Escolar Documentos
Profissional Documentos
Cultura Documentos
20417D
Upgrading Your Skills to MCSA Windows
Server 2012
Companion Content
ii Upgrading Your Skills to MCSA Windows Server 2012
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Centers training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code tent that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code ntent are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits
prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre
pays si celles-ci ne le permettent pas.
Module 1
Installing and Configuring Windows Server 2012
Contents:
Lesson 1: Installing Windows Server 2012 R2 2
Lesson 2: Configuring Windows Server 2012 R2 and Windows Server 2012 4
Lesson 3: Configuring Remote Management for Windows Server 2012 R2 and
Windows Server 2012 7
Module Review and Takeaways 9
1-2 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 1
Installing Windows Server 2012 R2
Contents:
Resources 3
Installing and Configuring Windows Server 2012 1-3
Resources
Additional Reading: For more information about the Windows Server Virtualization
Validation Program, see http://go.microsoft.com/fwlink/?LinkId=269652.
Lesson 2
Configuring Windows Server 2012 R2 and Windows
Server 2012
Contents:
Demonstration: Exploring Server Manager in Windows Server 2012 R2 5
Demonstration: Installing and Optimizing Server Roles in Windows Server 2012 6
Installing and Configuring Windows Server 2012 1-5
6. On the Select server roles page of the Add Roles and Features Wizard, select Fax Server. In the Add
Roles and Features Wizard dialog box that opens, click Add Features.
7. On the Select server roles page of the Add Roles and Features Wizard, click Next.
8. On the Select features page of the Add Roles and Features Wizard, select BranchCache, and then
click Next.
9. On the Fax Server page of the Add Roles and Features Wizard, click Next.
10. On the Print and Document Services page of the Add Roles and Features Wizard, click Next.
11. On the Select role services page of the Add Roles and Features Wizard, click Next.
12. On the Confirmation page of the Add Roles and Features Wizard, select the Restart the destination
server automatically if required check box. In the Add Roles and Features Wizard dialog box,
click Yes, and then click Install.
13. On the Installation progress page of the Add Roles and Features Wizard, click Close.
14. Click the flag icon next to Server Manager Dashboard and review the messages.
15. On the Server Manager console, click the Dashboard node.
16. In the Roles and Server Groups area, under DNS, click Events.
17. In the DNS - Events Detail View dialog box, change the time period to 12 hours and the Event
Sources to All, and then click OK.
18. In the Roles and Server Groups area, under DNS, click BPA results.
19. On the DNS - BPA Results Detail View dialog box, on the Severity Levels drop-down menu, select
All, and then click OK.
20. In the Server Manager console, on the Tools menu, review the tools that are installed on LON-DC1.
21. Hold down the Start key to start the Microsoft design style Start screen.
22. On the Start screen, click Administrator, and then click Sign Out.
23. Sign in to LON-DC1 by using the Adatum\Administrator account and the password Pa$$w0rd.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Installation Type page, select Role-based or feature-based installation, and then click
Next.
5. On the Server Selection page, click Select a server from the server pool. Verify that LON-
DC1.Adatum.com is selected, and click Next.
6. On the Select server roles page, select Application Server, and then click Next.
10. On the Confirmation page, click Install. To dismiss the Add Role and Features wizard, click Close.
11. Click the App Server node of the Server Manager console.
12. Click the Dashboard node, and under App Server, click Performance.
Lesson 3
Configuring Remote Management for Windows
Server 2012 R2 and Windows Server 2012
Contents:
Resources 8
1-8 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: For more information on Windows Remote Management, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269663
Additional Reading: For more information on configuring Windows Remote Management,
visit the following Performance Team post: http://go.microsoft.com/fwlink/?LinkId=269664
Additional Reading: For more information on Remote Windows PowerShell, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269667
Installing and Configuring Windows Server 2012 1-9
Review Question(s)
Question: Why is the Server Core installation the default installation option for Windows Server 2012 R2
installations?
Answer: The Server Core installation is the default installation option for Windows Server 2012
R2 because it enables you to deploy the most frequently used roles with a minimal hardware
footprint.
Windows PowerShell commands are not Ensure that appropriate Windows PowerShell modules,
available such as Server Manager, are loaded.
Cannot install GUI features on Server Core Mount a WIM image that holds all the Windows Server
deployment 2012 R2 files, and use the -source option of the
Install-WindowsFeature cmdlet.
Unable to join the domain Verify DNS resolution and network connectivity
between the host and the domain controller.
1-10 Upgrading Your Skills to MCSA Windows Server 2012
Answer: You would have to configure WDS. You also would have to configure virtual machines
to use legacy network adapters.
Question: Which command could you use to configure the network address settings on a computer
running Server Core, other than sconfig.cmd?
Answer: You can use the Set-NetIPaddress Windows PowerShell utility to configure the
network address settings.
Question: After performing Exercise 3, would you be able to make a Remote Desktop connection from
LON-DC1 to LON-SVR5?
Answer: No. Although you do enable Windows Remote Management, Remote Desktop is not
enabled during this exercise.
Managing Windows Server 2012 by Using Windows PowerShell 2-1
Module 2
Managing Windows Server 2012 by Using Windows
PowerShell
Contents:
Lesson 1: Overview of Windows PowerShell 2
Lesson 2: Using Windows PowerShell to Manage AD DS 5
Lesson 1
Overview of Windows PowerShell
Contents:
Resources 3
Demonstration: Using the Windows PowerShell Integrated Scripting Environment (ISE) 3
Managing Windows Server 2012 by Using Windows PowerShell 2-3
Resources
Additional Reading: For more information about verbs for Windows PowerShell
commands, see Approved Verbs for Windows PowerShell Commands by visiting the following
link:
http://go.microsoft.com/fwlink/?LinkID=331439.
Additional Reading: For more information about Windows PowerShell modules, see
Windows PowerShell Modules by visiting the following link:
http://go.microsoft.com/fwlink/?linkID=270852
Additional Reading: For more information about Windows PowerShell DSC, see Get
Started with Windows PowerShell Desired State Configuration by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331440
Additional Reading: For more information on new features of Windows PowerShell, see
What's New in Windows PowerShell by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331441
9. In the script pane, under the Get-ChildItem cmdlet, type Get-P, and then press the Tab key
repeatedly until you get Get-Process.
10. Press Spacebar, type -, and then press the Tab key repeatedly until you get ComputerName. Then,
complete the command to read Get-Process ComputerName LON-DC1.
2-4 Upgrading Your Skills to MCSA Windows Server 2012
11. Execute the Get-Command cmdlet and show students that the list of cmdlets displayed as a result is
also available in the Commands tab.
Managing Windows Server 2012 by Using Windows PowerShell 2-5
Lesson 2
Using Windows PowerShell to Manage AD DS
Contents:
Questio n and Answers 6
Resources 6
Demonstration: Managing AD DS by Using Windows Po werShell 6
2-6 Upgrading Your Skills to MCSA Windows Server 2012
Answer: You can declare a variable and assign it a value by using an equal sign (=) or by using
Set-Variable.
Resources
4. To create a new OU named NewYork, at the command prompt, type the following command, and
then press Enter:
New-ADOrganizationalUnit NewYork
5. To create a new user named Ayla in the IT department and the A Datum organization, at the
command prompt, type the following command, and then press Enter:
6. To move the Ayla user to the NewYork OU, at the command prompt, type the following command,
and then press Enter:
7. To view the settings for the Domain Admins group, at the command prompt, type the following
command, and then press Enter:
8. To view the membership of the Domain Admins group, at the command prompt, type the following
command, and then press Enter:
9. To add Ayla to the Domain Admins group, at the command prompt, type the following command,
and then press Enter:
10. To enable the account created for Ayla, at the command prompt, type the following command, and
then press Enter:
11. To verify that Aylas account was enabled, at the command prompt, type the following command,
and then press Enter:
12. To disable Aylas account, at the command prompt, type the following commands by pressing Enter
after each:
Disable-ADAccount Ayla
Get-ADUser filter Name eq Ayla
13. To set the password for Ayla to Pa$$w0rd!!, at the command prompt, type the following command,
and then press Enter:
14. To verify how the New-ADUser cmdlet works, at the command prompt, type the following
command, and then press Enter:
Help New-ADUser
15. To view the contents of the ./NewUsers.csv file, at the command prompt, type the following
command, and then press Enter:
notepad ./NewUsers.csv
Note: You may need to use the full path for the NewUsers.csv file for the command above
to work. Check the notes within the script file to see the full path.
16. To use Import-Csv to view the contents of the ./NewUsers.csv file in Windows PowerShell, at the
command prompt, type the following command, and then press Enter:
Import-Csv ./NewUsers.csv
Note: You may need to use the full path for the NewUsers.csv file for the command above
to work. Check the notes within the script file to see the full path.
17. To use the output of the Import-Csv cmdlet as input for the New-ADUser cmdlet, at the command
prompt, type the following command, and then press Enter:
Note: You may need to use the full path for the NewUsers.csv file for the command above
to work. Check the notes within the script file to see the full path.
Note: You might get an error message due to the password not being set. Ignore the error
for now.
18. To set the city property for all users in the IT department to Seattle, at the command prompt, type
the following command, and then press Enter:
19. To set the division property for all users in the NewYork OU to Automotive, at the command
prompt, type the following command, and then press Enter:
Lesson 3
Managing Servers by Using Windows PowerShell
Contents:
Resources 10
Demonstration: Managing a Server by Using Windows Power Shell 10
2-10 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: For more information on using Windows PowerShell Web Access, see
Install and Use Windows PowerShell Web Access by visiting the following link:
http://go.microsoft.com/fwlink/?linkID=269669
Password: Pa$$w0rd
Computer: LON-DC1
5. Start a new job by running the following command:
Use Windows PowerShell ISE to help you write scripts and ensure that you are using the correct
syntax.
Review Question(s)
Question: Which cmdlet will display the content of a text file?
Answer: Get-Content displays the content of a text file. It is also acceptable to use type, which is
an alias for Get-Content.
Question: Which cmdlet will move a file to another directory?
Answer: Move-Item moves a file to another directory. It is also acceptable to use move and mi
as aliases for Move-Item.
Question: Which cmdlet will rename a file?
Answer: Rename-Item renames a file. It is also acceptable to use ren, which is an alias for
Rename-Item.
Question: Which cmdlet will create a new directory?
Answer: New-Item creates a new directory. It is also acceptable to use ni, which is an alias for
New-Item.
Question: Which cmdlet do you think would retrieve information from the event log?
Answer: Get-EventLog retrieves information from the event log.
Question: Which cmdlet do you think would start a stopped virtual machine?
Answer: Start-VM would start a stopped virtual machine.
ipconfig /a Get-NetIPConfiguration
Shutdown.exe Restart-Computer
Netstat Get-NetTCPConnection
2-12 Upgrading Your Skills to MCSA Windows Server 2012
Tools
You can use the tools in the following table to work with Windows PowerShell.
Tool Description
Windows PowerShell Integrated Script Editor Windows PowerShell ISE provides a simple, yet
(ISE) powerful interface to create and test scripts, and
discover new cmdlets.
Microsoft Visual Studio Workflow Designer This is a development tool that is used to create
Windows PowerShell workflows.
Active Directory Administrative Center This tool enables you to perform common Active
Directory management tasks, such as creating and
modifying user and computer accounts. All of the
changes that you make by using this management
tool are logged in the Windows PowerShell History
pane.
Administrators cannot find the correct Use the Get-Command cmdlets and Help in
Windows PowerShell cmdlet for a task. Windows PowerShell ISE to search for cmdlets.
Administrator cannot connect to a server by There are several possible reasons why this could
using remote Windows PowerShell. occur. For example, Remote Windows PowerShell
connections may be blocked by Windows Advanced
Firewall, or the WinRM service may be misconfigured
or disabled.
Get-Help does not provide any help for You may have to download the latest Help files. You
cmdlets. can download the latest files by using the Update-
Help cmdlet.
Module 3
Managing Storage in Windows Server 2012
Contents:
Lesson 1: Storage Features in Windows Server 2012 2
Lesson 2: Configuring iSCSI Storage 5
Lesson 3: Configuring Storage Spaces in Windows Server 2012 9
Lesson 1
Storage Features in Windows Server 2012
Contents:
Questio n and Answers 3
Resources 3
Demonstration: Configuring Data Deduplication 4
Managing Storage in Windows Server 2012 3-3
Answer: The answer varies according to the company. In smaller companies, it is very likely that
there is one share that stores all of the software or application files, and in such cases, data
deduplication would be a good way to reduce space. Generally, data deduplication should be
used on large volumes that contain data that does not change frequently. Data deduplication
cannot be used for volumes containing an operating system.
Answer: The answer will vary based on the students experience with the File Server Resource
Manager in Windows Server 2008. File Server Resource Manager is used in the following areas:
File classification infrastructure
Resources
Additional Reading: For more information, see File and Storage Services Overview at
http://go.microsoft.com/fwlink/?linkID=269670
Additional Reading: For more information, see What's New in File Server Resource
Manager in Windows Server 2012 at http://go.microsoft.com/fwlink/?linkID=270039
For more information, see What's New in File Server Resource Manager in Windows Server 2012
R2 at http://go.microsoft.com/fwlink/?LinkID=331422
Additional Reading: For more information, see How Basic Disks and Volumes Work at
http://go.microsoft.com/fwlink/?LinkID=199648
3-4 Upgrading Your Skills to MCSA Windows Server 2012
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (2 of 12 installed), expand File
and iSCSI Services (1 of 11 installed), select the Data Deduplication check box, and then click
Next.
7. On the Select features page, click Next.
Lesson 2
Configuring iSCSI Storage
Contents:
Questio n and Answers 6
Resources 6
Demonstration: Configuring iSCSI Target 6
Demonstration: Connecting to the iSCSI Storage 7
3-6 Upgrading Your Skills to MCSA Windows Server 2012
What is iSCSI?
Question: Can you use your organizations internal IP network to provide iSCSI?
Answer: Yes, you can. However, we recommend having a dedicated IP network for iSCSI so that
other network traffic does not interfere the iSCSI communication, and the iSCSI communication
does not interfere with the network traffic.
Answer: The answer varies depending on your experience, but primarily you might consider
using this approach if you want to implement virtualization technologies such as a Virtual
Desktop Infrastructure (VDI) in your organization.
Resources
Additional Reading: For more information, see Introduction of iSCSI Target in Windows
Server 2012 at http://go.microsoft.com/fwlink/?linkID=269674
5. On the Specify iSCSI virtual disk name page, type iSCSIDisk1, and then click Next.
Managing Storage in Windows Server 2012 3-7
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-SVR2, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, and in the Type drop-down list, select IP Address. In the Value box, type 172.16.0.22, and
then click OK.
14. On the View results page, wait until the creation is completed, and then click Close.
15. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
16. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
17. On the Specify iSCSI virtual disk name page, type iSCSIDisk2, and then click Next.
18. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
19. On the Assign iSCSI target page, click lon-svr2, and then click Next.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, type LON-DC1, and then click
Quick Connect.
5. In the Quick Connect window, in the Discovered targets section, click iqn.1991-
05.com.microsoft:lon-dc1-lon-svr2-target, and then click Done.
6. In the iSCSI Initiator Properties dialog box, to close the dialog box, click OK.
Note: Notice that the new disks are added. They are all currently offline and not formatted.
3-8 Upgrading Your Skills to MCSA Windows Server 2012
Note: Keep the computers running. You must have them for the demonstration in the
lesson Configuring Storage Spaces in Windows Server 2012.
Managing Storage in Windows Server 2012 3-9
Lesson 3
Configuring Storage Spaces in Windows Server 2012
Contents:
Resources 10
Demonstration: Configuring a Storage Space 10
Demonstration: Implementing Redundant Storage Spaces 11
3-10 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: For more information, see Thin Provisioning and Trim Storage
Overview at http://go.microsoft.com/fwlink/?linkID=269672
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Simple vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Simple, and then click Next.
6. On the Specify the provisioning type page, click Thin, and then click Next. You should mention
that this configures thin provisioning for that volume.
7. On the Specify the size of the virtual disk page in the Specify size box, type 2, and then click Next.
8. On the Confirm selections page, click Create.
9. On the View results page, wait until the creation is completed. Ensure Create a volume when this
wizard closes is selected, and click Close.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, under Disk, click Simple vdisk virtual disk, and then click
Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
Managing Storage in Windows Server 2012 3-11
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Simple Volume, and then click Next.
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
Note: You should mention that this automatically configures a two-way mirror. You do not
see the Resiliency Settings page because you would require five disks to configure a three-way
mirror.
6. On the Specify the provisioning type page, click Thin, and then click Next.
7. On the Specify the size of the virtual disk page in the Specify size box, type 5, and then click Next.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, in the Disk pane, click the Mirrored vDisk virtual disk, and
then click Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Mirrored Volume, and then click Next.
15. On the Confirm selections page, click Create.
16. On the Completion page, wait until the creation is completed, and then click Close.
17. On the Start screen, type command prompt, and then press Enter.
18. At the command prompt, type the following command, and then press Enter:
20. In Server Manager, click the Tools menu, and then in the Tools drop-down list, select Computer
Management.
21. In the Computer Management console, under Storage, click Disk Management.
3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.
4. In the Disable iSCSI Virtual Disk warning message box, click Yes.
5. Switch to LON-SVR2.
6. In the Computer Management console, under Storage, right-click Disk Management and in the
drop-down list, select Rescan Disks.
Note: Notice that the Simple Volume (E:) is not available, and the Mirrored Volume (F:) is
available.
7. On the taskbar, open File Explorer, click This PC, and then click Mirrored Volume (F:). You should
now see write.exe in the file list.
8. Close File Explorer.
9. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click Refresh Storage Pools.
Notice the warning that appears next to Mirrored vDisk.
10. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select
Properties.
11. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Note: Notice the Health Status that should indicate Unhealthy. The Operational Status
should indicate Detached. This means that the disk is not available on this computer any longer.
Lesson 4
Configuring BranchCache in Windows Server 2012
Contents:
Resources 14
Demonstration: How to Configure BranchCache 14
3-14 Upgrading Your Skills to MCSA Windows Server 2012
Resources
BranchCache Requirements
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box. If prompted, click Add
Features, and then click Next.
8. On the Select features page, click Next.
9. On the Confirm installation selections page, click Install.
10. When installation is complete, click Close, and then close Server Manager.
4. In the Options box, under Hash publication actions, select Allow hash publication only for
shared folder on which BranchCache is enabled, and then click OK.
5. Close the Local Group Policy Editor.
5. In the Advanced Sharing dialog box, click Share this folder, and then click Caching.
6. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
Managing Storage in Windows Server 2012 3-15
7. In the Advanced Sharing dialog box, click OK, and then click Close.
8. Close all open windows.
3-16 Upgrading Your Skills to MCSA Windows Server 2012
Answer: BranchCache only caches files that users in a remote location have accessed. DFS
replicates files between head office and a remote location so that all files exist in both locations.
Question: Why would you want to implement BranchCache in Hosted Cache mode instead of the
Distributed Cache mode?
Answer: When you use the Distributed Cache mode, the cache is distributed among all
computers running Windows 7 or newer. However, it is likely that these computers are turned off
or that portable computers are removed from the office. This means that a cached file might not
be available, forcing the file to be downloaded across the WAN link again. However, the Hosted
Cache mode keeps the cached files on a file server that will always be available.
Answer: No, you cannot configure data deduplication on a boot volume. You can configure data
deduplication only on volumes that are not system or boot volumes.
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are the
problems with volumes of that size?
Answer: Depending on your situation, you may have very large volumes. However, the larger the
volume, the more difficult and lengthy the process of checking these volumes for errors becomes.
Windows Server 2012 R2 includes an enhanced version of the Chkdsk tool to optimize the
implementation of very large volumes; it also includes the new ReFS file system, which helps to
address the issue of NTFS formatted volumes.
Tools
Tool Use Where to find it
iSCSI Target Server Configure iSCSI targets In Server Manager, under File and Storage
Servers
iSCSI Initiator Configure a client to connect to In Server Manager, in the Tools drop-down
an iSCSI target virtual disk list
Answer: You must have an MPIO to create a second network route to the iSCSI target. This is
useful when you lose a connection to the iSCSI target because of a loss in a network adapter.
With MPIO set up and configured, if a network adapter fails, another network adapter can take
over.
Question: What is the purpose of the iSCSI Initiator component?
Answer: The iSCSI Initiator component is the client component for iSCSI to connect to an iSCSI
target. Windows 8 and Windows Server 2012 already have this component preinstalled as a
service. You only have to start them to use it.
Question: When would you consider implementing BranchCache into your own organization?
Answer: The answer varies, but BranchCache is only important if you have a branch office or a
location that is connected to your organizations headquarters with a low-bandwidth link.
Implementing Network Services 4-1
Module 4
Implementing Network Services
Contents:
Lesson 1: Implementing DNS and DHCP Enhancements 2
Lesson 2: Implementing IP Address Management (IPAM) 5
Lesson 3: Managing IP Address Spaces with IPAM 8
Lesson 1
Implementing DNS and DHCP Enhancements
Contents:
Resources 3
Demonstration: Configuring DNSSEC 3
Demonstration: Configuring Failo ver for DHCP 4
Implementing Network Services 4-3
Resources
Additional Reading: For detailed information of improved features for DNS server role in
Windows Server 2012 R2, see What's New in DNS Server in Windows Server 2012 R2 at
http://go.microsoft.com/fwlink/?LinkID=331423
Reference Links: For complete list of new and improved Windows PowerShell cmdlets for
DHCP in Windows Server 2012 R2, see Windows PowerShell for DHCP Server at
http://go.microsoft.com/fwlink/?LinkID=331424
4. On the menu, click Action, and in the drop-down list, click DNSSEC>Sign the Zone.
5. In the Zone Signing Wizard, click Next.
6. On the Signing Options screen, select Customize zone signing parameters, and click Next.
7. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.
8. On the Key Signing Key (KSK) screen, click Next.
9. On the KSK screen, click Add.
10. On the New Key Signing Key (KSK) screen, click OK.
11. On the Key Signing Key screen, click Next.
12. On the Zone Signing Key (ZSK) screen, click Next.
19. On the DNS Security Extensions (DNSSEC) screen, click Next, and then click Finish.
20. In Server Manager, click Tools, and then in the drop-down list click Group Policy Management.
21. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default
Domain Policy, and then click Edit.
4-4 Upgrading Your Skills to MCSA Windows Server 2012
22. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.
23. In the Create Rules section, in the Suffix field, type Adatum.com.
24. On the DNSSEC tab, select the Enable DNSSEC in this rule check box.
25. Select the Require DNS clients to check that name and address data has been validated by the
DNS server option, and click Create.
26. Close all open windows.
2. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
3. Switch to LON-DC1.
4. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
5. In the DHCP Management console, expand lon-dc1.adatum.com, select and right-click the IPv4
node, and then click Configure Failover.
6. In the Configuration Failover Wizard, click Next.
7. On the Specify the partner server to use for failover screen, in the Partner Server field, enter
172.16.0.21, and then click Next.
8. On the Create a new failover relationship screen, in the Relationship Name field, enter Adatum.
9. In the Maximum Client Lead Time field, set the hours to 0 and set the minutes to 15.
13. Select Enable Message Authentication checkbox, and in Shared Secret field, type Pa$$w0rd, and
then click Next.
14. In Configure Failover window, click Finish.
15. Ensure that all five actions have status Successful, and then click Close.
Implementing Network Services 4-5
Lesson 2
Implementing IP Address Management (IPAM)
Contents:
Demonstration: Implementing IPAM 6
4-6 Upgrading Your Skills to MCSA Windows Server 2012
14. On the Select provisioning method screen, select Group Policy Based and type IPAM in the GPO
name prefix field, and then click Next.
15. On the Confirm the Settings screen, click Apply.
21. To return to the IPAM pane, close the Overview Tasks Details dialog box.
Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll
down to the Details View and note the status report. This is because the IPAM server has not yet
been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.
5. When you are prompted to confirm the action, press Enter. It takes a few minutes to complete.
6. Return to Server Manager.
7. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
8. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.
9. Repeat steps 6 and 7 to configure LON-SVR1 to be managed.
gpupdate /force
gpupdate /force
16. Switch back to LON-SVR2 and right-click LON-DC1, and then click Refresh Server Access Status.
This may take a few minutes to complete.
17. Repeat step 16 to refresh the status for LON-SVR1.
18. Refresh the page by clicking the Refresh icon on the top menu bar until status shows an IPAM Access
Status Unblocked.
19. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take several
minutes to complete.
4-8 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Managing IP Address Spaces with IPAM
Contents:
Resources 9
Demonstration: Managing IP Addressing by Using IPAM 9
Demonstration: Configuring IPAM Reporting and Monitoring 9
Implementing Network Services 4-9
Resources
Additional Reading: For more information, see the IPAM Operations Guide at
http://go.microsoft.com/fwlink/?LinkID=331425
Deactivate a scope
1. Click the DHCP Scopes node, and then in the details pane, right-click the first scope listed named
Adatum and Scope ID of 172.16.0.0, and then click Deactivate DHCP Scope.
3. Click Tasks and review the options for configuring Purge Event Catalog Data and Export.
4. On the IPAM Configuration Events page, review and discuss the events displayed.
4-10 Upgrading Your Skills to MCSA Windows Server 2012
9. Click the Adatum scope, and discuss the information in the Scope Properties.
10. Click the Options tab, and discuss the information displayed.
11. Click Tasks and review the options for Retrieve Server Data and Export.
15. Click Tasks and review the options for Retrieve Server Data and Export.
16. In the IPAM console tree, click Server Groups.
17. Click the lon-dc1.adatum.com entry with the DNS server role, and discuss the information in the
Server Properties.
18. Click the DNS Zones tab, and discuss the information displayed.
19. Click Tasks and review the options for Retrieve Server Data and Export.
Implementing Network Services 4-11
Lesson 5
Implementing NAP
Contents:
Demonstration: Implementing NAP with DHCP 12
4-12 Upgrading Your Skills to MCSA Windows Server 2012
6. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Network Policy and Access Services page, click Next.
9. On the Select role services page, select Network Policy Server, and then click Next.
10. On the Confirm installation selections page, click Install. Click Close when the installation
completes.
11. On the Server Manager Tools menu, select Network Policy Server.
12. In the Network Policy Server console, click NPS (Local).
13. In the details pane, click Configure NAP.
14. On the Select Network Connection Method For Use with NAP page in the Network connection
method drop-down list, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
15. On the Specify NAP Enforcement Servers Running DHCP Server page, click Next.
19. On the Define NAP Health Policy page, clear the Enable auto-remediation of client computers
check box, and then click Next.
20. Click Finish.
21. In the console tree, expand Network Access Protection, expand System Health Validators, expand
Windows Security Health Validator, click Settings, and in the details pane, double-click Default
Configuration.
22. Clear all check boxes except A firewall is enabled for all network connections, and click OK.
23. Close the Network Policy Server console.
24. Click Tools, and then click DHCP.
25. Expand lon-dc1.adatum.com, select and then right-click IPv4, and then click Properties.
26. Click the Network Access Protection tab, and then click Enable on all scopes.
27. In the DHCP dialog box, click Yes.
Ensure that IPv6 is enabled on the IPAM server to manage IPv6 address spaces.
Use Group Policy to configure NRPT tables for DNSSEC client computers.
Disable authentication protocols that you are not using.
Document the NPS configuration by using NetshNps Show Config>Path\File.txt to save the
configuration to a text file.
Unable to connect to the IPAM server. Ensure that the Windows Internal Database
(WID) service and the Windows Process
Activation service are running.
Noncompliant NAP client computers are Check that the network policy is configured
being denied network access instead of to Grant Access instead of Deny Access.
being sent to the restricted network. Access must be granted so that
noncompliant computers can receive
remediation.
4-14 Upgrading Your Skills to MCSA Windows Server 2012
Question: What is the difference between a centralized and a distributed IPAM topology?
Answer: In a centralized topology, there is only one IPAM server in the forest. In a distributed
topology, there is an IPAM server in every site in the forest.
Answer: You must perform the following steps to ensure that it can be assessed for health:
1. Enable the NAP enforcement client.
2. Enable the Security Center.
( ) True
( ) False
Answer:
( ) True
() False
Implementing Remote Access 5-1
Module 5
Implementing Remote Access
Contents:
Lesson 1: Remote Access Overview 2
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard 4
Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure 12
Lesson 1
Remote Access Overview
Contents:
Resources 3
Implementing Remote Access 5-3
Resources
Lesson 2
Implementing DirectAccess by Using the Getting
Started Wizard
Contents:
Questio n and Answers 5
Resources 5
Demonstration: Running the Getting Started Wizard 5
Demonstration: Identifying the Getting Started Wizard Settings 8
Implementing Remote Access 5-5
Resources
DirectAccess Components
3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and
then click Organizational Unit.
5-6 Upgrading Your Skills to MCSA Windows Server 2012
4. In the New Object Organizational Unit dialog box, in the Name text box, type DA_Clients OU,
and then click OK.
5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
6. In the New Object - Group dialog box, in the Group name text box, type DA_Clients.
7. Under Group scope, ensure that Global is selected, under Group type, ensure that Security is
selected, and then click OK.
8. In the details pane, right-click DA_Clients, and then click Properties.
9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
11. In the Enter the object names to select (examples) text box, type LON-CL1, and then click OK.
12. Verify that LON-CL1 displays under Members, and then click OK.
13. Close the Active Directory Users and Computers console.
3. In the Remote Access Management Console, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, in the Type the public name or IPv4 address used by clients to
connect to the Remote Access server text box, type 131.107.0.10, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPO objects are created, DirectAccess Server
Settings and DirectAccess Client settings.
9. Next to Remote Clients, click the Change link.
10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.
11. Click Add, type DA_Clients, and then click OK.
12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
16. In the Applying Getting Started Wizard Settings dialog box, click Close.
gpupdate /force
Implementing Remote Access 5-7
3. At the command prompt, type the following command, and then press Enter:
gpresult /R
4. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as
Adatum\Administrator with the password Pa$$w0rd, and then repeat steps 3 and 4 on LON-
CL1.
5. At the command prompt, type the following command, and then press Enter:
6. Verify that following message displays: DNS Effective Name Resolution Policy Table Settings.
Note: DirectAccess settings are inactive when this computer is in a corporate network.
9. In the Network and Sharing Center window, click Change adapter settings.
10. Right-click Ethernet, and then click Disable.
11. Right-click Ethernet 2, and then in the Networks dialog box, click Enable.
15. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, ensure that the following
details display, and then click OK.
IP address: 131.107.0.20
5. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access
the folder content.
6. Close all open windows.
5-8 Upgrading Your Skills to MCSA Windows Server 2012
7. Click the Start screen type cmd, and then press Enter.
8. At the command prompt, type the following command, and then press Enter:
ipconfig
Note: Notice the IP address for Tunnel adapter is IPHTTPSInterface starting with 2002.
This is an IP-HTTPS address.
2. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
3. At the command prompt, type the following command, and then press Enter:
Powershell
4. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Note: Notice that client is connected via IPHTTPS. In the Connection Details pane, in the
bottom-right of the screen, note the use of Kerberos authentication for the machine and the
user.
4. In the DirectAccess Client Setup window, click Deployment Scenario, and review the default settings.
Click Select Groups, and record the default settings. Click Network Connectivity Assistant, and
then record the default settings.
5. Click Cancel, and then click OK.
6. In the Remote Access Setup window, under the image of the client computer named Step 2 Remote
Access Server, click Edit.
7. In the Remote Access Server Setup window, click Network Topology, and record the default settings.
8. Click Network Adapters, and record the default settings.
18. In the DirectAccess Application Server Setup window, review the default settings, click Cancel, and
then click OK.
19. Close all open windows.
7. In the Global Settings row, click the show link, and then review the IPsec ICMP exception setting.
8. In the Inbound Rules row, click the show link, and then review the following settings:
o Core Networking IPHTTPS (TCP-In). This rule allows the inbound IP-HTTPS traffic to provide
connectivity across HTTP proxies and firewalls.
5-10 Upgrading Your Skills to MCSA Windows Server 2012
o Domain Name Server (UDP-In), and Domain Name Server (TCP-In). These rules allow traffic
to the DNS64 server that is deployed on the Remote Access server. Notice the IPv6 address in the
rules. It is the address of the London_Network adapter on LON-RTR, which you can verify by
running the ipconfig /all command in the Windows PowerShell window
9. In the Connection Security Settings row, click the show link, and then in the Rules row, click the
show link. Review the following settings:
o DirectAccess Policy-DaServerToCorpSimplified. Review the IPv6 address prefixes, and
compare them with the IPv6 address prefixes you recorded in step 7 of the previous section in
this demonstration. Notice that they are the same prefixes that you configured in the Getting
Started Wizard.
10. In the Rules row, click the hide link.
11. Under the Connection Security Settings row, in the First Authentication row, click the show link,
and then review the Kerberos authentication setting.
12. Repeat step 11 for Second Authentication, Key Exchange (Main Mode), and Data Protection
(Quick Mode).
13. In the navigation pane, click the DirectAccess Client Settings GPO.
14. In the Group Policy Management Console dialog box, click OK, and then in the details pane, click
the Settings tab.
15. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, click the
show link on the right side. In the Public Key Policies/Trusted Root Certification Authorities row,
click the show link, and then in the Certificates row, click the Show link. Notice that the GPO is
configuring the DirectAccess client computers to trust the self-signed certificates with the IP address
of 131.107.0.10 and the name of DirectAccess-NLS.Adatum.com.
16. In the details pane, under Computer Configuration (Enabled), in the Security Setting row, and in
the Windows Firewall with Advanced Security row, click the show link.
17. Notice that there are three groups of firewall settings configured for the DirectAccess clients: Global
Settings, Outbound Rules, and Connection Security Settings.
18. In the Global Settings row, click the show link, and then review the IPsec ICMP exception setting.
19. In the Outbound Rules row, click the show link, and then review the following settings:
Core Networking IP-HTTPS (TCP-Out). This rule allows the outbound IP-HTTPS traffic to
provide connectivity across HTTP proxies and firewalls.
20. In the Connection Security Settings row, click the show link, and then in the Rules row, click the
show link.
21. Review the three rules, and then compare the IPv6 address prefixes with the IPv6 address prefixes that
you recorded in step 7 in the previous section of this demonstration. Notice that they are the same
prefixes that you configured with the Getting Started Wizard.
22. In the Rules row, click the hide link.
23. Under the Connection Security Settings row, in the First Authentication row, click the show link,
and then review the Kerberos authentication setting.
24. Repeat step 23 for Second Authentication, Key Exchange (Main Mode) and Data Protection
(Quick Mode).
25. Close the Group Policy Management console.
26. On LON-DC1, click the Server Manager icon.
Implementing Remote Access 5-11
o DirectAccess-NLS
The Getting Started Wizard creates these records.
5-12 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Implementing and Managing an Advanced
DirectAccess Infrastructure
Contents:
Resources 13
Demonstration: Modifying the DirectAccess Infrastructure 13
Demonstration: Monitoring and Troubleshooting DirectAccess Connectivity 14
Implementing Remote Access 5-13
Resources
5. Under Select Groups, in the details pane, ensure that the Enable DirectAccess for mobile
computers only checkbox is cleared, and then click Next.
Note: In a real-world scenario, you might choose a security group instead allowing
DirectAccess for all domain computers.
6. On the Network Connectivity Assistant page, double-click the empty row under the Resource
column.
7. In the Configure Corporate Resources for NCA dialog box, verify that HTTP is selected, and then
type https://lon-svr1.adatum.com. Click Validate, and then click Add.
8. On the Network Connectivity Assistant page, click Finish to close configuration for Step 1.
11. On the Network Adapters page, select Use a self-signed certificate created automatically by
DirectAccess, verify that CN=131.107.0.10 is used as a certificate to authenticate IP-HTTPS
connections, and then click Next.
12. On the Authentication page, click Use computer certificates, click Browse, click AdatumCA, and
then click OK.
13. Click Enable Windows 7 client computers to connect via DirectAccess, and then click Finish to
close configuration for Step 2.
14. In the Remote Access Setup pane, under Step 3, click Edit.
15. On the Network Location Server page, click The network location server is deployed on a
remote web server (recommended), type https://lon-svr1.adatum.com, click Validate, and then
click Next.
Note: The DirectAccess configuration is not applied, because additional prerequisites need
to be configured, such as Active Directory configuration, firewall settings, and certificate
deployment. You will perform complete DirectAccess configuration in the lab..
3. Review the information in the central pane, under DirectAccess and VPN Client Status.
4. In the left pane, click Remote Client Status, and then in the central pane, review the information
under the Connected Clients list.
5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.
6. In the Configure Accounting window, under Select Accounting Method, click Use inbox accounting,
click Apply, and then click Close.
7. In the central pane, under Remote Access Reporting, review the options for monitoring historical
data.
Implementing Remote Access 5-15
Review Question(s)
Question: What remote access solutions can you deploy by using Windows Server 2012 R2?
Answer: In the Windows Server 2012 R2 operating system, you can deploy the following remote
access solutions: DirectAccess, VPN, Routing, and Web Application Proxy.
Question: What are the main benefits of using DirectAccess for providing remote connectivity?
Answer: The main benefits of using DirectAccess for providing remote connectivity are as
follows:
Always-on connectivity. When the user is connected to the Internet, the user is also
connected to the intranet.
Seamless user experience. Same user experience regardless of whether connected locally
or remotely.
Bidirectional access. When the client computer is accessing the intranet, the computer is
also connected and managed.
Improved security. Administrators can set and control the intranet resources that are
accessible through DirectAccess.
Question: How do you configure DirectAccess clients?
Answer: To configure DirectAccess clients, use Group Policy. When you use the Configure
Remote Access Wizard to configure DirectAccess, two GPOs are created and linked to the
domain. These two GPOs define DirectAccess-related settings, and are applied on DirectAccess
clients.
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Answer: When the DirectAccess client computer tries to locate the NLS server, if the DirectAccess
client computer can contact the NLS server, the DirectAccess client computer assumes it is on the
internal network. If the DirectAccess client computer cannot contact the NLS server, the
DirectAccess client computer assumes it is on the Internet. In organizations where DirectAccess is
a business-critical solution, the NLS should be a highly-available web server, because NLS server
availability is important for DirectAccess client computers to determine if they are located on an
internal network or on the Internet.
Answer: The NRPT stores a list of DNS namespaces and their corresponding configuration
settings. These settings define the DNS server to contact, and the DNS client behavior for that
namespace.
Question: What type of remote access solutions you can provide by using VPN in Windows Server 2012?
Answer: You can configure the following remote access solutions by using VPN in Windows
Server 2012:
Secure remote access to internal network resources for users located on the Internet. The
users act as VPN clients that are connecting to Windows Server 2012 VPN server.
Tools
Tool Use for Where to find it
Remote Access Getting A graphical tool that simplifies the Server Manager/Tools/Remote
Started Wizard configuration of DirectAccess Access Management Console
The DirectAccess client tries to connect to If you are using Teredo as the IPv6
the DirectAccess server by using IPv6 and transition technology, check whether you
IPsec with no success. have two public addresses on the external
network adapter of the DirectAccess server,
which is required for establishing two IPsec
tunnels.
5-18 Upgrading Your Skills to MCSA Windows Server 2012
Answer: Without a certificate, the DirectAccess server cannot identify and authenticate the client.
Implementing Failover Clustering 6-1
Module 6
Implementing Failover Clustering
Contents:
Lesson 1: Overview of Failover Clustering 2
Lesson 2: Implementing a Failover Cluster 4
Lesson 3: Configuring Highly-Available Applications and Services on a Failover Cluster 6
Lesson 1
Overview of Failover Clustering
Contents:
Resources 3
Implementing Failover Clustering 6-3
Resources
Reference Links: For more information about clustered storage spaces, see Deploy
Clustered Storage Spaces by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331426.
Reference Links: For more information on failover cluster requirements, see
Understanding Requirements for Failover Clusters by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331427.
Lesson 2
Implementing a Failover Cluster
Contents:
Demonstration: Validating and Configuring a Failover Cluster 5
Implementing Failover Clustering 6-5
5. In the Enter name field, type LON-SVR4, click Add, and then click Next.
6. Verify that Run all tests (recommended) is selected, and click Next.
7. In the Confirmation window, click Next.
8. Wait for the validation tests to finish, and then in the Summary window, click View Report. Review
the results of validation. Discuss any warnings, and explain why they displayed.
9. Close the report window, clear the Create the cluster now using the validated nodes check box,
and then click Finish.
10. On LON-SVR3, in Failover Cluster Manager, in the Management section of the center pane, click
Create Cluster.
11. Read the Before You Begin information page, and then click Next.
12. Type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.
13. Verify the entries, and then click Next.
14. In the Access Point for Administering the Cluster section, enter Cluster1 as the Cluster Name.
15. Under Address, type 172.16.0.125 as the IP address, and then click Next.
16. On the Confirmation page, verify the information, and then click Next.
17. On the Summary page, click Finish to return to the Failover Cluster Manager.
6-6 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Configuring Highly-Available Applications and
Services on a Failover Cluster
Contents:
Demonstration: Clustering a File Server Role 7
Implementing Failover Clustering 6-7
6. On the Select Role page, click File Server, and then click Next.
7. On the File Server Type page, click File Server for general use, and then click Next.
8. On the Client Access Point page, in the Name box, type AdatumFS, in the Address box, type
172.16.0.130, and then click Next.
9. On the Select Storage page, click Cluster Disk 2, and then click Next.
10. On the Confirmation page, click Next.
Lesson 4
Maintaining a Failover Cluster
Contents:
Demonstration: Configuring Cluster-Aware Updating 9
Implementing Failover Clustering 6-9
10. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
11. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, click
CLUSTER1, and then click Connect.
12. In the Cluster Actions pane, click Preview updates for this cluster.
13. In the Cluster1-Preview Updates window, click Generate Update Preview List.
14. After few minutes, updates will display in the list. Review updates, and then click Close.
15. In the Cluster Actions pane, click Create or modify Updating Run Profile.
16. Review and explain available options. Do not make any changes. When you are finished, click Close.
17. Click Apply updates to this cluster.
21. On the Confirmation page, click Update, and then click Close.
22. In the Cluster nodes pane, review the updating progress window.
Note: Emphasize that one node of the cluster is in a Waiting state, while the other node is
restarting after it updates.
Note: This may require restart of both nodes, and it can take up to 10 minute to complete.
6-10 Upgrading Your Skills to MCSA Windows Server 2012
24. Sign in to LON-SVR3 with the user name Adatum\Administrator and the password Pa$$w0rd.
25. On LON-SVR3, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
26. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
click Cluster1, and then click Connect.
Review Question(s)
Question: Why is using a disk-only quorum configuration generally not a good idea?
Answer: The failover cluster stops functioning if the logical unit numbers (LUN) that is used as
the disk for the quorum fails. Even if all the other resources are available (including the disk for
the applications), nodes do not provide service when the quorum disk is not available.
Question: What is the purpose of CAU?
Answer: CAU enables administrators to update cluster nodes automatically with little or no loss
in availability during the update process.
Question: What is the main difference between synchronous and asynchronous replication in a multisite
cluster scenario?
Answer: When you use synchronous replication, the host receives a write-complete response
from the primary storage after the data is written successfully on both storage systems. If the
data is not written successfully to both storage systems, the application must attempt to write to
the disk again. With synchronous replication, both storage systems are identical.
When you use asynchronous replication, the node receives a write-complete response from the storage
after the data is written successfully on the primary storage. The data is written to the secondary
storage on a different schedule, depending on the hardware or software vendors
implementation.
Question: What is an enhanced feature in multisite clusters in Windows Server 2012?
Answer: In Windows Server 2012, you can adjust cluster quorum settings so that nodes do or do
not have a vote when the cluster determines whether it has quorum.
Tools
The tools for implementing failover clustering include:
Server Manager
iSCSI initiator
Disk Management
Cluster Validation Wizard reports an error Review the report that Cluster Validation
Wizard provides and determine the
problem.
Create Cluster Wizard reports that not all Review installed roles and features on
nodes support the desired clustered role cluster nodes. The clustered role must be
installed on each cluster node.
You cannot create a Print Server cluster This is not supported in Windows Server
2012. You should use other technologies to
provide a highly-available print server.
Implementing Failover Clustering 6-13
Question: After running the Validate a Configuration Wizard, how can you resolve the network
communication single point of failure?
Answer: You can resolve the network communication single point of failure by adding network
adapters on a separate network. This provides communication redundancy between cluster
nodes.
Question: In which situations might it be important to enable failback of a clustered application only
during a specific time?
Answer: Setting the failback to a preferred node at a specific time is important when you have to
ensure that the failback does not interfere with client connections, backup windows, or other
maintenance that a failback would interrupt.
Implementing Hyper-V 7-1
Module 7
Implementing Hyper-V
Contents:
Lesson 1: Configuring Hyper-V Servers 2
Lesson 2: Configuring Hyper-V Storage 4
Lesson 3: Configuring Hyper-V Networking 7
Lesson 1
Configuring Hyper-V Servers
Contents:
Resources 3
Demonstration: Configuring Hyper-V Settings 3
Implementing Hyper-V 7-3
Resources
Additional Reading: Note that the Hyper-V support for the Windows XP operating system
ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in
July 2015. Visit the following website for a list of supported Hyper-V virtual-machine guest
operating systems on Windows Server 2012:
Hyper-V Overview
http://go.microsoft.com/fwlink/?linkid=272334
Additional Reading: Tip: 6 Best Practices for Physical Servers Hosting Hyper-V Roles
http://go.microsoft.com/fwlink/?linkID=269681
5. Click Virtual Machines. Show how to change the location of the default virtual machine
configuration files folder.
6. Click Physical GPUs. Explain that the Remote Desktop Virtualization Host role service must be
installed before you can enable RemoteFx and GPU management.
7. Click NUMA Spanning. Explain that when you enable NUMA spanning, servers take advantage of
non-uniform memory access (NUMA) performance optimizations.
Note: Mention that Live Migrations, Storage Migrations, and Replication Configuration is
discussed in Module 8: Implementing Failover Clustering with Hyper-V.
7-4 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 2
Configuring Hyper-V Storage
Contents:
Resources 5
Demonstration: Managing Virtual Hard Disks in Hyper-V 5
Implementing Hyper-V 7-5
Resources
2. Click Computer, and browse to the following location: E:\Program Files\Microsoft Learning\Base.
(Note: The drive letter may depend upon the number of drives on the physical host machine.)
3. Verify that the Base14A-WS12R2.vhd hard disk image file is present.
4. Click the Home tab, and click the New Folder icon twice to create two new folders. Right-click each
folder, and rename each folder to the names listed below:
o LON-GUEST1
o LON-GUEST2
5. Close File Explorer.
6. Switch to the Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
o Name: LON-GUEST1.vhd
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter.
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2, and then press Enter.
Lesson 3
Configuring Hyper-V Networking
Contents:
Resources 8
Demonstration: Configuring a Public and a Private Network Switch 8
7-8 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: What's New in Hyper-V Virtual Switch for Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkID=331448
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External
is selected, and click Create Virtual Switch.
3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the
following information, and then click OK:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Varies depending
on host computer.
4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
5. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
Lesson 4
Configuring Hyper-V Virtual Machines
Contents:
Resources 10
Demonstration: Creating a Virtual Machine 10
7-10 Upgrading Your Skills to MCSA Windows Server 2012
Resources
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
4. On the Specify Generation page, click Next.
5. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and then click Next.
6. On the Configure Networking page of the New Virtual Machine Wizard, select Private Network,
and then click Next.
7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse,
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open, and click Finish.
8. On the taskbar, click the PowerShell icon.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
10. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
14. In the Settings for the LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action setting to Shut down the guest operating system.
15. To close the Settings for the LON-GUEST2 dialog box, click OK.
Implementing Hyper-V 7-11
Answer: You should use the VHDX format rather than the VHD format in the following
situations:
You need to support virtual hard disks larger than 2 TB. VHDX files can be a maximum of 64
terabytes in size.
You need to protect against data corruption caused by power failures. VHDX format is less
likely to become corrupted in the event of unexpected power failure because of the way the
file format processes updates.
You need to deploy a virtual hard disk to a large sector disk.
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a
file share. What operating system must the file server be running to support this configuration?
Answer: You can only deploy virtual hard disks to file shares that support SMB 3.0. Only the
Windows Server 2012 operating system supports hosting SMB 3.0 file shares.
Tools
Tool Used for Where to find it
Cannot deploy Hyper-V on x64 processor Processor does not support hardware-assisted
virtualization.
Virtual machine does not use dynamic Operating system may not support dynamic memory. In
memory some cases, applying a service pack or installing virtual
machine integration services will resolve this issue.
Implementing Hyper-V 7-13
Answer: You would create an external virtual network switch if you wanted to allow the virtual
machine to communicate with the local area network that is connected to the Hyper-V host.
Question: How can you ensure that one single virtual machine does not use all available bandwidth that
the Hyper-V host provides?
Answer: To ensure that no one single virtual machine uses all available bandwidth that the
Hyper-V host provides, you must configure maximum and minimum bandwidth settings on
virtual network adapters.
Question: What dynamic-memory configuration task can you perform on a virtual machine hosted on
Windows Server 2012 Hyper-V that was not possible on Hyper-V 2.0?
Answer: You can modify dynamic memory settings while the virtual machine is running on
Windows Server 2012 Hyper-V. You could not do this on previous versions of Hyper-V.
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-1
Module 8
Implementing Failover Clustering with Windows Server 2012
R2 Hyper-V
Contents:
Lesson 1: Overview of the Integration of Hyper-V Server 2012 with Failover Clustering 2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 4
Lesson 1
Overview of the Integration of Hyper-V Server 2012
with Failover Clustering
Contents:
Questio n and Answers 3
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-3
Answer: Answers may vary. For example, you can use storage replication, which is one alternative
to the Failover Clustering feature.
8-4 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 2
Implementing Hyper-V Virtual Machines on Failover
Clusters
Contents:
Questio n and Answers 5
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-5
Answer: If you use a shared hard virtual disk as cluster storage, you do not have to provide Fibre
Channel or Internet small computer system interface (iSCSI) connection to the virtual machines.
Lesson 3
Implementing Windows Server 2012 Hyper-V Virtual
Machine Movement
Contents:
Questio n and Answers 7
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-7
Answer: If you want to move a virtual machine to the host that does not support a shared-
nothing migration, or if you do not have a cluster, you must export and import the virtual
machine; for example, if you want to move a virtual machine from Windows Server 2012 host to
the Hyper-V in Windows 8.
8-8 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 4
Implementing Hyper-V Replica
Contents:
Questio n and Answers 9
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-9
Use new features in Hyper-V Replica to extend your replication to more than one server.
Consider using Scale-Out File Servers clusters as storage for highly available virtual machines.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Review Question(s)
Question: Do you have to implement CSV in order to provide high availability for virtual machines in
VMM in Windows Server 2008 R2?
Answer: No, you do not have to implement Cluster Shared Volume (CSV) to provide high
availability. However, CSV makes it much easier to implement and manage an environment
where you have multiple Hyper-V hosts accessing multiple logical unit numbers (LUNs) on shared
storage.
Tools
Tools for implementing Failover Clustering with Hyper-V include:
Failover Cluster Manager
Hyper-V Manager
VMM console
Virtual machine failover fails after The CSV home folder is located on the host-server
implementing CSV and migrating the system drive. You cannot move it. If the host computers
shared storage to CSV. use different system drives, the failovers will fail because
the hosts cannot access the same storage location. All
failover cluster nodes should use the same hard-drive
configuration.
A virtual machine fails over to another All the nodes in a host cluster must have the same
node in the host cluster, but loses all networks configured. If they do not, then the virtual
network connectivity. machines cannot connect to a network when they fail
over to another node.
Four hours after restarting a Hyper-V host By default, virtual machines do not fail back to a host
that is a member of a host cluster, there computer after they have migrated to another host.
are still no virtual machines running on the You can enable failback on the virtual machine
host. properties in Failover Cluster Management, or you can
Implementing Failover Clustering with Windows Server 2012 R2 Hyper-V 8-11
Module 9
Implementing Secure Data Access for Users and Devices
Contents:
Lesson 2: Implementing DAC Components 2
Lesson 3: Implementing DAC for Access Control 6
Lesson 4: Implementing Access-Denied Assistance 9
Lesson 2
Implementing DAC Components
Contents:
Demonstration: Configuring Claims, Resource Properties, and Rule s 3
Demonstration: Configuring Classification Rules 5
Implementing Secure Data Access for Users and Devices 9-3
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, click department.
5. In the Display name text box, type Company Department.
6. Select both User and Computer check boxes, and then click OK.
7. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.
8. In the Create Claim Type window, in the Source Attribute section, click description.
9. Clear the User check box, select the Computer check box, and then click OK.
10. In the Active Directory Administrative Center, click Dynamic Access Control.
11. In the central pane, double-click Resource Properties.
12. In the Resource Properties list, right-click Department, and then click Enable.
13. In the Resource Properties list, right-click Confidentiality, and then click Enable.
14. Double-click Department.
15. Scroll down to the Suggested Values section, and then click Add.
16. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK two times.
17. Click Dynamic Access Control, and then double-click Resource Property Lists.
18. In the central pane, double-click Global Resource Property List.
19. Ensure that both Department and Confidentiality appear in the Resource Properties list, and then click
Cancel. If they do not appear, click Add, add these two properties, and then click OK.
20. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
21. In the Tasks pane, click New, and then click Central Access Rule.
22. In the Create Central Access Rule dialog box, in the Name field, type Department Match.
23. In the Target Resources section, click Edit.
24. In the Central Access Rule dialog box, click Add a condition.
25. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
26. In the Permissions section, click Use following permissions as current permissions.
31. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
33. Click Add a condition.
34. Click the Group drop-down list box, and then click Company Department.
35. Click the Value drop-down list box, and then click Resource.
36. In the last drop-down list box, click Department, and then click OK three times.
37. In the Tasks pane, click New, and then click Central Access Rule.
41. In the last drop-down list box, click High, and then click OK.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.
42. In the Permissions section, click Use following permissions as current permissions.
48. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
49. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a
condition.
Note: If you cannot find Managers in the last drop-down list box, click Add items. Then in
the Select user, Computer, Service Account, or Group window, type Managers, click Check
Names, and then click OK.
50. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.
Note: If you cannot find ManagersWKS in the last drop-down list box, click Add items.
Then in the Select user, Computer, Service Account, or Group window, type ManagersWKS, click
Check Names, and then click OK.
Implementing Secure Data Access for Users and Devices 9-5
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules.
9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.
10. Click the Classification tab, ensure that following settings are set, and then click Configure:
11. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.
12. In the Expression field, which is next to the word String, type secret, and then click OK.
13. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
14. In File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
15. Click Wait for classification to complete, and then click OK.
16. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in Report Totals section.
20. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt contain the
word secret.
9-6 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Implementing DAC for Access Control
Contents:
Demonstration: Creating and Deploying Central Access Policies 7
Demonstration: Evalua ting and Managing DAC 7
Implementing Secure Data Access for Users and Devices 9-7
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
13. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
14. Press and hold the Ctrl button and click both Department Match and Protect confidential docs,
click Add, and then click OK.
15. Close the Group Policy Management Editor and the Group Policy Management Console.
21. In the Properties dialog box, click the Security tab, and then click Advanced.
22. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
23. In the drop-down list box, select Protect confidential docs, and then click OK twice.
24. Right-click the Research folder, and then click Properties.
25. In the Properties dialog box, click the Security tab, and then click Advanced.
26. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
27. In the drop-down list box, click Department Match, and then click OK twice.
9-8 Upgrading Your Skills to MCSA Windows Server 2012
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management Console
8. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative
Center.
9. In the navigation pane, click Dynamic Access Control.
10. Double-click Central Access Rules, right-click Department Match, and then click Properties.
11. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
12. Click Authenticated Users, and then click Edit.
13. Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.
14. Click OK twice to close all windows.
15. Switch to LON-SVR1.
Lesson 4
Implementing Access-Denied Assistance
Contents:
Demonstration: Implementing Access-Denied Assistance 10
9-10 Upgrading Your Skills to MCSA Windows Server 2012
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box. Review other options, but do not make any
changes, and then click OK.
9. In the details pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types. Click Enabled, and then click OK.
10. Close the Group Policy Management Editor and the Group Policy Management Console.
11. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
12. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
Implementing Secure Data Access for Users and Devices 9-11
Lesson 5
Implementing and Managing Work Folders
Contents:
Demonstration: Implementing Work Folders 12
9-12 Upgrading Your Skills to MCSA Windows Server 2012
3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, select Select by file share, ensure that the share you
created in the previous task (WF-Share) is highlighted, and then click Next.
5. On the Specify the structure for user folders, accept the default selection (user alias), and then click
Next.
6. On the Enter the sync share name page, accept the default, and then click Next.
7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.
8. In the Select User or Group dialog box, in the Enter the object names to select, type WFsync, click
Check Names, and then click OK.
9. On the Grant sync access to groups page, click Next.
10. On the Specify device policies page, note the selections, accept the default selection, and then click
Next.
11. On the Confirm selections page, click Create.
12. On the View results page, click Close.
13. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
14. Open Server Manager, click Tools, and then click Group Policy Management.
15. Expand Forest: Adatum.com-Domains-Adatum.com, click Group Policy Objects, right-click the
Group Policy Objects container, and then click New.
16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.
18. In the Group Policy Management Editor, expand User Configuration / Policies / Administrative
Templates / Windows Components, and then click Work Folders.
19. Double-click Specify Work Folders settings in the details pane.
20. In the Specify Work Folders settings dialog box, click Enabled.
21. In the Work Folders URL text box, type https://lon-svr3.adatum.com, and then select Force
automatic setup.
22. To close the Specify Work Folders settings dialog box, click OK, and then close the Group Policy
Management Editor.
23. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO.
24. In the Select GPO window, select Work Folders GPO, and then click OK.
25. Close the Group Policy Management Console.
Implementing Secure Data Access for Users and Devices 9-13
Review Question(s)
Question: What is a claim?
Answer: A claim is information that AD DS states about an object, which usually is a user or a
computer.
Question: What is the purpose of Central Access Policy?
Answer: Central access policies enable administrators to create policies that apply to one or
more file servers in an organization. Central access policies contain one or more Central Access
Policy rules. Each rule contains settings that determine applicability and permissions.
Tools
Tool Use Location
Claims are not populated with the Verify that the correct attribute is selected for the claim.
appropriate values. In addition, check that the attribute value for a specific
object is populated.
A conditional expression does not allow Verify that the expression is well defined. In addition, try
9-14 Upgrading Your Skills to MCSA Windows Server 2012
Module 10
Implementing Active Directory Domain Services
Contents:
Lesson 1: Deploying AD DS Domain Controllers 2
Lesson 3: Implementing Service Accounts 4
Lesson 5: Overview of Windows Azure Active Directory 6
Lesson 6: Maintaining AD DS 8
Module Review and Takeaways 10
Lab Review Questions and Answers 12
10-2 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 1
Deploying AD DS Domain Controllers
Contents:
Resources 3
Implementing Active Directory Domain Services 10-3
Resources
Additional Reading: You can see a complete list of new features for AD DS at:
Lesson 3
Implementing Service Accounts
Contents:
Demonstration: Configuring Group Managed Service Accounts 5
Implementing Active Directory Domain Services 10-5
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-ADServiceAccount -Filter *
Lesson 5
Overview of Windows Azure Active Directory
Contents:
Resources 7
Implementing Active Directory Domain Services 10-7
Resources
Additional Reading: Windows Azure partitioning for multitenancy is outside the scope of
this course, but for more information, see http://go.microsoft.com/fwlink/?LinkID=331430.
10-8 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 6
Maintaining AD DS
Contents:
Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin 9
Implementing Active Directory Domain Services 10-9
4. In the navigation pane, click Adtaum (local) to return to the main tree.
Review Question(s)
Question: You have a mixture of client computers running Windows XP and Windows 8. After you
configure several settings in the Administrative Templates and Preferences of a GPO, Windows XP users
report that some settings are being applied while others are not.
Answer: Not all new settings apply to legacy systems such as Windows XP. In addition, Windows
XP cannot process Group Policy Preferences unless the correct client-side extensions are
downloaded and installed.
When you have branch offices across WAN links, what solutions are available to facilitate client logons in
the branch offices?
Answer: You could place a domain controller in the branch office.
What if security is a concern?
Answer: The domain controller could be an RoDC.
What can you do to help prevent network interruptions from preventing users from logging on?
Answer: You can create a password replication policy for the RoDC that enables the passwords of the
branch users to be cached locally.
Tools
Tool Use Location
Server Manager A central location for all Open by default on logon, or can be
aspects of server management accessed from the taskbar
Active Directory Control all aspects of Active Can be accessed from the Tools drop-
Administrative Directory management down menu in Server Manager
Center
Active Directory
Sites and Services
Active Directory
Implementing Active Directory Domain Services 10-11
GPMC Control all aspects of Group Can be accessed from the Tools drop-
Policy management down menu in Server Manager
Active Directory Restore object that were Can be accessed from the Active
Recycle Bin deleted in error from AD DS Directory Administration Center
Domain controller promotion fails Use the logs and troubleshooting diagnostic tools.
Group Policy is not being applied correctly Use Group Policy troubleshooting tools such as
GPResult and GPUpdate to discover the issues.
You have to restore a version of AD DS Take regular snapshots of AD DS, and then you
and do not know from which backup to can mount a read-only snapshot to compare to
restore the current AD DS.
10-12 Upgrading Your Skills to MCSA Windows Server 2012
Question: Assigning a user as the RODC server administrator grants that user the right to create user
accounts in AD DS. True or false?
Answer: False. Granting administrative rights to the RODC enables administrative access to
perform server maintenance duties such as backup, restore, installation applications and devices,
and others. It does not grant any rights in AD DS.
Question: What client-side extensions are applied even across a slow connection?
Answer: Administrative Templates settings and security settings are always applied, even across
slow connections.
Module 11
Implementing AD FS
Contents:
Lesson 2: Deploying AD FS 2
Lesson 3: Implementing AD FS for a Single Organization 4
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario 7
Lesson 2
Deploying AD FS
Contents:
Demonstration: Installing the AD FS Server Role 3
Implementing AD FS 11-3
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.22, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close DNS Manager.
Configure AD FS
1. On LON-SVR2, in Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Create a Group Managed Service Account.
7. In the Account Name box, type ADFS, and then click Next.
8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
9. On the Review Options page, click Next.
10. On the Pre-requisite Checks page, click Configure.
Lesson 3
Implementing AD FS for a Single Organization
Contents:
Demonstration: Configuring Claims Provider and Relying Party Trusts 5
Implementing AD FS 11-5
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
E-Mail-Addresses: E-Mail Address
User-Principal-Name: UPN
9. Click Finish, and then click OK.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-
factor authentication settings for the relying party trust at this time, and then click Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying
party, and then click Next.
9. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.
Implementing AD FS 11-7
Lesson 4
Deploying AD FS in a Business-to-Business Federation
Scenario
Contents:
Resources 8
Demonstration: Configuring Claim Rules 8
11-8 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: For more information on RelayState, see Supporting Identity Provider
Initiated RelayState: http://go.microsoft.com/fwlink/?LinkId=269666
3. In the Claim rule name box, type Send Group Name Rule.
4. In the Incoming claim type drop-down list, click Group, and then click Finish.
5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab,
click the rule named Permit Access to All Users, and then click Remove Rule.
6. Click Yes to confirm.
11. In the Incoming claim value box, type Production, click Permit access to users with this
incoming claim, and then click Finish.
12. On the Issuance Authorization Rules tab, click Add Rule.
13. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users.
17. Click the Allow A. Datum Users rule, and then click Edit Rule.
18. In the Edit Rule Allow Adatum Users dialog box, click View Rule Language.
19. Click OK, and then click Cancel.
20. In the Edit Claim Rules for A. Datum Test App window, click OK.
Implementing AD FS 11-9
Lesson 5
Implementing Web Application Proxy
Contents:
Demonstration: Installing and Configuring Web Applica tion Proxy 10
11-10 Upgrading Your Skills to MCSA Windows Server 2012
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Remote Access check box, and then click Next.
6. On the Select features page, click Next.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and, to close the success
message, click OK.
16. Close the Microsoft Management Console, and do not save the changes.
Implementing AD FS 11-11
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
8. Right-click Personal, point to All Tasks, and then click Import.
11. On the Private key protection page, in the Password box, type Pa$$w0rd.
12. Select the Mark this key as exportable. This will allow you back up or transport your keys at a
later time check box, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store.
14. In the Certificate store box, select Personal, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.
3. On the Federation Server page, enter the following, and then click Next:
Federation service name: adfs.adatum.com
User name: Adatum\Administrator
Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.
Lesson 6
Implementing Workplace Join
Contents:
Demonstration: Performing a Workplace Join 13
Implementing AD FS 11-13
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Verify that the enterpriseregistration record exists.
4. Close DNS Manager.
2. On the Start screen, type workplace, and then click Workplace settings.
3. In the Workplace window, in the Enter your user ID to get workplace access or turn on device
management box, type Brad@adatum.com, and then click Join.
2. In Active Directory Users and Computers, click View, and then click Advanced Features.
3. Expand Adatum.com, and then click RegisteredDevices.
4. Right-click the object in the details pane, and then click Properties.
Answer: The only AD FS certificate that needs to be trusted is the service communication
certificate. The token signing and token decrypting certificates can be left as self-signed.
Therefore, only a single certificate from a third-party is required.
Question: Your organization has an application for customers that allows them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. What do you need to configure to support the application?
Answer: You need to perform the following tasks:
1. Configure the application to trust incoming claims. Use the WIF Federation Utility to
configure the application.
2. Configure a relying party trust for the application. This configures AD FS to provide claims to
the application for authorized users.
3. Configure claim rules for the relying party trust. This configures which information is
provided to the application.
Question: Your organization has an application for customers that enables them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. You are configuring a Web Application Proxy to support application
access over the Internet. Internally, your AD FS server uses the host name adfs.contoso.com and resolves
to 10.10.0.99. How will you allow external partners to resolve adfs.contso.com to the external IP address of
Web Application Proxy?
Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP
address internally and externally. The internal DNS server resolves adfs.contoso.com to the
internal IP address of the AD FS server. The external DNS server resolves adfs.contoso.com to the
external IP address of Web Application Proxy.
Question: Your organization has implemented a single AD FS server and a single Web Application Proxy
successfully. Initially, AD FS was used for only a single application, but now it is being used for several
business-critical applications. AD FS must be configured to be highly available.
During the installation of AD FS, you selected to use the Windows Internal Database. Can you use this
database in a highly available configuration?
Answer: Yes, the Windows Internal Database can be used to support up to five AD FS servers.
The first AD FS server is the primary server where all configuration changes take place. Changes
in the primary server are replicated to the other AD FS servers.
Question: Your organization wants to control access to applications that are available from the Internet
by using Workplace Join. What DNS changes do you need to perform so that devices can locate the Web
Application Proxy during the Workplace Join process?
Answer: Devices identify the server name based on the UPN name provided during the
Workplace Join process. Assuming that there is only a single UPN name used by your
Implementing AD FS 11-15
Answer: If you use the host name of an existing server for the AD FS server, you will not be able
to add additional servers to your server farm. All servers in the server farm must share the same
host name when providing AD FS services. The host name for AD FS also is used by AD FS proxy
servers.
Question: How can you test whether AD FS is functioning properly?
Answer: You can access https://hostname/federationmetadata/2007-
06/federationmetadata.xml on the AD FS server.
Monitoring and Maintaining Windows Server 2012 12-1
Module 12
Monitoring and Maintaining Windows Server 2012
Contents:
Lesson 1: Monitoring Windows Server 2012 2
Lesson 2: Implementing Windows Server Backup 7
Lesson 3: Implementing Server and Data Recovery 9
Lesson 1
Monitoring Windows Server 2012
Contents:
Questio n and Answers 3
Demonstration: Creating Da ta Collector Sets 4
Demonstration: Configuring Event Subscriptions 5
Monitoring and Maintaining Windows Server 2012 12-3
Answer: Many troubleshooting procedures benefit from server monitoring. Some of them are:
Establishing baseline metrics to determine typical operating conditions for servers.
Improving server performance by detecting anomalies.
Question: What are some key considerations that you would make when monitoring domain controllers?
Answer: The time of day when you monitor the domain controller is an important consideration.
Typically, domain controllers are at peak performance when they are signing in users, which is
usually at the beginning of the business day. At the same time, this is when authenticating
computers that were just turned on and started are loading GPOs and scripts, and resolving DNS
queries, especially if Active Directory-integrated DNS is being used. Because of this, mornings
would be a good time of day to monitor domain controllers. In addition, monitoring activity
during the middle of the night might not provide relevant information.
Another consideration is the network adapter. The number of errors in Domain Name System
(DNS) and replication might come down to networking issues related to the network adapters. In
addition, because AD DS is stored locally on a database, the speed of the hard drive can also be
an important factor.
Question: What are some key considerations you would make when monitoring the file and print servers?
Answer: Print spooling involves memory and disk space. You should ensure that these
components have appropriate data collector sets enabled and started. In addition, to check for
issues involving slow access to network shares, you should monitor the network interface.
Question: What are some key considerations you would make when monitoring the SQL Server database
server?
Answer:
There are two key considerations you need to make when monitoring the database server:
Procedure cache. The SQL Server database processing pulls data pages off the disk file and
runs them in memory in a store called the procedure cache.
Write speed of the disk. Check the write speed of the disk that records the transaction log
entries.
You should monitor the performance of these factors by using data collector sets.
Question: What are some key considerations you would make when monitoring the web server?
12-4 Upgrading Your Skills to MCSA Windows Server 2012
Answer: You will need to monitor the web server network interface, in addition to the workload
that the web server puts on the SQL Server. If SQL Server cannot respond quickly to the web
queries, time-outs and failures will occur. You must monitor both servers in order to get a true
picture of what is occurring.
b. In the Customized View dialog box, select the Action pane check box, and then click OK.
5. In the navigation pane, expand Data Collector Sets, expand User Defined, and then click Server
Manager Performance Monitor.
6. In the details pane, double-click Performance Counters to review the default counters created.
7. In the Performance Counter Properties dialog box, click Cancel.
3. In the Create New Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name text box, type Windows Server Monitoring, click Create
manually (Advanced), and then click Next.
4. On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.
5. In Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User Defined,
click Windows Server Monitoring, under the Actions pane, click More Actions, click New, and
then click Data Collector.
6. In the Create New Data Collector Wizard, in the Name text box, type Base Windows Server
Monitoring, click Performance counter data collector, click Next, and then click Add.
7. In the Available counters object list, expand Processor, click % Processor Time, and then click Add.
8. In the Available counters object list, expand Memory, click Available Mbytes, and then click Add.
9. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.
10. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.
Monitoring and Maintaining Windows Server 2012 12-5
4. In the Launch area, in the Start time list, select 1:00:00 AM, and then click OK.
5. Click the Stop Condition tab. On the tab, select the Overall duration check box, in the Units drop-
down list box, click Hours, and then click OK.
Note: The Windows Server Monitoring data collector set will run for one hour every night
at 1:00 A.M
2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows start icon,
and then click Run.
3. In the Run, Open text box, type the following command, and then press Enter:
cmd
4. At the command prompt, type the following command, and then press Enter:
winrm quickconfig
9. In the Object Types dialog box, select the Computers check box, and then click OK.
10. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select text box, type LON-DC1, and then click OK.
2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows start icon,
and then click Run.
3. In the Run, Open Text text box, type cmd, and then click OK.
4. At the command prompt, type the following command, and then press Enter:
wecutil qc
4. In the Subscription Properties dialog box, in the Subscription name text box, type LON-SVR1
Events.
5. Click Collector Initiated, and then click Select Computers.
Critical
Warning
Information
Verbose
Error
11. In the Logged drop-down list box, click Last 7 days.
12. In the Event logs drop-down list box, click Windows Logs. Click inside the Query Filter dialog box,
and then click OK.
13. In the Subscription Properties LON-SVR1 Events dialog box, click OK.
Lesson 2
Implementing Windows Server Backup
Contents:
Demonstration: Backing Up Windows Server 2012 by Using Windows
Server Backup (Optional) 8
12-8 Upgrading Your Skills to MCSA Windows Server 2012
4. In the Home ribbon dialog box, click New Folder, type Backup, and then press Enter.
5. In File Explorer, right-click Backup, click Share with, and then click Specific people.
6. In the File Sharing dialog box, in the drop-down list box, click Everyone, and then click Add.
7. In the Name area, beside the Everyone name, click the Read drop-down arrow, and then click
Read/Write.
8. Click Share, and then click Done.
9. Switch to LON-SVR1.
10. On LON-SVR1, click Server Manager.
11. In Server Manager, click Tools, and then click Windows Server Backup.
12. In the wbadmin [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup. Point out to students the elements of the Microsoft Management Console (MMC), such as
Status and Actions.
15. On the Select Backup Configuration page, click Custom, and then click Next.
16. On the Select Items for Backup page, click Add Items.
17. Expand Local disk (C), select the HR Data check box, click OK, and then click Next.
18. On the Specify Destination Type page, click Remote shared folder, and then click Next.
19. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
20. On the Confirmation page, click Backup.
21. On the Backup Progress page, after the backup is complete click Close.
Monitoring and Maintaining Windows Server 2012 12-9
Lesson 3
Implementing Server and Data Recovery
Contents:
Resources 10
Demonstration: Restoring with Windo ws Server Backup (Optional) 10
12-10 Upgrading Your Skills to MCSA Windows Server 2012
Resources
Additional Reading: For more information on using BCDEdit, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=331449
Additional Reading: For more information on Hyper-V Replica, see the Microsoft Official
Courseware course 20409A, Server Virtualization with Windows Server Hyper-V and
Microsoft System Center.
3. In Server Manager, click Tools, and then click Windows Server Backup.
4. On the Windows Server Backup page, in the Actions pane, click Recover.
5. In the Recovery Wizard, on the Getting Started page, click A backup stored on another location,
and then click Next.
6. On the Specify Location type page, click Remote shared folder, and then click Next.
7. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
After you finish the demonstration, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417D-LON-DC1, and then click Revert.
Analyze your important infrastructure resources, and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
Identify with the organizations business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.
Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.
Review Question(s)
Question: Why is monitoring servers important for organizations?
Answer: Monitoring servers helps in obtaining information about the server-infrastructure health
and performance. Monitoring helps proactively protect servers from performance bottlenecks,
server failures, or issues related to security, such as denial of service (DoS) attacks or viruses.
Question: You want to create a strategy for how to back up different technologies that are used in your
organization, such as DHCP, DNS, AD DS, and SQL Server. What should you do?
Answer: Read documentation about the optimal backup strategy for each specific technology,
because every technology has specific best practices on backup and restore. Create
documentation and a checklist for backup and restore procedures.
Answer: Your company should develop backup and restore strategies based on multiple
parameters, such as business-continuity needs, risk-assessment procedures, and resource and
critical data identification. You must develop strategies that you should then evaluate and test.
These strategies should be suitable for the dynamic changes occurring with new technologies,
and should accommodate changes that occur with the organizations growth.
Tools
During monitoring, multiple sources are Collect as much information as possible about each
concurrently reporting different problems. of the reported problems. Although there might be
multiple issues, it is likely that you will find a
connection between these issues or problems.
The server has suffered a major failure on its Perform a bare-metal restore on a new system by
components. using the backup set that you created. Use the
documentation and checklist that you created as
part of your company's backup and restore strategy
and procedures.
You must have a way to back up and restore Install and configure Windows Azure Online Backup.
your data quickly to a different company's Using this service, you can back up and restore your
locations. You do not have backup media or data on each location or server, because the backup
backup hardware in each site. data is located in cloud services.
You must restore your data because of disk Always retain at least two sets of copies of your
system failure. However, you find that your backup data. In addition, you might consider
backup media is corrupted. keeping one copy onsite and another copy in the
cloud.
Monitoring and Maintaining Windows Server 2012 12-13
Answer: You should configure performance monitoring with different performance counters. To
start monitoring, you should first start to monitor with the following performance counters:
Processor - %Processor Time
Question: Users are reporting that they can no longer access data that is located on the server. You
connect to the server, and realize that the shared folder where users were accessing data is missing. What
should you do?
Answer: You should restore the folder by using Windows Server Backup.