
Exam Ref 70-410- Installing and Configuring Windows Server 2012 R2


Exam Ref 70-410: Installing and Configuring Windows Server 2012 R2

Craig Zacker

Published by Microsoft Press


Introduction

Most books take a very low-level approach, teaching you how to use basic concepts to accomplish fine-grained tasks. Like the Microsoft 70-410 certification exam, this book takes a high-level approach, building on your existing knowledge of lower-level Microsoft Windows system administration and extending it into higher-level server concepts needed for Windows Server 2012 R2.

Candidates for this exam are Information Technology (IT) Professionals who have Windows Server 2012 R2 operating system knowledge and experience and want to validate the skills and knowledge necessary to implement the Windows Server 2012 R2 core infrastructure services.

The 70-410 exam is the first in a series of three exams that validate the skills and knowledge necessary to implement a core Windows Server 2012 R2 Infrastructure into an existing enterprise environment. This book covers the initial implementation and configuration of the Windows Server 2012 R2 core services, such as Active Directory and the networking services. This book, along with the Exam Reference books covering the 70-411 and 70-412 exams, will collectively illustrate the skills and knowledge necessary for implementing, managing, maintaining and provisioning services and infrastructure in a Windows Server 2012 R2 environment.

This book covers every exam objective, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions themselves and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the links you’ll find in text to find more information and take the time to research and study the topic. Great information is available on MSDN, TechNet, and in blogs and forums.

Microsoft certifications

Microsoft certifications distinguish you by proving your command of a broad set of skills and experience with current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies both on-premises and in the cloud. Certification brings a variety of benefits to the individual and to employers and organizations.

MORE INFO ALL MICROSOFT CERTIFICATIONS

For information about Microsoft certifications, including a full list of available certifications, go to http://www.microsoft.com/learning/en/us/certification/cert-default.aspx.

Errata & book support

We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed at:

http://aka.ms/ER410R2/errata

If you find an error that is not already listed, you can report it to us through the same page.

If you need additional support, email Microsoft Press Book Support at [email protected].

Please note that product support for Microsoft software is not offered through the addresses above.

We want to hear from you

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at:

http://aka.ms/tellpress


The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!

Stay in touch

Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.


Preparing for the exam

Microsoft certification exams are a great way to build your resume and let the world know about your level of expertise. Certification exams validate your on-the-job experience and product knowledge. While there is no substitution for on-the-job experience, preparation through study and hands-on practice can help you prepare for the exam. We recommend that you round out your exam preparation plan by using a combination of available study materials and courses. For example, you might use the Training Guide and another study guide for your “at home” preparation and take a Microsoft Official Curriculum course for the classroom experience. Choose the combination that you think works best for you.


Chapter 1. Installing and configuring servers

Installing new Windows servers on your network is not something to be done casually—you must plan the installation well in advance. Among other things, you must decide what edition of the operating system to install, whether you are installing the full graphical user interface (GUI) or the Server Core option, what your virtualization strategy will be, if any, and what roles you intend to implement on the server. If you are installing Windows Server 2012 R2 for the first time, you might also have to decide whether to add the server to your production network or install it on a test network.

HAVE YOU READ PAGE XIII?

It contains valuable information regarding the skills you need to pass the exam.

This chapter discusses the process of installing Windows Server 2012 R2 using either a clean install or a server upgrade and the server configuration tasks you must perform immediately following the installation. Finally, it considers the configuration of various types of hard disk technologies used for local storage and the deployment of roles to servers all over the network.

Objectives in this chapter:


▪ Objective 1.1: Install servers

▪ Objective 1.2: Configure servers

▪ Objective 1.3: Configure local storage


EXAM TIP

Some exam questions are in a multiple-choice format, where answers are either right or wrong. If, while taking the exam, it seems as though two answers could be right but you can choose only one answer, you’ve likely missed a clue in the question text that would enable you to discard one of these answers. When exams are authored, the question writer has to provide logical reasons as to why one answer is correct as well as valid reasons as to why the other answers are incorrect. Although there is a small chance that you’ve come across a poorly worded question, it’s not likely. It’s more likely, however, that under the duress of a stressful exam situation, you’ve overlooked a vital bit of evidence that discounts an answer that you suspect is correct.


Objective 1.1: Install servers

Installation is a key topic and has been extensively tested in previous Windows Server exams. The 70-410 exam is no different. This objective discusses planning a Windows Server 2012 R2 installation. It looks at the preinstallation requirements and how you can prepare your installation hardware. It also considers the server roles you can implement during installation.

To review the topics in this objective, this section takes you through a clean installation of Windows Server 2012 R2 using the Server Core option and describes how the Features on Demand function enables you to optimize resources by removing all the files associated with a deleted server role or feature. The objective also looks at the options for upgrading a server running Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 R2 and migrating roles from an existing server to a new one.

NOTE

This objective covers how to:

▪ Plan for a server installation

▪ Plan for server roles

▪ Plan for a server upgrade

▪ Install a server using Server Core

▪ Optimize resource utilization using Features on Demand

▪ Migrate roles from previous versions of Windows Server


Planning for a server installation

In versions of Windows Server prior to Windows Server 2008 R2, installation planning could be a complex task. You had to decide from the outset what edition of the operating system to install, whether to install the 32-bit or 64-bit version, and whether you should perform a Server Core installation or whether you should use the full GUI. All of these decisions affected the server hardware requirements and all of these decisions were irrevocable. To change the edition, the platform, or the interface, you had to reinstall the server from the beginning.

With Windows Server 2012, you have far fewer options to choose from and far fewer installation decisions to make. Since Windows Server 2008 R2, there has been no 32-bit version; only a 64-bit operating system is available, reflecting the fact that most major applications are now 64-bit and that modern server configurations are typically supported on hardware that requires 64 bits. There are only four Windows Server 2012 R2 editions from which to choose, two fewer than the six editions in Windows Server 2008 R2. The Server Core installation option and the full GUI installation option remain, along with a third option called the Minimal Server Interface. However, it is now possible to switch between these options without reinstalling the operating system each time.

Selecting a Windows Server 2012 R2 edition

Microsoft releases all of its operating systems in multiple editions, which provides consumers with varying price points and feature sets. When planning a server deployment, the operating system edition you choose should be based on multiple factors, including the following:


▪ The roles you intend the servers to perform

▪ The virtualization strategy you intend to implement

▪ The licensing strategy you plan to use

Compared to Windows Server 2008, Microsoft has simplified the process of selecting a server edition by reducing the available products. As with Windows Server 2008 R2, Windows Server 2012 R2 requires a 64-bit processor architecture. All of the 32-bit versions have been eliminated, and there is no build that supports Itanium processors. This leaves Windows Server 2012 R2 with the following core editions:

▪ Windows Server 2012 R2 Datacenter. The Datacenter edition is designed for large and powerful servers with up to 64 processors and includes fault-tolerance features such as hot-add processor support. As a result, this edition is available only through the Microsoft volume-licensing program and is bundled with a server from original equipment manufacturers (OEMs).

▪ Windows Server 2012 R2 Standard. The Standard edition includes the full set of Windows Server 2012 R2 features and differs from the Datacenter edition only in the number of virtual machine (VM) instances permitted by the license.

▪ Windows Server 2012 R2 Essentials. The Essentials edition includes nearly all the features in the Standard and Datacenter editions; it does not include Server Core, Hyper-V, and Active Directory Federation Services. The Essentials edition is limited to one physical or virtual server instance and a maximum of 25 users.


▪ Windows Server 2012 R2 Foundation. The Foundation edition is a scaled-down version of the operating system; it is designed for small businesses that require only basic server features, such as file and print services and application support. The Foundation edition comes pre-installed with server hardware, includes no virtualization rights, and is limited to 15 users.

The price of each edition is commensurate with its respective capabilities. Obviously, the goal of administrators planning server deployments is to purchase the most cost-effective edition that meets their needs. The following sections examine the primary differences among the Windows Server 2012 R2 editions.

Supporting server roles

Windows Server 2012 R2 includes predefined combinations of services, called roles, which implement common server functions.


Computers running the Windows Server 2012 R2 operating system can perform a wide variety of tasks, using both the software included with the product and third-party applications. After you install the Windows Server 2012 R2 operating system, you can use Server Manager or Windows PowerShell to install one or more roles on that computer.

Some of the Windows Server 2012 R2 editions include all of the available roles, whereas others include only some of them. Selecting the appropriate edition of Windows Server has always been a matter of anticipating the roles that the computer must perform. At one time, this was a relatively simple process. You planned your server deployments by deciding which ones would be domain controllers, which ones would be certificate servers, which ones would use failover clustering, and so forth. Once you made these decisions, you were done because server roles were largely static.

With the increased focus on virtualization in Windows Server 2012 R2, however, more administrators are forced to consider not only what roles a server must perform at the time of the deployment but what roles a server might perform in the future.

By using virtualized servers, you can modify your network’s server strategy at will to accommodate changing workloads and business requirements or to adapt to unforeseen circumstances. Therefore, the process of anticipating the roles a server will perform must account for the potential expansion of your business and possible emergency needs.

Supporting server virtualization

The Windows Server 2012 R2 Datacenter edition and the Standard edition each includes support for Hyper-V, but each edition varies in the number of VMs permitted by its license. Each running instance of the Windows Server 2012 R2 operating system is classified as being in a physical operating system environment (POSE) or in a virtual operating system environment (VOSE). When you purchase a Windows Server 2012 R2 license, you can perform a POSE installation of the operating system, as always. After installing the Hyper-V role, you can then create VMs and perform VOSE installations on them. The number of VOSE installations permitted by your license depends on the edition you purchased, as shown in Table 1-1.


Table 1-1. Physical and virtual instances supported by Windows Server 2012 R2 editions

Edition       POSE Instances       VOSE Instances
Datacenter    1                    Unlimited
Standard      1                    2
Essentials    1 (POSE or VOSE)     1 (POSE or VOSE)
Foundation    1                    0


LICENSE RESTRICTIONS ARE NOT SOFTWARE RESTRICTIONS

The limitations specified in Table 1-1 are those of the license, not the software. You can, for example, create more than two VMs on a copy of Windows Server 2012 R2 Standard, but you must purchase additional licenses to do so.


EXAM TIP

The 70-410 exam can contain questions about licensing in which you must figure out how many copies of Windows are needed for a particular number of virtual machines on a Hyper-V server and which version of Windows would best meet the requirements while minimizing the cost.

Server licensing

Microsoft provides several different sales channels for Windows Server 2012 R2 licenses, and not all of the editions are available through all of the channels. Licensing Windows Server 2012 R2 includes purchasing licenses for both servers and clients, and there are many options for each one.


If you are already involved in a licensing agreement with Microsoft, you should already be aware of the server editions that are available to you through that agreement. If you are not aware, however, you should investigate the licensing options available to you before you select a server edition.

Table 1-2 lists the sales channels through which you can purchase each of the Windows Server 2012 R2 editions.


Table 1-2. Windows Server sales channel availability by edition

Edition       Retail    Volume Licensing    Original Equipment Manufacturer
Datacenter    No        Yes                 Yes
Standard      Yes       Yes                 Yes
Essentials    Yes       Yes                 Yes
Foundation    No        No                  Yes

Installation requirements

If your computer does not meet the following hardware specifications, Windows Server 2012 R2 will not install correctly (or possibly at all):

▪ 1.4-GHz 64-bit processor

▪ 512 MB RAM


▪ 32 GB available disk space

▪ Super VGA (1024 × 768) or higher resolution monitor

▪ Keyboard and mouse (or other compatible pointing device)

▪ Internet access

32 GB of available disk space should be considered an absolute minimum. The system partition will need extra space if you install the system over a network or if your computer has more than 16 GB of RAM installed. The additional disk space is required for paging, hibernation, and dump files. In practice, you are unlikely to come across a computer with 32 GB of RAM and only 32 GB of disk space. If you do, free more disk space or invest in additional storage hardware.
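The minimums above can be checked before Setup is ever started. The following script is an added example, not code from the book: it reads the processor, memory and system-partition figures through CIM and compares them with the thresholds the text gives. The function name, the use of C: as the future system partition, and the way the "more than 16 GB of RAM needs extra room" caveat is turned into a number (free space of at least 32 GB plus the RAM size) are my assumptions; the monitor and Internet-access requirements cannot be verified by a script and are left to the administrator.

```powershell
# Added example (not from the book): compare a candidate machine with the
# minimum hardware requirements for Windows Server 2012 R2 listed above.
# Requires PowerShell 3.0 or later (Get-CimInstance); run elevated.
function Test-WS2012R2MinimumRequirements {
    [CmdletBinding()]
    param(
        # Partition that will hold the new system; assumed to be C:
        [string]$SystemDrive = 'C:'
    )

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"

    $is64 = $cpu.AddressWidth -eq 64      # 64-bit processor required
    $ghz  = $cpu.MaxClockSpeed / 1000     # MaxClockSpeed is reported in MHz

    # The book's minimums: 1.4 GHz 64-bit CPU, 512 MB RAM, 32 GB available disk.
    $checks = [ordered]@{
        'CPU is 64-bit'      = $is64
        'CPU >= 1.4 GHz'     = $ghz -ge 1.4
        'RAM >= 512 MB'      = $cs.TotalPhysicalMemory -ge 512MB
        'Free disk >= 32 GB' = $disk.FreeSpace -ge 32GB
    }

    # Caveat from the text: above 16 GB of RAM the system partition needs extra
    # space for paging, hibernation and dump files. Sizing that extra space as
    # "32 GB plus the installed RAM" is an assumption made for this example.
    if ($cs.TotalPhysicalMemory -gt 16GB) {
        $checks['Free disk >= 32 GB + RAM (paging/hibernation/dump)'] =
            $disk.FreeSpace -ge (32GB + $cs.TotalPhysicalMemory)
    }

    Write-Verbose ("Detected: {0}, 64-bit={1}, {2} GHz, RAM {3} GB, {4} free {5} GB" -f
        $cpu.Name, $is64, $ghz, [math]::Round($cs.TotalPhysicalMemory / 1GB, 1),
        $SystemDrive, [math]::Round($disk.FreeSpace / 1GB, 1))

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage: run on the candidate machine; any row with Passed = False blocks the install.
Test-WS2012R2MinimumRequirements -Verbose | Format-Table -AutoSize
```

Because Windows Server 2008 R2 ships with PowerShell 2.0, the script as written runs only after Windows Management Framework 3.0 or later has been installed on the old server, or from a Windows 8/Windows Server 2012 workstation against a remote machine by adding -ComputerName to the three Get-CimInstance calls.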


As part of Microsoft’s increased emphasis on virtualization and cloud computing in its server products, it has significantly increased the maximum hardware configurations for Windows Server 2012 R2. These maximums are listed in Table 1-3.

Table 1-3. Maximum hardware configurations in Windows Server versions

                          Windows Server 2012 R2    Windows Server 2008 R2
Processors                640                       256
RAM                       4 TB                      2 TB
Failover cluster nodes    64                        16


Choosing installation options

Many enterprise networks today use servers that are dedicated to a particular role. When a server is performing a single role, it does not make sense to have so many other processes running on the server that contribute little or nothing to that role. Windows Server 2012 R2 provides installation options that enable administrators to keep the unnecessary resources installed on a server to a minimum.

Using Server Core

Windows Server 2012 R2 includes an installation option that minimizes the user interface on a server. When you select the Windows Server Core installation option, you will install a stripped-down version of the operating system. There is no Start menu, no desktop Explorer shell, no Microsoft Management Console (MMC), and virtually no graphical applications. All you see when you start the computer is a single window with a command prompt, as shown in Figure 1-1.


Figure 1-1. The default Server Core interface

WHAT IS SERVER CORE?

Server Core is not a separate product or edition. It is an installation option included with the Windows Server 2012 R2 Standard edition and the Windows Server 2012 R2 Datacenter edition.


There are several advantages to running servers using Server Core:

▪ Hardware resource conservation. Server Core eliminates some of the most memory-intensive and processor-intensive elements of the Windows Server 2012 R2 operating system, thus devoting more of the system hardware to running essential services.

▪ Reduced disk space. Server Core requires less disk space for the installed operating system elements and less swap space, which maximizes the utilization of the server’s storage resources.

▪ Reduced patch frequency. The graphical elements of Windows Server 2012 R2 are among the most frequently updated, so running Server Core reduces the number of updates that administrators must apply. Fewer updates also mean fewer server restarts and less downtime.

▪ Reduced attack surface. The less software there is running on the computer, the fewer entrance points for attackers to exploit. Server Core reduces the potential openings presented by the operating system, increasing its overall security.

When Microsoft first introduced the Server Core installation option in Windows Server 2008, it was an intriguing idea, but few administrators took advantage of it. The main reason for this was that most server administrators were not sufficiently conversant with the command-line interface that is used to manage a Windows server without a GUI.

In Windows Server 2008 and Windows Server 2008 R2, the decision to install the operating system using the Server Core option was irrevocable. Once you installed the operating system using Server Core, there was no way to get the GUI back except to perform a complete reinstallation. That has all changed in Windows Server 2012 and Windows Server 2012 R2. You can now switch a server from the Server Core option to the Server with a GUI option and back again, at will, by using Windows PowerShell commands.

MORE INFO THERE AND BACK AGAIN

For more information on converting from the Server Core option to the Server with a GUI option and back again, see “Objective 1.2: Configure servers,” later in this chapter.

This ability means that administrators can install Windows Server 2012 R2 using the Server with a GUI option, configure the server using the familiar graphical tools, and then switch the server to Server Core to take advantage of the benefits listed earlier.

Server Core Defaults

In Windows Server 2012 R2, Server Core is the default installation option for reasons other than simply providing administrators with the ability to switch options after installing. In Windows Server 2012 R2, Microsoft is attempting to fundamentally modify the way that administrators work with their servers. Server Core is now the default installation option because in the new way of managing servers, administrators should rarely, if ever, have to work at the server console, either physically or remotely.

Windows Server has long been capable of remote administration, but this capability has been piecemeal. Some Microsoft Management Console (MMC) snap-ins enabled administrators to connect to remote servers, and Windows PowerShell 2.0 provided some remote capabilities from the command line, but Windows Server 2012 R2, for the first time, includes comprehensive remote administration tools that nearly eliminate the need to work at the server console.

The new Server Manager application in Windows Server 2012 R2 enables administrators to add servers from all over the enterprise and create server groups to facilitate the simultaneous configuration of multiple systems. The new Windows PowerShell 4.0 environment increases the number of available cmdlets from 230 to well over 2,000.

With tools like these, you can install your servers using the Server Core option, execute a few commands to join each server to an Active Directory Domain Services domain, and then never touch the server console again. You can perform all subsequent administration tasks, including the deployment of roles and features, by using Server Manager and Windows PowerShell from a remote workstation.
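The workflow just described, as an added example that is not from the book: one command at each new Server Core console to join the domain, after which every remaining task runs over Windows PowerShell remoting from an administrator's workstation. The server names, the domain name, the choice of the DNS Server role as the thing to deploy, and the report layout are assumptions made up for the example; the cmdlets (Add-Computer, Invoke-Command, Install-WindowsFeature, Get-WindowsFeature) are the standard ones.

```powershell
# Added example (not from the book): install Server Core, join the domain,
# then administer the servers only from a remote workstation.
$domain  = 'corp.example.com'              # assumed AD DS domain
$servers = 'SRV-CORE-01', 'SRV-CORE-02'    # assumed new Server Core hosts
$cred    = Get-Credential -Message "Account permitted to join and manage $domain"

# Step 1: the only command typed at each server's console. It joins the
# computer to AD DS and restarts it. (Commented out so the rest of the script
# can be run from the workstation without touching the servers' membership.)
#   Add-Computer -DomainName $domain -Credential $cred -Restart

# Step 2: deploy a role on all servers at once over WinRM, which Windows
# Server 2012 R2 enables by default. Nothing here needs the server console.
$report = Invoke-Command -ComputerName $servers -Credential $cred -ScriptBlock {
    $result = Install-WindowsFeature -Name DNS
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        Success       = $result.Success
        RestartNeeded = $result.RestartNeeded
        Installed     = ($result.FeatureResult | ForEach-Object { $_.Name }) -join ','
        DnsService    = (Get-Service -Name DNS -ErrorAction SilentlyContinue).Status
    }
}
$report | Format-Table -AutoSize

# Step 3: audit the whole group in one pass, the way Server Manager's server
# groups do, so drift between supposedly identical servers is visible.
Invoke-Command -ComputerName $servers -Credential $cred -ScriptBlock {
    Get-WindowsFeature | Where-Object Installed | Select-Object Name, InstallState
} | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, InstallState -AutoSize
```

Invoke-Command fans the script block out to every name in $servers in parallel and tags each returned object with PSComputerName, which is what makes the final audit table readable per server.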

Server Core Capabilities

In addition to omitting most of the graphical interface, a Server Core installation omits some of the server roles found in a Server with a GUI installation. However, the Server Core option in Windows Server 2012 R2 includes 12 of the 19 roles, plus support for SQL Server 2012, as opposed to only 10 roles in Windows Server 2008 R2 and nine in Windows Server 2008.

Table 1-4 lists the roles and features that are available and not available in a Windows Server 2012 R2 Server Core installation.


Table 1-4. Windows Server 2012 R2 Server Core roles

Roles Available in Server Core Installation:

▪ Active Directory Certificate Services

▪ Active Directory Domain Services

▪ Active Directory Lightweight Directory Services

▪ Active Directory Rights Management Services

▪ DHCP Server

▪ DNS Server

▪ File and Storage Services

▪ Hyper-V

▪ Print and Document Services

▪ Remote Access

▪ Web Server (IIS)

▪ Windows Server Update Services

Roles Not Available in Server Core Installation:

▪ Active Directory Federation Services

▪ Application Server (deprecated)

▪ Fax Server

▪ Network Policy and Access Services

▪ Remote Desktop Gateway

▪ Remote Desktop Session Host

▪ Remote Desktop Web Access

▪ Volume Activation Services

▪ Windows Deployment Services

Using the Minimal Server Interface

If the advantages of Server Core sound tempting, but there are traditional server administration tools you don’t want to give up, Windows Server 2012 R2 provides a compromise called the Minimal Server Interface.

The Minimal Server Interface is a setting that removes some of the most hardware-intensive elements from the graphical interface. These elements include Internet Explorer and the components of the Windows shell, including the desktop, File Explorer, and the Windows 8 desktop apps. Also omitted are the Control Panel items implemented as shell extensions, including the following:

▪ Programs and Features

▪ Network and Sharing Center

▪ Devices and Printers Center

▪ Display

▪ Firewall


▪ Windows Update

▪ Fonts

▪ Storage Spaces

What’s left in the Minimal Server Interface are the Server Manager application, the MMC application, Device Manager, and the entire Windows PowerShell interface. This provides administrators with most of the tools they need to manage local and remote servers.

To configure a Windows Server 2012 R2 Server with a GUI installation to use the Minimal Server Interface, you must remove the Server Graphical Shell feature by using Windows PowerShell or the Remove Roles And Features Wizard, as shown in Figure 1-2.


Figure 1-2. Using the User Interfaces And Infrastructure feature in the Remove Roles And Features Wizard

Using Features on Demand

During a Windows Server 2012 R2 installation, the Setup program copies the files for all the operating system components from the installation medium to a directory called WinSxS, the side-by-side component store. This enables you to activate any of the features included with Windows Server 2012 R2 without having to supply an installation medium.

The only drawback of this arrangement is that the WinSxS directory permanently occupies approximately 5 GB of disk space, much of which is, in many cases, devoted to data that will never be used after the initial server deployment.

With the increasing use of VMs to distribute server roles, enterprise networks often have more copies of the server operating system than ever before, and therefore they have more wasted disk space. In addition, the advanced storage technologies often used by today’s server infrastructures, such as storage area networks (SANs) and solid state drives (SSDs), are making that disk space more expensive.

Features on Demand, introduced in Windows Server 2012, is a third state for operating system features that enables administrators to conserve disk space by removing specific features, not only from operation but also from the WinSxS directory.

Features on Demand provides a third installation state for each of the features in Windows Server 2012 R2. In versions of the operating system prior to Windows Server 2012, features could only be Enabled or Disabled. Features on Demand provides the following three states:

▪ Enabled

▪ Disabled

▪ Disabled with payload removed


To implement this third state, you must use the Windows PowerShell Uninstall-WindowsFeature cmdlet, which now supports a new –Remove flag. Thus, the Windows PowerShell command to disable the Server Graphical Shell and remove its source files from the WinSxS directory would be as follows:

Uninstall-WindowsFeature Server-Gui-Shell -Remove

Once you delete the source files for a feature from the WinSxS folder, they are not irretrievable. If you attempt to enable that feature again, the system will download it from Windows Update or, alternatively, retrieve it from an image file you specify by using the –Source flag with the Install-WindowsFeature cmdlet. This enables you to retrieve the required files from a removable disk or from an image file on the local network. You can also use Group Policy to specify a list of installation sources.


FEATURES ON DEMAND

This ability to retrieve source files for a feature from another location is the actual functionality to which the name Features on Demand refers. Microsoft often uses this capability to reduce the size of updates downloaded from the Internet. When the user installs the update, the program downloads the additional files required and completes the installation.
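The following added example, which is not code from the book, ties together the two preceding passages: removing the Server Graphical Shell to reach the Minimal Server Interface, and the three Features on Demand states (Enabled, Disabled, Disabled with payload removed) as Get-WindowsFeature reports them. The feature name Server-Gui-Shell comes from the text; the install.wim path and image index used for the offline -Source are assumptions, and the destructive commands are run with -WhatIf so the script can be executed safely as a preview.

```powershell
# Added example (not from the book): walk a feature through the three
# Features on Demand states and show how a removed payload is restored.
$feature = 'Server-Gui-Shell'   # the Server Graphical Shell, named in the text

function Get-FeatureState {
    param([string]$Name)
    # InstallState is Installed, Available or Removed. Removed corresponds to
    # the "Disabled with payload removed" state described above.
    (Get-WindowsFeature -Name $Name).InstallState
}

"Before: $feature is $(Get-FeatureState $feature)"

# Enabled -> Disabled: the shell is removed from the running system but its
# files stay in WinSxS. After a restart this leaves the Minimal Server
# Interface (Server Manager, MMC, Device Manager and PowerShell remain).
Uninstall-WindowsFeature -Name $feature -WhatIf

# Disabled -> Disabled with payload removed: -Remove also deletes the source
# files from WinSxS, which is the disk-space saving Features on Demand exists for.
Uninstall-WindowsFeature -Name $feature -Remove -WhatIf

# Restoring a Removed feature on a server that cannot reach Windows Update:
# -Source points at an install.wim using the wim:<path>:<index> form.
# Path and index are assumptions; list the indexes with Get-WindowsImage.
$source = 'wim:D:\sources\install.wim:4'
# Install-WindowsFeature -Name $feature -Source $source -Restart

# Inventory: every feature on this server whose payload has been removed,
# i.e. what would need an installation source to be re-enabled.
Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Removed' } |
    Select-Object Name, DisplayName, InstallState | Format-Table -AutoSize
```

Drop the -WhatIf switches to perform the changes; add -Restart to the Uninstall-WindowsFeature calls if you want the shell change to take effect immediately rather than at the next reboot.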

Upgrading servers

An in-place upgrade is the most complicated form of Windows Server 2012 R2 installation. It is also the lengthiest and the most likely to cause problems during its execution. Whenever possible, Microsoft recommends that administrators perform a clean installation or migrate required roles, applications, and settings instead.

Although in-place upgrades often proceed smoothly, the complexity of the upgrade process and the large number of variables involved means that there are many things that can go wrong. To minimize the risks involved, it is important for you to take the upgrade process seriously, prepare the system beforehand, and have the ability to troubleshoot any problems that might arise. The following sections discuss these subjects in greater detail.

Upgrade paths

Upgrade paths for Windows Server 2012 R2 are limited. In fact, it’s easier to specify when you can perform an upgrade than when you can’t. If you have a 64-bit computer running Windows Server 2008 or Windows Server 2008 R2, you can upgrade it to Windows Server 2012 R2 as long as you use an appropriate operating system edition.

Windows Server 2012 R2 does not support the following:

▪ Upgrades from Windows Server versions prior to Windows Server 2008

▪ Upgrades from pre-RTM editions of Windows Server 2012 R2

▪ Upgrades from Windows workstation operating systems

▪ Cross-platform upgrades, such as 32-bit Windows Server 2008 to 64-bit Windows Server 2012 R2

▪ Upgrades from any Itanium edition

▪ Cross-language upgrades, such as from Windows Server 2008, U.S. English to Windows Server 2012 R2, French


In any of these cases, the Windows Setup program will not permit the upgrade to proceed.

Preparing to upgrade

Before you begin an in-place upgrade to Windows Server 2012 R2, you should perform a number of preliminary procedures to ensure that the process goes smoothly and that the server data is protected.

Consider the following before you perform any upgrade to Windows Server 2012 R2:

▪ Check hardware compatibility. Make sure that the server meets the minimum hardware requirements for Windows Server 2012 R2.

▪ Check disk space. Make sure that there is sufficient free disk space on the partition where the old operating system is installed. During the upgrade procedure, sufficient disk space is needed to simultaneously hold both operating systems. After the upgrade is complete, you can remove the old files, freeing up some additional space.

▪ Confirm that software is signed. All kernel-mode software on the server, including device drivers, must be digitally signed or the software will not load. This can result in an aborted upgrade process, hardware failures after the upgrade is completed, or failure of the system to start after the upgrade. If you cannot locate a software update for the application or driver that is signed, then you should uninstall the application or driver before you proceed with the installation.


DISABLING THE DRIVER SIGNATURE

If an unsigned driver prevents the computer from starting, you can disable the driver signature requirement by pressing F8 during the startup, selecting Advanced Boot Options, and then selecting Disable Driver Signature Enforcement.

▪ Save mass storage drivers on removable media. If a manufacturer has supplied a separate driver for a device in your server, save the driver to a CD, a DVD, or a USB flash drive in either the media root directory or the /amd64 folder. To provide the driver during Setup, click Load Driver or press F6 on the disk selection page. You can browse to locate the driver or you can have Setup search the media.

▪ Check application compatibility. The Setup program displays a Compatibility Report page that can notify you of possible application compatibility problems. You can sometimes solve these problems by updating or upgrading the applications. Create an inventory of the software products installed on the server and check the manufacturers’ websites for updates, availability of upgrades, and announcements regarding support for Windows Server 2012 R2. In an enterprise environment, you should test all applications for Windows Server 2012 R2 compatibility, no matter what the manufacturer says, before you perform any operating system upgrades.

▪ Ensure computer functionality. Make sure that Windows Server 2008 or Windows Server 2008 R2 is running properly on the computer before you begin the upgrade process. You must start an in-place upgrade from within the existing operating system, so you cannot count on Windows Server 2012 R2 to correct any problems that prevent the computer from starting or running the Setup program.

▪ Perform a full backup. Before you perform any upgrade procedure, you should back up the entire system or, at the very least, the essential data files. Your backup should include all data and configuration information that is necessary for your target computer to function. When you perform the backup, be sure to include the boot and system partitions and the system state data. Removable hard drives make this a simple process, even if there is not a suitable backup device in the computer.

▪ Disable virus protection software. Virus protection software can make installations much slower by scanning every file that is copied locally to your computer. If installed, you should disable this software before performing the upgrade.

▪ Disconnect the UPS device. If you have an uninterruptible power supply (UPS) connected to your target computer, disconnect the data cable before performing the upgrade. Setup automatically attempts to detect connected devices; UPS equipment can cause issues with this process.

▪ Purchase the correct Windows Server 2012 R2 edition. Be sure to purchase the appropriate Windows Server 2012 R2 edition for the upgrade and have the installation disk and product key handy.

During the upgrade process, when the system restarts, the boot menu provides an option to roll back to the previous operating system version. However, once the upgrade is complete, this option is no longer available and it is not possible to uninstall Windows Server 2012 R2 and revert to the old operating system version.

Migrating roles

Migration is the preferred method of replacing an existing server with one running Windows Server 2012 R2. Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 R2 installation.

When migrating, nearly all the restrictions listed earlier in regard to upgrades do not apply. By using the Windows Server Migration Tools and migration guides supplied with Windows Server 2012 R2, you can migrate data between servers under any of the following conditions:

▪ Between versions. You can migrate data from any Windows Server version from Windows Server 2003 SP2 to Windows Server 2012 R2. This includes migrations from one server running Windows Server 2012 R2 to another.

▪ Between platforms. You can migrate data from a 32-bit or 64-bit server to a 64-bit server running Windows Server 2012 R2.

▪ Between editions. You can migrate data between servers running different Windows Server editions.

▪ Between physical and virtual instances. You can migrate data from a physical server to a virtual one, or the reverse.

▪ Between installation options. You can migrate data from one server to another, even when one server is using the Server Core installation option and the other is using the Server with a GUI option.

Migration at the server level is different from any migrations you might have performed on workstation operating systems. Instead of performing a single migration procedure that copies all the user data from the source to the destination computer at once, in a server migration you migrate roles or role services individually.

Windows Server 2012 R2 includes a collection of migration guides that provide individualized instructions for each of the roles supported by Windows Server 2012 R2. Some of the roles require the use of Windows Server Migration Tools; others do not.

Installing Windows Server Migration Tools

Windows Server Migration Tools is a Windows Server 2012 R2 feature that consists of Windows PowerShell cmdlets and help files that enable administrators to migrate certain roles between servers.

Before you can use the migration tools, however, you must install the Windows Server Migration Tools feature on the destination server running Windows Server 2012 R2 and then copy the appropriate version of the tools to the source server.

Windows Server Migration Tools is a standard feature that you install on Windows Server 2012 R2 by using the Add Roles And Features Wizard in Server Manager, as shown in Figure 1-3, or the Install-WindowsFeature Windows PowerShell cmdlet.

Figure 1-3. The Select Features page of the Add Roles And Features Wizard

Using migration guides

Once you have installed the Windows Server Migration Tools on both the source server and the destination server, you can proceed to migrate data between the two.

By using the migration tools, administrators can migrate certain roles, features, shares, operating system settings, and other data from the source server to the destination server running Windows Server 2012 R2. Some roles require the use of the migration tools, whereas others that have their own internal communication capabilities do not.

There is no single procedure for migrating all the Windows Server roles, whether they have their own migration tools or not. Instead, Microsoft provides detailed migration guides for individual roles; in some instances, Microsoft provides detailed migration guides for individual role services within a role.

MORE INFO MIGRATION GUIDES

Up-to-date migration guides are available at the Windows Server Migration Portal at the Windows Server 2012 R2 TechCenter (http://technet.microsoft.com/en-us/library/jj134039).

THOUGHT EXPERIMENT: INSTALLING ROLES WITH WINDOWS POWERSHELL

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the Answers section at the end of this chapter.

Ralph recently took delivery of a new server with Windows Server 2012 R2 Datacenter edition already installed with the full GUI option. Ralph wants to configure the system as a web server, using the absolute minimum of hardware resources. His first step is to use Server Manager to install the Web Server (IIS) role.

With this in mind, answer the following questions.

1. What Windows PowerShell command should Ralph use to convert the full GUI installation to Server Core?

2. What Windows PowerShell command should Ralph use to completely remove the GUI installation files from the system?

Objective summary

▪ Microsoft releases all its operating systems in multiple editions, which provides consumers with varying price points and feature sets.

▪ When you select the Windows Server Core installation option, you get a stripped-down version of the operating system.

▪ The Minimal Server Interface is a setting that removes some of the most hardware-intensive elements from the graphical interface.

▪ An in-place upgrade is the most complicated form of a Windows Server 2012 R2 installation. It is also the lengthiest and the most likely to cause problems during its execution. Whenever possible, Microsoft recommends that administrators perform a clean installation or migrate required applications and settings instead.

▪ Migration is the preferred method of replacing an existing server with one running Windows Server 2012 R2. Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 R2 installation.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following processor architectures can be used for a clean Windows Server 2012 R2 installation? (Choose all that apply.)

a. 32-bit processor only

b. 64-bit processor only

c. 32-bit or 64-bit processor

d. 64-bit or Itanium processor

2. Which of the following paths is a valid upgrade path to Windows Server 2012 R2?

a. Windows Server 2003 Standard to Windows Server 2012 R2 Standard

b. Windows Server 2008 Standard to Windows Server 2012 R2 Standard

c. Windows Server 2008 32-bit to Windows Server 2012 R2 64-bit

d. Windows 7 Ultimate to Windows Server 2012 R2 Essentials

3. Which of the following features must be added to a Windows Server 2012 R2 Server Core installation to convert it to the Minimal Server Interface?

a. Graphical Management Tools and Infrastructure

b. Server Graphical Shell

c. Windows PowerShell

d. Microsoft Management Console

4. Which of the following terms is the name of the directory where Windows stores all the operating system modules it might need to install at a later time?

a. Windows

b. System32

c. bin

d. WinSxS

5. Which of the following statements are valid reasons as to why administrators might want to install their Windows Server 2012 R2 servers by using the Server Core option? (Choose all that apply.)

a. A Server Core installation can be converted to the full GUI without reinstalling the operating system.

b. The Windows PowerShell 4.0 interface in Windows Server 2012 R2 includes more than 10 times as many cmdlets as Windows PowerShell 2.0.

c. The new Server Manager in Windows Server 2012 R2 makes it much easier to administer servers remotely.

d. A Windows Server 2012 R2 Server Core license costs significantly less than a full GUI license.

Objective 1.2: Configure servers

A server is rarely ready to perform all the tasks you have planned for it immediately after installation. Typically some postinstallation configuration is required and further configuration changes might become necessary after the server is in service.


NOTE

This objective covers how to:

▪ Configure Server Core

▪ Delegate administration

▪ Add and remove features in offline images

▪ Deploy roles on remote servers

▪ Convert Server Core to and from full GUI

▪ Configure services

▪ Configure NIC teaming

▪ Install and configure Windows PowerShell Desired State Configuration (DSC)

Completing postinstallation tasks

As part of the new emphasis on cloud-based services in Windows networking, Windows Server 2012 R2 contains a variety of tools that have been overhauled to facilitate remote server management capabilities.

The new Server Manager, for example, is designed to enable administrators to manage Windows servers without having to interact directly with the server console, either physically or remotely. However, there are some tasks that administrators might have to perform immediately after the operating system installation that require direct access to the server console:

▪ Configuring the network connection

▪ Setting the time zone

▪ Enabling Remote Desktop


▪ Renaming the computer

▪ Joining a domain

Using GUI tools

In Windows Server 2012 R2, the Properties tile in Server Manager, as shown in Figure 1-4, provides the same functionality as the Initial Configuration Tasks window in previous Windows Server versions. To complete any or all of the postinstallation configuration tasks on a GUI Windows Server 2012 R2 installation, you can use the tools in the Properties tile, either by working directly at the server console or by using Remote Desktop to access the server from another computer.

Figure 1-4. The Properties tile of the local server in Server Manager

The Ethernet entry in the Properties tile specifies the current status of the computer’s network interface. If there is an active Dynamic Host Configuration Protocol (DHCP) server on the network, the server will have already retrieved an IP address and other settings and used them to configure the interface. If there is no DHCP server on the network, or if you must configure the computer with a static IP address, click the Ethernet hyperlink to display the Network Connections window from the Control Panel. You can use this to open the Ethernet Properties sheet and the Internet Protocol Version 4 (TCP/IPv4) Properties sheet, where you can configure the TCP/IP client.

Accurate computer clock time is essential for Active Directory Domain Services communication. If the server is located in a time zone other than the default Pacific zone, click the Time Zone hyperlink to open the Date and Time dialog box, where you can correct the setting.

By default, Windows Server 2012 R2 does not allow Remote Desktop connections. To enable them, click the Remote Desktop hyperlink to open the Remote tab of the System Properties sheet.

In a manual operating system installation, the Windows Setup program assigns a unique name beginning with WIN to the computer. To change the name of the computer and join it to a domain, click the Computer Name hyperlink to open the System Properties sheet and click Change to open the Computer Name/Domain Changes dialog box.

Using command-line tools

If you selected the Server Core option when installing Windows Server 2012 R2, you can perform the same postinstallation tasks from the command line. At the very minimum, you will have to rename the computer and join it to a domain. To do this, you can use the Sconfig.exe or Netdom.exe program.

To rename a computer, run Netdom.exe with the following syntax, as shown in Figure 1-5:

netdom renamecomputer %ComputerName% /NewName:<NewComputerName>

Figure 1-5. Renaming a computer from the command line

To restart the computer as directed, use the following command:

shutdown /r

Then, to join the computer to a domain, use the following syntax:

netdom join %ComputerName% /domain:<DomainName> /userd:<UserName> /passwordd:*

In this command, the asterisk (*) in the /passwordd parameter causes the program to prompt you for the password to the user account you specified.

These commands assume that a DHCP server has already configured the computer’s TCP/IP client. If this is not the case, you must manually configure it before you can join a domain. To assign a static IP address to a computer using Server Core, you can use the Netsh.exe program or the New-NetIPAddress cmdlet in Windows PowerShell.
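The same postinstallation sequence carried out entirely in Windows PowerShell, as an added example that is not from the book: it assigns the static address with New-NetIPAddress before the join, checks that the domain resolves, and prompts for the join credentials instead of placing a password on the command line. The adapter alias, addresses, computer name and domain are constructed placeholders.

```powershell
# Added example (not from the book): Server Core postinstallation tasks with
# the NetTCPIP, DnsClient and Microsoft.PowerShell.Management cmdlets.
# Every value below is a constructed placeholder for a lab network.
$Interface  = 'Ethernet'            # adapter alias, confirm with Get-NetAdapter
$IPAddress  = '10.0.0.25'
$Prefix     = 24
$Gateway    = '10.0.0.1'
$DnsServers = '10.0.0.10', '10.0.0.11'
$NewName    = 'SERVERA'
$Domain     = 'adatum.local'        # hypothetical domain name

# 1. Make sure the adapter exists and has link before reconfiguring it.
$adapter = Get-NetAdapter -Name $Interface -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$Interface' is not connected (status: $($adapter.Status))."
}

# 2. Replace the DHCP-assigned configuration with a static one. The existing
#    address and default route are removed first so New-NetIPAddress does not
#    fail with a duplicate-gateway error.
Set-NetIPInterface -InterfaceAlias $Interface -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $IPAddress `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DnsServers

# 3. A join fails late and cryptically when the domain cannot be resolved, so
#    verify name resolution against the DNS servers just configured.
if (-not (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve '$Domain'; check the DNS server addresses first."
}

# 4. Prompt for the account allowed to join computers, the PowerShell
#    counterpart of /passwordd:* in the netdom syntax. The password never
#    appears in the script, the command line or the PowerShell history.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"

# 5. Rename and join in a single operation. -Restart performs the reboot that
#    netdom renamecomputer otherwise requires you to do with shutdown /r.
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

After the reboot, Get-NetIPConfiguration and (Get-WmiObject Win32_ComputerSystem).Domain confirm the address and the domain membership.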

81/1537

Converting between GUI and Server Core

In Windows Server 2012 R2, you can convert a computer installed with the full GUI option to Server Core and add the full GUI to a Server Core computer. This is a major improvement in the usefulness of Server Core over the version in Windows Server 2008 R2, in which you can only change the interface by reinstalling the entire operating system.

With this capability, administrators can install servers with the full GUI, use the graphical tools to perform the initial setup, and then convert them to Server Core to conserve system resources. If it later becomes necessary, it is possible to reinstall the GUI components.

To convert a full GUI installation of Windows Server 2012 R2 to Server Core by using Server Manager, you must run the Remove Roles And Features Wizard and uninstall the following features, as shown in Figure 1-6:

▪ Graphical Management Tools And Infrastructure

▪ Server Graphical Shell

Figure 1-6. Uninstalling features using the Remove Features page in Server Manager

To add the full GUI to a Server Core computer, you must use Windows PowerShell to install the same features you removed in the previous procedure. To convert a Windows Server 2012 R2 Server Core installation to the full GUI option, use the following Windows PowerShell command:

Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

To convert a full GUI server installation to Server Core, use the following command:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart
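The two commands above wrapped in functions that first report which interface level the server is running, as an added example that is not from the book. It assumes the ServerManager module that ships with Windows Server 2012 R2; the -Source value is a placeholder path to installation media.

```powershell
# Added example (not from the book): determine the interface level from the
# two GUI features, then convert in either direction with a result check.
$GuiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'

function Get-InterfaceLevel {
    # Both features installed = full GUI; only the management infrastructure
    # = Minimal Server Interface; neither = Server Core.
    $state = Get-WindowsFeature -Name $GuiFeatures
    $mgmt  = ($state | Where-Object Name -eq 'Server-Gui-Mgmt-Infra').Installed
    $shell = ($state | Where-Object Name -eq 'Server-Gui-Shell').Installed
    if ($shell -and $mgmt) { return 'Full GUI' }
    if ($mgmt)             { return 'Minimal Server Interface' }
    return 'Server Core'
}

function Convert-ToServerCore {
    # -RemovePayload adds -Remove, which also deletes the feature files from
    # WinSxS (Features on Demand). A later reinstall then needs -Source.
    param([switch]$RemovePayload)
    if ((Get-InterfaceLevel) -eq 'Server Core') {
        Write-Output 'Server is already running Server Core.'
        return
    }
    $params = @{ Name = $GuiFeatures; Restart = $true }
    if ($RemovePayload) { $params['Remove'] = $true }
    Uninstall-WindowsFeature @params
}

function Convert-ToFullGui {
    # $Source is required only when the payload was removed earlier. The
    # 'wim:<path>:<index>' form points at an image inside install.wim.
    param([string]$Source)
    if ((Get-InterfaceLevel) -eq 'Full GUI') {
        Write-Output 'Server already has the full GUI.'
        return
    }
    $params = @{ Name = $GuiFeatures; Restart = $true }
    if ($Source) { $params['Source'] = $Source }
    $result = Install-WindowsFeature @params
    if (-not $result.Success) {
        throw "GUI installation failed (exit code $($result.ExitCode)). " +
              "If the payload was removed, supply -Source."
    }
    $result
}

Get-InterfaceLevel    # reports the level the server is currently running
# Convert-ToServerCore -RemovePayload
# Convert-ToFullGui -Source 'wim:D:\sources\install.wim:4'   # placeholder path and index
```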

Configuring NIC teaming

NIC teaming is a feature in Windows Server 2012 R2 that enables administrators to combine the bandwidth of multiple network interface adapters, providing increased performance and fault tolerance. Virtualization enables administrators to separate vital network functions on different systems without having to purchase a separate physical computer for each one. However, one of the drawbacks of this practice is that a single server hosting multiple VMs is still a single point of failure for all of them. A single malfunctioning network adapter, a faulty switch, or even an unplugged cable can bring down a host server and all its VMs.

EXAM TIP

The objectives for the 70-410 exam specifically mention the use of the NIC teaming feature. Exam candidates should be familiar with this feature and its operation.

NIC teaming, also called bonding, balancing, and aggregation, is a technology that has been available for some time, but it was always tied to specific hardware implementations. The NIC teaming capability in Windows Server 2012 R2 is hardware independent and enables you to combine multiple physical network adapters into a single interface. The results can include increased performance by combining the throughput of the adapters and protection from adapter failures by dynamically moving all traffic to the functioning NICs.

NIC teaming in Windows Server 2012 R2 supports two modes:

▪ Switch Independent Mode. All the network adapters are connected to different switches, providing alternative routes through the network.

▪ Switch Dependent Mode. All the network adapters are connected to the same switch, providing a single interface with their combined bandwidth.

In Switch Independent Mode, you can choose between two configurations. The active/active configuration leaves all the network adapters functional, providing increased throughput. If one adapter fails, all the traffic is shunted to the remaining adapters. In the active/standby configuration, one adapter is left offline to function as a failover in the event the active adapter fails. In active/active mode, an adapter failure causes a performance reduction; in active/standby mode, the performance remains the same before and after an adapter failure.

In Switch Dependent Mode, you can choose static teaming, a generic mode that balances the traffic between the adapters in the team, or you can opt to use the Link Aggregation Control Protocol defined in IEEE 802.3ax, assuming that your equipment supports it.

In Windows Server 2012, there is one significant limitation to NIC teaming. If your traffic consists of large TCP sequences, such as a Hyper-V live migration, the system will avoid using multiple adapters for those sequences to minimize the number of lost and out-of-order TCP segments. You will therefore not realize any performance increase for large file transfers using TCP. In Windows Server 2012 R2, a new Dynamic Mode splits these large TCP sequences into smaller units and distributes them among the NICs on a team. This is now the default load-balancing mode in Windows Server 2012 R2.

You can create and manage NIC teams by using Server Manager or Windows PowerShell. To create a NIC team by using Server Manager, follow these steps.

1. In Server Manager, in the Properties tile, click NIC Teaming. The NIC Teaming window opens, as shown in Figure 1-7.

Figure 1-7. The NIC Teaming window in Server Manager

2. In the Teams tile, click Tasks and select New Team to open the New Team page.

3. Click the Additional Properties arrow to expand the window, as shown in Figure 1-8.

Figure 1-8. The New Team page in Server Manager

4. In the Team Name text box, type the name you want to assign to the team.

5. In the Member Adapters box, select the network adapters you want to add to the team.

6. In the Teaming Mode drop-down list, select one of the following options:

▪ Static Teaming

▪ Switch Independent

▪ LACP

7. In the Load Balancing Mode drop-down list, select one of the following options:

▪ Address Hash

▪ Hyper-V Port

▪ Dynamic

8. If you selected Switch Independent for the Teaming Mode value, use the Standby Adapter drop-down list to select one of the adapters to function as the offline standby.

9. Click OK. The new team is listed in the Teams tile, as shown in Figure 1-9.

Figure 1-9. The new NIC team in the NIC Teaming window in Server Manager

Once you have created a NIC team, the NIC Teaming window enables you to monitor the status of the team and the team interface you have created. The team itself and the individual adapters all have status indicators that inform you if an adapter goes offline.

If this occurs, the indicator for the faulty adapter immediately switches to disconnected, as shown in Figure 1-10, and depending on which teaming mode you chose, the status of the other adapter might also change.

Figure 1-10. A NIC team showing a failed adapter
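The same team built from Windows PowerShell with the NetLbfo cmdlets, as an added example that is not from the book: a Switch Independent team with the Windows Server 2012 R2 default Dynamic load balancing, one member held in standby (the active/standby configuration above), and a health check that mirrors the status indicators in the NIC Teaming window. The team and adapter names are constructed placeholders.

```powershell
# Added example (not from the book): create an active/standby NIC team and
# report its status. Adapter names are placeholders; list yours with Get-NetAdapter.
$TeamName = 'Team1'
$Members  = 'NIC1', 'NIC2'

function New-StandbyTeam {
    param([string]$Name, [string[]]$Adapters, [string]$Standby)
    # Fail early if any named adapter does not exist on this host.
    $missing = $Adapters | Where-Object {
        -not (Get-NetAdapter -Name $_ -ErrorAction SilentlyContinue)
    }
    if ($missing) { throw "Adapters not found: $($missing -join ', ')" }
    if ($Adapters -notcontains $Standby) { throw "Standby adapter must be a team member." }

    # Switch Independent is the only mode in which a standby member is allowed,
    # matching step 8 of the Server Manager procedure.
    New-NetLbfoTeam -Name $Name -TeamMembers $Adapters `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic `
        -Confirm:$false | Out-Null
    Set-NetLbfoTeamMember -Name $Standby -AdministrativeMode Standby -Confirm:$false
    Get-NetLbfoTeam -Name $Name
}

function Get-TeamHealth {
    # Equivalent of the team and adapter indicators in the NIC Teaming window:
    # the team reports Up, Degraded or Down; each member reports its own state.
    param([string]$Name)
    $team    = Get-NetLbfoTeam -Name $Name
    $members = Get-NetLbfoTeamMember -Team $Name
    [pscustomobject]@{
        Team       = $team.Name
        TeamStatus = $team.Status
        Mode       = $team.TeamingMode
        Balancing  = $team.LoadBalancingAlgorithm
        Members    = ($members | ForEach-Object {
                          "$($_.Name)=$($_.OperationalStatus)/$($_.AdministrativeMode)"
                      }) -join '; '
        Degraded   = ($team.Status -ne 'Up')
    }
}

New-StandbyTeam -Name $TeamName -Adapters $Members -Standby $Members[1]
Get-TeamHealth -Name $TeamName
```

Run Get-TeamHealth again after unplugging one member: the Members column shows that adapter as Failed and, in this configuration, the standby member takes over while TeamStatus stays Up.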

Using Server Manager

The Server Manager tool in Windows Server 2012 R2 is an application that is the most obvious evidence of a major paradigm shift in Windows Server administration. Prior to Windows Server 2012, an administrator who wanted to install a role by using graphical controls had to work at the server console by either physically sitting at the keyboard or by connecting to it by using Remote Desktop Services (formerly Terminal Services). In contrast, the Windows Server 2012 R2 Server Manager can install roles and features to any server on the network.

Adding servers

The primary difference between the Windows Server 2012 and Windows Server 2012 R2 Server Managers and previous versions is the ability to add and manage multiple servers at once. When you log on to a GUI installation of Windows Server 2012 R2 with an administrative account, Server Manager loads automatically, displaying the Welcome tile.

The Server Manager interface consists of a navigation pane on the left containing icons representing various views of server resources. Selecting an icon displays a home page in the right pane, which consists of a number of tiles containing information about the resource. The Dashboard page, which opens by default, contains, in addition to the Welcome tile, thumbnails that summarize the other views available in Server Manager, as shown in Figure 1-11. These other views include a page for the Local Server, one for All Servers, and others for server groups and role groups.

Figure 1-11. Dashboard thumbnails

Although only the local server appears in Server Manager when you first run it, you can add other servers, enabling you to manage them together. The servers you add can be physical or virtual and can be running any version of Windows Server since Windows Server 2003. After you add servers to the interface, you can create groups containing collections of servers, such as the servers at a particular office location or those performing a particular function. These groups appear in the navigation pane, enabling you to administer them as a single entity.

To add servers in Server Manager, use the following procedure.

1. Open Server Manager and, in the navigation pane, click All Servers. The All Servers home page opens, as shown in Figure 1-12.

Figure 1-12. The All Servers home page in Server Manager

2. From the Manage menu, select Add Servers. The Add Servers dialog box opens, as shown in Figure 1-13.

Figure 1-13. The Add Servers dialog box in Server Manager

3. Select one of the following tabs to specify how you want to locate servers to add:

▪ Active Directory. Enables you to search for computers running specific operating systems in specific locations in an Active Directory Domain Services domain

▪ DNS. Enables you to search for servers in your currently configured Domain Name System (DNS) server

▪ Import. Enables you to supply a text file containing the names of the servers you want to add

4. Initiate a search or upload a text file to display a list of available servers, as shown in Figure 1-14.

Figure 1-14. Searching for servers in Server Manager

5. Select the servers you want to add and click the right arrow button to add them to the Selected list.

6. Click OK. The servers you selected are added to the All Servers home page.

For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.

Adding roles and features

The Server Manager program in Windows Server 2012 R2 combines what used to be separate wizards for adding roles and features into one, the Add Roles And Features Wizard. Once you add multiple servers to the Server Manager interface, they are integrated into the Add Roles And Features Wizard, so you can deploy roles and features to any of your servers.

To install roles and features by using Server Manager, use the following procedure.

1. In Server Manager, from the Manage menu, select Add Roles And Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.

2. Click Next to open the Select Installation Type page, as shown in Figure 1-15.

Figure 1-15. Configuring the Select Installation Type page in the Add Roles And Features Wizard

3. Leave the Role-Based Or Feature-Based Installation option selected and click Next. The Select Destination Server page opens, as shown in Figure 1-16.

Figure 1-16. Configuring the Select Destination Server page in the Add Roles And Features Wizard

4. Select the server on which you want to install the roles or features. If the server pool contains a large number of servers, you can use the Filter text box to display a subset of the pool based on a text string. When you have selected the server, click Next. The Select Server Roles page opens, as shown in Figure 1-17.

Figure 1-17. The Select Server Roles page in the Add Roles And Features Wizard

INSTALLING COMPONENTS TO MULTIPLE SERVERS

Although you can use the Add Roles And Features Wizard to install components to any server you have added to Server Manager, you cannot use it to install components to multiple servers at once. You can, however, do this by using Windows PowerShell.

5. Select the role or roles you want to install on the selected server. If the roles you select have other roles or features as dependencies, an Add Features That Are Required dialog box opens.

SELECTING ALL ROLES AND FEATURES

Unlike earlier versions of Server Manager, the Windows Server 2012 R2 version enables you to select all the roles and features for a particular server configuration at once, rather than making you run the wizard multiple times.

6. Click Add Features to accept the dependencies and then click Next to open the Select Features page, as shown in Figure 1-18.

Figure 1-18. Configuring the Select Features page in the Add Roles And Features Wizard

7. Select any features you want to install in the selected server and click Next. Dependencies might appear for your feature selections.

8. The wizard then displays pages specific to the roles or features you have chosen. Most roles have a Select Role Services page, on which you can select which elements of the role you want to install. Complete each of the role-specific or feature-specific pages and click Next. A Confirm Installation Selections page opens.

9. You can select from the following optional functions:

▪ Restart The Destination Server Automatically If Desired. Causes the server to restart automatically when the installation is completed, if the selected roles and features require it

▪ Export Configuration Settings. Creates an XML script documenting the procedures performed by the wizard, which you can use to install the same configuration on another server by using Windows PowerShell

▪ Specify An Alternate Source Path. Specifies the location of an image file containing the software needed to install the selected roles and features. Use this option when you have previously deleted the source files from the system using Features on Demand.

10. Click Install to open the Installation Progress page. Depending on the roles and features installed, the wizard might display hyperlinks to the tools needed to perform required postinstallation tasks. When the installation is complete, click Close to complete the wizard.

USING AN EXPORTED CONFIGURATION FILE

To use an exported configuration file to install roles and features on another computer running Windows Server 2012 R2, use the following command in a Windows PowerShell session with elevated privileges:

Install-WindowsFeature -ConfigurationFilePath <ExportedConfig.xml>

Once you install roles on your servers, the roles appear as icons in Server Manager’s navigation pane. These icons actually represent role groups. Each role group contains all the instances of that role found on any of your added servers. You can therefore administer the role across all of the servers on which you have installed it.

116/1537

Deploying roles to VHDs

In addition to installing roles and features to servers on the network, Server Manager also enables administrators to install them to VMs that are currently in an offline state. For example, you might have an offline web server VM stored on a backup host server, in case the computer hosting your main web server VMs should fail. Server Manager enables you to select a virtual hard disk (VHD) file and install or remove roles and features without having to deploy the VM.

To install roles or features to an offline VHD file, use the following procedure.

1. In Server Manager, from the Manage menu, select Add Roles and Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.

2. Click Next to open the Select Installation Type page.

3. Leave the Role-Based Or Feature-Based Installation option selected and click Next. The Select Destination Server page opens.

4. Select the Select A Virtual Hard Disk option. A Virtual Hard Disk text box appears at the bottom of the page.

5. In the Virtual Hard Disk text box, type or browse to the location of the VHD file you want to modify.

6. In the Server Pool box, select the server that the wizard should use to mount the VHD file, as shown in Figure 1-19, and click Next. The Select Server Roles page opens.

Figure 1-19. Configuring the Select Destination Server page in the Add Roles And Features Wizard

WHAT IT MEANS TO MOUNT THE VHD FILE

The wizard must mount the VHD file on the server you select to look inside and determine which roles and features are already installed and which are available for installation. Mounting a VHD file only makes it available through the computer’s file system; it is not the same as starting the VM by using the VHD.

7. Select the role or roles you want to install on the selected server, adding the required dependencies if necessary, and click Next. The Select Features page opens.

8. Select any features you want to install on the selected server and click Next. Dependencies might appear for your feature selections.

9. The wizard then displays pages specific to the roles or features you have chosen, enabling you to select role services and configure other settings. Complete each of the role-specific or feature-specific pages and click Next. A Confirmation page opens.

10. Click Install. The Installation Progress page opens. When the installation is complete, click Close to dismount the VHD and complete the wizard.
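The two things the wizard cannot do in one pass, installing to multiple servers at once and installing the same exported configuration into an offline VHD, done with Install-WindowsFeature, as an added example that is not from the book. It assumes an XML file exported by the wizard's Export Configuration Settings option; the file path, server names, VHD path and mount host are constructed placeholders.

```powershell
# Added example (not from the book): apply one exported configuration file to
# several live servers, then to an offline VHD mounted by a chosen host.
$ConfigFile = 'C:\Deploy\DeploymentConfigTemplate.xml'   # placeholder export path
$Servers    = 'WEB01', 'WEB02', 'WEB03'                   # placeholder names
$VhdPath    = '\\HOST01\Images\WebServer.vhdx'            # placeholder offline disk
$MountHost  = 'HOST01'                                    # host that mounts the VHD

function Install-FeaturesFromTemplate {
    param([string]$Path, [string[]]$ComputerName, [string]$Vhd)
    if (-not (Test-Path $Path)) { throw "Configuration file not found: $Path" }

    # -ComputerName takes one server per call, so loop and collect one
    # result object per target rather than relying on console output.
    foreach ($server in $ComputerName) {
        $target = if ($Vhd) { "$Vhd (mounted on $server)" } else { $server }
        $params = @{ ConfigurationFilePath = $Path; ComputerName = $server }
        if ($Vhd) { $params['Vhd'] = $Vhd }   # path must be reachable from $server
        try {
            $result = Install-WindowsFeature @params -ErrorAction Stop
            [pscustomobject]@{
                Target        = $target
                Success       = $result.Success
                RestartNeeded = $result.RestartNeeded      # No, Yes or Maybe
                Installed     = ($result.FeatureResult | ForEach-Object DisplayName) -join ', '
            }
        } catch {
            [pscustomobject]@{
                Target        = $target
                Success       = $false
                RestartNeeded = 'n/a'
                Installed     = $_.Exception.Message
            }
        }
    }
}

# Live servers: the roles and features in the template go onto each host.
Install-FeaturesFromTemplate -Path $ConfigFile -ComputerName $Servers |
    Format-Table -AutoSize

# Offline VHD: the same template is written into the disk image, which is
# mounted through the file system and never started.
Install-FeaturesFromTemplate -Path $ConfigFile -ComputerName $MountHost -Vhd $VhdPath |
    Format-Table -AutoSize
```

A target whose RestartNeeded column reads Yes still has to be rebooted (for the live servers, add -Restart to the splat if that is acceptable); the VHD target needs no restart because nothing is running from it.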

Configuring services

Most Windows Server roles and many of the features include services, which are programs that run continuously in the background, typically waiting for a client process to send a request to them. Server Manager provides access to services running on servers all over the network.

When you first look at the Local Server home page in Server Manager, one of the tiles you find there is the Services tile, shown in Figure 1-20. This tile lists all the services installed on the server and specifies their operational status and their Start Type. When you right-click a service, the shortcut menu provides controls that enable you to start, stop, restart, pause, and resume the service.

Figure 1-20. The Services tile in Server Manager

The Services tile in the Server Manager display is similar to the traditional Services snap-in for MMC found in previous versions of Windows Server. However, although you can start and stop a service in Server Manager, you cannot modify its Start Type, which specifies whether the service should start automatically with the operating system. To do that you must use the Services MMC snap-in or the Set-Service cmdlet in Windows PowerShell.

Another difference of the Services tile in Windows Server 2012 R2 Server Manager is that this tile appears in many locations throughout Server Manager and in each place it displays a list of services for a different context. This is a good example of the organizational principle of the new Server Manager. The same tools, repeated in many places, provide a consistent management interface to different sets of components.

For example, when you select the All Servers icon in the navigation pane, you first see the Servers tile, as usual, containing all the servers you have added to the Server Manager console. When you select some or all of the servers and scroll down to the Services tile, you see the same display as before, but now it contains all the services for all the computers you selected. This enables you to monitor the services on all the servers at once.

In the same way, when you select one of the role group icons, you can select from the servers running that role and the Services tile will contain only the services associated with that role for the servers you selected.

To manipulate other server configuration settings, you must use the Services snap-in for MMC as mentioned earlier. However, you can launch that, and many other snap-ins, by using Server Manager.

After selecting a server from the Servers pane in any group home page, click the Tools menu to display a list of the utilities and MMC snap-ins, including the Services snap-in. To manage a remote server with an MMC snap-in, you must manually connect it.
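The Start Type limitation described above is exactly the gap that Windows PowerShell fills. The following script is an added example, not code from the book: it inventories the start type and logon account of every service on several servers, flags the automatic-start services running as LocalSystem for review, and then disables one service remotely with Set-Service. The server names and the RemoteRegistry service name are assumed placeholders; Get-CimInstance is used for the audit because the Get-Service output in Windows PowerShell 4.0 does not expose the start type.

```powershell
# Added example, not from the book: audit and change service start types
# with Windows PowerShell, which the Server Manager Services tile cannot do.
# The server names and the service name are assumed placeholders.
$Servers = 'ServerA', 'ServerB'
$Service = 'RemoteRegistry'

# Audit: Win32_Service exposes StartMode (Auto, Manual, Disabled) and StartName,
# the account the service runs as. Querying the CIM class over WinRM works on
# Windows Server 2012 R2, where Get-Service output has no start type column.
$Inventory = Get-CimInstance -ClassName Win32_Service -ComputerName $Servers |
    Select-Object PSComputerName, Name, State, StartMode, StartName

# Automatic-start services running as LocalSystem are the usual review target
# when deciding what a server actually needs to run.
$Inventory |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
    Sort-Object PSComputerName, Name |
    Format-Table -AutoSize

# Change the start type on each target. Set-Service runs on the remote server
# through WinRM; -StartupType accepts Automatic, Manual, or Disabled.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Name)
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -ErrorAction SilentlyContinue
    # Return the resulting state so the caller can confirm the change
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode
} -ArgumentList $Service
```

Run it from a Windows PowerShell session that has WinRM access to the listed servers; the final Invoke-Command returns one row per server showing the service now stopped with a StartMode of Disabled.
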

Delegating server administration

As networks grow, so does the number of administrative tasks there are to perform on a regular basis, and so does the IT staff that is needed to perform them. Delegating administrative tasks to specific individuals is a natural part of enterprise server management, as is assigning those individuals the permissions they need—and only the permissions they need—to perform those tasks.

DELEGATING PRIVILEGES

For information on delegating printer privileges, see Objective 2.2, “Configure print and document services.” For information on delegating administrative control via Active Directory, see Objective 5.3, “Create and manage Active Directory groups and organizational units.”

On smaller networks with small IT staffs, it is not uncommon for task delegation to be informal and for everyone in the IT department to have full access to the entire network. However, on larger networks with larger IT staffs, this becomes increasingly impractical. For example, you might want the newly hired junior IT staffers to be able to create new user accounts but not be able to redesign your Active Directory tree or change the CEO’s password.

Delegation is the practice by which administrators grant other users a subset of the privileges that they possess. As such, delegation is as much a matter of restricting permissions as it is of granting them. You want to provide individuals with the privileges they need while protecting sensitive information and delicate infrastructure.

Using Windows PowerShell Desired State Configuration (DSC)

Desired State Configuration (DSC) is the next phase in the development of Windows PowerShell, a process that began over a decade ago and first appeared as a Windows component in Windows PowerShell 1.0 (released in 2006). Windows Server 2012 expanded the functionality of Windows PowerShell by using the command line infrastructure as an underlayment for all of the new graphical capabilities in the operating system. Windows PowerShell 3.0 added thousands of new cmdlets, making it possible to use the command line to accomplish any task you might otherwise perform in Server Manager.

In Windows PowerShell 4.0, DSC provides a new scripting model that enables administrators to create modules called configurations, which consist of nodes representing computers and resources that define elements that administrators want to define as part of the configuration for a particular node.

For example, a relatively simple script to deploy a Web server might appear as follows:

    # $WebsitePath must be defined in the session before the configuration is
    # executed; DSC resolves variables when the MOF is compiled, not on the node.
    Configuration CompanyWeb
    {
        Node "ServerB"
        {
            # Install the Web Server (IIS) role on the node
            WindowsFeature InstallIIS
            {
                Ensure = "Present"
                Name   = "Web-Server"
            }

            # Copy the website content into the IIS root once IIS is present
            File CopyWebSite
            {
                Ensure          = "Present"
                Type            = "Directory"
                Recurse         = $true
                SourcePath      = $WebsitePath
                DestinationPath = "C:\inetpub\wwwroot"
                # DependsOn is the DSC property that orders resources;
                # it makes the copy wait until InstallIIS has been applied
                DependsOn       = "[WindowsFeature]InstallIIS"
            }
        }
    }

In this script, the Node block identifies the computer to be configured and the WindowsFeature and File blocks are both built-in resources that you can use to define the configuration you want to deploy. The WindowsFeature block specifies that the configuration must install the Web-Server role, and the File block copies the content files for a website to the node from a location defined by the $WebsitePath variable. DSC includes many other built-in resources that you can use to define more complex configuration elements, such as system services, registry settings, environment variables, and user and group accounts. It is also possible for administrators to create their own custom resources.

Once you have created a configuration script, you can deploy it by executing the defined configuration name—in this case CompanyWeb—from a Windows PowerShell prompt.

In large enterprise deployments, administrators can create a centralized DSC server by installing the PowerShell Desired State Configuration Service, a Windows PowerShell feature that uses the Internet Information Services Web server to deploy configuration logic and data to nodes all over the network. After storing DSC configuration scripts on the server, administrators can configure nodes to check periodically for changes in their configurations or configure the server to push new configurations to nodes as needed.
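The deployment step the text summarizes has two distinct parts: executing the configuration name compiles a MOF file, and Start-DscConfiguration pushes that MOF to the node. The following script is an added example, not code from the book, showing the full sequence for the CompanyWeb configuration together with the checks an administrator runs afterwards. It assumes the configuration above is saved as CompanyWeb.ps1 in the current directory, and the share path used for $WebsitePath is a placeholder.

```powershell
# Added example, not from the book: compile, push and verify the CompanyWeb
# configuration. The script path and the content share are assumed values.

# List the built-in resources mentioned above (WindowsFeature, File, Service,
# Registry, Environment, User, Group, ...) and the properties each accepts.
Get-DscResource | Select-Object Name, Module, Properties | Format-Table -AutoSize

# The configuration refers to $WebsitePath, so define it before compiling.
$WebsitePath = '\\FileServer\WebContent\CompanyWeb'

# Dot-source the script so the CompanyWeb configuration is declared in this
# session, then execute it. Executing a configuration does not touch the node;
# it writes one MOF per Node block (here .\CompanyWeb\ServerB.mof).
. .\CompanyWeb.ps1
CompanyWeb -OutputPath .\CompanyWeb

# Push the compiled MOF to ServerB over WinRM. -Wait blocks until the Local
# Configuration Manager finishes; -Verbose shows each resource's Test and Set.
Start-DscConfiguration -Path .\CompanyWeb -ComputerName ServerB -Wait -Verbose

# Verify: Test-DscConfiguration returns $true only when every resource on the
# node is in its desired state, which is the quick drift check to schedule.
Test-DscConfiguration -CimSession ServerB

# Inspect the current values the node reports for each resource.
Get-DscConfiguration -CimSession ServerB
```

If Test-DscConfiguration later returns $false, rerunning Start-DscConfiguration with the same MOF reapplies only the resources that drifted, which is the behaviour the pull and push modes described above rely on.
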

THOUGHT EXPERIMENT: CONFIGURING SERVER CORE USING WINDOWS POWERSHELL

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the Answers section at the end of this chapter.

Deepak is an IT technician who has been assigned the task of configuring a new server running Windows Server 2012 R2 Server Core, called ServerA, which is to be shipped out to the company’s branch office. The server must be configured to function as a file server with support for the Distributed File System (DFS), a print server with support for Internet printing, and a secured intranet web/FTP server for domain users.

With this in mind, answer the following questions.

1. What Windows PowerShell command should Deepak use to install the required roles on the servers?

2. What Windows PowerShell command can Deepak use to obtain the short names for the roles used by Windows PowerShell?

3. List the commands that Deepak must run on the new server to install the required modules.

Objective summary

▪ Server Manager is designed to enable administrators to fully manage Windows servers without ever having to interact directly with the server console, either physically or remotely.

▪ There are some tasks that administrators might have to perform immediately after the operating system installation that require direct access to the server console.

▪ If you selected the Server Core option when installing Windows Server 2012 R2, you can perform postinstallation tasks from the command line.

▪ In Windows Server 2012 R2, the Properties tile in Server Manager provides the same functionality as the Initial Configuration Tasks window in previous versions.

▪ In Windows Server 2012 R2, you can convert a computer installed with the full GUI option to Server Core and add the full GUI to a Server Core computer.

▪ NIC teaming is a new feature in Windows Server 2012 R2 that enables administrators to combine the bandwidth of multiple network interface adapters, providing increased performance and fault tolerance.

▪ For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.

▪ In addition to installing roles and features to servers on the network, Server Manager enables administrators to install them to VMs that are currently in an offline state.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which features must be removed from a full GUI installation of Windows Server 2012 R2 in order to convert it to a Server Core installation? (Choose all that apply.)

a. Windows Management Instrumentation (WMI)

b. Graphical Management Tools and Infrastructure

c. Desktop Experience

d. Server Graphical Shell

2. Which of the following NIC teaming modes provides fault tolerance and bandwidth aggregation?

a. Hyper-V live migration

b. Switch Independent Mode

c. Switch Dependent Mode

d. Link Aggregation Control Protocol

3. Which of the following command-line tools are used to join a computer to a domain?

a. Net.exe

b. Netsh.exe

c. Netdom.exe

d. Ipconfig.exe

4. Which of the following statements about Server Manager is not true?

a. Server Manager can deploy roles to multiple servers at the same time.

b. Server Manager can deploy roles to VHDs while they are offline.

c. Server Manager can install roles and features at the same time.

d. Server Manager can install roles and features to any Windows Server 2012 R2 server on the network.

5. Which of the following operations can you not perform on a service by using Server Manager? (Choose all that apply.)

a. Stop a running service

b. Start a stopped service

c. Disable a service

d. Configure a service to start when the computer starts

Objective 1.3: Configure local storage

Although Windows Server 2012 R2 is designed to take advantage of remote storage and cloud computing, the configuration of local storage remains an important consideration.

NOTE

This objective covers how to:

▪ Design storage spaces

▪ Configure basic and dynamic disks

▪ Configure MBR and GPT disks

▪ Manage volumes

▪ Create and mount virtual hard disks (VHDs)

▪ Configure storage pools and disk pools

▪ Create storage pools by using disk enclosures

Planning server storage

A Windows server can conceivably perform its tasks using the same type of storage as a workstation; that is, one or more standard hard disks connected to a standard drive interface such as Serial ATA (SATA). However, the I/O burdens of a server are different from those of a workstation; a standard storage subsystem can easily be overwhelmed by file requests from dozens or hundreds of users. In addition, standard hard disks offer no fault tolerance and are limited in their scalability.

A variety of storage technologies are better suited for server use. The process of designing a storage solution for a server depends on several factors, including the following:

▪ The amount of storage the server needs

▪ The number of users who will be accessing the server at the same time

▪ The sensitivity of the data to be stored on the server

▪ The importance of the data to the organization

The following sections examine these factors and the technologies you can choose when creating a plan for your network storage solutions.

How many servers do I need?

When is one big file server preferable to several smaller ones? This is one of the most frequently asked questions when planning a server deployment. In the past, you might have considered the advantages and disadvantages of using one server to perform several roles versus distributing the roles among several smaller servers. Today, however, the emphasis is on virtualization, which means that although you might have many VMs running different roles, they could all be running on a single large physical server.

If you are considering large physical servers or if your organization’s storage requirements are extremely large, you must also consider the inherent storage limitations of Windows Server 2012 R2.

The number of sites your enterprise network encompasses and the technologies you use to provide network communication among those sites can also affect your plans. If, for example, your organization has branch offices scattered around the world and uses relatively expensive wide area network (WAN) links to connect them, it would probably be more economical to install a server at each location than to have all your users access a single server by using the WAN links.

Within each site, the number of servers you need can depend on how often your users work with the same resources and how much fault tolerance and high availability you want to build into the system. For example, if each department in your organization typically works with its own applications and documents and rarely needs access to those of other departments, deploying individual servers to each department might be preferable. If everyone in your organization works with the same set of resources, centralized servers might be a better choice.

Estimating storage requirements

The amount of storage space you need in a server depends on a variety of factors, not just the initial requirements of your applications and users. In the case of an application server, start by allocating the amount of space needed for the application files themselves plus any other space the application needs, as recommended by the developer. If users will be storing documents on the server, then allocate a specific amount of space for each user the server will support. Then factor in the potential growth of your organization and your network, both in terms of additional users and additional space required by each user and of data files and updates to the application itself.

Using Storage Spaces

Windows Server 2012 R2 includes a disk virtualization technology called Storage Spaces, which enables a server to concatenate storage space from individual physical disks and allocate that space to create virtual disks of any size supported by the hardware.

This type of virtualization is a feature often found in SAN and network attached storage (NAS) technologies, which require a substantial investment in specialized hardware and administrative skill. Storage Spaces provides similar capabilities by using standard direct-attached disk drives or simple external “Just a Bunch of Disks” (JBOD) arrays.

Storage Spaces uses unallocated disk space on server drives to create storage pools. A storage pool can span multiple drives invisibly, providing an accumulated storage resource that administrators can expand or reduce as needed by adding disks to or removing them from the pool. By using the space in the pool, administrators can create virtual disks of any size.

Once created, a virtual disk behaves just like a physical disk, except that the actual bits might be stored on any number of physical drives in the system. Virtual disks can also provide fault tolerance by using the physical disks in the storage pool to hold mirrored or parity data.

After creating a virtual disk, you can create volumes on it just as you would on a physical disk. Server Manager provides the tools you need to create and manage storage pools and virtual disks and provides you with the ability to create volumes and file system shares, with some limitations.

Understanding Windows disk settings

When you install Windows Server 2012 R2 on a computer, the setup program automatically performs all the preparation tasks for the primary hard disk in the system. However, when you install additional hard disk drives on a server, or when you want to use settings that differ from the system defaults, you must perform the following tasks manually:

▪ Select a partitioning style. Windows Server 2012 R2 supports two hard disk partition styles: the master boot record (MBR) partition style and the GUID (globally unique identifier) partition table (GPT) partition style. You must choose one of these partition styles for a drive; you cannot use both.

▪ Select a disk type. Windows Server 2012 R2 supports two disk types: the basic disk type and the dynamic disk type. You cannot use both types on the same disk drive, but you can mix disk types in the same computer.

▪ Divide the disk into partitions or volumes. Although many professionals use the terms partition and volume interchangeably, it is correct to refer to partitions on basic disks and volumes on dynamic disks.

▪ Format the partitions or volumes with a file system. Windows Server 2012 R2 supports the NTFS file system, the FAT file system (including the FAT16, FAT32, and exFAT variants), and the new ReFS file system (covered later in this chapter, in the Understanding file systems section).

The following sections examine the options for each of these tasks.

Selecting a partition style

The term partition style refers to the method that Windows operating systems use to organize partitions on the disk. Servers running Windows Server 2012 R2 can use either of the following two hard disk partition styles:

▪ MBR. The MBR partition style has been around since before Windows and is still a common partition style for x86-based and x64-based computers.

▪ GPT. GPT has existed since the late 1990s, but no x86 version of Windows prior to Windows Server 2008 and Windows Vista supports it. Today, most operating systems support GPT, including Windows Server 2012 R2.

Before Windows Server 2008 and Windows Vista, all x86-based Windows computers used only the MBR partition style. Computers based on the x64 platform could use either the MBR or GPT partition style, as long as the GPT disk was not the boot disk.

Unless the computer’s architecture provides support for an Extensible Firmware Interface (EFI)–based boot partition, it is not possible to boot from a GPT disk. If this is the case, the system drive must be an MBR disk and you can use GPT only on separate nonbootable disks for data storage.

When you use Server Manager to initialize a disk in Windows Server 2012 R2, it uses the GPT partition style, whether it is a physical or a virtual disk. There are no controls in Server Manager supporting MBR, although it displays the partition style in the Disks tile.

Understanding disk types

Most personal computers use basic disks because they are the easiest to manage. Advanced volume types require the use of dynamic disks. A basic disk using the MBR partition style organizes data by using primary partitions, extended partitions, and logical drives. A primary partition appears to the operating system as though it is a physically separate disk and can host an operating system, in which case it is known as the active partition.

When you work with basic MBR disks in Windows Server 2012 R2 using the Disk Management snap-in, you can create three volumes that take the form of primary partitions. When you create the fourth volume, the system creates an extended partition, with a logical drive on it, of the size you specified. If there is free space left on the disk, the system allocates it to the extended partition, as shown in Figure 1-21, where you can use it to create additional logical drives.

Figure 1-21. Primary and extended partitions on a basic disk using MBR

When you select the GPT partition style, the disk still appears as a basic disk, but you can create up to 128 volumes, each of which appears as a primary partition, as shown in Figure 1-22. There are no extended partitions or logical drives on GPT disks.

Figure 1-22. Primary partitions on a basic disk using GPT

The alternative to using a basic disk is to convert it to a dynamic disk. The process of converting a basic disk to a dynamic disk creates a single partition that occupies the entire disk. You can then create an unlimited number of volumes out of the space in that partition. Dynamic disks support several different types of volumes, as described in the next section.

Understanding volume types

A dynamic disk can contain an unlimited number of volumes that function much like primary partitions on a basic disk, but you cannot mark an existing dynamic disk as active. When you create a volume on a dynamic disk by using the Disk Management snap-in in Windows Server 2012 R2, you choose from the following five volume types:

▪ Simple volume. Consists of space from a single disk. After you have created a simple volume, you can extend it to multiple disks to create a spanned or striped volume, as long as it is not a system volume or boot volume. You can also extend a simple volume into any adjacent unallocated space on the same disk or, with some limitations, shrink the volume by deallocating any unused space in the volume.

▪ Spanned volume. Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. A spanned volume is essentially a method for combining the space from multiple dynamic disks into a single large volume. Windows Server 2012 R2 writes to the spanned volume by filling all the space on the first disk and then filling each of the additional disks in turn. You can extend a spanned volume at any time by adding disk space. Creating a spanned volume does not increase the disk’s read/write performance or provide fault tolerance. In fact, if a single physical disk in the spanned volume fails, all the data in the entire volume is lost.

▪ Striped volume. Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. The difference between a striped volume and a spanned volume is that in a striped volume, the system writes data one stripe at a time to each successive disk in the volume. Striping provides improved performance because each disk drive in the array has time to seek the location of its next stripe while the other drives are writing. Striped volumes do not provide fault tolerance, however, and you cannot extend them after creation. If a single physical disk in the striped volume fails, all the data in the entire volume is lost.

▪ Mirrored volume. Consists of an identical amount of space on two physical disks, both of which must be dynamic disks. The system performs all read and write operations on both disks simultaneously so they contain duplicate copies of all data stored on the volume. If one disk fails, the other continues to provide access to the volume until the failed disk is repaired or replaced.

▪ RAID-5 volume. Consists of space on three or more physical disks, all of which must be dynamic. The system stripes data and parity information across all the disks so that if one physical disk fails, the missing data can be re-created by using the parity information on the other disks. RAID-5 volumes provide improved read performance because of the disk striping, but write performance suffers due to the need for parity calculations.

Understanding file systems

To organize and store data or programs on a hard drive, you must install a file system. A file system is the underlying disk drive structure that enables you to store information on your computer. You install file systems by formatting a partition or volume on the hard disk.

In Windows Server 2012 R2, five file system options are available:

▪ NTFS

▪ FAT32

▪ exFAT

▪ FAT (also known as FAT16)

▪ ReFS

NTFS is the preferred file system for a server; the main benefits are improved support for larger hard drives than FAT and better security in the form of encryption and permissions that restrict access by unauthorized users.

Because the FAT file systems lack the security that NTFS provides, any user who gains access to your computer can read any file without restriction. Additionally, FAT file systems have disk size limitations: FAT32 cannot handle a partition greater than 32 GB or a file greater than 4 GB. FAT cannot handle a hard disk greater than 4 GB or a file greater than 2 GB. Because of these limitations, the only viable reason for using FAT16 or FAT32 is the need to dual boot the computer with a non-Windows operating system or a previous version of Windows that does not support NTFS, which is not a likely configuration for a server.

ReFS is a new file system first appearing in Windows Server 2012 R2 that offers practically unlimited file and directory sizes and increased resiliency that eliminates the need for error-checking tools, such as Chkdsk.exe. However, ReFS does not include support for NTFS features such as file compression, Encrypted File System (EFS), and disk quotas. ReFS disks also cannot be read by any operating systems older than Windows Server 2012 and Windows 8.

Working with disks

Windows Server 2012 R2 includes tools that enable you to manage disks graphically or from the command prompt. All Windows Server 2012 R2 installations include the File and Storage Services role, which causes Server Manager to display a menu when you click the icon in the navigation pane, as shown in Figure 1-23. This menu provides access to home pages that enable administrators to manage volumes, disks, storage pools, shares, and iSCSI devices.

Figure 1-23. Using the File and Storage Services menu in Server Manager

Server Manager is the only graphical tool that can manage storage pools and create virtual disks. It can also perform some—but not all—of the standard disk and volume management operations on physical disks. Like the other Server Manager home pages, the File and Storage Services pages enable you to perform tasks on any servers you have added to the interface.

Disk Management is an MMC snap-in that is the traditional tool for performing disk-related tasks. To access the Disk Management snap-in, open the Computer Management console and select Disk Management.

You can also manage disks and volumes from the command line by using the DiskPart.exe utility.

Adding a new physical disk

When you add a new hard disk to a Windows Server 2012 R2 computer, you must initialize the disk before you can access its storage. To add a new secondary disk, shut down the computer and install or attach the new physical disk per the manufacturer’s instructions. A newly added physical disk is listed in Server Manager in the Disks tile, as shown in Figure 1-24, with a status of Offline and an unknown partition style.

Figure 1-24. A newly added physical disk in Server Manager

To make the disk accessible, you must first bring it online by right-clicking it in the Disks tile and, from the shortcut menu, selecting Bring Online. After you confirm your action and the disk status changes to Online, right-click it and select Initialize.

Unlike the Disk Management snap-in, Server Manager does not allow you to choose the partition style for the disk. A Task Progress window opens; when the process is completed, click Close. The disk then appears in the list with a partition style of GPT.

You can convert a disk from one partition style to another at any time using Disk Management by right-clicking the disk you need to convert and then, from the shortcut menu, selecting Convert To GPT Disk or Convert To MBR Disk. However, be aware that converting the disk partition style is a destructive process. You can perform the conversion only on an unallocated disk, so if the disk you want to convert contains data, you must back up the disk and then delete all existing partitions or volumes before you begin the conversion.

Creating and mounting virtual hard disks (VHDs)

Hyper-V relies on the virtual hard disk (VHD or VHDX) format to store virtual disk data in files that can easily be transferred from one computer to another. The Disk Management snap-in in Windows Server 2012 R2 enables you to create VHD and VHDX files and mount them on the computer. Once they are mounted, you can treat them just like physical disks and use them to store data. When dismounting a VHD or VHDX, the stored data is packaged in the file so you can copy or move it as needed.

To create a VHD in Disk Management, use the following procedure.

1. In Server Manager, click Tools, Computer Management. The Computer Management console opens.

2. Click Disk Management to open the Disk Management snap-in.

3. From the Action menu, select Create VHD. The Create And Attach Virtual Hard Disk dialog box opens, as shown in Figure 1-25.

Figure 1-25. Configuring the Create And Attach Virtual Hard Disk settings

4. In the Location text box, type the path and file name for the file you want to create.

5. In the Virtual Hard Disk Size box, type the maximum size of the disk you want to create.

6. Select one of the following Virtual Hard Disk Format options:

▪ VHD. The original and more compatible format, which supports files of up to 2,040 GB

▪ VHDX. A new version of the format that supports files of up to 64 TB but can be read only by computers running Windows Server 2012 and Windows Server 2012 R2

7. Select one of the following Virtual Hard Disk Type options:

▪ Fixed Size (Recommended). Allocates all the disk space for the VHD/VHDX file at once

▪ Dynamically Expanding. Allocates disk space to the VHD/VHDX file as you add data to the virtual hard disk

8. Click OK. The system creates the VHD or VHDX file and attaches it so that it appears as a disk in the snap-in.

Once you have created and attached the VHD or VHDX file, it appears as an uninitialized disk in the Disk Management snap-in and in Server Manager. By using either tool, you can initialize the disk and create volumes on it, just as you would a physical disk. After storing data on the volumes, you can detach the VHD or VHDX file and move it to another location or mount it on a Hyper-V VM.
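The create, attach, initialize, partition and detach steps above, together with the disk initialization described in the Adding a new physical disk section, can all be scripted. The following is an added example, not code from the book: it assumes the Hyper-V PowerShell module is installed (New-VHD, Mount-VHD, Get-VHD and Dismount-VHD come from it), uses the Storage module cmdlets Initialize-Disk, New-Partition and Format-Volume for the part that applies equally to a physical disk, and treats the file path, size and volume label as placeholder values.

```powershell
# Added example, not from the book: create a VHDX, attach it, initialize it with
# the GPT partition style, format it, and detach it again.
# Requires the Hyper-V and Storage modules; the path, size and label are assumed.
$VhdPath = 'D:\VHDs\Data01.vhdx'

# Dynamically expanding VHDX with a 64 GB maximum (the "Dynamically Expanding"
# option in the dialog box); -Fixed instead of -Dynamic gives "Fixed Size".
New-VHD -Path $VhdPath -SizeBytes 64GB -Dynamic | Out-Null

# Attach the file and pipe the resulting raw disk through the same steps used
# for a new physical disk: initialize (GPT), create one partition, format NTFS.
$Volume = Mount-VHD -Path $VhdPath -Passthru |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data01' -Confirm:$false

"Mounted as $($Volume.DriveLetter): ($($Volume.FileSystem), $([math]::Round($Volume.Size / 1GB)) GB)"

# While attached, the VHD is listed like any other disk. Get-VHD reports the
# disk number the file received, so its partition style and status can be read.
$DiskNumber = (Get-VHD -Path $VhdPath).DiskNumber
Get-Disk -Number $DiskNumber |
    Select-Object Number, FriendlyName, PartitionStyle, OperationalStatus, BusType

# Detach the file so the volume, and everything stored on it, can be copied,
# moved, or attached to a Hyper-V VM.
Dismount-VHD -Path $VhdPath
```

For a physical disk that Server Manager shows as Offline with an unknown partition style, the middle pipeline is the relevant part: Get-Disk -Number N | Set-Disk -IsOffline $false, then Initialize-Disk -PartitionStyle GPT -PassThru and the partition and format steps as shown. Unlike Server Manager, Initialize-Disk also accepts -PartitionStyle MBR.
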

Creating a storage pool

Once you have installed your physical disks,you can concatenate their space into a storagepool, from which you can create virtual disksof any size.

To create a storage pool by using Server Man-ager, follow this procedure.

1. In Server Manager, click the File and St-orage Services icon and, in the menuthat opens, click Storage Pools. The St-orage Pools tile then opens, as shown inFigure 1-26.

170/1537

Figure 1-26. The Storage Pools tile

2. In the Storage Pools tile, select theprimordial space on the server whereyou want to create the pool and, fromthe Tasks menu, select New StoragePool. The New Storage Pool Wizardstarts, displaying the Before You Beginpage.

171/1537

3. Click Next. The Specify A Storage PoolName and Subsystem page opens, asshown in Figure 1-27.

Figure 1-27. The Specify A Storage PoolName and Subsystem page

4. In the Name text box, type the nameyou want to assign to the storage pool.

172/1537

Then select the server on which youwant to create the pool and click Next.The Select Physical Disks For the Stor-age Pool page opens, as shown in Fig-ure 1-28.

173/1537

Figure 1-28. The Select Physical DisksFor The Storage Pool page

THE WIZARD DISPLAYSELIGIBLE DISKS ONLY

The wizard displays only thedisks that are eligible for addi-tion to the pool. Disks thatalready have partitions orvolumes on them do not appear.

174/1537

5. Select the check boxes for the disks youwant to add to the pool and click Next toopen the Confirm Selections page.

6. Click Create. The wizard creates the newstorage pool and the View Results pageopens.

7. Click Close. The wizard closes and thenew pool appears on the Storage Poolstile, as shown in Figure 1-29.

175/1537

Figure 1-29. The new pool shown on theStorage Pools tile

8. Close the Server Manager window.

After you have created a storage pool, you canmodify its capacity by adding or removingphysical disks. The Tasks menu in the PhysicalDisks tile on the Storage Pools home page con-tains the following options:

▪ Add Physical Disk. Enables you to add aphysical disk to the pool as long as it is

176/1537

initialized and does not contain anyvolumes

▪ Remove Disk. Removes the spaceprovided by a physical disk from the stor-age pool. This option is available only if alldata has already been evicted from thedisk.

To create a new storage pool by using Windows PowerShell, you use the New-StoragePool cmdlet with the following basic syntax:

New-StoragePool -FriendlyName <pool name> -StorageSubSystemFriendlyName <subsystem name> -PhysicalDisks <CIM instances>

To obtain the correct designations for the storage subsystem and the physical disks, use the Get-StorageSubSystem and Get-PhysicalDisk cmdlets.

In addition to the required parameters, the New-StoragePool cmdlet also accepts the following options, which are not available in the wizard.

▪ -EnclosureAwareDefault. Specifies whether the storage pool is being created from disks housed in a disk enclosure that supports SCSI Enclosure Services. This enables the pool to use additional information provided by the enclosure, such as slot locations, to balance data storage among the hardware devices.

▪ -ProvisioningTypeDefault. Specifies the type of provisioning (Unknown, Fixed, or Thin) to be used for the creation of virtual disks from this pool.

▪ -ResiliencySettingNameDefault. Specifies the resiliency setting (Simple, Mirror, or Parity) that the system should use by default when creating virtual disks from the pool.

Creating virtual disks

After you have created a storage pool, you can use the space to create as many virtual disks as you need.

To create a virtual disk by using Server Manager, use the following procedure.

1. In Server Manager, click the File And Storage Services icon and, in the menu that opens, click Storage Pools. The Storage Pools home page opens.

2. Scroll down (if necessary) to expose the Virtual Disks tile and, from the Tasks menu, select New Virtual Disk. The New Virtual Disk Wizard opens, displaying the Before You Begin page.

3. Click Next to open the Select The Server And Storage Pool page.

4. Select the pool in which you want to create a virtual disk and click Next. The Specify The Virtual Disk Name page opens.

5. In the Name text box, type a name for the virtual disk and click Next. The Select The Storage Layout page opens, as shown in Figure 1-30.

Figure 1-30. The Select The Storage Layout page

6. Select one of the following layout options and click Next.

▪ Simple. Requires the pool to contain at least one physical disk and provides no fault tolerance. When more than one physical disk is available, the system stripes data across the disks.

▪ Mirror. Requires the pool to contain at least two physical disks and provides fault tolerance by storing identical copies of every file. Two physical disks provide protection against a single disk failure; five physical disks provide protection against two disk failures.

▪ Parity. Requires the pool to contain at least three physical disks and provides fault tolerance by striping parity information along with data.

DISK-LEVEL FAULT TOLERANCE

The fault tolerance built into Storage Spaces is provided at the disk level, not the volume level, as in the Disk Management snap-in. Theoretically, you can use Disk Management to create mirrored or RAID-5 volumes out of virtual disks, but this would defeat the purpose of creating them in the first place because the virtual disks might be located on the same physical disk.

7. The Specify The Provisioning Type page opens, as shown in Figure 1-31.

Figure 1-31. The Specify The Provisioning Type page

8. Select one of the following Provisioning Type options and click Next.

▪ Thin. The system allocates space from the storage pool to the disk as needed, up to the maximum specified size.

▪ Fixed. The system allocates the maximum specified amount of space to the disk immediately on creating it.

The Specify The Size Of The Virtual Disk page opens, as shown in Figure 1-32.

Figure 1-32. The Specify The Size Of The Virtual Disk page

9. In the Specify Size text box, specify the size of the disk you want to create and click Next. The Confirm Selections page opens.

10. Click Create. The View Results page opens as the wizard creates the disk.

11. Click Close. The wizard closes and the new disk opens in the Virtual Disks tile, as shown in Figure 1-33.

Figure 1-33. The new disk is shown in the Virtual Disks tile in Server Manager

12. Close the Server Manager window.

By default, the New Volume Wizard launches when you create a new virtual disk. At this point, the disk is a virtual equivalent of a newly installed physical disk. It contains nothing but unallocated space, and you must create at least one volume before you can store data on it.
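The Windows PowerShell counterpart of the storage pool, virtual disk, and volume wizards above, as an added example that is not the book's own code: it checks that the pool holds enough physical disks for the chosen layout before creating it, sets the resiliency on the virtual disk itself (rather than layering a RAID-5 volume over virtual disks in Disk Management, which the note above warns against), and then initializes and formats the disk. The pool name, disk name, size, and the wildcard used to find the Storage Spaces subsystem are assumptions.

```powershell
# Added example (not from the book): pool -> resilient virtual disk -> volume.
# Names, size and the subsystem wildcard below are assumptions for this example.
$PoolName = 'Pool1'
$DiskName = 'VDisk1'
$Layout   = 'Parity'                         # Simple, Mirror or Parity
$MinDisks = @{ Simple = 1; Mirror = 2; Parity = 3 }   # minimums stated in the text

# 1. Locate the Storage Spaces subsystem and the disks eligible for pooling.
#    CanPool is $false for disks that already hold partitions or volumes,
#    matching what the wizard hides on the Select Physical Disks page.
$subsystem  = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
$candidates = @(Get-PhysicalDisk -CanPool $true)

if ($candidates.Count -lt $MinDisks[$Layout]) {
    throw ("The $Layout layout needs at least $($MinDisks[$Layout]) physical disks; " +
           "only $($candidates.Count) are poolable.")
}

# 2. Create the pool. The two *Default parameters are the ones the wizard does
#    not expose; they become the defaults for virtual disks created later.
New-StoragePool -FriendlyName $PoolName `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $candidates `
    -ProvisioningTypeDefault Thin `
    -ResiliencySettingNameDefault $Layout | Out-Null

# 3. Create the virtual disk. Fault tolerance lives here, at the disk level.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName `
    -FriendlyName $DiskName `
    -ResiliencySettingName $Layout `
    -ProvisioningType Thin `
    -Size 500GB

# 4. Treat it like a newly installed physical disk: initialize, partition, format.
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $DiskName -Confirm:$false

# 5. Confirm the resiliency the disk actually has before trusting it with data.
Get-VirtualDisk -FriendlyName $DiskName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies,
                  PhysicalDiskRedundancy, HealthStatus
```

PhysicalDiskRedundancy in the final output is the number of physical disk failures the virtual disk can survive; a Simple layout reports 0, which is the situation the thought experiment at the end of this objective describes.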

Creating a simple volume

Technically speaking, you create partitions on basic disks and volumes on dynamic disks. This is not just an arbitrary difference in nomenclature. Converting a basic disk to a dynamic disk actually creates one big partition, occupying all the space on the disk. The volumes you create on the dynamic disk are logical divisions within that single partition.

Windows versions prior to 2008 use the correct terminology in the Disk Management snap-in. The menus enable you to create partitions on basic disks and volumes on dynamic disks. Windows Server 2012 R2 uses the term volume for both disk types and enables you to create any of the available volume types, whether the disk is basic or dynamic. If the volume type you select is not supported on a basic disk, the wizard converts it to a dynamic disk as part of the volume creation process.

Despite the menus that refer to basic partitions as volumes, the traditional rules for basic disks remain in effect. The New Simple Volume menu option on a basic disk creates up to three primary partitions. When you create a fourth volume, the wizard actually creates an extended partition and a logical drive of the size you specify. If there is any remaining space on the disk, you can create additional logical drives in the extended partition.

BE CAREFUL IF USING THE DISKPART.EXE UTILITY

When you use DiskPart.exe (a command-line utility included with Windows Server 2012 R2) to manage basic disks, you can create four primary partitions or three primary partitions and one extended partition. The DiskPart.exe utility contains a superset of the commands supported by the Disk Management snap-in. In other words, DiskPart can do everything Disk Management can do and more. However, whereas the Disk Management snap-in prevents you from unintentionally performing actions that might result in data loss, DiskPart has no safeties and thus does not prohibit you from performing such actions. For this reason, Microsoft recommends that only advanced users use DiskPart and that they use it with due caution.

To create a new simple volume on a basic or dynamic disk by using the Disk Management snap-in, use the following procedure.

1. In Server Manager, click Tools and click Computer Management. The Computer Management console opens.

2. Click Disk Management to launch the Disk Management snap-in.

3. In the Graphical View, right-click an unallocated area in the disk on which you want to create a volume and, from the shortcut menu, select New Simple Volume. The New Simple Volume Wizard starts.

4. Click Next to bypass the Welcome page. The Specify Volume Size page opens, as shown in Figure 1-34.

Figure 1-34. Configuring the Specify Volume Size page

5. Select the size for the new partition or volume, within the maximum and minimum limits stated on the page, by using the Simple Volume Size In MB spin box, and then click Next. The Assign Drive Letter Or Path page opens, as shown in Figure 1-35.

Figure 1-35. Configuring the Assign Drive Letter Or Path page

6. Configure one of the following three options:

▪ Assign The Following Drive Letter. If you select this option, click the associated drop-down list for a list of available drive letters and select the letter you want to assign to the drive.

▪ Mount In The Following Empty NTFS Folder. If you select this option, either type the path to an existing NTFS folder or click Browse to search for or create a new folder. The entire contents of the new drive will appear in the folder you specify.

▪ Do Not Assign A Drive Letter Or Drive Path. Select this option if you want to create the partition but are not yet ready to use it. When you do not assign a volume a drive letter or path, the drive is left unmounted and inaccessible. When you want to mount the drive for use, assign a drive letter or path to it.

7. Click Next to open the Format Partition page, as shown in Figure 1-36.

Figure 1-36. Configuring the Format Partition page

8. Specify whether the wizard should format the volume and if so, how. If you do not want to format the volume at this time, select the Do Not Format This Volume option. If you want to format the volume, select the Format This Volume With The Following Settings option, and then configure the associated options as follows.

▪ File System. Select the desired file system. The options available depend on the size of the volume and can include ReFS, NTFS, exFAT, FAT32, and FAT.

▪ Allocation Unit Size. Specify the file system's cluster size. The cluster size signifies the basic unit of bytes in which the system allocates disk space. The system calculates the default allocation unit size based on the size of the volume. You can override this value by clicking the associated drop-down list and then selecting one of the values. For example, if your client uses consistently small files, you might want to set the allocation unit size to a smaller cluster size.

▪ Volume Label. Specify a name for the partition or volume. The default name is New Volume, but you can change the name to anything you want.

▪ Perform A Quick Format. When this check box is selected, Windows formats the disk without checking for errors. This is a faster method to format the drive, but Microsoft does not recommend it. When you check for errors, the system looks for and marks bad sectors on the disk so that your clients will not use those portions of the disk.

▪ Enable File And Folder Compression. Selecting this check box turns on folder compression for the disk. This option is available only for volumes being formatted with the NTFS file system.

9. Click Next. The Completing The New Simple Volume Wizard page opens.

10. Review the settings to confirm your options and then click Finish. The wizard creates the volume according to your specifications.

11. Close the console containing the Disk Management snap-in.

This procedure can create volumes on physical or virtual disks. You can also create simple volumes by using a similar wizard in Server Manager. When you launch the New Volume Wizard in Server Manager, which you can do from the Volumes or Disks home page, the options the wizard presents are nearly identical to those in the New Simple Volume Wizard in Disk Management.

The primary difference is that, like all Server Manager wizards, the New Volume Wizard includes a page that enables you to select the server and the disk on which you want to create the volume, as shown in Figure 1-37. You can therefore use this wizard to create volumes on any disk on any of your servers.

Figure 1-37. The Select The Server And Disk page in the New Volume Wizard in Server Manager

Creating a striped, spanned, mirrored, or RAID-5 volume

The procedure for creating a striped, spanned, mirrored, or RAID-5 volume is almost the same as that for creating a simple volume, except that the Specify Volume Size page is replaced by the Select Disks page.

To create a striped, spanned, mirrored, or RAID-5 volume, use the following procedure.

1. In Server Manager, click Tools and click Computer Management. The Computer Management console opens.

2. Click Disk Management to open the Disk Management snap-in.

3. Right-click an unallocated area on a disk and then, from the shortcut menu, select the command for the type of volume you want to create. A New Volume Wizard starts, named for your selected volume type.

4. Click Next to bypass the Welcome page. The Select Disks page opens, as shown in Figure 1-38.

Figure 1-38. Configuring the Select Disks page

5. On the Select Disks page, select the disks you want to use for the new volume from the Available list box and then click Add. The disks you chose are moved to the Selected list box, joining the original disk you selected when launching the wizard. For a striped, spanned, or mirrored volume, you must have at least two disks in the Selected list; for a RAID-5 volume, you must have at least three.

6. Specify the amount of space you want to use on each disk by using the Select The Amount Of Space In MB spin box. Then click Next. The Assign Drive Letter Or Path page opens.

If you are creating a spanned volume, you must click each disk in the Selected list and specify the amount of space to use on that disk. The default value for each disk is the size of the unallocated space on that disk.

If you are creating a striped, mirrored, or RAID-5 volume, you specify only one value because these volumes require the same amount of space on each disk. The default value is the size of the unallocated space on the disk with the least free space.

7. Specify whether you want to assign a drive letter or path and then click Next. The Format Partition page opens.

8. Specify if or how you want to format the volume and then click Next. The Completing The New Simple Volume Wizard page opens.

9. Review the settings to confirm your options and then click Finish. If any of the disks you selected to create the volume are basic disks, a Disk Management message box opens, warning you that the volume creation process will convert the basic disks to dynamic disks.

10. Click Yes. The wizard creates the volume according to your specifications.

MORE INFO ADDITIONAL OPTIONS

See "Creating a simple volume" earlier in this chapter for more information about the options on the Assign Drive Letter Or Path and Format Partition pages.

11. Close the Disk Management snap-in.

The commands that appear in a disk's shortcut menu depend on the number of disks installed in the computer and the presence of unallocated space on them. For example, at least two disks with unallocated space must be available to create a striped, spanned, or mirrored volume, and at least three disks must be available to create a RAID-5 volume.

THOUGHT EXPERIMENT: USING STORAGE POOLS

In this thought experiment, apply what you've learned about this objective. You can find answers to these questions in the Answers section at the end of this chapter.

On a new server running Windows Server 2012 R2, Morris created a storage pool that consists of two physical drives holding 1 TB each. Then he created three simple virtual disks out of the space in the storage pool. Using the Disk Management snap-in, Morris then created a RAID-5 volume out of the three virtual disks.

With this in mind, answer the following questions.

1. In what way is Morris's storage plan ineffectual at providing fault tolerance?

2. Why will adding a third disk to the storage pool fail to improve the fault tolerance of the storage plan?

3. How can Morris modify the storage plan to make it fault tolerant?

Objective summary

▪ Windows Server 2012 R2 supports two hard disk partition types: MBR and GPT; two disk types: basic and dynamic; five volume types: simple, striped, spanned, mirrored, and RAID-5; and three file systems: ReFS, NTFS, and FAT.

▪ The Disk Management snap-in can initialize, partition, and format disks on the local machine. Server Manager can perform many of the same tasks for servers all over the network.

▪ Windows Server 2012 R2 includes a new disk virtualization technology called Storage Spaces, which enables a server to concatenate storage space from individual physical disks and allocate that space to create virtual disks of any size supported by the hardware.

▪ All Windows Server 2012 R2 installations include the File and Storage Services role, which causes Server Manager to display a menu when you click the icon in the navigation pane. This menu provides access to home pages that enable administrators to manage volumes, disks, storage pools, shares, and iSCSI devices.

▪ The Disk Management snap-in in Windows Server 2012 R2 enables you to create VHD files and mount them on the computer.

▪ Once you have installed your physical disks, you can concatenate their space into a storage pool, from which you can create virtual disks of any size. Once you have created a storage pool, you can use the space to create as many virtual disks as you need.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following statements are true of striped volumes? (Choose all that apply.)

a. Striped volumes provide enhanced performance over simple volumes.

b. Striped volumes provide greater fault tolerance than simple volumes.

c. You can extend striped volumes after creation.

d. If a single physical disk in the striped volume fails, all the data in the entire volume is lost.

2. Which of the following statements best describes the requirements for extending a volume on a dynamic disk? (Choose all that apply.)

a. If you want to extend a simple volume, you can use only the available space on the same disk if the volume is to remain simple.

b. The volume must have a file system (a raw volume) before you can extend a simple or spanned volume.

c. You can extend a simple or spanned volume if you formatted it by using the FAT or FAT32 file systems.

d. You can extend a simple volume across additional disks if it is not a system volume or a boot volume.

3. Which of the following volume types supported by Windows Server 2012 R2 provide fault tolerance? (Choose all that apply.)

a. Striped

b. Spanned

c. Mirrored

d. RAID-5

4. A JBOD drive array is an alternative to which of the following storage technologies?

a. SAN

b. SCSI

c. RAID

d. iSCSI

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 1.1: Thought experiment

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Remove

Objective 1.1: Review

1. Correct answer: B

a. Incorrect: Windows Server 2012 R2 cannot run on a 32-bit processor.

b. Correct: Windows Server 2012 R2 can run only on a 64-bit processor.

c. Incorrect: Windows Server 2012 R2 cannot run on a 32-bit processor.

d. Incorrect: Windows Server 2012 R2 cannot run on an Itanium processor.

2. Correct answer: B

a. Incorrect: You cannot upgrade any version of Windows Server 2003 Standard to Windows Server 2012 R2 Standard.

b. Correct: You can upgrade Windows Server 2008 Standard to Windows Server 2012 R2 Standard.

c. Incorrect: You cannot upgrade Windows Server 2008 R2 32-bit, or any 32-bit version, to Windows Server 2012 R2 64-bit.

d. Incorrect: You cannot upgrade Windows 7 Ultimate, or any workstation operating system, to Windows Server 2012 R2 Essentials.

3. Correct answer: A

a. Correct: Installing the Graphical Management Tools and Infrastructure module—and only that module—on a Server Core installation results in the Minimal Server Interface.

b. Incorrect: Installing the Server Graphical Shell with the Graphical Management Tools and Infrastructure converts a Server Core installation to the full GUI.

c. Incorrect: Windows PowerShell is a command-line interface that has no effect on the Minimal Server Installation.

d. Incorrect: MMC is one of the graphical applications available in the Minimal Server Installation, but you do not install it individually.

4. Correct answer: D

a. Incorrect: The Windows directory contains live operating system files, not the installation files.

b. Incorrect: The System32 directory contains live operating system files, not the installation files.

c. Incorrect: There is no bin directory associated with the Windows operating system.

d. Correct: Windows stores all the operating system installation modules in the WinSxS directory.

5. Correct answers: A, C

a. Correct: It is possible to convert a computer running Windows Server 2012 R2 between the Server Core and the Full GUI interface as needed.

b. Incorrect: The inclusion of additional cmdlets in Windows PowerShell 3.0 is not a benefit exclusive to Server Core.

c. Correct: Server Manager incorporates a server selection interface into many of its wizards.

d. Incorrect: There are no different licenses for Server Core and Full GUI versions of Windows Server 2012 R2.

Objective 1.2: Thought experiment

1. Install-WindowsFeature

2. Get-WindowsFeature

3. Install-WindowsFeature FS-FileServer

Install-WindowsFeature FS-DFS-Namespace

Install-WindowsFeature FS-DFS-Replication

Install-WindowsFeature FS-NFS-Service

Install-WindowsFeature Print-Internet -IncludeAllSubFeature

Install-WindowsFeature Web-Server

Install-WindowsFeature Web-Windows-Auth

Install-WindowsFeature Web-Ftp-Service

The Install-WindowsFeature FS-FileServer command is not necessary, as it installs as a dependency for DFS. The Install-WindowsFeature Web-Server and Install-WindowsFeature Web-Windows-Auth commands are not necessary, as they install as dependencies for Print-Internet.

Objective 1.2: Review

1. Correct answers: B, D

a. Incorrect: Windows Management Instrumentation (WMI) is a set of driver extensions often used with Windows PowerShell. You do not have to remove it to convert to a Server Core installation.

b. Correct: Removing the Graphical Management Tools and Infrastructure feature is required to convert to a Server Core installation.

c. Incorrect: Desktop Experience is not installed by default on a full GUI or a Server Core installation.

d. Correct: Server Graphical Shell provides support for the Windows graphical interface, including the desktop and File Explorer. You must remove it to convert to a Server Core installation.

2. Correct answer: B

a. Incorrect: Hyper-V live migration is not a NIC teaming mode.

b. Correct: In Switch Independent Mode, the NICs in the team are connected to different switches, providing alternate paths through the network.

c. Incorrect: In Switch Dependent Mode, the NICs in the team are connected to the same switches, providing link aggregation but no fault tolerance.

d. Incorrect: Link Aggregation Control Protocol is not a NIC teaming mode.

3. Correct answer: C

a. Incorrect: Net.exe is a Windows command-line tool that provides many different functions, but it cannot join a computer to a domain.

b. Incorrect: Netsh.exe is a network shell program that you can use to configure the network interface, but it cannot join a computer to a domain.

c. Correct: Netdom.exe is the Windows command-line domain manager application.

d. Incorrect: Ipconfig.exe can display network configuration settings and reset DHCP settings, but it cannot join a computer to a domain.

4. Correct answer: A

a. Correct: Server Manager cannot deploy roles to multiple servers at the same time.

b. Incorrect: Server Manager can mount offline VHD files and install roles and features to them.

c. Incorrect: Server Manager combines the role and feature installation processes into a single wizard.

d. Incorrect: Server Manager can install roles and features to any Windows Server 2012 R2 server on the network.

5. Correct answers: C, D

a. Incorrect: You can stop a running service by using Server Manager.

b. Incorrect: You can start a stopped service by using Server Manager.

c. Correct: You cannot disable a service by using Server Manager.

d. Correct: You cannot configure a service to start when the computer starts by using Server Manager.

Objective 1.3: Thought experiment

1. Morris has created a RAID-5 volume out of virtual disks created out of a storage pool that has only two physical disks in it. A RAID-5 volume can only provide fault tolerance by storing data on three physical disks.

2. Adding a third disk will not guarantee fault tolerance because there is no assurance that each of the three virtual disks exists on a separate individual disk.

3. To make the plan fault-tolerant, Morris should delete the three simple virtual disks and create one new virtual disk by using either the mirror or parity layout option.

Objective 1.3: Review

1. Correct answers: A, D

a. Correct: Striping provides improved performance because each disk drive in the array has time to seek the location of its next stripe while the other drives are writing.

b. Incorrect: Striped volumes do not contain redundant data and therefore do not provide fault tolerance.

c. Incorrect: Striped volumes cannot be extended after creation without destroying the data stored on them in the process.

d. Correct: If a single physical disk in the striped volume fails, all the data in the entire volume is lost.

2. Correct answers: A, D

a. Correct: When extending a simple volume, you can use only the available space on the same disk. If you extend the volume to another disk, it is no longer simple.

b. Incorrect: You can extend a simple or spanned volume, even if it does not have a file system (a raw volume).

c. Incorrect: You can extend a volume if you formatted it by using the NTFS file system. You cannot extend volumes by using the FAT or FAT32 file systems.

d. Correct: You can extend a simple volume across additional disks if it is not a system volume or a boot volume.

3. Correct answers: C, D

a. Incorrect: A striped volume spreads data among multiple disks, but it writes the data only once. Therefore, it does not provide fault tolerance.

b. Incorrect: A spanned volume uses space on multiple drives, but it writes the data only once. Therefore, it does not provide fault tolerance.

c. Correct: A mirrored volume writes duplicate copies of all data to two disks, thereby providing fault tolerance.

d. Correct: A RAID-5 volume writes data and parity information on multiple disks, thereby providing fault tolerance.

4. Correct answer: C

a. Incorrect: A SAN is a separate network dedicated to storage, and a JBOD is a drive array that can be installed on a SAN or on a standard network.

b. Incorrect: SCSI is a disk interface, not a type of drive array.

c. Correct: A JBOD array is an alternative to a RAID array that treats each disk as an independent volume.

d. Incorrect: A JBOD array is not an alternative to iSCSI, which is a protocol used for SAN communications.

Chapter 2. Configuring server roles and features

This chapter covers some of the fundamental services that most Windows servers perform. In the business world, file and printer sharing were the reasons computers were networked in the first place, and with Windows Server 2012 R2, remote management has become a critical element of server administration.

Objectives in this chapter:

▪ Objective 2.1: Configure file and share access

▪ Objective 2.2: Configure print and document services

▪ Objective 2.3: Configure servers for remote management

Objective 2.1: Configure file and share access

One of the critical daily functions of server administrators is deciding where users should store their files and who should be permitted to access them.

NOTE

This objective covers how to:

▪ Create and configure shares

▪ Configure share permissions

▪ Configure offline files

▪ Configure NTFS permissions

▪ Configure access-based enumeration (ABE)

▪ Configure Volume Shadow Copy Service (VSS)

▪ Configure NTFS quotas

▪ Create and configure Work Folders

Creating folder shares

Sharing folders makes them accessible to net-work users. After you have configured thedisks on a file server, you must create sharesto enable network users to access those disks.As noted in the planning discussions inChapter 1 you should have a sharing strategyin place by the time you are ready to createyour shares. This strategy should consist of thefollowing information:

▪ What folders you will share

▪ What names you will assign to the shares

▪ What permissions you will grant users tothe shares

▪ What Offline Files settings you will use forthe shares

If you have the necessary permissions for afolder, you can share it on a Windows Server

236/1537

2012 R2 computer by right-clicking the folderin any File Explorer window, selecting ShareWith, Specific People from the shortcut menu,and following the instructions in the File Shar-ing dialog box, as shown in Figure 2-1.

237/1537

Figure 2-1. The File Sharing dialog box

This method of creating shares provides a sim-plified interface that contains only limitedcontrol over elements such as share permis-sions. You can specify only that the shareusers receive Read permissions or Read/Writepermissions to the share. If you are not the

238/1537

Creator Owner of the folder, you can accessthe Sharing tab of the folder’s Properties sheetinstead. Clicking the Share button launchesthe same File Sharing dialog box. Clicking theAdvanced Sharing button displays the Ad-vanced Sharing dialog box, shown in Fig-ure 2-2, which provides greater control overshare permissions.

239/1537

Figure 2-2. The Advanced Sharing dialog box

240/1537

NETWORK DISCOVERY

For the users on the network to be ableto browse the shares you create on thefile server in File Explorer, you mustmake sure the Network Discovery set-tings and the File Sharing settings areturned on in the Network and SharingCenter control panel.

To take control of the shares on all your diskson all your servers and exercise granular con-trol over their properties, you can use the Fileand Storage Services home page in ServerManager.

Windows Server 2012 R2 supports two typesof folder shares:

▪ Server Message Blocks (SMB). SMB isthe standard file sharing protocol used byall versions of Windows.

241/1537

▪ Network File System (NFS). NFS is thestandard file sharing protocol used bymost UNIX and Linux distributions.

When you install Windows Server 2012 R2,the setup program installs the Storage Servicesrole service in the File and Storage Servicesrole by default. However, before you can cre-ate and manage SMB shares by using ServerManager, you must install the File Server roleservice; to create NFS shares, you must installthe Server for NFS role service.

To create a folder share by using Server Manager, use the following procedure.

1. In Server Manager, click the File and Storage Services icon and, in the submenu that appears, click Shares. The Shares home page appears.

2. From the Tasks menu, select New Share. The New Share Wizard starts, displaying the Select The Profile For This Share page, as shown in Figure 2-3.

Figure 2-3. Configuring the Select The Profile For This Share page in the New Share Wizard

3. From the File Share Profile list, select one of the following options:

▪ SMB Share–Quick. Provides basic SMB sharing with full share and NTFS permissions

▪ SMB Share–Advanced. Provides SMB sharing with full share and NTFS permissions and access to services provided by File Server Resource Manager

▪ SMB Share–Applications. Provides SMB sharing with settings suitable for Hyper-V and other applications

▪ NFS Share–Quick. Provides basic NFS sharing with authentication and permissions

▪ NFS Share–Advanced. Provides NFS sharing with authentication and permissions and access to services provided by File Server Resource Manager

4. Click Next. The Select The Server And Path For This Share page appears.

5. Select the server on which you want to create the share and either select a volume on the server or specify a path to the folder you want to share. Click Next. The Specify Share Name page appears.

MORE INFO NFS SHARING

Selecting one of the NFS share profiles adds two pages to the wizard: The Specify Authentication Methods page and the Specify The Share Permissions page. Each page provides access to functions implemented by the Server for NFS role service, as covered in Objective 2.1, “Configure Advanced File Services,” in Exam 70-412, “Configuring Advanced Windows Server 2012 R2 Services.”

6. In the Share Name text box, specify the name you want to assign to the share and click Next. The Configure Share Settings page appears, as shown in Figure 2-4.

Figure 2-4. Configuring Other Settings on the Configure Share Settings page of the New Share Wizard

7. Select any or all of the following options:

▪ Enable Access-Based Enumeration. Prevents users from seeing files and folders they do not have permission to access

▪ Allow Caching Of Share. Enables offline users to access the contents of this share

▪ Enable BranchCache On The File Share. Enables BranchCache servers to cache files accessed from this share

▪ Encrypt Data Access. Causes the server to encrypt remote file access to this share

ACCESS-BASED ENUMERATION

Access-based enumeration (ABE), a feature first introduced in Windows Server 2003 R2, applies filters to shared folders based on the individual user’s permissions to the files and subfolders in the share. Simply put, users who cannot access a particular shared resource are unable to see that resource on the network. This feature prevents users from seeing files and folders they cannot access. You can enable or disable ABE for a share at any time by opening the share’s Properties sheet in the Sharing and Storage Management console and clicking Advanced, which displays the same Advanced dialog box displayed by the Provision a Shared Folder Wizard.

OFFLINE FILES

Offline Files, also known as client-side caching, is a Windows feature that enables client systems to maintain local copies of files they access from server shares. When a client selects the Always Available Offline option for a server-based file, folder, or share, the client system copies the selected data to the local drive and updates it regularly so the client user can always access it, even if the server is offline. To enable clients to use the Offline Files feature, the share must have the Allow Caching Of Share check box selected. Windows Server 2012 R2 and Windows 8.1 also have an Always Offline mode for the Offline Files feature that causes clients to always use the cached copy of server files, providing better performance. To implement this mode, you must set the Configure slow-link mode Group Policy setting on the client to a value of 1 millisecond.

8. Click Next to move to the Specify Permissions To Control Access page.

9. Modify the default share and NTFS permissions as needed and click Next. The Confirm Selections page appears.

ADVANCED SHARE PROFILES

Selecting one of the Advanced share profiles on the Select The Profile For This Share page adds two more pages to the wizard: The Specify Folder Management Properties page and the Apply A Quota To A Folder Or Volume page. Each page provides access to functions of the File Server Resource Manager application, as covered in Objective 2.2, “Configure File Server Resource Manager (FSRM),” in Exam 70-411, “Administering Windows Server 2012 R2.”

10. Click Create. The View Results page appears as the wizard creates the share.

11. Close the New Share Wizard.

After you create a share by using the wizard, the new share appears in the Shares tile on the Shares home page in Server Manager. You can now use the tile to manage a share by right-clicking it and opening its Properties sheet or by clicking Stop Sharing.

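The wizard's Configure Share Settings options map directly onto parameters of the New-SmbShare cmdlet in the SmbShare module that ships with Windows Server 2012 R2. The following PowerShell is an added example for this section, not code from the book; the folder path, share name and group name are assumptions, and it must run in an elevated session on a server with the File Server role service installed.

```powershell
# Added example (not from the book): create an SMB share with the same
# options the New Share Wizard exposes, then read the result back.
# Path, share name and group name below are assumptions for illustration.
$SharePath = 'D:\Shares\Projects'    # assumed folder; created if missing
$ShareName = 'Projects'              # assumed share name
$ReadGroup = 'CONTOSO\ProjectUsers'  # assumed domain group

if (-not (Test-Path -Path $SharePath)) {
    New-Item -Path $SharePath -ItemType Directory | Out-Null
}

# Wizard option                       -> New-SmbShare parameter
# Enable Access-Based Enumeration     -> -FolderEnumerationMode AccessBased
# Allow Caching Of Share              -> -CachingMode Manual (users pick files)
# Enable BranchCache On The File Share-> -CachingMode BranchCache (needs the
#                                        BranchCache for Network Files role service)
# Encrypt Data Access                 -> -EncryptData $true (SMB 3.0 encryption)
New-SmbShare -Name $ShareName -Path $SharePath `
    -FolderEnumerationMode AccessBased `
    -CachingMode Manual `
    -EncryptData $true `
    -ReadAccess $ReadGroup `
    -Description 'Project files (constructed example)'

# Verify the settings the wizard would have written.
Get-SmbShare -Name $ShareName |
    Select-Object Name, Path, FolderEnumerationMode, CachingMode, EncryptData

# Share permissions created with the share; the wizard's Specify Permissions
# To Control Access page shows the same entries. Because -ReadAccess named a
# group, Everyone is not granted anything on this share.
Get-SmbShareAccess -Name $ShareName
```

Because EncryptData is set, clients that cannot negotiate SMB 3.0 are refused unless the server-wide RejectUnencryptedAccess setting (Get-SmbServerConfiguration) is turned off, so check the client population before enabling it on a share that older systems must reach.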
Assigning permissions

Using Windows Server 2012 R2, you can control access to a file server to provide network users the access they need while protecting other files against possible intrusion and damage, whether deliberate or not. To implement this access control, Windows Server 2012 R2 uses permissions.

Permissions are privileges granted to specific system entities, such as users, groups, or computers, enabling them to perform a task or access a resource. For example, you can grant a specific user permission to read a file while denying that same user the permissions needed to modify or delete the file.

Windows Server 2012 R2 has several sets of permissions, which operate independently of each other. For the purpose of file sharing, you should be familiar with the operation of the following permission systems:

▪ Share permissions. Control access to folders over a network. To access a file over a network, a user must have appropriate share permissions (and appropriate NTFS permissions if the shared folder is on an NTFS volume).

▪ NTFS permissions. Control access to the files and folders stored on disk volumes formatted with the NTFS file system. To access a file, either on the local system or over a network, a user must have the appropriate NTFS permissions.

All these permission systems operate independently of each other and sometimes combine to provide increased protection to a specific resource. For network users to be able to access a shared folder on an NTFS drive, you must grant them both share permissions and NTFS permissions. As you saw earlier, you can grant these permissions as part of the share creation process, but you can also modify the permissions at any time afterward.

Understanding the Windows permission architecture

To store permissions, Windows elements have an access control list (ACL). An ACL is a collection of individual permissions in the form of access control entries (ACEs). Each ACE consists of a security principal (that is, the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2012 R2 permission systems, you are actually creating and modifying the ACEs in an ACL.

To manage permissions in Windows Server 2012 R2, you can use a tab in the protected element’s Properties sheet, like the one shown in Figure 2-5, with the security principals listed at the top and the permissions associated with them at the bottom. Share permissions are typically found on a Share Permissions tab and NTFS permissions are located on a Security tab. All the Windows permission systems use the same basic interface, although the permissions themselves differ. Server Manager also provides access to NTFS and share permissions by using a slightly different interface.

Figure 2-5. Configuring the Security tab of a Properties dialog box

Understanding basic and advanced permissions

The permissions protecting a particular system element are not like the keys to a lock, which provide either full access or no access at all. Permissions are designed to be granular, enabling you to grant specific degrees of access to security principals.

To provide this granularity, each Windows permission system has an assortment of permissions you can assign to a security principal in any combination. Depending on the permission system with which you are working, you might have dozens of different permissions available for a single system element.

Windows provides preconfigured permission combinations suitable for most common access control tasks. When you open the Properties sheet for a system element and look at its Security tab, the NTFS permissions you see are called basic permissions. Basic permissions are actually combinations of advanced permissions, which provide the most granular control over the element.

EXAM TIP

Prior to Windows Server 2012, basic permissions were known as standard permissions and advanced permissions were known as special permissions. Candidates for certification exams should be aware of these alternative terms.

For example, the NTFS permission system has 14 advanced permissions you can assign to a folder or file. However, there are also six basic permissions, which are various combinations of the 14 advanced permissions. You can also assign both types of permissions in a single ACE, combining a basic permission with one or more advanced permissions, to create a customized combination. In most cases, however, administrators work only with basic permissions. Many administrators rarely, if ever, have reason to work directly with advanced permissions.

If you find it necessary to work directly with advanced permissions, Windows makes it possible. When you click the Advanced button on the Security tab of any Properties sheet, an Advanced Security Settings dialog box appears, as shown in Figure 2-6, which enables you to access directly the ACEs for the selected system element. Server Manager provides access to the same dialog box through a share’s Properties sheet.

Figure 2-6. The default settings of the Advanced Security Settings dialog box.

Allowing and denying permissions

When you assign permissions to a system element, you are, in effect, creating a new ACE in the element’s ACL. There are two basic types of ACE: Allow and Deny. This makes it possible to approach permission management tasks from two directions:

▪ Additive. Start with no permissions and then grant Allow permissions to individual security principals to give them the access they need.

▪ Subtractive. Start by granting all possible Allow permissions to individual security principals, giving them full control over the system element, and then grant them Deny permissions for the access you don’t want them to have.

Most administrators prefer the additive approach, because Windows, by default, attempts to limit access to important system elements. In a properly designed permission hierarchy, the use of Deny permissions is often unnecessary. Many administrators frown on their use, because combining Allow and Deny permissions in a hierarchy can make it difficult to determine the effective permissions for a specific system element.

Inheriting permissions

The most important principle in permission management is that permissions tend to run downward through a hierarchy. This is called permission inheritance. Permission inheritance means that parent elements pass their permissions down to their subordinate elements. For example, when you grant Alice Allow permissions to access the root of the D drive, all the folders and subfolders on the D drive inherit those permissions, which means Alice can access them.

The principle of inheritance greatly simplifies the permission assignment process. Without it, you would have to grant individual Allow permissions to security principals for every file, folder, share, object, and key they need to access. With inheritance, you can grant access to an entire file system by creating one set of Allow permissions.

In most cases, whether consciously or not, system administrators take inheritance into account when they design their file systems and their Active Directory Domain Services OU structures. The location of a system element in a hierarchy is often based on how the administrators plan to assign and delegate permissions.

In some situations, an administrator might want to prevent subordinate elements from inheriting permissions from their parents. There are two ways to do this:

▪ Turn off inheritance. When you assign advanced permissions, you can configure an ACE not to pass its permissions down to its subordinate elements. This effectively blocks the inheritance process.

▪ Deny permissions. When you assign a Deny permission to a system element, it overrides any Allow permissions that the element might have inherited from its parent objects.

Understanding effective access

A security principal can receive permissions in many ways, and it is important for an administrator to understand how these permissions combine. The combination of Allow permissions and Deny permissions a security principal receives for a given system element—whether explicitly assigned, inherited, or received through a group membership—is called the effective access for that element. Because a security principal can receive permissions from so many sources, it is not unusual for those permissions to overlap. The following rules define how the permissions combine to form the effective access.

▪ Allow permissions are cumulative. When a security principal receives Allow permissions from more than one source, the permissions are combined to form the effective access permissions.

▪ Deny permissions override Allow permissions. When a security principal receives Allow permissions—whether explicitly, by inheritance, or from a group—you can override those permissions by granting the principal Deny permissions of the same type.

▪ Explicit permissions take precedence over inherited permissions. When a security principal receives permissions by inheriting them from a parent or from group memberships, you can override those permissions by explicitly assigning contradicting permissions to the security principal itself.

Of course, instead of examining and evaluating all the possible permission sources, you can just open the Advanced Security Settings dialog box and click the Effective Access tab. On this tab, you can select a user, group, or device and view its effective access, without accounting for group membership or while accounting for group membership.

Setting share permissions

In Windows Server 2012 R2, shared folders have their own permission system, which is independent from the other Windows permission systems. For network users to access shares on a file server, you must grant them the appropriate share permissions. By default, the Everyone special identity receives the Allow Read share permission to any new shares you create using File Explorer. In shares you create using Server Manager, the Everyone special identity receives the Allow Full Control share permission.

To modify the share permissions for an existing share by using File Explorer, you open the Properties sheet for the shared folder, select the Sharing tab, click Advanced Sharing, and then click Permissions to open the Share Permissions tab, as shown in Figure 2-7.

Figure 2-7. The Share Permissions tab for a shared folder

By using this interface, you can add security principals and allow or deny them the three share permissions. To set share permissions by using Server Manager, either while creating a share or modifying an existing one, use the following procedure.

1. In Server Manager, click the File and Storage Services icon and, in the submenu that appears, click Shares to open the Shares home page.

2. In the Shares tile, right-click a share and, from the shortcut menu, select Properties. The Properties sheet for the share opens.

3. Click Permissions. The Permissions page opens.

4. Click Customize Permissions. The Advanced Security Settings dialog box for the share opens.

5. Click the Share tab to display the interface shown in Figure 2-8.

Figure 2-8. The Share tab of the Advanced Security Settings dialog box for a share in Server Manager

6. Click Add to open a Permission Entry dialog box for the share.

7. Click the Select A Principal link to display the Select User, Computer, Service Account, Or Group dialog box.

8. Type the name of or search for the security principal to whom you want to assign share permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.

9. Select the type of permissions you want to assign (Allow or Deny).

10. Select the check boxes for the permissions you want to assign and click OK.

11. The new ACE you just created appears in the Advanced Security Settings dialog box.

BYPASSING SHARE PERMISSIONS

Many file server administrators simply leave the Allow Full Control share permission to the Everyone special identity in place, essentially bypassing the share permission system, and rely solely on NTFS permissions for granular file system protection. NTFS permissions control access by both local and remote users, rendering share permissions redundant.

12. Click OK to close the Advanced Security Settings dialog box.

13. Click OK to close the share’s Properties sheet.

14. Close the Server Manager window.

Understanding NTFS authorization

The majority of Windows installations today use the NTFS file system as opposed to FAT32. One of the main advantages of NTFS is that it supports permissions, which FAT32 does not. As described earlier in this chapter, every file and folder on an NTFS drive has an ACL that consists of ACEs, each of which contains a security principal and the permissions assigned to that principal.

In the NTFS permission system, the security principals involved are users and groups, which Windows refers to by using security identifiers (SIDs). When a user attempts to access an NTFS file or folder, the system reads the user’s security access token, which contains the SIDs for the user’s account and all the groups to which the user belongs. The system then compares these SIDs to those stored in the file or folder’s ACEs to determine what access the user should have. This process is called authorization.

Assigning basic NTFS permissions

Most file server administrators work almost exclusively with basic NTFS permissions because there is no need to work directly with advanced permissions for most common access control tasks.

To assign basic NTFS permissions to a shared folder, the options are essentially the same as with share permissions. You can open the folder’s Properties sheet in File Explorer and select the Security tab or you can open a share’s Properties sheet in Server Manager, as described in the following procedure.

1. In Server Manager, open the Shares home page.

NTFS PERMISSIONS

NTFS permissions are not limited to shared folders. Every file and folder on an NTFS volume has permissions. Although this procedure describes the process of assigning permissions to a shared folder, you can open the Properties sheet for any folder in a File Explorer window, click the Security tab, and work with its NTFS permissions in the same way.

2. Open the Properties sheet for a share and click Permissions to open the Permissions page.

NEW SHARE WIZARD

The New Share Wizard displays this same Permissions interface on its Specify Permissions to Control Access page. The rest of this procedure applies equally well to that page and its subsequent dialog boxes.

3. Click Customize Permissions to open the Advanced Security Settings dialog box for the share, displaying the Permissions tab, as shown in Figure 2-9. This dialog box is as close as the Windows graphical interface can come to displaying the contents of an ACL.

Figure 2-9. The Advanced Security Settings dialog box for a share in Server Manager

4. Click Add. This opens the Permission Entry dialog box for the share.

5. Click the Select A Principal link to display the Select User, Computer, Service Account, or Group dialog box.

6. Type the name of or search for the security principal to whom you want to assign NTFS permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.

7. In the Type drop-down list, select the type of permissions you want to assign (Allow or Deny).

8. In the Applies To drop-down list, specify which subfolders and files should inherit the permissions you are assigning.

9. Select the check boxes for the basic permissions you want to assign and click OK. The new ACE you just created appears in the Advanced Security Settings dialog box.

10. Click OK twice to close the Advanced Security Settings dialog box and the Properties sheet.

11. Close the Server Manager window.

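The Permission Entry dialog box in the procedure above (Type, Applies To, basic permission check boxes) is a front end for a single ACE, and the inheritance and effective-access rules described earlier can be seen directly by building ACEs in code. The following PowerShell is an added example, not code from the book, serving both the basic-permissions procedure and the earlier inheritance and effective-access sections; folder paths and group names are assumptions, and it runs elevated on an NTFS volume.

```powershell
# Added example (not from the book): the ACE the Permission Entry dialog box
# creates, built with Get-Acl/Set-Acl and the .NET FileSystemAccessRule type.
# Folder paths and group names are assumptions for illustration.
$Folder  = 'D:\Shares\Projects'          # assumed folder
$Child   = Join-Path $Folder 'Archive'   # assumed subfolder
$Editors = 'CONTOSO\ProjectEditors'      # assumed domain groups
$Interns = 'CONTOSO\Interns'

foreach ($p in $Folder, $Child) {
    if (-not (Test-Path $p)) { New-Item -Path $p -ItemType Directory | Out-Null }
}

# "Applies To: This folder, subfolders and files" is the pair of inheritance
# flags ContainerInherit + ObjectInherit with no propagation restriction.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Basic permission "Modify" for the editors group, Type = Allow.
$allowModify = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Editors, 'Modify', $inherit, $propagate, 'Allow')

# Basic permission "Write" for the interns group, Type = Deny. Interns may
# still inherit Read through a broader group; this Deny ACE wins over it.
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Interns, 'Write', $inherit, $propagate, 'Deny')

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($allowModify)
$acl.AddAccessRule($denyWrite)
Set-Acl -Path $Folder -AclObject $acl

# The subfolder now carries both entries as inherited ACEs (IsInherited = True).
(Get-Acl -Path $Child).Access |
    Where-Object { $_.IdentityReference.Value -in $Editors, $Interns } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited

# "Turn off inheritance" on the subfolder: protect its ACL and convert the
# inherited ACEs into explicit copies (isProtected = $true,
# preserveInheritance = $true), so Archive is managed on its own from here on.
$childAcl = Get-Acl -Path $Child
$childAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Child -AclObject $childAcl

# Windows evaluates an ACL in canonical order: explicit Deny, explicit Allow,
# inherited Deny, inherited Allow. Listing the entries in that order shows
# why explicit entries take precedence and why Deny overrides Allow.
(Get-Acl -Path $Child).Access |
    Sort-Object IsInherited, @{Expression = { $_.AccessControlType }; Descending = $true} |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The second Set-Acl is the command-line equivalent of the Disable Inheritance button in the Advanced Security Settings dialog box; passing $false as the second argument would instead remove the inherited entries, which is the dialog's "Remove all inherited permissions" choice and leaves the folder with only the explicit ACEs you added.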
Assigning advanced NTFS permissions

In Windows Server 2012 R2, the ability to manage advanced permissions is integrated into the interface you use to manage basic permissions.

In the Permission Entry dialog box, clicking the Show Advanced Permissions link changes the list of basic permissions to a list of advanced permissions. You can then assign advanced permissions in any combination, just as you would basic permissions.

Combining share permissions with NTFS permissions

It is important for file server administrators to understand that the NTFS permission system is completely separate from the share permission system and that for network users to access files on a shared NTFS drive, the users must have the correct NTFS permissions and the correct share permissions.

The share and NTFS permissions assigned to a file or folder can conflict. For example, if a user has the NTFS Write and Modify permissions for a folder but lacks the Change share permission, that user will not be able to modify a file in that folder.

The share permission system is the simplest of the Windows permission systems and it provides only basic protection for shared network resources. Share permissions provide only three levels of access, in contrast to the far more complex system of NTFS permissions. Generally, network administrators prefer to use either NTFS or share permissions, not both.

Share permissions provide limited protection, but this might be sufficient on some small networks. Share permissions might also be the only option on a computer with FAT32 drives because the FAT file system does not have its own permission system.

On networks already possessing a well-planned system of NTFS permissions, share permissions are not really necessary. In this case, you can safely grant the Full Control share permission to Everyone and allow the NTFS permissions to provide security. Adding share permissions would complicate the administration process without providing any additional protection.

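The "Everyone gets Full Control at the share, NTFS does the real work" design from this section and the earlier Bypassing Share Permissions sidebar can be applied to an existing share from PowerShell. The following is an added example, not code from the book; it uses the SmbShare cmdlets for the share layer and icacls.exe for the NTFS layer, the share and group names are assumptions, and it runs elevated.

```powershell
# Added example (not from the book): make the share layer permissive and put
# all access control in the NTFS ACL. Share and group names are assumptions.
$ShareName = 'Projects'                 # assumed existing SMB share
$SharePath = (Get-SmbShare -Name $ShareName).Path
$Users     = 'CONTOSO\ProjectUsers'     # assumed domain group

# 1. Share permissions: Everyone gets Full Control, so the share layer can
#    never be the hidden reason a user can read but not save (the conflict
#    described above, where NTFS Modify is defeated by a missing Change share
#    permission). Every other share-level entry is removed.
Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    if ($_.AccessControlType -eq 'Deny') {
        Unblock-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force
    } elseif ($_.AccountName -ne 'Everyone') {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force
    }
}
Grant-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -AccessRight Full -Force

# 2. NTFS permissions carry the real access control. Turn off inheritance
#    (/inheritance:r drops the inherited ACEs), then grant only the project
#    group Modify on this folder, subfolders and files ((OI)(CI)), plus
#    SYSTEM and the built-in Administrators group so the server stays
#    manageable and backups keep working.
icacls.exe $SharePath /inheritance:r
icacls.exe $SharePath /grant "${Users}:(OI)(CI)M"
icacls.exe $SharePath /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls.exe $SharePath /grant 'BUILTIN\Administrators:(OI)(CI)F'

# 3. Show both layers side by side. A network user's effective access is the
#    more restrictive of the two: Full Control at the share, narrowed by NTFS.
"--- Share permissions for \\$env:COMPUTERNAME\$ShareName ---"
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
"--- NTFS permissions for $SharePath ---"
icacls.exe $SharePath
```

Because /inheritance:r removes every inherited entry, run the script against a copy of the folder first if you are unsure what the inherited ACL currently grants; the three explicit grants are the minimum that keeps the folder usable by the project group and administrable by the operating system.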

Configuring Volume Shadow Copies

Volume Shadow Copies is a Windows Server 2012 R2 feature that enables you to maintain previous versions of files on a server, so if users accidentally delete or overwrite files, they can access a previous copy of those files. You can implement Volume Shadow Copies only for an entire volume; you cannot select specific shares, folders, or files.

To configure a Windows Server 2012 R2 volume to create Shadow Copies, use the following procedure.

1. Open File Explorer. The File Explorer window appears.

2. In the Folders list, expand the Computer container, right-click a volume and, from the shortcut menu, select Configure Shadow Copies. The Shadow Copies dialog box appears, as shown in Figure 2-10.

Figure 2-10. The Shadow Copies dialog box

3. In the Select A Volume box, choose the volume for which you want to enable Shadow Copies. By default, when you enable Shadow Copies for a volume, the system uses the following settings:

▪ The system stores the shadow copies on the selected volume.

▪ The system reserves a minimum of 300 MB of disk space for the shadow copies.

▪ The system creates shadow copies at 7:00 A.M. and 12:00 P.M. every weekday.

4. To modify the default parameters, click Settings to open the Settings dialog box.

5. In the Storage Area box, specify the volume where you want to store the shadow copies.

6. Specify the Maximum Size for the storage area or choose the No Limit option. If the storage area becomes filled, the system begins deleting the oldest shadow copies. However, no matter how much space you allocate to the storage area, Windows Server 2012 R2 supports a maximum of 64 shadow copies for each volume.

7. Click Schedule to open the Schedule dialog box. By using the controls provided, you can modify the existing Shadow Copies tasks, delete them, or create new ones, based on the needs of your users.

8. Click OK twice to close the Schedule and Settings dialog boxes.

9. Click Enable. The system enables the Shadow Copies feature for the selected volume and creates the first copy in the designated storage area.

10. Close File Explorer.

After you complete this procedure, users can restore previous versions of files on the selected volumes from the Previous Versions tab on any file or folder’s Properties sheet.

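The Shadow Copies dialog box drives the same components that vssadmin.exe and the Task Scheduler expose, so the Settings, Schedule and Enable steps above can be scripted. The following PowerShell is an added example, not code from the book; the volume letter, storage cap and task names are assumptions, and it must run from an elevated session on the file server.

```powershell
# Added example (not from the book): the Shadow Copies dialog box steps done
# with vssadmin.exe and schtasks.exe. Volume, size cap and task names are
# assumptions for illustration; run elevated.
$Volume  = 'D:'      # assumed volume to protect
$MaxSize = '10%'     # assumed cap for the storage area (dialog: Maximum Size)
$Tag     = $Volume.TrimEnd(':')

# Settings dialog box: storage area on the same volume, with a size limit.
# "Add ShadowStorage" fails when an association already exists, so resize it
# instead in that case. (Output text match is an assumption about the
# English vssadmin output.)
$existing = vssadmin.exe List ShadowStorage /For=$Volume 2>&1 |
    Select-String 'Shadow Copy Storage association'
if ($existing) {
    vssadmin.exe Resize ShadowStorage /For=$Volume /On=$Volume /MaxSize=$MaxSize
} else {
    vssadmin.exe Add ShadowStorage /For=$Volume /On=$Volume /MaxSize=$MaxSize
}

# Schedule dialog box defaults: a copy at 7:00 A.M. and 12:00 P.M. every
# weekday. Two tasks running as SYSTEM issue the same command the dialog uses.
$cmd = "vssadmin.exe Create Shadow /For=$Volume"
schtasks.exe /Create /F /RU SYSTEM /TN "ShadowCopy_${Tag}_0700" `
    /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 07:00 /TR $cmd
schtasks.exe /Create /F /RU SYSTEM /TN "ShadowCopy_${Tag}_1200" `
    /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 12:00 /TR $cmd

# Enable: take the first copy now, then list what exists. The 64-copy ceiling
# per volume applies regardless of storage size; the oldest copy is dropped
# when either limit is reached.
vssadmin.exe Create Shadow /For=$Volume
vssadmin.exe List Shadows /For=$Volume
```

Keeping the storage area on the same volume is the dialog's default, but for a busy file server placing it on a separate spindle (the /On= argument) avoids the copy-on-write traffic competing with user I/O, which is the main reason shadow copies get pruned faster than administrators expect.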
Configuring NTFS quotas

Managing disk space is a constant concern for server administrators, and one way to prevent users from monopolizing storage is to implement quotas. Windows Server 2012 R2 supports two types of storage quotas. The more elaborate of the two is implemented as part of File Server Resource Manager. The second, simpler option is NTFS quotas.

EXAM TIP

The objectives for the 70-410 exam specifically mention NTFS quotas, while the quotas in File Server Resource Manager are covered in the objectives for exam 70-411. Candidates should be careful to distinguish between the two types of quotas.

NTFS quotas enable administrators to set a storage limit for users of a particular volume. Depending on how you configure the quota, users exceeding the limit can either be denied disk space or just receive a warning. The space consumed by individual users is measured by the size of the files they own or create.

NTFS quotas are relatively limited in that you can only set limits at the volume level. The feature is also limited in the actions it can take in response to a user exceeding the limit. The quotas in File Server Resource Manager, by contrast, are much more flexible in the limits you can set and the responses of the program (which can send email notifications, execute commands, generate reports, or create log events).

To configure NTFS quotas for a volume, use the following procedure.

1. Open File Explorer. The File Explorer window appears.

2. In the Folders list, expand the Computer container, right-click a volume and, from the shortcut menu, select Properties. The Properties sheet for the volume appears.

3. Click the Quota tab to display the interface shown in Figure 2-11.

Figure 2-11. The Quota tab of a volume’s Properties sheet

4. Select the Enable Quota Management check box to activate the rest of the controls.

5. If you want to prevent users from consuming more than their quota of disk space, select the Deny Disk Space To Users Exceeding Quota Limit check box.

6. Select the Limit Disk Space To option and specify amounts for the quota limit and the warning level.

7. Select the Log Event check boxes to control whether users exceeding the specified limits should trigger log entries.

8. Click OK to create the quota and close the Properties sheet.

9. Close File Explorer.

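Every control on the Quota tab corresponds to a property of the Win32_QuotaSetting WMI class, and fsutil.exe quota covers per-user entries and reporting, so the procedure above can be reproduced without File Explorer. The following PowerShell is an added example, not code from the book; the volume, limits and user account are assumptions, and it runs elevated.

```powershell
# Added example (not from the book): the Quota tab settings applied with the
# Win32_QuotaSetting WMI class, plus a per-user entry and reports via
# fsutil.exe quota. Volume, limits and user account are assumptions.
$Volume  = 'D:'
$LimitGB = 5                  # "Limit disk space to"
$WarnGB  = 4                  # "Set warning level to"
$User    = 'CONTOSO\leo'      # assumed account for a per-user entry

# WQL needs the backslash in "D:\" escaped, hence the doubled \\ below.
$q = Get-WmiObject -Class Win32_QuotaSetting -Filter "VolumePath='$Volume\\'"
if (-not $q) { throw "No quota setting object for $Volume (NTFS volume required)" }

# State: 0 = disabled, 1 = tracked (Enable Quota Management only),
#        2 = enforced (Deny Disk Space To Users Exceeding Quota Limit checked)
$q.State                       = 2
$q.DefaultLimit                = $LimitGB * 1GB
$q.DefaultWarningLimit         = $WarnGB  * 1GB
$q.ExceededNotification        = $true   # Log Event When A User Exceeds Their Quota Limit
$q.WarningExceededNotification = $true   # Log Event When A User Exceeds Their Warning Level
$q.Put() | Out-Null

# A per-user entry that differs from the defaults (the Quota Entries window):
# fsutil quota modify <Volume> <Threshold> <Limit> <User>, both values in bytes.
fsutil.exe quota modify $Volume ($WarnGB * 1GB) (10GB) $User

# Reports: usage per owner on the volume, and quota events already logged
# (fsutil quota violations scans the System and Application event logs).
fsutil.exe quota query $Volume
fsutil.exe quota violations
```

Because NTFS quotas charge space to the file owner, a user who takes ownership of another user's files inherits their consumption; the query output above is the quickest way to see which SID a runaway directory is actually being billed to.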

Configuring Work Folders

Work Folders is a Windows Server 2012 R2 feature that enables administrators to provide their users with synchronized access to their files on multiple workstations and devices while storing them on a network file server. The principle is roughly the same as Microsoft’s SkyDrive service, except that the files are stored on a private Windows server instead of a cloud server on the Internet. This enables administrators to maintain control over the files, backing them up, classifying them, and/or encrypting them as needed.

EXAM TIP

Work Folders is a new feature in Windows Server 2012 R2 that has been added to the 70-410 objectives. Candidates for the revised exam should be familiar with the process of creating and configuring Work Folders on a server, though they need not dwell on the Windows 8.1 client side of the application.

To set up the Work Folders environment, you install the Work Folders role service in the File and Storage Services role on a server running Windows Server 2012 R2 and create a new type of share called a sync share. This installs the IIS Hostable Web Core feature, which makes it possible for the server to respond to incoming HTTP requests from Work Folders clients on the network.

On the client side, you configure Work Folders in the Windows 8.1 Control Panel, specifying the email address of the user and the location of the Work Folders on the local disk. The system also creates a system folder called Work Folders, which appears in File Explorer and in file management dialogs. When the user saves files to the Work Folders on the client system, they are automatically synchronized with the user’s folder on the Work Folders server.

Users can create as many Work Folders clients as they need on different computers or other devices. After saving files to their Work Folders on their office workstations, for example, users can go home and find those files already synchronized to their home computers. In the same way, Work Folders can synchronize a user’s files to a portable device at the office and the user can work on them while offline during the commute home. Arriving home and connecting to the Internet, the device synchronizes the files back to the server, so that the user finds the latest versions on the office computer the next day.

Work Folders is not designed to be a collaborative tool; it is just a means of synchronizing folders between multiple devices while enabling administrators to retain control over them. It is possible to specify that Work Folders files remain encrypted during synchronization and administrators can impose security policies that force the use of lock screens and mandatory data wipes for lost machines.

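The server-side setup described above (install the Work Folders role service, create a sync share, attach the encryption and lock-screen policies) is exposed by the SyncShare PowerShell module. The following is an added example, not code from the book; the sync root path, share name and security group are assumptions, and it runs elevated on a Windows Server 2012 R2 file server.

```powershell
# Added example (not from the book): install the Work Folders role service
# and create a sync share with the policies the section describes.
# Path, share name and group are assumptions for illustration.
$SyncRoot  = 'D:\SyncShares\WorkFolders'     # assumed root for per-user folders
$ShareName = 'WorkFolders'                   # assumed sync share name
$Group     = 'CONTOSO\WorkFoldersUsers'      # assumed domain security group

# Role service "Work Folders" under File and Storage Services; pulls in the
# IIS Hostable Web Core feature so the server can answer Work Folders clients.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

if (-not (Test-Path $SyncRoot)) { New-Item -Path $SyncRoot -ItemType Directory | Out-Null }

# A sync share is not an SMB share: clients reach it over HTTPS, and each user
# gets an individual folder under $SyncRoot named after the account.
# -RequireEncryption       : files stay encrypted on the client device
# -RequirePasswordAutoLock : client must enforce a lock screen with a password
# -InheritParentFolderPermission : user folders inherit the root's NTFS ACL
#                                  (otherwise each user gets exclusive access)
New-SyncShare -Name $ShareName -Path $SyncRoot -User $Group `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true `
    -InheritParentFolderPermission

# Verify the share and the device policies attached to it.
Get-SyncShare -Name $ShareName |
    Select-Object Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# Server-wide settings; clients connect over HTTPS, so a certificate must be
# bound to that port (outside this example) before any device can sync.
Get-SyncServerSetting
```

Keep the sync root on a volume that is backed up and, if the NTFS quota or FSRM quota material earlier in this chapter applies, quota it: each user's folder under the root counts against whatever owner-based limit is set on that volume.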

THOUGHT EXPERIMENT: CREATING PERMISSIONS

In the following thought experiment, apply what you’ve learned about the objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

You are working as a help desk administrator for a corporate network and you receive a call from a user named Leo who is requesting access to the files for a new classified project called Contoso. The Contoso files are stored in a shared folder on a file server, which is locked in a secured underground data storage facility. After verifying that the user has the appropriate security clearance for the project, you create a new group on the file server called CONTOSO_USERS and add Leo’s user account to that group. Then you add the CONTOSO_USERS group to the access control list for the Contoso folder on the file server and assign the group the following NTFS permissions:

▪ Allow Modify

▪ Allow Read & Execute

▪ Allow List Folder Contents

▪ Allow Read

▪ Allow Write

Later, Leo calls to tell you that although he is able to access the Contoso folder and read the files stored there, he has been unable to save changes back to the server.

What is the most likely cause of the problem?

Objective summary

▪ Creating folder shares makes the datastored on a file server’s disks accessible tonetwork users.

▪ NTFS permissions enable you to controlaccess to files and folders by specifying thetasks individual users can perform onthem. Share permissions provide rudi-mentary access control for all the files on anetwork share. Network users must havethe proper share and NTFS permissions toaccess file server shares.

▪ ABE applies filters to shared folders basedon an individual user’s permissions to thefiles and subfolders in the share. Simplyput, users who cannot access a particularshared resource are unable to see that re-source on the network.

300/1537

▪ Offline Files is a Windows feature that en-ables client systems to maintain local cop-ies of files they access from server shares.

▪ Volume Shadow Copies is a Windows Serv-er 2012 R2 feature that enables you tomaintain previous versions of files on aserver, so if users accidentally delete oroverwrite a file, they can access a copy.

▪ NTFS quotas enable administrators to set astorage limit for users of a particularvolume.

▪ Work Folders is a Windows Server 2012R2 feature that synchronizes files betweenmultiple client devices and a file server loc-ated on a private network.

301/1537
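The summary’s rule that a network user needs both the share permissions and the NTFS permissions is exactly what a help desk administrator has to check in a case like Leo’s. The following PowerShell script is an added example, not code from the book: it reports each layer separately for a list of principals, and assumes it runs on the file server with the SmbShare module; the share, path and account names are constructed placeholders.

```powershell
# Added example, not from the book: report whether a user can write to a shared folder
# by checking both gates the objective describes, the share permissions and the NTFS
# ACL. Share name and principal names are constructed placeholders; run on the file
# server with the SmbShare module (Windows Server 2012 or later).
param(
    [string]   $ShareName  = 'Contoso',
    # The user plus every group the user belongs to that could appear in an ACL.
    # (Simplification: membership is supplied by hand rather than read from the token.)
    [string[]] $Principals = @('CONTOSO\Leo', 'CONTOSO\CONTOSO_USERS',
                               'Everyone', 'NT AUTHORITY\Authenticated Users')
)
Import-Module SmbShare

function Test-ShareWrite([string] $Share) {
    # Share permissions come in three grades (Read, Change, Full); only Change or Full
    # allow writes, and a matching Deny overrides every Allow.
    $aces = Get-SmbShareAccess -Name $Share |
            Where-Object { $Principals -contains $_.AccountName }
    if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' }) { return $false }
    [bool] ($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.AccessRight -in 'Change', 'Full') })
}

function Test-NtfsWrite([string] $Path) {
    # NTFS: any ACE carrying WriteData (part of Write, Modify and Full Control) counts,
    # again with Deny taking precedence over Allow.
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    $aces = (Get-Acl -Path $Path).Access |
            Where-Object { $Principals -contains $_.IdentityReference.Value }
    $writers = $aces | Where-Object { [int] ($_.FileSystemRights -band $writeData) -ne 0 }
    if ($writers | Where-Object { $_.AccessControlType -eq 'Deny' }) { return $false }
    [bool] ($writers | Where-Object { $_.AccessControlType -eq 'Allow' })
}

$share      = Get-SmbShare -Name $ShareName -ErrorAction Stop
$shareWrite = Test-ShareWrite $ShareName
$ntfsWrite  = Test-NtfsWrite  $share.Path

# Both layers must grant write access; the more restrictive one decides the outcome.
[pscustomobject] @{
    Share          = "\\$env:COMPUTERNAME\$ShareName"
    Path           = $share.Path
    ShareWrite     = $shareWrite
    NtfsWrite      = $ntfsWrite
    EffectiveWrite = ($shareWrite -and $ntfsWrite)
    ShareAces      = (Get-SmbShareAccess -Name $ShareName | ForEach-Object {
                        "$($_.AccountName): $($_.AccessControlType) $($_.AccessRight)" }) -join '; '
}
```

The ShareAces column lists every share-level entry, so a share left at its default permissions shows up immediately next to the NTFS result.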

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. What is the maximum number of shadow copies a Windows Server 2012 R2 system can maintain for each volume?

a. 8

b. 16

c. 64

d. 128

2. Which of the following terms describes the process of granting users access to file server shares by reading their permissions?

a. Authentication

b. Authorization

c. Enumeration

d. Assignment

3. Which of the following are tasks you can perform by using the quotas in File Server Resource Manager but can’t perform by using NTFS quotas? (Choose all that apply.)

a. Send an email message to an administrator when users exceed their limits.

b. Specify different storage limits for each user.

c. Prevent users from consuming storage space on a volume beyond their allotted limit.

d. Generate warnings to users when they approach their allotted storage limit.

4. In the Windows Server 2012 R2 NTFS permission system, combinations of advanced permissions are also known as _____________ permissions. (Choose all that apply.)

a. Special

b. Basic

c. Share

d. Standard

5. Which of the following statements best describes the role of the security principal in file system permission assignments?

a. The security principal in file system permission assignments is the only person who can access a file that has no permissions assigned to it.

b. The security principal in file system permission assignments is the person responsible for creating permission policies.

c. The security principal in file system permission assignments is the person assigning the permissions.

d. The security principal in file system permission assignments is the person to whom the permissions are assigned.

Objective 2.2: Configure print and document services

Like the file-sharing functions discussed in the previous section, print device sharing is one of the most basic applications for which local area networks were designed.

NOTE

This objective covers how to:

▪ Configure the Easy Print print driver

▪ Configure Enterprise Print Management

▪ Configure drivers

▪ Configure printer pooling

▪ Configure print priorities

▪ Configure printer permissions

Deploying a print server

Installing, sharing, monitoring, and managing a single network print device is relatively simple, but when you are responsible for dozens or even hundreds of print devices on a large enterprise network, these tasks can be overwhelming.

Understanding the Windows print architecture

It is important to understand the terms Microsoft uses when referring to the components of the network printing architecture. Printing in Microsoft Windows typically involves the following four components:

▪ Print device. A print device is the actual hardware that produces hard-copy documents on paper or other print media. Windows Server 2012 R2 supports both local print devices, which are attached directly to computer ports, and network interface print devices, which are connected to the network either directly or through another computer.

▪ Printer. In Windows, a printer is the software interface through which a computer communicates with a print device. Windows Server 2012 R2 supports numerous physical interfaces, including Universal Serial Bus (USB), IEEE 1394 (FireWire), parallel (LPT), serial (COM), Infrared Data Access (IrDA), Bluetooth ports, and network printing services such as LPR, Internet Printing Protocol (IPP), and standard TCP/IP ports.

▪ Print server. A print server is a computer (or standalone device) that receives print jobs from clients and sends them to print devices that are either attached locally or connected to the network.

▪ Printer driver. A printer driver is a device driver that converts the print jobs generated by applications into an appropriate string of commands for a specific print device. Printer drivers are designed for a specific print device and provide applications with access to all the print device’s features.

PRINTING NOMENCLATURE

“Printer” and “print device” are the most commonly misused terms in the Windows printing vocabulary. Obviously, many sources use “printer” to refer to the printing hardware. However, in Windows, printer and print device are not equivalent. For example, you can add a printer to a Windows Server 2012 R2 computer without a physical print device being present. The computer can then host the printer, print server, and printer driver. These three components enable the computer to process the print jobs and store them in a print queue until the print device is available.

Understanding Windows printing

These four components work together to process the print jobs produced by Windows applications and turn them into hard-copy documents, as shown in Figure 2-12.

Figure 2-12. The Windows print architecture

Before you can print documents in Windows, you must install at least one printer. To install a printer in Windows, you must do the following:

▪ Select the print device’s specific manufacturer and model.

▪ Specify the port (or other interface) the computer will use to access the print device.

▪ Supply a printer driver created specifically for that print device.

When you print a document in an application, you select the printer that will be the destination for the print job.

The printer is associated with a printer driver that takes the commands generated by the application and converts them into a printer control language (PCL), a language understood by the printer. PCLs can be standardized, like the PostScript language, or they can be proprietary languages developed by the print device manufacturer.

The printer driver enables you to configure the print job to use the various capabilities of the print device. These capabilities are typically incorporated into the printer’s Properties sheet. For example, your word-processing application does not know if your print device is color or monochrome or if it supports duplex printing. The printer driver provides support for print device features such as these.

After the printer processes a print job, it stores the job in a print queue, known as a spooler. Depending on the arrangement of the printing components, the spooled jobs might be in PCL format, ready to go to the print device, or in an interim format, in which case the printer driver must process the spooled jobs into the PCL format before sending them to the device. If other jobs are waiting to be printed, a new job might wait in the spooler for some time.

When the server finally sends the job to the print device, the device reads the PCL commands and produces the hard-copy document.

Windows printing flexibility

The flexibility of the Windows print architecture is manifested in the different ways you can deploy the four printing components. A single computer can perform all the roles (except for the print device, of course) or you can distribute those roles across the network. The following sections describe four fundamental configurations that are the basis of most Windows printer deployments:

▪ Direct printing

▪ Locally attached printer sharing

▪ Network-attached printing

▪ Network-attached printer sharing

You can scale these configurations up to accommodate a network of virtually any size.

Direct Printing

The simplest print architecture consists of one print device connected to one computer, also known as a locally attached print device, as shown in Figure 2-13. When you connect a print device directly to a Windows Server 2012 R2 computer and print from an application running on that system, the computer supplies the printer, printer driver, and print server functions.

Figure 2-13. A locally attached print device

Locally Attached Printer Sharing

In addition to printing from an application running on that computer, you can also share the printer (and the print device) with other users on the same network. In this arrangement, the computer with the locally attached print device functions as a print server. Figure 2-14 shows the other computers on the network, which are known as the print clients.

Figure 2-14. Sharing a locally attached printer

In the default Windows Server 2012 R2 printer-sharing configuration, each client uses its own printer and printer driver. As before, the application running on the client computer sends the print job to the printer and the printer driver renders the job, based on the capabilities of the print device.

The main advantage of this printing arrangement is that multiple users, located anywhere on the network, can send jobs to a single print device connected to a computer functioning as a print server. The downside is that processing the print jobs for many users can impose a significant burden on the print server. Although any Windows computer can function as a print server, you should use a workstation for this purpose only when you have no more than a handful of print clients to support or you have a very light printing volume.

Network-Attached Printing

The printing solutions discussed thus far involve print devices connected directly to a computer using a USB or other port. Print devices do not necessarily have to be attached to computers, however. You can connect a print device directly to the network instead. Many print device models are equipped with network interface adapters, enabling you to attach a standard network cable. Some print devices have expansion slots into which you can install a network printing adapter you have purchased separately. Finally, for print devices with no networking capabilities, standalone network print servers are available, which connect to the network and enable you to attach one or more print devices. Print devices so equipped have their own IP addresses and typically have an embedded web-based configuration interface.

With network-attached print devices, the primary deployment decision the administrator must make is to decide which computer will function as the print server. One simple (but often impractical) option is to let each print client function as its own print server, as shown in Figure 2-15. Each client processes and spools its own print jobs, connects to the print device by using a TCP (Transmission Control Protocol) port, and sends the jobs directly to the device for printing.

Figure 2-15. A network-attached print device with multiple print servers

Even individual end users with no administrative assistance will find this arrangement simple to set up. However, the disadvantages are many, including the following:

▪ Users examining the print queue see only their own jobs.

▪ Users are oblivious of the other users accessing the print device. They have no way of knowing what other jobs have been sent to the print device or how long it will be until the print device completes their jobs.

▪ Administrators have no way of centrally managing the print queue because each client has its own print queue.

▪ Administrators cannot implement advanced printing features, such as printer pools (covered later in this section) or remote administration.

▪ Error messages appear only on the computer that originated the job that the print device is currently processing.

▪ All print job processing is performed by the client computer rather than being partially offloaded to an external print server.

For these reasons, this arrangement is suitable only for small workgroup networks that do not have dedicated administrators supporting them.

Network-Attached Printer Sharing

The other, far more popular option for network-attached printing is to designate one computer as a print server and use it to service all the print clients on the network. To do this, you install a printer on one computer (which becomes the print server) and configure it to access the print device directly through a TCP port. You then share the printer, just as you would a locally attached print device, and configure the clients to access the print share.

As you can see in Figure 2-16, the physical configuration is the same as in the previous arrangement, but the logical path the print jobs take on the way to the print device is different. Instead of going straight to the print device, the jobs go to the print server, which spools them and sends them to the print device in order.

Figure 2-16. A network-attached print device with a single shared print server

With this arrangement, virtually all the disadvantages of the multiple print server arrangement become advantages:

▪ All the client jobs are stored in a single print queue, so users and administrators can see a complete list of the jobs waiting to be printed.

▪ Part of the job-rendering burden is shifted to the print server, returning control of the client computer to the user more quickly.

▪ Administrators can manage all the queued jobs from a remote location.

▪ Print error messages appear on all client computers.

▪ Administrators can implement printer pools and other advanced printing features.

▪ Administrators can manage security, auditing, monitoring, and logging functions from a central location.

Advanced Printing Configurations

Administrators can use the four configurations described in the previous sections as building blocks to create printing solutions for their networks. Many possible variations can be used to create a network printing architecture that supports your organization’s needs. Some of the more advanced possibilities are as follows:

▪ You can connect a single printer to multiple print devices, creating what is called a printer pool. On a busy network with many print clients, the print server can distribute large numbers of incoming jobs among several identical print devices to provide more timely service and better fault tolerance.

▪ You can connect multiple print devices that support different paper forms and various paper sizes to a single printer, which will distribute jobs with different requirements to the appropriate print devices.

▪ You can connect multiple printers to a single print device. By creating multiple printers, you can configure different priorities, security settings, auditing, and monitoring parameters for different users. For example, you can create a high-priority printer for company executives and a lower-priority printer for junior users. This ensures that the executives’ jobs get printed first, even if the printers are connected to the same print device.

Sharing a printer

Using Windows Server 2012 R2 as a print server can be simple or complex, depending on how many clients the server has to support and how much printing they do. For a home or small business network, in which a handful of users need occasional access to the printer, no special preparation is necessary. However, if the computer must support heavy printer use, hardware upgrades (such as additional disk space or system memory) might be needed.

You might also consider making the computer a dedicated print server. In addition to memory and disk space, using Windows Server 2012 R2 as a print server requires processor clock cycles, just like any other application. On a server handling heavy print traffic, other roles and applications are likely to experience substantial performance degradation. If you need a print server to handle heavy traffic, consider dedicating the computer to print server tasks only and deploying other roles and applications elsewhere.

On a Windows Server 2012 R2 computer, you can share a printer as you are installing it or at any time afterward. On older printers, you initiate the installation process by launching the Add Printer Wizard from the Devices and Printers control panel. However, most of the print devices on the market today use either a USB connection to a computer or an Ethernet or wireless connection to a network.

In the case of a USB-connected printer, you plug the print device into a USB port on the computer and turn on the device to initiate the installation process. Manual intervention is required only when Windows Server 2012 R2 does not have a driver for the print device.

For network-attached print devices, an installation program supplied with the product locates the print device on the network, installs the correct drivers, creates a printer on the computer, and configures the printer with the proper IP address and other settings.

After the printer is installed on the Windows Server 2012 R2 computer that will function as your print server, you can share it with your network clients by using the following procedure.

1. Open the Devices and Printers control panel. The Devices and Printers window appears.

2. Right-click the icon for the printer you want to share and, from the shortcut menu, select Printer Properties. The printer’s Properties sheet appears.

PROPERTIES

The shortcut menu for every printer provides access to two Properties sheets. The Printer Properties menu item opens the Properties sheet for the printer and the Properties menu item opens the Properties sheet for the print device.

3. Click the Sharing tab.

4. Select the Share This Printer check box. The printer name appears in the Share Name text box. You can accept the default name or supply one of your own.

5. Select one or both of the following optional check boxes:

▪ Render Print Jobs On Client Computers. Minimizes the resource utilization on the print server by forcing the print clients to perform the bulk of the print processing.

▪ List In The Directory. Creates a new printer object in the Active Directory Domain Services (AD DS) database, enabling domain users to locate the printer by searching the directory. This option appears only when the computer is a member of an AD DS domain.

6. Optionally, click Additional Drivers to open the Additional Drivers dialog box. This dialog box enables you to load printer drivers for other Windows platforms, such as x86. When you install the alternate drivers, the print server automatically supplies them to clients running those operating system versions.

7. Select any combination of the available check boxes and click OK. For each check box you select, Windows Server 2012 R2 displays a Printer Drivers dialog box.

8. In each Printer Drivers dialog box, type or browse to the location of the printer drivers for the selected operating system and click OK.

9. Click OK to close the Additional Drivers dialog box.

10. Click OK to close the Properties sheet for the printer. The printer icon in the Printers control panel now includes a symbol indicating that it has been shared.

11. Close the control panel.

At this point, the printer is available to clients on the network.

Managing printer drivers

Printer drivers are the components that enable your computers to manage the capabilities of your print devices. When you install a printer on a server running Windows Server 2012 R2, you also install a driver that other Windows computers can use.

The printer drivers you install on Windows Server 2012 R2 are the same drivers that Windows workstations and other server versions use, with one stipulation. As a 64-bit platform, Windows Server 2012 R2 uses 64-bit device drivers, which are suitable for other computers running 64-bit versions of Windows. If you have 32-bit Windows systems on your network, however, you must install a 32-bit driver on the server for those systems to use.

The Additional Drivers dialog box, accessible from the Sharing tab of a printer’s Properties sheet, enables you to install drivers for other processor platforms. However, you must install those drivers from a computer running on the alternative platform. In other words, to install a 32-bit driver for a printer on a server running Windows Server 2012 R2, you must access the printer’s Properties sheet from a computer running a 32-bit version of Windows. You can do this by accessing the printer directly through the network by using File Explorer or by running the Print Management snap-in on the 32-bit system and using it to manage your Windows Server 2012 R2 print server.

INSTALLING DRIVERS

For the server to provide drivers supporting different platforms to client computers, you must make sure when installing the drivers for the same print device that they have identical names. For example, Windows Server 2012 R2 will treat “HP LaserJet 5200 PCL6” and “HP LaserJet 5200 PCL 6” as two different drivers. The names must be identical in order for the server to apply the drivers properly.
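The sharing procedure above and the driver-naming note both have PowerShell equivalents in the PrintManagement module that ships with Windows Server 2012 R2. The script below is an added example, not code from the book: it creates the port, driver and shared printer, then checks that the 64-bit and 32-bit driver entries carry the identical name; the device address, driver name, share name and server name are constructed placeholders, and it assumes the driver package is already in the server’s driver store.

```powershell
# Added example, not from the book: install, share and publish a network-attached print
# device with the PrintManagement cmdlets, then verify that the 64-bit and 32-bit
# drivers carry the identical name the server needs. Address, driver name, share name
# and server name are constructed placeholders; the 64-bit driver package is assumed
# to be in the driver store already (staged with pnputil /add-driver <inf>).
Import-Module PrintManagement

$printerName = 'Sales LaserJet'
$hostAddress = '192.0.2.50'              # placeholder device address
$portName    = "IP_$hostAddress"
$driverName  = 'HP LaserJet 5200 PCL6'   # one spelling, reused for every platform

# Port: a standard TCP/IP port pointing at the device (idempotent).
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $hostAddress
}

# Driver: the 64-bit driver for the platform this server runs on.
if (-not (Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driverName
}

# Printer: created and shared in one step. -Published is the "List In The Directory"
# check box; -RenderingMode CSR is "Render Print Jobs On Client Computers".
Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
            -Shared -ShareName 'SalesLJ' -Published -RenderingMode CSR

# Additional driver for 32-bit clients. As the book notes, this has to be done from a
# 32-bit Windows computer, so the commented line is meant to run there against the
# server. Assumption: -ComputerName targets the remote server's driver store.
# Add-PrinterDriver -ComputerName 'PRINT01' -Name $driverName -PrinterEnvironment 'Windows NT x86'

# Verification: the server only hands the alternate driver to x86 clients when both
# entries share exactly the same name, so collect the environments under that name.
function Test-DriverNameMatch([string] $Name) {
    $envs = Get-PrinterDriver |
            Where-Object { $_.Name -eq $Name } |
            Select-Object -ExpandProperty PrinterEnvironment -Unique
    return ($envs -contains 'Windows x64') -and ($envs -contains 'Windows NT x86')
}

if (Test-DriverNameMatch $driverName) {
    "Driver '$driverName' is available for both x64 and x86 clients"
} else {
    Write-Warning "Driver '$driverName' is missing for one platform, or the names differ"
    # Near misses such as "PCL 6" versus "PCL6" show up here as separate entries.
    Get-PrinterDriver | Where-Object Name -like 'HP LaserJet 5200*' |
        Select-Object Name, PrinterEnvironment, MajorVersion
}
```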

Using remote access Easy Print

When a Remote Desktop Services client connects to a server, it runs applications using the server’s processor(s) and memory. However, if that client wants to print a document from one of those applications, it wants the print job to go to the print device connected to the client computer.

The component that enables Remote Desktop clients to print to their local print devices is called Easy Print. Easy Print takes the form of a printer driver that is installed on the server along with the Remote Desktop Session Host role service.

The Remote Desktop Easy Print driver appears automatically in the Print Management snap-in, but it is not associated with a particular print device. Instead, the driver functions as a redirector, enabling the server to access the printers on the connected clients.

On Windows Server 2012 R2, Easy Print requires no configuration other than the allowance of Remote Desktop connections or the installation of the Remote Desktop Services role. However, once it is operational, it provides the server administrator with additional access to the printers on the Remote Desktop clients.

When a Remote Desktop client connects to a server by using the Remote Desktop Connection program or the RD Web Access site, the printers installed on the client system are redirected to the server and appear in the Print Management snap-in as redirected server printers, as shown in Figure 2-17.

Figure 2-17. Printers redirected by Easy Print on a Remote Desktop server

A client running an application on the server can therefore print to a local print device using the redirected printer. Administrators can also open the Properties sheet for the redirected printer in the usual manner and then manipulate its settings.

Configuring printer security

As with folder shares, clients must have the proper permissions to access a shared printer. Printer permissions are much simpler than NTFS permissions; they dictate whether users are allowed to use the printer, manage documents submitted to the printer, or manage the properties of the printer itself. To assign permissions for a printer, use the following procedure.

1. Open Control Panel and select Hardware, Devices and Printers. The Devices and Printers window appears.

2. Right-click one of the printer icons in the window and, from the shortcut menu, select Printer Properties. The printer’s Properties sheet appears.

3. Click the Security tab. The top half of the display lists all the security principals currently possessing permissions to the selected printer. The bottom half lists the permissions held by the selected security principal.

4. Click Add. The Select Users, Computers, Or Groups dialog box appears.

5. In the Enter The Object Names To Select text box, type a user or group name and click OK. The user or group appears in the Group Or User Names list.

6. Select the security principal you added and select or clear the check boxes in the bottom half of the display to Allow or Deny the user any of the basic permissions.

7. Click OK to close the Properties sheet.

8. Close Control Panel.

Like NTFS permissions, there are two types of printer permissions: basic and advanced. Each of the three basic permissions consists of a combination of advanced permissions.

Managing documents

By default, all printers assign the Allow Print permission to the Everyone special identity, which enables all users to access the printer and manage their own documents. Users who possess the Allow Manage Documents permission can manage any users’ documents.

Managing documents refers to pausing, resuming, restarting, and canceling documents that are currently waiting in a print queue. Windows Server 2012 R2 provides a print queue window for every printer, which enables users to view the jobs that are currently waiting to be printed. To manage documents, use the following procedure.

1. Open Control Panel and select Hardware, Devices and Printers. The Devices and Printers window appears.

2. Right-click one of the printer icons and, from the shortcut menu, select See What’s Printing. A print queue window named for the printer appears, as shown in Figure 2-18.

Figure 2-18. A Windows Server 2012 R2 print queue window

3. Select one of the menu items to perform the associated function.

4. Close the print queue window.

5. Close Control Panel.

Managing printers

Users with the Allow Manage This Printer permission can go beyond manipulating queued documents; they can reconfigure the printer itself. Managing a printer refers to altering the operational parameters that affect all users and controlling access to the printer.

Generally, most of the software-based tasks that fall under the category of managing a printer are those you perform once while setting up the printer for the first time. Day-to-day printer management is more likely to involve physical maintenance, such as clearing print jams, reloading paper, and changing toner or ink cartridges. However, the following sections examine some of the printer manager’s typical configuration tasks.

Setting printer priorities

In some cases, administrators with the Manage This Printer permission might want to give certain users in the organization priority access to a print device so that when print traffic is heavy, their jobs are processed before those of other users. To do this, you must create multiple printers, associate them with the same print device, and then modify their priorities, as described in the following procedure.

1. Open Control Panel and select Hardware, Devices and Printers. The Devices and Printers window opens.

2. Right-click one of the printer icons and, from the shortcut menu, select Printer Properties. The Properties sheet for the printer appears.

3. Click the Advanced tab, as shown in Figure 2-19.

Figure 2-19. The Advanced tab of a printer’s Properties sheet

4. Set the Priority spin box to a number representing the highest priority you want to set for the printer. Higher numbers represent higher priorities. The highest possible priority is 99.

PRINTER PRIORITIES

The values of the Priority spin box do not have any absolute significance; they are pertinent only in relation to one another. As long as one printer has a higher priority value than another, the server will process its print jobs first. In other words, it doesn’t matter if the higher priority value is 9 or 99, as long as the lower priority value is less.

5. Click the Security tab.

6. Add the users or groups that you want to provide with high-priority access to the printer and assign the Allow Print permission to them.

7. Revoke the Allow Print permission from the Everyone special identity.

8. Click OK to close the Properties sheet.

9. Create an identical printer using the same printer driver and pointing to the same print device. Leave the Priority setting at its default value of 1 and leave the default permissions in place.

10. Rename the printers, specifying the priority assigned to each one.

11. Close Control Panel.

Inform the privileged users that they should send their jobs to the high-priority printer. All jobs sent to that printer will be processed before those sent to the other, lower-priority printer.

Creating a printer pool

As mentioned earlier, a printer pool increases the production capability of a single printer by connecting it to multiple print devices. When you create a printer pool, the print server sends each incoming job to the first print device it finds that is not busy. This effectively distributes the jobs among the available print devices, providing users with more rapid service.

To configure a printer pool, use the following procedure.

1. Open Control Panel and select Hardware, Devices and Printers. The Devices and Printers window opens.

2. Right-click one of the printer icons and, from the shortcut menu, select Printer Properties. The Properties sheet for the printer appears.

3. Click the Ports tab.

4. Select the Enable Printer Pooling check box and click OK.

5. Select all the ports to which the print devices are connected.

6. Close Control Panel.

To create a printer pool, you must have at least two identical print devices, or at least two print devices that use the same printer driver. The print devices must be in the same location because there is no way to tell which print device will process a given document. You must also connect all the print devices in the pool to the same print server. If the print server is a Windows Server 2012 R2 computer, you can connect the print devices to any viable ports.
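The printer security, priority and pool procedures above can all be scripted with the PrintManagement cmdlets. The following script is an added example, not code from the book: it creates the priority 99 and priority 1 printers on one port, swaps the default Everyone Print entry on the high-priority printer for a group, and pools a third printer across two ports; the driver, port, group and share names are constructed placeholders, and it assumes the printer still carries the default security descriptor and that a comma-separated port list is accepted for pooling.

```powershell
# Added example, not from the book: the printer security, priority and pool procedures
# in code. Driver, port, group and share names are constructed placeholders; the
# printer port for the device is assumed to exist already.
Import-Module PrintManagement

$driver = 'HP LaserJet 5200 PCL6'
$port   = 'IP_192.0.2.50'                # port already created for the device
$group  = 'CONTOSO\Executives'           # users who get priority access

$highName = 'Sales LaserJet (Priority 99)'
$lowName  = 'Sales LaserJet (Priority 1)'

# Steps 4, 9 and 10: same driver, same port, different priorities and names. Only the
# relative value matters; 99 is the maximum.
Add-Printer -Name $highName -DriverName $driver -PortName $port -Shared -ShareName 'SalesLJ-Exec' -Priority 99
Add-Printer -Name $lowName  -DriverName $driver -PortName $port -Shared -ShareName 'SalesLJ'      -Priority 1

# Steps 6 and 7: grant Print to the group and revoke it from Everyone. Printer
# permissions are exposed as an SDDL string; the default grants Everyone (WD) the
# Print right as (A;;SWRC;;;WD). Assumption: that default ACE is still present.
function Set-PrinterPrintGroup([string] $PrinterName, [string] $GroupName) {
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sddl    = (Get-Printer -Name $PrinterName).PermissionSDDL
    if ($sddl -notmatch '\(A;;SWRC;;;WD\)') {
        throw "No default Everyone Print ACE on '$PrinterName'; review its Security tab instead"
    }
    $sddl = $sddl -replace '\(A;;SWRC;;;WD\)', "(A;;SWRC;;;$sid)"
    Set-Printer -Name $PrinterName -PermissionSDDL $sddl
    return $sddl
}
Set-PrinterPrintGroup -PrinterName $highName -GroupName $group | Out-Null

# Printer pool: one printer whose port list names every identical device. Assumption:
# Add-Printer accepts a comma-separated port list, which is how pooling is expressed.
Add-PrinterPort -Name 'IP_192.0.2.51' -PrinterHostAddress '192.0.2.51'
Add-PrinterPort -Name 'IP_192.0.2.52' -PrinterHostAddress '192.0.2.52'
Add-Printer -Name 'Pooled LaserJet' -DriverName $driver -PortName 'IP_192.0.2.51,IP_192.0.2.52' `
            -Shared -ShareName 'PoolLJ'

# Review the result: two printers on one port with different priorities, one printer
# on two ports, and the executive printer's ACL no longer mentioning WD (Everyone).
Get-Printer | Where-Object DriverName -eq $driver |
    Select-Object Name, PortName, Priority, Shared, PermissionSDDL
```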

Using the Print and DocumentServices role

All the printer sharing and management cap-abilities discussed in the previous sections areavailable on any Windows Server 2012 R2computer in its default installation configura-tion. However, installing the Print And Docu-ment Services role on the computer providesadditional tools that are particularly useful toadministrators involved with network printingon an enterprise scale.

When you install the Print And Document Ser-vices role by using Server Manager’s AddRoles And Features Wizard, a Select Role Ser-vices page appears, enabling you to select fromthe following options:

351/1537

▪ Print Server. Installs the Print Manage-ment console for Microsoft ManagementConsole (MMC), which enables adminis-trators to deploy, monitor, and manageprinters throughout the enterprise

▪ Distributed Scan Server. Enables thecomputer to receive documents fromnetwork-based scanners and forward themto the appropriate users

▪ Internet Printing. Creates a website thatenables users on the Internet to send printjobs to shared Windows printers

▪ LPD Service. Enables UNIX clients run-ning the line printer remote (LPR) pro-gram to send their print jobs to Windowsprinters

As always, Windows Server 2012 R2 adds anew icon to the Server Manager navigation

352/1537

pane when you install a role. The Print Ser-vices home page contains a filtered view ofprint-related event log entries, a status displayfor the role-related system services and roleservices, and performance counters.

The Print Management console, an adminis-trative tool, consolidates the controls for theprinting components throughout the enter-prise into a single console. By using this tool,you can access the print queues and Propertiessheets for all the network printers in the enter-prise, deploy printers to client computers byusing Group Policy, and create custom viewsthat simplify the process of detecting printdevices that need attention due to errors ordepleted consumables.

Windows Server 2012 R2 installs the Print Management console when you add the Print And Document Services role to the computer. You can also install the console without the role by adding the Print And Document Services Tools feature, found under Remote Server Administration Tools, Role Administration Tools in the Add Roles And Features Wizard.

The following sections demonstrate some of the administration tasks you can perform by using the Print Management console.

Adding print servers

By default, the Print Management console displays only the local machine in its list of print servers. Each print server has four nodes beneath it, as shown in Figure 2-20, listing the drivers, forms, ports, and printers associated with that server.

Figure 2-20. A print server displayed in the Print Management console

To manage other print servers and their printers, you must add them to the console by using the following procedure.

1. In Server Manager, click Tools and then click Print Management to open the Print Management console.

2. Right-click the Print Servers node and, from the shortcut menu, click Add/Remove Servers to open the Add/Remove Servers dialog box.

3. In the Specify Print Server box, click Browse. The Select Print Server dialog box opens.

4. Select the print server you want to add to the console and click Select Server. The server you selected appears in the Add Server text box in the Add/Remove Servers dialog box.

5. Click Add To List. The server you selected appears in the Print Servers list.

6. Click OK. The server appears under the Print Servers node.

7. Close the Print Management console.

You can now manage the printers associated with the server you have added to the console.

Viewing printers

One of the major difficulties for printing administrators on large enterprise networks is keeping track of dozens or hundreds of print devices, all in frequent use and all needing attention on a regular basis. Whether the maintenance required is a major repair, an ink or toner replenishment, or a paper tray refill, print devices will not get the attention they need until an administrator is aware of the problem.

The Print Management console provides multiple ways to view the printing components associated with the print servers on the network. To create views, the console takes the complete list of printers and applies various filters to it, selecting which printers to display.

Under the Custom Filters node, there are four default filters, as follows:

▪ All Printers. Contains a list of all the printers hosted by all the print servers that have been added to the console

▪ All Drivers. Contains a list of all the printer drivers installed on all the print servers that have been added to the console

▪ Printers Not Ready. Contains a list of all printers that are not reporting a Ready status

▪ Printers With Jobs. Contains a list of all the printers that currently have jobs waiting in the print queue

Views such as Printers Not Ready are a useful way for administrators to identify printers that need attention without having to browse individual print servers or search through a long list of every printer on the network. In addition to these defaults, you can create your own custom filters.
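The same two default filters can be reproduced from the command line, which is useful when the console is not available (a Server Core print server, for example) or when you want the result in a script. The following is an added example, not code from the book; it uses the Get-Printer and Get-PrintJob cmdlets of the PrintManagement module that ships with Windows Server 2012 and later, and the server and printer names in it are assumed.

```powershell
# Added example: PowerShell equivalent of the Printers Not Ready and
# Printers With Jobs filters across several print servers.
# Requires the PrintManagement module (Windows Server 2012 or later, or
# Windows 8 with RSAT). Server and printer names below are assumed.
$printServers = @('PRINT01', 'PRINT02')   # assumed print server names

function Get-PrinterNeedingAttention {
    param([string[]] $ComputerName)

    foreach ($server in $ComputerName) {
        # Get-Printer can query a remote spooler. An unreachable server is
        # reported as a warning and skipped rather than aborting the loop.
        $printers = Get-Printer -ComputerName $server -ErrorAction SilentlyContinue
        if (-not $printers) {
            Write-Warning "Could not enumerate printers on $server"
            continue
        }
        foreach ($p in $printers) {
            # PrinterStatus is 'Normal' for a ready printer; anything else
            # (Error, Offline, PaperOut, TonerLow, ...) is 'not ready'.
            $notReady = $p.PrinterStatus -ne 'Normal'
            $hasJobs  = $p.JobCount -gt 0
            if ($notReady -or $hasJobs) {
                [pscustomobject]@{
                    Server   = $server
                    Printer  = $p.Name
                    Status   = $p.PrinterStatus
                    JobCount = $p.JobCount
                    Shared   = $p.Shared
                }
            }
        }
    }
}

# One table covering both built-in filters.
Get-PrinterNeedingAttention -ComputerName $printServers |
    Sort-Object Server, Printer |
    Format-Table -AutoSize

# For a printer that has jobs waiting, list its queue the way the
# Extended View pane does, oldest job first. Names are assumed.
Get-PrintJob -ComputerName 'PRINT01' -PrinterName 'Legal-Laser-1' |
    Sort-Object SubmittedTime |
    Select-Object Id, UserName, DocumentName, JobStatus, PagesPrinted, TotalPages
```

The account running the script needs at least Print permission on each remote spooler to enumerate printers, and Manage Documents to see jobs submitted by other users; that is the same permission model the console applies.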

Managing printers and print servers

After you have used filtered views to isolate the printers you want to examine, selecting a printer displays its status, the number of jobs currently in its print queue, and the name of the print server hosting it. If you right-click the filter in the left pane and select Show Extended View from the shortcut menu, an additional pane appears containing the contents of the selected printer’s queue. You can manipulate the queued jobs just as you would from the Print Queue window in the Print Server console.

The Print Management console also enables administrators to access the configuration interface for any printer or print server appearing in any of its displays. Right-clicking a printer or print server anywhere in the console interface and then selecting Properties from the shortcut menu displays the same Properties sheet you would see on the print server computer itself. Administrators can then configure printers and print servers without having to travel to the site of the print server or establish a Remote Desktop connection to the print server.

Deploying printers with Group Policy

Configuring a print client to access a shared printer is a simple matter of browsing the network or the AD DS tree and selecting the printer. However, when you have to configure hundreds or thousands of print clients, the task becomes more complicated. AD DS helps simplify the process of deploying printers to large numbers of clients.

Publishing printers in the AD DS database enables users and administrators to search for printers by name, location, or model (if you populate the Location and Model fields in the printer object). To create a printer object in the AD DS database, you can either select the List In The Directory check box while sharing the printer or right-click a printer in the Print Management console and, from the shortcut menu, select List In Directory.

To use AD DS to deploy printers to clients, you must configure the appropriate policies in a Group Policy object (GPO). You can link a GPO to any domain, site, or organizational unit (OU) in the AD DS tree. When you configure a GPO to deploy a printer, all the users or computers in that domain, site, or OU will receive the printer connection by default when they log on.

To deploy printers with Group Policy, use the following procedure.

1. In the Print Management console, right-click a printer in the console’s scope pane and, from the shortcut menu, select Deploy With Group Policy. The Deploy With Group Policy dialog box appears, as shown in Figure 2-21.

Figure 2-21. The Deploy With Group Policy dialog box

2. Click Browse to open the Browse For A Group Policy Object dialog box.

3. Select the GPO you want to use to deploy the printer and click OK. The GPO you selected appears in the GPO Name field.

4. Select the appropriate check box to specify whether to deploy the printer to the users associated with the GPO, the computers, or both, and click Add. The new printer GPO associations appear in the table.

Deploying the printer to the users means that all the users associated with the GPO will receive the printer connection no matter what computer they use to log on. Deploying the printer to the computers means that all the computers associated with the GPO will receive the printer connection no matter who logs on to them.

5. Click OK. A Print Management message box appears, informing you that the operation has succeeded.

6. Click OK and then click OK again to close the Deploy With Group Policy dialog box.

7. Close the Print Management console.

The next time the users or computers associated with the GPO refresh their policies or restart, they will receive the new settings and the printer will appear in the Devices And Printers control panel. This applies to clients running Windows Vista or later and Windows Server 2008 or later.

THOUGHT EXPERIMENT: ENTERPRISE PRINTING

In the following thought experiment, apply what you’ve learned about the objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

You are a desktop support technician for a law firm with a group of 10 legal secretaries who provide administrative support to the attorneys. All the secretaries use a single, shared, high-speed laser printer that is connected to a dedicated Windows print server. The secretaries print multiple copies of large documents on a regular basis, and although the laser printer is fast, it runs almost constantly. Sometimes the secretaries have to wait 20 minutes or more after submitting a print job for their documents to reach the top of the queue. The office manager has offered to purchase additional printers for the department. However, the secretaries are accustomed to just clicking Print and don’t like the idea of having to examine multiple print queues to determine which has the fewest jobs before submitting a document.

With this in mind, answer the following question.

What can you do to provide the office with a printing solution that will enable the secretaries to utilize additional printers most efficiently?

Objective summary

▪ Printing in Windows typically involves the following four components: print device, printer, print server, and print driver.

▪ The simplest form of print architecture consists of one print device connected to one computer, known as a locally attached print device. You can share this printer (and the print device) with other users on the same network.

▪ With network-attached print devices, the administrator’s primary deployment decision is which computer will function as the print server.

▪ Remote Desktop Easy Print is a driver that enables Remote Desktop clients running applications on a server to redirect their print jobs back to their local print devices.

▪ Printer permissions are much simpler than NTFS permissions; they dictate whether users are allowed to use the printer, manage documents submitted to the printer, or manage the properties of the printer itself.

▪ The Print Management console is an administrative tool that consolidates the controls for the printing components throughout the enterprise into a single console.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following terms best describes the software interface through which a computer communicates with a print device?

a. Printer

b. Print server

c. Printer driver

d. Print Management console

2. You are setting up a printer pool on a computer running Windows Server 2012 R2. The printer pool contains three identical print devices. You open the Properties dialog box for the printer and select the Enable Printer Pooling option on the Ports tab. Which of the following steps must you perform next?

a. Configure the LPT1 port to support three printers.

b. Select or create the ports mapped to the three printers.

c. On the Device Settings tab, configure the installable options to support two additional print devices.

d. On the Advanced tab, configure the priority for each print device so that printing is distributed among the three print devices.

3. One of your print devices is not working properly, so you want to temporarily prevent users from sending jobs to the printer serving that device. Which of the following actions should you take?

a. Stop sharing the printer.

b. Remove the printer from Active Directory.

c. Change the printer port.

d. Rename the share.

4. You are administering a computer running Windows Server 2012 R2 configured as a print server. Users in the Marketing group report that they cannot print documents using a printer on the server. You view the permissions in the printer’s properties. The Marketing group is allowed Manage Documents permission. Which of the following statements best explains why the users cannot print to the printer?

a. The Everyone group must be granted the Manage Documents permission.

b. The Administrators group must be granted the Manage Printers permission.

c. The Marketing group must be granted the Print permission.

d. The Marketing group must be granted the Manage Printers permission.

5. You are administering a print server running Windows Server 2012 R2. You want to perform maintenance on a print device physically connected to the print server. There are several documents in the print queue. You want to prevent the documents from being printed to the printer, but you don’t want users to have to resubmit the documents to the printer. Which of the following statements best describes the best way to do this?

a. Open the printer’s Properties dialog box, select the Sharing tab, and select the Do Not Share This Printer option.

b. Open the printer’s Properties dialog box and select a port that is not associated with a print device.

c. Open the printer’s queue window, select the first document, and select Pause from the Document window.

d. Open the printer’s queue window and select the Pause Printing option from the Printer menu.

Objective 2.3: Configure servers for remote management

Windows Server 2012 R2 is designed to facilitate remote server management so administrators rarely, if ever, have to work directly at the server console. This conserves server resources that can better be devoted to applications and saves administrators’ time.

NOTE

This objective covers how to:

▪ Configure WinRM

▪ Configure down-level server management

▪ Configure servers for day-to-day management tasks

▪ Configure multiserver management

▪ Configure Server Core

▪ Configure Windows Firewall

▪ Manage non-domain joined servers

Using Server Manager for remote management

Server Manager has been the primary server administration tool for Windows Server since it was introduced in Windows Server 2008. The most obvious improvement to the Server Manager tool in Windows Server 2012 R2 is the ability to perform administrative tasks on remote servers as well as on the local system.

When you log on to a GUI installation of Windows Server 2012 R2 with an administrative account, Server Manager loads automatically, displaying the Welcome tile. The Server Manager interface consists of a navigation pane on the left containing icons representing various views of server resources. Selecting an icon displays a home page in the right pane, which consists of a number of tiles containing information about the resource. The Dashboard page, which appears by default, contains, in addition to the Welcome tile, thumbnails that summarize the other views available in Server Manager. These other views include a page for the Local Server, a page for All Servers, containing any additional servers you have added to the manager, and others for server groups and role groups.

ADDING SERVERS

For information on adding servers to the Server Manager interface, see “Adding Servers” in Objective 1.2, “Configuring Servers.”

Adding servers

The primary difference between the Windows Server 2012 R2 (and Windows Server 2012) Server Manager and previous versions is the ability to add and manage multiple servers at once. Although only the local server appears in Server Manager when you first run it, you can add other servers, enabling you to manage them together. The servers you add can be physical or virtual and can be running any version of Windows Server since Windows Server 2003. After you add servers to the interface, you can create groups containing collections of servers, such as those at a particular location or those performing a particular function. These groups appear in the navigation pane, enabling you to locate and work with the members of a group together.

To add servers in Server Manager, use the following procedure.

1. In the navigation pane, click the All Servers icon to open the All Servers home page.

2. From the Manage menu, select Add Servers to open the Add Servers dialog box.

3. Select one of the following tabs to specify how you want to locate servers to add:

▪ Active Directory. Enables you to search for computers running specific operating systems in specific locations in the local AD DS domain

▪ DNS. Enables you to search for servers in your currently configured Domain Name System (DNS) server

▪ Import. Enables you to supply a text file containing the names or IP addresses of the servers you want to add

4. Initiate a search or upload a text file to display a list of available servers.

5. Select the servers you want to add and click the right arrow button to add them to the Selected list, as shown in Figure 2-22.

Figure 2-22. Selecting servers in Server Manager

6. Click OK. The servers you selected are added to the All Servers home page.

7. Close the Server Manager console.

Once you have added remote servers to the Server Manager interface, they appear on the All Servers home page. You can then access them in a variety of ways, depending on the version of Windows the remote server is running.

Managing non-domain joined servers

When you add servers that are members of an Active Directory Domain Services (AD DS) domain to the Server Manager interface, Windows Server 2012 R2 uses the standard Kerberos authentication protocol and your current domain credentials when connecting to the remote systems. You can also add servers that are not joined to an AD DS domain, but obviously, the system cannot authenticate using an AD DS account.

EXAM TIP

Candidates for the 70-410 exam should be familiar with remote management techniques for both non-domain servers and domain servers. This means using alternative authentication methods and network communication that does not rely on AD DS for server discovery.

To manage a non-domain joined server using Server Manager, you must first complete the following tasks:

▪ Supply administrative credentials for the non-domain joined server

▪ Add the non-domain joined server to the system’s WS-Management TrustedHosts list

To add non-domain joined servers to Server Manager, you must use the DNS option or the Import option in the Add Servers dialog box. After creating the server entries, you must right-click each one and select Manage As from the context menu. This displays a Windows Security dialog box, in which you can supply credentials for an account with administrative privileges on the remote server.

Domain membership automatically establishes a trust relationship among the computers in the domain. To manage computers that are not in a common domain, you must establish that trust yourself by adding the computers you want to manage to the TrustedHosts list on the computer running Server Manager.

The TrustedHosts list exists on a logical drive called WSMan:; the path to the list itself is WSMan:\localhost\Client\TrustedHosts. To add a computer to the list, use the Set-Item cmdlet in Windows PowerShell. After opening a Windows PowerShell session with administrative privileges on the computer running Server Manager, use the following command to add the servers you want to manage to the list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <servername> -Force

Note that -Value replaces the whole list; add the -Concatenate parameter to append a name to the existing entries instead. Bear in mind what an entry means: because there is no Kerberos exchange with a workgroup server, the WinRM client cannot verify the identity of a host in this list and will send your credentials to whatever answers at that name. List only the exact names you manage and avoid the wildcard *, which trusts every host.
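The following added example (not from the book) shows the TrustedHosts change done safely: it appends rather than overwrites, checks for a wildcard, and then tests the remote WinRM listener with the same credentials Server Manager will use. The server name WEB01 and the account are assumed; run it in an elevated Windows PowerShell session on the computer that runs Server Manager.

```powershell
# Added example: append a workgroup server to TrustedHosts without
# discarding earlier entries, then prove the WinRM endpoint answers.
# 'WEB01' is an assumed name for the non-domain joined server.
$newHost = 'WEB01'
$path    = 'WSMan:\localhost\Client\TrustedHosts'

# Set-Item -Value replaces the list; -Concatenate appends to it.
$current = (Get-Item $path).Value
if (($current -split ',') -contains $newHost) {
    "$newHost is already in TrustedHosts"
} else {
    Set-Item $path -Value $newHost -Concatenate -Force
}

# The list is stored as one comma-separated string.
"TrustedHosts is now: $((Get-Item $path).Value)"

# Refuse a wildcard. With '*' the client sends your credentials to any
# host, and there is no Kerberos check to stop an impostor.
if ((Get-Item $path).Value -eq '*') {
    Write-Warning 'TrustedHosts is "*": every host on the network is trusted'
}

# Confirm the remote listener works with the credentials Manage As will
# use. Test-WSMan requires -Authentication when -Credential is supplied;
# Negotiate falls back to NTLM against a workgroup server.
$cred = Get-Credential -Message "Local administrator on $newHost"
Test-WSMan -ComputerName $newHost -Credential $cred -Authentication Negotiate
```

If Test-WSMan fails after the TrustedHosts change, the usual causes are the Windows Remote Management (HTTP-In) firewall rule still being disabled on the remote server, or the server lacking a WinRM listener (winrm quickconfig creates one). Where the management traffic crosses an untrusted network, configure an HTTPS listener on the server and add -UseSSL to Test-WSMan so the certificate, rather than the TrustedHosts entry, vouches for the server’s identity.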

Managing Windows Server 2012 R2 servers

When you add servers running Windows Server 2012 R2 to Server Manager, you can immediately begin using the Add Roles And Features Wizard to install roles and features on any of the servers you have added.

You can also perform other administrative tasks, such as configuring network interface card (NIC) teaming and restarting the server, because Windows Remote Management (WinRM) is enabled by default on Windows Server 2012 R2.

Configuring WinRM

WinRM enables administrators to manage a computer from a remote location by using tools based on Windows Management Instrumentation (WMI) and Windows PowerShell. If the default WinRM setting has been modified, or if you want to change it manually, you can do so through the Server Manager interface.

On the Local Server home page, the Properties tile contains a Remote Management indicator that specifies the server’s current WinRM status. To change the WinRM state, click the Remote Management hyperlink to open the Configure Remote Management dialog box. Clearing the Enable Remote Management Of This Server From Other Computers check box disables WinRM; selecting the check box enables it.

USING WINDOWS POWERSHELL

To manage WinRM from a Windows PowerShell session, as in the case of a computer with a Server Core installation, use the following command:

Configure-SMRemoting.exe -Get | -Enable | -Disable

▪ -Get Displays the current WinRM status

▪ -Enable Enables WinRM

▪ -Disable Disables WinRM

Configuring Windows Firewall

If you attempt to launch MMC snap-ins targeting a remote server, such as the Computer Management console, you will receive an error because of the default Windows Firewall settings in Windows Server 2012 R2. MMC uses the Distributed Component Object Model (DCOM) for remote management instead of WinRM, and the inbound rules that allow DCOM traffic are not enabled by default.

To address this problem, you must enable the following inbound Windows Firewall rules on the remote server you want to manage:

▪ COM+ Network Access (DCOM-In)

▪ Remote Event Log Management (NP-In)

▪ Remote Event Log Management (RPC)

▪ Remote Event Log Management (RPC-EPMAP)

To modify the firewall rules on the remote system, you can use any one of the following methods:

▪ Open the Windows Firewall With Advanced Security MMC snap-in on the remote server (if it is a Full GUI installation).

▪ Use the NetSecurity module in Windows PowerShell.

▪ Create a GPO containing the appropriate settings and apply it to the remote server.

▪ Run the Netsh AdvFirewall command from an administrative command prompt.

USING WINDOWS POWERSHELL

To configure the Windows Firewall rules required for remote server management using DCOM on a Server Core installation, you can use the following Windows PowerShell syntax:

Set-NetFirewallRule -Name <rule name> -Enabled True

To obtain the Windows PowerShell names for the preconfigured rules in Windows Firewall, use the Get-NetFirewallRule command. The resulting commands to enable the four rules listed earlier are as follows:

Set-NetFirewallRule -Name ComPlusNetworkAccess-DCOM-In -Enabled True
Set-NetFirewallRule -Name RemoteEventLogSvc-In-TCP -Enabled True
Set-NetFirewallRule -Name RemoteEventLogSvc-NP-In-TCP -Enabled True
Set-NetFirewallRule -Name RemoteEventLogSvc-RPCSS-In-TCP -Enabled True
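Enabling these rules as shipped opens the RPC endpoint mapper and the event log service to every address the profile allows. The following added example (not from the book) selects the same four rules by their display groups rather than by internal name, enables them, and then narrows them to a management subnet so that only administrator workstations can reach DCOM on the server. The subnet is an assumed value; run it in an elevated session on the server being managed, where it works equally on Server Core.

```powershell
# Added example: enable the DCOM and Remote Event Log rules and limit
# them to the management network. The subnet is assumed.
# Requires the NetSecurity module (Windows Server 2012 or later).
$mgmtSubnet = '10.0.10.0/24'    # assumed: where the admin workstations live

# Selecting by display group picks up all three Remote Event Log rules
# plus the COM+ DCOM rule without having to know their internal names.
$groups = @('COM+ Network Access', 'Remote Event Log Management')

$rules = Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound
$rules | Enable-NetFirewallRule

# Restrict the remote address scope of each rule to the management subnet.
# Without this the rules accept connections from any address the profile
# permits, which for a server in the Domain profile is the whole domain.
$rules | Set-NetFirewallRule -RemoteAddress $mgmtSubnet

# Report the result: name, state, profile and the remote scope now applied.
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name    = $_.Name
            Enabled = $_.Enabled
            Profile = $_.Profile
            Remote  = ($addr -join ',')
        }
    } | Format-Table -AutoSize
```

The internal rule names shown in the book (ComPlusNetworkAccess-DCOM-In and the three RemoteEventLogSvc-* rules) appear in the Name column of the report, so you can confirm that the group-based selection matched the same four rules before relying on it in a script.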

For the administrator interested in remote management solutions, the Group Policy method provides distinct advantages. It not only enables you to configure the firewall on the remote system without accessing the server console directly but also enables you to configure the firewall on Server Core installations without having to work from the command line. Finally, and possibly most important for large networks, you can use Group Policy to configure the firewall on all the servers you want to manage at once.

To configure Windows Firewall settings by using Group Policy, use the following procedure. This procedure assumes the server is a member of an AD DS domain and has the Group Policy Management feature installed:

1. In Server Manager, open the Group Policy Management console and create a new GPO, giving it a name like Server Firewall Configuration.

2. Open the GPO you created using the Group Policy Management Editor.

MORE INFO GPOS

For more detailed information on creating GPOs and linking them to other objects, see Objective 6.1, “Create Group Policy Objects (GPOs).”

3. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Inbound Rules node.

4. Right-click Inbound Rules and, from the shortcut menu, select New Rule. The New Inbound Rule Wizard appears, displaying the Rule Type page.

5. Select the Predefined option and, in the drop-down list, select COM+ Network Access and click Next. The Predefined Rules page opens.

6. Click Next to open the Action page.

7. Leave the Allow The Connection option selected and click Finish. The rule appears in the Group Policy Management Editor console.

8. Open the New Inbound Rule Wizard again.

9. Select the Predefined option and, in the drop-down list, select Remote Event Log Management. Click Next. The Predefined Rules page opens, displaying the three rules in the Remote Event Log Management group.

10. Leave the three rules selected and click Next to open the Action page.

11. Leave the Allow The Connection option selected and click Finish. The three rules appear in the Group Policy Management Editor console.

12. Close the Group Policy Management Editor console.

13. In the Group Policy Management console, link the Server Firewall Configuration GPO you just created to your domain.

14. Close the Group Policy Management console.

The settings in the GPO you created will be deployed to your remote servers the next time they refresh Group Policy or restart, and you will be able to use MMC snap-ins, such as Computer Management and Disk Management, to connect to them remotely. Because a GPO linked at the domain reaches every computer in the domain, consider linking it to the OU that holds the servers you manage, or restricting it with security filtering, so that workstations do not open DCOM and event log ports they have no need for.
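The same GPO can be built from Windows PowerShell, which is convenient when the four rules must be reproduced in several GPOs or domains. The following added example (not from the book) copies the predefined rules from the local policy store into a GPO session, enables them there, saves the GPO once, and links it to a servers OU. It relies on the GroupPolicy and NetSecurity modules (Windows Server 2012 R2 or Windows 8.1 with RSAT); the domain, GPO name, and OU path are assumed.

```powershell
# Added example: put the COM+ Network Access and Remote Event Log
# Management rules into a GPO from PowerShell. Domain, GPO and OU names
# are assumed. Requires rights to create and link GPOs in the domain.
$domain  = 'contoso.com'                            # assumed
$gpoName = 'Server Firewall Configuration'          # assumed, as in the procedure
$ouPath  = 'OU=Servers,DC=contoso,DC=com'           # assumed OU holding the servers

# Create the GPO only if it does not already exist.
if (-not (Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $domain | Out-Null
}

# Open the GPO's firewall policy store once; every change below is made
# in this session and written back by a single Save-NetGPO.
$session = Open-NetGPO -PolicyStore "$domain\$gpoName"

# Copy the predefined rules from the local store into the GPO session.
$groups = @('COM+ Network Access', 'Remote Event Log Management')
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
    Copy-NetFirewallRule -NewGPOSession $session

# Copies inherit the local Enabled value, which is False by default,
# so switch the GPO copies on explicitly and confirm the Allow action.
Get-NetFirewallRule -GPOSession $session -DisplayGroup $groups |
    Set-NetFirewallRule -Enabled True -Action Allow

Save-NetGPO -GPOSession $session

# Link to the servers OU rather than the domain so member workstations
# do not receive inbound DCOM rules they do not need.
if (-not (Get-GPInheritance -Target $ouPath -Domain $domain).GpoLinks |
        Where-Object DisplayName -eq $gpoName) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ouPath | Out-Null
}

# Show what the GPO now carries.
Get-NetFirewallRule -PolicyStore "$domain\$gpoName" |
    Select-Object Name, DisplayGroup, Enabled, Direction, Action
```

The rules land in the same Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Inbound Rules node the wizard procedure uses, so the GPO can be inspected or adjusted afterwards in the Group Policy Management Editor. After the link is in place, gpupdate /target:computer on a member server applies it without waiting for the next refresh interval.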

Managing down-level servers

The Windows Firewall rules you have to enable for remote servers running Windows Server 2012 R2 are also disabled by default on computers running earlier versions of Windows Server, so you also have to enable them there.

Unlike Windows Server 2012 R2 and Windows Server 2012, however, earlier versions of the operating system lack the WinRM support needed for them to be managed by using the new Server Manager.

By default, when you add servers running Windows Server 2008 or Windows Server 2008 R2 to the Windows Server 2012 R2 Server Manager, they appear with a manageability status that reads “Online - Verify WinRM 3.0 service is installed, running, and required firewall ports are open.”

To add WinRM support to servers running Windows Server 2008 or Windows Server 2008 R2, you must download and install the following updates:

▪ .NET Framework 4.0

▪ Windows Management Framework 3.0

These updates are available from the Microsoft Download Center at the following URLs:

▪ http://www.microsoft.com/en-us/download/details.aspx?id=17718

▪ http://www.microsoft.com/en-us/download/details.aspx?id=34595

After you install the updates, the system automatically starts the Windows Remote Management service, but you must still complete the following tasks on the remote server:

▪ Enable the Windows Remote Management (HTTP-In) rules in Windows Firewall, as shown in Figure 2-23.

Figure 2-23. The Windows Remote Management rules in the Windows Firewall With Advanced Security console

▪ Create a WinRM listener by running the winrm quickconfig command at a command prompt with administrative privileges.

▪ Enable the COM+ Network Access and Remote Event Log Management rules in Windows Firewall, as described in the previous section.

After installing the updates listed here, there are still limitations to the management tasks you can perform on earlier versions of Windows Server from a remote location. For example, you cannot use the Add Roles And Features Wizard in Server Manager to install roles and features on earlier versions of Windows Server. These servers do not appear in the server pool on the Select Destination Server page.

However, you can use Windows PowerShell to install roles and features on servers running Windows Server 2008 and Windows Server 2008 R2 remotely, as in the following procedure.

1. Open a Windows PowerShell session with administrative privileges.

2. Establish a Windows PowerShell session with the remote computer by using the following command:

Enter-PSSession <remote server name> -Credential <user name>

3. Type the password associated with the user name you specified and press Enter.

4. Display a list of the roles and features on the remote server by using the following command:

Get-WindowsFeature

5. Using the short name of the role or service as it appears in the Get-WindowsFeature display, install the component by using the following command:

Add-WindowsFeature <feature name>

6. Close the session with the remote server by using the following command:

Exit-PSSession

7. Close the Windows PowerShell window.
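The interactive Enter-PSSession procedure above does not scale to many servers and leaves the outcome on the screen only. The following added example (not from the book) performs the same steps non-interactively with Invoke-Command, checks first that the down-level server actually has the WMF 3.0 stack the book requires, and returns the installation result as an object. The server name, feature name, and account are assumed; run it from an elevated Windows PowerShell session on the Windows Server 2012 R2 console.

```powershell
# Added example: install a role on a Windows Server 2008 R2 server from
# a Windows Server 2012 R2 console over WinRM. Names are assumed.
$server  = 'FS01'                         # assumed: the down-level server
$feature = 'File-Services'                # assumed: short name from Get-WindowsFeature
$cred    = Get-Credential 'CONTOSO\admin' # assumed: account with local admin rights on FS01

# Invoke-Command runs the script block in a single remote session, so the
# version check, the module import and the install share one state.
$result = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {
    param($name)

    # The book's prerequisite is WMF 3.0, which reports PowerShell 3.0.
    # A plain Windows Server 2008 R2 box still answers on WinRM 2.0, so
    # check rather than assume.
    if ($PSVersionTable.PSVersion.Major -lt 3) {
        throw "PowerShell $($PSVersionTable.PSVersion) on $env:COMPUTERNAME; install WMF 3.0 first"
    }

    # On Windows Server 2008 R2 the role cmdlets live in the ServerManager
    # module and the install cmdlet is Add-WindowsFeature.
    Import-Module ServerManager

    $f = Get-WindowsFeature -Name $name
    if (-not $f) { throw "Unknown feature name '$name' on $env:COMPUTERNAME" }
    if ($f.Installed) {
        return "$name is already installed on $env:COMPUTERNAME"
    }

    # Add-WindowsFeature reports whether a restart is needed; it does not
    # restart the server on its own.
    $r = Add-WindowsFeature -Name $name
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Success       = $r.Success
        RestartNeeded = $r.RestartNeeded
        Installed     = ($r.FeatureResult | Select-Object -ExpandProperty Name) -join ','
    }
} -ArgumentList $feature

$result
```

Because Invoke-Command accepts an array for -ComputerName, the same block installs the feature on a list of down-level servers in one call, and each returned object carries the PSComputerName of the server it came from. The credential is sent to the remote server, so the same TrustedHosts and HTTPS considerations described for non-domain joined servers apply if FS01 is not a domain member.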

WINDOWS POWERSHELL

When you install a role or feature on a remote server by using Windows PowerShell, the installation does not include the role’s management tools as a wizard-based installation does. However, you can install the tools along with the role or feature if you include the IncludeManagementTools parameter in the Install-WindowsFeature command line; this parameter exists on Windows Server 2012 and later, where Add-WindowsFeature is an alias for Install-WindowsFeature. Be aware, however, that in the case of a Server Core installation, adding the IncludeManagementTools parameter will not install any MMC snap-ins or other graphical tools.

Creating server groups

For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.

When you create a server group, it appears as an icon in the navigation pane, and you can manage the servers in the group just as you would those in the All Servers group.

To create a server group, use the following procedure:

1. In Server Manager, in the navigation pane, click the All Servers icon. The All Servers home page appears.

2. From the Manage menu, select Create Server Group to open the Create Server Group dialog box, as shown in Figure 2-24.

Figure 2-24. The Create Server Group dialog box in Server Manager

3. In the Server Group Name text box, type the name you want to assign to the server group.

4. Select one of the four tabs to choose a method for selecting servers.

5. Select the servers you want to add to the group and click the right arrow button to add them to the Selected box.

6. Click OK. A new server group icon with the name you specified appears in the navigation pane.

7. Close the Server Manager console.

Creating server groups does not affect the functions you can perform on them. You cannot, for example, perform actions on entire groups of servers. The groupings are just a means to keep a large number of servers organized and easy to locate.

Using Remote Server Administration Tools

You can manage remote servers from any computer running Windows Server 2012 R2; all the required tools are installed by default. However, administrators have found it most efficient to use their client computers to manage servers remotely (especially with the introduction of cloud-based services).

To manage Windows servers from a workstation, you must download and install the Remote Server Administration Tools package for the version of Windows running on your workstation from the Microsoft Download Center at http://www.microsoft.com/download.

Remote Server Administration Tools is packaged as a Microsoft Update file with an .msu extension, enabling you to deploy it easily from File Explorer, from the command prompt, or by using Software Distribution in a GPO. When you install Remote Server Administration Tools on a workstation running Windows 8 or Windows 8.1, all the tools are activated by default, unlike in previous versions that required you to turn them on by using the Windows Features control panel. You can still use the control panel to turn selected features off, however.

When you launch Server Manager on a Windows workstation, there is no local server and there are no remote servers to manage until you add some. You add servers by using the same process described in Objective 1.2.

Your access to the servers you add depends on the account you use to log on to the workstation. If an “Access denied” message appears, you can connect to the server using another account by right-clicking it and, from the shortcut menu, selecting Manage As to display a standard Windows Security dialog box, in which you can supply alternative credentials.

Working with remote servers

Once you have added remote servers to Server Manager, you can access them using a variety of remote administration tools.

Server Manager provides three basic methods for addressing remote servers, as follows:

▪ Contextual tasks. When you right-click a server in a Servers tile anywhere in Server Manager, you see a shortcut menu that provides access to tools and commands pointed at the selected server. Some of these are commands that Server Manager executes on the remote server, such as Restart Server and Windows PowerShell. Others launch tools on the local system and direct them at the remote server, such as MMC snap-ins and the Add Roles And Features Wizard. Still others modify Server Manager itself by removing servers from the interface. Other contextual tasks sometimes appear in the Tasks menus for specific panes.

▪ Noncontextual tasks. The menu bar atthe top of the Server Manager consoleprovides access to internal tasks, such aslaunching the Add Server Wizard and theInstall Roles And Features Wizard, and theServer Manager Properties dialog box, inwhich you can specify the console’s refreshinterval.

▪ Noncontextual tools. The console’sTools menu provides access to externalprograms, such as MMC snap-ins and theWindows PowerShell interface, that aredirected at the local system.

407/1537

THOUGHT EXPERIMENT: DEPLOYING WINDOWS FIREWALL RULES

In the following thought experiment, apply what you’ve learned about the objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Ralph is responsible for the 24 servers running a particular application and the servers are scattered across his company’s enterprise network. Ralph wants to use Server Manager on his Windows 8 workstation to manage those servers and monitor the events that occur on them. To do this, he must enable the incoming COM+ Network Access and Remote Event Log Management rules in Windows Firewall on the servers.

Because he can’t travel to the locations of all the servers and many of the sites do not have trustworthy IT personnel, Ralph has decided to use Group Policy to configure Windows Firewall on all the servers. The company’s Active Directory Domain Services tree is organized geographically, which means that Ralph’s servers are located in many different OUs under one domain.

With this in mind, answer the following question.

How can Ralph use Group Policy to deploy the required Windows Firewall rule settings to his 24 servers and only those servers?

Objective summary

▪ Windows Server 2012 R2 is designed to facilitate remote server management so administrators rarely if ever have to work directly at the server console. This conserves server resources that can better be devoted to applications.

▪ When you add servers running Windows Server 2012 R2 to Server Manager, you can immediately begin using the Add Roles and Features Wizard to install roles and features on any of the servers you have added.

▪ The Windows Firewall rules you have to enable for remote servers running Windows Server 2012 R2 are also disabled by default on computers running versions earlier than Windows Server 2012, so you also have to enable them there.

▪ For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.

▪ You can manage remote servers from any computer running Windows Server 2012 R2; all the required tools are installed by default. However, the new administrative method that Microsoft is promoting urges administrators to keep servers locked away and use a workstation to manage servers from a remote location.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following tasks must you perform before you can manage a remote server running Windows Server 2012 R2 using the Computer Management snap-in?

a. Enable WinRM on the remote server.

b. Enable the COM+ Network Access rule on the remote server.

c. Enable the Remote Event Log Management rules on the remote server.

d. Install Remote Server Administration Tools on the remote server.

2. Which of the following Windows PowerShell cmdlets can you use to list the existing Windows Firewall rules on a computer running Windows Server 2012 R2? (Choose all that apply.)

a. Get-NetFirewallRule

b. Set-NetFirewallRule

c. Show-NetFirewallRule

d. New-NetFirewallRule

3. Which of the following tasks can you not perform remotely on a server running Windows Server 2008?

a. Install roles by using Server Manager

b. Install roles by using Windows PowerShell

c. Connect to the remote server by using the Computer Management snap-in

d. Monitor event log entries

4. Which of the following updates must you install on a server running Windows Server 2008 before you can connect to it by using Windows Server 2012 R2 Server Manager? (Choose all that apply.)

a. .NET Framework 3.5

b. .NET Framework 4.0

c. Windows Management Framework 3.0

d. Windows Server 2008 R2

5. When you run Server Manager from a Windows 8 workstation using Remote Server Administration Tools, which of the following elements do not appear in the default display?

a. The Dashboard

b. The Local Server home page

c. The All Servers home page

d. The Welcome tile

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 2.1: Thought experiment

The most likely cause of the problem is that Leo does not have sufficient share permissions for read/write access to the Contoso files. Granting the CONTOSO_USERS group the Allow Full Control share permission should enable Leo to save his changes to the Contoso files.

Objective 2.1: Review

1. Correct answer: C

a. Incorrect: Windows Server 2012 R2 can maintain more than 8 volume shadow copies.

b. Incorrect: Windows Server 2012 R2 can maintain more than 16 volume shadow copies.

c. Correct: Windows Server 2012 R2 can maintain up to 64 volume shadow copies before it begins deleting the oldest data.

d. Incorrect: Windows Server 2012 R2 cannot maintain 128 volume shadow copies.

2. Correct answer: B

a. Incorrect: Authentication is the process of verifying the user’s identity.

b. Correct: Authorization is the process by which a user is granted access to specific resources based on the permissions he or she possesses.

c. Incorrect: Access-based enumeration is a Windows feature that prevents users from seeing resources to which they do not have permissions.

d. Incorrect: Assignment describes the process of granting permissions, not reading permissions.

3. Correct answer: A

a. Correct: Using File Server Resource Manager, you can notify administrators with email messages when users exceed their allotment of storage.

b. Incorrect: Using NTFS Quotas, you can create quotas for individual users that specify different storage limits.

c. Incorrect: You can use NTFS quotas to prevent users from consuming storage space on a volume beyond their allotted limit.

d. Incorrect: You can use NTFS quotas to generate warnings to users when they approach their allotted storage limit.

4. Correct answers: B, D

a. Incorrect: In Windows Server versions prior to Windows Server 2012 R2, special permissions are combined to form standard permissions.

b. Correct: Basic permissions are formed by creating various combinations of advanced permissions.

c. Incorrect: Share permissions are a system that is separate from the NTFS permission system.

d. Correct: In Windows Server versions prior to Windows Server 2012 R2, standard permissions are formed by creating various combinations of special permissions.

5. Correct answer: D

a. Incorrect: The owner is the only person who can access a file that has no permissions assigned to it.

b. Incorrect: The security principal is not the person responsible for creating an organization’s permission policies.

c. Incorrect: The security principal receives permissions; the security principal does not create them.

d. Correct: The security principal is the user or computer to which permissions are assigned.

Objective 2.2: Thought experiment

Install additional, identical printers, connecting them to the same Windows Server 2012 R2 print server, and create a printer pool by selecting the appropriate check box on the Ports tab of the printer’s Properties sheet.

Objective 2.2: Review

1. Correct answer: A

a. Correct: In Windows, a printer is the software interface through which a computer communicates with a print device.

b. Incorrect: A print server is a device that receives print jobs from clients and sends them to print devices that are either attached locally or connected to the network.

c. Incorrect: A printer driver is a device driver that converts the print jobs generated by applications into an appropriate string of commands for a specific print device.

d. Incorrect: The Print Management snap-in is a tool that administrators can use to manage printers all over the network.

2. Correct answer: B

a. Incorrect: Whether the printers are pooled or not, each one must be connected to a separate port.

b. Correct: To set up printer pooling, select the Enable Printer Pooling check box and select or create the ports corresponding to printers that will be part of the pool.

c. Incorrect: You do not use the installable options settings to create a printer pool.

d. Incorrect: Priorities have nothing to do with printer pooling.

3. Correct answer: A

a. Correct: If you stop sharing the printer, users will no longer be able to use the print device.

b. Incorrect: Removing the printer from Active Directory will prevent users from finding the printer by using a search, but they can still access it.

c. Incorrect: Changing the printer port will prevent the printer from sending jobs to the print device, but it will not prevent users from sending jobs to the printer.

d. Incorrect: Renaming the share can make it difficult for users to find the printer, but they can still use it when they do find it.

4. Correct answer: C

a. Incorrect: The Manage Documents permission does not allow users to send jobs to the printer.

b. Incorrect: The Manage Printers permission does not allow users to send jobs to the printer.

c. Correct: The Print permission allows users to send documents to the printer; the Manage Documents permission does not.

d. Incorrect: The Manage Documents permission does not allow users to send jobs to the printer.

5. Correct answer: D

a. Incorrect: A printer that is not shared will continue to process jobs that are already in the queue.

b. Incorrect: Changing the port will require the users to resubmit the jobs that were in the queue.

c. Incorrect: Pausing the first document in the queue will not prevent the other queued jobs from printing.

d. Correct: When you select the Pause Printing option, the documents will remain in the print queue until you resume printing. This option applies to all documents in the queue.

Objective 2.3: Thought experiment

After creating a GPO containing the required Windows Firewall settings, Ralph should create a security group containing all the 24 computer objects representing his servers. Then he should link the GPO to the company domain and use security filtering to limit the scope of the GPO to the group he created.
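The same steps carried out with Windows PowerShell, as an added example that is not part of the book. It assumes a domain named contoso.com, a security group and GPO name chosen here (AppServers and App Server Firewall), a constructed short list of server names standing in for Ralph’s 24, and a management system with the ActiveDirectory, GroupPolicy and NetSecurity modules available.

```powershell
# Added example (not from the book): enable the two inbound rule groups from the
# thought experiment through a GPO that is security-filtered to the servers' group.
# Assumed names: domain contoso.com, group "AppServers", GPO "App Server Firewall".
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain      = 'contoso.com'
$DomainDN    = 'DC=contoso,DC=com'
$GroupName   = 'AppServers'
$GpoName     = 'App Server Firewall'
$ServerNames = @('APPSRV01', 'APPSRV02', 'APPSRV03')   # constructed sample; Ralph has 24

# 1. A security group holding only the computer objects of the target servers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDN"
}
$Computers = foreach ($n in $ServerNames) { Get-ADComputer -Identity $n }
Add-ADGroupMember -Identity $GroupName -Members $Computers

# 2. A GPO linked at the domain, so it reaches servers in every geographic OU.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# Copy the predefined inbound rules from the local rule store into the GPO store
# ("domain\GPO name"), then enable every rule in that store (only the copied ones).
$GpoStore = "$Domain\$GpoName"
foreach ($group in 'COM+ Network Access', 'Remote Event Log Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Copy-NetFirewallRule -NewPolicyStore $GpoStore
}
Enable-NetFirewallRule -PolicyStore $GpoStore

# 3. Security filtering: Authenticated Users keep Read only, the group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply

# Verify what the GPO now carries and who can apply it.
Get-NetFirewallRule -PolicyStore $GpoStore | Select-Object DisplayName, Enabled, Direction
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

Run `gpupdate /force` on one of the servers and check `Get-NetFirewallRule -DisplayGroup "COM+ Network Access"` there to confirm the policy-applied rules show as enabled; a server outside the group should remain unchanged.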

Objective 2.3: Review

1. Correct answer: B

a. Incorrect: WinRM is enabled by default on Windows Server 2012 R2.

b. Correct: The COM+ Network Access rule must be enabled on the remote server for MMC snap-ins to connect.

c. Incorrect: The Remote Event Log Management rules are not necessary to connect to a remote server using an MMC snap-in.

d. Incorrect: The remote server does not have to be running Remote Server Administration Tools.

2. Correct answers: A, C

a. Correct: The Get-NetFirewallRule cmdlet displays a list of all the rules on a system running Windows Firewall.

b. Incorrect: The Set-NetFirewallRule cmdlet is for managing specific rules, not listing them.

c. Correct: The Show-NetFirewallRule cmdlet displays a list of all the rules on a system running Windows Firewall.

d. Incorrect: The New-NetFirewallRule cmdlet is for creating rules, not listing them.

3. Correct answer: A

a. Correct: You cannot install roles on a remote server running Windows Server 2008 by using Server Manager.

b. Incorrect: You can install roles on a remote server running Windows Server 2008 by using Windows PowerShell.

c. Incorrect: You can connect to a remote server running Windows Server 2008 by using the Computer Management console as long as you enable the COM+ Network Access rule.

d. Incorrect: You can monitor event log entries on a remote server running Windows Server 2008 as long as you enable the Remote Event Log Management rules.

4. Correct answers: B, C

a. Incorrect: .NET Framework 3.5 is not needed for Server Manager to connect to Windows Server 2008.

b. Correct: .NET Framework 4.0 is needed for Server Manager to connect to Windows Server 2008.

c. Correct: Windows Management Framework 3.0 is needed for Server Manager to connect to Windows Server 2008.

d. Incorrect: It is not necessary to upgrade to Windows Server 2008 R2 for Server Manager to connect to Windows Server 2008.

5. Correct answer: B

a. Incorrect: The Dashboard does appear in the default Server Manager display.

b. Correct: The Local Server home page does not appear, because the local system is a workstation, not a server.

c. Incorrect: The All Servers home page does appear in the default Server Manager display.

d. Incorrect: The Welcome tile does appear in the default Server Manager display.

Chapter 3. Configuring Hyper-V

The concept of virtualizing servers has, in the past several years, grown from a novel experiment to a convenient lab and testing tool to a legitimate deployment strategy for production servers. Windows Server 2012 R2 includes the Hyper-V role, which enables administrators to create virtual machines (VMs), each of which runs in its own isolated environment. VMs are self-contained units that administrators can easily move from one physical computer to another, greatly simplifying the process of deploying network applications and services.

This chapter covers some of the fundamental tasks that administrators perform to create and deploy Hyper-V servers and VMs.

Objectives in this chapter:

▪ Objective 3.1: Create and configure virtual machine settings

▪ Objective 3.2: Create and configure virtual machine storage

▪ Objective 3.3: Create and configure virtual networks

Objective 3.1: Create and configure virtual machine settings

Server virtualization in Windows Server 2012 R2 is based on a module called a hypervisor. Sometimes called a virtual machine monitor (VMM), the hypervisor is responsible for abstracting the computer’s physical hardware and creating multiple virtualized hardware environments, called VMs. Each VM has its own (virtual) hardware configuration and can run a separate copy of an operating system (OS). Therefore, with sufficient physical hardware and the correct licensing, a single computer running Windows Server 2012 R2 with the Hyper-V role installed can support multiple VMs, which administrators can manage as if they were standalone computers.

REMOTEFX

RemoteFX enables remote computers to connect Hyper-V guest VMs with an enhanced desktop experience, including graphics adapter virtualization, USB redirection, and intelligent encoding and decoding. Don’t expect many questions about RemoteFX on the exam.


This objective covers how to:

▪ Configure dynamic memory

▪ Configure smart paging

▪ Configure Resource Metering

▪ Configure guest integration services

▪ Create and configure Generation 1 and Generation 2 VMs

▪ Configure and use enhanced session mode

Virtualization architectures

Virtualization products can use several different architectures to share a computer’s hardware resources among VMs. The earlier type of virtualization products, including Microsoft Windows Virtual PC and Microsoft Virtual Server, requires a standard OS installed on a computer. This becomes the “host” OS. Then you install the virtualization product, which adds the hypervisor component. The hypervisor essentially runs alongside the host OS, as shown in Figure 3-1, and enables you to create as many VMs as the computer has hardware to support.

Figure 3-1. A hybrid VMM sharing hardware access with a host operating system

This arrangement, in which the hypervisor runs on top of a host OS, is called Type II virtualization. By using the Type II hypervisor, you create a virtual hardware environment for each VM. You can specify how much memory to allocate to each VM, create virtual disk drives by using space on the computer’s physical drives, and provide access to peripheral devices. You then install a “guest” OS on each VM, just as if you were deploying a new computer. The host OS then shares access to the computer’s processor with the hypervisor, with each taking the clock cycles it needs and passing control of the processor back to the other.

Type II virtualization can provide adequate VM performance, particularly in classroom and laboratory environments, but it does not provide performance equivalent to separate physical computers. Therefore, it is not generally recommended for high-traffic servers in production environments.

The virtualization capability built into Windows Server 2012 R2, called Hyper-V, uses a different type of architecture. Hyper-V uses Type I virtualization, in which the hypervisor is an abstraction layer that interacts directly with the computer’s physical hardware—that is, without an intervening host OS. The term hypervisor is intended to represent the level beyond the term supervisor, in regard to the responsibility for allocating a computer’s processor clock cycles.

The hypervisor creates individual environments called partitions, each of which has its own OS installed and accesses the computer’s hardware via the hypervisor. Unlike Type II virtualization, no host OS shares processor time with the hypervisor. Instead, the hypervisor designates the first partition it creates as the parent partition and all subsequent partitions as child partitions, as shown in Figure 3-2.

Figure 3-2. A Type I VMM, with the hypervisor running directly on the hardware

The parent partition accesses the system hardware through the hypervisor, just as the child partitions do. The only difference is that the parent runs the virtualization stack, which creates and manages the child partitions. The parent partition is also responsible for the subsystems that directly affect the performance of the computer’s physical hardware, such as Plug and Play, power management, and error handling. These subsystems also run in the OSs on the child partitions, but they address only virtual hardware, whereas the parent, or root, partition handles the actual hardware.

HYPER-V

It might not seem like the Hyper-V role in Windows Server 2012 R2 provides Type I virtualization, because it requires the Windows Server OS to be installed and running. However, adding the Hyper-V role actually converts the installed instance of Windows Server 2012 R2 into the parent partition and causes the system to load the hypervisor before the OS.

Hyper-V implementations

Windows Server 2012 R2 includes the Hyper-V role only in the Standard and Datacenter editions. The Hyper-V role is required for the OS to function as a computer’s primary partition, enabling it to host other VMs. No special software is required for an OS to function as a guest OS in a VM. Therefore, although Windows Server 2012 R2 Essentials does not include the Hyper-V role, it can function as a guest OS. Other guest OSs supported by Hyper-V include the current Windows workstation OSs and many other non-Microsoft server and workstation products.

Hyper-V licensing

The primary difference between the Standard and Datacenter editions of Windows Server 2012 R2 is the number of VMs they support. When you install a Windows Server 2012 R2 instance on a VM, you must have a license for it, just like when you install it on a physical machine. Purchasing the Datacenter edition allows you to license an unlimited number of VMs running Windows Server 2012 R2 on that one physical machine. The Standard license allows you to license only two virtual instances of Windows Server 2012 R2.


Hyper-V hardware limitations

The Windows Server 2012 R2 version of Hyper-V contains massive improvements in the scalability of the system over previous versions. A Windows Server 2012 R2 Hyper-V host system can have up to 320 logical processors, supporting up to 2,048 virtual CPUs and up to 4 terabytes (TB) of physical memory.

One server can host as many as 1,024 active VMs and a single VM can have up to 64 virtual CPUs and up to 1 TB of memory.

Hyper-V can also support clusters with up to 64 nodes and 8,000 VMs.

WINDOWS POWERSHELL

Another major improvement in the Windows Server 2012 and Windows Server 2012 R2 versions of Hyper-V is the inclusion of a Hyper-V module for Windows PowerShell, which includes new cmdlets dedicated to the creation and management of the Hyper-V service and its VMs.

Hyper-V Server

In addition to the Hyper-V implementation in Windows Server 2012 R2, Microsoft provides a dedicated Hyper-V Server product, which is a subset of Windows Server 2012 R2. Hyper-V Server 2012 R2 includes the Hyper-V role, which it installs by default during the OS installation. With the exception of some limited File and Storage Services and Remote Desktop capabilities, the OS includes no other roles, as shown in Figure 3-3.

Figure 3-3. Roles available in Hyper-V Server

The Hyper-V Server is also limited to the Server Core interface, although, as with all Server Core installations, it includes SCONFIG, a simple, script-based configuration interface, as shown in Figure 3-4. You can manage Hyper-V Server remotely by using Server Manager and Hyper-V Manager, just as you would any other Server Core installation.

Figure 3-4. The Server Core interface in Hyper-V Server

Unlike Windows Server 2012 R2, Hyper-V Server is a free product, available for download from Microsoft’s website. However, Hyper-V Server does not include any licenses for virtual instances. You must obtain and license all the OSs you install on the VMs you create.

Installing Hyper-V

Once you have the appropriate hardware, you can add the Hyper-V role to Windows Server 2012 R2 by using Server Manager, just as you would any other role.

Adding the Hyper-V role installs the hypervisor software, and, in the case of a full GUI installation, also installs the management tools. The primary tool for creating and managing VMs and their components on Hyper-V servers is the Hyper-V Manager console. Hyper-V Manager provides administrators with a list of all the VMs on the local host and enables administrators to configure the environments of both the servers and the individual VMs. There is also a set of Hyper-V cmdlets for Windows PowerShell that enables you to exercise complete control over VMs using that interface.

Microsoft recommends that you do not install other roles with Hyper-V. It is better to implement any other roles that you need the physical computer to perform within one of the VMs you create by using Hyper-V. In addition, you might want to consider installing Hyper-V on a computer by using the Server Core installation option. This will minimize the overhead expended on the partition. As with other roles, installing Hyper-V on Server Core excludes the graphical management tools, which you must install separately as a feature on another computer.

Before you can install the Hyper-V role on a server running Windows Server 2012 R2, you must have the appropriate hardware:

▪ A 64-bit processor that includes hardware-assisted virtualization. This is available in processors that include a virtualization option, such as Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.

▪ A system BIOS that supports the virtualization hardware, on which the virtualization feature has been enabled.

▪ Hardware-enforced Data Execution Prevention (DEP), which Intel describes as eXecute Disable (XD) and AMD describes as No eXecute (NX). This is a technology used in CPUs to segregate areas of memory. Specifically, you must enable the Intel XD bit (execute disable bit) or the AMD NX bit (no execute bit).

To install the Hyper-V role, use the following procedure.

1. In Server Manager, on the Manage menu, select Add Roles And Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.

2. Click Next to open the Select Installation Type page.

3. Leave the Role-Based Or Feature-Based Installation option selected and click Next. The Select Destination Server page opens.

4. Select the server on which you want to install Hyper-V and click Next. The Select Server Roles page opens.

5. Select the Hyper-V role. The Add Features That Are Required For Hyper-V dialog box appears.

6. Click Add Features to accept the dependencies and then click Next to open the Select Features page.

7. Click Next to open the Hyper-V page.

8. Click Next. The Create Virtual Switches page opens, as shown in Figure 3-5.

Figure 3-5. The Create Virtual Switches page of the Add Roles and Features Wizard

9. Select the appropriate check box for a network adapter and click Next. The Virtual Machine Migration page opens, as shown in Figure 3-6.

Figure 3-6. The Virtual Machine Migration page of the Add Roles and Features Wizard

10. Click Next to open the Default Stores page.

11. Specify alternatives to the default locations for virtual hard disk (VHD) and VM configuration files, if desired, and click Next. The Confirm Installation Selection page opens.

12. Click Install to move to the Installation Progress page as the wizard installs the role.

13. Click Close to close the wizard.

14. Restart the server.

Installing the role modifies the Windows Server 2012 R2 startup procedure so that the newly installed hypervisor is able to address the system hardware directly and then load the OS as the primary partition on top of that.

USING WINDOWS POWERSHELL

You can also install the Hyper-V role by using the Install-WindowsFeature cmdlet, using the following syntax:

Install-WindowsFeature -Name Hyper-V -ComputerName <name> -IncludeManagementTools -Restart
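An added example, not from the book, that checks the hardware requirements listed above before running the Install-WindowsFeature command from the sidebar. It assumes you run it as an administrator against a server named here as HYPERV01 (a constructed name) and reads the CIM properties that Windows exposes for the processor and the OS.

```powershell
# Added example (not from the book): verify the Hyper-V prerequisites (64-bit,
# hardware-assisted virtualization turned on in firmware, hardware DEP) and only
# then install the role. $Server is a constructed name.
$Server = 'HYPERV01'

function Test-HyperVPrerequisites {
    param([string]$ComputerName)

    $cpu = Get-CimInstance -ClassName Win32_Processor -ComputerName $ComputerName |
           Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName

    # Each entry maps one requirement from the list above to a CIM property.
    $checks = [ordered]@{
        '64-bit operating system'              = ($os.OSArchitecture -eq '64-bit')
        'Hardware virtualization (VT-x/AMD-V)' = [bool]$cpu.VMMonitorModeExtensions
        'Virtualization enabled in BIOS/UEFI'  = [bool]$cpu.VirtualizationFirmwareEnabled
        'Hardware DEP (XD/NX) available'       = [bool]$os.DataExecutionPrevention_Available
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
    return ($checks.Values -notcontains $false)
}

if (Test-HyperVPrerequisites -ComputerName $Server) {
    # Same cmdlet as the sidebar; -Restart reboots the server so the hypervisor loads first.
    Install-WindowsFeature -Name Hyper-V -ComputerName $Server -IncludeManagementTools -Restart
} else {
    Write-Warning "$Server does not meet the Hyper-V hardware requirements; enable virtualization and DEP in the firmware first."
}
```

Once a hypervisor is already running on the host, VirtualizationFirmwareEnabled reports False because the extensions are in use, so treat the check as a pre-install test only.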

Using Hyper-V Manager

Once you have installed the Hyper-V role and restarted the computer, you can begin to create VMs and deploy OSs on them by using the Hyper-V Manager console, which you can access from the Tools menu in Server Manager.

Like most of the Windows Server 2012 R2 management tools, including Server Manager itself, you can use the Hyper-V Manager console to create and manage VMs on multiple servers, enabling administrators to exercise full control over their servers from a central location.

To run Hyper-V Manager on a server that does not have the Hyper-V role, you must install the Hyper-V Management Tools feature. These tools are also found in the Remote Server Administration Tools feature.

Once you install and launch the Hyper-V Manager console, you can add servers to the display by right-clicking the Hyper-V Manager node in the left pane and selecting Connect To Server from the shortcut menu. The Select Computer dialog box appears, in which you can type or browse to the name of a Hyper-V server.

The Hyper-V Manager console lists all the VMs on the selected server, as shown in Figure 3-7, along with status information about each one.

Figure 3-7. The Hyper-V Manager console

Creating a virtual machine

After installing Hyper-V and configuring it using Hyper-V Manager, you are ready to create VMs and install the OS on each one. By using Hyper-V Manager, you can create new VMs and define the hardware resources that the system should allocate to them. In the settings for a particular VM, depending on the physical hardware available in the computer and the limitations of the guest OS, administrators can specify the number of processors and the amount of memory allotted to a VM, install virtual network adapters, and create virtual disks by using a variety of technologies, including storage area networks (SANs).

By default, Hyper-V stores the files that make up VMs in the folders you specified on the Default Stores page during the role installation. Each VM uses the following files:

▪ A virtual machine configuration file in XML format with an .xml extension that contains the VM configuration information, including all settings for the VM

▪ One or more VHD (.vhd or .vhdx) files to store the guest OS, applications, and data for the VM

In addition, a VM can use a saved-state (.vsv) file if the machine has been placed into a saved state.

To create a new VM, use the followingprocedure.

1. In Server Manager, on the Tools menu,select Hyper-V Manager to open theHyper-V Manager console.

2. In the left pane, select a Hyper-V server.

3. From the Action menu, select New, Vir-tual Machine. The New Virtual MachineWizard starts, displaying the Before YouBegin page.

4. Click Next to open the Specify NameAnd Location page.

5. In the Name text box, type a name forthe VM, keeping in mind that the sys-tem will also use this name to create the

463/1537

VM files and folders. To create the VMfiles in a location other than the default,select the Store The Virtual Machine InA Different Location check box and typean alternate path in the Location textbox. Then click Next. The Specify Gen-eration page appears.

MORE INFORMATION VMGENERATIONS

For more information on thedistinction between Generation1 virtual machines and Genera-tion 2 virtual machines, see“Creating Generation 1 andGeneration 2 VMs” later in thischapter.

6. Specify whether you want to create aGeneration 1 or Generation 2 virtual

464/1537

machine and click Next. The AssignMemory page opens.

MORE INFORMATIONMEMORY

For more information on howHyper-V uses memory, see “Al-locating memory” later in thischapter.

7. In the Startup Memory text box, typethe amount of memory you want theVM to use and click Next. The ConfigureNetworking page opens, as shown inFigure 3-8.

465/1537

Figure 3-8. The Configure Networkingpage of the New Virtual Machine

Wizard

8. From the Connection drop-down list,select a virtual switch and click Next.The Connect Virtual Hard Disk pageopens, as shown in Figure 3-9.

466/1537

Figure 3-9. The Connect Virtual HardDisk page of the New Virtual Machine

Wizard

467/1537

MORE INFORMATIONNETWORKS

For more information on virtualswitches and networking VMs,see Objective 3.3, “Create andconfigure virtual networks,”later in this chapter.

9. Leave the Create A Virtual Hard Diskoption selected and type values for thefollowing fields:

▪ Name. Specifies the file name forthe VHD, using the .vhdx formatnew to Windows Server 2012 R2

▪ Location. Specifies a location forthe VHD other than the default youspecified on the Default Stores page

468/1537

▪ Size. Specifies the maximum size ofthe VHD

MORE INFORMATIONSTORAGE

By default, the wizard creates aVHD file that starts small anddynamically expands up to themaximum size you specify. Formore information on Hyper-Vstorage, see Objective 3.2,“Create and configure virtualmachine storage,” later in thischapter.

10. Click Next. The Installation Optionspage opens.

11. Leave the Install An Operating SystemLater Option selected and click Next.

469/1537

The Completing The New VirtualMachine Wizard page opens.

12. Click Finish. The wizard creates the newVM and adds it to the list of VMs inHyper-V Manager.

The VM that this procedure creates is the equivalent of a bare-metal computer. It has all the (virtual) hardware it needs to run, but it has no software.


USING WINDOWS POWERSHELL

To create a new VM by using Windows PowerShell, use the New-VM cmdlet with the following basic syntax. When you ask the cmdlet to create a new virtual hard disk with -NewVHDSizeBytes, you must also supply -NewVHDPath; the two parameters are mandatory together, and the cmdlet prompts for the path if you omit it:

New-VM -Name "VM name" -MemoryStartupBytes <memory> -NewVHDPath <path to .vhdx file> -NewVHDSizeBytes <disk size>

For example, the following command creates a new VM called ServerA with 1 GB of memory and a new 60-GB VHDX drive (the path is illustrative):

New-VM -Name "ServerA" -MemoryStartupBytes 1GB -NewVHDPath "C:\VMs\ServerA.vhdx" -NewVHDSizeBytes 60GB

There are, of course, many more parameters for the New-VM cmdlet, which you can explore through the Get-Help cmdlet.


Each VM on a Hyper-V server consists of a collection of settings that specify the hardware resources in the machine and the configuration settings that control those resources. You can manage and modify those settings by using the Settings page for the particular VM.

Selecting a VM from the list in Hyper-V Manager displays a series of icons in the Actions pane. Clicking the Settings icon opens the Settings dialog box, shown in Figure 3-10, which is the primary configuration interface for that VM. Here, you can modify any of the settings that the New Virtual Machine Wizard configured for you.


Figure 3-10. The Settings dialog box for a VM


Creating Generation 1 and Generation 2 VMs

In Windows Server 2012 R2, Hyper-V includes a new type of virtual machine, which it refers to as Generation 2. The VM type created by all previous versions is called Generation 1. When you create a new virtual machine in Hyper-V Manager, the New Virtual Machine Wizard includes a new page (shown in Figure 3-11) on which you specify whether you want to create a Generation 1 or Generation 2 VM. The New-VM cmdlet in Windows PowerShell also includes a new -Generation parameter.


Figure 3-11. The Specify Generation page in the New Virtual Machine Wizard

Generation 1 VMs are designed to emulate the hardware found in a typical computer. To do this, they use drivers for specific devices, such as an AMI BIOS, an S3 graphics adapter, and an Intel chipset and network adapter.


Generation 1 VMs that you create with Windows Server 2012 R2 Hyper-V are completely compatible with all previous Hyper-V versions.

Generation 2 VMs use synthetic drivers and software-based devices instead; they provide advantages that include the following:

▪ UEFI boot. Instead of using the traditional BIOS, Generation 2 VMs boot through the Unified Extensible Firmware Interface (UEFI), which supports Secure Boot. Secure Boot requires the boot loader and the firmware drivers it loads to carry a digital signature from a trusted authority before the firmware will run them. UEFI also enables the VMs to boot from drives larger than 2 TB by using GUID partition tables (GPT).

▪ SCSI disks. Generation 2 VMs omit the IDE disk controller that Generation 1 VMs use to boot the system and use a high-performance virtual SCSI controller for all disks, enabling the VMs to boot from VHDX files and to support hot adds and removes of disks.

The end result is a Generation 2 virtual machine that deploys much faster than its Generation 1 counterpart and performs better as well. The limitation, however, is that Generation 2 VMs can only run the following guest operating systems:

▪ Windows Server 2012

▪ Windows Server 2012 R2

▪ Windows 8 64-bit

▪ Windows 8.1 64-bit

Installing an operating system

Once you have created a VM, you can install an OS on it. Hyper-V in Windows Server 2012 R2 supports all of the following as OSs you can install in Generation 1 VMs:


▪ Windows Server 2012 R2

▪ Windows Server 2012

▪ Windows Server 2008 R2

▪ Windows Server 2008

▪ Windows Home Server 2011

▪ Windows Small Business Server 2011

▪ Windows Server 2003 R2

▪ Windows Server 2003 SP2

▪ Windows 8.1

▪ Windows 8

▪ Windows 7 Enterprise and Ultimate

▪ Windows Vista Business, Enterprise, and Ultimate SP2


▪ Windows XP Professional SP3

▪ Windows XP x64 Professional SP2

▪ CentOS 6.0–6.2

▪ Red Hat Enterprise Linux 6.0–6.2

▪ SUSE Linux Enterprise Server 11 SP2

GUEST OSs

This is the official list of supported guest OSs at RTM. Other OSs might also function but have not been fully tested.

One of the advantages of installing software on VMs is that there are several ways to access the installation files. A VM, by default, has a DVD drive, which can itself be physical or virtual.

When you open the Settings dialog box for a Generation 1 VM and select the DVD drive in the Hardware list, you see the interface shown in Figure 3-12. In the Media section, you can select one of the following options for the drive:

▪ None. The equivalent of a drive with no disk inserted

▪ Image File. Points to a disk image file with an .iso extension stored on one of the host computer’s drives or on a shared network drive

▪ Physical CD/DVD Drive. Links the virtual DVD drive to one of the physical DVD drives in the host computer


In a Generation 2 VM, the DVD drive supports only the None option and the Image File option, as shown in Figure 3-12. The ability to mount an image file to a virtual DVD drive is particularly useful for administrators who download OS files as disk images. Once you have mounted an installation disk, either physically or virtually, you can click Start in the Actions pane of Hyper-V Manager, which is the equivalent of turning on the VM.

Starting a VM causes the thumbnail in Hyper-V Manager to go live, displaying the contents of the computer’s screen. To display the VM’s activity at full size, click Connect in the Actions pane to open a new window for the VM. You can then interact with the VM through that window, just as if you were sitting at a physical computer’s console.


Figure 3-12. DVD drive settings for a VM

When the VM boots from the disk you mounted, the OS installation proceeds just as if you were using a physical computer. During the installation process, you can work with the VHD drive just as you would a physical one, creating partitions of various sizes and selecting one for the OS. When the installation is complete, the VM restarts, and you can then log on and use it in the normal manner.
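The VM creation and OS installation steps above, done from Windows PowerShell, as an added example that is not part of the book: it creates the VM with New-VM, attaches an installation ISO to the virtual DVD drive, makes the DVD the first boot device and, for a Generation 2 VM, confirms that Secure Boot is on before the installer runs, so that only a signed boot loader can start inside the guest. The VM name, the ISO path, the VHDX path and the virtual switch name 'External' are assumptions for illustration.

```powershell
# Added example, not from the book. Assumed values: VM name, ISO path, VHDX path,
# and a virtual switch named 'External' that already exists on the host.
param(
    [string]$Name       = 'ServerA',
    [int]$Generation    = 2,
    [string]$IsoPath    = 'C:\ISO\WindowsServer2012R2.iso',
    [string]$VhdPath    = "C:\Hyper-V\Virtual Hard Disks\$Name.vhdx",
    [string]$SwitchName = 'External'
)

# -NewVHDPath and -NewVHDSizeBytes go together; the result is a dynamically
# expanding VHDX, the same thing the New Virtual Machine Wizard creates.
$vm = New-VM -Name $Name -Generation $Generation -MemoryStartupBytes 1GB `
             -NewVHDPath $VhdPath -NewVHDSizeBytes 60GB -SwitchName $SwitchName

# A Generation 1 VM gets a DVD drive on IDE Controller 1 automatically; a
# Generation 2 VM has none until you add one (it lands on the SCSI controller).
$dvd = Get-VMDvdDrive -VMName $Name
if ($dvd) {
    Set-VMDvdDrive -VMName $Name -ControllerNumber $dvd.ControllerNumber `
                   -ControllerLocation $dvd.ControllerLocation -Path $IsoPath
} else {
    Add-VMDvdDrive -VMName $Name -Path $IsoPath
}

if ($vm.Generation -eq 2) {
    # UEFI firmware: boot from the DVD first, and only run signed boot components.
    Set-VMFirmware -VMName $Name -FirstBootDevice (Get-VMDvdDrive -VMName $Name) `
                   -EnableSecureBoot On
    $firmware = Get-VMFirmware -VMName $Name
    if ($firmware.SecureBoot -ne 'On') {
        throw "Secure Boot is not enabled on $Name; refusing to start the install"
    }
} else {
    # Legacy BIOS: startup order is CD first, then the IDE system disk.
    Set-VMBios -VMName $Name -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')
}

# Equivalent of clicking Start in the Actions pane; Connect (vmconnect.exe) shows the console.
Start-VM -Name $Name
Get-VM -Name $Name | Select-Object Name, State, Generation,
    @{ n = 'StartupMB'; e = { $_.MemoryStartup / 1MB } }
```

Run the script on the Hyper-V host as an administrator. Once the installer finishes and the VM reboots, Get-VMFirmware still shows SecureBoot as On; switching it Off later is a change worth alerting on, since it removes the signature check on the guest's boot chain.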

Configuring Guest Integration Services

In some cases, certain Hyper-V guest OS features do not function properly using the OS’s own device drivers. Hyper-V, therefore, includes a software package called Guest Integration Services, which you can install on your VMs for compatibility purposes.

Some of the functions provided by the Guest Integration Services package are as follows:

▪ Operating System Shutdown. Enables the Hyper-V Manager console to remotely shut down a guest OS in a controlled manner, eliminating the need for an administrator to log on and manually shut the system down.

▪ Time Synchronization. Enables Hyper-V to synchronize the OS clocks in parent and child partitions.

▪ Data Exchange. Enables the Windows OSs on the parent and child partitions to exchange information, such as OS version information and fully qualified domain names.

▪ Heartbeat. Implements a service in which the parent partition sends regular heartbeat signals to the child partitions, which are expected to respond in kind. A failure of a child partition to respond indicates that the guest OS has frozen or malfunctioned.


▪ Backup. Enables backup of Windows VMs by using Volume Shadow Copy Services.

▪ Guest Services. Enables administrators to copy files to a virtual machine without using a network connection.

The Windows Server 2012, Windows Server 2012 R2, Windows 8, and Windows 8.1 operating systems have the latest Guest Integration Services software built in, so there is no need to install the package on VMs running those OSs as guests. Earlier versions of Windows have earlier versions of the Guest Integration Services package that need to be upgraded, however, and some Windows versions do not include the package at all.


LINUX

For Linux guest OSs, you must download and install the latest release of Linux Integration Services for Hyper-V from the Microsoft Download Center. As of this writing, the latest version is 3.4 and is available at http://www.microsoft.com/en-gb/download/details.aspx?id=34603.

To upgrade Guest Integration Services on a Windows guest OS, use the following procedure:

1. In Server Manager, on the Tools menu, select Hyper-V Manager. The Hyper-V Manager console starts.

2. In the left pane, select a Hyper-V server.


3. In the Actions pane, start the VM on which you want to install Guest Integration Services and click Connect. A Virtual Machine Connection window opens.

4. In the Virtual Machine Connection window, from the Action menu, select Insert Integration Services Setup Disk. Hyper-V mounts an image of the Guest Integration Services disk to a virtual disk drive and an Autoplay window appears.

5. Click Install Hyper-V Integration Services. A message box appears, asking you to upgrade the existing installation.

6. Click OK. The system installs the package and prompts you to restart the computer.

7. Click Yes to restart the computer.


Once you have installed or upgraded Guest Integration Services, you can enable or disable each of the individual functions by opening the Settings dialog box for the VM and selecting the Integration Services page, as shown in Figure 3-13.


Figure 3-13. Integration Services settings for a VM

At this point, you are ready to configure and manage the VM just as if you were working on a physical server. This can include modifying the network configuration, enabling remote desktop, loading the appropriate roles and features, and installing applications.
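An added example, not from the book, of managing the Guest Integration Services settings described above from PowerShell with Get-VMIntegrationService, Enable-VMIntegrationService and Disable-VMIntegrationService: it audits every VM on the host, warns about running guests whose integration components need an upgrade, warns where Shutdown, Heartbeat or VSS is turned off, and keeps the Guest Service Interface (the host-to-guest file copy behind Copy-VMFile, which moves files into a guest without touching its network stack or firewall) enabled only on VMs in an allow list. The allow list contents are an assumption for illustration.

```powershell
# Added example, not from the book. Assumed: the names in $GuestServicesAllowed are
# VMs that are permitted to receive files from the host through Copy-VMFile.
$GuestServicesAllowed = @('BuildServer01')

foreach ($vm in Get-VM) {
    $services = Get-VMIntegrationService -VMName $vm.Name

    # IntegrationServicesState is reported by the running guest; 'Update required'
    # means the guest's package is older than the one this host ships with.
    if ($vm.State -eq 'Running' -and $vm.IntegrationServicesState -like 'Update*') {
        Write-Warning ('{0}: integration services {1} need an upgrade' -f `
            $vm.Name, $vm.IntegrationServicesVersion)
    }

    # Guest Service Interface is off by default; keep it that way except on the allow list.
    $guestSvc = $services | Where-Object Name -eq 'Guest Service Interface'
    $allowed  = $GuestServicesAllowed -contains $vm.Name
    if ($guestSvc.Enabled -and -not $allowed) {
        Disable-VMIntegrationService -VMName $vm.Name -Name 'Guest Service Interface'
        Write-Host "$($vm.Name): disabled Guest Service Interface"
    } elseif (-not $guestSvc.Enabled -and $allowed) {
        Enable-VMIntegrationService -VMName $vm.Name -Name 'Guest Service Interface'
    }

    # Shutdown, Heartbeat and VSS are what orderly shutdown, monitoring and backups rely on.
    foreach ($required in 'Shutdown', 'Heartbeat', 'VSS') {
        $svc = $services | Where-Object Name -eq $required
        if (-not $svc.Enabled) {
            Write-Warning "$($vm.Name): integration service '$required' is disabled"
        }
    }
}

# Summary of what is enabled where, with the guest-reported status of each component.
Get-VM | Get-VMIntegrationService |
    Sort-Object Name, VMName |
    Format-Table VMName, Name, Enabled, PrimaryStatusDescription -AutoSize
```

The names passed to -Name are the ones Hyper-V Manager shows on the Integration Services page ('Shutdown', 'Time Synchronization', 'Key-Value Pair Exchange', 'Heartbeat', 'VSS', 'Guest Service Interface'); PrimaryStatusDescription reads OK only while the guest's component is actually talking to the host, which is a quick way to spot a guest that never got the package installed.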

Using Enhanced Session mode

In previous versions of Hyper-V, when you open a Virtual Machine Connection window in the Hyper-V Manager console, you receive mouse and keyboard connectivity plus limited cut and paste functionality. To obtain any further access, such as audio or print functionality, you could establish a Remote Desktop Services connection to the VM, but this requires the computers to be connected to the same network, which is not always possible.

Starting in Windows Server 2012 R2, Hyper-V supports an enhanced session mode that enables the Virtual Machine Connection window to redirect any of the following local resources to VMs running Windows Server 2012 R2 or Windows 8.1:

▪ Display configuration

▪ Audio

▪ Printers

▪ Clipboard

▪ Smart cards

▪ USB devices

▪ Drives

▪ Supported Plug and Play devices

The enhanced session mode works by establishing a Remote Desktop Protocol connection between the host computer and the VM, but it does not require a standard network path because it uses VMBus instead. VMBus is a high-speed conduit between the various partitions running on a Hyper-V server.

Enhanced session mode is enabled by default in Windows 8.1, but in Windows Server 2012 R2, you must enable it on the Enhanced Session Mode Policy page of the Hyper-V Settings dialog box, as shown in Figure 3-14.


Figure 3-14. Enhanced Session Mode Policy settings


Allocating memory

Dynamic memory enables Hyper-V to adjust the amount of RAM allocated to VMs, depending on their ongoing requirements. Some computer components can be virtualized. You can take some disk space and create a virtual hard drive, and you can take an image file and create a virtual DVD drive. You can also create virtual network interface adapters and other components, which appear like the real thing in a VM. System memory is different, however. There is no substitute for memory, so all Hyper-V can do is take the physical memory installed in the computer and allocate it among the various VMs.

When you create a VM, you specify how much memory to allocate to the VM. Obviously, the amount of memory available for use is based on the physical memory installed in the computer.


After you have created the VM, you can modify the amount of memory allocated to it by shutting down the VM, opening its Settings dialog box, and changing the Startup RAM setting on the Memory page, as shown in Figure 3-15. This enables you to experiment with various amounts of memory and set the optimum performance level for the system.


Figure 3-15. Memory settings for a VM


Using Dynamic Memory

In the first versions of Hyper-V, shutting down the VM was the only way to modify its memory allocation. In the Windows Server 2012 R2 version, however, you can use a feature called Dynamic Memory to automatically reallocate memory to the VM from a shared memory pool as its demands change. If a virtualized server starts to experience larger amounts of client traffic, for example, Hyper-V can increase the memory allocated to the system, and reduce it again when the traffic subsides.

To use Dynamic Memory, you must enable it by selecting the Enable Dynamic Memory check box on the VM’s Memory settings page and then configure the following settings:

▪ Startup RAM. Specifies the amount of memory that you want to allocate to the VM when it starts. When you are using Dynamic Memory, this value can be the minimum amount of memory needed to boot the system.

▪ Minimum RAM. Specifies the smallest amount of memory the VM can use at any time. OSs can require more memory to start up than to run, so this value can be smaller than the Startup RAM value.

▪ Maximum RAM. Specifies the largest amount of memory that the VM can use at any time. The value can range from a low equal to the Startup RAM value to a high of 1 TB, the per-VM memory limit of Windows Server 2012 R2 Hyper-V.

▪ Memory Buffer. Specifies a percentage that Hyper-V uses to calculate how much memory to allocate to the VM, compared to its actual utilization, as measured by performance counters. For example, with the Memory Buffer value set to 20 percent, a VM with applications and OS that consume 1 GB of memory will receive a dynamic allocation of 1.2 GB.

▪ Memory Weight. Specifies a relative value that sets the priority of this VM compared to the other VMs on the same computer. When the physical memory in the computer is insufficient to allocate the full buffered amount specified for each VM, the VMs with the highest Memory Weight settings receive priority.

RAM

You can reduce the Minimum RAM, increase the Maximum RAM, or change the Memory Buffer value or the Memory Weight value at any time, but to enable or disable Dynamic Memory, you must shut down the VM.


In addition to configuring the VM settings, the guest VM must be running Windows Vista or later or Windows Server 2003 SP2 or later and have Windows Server 2012 R2 Guest Integration Services installed to use Dynamic Memory.


USING WINDOWS POWERSHELL

To configure the memory settings for a VM, use the Set-VMMemory cmdlet with the following basic syntax:

Set-VMMemory <VM name> -DynamicMemoryEnabled $true -MinimumBytes <memory> -StartupBytes <memory> -MaximumBytes <memory> -Priority <value> -Buffer <percentage>

For example, the following command enables Dynamic Memory on the VM ServerA and sets its minimum allocation; the remaining values are set in the same way with the parameters shown above:

Set-VMMemory ServerA -DynamicMemoryEnabled $true -MinimumBytes 64MB


Configuring Smart Paging

Dynamic Memory was introduced in Windows Server 2008 R2 SP1 Hyper-V, but Windows Server 2012 and later improve on the concept by adding the Minimum RAM setting. This makes it possible for Hyper-V to reduce the memory used by a VM to a level lower than that needed to start the system, reclaiming that memory for other uses.

The problem with having minimum RAM values that are lower than the startup RAM values is that it becomes possible to deplete the supply of physical memory with too many VMs running simultaneously at their minimum RAM values. If this occurs, a VM that has to restart might be unable to do so because there is not enough free memory to increase its memory allocation from its minimum RAM value to its startup RAM value.

To address this possibility, Hyper-V includes a feature called smart paging. If a VM has to restart and there is not enough memory available to allocate its startup RAM value, the system uses hard disk space to make up the difference and begins paging memory contents to disk.

Disk access rates are far slower than memory access rates, of course, so smart paging incurs a severe performance penalty, but the paging occurs only for as long as it takes to restart the VM and return it to its minimum RAM allocation.

Hyper-V only uses smart paging in specific conditions: when a VM must be restarted, there is no free memory available, and there are no other means available to free up the necessary memory.

You can select the Smart Paging File Location page in a VM’s Settings dialog box to specify a location for the paging file. Selecting the fastest possible hard drive is recommended.
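An added example, not the book's code, that puts the Set-VMMemory syntax from the sidebar above together with the Smart Paging setting: a function that enables Dynamic Memory with all of its values and sets the Smart Paging file location with Set-VM, plus a pre-flight check that compares the Startup RAM of every VM that is currently off with the physical memory free on the host, which is the cold-start case that smart paging does not cover. The VM name ServerA, the sizes and the D:\SmartPaging path are assumptions for illustration.

```powershell
# Added example, not from the book. Assumed: VM name ServerA and a Smart Paging
# directory on D:\, the fastest local disk on this host.
function Set-LabDynamicMemory {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [long] $Startup  = 1GB,
        [long] $Minimum  = 512MB,
        [long] $Maximum  = 4GB,
        [int]  $Buffer   = 20,      # percent above measured demand
        [int]  $Priority = 50,      # Memory Weight, 0-100
        [string] $SmartPagingPath = 'D:\SmartPaging'
    )
    # Startup RAM and the Dynamic Memory check box can only change while the VM is
    # off; a lower Minimum, higher Maximum, Buffer and Weight can change while it runs.
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "$VMName must be shut down to enable Dynamic Memory or change Startup RAM"
    }
    if ($Minimum -gt $Startup -or $Startup -gt $Maximum) {
        throw 'Minimum <= Startup <= Maximum is required'
    }
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true `
        -StartupBytes $Startup -MinimumBytes $Minimum -MaximumBytes $Maximum `
        -Buffer $Buffer -Priority $Priority

    if (-not (Test-Path $SmartPagingPath)) {
        New-Item -ItemType Directory -Path $SmartPagingPath | Out-Null
    }
    Set-VM -Name $VMName -SmartPagingFilePath $SmartPagingPath

    Get-VMMemory -VMName $VMName |
        Select-Object VMName, DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer, Priority
}

function Test-StartupMemoryFit {
    # Smart paging only helps a VM *restart* from its minimum allocation. Starting
    # every VM at once still needs the sum of their Startup RAM to be free on the host.
    param([string[]] $VMName = (Get-VM | Where-Object State -eq 'Off').Name)
    if (-not $VMName) { return [pscustomobject]@{ VMsToStart = 0; Fits = $true } }
    $free   = (Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory * 1KB  # value is in KB
    $needed = (Get-VMMemory -VMName $VMName | Measure-Object Startup -Sum).Sum
    [pscustomobject]@{
        VMsToStart   = $VMName.Count
        StartupSumGB = [math]::Round($needed / 1GB, 2)
        FreeGB       = [math]::Round($free / 1GB, 2)
        Fits         = $needed -le $free
    }
}

Set-LabDynamicMemory -VMName 'ServerA' -Startup 1GB -Minimum 512MB -Maximum 4GB
Test-StartupMemoryFit
```

Test-StartupMemoryFit returning Fits = False is the situation in the thought experiment at the end of this objective: lowering Minimum RAM lets running VMs give memory back, but a VM still needs its full Startup RAM at the moment it boots.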


Configuring resource metering

Resource metering is a Windows PowerShell–based feature in Windows Server 2012 R2 Hyper-V that enables administrators to document VM usage by using a variety of criteria. There are various reasons why organizations might want to track the use of VMs. For large corporations, it might be a matter of internal accounting and controlling ongoing expenses, such as wide area network (WAN) bandwidth. For service providers, it might be necessary to bill customers based on the VM resources they use.

Resource metering uses Windows PowerShell cmdlets to track a variety of performance metrics for individual VMs, including the following:

▪ CPU utilization

▪ Minimum, maximum, and average memory utilization


▪ Disk space utilization

▪ Incoming and outgoing network traffic

Resource metering statistics remain consistent, even when you transfer VMs between host systems by using Live Migration or move VHD files between VMs.

To use resource metering, you must first enable it for the specific VM that you want to monitor by using the Enable-VMResourceMetering cmdlet with the following syntax:

Enable-VMResourceMetering -VMName <name>

Once you have enabled metering, you can display a statistical report at any time by using the Measure-VM cmdlet with the following syntax:


Measure-VM -VMName <name>

In addition to metering resources for entire VMs, administrators can also create resource pools that enable them to monitor specific VM components, such as processors, memory, network adapters, and VHDs. You create a resource pool by using the New-VMResourcePool cmdlet and then enable metering for the pool by using Enable-VMResourceMetering.

By using techniques such as pipelining, administrators can use the resource metering cmdlets to gather data on VM performance and export it to applications or data files.
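An added example, not from the book, of the resource metering cmdlets described above used through the pipeline: it enables metering on every VM that does not have it yet, flattens the Measure-VM output into a report and exports it to CSV, flags VMs whose outbound traffic is far out of proportion to their inbound traffic (a cheap tell for data leaving a guest that should not be sending much), and creates a processor resource pool for per-tenant metering. The report path, the TenantA pool, the ServerA VM and the 10-to-1 ratio are assumptions for illustration.

```powershell
# Added example, not from the book. Assumed: report path, pool name TenantA,
# VM name ServerA, and the 10:1 outbound-to-inbound ratio used as a threshold.
$ReportPath = 'C:\Reports\vm-usage.csv'

# Metering is per VM and survives reboots and live migration until you run
# Disable-VMResourceMetering; counters accumulate until Reset-VMResourceMetering.
Get-VM | Where-Object { -not $_.ResourceMeteringEnabled } | Enable-VMResourceMetering

function Get-VMUsageReport {
    # Measure-VM returns one VMResourceReport per VM: average CPU in MHz, average,
    # minimum and maximum RAM in MB, total disk in MB, and a per-direction network
    # report whose TotalTraffic values are in MB.
    Get-VM | Measure-VM | ForEach-Object {
        $net = $_.NetworkMeteredTrafficReport
        [pscustomobject]@{
            VMName      = $_.VMName
            AvgCpuMHz   = $_.AvgCPU
            AvgRamMB    = $_.AvgRAM
            MaxRamMB    = $_.MaxRAM
            TotalDiskMB = $_.TotalDisk
            InboundMB   = ($net | Where-Object Direction -eq 'Inbound'  | Measure-Object TotalTraffic -Sum).Sum
            OutboundMB  = ($net | Where-Object Direction -eq 'Outbound' | Measure-Object TotalTraffic -Sum).Sum
            Hours       = [math]::Round($_.MeteringDuration.TotalHours, 2)
        }
    }
}

$report = Get-VMUsageReport
if (-not (Test-Path (Split-Path $ReportPath))) { New-Item -ItemType Directory -Path (Split-Path $ReportPath) | Out-Null }
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# A guest that sends ten times more than it receives deserves a look: exfiltration,
# or a VM that has been recruited to flood someone else.
$report | Where-Object { $_.OutboundMB -gt 10 * [math]::Max($_.InboundMB, 1) } |
    ForEach-Object { Write-Warning ('{0}: {1} MB out vs {2} MB in' -f $_.VMName, $_.OutboundMB, $_.InboundMB) }

# Per-component metering: a processor resource pool shared by one tenant's VMs.
if (-not (Get-VMResourcePool -Name 'TenantA' -ResourcePoolType Processor -ErrorAction SilentlyContinue)) {
    New-VMResourcePool -Name 'TenantA' -ResourcePoolType Processor | Out-Null
}
Set-VMProcessor -VMName 'ServerA' -ResourcePoolName 'TenantA'
Enable-VMResourceMetering -ResourcePoolName 'TenantA' -ResourcePoolType Processor
Measure-VMResourcePool -Name 'TenantA' -ResourcePoolType Processor
```

Schedule the script from Task Scheduler and run Reset-VMResourceMetering after each export if you want per-period rather than cumulative figures; the CSV is what a billing system or a SIEM ingests.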


THOUGHT EXPERIMENT: CONFIGURING VIRTUAL MACHINE MEMORY

In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Alice has a computer with 8 GB of memory installed and running Windows Server 2012 R2, which she has configured as a Hyper-V server. After creating eight VMs, each with a startup RAM value of 1,024 MB, Alice is having trouble getting all eight VMs to boot. What settings can she modify to resolve the problem without changing the startup RAM value?

Objective summary

▪ Virtualization is a process that adds a layer of abstraction between actual, physical hardware and the system making use of it. Instead of having the server access the computer’s hardware directly, an intervening component called a hypervisor creates a VM environment, and the server OS runs in that environment.

▪ Virtualization is the process of deploying and maintaining multiple instances of an OS, called VMs, on a single computer.

▪ Microsoft Hyper-V is a hypervisor-based virtualization system for x64 computers starting with Windows Server 2008. The hypervisor is installed between the hardware and the OS and is the main component that manages the virtual computers.

▪ For licensing purposes, Microsoft refers to each VM that you create on a Hyper-V server as a virtual instance. Each Windows Server 2012 R2 version includes licenses for a set number of virtual instances; you must purchase additional licenses to license additional instances.

▪ To keep a small footprint and minimal overhead, Hyper-V Server contains only the Windows Hypervisor, Windows Server driver model, and virtualization components.

▪ Hyper-V in Windows Server 2012 R2 supports two types of VMs: Generation 1 and Generation 2. Generation 1 VMs are designed to emulate the hardware found in a typical computer and are compatible with previous versions of Hyper-V. Generation 2 VMs use synthetic drivers and software-based devices instead and can only run on Windows Server 2012 R2 Hyper-V.

▪ Windows Server 2012 R2 Hyper-V supports an enhanced session mode that enables the Virtual Machine Connection window to redirect a variety of local resources to VMs running Windows Server 2012 R2 or Windows 8.1.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following statements about Type I and Type II virtualization are true? (Choose all that apply.)

a. In Type I virtualization, the hypervisor runs on top of a host OS.


b. In Type I virtualization, the hypervisor runs directly on the computer hardware.

c. In Type II virtualization, the hypervisor runs on top of a host OS.

d. In Type II virtualization, the hypervisor runs directly on the computer hardware.

2. Which of the following types of server virtualization provides the best performance for high-traffic servers in production environments?

a. Type I virtualization

b. Type II virtualization

c. Presentation virtualization

d. RemoteApp


3. Which of the following Microsoft operating systems includes a license that enables you to license an unlimited number of virtual instances?

a. Hyper-V Server

b. Windows Server 2012 R2 Datacenter

c. Windows Server 2012 R2 Standard

d. Windows Server 2012 R2 Foundation

4. Which of the following Hyper-V features make it possible for a VM to function with a minimum RAM value that is lower than the startup RAM value? (Choose all that apply.)

a. Smart paging


b. Dynamic Memory

c. Memory Weight

d. Guest Integration Services

5. When you install the Hyper-V role on a server running Windows Server 2012 R2, the instance of the OS on which you installed the role is converted to what system element?

a. The hypervisor

b. The Virtual Machine Monitor

c. The parent partition

d. A child partition

6. Which of the following statements about Generation 1 and Generation 2 virtual machines are true? (Choose all that apply.)


a. You must create a Generation 1 VM before you can create a Generation 2 VM.

b. Generation 2 VMs deploy faster than Generation 1 VMs.

c. Generation 2 VMs only support Windows 8.1 and Windows Server 2012 R2 as guest operating systems.

d. Generation 2 VMs use the same device drivers as Generation 1 VMs.


Objective 3.2: Create and configure virtual machine storage

When you create a VM in Windows Server 2012 R2 Hyper-V, you emulate all the components that you typically find in a physical computer. When you virtualize memory, as discussed in Objective 3.1, “Create and configure virtual machine settings,” you take a portion of the physical memory in the computer and dedicate it to a VM. The same is true with hard disk space. Hyper-V uses a specialized VHD format to package part of the space on a physical disk and make it appear to the VM as though it is a physical hard disk drive.

When you create a new Generation 1 VM in Hyper-V, the wizard creates a virtual storage subsystem that consists of two Integrated Drive Electronics (IDE) controllers and one Small Computer Systems Interface (SCSI) controller. The IDE controllers host the VM’s system drive and its DVD drive. Like their physical equivalents, each IDE controller can host two devices, so you can create two additional virtual drives and add them to the system.

The SCSI controller in the default Generation 1 VM configuration is unpopulated, and you can create additional drives and add them to that controller to provide the VM with additional storage. In a Generation 2 VM, the system and DVD drives are connected to the default SCSI controller and there is no IDE alternative.

In a VM of either generation, you can also create additional SCSI controllers and add drives to them. By creating multiple drives and controllers, Hyper-V makes it possible to construct virtual storage subsystems that emulate almost any physical storage solution you might devise.


NOTE

This objective covers how to:

▪ Create VHDs and VHDX

▪ Configure differencing drives

▪ Modify VHDs

▪ Configure pass-through disks

▪ Manage checkpoints

▪ Implement a virtual Fibre Channel adapter

▪ Configure storage Quality of Service (QoS)


Virtual disk formats

Windows Server 2012 R2 Hyper-V supportsthe original VHD disk image file and the newVHDX format. The original VHD format wascreated by a company called Connectix for itsVirtual PC product. Microsoft later acquiredthe product and used the VHD format for allits subsequent virtualization products,including Hyper-V. There are three types ofVHD files, as follows:

▪ Fixed hard disk image. An image file of a specified size in which all the disk space required to create the image is allocated during its creation. Fixed disk images can be wasteful in terms of storage because they can contain large amounts of empty space, but they are also efficient from a performance standpoint because there is no overhead due to dynamic expansion.


▪ Dynamic hard disk image. An image file with a specified maximum size, which starts small and expands as needed to accommodate the data the system writes to it. This option conserves disk space but can negatively affect performance.

▪ Differencing hard disk image. A child image file associated with a specific parent image. The system writes all changes made to the data on the parent image file to the child image, to manage disk space or to facilitate a rollback at a later time.

VHD images are limited to a maximum size of 2 TB and are compatible with all versions of Hyper-V and Microsoft Type II hypervisor products, such as Virtual Server and Virtual PC. Windows Server 2012 introduced an updated version of the format, which uses a VHDX filename extension.


VHDX image files can be as large as 64 TB, and they also support 4-KB logical sector sizes to provide compatibility with new 4-KB native drives. VHDX files can also use larger block sizes (up to 256 MB), which enable administrators to fine-tune the performance level of a virtual storage subsystem to accommodate specific applications and data file types. However, VHDX files are not backward compatible and can only be read by Windows Server 2012, Windows Server 2012 R2, Windows 8, and Windows 8.1 Hyper-V servers. If migrating your VMs from Windows Server 2012 R2 to an older version of Hyper-V is even a remote possibility, you should continue using the VHD file format.

Creating virtual disks

Windows Server 2012 R2 Hyper-V provides several ways to create virtual disk files. You can create them as part of a VM or create them at another time and add them to a VM. The graphical interface in Hyper-V Manager provides access to most of the VHD parameters, but the Windows PowerShell cmdlets included in Windows Server 2012 R2 provide the most granular control over the disk image format.

Creating a virtual disk with a VM

The New Virtual Machine Wizard includes a Connect Virtual Hard Disk page with which you can add a single disk to your new VM. The options for this disk are relatively limited and consist of the following:

▪ Create A Virtual Hard Disk. Enables you to specify the name, location, and size of a new VHD. The wizard only allows you to create a dynamically expanding disk using the VHDX format, but you can also create fixed and differencing VHDX disks using Windows PowerShell.


▪ Use An Existing Virtual Hard Disk. Enables you to specify the location of an existing VHD or VHDX disk, which the VM will presumably use as its system disk.

▪ Attach A Virtual Hard Disk Later. Prevents the wizard from adding any virtual disks to the VM configuration. The assumption is that you will manually add a disk later, before you start the VM.

The object of this wizard page is to create the disk on which you will install the VM’s OS or to select an existing disk on which an OS is already installed. The disk the wizard creates is always a dynamically expanding one connected to IDE Controller 0 on a Generation 1 VM or connected to the SCSI Controller on a Generation 2 VM.


VHDs

It has become a common practice for Microsoft to release evaluation copies of its products as preinstalled VHD files as an alternative to the traditional installable disk images. After downloading one of these files, you can create a VM on a Hyper-V server and select the Use An Existing Virtual Hard Disk option to mount the VHD as its system drive.

Creating a new virtual disk

You can create a VHD file at any time without adding it to a VM by using the New Virtual Hard Disk Wizard in Hyper-V Manager. To create a new virtual disk, use the following procedure.


1. In Server Manager, on the Tools menu, select Hyper-V Manager. The Hyper-V Manager console opens.

2. In the left pane, select a Hyper-V server.

3. From the Action menu, select New, Hard Disk to start the New Virtual Hard Disk Wizard, displaying the Before You Begin page.

4. Click Next to open the Choose Disk Format page.

5. Select one of the following disk format options:

▪ VHD. Creates an image no larger than 2 TB, using the highly compatible VHD format

▪ VHDX. Creates an image up to 64 TB, using the new VHDX format


6. Click Next to open the Choose Disk Type page.

7. Select one of the following disk type options:

▪ Fixed Size. Creates a disk of a specific size, allocating all of the space at once

▪ Dynamically Expanding. Creates a disk that can grow to the maximum size you specify as you add data

▪ Differencing. Creates a child drive that will contain changes made to a specified parent drive

8. Click Next. The Specify Name And Location page opens.

9. Specify a file name for the disk image in the Name text box and, if desired, specify a location for the file other than the server default. Click Next to open the Configure Disk page.

10. For fixed and dynamically expanding disks, select and configure one of the following options:

▪ Create A New Blank Virtual Hard Disk. Specifies the size (or the maximum size) of the disk image file to create

▪ Copy The Contents Of The Specified Physical Disk. Enables you to select one of the physical hard disks in the computer and copy its contents to the new disk image

▪ Copy The Contents Of The Specified Virtual Hard Disk. Enables you to select an existing virtual disk file and copy its contents to the new disk image

11. Click Next. The Completing The New Virtual Hard Disk Wizard page opens.

12. Click Finish.

The wizard creates the new image disk and saves it to the specified location.


USING WINDOWS POWERSHELL

You can create new VHD files by using Windows PowerShell, which gives you more control than is available through the graphical interface. To create a new disk image, use the New-VHD cmdlet with the following basic syntax:

New-VHD -Path c:\filename.vhd|c:\filename.vhdx -Fixed|-Dynamic|-Differencing -SizeBytes <size> [-BlockSizeBytes <block size>] [-LogicalSectorSizeBytes 512|4096] [-ParentPath <pathname>]

When using the cmdlet to create a disk image, the extension you specify for the filename determines the format (VHD or VHDX); also, you can specify the block size and the logical sector size for the image, two things you cannot do in the GUI. For example, the following command creates a 400-GB fixed VHDX image file with a logical sector size of 4 KB:

New-VHD -Path c:\diskfile.vhdx -Fixed -SizeBytes 400GB -LogicalSectorSizeBytes 4096
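The following script is an added example, not code from the book, showing the same cmdlet used to create one fixed and one dynamically expanding VHDX and then reading back what Hyper-V actually built with Get-VHD. The folder, file names and sizes are assumptions. A fixed disk is zero-filled as it is created, which is why it takes longer but also why a VM can never read leftover data from the host's file system through it.

```powershell
# Added example (not from the book): create VHDX files with New-VHD and verify them.
# C:\VHDs and the sizes below are assumptions for illustration.
$vhdRoot = 'C:\VHDs'
New-Item -ItemType Directory -Path $vhdRoot -Force | Out-Null

# Fixed-size VHDX: all 40 GB are allocated (and zeroed) immediately.
$fixed = New-VHD -Path (Join-Path $vhdRoot 'fixed.vhdx') -Fixed -SizeBytes 40GB

# Dynamically expanding VHDX with a 4 KB logical sector and a 1 MB block size,
# the two settings the New Virtual Hard Disk Wizard does not expose.
$dynamic = New-VHD -Path (Join-Path $vhdRoot 'dynamic.vhdx') -Dynamic -SizeBytes 127GB `
    -LogicalSectorSizeBytes 4096 -BlockSizeBytes 1MB

# Get-VHD reports format, type, sector/block geometry, declared capacity and the
# current file size on disk; for the dynamic disk the last two differ greatly.
foreach ($disk in $fixed, $dynamic) {
    Get-VHD -Path $disk.Path |
        Select-Object Path, VhdFormat, VhdType, LogicalSectorSize, BlockSize,
            @{ n = 'SizeGB';     e = { [math]::Round($_.Size / 1GB, 2) } },
            @{ n = 'FileSizeGB'; e = { [math]::Round($_.FileSize / 1GB, 2) } }
}
```

Run it in an elevated PowerShell session on the Hyper-V host; the Hyper-V module must be present (it is installed with the role or the management tools).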

Adding virtual disks to virtual machines

Creating virtual disk image files as a separate process enables administrators to exercise more control over their capabilities, but after creating the VHD or VHDX files, you must add them to a VM for them to be useful.

To add a hard disk drive to a physical computer, you must connect it to a controller; the same is true with a VM in Hyper-V. When you open the Settings dialog box for a Generation 1 VM in its default configuration, you see three controllers labeled IDE Controller 0, IDE Controller 1, and SCSI Controller. These correspond to the controllers you might find in a typical physical server computer.

Each IDE controller can support two devices, and the default VM configuration uses one channel on IDE Controller 0 for the system hard disk and one channel on IDE Controller 1 for the system's DVD drive. If you did not create a virtual disk as part of the New Virtual Machine Wizard (that is, if you chose the Attach A Virtual Hard Disk Later option), you must add a hard disk image to IDE Controller 0 to use as a system drive. A Generation 1 VM cannot boot from the SCSI controller.

To add an existing virtual system drive to a VM, use the following procedure.


1. In Server Manager, on the Tools menu, select Hyper-V Manager to open the Hyper-V Manager console.

2. In the left pane, select a Hyper-V server.

3. Select a VM and, in the Actions pane, select Settings. The Settings dialog box for the VM appears.

4. Select IDE Controller 0, as shown in Figure 3-16.


Figure 3-16. The IDE Controller interface in the Settings dialog box

5. In the IDE Controller box, select Hard Drive and click Add. The Hard Drive page opens, as shown in Figure 3-17.


Figure 3-17. The Hard Drive interface in the Settings dialog box

6. In the Controller drop-down and the Location drop-down, select the IDE controller and the channel you want to use for the hard disk.


7. With the Virtual Hard Disk option selected, click Browse and select the disk image file you want to add.

8. Click OK to close the Settings dialog box.

Although you cannot use a SCSI drive as the system disk in a Generation 1 VM, you can add virtual data disks to the SCSI controller. Generation 2 VMs have no IDE controllers at all, so their system disk must be attached to a SCSI controller. Unlike the IDE controllers, which support only two devices each, a SCSI controller in Hyper-V can support up to 64 drives. You can also add multiple SCSI controllers to a VM, providing a far larger and more scalable virtual storage subsystem.

Creating differencing disks

A differencing disk enables you to preserve an existing virtual disk image file in its original state while mounting it in an operating system and even modifying its contents. For example, when building a laboratory setup, you can create a baseline system by installing a clean copy of an OS on a new virtual disk and configuring the environment to fit your needs. Then you can create a new child differencing disk using your baseline image as the parent. All subsequent changes you make to the system will then be written to the differencing disk while the parent remains untouched. You can experiment on the test system as you wish, knowing that you can revert to your baseline configuration by just creating a new differencing disk.

You can create multiple differencing disks that point to the same parent image, enabling you to populate a lab network with as many VMs as you need, which saves disk space and eliminates the need to repeatedly install the OS.


To create a cloned version of a baseline installation with a differencing disk, use the following procedure.

1. Install and configure the baseline VM. Create a new VM with a new disk image file and install a guest OS on it. Configure the OS as needed and install any roles, features, applications, or services you need.

2. Generalize the parent image. Open an elevated command prompt on the baseline system and run the Sysprep.exe utility with the appropriate parameters for your requirements. Sysprep configures the system to assign itself a new, unique security ID (SID) the next time the computer starts. This enables you to create multiple cloned systems from a single disk image. Clones made from an image that was not generalized all share the same machine SID and other machine-specific identifiers, which Microsoft does not support.


3. Create a parent disk image. Once you have generalized the baseline installation, you no longer need the original VM. You can delete everything except the VHD or VHDX file containing the disk image. This will become your parent image. Open the Properties sheet for the image file and set the read-only flag to ensure that the baseline does not change. Any later modification of the parent invalidates every differencing disk that depends on it.

4. Create a differencing disk. By using the New Virtual Hard Disk Wizard or the New-VHD cmdlet for Windows PowerShell, create a new differencing disk pointing to the baseline image you created and prepared earlier as the parent image.

5. Create a cloned VM. Create a new VM and, on the Connect Virtual Hard Disk page, attach the differencing disk you just created to it by using the Use An Existing Virtual Hard Disk option.

You can then proceed to create additional cloned VMs with differencing disks that all use the same parent. Each one can function independently and the parent disk will remain unchanged.

When you create a differencing drive by using the New Virtual Hard Disk Wizard, selecting the Differencing option on the Choose Disk Type page causes the Configure Disk page to appear as shown in Figure 3-18. In the Location text box, specify the name of the file that you want to use as the parent image.

In the same way, if you create the differencing disk by using Windows PowerShell, you must run the New-VHD cmdlet with the -Differencing parameter and the -ParentPath parameter, specifying the location of the parent disk.


Figure 3-18. The Configure Disk page in the New Virtual Hard Disk Wizard
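The cloning procedure above, carried out in PowerShell, as an added example that is not part of the book. The Sysprep command is the one run inside the baseline VM before it is shut down; everything else runs on the host. The paths, the VM names and the memory size are assumptions.

```powershell
# Added example (not from the book): clone a generalized baseline with differencing disks.
# Paths, VM names and sizes are assumptions for illustration.

# Step 2, run INSIDE the baseline VM (not on the host) before it is shut down:
#   C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown
# /generalize strips the SID and machine-specific state so each clone gets its own.

$parent   = 'C:\VHDs\Base\ws2012r2-base.vhdx'   # step 3: the baseline VM's disk, VM deleted
$cloneDir = 'C:\VHDs\Clones'
New-Item -ItemType Directory -Path $cloneDir -Force | Out-Null

# Step 3: protect the parent. Hyper-V invalidates every child if the parent changes,
# and a read-only file stops an accidental attach-and-boot from doing exactly that.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

# Steps 4 and 5: one differencing disk and one VM per clone, all sharing the parent.
foreach ($name in 'CLONE01', 'CLONE02', 'CLONE03') {
    $child = Join-Path $cloneDir "$name.vhdx"
    New-VHD -Path $child -Differencing -ParentPath $parent | Out-Null
    New-VM -Name $name -Generation 1 -MemoryStartupBytes 2GB -VHDPath $child | Out-Null
}

# Verify the chain: every child is a Differencing disk pointing at the baseline,
# and the baseline file itself is still read-only and unchanged.
foreach ($file in Get-ChildItem -Path $cloneDir -Filter '*.vhdx') {
    Get-VHD -Path $file.FullName | Select-Object Path, VhdType, ParentPath
}
Get-Item -Path $parent | Select-Object Name, IsReadOnly, LastWriteTime
```

If you later move the parent file, run Set-VHD with -ParentPath on each child so that the chain is re-linked; a child whose parent cannot be found will not start.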

Configuring pass-through disks

This objective has thus far been concerned primarily with VHDs, areas of space on a physical disk drive allocated for use by VMs. However, it is also possible for VMs to access physical disks directly.

A pass-through disk is a type of virtual disk that points to a physical disk drive installed on the host computer. When you add a hard drive to any of the controllers in a VM, you have the option of selecting a physical hard disk as opposed to a virtual one.

To add a physical hard disk to a VM, the VM must have exclusive access to it. This means that you must first take the disk offline in the parent OS by using the Disk Management snap-in, as shown in Figure 3-19, or the Diskpart.exe utility. Once the disk is offline, it will be available for selection in the Physical Hard Disk drop-down list. Taking the disk offline is what prevents the host and the guest from writing to the same volume at the same time, which would corrupt its file system.


Figure 3-19. An offline disk in the Disk Management snap-in
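The two attachment procedures from this section (a virtual system disk on IDE Controller 0, data disks on the SCSI controller, and a pass-through disk that must be offline first), as an added PowerShell example that is not from the book. It assumes a Generation 1 VM named SERVERA that was created with the Attach A Virtual Hard Disk Later option, and that physical disk 2 in the host is the one to pass through; the paths are assumptions as well.

```powershell
# Added example (not from the book): attach virtual and pass-through disks to a VM.
# VM name, paths and the physical disk number are assumptions for illustration.
$vm = 'SERVERA'

# System disk: a Generation 1 VM boots only from IDE, so the OS image goes on
# IDE Controller 0, location 0 (location 1 is the second device on that controller).
Add-VMHardDiskDrive -VMName $vm -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 `
    -Path 'C:\VHDs\servera-sys.vhdx'

# Data disk: the SCSI controller takes up to 64 devices; let Hyper-V pick the location.
New-VHD -Path 'C:\VHDs\servera-data.vhdx' -Dynamic -SizeBytes 200GB | Out-Null
Add-VMHardDiskDrive -VMName $vm -ControllerType SCSI -Path 'C:\VHDs\servera-data.vhdx'

# Pass-through disk: the physical disk must be offline in the host first, so that
# the host and the guest never write to it at the same time. Take it offline,
# re-read its state, and refuse to continue if it is still online.
$diskNumber = 2
if (-not (Get-Disk -Number $diskNumber).IsOffline) {
    Set-Disk -Number $diskNumber -IsOffline $true
}
if (-not (Get-Disk -Number $diskNumber).IsOffline) {
    throw "Disk $diskNumber is still online in the host; not attaching it to $vm."
}
Add-VMHardDiskDrive -VMName $vm -ControllerType SCSI -DiskNumber $diskNumber

# Review what is attached and where. Path is empty and DiskNumber is set for the
# pass-through disk; the reverse is true for the VHDX files.
Get-VMHardDiskDrive -VMName $vm |
    Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path, DiskNumber
```

Get-Disk, Set-Disk and the Hyper-V cmdlets all require an elevated session on the host.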

Modifying virtual disks

Windows Server 2012 R2 and Hyper-V provide several ways for administrators to manage and manipulate VHD images without mounting them in a VM. Once you have created a VHD, whether you have attached it to a VM or not, you can manage it by using the Edit Virtual Hard Disk Wizard in Hyper-V Manager. To edit an existing VHD or VHDX file, use the following procedure.

1. In Server Manager, on the Tools menu, select Hyper-V Manager to open the Hyper-V Manager console.

2. In the left pane, select a Hyper-V server.

3. In the Actions pane, select Edit Disk. The Edit Virtual Hard Disk Wizard starts, displaying the Before You Begin page.

4. Click Next to open the Locate Disk page.

5. Type or browse to the name of the VHD or VHDX file you want to open and click Next. The Choose Action page appears.

6. Select one of the following functions:


▪ Compact. Reduces the size of a dynamically expanding or differencing disk by deleting empty space while leaving the disk's capacity unchanged

▪ Convert. Changes the type or format of a disk by copying the data to a new disk image file

▪ Expand. Increases the capacity of the disk by adding empty storage space to the image file

▪ Shrink. Reduces the capacity of the disk by deleting empty storage space from the file

▪ Merge. Combines the data on a differencing disk with that of the parent disk to form a single composite image file


7. Click Next to open the Completing The Edit Virtual Hard Disk Wizard page.

8. Complete any new pages presented by the wizard as a result of your selection and click Finish.

The options that appear on the wizard's Choose Action page depend on the current status of the image file you select. For example, the Merge option only appears if you choose a differencing disk, and the Shrink option does not appear unless there is free space in the file that the wizard can delete.

In addition to these disk-editing functions provided by Hyper-V Manager, it is possible to use the Disk Management snap-in on the Hyper-V host to mount a VHD or VHDX file as a drive and access its contents, just as if it were a physical disk.


To mount a VHD file, use the following procedure.

1. In Server Manager, on the Tools menu, select Computer Management to open the Computer Management console.

2. In the left pane, select Disk Management. The Disk Management snap-in opens.

3. From the Action menu, select Attach VHD. The Attach Virtual Hard Disk dialog box appears.

4. In the Location text box, type or browse to the disk image file you want to attach and click OK. The disk appears in the Disk Management interface.

5. Close the Computer Management console.


At this point, you can work with the virtual disk and its contents using any standard tools, just as you would a physical hard disk drive. To detach the VHD, you use the same procedure and select Detach VHD from the Action menu. Do not attach an image for writing while a VM is using it; the Attach Virtual Hard Disk dialog box includes a Read-only check box for inspecting a disk safely.
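The five wizard functions and the mount/detach procedure have PowerShell equivalents in the Hyper-V module. The following is an added example, not from the book; it assumes a legacy VHD named C:\VHDs\legacy.vhd and a differencing disk C:\VHDs\test-child.vhdx already exist, and that neither is attached to a running VM.

```powershell
# Added example (not from the book): the Edit Virtual Hard Disk Wizard functions and
# the host-side mount, done from PowerShell. Paths are assumptions for illustration.
$old = 'C:\VHDs\legacy.vhd'
$new = 'C:\VHDs\legacy.vhdx'

# Convert: VHD to VHDX (the extension of the destination selects the format);
# -VhdType also lets you switch between Fixed and Dynamic at the same time.
Convert-VHD -Path $old -DestinationPath $new -VhdType Dynamic

# Expand: raise the declared capacity. Resize-VHD only grows the container; the
# guest must extend its own partition afterwards to use the new space.
Resize-VHD -Path $new -SizeBytes 250GB

# Shrink: VHDX can only shrink down to the space its partitions actually occupy.
# Ask how far it can go, then shrink to exactly that.
$minimum = (Get-VHD -Path $new).MinimumSize
Write-Verbose "Smallest capacity possible for $new is $([math]::Round($minimum / 1GB, 2)) GB"
Resize-VHD -Path $new -ToMinimumSize

# Compact: reclaim zeroed and unused blocks inside a dynamic or differencing file.
Optimize-VHD -Path $new -Mode Full

# Merge: write a differencing disk's changes back into its immediate parent.
# This modifies the parent and therefore invalidates any OTHER children of it,
# so merge only a chain that you own outright (or a copy of it).
Merge-VHD -Path 'C:\VHDs\test-child.vhdx'

# Mount in the host to inspect contents offline. Mount read-only: a writable mount
# of a disk that a running VM is also using corrupts the file system.
$mounted = Mount-VHD -Path $new -ReadOnly -Passthru
$mounted | Get-Disk | Get-Partition | Get-Volume |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, SizeRemaining
Dismount-VHD -Path $new
```

Mount-VHD with -Passthru returns the disk object, which is what the Get-Disk | Get-Partition | Get-Volume pipeline consumes; always pair it with Dismount-VHD, otherwise the VM cannot attach the file.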

Creating checkpoints

In Hyper-V, a checkpoint is a captured image of the state, data, and hardware configuration of a VM at a particular moment in time. Creating checkpoints is a convenient way for administrators to revert a VM to a previous state at will. For example, if you create a checkpoint just before applying a system update, and the update is somehow problematic, you can apply the checkpoint and return the VM to the state in which it was before you applied the update.


EXAM TIP

Prior to Windows Server 2012 R2, the checkpoints in Hyper-V were known as snapshots. Checkpoints function in exactly the same way as snapshots; only the name has changed. You can expect to see either term on the 70-410 exam. Several Windows PowerShell cmdlets also retain the old name, such as Get-VMSnapshot and Restore-VMSnapshot.

Creating a checkpoint is as simple as selecting a running VM in Hyper-V Manager and selecting Checkpoint from the Actions pane. The system creates a checkpoint file with an AVHD or AVHDX extension, in the same folder as the VHD file, and adds the checkpoint to the Hyper-V Manager display, as shown in Figure 3-20.


Figure 3-20. A checkpoint in Hyper-V Manager

Checkpoints are a useful tool for administrators implementing a test environment in Hyper-V, but they are not recommended for heavy use in production environments. In addition to consuming disk space, the presence of checkpoints can reduce the overall performance of a VM's disk subsystem, because every read has to be resolved through the chain of AVHDX differencing files. Administrators also should not use checkpoints on VMs containing databases (such as those created by SQL Server, Exchange, or Windows domain controllers) because the checkpointing process does not account for the current state of the database, and corruption might occur.

Configuring Storage Quality of Service (QoS)

Because it is common for more than one virtual hard disk to be hosted by a single physical hard disk, it is possible for one virtual disk to monopolize the input/output capacity of a physical disk, causing the other virtual disks to slow down. To help prevent this, Windows Server 2012 R2 enables you to control the Quality of Service (QoS) for a given virtual hard disk.

QoS management in Hyper-V takes the form of controls that enable you to specify the minimum and maximum input/output operations per second (IOPS) for a disk. To configure storage QoS, open the Settings dialog box for a VM, expand a hard drive component, and select Advanced Features to display the Advanced Features page shown in Figure 3-21.


Figure 3-21. Storage Quality of Service controls in Hyper-V Manager

After selecting the Enable Quality Of Service Management check box, you can specify Minimum IOPS and Maximum IOPS values for the disk. Hyper-V counts I/O in normalized 8 KB units, so a single 64 KB request counts as eight operations against these limits.

Connecting to a storage area network (SAN)

At its most basic level, a storage area network (SAN) is simply a network dedicated to high-speed connections between servers and storage devices. Instead of installing disk drives into servers or connecting them by using an external SCSI bus, a SAN consists of one or more drive arrays equipped with network interface adapters, which you connect to your servers by using standard twisted pair or fiber optic network cables. A SAN-connected server, therefore, typically has at least two network adapters, one for the standard local area network (LAN) connection and one for the SAN, as shown in Figure 3-22.


Figure 3-22. A server connected to a SAN

The advantages of SANs are many. By connecting the storage devices to a network instead of to the servers themselves, you avoid the limitations imposed by the maximum number of devices you can connect directly to a computer. SANs also provide added flexibility in their communications capabilities. Because any device on a SAN can conceivably communicate with any other device on the same SAN, high-speed data transfers can occur in any of the following ways:

▪ Server to storage. Servers can access storage devices over the SAN just as if they were connected directly to the computer.

▪ Server to server. Servers can use the SAN to communicate directly with one another at high speeds to avoid flooding the LAN with traffic.

▪ Storage to storage. Storage devices can communicate among themselves without server intervention, for example, to perform backups from one medium to another or to mirror drives on different arrays.

Although a SAN is not in itself a high-availability technology, you can make it one by connecting redundant servers to the same network, as shown in Figure 3-23, enabling them to access the same data storage devices. If one server should fail, another can assume its roles by accessing the same data. This is called server clustering.


Figure 3-23. Multiple servers connected to a SAN

Because they use standard networking technologies, SANs can also greatly extend the distances between servers and storage devices. You can design a SAN that spans different rooms, different floors, or even different buildings, just as you would a standard computer network.

Servers and storage devices cannot exchange SCSI commands over a SAN connection the way they do when the devices are directly connected using a SCSI cable. To communicate over a SAN, servers and storage devices map their SCSI communications onto another protocol, such as Fibre Channel or iSCSI. Because any server on the fabric can in principle reach any storage port, access to individual logical units is restricted with zoning on the switches and LUN masking on the arrays.

Using Fibre Channel

Fibre Channel is a versatile SAN communications technology supporting various network media, transmission speeds, topologies, and upper-level protocols. Its primary disadvantage is that it requires specialized hardware that can be extremely expensive.


MORE INFORMATION FIBRE CHANNEL

The nonstandard spelling of the word fibre in Fibre Channel is deliberate, to distinguish the term from fiber optic. Fibre Channel can run on either twisted-pair copper cables or on optical cables, whereas the spelling fiber always refers to an optical medium.

Installing a traditional Fibre Channel SAN entails building an entirely new network with its own special medium, switches, and network interface adapters. In addition to the hardware costs, which can easily be 10 times those of a traditional Ethernet network, there are also installation and maintenance expenses to consider. Fibre Channel is a rather esoteric technology, with relatively few experts in the field.


To install and maintain a Fibre Channel SAN, an organization must either hire experienced staff or train existing personnel on the new technology. However, there is also a variant called Fibre Channel over Ethernet (FCoE) that carries Fibre Channel frames over Ethernet and is therefore much less expensive, although it still requires lossless (Data Center Bridging capable) switches and converged network adapters rather than ordinary Ethernet hardware.

Connecting virtual machines to a SAN

The specialized networking technologies used to build Fibre Channel SANs have, in the past, made it difficult to use them with virtualized servers. However, since the Windows Server 2012 implementation, Hyper-V has supported the creation of virtual Fibre Channel adapters.

A Hyper-V Fibre Channel adapter is essentially a pass-through device that enables a VM to access a physical Fibre Channel adapter installed in the computer, and through that, to access the external resources connected to the SAN. With this capability, applications running on VMs can access data files stored on SAN devices and administrators can use VMs to create server clusters with shared storage subsystems.

To support virtual Fibre Channel connectivity, the physical Fibre Channel host bus adapter(s) in the host computer must have drivers that explicitly support virtual Fibre Channel, and the adapter and the fabric must support N_Port ID Virtualization (NPIV), which lets one physical port present several World Wide Port Names. This support is relatively rare, but more manufacturers are expected to update their drivers to provide it. Your SAN must also be able to address its connected resources by using logical unit numbers (LUNs).

Assuming you have the appropriate hardware and software installed on the host computer, you implement the Fibre Channel capabilities in Hyper-V by first creating a virtual SAN by using the Virtual SAN Manager, accessible from Hyper-V Manager. When you create the virtual SAN, the World Wide Node Names (WWNNs) and World Wide Port Names (WWPNs) of your host bus adapter appear, as shown in Figure 3-24.


Figure 3-24. WWNNs and WWPNs in a virtual SAN

The next step is to add a Fibre Channel adapter to a VM from the Add Hardware page in the Settings dialog box. When you do this, the virtual SAN you created earlier is available on the Fibre Channel Adapter page, shown in Figure 3-25. Hyper-V virtualizes the SAN and assigns the VM its own WWNNs and WWPNs; these are the identities you zone and LUN-mask on the fabric, so that the VM sees only the storage intended for it.


Figure 3-25. A Fibre Channel adapter in a VM
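The two steps above (virtual SAN, then a virtual Fibre Channel adapter in the VM) from PowerShell, as an added example that is not from the book. It needs an NPIV-capable host bus adapter with virtual Fibre Channel driver support; the SAN name and VM name are assumptions, and the WWNN/WWPN values are read from the host rather than typed in.

```powershell
# Added example (not from the book): virtual SAN and virtual FC adapter in PowerShell.
# Requires an NPIV-capable HBA with virtual Fibre Channel driver support.
# The SAN name and VM name are assumptions for illustration.

# Discover the physical Fibre Channel initiator ports the host can see.
$ports = Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'Fibre Channel' }
if (-not $ports) { throw 'No Fibre Channel initiator ports found on this host.' }
$ports | Select-Object NodeAddress, PortAddress, OperationalStatus

# Create the virtual SAN bound to those ports' WWNN/WWPN pairs.
New-VMSan -Name 'FC-SAN-A' `
    -WorldWideNodeName $ports.NodeAddress `
    -WorldWidePortName $ports.PortAddress

# Give the VM a virtual HBA on that SAN. Hyper-V generates two WWPN sets (A and B)
# so the VM can log in with the second set during a live migration.
Add-VMFibreChannelHba -VMName 'SQL01' -SanName 'FC-SAN-A'

# These generated identities, not the host's, are what the fabric administrator
# zones and the array administrator LUN-masks. Both sets must be included.
Get-VMFibreChannelHba -VMName 'SQL01' |
    Select-Object SanName, WorldWideNodeNameSetA, WorldWidePortNameSetA,
        WorldWideNodeNameSetB, WorldWidePortNameSetB
```

Get-InitiatorPort comes from the Storage module; the VM cmdlets are in the Hyper-V module. Without NPIV on both the HBA and the fabric switch, Add-VMFibreChannelHba succeeds but the VM never logs in to the fabric.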


THOUGHT EXPERIMENT: CREATING A VHD

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Ed wants to create a new VHD file on his Hyper-V server by using Windows PowerShell. He runs the Get-Disk cmdlet and receives the following results:

Number  Friendly Name           OperationalStatus  TotalSize  PartitionStyle
------  -------------           -----------------  ---------  --------------
0       WDC WD5003ABYX-18WERA0  Online             465.76 GB  MBR
1       WDC WD1002FAEX-00Z3A0   Online             931.51 GB  GPT

What command should Ed use to create a new 500-GB fixed VHD for his Server A VM, in the Windows Server 2012 R2 format, using data from the 465-GB drive on his computer, and a 4,096-byte sector size?

Objective summary

▪ Hyper-V uses a specialized VHD format to package part of the space on a physical disk and make it appear to the VM as though it is a physical hard disk drive.

▪ A dynamic hard disk image is an image file with a specified maximum size, which starts small and expands as needed to accommodate the data the system writes to it.

▪ A differencing hard disk image is a child image file associated with a specific parent image. The system writes all changes made to the operating system to the child image, to facilitate a rollback at a later time.

▪ VHDX image files in Windows Server 2012 R2 can be as large as 64 TB, and they also support 4-KB logical sector sizes to provide compatibility with new 4-KB native drives.

▪ A pass-through disk is a type of virtual disk that points to a physical disk drive installed on the host computer.

▪ In Hyper-V, a checkpoint is a captured image of the state, data, and hardware configuration of a VM at a particular moment in time.

▪ QoS management in Hyper-V takes the form of controls that enable you to specify the minimum and maximum input/output operations per second (IOPS) for a disk.


▪ The specialized networking technologies used to build Fibre Channel SANs have, in the past, made it difficult to use them with virtualized servers. However, Windows Server 2012 R2 Hyper-V supports the creation of virtual Fibre Channel adapters.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following statements about VHDX files is not true?

a. VHDX files can be as large as 64 TB.


b. VHDX files can only be opened by computers running Windows Server 2012 and Windows Server 2012 R2.

c. VHDX files support larger block sizes than VHD files.

d. VHDX files support 4-KB logical sectors.

2. Which of the following must be true about a pass-through disk?

a. A pass-through disk must be offline in the guest OS that will access it.

b. A pass-through disk must be offline in the parent partition of the Hyper-V server.


c. A pass-through disk can only be connected to a SCSI controller.

d. A pass-through disk must be added to a VM with the Disk Management snap-in.

3. The Merge function only appears in the Edit Virtual Hard Disk Wizard under which of the following conditions?

a. When you select a VHDX file for editing

b. When you select two or more disks for editing

c. When you select a disk with free space available in it

d. When you select a differencing disk for editing


4. Which of the following are valid reasons not to take checkpoints of VMs? (Choose all that apply.)

a. Checkpoints can consume a large amount of disk space.

b. Each checkpoint requires a separate copy of the VM's memory allocation.

c. Each checkpoint can take several hours to create.

d. The existence of checkpoints slows down VM performance.

5. Which of the following is not required to add a Fibre Channel adapter to a Hyper-V VM?

a. You must create a Fibre Channel virtual SAN.


b. You must have a physical Fibre Channel adapter installed in the host computer.

c. You must have a Fibre Channel adapter driver that supports virtual networking.

d. You must have a SCSI cable connecting the Fibre Channel adapter to the storage devices.

Objective 3.3: Create and configure virtual networks

Networking is a critical part of creating a VM infrastructure. Depending on your network plan, the VMs you create on a Windows Server 2012 R2 Hyper-V server can require communication with other VMs, with the computers on your physical network, and with the Internet.

When you build a network out of physical computers, you install a network interface adapter in each one and connect it to a hardware switch. The same principle is true in a Hyper-V environment, except that you use virtual components instead of physical ones. Each VM you create has at least one virtual network adapter and you can connect that adapter to a virtual switch. This enables you to connect the VMs on your Hyper-V server in various network configurations that either include or exclude the systems on your physical network.

You can create multiple virtual switches on a Hyper-V server and multiple network adapters in each VM. This enables you to create a flexible networking environment that is suitable for anything from a laboratory or classroom network to a production environment. In addition, Windows Server 2012 introduced the ability to create extensions for virtual switches so that software developers can enhance their capabilities, and Windows Server 2012 R2 retains it.


NOTE

This objective covers how to:

▪ Implement Hyper-V Network Virtualization

▪ Configure Hyper-V virtual switches

▪ Optimize network performance

▪ Configure MAC addresses

▪ Configure network isolation

▪ Configure synthetic and legacy virtual network adapters

▪ Configure network interface card (NIC) teaming in VMs


Creating virtual switches

A virtual switch, like its physical counterpart, is a device that functions at Layer 2 of the Open Systems Interconnection (OSI) reference model. A switch has a series of ports, each of which is connected to a computer's network interface adapter. Any computer connected to the switch can transmit data to any other computer connected to the same switch.

Unlike physical switches, the virtual switches created by Hyper-V can have an unlimited number of ports, so administrators don't have to be concerned about connecting switches together or about uplinks and crossover circuits.

Creating the default virtual switch

The Windows Server 2012 R2 Add Roles And Features Wizard provides the opportunity to create virtual switches when you install the Hyper-V role. When you install Hyper-V on a server running Windows Server 2012 R2, the Create Virtual Switches page provides you with the opportunity to create a virtual switch for each of the physical network adapters installed in the host computer. These switches enable VMs to participate on the networks to which the physical adapters are connected.

When you create a virtual switch, the networking configuration in the host OS on the parent partition changes. The new virtual switch appears in the Network Connections window, and if you examine its properties, you can see that the switch is bound to the operating system's TCP/IP client, as shown in Figure 3-26.

Meanwhile, Hyper-V also changes the properties of the original network connection representing the physical network interface adapter in the computer. The physical network adapter is now bound only to the virtual switch, as shown in Figure 3-27.


As a result, the computer's physical network configuration, in which its network adapter is connected to an external physical switch, is overlaid by the virtual network configuration created by Hyper-V. In this virtual configuration, the virtual switch is connected to the physical switch and the network adapter in the host OS is connected to the virtual switch. The internal virtual network and the external physical network are joined into a single LAN, just as if you connected two physical switches.


Figure 3-26. A virtual switch and its properties, displayed in the host OS


Figure 3-27. A network interface adapter in the host OS, bound to a virtual switch

Once Hyper-V has created the virtual switch and made these configuration changes, any new VMs that administrators choose to connect to the virtual switch become part of this conjoined network, as do any physical computers connected to the physical network through an external switch.


This type of virtual switch is, in Hyper-V terminology, an external network switch because it provides connections external to the Hyper-V environment. This is typically the preferred arrangement for a production network in which Hyper-V VMs provide and consume services for the entire network.

For example, a VM connected to this switch will automatically obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server on the physical network, if there is one. As an alternative, you could configure a VM as a DHCP server and let it provide addresses to all of the systems on the network, virtual or physical. The reverse also holds: a VM that runs a DHCP server by accident, or because its owner chose to, answers requests from the physical network as well, which is why the Advanced Features page of a virtual network adapter offers a DHCP Guard setting that drops DHCP server messages from VMs that should not be sending them.

Perhaps more important, this arrangement can also enable your VMs to access the Internet by using the router and DNS servers on the external network. The VMs can then download OS updates from servers on the Internet, just as external machines often do.


There are situations in which this type of virtual switch is inappropriate. If you are creating a laboratory network for product testing or a classroom network, you might not want it to be accessible to or from the external network. In these cases, you must create a different type of virtual switch by using the Virtual Switch Manager in Hyper-V Manager.

Creating a new virtual switch

Hyper-V in Windows Server 2012 R2 supports three types of switches, which you must create in the Virtual Switch Manager before you can connect VMs to them.

To create a new virtual switch, use the following procedure.

1. In Server Manager, on the Tools menu, select Hyper-V Manager to open the Hyper-V Manager console.

2. In the left pane, select a Hyper-V server.


3. From the Actions pane, select Virtual Switch Manager. The Virtual Switch Manager dialog box for the Hyper-V server opens, as shown in Figure 3-28.

Figure 3-28. The Virtual Switch Manager dialog box


4. In the Create Virtual Switch section, select one of the following switch types:

▪ External. The virtual switch is bound to the networking protocol stack in the host OS and connected to a physical network interface adapter in the Hyper-V server. The host OS on the parent partition and the VMs on the child partitions can all access the physical network to which the physical adapter is connected.

▪ Internal. An internal network switch is bound to a separate instance of the networking protocol stack in the host OS, independent from the physical network interface adapter and its connected network. The host OS on the parent partition and the VMs on the child partitions can all access the virtual network implemented by the virtual switch; the host OS on the parent partition can access the physical network through the physical network interface adapter, but the VMs on the child partitions cannot access the physical network through the physical adapter.

▪ Private. A private network switch exists only in the Hyper-V server and is accessible only to the VMs running on the child partitions. The host OS on the parent partition can access the physical network through the physical network interface adapter, but it cannot access the virtual network created by the virtual switch.

5. Click Create Virtual Switch to open the Virtual Switch Properties page.


6. Configure the following options, if desired:

▪ Allow Management Operating System To Share This Network Adapter. Selected by default when you create an external virtual switch, clearing this check box excludes the host OS from the physical network on that adapter while allowing access to the child VMs. Clear it when the host has a separate management adapter, so that management traffic stays off the VM-facing network.

▪ Enable Single Root I/O Virtualization (SR-IOV). Enables you to create an external virtual switch that is associated with a physical network adapter capable of supporting SR-IOV. This option is only available when creating a new virtual switch; you cannot modify an existing virtual switch to use this option.


▪ Enable Virtual LAN Identification For Management Operating System. If your host computer is connected to a physical switching infrastructure that uses virtual LANs (VLANs) to create separate subnets, you can select this check box and enter a VLAN identifier to associate the virtual switch with a particular VLAN on your physical network.

7. Click OK. The new virtual switch appears in the left pane, in the list of virtual switches.

You can create additional virtual switches as needed. You can create only one external switch for each physical network adapter in the computer, but you can create multiple internal or private switches to create as many virtual networks as you need.


USING WINDOWS POWERSHELL

To create a new virtual switch by using Windows PowerShell, use the New-VMSwitch cmdlet with one of the following basic forms. The -NetAdapterName and -SwitchType parameters are mutually exclusive: the first creates an external switch, the second an internal or private one:

New-VMSwitch -Name <switch name> -NetAdapterName <adapter name> [-AllowManagementOS $true|$false]

New-VMSwitch -Name <switch name> -SwitchType Internal|Private

For example, to create an external switch called LAN Switch, you would use the following command:

New-VMSwitch -Name "LAN Switch" -NetAdapterName "Ethernet"
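The following added example (not from the book) creates one switch of each of the three types described in the procedure, applies the management-OS VLAN and SR-IOV options from step 6 where they apply, connects a VM to the isolated switch, and lists the result. The adapter names, switch names, VLAN ID and VM name are assumptions.

```powershell
# Added example (not from the book): one switch of each type plus the step 6 options.
# Adapter names, switch names, the VLAN ID and the VM name are assumptions.

# External: bound to a physical NIC, host still shares it (the default). Tag the
# host's own traffic with VLAN 10 so management is separated from VM traffic.
New-VMSwitch -Name 'External-LAN' -NetAdapterName 'Ethernet' -AllowManagementOS $true
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'External-LAN' -Access -VlanId 10

# External for VM traffic only, with SR-IOV. SR-IOV can only be chosen at creation
# time, and the host is kept off this NIC since it has 'Ethernet' for management.
New-VMSwitch -Name 'External-VMs' -NetAdapterName 'Ethernet 2' -AllowManagementOS $false -EnableIov $true

# Internal: host and VMs share a network that touches no physical NIC.
New-VMSwitch -Name 'Internal-Lab' -SwitchType Internal

# Private: VMs only. Neither the host nor the physical network can reach it.
New-VMSwitch -Name 'Private-Lab' -SwitchType Private

# Move a lab VM's adapter onto the isolated switch.
Connect-VMNetworkAdapter -VMName 'LABDC01' -SwitchName 'Private-Lab'

# Review: type, backing adapter, and whether the host is on each switch.
Get-VMSwitch |
    Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS, IovEnabled
```

Get-NetAdapter lists the physical adapter names to use with -NetAdapterName; the command fails if the adapter is already bound to another external switch, matching the one-external-switch-per-adapter rule above.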

Configuring MAC addresses

Every network interface adapter has a Media Access Control (MAC) address, sometimes called a hardware address, that uniquely identifies the device on the network. On physical network adapters, the MAC address is assigned by the manufacturer and permanently entered in the adapter's firmware. The MAC address is a 6-byte hexadecimal value, the first three bytes of which are an organizationally unique identifier (OUI) that specifies the manufacturer, and the last three bytes of which identify the adapter itself.

The MAC address is essential to the operationof a LAN, so the virtual network adapters on aHyper-V server need to have them. The serverhas at least one real MAC address, provided inits physical network adapter, but Hyper-Vcannot use that one address for all the virtualadapters connecting VMs to the network.

Instead, Hyper-V creates a pool of MAC ad-dresses during the installation of the role andit assigns addresses from this pool to VMs asyou create them. To view or modify the MAC

589/1537

address pool for the Hyper-V server, you openthe Virtual Switch Manager and, under GlobalNetwork Settings, select MAC Address Range,as shown in Figure 3-29.

590/1537

Figure 3-29. The MAC Address Range in theVirtual Switch Manager

The first three bytes of the MAC address rangeare always 00-15-5D, which is an OUI

591/1537

registered by Microsoft. The fourth and fifthbytes of the MAC address are the last twobytes of the IP address assigned to the server’sphysical network adapter, converted to hexa-decimal notation. The sixth and last byte ofthe MAC address contains the range of valuesfrom 00 to FF, which provides 256 possibleaddresses.

The Hyper-V server assigns the MAC ad-dresses to the network adapters in VMs as ad-ministrators create the adapters. The adaptersretain their MAC addresses permanently oruntil the adapter is removed from the VM. Theserver reclaims any unused addresses and re-uses them.

The default pool of 256 addresses is expectedto be sufficient for most Hyper-V VM config-urations, but if it is not, you can modify theMinimum and Maximum values to enlarge thepool. To prevent address duplication, youshould change the second-to-last byte only,

592/1537

making it into a range of addresses like thelast byte.

For example, the range illustrated in the figureprovides 256 addresses with the followingvalues:

00-15-1D-02-12-00 to 00-15-1D-02-12-FF

Modifying only the least significant digit, as inthe following values, increases the pool from256 to 4,096:

00-15-1D-02-10-00 to 00-15-1D-02-1F-FF

593/1537

MAC ADDRESSES

When you modify the MAC addresspool and you have other Hyper-V serv-ers on your network, you must be care-ful not to create an overlap situation inwhich duplicate MAC addresses can oc-cur or networking problems can result.
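The overlap check in the note above can be done before touching the pool. The following script is an added example, not from the book: it derives a host's default pool from the rule given in this section and compares several hosts' pools for overlap. The host names and IP addresses are constructed sample values.

```powershell
# Added example (not from the book): derive a host's default Hyper-V MAC address
# pool from the rule above (OUI 00-15-5D, then the last two IP octets in hex,
# then 00 to FF) and check several hosts' pools for overlap before widening one.
# Host names and IP addresses below are constructed sample values.

function Get-DefaultVmMacPool {
    param([Parameter(Mandatory)][string]$HostIPv4Address)
    $octets = $HostIPv4Address.Split('.') | ForEach-Object { [int]$_ }
    # Hyper-V stores the range as 12 hex digits with no separators.
    $prefix = '00155D{0:X2}{1:X2}' -f $octets[2], $octets[3]
    [pscustomobject]@{ Minimum = $prefix + '00'; Maximum = $prefix + 'FF' }
}

function Test-MacPoolOverlap {
    # Each entry: an object with Host, Minimum and Maximum (12 hex digits).
    param([Parameter(Mandatory)][object[]]$Pools)
    $overlaps = @()
    for ($i = 0; $i -lt $Pools.Count; $i++) {
        for ($j = $i + 1; $j -lt $Pools.Count; $j++) {
            $aMin = [Convert]::ToInt64($Pools[$i].Minimum, 16)
            $aMax = [Convert]::ToInt64($Pools[$i].Maximum, 16)
            $bMin = [Convert]::ToInt64($Pools[$j].Minimum, 16)
            $bMax = [Convert]::ToInt64($Pools[$j].Maximum, 16)
            # Two ranges overlap when neither one ends before the other begins.
            if ($aMin -le $bMax -and $bMin -le $aMax) {
                $overlaps += ('{0} and {1} share MAC addresses' -f $Pools[$i].Host, $Pools[$j].Host)
            }
        }
    }
    $overlaps
}

$hv01 = Get-DefaultVmMacPool -HostIPv4Address '192.168.2.18'   # 00155D0212 00-FF
$hv02 = Get-DefaultVmMacPool -HostIPv4Address '192.168.2.19'   # 00155D0213 00-FF
$pools = @(
    [pscustomobject]@{ Host = 'HV01'; Minimum = $hv01.Minimum; Maximum = $hv01.Maximum }
    [pscustomobject]@{ Host = 'HV02'; Minimum = $hv02.Minimum; Maximum = $hv02.Maximum }
    # A third host whose pool was widened by hand to ...1000 to ...1FFF, which
    # now contains both default pools above.
    [pscustomobject]@{ Host = 'HV03'; Minimum = '00155D021000'; Maximum = '00155D021FFF' }
)
Test-MacPoolOverlap -Pools $pools
# Reports HV01/HV03 and HV02/HV03; HV01 and HV02 do not overlap.

# On a live host, read the current pool and change it only after the check passes:
# Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
# Set-VMHost -MacAddressMinimum 00155D021000 -MacAddressMaximum 00155D021FFF
```

The same comparison applies to any static MAC addresses you assign by hand: they must fall outside every host's dynamic pool, or a later dynamic assignment can collide with them.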

Creating virtual network adapters

Once you have created virtual switches in Hyper-V Manager, you can connect VMs to them by creating and configuring virtual network adapters. When you create a new VM, the default configuration includes one virtual network adapter. The New Virtual Machine Wizard includes a Configure Networking page, on which you can select one of the virtual switches you have created.

If you have created only the default external virtual switch when installing Hyper-V, then connecting a VM to that switch joins the system to the physical network. If you want to create additional network adapters in your VMs, you must use the following procedure.

1. In Server Manager, on the Tools menu, select Hyper-V Manager to open the Hyper-V Manager console.

2. In the left pane, select a Hyper-V server.

3. In the Virtual Machines list, select a VM and, in the Actions pane, click Settings. The Settings dialog box for the VM appears.

4. In the Add Hardware list, select Network Adapter and click Add. A new adapter appears in the Hardware list, as shown in Figure 3-30.

Figure 3-30. A new network adapter in the Settings dialog box

5. In the Virtual Switch drop-down list, select the switch to which you want to connect the network adapter.

6. If your host computer is connected to a physical switching infrastructure that uses VLANs to create separate subnets, you can select the Enable Virtual LAN Identification check box and enter a VLAN identifier to associate the network adapter with a particular VLAN on your physical network.

7. To control the amount of network bandwidth allocated to the network adapter, select the Enable Bandwidth Management check box and supply values for the Minimum Bandwidth and Maximum Bandwidth settings.

8. Click OK. The settings are saved to the VM configuration.

You can create up to 12 network adapters on a Windows Server 2012 R2 Hyper-V server: eight synthetic and four emulated.

Synthetic adapters and emulated adapters

Selecting the Network Adapter option on the Add Hardware page creates what is known in Hyper-V terminology as a synthetic network adapter. Hyper-V supports two types of network and storage adapters: synthetic and emulated (sometimes called legacy).

A synthetic adapter is a purely virtual device that does not correspond to a real-world product. Synthetic devices in a VM running on a child partition communicate with the parent partition by using a high-speed conduit called the VMBus.

The virtual switches you create in Hyper-V reside in the parent partition and are part of a component called the network Virtualization Service Provider (VSP). The synthetic network adapter in the child partition is a Virtualization Service Client (VSC). The VSP and the VSC are both connected to the VMBus, which provides interpartition communications, as shown in Figure 3-31. The VSP, in the parent partition, provides the VSC, in the child partition, with access to the physical hardware in the host computer; that is, the physical network interface adapter.

Figure 3-31. Synthetic network adapters communicate by using the VMBus

Because they have access to the hardware through the VMBus, synthetic adapters provide a much higher level of performance than the alternative, emulated adapters. Synthetic adapters are implemented as part of the Guest Integration Services package that runs on supported guest OSs. The main drawback of synthetic network adapters is that they are not operational until the OS is loaded on the VM.

An emulated adapter—sometimes called a legacy adapter—is a standard network adapter driver that communicates with the parent partition by making calls directly to the hypervisor, which is external to the partitions, as shown in Figure 3-32. This communication method is substantially slower than the VMBus used by the synthetic network adapters and is therefore less desirable.

Figure 3-32. Emulated network adapters communicate by using the hypervisor

To install an emulated adapter, you use the same procedure described earlier, except that you select Legacy Network Adapter from the Add Hardware list. Unlike synthetic adapters, emulated adapters load their drivers before the OS, so it is possible to boot the VM by using the Preboot eXecution Environment (PXE) and then deploy an OS over the network.

This is one of two scenarios in which using an emulated adapter is preferable to using a synthetic adapter. The other is when you are installing an OS on your VMs that does not have a Guest Integration Services package available for it.
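The adapter procedure in the preceding section and the legacy adapter described here can both be scripted. The following is an added example, not from the book: it adds a synthetic adapter with the VLAN and bandwidth settings from steps 6 and 7, then adds an emulated adapter for PXE deployment. The VM name "SRV-TEST01", the switch "LAN Switch", the adapter names and VLAN 20 are assumed values.

```powershell
# Added example (not from the book): the "add a network adapter" procedure from
# the numbered steps above, done in Windows PowerShell, plus a legacy (emulated)
# adapter for PXE deployment. VM "SRV-TEST01", switch "LAN Switch", adapter names
# and VLAN 20 are assumed values. Requires the Hyper-V module on the host.

$vm     = 'SRV-TEST01'
$switch = 'LAN Switch'

# Steps 4 and 5: add a synthetic adapter and connect it to the chosen switch.
Add-VMNetworkAdapter -VMName $vm -SwitchName $switch -Name 'Data NIC'

# Step 6: Enable Virtual LAN Identification with VLAN ID 20 (access mode).
Set-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName 'Data NIC' -Access -VlanId 20

# Step 7: Enable Bandwidth Management. Both values are bits per second.
# -MinimumBandwidthAbsolute is honoured only when the switch uses absolute
# bandwidth reservation (assumed here); -MaximumBandwidth is a hard cap.
Set-VMNetworkAdapter -VMName $vm -Name 'Data NIC' `
    -MinimumBandwidthAbsolute 100000000 `
    -MaximumBandwidth 1000000000

# Emulated adapter: the cmdlet form of choosing "Legacy Network Adapter". The VM
# must be off, and a Generation 1 VM is assumed, since only Generation 1 VMs
# offer the legacy adapter.
Add-VMNetworkAdapter -VMName $vm -SwitchName $switch -Name 'PXE NIC' -IsLegacy $true

# Review the result; IsLegacy distinguishes emulated from synthetic adapters.
Get-VMNetworkAdapter -VMName $vm |
    Select-Object Name, SwitchName, IsLegacy, MacAddress, BandwidthSetting
```

Once the OS has been deployed over the PXE adapter and the Guest Integration Services are installed, the legacy adapter can be removed so that the guest's only data path is the faster synthetic one.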

Configuring hardware acceleration settings

Some physical network interface adapters have features that are designed to improve performance by offloading certain functions from the system processor to components built into the adapter itself. Hyper-V includes support for some of these features, as long as the hardware in the physical network adapter supports them properly.

When you expand a network adapter in the Settings dialog box of a VM, you gain access to the Hardware Acceleration page. On this page, you can configure the following hardware acceleration settings:

▪ Enable Virtual Machine Queue. Virtual machine queue (VMQ) is a technique that stores incoming packets intended for VMs in separate queues on the physical network adapter and delivers them directly to the VMs, bypassing the processing normally performed by the virtual switch on the parent partition.

▪ Enable IPsec Task Offloading. Uses the components on the network adapter to perform some of the cryptographic functions required by IPsec. You can also specify the maximum number of security associations you want the adapter to be able to calculate.

▪ Single-Root I/O Virtualization. Enables the virtual adapter to take advantage of the SR-IOV capabilities of the physical adapter.

Configuring advanced network adapter features

The Advanced Features page provides additional options for supporting network adapter capabilities, as follows:

▪ Static MAC Address. By default, virtual network adapters receive a dynamically assigned MAC address from the Hyper-V server. However, you can opt to create a static MAC address by using this option. The only requirement is that no other adapter, virtual or physical, on the same network uses the same address.

▪ Enable MAC Address Spoofing. When enabled, the port in the virtual switch to which the virtual network adapter is connected can send and receive packets that contain any MAC address. The virtual switch port can also learn of new MAC addresses and add them to its forwarding table.

▪ Enable DHCP Guard. Prevents the adapter from processing messages sent by rogue DHCP servers.

▪ Port Mirroring Mode. Enables the adapter to forward all the packets it receives over the network to another virtual adapter for analysis by using an application such as Network Monitor.

▪ NIC Teaming. Enables the adapter to add its bandwidth to that of other adapters in the same guest OS in a NIC teaming arrangement.
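Every Hardware Acceleration and Advanced Features option above has a parameter on Set-VMNetworkAdapter. The following script is an added example, not from the book: it applies the settings to one VM and then audits the whole host for the two options that most often need reviewing, MAC address spoofing and DHCP guard. The VM name "SRV-TEST01", the monitor VM "NETMON01", the adapter names and the static MAC address are assumed sample values.

```powershell
# Added example (not from the book): set the Advanced Features and Hardware
# Acceleration options from PowerShell, then audit every VM on the host for
# settings that let a guest impersonate other hosts or hand out leases.
# VM "SRV-TEST01", monitor VM "NETMON01", adapter names and the static MAC
# address are assumed sample values. Requires the Hyper-V module on the host.

$vm = 'SRV-TEST01'

# Advanced Features. DhcpGuard On: the switch port discards DHCP server messages
# on this adapter, so the guest cannot act as a DHCP server on the network.
# MacAddressSpoofing Off: the port accepts frames only with the adapter's own
# MAC. StaticMacAddress: a fixed address in the Microsoft 00-15-5D range
# (assumed value); it must be unique on the network and outside the dynamic pool.
Set-VMNetworkAdapter -VMName $vm -Name 'Data NIC' `
    -DhcpGuard On `
    -MacAddressSpoofing Off `
    -StaticMacAddress '00155D0212A0' `
    -AllowTeaming Off

# Hardware Acceleration: VMQ on (a weight of 100 enables it), IPsec task
# offload with at most 512 security associations, SR-IOV off (IovWeight 0).
Set-VMNetworkAdapter -VMName $vm -Name 'Data NIC' `
    -VmqWeight 100 `
    -IPsecOffloadMaximumSecurityAssociation 512 `
    -IovWeight 0

# Port mirroring: copy this adapter's traffic to an analysis VM's adapter, which
# is where a tool such as Network Monitor would capture it.
Set-VMNetworkAdapter -VMName $vm        -Name 'Data NIC'    -PortMirroring Source
Set-VMNetworkAdapter -VMName 'NETMON01' -Name 'Capture NIC' -PortMirroring Destination

# Audit: list adapters on all VMs where spoofing is allowed or DHCP guard is off.
function Get-RiskyVMNetworkAdapter {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddressSpoofing -eq 'On' -or $_.DhcpGuard -eq 'Off' } |
        Select-Object VMName, Name, SwitchName, MacAddressSpoofing, DhcpGuard, PortMirroringMode
}
Get-RiskyVMNetworkAdapter
```

MAC address spoofing is off and DHCP guard is off by default, so a freshly created adapter appears in the audit output until DHCP guard is turned on; the only guests that legitimately need spoofing on are those running a guest-side NIC team or a network load balancer that rewrites source addresses.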

Configuring NIC teaming in a virtual network environment

As explained in objective 1.2, “Configuring Servers,” NIC teaming is a Windows feature that enables administrators to join multiple network adapters into a single entity for performance enhancement or fault tolerance purposes. Hyper-V virtual machines can also take advantage of NIC teaming, but they are limited to teams of only two, as opposed to the host operating system, which can have teams of up to 64 NICs.

To use NIC teaming in Hyper-V, you must complete three basic tasks, as follows:

1. Create the NIC team in the Windows Server 2012 R2 host operating system.

2. In Hyper-V Manager, create an external virtual switch using the NIC team.

3. Configure the network adapter in a virtual machine to connect to the virtual switch representing the NIC team.

Creating the NIC team

NIC teams must consist of physical network interface adapters, so before you can use a NIC team in a virtual machine, you must create it in the host operating system. After installing two NICs in the computer, you can create a NIC team with Server Manager in the usual manner, using the settings shown in Figure 3-33. Creating the team installs the Microsoft Network Adapter Multiplexor Driver, which appears as one of the components of the network connection representing the team.

Figure 3-33. The NIC Teaming dialog box

Creating the team virtual switch

Once you have created the NIC team, you can open the Virtual Switch Manager and create a new virtual switch by selecting the External network option and choosing Microsoft Network Adapter Multiplexor Driver from the drop-down list, as shown in Figure 3-34.

Figure 3-34. The Virtual Switch Properties settings for a NIC team switch

Configuring a NIC team virtual network adapter

To configure a virtual machine to use a NIC team, you must use the Settings dialog box to modify the properties for a virtual network adapter, configuring it to use the team switch you created in the previous section, as shown in Figure 3-35.

Figure 3-35. The Network Adapter settings for a NIC team adapter

Finally, you must open the Advanced Features page for the network adapter and select the Enable The Network Adapter To Be Part Of A Team In The Guest Operating System check box. At this point, the NIC team is operational for the virtual machine. You can unplug one of the network cables and the system will maintain its connection to the network.
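The three tasks above can be completed from Windows PowerShell on the host. The following script is an added example, not from the book: physical adapter names "NIC1" and "NIC2", the team name "HostTeam", the switch "Team Switch" and the VM "SRV-TEST01" are assumed values, and the teaming mode and load-balancing algorithm are choices for this example, not settings the book prescribes.

```powershell
# Added example (not from the book): the three NIC teaming tasks above done in
# Windows PowerShell. Adapter names "NIC1"/"NIC2", team "HostTeam", switch
# "Team Switch" and VM "SRV-TEST01" are assumed values. Run on the Windows
# Server 2012 R2 host; requires the NetLbfo and Hyper-V modules.

# Task 1: create the team in the host OS (the Server Manager dialog equivalent).
# Switch Independent mode needs no configuration on the physical switch; the
# Hyper-V Port algorithm spreads VM traffic across members by virtual switch port.
New-NetLbfoTeam -Name 'HostTeam' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# Task 2: bind an external switch to the team. The team appears as a network
# connection named after the team whose interface description is "Microsoft
# Network Adapter Multiplexor Driver".
New-VMSwitch -Name 'Team Switch' -NetAdapterName 'HostTeam' -AllowManagementOS $true

# Task 3: connect the VM's adapter to the team switch and set the Advanced
# Features check box "Enable The Network Adapter To Be Part Of A Team In The
# Guest Operating System" (-AllowTeaming On). Guest teams are limited to two
# adapters, so a second adapter is added for the guest-side team.
Connect-VMNetworkAdapter -VMName 'SRV-TEST01' -Name 'Data NIC'   -SwitchName 'Team Switch'
Add-VMNetworkAdapter     -VMName 'SRV-TEST01' -Name 'Data NIC 2' -SwitchName 'Team Switch'
Set-VMNetworkAdapter     -VMName 'SRV-TEST01' -AllowTeaming On

# Check team health from the host before and after unplugging a cable: the
# team's Status should stay Up while the unplugged member reports Failed.
Get-NetLbfoTeam       | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-NetLbfoTeamMember | Select-Object Name, Team, AdministrativeMode, OperationalStatus
```

Get-NetLbfoTeamMember is the place to look when the cable test described above does not behave as expected: a member stuck in a non-Active state usually means the physical switch port, not Hyper-V, is the problem.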

Creating virtual network configurations

Hyper-V makes it possible to extend nearly any existing physical network configuration into its virtual space or create a completely separated and isolated network within the Hyper-V environment.

The basic default configuration of a Hyper-V VM connects its network adapter to an external virtual switch, thus attaching the guest OS on the VM to the outside network. The VM can then take advantage of services running on the outside network and send traffic through routers to other networks, including the Internet.

This type of arrangement can enable administrators to consolidate many physical servers into VMs on a single Hyper-V server, providing them all with access to the entire network. There is no distinction here between the physical network and the virtual one in the Hyper-V space.

Extending a production network into virtual space

Keep in mind that a Hyper-V server can have multiple physical network adapters installed in it, which might be connected to different networks to separate traffic or they might be connected to the same network to increase available bandwidth. You might also have adapters dedicated to SAN connections for shared storage and server clustering.

Microsoft recommends the use of at least two physical network adapters in a Hyper-V server, with one adapter servicing the parent partition and the other connected to the child partitions. When you have more than two physical adapters in the server, you can create separate external virtual network switches for the physical adapters and connect each one to a separate VM.

Creating an isolated network

For testing and evaluation purposes or for classroom situations, administrators might want to create isolated network environments. By creating internal or private virtual switches, you can create a network that exists only within the Hyper-V space, with or without the parent partition included.

An isolated network such as this has limitations, however. If you want to install the guest OSs by using Windows Deployment Services or configure the VMs by using DHCP, you must install and configure those services on your private network. The guest OSs also do not have access to the Internet, which prevents them from downloading OS updates. In this case, you must deploy appropriate substitutes on the private network.

One way to provide your systems with updates is to install two network adapters on each of your VMs, connecting one to a private switch and one to an external switch. This enables the VMs to access the Internet and the private network.

Another method for creating an isolated network is to use VLANs. This is particularly helpful if you have VMs on different Hyper-V servers that you want to add to the isolated network. By connecting the network adapters to an external switch and configuring them with the same VLAN identifier, you can create a network within a network, which isolates the VLAN from other computers. You can, for example, deploy a DHCP server on your VLAN without it interfering with the other DHCP servers in your production environment.
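The two-adapter arrangement described above also gives each such guest a foothold on both the isolated network and the production network, so it is worth knowing which VMs are in that position. The following function is an added example, not from the book: it lists every VM on the host that has adapters on both an external switch and an internal or private switch. It assumes no particular names and runs on any Hyper-V host with the Hyper-V module.

```powershell
# Added example (not from the book): list VMs that straddle an external switch
# and an internal/private switch, the dual-homed pattern described above, so
# those guests can be reviewed. Runs on a Hyper-V host; no names are assumed.

function Get-DualHomedVM {
    # Build a lookup from switch name to its type (External, Internal, Private).
    $switchTypes = @{}
    Get-VMSwitch | ForEach-Object { $switchTypes[$_.Name] = [string]$_.SwitchType }

    foreach ($vm in Get-VM) {
        $connected = Get-VMNetworkAdapter -VMName $vm.Name | Where-Object { $_.SwitchName }
        # Distinct switch types this VM is attached to.
        $types = $connected | ForEach-Object { $switchTypes[$_.SwitchName] } | Sort-Object -Unique
        if ($types -contains 'External' -and
            ($types -contains 'Private' -or $types -contains 'Internal')) {
            [pscustomobject]@{
                VMName   = $vm.Name
                Switches = ($connected | ForEach-Object {
                                '{0} ({1})' -f $_.SwitchName, $switchTypes[$_.SwitchName]
                            }) -join ', '
            }
        }
    }
}

Get-DualHomedVM | Format-Table -AutoSize
```

A VM that appears in this list is the only route between the isolated network and the outside; if that is intended (an update proxy, for example), it is the machine to keep patched and to keep from having IP forwarding enabled in the guest.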

THOUGHT EXPERIMENT: CONFIGURING HYPER-V NETWORKING

In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Ralph has a Windows Server 2012 R2 Hyper-V server with one physical network adapter and one external virtual switch connected to that adapter. This arrangement enables the VMs on the server to automatically download OS updates from the Internet. However, Ralph wants to use the VMs on the Hyper-V server on an isolated test network on which he can evaluate new software products. The test network must have its own DHCP server that does not interfere with the DHCP server on the production network.

How can Ralph create the test network he needs for his VMs without changing the configuration that provides the machines with Internet access?

Objective summary

▪ Networking is a critical part of creating a VM infrastructure. Depending on your network plan, the VMs you create on a Windows Server 2012 R2 Hyper-V server can require communication with other VMs, with the computers on your physical network, and with the Internet.

▪ A virtual switch, like its physical counterpart, is a device that functions at Layer 2 of the OSI reference model. A switch has a series of ports, each of which is connected to a computer’s network interface adapter. Any computer connected to the switch can transmit data to any other computer connected to the same switch.

▪ Hyper-V in Windows Server 2012 R2 supports three types of switches: external, internal, and private, which you must create in the Virtual Switch Manager before you can connect VMs to them.

▪ Every network interface adapter has a MAC address—sometimes called a hardware address—that uniquely identifies the device on the network.

▪ Once you have created virtual switches in Hyper-V Manager, you can connect VMs to them by creating and configuring virtual network adapters.

▪ Selecting the Network Adapter option on the Add Hardware page creates what is known in Hyper-V terminology as a synthetic network adapter. Hyper-V supports two types of network and storage adapters: synthetic and emulated (sometimes called legacy).

▪ NIC teaming is a Windows feature that enables administrators to join multiple network adapters into a single entity for performance enhancement or fault tolerance purposes.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following are valid reasons for using an emulated network adapter rather than a synthetic one? (Choose all that apply.)

a. You want to install the guest OS by using a Windows Deployment Services server.

b. There is no Guest Integration Services package available for the guest OS you plan to use.

c. The manufacturer of your physical network adapter has not yet provided a synthetic network adapter driver.

d. The emulated network adapter provides better performance.

2. Which of the following statements is not true about synthetic network adapters?

a. Synthetic adapters communicate with the parent partition by using the VMBus.

b. Synthetic adapters require the Guest Integration Services package to be installed on the guest OS.

c. Synthetic adapters provide faster performance than emulated adapters.

d. Synthetic adapters can start the child VM by using a PXE network boot.

3. What is the maximum number of ports supported by a Hyper-V virtual switch?

a. 8

b. 256

c. 4,096

d. Unlimited

4. Which of the following virtual switch types does not enable guest OSs to communicate with the parent partition?

a. External

b. Internal

c. Private

d. Isolated

5. How many dynamically assigned MAC addresses can a Hyper-V server provide by default?

a. 8

b. 256

c. 4,096

d. Unlimited

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 3.1: Thought experiment

Alice can enable Dynamic Memory on each of the eight VMs and set the minimum RAM value on each to 512 MB. This will enable each VM to start with 1,024 MB of memory and then reduce its footprint, allowing the next machine to start.

Objective 3.1: Review

1. Correct answers: B, C

a. Incorrect: In Type I virtualization, the hypervisor does not run on top of a host OS.

b. Correct: A Type I hypervisor runs directly on the computer hardware.

c. Correct: A Type II hypervisor runs on top of a host OS.

d. Incorrect: In Type II virtualization, the hypervisor does not run directly on the computer hardware.

2. Correct answer: A

a. Correct: Type I virtualization provides the best performance because the hypervisor runs directly on the computer hardware and does not have the overhead of a host OS.

b. Incorrect: Type II virtualization provides poorer performance than Type I because of the need to share processor time with the host OS.

c. Incorrect: Presentation virtualization is the term used to describe the Remote Desktop Services functionality in Windows. It is not designed for virtualizing servers.

d. Incorrect: RemoteApp is a technology for virtualizing individual applications and deploying them by using Remote Desktop Services.

3. Correct answer: B

a. Incorrect: Hyper-V Server does not include a license for any virtual instances.

b. Correct: Windows Server 2012 R2 Datacenter edition includes a license that enables you to create an unlimited number of virtual instances.

c. Incorrect: Windows Server 2012 R2 Standard edition includes a license that enables you to create two virtual instances.

d. Incorrect: Windows Server 2012 R2 Foundation edition does not include support for Hyper-V.

4. Correct answers: A, B, D

a. Correct: Smart paging enables a VM to restart even if the amount of RAM specified as the startup value is unavailable. Smart paging causes the system to use disk space as a temporary substitute for memory during a system restart.

b. Correct: Dynamic Memory enables you to specify a minimum RAM value that is smaller than the startup RAM value, but Smart paging enables the system to function with those parameters.

c. Incorrect: Windows Memory Weight controls the allocation of memory among VMs, but it does not affect the ability of a system to start.

d. Correct: Guest Integration Services is required for a guest OS to use Dynamic Memory.

5. Correct answer: C

a. Incorrect: The instance of the OS on which you install Hyper-V does not become the hypervisor.

b. Incorrect: The instance of the OS on which you install Hyper-V does not become the VMM.

c. Correct: The instance of the OS on which you install the Hyper-V role becomes the parent partition.

d. Incorrect: The instance of the OS on which you install the Hyper-V role does not become the child partition.

6. Correct answer: B

a. Incorrect: You can create a new Generation 1 or Generation 2 virtual machine at any time.

b. Correct: Because they use improved and synthetic drivers, Generation 2 VMs deploy faster than Generation 1 VMs.

c. Incorrect: Generation 2 VMs can run Windows Server 2012, Windows Server 2012 R2, Windows 8, or Windows 8.1 as a guest operating system.

d. Incorrect: Generation 2 VMs use improved and synthetic drivers, as compared to the legacy drivers in Generation 1 VMs.

Objective 3.2: Thought experiment

Ed should use the following Windows PowerShell command to create the VHD.

New-VHD -Path c:\servera.vhdx -Fixed -SizeBytes 500GB -LogicalSectorSizeBytes 4096 -SourceDisk 0

Objective 3.2: Review

1. Correct answer: B

a. Incorrect: VHDX files can be as large as 64 TB, whereas VHD files are limited to 2 TB.

b. Correct: Windows Server 2012, Windows Server 2012 R2, Windows 8, and Windows 8.1 can all open VHDX files.

c. Incorrect: VHDX files support block sizes as large as 256 MB.

d. Incorrect: VHDX files can support the 4,096-byte block sizes found on some newer drives.

2. Correct answer: B

a. Incorrect: A pass-through disk must be online in the guest OS that will access it.

b. Correct: A pass-through disk must be offline in the parent container so that the guest OS can have exclusive access to it.

c. Incorrect: A pass-through disk can be connected to any type of controller.

d. Incorrect: You do not use the Disk Management snap-in to add a pass-through disk to a VM; you use Hyper-V Manager.

3. Correct answer: D

a. Incorrect: You can merge VHD or VHDX disks.

b. Incorrect: You can only select one disk for editing.

c. Incorrect: There is no free space requirement when merging a disk.

d. Correct: The Merge function appears only when you select a differencing disk for editing. The object of the function is to combine the data in the differencing disk with that of the parent.

4. Correct answers: A, D

a. Correct: Checkpoints consume disk space that could be better used for other purposes.

b. Incorrect: Checkpoints do not require a duplicate memory allocation.

c. Incorrect: Under typical conditions, checkpoints do not take several hours to create.

d. Correct: The Hyper-V server must locate and process checkpoints each time it accesses a VM’s disk drives, slowing down its performance.

5. Correct answer: D

a. Incorrect: You must create a Fibre Channel SAN before you can add a Fibre Channel adapter to a VM.

b. Incorrect: You must have a physical Fibre Channel adapter before you can create virtual Fibre Channel components.

c. Incorrect: The driver for your physical Fibre Channel adapter must support virtual networking.

d. Correct: SCSI cables are not required for Fibre Channel installations.

Objective 3.3: Thought experiment

Ralph can create an isolated test environment without changing the virtual switch configuration by selecting the Enable Virtual LAN Identification check box on the network adapter in each VM and specifying the same VLAN identifier for each VM he wants on the test network.

Objective 3.3: Review

1. Correct answers: A, B

a. Correct: A Windows Deployment Server installation requires the network adapter to support PXE, which emulated adapters do, but synthetic adapters do not.

b. Correct: Synthetic adapter drivers are installed as part of the Guest Integration Services package; if there is no package for the guest OS, then there are no synthetic drivers.

c. Incorrect: Synthetic adapter drivers are not provided by hardware manufacturers.

d. Incorrect: Synthetic adapters provide better performance than emulated adapters.

2. Correct answer: D

a. Incorrect: Synthetic adapters use the faster VMBus for communications with the parent partition; emulated adapters must use calls to the hypervisor.

b. Incorrect: Synthetic adapter drivers are installed as part of the Guest Integration Services package on the guest OS.

c. Incorrect: Because of their more efficient communication with the parent partition, synthetic adapters perform better than emulated adapters.

d. Correct: Synthetic network adapters load with the Guest Integration Services on the guest OS, which prevents them from supporting PXE.

3. Correct answer: D

a. Incorrect: Switches limited to eight connections would be insufficient for many Hyper-V installations.

b. Incorrect: Hyper-V switches are not limited to 256 connections.

c. Incorrect: Hyper-V switches are not limited to 4,096 connections.

d. Correct: Hyper-V virtual switches can support an unlimited number of connections.

4. Correct answer: C

a. Incorrect: External switches enable the guest OSs to communicate with the outside network and the parent partition.

b. Incorrect: Internal switches enable the guest OSs to communicate with the parent partition but not with the outside network.

c. Correct: Private switches enable the guest OSs to communicate with one another but not with the outside network or the parent partition.

d. Incorrect: Isolated is not a technical term referring to a type of virtual switch.

5. Correct answer: B

a. Incorrect: A pool of eight MAC addresses would be insufficient for many Hyper-V installations.

b. Correct: A Hyper-V server provides a pool of 256 MAC addresses by default. You can create more by modifying the default address range.

c. Incorrect: Hyper-V, by default, dedicates only one byte of the MAC address to a dynamic value, which is not enough to support 4,096 addresses.

d. Incorrect: Hyper-V creates a finite pool of MAC addresses by specifying minimum and maximum address values.

Chapter 4. Deploying and configuring core network services

This chapter discusses the vital infrastructure services that nearly every network must implement. Every computer on a TCP/IP network must have at least one Internet Protocol (IP) address and most networks today use the Dynamic Host Configuration Protocol (DHCP) to assign those addresses. To simplify resource access on the Internet and to locate Active Directory Domain Services (AD DS) domain controllers, TCP/IP computers must have access to a Domain Name System (DNS) server. Windows Server 2012 R2 includes all these services and provides the tools to manage them.

Objectives in this chapter:

▪ Objective 4.1: Configure IPv4 and IPv6 addressing

▪ Objective 4.2: Deploy and configure Dynamic Host Configuration Protocol (DHCP) service

▪ Objective 4.3: Deploy and configure DNS service

Objective 4.1: Configure IPv4 and IPv6 addressing

Server administrators must be familiar with the basic principles of the IPv4 and IPv6 address spaces. This section reviews those principles and describes the usual process for designing IPv4 and IPv6 addressing strategies.

NOTE

This objective covers how to:

▪ Configure IP address options

▪ Configure subnetting

▪ Configure supernetting

▪ Configure interoperability between IPv4 and IPv6

▪ Configure ISATAP

▪ Configure Teredo

IPv4 addressing

As you probably know, The IPv4 address spaceconsists of 32-bit addresses, notated as four8-bit decimal values from 0 to 255 and separ-ated by periods (for example, 192.168.43.100).This is known as dotted-decimal notation andthe individual 8-bit decimal values are calledoctets or bytes.

Each address consists of network bits, whichidentify a network, and host bits, which identi-fy a particular device on that network. To dif-ferentiate the network bits from the host bits,each address must have a subnet mask.

A subnet mask is another 32-bit value consist-ing of binary 1 bits and 0 bits. When comparedto an IP address, the bits corresponding to the1s in the mask are the network bits, and thebits corresponding to the 0s are the host bits.Thus, if the 192.168.43.100 address mentionedearlier has a subnet mask of 255.255.255.0

647/1537

(which in binary form is11111111.11111111.11111111.00000000), the firstthree octets (192.168.43) identify the networkand the last octet (100) identifies the host.

IPv4 classful addressing

Because the subnet mask associated with IPaddresses can vary, the number of bits used toidentify the network and the host can alsovary.

The original IP standard defines three classesof IP addresses, which support networks ofdifferent sizes, as shown in Figure 4-1.

648/1537

Figure 4-1. The three IPv4 address classes

The number of networks and hosts supportedby each of the address classes are listed inTable 4-1.

649/1537

Table 4-1. IPv4 address classes

IP AddressClass

Class A ClassB

Class C

First bit values(binary)

0 10 110

First byte values(decimal)

1–127 128–191 192–223

Number of networkidentifier bits

8 16 24

Number of hostidentifier bits

24 16 8

Number of possiblenetworks

126 16,384 2,097,152

Number of possiblehosts

16,777,214 65,534 254

ADDITIONAL CLASSES

In addition to Classes A, B, and C, the IP standard defines Class D and Class E. Class D addresses begin with the bit values 1110 (first byte 224–239) and Class E addresses begin with 1111 (first byte 240–255). The Internet Assigned Numbers Authority (IANA) has allocated Class D addresses for use as multicast identifiers. A multicast address identifies a group of computers on a network, all of which possess a similar trait. Multicast addresses enable TCP/IP applications to send traffic to computers that perform specific functions (such as all the routers on the network), even if they're located on different subnets. Class E addresses are defined as experimental and reserved; the one value in everyday use from that range is 255.255.255.255, the limited broadcast address.

The "First bit values" row in the table specifies the binary values that the first one, two, or three bits of an address in each class must have. Early TCP/IP implementations used these bit values instead of a subnet mask to determine the class of an address. The binary values of the first bits of each address class limit the possible decimal values for the first byte of the address. For example, because the first bit of a Class A address must be 0, the possible binary values of the first byte in a Class A address range from 00000001 to 01111111, which in decimal form are values ranging from 1 to 127. Thus, in the classful addressing system, when you see an IP address in which the first byte is a number from 1 to 127, you know that this is a Class A address.

In a Class A address, the network identifier is the first eight bits of the address and the host identifier is the remaining 24 bits. Thus, there are only 126 possible Class A networks (network identifier 0 is reserved, and network identifier 127 is reserved for loopback and diagnostic purposes), but each network can have as many as 16,777,214 network interface adapters on it. Class B and Class C addresses devote more bits to the network identifier, which means they support a greater number of networks, but at the cost of having fewer host identifier bits. This trade-off reduces the number of hosts that can be created on each network.

The values in Table 4-1 for the number of hosts each address class supports might appear low. For example, an 8-bit binary number can have 256 (that is, 2^8) possible values, not 254, as shown in the table for the number of hosts on a Class C network. The value 254 is used because the original IP addressing standard states that you can't assign the "all zeros" or "all ones" addresses to individual hosts. The "all zeros" address identifies the network itself, not a specific host, and the "all ones" identifier always signifies the broadcast address. You cannot assign either value to an individual host. Therefore, to calculate the number of possible host addresses you can create with a given number of bits, you use the formula 2^x − 2, where x is the number of bits. The original standard applied the same rule to subnet identifiers, but routers have long accepted the all-zeros and all-ones subnets, which is why the subnetting examples later in this chapter count all 2^x subnets (four subnets from two bits, for instance).
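The classification rules described above, implemented as an added example in Python (this code is not from the book; the function names ipv4_class and usable_hosts are ours). It applies the leading-bit test the early stacks used, derives the network/host split of Table 4-1 from it, applies the 2^x − 2 rule, and flags the two Class A network identifiers that the table's count of 126 leaves out:

```python
"""Classful IPv4 interpretation (added example, not from the book)."""
import ipaddress


def usable_hosts(host_bits: int) -> int:
    """The 2^x - 2 rule: the all-zeros (network) and all-ones (broadcast) host
    values cannot be assigned to an interface."""
    return (1 << host_bits) - 2


def ipv4_class(addr: str) -> dict:
    """Classify a dotted-decimal IPv4 address by its leading bits, the way early
    TCP/IP stacks did before subnet masks. Returns a dict describing the result."""
    first = int(ipaddress.IPv4Address(addr)) >> 24  # the first byte
    if first >> 7 == 0b0:            # 0xxxxxxx -> 0-127
        cls, net_bits = "A", 8
    elif first >> 6 == 0b10:         # 10xxxxxx -> 128-191
        cls, net_bits = "B", 16
    elif first >> 5 == 0b110:        # 110xxxxx -> 192-223
        cls, net_bits = "C", 24
    elif first >> 4 == 0b1110:       # 1110xxxx -> 224-239
        return {"class": "D", "first_byte": first, "role": "multicast"}
    else:                            # 1111xxxx -> 240-255
        return {"class": "E", "first_byte": first, "role": "experimental/reserved"}

    host_bits = 32 - net_bits
    network = ipaddress.ip_network(f"{addr}/{net_bits}", strict=False)
    info = {
        "class": cls,
        "first_byte": first,
        "network_bits": net_bits,
        "host_bits": host_bits,
        "network": str(network),
        "usable_hosts": usable_hosts(host_bits),
    }
    # Why Table 4-1 lists 126 Class A networks, not 128.
    if cls == "A" and first in (0, 127):
        info["note"] = "reserved network (0 = this network, 127 = loopback)"
    return info


if __name__ == "__main__":
    # Constructed sample addresses, one per class plus the loopback case.
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.43.7",
                   "224.0.0.5", "240.1.1.1", "127.0.0.1"):
        print(f"{sample:16} {ipv4_class(sample)}")
```

Running the script prints one line per sample; the note on 127.0.0.1 is the practical reminder that a classful rule alone does not tell you whether an address is assignable.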

Classless Inter-Domain Routing

When IP was developed, no one imagined that the 32-bit address space would ever be exhausted. In the early 1980s, there were no networks that had 65,536 computers, never mind 16 million, and no one worried about the wastefulness of assigning IP addresses based on these classes.

That wastefulness eventually became a real problem, and classful addressing was gradually superseded by a series of subnetting methods, including variable length subnet masking (VLSM) and eventually Classless Inter-Domain Routing (CIDR). CIDR is a subnetting method that enables administrators to place the division between the network bits and the host bits anywhere in the address, not just between octets. This makes it possible to create networks of almost any size.

CIDR also introduces a new notation for network addresses. A standard dotted-decimal address representing the network is followed by a forward slash and a numeral specifying the size of the network-identifying prefix. For example, 192.168.43.0/24 represents a single Class C-sized network that uses a 24-bit network identifier, leaving the other 8 bits for up to 254 host identifiers. Each of those hosts would receive an address from 192.168.43.1 to 192.168.43.254, using the subnet mask 255.255.255.0.

However, by using CIDR, an administrator can subnet this address further by allocating some of the host bits to create subnets. To create subnets for four offices, for example, the administrator can take two of the host identifier bits, changing the network address in CIDR notation to 192.168.43.0/26. Because the network identifier is now 26 bits, the subnet mask for all four networks will be 11111111.11111111.11111111.11000000 in binary form, or 255.255.255.192 in standard decimal form. Each of the four networks will have up to 62 hosts, using the IP address ranges shown in Table 4-2.

Table 4-2. Sample CIDR 192.168.43.0/26 networks

Network address    Starting IP address    Ending IP address    Subnet mask
192.168.43.0       192.168.43.1           192.168.43.62        255.255.255.192
192.168.43.64      192.168.43.65          192.168.43.126       255.255.255.192
192.168.43.128     192.168.43.129         192.168.43.190       255.255.255.192
192.168.43.192     192.168.43.193         192.168.43.254       255.255.255.192

If the administrator needs more than four subnets, changing the network address to 192.168.43.0/28 adds two more bits to the network identifier for a maximum of 16 subnets, each of which can support up to 14 hosts. The subnet mask for these networks would therefore be 255.255.255.240.

Public and private IPv4 addressing

For a computer to be accessible from the Internet, there must be an IP address that is both registered and unique, either on the server itself or on a device providing access to it, such as a NAT router. All web servers on the Internet have registered addresses, as do all other types of Internet servers.

The IANA is the ultimate source for all registered addresses. Managed by the Internet Corporation for Assigned Names and Numbers (ICANN), this organization allocates blocks of addresses to regional Internet registries (RIRs), which, in turn, allocate smaller blocks to Internet service providers (ISPs). An organization that wants to host a server on the Internet typically obtains a registered address from an ISP.

Registered IP addresses are not necessary for workstations that merely access resources on the Internet. If organizations used registered addresses for all their workstations, the IPv4 address space would have been depleted long ago. Instead, organizations typically use private IP addresses for their workstations. Private IP addresses are blocks of addresses that are allocated specifically for private network use. Anyone can use these addresses without registering them, but computers using private addresses cannot be made accessible from the Internet without a specialized technology such as network address translation (NAT).

The three blocks of addresses allocated for private use (defined in RFC 1918) are as follows:

▪ 10.0.0.0/8

▪ 172.16.0.0/12

▪ 192.168.0.0/16

Most enterprise networks use addresses from these blocks for their workstations. It doesn't matter if multiple organizations use the same addresses, because the workstations are never directly connected to the same network. Note that "private" means not routable on the Internet, not protected: a host with a private address is fully reachable from everything else inside the organization's network, and from any site connected to it by VPN.

IPv4 subnetting

In most cases, enterprise administrators use addresses in one of the private IP address ranges to create the subnets they need. If you are building a new enterprise network from scratch, you can choose any one of the private address blocks and make things easy on yourself by subnetting along the octet boundaries.

For example, you can take the 10.0.0.0/8 private IP address range and use the entire second octet as a subnet ID. This enables you to create up to 256 subnets with as many as 65,534 usable host addresses on each one. The subnet mask for all the addresses on the subnets will be 255.255.0.0 and the network addresses will proceed as follows:

▪ 10.0.0.0/16

▪ 10.1.0.0/16

▪ 10.2.0.0/16

▪ 10.3.0.0/16

▪ …

▪ 10.255.0.0/16

When you are working on an existing network, the subnetting process is likely to be more difficult. You might, for example, be given a relatively small range of addresses and be asked to create a certain number of subnets from them. To do this, you use the following procedure.

1. Determine how many subnet identifier bits you need to create the required number of subnets.

2. Subtract the subnet bits you need from the host bits and add them to the network bits.

3. Calculate the subnet mask by adding the network and subnet bits in binary form and converting the binary value to decimal.

4. Take the least significant subnet bit and the host bits, in binary form, and convert them to a decimal value.

5. Increment the network identifier (including the subnet bits) by the decimal value you calculated to determine the network addresses of your new subnets.

Using the example earlier in this chapter, if you take the 192.168.43.0/24 network address and allocate two extra bits for the subnet ID, you get a binary subnet mask value of 11111111.11111111.11111111.11000000 (255.255.255.192 in decimal form, as noted earlier).

The least significant subnet bit plus the six host bits gives you a binary value of 1000000, which converts to a decimal value of 64. Therefore, if you know that the network address of your first subnet is 192.168.43.0, the second subnet must be 192.168.43.64, the third 192.168.43.128, and the fourth 192.168.43.192, as shown in Table 4-2.
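The five-step procedure above and the Table 4-2 split of 192.168.43.0/24, carried out as an added example in Python (not code from the book; the function name plan_subnets is ours). Each step of the procedure is labelled in the code, and the function works for any block and any number of subnets, not only the /24 of the text, including the /28 variant that yields 16 subnets of 14 hosts:

```python
"""Plan equal-size subnets from a CIDR block (added example, not from the book)."""
import ipaddress


def plan_subnets(block: str, wanted: int) -> dict:
    """Follow the five-step procedure: find the subnet bits, move them from the
    host part to the network part, derive the mask and the increment, and then
    enumerate the subnets with their first and last usable host addresses."""
    base = ipaddress.ip_network(block)
    if wanted < 1:
        raise ValueError("need at least one subnet")

    # Step 1: the smallest number of bits with 2**bits >= wanted.
    subnet_bits = (wanted - 1).bit_length()
    # Step 2: those bits leave the host identifier and join the network identifier.
    new_prefix = base.prefixlen + subnet_bits
    host_bits = 32 - new_prefix
    if host_bits < 2:  # a subnet needs at least 2 host bits to have any usable host
        raise ValueError(f"{block} cannot be split into {wanted} usable subnets")
    # Step 3: the mask is new_prefix ones followed by host_bits zeros.
    mask = ipaddress.IPv4Address(((1 << new_prefix) - 1) << host_bits)
    # Step 4: the least significant subnet bit followed by the host bits, in decimal.
    increment = 1 << host_bits
    # Step 5: step through the block by that increment (ip_network does the arithmetic).
    subnets = []
    for net in base.subnets(new_prefix=new_prefix):
        subnets.append((str(net.network_address),
                        str(net.network_address + 1),     # first usable host
                        str(net.broadcast_address - 1)))  # last usable host
    return {
        "subnet_bits": subnet_bits,
        "prefix": new_prefix,
        "mask": str(mask),
        "increment": increment,
        "hosts_per_subnet": (1 << host_bits) - 2,
        "subnets": subnets,
    }


if __name__ == "__main__":
    for wanted in (4, 16):
        plan = plan_subnets("192.168.43.0/24", wanted)
        print(f"/{plan['prefix']} mask {plan['mask']} increment {plan['increment']} "
              f"{plan['hosts_per_subnet']} hosts per subnet")
        for network, first, last in plan["subnets"]:
            print(f"  {network:16} {first:16} {last}")
```

The rows printed for four subnets are exactly those of Table 4-2; the error check matters in practice, because asking a /24 for 128 subnets silently produces /31 networks with no assignable host addresses if nothing stops it.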

Supernetting

In addition to simplifying network notation, CIDR also makes possible a technique called IP address aggregation or supernetting, which can help reduce the size of Internet routing tables. A supernet is a combination of contiguous networks that all contain a common CIDR prefix. When an organization possesses multiple contiguous networks that can be expressed as a supernet, it is possible to list those networks in a routing table by using only one entry instead of many.

For example, if an organization has the following five subnets, standard practice would be to create a separate routing table entry for each one.

▪ 172.16.43.0/24

▪ 172.16.44.0/24

▪ 172.16.45.0/24

▪ 172.16.46.0/24

▪ 172.16.47.0/24

To create a supernet encompassing all five of these networks, you must isolate the bits they have in common. When you convert the network addresses from decimal to binary, you get the following values:

172.16.43.0    10101100.00010000.00101011.00000000
172.16.44.0    10101100.00010000.00101100.00000000
172.16.45.0    10101100.00010000.00101101.00000000
172.16.46.0    10101100.00010000.00101110.00000000
172.16.47.0    10101100.00010000.00101111.00000000

In binary form, you can see that all five addresses have the same first 21 bits. Those 21 bits become the network identifier of the supernet address, as follows:

10101100.00010000.00101

After zeroing out the host bits to form the network address and converting the binary number back to decimal form, as follows, the resulting supernet address is 172.16.40.0/21.

10101100.00010000.00101000.00000000    172.16.40.0/21

This one network address can replace the original five in routing tables duplicated throughout the Internet. This is just one example of a technique that administrators can use to combine dozens or even hundreds of subnets into single routing table entries. Note, however, that 172.16.40.0/21 also covers 172.16.40.0/24, 172.16.41.0/24, and 172.16.42.0/24, which are not in the list. A supernet built from the common prefix alone should be advertised only if the organization holds the whole block; otherwise the entry claims, and attracts traffic for, address space that belongs to someone else.
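The common-prefix method above, together with the overclaim check, as an added example in Python (not code from the book; the names common_prefix_supernet, overclaimed and exact_aggregate are ours, and BOOK_NETWORKS is the five-network list from the text entered as sample input). It also shows the alternative that never overclaims, aggregating only blocks that combine into aligned prefixes:

```python
"""Supernet (route aggregation) helpers (added example, not from the book)."""
import ipaddress

# The five networks from the text, as constructed sample input.
BOOK_NETWORKS = ["172.16.43.0/24", "172.16.44.0/24", "172.16.45.0/24",
                 "172.16.46.0/24", "172.16.47.0/24"]


def common_prefix_supernet(networks):
    """The book's method: keep the longest prefix on which every network address agrees."""
    nets = [ipaddress.ip_network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    plen = min(n.prefixlen for n in nets)  # never longer than the shortest input prefix
    while plen > 0:
        mask = ((1 << plen) - 1) << (32 - plen)
        if all((a & mask) == (addrs[0] & mask) for a in addrs):
            break
        plen -= 1
    mask = ((1 << plen) - 1) << (32 - plen) if plen else 0
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(addrs[0] & mask)}/{plen}")


def overclaimed(supernet, networks):
    """Address space inside the supernet that none of the listed networks cover."""
    pieces = [ipaddress.ip_network(str(supernet))]
    for net in (ipaddress.ip_network(n) for n in networks):
        remaining = []
        for piece in pieces:
            if piece.subnet_of(net):            # fully covered: drop it
                continue
            if net.subnet_of(piece):            # carve the network out of the piece
                remaining.extend(piece.address_exclude(net))
            else:
                remaining.append(piece)
        pieces = remaining
    return [str(p) for p in ipaddress.collapse_addresses(pieces)]


def exact_aggregate(networks):
    """Aggregation that never overclaims: merge only neighbours that form an aligned block."""
    return [str(n) for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks)]


if __name__ == "__main__":
    agg = common_prefix_supernet(BOOK_NETWORKS)
    print("common-prefix supernet:", agg)
    print("covered but not owned :", overclaimed(agg, BOOK_NETWORKS))
    print("exact aggregation     :", exact_aggregate(BOOK_NETWORKS))
```

For the book's five networks the exact aggregation needs two entries (172.16.43.0/24 and 172.16.44.0/22) instead of one, which is the price of not announcing 172.16.40.0 through 172.16.42.255.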

Assigning IPv4 addresses

In addition to understanding how IP addressing works, a network administrator must be familiar with the methods for deploying IP addresses to the computers on a network.

To assign IPv4 addresses, there are three basic methods:

▪ Manual configuration

▪ Dynamic Host Configuration Protocol (DHCP)

▪ Automatic Private IP Addressing (APIPA)

The advantages and disadvantages of these methods are discussed in the following sections.

Manual IPv4 Address Configuration

Configuring a TCP/IP client manually is neither difficult nor time-consuming. Most operating systems provide a graphical interface that enables you to enter an IPv4 address, a subnet mask, and various other TCP/IP configuration parameters. To configure IP address settings in Windows Server 2012 R2, you use the Internet Protocol Version 4 (TCP/IPv4) Properties sheet, as shown in Figure 4-2.

Figure 4-2. The Internet Protocol Version 4 (TCP/IPv4) Properties sheet

When you select the Use The Following IP Address option, you can configure the following IP address options:

▪ IP Address. Specifies the IP address on the local subnet that will identify the network interface in the computer

▪ Subnet Mask. Specifies the mask associated with the local subnet

▪ Default Gateway. Specifies the IP address of a router on the local subnet, which the system will use to access destinations on other networks

▪ Preferred DNS Server. Specifies the IP address of the DNS server the system will use to resolve host names into IP addresses

The primary problem with manual configuration is that a task requiring two minutes for one workstation requires several hours for 100 workstations and several days for 1,000. Manually configuring all but the smallest networks is impractical, and not just because it is slow. You must also track the IPv4 addresses you assign and make sure each system has an address that is unique. This can present formidable logistical challenges, which is why few network administrators choose this option.

Dynamic Host Configuration Protocol (DHCP)

DHCP is an application-layer protocol and a service that together enable administrators to dynamically allocate IP addresses from a pool. Computers equipped with DHCP clients automatically contact a DHCP server when they start, and the server assigns them unique addresses and all the other configuration parameters the server is configured to provide.

The DHCP server provides addresses to clients on a leased basis, and after a predetermined interval, each client either renews its address or releases it back to the server for reallocation. DHCP not only automates the address assignment process but also keeps track of the addresses it assigns, preventing address duplication on the network.

DHCP ADDRESS ALLOCATION

For more information on DHCP, see Objective 4.2, "Configuring Servers."

Automatic Private IP Addressing (APIPA)

APIPA is the name Microsoft assigned to the DHCP fallback mechanism used by all current Microsoft Windows operating systems (it is unrelated to the DHCP server failover feature). On Windows computers, the DHCP client is enabled by default. If, after several attempts, a system fails to locate a DHCP server on the network, APIPA takes over and automatically assigns the computer an address on the 169.254.0.0/16 network, with the subnet mask 255.255.0.0 and no default gateway.

For a small network that consists of only a single local area network (LAN), APIPA is a simple and effective alternative to installing a DHCP server. However, for installations consisting of multiple LANs connected by routers, administrators must take more positive control over the IP address assignment process. This usually means deploying one or more DHCP servers in some form. On such a network, a server that shows a 169.254.x.x address is a symptom of a DHCP failure, and it will be unable to reach its DNS servers or domain controllers until the cause is fixed.

IPv6 addressing

As most administrators know, IPv6 is designed to increase the size of the IP address space, thus providing addresses for many more devices than IPv4. The 128-bit address size of IPv6 allows for 2^128 (roughly 3.4 × 10^38) possible addresses.

In addition to providing more addresses, IPv6 will also reduce the size of the routing tables in the routers scattered around the Internet. This is because the size of the addresses provides room for a deeper hierarchy of prefixes than the two levels of subnetting currently possible with IPv4.

Introducing IPv6

IPv6 addresses differ from IPv4 addresses in many ways other than length. Instead of the four 8-bit decimal numbers separated by periods that IPv4 uses, IPv6 addresses use a notation called colon-hexadecimal format, which consists of eight 16-bit numbers written in hexadecimal and separated by colons, as follows:

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

Each group of four hexadecimal digits represents 16 bits (two bytes), as in the following example:

21cd:0053:0000:0000:e8bb:04f2:003c:c394

Contracting IPv6 Addresses

When an IPv6 address has two or more consecutive 16-bit groups of zeros, you can replace them with a double colon, as follows (but you can use only one double colon in any IPv6 address, and when there are two runs of zeros the longer one is contracted):

21cd:0053::e8bb:04f2:003c:c394

You can also remove the leading zeros in any group where they appear, as follows:

21cd:53::e8bb:4f2:3c:c394

Expressing IPv6 Network Addresses

There are no subnet masks in IPv6. Network addresses use the same slash notation as CIDR to identify the network bits. In this example, the network address is notated as follows:

21cd:53::/64

This is the contracted form for the following network address:

21cd:0053:0000:0000:0000:0000:0000:0000/64
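The two contraction rules and the slash notation, implemented as an added example in Python (not code from the book; the names expand_ipv6, compress_ipv6, network_prefix and matches_stdlib are ours). The expander enforces the one-double-colon rule, the compressor applies the RFC 5952 choice of the longest zero run, and the last function cross-checks both against the standard library's parser, which is what you should rely on in production; writing the rules out makes the single-"::" and longest-run behaviour visible:

```python
"""IPv6 text-form helpers (added example, not from the book)."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Undo both contractions: re-insert the zero groups hidden by '::' and
    restore leading zeros, giving eight four-digit groups."""
    if addr.count("::") > 1:
        raise ValueError("an IPv6 address may contain only one '::'")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight 16-bit groups")
    for g in groups:
        if not (1 <= len(g) <= 4 and set(g) <= HEX):
            raise ValueError(f"bad group {g!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress_ipv6(addr: str) -> str:
    """Canonical contraction (RFC 5952): drop leading zeros, and replace the
    longest run of two or more zero groups (the first one on a tie) with '::'."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexg = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return f"{left}::{right}"


def network_prefix(network: str) -> str:
    """Full form of a slash-notation IPv6 network, e.g. '21cd:53::/64'."""
    return ipaddress.IPv6Network(network).exploded


def matches_stdlib(addr: str) -> bool:
    """Cross-check both helpers against the standard library's parser."""
    a = ipaddress.IPv6Address(addr)
    return expand_ipv6(addr) == a.exploded and compress_ipv6(addr) == a.compressed


if __name__ == "__main__":
    full = "21cd:0053:0000:0000:e8bb:04f2:003c:c394"   # the book's example address
    print(compress_ipv6(full))
    print(expand_ipv6("21cd:53::e8bb:4f2:3c:c394"))
    print(network_prefix("21cd:53::/64"))
```

One practical consequence of the canonical form: log search, allow-lists and firewall rules must compare addresses after normalisation, because "2001:db8:0:0:0:0:0:1", "2001:DB8::1" and "2001:db8::0001" are the same address in three spellings.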

IPv6 address types

There are no broadcast transmissions in IPv6, and therefore no broadcast addresses, as in IPv4. IPv6 supports three types of transmissions, as follows:

▪ Unicast. Provides one-to-one transmission service to an individual interface

▪ Multicast. Provides one-to-many transmission service to groups of interfaces identified by a single multicast address

▪ Anycast. Provides one-to-one-of-many transmission service to groups of interfaces, only the nearest of which (measured by the number of intermediate routers) receives the transmission

IPV6 SCOPES

In IPv6, the scope of an address refers to the size of its functional area. For example, the scope of a global unicast address is unlimited; that is, the entire Internet. The scope of a link-local unicast address is the immediate link; that is, the local network. The scope of a unique local unicast address consists of all the subnets within an organization.

IPv6 also supports several address types, as described in the following sections.

Global Unicast Addresses

A global unicast address is the equivalent of a registered IPv4 address, routable worldwide and unique on the Internet.

Link-Local Unicast Addresses

In IPv6, every system automatically creates a link-local unicast address for each interface, which is essentially the equivalent of an APIPA address in IPv4. All link-local addresses have the same network identifier: a 10-bit prefix of 1111111010 followed by 54 zeros, resulting in the following network address:

fe80:0000:0000:0000:0000:0000:0000:0000/64

In its more compact form, the link-local network address is as follows:

fe80::/64

Because all link-local addresses are on the same network, they are not routable, and systems possessing them can communicate only with other systems on the same link. Unlike an APIPA address, a link-local address is always present, even on an interface that also has a global address.

Unique Local Unicast Addresses

Unique local unicast addresses (fc00::/7, in practice the fd00::/8 half) are the IPv6 equivalent of the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 private network addresses in IPv4. Like the IPv4 private addresses, unique local addresses are routable within an organization. Administrators can also subnet them as needed to support an organization of any size.

DEPRECATED IPV6 ADDRESSES

Many sources of IPv6 information continue to list site-local unicast addresses (fec0::/10) as a valid type of unicast, with a function similar to that of the private IPv4 network addresses. For various reasons, site-local unicast addresses have been deprecated, and although their use is not forbidden, their functionality has been replaced by unique local unicast addresses.

Multicast Addresses

Multicast addresses always begin with a value of 11111111 in binary, or ff in hexadecimal (ff00::/8).

Anycast Addresses

The function of an anycast address is to identify the routers within a given address scope and send traffic to the nearest router, as determined by the local routing protocols. Organizations can use anycast addresses to identify a particular set of routers in the enterprise, such as those that provide access to the Internet. To use anycasts, the routers must be configured to recognize the anycast addresses as such; an anycast address is allocated from the unicast address space and cannot be distinguished from a unicast address by its format.

Assigning IPv6 addresses

The processes by which administrators assign IPv6 addresses to network computers are similar to those in IPv4. As with IPv4, a Windows computer can obtain an IPv6 address by three possible methods:

▪ Manual allocation. A user or administrator manually supplies an address and other information for each network interface.

▪ Self-allocation. The computer creates its own address by using a process called stateless address autoconfiguration (SLAAC).

▪ Dynamic allocation. The computer solicits and receives an address from a DHCPv6 server on the network.

Manual IPv6 Address Allocation

For the enterprise administrator, manual allocation of addresses is even more impractical in IPv6 than in IPv4 because of the length of the addresses involved. However, it is possible, and the procedure for doing so in Windows Server 2012 R2 is the same as that for IPv4, except that you open the Internet Protocol Version 6 (TCP/IPv6) Properties sheet, as shown in Figure 4-3.

Figure 4-3. The Internet Protocol Version 6 (TCP/IPv6) Properties sheet

Because of the difficulties of working with IPv6 addresses manually, the following two options are far more prevalent.

Stateless IPv6 Address Autoconfiguration

When a Windows computer starts, it initiates the stateless address autoconfiguration process, during which it assigns each interface a link-local unicast address. This assignment always occurs, even when the interface is to receive a global unicast address later. The link-local address enables the system to communicate with the router on the link, which provides additional instructions.

The steps of the stateless address autoconfiguration process are as follows.

1. Link-local address creation. The IPv6 implementation on the system creates a link-local address for each interface by combining the fe80::/64 network address with a 64-bit interface ID, generated either from the interface's media access control (MAC) address (the modified EUI-64 method) or by a pseudorandom generator. Windows uses random interface IDs by default, which avoids exposing the hardware address in every IPv6 packet the host sends.

2. Duplicate address detection. Using the IPv6 Neighbor Discovery (ND) protocol, the system transmits a Neighbor Solicitation message to determine if any other computer on the link is using the same address and listens for a Neighbor Advertisement message sent in reply. If there is no reply, the system considers the address to be unique on the link. If there is a reply, the system must generate a new address and repeat the procedure.

3. Link-local address assignment. When the system determines that the link-local address is unique, it configures the interface to use that address. On a small network consisting of a single segment or link, this might be the interface's permanent address assignment. On a network with multiple subnets, the primary function of the link-local address assignment is to enable the system to communicate with a router on the link.

4. Router advertisement solicitation. The system uses the ND protocol to transmit Router Solicitation messages to the all-routers multicast address (ff02::2). These messages prompt the routers to send a Router Advertisement immediately instead of waiting for their next periodic advertisement.

5. Router advertisement. The router on the link uses the ND protocol to transmit Router Advertisement messages to the system, which contain information on how the autoconfiguration process should proceed. The Router Advertisement messages typically supply a network prefix, which the system combines with its existing interface ID to create a global or unique local unicast address. The messages might also instruct the system (through the M and O flags) to initiate a stateful autoconfiguration process by contacting a DHCPv6 server. If there is no router on the link, as determined by the system's failure to receive Router Advertisement messages, the system is left with only its link-local address unless it falls back to stateful (DHCPv6) configuration.

6. Global or unique local address configuration. Using the information it receives from the router, the system generates a suitable address that is routable, either globally or within the enterprise, and configures the interface to use it. If so instructed, the system might also initiate a stateful autoconfiguration process by contacting a DHCPv6 server and obtaining a global or unique local address from that server, along with other configuration settings.

Because hosts accept Router Advertisements from any device on the link, an attacker on the LAN can hand every host a bogus prefix and default gateway (a rogue RA). RA Guard on the access switches, which drops Router Advertisements arriving on ports not designated as router ports, is the usual defense.
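Steps 1 and 6 of the process above, as an added example in Python (not code from the book; the function names eui64_interface_id, random_interface_id, slaac_address and mac_from_address are ours, and the MAC address and the 2001:db8:0:1c69::/64 prefix are constructed sample values, the latter standing for a prefix received in a Router Advertisement). Duplicate address detection and the router exchange need a live link and are not simulated; the example shows the address arithmetic and, by reversing it, exactly what a MAC-derived interface ID gives away:

```python
"""Interface IDs for stateless autoconfiguration (added example, not from the book)."""
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle and flip
    the universal/local bit (0x02 of the first byte)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def random_interface_id() -> int:
    """Windows' default: a random 64-bit ID with the universal/local bit cleared,
    which reveals nothing about the hardware."""
    return secrets.randbits(64) & ~(1 << 57)


def slaac_address(prefix: str, interface_id: int) -> str:
    """Step 1 (fe80::/64) and step 6 (advertised prefix) both combine a /64 with the ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64-derived address, or None if the ID is not of
    that form. This is exactly what a MAC-derived ID leaks to every peer."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:1b:21:3a:4c:5d"                      # constructed sample MAC
    eui = eui64_interface_id(mac)
    print("link-local :", slaac_address("fe80::/64", eui))
    print("global     :", slaac_address("2001:db8:0:1c69::/64", eui))   # prefix from an RA
    print("leaked MAC :", mac_from_address(slaac_address("fe80::/64", eui)))
    print("random     :", slaac_address("fe80::/64", random_interface_id()))
```

The same interface ID appears in both the link-local and the global address, which is why a MAC-derived ID lets a remote peer correlate a host across networks and time; the random ID Windows uses by default (together with temporary addresses) breaks that correlation.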

Dynamic Host Configuration Protocol v6

If you are an enterprise administrator with a multisegment network, it will be necessary to use unique local or global addresses for internetwork communication, so you will need either routers that advertise the appropriate network prefixes or DHCPv6 servers that can supply addresses with the correct prefixes. Even with DHCPv6 in use, the routers' advertisements are still required: the default route comes from Router Advertisements, not from DHCPv6, and the M and O flags in those advertisements are what tell clients to contact a DHCPv6 server at all.

The Remote Access role in Windows Server 2012 R2 supports IPv6 routing and advertising, and the DHCP Server role supports IPv6 address allocation.

Subnetting IPv6 Addresses

As with IPv4, administrators can create a hierarchy of subnets using IPv6 addresses. However, in IPv6, no subnet masks are needed because there are ample bits in the network identifier to create a subnet identifier without having to borrow from the host bits.

The format for an IPv6 global unicast address divides the 128 bits into the following three sections:

▪ Global routing prefix. A 48-bit field beginning with the 001 format prefix (FP) value (that is, within 2000::/3), the hierarchical structure of which is left up to the regional Internet registry (RIR)

▪ Subnet ID. A 16-bit field that organizations can use to create an internal hierarchy of subnets

▪ Interface ID. A 64-bit field identifying a specific interface on the network

When you obtain an IPv6 network address from an ISP or an RIR, you typically get the global routing prefix, commonly known as a "/48". You are then left with the subnet ID field to use for subnetting the network as you wish. Some possible subnetting options are as follows:

▪ One-level subnet. By setting all subnet ID bits to 0, all the computers in the organization are part of a single subnet.

▪ Two-level subnet. By creating a series of 16-bit values, you can split the network into as many as 65,536 subnets. This is the functional equivalent of IPv4 subnetting, but with a much larger subnet address space.

▪ Multi-level subnet. By allocating specific numbers of subnet ID bits, you can create multiple levels of subnets, sub-subnets, and sub-sub-subnets, suitable for an enterprise of almost any size.

For example, consider a large international enterprise with its subnet ID divided as follows:

▪ Country (4 bits). Creates up to 16 subnets representing the countries in which the organization has offices

▪ State (6 bits). Creates up to 64 sub-subnets within each country, representing states, provinces, or other geographical divisions

▪ Office (2 bits). Creates up to four sub-sub-subnets within each state or province, representing offices located in various cities

▪ Department (4 bits). Creates up to 16 sub-sub-sub-subnets within each office, representing the various departments or divisions

Thus, to create a subnet ID for a particular office, you need to assign values for each field. To use the value 1 for the United States, the Country bits of the subnet ID would be as follows:

0001------------

To create a binary state designation for Alaska using the value 49, the State field would appear as follows:

----110001------

For the second office in Alaska, use the value 2 for the Office bits, as follows:

----------10----

For the Sales department in the office, use the value 9 for the Department bits, as follows:

------------1001

The resulting value for the subnet ID, in binary form, would therefore be as follows:

0001110001101001

In hexadecimal form, that would be 1c69, so the department's network is the organization's /48 followed by 1c69 (for example, 2001:db8:abcd:1c69::/64 if the prefix were 2001:db8:abcd::/48).

Because the organization that owns the prefix wholly controls the subnet ID, enterprise administrators can adjust the number of levels in the hierarchy and the number of bits dedicated to each level as needed.
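The field packing worked above, as an added example in Python (not code from the book; the names FIELDS, pack_subnet_id, unpack_subnet_id and subnet_prefix are ours, and 2001:db8:abcd::/48 is an assumed allocation inside the 2001:db8::/32 documentation prefix). The layout is data, so the same code serves any field plan whose widths total 16 bits, and it rejects a value that does not fit its field, which is how an office number of 4 in a 2-bit field would otherwise silently corrupt the neighbouring field:

```python
"""Packing a 16-bit IPv6 subnet ID from hierarchical fields (added example, not from the book)."""
import ipaddress

# The book's layout: field name and width, most significant first. Widths sum to 16.
FIELDS = (("country", 4), ("state", 6), ("office", 2), ("department", 4))


def pack_subnet_id(values: dict, fields=FIELDS) -> int:
    """Concatenate the field values into one 16-bit subnet ID, rejecting values
    that do not fit their field."""
    if sum(width for _, width in fields) != 16:
        raise ValueError("field widths must total 16 bits")
    sid = 0
    for name, width in fields:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        sid = (sid << width) | value
    return sid


def unpack_subnet_id(sid: int, fields=FIELDS) -> dict:
    """Inverse of pack_subnet_id: read the fields back out of a subnet ID."""
    out = {}
    for name, width in reversed(fields):
        out[name] = sid & ((1 << width) - 1)
        sid >>= width
    return out


def subnet_prefix(global_prefix: str, sid: int) -> str:
    """Place the subnet ID in bits 48-63 of a /48 to get the subnet's /64."""
    net = ipaddress.IPv6Network(global_prefix)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 global routing prefix")
    if not 0 <= sid < (1 << 16):
        raise ValueError("subnet ID must fit in 16 bits")
    return f"{ipaddress.IPv6Address(int(net.network_address) | (sid << 64))}/64"


if __name__ == "__main__":
    office = {"country": 1, "state": 49, "office": 2, "department": 9}  # the book's values
    sid = pack_subnet_id(office)
    print(f"subnet ID {sid:016b} = {sid:04x}")
    # 2001:db8::/32 is the documentation prefix; the /48 below is an assumed allocation.
    print(subnet_prefix("2001:db8:abcd::/48", sid))
    print(unpack_subnet_id(sid))
```

Decoding in the other direction (unpack_subnet_id) is what makes such a plan useful operationally: a firewall rule or a log entry carrying 2001:db8:abcd:1c69::/64 can be read back as "US, state 49, office 2, department 9" without a lookup table.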

Planning an IP transition

Many enterprise administrators are so comfortable working with IPv4 addresses that they are hesitant to change. Network Address Translation (NAT) and CIDR have been excellent stopgaps to the depletion of the 32-bit IP address space for years, and many would like to see them continue as such. However, the IPv6 transition, long a specter on the horizon, is now approaching at frightening speed, and it is time for administrators not familiar with the new technologies to catch up.

The networking industry, and particularly the Internet, has made huge investments in IPv4 technologies; replacing them with IPv6 has been a gradual process. In fact, it is a gradual process that was supposed to have begun in earnest over 10 years ago. However, many administrators don't replace their IPv4 equipment unless it stops working. Unfortunately, the day when that equipment stops working is approaching rapidly. So, although it might not yet be time to embrace IPv6 exclusively, administrators should have the transition in mind as they design their networks and make their purchasing decisions.

IPV4 ADDRESS EXHAUSTION

The exhaustion of the IANA unallocated address pool occurred on January 31, 2011. One of the RIRs, the Asia Pacific Network Information Center (APNIC), was depleted on April 15, 2011, and the other RIRs have since followed.

Enterprise administrators can do as they wish within the enterprise itself. If all the network devices in the organization support IPv6, they can begin to use IPv6 addresses at any time. However, the Internet is still firmly based on IPv4, and will continue to be for several years. Therefore, the transition from IPv4 to IPv6 must be a gradual project that includes a period of support for both IP versions.

Now, and in the immediate future, administrators must work under the assumption that the rest of the world is using IPv4, so you must implement a mechanism for transmitting your IPv6 traffic over an IPv4 connection. Eventually, the situation will be reversed. Most of the world will be running IPv6 and the remaining IPv4 technologies will have to transmit their older traffic over new links.

Using a dual IP stack

The simplest and most obvious method for transitioning from IPv4 to IPv6 is to run both. This is what all current versions of Windows do, going back as far as Windows Server 2008 and Windows Vista.

By default, these operating systems install both IP versions and use them simultaneously. Even if you had never heard of IPv6 until today, your computers are likely already using it and have IPv6 link-local addresses that you can see by running the ipconfig /all command.

The network layer implementations in Windows are separate, so you configure them separately. For both IPv4 and IPv6, you can choose to configure the address and other settings manually or use autoconfiguration. The separation cuts both ways: firewall rules, access control lists, and monitoring written only for IPv4 leave the IPv6 path on the same hosts uncovered, so every control should be defined for both stacks.

Because Windows supports both IP versions, the computers can communicate with TCP/IP resources running either IPv4 or IPv6. However, an enterprise network includes other devices, most notably routers, which might not yet support IPv6. The Internet is also almost completely based on IPv4.

Beginning immediately, administrators should make sure that any network layer equipment they purchase includes support for IPv6. Failure to do so will almost certainly cost them later.

Tunneling

Right now, there are many network servicesthat are IPv4-only and comparatively few thatrequire IPv6. Those IPv6 services are coming,however.

The DirectAccess remote networking featurein Windows Server 2012 R2 and Windows 8.1is an example of an IPv6 technology and muchof its complexity is due to the need to establishIPv6 connections over the IPv4 Internet.

The primary method for transmitting IPv6traffic over an IPv4 network is called tunnel-ing. Tunneling, in this case, is the process bywhich a system encapsulates an IPv6 data-gram within an IPv4 packet, as shown in Fig-ure 4-4. The system then transmits the IPv4packet to its destination, with none of the in-termediate systems aware of the packet’scontents.

699/1537

Figure 4-4. IPv6 traffic encapsulated inside anIPv4 datagram

Tunneling can work in a variety of configura-tions, depending on the network infrastruc-ture, including router-to-router, host-to-host,router-to-host, and host-to-router. However,the most common configuration is router-to-router, as in the case of an IPv4-only connec-tion between an IPv6 branch office and anIPv6 home office, as shown in Figure 4-5.

700/1537

Figure 4-5. Two IPv6 networks connected byan IPv4 tunnel

The two routers support both IPv4 and IPv6and the local networks at each site use IPv6.However, the link connecting the two sites isIPv4-only. By creating a tunnel between therouters in the two offices, they can exchangeIPv6 traffic as needed by using their IPv4 in-terfaces. Computers at either site can sendIPv6 traffic to the other site and the routersare responsible for encapsulating the IPv6data in IPv4 packets for the trip through thetunnel.

701/1537

Windows supports several different tunnelingmethods, both manual and automatic, as de-scribed in the following sections.

Configuring Tunnels Manually

It is possible to manually create semipermanent tunnels that carry IPv6 traffic through an IPv4-only network. When a computer running Windows Server 2012 R2 or Windows 8.1 is functioning as one end of the tunnel, you can use the following command:

netsh interface ipv6 add v6v4tunnel "interface" localaddress remoteaddress

In this command, interface is a friendly name you want to assign to the tunnel you are creating; localaddress and remoteaddress are the IPv4 addresses forming the two ends of the tunnel. An example of an actual command would be as follows:

netsh interface ipv6 add v6v4tunnel "tunnel" 206.73.118.19 157.54.206.43
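The command creates the interface but moves no traffic: the tunnel still needs an IPv6 address, a route for the remote site, IPv6 forwarding (this host is a router in the book's scenario) and, because the host will otherwise accept IPv6-in-IPv4 from any Internet address, a firewall rule scoped to the peer. The following PowerShell script is an added example, not from the book, that finishes the branch-office end of the tunnel shown above. It uses the book's two IPv4 endpoints; the interface name v6tun, the addresses from the 2001:db8::/32 documentation range and the remote site prefix are invented for the example.

```powershell
# Added example (not from the book): finish the branch-office end of the
# manual tunnel. The IPv4 endpoints are the book's; everything IPv6 is assumed.
$localV4    = '206.73.118.19'      # this router's public IPv4 address
$remoteV4   = '157.54.206.43'      # the home-office router
$tunnelName = 'v6tun'
$tunnelV6   = '2001:db8:ffff::1'   # this end of the point-to-point /64 (assumed)
$peerV6     = '2001:db8:ffff::2'   # the other end (assumed)
$remoteSite = '2001:db8:2::/48'    # IPv6 prefix in use at the home office (assumed)

# 1. Create the tunnel interface; this is the command the book shows.
netsh interface ipv6 add v6v4tunnel "$tunnelName" $localV4 $remoteV4

# 2. Address the tunnel and route the other office's prefix through it.
#    The peer mirrors this with the addresses swapped.
New-NetIPAddress -InterfaceAlias $tunnelName -IPAddress $tunnelV6 -PrefixLength 64
New-NetRoute -DestinationPrefix $remoteSite -InterfaceAlias $tunnelName -NextHop $peerV6

# 3. This host forwards for the office LAN, so enable IPv6 forwarding on the
#    tunnel (the LAN-facing interface needs the same setting).
Set-NetIPInterface -InterfaceAlias $tunnelName -AddressFamily IPv6 -Forwarding Enabled

# 4. The tunnel is IPv6 inside IPv4 (IP protocol 41). Accept it only from the
#    known peer: add a peer-scoped rule, then disable any other inbound rule
#    that already accepts protocol 41 from anywhere (Teredo uses UDP and is
#    unaffected; 6to4/ISATAP inbound would be, which is intended on a router
#    that uses neither).
New-NetFirewallRule -DisplayName "6in4 from $remoteV4" -Direction Inbound `
    -Protocol 41 -RemoteAddress $remoteV4 -Action Allow
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq '41' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -ne "6in4 from $remoteV4" } |
    Disable-NetFirewallRule

# 5. Verify: interface up, route present, peer reachable over IPv6.
Get-NetIPInterface -InterfaceAlias $tunnelName -AddressFamily IPv6 |
    Format-Table InterfaceAlias, ConnectionState, Forwarding
Get-NetRoute -DestinationPrefix $remoteSite | Format-Table DestinationPrefix, NextHop, InterfaceAlias
Test-NetConnection -ComputerName $peerV6 -InformationLevel Detailed
```

Run the same script on the home-office router with the IPv4 endpoints and the ::1/::2 addresses swapped and the branch prefix as the remote site. If the Test-NetConnection ping fails, check the firewall at both ends before suspecting the tunnel: protocol 41 is not TCP or UDP, so port-based rules never match it.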

Configuring Tunnels Automatically

There are also a number of mechanisms that automatically create tunnels over IPv4 connections. These are technologies designed to be temporary solutions during the transition from IPv4 to IPv6. All of them include a mechanism for expressing an IPv4 address in the IPv6 format. The IPv4-to-IPv6 transition technologies that Windows supports are described in the following sections.

6to4

The 6to4 mechanism essentially incorporates the IPv4 connections in a network into the IPv6 infrastructure by defining a method for expressing IPv4 addresses in IPv6 format and encapsulating IPv6 traffic into IPv4 packets. A 6to4 site derives its IPv6 prefix from its public IPv4 address: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address written as hexadecimal, so the IPv4 endpoint of any 6to4 address can be read straight out of the address.

ISATAP

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic tunneling protocol, supported by the Windows workstation and server operating systems, that emulates an IPv6 link by using an IPv4 network.

ISATAP also embeds IPv4 addresses in IPv6 addresses, but it uses a different method than 6to4: the IPv4 address is placed in the interface identifier (the low-order 64 bits) of the IPv6 address, which is why Windows displays ISATAP addresses in a form such as fe80::5efe:10.0.1.25. ISATAP does not support multicasting, so it cannot locate routers in the usual manner by using the Neighbor Discovery protocol. Instead, the system compiles a potential routers list (PRL) by using DNS queries (by default, Windows resolves the name isatap in its own DNS suffix) and sends Router Discovery messages to them on a regular basis by using Internet Control Message Protocol version 6 (ICMPv6).
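The two address constructions just described, as an added PowerShell example rather than anything from the book: the 6to4 site prefix derived from a public IPv4 address (with the reverse lookup that recovers the tunnel endpoint from any 2002: address seen in a log), and the ISATAP address that carries an IPv4 address in its interface identifier. The IPv4 address 206.73.118.19 is the one the book uses in its tunnel example; the ISATAP prefix 2001:db8:1:1:: and the host address 10.0.1.25 are assumptions.

```powershell
# Added example (not from the book). Only the .NET IPAddress class is used,
# so this runs on Windows Server 2012 R2 / PowerShell 4 without any module.
function Get-6to4Prefix {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    # 6to4 site prefix: 2002:WWXX:YYZZ::/48, the four IPv4 octets written in hex
    '2002:{0:x2}{1:x2}:{2:x2}{3:x2}::/48' -f $b[0], $b[1], $b[2], $b[3]
}

function Get-6to4Endpoint {
    param([Parameter(Mandatory)][string]$IPv6)
    # Reverse operation: the IPv4 tunnel endpoint embedded in any 2002::/16 address
    $b = [System.Net.IPAddress]::Parse($IPv6).GetAddressBytes()
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x02) { throw "$IPv6 is not a 6to4 address" }
    '{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5]
}

function Get-IsatapAddress {
    param([Parameter(Mandatory)][string]$Prefix,   # a /64 prefix, e.g. 2001:db8:1:1::
          [Parameter(Mandatory)][string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    # The interface identifier is 0000:5EFE:<IPv4> when the IPv4 address is
    # private and 0200:5EFE:<IPv4> (universal bit set) when it is globally unique.
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    $ug = if ($private) { '0' } else { '200' }
    '{0}:{1}:5efe:{2:x2}{3:x2}:{4:x2}{5:x2}' -f $Prefix.TrimEnd(':'), $ug, $b[0], $b[1], $b[2], $b[3]
}

Get-6to4Prefix   '206.73.118.19'          # 2002:ce49:7613::/48
Get-6to4Endpoint '2002:ce49:7613:1::a'    # 206.73.118.19
Get-IsatapAddress -Prefix '2001:db8:1:1::' -IPv4 '10.0.1.25'
# 2001:db8:1:1:0:5efe:0a00:0119  (ipconfig shows the same address as 2001:db8:1:1:0:5efe:10.0.1.25)
```

Get-6to4Endpoint is the one to keep handy: an IPv6 source address beginning with 2002: in a web or firewall log is a 6to4 host, and the public IPv4 address it decodes to is the network you are actually talking to.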

Teredo

To use 6to4 tunneling, both endpoints of the tunnel must have registered (public) IPv4 addresses. However, on many networks, the system that would function as the endpoint is located behind a NAT router, and therefore has an unregistered address. In such a case, the only registered address available is assigned to the NAT router itself, and unless the router supports 6to4 (which many don't), it is impossible to establish the tunnel.

Teredo is a mechanism that addresses this shortcoming by enabling devices behind non-IPv6 NAT routers to function as tunnel endpoints. To do this, Teredo encapsulates IPv6 packets within User Datagram Protocol (UDP) datagrams carried over IPv4, rather than directly within IPv4 datagrams as 6to4 does; because NAT routers translate UDP ports like those of any other session, the tunneled traffic passes through them. This is also why Teredo deserves scrutiny on a managed network: a client behind a NAT router that permits outbound UDP acquires a global IPv6 address that the IPv4 perimeter controls know nothing about.

For a Teredo client to function as a tunnel endpoint, it must have access to a Teredo server, with which it exchanges Router Solicitation messages and Router Advertisement messages to determine whether the client is located behind a NAT router.

To initiate communications, a Teredo client exchanges null packets called bubbles with the desired destination, using the Teredo servers at each end as intermediaries. The function of the bubble messages is to create mappings for both computers in each other's NAT routers.
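Because a Teredo address encodes the client's public IPv4 address and UDP port, it can be decoded, which is useful when one appears in a log or a firewall rule; and because Teredo, 6to4 and ISATAP are all enabled automatically, a server should be checked for tunnel interfaces it does not need. The following PowerShell is an added example, not from the book: the decoder implements the address layout from RFC 4380, the sample Teredo address is a constructed one, and the configuration cmdlets are the NetworkTransition ones shipped with Windows Server 2012 R2.

```powershell
# Added example (not from the book): decode a Teredo address, then audit and
# (for a server that has no use for them) disable the automatic tunnels.
function ConvertFrom-TeredoAddress {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if (-not ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0)) {
        throw "$Address is not in the Teredo prefix 2001:0::/32"
    }
    # Layout: 2001:0000 | server IPv4 | flags | port XOR 0xFFFF | client IPv4 XOR 0xFFFFFFFF
    $server = $b[4..7] -join '.'
    $flags  = ([int]$b[8] -shl 8) -bor $b[9]
    $port   = (([int]$b[10] -shl 8) -bor $b[11]) -bxor 0xFFFF
    $client = ($b[12..15] | ForEach-Object { $_ -bxor 0xFF }) -join '.'
    [pscustomobject]@{
        TeredoServer = $server
        ConeFlag     = [bool]($flags -band 0x8000)
        ClientPort   = $port
        ClientIPv4   = $client
    }
}

# Constructed sample address
ConvertFrom-TeredoAddress '2001:0:4136:e378:8000:63bf:3fff:fdd2'
# TeredoServer 65.54.227.120, ConeFlag True, ClientPort 40000, ClientIPv4 192.0.2.45

# Audit: which transition technologies are configured and which interfaces exist?
Get-Net6to4Configuration   | Format-Table State
Get-NetIsatapConfiguration | Format-Table State, Router, ResolutionState
Get-NetTeredoConfiguration | Format-Table Type, ServerName
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match 'Teredo|isatap|6TO4' } |
    Format-Table InterfaceAlias, ConnectionState, Forwarding

# A server with native IPv6, or with no IPv6 requirement at all, gains
# nothing from these and loses a clear perimeter; turn them off.
Set-Net6to4Configuration   -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type  Disabled

# ISATAP finds its router through DNS (the name isatap), so a writable DNS
# record of that name redirects every ISATAP client. The Windows DNS Server
# refuses to answer it by default; confirm the block list still says so.
if (Get-Command Get-DnsServerGlobalQueryBlockList -ErrorAction SilentlyContinue) {
    Get-DnsServerGlobalQueryBlockList
}
```

The decoder's ClientIPv4 and ClientPort are the NAT's external mapping, which is exactly what an IPv4-only perimeter device would have logged for the same session; correlating the two views is how you prove that an IPv6 flow and an IPv4 UDP flow are the same traffic.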

THOUGHT EXPERIMENT: SUBNETTING IPV4 ADDRESSES

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

The enterprise administrator has assigned Arthur the network address 172.16.8.0/24 for the branch office network that he is constructing. Arthur calculates that this gives him 254 usable IP addresses (2^8 = 256 addresses, minus the network and broadcast addresses), which is enough for his network, but he has determined that he needs six subnets with at least 10 hosts on each one.

With this in mind, answer the following questions.

1. How can Arthur subnet the address he has been given to satisfy his needs?

2. What IP addresses and subnet masks will the computers on his branch office network use?

Objective summary

▪ The IPv4 address space consists of 32-bit addresses, notated as four 8-bit decimal values from 0 to 255 separated by periods, as in the example 192.168.43.100. This is known as dotted-decimal notation, and the individual 8-bit decimal values are called octets or bytes.

▪ Because the subnet mask associated with IP addresses can vary, the number of bits used to identify the network and the host can also vary. The original IP standard defines three address classes for assignment to networks, which support different numbers of networks and hosts.

▪ Because of its wastefulness, classful addressing was gradually made obsolete by a series of subnetting methods, including VLSM and eventually CIDR.

▪ When a Windows computer starts, it initiates the IPv6 stateless address autoconfiguration process, during which it assigns each interface a link-local unicast address.

▪ The simplest and most obvious method for transitioning from IPv4 to IPv6 is to run both, and this is what all current versions of Windows do.

▪ The primary method for transmitting IPv6 traffic over an IPv4 network is called tunneling. Tunneling is the process by which a system encapsulates an IPv6 datagram within an IPv4 packet.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following is the primary method for transmitting IPv6 traffic over an IPv4 network?

a. Subnetting

b. Tunneling

c. Supernetting

d. Contracting

2. Which of the following is the IPv6 equivalent to a private IPv4 address?

a. Link-local unicast address

b. Global unique unicast address

c. Unique local unicast address

d. Anycast address

3. Which of the following is an automatic tunneling protocol used by Windows operating systems that are located behind NAT routers?

a. Teredo

b. 6to4

c. ISATAP

d. APIPA

4. Which type of IP address must a system have to be visible from the Internet?

a. Registered

b. Binary

c. Class B

d. Subnetted

5. Which of the following subnet mask values would you use when configuring a TCP/IP client with an IPv4 address on the 172.16.32.0/19 network?

a. 255.224.0.0

b. 255.240.0.0

c. 255.255.224.0

d. 255.255.240.0


e. 255.255.255.240

Objective 4.2: Deploy and configure Dynamic Host Configuration Protocol (DHCP) service

A server is rarely ready to perform all the tasks you have planned for it immediately after installation. Typically, some post-installation configuration is required, and further configuration changes might become necessary after the server is in service.

NOTE

This objective covers how to:

▪ Create and configure scopes

▪ Configure a DHCP reservation

▪ Configure DHCP options

▪ Configure client and server for PXE boot

▪ Configure DHCP relay agent

▪ Authorize DHCP server

Understanding DHCP

DHCP is a service that automatically configures the IP address and other TCP/IP settings on network computers by assigning addresses from a pool (called a scope) and reclaiming them when their leases expire.

Aside from being a time-consuming chore, manually configuring TCP/IP clients can result in typographical errors that cause addressing conflicts that interrupt network communications. DHCP prevents these errors and provides many other advantages, including automatic assignment of new addresses when computers are moved from one subnet to another and automatic reclamation of addresses that are no longer in use.

DHCP consists of three components, as follows:

▪ A DHCP service, which responds to client requests for TCP/IP configuration settings

▪ A DHCP client, which issues requests to servers and applies the TCP/IP configuration settings it receives to the local computer

▪ A DHCP communications protocol, which defines the formats and sequences of the messages exchanged by DHCP clients and servers

All the Microsoft Windows operating systems include DHCP client capabilities, and all the server operating systems (including Windows Server 2012 R2) include the Microsoft DHCP Server role.

The DHCP standards define three different IP address allocation methods:

▪ Dynamic allocation. The DHCP server assigns an IP address to a client computer from a scope for a specified length of time. Each client must periodically renew the lease to continue using the address. If the client allows the lease to expire, the address is returned to the scope for reassignment to another client.

▪ Automatic allocation. The DHCP server permanently assigns an IP address to a client computer from a scope. Once the DHCP server assigns the address to the client, the only way to change it is to manually reconfigure the computer.

▪ Manual allocation. The DHCP server permanently assigns a specific IP address to a specific computer on the network. In the Microsoft DHCP server, manually allocated addresses are called reservations.

In addition to IP addresses, DHCP can provide clients with values for the other parameters needed to configure a TCP/IP client, including a subnet mask, default gateway, and DNS server addresses. The object is to eliminate the need for any manual TCP/IP configuration on a client system. For example, the Microsoft DHCP server includes more than 50 configuration parameters, which it can deliver along with the IP address, even though Windows clients can only use a subset of those parameters.

DHCP communications use eight types of messages, each of which uses the same basic packet format. DHCP traffic is carried within standard UDP/IP datagrams, using port 67 at the server and port 68 at the client.

DHCP options

All DHCP messages include an options field, which is a catch-all area designed to carry the various parameters (other than the IP address) used to configure the client system's TCP/IP stack. Some of the most commonly used options are described in the following sections.

The DHCP Message Type Option

The DHCP Message Type option identifies the overall function of the DHCP message and is required in all DHCP packets. The DHCP communication protocol defines eight message types, as follows:

▪ DHCPDISCOVER. Used by clients to request configuration parameters from a DHCP server

▪ DHCPOFFER. Used by servers to offer IP addresses to requesting clients

▪ DHCPREQUEST. Used by clients to accept or renew an IP address assignment

▪ DHCPDECLINE. Used by clients to reject an offered IP address

▪ DHCPACK. Used by servers to acknowledge a client's acceptance of an offered IP address

▪ DHCPNAK. Used by servers to reject a client's acceptance of an offered IP address

▪ DHCPRELEASE. Used by clients to terminate an IP address lease

▪ DHCPINFORM. Used by clients to obtain additional TCP/IP configuration parameters from a server

BOOTP Vendor Information Extensions

These options include many of the basic TCP/IP configuration parameters used by most client systems, such as the following:

▪ Subnet Mask. Specifies which bits of the IP address identify the host system and which bits identify the network where the host system resides

▪ Router. Specifies the IP address of the router (or default gateway) on the local network segment the client should use to transmit to systems on other network segments

▪ Domain Name Server. Specifies the IP addresses of the servers the client will use for DNS name resolution

▪ Host Name. Specifies the DNS host name the client will use

▪ Domain Name. Specifies the name of the DNS domain on which the system will reside

BOOTP

The Bootstrap Protocol (BOOTP) is the predecessor to DHCP. The two are largely compatible; the primary difference is that BOOTP allocates IP addresses permanently, and not by leasing them.

DHCP Extensions

These options are used to provide parameters that govern the DHCP lease negotiation and renewal processes.

▪ Requested IP Address. Used by the client to request a particular IP address from the server

▪ IP Address Lease Time. Specifies the duration of a dynamically allocated IP address lease

▪ Server Identifier. Specifies the IP address of the server involved in a DHCP transaction; used by the client to address unicasts to the server

▪ Parameter Request List. Used by the client to send a list of requested configuration options (identified by their code numbers) to the server

▪ Message. Used to carry an error message from the server to the client in a DHCPNAK message

▪ Renewal (T1) time value. Specifies the time period that must elapse before an IP address lease enters the renewing state

▪ Rebinding (T2) time value. Specifies the time period that must elapse before an IP address lease enters the rebinding state
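As an added example (not the book's code), the packet format the preceding sections describe, in PowerShell: a function that builds a DHCPDISCOVER carrying the Message Type and Parameter Request List options, and a parser that walks the options field of any DHCP message and reports its type, transaction ID, client MAC, relay address (giaddr) and Server Identifier. The MAC address, the transaction ID and the DHCPOFFER at the end are constructed sample values; the list of authorized servers is an assumption that in practice would come from Get-DhcpServerInDC.

```powershell
# Added example (not from the book): the DHCP packet format in working code.
# MAC address, transaction ID and the sample OFFER are constructed values.

$MessageTypeNames = @{
    1 = 'DHCPDISCOVER'; 2 = 'DHCPOFFER';   3 = 'DHCPREQUEST'; 4 = 'DHCPDECLINE'
    5 = 'DHCPACK';      6 = 'DHCPNAK';     7 = 'DHCPRELEASE'; 8 = 'DHCPINFORM'
}

function New-DhcpDiscover {
    param([byte[]]$ClientMac, [uint32]$Xid)
    # Fixed header: op htype hlen hops | xid | secs flags | ciaddr yiaddr siaddr
    # giaddr | chaddr(16) | sname(64) | file(128) | magic cookie  = 240 bytes
    $p = New-Object byte[] 240
    $p[0] = 1                                    # op: BOOTREQUEST
    $p[1] = 1; $p[2] = 6                         # htype Ethernet, hlen 6
    $xb = [BitConverter]::GetBytes($Xid)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($xb) }
    [Array]::Copy($xb, 0, $p, 4, 4)              # xid in network byte order
    $p[10] = 0x80                                # flags: ask for a broadcast reply
    [Array]::Copy($ClientMac, 0, $p, 28, 6)      # chaddr
    $p[236] = 99; $p[237] = 130; $p[238] = 83; $p[239] = 99   # cookie 99.130.83.99
    $opts = New-Object System.Collections.Generic.List[byte]
    $opts.AddRange([byte[]](53, 1, 1))            # DHCP Message Type = DISCOVER
    $opts.AddRange([byte[]](55, 4, 1, 3, 6, 15))  # Parameter Request List:
                                                  #   mask, router, DNS, domain
    $opts.Add(255)                                # End
    return [byte[]]($p + $opts.ToArray())
}

function ConvertFrom-DhcpPacket {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 240) { throw 'Too short to be a DHCP message' }
    if (-not ($Packet[236] -eq 99 -and $Packet[237] -eq 130 -and
              $Packet[238] -eq 83 -and $Packet[239] -eq 99)) {
        throw 'No magic cookie: plain BOOTP, not DHCP'
    }
    $opts = @{}
    $i = 240
    while ($i -lt $Packet.Length) {
        $code = [int]$Packet[$i]
        if ($code -eq 255) { break }              # End option
        if ($code -eq 0)   { $i++; continue }     # Pad option has no length byte
        if ($i + 1 -ge $Packet.Length) { throw "Option $code is missing its length" }
        $len = [int]$Packet[$i + 1]
        if ($i + 2 + $len -gt $Packet.Length) {
            throw "Option $code claims $len bytes but the packet ends first"
        }
        $opts[$code] = if ($len -eq 0) { [byte[]]@() } else { [byte[]]$Packet[($i + 2)..($i + 1 + $len)] }
        $i += 2 + $len
    }
    $type = if ($opts.ContainsKey(53)) { $MessageTypeNames[[int]$opts[53][0]] } else { 'none (BOOTP-style)' }
    [pscustomobject]@{
        Op          = if ($Packet[0] -eq 1) { 'BOOTREQUEST' } else { 'BOOTREPLY' }
        Xid         = '0x' + (($Packet[4..7] | ForEach-Object { '{0:x2}' -f $_ }) -join '')
        ClientMac   = ($Packet[28..33] | ForEach-Object { '{0:x2}' -f $_ }) -join ':'
        YourIp      = $Packet[16..19] -join '.'
        RelayIp     = $Packet[24..27] -join '.'   # giaddr: filled in by a relay agent
        MessageType = $type
        ServerId    = if ($opts.ContainsKey(54)) { $opts[54] -join '.' } else { $null }
        Options     = $opts
    }
}

# Build a DISCOVER and parse it back.
$mac = [byte[]](0x00, 0x15, 0x5d, 0x01, 0x02, 0x03)           # constructed sample MAC
$discover = New-DhcpDiscover -ClientMac $mac -Xid 0x3903F326
ConvertFrom-DhcpPacket $discover | Format-List Op, Xid, ClientMac, MessageType
(ConvertFrom-DhcpPacket $discover).Options[55] -join ','      # 1,3,6,15

# Parse a constructed OFFER and check its Server Identifier against the
# servers that are supposed to exist. An offer from anywhere else is the
# signature of a rogue DHCP server steering clients to its own gateway/DNS.
$hdr = [byte[]]$discover[0..239]                               # same header as the DISCOVER
$hdr[0] = 2                                                    # BOOTREPLY
[Array]::Copy([byte[]](10, 0, 1, 101), 0, $hdr, 16, 4)         # yiaddr = 10.0.1.101
$offer = [byte[]]($hdr + [byte[]](53, 1, 2,  54, 4, 10, 0, 1, 250,  3, 4, 10, 0, 1, 250,  255))
$authorized = @('10.0.1.10')                                   # assumed; from Get-DhcpServerInDC
$parsed = ConvertFrom-DhcpPacket $offer
if ($parsed.MessageType -eq 'DHCPOFFER' -and $parsed.ServerId -notin $authorized) {
    "Rogue DHCPOFFER: server $($parsed.ServerId) offered $($parsed.YourIp) to $($parsed.ClientMac)"
}
```

The parser refuses a truncated option rather than reading past the end of the buffer; that is the same check every DHCP implementation has to get right, since the options field is attacker-controlled input on a network service that runs before anything else on the host.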

DHCP communications

To design a DHCP strategy for an enterprise network and deploy it properly requires an understanding of the communications that occur between DHCP clients and servers. In Windows computers, the DHCP client is enabled by default, although it is not mentioned by name in the interface. The Obtain An IP Address Automatically option in the Internet Protocol Version 4 (TCP/IPv4) Properties sheet and the Obtain An IPv6 Address Automatically option in the Internet Protocol Version 6 (TCP/IPv6) Properties sheet control the activation of the client for IPv4 and IPv6, respectively.

DHCP Lease Negotiation

DHCP communication is always initiated by the client, as shown in Figure 4-6, and proceeds as follows:

Figure 4-6. The DHCP IP address assignment process

1. When a computer boots for the first time with the DHCP client active, the client generates a series of DHCPDISCOVER messages to solicit an IP address assignment from a DHCP server and broadcasts them on the local network.

2. All DHCP servers receiving the DHCPDISCOVER broadcast messages generate DHCPOFFER messages containing an IP address and other TCP/IP configuration parameters and transmit them to the client.

3. After a specified period, the client accepts one of the offered addresses by broadcasting a DHCPREQUEST message containing the address of the offering server.

4. When the offering server receives the DHCPREQUEST message, it adds the offered IP address and other settings to its database.

5. The server transmits a DHCPACK message to the client, acknowledging the completion of the process. If the server cannot complete the assignment, it transmits a DHCPNAK message to the client and the process restarts.

6. As a final test, the client broadcasts the offered IP address using the Address Resolution Protocol (ARP) to ensure that no other system on the network is using it. If the client receives no response to the ARP broadcast, the DHCP transaction is completed. If another system responds to the ARP message, the client discards the IP address and transmits a DHCPDECLINE message to the server, nullifying the transaction. The client then restarts the process.

Nothing in this exchange authenticates the server. The client accepts an offer from whichever server answers, which is why an unauthorized DHCP server on a segment can hand clients its own default gateway and DNS server addresses and thereby intercept their traffic.

DHCP Lease Renewal

By default, the DHCP Server service in Windows Server 2012 R2 uses dynamic allocation, leasing IP addresses to clients for eight-day periods. At periodic intervals during the lease, the client attempts to contact the server to renew the lease, as shown in Figure 4-7, by using the following procedure:

Figure 4-7. The DHCP IP address renewal process

1. When the DHCP client reaches the 50 percent point of the lease's duration (called the renewal time value or T1 value), the client begins generating unicast DHCPREQUEST messages and transmitting them to the DHCP server holding the lease.

2. If the server does not respond by the time the client reaches the 87.5 percent point of the lease's duration (called the rebinding time value or T2 value), the client begins transmitting its DHCPREQUEST messages as broadcasts in an attempt to solicit an IP address assignment from any DHCP server on the network.

3. If the server receives the DHCPREQUEST message from the client, it responds with either a DHCPACK message, which approves the lease renewal request, or a DHCPNAK message, which terminates the lease. If the client receives no responses to its DHCPREQUEST messages by the time the lease expires, or if it receives a DHCPNAK message, the client releases its IP address. All TCP/IP communication then ceases, except for the transmission of DHCPDISCOVER broadcasts.

Deploying a DHCP server

DHCP servers operate independently, so you must install the service and configure scopes on every computer that will function as a DHCP server. The DHCP Server service is packaged as a role in Windows Server 2012 R2, which you can install by using the Add Roles And Features Wizard, accessible from the Server Manager console.

When you install the DHCP Server role on a computer that is a member of an Active Directory Domain Services domain, the post-installation configuration authorizes the DHCP server in the domain, which permits its DHCP Server service to allocate IP addresses to clients. If the server is not a domain member when you install the role, and you join it to a domain later, you must manually authorize the DHCP server in the domain by right-clicking the server node in the DHCP console and, from the shortcut menu, selecting Authorize. Authorization is a check that domain-member Windows DHCP servers perform on themselves (an unauthorized one refuses to serve clients); it does nothing about a rogue DHCP server of any other kind on the segment.

After installing the DHCP Server role, you must configure the service by creating a scope before it can serve clients.

Creating a scope

A scope is a range of IP addresses on a particular subnet that are selected for allocation by a DHCP server. In Windows Server versions prior to Windows Server 2012, you can create a scope as you install the DHCP Server role. However, in Windows Server 2012 and Windows Server 2012 R2, the procedures are separate. To create a scope by using the DHCP snap-in for Microsoft Management Console (MMC), use the following procedure.

1. In Server Manager, click Tools, DHCP. The DHCP console opens.

2. Expand the server node and the IPv4 node.

3. Right-click the IPv4 node and, from the shortcut menu, select New Scope. The New Scope Wizard opens, displaying the Welcome page.

4. Click Next. The Scope Name page opens.

5. Type a name for the scope into the Name text box and click Next. The IP Address Range page opens, as shown in Figure 4-8.

Figure 4-8. Configuring the IP Address Range page in the DHCP console

6. In the Start IP Address text box, type the first address in the range of addresses you want to assign. In the End IP Address box, type the last address in the range.

7. In the Subnet Mask text box, type the mask value for the subnet on which the scope will operate and click Next. The Add Exclusions And Delay page opens.

8. In the Start IP Address and End IP Address text boxes, specify a range of addresses you want to exclude from the scope. Then click Next to open the Lease Duration page.

9. Specify the length of the leases for the addresses in the scope and click Next. The Configure DHCP Options page opens.

10. Select Yes, I Want To Configure These Options Now and click Next. The Router (Default Gateway) page opens, as shown in Figure 4-9.

Figure 4-9. Configuring the Router (Default Gateway) page in the DHCP console

11. In the IP Address text box, specify the address of a router on the subnet served by the scope and click Add. Then click Next. The Domain Name And DNS Servers page opens.

12. In the Server Name text box, type the name of a DNS server on the network and click Resolve, or type the address of a DNS server in the IP Address text box and click Add. Then click Next. The WINS Servers page opens.

13. Click Next to open the Activate Scope page.

14. Select Yes, I Want To Activate This Scope Now and click Next. The Completing The New Scope Wizard page opens.

15. Click Finish to close the wizard.

16. Close the DHCP console.

Once you have created the scope, all the DHCP clients on the subnet you identified can obtain their IP addresses and other TCP/IP configuration settings via DHCP. You can also use the DHCP console to create additional scopes for other subnets.

Configuring DHCP options

The New Scope Wizard enables you to configure a few of the most commonly used DHCP options as you create a new scope, but you can always configure the many other options at a later time.

The Windows DHCP server supports two kinds of options:

▪ Scope Options. Options supplied only to DHCP clients receiving addresses from a particular scope

▪ Server Options. Options supplied to all DHCP clients receiving addresses from the server

The Router option is a typical example of a scope option, because a DHCP client's default gateway address must be on the same subnet as its IP address. The DNS Servers option is typically a server option, because DNS servers do not have to be on the same subnet, and networks often use the same DNS servers for all their clients. If the same option is configured at both levels, the scope value takes precedence for clients in that scope (and a value configured on an individual reservation takes precedence over both).

All the options supported by the Windows DHCP server can be either scope or server options, and the process of configuring them is basically the same. To configure a scope option, right-click the Scope Options node and, from the shortcut menu, select Configure Options. This opens the Scope Options dialog box, which provides appropriate controls for each of the available options (see Figure 4-10).

Figure 4-10. The Scope Options dialog box

Right-clicking the Server Options node enables you to open the Server Options dialog box, which behaves the same way as the Scope Options dialog box.


Creating a reservation

Although DHCP is an excellent TCP/IP configuration solution for most of the computers on a network, there are a few for which it is not. DHCP servers themselves, for example, need static IP addresses.

Because the DHCP dynamic allocation method allows for the possibility that a computer's IP address could change, it is not appropriate for these particular roles. However, it is possible to assign addresses to these computers by using DHCP, using manual, instead of dynamic, allocation.

In a Windows DHCP server, a manually allocated address is called a reservation. You create a reservation by expanding the scope node, right-clicking the Reservations node, and, from the shortcut menu, selecting New Reservation. The New Reservation dialog box opens, as shown in Figure 4-11.

Figure 4-11. Creating a reservation

In this dialog box, you specify the IP address you want to assign and associate it with the client computer's MAC address, which is hard-coded into its network interface adapter.

It is also possible to manually configure the computer's TCP/IP client, but creating a DHCP reservation ensures that all your IP addresses are managed by your DHCP servers. In a large enterprise, where various administrators might be dealing with DHCP and TCP/IP configuration issues, the IP address that one technician manually assigns to a computer might be included in a DHCP scope by another technician, resulting in potential addressing conflicts. Reservations create a permanent record of the IP address assignment on the DHCP server. Bear in mind that the MAC address is the only thing a reservation keys on, and a MAC address is trivial to change: a reservation documents and stabilizes an assignment, but it does not authenticate the device that claims it.
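The deployment, authorization, scope, option and reservation steps above, carried out from PowerShell with the DhcpServer module as one script. This is an added example, not from the book; the server name dhcp1.contoso.com, the 10.0.1.0/24 addressing, the DNS servers and the printer's MAC address are all assumptions.

```powershell
# Added example (not from the book): deploy, authorize and provision a DHCP
# server from PowerShell rather than the wizards. The FQDN and every address
# below (10.0.1.0/24, the printer MAC) are assumptions.
$dhcpFqdn = 'dhcp1.contoso.com'
$dhcpAddr = '10.0.1.10'
$scopeId  = '10.0.1.0'

# 1. Install the role and create the local DHCP Administrators/DHCP Users
#    groups (the post-install wizard does the same), then record that the
#    post-install configuration is done so Server Manager stops flagging it.
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2
Restart-Service DHCPServer

# 2. Authorize in AD DS and list every authorized server. Only domain-member
#    Windows DHCP servers honour this list; anything else answering
#    DHCPDISCOVER on a segment is invisible here, so pair the list with DHCP
#    snooping on the switches or periodic packet captures.
Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpAddr
Get-DhcpServerInDC | Format-Table DnsName, IPAddress

# 3. Scope: the whole /24, created inactive so no lease is handed out before
#    the options exist; the first 20 addresses are excluded for infrastructure.
Add-DhcpServerv4Scope -Name 'Branch LAN' -StartRange '10.0.1.1' -EndRange '10.0.1.254' `
    -SubnetMask '255.255.255.0' -LeaseDuration (New-TimeSpan -Days 8) -State InActive
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.0.1.1' -EndRange '10.0.1.20'

# 4. Scope option: the router must sit on this subnet, so it is set per scope.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router '10.0.1.1'

# 5. Server options: the same internal resolvers for every scope on this
#    server. -Force skips the cmdlet's reachability probe of each DNS server.
Set-DhcpServerv4OptionValue -DnsServer '10.0.1.5', '10.0.1.6' -DnsDomain 'contoso.com' -Force

# 6. Reservation (manual allocation) for a printer, keyed on its MAC address.
#    The address lies in the excluded range, so it is never leased to anyone
#    else, yet the DHCP database still records who owns it. The MAC is not an
#    authenticator: a device that spoofs it receives this address.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress '10.0.1.15' `
    -ClientId '00-15-5D-01-02-03' -Name 'printer01' -Description 'Lobby printer'

# 7. Activate, then show exactly what a client in this scope will receive
#    (scope-level values first, then the server-level defaults).
Set-DhcpServerv4Scope -ScopeId $scopeId -State Active
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Format-Table OptionId, Name, Value
Get-DhcpServerv4OptionValue | Format-Table OptionId, Name, Value
Get-DhcpServerv4Reservation -ScopeId $scopeId | Format-Table IPAddress, ClientId, Name
```

Creating the scope inactive and activating it last is deliberate: a scope that is active with no Router or DNS option hands out leases that leave clients half-configured, and the first client to ask gets one the moment the scope goes live.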

Using PXE

The Windows operating systems include a DHCP client that can configure the local IP address and other TCP/IP settings of computers with an operating system already installed. However, it is also possible for a bare metal computer—that is, a computer with no operating system installed—to use DHCP.

The Preboot eXecution Environment (PXE) is a feature built into many network interface adapters that enables them to connect to a DHCP server over the network and obtain TCP/IP client settings, even when there is no operating system on the computer. Administrators typically use this capability to automate the operating system deployment process on large fleets of computers.

In addition to configuring the IP address and other TCP/IP client settings on the computer, the DHCP server can supply the workstation with an option specifying the location of a boot file that the system can download and use to start the computer and initiate a Windows operating system installation. A PXE-equipped system downloads boot files by using the Trivial File Transfer Protocol (TFTP), a simplified version of the FTP protocol that requires no authentication. Because neither DHCP nor TFTP authenticates the server, a PXE client runs whatever boot program an answering server hands it; the only protection is control over which servers can answer on the segment.

Windows Server 2012 R2 includes a role called Windows Deployment Services (WDS), which enables administrators to manage image files that remote computers can use to start up and install Windows. For a PXE adapter to access WDS images, the DHCP exchange must tell the client where to find the WDS server. When WDS and the DHCP Server run on the same computer, the DHCP server must have a custom PXEClient option (option 60) configured; it informs the client that the DHCP server it is talking to also answers PXE requests. When WDS runs on a separate server, its PXE listener answers the client's broadcast itself on the local subnet; for clients on other subnets, either the routers relay DHCP broadcasts to the WDS server as well, or the DHCP scope supplies options 66 (Boot Server Host Name) and 67 (Bootfile Name).

The PXE client on the workstation typically needs no configuration, with the possible exception of an alteration of the boot device order so that the computer attempts a network boot before using the local devices.

In a properly configured WDS deployment of Windows 8.1, the client operating system deployment process proceeds as follows:

1. The client computer starts and, finding no local boot device, attempts to perform a network boot.

2. The client computer connects to a DHCP server on the network, from which it obtains a DHCPOFFER message containing an IP address and other TCP/IP configuration parameters, plus the PXE boot information (the 060 PXEClient option when the DHCP server is also the WDS server, or the boot server name and boot file name otherwise).

3. The client connects to the WDS server and is supplied with a boot image file, which it downloads by using TFTP.

4. The client loads Windows PE and the WDS client from the boot image file onto a RAM disk (a virtual disk created out of system memory) and displays a boot menu containing a list of the install images available from the WDS server.

5. The user on the client computer selects an install image from the boot menu, and the operating system installation process begins. From this point, the setup process proceeds just like a manual installation.
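An added PowerShell example (not from the book) of the DHCP side of a PXE deployment, covering both the separate-server case (options 66 and 67) and the shared-host case (option 60 plus the WDS port change), followed by the two controls that compensate for PXE's lack of authentication. The scope 10.0.1.0, the WDS host name wds1.contoso.com and the boot file path are assumptions.

```powershell
# Added example (not from the book): publish PXE boot information from DHCP
# and limit who can use it. Scope, WDS host and boot file path are assumptions.
$scopeId       = '10.0.1.0'
$wdsHost       = 'wds1.contoso.com'
$wdsOnThisHost = $false     # $true when WDS and the DHCP Server share this computer

if ($wdsOnThisHost) {
    # Both services want UDP 67: WDS must stop listening there, and the DHCP
    # server must add vendor class PXEClient (option 60) so the firmware knows
    # this DHCP server also speaks PXE. Option 60 is not predefined on the
    # Windows DHCP server, so define it before setting a value.
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String
    }
    Set-DhcpServerv4OptionValue -OptionId 60 -Value 'PXEClient'
    wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes
} else {
    # WDS elsewhere, clients on remote subnets: options 66/67 name the boot
    # server and the boot program the client will fetch over TFTP.
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66 -Value $wdsHost
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 67 -Value 'boot\x64\wdsnbp.com'
}

# Neither DHCP nor TFTP authenticates the server, and a PXE client runs
# whatever boot program it is handed. Two compensating controls:
#  - answer only computers pre-staged in AD DS (computer objects carrying the
#    machine's netbootGUID), not any unknown MAC address that asks;
#  - keep the list of authorized DHCP servers short and reviewed.
if (Get-Command wdsutil.exe -ErrorAction SilentlyContinue) {
    wdsutil /Set-Server /AnswerClients:Known
}
Get-DhcpServerInDC | Format-Table DnsName, IPAddress

# Verify what the scope advertises to PXE clients.
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 66, 67 | Format-Table OptionId, Name, Value
```

Whichever case applies, the boot image a client downloads is the first code that runs on that machine with no operating system to check it; restricting who WDS answers is what keeps an attacker from simply plugging in and requesting an image, and restricting who may answer is what keeps one from serving a tampered image to your fleet.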

MORE INFO WINDOWS DEPLOYMENT SERVICES

For more information on using WDS, see Objective 1.1, "Deploy and manage server images," in Exam 70-411, "Administering Windows Server 2012 R2."

Deploying a DHCP relay agent

Because they rely on broadcast transmissions, DHCPv4 clients can access DHCP servers only on the local network, under normal circumstances. However, it is possible to create a DHCP infrastructure in which one server provides addresses for multiple subnets. To do this, you must install a DHCP relay agent on every subnet that does not have a DHCP server on it. The relay agent forwards each client broadcast to the server as a unicast, recording its own address on that subnet in the message's giaddr (gateway address) field; the server uses that field to choose which scope to allocate from. Many routers are capable of functioning as DHCP relay agents, but in situations where they are not, you can configure a Windows Server 2012 R2 computer to function as a relay agent by using the following procedure.

1. In Server Manager, using the Add Roles And Features Wizard, install the Remote Access role, including the Routing role service.

2. Click Open The Getting Started Wizard. The Configure Remote Access Getting Started Wizard opens.

3. Click Deploy VPN Only. The Routing And Remote Access console appears.

4. Right-click the server node and, on the shortcut menu, select Configure And Enable Routing And Remote Access. The Routing And Remote Access Server Setup Wizard appears.

5. Click Next to bypass the Welcome page. The Configuration page opens, as shown in Figure 4-12.

Figure 4-12. The Configuration page of the Routing and Remote Access Server Setup Wizard

6. Select Custom Configuration and click Next. The Custom Configuration page opens.

7. Select the LAN Routing check box and click Next. The Completing The Routing And Remote Access Server Setup Wizard page opens.

8. Click Finish. A Routing and Remote Access message box appears, prompting you to start the service.

9. Click Start Service.

10. Expand the IPv4 node. Then, right-click the General node and, in the shortcut menu, select New Routing Protocol. The New Routing Protocol dialog box appears.

11. Select DHCP Relay Agent and click OK. A DHCP Relay Agent node appears, subordinate to the IPv4 node.

DHCPV6 RELAY AGENTS

You can also create a relay agent for DHCPv6 by adding a routing protocol to the IPv6 node.

12. Right-click the DHCP Relay Agent node and, on the shortcut menu, select New Interface. The New Interface For DHCP Relay Agent dialog box appears.

13. Select the interface to the subnet on which you want to install the relay agent and click OK. The DHCP Relay Properties sheet for the interface appears.

14. Leave the Relay DHCP Packets check box selected, and configure the following settings, if needed.

▪ Hop-Count Threshold. Specifies the maximum number of relay agents through which DHCP messages can pass before being discarded. The default value is 4 and the maximum value is 16. This setting prevents DHCP messages from being relayed endlessly around the network.

▪ Boot Threshold. Specifies the time interval (in seconds) that the relay agent should wait before forwarding each DHCP message it receives. The default value is 4 seconds. This setting enables you to control which DHCP server processes the clients for a particular subnet.

15. Click OK.

16. Right-click the DHCP Relay Agent node and, on the shortcut menu, select Properties. The DHCP Relay Agent Properties sheet appears, as shown in Figure 4-13.

Figure 4-13. The DHCP Relay Agent Properties sheet

17. Type the IP address of the DHCP server to which you want the agent to relay messages and click Add. Repeat this step to add additional servers, if necessary.

18. Click OK.

19. Close the Routing And Remote Access console.

At this point, the server is configured to relay DHCP messages to the server addresses you specified.


THOUGHT EXPERIMENT: CONFIGURING DHCP SERVERS

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

After deploying a large number of wireless laptop computers on the network, Ralph, the IT director at Contoso, Ltd., decides to use DHCP to enable the laptop users to move from one subnet to another without having to manually reconfigure their IP addresses. Soon after the DHCP deployment, however, Ralph notices that some of the IP address scopes are being depleted, resulting in some computers being unable to connect to a new subnet.

With this in mind, answer the following question.

What can Ralph do to resolve this problem without altering the network's subnetting?

Objective summary

▪ DHCP is a service that automatically configures the IP address and other TCP/IP settings on network computers by assigning addresses from a pool (called a scope) and reclaiming them when they are no longer in use.

▪ DHCP consists of three components: a DHCP service, a DHCP client, and a DHCP communications protocol.

▪ The DHCP standards define three different IP address allocation methods: dynamic allocation, automatic allocation, and manual allocation.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following terms best describes the component that enables DHCP clients to communicate with DHCP servers on other subnets?

a. Forwarder

b. Resolver

c. Scope

d. Relay agent


2. Which of the following message types is not used during a successful DHCP address assignment?

a. DHCPDISCOVER

b. DHCPREQUEST

c. DHCPACK

d. DHCPINFORM

3. Which of the following DHCP address allocation types is the equivalent of a reservation in Windows Server 2012 R2?

a. Dynamic allocation

b. Automatic allocation

c. Manual allocation

d. Hybrid allocation


4. Which of the following network components are typically capable of functioning as DHCP relay agents?

a. Windows 8.1 computers

b. Routers

c. Switches

d. Windows Server 2012 R2 computers

5. Which of the following TCP/IP parameters is typically deployed as a scope option in DHCP?

a. DNS Server

b. Subnet Mask

c. Lease Duration

d. Default Gateway


Objective 4.3: Deploy andconfigure the DNS serviceDNS is a crucial element of both Internet andActive Directory communications. All TCP/IPcommunication is based on IP addresses. Eachcomputer on a network has at least one net-work interface, which is called a host in TCP/IP parlance, and each host has an IP addressthat is unique on that network. Every data-gram transmitted by a TCP/IP system con-tains the IP address of the sending computerand the IP address of the intended recipient.However, when users access a shared folderon the network or a website on the Internet,they usually do so by specifying or selecting ahost name, not an IP address. This is becausenames are far easier to remember and usethan IP addresses.


NOTE

This objective covers how to:

▪ Configure Active Directory integration of primary zones

▪ Configure forwarders

▪ Configure Root Hints

▪ Manage DNS cache

▪ Create A and PTR resource records

Understanding the DNS architecture

For TCP/IP systems to use these friendly host names, they must have a way to discover the IP address associated with the name. In the early days of TCP/IP networking, each computer had a list of names and their equivalent IP addresses, called a host table. At that time, the small number of computers on the fledgling Internet made the maintenance and distribution of a single host table practical.

Today, there are millions of computers on the Internet, and the idea of maintaining and distributing a single file containing names for all of them is absurd. Instead of using the host table stored on every computer, TCP/IP networks today use DNS servers to convert host names into IP addresses. This conversion process is referred to as name resolution.

At its core, the DNS is still a list of names and their equivalent IP addresses, but the methods for creating, storing, and retrieving those names are very different from those in a host table. DNS consists of three elements:

▪ The DNS namespace. The DNS standards define a tree-structured namespace in which each branch of the tree identifies a domain. Each domain contains a collection of resource records that contain host names, IP addresses, and other information. Query operations are attempts to retrieve specific resource records from a particular domain.

▪ Name servers. A DNS server is a service running on a server computer that maintains information about the domain tree structure and (sometimes) contains authoritative information about one or more specific domains in that structure. The application is capable of responding to queries for information about the domains for which it is the authority and also of forwarding queries about other domains to other name servers. This enables any DNS server to access information about any domain in the tree.


▪ Resolvers. A resolver is a client program that generates DNS queries and sends them to a DNS server for fulfillment. A resolver has direct access to at least one DNS server and can also process referrals to direct its queries to other servers when necessary.

In its most basic form, the DNS name resolution process consists of a resolver submitting a name resolution request to its designated DNS server. When the server does not possess information about the requested name, it forwards the request to another DNS server on the network. The second server generates a response containing the IP address of the requested name and returns it to the first server, which relays the information to the resolver, as shown in Figure 4-14. In practice, however, the DNS name resolution process can be considerably more complex, as you will learn in the following sections.


Figure 4-14. DNS servers relaying requests and replies to other DNS servers

DNS communications

Although all Internet applications use DNS to resolve host names into IP addresses, this name resolution process is easiest to see when you’re using a web browser to access an Internet site. When you type a URL containing a DNS name (for example, www.microsoft.com) into the browser’s Address box and press the Enter key, if you look quickly enough, you might be able to see a message that says something like “Finding Site: www.microsoft.com.” Then, a few seconds later, you might see a message that says “Connecting to,” followed by an IP address. It is during this interval that the DNS name resolution process occurs.

From the client’s perspective, the procedure that occurs during these few seconds consists of the application using the built-in DNS resolver to send a query message to its designated DNS server that contains the name to be resolved. The server then replies with a message containing the IP address corresponding to that name. Using the supplied address, the application can then transmit a message to the intended destination. It is only when you examine the DNS server’s role in the process that you see how complex the procedure really is.

To better explain the relationships among the DNS servers for various domains in the namespace, the following procedure diagrams the Internet name resolution process.

1. A user on a client system specifies the DNS name of an Internet server in an application such as a web browser. The application generates an application programming interface (API) call to the resolver on the client system and the resolver creates a DNS recursive query message containing the server name, which it transmits to the DNS server identified in the computer’s TCP/IP configuration, as shown in Figure 4-15.


Figure 4-15. The client resolver sending a name resolution request to its DNS server

2. The client’s DNS server, after receiving the query, checks its resource records to see if it is the authoritative source for the zone containing the requested server name. If it is not, which is typical, the DNS server generates an iterative query and submits it to one of the root name servers, as shown in Figure 4-16. The root name server examines the name requested by the client’s DNS server and consults its resource records to identify the authoritative servers for the name’s top-level domain. The root name server then transmits a reply to the client’s DNS server that contains a referral to the top-level domain server IP addresses.

Figure 4-16. The client’s DNS server forwarding the request to a root name server


3. The client’s DNS server, now in possession of the top-level domain server address for the requested name, generates a new iterative query and transmits it to the top-level domain server, as shown in Figure 4-17. The top-level domain server examines the second-level domain in the requested name and transmits a referral containing the addresses of authoritative servers for that second-level domain back to the client’s DNS server.


Figure 4-17. The client’s DNS server forwarding the request to a top-level domain server


COMBINING STEPS

In the DNS name resolution process just described, the process of resolving the top-level and second-level domain names is portrayed in separate steps. However, this is often not the case. The most commonly used top-level domains (such as com, net, and org) are actually hosted by the root name servers. This eliminates one referral from the name resolution process.

4. The client’s DNS server generates another iterative query and transmits it to the second-level domain server, as shown in Figure 4-18. If the second-level domain server is the authority for the zone containing the requested name, it consults its resource records to determine the IP address of the requested system and transmits it in a reply message back to that client’s DNS server.

Figure 4-18. The client’s DNS server forwarding the request to a second-level domain server


5. The client’s DNS server receives the reply from the authoritative server and transmits the IP address back to the resolver on the client system, as shown in Figure 4-19. The resolver relays the address to the application, which can then initiate IP communications with the system specified by the user.


Figure 4-19. The client’s DNS server responding to the client resolver

Depending on the name the client is trying to resolve, this process can be simpler or considerably more complex than the one shown here. On one hand, if the client’s DNS server is the authority for the domain in which the requested name is located, no other servers or iterative requests are necessary. On the other hand, if the requested name contains three or more levels of domains, additional iterative queries might be necessary.

This procedure also assumes a successful completion of the name resolution procedure. If any of the authoritative DNS servers queried returns an error message to the client’s DNS server stating, for example, that one of the domains in the name does not exist, then this error message is relayed back to the client and the name resolution process is said to have failed.
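You can watch steps 2 through 5 happen by sending the iterative queries yourself from a Windows client with the Resolve-DnsName cmdlet, which is what the client’s DNS server does on your behalf. The following script is an added example, not part of the book; it assumes Internet access and that 198.41.0.4 (a.root-servers.net) is reachable, and it also handles the cases the text mentions: a referral that skips a level, a name that does not exist, and an alias (CNAME) answer.

```powershell
# Added example: walk the DNS referral chain with iterative queries.
# Requires the DnsClient module (Windows 8.1 / Windows Server 2012 R2 and later).
# 198.41.0.4 is a.root-servers.net, one of the well-known root name servers.

function Trace-DnsReferral {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$StartServer = '198.41.0.4',
        [int]$MaxHops = 10
    )

    $server = $StartServer
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        # -NoRecursion clears the RD bit, so each server replies only with what it
        # has: an answer, or a referral (NS records in the Authority section plus
        # glue A records in the Additional section).
        try {
            $records = Resolve-DnsName -Name $Name -Type A -Server $server `
                -NoRecursion -DnsOnly -ErrorAction Stop
        }
        catch {
            # An authoritative "name does not exist" reply ends up here; the book
            # calls this a failed name resolution.
            Write-Warning "Hop ${hop}: query to $server failed: $($_.Exception.Message)"
            return $null
        }

        $answerA = @($records | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' })
        if ($answerA.Count -gt 0) {
            Write-Host ("Hop {0}: {1} answered authoritatively; {2} -> {3}" -f
                $hop, $server, $Name, ($answerA.IPAddress -join ', '))
            return $answerA
        }

        # A CNAME answer means the walk starts over at the root for the alias target.
        $cname = $records | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } |
            Select-Object -First 1
        if ($cname) {
            Write-Host ("Hop {0}: {1} says {2} is an alias for {3}; restarting at the root" -f
                $hop, $server, $Name, $cname.NameHost)
            $Name = $cname.NameHost
            $server = $StartServer
            continue
        }

        # Otherwise expect a referral. Use a glue A record when one is supplied;
        # if the NS names lie in another zone (no glue), resolve the first NS name
        # through the client's configured DNS server instead.
        $nsRecords = @($records | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' })
        if ($nsRecords.Count -eq 0) {
            Write-Warning "Hop ${hop}: $server returned neither an answer nor a referral"
            return $null
        }
        $nsNames = $nsRecords | ForEach-Object { $_.NameHost }
        $glue = $records | Where-Object {
            $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $nsNames -contains $_.Name
        } | Select-Object -First 1
        if ($glue) {
            $next = $glue.IPAddress
        }
        else {
            $next = (Resolve-DnsName -Name $nsNames[0] -Type A -DnsOnly -ErrorAction Stop |
                Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        }
        Write-Host ("Hop {0}: {1} referred us to the servers for '{2}' ({3}); next: {4}" -f
            $hop, $server, $nsRecords[0].Name, ($nsNames -join ', '), $next)
        $server = $next
    }

    Write-Warning "Gave up after $MaxHops hops"
    return $null
}

# Constructed usage; any public host name with an A record works here.
Trace-DnsReferral -Name 'www.microsoft.com' | Format-Table Name, IPAddress, TTL
```

The number of hops printed is the number of referrals the resolution took; a root server that hosts the top-level domain itself, as the Combining Steps note describes, shows up as one referral fewer.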

DNS server caching

The DNS name resolution process might seem long and complex, but in many cases it isn’t necessary for the client’s DNS server to send queries to the servers for each domain specified in the requested DNS name. This is because DNS servers are capable of retaining the information they learn about the DNS namespace in the course of their name resolution procedures and storing it in a cache on the local hard drive.

A DNS server that receives requests from clients, for example, caches the IP addresses of the requested systems and the addresses for authoritative servers of particular domains. The next time a client requests the resolution of a previously resolved name, the server can respond immediately with the cached information. In addition, if a client requests another name in one of the same domains, the server can send a query directly to an authoritative server for that domain rather than to a root name server. Thus, the names in commonly accessed domains generally resolve quickly because one of the servers along the line has information about the domain in its cache, whereas names in obscure domains take longer, because the entire request/referral process is needed.


Caching is a vital element of the DNS architecture because it reduces the number of requests sent to the root name and top-level domain servers, which, being at the top of the DNS tree, are the most likely to act as a bottleneck for the whole system. However, caches must be purged eventually, and there is a fine line between effective and ineffective caching.

Because DNS servers retain resource records in their caches, it can take hours or even days for changes made in an authoritative server to be propagated around the Internet. During this period, users might receive incorrect information in response to a query. If information remains in server caches too long, then the changes administrators make to the data in their DNS servers take too long to propagate around the Internet. If caches are purged too quickly, then the number of requests sent to the root name and top-level domain servers increases precipitously.


The amount of time that DNS data remains cached on a server is called its time to live (TTL). Unlike most data caches, the TTL is not specified by the administrator of the server where the cache is stored. Instead, the administrators of each authoritative DNS server specify how long the data for the resource records in their domains or zones should be retained in the servers where it is cached. This enables administrators to specify a TTL value based on the volatility of their server data. On a network where changes in IP addresses or the addition of new resource records is frequent, a lower TTL value increases the likelihood that clients will receive current data. On a network that rarely changes, a longer TTL value minimizes the number of requests sent to the parent servers of your domain or zone.

To modify the TTL value for a zone on a Windows Server 2012 R2 DNS server, right-click the zone, open the Properties sheet, and click the Start Of Authority (SOA) tab, as shown in Figure 4-20. On this tab, you can modify the TTL for this record setting from its default value of one hour.


Figure 4-20. Viewing the Start Of Authority (SOA) tab on a DNS server’s Properties sheet


Client-side resolver caching

The client resolver on Windows systems also contains a caching mechanism, which stores resolved IP addresses and also HOSTS file information on a local drive. When a client encounters a name that needs to be resolved into an IP address, it checks its local cache first, before sending a request to its DNS server.

DNS referrals and queries

The process by which one DNS server sends a name resolution request to another DNS server is called a referral. Referrals are essential to the DNS name resolution process.

As you noticed in the process described earlier, the DNS client’s primary involvement in the name resolution process is sending one query and receiving one reply. The client’s DNS server might have to send referrals to several servers before it reaches the one that has the information it needs.


DNS servers recognize two types of name resolution requests, as follows:

▪ Recursive query. In a recursive query, the DNS server receiving the name resolution request takes full responsibility for resolving the name. If the server possesses information about the requested name, it replies immediately to the requestor. If the server has no information about the name, it sends referrals to other DNS servers until it obtains the information it needs. TCP/IP client resolvers always send recursive queries to their designated DNS servers.

▪ Iterative query. In an iterative query, the server that receives the name resolution request immediately responds with the best information it possesses at the time. DNS servers use iterative queries when communicating with each other. In most cases, it would be improper to configure one DNS server to send a recursive query to another DNS server. The only time a DNS server sends recursive queries to another server is in the case of a special type of server called a forwarder, which is specifically configured to interact with other servers in this way.

DNS forwarders

One of the scenarios in which DNS servers send recursive queries to other servers is when you configure a server to function as a forwarder. On a network running several DNS servers, you might not want all the servers sending queries to other DNS servers on the Internet. If the network has a relatively slow connection to the Internet, for example, several servers transmitting repeated queries might use too much of the available bandwidth.

To prevent this, the Windows Server 2012 R2 DNS server enables you to configure one server to function as the forwarder for all Internet queries generated by the other servers on the network. Any time a server has to resolve the DNS name of an Internet system and fails to find the needed information in its cache, it transmits a recursive query to the forwarder, which is then responsible for sending its own iterative queries over the Internet connection. Once the forwarder resolves the name, it sends a reply back to the original DNS server, which relays it to the client.

To configure forwarders on a Windows Server 2012 R2 DNS server, right-click the server node, open the Properties sheet, and click the Forwarders tab, as shown in Figure 4-21. On this tab, you can add the names and addresses of the servers that you want your server to use as forwarders.


Figure 4-21. The Forwarders tab on a DNS server’s Properties sheet

The Windows Server 2012 R2 DNS server also supports conditional forwarding, which enables administrators to specify different server IP addresses for specific domain names. When the server receives a name resolution request, it checks the domain name in the request against its list of forwarders and passes the request to another server only if the domain appears in the list. By using this feature, organizations with multiple internal domains can resolve names throughout the enterprise without having to send requests to servers on the Internet.

Reverse name resolution

The name resolution process described earlier is designed to convert DNS names into IP addresses. However, there are occasions when it is necessary for a computer to convert an IP address into a DNS name. This is called a reverse name resolution.

Because the domain hierarchy is organized according to domain names, there is no apparent way to resolve an IP address into a name by using iterative queries, except by forwarding the reverse name resolution request to every DNS server on the Internet in search of the requested address, which is obviously impractical.

To overcome this problem, the developers of the DNS created a special domain called in-addr.arpa, specifically designed for reverse name resolution. The in-addr.arpa second-level domain contains four additional levels of subdomains. Each of the four levels consists of subdomains that are named using the numerals 0 to 255. For example, beneath in-addr.arpa, there are 256 third-level domains, which have names ranging from 0.in-addr.arpa to 255.in-addr.arpa. Each of those 256 third-level domains has 256 fourth-level domains beneath it, also numbered from 0 to 255, and each fourth-level domain has 256 fifth-level domains, as shown in Figure 4-22. Each of those fifth-level domains can have up to 256 hosts in it, also numbered from 0 to 255.


Figure 4-22. The DNS reverse lookup domain


By using this hierarchy of subdomains, it is possible to express the first three bytes of an IP address as a DNS domain name and to create a resource record named for the fourth byte in the appropriate fifth-level domain. For example, to resolve the IP address 192.168.89.34 into a name, a DNS server would locate a domain called 89.168.192.in-addr.arpa in the usual manner and read the contents of a resource record named 34 in that domain.

REVERSE LOOKUP ADDRESSES

In the in-addr.arpa domain, the IP address is reversed in the domain name because IP addresses have the least pertinent bit (that is, the host identifier) on the right, but DNS fully qualified domain names (FQDNs) have the host name on the left.


Deploying a DNS server

The process of deploying a DNS server on a Windows Server 2012 R2 computer is just a matter of installing the DNS Server role by using the Add Roles And Features Wizard in Server Manager. The actual installation requires no additional input; there are no additional pages in the wizard and no role services to select.

Once you install the DNS Server role, the computer is ready to perform caching-only name resolution services for any clients that have access to it. The role also installs the DNS Manager console, which you use to configure the DNS server’s other capabilities. To configure the server to perform other services, consult the following sections.


Creating zones

A zone is an administrative entity you create on a DNS server to represent a discrete portion of the DNS namespace. Administrators typically divide the DNS namespace into zones to store them on different servers and to delegate their administration to different people. Zones always consist of entire domains and/or subdomains. You can create a zone that contains multiple domains as long as those domains are contiguous in the DNS namespace. For example, you can create a zone containing a parent domain and its child, because they are directly connected, but you cannot create a zone containing two child domains without their common parent, because the two children are not directly connected, as shown in Figure 4-23.


Figure 4-23. Valid zones must consist of contiguous domains

You can divide the DNS namespace into multiple zones and host them on a single DNS server if you want, although there is usually no persuasive reason to do so. The DNS server in Windows Server 2012 R2 can support as many as 200,000 zones on a single server, although it is hard to imagine a scenario that would require that many. In most cases, an administrator creates multiple zones on a server and then delegates most of them to other servers, which then become responsible for hosting them.

Every zone consists of a zone database, which contains the resource records for the domains in that zone. The DNS server in Windows Server 2012 R2 supports three zone types, which specify where the server stores the zone database and what kind of information it contains. These zone types are as follows:

▪ Primary zone. Creates a primary zone that contains the master copy of the zone database, where administrators make all changes to the zone’s resource records. If the zone is not stored in Active Directory, the server creates a primary master zone database file on the local drive. This is a simple text file that is compliant with most non-Windows DNS server implementations.

▪ Secondary zone. Creates a duplicate of a primary zone on another server. The secondary zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server’s local drive. You can only update the resource records in a secondary zone by replicating the primary master zone database file, by using a process called a zone transfer.

▪ Stub zone. Creates a copy of a primary zone that contains the key resource records that identify the authoritative servers for the zone. The stub zone forwards or refers requests. When you create a stub zone, you configure it with the IP address of the server that hosts the zone from which you created the stub. When the server hosting the stub zone receives a query for a name in that zone, it either forwards the request to the host of the zone or replies with a referral to that host, depending on whether the query is recursive or iterative.

DNS was designed long before Active Directory, so most of the Internet relies on primary and secondary zones using text-based database files. The most common DNS server implementation on the Internet is a UNIX program called BIND that uses these databases.

However, for DNS servers supporting internal domains, especially AD DS domains, using the Windows DNS server to create a primary zone and store it in Active Directory is the recommended procedure. When you store the zone in the AD DS database, you do not have to create secondary zones or perform zone transfers, because AD DS takes the responsibility for replicating the data, and whatever backup solution you use to protect Active Directory also protects the DNS data.

EXAM TIP

Exam 70-410 covers only the process of creating a primary zone stored in Active Directory. The procedures for creating text-based primary and secondary zones and configuring zone transfers are covered on Exam 70-411, “Administering Windows Server 2012 R2,” in Objective 3.1, “Configure DNS zones.”

Using Active Directory–Integrated Zones

When you are running the DNS server service on a computer that is an Active Directory Domain Services domain controller and you store the zone in Active Directory while creating a zone in the New Zone Wizard, the server does not create a zone database file. Instead, the server stores the DNS resource records for the zone in the AD DS database. Storing the DNS database in Active Directory provides a number of advantages, including ease of administration, conservation of network bandwidth, and increased security.

In Active Directory–integrated zones, the zone data is replicated automatically to other domain controllers, along with all other Active Directory data. Active Directory uses a multiple master replication system so that copies of the database are updated on all domain controllers in the domain. You can modify the DNS resource records on any writable domain controller hosting a copy of the zone data, and Active Directory will automatically update all the other domain controllers. You don’t have to create secondary zones or manually configure zone transfers, because Active Directory performs all database replication activities.

By default, Windows Server 2012 R2 replicates the data for a primary zone stored in Active Directory to all the other domain controllers running the DNS server in the same AD DS domain where the zone is stored. You can also modify the scope of zone database replication to keep copies on all domain controllers throughout the enterprise or on all domain controllers in the AD DS domain, regardless of whether they are running the DNS server. You can also create a custom replication scope that copies the zone database to the domain controllers you specify.

Active Directory conserves network bandwidth by replicating only the DNS data that has changed since the last replication and by compressing the data before transmitting it over the network. The zone replications also use the full security capabilities of Active Directory, including encryption and Kerberos-based authentication, which are considerably more robust than those of file-based zone transfers. The protection provided by Active Directory is also automatic and invisible to the administrator, unlike the process of encrypting file-based zone transfers using IPsec.

Creating an Active Directory Zone

To create a new primary zone and store it in Active Directory, use the following procedure.

1. In Server Manager on a domain controller, click Tools, DNS to open the DNS Manager console.

2. Expand the server node and select the Forward Lookup Zones folder.

3. Right-click the Forward Lookup Zones folder and, from the shortcut menu, select New Zone. The New Zone Wizard starts.

4. Click Next to bypass the Welcome page and open the Zone Type page.

5. Leave the Primary Zone option and the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box selected and click Next. The Active Directory Zone Replication Scope page opens.

6. Click Next. The Zone Name page opens.

7. Specify the name you want to assign to the zone in the Zone Name text box and click Next. The Dynamic Update page opens.

8. Select one of the following options:

▪ Allow Only Secure Dynamic Updates


▪ Allow Both Nonsecure And Secure Dynamic Updates

▪ Do Not Allow Dynamic Updates

9. Click Next. The Completing the New Zone Wizard page opens.

10. Click Finish. The wizard creates the zone.

11. Close the DNS Manager console.

To create a primary zone in Active Directory with Windows PowerShell, you use the Add-DnsServerPrimaryZone cmdlet, as shown in the following example.

Add-DnsServerPrimaryZone -Name "zonename.adatum.com" -ReplicationScope "Domain" -PassThru


Once you have created a primary zone, you can proceed to create resource records that specify the names of the hosts on the network and their equivalent IP addresses.

Creating resource records

When you run your own DNS server, you create a resource record for each host name that you want to be accessible by the rest of the network.

There are several different types of resource records used by DNS servers, the most important of which are as follows:

▪ SOA (Start of Authority). Indicates that the server is the best authoritative source for data concerning the zone. Each zone must have an SOA record and only one SOA record can be in a zone.

▪ NS (Name Server). Identifies a DNS server functioning as an authority for the zone. Each DNS server in the zone (whether primary master or secondary) must be represented by an NS record.

▪ A (Address). Provides a name-to-address mapping that supplies an IPv4 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.

▪ AAAA (Address). Provides a name-to-address mapping that supplies an IPv6 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.

▪ PTR (Pointer). Provides an address-to-name mapping that supplies a DNS name for a specific address in the in-addr.arpa domain. This is the functional opposite of an A record, used for reverse lookups only.


▪ CNAME (Canonical Name). Creates an alias that points to the canonical name (that is, the “real” name) of a host identified by an A record. Administrators use CNAME records to provide alternative names by which systems can be identified.

▪ MX (Mail Exchanger). Identifies a system that will direct email traffic sent to an address in the domain to the individual recipient, a mail gateway, or another mail server.


EXAM TIP

Exam 70-410 covers only the process of creating A and PTR resource records. The procedures for creating other resource record types are covered on Exam 70-411, “Administering Windows Server 2012 R2,” in Objective 3.2, “Configure DNS records.”

To create a new Address resource record, use the following procedure.

1. Log on to Windows Server 2012 R2 using an account with Administrative privileges. The Server Manager window opens.

2. Click Tools, DNS to open the DNS Manager console.


3. Expand the server node and select the Forward Lookup Zones folder.

4. Right-click the zone in which you want to create the record and, from the shortcut menu, select New Host (A or AAAA). The New Host dialog box appears, as shown in Figure 4-24.


Figure 4-24. Configuring the New Host dialog box

5. In the Name text box, type the host name for the new record. The FQDN for the record appears.


6. In the IP Address text box, type the IPv4 or IPv6 address associated with the host name.

7. Select the following check boxes, if necessary:

▪ Create Associated Pointer (PTR) Record. Creates a reverse name lookup record for the host in the in-addr.arpa domain

▪ Allow Any Authenticated User To Update DNS Records With The Same Owner Name. Enables users to modify their own resource records

8. Click Add Host. The new resource record is created in the zone you selected.

9. Close the DNS Manager console.


To create a PTR record for a new host, you can select the Create Associated Pointer (PTR) Record check box in the New Host dialog box, but that will only be effective if a reverse lookup zone already exists on the server. To create the zone, follow the same procedure described earlier, this time selecting the Reverse Lookup Zones folder.

When you elect to create an IPv4 reverse lookup zone, a Reverse Lookup Zone Name page opens, like the one shown in Figure 4-25, in which you supply the Network ID that the wizard will use to create the zone.


Figure 4-25. Configuring the Reverse Lookup Zone Name page in the New Zone Wizard

Once the zone is created, you can either create PTR records along with A or AAAA records or create a new PTR record by using the New Resource Record dialog box.
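The whole sequence from the zone and resource record procedures above, including the in-addr.arpa naming described under Reverse name resolution, can be done with the DnsServer module; the script below is an added example and not the book’s own. It assumes it runs as an administrator on a domain controller holding the DNS Server role; the zone adatum.com, the network 192.168.89.0/24 and the host server1 at 192.168.89.34 are constructed, and ConvertTo-ReverseLookupName and Get-ReverseLookupZoneName are helper names chosen here.

```powershell
# Added example: AD-integrated forward zone, matching reverse zone, an A record
# with its PTR, and a check of both lookup directions.

function ConvertTo-ReverseLookupName {
    # in-addr.arpa name for an IPv4 address: octets reversed, host identifier
    # first (192.168.89.34 -> 34.89.168.192.in-addr.arpa).
    param([Parameter(Mandatory)][ipaddress]$IPAddress)
    if ($IPAddress.AddressFamily -ne 'InterNetwork') {
        throw "in-addr.arpa names are for IPv4 addresses only"
    }
    $octets = $IPAddress.GetAddressBytes()
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

function Get-ReverseLookupZoneName {
    # Zone name for a /8, /16 or /24 network: only the network octets, reversed
    # (192.168.89.0/24 -> 89.168.192.in-addr.arpa), i.e. the fifth-level domain.
    param([Parameter(Mandatory)][string]$NetworkId)
    $parts = $NetworkId -split '/'
    if ($parts.Count -ne 2 -or (8, 16, 24) -notcontains [int]$parts[1]) {
        throw "Expected a network in the form a.b.c.0/24 (or /16, /8); got '$NetworkId'"
    }
    $prefix = [int]$parts[1]
    $octets = $parts[0].Split('.')[0..($prefix / 8 - 1)]
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

$zone     = 'adatum.com'          # constructed
$network  = '192.168.89.0/24'     # constructed
$hostName = 'server1'             # constructed
$ip       = '192.168.89.34'       # constructed

# Forward lookup zone stored in AD DS, replicated to the DNS servers in this
# domain, accepting only secure dynamic updates (the wizard's first option).
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure -PassThru

# Reverse lookup zone: -NetworkId makes the cmdlet derive the in-addr.arpa
# name, exactly what the Reverse Lookup Zone Name wizard page does.
Add-DnsServerPrimaryZone -NetworkId $network -ReplicationScope Domain -DynamicUpdate Secure -PassThru
$reverseZone = Get-ReverseLookupZoneName -NetworkId $network   # 89.168.192.in-addr.arpa

# Host (A) record. -CreatePtr is the "Create Associated Pointer (PTR) Record"
# check box; it only takes effect because the reverse zone already exists.
Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostName -IPv4Address $ip -CreatePtr -PassThru

# The PTR lives in the reverse zone under the host octet, here "34".
Get-DnsServerResourceRecord -ZoneName $reverseZone -RRType PTR |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.PtrDomainName } }

# Query this server for both directions; the reverse query name is the one
# ConvertTo-ReverseLookupName computes.
Resolve-DnsName -Name "$hostName.$zone" -Type A -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name (ConvertTo-ReverseLookupName -IPAddress $ip) -Type PTR -Server 127.0.0.1 -DnsOnly
```

If the reverse zone is created after the A record, the PTR never appears; re-run Add-DnsServerResourceRecordA with -CreatePtr or add the pointer with Add-DnsServerResourceRecordPtr in that case.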


Configuring DNS server settings

Once you have installed a DNS server and created zones and resource records on it, there are many settings you can alter to modify its behavior. The following sections describe some of these settings.

Configuring Active Directory DNS Replication

To modify the replication scope for an Active Directory–integrated zone, open the zone’s Properties sheet in the DNS Manager console and, on the General tab, click Change for Replication: All DNS Servers In The Active Directory Domain to display the Change Zone Replication Scope dialog box, shown in Figure 4-26. The options are the same as those in the New Zone Wizard.


Figure 4-26. The Change Zone Replication Scope dialog box

Configuring Root Hints

Most DNS servers must be able to contact the root name servers to initiate name resolution processes. Most server implementations, including Microsoft DNS Server, are preconfigured with the names and addresses of multiple root name servers. These are called Root Hints.

The 13 root name server names are located in a domain called root-servers.net and are named using letters of the alphabet. The servers are scattered around the world on different subnets to provide fault tolerance.

To modify the Root Hints on a Windows Server 2012 R2 DNS server, right-click the server node, open the Properties sheet, and click the Root Hints tab, as shown in Figure 4-27. On this tab, you can add, edit, or remove Root Hints from the list provided.


Figure 4-27. The Root Hints tab on a DNS server’s Properties sheet


THOUGHT EXPERIMENT: CONTROLLING DNS TRAFFIC

In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Alice is an enterprise administrator for Wing-tip Toys, which has recently expanded its Cus-tomer Service division by adding 100 worksta-tions. All the workstations on the companynetwork are configured to use a server on theperimeter network as their primary DNS serv-er and a server on their ISP’s network as a sec-ondary server. As a result of the expansion, In-ternet performance has slowed noticeably anda Network Monitor trace indicates that there isa disproportionate amount of DNS traffic onthe link between the perimeter network andthe ISP’s network.

819/1537

With this in mind, answer the followingquestion.

What are two ways that Alice can reduce theamount of DNS traffic passing over the Inter-net connection?

Objective summary

▪ DHCP is a service that automatically configures the IP address and other TCP/IP settings on network computers by assigning addresses from a pool (called a scope) and reclaiming them when they are no longer in use.

▪ TCP/IP networks today use DNS servers to convert host names into IP addresses. This conversion process is referred to as name resolution.

▪ DNS consists of three elements: the DNS namespace, name servers, and resolvers.

▪ The hierarchical nature of the DNS namespace is designed to make it possible for any DNS server on the Internet to locate the authoritative source for any domain name by using a minimum number of queries.

▪ In a recursive query, the DNS server receiving the name resolution request takes full responsibility for resolving the name. In an iterative query, the server that receives the name resolution request immediately responds with the best information it possesses at the time.

▪ For Internet name resolution purposes, the only functions required of the DNS server are the ability to process incoming queries from resolvers and send its own queries to other DNS servers on the Internet.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following resource record types contains the information a DNS server needs to perform reverse name lookups?

a. A

b. CNAME

c. SOA

d. PTR

2. Which of the following would be the correct FQDN for a resource record in a reverse lookup zone if the computer's IP address is 10.75.143.88?

a. 88.143.75.10.in-addr.arpa

b. 10.75.143.88.in-addr.arpa

c. in-addr.arpa.88.143.75.10

d. arpa.in-addr.10.75.143.88

3. Which of the following is not one of the elements of DNS?

a. Resolvers

b. Relay agents

c. Name servers

d. Namespace

4. In which of the following DNS transactions does the querying system generate a recursive query?

a. A DNS client sends the server name www.adatum.com to its designated DNS server for resolution.

b. A client's DNS server sends a request to a root domain server to find the authoritative server for the com top-level domain.

c. A client's DNS server sends a request to the com top-level domain server to find the authoritative server for the adatum.com domain.

d. A client's DNS server sends a request to the adatum.com domain server to find the IP address associated with the server name www.

5. Which of the following contains the controls used to modify DNS name caching?

a. The Forwarders tab of a server's Properties sheet

b. The Start of Authority (SOA) tab of a zone's Properties sheet

c. The Root Hints tab of a server's Properties sheet

d. The New Zone Wizard

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 4.1: Thought experiment

Arthur can subnet the address he has been given by borrowing four host bits for the subnet identifier, which gives him 16 subnets with up to 14 usable host addresses on each. The computers will use a subnet mask of 255.255.255.240 and IP address ranges as follows:

172.16.8.1 - 172.16.8.14
172.16.8.17 - 172.16.8.30
172.16.8.33 - 172.16.8.46
172.16.8.49 - 172.16.8.62
172.16.8.65 - 172.16.8.78
172.16.8.81 - 172.16.8.94
172.16.8.97 - 172.16.8.110
172.16.8.113 - 172.16.8.126
172.16.8.129 - 172.16.8.142
172.16.8.145 - 172.16.8.158
172.16.8.161 - 172.16.8.174
172.16.8.177 - 172.16.8.190
172.16.8.193 - 172.16.8.206
172.16.8.209 - 172.16.8.222
172.16.8.225 - 172.16.8.238
172.16.8.241 - 172.16.8.254
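The table above is one instance of a general calculation: mask the address to the original network, then step through it in blocks of 2^(32 - new prefix) addresses, reserving the first address of each block for the network identifier and the last for broadcast. The following function is an added example, not part of the book, and generalizes the answer to any network and prefix pair; it needs nothing beyond Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the book): generate the subnet table for any
# network address, original prefix length and new prefix length.
function ConvertTo-Dotted {
    param([long]$Value)
    # Convert a 32-bit value held in a [long] back to dotted-decimal notation.
    $parts = @((($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
               (($Value -shr 8) -band 255), ($Value -band 255))
    return ($parts -join '.')
}

function Get-SubnetTable {
    param(
        [Parameter(Mandatory)][string]$Network,      # e.g. '172.16.8.0'
        [Parameter(Mandatory)][int]$OriginalPrefix,  # e.g. 24
        [Parameter(Mandatory)][int]$NewPrefix        # e.g. 28
    )
    if ($NewPrefix -le $OriginalPrefix -or $NewPrefix -gt 30) {
        throw 'The new prefix must be longer than the original and leave at least two host bits.'
    }
    $all32 = [long]4294967295   # 0xFFFFFFFF as a positive 64-bit value

    # Dotted-decimal to a 32-bit integer, then mask to the original network.
    $base = [long]0
    foreach ($octet in $Network.Split('.')) { $base = ($base -shl 8) -bor [long]$octet }
    $base = $base -band (($all32 -shl (32 - $OriginalPrefix)) -band $all32)

    $size  = [long]1 -shl (32 - $NewPrefix)               # addresses per subnet (16 for /28)
    $count = [long]1 -shl ($NewPrefix - $OriginalPrefix)  # number of subnets (16 for /24 -> /28)
    $mask  = ($all32 -shl (32 - $NewPrefix)) -band $all32

    for ($i = 0; $i -lt $count; $i++) {
        $netId = $base + ($i * $size)
        [pscustomobject]@{
            Subnet    = "$(ConvertTo-Dotted $netId)/$NewPrefix"
            Mask      = ConvertTo-Dotted $mask
            FirstHost = ConvertTo-Dotted ($netId + 1)            # network ID + 1
            LastHost  = ConvertTo-Dotted ($netId + $size - 2)    # broadcast - 1
            Broadcast = ConvertTo-Dotted ($netId + $size - 1)
            HostCount = $size - 2
        }
    }
}

# Reproduces the 16 ranges listed in the answer above.
Get-SubnetTable -Network '172.16.8.0' -OriginalPrefix 24 -NewPrefix 28 | Format-Table -AutoSize
```

Calling it with -NewPrefix 27 instead shows the alternative Arthur did not choose: 8 subnets of 30 hosts, with a mask of 255.255.255.224.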

Objective 4.1: Review

1. Correct answer: B

a. Incorrect: Subnetting is a technique for creating administrative divisions on a network; it does not transmit IPv6 traffic over an IPv4 network.

b. Correct: Tunneling is a method for encapsulating IPv6 traffic within IPv4 datagrams.

c. Incorrect: Supernetting is a method for combining consecutive subnets into a single entity.

d. Incorrect: Contracting is a method for shortening IPv6 addresses.

2. Correct answer: C

a. Incorrect: Link-local unicast addresses are self-assigned by IPv6 systems. They are therefore the equivalent of APIPA addresses on IPv4.

b. Incorrect: A global unicast address is the equivalent of a registered IPv4 address, routable worldwide and unique on the Internet.

c. Correct: Unique local unicast addresses are the IPv6 equivalent of the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 private network addresses in IPv4.

d. Incorrect: The function of an anycast address is to identify the routers within a given address scope and send traffic to the nearest router.

3. Correct answer: A

a. Correct: Teredo is a mechanism that enables devices behind non-IPv6 NAT routers to function as tunnel endpoints.

b. Incorrect: 6to4 incorporates the IPv4 connections in a network into the IPv6 infrastructure by defining a method for expressing IPv4 addresses in IPv6 format and encapsulating IPv6 traffic into IPv4 packets.

c. Incorrect: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic tunneling protocol used by the Windows workstation operating systems that emulates an IPv6 link using an IPv4 network.

d. Incorrect: APIPA is an automatic IPv4 address self-assignment process. It has nothing to do with tunneling.

4. Correct answer: A

a. Correct: For an address to be visible from the Internet, it must be a registered address, that is, one allocated from the public address space that the IANA and the regional Internet registries administer, rather than an address from the private ranges.

b. Incorrect: Binary is a system of numbering that can be used to express any IP address.

c. Incorrect: All address classes can be visible or invisible to the Internet.

d. Incorrect: Subnetted addresses can be visible or invisible to the Internet.

5. Correct answer: C

a. Incorrect: In binary form, the mask 255.224.0.0 is 11111111.11100000.00000000.00000000, which contains only 11 network identifier bits.

b. Incorrect: In binary form, the mask 255.240.0.0 is 11111111.11110000.00000000.00000000, which contains only 12 network identifier bits.

c. Correct: In binary form, the mask 255.255.224.0 is 11111111.11111111.11100000.00000000, which contains 19 network identifier bits.

d. Incorrect: In binary form, the mask 255.255.240.0 is 11111111.11111111.11110000.00000000, which contains 20 network identifier bits.

e. Incorrect: In binary form, the mask 255.255.255.240 is 11111111.11111111.11111111.11110000, which contains 28 network identifier bits.

Objective 4.2: Thought experiment

Roger can reduce the duration of the IP address leases in his scopes so that abandoned addresses will be available to clients more quickly.

Objective 4.2: Review

1. Correct answer: D

a. Incorrect: A forwarder is a DNS server that accepts recursive queries from other servers.

b. Incorrect: A resolver is a DNS client component.

c. Incorrect: A scope is a range of IP addresses that a DHCP server is configured to allocate.

d. Correct: A relay agent is a software module that receives DHCP broadcast messages and forwards them to a DHCP server on another subnet.

2. Correct answer: D

a. Incorrect: The DHCP address assignment process begins when the DHCP client generates DHCPDISCOVER messages and broadcasts them on the local network.

b. Incorrect: The client eventually stops broadcasting and signals its acceptance of one of the offered addresses by generating a DHCPREQUEST message.

c. Incorrect: When the server offering the accepted IP address receives the DHCPREQUEST message, it transmits a DHCPACK message to the client, acknowledging the completion of the process.

d. Correct: The DHCPINFORM message type is not used during an IP address assignment.

3. Correct answer: C

a. Incorrect: Dynamic allocation is when the DHCP server assigns an IP address to a client computer from a scope for a specified length of time.

b. Incorrect: Automatic allocation is when the DHCP server permanently assigns an IP address to a client computer from a scope.

c. Correct: Manual allocation is when the DHCP server permanently assigns a specific IP address to a specific computer on the network. In the Windows Server 2012 R2 DHCP server, manually allocated addresses are called reservations.

d. Incorrect: Hybrid is a DHCP infrastructure type, not a type of address allocation.

4. Correct answers: B, D

a. Incorrect: Windows 8.1 cannot function as a LAN router, and it therefore cannot function as a DHCP relay agent.

b. Correct: Most IP routers have DHCP relay agent capabilities built into them. If the routers connecting your subnets are so equipped, you can use them as relay agents, eliminating the need for a DHCP server on each subnet.

c. Incorrect: Switches are data-link layer devices and are designed to communicate with devices on the same subnet. A DHCP relay agent requires access to two subnets.

d. Correct: If your routers cannot function as DHCP relay agents, you can use the relay agent capability built into the Windows server operating systems. In Windows Server 2012 R2, the DHCP relay agent capability is built into the Remote Access role.

5. Correct answer: D

a. Incorrect: In most cases, all the computers on a network will use the same DNS server, so it is more convenient to deploy its address once by using a server option than to deploy it as a scope option on every scope.

b. Incorrect: The subnet mask is automatically included with every address lease and therefore does not have to be deployed as a scope option or a server option.

c. Incorrect: The lease duration option is automatically included with every address lease and therefore does not have to be deployed as a scope option or a server option.

d. Correct: The default gateway must be a router on the same subnet as the IP addresses the DHCP server is allocating. Therefore, the gateway address is different for every scope and must be deployed as a scope option.

Objective 4.3: Thought experiment

1. Alice can configure the DNS server on the perimeter network to use the ISP's DNS server as a forwarder. The perimeter server then sends a single recursive query per name to the forwarder and caches the answer, instead of issuing a chain of iterative queries to the root, top-level domain, and authoritative servers for every name not already in its cache.

2. Alice can configure the workstations to use the ISP's DNS server as their primary DNS server.

Objective 4.3: Review

1. Correct answer: D

a. Incorrect: An A resource record maps a host name to an IPv4 address and so contains information for forward name lookups, not reverse name lookups.

b. Incorrect: CNAME resource records contain alias information for A records. They are not used for reverse name lookups.

c. Incorrect: SOA records specify that a server is the authoritative source for a zone. They are not used for reverse name lookups.

d. Correct: PTR records contain the information needed for the server to perform reverse name lookups.

2. Correct answer: A

a. Correct: To resolve the IP address 10.75.143.88 into a name, a DNS server would locate a domain called 143.75.10.in-addr.arpa in the usual manner and read the contents of a resource record named 88 in that domain.

b. Incorrect: The least significant bits in the IP address (that is, 88) should come first in the FQDN.

c. Incorrect: The top-level domain used for reverse lookups is arpa. Therefore, arpa must be the last and most significant name in a reverse lookup FQDN.

d. Incorrect: The top-level domain used for reverse lookups is arpa. Therefore, arpa must be the last and most significant name in a reverse lookup FQDN.

3. Correct answer: B

a. Incorrect: Resolvers are client programs that generate DNS queries and send them to a DNS server for fulfillment.

b. Correct: Relay agents are router devices that enable DHCP clients to communicate with servers on other networks. They are part of DHCP, not DNS.

c. Incorrect: Name servers are applications running on server computers that maintain information about the domain tree structure.

d. Incorrect: DNS consists of a tree-structured namespace in which each branch of the tree identifies a domain.

4. Correct answer: A

a. Correct: When a client sends a name resolution query to its DNS server, it uses a recursive request so that the server will take on the responsibility for resolving the name.

b. Incorrect: A DNS server seeking the server for a top-level domain uses iterative, not recursive, queries.

c. Incorrect: A DNS server seeking the server for a second-level domain uses iterative, not recursive, queries.

d. Incorrect: A DNS server requesting a server name resolution from an authoritative server uses iterative, not recursive, queries.

5. Correct answer: B

a. Incorrect: The Forwarders tab is where you specify the addresses of servers that will receive your server's recursive queries.

b. Correct: The Start of Authority (SOA) tab of a zone's Properties sheet contains the Minimum (Default) TTL setting that controls DNS name caching for the zone.

c. Incorrect: The Root Hints tab is where you specify the addresses of the root name servers on the Internet.

d. Incorrect: The New Zone Wizard does not enable you to modify name caching settings.

Chapter 5. Installing and administering Active Directory

A directory service is a repository of information about the resources—hardware, software, and human—that are connected to a network. Users, computers, and applications throughout the network can access the repository for a variety of purposes, including user authentication, configuration data storage, and even simple white pages–style information lookups. Active Directory Domain Services (AD DS) is the directory service that Microsoft first introduced in Windows 2000 Server, and Microsoft has upgraded it in each successive server operating system release, including Windows Server 2012 R2.

This chapter covers some of the fundamental tasks that administrators perform to install and manage AD DS.

Objectives in this chapter

▪ Objective 5.1: Install domain controllers

▪ Objective 5.2: Create and manage Active Directory users and computers

▪ Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

Objective 5.1: Install domain controllers

AD DS is a directory service that enables administrators to create organizational divisions called domains. A domain is a logical container of network components, hosted by at least one server designated as a domain controller. The domain controllers for each domain replicate their data among themselves for fault tolerance and load balancing purposes.

NOTE

This objective covers how to:

▪ Add or remove a domain controller from a domain

▪ Upgrade a domain controller

▪ Install Active Directory Domain Services (AD DS) on a Server Core installation

▪ Deploy Active Directory infrastructure as a service (IaaS) in Windows Azure

▪ Install a domain controller from Install from Media (IFM)

▪ Resolve DNS SRV record registration issues

▪ Configure a global catalog server

Deploying Active Directory Domain Services

To create a new domain or to add a domain controller to an existing domain, you must install the Active Directory Domain Services role on a Windows Server 2012 R2 computer and then run the Active Directory Domain Services Configuration Wizard.

To use a Windows Server 2012 R2 computer as a domain controller, you should configure it to use static IP addresses, not addresses supplied by a Dynamic Host Configuration Protocol (DHCP) server. In addition, if you are creating a domain in an existing forest or adding a domain controller to an existing domain, you must configure the computer to use the Domain Name System (DNS) server that hosts the existing forest or domain, at least during the Active Directory promotion. The promotion locates the existing domain controllers through the SRV records registered in that zone, so a computer pointed at a DNS server that neither hosts the zone nor forwards to one that does cannot find a replication partner.

Installing the Active Directory Domain Services role

Although it does not actually convert the computer into a domain controller, installing the Active Directory Domain Services role prepares the computer for the conversion process.

To install the role, use the following procedure.

1. In Server Manager, from the Manage menu, select Add Roles And Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.

2. Click Next. The Select Installation Type page opens.

3. Leave the Role-Based Or Feature-Based Installation option selected and click Next to open the Select Destination Server page.

4. Select the server that you want to promote to a domain controller and click Next. The Select Server Roles page opens.

5. Select the Active Directory Domain Services role. The Add Features That Are Required For Active Directory Domain Services dialog box opens.

6. Click Add Features to accept the dependencies and then click Next. The Select Features page opens.

7. Click Next. The Active Directory Domain Services page opens, displaying information about the role.

8. Click Next. A Confirm Installation Selections page opens.

9. Select from the following optional functions, if desired:

▪ Restart The Destination Server Automatically If Desired. Causes the server to restart automatically when the installation is completed, if the selected roles and features require it.

▪ Export Configuration Settings. Creates an XML file documenting the selections made in the wizard, which you can use to install the same configuration on another server by using Windows PowerShell.

▪ Specify An Alternate Source Path. Specifies the location of an image file containing the software needed to install the selected roles and features.

10. Click Install, which displays the Installation Progress page. Once the role has been installed, a Promote This Server To A Domain Controller link appears.

11. Leave the wizard open.

DCPROMO.EXE

The Dcpromo.exe program from previous versions of Windows Server has been deprecated in favor of the Server Manager domain controller installation process documented in the following sections. However, it is still possible to automate AD DS installations by running Dcpromo.exe with an answer file. You can also use Windows PowerShell to install a domain controller.

Once you have installed the role, you can run the Active Directory Domain Services Configuration Wizard. The wizard procedure varies, depending on what the function of the new domain controller will be. The following sections describe the procedures for the most common types of domain controller installations.

Creating a new forest

When beginning a new AD DS installation, the first step is to create a new forest, which you do by creating the first domain in the forest, the forest root domain.

To create a new forest, use the following procedure.

1. On the Installation Progress page that appears at the end of the Active Directory Domain Services role installation procedure, click the Promote This Server To A Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Deployment Configuration page.

2. Select the Add A New Forest option, as shown in Figure 5-1, and, in the Root Domain Name text box, type the name of the domain you want to create.

Figure 5-1. The Deployment Configuration page of the Active Directory Domain Services Configuration Wizard

3. Click Next. The Domain Controller Options page opens, as shown in Figure 5-2.

Figure 5-2. The Domain Controller Options page of the Active Directory Domain Services Configuration Wizard

4. If you plan to add domain controllers running earlier versions of Windows Server to this forest, select the earliest Windows version you plan to install from the Forest Functional Level drop-down list.

5. If you plan to add domain controllers running earlier versions of Windows Server to this domain, select the earliest Windows version you plan to install from the Domain Functional Level drop-down list.

6. If you do not already have a DNS server on your network, leave the Domain Name System (DNS) Server check box selected. If you have a DNS server on the network, and the domain controller is configured to use that server for DNS services, then clear the check box.

DOMAIN CONTROLLER OPTIONS

The Global Catalog (GC) and Read Only Domain Controller (RODC) options are unavailable because the first domain controller in a new forest must be a Global Catalog server and it cannot be a read-only domain controller.

7. In the Password and Confirm Password text boxes, type the password you want to use for Directory Services Restore Mode (DSRM) and click Next. The DSRM password is the offline administrator credential for this domain controller, so record it in a secure store; it is not tied to any domain account. The DNS Options page opens, displaying a warning that a delegation for this DNS server cannot be created because the wizard cannot find an authoritative parent zone in which to create it. For a new forest root this warning is expected and can be ignored.

8. Click Next to open the Additional Options page, which displays the NetBIOS equivalent of the domain name you specified.

9. Modify the name, if desired, and click Next to open the Paths page.

10. Modify the default locations for the AD DS files, if desired, and click Next. The Review Options page opens.

11. Click Next to open the Prerequisites Check page, as shown in Figure 5-3.

Figure 5-3. The Prerequisites Check page of the Active Directory Domain Services Configuration Wizard

12. The wizard performs a number of environment tests to determine if the system can function as a domain controller. The results can appear as warnings, which enable the procedure to continue, or as errors, which require you to perform certain actions before the server can be promoted. Once the system has passed all the prerequisite checks, click Install. The wizard creates the new forest and configures the server to function as a domain controller.

13. Restart the computer.

With the forest root domain in place, you can create additional domain controllers in that domain or add new domains to the forest.

Adding a domain controller to an existing domain

Every Active Directory domain should have a minimum of two domain controllers.

To add a domain controller to an existing Windows Server 2012 R2 domain, use the following procedure.

1. On the Installation Progress page that appears at the end of the Active Directory Domain Services role installation procedure, click the Promote This Server To A Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Deployment Configuration page.

2. Select the Add A Domain Controller To An Existing Domain option and click Select.

3. If you are not logged on to an existing domain in the forest, a Credentials For Deployment Operation dialog box opens, in which you must supply administrative credentials for the domain to proceed. After you are authenticated, the Select A Domain From The Forest dialog box opens.

4. Select the domain to which you want to add a domain controller and click OK. The selected domain name appears in the Domain field.

5. Click Next. The Domain Controller Options page, shown in Figure 5-4, opens.

Figure 5-4. The Domain Controller Options page of the Active Directory Domain Services Configuration Wizard

6. If you want to install the DNS Server service on the computer, leave the Domain Name System (DNS) Server check box selected. Otherwise, the domain will be hosted on the DNS server the computer is configured to use.

7. Leave the Global Catalog (GC) check box selected if you want the computer to function as a global catalog server. This is essential if you will be deploying the new domain controller at a site that does not already have a GC server.

8. Select the Read Only Domain Controller (RODC) check box, if desired, to create a domain controller that holds a read-only copy of the database and does not accept changes; writes are referred to a writable domain controller. An RODC is intended for locations where the physical security of the server cannot be assured.

9. In the Site Name drop-down list, select the site where the domain controller will be located.

10. In the Password and Confirm Password text boxes, type the password you want to use for Directory Services Restore Mode (DSRM) and click Next to move to the Additional Options page, shown in Figure 5-5.

Figure 5-5. The Additional Options page of the Active Directory Domain Services Configuration Wizard

11. To use the Install From Media option, select the Install From Media check box.

12. In the Replicate From drop-down list, select the existing domain controller that the server should use as a data source. Then click Next to open the Paths page.

13. Modify the default locations for the AD DS files, if desired, and click Next. The Review Options page opens.

14. Click Next to move to the Prerequisites Check page.

15. Once the system has passed all the prerequisite checks, click Install. The wizard configures the server to function as a domain controller.

16. Restart the computer.

The domain controller is now configured to service the existing domain. AD DS replication between the two will begin automatically.

Creating a new child domain in a forest

Once you have a forest with at least one domain, you can add a child domain beneath any existing domain. The process of creating a new child domain is similar to that of creating a new forest, except that the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard requires you to specify the parent domain beneath which you want to create a child, as shown in Figure 5-6.

Figure 5-6. The Deployment Configuration page of the Active Directory Domain Services Configuration Wizard

TREE DOMAINS

The wizard also supplies the option to create a tree domain, which is a new domain that is not subordinate to an existing domain in the forest.

Installing AD DS on Server Core

In Windows Server 2012 R2, it is possible to install AD DS on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell.

In Windows Server 2008 and Windows Server 2008 R2, the accepted method for installing AD DS on a computer using the Server Core installation option is to create an answer file and load it from the command prompt by using the Dcpromo.exe program with the /unattend parameter.

In Windows Server 2012 R2, running Dcpromo.exe with no parameters no longer launches the Active Directory Domain Services Configuration Wizard, but administrators who have already invested considerable time in developing answer files for unattended domain controller installations can continue to execute them from the command prompt, although doing so produces this warning: "The dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell."

For AD DS installations on Server Core, Windows PowerShell is now the preferred method. As with the wizard-based installation, the Windows PowerShell procedure occurs in two phases: first, you must install the Active Directory Domain Services role; then, you must promote the server to a domain controller.

Installing the Active Directory Domain Services role by using Windows PowerShell is no different from installing any other role. In an elevated Windows PowerShell session, use the following command:

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Like other Windows PowerShell role installations, the Install-WindowsFeature cmdlet does not install the management tools for the role unless you include the -IncludeManagementTools parameter in the command.

Once you have installed the role, promoting the server to a domain controller is somewhat more complicated. The ADDSDeployment Windows PowerShell module includes separate cmdlets for the three deployment configurations covered in the previous sections:

▪ Install-ADDSForest

▪ Install-ADDSDomainController

▪ Install-ADDSDomain

Each of these cmdlets has many possible parameters to support the many configuration options you find in the Active Directory Domain Services Configuration Wizard. In its simplest form, the following command would install a domain controller for a new forest called adatum.com:

    Install-ADDSForest -DomainName "adatum.com"

The defaults for all of the cmdlet's other parameters are the same as those in the Active Directory Domain Services Configuration Wizard. Running the cmdlet with no parameters prompts you for the required values, such as the DSRM password. You can also display basic syntax information by using the Get-Help command, as shown in Figure 5-7.

Figure 5-7. Syntax for the Install-ADDSForest cmdlet in Windows PowerShell

Another way to perform a complex installation by using Windows PowerShell is to use a computer running Windows Server 2012 R2 with the full GUI option to generate a script. Begin by running the Active Directory Domain Services Configuration Wizard, configuring all the options with your desired settings. When you reach the Review Options page, click View Script to display the Windows PowerShell code for the appropriate cmdlet, as shown in Figure 5-8.

Figure 5-8. An installation script generated by the Active Directory Domain Services Configuration Wizard

This feature works as it does because Server Manager is actually based on Windows PowerShell, so the script contains the cmdlets and parameters that are running when the wizard performs an installation. You can also use this scripting capability with the Install-ADDSDomainController cmdlet to deploy multiple domain controllers for the same domain.
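The following script, an added example that is not code from the book, ties the pieces of this objective together for a Server Core deployment: the static address and DNS prerequisite, the role installation, and a promotion with one of the three ADDSDeployment cmdlets, selected by a parameter. The forest name adatum.com, the child domain sales, the site Boston, the existing domain controller dc01, the 10.0.0.0/24 addressing, and the interface alias Ethernet are assumptions for illustration; the cmdlet and parameter names are the real ones from the ADDSDeployment, NetTCPIP, DnsClient and ServerManager modules.

```powershell
# Added example (not from the book): end-to-end domain controller deployment
# from an elevated PowerShell session on Windows Server 2012 R2 (full or
# Server Core). adatum.com, sales, Boston, dc01, 10.0.0.0/24 and the
# interface alias 'Ethernet' are assumed values for illustration.
param(
    [ValidateSet('NewForest', 'AddToDomain', 'ChildDomain')]
    [string]$Deployment = 'NewForest'
)

# Prerequisite from this objective: a domain controller needs a static
# address, and a server joining an existing forest must point at a DNS
# server that hosts that forest's zone, at least during promotion.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.11' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'

# Phase 1: role binaries plus management tools (the ADDSDeployment module
# among them). This does not yet make the server a domain controller.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Every promotion path needs a DSRM password; read it rather than embedding it.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# Phase 2: promote, using the cmdlet that matches the wizard's
# Deployment Configuration page.
switch ($Deployment) {
    'NewForest' {
        # Same defaults as the wizard: first DC is a GC, cannot be an RODC.
        $p = @{
            DomainName                    = 'adatum.com'
            DomainNetbiosName             = 'ADATUM'
            ForestMode                    = 'Win2012R2'   # lower this if older DCs will join
            DomainMode                    = 'Win2012R2'
            InstallDns                    = $true
            CreateDnsDelegation           = $false        # no parent zone exists for a new forest
            DatabasePath                  = 'C:\Windows\NTDS'
            LogPath                       = 'C:\Windows\NTDS'
            SysvolPath                    = 'C:\Windows\SYSVOL'
            SafeModeAdministratorPassword = $dsrm
            NoRebootOnCompletion          = $true
            Force                         = $true         # suppress confirmation prompts
        }
        # Run the same prerequisite checks the wizard shows before committing.
        $check = $p.Clone(); $check.Remove('NoRebootOnCompletion')
        Test-ADDSForestInstallation @check | Format-List
        Install-ADDSForest @p
    }
    'AddToDomain' {
        $cred = Get-Credential -Message 'Domain Admins credentials for adatum.com'
        Install-ADDSDomainController -DomainName 'adatum.com' -Credential $cred `
            -SiteName 'Boston' -InstallDns -NoGlobalCatalog:$false `
            -ReplicationSourceDC 'dc01.adatum.com' `
            -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force
    }
    'ChildDomain' {
        $cred = Get-Credential -Message 'Enterprise Admins credentials for adatum.com'
        Install-ADDSDomain -NewDomainName 'sales' -ParentDomainName 'adatum.com' `
            -DomainType ChildDomain -NewDomainNetbiosName 'SALES' -Credential $cred `
            -InstallDns -CreateDnsDelegation -DomainMode 'Win2012R2' `
            -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force
    }
}

# -NoRebootOnCompletion leaves the reboot to you, so you can read
# C:\Windows\debug\dcpromo.log before the restart completes the promotion.
Restart-Computer -Confirm
```

Save the script and run it as `.\Deploy-DC.ps1 -Deployment AddToDomain` (or one of the other two values). The splatted hashtable in the NewForest branch is the same shape as the script the wizard's View Script button produces, so output from the GUI can be pasted in and adjusted here.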

Using Install from Media (IFM)

Earlier in this objective, in the procedure forinstalling a replica domain controller, the Ad-ditional Options page of the Active DirectoryDomain Services Configuration Wizard in-cluded an Install From Media check box. Thisis an option that enables administrators tostreamline the process of deploying replica do-main controllers to remote sites.

Usually, installing a domain controller to anexisting domain creates the AD DS databasestructure, but there is no data in it until theserver is able to receive replication traffic fromthe other domain controllers. When the do-main controllers for a particular domain are

879/1537

well connected, such as by LAN, replicationoccurs almost immediately after the new do-main controller is installed, and is entirelyautomatic.

When installing a domain controller at a re-mote location, however, the connection to theother domain controllers is most likely a WANlink, which is typically slower and more ex-pensive than a LAN connection. In this case,the initial replication with the other domaincontrollers can be much more of a problem.The slow speed of the WAN link might causethe replication to take a long time, and itmight also flood the connection, delaying reg-ular traffic. If the domain controllers are loc-ated in different AD DS sites without an ap-propriate site link, no replication will occuruntil an administrator creates and configuresthe required links.

880/1537

REPLICATION

The first replication that occurs afterthe installation of a new domain con-troller is the only one that requires theservers to exchange a complete copy ofthe AD DS database. In subsequentreplications, the domain controllersonly exchange information about theobjects and attributes that havechanged since the last replication.

By using a command-line tool calledNtdsutil.exe, administrators can avoid theseproblems by creating domain controller in-stallation media that includes a copy of the ADDS database. By using this media when in-stalling a remote domain controller, the datais installed along with the database structureand a full replication is not necessary.

To create IFM media, you must run the Ntdsutil.exe program on a domain controller running the same version of Windows that you intend to deploy. The program is interactive, requiring you to enter a sequence of commands like the following:

▪ Ntdsutil. Launches the program

▪ Activate instance ntds. Focuses the program on the installed AD DS instance

▪ Ifm. Switches the program into IFM mode

▪ Create Full|RODC <pathname>. Creates media for either a full read/write domain controller or a read-only domain controller and saves it to the folder specified by the path name variable

NTDSUTIL.EXE PARAMETERS

The Ntdsutil.exe create command also supports parameters that include the contents of the SYSVOL volume with the AD DS data. The Windows Server 2012 R2 version of the program adds a nodefrag parameter that speeds up the media creation process by skipping the defragmentation.

When you execute these commands, the Ntdsutil.exe program creates a snapshot of the AD DS database, mounts it as a volume to defragment it, and then saves it to the specified folder along with a copy of the Windows Registry, as shown in Figure 5-9.

Figure 5-9. An Ntdsutil.exe command sequence

Once you have created the IFM media, you can transport it to the servers you intend to deploy as domain controllers by using any convenient means. To use the media, you run the Active Directory Domain Services Configuration Wizard in the usual way, select the Install From Media check box, and specify the path to the folder. Treat the media as sensitive: a full-DC image contains every object in the domain, including password hashes, so protect it in transit and destroy it after use (RODC media has the secrets stripped, which is why it must be created with the RODC option). The wizard also rejects media older than the forest's tombstone lifetime, so create it shortly before the deployment rather than keeping a standing copy.

Upgrading Active Directory Domain Services

Introducing Windows Server 2012 R2 into an existing AD DS installation is easier than it has ever been in previous versions of the operating system.

There are two ways to upgrade an AD DS infrastructure. You can upgrade the existing down-level domain controllers to Windows Server 2012 R2 in place, or you can add a new Windows Server 2012 R2 domain controller to your existing environment and then retire the older ones.

There are few in-place upgrade paths to Windows Server 2012 R2. You can upgrade a domain controller running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 to Windows Server 2012 R2, but no earlier versions are upgradable.

In the past, if you wanted to add a new domain controller to an existing AD DS installation based on previous Windows versions, you had to run a program called Adprep.exe to upgrade the domains and forest. Depending on the complexity of the installation, this could involve logging on to various domain controllers using different credentials, locating different versions of Adprep.exe, and running the program several times, using the /domainprep parameter for each domain and the /forestprep parameter for the forest.

In Windows Server 2012 R2, the Adprep.exe functionality has been fully incorporated into Server Manager in the Active Directory Domain Services Configuration Wizard. When you install a new Windows Server 2012 R2 domain controller, you only have to supply appropriate credentials; the wizard detects that the schema and domains are down-level and takes care of the rest. Adprep.exe is still shipped in the \support\adprep folder of the installation media for administrators who prefer to extend the schema ahead of time, as a separate and separately tested change, rather than as a side effect of the first promotion.

GROUP MEMBERSHIPS

To install the first Windows Server 2012 R2 domain controller onto a down-level AD DS installation, you must supply credentials for a user who is a member of the Enterprise Admins and Schema Admins groups and a member of the Domain Admins group in the domain that hosts the schema master.
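A pre-flight check for that first promotion, added here as an example and not part of the book: it reads the forest's schema version, confirms the caller holds the three memberships the note requires, and then runs the promotion, after which the schema version should have moved to the Windows Server 2012 R2 value. The objectVersion numbers are the published schema versions; the credential prompt and the assumption that the schema master sits in the forest root are mine.

```powershell
# Added example (not the book's code): verify a down-level forest is
# ready for its first Windows Server 2012 R2 domain controller, then
# promote one. Run on the member server that is about to be promoted.
Import-Module ActiveDirectory

function Get-AdSchemaVersion {
    # objectVersion on the schema naming context identifies the schema
    # level; these are the documented values for each release.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $v = [int](Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
    $names = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'
                56 = 'Windows Server 2012'; 69 = 'Windows Server 2012 R2' }
    [pscustomobject]@{ Version = $v; Name = $names[$v] }
}

$before = Get-AdSchemaVersion
"Schema version before promotion: $($before.Version) ($($before.Name))"

# The account doing the promotion needs Enterprise Admins, Schema Admins
# and Domain Admins in the domain hosting the schema master (assumed here
# to be the forest root). MemberOf shows direct memberships only, so a
# user who qualifies through nested groups is reported as missing.
$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$me         = Get-ADUser -Identity $env:USERNAME -Properties MemberOf
$required   = @('Enterprise Admins', 'Schema Admins', 'Domain Admins') |
              ForEach-Object { "CN=$_,CN=Users,$($rootDomain.DistinguishedName)" }
$missing = $required | Where-Object { $me.MemberOf -notcontains $_ }
if ($missing) { throw "Current user is not a direct member of: $($missing -join '; ')" }

# The wizard's adprep steps are performed against the schema master and
# the infrastructure master of each domain, so both must be reachable.
"Schema master: $($forest.SchemaMaster)"
"Infrastructure master: $($rootDomain.InfrastructureMaster)"

# Promote. With a down-level schema the cmdlet runs the forestprep and
# domainprep work itself, exactly as the wizard does.
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName $forest.RootDomain `
    -Credential (Get-Credential "$($rootDomain.NetBIOSName)\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# After the reboot, Get-AdSchemaVersion should report 69 (Windows Server 2012 R2).
```

Running Get-AdSchemaVersion before and after is also the quickest way to tell whether someone has already extended the schema with the stand-alone Adprep.exe, in which case the promotion makes no schema changes at all.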

Deploying Active Directory IaaS on Windows Azure

In addition to running Windows Server 2012 R2 on physical computers and locally hosted virtual machines, Microsoft's Windows Azure service enables administrators to create virtual machines using leased cloud resources provided by Microsoft. This capability, called Infrastructure as a Service (IaaS), enables administrators to run applications in the cloud while maintaining full control over the virtual machines themselves.

Windows Azure resources can be self-contained in the cloud, and administrators can create a virtualized AD DS forest to organize and manage them. It is also possible to configure Windows Azure resources as an extension of the existing physical and virtual resources hosted on a private network. For example, after creating a virtual network in the Windows Azure cloud and connecting it to your private network with a site-to-site link using a virtual private networking (VPN) device, you can create a Windows Server 2012 R2 virtual machine in the cloud and configure it as a domain controller for an existing domain.

The process of installing AD DS on a Windows Azure virtual machine and promoting it to a domain controller is no different from that of a private network server. You use the Add Roles And Features Wizard to install the AD DS role and then use the Active Directory Domain Services Configuration Wizard to configure the domain controller. The complicated part of the process is the configuration of the virtual network infrastructure to allow communication between the cloud network and your physical network. The VPN tunnel is a WAN link like any other, so give the cloud domain controllers their own AD DS site and a site link whose cost and schedule reflect the tunnel; otherwise clients on either side may choose a domain controller on the far end of it.

Windows Azure is an ideal platform for AD DS domain controller replicas because it provides IP address consistency in a new way. Windows Azure virtual machines must obtain IP addresses from DHCP servers; you cannot assign static IP addresses to them. Unlike standard DHCP address leases, which can expire and cause the address to change, a cloud VM retains its IP address lease for as long as it remains allocated. Deallocating the VM (stopping it from the Azure portal rather than shutting it down from inside the guest) releases the lease, so avoid doing that to a VM that hosts a domain controller.

AD DS AND WINDOWS AZURE AD

You can install Active Directory Domain Services on any Windows Azure VM running Windows Server. AD DS is part of the operating system and requires no special resources other than those needed to provision the virtual machine, such as sufficient disk space for the AD DS database. Place the database and SYSVOL on an attached data disk with host caching disabled, rather than on the operating system disk, so that writes the directory believes are committed are not sitting in a write-back cache. However, there is also a cloud service called Windows Azure Active Directory (Windows Azure AD) that can provide identity and access management within the cloud. Although the two can interact, Windows Azure AD is not the same as the AD DS service supplied with Windows Server 2012 R2.

Removing a domain controller

With the deprecation of Dcpromo.exe, the process of demoting a domain controller has changed and is not immediately intuitive.

To remove a domain controller from an AD DS installation, you must begin by running the Remove Roles And Features Wizard, as shown in the following procedure.

1. In Server Manager, launch the Remove Roles And Features Wizard and remove the Active Directory Domain Services role and its accompanying features. A Validation Results dialog box opens, as shown in Figure 5-10.

Figure 5-10. The Validation Results dialog box of the Remove Roles And Features Wizard

2. Click the Demote This Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Credentials page.

3. Select the Force The Removal Of This Domain Controller check box and click Next to open the New Administrator Password page. Force the removal only when the server can no longer contact the other domain controllers: a forced demotion skips the final outbound replication and leaves the server's NTDS Settings and server objects in the directory, which you must then clean up from another domain controller. If the server is still well connected, leave the check box cleared and the wizard performs a graceful demotion that removes its own metadata.

4. In the Password and Confirm Password text boxes, type the password you want the server to use for the local Administrator account after the demotion. Then click Next. The Review Options page opens.

5. Click Demote. The wizard demotes the domain controller and restarts the system.

6. Log on using the local Administrator password you specified earlier.

7. Launch the Remove Roles And Features Wizard again and repeat the process of removing the Active Directory Domain Services role and its accompanying features.

8. Close the wizard and restart the server.

USING WINDOWS POWERSHELL

To demote a domain controller by using Windows PowerShell, use the following command. The -LocalAdministratorPassword parameter expects a SecureString rather than plain text:

Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword (ConvertTo-SecureString '<password>' -AsPlainText -Force) -Force
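An added example, not taken from the book, of the same demotion done with the pre-flight test that the ADDSDeployment module provides, followed by the cleanup check a forced removal makes necessary. The domain controller name DC3 and the password prompts are assumptions.

```powershell
# Added example (not the book's code): demote a domain controller with
# PowerShell, test first, and afterwards verify from a surviving DC that
# no stale metadata was left behind. Assumed DC name: DC3.
Import-Module ADDSDeployment

$localAdminPwd = Read-Host -AsSecureString 'New local Administrator password'

# Pre-flight: reports the things that would make the demotion unsafe
# (last DC in the domain, operations master roles held, last DNS server
# or global catalog for a site) without changing anything.
$check = Test-ADDSDomainControllerUninstallation `
             -LocalAdministratorPassword $localAdminPwd
$check.Message

# Graceful demotion: outbound changes are replicated and the server
# removes its own metadata. -DemoteOperationMasterRole lets it give up
# any FSMO roles it still holds instead of failing. Add -ForceRemoval
# only when the DC can no longer reach the rest of the domain.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword $localAdminPwd `
    -DemoteOperationMasterRole `
    -Force

# --- After the reboot, run from another domain controller ---
Import-Module ActiveDirectory
$dcName   = 'DC3'
$configNc = (Get-ADRootDSE).configurationNamingContext

# A forced removal leaves the NTDS Settings object behind, and the other
# DCs keep trying to replicate with a partner that no longer exists.
$ntds = Get-ADObject -Filter { objectClass -eq 'nTDSDSA' } -SearchBase $configNc |
        Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$dcName,*" }
if ($ntds) {
    # Deleting the NTDS Settings object is what Active Directory Sites And
    # Services does when you delete the server; the DC performs the
    # metadata cleanup that "ntdsutil metadata cleanup" used to require.
    Remove-ADObject -Identity $ntds.DistinguishedName -Recursive -Confirm:$false
}

# Both of these should now return nothing for the removed server.
Get-ADDomainController -Filter { Name -eq $dcName }
Get-ADObject -Filter { objectClass -eq 'server' -and Name -eq $dcName } -SearchBase $configNc
```

If the computer object for the demoted server remains in the Domain Controllers OU after a forced removal, delete it there as well; a graceful demotion removes it for you.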

Configuring the global catalog

The global catalog is an index of all the AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers. The importance of the global catalog varies depending on the size of your network and its site configuration.

For example, if your network consists of a single domain, with domain controllers that are all located at one site and are well connected, the global catalog serves little purpose other than universal group searches. You can make all your domain controllers global catalog servers if you wish. The searches will be load balanced and the replication traffic will likely not overwhelm the network.

However, if your network consists of multiple domains, with domain controllers located at multiple sites connected by WAN links, then the global catalog configuration is critical. If possible, you do not want users performing AD DS searches that must reach across slow, expensive WAN links to contact domain controllers at other sites. Placing a global catalog server at each site is recommended in this case. The initial replication might generate a lot of traffic, but the savings in the long run should be significant.

When you promote a server to a domain controller, you have the option of making the domain controller a global catalog server. If you decline to do so at that time, you can make any domain controller a global catalog server by using the following procedure.

1. In Server Manager, on the Tools menu, select Active Directory Sites And Services. The Active Directory Sites And Services console opens.

2. Expand the site where the domain controller you want to function as a global catalog server is located. Then expand the Servers folder and select the server you want to configure.

3. Right-click the NTDS Settings node for the server and, from the shortcut menu, select Properties to open the NTDS Settings Properties sheet.

4. Select the Global Catalog check box and click OK.

5. Close the Active Directory Sites And Services console.
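The same change from PowerShell, added here as an example and not part of the book. The Global Catalog check box sets one bit in the options attribute of the server's NTDS Settings object; the script sets that bit, then waits for the partial replicas to finish building, because a domain controller does not advertise itself as a global catalog until they have. The DC name DC2 is an assumption.

```powershell
# Added example (not the book's code): enable the global catalog on a
# domain controller and wait until it is actually serving GC lookups.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName)

    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $IS_GC = 1   # NTDSDSA_OPT_IS_GC; the other bits hold replication settings, so keep them
    $current = [int]$ntds.options
    if ($current -band $IS_GC) {
        "$DcName is already a global catalog"
        return
    }
    Set-ADObject -Identity $ntds -Replace @{ options = ($current -bor $IS_GC) }
    "Global catalog enabled on $DcName; partial replica build started"
}

Enable-GlobalCatalog -DcName 'DC2'

# The DC only registers its _gc SRV records and answers on port 3268 once
# the read-only partitions of every other domain have replicated in.
# Over a WAN this is the "initial replication" cost the text mentions.
# Poll the promotion flag the DC sets when that is done.
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 30
    $advertised = (Get-ADDomainController -Identity 'DC2').IsGlobalCatalog
    $complete   = Invoke-Command -ComputerName 'DC2' {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'Global Catalog Promotion Complete'
    }
} until (($advertised -and $complete -eq 1) -or (Get-Date) -gt $deadline)
if ($complete -ne 1) { throw 'GC promotion did not complete within 2 hours; check replication' }

# Per-site view of GC placement, for the WAN-placement decision above.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Sort-Object Site, Name |
    Format-Table -AutoSize
```

Clearing the bit again (options -band -bnot 1) removes the global catalog from that server; the final table is the quick way to confirm that every site still has at least one.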

Troubleshooting DNS SRV registration failure

DNS is essential to the operation of Active Directory Domain Services. To accommodate directory services such as AD DS, a special DNS resource record, the service locator (SRV) record, was created that enables clients to locate domain controllers and other vital AD DS services.

When you create a new domain controller, one of the most important parts of the process is the registration of the server in the DNS. This automatic registration is the reason an AD DS forest must have access to a DNS server that supports the Dynamic Updates standard defined in Request for Comments (RFC) 2136.

If the DNS registration process fails, then computers on the network will not be able to locate that domain controller, the consequences of which can be serious. Computers will be unable to use that domain controller to join the domain, existing domain members might be unable to log on, and other domain controllers will be unable to replicate with it.

DNS problems are, in most cases, due to general networking faults or DNS client configuration error. The first steps you should take are to try pinging the DNS server and to make sure that the TCP/IP client configuration has the correct addresses for the DNS servers it should be using. If the zone accepts secure dynamic updates only, the domain controller must also be able to authenticate to the DNS server with its computer account, which depends on working time synchronization and Kerberos.

To confirm that a domain controller has been registered in the DNS, open a command prompt window with Administrative privileges and enter the following command:

dcdiag /test:registerindns /dnsdomain:<domain name> /v

After correcting the configuration, you can make the Netlogon service re-register the domain controller's records immediately, rather than waiting for its next periodic attempt, with the command nltest /dsregdns.
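The checks described above, in the order a practitioner would run them, as an added PowerShell example that is not part of the book. It is meant to be run on the domain controller whose registration is suspect; the domain name is an assumption and the list of locator records is the standard set every domain controller registers.

```powershell
# Added example (not the book's code): walk the DNS SRV registration
# checks from the text, from the DC itself. Assumed domain: adatum.com.
$domain = 'adatum.com'
$dcName = $env:COMPUTERNAME

# 1. Which DNS servers is this DC's client configured to use? A DC that
#    points at an ISP resolver, or only at itself before the DNS role is
#    installed, cannot register anything.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
              Select-Object -Unique
"Configured DNS servers: $($dnsServers -join ', ')"

# 2. Are they reachable on port 53, and do they actually host the zone?
#    (An SOA answer from the server itself, not a forwarded one, is the
#    sign that it holds the zone and can accept the update.)
foreach ($srv in $dnsServers) {
    $open = Test-NetConnection -ComputerName $srv -Port 53 -InformationLevel Quiet
    $soa  = try { Resolve-DnsName -Name $domain -Type SOA -Server $srv -ErrorAction Stop }
            catch { $null }
    '{0,-16} port53={1,-5} answersForZone={2}' -f $srv, $open, [bool]$soa
}

# 3. Are the locator records present, and does any of them point here?
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$domain",      # used by DC locator on every client
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_gc._tcp.$domain"                   # present only for global catalog servers
)
foreach ($name in $srvRecords) {
    $answers = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue)
    $mine    = $answers | Where-Object { $_.NameTarget -like "$dcName.*" }
    '{0,-40} total={1,-3} thisDC={2}' -f $name, $answers.Count, [bool]$mine
}

# 4. Does the zone accept dynamic updates at all? Only works where the
#    DNS Server role (and its module) is installed on this machine.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
    "Zone $domain dynamic update setting: $($zone.DynamicUpdate)"   # want Secure or NonsecureAndSecure
}

# 5. Force a fresh registration attempt, then run the test from the text.
nltest /dsregdns
dcdiag /test:registerindns /dnsdomain:$domain /v
```

A zero count in step 3 for the _msdcs names with a healthy step 2 usually means the zone rejects the update (step 4), or the DC's computer account cannot authenticate to the DNS server for a secure update; a non-zero count with thisDC=False means other domain controllers registered fine and the problem is local to this one.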

THOUGHT EXPERIMENT: DESIGNING AN ACTIVE DIRECTORY INFRASTRUCTURE

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Robert is designing a new Active Directory Domain Services infrastructure for a company called Litware, Inc., which has its headquarters in New York and two additional offices in London and Tokyo. The London office consists only of sales and marketing staff; it does not have its own IT department. The Tokyo office is larger, with representatives from all the company departments, including a full IT staff. The Tokyo office is connected to the headquarters using a 64-Kbps demand-dial link, and the London office has a 512-Kbps frame relay connection. The company has registered the litware.com domain name, and Robert has created a subdomain called inside.litware.com for use by Active Directory.

Based on this information, design an Active Directory infrastructure for Litware, Inc. that is as economical as possible, specifying how many domains to create, what to name them, how many domain controllers to install, and where to install them. Explain each of your decisions.

Objective summary

▪ A directory service is a repository of information about the resources—hardware, software, and human—that are connected to a network. Active Directory is the directory service that Microsoft first introduced in Windows 2000 Server, which has been upgraded in each successive server operating system release, including Windows Server 2012 R2.

▪ When you create your first domain on an Active Directory network, you are in essence creating the root of a domain tree. You can populate the tree with additional domains, as long as they are part of the same contiguous namespace.

▪ When beginning a new AD DS installation, the first step is to create a new forest, which you do by creating the first domain in the forest, the forest root domain.

▪ In Windows Server 2012 R2, it is now possible to install AD DS on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell.

▪ IFM is a feature that enables administrators to streamline the process of deploying replica domain controllers to remote sites.

▪ There are two ways to upgrade an AD DS infrastructure. You can upgrade the existing down-level domain controllers to Windows Server 2012 R2 or you can add a new Windows Server 2012 R2 domain controller to your existing installation.

▪ The global catalog is an index of all the AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers.

▪ DNS is essential to the operation of AD DS. To accommodate directory services such as AD DS, a special DNS resource record was created that enables clients to locate domain controllers and other vital AD DS services.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following cannot contain multiple Active Directory domains?

a. Organizational units

b. Sites

c. Trees

d. Forests

2. What are the two basic classes of Active Directory objects?

a. Resource

b. Leaf

c. Domain

d. Container

3. Which of the following is not true about an object's attributes?

a. Administrators must manually supply information for certain attributes.

b. Every container object has, as an attribute, a list of all the other objects it contains.

c. Leaf objects do not contain attributes.

d. Active Directory automatically creates the globally unique identifier (GUID).

4. Which of the following is not a reason you should try to create as few domains as possible when designing an Active Directory infrastructure?

a. Creating additional domains increases the administrative burden of the installation.

b. Each additional domain you create increases the hardware costs of the Active Directory deployment.

c. Some applications might have problems working in a forest with multiple domains.

d. You must purchase a license from Microsoft for each domain you create.

5. Which of the following does an Active Directory client use to locate objects in another domain?

a. DNS

b. Global Catalog

c. DHCP

d. Site Link

Objective 5.2: Create and manage Active Directory users and computers

Users and computers are the basic leaf objects that populate the branches of the AD DS tree. Creating and managing these objects are everyday tasks for most AD DS administrators.

NOTE

This objective covers how to:

▪ Automate the creation of ActiveDirectory accounts

▪ Create, copy, configure, and deleteusers and computers

▪ Configure templates

▪ Perform bulk Active Directoryoperations

▪ Configure user rights

▪ Offline domain join

▪ Manage inactive and disabledaccounts

Creating user objects

The user account is the primary means by which people using an AD DS forest access resources. Resource access for individuals takes place through their individual user accounts. To gain access to the network, prospective network users must authenticate to a network with a specific user account.

Authentication is the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint. When a user supplies a name and password, the authentication process validates the credentials supplied in the logon against information that has been stored within the AD DS database. Do not confuse authentication with authorization, which is the process of confirming that an authenticated user has the correct permissions to access one or more network resources.

There are two types of user accounts on systems running Windows Server 2012 R2, as follows:

▪ Local users. These accounts can only access resources on the local computer and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers and do not provide domain access. This means that a local account configured on one server cannot be used to access resources on a second server; you would need to configure a second local account in that case.

▪ Domain users. These accounts can access AD DS or network-based resources, such as shared folders and printers. Account information for these users is stored in the AD DS database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

User creation tools

One of the most common tasks for administrators is the creation of Active Directory user objects. Windows Server 2012 R2 includes several tools you can use to create objects. The specific tool you use depends on how many objects you need to create, the time frame available for the creation of these objects, and any special circumstances, such as importing users from an existing database.

When creating a single user, administrators can use Active Directory Administrative Center or the Active Directory Users And Computers console. However, when you need to create multiple users in a short time frame or you have an existing database from which to import these objects, you will want to use a more efficient tool. Windows Server 2012 R2 provides a number of tools you can choose based on what you want to accomplish. The following list describes the most commonly used methods for creating multiple users and groups. These tools are detailed in the upcoming sections.

▪ Dsadd.exe. The standard command-line tool for creating AD DS leaf objects, which you can use with batch files to create AD DS objects in bulk

▪ Windows PowerShell. The Windows maintenance tool that enables you to create object creation scripts of nearly unlimited complexity

▪ Comma-Separated Value Directory Exchange (CSVDE.exe). A command-line utility that can create new AD DS objects by importing information from a comma-separated value (.csv) file

▪ LDAP Data Interchange Format Directory Exchange (LDIFDE.exe). Like CSVDE, but with more functionality, LDIFDE is a utility that can import AD DS information and use it to add, delete, or modify objects, in addition to modifying the schema, if necessary

These tools all have their roles in network administration; it is up to the administrator to select the best tool to suit his or her skill set and the particular situation.

The following sections examine various scenarios for using these tools to create user objects.

Creating single users

For some administrators, creating individual user accounts is a daily task and there are many ways to go about it. Windows Server 2012 R2 has redesigned the Active Directory Administrative Center (ADAC) application, first introduced in Windows Server 2008 R2, to fully incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts.

To create a single user account by using the Active Directory Administrative Center, use the following procedure.

1. In Server Manager, on the Tools menu, select Active Directory Administrative Center. The Active Directory Administrative Center console opens.

2. In the left pane, find the domain in which you want to create the user object and select a container in that domain.

3. In the Tasks pane, under the container name, click New, User to open the Create User window, as shown in Figure 5-11.

Figure 5-11. The Create User window in the Active Directory Administrative Center console

4. Type the user's name in the Full Name field and an account name in the User SamAccountName Logon field.

5. Type an initial password for the user in the Password field and the Confirm Password field.

6. Supply information for any of the optional fields on the page you wish.

7. Click OK. The user object appears in the container.

8. Close the Active Directory Administrative Center console.

Administrators who are more comfortable with the familiar Active Directory Users And Computers console can still use it to create user objects by using the New Object – User Wizard, as shown in Figure 5-12.

Figure 5-12. The New Object – User Wizard in the Active Directory Users And Computers console

For administrators working on Server Core installations or who are more comfortable with the command line, it is also possible to create user objects without a graphical interface.

Using Dsadd.exe

For administrators more comfortable with the traditional command prompt, the Dsadd.exe program can create new user objects by using the syntax shown in Figure 5-13.

Figure 5-13. Syntax of the Dsadd.exe program

To create a user by using the Dsadd.exe utility, you must know the distinguished name (DN) for the user and the user's login ID, also known as the SAM account name attribute within AD DS. The distinguished name of an object signifies its location within the Active Directory structure. For example, in the distinguished name:

cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com

the cn refers to the common name for Elizabeth Andersen's user account, which resides in the Research OU, which resides in the adatum.com domain.

Each object has a unique DN, but this DN can change if you move the object to a different location within the Active Directory structure. For example, if you create an additional layer of OUs representing offices in different cities, the previous DN might change to:

cn=Elizabeth Andersen,ou=Research,ou=Baltimore,dc=adatum,dc=com

even though it is the same user object with the same rights and permissions.

The SAM account name refers to each user's login name—the portion to the left of the @ within a User Principal Name—which is eander in eander@adatum.com. The SAM account name must be unique across a domain.

When you have both these items, you can create a user with the Dsadd.exe utility by using the following syntax:

dsadd user <distinguished name> -samid <SAM account name>

For example, in its simplest form, you can create the account for Elizabeth Andersen referenced earlier as follows (the DN is quoted as a whole because it contains a space):

dsadd user "cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com" -samid eander

You can also add attribute values by using the Dsadd.exe tool. The following command adds some of the most common attributes to the user object:

dsadd user "CN=Elizabeth Andersen,OU=Research,DC=adatum,DC=com" -samid eander -fn Elizabeth -ln Andersen -disabled no -mustchpwd yes -pwd "Pa$$w0rd"

A password typed on the command line ends up in the console history and in any batch file that contains the command; specify -pwd * instead to have Dsadd.exe prompt for it.

Using Windows PowerShell

Microsoft is placing increased emphasis on Windows PowerShell as a server management tool, and provides a cmdlet called New-ADUser, which you can use to create a user account and configure any or all of the attributes associated with it. The New-ADUser cmdlet has many parameters, as shown in Figure 5-14, to enable access to all the user object's attributes.

Figure 5-14. Syntax of the New-ADUser cmdlet

For example, to create a new user object for Elizabeth Andersen in an organizational unit (OU) called Research, you could use the New-ADUser cmdlet with the following parameters:

New-ADUser -Name "Elizabeth Andersen" -SamAccountName "eander" -GivenName "Elizabeth" -Surname "Andersen" -Path "OU=Research,DC=adatum,DC=com" -Enabled $true -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) -ChangePasswordAtLogon $true

The -Name and -SamAccountName parameters are required to identify the object. The -Path parameter specifies the location of the object in the AD DS hierarchy. The -Enabled parameter ensures that the account is active; an enabled account must have a password that satisfies the domain's password policy, or the cmdlet fails. The -AccountPassword parameter accepts a SecureString, not plain text, which is why the password is wrapped in ConvertTo-SecureString, and it is written in single quotes so that PowerShell does not try to expand the $$ inside it.

Creating user templates

In some cases, administrators have to create single users on a regular basis, but the user accounts contain so many attributes that creating them individually is time-consuming.

One way to speed up the process of creating complex user objects is to use the New-ADUser cmdlet or the Dsadd.exe program and retain your commands in a script or batch file. However, if you prefer a graphical interface, you can do roughly the same thing by creating a user template.

A user template is a standard user object containing boilerplate attribute settings. When you want to create a new user with those settings, just copy the template to a new user object and change the name and any other attributes that are unique to the user.

To create a user template by using the Active Directory Users And Computers console, use the following procedure.

1. In Server Manager, on the Tools menu, select Active Directory Users And Computers. The Active Directory Users And Computers console appears.

2. Create a user object with the name Default Template, clearing the User Must Change Password At Next Logon check box and selecting the Account Is Disabled check box.

3. Open the user's Properties sheet and modify the attributes on the various tabs with values common to all the users you will be creating.

To use the template, right-click the Default Template user object and, from the shortcut menu, select Copy. The Copy Object – User Wizard starts, as shown in Figure 5-15.

Figure 5-15. The Copy Object – User Wizard

Enter the required unique information for the user and clear the Account Is Disabled check box before clicking OK. The wizard creates a new user object with a subset of the attributes you configured in the template.

Creating multiple users

Administrators sometimes have to create hundreds or thousands of user objects, making the single-object creation procedures impractical. The previous sections described the procedures for creating single user and group objects by using the GUI and some of the available command-line tools in Windows Server 2012 R2. The following sections examine some of the mechanisms for automating the creation of large numbers of Active Directory objects.

Using CSVDE.exe

Applications such as Microsoft Excel can generate lists of users, with their accompanying information, to add to the AD DS database. In these cases, you can export information from the applications by saving it to a file in CSV format. CSV format can also be used to import information into and export it from other third-party applications.

A CSV file is a plain text file that consists of records, each on a separate line, which are divided into fields, separated by commas. The format is a way to save database information in a universally understandable way.

The CSVDE.exe command-line utility enables administrators to import or export Active Directory objects. It uses a CSV file that is based on a header record, which identifies the attribute contained in each comma-delimited field. The header record is just the first line of the text file that uses proper attribute names. To be imported into AD DS, the attribute names in the CSV file must match the attributes allowed by the Active Directory schema. For example, if you have a list of people and telephone numbers you want to import as users into the Active Directory database, you will need to create a header record that accurately reflects the object names and attributes you want to create. Review the following attributes that are commonly used for creating user accounts.

▪ dn. Specifies the distinguished name of the object so that the object can be properly placed in Active Directory

▪ samAccountName. Populates the SAM account field

▪ objectClass. Specifies the type of object to be created, such as user, group, or OU

▪ telephoneNumber. Populates the Telephone Number field

▪ userPrincipalName. Populates the User Principal Name field

As you create your CSV file, you must order the data to reflect the sequence of the attributes in the header record. If fields and data are out of order, you will either encounter an error when running the CSVDE.exe utility or you might get inaccurate results in the created objects. The following example of a header record uses the previously listed attributes to create a user object.

dn,samAccountName,userPrincipalName,telephoneNumber,objectClass

A data record conforming to this header record would then appear as follows (the DN is quoted because it contains commas):

"cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com",eander,eander@adatum.com,586-555-1234,user

After you have added a record for each account you want to create, save the file using .csv as the extension. You then use the following command syntax to run the CSVDE.exe program and import the file:

csvde.exe -i -f <filename.csv>

The -i switch tells CSVDE.exe that this operation will import data. The -f switch is used to specify the .csv file containing the records to be imported. CSVDE.exe cannot set passwords, so the user accounts it creates are disabled until you set a password and enable each one; plan that second pass as part of the import.

Using LDIFDE.exe

LDIFDE.exe is a utility that has the same basic functionality as CSVDE.exe and provides the ability to modify existing records in Active Directory. For this reason, LDIFDE.exe is a more flexible option. Consider an example where you have to import 200 new users into your AD DS structure. In this case, you can use CSVDE.exe or LDIFDE.exe to import the users. However, you can use LDIFDE.exe to modify or delete the objects later, whereas CSVDE.exe does not provide this option.

You can use any text editor to create the LDIFDE.exe input file, which is formatted according to the LDAP Data Interchange Format (LDIF) standard. The format for the data file containing the object records you wish to create is significantly different from that of CSVDE.exe. The following example shows the syntax for a data file to create the same user account discussed in the CSVDE.exe example. In LDIF the distinguished name is not quoted; quotation marks would become part of the DN.

dn: cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com
changetype: add
objectClass: user
sAMAccountName: eander
userPrincipalName: eander@adatum.com
telephoneNumber: 586-555-1234

Using LDIFDE.exe, you can specify one of three actions that will be performed with the LDIF file:

▪ Add. Creates new objects by using the LDIF records

▪ Modify. Modifies existing object attributes by using the LDIF records

▪ Delete. Deletes existing objects by using the LDIF records

After creating the data file and saving it using the .ldf file extension, use the following syntax to execute the LDIFDE.exe program:

ldifde -i -f <filename.ldf>

The next example illustrates the LDIF syntax to modify the telephone number of an existing user object. Note that the hyphen in the last line is required for the file to function correctly, and that a blank line separates one record from the next.

dn: cn=Elizabeth Andersen,ou=Research,dc=adatum,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: 586-555-1111
-

Using Windows Powershell

It is also possible to use CSV files to create user objects with Windows PowerShell by using the Import-CSV cmdlet to read the data from the file and piping it to the New-ADUser cmdlet. To insert the data from the file into the correct user object attributes, use the New-ADUser cmdlet parameters to reference the field names in the CSV file’s header record.

An example of a bulk user creation command would be as follows:

Import-CSV users.csv | foreach {
    New-ADUser -SamAccountName $_.SamAccountName -Name $_.Name `
        -Surname $_.Surname -GivenName $_.GivenName `
        -Path "OU=Research,DC=adatum,DC=COM" `
        -AccountPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force) `
        -Enabled $true
}

The -AccountPassword parameter accepts only a SecureString, so the plain-text password must be wrapped in ConvertTo-SecureString; the single quotes keep PowerShell from expanding the $$ sequence as a variable.
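The following script is an added example of the same Import-CSV/New-ADUser technique, not code from the book. It generates a separate random initial password for every account instead of using one shared literal, forces a password change at first logon, and skips rows that would collide with an existing account so one bad row does not abort the run. The ActiveDirectory module, the OU OU=Research,DC=adatum,DC=com, the CSV path, and the UPN suffix are assumptions; the CSV is expected to carry the same SamAccountName, Name, GivenName, and Surname header fields as the example above.

```powershell
# Added example (not from the book): bulk user creation from a CSV file with
# per-user random initial passwords. Assumed: ActiveDirectory module present,
# target OU exists, CSV path and UPN suffix are hypothetical.
Import-Module ActiveDirectory

$csvPath   = 'C:\Imports\users.csv'              # hypothetical input file
$targetOU  = 'OU=Research,DC=adatum,DC=com'
$upnSuffix = 'adatum.com'

function New-RandomPassword {
    # Draws characters from a cryptographic RNG and rejects bytes that would
    # bias the modulo, so every character position is uniformly distributed.
    param([int]$Length = 16)
    $chars    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $maxValid = 256 - (256 % $chars.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $maxValid) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # Report duplicates instead of letting New-ADUser fail the whole run.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = 'Exists' }
        continue
    }
    $password = New-RandomPassword
    $params = @{
        SamAccountName        = $row.SamAccountName
        Name                  = $row.Name
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        UserPrincipalName     = "$($row.SamAccountName)@$upnSuffix"
        Path                  = $targetOU
        AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
        ChangePasswordAtLogon = $true     # the generated password is one-time only
        Enabled               = $true
    }
    try {
        New-ADUser @params -ErrorAction Stop
        [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = 'Created'; InitialPassword = $password }
    } catch {
        [pscustomobject]@{ SamAccountName = $row.SamAccountName; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

The InitialPassword column exists only so the passwords can be handed to each user out of band; do not leave the output in a log or script history. Splatting the parameters through a hashtable keeps the New-ADUser call readable and makes it easy to add attributes such as -Department from extra CSV columns.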

Creating computer objects

Because an AD DS forest uses a centralized directory, there has to be some means of tracking the actual computers that are part of the domain. To do this, Active Directory uses computer accounts, which are realized in the form of computer objects in the Active Directory database. You might have a valid Active Directory user account and a password, but if your computer is not represented by a computer object, you cannot log on to the domain using that system.

Computer objects are stored in the Active Directory hierarchy just like user objects are; they possess many of the same capabilities, such as the following:

▪ Computer objects consist of properties that specify the computer’s name, where it is located, and who is permitted to manage it.

▪ Computer objects inherit group policy settings from container objects such as domains, sites, and OUs.

▪ Computer objects can be members of groups and inherit permissions from group objects.

When a user attempts to log on to an Active Directory domain, the client computer establishes a connection to a domain controller to authenticate the user’s identity. Before the user authentication occurs, the two computers perform a preliminary authentication by using their respective computer objects to ensure that both systems are part of the domain. The NetLogon service running on the client computer connects to the same service on the domain controller, and then each one verifies that the other system has a valid computer account. When this validation is completed, the two systems establish a secure communications channel between them, which they can then use to begin the user authentication process.

The computer account validation between the client and the domain controller is a genuine authentication process using account names and passwords, just as when a user authenticates to the domain. The difference is that the passwords used by the computer accounts are generated automatically and kept hidden. Administrators can reset computer accounts, but they do not have to supply passwords for them.

What this means for administrators is that, in addition to creating user accounts in the domain, they also have to make sure that the network computers are part of the domain.

Adding a computer to an AD DS domain consists of two steps:

▪ Creating a computer account. You create a computer account by creating a new computer object in Active Directory and assigning it the name of an actual computer on the network.

▪ Joining the computer to the domain. When you join a computer to the domain, the system contacts a domain controller, establishes a trust relationship with the domain, locates (or creates) a computer object corresponding to the computer’s name, alters its security identifier (SID) to match that of the computer object, and modifies its group memberships.

How these steps are performed and who performs them depends on the way in which you deploy computers on your network. There are many ways to create new computer objects, and how administrators elect to do this depends on several factors, including the number of objects they need to create, where they will be when creating the objects, and what tools they prefer to use.

Generally speaking, you create computer objects when you deploy new computers in the domain. Once a computer is represented by an object and joined to the domain, any user in the domain can log on from that computer. For example, you do not have to create new computer objects or rejoin computers to the domain when employees leave the company and new hires start using their computers. However, if you reinstall the operating system on a computer, you must create a new computer object for it (or reset the existing one), because the newly installed computer will have a different SID.

The creation of a computer object must always occur before the corresponding computer can join the domain, although it might not appear that way. There are two basic strategies for creating Active Directory computer objects, which are as follows:

▪ Create the computer objects in advance by using an Active Directory tool, so that the computers can locate the existing objects when they join the domain.

▪ Begin the joining process first and let the computer create its own computer object.

In either case, the computer object exists before the joining takes place. In the second strategy, the joining process appears to begin first, but the computer creates the object before the actual joining process begins.

When there are a number of computers to deploy, particularly in different locations, administrators can conceivably create the computer objects in advance. For large numbers of computers, it is even possible to automate the computer object creation process by using command-line tools and batch files, although many use a third-party tool for this task. The following sections examine the tools you can use for computer object creation.

Creating computer objects by using Active Directory Users And Computers

As with user objects, you can create computer objects by using the Active Directory Users And Computers console. To create computer objects in an Active Directory domain by using the Active Directory Users And Computers console or by using any tool, you must have the appropriate permissions for the container in which the objects will be located.

By default, the Administrators group has permission to create objects anywhere in the domain, and the Account Operators group has the special permissions needed to create computer objects in and delete them from the Computers container and from any new OUs you create. Members of the Domain Admins and Enterprise Admins groups can also create computer objects anywhere. An administrator can also explicitly delegate control of containers to particular users or groups, enabling them to create computer objects in those containers.

The process of creating a computer object in Active Directory Users And Computers is similar to that of creating a user object. You select the container in which you want to place the object and, from the Action menu, select New, Computer. The New Object – Computer Wizard starts, as shown in Figure 5-16.

Figure 5-16. The New Object – Computer Wizard

The Properties sheet for Computer objects in the Active Directory Users And Computers console shows relatively few attributes and, in most cases, you will likely just supply them with a name, which can be up to 64 characters long. This name must match the name of the computer joined with the object.

Creating computer objects by using Active Directory Administrative Center

As with users, you can also create computer objects in the Active Directory Administrative Center. To create a computer object, you choose a container and then select New, Computer from the Tasks list to open the Create Computer dialog box.

Creating computer objects by using Dsadd.exe

As with users, the graphical tools provided with Windows Server 2012 R2 are good for creating and managing single objects, but many administrators turn to the command line when they have to create multiple objects.

The Dsadd.exe utility enables you to create computer objects from the command line, just as you created user objects earlier in this lesson. You can create a batch file of Dsadd.exe commands to generate multiple objects in one process. The basic syntax for creating a computer object by using Dsadd.exe is as follows:

dsadd computer <ComputerDN>

The <ComputerDN> parameter specifies a distinguished name for the new computer object you want to create. The DNs use the same format as those in CSV files, as discussed earlier.

Creating computer objects by using Windows PowerShell

Windows PowerShell includes the New-ADComputer cmdlet, which you can use to create computer objects with the following basic syntax. This cmdlet creates computer objects, but it does not join them to a domain.

New-ADComputer -Name <computer name> -Path <distinguished name>

Managing Active Directory objects

Once you have created user and computer objects, you can manage them and modify them in many of the same ways by which you created them.

Double-clicking any object in the Active Directory Administrative Center or the Active Directory Users And Computers console opens the Properties sheet for that object. The windows appear different, but they contain the same information and provide the same ability to alter the object attributes.

Managing multiple users

When managing domain user accounts, there are likely to be times when you have to make the same changes to multiple user objects, and modifying each one individually would be a tedious chore.

In these instances, it is possible to modify the properties of multiple user accounts simultaneously by using the Active Directory Administrative Center or the Active Directory Users And Computers console. You just select several user objects by holding down the Ctrl key as you click each user and then select Properties. A Properties sheet opens, containing the attributes you can manage for the selected objects simultaneously, as shown in Figure 5-17.

Figure 5-17. A Multiple Users Properties sheet in Active Directory Administrative Center

Joining computers to a domain

The process of joining a computer to a domain must occur from the computer itself and be performed by a member of the computer’s local Administrators group. After logging on, you join a computer running Windows Server 2012 R2 to a domain from the Computer Name tab in the System Properties sheet. You can access the System Properties sheet from Server Manager, by clicking the Computer name or domain hyperlink on the server’s Properties tile, or from the Control Panel.

On a computer that is not joined to a domain, the Computer Name tab displays the name assigned to the computer during the operating system installation and the name of the workgroup to which the system currently belongs (which is WORKGROUP, by default). To join the computer to the domain, click Change to display the Computer Name/Domain Changes dialog box shown in Figure 5-18.

Figure 5-18. The Computer Name/Domain Changes dialog box

In this dialog box, the Computer Name field enables you to change the name assigned to the computer during installation. Depending on whether you have already created a computer object, observe the following precautions:

▪ To join a domain in which you have already created a computer object for the system in AD DS, the name in this field must match the name of the object exactly.

▪ If you intend to create a computer object during the joining process, the name in this field must not already exist in the domain.

When you select the Domain option and enter the name of the domain the computer will join, the computer establishes contact with a domain controller for the domain and a second Computer Name Changes dialog box opens, prompting you for the name and password of a domain user account with permission to join the computer to the domain.

Once you have authenticated with the domain controller, the computer is welcomed to the domain and you are instructed to restart the computer.

Joining a Domain by Using Netdom.exe

It is also possible to use the Netdom.exe command-line utility to join a computer to a domain. The syntax for the command is as follows:

netdom join <computername> /Domain:<DomainName> [/UserD:<User> /PasswordD:<UserPassword>] [/OU:<OUDN>]

Creating Computer Objects While Joining

You can join a computer to a domain whether or not you have already created a computer object for it. Once the computer authenticates to the domain controller, the domain controller scans the Active Directory database for a computer object with the same name as the computer. If it does not find a matching object, the domain controller creates one in the default container (usually the Computers container), using the name supplied by the computer.

For the computer object to be created automatically in this manner, one would expect that the user account you specify when connecting to the domain controller must have object creation privileges for the Computers container, such as membership in the Administrators group. However, this is not always the case.

Domain users can also create computer objects through an interesting, indirect process. The Default Domain Controllers Policy Group Policy object (GPO) grants a user right called Add Workstations To The Domain (as shown in Figure 5-19) to the Authenticated Users special identity. This means that any user who is successfully authenticated to Active Directory is permitted to join up to 10 workstations to the domain and create 10 associated computer objects, even if the user does not possess explicit object creation permissions.

Figure 5-19. The Default Domain Controllers Policy user rights assignments

ASSIGNING USER RIGHTS

User rights are Group Policy settings that provide users with the ability to perform certain system-related tasks. For example, logging on locally to a domain controller requires that a user either have the Log On Locally right assigned to his or her account or be a member of the Account Operators, Administrators, Backup Operators, Print Operators, or Server Operators group on the domain controller. Other similar settings included in this collection are related to user rights associated with system shutdown, taking ownership privileges of files or objects, and synchronizing directory service data. For more information on user rights assignment, see Objective 6.2, “Configure security policies,” in Chapter 6.


Joining a Domain While Offline

It is typical for administrators to join computers to domains while the computers are connected to the network and have access to a domain controller. However, there are situations in which administrators might want to set up computers without access to a domain controller, such as a new branch office installation. In these cases, it is possible to perform an offline domain join by using a command-line program called Djoin.exe.

The offline domain join procedure requires you to run the Djoin.exe program twice, first on a computer with access to a domain controller and then on the computer to be joined. When connected to the domain controller, the program gathers computer account metadata for the system to be joined and saves it to a file. The syntax for this phase of the process is as follows:

djoin /provision /domain <domain name> /machine <computer name> /savefile <filename.txt>

You then transport the metadata file to the computer to be joined and run Djoin.exe again, specifying the name of the file. The program saves the metadata from the file to the computer, so that the next time it has access to a domain controller, the system is automatically joined to the domain. The syntax for the second phase of the process is as follows:

djoin /requestODJ /loadfile <filename.txt> /windowspath %SystemRoot% /localos
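The following script is an added example that combines two of the techniques above, New-ADComputer pre-staging and the first (provisioning) phase of an offline domain join; it is not code from the book. It creates the computer objects in a branch office OU rather than the default Computers container, then runs djoin /provision for each name, using the /machineou and /reuse switches so the blob is generated against the pre-staged object. The domain name, OU, computer names, and output folder are constructed assumptions.

```powershell
# Added example (not from the book): pre-stage computer objects in an OU and
# produce an offline domain join blob for each with djoin.exe /provision.
# Assumed: run on a domain-joined admin workstation with the ActiveDirectory
# module; domain, OU, names and output folder below are hypothetical.
Import-Module ActiveDirectory

$domain   = 'adatum.com'
$targetOU = 'OU=Branch Office,DC=adatum,DC=com'
$outDir   = 'C:\ODJ'                                  # hypothetical output folder
$names    = @('BR-WS-01', 'BR-WS-02', 'BR-WS-03')     # constructed sample names

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($name in $names) {
    # The NetBIOS computer name that djoin registers is limited to 15 characters.
    if ($name.Length -gt 15) { Write-Warning "$name exceeds 15 characters, skipping"; continue }

    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
        # Pre-stage so the object lands in the branch OU, not the Computers container.
        New-ADComputer -Name $name -Path $targetOU -Description 'Pre-staged for offline join'
    }

    # /reuse tells djoin to use the existing object instead of failing because it exists.
    $blob = Join-Path $outDir "$name.txt"
    djoin.exe /provision /domain $domain /machine $name /machineou $targetOU /reuse /savefile $blob
    if ($LASTEXITCODE -ne 0) { Write-Warning "djoin /provision failed for $name (exit $LASTEXITCODE)" }
}

# Each blob carries the machine account password; limit who can read the files before transport.
Get-ChildItem -Path $outDir -Filter '*.txt' | ForEach-Object {
    icacls $_.FullName /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null
}
```

The blob files are the sensitive artifact of this procedure: whoever can read one can complete the join for that machine name, so treat them like credentials in transit and delete them once the second djoin phase has run on the target computer.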

Managing disabled accounts

Disabling a user account prevents anyone from using it to log on to the domain until an administrator with the appropriate permissions enables it again. You can disable user accounts manually, to prevent their use while preserving all their attributes, but it is also possible for a domain controller to automatically disable them. For example, repeated violations of password policy settings can disable an account to prevent intruders from making further attack attempts.

To disable or enable a user or computer account in Active Directory Administrative Center or Active Directory Users And Computers, just right-click the object and select Disable or Enable from the shortcut menu. You can also disable and enable multiple accounts by selecting multiple objects and right-clicking.

To disable or enable a user or computer account by using Windows PowerShell, use the following cmdlet syntax:

Disable-ADAccount -Identity <account name>

Enable-ADAccount -Identity <account name>
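The following script is an added example, not from the book, covering both the multiple-user modification described under “Managing multiple users” and the Disable-ADAccount cmdlet shown above. It applies one attribute change to every user in an OU in a single pipeline (the command-line equivalent of the multi-select Properties sheet), disables a constructed list of accounts with a dated reason recorded in the Description attribute, and then enumerates the disabled users in that OU so the result can be verified. The OU, the account names, and the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the book): bulk attribute change, bulk disable, and a
# verification query. Assumed: ActiveDirectory module present; the OU and the
# account names are hypothetical.
Import-Module ActiveDirectory

$ou      = 'OU=Inside Sales,DC=fabrikam,DC=com'
$leavers = @('ocox', 'jdoe')     # constructed list of accounts to disable

# One Set-ADUser call per object, driven by a filter rather than by clicking each user.
Get-ADUser -Filter * -SearchBase $ou |
    Set-ADUser -Department 'Inside Sales' -Company 'Fabrikam, Inc.'

foreach ($sam in $leavers) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $user) { Write-Warning "$sam not found"; continue }

    Disable-ADAccount -Identity $user
    # Record when and why, so the next person reviewing the object does not re-enable it blindly.
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left company"
}

function Get-DisabledUsersInOU {
    # Search-ADAccount does the enabled/disabled evaluation server-side;
    # it also accepts -AccountInactive and -LockedOut for related reviews.
    param([Parameter(Mandatory)][string]$SearchBase)
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase |
        Select-Object Name, SamAccountName, Enabled, LastLogonDate
}

Get-DisabledUsersInOU -SearchBase $ou | Format-Table -AutoSize
```

Disabling preserves the object, its SID, and its group memberships, which is why it is the right first step for a departing user; deletion can follow after the retention period your organization requires.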

THOUGHT EXPERIMENT: CREATING USER OBJECTS

In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

You are a network administrator who is in the process of building an Active Directory network for a company called Fabrikam, Inc., and you have to create user objects for the 75 users in the Inside Sales department. You have already created the fabrikam.com domain and an OU called Inside Sales for this purpose. The Human Resources department has provided you with a list of the users’ names and has instructed you to create the account names by using the first initial and the last name. Each user object must also have the value Inside Sales in the Department property and Fabrikam, Inc. in the Company property. Using the first name in the list, Oliver Cox, as an example, which of the following command-line formats would enable you to create the 75 user objects with the required property values?

1. dsadd “Oliver Cox” -samid ocox -company “Fabrikam, Inc.” -dept “Inside Sales”

2. dsadd user CN=Oliver Cox,CN=Inside Sales,DC=fabrikam,DC=com -samid ocox -company Fabrikam, Inc. -dept Inside Sales

3. dsadd -company “Fabrikam, Inc.” -samid ocox -dept “Inside Sales” “CN=Oliver Cox,CN=Inside Sales,DC=fabrikam,DC=com”

4. dsadd user “CN=Oliver Cox,CN=Inside Sales,DC=fabrikam,DC=com” -samid ocox -company “Fabrikam, Inc.” -dept “Inside Sales”

Objective summary

▪ The user account is the primary means by which people using an AD DS forest access resources.

▪ One of the most common tasks for administrators is the creation of Active Directory user objects. Windows Server 2012 R2 includes several tools you can use to create objects.

▪ Windows Server 2012 R2 has redesigned the Active Directory Administrative Center (ADAC) application, first introduced in Windows Server 2008 R2, to fully incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts.

▪ For applications in which you can have a number of users, with their accompanying information, to add to the AD DS database, you can export information from the applications by saving it to a file in CSV format.

▪ LDIFDE.exe is a utility that has the same basic functionality as CSVDE.exe and provides the ability to modify existing records in Active Directory.

▪ Because an AD DS forest uses a centralized directory, there has to be some means of tracking the actual computers that are part of the domain. To do this, Active Directory uses computer accounts, which are realized in the form of computer objects in the Active Directory database.

▪ The process of joining a computer to a domain must occur at the computer itself and be performed by a member of the computer’s local Administrators group.

▪ It is possible to perform an offline domain join by using a command-line program called Djoin.exe.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following can be used to add, delete, or modify objects in Active Directory, in addition to modifying the schema if necessary?

a. DCPROMO

b. LDIFDE

c. CSVDE

d. NSLOOKUP

2. When using CSVDE, what is the first line of the text file that uses proper attribute names?

a. Header row

b. Header record

c. Name row

d. Name record


3. Which of the following utilities are used to perform an offline domain join?

a. net join

b. join

c. djoin

d. dconnect

4. Which of the following is not a type of user account that can be configured in Windows Server 2012 R2?

a. Local accounts

b. Domain accounts

c. Network accounts

d. Built-in accounts


5. Which of the following are the two built-in user accounts created automatically on a computer running Windows Server 2012 R2?

a. Network

b. Interactive

c. Administrator

d. Guest

Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

OUs can be nested to create a design that enables administrators to take advantage of the natural inheritance of the Active Directory hierarchy. You should limit the number of OUs that are nested, because too many levels can slow the response time to resource requests and complicate the application of Group Policy settings.

When you first install Active Directory Domain Services, there is only one OU in the domain, by default: the Domain Controllers OU. All other OUs must be created by an AD administrator.

OUS AND PERMISSIONS

OUs are not considered security principals. This means that you cannot assign access permissions to a resource based on membership in an OU. Herein lies the difference between OUs and global, domain local, and universal groups. Groups are used for assigning access permissions, whereas OUs are used for delegating permissions and Group Policy.

There is another type of container object found in a domain, which is actually called a container. For example, a newly created domain has several container objects in it, including one called Users, which contains the domain’s predefined users and groups, and another called Computers, which contains the computer objects for all the systems joined to the domain except for domain controllers.

Unlike with OUs, you cannot assign Group Policy settings to container objects. You also cannot create new container objects by using the standard Active Directory administration tools, such as the Active Directory Users And Computers console. You can create container objects by using scripts, but there is no compelling reason to do so. OUs are the preferred method of subdividing a domain.

NOTE

This objective covers how to:

▪ Configure group nesting

▪ Convert groups (including security, distribution, universal, domain local, and domain global)

▪ Manage group membership using Group Policy

▪ Enumerate group membership

▪ Delegate the creation and management of Active Directory objects

▪ Manage default Active Directory containers

▪ Create, copy, configure, and delete groups and OUs

Creating OUs

OUs are the simplest type of object to create in the AD DS hierarchy. You only have to supply a name for the object and define its location in the Active Directory tree.

To create an OU object by using the Active Directory Administrative Center, use the following procedure.

1. In Server Manager, on the Tools menu, select Active Directory Administrative Center to open the Active Directory Administrative Center console.

2. In the left pane, right-click the object beneath which you want to create the new OU and, from the shortcut menu, select New, Organizational Unit. The Create Organizational Unit window opens, as shown in Figure 5-20.

Figure 5-20. The Create Organizational Unit window in Active Directory Administrative Center

3. In the Name field, type a name for the OU and add any optional information you desire.

4. Click OK. The OU object appears in the object you selected.

5. Close the Active Directory Administrative Center console.

Creating an OU in the Active Directory Users And Computers console works in roughly the same way, although the New Object – Organizational Unit dialog box looks different. Once you have created an OU, you can double-click it to open its Properties sheet, where you can modify its attributes, or right-click it and select Move to open the Move dialog box, as shown in Figure 5-21.

Figure 5-21. The Move dialog box in Active Directory Administrative Center

Using OUs to assign Group Policy settings

One of the main reasons for creating an OU is to assign different Group Policy settings to a particular collection of objects. When you assign Group Policy settings to an OU, every object contained in that OU receives those settings, including other OUs. This enables administrators to deploy Group Policy settings to only part of a domain, rather than the entire domain.

Using OUs to delegate Active Directory management tasks

Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.

Delegating authority at a site level affects all domains and users within the site. Delegating authority at the domain level affects the entire domain. However, delegating authority at the OU level affects only that OU and its subordinate objects. By granting administrative authority over an OU structure, as opposed to an entire domain or site, you gain the following advantages:

▪ Minimal number of administrators with global privileges. By creating a hierarchy of administrative levels, you limit the number of people who require global access.

▪ Limited scope of errors. Administrative mistakes such as a container deletion or group object deletion affect only the respective OU structure.

The Delegation of Control Wizard provides a simple interface you can use to delegate permissions for domains, OUs, and containers. AD DS has its own system of permissions, much like those of NTFS and printers. The Delegation of Control Wizard is essentially a front-end interface that creates complex combinations of permissions based on specific administrative tasks.

The wizard interface enables you to specify the users or groups to which you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks or create custom tasks that enable you to be more specific.

To delegate administrative control over an OU, use the following procedure.

1. From Server Manager, open the Active Directory Users And Computers console, right-click the object over which you want to delegate control, and click Delegate Control. The Delegation of Control Wizard starts, displaying the Welcome page.

2. Click Next to move to the Users Or Groups page.

3. Click Add to open the Select Users, Computers, Or Groups dialog box.

4. Type the name of the user or group to which you want to delegate control of the object and click OK. The user or group appears in the Selected Users And Groups list.

5. Click Next. The Tasks To Delegate page opens, with the following options:

▪ Delegate The Following Common Tasks. Enables you to choose from a list of predefined tasks

▪ Create A Custom Task To Delegate. Enables you to be more specific about the task delegation

6. Select Create A Custom Task To Delegate and click Next. The Active Directory Object Type page opens, displaying the following options:

▪ This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder. Delegates control of the container, including all its current and future objects

▪ Only The Following Objects In The Folder. Enables you to select specific objects to be controlled. You can select Create Selected Objects In This Folder to allow selected object types to be created, or select Delete Selected Objects In This Folder to allow selected object types to be deleted

7. Select This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder and click Next. The Permissions page opens.

8. Set the delegated permissions according to your needs for the user or group to which you are delegating control. You can combine permissions from the following three options:

▪ General. Displays general permissions, which are equal to those displayed on the Security tab in an object’s properties

▪ Property-specific. Displays permissions that apply to specific attributes or properties of an object

▪ Creation/deletion of specific child objects. Displays permissions that apply to creation and deletion permissions for specified object types

9. Click Next to open the Completing The Delegation of Control Wizard page.

10. Click Finish.

11. Close the Active Directory Users And Computers console.

In this procedure, you granted permissions over a portion of Active Directory to a specified administrator or group of administrators. Although you can use the Delegation of Control Wizard to grant permissions, you cannot use it to modify or remove permissions. To perform these tasks, you must use the interface provided on the Security tab in the AD DS object’s Properties sheet.
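The following script is an added example, not from the book, for the two preceding sections: it creates a small nested OU structure with New-ADOrganizationalUnit (the cmdlet equivalent of the Create Organizational Unit window) and then reads an OU’s permissions through the ActiveDirectory module’s AD: drive, filtering out inherited entries so only the explicitly delegated access control entries remain. That filtered view is the check to run after using the Delegation of Control Wizard, because the wizard cannot show, modify, or remove what it previously granted. The domain and OU names are hypothetical.

```powershell
# Added example (not from the book): create OUs and audit the delegated
# permissions on one of them. Assumed: ActiveDirectory module present (it
# provides the AD: drive); domain and OU names are hypothetical.
Import-Module ActiveDirectory

$domainDN = 'DC=adatum,DC=com'
$ous = @(
    @{ Name = 'Research';     Parent = $domainDN },
    @{ Name = 'Workstations'; Parent = "OU=Research,$domainDN" },
    @{ Name = 'Staff';        Parent = "OU=Research,$domainDN" }
)

foreach ($ou in $ous) {
    $dn = "OU=$($ou.Name),$($ou.Parent)"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        # Protect the OU from accidental deletion, as the ADAC wizard does by default.
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Parent -ProtectedFromAccidentalDeletion $true
    }
}

function Get-OUDelegation {
    # Returns only the non-inherited ACEs on an OU: the entries added by the
    # Delegation of Control Wizard or by hand, as opposed to schema defaults
    # and entries inherited from the domain.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType
}

Get-OUDelegation -DistinguishedName "OU=Research,$domainDN" | Format-Table -AutoSize
```

In the output, ObjectType is a GUID that identifies the attribute, attribute set, or class the entry applies to (an all-zero GUID means the entry applies to the whole object); a property-specific grant from the wizard shows up here as a non-zero ObjectType. Reviewing this list periodically is how you find delegations that outlived the project they were created for.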


ADVANCED VIEW

By default, the Security tab does not appear in an OU’s Properties sheet in the Active Directory Users And Computers console. To display the tab, you must select Advanced Features from the console’s View menu.

Working with groups

Since the early days of the Microsoft server operating system, administrators have used groups to manage network permissions. Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.

In Windows Server 2012 R2, when a user logs on to Active Directory, an access token is created that identifies the user and that user’s group memberships. Domain controllers use this access token to verify a user’s permissions when the user attempts to access a local or network resource. By using groups, administrators can grant multiple users the same permission level for resources on the network. If, for example, you have 25 users in the graphics department who need access to a color printer, you can either assign each user the appropriate permissions for the printer or you can create a group containing the 25 users and assign the appropriate permissions to the group. By using a group object to access a resource, you have accomplished the following:

▪ When users need access to the printer, you can just add them to the group. Once added, the users receive all permissions assigned to this group. Similarly, you can remove users from the group when you want to revoke their access to the printer.

▪ Administrators only have to make one change to modify the level of access to the printer for all the users. Changing the group’s permissions changes the permission level for all group members. Without the group, you would have to modify all 25 user accounts individually.

ACCESS TOKENS

Users’ access tokens are only generated when they first log on to the network from their workstation. If you add users to a group, they will need to log off and log back on again for that change to take effect.

Users can be members of more than one group. In addition, groups can contain other Active Directory objects, such as computers, and other groups in a technique called group nesting. Group nesting describes the process of configuring one or more groups as members of another group. For example, consider a company that has two groups: marketing and graphic design. Graphic design group members have access to a high-resolution color laser printer. If the marketing group members also need access to the printer, you can just add the marketing group as a member of the graphic design group. This gives the marketing group members the same permission to the color laser printer as the members of the graphic design group.

Group types

There are two group classifications in Windows Server 2012 R2: group type and group scope. Group type defines how a group is used within Active Directory.

The two Windows Server 2012 R2 group types are as follows:

▪ Distribution groups. Nonsecurity-related groups created for the distribution of information to one or more persons

▪ Security groups. Security-related groups created for granting resource access permissions to multiple users

Active Directory–aware applications can use distribution groups for nonsecurity-related functions. For example, Microsoft Exchange uses distribution groups to send messages to multiple users. Only applications that are designed to work with Active Directory can make use of distribution groups in this manner.

Groups that you use to assign permissions to resources are referred to as security groups.

Administrators make users who need access to the same resource members of a security group. They then grant the security group permission to access the resource. After you create a group, you can convert it from a security group to a distribution group, or vice versa, at any time.

Group scopes

In addition to security and distribution group types, several group scopes are available within Active Directory. The group scope controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains, and also controls the location in the domain or forest where the group can be used. Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.

Domain Local Groups

Domain local groups can have any of the following as members:

▪ User accounts

▪ Computer accounts

▪ Global groups from any domain in the forest

▪ Universal groups

▪ Domain local groups from the same domain

You use domain local groups to assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage.

Global Groups

Global groups can have any of the following as members:

▪ User accounts

▪ Computer accounts

▪ Other global groups from the same domain

You can use global groups to grant or deny permissions to any resource located in any domain in the forest. You accomplish this by adding the global group as a member of a domain local group that has the desired permissions. Global group memberships are replicated only to domain controllers within the same domain. Users with common resource needs should be members of a global group to facilitate the assignment of permissions to resources. You can change the membership of the global group as frequently as necessary to provide users with the necessary resource permissions.

Universal Groups

Universal groups can have any of the following as members:

▪ User accounts

▪ Computer accounts

▪ Global groups from any domain in the forest

▪ Other universal groups

Universal groups, like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest by using domain local groups.

You can also use universal groups to consolidate groups and accounts that either span multiple domains or span the entire forest. A key point in the application and utilization of universal groups is that group memberships in universal groups should not change frequently, because universal groups are stored in the global catalog. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest. If these changes occur frequently, the replication process can consume a significant amount of bandwidth, especially on relatively slow and expensive WAN links.

Nesting groups

As discussed earlier, group nesting is the term used when groups are added as members of other groups. For example, when you make a global group a member of a universal group, it is said to be nested within the universal group.

Group nesting reduces the number of times you need to assign permissions to users in different domains in a multidomain forest. For example, if you have multiple child domains in your AD DS hierarchy, and the users in each domain need access to an enterprise database application located in the parent domain, the simplest way to set up access to this application is as follows.

1. Create global groups in each domain that contain all users needing access to the enterprise database.

2. Create a universal group in the parent domain. Include each location's global group as a member.

3. Add the universal group to the required domain local group to assign the necessary permission to access and use the enterprise database.

This traditional approach to group nesting in AD DS is often referred to by using the mnemonic AGUDLP: you add Accounts to Global groups, add those global groups to Universal groups, add universal groups to Domain Local groups, and, finally, assign Permissions to the domain local groups.

Administrators can use the same method to create their own domain local groups, to which they will delegate administrative tasks and user rights for particular OUs. Then, after creating global groups (or universal groups for forest-wide assignments) and adding them to the domain local groups, the structure is in place.

Creating groups

The procedure for creating groups in Active Directory Administrative Center or Active Directory Users And Computers is nearly identical to that for creating OUs. When you create a group, you must specify a name for the group object. The name you select can be up to 64 characters long and must be unique in the domain. You must also choose a group type and a group scope. Figure 5-22 shows the Create Group window in Active Directory Administrative Center.

Figure 5-22. Creating a group in Active Directory Administrative Center

The New Object – Group dialog box in Active Directory Users And Computers looks slightly different, but contains the same basic controls.

Although the graphical AD DS utilities are a convenient tool for creating and managing groups individually, they are not the most efficient method for creating large numbers of security principals. The command-line tools included with Windows Server 2012 R2 enable you to create and manage groups in large numbers by using batch files or other types of scripts. Some of these tools are discussed in the following sections.

Creating Groups from the Command Line

You can use the Dsadd.exe tool to create new user objects, and you can also use the program to create group objects. The basic syntax for creating group objects with Dsadd.exe is as follows:

dsadd group <GroupDN> [parameters]

The <GroupDN> parameter is a DN for the new group object you want to create. The DNs use the same format as those in CSV files.

By default, Dsadd.exe creates global security groups, but you can use command-line parameters to create groups with other types and scopes and to specify members and memberships for the groups and other group object properties. The most commonly used command-line parameters are as follows:

▪ -secgrp yes|no. Specifies whether the program should create a security group (yes) or a distribution group (no). The default value is yes.

▪ -scope l|g|u. Specifies whether the program should create a domain local (l), global (g), or universal (u) group. The default value is g.

▪ -samid <SAMName>. Specifies the SAM name for the group object.

▪ -desc <description>. Specifies a description for the group object.

▪ -memberof <GroupDN>. Specifies the DNs of one or more groups of which the new group should be made a member.

▪ -member <GroupDN>. Specifies the DNs of one or more objects that should be made members of the new group.

For example, to create a new group called Sales in the Users container and make the Administrator user a member, you would use the following command:

dsadd group "CN=Sales,CN=Users,DC=adatum,DC=com" -member "CN=Administrator,CN=Users,DC=adatum,DC=com"

To create a new group object by using Windows PowerShell, you use the New-ADGroup cmdlet, with the following syntax:

New-ADGroup -Name <group name> -SamAccountName <SAM name> -GroupCategory Distribution|Security -GroupScope DomainLocal|Global|Universal -Path <distinguished name>

For example, to create a global security group called Sales in the Chicago OU, you would use the following command:

New-ADGroup -Name Sales -SamAccountName Sales -GroupCategory Security -GroupScope Global -Path "OU=Chicago,DC=Adatum,DC=Com"
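The AGUDLP chain from the Nesting groups procedure, carried out with the New-ADGroup cmdlet shown above, as an added example that is not from the book. The adatum.com forest, its two child domains, the group names and the share path are assumptions; the script also assumes the account running it can create groups in each domain and set the share folder's ACL.

```powershell
# Added example (not from the book): the AGUDLP chain built with the ActiveDirectory
# module. adatum.com, the child domain names, group names and the share path are
# assumptions; the child domains are assumed to be in the same forest.
Import-Module ActiveDirectory

$rootDomain   = 'adatum.com'                          # assumed forest root; hosts the database share
$childDomains = 'east.adatum.com', 'west.adatum.com'  # assumed child domains
$sharePath    = '\\DBSRV01.adatum.com\EnterpriseDB'   # assumed share used by the database application
$root         = Get-ADDomain -Identity $rootDomain    # supplies PDCEmulator, DistinguishedName, NetBIOSName

# A -> G: one global group per domain, created on that domain's PDC emulator so the
# write lands in the domain that owns the group.
$globalGroups = foreach ($domainName in ($childDomains + $rootDomain)) {
    $domain = Get-ADDomain -Identity $domainName
    New-ADGroup -Server $domain.PDCEmulator -Name 'DB Users' -SamAccountName 'DB-Users' `
        -GroupCategory Security -GroupScope Global `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -Description "Accounts in $domainName that need the enterprise database" -PassThru
}

# G -> U: a universal group in the root domain nests the global group from every domain.
$universal = New-ADGroup -Server $root.PDCEmulator -Name 'DB Users (Forest)' `
    -SamAccountName 'DB-Users-Forest' -GroupCategory Security -GroupScope Universal `
    -Path "CN=Users,$($root.DistinguishedName)" -PassThru
Add-ADGroupMember -Server $root.PDCEmulator -Identity $universal -Members $globalGroups

# U -> DL: a domain local group in the resource's own domain holds the universal group.
$domainLocal = New-ADGroup -Server $root.PDCEmulator -Name 'DB Access' `
    -SamAccountName 'DB-Access' -GroupCategory Security -GroupScope DomainLocal `
    -Path "CN=Users,$($root.DistinguishedName)" -PassThru
Add-ADGroupMember -Server $root.PDCEmulator -Identity $domainLocal -Members $universal

# DL -> P: only the domain local group is granted rights on the share folder; user
# churn is absorbed by the global groups and never touches the ACL again.
$acl  = Get-Acl -LiteralPath $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$($root.NetBIOSName)\DB-Access", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $sharePath -AclObject $acl
```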

Managing group memberships

Unlike the Active Directory Administrative Center, which enables you to specify a group's members as you create the group, in Active Directory Users And Computers you must create the group object first, and then add members to it.

To add members to a group, select it in the console and, from the Action menu, select Properties to open the group's Properties sheet and then select the Members tab.

On the Members tab, you can add objects to the group's membership list, and on the Member Of tab, you can add the group to the membership list of another group. For both these tasks, you use the standard Select Users, Contacts, Computers, Service Accounts, Or Groups dialog box to choose objects.

Once you enter or find the objects you want to add, click OK to close the Properties sheet and add the objects to the group's membership list.

Manage Group Membership by Using Group Policy

It is also possible to control group memberships by using Group Policy. When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that changes made to the membership will be reversed during the next policy refresh.

To create Restricted Groups policies, use the following procedure.

1. From Server Manager, open the Group Policy Management Console, create a new GPO and link it to your domain.

2. Open the GPO in the Group Policy Management Editor and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder, as shown in Figure 5-23.

Figure 5-23. The Restricted Groups folder in the Group Policy object

3. Right-click the Restricted Groups folder and, from the shortcut menu, select Add Group to open the Add Group dialog box.

4. Type or browse to add a group object and click OK. The group appears in the Restricted Groups folder and a Properties sheet for the policy appears, as shown in Figure 5-24.

Figure 5-24. The Properties sheet for a Restricted Groups policy

5. Click one or both of the Add buttons to add objects that should be members of the group or other groups of which the group should be a member.

6. Click OK.

7. Close the Group Policy Management Editor and Group Policy Management consoles.

The members you specify for a group in a Restricted Groups policy are the only members permitted to remain in that group. The policy does not prevent administrators from modifying the group membership by using other tools, but the next time the system refreshes its group policy settings, the group membership list will be overwritten by the policy.
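Because a Restricted Groups policy silently overwrites a group's membership at the next refresh, it is worth reviewing exactly what a GPO will enforce before it is linked. The settings live in the GPO's GptTmpl.inf under a [Group Membership] section; the parser below, an added example that is not from the book, reads that section and reports the enforced Members and Memberof lists. The sample .inf text is constructed for illustration, and the S-1-5-21 domain SID in it is a placeholder.

```powershell
# Added example (not from the book): parse the [Group Membership] section of a GPO's
# GptTmpl.inf, which is where Restricted Groups settings are stored. Real file location:
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

function Resolve-PolicyPrincipal {
    # Tokens of the form "*S-1-5-..." are SIDs; anything else is already a DOMAIN\Name string.
    param([string]$Token)
    $t = $Token.Trim()
    if (-not $t.StartsWith('*')) { return $t }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($t.Substring(1))
    try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }   # unresolvable (deleted or foreign) principal: keep the raw SID
}

function ConvertFrom-RestrictedGroupsInf {
    # Returns one object per restricted group with its enforced Members and MemberOf lists.
    param([string[]]$Lines)
    $inSection = $false
    $policies  = [ordered]@{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $t) { continue }
        # Key format: "<group>__Members = a,b" or "<group>__Memberof = a,b"; lists may be empty.
        if ($t -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $m = $Matches
            $group = Resolve-PolicyPrincipal $m['group']
            if (-not $policies.Contains($group)) {
                $policies[$group] = [pscustomobject]@{ Group = $group; Members = @(); MemberOf = @() }
            }
            $values = @($m['list'] -split ',' | Where-Object { $_.Trim() } |
                        ForEach-Object { Resolve-PolicyPrincipal $_ })
            if ($m['kind'] -eq 'Members') { $policies[$group].Members  = $values }
            else                          { $policies[$group].MemberOf = $values }
        }
    }
    return $policies.Values
}

# Constructed sample: Administrators is restricted to one domain group (placeholder SID)
# plus ADATUM\Helpdesk, and ADATUM\Helpdesk is forced into Remote Desktop Users.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,ADATUM\Helpdesk
ADATUM\Helpdesk__Memberof = *S-1-5-32-555
ADATUM\Helpdesk__Members =
'@ -split "`r?`n"

ConvertFrom-RestrictedGroupsInf -Lines $sampleInf |
    Format-Table Group, @{ n = 'Members'; e = { $_.Members -join '; ' } },
                        @{ n = 'MemberOf'; e = { $_.MemberOf -join '; ' } } -AutoSize
```

An empty Members list in the policy is significant: it means every current member of that group will be removed at the next refresh.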

Managing Group Objects by Using Dsmod.exe

Dsmod.exe enables you to modify the properties of existing group objects from the Windows Server 2012 R2 command prompt. By using this program, you can perform tasks such as adding members to a group, removing them from a group, and changing a group's type and scope. The basic syntax for Dsmod.exe is as follows:

dsmod group <GroupDN> [parameters]

The most commonly used command-line parameters for Dsmod.exe are as follows:

▪ -secgrp yes|no. Sets the group type to security group (yes) or distribution group (no).

▪ -scope l|g|u. Sets the group scope to domain local (l), global (g), or universal (u).

▪ -addmbr <members>. Adds members to the group. Replace members with the DNs of one or more objects.

▪ -rmmbr <members>. Removes members from the group. Replace members with the DNs of one or more objects.

▪ -chmbr <members>. Replaces the complete list of group members. Replace members with the DNs of one or more objects.

For example, to add the Administrator user to the Guests group, you would use the following command:

dsmod group "CN=Guests,CN=Builtin,DC=adatum,DC=com" -addmbr "CN=Administrator,CN=Users,DC=adatum,DC=com"

Converting groups

As group functions change, you might need to change a group object's type. To change the type of a group, open the group's Properties sheet in the Active Directory Administrative Center or the Active Directory Users And Computers console. On the General tab, you can modify the Group Type option and click OK.

The process for changing the group's scope is the same, except that you select one of the Group Scope options on the General tab. The AD DS utilities only enable you to perform permissible scope changes. Table 5-1 lists the scope changes that are permitted.

Table 5-1. Active Directory Group Scope conversion restrictions

| From              | To Domain Local  | To Global                                                                           | To Universal                                                                              |
| From Domain Local | Not applicable   | Not permitted                                                                       | Permitted only when the domain local group does not have other domain local groups as members |
| From Global       | Not permitted    | Not applicable                                                                      | Permitted only when the global group is not a member of another global group              |
| From Universal    | No restrictions  | Permitted only when the universal group does not have other universal groups as members | Not applicable                                                                          |
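Table 5-1 expressed as a pre-check for scripted scope changes, as an added example that is not from the book: the pure decision function encodes the table, and the wrapper reads the group's nested members and parent groups from the directory before calling Set-ADGroup. The group name in the usage line is an assumption.

```powershell
# Added example (not from the book): enforce Table 5-1 before Set-ADGroup -GroupScope so a
# scripted conversion fails with the table's reason instead of a generic directory error.
Import-Module ActiveDirectory

function Test-GroupScopeChange {
    # Returns $null when the change is permitted, otherwise the reason it is blocked.
    # $MemberScopes: scopes of the group's direct group members.
    # $MemberOfScopes: scopes of the groups this group is a member of.
    param(
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$From,
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$To,
        [string[]]$MemberScopes   = @(),
        [string[]]$MemberOfScopes = @()
    )
    if ($From -eq $To) { return "group is already $To" }
    switch ("$From->$To") {
        'DomainLocal->Global' { return 'domain local to global is never permitted' }
        'Global->DomainLocal' { return 'global to domain local is never permitted' }
        'DomainLocal->Universal' {
            if ($MemberScopes -contains 'DomainLocal') { return 'group has domain local groups as members' }
        }
        'Global->Universal' {
            if ($MemberOfScopes -contains 'Global') { return 'group is a member of another global group' }
        }
        'Universal->Global' {
            if ($MemberScopes -contains 'Universal') { return 'group has universal groups as members' }
        }
        'Universal->DomainLocal' { }   # no restrictions
    }
    return $null
}

function Convert-ADGroupScope {
    param(
        [string]$Identity,
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$To
    )
    $group = Get-ADGroup -Identity $Identity
    # Scopes of nested group members (users and computers are irrelevant to the table).
    $memberScopes = @(Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })
    # Scopes of the groups this group belongs to.
    $memberOfScopes = @(Get-ADPrincipalGroupMembership -Identity $group |
        ForEach-Object { $_.GroupScope.ToString() })
    $reason = Test-GroupScopeChange -From $group.GroupScope.ToString() -To $To `
        -MemberScopes $memberScopes -MemberOfScopes $memberOfScopes
    if ($reason) { throw "Cannot convert $($group.Name) to $To`: $reason" }
    Set-ADGroup -Identity $group -GroupScope $To
}

# Usage (assumed group name): Convert-ADGroupScope -Identity 'Sales' -To Universal
```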

Deleting a group

As with user objects, each group object that you create in AD DS has a unique, non-reusable SID. Windows Server 2012 R2 uses the SID to identify the group and the permissions assigned to it.

When you delete a group, Windows Server 2012 R2 does not use the same SID for that group again, even if you create a new group with the same name as the one you deleted. Therefore, you cannot restore the access permissions you assigned to resources by re-creating a deleted group object. You must add the newly re-created group as a security principal in the resource's access control list (ACL) again.

When you delete a group, you delete only the group object and the permissions and rights specifying that group as the security principal. Deleting a group does not delete the objects that are members of the group.
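The practical consequence of the non-reusable SID is that the deleted group's ACEs remain on every resource as unresolvable SIDs. The audit below, an added example that is not from the book, lists those orphaned ACEs on a folder tree so access can be re-granted to the re-created group and the stale entries removed; the folder path is an assumption.

```powershell
# Added example (not from the book): find and remove ACEs whose SID no longer resolves,
# which is what a deleted group leaves behind. Record a group's SID before deleting it
# so the orphans can be attributed later, e.g. (Get-ADGroup -Identity 'Sales').SID.Value

function Get-OrphanedAce {
    # Emits one object per explicit ACE on $Path (and everything below it) whose SID
    # cannot be translated to an account name.
    param([string]$Path)
    $items  = @(Get-Item -LiteralPath $Path)
    $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for raw SIDs (explicit ACEs only, so each orphan is reported where it was set)
        # and attempt the name lookup ourselves.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            try {
                $null = $sid.Translate([System.Security.Principal.NTAccount])
                continue                      # resolves: a live principal, keep it
            }
            catch [System.Security.Principal.IdentityNotMappedException] { }
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $sid.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
    }
}

function Remove-OrphanedAce {
    # Purges every explicit ACE for each orphaned SID; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    foreach ($orphan in Get-OrphanedAce -Path $Path) {
        $acl = Get-Acl -LiteralPath $orphan.Path
        $sid = New-Object System.Security.Principal.SecurityIdentifier($orphan.Sid)
        $acl.PurgeAccessRules($sid)
        if ($PSCmdlet.ShouldProcess($orphan.Path, "remove ACEs for $($orphan.Sid)")) {
            Set-Acl -LiteralPath $orphan.Path -AclObject $acl
        }
    }
}

# Usage (assumed path): review first, then clean up.
Get-OrphanedAce -Path 'D:\Shares\EnterpriseDB' | Format-Table -AutoSize
Remove-OrphanedAce -Path 'D:\Shares\EnterpriseDB' -WhatIf
```

Re-grant the re-created group's permissions before purging, since the orphaned ACE is the only record of which rights the old group held.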

THOUGHT EXPERIMENT: CREATING GROUPS

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

The enterprise network for the Fabrikam Corporation consists of a forest root domain called fabrikam.com and two child domains called east.fabrikam.com and west.fabrikam.com. There are four department managers with user accounts in the fabrikam.com domain and two each in the east.fabrikam.com and west.fabrikam.com domains. Each of the three domains has a global group with the domain's managers as members. You want all of the members of these groups to be able to access a common set of resources in the fabrikam.com domain, while still segregating the managers' abilities to access resources in domains other than their own. How should you configure the groups to provide the desired functionality?

Objective summary

▪ Adding OUs to your Active Directory hierarchy is easier than adding domains; you don't need additional hardware, and you can easily move or delete an OU as necessary.

▪ When you want to grant a collection of users permission to access a network resource, such as a file system share or a printer, you cannot assign permissions to an OU; you must use a security group instead. Although they are container objects, groups are not part of the Active Directory hierarchy in the same way that domains and OUs are.

▪ Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.

▪ Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.

▪ In Active Directory, there are two types of groups: security and distribution. There are also three group scopes: domain local, global, and universal.

▪ Group nesting is the term used when groups are added as members of other groups.

▪ It is possible to control group memberships by using Group Policy. When you create Restricted Groups policies, you can specify the membership for a group and enforce it.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following groups are used to consolidate groups and accounts that span either multiple domains or the entire forest?

a. Global

b. Domain local

c. Built-in

d. Universal

2. Which of the following is not a correct reason for creating an OU?

a. To create a permanent container that cannot be moved or renamed

b. To duplicate the divisions in your organization

c. To delegate administration tasks

d. To assign different Group Policy settings to a specific group of users or computers

3. Which of the following group scope modifications are never permitted? (Choose all that apply.)

a. Global to universal

b. Global to domain local

c. Universal to global

d. Domain local to universal

4. In a domain running at the Windows Server 2012 R2 domain functional level, which of the following security principals can be members of a global group? (Choose all that apply.)

a. Users

b. Computers

c. Universal groups

d. Global groups

5. You are attempting to delete a global security group in the Active Directory Users And Computers console but the console will not let you complete the task. Which of the following could possibly be causes for the failure? (Choose all that apply.)

a. There are still members in the group.

b. One of the group's members has the group set as its primary group.

c. You do not have the proper permissions for the container in which the group is located.

d. You cannot delete global groups from the Active Directory Users And Computers console.

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 5.1: Thought experiment

Robert should install Active Directory on a domain controller in the New York headquarters, creating a forest root domain called hq.inside.litware.com. Because the London office is well connected, but lacks its own IT staff, he can install a read-only domain controller for the hq.inside.litware.com domain there, so that the London users can authenticate by using a local domain controller. For the Tokyo office, which is not as well connected and has its own IT staff, the design should call for two domain controllers hosting a separate domain in the same forest, called tokyo.inside.litware.com. This will provide the Tokyo users with local domain controller access and minimize the amount of replication traffic passing over the demand-dial link between the New York and Tokyo offices.

Objective 5.1: Review

1. Correct answer: A

a. Correct: In AD DS, you can subdivide a domain into OUs and populate it with objects, but you cannot create domains within OUs.

b. Incorrect: A site can contain multiple domains.

c. Incorrect: A tree can contain multiple domains.

d. Incorrect: A forest can contain multiple domains.

2. Correct answers: B, D

a. Incorrect: There is no object class called resource.

b. Correct: There are two basic classes of objects: container objects and leaf objects. A leaf object cannot have subordinate objects.

c. Incorrect: A domain is a specific object type, not a general classification.

d. Correct: There are two basic classes of objects: container objects and leaf objects. A container object is one that can have other objects subordinate to it.

3. Correct answer: C

a. Incorrect: Some attributes are created automatically, whereas administrators must supply information for other attributes manually.

b. Incorrect: A container object has, as one of its attributes, a list of all the other objects it contains.

c. Correct: Leaf objects have attributes that contain information about the specific resource the object represents.

d. Incorrect: Some attributes are created automatically, such as the globally unique identifier (GUID) that the domain controller assigns to each object when it creates it.

4. Correct answer: D

a. Incorrect: Each domain in an Active Directory installation is a separate administrative entity. The more domains you create, the greater the number of ongoing administration tasks you have to perform.

b. Incorrect: Every domain requires its own domain controllers, so each additional domain you create increases the overall hardware and maintenance costs of the deployment.

c. Incorrect: Applications might have problems working in a multidomain forest.

d. Correct: No special Microsoft licenses are needed for domains.

5. Correct answer: B

a. Incorrect: DNS is used for searches within a domain.

b. Correct: To locate an object in another domain, Active Directory clients perform a search of the global catalog first. This search provides the client with the information it needs to search for the object in the specific domain that contains it.

c. Incorrect: DHCP does not provide search capabilities.

d. Incorrect: Site link objects do not provide search capabilities.

Objective 5.2: Thought experiment

Correct answer: D. Answer A is incorrect because the user command is missing and because the user's name is not expressed in distinguished name (DN) format. Answer B is incorrect because the command-line variables containing spaces are not surrounded by quotation marks. Answer C is incorrect because the user command is missing and because the -company and -dept parameters appear before the DN.

Objective 5.2: Review

1. Correct answer: B

a. Incorrect: Dcpromo, now deprecated in Windows Server 2012 R2, is a tool used to promote and demote Active Directory domain controllers.

b. Correct: Like CSVDE.exe, the LDAP Data Interchange Format Directory Exchange (LDIFDE.exe) utility can be used to import or export Active Directory information. It can be used to add, delete, or modify objects in Active Directory, in addition to modifying the schema, if necessary.

c. Incorrect: CSVDE.exe can create Active Directory objects from information in CSV files, but it cannot modify existing objects.

d. Incorrect: NSLOOKUP is a DNS name resolution utility. It cannot create AD DS objects.

2. Correct answer: B

a. Incorrect: The first line of the CSV file is the header record, not the header row.

b. Correct: The CSVDE command-line utility enables an administrator to import or export AD DS objects. It uses a .csv file that is based on a header record, which describes each part of the data. A header record is just the first line of the text file that uses proper attribute names.

c. Incorrect: The first line of the CSV file is the header record, not the name row.

d. Incorrect: The first line of the CSV file is the header record, not the name record.

3. Correct answer: C

a. Incorrect: You cannot perform an offline domain join by using the net join command.

b. Incorrect: You cannot perform an offline domain join by using the join command.

c. Correct: You can perform an offline domain join on a computer running Windows Server 2012 R2 by using the Djoin.exe utility.

d. Incorrect: You cannot perform an offline domain join by using the dconnect command.

4. Correct answer: C

a. Incorrect: Local accounts can be created and configured in Windows Server 2012 R2.

b. Incorrect: Domain accounts can be created and configured in Windows Server 2012 R2.

c. Correct: There are three types of user accounts in Windows Server 2012 R2: local accounts, domain accounts, and built-in user accounts.

d. Incorrect: Built-in accounts can be configured, but not created in Windows Server 2012 R2.

5. Correct answers: C, D

a. Incorrect: There is no Network account in Windows Server 2012 R2.

b. Incorrect: There is no Interactive account in Windows Server 2012 R2.

c. Correct: By default, the two built-in user accounts created on a computer running Windows Server 2012 R2 are the Administrator account and the Guest account.

d. Correct: By default, the two built-in user accounts created on a computer running Windows Server 2012 R2 are the Administrator account and the Guest account.

Objective 5.3: Thought experiment

Correct answer: Create a universal group in the fabrikam.com domain and add all three global groups to this universal group. Then create a domain local group in the fabrikam.com domain and add the universal group to this domain local group. Finally, assign the permissions needed to access the common resources to the domain local group.

Objective 5.3: Review

1. Correct answer: D

a. Incorrect: Global groups cannot contain users from other domains.

b. Incorrect: Domain local groups cannot have permissions for resources in other domains.

c. Incorrect: Built-in groups have no inherent cross-domain qualities.

d. Correct: Universal groups, like global groups, are used to organize users according to their resource access needs. You can use them to organize users to facilitate access to any resource located in any domain in the forest through the use of domain local groups. Universal groups are used to consolidate groups and accounts that span either multiple domains or the entire forest.

2. Correct answer: A

a. Correct: The reasons for creating an OU include duplicating organizational divisions, assigning Group Policy settings, and delegating administration. You can easily move or rename an OU as necessary.

b. Incorrect: Duplicating organizational divisions is a viable reason for creating an OU.

c. Incorrect: Delegating administration tasks is a viable reason for creating an OU.

d. Incorrect: Assigning Group Policy settings is a viable reason for creating an OU.

3. Correct answer: B

a. Incorrect: Global to universal group conversions are sometimes permitted.

b. Correct: Global to domain local group conversions are never permitted.

c. Incorrect: Universal to global group conversions are sometimes permitted.

d. Incorrect: Domain local to universal group conversions are sometimes permitted.

4. Correct answers: A, B, D

a. Correct: Users can be security principals in a global group.

b. Correct: Computers can be security principals in a global group.

c. Incorrect: Universal groups cannot be security principals in a global group.

d. Correct: Global groups can be security principals in a global group.

5. Correct answers: B, C

a. Incorrect: It is possible to delete a group that has members.

b. Correct: If any member sets the group as its primary group, then the system does not permit the group to be deleted.

c. Correct: You must have the appropriate Active Directory permissions for the container in which the group is located to delete it.

d. Incorrect: It is possible to delete groups by using the Active Directory Users and Groups console.

Chapter 6. Creating and managing Group Policy

Group Policy is a mechanism for controlling and deploying operating system settings to computers all over your network. Group Policy consists of user and computer settings for the various Microsoft Windows operating systems, which the systems implement during computer startup and shutdown and user logon and logoff. You can configure one or more Group Policy Objects (GPOs) and then use a process called linking to associate them with specific Active Directory Domain Services (AD DS) objects. When you link a GPO to a container object, all the objects in that container receive the settings you configured in the GPO. You can link multiple GPOs to a single AD DS container or link one GPO to multiple containers throughout the AD DS hierarchy.

This chapter covers some of the fundamental tasks that administrators perform to create and deploy Group Policy settings.

Objectives in this chapter:

▪ Objective 6.1: Create Group Policy Objects (GPOs)

▪ Objective 6.2: Configure security policies

▪ Objective 6.3: Configure application restriction policies

▪ Objective 6.4: Configure Windows Firewall

Objective 6.1: Create Group Policy Objects

Although the name Group Policy Object implies that policies are linked directly to groups, this is not the case. GPOs can be linked to sites, domains, and organizational units (OUs) to apply settings to all users and computers within AD DS containers. However, an advanced technique named security filtering enables you to apply GPO settings to one or more users or groups within a container by selectively granting the Apply Group Policy and Read permissions to one or more users or security groups.

The administrative benefits of GPOs are probably their greatest contribution to network efficiency. Administrators find that Group Policy implementation helps them achieve centralized management. The following list identifies administrative benefits to Group Policy implementation:

▪ Administrators have control over centralized configuration of user settings, application installation, and desktop configuration.

▪ Centralized administration of user files eliminates the need for and cost of trying to recover files from a damaged drive.

▪ The need to manually make security changes on each computer is reduced by the automated, rapid deployment of new settings through Group Policy.

NOTE

This objective covers how to:

▪ Configure a Central Store

▪ Manage starter GPOs

▪ Configure GPO links

▪ Configure multiple local group policies

▪ Configure security filtering

Understanding Group Policy Objects

GPOs contain all the Group Policy settings that administrators wish to deploy to user and computer objects within a domain, site, or OU. To deploy a GPO, an administrator must associate it with a container. This association is achieved by linking the GPO to the desired AD DS domain, site, or OU object. Administrative tasks for Group Policy include creating GPOs, specifying where to store them, and managing the AD DS links.

There are three types of GPOs: local GPOs, nonlocal GPOs, and starter GPOs.

Local GPOs (LGPOs)

All Windows operating systems have support for local GPOs, sometimes known as LGPOs. Windows versions since Windows Server 2008 R2 and Windows Vista can support multiple local GPOs. This support enables administrators to specify a different local GPO for administrators and to create specific GPO settings for one or more local users configured on a workstation. This ability is particularly valuable for computers in public locations such as libraries and kiosks, when they are not part of an Active Directory infrastructure. Older Windows releases can support only one local GPO and the settings in that local GPO apply to all users who log on to the computer.

Local GPOs contain fewer options than domain GPOs. They do not support folder redirection or Group Policy software installation. Fewer security settings are available. When a local and a nonlocal (Active Directory–based) GPO have conflicting settings, the nonlocal GPO settings overwrite the local GPO settings.

Nonlocal GPOs

Nonlocal GPOs are created in AD DS and linked to sites, domains, and OUs. Once linked to a container, the settings in the GPO are applied to all users and computers within that container by default.

1046/1537

Starter GPOs

Starter GPOs were introduced in WindowsServer 2008. A starter GPO is essentially atemplate for the creation of domain GPOsbased on a standard collection of settings.When you create a new GPO from a starterGPO, all the settings in the starter GPO areautomatically copied to the new GPO as its de-fault settings.

Configuring a Central Store

In Windows Server 2008 and Windows Vista, Microsoft replaced the token-based administrative template (ADM) files used with previous versions of Group Policy with an XML-based file format (ADMX). Administrative templates are the files defining the registry-based settings that appear in GPOs.

Earlier Windows versions created a copy of the ADM files for each GPO administrators created and placed them in the SYSVOL volume of a domain controller. A large Active Directory installation could easily have dozens of GPOs and each copy of the ADM files required 4 MB of storage. The result was a condition called SYSVOL bloat, in which there were hundreds of megabytes of redundant information stored on SYSVOL volumes, which had to be replicated to all the domain controllers for the domain.

To address this problem, Group Policy tools can now access the ADMX files from a Central Store, a single copy of the ADMX files stored on domain controllers. To use a Central Store, you must create the appropriate folder in the SYSVOL volume on a domain controller.

By default, tools such as the Group Policy Management Console (GPMC) save the ADMX files to the %systemroot%\PolicyDefinitions folder, which on most computers is C:\Windows\PolicyDefinitions. To create a Central Store, you must copy the entire PolicyDefinitions folder to the same location as the Group Policy templates; that is, %systemroot%\SYSVOL\sysvol\<domain name>\Policies on a domain controller, or, in universal naming convention (UNC) notation, \\<domain name>\SYSVOL\<domain name>\Policies.
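The copy described above, done from Windows PowerShell on a domain controller, as an added example that is not part of the book. It assumes an elevated session on a writable domain controller (the ActiveDirectory module is present there, so Get-ADDomain resolves the domain name) and uses the SYSVOL path the text gives; the verification at the end only counts files and lists the language folders.

```powershell
# Added example (not from the book): build the Group Policy Central Store by
# copying the local PolicyDefinitions folder into SYSVOL on a domain controller.
# Assumes an elevated session on a writable DC. SYSVOL replication then carries
# the folder to every other domain controller; you copy it only once.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) {
    throw "Local PolicyDefinitions folder not found: $source"
}

if (Test-Path $central) {
    Write-Warning "Central Store already exists at $central; files with the same name will be overwritten."
} else {
    New-Item -Path $central -ItemType Directory | Out-Null
}

# Copy every ADMX file plus the language subfolders (for example en-US) that hold
# the matching ADML files; without the ADML files the editor cannot render the settings.
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Verify: compare the ADMX counts on both sides and list the language folders present.
$admxLocal   = (Get-ChildItem -Path $source  -Filter *.admx).Count
$admxCentral = (Get-ChildItem -Path $central -Filter *.admx).Count
$languages   = (Get-ChildItem -Path $central -Directory | Select-Object -ExpandProperty Name) -join ', '
'{0} ADMX files local, {1} in the Central Store; language folders: {2}' -f $admxLocal, $admxCentral, $languages
```

Once the folder exists, the Group Policy Management Editor reads templates from it instead of the local folder; the Administrative Templates node then reports that its policy definitions were retrieved from the central store. Keep the Central Store current when you install newer ADMX files, because the editor no longer consults the local copy.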

Using the Group PolicyManagement Console

The Group Policy Management Console is the Microsoft Management Console (MMC) snap-in that administrators use to create GPOs and manage their deployment to AD DS objects. The Group Policy Management Editor is a separate snap-in that opens GPOs and enables you to modify their settings.

There are several different ways of working with these two tools, depending on what you want to accomplish. You can create a GPO and then link it to a domain, site, or OU, or you can create and link a GPO in a single step. Windows Server 2012 R2 implements the tools as the Group Policy Management feature and installs them automatically with the AD DS role. You can install the feature manually on a member server by using the Add Roles And Features Wizard in Server Manager. The Group Policy Management tools are also included in the Remote Server Administration Tools package for Windows workstations.

Creating and linking nonlocal GPOs

If you decide to leave the default Windows GPOs unaltered, the first steps in deploying your own customized Group Policy settings are to create one or more new GPOs and link them to appropriate AD DS objects.

To use the Group Policy Management Console to create a new GPO and link it to an OU object in AD DS, use the following procedure.

1. Open the Active Directory Administrative Center and create an OU called Sales in your domain.

2. In Server Manager, from the Tools menu, select Group Policy Management. The Group Policy Management Console appears, as shown in Figure 6-1.

Figure 6-1. The Group Policy Management Console

3. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.

4. Right-click the Group Policy Objects folder and, from the shortcut menu, select New. The New GPO dialog box appears.

5. In the Name text box, type a name for the new GPO and click OK. The new GPO appears in the Contents list.

6. In the left pane, right-click the domain, site, or OU object to which you want to link the new GPO and, from the shortcut menu, select Link An Existing GPO. The Select GPO dialog box appears.

7. Select the GPO you want to link to the object and click OK. The GPO appears on the object’s Linked Group Policy Objects tab, as shown in Figure 6-2.

Figure 6-2. The Linked Group Policy Objects tab

8. Close the Group Policy Management Console.

You can also create and link a GPO to an Active Directory container in a single step, by right-clicking an object and selecting Create A GPO In This Domain And Link It Here from the shortcut menu.

If you link a GPO to a domain object, it applies to all users and computers in the domain. On a larger scale, if you link a GPO to a site that contains multiple domains, the Group Policy settings are applied to all the domains and the child objects beneath them. This process is referred to as GPO inheritance.

Using security filtering

Linking a GPO to a container causes all the users and computers in that container to receive the GPO settings by default. This is because creating the link grants the Read and Apply Group Policy permissions for the GPO to the users and computers in the container.

More precisely, the system grants the permissions to the Authenticated Users special identity, which includes all the users and computers in the domain. However, by using a technique named security filtering, you can modify the default permission assignments so that only certain users and computers receive the permissions and, consequently, the settings in the GPO.

To modify the default security filtering configuration for a GPO, select it in the left pane of the Group Policy Management Console, as shown in Figure 6-3. In the Security Filtering area, you can use the Add button or the Remove button to replace the Authenticated Users special identity with specific user, computer, or group objects. Of the users and computers in the container to which the GPO is linked, only those you select in the Security Filtering pane will receive the settings from the GPO.

Figure 6-3. Security filtering in the Group Policy Management Console

Managing starter GPOs

Starter GPOs are essentially templates that you can use to create multiple GPOs with the same set of baseline Administrative Templates settings. You create and edit starter GPOs just as you would any other GPO. In the Group Policy Management Console, you right-click the Starter GPOs folder and, from the shortcut menu, select New to create a blank starter GPO. You can then open the starter GPO in the Group Policy Management Editor and configure any settings you want to carry over to the new GPOs you create from it.

USING STARTER GPOS

When you view the Starter GPOs node in the Group Policy Management Console for the first time, a message appears, prompting you to create the Starter GPOs folder by clicking a button.

Once you have created and edited your starter GPOs, you can create new GPOs from them in multiple ways. You can right-click a starter GPO and select New GPO From Starter GPO from the shortcut menu, or you can create a new GPO in the usual manner described earlier and select the starter GPO you want to use in the Source Starter GPO drop-down list. You can also use the New-GPO cmdlet in Windows PowerShell. This copies the settings from the starter GPO to the new GPO, which you can continue to edit from there.
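The three operations covered so far (creating a GPO and linking it to the Sales OU, seeding it from a starter GPO with New-GPO, and replacing the default Authenticated Users security filtering) as one Windows PowerShell sequence. This is an added example, not code from the book; the domain contoso.local, the starter GPO "Baseline Desktop", the group "Sales Staff" and the GPO name are placeholders, and the GroupPolicy module is assumed to be installed with the Group Policy Management feature.

```powershell
# Added example (not from the book): create a GPO from a starter GPO, link it to
# the Sales OU, and narrow security filtering to one group.
# Placeholders: domain contoso.local, starter GPO "Baseline Desktop",
# group "Sales Staff". Run in an elevated session with the GroupPolicy module.
Import-Module GroupPolicy

$domain  = 'contoso.local'
$ouPath  = 'OU=Sales,DC=contoso,DC=local'
$gpoName = 'Sales Desktop Settings'

# 1. Create the GPO; -StarterGpoName copies the starter GPO's settings into it.
$gpo = New-GPO -Name $gpoName -StarterGpoName 'Baseline Desktop' -Domain $domain
'Created GPO {0} with ID {1}' -f $gpo.DisplayName, $gpo.Id

# 2. Link it to the OU. Link order 1 is processed last among the links on this
#    OU, so it has the highest precedence there.
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes -Order 1 -Domain $domain | Out-Null

# 3. Security filtering. Grant Read + Apply Group Policy to the group, then lower
#    Authenticated Users from Apply to Read only (-Replace removes the old level
#    first). Read is kept deliberately so that every client can still enumerate
#    the GPO; only members of the group receive its settings.
Set-GPPermission -Name $gpoName -TargetName 'Sales Staff' -TargetType Group `
    -PermissionLevel GpoApply -Domain $domain | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace -Domain $domain | Out-Null

# 4. Verify: these trustees are what the Security Filtering pane in GPMC shows.
Get-GPPermission -Name $gpoName -All -Domain $domain |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission

# 5. Verify the link and its precedence on the OU.
(Get-GPInheritance -Target $ouPath -Domain $domain).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Step 3 is the command-line equivalent of removing Authenticated Users in the Security Filtering area and adding the group: the pane is only a view of the Apply Group Policy permission on the GPO's access control list, which is why a group that is not in the linked OU can appear there without receiving anything.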

Configuring Group Policysettings

Group Policy settings enable you to customize the configuration of a user’s desktop, environment, and security settings. The settings are divided into two subcategories: Computer Configuration and User Configuration. The subcategories are referred to as Group Policy nodes. A node is just a parent structure that holds all related settings. In this case, the node is specific to computer configurations and user configurations.

Group Policy nodes provide a way to organize the settings according to where they are applied. The settings you define in a GPO can be applied to client computers, users, or member servers and domain controllers. The application of the settings depends on the container to which you link the GPO. By default, all objects within the container to which you link the GPO are affected by the GPO’s settings.

The Computer Configuration and User Configuration nodes contain three subnodes, or extensions, that further organize the available Group Policy settings. Within the Computer Configuration and User Configuration nodes, the subnodes are as follows:

▪ Software Settings. The Software Settings folder located under the Computer Configuration node contains Software Installation settings that apply to all users who log on to a domain using any computer affected by the GPO. The Software Settings folder located under the User Configuration node contains Software Installation settings that are applied to all users designated by the Group Policy, regardless of the computer from which they log on.

▪ Windows Settings. The Windows Settings folder located under the Computer Configuration node contains security settings and scripts that apply to all users who log on to AD DS from that specific computer. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings, and scripts that apply to specific users.

▪ Administrative Templates. Windows Server 2012 R2 includes thousands of Administrative Template policies, which contain all registry-based policy settings. Administrative Templates are files with the .admx extension. They are used to generate the user interface for the Group Policy settings that you can set by using the Group Policy Management Editor.

To work with Administrative Template settings, you must understand the three different states of each policy setting. These three states are as follows:

▪ Not Configured. No modification to the registry from its default state occurs as a result of the policy. Not Configured is the default setting for the majority of GPO settings. When a system processes a GPO with Not Configured settings, the registry keys affected by the settings are not modified or overwritten, whatever their current value.

▪ Enabled. The policy function is explicitly activated in the registry, whatever its previous state.

▪ Disabled. The policy function is explicitly deactivated in the registry, whatever its previous state.

Understanding these states is critical when you are working with Group Policy inheritance and multiple GPOs. If a policy setting is disabled in the registry by default and you have a lower-priority GPO that explicitly enables that setting, you must configure a higher-priority GPO to disable the setting if you want to restore it to its default. Applying the Not Configured state will not change the setting, leaving it enabled.
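The three states seen at the registry level, as an added example not taken from the book. Administrative Template settings are stored in a GPO's Registry.pol file, which the GroupPolicy module exposes through Get-, Set- and Remove-GPRegistryValue. The example uses the policy Turn off AutoPlay (Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies), which writes the NoDriveTypeAutoRun value, 0xFF meaning all drives; the GPO name "Removable Media Lockdown" is a placeholder assumed to exist. One caveat stated in the code: the editor's Disabled choice writes whatever value the ADMX file defines for the disabled state, whereas -Disable records an explicit deletion; both are explicit entries, which is the point of contrast with Not Configured.

```powershell
# Added example (not from the book): how Not Configured, Enabled and an explicit
# off state look inside a GPO's Registry.pol for the policy "Turn off AutoPlay".
# The GPO name is a placeholder assumed to exist; needs the GroupPolicy module.
Import-Module GroupPolicy

$gpoName = 'Removable Media Lockdown'   # placeholder
$key     = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name    = 'NoDriveTypeAutoRun'

function Get-PolicyState {
    # Read the GPO's entry for the value and translate it into the editor's vocabulary.
    $entry = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -ErrorAction SilentlyContinue
    if (-not $entry) {
        return 'Not Configured: no entry in Registry.pol, the client registry is left as it is'
    }
    if ($entry.PolicyState -eq 'Delete') {
        return 'Explicit off state: the client deletes the value, overriding a lower-priority Enabled'
    }
    return ('Enabled: the client sets {0} = 0x{1:X}' -f $name, $entry.Value)
}

# Enabled: write the value the policy writes for "All drives".
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type DWord -Value 0xFF | Out-Null
Get-PolicyState

# Explicit off state: -Disable records a deletion entry. The editor's Disabled
# choice writes the ADMX-defined disabled value instead, but either way an
# explicit entry exists and wins over a lower-priority GPO that enabled the setting.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Disable | Out-Null
Get-PolicyState

# Not Configured: remove the entry entirely. Nothing is written on the client, so
# this does NOT undo an Enabled coming from another GPO in the processing order.
Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName $name | Out-Null
Get-PolicyState
```

Read the three outputs in order and the sentence in the text becomes concrete: only the second state produces an entry that can reverse what a lower-priority GPO wrote; the third state is an absence, and an absence overrides nothing.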


Creating multiple local GPOs

Computers that are members of an AD DS domain benefit from a great deal of flexibility when it comes to Group Policy configuration. Standalone (non–AD DS) systems can achieve some of that flexibility as long as they are running at least Windows Vista or Windows Server 2008 R2. These operating systems enable administrators to create multiple local GPOs that provide different settings for users, based on their identities.

Windows systems supporting multiple local GPOs have three layers of Group Policy support, as follows:

▪ Local Group Policy. Identical to the single local GPO supported by older operating system versions, the Local Group Policy layer consists of both computer settings and user settings and applies to all system users, administrative or not. This is the only local GPO that includes computer settings, so to apply Computer Configuration policies, you must use this GPO.

▪ Administrators and Nonadministrators Group Policy. This layer consists of two GPOs: one that applies to members of the local Administrators group and one that applies to all users who are not members of the local Administrators group. Unlike the Local Group Policy GPO, this layer does not include computer settings.

▪ User-specific Group Policy. This layer consists of GPOs that apply to specific local user accounts created on the computer. These GPOs can apply to individual users only, not to local groups. These GPOs also do not have computer configuration settings.

Windows applies the local GPOs in the order listed here. The Local Group Policy settings are applied first, then either the Administrators GPO or the Non-Administrators GPO, and, finally, any user-specific GPOs. As with nonlocal GPOs, the settings processed later can overwrite any earlier settings with which they conflict.

In the case of a system that is also a member of a domain, the three layers of local GPO processing come first, followed by the standard order of nonlocal Group Policy application.

To create local GPOs, you use the Group Policy Object Editor, which is an MMC snap-in provided on all Windows computers specifically for the management of local GPOs, as in the following procedure.

1. Open the Run dialog box and, in the Open text box, type mmc and click OK. An empty MMC console opens.

2. Click File, Add/Remove Snap-In to open the Add Or Remove Snap-Ins dialog box.

3. From the Available Snap-Ins list, select Group Policy Object Editor and click Add. The Select Group Policy Object page opens.

4. To create the local Group Policy GPO, click Finish. To create a secondary or tertiary GPO, click Browse. The Browse For A Group Policy Object dialog box opens.

5. Click the Users tab, as shown in Figure 6-4.

Figure 6-4. The Users tab of the Browse For A Group Policy Object dialog box

MULTIPLE LOCAL GPOS

Windows computers that do not support multiple local GPOs lack the Users tab in the Browse For A Group Policy Object dialog box. This includes domain controllers and computers running Windows versions prior to Windows Vista and Windows Server 2008 R2.

6. To create a secondary GPO, select either Administrators or Non-Administrators and click OK. To create a tertiary GPO, select a user and click OK. The GPO appears on the Select Group Policy Object page.

7. Click Finish. The snap-in appears in the Add Or Remove Snap-Ins dialog box.

8. Click OK. The snap-in appears in the MMC console.

9. Click File, Save As. A Save As combo box appears.

10. Type a name for the console to save it in the Administrative Tools program group.

11. Close the MMC console.

You can now open this console whenever you need to configure the settings in the GPO you created.

THOUGHT EXPERIMENT: IMPLEMENTING GROUP POLICY

In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

After a recent incident in which an employee left the company with a substantial amount of confidential data, the IT director has given Alice the task of implementing Group Policy settings that prevent all users except administrators and members of the Executives group from installing any USB devices.

Alice creates a GPO called Device Restrictions for this purpose and links it to the company’s single domain object. The GPO contains the following settings from the Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions folder:

▪ Allow administrators to override Device Installation Restriction policies–Enabled

▪ Prevent installation of devices not described by other policy settings–Enabled

What else must Alice do to satisfy the requirements of her assignment?

Objective summary

▪ Group Policy consists of user and computer settings that can be implemented during computer startup and user logon. These settings can be used to customize the user environment, to implement security guidelines, and to assist in simplifying user and desktop administration.

▪ In AD DS, Group Policies can be assigned to sites, domains, and OUs. By default, there is one local policy per computer. Local policy settings are overwritten by Active Directory policy settings.

▪ The Group Policy Management console is the tool used to create and modify GPOs and their settings.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following types of files do Group Policy tools access from a Central Store by default?

a. ADM files

b. ADMX files

c. Group Policy Objects

d. Security templates

2. Which of the following local GPOs takes precedence on a system with multiple local GPOs?

a. Local Group Policy

b. Administrators Group Policy

c. Non-Administrators Group Policy

d. User-specific Group Policy

3. Which of the following techniques can be used to apply GPO settings to a specific group of users in an OU?

a. GPO linking

b. Administrative templates

c. Security filtering

d. Starter GPOs

4. Which of the following statements best describes the function of a starter GPO?

a. A starter GPO functions as a template for the creation of new GPOs.

b. A starter GPO is the first GPO applied by all Active Directory clients.

c. A starter GPO uses a simplified interface for elementary users.

d. A starter GPO contains all the settings found in the default Domain Policy GPO.

5. When you apply a GPO with a value of Not Configured for a particular setting to a system on which that same setting is disabled, what is the result?

a. The setting remains disabled.

b. The setting is changed to Not Configured.

c. The setting is changed to Enabled.

d. The setting generates a conflict error.

Objective 6.2: Configure security policies

One of the primary aims of Group Policy is to provide centralized management of security settings for users and computers. Most of the settings that pertain to security are found in the Windows Settings folder within the Computer Configuration node of a GPO. You can use security settings to govern how users are authenticated to the network, the resources they are permitted to use, group membership policies, and events related to user and group actions recorded in the event logs. Policy settings in the Computer Configuration node apply to a computer; it does not matter who is logging on to it. There are more Computer Configuration security settings than settings you can apply to a specific user.

NOTE

This objective covers how to:

▪ Configure User Rights Assignment

▪ Configure Security Options settings

▪ Configure Security templates

▪ Configure Audit Policy

▪ Configure Local Users and Groups

▪ Configure User Account Control (UAC)

Defining local policies

Local policies enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if the system should track user activities in an event log. Tracking events that take place on the local computer, a process referred to as auditing, is another important part of monitoring and managing activities on a computer running Windows Server 2012 R2.

The Local Policies node of a GPO, found under Security Settings, has three subordinate nodes: Audit Policy, User Rights Assignment, and Security Options. As discussed in each of the following sections, keep in mind that local policies are local to a computer. When they are part of a GPO in Active Directory, they affect the local security settings of computer accounts to which the GPO is applied.

Planning and configuring an auditpolicy

The Audit Policy section of a GPO enables administrators to log successful and failed security events, such as logon events, account access, and object access. You can use auditing to track both user activities and system activities. Planning to audit requires that you determine the computers to be audited and the types of events you wish to track.

When you consider events to audit, such as account logon events, you must decide whether you wish to audit successful logon attempts, failed logon attempts, or both. Tracking successful events enables you to determine how often users access network resources. This information can be valuable when planning your resource usage and budgeting for new resources. Tracking failed events can help you determine when security breaches occur or are attempted. For example, if you notice frequent failed logon attempts for a specific user account, you might want to investigate further. The policy settings available for auditing are shown in Figure 6-5.

When an audited event occurs, Windows Server 2012 R2 writes an event to the security log on the domain controller or the computer where the event took place. If it is a logon attempt or other Active Directory–related event, the event is written to the domain controller. If it is a computer event, such as a floppy drive access, the event is written to the local computer’s event log.

Figure 6-5. Audit Policies in the default domain policy

You must decide which computers, resources, and events you want to audit. It is important to balance the need for auditing against the potential information overload that would be created if you audited every possible type of event. The following guidelines can help you to plan your audit policy:

▪ Audit only pertinent items. Determine the events you want to audit and consider whether it is more important to track successes or failures of these events. You should only plan to audit events that will help you gather network information.

▪ Archive security logs to provide a documented history. Keeping a history of event occurrences can provide you with documentation you can use to support the need for additional resources based on past usage.

▪ Configure the size of your security logs carefully. You need to plan the size of your security logs based on the number of events that you anticipate logging. You can configure the Event Log Policy settings under the Computer Configuration\Windows Settings\Security Settings\Event Log node of a GPO.

Implementation of your plan requires that you specify the categories to be audited and, if necessary, configure objects for auditing. To configure an audit policy, use the following procedure.

1. In Server Manager, on the Tools menu, select Group Policy Management to open the Group Policy Management console.

2. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.

3. Right-click the Default Domain Policy GPO and click Edit. A Group Policy Management Editor window for this policy opens.

4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies node and select Audit Policy. The audit policy settings appear in the right pane.

5. Double-click the Audit Policy setting you want to modify. The Properties sheet for the policy you chose opens, as shown in Figure 6-6.

Figure 6-6. The Properties sheet for a policy setting

6. Select the Define These Policy Settings check box.

7. Select the appropriate check boxes to audit Success, Failure, or both.

8. Click OK to close the setting’s Properties sheet.

9. Close the Group Policy Management Editor and the Group Policy Management console.

You have now configured an audit policy in the default domain policy GPO, which will be propagated to all the computers in the domain during the next policy refresh.
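What the policy produces once it has refreshed, as an added example that is not part of the book: first the audit settings actually in effect on a computer, then a summary of failed logons from the Security log, which is the pattern the text above suggests investigating. It assumes an elevated session on a computer that received the policy and that Audit logon events was set to record failures; the 24-hour lookback window is a placeholder.

```powershell
# Added example (not from the book): confirm the effective audit policy and
# summarise failed logons (Security event ID 4625) by target account.
# Assumes an elevated session; the lookback window is a placeholder.

# 1. Effective settings. The basic Audit Policy categories set in the GPO appear
#    here as the subcategories they map onto (for example Logon, Logoff, Account Lockout).
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Failed logons in the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $failed) {
    'No failed logons recorded since {0}' -f $since
    return
}

$failed |
    ForEach-Object {
        # Pull the named fields out of the event's XML rather than parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']      # 2 interactive, 3 network, 10 remote interactive
            Source    = $data['IpAddress']
            Status    = $data['Status']         # 0xC000006A bad password, 0xC0000064 unknown account
        }
    } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources';  e = { ($_.Group.Source | Select-Object -Unique) -join ', ' } },
        @{ n = 'Statuses'; e = { ($_.Group.Status | Select-Object -Unique) -join ', ' } }
```

Two caveats worth knowing when the output does not match the GPO. The basic Audit Policy node shown in Figure 6-5 is ignored on a computer where any Advanced Audit Policy Configuration subcategory is also defined, because the advanced settings take precedence by default; auditpol shows which of the two is in force. And failed domain logons are written on the domain controller that handled the attempt, so a summary taken on a member server shows only the attempts made against that server.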

Configuring objects for auditing is necessary when you have configured either of the two following event categories:

▪ Audit Directory Service Access. This event category logs user access to Active Directory objects, such as other user objects or OUs.

▪ Audit Object Access. This event category logs user access to files, folders, registry keys, and printers.

Each of these event categories requires additional setup steps, in which you open the Properties sheet for the object to be auditing and specify the security principals or the files and folders for which you want to audit access.
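The additional setup step for Audit Object Access on a folder, done from Windows PowerShell instead of the object's Properties sheet, as an added example that is not from the book. The step writes a system access control list (SACL) entry on the folder; without it, enabling the Audit Object Access category records nothing for that folder. It assumes the category is enabled in a GPO that applies to this computer and an elevated session (reading and writing a SACL needs the Manage auditing and security log right); the folder path and the audited principal are placeholders.

```powershell
# Added example (not from the book): add an audit (SACL) entry to a folder so that
# writes, deletions and permission or ownership changes under it are logged.
# Assumes Audit Object Access is enabled and an elevated session. Placeholders:
# the folder path and the trustee.
$folder  = 'D:\Confidential'     # placeholder
$trustee = 'Everyone'            # audit every principal; narrow to a group if preferred

$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# One audit rule covering the folder, its subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($trustee, $rights, $inherit, $prop, $flags)

# -Audit is what makes Get-Acl return (and Set-Acl write) the SACL rather than only the DACL.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Show the entries now in place. Matching access is then recorded in the Security
# log as event ID 4656 (handle requested) and 4663 (object accessed).
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The choice of rights is the part that deserves thought: auditing ReadData on a busy share fills the log with noise, while auditing Delete, ChangePermissions and TakeOwnership records exactly the actions that a data-exfiltration or tampering investigation needs, which is the balance the planning guidelines above ask for.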


AUDITING OPTIONS

Beginning in Windows Server 2008, new options became available for AD DS auditing that indicate that a change has occurred and provide the old value and the new value. For example, if you change a user’s description from Marketing to Training, the Directory Services Event Log will record two events containing the original value and the new value.

Assigning user rights

As shown in Figure 6-7, the User Rights Assignment settings in Windows Server 2012 R2 are extensive and include settings that pertain to rights users need to perform system-related tasks.

Figure 6-7. User Rights Assignment settings in a GPO

For example, a user logging on locally to a domain controller must have the Allow Log On Locally right assigned to his or her account or be a member of one of the following AD DS groups: Account Operators, Administrators, Backup Operators, Print Operators, or Server Operators.

These group memberships enable users to log on locally because Windows Server 2012 R2 assigns the Allow Log On Locally user right to those groups in the Default Domain Controllers Policy GPO by default.

Other similar settings included in this collection are related to user rights associated with system shutdown, taking ownership privileges of files or objects, restoring files and directories, and synchronizing directory service data.

Configuring security options

The Security Options node in a GPO, shown in Figure 6-8, includes security settings related to interactive logon, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior.

Figure 6-8. The Security Options node in a GPO

The Security Options category also includes options to configure authentication and communication security within Active Directory.

Using security templates

A security template is a collection of configuration settings stored as a text file with an .inf extension. Security templates can contain many of the same security parameters as GPOs. However, security templates present these parameters in a unified interface, enable you to save your configurations as files, and simplify the process of deploying them when and where they are needed.

The settings that you can deploy by using security templates include many of the security policies covered in this objective, including audit policies, user rights assignments, security options, event log policies, and restricted groups. By itself, a security template is a convenient way to configure the security of a single system. When you combine security templates with Group Policy or scripting, they enable administrators to maintain the security of networks consisting of hundreds or thousands of computers running various versions of Microsoft Windows.

By using these tools together, administrators can create complex security configurations and mix and match those configurations for each of the various roles computers serve in their organizations. When deployed across a network, security templates enable you to implement consistent, scalable, and reproducible security settings throughout the enterprise.

Using the Security Templates console

Security templates are plain text files that contain security settings in a variety of formats, depending on the nature of the individual settings. Although it is possible to work with security template files directly by using any text editor, Windows Server 2012 R2 provides a graphical interface that makes the job much easier.

To create and manage security templates, you use the Security Templates snap-in for MMC. You can also download and install the Security Compliance Manager (SCM) tool from the Microsoft website; this tool provides similar functionality plus a collection of system security baselines. By default, the Windows Server 2012 R2 Administrative Tools menu does not include an MMC containing the Security Templates snap-in, so you have to create one yourself by using the MMC Add Or Remove Snap-Ins dialog box. When you create a new template, the console provides an interface like the one shown in Figure 6-9.

Figure 6-9. The Security Templates snap-in

The left pane of the Security Templates snap-in points to a default folder in which the console stores the template files you create by default. The snap-in interprets any file in this folder with an .inf extension as a security template, even though the extensions do not appear in the console.

When you create a new template in the console, you see a hierarchical display of the policies in the template and their current settings. Many of the policies are identical to those in a GPO, both in appearance and function. You can modify the policies in each template just as you would those in a GPO.

Creating security templates

To create a new security template from scratch, use the following procedure.

1. Open the Run dialog box and, in the Open text box, type mmc and click OK. An empty MMC appears.

2. Click File, Add/Remove Snap-In to open the Add Or Remove Snap-Ins dialog box.

3. From the Available Snap-Ins list, select Security Templates and click Add. The snap-in appears in the Add Or Remove Snap-Ins dialog box.

4. Click OK. The snap-in appears in the MMC.

5. Click File, Save As. A Save As combo box appears.

6. Type a name for the console to save it in the Administrative Tools program group.

7. Expand the Security Templates node.

8. Right-click the security template search path and, from the shortcut menu, select New Template. A dialog box appears.

9. In the Template name field, type a name for the template and click OK. The new template appears in the console. Leave the console open.

When you create a blank security template, there are no policies defined in it. Applying the blank template to a computer will have no effect on it.

Working with security template settings

Security templates contain many of the same settings as GPOs, so you are already familiar with some of the elements of a template. For example, security templates contain the same local policy settings described earlier in this chapter; the templates are just a different way to configure and deploy those policies. Security templates also provide a means for configuring the permissions associated with files, folders, registry entries, and services.

Security templates have more settings than Local Computer Policy, because a template includes options for both standalone computers and computers that are participating in a domain.
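A security template written by hand in the same .inf format the Security Templates snap-in saves, then compared against the local computer with secedit, as an added example that is not from the book. It also serves the user rights discussion above: the Allow Log On Locally right appears in a template under its internal name SeInteractiveLogonRight, and BUILTIN\Administrators under its SID S-1-5-32-544. The working folder, the setting values and the template name are placeholders chosen for the example; the registry path and the section and key names are the ones the snap-in itself writes.

```powershell
# Added example (not from the book): write a minimal security template and run
# secedit /analyze against it. The folder and the values are placeholders.
$dir = 'C:\SecTemplates'             # placeholder working folder
New-Item -Path $dir -ItemType Directory -Force | Out-Null
$template = Join-Path $dir 'Baseline.inf'

# The snap-in saves templates as Unicode text; the sections below are the ones
# it uses for account policy, audit policy, user rights and security options.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Account Policies (values are placeholders)
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
; Audit Policy: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditObjectAccess = 2
[Privilege Rights]
; User Rights Assignment. SeInteractiveLogonRight is "Allow log on locally";
; *S-1-5-32-544 is BUILTIN\Administrators written as a SID.
SeInteractiveLogonRight = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
[Registry Values]
; Security Options: "Interactive logon: Do not display last user name" (4 = REG_DWORD)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@ | Set-Content -Path $template -Encoding Unicode

# Analyze only: compares the running configuration with the template and writes a
# report; nothing on the computer changes. The .sdb is the analysis database.
$db  = Join-Path $dir 'Baseline.sdb'
$log = Join-Path $dir 'Baseline.log'
secedit /analyze /db $db /cfg $template /log $log /quiet

# Print only the findings that need attention (lines reporting a mismatch or a
# setting the computer has not configured).
Get-Content -Path $log | Where-Object { $_ -match 'Mismatch|Not Configured' }

# To apply the template to this computer instead, which is what importing it into
# a GPO does for every computer the GPO reaches, run:
#   secedit /configure /db $db /cfg $template /log $log /quiet
```

Running the analysis before the import is the useful habit here: it shows which of the template's settings would change on a representative computer, and the Privilege Rights section in particular replaces the whole list of principals holding a right rather than adding to it, so a template that names only Administrators for SeInteractiveLogonRight removes the right from everyone else.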

Importing security templates intoGPOs

The simplest way to deploy a security templateon multiple computers simultaneously is toimport the template into a GPO. Once you im-port the template, the template settings be-come part of the GPO, and the network’s do-main controllers deploy them to all the com-puters affected by that GPO. As with anyGroup Policy deployment, you can link a GPOto any domain, site, or OU object in the ActiveDirectory tree. The settings in the GPO arethen inherited by all the container and leaf ob-jects subordinate to the object you selected.

1100/1537

To import a security template into a GPO, usethe following procedure.

1. In Server Manager, on the Tools menu,select Group Policy Management. TheGroup Policy Management consoleappears.

2. Expand the forest container and browseto your domain. Then expand the do-main container and select the GroupPolicy Objects folder. The GPOs thatcurrently exist in the domain appear onthe Contents tab.

3. Right-click the GPO into which you want to import the template and click Edit. A Group Policy Management Editor window for this policy opens.

4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings node. Right-click the Security Settings node and, from the shortcut menu, select Import Policy. The Import Policy From dialog box appears.

5. Browse to the security template file you want to import and click Open. The policy settings in the template are copied to the GPO.

6. Close the Group Policy Management Editor and Group Policy Management console.
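The same template file can also be checked against, and applied to, an individual computer with Secedit.exe, which is useful for verifying that a computer still matches the template after the GPO has been deployed. This is an added example, not code from the book; the folder and template file name (Baseline.inf) are assumptions.

```powershell
# Added example (not from the book). Assumes a template saved from the Security
# Templates snap-in at C:\SecurityTemplates\Baseline.inf; all paths are assumptions.
$TemplateDir = 'C:\SecurityTemplates'
$Reference   = Join-Path $TemplateDir 'Baseline.inf'   # the template to check against / apply
$Database    = Join-Path $TemplateDir 'Baseline.sdb'   # secedit's working database
$Log         = Join-Path $TemplateDir 'Baseline.log'

New-Item -ItemType Directory -Path $TemplateDir -Force | Out-Null

# 1. Save the computer's current settings as a template first, so that the state
#    before the change is kept as a rollback point.
secedit /export /cfg (Join-Path $TemplateDir 'Current.inf') /quiet

# 2. Analyze only. Nothing is changed; the log records every setting where the
#    computer differs from the template, which is the drift check you want to run
#    after a deployment.
secedit /analyze /db $Database /cfg $Reference /overwrite /log $Log /quiet
Select-String -Path $Log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# 3. Apply the template locally. On a domain member a GPO that carries the same
#    template will re-apply these settings at the next policy refresh anyway; on a
#    computer outside the GPO's scope this is how the template takes effect.
secedit /configure /db $Database /cfg $Reference /overwrite /log $Log /quiet
```

Run it from an elevated PowerShell session; secedit needs administrative rights to read and write the local security database.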

Configuring local users and groups

Windows Server 2012 R2 provides two separate interfaces for creating and managing local user accounts: the User Accounts control panel and the Local Users and Groups snap-in for MMC, which is included in the Computer Management console. Both of these interfaces provide access to the same Security Account Manager (SAM) where the user and group information is stored, so any changes you make using one interface will appear in the other.

Microsoft designed the User Accounts control panel and the Local Users And Groups snap-in for computer users with different levels of expertise, and they provide different degrees of access to the SAM, as follows:

▪ User Accounts. Provides a simplified interface with limited access to user accounts. By using this interface, you can create local user accounts and modify their basic attributes, but you cannot create groups or manage group memberships (except for that of the Administrators group).

▪ Local Users And Groups. Provides full access to local users and groups and all their attributes.

Using the User Accounts control panel

Windows Server 2012 R2 creates two local user accounts during the operating system installation process: the Administrator account and the Guest account. The setup program prompts the installer for an Administrator password during the installation, and the Guest account is disabled by default.

Once the installation process is completed, the system restarts. Because only the Administrator account is available, the computer logs on using that account. This account has administrative privileges, so at this point you can create additional user accounts or modify the existing ones.

CREATING LOCAL USERS

You can only create new user accounts in the control panel on Windows Server 2012 R2 computers that are part of a workgroup. When you join a computer to an AD DS domain, you must use the Local Users And Groups snap-in to create new local user accounts. Domain controllers have no local user or group accounts.

By default, the User Accounts control panel creates standard accounts. To grant a local user administrative capabilities, you must change the account type by using the interface shown in Figure 6-10.

Figure 6-10. The Change Account Type window

What the User Accounts control panel refers to as an account type is actually a group membership. Selecting the Standard option adds the user account to the local Users group, whereas selecting the Administrator option adds the account to the Administrators group.

Using the Local Users And Groups snap-in

By default, the Local Users And Groups snap-in is part of the Computer Management console. However, you can also load the snap-in by itself or create your own MMC with any combination of snap-ins you wish.

To create a local user account with the Local Users And Groups snap-in, use the following procedure.

1. In Server Manager, on the Tools menu, select Computer Management to open the Computer Management console.

2. Expand the Local Users And Groups node and click Users to view a list of the current local users.

3. Right-click the Users folder and, from the shortcut menu, select New User. The New User dialog box opens, as shown in Figure 6-11.

Figure 6-11. The New User dialog box

4. In the User Name text box, type the name you want to assign to the user account. This is the only required field in the dialog box.

5. Specify a Full Name and a Description for the account if desired.

6. In the Password text box and the Confirm Password text box, type a password for the account if desired.

7. Select or clear the four check boxes to control the following functions:

▪ User Must Change Password At Next Logon. Selecting this check box forces the new user to change the password after logging on for the first time.

▪ User Cannot Change Password. Selecting this check box prevents the user from changing the account password.

▪ Password Never Expires. Selecting this check box prevents the existing password from ever expiring.

▪ Account Is Disabled. Selecting this check box disables the user account, preventing anyone from using it to log on.

8. Click Create. The new account is added to the user list and the console clears the dialog box, leaving it ready for the creation of another user account.

9. Click Close.

10. Close the Computer Management console.

Creating a local group

To create a local group with the Local Users And Groups snap-in, use the following procedure.

1. In Server Manager, on the Tools menu, select Computer Management to open the Computer Management console.

2. Expand the Local Users and Groups node and click Groups to display a list of local groups.

3. Right-click the Groups folder and then, from the shortcut menu, select New Group. The New Group dialog box opens.

4. In the Group Name text box, type the name you want to assign to the group. This is the only required field in the dialog box. If desired, specify a Description for the group.

5. Click Add. The Select Users dialog box opens.

6. In the text box, type the names of the users whom you want to add to the group, separated by semicolons, and then click OK. The users are added to the Members list. You can also type part of a user name and click Check Names to complete the name, or click Advanced to search for users.

7. Click Create to create the group and populate it with the user(s) you specified. The console then clears the dialog box, leaving it ready for the creation of another group.

8. Click Close.

9. Close the Computer Management console.

Local groups have no user-configurable attributes other than a description and a members list, so the only modifications you can make when you open an existing group are supplying a description and adding and removing members. As noted earlier in this lesson, local groups cannot have other local groups as members, but if the computer is a member of a Windows domain, a local group can have domain users and domain groups as members.
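The two procedures above can be scripted against the same SAM through the ADSI WinNT provider, which also shows what the four check boxes in the New User dialog box actually set on the account. This is an added example, not code from the book; the account names, the group name and the descriptions are assumptions.

```powershell
# Added example (not from the book). Creates a local user with the options the New
# User dialog box offers, then a local group that contains it. Names are assumptions.

# The four check boxes map to bits in the account's UserFlags value and to the
# WinNT provider's PasswordExpired property.
$ADS_UF_ACCOUNTDISABLE     = 0x0002   # Account Is Disabled
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040   # User Cannot Change Password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # Password Never Expires

function New-LocalUserAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$FullName = '',
        [string]$Description = '',
        [switch]$MustChangePasswordAtNextLogon,
        [switch]$CannotChangePassword,
        [switch]$PasswordNeverExpires,
        [switch]$Disabled
    )
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $Name)
    # SetPassword needs the clear-text value; hold it only for the duration of the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $user.SetInfo()   # the account has to exist in the SAM before other attributes are written

    # Re-bind so that the property cache (including the current UserFlags) is populated.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    if ($FullName)    { $user.Put('FullName', $FullName) }
    if ($Description) { $user.Put('Description', $Description) }

    $flags = [int]$user.UserFlags.Value
    if ($Disabled)             { $flags = $flags -bor $ADS_UF_ACCOUNTDISABLE }
    if ($CannotChangePassword) { $flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE }
    if ($PasswordNeverExpires) { $flags = $flags -bor $ADS_UF_DONT_EXPIRE_PASSWD }
    $user.Put('UserFlags', $flags)

    # PasswordExpired = 1 is "User Must Change Password At Next Logon". It only makes
    # sense when the user is allowed to change the password and it can expire.
    if ($MustChangePasswordAtNextLogon -and -not ($CannotChangePassword -or $PasswordNeverExpires)) {
        $user.Put('PasswordExpired', 1)
    }
    $user.SetInfo()
    return $user
}

function New-LocalGroupWithMembers {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = '',
        [string[]]$Members = @()   # local user names, or DOMAIN\name for domain users and groups
    )
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $group = $computer.Create('Group', $Name)
    $group.SetInfo()
    if ($Description) { $group.Put('Description', $Description); $group.SetInfo() }
    foreach ($member in $Members) {
        # A local group can hold local users and domain principals, but not other local
        # groups, so a plain name is always resolved as a local user.
        $path = if ($member -like '*\*') {
            $domain, $account = $member -split '\\', 2
            "WinNT://$domain/$account"
        } else {
            "WinNT://$env:COMPUTERNAME/$member,user"
        }
        $group.Add($path)
    }
    return $group
}

# Usage with assumed names: an account that stays disabled until it is needed, placed
# in a group of its own so that rights can be granted to the group rather than the user.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password'
New-LocalUserAccount -Name 'svc-backup' -Password $initialPassword `
    -Description 'Backup agent' -PasswordNeverExpires -Disabled | Out-Null
New-LocalGroupWithMembers -Name 'Backup Agents' `
    -Description 'Accounts used by the backup agent' -Members 'svc-backup' | Out-Null
```

Because both functions write to the SAM, the changes appear immediately in the Local Users And Groups snap-in and in the User Accounts control panel.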

Understanding User Account Control (UAC)

One of the most common Windows security problems arises from the fact that many users perform their everyday computing tasks with more system access than they actually need. Logging on as an Administrator or as a user who is a member of the Administrators group grants the user full access to all areas of the operating system. This degree of system access is not necessary to run many of the applications and perform many of the tasks users require every day; it is needed only for certain administrative functions, such as installing system-wide software and configuring system parameters.

For most users, logging on with administrative privileges all the time is just a matter of convenience. Microsoft recommends logging on as a standard user and using administrative privileges only when you need them. However, many technical specialists who do this frequently find themselves encountering situations in which they need administrative access. There is a surprisingly large number of common, and even mundane, Windows tasks that require administrative access, and the inability to perform those tasks can negatively affect a user's productivity.

Microsoft decided to address this problem by keeping all Windows Server 2012 R2 users from accessing the system using administrative privileges unless those privileges are required to perform the task at hand. The mechanism that does this is called User Account Control (UAC).

Performing administrative tasks

When a user logs on to Windows Server 2012 R2, the system issues a token, which indicates the user's access level. Whenever the system authorizes the user to perform a particular activity, it consults the token to see if the user has the required privileges.

In versions of Windows prior to Windows Server 2008 and Windows Vista, standard users received standard user tokens and members of the Administrators group received administrative tokens. Every activity performed by an administrative user was therefore authorized using the administrative token, resulting in the problems described earlier.

On a computer running Windows Server 2012 R2 with UAC, a standard user still receives a standard user token, but an administrative user receives two tokens: one for standard user access and one for administrative user access. By default, the standard and administrative users both run using the standard user token most of the time.

When a standard user attempts to perform a task that requires administrative privileges, the system displays a credential prompt, as shown in Figure 6-12, requesting that the user supply the name and password for an account with administrative privileges.

Figure 6-12. A UAC credential prompt

When an administrator attempts to perform a task that requires administrative access, the system switches the account from the standard user token to the administrative token. This is known as Admin Approval Mode.

Before the system permits the user to employ the administrative token, it might require the user to confirm that he or she is actually trying to perform an administrative task. To do this, the system generates an elevation prompt, as shown in Figure 6-13. This confirmation prevents unauthorized processes, such as those initiated by malware, from accessing the system using administrative privileges.

Figure 6-13. A UAC elevation prompt


Using secure desktop

By default, whenever Windows Server 2012 R2 displays an elevation prompt or a credential prompt, it does so by using the secure desktop.

The secure desktop is an alternative to the interactive user desktop that Windows normally displays. When Windows Server 2012 R2 generates an elevation or credential prompt, it switches to the secure desktop, suppressing the operation of all other desktop controls and permitting only Windows processes to interact with the prompt. The object of this is to prevent malware from automating a response to the elevation or credential prompt and bypassing the human reply.

Configuring UAC

Windows Server 2012 R2 enables UAC by default, but it is possible to configure its properties and even to disable it completely. In Windows Server 2012 R2, there are four UAC settings available through the Action Center in Control Panel, as shown in Figure 6-14. The four settings are as follows:

▪ Always Notify Me

▪ Notify Me Only When Apps Try To Make Changes To My Computer

▪ Notify Me Only When Apps Try To Make Changes To My Computer (Do Not Dim My Desktop)

▪ Never Notify Me


Figure 6-14. The User Account Control Settings dialog box

Although the Control Panel provides some control over UAC, the most granular control over UAC properties is through the Security Options node in Group Policy and Local Security Policy.
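Both the Action Center slider and the Security Options policies end up in the same registry values, so reading those values is the quickest way to tell which of the four levels a computer is actually running at, and to spot computers where UAC or the secure desktop has been turned off. This is an added example, not code from the book; the reporting layout is an assumption.

```powershell
# Added example (not from the book). Reads the UAC policy values and maps them to the
# four Action Center levels. Report format is an assumption.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([string]$Key = $UacKey)
    $p = Get-ItemProperty -Path $Key
    # Each value is written by one of the "User Account Control:" policies under
    # Security Options; absent values mean the Windows default applies.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $admin     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $user      = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = prompt for consent on
    # the secure desktop, 5 = prompt for consent for non-Windows binaries (default).
    $level = if ($enableLua -eq 0) {
        'UAC disabled by policy (EnableLUA=0); no Admin Approval Mode at all'
    } elseif ($admin -eq 0 -and $secure -eq 0) {
        'Never Notify Me'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        'Notify Me Only When Apps Try To Make Changes To My Computer (Do Not Dim My Desktop)'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        'Notify Me Only When Apps Try To Make Changes To My Computer'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        'Always Notify Me'
    } else {
        'Custom combination set through Security Options'
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        Level                      = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        # 0 = standard users are denied silently instead of seeing the credential prompt
        ConsentPromptBehaviorUser  = $user
        PromptOnSecureDesktop      = $secure
        SecureDesktopInUse         = ($enableLua -eq 1 -and $secure -eq 1)
    }
}

Get-UacLevel | Format-List
```

Anything other than the two "Notify Me Only" levels or "Always Notify Me" is worth a closer look, because it means elevation prompts are either suppressed or no longer shown on the secure desktop.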


THOUGHT EXPERIMENT: DEPLOYING SECURITY TEMPLATES

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

You are a network administrator planning a security template deployment on a network that consists of 100 workstations. The workstations are all running various versions of Microsoft Windows, broken down as follows:

▪ Windows 7: 30 workstations

▪ Windows XP Professional: 40 workstations

▪ Windows XP Home Edition: 20 workstations


▪ Windows 2000 Professional: 10 workstations

In the past, some computers on the network have been compromised because end users modified their workstation security configurations. Your task is to deploy your security templates on the workstations in such a way that end users cannot modify them. To accomplish this goal, you decide to use Group Policy to deploy the templates to an AD DS OU object that contains all of the workstations.

Based on the information provided, answer the following questions.

1. How many of the workstations cannot receive their security template settings from a GPO linked to an AD DS container?

2. Which of the following methods can you use to deploy your security templates on the workstations that do not support Group Policy, while still accomplishing your assigned goals?

▪ Upgrade all the computers that do not support Group Policy to Windows 7.

▪ Run the Security Templates snap-in on each computer and load the appropriate security template.

▪ Create a logon script that uses Secedit.exe to import the security template on each computer.

▪ Run the Security Configuration and Analysis snap-in on each computer and use it to import the appropriate security template.

Objective summary

▪ Most security-related settings are found within the Windows Settings node of the Computer Configuration node of a GPO.

▪ Local policy settings govern the actions users can perform on a specific computer and determine if the actions are recorded in an event log.

▪ Auditing can be configured to audit successes, failures, or both.

▪ Administrators can use security templates to configure local policies, group memberships, event log settings, and other policies.

▪ When a standard user attempts to perform a task that requires administrative privileges, the system displays a credential prompt, requesting that the user supply the name and password for an account with administrative privileges.

▪ User Account Control is enabled by default in all Windows Server 2012 R2 installations, but it is possible to configure its properties and even to disable it completely.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following tools are used to deploy the settings in a security template to all the computers in an AD DS domain?

a. Active Directory Users and Computers

b. Security Templates snap-in

c. Group Policy Object Editor

d. Group Policy Management console

2. Which of the following are local groups to which you can add users with the Windows Control Panel? (Choose all that apply.)

a. Users

b. Power Users

c. Administrators

d. Non-Administrators


3. Which of the following tools are used to modify the settings in a security template?

a. Active Directory Users and Computers

b. Security Templates snap-in

c. Group Policy Object Editor

d. Group Policy Management console

4. The built-in local groups on a server running Windows Server 2012 R2 receive their special capabilities through which of the following mechanisms?

a. Security options

b. Windows Firewall rules

c. NTFS permissions


d. User rights

5. After configuring and deploying the Audit Directory Service Access policy, what must you do before a computer running Windows Server 2012 R2 begins logging Active Directory access attempts?

a. You must select the Active Directory objects you want to audit by using the Active Directory Users and Computers console.

b. You must wait for the audit policy settings to propagate to all the domain controllers on the network.

c. You must open the Audit Directory Service Access Properties sheet and select all the Active Directory objects you want to audit.

d. You must add an underscore character to the name of every Active Directory object you want to audit.

Objective 6.3: Configure application restriction policies

The options in the Software Restriction Policies node provide organizations greater control in preventing potentially dangerous applications from running. Software restriction policies are designed to identify software and control its execution. In addition, administrators can control who will be affected by the policies.

NOTE

This objective covers how to:

▪ Configure rule enforcement

▪ Configure AppLocker rules

▪ Configure Software Restriction Policies

Using software restriction policies

The Software Restriction Policies node is found in the Windows Settings\Security Settings node of the User Configuration or the Computer Configuration node of a GPO. By default, the Software Restriction Policies folder is empty. When you create a new policy, two subfolders appear: Security Levels and Additional Rules. The Security Levels folder enables you to define the default behavior from which all rules will be created. The criteria for each executable program are defined in the Additional Rules folder.

In the following sections, you learn how to set the security level for a software restriction policy and how to define rules that will govern the execution of program files.

Enforcing restrictions

Prior to creating any rules that govern the restriction or allowance of executable files, it is important to understand how the rules work by default. If a policy does not enforce restrictions, executable files run based on the permissions that users or groups have in the NTFS file system.

When considering the use of software restriction policies, you must determine your approach to enforcing restrictions. There are three basic strategies for enforcing restrictions, as follows:

▪ Unrestricted. This approach enables all applications to run except those that are specifically excluded.

▪ Disallowed. This approach prevents all applications from running except those that are specifically allowed.

▪ Basic User. This approach prevents any applications from running that require administrative rights, but enables programs to run that only require resources that are accessible by normal users.

The approach you take depends on the needs of your particular organization. By default, the Software Restriction Policies area has an Unrestricted value in the Default Security Level setting.

For example, you might want to enable only specified applications to run in a high-security environment. In this case, you would set the Default Security Level to Disallowed. By contrast, in a less secure network, you might want to allow all executables to run unless you have specified otherwise. This would require you to leave the Default Security Level set as Unrestricted. In this case, you would have to create a rule to identify an application before you could disable it. You can modify the Default Security Level to reflect the Disallowed setting.

Because the Disallowed setting assumes that all programs will be denied unless a specific rule permits them to run, this setting can cause administrative headaches if not thoroughly tested. You should test all applications you wish to run to ensure that they will function properly.

To modify the Default Security Level setting to Disallowed, use the following procedure.

1. In Server Manager, on the Tools menu, select Group Policy Management to open the Group Policy Management console.

2. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.

3. Right-click a GPO and select Edit. A Group Policy Management Editor window opens.

4. Browse to the Software Restriction Policies node under either Computer Configuration or User Configuration.

5. Right-click Software Restriction Policies and select New Software Restriction Policies. The folders containing the new policies appear.

6. In the details pane, double-click Security Levels. Note the check mark on the Unrestricted icon, which is the default setting.

7. Right-click the Disallowed security level and, from the shortcut menu, select Set As Default. A Software Restriction Policies message box appears, warning you of your action.

8. Click Yes, and then close the Group Policy Management Editor and Group Policy Management consoles.

You have now modified the Default Security Level for a software restriction policy.

Configuring software restriction rules

The functionality of software restriction policies depends first on the rules that identify software and then on the rules that govern its usage. When you create a new software restriction policy, the Additional Rules subfolder appears. This folder enables you to create rules that specify the conditions under which programs can be executed or denied. These rules can override the Default Security Level setting when necessary.

You create new rules of your own in the Additional Rules folder using a dialog box like the one shown in Figure 6-15.

Figure 6-15. The New Path Rule dialog box

There are four types of software restriction rules that you can use to specify which programs can or cannot run on your network:

▪ Hash rules

▪ Certificate rules

▪ Path rules

▪ Network zone rules

There is also a fifth type of rule—the default rule—that applies when an application does not match any of the other rules you have created. To configure the default rule, select one of the policies in the Security Levels folder and, on its Properties sheet, click Set As Default.

The functions of the four rule types are explained in the following sections.

Hash Rules

A hash is a series of bytes with a fixed length that uniquely identifies a program or file. A hash value is generated by an algorithm that essentially creates a fingerprint of the file, making it nearly impossible for another program to have the same hash. If you create a hash rule and a user attempts to run a program affected by the rule, the system checks the hash value of the executable file and compares it with the hash value stored in the software restriction policy. If the two match, the policy settings will apply. Therefore, creating a hash rule for an application executable prevents the application from running if the hash value is not correct. Because the hash value is based on the file itself, the file will continue to function if you move it from one location to another. If the executable file is altered in any way, for example, if it is modified or replaced by a worm or virus, the hash rule in the software restriction policy prevents the file from running.


Certificate Rules

A certificate rule uses the digital certificate associated with an application to confirm its legitimacy. You can use certificate rules to enable software from a trusted source to run or to prevent software that does not come from a trusted source from running. You can also use certificate rules to run programs in disallowed areas of the operating system.

Path Rules

A path rule identifies software by specifying the directory path where the application is stored in the file system. You can use path rules to create exceptions that allow an application to execute when the Default Security Level for software restriction policies is set to Disallowed, or you can use them to prevent an application from executing when the Default Security Level for software restriction policies is set to Unrestricted.

Path rules can specify either a location in the file system where application files are located or a registry path setting. Registry path rules provide assurance that the application executables will be found. For example, if an administrator uses a path rule to define a file system location for an application, and the application is moved to a new location, such as during a network restructuring, the original path in the path rule would no longer be valid. If the rule specifies that the application should not function unless it is located in a particular path, the program would not be able to run from its new location. This could cause a significant security breach opportunity if the program references confidential information.

In contrast, if you create a path rule using a registry key location, any change to the location of the application files will not affect the outcome of the rule. This is because when you relocate an application, the registry key that points to the application's files is updated automatically.

Network Zone Rules

Network zone rules apply only to Windows Installer packages that attempt to install from a specified zone, such as a local computer, a local intranet, trusted sites, restricted sites, or the Internet. You can configure this type of rule to enable Windows Installer packages to be installed only if they come from a trusted area of the network. For example, an Internet zone rule could restrict Windows Installer packages from being downloaded and installed from the Internet or other network locations.

Using multiple rules

You can define a software restriction policy by using multiple rule types to allow and disallow program execution. By using multiple rule types, it is possible to have a variety of security levels. For example, you might want to specify a path rule that prevents programs from running from the \\Server1\Accounting shared folder and a path rule that enables programs to run from the \\Server1\Application shared folder. You can also choose to incorporate certificate rules and hash rules into your policy. When implementing multiple rule types, systems apply the rules in the following order of precedence:

1. Hash rules

2. Certificate rules

3. Network zone rules

4. Path rules

When a conflict occurs between rule types, such as between a hash rule and a path rule, the hash rule prevails because it is higher in the order of precedence. If a conflict occurs between two rules of the same type with the same identification settings, such as two path rules that identify software from the same directory, the more restrictive setting will apply. In this case, if one of the path rules were set to Unrestricted and the other to Disallowed, the policy would enforce the Disallowed setting.

Configuring software restriction properties

Within the Software Restriction Policies folder, you can configure three specific properties to provide additional settings that apply to all policies when implemented: Enforcement, Designated File Types, and Trusted Publishers.

Enforcement Properties

As shown in Figure 6-16, the Enforcement properties enable you to determine whether the policies apply to all files or whether library files, such as dynamic link library (DLL) files, are excluded. Excluding DLLs is the default. This is the most practical method of enforcement. For example, if the Default Security Level for the policy is set to Disallowed and the Enforcement properties are set to All Software Files, you would have to create a rule that checked every DLL before the program could be allowed or denied. By contrast, excluding DLL files by using the default Enforcement property does not require an administrator to define individual rules for each DLL file.


Figure 6-16. Configuring Enforcement properties


Designated File Types Properties

The Designated File Types properties within the Software Restriction Policies folder, as shown in Figure 6-17, specify file types that are considered executable. File types that are designated as executable or program files are shared by all rules, although you can specify a list for a computer policy that is different from one that is specified for a user policy.


Figure 6-17. Configuring Designated File Types properties


Trusted Publishers Properties

Finally, the Trusted Publishers properties enable an administrator to control how systems handle certificate rules. In the Properties dialog box for Trusted Publishers, shown in Figure 6-18, the first setting enables you to specify which users are permitted to manage trusted certificate sources. By default, local computer administrators have the right to specify trusted publishers on the local computer and enterprise administrators have the right to specify trusted publishers in an OU. From a security standpoint, in a high-security network, users should not be allowed to determine the sources from which certificates can be obtained.

The Trusted Publisher Properties sheet also lets you decide if you wish to verify that a certificate has not been revoked. If a certificate has been revoked, the user should not be permitted access to network resources. You have the option of checking either the publisher or the time stamp of the certificate to determine if it has been revoked.

Figure 6-18. Configuring Trusted Publishers properties


Using AppLocker

Software restriction policies can be a powerful tool, but they can also require a great deal of administrative overhead. If you elect to disallow all applications except those matching the rules you create, there are many programs in Windows Server 2012 R2 itself that need rules, in addition to the applications you want to install. Administrators must create the rules manually, which can be an onerous chore.

AppLocker, also known as application control policies, is a Windows feature that is essentially an updated version of the concept implemented in software restriction policies. AppLocker also uses rules, which administrators must manage, but the process of creating the rules is much easier, thanks to a wizard-based interface.

AppLocker is also more flexible than software restriction policies. You can apply AppLocker rules to specific users and groups and also create rules that support all future versions of an application. The primary disadvantage of AppLocker is that you can apply the policies only to computers running Windows 7 and Windows Server 2008 R2 or later.

Understanding rule types

The AppLocker settings are located in GPOs in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container, as shown in Figure 6-19.


Figure 6-19. The AppLocker container in a GPO

In the AppLocker container, there are four nodes that contain the basic rule types:

▪ Executable Rules. Contains rules that apply to files with .exe and .com extensions


▪ Windows Installer Rules. Contains rules that apply to Windows Installer packages with .msi and .msp extensions

▪ Script Rules. Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions

▪ Packaged App Rules. Contains rules that apply to applications purchased through the Windows Store

Each of the rules you create in each of these containers can allow or block access to specific resources, based on one of the following criteria:

▪ Publisher. Identifies code-signed applications by means of a digital signature extracted from an application file. You can also create publisher rules that apply to all future versions of an application.


▪ Path. Identifies applications by specifying a file or folder name. The potential vulnerability of this type of rule is that any file can match the rule, as long as it has the correct name or location.

▪ File Hash. Identifies applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes. This type of rule functions much like its equivalent in software restriction policies; in AppLocker, however, the process of creating the rules and generating file hashes is much easier.

Creating default rules

When enabled, AppLocker blocks all executables, installer packages, and scripts (except for those specified in Allow rules) by default. Therefore, to use AppLocker you must create rules that enable users to access the files needed for Windows and the system's installed applications to run. The simplest way to do this is to right-click each of the four rules containers and select Create Default Rules from the shortcut menu.

The default rules for each container are standard rules that you can replicate, modify, or delete as necessary. You can also create your own rules, as long as you are careful to provide access to all the resources the computer needs to run Windows.

APPLYING APPLOCKER POLICIES

To use AppLocker, the Application Identity service must be running. By default, this service uses the manual startup type, so you must start it yourself in the Services console (and set it to Automatic so that it survives a restart) before Windows can apply the AppLocker policies. If the service is not running, the rules are silently ignored rather than enforced.


Creating rules automatically

The greatest advantage of AppLocker over software restriction policies is the ability to create rules automatically. When you right-click one of the rules containers and select Automatically Generate Rules from the shortcut menu, the Automatically Generate Rules Wizard starts.

After specifying the folder to be analyzed and the users or groups to which the rules should apply, you will see a Rule Preferences page, enabling you to specify the types of rules you want to create. The wizard then displays a summary of its results on the Review Rules page and adds the rules to the container.
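The same job can be done from PowerShell with the AppLocker module that ships with Windows Server 2012 R2. The following is an added example, not code from the book: it starts the Application Identity service, generates rules from a folder exactly as the wizard does, loads them in audit mode so that nothing is blocked yet, and later turns the audited events into further rules. The scanned folder, the sample files, and the LDAP path in the comment are placeholders for your own environment.

```powershell
# Added example (not from the book): build an AppLocker policy from the files
# in a trusted folder, which is what the Automatically Generate Rules Wizard
# does, then test it and load it in audit mode before enforcing anything.
# Assumptions: an elevated PowerShell session on Windows Server 2012 R2; the
# scanned folder, sample files and the LDAP path in the comment are placeholders.

Import-Module AppLocker

# 1. Rules are evaluated by the Application Identity service (AppIDSvc), which
#    defaults to Manual startup. If it is not running, no rule is enforced.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Collect publisher, hash and path information for the executables, scripts
#    and installers under the folder, as the wizard does for the folder you pick.
$scanned  = 'C:\Program Files'
$fileInfo = Get-AppLockerFileInformation -Directory $scanned -Recurse `
                -FileType Exe, Script, WindowsInstaller

# 3. Turn that into Allow rules for Everyone. Publisher rules are preferred
#    because they keep matching after an update; unsigned files fall back to
#    hash rules. -Optimize collapses files that share a publisher/product.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                 -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. Put every rule collection into AuditOnly. Decisions are then written to
#    the Microsoft-Windows-AppLocker event logs instead of being enforced, so
#    gaps in the rule set show up before anyone is blocked.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:TEMP 'AppLocker-Audit.xml'
$policy.Save($policyPath)

# 5. Dry run: how would the policy treat files that were NOT in the scan?
#    S-1-1-0 is the SID of Everyone.
$samples = Get-ChildItem 'C:\Windows\System32\*.exe' | Select-Object -First 5
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples.FullName -User 'S-1-1-0' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# DeniedByDefault means "no rule matched"; in audit mode that is only logged.
# Add rules (or the default rules) for anything that must keep running.

# 6. Merge into the local policy. -Merge keeps the rules already present.
#    For a GPO, add -Ldap with the policy object's distinguished name, e.g.
#    -Ldap 'LDAP://dc1.contoso.com/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 7. After a period in audit mode, turn the audited events themselves into
#    rules for whatever was missed, then change EnforcementMode to Enabled.
Get-AppLockerFileInformation -EventLog `
        -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File (Join-Path $env:TEMP 'AppLocker-FromAudit.xml')
```

Running the policy in audit mode first is the practical safeguard the wizard does not offer: the event log shows every file the rules would have blocked, and step 7 converts that log into rules before enforcement is switched on.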

Creating rules manually

In addition to creating rules automatically, you can do it manually by using a wizard-based interface you activate by selecting Create New Rule from the shortcut menu for one of the rule containers.

The wizard prompts you for the following information:

▪ Action. Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules, regardless of the order in which the rules were created.

▪ User Or Group. Specifies the name of the user or group to which the policy should apply.

▪ Conditions. Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.

▪ Exceptions. Enables you to specify exceptions to the rule you are creating by using any of the three conditions: publisher, path, or file hash.


THOUGHT EXPERIMENT: USING APPLOCKER

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Sophie is planning on using AppLocker to control access to applications on a new network she has constructed for the Research and Development department at a major aerospace firm. The software developers in the department have recently deployed a new application called Virtual Wind Tunnel, which is based on government project research and is therefore classified. All of the full-time personnel have sufficient clearance to use the application, but the interns in the department do not. Sophie has placed the user accounts for everyone in the department into a security group called ResDev. The interns are also members of a group called RDint.

How can Sophie use AppLocker to provide everyone in the department except the interns with access to the Virtual Wind Tunnel application, without changing the group memberships and without having to apply policies to individual users?

Objective summary

▪ Software restriction policies enable the software's executable code to be identified and either allowed or disallowed on the network.

▪ The three Default Security Levels within software restriction policies are Unrestricted, which means all applications function based on user permissions; Disallowed, which means all applications are denied execution regardless of the user permissions; and Basic User, which allows programs to run but only with the privileges of a standard user.

▪ Four rule types can be defined within a software restriction policy. They include, in order of precedence, hash, certificate, network zone, and path rules. The security level set on a specific rule supersedes the Default Security Level of the policy.

▪ Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.

▪ AppLocker enables administrators to create application restriction rules much more easily than was previously possible.


Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following is not one of the software restriction rule types supported by Windows Server 2012 R2?

a. Hash rules

b. Certificate rules

c. Path rules

d. Firewall rules

2. Which of the following strategies for enforcing software restrictions will prevent any executable from running except for those that have been specifically allowed by an administrator?

a. Basic user

b. Disallowed

c. Power user

d. Unrestricted

3. Under which of the following conditions will a hash rule in a software restriction policy cease to function? (Choose all that apply.)

a. When you move the file on which the hash is based to a different folder

b. When you update the file on which the hash is based to a new version


c. When the file on which the hash is based is modified by a virus

d. When you change the permissions for the file on which the hash is based

4. Which of the following rule types applies to files with an .msi extension?

a. Executable rules

b. Windows Installer rules

c. Script rules

d. Packaged app rules

5. Which of the following services must you manually start before Windows can apply AppLocker policies?

a. Application Identity


b. Application Management

c. Credential Manager

d. Network Connectivity Assistant

Objective 6.4: Configure Windows Firewall

You might have locked the door to the computer center in which the servers are located, but the computers remain connected to the network. A network is another type of door, or rather a series of doors, that can allow data in or out. To provide services to your users, some of those doors must be open at least some of the time, but server administrators must make sure that only the right doors are left open.

A firewall is a software program that protects a computer or a network by allowing certain types of network traffic in and out of the system while blocking others. A firewall is essentially a series of filters that examine the contents of packets and the traffic patterns to and from the network to determine which packets they should allow to pass through.

The object of a firewall is to permit all of the traffic that legitimate users need to perform their assigned tasks yet block everything else. Note that when you are working with firewalls, you are not usually concerned with subjects like authentication and authorization. Those are mechanisms that control who is able to get through the server's open doors. The firewall determines which doors are left open and which are shut tight. (The exception is the authenticated firewall exceptions covered later in this objective, which admit traffic only from peers that have proven their identity with IPsec.)


NOTE

This objective covers how to:

▪ Configure rules for multiple profiles using Group Policy

▪ Configure connection security rules

▪ Configure Windows Firewall to allow or deny applications, scopes, ports, and users

▪ Configure authenticated firewall exceptions

▪ Import and export settings

Understanding Windows Firewall settings

Windows Server 2012 R2 includes a firewall program called Windows Firewall, which is activated by default on all systems. In its default configuration, Windows Firewall blocks most network traffic from entering the computer. Firewalls work by examining the contents of each packet entering and leaving the computer and comparing the information they find to a series of rules, which specify which packets are allowed to pass through the firewall and which are blocked.

Windows systems communicate by using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which packages application data inside a series of layered protocol headers that define where the data comes from and where it is going. The three most important criteria that firewalls can use in their rules are as follows:

▪ IP addresses. IP addresses identify specific hosts on the network. You can use IP addresses to configure a firewall to only allow traffic from specific computers or networks in and out.

▪ Protocol numbers. The protocol number in the IP header specifies whether the packet contains TCP (protocol 6), User Datagram Protocol (UDP, protocol 17), or another payload such as ICMP (protocol 1). You can filter protocol numbers to block packets containing certain types of traffic. Windows computers typically use UDP for brief message exchanges, such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) transactions. TCP packets usually carry larger amounts of data, such as the files exchanged by web, file, and print servers.

▪ Port numbers. Port numbers identify specific applications running on the computer. The most common firewall rules use port numbers to specify the types of application traffic the computer is allowed to send and receive. For example, a web server usually receives its incoming packets on port number 80. Unless the firewall has a rule opening port 80 to incoming traffic, the web server cannot function in its default configuration.

Firewall rules can function in two ways, as follows:

▪ Admit all traffic, except that which conforms to the applied rules

▪ Block all traffic, except that which conforms to the applied rules

Generally, blocking all traffic by default is the more secure arrangement. From the server administrator's standpoint, you start with a completely blocked system, and then begin testing your applications. When an application fails to function properly because network access is blocked, you create a rule that opens up the ports the application needs to communicate.


This is the method that Windows Firewall uses by default for incoming network traffic. There are default rules preconfigured into the firewall that are designed to admit the traffic used by standard Windows networking functions, such as file and printer sharing. For outgoing network traffic, Windows Firewall uses the other method, allowing all traffic to pass the firewall except that which conforms to a rule.

Working with Windows Firewall

Windows Firewall is a single program with one set of rules, but there are two distinct interfaces you can use to manage and monitor it. The Windows Firewall control panel applet provides a simplified interface that enables administrators to avoid the details of rules and port numbers. If you just want to turn the firewall on or off (typically for testing or troubleshooting purposes) or work with the firewall settings for a specific Windows role or feature, you can do so by using just the control panel. For full access to firewall rules and more sophisticated functions, you must use the Windows Firewall With Advanced Security console, as discussed later in this objective.

In many cases, administrators never have to work directly with Windows Firewall. Many of the roles and features included in Windows Server 2012 R2 automatically open the appropriate firewall ports when you install them. In other situations, the system warns you of firewall issues.

For example, the first time you open File Explorer and try to access the network, a warning appears, informing you that Network Discovery and File Sharing are turned off, preventing you from browsing the network.

Network Discovery is just a set of firewall rules that regulate the ports Windows uses for network browsing, specifically UDP ports 137 and 138 (NetBIOS name and datagram services), UDP 1900 (SSDP), TCP 2869 (UPnP), UDP 3702 (WS-Discovery), UDP 5355 (LLMNR), and TCP 5357 and 5358 (Web Services on Devices). By default, Windows Server 2012 R2 disables the inbound rules associated with these ports, so the ports are closed, blocking all traffic through them. When you click the warning banner and choose Turn On Network Discovery And File Sharing from the shortcut menu, you are in effect activating these firewall rules, thereby opening the ports associated with them.

In addition to the menu commands accessible through the warning banner, you can control the Network Discovery and File Sharing rules in other ways. The Network and Sharing Center control panel, through its Advanced Sharing Settings page, provides options that you can use to turn Network Discovery, File Sharing, and other basic networking functions on and off.

The Windows Firewall control panel has an Allow An App Or Feature Through Windows Firewall link, which opens the Allowed Apps dialog box. The Network Discovery check box in this dialog box enables you to control the same set of rules as the Network Discovery control in the Network And Sharing Center.

Finally, you can access the individual Network Discovery rules directly by using the Windows Firewall With Advanced Security console. When you select the Inbound Rules node and scroll down in the list, you can see nine Network Discovery rules.

As you can see by examining the rules in the console, Network Discovery is a complex Windows function that would be difficult to control if you had to determine by trial and error which ports it uses. This is why Windows Firewall includes a large collection of rules that regulate the ports that the applications and services included with the operating system need to operate.
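The rule group behind the Network Discovery check box can also be inspected from PowerShell, which makes the port list above visible without scrolling through the console. The following is an added example rather than code from the book; it assumes an elevated session on Windows Server 2012 R2, where the NetSecurity module is present by default.

```powershell
# Added example (not from the book): show every inbound rule in the Network
# Discovery group with the port it opens, then enable only the members that
# belong to the domain profile. Assumes Windows Server 2012 R2, elevated.

Import-Module NetSecurity

$ndRules = Get-NetFirewallRule -DisplayGroup 'Network Discovery' -Direction Inbound

# Each rule carries its port information in a separate filter object.
$ndRules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Profile  = $_.Profile
        Protocol = $port.Protocol
        Port     = ($port.LocalPort -join ',')
    }
} | Sort-Object Protocol, Port | Format-Table -AutoSize

# The control panel check box turns the whole group on for the current profile.
# Enabling only the rules that carry the Domain profile keeps the same ports
# closed on any private or public network the server is later connected to.
$ndRules | Where-Object { $_.Profile -match 'Domain' } | Enable-NetFirewallRule
```

The rules are stored once per profile, so a server that is only ever on a domain network needs only the Domain members of the group enabled; the Where-Object filter leaves the Private and Public copies disabled.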


Using the Windows Firewall control panel applet

The Windows Firewall control panel applet provides the easiest and safest access to the firewall controls. These controls are usually sufficient for most server administrators, unless the system has special requirements or you are working with custom server applications.

When you open the Windows Firewall window from the control panel, as shown in Figure 6-20, you see the following information:

▪ Whether the computer is connected to a domain, private, or public network

▪ Whether the Windows Firewall service is turned on or off

▪ Whether inbound and outbound connections are blocked


▪ The name of the currently active network

▪ Whether users are notified when a program is blocked


Figure 6-20. The Windows Firewall control panel

On the left side of the window is a series of links, which provide the following functions:

▪ Allow An App Or Feature Through Windows Firewall. Opens the Allowed Apps dialog box, in which you can select the applications that can send traffic through the firewall

▪ Change Notification Settings. Opens the Customize Settings dialog box, in which you can adjust the notification settings for each of the three profiles

▪ Turn Windows Firewall On Or Off. Opens the Customize Settings dialog box, in which you can toggle the state of the firewall in each of the three profiles

▪ Restore Defaults. Returns all firewall settings to their installation defaults

▪ Advanced Settings. Launches the Windows Firewall With Advanced Security console

▪ Troubleshoot My Network. Launches the Network and Internet troubleshooter


Customizing settings

Several of the links in the Windows Firewall window point to the same place: a Customize Settings dialog box that contains controls for some of the most basic firewall functions.

The Customize Settings dialog box, shown in Figure 6-21, is organized according to three areas, corresponding to the three profiles on a Windows computer. Windows Firewall uses these profiles to represent the type of network to which the server is connected. The profiles are as follows:

▪ Public. The public (or guest) profile applies when the server is connected to a network classified as public, such as one in an open lab or kiosk, where unauthenticated or temporary users are present. It should carry the most restrictive settings.

▪ Private. The private profile applies when the server is connected to a network classified as private, such as an internal network that is not accessible by unauthorized users.


▪ Domain. The domain profile is applied automatically when the server can contact a domain controller for the AD DS domain it belongs to, a network in which all users are identified and authenticated.


Figure 6-21. The Customize Settings dialog box for Windows Firewall

In Windows Firewall, the three profiles are essentially separate sets of rules that apply only to computers connected to the designated network type. Administrators can control the environment for each type of network by configuring separate rules and settings for each profile.

The Customize Settings dialog box has the following controls for each of the three network profiles:

▪ Turn On/Off Windows Firewall. Toggles the Windows Firewall on and off for the selected profile

▪ Block All Incoming Connections, Including Those In The List Of Allowed Apps. Enables you to increase the security of your system by blocking all unsolicited attempts to connect to your computer, even those that an allow rule would otherwise admit

▪ Notify Me When Windows Firewall Blocks A New App. Causes the system to notify the user when the firewall blocks a new program from accepting inbound connections


Allowing applications

There are times when administrators might be required to modify the firewall settings in other ways, typically because a specific application requires access to a port not anticipated by the firewall's default rules.

To do this, you can use the Allowed Apps dialog box in the Windows Firewall control panel, as shown in Figure 6-22.


Figure 6-22. The Allowed Apps dialog box for Windows Firewall

Opening up a port in a server's firewall is an inherently dangerous activity. The more open doors you put in a wall, the greater the likelihood that intruders will get in. Windows Firewall provides two basic methods for opening a hole in your firewall: opening a port and allowing an application. Both are risky, but the latter is less so. This is because when you open a port by creating a port rule in the Windows Firewall With Advanced Security console, the port stays open permanently, whatever process happens to be listening on it. When you allow an application through the firewall by using the control panel, the firewall admits traffic only to sockets that the specified program has open, so the port is effectively open only while the program is running. When you terminate the program, nothing is listening and the firewall admits nothing.

EXAM TIP

Previous versions of Windows refer to allowed applications as exceptions, meaning that they are exceptions to the general firewall rules closing off all the computer's ports against intrusion. Exam candidates should be prepared to see questions containing either term.


The applications listed in the Allowed Apps dialog box are based on the roles and features installed on the server. Each listed application corresponds to one or more firewall rules, which the control panel activates and deactivates as needed.

Unlike earlier versions, the Windows Server 2012 R2 version of the Windows Firewall control panel does not provide direct access to port numbers. For more precise control over the firewall, you must use the Windows Firewall With Advanced Security console, which you can access by clicking Advanced Settings in the Windows Firewall control panel or by selecting it from the Tools menu in Server Manager.


Using the Windows Firewall With Advanced Security console

The Windows Firewall control panel is designed to enable administrators and advanced users to manage basic firewall settings. For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the MMC.

To open the console, open Server Manager and, from the Tools menu, select Windows Firewall With Advanced Security. The Windows Firewall With Advanced Security console opens, as shown in Figure 6-23.


Figure 6-23. The Windows Firewall With Advanced Security console

Configuring profile settings

At the top of the Windows Firewall With Advanced Security console's middle pane, in the Overview section, there are status displays for the computer's three network location profiles. If you connect the computer to a different network (which is admittedly not likely with a server), Windows Firewall can load a different profile and a different set of rules.

The default Windows Firewall configuration calls for the same basic settings for all three profiles, as follows:

▪ The firewall is turned on.

▪ Incoming traffic is blocked unless it matches a rule.

▪ Outgoing traffic is allowed unless it matches a rule.

You can change this default behavior by clicking the Windows Firewall Properties link, which displays the Windows Firewall With Advanced Security On Local Computer dialog box.


In this dialog box, each of the three network location profiles has a tab with identical controls which enable you to modify the default profile settings. You can, for example, configure the firewall to shut down completely when it is connected to a domain network and you can configure the firewall to turn on with its most protective settings when you connect the computer to a public network. You can also configure the firewall's notification options, its logging behavior (logging of dropped and successful connections is off by default), and how it reacts when rules conflict.
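The per-profile settings in that dialog box map directly onto Set-NetFirewallProfile. The following added example (not from the book) applies the default posture described above to all three profiles, tightens the public profile, and turns on dropped-packet logging, which is the first thing you want when an application fails and you do not yet know which port it uses. It assumes an elevated session on Windows Server 2012 R2; the log path is the Windows default.

```powershell
# Added example (not from the book): configure the three profiles from
# PowerShell instead of the properties dialog. Assumes Windows Server 2012 R2
# and an elevated session; the log file path is the Windows default location.

Import-Module NetSecurity

# Same baseline for all three profiles: firewall on, inbound blocked unless a
# rule allows it, outbound allowed unless a rule blocks it, and a notification
# when a new program is blocked from listening.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True

# Public networks get the most protective setting: ignore even the allow rules
# (the control panel's "Block all incoming connections" check box).
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# Logging is off by default. Log dropped packets so a blocked application shows
# up in the log rather than being diagnosed by trial and error.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Verify the result for each profile.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowInboundRules, LogBlocked -AutoSize
```

Lines in the resulting log that read DROP with the protocol, source, destination and port tell you exactly which rule is missing for an application, which is far quicker than opening ports one at a time.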

Creating rules

The allowed applications that you can configure in the Windows Firewall control panel are a relatively friendly method for working with firewall rules. In the Windows Firewall With Advanced Security console, you can work with the rules in their raw form.


Selecting either Inbound Rules or Outbound Rules in the left pane displays a list of all the rules operating in that direction, as shown in Figure 6-24. The rules that are currently operational have a check mark in a green circle next to them; the rules not in force appear dimmed.


Figure 6-24. The Inbound Rules list in the Windows Firewall With Advanced Security console

Creating new rules by using this interface provides much more flexibility than the Windows Firewall control panel. When you right-click the Inbound Rules (or Outbound Rules) node and select New Rule from the shortcut menu, the New Inbound (or Outbound) Rule Wizard takes you through the process of configuring the following sets of parameters:

▪ Rule Type. Specifies whether you want to create a program rule, a port rule, a variant on one of the predefined rules, or a custom rule. This selection determines which of the following pages the wizard displays.

▪ Program. Specifies whether the rule applies to all programs, to one specific program, or to a specific service. This is the equivalent of defining an allowed application in the Windows Firewall control panel, except that you must specify the exact path to the application.

▪ Protocol And Ports. Specifies the network or transport layer protocol or the local and remote ports to which the rule applies. This enables you to specify the exact types of traffic that the rule should block or allow. To create rules in this way, you must be familiar with the protocols and ports that an application uses to communicate at both ends of the connection.

▪ Predefined Rules. Specifies which predefined rules defining specific network connectivity requirements the wizard should create.

▪ Scope. Specifies the IP addresses of the local and remote systems to which the rule applies. This enables you to block or allow traffic between specific computers.

▪ Action. Specifies the action the firewall should take when a packet matches the rule. You configure the rule to allow traffic if it is blocked by default or block traffic if it is allowed by default. You can also configure the rule to allow traffic only when the connection between the communicating computers is secured using IPsec. When rules conflict, block rules take precedence over allow rules.


▪ Profile. Specifies the profile(s) to whichthe rule should apply: domain, private, orpublic.

▪ Name. Specifies a name and (optionally) a description for the rule.

The rules you can create by using the wizards range from simple program rules, like those you can create in the Windows Firewall control panel, to highly complex and specific rules that block or allow only specific types of traffic between specific computers. The more complicated the rules become, however, the more you have to know about TCP/IP communications in general and the specific behavior of your applications. Modifying the default firewall settings to accommodate some special applications is relatively simple, but creating an entirely new firewall configuration is a formidable task.
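Each combination the wizard offers (program, port, scope, action, profile, and the "allow only if secure" variant) has a direct equivalent in New-NetFirewallRule. The following added example, which is not code from the book, creates one rule of each kind and then reads the port and address filters back to confirm what was created. It assumes an elevated session on Windows Server 2012 R2; the program path, subnet, address range and the CONTOSO\FileAdmins group are placeholders for your own environment.

```powershell
# Added example (not from the book): the rule types the New Inbound Rule Wizard
# walks through, created with New-NetFirewallRule. Assumes Windows Server 2012
# R2, an elevated session, and placeholder paths, subnets and group names.

Import-Module NetSecurity

# Program rule: traffic is admitted only to sockets this process has open, so
# the port is effectively closed whenever the program is not running.
New-NetFirewallRule -DisplayName 'Contoso Order Service (in)' `
    -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\Contoso\OrderSvc.exe' `
    -Profile Domain, Private

# Port rule with a scope: open TCP 8443 only to the management subnet and only
# on the domain profile. Anything from elsewhere still hits the default block.
New-NetFirewallRule -DisplayName 'Management API TCP 8443 (in)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.10.5.0/24 `
    -Profile Domain

# Block rule scoped to a remote range. Block rules are evaluated before allow
# rules, so this wins even though port 80 is open to everyone else.
New-NetFirewallRule -DisplayName 'Block abusive source range (in)' `
    -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 80, 443 `
    -RemoteAddress 203.0.113.0-203.0.113.255

# "Allow the connection if it is secure": the wizard's third action. TCP 445 is
# admitted only when the peer authenticated with IPsec (a connection security
# rule must exist) and only for members of the named group, expressed as SDDL.
$account    = New-Object System.Security.Principal.NTAccount('CONTOSO\FileAdmins')
$fileAdmins = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'SMB for authenticated file admins (in)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 `
    -Authentication Required -Encryption Required `
    -RemoteUser "O:LSD:(A;;CC;;;$fileAdmins)"

# Verify: rule, action, profile, and the port and address filters behind it.
Get-NetFirewallRule -DisplayName '*(in)' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Profile = $_.Profile
        Proto   = $pf.Protocol
        Port    = ($pf.LocalPort -join ',')
        Remote  = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

The third rule is the shape of a quick response to unwanted traffic from a known range: it is scoped to the offending addresses, so legitimate clients still reach ports 80 and 443 through the existing allow rules.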


Importing and exporting rules

The process of creating and modifying rules in the Windows Firewall With Advanced Security console can be time-consuming, and repeating the process on multiple computers even more so. Therefore, the console makes it possible for you to save the rules and settings you have created by exporting them to a policy file.

A policy file is a file with a .wfw extension that contains all the property settings in a Windows Firewall installation and all its rules, including the preconfigured rules and those you have created or modified. To create a policy file, select Export Policy from the Action menu in the Windows Firewall With Advanced Security console, and then specify a name and location for the file. The netsh advfirewall export command writes the same file format from a command prompt.

You can then duplicate the rules and settings on another computer by copying the file and using the Import Policy function to read in the contents.


IMPORTING POLICIES

When you import policies from a file, the console warns you that all existing rules and settings will be overwritten. You must therefore be careful not to create custom rules on a computer and then expect to add other rules to them by importing a policy file; export the computer's own configuration first if you need to be able to restore it.

Creating rules by using Group Policy

The Windows Firewall With Advanced Security console makes it possible to create complex firewall configurations, but Windows Firewall is still an application designed to protect a single computer from intrusion. If you have a large number of servers running Windows Server 2012 R2, manually creating a complex firewall configuration on each one can be a lengthy process. Therefore, as with most Windows configuration tasks, administrators can distribute firewall settings to computers throughout the network by using Group Policy.

When you edit a GPO and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security node, you see an interface that is nearly identical to the Windows Firewall With Advanced Security console.

You can configure Windows Firewall properties and create inbound, outbound, and connection security rules, just as you would in the console. The difference is that you can then deploy those settings to computers anywhere on the network by linking the GPO to an AD DS domain, site, or OU object.

When you open a new GPO, the Windows Firewall With Advanced Security node contains no rules. The preconfigured rules that you find on every computer running Windows Server 2012 R2 are not there. You can create new rules from scratch to deploy to the network, or you can import settings from a policy file, just as you can in the Windows Firewall With Advanced Security console.

Group Policy does not overwrite the entire Windows Firewall configuration like importing a policy file does. When you deploy firewall rules and settings by using Group Policy, the rules in the GPO are combined with the existing rules on the target computers. The only exception is when you deploy rules with the identical names as existing rules. In that case, the GPO settings overwrite those found on the target computers. If you want the GPO to be the only source of rules, set the Apply Local Firewall Rules and Apply Local Connection Security Rules options to No in the GPO's profile settings; the targets then ignore their locally created rules while the GPO applies.
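Both deployment paths can be scripted. The following added example (not code from the book) exports a server's configuration to a .wfw file and imports it on another, taking a backup first because import replaces everything, and then shows the Group Policy route, where rules are written into a GPO with a GPO session and merged with each target's local rules at apply time. It assumes an elevated session on Windows Server 2012 R2 with the Group Policy management tools installed; the share path, domain name and GPO name are placeholders.

```powershell
# Added example (not from the book): move a firewall configuration between
# servers with a .wfw policy file, and deploy rules through a GPO instead.
# Assumes Windows Server 2012 R2, an elevated session, the Group Policy
# management tools, and placeholder share, domain and GPO names.

# Export everything (profile settings plus all rules) to a policy file. Windows
# Server 2012 R2 has no export cmdlet; netsh writes the same .wfw format that
# the console's Export Policy command does.
$policyFile = '\\fs1\deploy\web-baseline.wfw'
netsh advfirewall export "$policyFile"

# Importing REPLACES the whole local configuration, so keep a copy first.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$backup = Join-Path $env:TEMP "firewall-before-import-$stamp.wfw"
netsh advfirewall export "$backup"
netsh advfirewall import "$policyFile"

# Group Policy path: rules added to a GPO are MERGED with each target's local
# rules at apply time. Open a session against the GPO, add rules, save once.
Import-Module NetSecurity
$gpo = Open-NetGPO -PolicyStore 'contoso.com\Web Server Firewall'

New-NetFirewallRule -GPOSession $gpo -DisplayName 'HTTP (in)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 -Profile Domain
New-NetFirewallRule -GPOSession $gpo -DisplayName 'HTTPS (in)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 -Profile Domain

# Optional: make the GPO the only source of rules on the targets (the console's
# "Apply local firewall rules: No"), so a local allow rule cannot widen it.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain -AllowLocalFirewallRules False

Save-NetGPO -GPOSession $gpo

# On a target after gpupdate, show where each effective inbound rule came from.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Select-Object DisplayName, PolicyStoreSource, PolicyStoreSourceType |
    Sort-Object PolicyStoreSource | Format-Table -AutoSize
```

The last command is the check that resolves the "merge or overwrite" question in practice: rules from the GPO and rules created locally both appear in the active store, each labelled with the store it came from.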

Creating connection security rules

Windows Server 2012 R2 also includes a feature that incorporates IPsec data protection into the Windows Firewall. The IP Security (IPsec) standards are a collection of documents that define a method for securing data while it is in transit over a TCP/IP network. IPsec includes a connection establishment routine, during which computers authenticate each other before transmitting data, and a technique called tunneling, in which data packets are encapsulated within other packets for their protection. Most connection security rules use IPsec's transport mode instead, which authenticates and optionally encrypts the payload of each packet between the two hosts without tunneling.

In addition to inbound and outbound rules, the Windows Firewall With Advanced Security console enables you to create connection security rules by using the New Connection Security Rule Wizard. Connection security rules define the type of protection you want to apply to the communications that conform to Windows Firewall rules. A connection security rule by itself neither admits nor blocks traffic; the inbound and outbound rules still do that.

When you right-click the Connection Security Rules node and select New Rule from the shortcut menu, the New Connection Security Rule Wizard takes you through the process of configuring the following sets of parameters:

▪ Rule Type. Specifies the basic function of the rule, such as to isolate computers based on authentication criteria, to exempt certain computers (such as infrastructure servers) from authentication, to authenticate two specific computers or groups of computers, or to tunnel communications between two computers. You can also create custom rules combining these functions.

▪ Endpoints. Specifies the IP addresses of the computers that will establish a secured connection before transmitting any data.

▪ Requirements. Specifies whether authentication between two computers should be requested or required in each direction.


▪ Authentication Method. Specifies the type of authentication the computers should use when establishing a connection, such as Kerberos (the default for domain members), computer certificates, or a preshared key.

▪ Profile. Specifies the profile(s) to whichthe rule should apply: domain, private,public, or a combination thereof.

▪ Name. Specifies a name and (optionally) a description for the rule.
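The wizard's Isolation and Authentication Exemption rule types correspond to New-NetIPsecRule. The following added example, not code from the book, builds a domain isolation rule that requires Kerberos authentication for inbound connections and requests it for outbound ones, with an exemption for the domain controllers that Kerberos itself depends on. It assumes an elevated session on a domain-joined Windows Server 2012 R2 computer; the domain controller addresses are placeholders.

```powershell
# Added example (not from the book): domain isolation with connection security
# rules. Assumes Windows Server 2012 R2, an elevated session, a domain-joined
# server, and placeholder addresses for the domain controllers.

Import-Module NetSecurity

# Exemption first. Kerberos tickets come from the DCs, so IPsec must never be
# demanded for them (the wizard's Authentication Exemption rule type).
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None

# Authentication method: computer Kerberos, built explicitly rather than
# relying on the default phase 1 set, so the choice is visible in the script.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $proposal

# Isolation rule (the wizard's Isolation type): require authentication for
# inbound connections, request it for outbound so this server can still reach
# hosts that are not yet part of the isolated group.
New-NetIPsecRule -DisplayName 'Domain isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain

# Review the rules, then confirm that security associations are actually
# being negotiated once traffic flows.
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity, Profile -AutoSize
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod -AutoSize
```

Requesting rather than requiring security outbound is the usual first step of a rollout: every authenticated peer is protected immediately, and nothing breaks for the hosts that have not received the rule yet. A connection security rule still admits nothing on its own; an inbound rule set to allow the connection only if it is secure is what ties the two together.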


THOUGHT EXPERIMENT: CONFIGURING WINDOWS FIREWALL

In the following thought experiment, apply what you've learned about this objective to predict what steps you need to take. You can find answers to these questions in the Answers section at the end of this chapter.

Ralph is a junior network administrator at Wingtip Toys. He has been left in charge of the IT department while everyone else is out of town at a conference. Ralph receives a call from the company's best customer, reporting that the customer is unable to place orders through the company's website. Ralph examines the logs for the Windows web server and notices a huge amount of incoming traffic that began that morning.

Ralph suspects that the server is the target of a denial of service (DoS) attack, but he doesn't have access to the network firewall and does not know anything about the firewall configuration his company uses. Ralph does have access to the Windows Firewall running on the web server, however. What temporary modifications can he make to that firewall to block the attack and allow the customer to submit orders as usual?

Objective summary

▪ A firewall is a software program that protects a computer by allowing certain types of network traffic in and out of the system while blocking others.

▪ A firewall is essentially a series of filters that examine the contents of packets and the traffic patterns to and from the network to determine which packets they should allow to pass through.


▪ The default rules preconfigured into the firewall are designed to admit the traffic used by standard Windows networking functions, such as file and printer sharing. For outgoing network traffic, Windows Firewall allows all traffic to pass the firewall except that which conforms to a rule.

▪ The Windows Firewall control panel is designed to enable administrators to perform basic firewall configuration tasks as needed.

▪ For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the MMC.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

1. Which of the following mechanisms is used most often in firewall rules to allow traffic onto the network?

a. Hardware addresses

b. IP addresses

c. Protocol numbers

d. Port numbers

2. Connection security rules require that network traffic allowed through the firewall use which of the following security mechanisms?

a. EFS

1208/1537

b. IPsec

c. UAC

d. Kerberos

3. Which of the following actions cannotbe performed from the Windows Fire-wall control panel?

a. Allowing an application throughthe firewall in all three profiles

b. Blocking all incoming connec-tions for any of the three profiles

c. Creating firewall exceptionsbased on port numbers for allthree profiles

d. Turning Windows Firewall off forall three profiles

1209/1537

4. Which of the following tools cannot en-able and disable the Network Discoveryfirewall rules?

a. File Explorer

b. B. Network and Sharing Center

c. Action Center

d. Allowed Apps dialog box

5. Which of the following statementsabout Windows Firewall are true?(Choose all that apply.)

a. Applying firewall rules by usingGroup Policy overwrites all thefirewall rules on the targetcomputer.

b. Applying firewall rules by usingGroup Policy combines the newly

1210/1537

deployed rules with the onesalready there.

c. Importing firewall rules savedfrom another computer over-writes all the rules on the targetsystem.

d. Importing firewall rules savedfrom another computer combinesboth sets of settings.

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 6.1: Thought experiment

Alice must create another GPO containing the following setting, link it to the domain, and modify its Security Filtering by adding the Executives group and removing the Authenticated Users group. This GPO must take precedence over the Device Restrictions GPO.

▪ Prevent installation of devices not described by other policy settings - Disabled

Objective 6.1: Review

1. Correct answer: B

a. Incorrect: Group Policy tools that use the older style administrative template (ADM) files do not look for them in the Central Store.

b. Correct: Group Policy tools look for XML-based administrative template (ADMX) files in the Central Store by default.

c. Incorrect: GPOs are stored in the Active Directory database, not the Central Store.

d. Incorrect: Security templates are not found in the Central Store.

2. Correct answer: D

a. Incorrect: Local GPOs are applied first, before the administrators, nonadministrators, and user-specific local GPOs.

b. Incorrect: Administrators local GPOs are applied after local GPOs and before user-specific local GPOs.

c. Incorrect: Nonadministrators local GPOs are applied after local GPOs and before user-specific local GPOs.

d. Correct: Of the local GPO types, user-specific local GPOs are applied last.

3. Correct answer: C

a. Incorrect: GPO linking applies Group Policy settings to the entire contents of an AD DS container.

b. Incorrect: Administrative templates are the files defining the registry-based settings that appear in GPOs.

c. Correct: Security filtering is a Group Policy feature that enables you to restrict the dissemination of Group Policy settings to specific users and groups within an AD DS container.

d. Incorrect: Starter GPOs are templates used to create new GPOs.

4. Correct answer: A

a. Correct: Starter GPOs are templates that you can use to create multiple GPOs with the same set of baseline Administrative Templates settings.

b. Incorrect: Starter GPOs are not applied by clients.

c. Incorrect: Starter GPOs use the same interface as standard GPOs.

d. Incorrect: Starter GPOs do not contain all the settings found in the default Domain Policy GPO.

5. Correct answer: A

a. Correct: A Not Configured policy setting has no effect on the existing setting of that policy.

b. Incorrect: A Disabled setting remains disabled if you apply a GPO with a Not Configured value for the same setting.

c. Incorrect: A Not Configured setting will not change a Disabled setting to Enabled.

d. Incorrect: Policy setting conflicts result in overwritten settings but not errors.

Objective 6.2: Thought experiment

1. 20. Of the workstation operating systems listed, only Windows 7, Windows XP Professional, and Windows 2000 Professional are able to use Group Policy.

2. A. The only way to ensure that end users do not change the security settings on their computers is to deploy them by using Group Policy, which would require you to upgrade the operating system. Answers c and d would enable you to successfully deploy security templates on the computers, but the users would be able to modify the settings afterward.

1217/1537

Objective 6.2: Review

1. Correct answers: C, D

a. Incorrect: You cannot use Active Directory Users and Computers to apply a security template to a domain.

b. Incorrect: You cannot use the Security Templates snap-in to apply a security template to a domain.

c. Correct: You must use the Group Policy Object Editor to import a template into a GPO before you apply it to a domain.

d. Correct: After importing the security template into a GPO, you can link it to a domain object and deploy the template settings.

2. Correct answers: A, C

a. Correct: By creating a standard user in Windows Control Panel, you are adding the account to the local Users group.

b. Incorrect: You cannot add users to the Power Users group by using the Windows Control Panel.

c. Correct: Granting a user administrative privileges in the Windows Control Panel adds the account to the local Administrators group.

d. Incorrect: There is no Non-Administrators local group in Windows.

3. Correct answer: B

a. Incorrect: You cannot use Active Directory Users and Computers to modify the settings in a security template.

b. Correct: You use the Security Templates snap-in to modify the settings in a security template.

c. Incorrect: You cannot use the Group Policy Object Editor to modify the settings in a security template.

d. Incorrect: You cannot use the Group Policy Management console to modify the settings in a security template.

4. Correct answer: D

a. Incorrect: Security options cannot provide the capabilities granted to the built-in local groups.

b. Incorrect: Windows Firewall rules cannot provide the capabilities granted to the built-in local groups.

c. Incorrect: NTFS permissions cannot provide the capabilities granted to the built-in local groups.

d. Correct: Built-in local groups on a server running Windows Server 2012 R2 receive their special capabilities through user rights.

5. Correct answer: A

a. Correct: The Audit Directory Service Access policy audits only the objects you select in the Active Directory Users and Computers console.

b. Incorrect: There is no need to wait for the policy settings to propagate to all the domain controllers.

c. Incorrect: You configure the objects to be audited in the Active Directory Users and Computers console, not in the policy itself.

d. Incorrect: Modifying the object names will have no effect.

Objective 6.3: Thought experiment

Sophie has to create two rules: an allow rule that grants the ResDev group access to the application and a deny rule that applies only to the RDint group. Because deny rules take precedence over allow rules in AppLocker, the interns will not be able to access the application.

Objective 6.3: Review

1. Correct answer: D

a. Incorrect: Hash rules is one of the software restriction rule types.

b. Incorrect: Certificate rules is one of the software restriction rule types.

c. Incorrect: Path rules is one of the software restriction rule types.

d. Correct: Firewall rules is not one of the software restriction rule types.

2. Correct answer: B

a. Incorrect: The Basic User strategy prevents any application from running that requires administrative rights, but enables programs to run that only require resources that are accessible by normal users.

b. Correct: The Disallowed strategy prevents all applications from running except those that are specifically allowed.

c. Incorrect: There is no Power User strategy for enforcing software restrictions.

d. Incorrect: The Unrestricted strategy enables all applications to run except those that are specifically excluded.

3. Correct answers: B, C

a. Incorrect: The hash is based on the file, not on its location, so moving it does not affect its functionality.

b. Correct: Substituting a different version of the file renders the hash unusable.

c. Correct: Modifying the file in any way renders the hash unusable.

d. Incorrect: Changing the file’s permissions does not modify the file itself, so the hash remains functional.

4. Correct answer: B

a. Incorrect: Executable rules apply to files with .exe and .com extensions.

b. Correct: Windows Installer rules apply to Windows Installer packages with .msi and .msp extensions.

c. Incorrect: Script rules apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions.

d. Incorrect: Packaged app rules apply to applications purchased through the Windows Store.

5. Correct answer: A

a. Correct: To use AppLocker, Windows Server 2012 R2 requires the Application Identity service to be running.

b. Incorrect: The Application Management service is not necessary for Windows to apply AppLocker policies.

c. Incorrect: The Credential Manager service is not necessary for Windows to apply AppLocker policies.

d. Incorrect: The Network Connectivity Assistant service is not necessary for Windows to apply AppLocker policies.

Objective 6.4: Thought experiment

As a temporary measure, the administrator could create an IP address–based Windows Firewall rule that admits the traffic from the customer’s computer and blocks all other traffic. This would prevent the system from processing the DoS files.
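The following PowerShell script is an added example, not code from the book, showing one way to carry out the temporary change described in this answer (and the point from the objective summary that inbound traffic is admitted only by rule). It assumes an elevated session on the Windows Server 2012 R2 web server with the NetSecurity module, that the site listens on TCP 80 and 443, and that the customer connects from a single address; the address 203.0.113.25 and the backup file paths are placeholders. Because block rules take precedence over allow rules in Windows Firewall, the script narrows the existing broad allow rules rather than adding a block rule, and it backs up the whole policy first, since importing a policy file later replaces every rule on the system (review question 5).

```powershell
# Added example (not from the book). Run elevated on the web server.
# Placeholder values: the customer's source address, the web ports, and the
# backup paths are assumptions for this example.

$CustomerIP = '203.0.113.25'     # placeholder (TEST-NET-3 documentation range)
$WebPorts   = @('80', '443')     # assumed listening ports of the web site
$TempName   = 'TEMP-Allow-Web-From-Customer'
$Backup     = "$env:SystemRoot\Temp\wf-backup-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"
$DisabledLog = "$env:SystemRoot\Temp\wf-disabled-rules.txt"

# 1. Back up the complete firewall policy before touching anything.
#    'netsh advfirewall import' restores it later and OVERWRITES all rules.
netsh advfirewall export $Backup | Out-Null

# 2. Confirm every profile drops inbound traffic that matches no allow rule
#    (the default, but verify rather than assume).
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    Set-NetFirewallProfile -DefaultInboundAction Block

# 3. Locate the enabled inbound ALLOW rules that admit the web ports from any
#    address, record their names for rollback, and disable them. (Rules pushed
#    by Group Policy are read-only locally and will not be changed here.)
$broadWebRules = Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $WebPorts -contains $_ })
    } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and
        $_.Action    -eq 'Allow'   -and
        $_.Enabled   -eq 'True'    -and
        $_.PolicyStoreSourceType -eq 'Local'
    }

$broadWebRules | ForEach-Object { Write-Host "Disabling: $($_.DisplayName)" }
$broadWebRules.Name | Set-Content -Path $DisabledLog
$broadWebRules | Disable-NetFirewallRule

# 4. Add the narrow allow rule: TCP web ports, only from the customer's address.
New-NetFirewallRule -Name $TempName -DisplayName $TempName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $WebPorts `
    -RemoteAddress $CustomerIP -Profile Any -Enabled True | Out-Null

# 5. Verify the scope of the new rule before telling the customer to retry.
Get-NetFirewallRule -Name $TempName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Rollback when the firewall team returns:
#   Remove-NetFirewallRule -Name $TempName
#   Enable-NetFirewallRule -Name (Get-Content -Path $DisabledLog)
# or, to restore the entire saved policy (replaces all current rules):
#   netsh advfirewall import $Backup
```

The check in step 5 matters: if RemoteAddress shows Any, the rule was created without the scope and the web ports are open to everyone again. Keeping the disabled-rule names in a file makes the rollback explicit rather than relying on memory of which built-in rules were turned off.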

Objective 6.4: Review

1. Correct answer: D

a. Incorrect: Firewalls can conceivably use hardware addresses to filter network traffic, but this is rarely a practical solution.

b. Incorrect: Firewalls typically filter specific types of network traffic, not entire IP addresses.

c. Incorrect: Filtering by protocol number typically does not provide the granularity needed to create an efficient firewall configuration.

d. Correct: Firewalls typically use port numbers to allow traffic onto the network.

2. Correct answer: B

a. Incorrect: Encrypting File System only provides security for the storage medium, not for network traffic.

b. Correct: Connection security rules require that network traffic allowed through the firewall use IPsec for security.

c. Incorrect: User Account Control cannot restrict network traffic.

d. Incorrect: Kerberos is an authentication protocol. It cannot restrict network traffic.

3. Correct answer: C

a. Incorrect: You can allow an application through the firewall for all three profiles by using the Windows Firewall control panel.

b. Incorrect: You can use the Windows Firewall control panel to block all incoming connections for all three profiles.

c. Correct: You cannot block traffic based on port numbers for all three profiles by using the Windows Firewall control panel.

d. Incorrect: You can use the Windows Firewall control panel to turn the firewall on and off for any of the three profiles.

4. Correct answer: C

a. Incorrect: File Explorer displays a link that enables the Network Discovery rules.

b. Incorrect: The Network and Sharing Center control panel contains a link that provides access to controls for the Network Discovery tools.

c. Correct: The Action Center control panel does not contain Network Discovery controls.

d. Incorrect: The Allowed Apps dialog box contains controls for the Network Discovery rules.

5. Correct answers: B, C

a. Incorrect: Firewall rules applied with Group Policy combine with the existing rules.

b. Correct: Firewall rules applied with Group Policy combine with the existing rules.

c. Correct: Importing Windows Firewall rules from another system overwrites all the existing rules.

d. Incorrect: Importing rules overwrites the existing rules; it does not combine them.

Appendix A. About the Author

CRAIG ZACKER is the author or co-author of dozens of books, articles, and websites on operating systems, networking topics, and PC hardware, including Microsoft Learning’s Windows Small Business Server 2011 Administrator’s Pocket Consultant and MCITP Self-Paced Training Kit for Exam 70-686: Windows 7 Desktop Administrator. He has also been an English professor, a network administrator, a webmaster, a corporate trainer, a photographic technician, a library clerk, a student, and a newspaper delivery boy. He lives in a little house with his beautiful wife and a neurotic cat.

Index

A NOTE ON THE DIGITAL INDEX

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

Symbols

-addmbr <members> command-line parameter, Manage Group Membership by Using Group Policy

-chmbr <members> command-line parameter, Managing Group Objects by Using Dsmod.exe

-desc <description> command-line parameter, Creating Groups from the Command Line

-EnclosureAwareDefault option (New-StoragePool cmdlet), Creating a storage pool

-member <GroupDN> command-line parameter, Creating Groups from the Command Line

-memberof <GroupDN> command-line parameter, Creating Groups from the Command Line

-ProvisioningTypeDefault option (New-StoragePool cmdlet), Creating a storage pool

-Remove flag, Using Features on Demand

-ResiliencySettingsNameDefault option (New-StoragePool cmdlet), Creating a storage pool

-rmmbr <members> command-line parameter, Managing Group Objects by Using Dsmod.exe

-samid <SAMName> command-line parameter, Creating Groups from the Command Line

-scope l|g|u command-line parameter, Creating Groups from the Command Line, Manage Group Membership by Using Group Policy

-secgrp yes|no command-line parameter, Creating groups, Manage Group Membership by Using Group Policy

6to4 mechanism, IP transitioning, Tunneling

“Just a Bunch of Disks” (JBOD) arrays, How many servers do I need?

A

A (Address) resource records, Creating an Active Directory Zone

AAAA (Address) resource records, Creating an Active Directory Zone

ABE (access-based enumeration), Creating folder shares

access control entries (ACEs), Creating folder shares

access control list (ACL), Creating folder shares

access tokens, Using OUs to delegate Active Directory management tasks

access-based enumeration (ABE), Creating folder shares

accessing

files, configuring share access, Configuring server roles and features

folder shares, Creating folder shares

NTFS quotas, Configuring Volume Shadow Copies

permissions, Creating folder shares

Volume Shadow Copies, Combining share permissions with NTFS permissions

Work Folders, Configuring Work Folders

Account Operators group, Creating Computer Objects While Joining

ACEs (access control entries), Creating folder shares

ACL (access control list), Creating folder shares

Action parameter (New Inbound Rule Wizard), Creating rules

Activate instance ntds command, Installing AD DS on Server Core

Activate Scope page (New Scope Wizard), Creating a scope

Active Directory Administrative Center console, Creating user objects

creating computer objects, Creating computer objects by using Active Directory Administrative Center

creating single AD DS users, User creation tools

Active Directory Domain Services. (see AD DS)

Active Directory Object Type page (Delegation of Control Wizard), Using OUs to delegate Active Directory management tasks

Active Directory objects, management, Creating computer objects by using Active Directory Administrative Center

Active Directory Sites And Services console, Configuring the global catalog

Active Directory tab

adding servers in Server Manager, Adding servers

Active Directory Users and Computers console, Creating user objects

Copy Object-User Wizard, Using Windows Powershell

creating computer objects, Creating computer objects by using Active Directory Users And Computers

creating user templates, Using Windows Powershell

New Object - User Wizard, Creating single users

Active Directory Zone Replication Scope page (New Zone Wizard), Using Active Directory–Integrated Zones

Active Directory-integrated zones, Creating zones

active/active configuration (Switch Independent Mode), Configuring NIC teaming

active/standby configuration (Switch Independent Mode), Configuring NIC teaming

AD DS

Configuration Wizard, Installing the Active Directory Domain Services role

domain controllers, Installing and administering Active Directory

adding to existing domains, Creating a new forest

configuring the global catalog, Removing a domain controller

creating a new child domain in a forest, Adding a domain controller to an existing domain

creating a new forest, Installing the Active Directory Domain Services role

deploying IaaS on Windows Azure, Upgrading Active Directory Domain Services

Install from Media (IFM) option, Installing AD DS on Server Core

installing AD DS on Server Core, Creating a new child domain in a forest

installing AD DS role, Objective 5.1: Install domain controllers

removing, Deploying Active Directory IaaS on Windows Azure

troubleshooting DNS SRV registration failure, Configuring the global catalog

upgrading AD DS, Using Install from Media (IFM)

Installation Wizard, Installing the Active Directory Domain Services role

management of groups and OUs, Objective review

creating OUs, Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

using OUs to assign Group Policy settings, Using OUs to assign Group Policy settings

using OUs to delegate AD management tasks, Using OUs to assign Group Policy settings

working with groups, Using OUs to delegate Active Directory management tasks

management of users and computers, Objective review

Active Directory objects, Creating computer objects by using Active Directory Administrative Center

creating computer objects, Using Windows Powershell

creating user objects, Objective review

adapters, virtual networks, Configuring MAC addresses

advanced network adapter features, Configuring hardware acceleration settings

emulated adapters, Synthetic adapters and emulated adapters

hardware acceleration settings, Synthetic adapters and emulated adapters

synthetic adapters, Synthetic adapters and emulated adapters

Add action, LDIFDE.exe utility, Using CSVDE.exe

Add Exclusions And Delay page (New Scope Wizard), Creating a scope

Add Features That Are Required dialog box, Adding roles and features

Add Features That Are Required For Active Directory Domain Services dialog box, Objective 5.1: Install domain controllers

Add Features That Are Required For Hyper-V dialog box, Installing Hyper-V

Add Or Remove Snap-Ins dialog box, Creating multiple local GPOs

Add Printer Wizard, Advanced Printing Configurations

Add Roles And Features Wizard

Create Virtual Switches page, Installing Hyper-V

Virtual Machine Migration page, Installing Hyper-V

Add Servers dialog box, Adding servers, Adding servers

Add Workstations To The Domain right, Creating Computer Objects While Joining

Add-DnsServerPrimaryZone cmdlet, Creating an Active Directory Zone

Add/Remove Servers dialog box, Using the Print and Document Services role

adding

print servers, Using the Print and Document Services role, Using the Print and Document Services role

servers, Server Manager, Objective 2.3: Configure servers for remote management

Additional Drivers dialog box, Sharing a printer

Additional Options page (AD DS Configuration Wizard), Adding a domain controller to an existing domain

Additional Rules folder (Software Restriction Policies node), Using software restriction policies

Additive permission management task, Understanding basic and advanced permissions

Address (A) resource records, Creating an Active Directory Zone

Address (AAAA) resource records, Creating an Active Directory Zone

addresses

IPv4 addressing. (see IPv4 addressing)

IPv6 addressing. (see IPv6 addressing)

administration

AD DS

domain controllers, Installing and administering Active Directory

management of groups and OUs, Objective review

management of users and computers, Objective review

administrative tasks, configuring User Account Control, Understanding User Account Control (UAC)

Administrative Templates subnode, Configuring Group Policy settings

Administrators and Nonadministrators Group Policy layer, Configuring Group Policy settings

Administrators group, Creating Computer Objects While Joining

ADMX files, Nonlocal GPOs

Adprep.exe functionality, Upgrading Active Directory Domain Services

advanced network adapter features, Configuring hardware acceleration settings

advanced NTFS permissions, assigning, Assigning basic NTFS permissions

advanced permissions, Understanding basic and advanced permissions

advanced printing configurations, Advanced Printing Configurations

Advanced Security Settings dialog box, Understanding basic and advanced permissions, Setting share permissions

Advanced Sharing dialog box, Creating folder shares

aggregation (NIC teaming), Configuring NIC teaming

All Servers home page (Server Manager), Adding servers

allocating memory, Hyper-V Manager console, Allocating memory

allocation methods

DHCP IP addresses, Understanding DHCP

Allocation Unit Size option, Configuring the Format Partition page, Creating a simple volume

Allow (access control entry), Understanding basic and advanced permissions

Allow Manage This Printer permission, Managing printers

Allow Management Operating System To Share This Network Adapter option, Creating a new virtual switch

Allowed Apps dialog box, Working with Windows Firewall, Allowing applications

allowing permissions, Understanding basic and advanced permissions

AMD Virtualization (AMD-V) technology, Hyper-V Server

AMD-V (AMD Virtualization) technology, Hyper-V Server

anycast addresses, IPv6, Link-Local Unicast Addresses

Anycast transmissions, IPv6 addressing, Contracting IPv6 Addresses

APIPA (Automatic Private IP Addressing), Dynamic Host Configuration Protocol (DHCP)

Application Identity service, AppLocker and, Creating default rules

application restriction policies (GP), Objective review

AppLocker, Using AppLocker

configuring restriction properties, Path Rules

configuring rules, Enforcing restrictions

enforcing restrictions, Using software restriction policies

AppLocker, Using AppLocker

architecture

DNS, Objective 4.3: Deploy and configure the DNS service

client-side resolver caching, Client-side resolver caching

DNS communications, Understanding the DNS architecture

forwarders, DNS forwarders

referrals and queries, Client-side resolver caching

reverse name resolution, DNS forwarders

server caching, DNS communications

permissions, Creating folder shares

virtualization, Objective 3.1: Create and configure virtual machine settings

Windows print architecture, Understanding the Windows print architecture

Assign Drive Letter Or Path page (New Simple Volume Wizard), Creating a simple volume

Assign Drive Letter Or Path page (New Volume Wizard), Creating a striped, spanned, mirrored, or RAID-5 volume

Assign The Following Drive Letter option, Creating a simple volume

assigning

IPv4 addresses, Supernetting

IPv6 addresses, Link-Local Unicast Addresses

user rights, Creating Computer Objects While Joining

local security policies, Planning and configuring an audit policy

assigning permissions, Creating folder shares

advanced NTFS permissions, Assigning basic NTFS permissions

allowing/denying permissions, Understanding basic and advanced permissions

basic and advanced permissions, Understanding basic and advanced permissions

basic NTFS permissions, Setting share permissions

combining share permissions with NTFS permissions, Assigning basic NTFS permissions

effective access, Allowing and denying permissions

inherited permissions, Allowing and denying permissions

NTFS authorization, Setting share permissions

setting share permissions, Understanding effective access

Windows permission architecture, Creating folder shares

Attach A Virtual Hard Disk Later option, Connect Virtual Hard Disk page, Creating a virtual disk with a VM

attributes

creating user accounts, Creating user templates

Audit Directory Service Access event category, Planning and configuring an audit policy

Audit Object Access event category, Planning and configuring an audit policy

audit policies, GPOs, Objective 6.2: Configure security policies

authentication, Objective review

Authentication Method parameter (New Connection Security Rule Wizard), Creating connection security rules

authorization, Objective review

automatic allocation

definition, Understanding DHCP

Automatic Private IP Addressing (APIPA), Dynamic Host Configuration Protocol (DHCP)

Automatically Generate Rules Wizard, Creating default rules

B

Backup function (Guest Integration Services), Configuring Guest Integration Services

Backup Operators group, Creating Computer Objects While Joining

balancing (NIC teaming), Configuring NIC teaming

basic disks, Selecting a partition style

basic NTFS permissions, assigning, Setting share permissions

basic permissions, Understanding basic and advanced permissions

Basic User approach, enforcing restrictions, Using software restriction policies

bonding (NIC teaming), Configuring NIC teaming

boot threshold, Deploying a DHCP relay agent

boot vendor information extensions, DHCP options

BOOTP (Bootstrap Protocol), DHCP options

Bootstrap Protocol (BOOTP), DHCP options

Browse For A Group Policy Object dialog box, Creating multiple local GPOs

C

caching

DNS servers, DNS communications

Canonical Name (CNAME) resource records, Creating an Active Directory Zone

capabilities, Server Core, Server Core Capabilities

Central Store, configuring, Nonlocal GPOs

certificate rules, Configuring software restriction rules

Change Zone Replication Scope dialog box, Creating resource records

checkpoints, Modifying virtual disks

child domains

creating in a forest, Adding a domain controller to an existing domain

child partitions, Virtualization architectures

CIDR (Classless Inter-Domain Routing), Classless Inter-Domain Routing

classes

IPv4 addresses, IPv4 addressing

classful addressing, IPv4, IPv4 addressing

Classless Inter-Domain Routing (CIDR), Classless Inter-Domain Routing

client-side resolver caching, DNS, Client-side resolver caching

client-side caching, Creating folder shares

clients, DHCP, Understanding DHCP

cmdlets

Add-DnsServerPrimaryZone, Creating an Active Directory Zone

Enable-VMResourceMetering, Configuring resource metering

Get-PhysicalDisk, Creating a storage pool

Get-StorageSubsystem, Creating a storage pool

Install-ADDSDomain, Creating a new child domain in a forest

Install-ADDSDomainController, Creating a new child domain in a forest

Install-ADDSForest, Creating a new child domain in a forest

Install-WindowsFeature, Creating a new child domain in a forest

Measure-VM, Configuring resource metering

New-ADUser, Using Dsadd.exe

New-GPO, Managing starter GPOs

New-StoragePool, Creating a storage pool

options, Creating a storage pool

New-VHD, Creating a new virtual disk

New-VM, Creating a virtual machine

New-VMResourcePool, Configuring resource metering

New-VMSwitch, Creating a new virtual switch

Set-VMMemory, Using Dynamic Memory

Uninstall-WindowsFeature, Using Features on Demand

CNAME (Canonical Name) resource records, Creating an Active Directory Zone

Comma-Separated Value Directory Exchange (CSVDE.exe) command-line tool, Creating user objects

creating multiple AD DS users, Creating user templates

command-line tools, postinstallation tasks, Using GUI tools

commands

Activate instance ntds, Installing AD DS on Server Core

Create Full|RODC, Using Install from Media (IFM)

Get-Help, Installing AD DS on Server Core

Ifm, Installing AD DS on Server Core

Ntdsutil, Installing AD DS on Server Core

communications

DHCP, DHCP Extensions, DHCP Lease Negotiation

lease negotiation, DHCP Extensions

lease renewal, DHCP Lease Negotiation

DNS, Understanding the DNS architecture

Compact function (Edit Virtual Hard Disk Wizard), Modifying virtual disks

Compatibility Report page (Setup program), Preparing to upgrade

Completing The New Simple Volume Wizard page (New Simple Volume Wizard), Creating a simple volume

Computer Name tab, System Properties sheets, Managing multiple users

Computer Name/Domain Changes dialog box, Managing multiple users

computers, AD DS management, Objective review

Active Directory objects, Creating computer objects by using Active Directory Administrative Center

creating computer objects, Using Windows Powershell

Configuration page (Routing and Remote Access Server Setup Wizard), Deploying a DHCP relay agent

configuration scripts, DSC, Using Windows PowerShell Desired State Configuration (DSC)

configurations

virtual networks, Configuring a NIC team virtual network adapter

Configure DHCP Options page (New Scope Wizard), Creating a scope

Configure Networking page (New Virtual Machine Wizard), Creating a virtual machine

Configure Remote Access Getting Started Wizard, Deploying a DHCP relay agent

Configure Share Settings page (New Share Wizard), Creating folder shares

configuring

core network services

DHCP service, UnderstandingDHCP

DNS, Objective 4.3: Deploy andconfigure the DNS service

1282/1537

IPv4 and IPv6 addressing,Deploying and configuring corenetwork services

file and share access, Configuringserver roles and features

folder shares, Creating foldershares

NTFS quotas, Configuring VolumeShadow Copies

permissions, Creating foldershares

Volume Shadow Copies, Combin-ing share permissions with NTFSpermissions

1283/1537

Work Folders, Configuring WorkFolders

global catalog, Removing a domaincontroller

Group Policy settings, ConfiguringGroup Policy settings

Hyper-V

virtual machine settings,Configuring Hyper-V

local storage, Objective review

disk settings, Using StorageSpaces

1284/1537

disks, Understanding volumetypes

planning storage needs, Objectivereview

print and document services, Object-ive review

deploying print servers, Objectivereview

document management, Config-uring printer security

managing printers, Managingprinters

1285/1537

Print and Document Servicesrole, Creating a printer pool

sharing printers, Advanced Print-ing Configurations

printer security, Using remote accessEasy Print

roles and features

file and share access, Configuringserver roles and features

print and document services, Ob-jective review

servers for remote management,Objective review

1286/1537

servers, Objective review

delegating server administration,Configuring services

DSC (Desired State Configura-tion), Configuring services

postinstallation tasks, Objectivereview

remote management, Objectivereview

Server Manager tool, Using Serv-er Manager

services, Configuring services

1287/1537

software restriction policies (GP),Enforcing restrictions

software restriction properties, PathRules

virtual machine settings,Configuring Hyper-V

Hyper-V implementations, Virtu-alization architectures

Hyper-V Manager, InstallingHyper-V

installing Hyper-V, Hyper-VServer

1288/1537

resource metering, Using Dynamic Memory

virtualization architectures, Objective 3.1: Create and configure virtual machine settings

virtual machine storage, Objective 3.2: Create and configure virtual machine storage

checkpoints, Modifying virtual disks

connecting to a SAN, Configuring Storage Quality of Service (QoS)

modifying virtual disks, Modifying virtual disks

pass-through disks, Creating differencing disks

QoS (Quality of Service), Creating checkpoints

virtual disk formats, Objective 3.2: Create and configure virtual machine storage

virtual disks, Virtual disk formats

virtual networks, Objective review

configurations, Configuring a NIC team virtual network adapter

NIC teaming, Configuring hardware acceleration settings

virtual network adapters, Configuring MAC addresses

virtual switches, Objective 3.3: Create and configure virtual networks

Windows Firewall, Managing Windows Server 2012 R2 servers, Objective 6.4: Configure Windows Firewall

control panel applet, Working with Windows Firewall

settings, Objective 6.4: Configure Windows Firewall

Windows Firewall with Advanced Security snap-in, Allowing applications

WinRM, Managing Windows Server 2012 R2 servers

Connect Virtual Hard Disk page (New Virtual Machine Wizard), Creating a virtual machine, Virtual disk formats

connections

SANs (storage area networks), Configuring Storage Quality of Service (QoS)

Fibre Channel, Connecting to a storage area network (SAN)

virtual machines to SANs, Using Fibre Channel

containers, Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

contextual tasks, addressing remote servers, Using Remote Server Administration Tools

contracting IPv6 addresses, Contracting IPv6 Addresses

control panel applet, Windows Firewall, Working with Windows Firewall

Convert function (Edit Virtual Hard Disk Wizard), Modifying virtual disks

Convert To GPT Disk option, Adding a new physical disk

Convert To MBR Disk option, Adding a new physical disk

converting groups, AD DS, Managing Group Objects by Using Dsmod.exe

Copy Object-User Wizard, Using Windows PowerShell

core network services

DHCP, Understanding DHCP

communications, DHCP Extensions

deploying DHCP relay agents, Using PXE

deploying DHCP servers, DHCP Lease Renewal

IP address allocation methods, Understanding DHCP

options, DHCP options

DNS, Objective 4.3: Deploy and configure the DNS service

architecture, Objective 4.3: Deploy and configure the DNS service

deploying servers, Reverse name resolution

IPv4 and IPv6 addressing, Deploying and configuring core network services

assigning IPv4 addresses, Supernetting

assigning IPv6 addresses, Link-Local Unicast Addresses

CIDR (Classless Inter-Domain Routing), Classless Inter-Domain Routing

introduction to IPv6 addressing, Dynamic Host Configuration Protocol (DHCP)

IPv4 classful addressing, IPv4 addressing

IPv4 subnetting, Public and private IPv4 addressing

IPv6 address types, Contracting IPv6 Addresses

planning an IP transition, Subnetting IPv6 Addresses

public and private IPv4 addressing, Public and private IPv4 addressing

subnetting IPv6 addresses, Subnetting IPv6 Addresses

supernetting, IPv4 subnetting

Create A Virtual Hard Disk option, Connect Virtual Hard Disk page, Virtual disk formats

Create And Attach Virtual Hard Disk dialog box, Creating and mounting virtual hard disks (VHDs)

Create Full|RODC command, Using Install from Media (IFM)

Create Group window, AD Administrative Center console, Nesting groups

Create Organizational Unit window, AD DS Administrative Center console, Creating OUs

Create Server Group dialog box, Managing down-level servers

Create User window (Active Directory Administrative Center console), User creation tools

Create Virtual Switches page (Add Roles and Features Wizard), Installing Hyper-V

creating

checkpoints, Modifying virtual disks

computer objects, AD DS, Using Windows PowerShell

differencing disks, Creating differencing disks

folder shares, Creating folder shares

forests, Installing the Active Directory Domain Services role

Group Policy settings

GPOs (Group Policy Objects), Creating and managing Group Policy

software restriction policies, Objective review

Windows Firewall, Objective 6.4: Configure Windows Firewall

groups, AD DS, Nesting groups

OUs (organizational units), AD DS, Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

printer pools, Setting printer priorities

reservations, DHCP servers, Configuring DHCP options

resource records, DNS, Creating an Active Directory Zone

Restricted Groups policies, Manage Group Membership by Using Group Policy

scope, DHCP servers, DHCP Lease Renewal

server groups, Managing down-level servers

user objects, AD DS, Objective review

multiple users, Creating user templates

single users, User creation tools

user templates, Using Windows PowerShell

virtual disks, Creating a storage pool, Virtual disk formats

virtual machine settings, Configuring Hyper-V

Hyper-V implementations, Virtualization architectures

Hyper-V Manager, Installing Hyper-V

installing Hyper-V, Hyper-V Server

resource metering, Using Dynamic Memory

virtualization architectures, Objective 3.1: Create and configure virtual machine settings

virtual machine storage, Objective 3.2: Create and configure virtual machine storage

checkpoints, Modifying virtual disks

connecting to a SAN, Configuring Storage Quality of Service (QoS)

modifying virtual disks, Modifying virtual disks

pass-through disks, Creating differencing disks

QoS (Quality of Service), Creating checkpoints

virtual disk formats, Objective 3.2: Create and configure virtual machine storage

virtual disks, Virtual disk formats

virtual networks, Objective review

configurations, Configuring a NIC team virtual network adapter

NIC teaming, Configuring hardware acceleration settings, Creating the NIC team

virtual network adapters, Configuring MAC addresses

virtual switches, Objective 3.3: Create and configure virtual networks, Creating the default virtual switch

zones, DNS servers, Creating zones

creation permissions, Using OUs to delegate Active Directory management tasks

creation tools, creating AD DS user objects, Creating user objects

credential prompts, User Account Control, Understanding User Account Control (UAC)

Credentials For Deployment Operation dialog box, Creating a new forest

CSV files, Creating user templates

CSVDE.exe (Comma-Separated Value Directory Exchange) command-line tool, Creating user objects

creating multiple AD DS users, Creating user templates

Custom Configuration page (Routing and Remote Access Server Setup Wizard), Deploying a DHCP relay agent

Custom Filters node (Print Management console), Viewing printers

Customize Settings dialog box, Using the Windows Firewall control panel applet

D

Dashboard page (Server Manager), Using Server Manager

Data Exchange function (Guest Integration Services), Configuring Guest Integration Services

Data Execution Prevention (DEP), Hyper-V Server

Datacenter edition, Selecting a Windows Server 2012 R2 edition

Hyper-V licensing, Hyper-V licensing

support for Hyper-V, Supporting server roles

Dcpromo.exe program, Installing the Active Directory Domain Services role

Default Domain Controllers Policy GPO, Creating Computer Objects While Joining

Default Gateway option, manual configuration of IPv4 addresses, Manual IPv4 Address Configuration

default installation, Server Core, Using Server Core

default rules, AppLocker, Creating default rules

Default Security Level setting (Software Restriction Policies node), Using software restriction policies

default virtual switches, Objective 3.3: Create and configure virtual networks

delegating

printer privileges, Configuring services

server administration, Configuring services

Delegation of Control Wizard, Using OUs to assign Group Policy settings

Delete action, LDIFDE.exe utility, Using CSVDE.exe

deleting

groups, AD DS, Managing Group Objects by Using Dsmod.exe

deletion permissions, Using OUs to delegate Active Directory management tasks

Deny (access control entry), Understanding basic and advanced permissions

denying permissions, Understanding basic and advanced permissions

DEP (Data Execution Prevention), Hyper-V Server

Deploy With Group Policy dialog box, Deploying printers with Group Policy

deploying

Active Directory IaaS on Windows Azure, Upgrading Active Directory Domain Services

core network services

DHCP, Understanding DHCP

DNS, Objective 4.3: Deploy and configure the DNS service

IPv4 and IPv6 addressing, Deploying and configuring core network services

DHCP relay agents, Using PXE

DHCP servers, DHCP Lease Renewal

configuring DHCP options, Creating a scope

creating a scope, DHCP Lease Renewal

creating reservations, Configuring DHCP options

PXE, Creating a reservation

DNS servers, Reverse name resolution

configuring settings, Creating resource records

creating zones, Creating zones

resource records, Creating an Active Directory Zone

Group Policy settings

GPOs (Group Policy Objects), Creating and managing Group Policy

software restriction policies, Objective review

Windows Firewall, Objective 6.4: Configure Windows Firewall

print servers, Objective review

understanding Windows printing, Understanding the Windows print architecture

Windows print architecture, Understanding the Windows print architecture

Windows print flexibility, Understanding Windows printing

printers with Group Policy, Deploying printers with Group Policy

roles to VHDs, Adding roles and features

Deployment Configuration page (AD DS Configuration Wizard), Installing the Active Directory Domain Services role, Adding a domain controller to an existing domain

deprecated IPv6 addresses, Link-Local Unicast Addresses

Designated File Types properties, Enforcement Properties

Desired State Configuration (DSC), Configuring services

DHCP (Dynamic Host Configuration Protocol), Understanding DHCP

communications, DHCP Extensions, DHCP Extensions

lease negotiation, DHCP Extensions

lease renewal, DHCP Lease Negotiation

deploying DHCP relay agents, Using PXE

deploying servers, DHCP Lease Renewal

configuring DHCP options, Creating a scope

creating a scope, DHCP Lease Renewal

creating reservations, Configuring DHCP options

PXE, Creating a reservation

IP address allocation methods, Stateless IPv6 Address Autoconfiguration, Understanding DHCP

manual configuration of IPv4 addresses, Manual IPv4 Address Configuration

options, DHCP options

DHCP Relay Agent Properties sheet, Deploying a DHCP relay agent

DHCPACK message type, DHCP, DHCP options

DHCPDECLINE message type, DHCP, DHCP options

DHCPDISCOVER message type, DHCP, DHCP options

DHCPINFORM message type, DHCP, DHCP options

DHCPNAK message type, DHCP, DHCP options

DHCPOFFER message type, DHCP, DHCP options

DHCPRELEASE message type, DHCP, DHCP options

DHCPREQUEST message type, DHCP, DHCP options

dialog boxes

Add Features That Are Required, Adding roles and features

Add Features That Are Required For Active Directory Domain Services, Objective 5.1: Install domain controllers

Add Features That Are Required For Hyper-V, Installing Hyper-V

Add Or Remove Snap-Ins, Creating multiple local GPOs

Add Servers, Adding servers, Adding servers

Add/Remove Servers, Using the Print and Document Services role

Additional Drivers, Sharing a printer

Advanced Security Settings, Understanding basic and advanced permissions, Setting share permissions

Advanced Sharing, Creating folder shares

Allowed Apps, Working with Windows Firewall, Allowing applications

Browse For A Group Policy Object, Creating multiple local GPOs

Change Zone Replication Scope, Creating resource records

Computer Name/Domain Changes, Managing multiple users

Create And Attach Virtual Hard Disk, Creating and mounting virtual hard disks (VHDs)

Create Server Group, Managing down-level servers

Credentials For Deployment Operation, Creating a new forest

Customize Settings, Using the Windows Firewall control panel applet

Deploy With Group Policy, Deploying printers with Group Policy

File Sharing, Creating folder shares

Import Policy From, Importing security templates into GPOs

Move, Creating OUs

New GPO, Creating and linking nonlocal GPOs

New Group, Using the Local Users And Groups snap-in

New Host, Creating resource records

New Interface For DHCP Relay Agent, Deploying a DHCP relay agent

New Object-Group, Creating groups

New Path Rule, Enforcing restrictions

New User, Using the Local Users And Groups snap-in

NIC Teaming, Creating the NIC team

Select A Domain From The Forest, Creating a new forest

Select GPO, Creating and linking nonlocal GPOs

Select Print Server, Using the Print and Document Services role

Select Users, Using the Local Users And Groups snap-in

Settings, new virtual machines, Creating a virtual machine

Shadow Copies, Combining share permissions with NTFS permissions

User Account Control Settings, Configuring UAC

Validation Results, Deploying Active Directory IaaS on Windows Azure

Virtual Switch Manager, Creating the default virtual switch

differencing disks, Creating a virtual disk with a VM, Creating differencing disks

differencing hard disk image VHD files, Virtual disk formats

direct printing, Windows printing flexibility

Directory Services Restore Mode (DSRM), Creating a new forest

directory services, definition, Installing and administering Active Directory

Disabled state, Administrative Template settings, Configuring Group Policy settings

disabling user accounts, Creating Computer Objects While Joining

Disallowed approach, enforcing restrictions, Using software restriction policies

Disk Management snap-in, Understanding disk types, Working with disks

creating simple volumes, Creating a simple volume

disk virtualization technology, Storage Spaces, How many servers do I need?

DiskPart.exe utility, Creating a simple volume

disks

configuring local storage, Understanding volume types

adding physical disks, Working with disks

creating a simple volume, Creating virtual disks

storage pools, Creating and mounting virtual hard disks (VHDs)

striped, spanned, mirrored, RAID-5 volumes, Creating a simple volume

VHDs (virtual hard disks), Adding a new physical disk

virtual disks, Creating a storage pool

settings, Using Storage Spaces

disk types, Selecting a partition style

partition style, Using Storage Spaces

Disks tile (Server Manager), Working with disks

disks, virtual

creating, Virtual disk formats

formats, Objective 3.2: Create and configure virtual machine storage

modifying, Modifying virtual disks

pass-through disks, Creating differencing disks

QoS (Quality of Service), Creating checkpoints

distinguished name (DN), users, Using Dsadd.exe

Distributed Scan Server option (Select Role Services page), Creating a printer pool

distribution groups, Working with groups

Djoin.exe command-line tool, joining a domain while offline, Creating Computer Objects While Joining

DN (distinguished name), users, Using Dsadd.exe

dn attribute, Creating user templates

DNS (Domain Name System), Objective 4.3: Deploy and configure the DNS service

architecture, Objective 4.3: Deploy and configure the DNS service

client-side resolver caching, Client-side resolver caching

DNS communications, Understanding the DNS architecture

forwarders, DNS forwarders

referrals and queries, Client-side resolver caching

reverse name resolution, DNS forwarders

server caching, DNS communications

deploying servers, Reverse name resolution

configuring settings, Creating resource records

creating zones, Creating zones

resource records, Creating an Active Directory Zone

DNS SRV registration failure, Configuring the global catalog

DNS tab

adding servers in Server Manager, Adding servers

Do Not Assign A Drive Letter Or Drive Path option, Creating a simple volume

document services, configuring, Objective review

deploying print servers, Objective review

understanding Windows printing, Understanding the Windows print architecture

Windows print architecture, Understanding the Windows print architecture

Windows print flexibility, Understanding Windows printing

document management, Configuring printer security

managing printers, Managing printers

Print and Document Services role, Creating a printer pool

adding print servers, Using the Print and Document Services role

deploying printers with Group Policy, Deploying printers with Group Policy

viewing printers, Viewing printers

sharing printers, Advanced Printing Configurations

configuring printer security, Using remote access Easy Print

managing printer drivers, Sharing a printer

remote access Easy Print, Sharing a printer

Domain Admins group, Upgrading Active Directory Domain Services

Domain Controller Options page (AD DS Configuration Wizard), Creating a new forest, Creating a new forest

domain controllers

installation, Installing and administering Active Directory

adding to existing domains, Creating a new forest

configuring the global catalog, Removing a domain controller

creating a new child domain in a forest, Adding a domain controller to an existing domain

creating a new forest, Installing the Active Directory Domain Services role

deploying IaaS on Windows Azure, Upgrading Active Directory Domain Services

Install from Media (IFM) option, Installing AD DS on Server Core

installing AD DS on Server Core, Creating a new child domain in a forest

installing AD DS role, Objective 5.1: Install domain controllers

troubleshooting DNS SRV registration failure, Configuring the global catalog

upgrading AD DS, Using Install from Media (IFM)

removing, Deploying Active Directory IaaS on Windows Azure

domain local groups, AD DS, Working with groups

Domain Name And DNS Servers page (New Scope Wizard), Creating a scope

Domain Name System. (see DNS (Domain Name System))

domain users, Creating user objects

domains

adding domain controllers to existing domains, Creating a new forest

definition, Installing and administering Active Directory

joining computers to, Managing multiple users

down-level servers, Configuring Windows Firewall

drivers

printers, Sharing a printer

Dsadd.exe command-line tool, Creating user objects

creating computer objects, Creating computer objects by using Active Directory Administrative Center

creating group objects, Creating groups

creating single AD DS users, Creating single users

DSC (Desired State Configuration), Configuring services

DSC Service, Using Windows PowerShell Desired State Configuration (DSC)

Dsmod.exe command-line tool

managing group objects, Manage Group Membership by Using Group Policy

DSRM (Directory Services Restore Mode), Creating a new forest

dual IP stacks, IP transitioning, Using a dual IP stack

DVD drive settings, virtual machines, Installing an operating system

dynamic allocation

assigning IPv6 addresses, Assigning IPv6 addresses

definition, Understanding DHCP

dynamic disks, Understanding disk types

dynamic hard disk image VHD files, Virtual disk formats

Dynamic Host Configuration Protocol. (see DHCP (Dynamic Host Configuration Protocol))

Dynamic Memory, Hyper-V Manager console, Allocating memory

Dynamic Update page (New Zone Wizard), Using Active Directory–Integrated Zones

Dynamically Expanding disks, Creating a virtual disk with a VM

Dynamically Expanding VHD Type option, Creating and mounting virtual hard disks (VHDs)

E

Easy Print, Sharing a printer

Edit Virtual Hard Disk Wizard, Modifying virtual disks

editions, Selecting a Windows Server 2012 R2 edition

effective access, assigning permissions, Allowing and denying permissions

elevation prompts, User Account Control, Performing administrative tasks

emulated adapters, Synthetic adapters and emulated adapters

Enable DHCP Guard (advanced network adapter feature), Configuring hardware acceleration settings

Enable File And Folder Compression option, Configuring the Format Partition page, Creating a simple volume

Enable IPsec Task Offloading (hardware acceleration setting), Configuring hardware acceleration settings

Enable MAC Address Spoofing (advanced network adapter feature), Configuring hardware acceleration settings

Enable Single Root I/O Virtualization (SR-IOV) option, Creating a new virtual switch

Enable Virtual LAN Identification For Management Operating System option, Creating a new virtual switch

Enable Virtual Machine Queue (hardware acceleration setting), Synthetic adapters and emulated adapters

Enable-VMResourceMetering cmdlet, Configuring resource metering

Enabled state, Administrative Template settings, Configuring Group Policy settings

Endpoints parameter (New Connection Security Rule Wizard), Creating connection security rules

Enforcement properties, Enforcement Properties

enforcing restrictions, Group Policy, Using software restriction policies

enhanced session mode, Configuring Guest Integration Services

Enhanced Session Mode Policy settings, Using Enhanced Session mode

Enterprise Admins group, Upgrading Active Directory Domain Services

Essentials edition, Selecting a Windows Server 2012 R2 edition

Executable Rules node, AppLocker, Understanding rule types

eXecute Disable (XD), Hyper-V Server

Expand function (Edit Virtual Hard Disk Wizard), Modifying virtual disks

Export Configuration Settings function, Installing the Active Directory Domain Services role

expressing IPv6 network addresses, Contracting IPv6 Addresses

External virtual switches, Creating a new virtual switch

F

FAT file systems, Understanding volume types

fault tolerance, Storage Spaces, Creating virtual disks

FCoE (Fibre Channel over Ethernet), Using Fibre Channel

features

adding, Server Manager tool, Adding servers

configuring

file and share access, Configuring server roles and features

print and document services, Objective review

servers for remote management, Objective review

Features on Demand, Using the Minimal Server Interface

Fibre Channel, Connecting to a storage area network (SAN)

Fibre Channel over Ethernet (FCoE), Using Fibre Channel

File and Storage Services home page (Server Manager), Creating folder shares

File and Storage Services role, Understanding volume types

file hash rules, Understanding rule types

File Server Resource Manager quotas, Configuring Volume Shadow Copies

File Server role service, Creating folder shares

File Sharing, Working with Windows Firewall

File Sharing dialog box, Creating folder shares

File System option, Configuring the Format Partition page, Creating a simple volume

file systems, Understanding volume types

files

ADMX, Nonlocal GPOs

configuring, Configuring server roles and features

folder shares, Creating folder shares

NTFS quotas, Configuring Volume Shadow Copies

permissions, Creating folder shares

Volume Shadow Copies, Combining share permissions with NTFS permissions

Work Folders, Configuring Work Folders

CSV, Creating user templates

Firewall

configuring, Managing Windows Server 2012 R2 servers

Firewall (Windows), Objective 6.4: Configure Windows Firewall

control panel applet, Working with Windows Firewall

settings, Objective 6.4: Configure Windows Firewall

Windows Firewall with Advanced Security snap-in, Allowing applications

first bit values, IP addresses, IPv4 classful addressing

fixed hard disk image VHD files, Virtual disk formats

Fixed Provisioning Type option, Creating virtual disks

Fixed Size (Recommended) VHD Type option, Creating and mounting virtual hard disks (VHDs)

Fixed Size disks, Creating a virtual disk with a VM

flexibility, Windows printing, Understanding Windows printing

folder shares, creating, Creating folder shares

forests

creating, Installing the Active Directory Domain Services role

creating new child domains in, Adding a domain controller to an existing domain

Format Partition page (New Simple Volume Wizard), Creating a simple volume

formats

virtual disks, Objective 3.2: Create and configure virtual machine storage

Forwarders tab (DNS server Properties sheet), DNS forwarders

forwarders, DNS, DNS forwarders

Foundation edition, Selecting a Windows Server 2012 R2 edition

G

GC (Global Catalog)

configuring, Removing a domain controller

domain controllers, Creating a new forest

general permissions, Using OUs to delegate Active Directory management tasks

Generation 1 VMs, Creating a virtual machine

Generation 2 VMs, Creating a virtual machine

Get-Help command, Installing AD DS on Server Core

Get-PhysicalDisk cmdlet, Creating a storage pool

Get-StorageSubsystem cmdlet, Creating a storage pool

Global Catalog (GC)

configuring, Removing a domain controller

domain controllers, Creating a new forest

global groups, AD DS, Domain Local Groups

global routing prefixes, IP addresses, Subnetting IPv6 Addresses

global unicast addresses, IPv6, Contracting IPv6 Addresses

GPMC (Group Policy Management Console), Nonlocal GPOs, Creating and linking nonlocal GPOs

creating/linking nonlocal GPOs, Creating and linking nonlocal GPOs

security filtering, Creating and linking nonlocal GPOs

GPOs (Group Policy objects), Deploying printers with Group Policy

GPOs (Group Policy Objects)

creating, Creating and managing Group Policy

Central Store, Nonlocal GPOs

configuring settings, Configuring Group Policy settings

Group Policy Management Console, Nonlocal GPOs

local GPOs, Objective 6.1: Create Group Policy Objects, Configuring Group Policy settings

nonlocal GPOs, Nonlocal GPOs

starter GPOs, Nonlocal GPOs, Managing starter GPOs

GPT partition style, Selecting a partition style

group nesting, Working with groups, Nesting groups

Group Policy

assigning settings using OUs, Using OUs to assign Group Policy settings

creating GPOs, Creating and managing Group Policy

Central Store, Nonlocal GPOs

configuring settings, Configuring Group Policy settings

Group Policy Management Console, Nonlocal GPOs

local GPOs, Objective 6.1: Create Group Policy Objects, Configuring Group Policy settings

nonlocal GPOs, Nonlocal GPOs

starter GPOs, Nonlocal GPOs, Managing starter GPOs

deploying printers, Deploying printers with Group Policy

managing group membership, Manage Group Membership by Using Group Policy

security policies, Objective 6.2: Configure security policies

defining local policies, Objective 6.2: Configure security policies

local users and groups, Importing security templates into GPOs

security templates, Configuring security options

User Account Control, Using the Local Users And Groups snap-in

software restriction policies, Objective review

AppLocker, Using AppLocker

configuring properties, Path Rules

configuring rules, Enforcing restrictions

enforcing restrictions, Using software restriction policies

using multiple rules, Path Rules

Windows Firewall, Objective 6.4: Configure Windows Firewall

control panel applet, Working with Windows Firewall

settings, Objective 6.4: Configure Windows Firewall

Windows Firewall with Advanced Security snap-in, Allowing applications

Group Policy Management Console (GPMC), Nonlocal GPOs, Nonlocal GPOs

creating/linking nonlocal GPOs, Creating and linking nonlocal GPOs

security filtering, Creating and linking nonlocal GPOs

Group Policy Management Editor console, Configuring Windows Firewall

Group Policy Management Editor window, Planning and configuring an audit policy

Group Policy Object Editor snap-in, Configuring Group Policy settings

Group Policy objects (GPOs), Deploying printers with Group Policy

Group Policy Objects. (see GPOs (Group Policy Objects))

group scopes, AD DS, Working with groups

groups

access to SAM, Importing security templates into GPOs

Group Policy security policies, Importing security templates into GPOs

groups, AD DS management, Objective review

converting groups, Managing Group Objects by Using Dsmod.exe

creating groups, Nesting groups

deleting groups, Managing Group Objects by Using Dsmod.exe

Domain Admins, Upgrading Active Directory Domain Services

Enterprise Admins, Upgrading Active Directory Domain Services

group memberships, Creating Groups from the Command Line

group scopes, Working with groups

group types, Working with groups

nesting groups, Nesting groups

Schema Admins, Upgrading Active Directory Domain Services

Guest Integration Services, Configuring Guest Integration Services

Guest Services function (Guest Integration Services), Configuring Guest Integration Services

GUI tools

postinstallation tasks, Completing postinstallation tasks

H

Hard Drive interface, Settings dialog box, Adding virtual disks to virtual machines

hardware acceleration settings, virtual network adapters, Synthetic adapters and emulated adapters

hardware limitations, Hyper-V, Hyper-V licensing

hardware requirements

Hyper-V installation, Hyper-V Server

hardware requirements, server installation, Supporting server virtualization

hash rules, Configuring software restriction rules

Heartbeat function (Guest Integration Services), Configuring Guest Integration Services

hop-count threshold, Deploying a DHCP relay agent

host operating systems, hypervisor and, Objective 3.1: Create and configure virtual machine settings

Hyper-V

configuring

virtual machine settings, Configuring Hyper-V

virtual machine storage, Objective 3.2: Create and configure virtual machine storage

virtual networks, Objective review

installation, Hyper-V Server

licensing, Hyper-V licensing

server installation considerations, Supporting server roles

Hyper-V Manager console, Installing Hyper-V

creating virtual machines, Using Hyper-V Manager

enhanced session mode, Configuring Guest Integration Services

Generation 1 and Generation 2 VMs, Creating a virtual machine

Guest Integration Services, Configuring Guest Integration Services

memory allocation, Allocating memory

Hyper-V Server, Hyper-V licensing

hypervisor, Configuring Hyper-V

I

IaaS (Infrastructure as a Service)

Windows Azure, Upgrading Active Directory Domain Services

ICANN (Internet Corporation for Assigned Names and Numbers), Public and private IPv4 addressing

ICMPv6 (Internet Control Message Protocol version 6), ISATAP

IDE (Integrated Drive Electronics) controllers, Objective 3.2: Create and configure virtual machine storage

IDE Controller interface, Settings dialog box, Adding virtual disks to virtual machines

IFM (Install from Media) option, Installing AD DS on Server Core

Ifm command, Installing AD DS on Server Core

IIS Hostable Web Core feature, Configuring Work Folders

implementations

Hyper-V, Virtualization architectures

Import Policy From dialog box, Importing security templates into GPOs

Import tab

adding servers in Server Manager, Adding servers

importing

security templates into GPOs, Creating security templates

in-addr.arpa domain, DNS forwarders

Inbound Rules list, Windows Firewall with Advanced Security console, Configuring profile settings

Infrastructure as a Service (IaaS)

Windows Azure, Upgrading Active Directory Domain Services

inheriting permissions, Allowing and denying permissions

Install from Media (IFM) option, Installing AD DS on Server Core

Install-ADDSDomain cmdlet, Creating a new child domain in a forest

Install-ADDSDomainController cmdlet, Creating a new child domain in a forest

Install-ADDSForest cmdlet, Creating a new child domain in a forest

Install-WindowsFeature cmdlet, Creating a new child domain in a forest

installation

AD DS role, Objective 5.1: Install domain controllers

domain controllers. (see domain controllers)

Hyper-V, Hyper-V Server

Migration Tools, Installing Windows Server Migration Tools

network-attached print devices, Sharing a printer

1382/1537

operating systems, Installing an op-erating system

printers, Understanding Windowsprinting

servers, Objective 1.1: Install servers

Features on Demand, Using theMinimal Server Interface

migrating roles, Preparing toupgrade

Minimal Server Interface, ServerCore Capabilities

planning installation, Objective1.1: Install servers

1383/1537

Server Core, Installationrequirements

upgrades, Upgrading servers

Integrated Drive Electronics (IDE) con-trollers, Objective 3.2: Create and con-figure virtual machine storage

Integration Services settings, virtualmachines, Configuring Guest Integra-tion Services

Intel Virtualization Technology (IntelVT), Hyper-V Server

Intel VT (Intel VirtualizationTechnology), Hyper-V Server

1384/1537

Interface ID, IP addresses, SubnettingIPv6 Addresses

Internal virtual switches, Creating anew virtual switch

Internet Control Message Protocol ver-sion 6 (ICMPv6), ISATAP

Internet Corporation for AssignedNames and Numbers (ICANN), Publicand private IPv4 addressing

Internet Printing option (Select RoleServices page), Creating a printer pool

Internet Protocol Version 4 (TCP/IPv4)Properties sheet, Supernetting

1385/1537

Intra-Site Automatic Tunnel AddressingProtocol (ISATAP), ISATAP

IP address aggregation (supernetting),IPv4 subnetting

IP address allocation methods, DHCP,Understanding DHCP

IP Address Lease Time extension,DHCP, DHCP Extensions

IP Address option, manual configura-tion of IPv4 addresses, Manual IPv4 Ad-dress Configuration

IP Address Range page (New ScopeWizard), Creating a scope

1386/1537

IP addresses, Understanding WindowsFirewall settings

IPv4 addressing, Deploying and config-uring core network services

assigning IPv4 addresses,Supernetting

CIDR (Classless Inter-Domain Rout-ing), Classless Inter-Domain Routing

classful addressing, IPv4 addressing

planning an IP transition, Subnet-ting IPv6 Addresses

public and private addressing, Publicand private IPv4 addressing

1387/1537

subnetting, Public and private IPv4addressing

supernetting, IPv4 subnetting

IPv6 addressing

address types, Contracting IPv6Addresses

assigning IPv6 addrersses, Link-Local Unicast Addresses

introduction, Dynamic Host Config-uration Protocol (DHCP)

planning an IP transition, Subnet-ting IPv6 Addresses

1388/1537

subnetting IPv6 addresses, Subnet-ting IPv6 Addresses

ISATAP (Intra-Site Automatic TunnelAddressing Protocol), ISATAP

isolated network environments, Ex-tending a production network into vir-tual space

iterative queries, DNS, Client-side re-solver caching

J

JOBD (“Just a Bunch of Disks”) arrays,How many servers do I need?

1389/1537

joining computers to domains,Managing multiple users

L

LDAP Data Interchange Format Directory Exchange (LDIFDE.exe) utility, Creating user objects

creating multiple AD DS users, Using CSVDE.exe

LDIFDE.exe (LDAP Data Interchange Format Directory Exchange) utility

creating multiple AD DS users, Using CSVDE.exe

Lease Duration page (New Scope Wizard), Creating a scope

lease negotiation, DHCP, DHCP Extensions

lease renewal, DHCP, DHCP Lease Negotiation

legacy adapters, Synthetic adapters and emulated adapters

licensing

Hyper-V, Hyper-V licensing

server installation, Supporting server virtualization

limitations

Hyper-V hardware, Hyper-V licensing

link-local unicast addresses, IPv6, Link-Local Unicast Addresses

linking nonlocal GPOs, Group Policy Management Console, Creating and linking nonlocal GPOs

local GPOs, Objective 6.1: Create Group Policy Objects, Configuring Group Policy settings

Local Group Policy layer, Configuring Group Policy settings

local groups, creating, Using the Local Users And Groups snap-in

local policies, Objective 6.2: Configure security policies

local storage

configuring, Objective review

disk settings, Using Storage Spaces

disks, Understanding volume types

planning storage needs, Objective review

local users, Creating user objects

Group Policy security policies, Importing security templates into GPOs

Local Users And Groups snap-in, Using the User Accounts control panel

locally attached print devices, Windows printing flexibility

locally attached printer sharing, Windows printing flexibility

Log On Locally right, Creating Computer Objects While Joining

LPD Service option (Select Role Services page), Creating a printer pool

M

MAC Address Range (Virtual Switch Manager), Configuring MAC addresses

MAC addresses

virtual switches, Creating a new virtual switch

Mail Exchanger (MX) resource records, Creating an Active Directory Zone

management

AD DS groups and OUs, Objective review

creating OUs, Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

using OUs to assign Group Policy settings, Using OUs to assign Group Policy settings

using OUs to delegate AD management tasks, Using OUs to assign Group Policy settings

working with groups, Using OUs to delegate Active Directory management tasks

AD DS users and computers, Objective review

Active Directory objects, Creating computer objects by using Active Directory Administrative Center

creating computer objects, Using Windows PowerShell

creating user objects, Objective review

Group Policy settings

GPOs (Group Policy Objects), Creating and managing Group Policy

software restriction policies, Objective review

Windows Firewall, Objective 6.4: Configure Windows Firewall

Manager (Hyper-V), Installing Hyper-V

creating virtual machines, Using Hyper-V Manager

enhanced session mode, Configuring Guest Integration Services

Generation 1 and Generation 2 VMs, Creating a virtual machine

Guest Integration Services, Configuring Guest Integration Services

memory allocation, Allocating memory

managing

documents, Configuring printer security

print servers, Viewing printers

printer drivers, Sharing a printer

printers, Managing printers, Viewing printers

manual allocation

assigning IPv6 addresses, Link-Local Unicast Addresses

definition, Understanding DHCP

manual IPv4 address configuration, Supernetting

Maximum RAM setting, Dynamic Memory, Using Dynamic Memory

MBR partition style, Using Storage Spaces

Measure-VM cmdlet, Configuring resource metering

memberships, AD DS groups, Creating Groups from the Command Line

memory allocation, Hyper-V Manager console, Allocating memory

Memory Buffer setting, Dynamic Memory, Using Dynamic Memory

Memory settings, virtual machines, Allocating memory

Memory Weight setting, Dynamic Memory, Using Dynamic Memory

Merge function (Edit Virtual Hard Disk Wizard), Modifying virtual disks

Message extension, DHCP, DHCP Extensions

Message Type option, DHCP, DHCP options

Microsoft Network Adapter Multiplexor Driver, Creating the NIC team

migration guides, Installing Windows Server Migration Tools

Migration Tools, Preparing to upgrade

migration, servers, Preparing to upgrade

Minimal Server Interface, Server Core Capabilities

Minimum RAM setting, Dynamic Memory, Using Dynamic Memory

Mirror storage layout option, Creating virtual disks

mirrored volumes

configuring local storage, Creating a simple volume

disks, Understanding disk types

Modify action, LDIFDE.exe utility, Using CSVDE.exe

modifying

virtual disks, Modifying virtual disks

Mount In The Following Empty NTFS Folder option, Creating a simple volume

Move dialog box, Creating OUs

multi-level subnet option, subnetting IPv6 addresses, Subnetting IPv6 Addresses

multicast addresses, IPv6, Link-Local Unicast Addresses

Multicast transmissions, IPv6 addressing, Contracting IPv6 Addresses

multiple local GPOs, creating, Configuring Group Policy settings

multiple users, AD DS, Creating user templates

MX (Mail Exchanger) resource records, Creating an Active Directory Zone

N

Name parameter

New Connection Security Rule Wizard, Creating connection security rules

New Inbound Rule Wizard, Creating rules

name resolution process, DNS, DNS forwarders

name resolution requests (referrals), DNS, Client-side resolver caching

Name Server (NS) resource records, Creating an Active Directory Zone

name servers, DNS, Objective 4.3: Deploy and configure the DNS service

namespace, DNS, Objective 4.3: Deploy and configure the DNS service

NAS (network attached storage) technologies, How many servers do I need?

ND (Neighbor Discovery) protocol, Stateless IPv6 Address Autoconfiguration

Neighbor Discovery (ND) protocol, Stateless IPv6 Address Autoconfiguration

nesting groups, Working with groups, Nesting groups

Netdom.exe command-line utility, joining computers to domains, Joining computers to a domain

Network Adapter settings, NIC team adapter, Configuring a NIC team virtual network adapter

Network And Sharing Center control panel, Working with Windows Firewall

network attached printing, Locally Attached Printer Sharing

network attached storage (NAS) technologies, How many servers do I need?

Network Discovery, Working with Windows Firewall

Network File System (NFS), Creating folder shares

network services

DHCP, Understanding DHCP

communications, DHCP Extensions

deploying DHCP relay agents, Using PXE

deploying DHCP servers, DHCP Lease Renewal

IP address allocation methods, Understanding DHCP

options, DHCP options

DNS, Objective 4.3: Deploy and configure the DNS service

architecture, Objective 4.3: Deploy and configure the DNS service

deploying servers, Reverse name resolution

IPv4 and IPv6 addressing, Deploying and configuring core network services

assigning IPv4 addresses, Supernetting

assigning IPv6 addresses, Link-Local Unicast Addresses

CIDR (Classless Inter-Domain Routing), Classless Inter-Domain Routing

introduction to IPv6 addressing, Dynamic Host Configuration Protocol (DHCP)

IPv4 classful addressing, IPv4 addressing

IPv4 subnetting, Public and private IPv4 addressing

IPv6 address types, Contracting IPv6 Addresses

planning an IP transition, Subnetting IPv6 Addresses

public and private IPv4 addressing, Public and private IPv4 addressing

subnetting IPv6 addresses, Subnetting IPv6 Addresses

supernetting, IPv4 subnetting

network zone rules, Path Rules

network-attached print devices

installation, Sharing a printer

network-attached printer sharing, Network-Attached Printer Sharing

networks

virtual networks, Objective review

configurations, Configuring a NIC team virtual network adapter

NIC teaming, Configuring hardware acceleration settings

virtual network adapters, Configuring MAC addresses

virtual switches, Objective 3.3: Create and configure virtual networks

New Connection Security Rule Wizard, Creating rules by using Group Policy

New GPO dialog box, Creating and linking nonlocal GPOs

New Group dialog box, Using the Local Users And Groups snap-in

New Host dialog box, Creating resource records

New Inbound (or Outbound) Rule Wizard, Creating rules

New Interface For DHCP Relay Agent dialog box, Deploying a DHCP relay agent

New Object - User Wizard, Creating single users

New Object-Computer Wizard, Creating computer objects by using Active Directory Users And Computers

New Object-Group dialog box, Creating groups

New Path Rule dialog box, Enforcing restrictions

New Scope Wizard, Creating a scope, Creating a scope

New Share Wizard, Creating folder shares

New Simple Volume Wizard, Creating a simple volume

New Storage Pool Wizard, Creating and mounting virtual hard disks (VHDs)

New Team page (Server Manager), Configuring NIC teaming

New User dialog box, Using the Local Users And Groups snap-in

New Virtual Disk menu, Creating a storage pool

New Virtual Machine Wizard

Configure Networking page, Creating a virtual machine

Connect Virtual Hard Disk page, Creating a virtual machine, Virtual disk formats

Specify Generation page, Creating Generation 1 and Generation 2 VMs

New Zone Wizard, Using Active Directory–Integrated Zones

New-ADUser cmdlet, Using Dsadd.exe

New-GPO cmdlet, Managing starter GPOs

New-StoragePool cmdlet, Creating a storage pool

options, Creating a storage pool

New-VHD cmdlet, Creating a new virtual disk

New-VM cmdlet, Creating a virtual machine

New-VMResourcePool cmdlet, Configuring resource metering

New-VMSwitch cmdlet, Creating a new virtual switch

NFS (Network File System), Creating folder shares

NFS Share-Advanced option (File Share Profile list), Creating folder shares

NFS Share-Quick option (File Share Profile list), Creating folder shares

NIC teaming, Configuring NIC teaming

virtual networks, Configuring hardware acceleration settings

configuring virtual network adapters, Creating the team virtual switch

creating NIC teams, Creating the NIC team

creating team virtual switches, Creating the team virtual switch

NIC Teaming dialog box, Creating the NIC team

NIC Teaming window, Configuring NIC teaming

NIC teams, creating, Creating the NIC team

No eXecute (NX), Hyper-V Server

non-domain joined servers, Adding servers

noncontextual tasks, addressing remote servers, Using Remote Server Administration Tools

noncontextual tools, addressing remote servers, Using Remote Server Administration Tools

nonlocal GPOs, Nonlocal GPOs

creating and linking, Group Policy Management Console, Creating and linking nonlocal GPOs

Not Configured state, Administrative Template settings, Configuring Group Policy settings

NS (Name Server) resource records, Creating an Active Directory Zone

Ntdsutil.exe command-line tool, Installing AD DS on Server Core

NTFS authorization

assigning permissions, Setting share permissions

NTFS file system, Understanding volume types

NTFS permissions, Creating folder shares

advanced NTFS permissions, Assigning basic NTFS permissions

basic permissions, Setting share permissions

combining with share permissions, Assigning basic NTFS permissions

NTFS quotas, configuring, Configuring Volume Shadow Copies

NX (No eXecute), Hyper-V Server

O

objectClass attribute, Creating user templates

Offline Files, Creating folder shares

one-level subnet option, subnetting IPv6 addresses, Subnetting IPv6 Addresses

Open Systems Interconnect (OSI) reference model, Objective 3.3: Create and configure virtual networks

Operating System Shutdown function (Guest Integration Services), Configuring Guest Integration Services

operating systems

installation, Installing an operating system

operating systems, considerations for server installation, Selecting a Windows Server 2012 R2 edition

organizational units. (see OUs)

OSI (Open Systems Interconnect) reference model, Objective 3.3: Create and configure virtual networks

OUs (organizational units), AD DS management, Objective review

creating OUs, Objective 5.3: Create and manage Active Directory groups and organizational units (OUs)

using OUs to assign Group Policy settings, Using OUs to assign Group Policy settings

using OUs to delegate AD management tasks, Using OUs to assign Group Policy settings

Outbound Rules list, Windows Firewall with Advanced Security console, Configuring profile settings

P

Packaged App Rules node, AppLocker, Understanding rule types

Parameter Request List extension, DHCP, DHCP Extensions

parent partition, Virtualization architectures

Parity storage layout option, Creating virtual disks

partition style, disks, Using Storage Spaces

partitions, Virtualization architectures

pass-through disks, Creating differencing disks

path rules, Configuring software restriction rules, Understanding rule types

PCL (printer control language), Understanding Windows printing

Perform A Quick Format option, Configuring the Format Partition page, Creating a simple volume

permission inheritance, Allowing and denying permissions

permissions

assigning, Creating folder shares

advanced NTFS permissions, Assigning basic NTFS permissions

allowing/denying permission, Understanding basic and advanced permissions

basic and advanced permissions, Understanding basic and advanced permissions

basic NTFS permissions, Setting share permissions

combining share permissions with NTFS permissions, Assigning basic NTFS permissions

effective access, Allowing and denying permissions

inherited permissions, Allowing and denying permissions

NTFS authorization, Setting share permissions

setting share permissions, Understanding effective access

Windows permission architecture, Creating folder shares

Permissions page (Delegation of Control Wizard), Using OUs to delegate Active Directory management tasks

physical disks

configuring local storage, Working with disks

physical operating system environment (POSE) installation, Supporting server roles

planning

IP transitions, Subnetting IPv6 Addresses

server installation, Objective 1.1: Install servers

installation requirements, Supporting server virtualization

selecting Windows Server 2012 R2 edition, Selecting a Windows Server 2012 R2 edition

server licensing, Supporting server virtualization

supporting server roles, Selecting a Windows Server 2012 R2 edition

supporting server virtualization, Supporting server roles

server storage, Objective review

Pointer (PTR) resource records, Creating an Active Directory Zone

policies

Group Policy security policies, Objective 6.2: Configure security policies

defining local policies, Objective 6.2: Configure security policies

local users and groups, Importing security templates into GPOs

security templates, Configuring security options

User Account Control, Using the Local Users And Groups snap-in

Group Policy software restriction policies, Objective review

AppLocker, Using AppLocker

configuring properties, Path Rules

configuring rules, Enforcing restrictions

enforcing restrictions, Using software restriction policies

using multiple rules, Path Rules

Port Mirroring Mode (advanced network adapter feature), Configuring hardware acceleration settings

port numbers, Understanding Windows Firewall settings

POSE (physical operating system environment) installation, Supporting server roles

postinstallation tasks

configuring servers, Objective review

command-line tools, Using GUI tools

converting between GUI and Server Core, Converting between GUI and Server Core

GUI tools, Completing postinstallation tasks

NIC teaming, Configuring NIC teaming

PowerShell, Windows, Creating user objects

creating computer objects, Creating computer objects by using Active Directory Administrative Center

creating single AD DS users, Using Dsadd.exe

creating user objects, Using Windows PowerShell

Preboot eXecution Environment (PXE), Synthetic adapters and emulated adapters, Creating a reservation

Predefined Rules parameter (New Inbound Rule Wizard), Creating rules

Preferred DNS Server option, manual configuration of IPv4 addresses, Manual IPv4 Address Configuration

preparing

server upgrades, Upgrading servers

Prerequisites Check page (AD DS Configuration Wizard), Creating a new forest

primary zones, DNS servers, Creating zones

Print and Document Services role, Creating a printer pool

adding print servers, Using the Print and Document Services role

deploying printers with Group Policy, Deploying printers with Group Policy

viewing printers, Viewing printers

print clients, Windows printing flexibility

print device, defined, Understanding the Windows print architecture

Print Management console, Creating a printer pool

Print Operators group, Creating Computer Objects While Joining

print queue, Understanding Windows printing

print queue window, Configuring printer security

Print Server option (Select Role Services page), Creating a printer pool

print servers

adding, Using the Print and Document Services role

defined, Understanding the Windows print architecture

deploying, Objective review

understanding Windows printing, Understanding the Windows print architecture

Windows print architecture, Understanding the Windows print architecture

Windows print flexibility, Understanding Windows printing

managing, Viewing printers

print services, configuring, Objective review

deploying print servers, Objective review

understanding Windows printing, Understanding the Windows print architecture

Windows print architecture, Understanding the Windows print architecture

Windows print flexibility, Understanding Windows printing

document management, Configuring printer security

managing printers, Managing printers

Print And Document Services role, Creating a printer pool

adding print servers, Using the Print and Document Services role

deploying printers with Group Policy, Deploying printers with Group Policy

viewing printers, Viewing printers

sharing printers, Advanced Printing Configurations

configuring printer security, Using remote access Easy Print

managing printer drivers, Sharing a printer

remote access Easy Print, Sharing a printer

printer control language (PCL), Understanding Windows printing

printer drivers

defined, Understanding the Windows print architecture

managing, Sharing a printer

printer pools, creating, Setting printer priorities

printer sharing, Advanced Printing Configurations

advanced printing configurations, Advanced Printing Configurations

configuring printer security, Using remote access Easy Print

locally attached printer sharing, Windows printing flexibility

managing printer drivers, Sharing a printer

network attached printing, Locally Attached Printer Sharing

network-attached printer sharing, Network-Attached Printer Sharing

remote access Easy Print, Sharing a printer

printers

defined, Understanding the Windows print architecture

deploying with Group Policy, Deploying printers with Group Policy

installation, Understanding Windows printing

management, Managing printers

managing, Viewing printers

viewing, Viewing printers

private IPv4 addressing, Public and private IPv4 addressing

Private virtual switches, Creating a new virtual switch

privileges

delegating printer privileges, Configuring services

Profile parameter

New Connection Security Rule Wizard, Creating connection security rules

New Inbound Rule Wizard, Creating rules

Program parameter (New Inbound Rule Wizard), Creating rules

properties

configuring software restriction properties, Path Rules

Properties sheet

policy setting, Planning and configuring an audit policy

Properties sheets, AD Administrative Center/Users and Computers consoles, Creating computer objects by using Active Directory Administrative Center

Properties tile (Server Manager), Completing postinstallation tasks

property-specific permissions, Using OUs to delegate Active Directory management tasks

Protocol And Ports parameter (New Inbound Rule Wizard), Creating rules

protocol numbers, Understanding Windows Firewall settings

PTR (Pointer) resource records, Creating an Active Directory Zone

public IPv4 addressing, Public and private IPv4 addressing

publisher rules, Understanding rule types

PXE (Preboot eXecution Environment), Synthetic adapters and emulated adapters, Creating a reservation

Q

QoS (Quality of Service), virtual hard disks, Creating checkpoints

Quality of Service (QoS), virtual hard disks, Creating checkpoints

queries

DNS, Client-side resolver caching

R

RAID-5 volumes

configuring local storage, Creating a simple volume

disks, Understanding volume types

Read Only Domain Controller (RODC) domain controllers, Creating a new forest

Reader aid, Hyper-V licensing

Rebinding (T2) time value extension, DHCP, DHCP Extensions

recursive queries, DNS, Client-side resolver caching

referrals, DNS, Client-side resolver caching

ReFS file system, Understanding volume types

relay agents, DHCP, Using PXE

remote access

Easy Print, Sharing a printer

Remote Desktop Session Host role service, Sharing a printer

Remote Server Administration tools, Creating server groups

remote server management

configuring servers, Objective review

Remote Server Administration tools, Creating server groups

Server Manager, Objective 2.3: Configure servers for remote management

working with remote servers, Using Remote Server Administration Tools

remote servers, Using Remote Server Administration Tools

Remove Features page (Server Manager), Converting between GUI and Server Core

Remove Roles And Features Wizard, Using the Minimal Server Interface, Deploying Active Directory IaaS on Windows Azure

removing

domain controllers, Deploying Active Directory IaaS on Windows Azure

Server Graphical Shell feature, Using the Minimal Server Interface

Renewal (T1) time value extension, DHCP, DHCP Extensions

renewal process, DHCP IP addresses, DHCP Lease Negotiation

replication, Installing AD DS on Server Core

Requested IP Address extension, DHCP, DHCP Extensions

Requirements parameter (New Connection Security Rule Wizard), Creating connection security rules

reservations, DHCP servers, Configuring DHCP options

resolvers, DNS, Understanding the DNS architecture

resource access, AD DS users, Objective review

resource metering, Using Dynamic Memory

resource records, DNS servers, Creating an Active Directory Zone

Restart The Destination Server Automatically If Desired function, Installing the Active Directory Domain Services role

Restricted Groups policies, creating, Manage Group Membership by Using Group Policy

Reverse Lookup Zone Name page (New Zone Wizard), Creating resource records

reverse name resolution, DNS, DNS forwarders

RODC (Read Only Domain Controller) domain controllers, Creating a new forest

roles

adding, Server Manager tool, Adding servers

configuring

file and share access, Configuring server roles and features

print and document services, Objective review

servers for remote management, Objective review

considerations for server installation, Selecting a Windows Server 2012 R2 edition

deploying to VHDs, Adding roles and features

Hyper-V Server, Hyper-V licensing

Root Hints tab (DNS server Properties sheet), Configuring Root Hints

Root Hints, configuring, Configuring Root Hints

Router (Default Gateway) page (New Scope Wizard), Creating a scope

Routing And Remote Access console, Deploying a DHCP relay agent

Routing And Remote Access Server Setup Wizard, Deploying a DHCP relay agent

Rule Type parameter

New Connection Security Rule Wizard, Creating connection security rules

New Inbound Rule Wizard, Creating rules

S

sales channels, server licensing, Sup-porting server virtualization

1460/1537

SAM (Security Account Manager), Im-porting security templates into GPOs

SAM account name attribute, UsingDsadd.exe, Creating user templates

SANs (storage area networks), Config-uring Storage Quality of Service (QoS)

Fibre Channel, Connecting to a stor-age area network (SAN)

virtual machines to SANs, UsingFibre Channel

Schema Admins group, Upgrading Act-ive Directory Domain Services

1461/1537

SCM (Security Compliance Manager)tool, Using security templates

SCONFIG interface, Hyper-V Server

scope

DHCP servers, DHCP Lease Renewal

IPv6 addresses, Contracting IPv6Addresses

Scope parameter (New Inbound RuleWizard), Creating rules

Script Rules node, AppLocker, Under-standing rule types

1462/1537

scripting model, DSC, Using WindowsPowerShell Desired State Configuration(DSC)

SCSI (Small Computer Systems Inter-face) controllers, Objective 3.2: Createand configure virtual machine storage

SCSI disks, Creating Generation 1 andGeneration 2 VMs

secondary zones, DNS servers, Creatingzones

secure desktop, configuring User Ac-count Control, Performing administrat-ive tasks

1463/1537

security

AD DS

authentication and authorization,Objective review

Group Policy security policies, Ob-jective 6.2: Configure securitypolicies

defining local policies, Objective6.2: Configure security policies

local users and groups, Importingsecurity templates into GPOs

security templates, Configuringsecurity options

1464/1537

User Account Control, Using theLocal Users And Groups snap-in

Group Policy software restrictionpolicies, Objective review

AppLocker, Using AppLocker

configuring properties, PathRules

configuring rules, Enforcingrestrictions

enforcing restrictions, Using soft-ware restriction policies

using multiple rules, Path Rules

1465/1537

printers, Using remote access EasyPrint

Security Account Manager (SAM), Im-porting security templates into GPOs

Security Compliance Manager (SCM)tool, Using security templates

security filtering, Group Policy Manage-ment Console, Creating and linkingnonlocal GPOs

security identifiers (SIDs), Settingshare permissions

1466/1537

Security Levels folder (SoftwareRestriction Policies node), Objectivereview

Security Options node, GPOs, Assigninguser rights

security templates, Configuring securityoptions

creating, Creating security templates

importing into GPOs, Creating secur-ity templates

Security Template snap-in, Using se-curity templates

settings, Creating security templates

1467/1537

Security Templates snap-in, Using se-curity templates

security-related groups, Working withgroups

Select A Domain From The Forest dia-log box, Creating a new forest

Select Destination Server page (AddRoles and Features Wizard), Addingroles and features, Deploying roles toVHDs

Select Disks page (New Volume Wiz-ard), Creating a striped, spanned,mirrored, or RAID-5 volume

1468/1537

Select Features page (Add Roles andFeatures Wizard), Adding roles andfeatures

Select GPO dialog box, Creating andlinking nonlocal GPOs

Select Installation Type page (Add Rolesand Features Wizard), Adding servers

Select Physical Disks For the StoragePool page (New Storage Pool Wizard),Creating a storage pool

Select Print Server dialog box, Using thePrint and Document Services role

1469/1537

Select Server Roles page (Add Roles andFeatures Wizard), Adding roles andfeatures

Select The Profile For This Share page(New Share Wizard), Creating foldershares

Select The Server And Storage Poolpage (Server Manager), Creating a stor-age pool

Select The Storage Layout page (ServerManager), Creating a storage pool

Select Users dialog box, Using the LocalUsers And Groups snap-in

1470/1537

self-allocation, assigning IPv6 ad-dresses, Assigning IPv6 addresses

server caching

DNS, DNS communications

Server Core

installing AD DS on, Creating a newchild domain in a forest

Server Core installation option, Install-ation requirements

Server Core interface

Hyper-V Server, Hyper-V Server

1471/1537

Server for NFS role service, Creatingfolder shares

Server Graphical Shell feature, remov-ing, Using the Minimal Server Interface

server groups, creating, Managingdown-level servers

Server Identifier extension, DHCP,DHCP Extensions

Server Manager, Using Server Manager

adding roles and features, Addingservers

adding servers, Using ServerManager

1472/1537

deploying roles to VHDs, Addingroles and features

remote management, Objective 2.3:Configure servers for remotemanagement

adding servers, Objective 2.3:Configure servers for remotemanagement

creating server groups, Managingdown-level servers

down-level servers, ConfiguringWindows Firewall

non-domain joined servers, Ad-ding servers

1473/1537

Windows Server 2012 R2 servers,Adding servers

Server Message Blocks (SMB), Creatingfolder shares

Server Operators group, Creating Com-puter Objects While Joining

servers

    adding, Server Manager, Objective 2.3: Configure servers for remote management

    adding, Server Manager tool, Using Server Manager

    configuring, Objective review

        delegating server administration, Configuring services

        DSC (Desired State Configuration), Configuring services

        postinstallation tasks, Objective review

        remote management, Objective review

        Server Manager tool, Using Server Manager

        services, Configuring services

    DHCP, DHCP Lease Renewal

        configuring DHCP options, Creating a scope

        creating a scope, DHCP Lease Renewal

        creating reservations, Configuring DHCP options

        PXE, Creating a reservation

    DNS, Reverse name resolution

        configuring settings, Creating resource records

        creating zones, Creating zones

        resource records, Creating an Active Directory Zone

    installation, Objective 1.1: Install servers

        Features on Demand, Using the Minimal Server Interface

        migrating roles, Preparing to upgrade

        Minimal Server Interface, Server Core Capabilities

        planning installation, Objective 1.1: Install servers

        Server Core, Installation requirements

        upgrades, Upgrading servers

    print servers, Objective review

        adding, Using the Print and Document Services role

        understanding Windows printing, Understanding the Windows print architecture

        Windows print architecture, Understanding the Windows print architecture

        Windows print flexibility, Understanding Windows printing

SAN connections, Connecting to a storage area network (SAN)

services

    configuring servers, Configuring services

Services tile (Server Manager), Configuring services

Set-VMMemory cmdlet, Using Dynamic Memory

1479/1537

setting

    printer priorities, Managing printers

    share permissions, Understanding effective access

settings

    disks, Using Storage Spaces

        disk types, Selecting a partition style

        partition style, Using Storage Spaces

        volumes, Understanding disk types

    VMs (virtual machines), Configuring Hyper-V

        Hyper-V implementations, Virtualization architectures

        Hyper-V Manager, Installing Hyper-V

        installing Hyper-V, Hyper-V Server

        resource metering, Using Dynamic Memory

        virtualization architectures, Objective 3.1: Create and configure virtual machine settings

Settings dialog box, new virtual machines, Creating a virtual machine

Setup program, Compatibility Report page, Preparing to upgrade

Shadow Copies dialog box, Combining share permissions with NTFS permissions

share access, files

    configuring, Configuring server roles and features

        folder shares, Creating folder shares

        NTFS quotas, Configuring Volume Shadow Copies

        permissions, Creating folder shares

        Volume Shadow Copies, Combining share permissions with NTFS permissions

        Work Folders, Configuring Work Folders

share permissions, Creating folder shares, Understanding effective access

Share Permissions tab (shared folders), Understanding effective access

1483/1537

sharing folders, Creating folder shares

sharing printers, Advanced Printing Configurations

    advanced printing configurations, Advanced Printing Configurations

    configuring printer security, Using remote access Easy Print

    locally attached printer sharing, Windows printing flexibility

    managing printer drivers, Sharing a printer

    network attached printing, Locally Attached Printer Sharing

    network-attached printer sharing, Network-Attached Printer Sharing

    remote access Easy Print, Sharing a printer

Shrink function (Edit Virtual Hard Disk Wizard), Modifying virtual disks

SIDs (security identifiers), Setting share permissions

Simple storage layout option, Creating virtual disks

simple volumes

    disks, Understanding disk types

single users, AD DS, User creation tools

Single-Root I/O Virtualization (hardware acceleration setting), Configuring hardware acceleration settings

Small Computer Systems Interface (SCSI) controllers, Objective 3.2: Create and configure virtual machine storage

smart paging, Using Dynamic Memory

Smart Paging File Location settings, Using Dynamic Memory

SMB (Server Message Blocks), Creating folder shares

SMB Share-Advanced option (File Share Profile list), Creating folder shares

SMB Share-Applications option (File Share Profile list), Creating folder shares

SMB Share-Quick option (File Share Profile list), Creating folder shares

snap-ins

    Group Policy Object Editor, Configuring Group Policy settings

    Local Users and Groups, Using the User Accounts control panel

    Security Templates, Using security templates

    Windows Firewall with Advanced Security, Allowing applications

snapshots, Modifying virtual disks

SOA (Start of Authority) resource records, Creating an Active Directory Zone

SOA (Start Of Authority) tab (DNS server Properties sheet), DNS server caching

software restriction policies (GP), Objective review

    AppLocker, Using AppLocker

    configuring restriction properties, Path Rules

    configuring rules, Enforcing restrictions

    enforcing restrictions, Using software restriction policies

Software Settings subnode, Configuring Group Policy settings

1489/1537

spanned volumes

    configuring local storage, Creating a simple volume

    disks, Understanding disk types

special permissions, Understanding basic and advanced permissions

Specify A Storage Pool Name and Subsystem page (New Storage Pool Wizard), Creating and mounting virtual hard disks (VHDs)

Specify An Alternate Source Path function, Installing the Active Directory Domain Services role

Specify Generation page (New Virtual Machine Wizard), Creating Generation 1 and Generation 2 VMs

Specify The Provisioning Type page (Server Manager), Creating virtual disks

Specify The Size Of The Virtual Disk page (Server Manager), Creating virtual disks

Specify The Virtual Disk Name page (Server Manager), Creating a storage pool

Specify Volume Size page (New Simple Volume Wizard), Creating a simple volume

spooler (print queue), Understanding Windows printing

Standard edition, Selecting a Windows Server 2012 R2 edition

    Hyper-V licensing, Hyper-V licensing

    support for Hyper-V, Supporting server roles

standard permissions, Understanding basic and advanced permissions

Start of Authority (SOA) resource records, Creating an Active Directory Zone

Start Of Authority (SOA) tab (DNS server Properties sheet), DNS server caching

starter GPOs, Nonlocal GPOs, Managing starter GPOs

Startup RAM setting, Dynamic Memory, Using Dynamic Memory

stateless IPv6 address autoconfiguration, Assigning IPv6 addresses

states, Features on Demand, Using Features on Demand

Static MAC Address (advanced network adapter feature), Configuring hardware acceleration settings

static teaming, Configuring NIC teaming

storage

    configuring local storage, Objective review

        disk settings, Using Storage Spaces

        disks, Understanding volume types

        planning storage needs, Objective review

    virtual machines, Objective 3.2: Create and configure virtual machine storage

        checkpoints, Modifying virtual disks

        connecting to a SAN, Configuring Storage Quality of Service (QoS)

        modifying virtual disks, Modifying virtual disks

        pass-through disks, Creating differencing disks

        QoS (Quality of Service), Creating checkpoints

        virtual disk formats, Objective 3.2: Create and configure virtual machine storage

        virtual disks, Virtual disk formats

storage area networks (SANs), Configuring Storage Quality of Service (QoS)

    Fibre Channel, Connecting to a storage area network (SAN)

    virtual machines to SANs, Using Fibre Channel

storage pools

    configuring local storage, Creating and mounting virtual hard disks (VHDs)

Storage Pools tile (Server Manager), Creating and mounting virtual hard disks (VHDs)

Storage Services role, Creating folder shares

Storage Spaces, How many servers do I need?

striped volumes

    configuring local storage, Creating a simple volume

    disks, Understanding disk types

stub zones, DNS servers, Creating zones

subdomains of in-addr.arpa domain, DNS forwarders

Subnet ID, IP addresses, Subnetting IPv6 Addresses

Subnet Mask option, manual configuration of IPv4 addresses, Manual IPv4 Address Configuration

subnet mask, IP addresses, IPv4 addressing

subnetting

    IPv4 addressing, Public and private IPv4 addressing

    IPv6 addresses, Subnetting IPv6 Addresses

Subtractive permission management task, Understanding basic and advanced permissions

supernetting, IPv4 addressing, IPv4 subnetting

Switch Dependent Mode, NIC teaming, Configuring NIC teaming

Switch Independent Mode, NIC teaming, Configuring NIC teaming

switches, virtual, Objective 3.3: Create and configure virtual networks

    creating a new switch, Creating the default virtual switch

    default virtual switches, Objective 3.3: Create and configure virtual networks

    MAC addresses, Creating a new virtual switch

sync shares, Configuring Work Folders

synthetic adapters, Synthetic adapters and emulated adapters

System Properties sheets, Managing multiple users

T

Tasks To Delegate page (Delegation of Control Wizard), Using OUs to delegate Active Directory management tasks

TCP (Transmission Control Protocol) ports, Locally Attached Printer Sharing

telephoneNumber attribute, Creating user templates

Teredo, IP transitioning, ISATAP

TFTP (Trivial File Transfer Protocol), Using PXE

Thin Provisioning Type option, Creating virtual disks

Time Synchronization function (Guest Integration Services), Configuring Guest Integration Services

time to live (TTL), DNS server caching

Transmission Control Protocol (TCP) ports, Locally Attached Printer Sharing

Trivial File Transfer Protocol (TFTP), Using PXE

Trusted Publishers properties, Trusted Publishers Properties

TTL (time to live), DNS server caching

tunneling, IP transitioning, Using a dual IP stack

two-level subnet option, subnetting IPv6 addresses, Subnetting IPv6 Addresses

Type I virtualization, Virtualization architectures

Type II virtualization, Objective 3.1: Create and configure virtual machine settings

U

UAC (User Account Control), Group Policy security, Using the Local Users And Groups snap-in

UEFI boot, Creating Generation 1 and Generation 2 VMs

Unicast transmissions, IPv6 addressing, Contracting IPv6 Addresses

Uninstall-WindowsFeature cmdlet, Using Features on Demand

uninstalling features, Remove Features page, Converting between GUI and Server Core

unique local unicast addresses, IPv6, Link-Local Unicast Addresses

universal groups, AD DS, Domain Local Groups

Unrestricted approach, enforcing restrictions, Using software restriction policies

upgrade paths, servers, Upgrading servers

upgrades

    servers, Upgrading servers

        preparing to upgrade, Upgrading servers

        upgrade paths, Upgrading servers

upgrading

    AD DS, Using Install from Media (IFM)

    Guest Integration Services, Configuring Guest Integration Services

USB-connected printers, Advanced Printing Configurations

Use An Existing Virtual Hard Disk option, Connect Virtual Hard Disk page, Creating a virtual disk with a VM

User Account Control (UAC), Group Policy security, Using the Local Users And Groups snap-in

User Account Control Settings dialog box, Configuring UAC

User Accounts control panel, configuring local users, Importing security templates into GPOs

user objects, AD DS, Objective review

    creating

        multiple users, Creating user templates

        single users, User creation tools

        user templates, Using Windows PowerShell

user rights

    local security policies, Planning and configuring an audit policy

User Rights Assignment settings, Planning and configuring an audit policy

user rights, assigning, Creating Computer Objects While Joining

user templates, AD DS, Using Windows PowerShell

User-specific Group Policy layer, Configuring Group Policy settings

userPrincipalName attribute, Creating user templates

users

    AD DS, Objective review

        Active Directory objects, Creating computer objects by using Active Directory Administrative Center

        creating user objects, Objective review

    Group Policy security policies, Importing security templates into GPOs

V

Validation Results dialog box, Deploying Active Directory IaaS on Windows Azure

variable length subnet masking (VLSM), Classless Inter-Domain Routing

VHDs (virtual hard disks)

    creating and mounting, Adding a new physical disk

    deploying roles to, Adding roles and features

VHDX image files, Virtual disk formats

View Results page

    New Storage Pool Wizard, Creating a storage pool

    Server Manager, Creating virtual disks

viewing

    printers, Viewing printers

virtual disks

    configuring local storage, Creating a storage pool

    creating, Virtual disk formats

    formats, Objective 3.2: Create and configure virtual machine storage

    modifying, Modifying virtual disks

    pass-through disks, Creating differencing disks

    QoS (Quality of Service), Creating checkpoints

Virtual Hard Disk Format options, Creating and mounting virtual hard disks (VHDs)

Virtual Hard Disk Type options, Creating and mounting virtual hard disks (VHDs)

virtual hard disks (VHDs)

    creating and mounting, Adding a new physical disk

    deploying roles to, Adding roles and features

Virtual Machine Migration page (Add Roles and Features Wizard), Installing Hyper-V

virtual machine monitor (VMM), Configuring Hyper-V

virtual machines (see VMs)

virtual network adapters, Configuring MAC addresses

    advanced network adapter features, Configuring hardware acceleration settings

    emulated adapters, Synthetic adapters and emulated adapters

    hardware acceleration settings, Synthetic adapters and emulated adapters

    synthetic adapters, Synthetic adapters and emulated adapters

virtual networks

    creating and configuring, Objective review

        configurations, Configuring a NIC team virtual network adapter

        NIC teaming, Configuring hardware acceleration settings

        virtual network adapters, Configuring MAC addresses

        virtual switches, Objective 3.3: Create and configure virtual networks

virtual operating system environment (VOSE) installation, Supporting server roles

Virtual Switch Manager dialog box, Creating the default virtual switch

Virtual Switch Properties page, Creating a new virtual switch

Virtual Switch Properties settings, NIC team switch, Creating the team virtual switch

virtual switches, Objective 3.3: Create and configure virtual networks

    creating a new switch, Creating the default virtual switch

    default virtual switches, Objective 3.3: Create and configure virtual networks

    MAC addresses, Creating a new virtual switch

virtualization

    considerations for server installation, Supporting server roles

virtualization architectures, Objective 3.1: Create and configure virtual machine settings

Virtualization Service Client (VSC), Synthetic adapters and emulated adapters

Virtualization Service Provider (VSP), Synthetic adapters and emulated adapters

VLSM (variable length subnet masking), Classless Inter-Domain Routing

VMBus, Synthetic adapters and emulated adapters

VMM (virtual machine monitor), Configuring Hyper-V

VMs

    connecting to SANs, Using Fibre Channel

    creating and configuring settings, Configuring Hyper-V

        Hyper-V implementations, Virtualization architectures

        Hyper-V Manager, Installing Hyper-V

        installing Hyper-V, Hyper-V Server

        resource metering, Using Dynamic Memory

        virtualization architectures, Objective 3.1: Create and configure virtual machine settings

    creating and configuring storage, Objective 3.2: Create and configure virtual machine storage

        checkpoints, Modifying virtual disks

        connecting to a SAN, Configuring Storage Quality of Service (QoS)

        modifying virtual disks, Modifying virtual disks

        pass-through disks, Creating differencing disks

        QoS (Quality of Service), Creating checkpoints

        virtual disk formats, Objective 3.2: Create and configure virtual machine storage

        virtual disks, Virtual disk formats

Volume Label option, Configuring the Format Partition page, Creating a simple volume

Volume Shadow Copies, Combining share permissions with NTFS permissions

volumes

    configuring local storage, Creating virtual disks

    disks, Understanding disk types

VOSE (virtual operating system environment) installation, Supporting server roles

VSC (Virtualization Service Client), Synthetic adapters and emulated adapters

VSP (Virtualization Service Provider), Synthetic adapters and emulated adapters

W

windows

    NIC Teaming, Configuring NIC teaming

Windows Azure

    Infrastructure as a Service (IaaS), Upgrading Active Directory Domain Services

Windows Firewall, Objective 6.4: Configure Windows Firewall

    configuring, Managing Windows Server 2012 R2 servers

    control panel applet, Working with Windows Firewall

    settings, Objective 6.4: Configure Windows Firewall

    Windows Firewall With Advanced Security snap-in, Allowing applications

Windows Firewall With Advanced Security snap-in, Allowing applications

Windows Installer Rules node, AppLocker, Understanding rule types

Windows PowerShell, Creating user objects

    creating computer objects, Creating computer objects by using Active Directory Administrative Center

    creating single AD DS users, Using Dsadd.exe

    creating user objects, Using Windows PowerShell

    installing AD DS on Server Core, Creating a new child domain in a forest

Windows Remote Management (HTTP-In) rules, Managing down-level servers

Windows Server 2012 R2 servers

    managing, Adding servers

Windows Settings subnode, Configuring Group Policy settings

WinRM

    configuring, Managing Windows Server 2012 R2 servers

WINS Servers page (New Scope Wizard), Creating a scope

wizards

    Active Directory Domain Services Configuration, Installing the Active Directory Domain Services role

    Active Directory Domain Services Installation, Installing the Active Directory Domain Services role

    Add Printer, Advanced Printing Configurations

    Add Roles And Features

        Create Virtual Switches page, Installing Hyper-V

        Virtual Machine Migration page, Installing Hyper-V

    Automatically Generate Rules, Creating default rules

    Configure Remote Access Getting Started, Deploying a DHCP relay agent

    Copy Object-User, Using Windows PowerShell

    Delegation of Control, Using OUs to assign Group Policy settings

    Edit Virtual Hard Disk, Modifying virtual disks

    New Connection Security Rule, Creating rules by using Group Policy

    New Inbound (or Outbound) Rule, Creating rules

    New Object - Computer, Creating computer objects by using Active Directory Users And Computers

    New Object - User, Creating single users

    New Scope, Creating a scope

        configuring DHCP options, Creating a scope

    New Share, Creating folder shares

    New Simple Volume, Creating a simple volume

    New Storage Pool, Creating and mounting virtual hard disks (VHDs)

    New Virtual Machine

        Configure Networking page, Creating a virtual machine

        Connect Virtual Hard Disk page, Creating a virtual machine, Virtual disk formats

        Specify Generation page, Creating Generation 1 and Generation 2 VMs

    New Zone, Using Active Directory–Integrated Zones

    Remove Roles And Features, Using the Minimal Server Interface, Deploying Active Directory IaaS on Windows Azure

    Routing And Remote Access Server Setup, Deploying a DHCP relay agent

Work Folders, configuring, Configuring Work Folders

World Wide Node Names (WWNNs), Using Fibre Channel

World Wide Port Names (WWPNs), Using Fibre Channel

WWNNs (World Wide Node Names), Using Fibre Channel

WWPNs (World Wide Port Names), Using Fibre Channel

X

XD (eXecute Disable), Hyper-V Server

Z

zones, DNS servers, Creating zones


About the Author

Craig Zacker is an educator and editor who has written or contributed to dozens of books on operating systems, networking, and PC hardware. He is coauthor of the Microsoft Training Kit for Exam 70-686 and author of Windows Small Business Server 2011 Administrator's Pocket Consultant.

Exam Ref 70-410: Installing and Configuring Windows Server 2012 R2

Craig Zacker

Editor: Karen Szall

Editor: Anne Hamilton

Copyright © 2014

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2014931253

Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey.

Microsoft and the trademarks listed at http://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

This book expresses the author's views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Anne Hamilton
Developmental Editor: Karen Szall
Editorial Production: Box Twelve Communications
Technical Reviewer: Brian Svidergol
Cover: Twist Creative • Seattle

Microsoft Press
A Division of Microsoft Corporation


One Microsoft Way
Redmond, Washington 98052-6399
