1. On LON-SVR2, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.

3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online or
on a local network.
5. In the Federation Metadata address (host name or URL) box, type https://lon-
svr1.adatum.com/adatumtestapp, and then click Next. This downloads the metadata configured in
the previous section.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then
click Next.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-
factor authentication settings for the relying party trust at this time, and then click Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying
party, and then click Next.
9. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.
Lesson 4
Deploying AD FS in a Business-to-Business Federation
Scenario
Contents:
Resources 8
Demonstration: Configuring Claim Rules 8
Resources
How Home Realm Discovery Works
Additional Reading: For more information on RelayState, see Supporting Identity Provider
Initiated RelayState: http://go.microsoft.com/fwlink/?LinkId=269666
Demonstration: Configuring Claim Rules

Demonstration Steps
1. On LON-SVR2, in AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the
Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.
3. In the Claim rule name box, type Send Group Name Rule.
4. In the Incoming claim type drop-down list, click Group, and then click Finish.
5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab,
click the rule named Permit Access to All Users, and then click Remove Rule.
6. Click Yes to confirm.
Note: With no rules, users are not permitted access.
7. On the Issuance Authorization Rules tab, click Add Rule.

8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
9. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule.
10. In the Incoming claim type drop-down list, select Group.
11. In the Incoming claim value box, type Production, click Permit access to users with this
incoming claim, and then click Finish.
12. On the Issuance Authorization Rules tab, click Add Rule.
13. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users.
15. In the Incoming claim type drop-down list, select UPN.

16. In the Incoming claim value box, type @adatum.com, click Permit access to users with this
incoming claim, and then click Finish.
17. Click the Allow A. Datum Users rule, and then click Edit Rule.
18. In the Edit Rule Allow Adatum Users dialog box, click View Rule Language.
19. Click OK, and then click Cancel.
20. In the Edit Claim Rules for A. Datum Test App window, click OK.
Lesson 5
Implementing Web Application Proxy
Contents:
Demonstration: Installing and Configuring Web Applica tion Proxy 10
Demonstration: Installing and Configuring Web Application Proxy

Demonstration Steps
Install Web Application Proxy
1. On LON-SVR3, in Server Manager, click Manage, and then click Add Roles and Features.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Remote Access check box, and then click Next.
7. On the Remote Access page, click Next.

8. On the Select role services page, select Web Application Proxy.
9. In the Add Roles and Features Wizard, click Add Features.
10. On the Select role services page, click Next.

12. On the Installation progress page, click Close.
Export the adfs.adatum.com certificate from LON-SVR2

1. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and, to close the success
message, click OK.
16. Close the Microsoft Management Console, and do not save the changes.
Import the adfs.adatum.com certificate on LON-SVR3

1. On LON-SVR3, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
8. Right-click Personal, point to All Tasks, and then click Import.
9. In the Certificate Import Wizard, click Next.

10. On the File to Import page, in the File name box, type \\LON-SVR2\c$\adfs.pfx, and then click
Next.
11. On the Private key protection page, in the Password box, type Pa$$w0rd.
12. Select the Mark this key as exportable. This will allow you back up or transport your keys at a
later time check box, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store.
14. In the Certificate store box, select Personal, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.
16. To clear the success message, click OK.

17. Close the Microsoft Management Console, and do not save the changes.
Configure Web Application Proxy

1. On LON-SVR3, in Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:
Federation service name: adfs.adatum.com
User name: Adatum\Administrator
Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.

6. On the Results page, click Close.
Lesson 6
Implementing Workplace Join
Contents:
Demonstration: Performing a Workplace Join 13
Demonstration: Performing a Workplace Join

Demonstration Steps
Verify that the DNS record for Workplace Join exists
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Verify that the enterpriseregistration record exists.
4. Close DNS Manager.
Enable device registration

1. On LON-SVR2, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Initialize-ADDeviceRegistration
ServiceAccountName Adatum\ADFS$, and then press Enter.
3. Type Y to confirm, and then press Enter.
4. Type Enable-AdfsDeviceRegistration, and then press Enter.
5. Close the Windows PowerShell.

6. In Server Manager, click Tools, and then click AD FS Management.
7. In the AD FS Management console, click Authentication Policies.
8. In the Actions pane, click Edit Global Primary Authentication.

9. In the Edit Global Authentication Policy window, select the Enable device authentication check box,
and then click OK.
10. Close the AD FS Management console.
Perform a Workplace Join

1. On LON-CL3, sign in as Admin with the password Pa$$word.
2. On the Start screen, type workplace, and then click Workplace settings.
3. In the Workplace window, in the Enter your user ID to get workplace access or turn on device
management box, type Brad@adatum.com, and then click Join.
4. When prompted, sign in as Adatum\Brad with the password Pa$$w0rd.
View the device object in AD DS

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, click View, and then click Advanced Features.
3. Expand Adatum.com, and then click RegisteredDevices.
4. Right-click the object in the details pane, and then click Properties.
5. On the Attribute Editor tab, review the list of attributes.

6. Verify that the displayName attribute has a value of LON-CL3, and then click Cancel.
7. Close Active Directory Users and Computers.

Review Question(s)
Question: Your organization is planning to implement AD FS. In the short term, only internal clients will
be using AD FS to access internal applications. However, in the end, you will be providing access to web-
based applications that are secured by AD FS to users at home. How many certificates should you obtain
from a third-party CA?
Answer: The only AD FS certificate that needs to be trusted is the service communication
certificate. The token signing and token decrypting certificates can be left as self-signed.
Therefore, only a single certificate from a third-party is required.
Question: Your organization has an application for customers that allows them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. What do you need to configure to support the application?
Answer: You need to perform the following tasks:
1. Configure the application to trust incoming claims. Use the WIF Federation Utility to
configure the application.
2. Configure a relying party trust for the application. This configures AD FS to provide claims to
the application for authorized users.
3. Configure claim rules for the relying party trust. This configures which information is
provided to the application.
Question: Your organization has an application for customers that enables them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. You are configuring a Web Application Proxy to support application
access over the Internet. Internally, your AD FS server uses the host name adfs.contoso.com and resolves
to 10.10.0.99. How will you allow external partners to resolve adfs.contso.com to the external IP address of
Web Application Proxy?
Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP
address internally and externally. The internal DNS server resolves adfs.contoso.com to the
internal IP address of the AD FS server. The external DNS server resolves adfs.contoso.com to the
external IP address of Web Application Proxy.
Question: Your organization has implemented a single AD FS server and a single Web Application Proxy
successfully. Initially, AD FS was used for only a single application, but now it is being used for several
business-critical applications. AD FS must be configured to be highly available.
During the installation of AD FS, you selected to use the Windows Internal Database. Can you use this
database in a highly available configuration?
Answer: Yes, the Windows Internal Database can be used to support up to five AD FS servers.
The first AD FS server is the primary server where all configuration changes take place. Changes
in the primary server are replicated to the other AD FS servers.
Question: Your organization wants to control access to applications that are available from the Internet
by using Workplace Join. What DNS changes do you need to perform so that devices can locate the Web
Application Proxy during the Workplace Join process?
Answer: Devices identify the server name based on the UPN name provided during the
Workplace Join process. Assuming that there is only a single UPN name used by your
organization, you need to create a host record for enterpriseregistration.yourdomainname.com

that resolves to the IP address of the Web Application Proxy server.

Lab: Implementing AD FS

Question: Why was it important to configure adfs.adatum.com to use as a host name for the AD FS
service?
Answer: If you use the host name of an existing server for the AD FS server, you will not be able
to add additional servers to your server farm. All servers in the server farm must share the same
host name when providing AD FS services. The host name for AD FS also is used by AD FS proxy
servers.
Question: How can you test whether AD FS is functioning properly?
Answer: You can access https://hostname/federationmetadata/2007-
06/federationmetadata.xml on the AD FS server.
Monitoring and Maintaining Windows Server 2012 12-1
Module 12
Monitoring and Maintaining Windows Server 2012
Contents:
Lesson 1: Monitoring Windows Server 2012 2
Lesson 2: Implementing Windows Server Backup 7
Lesson 3: Implementing Server and Data Recovery 9

Lesson 1
Monitoring Windows Server 2012
Contents:
Demonstration: Creating Da ta Collector Sets 4
Demonstration: Configuring Event Subscriptions 5
Reasons for Monitoring Servers

Question: List four troubleshooting procedures that would benefit from server monitoring.
Answer: Many troubleshooting procedures benefit from server monitoring. Some of them are:
Establishing baseline metrics to determine typical operating conditions for servers.
Improving server performance by detecting anomalies.
Simplifying troubleshooting through early identification of malfunctioning components.

Making server management proactive through early identification of potential problems.
Predicting requirements for future server capacity.
Reallocating underused resources.
Monitoring Performance Bottlenecks

Question: What tools will you use for monitoring Windows Server 2012?
Answer: You should consider using the Event Viewer, Resource Monitor, Performance Monitor,
and Data Collector Sets. You can also use the Reliability Monitor and Task Manager.
Question: What are some key considerations that you would make when monitoring domain controllers?
Answer: The time of day when you monitor the domain controller is an important consideration.
Typically, domain controllers are at peak performance when they are signing in users, which is
usually at the beginning of the business day. At the same time, this is when authenticating
computers that were just turned on and started are loading GPOs and scripts, and resolving DNS
queries, especially if Active Directory-integrated DNS is being used. Because of this, mornings
would be a good time of day to monitor domain controllers. In addition, monitoring activity
during the middle of the night might not provide relevant information.
Another consideration is the network adapter. The number of errors in Domain Name System
(DNS) and replication might come down to networking issues related to the network adapters. In
addition, because AD DS is stored locally on a database, the speed of the hard drive can also be
an important factor.
Question: What are some key considerations you would make when monitoring the file and print servers?
Answer: Print spooling involves memory and disk space. You should ensure that these
components have appropriate data collector sets enabled and started. In addition, to check for
issues involving slow access to network shares, you should monitor the network interface.
Question: What are some key considerations you would make when monitoring the SQL Server database
server?
Answer:
There are two key considerations you need to make when monitoring the database server:
Procedure cache. The SQL Server database processing pulls data pages off the disk file and
runs them in memory in a store called the procedure cache.
Write speed of the disk. Check the write speed of the disk that records the transaction log
entries.
You should monitor the performance of these factors by using data collector sets.
Question: What are some key considerations you would make when monitoring the web server?
Answer: You will need to monitor the web server network interface, in addition to the workload
that the web server puts on the SQL Server. If SQL Server cannot respond quickly to the web
queries, time-outs and failures will occur. You must monitor both servers in order to get a true
picture of what is occurring.
Demonstration: Creating Data Collector Sets

Demonstration Steps
Enable default performance counters in Server Manager
1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In Server Manager, in the left pane, click All Servers, and in the right pane, scroll down to the
Performance area. Right-click LON-SVR1, and then click Start performance counters.
3. In Server Manager, click Tools, and then click Performance Monitor.

4. If the Action pane does not display on the right side of Performance Monitor, do the following:
a. In Performance Monitor, on the ribbon, click View, and then click Customize.
b. In the Customized View dialog box, select the Action pane check box, and then click OK.
5. In the navigation pane, expand Data Collector Sets, expand User Defined, and then click Server
Manager Performance Monitor.
6. In the details pane, double-click Performance Counters to review the default counters created.
7. In the Performance Counter Properties dialog box, click Cancel.
Create a new data collector set named Windows Server Monitoring

1. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
2. Under the Actions pane, click More Actions, click New, and then click Data Collector Set.
3. In the Create New Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name text box, type Windows Server Monitoring, click Create
manually (Advanced), and then click Next.
4. On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.
5. In Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User Defined,
click Windows Server Monitoring, under the Actions pane, click More Actions, click New, and
then click Data Collector.
6. In the Create New Data Collector Wizard, in the Name text box, type Base Windows Server
Monitoring, click Performance counter data collector, click Next, and then click Add.
7. In the Available counters object list, expand Processor, click % Processor Time, and then click Add.
8. In the Available counters object list, expand Memory, click Available Mbytes, and then click Add.
9. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.
10. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.
Verify that the data collector set works correctly

1. In Performance Monitor, in the navigation pane, click Windows Server Monitoring, under the
Actions pane, click More Actions, and then click Start.
2. Wait at least one minute, under the Actions pane, click More Actions, and then click Stop.
3. In the navigation pane, expand Reports, expand User Defined, expand Windows Server
Monitoring, click LON-SVR1_DateTime, and then review the report.
Set data collector set scheduling

1. In Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User Defined,
in the details pane, right-click Windows Server Monitoring, and then click Properties.
2. In the Windows Server Monitoring Properties dialog box, click the Schedule tab.
3. On the Schedule tab, click Add.
4. In the Launch area, in the Start time list, select 1:00:00 AM, and then click OK.
5. Click the Stop Condition tab. On the tab, select the Overall duration check box, in the Units drop-
down list box, click Hours, and then click OK.
Note: The Windows Server Monitoring data collector set will run for one hour every night
at 1:00 A.M
6. Close Performance Monitor.
Demonstration: Configuring Event Subscriptions

Demonstration Steps
Configure the source computer
2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows start icon,
and then click Run.
3. In the Run, Open text box, type the following command, and then press Enter:
cmd
winrm quickconfig
5. In Server Manager, click Tools, and then click Computer Management.

6. In the Computer Management console, expand Local Users and Groups, and then click Groups.
7. In the details pane, double-click Administrators.

8. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.
9. In the Object Types dialog box, select the Computers check box, and then click OK.
10. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type LON-DC1, and then click OK.
11. In the Administrators Properties dialog box, click OK.

Configure the collector computer

2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows start icon,
and then click Run.
3. In the Run, Open Text text box, type cmd, and then click OK.
wecutil qc
5. When you are prompted, type Y, and then press Enter.
Create a subscribed log

1. In Server Manager, click Tools, and then click Event Viewer.
2. In Event Viewer, in the navigation pane, click Subscriptions.
3. Right-click Subscriptions, and then click Create Subscription.
4. In the Subscription Properties dialog box, in the Subscription name text box, type LON-SVR1
Events.
5. Click Collector Initiated, and then click Select Computers.
6. In the Computers dialog box, click Add Domain Computers.

7. In the Select Computer dialog box, in the Enter the object name to select text box, type LON-
SVR1, and then click OK.
8. In the Computers dialog box, click OK.

9. In the Subscription Properties LON-SVR1 Events dialog box, click Select Events.
10. In the Query Filter dialog box, select the following check boxes:
Critical
Warning
Information
Verbose
Error
11. In the Logged drop-down list box, click Last 7 days.
12. In the Event logs drop-down list box, click Windows Logs. Click inside the Query Filter dialog box,
and then click OK.
13. In the Subscription Properties LON-SVR1 Events dialog box, click OK.
Check the subscribed log

1. In Event Viewer, in the navigation pane, expand Windows Logs.
2. Click Forwarded Events, and check for events from LON-SVR1.
Lesson 2
Implementing Windows Server Backup
Contents:
Demonstration: Backing Up Windows Server 2012 by Using Windows
Server Backup (Optional) 8
Demonstration: Backing Up Windows Server 2012 by Using Windows

Server Backup (Optional)
Demonstration Steps
1. On LON-DC1, on the taskbar, click the File Explorer icon.
2. In the console tree of File Explorer, expand This PC and select Local Disk (C:).
3. On the ribbon, click the Home tab.
4. In the Home ribbon dialog box, click New Folder, type Backup, and then press Enter.
5. In File Explorer, right-click Backup, click Share with, and then click Specific people.
6. In the File Sharing dialog box, in the drop-down list box, click Everyone, and then click Add.
7. In the Name area, beside the Everyone name, click the Read drop-down arrow, and then click
Read/Write.
8. Click Share, and then click Done.
10. On LON-SVR1, click Server Manager.
11. In Server Manager, click Tools, and then click Windows Server Backup.
12. In the wbadmin [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup. Point out to students the elements of the Microsoft Management Console (MMC), such as
Status and Actions.
13. In the Actions pane, click Backup Once.

14. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click
Next.
15. On the Select Backup Configuration page, click Custom, and then click Next.
16. On the Select Items for Backup page, click Add Items.
17. Expand Local disk (C), select the HR Data check box, click OK, and then click Next.
18. On the Specify Destination Type page, click Remote shared folder, and then click Next.
19. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
20. On the Confirmation page, click Backup.
21. On the Backup Progress page, after the backup is complete click Close.
Lesson 3
Implementing Server and Data Recovery
Contents:
Resources 10
Demonstration: Restoring with Windo ws Server Backup (Optional) 10
Resources
Options for Server Recovery
Additional Reading: For more information on using BCDEdit, visit the following link:
Considerations for Restoring Virtual Servers
Additional Reading: For more information on Hyper-V Replica, see the Microsoft Official
Courseware course 20409A, Server Virtualization with Windows Server Hyper-V and
Microsoft System Center.
Demonstration: Restoring with Windows Server Backup (Optional)

Demonstration Steps
1. On LON-SVR1, on the desktop, on the taskbar, click the File Explorer icon.
2. In File Explorer, click drive C:\, and then in the details pane, right-click the HR Data folder, and then
click Delete.
3. In Server Manager, click Tools, and then click Windows Server Backup.
4. On the Windows Server Backup page, in the Actions pane, click Recover.
5. In the Recovery Wizard, on the Getting Started page, click A backup stored on another location,
6. On the Specify Location type page, click Remote shared folder, and then click Next.
7. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
8. On the Select Backup Date page, click Next.

9. On the Select Recovery Type page, click Next.
10. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:), and then in the right
pane, click HR Data. Verify that the HR folder (and not the individual HR files) displays in the right
pane, and then click Next.
11. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
12. On the Confirmation page, click Recover.

13. On the Recovery Progress page, click Close.
14. Switch back to File Explorer, and confirm that on drive C, the HR Data folder is restored.
After you finish the demonstration, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20417D-LON-SVR1.

Best Practices
Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.
When monitoring, estimate the baseline of system utilizations for each server. This will help you
determine whether the system is performing well or is overused.
Analyze your important infrastructure resources, and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
Identify with the organizations business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.
Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.
Review Question(s)
Question: Why is monitoring servers important for organizations?
Answer: Monitoring servers helps in obtaining information about the server-infrastructure health
and performance. Monitoring helps proactively protect servers from performance bottlenecks,
server failures, or issues related to security, such as denial of service (DoS) attacks or viruses.
Question: You want to create a strategy for how to back up different technologies that are used in your
organization, such as DHCP, DNS, AD DS, and SQL Server. What should you do?
Answer: Read documentation about the optimal backup strategy for each specific technology,
because every technology has specific best practices on backup and restore. Create
documentation and a checklist for backup and restore procedures.
Question: How frequently should you perform backups of critical data?

Answer: The frequency with which you perform a backup of critical data depends on your
organizations requirements and on how frequently data changes. You should always plan
backup strategies according to risk assessments. If critical data changes significantly during each
day, then you should perform backups at least once daily.
Question: Your organization needs information on which data to back up, how frequently to back up
different types of data and technologies, where to store backed up data (onsite or in the cloud), and how
fast they can restore backed up data if a failure were to occur. What is your recommendation for
improving your organizations ability to restore data efficiently, when it is necessary?
Answer: Your company should develop backup and restore strategies based on multiple
parameters, such as business-continuity needs, risk-assessment procedures, and resource and
critical data identification. You must develop strategies that you should then evaluate and test.
These strategies should be suitable for the dynamic changes occurring with new technologies,
and should accommodate changes that occur with the organizations growth.
Tools
Tool Use for Where to find it

Server Manager Monitoring multiple servers Server Manager
Dashboard
Performance Monitoring services, and application Server Manager/Tools

Monitor and hardware performance data
Resource Monitor Controlling how your system Server Manager/Tools

resources are being used by processes
and services
Windows Server Performing on-demand or scheduled Server Manager/Tools

Backup backup, and restoring data and
servers
Windows Azure Performing on-demand or scheduled Server Manager/Tools

Online Backup backups to the cloud, and restoring
data from the backup located in the
cloud

During monitoring, multiple sources are Collect as much information as possible about each
concurrently reporting different problems. of the reported problems. Although there might be
multiple issues, it is likely that you will find a
connection between these issues or problems.
The server has suffered a major failure on its Perform a bare-metal restore on a new system by
components. using the backup set that you created. Use the
documentation and checklist that you created as
part of your company's backup and restore strategy
and procedures.
You must have a way to back up and restore Install and configure Windows Azure Online Backup.
your data quickly to a different company's Using this service, you can back up and restore your
locations. You do not have backup media or data on each location or server, because the backup
backup hardware in each site. data is located in cloud services.
You must restore your data because of disk Always retain at least two sets of copies of your
system failure. However, you find that your backup data. In addition, you might consider
backup media is corrupted. keeping one copy onsite and another copy in the
cloud.

Lab: Monitoring and Maintaining Windows 2012 Servers

Question: Users are complaining of slow performance when they connect to files that are located on a file
server on the network. What should you do?
Answer: You should configure performance monitoring with different performance counters. To
start monitoring, you should first start to monitor with the following performance counters:
Processor - %Processor Time
Memory - Available MBytes

Logical Disk - % Free Space
Question: You are concerned about business-critical data that is located on your company's servers. You
want to perform backups daily, but not during the business hours. What should you do?
Answer: You should perform a scheduled backup that runs every day after the business hours,
for example, at 1:00 A.M.
Question: Users are reporting that they can no longer access data that is located on the server. You
connect to the server, and realize that the shared folder where users were accessing data is missing. What
should you do?
Answer: You should restore the folder by using Windows Server Backup.

20417D ENU Companion PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

20417D ENU Companion PDF

Enviado por

Direitos autorais:

Formatos disponíveis

OFFI CI A L MI CROSOFT LEA RN I N G P RODU CT

2014 Microsoft Corporation. All rights reserved.

Product Number: 20417D

a. If you are a Microsoft IT Academy Program Member:

b. If you are a Microsoft Learning Competency Member:

d. If you are an End User:

e. If you are a Trainer.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Contents subject

11. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES

Revised July 2013

Hardware Requirements for Installing Windows Server 2012 R2

Migrating Server Roles

Additional Reading: Migrating Roles and Features in Windows Server

Demonstration: Exploring Server Manager in Windows Server 2012 R2

24. On the taskbar, click the Windows PowerShell icon.

Demonstration: Installing and Optimizing Server Roles in Windows Server

7. On the Features page, click Next.

13. Review the console, and click OK.

How Remote Management Works in Windows Server 2012 R2 and

Module Review and Takeaways

Real-world Issues and Scenarios

Common Issues and Troubleshooting Tips

Remote management connections fail Verify firewall settings.

Unable to restart a computer running Use sconfig.cmd or the shutdown /r command.

Lab: Installing and Configuring Windows Server 2012 R2

Lesson 3: Managing Servers by Using Windows PowerShell 9

Windows PowerShell Syntax

Using Windows PowerShell Modules

What Are the New Features in Windows PowerShell?

Demonstration: Using the Windows PowerShell Integrated Scripting

6. Type E:\ and point the use of IntelliSense once again.

Question and Answers

Using Windows PowerShell Variables

Additional Reading: about_Variables

Demonstration: Managing AD DS by Using Windows PowerShell

New-ADUser name Ayla department IT city New York organization A Datum

Get-ADUser Filter Name eq Ayla | Move-ADObject targetpath

Get-ADGroup filter Name eq Domain Admins

Get-ADGroup filter Name eq Domain Admins | Get-ADGroupMember

Add-ADGroupMember Domain Admins Ayla

Get-ADUser filter Name eq Ayla | Enable-ADAccount

Note: If you receive an error regarding password complexity, go to step 13.

Get-ADUser filter Name eq Ayla

Set-ADAccountPassword Ayla Reset NewPassword (ConvertTo-SecureString

Import-Csv ./NewUsers.csv | New-ADUser Path ou=NewYork,dc=adatum,dc=com

Get-ADUser filter Department like IT | Set-ADUser city Seattle

Get-ADUser filter * -Searchbase ou=NewYork,dc=adatum,dc=com | Set-ADUser

What Is Windows PowerShell Web Access?

Introduction to Windows PowerShell Workflow

Additional Reading: Getting Started with Windows PowerShell Workflow

Demonstration: Managing a Server by Using Windows PowerShell

Start-Job -ScriptBlock {Get-ADUser Filter *}

6. Obtain the status of the job by running Get-Job.

$Trigger = New-JobTrigger Weekly DaysOfWeek Monday,Friday At 9:00AM

8. Run the scheduled job immediately by running:

Start-Job DefinitionName ScheduledJob1

Module Review and Takeaways

Real-world Issues and Scenarios

Old Command Windows PowerShell Equivalent

Net Start Start-Service (Restart-Service)

Net Stop Stop-Service (Restart-Service)